Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 int selinux_parse_opts_str(char *options, struct security_mnt_opts *opts)
804 {
805         char *p;
806         char *context = NULL, *defcontext = NULL;
807         char *fscontext = NULL, *rootcontext = NULL;
808         int rc, num_mnt_opts = 0;
809
810         opts->num_mnt_opts = 0;
811
812         /* Standard string-based options. */
813         while ((p = strsep(&options, "|")) != NULL) {
814                 int token;
815                 substring_t args[MAX_OPT_ARGS];
816
817                 if (!*p)
818                         continue;
819
820                 token = match_token(p, tokens, args);
821
822                 switch (token) {
823                 case Opt_context:
824                         if (context || defcontext) {
825                                 rc = -EINVAL;
826                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
827                                 goto out_err;
828                         }
829                         context = match_strdup(&args[0]);
830                         if (!context) {
831                                 rc = -ENOMEM;
832                                 goto out_err;
833                         }
834                         break;
835
836                 case Opt_fscontext:
837                         if (fscontext) {
838                                 rc = -EINVAL;
839                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
840                                 goto out_err;
841                         }
842                         fscontext = match_strdup(&args[0]);
843                         if (!fscontext) {
844                                 rc = -ENOMEM;
845                                 goto out_err;
846                         }
847                         break;
848
849                 case Opt_rootcontext:
850                         if (rootcontext) {
851                                 rc = -EINVAL;
852                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
853                                 goto out_err;
854                         }
855                         rootcontext = match_strdup(&args[0]);
856                         if (!rootcontext) {
857                                 rc = -ENOMEM;
858                                 goto out_err;
859                         }
860                         break;
861
862                 case Opt_defcontext:
863                         if (context || defcontext) {
864                                 rc = -EINVAL;
865                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
866                                 goto out_err;
867                         }
868                         defcontext = match_strdup(&args[0]);
869                         if (!defcontext) {
870                                 rc = -ENOMEM;
871                                 goto out_err;
872                         }
873                         break;
874
875                 default:
876                         rc = -EINVAL;
877                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
878                         goto out_err;
879
880                 }
881         }
882
883         rc = -ENOMEM;
884         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
885         if (!opts->mnt_opts)
886                 goto out_err;
887
888         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
889         if (!opts->mnt_opts_flags) {
890                 kfree(opts->mnt_opts);
891                 goto out_err;
892         }
893
894         if (fscontext) {
895                 opts->mnt_opts[num_mnt_opts] = fscontext;
896                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
897         }
898         if (context) {
899                 opts->mnt_opts[num_mnt_opts] = context;
900                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
901         }
902         if (rootcontext) {
903                 opts->mnt_opts[num_mnt_opts] = rootcontext;
904                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
905         }
906         if (defcontext) {
907                 opts->mnt_opts[num_mnt_opts] = defcontext;
908                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
909         }
910
911         opts->num_mnt_opts = num_mnt_opts;
912         return 0;
913
914 out_err:
915         kfree(context);
916         kfree(defcontext);
917         kfree(fscontext);
918         kfree(rootcontext);
919         return rc;
920 }
921 /*
922  * string mount options parsing and call set the sbsec
923  */
924 static int superblock_doinit(struct super_block *sb, void *data)
925 {
926         int rc = 0;
927         char *options = data;
928         struct security_mnt_opts opts;
929
930         security_init_mnt_opts(&opts);
931
932         if (!data)
933                 goto out;
934
935         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936
937         rc = selinux_parse_opts_str(options, &opts);
938         if (rc)
939                 goto out_err;
940
941 out:
942         rc = selinux_set_mnt_opts(sb, &opts);
943
944 out_err:
945         security_free_mnt_opts(&opts);
946         return rc;
947 }
948
949 static inline u16 inode_mode_to_security_class(umode_t mode)
950 {
951         switch (mode & S_IFMT) {
952         case S_IFSOCK:
953                 return SECCLASS_SOCK_FILE;
954         case S_IFLNK:
955                 return SECCLASS_LNK_FILE;
956         case S_IFREG:
957                 return SECCLASS_FILE;
958         case S_IFBLK:
959                 return SECCLASS_BLK_FILE;
960         case S_IFDIR:
961                 return SECCLASS_DIR;
962         case S_IFCHR:
963                 return SECCLASS_CHR_FILE;
964         case S_IFIFO:
965                 return SECCLASS_FIFO_FILE;
966
967         }
968
969         return SECCLASS_FILE;
970 }
971
972 static inline int default_protocol_stream(int protocol)
973 {
974         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
975 }
976
977 static inline int default_protocol_dgram(int protocol)
978 {
979         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
980 }
981
982 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
983 {
984         switch (family) {
985         case PF_UNIX:
986                 switch (type) {
987                 case SOCK_STREAM:
988                 case SOCK_SEQPACKET:
989                         return SECCLASS_UNIX_STREAM_SOCKET;
990                 case SOCK_DGRAM:
991                         return SECCLASS_UNIX_DGRAM_SOCKET;
992                 }
993                 break;
994         case PF_INET:
995         case PF_INET6:
996                 switch (type) {
997                 case SOCK_STREAM:
998                         if (default_protocol_stream(protocol))
999                                 return SECCLASS_TCP_SOCKET;
1000                         else
1001                                 return SECCLASS_RAWIP_SOCKET;
1002                 case SOCK_DGRAM:
1003                         if (default_protocol_dgram(protocol))
1004                                 return SECCLASS_UDP_SOCKET;
1005                         else
1006                                 return SECCLASS_RAWIP_SOCKET;
1007                 case SOCK_DCCP:
1008                         return SECCLASS_DCCP_SOCKET;
1009                 default:
1010                         return SECCLASS_RAWIP_SOCKET;
1011                 }
1012                 break;
1013         case PF_NETLINK:
1014                 switch (protocol) {
1015                 case NETLINK_ROUTE:
1016                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1017                 case NETLINK_FIREWALL:
1018                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1019                 case NETLINK_INET_DIAG:
1020                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021                 case NETLINK_NFLOG:
1022                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1023                 case NETLINK_XFRM:
1024                         return SECCLASS_NETLINK_XFRM_SOCKET;
1025                 case NETLINK_SELINUX:
1026                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1027                 case NETLINK_AUDIT:
1028                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1029                 case NETLINK_IP6_FW:
1030                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1031                 case NETLINK_DNRTMSG:
1032                         return SECCLASS_NETLINK_DNRT_SOCKET;
1033                 case NETLINK_KOBJECT_UEVENT:
1034                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1035                 default:
1036                         return SECCLASS_NETLINK_SOCKET;
1037                 }
1038         case PF_PACKET:
1039                 return SECCLASS_PACKET_SOCKET;
1040         case PF_KEY:
1041                 return SECCLASS_KEY_SOCKET;
1042         case PF_APPLETALK:
1043                 return SECCLASS_APPLETALK_SOCKET;
1044         }
1045
1046         return SECCLASS_SOCKET;
1047 }
1048
1049 #ifdef CONFIG_PROC_FS
1050 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1051                                 u16 tclass,
1052                                 u32 *sid)
1053 {
1054         int buflen, rc;
1055         char *buffer, *path, *end;
1056
1057         buffer = (char*)__get_free_page(GFP_KERNEL);
1058         if (!buffer)
1059                 return -ENOMEM;
1060
1061         buflen = PAGE_SIZE;
1062         end = buffer+buflen;
1063         *--end = '\0';
1064         buflen--;
1065         path = end-1;
1066         *path = '/';
1067         while (de && de != de->parent) {
1068                 buflen -= de->namelen + 1;
1069                 if (buflen < 0)
1070                         break;
1071                 end -= de->namelen;
1072                 memcpy(end, de->name, de->namelen);
1073                 *--end = '/';
1074                 path = end;
1075                 de = de->parent;
1076         }
1077         rc = security_genfs_sid("proc", path, tclass, sid);
1078         free_page((unsigned long)buffer);
1079         return rc;
1080 }
1081 #else
1082 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1083                                 u16 tclass,
1084                                 u32 *sid)
1085 {
1086         return -EINVAL;
1087 }
1088 #endif
1089
1090 /* The inode's security attributes must be initialized before first use. */
1091 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092 {
1093         struct superblock_security_struct *sbsec = NULL;
1094         struct inode_security_struct *isec = inode->i_security;
1095         u32 sid;
1096         struct dentry *dentry;
1097 #define INITCONTEXTLEN 255
1098         char *context = NULL;
1099         unsigned len = 0;
1100         int rc = 0;
1101
1102         if (isec->initialized)
1103                 goto out;
1104
1105         mutex_lock(&isec->lock);
1106         if (isec->initialized)
1107                 goto out_unlock;
1108
1109         sbsec = inode->i_sb->s_security;
1110         if (!sbsec->initialized) {
1111                 /* Defer initialization until selinux_complete_init,
1112                    after the initial policy is loaded and the security
1113                    server is ready to handle calls. */
1114                 spin_lock(&sbsec->isec_lock);
1115                 if (list_empty(&isec->list))
1116                         list_add(&isec->list, &sbsec->isec_head);
1117                 spin_unlock(&sbsec->isec_lock);
1118                 goto out_unlock;
1119         }
1120
1121         switch (sbsec->behavior) {
1122         case SECURITY_FS_USE_XATTR:
1123                 if (!inode->i_op->getxattr) {
1124                         isec->sid = sbsec->def_sid;
1125                         break;
1126                 }
1127
1128                 /* Need a dentry, since the xattr API requires one.
1129                    Life would be simpler if we could just pass the inode. */
1130                 if (opt_dentry) {
1131                         /* Called from d_instantiate or d_splice_alias. */
1132                         dentry = dget(opt_dentry);
1133                 } else {
1134                         /* Called from selinux_complete_init, try to find a dentry. */
1135                         dentry = d_find_alias(inode);
1136                 }
1137                 if (!dentry) {
1138                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1139                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1140                                inode->i_ino);
1141                         goto out_unlock;
1142                 }
1143
1144                 len = INITCONTEXTLEN;
1145                 context = kmalloc(len, GFP_KERNEL);
1146                 if (!context) {
1147                         rc = -ENOMEM;
1148                         dput(dentry);
1149                         goto out_unlock;
1150                 }
1151                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152                                            context, len);
1153                 if (rc == -ERANGE) {
1154                         /* Need a larger buffer.  Query for the right size. */
1155                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1156                                                    NULL, 0);
1157                         if (rc < 0) {
1158                                 dput(dentry);
1159                                 goto out_unlock;
1160                         }
1161                         kfree(context);
1162                         len = rc;
1163                         context = kmalloc(len, GFP_KERNEL);
1164                         if (!context) {
1165                                 rc = -ENOMEM;
1166                                 dput(dentry);
1167                                 goto out_unlock;
1168                         }
1169                         rc = inode->i_op->getxattr(dentry,
1170                                                    XATTR_NAME_SELINUX,
1171                                                    context, len);
1172                 }
1173                 dput(dentry);
1174                 if (rc < 0) {
1175                         if (rc != -ENODATA) {
1176                                 printk(KERN_WARNING "%s:  getxattr returned "
1177                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1178                                        -rc, inode->i_sb->s_id, inode->i_ino);
1179                                 kfree(context);
1180                                 goto out_unlock;
1181                         }
1182                         /* Map ENODATA to the default file SID */
1183                         sid = sbsec->def_sid;
1184                         rc = 0;
1185                 } else {
1186                         rc = security_context_to_sid_default(context, rc, &sid,
1187                                                              sbsec->def_sid);
1188                         if (rc) {
1189                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1190                                        "returned %d for dev=%s ino=%ld\n",
1191                                        __FUNCTION__, context, -rc,
1192                                        inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 /* Leave with the unlabeled SID */
1195                                 rc = 0;
1196                                 break;
1197                         }
1198                 }
1199                 kfree(context);
1200                 isec->sid = sid;
1201                 break;
1202         case SECURITY_FS_USE_TASK:
1203                 isec->sid = isec->task_sid;
1204                 break;
1205         case SECURITY_FS_USE_TRANS:
1206                 /* Default to the fs SID. */
1207                 isec->sid = sbsec->sid;
1208
1209                 /* Try to obtain a transition SID. */
1210                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211                 rc = security_transition_sid(isec->task_sid,
1212                                              sbsec->sid,
1213                                              isec->sclass,
1214                                              &sid);
1215                 if (rc)
1216                         goto out_unlock;
1217                 isec->sid = sid;
1218                 break;
1219         case SECURITY_FS_USE_MNTPOINT:
1220                 isec->sid = sbsec->mntpoint_sid;
1221                 break;
1222         default:
1223                 /* Default to the fs superblock SID. */
1224                 isec->sid = sbsec->sid;
1225
1226                 if (sbsec->proc) {
1227                         struct proc_inode *proci = PROC_I(inode);
1228                         if (proci->pde) {
1229                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230                                 rc = selinux_proc_get_sid(proci->pde,
1231                                                           isec->sclass,
1232                                                           &sid);
1233                                 if (rc)
1234                                         goto out_unlock;
1235                                 isec->sid = sid;
1236                         }
1237                 }
1238                 break;
1239         }
1240
1241         isec->initialized = 1;
1242
1243 out_unlock:
1244         mutex_unlock(&isec->lock);
1245 out:
1246         if (isec->sclass == SECCLASS_FILE)
1247                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248         return rc;
1249 }
1250
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1253 {
1254         u32 perm = 0;
1255
1256         switch (sig) {
1257         case SIGCHLD:
1258                 /* Commonly granted from child to parent. */
1259                 perm = PROCESS__SIGCHLD;
1260                 break;
1261         case SIGKILL:
1262                 /* Cannot be caught or ignored */
1263                 perm = PROCESS__SIGKILL;
1264                 break;
1265         case SIGSTOP:
1266                 /* Cannot be caught or ignored */
1267                 perm = PROCESS__SIGSTOP;
1268                 break;
1269         default:
1270                 /* All other signals. */
1271                 perm = PROCESS__SIGNAL;
1272                 break;
1273         }
1274
1275         return perm;
1276 }
1277
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279    fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281                          struct task_struct *tsk2,
1282                          u32 perms)
1283 {
1284         struct task_security_struct *tsec1, *tsec2;
1285
1286         tsec1 = tsk1->security;
1287         tsec2 = tsk2->security;
1288         return avc_has_perm(tsec1->sid, tsec2->sid,
1289                             SECCLASS_PROCESS, perms, NULL);
1290 }
1291
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1294 #endif
1295
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1298                                int cap)
1299 {
1300         struct task_security_struct *tsec;
1301         struct avc_audit_data ad;
1302         u16 sclass;
1303         u32 av = CAP_TO_MASK(cap);
1304
1305         tsec = tsk->security;
1306
1307         AVC_AUDIT_DATA_INIT(&ad,CAP);
1308         ad.tsk = tsk;
1309         ad.u.cap = cap;
1310
1311         switch (CAP_TO_INDEX(cap)) {
1312         case 0:
1313                 sclass = SECCLASS_CAPABILITY;
1314                 break;
1315         case 1:
1316                 sclass = SECCLASS_CAPABILITY2;
1317                 break;
1318         default:
1319                 printk(KERN_ERR
1320                        "SELinux:  out of range capability %d\n", cap);
1321                 BUG();
1322         }
1323         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1324 }
1325
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1328                            u32 perms)
1329 {
1330         struct task_security_struct *tsec;
1331
1332         tsec = tsk->security;
1333
1334         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335                             SECCLASS_SYSTEM, perms, NULL);
1336 }
1337
1338 /* Check whether a task has a particular permission to an inode.
1339    The 'adp' parameter is optional and allows other audit
1340    data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342                           struct inode *inode,
1343                           u32 perms,
1344                           struct avc_audit_data *adp)
1345 {
1346         struct task_security_struct *tsec;
1347         struct inode_security_struct *isec;
1348         struct avc_audit_data ad;
1349
1350         if (unlikely (IS_PRIVATE (inode)))
1351                 return 0;
1352
1353         tsec = tsk->security;
1354         isec = inode->i_security;
1355
1356         if (!adp) {
1357                 adp = &ad;
1358                 AVC_AUDIT_DATA_INIT(&ad, FS);
1359                 ad.u.fs.inode = inode;
1360         }
1361
1362         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1363 }
1364
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366    the dentry to help the auditing code to more easily generate the
1367    pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369                                   struct vfsmount *mnt,
1370                                   struct dentry *dentry,
1371                                   u32 av)
1372 {
1373         struct inode *inode = dentry->d_inode;
1374         struct avc_audit_data ad;
1375         AVC_AUDIT_DATA_INIT(&ad,FS);
1376         ad.u.fs.path.mnt = mnt;
1377         ad.u.fs.path.dentry = dentry;
1378         return inode_has_perm(tsk, inode, av, &ad);
1379 }
1380
1381 /* Check whether a task can use an open file descriptor to
1382    access an inode in a given way.  Check access to the
1383    descriptor itself, and then use dentry_has_perm to
1384    check a particular permission to the file.
1385    Access to the descriptor is implicitly granted if it
1386    has the same SID as the process.  If av is zero, then
1387    access to the file is not checked, e.g. for cases
1388    where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1390                                 struct file *file,
1391                                 u32 av)
1392 {
1393         struct task_security_struct *tsec = tsk->security;
1394         struct file_security_struct *fsec = file->f_security;
1395         struct inode *inode = file->f_path.dentry->d_inode;
1396         struct avc_audit_data ad;
1397         int rc;
1398
1399         AVC_AUDIT_DATA_INIT(&ad, FS);
1400         ad.u.fs.path = file->f_path;
1401
1402         if (tsec->sid != fsec->sid) {
1403                 rc = avc_has_perm(tsec->sid, fsec->sid,
1404                                   SECCLASS_FD,
1405                                   FD__USE,
1406                                   &ad);
1407                 if (rc)
1408                         return rc;
1409         }
1410
1411         /* av is zero if only checking access to the descriptor. */
1412         if (av)
1413                 return inode_has_perm(tsk, inode, av, &ad);
1414
1415         return 0;
1416 }
1417
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420                       struct dentry *dentry,
1421                       u16 tclass)
1422 {
1423         struct task_security_struct *tsec;
1424         struct inode_security_struct *dsec;
1425         struct superblock_security_struct *sbsec;
1426         u32 newsid;
1427         struct avc_audit_data ad;
1428         int rc;
1429
1430         tsec = current->security;
1431         dsec = dir->i_security;
1432         sbsec = dir->i_sb->s_security;
1433
1434         AVC_AUDIT_DATA_INIT(&ad, FS);
1435         ad.u.fs.path.dentry = dentry;
1436
1437         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438                           DIR__ADD_NAME | DIR__SEARCH,
1439                           &ad);
1440         if (rc)
1441                 return rc;
1442
1443         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444                 newsid = tsec->create_sid;
1445         } else {
1446                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447                                              &newsid);
1448                 if (rc)
1449                         return rc;
1450         }
1451
1452         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1453         if (rc)
1454                 return rc;
1455
1456         return avc_has_perm(newsid, sbsec->sid,
1457                             SECCLASS_FILESYSTEM,
1458                             FILESYSTEM__ASSOCIATE, &ad);
1459 }
1460
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463                           struct task_struct *ctx)
1464 {
1465         struct task_security_struct *tsec;
1466
1467         tsec = ctx->security;
1468
1469         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1470 }
1471
1472 #define MAY_LINK   0
1473 #define MAY_UNLINK 1
1474 #define MAY_RMDIR  2
1475
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478                     struct dentry *dentry,
1479                     int kind)
1480
1481 {
1482         struct task_security_struct *tsec;
1483         struct inode_security_struct *dsec, *isec;
1484         struct avc_audit_data ad;
1485         u32 av;
1486         int rc;
1487
1488         tsec = current->security;
1489         dsec = dir->i_security;
1490         isec = dentry->d_inode->i_security;
1491
1492         AVC_AUDIT_DATA_INIT(&ad, FS);
1493         ad.u.fs.path.dentry = dentry;
1494
1495         av = DIR__SEARCH;
1496         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498         if (rc)
1499                 return rc;
1500
1501         switch (kind) {
1502         case MAY_LINK:
1503                 av = FILE__LINK;
1504                 break;
1505         case MAY_UNLINK:
1506                 av = FILE__UNLINK;
1507                 break;
1508         case MAY_RMDIR:
1509                 av = DIR__RMDIR;
1510                 break;
1511         default:
1512                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1513                 return 0;
1514         }
1515
1516         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1517         return rc;
1518 }
1519
1520 static inline int may_rename(struct inode *old_dir,
1521                              struct dentry *old_dentry,
1522                              struct inode *new_dir,
1523                              struct dentry *new_dentry)
1524 {
1525         struct task_security_struct *tsec;
1526         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527         struct avc_audit_data ad;
1528         u32 av;
1529         int old_is_dir, new_is_dir;
1530         int rc;
1531
1532         tsec = current->security;
1533         old_dsec = old_dir->i_security;
1534         old_isec = old_dentry->d_inode->i_security;
1535         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536         new_dsec = new_dir->i_security;
1537
1538         AVC_AUDIT_DATA_INIT(&ad, FS);
1539
1540         ad.u.fs.path.dentry = old_dentry;
1541         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1543         if (rc)
1544                 return rc;
1545         rc = avc_has_perm(tsec->sid, old_isec->sid,
1546                           old_isec->sclass, FILE__RENAME, &ad);
1547         if (rc)
1548                 return rc;
1549         if (old_is_dir && new_dir != old_dir) {
1550                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551                                   old_isec->sclass, DIR__REPARENT, &ad);
1552                 if (rc)
1553                         return rc;
1554         }
1555
1556         ad.u.fs.path.dentry = new_dentry;
1557         av = DIR__ADD_NAME | DIR__SEARCH;
1558         if (new_dentry->d_inode)
1559                 av |= DIR__REMOVE_NAME;
1560         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563         if (new_dentry->d_inode) {
1564                 new_isec = new_dentry->d_inode->i_security;
1565                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567                                   new_isec->sclass,
1568                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1569                 if (rc)
1570                         return rc;
1571         }
1572
1573         return 0;
1574 }
1575
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578                                struct super_block *sb,
1579                                u32 perms,
1580                                struct avc_audit_data *ad)
1581 {
1582         struct task_security_struct *tsec;
1583         struct superblock_security_struct *sbsec;
1584
1585         tsec = tsk->security;
1586         sbsec = sb->s_security;
1587         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1588                             perms, ad);
1589 }
1590
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1593 {
1594         u32 av = 0;
1595
1596         if ((mode & S_IFMT) != S_IFDIR) {
1597                 if (mask & MAY_EXEC)
1598                         av |= FILE__EXECUTE;
1599                 if (mask & MAY_READ)
1600                         av |= FILE__READ;
1601
1602                 if (mask & MAY_APPEND)
1603                         av |= FILE__APPEND;
1604                 else if (mask & MAY_WRITE)
1605                         av |= FILE__WRITE;
1606
1607         } else {
1608                 if (mask & MAY_EXEC)
1609                         av |= DIR__SEARCH;
1610                 if (mask & MAY_WRITE)
1611                         av |= DIR__WRITE;
1612                 if (mask & MAY_READ)
1613                         av |= DIR__READ;
1614         }
1615
1616         return av;
1617 }
1618
1619 /* Convert a Linux file to an access vector. */
1620 static inline u32 file_to_av(struct file *file)
1621 {
1622         u32 av = 0;
1623
1624         if (file->f_mode & FMODE_READ)
1625                 av |= FILE__READ;
1626         if (file->f_mode & FMODE_WRITE) {
1627                 if (file->f_flags & O_APPEND)
1628                         av |= FILE__APPEND;
1629                 else
1630                         av |= FILE__WRITE;
1631         }
1632
1633         return av;
1634 }
1635
1636 /* Hook functions begin here. */
1637
1638 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1639 {
1640         struct task_security_struct *psec = parent->security;
1641         struct task_security_struct *csec = child->security;
1642         int rc;
1643
1644         rc = secondary_ops->ptrace(parent,child);
1645         if (rc)
1646                 return rc;
1647
1648         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1649         /* Save the SID of the tracing process for later use in apply_creds. */
1650         if (!(child->ptrace & PT_PTRACED) && !rc)
1651                 csec->ptrace_sid = psec->sid;
1652         return rc;
1653 }
1654
1655 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1656                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1657 {
1658         int error;
1659
1660         error = task_has_perm(current, target, PROCESS__GETCAP);
1661         if (error)
1662                 return error;
1663
1664         return secondary_ops->capget(target, effective, inheritable, permitted);
1665 }
1666
1667 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1668                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1669 {
1670         int error;
1671
1672         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1673         if (error)
1674                 return error;
1675
1676         return task_has_perm(current, target, PROCESS__SETCAP);
1677 }
1678
1679 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1680                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1681 {
1682         secondary_ops->capset_set(target, effective, inheritable, permitted);
1683 }
1684
1685 static int selinux_capable(struct task_struct *tsk, int cap)
1686 {
1687         int rc;
1688
1689         rc = secondary_ops->capable(tsk, cap);
1690         if (rc)
1691                 return rc;
1692
1693         return task_has_capability(tsk,cap);
1694 }
1695
1696 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1697 {
1698         int buflen, rc;
1699         char *buffer, *path, *end;
1700
1701         rc = -ENOMEM;
1702         buffer = (char*)__get_free_page(GFP_KERNEL);
1703         if (!buffer)
1704                 goto out;
1705
1706         buflen = PAGE_SIZE;
1707         end = buffer+buflen;
1708         *--end = '\0';
1709         buflen--;
1710         path = end-1;
1711         *path = '/';
1712         while (table) {
1713                 const char *name = table->procname;
1714                 size_t namelen = strlen(name);
1715                 buflen -= namelen + 1;
1716                 if (buflen < 0)
1717                         goto out_free;
1718                 end -= namelen;
1719                 memcpy(end, name, namelen);
1720                 *--end = '/';
1721                 path = end;
1722                 table = table->parent;
1723         }
1724         buflen -= 4;
1725         if (buflen < 0)
1726                 goto out_free;
1727         end -= 4;
1728         memcpy(end, "/sys", 4);
1729         path = end;
1730         rc = security_genfs_sid("proc", path, tclass, sid);
1731 out_free:
1732         free_page((unsigned long)buffer);
1733 out:
1734         return rc;
1735 }
1736
1737 static int selinux_sysctl(ctl_table *table, int op)
1738 {
1739         int error = 0;
1740         u32 av;
1741         struct task_security_struct *tsec;
1742         u32 tsid;
1743         int rc;
1744
1745         rc = secondary_ops->sysctl(table, op);
1746         if (rc)
1747                 return rc;
1748
1749         tsec = current->security;
1750
1751         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1752                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1753         if (rc) {
1754                 /* Default to the well-defined sysctl SID. */
1755                 tsid = SECINITSID_SYSCTL;
1756         }
1757
1758         /* The op values are "defined" in sysctl.c, thereby creating
1759          * a bad coupling between this module and sysctl.c */
1760         if(op == 001) {
1761                 error = avc_has_perm(tsec->sid, tsid,
1762                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1763         } else {
1764                 av = 0;
1765                 if (op & 004)
1766                         av |= FILE__READ;
1767                 if (op & 002)
1768                         av |= FILE__WRITE;
1769                 if (av)
1770                         error = avc_has_perm(tsec->sid, tsid,
1771                                              SECCLASS_FILE, av, NULL);
1772         }
1773
1774         return error;
1775 }
1776
1777 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1778 {
1779         int rc = 0;
1780
1781         if (!sb)
1782                 return 0;
1783
1784         switch (cmds) {
1785                 case Q_SYNC:
1786                 case Q_QUOTAON:
1787                 case Q_QUOTAOFF:
1788                 case Q_SETINFO:
1789                 case Q_SETQUOTA:
1790                         rc = superblock_has_perm(current,
1791                                                  sb,
1792                                                  FILESYSTEM__QUOTAMOD, NULL);
1793                         break;
1794                 case Q_GETFMT:
1795                 case Q_GETINFO:
1796                 case Q_GETQUOTA:
1797                         rc = superblock_has_perm(current,
1798                                                  sb,
1799                                                  FILESYSTEM__QUOTAGET, NULL);
1800                         break;
1801                 default:
1802                         rc = 0;  /* let the kernel handle invalid cmds */
1803                         break;
1804         }
1805         return rc;
1806 }
1807
1808 static int selinux_quota_on(struct dentry *dentry)
1809 {
1810         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1811 }
1812
1813 static int selinux_syslog(int type)
1814 {
1815         int rc;
1816
1817         rc = secondary_ops->syslog(type);
1818         if (rc)
1819                 return rc;
1820
1821         switch (type) {
1822                 case 3:         /* Read last kernel messages */
1823                 case 10:        /* Return size of the log buffer */
1824                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1825                         break;
1826                 case 6:         /* Disable logging to console */
1827                 case 7:         /* Enable logging to console */
1828                 case 8:         /* Set level of messages printed to console */
1829                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1830                         break;
1831                 case 0:         /* Close log */
1832                 case 1:         /* Open log */
1833                 case 2:         /* Read from log */
1834                 case 4:         /* Read/clear last kernel messages */
1835                 case 5:         /* Clear ring buffer */
1836                 default:
1837                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1838                         break;
1839         }
1840         return rc;
1841 }
1842
1843 /*
1844  * Check that a process has enough memory to allocate a new virtual
1845  * mapping. 0 means there is enough memory for the allocation to
1846  * succeed and -ENOMEM implies there is not.
1847  *
1848  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1849  * if the capability is granted, but __vm_enough_memory requires 1 if
1850  * the capability is granted.
1851  *
1852  * Do not audit the selinux permission check, as this is applied to all
1853  * processes that allocate mappings.
1854  */
1855 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1856 {
1857         int rc, cap_sys_admin = 0;
1858         struct task_security_struct *tsec = current->security;
1859
1860         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1861         if (rc == 0)
1862                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1863                                           SECCLASS_CAPABILITY,
1864                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1865                                           0,
1866                                           NULL);
1867
1868         if (rc == 0)
1869                 cap_sys_admin = 1;
1870
1871         return __vm_enough_memory(mm, pages, cap_sys_admin);
1872 }
1873
1874 /* binprm security operations */
1875
1876 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1877 {
1878         struct bprm_security_struct *bsec;
1879
1880         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1881         if (!bsec)
1882                 return -ENOMEM;
1883
1884         bsec->bprm = bprm;
1885         bsec->sid = SECINITSID_UNLABELED;
1886         bsec->set = 0;
1887
1888         bprm->security = bsec;
1889         return 0;
1890 }
1891
1892 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1893 {
1894         struct task_security_struct *tsec;
1895         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1896         struct inode_security_struct *isec;
1897         struct bprm_security_struct *bsec;
1898         u32 newsid;
1899         struct avc_audit_data ad;
1900         int rc;
1901
1902         rc = secondary_ops->bprm_set_security(bprm);
1903         if (rc)
1904                 return rc;
1905
1906         bsec = bprm->security;
1907
1908         if (bsec->set)
1909                 return 0;
1910
1911         tsec = current->security;
1912         isec = inode->i_security;
1913
1914         /* Default to the current task SID. */
1915         bsec->sid = tsec->sid;
1916
1917         /* Reset fs, key, and sock SIDs on execve. */
1918         tsec->create_sid = 0;
1919         tsec->keycreate_sid = 0;
1920         tsec->sockcreate_sid = 0;
1921
1922         if (tsec->exec_sid) {
1923                 newsid = tsec->exec_sid;
1924                 /* Reset exec SID on execve. */
1925                 tsec->exec_sid = 0;
1926         } else {
1927                 /* Check for a default transition on this program. */
1928                 rc = security_transition_sid(tsec->sid, isec->sid,
1929                                              SECCLASS_PROCESS, &newsid);
1930                 if (rc)
1931                         return rc;
1932         }
1933
1934         AVC_AUDIT_DATA_INIT(&ad, FS);
1935         ad.u.fs.path = bprm->file->f_path;
1936
1937         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1938                 newsid = tsec->sid;
1939
1940         if (tsec->sid == newsid) {
1941                 rc = avc_has_perm(tsec->sid, isec->sid,
1942                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1943                 if (rc)
1944                         return rc;
1945         } else {
1946                 /* Check permissions for the transition. */
1947                 rc = avc_has_perm(tsec->sid, newsid,
1948                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1949                 if (rc)
1950                         return rc;
1951
1952                 rc = avc_has_perm(newsid, isec->sid,
1953                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1954                 if (rc)
1955                         return rc;
1956
1957                 /* Clear any possibly unsafe personality bits on exec: */
1958                 current->personality &= ~PER_CLEAR_ON_SETID;
1959
1960                 /* Set the security field to the new SID. */
1961                 bsec->sid = newsid;
1962         }
1963
1964         bsec->set = 1;
1965         return 0;
1966 }
1967
1968 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1969 {
1970         return secondary_ops->bprm_check_security(bprm);
1971 }
1972
1973
1974 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1975 {
1976         struct task_security_struct *tsec = current->security;
1977         int atsecure = 0;
1978
1979         if (tsec->osid != tsec->sid) {
1980                 /* Enable secure mode for SIDs transitions unless
1981                    the noatsecure permission is granted between
1982                    the two SIDs, i.e. ahp returns 0. */
1983                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1984                                          SECCLASS_PROCESS,
1985                                          PROCESS__NOATSECURE, NULL);
1986         }
1987
1988         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1989 }
1990
1991 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1992 {
1993         kfree(bprm->security);
1994         bprm->security = NULL;
1995 }
1996
1997 extern struct vfsmount *selinuxfs_mount;
1998 extern struct dentry *selinux_null;
1999
2000 /* Derived from fs/exec.c:flush_old_files. */
2001 static inline void flush_unauthorized_files(struct files_struct * files)
2002 {
2003         struct avc_audit_data ad;
2004         struct file *file, *devnull = NULL;
2005         struct tty_struct *tty;
2006         struct fdtable *fdt;
2007         long j = -1;
2008         int drop_tty = 0;
2009
2010         mutex_lock(&tty_mutex);
2011         tty = get_current_tty();
2012         if (tty) {
2013                 file_list_lock();
2014                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2015                 if (file) {
2016                         /* Revalidate access to controlling tty.
2017                            Use inode_has_perm on the tty inode directly rather
2018                            than using file_has_perm, as this particular open
2019                            file may belong to another process and we are only
2020                            interested in the inode-based check here. */
2021                         struct inode *inode = file->f_path.dentry->d_inode;
2022                         if (inode_has_perm(current, inode,
2023                                            FILE__READ | FILE__WRITE, NULL)) {
2024                                 drop_tty = 1;
2025                         }
2026                 }
2027                 file_list_unlock();
2028         }
2029         mutex_unlock(&tty_mutex);
2030         /* Reset controlling tty. */
2031         if (drop_tty)
2032                 no_tty();
2033
2034         /* Revalidate access to inherited open files. */
2035
2036         AVC_AUDIT_DATA_INIT(&ad,FS);
2037
2038         spin_lock(&files->file_lock);
2039         for (;;) {
2040                 unsigned long set, i;
2041                 int fd;
2042
2043                 j++;
2044                 i = j * __NFDBITS;
2045                 fdt = files_fdtable(files);
2046                 if (i >= fdt->max_fds)
2047                         break;
2048                 set = fdt->open_fds->fds_bits[j];
2049                 if (!set)
2050                         continue;
2051                 spin_unlock(&files->file_lock);
2052                 for ( ; set ; i++,set >>= 1) {
2053                         if (set & 1) {
2054                                 file = fget(i);
2055                                 if (!file)
2056                                         continue;
2057                                 if (file_has_perm(current,
2058                                                   file,
2059                                                   file_to_av(file))) {
2060                                         sys_close(i);
2061                                         fd = get_unused_fd();
2062                                         if (fd != i) {
2063                                                 if (fd >= 0)
2064                                                         put_unused_fd(fd);
2065                                                 fput(file);
2066                                                 continue;
2067                                         }
2068                                         if (devnull) {
2069                                                 get_file(devnull);
2070                                         } else {
2071                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2072                                                 if (IS_ERR(devnull)) {
2073                                                         devnull = NULL;
2074                                                         put_unused_fd(fd);
2075                                                         fput(file);
2076                                                         continue;
2077                                                 }
2078                                         }
2079                                         fd_install(fd, devnull);
2080                                 }
2081                                 fput(file);
2082                         }
2083                 }
2084                 spin_lock(&files->file_lock);
2085
2086         }
2087         spin_unlock(&files->file_lock);
2088 }
2089
2090 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2091 {
2092         struct task_security_struct *tsec;
2093         struct bprm_security_struct *bsec;
2094         u32 sid;
2095         int rc;
2096
2097         secondary_ops->bprm_apply_creds(bprm, unsafe);
2098
2099         tsec = current->security;
2100
2101         bsec = bprm->security;
2102         sid = bsec->sid;
2103
2104         tsec->osid = tsec->sid;
2105         bsec->unsafe = 0;
2106         if (tsec->sid != sid) {
2107                 /* Check for shared state.  If not ok, leave SID
2108                    unchanged and kill. */
2109                 if (unsafe & LSM_UNSAFE_SHARE) {
2110                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2111                                         PROCESS__SHARE, NULL);
2112                         if (rc) {
2113                                 bsec->unsafe = 1;
2114                                 return;
2115                         }
2116                 }
2117
2118                 /* Check for ptracing, and update the task SID if ok.
2119                    Otherwise, leave SID unchanged and kill. */
2120                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2121                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2122                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2123                                           NULL);
2124                         if (rc) {
2125                                 bsec->unsafe = 1;
2126                                 return;
2127                         }
2128                 }
2129                 tsec->sid = sid;
2130         }
2131 }
2132
2133 /*
2134  * called after apply_creds without the task lock held
2135  */
2136 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2137 {
2138         struct task_security_struct *tsec;
2139         struct rlimit *rlim, *initrlim;
2140         struct itimerval itimer;
2141         struct bprm_security_struct *bsec;
2142         int rc, i;
2143
2144         tsec = current->security;
2145         bsec = bprm->security;
2146
2147         if (bsec->unsafe) {
2148                 force_sig_specific(SIGKILL, current);
2149                 return;
2150         }
2151         if (tsec->osid == tsec->sid)
2152                 return;
2153
2154         /* Close files for which the new task SID is not authorized. */
2155         flush_unauthorized_files(current->files);
2156
2157         /* Check whether the new SID can inherit signal state
2158            from the old SID.  If not, clear itimers to avoid
2159            subsequent signal generation and flush and unblock
2160            signals. This must occur _after_ the task SID has
2161           been updated so that any kill done after the flush
2162           will be checked against the new SID. */
2163         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2164                           PROCESS__SIGINH, NULL);
2165         if (rc) {
2166                 memset(&itimer, 0, sizeof itimer);
2167                 for (i = 0; i < 3; i++)
2168                         do_setitimer(i, &itimer, NULL);
2169                 flush_signals(current);
2170                 spin_lock_irq(&current->sighand->siglock);
2171                 flush_signal_handlers(current, 1);
2172                 sigemptyset(&current->blocked);
2173                 recalc_sigpending();
2174                 spin_unlock_irq(&current->sighand->siglock);
2175         }
2176
2177         /* Always clear parent death signal on SID transitions. */
2178         current->pdeath_signal = 0;
2179
2180         /* Check whether the new SID can inherit resource limits
2181            from the old SID.  If not, reset all soft limits to
2182            the lower of the current task's hard limit and the init
2183            task's soft limit.  Note that the setting of hard limits
2184            (even to lower them) can be controlled by the setrlimit
2185            check. The inclusion of the init task's soft limit into
2186            the computation is to avoid resetting soft limits higher
2187            than the default soft limit for cases where the default
2188            is lower than the hard limit, e.g. RLIMIT_CORE or
2189            RLIMIT_STACK.*/
2190         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2191                           PROCESS__RLIMITINH, NULL);
2192         if (rc) {
2193                 for (i = 0; i < RLIM_NLIMITS; i++) {
2194                         rlim = current->signal->rlim + i;
2195                         initrlim = init_task.signal->rlim+i;
2196                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2197                 }
2198                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2199                         /*
2200                          * This will cause RLIMIT_CPU calculations
2201                          * to be refigured.
2202                          */
2203                         current->it_prof_expires = jiffies_to_cputime(1);
2204                 }
2205         }
2206
2207         /* Wake up the parent if it is waiting so that it can
2208            recheck wait permission to the new task SID. */
2209         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2210 }
2211
2212 /* superblock security operations */
2213
2214 static int selinux_sb_alloc_security(struct super_block *sb)
2215 {
2216         return superblock_alloc_security(sb);
2217 }
2218
2219 static void selinux_sb_free_security(struct super_block *sb)
2220 {
2221         superblock_free_security(sb);
2222 }
2223
2224 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2225 {
2226         if (plen > olen)
2227                 return 0;
2228
2229         return !memcmp(prefix, option, plen);
2230 }
2231
2232 static inline int selinux_option(char *option, int len)
2233 {
2234         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2235                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2236                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2237                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2238 }
2239
2240 static inline void take_option(char **to, char *from, int *first, int len)
2241 {
2242         if (!*first) {
2243                 **to = ',';
2244                 *to += 1;
2245         } else
2246                 *first = 0;
2247         memcpy(*to, from, len);
2248         *to += len;
2249 }
2250
2251 static inline void take_selinux_option(char **to, char *from, int *first, 
2252                                        int len)
2253 {
2254         int current_size = 0;
2255
2256         if (!*first) {
2257                 **to = '|';
2258                 *to += 1;
2259         }
2260         else
2261                 *first = 0;
2262
2263         while (current_size < len) {
2264                 if (*from != '"') {
2265                         **to = *from;
2266                         *to += 1;
2267                 }
2268                 from += 1;
2269                 current_size += 1;
2270         }
2271 }
2272
2273 static int selinux_sb_copy_data(char *orig, char *copy)
2274 {
2275         int fnosec, fsec, rc = 0;
2276         char *in_save, *in_curr, *in_end;
2277         char *sec_curr, *nosec_save, *nosec;
2278         int open_quote = 0;
2279
2280         in_curr = orig;
2281         sec_curr = copy;
2282
2283         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2284         if (!nosec) {
2285                 rc = -ENOMEM;
2286                 goto out;
2287         }
2288
2289         nosec_save = nosec;
2290         fnosec = fsec = 1;
2291         in_save = in_end = orig;
2292
2293         do {
2294                 if (*in_end == '"')
2295                         open_quote = !open_quote;
2296                 if ((*in_end == ',' && open_quote == 0) ||
2297                                 *in_end == '\0') {
2298                         int len = in_end - in_curr;
2299
2300                         if (selinux_option(in_curr, len))
2301                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2302                         else
2303                                 take_option(&nosec, in_curr, &fnosec, len);
2304
2305                         in_curr = in_end + 1;
2306                 }
2307         } while (*in_end++);
2308
2309         strcpy(in_save, nosec_save);
2310         free_page((unsigned long)nosec_save);
2311 out:
2312         return rc;
2313 }
2314
2315 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2316 {
2317         struct avc_audit_data ad;
2318         int rc;
2319
2320         rc = superblock_doinit(sb, data);
2321         if (rc)
2322                 return rc;
2323
2324         AVC_AUDIT_DATA_INIT(&ad,FS);
2325         ad.u.fs.path.dentry = sb->s_root;
2326         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2327 }
2328
2329 static int selinux_sb_statfs(struct dentry *dentry)
2330 {
2331         struct avc_audit_data ad;
2332
2333         AVC_AUDIT_DATA_INIT(&ad,FS);
2334         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2335         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2336 }
2337
2338 static int selinux_mount(char * dev_name,
2339                          struct nameidata *nd,
2340                          char * type,
2341                          unsigned long flags,
2342                          void * data)
2343 {
2344         int rc;
2345
2346         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2347         if (rc)
2348                 return rc;
2349
2350         if (flags & MS_REMOUNT)
2351                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2352                                            FILESYSTEM__REMOUNT, NULL);
2353         else
2354                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2355                                        FILE__MOUNTON);
2356 }
2357
2358 static int selinux_umount(struct vfsmount *mnt, int flags)
2359 {
2360         int rc;
2361
2362         rc = secondary_ops->sb_umount(mnt, flags);
2363         if (rc)
2364                 return rc;
2365
2366         return superblock_has_perm(current,mnt->mnt_sb,
2367                                    FILESYSTEM__UNMOUNT,NULL);
2368 }
2369
2370 /* inode security operations */
2371
2372 static int selinux_inode_alloc_security(struct inode *inode)
2373 {
2374         return inode_alloc_security(inode);
2375 }
2376
2377 static void selinux_inode_free_security(struct inode *inode)
2378 {
2379         inode_free_security(inode);
2380 }
2381
2382 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2383                                        char **name, void **value,
2384                                        size_t *len)
2385 {
2386         struct task_security_struct *tsec;
2387         struct inode_security_struct *dsec;
2388         struct superblock_security_struct *sbsec;
2389         u32 newsid, clen;
2390         int rc;
2391         char *namep = NULL, *context;
2392
2393         tsec = current->security;
2394         dsec = dir->i_security;
2395         sbsec = dir->i_sb->s_security;
2396
2397         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2398                 newsid = tsec->create_sid;
2399         } else {
2400                 rc = security_transition_sid(tsec->sid, dsec->sid,
2401                                              inode_mode_to_security_class(inode->i_mode),
2402                                              &newsid);
2403                 if (rc) {
2404                         printk(KERN_WARNING "%s:  "
2405                                "security_transition_sid failed, rc=%d (dev=%s "
2406                                "ino=%ld)\n",
2407                                __FUNCTION__,
2408                                -rc, inode->i_sb->s_id, inode->i_ino);
2409                         return rc;
2410                 }
2411         }
2412
2413         /* Possibly defer initialization to selinux_complete_init. */
2414         if (sbsec->initialized) {
2415                 struct inode_security_struct *isec = inode->i_security;
2416                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2417                 isec->sid = newsid;
2418                 isec->initialized = 1;
2419         }
2420
2421         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2422                 return -EOPNOTSUPP;
2423
2424         if (name) {
2425                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2426                 if (!namep)
2427                         return -ENOMEM;
2428                 *name = namep;
2429         }
2430
2431         if (value && len) {
2432                 rc = security_sid_to_context(newsid, &context, &clen);
2433                 if (rc) {
2434                         kfree(namep);
2435                         return rc;
2436                 }
2437                 *value = context;
2438                 *len = clen;
2439         }
2440
2441         return 0;
2442 }
2443
2444 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2445 {
2446         return may_create(dir, dentry, SECCLASS_FILE);
2447 }
2448
2449 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2450 {
2451         int rc;
2452
2453         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2454         if (rc)
2455                 return rc;
2456         return may_link(dir, old_dentry, MAY_LINK);
2457 }
2458
2459 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2460 {
2461         int rc;
2462
2463         rc = secondary_ops->inode_unlink(dir, dentry);
2464         if (rc)
2465                 return rc;
2466         return may_link(dir, dentry, MAY_UNLINK);
2467 }
2468
2469 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2470 {
2471         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2472 }
2473
2474 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2475 {
2476         return may_create(dir, dentry, SECCLASS_DIR);
2477 }
2478
2479 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2480 {
2481         return may_link(dir, dentry, MAY_RMDIR);
2482 }
2483
2484 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2485 {
2486         int rc;
2487
2488         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2489         if (rc)
2490                 return rc;
2491
2492         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2493 }
2494
2495 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2496                                 struct inode *new_inode, struct dentry *new_dentry)
2497 {
2498         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2499 }
2500
2501 static int selinux_inode_readlink(struct dentry *dentry)
2502 {
2503         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2504 }
2505
2506 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2507 {
2508         int rc;
2509
2510         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2511         if (rc)
2512                 return rc;
2513         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2514 }
2515
2516 static int selinux_inode_permission(struct inode *inode, int mask,
2517                                     struct nameidata *nd)
2518 {
2519         int rc;
2520
2521         rc = secondary_ops->inode_permission(inode, mask, nd);
2522         if (rc)
2523                 return rc;
2524
2525         if (!mask) {
2526                 /* No permission to check.  Existence test. */
2527                 return 0;
2528         }
2529
2530         return inode_has_perm(current, inode,
2531                                file_mask_to_av(inode->i_mode, mask), NULL);
2532 }
2533
2534 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2535 {
2536         int rc;
2537
2538         rc = secondary_ops->inode_setattr(dentry, iattr);
2539         if (rc)
2540                 return rc;
2541
2542         if (iattr->ia_valid & ATTR_FORCE)
2543                 return 0;
2544
2545         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2546                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2547                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2548
2549         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2550 }
2551
2552 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2553 {
2554         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2555 }
2556
2557 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2558 {
2559         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2560                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2561                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2562                         if (!capable(CAP_SETFCAP))
2563                                 return -EPERM;
2564                 } else if (!capable(CAP_SYS_ADMIN)) {
2565                         /* A different attribute in the security namespace.
2566                            Restrict to administrator. */
2567                         return -EPERM;
2568                 }
2569         }
2570
2571         /* Not an attribute we recognize, so just check the
2572            ordinary setattr permission. */
2573         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2574 }
2575
2576 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2577 {
2578         struct task_security_struct *tsec = current->security;
2579         struct inode *inode = dentry->d_inode;
2580         struct inode_security_struct *isec = inode->i_security;
2581         struct superblock_security_struct *sbsec;
2582         struct avc_audit_data ad;
2583         u32 newsid;
2584         int rc = 0;
2585
2586         if (strcmp(name, XATTR_NAME_SELINUX))
2587                 return selinux_inode_setotherxattr(dentry, name);
2588
2589         sbsec = inode->i_sb->s_security;
2590         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2591                 return -EOPNOTSUPP;
2592
2593         if (!is_owner_or_cap(inode))
2594                 return -EPERM;
2595
2596         AVC_AUDIT_DATA_INIT(&ad,FS);
2597         ad.u.fs.path.dentry = dentry;
2598
2599         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2600                           FILE__RELABELFROM, &ad);
2601         if (rc)
2602                 return rc;
2603
2604         rc = security_context_to_sid(value, size, &newsid);
2605         if (rc)
2606                 return rc;
2607
2608         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2609                           FILE__RELABELTO, &ad);
2610         if (rc)
2611                 return rc;
2612
2613         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2614                                           isec->sclass);
2615         if (rc)
2616                 return rc;
2617
2618         return avc_has_perm(newsid,
2619                             sbsec->sid,
2620                             SECCLASS_FILESYSTEM,
2621                             FILESYSTEM__ASSOCIATE,
2622                             &ad);
2623 }
2624
2625 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2626                                         void *value, size_t size, int flags)
2627 {
2628         struct inode *inode = dentry->d_inode;
2629         struct inode_security_struct *isec = inode->i_security;
2630         u32 newsid;
2631         int rc;
2632
2633         if (strcmp(name, XATTR_NAME_SELINUX)) {
2634                 /* Not an attribute we recognize, so nothing to do. */
2635                 return;
2636         }
2637
2638         rc = security_context_to_sid(value, size, &newsid);
2639         if (rc) {
2640                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2641                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2642                 return;
2643         }
2644
2645         isec->sid = newsid;
2646         return;
2647 }
2648
2649 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2650 {
2651         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2652 }
2653
2654 static int selinux_inode_listxattr (struct dentry *dentry)
2655 {
2656         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2657 }
2658
2659 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2660 {
2661         if (strcmp(name, XATTR_NAME_SELINUX))
2662                 return selinux_inode_setotherxattr(dentry, name);
2663
2664         /* No one is allowed to remove a SELinux security label.
2665            You can change the label, but all data must be labeled. */
2666         return -EACCES;
2667 }
2668
2669 /*
2670  * Copy the in-core inode security context value to the user.  If the
2671  * getxattr() prior to this succeeded, check to see if we need to
2672  * canonicalize the value to be finally returned to the user.
2673  *
2674  * Permission check is handled by selinux_inode_getxattr hook.
2675  */
2676 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2677 {
2678         u32 size;
2679         int error;
2680         char *context = NULL;
2681         struct inode_security_struct *isec = inode->i_security;
2682
2683         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2684                 return -EOPNOTSUPP;
2685
2686         error = security_sid_to_context(isec->sid, &context, &size);
2687         if (error)
2688                 return error;
2689         error = size;
2690         if (alloc) {
2691                 *buffer = context;
2692                 goto out_nofree;
2693         }
2694         kfree(context);
2695 out_nofree:
2696         return error;
2697 }
2698
2699 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2700                                      const void *value, size_t size, int flags)
2701 {
2702         struct inode_security_struct *isec = inode->i_security;
2703         u32 newsid;
2704         int rc;
2705
2706         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2707                 return -EOPNOTSUPP;
2708
2709         if (!value || !size)
2710                 return -EACCES;
2711
2712         rc = security_context_to_sid((void*)value, size, &newsid);
2713         if (rc)
2714                 return rc;
2715
2716         isec->sid = newsid;
2717         return 0;
2718 }
2719
2720 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2721 {
2722         const int len = sizeof(XATTR_NAME_SELINUX);
2723         if (buffer && len <= buffer_size)
2724                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2725         return len;
2726 }
2727
2728 static int selinux_inode_need_killpriv(struct dentry *dentry)
2729 {
2730         return secondary_ops->inode_need_killpriv(dentry);
2731 }
2732
2733 static int selinux_inode_killpriv(struct dentry *dentry)
2734 {
2735         return secondary_ops->inode_killpriv(dentry);
2736 }
2737
2738 /* file security operations */
2739
2740 static int selinux_revalidate_file_permission(struct file *file, int mask)
2741 {
2742         int rc;
2743         struct inode *inode = file->f_path.dentry->d_inode;
2744
2745         if (!mask) {
2746                 /* No permission to check.  Existence test. */
2747                 return 0;
2748         }
2749
2750         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2751         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2752                 mask |= MAY_APPEND;
2753
2754         rc = file_has_perm(current, file,
2755                            file_mask_to_av(inode->i_mode, mask));
2756         if (rc)
2757                 return rc;
2758
2759         return selinux_netlbl_inode_permission(inode, mask);
2760 }
2761
2762 static int selinux_file_permission(struct file *file, int mask)
2763 {
2764         struct inode *inode = file->f_path.dentry->d_inode;
2765         struct task_security_struct *tsec = current->security;
2766         struct file_security_struct *fsec = file->f_security;
2767         struct inode_security_struct *isec = inode->i_security;
2768
2769         if (!mask) {
2770                 /* No permission to check.  Existence test. */
2771                 return 0;
2772         }
2773
2774         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2775             && fsec->pseqno == avc_policy_seqno())
2776                 return selinux_netlbl_inode_permission(inode, mask);
2777
2778         return selinux_revalidate_file_permission(file, mask);
2779 }
2780
2781 static int selinux_file_alloc_security(struct file *file)
2782 {
2783         return file_alloc_security(file);
2784 }
2785
2786 static void selinux_file_free_security(struct file *file)
2787 {
2788         file_free_security(file);
2789 }
2790
2791 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2792                               unsigned long arg)
2793 {
2794         int error = 0;
2795
2796         switch (cmd) {
2797                 case FIONREAD:
2798                 /* fall through */
2799                 case FIBMAP:
2800                 /* fall through */
2801                 case FIGETBSZ:
2802                 /* fall through */
2803                 case EXT2_IOC_GETFLAGS:
2804                 /* fall through */
2805                 case EXT2_IOC_GETVERSION:
2806                         error = file_has_perm(current, file, FILE__GETATTR);
2807                         break;
2808
2809                 case EXT2_IOC_SETFLAGS:
2810                 /* fall through */
2811                 case EXT2_IOC_SETVERSION:
2812                         error = file_has_perm(current, file, FILE__SETATTR);
2813                         break;
2814
2815                 /* sys_ioctl() checks */
2816                 case FIONBIO:
2817                 /* fall through */
2818                 case FIOASYNC:
2819                         error = file_has_perm(current, file, 0);
2820                         break;
2821
2822                 case KDSKBENT:
2823                 case KDSKBSENT:
2824                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2825                         break;
2826
2827                 /* default case assumes that the command will go
2828                  * to the file's ioctl() function.
2829                  */
2830                 default:
2831                         error = file_has_perm(current, file, FILE__IOCTL);
2832
2833         }
2834         return error;
2835 }
2836
2837 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2838 {
2839 #ifndef CONFIG_PPC32
2840         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2841                 /*
2842                  * We are making executable an anonymous mapping or a
2843                  * private file mapping that will also be writable.
2844                  * This has an additional check.
2845                  */
2846                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2847                 if (rc)
2848                         return rc;
2849         }
2850 #endif
2851
2852         if (file) {
2853                 /* read access is always possible with a mapping */
2854                 u32 av = FILE__READ;
2855
2856                 /* write access only matters if the mapping is shared */
2857                 if (shared && (prot & PROT_WRITE))
2858                         av |= FILE__WRITE;
2859
2860                 if (prot & PROT_EXEC)
2861                         av |= FILE__EXECUTE;
2862
2863                 return file_has_perm(current, file, av);
2864         }
2865         return 0;
2866 }
2867
2868 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2869                              unsigned long prot, unsigned long flags,
2870                              unsigned long addr, unsigned long addr_only)
2871 {
2872         int rc = 0;
2873         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2874
2875         if (addr < mmap_min_addr)
2876                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2877                                   MEMPROTECT__MMAP_ZERO, NULL);
2878         if (rc || addr_only)
2879                 return rc;
2880
2881         if (selinux_checkreqprot)
2882                 prot = reqprot;
2883
2884         return file_map_prot_check(file, prot,
2885                                    (flags & MAP_TYPE) == MAP_SHARED);
2886 }
2887
2888 static int selinux_file_mprotect(struct vm_area_struct *vma,
2889                                  unsigned long reqprot,
2890                                  unsigned long prot)
2891 {
2892         int rc;
2893
2894         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2895         if (rc)
2896                 return rc;
2897
2898         if (selinux_checkreqprot)
2899                 prot = reqprot;
2900
2901 #ifndef CONFIG_PPC32
2902         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2903                 rc = 0;
2904                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2905                     vma->vm_end <= vma->vm_mm->brk) {
2906                         rc = task_has_perm(current, current,
2907                                            PROCESS__EXECHEAP);
2908                 } else if (!vma->vm_file &&
2909                            vma->vm_start <= vma->vm_mm->start_stack &&
2910                            vma->vm_end >= vma->vm_mm->start_stack) {
2911                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2912                 } else if (vma->vm_file && vma->anon_vma) {
2913                         /*
2914                          * We are making executable a file mapping that has
2915                          * had some COW done. Since pages might have been
2916                          * written, check ability to execute the possibly
2917                          * modified content.  This typically should only
2918                          * occur for text relocations.
2919                          */
2920                         rc = file_has_perm(current, vma->vm_file,
2921                                            FILE__EXECMOD);
2922                 }
2923                 if (rc)
2924                         return rc;
2925         }
2926 #endif
2927
2928         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2929 }
2930
2931 static int selinux_file_lock(struct file *file, unsigned int cmd)
2932 {
2933         return file_has_perm(current, file, FILE__LOCK);
2934 }
2935
2936 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2937                               unsigned long arg)
2938 {
2939         int err = 0;
2940
2941         switch (cmd) {
2942                 case F_SETFL:
2943                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2944                                 err = -EINVAL;
2945                                 break;
2946                         }
2947
2948                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2949                                 err = file_has_perm(current, file,FILE__WRITE);
2950                                 break;
2951                         }
2952                         /* fall through */
2953                 case F_SETOWN:
2954                 case F_SETSIG:
2955                 case F_GETFL:
2956                 case F_GETOWN:
2957                 case F_GETSIG:
2958                         /* Just check FD__USE permission */
2959                         err = file_has_perm(current, file, 0);
2960                         break;
2961                 case F_GETLK:
2962                 case F_SETLK:
2963                 case F_SETLKW:
2964 #if BITS_PER_LONG == 32
2965                 case F_GETLK64:
2966                 case F_SETLK64:
2967                 case F_SETLKW64:
2968 #endif
2969                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2970                                 err = -EINVAL;
2971                                 break;
2972                         }
2973                         err = file_has_perm(current, file, FILE__LOCK);
2974                         break;
2975         }
2976
2977         return err;
2978 }
2979
2980 static int selinux_file_set_fowner(struct file *file)
2981 {
2982         struct task_security_struct *tsec;
2983         struct file_security_struct *fsec;
2984
2985         tsec = current->security;
2986         fsec = file->f_security;
2987         fsec->fown_sid = tsec->sid;
2988
2989         return 0;
2990 }
2991
2992 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2993                                        struct fown_struct *fown, int signum)
2994 {
2995         struct file *file;
2996         u32 perm;
2997         struct task_security_struct *tsec;
2998         struct file_security_struct *fsec;
2999
3000         /* struct fown_struct is never outside the context of a struct file */
3001         file = container_of(fown, struct file, f_owner);
3002
3003         tsec = tsk->security;
3004         fsec = file->f_security;
3005
3006         if (!signum)
3007                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3008         else
3009                 perm = signal_to_av(signum);
3010
3011         return avc_has_perm(fsec->fown_sid, tsec->sid,
3012                             SECCLASS_PROCESS, perm, NULL);
3013 }
3014
3015 static int selinux_file_receive(struct file *file)
3016 {
3017         return file_has_perm(current, file, file_to_av(file));
3018 }
3019
3020 static int selinux_dentry_open(struct file *file)
3021 {
3022         struct file_security_struct *fsec;
3023         struct inode *inode;
3024         struct inode_security_struct *isec;
3025         inode = file->f_path.dentry->d_inode;
3026         fsec = file->f_security;
3027         isec = inode->i_security;
3028         /*
3029          * Save inode label and policy sequence number
3030          * at open-time so that selinux_file_permission
3031          * can determine whether revalidation is necessary.
3032          * Task label is already saved in the file security
3033          * struct as its SID.
3034          */
3035         fsec->isid = isec->sid;
3036         fsec->pseqno = avc_policy_seqno();
3037         /*
3038          * Since the inode label or policy seqno may have changed
3039          * between the selinux_inode_permission check and the saving
3040          * of state above, recheck that access is still permitted.
3041          * Otherwise, access might never be revalidated against the
3042          * new inode label or new policy.
3043          * This check is not redundant - do not remove.
3044          */
3045         return inode_has_perm(current, inode, file_to_av(file), NULL);
3046 }
3047
3048 /* task security operations */
3049
3050 static int selinux_task_create(unsigned long clone_flags)
3051 {
3052         int rc;
3053
3054         rc = secondary_ops->task_create(clone_flags);
3055         if (rc)
3056                 return rc;
3057
3058         return task_has_perm(current, current, PROCESS__FORK);
3059 }
3060
3061 static int selinux_task_alloc_security(struct task_struct *tsk)
3062 {
3063         struct task_security_struct *tsec1, *tsec2;
3064         int rc;
3065
3066         tsec1 = current->security;
3067
3068         rc = task_alloc_security(tsk);
3069         if (rc)
3070                 return rc;
3071         tsec2 = tsk->security;
3072
3073         tsec2->osid = tsec1->osid;
3074         tsec2->sid = tsec1->sid;
3075
3076         /* Retain the exec, fs, key, and sock SIDs across fork */
3077         tsec2->exec_sid = tsec1->exec_sid;
3078         tsec2->create_sid = tsec1->create_sid;
3079         tsec2->keycreate_sid = tsec1->keycreate_sid;
3080         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3081
3082         /* Retain ptracer SID across fork, if any.
3083            This will be reset by the ptrace hook upon any
3084            subsequent ptrace_attach operations. */
3085         tsec2->ptrace_sid = tsec1->ptrace_sid;
3086
3087         return 0;
3088 }
3089
3090 static void selinux_task_free_security(struct task_struct *tsk)
3091 {
3092         task_free_security(tsk);
3093 }
3094
3095 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3096 {
3097         /* Since setuid only affects the current process, and
3098            since the SELinux controls are not based on the Linux
3099            identity attributes, SELinux does not need to control
3100            this operation.  However, SELinux does control the use
3101            of the CAP_SETUID and CAP_SETGID capabilities using the
3102            capable hook. */
3103         return 0;
3104 }
3105
3106 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3107 {
3108         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3109 }
3110
3111 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3112 {
3113         /* See the comment for setuid above. */
3114         return 0;
3115 }
3116
3117 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3118 {
3119         return task_has_perm(current, p, PROCESS__SETPGID);
3120 }
3121
3122 static int selinux_task_getpgid(struct task_struct *p)
3123 {
3124         return task_has_perm(current, p, PROCESS__GETPGID);
3125 }
3126
3127 static int selinux_task_getsid(struct task_struct *p)
3128 {
3129         return task_has_perm(current, p, PROCESS__GETSESSION);
3130 }
3131
3132 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3133 {
3134         selinux_get_task_sid(p, secid);
3135 }
3136
3137 static int selinux_task_setgroups(struct group_info *group_info)
3138 {
3139         /* See the comment for setuid above. */
3140         return 0;
3141 }
3142
3143 static int selinux_task_setnice(struct task_struct *p, int nice)
3144 {
3145         int rc;
3146
3147         rc = secondary_ops->task_setnice(p, nice);
3148         if (rc)
3149                 return rc;
3150
3151         return task_has_perm(current,p, PROCESS__SETSCHED);
3152 }
3153
3154 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3155 {
3156         int rc;
3157
3158         rc = secondary_ops->task_setioprio(p, ioprio);
3159         if (rc)
3160                 return rc;
3161
3162         return task_has_perm(current, p, PROCESS__SETSCHED);
3163 }
3164
3165 static int selinux_task_getioprio(struct task_struct *p)
3166 {
3167         return task_has_perm(current, p, PROCESS__GETSCHED);
3168 }
3169
3170 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3171 {
3172         struct rlimit *old_rlim = current->signal->rlim + resource;
3173         int rc;
3174
3175         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3176         if (rc)
3177                 return rc;
3178
3179         /* Control the ability to change the hard limit (whether
3180            lowering or raising it), so that the hard limit can
3181            later be used as a safe reset point for the soft limit
3182            upon context transitions. See selinux_bprm_apply_creds. */
3183         if (old_rlim->rlim_max != new_rlim->rlim_max)
3184                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3185
3186         return 0;
3187 }
3188
3189 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3190 {
3191         int rc;
3192
3193         rc = secondary_ops->task_setscheduler(p, policy, lp);
3194         if (rc)
3195                 return rc;
3196
3197         return task_has_perm(current, p, PROCESS__SETSCHED);
3198 }
3199
3200 static int selinux_task_getscheduler(struct task_struct *p)
3201 {
3202         return task_has_perm(current, p, PROCESS__GETSCHED);
3203 }
3204
3205 static int selinux_task_movememory(struct task_struct *p)
3206 {
3207         return task_has_perm(current, p, PROCESS__SETSCHED);
3208 }
3209
3210 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3211                                 int sig, u32 secid)
3212 {
3213         u32 perm;
3214         int rc;
3215         struct task_security_struct *tsec;
3216
3217         rc = secondary_ops->task_kill(p, info, sig, secid);
3218         if (rc)
3219                 return rc;
3220
3221         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3222                 return 0;
3223
3224         if (!sig)
3225                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3226         else
3227                 perm = signal_to_av(sig);
3228         tsec = p->security;
3229         if (secid)
3230                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3231         else
3232                 rc = task_has_perm(current, p, perm);
3233         return rc;
3234 }
3235
3236 static int selinux_task_prctl(int option,
3237                               unsigned long arg2,
3238                               unsigned long arg3,
3239                               unsigned long arg4,
3240                               unsigned long arg5)
3241 {
3242         /* The current prctl operations do not appear to require
3243            any SELinux controls since they merely observe or modify
3244            the state of the current process. */
3245         return 0;
3246 }
3247
3248 static int selinux_task_wait(struct task_struct *p)
3249 {
3250         return task_has_perm(p, current, PROCESS__SIGCHLD);
3251 }
3252
3253 static void selinux_task_reparent_to_init(struct task_struct *p)
3254 {
3255         struct task_security_struct *tsec;
3256
3257         secondary_ops->task_reparent_to_init(p);
3258
3259         tsec = p->security;
3260         tsec->osid = tsec->sid;
3261         tsec->sid = SECINITSID_KERNEL;
3262         return;
3263 }
3264
3265 static void selinux_task_to_inode(struct task_struct *p,
3266                                   struct inode *inode)
3267 {
3268         struct task_security_struct *tsec = p->security;
3269         struct inode_security_struct *isec = inode->i_security;
3270
3271         isec->sid = tsec->sid;
3272         isec->initialized = 1;
3273         return;
3274 }
3275
3276 /* Returns error only if unable to parse addresses */
3277 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3278                         struct avc_audit_data *ad, u8 *proto)
3279 {
3280         int offset, ihlen, ret = -EINVAL;
3281         struct iphdr _iph, *ih;
3282
3283         offset = skb_network_offset(skb);
3284         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3285         if (ih == NULL)
3286                 goto out;
3287
3288         ihlen = ih->ihl * 4;
3289         if (ihlen < sizeof(_iph))
3290                 goto out;
3291
3292         ad->u.net.v4info.saddr = ih->saddr;
3293         ad->u.net.v4info.daddr = ih->daddr;
3294         ret = 0;
3295
3296         if (proto)
3297                 *proto = ih->protocol;
3298
3299         switch (ih->protocol) {
3300         case IPPROTO_TCP: {
3301                 struct tcphdr _tcph, *th;
3302
3303                 if (ntohs(ih->frag_off) & IP_OFFSET)
3304                         break;
3305
3306                 offset += ihlen;
3307                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3308                 if (th == NULL)
3309                         break;
3310
3311                 ad->u.net.sport = th->source;
3312                 ad->u.net.dport = th->dest;
3313                 break;
3314         }
3315         
3316         case IPPROTO_UDP: {
3317                 struct udphdr _udph, *uh;
3318                 
3319                 if (ntohs(ih->frag_off) & IP_OFFSET)
3320                         break;
3321                         
3322                 offset += ihlen;
3323                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3324                 if (uh == NULL)
3325                         break;  
3326
3327                 ad->u.net.sport = uh->source;
3328                 ad->u.net.dport = uh->dest;
3329                 break;
3330         }
3331
3332         case IPPROTO_DCCP: {
3333                 struct dccp_hdr _dccph, *dh;
3334
3335                 if (ntohs(ih->frag_off) & IP_OFFSET)
3336                         break;
3337
3338                 offset += ihlen;
3339                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3340                 if (dh == NULL)
3341                         break;
3342
3343                 ad->u.net.sport = dh->dccph_sport;
3344                 ad->u.net.dport = dh->dccph_dport;
3345                 break;
3346         }
3347
3348         default:
3349                 break;
3350         }
3351 out:
3352         return ret;
3353 }
3354
3355 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3356
3357 /* Returns error only if unable to parse addresses */
3358 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3359                         struct avc_audit_data *ad, u8 *proto)
3360 {
3361         u8 nexthdr;
3362         int ret = -EINVAL, offset;
3363         struct ipv6hdr _ipv6h, *ip6;
3364
3365         offset = skb_network_offset(skb);
3366         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3367         if (ip6 == NULL)
3368                 goto out;
3369
3370         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3371         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3372         ret = 0;
3373
3374         nexthdr = ip6->nexthdr;
3375         offset += sizeof(_ipv6h);
3376         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3377         if (offset < 0)
3378                 goto out;
3379
3380         if (proto)
3381                 *proto = nexthdr;
3382
3383         switch (nexthdr) {
3384         case IPPROTO_TCP: {
3385                 struct tcphdr _tcph, *th;
3386
3387                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3388                 if (th == NULL)
3389                         break;
3390
3391                 ad->u.net.sport = th->source;
3392                 ad->u.net.dport = th->dest;
3393                 break;
3394         }
3395
3396         case IPPROTO_UDP: {
3397                 struct udphdr _udph, *uh;
3398
3399                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3400                 if (uh == NULL)
3401                         break;
3402
3403                 ad->u.net.sport = uh->source;
3404                 ad->u.net.dport = uh->dest;
3405                 break;
3406         }
3407
3408         case IPPROTO_DCCP: {
3409                 struct dccp_hdr _dccph, *dh;
3410
3411                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3412                 if (dh == NULL)
3413                         break;
3414
3415                 ad->u.net.sport = dh->dccph_sport;
3416                 ad->u.net.dport = dh->dccph_dport;
3417                 break;
3418         }
3419
3420         /* includes fragments */
3421         default:
3422                 break;
3423         }
3424 out:
3425         return ret;
3426 }
3427
3428 #endif /* IPV6 */
3429
3430 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3431                              char **addrp, int src, u8 *proto)
3432 {
3433         int ret = 0;
3434
3435         switch (ad->u.net.family) {
3436         case PF_INET:
3437                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3438                 if (ret || !addrp)
3439                         break;
3440                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3441                                         &ad->u.net.v4info.daddr);
3442                 break;
3443
3444 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3445         case PF_INET6:
3446                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3447                 if (ret || !addrp)
3448                         break;
3449                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3450                                         &ad->u.net.v6info.daddr);
3451                 break;
3452 #endif  /* IPV6 */
3453         default:
3454                 break;
3455         }
3456
3457         if (unlikely(ret))
3458                 printk(KERN_WARNING
3459                        "SELinux: failure in selinux_parse_skb(),"
3460                        " unable to parse packet\n");
3461
3462         return ret;
3463 }
3464
3465 /**
3466  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3467  * @skb: the packet
3468  * @family: protocol family
3469  * @sid: the packet's peer label SID
3470  *
3471  * Description:
3472  * Check the various different forms of network peer labeling and determine
3473  * the peer label/SID for the packet; most of the magic actually occurs in
3474  * the security server function security_net_peersid_cmp().  The function
3475  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3476  * or -EACCES if @sid is invalid due to inconsistencies with the different
3477  * peer labels.
3478  *
3479  */
3480 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3481 {
3482         int err;
3483         u32 xfrm_sid;
3484         u32 nlbl_sid;
3485         u32 nlbl_type;
3486
3487         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3488         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3489
3490         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3491         if (unlikely(err)) {
3492                 printk(KERN_WARNING
3493                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3494                        " unable to determine packet's peer label\n");
3495                 return -EACCES;
3496         }
3497
3498         return 0;
3499 }
3500
3501 /* socket security operations */
3502 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3503                            u32 perms)
3504 {
3505         struct inode_security_struct *isec;
3506         struct task_security_struct *tsec;
3507         struct avc_audit_data ad;
3508         int err = 0;
3509
3510         tsec = task->security;
3511         isec = SOCK_INODE(sock)->i_security;
3512
3513         if (isec->sid == SECINITSID_KERNEL)
3514                 goto out;
3515
3516         AVC_AUDIT_DATA_INIT(&ad,NET);
3517         ad.u.net.sk = sock->sk;
3518         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3519
3520 out:
3521         return err;
3522 }
3523
3524 static int selinux_socket_create(int family, int type,
3525                                  int protocol, int kern)
3526 {
3527         int err = 0;
3528         struct task_security_struct *tsec;
3529         u32 newsid;
3530
3531         if (kern)
3532                 goto out;
3533
3534         tsec = current->security;
3535         newsid = tsec->sockcreate_sid ? : tsec->sid;
3536         err = avc_has_perm(tsec->sid, newsid,
3537                            socket_type_to_security_class(family, type,
3538                            protocol), SOCKET__CREATE, NULL);
3539
3540 out:
3541         return err;
3542 }
3543
3544 static int selinux_socket_post_create(struct socket *sock, int family,
3545                                       int type, int protocol, int kern)
3546 {
3547         int err = 0;
3548         struct inode_security_struct *isec;
3549         struct task_security_struct *tsec;
3550         struct sk_security_struct *sksec;
3551         u32 newsid;
3552
3553         isec = SOCK_INODE(sock)->i_security;
3554
3555         tsec = current->security;
3556         newsid = tsec->sockcreate_sid ? : tsec->sid;
3557         isec->sclass = socket_type_to_security_class(family, type, protocol);
3558         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3559         isec->initialized = 1;
3560
3561         if (sock->sk) {
3562                 sksec = sock->sk->sk_security;
3563                 sksec->sid = isec->sid;
3564                 sksec->sclass = isec->sclass;
3565                 err = selinux_netlbl_socket_post_create(sock);
3566         }
3567
3568         return err;
3569 }
3570
3571 /* Range of port numbers used to automatically bind.
3572    Need to determine whether we should perform a name_bind
3573    permission check between the socket and the port number. */
3574
3575 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3576 {
3577         u16 family;
3578         int err;
3579
3580         err = socket_has_perm(current, sock, SOCKET__BIND);
3581         if (err)
3582                 goto out;
3583
3584         /*
3585          * If PF_INET or PF_INET6, check name_bind permission for the port.
3586          * Multiple address binding for SCTP is not supported yet: we just
3587          * check the first address now.
3588          */
3589         family = sock->sk->sk_family;
3590         if (family == PF_INET || family == PF_INET6) {
3591                 char *addrp;
3592                 struct inode_security_struct *isec;
3593                 struct task_security_struct *tsec;
3594                 struct avc_audit_data ad;
3595                 struct sockaddr_in *addr4 = NULL;
3596                 struct sockaddr_in6 *addr6 = NULL;
3597                 unsigned short snum;
3598                 struct sock *sk = sock->sk;
3599                 u32 sid, node_perm, addrlen;
3600
3601                 tsec = current->security;
3602                 isec = SOCK_INODE(sock)->i_security;
3603
3604                 if (family == PF_INET) {
3605                         addr4 = (struct sockaddr_in *)address;
3606                         snum = ntohs(addr4->sin_port);
3607                         addrlen = sizeof(addr4->sin_addr.s_addr);
3608                         addrp = (char *)&addr4->sin_addr.s_addr;
3609                 } else {
3610                         addr6 = (struct sockaddr_in6 *)address;
3611                         snum = ntohs(addr6->sin6_port);
3612                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3613                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3614                 }
3615
3616                 if (snum) {
3617                         int low, high;
3618
3619                         inet_get_local_port_range(&low, &high);
3620
3621                         if (snum < max(PROT_SOCK, low) || snum > high) {
3622                                 err = security_port_sid(sk->sk_family,
3623                                                         sk->sk_type,
3624                                                         sk->sk_protocol, snum,
3625                                                         &sid);
3626                                 if (err)
3627                                         goto out;
3628                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3629                                 ad.u.net.sport = htons(snum);
3630                                 ad.u.net.family = family;
3631                                 err = avc_has_perm(isec->sid, sid,
3632                                                    isec->sclass,
3633                                                    SOCKET__NAME_BIND, &ad);
3634                                 if (err)
3635                                         goto out;
3636                         }
3637                 }
3638                 
3639                 switch(isec->sclass) {
3640                 case SECCLASS_TCP_SOCKET:
3641                         node_perm = TCP_SOCKET__NODE_BIND;
3642                         break;
3643                         
3644                 case SECCLASS_UDP_SOCKET:
3645                         node_perm = UDP_SOCKET__NODE_BIND;
3646                         break;
3647
3648                 case SECCLASS_DCCP_SOCKET:
3649                         node_perm = DCCP_SOCKET__NODE_BIND;
3650                         break;
3651
3652                 default:
3653                         node_perm = RAWIP_SOCKET__NODE_BIND;
3654                         break;
3655                 }
3656                 
3657                 err = sel_netnode_sid(addrp, family, &sid);
3658                 if (err)
3659                         goto out;
3660                 
3661                 AVC_AUDIT_DATA_INIT(&ad,NET);
3662                 ad.u.net.sport = htons(snum);
3663                 ad.u.net.family = family;
3664
3665                 if (family == PF_INET)
3666                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3667                 else
3668                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3669
3670                 err = avc_has_perm(isec->sid, sid,
3671                                    isec->sclass, node_perm, &ad);
3672                 if (err)
3673                         goto out;
3674         }
3675 out:
3676         return err;
3677 }
3678
3679 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3680 {
3681         struct inode_security_struct *isec;
3682         int err;
3683
3684         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3685         if (err)
3686                 return err;
3687
3688         /*
3689          * If a TCP or DCCP socket, check name_connect permission for the port.
3690          */
3691         isec = SOCK_INODE(sock)->i_security;
3692         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3693             isec->sclass == SECCLASS_DCCP_SOCKET) {
3694                 struct sock *sk = sock->sk;
3695                 struct avc_audit_data ad;
3696                 struct sockaddr_in *addr4 = NULL;
3697                 struct sockaddr_in6 *addr6 = NULL;
3698                 unsigned short snum;
3699                 u32 sid, perm;
3700
3701                 if (sk->sk_family == PF_INET) {
3702                         addr4 = (struct sockaddr_in *)address;
3703                         if (addrlen < sizeof(struct sockaddr_in))
3704                                 return -EINVAL;
3705                         snum = ntohs(addr4->sin_port);
3706                 } else {
3707                         addr6 = (struct sockaddr_in6 *)address;
3708                         if (addrlen < SIN6_LEN_RFC2133)
3709                                 return -EINVAL;
3710                         snum = ntohs(addr6->sin6_port);
3711                 }
3712
3713                 err = security_port_sid(sk->sk_family, sk->sk_type,
3714                                         sk->sk_protocol, snum, &sid);
3715                 if (err)
3716                         goto out;
3717
3718                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3719                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3720
3721                 AVC_AUDIT_DATA_INIT(&ad,NET);
3722                 ad.u.net.dport = htons(snum);
3723                 ad.u.net.family = sk->sk_family;
3724                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3725                 if (err)
3726                         goto out;
3727         }
3728
3729 out:
3730         return err;
3731 }
3732
3733 static int selinux_socket_listen(struct socket *sock, int backlog)
3734 {
3735         return socket_has_perm(current, sock, SOCKET__LISTEN);
3736 }
3737
3738 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3739 {
3740         int err;
3741         struct inode_security_struct *isec;
3742         struct inode_security_struct *newisec;
3743
3744         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3745         if (err)
3746                 return err;
3747
3748         newisec = SOCK_INODE(newsock)->i_security;
3749
3750         isec = SOCK_INODE(sock)->i_security;
3751         newisec->sclass = isec->sclass;
3752         newisec->sid = isec->sid;
3753         newisec->initialized = 1;
3754
3755         return 0;
3756 }
3757
3758 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3759                                   int size)
3760 {
3761         int rc;
3762
3763         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3764         if (rc)
3765                 return rc;
3766
3767         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3768 }
3769
3770 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3771                                   int size, int flags)
3772 {
3773         return socket_has_perm(current, sock, SOCKET__READ);
3774 }
3775
3776 static int selinux_socket_getsockname(struct socket *sock)
3777 {
3778         return socket_has_perm(current, sock, SOCKET__GETATTR);
3779 }
3780
3781 static int selinux_socket_getpeername(struct socket *sock)
3782 {
3783         return socket_has_perm(current, sock, SOCKET__GETATTR);
3784 }
3785
3786 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3787 {
3788         int err;
3789
3790         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3791         if (err)
3792                 return err;
3793
3794         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3795 }
3796
3797 static int selinux_socket_getsockopt(struct socket *sock, int level,
3798                                      int optname)
3799 {
3800         return socket_has_perm(current, sock, SOCKET__GETOPT);
3801 }
3802
3803 static int selinux_socket_shutdown(struct socket *sock, int how)
3804 {
3805         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3806 }
3807
3808 static int selinux_socket_unix_stream_connect(struct socket *sock,
3809                                               struct socket *other,
3810                                               struct sock *newsk)
3811 {
3812         struct sk_security_struct *ssec;
3813         struct inode_security_struct *isec;
3814         struct inode_security_struct *other_isec;
3815         struct avc_audit_data ad;
3816         int err;
3817
3818         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3819         if (err)
3820                 return err;
3821
3822         isec = SOCK_INODE(sock)->i_security;
3823         other_isec = SOCK_INODE(other)->i_security;
3824
3825         AVC_AUDIT_DATA_INIT(&ad,NET);
3826         ad.u.net.sk = other->sk;
3827
3828         err = avc_has_perm(isec->sid, other_isec->sid,
3829                            isec->sclass,
3830                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3831         if (err)
3832                 return err;
3833
3834         /* connecting socket */
3835         ssec = sock->sk->sk_security;
3836         ssec->peer_sid = other_isec->sid;
3837         
3838         /* server child socket */
3839         ssec = newsk->sk_security;
3840         ssec->peer_sid = isec->sid;
3841         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3842
3843         return err;
3844 }
3845
3846 static int selinux_socket_unix_may_send(struct socket *sock,
3847                                         struct socket *other)
3848 {
3849         struct inode_security_struct *isec;
3850         struct inode_security_struct *other_isec;
3851         struct avc_audit_data ad;
3852         int err;
3853
3854         isec = SOCK_INODE(sock)->i_security;
3855         other_isec = SOCK_INODE(other)->i_security;
3856
3857         AVC_AUDIT_DATA_INIT(&ad,NET);
3858         ad.u.net.sk = other->sk;
3859
3860         err = avc_has_perm(isec->sid, other_isec->sid,
3861                            isec->sclass, SOCKET__SENDTO, &ad);
3862         if (err)
3863                 return err;
3864
3865         return 0;
3866 }
3867
3868 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3869                                     u32 peer_sid,
3870                                     struct avc_audit_data *ad)
3871 {
3872         int err;
3873         u32 if_sid;
3874         u32 node_sid;
3875
3876         err = sel_netif_sid(ifindex, &if_sid);
3877         if (err)
3878                 return err;
3879         err = avc_has_perm(peer_sid, if_sid,
3880                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3881         if (err)
3882                 return err;
3883
3884         err = sel_netnode_sid(addrp, family, &node_sid);
3885         if (err)
3886                 return err;
3887         return avc_has_perm(peer_sid, node_sid,
3888                             SECCLASS_NODE, NODE__RECVFROM, ad);
3889 }
3890
3891 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3892                                                 struct sk_buff *skb,
3893                                                 struct avc_audit_data *ad,
3894                                                 u16 family,
3895                                                 char *addrp)
3896 {
3897         int err;
3898         struct sk_security_struct *sksec = sk->sk_security;
3899         u16 sk_class;
3900         u32 netif_perm, node_perm, recv_perm;
3901         u32 port_sid, node_sid, if_sid, sk_sid;
3902
3903         sk_sid = sksec->sid;
3904         sk_class = sksec->sclass;
3905
3906         switch (sk_class) {
3907         case SECCLASS_UDP_SOCKET:
3908                 netif_perm = NETIF__UDP_RECV;
3909                 node_perm = NODE__UDP_RECV;
3910                 recv_perm = UDP_SOCKET__RECV_MSG;
3911                 break;
3912         case SECCLASS_TCP_SOCKET:
3913                 netif_perm = NETIF__TCP_RECV;
3914                 node_perm = NODE__TCP_RECV;
3915                 recv_perm = TCP_SOCKET__RECV_MSG;
3916                 break;
3917         case SECCLASS_DCCP_SOCKET:
3918                 netif_perm = NETIF__DCCP_RECV;
3919                 node_perm = NODE__DCCP_RECV;
3920                 recv_perm = DCCP_SOCKET__RECV_MSG;
3921                 break;
3922         default:
3923                 netif_perm = NETIF__RAWIP_RECV;
3924                 node_perm = NODE__RAWIP_RECV;
3925                 recv_perm = 0;
3926                 break;
3927         }
3928
3929         err = sel_netif_sid(skb->iif, &if_sid);
3930         if (err)
3931                 return err;
3932         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3933         if (err)
3934                 return err;
3935         
3936         err = sel_netnode_sid(addrp, family, &node_sid);
3937         if (err)
3938                 return err;
3939         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3940         if (err)
3941                 return err;
3942
3943         if (!recv_perm)
3944                 return 0;
3945         err = security_port_sid(sk->sk_family, sk->sk_type,
3946                                 sk->sk_protocol, ntohs(ad->u.net.sport),
3947                                 &port_sid);
3948         if (unlikely(err)) {
3949                 printk(KERN_WARNING
3950                        "SELinux: failure in"
3951                        " selinux_sock_rcv_skb_iptables_compat(),"
3952                        " network port label not found\n");
3953                 return err;
3954         }
3955         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3956 }
3957
3958 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3959                                        struct avc_audit_data *ad,
3960                                        u16 family, char *addrp)
3961 {
3962         int err;
3963         struct sk_security_struct *sksec = sk->sk_security;
3964         u32 peer_sid;
3965         u32 sk_sid = sksec->sid;
3966
3967         if (selinux_compat_net)
3968                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3969                                                            family, addrp);
3970         else
3971                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3972                                    PACKET__RECV, ad);
3973         if (err)
3974                 return err;
3975
3976         if (selinux_policycap_netpeer) {
3977                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3978                 if (err)
3979                         return err;
3980                 err = avc_has_perm(sk_sid, peer_sid,
3981                                    SECCLASS_PEER, PEER__RECV, ad);
3982         } else {
3983                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3984                 if (err)
3985                         return err;
3986                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3987         }
3988
3989         return err;
3990 }
3991
3992 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3993 {
3994         int err;
3995         struct sk_security_struct *sksec = sk->sk_security;
3996         u16 family = sk->sk_family;
3997         u32 sk_sid = sksec->sid;
3998         struct avc_audit_data ad;
3999         char *addrp;
4000
4001         if (family != PF_INET && family != PF_INET6)
4002                 return 0;
4003
4004         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4005         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4006                 family = PF_INET;
4007
4008         AVC_AUDIT_DATA_INIT(&ad, NET);
4009         ad.u.net.netif = skb->iif;
4010         ad.u.net.family = family;
4011         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4012         if (err)
4013                 return err;
4014
4015         /* If any sort of compatibility mode is enabled then handoff processing
4016          * to the selinux_sock_rcv_skb_compat() function to deal with the
4017          * special handling.  We do this in an attempt to keep this function
4018          * as fast and as clean as possible. */
4019         if (selinux_compat_net || !selinux_policycap_netpeer)
4020                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4021                                                    family, addrp);
4022
4023         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4024                 u32 peer_sid;
4025
4026                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4027                 if (err)
4028                         return err;
4029                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4030                                                peer_sid, &ad);
4031                 if (err)
4032                         return err;
4033                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4034                                    PEER__RECV, &ad);
4035         }
4036
4037         if (selinux_secmark_enabled()) {
4038                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4039                                    PACKET__RECV, &ad);
4040                 if (err)
4041                         return err;
4042         }
4043
4044         return err;
4045 }
4046
4047 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4048                                             int __user *optlen, unsigned len)
4049 {
4050         int err = 0;
4051         char *scontext;
4052         u32 scontext_len;
4053         struct sk_security_struct *ssec;
4054         struct inode_security_struct *isec;
4055         u32 peer_sid = SECSID_NULL;
4056
4057         isec = SOCK_INODE(sock)->i_security;
4058
4059         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4060             isec->sclass == SECCLASS_TCP_SOCKET) {
4061                 ssec = sock->sk->sk_security;
4062                 peer_sid = ssec->peer_sid;
4063         }
4064         if (peer_sid == SECSID_NULL) {
4065                 err = -ENOPROTOOPT;
4066                 goto out;
4067         }
4068
4069         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4070
4071         if (err)
4072                 goto out;
4073
4074         if (scontext_len > len) {
4075                 err = -ERANGE;
4076                 goto out_len;
4077         }
4078
4079         if (copy_to_user(optval, scontext, scontext_len))
4080                 err = -EFAULT;
4081
4082 out_len:
4083         if (put_user(scontext_len, optlen))
4084                 err = -EFAULT;
4085
4086         kfree(scontext);
4087 out:    
4088         return err;
4089 }
4090
4091 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4092 {
4093         u32 peer_secid = SECSID_NULL;
4094         u16 family;
4095
4096         if (sock)
4097                 family = sock->sk->sk_family;
4098         else if (skb && skb->sk)
4099                 family = skb->sk->sk_family;
4100         else
4101                 goto out;
4102
4103         if (sock && family == PF_UNIX)
4104                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4105         else if (skb)
4106                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4107
4108 out:
4109         *secid = peer_secid;
4110         if (peer_secid == SECSID_NULL)
4111                 return -EINVAL;
4112         return 0;
4113 }
4114
4115 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4116 {
4117         return sk_alloc_security(sk, family, priority);
4118 }
4119
4120 static void selinux_sk_free_security(struct sock *sk)
4121 {
4122         sk_free_security(sk);
4123 }
4124
4125 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4126 {
4127         struct sk_security_struct *ssec = sk->sk_security;
4128         struct sk_security_struct *newssec = newsk->sk_security;
4129
4130         newssec->sid = ssec->sid;
4131         newssec->peer_sid = ssec->peer_sid;
4132         newssec->sclass = ssec->sclass;
4133
4134         selinux_netlbl_sk_security_clone(ssec, newssec);
4135 }
4136
4137 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4138 {
4139         if (!sk)
4140                 *secid = SECINITSID_ANY_SOCKET;
4141         else {
4142                 struct sk_security_struct *sksec = sk->sk_security;
4143
4144                 *secid = sksec->sid;
4145         }
4146 }
4147
4148 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4149 {
4150         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4151         struct sk_security_struct *sksec = sk->sk_security;
4152
4153         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4154             sk->sk_family == PF_UNIX)
4155                 isec->sid = sksec->sid;
4156         sksec->sclass = isec->sclass;
4157
4158         selinux_netlbl_sock_graft(sk, parent);
4159 }
4160
4161 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4162                                      struct request_sock *req)
4163 {
4164         struct sk_security_struct *sksec = sk->sk_security;
4165         int err;
4166         u32 newsid;
4167         u32 peersid;
4168
4169         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4170         if (err)
4171                 return err;
4172         if (peersid == SECSID_NULL) {
4173                 req->secid = sksec->sid;
4174                 req->peer_secid = SECSID_NULL;
4175                 return 0;
4176         }
4177
4178         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4179         if (err)
4180                 return err;
4181
4182         req->secid = newsid;
4183         req->peer_secid = peersid;
4184         return 0;
4185 }
4186
4187 static void selinux_inet_csk_clone(struct sock *newsk,
4188                                    const struct request_sock *req)
4189 {
4190         struct sk_security_struct *newsksec = newsk->sk_security;
4191
4192         newsksec->sid = req->secid;
4193         newsksec->peer_sid = req->peer_secid;
4194         /* NOTE: Ideally, we should also get the isec->sid for the
4195            new socket in sync, but we don't have the isec available yet.
4196            So we will wait until sock_graft to do it, by which
4197            time it will have been created and available. */
4198
4199         /* We don't need to take any sort of lock here as we are the only
4200          * thread with access to newsksec */
4201         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4202 }
4203
4204 static void selinux_inet_conn_established(struct sock *sk,
4205                                 struct sk_buff *skb)
4206 {
4207         struct sk_security_struct *sksec = sk->sk_security;
4208
4209         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4210 }
4211
4212 static void selinux_req_classify_flow(const struct request_sock *req,
4213                                       struct flowi *fl)
4214 {
4215         fl->secid = req->secid;
4216 }
4217
4218 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4219 {
4220         int err = 0;
4221         u32 perm;
4222         struct nlmsghdr *nlh;
4223         struct socket *sock = sk->sk_socket;
4224         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4225         
4226         if (skb->len < NLMSG_SPACE(0)) {
4227                 err = -EINVAL;
4228                 goto out;
4229         }
4230         nlh = nlmsg_hdr(skb);
4231         
4232         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4233         if (err) {
4234                 if (err == -EINVAL) {
4235                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4236                                   "SELinux:  unrecognized netlink message"
4237                                   " type=%hu for sclass=%hu\n",
4238                                   nlh->nlmsg_type, isec->sclass);
4239                         if (!selinux_enforcing)
4240                                 err = 0;
4241                 }
4242
4243                 /* Ignore */
4244                 if (err == -ENOENT)
4245                         err = 0;
4246                 goto out;
4247         }
4248
4249         err = socket_has_perm(current, sock, perm);
4250 out:
4251         return err;
4252 }
4253
4254 #ifdef CONFIG_NETFILTER
4255
4256 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4257                                        u16 family)
4258 {
4259         char *addrp;
4260         u32 peer_sid;
4261         struct avc_audit_data ad;
4262         u8 secmark_active;
4263         u8 peerlbl_active;
4264
4265         if (!selinux_policycap_netpeer)
4266                 return NF_ACCEPT;
4267
4268         secmark_active = selinux_secmark_enabled();
4269         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4270         if (!secmark_active && !peerlbl_active)
4271                 return NF_ACCEPT;
4272
4273         AVC_AUDIT_DATA_INIT(&ad, NET);
4274         ad.u.net.netif = ifindex;
4275         ad.u.net.family = family;
4276         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4277                 return NF_DROP;
4278
4279         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4280                 return NF_DROP;
4281
4282         if (peerlbl_active)
4283                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4284                                              peer_sid, &ad) != 0)
4285                         return NF_DROP;
4286
4287         if (secmark_active)
4288                 if (avc_has_perm(peer_sid, skb->secmark,
4289                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4290                         return NF_DROP;
4291
4292         return NF_ACCEPT;
4293 }
4294
4295 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4296                                          struct sk_buff *skb,
4297                                          const struct net_device *in,
4298                                          const struct net_device *out,
4299                                          int (*okfn)(struct sk_buff *))
4300 {
4301         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4302 }
4303
4304 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4305 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4306                                          struct sk_buff *skb,
4307                                          const struct net_device *in,
4308                                          const struct net_device *out,
4309                                          int (*okfn)(struct sk_buff *))
4310 {
4311         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4312 }
4313 #endif  /* IPV6 */
4314
4315 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4316                                                 int ifindex,
4317                                                 struct avc_audit_data *ad,
4318                                                 u16 family, char *addrp)
4319 {
4320         int err;
4321         struct sk_security_struct *sksec = sk->sk_security;
4322         u16 sk_class;
4323         u32 netif_perm, node_perm, send_perm;
4324         u32 port_sid, node_sid, if_sid, sk_sid;
4325
4326         sk_sid = sksec->sid;
4327         sk_class = sksec->sclass;
4328
4329         switch (sk_class) {
4330         case SECCLASS_UDP_SOCKET:
4331                 netif_perm = NETIF__UDP_SEND;
4332                 node_perm = NODE__UDP_SEND;
4333                 send_perm = UDP_SOCKET__SEND_MSG;
4334                 break;
4335         case SECCLASS_TCP_SOCKET:
4336                 netif_perm = NETIF__TCP_SEND;
4337                 node_perm = NODE__TCP_SEND;
4338                 send_perm = TCP_SOCKET__SEND_MSG;
4339                 break;
4340         case SECCLASS_DCCP_SOCKET:
4341                 netif_perm = NETIF__DCCP_SEND;
4342                 node_perm = NODE__DCCP_SEND;
4343                 send_perm = DCCP_SOCKET__SEND_MSG;
4344                 break;
4345         default:
4346                 netif_perm = NETIF__RAWIP_SEND;
4347                 node_perm = NODE__RAWIP_SEND;
4348                 send_perm = 0;
4349                 break;
4350         }
4351
4352         err = sel_netif_sid(ifindex, &if_sid);
4353         if (err)
4354                 return err;
4355         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4356                 return err;
4357                 
4358         err = sel_netnode_sid(addrp, family, &node_sid);
4359         if (err)
4360                 return err;
4361         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4362         if (err)
4363                 return err;
4364
4365         if (send_perm != 0)
4366                 return 0;
4367
4368         err = security_port_sid(sk->sk_family, sk->sk_type,
4369                                 sk->sk_protocol, ntohs(ad->u.net.dport),
4370                                 &port_sid);
4371         if (unlikely(err)) {
4372                 printk(KERN_WARNING
4373                        "SELinux: failure in"
4374                        " selinux_ip_postroute_iptables_compat(),"
4375                        " network port label not found\n");
4376                 return err;
4377         }
4378         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4379 }
4380
4381 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4382                                                 int ifindex,
4383                                                 struct avc_audit_data *ad,
4384                                                 u16 family,
4385                                                 char *addrp,
4386                                                 u8 proto)
4387 {
4388         struct sock *sk = skb->sk;
4389         struct sk_security_struct *sksec;
4390
4391         if (sk == NULL)
4392                 return NF_ACCEPT;
4393         sksec = sk->sk_security;
4394
4395         if (selinux_compat_net) {
4396                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4397                                                          ad, family, addrp))
4398                         return NF_DROP;
4399         } else {
4400                 if (avc_has_perm(sksec->sid, skb->secmark,
4401                                  SECCLASS_PACKET, PACKET__SEND, ad))
4402                         return NF_DROP;
4403         }
4404
4405         if (selinux_policycap_netpeer)
4406                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4407                         return NF_DROP;
4408
4409         return NF_ACCEPT;
4410 }
4411
4412 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4413                                          u16 family)
4414 {
4415         u32 secmark_perm;
4416         u32 peer_sid;
4417         struct sock *sk;
4418         struct avc_audit_data ad;
4419         char *addrp;
4420         u8 proto;
4421         u8 secmark_active;
4422         u8 peerlbl_active;
4423
4424         AVC_AUDIT_DATA_INIT(&ad, NET);
4425         ad.u.net.netif = ifindex;
4426         ad.u.net.family = family;
4427         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4428                 return NF_DROP;
4429
4430         /* If any sort of compatibility mode is enabled then handoff processing
4431          * to the selinux_ip_postroute_compat() function to deal with the
4432          * special handling.  We do this in an attempt to keep this function
4433          * as fast and as clean as possible. */
4434         if (selinux_compat_net || !selinux_policycap_netpeer)
4435                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4436                                                    family, addrp, proto);
4437
4438         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4439          * packet transformation so allow the packet to pass without any checks
4440          * since we'll have another chance to perform access control checks
4441          * when the packet is on it's final way out.
4442          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4443          *       is NULL, in this case go ahead and apply access control. */
4444         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4445                 return NF_ACCEPT;
4446
4447         secmark_active = selinux_secmark_enabled();
4448         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4449         if (!secmark_active && !peerlbl_active)
4450                 return NF_ACCEPT;
4451
4452         /* if the packet is locally generated (skb->sk != NULL) then use the
4453          * socket's label as the peer label, otherwise the packet is being
4454          * forwarded through this system and we need to fetch the peer label
4455          * directly from the packet */
4456         sk = skb->sk;
4457         if (sk) {
4458                 struct sk_security_struct *sksec = sk->sk_security;
4459                 peer_sid = sksec->sid;
4460                 secmark_perm = PACKET__SEND;
4461         } else {
4462                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4463                                 return NF_DROP;
4464                 secmark_perm = PACKET__FORWARD_OUT;
4465         }
4466
4467         if (secmark_active)
4468                 if (avc_has_perm(peer_sid, skb->secmark,
4469                                  SECCLASS_PACKET, secmark_perm, &ad))
4470                         return NF_DROP;
4471
4472         if (peerlbl_active) {
4473                 u32 if_sid;
4474                 u32 node_sid;
4475
4476                 if (sel_netif_sid(ifindex, &if_sid))
4477                         return NF_DROP;
4478                 if (avc_has_perm(peer_sid, if_sid,
4479                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4480                         return NF_DROP;
4481
4482                 if (sel_netnode_sid(addrp, family, &node_sid))
4483                         return NF_DROP;
4484                 if (avc_has_perm(peer_sid, node_sid,
4485                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4486                         return NF_DROP;
4487         }
4488
4489         return NF_ACCEPT;
4490 }
4491
4492 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4493                                            struct sk_buff *skb,
4494                                            const struct net_device *in,
4495                                            const struct net_device *out,
4496                                            int (*okfn)(struct sk_buff *))
4497 {
4498         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4499 }
4500
4501 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4502 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4503                                            struct sk_buff *skb,
4504                                            const struct net_device *in,
4505                                            const struct net_device *out,
4506                                            int (*okfn)(struct sk_buff *))
4507 {
4508         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4509 }
4510 #endif  /* IPV6 */
4511
4512 #endif  /* CONFIG_NETFILTER */
4513
4514 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4515 {
4516         int err;
4517
4518         err = secondary_ops->netlink_send(sk, skb);
4519         if (err)
4520                 return err;
4521
4522         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4523                 err = selinux_nlmsg_perm(sk, skb);
4524
4525         return err;
4526 }
4527
4528 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4529 {
4530         int err;
4531         struct avc_audit_data ad;
4532
4533         err = secondary_ops->netlink_recv(skb, capability);
4534         if (err)
4535                 return err;
4536
4537         AVC_AUDIT_DATA_INIT(&ad, CAP);
4538         ad.u.cap = capability;
4539
4540         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4541                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4542 }
4543
4544 static int ipc_alloc_security(struct task_struct *task,
4545                               struct kern_ipc_perm *perm,
4546                               u16 sclass)
4547 {
4548         struct task_security_struct *tsec = task->security;
4549         struct ipc_security_struct *isec;
4550
4551         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4552         if (!isec)
4553                 return -ENOMEM;
4554
4555         isec->sclass = sclass;
4556         isec->ipc_perm = perm;
4557         isec->sid = tsec->sid;
4558         perm->security = isec;
4559
4560         return 0;
4561 }
4562
4563 static void ipc_free_security(struct kern_ipc_perm *perm)
4564 {
4565         struct ipc_security_struct *isec = perm->security;
4566         perm->security = NULL;
4567         kfree(isec);
4568 }
4569
4570 static int msg_msg_alloc_security(struct msg_msg *msg)
4571 {
4572         struct msg_security_struct *msec;
4573
4574         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4575         if (!msec)
4576                 return -ENOMEM;
4577
4578         msec->msg = msg;
4579         msec->sid = SECINITSID_UNLABELED;
4580         msg->security = msec;
4581
4582         return 0;
4583 }
4584
4585 static void msg_msg_free_security(struct msg_msg *msg)
4586 {
4587         struct msg_security_struct *msec = msg->security;
4588
4589         msg->security = NULL;
4590         kfree(msec);
4591 }
4592
4593 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4594                         u32 perms)
4595 {
4596         struct task_security_struct *tsec;
4597         struct ipc_security_struct *isec;
4598         struct avc_audit_data ad;
4599
4600         tsec = current->security;
4601         isec = ipc_perms->security;
4602
4603         AVC_AUDIT_DATA_INIT(&ad, IPC);
4604         ad.u.ipc_id = ipc_perms->key;
4605
4606         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4607 }
4608
4609 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4610 {
4611         return msg_msg_alloc_security(msg);
4612 }
4613
4614 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4615 {
4616         msg_msg_free_security(msg);
4617 }
4618
4619 /* message queue security operations */
4620 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4621 {
4622         struct task_security_struct *tsec;
4623         struct ipc_security_struct *isec;
4624         struct avc_audit_data ad;
4625         int rc;
4626
4627         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4628         if (rc)
4629                 return rc;
4630
4631         tsec = current->security;
4632         isec = msq->q_perm.security;
4633
4634         AVC_AUDIT_DATA_INIT(&ad, IPC);
4635         ad.u.ipc_id = msq->q_perm.key;
4636
4637         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4638                           MSGQ__CREATE, &ad);
4639         if (rc) {
4640                 ipc_free_security(&msq->q_perm);
4641                 return rc;
4642         }
4643         return 0;
4644 }
4645
4646 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4647 {
4648         ipc_free_security(&msq->q_perm);
4649 }
4650
4651 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4652 {
4653         struct task_security_struct *tsec;
4654         struct ipc_security_struct *isec;
4655         struct avc_audit_data ad;
4656
4657         tsec = current->security;
4658         isec = msq->q_perm.security;
4659
4660         AVC_AUDIT_DATA_INIT(&ad, IPC);
4661         ad.u.ipc_id = msq->q_perm.key;
4662
4663         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4664                             MSGQ__ASSOCIATE, &ad);
4665 }
4666
4667 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4668 {
4669         int err;
4670         int perms;
4671
4672         switch(cmd) {
4673         case IPC_INFO:
4674         case MSG_INFO:
4675                 /* No specific object, just general system-wide information. */
4676                 return task_has_system(current, SYSTEM__IPC_INFO);
4677         case IPC_STAT:
4678         case MSG_STAT:
4679                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4680                 break;
4681         case IPC_SET:
4682                 perms = MSGQ__SETATTR;
4683                 break;
4684         case IPC_RMID:
4685                 perms = MSGQ__DESTROY;
4686                 break;
4687         default:
4688                 return 0;
4689         }
4690
4691         err = ipc_has_perm(&msq->q_perm, perms);
4692         return err;
4693 }
4694
4695 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4696 {
4697         struct task_security_struct *tsec;
4698         struct ipc_security_struct *isec;
4699         struct msg_security_struct *msec;
4700         struct avc_audit_data ad;
4701         int rc;
4702
4703         tsec = current->security;
4704         isec = msq->q_perm.security;
4705         msec = msg->security;
4706
4707         /*
4708          * First time through, need to assign label to the message
4709          */
4710         if (msec->sid == SECINITSID_UNLABELED) {
4711                 /*
4712                  * Compute new sid based on current process and
4713                  * message queue this message will be stored in
4714                  */
4715                 rc = security_transition_sid(tsec->sid,
4716                                              isec->sid,
4717                                              SECCLASS_MSG,
4718                                              &msec->sid);
4719                 if (rc)
4720                         return rc;
4721         }
4722
4723         AVC_AUDIT_DATA_INIT(&ad, IPC);
4724         ad.u.ipc_id = msq->q_perm.key;
4725
4726         /* Can this process write to the queue? */
4727         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4728                           MSGQ__WRITE, &ad);
4729         if (!rc)
4730                 /* Can this process send the message */
4731                 rc = avc_has_perm(tsec->sid, msec->sid,
4732                                   SECCLASS_MSG, MSG__SEND, &ad);
4733         if (!rc)
4734                 /* Can the message be put in the queue? */
4735                 rc = avc_has_perm(msec->sid, isec->sid,
4736                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4737
4738         return rc;
4739 }
4740
4741 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4742                                     struct task_struct *target,
4743                                     long type, int mode)
4744 {
4745         struct task_security_struct *tsec;
4746         struct ipc_security_struct *isec;
4747         struct msg_security_struct *msec;
4748         struct avc_audit_data ad;
4749         int rc;
4750
4751         tsec = target->security;
4752         isec = msq->q_perm.security;
4753         msec = msg->security;
4754
4755         AVC_AUDIT_DATA_INIT(&ad, IPC);
4756         ad.u.ipc_id = msq->q_perm.key;
4757
4758         rc = avc_has_perm(tsec->sid, isec->sid,
4759                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4760         if (!rc)
4761                 rc = avc_has_perm(tsec->sid, msec->sid,
4762                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4763         return rc;
4764 }
4765
4766 /* Shared Memory security operations */
4767 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4768 {
4769         struct task_security_struct *tsec;
4770         struct ipc_security_struct *isec;
4771         struct avc_audit_data ad;
4772         int rc;
4773
4774         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4775         if (rc)
4776                 return rc;
4777
4778         tsec = current->security;
4779         isec = shp->shm_perm.security;
4780
4781         AVC_AUDIT_DATA_INIT(&ad, IPC);
4782         ad.u.ipc_id = shp->shm_perm.key;
4783
4784         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4785                           SHM__CREATE, &ad);
4786         if (rc) {
4787                 ipc_free_security(&shp->shm_perm);
4788                 return rc;
4789         }
4790         return 0;
4791 }
4792
4793 static void selinux_shm_free_security(struct shmid_kernel *shp)
4794 {
4795         ipc_free_security(&shp->shm_perm);
4796 }
4797
4798 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4799 {
4800         struct task_security_struct *tsec;
4801         struct ipc_security_struct *isec;
4802         struct avc_audit_data ad;
4803
4804         tsec = current->security;
4805         isec = shp->shm_perm.security;
4806
4807         AVC_AUDIT_DATA_INIT(&ad, IPC);
4808         ad.u.ipc_id = shp->shm_perm.key;
4809
4810         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4811                             SHM__ASSOCIATE, &ad);
4812 }
4813
4814 /* Note, at this point, shp is locked down */
4815 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4816 {
4817         int perms;
4818         int err;
4819
4820         switch(cmd) {
4821         case IPC_INFO:
4822         case SHM_INFO:
4823                 /* No specific object, just general system-wide information. */
4824                 return task_has_system(current, SYSTEM__IPC_INFO);
4825         case IPC_STAT:
4826         case SHM_STAT:
4827                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4828                 break;
4829         case IPC_SET:
4830                 perms = SHM__SETATTR;
4831                 break;
4832         case SHM_LOCK:
4833         case SHM_UNLOCK:
4834                 perms = SHM__LOCK;
4835                 break;
4836         case IPC_RMID:
4837                 perms = SHM__DESTROY;
4838                 break;
4839         default:
4840                 return 0;
4841         }
4842
4843         err = ipc_has_perm(&shp->shm_perm, perms);
4844         return err;
4845 }
4846
4847 static int selinux_shm_shmat(struct shmid_kernel *shp,
4848                              char __user *shmaddr, int shmflg)
4849 {
4850         u32 perms;
4851         int rc;
4852
4853         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4854         if (rc)
4855                 return rc;
4856
4857         if (shmflg & SHM_RDONLY)
4858                 perms = SHM__READ;
4859         else
4860                 perms = SHM__READ | SHM__WRITE;
4861
4862         return ipc_has_perm(&shp->shm_perm, perms);
4863 }
4864
4865 /* Semaphore security operations */
4866 static int selinux_sem_alloc_security(struct sem_array *sma)
4867 {
4868         struct task_security_struct *tsec;
4869         struct ipc_security_struct *isec;
4870         struct avc_audit_data ad;
4871         int rc;
4872
4873         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4874         if (rc)
4875                 return rc;
4876
4877         tsec = current->security;
4878         isec = sma->sem_perm.security;
4879
4880         AVC_AUDIT_DATA_INIT(&ad, IPC);
4881         ad.u.ipc_id = sma->sem_perm.key;
4882
4883         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4884                           SEM__CREATE, &ad);
4885         if (rc) {
4886                 ipc_free_security(&sma->sem_perm);
4887                 return rc;
4888         }
4889         return 0;
4890 }
4891
4892 static void selinux_sem_free_security(struct sem_array *sma)
4893 {
4894         ipc_free_security(&sma->sem_perm);
4895 }
4896
4897 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4898 {
4899         struct task_security_struct *tsec;
4900         struct ipc_security_struct *isec;
4901         struct avc_audit_data ad;
4902
4903         tsec = current->security;
4904         isec = sma->sem_perm.security;
4905
4906         AVC_AUDIT_DATA_INIT(&ad, IPC);
4907         ad.u.ipc_id = sma->sem_perm.key;
4908
4909         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4910                             SEM__ASSOCIATE, &ad);
4911 }
4912
4913 /* Note, at this point, sma is locked down */
4914 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4915 {
4916         int err;
4917         u32 perms;
4918
4919         switch(cmd) {
4920         case IPC_INFO:
4921         case SEM_INFO:
4922                 /* No specific object, just general system-wide information. */
4923                 return task_has_system(current, SYSTEM__IPC_INFO);
4924         case GETPID:
4925         case GETNCNT:
4926         case GETZCNT:
4927                 perms = SEM__GETATTR;
4928                 break;
4929         case GETVAL:
4930         case GETALL:
4931                 perms = SEM__READ;
4932                 break;
4933         case SETVAL:
4934         case SETALL:
4935                 perms = SEM__WRITE;
4936                 break;
4937         case IPC_RMID:
4938                 perms = SEM__DESTROY;
4939                 break;
4940         case IPC_SET:
4941                 perms = SEM__SETATTR;
4942                 break;
4943         case IPC_STAT:
4944         case SEM_STAT:
4945                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4946                 break;
4947         default:
4948                 return 0;
4949         }
4950
4951         err = ipc_has_perm(&sma->sem_perm, perms);
4952         return err;
4953 }
4954
4955 static int selinux_sem_semop(struct sem_array *sma,
4956                              struct sembuf *sops, unsigned nsops, int alter)
4957 {
4958         u32 perms;
4959
4960         if (alter)
4961                 perms = SEM__READ | SEM__WRITE;
4962         else
4963                 perms = SEM__READ;
4964
4965         return ipc_has_perm(&sma->sem_perm, perms);
4966 }
4967
4968 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4969 {
4970         u32 av = 0;
4971
4972         av = 0;
4973         if (flag & S_IRUGO)
4974                 av |= IPC__UNIX_READ;
4975         if (flag & S_IWUGO)
4976                 av |= IPC__UNIX_WRITE;
4977
4978         if (av == 0)
4979                 return 0;
4980
4981         return ipc_has_perm(ipcp, av);
4982 }
4983
4984 /* module stacking operations */
4985 static int selinux_register_security (const char *name, struct security_operations *ops)
4986 {
4987         if (secondary_ops != original_ops) {
4988                 printk(KERN_ERR "%s:  There is already a secondary security "
4989                        "module registered.\n", __FUNCTION__);
4990                 return -EINVAL;
4991         }
4992
4993         secondary_ops = ops;
4994
4995         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4996                __FUNCTION__,
4997                name);
4998
4999         return 0;
5000 }
5001
5002 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5003 {
5004         if (inode)
5005                 inode_doinit_with_dentry(inode, dentry);
5006 }
5007
5008 static int selinux_getprocattr(struct task_struct *p,
5009                                char *name, char **value)
5010 {
5011         struct task_security_struct *tsec;
5012         u32 sid;
5013         int error;
5014         unsigned len;
5015
5016         if (current != p) {
5017                 error = task_has_perm(current, p, PROCESS__GETATTR);
5018                 if (error)
5019                         return error;
5020         }
5021
5022         tsec = p->security;
5023
5024         if (!strcmp(name, "current"))
5025                 sid = tsec->sid;
5026         else if (!strcmp(name, "prev"))
5027                 sid = tsec->osid;
5028         else if (!strcmp(name, "exec"))
5029                 sid = tsec->exec_sid;
5030         else if (!strcmp(name, "fscreate"))
5031                 sid = tsec->create_sid;
5032         else if (!strcmp(name, "keycreate"))
5033                 sid = tsec->keycreate_sid;
5034         else if (!strcmp(name, "sockcreate"))
5035                 sid = tsec->sockcreate_sid;
5036         else
5037                 return -EINVAL;
5038
5039         if (!sid)
5040                 return 0;
5041
5042         error = security_sid_to_context(sid, value, &len);
5043         if (error)
5044                 return error;
5045         return len;
5046 }
5047
5048 static int selinux_setprocattr(struct task_struct *p,
5049                                char *name, void *value, size_t size)
5050 {
5051         struct task_security_struct *tsec;
5052         u32 sid = 0;
5053         int error;
5054         char *str = value;
5055
5056         if (current != p) {
5057                 /* SELinux only allows a process to change its own
5058                    security attributes. */
5059                 return -EACCES;
5060         }
5061
5062         /*
5063          * Basic control over ability to set these attributes at all.
5064          * current == p, but we'll pass them separately in case the
5065          * above restriction is ever removed.
5066          */
5067         if (!strcmp(name, "exec"))
5068                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5069         else if (!strcmp(name, "fscreate"))
5070                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5071         else if (!strcmp(name, "keycreate"))
5072                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5073         else if (!strcmp(name, "sockcreate"))
5074                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5075         else if (!strcmp(name, "current"))
5076                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5077         else
5078                 error = -EINVAL;
5079         if (error)
5080                 return error;
5081
5082         /* Obtain a SID for the context, if one was specified. */
5083         if (size && str[1] && str[1] != '\n') {
5084                 if (str[size-1] == '\n') {
5085                         str[size-1] = 0;
5086                         size--;
5087                 }
5088                 error = security_context_to_sid(value, size, &sid);
5089                 if (error)
5090                         return error;
5091         }
5092
5093         /* Permission checking based on the specified context is
5094            performed during the actual operation (execve,
5095            open/mkdir/...), when we know the full context of the
5096            operation.  See selinux_bprm_set_security for the execve
5097            checks and may_create for the file creation checks. The
5098            operation will then fail if the context is not permitted. */
5099         tsec = p->security;
5100         if (!strcmp(name, "exec"))
5101                 tsec->exec_sid = sid;
5102         else if (!strcmp(name, "fscreate"))
5103                 tsec->create_sid = sid;
5104         else if (!strcmp(name, "keycreate")) {
5105                 error = may_create_key(sid, p);
5106                 if (error)
5107                         return error;
5108                 tsec->keycreate_sid = sid;
5109         } else if (!strcmp(name, "sockcreate"))
5110                 tsec->sockcreate_sid = sid;
5111         else if (!strcmp(name, "current")) {
5112                 struct av_decision avd;
5113
5114                 if (sid == 0)
5115                         return -EINVAL;
5116
5117                 /* Only allow single threaded processes to change context */
5118                 if (atomic_read(&p->mm->mm_users) != 1) {
5119                         struct task_struct *g, *t;
5120                         struct mm_struct *mm = p->mm;
5121                         read_lock(&tasklist_lock);
5122                         do_each_thread(g, t)
5123                                 if (t->mm == mm && t != p) {
5124                                         read_unlock(&tasklist_lock);
5125                                         return -EPERM;
5126                                 }
5127                         while_each_thread(g, t);
5128                         read_unlock(&tasklist_lock);
5129                 }
5130
5131                 /* Check permissions for the transition. */
5132                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5133                                      PROCESS__DYNTRANSITION, NULL);
5134                 if (error)
5135                         return error;
5136
5137                 /* Check for ptracing, and update the task SID if ok.
5138                    Otherwise, leave SID unchanged and fail. */
5139                 task_lock(p);
5140                 if (p->ptrace & PT_PTRACED) {
5141                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5142                                                      SECCLASS_PROCESS,
5143                                                      PROCESS__PTRACE, 0, &avd);
5144                         if (!error)
5145                                 tsec->sid = sid;
5146                         task_unlock(p);
5147                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5148                                   PROCESS__PTRACE, &avd, error, NULL);
5149                         if (error)
5150                                 return error;
5151                 } else {
5152                         tsec->sid = sid;
5153                         task_unlock(p);
5154                 }
5155         }
5156         else
5157                 return -EINVAL;
5158
5159         return size;
5160 }
5161
5162 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5163 {
5164         return security_sid_to_context(secid, secdata, seclen);
5165 }
5166
5167 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5168 {
5169         return security_context_to_sid(secdata, seclen, secid);
5170 }
5171
5172 static void selinux_release_secctx(char *secdata, u32 seclen)
5173 {
5174         kfree(secdata);
5175 }
5176
5177 #ifdef CONFIG_KEYS
5178
5179 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5180                              unsigned long flags)
5181 {
5182         struct task_security_struct *tsec = tsk->security;
5183         struct key_security_struct *ksec;
5184
5185         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5186         if (!ksec)
5187                 return -ENOMEM;
5188
5189         ksec->obj = k;
5190         if (tsec->keycreate_sid)
5191                 ksec->sid = tsec->keycreate_sid;
5192         else
5193                 ksec->sid = tsec->sid;
5194         k->security = ksec;
5195
5196         return 0;
5197 }
5198
5199 static void selinux_key_free(struct key *k)
5200 {
5201         struct key_security_struct *ksec = k->security;
5202
5203         k->security = NULL;
5204         kfree(ksec);
5205 }
5206
5207 static int selinux_key_permission(key_ref_t key_ref,
5208                             struct task_struct *ctx,
5209                             key_perm_t perm)
5210 {
5211         struct key *key;
5212         struct task_security_struct *tsec;
5213         struct key_security_struct *ksec;
5214
5215         key = key_ref_to_ptr(key_ref);
5216
5217         tsec = ctx->security;
5218         ksec = key->security;
5219
5220         /* if no specific permissions are requested, we skip the
5221            permission check. No serious, additional covert channels
5222            appear to be created. */
5223         if (perm == 0)
5224                 return 0;
5225
5226         return avc_has_perm(tsec->sid, ksec->sid,
5227                             SECCLASS_KEY, perm, NULL);
5228 }
5229
5230 #endif
5231
5232 static struct security_operations selinux_ops = {
5233         .ptrace =                       selinux_ptrace,
5234         .capget =                       selinux_capget,
5235         .capset_check =                 selinux_capset_check,
5236         .capset_set =                   selinux_capset_set,
5237         .sysctl =                       selinux_sysctl,
5238         .capable =                      selinux_capable,
5239         .quotactl =                     selinux_quotactl,
5240         .quota_on =                     selinux_quota_on,
5241         .syslog =                       selinux_syslog,
5242         .vm_enough_memory =             selinux_vm_enough_memory,
5243
5244         .netlink_send =                 selinux_netlink_send,
5245         .netlink_recv =                 selinux_netlink_recv,
5246
5247         .bprm_alloc_security =          selinux_bprm_alloc_security,
5248         .bprm_free_security =           selinux_bprm_free_security,
5249         .bprm_apply_creds =             selinux_bprm_apply_creds,
5250         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5251         .bprm_set_security =            selinux_bprm_set_security,
5252         .bprm_check_security =          selinux_bprm_check_security,
5253         .bprm_secureexec =              selinux_bprm_secureexec,
5254
5255         .sb_alloc_security =            selinux_sb_alloc_security,
5256         .sb_free_security =             selinux_sb_free_security,
5257         .sb_copy_data =                 selinux_sb_copy_data,
5258         .sb_kern_mount =                selinux_sb_kern_mount,
5259         .sb_statfs =                    selinux_sb_statfs,
5260         .sb_mount =                     selinux_mount,
5261         .sb_umount =                    selinux_umount,
5262         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5263         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5264         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5265         .sb_parse_opts_str =            selinux_parse_opts_str,
5266
5267
5268         .inode_alloc_security =         selinux_inode_alloc_security,
5269         .inode_free_security =          selinux_inode_free_security,
5270         .inode_init_security =          selinux_inode_init_security,
5271         .inode_create =                 selinux_inode_create,
5272         .inode_link =                   selinux_inode_link,
5273         .inode_unlink =                 selinux_inode_unlink,
5274         .inode_symlink =                selinux_inode_symlink,
5275         .inode_mkdir =                  selinux_inode_mkdir,
5276         .inode_rmdir =                  selinux_inode_rmdir,
5277         .inode_mknod =                  selinux_inode_mknod,
5278         .inode_rename =                 selinux_inode_rename,
5279         .inode_readlink =               selinux_inode_readlink,
5280         .inode_follow_link =            selinux_inode_follow_link,
5281         .inode_permission =             selinux_inode_permission,
5282         .inode_setattr =                selinux_inode_setattr,
5283         .inode_getattr =                selinux_inode_getattr,
5284         .inode_setxattr =               selinux_inode_setxattr,
5285         .inode_post_setxattr =          selinux_inode_post_setxattr,
5286         .inode_getxattr =               selinux_inode_getxattr,
5287         .inode_listxattr =              selinux_inode_listxattr,
5288         .inode_removexattr =            selinux_inode_removexattr,
5289         .inode_getsecurity =            selinux_inode_getsecurity,
5290         .inode_setsecurity =            selinux_inode_setsecurity,
5291         .inode_listsecurity =           selinux_inode_listsecurity,
5292         .inode_need_killpriv =          selinux_inode_need_killpriv,
5293         .inode_killpriv =               selinux_inode_killpriv,
5294
5295         .file_permission =              selinux_file_permission,
5296         .file_alloc_security =          selinux_file_alloc_security,
5297         .file_free_security =           selinux_file_free_security,
5298         .file_ioctl =                   selinux_file_ioctl,
5299         .file_mmap =                    selinux_file_mmap,
5300         .file_mprotect =                selinux_file_mprotect,
5301         .file_lock =                    selinux_file_lock,
5302         .file_fcntl =                   selinux_file_fcntl,
5303         .file_set_fowner =              selinux_file_set_fowner,
5304         .file_send_sigiotask =          selinux_file_send_sigiotask,
5305         .file_receive =                 selinux_file_receive,
5306
5307         .dentry_open =                  selinux_dentry_open,
5308
5309         .task_create =                  selinux_task_create,
5310         .task_alloc_security =          selinux_task_alloc_security,
5311         .task_free_security =           selinux_task_free_security,
5312         .task_setuid =                  selinux_task_setuid,
5313         .task_post_setuid =             selinux_task_post_setuid,
5314         .task_setgid =                  selinux_task_setgid,
5315         .task_setpgid =                 selinux_task_setpgid,
5316         .task_getpgid =                 selinux_task_getpgid,
5317         .task_getsid =                  selinux_task_getsid,
5318         .task_getsecid =                selinux_task_getsecid,
5319         .task_setgroups =               selinux_task_setgroups,
5320         .task_setnice =                 selinux_task_setnice,
5321         .task_setioprio =               selinux_task_setioprio,
5322         .task_getioprio =               selinux_task_getioprio,
5323         .task_setrlimit =               selinux_task_setrlimit,
5324         .task_setscheduler =            selinux_task_setscheduler,
5325         .task_getscheduler =            selinux_task_getscheduler,
5326         .task_movememory =              selinux_task_movememory,
5327         .task_kill =                    selinux_task_kill,
5328         .task_wait =                    selinux_task_wait,
5329         .task_prctl =                   selinux_task_prctl,
5330         .task_reparent_to_init =        selinux_task_reparent_to_init,
5331         .task_to_inode =                selinux_task_to_inode,
5332
5333         .ipc_permission =               selinux_ipc_permission,
5334
5335         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5336         .msg_msg_free_security =        selinux_msg_msg_free_security,
5337
5338         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5339         .msg_queue_free_security =      selinux_msg_queue_free_security,
5340         .msg_queue_associate =          selinux_msg_queue_associate,
5341         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5342         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5343         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5344
5345         .shm_alloc_security =           selinux_shm_alloc_security,
5346         .shm_free_security =            selinux_shm_free_security,
5347         .shm_associate =                selinux_shm_associate,
5348         .shm_shmctl =                   selinux_shm_shmctl,
5349         .shm_shmat =                    selinux_shm_shmat,
5350
5351         .sem_alloc_security =           selinux_sem_alloc_security,
5352         .sem_free_security =            selinux_sem_free_security,
5353         .sem_associate =                selinux_sem_associate,
5354         .sem_semctl =                   selinux_sem_semctl,
5355         .sem_semop =                    selinux_sem_semop,
5356
5357         .register_security =            selinux_register_security,
5358
5359         .d_instantiate =                selinux_d_instantiate,
5360
5361         .getprocattr =                  selinux_getprocattr,
5362         .setprocattr =                  selinux_setprocattr,
5363
5364         .secid_to_secctx =              selinux_secid_to_secctx,
5365         .secctx_to_secid =              selinux_secctx_to_secid,
5366         .release_secctx =               selinux_release_secctx,
5367
5368         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5369         .unix_may_send =                selinux_socket_unix_may_send,
5370
5371         .socket_create =                selinux_socket_create,
5372         .socket_post_create =           selinux_socket_post_create,
5373         .socket_bind =                  selinux_socket_bind,
5374         .socket_connect =               selinux_socket_connect,
5375         .socket_listen =                selinux_socket_listen,
5376         .socket_accept =                selinux_socket_accept,
5377         .socket_sendmsg =               selinux_socket_sendmsg,
5378         .socket_recvmsg =               selinux_socket_recvmsg,
5379         .socket_getsockname =           selinux_socket_getsockname,
5380         .socket_getpeername =           selinux_socket_getpeername,
5381         .socket_getsockopt =            selinux_socket_getsockopt,
5382         .socket_setsockopt =            selinux_socket_setsockopt,
5383         .socket_shutdown =              selinux_socket_shutdown,
5384         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5385         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5386         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5387         .sk_alloc_security =            selinux_sk_alloc_security,
5388         .sk_free_security =             selinux_sk_free_security,
5389         .sk_clone_security =            selinux_sk_clone_security,
5390         .sk_getsecid =                  selinux_sk_getsecid,
5391         .sock_graft =                   selinux_sock_graft,
5392         .inet_conn_request =            selinux_inet_conn_request,
5393         .inet_csk_clone =               selinux_inet_csk_clone,
5394         .inet_conn_established =        selinux_inet_conn_established,
5395         .req_classify_flow =            selinux_req_classify_flow,
5396
5397 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5398         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5399         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5400         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5401         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5402         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5403         .xfrm_state_free_security =     selinux_xfrm_state_free,
5404         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5405         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5406         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5407         .xfrm_decode_session =          selinux_xfrm_decode_session,
5408 #endif
5409
5410 #ifdef CONFIG_KEYS
5411         .key_alloc =                    selinux_key_alloc,
5412         .key_free =                     selinux_key_free,
5413         .key_permission =               selinux_key_permission,
5414 #endif
5415 };
5416
5417 static __init int selinux_init(void)
5418 {
5419         struct task_security_struct *tsec;
5420
5421         if (!selinux_enabled) {
5422                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5423                 return 0;
5424         }
5425
5426         printk(KERN_INFO "SELinux:  Initializing.\n");
5427
5428         /* Set the security state for the initial task. */
5429         if (task_alloc_security(current))
5430                 panic("SELinux:  Failed to initialize initial task.\n");
5431         tsec = current->security;
5432         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5433
5434         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5435                                             sizeof(struct inode_security_struct),
5436                                             0, SLAB_PANIC, NULL);
5437         avc_init();
5438
5439         original_ops = secondary_ops = security_ops;
5440         if (!secondary_ops)
5441                 panic ("SELinux: No initial security operations\n");
5442         if (register_security (&selinux_ops))
5443                 panic("SELinux: Unable to register with kernel.\n");
5444
5445         if (selinux_enforcing) {
5446                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5447         } else {
5448                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5449         }
5450
5451 #ifdef CONFIG_KEYS
5452         /* Add security information to initial keyrings */
5453         selinux_key_alloc(&root_user_keyring, current,
5454                           KEY_ALLOC_NOT_IN_QUOTA);
5455         selinux_key_alloc(&root_session_keyring, current,
5456                           KEY_ALLOC_NOT_IN_QUOTA);
5457 #endif
5458
5459         return 0;
5460 }
5461
5462 void selinux_complete_init(void)
5463 {
5464         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5465
5466         /* Set up any superblocks initialized prior to the policy load. */
5467         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5468         spin_lock(&sb_lock);
5469         spin_lock(&sb_security_lock);
5470 next_sb:
5471         if (!list_empty(&superblock_security_head)) {
5472                 struct superblock_security_struct *sbsec =
5473                                 list_entry(superblock_security_head.next,
5474                                            struct superblock_security_struct,
5475                                            list);
5476                 struct super_block *sb = sbsec->sb;
5477                 sb->s_count++;
5478                 spin_unlock(&sb_security_lock);
5479                 spin_unlock(&sb_lock);
5480                 down_read(&sb->s_umount);
5481                 if (sb->s_root)
5482                         superblock_doinit(sb, NULL);
5483                 drop_super(sb);
5484                 spin_lock(&sb_lock);
5485                 spin_lock(&sb_security_lock);
5486                 list_del_init(&sbsec->list);
5487                 goto next_sb;
5488         }
5489         spin_unlock(&sb_security_lock);
5490         spin_unlock(&sb_lock);
5491 }
5492
5493 /* SELinux requires early initialization in order to label
5494    all processes and objects when they are created. */
5495 security_initcall(selinux_init);
5496
5497 #if defined(CONFIG_NETFILTER)
5498
5499 static struct nf_hook_ops selinux_ipv4_ops[] = {
5500         {
5501                 .hook =         selinux_ipv4_postroute,
5502                 .owner =        THIS_MODULE,
5503                 .pf =           PF_INET,
5504                 .hooknum =      NF_INET_POST_ROUTING,
5505                 .priority =     NF_IP_PRI_SELINUX_LAST,
5506         },
5507         {
5508                 .hook =         selinux_ipv4_forward,
5509                 .owner =        THIS_MODULE,
5510                 .pf =           PF_INET,
5511                 .hooknum =      NF_INET_FORWARD,
5512                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5513         }
5514 };
5515
5516 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5517
5518 static struct nf_hook_ops selinux_ipv6_ops[] = {
5519         {
5520                 .hook =         selinux_ipv6_postroute,
5521                 .owner =        THIS_MODULE,
5522                 .pf =           PF_INET6,
5523                 .hooknum =      NF_INET_POST_ROUTING,
5524                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5525         },
5526         {
5527                 .hook =         selinux_ipv6_forward,
5528                 .owner =        THIS_MODULE,
5529                 .pf =           PF_INET6,
5530                 .hooknum =      NF_INET_FORWARD,
5531                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5532         }
5533 };
5534
5535 #endif  /* IPV6 */
5536
5537 static int __init selinux_nf_ip_init(void)
5538 {
5539         int err = 0;
5540         u32 iter;
5541
5542         if (!selinux_enabled)
5543                 goto out;
5544
5545         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5546
5547         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5548                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5549                 if (err)
5550                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5551                               err);
5552         }
5553
5554 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5555         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5556                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5557                 if (err)
5558                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5559                               err);
5560         }
5561 #endif  /* IPV6 */
5562
5563 out:
5564         return err;
5565 }
5566
5567 __initcall(selinux_nf_ip_init);
5568
5569 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5570 static void selinux_nf_ip_exit(void)
5571 {
5572         u32 iter;
5573
5574         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5575
5576         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5577                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5578 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5579         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5580                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5581 #endif  /* IPV6 */
5582 }
5583 #endif
5584
5585 #else /* CONFIG_NETFILTER */
5586
5587 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5588 #define selinux_nf_ip_exit()
5589 #endif
5590
5591 #endif /* CONFIG_NETFILTER */
5592
5593 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5594 int selinux_disable(void)
5595 {
5596         extern void exit_sel_fs(void);
5597         static int selinux_disabled = 0;
5598
5599         if (ss_initialized) {
5600                 /* Not permitted after initial policy load. */
5601                 return -EINVAL;
5602         }
5603
5604         if (selinux_disabled) {
5605                 /* Only do this once. */
5606                 return -EINVAL;
5607         }
5608
5609         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5610
5611         selinux_disabled = 1;
5612         selinux_enabled = 0;
5613
5614         /* Reset security_ops to the secondary module, dummy or capability. */
5615         security_ops = secondary_ops;
5616
5617         /* Unregister netfilter hooks. */
5618         selinux_nf_ip_exit();
5619
5620         /* Unregister selinuxfs. */
5621         exit_sel_fs();
5622
5623         return 0;
5624 }
5625 #endif
5626
5627