Merge branch 'timers/for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/ptrace.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129
130 /*
131  * Minimal support for a secondary security module,
132  * just to allow the use of the capability module.
133  */
134 static struct security_operations *secondary_ops;
135
136 /* Lists of inode and superblock security structures initialized
137    before the policy was loaded. */
138 static LIST_HEAD(superblock_security_head);
139 static DEFINE_SPINLOCK(sb_security_lock);
140
141 static struct kmem_cache *sel_inode_cache;
142
143 /**
144  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145  *
146  * Description:
147  * This function checks the SECMARK reference counter to see if any SECMARK
148  * targets are currently configured, if the reference counter is greater than
149  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
150  * enabled, false (0) if SECMARK is disabled.
151  *
152  */
153 static int selinux_secmark_enabled(void)
154 {
155         return (atomic_read(&selinux_secmark_refcount) > 0);
156 }
157
158 /* Allocate and free functions for each kind of security blob. */
159
160 static int task_alloc_security(struct task_struct *task)
161 {
162         struct task_security_struct *tsec;
163
164         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165         if (!tsec)
166                 return -ENOMEM;
167
168         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
169         task->security = tsec;
170
171         return 0;
172 }
173
174 static void task_free_security(struct task_struct *task)
175 {
176         struct task_security_struct *tsec = task->security;
177         task->security = NULL;
178         kfree(tsec);
179 }
180
181 static int inode_alloc_security(struct inode *inode)
182 {
183         struct task_security_struct *tsec = current->security;
184         struct inode_security_struct *isec;
185
186         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187         if (!isec)
188                 return -ENOMEM;
189
190         mutex_init(&isec->lock);
191         INIT_LIST_HEAD(&isec->list);
192         isec->inode = inode;
193         isec->sid = SECINITSID_UNLABELED;
194         isec->sclass = SECCLASS_FILE;
195         isec->task_sid = tsec->sid;
196         inode->i_security = isec;
197
198         return 0;
199 }
200
201 static void inode_free_security(struct inode *inode)
202 {
203         struct inode_security_struct *isec = inode->i_security;
204         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
206         spin_lock(&sbsec->isec_lock);
207         if (!list_empty(&isec->list))
208                 list_del_init(&isec->list);
209         spin_unlock(&sbsec->isec_lock);
210
211         inode->i_security = NULL;
212         kmem_cache_free(sel_inode_cache, isec);
213 }
214
215 static int file_alloc_security(struct file *file)
216 {
217         struct task_security_struct *tsec = current->security;
218         struct file_security_struct *fsec;
219
220         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221         if (!fsec)
222                 return -ENOMEM;
223
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         ssec->sid = SECINITSID_UNLABELED;
282         sk->sk_security = ssec;
283
284         selinux_netlbl_sk_security_reset(ssec, family);
285
286         return 0;
287 }
288
289 static void sk_free_security(struct sock *sk)
290 {
291         struct sk_security_struct *ssec = sk->sk_security;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_error = -1,
321         Opt_context = 1,
322         Opt_fscontext = 2,
323         Opt_defcontext = 3,
324         Opt_rootcontext = 4,
325 };
326
327 static match_table_t tokens = {
328         {Opt_context, CONTEXT_STR "%s"},
329         {Opt_fscontext, FSCONTEXT_STR "%s"},
330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332         {Opt_error, NULL},
333 };
334
335 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
336
337 static int may_context_mount_sb_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         struct task_security_struct *tsec)
340 {
341         int rc;
342
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__RELABELTO, NULL);
350         return rc;
351 }
352
353 static int may_context_mount_inode_relabel(u32 sid,
354                         struct superblock_security_struct *sbsec,
355                         struct task_security_struct *tsec)
356 {
357         int rc;
358         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359                           FILESYSTEM__RELABELFROM, NULL);
360         if (rc)
361                 return rc;
362
363         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364                           FILESYSTEM__ASSOCIATE, NULL);
365         return rc;
366 }
367
368 static int sb_finish_set_opts(struct super_block *sb)
369 {
370         struct superblock_security_struct *sbsec = sb->s_security;
371         struct dentry *root = sb->s_root;
372         struct inode *root_inode = root->d_inode;
373         int rc = 0;
374
375         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376                 /* Make sure that the xattr handler exists and that no
377                    error other than -ENODATA is returned by getxattr on
378                    the root directory.  -ENODATA is ok, as this may be
379                    the first boot of the SELinux kernel before we have
380                    assigned xattr values to the filesystem. */
381                 if (!root_inode->i_op->getxattr) {
382                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383                                "xattr support\n", sb->s_id, sb->s_type->name);
384                         rc = -EOPNOTSUPP;
385                         goto out;
386                 }
387                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388                 if (rc < 0 && rc != -ENODATA) {
389                         if (rc == -EOPNOTSUPP)
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) has no security xattr handler\n",
392                                        sb->s_id, sb->s_type->name);
393                         else
394                                 printk(KERN_WARNING "SELinux: (dev %s, type "
395                                        "%s) getxattr errno %d\n", sb->s_id,
396                                        sb->s_type->name, -rc);
397                         goto out;
398                 }
399         }
400
401         sbsec->initialized = 1;
402
403         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405                        sb->s_id, sb->s_type->name);
406         else
407                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408                        sb->s_id, sb->s_type->name,
409                        labeling_behaviors[sbsec->behavior-1]);
410
411         /* Initialize the root inode. */
412         rc = inode_doinit_with_dentry(root_inode, root);
413
414         /* Initialize any other inodes associated with the superblock, e.g.
415            inodes created prior to initial policy load or inodes created
416            during get_sb by a pseudo filesystem that directly
417            populates itself. */
418         spin_lock(&sbsec->isec_lock);
419 next_inode:
420         if (!list_empty(&sbsec->isec_head)) {
421                 struct inode_security_struct *isec =
422                                 list_entry(sbsec->isec_head.next,
423                                            struct inode_security_struct, list);
424                 struct inode *inode = isec->inode;
425                 spin_unlock(&sbsec->isec_lock);
426                 inode = igrab(inode);
427                 if (inode) {
428                         if (!IS_PRIVATE(inode))
429                                 inode_doinit(inode);
430                         iput(inode);
431                 }
432                 spin_lock(&sbsec->isec_lock);
433                 list_del_init(&isec->list);
434                 goto next_inode;
435         }
436         spin_unlock(&sbsec->isec_lock);
437 out:
438         return rc;
439 }
440
441 /*
442  * This function should allow an FS to ask what it's mount security
443  * options were so it can use those later for submounts, displaying
444  * mount options, or whatever.
445  */
446 static int selinux_get_mnt_opts(const struct super_block *sb,
447                                 struct security_mnt_opts *opts)
448 {
449         int rc = 0, i;
450         struct superblock_security_struct *sbsec = sb->s_security;
451         char *context = NULL;
452         u32 len;
453         char tmp;
454
455         security_init_mnt_opts(opts);
456
457         if (!sbsec->initialized)
458                 return -EINVAL;
459
460         if (!ss_initialized)
461                 return -EINVAL;
462
463         /*
464          * if we ever use sbsec flags for anything other than tracking mount
465          * settings this is going to need a mask
466          */
467         tmp = sbsec->flags;
468         /* count the number of mount options for this sb */
469         for (i = 0; i < 8; i++) {
470                 if (tmp & 0x01)
471                         opts->num_mnt_opts++;
472                 tmp >>= 1;
473         }
474
475         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476         if (!opts->mnt_opts) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482         if (!opts->mnt_opts_flags) {
483                 rc = -ENOMEM;
484                 goto out_free;
485         }
486
487         i = 0;
488         if (sbsec->flags & FSCONTEXT_MNT) {
489                 rc = security_sid_to_context(sbsec->sid, &context, &len);
490                 if (rc)
491                         goto out_free;
492                 opts->mnt_opts[i] = context;
493                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494         }
495         if (sbsec->flags & CONTEXT_MNT) {
496                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497                 if (rc)
498                         goto out_free;
499                 opts->mnt_opts[i] = context;
500                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501         }
502         if (sbsec->flags & DEFCONTEXT_MNT) {
503                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504                 if (rc)
505                         goto out_free;
506                 opts->mnt_opts[i] = context;
507                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508         }
509         if (sbsec->flags & ROOTCONTEXT_MNT) {
510                 struct inode *root = sbsec->sb->s_root->d_inode;
511                 struct inode_security_struct *isec = root->i_security;
512
513                 rc = security_sid_to_context(isec->sid, &context, &len);
514                 if (rc)
515                         goto out_free;
516                 opts->mnt_opts[i] = context;
517                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         /* check if the old mount command had the same options */
533         if (sbsec->initialized)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!sbsec->initialized)
542                 if (sbsec->flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         int rc = 0, i;
555         struct task_security_struct *tsec = current->security;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         spin_lock(&sb_security_lock);
574                         if (list_empty(&sbsec->list))
575                                 list_add(&sbsec->list, &superblock_security_head);
576                         spin_unlock(&sb_security_lock);
577                         goto out;
578                 }
579                 rc = -EINVAL;
580                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581                         "before the security server is initialized\n");
582                 goto out;
583         }
584
585         /*
586          * Binary mount data FS will come through this function twice.  Once
587          * from an explicit call and once from the generic calls from the vfs.
588          * Since the generic VFS calls will not contain any security mount data
589          * we need to skip the double mount verification.
590          *
591          * This does open a hole in which we will not notice if the first
592          * mount using this sb set explict options and a second mount using
593          * this sb does not set any security options.  (The first options
594          * will be used for both mounts)
595          */
596         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597             && (num_opts == 0))
598                 goto out;
599
600         /*
601          * parse the mount options, check if they are valid sids.
602          * also check if someone is trying to mount the same sb more
603          * than once with different security options.
604          */
605         for (i = 0; i < num_opts; i++) {
606                 u32 sid;
607                 rc = security_context_to_sid(mount_options[i],
608                                              strlen(mount_options[i]), &sid);
609                 if (rc) {
610                         printk(KERN_WARNING "SELinux: security_context_to_sid"
611                                "(%s) failed for (dev %s, type %s) errno=%d\n",
612                                mount_options[i], sb->s_id, name, rc);
613                         goto out;
614                 }
615                 switch (flags[i]) {
616                 case FSCONTEXT_MNT:
617                         fscontext_sid = sid;
618
619                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620                                         fscontext_sid))
621                                 goto out_double_mount;
622
623                         sbsec->flags |= FSCONTEXT_MNT;
624                         break;
625                 case CONTEXT_MNT:
626                         context_sid = sid;
627
628                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629                                         context_sid))
630                                 goto out_double_mount;
631
632                         sbsec->flags |= CONTEXT_MNT;
633                         break;
634                 case ROOTCONTEXT_MNT:
635                         rootcontext_sid = sid;
636
637                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638                                         rootcontext_sid))
639                                 goto out_double_mount;
640
641                         sbsec->flags |= ROOTCONTEXT_MNT;
642
643                         break;
644                 case DEFCONTEXT_MNT:
645                         defcontext_sid = sid;
646
647                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648                                         defcontext_sid))
649                                 goto out_double_mount;
650
651                         sbsec->flags |= DEFCONTEXT_MNT;
652
653                         break;
654                 default:
655                         rc = -EINVAL;
656                         goto out;
657                 }
658         }
659
660         if (sbsec->initialized) {
661                 /* previously mounted with options, but not on this attempt? */
662                 if (sbsec->flags && !num_opts)
663                         goto out_double_mount;
664                 rc = 0;
665                 goto out;
666         }
667
668         if (strcmp(sb->s_type->name, "proc") == 0)
669                 sbsec->proc = 1;
670
671         /* Determine the labeling behavior to use for this filesystem type. */
672         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673         if (rc) {
674                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
675                        __func__, sb->s_type->name, rc);
676                 goto out;
677         }
678
679         /* sets the context of the superblock for the fs being mounted. */
680         if (fscontext_sid) {
681
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
697                         if (rc)
698                                 goto out;
699                         sbsec->sid = context_sid;
700                 } else {
701                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714                 if (rc)
715                         goto out;
716
717                 root_isec->sid = rootcontext_sid;
718                 root_isec->initialized = 1;
719         }
720
721         if (defcontext_sid) {
722                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
723                         rc = -EINVAL;
724                         printk(KERN_WARNING "SELinux: defcontext option is "
725                                "invalid for this filesystem type\n");
726                         goto out;
727                 }
728
729                 if (defcontext_sid != sbsec->def_sid) {
730                         rc = may_context_mount_inode_relabel(defcontext_sid,
731                                                              sbsec, tsec);
732                         if (rc)
733                                 goto out;
734                 }
735
736                 sbsec->def_sid = defcontext_sid;
737         }
738
739         rc = sb_finish_set_opts(sb);
740 out:
741         mutex_unlock(&sbsec->lock);
742         return rc;
743 out_double_mount:
744         rc = -EINVAL;
745         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
746                "security settings for (dev %s, type %s)\n", sb->s_id, name);
747         goto out;
748 }
749
750 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
751                                         struct super_block *newsb)
752 {
753         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
754         struct superblock_security_struct *newsbsec = newsb->s_security;
755
756         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
757         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
758         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
759
760         /*
761          * if the parent was able to be mounted it clearly had no special lsm
762          * mount options.  thus we can safely put this sb on the list and deal
763          * with it later
764          */
765         if (!ss_initialized) {
766                 spin_lock(&sb_security_lock);
767                 if (list_empty(&newsbsec->list))
768                         list_add(&newsbsec->list, &superblock_security_head);
769                 spin_unlock(&sb_security_lock);
770                 return;
771         }
772
773         /* how can we clone if the old one wasn't set up?? */
774         BUG_ON(!oldsbsec->initialized);
775
776         /* if fs is reusing a sb, just let its options stand... */
777         if (newsbsec->initialized)
778                 return;
779
780         mutex_lock(&newsbsec->lock);
781
782         newsbsec->flags = oldsbsec->flags;
783
784         newsbsec->sid = oldsbsec->sid;
785         newsbsec->def_sid = oldsbsec->def_sid;
786         newsbsec->behavior = oldsbsec->behavior;
787
788         if (set_context) {
789                 u32 sid = oldsbsec->mntpoint_sid;
790
791                 if (!set_fscontext)
792                         newsbsec->sid = sid;
793                 if (!set_rootcontext) {
794                         struct inode *newinode = newsb->s_root->d_inode;
795                         struct inode_security_struct *newisec = newinode->i_security;
796                         newisec->sid = sid;
797                 }
798                 newsbsec->mntpoint_sid = sid;
799         }
800         if (set_rootcontext) {
801                 const struct inode *oldinode = oldsb->s_root->d_inode;
802                 const struct inode_security_struct *oldisec = oldinode->i_security;
803                 struct inode *newinode = newsb->s_root->d_inode;
804                 struct inode_security_struct *newisec = newinode->i_security;
805
806                 newisec->sid = oldisec->sid;
807         }
808
809         sb_finish_set_opts(newsb);
810         mutex_unlock(&newsbsec->lock);
811 }
812
813 static int selinux_parse_opts_str(char *options,
814                                   struct security_mnt_opts *opts)
815 {
816         char *p;
817         char *context = NULL, *defcontext = NULL;
818         char *fscontext = NULL, *rootcontext = NULL;
819         int rc, num_mnt_opts = 0;
820
821         opts->num_mnt_opts = 0;
822
823         /* Standard string-based options. */
824         while ((p = strsep(&options, "|")) != NULL) {
825                 int token;
826                 substring_t args[MAX_OPT_ARGS];
827
828                 if (!*p)
829                         continue;
830
831                 token = match_token(p, tokens, args);
832
833                 switch (token) {
834                 case Opt_context:
835                         if (context || defcontext) {
836                                 rc = -EINVAL;
837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838                                 goto out_err;
839                         }
840                         context = match_strdup(&args[0]);
841                         if (!context) {
842                                 rc = -ENOMEM;
843                                 goto out_err;
844                         }
845                         break;
846
847                 case Opt_fscontext:
848                         if (fscontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         fscontext = match_strdup(&args[0]);
854                         if (!fscontext) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_rootcontext:
861                         if (rootcontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         rootcontext = match_strdup(&args[0]);
867                         if (!rootcontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 case Opt_defcontext:
874                         if (context || defcontext) {
875                                 rc = -EINVAL;
876                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877                                 goto out_err;
878                         }
879                         defcontext = match_strdup(&args[0]);
880                         if (!defcontext) {
881                                 rc = -ENOMEM;
882                                 goto out_err;
883                         }
884                         break;
885
886                 default:
887                         rc = -EINVAL;
888                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
889                         goto out_err;
890
891                 }
892         }
893
894         rc = -ENOMEM;
895         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896         if (!opts->mnt_opts)
897                 goto out_err;
898
899         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900         if (!opts->mnt_opts_flags) {
901                 kfree(opts->mnt_opts);
902                 goto out_err;
903         }
904
905         if (fscontext) {
906                 opts->mnt_opts[num_mnt_opts] = fscontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908         }
909         if (context) {
910                 opts->mnt_opts[num_mnt_opts] = context;
911                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912         }
913         if (rootcontext) {
914                 opts->mnt_opts[num_mnt_opts] = rootcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916         }
917         if (defcontext) {
918                 opts->mnt_opts[num_mnt_opts] = defcontext;
919                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920         }
921
922         opts->num_mnt_opts = num_mnt_opts;
923         return 0;
924
925 out_err:
926         kfree(context);
927         kfree(defcontext);
928         kfree(fscontext);
929         kfree(rootcontext);
930         return rc;
931 }
932 /*
933  * string mount options parsing and call set the sbsec
934  */
935 static int superblock_doinit(struct super_block *sb, void *data)
936 {
937         int rc = 0;
938         char *options = data;
939         struct security_mnt_opts opts;
940
941         security_init_mnt_opts(&opts);
942
943         if (!data)
944                 goto out;
945
946         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948         rc = selinux_parse_opts_str(options, &opts);
949         if (rc)
950                 goto out_err;
951
952 out:
953         rc = selinux_set_mnt_opts(sb, &opts);
954
955 out_err:
956         security_free_mnt_opts(&opts);
957         return rc;
958 }
959
960 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma = strchr(opts->mnt_opts[i], ',');
967
968                 switch (opts->mnt_opts_flags[i]) {
969                 case CONTEXT_MNT:
970                         prefix = CONTEXT_STR;
971                         break;
972                 case FSCONTEXT_MNT:
973                         prefix = FSCONTEXT_STR;
974                         break;
975                 case ROOTCONTEXT_MNT:
976                         prefix = ROOTCONTEXT_STR;
977                         break;
978                 case DEFCONTEXT_MNT:
979                         prefix = DEFCONTEXT_STR;
980                         break;
981                 default:
982                         BUG();
983                 };
984                 /* we need a comma before each option */
985                 seq_putc(m, ',');
986                 seq_puts(m, prefix);
987                 if (has_comma)
988                         seq_putc(m, '\"');
989                 seq_puts(m, opts->mnt_opts[i]);
990                 if (has_comma)
991                         seq_putc(m, '\"');
992         }
993 }
994
995 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
996 {
997         struct security_mnt_opts opts;
998         int rc;
999
1000         rc = selinux_get_mnt_opts(sb, &opts);
1001         if (rc)
1002                 return rc;
1003
1004         selinux_write_opts(m, &opts);
1005
1006         security_free_mnt_opts(&opts);
1007
1008         return rc;
1009 }
1010
1011 static inline u16 inode_mode_to_security_class(umode_t mode)
1012 {
1013         switch (mode & S_IFMT) {
1014         case S_IFSOCK:
1015                 return SECCLASS_SOCK_FILE;
1016         case S_IFLNK:
1017                 return SECCLASS_LNK_FILE;
1018         case S_IFREG:
1019                 return SECCLASS_FILE;
1020         case S_IFBLK:
1021                 return SECCLASS_BLK_FILE;
1022         case S_IFDIR:
1023                 return SECCLASS_DIR;
1024         case S_IFCHR:
1025                 return SECCLASS_CHR_FILE;
1026         case S_IFIFO:
1027                 return SECCLASS_FIFO_FILE;
1028
1029         }
1030
1031         return SECCLASS_FILE;
1032 }
1033
1034 static inline int default_protocol_stream(int protocol)
1035 {
1036         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1037 }
1038
1039 static inline int default_protocol_dgram(int protocol)
1040 {
1041         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1042 }
1043
1044 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1045 {
1046         switch (family) {
1047         case PF_UNIX:
1048                 switch (type) {
1049                 case SOCK_STREAM:
1050                 case SOCK_SEQPACKET:
1051                         return SECCLASS_UNIX_STREAM_SOCKET;
1052                 case SOCK_DGRAM:
1053                         return SECCLASS_UNIX_DGRAM_SOCKET;
1054                 }
1055                 break;
1056         case PF_INET:
1057         case PF_INET6:
1058                 switch (type) {
1059                 case SOCK_STREAM:
1060                         if (default_protocol_stream(protocol))
1061                                 return SECCLASS_TCP_SOCKET;
1062                         else
1063                                 return SECCLASS_RAWIP_SOCKET;
1064                 case SOCK_DGRAM:
1065                         if (default_protocol_dgram(protocol))
1066                                 return SECCLASS_UDP_SOCKET;
1067                         else
1068                                 return SECCLASS_RAWIP_SOCKET;
1069                 case SOCK_DCCP:
1070                         return SECCLASS_DCCP_SOCKET;
1071                 default:
1072                         return SECCLASS_RAWIP_SOCKET;
1073                 }
1074                 break;
1075         case PF_NETLINK:
1076                 switch (protocol) {
1077                 case NETLINK_ROUTE:
1078                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1079                 case NETLINK_FIREWALL:
1080                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1081                 case NETLINK_INET_DIAG:
1082                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1083                 case NETLINK_NFLOG:
1084                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1085                 case NETLINK_XFRM:
1086                         return SECCLASS_NETLINK_XFRM_SOCKET;
1087                 case NETLINK_SELINUX:
1088                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1089                 case NETLINK_AUDIT:
1090                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1091                 case NETLINK_IP6_FW:
1092                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1093                 case NETLINK_DNRTMSG:
1094                         return SECCLASS_NETLINK_DNRT_SOCKET;
1095                 case NETLINK_KOBJECT_UEVENT:
1096                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1097                 default:
1098                         return SECCLASS_NETLINK_SOCKET;
1099                 }
1100         case PF_PACKET:
1101                 return SECCLASS_PACKET_SOCKET;
1102         case PF_KEY:
1103                 return SECCLASS_KEY_SOCKET;
1104         case PF_APPLETALK:
1105                 return SECCLASS_APPLETALK_SOCKET;
1106         }
1107
1108         return SECCLASS_SOCKET;
1109 }
1110
1111 #ifdef CONFIG_PROC_FS
1112 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1113                                 u16 tclass,
1114                                 u32 *sid)
1115 {
1116         int buflen, rc;
1117         char *buffer, *path, *end;
1118
1119         buffer = (char *)__get_free_page(GFP_KERNEL);
1120         if (!buffer)
1121                 return -ENOMEM;
1122
1123         buflen = PAGE_SIZE;
1124         end = buffer+buflen;
1125         *--end = '\0';
1126         buflen--;
1127         path = end-1;
1128         *path = '/';
1129         while (de && de != de->parent) {
1130                 buflen -= de->namelen + 1;
1131                 if (buflen < 0)
1132                         break;
1133                 end -= de->namelen;
1134                 memcpy(end, de->name, de->namelen);
1135                 *--end = '/';
1136                 path = end;
1137                 de = de->parent;
1138         }
1139         rc = security_genfs_sid("proc", path, tclass, sid);
1140         free_page((unsigned long)buffer);
1141         return rc;
1142 }
1143 #else
1144 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1145                                 u16 tclass,
1146                                 u32 *sid)
1147 {
1148         return -EINVAL;
1149 }
1150 #endif
1151
1152 /* The inode's security attributes must be initialized before first use. */
1153 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1154 {
1155         struct superblock_security_struct *sbsec = NULL;
1156         struct inode_security_struct *isec = inode->i_security;
1157         u32 sid;
1158         struct dentry *dentry;
1159 #define INITCONTEXTLEN 255
1160         char *context = NULL;
1161         unsigned len = 0;
1162         int rc = 0;
1163
1164         if (isec->initialized)
1165                 goto out;
1166
1167         mutex_lock(&isec->lock);
1168         if (isec->initialized)
1169                 goto out_unlock;
1170
1171         sbsec = inode->i_sb->s_security;
1172         if (!sbsec->initialized) {
1173                 /* Defer initialization until selinux_complete_init,
1174                    after the initial policy is loaded and the security
1175                    server is ready to handle calls. */
1176                 spin_lock(&sbsec->isec_lock);
1177                 if (list_empty(&isec->list))
1178                         list_add(&isec->list, &sbsec->isec_head);
1179                 spin_unlock(&sbsec->isec_lock);
1180                 goto out_unlock;
1181         }
1182
1183         switch (sbsec->behavior) {
1184         case SECURITY_FS_USE_XATTR:
1185                 if (!inode->i_op->getxattr) {
1186                         isec->sid = sbsec->def_sid;
1187                         break;
1188                 }
1189
1190                 /* Need a dentry, since the xattr API requires one.
1191                    Life would be simpler if we could just pass the inode. */
1192                 if (opt_dentry) {
1193                         /* Called from d_instantiate or d_splice_alias. */
1194                         dentry = dget(opt_dentry);
1195                 } else {
1196                         /* Called from selinux_complete_init, try to find a dentry. */
1197                         dentry = d_find_alias(inode);
1198                 }
1199                 if (!dentry) {
1200                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1201                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1202                                inode->i_ino);
1203                         goto out_unlock;
1204                 }
1205
1206                 len = INITCONTEXTLEN;
1207                 context = kmalloc(len, GFP_NOFS);
1208                 if (!context) {
1209                         rc = -ENOMEM;
1210                         dput(dentry);
1211                         goto out_unlock;
1212                 }
1213                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1214                                            context, len);
1215                 if (rc == -ERANGE) {
1216                         /* Need a larger buffer.  Query for the right size. */
1217                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1218                                                    NULL, 0);
1219                         if (rc < 0) {
1220                                 dput(dentry);
1221                                 goto out_unlock;
1222                         }
1223                         kfree(context);
1224                         len = rc;
1225                         context = kmalloc(len, GFP_NOFS);
1226                         if (!context) {
1227                                 rc = -ENOMEM;
1228                                 dput(dentry);
1229                                 goto out_unlock;
1230                         }
1231                         rc = inode->i_op->getxattr(dentry,
1232                                                    XATTR_NAME_SELINUX,
1233                                                    context, len);
1234                 }
1235                 dput(dentry);
1236                 if (rc < 0) {
1237                         if (rc != -ENODATA) {
1238                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1239                                        "%d for dev=%s ino=%ld\n", __func__,
1240                                        -rc, inode->i_sb->s_id, inode->i_ino);
1241                                 kfree(context);
1242                                 goto out_unlock;
1243                         }
1244                         /* Map ENODATA to the default file SID */
1245                         sid = sbsec->def_sid;
1246                         rc = 0;
1247                 } else {
1248                         rc = security_context_to_sid_default(context, rc, &sid,
1249                                                              sbsec->def_sid,
1250                                                              GFP_NOFS);
1251                         if (rc) {
1252                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1253                                        "returned %d for dev=%s ino=%ld\n",
1254                                        __func__, context, -rc,
1255                                        inode->i_sb->s_id, inode->i_ino);
1256                                 kfree(context);
1257                                 /* Leave with the unlabeled SID */
1258                                 rc = 0;
1259                                 break;
1260                         }
1261                 }
1262                 kfree(context);
1263                 isec->sid = sid;
1264                 break;
1265         case SECURITY_FS_USE_TASK:
1266                 isec->sid = isec->task_sid;
1267                 break;
1268         case SECURITY_FS_USE_TRANS:
1269                 /* Default to the fs SID. */
1270                 isec->sid = sbsec->sid;
1271
1272                 /* Try to obtain a transition SID. */
1273                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274                 rc = security_transition_sid(isec->task_sid,
1275                                              sbsec->sid,
1276                                              isec->sclass,
1277                                              &sid);
1278                 if (rc)
1279                         goto out_unlock;
1280                 isec->sid = sid;
1281                 break;
1282         case SECURITY_FS_USE_MNTPOINT:
1283                 isec->sid = sbsec->mntpoint_sid;
1284                 break;
1285         default:
1286                 /* Default to the fs superblock SID. */
1287                 isec->sid = sbsec->sid;
1288
1289                 if (sbsec->proc) {
1290                         struct proc_inode *proci = PROC_I(inode);
1291                         if (proci->pde) {
1292                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1293                                 rc = selinux_proc_get_sid(proci->pde,
1294                                                           isec->sclass,
1295                                                           &sid);
1296                                 if (rc)
1297                                         goto out_unlock;
1298                                 isec->sid = sid;
1299                         }
1300                 }
1301                 break;
1302         }
1303
1304         isec->initialized = 1;
1305
1306 out_unlock:
1307         mutex_unlock(&isec->lock);
1308 out:
1309         if (isec->sclass == SECCLASS_FILE)
1310                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1311         return rc;
1312 }
1313
1314 /* Convert a Linux signal to an access vector. */
1315 static inline u32 signal_to_av(int sig)
1316 {
1317         u32 perm = 0;
1318
1319         switch (sig) {
1320         case SIGCHLD:
1321                 /* Commonly granted from child to parent. */
1322                 perm = PROCESS__SIGCHLD;
1323                 break;
1324         case SIGKILL:
1325                 /* Cannot be caught or ignored */
1326                 perm = PROCESS__SIGKILL;
1327                 break;
1328         case SIGSTOP:
1329                 /* Cannot be caught or ignored */
1330                 perm = PROCESS__SIGSTOP;
1331                 break;
1332         default:
1333                 /* All other signals. */
1334                 perm = PROCESS__SIGNAL;
1335                 break;
1336         }
1337
1338         return perm;
1339 }
1340
1341 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1342    fork check, ptrace check, etc. */
1343 static int task_has_perm(struct task_struct *tsk1,
1344                          struct task_struct *tsk2,
1345                          u32 perms)
1346 {
1347         struct task_security_struct *tsec1, *tsec2;
1348
1349         tsec1 = tsk1->security;
1350         tsec2 = tsk2->security;
1351         return avc_has_perm(tsec1->sid, tsec2->sid,
1352                             SECCLASS_PROCESS, perms, NULL);
1353 }
1354
1355 #if CAP_LAST_CAP > 63
1356 #error Fix SELinux to handle capabilities > 63.
1357 #endif
1358
1359 /* Check whether a task is allowed to use a capability. */
1360 static int task_has_capability(struct task_struct *tsk,
1361                                int cap)
1362 {
1363         struct task_security_struct *tsec;
1364         struct avc_audit_data ad;
1365         u16 sclass;
1366         u32 av = CAP_TO_MASK(cap);
1367
1368         tsec = tsk->security;
1369
1370         AVC_AUDIT_DATA_INIT(&ad, CAP);
1371         ad.tsk = tsk;
1372         ad.u.cap = cap;
1373
1374         switch (CAP_TO_INDEX(cap)) {
1375         case 0:
1376                 sclass = SECCLASS_CAPABILITY;
1377                 break;
1378         case 1:
1379                 sclass = SECCLASS_CAPABILITY2;
1380                 break;
1381         default:
1382                 printk(KERN_ERR
1383                        "SELinux:  out of range capability %d\n", cap);
1384                 BUG();
1385         }
1386         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1387 }
1388
1389 /* Check whether a task is allowed to use a system operation. */
1390 static int task_has_system(struct task_struct *tsk,
1391                            u32 perms)
1392 {
1393         struct task_security_struct *tsec;
1394
1395         tsec = tsk->security;
1396
1397         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1398                             SECCLASS_SYSTEM, perms, NULL);
1399 }
1400
1401 /* Check whether a task has a particular permission to an inode.
1402    The 'adp' parameter is optional and allows other audit
1403    data to be passed (e.g. the dentry). */
1404 static int inode_has_perm(struct task_struct *tsk,
1405                           struct inode *inode,
1406                           u32 perms,
1407                           struct avc_audit_data *adp)
1408 {
1409         struct task_security_struct *tsec;
1410         struct inode_security_struct *isec;
1411         struct avc_audit_data ad;
1412
1413         if (unlikely(IS_PRIVATE(inode)))
1414                 return 0;
1415
1416         tsec = tsk->security;
1417         isec = inode->i_security;
1418
1419         if (!adp) {
1420                 adp = &ad;
1421                 AVC_AUDIT_DATA_INIT(&ad, FS);
1422                 ad.u.fs.inode = inode;
1423         }
1424
1425         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1426 }
1427
1428 /* Same as inode_has_perm, but pass explicit audit data containing
1429    the dentry to help the auditing code to more easily generate the
1430    pathname if needed. */
1431 static inline int dentry_has_perm(struct task_struct *tsk,
1432                                   struct vfsmount *mnt,
1433                                   struct dentry *dentry,
1434                                   u32 av)
1435 {
1436         struct inode *inode = dentry->d_inode;
1437         struct avc_audit_data ad;
1438         AVC_AUDIT_DATA_INIT(&ad, FS);
1439         ad.u.fs.path.mnt = mnt;
1440         ad.u.fs.path.dentry = dentry;
1441         return inode_has_perm(tsk, inode, av, &ad);
1442 }
1443
1444 /* Check whether a task can use an open file descriptor to
1445    access an inode in a given way.  Check access to the
1446    descriptor itself, and then use dentry_has_perm to
1447    check a particular permission to the file.
1448    Access to the descriptor is implicitly granted if it
1449    has the same SID as the process.  If av is zero, then
1450    access to the file is not checked, e.g. for cases
1451    where only the descriptor is affected like seek. */
1452 static int file_has_perm(struct task_struct *tsk,
1453                                 struct file *file,
1454                                 u32 av)
1455 {
1456         struct task_security_struct *tsec = tsk->security;
1457         struct file_security_struct *fsec = file->f_security;
1458         struct inode *inode = file->f_path.dentry->d_inode;
1459         struct avc_audit_data ad;
1460         int rc;
1461
1462         AVC_AUDIT_DATA_INIT(&ad, FS);
1463         ad.u.fs.path = file->f_path;
1464
1465         if (tsec->sid != fsec->sid) {
1466                 rc = avc_has_perm(tsec->sid, fsec->sid,
1467                                   SECCLASS_FD,
1468                                   FD__USE,
1469                                   &ad);
1470                 if (rc)
1471                         return rc;
1472         }
1473
1474         /* av is zero if only checking access to the descriptor. */
1475         if (av)
1476                 return inode_has_perm(tsk, inode, av, &ad);
1477
1478         return 0;
1479 }
1480
1481 /* Check whether a task can create a file. */
1482 static int may_create(struct inode *dir,
1483                       struct dentry *dentry,
1484                       u16 tclass)
1485 {
1486         struct task_security_struct *tsec;
1487         struct inode_security_struct *dsec;
1488         struct superblock_security_struct *sbsec;
1489         u32 newsid;
1490         struct avc_audit_data ad;
1491         int rc;
1492
1493         tsec = current->security;
1494         dsec = dir->i_security;
1495         sbsec = dir->i_sb->s_security;
1496
1497         AVC_AUDIT_DATA_INIT(&ad, FS);
1498         ad.u.fs.path.dentry = dentry;
1499
1500         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1501                           DIR__ADD_NAME | DIR__SEARCH,
1502                           &ad);
1503         if (rc)
1504                 return rc;
1505
1506         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1507                 newsid = tsec->create_sid;
1508         } else {
1509                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1510                                              &newsid);
1511                 if (rc)
1512                         return rc;
1513         }
1514
1515         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1516         if (rc)
1517                 return rc;
1518
1519         return avc_has_perm(newsid, sbsec->sid,
1520                             SECCLASS_FILESYSTEM,
1521                             FILESYSTEM__ASSOCIATE, &ad);
1522 }
1523
1524 /* Check whether a task can create a key. */
1525 static int may_create_key(u32 ksid,
1526                           struct task_struct *ctx)
1527 {
1528         struct task_security_struct *tsec;
1529
1530         tsec = ctx->security;
1531
1532         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1533 }
1534
1535 #define MAY_LINK        0
1536 #define MAY_UNLINK      1
1537 #define MAY_RMDIR       2
1538
1539 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1540 static int may_link(struct inode *dir,
1541                     struct dentry *dentry,
1542                     int kind)
1543
1544 {
1545         struct task_security_struct *tsec;
1546         struct inode_security_struct *dsec, *isec;
1547         struct avc_audit_data ad;
1548         u32 av;
1549         int rc;
1550
1551         tsec = current->security;
1552         dsec = dir->i_security;
1553         isec = dentry->d_inode->i_security;
1554
1555         AVC_AUDIT_DATA_INIT(&ad, FS);
1556         ad.u.fs.path.dentry = dentry;
1557
1558         av = DIR__SEARCH;
1559         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1560         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563
1564         switch (kind) {
1565         case MAY_LINK:
1566                 av = FILE__LINK;
1567                 break;
1568         case MAY_UNLINK:
1569                 av = FILE__UNLINK;
1570                 break;
1571         case MAY_RMDIR:
1572                 av = DIR__RMDIR;
1573                 break;
1574         default:
1575                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1576                         __func__, kind);
1577                 return 0;
1578         }
1579
1580         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1581         return rc;
1582 }
1583
1584 static inline int may_rename(struct inode *old_dir,
1585                              struct dentry *old_dentry,
1586                              struct inode *new_dir,
1587                              struct dentry *new_dentry)
1588 {
1589         struct task_security_struct *tsec;
1590         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1591         struct avc_audit_data ad;
1592         u32 av;
1593         int old_is_dir, new_is_dir;
1594         int rc;
1595
1596         tsec = current->security;
1597         old_dsec = old_dir->i_security;
1598         old_isec = old_dentry->d_inode->i_security;
1599         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1600         new_dsec = new_dir->i_security;
1601
1602         AVC_AUDIT_DATA_INIT(&ad, FS);
1603
1604         ad.u.fs.path.dentry = old_dentry;
1605         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1606                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1607         if (rc)
1608                 return rc;
1609         rc = avc_has_perm(tsec->sid, old_isec->sid,
1610                           old_isec->sclass, FILE__RENAME, &ad);
1611         if (rc)
1612                 return rc;
1613         if (old_is_dir && new_dir != old_dir) {
1614                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1615                                   old_isec->sclass, DIR__REPARENT, &ad);
1616                 if (rc)
1617                         return rc;
1618         }
1619
1620         ad.u.fs.path.dentry = new_dentry;
1621         av = DIR__ADD_NAME | DIR__SEARCH;
1622         if (new_dentry->d_inode)
1623                 av |= DIR__REMOVE_NAME;
1624         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1625         if (rc)
1626                 return rc;
1627         if (new_dentry->d_inode) {
1628                 new_isec = new_dentry->d_inode->i_security;
1629                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1630                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1631                                   new_isec->sclass,
1632                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1633                 if (rc)
1634                         return rc;
1635         }
1636
1637         return 0;
1638 }
1639
1640 /* Check whether a task can perform a filesystem operation. */
1641 static int superblock_has_perm(struct task_struct *tsk,
1642                                struct super_block *sb,
1643                                u32 perms,
1644                                struct avc_audit_data *ad)
1645 {
1646         struct task_security_struct *tsec;
1647         struct superblock_security_struct *sbsec;
1648
1649         tsec = tsk->security;
1650         sbsec = sb->s_security;
1651         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1652                             perms, ad);
1653 }
1654
1655 /* Convert a Linux mode and permission mask to an access vector. */
1656 static inline u32 file_mask_to_av(int mode, int mask)
1657 {
1658         u32 av = 0;
1659
1660         if ((mode & S_IFMT) != S_IFDIR) {
1661                 if (mask & MAY_EXEC)
1662                         av |= FILE__EXECUTE;
1663                 if (mask & MAY_READ)
1664                         av |= FILE__READ;
1665
1666                 if (mask & MAY_APPEND)
1667                         av |= FILE__APPEND;
1668                 else if (mask & MAY_WRITE)
1669                         av |= FILE__WRITE;
1670
1671         } else {
1672                 if (mask & MAY_EXEC)
1673                         av |= DIR__SEARCH;
1674                 if (mask & MAY_WRITE)
1675                         av |= DIR__WRITE;
1676                 if (mask & MAY_READ)
1677                         av |= DIR__READ;
1678         }
1679
1680         return av;
1681 }
1682
1683 /*
1684  * Convert a file mask to an access vector and include the correct open
1685  * open permission.
1686  */
1687 static inline u32 open_file_mask_to_av(int mode, int mask)
1688 {
1689         u32 av = file_mask_to_av(mode, mask);
1690
1691         if (selinux_policycap_openperm) {
1692                 /*
1693                  * lnk files and socks do not really have an 'open'
1694                  */
1695                 if (S_ISREG(mode))
1696                         av |= FILE__OPEN;
1697                 else if (S_ISCHR(mode))
1698                         av |= CHR_FILE__OPEN;
1699                 else if (S_ISBLK(mode))
1700                         av |= BLK_FILE__OPEN;
1701                 else if (S_ISFIFO(mode))
1702                         av |= FIFO_FILE__OPEN;
1703                 else if (S_ISDIR(mode))
1704                         av |= DIR__OPEN;
1705                 else
1706                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1707                                 "unknown mode:%x\n", __func__, mode);
1708         }
1709         return av;
1710 }
1711
1712 /* Convert a Linux file to an access vector. */
1713 static inline u32 file_to_av(struct file *file)
1714 {
1715         u32 av = 0;
1716
1717         if (file->f_mode & FMODE_READ)
1718                 av |= FILE__READ;
1719         if (file->f_mode & FMODE_WRITE) {
1720                 if (file->f_flags & O_APPEND)
1721                         av |= FILE__APPEND;
1722                 else
1723                         av |= FILE__WRITE;
1724         }
1725         if (!av) {
1726                 /*
1727                  * Special file opened with flags 3 for ioctl-only use.
1728                  */
1729                 av = FILE__IOCTL;
1730         }
1731
1732         return av;
1733 }
1734
1735 /* Hook functions begin here. */
1736
1737 static int selinux_ptrace(struct task_struct *parent,
1738                           struct task_struct *child,
1739                           unsigned int mode)
1740 {
1741         int rc;
1742
1743         rc = secondary_ops->ptrace(parent, child, mode);
1744         if (rc)
1745                 return rc;
1746
1747         if (mode == PTRACE_MODE_READ) {
1748                 struct task_security_struct *tsec = parent->security;
1749                 struct task_security_struct *csec = child->security;
1750                 return avc_has_perm(tsec->sid, csec->sid,
1751                                     SECCLASS_FILE, FILE__READ, NULL);
1752         }
1753
1754         return task_has_perm(parent, child, PROCESS__PTRACE);
1755 }
1756
1757 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1758                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1759 {
1760         int error;
1761
1762         error = task_has_perm(current, target, PROCESS__GETCAP);
1763         if (error)
1764                 return error;
1765
1766         return secondary_ops->capget(target, effective, inheritable, permitted);
1767 }
1768
1769 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1770                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1771 {
1772         int error;
1773
1774         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1775         if (error)
1776                 return error;
1777
1778         return task_has_perm(current, target, PROCESS__SETCAP);
1779 }
1780
1781 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1782                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1783 {
1784         secondary_ops->capset_set(target, effective, inheritable, permitted);
1785 }
1786
1787 static int selinux_capable(struct task_struct *tsk, int cap)
1788 {
1789         int rc;
1790
1791         rc = secondary_ops->capable(tsk, cap);
1792         if (rc)
1793                 return rc;
1794
1795         return task_has_capability(tsk, cap);
1796 }
1797
1798 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1799 {
1800         int buflen, rc;
1801         char *buffer, *path, *end;
1802
1803         rc = -ENOMEM;
1804         buffer = (char *)__get_free_page(GFP_KERNEL);
1805         if (!buffer)
1806                 goto out;
1807
1808         buflen = PAGE_SIZE;
1809         end = buffer+buflen;
1810         *--end = '\0';
1811         buflen--;
1812         path = end-1;
1813         *path = '/';
1814         while (table) {
1815                 const char *name = table->procname;
1816                 size_t namelen = strlen(name);
1817                 buflen -= namelen + 1;
1818                 if (buflen < 0)
1819                         goto out_free;
1820                 end -= namelen;
1821                 memcpy(end, name, namelen);
1822                 *--end = '/';
1823                 path = end;
1824                 table = table->parent;
1825         }
1826         buflen -= 4;
1827         if (buflen < 0)
1828                 goto out_free;
1829         end -= 4;
1830         memcpy(end, "/sys", 4);
1831         path = end;
1832         rc = security_genfs_sid("proc", path, tclass, sid);
1833 out_free:
1834         free_page((unsigned long)buffer);
1835 out:
1836         return rc;
1837 }
1838
1839 static int selinux_sysctl(ctl_table *table, int op)
1840 {
1841         int error = 0;
1842         u32 av;
1843         struct task_security_struct *tsec;
1844         u32 tsid;
1845         int rc;
1846
1847         rc = secondary_ops->sysctl(table, op);
1848         if (rc)
1849                 return rc;
1850
1851         tsec = current->security;
1852
1853         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1854                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1855         if (rc) {
1856                 /* Default to the well-defined sysctl SID. */
1857                 tsid = SECINITSID_SYSCTL;
1858         }
1859
1860         /* The op values are "defined" in sysctl.c, thereby creating
1861          * a bad coupling between this module and sysctl.c */
1862         if (op == 001) {
1863                 error = avc_has_perm(tsec->sid, tsid,
1864                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1865         } else {
1866                 av = 0;
1867                 if (op & 004)
1868                         av |= FILE__READ;
1869                 if (op & 002)
1870                         av |= FILE__WRITE;
1871                 if (av)
1872                         error = avc_has_perm(tsec->sid, tsid,
1873                                              SECCLASS_FILE, av, NULL);
1874         }
1875
1876         return error;
1877 }
1878
1879 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1880 {
1881         int rc = 0;
1882
1883         if (!sb)
1884                 return 0;
1885
1886         switch (cmds) {
1887         case Q_SYNC:
1888         case Q_QUOTAON:
1889         case Q_QUOTAOFF:
1890         case Q_SETINFO:
1891         case Q_SETQUOTA:
1892                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1893                                          NULL);
1894                 break;
1895         case Q_GETFMT:
1896         case Q_GETINFO:
1897         case Q_GETQUOTA:
1898                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1899                                          NULL);
1900                 break;
1901         default:
1902                 rc = 0;  /* let the kernel handle invalid cmds */
1903                 break;
1904         }
1905         return rc;
1906 }
1907
1908 static int selinux_quota_on(struct dentry *dentry)
1909 {
1910         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1911 }
1912
1913 static int selinux_syslog(int type)
1914 {
1915         int rc;
1916
1917         rc = secondary_ops->syslog(type);
1918         if (rc)
1919                 return rc;
1920
1921         switch (type) {
1922         case 3:         /* Read last kernel messages */
1923         case 10:        /* Return size of the log buffer */
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925                 break;
1926         case 6:         /* Disable logging to console */
1927         case 7:         /* Enable logging to console */
1928         case 8:         /* Set level of messages printed to console */
1929                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1930                 break;
1931         case 0:         /* Close log */
1932         case 1:         /* Open log */
1933         case 2:         /* Read from log */
1934         case 4:         /* Read/clear last kernel messages */
1935         case 5:         /* Clear ring buffer */
1936         default:
1937                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1938                 break;
1939         }
1940         return rc;
1941 }
1942
1943 /*
1944  * Check that a process has enough memory to allocate a new virtual
1945  * mapping. 0 means there is enough memory for the allocation to
1946  * succeed and -ENOMEM implies there is not.
1947  *
1948  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1949  * if the capability is granted, but __vm_enough_memory requires 1 if
1950  * the capability is granted.
1951  *
1952  * Do not audit the selinux permission check, as this is applied to all
1953  * processes that allocate mappings.
1954  */
1955 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1956 {
1957         int rc, cap_sys_admin = 0;
1958         struct task_security_struct *tsec = current->security;
1959
1960         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1961         if (rc == 0)
1962                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1963                                           SECCLASS_CAPABILITY,
1964                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1965                                           0,
1966                                           NULL);
1967
1968         if (rc == 0)
1969                 cap_sys_admin = 1;
1970
1971         return __vm_enough_memory(mm, pages, cap_sys_admin);
1972 }
1973
1974 /**
1975  * task_tracer_task - return the task that is tracing the given task
1976  * @task:               task to consider
1977  *
1978  * Returns NULL if noone is tracing @task, or the &struct task_struct
1979  * pointer to its tracer.
1980  *
1981  * Must be called under rcu_read_lock().
1982  */
1983 static struct task_struct *task_tracer_task(struct task_struct *task)
1984 {
1985         if (task->ptrace & PT_PTRACED)
1986                 return rcu_dereference(task->parent);
1987         return NULL;
1988 }
1989
1990 /* binprm security operations */
1991
1992 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1993 {
1994         struct bprm_security_struct *bsec;
1995
1996         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1997         if (!bsec)
1998                 return -ENOMEM;
1999
2000         bsec->sid = SECINITSID_UNLABELED;
2001         bsec->set = 0;
2002
2003         bprm->security = bsec;
2004         return 0;
2005 }
2006
2007 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2008 {
2009         struct task_security_struct *tsec;
2010         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2011         struct inode_security_struct *isec;
2012         struct bprm_security_struct *bsec;
2013         u32 newsid;
2014         struct avc_audit_data ad;
2015         int rc;
2016
2017         rc = secondary_ops->bprm_set_security(bprm);
2018         if (rc)
2019                 return rc;
2020
2021         bsec = bprm->security;
2022
2023         if (bsec->set)
2024                 return 0;
2025
2026         tsec = current->security;
2027         isec = inode->i_security;
2028
2029         /* Default to the current task SID. */
2030         bsec->sid = tsec->sid;
2031
2032         /* Reset fs, key, and sock SIDs on execve. */
2033         tsec->create_sid = 0;
2034         tsec->keycreate_sid = 0;
2035         tsec->sockcreate_sid = 0;
2036
2037         if (tsec->exec_sid) {
2038                 newsid = tsec->exec_sid;
2039                 /* Reset exec SID on execve. */
2040                 tsec->exec_sid = 0;
2041         } else {
2042                 /* Check for a default transition on this program. */
2043                 rc = security_transition_sid(tsec->sid, isec->sid,
2044                                              SECCLASS_PROCESS, &newsid);
2045                 if (rc)
2046                         return rc;
2047         }
2048
2049         AVC_AUDIT_DATA_INIT(&ad, FS);
2050         ad.u.fs.path = bprm->file->f_path;
2051
2052         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2053                 newsid = tsec->sid;
2054
2055         if (tsec->sid == newsid) {
2056                 rc = avc_has_perm(tsec->sid, isec->sid,
2057                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2058                 if (rc)
2059                         return rc;
2060         } else {
2061                 /* Check permissions for the transition. */
2062                 rc = avc_has_perm(tsec->sid, newsid,
2063                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2064                 if (rc)
2065                         return rc;
2066
2067                 rc = avc_has_perm(newsid, isec->sid,
2068                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2069                 if (rc)
2070                         return rc;
2071
2072                 /* Clear any possibly unsafe personality bits on exec: */
2073                 current->personality &= ~PER_CLEAR_ON_SETID;
2074
2075                 /* Set the security field to the new SID. */
2076                 bsec->sid = newsid;
2077         }
2078
2079         bsec->set = 1;
2080         return 0;
2081 }
2082
2083 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2084 {
2085         return secondary_ops->bprm_check_security(bprm);
2086 }
2087
2088
2089 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2090 {
2091         struct task_security_struct *tsec = current->security;
2092         int atsecure = 0;
2093
2094         if (tsec->osid != tsec->sid) {
2095                 /* Enable secure mode for SIDs transitions unless
2096                    the noatsecure permission is granted between
2097                    the two SIDs, i.e. ahp returns 0. */
2098                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2099                                          SECCLASS_PROCESS,
2100                                          PROCESS__NOATSECURE, NULL);
2101         }
2102
2103         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2104 }
2105
2106 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2107 {
2108         kfree(bprm->security);
2109         bprm->security = NULL;
2110 }
2111
2112 extern struct vfsmount *selinuxfs_mount;
2113 extern struct dentry *selinux_null;
2114
2115 /* Derived from fs/exec.c:flush_old_files. */
2116 static inline void flush_unauthorized_files(struct files_struct *files)
2117 {
2118         struct avc_audit_data ad;
2119         struct file *file, *devnull = NULL;
2120         struct tty_struct *tty;
2121         struct fdtable *fdt;
2122         long j = -1;
2123         int drop_tty = 0;
2124
2125         mutex_lock(&tty_mutex);
2126         tty = get_current_tty();
2127         if (tty) {
2128                 file_list_lock();
2129                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2130                 if (file) {
2131                         /* Revalidate access to controlling tty.
2132                            Use inode_has_perm on the tty inode directly rather
2133                            than using file_has_perm, as this particular open
2134                            file may belong to another process and we are only
2135                            interested in the inode-based check here. */
2136                         struct inode *inode = file->f_path.dentry->d_inode;
2137                         if (inode_has_perm(current, inode,
2138                                            FILE__READ | FILE__WRITE, NULL)) {
2139                                 drop_tty = 1;
2140                         }
2141                 }
2142                 file_list_unlock();
2143         }
2144         mutex_unlock(&tty_mutex);
2145         /* Reset controlling tty. */
2146         if (drop_tty)
2147                 no_tty();
2148
2149         /* Revalidate access to inherited open files. */
2150
2151         AVC_AUDIT_DATA_INIT(&ad, FS);
2152
2153         spin_lock(&files->file_lock);
2154         for (;;) {
2155                 unsigned long set, i;
2156                 int fd;
2157
2158                 j++;
2159                 i = j * __NFDBITS;
2160                 fdt = files_fdtable(files);
2161                 if (i >= fdt->max_fds)
2162                         break;
2163                 set = fdt->open_fds->fds_bits[j];
2164                 if (!set)
2165                         continue;
2166                 spin_unlock(&files->file_lock);
2167                 for ( ; set ; i++, set >>= 1) {
2168                         if (set & 1) {
2169                                 file = fget(i);
2170                                 if (!file)
2171                                         continue;
2172                                 if (file_has_perm(current,
2173                                                   file,
2174                                                   file_to_av(file))) {
2175                                         sys_close(i);
2176                                         fd = get_unused_fd();
2177                                         if (fd != i) {
2178                                                 if (fd >= 0)
2179                                                         put_unused_fd(fd);
2180                                                 fput(file);
2181                                                 continue;
2182                                         }
2183                                         if (devnull) {
2184                                                 get_file(devnull);
2185                                         } else {
2186                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2187                                                 if (IS_ERR(devnull)) {
2188                                                         devnull = NULL;
2189                                                         put_unused_fd(fd);
2190                                                         fput(file);
2191                                                         continue;
2192                                                 }
2193                                         }
2194                                         fd_install(fd, devnull);
2195                                 }
2196                                 fput(file);
2197                         }
2198                 }
2199                 spin_lock(&files->file_lock);
2200
2201         }
2202         spin_unlock(&files->file_lock);
2203 }
2204
2205 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2206 {
2207         struct task_security_struct *tsec;
2208         struct bprm_security_struct *bsec;
2209         u32 sid;
2210         int rc;
2211
2212         secondary_ops->bprm_apply_creds(bprm, unsafe);
2213
2214         tsec = current->security;
2215
2216         bsec = bprm->security;
2217         sid = bsec->sid;
2218
2219         tsec->osid = tsec->sid;
2220         bsec->unsafe = 0;
2221         if (tsec->sid != sid) {
2222                 /* Check for shared state.  If not ok, leave SID
2223                    unchanged and kill. */
2224                 if (unsafe & LSM_UNSAFE_SHARE) {
2225                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2226                                         PROCESS__SHARE, NULL);
2227                         if (rc) {
2228                                 bsec->unsafe = 1;
2229                                 return;
2230                         }
2231                 }
2232
2233                 /* Check for ptracing, and update the task SID if ok.
2234                    Otherwise, leave SID unchanged and kill. */
2235                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2236                         struct task_struct *tracer;
2237                         struct task_security_struct *sec;
2238                         u32 ptsid = 0;
2239
2240                         rcu_read_lock();
2241                         tracer = task_tracer_task(current);
2242                         if (likely(tracer != NULL)) {
2243                                 sec = tracer->security;
2244                                 ptsid = sec->sid;
2245                         }
2246                         rcu_read_unlock();
2247
2248                         if (ptsid != 0) {
2249                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2250                                                   PROCESS__PTRACE, NULL);
2251                                 if (rc) {
2252                                         bsec->unsafe = 1;
2253                                         return;
2254                                 }
2255                         }
2256                 }
2257                 tsec->sid = sid;
2258         }
2259 }
2260
2261 /*
2262  * called after apply_creds without the task lock held
2263  */
2264 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2265 {
2266         struct task_security_struct *tsec;
2267         struct rlimit *rlim, *initrlim;
2268         struct itimerval itimer;
2269         struct bprm_security_struct *bsec;
2270         int rc, i;
2271
2272         tsec = current->security;
2273         bsec = bprm->security;
2274
2275         if (bsec->unsafe) {
2276                 force_sig_specific(SIGKILL, current);
2277                 return;
2278         }
2279         if (tsec->osid == tsec->sid)
2280                 return;
2281
2282         /* Close files for which the new task SID is not authorized. */
2283         flush_unauthorized_files(current->files);
2284
2285         /* Check whether the new SID can inherit signal state
2286            from the old SID.  If not, clear itimers to avoid
2287            subsequent signal generation and flush and unblock
2288            signals. This must occur _after_ the task SID has
2289           been updated so that any kill done after the flush
2290           will be checked against the new SID. */
2291         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2292                           PROCESS__SIGINH, NULL);
2293         if (rc) {
2294                 memset(&itimer, 0, sizeof itimer);
2295                 for (i = 0; i < 3; i++)
2296                         do_setitimer(i, &itimer, NULL);
2297                 flush_signals(current);
2298                 spin_lock_irq(&current->sighand->siglock);
2299                 flush_signal_handlers(current, 1);
2300                 sigemptyset(&current->blocked);
2301                 recalc_sigpending();
2302                 spin_unlock_irq(&current->sighand->siglock);
2303         }
2304
2305         /* Always clear parent death signal on SID transitions. */
2306         current->pdeath_signal = 0;
2307
2308         /* Check whether the new SID can inherit resource limits
2309            from the old SID.  If not, reset all soft limits to
2310            the lower of the current task's hard limit and the init
2311            task's soft limit.  Note that the setting of hard limits
2312            (even to lower them) can be controlled by the setrlimit
2313            check. The inclusion of the init task's soft limit into
2314            the computation is to avoid resetting soft limits higher
2315            than the default soft limit for cases where the default
2316            is lower than the hard limit, e.g. RLIMIT_CORE or
2317            RLIMIT_STACK.*/
2318         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2319                           PROCESS__RLIMITINH, NULL);
2320         if (rc) {
2321                 for (i = 0; i < RLIM_NLIMITS; i++) {
2322                         rlim = current->signal->rlim + i;
2323                         initrlim = init_task.signal->rlim+i;
2324                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2325                 }
2326                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2327                         /*
2328                          * This will cause RLIMIT_CPU calculations
2329                          * to be refigured.
2330                          */
2331                         current->it_prof_expires = jiffies_to_cputime(1);
2332                 }
2333         }
2334
2335         /* Wake up the parent if it is waiting so that it can
2336            recheck wait permission to the new task SID. */
2337         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2338 }
2339
2340 /* superblock security operations */
2341
2342 static int selinux_sb_alloc_security(struct super_block *sb)
2343 {
2344         return superblock_alloc_security(sb);
2345 }
2346
2347 static void selinux_sb_free_security(struct super_block *sb)
2348 {
2349         superblock_free_security(sb);
2350 }
2351
2352 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2353 {
2354         if (plen > olen)
2355                 return 0;
2356
2357         return !memcmp(prefix, option, plen);
2358 }
2359
2360 static inline int selinux_option(char *option, int len)
2361 {
2362         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2363                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2364                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2365                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2366 }
2367
2368 static inline void take_option(char **to, char *from, int *first, int len)
2369 {
2370         if (!*first) {
2371                 **to = ',';
2372                 *to += 1;
2373         } else
2374                 *first = 0;
2375         memcpy(*to, from, len);
2376         *to += len;
2377 }
2378
2379 static inline void take_selinux_option(char **to, char *from, int *first,
2380                                        int len)
2381 {
2382         int current_size = 0;
2383
2384         if (!*first) {
2385                 **to = '|';
2386                 *to += 1;
2387         } else
2388                 *first = 0;
2389
2390         while (current_size < len) {
2391                 if (*from != '"') {
2392                         **to = *from;
2393                         *to += 1;
2394                 }
2395                 from += 1;
2396                 current_size += 1;
2397         }
2398 }
2399
2400 static int selinux_sb_copy_data(char *orig, char *copy)
2401 {
2402         int fnosec, fsec, rc = 0;
2403         char *in_save, *in_curr, *in_end;
2404         char *sec_curr, *nosec_save, *nosec;
2405         int open_quote = 0;
2406
2407         in_curr = orig;
2408         sec_curr = copy;
2409
2410         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2411         if (!nosec) {
2412                 rc = -ENOMEM;
2413                 goto out;
2414         }
2415
2416         nosec_save = nosec;
2417         fnosec = fsec = 1;
2418         in_save = in_end = orig;
2419
2420         do {
2421                 if (*in_end == '"')
2422                         open_quote = !open_quote;
2423                 if ((*in_end == ',' && open_quote == 0) ||
2424                                 *in_end == '\0') {
2425                         int len = in_end - in_curr;
2426
2427                         if (selinux_option(in_curr, len))
2428                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2429                         else
2430                                 take_option(&nosec, in_curr, &fnosec, len);
2431
2432                         in_curr = in_end + 1;
2433                 }
2434         } while (*in_end++);
2435
2436         strcpy(in_save, nosec_save);
2437         free_page((unsigned long)nosec_save);
2438 out:
2439         return rc;
2440 }
2441
2442 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2443 {
2444         struct avc_audit_data ad;
2445         int rc;
2446
2447         rc = superblock_doinit(sb, data);
2448         if (rc)
2449                 return rc;
2450
2451         AVC_AUDIT_DATA_INIT(&ad, FS);
2452         ad.u.fs.path.dentry = sb->s_root;
2453         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2454 }
2455
2456 static int selinux_sb_statfs(struct dentry *dentry)
2457 {
2458         struct avc_audit_data ad;
2459
2460         AVC_AUDIT_DATA_INIT(&ad, FS);
2461         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2462         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2463 }
2464
2465 static int selinux_mount(char *dev_name,
2466                          struct path *path,
2467                          char *type,
2468                          unsigned long flags,
2469                          void *data)
2470 {
2471         int rc;
2472
2473         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2474         if (rc)
2475                 return rc;
2476
2477         if (flags & MS_REMOUNT)
2478                 return superblock_has_perm(current, path->mnt->mnt_sb,
2479                                            FILESYSTEM__REMOUNT, NULL);
2480         else
2481                 return dentry_has_perm(current, path->mnt, path->dentry,
2482                                        FILE__MOUNTON);
2483 }
2484
2485 static int selinux_umount(struct vfsmount *mnt, int flags)
2486 {
2487         int rc;
2488
2489         rc = secondary_ops->sb_umount(mnt, flags);
2490         if (rc)
2491                 return rc;
2492
2493         return superblock_has_perm(current, mnt->mnt_sb,
2494                                    FILESYSTEM__UNMOUNT, NULL);
2495 }
2496
2497 /* inode security operations */
2498
2499 static int selinux_inode_alloc_security(struct inode *inode)
2500 {
2501         return inode_alloc_security(inode);
2502 }
2503
2504 static void selinux_inode_free_security(struct inode *inode)
2505 {
2506         inode_free_security(inode);
2507 }
2508
2509 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2510                                        char **name, void **value,
2511                                        size_t *len)
2512 {
2513         struct task_security_struct *tsec;
2514         struct inode_security_struct *dsec;
2515         struct superblock_security_struct *sbsec;
2516         u32 newsid, clen;
2517         int rc;
2518         char *namep = NULL, *context;
2519
2520         tsec = current->security;
2521         dsec = dir->i_security;
2522         sbsec = dir->i_sb->s_security;
2523
2524         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2525                 newsid = tsec->create_sid;
2526         } else {
2527                 rc = security_transition_sid(tsec->sid, dsec->sid,
2528                                              inode_mode_to_security_class(inode->i_mode),
2529                                              &newsid);
2530                 if (rc) {
2531                         printk(KERN_WARNING "%s:  "
2532                                "security_transition_sid failed, rc=%d (dev=%s "
2533                                "ino=%ld)\n",
2534                                __func__,
2535                                -rc, inode->i_sb->s_id, inode->i_ino);
2536                         return rc;
2537                 }
2538         }
2539
2540         /* Possibly defer initialization to selinux_complete_init. */
2541         if (sbsec->initialized) {
2542                 struct inode_security_struct *isec = inode->i_security;
2543                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2544                 isec->sid = newsid;
2545                 isec->initialized = 1;
2546         }
2547
2548         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2549                 return -EOPNOTSUPP;
2550
2551         if (name) {
2552                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2553                 if (!namep)
2554                         return -ENOMEM;
2555                 *name = namep;
2556         }
2557
2558         if (value && len) {
2559                 rc = security_sid_to_context_force(newsid, &context, &clen);
2560                 if (rc) {
2561                         kfree(namep);
2562                         return rc;
2563                 }
2564                 *value = context;
2565                 *len = clen;
2566         }
2567
2568         return 0;
2569 }
2570
2571 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2572 {
2573         return may_create(dir, dentry, SECCLASS_FILE);
2574 }
2575
2576 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2577 {
2578         int rc;
2579
2580         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2581         if (rc)
2582                 return rc;
2583         return may_link(dir, old_dentry, MAY_LINK);
2584 }
2585
2586 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2587 {
2588         int rc;
2589
2590         rc = secondary_ops->inode_unlink(dir, dentry);
2591         if (rc)
2592                 return rc;
2593         return may_link(dir, dentry, MAY_UNLINK);
2594 }
2595
2596 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2597 {
2598         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2599 }
2600
2601 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2602 {
2603         return may_create(dir, dentry, SECCLASS_DIR);
2604 }
2605
2606 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2607 {
2608         return may_link(dir, dentry, MAY_RMDIR);
2609 }
2610
2611 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2612 {
2613         int rc;
2614
2615         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2616         if (rc)
2617                 return rc;
2618
2619         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2620 }
2621
2622 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2623                                 struct inode *new_inode, struct dentry *new_dentry)
2624 {
2625         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2626 }
2627
2628 static int selinux_inode_readlink(struct dentry *dentry)
2629 {
2630         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2631 }
2632
2633 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2634 {
2635         int rc;
2636
2637         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2638         if (rc)
2639                 return rc;
2640         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2641 }
2642
2643 static int selinux_inode_permission(struct inode *inode, int mask,
2644                                     struct nameidata *nd)
2645 {
2646         int rc;
2647
2648         rc = secondary_ops->inode_permission(inode, mask, nd);
2649         if (rc)
2650                 return rc;
2651
2652         if (!mask) {
2653                 /* No permission to check.  Existence test. */
2654                 return 0;
2655         }
2656
2657         return inode_has_perm(current, inode,
2658                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2659 }
2660
2661 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2662 {
2663         int rc;
2664
2665         rc = secondary_ops->inode_setattr(dentry, iattr);
2666         if (rc)
2667                 return rc;
2668
2669         if (iattr->ia_valid & ATTR_FORCE)
2670                 return 0;
2671
2672         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2673                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2674                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2675
2676         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2677 }
2678
2679 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2680 {
2681         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2682 }
2683
2684 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2685 {
2686         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2687                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2688                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2689                         if (!capable(CAP_SETFCAP))
2690                                 return -EPERM;
2691                 } else if (!capable(CAP_SYS_ADMIN)) {
2692                         /* A different attribute in the security namespace.
2693                            Restrict to administrator. */
2694                         return -EPERM;
2695                 }
2696         }
2697
2698         /* Not an attribute we recognize, so just check the
2699            ordinary setattr permission. */
2700         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2701 }
2702
2703 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2704                                   const void *value, size_t size, int flags)
2705 {
2706         struct task_security_struct *tsec = current->security;
2707         struct inode *inode = dentry->d_inode;
2708         struct inode_security_struct *isec = inode->i_security;
2709         struct superblock_security_struct *sbsec;
2710         struct avc_audit_data ad;
2711         u32 newsid;
2712         int rc = 0;
2713
2714         if (strcmp(name, XATTR_NAME_SELINUX))
2715                 return selinux_inode_setotherxattr(dentry, name);
2716
2717         sbsec = inode->i_sb->s_security;
2718         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2719                 return -EOPNOTSUPP;
2720
2721         if (!is_owner_or_cap(inode))
2722                 return -EPERM;
2723
2724         AVC_AUDIT_DATA_INIT(&ad, FS);
2725         ad.u.fs.path.dentry = dentry;
2726
2727         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2728                           FILE__RELABELFROM, &ad);
2729         if (rc)
2730                 return rc;
2731
2732         rc = security_context_to_sid(value, size, &newsid);
2733         if (rc == -EINVAL) {
2734                 if (!capable(CAP_MAC_ADMIN))
2735                         return rc;
2736                 rc = security_context_to_sid_force(value, size, &newsid);
2737         }
2738         if (rc)
2739                 return rc;
2740
2741         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2742                           FILE__RELABELTO, &ad);
2743         if (rc)
2744                 return rc;
2745
2746         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2747                                           isec->sclass);
2748         if (rc)
2749                 return rc;
2750
2751         return avc_has_perm(newsid,
2752                             sbsec->sid,
2753                             SECCLASS_FILESYSTEM,
2754                             FILESYSTEM__ASSOCIATE,
2755                             &ad);
2756 }
2757
2758 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2759                                         const void *value, size_t size,
2760                                         int flags)
2761 {
2762         struct inode *inode = dentry->d_inode;
2763         struct inode_security_struct *isec = inode->i_security;
2764         u32 newsid;
2765         int rc;
2766
2767         if (strcmp(name, XATTR_NAME_SELINUX)) {
2768                 /* Not an attribute we recognize, so nothing to do. */
2769                 return;
2770         }
2771
2772         rc = security_context_to_sid_force(value, size, &newsid);
2773         if (rc) {
2774                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2775                        "for (%s, %lu), rc=%d\n",
2776                        inode->i_sb->s_id, inode->i_ino, -rc);
2777                 return;
2778         }
2779
2780         isec->sid = newsid;
2781         return;
2782 }
2783
2784 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2785 {
2786         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2787 }
2788
2789 static int selinux_inode_listxattr(struct dentry *dentry)
2790 {
2791         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2792 }
2793
2794 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2795 {
2796         if (strcmp(name, XATTR_NAME_SELINUX))
2797                 return selinux_inode_setotherxattr(dentry, name);
2798
2799         /* No one is allowed to remove a SELinux security label.
2800            You can change the label, but all data must be labeled. */
2801         return -EACCES;
2802 }
2803
2804 /*
2805  * Copy the inode security context value to the user.
2806  *
2807  * Permission check is handled by selinux_inode_getxattr hook.
2808  */
2809 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2810 {
2811         u32 size;
2812         int error;
2813         char *context = NULL;
2814         struct task_security_struct *tsec = current->security;
2815         struct inode_security_struct *isec = inode->i_security;
2816
2817         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2818                 return -EOPNOTSUPP;
2819
2820         /*
2821          * If the caller has CAP_MAC_ADMIN, then get the raw context
2822          * value even if it is not defined by current policy; otherwise,
2823          * use the in-core value under current policy.
2824          * Use the non-auditing forms of the permission checks since
2825          * getxattr may be called by unprivileged processes commonly
2826          * and lack of permission just means that we fall back to the
2827          * in-core context value, not a denial.
2828          */
2829         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2830         if (!error)
2831                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2832                                              SECCLASS_CAPABILITY2,
2833                                              CAPABILITY2__MAC_ADMIN,
2834                                              0,
2835                                              NULL);
2836         if (!error)
2837                 error = security_sid_to_context_force(isec->sid, &context,
2838                                                       &size);
2839         else
2840                 error = security_sid_to_context(isec->sid, &context, &size);
2841         if (error)
2842                 return error;
2843         error = size;
2844         if (alloc) {
2845                 *buffer = context;
2846                 goto out_nofree;
2847         }
2848         kfree(context);
2849 out_nofree:
2850         return error;
2851 }
2852
2853 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2854                                      const void *value, size_t size, int flags)
2855 {
2856         struct inode_security_struct *isec = inode->i_security;
2857         u32 newsid;
2858         int rc;
2859
2860         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2861                 return -EOPNOTSUPP;
2862
2863         if (!value || !size)
2864                 return -EACCES;
2865
2866         rc = security_context_to_sid((void *)value, size, &newsid);
2867         if (rc)
2868                 return rc;
2869
2870         isec->sid = newsid;
2871         return 0;
2872 }
2873
2874 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2875 {
2876         const int len = sizeof(XATTR_NAME_SELINUX);
2877         if (buffer && len <= buffer_size)
2878                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2879         return len;
2880 }
2881
2882 static int selinux_inode_need_killpriv(struct dentry *dentry)
2883 {
2884         return secondary_ops->inode_need_killpriv(dentry);
2885 }
2886
2887 static int selinux_inode_killpriv(struct dentry *dentry)
2888 {
2889         return secondary_ops->inode_killpriv(dentry);
2890 }
2891
2892 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2893 {
2894         struct inode_security_struct *isec = inode->i_security;
2895         *secid = isec->sid;
2896 }
2897
2898 /* file security operations */
2899
2900 static int selinux_revalidate_file_permission(struct file *file, int mask)
2901 {
2902         int rc;
2903         struct inode *inode = file->f_path.dentry->d_inode;
2904
2905         if (!mask) {
2906                 /* No permission to check.  Existence test. */
2907                 return 0;
2908         }
2909
2910         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2911         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2912                 mask |= MAY_APPEND;
2913
2914         rc = file_has_perm(current, file,
2915                            file_mask_to_av(inode->i_mode, mask));
2916         if (rc)
2917                 return rc;
2918
2919         return selinux_netlbl_inode_permission(inode, mask);
2920 }
2921
2922 static int selinux_file_permission(struct file *file, int mask)
2923 {
2924         struct inode *inode = file->f_path.dentry->d_inode;
2925         struct task_security_struct *tsec = current->security;
2926         struct file_security_struct *fsec = file->f_security;
2927         struct inode_security_struct *isec = inode->i_security;
2928
2929         if (!mask) {
2930                 /* No permission to check.  Existence test. */
2931                 return 0;
2932         }
2933
2934         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2935             && fsec->pseqno == avc_policy_seqno())
2936                 return selinux_netlbl_inode_permission(inode, mask);
2937
2938         return selinux_revalidate_file_permission(file, mask);
2939 }
2940
2941 static int selinux_file_alloc_security(struct file *file)
2942 {
2943         return file_alloc_security(file);
2944 }
2945
2946 static void selinux_file_free_security(struct file *file)
2947 {
2948         file_free_security(file);
2949 }
2950
2951 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2952                               unsigned long arg)
2953 {
2954         u32 av = 0;
2955
2956         if (_IOC_DIR(cmd) & _IOC_WRITE)
2957                 av |= FILE__WRITE;
2958         if (_IOC_DIR(cmd) & _IOC_READ)
2959                 av |= FILE__READ;
2960         if (!av)
2961                 av = FILE__IOCTL;
2962
2963         return file_has_perm(current, file, av);
2964 }
2965
2966 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2967 {
2968 #ifndef CONFIG_PPC32
2969         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2970                 /*
2971                  * We are making executable an anonymous mapping or a
2972                  * private file mapping that will also be writable.
2973                  * This has an additional check.
2974                  */
2975                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2976                 if (rc)
2977                         return rc;
2978         }
2979 #endif
2980
2981         if (file) {
2982                 /* read access is always possible with a mapping */
2983                 u32 av = FILE__READ;
2984
2985                 /* write access only matters if the mapping is shared */
2986                 if (shared && (prot & PROT_WRITE))
2987                         av |= FILE__WRITE;
2988
2989                 if (prot & PROT_EXEC)
2990                         av |= FILE__EXECUTE;
2991
2992                 return file_has_perm(current, file, av);
2993         }
2994         return 0;
2995 }
2996
2997 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2998                              unsigned long prot, unsigned long flags,
2999                              unsigned long addr, unsigned long addr_only)
3000 {
3001         int rc = 0;
3002         u32 sid = ((struct task_security_struct *)(current->security))->sid;
3003
3004         if (addr < mmap_min_addr)
3005                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3006                                   MEMPROTECT__MMAP_ZERO, NULL);
3007         if (rc || addr_only)
3008                 return rc;
3009
3010         if (selinux_checkreqprot)
3011                 prot = reqprot;
3012
3013         return file_map_prot_check(file, prot,
3014                                    (flags & MAP_TYPE) == MAP_SHARED);
3015 }
3016
3017 static int selinux_file_mprotect(struct vm_area_struct *vma,
3018                                  unsigned long reqprot,
3019                                  unsigned long prot)
3020 {
3021         int rc;
3022
3023         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3024         if (rc)
3025                 return rc;
3026
3027         if (selinux_checkreqprot)
3028                 prot = reqprot;
3029
3030 #ifndef CONFIG_PPC32
3031         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3032                 rc = 0;
3033                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3034                     vma->vm_end <= vma->vm_mm->brk) {
3035                         rc = task_has_perm(current, current,
3036                                            PROCESS__EXECHEAP);
3037                 } else if (!vma->vm_file &&
3038                            vma->vm_start <= vma->vm_mm->start_stack &&
3039                            vma->vm_end >= vma->vm_mm->start_stack) {
3040                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3041                 } else if (vma->vm_file && vma->anon_vma) {
3042                         /*
3043                          * We are making executable a file mapping that has
3044                          * had some COW done. Since pages might have been
3045                          * written, check ability to execute the possibly
3046                          * modified content.  This typically should only
3047                          * occur for text relocations.
3048                          */
3049                         rc = file_has_perm(current, vma->vm_file,
3050                                            FILE__EXECMOD);
3051                 }
3052                 if (rc)
3053                         return rc;
3054         }
3055 #endif
3056
3057         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3058 }
3059
3060 static int selinux_file_lock(struct file *file, unsigned int cmd)
3061 {
3062         return file_has_perm(current, file, FILE__LOCK);
3063 }
3064
3065 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3066                               unsigned long arg)
3067 {
3068         int err = 0;
3069
3070         switch (cmd) {
3071         case F_SETFL:
3072                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3073                         err = -EINVAL;
3074                         break;
3075                 }
3076
3077                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3078                         err = file_has_perm(current, file, FILE__WRITE);
3079                         break;
3080                 }
3081                 /* fall through */
3082         case F_SETOWN:
3083         case F_SETSIG:
3084         case F_GETFL:
3085         case F_GETOWN:
3086         case F_GETSIG:
3087                 /* Just check FD__USE permission */
3088                 err = file_has_perm(current, file, 0);
3089                 break;
3090         case F_GETLK:
3091         case F_SETLK:
3092         case F_SETLKW:
3093 #if BITS_PER_LONG == 32
3094         case F_GETLK64:
3095         case F_SETLK64:
3096         case F_SETLKW64:
3097 #endif
3098                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3099                         err = -EINVAL;
3100                         break;
3101                 }
3102                 err = file_has_perm(current, file, FILE__LOCK);
3103                 break;
3104         }
3105
3106         return err;
3107 }
3108
3109 static int selinux_file_set_fowner(struct file *file)
3110 {
3111         struct task_security_struct *tsec;
3112         struct file_security_struct *fsec;
3113
3114         tsec = current->security;
3115         fsec = file->f_security;
3116         fsec->fown_sid = tsec->sid;
3117
3118         return 0;
3119 }
3120
3121 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3122                                        struct fown_struct *fown, int signum)
3123 {
3124         struct file *file;
3125         u32 perm;
3126         struct task_security_struct *tsec;
3127         struct file_security_struct *fsec;
3128
3129         /* struct fown_struct is never outside the context of a struct file */
3130         file = container_of(fown, struct file, f_owner);
3131
3132         tsec = tsk->security;
3133         fsec = file->f_security;
3134
3135         if (!signum)
3136                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3137         else
3138                 perm = signal_to_av(signum);
3139
3140         return avc_has_perm(fsec->fown_sid, tsec->sid,
3141                             SECCLASS_PROCESS, perm, NULL);
3142 }
3143
3144 static int selinux_file_receive(struct file *file)
3145 {
3146         return file_has_perm(current, file, file_to_av(file));
3147 }
3148
3149 static int selinux_dentry_open(struct file *file)
3150 {
3151         struct file_security_struct *fsec;
3152         struct inode *inode;
3153         struct inode_security_struct *isec;
3154         inode = file->f_path.dentry->d_inode;
3155         fsec = file->f_security;
3156         isec = inode->i_security;
3157         /*
3158          * Save inode label and policy sequence number
3159          * at open-time so that selinux_file_permission
3160          * can determine whether revalidation is necessary.
3161          * Task label is already saved in the file security
3162          * struct as its SID.
3163          */
3164         fsec->isid = isec->sid;
3165         fsec->pseqno = avc_policy_seqno();
3166         /*
3167          * Since the inode label or policy seqno may have changed
3168          * between the selinux_inode_permission check and the saving
3169          * of state above, recheck that access is still permitted.
3170          * Otherwise, access might never be revalidated against the
3171          * new inode label or new policy.
3172          * This check is not redundant - do not remove.
3173          */
3174         return inode_has_perm(current, inode, file_to_av(file), NULL);
3175 }
3176
3177 /* task security operations */
3178
3179 static int selinux_task_create(unsigned long clone_flags)
3180 {
3181         int rc;
3182
3183         rc = secondary_ops->task_create(clone_flags);
3184         if (rc)
3185                 return rc;
3186
3187         return task_has_perm(current, current, PROCESS__FORK);
3188 }
3189
3190 static int selinux_task_alloc_security(struct task_struct *tsk)
3191 {
3192         struct task_security_struct *tsec1, *tsec2;
3193         int rc;
3194
3195         tsec1 = current->security;
3196
3197         rc = task_alloc_security(tsk);
3198         if (rc)
3199                 return rc;
3200         tsec2 = tsk->security;
3201
3202         tsec2->osid = tsec1->osid;
3203         tsec2->sid = tsec1->sid;
3204
3205         /* Retain the exec, fs, key, and sock SIDs across fork */
3206         tsec2->exec_sid = tsec1->exec_sid;
3207         tsec2->create_sid = tsec1->create_sid;
3208         tsec2->keycreate_sid = tsec1->keycreate_sid;
3209         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3210
3211         return 0;
3212 }
3213
3214 static void selinux_task_free_security(struct task_struct *tsk)
3215 {
3216         task_free_security(tsk);
3217 }
3218
3219 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3220 {
3221         /* Since setuid only affects the current process, and
3222            since the SELinux controls are not based on the Linux
3223            identity attributes, SELinux does not need to control
3224            this operation.  However, SELinux does control the use
3225            of the CAP_SETUID and CAP_SETGID capabilities using the
3226            capable hook. */
3227         return 0;
3228 }
3229
3230 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3231 {
3232         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3233 }
3234
3235 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3236 {
3237         /* See the comment for setuid above. */
3238         return 0;
3239 }
3240
3241 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3242 {
3243         return task_has_perm(current, p, PROCESS__SETPGID);
3244 }
3245
3246 static int selinux_task_getpgid(struct task_struct *p)
3247 {
3248         return task_has_perm(current, p, PROCESS__GETPGID);
3249 }
3250
3251 static int selinux_task_getsid(struct task_struct *p)
3252 {
3253         return task_has_perm(current, p, PROCESS__GETSESSION);
3254 }
3255
3256 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3257 {
3258         struct task_security_struct *tsec = p->security;
3259         *secid = tsec->sid;
3260 }
3261
3262 static int selinux_task_setgroups(struct group_info *group_info)
3263 {
3264         /* See the comment for setuid above. */
3265         return 0;
3266 }
3267
3268 static int selinux_task_setnice(struct task_struct *p, int nice)
3269 {
3270         int rc;
3271
3272         rc = secondary_ops->task_setnice(p, nice);
3273         if (rc)
3274                 return rc;
3275
3276         return task_has_perm(current, p, PROCESS__SETSCHED);
3277 }
3278
3279 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3280 {
3281         int rc;
3282
3283         rc = secondary_ops->task_setioprio(p, ioprio);
3284         if (rc)
3285                 return rc;
3286
3287         return task_has_perm(current, p, PROCESS__SETSCHED);
3288 }
3289
3290 static int selinux_task_getioprio(struct task_struct *p)
3291 {
3292         return task_has_perm(current, p, PROCESS__GETSCHED);
3293 }
3294
3295 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3296 {
3297         struct rlimit *old_rlim = current->signal->rlim + resource;
3298         int rc;
3299
3300         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3301         if (rc)
3302                 return rc;
3303
3304         /* Control the ability to change the hard limit (whether
3305            lowering or raising it), so that the hard limit can
3306            later be used as a safe reset point for the soft limit
3307            upon context transitions. See selinux_bprm_apply_creds. */
3308         if (old_rlim->rlim_max != new_rlim->rlim_max)
3309                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3310
3311         return 0;
3312 }
3313
3314 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3315 {
3316         int rc;
3317
3318         rc = secondary_ops->task_setscheduler(p, policy, lp);
3319         if (rc)
3320                 return rc;
3321
3322         return task_has_perm(current, p, PROCESS__SETSCHED);
3323 }
3324
3325 static int selinux_task_getscheduler(struct task_struct *p)
3326 {
3327         return task_has_perm(current, p, PROCESS__GETSCHED);
3328 }
3329
3330 static int selinux_task_movememory(struct task_struct *p)
3331 {
3332         return task_has_perm(current, p, PROCESS__SETSCHED);
3333 }
3334
3335 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3336                                 int sig, u32 secid)
3337 {
3338         u32 perm;
3339         int rc;
3340         struct task_security_struct *tsec;
3341
3342         rc = secondary_ops->task_kill(p, info, sig, secid);
3343         if (rc)
3344                 return rc;
3345
3346         if (!sig)
3347                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3348         else
3349                 perm = signal_to_av(sig);
3350         tsec = p->security;
3351         if (secid)
3352                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3353         else
3354                 rc = task_has_perm(current, p, perm);
3355         return rc;
3356 }
3357
3358 static int selinux_task_prctl(int option,
3359                               unsigned long arg2,
3360                               unsigned long arg3,
3361                               unsigned long arg4,
3362                               unsigned long arg5,
3363                               long *rc_p)
3364 {
3365         /* The current prctl operations do not appear to require
3366            any SELinux controls since they merely observe or modify
3367            the state of the current process. */
3368         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3369 }
3370
3371 static int selinux_task_wait(struct task_struct *p)
3372 {
3373         return task_has_perm(p, current, PROCESS__SIGCHLD);
3374 }
3375
3376 static void selinux_task_reparent_to_init(struct task_struct *p)
3377 {
3378         struct task_security_struct *tsec;
3379
3380         secondary_ops->task_reparent_to_init(p);
3381
3382         tsec = p->security;
3383         tsec->osid = tsec->sid;
3384         tsec->sid = SECINITSID_KERNEL;
3385         return;
3386 }
3387
3388 static void selinux_task_to_inode(struct task_struct *p,
3389                                   struct inode *inode)
3390 {
3391         struct task_security_struct *tsec = p->security;
3392         struct inode_security_struct *isec = inode->i_security;
3393
3394         isec->sid = tsec->sid;
3395         isec->initialized = 1;
3396         return;
3397 }
3398
3399 /* Returns error only if unable to parse addresses */
3400 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3401                         struct avc_audit_data *ad, u8 *proto)
3402 {
3403         int offset, ihlen, ret = -EINVAL;
3404         struct iphdr _iph, *ih;
3405
3406         offset = skb_network_offset(skb);
3407         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3408         if (ih == NULL)
3409                 goto out;
3410
3411         ihlen = ih->ihl * 4;
3412         if (ihlen < sizeof(_iph))
3413                 goto out;
3414
3415         ad->u.net.v4info.saddr = ih->saddr;
3416         ad->u.net.v4info.daddr = ih->daddr;
3417         ret = 0;
3418
3419         if (proto)
3420                 *proto = ih->protocol;
3421
3422         switch (ih->protocol) {
3423         case IPPROTO_TCP: {
3424                 struct tcphdr _tcph, *th;
3425
3426                 if (ntohs(ih->frag_off) & IP_OFFSET)
3427                         break;
3428
3429                 offset += ihlen;
3430                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3431                 if (th == NULL)
3432                         break;
3433
3434                 ad->u.net.sport = th->source;
3435                 ad->u.net.dport = th->dest;
3436                 break;
3437         }
3438
3439         case IPPROTO_UDP: {
3440                 struct udphdr _udph, *uh;
3441
3442                 if (ntohs(ih->frag_off) & IP_OFFSET)
3443                         break;
3444
3445                 offset += ihlen;
3446                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3447                 if (uh == NULL)
3448                         break;
3449
3450                 ad->u.net.sport = uh->source;
3451                 ad->u.net.dport = uh->dest;
3452                 break;
3453         }
3454
3455         case IPPROTO_DCCP: {
3456                 struct dccp_hdr _dccph, *dh;
3457
3458                 if (ntohs(ih->frag_off) & IP_OFFSET)
3459                         break;
3460
3461                 offset += ihlen;
3462                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3463                 if (dh == NULL)
3464                         break;
3465
3466                 ad->u.net.sport = dh->dccph_sport;
3467                 ad->u.net.dport = dh->dccph_dport;
3468                 break;
3469         }
3470
3471         default:
3472                 break;
3473         }
3474 out:
3475         return ret;
3476 }
3477
3478 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3479
3480 /* Returns error only if unable to parse addresses */
3481 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3482                         struct avc_audit_data *ad, u8 *proto)
3483 {
3484         u8 nexthdr;
3485         int ret = -EINVAL, offset;
3486         struct ipv6hdr _ipv6h, *ip6;
3487
3488         offset = skb_network_offset(skb);
3489         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3490         if (ip6 == NULL)
3491                 goto out;
3492
3493         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3494         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3495         ret = 0;
3496
3497         nexthdr = ip6->nexthdr;
3498         offset += sizeof(_ipv6h);
3499         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3500         if (offset < 0)
3501                 goto out;
3502
3503         if (proto)
3504                 *proto = nexthdr;
3505
3506         switch (nexthdr) {
3507         case IPPROTO_TCP: {
3508                 struct tcphdr _tcph, *th;
3509
3510                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3511                 if (th == NULL)
3512                         break;
3513
3514                 ad->u.net.sport = th->source;
3515                 ad->u.net.dport = th->dest;
3516                 break;
3517         }
3518
3519         case IPPROTO_UDP: {
3520                 struct udphdr _udph, *uh;
3521
3522                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3523                 if (uh == NULL)
3524                         break;
3525
3526                 ad->u.net.sport = uh->source;
3527                 ad->u.net.dport = uh->dest;
3528                 break;
3529         }
3530
3531         case IPPROTO_DCCP: {
3532                 struct dccp_hdr _dccph, *dh;
3533
3534                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3535                 if (dh == NULL)
3536                         break;
3537
3538                 ad->u.net.sport = dh->dccph_sport;
3539                 ad->u.net.dport = dh->dccph_dport;
3540                 break;
3541         }
3542
3543         /* includes fragments */
3544         default:
3545                 break;
3546         }
3547 out:
3548         return ret;
3549 }
3550
3551 #endif /* IPV6 */
3552
3553 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3554                              char **addrp, int src, u8 *proto)
3555 {
3556         int ret = 0;
3557
3558         switch (ad->u.net.family) {
3559         case PF_INET:
3560                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3561                 if (ret || !addrp)
3562                         break;
3563                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3564                                         &ad->u.net.v4info.daddr);
3565                 break;
3566
3567 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3568         case PF_INET6:
3569                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3570                 if (ret || !addrp)
3571                         break;
3572                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3573                                         &ad->u.net.v6info.daddr);
3574                 break;
3575 #endif  /* IPV6 */
3576         default:
3577                 break;
3578         }
3579
3580         if (unlikely(ret))
3581                 printk(KERN_WARNING
3582                        "SELinux: failure in selinux_parse_skb(),"
3583                        " unable to parse packet\n");
3584
3585         return ret;
3586 }
3587
3588 /**
3589  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3590  * @skb: the packet
3591  * @family: protocol family
3592  * @sid: the packet's peer label SID
3593  *
3594  * Description:
3595  * Check the various different forms of network peer labeling and determine
3596  * the peer label/SID for the packet; most of the magic actually occurs in
3597  * the security server function security_net_peersid_cmp().  The function
3598  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3599  * or -EACCES if @sid is invalid due to inconsistencies with the different
3600  * peer labels.
3601  *
3602  */
3603 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3604 {
3605         int err;
3606         u32 xfrm_sid;
3607         u32 nlbl_sid;
3608         u32 nlbl_type;
3609
3610         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3611         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3612
3613         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3614         if (unlikely(err)) {
3615                 printk(KERN_WARNING
3616                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3617                        " unable to determine packet's peer label\n");
3618                 return -EACCES;
3619         }
3620
3621         return 0;
3622 }
3623
3624 /* socket security operations */
3625 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3626                            u32 perms)
3627 {
3628         struct inode_security_struct *isec;
3629         struct task_security_struct *tsec;
3630         struct avc_audit_data ad;
3631         int err = 0;
3632
3633         tsec = task->security;
3634         isec = SOCK_INODE(sock)->i_security;
3635
3636         if (isec->sid == SECINITSID_KERNEL)
3637                 goto out;
3638
3639         AVC_AUDIT_DATA_INIT(&ad, NET);
3640         ad.u.net.sk = sock->sk;
3641         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3642
3643 out:
3644         return err;
3645 }
3646
3647 static int selinux_socket_create(int family, int type,
3648                                  int protocol, int kern)
3649 {
3650         int err = 0;
3651         struct task_security_struct *tsec;
3652         u32 newsid;
3653
3654         if (kern)
3655                 goto out;
3656
3657         tsec = current->security;
3658         newsid = tsec->sockcreate_sid ? : tsec->sid;
3659         err = avc_has_perm(tsec->sid, newsid,
3660                            socket_type_to_security_class(family, type,
3661                            protocol), SOCKET__CREATE, NULL);
3662
3663 out:
3664         return err;
3665 }
3666
3667 static int selinux_socket_post_create(struct socket *sock, int family,
3668                                       int type, int protocol, int kern)
3669 {
3670         int err = 0;
3671         struct inode_security_struct *isec;
3672         struct task_security_struct *tsec;
3673         struct sk_security_struct *sksec;
3674         u32 newsid;
3675
3676         isec = SOCK_INODE(sock)->i_security;
3677
3678         tsec = current->security;
3679         newsid = tsec->sockcreate_sid ? : tsec->sid;
3680         isec->sclass = socket_type_to_security_class(family, type, protocol);
3681         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3682         isec->initialized = 1;
3683
3684         if (sock->sk) {
3685                 sksec = sock->sk->sk_security;
3686                 sksec->sid = isec->sid;
3687                 sksec->sclass = isec->sclass;
3688                 err = selinux_netlbl_socket_post_create(sock);
3689         }
3690
3691         return err;
3692 }
3693
3694 /* Range of port numbers used to automatically bind.
3695    Need to determine whether we should perform a name_bind
3696    permission check between the socket and the port number. */
3697
3698 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3699 {
3700         u16 family;
3701         int err;
3702
3703         err = socket_has_perm(current, sock, SOCKET__BIND);
3704         if (err)
3705                 goto out;
3706
3707         /*
3708          * If PF_INET or PF_INET6, check name_bind permission for the port.
3709          * Multiple address binding for SCTP is not supported yet: we just
3710          * check the first address now.
3711          */
3712         family = sock->sk->sk_family;
3713         if (family == PF_INET || family == PF_INET6) {
3714                 char *addrp;
3715                 struct inode_security_struct *isec;
3716                 struct task_security_struct *tsec;
3717                 struct avc_audit_data ad;
3718                 struct sockaddr_in *addr4 = NULL;
3719                 struct sockaddr_in6 *addr6 = NULL;
3720                 unsigned short snum;
3721                 struct sock *sk = sock->sk;
3722                 u32 sid, node_perm;
3723
3724                 tsec = current->security;
3725                 isec = SOCK_INODE(sock)->i_security;
3726
3727                 if (family == PF_INET) {
3728                         addr4 = (struct sockaddr_in *)address;
3729                         snum = ntohs(addr4->sin_port);
3730                         addrp = (char *)&addr4->sin_addr.s_addr;
3731                 } else {
3732                         addr6 = (struct sockaddr_in6 *)address;
3733                         snum = ntohs(addr6->sin6_port);
3734                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3735                 }
3736
3737                 if (snum) {
3738                         int low, high;
3739
3740                         inet_get_local_port_range(&low, &high);
3741
3742                         if (snum < max(PROT_SOCK, low) || snum > high) {
3743                                 err = sel_netport_sid(sk->sk_protocol,
3744                                                       snum, &sid);
3745                                 if (err)
3746                                         goto out;
3747                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3748                                 ad.u.net.sport = htons(snum);
3749                                 ad.u.net.family = family;
3750                                 err = avc_has_perm(isec->sid, sid,
3751                                                    isec->sclass,
3752                                                    SOCKET__NAME_BIND, &ad);
3753                                 if (err)
3754                                         goto out;
3755                         }
3756                 }
3757
3758                 switch (isec->sclass) {
3759                 case SECCLASS_TCP_SOCKET:
3760                         node_perm = TCP_SOCKET__NODE_BIND;
3761                         break;
3762
3763                 case SECCLASS_UDP_SOCKET:
3764                         node_perm = UDP_SOCKET__NODE_BIND;
3765                         break;
3766
3767                 case SECCLASS_DCCP_SOCKET:
3768                         node_perm = DCCP_SOCKET__NODE_BIND;
3769                         break;
3770
3771                 default:
3772                         node_perm = RAWIP_SOCKET__NODE_BIND;
3773                         break;
3774                 }
3775
3776                 err = sel_netnode_sid(addrp, family, &sid);
3777                 if (err)
3778                         goto out;
3779
3780                 AVC_AUDIT_DATA_INIT(&ad, NET);
3781                 ad.u.net.sport = htons(snum);
3782                 ad.u.net.family = family;
3783
3784                 if (family == PF_INET)
3785                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3786                 else
3787                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3788
3789                 err = avc_has_perm(isec->sid, sid,
3790                                    isec->sclass, node_perm, &ad);
3791                 if (err)
3792                         goto out;
3793         }
3794 out:
3795         return err;
3796 }
3797
3798 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3799 {
3800         struct inode_security_struct *isec;
3801         int err;
3802
3803         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3804         if (err)
3805                 return err;
3806
3807         /*
3808          * If a TCP or DCCP socket, check name_connect permission for the port.
3809          */
3810         isec = SOCK_INODE(sock)->i_security;
3811         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3812             isec->sclass == SECCLASS_DCCP_SOCKET) {
3813                 struct sock *sk = sock->sk;
3814                 struct avc_audit_data ad;
3815                 struct sockaddr_in *addr4 = NULL;
3816                 struct sockaddr_in6 *addr6 = NULL;
3817                 unsigned short snum;
3818                 u32 sid, perm;
3819
3820                 if (sk->sk_family == PF_INET) {
3821                         addr4 = (struct sockaddr_in *)address;
3822                         if (addrlen < sizeof(struct sockaddr_in))
3823                                 return -EINVAL;
3824                         snum = ntohs(addr4->sin_port);
3825                 } else {
3826                         addr6 = (struct sockaddr_in6 *)address;
3827                         if (addrlen < SIN6_LEN_RFC2133)
3828                                 return -EINVAL;
3829                         snum = ntohs(addr6->sin6_port);
3830                 }
3831
3832                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3833                 if (err)
3834                         goto out;
3835
3836                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3837                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3838
3839                 AVC_AUDIT_DATA_INIT(&ad, NET);
3840                 ad.u.net.dport = htons(snum);
3841                 ad.u.net.family = sk->sk_family;
3842                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3843                 if (err)
3844                         goto out;
3845         }
3846
3847 out:
3848         return err;
3849 }
3850
3851 static int selinux_socket_listen(struct socket *sock, int backlog)
3852 {
3853         return socket_has_perm(current, sock, SOCKET__LISTEN);
3854 }
3855
3856 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3857 {
3858         int err;
3859         struct inode_security_struct *isec;
3860         struct inode_security_struct *newisec;
3861
3862         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3863         if (err)
3864                 return err;
3865
3866         newisec = SOCK_INODE(newsock)->i_security;
3867
3868         isec = SOCK_INODE(sock)->i_security;
3869         newisec->sclass = isec->sclass;
3870         newisec->sid = isec->sid;
3871         newisec->initialized = 1;
3872
3873         return 0;
3874 }
3875
3876 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3877                                   int size)
3878 {
3879         int rc;
3880
3881         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3882         if (rc)
3883                 return rc;
3884
3885         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3886 }
3887
3888 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3889                                   int size, int flags)
3890 {
3891         return socket_has_perm(current, sock, SOCKET__READ);
3892 }
3893
3894 static int selinux_socket_getsockname(struct socket *sock)
3895 {
3896         return socket_has_perm(current, sock, SOCKET__GETATTR);
3897 }
3898
3899 static int selinux_socket_getpeername(struct socket *sock)
3900 {
3901         return socket_has_perm(current, sock, SOCKET__GETATTR);
3902 }
3903
3904 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3905 {
3906         int err;
3907
3908         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3909         if (err)
3910                 return err;
3911
3912         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3913 }
3914
3915 static int selinux_socket_getsockopt(struct socket *sock, int level,
3916                                      int optname)
3917 {
3918         return socket_has_perm(current, sock, SOCKET__GETOPT);
3919 }
3920
3921 static int selinux_socket_shutdown(struct socket *sock, int how)
3922 {
3923         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3924 }
3925
3926 static int selinux_socket_unix_stream_connect(struct socket *sock,
3927                                               struct socket *other,
3928                                               struct sock *newsk)
3929 {
3930         struct sk_security_struct *ssec;
3931         struct inode_security_struct *isec;
3932         struct inode_security_struct *other_isec;
3933         struct avc_audit_data ad;
3934         int err;
3935
3936         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3937         if (err)
3938                 return err;
3939
3940         isec = SOCK_INODE(sock)->i_security;
3941         other_isec = SOCK_INODE(other)->i_security;
3942
3943         AVC_AUDIT_DATA_INIT(&ad, NET);
3944         ad.u.net.sk = other->sk;
3945
3946         err = avc_has_perm(isec->sid, other_isec->sid,
3947                            isec->sclass,
3948                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3949         if (err)
3950                 return err;
3951
3952         /* connecting socket */
3953         ssec = sock->sk->sk_security;
3954         ssec->peer_sid = other_isec->sid;
3955
3956         /* server child socket */
3957         ssec = newsk->sk_security;
3958         ssec->peer_sid = isec->sid;
3959         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3960
3961         return err;
3962 }
3963
3964 static int selinux_socket_unix_may_send(struct socket *sock,
3965                                         struct socket *other)
3966 {
3967         struct inode_security_struct *isec;
3968         struct inode_security_struct *other_isec;
3969         struct avc_audit_data ad;
3970         int err;
3971
3972         isec = SOCK_INODE(sock)->i_security;
3973         other_isec = SOCK_INODE(other)->i_security;
3974
3975         AVC_AUDIT_DATA_INIT(&ad, NET);
3976         ad.u.net.sk = other->sk;
3977
3978         err = avc_has_perm(isec->sid, other_isec->sid,
3979                            isec->sclass, SOCKET__SENDTO, &ad);
3980         if (err)
3981                 return err;
3982
3983         return 0;
3984 }
3985
3986 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3987                                     u32 peer_sid,
3988                                     struct avc_audit_data *ad)
3989 {
3990         int err;
3991         u32 if_sid;
3992         u32 node_sid;
3993
3994         err = sel_netif_sid(ifindex, &if_sid);
3995         if (err)
3996                 return err;
3997         err = avc_has_perm(peer_sid, if_sid,
3998                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3999         if (err)
4000                 return err;
4001
4002         err = sel_netnode_sid(addrp, family, &node_sid);
4003         if (err)
4004                 return err;
4005         return avc_has_perm(peer_sid, node_sid,
4006                             SECCLASS_NODE, NODE__RECVFROM, ad);
4007 }
4008
4009 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4010                                                 struct sk_buff *skb,
4011                                                 struct avc_audit_data *ad,
4012                                                 u16 family,
4013                                                 char *addrp)
4014 {
4015         int err;
4016         struct sk_security_struct *sksec = sk->sk_security;
4017         u16 sk_class;
4018         u32 netif_perm, node_perm, recv_perm;
4019         u32 port_sid, node_sid, if_sid, sk_sid;
4020
4021         sk_sid = sksec->sid;
4022         sk_class = sksec->sclass;
4023
4024         switch (sk_class) {
4025         case SECCLASS_UDP_SOCKET:
4026                 netif_perm = NETIF__UDP_RECV;
4027                 node_perm = NODE__UDP_RECV;
4028                 recv_perm = UDP_SOCKET__RECV_MSG;
4029                 break;
4030         case SECCLASS_TCP_SOCKET:
4031                 netif_perm = NETIF__TCP_RECV;
4032                 node_perm = NODE__TCP_RECV;
4033                 recv_perm = TCP_SOCKET__RECV_MSG;
4034                 break;
4035         case SECCLASS_DCCP_SOCKET:
4036                 netif_perm = NETIF__DCCP_RECV;
4037                 node_perm = NODE__DCCP_RECV;
4038                 recv_perm = DCCP_SOCKET__RECV_MSG;
4039                 break;
4040         default:
4041                 netif_perm = NETIF__RAWIP_RECV;
4042                 node_perm = NODE__RAWIP_RECV;
4043                 recv_perm = 0;
4044                 break;
4045         }
4046
4047         err = sel_netif_sid(skb->iif, &if_sid);
4048         if (err)
4049                 return err;
4050         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4051         if (err)
4052                 return err;
4053
4054         err = sel_netnode_sid(addrp, family, &node_sid);
4055         if (err)
4056                 return err;
4057         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4058         if (err)
4059                 return err;
4060
4061         if (!recv_perm)
4062                 return 0;
4063         err = sel_netport_sid(sk->sk_protocol,
4064                               ntohs(ad->u.net.sport), &port_sid);
4065         if (unlikely(err)) {
4066                 printk(KERN_WARNING
4067                        "SELinux: failure in"
4068                        " selinux_sock_rcv_skb_iptables_compat(),"
4069                        " network port label not found\n");
4070                 return err;
4071         }
4072         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4073 }
4074
4075 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4076                                        struct avc_audit_data *ad,
4077                                        u16 family, char *addrp)
4078 {
4079         int err;
4080         struct sk_security_struct *sksec = sk->sk_security;
4081         u32 peer_sid;
4082         u32 sk_sid = sksec->sid;
4083
4084         if (selinux_compat_net)
4085                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4086                                                            family, addrp);
4087         else
4088                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4089                                    PACKET__RECV, ad);
4090         if (err)
4091                 return err;
4092
4093         if (selinux_policycap_netpeer) {
4094                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4095                 if (err)
4096                         return err;
4097                 err = avc_has_perm(sk_sid, peer_sid,
4098                                    SECCLASS_PEER, PEER__RECV, ad);
4099         } else {
4100                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4101                 if (err)
4102                         return err;
4103                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4104         }
4105
4106         return err;
4107 }
4108
4109 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4110 {
4111         int err;
4112         struct sk_security_struct *sksec = sk->sk_security;
4113         u16 family = sk->sk_family;
4114         u32 sk_sid = sksec->sid;
4115         struct avc_audit_data ad;
4116         char *addrp;
4117
4118         if (family != PF_INET && family != PF_INET6)
4119                 return 0;
4120
4121         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4122         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4123                 family = PF_INET;
4124
4125         AVC_AUDIT_DATA_INIT(&ad, NET);
4126         ad.u.net.netif = skb->iif;
4127         ad.u.net.family = family;
4128         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4129         if (err)
4130                 return err;
4131
4132         /* If any sort of compatibility mode is enabled then handoff processing
4133          * to the selinux_sock_rcv_skb_compat() function to deal with the
4134          * special handling.  We do this in an attempt to keep this function
4135          * as fast and as clean as possible. */
4136         if (selinux_compat_net || !selinux_policycap_netpeer)
4137                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4138                                                    family, addrp);
4139
4140         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4141                 u32 peer_sid;
4142
4143                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4144                 if (err)
4145                         return err;
4146                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4147                                                peer_sid, &ad);
4148                 if (err)
4149                         return err;
4150                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4151                                    PEER__RECV, &ad);
4152         }
4153
4154         if (selinux_secmark_enabled()) {
4155                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4156                                    PACKET__RECV, &ad);
4157                 if (err)
4158                         return err;
4159         }
4160
4161         return err;
4162 }
4163
4164 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4165                                             int __user *optlen, unsigned len)
4166 {
4167         int err = 0;
4168         char *scontext;
4169         u32 scontext_len;
4170         struct sk_security_struct *ssec;
4171         struct inode_security_struct *isec;
4172         u32 peer_sid = SECSID_NULL;
4173
4174         isec = SOCK_INODE(sock)->i_security;
4175
4176         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4177             isec->sclass == SECCLASS_TCP_SOCKET) {
4178                 ssec = sock->sk->sk_security;
4179                 peer_sid = ssec->peer_sid;
4180         }
4181         if (peer_sid == SECSID_NULL) {
4182                 err = -ENOPROTOOPT;
4183                 goto out;
4184         }
4185
4186         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4187
4188         if (err)
4189                 goto out;
4190
4191         if (scontext_len > len) {
4192                 err = -ERANGE;
4193                 goto out_len;
4194         }
4195
4196         if (copy_to_user(optval, scontext, scontext_len))
4197                 err = -EFAULT;
4198
4199 out_len:
4200         if (put_user(scontext_len, optlen))
4201                 err = -EFAULT;
4202
4203         kfree(scontext);
4204 out:
4205         return err;
4206 }
4207
4208 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4209 {
4210         u32 peer_secid = SECSID_NULL;
4211         u16 family;
4212
4213         if (sock)
4214                 family = sock->sk->sk_family;
4215         else if (skb && skb->sk)
4216                 family = skb->sk->sk_family;
4217         else
4218                 goto out;
4219
4220         if (sock && family == PF_UNIX)
4221                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4222         else if (skb)
4223                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4224
4225 out:
4226         *secid = peer_secid;
4227         if (peer_secid == SECSID_NULL)
4228                 return -EINVAL;
4229         return 0;
4230 }
4231
4232 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4233 {
4234         return sk_alloc_security(sk, family, priority);
4235 }
4236
4237 static void selinux_sk_free_security(struct sock *sk)
4238 {
4239         sk_free_security(sk);
4240 }
4241
4242 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4243 {
4244         struct sk_security_struct *ssec = sk->sk_security;
4245         struct sk_security_struct *newssec = newsk->sk_security;
4246
4247         newssec->sid = ssec->sid;
4248         newssec->peer_sid = ssec->peer_sid;
4249         newssec->sclass = ssec->sclass;
4250
4251         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4252 }
4253
4254 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4255 {
4256         if (!sk)
4257                 *secid = SECINITSID_ANY_SOCKET;
4258         else {
4259                 struct sk_security_struct *sksec = sk->sk_security;
4260
4261                 *secid = sksec->sid;
4262         }
4263 }
4264
4265 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4266 {
4267         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4268         struct sk_security_struct *sksec = sk->sk_security;
4269
4270         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4271             sk->sk_family == PF_UNIX)
4272                 isec->sid = sksec->sid;
4273         sksec->sclass = isec->sclass;
4274
4275         selinux_netlbl_sock_graft(sk, parent);
4276 }
4277
4278 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4279                                      struct request_sock *req)
4280 {
4281         struct sk_security_struct *sksec = sk->sk_security;
4282         int err;
4283         u32 newsid;
4284         u32 peersid;
4285
4286         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4287         if (err)
4288                 return err;
4289         if (peersid == SECSID_NULL) {
4290                 req->secid = sksec->sid;
4291                 req->peer_secid = SECSID_NULL;
4292                 return 0;
4293         }
4294
4295         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4296         if (err)
4297                 return err;
4298
4299         req->secid = newsid;
4300         req->peer_secid = peersid;
4301         return 0;
4302 }
4303
4304 static void selinux_inet_csk_clone(struct sock *newsk,
4305                                    const struct request_sock *req)
4306 {
4307         struct sk_security_struct *newsksec = newsk->sk_security;
4308
4309         newsksec->sid = req->secid;
4310         newsksec->peer_sid = req->peer_secid;
4311         /* NOTE: Ideally, we should also get the isec->sid for the
4312            new socket in sync, but we don't have the isec available yet.
4313            So we will wait until sock_graft to do it, by which
4314            time it will have been created and available. */
4315
4316         /* We don't need to take any sort of lock here as we are the only
4317          * thread with access to newsksec */
4318         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4319 }
4320
4321 static void selinux_inet_conn_established(struct sock *sk,
4322                                 struct sk_buff *skb)
4323 {
4324         struct sk_security_struct *sksec = sk->sk_security;
4325
4326         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4327 }
4328
4329 static void selinux_req_classify_flow(const struct request_sock *req,
4330                                       struct flowi *fl)
4331 {
4332         fl->secid = req->secid;
4333 }
4334
4335 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4336 {
4337         int err = 0;
4338         u32 perm;
4339         struct nlmsghdr *nlh;
4340         struct socket *sock = sk->sk_socket;
4341         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4342
4343         if (skb->len < NLMSG_SPACE(0)) {
4344                 err = -EINVAL;
4345                 goto out;
4346         }
4347         nlh = nlmsg_hdr(skb);
4348
4349         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4350         if (err) {
4351                 if (err == -EINVAL) {
4352                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4353                                   "SELinux:  unrecognized netlink message"
4354                                   " type=%hu for sclass=%hu\n",
4355                                   nlh->nlmsg_type, isec->sclass);
4356                         if (!selinux_enforcing)
4357                                 err = 0;
4358                 }
4359
4360                 /* Ignore */
4361                 if (err == -ENOENT)
4362                         err = 0;
4363                 goto out;
4364         }
4365
4366         err = socket_has_perm(current, sock, perm);
4367 out:
4368         return err;
4369 }
4370
4371 #ifdef CONFIG_NETFILTER
4372
4373 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4374                                        u16 family)
4375 {
4376         char *addrp;
4377         u32 peer_sid;
4378         struct avc_audit_data ad;
4379         u8 secmark_active;
4380         u8 peerlbl_active;
4381
4382         if (!selinux_policycap_netpeer)
4383                 return NF_ACCEPT;
4384
4385         secmark_active = selinux_secmark_enabled();
4386         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4387         if (!secmark_active && !peerlbl_active)
4388                 return NF_ACCEPT;
4389
4390         AVC_AUDIT_DATA_INIT(&ad, NET);
4391         ad.u.net.netif = ifindex;
4392         ad.u.net.family = family;
4393         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4394                 return NF_DROP;
4395
4396         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4397                 return NF_DROP;
4398
4399         if (peerlbl_active)
4400                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4401                                              peer_sid, &ad) != 0)
4402                         return NF_DROP;
4403
4404         if (secmark_active)
4405                 if (avc_has_perm(peer_sid, skb->secmark,
4406                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4407                         return NF_DROP;
4408
4409         return NF_ACCEPT;
4410 }
4411
4412 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4413                                          struct sk_buff *skb,
4414                                          const struct net_device *in,
4415                                          const struct net_device *out,
4416                                          int (*okfn)(struct sk_buff *))
4417 {
4418         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4419 }
4420
4421 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4422 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4423                                          struct sk_buff *skb,
4424                                          const struct net_device *in,
4425                                          const struct net_device *out,
4426                                          int (*okfn)(struct sk_buff *))
4427 {
4428         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4429 }
4430 #endif  /* IPV6 */
4431
4432 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4433                                                 int ifindex,
4434                                                 struct avc_audit_data *ad,
4435                                                 u16 family, char *addrp)
4436 {
4437         int err;
4438         struct sk_security_struct *sksec = sk->sk_security;
4439         u16 sk_class;
4440         u32 netif_perm, node_perm, send_perm;
4441         u32 port_sid, node_sid, if_sid, sk_sid;
4442
4443         sk_sid = sksec->sid;
4444         sk_class = sksec->sclass;
4445
4446         switch (sk_class) {
4447         case SECCLASS_UDP_SOCKET:
4448                 netif_perm = NETIF__UDP_SEND;
4449                 node_perm = NODE__UDP_SEND;
4450                 send_perm = UDP_SOCKET__SEND_MSG;
4451                 break;
4452         case SECCLASS_TCP_SOCKET:
4453                 netif_perm = NETIF__TCP_SEND;
4454                 node_perm = NODE__TCP_SEND;
4455                 send_perm = TCP_SOCKET__SEND_MSG;
4456                 break;
4457         case SECCLASS_DCCP_SOCKET:
4458                 netif_perm = NETIF__DCCP_SEND;
4459                 node_perm = NODE__DCCP_SEND;
4460                 send_perm = DCCP_SOCKET__SEND_MSG;
4461                 break;
4462         default:
4463                 netif_perm = NETIF__RAWIP_SEND;
4464                 node_perm = NODE__RAWIP_SEND;
4465                 send_perm = 0;
4466                 break;
4467         }
4468
4469         err = sel_netif_sid(ifindex, &if_sid);
4470         if (err)
4471                 return err;
4472         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4473                 return err;
4474
4475         err = sel_netnode_sid(addrp, family, &node_sid);
4476         if (err)
4477                 return err;
4478         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4479         if (err)
4480                 return err;
4481
4482         if (send_perm != 0)
4483                 return 0;
4484
4485         err = sel_netport_sid(sk->sk_protocol,
4486                               ntohs(ad->u.net.dport), &port_sid);
4487         if (unlikely(err)) {
4488                 printk(KERN_WARNING
4489                        "SELinux: failure in"
4490                        " selinux_ip_postroute_iptables_compat(),"
4491                        " network port label not found\n");
4492                 return err;
4493         }
4494         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4495 }
4496
4497 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4498                                                 int ifindex,
4499                                                 struct avc_audit_data *ad,
4500                                                 u16 family,
4501                                                 char *addrp,
4502                                                 u8 proto)
4503 {
4504         struct sock *sk = skb->sk;
4505         struct sk_security_struct *sksec;
4506
4507         if (sk == NULL)
4508                 return NF_ACCEPT;
4509         sksec = sk->sk_security;
4510
4511         if (selinux_compat_net) {
4512                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4513                                                          ad, family, addrp))
4514                         return NF_DROP;
4515         } else {
4516                 if (avc_has_perm(sksec->sid, skb->secmark,
4517                                  SECCLASS_PACKET, PACKET__SEND, ad))
4518                         return NF_DROP;
4519         }
4520
4521         if (selinux_policycap_netpeer)
4522                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4523                         return NF_DROP;
4524
4525         return NF_ACCEPT;
4526 }
4527
4528 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4529                                          u16 family)
4530 {
4531         u32 secmark_perm;
4532         u32 peer_sid;
4533         struct sock *sk;
4534         struct avc_audit_data ad;
4535         char *addrp;
4536         u8 proto;
4537         u8 secmark_active;
4538         u8 peerlbl_active;
4539
4540         AVC_AUDIT_DATA_INIT(&ad, NET);
4541         ad.u.net.netif = ifindex;
4542         ad.u.net.family = family;
4543         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4544                 return NF_DROP;
4545
4546         /* If any sort of compatibility mode is enabled then handoff processing
4547          * to the selinux_ip_postroute_compat() function to deal with the
4548          * special handling.  We do this in an attempt to keep this function
4549          * as fast and as clean as possible. */
4550         if (selinux_compat_net || !selinux_policycap_netpeer)
4551                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4552                                                    family, addrp, proto);
4553
4554         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4555          * packet transformation so allow the packet to pass without any checks
4556          * since we'll have another chance to perform access control checks
4557          * when the packet is on it's final way out.
4558          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4559          *       is NULL, in this case go ahead and apply access control. */
4560         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4561                 return NF_ACCEPT;
4562
4563         secmark_active = selinux_secmark_enabled();
4564         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4565         if (!secmark_active && !peerlbl_active)
4566                 return NF_ACCEPT;
4567
4568         /* if the packet is locally generated (skb->sk != NULL) then use the
4569          * socket's label as the peer label, otherwise the packet is being
4570          * forwarded through this system and we need to fetch the peer label
4571          * directly from the packet */
4572         sk = skb->sk;
4573         if (sk) {
4574                 struct sk_security_struct *sksec = sk->sk_security;
4575                 peer_sid = sksec->sid;
4576                 secmark_perm = PACKET__SEND;
4577         } else {
4578                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4579                                 return NF_DROP;
4580                 secmark_perm = PACKET__FORWARD_OUT;
4581         }
4582
4583         if (secmark_active)
4584                 if (avc_has_perm(peer_sid, skb->secmark,
4585                                  SECCLASS_PACKET, secmark_perm, &ad))
4586                         return NF_DROP;
4587
4588         if (peerlbl_active) {
4589                 u32 if_sid;
4590                 u32 node_sid;
4591
4592                 if (sel_netif_sid(ifindex, &if_sid))
4593                         return NF_DROP;
4594                 if (avc_has_perm(peer_sid, if_sid,
4595                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4596                         return NF_DROP;
4597
4598                 if (sel_netnode_sid(addrp, family, &node_sid))
4599                         return NF_DROP;
4600                 if (avc_has_perm(peer_sid, node_sid,
4601                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4602                         return NF_DROP;
4603         }
4604
4605         return NF_ACCEPT;
4606 }
4607
4608 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4609                                            struct sk_buff *skb,
4610                                            const struct net_device *in,
4611                                            const struct net_device *out,
4612                                            int (*okfn)(struct sk_buff *))
4613 {
4614         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4615 }
4616
4617 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4618 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4619                                            struct sk_buff *skb,
4620                                            const struct net_device *in,
4621                                            const struct net_device *out,
4622                                            int (*okfn)(struct sk_buff *))
4623 {
4624         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4625 }
4626 #endif  /* IPV6 */
4627
4628 #endif  /* CONFIG_NETFILTER */
4629
4630 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4631 {
4632         int err;
4633
4634         err = secondary_ops->netlink_send(sk, skb);
4635         if (err)
4636                 return err;
4637
4638         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4639                 err = selinux_nlmsg_perm(sk, skb);
4640
4641         return err;
4642 }
4643
4644 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4645 {
4646         int err;
4647         struct avc_audit_data ad;
4648
4649         err = secondary_ops->netlink_recv(skb, capability);
4650         if (err)
4651                 return err;
4652
4653         AVC_AUDIT_DATA_INIT(&ad, CAP);
4654         ad.u.cap = capability;
4655
4656         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4657                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4658 }
4659
4660 static int ipc_alloc_security(struct task_struct *task,
4661                               struct kern_ipc_perm *perm,
4662                               u16 sclass)
4663 {
4664         struct task_security_struct *tsec = task->security;
4665         struct ipc_security_struct *isec;
4666
4667         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4668         if (!isec)
4669                 return -ENOMEM;
4670
4671         isec->sclass = sclass;
4672         isec->sid = tsec->sid;
4673         perm->security = isec;
4674
4675         return 0;
4676 }
4677
4678 static void ipc_free_security(struct kern_ipc_perm *perm)
4679 {
4680         struct ipc_security_struct *isec = perm->security;
4681         perm->security = NULL;
4682         kfree(isec);
4683 }
4684
4685 static int msg_msg_alloc_security(struct msg_msg *msg)
4686 {
4687         struct msg_security_struct *msec;
4688
4689         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4690         if (!msec)
4691                 return -ENOMEM;
4692
4693         msec->sid = SECINITSID_UNLABELED;
4694         msg->security = msec;
4695
4696         return 0;
4697 }
4698
4699 static void msg_msg_free_security(struct msg_msg *msg)
4700 {
4701         struct msg_security_struct *msec = msg->security;
4702
4703         msg->security = NULL;
4704         kfree(msec);
4705 }
4706
4707 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4708                         u32 perms)
4709 {
4710         struct task_security_struct *tsec;
4711         struct ipc_security_struct *isec;
4712         struct avc_audit_data ad;
4713
4714         tsec = current->security;
4715         isec = ipc_perms->security;
4716
4717         AVC_AUDIT_DATA_INIT(&ad, IPC);
4718         ad.u.ipc_id = ipc_perms->key;
4719
4720         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4721 }
4722
4723 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4724 {
4725         return msg_msg_alloc_security(msg);
4726 }
4727
4728 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4729 {
4730         msg_msg_free_security(msg);
4731 }
4732
4733 /* message queue security operations */
4734 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4735 {
4736         struct task_security_struct *tsec;
4737         struct ipc_security_struct *isec;
4738         struct avc_audit_data ad;
4739         int rc;
4740
4741         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4742         if (rc)
4743                 return rc;
4744
4745         tsec = current->security;
4746         isec = msq->q_perm.security;
4747
4748         AVC_AUDIT_DATA_INIT(&ad, IPC);
4749         ad.u.ipc_id = msq->q_perm.key;
4750
4751         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4752                           MSGQ__CREATE, &ad);
4753         if (rc) {
4754                 ipc_free_security(&msq->q_perm);
4755                 return rc;
4756         }
4757         return 0;
4758 }
4759
4760 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4761 {
4762         ipc_free_security(&msq->q_perm);
4763 }
4764
4765 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4766 {
4767         struct task_security_struct *tsec;
4768         struct ipc_security_struct *isec;
4769         struct avc_audit_data ad;
4770
4771         tsec = current->security;
4772         isec = msq->q_perm.security;
4773
4774         AVC_AUDIT_DATA_INIT(&ad, IPC);
4775         ad.u.ipc_id = msq->q_perm.key;
4776
4777         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4778                             MSGQ__ASSOCIATE, &ad);
4779 }
4780
4781 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4782 {
4783         int err;
4784         int perms;
4785
4786         switch (cmd) {
4787         case IPC_INFO:
4788         case MSG_INFO:
4789                 /* No specific object, just general system-wide information. */
4790                 return task_has_system(current, SYSTEM__IPC_INFO);
4791         case IPC_STAT:
4792         case MSG_STAT:
4793                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4794                 break;
4795         case IPC_SET:
4796                 perms = MSGQ__SETATTR;
4797                 break;
4798         case IPC_RMID:
4799                 perms = MSGQ__DESTROY;
4800                 break;
4801         default:
4802                 return 0;
4803         }
4804
4805         err = ipc_has_perm(&msq->q_perm, perms);
4806         return err;
4807 }
4808
4809 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4810 {
4811         struct task_security_struct *tsec;
4812         struct ipc_security_struct *isec;
4813         struct msg_security_struct *msec;
4814         struct avc_audit_data ad;
4815         int rc;
4816
4817         tsec = current->security;
4818         isec = msq->q_perm.security;
4819         msec = msg->security;
4820
4821         /*
4822          * First time through, need to assign label to the message
4823          */
4824         if (msec->sid == SECINITSID_UNLABELED) {
4825                 /*
4826                  * Compute new sid based on current process and
4827                  * message queue this message will be stored in
4828                  */
4829                 rc = security_transition_sid(tsec->sid,
4830                                              isec->sid,
4831                                              SECCLASS_MSG,
4832                                              &msec->sid);
4833                 if (rc)
4834                         return rc;
4835         }
4836
4837         AVC_AUDIT_DATA_INIT(&ad, IPC);
4838         ad.u.ipc_id = msq->q_perm.key;
4839
4840         /* Can this process write to the queue? */
4841         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4842                           MSGQ__WRITE, &ad);
4843         if (!rc)
4844                 /* Can this process send the message */
4845                 rc = avc_has_perm(tsec->sid, msec->sid,
4846                                   SECCLASS_MSG, MSG__SEND, &ad);
4847         if (!rc)
4848                 /* Can the message be put in the queue? */
4849                 rc = avc_has_perm(msec->sid, isec->sid,
4850                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4851
4852         return rc;
4853 }
4854
4855 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4856                                     struct task_struct *target,
4857                                     long type, int mode)
4858 {
4859         struct task_security_struct *tsec;
4860         struct ipc_security_struct *isec;
4861         struct msg_security_struct *msec;
4862         struct avc_audit_data ad;
4863         int rc;
4864
4865         tsec = target->security;
4866         isec = msq->q_perm.security;
4867         msec = msg->security;
4868
4869         AVC_AUDIT_DATA_INIT(&ad, IPC);
4870         ad.u.ipc_id = msq->q_perm.key;
4871
4872         rc = avc_has_perm(tsec->sid, isec->sid,
4873                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4874         if (!rc)
4875                 rc = avc_has_perm(tsec->sid, msec->sid,
4876                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4877         return rc;
4878 }
4879
4880 /* Shared Memory security operations */
4881 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4882 {
4883         struct task_security_struct *tsec;
4884         struct ipc_security_struct *isec;
4885         struct avc_audit_data ad;
4886         int rc;
4887
4888         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4889         if (rc)
4890                 return rc;
4891
4892         tsec = current->security;
4893         isec = shp->shm_perm.security;
4894
4895         AVC_AUDIT_DATA_INIT(&ad, IPC);
4896         ad.u.ipc_id = shp->shm_perm.key;
4897
4898         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4899                           SHM__CREATE, &ad);
4900         if (rc) {
4901                 ipc_free_security(&shp->shm_perm);
4902                 return rc;
4903         }
4904         return 0;
4905 }
4906
4907 static void selinux_shm_free_security(struct shmid_kernel *shp)
4908 {
4909         ipc_free_security(&shp->shm_perm);
4910 }
4911
4912 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4913 {
4914         struct task_security_struct *tsec;
4915         struct ipc_security_struct *isec;
4916         struct avc_audit_data ad;
4917
4918         tsec = current->security;
4919         isec = shp->shm_perm.security;
4920
4921         AVC_AUDIT_DATA_INIT(&ad, IPC);
4922         ad.u.ipc_id = shp->shm_perm.key;
4923
4924         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4925                             SHM__ASSOCIATE, &ad);
4926 }
4927
4928 /* Note, at this point, shp is locked down */
4929 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4930 {
4931         int perms;
4932         int err;
4933
4934         switch (cmd) {
4935         case IPC_INFO:
4936         case SHM_INFO:
4937                 /* No specific object, just general system-wide information. */
4938                 return task_has_system(current, SYSTEM__IPC_INFO);
4939         case IPC_STAT:
4940         case SHM_STAT:
4941                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4942                 break;
4943         case IPC_SET:
4944                 perms = SHM__SETATTR;
4945                 break;
4946         case SHM_LOCK:
4947         case SHM_UNLOCK:
4948                 perms = SHM__LOCK;
4949                 break;
4950         case IPC_RMID:
4951                 perms = SHM__DESTROY;
4952                 break;
4953         default:
4954                 return 0;
4955         }
4956
4957         err = ipc_has_perm(&shp->shm_perm, perms);
4958         return err;
4959 }
4960
4961 static int selinux_shm_shmat(struct shmid_kernel *shp,
4962                              char __user *shmaddr, int shmflg)
4963 {
4964         u32 perms;
4965         int rc;
4966
4967         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4968         if (rc)
4969                 return rc;
4970
4971         if (shmflg & SHM_RDONLY)
4972                 perms = SHM__READ;
4973         else
4974                 perms = SHM__READ | SHM__WRITE;
4975
4976         return ipc_has_perm(&shp->shm_perm, perms);
4977 }
4978
4979 /* Semaphore security operations */
4980 static int selinux_sem_alloc_security(struct sem_array *sma)
4981 {
4982         struct task_security_struct *tsec;
4983         struct ipc_security_struct *isec;
4984         struct avc_audit_data ad;
4985         int rc;
4986
4987         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4988         if (rc)
4989                 return rc;
4990
4991         tsec = current->security;
4992         isec = sma->sem_perm.security;
4993
4994         AVC_AUDIT_DATA_INIT(&ad, IPC);
4995         ad.u.ipc_id = sma->sem_perm.key;
4996
4997         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4998                           SEM__CREATE, &ad);
4999         if (rc) {
5000                 ipc_free_security(&sma->sem_perm);
5001                 return rc;
5002         }
5003         return 0;
5004 }
5005
5006 static void selinux_sem_free_security(struct sem_array *sma)
5007 {
5008         ipc_free_security(&sma->sem_perm);
5009 }
5010
5011 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5012 {
5013         struct task_security_struct *tsec;
5014         struct ipc_security_struct *isec;
5015         struct avc_audit_data ad;
5016
5017         tsec = current->security;
5018         isec = sma->sem_perm.security;
5019
5020         AVC_AUDIT_DATA_INIT(&ad, IPC);
5021         ad.u.ipc_id = sma->sem_perm.key;
5022
5023         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5024                             SEM__ASSOCIATE, &ad);
5025 }
5026
5027 /* Note, at this point, sma is locked down */
5028 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5029 {
5030         int err;
5031         u32 perms;
5032
5033         switch (cmd) {
5034         case IPC_INFO:
5035         case SEM_INFO:
5036                 /* No specific object, just general system-wide information. */
5037                 return task_has_system(current, SYSTEM__IPC_INFO);
5038         case GETPID:
5039         case GETNCNT:
5040         case GETZCNT:
5041                 perms = SEM__GETATTR;
5042                 break;
5043         case GETVAL:
5044         case GETALL:
5045                 perms = SEM__READ;
5046                 break;
5047         case SETVAL:
5048         case SETALL:
5049                 perms = SEM__WRITE;
5050                 break;
5051         case IPC_RMID:
5052                 perms = SEM__DESTROY;
5053                 break;
5054         case IPC_SET:
5055                 perms = SEM__SETATTR;
5056                 break;
5057         case IPC_STAT:
5058         case SEM_STAT:
5059                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5060                 break;
5061         default:
5062                 return 0;
5063         }
5064
5065         err = ipc_has_perm(&sma->sem_perm, perms);
5066         return err;
5067 }
5068
5069 static int selinux_sem_semop(struct sem_array *sma,
5070                              struct sembuf *sops, unsigned nsops, int alter)
5071 {
5072         u32 perms;
5073
5074         if (alter)
5075                 perms = SEM__READ | SEM__WRITE;
5076         else
5077                 perms = SEM__READ;
5078
5079         return ipc_has_perm(&sma->sem_perm, perms);
5080 }
5081
5082 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5083 {
5084         u32 av = 0;
5085
5086         av = 0;
5087         if (flag & S_IRUGO)
5088                 av |= IPC__UNIX_READ;
5089         if (flag & S_IWUGO)
5090                 av |= IPC__UNIX_WRITE;
5091
5092         if (av == 0)
5093                 return 0;
5094
5095         return ipc_has_perm(ipcp, av);
5096 }
5097
5098 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5099 {
5100         struct ipc_security_struct *isec = ipcp->security;
5101         *secid = isec->sid;
5102 }
5103
5104 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5105 {
5106         if (inode)
5107                 inode_doinit_with_dentry(inode, dentry);
5108 }
5109
5110 static int selinux_getprocattr(struct task_struct *p,
5111                                char *name, char **value)
5112 {
5113         struct task_security_struct *tsec;
5114         u32 sid;
5115         int error;
5116         unsigned len;
5117
5118         if (current != p) {
5119                 error = task_has_perm(current, p, PROCESS__GETATTR);
5120                 if (error)
5121                         return error;
5122         }
5123
5124         tsec = p->security;
5125
5126         if (!strcmp(name, "current"))
5127                 sid = tsec->sid;
5128         else if (!strcmp(name, "prev"))
5129                 sid = tsec->osid;
5130         else if (!strcmp(name, "exec"))
5131                 sid = tsec->exec_sid;
5132         else if (!strcmp(name, "fscreate"))
5133                 sid = tsec->create_sid;
5134         else if (!strcmp(name, "keycreate"))
5135                 sid = tsec->keycreate_sid;
5136         else if (!strcmp(name, "sockcreate"))
5137                 sid = tsec->sockcreate_sid;
5138         else
5139                 return -EINVAL;
5140
5141         if (!sid)
5142                 return 0;
5143
5144         error = security_sid_to_context(sid, value, &len);
5145         if (error)
5146                 return error;
5147         return len;
5148 }
5149
5150 static int selinux_setprocattr(struct task_struct *p,
5151                                char *name, void *value, size_t size)
5152 {
5153         struct task_security_struct *tsec;
5154         struct task_struct *tracer;
5155         u32 sid = 0;
5156         int error;
5157         char *str = value;
5158
5159         if (current != p) {
5160                 /* SELinux only allows a process to change its own
5161                    security attributes. */
5162                 return -EACCES;
5163         }
5164
5165         /*
5166          * Basic control over ability to set these attributes at all.
5167          * current == p, but we'll pass them separately in case the
5168          * above restriction is ever removed.
5169          */
5170         if (!strcmp(name, "exec"))
5171                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5172         else if (!strcmp(name, "fscreate"))
5173                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5174         else if (!strcmp(name, "keycreate"))
5175                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5176         else if (!strcmp(name, "sockcreate"))
5177                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5178         else if (!strcmp(name, "current"))
5179                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5180         else
5181                 error = -EINVAL;
5182         if (error)
5183                 return error;
5184
5185         /* Obtain a SID for the context, if one was specified. */
5186         if (size && str[1] && str[1] != '\n') {
5187                 if (str[size-1] == '\n') {
5188                         str[size-1] = 0;
5189                         size--;
5190                 }
5191                 error = security_context_to_sid(value, size, &sid);
5192                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5193                         if (!capable(CAP_MAC_ADMIN))
5194                                 return error;
5195                         error = security_context_to_sid_force(value, size,
5196                                                               &sid);
5197                 }
5198                 if (error)
5199                         return error;
5200         }
5201
5202         /* Permission checking based on the specified context is
5203            performed during the actual operation (execve,
5204            open/mkdir/...), when we know the full context of the
5205            operation.  See selinux_bprm_set_security for the execve
5206            checks and may_create for the file creation checks. The
5207            operation will then fail if the context is not permitted. */
5208         tsec = p->security;
5209         if (!strcmp(name, "exec"))
5210                 tsec->exec_sid = sid;
5211         else if (!strcmp(name, "fscreate"))
5212                 tsec->create_sid = sid;
5213         else if (!strcmp(name, "keycreate")) {
5214                 error = may_create_key(sid, p);
5215                 if (error)
5216                         return error;
5217                 tsec->keycreate_sid = sid;
5218         } else if (!strcmp(name, "sockcreate"))
5219                 tsec->sockcreate_sid = sid;
5220         else if (!strcmp(name, "current")) {
5221                 struct av_decision avd;
5222
5223                 if (sid == 0)
5224                         return -EINVAL;
5225
5226                 /* Only allow single threaded processes to change context */
5227                 if (atomic_read(&p->mm->mm_users) != 1) {
5228                         struct task_struct *g, *t;
5229                         struct mm_struct *mm = p->mm;
5230                         read_lock(&tasklist_lock);
5231                         do_each_thread(g, t) {
5232                                 if (t->mm == mm && t != p) {
5233                                         read_unlock(&tasklist_lock);
5234                                         return -EPERM;
5235                                 }
5236                         } while_each_thread(g, t);
5237                         read_unlock(&tasklist_lock);
5238                 }
5239
5240                 /* Check permissions for the transition. */
5241                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5242                                      PROCESS__DYNTRANSITION, NULL);
5243                 if (error)
5244                         return error;
5245
5246                 /* Check for ptracing, and update the task SID if ok.
5247                    Otherwise, leave SID unchanged and fail. */
5248                 task_lock(p);
5249                 rcu_read_lock();
5250                 tracer = task_tracer_task(p);
5251                 if (tracer != NULL) {
5252                         struct task_security_struct *ptsec = tracer->security;
5253                         u32 ptsid = ptsec->sid;
5254                         rcu_read_unlock();
5255                         error = avc_has_perm_noaudit(ptsid, sid,
5256                                                      SECCLASS_PROCESS,
5257                                                      PROCESS__PTRACE, 0, &avd);
5258                         if (!error)
5259                                 tsec->sid = sid;
5260                         task_unlock(p);
5261                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5262                                   PROCESS__PTRACE, &avd, error, NULL);
5263                         if (error)
5264                                 return error;
5265                 } else {
5266                         rcu_read_unlock();
5267                         tsec->sid = sid;
5268                         task_unlock(p);
5269                 }
5270         } else
5271                 return -EINVAL;
5272
5273         return size;
5274 }
5275
5276 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5277 {
5278         return security_sid_to_context(secid, secdata, seclen);
5279 }
5280
5281 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5282 {
5283         return security_context_to_sid(secdata, seclen, secid);
5284 }
5285
5286 static void selinux_release_secctx(char *secdata, u32 seclen)
5287 {
5288         kfree(secdata);
5289 }
5290
5291 #ifdef CONFIG_KEYS
5292
5293 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5294                              unsigned long flags)
5295 {
5296         struct task_security_struct *tsec = tsk->security;
5297         struct key_security_struct *ksec;
5298
5299         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5300         if (!ksec)
5301                 return -ENOMEM;
5302
5303         if (tsec->keycreate_sid)
5304                 ksec->sid = tsec->keycreate_sid;
5305         else
5306                 ksec->sid = tsec->sid;
5307         k->security = ksec;
5308
5309         return 0;
5310 }
5311
5312 static void selinux_key_free(struct key *k)
5313 {
5314         struct key_security_struct *ksec = k->security;
5315
5316         k->security = NULL;
5317         kfree(ksec);
5318 }
5319
5320 static int selinux_key_permission(key_ref_t key_ref,
5321                             struct task_struct *ctx,
5322                             key_perm_t perm)
5323 {
5324         struct key *key;
5325         struct task_security_struct *tsec;
5326         struct key_security_struct *ksec;
5327
5328         key = key_ref_to_ptr(key_ref);
5329
5330         tsec = ctx->security;
5331         ksec = key->security;
5332
5333         /* if no specific permissions are requested, we skip the
5334            permission check. No serious, additional covert channels
5335            appear to be created. */
5336         if (perm == 0)
5337                 return 0;
5338
5339         return avc_has_perm(tsec->sid, ksec->sid,
5340                             SECCLASS_KEY, perm, NULL);
5341 }
5342
5343 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5344 {
5345         struct key_security_struct *ksec = key->security;
5346         char *context = NULL;
5347         unsigned len;
5348         int rc;
5349
5350         rc = security_sid_to_context(ksec->sid, &context, &len);
5351         if (!rc)
5352                 rc = len;
5353         *_buffer = context;
5354         return rc;
5355 }
5356
5357 #endif
5358
5359 static struct security_operations selinux_ops = {
5360         .name =                         "selinux",
5361
5362         .ptrace =                       selinux_ptrace,
5363         .capget =                       selinux_capget,
5364         .capset_check =                 selinux_capset_check,
5365         .capset_set =                   selinux_capset_set,
5366         .sysctl =                       selinux_sysctl,
5367         .capable =                      selinux_capable,
5368         .quotactl =                     selinux_quotactl,
5369         .quota_on =                     selinux_quota_on,
5370         .syslog =                       selinux_syslog,
5371         .vm_enough_memory =             selinux_vm_enough_memory,
5372
5373         .netlink_send =                 selinux_netlink_send,
5374         .netlink_recv =                 selinux_netlink_recv,
5375
5376         .bprm_alloc_security =          selinux_bprm_alloc_security,
5377         .bprm_free_security =           selinux_bprm_free_security,
5378         .bprm_apply_creds =             selinux_bprm_apply_creds,
5379         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5380         .bprm_set_security =            selinux_bprm_set_security,
5381         .bprm_check_security =          selinux_bprm_check_security,
5382         .bprm_secureexec =              selinux_bprm_secureexec,
5383
5384         .sb_alloc_security =            selinux_sb_alloc_security,
5385         .sb_free_security =             selinux_sb_free_security,
5386         .sb_copy_data =                 selinux_sb_copy_data,
5387         .sb_kern_mount =                selinux_sb_kern_mount,
5388         .sb_show_options =              selinux_sb_show_options,
5389         .sb_statfs =                    selinux_sb_statfs,
5390         .sb_mount =                     selinux_mount,
5391         .sb_umount =                    selinux_umount,
5392         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5393         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5394         .sb_parse_opts_str =            selinux_parse_opts_str,
5395
5396
5397         .inode_alloc_security =         selinux_inode_alloc_security,
5398         .inode_free_security =          selinux_inode_free_security,
5399         .inode_init_security =          selinux_inode_init_security,
5400         .inode_create =                 selinux_inode_create,
5401         .inode_link =                   selinux_inode_link,
5402         .inode_unlink =                 selinux_inode_unlink,
5403         .inode_symlink =                selinux_inode_symlink,
5404         .inode_mkdir =                  selinux_inode_mkdir,
5405         .inode_rmdir =                  selinux_inode_rmdir,
5406         .inode_mknod =                  selinux_inode_mknod,
5407         .inode_rename =                 selinux_inode_rename,
5408         .inode_readlink =               selinux_inode_readlink,
5409         .inode_follow_link =            selinux_inode_follow_link,
5410         .inode_permission =             selinux_inode_permission,
5411         .inode_setattr =                selinux_inode_setattr,
5412         .inode_getattr =                selinux_inode_getattr,
5413         .inode_setxattr =               selinux_inode_setxattr,
5414         .inode_post_setxattr =          selinux_inode_post_setxattr,
5415         .inode_getxattr =               selinux_inode_getxattr,
5416         .inode_listxattr =              selinux_inode_listxattr,
5417         .inode_removexattr =            selinux_inode_removexattr,
5418         .inode_getsecurity =            selinux_inode_getsecurity,
5419         .inode_setsecurity =            selinux_inode_setsecurity,
5420         .inode_listsecurity =           selinux_inode_listsecurity,
5421         .inode_need_killpriv =          selinux_inode_need_killpriv,
5422         .inode_killpriv =               selinux_inode_killpriv,
5423         .inode_getsecid =               selinux_inode_getsecid,
5424
5425         .file_permission =              selinux_file_permission,
5426         .file_alloc_security =          selinux_file_alloc_security,
5427         .file_free_security =           selinux_file_free_security,
5428         .file_ioctl =                   selinux_file_ioctl,
5429         .file_mmap =                    selinux_file_mmap,
5430         .file_mprotect =                selinux_file_mprotect,
5431         .file_lock =                    selinux_file_lock,
5432         .file_fcntl =                   selinux_file_fcntl,
5433         .file_set_fowner =              selinux_file_set_fowner,
5434         .file_send_sigiotask =          selinux_file_send_sigiotask,
5435         .file_receive =                 selinux_file_receive,
5436
5437         .dentry_open =                  selinux_dentry_open,
5438
5439         .task_create =                  selinux_task_create,
5440         .task_alloc_security =          selinux_task_alloc_security,
5441         .task_free_security =           selinux_task_free_security,
5442         .task_setuid =                  selinux_task_setuid,
5443         .task_post_setuid =             selinux_task_post_setuid,
5444         .task_setgid =                  selinux_task_setgid,
5445         .task_setpgid =                 selinux_task_setpgid,
5446         .task_getpgid =                 selinux_task_getpgid,
5447         .task_getsid =                  selinux_task_getsid,
5448         .task_getsecid =                selinux_task_getsecid,
5449         .task_setgroups =               selinux_task_setgroups,
5450         .task_setnice =                 selinux_task_setnice,
5451         .task_setioprio =               selinux_task_setioprio,
5452         .task_getioprio =               selinux_task_getioprio,
5453         .task_setrlimit =               selinux_task_setrlimit,
5454         .task_setscheduler =            selinux_task_setscheduler,
5455         .task_getscheduler =            selinux_task_getscheduler,
5456         .task_movememory =              selinux_task_movememory,
5457         .task_kill =                    selinux_task_kill,
5458         .task_wait =                    selinux_task_wait,
5459         .task_prctl =                   selinux_task_prctl,
5460         .task_reparent_to_init =        selinux_task_reparent_to_init,
5461         .task_to_inode =                selinux_task_to_inode,
5462
5463         .ipc_permission =               selinux_ipc_permission,
5464         .ipc_getsecid =                 selinux_ipc_getsecid,
5465
5466         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5467         .msg_msg_free_security =        selinux_msg_msg_free_security,
5468
5469         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5470         .msg_queue_free_security =      selinux_msg_queue_free_security,
5471         .msg_queue_associate =          selinux_msg_queue_associate,
5472         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5473         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5474         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5475
5476         .shm_alloc_security =           selinux_shm_alloc_security,
5477         .shm_free_security =            selinux_shm_free_security,
5478         .shm_associate =                selinux_shm_associate,
5479         .shm_shmctl =                   selinux_shm_shmctl,
5480         .shm_shmat =                    selinux_shm_shmat,
5481
5482         .sem_alloc_security =           selinux_sem_alloc_security,
5483         .sem_free_security =            selinux_sem_free_security,
5484         .sem_associate =                selinux_sem_associate,
5485         .sem_semctl =                   selinux_sem_semctl,
5486         .sem_semop =                    selinux_sem_semop,
5487
5488         .d_instantiate =                selinux_d_instantiate,
5489
5490         .getprocattr =                  selinux_getprocattr,
5491         .setprocattr =                  selinux_setprocattr,
5492
5493         .secid_to_secctx =              selinux_secid_to_secctx,
5494         .secctx_to_secid =              selinux_secctx_to_secid,
5495         .release_secctx =               selinux_release_secctx,
5496
5497         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5498         .unix_may_send =                selinux_socket_unix_may_send,
5499
5500         .socket_create =                selinux_socket_create,
5501         .socket_post_create =           selinux_socket_post_create,
5502         .socket_bind =                  selinux_socket_bind,
5503         .socket_connect =               selinux_socket_connect,
5504         .socket_listen =                selinux_socket_listen,
5505         .socket_accept =                selinux_socket_accept,
5506         .socket_sendmsg =               selinux_socket_sendmsg,
5507         .socket_recvmsg =               selinux_socket_recvmsg,
5508         .socket_getsockname =           selinux_socket_getsockname,
5509         .socket_getpeername =           selinux_socket_getpeername,
5510         .socket_getsockopt =            selinux_socket_getsockopt,
5511         .socket_setsockopt =            selinux_socket_setsockopt,
5512         .socket_shutdown =              selinux_socket_shutdown,
5513         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5514         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5515         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5516         .sk_alloc_security =            selinux_sk_alloc_security,
5517         .sk_free_security =             selinux_sk_free_security,
5518         .sk_clone_security =            selinux_sk_clone_security,
5519         .sk_getsecid =                  selinux_sk_getsecid,
5520         .sock_graft =                   selinux_sock_graft,
5521         .inet_conn_request =            selinux_inet_conn_request,
5522         .inet_csk_clone =               selinux_inet_csk_clone,
5523         .inet_conn_established =        selinux_inet_conn_established,
5524         .req_classify_flow =            selinux_req_classify_flow,
5525
5526 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5527         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5528         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5529         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5530         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5531         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5532         .xfrm_state_free_security =     selinux_xfrm_state_free,
5533         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5534         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5535         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5536         .xfrm_decode_session =          selinux_xfrm_decode_session,
5537 #endif
5538
5539 #ifdef CONFIG_KEYS
5540         .key_alloc =                    selinux_key_alloc,
5541         .key_free =                     selinux_key_free,
5542         .key_permission =               selinux_key_permission,
5543         .key_getsecurity =              selinux_key_getsecurity,
5544 #endif
5545
5546 #ifdef CONFIG_AUDIT
5547         .audit_rule_init =              selinux_audit_rule_init,
5548         .audit_rule_known =             selinux_audit_rule_known,
5549         .audit_rule_match =             selinux_audit_rule_match,
5550         .audit_rule_free =              selinux_audit_rule_free,
5551 #endif
5552 };
5553
5554 static __init int selinux_init(void)
5555 {
5556         struct task_security_struct *tsec;
5557
5558         if (!security_module_enable(&selinux_ops)) {
5559                 selinux_enabled = 0;
5560                 return 0;
5561         }
5562
5563         if (!selinux_enabled) {
5564                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5565                 return 0;
5566         }
5567
5568         printk(KERN_INFO "SELinux:  Initializing.\n");
5569
5570         /* Set the security state for the initial task. */
5571         if (task_alloc_security(current))
5572                 panic("SELinux:  Failed to initialize initial task.\n");
5573         tsec = current->security;
5574         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5575
5576         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5577                                             sizeof(struct inode_security_struct),
5578                                             0, SLAB_PANIC, NULL);
5579         avc_init();
5580
5581         secondary_ops = security_ops;
5582         if (!secondary_ops)
5583                 panic("SELinux: No initial security operations\n");
5584         if (register_security(&selinux_ops))
5585                 panic("SELinux: Unable to register with kernel.\n");
5586
5587         if (selinux_enforcing)
5588                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5589         else
5590                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5591
5592         return 0;
5593 }
5594
5595 void selinux_complete_init(void)
5596 {
5597         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5598
5599         /* Set up any superblocks initialized prior to the policy load. */
5600         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5601         spin_lock(&sb_lock);
5602         spin_lock(&sb_security_lock);
5603 next_sb:
5604         if (!list_empty(&superblock_security_head)) {
5605                 struct superblock_security_struct *sbsec =
5606                                 list_entry(superblock_security_head.next,
5607                                            struct superblock_security_struct,
5608                                            list);
5609                 struct super_block *sb = sbsec->sb;
5610                 sb->s_count++;
5611                 spin_unlock(&sb_security_lock);
5612                 spin_unlock(&sb_lock);
5613                 down_read(&sb->s_umount);
5614                 if (sb->s_root)
5615                         superblock_doinit(sb, NULL);
5616                 drop_super(sb);
5617                 spin_lock(&sb_lock);
5618                 spin_lock(&sb_security_lock);
5619                 list_del_init(&sbsec->list);
5620                 goto next_sb;
5621         }
5622         spin_unlock(&sb_security_lock);
5623         spin_unlock(&sb_lock);
5624 }
5625
5626 /* SELinux requires early initialization in order to label
5627    all processes and objects when they are created. */
5628 security_initcall(selinux_init);
5629
5630 #if defined(CONFIG_NETFILTER)
5631
5632 static struct nf_hook_ops selinux_ipv4_ops[] = {
5633         {
5634                 .hook =         selinux_ipv4_postroute,
5635                 .owner =        THIS_MODULE,
5636                 .pf =           PF_INET,
5637                 .hooknum =      NF_INET_POST_ROUTING,
5638                 .priority =     NF_IP_PRI_SELINUX_LAST,
5639         },
5640         {
5641                 .hook =         selinux_ipv4_forward,
5642                 .owner =        THIS_MODULE,
5643                 .pf =           PF_INET,
5644                 .hooknum =      NF_INET_FORWARD,
5645                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5646         }
5647 };
5648
5649 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5650
5651 static struct nf_hook_ops selinux_ipv6_ops[] = {
5652         {
5653                 .hook =         selinux_ipv6_postroute,
5654                 .owner =        THIS_MODULE,
5655                 .pf =           PF_INET6,
5656                 .hooknum =      NF_INET_POST_ROUTING,
5657                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5658         },
5659         {
5660                 .hook =         selinux_ipv6_forward,
5661                 .owner =        THIS_MODULE,
5662                 .pf =           PF_INET6,
5663                 .hooknum =      NF_INET_FORWARD,
5664                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5665         }
5666 };
5667
5668 #endif  /* IPV6 */
5669
5670 static int __init selinux_nf_ip_init(void)
5671 {
5672         int err = 0;
5673         u32 iter;
5674
5675         if (!selinux_enabled)
5676                 goto out;
5677
5678         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5679
5680         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5681                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5682                 if (err)
5683                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5684                               err);
5685         }
5686
5687 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5688         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5689                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5690                 if (err)
5691                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5692                               err);
5693         }
5694 #endif  /* IPV6 */
5695
5696 out:
5697         return err;
5698 }
5699
5700 __initcall(selinux_nf_ip_init);
5701
5702 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5703 static void selinux_nf_ip_exit(void)
5704 {
5705         u32 iter;
5706
5707         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5708
5709         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5710                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5711 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5712         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5713                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5714 #endif  /* IPV6 */
5715 }
5716 #endif
5717
5718 #else /* CONFIG_NETFILTER */
5719
5720 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5721 #define selinux_nf_ip_exit()
5722 #endif
5723
5724 #endif /* CONFIG_NETFILTER */
5725
5726 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5727 static int selinux_disabled;
5728
5729 int selinux_disable(void)
5730 {
5731         extern void exit_sel_fs(void);
5732
5733         if (ss_initialized) {
5734                 /* Not permitted after initial policy load. */
5735                 return -EINVAL;
5736         }
5737
5738         if (selinux_disabled) {
5739                 /* Only do this once. */
5740                 return -EINVAL;
5741         }
5742
5743         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5744
5745         selinux_disabled = 1;
5746         selinux_enabled = 0;
5747
5748         /* Reset security_ops to the secondary module, dummy or capability. */
5749         security_ops = secondary_ops;
5750
5751         /* Unregister netfilter hooks. */
5752         selinux_nf_ip_exit();
5753
5754         /* Unregister selinuxfs. */
5755         exit_sel_fs();
5756
5757         return 0;
5758 }
5759 #endif