Merge git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc-merge
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 /* Allocate and free functions for each kind of security blob. */
121
122 static int task_alloc_security(struct task_struct *task)
123 {
124         struct task_security_struct *tsec;
125
126         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
127         if (!tsec)
128                 return -ENOMEM;
129
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         fsec->magic = SELINUX_MAGIC;
200         fsec->file = file;
201         if (tsec && tsec->magic == SELINUX_MAGIC) {
202                 fsec->sid = tsec->sid;
203                 fsec->fown_sid = tsec->sid;
204         } else {
205                 fsec->sid = SECINITSID_UNLABELED;
206                 fsec->fown_sid = SECINITSID_UNLABELED;
207         }
208         file->f_security = fsec;
209
210         return 0;
211 }
212
213 static void file_free_security(struct file *file)
214 {
215         struct file_security_struct *fsec = file->f_security;
216
217         if (!fsec || fsec->magic != SELINUX_MAGIC)
218                 return;
219
220         file->f_security = NULL;
221         kfree(fsec);
222 }
223
224 static int superblock_alloc_security(struct super_block *sb)
225 {
226         struct superblock_security_struct *sbsec;
227
228         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229         if (!sbsec)
230                 return -ENOMEM;
231
232         init_MUTEX(&sbsec->sem);
233         INIT_LIST_HEAD(&sbsec->list);
234         INIT_LIST_HEAD(&sbsec->isec_head);
235         spin_lock_init(&sbsec->isec_lock);
236         sbsec->magic = SELINUX_MAGIC;
237         sbsec->sb = sb;
238         sbsec->sid = SECINITSID_UNLABELED;
239         sbsec->def_sid = SECINITSID_FILE;
240         sb->s_security = sbsec;
241
242         return 0;
243 }
244
245 static void superblock_free_security(struct super_block *sb)
246 {
247         struct superblock_security_struct *sbsec = sb->s_security;
248
249         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250                 return;
251
252         spin_lock(&sb_security_lock);
253         if (!list_empty(&sbsec->list))
254                 list_del_init(&sbsec->list);
255         spin_unlock(&sb_security_lock);
256
257         sb->s_security = NULL;
258         kfree(sbsec);
259 }
260
261 #ifdef CONFIG_SECURITY_NETWORK
262 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
263 {
264         struct sk_security_struct *ssec;
265
266         if (family != PF_UNIX)
267                 return 0;
268
269         ssec = kzalloc(sizeof(*ssec), priority);
270         if (!ssec)
271                 return -ENOMEM;
272
273         ssec->magic = SELINUX_MAGIC;
274         ssec->sk = sk;
275         ssec->peer_sid = SECINITSID_UNLABELED;
276         sk->sk_security = ssec;
277
278         return 0;
279 }
280
281 static void sk_free_security(struct sock *sk)
282 {
283         struct sk_security_struct *ssec = sk->sk_security;
284
285         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
286                 return;
287
288         sk->sk_security = NULL;
289         kfree(ssec);
290 }
291 #endif  /* CONFIG_SECURITY_NETWORK */
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_context = 1,
317         Opt_fscontext = 2,
318         Opt_defcontext = 4,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325 };
326
327 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
328
329 static int try_context_mount(struct super_block *sb, void *data)
330 {
331         char *context = NULL, *defcontext = NULL;
332         const char *name;
333         u32 sid;
334         int alloc = 0, rc = 0, seen = 0;
335         struct task_security_struct *tsec = current->security;
336         struct superblock_security_struct *sbsec = sb->s_security;
337
338         if (!data)
339                 goto out;
340
341         name = sb->s_type->name;
342
343         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344
345                 /* NFS we understand. */
346                 if (!strcmp(name, "nfs")) {
347                         struct nfs_mount_data *d = data;
348
349                         if (d->version <  NFS_MOUNT_VERSION)
350                                 goto out;
351
352                         if (d->context[0]) {
353                                 context = d->context;
354                                 seen |= Opt_context;
355                         }
356                 } else
357                         goto out;
358
359         } else {
360                 /* Standard string-based options. */
361                 char *p, *options = data;
362
363                 while ((p = strsep(&options, ",")) != NULL) {
364                         int token;
365                         substring_t args[MAX_OPT_ARGS];
366
367                         if (!*p)
368                                 continue;
369
370                         token = match_token(p, tokens, args);
371
372                         switch (token) {
373                         case Opt_context:
374                                 if (seen) {
375                                         rc = -EINVAL;
376                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377                                         goto out_free;
378                                 }
379                                 context = match_strdup(&args[0]);
380                                 if (!context) {
381                                         rc = -ENOMEM;
382                                         goto out_free;
383                                 }
384                                 if (!alloc)
385                                         alloc = 1;
386                                 seen |= Opt_context;
387                                 break;
388
389                         case Opt_fscontext:
390                                 if (seen & (Opt_context|Opt_fscontext)) {
391                                         rc = -EINVAL;
392                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
393                                         goto out_free;
394                                 }
395                                 context = match_strdup(&args[0]);
396                                 if (!context) {
397                                         rc = -ENOMEM;
398                                         goto out_free;
399                                 }
400                                 if (!alloc)
401                                         alloc = 1;
402                                 seen |= Opt_fscontext;
403                                 break;
404
405                         case Opt_defcontext:
406                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
407                                         rc = -EINVAL;
408                                         printk(KERN_WARNING "SELinux:  "
409                                                "defcontext option is invalid "
410                                                "for this filesystem type\n");
411                                         goto out_free;
412                                 }
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 defcontext = match_strdup(&args[0]);
419                                 if (!defcontext) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_defcontext;
426                                 break;
427
428                         default:
429                                 rc = -EINVAL;
430                                 printk(KERN_WARNING "SELinux:  unknown mount "
431                                        "option\n");
432                                 goto out_free;
433
434                         }
435                 }
436         }
437
438         if (!seen)
439                 goto out;
440
441         if (context) {
442                 rc = security_context_to_sid(context, strlen(context), &sid);
443                 if (rc) {
444                         printk(KERN_WARNING "SELinux: security_context_to_sid"
445                                "(%s) failed for (dev %s, type %s) errno=%d\n",
446                                context, sb->s_id, name, rc);
447                         goto out_free;
448                 }
449
450                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
451                                   FILESYSTEM__RELABELFROM, NULL);
452                 if (rc)
453                         goto out_free;
454
455                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
456                                   FILESYSTEM__RELABELTO, NULL);
457                 if (rc)
458                         goto out_free;
459
460                 sbsec->sid = sid;
461
462                 if (seen & Opt_context)
463                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
464         }
465
466         if (defcontext) {
467                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
468                 if (rc) {
469                         printk(KERN_WARNING "SELinux: security_context_to_sid"
470                                "(%s) failed for (dev %s, type %s) errno=%d\n",
471                                defcontext, sb->s_id, name, rc);
472                         goto out_free;
473                 }
474
475                 if (sid == sbsec->def_sid)
476                         goto out_free;
477
478                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
479                                   FILESYSTEM__RELABELFROM, NULL);
480                 if (rc)
481                         goto out_free;
482
483                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
484                                   FILESYSTEM__ASSOCIATE, NULL);
485                 if (rc)
486                         goto out_free;
487
488                 sbsec->def_sid = sid;
489         }
490
491 out_free:
492         if (alloc) {
493                 kfree(context);
494                 kfree(defcontext);
495         }
496 out:
497         return rc;
498 }
499
500 static int superblock_doinit(struct super_block *sb, void *data)
501 {
502         struct superblock_security_struct *sbsec = sb->s_security;
503         struct dentry *root = sb->s_root;
504         struct inode *inode = root->d_inode;
505         int rc = 0;
506
507         down(&sbsec->sem);
508         if (sbsec->initialized)
509                 goto out;
510
511         if (!ss_initialized) {
512                 /* Defer initialization until selinux_complete_init,
513                    after the initial policy is loaded and the security
514                    server is ready to handle calls. */
515                 spin_lock(&sb_security_lock);
516                 if (list_empty(&sbsec->list))
517                         list_add(&sbsec->list, &superblock_security_head);
518                 spin_unlock(&sb_security_lock);
519                 goto out;
520         }
521
522         /* Determine the labeling behavior to use for this filesystem type. */
523         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
524         if (rc) {
525                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
526                        __FUNCTION__, sb->s_type->name, rc);
527                 goto out;
528         }
529
530         rc = try_context_mount(sb, data);
531         if (rc)
532                 goto out;
533
534         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
535                 /* Make sure that the xattr handler exists and that no
536                    error other than -ENODATA is returned by getxattr on
537                    the root directory.  -ENODATA is ok, as this may be
538                    the first boot of the SELinux kernel before we have
539                    assigned xattr values to the filesystem. */
540                 if (!inode->i_op->getxattr) {
541                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
542                                "xattr support\n", sb->s_id, sb->s_type->name);
543                         rc = -EOPNOTSUPP;
544                         goto out;
545                 }
546                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
547                 if (rc < 0 && rc != -ENODATA) {
548                         if (rc == -EOPNOTSUPP)
549                                 printk(KERN_WARNING "SELinux: (dev %s, type "
550                                        "%s) has no security xattr handler\n",
551                                        sb->s_id, sb->s_type->name);
552                         else
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) getxattr errno %d\n", sb->s_id,
555                                        sb->s_type->name, -rc);
556                         goto out;
557                 }
558         }
559
560         if (strcmp(sb->s_type->name, "proc") == 0)
561                 sbsec->proc = 1;
562
563         sbsec->initialized = 1;
564
565         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
566                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
567                        sb->s_id, sb->s_type->name);
568         }
569         else {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
571                        sb->s_id, sb->s_type->name,
572                        labeling_behaviors[sbsec->behavior-1]);
573         }
574
575         /* Initialize the root inode. */
576         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
577
578         /* Initialize any other inodes associated with the superblock, e.g.
579            inodes created prior to initial policy load or inodes created
580            during get_sb by a pseudo filesystem that directly
581            populates itself. */
582         spin_lock(&sbsec->isec_lock);
583 next_inode:
584         if (!list_empty(&sbsec->isec_head)) {
585                 struct inode_security_struct *isec =
586                                 list_entry(sbsec->isec_head.next,
587                                            struct inode_security_struct, list);
588                 struct inode *inode = isec->inode;
589                 spin_unlock(&sbsec->isec_lock);
590                 inode = igrab(inode);
591                 if (inode) {
592                         if (!IS_PRIVATE (inode))
593                                 inode_doinit(inode);
594                         iput(inode);
595                 }
596                 spin_lock(&sbsec->isec_lock);
597                 list_del_init(&isec->list);
598                 goto next_inode;
599         }
600         spin_unlock(&sbsec->isec_lock);
601 out:
602         up(&sbsec->sem);
603         return rc;
604 }
605
606 static inline u16 inode_mode_to_security_class(umode_t mode)
607 {
608         switch (mode & S_IFMT) {
609         case S_IFSOCK:
610                 return SECCLASS_SOCK_FILE;
611         case S_IFLNK:
612                 return SECCLASS_LNK_FILE;
613         case S_IFREG:
614                 return SECCLASS_FILE;
615         case S_IFBLK:
616                 return SECCLASS_BLK_FILE;
617         case S_IFDIR:
618                 return SECCLASS_DIR;
619         case S_IFCHR:
620                 return SECCLASS_CHR_FILE;
621         case S_IFIFO:
622                 return SECCLASS_FIFO_FILE;
623
624         }
625
626         return SECCLASS_FILE;
627 }
628
629 static inline int default_protocol_stream(int protocol)
630 {
631         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
632 }
633
634 static inline int default_protocol_dgram(int protocol)
635 {
636         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
637 }
638
639 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 {
641         switch (family) {
642         case PF_UNIX:
643                 switch (type) {
644                 case SOCK_STREAM:
645                 case SOCK_SEQPACKET:
646                         return SECCLASS_UNIX_STREAM_SOCKET;
647                 case SOCK_DGRAM:
648                         return SECCLASS_UNIX_DGRAM_SOCKET;
649                 }
650                 break;
651         case PF_INET:
652         case PF_INET6:
653                 switch (type) {
654                 case SOCK_STREAM:
655                         if (default_protocol_stream(protocol))
656                                 return SECCLASS_TCP_SOCKET;
657                         else
658                                 return SECCLASS_RAWIP_SOCKET;
659                 case SOCK_DGRAM:
660                         if (default_protocol_dgram(protocol))
661                                 return SECCLASS_UDP_SOCKET;
662                         else
663                                 return SECCLASS_RAWIP_SOCKET;
664                 default:
665                         return SECCLASS_RAWIP_SOCKET;
666                 }
667                 break;
668         case PF_NETLINK:
669                 switch (protocol) {
670                 case NETLINK_ROUTE:
671                         return SECCLASS_NETLINK_ROUTE_SOCKET;
672                 case NETLINK_FIREWALL:
673                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
674                 case NETLINK_INET_DIAG:
675                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
676                 case NETLINK_NFLOG:
677                         return SECCLASS_NETLINK_NFLOG_SOCKET;
678                 case NETLINK_XFRM:
679                         return SECCLASS_NETLINK_XFRM_SOCKET;
680                 case NETLINK_SELINUX:
681                         return SECCLASS_NETLINK_SELINUX_SOCKET;
682                 case NETLINK_AUDIT:
683                         return SECCLASS_NETLINK_AUDIT_SOCKET;
684                 case NETLINK_IP6_FW:
685                         return SECCLASS_NETLINK_IP6FW_SOCKET;
686                 case NETLINK_DNRTMSG:
687                         return SECCLASS_NETLINK_DNRT_SOCKET;
688                 case NETLINK_KOBJECT_UEVENT:
689                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
690                 default:
691                         return SECCLASS_NETLINK_SOCKET;
692                 }
693         case PF_PACKET:
694                 return SECCLASS_PACKET_SOCKET;
695         case PF_KEY:
696                 return SECCLASS_KEY_SOCKET;
697         }
698
699         return SECCLASS_SOCKET;
700 }
701
702 #ifdef CONFIG_PROC_FS
703 static int selinux_proc_get_sid(struct proc_dir_entry *de,
704                                 u16 tclass,
705                                 u32 *sid)
706 {
707         int buflen, rc;
708         char *buffer, *path, *end;
709
710         buffer = (char*)__get_free_page(GFP_KERNEL);
711         if (!buffer)
712                 return -ENOMEM;
713
714         buflen = PAGE_SIZE;
715         end = buffer+buflen;
716         *--end = '\0';
717         buflen--;
718         path = end-1;
719         *path = '/';
720         while (de && de != de->parent) {
721                 buflen -= de->namelen + 1;
722                 if (buflen < 0)
723                         break;
724                 end -= de->namelen;
725                 memcpy(end, de->name, de->namelen);
726                 *--end = '/';
727                 path = end;
728                 de = de->parent;
729         }
730         rc = security_genfs_sid("proc", path, tclass, sid);
731         free_page((unsigned long)buffer);
732         return rc;
733 }
734 #else
735 static int selinux_proc_get_sid(struct proc_dir_entry *de,
736                                 u16 tclass,
737                                 u32 *sid)
738 {
739         return -EINVAL;
740 }
741 #endif
742
743 /* The inode's security attributes must be initialized before first use. */
744 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
745 {
746         struct superblock_security_struct *sbsec = NULL;
747         struct inode_security_struct *isec = inode->i_security;
748         u32 sid;
749         struct dentry *dentry;
750 #define INITCONTEXTLEN 255
751         char *context = NULL;
752         unsigned len = 0;
753         int rc = 0;
754         int hold_sem = 0;
755
756         if (isec->initialized)
757                 goto out;
758
759         down(&isec->sem);
760         hold_sem = 1;
761         if (isec->initialized)
762                 goto out;
763
764         sbsec = inode->i_sb->s_security;
765         if (!sbsec->initialized) {
766                 /* Defer initialization until selinux_complete_init,
767                    after the initial policy is loaded and the security
768                    server is ready to handle calls. */
769                 spin_lock(&sbsec->isec_lock);
770                 if (list_empty(&isec->list))
771                         list_add(&isec->list, &sbsec->isec_head);
772                 spin_unlock(&sbsec->isec_lock);
773                 goto out;
774         }
775
776         switch (sbsec->behavior) {
777         case SECURITY_FS_USE_XATTR:
778                 if (!inode->i_op->getxattr) {
779                         isec->sid = sbsec->def_sid;
780                         break;
781                 }
782
783                 /* Need a dentry, since the xattr API requires one.
784                    Life would be simpler if we could just pass the inode. */
785                 if (opt_dentry) {
786                         /* Called from d_instantiate or d_splice_alias. */
787                         dentry = dget(opt_dentry);
788                 } else {
789                         /* Called from selinux_complete_init, try to find a dentry. */
790                         dentry = d_find_alias(inode);
791                 }
792                 if (!dentry) {
793                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
794                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
795                                inode->i_ino);
796                         goto out;
797                 }
798
799                 len = INITCONTEXTLEN;
800                 context = kmalloc(len, GFP_KERNEL);
801                 if (!context) {
802                         rc = -ENOMEM;
803                         dput(dentry);
804                         goto out;
805                 }
806                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
807                                            context, len);
808                 if (rc == -ERANGE) {
809                         /* Need a larger buffer.  Query for the right size. */
810                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
811                                                    NULL, 0);
812                         if (rc < 0) {
813                                 dput(dentry);
814                                 goto out;
815                         }
816                         kfree(context);
817                         len = rc;
818                         context = kmalloc(len, GFP_KERNEL);
819                         if (!context) {
820                                 rc = -ENOMEM;
821                                 dput(dentry);
822                                 goto out;
823                         }
824                         rc = inode->i_op->getxattr(dentry,
825                                                    XATTR_NAME_SELINUX,
826                                                    context, len);
827                 }
828                 dput(dentry);
829                 if (rc < 0) {
830                         if (rc != -ENODATA) {
831                                 printk(KERN_WARNING "%s:  getxattr returned "
832                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
833                                        -rc, inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 goto out;
836                         }
837                         /* Map ENODATA to the default file SID */
838                         sid = sbsec->def_sid;
839                         rc = 0;
840                 } else {
841                         rc = security_context_to_sid_default(context, rc, &sid,
842                                                              sbsec->def_sid);
843                         if (rc) {
844                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
845                                        "returned %d for dev=%s ino=%ld\n",
846                                        __FUNCTION__, context, -rc,
847                                        inode->i_sb->s_id, inode->i_ino);
848                                 kfree(context);
849                                 /* Leave with the unlabeled SID */
850                                 rc = 0;
851                                 break;
852                         }
853                 }
854                 kfree(context);
855                 isec->sid = sid;
856                 break;
857         case SECURITY_FS_USE_TASK:
858                 isec->sid = isec->task_sid;
859                 break;
860         case SECURITY_FS_USE_TRANS:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 /* Try to obtain a transition SID. */
865                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866                 rc = security_transition_sid(isec->task_sid,
867                                              sbsec->sid,
868                                              isec->sclass,
869                                              &sid);
870                 if (rc)
871                         goto out;
872                 isec->sid = sid;
873                 break;
874         default:
875                 /* Default to the fs SID. */
876                 isec->sid = sbsec->sid;
877
878                 if (sbsec->proc) {
879                         struct proc_inode *proci = PROC_I(inode);
880                         if (proci->pde) {
881                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882                                 rc = selinux_proc_get_sid(proci->pde,
883                                                           isec->sclass,
884                                                           &sid);
885                                 if (rc)
886                                         goto out;
887                                 isec->sid = sid;
888                         }
889                 }
890                 break;
891         }
892
893         isec->initialized = 1;
894
895 out:
896         if (isec->sclass == SECCLASS_FILE)
897                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
898
899         if (hold_sem)
900                 up(&isec->sem);
901         return rc;
902 }
903
904 /* Convert a Linux signal to an access vector. */
905 static inline u32 signal_to_av(int sig)
906 {
907         u32 perm = 0;
908
909         switch (sig) {
910         case SIGCHLD:
911                 /* Commonly granted from child to parent. */
912                 perm = PROCESS__SIGCHLD;
913                 break;
914         case SIGKILL:
915                 /* Cannot be caught or ignored */
916                 perm = PROCESS__SIGKILL;
917                 break;
918         case SIGSTOP:
919                 /* Cannot be caught or ignored */
920                 perm = PROCESS__SIGSTOP;
921                 break;
922         default:
923                 /* All other signals. */
924                 perm = PROCESS__SIGNAL;
925                 break;
926         }
927
928         return perm;
929 }
930
931 /* Check permission betweeen a pair of tasks, e.g. signal checks,
932    fork check, ptrace check, etc. */
933 static int task_has_perm(struct task_struct *tsk1,
934                          struct task_struct *tsk2,
935                          u32 perms)
936 {
937         struct task_security_struct *tsec1, *tsec2;
938
939         tsec1 = tsk1->security;
940         tsec2 = tsk2->security;
941         return avc_has_perm(tsec1->sid, tsec2->sid,
942                             SECCLASS_PROCESS, perms, NULL);
943 }
944
945 /* Check whether a task is allowed to use a capability. */
946 static int task_has_capability(struct task_struct *tsk,
947                                int cap)
948 {
949         struct task_security_struct *tsec;
950         struct avc_audit_data ad;
951
952         tsec = tsk->security;
953
954         AVC_AUDIT_DATA_INIT(&ad,CAP);
955         ad.tsk = tsk;
956         ad.u.cap = cap;
957
958         return avc_has_perm(tsec->sid, tsec->sid,
959                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
960 }
961
962 /* Check whether a task is allowed to use a system operation. */
963 static int task_has_system(struct task_struct *tsk,
964                            u32 perms)
965 {
966         struct task_security_struct *tsec;
967
968         tsec = tsk->security;
969
970         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
971                             SECCLASS_SYSTEM, perms, NULL);
972 }
973
974 /* Check whether a task has a particular permission to an inode.
975    The 'adp' parameter is optional and allows other audit
976    data to be passed (e.g. the dentry). */
977 static int inode_has_perm(struct task_struct *tsk,
978                           struct inode *inode,
979                           u32 perms,
980                           struct avc_audit_data *adp)
981 {
982         struct task_security_struct *tsec;
983         struct inode_security_struct *isec;
984         struct avc_audit_data ad;
985
986         tsec = tsk->security;
987         isec = inode->i_security;
988
989         if (!adp) {
990                 adp = &ad;
991                 AVC_AUDIT_DATA_INIT(&ad, FS);
992                 ad.u.fs.inode = inode;
993         }
994
995         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
996 }
997
998 /* Same as inode_has_perm, but pass explicit audit data containing
999    the dentry to help the auditing code to more easily generate the
1000    pathname if needed. */
1001 static inline int dentry_has_perm(struct task_struct *tsk,
1002                                   struct vfsmount *mnt,
1003                                   struct dentry *dentry,
1004                                   u32 av)
1005 {
1006         struct inode *inode = dentry->d_inode;
1007         struct avc_audit_data ad;
1008         AVC_AUDIT_DATA_INIT(&ad,FS);
1009         ad.u.fs.mnt = mnt;
1010         ad.u.fs.dentry = dentry;
1011         return inode_has_perm(tsk, inode, av, &ad);
1012 }
1013
1014 /* Check whether a task can use an open file descriptor to
1015    access an inode in a given way.  Check access to the
1016    descriptor itself, and then use dentry_has_perm to
1017    check a particular permission to the file.
1018    Access to the descriptor is implicitly granted if it
1019    has the same SID as the process.  If av is zero, then
1020    access to the file is not checked, e.g. for cases
1021    where only the descriptor is affected like seek. */
1022 static int file_has_perm(struct task_struct *tsk,
1023                                 struct file *file,
1024                                 u32 av)
1025 {
1026         struct task_security_struct *tsec = tsk->security;
1027         struct file_security_struct *fsec = file->f_security;
1028         struct vfsmount *mnt = file->f_vfsmnt;
1029         struct dentry *dentry = file->f_dentry;
1030         struct inode *inode = dentry->d_inode;
1031         struct avc_audit_data ad;
1032         int rc;
1033
1034         AVC_AUDIT_DATA_INIT(&ad, FS);
1035         ad.u.fs.mnt = mnt;
1036         ad.u.fs.dentry = dentry;
1037
1038         if (tsec->sid != fsec->sid) {
1039                 rc = avc_has_perm(tsec->sid, fsec->sid,
1040                                   SECCLASS_FD,
1041                                   FD__USE,
1042                                   &ad);
1043                 if (rc)
1044                         return rc;
1045         }
1046
1047         /* av is zero if only checking access to the descriptor. */
1048         if (av)
1049                 return inode_has_perm(tsk, inode, av, &ad);
1050
1051         return 0;
1052 }
1053
1054 /* Check whether a task can create a file. */
1055 static int may_create(struct inode *dir,
1056                       struct dentry *dentry,
1057                       u16 tclass)
1058 {
1059         struct task_security_struct *tsec;
1060         struct inode_security_struct *dsec;
1061         struct superblock_security_struct *sbsec;
1062         u32 newsid;
1063         struct avc_audit_data ad;
1064         int rc;
1065
1066         tsec = current->security;
1067         dsec = dir->i_security;
1068         sbsec = dir->i_sb->s_security;
1069
1070         AVC_AUDIT_DATA_INIT(&ad, FS);
1071         ad.u.fs.dentry = dentry;
1072
1073         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1074                           DIR__ADD_NAME | DIR__SEARCH,
1075                           &ad);
1076         if (rc)
1077                 return rc;
1078
1079         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1080                 newsid = tsec->create_sid;
1081         } else {
1082                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083                                              &newsid);
1084                 if (rc)
1085                         return rc;
1086         }
1087
1088         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1089         if (rc)
1090                 return rc;
1091
1092         return avc_has_perm(newsid, sbsec->sid,
1093                             SECCLASS_FILESYSTEM,
1094                             FILESYSTEM__ASSOCIATE, &ad);
1095 }
1096
1097 #define MAY_LINK   0
1098 #define MAY_UNLINK 1
1099 #define MAY_RMDIR  2
1100
1101 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1102 static int may_link(struct inode *dir,
1103                     struct dentry *dentry,
1104                     int kind)
1105
1106 {
1107         struct task_security_struct *tsec;
1108         struct inode_security_struct *dsec, *isec;
1109         struct avc_audit_data ad;
1110         u32 av;
1111         int rc;
1112
1113         tsec = current->security;
1114         dsec = dir->i_security;
1115         isec = dentry->d_inode->i_security;
1116
1117         AVC_AUDIT_DATA_INIT(&ad, FS);
1118         ad.u.fs.dentry = dentry;
1119
1120         av = DIR__SEARCH;
1121         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1122         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1123         if (rc)
1124                 return rc;
1125
1126         switch (kind) {
1127         case MAY_LINK:
1128                 av = FILE__LINK;
1129                 break;
1130         case MAY_UNLINK:
1131                 av = FILE__UNLINK;
1132                 break;
1133         case MAY_RMDIR:
1134                 av = DIR__RMDIR;
1135                 break;
1136         default:
1137                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1138                 return 0;
1139         }
1140
1141         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1142         return rc;
1143 }
1144
1145 static inline int may_rename(struct inode *old_dir,
1146                              struct dentry *old_dentry,
1147                              struct inode *new_dir,
1148                              struct dentry *new_dentry)
1149 {
1150         struct task_security_struct *tsec;
1151         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1152         struct avc_audit_data ad;
1153         u32 av;
1154         int old_is_dir, new_is_dir;
1155         int rc;
1156
1157         tsec = current->security;
1158         old_dsec = old_dir->i_security;
1159         old_isec = old_dentry->d_inode->i_security;
1160         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1161         new_dsec = new_dir->i_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164
1165         ad.u.fs.dentry = old_dentry;
1166         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1167                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1168         if (rc)
1169                 return rc;
1170         rc = avc_has_perm(tsec->sid, old_isec->sid,
1171                           old_isec->sclass, FILE__RENAME, &ad);
1172         if (rc)
1173                 return rc;
1174         if (old_is_dir && new_dir != old_dir) {
1175                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1176                                   old_isec->sclass, DIR__REPARENT, &ad);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         ad.u.fs.dentry = new_dentry;
1182         av = DIR__ADD_NAME | DIR__SEARCH;
1183         if (new_dentry->d_inode)
1184                 av |= DIR__REMOVE_NAME;
1185         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1186         if (rc)
1187                 return rc;
1188         if (new_dentry->d_inode) {
1189                 new_isec = new_dentry->d_inode->i_security;
1190                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1191                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1192                                   new_isec->sclass,
1193                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         return 0;
1199 }
1200
1201 /* Check whether a task can perform a filesystem operation. */
1202 static int superblock_has_perm(struct task_struct *tsk,
1203                                struct super_block *sb,
1204                                u32 perms,
1205                                struct avc_audit_data *ad)
1206 {
1207         struct task_security_struct *tsec;
1208         struct superblock_security_struct *sbsec;
1209
1210         tsec = tsk->security;
1211         sbsec = sb->s_security;
1212         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1213                             perms, ad);
1214 }
1215
1216 /* Convert a Linux mode and permission mask to an access vector. */
1217 static inline u32 file_mask_to_av(int mode, int mask)
1218 {
1219         u32 av = 0;
1220
1221         if ((mode & S_IFMT) != S_IFDIR) {
1222                 if (mask & MAY_EXEC)
1223                         av |= FILE__EXECUTE;
1224                 if (mask & MAY_READ)
1225                         av |= FILE__READ;
1226
1227                 if (mask & MAY_APPEND)
1228                         av |= FILE__APPEND;
1229                 else if (mask & MAY_WRITE)
1230                         av |= FILE__WRITE;
1231
1232         } else {
1233                 if (mask & MAY_EXEC)
1234                         av |= DIR__SEARCH;
1235                 if (mask & MAY_WRITE)
1236                         av |= DIR__WRITE;
1237                 if (mask & MAY_READ)
1238                         av |= DIR__READ;
1239         }
1240
1241         return av;
1242 }
1243
1244 /* Convert a Linux file to an access vector. */
1245 static inline u32 file_to_av(struct file *file)
1246 {
1247         u32 av = 0;
1248
1249         if (file->f_mode & FMODE_READ)
1250                 av |= FILE__READ;
1251         if (file->f_mode & FMODE_WRITE) {
1252                 if (file->f_flags & O_APPEND)
1253                         av |= FILE__APPEND;
1254                 else
1255                         av |= FILE__WRITE;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Set an inode's SID to a specified value. */
1262 static int inode_security_set_sid(struct inode *inode, u32 sid)
1263 {
1264         struct inode_security_struct *isec = inode->i_security;
1265         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1266
1267         if (!sbsec->initialized) {
1268                 /* Defer initialization to selinux_complete_init. */
1269                 return 0;
1270         }
1271
1272         down(&isec->sem);
1273         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274         isec->sid = sid;
1275         isec->initialized = 1;
1276         up(&isec->sem);
1277         return 0;
1278 }
1279
1280 /* Hook functions begin here. */
1281
1282 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1283 {
1284         struct task_security_struct *psec = parent->security;
1285         struct task_security_struct *csec = child->security;
1286         int rc;
1287
1288         rc = secondary_ops->ptrace(parent,child);
1289         if (rc)
1290                 return rc;
1291
1292         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1293         /* Save the SID of the tracing process for later use in apply_creds. */
1294         if (!rc)
1295                 csec->ptrace_sid = psec->sid;
1296         return rc;
1297 }
1298
1299 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1300                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = task_has_perm(current, target, PROCESS__GETCAP);
1305         if (error)
1306                 return error;
1307
1308         return secondary_ops->capget(target, effective, inheritable, permitted);
1309 }
1310
1311 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1312                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         int error;
1315
1316         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1317         if (error)
1318                 return error;
1319
1320         return task_has_perm(current, target, PROCESS__SETCAP);
1321 }
1322
1323 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1324                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1325 {
1326         secondary_ops->capset_set(target, effective, inheritable, permitted);
1327 }
1328
1329 static int selinux_capable(struct task_struct *tsk, int cap)
1330 {
1331         int rc;
1332
1333         rc = secondary_ops->capable(tsk, cap);
1334         if (rc)
1335                 return rc;
1336
1337         return task_has_capability(tsk,cap);
1338 }
1339
1340 static int selinux_sysctl(ctl_table *table, int op)
1341 {
1342         int error = 0;
1343         u32 av;
1344         struct task_security_struct *tsec;
1345         u32 tsid;
1346         int rc;
1347
1348         rc = secondary_ops->sysctl(table, op);
1349         if (rc)
1350                 return rc;
1351
1352         tsec = current->security;
1353
1354         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1355                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1356         if (rc) {
1357                 /* Default to the well-defined sysctl SID. */
1358                 tsid = SECINITSID_SYSCTL;
1359         }
1360
1361         /* The op values are "defined" in sysctl.c, thereby creating
1362          * a bad coupling between this module and sysctl.c */
1363         if(op == 001) {
1364                 error = avc_has_perm(tsec->sid, tsid,
1365                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1366         } else {
1367                 av = 0;
1368                 if (op & 004)
1369                         av |= FILE__READ;
1370                 if (op & 002)
1371                         av |= FILE__WRITE;
1372                 if (av)
1373                         error = avc_has_perm(tsec->sid, tsid,
1374                                              SECCLASS_FILE, av, NULL);
1375         }
1376
1377         return error;
1378 }
1379
1380 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1381 {
1382         int rc = 0;
1383
1384         if (!sb)
1385                 return 0;
1386
1387         switch (cmds) {
1388                 case Q_SYNC:
1389                 case Q_QUOTAON:
1390                 case Q_QUOTAOFF:
1391                 case Q_SETINFO:
1392                 case Q_SETQUOTA:
1393                         rc = superblock_has_perm(current,
1394                                                  sb,
1395                                                  FILESYSTEM__QUOTAMOD, NULL);
1396                         break;
1397                 case Q_GETFMT:
1398                 case Q_GETINFO:
1399                 case Q_GETQUOTA:
1400                         rc = superblock_has_perm(current,
1401                                                  sb,
1402                                                  FILESYSTEM__QUOTAGET, NULL);
1403                         break;
1404                 default:
1405                         rc = 0;  /* let the kernel handle invalid cmds */
1406                         break;
1407         }
1408         return rc;
1409 }
1410
1411 static int selinux_quota_on(struct dentry *dentry)
1412 {
1413         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1414 }
1415
1416 static int selinux_syslog(int type)
1417 {
1418         int rc;
1419
1420         rc = secondary_ops->syslog(type);
1421         if (rc)
1422                 return rc;
1423
1424         switch (type) {
1425                 case 3:         /* Read last kernel messages */
1426                 case 10:        /* Return size of the log buffer */
1427                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1428                         break;
1429                 case 6:         /* Disable logging to console */
1430                 case 7:         /* Enable logging to console */
1431                 case 8:         /* Set level of messages printed to console */
1432                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1433                         break;
1434                 case 0:         /* Close log */
1435                 case 1:         /* Open log */
1436                 case 2:         /* Read from log */
1437                 case 4:         /* Read/clear last kernel messages */
1438                 case 5:         /* Clear ring buffer */
1439                 default:
1440                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1441                         break;
1442         }
1443         return rc;
1444 }
1445
1446 /*
1447  * Check that a process has enough memory to allocate a new virtual
1448  * mapping. 0 means there is enough memory for the allocation to
1449  * succeed and -ENOMEM implies there is not.
1450  *
1451  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1452  * if the capability is granted, but __vm_enough_memory requires 1 if
1453  * the capability is granted.
1454  *
1455  * Do not audit the selinux permission check, as this is applied to all
1456  * processes that allocate mappings.
1457  */
1458 static int selinux_vm_enough_memory(long pages)
1459 {
1460         int rc, cap_sys_admin = 0;
1461         struct task_security_struct *tsec = current->security;
1462
1463         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1464         if (rc == 0)
1465                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1466                                         SECCLASS_CAPABILITY,
1467                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1468                                         NULL);
1469
1470         if (rc == 0)
1471                 cap_sys_admin = 1;
1472
1473         return __vm_enough_memory(pages, cap_sys_admin);
1474 }
1475
1476 /* binprm security operations */
1477
1478 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1479 {
1480         struct bprm_security_struct *bsec;
1481
1482         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1483         if (!bsec)
1484                 return -ENOMEM;
1485
1486         bsec->magic = SELINUX_MAGIC;
1487         bsec->bprm = bprm;
1488         bsec->sid = SECINITSID_UNLABELED;
1489         bsec->set = 0;
1490
1491         bprm->security = bsec;
1492         return 0;
1493 }
1494
1495 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1496 {
1497         struct task_security_struct *tsec;
1498         struct inode *inode = bprm->file->f_dentry->d_inode;
1499         struct inode_security_struct *isec;
1500         struct bprm_security_struct *bsec;
1501         u32 newsid;
1502         struct avc_audit_data ad;
1503         int rc;
1504
1505         rc = secondary_ops->bprm_set_security(bprm);
1506         if (rc)
1507                 return rc;
1508
1509         bsec = bprm->security;
1510
1511         if (bsec->set)
1512                 return 0;
1513
1514         tsec = current->security;
1515         isec = inode->i_security;
1516
1517         /* Default to the current task SID. */
1518         bsec->sid = tsec->sid;
1519
1520         /* Reset create SID on execve. */
1521         tsec->create_sid = 0;
1522
1523         if (tsec->exec_sid) {
1524                 newsid = tsec->exec_sid;
1525                 /* Reset exec SID on execve. */
1526                 tsec->exec_sid = 0;
1527         } else {
1528                 /* Check for a default transition on this program. */
1529                 rc = security_transition_sid(tsec->sid, isec->sid,
1530                                              SECCLASS_PROCESS, &newsid);
1531                 if (rc)
1532                         return rc;
1533         }
1534
1535         AVC_AUDIT_DATA_INIT(&ad, FS);
1536         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1537         ad.u.fs.dentry = bprm->file->f_dentry;
1538
1539         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1540                 newsid = tsec->sid;
1541
1542         if (tsec->sid == newsid) {
1543                 rc = avc_has_perm(tsec->sid, isec->sid,
1544                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1545                 if (rc)
1546                         return rc;
1547         } else {
1548                 /* Check permissions for the transition. */
1549                 rc = avc_has_perm(tsec->sid, newsid,
1550                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1551                 if (rc)
1552                         return rc;
1553
1554                 rc = avc_has_perm(newsid, isec->sid,
1555                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1556                 if (rc)
1557                         return rc;
1558
1559                 /* Clear any possibly unsafe personality bits on exec: */
1560                 current->personality &= ~PER_CLEAR_ON_SETID;
1561
1562                 /* Set the security field to the new SID. */
1563                 bsec->sid = newsid;
1564         }
1565
1566         bsec->set = 1;
1567         return 0;
1568 }
1569
1570 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1571 {
1572         return secondary_ops->bprm_check_security(bprm);
1573 }
1574
1575
1576 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1577 {
1578         struct task_security_struct *tsec = current->security;
1579         int atsecure = 0;
1580
1581         if (tsec->osid != tsec->sid) {
1582                 /* Enable secure mode for SIDs transitions unless
1583                    the noatsecure permission is granted between
1584                    the two SIDs, i.e. ahp returns 0. */
1585                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1586                                          SECCLASS_PROCESS,
1587                                          PROCESS__NOATSECURE, NULL);
1588         }
1589
1590         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1591 }
1592
1593 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1594 {
1595         kfree(bprm->security);
1596         bprm->security = NULL;
1597 }
1598
1599 extern struct vfsmount *selinuxfs_mount;
1600 extern struct dentry *selinux_null;
1601
1602 /* Derived from fs/exec.c:flush_old_files. */
1603 static inline void flush_unauthorized_files(struct files_struct * files)
1604 {
1605         struct avc_audit_data ad;
1606         struct file *file, *devnull = NULL;
1607         struct tty_struct *tty = current->signal->tty;
1608         struct fdtable *fdt;
1609         long j = -1;
1610
1611         if (tty) {
1612                 file_list_lock();
1613                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1614                 if (file) {
1615                         /* Revalidate access to controlling tty.
1616                            Use inode_has_perm on the tty inode directly rather
1617                            than using file_has_perm, as this particular open
1618                            file may belong to another process and we are only
1619                            interested in the inode-based check here. */
1620                         struct inode *inode = file->f_dentry->d_inode;
1621                         if (inode_has_perm(current, inode,
1622                                            FILE__READ | FILE__WRITE, NULL)) {
1623                                 /* Reset controlling tty. */
1624                                 current->signal->tty = NULL;
1625                                 current->signal->tty_old_pgrp = 0;
1626                         }
1627                 }
1628                 file_list_unlock();
1629         }
1630
1631         /* Revalidate access to inherited open files. */
1632
1633         AVC_AUDIT_DATA_INIT(&ad,FS);
1634
1635         spin_lock(&files->file_lock);
1636         for (;;) {
1637                 unsigned long set, i;
1638                 int fd;
1639
1640                 j++;
1641                 i = j * __NFDBITS;
1642                 fdt = files_fdtable(files);
1643                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1644                         break;
1645                 set = fdt->open_fds->fds_bits[j];
1646                 if (!set)
1647                         continue;
1648                 spin_unlock(&files->file_lock);
1649                 for ( ; set ; i++,set >>= 1) {
1650                         if (set & 1) {
1651                                 file = fget(i);
1652                                 if (!file)
1653                                         continue;
1654                                 if (file_has_perm(current,
1655                                                   file,
1656                                                   file_to_av(file))) {
1657                                         sys_close(i);
1658                                         fd = get_unused_fd();
1659                                         if (fd != i) {
1660                                                 if (fd >= 0)
1661                                                         put_unused_fd(fd);
1662                                                 fput(file);
1663                                                 continue;
1664                                         }
1665                                         if (devnull) {
1666                                                 get_file(devnull);
1667                                         } else {
1668                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1669                                                 if (!devnull) {
1670                                                         put_unused_fd(fd);
1671                                                         fput(file);
1672                                                         continue;
1673                                                 }
1674                                         }
1675                                         fd_install(fd, devnull);
1676                                 }
1677                                 fput(file);
1678                         }
1679                 }
1680                 spin_lock(&files->file_lock);
1681
1682         }
1683         spin_unlock(&files->file_lock);
1684 }
1685
1686 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1687 {
1688         struct task_security_struct *tsec;
1689         struct bprm_security_struct *bsec;
1690         u32 sid;
1691         int rc;
1692
1693         secondary_ops->bprm_apply_creds(bprm, unsafe);
1694
1695         tsec = current->security;
1696
1697         bsec = bprm->security;
1698         sid = bsec->sid;
1699
1700         tsec->osid = tsec->sid;
1701         bsec->unsafe = 0;
1702         if (tsec->sid != sid) {
1703                 /* Check for shared state.  If not ok, leave SID
1704                    unchanged and kill. */
1705                 if (unsafe & LSM_UNSAFE_SHARE) {
1706                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1707                                         PROCESS__SHARE, NULL);
1708                         if (rc) {
1709                                 bsec->unsafe = 1;
1710                                 return;
1711                         }
1712                 }
1713
1714                 /* Check for ptracing, and update the task SID if ok.
1715                    Otherwise, leave SID unchanged and kill. */
1716                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1717                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1718                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1719                                           NULL);
1720                         if (rc) {
1721                                 bsec->unsafe = 1;
1722                                 return;
1723                         }
1724                 }
1725                 tsec->sid = sid;
1726         }
1727 }
1728
1729 /*
1730  * called after apply_creds without the task lock held
1731  */
1732 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1733 {
1734         struct task_security_struct *tsec;
1735         struct rlimit *rlim, *initrlim;
1736         struct itimerval itimer;
1737         struct bprm_security_struct *bsec;
1738         int rc, i;
1739
1740         tsec = current->security;
1741         bsec = bprm->security;
1742
1743         if (bsec->unsafe) {
1744                 force_sig_specific(SIGKILL, current);
1745                 return;
1746         }
1747         if (tsec->osid == tsec->sid)
1748                 return;
1749
1750         /* Close files for which the new task SID is not authorized. */
1751         flush_unauthorized_files(current->files);
1752
1753         /* Check whether the new SID can inherit signal state
1754            from the old SID.  If not, clear itimers to avoid
1755            subsequent signal generation and flush and unblock
1756            signals. This must occur _after_ the task SID has
1757           been updated so that any kill done after the flush
1758           will be checked against the new SID. */
1759         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1760                           PROCESS__SIGINH, NULL);
1761         if (rc) {
1762                 memset(&itimer, 0, sizeof itimer);
1763                 for (i = 0; i < 3; i++)
1764                         do_setitimer(i, &itimer, NULL);
1765                 flush_signals(current);
1766                 spin_lock_irq(&current->sighand->siglock);
1767                 flush_signal_handlers(current, 1);
1768                 sigemptyset(&current->blocked);
1769                 recalc_sigpending();
1770                 spin_unlock_irq(&current->sighand->siglock);
1771         }
1772
1773         /* Check whether the new SID can inherit resource limits
1774            from the old SID.  If not, reset all soft limits to
1775            the lower of the current task's hard limit and the init
1776            task's soft limit.  Note that the setting of hard limits
1777            (even to lower them) can be controlled by the setrlimit
1778            check. The inclusion of the init task's soft limit into
1779            the computation is to avoid resetting soft limits higher
1780            than the default soft limit for cases where the default
1781            is lower than the hard limit, e.g. RLIMIT_CORE or
1782            RLIMIT_STACK.*/
1783         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1784                           PROCESS__RLIMITINH, NULL);
1785         if (rc) {
1786                 for (i = 0; i < RLIM_NLIMITS; i++) {
1787                         rlim = current->signal->rlim + i;
1788                         initrlim = init_task.signal->rlim+i;
1789                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1790                 }
1791                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1792                         /*
1793                          * This will cause RLIMIT_CPU calculations
1794                          * to be refigured.
1795                          */
1796                         current->it_prof_expires = jiffies_to_cputime(1);
1797                 }
1798         }
1799
1800         /* Wake up the parent if it is waiting so that it can
1801            recheck wait permission to the new task SID. */
1802         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1803 }
1804
1805 /* superblock security operations */
1806
1807 static int selinux_sb_alloc_security(struct super_block *sb)
1808 {
1809         return superblock_alloc_security(sb);
1810 }
1811
1812 static void selinux_sb_free_security(struct super_block *sb)
1813 {
1814         superblock_free_security(sb);
1815 }
1816
1817 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1818 {
1819         if (plen > olen)
1820                 return 0;
1821
1822         return !memcmp(prefix, option, plen);
1823 }
1824
1825 static inline int selinux_option(char *option, int len)
1826 {
1827         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1828                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1829                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1830 }
1831
1832 static inline void take_option(char **to, char *from, int *first, int len)
1833 {
1834         if (!*first) {
1835                 **to = ',';
1836                 *to += 1;
1837         }
1838         else
1839                 *first = 0;
1840         memcpy(*to, from, len);
1841         *to += len;
1842 }
1843
1844 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1845 {
1846         int fnosec, fsec, rc = 0;
1847         char *in_save, *in_curr, *in_end;
1848         char *sec_curr, *nosec_save, *nosec;
1849
1850         in_curr = orig;
1851         sec_curr = copy;
1852
1853         /* Binary mount data: just copy */
1854         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1855                 copy_page(sec_curr, in_curr);
1856                 goto out;
1857         }
1858
1859         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1860         if (!nosec) {
1861                 rc = -ENOMEM;
1862                 goto out;
1863         }
1864
1865         nosec_save = nosec;
1866         fnosec = fsec = 1;
1867         in_save = in_end = orig;
1868
1869         do {
1870                 if (*in_end == ',' || *in_end == '\0') {
1871                         int len = in_end - in_curr;
1872
1873                         if (selinux_option(in_curr, len))
1874                                 take_option(&sec_curr, in_curr, &fsec, len);
1875                         else
1876                                 take_option(&nosec, in_curr, &fnosec, len);
1877
1878                         in_curr = in_end + 1;
1879                 }
1880         } while (*in_end++);
1881
1882         strcpy(in_save, nosec_save);
1883         free_page((unsigned long)nosec_save);
1884 out:
1885         return rc;
1886 }
1887
1888 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1889 {
1890         struct avc_audit_data ad;
1891         int rc;
1892
1893         rc = superblock_doinit(sb, data);
1894         if (rc)
1895                 return rc;
1896
1897         AVC_AUDIT_DATA_INIT(&ad,FS);
1898         ad.u.fs.dentry = sb->s_root;
1899         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1900 }
1901
1902 static int selinux_sb_statfs(struct super_block *sb)
1903 {
1904         struct avc_audit_data ad;
1905
1906         AVC_AUDIT_DATA_INIT(&ad,FS);
1907         ad.u.fs.dentry = sb->s_root;
1908         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1909 }
1910
1911 static int selinux_mount(char * dev_name,
1912                          struct nameidata *nd,
1913                          char * type,
1914                          unsigned long flags,
1915                          void * data)
1916 {
1917         int rc;
1918
1919         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1920         if (rc)
1921                 return rc;
1922
1923         if (flags & MS_REMOUNT)
1924                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1925                                            FILESYSTEM__REMOUNT, NULL);
1926         else
1927                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1928                                        FILE__MOUNTON);
1929 }
1930
1931 static int selinux_umount(struct vfsmount *mnt, int flags)
1932 {
1933         int rc;
1934
1935         rc = secondary_ops->sb_umount(mnt, flags);
1936         if (rc)
1937                 return rc;
1938
1939         return superblock_has_perm(current,mnt->mnt_sb,
1940                                    FILESYSTEM__UNMOUNT,NULL);
1941 }
1942
1943 /* inode security operations */
1944
1945 static int selinux_inode_alloc_security(struct inode *inode)
1946 {
1947         return inode_alloc_security(inode);
1948 }
1949
1950 static void selinux_inode_free_security(struct inode *inode)
1951 {
1952         inode_free_security(inode);
1953 }
1954
1955 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1956                                        char **name, void **value,
1957                                        size_t *len)
1958 {
1959         struct task_security_struct *tsec;
1960         struct inode_security_struct *dsec;
1961         struct superblock_security_struct *sbsec;
1962         struct inode_security_struct *isec;
1963         u32 newsid, clen;
1964         int rc;
1965         char *namep = NULL, *context;
1966
1967         tsec = current->security;
1968         dsec = dir->i_security;
1969         sbsec = dir->i_sb->s_security;
1970         isec = inode->i_security;
1971
1972         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1973                 newsid = tsec->create_sid;
1974         } else {
1975                 rc = security_transition_sid(tsec->sid, dsec->sid,
1976                                              inode_mode_to_security_class(inode->i_mode),
1977                                              &newsid);
1978                 if (rc) {
1979                         printk(KERN_WARNING "%s:  "
1980                                "security_transition_sid failed, rc=%d (dev=%s "
1981                                "ino=%ld)\n",
1982                                __FUNCTION__,
1983                                -rc, inode->i_sb->s_id, inode->i_ino);
1984                         return rc;
1985                 }
1986         }
1987
1988         inode_security_set_sid(inode, newsid);
1989
1990         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1991                 return -EOPNOTSUPP;
1992
1993         if (name) {
1994                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1995                 if (!namep)
1996                         return -ENOMEM;
1997                 *name = namep;
1998         }
1999
2000         if (value && len) {
2001                 rc = security_sid_to_context(newsid, &context, &clen);
2002                 if (rc) {
2003                         kfree(namep);
2004                         return rc;
2005                 }
2006                 *value = context;
2007                 *len = clen;
2008         }
2009
2010         return 0;
2011 }
2012
2013 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2014 {
2015         return may_create(dir, dentry, SECCLASS_FILE);
2016 }
2017
2018 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2023         if (rc)
2024                 return rc;
2025         return may_link(dir, old_dentry, MAY_LINK);
2026 }
2027
2028 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2029 {
2030         int rc;
2031
2032         rc = secondary_ops->inode_unlink(dir, dentry);
2033         if (rc)
2034                 return rc;
2035         return may_link(dir, dentry, MAY_UNLINK);
2036 }
2037
2038 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2039 {
2040         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2041 }
2042
2043 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2044 {
2045         return may_create(dir, dentry, SECCLASS_DIR);
2046 }
2047
2048 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2049 {
2050         return may_link(dir, dentry, MAY_RMDIR);
2051 }
2052
2053 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2054 {
2055         int rc;
2056
2057         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2058         if (rc)
2059                 return rc;
2060
2061         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2062 }
2063
2064 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2065                                 struct inode *new_inode, struct dentry *new_dentry)
2066 {
2067         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2068 }
2069
2070 static int selinux_inode_readlink(struct dentry *dentry)
2071 {
2072         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2073 }
2074
2075 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2076 {
2077         int rc;
2078
2079         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2080         if (rc)
2081                 return rc;
2082         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2083 }
2084
2085 static int selinux_inode_permission(struct inode *inode, int mask,
2086                                     struct nameidata *nd)
2087 {
2088         int rc;
2089
2090         rc = secondary_ops->inode_permission(inode, mask, nd);
2091         if (rc)
2092                 return rc;
2093
2094         if (!mask) {
2095                 /* No permission to check.  Existence test. */
2096                 return 0;
2097         }
2098
2099         return inode_has_perm(current, inode,
2100                                file_mask_to_av(inode->i_mode, mask), NULL);
2101 }
2102
2103 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2104 {
2105         int rc;
2106
2107         rc = secondary_ops->inode_setattr(dentry, iattr);
2108         if (rc)
2109                 return rc;
2110
2111         if (iattr->ia_valid & ATTR_FORCE)
2112                 return 0;
2113
2114         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2115                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2116                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2117
2118         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2119 }
2120
2121 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2122 {
2123         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2124 }
2125
2126 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2127 {
2128         struct task_security_struct *tsec = current->security;
2129         struct inode *inode = dentry->d_inode;
2130         struct inode_security_struct *isec = inode->i_security;
2131         struct superblock_security_struct *sbsec;
2132         struct avc_audit_data ad;
2133         u32 newsid;
2134         int rc = 0;
2135
2136         if (strcmp(name, XATTR_NAME_SELINUX)) {
2137                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2138                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2139                     !capable(CAP_SYS_ADMIN)) {
2140                         /* A different attribute in the security namespace.
2141                            Restrict to administrator. */
2142                         return -EPERM;
2143                 }
2144
2145                 /* Not an attribute we recognize, so just check the
2146                    ordinary setattr permission. */
2147                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2148         }
2149
2150         sbsec = inode->i_sb->s_security;
2151         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2152                 return -EOPNOTSUPP;
2153
2154         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2155                 return -EPERM;
2156
2157         AVC_AUDIT_DATA_INIT(&ad,FS);
2158         ad.u.fs.dentry = dentry;
2159
2160         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2161                           FILE__RELABELFROM, &ad);
2162         if (rc)
2163                 return rc;
2164
2165         rc = security_context_to_sid(value, size, &newsid);
2166         if (rc)
2167                 return rc;
2168
2169         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2170                           FILE__RELABELTO, &ad);
2171         if (rc)
2172                 return rc;
2173
2174         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2175                                           isec->sclass);
2176         if (rc)
2177                 return rc;
2178
2179         return avc_has_perm(newsid,
2180                             sbsec->sid,
2181                             SECCLASS_FILESYSTEM,
2182                             FILESYSTEM__ASSOCIATE,
2183                             &ad);
2184 }
2185
2186 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2187                                         void *value, size_t size, int flags)
2188 {
2189         struct inode *inode = dentry->d_inode;
2190         struct inode_security_struct *isec = inode->i_security;
2191         u32 newsid;
2192         int rc;
2193
2194         if (strcmp(name, XATTR_NAME_SELINUX)) {
2195                 /* Not an attribute we recognize, so nothing to do. */
2196                 return;
2197         }
2198
2199         rc = security_context_to_sid(value, size, &newsid);
2200         if (rc) {
2201                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2202                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2203                 return;
2204         }
2205
2206         isec->sid = newsid;
2207         return;
2208 }
2209
2210 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2211 {
2212         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2213 }
2214
2215 static int selinux_inode_listxattr (struct dentry *dentry)
2216 {
2217         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2218 }
2219
2220 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2221 {
2222         if (strcmp(name, XATTR_NAME_SELINUX)) {
2223                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2224                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2225                     !capable(CAP_SYS_ADMIN)) {
2226                         /* A different attribute in the security namespace.
2227                            Restrict to administrator. */
2228                         return -EPERM;
2229                 }
2230
2231                 /* Not an attribute we recognize, so just check the
2232                    ordinary setattr permission. Might want a separate
2233                    permission for removexattr. */
2234                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2235         }
2236
2237         /* No one is allowed to remove a SELinux security label.
2238            You can change the label, but all data must be labeled. */
2239         return -EACCES;
2240 }
2241
2242 /*
2243  * Copy the in-core inode security context value to the user.  If the
2244  * getxattr() prior to this succeeded, check to see if we need to
2245  * canonicalize the value to be finally returned to the user.
2246  *
2247  * Permission check is handled by selinux_inode_getxattr hook.
2248  */
2249 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2250 {
2251         struct inode_security_struct *isec = inode->i_security;
2252         char *context;
2253         unsigned len;
2254         int rc;
2255
2256         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2257                 rc = -EOPNOTSUPP;
2258                 goto out;
2259         }
2260
2261         rc = security_sid_to_context(isec->sid, &context, &len);
2262         if (rc)
2263                 goto out;
2264
2265         /* Probe for required buffer size */
2266         if (!buffer || !size) {
2267                 rc = len;
2268                 goto out_free;
2269         }
2270
2271         if (size < len) {
2272                 rc = -ERANGE;
2273                 goto out_free;
2274         }
2275
2276         if (err > 0) {
2277                 if ((len == err) && !(memcmp(context, buffer, len))) {
2278                         /* Don't need to canonicalize value */
2279                         rc = err;
2280                         goto out_free;
2281                 }
2282                 memset(buffer, 0, size);
2283         }
2284         memcpy(buffer, context, len);
2285         rc = len;
2286 out_free:
2287         kfree(context);
2288 out:
2289         return rc;
2290 }
2291
2292 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2293                                      const void *value, size_t size, int flags)
2294 {
2295         struct inode_security_struct *isec = inode->i_security;
2296         u32 newsid;
2297         int rc;
2298
2299         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2300                 return -EOPNOTSUPP;
2301
2302         if (!value || !size)
2303                 return -EACCES;
2304
2305         rc = security_context_to_sid((void*)value, size, &newsid);
2306         if (rc)
2307                 return rc;
2308
2309         isec->sid = newsid;
2310         return 0;
2311 }
2312
2313 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2314 {
2315         const int len = sizeof(XATTR_NAME_SELINUX);
2316         if (buffer && len <= buffer_size)
2317                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2318         return len;
2319 }
2320
2321 /* file security operations */
2322
2323 static int selinux_file_permission(struct file *file, int mask)
2324 {
2325         struct inode *inode = file->f_dentry->d_inode;
2326
2327         if (!mask) {
2328                 /* No permission to check.  Existence test. */
2329                 return 0;
2330         }
2331
2332         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2333         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2334                 mask |= MAY_APPEND;
2335
2336         return file_has_perm(current, file,
2337                              file_mask_to_av(inode->i_mode, mask));
2338 }
2339
2340 static int selinux_file_alloc_security(struct file *file)
2341 {
2342         return file_alloc_security(file);
2343 }
2344
2345 static void selinux_file_free_security(struct file *file)
2346 {
2347         file_free_security(file);
2348 }
2349
2350 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2351                               unsigned long arg)
2352 {
2353         int error = 0;
2354
2355         switch (cmd) {
2356                 case FIONREAD:
2357                 /* fall through */
2358                 case FIBMAP:
2359                 /* fall through */
2360                 case FIGETBSZ:
2361                 /* fall through */
2362                 case EXT2_IOC_GETFLAGS:
2363                 /* fall through */
2364                 case EXT2_IOC_GETVERSION:
2365                         error = file_has_perm(current, file, FILE__GETATTR);
2366                         break;
2367
2368                 case EXT2_IOC_SETFLAGS:
2369                 /* fall through */
2370                 case EXT2_IOC_SETVERSION:
2371                         error = file_has_perm(current, file, FILE__SETATTR);
2372                         break;
2373
2374                 /* sys_ioctl() checks */
2375                 case FIONBIO:
2376                 /* fall through */
2377                 case FIOASYNC:
2378                         error = file_has_perm(current, file, 0);
2379                         break;
2380
2381                 case KDSKBENT:
2382                 case KDSKBSENT:
2383                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2384                         break;
2385
2386                 /* default case assumes that the command will go
2387                  * to the file's ioctl() function.
2388                  */
2389                 default:
2390                         error = file_has_perm(current, file, FILE__IOCTL);
2391
2392         }
2393         return error;
2394 }
2395
2396 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2397 {
2398 #ifndef CONFIG_PPC32
2399         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2400                 /*
2401                  * We are making executable an anonymous mapping or a
2402                  * private file mapping that will also be writable.
2403                  * This has an additional check.
2404                  */
2405                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2406                 if (rc)
2407                         return rc;
2408         }
2409 #endif
2410
2411         if (file) {
2412                 /* read access is always possible with a mapping */
2413                 u32 av = FILE__READ;
2414
2415                 /* write access only matters if the mapping is shared */
2416                 if (shared && (prot & PROT_WRITE))
2417                         av |= FILE__WRITE;
2418
2419                 if (prot & PROT_EXEC)
2420                         av |= FILE__EXECUTE;
2421
2422                 return file_has_perm(current, file, av);
2423         }
2424         return 0;
2425 }
2426
2427 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2428                              unsigned long prot, unsigned long flags)
2429 {
2430         int rc;
2431
2432         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2433         if (rc)
2434                 return rc;
2435
2436         if (selinux_checkreqprot)
2437                 prot = reqprot;
2438
2439         return file_map_prot_check(file, prot,
2440                                    (flags & MAP_TYPE) == MAP_SHARED);
2441 }
2442
2443 static int selinux_file_mprotect(struct vm_area_struct *vma,
2444                                  unsigned long reqprot,
2445                                  unsigned long prot)
2446 {
2447         int rc;
2448
2449         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2450         if (rc)
2451                 return rc;
2452
2453         if (selinux_checkreqprot)
2454                 prot = reqprot;
2455
2456 #ifndef CONFIG_PPC32
2457         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2458            (vma->vm_start >= vma->vm_mm->start_brk &&
2459             vma->vm_end <= vma->vm_mm->brk)) {
2460                 /*
2461                  * We are making an executable mapping in the brk region.
2462                  * This has an additional execheap check.
2463                  */
2464                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2465                 if (rc)
2466                         return rc;
2467         }
2468         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2469                 /*
2470                  * We are making executable a file mapping that has
2471                  * had some COW done. Since pages might have been written,
2472                  * check ability to execute the possibly modified content.
2473                  * This typically should only occur for text relocations.
2474                  */
2475                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2476                 if (rc)
2477                         return rc;
2478         }
2479         if (!vma->vm_file && (prot & PROT_EXEC) &&
2480                 vma->vm_start <= vma->vm_mm->start_stack &&
2481                 vma->vm_end >= vma->vm_mm->start_stack) {
2482                 /* Attempt to make the process stack executable.
2483                  * This has an additional execstack check.
2484                  */
2485                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2486                 if (rc)
2487                         return rc;
2488         }
2489 #endif
2490
2491         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2492 }
2493
2494 static int selinux_file_lock(struct file *file, unsigned int cmd)
2495 {
2496         return file_has_perm(current, file, FILE__LOCK);
2497 }
2498
2499 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2500                               unsigned long arg)
2501 {
2502         int err = 0;
2503
2504         switch (cmd) {
2505                 case F_SETFL:
2506                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2507                                 err = -EINVAL;
2508                                 break;
2509                         }
2510
2511                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2512                                 err = file_has_perm(current, file,FILE__WRITE);
2513                                 break;
2514                         }
2515                         /* fall through */
2516                 case F_SETOWN:
2517                 case F_SETSIG:
2518                 case F_GETFL:
2519                 case F_GETOWN:
2520                 case F_GETSIG:
2521                         /* Just check FD__USE permission */
2522                         err = file_has_perm(current, file, 0);
2523                         break;
2524                 case F_GETLK:
2525                 case F_SETLK:
2526                 case F_SETLKW:
2527 #if BITS_PER_LONG == 32
2528                 case F_GETLK64:
2529                 case F_SETLK64:
2530                 case F_SETLKW64:
2531 #endif
2532                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2533                                 err = -EINVAL;
2534                                 break;
2535                         }
2536                         err = file_has_perm(current, file, FILE__LOCK);
2537                         break;
2538         }
2539
2540         return err;
2541 }
2542
2543 static int selinux_file_set_fowner(struct file *file)
2544 {
2545         struct task_security_struct *tsec;
2546         struct file_security_struct *fsec;
2547
2548         tsec = current->security;
2549         fsec = file->f_security;
2550         fsec->fown_sid = tsec->sid;
2551
2552         return 0;
2553 }
2554
2555 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2556                                        struct fown_struct *fown, int signum)
2557 {
2558         struct file *file;
2559         u32 perm;
2560         struct task_security_struct *tsec;
2561         struct file_security_struct *fsec;
2562
2563         /* struct fown_struct is never outside the context of a struct file */
2564         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2565
2566         tsec = tsk->security;
2567         fsec = file->f_security;
2568
2569         if (!signum)
2570                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2571         else
2572                 perm = signal_to_av(signum);
2573
2574         return avc_has_perm(fsec->fown_sid, tsec->sid,
2575                             SECCLASS_PROCESS, perm, NULL);
2576 }
2577
2578 static int selinux_file_receive(struct file *file)
2579 {
2580         return file_has_perm(current, file, file_to_av(file));
2581 }
2582
2583 /* task security operations */
2584
2585 static int selinux_task_create(unsigned long clone_flags)
2586 {
2587         int rc;
2588
2589         rc = secondary_ops->task_create(clone_flags);
2590         if (rc)
2591                 return rc;
2592
2593         return task_has_perm(current, current, PROCESS__FORK);
2594 }
2595
2596 static int selinux_task_alloc_security(struct task_struct *tsk)
2597 {
2598         struct task_security_struct *tsec1, *tsec2;
2599         int rc;
2600
2601         tsec1 = current->security;
2602
2603         rc = task_alloc_security(tsk);
2604         if (rc)
2605                 return rc;
2606         tsec2 = tsk->security;
2607
2608         tsec2->osid = tsec1->osid;
2609         tsec2->sid = tsec1->sid;
2610
2611         /* Retain the exec and create SIDs across fork */
2612         tsec2->exec_sid = tsec1->exec_sid;
2613         tsec2->create_sid = tsec1->create_sid;
2614
2615         /* Retain ptracer SID across fork, if any.
2616            This will be reset by the ptrace hook upon any
2617            subsequent ptrace_attach operations. */
2618         tsec2->ptrace_sid = tsec1->ptrace_sid;
2619
2620         return 0;
2621 }
2622
2623 static void selinux_task_free_security(struct task_struct *tsk)
2624 {
2625         task_free_security(tsk);
2626 }
2627
2628 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2629 {
2630         /* Since setuid only affects the current process, and
2631            since the SELinux controls are not based on the Linux
2632            identity attributes, SELinux does not need to control
2633            this operation.  However, SELinux does control the use
2634            of the CAP_SETUID and CAP_SETGID capabilities using the
2635            capable hook. */
2636         return 0;
2637 }
2638
2639 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2640 {
2641         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2642 }
2643
2644 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2645 {
2646         /* See the comment for setuid above. */
2647         return 0;
2648 }
2649
2650 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2651 {
2652         return task_has_perm(current, p, PROCESS__SETPGID);
2653 }
2654
2655 static int selinux_task_getpgid(struct task_struct *p)
2656 {
2657         return task_has_perm(current, p, PROCESS__GETPGID);
2658 }
2659
2660 static int selinux_task_getsid(struct task_struct *p)
2661 {
2662         return task_has_perm(current, p, PROCESS__GETSESSION);
2663 }
2664
2665 static int selinux_task_setgroups(struct group_info *group_info)
2666 {
2667         /* See the comment for setuid above. */
2668         return 0;
2669 }
2670
2671 static int selinux_task_setnice(struct task_struct *p, int nice)
2672 {
2673         int rc;
2674
2675         rc = secondary_ops->task_setnice(p, nice);
2676         if (rc)
2677                 return rc;
2678
2679         return task_has_perm(current,p, PROCESS__SETSCHED);
2680 }
2681
2682 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2683 {
2684         struct rlimit *old_rlim = current->signal->rlim + resource;
2685         int rc;
2686
2687         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2688         if (rc)
2689                 return rc;
2690
2691         /* Control the ability to change the hard limit (whether
2692            lowering or raising it), so that the hard limit can
2693            later be used as a safe reset point for the soft limit
2694            upon context transitions. See selinux_bprm_apply_creds. */
2695         if (old_rlim->rlim_max != new_rlim->rlim_max)
2696                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2697
2698         return 0;
2699 }
2700
2701 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2702 {
2703         return task_has_perm(current, p, PROCESS__SETSCHED);
2704 }
2705
2706 static int selinux_task_getscheduler(struct task_struct *p)
2707 {
2708         return task_has_perm(current, p, PROCESS__GETSCHED);
2709 }
2710
2711 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2712 {
2713         u32 perm;
2714         int rc;
2715
2716         rc = secondary_ops->task_kill(p, info, sig);
2717         if (rc)
2718                 return rc;
2719
2720         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2721                 return 0;
2722
2723         if (!sig)
2724                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2725         else
2726                 perm = signal_to_av(sig);
2727
2728         return task_has_perm(current, p, perm);
2729 }
2730
2731 static int selinux_task_prctl(int option,
2732                               unsigned long arg2,
2733                               unsigned long arg3,
2734                               unsigned long arg4,
2735                               unsigned long arg5)
2736 {
2737         /* The current prctl operations do not appear to require
2738            any SELinux controls since they merely observe or modify
2739            the state of the current process. */
2740         return 0;
2741 }
2742
2743 static int selinux_task_wait(struct task_struct *p)
2744 {
2745         u32 perm;
2746
2747         perm = signal_to_av(p->exit_signal);
2748
2749         return task_has_perm(p, current, perm);
2750 }
2751
2752 static void selinux_task_reparent_to_init(struct task_struct *p)
2753 {
2754         struct task_security_struct *tsec;
2755
2756         secondary_ops->task_reparent_to_init(p);
2757
2758         tsec = p->security;
2759         tsec->osid = tsec->sid;
2760         tsec->sid = SECINITSID_KERNEL;
2761         return;
2762 }
2763
2764 static void selinux_task_to_inode(struct task_struct *p,
2765                                   struct inode *inode)
2766 {
2767         struct task_security_struct *tsec = p->security;
2768         struct inode_security_struct *isec = inode->i_security;
2769
2770         isec->sid = tsec->sid;
2771         isec->initialized = 1;
2772         return;
2773 }
2774
2775 #ifdef CONFIG_SECURITY_NETWORK
2776
2777 /* Returns error only if unable to parse addresses */
2778 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2779 {
2780         int offset, ihlen, ret = -EINVAL;
2781         struct iphdr _iph, *ih;
2782
2783         offset = skb->nh.raw - skb->data;
2784         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2785         if (ih == NULL)
2786                 goto out;
2787
2788         ihlen = ih->ihl * 4;
2789         if (ihlen < sizeof(_iph))
2790                 goto out;
2791
2792         ad->u.net.v4info.saddr = ih->saddr;
2793         ad->u.net.v4info.daddr = ih->daddr;
2794         ret = 0;
2795
2796         switch (ih->protocol) {
2797         case IPPROTO_TCP: {
2798                 struct tcphdr _tcph, *th;
2799
2800                 if (ntohs(ih->frag_off) & IP_OFFSET)
2801                         break;
2802
2803                 offset += ihlen;
2804                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2805                 if (th == NULL)
2806                         break;
2807
2808                 ad->u.net.sport = th->source;
2809                 ad->u.net.dport = th->dest;
2810                 break;
2811         }
2812         
2813         case IPPROTO_UDP: {
2814                 struct udphdr _udph, *uh;
2815                 
2816                 if (ntohs(ih->frag_off) & IP_OFFSET)
2817                         break;
2818                         
2819                 offset += ihlen;
2820                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2821                 if (uh == NULL)
2822                         break;  
2823
2824                 ad->u.net.sport = uh->source;
2825                 ad->u.net.dport = uh->dest;
2826                 break;
2827         }
2828
2829         default:
2830                 break;
2831         }
2832 out:
2833         return ret;
2834 }
2835
2836 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2837
2838 /* Returns error only if unable to parse addresses */
2839 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2840 {
2841         u8 nexthdr;
2842         int ret = -EINVAL, offset;
2843         struct ipv6hdr _ipv6h, *ip6;
2844
2845         offset = skb->nh.raw - skb->data;
2846         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2847         if (ip6 == NULL)
2848                 goto out;
2849
2850         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2851         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2852         ret = 0;
2853
2854         nexthdr = ip6->nexthdr;
2855         offset += sizeof(_ipv6h);
2856         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2857         if (offset < 0)
2858                 goto out;
2859
2860         switch (nexthdr) {
2861         case IPPROTO_TCP: {
2862                 struct tcphdr _tcph, *th;
2863
2864                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2865                 if (th == NULL)
2866                         break;
2867
2868                 ad->u.net.sport = th->source;
2869                 ad->u.net.dport = th->dest;
2870                 break;
2871         }
2872
2873         case IPPROTO_UDP: {
2874                 struct udphdr _udph, *uh;
2875
2876                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2877                 if (uh == NULL)
2878                         break;
2879
2880                 ad->u.net.sport = uh->source;
2881                 ad->u.net.dport = uh->dest;
2882                 break;
2883         }
2884
2885         /* includes fragments */
2886         default:
2887                 break;
2888         }
2889 out:
2890         return ret;
2891 }
2892
2893 #endif /* IPV6 */
2894
2895 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2896                              char **addrp, int *len, int src)
2897 {
2898         int ret = 0;
2899
2900         switch (ad->u.net.family) {
2901         case PF_INET:
2902                 ret = selinux_parse_skb_ipv4(skb, ad);
2903                 if (ret || !addrp)
2904                         break;
2905                 *len = 4;
2906                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2907                                         &ad->u.net.v4info.daddr);
2908                 break;
2909
2910 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2911         case PF_INET6:
2912                 ret = selinux_parse_skb_ipv6(skb, ad);
2913                 if (ret || !addrp)
2914                         break;
2915                 *len = 16;
2916                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2917                                         &ad->u.net.v6info.daddr);
2918                 break;
2919 #endif  /* IPV6 */
2920         default:
2921                 break;
2922         }
2923
2924         return ret;
2925 }
2926
2927 /* socket security operations */
2928 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2929                            u32 perms)
2930 {
2931         struct inode_security_struct *isec;
2932         struct task_security_struct *tsec;
2933         struct avc_audit_data ad;
2934         int err = 0;
2935
2936         tsec = task->security;
2937         isec = SOCK_INODE(sock)->i_security;
2938
2939         if (isec->sid == SECINITSID_KERNEL)
2940                 goto out;
2941
2942         AVC_AUDIT_DATA_INIT(&ad,NET);
2943         ad.u.net.sk = sock->sk;
2944         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2945
2946 out:
2947         return err;
2948 }
2949
2950 static int selinux_socket_create(int family, int type,
2951                                  int protocol, int kern)
2952 {
2953         int err = 0;
2954         struct task_security_struct *tsec;
2955
2956         if (kern)
2957                 goto out;
2958
2959         tsec = current->security;
2960         err = avc_has_perm(tsec->sid, tsec->sid,
2961                            socket_type_to_security_class(family, type,
2962                            protocol), SOCKET__CREATE, NULL);
2963
2964 out:
2965         return err;
2966 }
2967
2968 static void selinux_socket_post_create(struct socket *sock, int family,
2969                                        int type, int protocol, int kern)
2970 {
2971         struct inode_security_struct *isec;
2972         struct task_security_struct *tsec;
2973
2974         isec = SOCK_INODE(sock)->i_security;
2975
2976         tsec = current->security;
2977         isec->sclass = socket_type_to_security_class(family, type, protocol);
2978         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2979         isec->initialized = 1;
2980
2981         return;
2982 }
2983
2984 /* Range of port numbers used to automatically bind.
2985    Need to determine whether we should perform a name_bind
2986    permission check between the socket and the port number. */
2987 #define ip_local_port_range_0 sysctl_local_port_range[0]
2988 #define ip_local_port_range_1 sysctl_local_port_range[1]
2989
2990 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2991 {
2992         u16 family;
2993         int err;
2994
2995         err = socket_has_perm(current, sock, SOCKET__BIND);
2996         if (err)
2997                 goto out;
2998
2999         /*
3000          * If PF_INET or PF_INET6, check name_bind permission for the port.
3001          * Multiple address binding for SCTP is not supported yet: we just
3002          * check the first address now.
3003          */
3004         family = sock->sk->sk_family;
3005         if (family == PF_INET || family == PF_INET6) {
3006                 char *addrp;
3007                 struct inode_security_struct *isec;
3008                 struct task_security_struct *tsec;
3009                 struct avc_audit_data ad;
3010                 struct sockaddr_in *addr4 = NULL;
3011                 struct sockaddr_in6 *addr6 = NULL;
3012                 unsigned short snum;
3013                 struct sock *sk = sock->sk;
3014                 u32 sid, node_perm, addrlen;
3015
3016                 tsec = current->security;
3017                 isec = SOCK_INODE(sock)->i_security;
3018
3019                 if (family == PF_INET) {
3020                         addr4 = (struct sockaddr_in *)address;
3021                         snum = ntohs(addr4->sin_port);
3022                         addrlen = sizeof(addr4->sin_addr.s_addr);
3023                         addrp = (char *)&addr4->sin_addr.s_addr;
3024                 } else {
3025                         addr6 = (struct sockaddr_in6 *)address;
3026                         snum = ntohs(addr6->sin6_port);
3027                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3028                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3029                 }
3030
3031                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3032                            snum > ip_local_port_range_1)) {
3033                         err = security_port_sid(sk->sk_family, sk->sk_type,
3034                                                 sk->sk_protocol, snum, &sid);
3035                         if (err)
3036                                 goto out;
3037                         AVC_AUDIT_DATA_INIT(&ad,NET);
3038                         ad.u.net.sport = htons(snum);
3039                         ad.u.net.family = family;
3040                         err = avc_has_perm(isec->sid, sid,
3041                                            isec->sclass,
3042                                            SOCKET__NAME_BIND, &ad);
3043                         if (err)
3044                                 goto out;
3045                 }
3046                 
3047                 switch(isec->sclass) {
3048                 case SECCLASS_TCP_SOCKET:
3049                         node_perm = TCP_SOCKET__NODE_BIND;
3050                         break;
3051                         
3052                 case SECCLASS_UDP_SOCKET:
3053                         node_perm = UDP_SOCKET__NODE_BIND;
3054                         break;
3055                         
3056                 default:
3057                         node_perm = RAWIP_SOCKET__NODE_BIND;
3058                         break;
3059                 }
3060                 
3061                 err = security_node_sid(family, addrp, addrlen, &sid);
3062                 if (err)
3063                         goto out;
3064                 
3065                 AVC_AUDIT_DATA_INIT(&ad,NET);
3066                 ad.u.net.sport = htons(snum);
3067                 ad.u.net.family = family;
3068
3069                 if (family == PF_INET)
3070                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3071                 else
3072                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3073
3074                 err = avc_has_perm(isec->sid, sid,
3075                                    isec->sclass, node_perm, &ad);
3076                 if (err)
3077                         goto out;
3078         }
3079 out:
3080         return err;
3081 }
3082
3083 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3084 {
3085         struct inode_security_struct *isec;
3086         int err;
3087
3088         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3089         if (err)
3090                 return err;
3091
3092         /*
3093          * If a TCP socket, check name_connect permission for the port.
3094          */
3095         isec = SOCK_INODE(sock)->i_security;
3096         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3097                 struct sock *sk = sock->sk;
3098                 struct avc_audit_data ad;
3099                 struct sockaddr_in *addr4 = NULL;
3100                 struct sockaddr_in6 *addr6 = NULL;
3101                 unsigned short snum;
3102                 u32 sid;
3103
3104                 if (sk->sk_family == PF_INET) {
3105                         addr4 = (struct sockaddr_in *)address;
3106                         if (addrlen < sizeof(struct sockaddr_in))
3107                                 return -EINVAL;
3108                         snum = ntohs(addr4->sin_port);
3109                 } else {
3110                         addr6 = (struct sockaddr_in6 *)address;
3111                         if (addrlen < SIN6_LEN_RFC2133)
3112                                 return -EINVAL;
3113                         snum = ntohs(addr6->sin6_port);
3114                 }
3115
3116                 err = security_port_sid(sk->sk_family, sk->sk_type,
3117                                         sk->sk_protocol, snum, &sid);
3118                 if (err)
3119                         goto out;
3120
3121                 AVC_AUDIT_DATA_INIT(&ad,NET);
3122                 ad.u.net.dport = htons(snum);
3123                 ad.u.net.family = sk->sk_family;
3124                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3125                                    TCP_SOCKET__NAME_CONNECT, &ad);
3126                 if (err)
3127                         goto out;
3128         }
3129
3130 out:
3131         return err;
3132 }
3133
3134 static int selinux_socket_listen(struct socket *sock, int backlog)
3135 {
3136         return socket_has_perm(current, sock, SOCKET__LISTEN);
3137 }
3138
3139 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3140 {
3141         int err;
3142         struct inode_security_struct *isec;
3143         struct inode_security_struct *newisec;
3144
3145         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3146         if (err)
3147                 return err;
3148
3149         newisec = SOCK_INODE(newsock)->i_security;
3150
3151         isec = SOCK_INODE(sock)->i_security;
3152         newisec->sclass = isec->sclass;
3153         newisec->sid = isec->sid;
3154         newisec->initialized = 1;
3155
3156         return 0;
3157 }
3158
3159 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3160                                   int size)
3161 {
3162         return socket_has_perm(current, sock, SOCKET__WRITE);
3163 }
3164
3165 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3166                                   int size, int flags)
3167 {
3168         return socket_has_perm(current, sock, SOCKET__READ);
3169 }
3170
3171 static int selinux_socket_getsockname(struct socket *sock)
3172 {
3173         return socket_has_perm(current, sock, SOCKET__GETATTR);
3174 }
3175
3176 static int selinux_socket_getpeername(struct socket *sock)
3177 {
3178         return socket_has_perm(current, sock, SOCKET__GETATTR);
3179 }
3180
3181 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__SETOPT);
3184 }
3185
3186 static int selinux_socket_getsockopt(struct socket *sock, int level,
3187                                      int optname)
3188 {
3189         return socket_has_perm(current, sock, SOCKET__GETOPT);
3190 }
3191
3192 static int selinux_socket_shutdown(struct socket *sock, int how)
3193 {
3194         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3195 }
3196
3197 static int selinux_socket_unix_stream_connect(struct socket *sock,
3198                                               struct socket *other,
3199                                               struct sock *newsk)
3200 {
3201         struct sk_security_struct *ssec;
3202         struct inode_security_struct *isec;
3203         struct inode_security_struct *other_isec;
3204         struct avc_audit_data ad;
3205         int err;
3206
3207         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3208         if (err)
3209                 return err;
3210
3211         isec = SOCK_INODE(sock)->i_security;
3212         other_isec = SOCK_INODE(other)->i_security;
3213
3214         AVC_AUDIT_DATA_INIT(&ad,NET);
3215         ad.u.net.sk = other->sk;
3216
3217         err = avc_has_perm(isec->sid, other_isec->sid,
3218                            isec->sclass,
3219                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3220         if (err)
3221                 return err;
3222
3223         /* connecting socket */
3224         ssec = sock->sk->sk_security;
3225         ssec->peer_sid = other_isec->sid;
3226         
3227         /* server child socket */
3228         ssec = newsk->sk_security;
3229         ssec->peer_sid = isec->sid;
3230         
3231         return 0;
3232 }
3233
3234 static int selinux_socket_unix_may_send(struct socket *sock,
3235                                         struct socket *other)
3236 {
3237         struct inode_security_struct *isec;
3238         struct inode_security_struct *other_isec;
3239         struct avc_audit_data ad;
3240         int err;
3241
3242         isec = SOCK_INODE(sock)->i_security;
3243         other_isec = SOCK_INODE(other)->i_security;
3244
3245         AVC_AUDIT_DATA_INIT(&ad,NET);
3246         ad.u.net.sk = other->sk;
3247
3248         err = avc_has_perm(isec->sid, other_isec->sid,
3249                            isec->sclass, SOCKET__SENDTO, &ad);
3250         if (err)
3251                 return err;
3252
3253         return 0;
3254 }
3255
3256 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3257 {
3258         u16 family;
3259         char *addrp;
3260         int len, err = 0;
3261         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3262         u32 sock_sid = 0;
3263         u16 sock_class = 0;
3264         struct socket *sock;
3265         struct net_device *dev;
3266         struct avc_audit_data ad;
3267
3268         family = sk->sk_family;
3269         if (family != PF_INET && family != PF_INET6)
3270                 goto out;
3271
3272         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3273         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3274                 family = PF_INET;
3275
3276         read_lock_bh(&sk->sk_callback_lock);
3277         sock = sk->sk_socket;
3278         if (sock) {
3279                 struct inode *inode;
3280                 inode = SOCK_INODE(sock);
3281                 if (inode) {
3282                         struct inode_security_struct *isec;
3283                         isec = inode->i_security;
3284                         sock_sid = isec->sid;
3285                         sock_class = isec->sclass;
3286                 }
3287         }
3288         read_unlock_bh(&sk->sk_callback_lock);
3289         if (!sock_sid)
3290                 goto out;
3291
3292         dev = skb->dev;
3293         if (!dev)
3294                 goto out;
3295
3296         err = sel_netif_sids(dev, &if_sid, NULL);
3297         if (err)
3298                 goto out;
3299
3300         switch (sock_class) {
3301         case SECCLASS_UDP_SOCKET:
3302                 netif_perm = NETIF__UDP_RECV;
3303                 node_perm = NODE__UDP_RECV;
3304                 recv_perm = UDP_SOCKET__RECV_MSG;
3305                 break;
3306         
3307         case SECCLASS_TCP_SOCKET:
3308                 netif_perm = NETIF__TCP_RECV;
3309                 node_perm = NODE__TCP_RECV;
3310                 recv_perm = TCP_SOCKET__RECV_MSG;
3311                 break;
3312         
3313         default:
3314                 netif_perm = NETIF__RAWIP_RECV;
3315                 node_perm = NODE__RAWIP_RECV;
3316                 break;
3317         }
3318
3319         AVC_AUDIT_DATA_INIT(&ad, NET);
3320         ad.u.net.netif = dev->name;
3321         ad.u.net.family = family;
3322
3323         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3324         if (err)
3325                 goto out;
3326
3327         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3328         if (err)
3329                 goto out;
3330         
3331         /* Fixme: this lookup is inefficient */
3332         err = security_node_sid(family, addrp, len, &node_sid);
3333         if (err)
3334                 goto out;
3335         
3336         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3337         if (err)
3338                 goto out;
3339
3340         if (recv_perm) {
3341                 u32 port_sid;
3342
3343                 /* Fixme: make this more efficient */
3344                 err = security_port_sid(sk->sk_family, sk->sk_type,
3345                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3346                                         &port_sid);
3347                 if (err)
3348                         goto out;
3349
3350                 err = avc_has_perm(sock_sid, port_sid,
3351                                    sock_class, recv_perm, &ad);
3352         }
3353
3354         if (!err)
3355                 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3356
3357 out:    
3358         return err;
3359 }
3360
3361 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3362                                      int __user *optlen, unsigned len)
3363 {
3364         int err = 0;
3365         char *scontext;
3366         u32 scontext_len;
3367         struct sk_security_struct *ssec;
3368         struct inode_security_struct *isec;
3369
3370         isec = SOCK_INODE(sock)->i_security;
3371         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3372                 err = -ENOPROTOOPT;
3373                 goto out;
3374         }
3375
3376         ssec = sock->sk->sk_security;
3377         
3378         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3379         if (err)
3380                 goto out;
3381
3382         if (scontext_len > len) {
3383                 err = -ERANGE;
3384                 goto out_len;
3385         }
3386
3387         if (copy_to_user(optval, scontext, scontext_len))
3388                 err = -EFAULT;
3389
3390 out_len:
3391         if (put_user(scontext_len, optlen))
3392                 err = -EFAULT;
3393
3394         kfree(scontext);
3395 out:    
3396         return err;
3397 }
3398
3399 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3400 {
3401         return sk_alloc_security(sk, family, priority);
3402 }
3403
3404 static void selinux_sk_free_security(struct sock *sk)
3405 {
3406         sk_free_security(sk);
3407 }
3408
3409 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3410 {
3411         struct inode_security_struct *isec;
3412         u32 sock_sid = SECINITSID_ANY_SOCKET;
3413
3414         if (!sk)
3415                 return selinux_no_sk_sid(fl);
3416
3417         read_lock_bh(&sk->sk_callback_lock);
3418         isec = get_sock_isec(sk);
3419
3420         if (isec)
3421                 sock_sid = isec->sid;
3422
3423         read_unlock_bh(&sk->sk_callback_lock);
3424         return sock_sid;
3425 }
3426
3427 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3428 {
3429         int err = 0;
3430         u32 perm;
3431         struct nlmsghdr *nlh;
3432         struct socket *sock = sk->sk_socket;
3433         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3434         
3435         if (skb->len < NLMSG_SPACE(0)) {
3436                 err = -EINVAL;
3437                 goto out;
3438         }
3439         nlh = (struct nlmsghdr *)skb->data;
3440         
3441         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3442         if (err) {
3443                 if (err == -EINVAL) {
3444                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3445                                   "SELinux:  unrecognized netlink message"
3446                                   " type=%hu for sclass=%hu\n",
3447                                   nlh->nlmsg_type, isec->sclass);
3448                         if (!selinux_enforcing)
3449                                 err = 0;
3450                 }
3451
3452                 /* Ignore */
3453                 if (err == -ENOENT)
3454                         err = 0;
3455                 goto out;
3456         }
3457
3458         err = socket_has_perm(current, sock, perm);
3459 out:
3460         return err;
3461 }
3462
3463 #ifdef CONFIG_NETFILTER
3464
3465 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3466                                               struct sk_buff **pskb,
3467                                               const struct net_device *in,
3468                                               const struct net_device *out,
3469                                               int (*okfn)(struct sk_buff *),
3470                                               u16 family)
3471 {
3472         char *addrp;
3473         int len, err = NF_ACCEPT;
3474         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3475         struct sock *sk;
3476         struct socket *sock;
3477         struct inode *inode;
3478         struct sk_buff *skb = *pskb;
3479         struct inode_security_struct *isec;
3480         struct avc_audit_data ad;
3481         struct net_device *dev = (struct net_device *)out;
3482         
3483         sk = skb->sk;
3484         if (!sk)
3485                 goto out;
3486                 
3487         sock = sk->sk_socket;
3488         if (!sock)
3489                 goto out;
3490                 
3491         inode = SOCK_INODE(sock);
3492         if (!inode)
3493                 goto out;
3494
3495         err = sel_netif_sids(dev, &if_sid, NULL);
3496         if (err)
3497                 goto out;
3498
3499         isec = inode->i_security;
3500         
3501         switch (isec->sclass) {
3502         case SECCLASS_UDP_SOCKET:
3503                 netif_perm = NETIF__UDP_SEND;
3504                 node_perm = NODE__UDP_SEND;
3505                 send_perm = UDP_SOCKET__SEND_MSG;
3506                 break;
3507         
3508         case SECCLASS_TCP_SOCKET:
3509                 netif_perm = NETIF__TCP_SEND;
3510                 node_perm = NODE__TCP_SEND;
3511                 send_perm = TCP_SOCKET__SEND_MSG;
3512                 break;
3513         
3514         default:
3515                 netif_perm = NETIF__RAWIP_SEND;
3516                 node_perm = NODE__RAWIP_SEND;
3517                 break;
3518         }
3519
3520
3521         AVC_AUDIT_DATA_INIT(&ad, NET);
3522         ad.u.net.netif = dev->name;
3523         ad.u.net.family = family;
3524
3525         err = selinux_parse_skb(skb, &ad, &addrp,
3526                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3527         if (err != NF_ACCEPT)
3528                 goto out;
3529
3530         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3531                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532         if (err != NF_ACCEPT)
3533                 goto out;
3534                 
3535         /* Fixme: this lookup is inefficient */
3536         err = security_node_sid(family, addrp, len,
3537                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3538         if (err != NF_ACCEPT)
3539                 goto out;
3540         
3541         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3542                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3543         if (err != NF_ACCEPT)
3544                 goto out;
3545
3546         if (send_perm) {
3547                 u32 port_sid;
3548                 
3549                 /* Fixme: make this more efficient */
3550                 err = security_port_sid(sk->sk_family,
3551                                         sk->sk_type,
3552                                         sk->sk_protocol,
3553                                         ntohs(ad.u.net.dport),
3554                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3555                 if (err != NF_ACCEPT)
3556                         goto out;
3557
3558                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3559                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3560         }
3561
3562         if (err != NF_ACCEPT)
3563                 goto out;
3564
3565         err = selinux_xfrm_postroute_last(isec->sid, skb);
3566
3567 out:
3568         return err;
3569 }
3570
3571 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3572                                                 struct sk_buff **pskb,
3573                                                 const struct net_device *in,
3574                                                 const struct net_device *out,
3575                                                 int (*okfn)(struct sk_buff *))
3576 {
3577         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3578 }
3579
3580 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3581
3582 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3583                                                 struct sk_buff **pskb,
3584                                                 const struct net_device *in,
3585                                                 const struct net_device *out,
3586                                                 int (*okfn)(struct sk_buff *))
3587 {
3588         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3589 }
3590
3591 #endif  /* IPV6 */
3592
3593 #endif  /* CONFIG_NETFILTER */
3594
3595 #else
3596
3597 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3598 {
3599         return 0;
3600 }
3601
3602 #endif  /* CONFIG_SECURITY_NETWORK */
3603
3604 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3605 {
3606         struct task_security_struct *tsec;
3607         struct av_decision avd;
3608         int err;
3609
3610         err = secondary_ops->netlink_send(sk, skb);
3611         if (err)
3612                 return err;
3613
3614         tsec = current->security;
3615
3616         avd.allowed = 0;
3617         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3618                                 SECCLASS_CAPABILITY, ~0, &avd);
3619         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3620
3621         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3622                 err = selinux_nlmsg_perm(sk, skb);
3623
3624         return err;
3625 }
3626
3627 static int selinux_netlink_recv(struct sk_buff *skb)
3628 {
3629         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3630                 return -EPERM;
3631         return 0;
3632 }
3633
3634 static int ipc_alloc_security(struct task_struct *task,
3635                               struct kern_ipc_perm *perm,
3636                               u16 sclass)
3637 {
3638         struct task_security_struct *tsec = task->security;
3639         struct ipc_security_struct *isec;
3640
3641         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3642         if (!isec)
3643                 return -ENOMEM;
3644
3645         isec->magic = SELINUX_MAGIC;
3646         isec->sclass = sclass;
3647         isec->ipc_perm = perm;
3648         if (tsec) {
3649                 isec->sid = tsec->sid;
3650         } else {
3651                 isec->sid = SECINITSID_UNLABELED;
3652         }
3653         perm->security = isec;
3654
3655         return 0;
3656 }
3657
3658 static void ipc_free_security(struct kern_ipc_perm *perm)
3659 {
3660         struct ipc_security_struct *isec = perm->security;
3661         if (!isec || isec->magic != SELINUX_MAGIC)
3662                 return;
3663
3664         perm->security = NULL;
3665         kfree(isec);
3666 }
3667
3668 static int msg_msg_alloc_security(struct msg_msg *msg)
3669 {
3670         struct msg_security_struct *msec;
3671
3672         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3673         if (!msec)
3674                 return -ENOMEM;
3675
3676         msec->magic = SELINUX_MAGIC;
3677         msec->msg = msg;
3678         msec->sid = SECINITSID_UNLABELED;
3679         msg->security = msec;
3680
3681         return 0;
3682 }
3683
3684 static void msg_msg_free_security(struct msg_msg *msg)
3685 {
3686         struct msg_security_struct *msec = msg->security;
3687         if (!msec || msec->magic != SELINUX_MAGIC)
3688                 return;
3689
3690         msg->security = NULL;
3691         kfree(msec);
3692 }
3693
3694 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3695                         u32 perms)
3696 {
3697         struct task_security_struct *tsec;
3698         struct ipc_security_struct *isec;
3699         struct avc_audit_data ad;
3700
3701         tsec = current->security;
3702         isec = ipc_perms->security;
3703
3704         AVC_AUDIT_DATA_INIT(&ad, IPC);
3705         ad.u.ipc_id = ipc_perms->key;
3706
3707         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3708 }
3709
3710 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3711 {
3712         return msg_msg_alloc_security(msg);
3713 }
3714
3715 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3716 {
3717         msg_msg_free_security(msg);
3718 }
3719
3720 /* message queue security operations */
3721 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3722 {
3723         struct task_security_struct *tsec;
3724         struct ipc_security_struct *isec;
3725         struct avc_audit_data ad;
3726         int rc;
3727
3728         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3729         if (rc)
3730                 return rc;
3731
3732         tsec = current->security;
3733         isec = msq->q_perm.security;
3734
3735         AVC_AUDIT_DATA_INIT(&ad, IPC);
3736         ad.u.ipc_id = msq->q_perm.key;
3737
3738         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3739                           MSGQ__CREATE, &ad);
3740         if (rc) {
3741                 ipc_free_security(&msq->q_perm);
3742                 return rc;
3743         }
3744         return 0;
3745 }
3746
3747 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3748 {
3749         ipc_free_security(&msq->q_perm);
3750 }
3751
3752 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3753 {
3754         struct task_security_struct *tsec;
3755         struct ipc_security_struct *isec;
3756         struct avc_audit_data ad;
3757
3758         tsec = current->security;
3759         isec = msq->q_perm.security;
3760
3761         AVC_AUDIT_DATA_INIT(&ad, IPC);
3762         ad.u.ipc_id = msq->q_perm.key;
3763
3764         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3765                             MSGQ__ASSOCIATE, &ad);
3766 }
3767
3768 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3769 {
3770         int err;
3771         int perms;
3772
3773         switch(cmd) {
3774         case IPC_INFO:
3775         case MSG_INFO:
3776                 /* No specific object, just general system-wide information. */
3777                 return task_has_system(current, SYSTEM__IPC_INFO);
3778         case IPC_STAT:
3779         case MSG_STAT:
3780                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3781                 break;
3782         case IPC_SET:
3783                 perms = MSGQ__SETATTR;
3784                 break;
3785         case IPC_RMID:
3786                 perms = MSGQ__DESTROY;
3787                 break;
3788         default:
3789                 return 0;
3790         }
3791
3792         err = ipc_has_perm(&msq->q_perm, perms);
3793         return err;
3794 }
3795
3796 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3797 {
3798         struct task_security_struct *tsec;
3799         struct ipc_security_struct *isec;
3800         struct msg_security_struct *msec;
3801         struct avc_audit_data ad;
3802         int rc;
3803
3804         tsec = current->security;
3805         isec = msq->q_perm.security;
3806         msec = msg->security;
3807
3808         /*
3809          * First time through, need to assign label to the message
3810          */
3811         if (msec->sid == SECINITSID_UNLABELED) {
3812                 /*
3813                  * Compute new sid based on current process and
3814                  * message queue this message will be stored in
3815                  */
3816                 rc = security_transition_sid(tsec->sid,
3817                                              isec->sid,
3818                                              SECCLASS_MSG,
3819                                              &msec->sid);
3820                 if (rc)
3821                         return rc;
3822         }
3823
3824         AVC_AUDIT_DATA_INIT(&ad, IPC);
3825         ad.u.ipc_id = msq->q_perm.key;
3826
3827         /* Can this process write to the queue? */
3828         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3829                           MSGQ__WRITE, &ad);
3830         if (!rc)
3831                 /* Can this process send the message */
3832                 rc = avc_has_perm(tsec->sid, msec->sid,
3833                                   SECCLASS_MSG, MSG__SEND, &ad);
3834         if (!rc)
3835                 /* Can the message be put in the queue? */
3836                 rc = avc_has_perm(msec->sid, isec->sid,
3837                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3838
3839         return rc;
3840 }
3841
3842 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3843                                     struct task_struct *target,
3844                                     long type, int mode)
3845 {
3846         struct task_security_struct *tsec;
3847         struct ipc_security_struct *isec;
3848         struct msg_security_struct *msec;
3849         struct avc_audit_data ad;
3850         int rc;
3851
3852         tsec = target->security;
3853         isec = msq->q_perm.security;
3854         msec = msg->security;
3855
3856         AVC_AUDIT_DATA_INIT(&ad, IPC);
3857         ad.u.ipc_id = msq->q_perm.key;
3858
3859         rc = avc_has_perm(tsec->sid, isec->sid,
3860                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3861         if (!rc)
3862                 rc = avc_has_perm(tsec->sid, msec->sid,
3863                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3864         return rc;
3865 }
3866
3867 /* Shared Memory security operations */
3868 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3869 {
3870         struct task_security_struct *tsec;
3871         struct ipc_security_struct *isec;
3872         struct avc_audit_data ad;
3873         int rc;
3874
3875         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3876         if (rc)
3877                 return rc;
3878
3879         tsec = current->security;
3880         isec = shp->shm_perm.security;
3881
3882         AVC_AUDIT_DATA_INIT(&ad, IPC);
3883         ad.u.ipc_id = shp->shm_perm.key;
3884
3885         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3886                           SHM__CREATE, &ad);
3887         if (rc) {
3888                 ipc_free_security(&shp->shm_perm);
3889                 return rc;
3890         }
3891         return 0;
3892 }
3893
3894 static void selinux_shm_free_security(struct shmid_kernel *shp)
3895 {
3896         ipc_free_security(&shp->shm_perm);
3897 }
3898
3899 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3900 {
3901         struct task_security_struct *tsec;
3902         struct ipc_security_struct *isec;
3903         struct avc_audit_data ad;
3904
3905         tsec = current->security;
3906         isec = shp->shm_perm.security;
3907
3908         AVC_AUDIT_DATA_INIT(&ad, IPC);
3909         ad.u.ipc_id = shp->shm_perm.key;
3910
3911         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3912                             SHM__ASSOCIATE, &ad);
3913 }
3914
3915 /* Note, at this point, shp is locked down */
3916 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3917 {
3918         int perms;
3919         int err;
3920
3921         switch(cmd) {
3922         case IPC_INFO:
3923         case SHM_INFO:
3924                 /* No specific object, just general system-wide information. */
3925                 return task_has_system(current, SYSTEM__IPC_INFO);
3926         case IPC_STAT:
3927         case SHM_STAT:
3928                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3929                 break;
3930         case IPC_SET:
3931                 perms = SHM__SETATTR;
3932                 break;
3933         case SHM_LOCK:
3934         case SHM_UNLOCK:
3935                 perms = SHM__LOCK;
3936                 break;
3937         case IPC_RMID:
3938                 perms = SHM__DESTROY;
3939                 break;
3940         default:
3941                 return 0;
3942         }
3943
3944         err = ipc_has_perm(&shp->shm_perm, perms);
3945         return err;
3946 }
3947
3948 static int selinux_shm_shmat(struct shmid_kernel *shp,
3949                              char __user *shmaddr, int shmflg)
3950 {
3951         u32 perms;
3952         int rc;
3953
3954         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3955         if (rc)
3956                 return rc;
3957
3958         if (shmflg & SHM_RDONLY)
3959                 perms = SHM__READ;
3960         else
3961                 perms = SHM__READ | SHM__WRITE;
3962
3963         return ipc_has_perm(&shp->shm_perm, perms);
3964 }
3965
3966 /* Semaphore security operations */
3967 static int selinux_sem_alloc_security(struct sem_array *sma)
3968 {
3969         struct task_security_struct *tsec;
3970         struct ipc_security_struct *isec;
3971         struct avc_audit_data ad;
3972         int rc;
3973
3974         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3975         if (rc)
3976                 return rc;
3977
3978         tsec = current->security;
3979         isec = sma->sem_perm.security;
3980
3981         AVC_AUDIT_DATA_INIT(&ad, IPC);
3982         ad.u.ipc_id = sma->sem_perm.key;
3983
3984         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3985                           SEM__CREATE, &ad);
3986         if (rc) {
3987                 ipc_free_security(&sma->sem_perm);
3988                 return rc;
3989         }
3990         return 0;
3991 }
3992
3993 static void selinux_sem_free_security(struct sem_array *sma)
3994 {
3995         ipc_free_security(&sma->sem_perm);
3996 }
3997
3998 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3999 {
4000         struct task_security_struct *tsec;
4001         struct ipc_security_struct *isec;
4002         struct avc_audit_data ad;
4003
4004         tsec = current->security;
4005         isec = sma->sem_perm.security;
4006
4007         AVC_AUDIT_DATA_INIT(&ad, IPC);
4008         ad.u.ipc_id = sma->sem_perm.key;
4009
4010         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4011                             SEM__ASSOCIATE, &ad);
4012 }
4013
4014 /* Note, at this point, sma is locked down */
4015 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4016 {
4017         int err;
4018         u32 perms;
4019
4020         switch(cmd) {
4021         case IPC_INFO:
4022         case SEM_INFO:
4023                 /* No specific object, just general system-wide information. */
4024                 return task_has_system(current, SYSTEM__IPC_INFO);
4025         case GETPID:
4026         case GETNCNT:
4027         case GETZCNT:
4028                 perms = SEM__GETATTR;
4029                 break;
4030         case GETVAL:
4031         case GETALL:
4032                 perms = SEM__READ;
4033                 break;
4034         case SETVAL:
4035         case SETALL:
4036                 perms = SEM__WRITE;
4037                 break;
4038         case IPC_RMID:
4039                 perms = SEM__DESTROY;
4040                 break;
4041         case IPC_SET:
4042                 perms = SEM__SETATTR;
4043                 break;
4044         case IPC_STAT:
4045         case SEM_STAT:
4046                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4047                 break;
4048         default:
4049                 return 0;
4050         }
4051
4052         err = ipc_has_perm(&sma->sem_perm, perms);
4053         return err;
4054 }
4055
4056 static int selinux_sem_semop(struct sem_array *sma,
4057                              struct sembuf *sops, unsigned nsops, int alter)
4058 {
4059         u32 perms;
4060
4061         if (alter)
4062                 perms = SEM__READ | SEM__WRITE;
4063         else
4064                 perms = SEM__READ;
4065
4066         return ipc_has_perm(&sma->sem_perm, perms);
4067 }
4068
4069 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4070 {
4071         u32 av = 0;
4072
4073         av = 0;
4074         if (flag & S_IRUGO)
4075                 av |= IPC__UNIX_READ;
4076         if (flag & S_IWUGO)
4077                 av |= IPC__UNIX_WRITE;
4078
4079         if (av == 0)
4080                 return 0;
4081
4082         return ipc_has_perm(ipcp, av);
4083 }
4084
4085 /* module stacking operations */
4086 static int selinux_register_security (const char *name, struct security_operations *ops)
4087 {
4088         if (secondary_ops != original_ops) {
4089                 printk(KERN_INFO "%s:  There is already a secondary security "
4090                        "module registered.\n", __FUNCTION__);
4091                 return -EINVAL;
4092         }
4093
4094         secondary_ops = ops;
4095
4096         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4097                __FUNCTION__,
4098                name);
4099
4100         return 0;
4101 }
4102
4103 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4104 {
4105         if (ops != secondary_ops) {
4106                 printk (KERN_INFO "%s:  trying to unregister a security module "
4107                         "that is not registered.\n", __FUNCTION__);
4108                 return -EINVAL;
4109         }
4110
4111         secondary_ops = original_ops;
4112
4113         return 0;
4114 }
4115
4116 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4117 {
4118         if (inode)
4119                 inode_doinit_with_dentry(inode, dentry);
4120 }
4121
4122 static int selinux_getprocattr(struct task_struct *p,
4123                                char *name, void *value, size_t size)
4124 {
4125         struct task_security_struct *tsec;
4126         u32 sid, len;
4127         char *context;
4128         int error;
4129
4130         if (current != p) {
4131                 error = task_has_perm(current, p, PROCESS__GETATTR);
4132                 if (error)
4133                         return error;
4134         }
4135
4136         if (!size)
4137                 return -ERANGE;
4138
4139         tsec = p->security;
4140
4141         if (!strcmp(name, "current"))
4142                 sid = tsec->sid;
4143         else if (!strcmp(name, "prev"))
4144                 sid = tsec->osid;
4145         else if (!strcmp(name, "exec"))
4146                 sid = tsec->exec_sid;
4147         else if (!strcmp(name, "fscreate"))
4148                 sid = tsec->create_sid;
4149         else
4150                 return -EINVAL;
4151
4152         if (!sid)
4153                 return 0;
4154
4155         error = security_sid_to_context(sid, &context, &len);
4156         if (error)
4157                 return error;
4158         if (len > size) {
4159                 kfree(context);
4160                 return -ERANGE;
4161         }
4162         memcpy(value, context, len);
4163         kfree(context);
4164         return len;
4165 }
4166
4167 static int selinux_setprocattr(struct task_struct *p,
4168                                char *name, void *value, size_t size)
4169 {
4170         struct task_security_struct *tsec;
4171         u32 sid = 0;
4172         int error;
4173         char *str = value;
4174
4175         if (current != p) {
4176                 /* SELinux only allows a process to change its own
4177                    security attributes. */
4178                 return -EACCES;
4179         }
4180
4181         /*
4182          * Basic control over ability to set these attributes at all.
4183          * current == p, but we'll pass them separately in case the
4184          * above restriction is ever removed.
4185          */
4186         if (!strcmp(name, "exec"))
4187                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4188         else if (!strcmp(name, "fscreate"))
4189                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4190         else if (!strcmp(name, "current"))
4191                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4192         else
4193                 error = -EINVAL;
4194         if (error)
4195                 return error;
4196
4197         /* Obtain a SID for the context, if one was specified. */
4198         if (size && str[1] && str[1] != '\n') {
4199                 if (str[size-1] == '\n') {
4200                         str[size-1] = 0;
4201                         size--;
4202                 }
4203                 error = security_context_to_sid(value, size, &sid);
4204                 if (error)
4205                         return error;
4206         }
4207
4208         /* Permission checking based on the specified context is
4209            performed during the actual operation (execve,
4210            open/mkdir/...), when we know the full context of the
4211            operation.  See selinux_bprm_set_security for the execve
4212            checks and may_create for the file creation checks. The
4213            operation will then fail if the context is not permitted. */
4214         tsec = p->security;
4215         if (!strcmp(name, "exec"))
4216                 tsec->exec_sid = sid;
4217         else if (!strcmp(name, "fscreate"))
4218                 tsec->create_sid = sid;
4219         else if (!strcmp(name, "current")) {
4220                 struct av_decision avd;
4221
4222                 if (sid == 0)
4223                         return -EINVAL;
4224
4225                 /* Only allow single threaded processes to change context */
4226                 if (atomic_read(&p->mm->mm_users) != 1) {
4227                         struct task_struct *g, *t;
4228                         struct mm_struct *mm = p->mm;
4229                         read_lock(&tasklist_lock);
4230                         do_each_thread(g, t)
4231                                 if (t->mm == mm && t != p) {
4232                                         read_unlock(&tasklist_lock);
4233                                         return -EPERM;
4234                                 }
4235                         while_each_thread(g, t);
4236                         read_unlock(&tasklist_lock);
4237                 }
4238
4239                 /* Check permissions for the transition. */
4240                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4241                                      PROCESS__DYNTRANSITION, NULL);
4242                 if (error)
4243                         return error;
4244
4245                 /* Check for ptracing, and update the task SID if ok.
4246                    Otherwise, leave SID unchanged and fail. */
4247                 task_lock(p);
4248                 if (p->ptrace & PT_PTRACED) {
4249                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4250                                                      SECCLASS_PROCESS,
4251                                                      PROCESS__PTRACE, &avd);
4252                         if (!error)
4253                                 tsec->sid = sid;
4254                         task_unlock(p);
4255                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4256                                   PROCESS__PTRACE, &avd, error, NULL);
4257                         if (error)
4258                                 return error;
4259                 } else {
4260                         tsec->sid = sid;
4261                         task_unlock(p);
4262                 }
4263         }
4264         else
4265                 return -EINVAL;
4266
4267         return size;
4268 }
4269
4270 static struct security_operations selinux_ops = {
4271         .ptrace =                       selinux_ptrace,
4272         .capget =                       selinux_capget,
4273         .capset_check =                 selinux_capset_check,
4274         .capset_set =                   selinux_capset_set,
4275         .sysctl =                       selinux_sysctl,
4276         .capable =                      selinux_capable,
4277         .quotactl =                     selinux_quotactl,
4278         .quota_on =                     selinux_quota_on,
4279         .syslog =                       selinux_syslog,
4280         .vm_enough_memory =             selinux_vm_enough_memory,
4281
4282         .netlink_send =                 selinux_netlink_send,
4283         .netlink_recv =                 selinux_netlink_recv,
4284
4285         .bprm_alloc_security =          selinux_bprm_alloc_security,
4286         .bprm_free_security =           selinux_bprm_free_security,
4287         .bprm_apply_creds =             selinux_bprm_apply_creds,
4288         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4289         .bprm_set_security =            selinux_bprm_set_security,
4290         .bprm_check_security =          selinux_bprm_check_security,
4291         .bprm_secureexec =              selinux_bprm_secureexec,
4292
4293         .sb_alloc_security =            selinux_sb_alloc_security,
4294         .sb_free_security =             selinux_sb_free_security,
4295         .sb_copy_data =                 selinux_sb_copy_data,
4296         .sb_kern_mount =                selinux_sb_kern_mount,
4297         .sb_statfs =                    selinux_sb_statfs,
4298         .sb_mount =                     selinux_mount,
4299         .sb_umount =                    selinux_umount,
4300
4301         .inode_alloc_security =         selinux_inode_alloc_security,
4302         .inode_free_security =          selinux_inode_free_security,
4303         .inode_init_security =          selinux_inode_init_security,
4304         .inode_create =                 selinux_inode_create,
4305         .inode_link =                   selinux_inode_link,
4306         .inode_unlink =                 selinux_inode_unlink,
4307         .inode_symlink =                selinux_inode_symlink,
4308         .inode_mkdir =                  selinux_inode_mkdir,
4309         .inode_rmdir =                  selinux_inode_rmdir,
4310         .inode_mknod =                  selinux_inode_mknod,
4311         .inode_rename =                 selinux_inode_rename,
4312         .inode_readlink =               selinux_inode_readlink,
4313         .inode_follow_link =            selinux_inode_follow_link,
4314         .inode_permission =             selinux_inode_permission,
4315         .inode_setattr =                selinux_inode_setattr,
4316         .inode_getattr =                selinux_inode_getattr,
4317         .inode_setxattr =               selinux_inode_setxattr,
4318         .inode_post_setxattr =          selinux_inode_post_setxattr,
4319         .inode_getxattr =               selinux_inode_getxattr,
4320         .inode_listxattr =              selinux_inode_listxattr,
4321         .inode_removexattr =            selinux_inode_removexattr,
4322         .inode_getsecurity =            selinux_inode_getsecurity,
4323         .inode_setsecurity =            selinux_inode_setsecurity,
4324         .inode_listsecurity =           selinux_inode_listsecurity,
4325
4326         .file_permission =              selinux_file_permission,
4327         .file_alloc_security =          selinux_file_alloc_security,
4328         .file_free_security =           selinux_file_free_security,
4329         .file_ioctl =                   selinux_file_ioctl,
4330         .file_mmap =                    selinux_file_mmap,
4331         .file_mprotect =                selinux_file_mprotect,
4332         .file_lock =                    selinux_file_lock,
4333         .file_fcntl =                   selinux_file_fcntl,
4334         .file_set_fowner =              selinux_file_set_fowner,
4335         .file_send_sigiotask =          selinux_file_send_sigiotask,
4336         .file_receive =                 selinux_file_receive,
4337
4338         .task_create =                  selinux_task_create,
4339         .task_alloc_security =          selinux_task_alloc_security,
4340         .task_free_security =           selinux_task_free_security,
4341         .task_setuid =                  selinux_task_setuid,
4342         .task_post_setuid =             selinux_task_post_setuid,
4343         .task_setgid =                  selinux_task_setgid,
4344         .task_setpgid =                 selinux_task_setpgid,
4345         .task_getpgid =                 selinux_task_getpgid,
4346         .task_getsid =                  selinux_task_getsid,
4347         .task_setgroups =               selinux_task_setgroups,
4348         .task_setnice =                 selinux_task_setnice,
4349         .task_setrlimit =               selinux_task_setrlimit,
4350         .task_setscheduler =            selinux_task_setscheduler,
4351         .task_getscheduler =            selinux_task_getscheduler,
4352         .task_kill =                    selinux_task_kill,
4353         .task_wait =                    selinux_task_wait,
4354         .task_prctl =                   selinux_task_prctl,
4355         .task_reparent_to_init =        selinux_task_reparent_to_init,
4356         .task_to_inode =                selinux_task_to_inode,
4357
4358         .ipc_permission =               selinux_ipc_permission,
4359
4360         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4361         .msg_msg_free_security =        selinux_msg_msg_free_security,
4362
4363         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4364         .msg_queue_free_security =      selinux_msg_queue_free_security,
4365         .msg_queue_associate =          selinux_msg_queue_associate,
4366         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4367         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4368         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4369
4370         .shm_alloc_security =           selinux_shm_alloc_security,
4371         .shm_free_security =            selinux_shm_free_security,
4372         .shm_associate =                selinux_shm_associate,
4373         .shm_shmctl =                   selinux_shm_shmctl,
4374         .shm_shmat =                    selinux_shm_shmat,
4375
4376         .sem_alloc_security =           selinux_sem_alloc_security,
4377         .sem_free_security =            selinux_sem_free_security,
4378         .sem_associate =                selinux_sem_associate,
4379         .sem_semctl =                   selinux_sem_semctl,
4380         .sem_semop =                    selinux_sem_semop,
4381
4382         .register_security =            selinux_register_security,
4383         .unregister_security =          selinux_unregister_security,
4384
4385         .d_instantiate =                selinux_d_instantiate,
4386
4387         .getprocattr =                  selinux_getprocattr,
4388         .setprocattr =                  selinux_setprocattr,
4389
4390 #ifdef CONFIG_SECURITY_NETWORK
4391         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4392         .unix_may_send =                selinux_socket_unix_may_send,
4393
4394         .socket_create =                selinux_socket_create,
4395         .socket_post_create =           selinux_socket_post_create,
4396         .socket_bind =                  selinux_socket_bind,
4397         .socket_connect =               selinux_socket_connect,
4398         .socket_listen =                selinux_socket_listen,
4399         .socket_accept =                selinux_socket_accept,
4400         .socket_sendmsg =               selinux_socket_sendmsg,
4401         .socket_recvmsg =               selinux_socket_recvmsg,
4402         .socket_getsockname =           selinux_socket_getsockname,
4403         .socket_getpeername =           selinux_socket_getpeername,
4404         .socket_getsockopt =            selinux_socket_getsockopt,
4405         .socket_setsockopt =            selinux_socket_setsockopt,
4406         .socket_shutdown =              selinux_socket_shutdown,
4407         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4408         .socket_getpeersec =            selinux_socket_getpeersec,
4409         .sk_alloc_security =            selinux_sk_alloc_security,
4410         .sk_free_security =             selinux_sk_free_security,
4411         .sk_getsid =                    selinux_sk_getsid_security,
4412 #endif
4413
4414 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4415         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4416         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4417         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4418         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4419         .xfrm_state_free_security =     selinux_xfrm_state_free,
4420         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4421 #endif
4422 };
4423
4424 static __init int selinux_init(void)
4425 {
4426         struct task_security_struct *tsec;
4427
4428         if (!selinux_enabled) {
4429                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4430                 return 0;
4431         }
4432
4433         printk(KERN_INFO "SELinux:  Initializing.\n");
4434
4435         /* Set the security state for the initial task. */
4436         if (task_alloc_security(current))
4437                 panic("SELinux:  Failed to initialize initial task.\n");
4438         tsec = current->security;
4439         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4440
4441         avc_init();
4442
4443         original_ops = secondary_ops = security_ops;
4444         if (!secondary_ops)
4445                 panic ("SELinux: No initial security operations\n");
4446         if (register_security (&selinux_ops))
4447                 panic("SELinux: Unable to register with kernel.\n");
4448
4449         if (selinux_enforcing) {
4450                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4451         } else {
4452                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4453         }
4454         return 0;
4455 }
4456
4457 void selinux_complete_init(void)
4458 {
4459         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4460
4461         /* Set up any superblocks initialized prior to the policy load. */
4462         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4463         spin_lock(&sb_security_lock);
4464 next_sb:
4465         if (!list_empty(&superblock_security_head)) {
4466                 struct superblock_security_struct *sbsec =
4467                                 list_entry(superblock_security_head.next,
4468                                            struct superblock_security_struct,
4469                                            list);
4470                 struct super_block *sb = sbsec->sb;
4471                 spin_lock(&sb_lock);
4472                 sb->s_count++;
4473                 spin_unlock(&sb_lock);
4474                 spin_unlock(&sb_security_lock);
4475                 down_read(&sb->s_umount);
4476                 if (sb->s_root)
4477                         superblock_doinit(sb, NULL);
4478                 drop_super(sb);
4479                 spin_lock(&sb_security_lock);
4480                 list_del_init(&sbsec->list);
4481                 goto next_sb;
4482         }
4483         spin_unlock(&sb_security_lock);
4484 }
4485
4486 /* SELinux requires early initialization in order to label
4487    all processes and objects when they are created. */
4488 security_initcall(selinux_init);
4489
4490 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4491
4492 static struct nf_hook_ops selinux_ipv4_op = {
4493         .hook =         selinux_ipv4_postroute_last,
4494         .owner =        THIS_MODULE,
4495         .pf =           PF_INET,
4496         .hooknum =      NF_IP_POST_ROUTING,
4497         .priority =     NF_IP_PRI_SELINUX_LAST,
4498 };
4499
4500 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4501
4502 static struct nf_hook_ops selinux_ipv6_op = {
4503         .hook =         selinux_ipv6_postroute_last,
4504         .owner =        THIS_MODULE,
4505         .pf =           PF_INET6,
4506         .hooknum =      NF_IP6_POST_ROUTING,
4507         .priority =     NF_IP6_PRI_SELINUX_LAST,
4508 };
4509
4510 #endif  /* IPV6 */
4511
4512 static int __init selinux_nf_ip_init(void)
4513 {
4514         int err = 0;
4515
4516         if (!selinux_enabled)
4517                 goto out;
4518                 
4519         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4520         
4521         err = nf_register_hook(&selinux_ipv4_op);
4522         if (err)
4523                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4524
4525 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4526
4527         err = nf_register_hook(&selinux_ipv6_op);
4528         if (err)
4529                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4530
4531 #endif  /* IPV6 */
4532
4533 out:
4534         return err;
4535 }
4536
4537 __initcall(selinux_nf_ip_init);
4538
4539 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4540 static void selinux_nf_ip_exit(void)
4541 {
4542         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4543
4544         nf_unregister_hook(&selinux_ipv4_op);
4545 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4546         nf_unregister_hook(&selinux_ipv6_op);
4547 #endif  /* IPV6 */
4548 }
4549 #endif
4550
4551 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4552
4553 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4554 #define selinux_nf_ip_exit()
4555 #endif
4556
4557 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4558
4559 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4560 int selinux_disable(void)
4561 {
4562         extern void exit_sel_fs(void);
4563         static int selinux_disabled = 0;
4564
4565         if (ss_initialized) {
4566                 /* Not permitted after initial policy load. */
4567                 return -EINVAL;
4568         }
4569
4570         if (selinux_disabled) {
4571                 /* Only do this once. */
4572                 return -EINVAL;
4573         }
4574
4575         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4576
4577         selinux_disabled = 1;
4578
4579         /* Reset security_ops to the secondary module, dummy or capability. */
4580         security_ops = secondary_ops;
4581
4582         /* Unregister netfilter hooks. */
4583         selinux_nf_ip_exit();
4584
4585         /* Unregister selinuxfs. */
4586         exit_sel_fs();
4587
4588         return 0;
4589 }
4590 #endif
4591
4592