]> err.no Git - linux-2.6/blob - security/selinux/hooks.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394...
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         selinux_enforcing = simple_strtol(str, NULL, 0);
107         return 1;
108 }
109 __setup("enforcing=", enforcing_setup);
110 #endif
111
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115 static int __init selinux_enabled_setup(char *str)
116 {
117         selinux_enabled = simple_strtol(str, NULL, 0);
118         return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 /* Original (dummy) security module. */
126 static struct security_operations *original_ops;
127
128 /* Minimal support for a secondary security module,
129    just to allow the use of the dummy or capability modules.
130    The owlsm module can alternatively be used as a secondary
131    module as long as CONFIG_OWLSM_FD is not enabled. */
132 static struct security_operations *secondary_ops;
133
134 /* Lists of inode and superblock security structures initialized
135    before the policy was loaded. */
136 static LIST_HEAD(superblock_security_head);
137 static DEFINE_SPINLOCK(sb_security_lock);
138
139 static struct kmem_cache *sel_inode_cache;
140
141 /**
142  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143  *
144  * Description:
145  * This function checks the SECMARK reference counter to see if any SECMARK
146  * targets are currently configured, if the reference counter is greater than
147  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
148  * enabled, false (0) if SECMARK is disabled.
149  *
150  */
151 static int selinux_secmark_enabled(void)
152 {
153         return (atomic_read(&selinux_secmark_refcount) > 0);
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160         struct task_security_struct *tsec;
161
162         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163         if (!tsec)
164                 return -ENOMEM;
165
166         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
167         task->security = tsec;
168
169         return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174         struct task_security_struct *tsec = task->security;
175         task->security = NULL;
176         kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181         struct task_security_struct *tsec = current->security;
182         struct inode_security_struct *isec;
183
184         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
185         if (!isec)
186                 return -ENOMEM;
187
188         mutex_init(&isec->lock);
189         INIT_LIST_HEAD(&isec->list);
190         isec->inode = inode;
191         isec->sid = SECINITSID_UNLABELED;
192         isec->sclass = SECCLASS_FILE;
193         isec->task_sid = tsec->sid;
194         inode->i_security = isec;
195
196         return 0;
197 }
198
199 static void inode_free_security(struct inode *inode)
200 {
201         struct inode_security_struct *isec = inode->i_security;
202         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
204         spin_lock(&sbsec->isec_lock);
205         if (!list_empty(&isec->list))
206                 list_del_init(&isec->list);
207         spin_unlock(&sbsec->isec_lock);
208
209         inode->i_security = NULL;
210         kmem_cache_free(sel_inode_cache, isec);
211 }
212
213 static int file_alloc_security(struct file *file)
214 {
215         struct task_security_struct *tsec = current->security;
216         struct file_security_struct *fsec;
217
218         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
219         if (!fsec)
220                 return -ENOMEM;
221
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         ssec->sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         selinux_netlbl_sk_security_reset(ssec, family);
283
284         return 0;
285 }
286
287 static void sk_free_security(struct sock *sk)
288 {
289         struct sk_security_struct *ssec = sk->sk_security;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296    any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302         "uses xattr",
303         "uses transition SIDs",
304         "uses task SIDs",
305         "uses genfs_contexts",
306         "not configured for labeling",
307         "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314         return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318         Opt_error = -1,
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 3,
322         Opt_rootcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, CONTEXT_STR "%s"},
327         {Opt_fscontext, FSCONTEXT_STR "%s"},
328         {Opt_defcontext, DEFCONTEXT_STR "%s"},
329         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
330         {Opt_error, NULL},
331 };
332
333 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
334
335 static int may_context_mount_sb_relabel(u32 sid,
336                         struct superblock_security_struct *sbsec,
337                         struct task_security_struct *tsec)
338 {
339         int rc;
340
341         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELFROM, NULL);
343         if (rc)
344                 return rc;
345
346         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELTO, NULL);
348         return rc;
349 }
350
351 static int may_context_mount_inode_relabel(u32 sid,
352                         struct superblock_security_struct *sbsec,
353                         struct task_security_struct *tsec)
354 {
355         int rc;
356         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__RELABELFROM, NULL);
358         if (rc)
359                 return rc;
360
361         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__ASSOCIATE, NULL);
363         return rc;
364 }
365
366 static int sb_finish_set_opts(struct super_block *sb)
367 {
368         struct superblock_security_struct *sbsec = sb->s_security;
369         struct dentry *root = sb->s_root;
370         struct inode *root_inode = root->d_inode;
371         int rc = 0;
372
373         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
374                 /* Make sure that the xattr handler exists and that no
375                    error other than -ENODATA is returned by getxattr on
376                    the root directory.  -ENODATA is ok, as this may be
377                    the first boot of the SELinux kernel before we have
378                    assigned xattr values to the filesystem. */
379                 if (!root_inode->i_op->getxattr) {
380                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
381                                "xattr support\n", sb->s_id, sb->s_type->name);
382                         rc = -EOPNOTSUPP;
383                         goto out;
384                 }
385                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
386                 if (rc < 0 && rc != -ENODATA) {
387                         if (rc == -EOPNOTSUPP)
388                                 printk(KERN_WARNING "SELinux: (dev %s, type "
389                                        "%s) has no security xattr handler\n",
390                                        sb->s_id, sb->s_type->name);
391                         else
392                                 printk(KERN_WARNING "SELinux: (dev %s, type "
393                                        "%s) getxattr errno %d\n", sb->s_id,
394                                        sb->s_type->name, -rc);
395                         goto out;
396                 }
397         }
398
399         sbsec->initialized = 1;
400
401         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
403                        sb->s_id, sb->s_type->name);
404         else
405                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
406                        sb->s_id, sb->s_type->name,
407                        labeling_behaviors[sbsec->behavior-1]);
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!sbsec->initialized)
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         /*
462          * if we ever use sbsec flags for anything other than tracking mount
463          * settings this is going to need a mask
464          */
465         tmp = sbsec->flags;
466         /* count the number of mount options for this sb */
467         for (i = 0; i < 8; i++) {
468                 if (tmp & 0x01)
469                         opts->num_mnt_opts++;
470                 tmp >>= 1;
471         }
472
473         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474         if (!opts->mnt_opts) {
475                 rc = -ENOMEM;
476                 goto out_free;
477         }
478
479         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480         if (!opts->mnt_opts_flags) {
481                 rc = -ENOMEM;
482                 goto out_free;
483         }
484
485         i = 0;
486         if (sbsec->flags & FSCONTEXT_MNT) {
487                 rc = security_sid_to_context(sbsec->sid, &context, &len);
488                 if (rc)
489                         goto out_free;
490                 opts->mnt_opts[i] = context;
491                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492         }
493         if (sbsec->flags & CONTEXT_MNT) {
494                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495                 if (rc)
496                         goto out_free;
497                 opts->mnt_opts[i] = context;
498                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499         }
500         if (sbsec->flags & DEFCONTEXT_MNT) {
501                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502                 if (rc)
503                         goto out_free;
504                 opts->mnt_opts[i] = context;
505                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506         }
507         if (sbsec->flags & ROOTCONTEXT_MNT) {
508                 struct inode *root = sbsec->sb->s_root->d_inode;
509                 struct inode_security_struct *isec = root->i_security;
510
511                 rc = security_sid_to_context(isec->sid, &context, &len);
512                 if (rc)
513                         goto out_free;
514                 opts->mnt_opts[i] = context;
515                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         /* check if the old mount command had the same options */
531         if (sbsec->initialized)
532                 if (!(sbsec->flags & flag) ||
533                     (old_sid != new_sid))
534                         return 1;
535
536         /* check if we were passed the same options twice,
537          * aka someone passed context=a,context=b
538          */
539         if (!sbsec->initialized)
540                 if (sbsec->flags & flag)
541                         return 1;
542         return 0;
543 }
544
545 /*
546  * Allow filesystems with binary mount data to explicitly set mount point
547  * labeling information.
548  */
549 static int selinux_set_mnt_opts(struct super_block *sb,
550                                 struct security_mnt_opts *opts)
551 {
552         int rc = 0, i;
553         struct task_security_struct *tsec = current->security;
554         struct superblock_security_struct *sbsec = sb->s_security;
555         const char *name = sb->s_type->name;
556         struct inode *inode = sbsec->sb->s_root->d_inode;
557         struct inode_security_struct *root_isec = inode->i_security;
558         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
559         u32 defcontext_sid = 0;
560         char **mount_options = opts->mnt_opts;
561         int *flags = opts->mnt_opts_flags;
562         int num_opts = opts->num_mnt_opts;
563
564         mutex_lock(&sbsec->lock);
565
566         if (!ss_initialized) {
567                 if (!num_opts) {
568                         /* Defer initialization until selinux_complete_init,
569                            after the initial policy is loaded and the security
570                            server is ready to handle calls. */
571                         spin_lock(&sb_security_lock);
572                         if (list_empty(&sbsec->list))
573                                 list_add(&sbsec->list, &superblock_security_head);
574                         spin_unlock(&sb_security_lock);
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605                 rc = security_context_to_sid(mount_options[i],
606                                              strlen(mount_options[i]), &sid);
607                 if (rc) {
608                         printk(KERN_WARNING "SELinux: security_context_to_sid"
609                                "(%s) failed for (dev %s, type %s) errno=%d\n",
610                                mount_options[i], sb->s_id, name, rc);
611                         goto out;
612                 }
613                 switch (flags[i]) {
614                 case FSCONTEXT_MNT:
615                         fscontext_sid = sid;
616
617                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618                                         fscontext_sid))
619                                 goto out_double_mount;
620
621                         sbsec->flags |= FSCONTEXT_MNT;
622                         break;
623                 case CONTEXT_MNT:
624                         context_sid = sid;
625
626                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627                                         context_sid))
628                                 goto out_double_mount;
629
630                         sbsec->flags |= CONTEXT_MNT;
631                         break;
632                 case ROOTCONTEXT_MNT:
633                         rootcontext_sid = sid;
634
635                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636                                         rootcontext_sid))
637                                 goto out_double_mount;
638
639                         sbsec->flags |= ROOTCONTEXT_MNT;
640
641                         break;
642                 case DEFCONTEXT_MNT:
643                         defcontext_sid = sid;
644
645                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646                                         defcontext_sid))
647                                 goto out_double_mount;
648
649                         sbsec->flags |= DEFCONTEXT_MNT;
650
651                         break;
652                 default:
653                         rc = -EINVAL;
654                         goto out;
655                 }
656         }
657
658         if (sbsec->initialized) {
659                 /* previously mounted with options, but not on this attempt? */
660                 if (sbsec->flags && !num_opts)
661                         goto out_double_mount;
662                 rc = 0;
663                 goto out;
664         }
665
666         if (strcmp(sb->s_type->name, "proc") == 0)
667                 sbsec->proc = 1;
668
669         /* Determine the labeling behavior to use for this filesystem type. */
670         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671         if (rc) {
672                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
673                        __func__, sb->s_type->name, rc);
674                 goto out;
675         }
676
677         /* sets the context of the superblock for the fs being mounted. */
678         if (fscontext_sid) {
679
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
695                         if (rc)
696                                 goto out;
697                         sbsec->sid = context_sid;
698                 } else {
699                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
700                         if (rc)
701                                 goto out;
702                 }
703                 if (!rootcontext_sid)
704                         rootcontext_sid = context_sid;
705
706                 sbsec->mntpoint_sid = context_sid;
707                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
708         }
709
710         if (rootcontext_sid) {
711                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
712                 if (rc)
713                         goto out;
714
715                 root_isec->sid = rootcontext_sid;
716                 root_isec->initialized = 1;
717         }
718
719         if (defcontext_sid) {
720                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721                         rc = -EINVAL;
722                         printk(KERN_WARNING "SELinux: defcontext option is "
723                                "invalid for this filesystem type\n");
724                         goto out;
725                 }
726
727                 if (defcontext_sid != sbsec->def_sid) {
728                         rc = may_context_mount_inode_relabel(defcontext_sid,
729                                                              sbsec, tsec);
730                         if (rc)
731                                 goto out;
732                 }
733
734                 sbsec->def_sid = defcontext_sid;
735         }
736
737         rc = sb_finish_set_opts(sb);
738 out:
739         mutex_unlock(&sbsec->lock);
740         return rc;
741 out_double_mount:
742         rc = -EINVAL;
743         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
744                "security settings for (dev %s, type %s)\n", sb->s_id, name);
745         goto out;
746 }
747
748 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
749                                         struct super_block *newsb)
750 {
751         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
752         struct superblock_security_struct *newsbsec = newsb->s_security;
753
754         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
755         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
756         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
757
758         /*
759          * if the parent was able to be mounted it clearly had no special lsm
760          * mount options.  thus we can safely put this sb on the list and deal
761          * with it later
762          */
763         if (!ss_initialized) {
764                 spin_lock(&sb_security_lock);
765                 if (list_empty(&newsbsec->list))
766                         list_add(&newsbsec->list, &superblock_security_head);
767                 spin_unlock(&sb_security_lock);
768                 return;
769         }
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!oldsbsec->initialized);
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->initialized)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static inline u16 inode_mode_to_security_class(umode_t mode)
959 {
960         switch (mode & S_IFMT) {
961         case S_IFSOCK:
962                 return SECCLASS_SOCK_FILE;
963         case S_IFLNK:
964                 return SECCLASS_LNK_FILE;
965         case S_IFREG:
966                 return SECCLASS_FILE;
967         case S_IFBLK:
968                 return SECCLASS_BLK_FILE;
969         case S_IFDIR:
970                 return SECCLASS_DIR;
971         case S_IFCHR:
972                 return SECCLASS_CHR_FILE;
973         case S_IFIFO:
974                 return SECCLASS_FIFO_FILE;
975
976         }
977
978         return SECCLASS_FILE;
979 }
980
981 static inline int default_protocol_stream(int protocol)
982 {
983         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
984 }
985
986 static inline int default_protocol_dgram(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
989 }
990
991 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
992 {
993         switch (family) {
994         case PF_UNIX:
995                 switch (type) {
996                 case SOCK_STREAM:
997                 case SOCK_SEQPACKET:
998                         return SECCLASS_UNIX_STREAM_SOCKET;
999                 case SOCK_DGRAM:
1000                         return SECCLASS_UNIX_DGRAM_SOCKET;
1001                 }
1002                 break;
1003         case PF_INET:
1004         case PF_INET6:
1005                 switch (type) {
1006                 case SOCK_STREAM:
1007                         if (default_protocol_stream(protocol))
1008                                 return SECCLASS_TCP_SOCKET;
1009                         else
1010                                 return SECCLASS_RAWIP_SOCKET;
1011                 case SOCK_DGRAM:
1012                         if (default_protocol_dgram(protocol))
1013                                 return SECCLASS_UDP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DCCP:
1017                         return SECCLASS_DCCP_SOCKET;
1018                 default:
1019                         return SECCLASS_RAWIP_SOCKET;
1020                 }
1021                 break;
1022         case PF_NETLINK:
1023                 switch (protocol) {
1024                 case NETLINK_ROUTE:
1025                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1026                 case NETLINK_FIREWALL:
1027                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1028                 case NETLINK_INET_DIAG:
1029                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1030                 case NETLINK_NFLOG:
1031                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1032                 case NETLINK_XFRM:
1033                         return SECCLASS_NETLINK_XFRM_SOCKET;
1034                 case NETLINK_SELINUX:
1035                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1036                 case NETLINK_AUDIT:
1037                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1038                 case NETLINK_IP6_FW:
1039                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1040                 case NETLINK_DNRTMSG:
1041                         return SECCLASS_NETLINK_DNRT_SOCKET;
1042                 case NETLINK_KOBJECT_UEVENT:
1043                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1044                 default:
1045                         return SECCLASS_NETLINK_SOCKET;
1046                 }
1047         case PF_PACKET:
1048                 return SECCLASS_PACKET_SOCKET;
1049         case PF_KEY:
1050                 return SECCLASS_KEY_SOCKET;
1051         case PF_APPLETALK:
1052                 return SECCLASS_APPLETALK_SOCKET;
1053         }
1054
1055         return SECCLASS_SOCKET;
1056 }
1057
1058 #ifdef CONFIG_PROC_FS
1059 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1060                                 u16 tclass,
1061                                 u32 *sid)
1062 {
1063         int buflen, rc;
1064         char *buffer, *path, *end;
1065
1066         buffer = (char *)__get_free_page(GFP_KERNEL);
1067         if (!buffer)
1068                 return -ENOMEM;
1069
1070         buflen = PAGE_SIZE;
1071         end = buffer+buflen;
1072         *--end = '\0';
1073         buflen--;
1074         path = end-1;
1075         *path = '/';
1076         while (de && de != de->parent) {
1077                 buflen -= de->namelen + 1;
1078                 if (buflen < 0)
1079                         break;
1080                 end -= de->namelen;
1081                 memcpy(end, de->name, de->namelen);
1082                 *--end = '/';
1083                 path = end;
1084                 de = de->parent;
1085         }
1086         rc = security_genfs_sid("proc", path, tclass, sid);
1087         free_page((unsigned long)buffer);
1088         return rc;
1089 }
1090 #else
1091 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1092                                 u16 tclass,
1093                                 u32 *sid)
1094 {
1095         return -EINVAL;
1096 }
1097 #endif
1098
1099 /* The inode's security attributes must be initialized before first use. */
1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1101 {
1102         struct superblock_security_struct *sbsec = NULL;
1103         struct inode_security_struct *isec = inode->i_security;
1104         u32 sid;
1105         struct dentry *dentry;
1106 #define INITCONTEXTLEN 255
1107         char *context = NULL;
1108         unsigned len = 0;
1109         int rc = 0;
1110
1111         if (isec->initialized)
1112                 goto out;
1113
1114         mutex_lock(&isec->lock);
1115         if (isec->initialized)
1116                 goto out_unlock;
1117
1118         sbsec = inode->i_sb->s_security;
1119         if (!sbsec->initialized) {
1120                 /* Defer initialization until selinux_complete_init,
1121                    after the initial policy is loaded and the security
1122                    server is ready to handle calls. */
1123                 spin_lock(&sbsec->isec_lock);
1124                 if (list_empty(&isec->list))
1125                         list_add(&isec->list, &sbsec->isec_head);
1126                 spin_unlock(&sbsec->isec_lock);
1127                 goto out_unlock;
1128         }
1129
1130         switch (sbsec->behavior) {
1131         case SECURITY_FS_USE_XATTR:
1132                 if (!inode->i_op->getxattr) {
1133                         isec->sid = sbsec->def_sid;
1134                         break;
1135                 }
1136
1137                 /* Need a dentry, since the xattr API requires one.
1138                    Life would be simpler if we could just pass the inode. */
1139                 if (opt_dentry) {
1140                         /* Called from d_instantiate or d_splice_alias. */
1141                         dentry = dget(opt_dentry);
1142                 } else {
1143                         /* Called from selinux_complete_init, try to find a dentry. */
1144                         dentry = d_find_alias(inode);
1145                 }
1146                 if (!dentry) {
1147                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1148                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1149                                inode->i_ino);
1150                         goto out_unlock;
1151                 }
1152
1153                 len = INITCONTEXTLEN;
1154                 context = kmalloc(len, GFP_NOFS);
1155                 if (!context) {
1156                         rc = -ENOMEM;
1157                         dput(dentry);
1158                         goto out_unlock;
1159                 }
1160                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161                                            context, len);
1162                 if (rc == -ERANGE) {
1163                         /* Need a larger buffer.  Query for the right size. */
1164                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1165                                                    NULL, 0);
1166                         if (rc < 0) {
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         kfree(context);
1171                         len = rc;
1172                         context = kmalloc(len, GFP_NOFS);
1173                         if (!context) {
1174                                 rc = -ENOMEM;
1175                                 dput(dentry);
1176                                 goto out_unlock;
1177                         }
1178                         rc = inode->i_op->getxattr(dentry,
1179                                                    XATTR_NAME_SELINUX,
1180                                                    context, len);
1181                 }
1182                 dput(dentry);
1183                 if (rc < 0) {
1184                         if (rc != -ENODATA) {
1185                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1186                                        "%d for dev=%s ino=%ld\n", __func__,
1187                                        -rc, inode->i_sb->s_id, inode->i_ino);
1188                                 kfree(context);
1189                                 goto out_unlock;
1190                         }
1191                         /* Map ENODATA to the default file SID */
1192                         sid = sbsec->def_sid;
1193                         rc = 0;
1194                 } else {
1195                         rc = security_context_to_sid_default(context, rc, &sid,
1196                                                              sbsec->def_sid,
1197                                                              GFP_NOFS);
1198                         if (rc) {
1199                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1200                                        "returned %d for dev=%s ino=%ld\n",
1201                                        __func__, context, -rc,
1202                                        inode->i_sb->s_id, inode->i_ino);
1203                                 kfree(context);
1204                                 /* Leave with the unlabeled SID */
1205                                 rc = 0;
1206                                 break;
1207                         }
1208                 }
1209                 kfree(context);
1210                 isec->sid = sid;
1211                 break;
1212         case SECURITY_FS_USE_TASK:
1213                 isec->sid = isec->task_sid;
1214                 break;
1215         case SECURITY_FS_USE_TRANS:
1216                 /* Default to the fs SID. */
1217                 isec->sid = sbsec->sid;
1218
1219                 /* Try to obtain a transition SID. */
1220                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1221                 rc = security_transition_sid(isec->task_sid,
1222                                              sbsec->sid,
1223                                              isec->sclass,
1224                                              &sid);
1225                 if (rc)
1226                         goto out_unlock;
1227                 isec->sid = sid;
1228                 break;
1229         case SECURITY_FS_USE_MNTPOINT:
1230                 isec->sid = sbsec->mntpoint_sid;
1231                 break;
1232         default:
1233                 /* Default to the fs superblock SID. */
1234                 isec->sid = sbsec->sid;
1235
1236                 if (sbsec->proc) {
1237                         struct proc_inode *proci = PROC_I(inode);
1238                         if (proci->pde) {
1239                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1240                                 rc = selinux_proc_get_sid(proci->pde,
1241                                                           isec->sclass,
1242                                                           &sid);
1243                                 if (rc)
1244                                         goto out_unlock;
1245                                 isec->sid = sid;
1246                         }
1247                 }
1248                 break;
1249         }
1250
1251         isec->initialized = 1;
1252
1253 out_unlock:
1254         mutex_unlock(&isec->lock);
1255 out:
1256         if (isec->sclass == SECCLASS_FILE)
1257                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1258         return rc;
1259 }
1260
1261 /* Convert a Linux signal to an access vector. */
1262 static inline u32 signal_to_av(int sig)
1263 {
1264         u32 perm = 0;
1265
1266         switch (sig) {
1267         case SIGCHLD:
1268                 /* Commonly granted from child to parent. */
1269                 perm = PROCESS__SIGCHLD;
1270                 break;
1271         case SIGKILL:
1272                 /* Cannot be caught or ignored */
1273                 perm = PROCESS__SIGKILL;
1274                 break;
1275         case SIGSTOP:
1276                 /* Cannot be caught or ignored */
1277                 perm = PROCESS__SIGSTOP;
1278                 break;
1279         default:
1280                 /* All other signals. */
1281                 perm = PROCESS__SIGNAL;
1282                 break;
1283         }
1284
1285         return perm;
1286 }
1287
1288 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1289    fork check, ptrace check, etc. */
1290 static int task_has_perm(struct task_struct *tsk1,
1291                          struct task_struct *tsk2,
1292                          u32 perms)
1293 {
1294         struct task_security_struct *tsec1, *tsec2;
1295
1296         tsec1 = tsk1->security;
1297         tsec2 = tsk2->security;
1298         return avc_has_perm(tsec1->sid, tsec2->sid,
1299                             SECCLASS_PROCESS, perms, NULL);
1300 }
1301
1302 #if CAP_LAST_CAP > 63
1303 #error Fix SELinux to handle capabilities > 63.
1304 #endif
1305
1306 /* Check whether a task is allowed to use a capability. */
1307 static int task_has_capability(struct task_struct *tsk,
1308                                int cap)
1309 {
1310         struct task_security_struct *tsec;
1311         struct avc_audit_data ad;
1312         u16 sclass;
1313         u32 av = CAP_TO_MASK(cap);
1314
1315         tsec = tsk->security;
1316
1317         AVC_AUDIT_DATA_INIT(&ad, CAP);
1318         ad.tsk = tsk;
1319         ad.u.cap = cap;
1320
1321         switch (CAP_TO_INDEX(cap)) {
1322         case 0:
1323                 sclass = SECCLASS_CAPABILITY;
1324                 break;
1325         case 1:
1326                 sclass = SECCLASS_CAPABILITY2;
1327                 break;
1328         default:
1329                 printk(KERN_ERR
1330                        "SELinux:  out of range capability %d\n", cap);
1331                 BUG();
1332         }
1333         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1334 }
1335
1336 /* Check whether a task is allowed to use a system operation. */
1337 static int task_has_system(struct task_struct *tsk,
1338                            u32 perms)
1339 {
1340         struct task_security_struct *tsec;
1341
1342         tsec = tsk->security;
1343
1344         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1345                             SECCLASS_SYSTEM, perms, NULL);
1346 }
1347
1348 /* Check whether a task has a particular permission to an inode.
1349    The 'adp' parameter is optional and allows other audit
1350    data to be passed (e.g. the dentry). */
1351 static int inode_has_perm(struct task_struct *tsk,
1352                           struct inode *inode,
1353                           u32 perms,
1354                           struct avc_audit_data *adp)
1355 {
1356         struct task_security_struct *tsec;
1357         struct inode_security_struct *isec;
1358         struct avc_audit_data ad;
1359
1360         if (unlikely(IS_PRIVATE(inode)))
1361                 return 0;
1362
1363         tsec = tsk->security;
1364         isec = inode->i_security;
1365
1366         if (!adp) {
1367                 adp = &ad;
1368                 AVC_AUDIT_DATA_INIT(&ad, FS);
1369                 ad.u.fs.inode = inode;
1370         }
1371
1372         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1373 }
1374
1375 /* Same as inode_has_perm, but pass explicit audit data containing
1376    the dentry to help the auditing code to more easily generate the
1377    pathname if needed. */
1378 static inline int dentry_has_perm(struct task_struct *tsk,
1379                                   struct vfsmount *mnt,
1380                                   struct dentry *dentry,
1381                                   u32 av)
1382 {
1383         struct inode *inode = dentry->d_inode;
1384         struct avc_audit_data ad;
1385         AVC_AUDIT_DATA_INIT(&ad, FS);
1386         ad.u.fs.path.mnt = mnt;
1387         ad.u.fs.path.dentry = dentry;
1388         return inode_has_perm(tsk, inode, av, &ad);
1389 }
1390
1391 /* Check whether a task can use an open file descriptor to
1392    access an inode in a given way.  Check access to the
1393    descriptor itself, and then use dentry_has_perm to
1394    check a particular permission to the file.
1395    Access to the descriptor is implicitly granted if it
1396    has the same SID as the process.  If av is zero, then
1397    access to the file is not checked, e.g. for cases
1398    where only the descriptor is affected like seek. */
1399 static int file_has_perm(struct task_struct *tsk,
1400                                 struct file *file,
1401                                 u32 av)
1402 {
1403         struct task_security_struct *tsec = tsk->security;
1404         struct file_security_struct *fsec = file->f_security;
1405         struct inode *inode = file->f_path.dentry->d_inode;
1406         struct avc_audit_data ad;
1407         int rc;
1408
1409         AVC_AUDIT_DATA_INIT(&ad, FS);
1410         ad.u.fs.path = file->f_path;
1411
1412         if (tsec->sid != fsec->sid) {
1413                 rc = avc_has_perm(tsec->sid, fsec->sid,
1414                                   SECCLASS_FD,
1415                                   FD__USE,
1416                                   &ad);
1417                 if (rc)
1418                         return rc;
1419         }
1420
1421         /* av is zero if only checking access to the descriptor. */
1422         if (av)
1423                 return inode_has_perm(tsk, inode, av, &ad);
1424
1425         return 0;
1426 }
1427
1428 /* Check whether a task can create a file. */
1429 static int may_create(struct inode *dir,
1430                       struct dentry *dentry,
1431                       u16 tclass)
1432 {
1433         struct task_security_struct *tsec;
1434         struct inode_security_struct *dsec;
1435         struct superblock_security_struct *sbsec;
1436         u32 newsid;
1437         struct avc_audit_data ad;
1438         int rc;
1439
1440         tsec = current->security;
1441         dsec = dir->i_security;
1442         sbsec = dir->i_sb->s_security;
1443
1444         AVC_AUDIT_DATA_INIT(&ad, FS);
1445         ad.u.fs.path.dentry = dentry;
1446
1447         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1448                           DIR__ADD_NAME | DIR__SEARCH,
1449                           &ad);
1450         if (rc)
1451                 return rc;
1452
1453         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1454                 newsid = tsec->create_sid;
1455         } else {
1456                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1457                                              &newsid);
1458                 if (rc)
1459                         return rc;
1460         }
1461
1462         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1463         if (rc)
1464                 return rc;
1465
1466         return avc_has_perm(newsid, sbsec->sid,
1467                             SECCLASS_FILESYSTEM,
1468                             FILESYSTEM__ASSOCIATE, &ad);
1469 }
1470
1471 /* Check whether a task can create a key. */
1472 static int may_create_key(u32 ksid,
1473                           struct task_struct *ctx)
1474 {
1475         struct task_security_struct *tsec;
1476
1477         tsec = ctx->security;
1478
1479         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1480 }
1481
1482 #define MAY_LINK        0
1483 #define MAY_UNLINK      1
1484 #define MAY_RMDIR       2
1485
1486 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1487 static int may_link(struct inode *dir,
1488                     struct dentry *dentry,
1489                     int kind)
1490
1491 {
1492         struct task_security_struct *tsec;
1493         struct inode_security_struct *dsec, *isec;
1494         struct avc_audit_data ad;
1495         u32 av;
1496         int rc;
1497
1498         tsec = current->security;
1499         dsec = dir->i_security;
1500         isec = dentry->d_inode->i_security;
1501
1502         AVC_AUDIT_DATA_INIT(&ad, FS);
1503         ad.u.fs.path.dentry = dentry;
1504
1505         av = DIR__SEARCH;
1506         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1507         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1508         if (rc)
1509                 return rc;
1510
1511         switch (kind) {
1512         case MAY_LINK:
1513                 av = FILE__LINK;
1514                 break;
1515         case MAY_UNLINK:
1516                 av = FILE__UNLINK;
1517                 break;
1518         case MAY_RMDIR:
1519                 av = DIR__RMDIR;
1520                 break;
1521         default:
1522                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1523                         __func__, kind);
1524                 return 0;
1525         }
1526
1527         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1528         return rc;
1529 }
1530
1531 static inline int may_rename(struct inode *old_dir,
1532                              struct dentry *old_dentry,
1533                              struct inode *new_dir,
1534                              struct dentry *new_dentry)
1535 {
1536         struct task_security_struct *tsec;
1537         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1538         struct avc_audit_data ad;
1539         u32 av;
1540         int old_is_dir, new_is_dir;
1541         int rc;
1542
1543         tsec = current->security;
1544         old_dsec = old_dir->i_security;
1545         old_isec = old_dentry->d_inode->i_security;
1546         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1547         new_dsec = new_dir->i_security;
1548
1549         AVC_AUDIT_DATA_INIT(&ad, FS);
1550
1551         ad.u.fs.path.dentry = old_dentry;
1552         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1553                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1554         if (rc)
1555                 return rc;
1556         rc = avc_has_perm(tsec->sid, old_isec->sid,
1557                           old_isec->sclass, FILE__RENAME, &ad);
1558         if (rc)
1559                 return rc;
1560         if (old_is_dir && new_dir != old_dir) {
1561                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562                                   old_isec->sclass, DIR__REPARENT, &ad);
1563                 if (rc)
1564                         return rc;
1565         }
1566
1567         ad.u.fs.path.dentry = new_dentry;
1568         av = DIR__ADD_NAME | DIR__SEARCH;
1569         if (new_dentry->d_inode)
1570                 av |= DIR__REMOVE_NAME;
1571         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1572         if (rc)
1573                 return rc;
1574         if (new_dentry->d_inode) {
1575                 new_isec = new_dentry->d_inode->i_security;
1576                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1577                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1578                                   new_isec->sclass,
1579                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1580                 if (rc)
1581                         return rc;
1582         }
1583
1584         return 0;
1585 }
1586
1587 /* Check whether a task can perform a filesystem operation. */
1588 static int superblock_has_perm(struct task_struct *tsk,
1589                                struct super_block *sb,
1590                                u32 perms,
1591                                struct avc_audit_data *ad)
1592 {
1593         struct task_security_struct *tsec;
1594         struct superblock_security_struct *sbsec;
1595
1596         tsec = tsk->security;
1597         sbsec = sb->s_security;
1598         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1599                             perms, ad);
1600 }
1601
1602 /* Convert a Linux mode and permission mask to an access vector. */
1603 static inline u32 file_mask_to_av(int mode, int mask)
1604 {
1605         u32 av = 0;
1606
1607         if ((mode & S_IFMT) != S_IFDIR) {
1608                 if (mask & MAY_EXEC)
1609                         av |= FILE__EXECUTE;
1610                 if (mask & MAY_READ)
1611                         av |= FILE__READ;
1612
1613                 if (mask & MAY_APPEND)
1614                         av |= FILE__APPEND;
1615                 else if (mask & MAY_WRITE)
1616                         av |= FILE__WRITE;
1617
1618         } else {
1619                 if (mask & MAY_EXEC)
1620                         av |= DIR__SEARCH;
1621                 if (mask & MAY_WRITE)
1622                         av |= DIR__WRITE;
1623                 if (mask & MAY_READ)
1624                         av |= DIR__READ;
1625         }
1626
1627         return av;
1628 }
1629
1630 /*
1631  * Convert a file mask to an access vector and include the correct open
1632  * open permission.
1633  */
1634 static inline u32 open_file_mask_to_av(int mode, int mask)
1635 {
1636         u32 av = file_mask_to_av(mode, mask);
1637
1638         if (selinux_policycap_openperm) {
1639                 /*
1640                  * lnk files and socks do not really have an 'open'
1641                  */
1642                 if (S_ISREG(mode))
1643                         av |= FILE__OPEN;
1644                 else if (S_ISCHR(mode))
1645                         av |= CHR_FILE__OPEN;
1646                 else if (S_ISBLK(mode))
1647                         av |= BLK_FILE__OPEN;
1648                 else if (S_ISFIFO(mode))
1649                         av |= FIFO_FILE__OPEN;
1650                 else if (S_ISDIR(mode))
1651                         av |= DIR__OPEN;
1652                 else
1653                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1654                                 "unknown mode:%x\n", __func__, mode);
1655         }
1656         return av;
1657 }
1658
1659 /* Convert a Linux file to an access vector. */
1660 static inline u32 file_to_av(struct file *file)
1661 {
1662         u32 av = 0;
1663
1664         if (file->f_mode & FMODE_READ)
1665                 av |= FILE__READ;
1666         if (file->f_mode & FMODE_WRITE) {
1667                 if (file->f_flags & O_APPEND)
1668                         av |= FILE__APPEND;
1669                 else
1670                         av |= FILE__WRITE;
1671         }
1672         if (!av) {
1673                 /*
1674                  * Special file opened with flags 3 for ioctl-only use.
1675                  */
1676                 av = FILE__IOCTL;
1677         }
1678
1679         return av;
1680 }
1681
1682 /* Hook functions begin here. */
1683
1684 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1685 {
1686         int rc;
1687
1688         rc = secondary_ops->ptrace(parent, child);
1689         if (rc)
1690                 return rc;
1691
1692         return task_has_perm(parent, child, PROCESS__PTRACE);
1693 }
1694
1695 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1696                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697 {
1698         int error;
1699
1700         error = task_has_perm(current, target, PROCESS__GETCAP);
1701         if (error)
1702                 return error;
1703
1704         return secondary_ops->capget(target, effective, inheritable, permitted);
1705 }
1706
1707 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1708                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710         int error;
1711
1712         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1713         if (error)
1714                 return error;
1715
1716         return task_has_perm(current, target, PROCESS__SETCAP);
1717 }
1718
1719 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1720                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1721 {
1722         secondary_ops->capset_set(target, effective, inheritable, permitted);
1723 }
1724
1725 static int selinux_capable(struct task_struct *tsk, int cap)
1726 {
1727         int rc;
1728
1729         rc = secondary_ops->capable(tsk, cap);
1730         if (rc)
1731                 return rc;
1732
1733         return task_has_capability(tsk, cap);
1734 }
1735
1736 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1737 {
1738         int buflen, rc;
1739         char *buffer, *path, *end;
1740
1741         rc = -ENOMEM;
1742         buffer = (char *)__get_free_page(GFP_KERNEL);
1743         if (!buffer)
1744                 goto out;
1745
1746         buflen = PAGE_SIZE;
1747         end = buffer+buflen;
1748         *--end = '\0';
1749         buflen--;
1750         path = end-1;
1751         *path = '/';
1752         while (table) {
1753                 const char *name = table->procname;
1754                 size_t namelen = strlen(name);
1755                 buflen -= namelen + 1;
1756                 if (buflen < 0)
1757                         goto out_free;
1758                 end -= namelen;
1759                 memcpy(end, name, namelen);
1760                 *--end = '/';
1761                 path = end;
1762                 table = table->parent;
1763         }
1764         buflen -= 4;
1765         if (buflen < 0)
1766                 goto out_free;
1767         end -= 4;
1768         memcpy(end, "/sys", 4);
1769         path = end;
1770         rc = security_genfs_sid("proc", path, tclass, sid);
1771 out_free:
1772         free_page((unsigned long)buffer);
1773 out:
1774         return rc;
1775 }
1776
1777 static int selinux_sysctl(ctl_table *table, int op)
1778 {
1779         int error = 0;
1780         u32 av;
1781         struct task_security_struct *tsec;
1782         u32 tsid;
1783         int rc;
1784
1785         rc = secondary_ops->sysctl(table, op);
1786         if (rc)
1787                 return rc;
1788
1789         tsec = current->security;
1790
1791         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1792                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1793         if (rc) {
1794                 /* Default to the well-defined sysctl SID. */
1795                 tsid = SECINITSID_SYSCTL;
1796         }
1797
1798         /* The op values are "defined" in sysctl.c, thereby creating
1799          * a bad coupling between this module and sysctl.c */
1800         if (op == 001) {
1801                 error = avc_has_perm(tsec->sid, tsid,
1802                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1803         } else {
1804                 av = 0;
1805                 if (op & 004)
1806                         av |= FILE__READ;
1807                 if (op & 002)
1808                         av |= FILE__WRITE;
1809                 if (av)
1810                         error = avc_has_perm(tsec->sid, tsid,
1811                                              SECCLASS_FILE, av, NULL);
1812         }
1813
1814         return error;
1815 }
1816
1817 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1818 {
1819         int rc = 0;
1820
1821         if (!sb)
1822                 return 0;
1823
1824         switch (cmds) {
1825         case Q_SYNC:
1826         case Q_QUOTAON:
1827         case Q_QUOTAOFF:
1828         case Q_SETINFO:
1829         case Q_SETQUOTA:
1830                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1831                                          NULL);
1832                 break;
1833         case Q_GETFMT:
1834         case Q_GETINFO:
1835         case Q_GETQUOTA:
1836                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1837                                          NULL);
1838                 break;
1839         default:
1840                 rc = 0;  /* let the kernel handle invalid cmds */
1841                 break;
1842         }
1843         return rc;
1844 }
1845
1846 static int selinux_quota_on(struct dentry *dentry)
1847 {
1848         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1849 }
1850
1851 static int selinux_syslog(int type)
1852 {
1853         int rc;
1854
1855         rc = secondary_ops->syslog(type);
1856         if (rc)
1857                 return rc;
1858
1859         switch (type) {
1860         case 3:         /* Read last kernel messages */
1861         case 10:        /* Return size of the log buffer */
1862                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1863                 break;
1864         case 6:         /* Disable logging to console */
1865         case 7:         /* Enable logging to console */
1866         case 8:         /* Set level of messages printed to console */
1867                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1868                 break;
1869         case 0:         /* Close log */
1870         case 1:         /* Open log */
1871         case 2:         /* Read from log */
1872         case 4:         /* Read/clear last kernel messages */
1873         case 5:         /* Clear ring buffer */
1874         default:
1875                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1876                 break;
1877         }
1878         return rc;
1879 }
1880
1881 /*
1882  * Check that a process has enough memory to allocate a new virtual
1883  * mapping. 0 means there is enough memory for the allocation to
1884  * succeed and -ENOMEM implies there is not.
1885  *
1886  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1887  * if the capability is granted, but __vm_enough_memory requires 1 if
1888  * the capability is granted.
1889  *
1890  * Do not audit the selinux permission check, as this is applied to all
1891  * processes that allocate mappings.
1892  */
1893 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1894 {
1895         int rc, cap_sys_admin = 0;
1896         struct task_security_struct *tsec = current->security;
1897
1898         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1899         if (rc == 0)
1900                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1901                                           SECCLASS_CAPABILITY,
1902                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1903                                           0,
1904                                           NULL);
1905
1906         if (rc == 0)
1907                 cap_sys_admin = 1;
1908
1909         return __vm_enough_memory(mm, pages, cap_sys_admin);
1910 }
1911
1912 /**
1913  * task_tracer_task - return the task that is tracing the given task
1914  * @task:               task to consider
1915  *
1916  * Returns NULL if noone is tracing @task, or the &struct task_struct
1917  * pointer to its tracer.
1918  *
1919  * Must be called under rcu_read_lock().
1920  */
1921 static struct task_struct *task_tracer_task(struct task_struct *task)
1922 {
1923         if (task->ptrace & PT_PTRACED)
1924                 return rcu_dereference(task->parent);
1925         return NULL;
1926 }
1927
1928 /* binprm security operations */
1929
1930 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1931 {
1932         struct bprm_security_struct *bsec;
1933
1934         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1935         if (!bsec)
1936                 return -ENOMEM;
1937
1938         bsec->sid = SECINITSID_UNLABELED;
1939         bsec->set = 0;
1940
1941         bprm->security = bsec;
1942         return 0;
1943 }
1944
1945 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1946 {
1947         struct task_security_struct *tsec;
1948         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1949         struct inode_security_struct *isec;
1950         struct bprm_security_struct *bsec;
1951         u32 newsid;
1952         struct avc_audit_data ad;
1953         int rc;
1954
1955         rc = secondary_ops->bprm_set_security(bprm);
1956         if (rc)
1957                 return rc;
1958
1959         bsec = bprm->security;
1960
1961         if (bsec->set)
1962                 return 0;
1963
1964         tsec = current->security;
1965         isec = inode->i_security;
1966
1967         /* Default to the current task SID. */
1968         bsec->sid = tsec->sid;
1969
1970         /* Reset fs, key, and sock SIDs on execve. */
1971         tsec->create_sid = 0;
1972         tsec->keycreate_sid = 0;
1973         tsec->sockcreate_sid = 0;
1974
1975         if (tsec->exec_sid) {
1976                 newsid = tsec->exec_sid;
1977                 /* Reset exec SID on execve. */
1978                 tsec->exec_sid = 0;
1979         } else {
1980                 /* Check for a default transition on this program. */
1981                 rc = security_transition_sid(tsec->sid, isec->sid,
1982                                              SECCLASS_PROCESS, &newsid);
1983                 if (rc)
1984                         return rc;
1985         }
1986
1987         AVC_AUDIT_DATA_INIT(&ad, FS);
1988         ad.u.fs.path = bprm->file->f_path;
1989
1990         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1991                 newsid = tsec->sid;
1992
1993         if (tsec->sid == newsid) {
1994                 rc = avc_has_perm(tsec->sid, isec->sid,
1995                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1996                 if (rc)
1997                         return rc;
1998         } else {
1999                 /* Check permissions for the transition. */
2000                 rc = avc_has_perm(tsec->sid, newsid,
2001                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2002                 if (rc)
2003                         return rc;
2004
2005                 rc = avc_has_perm(newsid, isec->sid,
2006                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2007                 if (rc)
2008                         return rc;
2009
2010                 /* Clear any possibly unsafe personality bits on exec: */
2011                 current->personality &= ~PER_CLEAR_ON_SETID;
2012
2013                 /* Set the security field to the new SID. */
2014                 bsec->sid = newsid;
2015         }
2016
2017         bsec->set = 1;
2018         return 0;
2019 }
2020
2021 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2022 {
2023         return secondary_ops->bprm_check_security(bprm);
2024 }
2025
2026
2027 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2028 {
2029         struct task_security_struct *tsec = current->security;
2030         int atsecure = 0;
2031
2032         if (tsec->osid != tsec->sid) {
2033                 /* Enable secure mode for SIDs transitions unless
2034                    the noatsecure permission is granted between
2035                    the two SIDs, i.e. ahp returns 0. */
2036                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2037                                          SECCLASS_PROCESS,
2038                                          PROCESS__NOATSECURE, NULL);
2039         }
2040
2041         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2042 }
2043
2044 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2045 {
2046         kfree(bprm->security);
2047         bprm->security = NULL;
2048 }
2049
2050 extern struct vfsmount *selinuxfs_mount;
2051 extern struct dentry *selinux_null;
2052
2053 /* Derived from fs/exec.c:flush_old_files. */
2054 static inline void flush_unauthorized_files(struct files_struct *files)
2055 {
2056         struct avc_audit_data ad;
2057         struct file *file, *devnull = NULL;
2058         struct tty_struct *tty;
2059         struct fdtable *fdt;
2060         long j = -1;
2061         int drop_tty = 0;
2062
2063         mutex_lock(&tty_mutex);
2064         tty = get_current_tty();
2065         if (tty) {
2066                 file_list_lock();
2067                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2068                 if (file) {
2069                         /* Revalidate access to controlling tty.
2070                            Use inode_has_perm on the tty inode directly rather
2071                            than using file_has_perm, as this particular open
2072                            file may belong to another process and we are only
2073                            interested in the inode-based check here. */
2074                         struct inode *inode = file->f_path.dentry->d_inode;
2075                         if (inode_has_perm(current, inode,
2076                                            FILE__READ | FILE__WRITE, NULL)) {
2077                                 drop_tty = 1;
2078                         }
2079                 }
2080                 file_list_unlock();
2081         }
2082         mutex_unlock(&tty_mutex);
2083         /* Reset controlling tty. */
2084         if (drop_tty)
2085                 no_tty();
2086
2087         /* Revalidate access to inherited open files. */
2088
2089         AVC_AUDIT_DATA_INIT(&ad, FS);
2090
2091         spin_lock(&files->file_lock);
2092         for (;;) {
2093                 unsigned long set, i;
2094                 int fd;
2095
2096                 j++;
2097                 i = j * __NFDBITS;
2098                 fdt = files_fdtable(files);
2099                 if (i >= fdt->max_fds)
2100                         break;
2101                 set = fdt->open_fds->fds_bits[j];
2102                 if (!set)
2103                         continue;
2104                 spin_unlock(&files->file_lock);
2105                 for ( ; set ; i++, set >>= 1) {
2106                         if (set & 1) {
2107                                 file = fget(i);
2108                                 if (!file)
2109                                         continue;
2110                                 if (file_has_perm(current,
2111                                                   file,
2112                                                   file_to_av(file))) {
2113                                         sys_close(i);
2114                                         fd = get_unused_fd();
2115                                         if (fd != i) {
2116                                                 if (fd >= 0)
2117                                                         put_unused_fd(fd);
2118                                                 fput(file);
2119                                                 continue;
2120                                         }
2121                                         if (devnull) {
2122                                                 get_file(devnull);
2123                                         } else {
2124                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2125                                                 if (IS_ERR(devnull)) {
2126                                                         devnull = NULL;
2127                                                         put_unused_fd(fd);
2128                                                         fput(file);
2129                                                         continue;
2130                                                 }
2131                                         }
2132                                         fd_install(fd, devnull);
2133                                 }
2134                                 fput(file);
2135                         }
2136                 }
2137                 spin_lock(&files->file_lock);
2138
2139         }
2140         spin_unlock(&files->file_lock);
2141 }
2142
2143 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2144 {
2145         struct task_security_struct *tsec;
2146         struct bprm_security_struct *bsec;
2147         u32 sid;
2148         int rc;
2149
2150         secondary_ops->bprm_apply_creds(bprm, unsafe);
2151
2152         tsec = current->security;
2153
2154         bsec = bprm->security;
2155         sid = bsec->sid;
2156
2157         tsec->osid = tsec->sid;
2158         bsec->unsafe = 0;
2159         if (tsec->sid != sid) {
2160                 /* Check for shared state.  If not ok, leave SID
2161                    unchanged and kill. */
2162                 if (unsafe & LSM_UNSAFE_SHARE) {
2163                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2164                                         PROCESS__SHARE, NULL);
2165                         if (rc) {
2166                                 bsec->unsafe = 1;
2167                                 return;
2168                         }
2169                 }
2170
2171                 /* Check for ptracing, and update the task SID if ok.
2172                    Otherwise, leave SID unchanged and kill. */
2173                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2174                         struct task_struct *tracer;
2175                         struct task_security_struct *sec;
2176                         u32 ptsid = 0;
2177
2178                         rcu_read_lock();
2179                         tracer = task_tracer_task(current);
2180                         if (likely(tracer != NULL)) {
2181                                 sec = tracer->security;
2182                                 ptsid = sec->sid;
2183                         }
2184                         rcu_read_unlock();
2185
2186                         if (ptsid != 0) {
2187                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2188                                                   PROCESS__PTRACE, NULL);
2189                                 if (rc) {
2190                                         bsec->unsafe = 1;
2191                                         return;
2192                                 }
2193                         }
2194                 }
2195                 tsec->sid = sid;
2196         }
2197 }
2198
2199 /*
2200  * called after apply_creds without the task lock held
2201  */
2202 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2203 {
2204         struct task_security_struct *tsec;
2205         struct rlimit *rlim, *initrlim;
2206         struct itimerval itimer;
2207         struct bprm_security_struct *bsec;
2208         int rc, i;
2209
2210         tsec = current->security;
2211         bsec = bprm->security;
2212
2213         if (bsec->unsafe) {
2214                 force_sig_specific(SIGKILL, current);
2215                 return;
2216         }
2217         if (tsec->osid == tsec->sid)
2218                 return;
2219
2220         /* Close files for which the new task SID is not authorized. */
2221         flush_unauthorized_files(current->files);
2222
2223         /* Check whether the new SID can inherit signal state
2224            from the old SID.  If not, clear itimers to avoid
2225            subsequent signal generation and flush and unblock
2226            signals. This must occur _after_ the task SID has
2227           been updated so that any kill done after the flush
2228           will be checked against the new SID. */
2229         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2230                           PROCESS__SIGINH, NULL);
2231         if (rc) {
2232                 memset(&itimer, 0, sizeof itimer);
2233                 for (i = 0; i < 3; i++)
2234                         do_setitimer(i, &itimer, NULL);
2235                 flush_signals(current);
2236                 spin_lock_irq(&current->sighand->siglock);
2237                 flush_signal_handlers(current, 1);
2238                 sigemptyset(&current->blocked);
2239                 recalc_sigpending();
2240                 spin_unlock_irq(&current->sighand->siglock);
2241         }
2242
2243         /* Always clear parent death signal on SID transitions. */
2244         current->pdeath_signal = 0;
2245
2246         /* Check whether the new SID can inherit resource limits
2247            from the old SID.  If not, reset all soft limits to
2248            the lower of the current task's hard limit and the init
2249            task's soft limit.  Note that the setting of hard limits
2250            (even to lower them) can be controlled by the setrlimit
2251            check. The inclusion of the init task's soft limit into
2252            the computation is to avoid resetting soft limits higher
2253            than the default soft limit for cases where the default
2254            is lower than the hard limit, e.g. RLIMIT_CORE or
2255            RLIMIT_STACK.*/
2256         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2257                           PROCESS__RLIMITINH, NULL);
2258         if (rc) {
2259                 for (i = 0; i < RLIM_NLIMITS; i++) {
2260                         rlim = current->signal->rlim + i;
2261                         initrlim = init_task.signal->rlim+i;
2262                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2263                 }
2264                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2265                         /*
2266                          * This will cause RLIMIT_CPU calculations
2267                          * to be refigured.
2268                          */
2269                         current->it_prof_expires = jiffies_to_cputime(1);
2270                 }
2271         }
2272
2273         /* Wake up the parent if it is waiting so that it can
2274            recheck wait permission to the new task SID. */
2275         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2276 }
2277
2278 /* superblock security operations */
2279
2280 static int selinux_sb_alloc_security(struct super_block *sb)
2281 {
2282         return superblock_alloc_security(sb);
2283 }
2284
2285 static void selinux_sb_free_security(struct super_block *sb)
2286 {
2287         superblock_free_security(sb);
2288 }
2289
2290 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2291 {
2292         if (plen > olen)
2293                 return 0;
2294
2295         return !memcmp(prefix, option, plen);
2296 }
2297
2298 static inline int selinux_option(char *option, int len)
2299 {
2300         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2301                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2302                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2303                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2304 }
2305
2306 static inline void take_option(char **to, char *from, int *first, int len)
2307 {
2308         if (!*first) {
2309                 **to = ',';
2310                 *to += 1;
2311         } else
2312                 *first = 0;
2313         memcpy(*to, from, len);
2314         *to += len;
2315 }
2316
2317 static inline void take_selinux_option(char **to, char *from, int *first,
2318                                        int len)
2319 {
2320         int current_size = 0;
2321
2322         if (!*first) {
2323                 **to = '|';
2324                 *to += 1;
2325         } else
2326                 *first = 0;
2327
2328         while (current_size < len) {
2329                 if (*from != '"') {
2330                         **to = *from;
2331                         *to += 1;
2332                 }
2333                 from += 1;
2334                 current_size += 1;
2335         }
2336 }
2337
2338 static int selinux_sb_copy_data(char *orig, char *copy)
2339 {
2340         int fnosec, fsec, rc = 0;
2341         char *in_save, *in_curr, *in_end;
2342         char *sec_curr, *nosec_save, *nosec;
2343         int open_quote = 0;
2344
2345         in_curr = orig;
2346         sec_curr = copy;
2347
2348         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2349         if (!nosec) {
2350                 rc = -ENOMEM;
2351                 goto out;
2352         }
2353
2354         nosec_save = nosec;
2355         fnosec = fsec = 1;
2356         in_save = in_end = orig;
2357
2358         do {
2359                 if (*in_end == '"')
2360                         open_quote = !open_quote;
2361                 if ((*in_end == ',' && open_quote == 0) ||
2362                                 *in_end == '\0') {
2363                         int len = in_end - in_curr;
2364
2365                         if (selinux_option(in_curr, len))
2366                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2367                         else
2368                                 take_option(&nosec, in_curr, &fnosec, len);
2369
2370                         in_curr = in_end + 1;
2371                 }
2372         } while (*in_end++);
2373
2374         strcpy(in_save, nosec_save);
2375         free_page((unsigned long)nosec_save);
2376 out:
2377         return rc;
2378 }
2379
2380 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2381 {
2382         struct avc_audit_data ad;
2383         int rc;
2384
2385         rc = superblock_doinit(sb, data);
2386         if (rc)
2387                 return rc;
2388
2389         AVC_AUDIT_DATA_INIT(&ad, FS);
2390         ad.u.fs.path.dentry = sb->s_root;
2391         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2392 }
2393
2394 static int selinux_sb_statfs(struct dentry *dentry)
2395 {
2396         struct avc_audit_data ad;
2397
2398         AVC_AUDIT_DATA_INIT(&ad, FS);
2399         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2400         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2401 }
2402
2403 static int selinux_mount(char *dev_name,
2404                          struct path *path,
2405                          char *type,
2406                          unsigned long flags,
2407                          void *data)
2408 {
2409         int rc;
2410
2411         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2412         if (rc)
2413                 return rc;
2414
2415         if (flags & MS_REMOUNT)
2416                 return superblock_has_perm(current, path->mnt->mnt_sb,
2417                                            FILESYSTEM__REMOUNT, NULL);
2418         else
2419                 return dentry_has_perm(current, path->mnt, path->dentry,
2420                                        FILE__MOUNTON);
2421 }
2422
2423 static int selinux_umount(struct vfsmount *mnt, int flags)
2424 {
2425         int rc;
2426
2427         rc = secondary_ops->sb_umount(mnt, flags);
2428         if (rc)
2429                 return rc;
2430
2431         return superblock_has_perm(current, mnt->mnt_sb,
2432                                    FILESYSTEM__UNMOUNT, NULL);
2433 }
2434
2435 /* inode security operations */
2436
2437 static int selinux_inode_alloc_security(struct inode *inode)
2438 {
2439         return inode_alloc_security(inode);
2440 }
2441
2442 static void selinux_inode_free_security(struct inode *inode)
2443 {
2444         inode_free_security(inode);
2445 }
2446
2447 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2448                                        char **name, void **value,
2449                                        size_t *len)
2450 {
2451         struct task_security_struct *tsec;
2452         struct inode_security_struct *dsec;
2453         struct superblock_security_struct *sbsec;
2454         u32 newsid, clen;
2455         int rc;
2456         char *namep = NULL, *context;
2457
2458         tsec = current->security;
2459         dsec = dir->i_security;
2460         sbsec = dir->i_sb->s_security;
2461
2462         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2463                 newsid = tsec->create_sid;
2464         } else {
2465                 rc = security_transition_sid(tsec->sid, dsec->sid,
2466                                              inode_mode_to_security_class(inode->i_mode),
2467                                              &newsid);
2468                 if (rc) {
2469                         printk(KERN_WARNING "%s:  "
2470                                "security_transition_sid failed, rc=%d (dev=%s "
2471                                "ino=%ld)\n",
2472                                __func__,
2473                                -rc, inode->i_sb->s_id, inode->i_ino);
2474                         return rc;
2475                 }
2476         }
2477
2478         /* Possibly defer initialization to selinux_complete_init. */
2479         if (sbsec->initialized) {
2480                 struct inode_security_struct *isec = inode->i_security;
2481                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2482                 isec->sid = newsid;
2483                 isec->initialized = 1;
2484         }
2485
2486         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2487                 return -EOPNOTSUPP;
2488
2489         if (name) {
2490                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2491                 if (!namep)
2492                         return -ENOMEM;
2493                 *name = namep;
2494         }
2495
2496         if (value && len) {
2497                 rc = security_sid_to_context(newsid, &context, &clen);
2498                 if (rc) {
2499                         kfree(namep);
2500                         return rc;
2501                 }
2502                 *value = context;
2503                 *len = clen;
2504         }
2505
2506         return 0;
2507 }
2508
2509 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2510 {
2511         return may_create(dir, dentry, SECCLASS_FILE);
2512 }
2513
2514 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2515 {
2516         int rc;
2517
2518         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2519         if (rc)
2520                 return rc;
2521         return may_link(dir, old_dentry, MAY_LINK);
2522 }
2523
2524 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2525 {
2526         int rc;
2527
2528         rc = secondary_ops->inode_unlink(dir, dentry);
2529         if (rc)
2530                 return rc;
2531         return may_link(dir, dentry, MAY_UNLINK);
2532 }
2533
2534 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2535 {
2536         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2537 }
2538
2539 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2540 {
2541         return may_create(dir, dentry, SECCLASS_DIR);
2542 }
2543
2544 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2545 {
2546         return may_link(dir, dentry, MAY_RMDIR);
2547 }
2548
2549 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2550 {
2551         int rc;
2552
2553         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2554         if (rc)
2555                 return rc;
2556
2557         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2558 }
2559
2560 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2561                                 struct inode *new_inode, struct dentry *new_dentry)
2562 {
2563         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2564 }
2565
2566 static int selinux_inode_readlink(struct dentry *dentry)
2567 {
2568         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2569 }
2570
2571 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2572 {
2573         int rc;
2574
2575         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2576         if (rc)
2577                 return rc;
2578         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2579 }
2580
2581 static int selinux_inode_permission(struct inode *inode, int mask,
2582                                     struct nameidata *nd)
2583 {
2584         int rc;
2585
2586         rc = secondary_ops->inode_permission(inode, mask, nd);
2587         if (rc)
2588                 return rc;
2589
2590         if (!mask) {
2591                 /* No permission to check.  Existence test. */
2592                 return 0;
2593         }
2594
2595         return inode_has_perm(current, inode,
2596                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2597 }
2598
2599 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2600 {
2601         int rc;
2602
2603         rc = secondary_ops->inode_setattr(dentry, iattr);
2604         if (rc)
2605                 return rc;
2606
2607         if (iattr->ia_valid & ATTR_FORCE)
2608                 return 0;
2609
2610         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2611                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2612                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2613
2614         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2615 }
2616
2617 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2618 {
2619         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2620 }
2621
2622 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2623 {
2624         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2625                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2626                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2627                         if (!capable(CAP_SETFCAP))
2628                                 return -EPERM;
2629                 } else if (!capable(CAP_SYS_ADMIN)) {
2630                         /* A different attribute in the security namespace.
2631                            Restrict to administrator. */
2632                         return -EPERM;
2633                 }
2634         }
2635
2636         /* Not an attribute we recognize, so just check the
2637            ordinary setattr permission. */
2638         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2639 }
2640
2641 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2642 {
2643         struct task_security_struct *tsec = current->security;
2644         struct inode *inode = dentry->d_inode;
2645         struct inode_security_struct *isec = inode->i_security;
2646         struct superblock_security_struct *sbsec;
2647         struct avc_audit_data ad;
2648         u32 newsid;
2649         int rc = 0;
2650
2651         if (strcmp(name, XATTR_NAME_SELINUX))
2652                 return selinux_inode_setotherxattr(dentry, name);
2653
2654         sbsec = inode->i_sb->s_security;
2655         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2656                 return -EOPNOTSUPP;
2657
2658         if (!is_owner_or_cap(inode))
2659                 return -EPERM;
2660
2661         AVC_AUDIT_DATA_INIT(&ad, FS);
2662         ad.u.fs.path.dentry = dentry;
2663
2664         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2665                           FILE__RELABELFROM, &ad);
2666         if (rc)
2667                 return rc;
2668
2669         rc = security_context_to_sid(value, size, &newsid);
2670         if (rc)
2671                 return rc;
2672
2673         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2674                           FILE__RELABELTO, &ad);
2675         if (rc)
2676                 return rc;
2677
2678         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2679                                           isec->sclass);
2680         if (rc)
2681                 return rc;
2682
2683         return avc_has_perm(newsid,
2684                             sbsec->sid,
2685                             SECCLASS_FILESYSTEM,
2686                             FILESYSTEM__ASSOCIATE,
2687                             &ad);
2688 }
2689
2690 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2691                                         void *value, size_t size, int flags)
2692 {
2693         struct inode *inode = dentry->d_inode;
2694         struct inode_security_struct *isec = inode->i_security;
2695         u32 newsid;
2696         int rc;
2697
2698         if (strcmp(name, XATTR_NAME_SELINUX)) {
2699                 /* Not an attribute we recognize, so nothing to do. */
2700                 return;
2701         }
2702
2703         rc = security_context_to_sid(value, size, &newsid);
2704         if (rc) {
2705                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2706                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2707                 return;
2708         }
2709
2710         isec->sid = newsid;
2711         return;
2712 }
2713
2714 static int selinux_inode_getxattr(struct dentry *dentry, char *name)
2715 {
2716         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2717 }
2718
2719 static int selinux_inode_listxattr(struct dentry *dentry)
2720 {
2721         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2722 }
2723
2724 static int selinux_inode_removexattr(struct dentry *dentry, char *name)
2725 {
2726         if (strcmp(name, XATTR_NAME_SELINUX))
2727                 return selinux_inode_setotherxattr(dentry, name);
2728
2729         /* No one is allowed to remove a SELinux security label.
2730            You can change the label, but all data must be labeled. */
2731         return -EACCES;
2732 }
2733
2734 /*
2735  * Copy the in-core inode security context value to the user.  If the
2736  * getxattr() prior to this succeeded, check to see if we need to
2737  * canonicalize the value to be finally returned to the user.
2738  *
2739  * Permission check is handled by selinux_inode_getxattr hook.
2740  */
2741 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2742 {
2743         u32 size;
2744         int error;
2745         char *context = NULL;
2746         struct inode_security_struct *isec = inode->i_security;
2747
2748         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2749                 return -EOPNOTSUPP;
2750
2751         error = security_sid_to_context(isec->sid, &context, &size);
2752         if (error)
2753                 return error;
2754         error = size;
2755         if (alloc) {
2756                 *buffer = context;
2757                 goto out_nofree;
2758         }
2759         kfree(context);
2760 out_nofree:
2761         return error;
2762 }
2763
2764 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2765                                      const void *value, size_t size, int flags)
2766 {
2767         struct inode_security_struct *isec = inode->i_security;
2768         u32 newsid;
2769         int rc;
2770
2771         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2772                 return -EOPNOTSUPP;
2773
2774         if (!value || !size)
2775                 return -EACCES;
2776
2777         rc = security_context_to_sid((void *)value, size, &newsid);
2778         if (rc)
2779                 return rc;
2780
2781         isec->sid = newsid;
2782         return 0;
2783 }
2784
2785 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2786 {
2787         const int len = sizeof(XATTR_NAME_SELINUX);
2788         if (buffer && len <= buffer_size)
2789                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2790         return len;
2791 }
2792
2793 static int selinux_inode_need_killpriv(struct dentry *dentry)
2794 {
2795         return secondary_ops->inode_need_killpriv(dentry);
2796 }
2797
2798 static int selinux_inode_killpriv(struct dentry *dentry)
2799 {
2800         return secondary_ops->inode_killpriv(dentry);
2801 }
2802
2803 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2804 {
2805         struct inode_security_struct *isec = inode->i_security;
2806         *secid = isec->sid;
2807 }
2808
2809 /* file security operations */
2810
2811 static int selinux_revalidate_file_permission(struct file *file, int mask)
2812 {
2813         int rc;
2814         struct inode *inode = file->f_path.dentry->d_inode;
2815
2816         if (!mask) {
2817                 /* No permission to check.  Existence test. */
2818                 return 0;
2819         }
2820
2821         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2822         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2823                 mask |= MAY_APPEND;
2824
2825         rc = file_has_perm(current, file,
2826                            file_mask_to_av(inode->i_mode, mask));
2827         if (rc)
2828                 return rc;
2829
2830         return selinux_netlbl_inode_permission(inode, mask);
2831 }
2832
2833 static int selinux_file_permission(struct file *file, int mask)
2834 {
2835         struct inode *inode = file->f_path.dentry->d_inode;
2836         struct task_security_struct *tsec = current->security;
2837         struct file_security_struct *fsec = file->f_security;
2838         struct inode_security_struct *isec = inode->i_security;
2839
2840         if (!mask) {
2841                 /* No permission to check.  Existence test. */
2842                 return 0;
2843         }
2844
2845         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2846             && fsec->pseqno == avc_policy_seqno())
2847                 return selinux_netlbl_inode_permission(inode, mask);
2848
2849         return selinux_revalidate_file_permission(file, mask);
2850 }
2851
2852 static int selinux_file_alloc_security(struct file *file)
2853 {
2854         return file_alloc_security(file);
2855 }
2856
2857 static void selinux_file_free_security(struct file *file)
2858 {
2859         file_free_security(file);
2860 }
2861
2862 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2863                               unsigned long arg)
2864 {
2865         int error = 0;
2866
2867         switch (cmd) {
2868         case FIONREAD:
2869         /* fall through */
2870         case FIBMAP:
2871         /* fall through */
2872         case FIGETBSZ:
2873         /* fall through */
2874         case EXT2_IOC_GETFLAGS:
2875         /* fall through */
2876         case EXT2_IOC_GETVERSION:
2877                 error = file_has_perm(current, file, FILE__GETATTR);
2878                 break;
2879
2880         case EXT2_IOC_SETFLAGS:
2881         /* fall through */
2882         case EXT2_IOC_SETVERSION:
2883                 error = file_has_perm(current, file, FILE__SETATTR);
2884                 break;
2885
2886         /* sys_ioctl() checks */
2887         case FIONBIO:
2888         /* fall through */
2889         case FIOASYNC:
2890                 error = file_has_perm(current, file, 0);
2891                 break;
2892
2893         case KDSKBENT:
2894         case KDSKBSENT:
2895                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2896                 break;
2897
2898         /* default case assumes that the command will go
2899          * to the file's ioctl() function.
2900          */
2901         default:
2902                 error = file_has_perm(current, file, FILE__IOCTL);
2903         }
2904         return error;
2905 }
2906
2907 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2908 {
2909 #ifndef CONFIG_PPC32
2910         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2911                 /*
2912                  * We are making executable an anonymous mapping or a
2913                  * private file mapping that will also be writable.
2914                  * This has an additional check.
2915                  */
2916                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2917                 if (rc)
2918                         return rc;
2919         }
2920 #endif
2921
2922         if (file) {
2923                 /* read access is always possible with a mapping */
2924                 u32 av = FILE__READ;
2925
2926                 /* write access only matters if the mapping is shared */
2927                 if (shared && (prot & PROT_WRITE))
2928                         av |= FILE__WRITE;
2929
2930                 if (prot & PROT_EXEC)
2931                         av |= FILE__EXECUTE;
2932
2933                 return file_has_perm(current, file, av);
2934         }
2935         return 0;
2936 }
2937
2938 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2939                              unsigned long prot, unsigned long flags,
2940                              unsigned long addr, unsigned long addr_only)
2941 {
2942         int rc = 0;
2943         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2944
2945         if (addr < mmap_min_addr)
2946                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2947                                   MEMPROTECT__MMAP_ZERO, NULL);
2948         if (rc || addr_only)
2949                 return rc;
2950
2951         if (selinux_checkreqprot)
2952                 prot = reqprot;
2953
2954         return file_map_prot_check(file, prot,
2955                                    (flags & MAP_TYPE) == MAP_SHARED);
2956 }
2957
2958 static int selinux_file_mprotect(struct vm_area_struct *vma,
2959                                  unsigned long reqprot,
2960                                  unsigned long prot)
2961 {
2962         int rc;
2963
2964         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2965         if (rc)
2966                 return rc;
2967
2968         if (selinux_checkreqprot)
2969                 prot = reqprot;
2970
2971 #ifndef CONFIG_PPC32
2972         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2973                 rc = 0;
2974                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2975                     vma->vm_end <= vma->vm_mm->brk) {
2976                         rc = task_has_perm(current, current,
2977                                            PROCESS__EXECHEAP);
2978                 } else if (!vma->vm_file &&
2979                            vma->vm_start <= vma->vm_mm->start_stack &&
2980                            vma->vm_end >= vma->vm_mm->start_stack) {
2981                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2982                 } else if (vma->vm_file && vma->anon_vma) {
2983                         /*
2984                          * We are making executable a file mapping that has
2985                          * had some COW done. Since pages might have been
2986                          * written, check ability to execute the possibly
2987                          * modified content.  This typically should only
2988                          * occur for text relocations.
2989                          */
2990                         rc = file_has_perm(current, vma->vm_file,
2991                                            FILE__EXECMOD);
2992                 }
2993                 if (rc)
2994                         return rc;
2995         }
2996 #endif
2997
2998         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2999 }
3000
3001 static int selinux_file_lock(struct file *file, unsigned int cmd)
3002 {
3003         return file_has_perm(current, file, FILE__LOCK);
3004 }
3005
3006 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3007                               unsigned long arg)
3008 {
3009         int err = 0;
3010
3011         switch (cmd) {
3012         case F_SETFL:
3013                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3014                         err = -EINVAL;
3015                         break;
3016                 }
3017
3018                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3019                         err = file_has_perm(current, file, FILE__WRITE);
3020                         break;
3021                 }
3022                 /* fall through */
3023         case F_SETOWN:
3024         case F_SETSIG:
3025         case F_GETFL:
3026         case F_GETOWN:
3027         case F_GETSIG:
3028                 /* Just check FD__USE permission */
3029                 err = file_has_perm(current, file, 0);
3030                 break;
3031         case F_GETLK:
3032         case F_SETLK:
3033         case F_SETLKW:
3034 #if BITS_PER_LONG == 32
3035         case F_GETLK64:
3036         case F_SETLK64:
3037         case F_SETLKW64:
3038 #endif
3039                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3040                         err = -EINVAL;
3041                         break;
3042                 }
3043                 err = file_has_perm(current, file, FILE__LOCK);
3044                 break;
3045         }
3046
3047         return err;
3048 }
3049
3050 static int selinux_file_set_fowner(struct file *file)
3051 {
3052         struct task_security_struct *tsec;
3053         struct file_security_struct *fsec;
3054
3055         tsec = current->security;
3056         fsec = file->f_security;
3057         fsec->fown_sid = tsec->sid;
3058
3059         return 0;
3060 }
3061
3062 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3063                                        struct fown_struct *fown, int signum)
3064 {
3065         struct file *file;
3066         u32 perm;
3067         struct task_security_struct *tsec;
3068         struct file_security_struct *fsec;
3069
3070         /* struct fown_struct is never outside the context of a struct file */
3071         file = container_of(fown, struct file, f_owner);
3072
3073         tsec = tsk->security;
3074         fsec = file->f_security;
3075
3076         if (!signum)
3077                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3078         else
3079                 perm = signal_to_av(signum);
3080
3081         return avc_has_perm(fsec->fown_sid, tsec->sid,
3082                             SECCLASS_PROCESS, perm, NULL);
3083 }
3084
3085 static int selinux_file_receive(struct file *file)
3086 {
3087         return file_has_perm(current, file, file_to_av(file));
3088 }
3089
3090 static int selinux_dentry_open(struct file *file)
3091 {
3092         struct file_security_struct *fsec;
3093         struct inode *inode;
3094         struct inode_security_struct *isec;
3095         inode = file->f_path.dentry->d_inode;
3096         fsec = file->f_security;
3097         isec = inode->i_security;
3098         /*
3099          * Save inode label and policy sequence number
3100          * at open-time so that selinux_file_permission
3101          * can determine whether revalidation is necessary.
3102          * Task label is already saved in the file security
3103          * struct as its SID.
3104          */
3105         fsec->isid = isec->sid;
3106         fsec->pseqno = avc_policy_seqno();
3107         /*
3108          * Since the inode label or policy seqno may have changed
3109          * between the selinux_inode_permission check and the saving
3110          * of state above, recheck that access is still permitted.
3111          * Otherwise, access might never be revalidated against the
3112          * new inode label or new policy.
3113          * This check is not redundant - do not remove.
3114          */
3115         return inode_has_perm(current, inode, file_to_av(file), NULL);
3116 }
3117
3118 /* task security operations */
3119
3120 static int selinux_task_create(unsigned long clone_flags)
3121 {
3122         int rc;
3123
3124         rc = secondary_ops->task_create(clone_flags);
3125         if (rc)
3126                 return rc;
3127
3128         return task_has_perm(current, current, PROCESS__FORK);
3129 }
3130
3131 static int selinux_task_alloc_security(struct task_struct *tsk)
3132 {
3133         struct task_security_struct *tsec1, *tsec2;
3134         int rc;
3135
3136         tsec1 = current->security;
3137
3138         rc = task_alloc_security(tsk);
3139         if (rc)
3140                 return rc;
3141         tsec2 = tsk->security;
3142
3143         tsec2->osid = tsec1->osid;
3144         tsec2->sid = tsec1->sid;
3145
3146         /* Retain the exec, fs, key, and sock SIDs across fork */
3147         tsec2->exec_sid = tsec1->exec_sid;
3148         tsec2->create_sid = tsec1->create_sid;
3149         tsec2->keycreate_sid = tsec1->keycreate_sid;
3150         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3151
3152         return 0;
3153 }
3154
3155 static void selinux_task_free_security(struct task_struct *tsk)
3156 {
3157         task_free_security(tsk);
3158 }
3159
3160 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3161 {
3162         /* Since setuid only affects the current process, and
3163            since the SELinux controls are not based on the Linux
3164            identity attributes, SELinux does not need to control
3165            this operation.  However, SELinux does control the use
3166            of the CAP_SETUID and CAP_SETGID capabilities using the
3167            capable hook. */
3168         return 0;
3169 }
3170
3171 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3172 {
3173         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3174 }
3175
3176 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3177 {
3178         /* See the comment for setuid above. */
3179         return 0;
3180 }
3181
3182 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3183 {
3184         return task_has_perm(current, p, PROCESS__SETPGID);
3185 }
3186
3187 static int selinux_task_getpgid(struct task_struct *p)
3188 {
3189         return task_has_perm(current, p, PROCESS__GETPGID);
3190 }
3191
3192 static int selinux_task_getsid(struct task_struct *p)
3193 {
3194         return task_has_perm(current, p, PROCESS__GETSESSION);
3195 }
3196
3197 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3198 {
3199         struct task_security_struct *tsec = p->security;
3200         *secid = tsec->sid;
3201 }
3202
3203 static int selinux_task_setgroups(struct group_info *group_info)
3204 {
3205         /* See the comment for setuid above. */
3206         return 0;
3207 }
3208
3209 static int selinux_task_setnice(struct task_struct *p, int nice)
3210 {
3211         int rc;
3212
3213         rc = secondary_ops->task_setnice(p, nice);
3214         if (rc)
3215                 return rc;
3216
3217         return task_has_perm(current, p, PROCESS__SETSCHED);
3218 }
3219
3220 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3221 {
3222         int rc;
3223
3224         rc = secondary_ops->task_setioprio(p, ioprio);
3225         if (rc)
3226                 return rc;
3227
3228         return task_has_perm(current, p, PROCESS__SETSCHED);
3229 }
3230
3231 static int selinux_task_getioprio(struct task_struct *p)
3232 {
3233         return task_has_perm(current, p, PROCESS__GETSCHED);
3234 }
3235
3236 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3237 {
3238         struct rlimit *old_rlim = current->signal->rlim + resource;
3239         int rc;
3240
3241         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3242         if (rc)
3243                 return rc;
3244
3245         /* Control the ability to change the hard limit (whether
3246            lowering or raising it), so that the hard limit can
3247            later be used as a safe reset point for the soft limit
3248            upon context transitions. See selinux_bprm_apply_creds. */
3249         if (old_rlim->rlim_max != new_rlim->rlim_max)
3250                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3251
3252         return 0;
3253 }
3254
3255 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3256 {
3257         int rc;
3258
3259         rc = secondary_ops->task_setscheduler(p, policy, lp);
3260         if (rc)
3261                 return rc;
3262
3263         return task_has_perm(current, p, PROCESS__SETSCHED);
3264 }
3265
3266 static int selinux_task_getscheduler(struct task_struct *p)
3267 {
3268         return task_has_perm(current, p, PROCESS__GETSCHED);
3269 }
3270
3271 static int selinux_task_movememory(struct task_struct *p)
3272 {
3273         return task_has_perm(current, p, PROCESS__SETSCHED);
3274 }
3275
3276 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3277                                 int sig, u32 secid)
3278 {
3279         u32 perm;
3280         int rc;
3281         struct task_security_struct *tsec;
3282
3283         rc = secondary_ops->task_kill(p, info, sig, secid);
3284         if (rc)
3285                 return rc;
3286
3287         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3288                 return 0;
3289
3290         if (!sig)
3291                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3292         else
3293                 perm = signal_to_av(sig);
3294         tsec = p->security;
3295         if (secid)
3296                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3297         else
3298                 rc = task_has_perm(current, p, perm);
3299         return rc;
3300 }
3301
3302 static int selinux_task_prctl(int option,
3303                               unsigned long arg2,
3304                               unsigned long arg3,
3305                               unsigned long arg4,
3306                               unsigned long arg5)
3307 {
3308         /* The current prctl operations do not appear to require
3309            any SELinux controls since they merely observe or modify
3310            the state of the current process. */
3311         return 0;
3312 }
3313
3314 static int selinux_task_wait(struct task_struct *p)
3315 {
3316         return task_has_perm(p, current, PROCESS__SIGCHLD);
3317 }
3318
3319 static void selinux_task_reparent_to_init(struct task_struct *p)
3320 {
3321         struct task_security_struct *tsec;
3322
3323         secondary_ops->task_reparent_to_init(p);
3324
3325         tsec = p->security;
3326         tsec->osid = tsec->sid;
3327         tsec->sid = SECINITSID_KERNEL;
3328         return;
3329 }
3330
3331 static void selinux_task_to_inode(struct task_struct *p,
3332                                   struct inode *inode)
3333 {
3334         struct task_security_struct *tsec = p->security;
3335         struct inode_security_struct *isec = inode->i_security;
3336
3337         isec->sid = tsec->sid;
3338         isec->initialized = 1;
3339         return;
3340 }
3341
3342 /* Returns error only if unable to parse addresses */
3343 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3344                         struct avc_audit_data *ad, u8 *proto)
3345 {
3346         int offset, ihlen, ret = -EINVAL;
3347         struct iphdr _iph, *ih;
3348
3349         offset = skb_network_offset(skb);
3350         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3351         if (ih == NULL)
3352                 goto out;
3353
3354         ihlen = ih->ihl * 4;
3355         if (ihlen < sizeof(_iph))
3356                 goto out;
3357
3358         ad->u.net.v4info.saddr = ih->saddr;
3359         ad->u.net.v4info.daddr = ih->daddr;
3360         ret = 0;
3361
3362         if (proto)
3363                 *proto = ih->protocol;
3364
3365         switch (ih->protocol) {
3366         case IPPROTO_TCP: {
3367                 struct tcphdr _tcph, *th;
3368
3369                 if (ntohs(ih->frag_off) & IP_OFFSET)
3370                         break;
3371
3372                 offset += ihlen;
3373                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3374                 if (th == NULL)
3375                         break;
3376
3377                 ad->u.net.sport = th->source;
3378                 ad->u.net.dport = th->dest;
3379                 break;
3380         }
3381
3382         case IPPROTO_UDP: {
3383                 struct udphdr _udph, *uh;
3384
3385                 if (ntohs(ih->frag_off) & IP_OFFSET)
3386                         break;
3387
3388                 offset += ihlen;
3389                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3390                 if (uh == NULL)
3391                         break;
3392
3393                 ad->u.net.sport = uh->source;
3394                 ad->u.net.dport = uh->dest;
3395                 break;
3396         }
3397
3398         case IPPROTO_DCCP: {
3399                 struct dccp_hdr _dccph, *dh;
3400
3401                 if (ntohs(ih->frag_off) & IP_OFFSET)
3402                         break;
3403
3404                 offset += ihlen;
3405                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3406                 if (dh == NULL)
3407                         break;
3408
3409                 ad->u.net.sport = dh->dccph_sport;
3410                 ad->u.net.dport = dh->dccph_dport;
3411                 break;
3412         }
3413
3414         default:
3415                 break;
3416         }
3417 out:
3418         return ret;
3419 }
3420
3421 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3422
3423 /* Returns error only if unable to parse addresses */
3424 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3425                         struct avc_audit_data *ad, u8 *proto)
3426 {
3427         u8 nexthdr;
3428         int ret = -EINVAL, offset;
3429         struct ipv6hdr _ipv6h, *ip6;
3430
3431         offset = skb_network_offset(skb);
3432         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3433         if (ip6 == NULL)
3434                 goto out;
3435
3436         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3437         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3438         ret = 0;
3439
3440         nexthdr = ip6->nexthdr;
3441         offset += sizeof(_ipv6h);
3442         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3443         if (offset < 0)
3444                 goto out;
3445
3446         if (proto)
3447                 *proto = nexthdr;
3448
3449         switch (nexthdr) {
3450         case IPPROTO_TCP: {
3451                 struct tcphdr _tcph, *th;
3452
3453                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3454                 if (th == NULL)
3455                         break;
3456
3457                 ad->u.net.sport = th->source;
3458                 ad->u.net.dport = th->dest;
3459                 break;
3460         }
3461
3462         case IPPROTO_UDP: {
3463                 struct udphdr _udph, *uh;
3464
3465                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3466                 if (uh == NULL)
3467                         break;
3468
3469                 ad->u.net.sport = uh->source;
3470                 ad->u.net.dport = uh->dest;
3471                 break;
3472         }
3473
3474         case IPPROTO_DCCP: {
3475                 struct dccp_hdr _dccph, *dh;
3476
3477                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3478                 if (dh == NULL)
3479                         break;
3480
3481                 ad->u.net.sport = dh->dccph_sport;
3482                 ad->u.net.dport = dh->dccph_dport;
3483                 break;
3484         }
3485
3486         /* includes fragments */
3487         default:
3488                 break;
3489         }
3490 out:
3491         return ret;
3492 }
3493
3494 #endif /* IPV6 */
3495
3496 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3497                              char **addrp, int src, u8 *proto)
3498 {
3499         int ret = 0;
3500
3501         switch (ad->u.net.family) {
3502         case PF_INET:
3503                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3504                 if (ret || !addrp)
3505                         break;
3506                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3507                                         &ad->u.net.v4info.daddr);
3508                 break;
3509
3510 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3511         case PF_INET6:
3512                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3513                 if (ret || !addrp)
3514                         break;
3515                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3516                                         &ad->u.net.v6info.daddr);
3517                 break;
3518 #endif  /* IPV6 */
3519         default:
3520                 break;
3521         }
3522
3523         if (unlikely(ret))
3524                 printk(KERN_WARNING
3525                        "SELinux: failure in selinux_parse_skb(),"
3526                        " unable to parse packet\n");
3527
3528         return ret;
3529 }
3530
3531 /**
3532  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3533  * @skb: the packet
3534  * @family: protocol family
3535  * @sid: the packet's peer label SID
3536  *
3537  * Description:
3538  * Check the various different forms of network peer labeling and determine
3539  * the peer label/SID for the packet; most of the magic actually occurs in
3540  * the security server function security_net_peersid_cmp().  The function
3541  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3542  * or -EACCES if @sid is invalid due to inconsistencies with the different
3543  * peer labels.
3544  *
3545  */
3546 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3547 {
3548         int err;
3549         u32 xfrm_sid;
3550         u32 nlbl_sid;
3551         u32 nlbl_type;
3552
3553         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3554         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3555
3556         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3557         if (unlikely(err)) {
3558                 printk(KERN_WARNING
3559                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3560                        " unable to determine packet's peer label\n");
3561                 return -EACCES;
3562         }
3563
3564         return 0;
3565 }
3566
3567 /* socket security operations */
3568 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3569                            u32 perms)
3570 {
3571         struct inode_security_struct *isec;
3572         struct task_security_struct *tsec;
3573         struct avc_audit_data ad;
3574         int err = 0;
3575
3576         tsec = task->security;
3577         isec = SOCK_INODE(sock)->i_security;
3578
3579         if (isec->sid == SECINITSID_KERNEL)
3580                 goto out;
3581
3582         AVC_AUDIT_DATA_INIT(&ad, NET);
3583         ad.u.net.sk = sock->sk;
3584         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3585
3586 out:
3587         return err;
3588 }
3589
3590 static int selinux_socket_create(int family, int type,
3591                                  int protocol, int kern)
3592 {
3593         int err = 0;
3594         struct task_security_struct *tsec;
3595         u32 newsid;
3596
3597         if (kern)
3598                 goto out;
3599
3600         tsec = current->security;
3601         newsid = tsec->sockcreate_sid ? : tsec->sid;
3602         err = avc_has_perm(tsec->sid, newsid,
3603                            socket_type_to_security_class(family, type,
3604                            protocol), SOCKET__CREATE, NULL);
3605
3606 out:
3607         return err;
3608 }
3609
3610 static int selinux_socket_post_create(struct socket *sock, int family,
3611                                       int type, int protocol, int kern)
3612 {
3613         int err = 0;
3614         struct inode_security_struct *isec;
3615         struct task_security_struct *tsec;
3616         struct sk_security_struct *sksec;
3617         u32 newsid;
3618
3619         isec = SOCK_INODE(sock)->i_security;
3620
3621         tsec = current->security;
3622         newsid = tsec->sockcreate_sid ? : tsec->sid;
3623         isec->sclass = socket_type_to_security_class(family, type, protocol);
3624         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3625         isec->initialized = 1;
3626
3627         if (sock->sk) {
3628                 sksec = sock->sk->sk_security;
3629                 sksec->sid = isec->sid;
3630                 sksec->sclass = isec->sclass;
3631                 err = selinux_netlbl_socket_post_create(sock);
3632         }
3633
3634         return err;
3635 }
3636
3637 /* Range of port numbers used to automatically bind.
3638    Need to determine whether we should perform a name_bind
3639    permission check between the socket and the port number. */
3640
3641 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3642 {
3643         u16 family;
3644         int err;
3645
3646         err = socket_has_perm(current, sock, SOCKET__BIND);
3647         if (err)
3648                 goto out;
3649
3650         /*
3651          * If PF_INET or PF_INET6, check name_bind permission for the port.
3652          * Multiple address binding for SCTP is not supported yet: we just
3653          * check the first address now.
3654          */
3655         family = sock->sk->sk_family;
3656         if (family == PF_INET || family == PF_INET6) {
3657                 char *addrp;
3658                 struct inode_security_struct *isec;
3659                 struct task_security_struct *tsec;
3660                 struct avc_audit_data ad;
3661                 struct sockaddr_in *addr4 = NULL;
3662                 struct sockaddr_in6 *addr6 = NULL;
3663                 unsigned short snum;
3664                 struct sock *sk = sock->sk;
3665                 u32 sid, node_perm, addrlen;
3666
3667                 tsec = current->security;
3668                 isec = SOCK_INODE(sock)->i_security;
3669
3670                 if (family == PF_INET) {
3671                         addr4 = (struct sockaddr_in *)address;
3672                         snum = ntohs(addr4->sin_port);
3673                         addrlen = sizeof(addr4->sin_addr.s_addr);
3674                         addrp = (char *)&addr4->sin_addr.s_addr;
3675                 } else {
3676                         addr6 = (struct sockaddr_in6 *)address;
3677                         snum = ntohs(addr6->sin6_port);
3678                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3679                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3680                 }
3681
3682                 if (snum) {
3683                         int low, high;
3684
3685                         inet_get_local_port_range(&low, &high);
3686
3687                         if (snum < max(PROT_SOCK, low) || snum > high) {
3688                                 err = sel_netport_sid(sk->sk_protocol,
3689                                                       snum, &sid);
3690                                 if (err)
3691                                         goto out;
3692                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3693                                 ad.u.net.sport = htons(snum);
3694                                 ad.u.net.family = family;
3695                                 err = avc_has_perm(isec->sid, sid,
3696                                                    isec->sclass,
3697                                                    SOCKET__NAME_BIND, &ad);
3698                                 if (err)
3699                                         goto out;
3700                         }
3701                 }
3702
3703                 switch (isec->sclass) {
3704                 case SECCLASS_TCP_SOCKET:
3705                         node_perm = TCP_SOCKET__NODE_BIND;
3706                         break;
3707
3708                 case SECCLASS_UDP_SOCKET:
3709                         node_perm = UDP_SOCKET__NODE_BIND;
3710                         break;
3711
3712                 case SECCLASS_DCCP_SOCKET:
3713                         node_perm = DCCP_SOCKET__NODE_BIND;
3714                         break;
3715
3716                 default:
3717                         node_perm = RAWIP_SOCKET__NODE_BIND;
3718                         break;
3719                 }
3720
3721                 err = sel_netnode_sid(addrp, family, &sid);
3722                 if (err)
3723                         goto out;
3724
3725                 AVC_AUDIT_DATA_INIT(&ad, NET);
3726                 ad.u.net.sport = htons(snum);
3727                 ad.u.net.family = family;
3728
3729                 if (family == PF_INET)
3730                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3731                 else
3732                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3733
3734                 err = avc_has_perm(isec->sid, sid,
3735                                    isec->sclass, node_perm, &ad);
3736                 if (err)
3737                         goto out;
3738         }
3739 out:
3740         return err;
3741 }
3742
3743 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3744 {
3745         struct inode_security_struct *isec;
3746         int err;
3747
3748         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3749         if (err)
3750                 return err;
3751
3752         /*
3753          * If a TCP or DCCP socket, check name_connect permission for the port.
3754          */
3755         isec = SOCK_INODE(sock)->i_security;
3756         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3757             isec->sclass == SECCLASS_DCCP_SOCKET) {
3758                 struct sock *sk = sock->sk;
3759                 struct avc_audit_data ad;
3760                 struct sockaddr_in *addr4 = NULL;
3761                 struct sockaddr_in6 *addr6 = NULL;
3762                 unsigned short snum;
3763                 u32 sid, perm;
3764
3765                 if (sk->sk_family == PF_INET) {
3766                         addr4 = (struct sockaddr_in *)address;
3767                         if (addrlen < sizeof(struct sockaddr_in))
3768                                 return -EINVAL;
3769                         snum = ntohs(addr4->sin_port);
3770                 } else {
3771                         addr6 = (struct sockaddr_in6 *)address;
3772                         if (addrlen < SIN6_LEN_RFC2133)
3773                                 return -EINVAL;
3774                         snum = ntohs(addr6->sin6_port);
3775                 }
3776
3777                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3778                 if (err)
3779                         goto out;
3780
3781                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3782                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3783
3784                 AVC_AUDIT_DATA_INIT(&ad, NET);
3785                 ad.u.net.dport = htons(snum);
3786                 ad.u.net.family = sk->sk_family;
3787                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3788                 if (err)
3789                         goto out;
3790         }
3791
3792 out:
3793         return err;
3794 }
3795
3796 static int selinux_socket_listen(struct socket *sock, int backlog)
3797 {
3798         return socket_has_perm(current, sock, SOCKET__LISTEN);
3799 }
3800
3801 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3802 {
3803         int err;
3804         struct inode_security_struct *isec;
3805         struct inode_security_struct *newisec;
3806
3807         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3808         if (err)
3809                 return err;
3810
3811         newisec = SOCK_INODE(newsock)->i_security;
3812
3813         isec = SOCK_INODE(sock)->i_security;
3814         newisec->sclass = isec->sclass;
3815         newisec->sid = isec->sid;
3816         newisec->initialized = 1;
3817
3818         return 0;
3819 }
3820
3821 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3822                                   int size)
3823 {
3824         int rc;
3825
3826         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3827         if (rc)
3828                 return rc;
3829
3830         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3831 }
3832
3833 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3834                                   int size, int flags)
3835 {
3836         return socket_has_perm(current, sock, SOCKET__READ);
3837 }
3838
3839 static int selinux_socket_getsockname(struct socket *sock)
3840 {
3841         return socket_has_perm(current, sock, SOCKET__GETATTR);
3842 }
3843
3844 static int selinux_socket_getpeername(struct socket *sock)
3845 {
3846         return socket_has_perm(current, sock, SOCKET__GETATTR);
3847 }
3848
3849 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3850 {
3851         int err;
3852
3853         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3854         if (err)
3855                 return err;
3856
3857         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3858 }
3859
3860 static int selinux_socket_getsockopt(struct socket *sock, int level,
3861                                      int optname)
3862 {
3863         return socket_has_perm(current, sock, SOCKET__GETOPT);
3864 }
3865
3866 static int selinux_socket_shutdown(struct socket *sock, int how)
3867 {
3868         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3869 }
3870
3871 static int selinux_socket_unix_stream_connect(struct socket *sock,
3872                                               struct socket *other,
3873                                               struct sock *newsk)
3874 {
3875         struct sk_security_struct *ssec;
3876         struct inode_security_struct *isec;
3877         struct inode_security_struct *other_isec;
3878         struct avc_audit_data ad;
3879         int err;
3880
3881         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3882         if (err)
3883                 return err;
3884
3885         isec = SOCK_INODE(sock)->i_security;
3886         other_isec = SOCK_INODE(other)->i_security;
3887
3888         AVC_AUDIT_DATA_INIT(&ad, NET);
3889         ad.u.net.sk = other->sk;
3890
3891         err = avc_has_perm(isec->sid, other_isec->sid,
3892                            isec->sclass,
3893                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3894         if (err)
3895                 return err;
3896
3897         /* connecting socket */
3898         ssec = sock->sk->sk_security;
3899         ssec->peer_sid = other_isec->sid;
3900
3901         /* server child socket */
3902         ssec = newsk->sk_security;
3903         ssec->peer_sid = isec->sid;
3904         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3905
3906         return err;
3907 }
3908
3909 static int selinux_socket_unix_may_send(struct socket *sock,
3910                                         struct socket *other)
3911 {
3912         struct inode_security_struct *isec;
3913         struct inode_security_struct *other_isec;
3914         struct avc_audit_data ad;
3915         int err;
3916
3917         isec = SOCK_INODE(sock)->i_security;
3918         other_isec = SOCK_INODE(other)->i_security;
3919
3920         AVC_AUDIT_DATA_INIT(&ad, NET);
3921         ad.u.net.sk = other->sk;
3922
3923         err = avc_has_perm(isec->sid, other_isec->sid,
3924                            isec->sclass, SOCKET__SENDTO, &ad);
3925         if (err)
3926                 return err;
3927
3928         return 0;
3929 }
3930
3931 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3932                                     u32 peer_sid,
3933                                     struct avc_audit_data *ad)
3934 {
3935         int err;
3936         u32 if_sid;
3937         u32 node_sid;
3938
3939         err = sel_netif_sid(ifindex, &if_sid);
3940         if (err)
3941                 return err;
3942         err = avc_has_perm(peer_sid, if_sid,
3943                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3944         if (err)
3945                 return err;
3946
3947         err = sel_netnode_sid(addrp, family, &node_sid);
3948         if (err)
3949                 return err;
3950         return avc_has_perm(peer_sid, node_sid,
3951                             SECCLASS_NODE, NODE__RECVFROM, ad);
3952 }
3953
3954 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3955                                                 struct sk_buff *skb,
3956                                                 struct avc_audit_data *ad,
3957                                                 u16 family,
3958                                                 char *addrp)
3959 {
3960         int err;
3961         struct sk_security_struct *sksec = sk->sk_security;
3962         u16 sk_class;
3963         u32 netif_perm, node_perm, recv_perm;
3964         u32 port_sid, node_sid, if_sid, sk_sid;
3965
3966         sk_sid = sksec->sid;
3967         sk_class = sksec->sclass;
3968
3969         switch (sk_class) {
3970         case SECCLASS_UDP_SOCKET:
3971                 netif_perm = NETIF__UDP_RECV;
3972                 node_perm = NODE__UDP_RECV;
3973                 recv_perm = UDP_SOCKET__RECV_MSG;
3974                 break;
3975         case SECCLASS_TCP_SOCKET:
3976                 netif_perm = NETIF__TCP_RECV;
3977                 node_perm = NODE__TCP_RECV;
3978                 recv_perm = TCP_SOCKET__RECV_MSG;
3979                 break;
3980         case SECCLASS_DCCP_SOCKET:
3981                 netif_perm = NETIF__DCCP_RECV;
3982                 node_perm = NODE__DCCP_RECV;
3983                 recv_perm = DCCP_SOCKET__RECV_MSG;
3984                 break;
3985         default:
3986                 netif_perm = NETIF__RAWIP_RECV;
3987                 node_perm = NODE__RAWIP_RECV;
3988                 recv_perm = 0;
3989                 break;
3990         }
3991
3992         err = sel_netif_sid(skb->iif, &if_sid);
3993         if (err)
3994                 return err;
3995         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3996         if (err)
3997                 return err;
3998
3999         err = sel_netnode_sid(addrp, family, &node_sid);
4000         if (err)
4001                 return err;
4002         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4003         if (err)
4004                 return err;
4005
4006         if (!recv_perm)
4007                 return 0;
4008         err = sel_netport_sid(sk->sk_protocol,
4009                               ntohs(ad->u.net.sport), &port_sid);
4010         if (unlikely(err)) {
4011                 printk(KERN_WARNING
4012                        "SELinux: failure in"
4013                        " selinux_sock_rcv_skb_iptables_compat(),"
4014                        " network port label not found\n");
4015                 return err;
4016         }
4017         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4018 }
4019
4020 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4021                                        struct avc_audit_data *ad,
4022                                        u16 family, char *addrp)
4023 {
4024         int err;
4025         struct sk_security_struct *sksec = sk->sk_security;
4026         u32 peer_sid;
4027         u32 sk_sid = sksec->sid;
4028
4029         if (selinux_compat_net)
4030                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4031                                                            family, addrp);
4032         else
4033                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4034                                    PACKET__RECV, ad);
4035         if (err)
4036                 return err;
4037
4038         if (selinux_policycap_netpeer) {
4039                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4040                 if (err)
4041                         return err;
4042                 err = avc_has_perm(sk_sid, peer_sid,
4043                                    SECCLASS_PEER, PEER__RECV, ad);
4044         } else {
4045                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4046                 if (err)
4047                         return err;
4048                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4049         }
4050
4051         return err;
4052 }
4053
4054 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4055 {
4056         int err;
4057         struct sk_security_struct *sksec = sk->sk_security;
4058         u16 family = sk->sk_family;
4059         u32 sk_sid = sksec->sid;
4060         struct avc_audit_data ad;
4061         char *addrp;
4062
4063         if (family != PF_INET && family != PF_INET6)
4064                 return 0;
4065
4066         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4067         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4068                 family = PF_INET;
4069
4070         AVC_AUDIT_DATA_INIT(&ad, NET);
4071         ad.u.net.netif = skb->iif;
4072         ad.u.net.family = family;
4073         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4074         if (err)
4075                 return err;
4076
4077         /* If any sort of compatibility mode is enabled then handoff processing
4078          * to the selinux_sock_rcv_skb_compat() function to deal with the
4079          * special handling.  We do this in an attempt to keep this function
4080          * as fast and as clean as possible. */
4081         if (selinux_compat_net || !selinux_policycap_netpeer)
4082                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4083                                                    family, addrp);
4084
4085         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4086                 u32 peer_sid;
4087
4088                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4089                 if (err)
4090                         return err;
4091                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4092                                                peer_sid, &ad);
4093                 if (err)
4094                         return err;
4095                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4096                                    PEER__RECV, &ad);
4097         }
4098
4099         if (selinux_secmark_enabled()) {
4100                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4101                                    PACKET__RECV, &ad);
4102                 if (err)
4103                         return err;
4104         }
4105
4106         return err;
4107 }
4108
4109 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4110                                             int __user *optlen, unsigned len)
4111 {
4112         int err = 0;
4113         char *scontext;
4114         u32 scontext_len;
4115         struct sk_security_struct *ssec;
4116         struct inode_security_struct *isec;
4117         u32 peer_sid = SECSID_NULL;
4118
4119         isec = SOCK_INODE(sock)->i_security;
4120
4121         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4122             isec->sclass == SECCLASS_TCP_SOCKET) {
4123                 ssec = sock->sk->sk_security;
4124                 peer_sid = ssec->peer_sid;
4125         }
4126         if (peer_sid == SECSID_NULL) {
4127                 err = -ENOPROTOOPT;
4128                 goto out;
4129         }
4130
4131         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4132
4133         if (err)
4134                 goto out;
4135
4136         if (scontext_len > len) {
4137                 err = -ERANGE;
4138                 goto out_len;
4139         }
4140
4141         if (copy_to_user(optval, scontext, scontext_len))
4142                 err = -EFAULT;
4143
4144 out_len:
4145         if (put_user(scontext_len, optlen))
4146                 err = -EFAULT;
4147
4148         kfree(scontext);
4149 out:
4150         return err;
4151 }
4152
4153 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4154 {
4155         u32 peer_secid = SECSID_NULL;
4156         u16 family;
4157
4158         if (sock)
4159                 family = sock->sk->sk_family;
4160         else if (skb && skb->sk)
4161                 family = skb->sk->sk_family;
4162         else
4163                 goto out;
4164
4165         if (sock && family == PF_UNIX)
4166                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4167         else if (skb)
4168                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4169
4170 out:
4171         *secid = peer_secid;
4172         if (peer_secid == SECSID_NULL)
4173                 return -EINVAL;
4174         return 0;
4175 }
4176
4177 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4178 {
4179         return sk_alloc_security(sk, family, priority);
4180 }
4181
4182 static void selinux_sk_free_security(struct sock *sk)
4183 {
4184         sk_free_security(sk);
4185 }
4186
4187 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4188 {
4189         struct sk_security_struct *ssec = sk->sk_security;
4190         struct sk_security_struct *newssec = newsk->sk_security;
4191
4192         newssec->sid = ssec->sid;
4193         newssec->peer_sid = ssec->peer_sid;
4194         newssec->sclass = ssec->sclass;
4195
4196         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4197 }
4198
4199 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4200 {
4201         if (!sk)
4202                 *secid = SECINITSID_ANY_SOCKET;
4203         else {
4204                 struct sk_security_struct *sksec = sk->sk_security;
4205
4206                 *secid = sksec->sid;
4207         }
4208 }
4209
4210 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4211 {
4212         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4213         struct sk_security_struct *sksec = sk->sk_security;
4214
4215         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4216             sk->sk_family == PF_UNIX)
4217                 isec->sid = sksec->sid;
4218         sksec->sclass = isec->sclass;
4219
4220         selinux_netlbl_sock_graft(sk, parent);
4221 }
4222
4223 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4224                                      struct request_sock *req)
4225 {
4226         struct sk_security_struct *sksec = sk->sk_security;
4227         int err;
4228         u32 newsid;
4229         u32 peersid;
4230
4231         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4232         if (err)
4233                 return err;
4234         if (peersid == SECSID_NULL) {
4235                 req->secid = sksec->sid;
4236                 req->peer_secid = SECSID_NULL;
4237                 return 0;
4238         }
4239
4240         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4241         if (err)
4242                 return err;
4243
4244         req->secid = newsid;
4245         req->peer_secid = peersid;
4246         return 0;
4247 }
4248
4249 static void selinux_inet_csk_clone(struct sock *newsk,
4250                                    const struct request_sock *req)
4251 {
4252         struct sk_security_struct *newsksec = newsk->sk_security;
4253
4254         newsksec->sid = req->secid;
4255         newsksec->peer_sid = req->peer_secid;
4256         /* NOTE: Ideally, we should also get the isec->sid for the
4257            new socket in sync, but we don't have the isec available yet.
4258            So we will wait until sock_graft to do it, by which
4259            time it will have been created and available. */
4260
4261         /* We don't need to take any sort of lock here as we are the only
4262          * thread with access to newsksec */
4263         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4264 }
4265
4266 static void selinux_inet_conn_established(struct sock *sk,
4267                                 struct sk_buff *skb)
4268 {
4269         struct sk_security_struct *sksec = sk->sk_security;
4270
4271         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4272 }
4273
4274 static void selinux_req_classify_flow(const struct request_sock *req,
4275                                       struct flowi *fl)
4276 {
4277         fl->secid = req->secid;
4278 }
4279
4280 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4281 {
4282         int err = 0;
4283         u32 perm;
4284         struct nlmsghdr *nlh;
4285         struct socket *sock = sk->sk_socket;
4286         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4287
4288         if (skb->len < NLMSG_SPACE(0)) {
4289                 err = -EINVAL;
4290                 goto out;
4291         }
4292         nlh = nlmsg_hdr(skb);
4293
4294         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4295         if (err) {
4296                 if (err == -EINVAL) {
4297                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4298                                   "SELinux:  unrecognized netlink message"
4299                                   " type=%hu for sclass=%hu\n",
4300                                   nlh->nlmsg_type, isec->sclass);
4301                         if (!selinux_enforcing)
4302                                 err = 0;
4303                 }
4304
4305                 /* Ignore */
4306                 if (err == -ENOENT)
4307                         err = 0;
4308                 goto out;
4309         }
4310
4311         err = socket_has_perm(current, sock, perm);
4312 out:
4313         return err;
4314 }
4315
4316 #ifdef CONFIG_NETFILTER
4317
4318 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4319                                        u16 family)
4320 {
4321         char *addrp;
4322         u32 peer_sid;
4323         struct avc_audit_data ad;
4324         u8 secmark_active;
4325         u8 peerlbl_active;
4326
4327         if (!selinux_policycap_netpeer)
4328                 return NF_ACCEPT;
4329
4330         secmark_active = selinux_secmark_enabled();
4331         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4332         if (!secmark_active && !peerlbl_active)
4333                 return NF_ACCEPT;
4334
4335         AVC_AUDIT_DATA_INIT(&ad, NET);
4336         ad.u.net.netif = ifindex;
4337         ad.u.net.family = family;
4338         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4339                 return NF_DROP;
4340
4341         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4342                 return NF_DROP;
4343
4344         if (peerlbl_active)
4345                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4346                                              peer_sid, &ad) != 0)
4347                         return NF_DROP;
4348
4349         if (secmark_active)
4350                 if (avc_has_perm(peer_sid, skb->secmark,
4351                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4352                         return NF_DROP;
4353
4354         return NF_ACCEPT;
4355 }
4356
4357 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4358                                          struct sk_buff *skb,
4359                                          const struct net_device *in,
4360                                          const struct net_device *out,
4361                                          int (*okfn)(struct sk_buff *))
4362 {
4363         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4364 }
4365
4366 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4367 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4368                                          struct sk_buff *skb,
4369                                          const struct net_device *in,
4370                                          const struct net_device *out,
4371                                          int (*okfn)(struct sk_buff *))
4372 {
4373         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4374 }
4375 #endif  /* IPV6 */
4376
4377 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4378                                                 int ifindex,
4379                                                 struct avc_audit_data *ad,
4380                                                 u16 family, char *addrp)
4381 {
4382         int err;
4383         struct sk_security_struct *sksec = sk->sk_security;
4384         u16 sk_class;
4385         u32 netif_perm, node_perm, send_perm;
4386         u32 port_sid, node_sid, if_sid, sk_sid;
4387
4388         sk_sid = sksec->sid;
4389         sk_class = sksec->sclass;
4390
4391         switch (sk_class) {
4392         case SECCLASS_UDP_SOCKET:
4393                 netif_perm = NETIF__UDP_SEND;
4394                 node_perm = NODE__UDP_SEND;
4395                 send_perm = UDP_SOCKET__SEND_MSG;
4396                 break;
4397         case SECCLASS_TCP_SOCKET:
4398                 netif_perm = NETIF__TCP_SEND;
4399                 node_perm = NODE__TCP_SEND;
4400                 send_perm = TCP_SOCKET__SEND_MSG;
4401                 break;
4402         case SECCLASS_DCCP_SOCKET:
4403                 netif_perm = NETIF__DCCP_SEND;
4404                 node_perm = NODE__DCCP_SEND;
4405                 send_perm = DCCP_SOCKET__SEND_MSG;
4406                 break;
4407         default:
4408                 netif_perm = NETIF__RAWIP_SEND;
4409                 node_perm = NODE__RAWIP_SEND;
4410                 send_perm = 0;
4411                 break;
4412         }
4413
4414         err = sel_netif_sid(ifindex, &if_sid);
4415         if (err)
4416                 return err;
4417         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4418                 return err;
4419
4420         err = sel_netnode_sid(addrp, family, &node_sid);
4421         if (err)
4422                 return err;
4423         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4424         if (err)
4425                 return err;
4426
4427         if (send_perm != 0)
4428                 return 0;
4429
4430         err = sel_netport_sid(sk->sk_protocol,
4431                               ntohs(ad->u.net.dport), &port_sid);
4432         if (unlikely(err)) {
4433                 printk(KERN_WARNING
4434                        "SELinux: failure in"
4435                        " selinux_ip_postroute_iptables_compat(),"
4436                        " network port label not found\n");
4437                 return err;
4438         }
4439         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4440 }
4441
4442 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4443                                                 int ifindex,
4444                                                 struct avc_audit_data *ad,
4445                                                 u16 family,
4446                                                 char *addrp,
4447                                                 u8 proto)
4448 {
4449         struct sock *sk = skb->sk;
4450         struct sk_security_struct *sksec;
4451
4452         if (sk == NULL)
4453                 return NF_ACCEPT;
4454         sksec = sk->sk_security;
4455
4456         if (selinux_compat_net) {
4457                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4458                                                          ad, family, addrp))
4459                         return NF_DROP;
4460         } else {
4461                 if (avc_has_perm(sksec->sid, skb->secmark,
4462                                  SECCLASS_PACKET, PACKET__SEND, ad))
4463                         return NF_DROP;
4464         }
4465
4466         if (selinux_policycap_netpeer)
4467                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4468                         return NF_DROP;
4469
4470         return NF_ACCEPT;
4471 }
4472
4473 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4474                                          u16 family)
4475 {
4476         u32 secmark_perm;
4477         u32 peer_sid;
4478         struct sock *sk;
4479         struct avc_audit_data ad;
4480         char *addrp;
4481         u8 proto;
4482         u8 secmark_active;
4483         u8 peerlbl_active;
4484
4485         AVC_AUDIT_DATA_INIT(&ad, NET);
4486         ad.u.net.netif = ifindex;
4487         ad.u.net.family = family;
4488         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4489                 return NF_DROP;
4490
4491         /* If any sort of compatibility mode is enabled then handoff processing
4492          * to the selinux_ip_postroute_compat() function to deal with the
4493          * special handling.  We do this in an attempt to keep this function
4494          * as fast and as clean as possible. */
4495         if (selinux_compat_net || !selinux_policycap_netpeer)
4496                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4497                                                    family, addrp, proto);
4498
4499         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4500          * packet transformation so allow the packet to pass without any checks
4501          * since we'll have another chance to perform access control checks
4502          * when the packet is on it's final way out.
4503          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4504          *       is NULL, in this case go ahead and apply access control. */
4505         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4506                 return NF_ACCEPT;
4507
4508         secmark_active = selinux_secmark_enabled();
4509         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4510         if (!secmark_active && !peerlbl_active)
4511                 return NF_ACCEPT;
4512
4513         /* if the packet is locally generated (skb->sk != NULL) then use the
4514          * socket's label as the peer label, otherwise the packet is being
4515          * forwarded through this system and we need to fetch the peer label
4516          * directly from the packet */
4517         sk = skb->sk;
4518         if (sk) {
4519                 struct sk_security_struct *sksec = sk->sk_security;
4520                 peer_sid = sksec->sid;
4521                 secmark_perm = PACKET__SEND;
4522         } else {
4523                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4524                                 return NF_DROP;
4525                 secmark_perm = PACKET__FORWARD_OUT;
4526         }
4527
4528         if (secmark_active)
4529                 if (avc_has_perm(peer_sid, skb->secmark,
4530                                  SECCLASS_PACKET, secmark_perm, &ad))
4531                         return NF_DROP;
4532
4533         if (peerlbl_active) {
4534                 u32 if_sid;
4535                 u32 node_sid;
4536
4537                 if (sel_netif_sid(ifindex, &if_sid))
4538                         return NF_DROP;
4539                 if (avc_has_perm(peer_sid, if_sid,
4540                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4541                         return NF_DROP;
4542
4543                 if (sel_netnode_sid(addrp, family, &node_sid))
4544                         return NF_DROP;
4545                 if (avc_has_perm(peer_sid, node_sid,
4546                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4547                         return NF_DROP;
4548         }
4549
4550         return NF_ACCEPT;
4551 }
4552
4553 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4554                                            struct sk_buff *skb,
4555                                            const struct net_device *in,
4556                                            const struct net_device *out,
4557                                            int (*okfn)(struct sk_buff *))
4558 {
4559         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4560 }
4561
4562 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4563 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4564                                            struct sk_buff *skb,
4565                                            const struct net_device *in,
4566                                            const struct net_device *out,
4567                                            int (*okfn)(struct sk_buff *))
4568 {
4569         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4570 }
4571 #endif  /* IPV6 */
4572
4573 #endif  /* CONFIG_NETFILTER */
4574
4575 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4576 {
4577         int err;
4578
4579         err = secondary_ops->netlink_send(sk, skb);
4580         if (err)
4581                 return err;
4582
4583         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4584                 err = selinux_nlmsg_perm(sk, skb);
4585
4586         return err;
4587 }
4588
4589 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4590 {
4591         int err;
4592         struct avc_audit_data ad;
4593
4594         err = secondary_ops->netlink_recv(skb, capability);
4595         if (err)
4596                 return err;
4597
4598         AVC_AUDIT_DATA_INIT(&ad, CAP);
4599         ad.u.cap = capability;
4600
4601         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4602                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4603 }
4604
4605 static int ipc_alloc_security(struct task_struct *task,
4606                               struct kern_ipc_perm *perm,
4607                               u16 sclass)
4608 {
4609         struct task_security_struct *tsec = task->security;
4610         struct ipc_security_struct *isec;
4611
4612         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4613         if (!isec)
4614                 return -ENOMEM;
4615
4616         isec->sclass = sclass;
4617         isec->sid = tsec->sid;
4618         perm->security = isec;
4619
4620         return 0;
4621 }
4622
4623 static void ipc_free_security(struct kern_ipc_perm *perm)
4624 {
4625         struct ipc_security_struct *isec = perm->security;
4626         perm->security = NULL;
4627         kfree(isec);
4628 }
4629
4630 static int msg_msg_alloc_security(struct msg_msg *msg)
4631 {
4632         struct msg_security_struct *msec;
4633
4634         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4635         if (!msec)
4636                 return -ENOMEM;
4637
4638         msec->sid = SECINITSID_UNLABELED;
4639         msg->security = msec;
4640
4641         return 0;
4642 }
4643
4644 static void msg_msg_free_security(struct msg_msg *msg)
4645 {
4646         struct msg_security_struct *msec = msg->security;
4647
4648         msg->security = NULL;
4649         kfree(msec);
4650 }
4651
4652 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4653                         u32 perms)
4654 {
4655         struct task_security_struct *tsec;
4656         struct ipc_security_struct *isec;
4657         struct avc_audit_data ad;
4658
4659         tsec = current->security;
4660         isec = ipc_perms->security;
4661
4662         AVC_AUDIT_DATA_INIT(&ad, IPC);
4663         ad.u.ipc_id = ipc_perms->key;
4664
4665         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4666 }
4667
4668 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4669 {
4670         return msg_msg_alloc_security(msg);
4671 }
4672
4673 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4674 {
4675         msg_msg_free_security(msg);
4676 }
4677
4678 /* message queue security operations */
4679 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4680 {
4681         struct task_security_struct *tsec;
4682         struct ipc_security_struct *isec;
4683         struct avc_audit_data ad;
4684         int rc;
4685
4686         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4687         if (rc)
4688                 return rc;
4689
4690         tsec = current->security;
4691         isec = msq->q_perm.security;
4692
4693         AVC_AUDIT_DATA_INIT(&ad, IPC);
4694         ad.u.ipc_id = msq->q_perm.key;
4695
4696         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4697                           MSGQ__CREATE, &ad);
4698         if (rc) {
4699                 ipc_free_security(&msq->q_perm);
4700                 return rc;
4701         }
4702         return 0;
4703 }
4704
4705 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4706 {
4707         ipc_free_security(&msq->q_perm);
4708 }
4709
4710 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4711 {
4712         struct task_security_struct *tsec;
4713         struct ipc_security_struct *isec;
4714         struct avc_audit_data ad;
4715
4716         tsec = current->security;
4717         isec = msq->q_perm.security;
4718
4719         AVC_AUDIT_DATA_INIT(&ad, IPC);
4720         ad.u.ipc_id = msq->q_perm.key;
4721
4722         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4723                             MSGQ__ASSOCIATE, &ad);
4724 }
4725
4726 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4727 {
4728         int err;
4729         int perms;
4730
4731         switch (cmd) {
4732         case IPC_INFO:
4733         case MSG_INFO:
4734                 /* No specific object, just general system-wide information. */
4735                 return task_has_system(current, SYSTEM__IPC_INFO);
4736         case IPC_STAT:
4737         case MSG_STAT:
4738                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4739                 break;
4740         case IPC_SET:
4741                 perms = MSGQ__SETATTR;
4742                 break;
4743         case IPC_RMID:
4744                 perms = MSGQ__DESTROY;
4745                 break;
4746         default:
4747                 return 0;
4748         }
4749
4750         err = ipc_has_perm(&msq->q_perm, perms);
4751         return err;
4752 }
4753
4754 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4755 {
4756         struct task_security_struct *tsec;
4757         struct ipc_security_struct *isec;
4758         struct msg_security_struct *msec;
4759         struct avc_audit_data ad;
4760         int rc;
4761
4762         tsec = current->security;
4763         isec = msq->q_perm.security;
4764         msec = msg->security;
4765
4766         /*
4767          * First time through, need to assign label to the message
4768          */
4769         if (msec->sid == SECINITSID_UNLABELED) {
4770                 /*
4771                  * Compute new sid based on current process and
4772                  * message queue this message will be stored in
4773                  */
4774                 rc = security_transition_sid(tsec->sid,
4775                                              isec->sid,
4776                                              SECCLASS_MSG,
4777                                              &msec->sid);
4778                 if (rc)
4779                         return rc;
4780         }
4781
4782         AVC_AUDIT_DATA_INIT(&ad, IPC);
4783         ad.u.ipc_id = msq->q_perm.key;
4784
4785         /* Can this process write to the queue? */
4786         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4787                           MSGQ__WRITE, &ad);
4788         if (!rc)
4789                 /* Can this process send the message */
4790                 rc = avc_has_perm(tsec->sid, msec->sid,
4791                                   SECCLASS_MSG, MSG__SEND, &ad);
4792         if (!rc)
4793                 /* Can the message be put in the queue? */
4794                 rc = avc_has_perm(msec->sid, isec->sid,
4795                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4796
4797         return rc;
4798 }
4799
4800 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4801                                     struct task_struct *target,
4802                                     long type, int mode)
4803 {
4804         struct task_security_struct *tsec;
4805         struct ipc_security_struct *isec;
4806         struct msg_security_struct *msec;
4807         struct avc_audit_data ad;
4808         int rc;
4809
4810         tsec = target->security;
4811         isec = msq->q_perm.security;
4812         msec = msg->security;
4813
4814         AVC_AUDIT_DATA_INIT(&ad, IPC);
4815         ad.u.ipc_id = msq->q_perm.key;
4816
4817         rc = avc_has_perm(tsec->sid, isec->sid,
4818                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4819         if (!rc)
4820                 rc = avc_has_perm(tsec->sid, msec->sid,
4821                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4822         return rc;
4823 }
4824
4825 /* Shared Memory security operations */
4826 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4827 {
4828         struct task_security_struct *tsec;
4829         struct ipc_security_struct *isec;
4830         struct avc_audit_data ad;
4831         int rc;
4832
4833         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4834         if (rc)
4835                 return rc;
4836
4837         tsec = current->security;
4838         isec = shp->shm_perm.security;
4839
4840         AVC_AUDIT_DATA_INIT(&ad, IPC);
4841         ad.u.ipc_id = shp->shm_perm.key;
4842
4843         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4844                           SHM__CREATE, &ad);
4845         if (rc) {
4846                 ipc_free_security(&shp->shm_perm);
4847                 return rc;
4848         }
4849         return 0;
4850 }
4851
4852 static void selinux_shm_free_security(struct shmid_kernel *shp)
4853 {
4854         ipc_free_security(&shp->shm_perm);
4855 }
4856
4857 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4858 {
4859         struct task_security_struct *tsec;
4860         struct ipc_security_struct *isec;
4861         struct avc_audit_data ad;
4862
4863         tsec = current->security;
4864         isec = shp->shm_perm.security;
4865
4866         AVC_AUDIT_DATA_INIT(&ad, IPC);
4867         ad.u.ipc_id = shp->shm_perm.key;
4868
4869         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4870                             SHM__ASSOCIATE, &ad);
4871 }
4872
4873 /* Note, at this point, shp is locked down */
4874 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4875 {
4876         int perms;
4877         int err;
4878
4879         switch (cmd) {
4880         case IPC_INFO:
4881         case SHM_INFO:
4882                 /* No specific object, just general system-wide information. */
4883                 return task_has_system(current, SYSTEM__IPC_INFO);
4884         case IPC_STAT:
4885         case SHM_STAT:
4886                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4887                 break;
4888         case IPC_SET:
4889                 perms = SHM__SETATTR;
4890                 break;
4891         case SHM_LOCK:
4892         case SHM_UNLOCK:
4893                 perms = SHM__LOCK;
4894                 break;
4895         case IPC_RMID:
4896                 perms = SHM__DESTROY;
4897                 break;
4898         default:
4899                 return 0;
4900         }
4901
4902         err = ipc_has_perm(&shp->shm_perm, perms);
4903         return err;
4904 }
4905
4906 static int selinux_shm_shmat(struct shmid_kernel *shp,
4907                              char __user *shmaddr, int shmflg)
4908 {
4909         u32 perms;
4910         int rc;
4911
4912         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4913         if (rc)
4914                 return rc;
4915
4916         if (shmflg & SHM_RDONLY)
4917                 perms = SHM__READ;
4918         else
4919                 perms = SHM__READ | SHM__WRITE;
4920
4921         return ipc_has_perm(&shp->shm_perm, perms);
4922 }
4923
4924 /* Semaphore security operations */
4925 static int selinux_sem_alloc_security(struct sem_array *sma)
4926 {
4927         struct task_security_struct *tsec;
4928         struct ipc_security_struct *isec;
4929         struct avc_audit_data ad;
4930         int rc;
4931
4932         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4933         if (rc)
4934                 return rc;
4935
4936         tsec = current->security;
4937         isec = sma->sem_perm.security;
4938
4939         AVC_AUDIT_DATA_INIT(&ad, IPC);
4940         ad.u.ipc_id = sma->sem_perm.key;
4941
4942         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4943                           SEM__CREATE, &ad);
4944         if (rc) {
4945                 ipc_free_security(&sma->sem_perm);
4946                 return rc;
4947         }
4948         return 0;
4949 }
4950
4951 static void selinux_sem_free_security(struct sem_array *sma)
4952 {
4953         ipc_free_security(&sma->sem_perm);
4954 }
4955
4956 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4957 {
4958         struct task_security_struct *tsec;
4959         struct ipc_security_struct *isec;
4960         struct avc_audit_data ad;
4961
4962         tsec = current->security;
4963         isec = sma->sem_perm.security;
4964
4965         AVC_AUDIT_DATA_INIT(&ad, IPC);
4966         ad.u.ipc_id = sma->sem_perm.key;
4967
4968         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4969                             SEM__ASSOCIATE, &ad);
4970 }
4971
4972 /* Note, at this point, sma is locked down */
4973 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4974 {
4975         int err;
4976         u32 perms;
4977
4978         switch (cmd) {
4979         case IPC_INFO:
4980         case SEM_INFO:
4981                 /* No specific object, just general system-wide information. */
4982                 return task_has_system(current, SYSTEM__IPC_INFO);
4983         case GETPID:
4984         case GETNCNT:
4985         case GETZCNT:
4986                 perms = SEM__GETATTR;
4987                 break;
4988         case GETVAL:
4989         case GETALL:
4990                 perms = SEM__READ;
4991                 break;
4992         case SETVAL:
4993         case SETALL:
4994                 perms = SEM__WRITE;
4995                 break;
4996         case IPC_RMID:
4997                 perms = SEM__DESTROY;
4998                 break;
4999         case IPC_SET:
5000                 perms = SEM__SETATTR;
5001                 break;
5002         case IPC_STAT:
5003         case SEM_STAT:
5004                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5005                 break;
5006         default:
5007                 return 0;
5008         }
5009
5010         err = ipc_has_perm(&sma->sem_perm, perms);
5011         return err;
5012 }
5013
5014 static int selinux_sem_semop(struct sem_array *sma,
5015                              struct sembuf *sops, unsigned nsops, int alter)
5016 {
5017         u32 perms;
5018
5019         if (alter)
5020                 perms = SEM__READ | SEM__WRITE;
5021         else
5022                 perms = SEM__READ;
5023
5024         return ipc_has_perm(&sma->sem_perm, perms);
5025 }
5026
5027 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5028 {
5029         u32 av = 0;
5030
5031         av = 0;
5032         if (flag & S_IRUGO)
5033                 av |= IPC__UNIX_READ;
5034         if (flag & S_IWUGO)
5035                 av |= IPC__UNIX_WRITE;
5036
5037         if (av == 0)
5038                 return 0;
5039
5040         return ipc_has_perm(ipcp, av);
5041 }
5042
5043 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5044 {
5045         struct ipc_security_struct *isec = ipcp->security;
5046         *secid = isec->sid;
5047 }
5048
5049 /* module stacking operations */
5050 static int selinux_register_security(const char *name, struct security_operations *ops)
5051 {
5052         if (secondary_ops != original_ops) {
5053                 printk(KERN_ERR "%s:  There is already a secondary security "
5054                        "module registered.\n", __func__);
5055                 return -EINVAL;
5056         }
5057
5058         secondary_ops = ops;
5059
5060         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5061                __func__,
5062                name);
5063
5064         return 0;
5065 }
5066
5067 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5068 {
5069         if (inode)
5070                 inode_doinit_with_dentry(inode, dentry);
5071 }
5072
5073 static int selinux_getprocattr(struct task_struct *p,
5074                                char *name, char **value)
5075 {
5076         struct task_security_struct *tsec;
5077         u32 sid;
5078         int error;
5079         unsigned len;
5080
5081         if (current != p) {
5082                 error = task_has_perm(current, p, PROCESS__GETATTR);
5083                 if (error)
5084                         return error;
5085         }
5086
5087         tsec = p->security;
5088
5089         if (!strcmp(name, "current"))
5090                 sid = tsec->sid;
5091         else if (!strcmp(name, "prev"))
5092                 sid = tsec->osid;
5093         else if (!strcmp(name, "exec"))
5094                 sid = tsec->exec_sid;
5095         else if (!strcmp(name, "fscreate"))
5096                 sid = tsec->create_sid;
5097         else if (!strcmp(name, "keycreate"))
5098                 sid = tsec->keycreate_sid;
5099         else if (!strcmp(name, "sockcreate"))
5100                 sid = tsec->sockcreate_sid;
5101         else
5102                 return -EINVAL;
5103
5104         if (!sid)
5105                 return 0;
5106
5107         error = security_sid_to_context(sid, value, &len);
5108         if (error)
5109                 return error;
5110         return len;
5111 }
5112
5113 static int selinux_setprocattr(struct task_struct *p,
5114                                char *name, void *value, size_t size)
5115 {
5116         struct task_security_struct *tsec;
5117         struct task_struct *tracer;
5118         u32 sid = 0;
5119         int error;
5120         char *str = value;
5121
5122         if (current != p) {
5123                 /* SELinux only allows a process to change its own
5124                    security attributes. */
5125                 return -EACCES;
5126         }
5127
5128         /*
5129          * Basic control over ability to set these attributes at all.
5130          * current == p, but we'll pass them separately in case the
5131          * above restriction is ever removed.
5132          */
5133         if (!strcmp(name, "exec"))
5134                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5135         else if (!strcmp(name, "fscreate"))
5136                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5137         else if (!strcmp(name, "keycreate"))
5138                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5139         else if (!strcmp(name, "sockcreate"))
5140                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5141         else if (!strcmp(name, "current"))
5142                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5143         else
5144                 error = -EINVAL;
5145         if (error)
5146                 return error;
5147
5148         /* Obtain a SID for the context, if one was specified. */
5149         if (size && str[1] && str[1] != '\n') {
5150                 if (str[size-1] == '\n') {
5151                         str[size-1] = 0;
5152                         size--;
5153                 }
5154                 error = security_context_to_sid(value, size, &sid);
5155                 if (error)
5156                         return error;
5157         }
5158
5159         /* Permission checking based on the specified context is
5160            performed during the actual operation (execve,
5161            open/mkdir/...), when we know the full context of the
5162            operation.  See selinux_bprm_set_security for the execve
5163            checks and may_create for the file creation checks. The
5164            operation will then fail if the context is not permitted. */
5165         tsec = p->security;
5166         if (!strcmp(name, "exec"))
5167                 tsec->exec_sid = sid;
5168         else if (!strcmp(name, "fscreate"))
5169                 tsec->create_sid = sid;
5170         else if (!strcmp(name, "keycreate")) {
5171                 error = may_create_key(sid, p);
5172                 if (error)
5173                         return error;
5174                 tsec->keycreate_sid = sid;
5175         } else if (!strcmp(name, "sockcreate"))
5176                 tsec->sockcreate_sid = sid;
5177         else if (!strcmp(name, "current")) {
5178                 struct av_decision avd;
5179
5180                 if (sid == 0)
5181                         return -EINVAL;
5182
5183                 /* Only allow single threaded processes to change context */
5184                 if (atomic_read(&p->mm->mm_users) != 1) {
5185                         struct task_struct *g, *t;
5186                         struct mm_struct *mm = p->mm;
5187                         read_lock(&tasklist_lock);
5188                         do_each_thread(g, t)
5189                                 if (t->mm == mm && t != p) {
5190                                         read_unlock(&tasklist_lock);
5191                                         return -EPERM;
5192                                 }
5193                         while_each_thread(g, t);
5194                         read_unlock(&tasklist_lock);
5195                 }
5196
5197                 /* Check permissions for the transition. */
5198                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5199                                      PROCESS__DYNTRANSITION, NULL);
5200                 if (error)
5201                         return error;
5202
5203                 /* Check for ptracing, and update the task SID if ok.
5204                    Otherwise, leave SID unchanged and fail. */
5205                 task_lock(p);
5206                 rcu_read_lock();
5207                 tracer = task_tracer_task(p);
5208                 if (tracer != NULL) {
5209                         struct task_security_struct *ptsec = tracer->security;
5210                         u32 ptsid = ptsec->sid;
5211                         rcu_read_unlock();
5212                         error = avc_has_perm_noaudit(ptsid, sid,
5213                                                      SECCLASS_PROCESS,
5214                                                      PROCESS__PTRACE, 0, &avd);
5215                         if (!error)
5216                                 tsec->sid = sid;
5217                         task_unlock(p);
5218                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5219                                   PROCESS__PTRACE, &avd, error, NULL);
5220                         if (error)
5221                                 return error;
5222                 } else {
5223                         rcu_read_unlock();
5224                         tsec->sid = sid;
5225                         task_unlock(p);
5226                 }
5227         } else
5228                 return -EINVAL;
5229
5230         return size;
5231 }
5232
5233 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5234 {
5235         return security_sid_to_context(secid, secdata, seclen);
5236 }
5237
5238 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5239 {
5240         return security_context_to_sid(secdata, seclen, secid);
5241 }
5242
5243 static void selinux_release_secctx(char *secdata, u32 seclen)
5244 {
5245         kfree(secdata);
5246 }
5247
5248 #ifdef CONFIG_KEYS
5249
5250 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5251                              unsigned long flags)
5252 {
5253         struct task_security_struct *tsec = tsk->security;
5254         struct key_security_struct *ksec;
5255
5256         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5257         if (!ksec)
5258                 return -ENOMEM;
5259
5260         if (tsec->keycreate_sid)
5261                 ksec->sid = tsec->keycreate_sid;
5262         else
5263                 ksec->sid = tsec->sid;
5264         k->security = ksec;
5265
5266         return 0;
5267 }
5268
5269 static void selinux_key_free(struct key *k)
5270 {
5271         struct key_security_struct *ksec = k->security;
5272
5273         k->security = NULL;
5274         kfree(ksec);
5275 }
5276
5277 static int selinux_key_permission(key_ref_t key_ref,
5278                             struct task_struct *ctx,
5279                             key_perm_t perm)
5280 {
5281         struct key *key;
5282         struct task_security_struct *tsec;
5283         struct key_security_struct *ksec;
5284
5285         key = key_ref_to_ptr(key_ref);
5286
5287         tsec = ctx->security;
5288         ksec = key->security;
5289
5290         /* if no specific permissions are requested, we skip the
5291            permission check. No serious, additional covert channels
5292            appear to be created. */
5293         if (perm == 0)
5294                 return 0;
5295
5296         return avc_has_perm(tsec->sid, ksec->sid,
5297                             SECCLASS_KEY, perm, NULL);
5298 }
5299
5300 #endif
5301
5302 static struct security_operations selinux_ops = {
5303         .name =                         "selinux",
5304
5305         .ptrace =                       selinux_ptrace,
5306         .capget =                       selinux_capget,
5307         .capset_check =                 selinux_capset_check,
5308         .capset_set =                   selinux_capset_set,
5309         .sysctl =                       selinux_sysctl,
5310         .capable =                      selinux_capable,
5311         .quotactl =                     selinux_quotactl,
5312         .quota_on =                     selinux_quota_on,
5313         .syslog =                       selinux_syslog,
5314         .vm_enough_memory =             selinux_vm_enough_memory,
5315
5316         .netlink_send =                 selinux_netlink_send,
5317         .netlink_recv =                 selinux_netlink_recv,
5318
5319         .bprm_alloc_security =          selinux_bprm_alloc_security,
5320         .bprm_free_security =           selinux_bprm_free_security,
5321         .bprm_apply_creds =             selinux_bprm_apply_creds,
5322         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5323         .bprm_set_security =            selinux_bprm_set_security,
5324         .bprm_check_security =          selinux_bprm_check_security,
5325         .bprm_secureexec =              selinux_bprm_secureexec,
5326
5327         .sb_alloc_security =            selinux_sb_alloc_security,
5328         .sb_free_security =             selinux_sb_free_security,
5329         .sb_copy_data =                 selinux_sb_copy_data,
5330         .sb_kern_mount =                selinux_sb_kern_mount,
5331         .sb_statfs =                    selinux_sb_statfs,
5332         .sb_mount =                     selinux_mount,
5333         .sb_umount =                    selinux_umount,
5334         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5335         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5336         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5337         .sb_parse_opts_str =            selinux_parse_opts_str,
5338
5339
5340         .inode_alloc_security =         selinux_inode_alloc_security,
5341         .inode_free_security =          selinux_inode_free_security,
5342         .inode_init_security =          selinux_inode_init_security,
5343         .inode_create =                 selinux_inode_create,
5344         .inode_link =                   selinux_inode_link,
5345         .inode_unlink =                 selinux_inode_unlink,
5346         .inode_symlink =                selinux_inode_symlink,
5347         .inode_mkdir =                  selinux_inode_mkdir,
5348         .inode_rmdir =                  selinux_inode_rmdir,
5349         .inode_mknod =                  selinux_inode_mknod,
5350         .inode_rename =                 selinux_inode_rename,
5351         .inode_readlink =               selinux_inode_readlink,
5352         .inode_follow_link =            selinux_inode_follow_link,
5353         .inode_permission =             selinux_inode_permission,
5354         .inode_setattr =                selinux_inode_setattr,
5355         .inode_getattr =                selinux_inode_getattr,
5356         .inode_setxattr =               selinux_inode_setxattr,
5357         .inode_post_setxattr =          selinux_inode_post_setxattr,
5358         .inode_getxattr =               selinux_inode_getxattr,
5359         .inode_listxattr =              selinux_inode_listxattr,
5360         .inode_removexattr =            selinux_inode_removexattr,
5361         .inode_getsecurity =            selinux_inode_getsecurity,
5362         .inode_setsecurity =            selinux_inode_setsecurity,
5363         .inode_listsecurity =           selinux_inode_listsecurity,
5364         .inode_need_killpriv =          selinux_inode_need_killpriv,
5365         .inode_killpriv =               selinux_inode_killpriv,
5366         .inode_getsecid =               selinux_inode_getsecid,
5367
5368         .file_permission =              selinux_file_permission,
5369         .file_alloc_security =          selinux_file_alloc_security,
5370         .file_free_security =           selinux_file_free_security,
5371         .file_ioctl =                   selinux_file_ioctl,
5372         .file_mmap =                    selinux_file_mmap,
5373         .file_mprotect =                selinux_file_mprotect,
5374         .file_lock =                    selinux_file_lock,
5375         .file_fcntl =                   selinux_file_fcntl,
5376         .file_set_fowner =              selinux_file_set_fowner,
5377         .file_send_sigiotask =          selinux_file_send_sigiotask,
5378         .file_receive =                 selinux_file_receive,
5379
5380         .dentry_open =                  selinux_dentry_open,
5381
5382         .task_create =                  selinux_task_create,
5383         .task_alloc_security =          selinux_task_alloc_security,
5384         .task_free_security =           selinux_task_free_security,
5385         .task_setuid =                  selinux_task_setuid,
5386         .task_post_setuid =             selinux_task_post_setuid,
5387         .task_setgid =                  selinux_task_setgid,
5388         .task_setpgid =                 selinux_task_setpgid,
5389         .task_getpgid =                 selinux_task_getpgid,
5390         .task_getsid =                  selinux_task_getsid,
5391         .task_getsecid =                selinux_task_getsecid,
5392         .task_setgroups =               selinux_task_setgroups,
5393         .task_setnice =                 selinux_task_setnice,
5394         .task_setioprio =               selinux_task_setioprio,
5395         .task_getioprio =               selinux_task_getioprio,
5396         .task_setrlimit =               selinux_task_setrlimit,
5397         .task_setscheduler =            selinux_task_setscheduler,
5398         .task_getscheduler =            selinux_task_getscheduler,
5399         .task_movememory =              selinux_task_movememory,
5400         .task_kill =                    selinux_task_kill,
5401         .task_wait =                    selinux_task_wait,
5402         .task_prctl =                   selinux_task_prctl,
5403         .task_reparent_to_init =        selinux_task_reparent_to_init,
5404         .task_to_inode =                selinux_task_to_inode,
5405
5406         .ipc_permission =               selinux_ipc_permission,
5407         .ipc_getsecid =                 selinux_ipc_getsecid,
5408
5409         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5410         .msg_msg_free_security =        selinux_msg_msg_free_security,
5411
5412         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5413         .msg_queue_free_security =      selinux_msg_queue_free_security,
5414         .msg_queue_associate =          selinux_msg_queue_associate,
5415         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5416         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5417         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5418
5419         .shm_alloc_security =           selinux_shm_alloc_security,
5420         .shm_free_security =            selinux_shm_free_security,
5421         .shm_associate =                selinux_shm_associate,
5422         .shm_shmctl =                   selinux_shm_shmctl,
5423         .shm_shmat =                    selinux_shm_shmat,
5424
5425         .sem_alloc_security =           selinux_sem_alloc_security,
5426         .sem_free_security =            selinux_sem_free_security,
5427         .sem_associate =                selinux_sem_associate,
5428         .sem_semctl =                   selinux_sem_semctl,
5429         .sem_semop =                    selinux_sem_semop,
5430
5431         .register_security =            selinux_register_security,
5432
5433         .d_instantiate =                selinux_d_instantiate,
5434
5435         .getprocattr =                  selinux_getprocattr,
5436         .setprocattr =                  selinux_setprocattr,
5437
5438         .secid_to_secctx =              selinux_secid_to_secctx,
5439         .secctx_to_secid =              selinux_secctx_to_secid,
5440         .release_secctx =               selinux_release_secctx,
5441
5442         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5443         .unix_may_send =                selinux_socket_unix_may_send,
5444
5445         .socket_create =                selinux_socket_create,
5446         .socket_post_create =           selinux_socket_post_create,
5447         .socket_bind =                  selinux_socket_bind,
5448         .socket_connect =               selinux_socket_connect,
5449         .socket_listen =                selinux_socket_listen,
5450         .socket_accept =                selinux_socket_accept,
5451         .socket_sendmsg =               selinux_socket_sendmsg,
5452         .socket_recvmsg =               selinux_socket_recvmsg,
5453         .socket_getsockname =           selinux_socket_getsockname,
5454         .socket_getpeername =           selinux_socket_getpeername,
5455         .socket_getsockopt =            selinux_socket_getsockopt,
5456         .socket_setsockopt =            selinux_socket_setsockopt,
5457         .socket_shutdown =              selinux_socket_shutdown,
5458         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5459         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5460         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5461         .sk_alloc_security =            selinux_sk_alloc_security,
5462         .sk_free_security =             selinux_sk_free_security,
5463         .sk_clone_security =            selinux_sk_clone_security,
5464         .sk_getsecid =                  selinux_sk_getsecid,
5465         .sock_graft =                   selinux_sock_graft,
5466         .inet_conn_request =            selinux_inet_conn_request,
5467         .inet_csk_clone =               selinux_inet_csk_clone,
5468         .inet_conn_established =        selinux_inet_conn_established,
5469         .req_classify_flow =            selinux_req_classify_flow,
5470
5471 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5472         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5473         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5474         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5475         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5476         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5477         .xfrm_state_free_security =     selinux_xfrm_state_free,
5478         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5479         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5480         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5481         .xfrm_decode_session =          selinux_xfrm_decode_session,
5482 #endif
5483
5484 #ifdef CONFIG_KEYS
5485         .key_alloc =                    selinux_key_alloc,
5486         .key_free =                     selinux_key_free,
5487         .key_permission =               selinux_key_permission,
5488 #endif
5489
5490 #ifdef CONFIG_AUDIT
5491         .audit_rule_init =              selinux_audit_rule_init,
5492         .audit_rule_known =             selinux_audit_rule_known,
5493         .audit_rule_match =             selinux_audit_rule_match,
5494         .audit_rule_free =              selinux_audit_rule_free,
5495 #endif
5496 };
5497
5498 static __init int selinux_init(void)
5499 {
5500         struct task_security_struct *tsec;
5501
5502         if (!security_module_enable(&selinux_ops)) {
5503                 selinux_enabled = 0;
5504                 return 0;
5505         }
5506
5507         if (!selinux_enabled) {
5508                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5509                 return 0;
5510         }
5511
5512         printk(KERN_INFO "SELinux:  Initializing.\n");
5513
5514         /* Set the security state for the initial task. */
5515         if (task_alloc_security(current))
5516                 panic("SELinux:  Failed to initialize initial task.\n");
5517         tsec = current->security;
5518         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5519
5520         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5521                                             sizeof(struct inode_security_struct),
5522                                             0, SLAB_PANIC, NULL);
5523         avc_init();
5524
5525         original_ops = secondary_ops = security_ops;
5526         if (!secondary_ops)
5527                 panic("SELinux: No initial security operations\n");
5528         if (register_security(&selinux_ops))
5529                 panic("SELinux: Unable to register with kernel.\n");
5530
5531         if (selinux_enforcing)
5532                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5533         else
5534                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5535
5536 #ifdef CONFIG_KEYS
5537         /* Add security information to initial keyrings */
5538         selinux_key_alloc(&root_user_keyring, current,
5539                           KEY_ALLOC_NOT_IN_QUOTA);
5540         selinux_key_alloc(&root_session_keyring, current,
5541                           KEY_ALLOC_NOT_IN_QUOTA);
5542 #endif
5543
5544         return 0;
5545 }
5546
5547 void selinux_complete_init(void)
5548 {
5549         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5550
5551         /* Set up any superblocks initialized prior to the policy load. */
5552         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5553         spin_lock(&sb_lock);
5554         spin_lock(&sb_security_lock);
5555 next_sb:
5556         if (!list_empty(&superblock_security_head)) {
5557                 struct superblock_security_struct *sbsec =
5558                                 list_entry(superblock_security_head.next,
5559                                            struct superblock_security_struct,
5560                                            list);
5561                 struct super_block *sb = sbsec->sb;
5562                 sb->s_count++;
5563                 spin_unlock(&sb_security_lock);
5564                 spin_unlock(&sb_lock);
5565                 down_read(&sb->s_umount);
5566                 if (sb->s_root)
5567                         superblock_doinit(sb, NULL);
5568                 drop_super(sb);
5569                 spin_lock(&sb_lock);
5570                 spin_lock(&sb_security_lock);
5571                 list_del_init(&sbsec->list);
5572                 goto next_sb;
5573         }
5574         spin_unlock(&sb_security_lock);
5575         spin_unlock(&sb_lock);
5576 }
5577
5578 /* SELinux requires early initialization in order to label
5579    all processes and objects when they are created. */
5580 security_initcall(selinux_init);
5581
5582 #if defined(CONFIG_NETFILTER)
5583
5584 static struct nf_hook_ops selinux_ipv4_ops[] = {
5585         {
5586                 .hook =         selinux_ipv4_postroute,
5587                 .owner =        THIS_MODULE,
5588                 .pf =           PF_INET,
5589                 .hooknum =      NF_INET_POST_ROUTING,
5590                 .priority =     NF_IP_PRI_SELINUX_LAST,
5591         },
5592         {
5593                 .hook =         selinux_ipv4_forward,
5594                 .owner =        THIS_MODULE,
5595                 .pf =           PF_INET,
5596                 .hooknum =      NF_INET_FORWARD,
5597                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5598         }
5599 };
5600
5601 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5602
5603 static struct nf_hook_ops selinux_ipv6_ops[] = {
5604         {
5605                 .hook =         selinux_ipv6_postroute,
5606                 .owner =        THIS_MODULE,
5607                 .pf =           PF_INET6,
5608                 .hooknum =      NF_INET_POST_ROUTING,
5609                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5610         },
5611         {
5612                 .hook =         selinux_ipv6_forward,
5613                 .owner =        THIS_MODULE,
5614                 .pf =           PF_INET6,
5615                 .hooknum =      NF_INET_FORWARD,
5616                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5617         }
5618 };
5619
5620 #endif  /* IPV6 */
5621
5622 static int __init selinux_nf_ip_init(void)
5623 {
5624         int err = 0;
5625         u32 iter;
5626
5627         if (!selinux_enabled)
5628                 goto out;
5629
5630         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5631
5632         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5633                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5634                 if (err)
5635                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5636                               err);
5637         }
5638
5639 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5640         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5641                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5642                 if (err)
5643                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5644                               err);
5645         }
5646 #endif  /* IPV6 */
5647
5648 out:
5649         return err;
5650 }
5651
5652 __initcall(selinux_nf_ip_init);
5653
5654 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5655 static void selinux_nf_ip_exit(void)
5656 {
5657         u32 iter;
5658
5659         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5660
5661         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5662                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5663 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5664         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5665                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5666 #endif  /* IPV6 */
5667 }
5668 #endif
5669
5670 #else /* CONFIG_NETFILTER */
5671
5672 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5673 #define selinux_nf_ip_exit()
5674 #endif
5675
5676 #endif /* CONFIG_NETFILTER */
5677
5678 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5679 static int selinux_disabled;
5680
5681 int selinux_disable(void)
5682 {
5683         extern void exit_sel_fs(void);
5684
5685         if (ss_initialized) {
5686                 /* Not permitted after initial policy load. */
5687                 return -EINVAL;
5688         }
5689
5690         if (selinux_disabled) {
5691                 /* Only do this once. */
5692                 return -EINVAL;
5693         }
5694
5695         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5696
5697         selinux_disabled = 1;
5698         selinux_enabled = 0;
5699
5700         /* Reset security_ops to the secondary module, dummy or capability. */
5701         security_ops = secondary_ops;
5702
5703         /* Unregister netfilter hooks. */
5704         selinux_nf_ip_exit();
5705
5706         /* Unregister selinuxfs. */
5707         exit_sel_fs();
5708
5709         return 0;
5710 }
5711 #endif