]> err.no Git - linux-2.6/blob - security/selinux/hooks.c
Merge branches 'release', 'acpica', 'bugzilla-10224', 'bugzilla-9772', 'bugzilla...
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         selinux_enforcing = simple_strtol(str, NULL, 0);
107         return 1;
108 }
109 __setup("enforcing=", enforcing_setup);
110 #endif
111
112 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
113 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114
115 static int __init selinux_enabled_setup(char *str)
116 {
117         selinux_enabled = simple_strtol(str, NULL, 0);
118         return 1;
119 }
120 __setup("selinux=", selinux_enabled_setup);
121 #else
122 int selinux_enabled = 1;
123 #endif
124
125 /* Original (dummy) security module. */
126 static struct security_operations *original_ops;
127
128 /* Minimal support for a secondary security module,
129    just to allow the use of the dummy or capability modules.
130    The owlsm module can alternatively be used as a secondary
131    module as long as CONFIG_OWLSM_FD is not enabled. */
132 static struct security_operations *secondary_ops;
133
134 /* Lists of inode and superblock security structures initialized
135    before the policy was loaded. */
136 static LIST_HEAD(superblock_security_head);
137 static DEFINE_SPINLOCK(sb_security_lock);
138
139 static struct kmem_cache *sel_inode_cache;
140
141 /**
142  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143  *
144  * Description:
145  * This function checks the SECMARK reference counter to see if any SECMARK
146  * targets are currently configured, if the reference counter is greater than
147  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
148  * enabled, false (0) if SECMARK is disabled.
149  *
150  */
151 static int selinux_secmark_enabled(void)
152 {
153         return (atomic_read(&selinux_secmark_refcount) > 0);
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160         struct task_security_struct *tsec;
161
162         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163         if (!tsec)
164                 return -ENOMEM;
165
166         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
167         task->security = tsec;
168
169         return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174         struct task_security_struct *tsec = task->security;
175         task->security = NULL;
176         kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181         struct task_security_struct *tsec = current->security;
182         struct inode_security_struct *isec;
183
184         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
185         if (!isec)
186                 return -ENOMEM;
187
188         mutex_init(&isec->lock);
189         INIT_LIST_HEAD(&isec->list);
190         isec->inode = inode;
191         isec->sid = SECINITSID_UNLABELED;
192         isec->sclass = SECCLASS_FILE;
193         isec->task_sid = tsec->sid;
194         inode->i_security = isec;
195
196         return 0;
197 }
198
199 static void inode_free_security(struct inode *inode)
200 {
201         struct inode_security_struct *isec = inode->i_security;
202         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
204         spin_lock(&sbsec->isec_lock);
205         if (!list_empty(&isec->list))
206                 list_del_init(&isec->list);
207         spin_unlock(&sbsec->isec_lock);
208
209         inode->i_security = NULL;
210         kmem_cache_free(sel_inode_cache, isec);
211 }
212
213 static int file_alloc_security(struct file *file)
214 {
215         struct task_security_struct *tsec = current->security;
216         struct file_security_struct *fsec;
217
218         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
219         if (!fsec)
220                 return -ENOMEM;
221
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         ssec->sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         selinux_netlbl_sk_security_reset(ssec, family);
283
284         return 0;
285 }
286
287 static void sk_free_security(struct sock *sk)
288 {
289         struct sk_security_struct *ssec = sk->sk_security;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296    any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302         "uses xattr",
303         "uses transition SIDs",
304         "uses task SIDs",
305         "uses genfs_contexts",
306         "not configured for labeling",
307         "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314         return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318         Opt_error = -1,
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 3,
322         Opt_rootcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, CONTEXT_STR "%s"},
327         {Opt_fscontext, FSCONTEXT_STR "%s"},
328         {Opt_defcontext, DEFCONTEXT_STR "%s"},
329         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
330         {Opt_error, NULL},
331 };
332
333 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
334
335 static int may_context_mount_sb_relabel(u32 sid,
336                         struct superblock_security_struct *sbsec,
337                         struct task_security_struct *tsec)
338 {
339         int rc;
340
341         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELFROM, NULL);
343         if (rc)
344                 return rc;
345
346         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELTO, NULL);
348         return rc;
349 }
350
351 static int may_context_mount_inode_relabel(u32 sid,
352                         struct superblock_security_struct *sbsec,
353                         struct task_security_struct *tsec)
354 {
355         int rc;
356         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__RELABELFROM, NULL);
358         if (rc)
359                 return rc;
360
361         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__ASSOCIATE, NULL);
363         return rc;
364 }
365
366 static int sb_finish_set_opts(struct super_block *sb)
367 {
368         struct superblock_security_struct *sbsec = sb->s_security;
369         struct dentry *root = sb->s_root;
370         struct inode *root_inode = root->d_inode;
371         int rc = 0;
372
373         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
374                 /* Make sure that the xattr handler exists and that no
375                    error other than -ENODATA is returned by getxattr on
376                    the root directory.  -ENODATA is ok, as this may be
377                    the first boot of the SELinux kernel before we have
378                    assigned xattr values to the filesystem. */
379                 if (!root_inode->i_op->getxattr) {
380                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
381                                "xattr support\n", sb->s_id, sb->s_type->name);
382                         rc = -EOPNOTSUPP;
383                         goto out;
384                 }
385                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
386                 if (rc < 0 && rc != -ENODATA) {
387                         if (rc == -EOPNOTSUPP)
388                                 printk(KERN_WARNING "SELinux: (dev %s, type "
389                                        "%s) has no security xattr handler\n",
390                                        sb->s_id, sb->s_type->name);
391                         else
392                                 printk(KERN_WARNING "SELinux: (dev %s, type "
393                                        "%s) getxattr errno %d\n", sb->s_id,
394                                        sb->s_type->name, -rc);
395                         goto out;
396                 }
397         }
398
399         sbsec->initialized = 1;
400
401         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
402                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
403                        sb->s_id, sb->s_type->name);
404         else
405                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
406                        sb->s_id, sb->s_type->name,
407                        labeling_behaviors[sbsec->behavior-1]);
408
409         /* Initialize the root inode. */
410         rc = inode_doinit_with_dentry(root_inode, root);
411
412         /* Initialize any other inodes associated with the superblock, e.g.
413            inodes created prior to initial policy load or inodes created
414            during get_sb by a pseudo filesystem that directly
415            populates itself. */
416         spin_lock(&sbsec->isec_lock);
417 next_inode:
418         if (!list_empty(&sbsec->isec_head)) {
419                 struct inode_security_struct *isec =
420                                 list_entry(sbsec->isec_head.next,
421                                            struct inode_security_struct, list);
422                 struct inode *inode = isec->inode;
423                 spin_unlock(&sbsec->isec_lock);
424                 inode = igrab(inode);
425                 if (inode) {
426                         if (!IS_PRIVATE(inode))
427                                 inode_doinit(inode);
428                         iput(inode);
429                 }
430                 spin_lock(&sbsec->isec_lock);
431                 list_del_init(&isec->list);
432                 goto next_inode;
433         }
434         spin_unlock(&sbsec->isec_lock);
435 out:
436         return rc;
437 }
438
439 /*
440  * This function should allow an FS to ask what it's mount security
441  * options were so it can use those later for submounts, displaying
442  * mount options, or whatever.
443  */
444 static int selinux_get_mnt_opts(const struct super_block *sb,
445                                 struct security_mnt_opts *opts)
446 {
447         int rc = 0, i;
448         struct superblock_security_struct *sbsec = sb->s_security;
449         char *context = NULL;
450         u32 len;
451         char tmp;
452
453         security_init_mnt_opts(opts);
454
455         if (!sbsec->initialized)
456                 return -EINVAL;
457
458         if (!ss_initialized)
459                 return -EINVAL;
460
461         /*
462          * if we ever use sbsec flags for anything other than tracking mount
463          * settings this is going to need a mask
464          */
465         tmp = sbsec->flags;
466         /* count the number of mount options for this sb */
467         for (i = 0; i < 8; i++) {
468                 if (tmp & 0x01)
469                         opts->num_mnt_opts++;
470                 tmp >>= 1;
471         }
472
473         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
474         if (!opts->mnt_opts) {
475                 rc = -ENOMEM;
476                 goto out_free;
477         }
478
479         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
480         if (!opts->mnt_opts_flags) {
481                 rc = -ENOMEM;
482                 goto out_free;
483         }
484
485         i = 0;
486         if (sbsec->flags & FSCONTEXT_MNT) {
487                 rc = security_sid_to_context(sbsec->sid, &context, &len);
488                 if (rc)
489                         goto out_free;
490                 opts->mnt_opts[i] = context;
491                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492         }
493         if (sbsec->flags & CONTEXT_MNT) {
494                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
495                 if (rc)
496                         goto out_free;
497                 opts->mnt_opts[i] = context;
498                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499         }
500         if (sbsec->flags & DEFCONTEXT_MNT) {
501                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
502                 if (rc)
503                         goto out_free;
504                 opts->mnt_opts[i] = context;
505                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506         }
507         if (sbsec->flags & ROOTCONTEXT_MNT) {
508                 struct inode *root = sbsec->sb->s_root->d_inode;
509                 struct inode_security_struct *isec = root->i_security;
510
511                 rc = security_sid_to_context(isec->sid, &context, &len);
512                 if (rc)
513                         goto out_free;
514                 opts->mnt_opts[i] = context;
515                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
516         }
517
518         BUG_ON(i != opts->num_mnt_opts);
519
520         return 0;
521
522 out_free:
523         security_free_mnt_opts(opts);
524         return rc;
525 }
526
527 static int bad_option(struct superblock_security_struct *sbsec, char flag,
528                       u32 old_sid, u32 new_sid)
529 {
530         /* check if the old mount command had the same options */
531         if (sbsec->initialized)
532                 if (!(sbsec->flags & flag) ||
533                     (old_sid != new_sid))
534                         return 1;
535
536         /* check if we were passed the same options twice,
537          * aka someone passed context=a,context=b
538          */
539         if (!sbsec->initialized)
540                 if (sbsec->flags & flag)
541                         return 1;
542         return 0;
543 }
544
545 /*
546  * Allow filesystems with binary mount data to explicitly set mount point
547  * labeling information.
548  */
549 static int selinux_set_mnt_opts(struct super_block *sb,
550                                 struct security_mnt_opts *opts)
551 {
552         int rc = 0, i;
553         struct task_security_struct *tsec = current->security;
554         struct superblock_security_struct *sbsec = sb->s_security;
555         const char *name = sb->s_type->name;
556         struct inode *inode = sbsec->sb->s_root->d_inode;
557         struct inode_security_struct *root_isec = inode->i_security;
558         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
559         u32 defcontext_sid = 0;
560         char **mount_options = opts->mnt_opts;
561         int *flags = opts->mnt_opts_flags;
562         int num_opts = opts->num_mnt_opts;
563
564         mutex_lock(&sbsec->lock);
565
566         if (!ss_initialized) {
567                 if (!num_opts) {
568                         /* Defer initialization until selinux_complete_init,
569                            after the initial policy is loaded and the security
570                            server is ready to handle calls. */
571                         spin_lock(&sb_security_lock);
572                         if (list_empty(&sbsec->list))
573                                 list_add(&sbsec->list, &superblock_security_head);
574                         spin_unlock(&sb_security_lock);
575                         goto out;
576                 }
577                 rc = -EINVAL;
578                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
579                         "before the security server is initialized\n");
580                 goto out;
581         }
582
583         /*
584          * Binary mount data FS will come through this function twice.  Once
585          * from an explicit call and once from the generic calls from the vfs.
586          * Since the generic VFS calls will not contain any security mount data
587          * we need to skip the double mount verification.
588          *
589          * This does open a hole in which we will not notice if the first
590          * mount using this sb set explict options and a second mount using
591          * this sb does not set any security options.  (The first options
592          * will be used for both mounts)
593          */
594         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
595             && (num_opts == 0))
596                 goto out;
597
598         /*
599          * parse the mount options, check if they are valid sids.
600          * also check if someone is trying to mount the same sb more
601          * than once with different security options.
602          */
603         for (i = 0; i < num_opts; i++) {
604                 u32 sid;
605                 rc = security_context_to_sid(mount_options[i],
606                                              strlen(mount_options[i]), &sid);
607                 if (rc) {
608                         printk(KERN_WARNING "SELinux: security_context_to_sid"
609                                "(%s) failed for (dev %s, type %s) errno=%d\n",
610                                mount_options[i], sb->s_id, name, rc);
611                         goto out;
612                 }
613                 switch (flags[i]) {
614                 case FSCONTEXT_MNT:
615                         fscontext_sid = sid;
616
617                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618                                         fscontext_sid))
619                                 goto out_double_mount;
620
621                         sbsec->flags |= FSCONTEXT_MNT;
622                         break;
623                 case CONTEXT_MNT:
624                         context_sid = sid;
625
626                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627                                         context_sid))
628                                 goto out_double_mount;
629
630                         sbsec->flags |= CONTEXT_MNT;
631                         break;
632                 case ROOTCONTEXT_MNT:
633                         rootcontext_sid = sid;
634
635                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636                                         rootcontext_sid))
637                                 goto out_double_mount;
638
639                         sbsec->flags |= ROOTCONTEXT_MNT;
640
641                         break;
642                 case DEFCONTEXT_MNT:
643                         defcontext_sid = sid;
644
645                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646                                         defcontext_sid))
647                                 goto out_double_mount;
648
649                         sbsec->flags |= DEFCONTEXT_MNT;
650
651                         break;
652                 default:
653                         rc = -EINVAL;
654                         goto out;
655                 }
656         }
657
658         if (sbsec->initialized) {
659                 /* previously mounted with options, but not on this attempt? */
660                 if (sbsec->flags && !num_opts)
661                         goto out_double_mount;
662                 rc = 0;
663                 goto out;
664         }
665
666         if (strcmp(sb->s_type->name, "proc") == 0)
667                 sbsec->proc = 1;
668
669         /* Determine the labeling behavior to use for this filesystem type. */
670         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671         if (rc) {
672                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
673                        __func__, sb->s_type->name, rc);
674                 goto out;
675         }
676
677         /* sets the context of the superblock for the fs being mounted. */
678         if (fscontext_sid) {
679
680                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
681                 if (rc)
682                         goto out;
683
684                 sbsec->sid = fscontext_sid;
685         }
686
687         /*
688          * Switch to using mount point labeling behavior.
689          * sets the label used on all file below the mountpoint, and will set
690          * the superblock context if not already set.
691          */
692         if (context_sid) {
693                 if (!fscontext_sid) {
694                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
695                         if (rc)
696                                 goto out;
697                         sbsec->sid = context_sid;
698                 } else {
699                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
700                         if (rc)
701                                 goto out;
702                 }
703                 if (!rootcontext_sid)
704                         rootcontext_sid = context_sid;
705
706                 sbsec->mntpoint_sid = context_sid;
707                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
708         }
709
710         if (rootcontext_sid) {
711                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
712                 if (rc)
713                         goto out;
714
715                 root_isec->sid = rootcontext_sid;
716                 root_isec->initialized = 1;
717         }
718
719         if (defcontext_sid) {
720                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721                         rc = -EINVAL;
722                         printk(KERN_WARNING "SELinux: defcontext option is "
723                                "invalid for this filesystem type\n");
724                         goto out;
725                 }
726
727                 if (defcontext_sid != sbsec->def_sid) {
728                         rc = may_context_mount_inode_relabel(defcontext_sid,
729                                                              sbsec, tsec);
730                         if (rc)
731                                 goto out;
732                 }
733
734                 sbsec->def_sid = defcontext_sid;
735         }
736
737         rc = sb_finish_set_opts(sb);
738 out:
739         mutex_unlock(&sbsec->lock);
740         return rc;
741 out_double_mount:
742         rc = -EINVAL;
743         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
744                "security settings for (dev %s, type %s)\n", sb->s_id, name);
745         goto out;
746 }
747
748 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
749                                         struct super_block *newsb)
750 {
751         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
752         struct superblock_security_struct *newsbsec = newsb->s_security;
753
754         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
755         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
756         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
757
758         /*
759          * if the parent was able to be mounted it clearly had no special lsm
760          * mount options.  thus we can safely put this sb on the list and deal
761          * with it later
762          */
763         if (!ss_initialized) {
764                 spin_lock(&sb_security_lock);
765                 if (list_empty(&newsbsec->list))
766                         list_add(&newsbsec->list, &superblock_security_head);
767                 spin_unlock(&sb_security_lock);
768                 return;
769         }
770
771         /* how can we clone if the old one wasn't set up?? */
772         BUG_ON(!oldsbsec->initialized);
773
774         /* if fs is reusing a sb, just let its options stand... */
775         if (newsbsec->initialized)
776                 return;
777
778         mutex_lock(&newsbsec->lock);
779
780         newsbsec->flags = oldsbsec->flags;
781
782         newsbsec->sid = oldsbsec->sid;
783         newsbsec->def_sid = oldsbsec->def_sid;
784         newsbsec->behavior = oldsbsec->behavior;
785
786         if (set_context) {
787                 u32 sid = oldsbsec->mntpoint_sid;
788
789                 if (!set_fscontext)
790                         newsbsec->sid = sid;
791                 if (!set_rootcontext) {
792                         struct inode *newinode = newsb->s_root->d_inode;
793                         struct inode_security_struct *newisec = newinode->i_security;
794                         newisec->sid = sid;
795                 }
796                 newsbsec->mntpoint_sid = sid;
797         }
798         if (set_rootcontext) {
799                 const struct inode *oldinode = oldsb->s_root->d_inode;
800                 const struct inode_security_struct *oldisec = oldinode->i_security;
801                 struct inode *newinode = newsb->s_root->d_inode;
802                 struct inode_security_struct *newisec = newinode->i_security;
803
804                 newisec->sid = oldisec->sid;
805         }
806
807         sb_finish_set_opts(newsb);
808         mutex_unlock(&newsbsec->lock);
809 }
810
811 static int selinux_parse_opts_str(char *options,
812                                   struct security_mnt_opts *opts)
813 {
814         char *p;
815         char *context = NULL, *defcontext = NULL;
816         char *fscontext = NULL, *rootcontext = NULL;
817         int rc, num_mnt_opts = 0;
818
819         opts->num_mnt_opts = 0;
820
821         /* Standard string-based options. */
822         while ((p = strsep(&options, "|")) != NULL) {
823                 int token;
824                 substring_t args[MAX_OPT_ARGS];
825
826                 if (!*p)
827                         continue;
828
829                 token = match_token(p, tokens, args);
830
831                 switch (token) {
832                 case Opt_context:
833                         if (context || defcontext) {
834                                 rc = -EINVAL;
835                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
836                                 goto out_err;
837                         }
838                         context = match_strdup(&args[0]);
839                         if (!context) {
840                                 rc = -ENOMEM;
841                                 goto out_err;
842                         }
843                         break;
844
845                 case Opt_fscontext:
846                         if (fscontext) {
847                                 rc = -EINVAL;
848                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
849                                 goto out_err;
850                         }
851                         fscontext = match_strdup(&args[0]);
852                         if (!fscontext) {
853                                 rc = -ENOMEM;
854                                 goto out_err;
855                         }
856                         break;
857
858                 case Opt_rootcontext:
859                         if (rootcontext) {
860                                 rc = -EINVAL;
861                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862                                 goto out_err;
863                         }
864                         rootcontext = match_strdup(&args[0]);
865                         if (!rootcontext) {
866                                 rc = -ENOMEM;
867                                 goto out_err;
868                         }
869                         break;
870
871                 case Opt_defcontext:
872                         if (context || defcontext) {
873                                 rc = -EINVAL;
874                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875                                 goto out_err;
876                         }
877                         defcontext = match_strdup(&args[0]);
878                         if (!defcontext) {
879                                 rc = -ENOMEM;
880                                 goto out_err;
881                         }
882                         break;
883
884                 default:
885                         rc = -EINVAL;
886                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
887                         goto out_err;
888
889                 }
890         }
891
892         rc = -ENOMEM;
893         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
894         if (!opts->mnt_opts)
895                 goto out_err;
896
897         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
898         if (!opts->mnt_opts_flags) {
899                 kfree(opts->mnt_opts);
900                 goto out_err;
901         }
902
903         if (fscontext) {
904                 opts->mnt_opts[num_mnt_opts] = fscontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
906         }
907         if (context) {
908                 opts->mnt_opts[num_mnt_opts] = context;
909                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
910         }
911         if (rootcontext) {
912                 opts->mnt_opts[num_mnt_opts] = rootcontext;
913                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
914         }
915         if (defcontext) {
916                 opts->mnt_opts[num_mnt_opts] = defcontext;
917                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
918         }
919
920         opts->num_mnt_opts = num_mnt_opts;
921         return 0;
922
923 out_err:
924         kfree(context);
925         kfree(defcontext);
926         kfree(fscontext);
927         kfree(rootcontext);
928         return rc;
929 }
930 /*
931  * string mount options parsing and call set the sbsec
932  */
933 static int superblock_doinit(struct super_block *sb, void *data)
934 {
935         int rc = 0;
936         char *options = data;
937         struct security_mnt_opts opts;
938
939         security_init_mnt_opts(&opts);
940
941         if (!data)
942                 goto out;
943
944         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
945
946         rc = selinux_parse_opts_str(options, &opts);
947         if (rc)
948                 goto out_err;
949
950 out:
951         rc = selinux_set_mnt_opts(sb, &opts);
952
953 out_err:
954         security_free_mnt_opts(&opts);
955         return rc;
956 }
957
958 static inline u16 inode_mode_to_security_class(umode_t mode)
959 {
960         switch (mode & S_IFMT) {
961         case S_IFSOCK:
962                 return SECCLASS_SOCK_FILE;
963         case S_IFLNK:
964                 return SECCLASS_LNK_FILE;
965         case S_IFREG:
966                 return SECCLASS_FILE;
967         case S_IFBLK:
968                 return SECCLASS_BLK_FILE;
969         case S_IFDIR:
970                 return SECCLASS_DIR;
971         case S_IFCHR:
972                 return SECCLASS_CHR_FILE;
973         case S_IFIFO:
974                 return SECCLASS_FIFO_FILE;
975
976         }
977
978         return SECCLASS_FILE;
979 }
980
981 static inline int default_protocol_stream(int protocol)
982 {
983         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
984 }
985
986 static inline int default_protocol_dgram(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
989 }
990
991 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
992 {
993         switch (family) {
994         case PF_UNIX:
995                 switch (type) {
996                 case SOCK_STREAM:
997                 case SOCK_SEQPACKET:
998                         return SECCLASS_UNIX_STREAM_SOCKET;
999                 case SOCK_DGRAM:
1000                         return SECCLASS_UNIX_DGRAM_SOCKET;
1001                 }
1002                 break;
1003         case PF_INET:
1004         case PF_INET6:
1005                 switch (type) {
1006                 case SOCK_STREAM:
1007                         if (default_protocol_stream(protocol))
1008                                 return SECCLASS_TCP_SOCKET;
1009                         else
1010                                 return SECCLASS_RAWIP_SOCKET;
1011                 case SOCK_DGRAM:
1012                         if (default_protocol_dgram(protocol))
1013                                 return SECCLASS_UDP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DCCP:
1017                         return SECCLASS_DCCP_SOCKET;
1018                 default:
1019                         return SECCLASS_RAWIP_SOCKET;
1020                 }
1021                 break;
1022         case PF_NETLINK:
1023                 switch (protocol) {
1024                 case NETLINK_ROUTE:
1025                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1026                 case NETLINK_FIREWALL:
1027                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1028                 case NETLINK_INET_DIAG:
1029                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1030                 case NETLINK_NFLOG:
1031                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1032                 case NETLINK_XFRM:
1033                         return SECCLASS_NETLINK_XFRM_SOCKET;
1034                 case NETLINK_SELINUX:
1035                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1036                 case NETLINK_AUDIT:
1037                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1038                 case NETLINK_IP6_FW:
1039                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1040                 case NETLINK_DNRTMSG:
1041                         return SECCLASS_NETLINK_DNRT_SOCKET;
1042                 case NETLINK_KOBJECT_UEVENT:
1043                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1044                 default:
1045                         return SECCLASS_NETLINK_SOCKET;
1046                 }
1047         case PF_PACKET:
1048                 return SECCLASS_PACKET_SOCKET;
1049         case PF_KEY:
1050                 return SECCLASS_KEY_SOCKET;
1051         case PF_APPLETALK:
1052                 return SECCLASS_APPLETALK_SOCKET;
1053         }
1054
1055         return SECCLASS_SOCKET;
1056 }
1057
1058 #ifdef CONFIG_PROC_FS
1059 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1060                                 u16 tclass,
1061                                 u32 *sid)
1062 {
1063         int buflen, rc;
1064         char *buffer, *path, *end;
1065
1066         buffer = (char *)__get_free_page(GFP_KERNEL);
1067         if (!buffer)
1068                 return -ENOMEM;
1069
1070         buflen = PAGE_SIZE;
1071         end = buffer+buflen;
1072         *--end = '\0';
1073         buflen--;
1074         path = end-1;
1075         *path = '/';
1076         while (de && de != de->parent) {
1077                 buflen -= de->namelen + 1;
1078                 if (buflen < 0)
1079                         break;
1080                 end -= de->namelen;
1081                 memcpy(end, de->name, de->namelen);
1082                 *--end = '/';
1083                 path = end;
1084                 de = de->parent;
1085         }
1086         rc = security_genfs_sid("proc", path, tclass, sid);
1087         free_page((unsigned long)buffer);
1088         return rc;
1089 }
1090 #else
1091 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1092                                 u16 tclass,
1093                                 u32 *sid)
1094 {
1095         return -EINVAL;
1096 }
1097 #endif
1098
1099 /* The inode's security attributes must be initialized before first use. */
1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1101 {
1102         struct superblock_security_struct *sbsec = NULL;
1103         struct inode_security_struct *isec = inode->i_security;
1104         u32 sid;
1105         struct dentry *dentry;
1106 #define INITCONTEXTLEN 255
1107         char *context = NULL;
1108         unsigned len = 0;
1109         int rc = 0;
1110
1111         if (isec->initialized)
1112                 goto out;
1113
1114         mutex_lock(&isec->lock);
1115         if (isec->initialized)
1116                 goto out_unlock;
1117
1118         sbsec = inode->i_sb->s_security;
1119         if (!sbsec->initialized) {
1120                 /* Defer initialization until selinux_complete_init,
1121                    after the initial policy is loaded and the security
1122                    server is ready to handle calls. */
1123                 spin_lock(&sbsec->isec_lock);
1124                 if (list_empty(&isec->list))
1125                         list_add(&isec->list, &sbsec->isec_head);
1126                 spin_unlock(&sbsec->isec_lock);
1127                 goto out_unlock;
1128         }
1129
1130         switch (sbsec->behavior) {
1131         case SECURITY_FS_USE_XATTR:
1132                 if (!inode->i_op->getxattr) {
1133                         isec->sid = sbsec->def_sid;
1134                         break;
1135                 }
1136
1137                 /* Need a dentry, since the xattr API requires one.
1138                    Life would be simpler if we could just pass the inode. */
1139                 if (opt_dentry) {
1140                         /* Called from d_instantiate or d_splice_alias. */
1141                         dentry = dget(opt_dentry);
1142                 } else {
1143                         /* Called from selinux_complete_init, try to find a dentry. */
1144                         dentry = d_find_alias(inode);
1145                 }
1146                 if (!dentry) {
1147                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1148                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1149                                inode->i_ino);
1150                         goto out_unlock;
1151                 }
1152
1153                 len = INITCONTEXTLEN;
1154                 context = kmalloc(len, GFP_NOFS);
1155                 if (!context) {
1156                         rc = -ENOMEM;
1157                         dput(dentry);
1158                         goto out_unlock;
1159                 }
1160                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161                                            context, len);
1162                 if (rc == -ERANGE) {
1163                         /* Need a larger buffer.  Query for the right size. */
1164                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1165                                                    NULL, 0);
1166                         if (rc < 0) {
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         kfree(context);
1171                         len = rc;
1172                         context = kmalloc(len, GFP_NOFS);
1173                         if (!context) {
1174                                 rc = -ENOMEM;
1175                                 dput(dentry);
1176                                 goto out_unlock;
1177                         }
1178                         rc = inode->i_op->getxattr(dentry,
1179                                                    XATTR_NAME_SELINUX,
1180                                                    context, len);
1181                 }
1182                 dput(dentry);
1183                 if (rc < 0) {
1184                         if (rc != -ENODATA) {
1185                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1186                                        "%d for dev=%s ino=%ld\n", __func__,
1187                                        -rc, inode->i_sb->s_id, inode->i_ino);
1188                                 kfree(context);
1189                                 goto out_unlock;
1190                         }
1191                         /* Map ENODATA to the default file SID */
1192                         sid = sbsec->def_sid;
1193                         rc = 0;
1194                 } else {
1195                         rc = security_context_to_sid_default(context, rc, &sid,
1196                                                              sbsec->def_sid,
1197                                                              GFP_NOFS);
1198                         if (rc) {
1199                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1200                                        "returned %d for dev=%s ino=%ld\n",
1201                                        __func__, context, -rc,
1202                                        inode->i_sb->s_id, inode->i_ino);
1203                                 kfree(context);
1204                                 /* Leave with the unlabeled SID */
1205                                 rc = 0;
1206                                 break;
1207                         }
1208                 }
1209                 kfree(context);
1210                 isec->sid = sid;
1211                 break;
1212         case SECURITY_FS_USE_TASK:
1213                 isec->sid = isec->task_sid;
1214                 break;
1215         case SECURITY_FS_USE_TRANS:
1216                 /* Default to the fs SID. */
1217                 isec->sid = sbsec->sid;
1218
1219                 /* Try to obtain a transition SID. */
1220                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1221                 rc = security_transition_sid(isec->task_sid,
1222                                              sbsec->sid,
1223                                              isec->sclass,
1224                                              &sid);
1225                 if (rc)
1226                         goto out_unlock;
1227                 isec->sid = sid;
1228                 break;
1229         case SECURITY_FS_USE_MNTPOINT:
1230                 isec->sid = sbsec->mntpoint_sid;
1231                 break;
1232         default:
1233                 /* Default to the fs superblock SID. */
1234                 isec->sid = sbsec->sid;
1235
1236                 if (sbsec->proc) {
1237                         struct proc_inode *proci = PROC_I(inode);
1238                         if (proci->pde) {
1239                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1240                                 rc = selinux_proc_get_sid(proci->pde,
1241                                                           isec->sclass,
1242                                                           &sid);
1243                                 if (rc)
1244                                         goto out_unlock;
1245                                 isec->sid = sid;
1246                         }
1247                 }
1248                 break;
1249         }
1250
1251         isec->initialized = 1;
1252
1253 out_unlock:
1254         mutex_unlock(&isec->lock);
1255 out:
1256         if (isec->sclass == SECCLASS_FILE)
1257                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1258         return rc;
1259 }
1260
1261 /* Convert a Linux signal to an access vector. */
1262 static inline u32 signal_to_av(int sig)
1263 {
1264         u32 perm = 0;
1265
1266         switch (sig) {
1267         case SIGCHLD:
1268                 /* Commonly granted from child to parent. */
1269                 perm = PROCESS__SIGCHLD;
1270                 break;
1271         case SIGKILL:
1272                 /* Cannot be caught or ignored */
1273                 perm = PROCESS__SIGKILL;
1274                 break;
1275         case SIGSTOP:
1276                 /* Cannot be caught or ignored */
1277                 perm = PROCESS__SIGSTOP;
1278                 break;
1279         default:
1280                 /* All other signals. */
1281                 perm = PROCESS__SIGNAL;
1282                 break;
1283         }
1284
1285         return perm;
1286 }
1287
1288 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1289    fork check, ptrace check, etc. */
1290 static int task_has_perm(struct task_struct *tsk1,
1291                          struct task_struct *tsk2,
1292                          u32 perms)
1293 {
1294         struct task_security_struct *tsec1, *tsec2;
1295
1296         tsec1 = tsk1->security;
1297         tsec2 = tsk2->security;
1298         return avc_has_perm(tsec1->sid, tsec2->sid,
1299                             SECCLASS_PROCESS, perms, NULL);
1300 }
1301
1302 #if CAP_LAST_CAP > 63
1303 #error Fix SELinux to handle capabilities > 63.
1304 #endif
1305
1306 /* Check whether a task is allowed to use a capability. */
1307 static int task_has_capability(struct task_struct *tsk,
1308                                int cap)
1309 {
1310         struct task_security_struct *tsec;
1311         struct avc_audit_data ad;
1312         u16 sclass;
1313         u32 av = CAP_TO_MASK(cap);
1314
1315         tsec = tsk->security;
1316
1317         AVC_AUDIT_DATA_INIT(&ad, CAP);
1318         ad.tsk = tsk;
1319         ad.u.cap = cap;
1320
1321         switch (CAP_TO_INDEX(cap)) {
1322         case 0:
1323                 sclass = SECCLASS_CAPABILITY;
1324                 break;
1325         case 1:
1326                 sclass = SECCLASS_CAPABILITY2;
1327                 break;
1328         default:
1329                 printk(KERN_ERR
1330                        "SELinux:  out of range capability %d\n", cap);
1331                 BUG();
1332         }
1333         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1334 }
1335
1336 /* Check whether a task is allowed to use a system operation. */
1337 static int task_has_system(struct task_struct *tsk,
1338                            u32 perms)
1339 {
1340         struct task_security_struct *tsec;
1341
1342         tsec = tsk->security;
1343
1344         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1345                             SECCLASS_SYSTEM, perms, NULL);
1346 }
1347
1348 /* Check whether a task has a particular permission to an inode.
1349    The 'adp' parameter is optional and allows other audit
1350    data to be passed (e.g. the dentry). */
1351 static int inode_has_perm(struct task_struct *tsk,
1352                           struct inode *inode,
1353                           u32 perms,
1354                           struct avc_audit_data *adp)
1355 {
1356         struct task_security_struct *tsec;
1357         struct inode_security_struct *isec;
1358         struct avc_audit_data ad;
1359
1360         if (unlikely(IS_PRIVATE(inode)))
1361                 return 0;
1362
1363         tsec = tsk->security;
1364         isec = inode->i_security;
1365
1366         if (!adp) {
1367                 adp = &ad;
1368                 AVC_AUDIT_DATA_INIT(&ad, FS);
1369                 ad.u.fs.inode = inode;
1370         }
1371
1372         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1373 }
1374
1375 /* Same as inode_has_perm, but pass explicit audit data containing
1376    the dentry to help the auditing code to more easily generate the
1377    pathname if needed. */
1378 static inline int dentry_has_perm(struct task_struct *tsk,
1379                                   struct vfsmount *mnt,
1380                                   struct dentry *dentry,
1381                                   u32 av)
1382 {
1383         struct inode *inode = dentry->d_inode;
1384         struct avc_audit_data ad;
1385         AVC_AUDIT_DATA_INIT(&ad, FS);
1386         ad.u.fs.path.mnt = mnt;
1387         ad.u.fs.path.dentry = dentry;
1388         return inode_has_perm(tsk, inode, av, &ad);
1389 }
1390
1391 /* Check whether a task can use an open file descriptor to
1392    access an inode in a given way.  Check access to the
1393    descriptor itself, and then use dentry_has_perm to
1394    check a particular permission to the file.
1395    Access to the descriptor is implicitly granted if it
1396    has the same SID as the process.  If av is zero, then
1397    access to the file is not checked, e.g. for cases
1398    where only the descriptor is affected like seek. */
1399 static int file_has_perm(struct task_struct *tsk,
1400                                 struct file *file,
1401                                 u32 av)
1402 {
1403         struct task_security_struct *tsec = tsk->security;
1404         struct file_security_struct *fsec = file->f_security;
1405         struct inode *inode = file->f_path.dentry->d_inode;
1406         struct avc_audit_data ad;
1407         int rc;
1408
1409         AVC_AUDIT_DATA_INIT(&ad, FS);
1410         ad.u.fs.path = file->f_path;
1411
1412         if (tsec->sid != fsec->sid) {
1413                 rc = avc_has_perm(tsec->sid, fsec->sid,
1414                                   SECCLASS_FD,
1415                                   FD__USE,
1416                                   &ad);
1417                 if (rc)
1418                         return rc;
1419         }
1420
1421         /* av is zero if only checking access to the descriptor. */
1422         if (av)
1423                 return inode_has_perm(tsk, inode, av, &ad);
1424
1425         return 0;
1426 }
1427
1428 /* Check whether a task can create a file. */
1429 static int may_create(struct inode *dir,
1430                       struct dentry *dentry,
1431                       u16 tclass)
1432 {
1433         struct task_security_struct *tsec;
1434         struct inode_security_struct *dsec;
1435         struct superblock_security_struct *sbsec;
1436         u32 newsid;
1437         struct avc_audit_data ad;
1438         int rc;
1439
1440         tsec = current->security;
1441         dsec = dir->i_security;
1442         sbsec = dir->i_sb->s_security;
1443
1444         AVC_AUDIT_DATA_INIT(&ad, FS);
1445         ad.u.fs.path.dentry = dentry;
1446
1447         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1448                           DIR__ADD_NAME | DIR__SEARCH,
1449                           &ad);
1450         if (rc)
1451                 return rc;
1452
1453         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1454                 newsid = tsec->create_sid;
1455         } else {
1456                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1457                                              &newsid);
1458                 if (rc)
1459                         return rc;
1460         }
1461
1462         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1463         if (rc)
1464                 return rc;
1465
1466         return avc_has_perm(newsid, sbsec->sid,
1467                             SECCLASS_FILESYSTEM,
1468                             FILESYSTEM__ASSOCIATE, &ad);
1469 }
1470
1471 /* Check whether a task can create a key. */
1472 static int may_create_key(u32 ksid,
1473                           struct task_struct *ctx)
1474 {
1475         struct task_security_struct *tsec;
1476
1477         tsec = ctx->security;
1478
1479         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1480 }
1481
1482 #define MAY_LINK        0
1483 #define MAY_UNLINK      1
1484 #define MAY_RMDIR       2
1485
1486 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1487 static int may_link(struct inode *dir,
1488                     struct dentry *dentry,
1489                     int kind)
1490
1491 {
1492         struct task_security_struct *tsec;
1493         struct inode_security_struct *dsec, *isec;
1494         struct avc_audit_data ad;
1495         u32 av;
1496         int rc;
1497
1498         tsec = current->security;
1499         dsec = dir->i_security;
1500         isec = dentry->d_inode->i_security;
1501
1502         AVC_AUDIT_DATA_INIT(&ad, FS);
1503         ad.u.fs.path.dentry = dentry;
1504
1505         av = DIR__SEARCH;
1506         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1507         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1508         if (rc)
1509                 return rc;
1510
1511         switch (kind) {
1512         case MAY_LINK:
1513                 av = FILE__LINK;
1514                 break;
1515         case MAY_UNLINK:
1516                 av = FILE__UNLINK;
1517                 break;
1518         case MAY_RMDIR:
1519                 av = DIR__RMDIR;
1520                 break;
1521         default:
1522                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1523                         __func__, kind);
1524                 return 0;
1525         }
1526
1527         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1528         return rc;
1529 }
1530
1531 static inline int may_rename(struct inode *old_dir,
1532                              struct dentry *old_dentry,
1533                              struct inode *new_dir,
1534                              struct dentry *new_dentry)
1535 {
1536         struct task_security_struct *tsec;
1537         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1538         struct avc_audit_data ad;
1539         u32 av;
1540         int old_is_dir, new_is_dir;
1541         int rc;
1542
1543         tsec = current->security;
1544         old_dsec = old_dir->i_security;
1545         old_isec = old_dentry->d_inode->i_security;
1546         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1547         new_dsec = new_dir->i_security;
1548
1549         AVC_AUDIT_DATA_INIT(&ad, FS);
1550
1551         ad.u.fs.path.dentry = old_dentry;
1552         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1553                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1554         if (rc)
1555                 return rc;
1556         rc = avc_has_perm(tsec->sid, old_isec->sid,
1557                           old_isec->sclass, FILE__RENAME, &ad);
1558         if (rc)
1559                 return rc;
1560         if (old_is_dir && new_dir != old_dir) {
1561                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1562                                   old_isec->sclass, DIR__REPARENT, &ad);
1563                 if (rc)
1564                         return rc;
1565         }
1566
1567         ad.u.fs.path.dentry = new_dentry;
1568         av = DIR__ADD_NAME | DIR__SEARCH;
1569         if (new_dentry->d_inode)
1570                 av |= DIR__REMOVE_NAME;
1571         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1572         if (rc)
1573                 return rc;
1574         if (new_dentry->d_inode) {
1575                 new_isec = new_dentry->d_inode->i_security;
1576                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1577                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1578                                   new_isec->sclass,
1579                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1580                 if (rc)
1581                         return rc;
1582         }
1583
1584         return 0;
1585 }
1586
1587 /* Check whether a task can perform a filesystem operation. */
1588 static int superblock_has_perm(struct task_struct *tsk,
1589                                struct super_block *sb,
1590                                u32 perms,
1591                                struct avc_audit_data *ad)
1592 {
1593         struct task_security_struct *tsec;
1594         struct superblock_security_struct *sbsec;
1595
1596         tsec = tsk->security;
1597         sbsec = sb->s_security;
1598         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1599                             perms, ad);
1600 }
1601
1602 /* Convert a Linux mode and permission mask to an access vector. */
1603 static inline u32 file_mask_to_av(int mode, int mask)
1604 {
1605         u32 av = 0;
1606
1607         if ((mode & S_IFMT) != S_IFDIR) {
1608                 if (mask & MAY_EXEC)
1609                         av |= FILE__EXECUTE;
1610                 if (mask & MAY_READ)
1611                         av |= FILE__READ;
1612
1613                 if (mask & MAY_APPEND)
1614                         av |= FILE__APPEND;
1615                 else if (mask & MAY_WRITE)
1616                         av |= FILE__WRITE;
1617
1618         } else {
1619                 if (mask & MAY_EXEC)
1620                         av |= DIR__SEARCH;
1621                 if (mask & MAY_WRITE)
1622                         av |= DIR__WRITE;
1623                 if (mask & MAY_READ)
1624                         av |= DIR__READ;
1625         }
1626
1627         return av;
1628 }
1629
1630 /*
1631  * Convert a file mask to an access vector and include the correct open
1632  * open permission.
1633  */
1634 static inline u32 open_file_mask_to_av(int mode, int mask)
1635 {
1636         u32 av = file_mask_to_av(mode, mask);
1637
1638         if (selinux_policycap_openperm) {
1639                 /*
1640                  * lnk files and socks do not really have an 'open'
1641                  */
1642                 if (S_ISREG(mode))
1643                         av |= FILE__OPEN;
1644                 else if (S_ISCHR(mode))
1645                         av |= CHR_FILE__OPEN;
1646                 else if (S_ISBLK(mode))
1647                         av |= BLK_FILE__OPEN;
1648                 else if (S_ISFIFO(mode))
1649                         av |= FIFO_FILE__OPEN;
1650                 else if (S_ISDIR(mode))
1651                         av |= DIR__OPEN;
1652                 else
1653                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1654                                 "unknown mode:%x\n", __func__, mode);
1655         }
1656         return av;
1657 }
1658
1659 /* Convert a Linux file to an access vector. */
1660 static inline u32 file_to_av(struct file *file)
1661 {
1662         u32 av = 0;
1663
1664         if (file->f_mode & FMODE_READ)
1665                 av |= FILE__READ;
1666         if (file->f_mode & FMODE_WRITE) {
1667                 if (file->f_flags & O_APPEND)
1668                         av |= FILE__APPEND;
1669                 else
1670                         av |= FILE__WRITE;
1671         }
1672         if (!av) {
1673                 /*
1674                  * Special file opened with flags 3 for ioctl-only use.
1675                  */
1676                 av = FILE__IOCTL;
1677         }
1678
1679         return av;
1680 }
1681
1682 /* Hook functions begin here. */
1683
1684 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1685 {
1686         int rc;
1687
1688         rc = secondary_ops->ptrace(parent, child);
1689         if (rc)
1690                 return rc;
1691
1692         return task_has_perm(parent, child, PROCESS__PTRACE);
1693 }
1694
1695 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1696                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697 {
1698         int error;
1699
1700         error = task_has_perm(current, target, PROCESS__GETCAP);
1701         if (error)
1702                 return error;
1703
1704         return secondary_ops->capget(target, effective, inheritable, permitted);
1705 }
1706
1707 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1708                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710         int error;
1711
1712         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1713         if (error)
1714                 return error;
1715
1716         return task_has_perm(current, target, PROCESS__SETCAP);
1717 }
1718
1719 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1720                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1721 {
1722         secondary_ops->capset_set(target, effective, inheritable, permitted);
1723 }
1724
1725 static int selinux_capable(struct task_struct *tsk, int cap)
1726 {
1727         int rc;
1728
1729         rc = secondary_ops->capable(tsk, cap);
1730         if (rc)
1731                 return rc;
1732
1733         return task_has_capability(tsk, cap);
1734 }
1735
1736 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1737 {
1738         int buflen, rc;
1739         char *buffer, *path, *end;
1740
1741         rc = -ENOMEM;
1742         buffer = (char *)__get_free_page(GFP_KERNEL);
1743         if (!buffer)
1744                 goto out;
1745
1746         buflen = PAGE_SIZE;
1747         end = buffer+buflen;
1748         *--end = '\0';
1749         buflen--;
1750         path = end-1;
1751         *path = '/';
1752         while (table) {
1753                 const char *name = table->procname;
1754                 size_t namelen = strlen(name);
1755                 buflen -= namelen + 1;
1756                 if (buflen < 0)
1757                         goto out_free;
1758                 end -= namelen;
1759                 memcpy(end, name, namelen);
1760                 *--end = '/';
1761                 path = end;
1762                 table = table->parent;
1763         }
1764         buflen -= 4;
1765         if (buflen < 0)
1766                 goto out_free;
1767         end -= 4;
1768         memcpy(end, "/sys", 4);
1769         path = end;
1770         rc = security_genfs_sid("proc", path, tclass, sid);
1771 out_free:
1772         free_page((unsigned long)buffer);
1773 out:
1774         return rc;
1775 }
1776
1777 static int selinux_sysctl(ctl_table *table, int op)
1778 {
1779         int error = 0;
1780         u32 av;
1781         struct task_security_struct *tsec;
1782         u32 tsid;
1783         int rc;
1784
1785         rc = secondary_ops->sysctl(table, op);
1786         if (rc)
1787                 return rc;
1788
1789         tsec = current->security;
1790
1791         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1792                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1793         if (rc) {
1794                 /* Default to the well-defined sysctl SID. */
1795                 tsid = SECINITSID_SYSCTL;
1796         }
1797
1798         /* The op values are "defined" in sysctl.c, thereby creating
1799          * a bad coupling between this module and sysctl.c */
1800         if (op == 001) {
1801                 error = avc_has_perm(tsec->sid, tsid,
1802                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1803         } else {
1804                 av = 0;
1805                 if (op & 004)
1806                         av |= FILE__READ;
1807                 if (op & 002)
1808                         av |= FILE__WRITE;
1809                 if (av)
1810                         error = avc_has_perm(tsec->sid, tsid,
1811                                              SECCLASS_FILE, av, NULL);
1812         }
1813
1814         return error;
1815 }
1816
1817 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1818 {
1819         int rc = 0;
1820
1821         if (!sb)
1822                 return 0;
1823
1824         switch (cmds) {
1825         case Q_SYNC:
1826         case Q_QUOTAON:
1827         case Q_QUOTAOFF:
1828         case Q_SETINFO:
1829         case Q_SETQUOTA:
1830                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1831                                          NULL);
1832                 break;
1833         case Q_GETFMT:
1834         case Q_GETINFO:
1835         case Q_GETQUOTA:
1836                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1837                                          NULL);
1838                 break;
1839         default:
1840                 rc = 0;  /* let the kernel handle invalid cmds */
1841                 break;
1842         }
1843         return rc;
1844 }
1845
1846 static int selinux_quota_on(struct dentry *dentry)
1847 {
1848         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1849 }
1850
1851 static int selinux_syslog(int type)
1852 {
1853         int rc;
1854
1855         rc = secondary_ops->syslog(type);
1856         if (rc)
1857                 return rc;
1858
1859         switch (type) {
1860         case 3:         /* Read last kernel messages */
1861         case 10:        /* Return size of the log buffer */
1862                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1863                 break;
1864         case 6:         /* Disable logging to console */
1865         case 7:         /* Enable logging to console */
1866         case 8:         /* Set level of messages printed to console */
1867                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1868                 break;
1869         case 0:         /* Close log */
1870         case 1:         /* Open log */
1871         case 2:         /* Read from log */
1872         case 4:         /* Read/clear last kernel messages */
1873         case 5:         /* Clear ring buffer */
1874         default:
1875                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1876                 break;
1877         }
1878         return rc;
1879 }
1880
1881 /*
1882  * Check that a process has enough memory to allocate a new virtual
1883  * mapping. 0 means there is enough memory for the allocation to
1884  * succeed and -ENOMEM implies there is not.
1885  *
1886  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1887  * if the capability is granted, but __vm_enough_memory requires 1 if
1888  * the capability is granted.
1889  *
1890  * Do not audit the selinux permission check, as this is applied to all
1891  * processes that allocate mappings.
1892  */
1893 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1894 {
1895         int rc, cap_sys_admin = 0;
1896         struct task_security_struct *tsec = current->security;
1897
1898         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1899         if (rc == 0)
1900                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1901                                           SECCLASS_CAPABILITY,
1902                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1903                                           0,
1904                                           NULL);
1905
1906         if (rc == 0)
1907                 cap_sys_admin = 1;
1908
1909         return __vm_enough_memory(mm, pages, cap_sys_admin);
1910 }
1911
1912 /**
1913  * task_tracer_task - return the task that is tracing the given task
1914  * @task:               task to consider
1915  *
1916  * Returns NULL if noone is tracing @task, or the &struct task_struct
1917  * pointer to its tracer.
1918  *
1919  * Must be called under rcu_read_lock().
1920  */
1921 static struct task_struct *task_tracer_task(struct task_struct *task)
1922 {
1923         if (task->ptrace & PT_PTRACED)
1924                 return rcu_dereference(task->parent);
1925         return NULL;
1926 }
1927
1928 /* binprm security operations */
1929
1930 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1931 {
1932         struct bprm_security_struct *bsec;
1933
1934         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1935         if (!bsec)
1936                 return -ENOMEM;
1937
1938         bsec->sid = SECINITSID_UNLABELED;
1939         bsec->set = 0;
1940
1941         bprm->security = bsec;
1942         return 0;
1943 }
1944
1945 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1946 {
1947         struct task_security_struct *tsec;
1948         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1949         struct inode_security_struct *isec;
1950         struct bprm_security_struct *bsec;
1951         u32 newsid;
1952         struct avc_audit_data ad;
1953         int rc;
1954
1955         rc = secondary_ops->bprm_set_security(bprm);
1956         if (rc)
1957                 return rc;
1958
1959         bsec = bprm->security;
1960
1961         if (bsec->set)
1962                 return 0;
1963
1964         tsec = current->security;
1965         isec = inode->i_security;
1966
1967         /* Default to the current task SID. */
1968         bsec->sid = tsec->sid;
1969
1970         /* Reset fs, key, and sock SIDs on execve. */
1971         tsec->create_sid = 0;
1972         tsec->keycreate_sid = 0;
1973         tsec->sockcreate_sid = 0;
1974
1975         if (tsec->exec_sid) {
1976                 newsid = tsec->exec_sid;
1977                 /* Reset exec SID on execve. */
1978                 tsec->exec_sid = 0;
1979         } else {
1980                 /* Check for a default transition on this program. */
1981                 rc = security_transition_sid(tsec->sid, isec->sid,
1982                                              SECCLASS_PROCESS, &newsid);
1983                 if (rc)
1984                         return rc;
1985         }
1986
1987         AVC_AUDIT_DATA_INIT(&ad, FS);
1988         ad.u.fs.path = bprm->file->f_path;
1989
1990         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1991                 newsid = tsec->sid;
1992
1993         if (tsec->sid == newsid) {
1994                 rc = avc_has_perm(tsec->sid, isec->sid,
1995                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1996                 if (rc)
1997                         return rc;
1998         } else {
1999                 /* Check permissions for the transition. */
2000                 rc = avc_has_perm(tsec->sid, newsid,
2001                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2002                 if (rc)
2003                         return rc;
2004
2005                 rc = avc_has_perm(newsid, isec->sid,
2006                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2007                 if (rc)
2008                         return rc;
2009
2010                 /* Clear any possibly unsafe personality bits on exec: */
2011                 current->personality &= ~PER_CLEAR_ON_SETID;
2012
2013                 /* Set the security field to the new SID. */
2014                 bsec->sid = newsid;
2015         }
2016
2017         bsec->set = 1;
2018         return 0;
2019 }
2020
2021 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2022 {
2023         return secondary_ops->bprm_check_security(bprm);
2024 }
2025
2026
2027 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2028 {
2029         struct task_security_struct *tsec = current->security;
2030         int atsecure = 0;
2031
2032         if (tsec->osid != tsec->sid) {
2033                 /* Enable secure mode for SIDs transitions unless
2034                    the noatsecure permission is granted between
2035                    the two SIDs, i.e. ahp returns 0. */
2036                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2037                                          SECCLASS_PROCESS,
2038                                          PROCESS__NOATSECURE, NULL);
2039         }
2040
2041         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2042 }
2043
2044 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2045 {
2046         kfree(bprm->security);
2047         bprm->security = NULL;
2048 }
2049
2050 extern struct vfsmount *selinuxfs_mount;
2051 extern struct dentry *selinux_null;
2052
2053 /* Derived from fs/exec.c:flush_old_files. */
2054 static inline void flush_unauthorized_files(struct files_struct *files)
2055 {
2056         struct avc_audit_data ad;
2057         struct file *file, *devnull = NULL;
2058         struct tty_struct *tty;
2059         struct fdtable *fdt;
2060         long j = -1;
2061         int drop_tty = 0;
2062
2063         mutex_lock(&tty_mutex);
2064         tty = get_current_tty();
2065         if (tty) {
2066                 file_list_lock();
2067                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2068                 if (file) {
2069                         /* Revalidate access to controlling tty.
2070                            Use inode_has_perm on the tty inode directly rather
2071                            than using file_has_perm, as this particular open
2072                            file may belong to another process and we are only
2073                            interested in the inode-based check here. */
2074                         struct inode *inode = file->f_path.dentry->d_inode;
2075                         if (inode_has_perm(current, inode,
2076                                            FILE__READ | FILE__WRITE, NULL)) {
2077                                 drop_tty = 1;
2078                         }
2079                 }
2080                 file_list_unlock();
2081         }
2082         mutex_unlock(&tty_mutex);
2083         /* Reset controlling tty. */
2084         if (drop_tty)
2085                 no_tty();
2086
2087         /* Revalidate access to inherited open files. */
2088
2089         AVC_AUDIT_DATA_INIT(&ad, FS);
2090
2091         spin_lock(&files->file_lock);
2092         for (;;) {
2093                 unsigned long set, i;
2094                 int fd;
2095
2096                 j++;
2097                 i = j * __NFDBITS;
2098                 fdt = files_fdtable(files);
2099                 if (i >= fdt->max_fds)
2100                         break;
2101                 set = fdt->open_fds->fds_bits[j];
2102                 if (!set)
2103                         continue;
2104                 spin_unlock(&files->file_lock);
2105                 for ( ; set ; i++, set >>= 1) {
2106                         if (set & 1) {
2107                                 file = fget(i);
2108                                 if (!file)
2109                                         continue;
2110                                 if (file_has_perm(current,
2111                                                   file,
2112                                                   file_to_av(file))) {
2113                                         sys_close(i);
2114                                         fd = get_unused_fd();
2115                                         if (fd != i) {
2116                                                 if (fd >= 0)
2117                                                         put_unused_fd(fd);
2118                                                 fput(file);
2119                                                 continue;
2120                                         }
2121                                         if (devnull) {
2122                                                 get_file(devnull);
2123                                         } else {
2124                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2125                                                 if (IS_ERR(devnull)) {
2126                                                         devnull = NULL;
2127                                                         put_unused_fd(fd);
2128                                                         fput(file);
2129                                                         continue;
2130                                                 }
2131                                         }
2132                                         fd_install(fd, devnull);
2133                                 }
2134                                 fput(file);
2135                         }
2136                 }
2137                 spin_lock(&files->file_lock);
2138
2139         }
2140         spin_unlock(&files->file_lock);
2141 }
2142
2143 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2144 {
2145         struct task_security_struct *tsec;
2146         struct bprm_security_struct *bsec;
2147         u32 sid;
2148         int rc;
2149
2150         secondary_ops->bprm_apply_creds(bprm, unsafe);
2151
2152         tsec = current->security;
2153
2154         bsec = bprm->security;
2155         sid = bsec->sid;
2156
2157         tsec->osid = tsec->sid;
2158         bsec->unsafe = 0;
2159         if (tsec->sid != sid) {
2160                 /* Check for shared state.  If not ok, leave SID
2161                    unchanged and kill. */
2162                 if (unsafe & LSM_UNSAFE_SHARE) {
2163                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2164                                         PROCESS__SHARE, NULL);
2165                         if (rc) {
2166                                 bsec->unsafe = 1;
2167                                 return;
2168                         }
2169                 }
2170
2171                 /* Check for ptracing, and update the task SID if ok.
2172                    Otherwise, leave SID unchanged and kill. */
2173                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2174                         struct task_struct *tracer;
2175                         struct task_security_struct *sec;
2176                         u32 ptsid = 0;
2177
2178                         rcu_read_lock();
2179                         tracer = task_tracer_task(current);
2180                         if (likely(tracer != NULL)) {
2181                                 sec = tracer->security;
2182                                 ptsid = sec->sid;
2183                         }
2184                         rcu_read_unlock();
2185
2186                         if (ptsid != 0) {
2187                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2188                                                   PROCESS__PTRACE, NULL);
2189                                 if (rc) {
2190                                         bsec->unsafe = 1;
2191                                         return;
2192                                 }
2193                         }
2194                 }
2195                 tsec->sid = sid;
2196         }
2197 }
2198
2199 /*
2200  * called after apply_creds without the task lock held
2201  */
2202 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2203 {
2204         struct task_security_struct *tsec;
2205         struct rlimit *rlim, *initrlim;
2206         struct itimerval itimer;
2207         struct bprm_security_struct *bsec;
2208         int rc, i;
2209
2210         tsec = current->security;
2211         bsec = bprm->security;
2212
2213         if (bsec->unsafe) {
2214                 force_sig_specific(SIGKILL, current);
2215                 return;
2216         }
2217         if (tsec->osid == tsec->sid)
2218                 return;
2219
2220         /* Close files for which the new task SID is not authorized. */
2221         flush_unauthorized_files(current->files);
2222
2223         /* Check whether the new SID can inherit signal state
2224            from the old SID.  If not, clear itimers to avoid
2225            subsequent signal generation and flush and unblock
2226            signals. This must occur _after_ the task SID has
2227           been updated so that any kill done after the flush
2228           will be checked against the new SID. */
2229         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2230                           PROCESS__SIGINH, NULL);
2231         if (rc) {
2232                 memset(&itimer, 0, sizeof itimer);
2233                 for (i = 0; i < 3; i++)
2234                         do_setitimer(i, &itimer, NULL);
2235                 flush_signals(current);
2236                 spin_lock_irq(&current->sighand->siglock);
2237                 flush_signal_handlers(current, 1);
2238                 sigemptyset(&current->blocked);
2239                 recalc_sigpending();
2240                 spin_unlock_irq(&current->sighand->siglock);
2241         }
2242
2243         /* Always clear parent death signal on SID transitions. */
2244         current->pdeath_signal = 0;
2245
2246         /* Check whether the new SID can inherit resource limits
2247            from the old SID.  If not, reset all soft limits to
2248            the lower of the current task's hard limit and the init
2249            task's soft limit.  Note that the setting of hard limits
2250            (even to lower them) can be controlled by the setrlimit
2251            check. The inclusion of the init task's soft limit into
2252            the computation is to avoid resetting soft limits higher
2253            than the default soft limit for cases where the default
2254            is lower than the hard limit, e.g. RLIMIT_CORE or
2255            RLIMIT_STACK.*/
2256         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2257                           PROCESS__RLIMITINH, NULL);
2258         if (rc) {
2259                 for (i = 0; i < RLIM_NLIMITS; i++) {
2260                         rlim = current->signal->rlim + i;
2261                         initrlim = init_task.signal->rlim+i;
2262                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2263                 }
2264                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2265                         /*
2266                          * This will cause RLIMIT_CPU calculations
2267                          * to be refigured.
2268                          */
2269                         current->it_prof_expires = jiffies_to_cputime(1);
2270                 }
2271         }
2272
2273         /* Wake up the parent if it is waiting so that it can
2274            recheck wait permission to the new task SID. */
2275         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2276 }
2277
2278 /* superblock security operations */
2279
2280 static int selinux_sb_alloc_security(struct super_block *sb)
2281 {
2282         return superblock_alloc_security(sb);
2283 }
2284
2285 static void selinux_sb_free_security(struct super_block *sb)
2286 {
2287         superblock_free_security(sb);
2288 }
2289
2290 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2291 {
2292         if (plen > olen)
2293                 return 0;
2294
2295         return !memcmp(prefix, option, plen);
2296 }
2297
2298 static inline int selinux_option(char *option, int len)
2299 {
2300         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2301                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2302                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2303                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2304 }
2305
2306 static inline void take_option(char **to, char *from, int *first, int len)
2307 {
2308         if (!*first) {
2309                 **to = ',';
2310                 *to += 1;
2311         } else
2312                 *first = 0;
2313         memcpy(*to, from, len);
2314         *to += len;
2315 }
2316
2317 static inline void take_selinux_option(char **to, char *from, int *first,
2318                                        int len)
2319 {
2320         int current_size = 0;
2321
2322         if (!*first) {
2323                 **to = '|';
2324                 *to += 1;
2325         } else
2326                 *first = 0;
2327
2328         while (current_size < len) {
2329                 if (*from != '"') {
2330                         **to = *from;
2331                         *to += 1;
2332                 }
2333                 from += 1;
2334                 current_size += 1;
2335         }
2336 }
2337
2338 static int selinux_sb_copy_data(char *orig, char *copy)
2339 {
2340         int fnosec, fsec, rc = 0;
2341         char *in_save, *in_curr, *in_end;
2342         char *sec_curr, *nosec_save, *nosec;
2343         int open_quote = 0;
2344
2345         in_curr = orig;
2346         sec_curr = copy;
2347
2348         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2349         if (!nosec) {
2350                 rc = -ENOMEM;
2351                 goto out;
2352         }
2353
2354         nosec_save = nosec;
2355         fnosec = fsec = 1;
2356         in_save = in_end = orig;
2357
2358         do {
2359                 if (*in_end == '"')
2360                         open_quote = !open_quote;
2361                 if ((*in_end == ',' && open_quote == 0) ||
2362                                 *in_end == '\0') {
2363                         int len = in_end - in_curr;
2364
2365                         if (selinux_option(in_curr, len))
2366                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2367                         else
2368                                 take_option(&nosec, in_curr, &fnosec, len);
2369
2370                         in_curr = in_end + 1;
2371                 }
2372         } while (*in_end++);
2373
2374         strcpy(in_save, nosec_save);
2375         free_page((unsigned long)nosec_save);
2376 out:
2377         return rc;
2378 }
2379
2380 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2381 {
2382         struct avc_audit_data ad;
2383         int rc;
2384
2385         rc = superblock_doinit(sb, data);
2386         if (rc)
2387                 return rc;
2388
2389         AVC_AUDIT_DATA_INIT(&ad, FS);
2390         ad.u.fs.path.dentry = sb->s_root;
2391         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2392 }
2393
2394 static int selinux_sb_statfs(struct dentry *dentry)
2395 {
2396         struct avc_audit_data ad;
2397
2398         AVC_AUDIT_DATA_INIT(&ad, FS);
2399         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2400         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2401 }
2402
2403 static int selinux_mount(char *dev_name,
2404                          struct path *path,
2405                          char *type,
2406                          unsigned long flags,
2407                          void *data)
2408 {
2409         int rc;
2410
2411         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2412         if (rc)
2413                 return rc;
2414
2415         if (flags & MS_REMOUNT)
2416                 return superblock_has_perm(current, path->mnt->mnt_sb,
2417                                            FILESYSTEM__REMOUNT, NULL);
2418         else
2419                 return dentry_has_perm(current, path->mnt, path->dentry,
2420                                        FILE__MOUNTON);
2421 }
2422
2423 static int selinux_umount(struct vfsmount *mnt, int flags)
2424 {
2425         int rc;
2426
2427         rc = secondary_ops->sb_umount(mnt, flags);
2428         if (rc)
2429                 return rc;
2430
2431         return superblock_has_perm(current, mnt->mnt_sb,
2432                                    FILESYSTEM__UNMOUNT, NULL);
2433 }
2434
2435 /* inode security operations */
2436
2437 static int selinux_inode_alloc_security(struct inode *inode)
2438 {
2439         return inode_alloc_security(inode);
2440 }
2441
2442 static void selinux_inode_free_security(struct inode *inode)
2443 {
2444         inode_free_security(inode);
2445 }
2446
2447 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2448                                        char **name, void **value,
2449                                        size_t *len)
2450 {
2451         struct task_security_struct *tsec;
2452         struct inode_security_struct *dsec;
2453         struct superblock_security_struct *sbsec;
2454         u32 newsid, clen;
2455         int rc;
2456         char *namep = NULL, *context;
2457
2458         tsec = current->security;
2459         dsec = dir->i_security;
2460         sbsec = dir->i_sb->s_security;
2461
2462         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2463                 newsid = tsec->create_sid;
2464         } else {
2465                 rc = security_transition_sid(tsec->sid, dsec->sid,
2466                                              inode_mode_to_security_class(inode->i_mode),
2467                                              &newsid);
2468                 if (rc) {
2469                         printk(KERN_WARNING "%s:  "
2470                                "security_transition_sid failed, rc=%d (dev=%s "
2471                                "ino=%ld)\n",
2472                                __func__,
2473                                -rc, inode->i_sb->s_id, inode->i_ino);
2474                         return rc;
2475                 }
2476         }
2477
2478         /* Possibly defer initialization to selinux_complete_init. */
2479         if (sbsec->initialized) {
2480                 struct inode_security_struct *isec = inode->i_security;
2481                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2482                 isec->sid = newsid;
2483                 isec->initialized = 1;
2484         }
2485
2486         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2487                 return -EOPNOTSUPP;
2488
2489         if (name) {
2490                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2491                 if (!namep)
2492                         return -ENOMEM;
2493                 *name = namep;
2494         }
2495
2496         if (value && len) {
2497                 rc = security_sid_to_context(newsid, &context, &clen);
2498                 if (rc) {
2499                         kfree(namep);
2500                         return rc;
2501                 }
2502                 *value = context;
2503                 *len = clen;
2504         }
2505
2506         return 0;
2507 }
2508
2509 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2510 {
2511         return may_create(dir, dentry, SECCLASS_FILE);
2512 }
2513
2514 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2515 {
2516         int rc;
2517
2518         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2519         if (rc)
2520                 return rc;
2521         return may_link(dir, old_dentry, MAY_LINK);
2522 }
2523
2524 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2525 {
2526         int rc;
2527
2528         rc = secondary_ops->inode_unlink(dir, dentry);
2529         if (rc)
2530                 return rc;
2531         return may_link(dir, dentry, MAY_UNLINK);
2532 }
2533
2534 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2535 {
2536         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2537 }
2538
2539 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2540 {
2541         return may_create(dir, dentry, SECCLASS_DIR);
2542 }
2543
2544 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2545 {
2546         return may_link(dir, dentry, MAY_RMDIR);
2547 }
2548
2549 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2550 {
2551         int rc;
2552
2553         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2554         if (rc)
2555                 return rc;
2556
2557         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2558 }
2559
2560 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2561                                 struct inode *new_inode, struct dentry *new_dentry)
2562 {
2563         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2564 }
2565
2566 static int selinux_inode_readlink(struct dentry *dentry)
2567 {
2568         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2569 }
2570
2571 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2572 {
2573         int rc;
2574
2575         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2576         if (rc)
2577                 return rc;
2578         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2579 }
2580
2581 static int selinux_inode_permission(struct inode *inode, int mask,
2582                                     struct nameidata *nd)
2583 {
2584         int rc;
2585
2586         rc = secondary_ops->inode_permission(inode, mask, nd);
2587         if (rc)
2588                 return rc;
2589
2590         if (!mask) {
2591                 /* No permission to check.  Existence test. */
2592                 return 0;
2593         }
2594
2595         return inode_has_perm(current, inode,
2596                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2597 }
2598
2599 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2600 {
2601         int rc;
2602
2603         rc = secondary_ops->inode_setattr(dentry, iattr);
2604         if (rc)
2605                 return rc;
2606
2607         if (iattr->ia_valid & ATTR_FORCE)
2608                 return 0;
2609
2610         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2611                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2612                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2613
2614         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2615 }
2616
2617 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2618 {
2619         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2620 }
2621
2622 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2623 {
2624         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2625                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2626                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2627                         if (!capable(CAP_SETFCAP))
2628                                 return -EPERM;
2629                 } else if (!capable(CAP_SYS_ADMIN)) {
2630                         /* A different attribute in the security namespace.
2631                            Restrict to administrator. */
2632                         return -EPERM;
2633                 }
2634         }
2635
2636         /* Not an attribute we recognize, so just check the
2637            ordinary setattr permission. */
2638         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2639 }
2640
2641 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2642 {
2643         struct task_security_struct *tsec = current->security;
2644         struct inode *inode = dentry->d_inode;
2645         struct inode_security_struct *isec = inode->i_security;
2646         struct superblock_security_struct *sbsec;
2647         struct avc_audit_data ad;
2648         u32 newsid;
2649         int rc = 0;
2650
2651         if (strcmp(name, XATTR_NAME_SELINUX))
2652                 return selinux_inode_setotherxattr(dentry, name);
2653
2654         sbsec = inode->i_sb->s_security;
2655         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2656                 return -EOPNOTSUPP;
2657
2658         if (!is_owner_or_cap(inode))
2659                 return -EPERM;
2660
2661         AVC_AUDIT_DATA_INIT(&ad, FS);
2662         ad.u.fs.path.dentry = dentry;
2663
2664         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2665                           FILE__RELABELFROM, &ad);
2666         if (rc)
2667                 return rc;
2668
2669         rc = security_context_to_sid(value, size, &newsid);
2670         if (rc)
2671                 return rc;
2672
2673         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2674                           FILE__RELABELTO, &ad);
2675         if (rc)
2676                 return rc;
2677
2678         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2679                                           isec->sclass);
2680         if (rc)
2681                 return rc;
2682
2683         return avc_has_perm(newsid,
2684                             sbsec->sid,
2685                             SECCLASS_FILESYSTEM,
2686                             FILESYSTEM__ASSOCIATE,
2687                             &ad);
2688 }
2689
2690 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2691                                         void *value, size_t size, int flags)
2692 {
2693         struct inode *inode = dentry->d_inode;
2694         struct inode_security_struct *isec = inode->i_security;
2695         u32 newsid;
2696         int rc;
2697
2698         if (strcmp(name, XATTR_NAME_SELINUX)) {
2699                 /* Not an attribute we recognize, so nothing to do. */
2700                 return;
2701         }
2702
2703         rc = security_context_to_sid(value, size, &newsid);
2704         if (rc) {
2705                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2706                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2707                 return;
2708         }
2709
2710         isec->sid = newsid;
2711         return;
2712 }
2713
2714 static int selinux_inode_getxattr(struct dentry *dentry, char *name)
2715 {
2716         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2717 }
2718
2719 static int selinux_inode_listxattr(struct dentry *dentry)
2720 {
2721         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2722 }
2723
2724 static int selinux_inode_removexattr(struct dentry *dentry, char *name)
2725 {
2726         if (strcmp(name, XATTR_NAME_SELINUX))
2727                 return selinux_inode_setotherxattr(dentry, name);
2728
2729         /* No one is allowed to remove a SELinux security label.
2730            You can change the label, but all data must be labeled. */
2731         return -EACCES;
2732 }
2733
2734 /*
2735  * Copy the in-core inode security context value to the user.  If the
2736  * getxattr() prior to this succeeded, check to see if we need to
2737  * canonicalize the value to be finally returned to the user.
2738  *
2739  * Permission check is handled by selinux_inode_getxattr hook.
2740  */
2741 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2742 {
2743         u32 size;
2744         int error;
2745         char *context = NULL;
2746         struct inode_security_struct *isec = inode->i_security;
2747
2748         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2749                 return -EOPNOTSUPP;
2750
2751         error = security_sid_to_context(isec->sid, &context, &size);
2752         if (error)
2753                 return error;
2754         error = size;
2755         if (alloc) {
2756                 *buffer = context;
2757                 goto out_nofree;
2758         }
2759         kfree(context);
2760 out_nofree:
2761         return error;
2762 }
2763
2764 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2765                                      const void *value, size_t size, int flags)
2766 {
2767         struct inode_security_struct *isec = inode->i_security;
2768         u32 newsid;
2769         int rc;
2770
2771         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2772                 return -EOPNOTSUPP;
2773
2774         if (!value || !size)
2775                 return -EACCES;
2776
2777         rc = security_context_to_sid((void *)value, size, &newsid);
2778         if (rc)
2779                 return rc;
2780
2781         isec->sid = newsid;
2782         return 0;
2783 }
2784
2785 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2786 {
2787         const int len = sizeof(XATTR_NAME_SELINUX);
2788         if (buffer && len <= buffer_size)
2789                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2790         return len;
2791 }
2792
2793 static int selinux_inode_need_killpriv(struct dentry *dentry)
2794 {
2795         return secondary_ops->inode_need_killpriv(dentry);
2796 }
2797
2798 static int selinux_inode_killpriv(struct dentry *dentry)
2799 {
2800         return secondary_ops->inode_killpriv(dentry);
2801 }
2802
2803 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2804 {
2805         struct inode_security_struct *isec = inode->i_security;
2806         *secid = isec->sid;
2807 }
2808
2809 /* file security operations */
2810
2811 static int selinux_revalidate_file_permission(struct file *file, int mask)
2812 {
2813         int rc;
2814         struct inode *inode = file->f_path.dentry->d_inode;
2815
2816         if (!mask) {
2817                 /* No permission to check.  Existence test. */
2818                 return 0;
2819         }
2820
2821         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2822         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2823                 mask |= MAY_APPEND;
2824
2825         rc = file_has_perm(current, file,
2826                            file_mask_to_av(inode->i_mode, mask));
2827         if (rc)
2828                 return rc;
2829
2830         return selinux_netlbl_inode_permission(inode, mask);
2831 }
2832
2833 static int selinux_file_permission(struct file *file, int mask)
2834 {
2835         struct inode *inode = file->f_path.dentry->d_inode;
2836         struct task_security_struct *tsec = current->security;
2837         struct file_security_struct *fsec = file->f_security;
2838         struct inode_security_struct *isec = inode->i_security;
2839
2840         if (!mask) {
2841                 /* No permission to check.  Existence test. */
2842                 return 0;
2843         }
2844
2845         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2846             && fsec->pseqno == avc_policy_seqno())
2847                 return selinux_netlbl_inode_permission(inode, mask);
2848
2849         return selinux_revalidate_file_permission(file, mask);
2850 }
2851
2852 static int selinux_file_alloc_security(struct file *file)
2853 {
2854         return file_alloc_security(file);
2855 }
2856
2857 static void selinux_file_free_security(struct file *file)
2858 {
2859         file_free_security(file);
2860 }
2861
2862 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2863                               unsigned long arg)
2864 {
2865         int error = 0;
2866
2867         switch (cmd) {
2868         case FIONREAD:
2869         /* fall through */
2870         case FIBMAP:
2871         /* fall through */
2872         case FIGETBSZ:
2873         /* fall through */
2874         case EXT2_IOC_GETFLAGS:
2875         /* fall through */
2876         case EXT2_IOC_GETVERSION:
2877                 error = file_has_perm(current, file, FILE__GETATTR);
2878                 break;
2879
2880         case EXT2_IOC_SETFLAGS:
2881         /* fall through */
2882         case EXT2_IOC_SETVERSION:
2883                 error = file_has_perm(current, file, FILE__SETATTR);
2884                 break;
2885
2886         /* sys_ioctl() checks */
2887         case FIONBIO:
2888         /* fall through */
2889         case FIOASYNC:
2890                 error = file_has_perm(current, file, 0);
2891                 break;
2892
2893         case KDSKBENT:
2894         case KDSKBSENT:
2895                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2896                 break;
2897
2898         /* default case assumes that the command will go
2899          * to the file's ioctl() function.
2900          */
2901         default:
2902                 error = file_has_perm(current, file, FILE__IOCTL);
2903         }
2904         return error;
2905 }
2906
2907 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2908 {
2909 #ifndef CONFIG_PPC32
2910         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2911                 /*
2912                  * We are making executable an anonymous mapping or a
2913                  * private file mapping that will also be writable.
2914                  * This has an additional check.
2915                  */
2916                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2917                 if (rc)
2918                         return rc;
2919         }
2920 #endif
2921
2922         if (file) {
2923                 /* read access is always possible with a mapping */
2924                 u32 av = FILE__READ;
2925
2926                 /* write access only matters if the mapping is shared */
2927                 if (shared && (prot & PROT_WRITE))
2928                         av |= FILE__WRITE;
2929
2930                 if (prot & PROT_EXEC)
2931                         av |= FILE__EXECUTE;
2932
2933                 return file_has_perm(current, file, av);
2934         }
2935         return 0;
2936 }
2937
2938 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2939                              unsigned long prot, unsigned long flags,
2940                              unsigned long addr, unsigned long addr_only)
2941 {
2942         int rc = 0;
2943         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2944
2945         if (addr < mmap_min_addr)
2946                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2947                                   MEMPROTECT__MMAP_ZERO, NULL);
2948         if (rc || addr_only)
2949                 return rc;
2950
2951         if (selinux_checkreqprot)
2952                 prot = reqprot;
2953
2954         return file_map_prot_check(file, prot,
2955                                    (flags & MAP_TYPE) == MAP_SHARED);
2956 }
2957
2958 static int selinux_file_mprotect(struct vm_area_struct *vma,
2959                                  unsigned long reqprot,
2960                                  unsigned long prot)
2961 {
2962         int rc;
2963
2964         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2965         if (rc)
2966                 return rc;
2967
2968         if (selinux_checkreqprot)
2969                 prot = reqprot;
2970
2971 #ifndef CONFIG_PPC32
2972         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2973                 rc = 0;
2974                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2975                     vma->vm_end <= vma->vm_mm->brk) {
2976                         rc = task_has_perm(current, current,
2977                                            PROCESS__EXECHEAP);
2978                 } else if (!vma->vm_file &&
2979                            vma->vm_start <= vma->vm_mm->start_stack &&
2980                            vma->vm_end >= vma->vm_mm->start_stack) {
2981                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2982                 } else if (vma->vm_file && vma->anon_vma) {
2983                         /*
2984                          * We are making executable a file mapping that has
2985                          * had some COW done. Since pages might have been
2986                          * written, check ability to execute the possibly
2987                          * modified content.  This typically should only
2988                          * occur for text relocations.
2989                          */
2990                         rc = file_has_perm(current, vma->vm_file,
2991                                            FILE__EXECMOD);
2992                 }
2993                 if (rc)
2994                         return rc;
2995         }
2996 #endif
2997
2998         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2999 }
3000
3001 static int selinux_file_lock(struct file *file, unsigned int cmd)
3002 {
3003         return file_has_perm(current, file, FILE__LOCK);
3004 }
3005
3006 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3007                               unsigned long arg)
3008 {
3009         int err = 0;
3010
3011         switch (cmd) {
3012         case F_SETFL:
3013                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3014                         err = -EINVAL;
3015                         break;
3016                 }
3017
3018                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3019                         err = file_has_perm(current, file, FILE__WRITE);
3020                         break;
3021                 }
3022                 /* fall through */
3023         case F_SETOWN:
3024         case F_SETSIG:
3025         case F_GETFL:
3026         case F_GETOWN:
3027         case F_GETSIG:
3028                 /* Just check FD__USE permission */
3029                 err = file_has_perm(current, file, 0);
3030                 break;
3031         case F_GETLK:
3032         case F_SETLK:
3033         case F_SETLKW:
3034 #if BITS_PER_LONG == 32
3035         case F_GETLK64:
3036         case F_SETLK64:
3037         case F_SETLKW64:
3038 #endif
3039                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3040                         err = -EINVAL;
3041                         break;
3042                 }
3043                 err = file_has_perm(current, file, FILE__LOCK);
3044                 break;
3045         }
3046
3047         return err;
3048 }
3049
3050 static int selinux_file_set_fowner(struct file *file)
3051 {
3052         struct task_security_struct *tsec;
3053         struct file_security_struct *fsec;
3054
3055         tsec = current->security;
3056         fsec = file->f_security;
3057         fsec->fown_sid = tsec->sid;
3058
3059         return 0;
3060 }
3061
3062 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3063                                        struct fown_struct *fown, int signum)
3064 {
3065         struct file *file;
3066         u32 perm;
3067         struct task_security_struct *tsec;
3068         struct file_security_struct *fsec;
3069
3070         /* struct fown_struct is never outside the context of a struct file */
3071         file = container_of(fown, struct file, f_owner);
3072
3073         tsec = tsk->security;
3074         fsec = file->f_security;
3075
3076         if (!signum)
3077                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3078         else
3079                 perm = signal_to_av(signum);
3080
3081         return avc_has_perm(fsec->fown_sid, tsec->sid,
3082                             SECCLASS_PROCESS, perm, NULL);
3083 }
3084
3085 static int selinux_file_receive(struct file *file)
3086 {
3087         return file_has_perm(current, file, file_to_av(file));
3088 }
3089
3090 static int selinux_dentry_open(struct file *file)
3091 {
3092         struct file_security_struct *fsec;
3093         struct inode *inode;
3094         struct inode_security_struct *isec;
3095         inode = file->f_path.dentry->d_inode;
3096         fsec = file->f_security;
3097         isec = inode->i_security;
3098         /*
3099          * Save inode label and policy sequence number
3100          * at open-time so that selinux_file_permission
3101          * can determine whether revalidation is necessary.
3102          * Task label is already saved in the file security
3103          * struct as its SID.
3104          */
3105         fsec->isid = isec->sid;
3106         fsec->pseqno = avc_policy_seqno();
3107         /*
3108          * Since the inode label or policy seqno may have changed
3109          * between the selinux_inode_permission check and the saving
3110          * of state above, recheck that access is still permitted.
3111          * Otherwise, access might never be revalidated against the
3112          * new inode label or new policy.
3113          * This check is not redundant - do not remove.
3114          */
3115         return inode_has_perm(current, inode, file_to_av(file), NULL);
3116 }
3117
3118 /* task security operations */
3119
3120 static int selinux_task_create(unsigned long clone_flags)
3121 {
3122         int rc;
3123
3124         rc = secondary_ops->task_create(clone_flags);
3125         if (rc)
3126                 return rc;
3127
3128         return task_has_perm(current, current, PROCESS__FORK);
3129 }
3130
3131 static int selinux_task_alloc_security(struct task_struct *tsk)
3132 {
3133         struct task_security_struct *tsec1, *tsec2;
3134         int rc;
3135
3136         tsec1 = current->security;
3137
3138         rc = task_alloc_security(tsk);
3139         if (rc)
3140                 return rc;
3141         tsec2 = tsk->security;
3142
3143         tsec2->osid = tsec1->osid;
3144         tsec2->sid = tsec1->sid;
3145
3146         /* Retain the exec, fs, key, and sock SIDs across fork */
3147         tsec2->exec_sid = tsec1->exec_sid;
3148         tsec2->create_sid = tsec1->create_sid;
3149         tsec2->keycreate_sid = tsec1->keycreate_sid;
3150         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3151
3152         return 0;
3153 }
3154
3155 static void selinux_task_free_security(struct task_struct *tsk)
3156 {
3157         task_free_security(tsk);
3158 }
3159
3160 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3161 {
3162         /* Since setuid only affects the current process, and
3163            since the SELinux controls are not based on the Linux
3164            identity attributes, SELinux does not need to control
3165            this operation.  However, SELinux does control the use
3166            of the CAP_SETUID and CAP_SETGID capabilities using the
3167            capable hook. */
3168         return 0;
3169 }
3170
3171 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3172 {
3173         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3174 }
3175
3176 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3177 {
3178         /* See the comment for setuid above. */
3179         return 0;
3180 }
3181
3182 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3183 {
3184         return task_has_perm(current, p, PROCESS__SETPGID);
3185 }
3186
3187 static int selinux_task_getpgid(struct task_struct *p)
3188 {
3189         return task_has_perm(current, p, PROCESS__GETPGID);
3190 }
3191
3192 static int selinux_task_getsid(struct task_struct *p)
3193 {
3194         return task_has_perm(current, p, PROCESS__GETSESSION);
3195 }
3196
3197 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3198 {
3199         struct task_security_struct *tsec = p->security;
3200         *secid = tsec->sid;
3201 }
3202
3203 static int selinux_task_setgroups(struct group_info *group_info)
3204 {
3205         /* See the comment for setuid above. */
3206         return 0;
3207 }
3208
3209 static int selinux_task_setnice(struct task_struct *p, int nice)
3210 {
3211         int rc;
3212
3213         rc = secondary_ops->task_setnice(p, nice);
3214         if (rc)
3215                 return rc;
3216
3217         return task_has_perm(current, p, PROCESS__SETSCHED);
3218 }
3219
3220 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3221 {
3222         int rc;
3223
3224         rc = secondary_ops->task_setioprio(p, ioprio);
3225         if (rc)
3226                 return rc;
3227
3228         return task_has_perm(current, p, PROCESS__SETSCHED);
3229 }
3230
3231 static int selinux_task_getioprio(struct task_struct *p)
3232 {
3233         return task_has_perm(current, p, PROCESS__GETSCHED);
3234 }
3235
3236 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3237 {
3238         struct rlimit *old_rlim = current->signal->rlim + resource;
3239         int rc;
3240
3241         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3242         if (rc)
3243                 return rc;
3244
3245         /* Control the ability to change the hard limit (whether
3246            lowering or raising it), so that the hard limit can
3247            later be used as a safe reset point for the soft limit
3248            upon context transitions. See selinux_bprm_apply_creds. */
3249         if (old_rlim->rlim_max != new_rlim->rlim_max)
3250                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3251
3252         return 0;
3253 }
3254
3255 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3256 {
3257         int rc;
3258
3259         rc = secondary_ops->task_setscheduler(p, policy, lp);
3260         if (rc)
3261                 return rc;
3262
3263         return task_has_perm(current, p, PROCESS__SETSCHED);
3264 }
3265
3266 static int selinux_task_getscheduler(struct task_struct *p)
3267 {
3268         return task_has_perm(current, p, PROCESS__GETSCHED);
3269 }
3270
3271 static int selinux_task_movememory(struct task_struct *p)
3272 {
3273         return task_has_perm(current, p, PROCESS__SETSCHED);
3274 }
3275
3276 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3277                                 int sig, u32 secid)
3278 {
3279         u32 perm;
3280         int rc;
3281         struct task_security_struct *tsec;
3282
3283         rc = secondary_ops->task_kill(p, info, sig, secid);
3284         if (rc)
3285                 return rc;
3286
3287         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3288                 return 0;
3289
3290         if (!sig)
3291                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3292         else
3293                 perm = signal_to_av(sig);
3294         tsec = p->security;
3295         if (secid)
3296                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3297         else
3298                 rc = task_has_perm(current, p, perm);
3299         return rc;
3300 }
3301
3302 static int selinux_task_prctl(int option,
3303                               unsigned long arg2,
3304                               unsigned long arg3,
3305                               unsigned long arg4,
3306                               unsigned long arg5,
3307                               long *rc_p)
3308 {
3309         /* The current prctl operations do not appear to require
3310            any SELinux controls since they merely observe or modify
3311            the state of the current process. */
3312         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3313 }
3314
3315 static int selinux_task_wait(struct task_struct *p)
3316 {
3317         return task_has_perm(p, current, PROCESS__SIGCHLD);
3318 }
3319
3320 static void selinux_task_reparent_to_init(struct task_struct *p)
3321 {
3322         struct task_security_struct *tsec;
3323
3324         secondary_ops->task_reparent_to_init(p);
3325
3326         tsec = p->security;
3327         tsec->osid = tsec->sid;
3328         tsec->sid = SECINITSID_KERNEL;
3329         return;
3330 }
3331
3332 static void selinux_task_to_inode(struct task_struct *p,
3333                                   struct inode *inode)
3334 {
3335         struct task_security_struct *tsec = p->security;
3336         struct inode_security_struct *isec = inode->i_security;
3337
3338         isec->sid = tsec->sid;
3339         isec->initialized = 1;
3340         return;
3341 }
3342
3343 /* Returns error only if unable to parse addresses */
3344 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3345                         struct avc_audit_data *ad, u8 *proto)
3346 {
3347         int offset, ihlen, ret = -EINVAL;
3348         struct iphdr _iph, *ih;
3349
3350         offset = skb_network_offset(skb);
3351         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3352         if (ih == NULL)
3353                 goto out;
3354
3355         ihlen = ih->ihl * 4;
3356         if (ihlen < sizeof(_iph))
3357                 goto out;
3358
3359         ad->u.net.v4info.saddr = ih->saddr;
3360         ad->u.net.v4info.daddr = ih->daddr;
3361         ret = 0;
3362
3363         if (proto)
3364                 *proto = ih->protocol;
3365
3366         switch (ih->protocol) {
3367         case IPPROTO_TCP: {
3368                 struct tcphdr _tcph, *th;
3369
3370                 if (ntohs(ih->frag_off) & IP_OFFSET)
3371                         break;
3372
3373                 offset += ihlen;
3374                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3375                 if (th == NULL)
3376                         break;
3377
3378                 ad->u.net.sport = th->source;
3379                 ad->u.net.dport = th->dest;
3380                 break;
3381         }
3382
3383         case IPPROTO_UDP: {
3384                 struct udphdr _udph, *uh;
3385
3386                 if (ntohs(ih->frag_off) & IP_OFFSET)
3387                         break;
3388
3389                 offset += ihlen;
3390                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3391                 if (uh == NULL)
3392                         break;
3393
3394                 ad->u.net.sport = uh->source;
3395                 ad->u.net.dport = uh->dest;
3396                 break;
3397         }
3398
3399         case IPPROTO_DCCP: {
3400                 struct dccp_hdr _dccph, *dh;
3401
3402                 if (ntohs(ih->frag_off) & IP_OFFSET)
3403                         break;
3404
3405                 offset += ihlen;
3406                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3407                 if (dh == NULL)
3408                         break;
3409
3410                 ad->u.net.sport = dh->dccph_sport;
3411                 ad->u.net.dport = dh->dccph_dport;
3412                 break;
3413         }
3414
3415         default:
3416                 break;
3417         }
3418 out:
3419         return ret;
3420 }
3421
3422 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3423
3424 /* Returns error only if unable to parse addresses */
3425 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3426                         struct avc_audit_data *ad, u8 *proto)
3427 {
3428         u8 nexthdr;
3429         int ret = -EINVAL, offset;
3430         struct ipv6hdr _ipv6h, *ip6;
3431
3432         offset = skb_network_offset(skb);
3433         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3434         if (ip6 == NULL)
3435                 goto out;
3436
3437         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3438         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3439         ret = 0;
3440
3441         nexthdr = ip6->nexthdr;
3442         offset += sizeof(_ipv6h);
3443         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3444         if (offset < 0)
3445                 goto out;
3446
3447         if (proto)
3448                 *proto = nexthdr;
3449
3450         switch (nexthdr) {
3451         case IPPROTO_TCP: {
3452                 struct tcphdr _tcph, *th;
3453
3454                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3455                 if (th == NULL)
3456                         break;
3457
3458                 ad->u.net.sport = th->source;
3459                 ad->u.net.dport = th->dest;
3460                 break;
3461         }
3462
3463         case IPPROTO_UDP: {
3464                 struct udphdr _udph, *uh;
3465
3466                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3467                 if (uh == NULL)
3468                         break;
3469
3470                 ad->u.net.sport = uh->source;
3471                 ad->u.net.dport = uh->dest;
3472                 break;
3473         }
3474
3475         case IPPROTO_DCCP: {
3476                 struct dccp_hdr _dccph, *dh;
3477
3478                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3479                 if (dh == NULL)
3480                         break;
3481
3482                 ad->u.net.sport = dh->dccph_sport;
3483                 ad->u.net.dport = dh->dccph_dport;
3484                 break;
3485         }
3486
3487         /* includes fragments */
3488         default:
3489                 break;
3490         }
3491 out:
3492         return ret;
3493 }
3494
3495 #endif /* IPV6 */
3496
3497 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3498                              char **addrp, int src, u8 *proto)
3499 {
3500         int ret = 0;
3501
3502         switch (ad->u.net.family) {
3503         case PF_INET:
3504                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3505                 if (ret || !addrp)
3506                         break;
3507                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3508                                         &ad->u.net.v4info.daddr);
3509                 break;
3510
3511 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3512         case PF_INET6:
3513                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3514                 if (ret || !addrp)
3515                         break;
3516                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3517                                         &ad->u.net.v6info.daddr);
3518                 break;
3519 #endif  /* IPV6 */
3520         default:
3521                 break;
3522         }
3523
3524         if (unlikely(ret))
3525                 printk(KERN_WARNING
3526                        "SELinux: failure in selinux_parse_skb(),"
3527                        " unable to parse packet\n");
3528
3529         return ret;
3530 }
3531
3532 /**
3533  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3534  * @skb: the packet
3535  * @family: protocol family
3536  * @sid: the packet's peer label SID
3537  *
3538  * Description:
3539  * Check the various different forms of network peer labeling and determine
3540  * the peer label/SID for the packet; most of the magic actually occurs in
3541  * the security server function security_net_peersid_cmp().  The function
3542  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3543  * or -EACCES if @sid is invalid due to inconsistencies with the different
3544  * peer labels.
3545  *
3546  */
3547 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3548 {
3549         int err;
3550         u32 xfrm_sid;
3551         u32 nlbl_sid;
3552         u32 nlbl_type;
3553
3554         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3555         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3556
3557         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3558         if (unlikely(err)) {
3559                 printk(KERN_WARNING
3560                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3561                        " unable to determine packet's peer label\n");
3562                 return -EACCES;
3563         }
3564
3565         return 0;
3566 }
3567
3568 /* socket security operations */
3569 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3570                            u32 perms)
3571 {
3572         struct inode_security_struct *isec;
3573         struct task_security_struct *tsec;
3574         struct avc_audit_data ad;
3575         int err = 0;
3576
3577         tsec = task->security;
3578         isec = SOCK_INODE(sock)->i_security;
3579
3580         if (isec->sid == SECINITSID_KERNEL)
3581                 goto out;
3582
3583         AVC_AUDIT_DATA_INIT(&ad, NET);
3584         ad.u.net.sk = sock->sk;
3585         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3586
3587 out:
3588         return err;
3589 }
3590
3591 static int selinux_socket_create(int family, int type,
3592                                  int protocol, int kern)
3593 {
3594         int err = 0;
3595         struct task_security_struct *tsec;
3596         u32 newsid;
3597
3598         if (kern)
3599                 goto out;
3600
3601         tsec = current->security;
3602         newsid = tsec->sockcreate_sid ? : tsec->sid;
3603         err = avc_has_perm(tsec->sid, newsid,
3604                            socket_type_to_security_class(family, type,
3605                            protocol), SOCKET__CREATE, NULL);
3606
3607 out:
3608         return err;
3609 }
3610
3611 static int selinux_socket_post_create(struct socket *sock, int family,
3612                                       int type, int protocol, int kern)
3613 {
3614         int err = 0;
3615         struct inode_security_struct *isec;
3616         struct task_security_struct *tsec;
3617         struct sk_security_struct *sksec;
3618         u32 newsid;
3619
3620         isec = SOCK_INODE(sock)->i_security;
3621
3622         tsec = current->security;
3623         newsid = tsec->sockcreate_sid ? : tsec->sid;
3624         isec->sclass = socket_type_to_security_class(family, type, protocol);
3625         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3626         isec->initialized = 1;
3627
3628         if (sock->sk) {
3629                 sksec = sock->sk->sk_security;
3630                 sksec->sid = isec->sid;
3631                 sksec->sclass = isec->sclass;
3632                 err = selinux_netlbl_socket_post_create(sock);
3633         }
3634
3635         return err;
3636 }
3637
3638 /* Range of port numbers used to automatically bind.
3639    Need to determine whether we should perform a name_bind
3640    permission check between the socket and the port number. */
3641
3642 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3643 {
3644         u16 family;
3645         int err;
3646
3647         err = socket_has_perm(current, sock, SOCKET__BIND);
3648         if (err)
3649                 goto out;
3650
3651         /*
3652          * If PF_INET or PF_INET6, check name_bind permission for the port.
3653          * Multiple address binding for SCTP is not supported yet: we just
3654          * check the first address now.
3655          */
3656         family = sock->sk->sk_family;
3657         if (family == PF_INET || family == PF_INET6) {
3658                 char *addrp;
3659                 struct inode_security_struct *isec;
3660                 struct task_security_struct *tsec;
3661                 struct avc_audit_data ad;
3662                 struct sockaddr_in *addr4 = NULL;
3663                 struct sockaddr_in6 *addr6 = NULL;
3664                 unsigned short snum;
3665                 struct sock *sk = sock->sk;
3666                 u32 sid, node_perm, addrlen;
3667
3668                 tsec = current->security;
3669                 isec = SOCK_INODE(sock)->i_security;
3670
3671                 if (family == PF_INET) {
3672                         addr4 = (struct sockaddr_in *)address;
3673                         snum = ntohs(addr4->sin_port);
3674                         addrlen = sizeof(addr4->sin_addr.s_addr);
3675                         addrp = (char *)&addr4->sin_addr.s_addr;
3676                 } else {
3677                         addr6 = (struct sockaddr_in6 *)address;
3678                         snum = ntohs(addr6->sin6_port);
3679                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3680                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3681                 }
3682
3683                 if (snum) {
3684                         int low, high;
3685
3686                         inet_get_local_port_range(&low, &high);
3687
3688                         if (snum < max(PROT_SOCK, low) || snum > high) {
3689                                 err = sel_netport_sid(sk->sk_protocol,
3690                                                       snum, &sid);
3691                                 if (err)
3692                                         goto out;
3693                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3694                                 ad.u.net.sport = htons(snum);
3695                                 ad.u.net.family = family;
3696                                 err = avc_has_perm(isec->sid, sid,
3697                                                    isec->sclass,
3698                                                    SOCKET__NAME_BIND, &ad);
3699                                 if (err)
3700                                         goto out;
3701                         }
3702                 }
3703
3704                 switch (isec->sclass) {
3705                 case SECCLASS_TCP_SOCKET:
3706                         node_perm = TCP_SOCKET__NODE_BIND;
3707                         break;
3708
3709                 case SECCLASS_UDP_SOCKET:
3710                         node_perm = UDP_SOCKET__NODE_BIND;
3711                         break;
3712
3713                 case SECCLASS_DCCP_SOCKET:
3714                         node_perm = DCCP_SOCKET__NODE_BIND;
3715                         break;
3716
3717                 default:
3718                         node_perm = RAWIP_SOCKET__NODE_BIND;
3719                         break;
3720                 }
3721
3722                 err = sel_netnode_sid(addrp, family, &sid);
3723                 if (err)
3724                         goto out;
3725
3726                 AVC_AUDIT_DATA_INIT(&ad, NET);
3727                 ad.u.net.sport = htons(snum);
3728                 ad.u.net.family = family;
3729
3730                 if (family == PF_INET)
3731                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3732                 else
3733                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3734
3735                 err = avc_has_perm(isec->sid, sid,
3736                                    isec->sclass, node_perm, &ad);
3737                 if (err)
3738                         goto out;
3739         }
3740 out:
3741         return err;
3742 }
3743
3744 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3745 {
3746         struct inode_security_struct *isec;
3747         int err;
3748
3749         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3750         if (err)
3751                 return err;
3752
3753         /*
3754          * If a TCP or DCCP socket, check name_connect permission for the port.
3755          */
3756         isec = SOCK_INODE(sock)->i_security;
3757         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3758             isec->sclass == SECCLASS_DCCP_SOCKET) {
3759                 struct sock *sk = sock->sk;
3760                 struct avc_audit_data ad;
3761                 struct sockaddr_in *addr4 = NULL;
3762                 struct sockaddr_in6 *addr6 = NULL;
3763                 unsigned short snum;
3764                 u32 sid, perm;
3765
3766                 if (sk->sk_family == PF_INET) {
3767                         addr4 = (struct sockaddr_in *)address;
3768                         if (addrlen < sizeof(struct sockaddr_in))
3769                                 return -EINVAL;
3770                         snum = ntohs(addr4->sin_port);
3771                 } else {
3772                         addr6 = (struct sockaddr_in6 *)address;
3773                         if (addrlen < SIN6_LEN_RFC2133)
3774                                 return -EINVAL;
3775                         snum = ntohs(addr6->sin6_port);
3776                 }
3777
3778                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3779                 if (err)
3780                         goto out;
3781
3782                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3783                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3784
3785                 AVC_AUDIT_DATA_INIT(&ad, NET);
3786                 ad.u.net.dport = htons(snum);
3787                 ad.u.net.family = sk->sk_family;
3788                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3789                 if (err)
3790                         goto out;
3791         }
3792
3793 out:
3794         return err;
3795 }
3796
3797 static int selinux_socket_listen(struct socket *sock, int backlog)
3798 {
3799         return socket_has_perm(current, sock, SOCKET__LISTEN);
3800 }
3801
3802 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3803 {
3804         int err;
3805         struct inode_security_struct *isec;
3806         struct inode_security_struct *newisec;
3807
3808         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3809         if (err)
3810                 return err;
3811
3812         newisec = SOCK_INODE(newsock)->i_security;
3813
3814         isec = SOCK_INODE(sock)->i_security;
3815         newisec->sclass = isec->sclass;
3816         newisec->sid = isec->sid;
3817         newisec->initialized = 1;
3818
3819         return 0;
3820 }
3821
3822 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3823                                   int size)
3824 {
3825         int rc;
3826
3827         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3828         if (rc)
3829                 return rc;
3830
3831         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3832 }
3833
3834 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3835                                   int size, int flags)
3836 {
3837         return socket_has_perm(current, sock, SOCKET__READ);
3838 }
3839
3840 static int selinux_socket_getsockname(struct socket *sock)
3841 {
3842         return socket_has_perm(current, sock, SOCKET__GETATTR);
3843 }
3844
3845 static int selinux_socket_getpeername(struct socket *sock)
3846 {
3847         return socket_has_perm(current, sock, SOCKET__GETATTR);
3848 }
3849
3850 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3851 {
3852         int err;
3853
3854         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3855         if (err)
3856                 return err;
3857
3858         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3859 }
3860
3861 static int selinux_socket_getsockopt(struct socket *sock, int level,
3862                                      int optname)
3863 {
3864         return socket_has_perm(current, sock, SOCKET__GETOPT);
3865 }
3866
3867 static int selinux_socket_shutdown(struct socket *sock, int how)
3868 {
3869         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3870 }
3871
3872 static int selinux_socket_unix_stream_connect(struct socket *sock,
3873                                               struct socket *other,
3874                                               struct sock *newsk)
3875 {
3876         struct sk_security_struct *ssec;
3877         struct inode_security_struct *isec;
3878         struct inode_security_struct *other_isec;
3879         struct avc_audit_data ad;
3880         int err;
3881
3882         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3883         if (err)
3884                 return err;
3885
3886         isec = SOCK_INODE(sock)->i_security;
3887         other_isec = SOCK_INODE(other)->i_security;
3888
3889         AVC_AUDIT_DATA_INIT(&ad, NET);
3890         ad.u.net.sk = other->sk;
3891
3892         err = avc_has_perm(isec->sid, other_isec->sid,
3893                            isec->sclass,
3894                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3895         if (err)
3896                 return err;
3897
3898         /* connecting socket */
3899         ssec = sock->sk->sk_security;
3900         ssec->peer_sid = other_isec->sid;
3901
3902         /* server child socket */
3903         ssec = newsk->sk_security;
3904         ssec->peer_sid = isec->sid;
3905         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3906
3907         return err;
3908 }
3909
3910 static int selinux_socket_unix_may_send(struct socket *sock,
3911                                         struct socket *other)
3912 {
3913         struct inode_security_struct *isec;
3914         struct inode_security_struct *other_isec;
3915         struct avc_audit_data ad;
3916         int err;
3917
3918         isec = SOCK_INODE(sock)->i_security;
3919         other_isec = SOCK_INODE(other)->i_security;
3920
3921         AVC_AUDIT_DATA_INIT(&ad, NET);
3922         ad.u.net.sk = other->sk;
3923
3924         err = avc_has_perm(isec->sid, other_isec->sid,
3925                            isec->sclass, SOCKET__SENDTO, &ad);
3926         if (err)
3927                 return err;
3928
3929         return 0;
3930 }
3931
3932 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3933                                     u32 peer_sid,
3934                                     struct avc_audit_data *ad)
3935 {
3936         int err;
3937         u32 if_sid;
3938         u32 node_sid;
3939
3940         err = sel_netif_sid(ifindex, &if_sid);
3941         if (err)
3942                 return err;
3943         err = avc_has_perm(peer_sid, if_sid,
3944                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3945         if (err)
3946                 return err;
3947
3948         err = sel_netnode_sid(addrp, family, &node_sid);
3949         if (err)
3950                 return err;
3951         return avc_has_perm(peer_sid, node_sid,
3952                             SECCLASS_NODE, NODE__RECVFROM, ad);
3953 }
3954
3955 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3956                                                 struct sk_buff *skb,
3957                                                 struct avc_audit_data *ad,
3958                                                 u16 family,
3959                                                 char *addrp)
3960 {
3961         int err;
3962         struct sk_security_struct *sksec = sk->sk_security;
3963         u16 sk_class;
3964         u32 netif_perm, node_perm, recv_perm;
3965         u32 port_sid, node_sid, if_sid, sk_sid;
3966
3967         sk_sid = sksec->sid;
3968         sk_class = sksec->sclass;
3969
3970         switch (sk_class) {
3971         case SECCLASS_UDP_SOCKET:
3972                 netif_perm = NETIF__UDP_RECV;
3973                 node_perm = NODE__UDP_RECV;
3974                 recv_perm = UDP_SOCKET__RECV_MSG;
3975                 break;
3976         case SECCLASS_TCP_SOCKET:
3977                 netif_perm = NETIF__TCP_RECV;
3978                 node_perm = NODE__TCP_RECV;
3979                 recv_perm = TCP_SOCKET__RECV_MSG;
3980                 break;
3981         case SECCLASS_DCCP_SOCKET:
3982                 netif_perm = NETIF__DCCP_RECV;
3983                 node_perm = NODE__DCCP_RECV;
3984                 recv_perm = DCCP_SOCKET__RECV_MSG;
3985                 break;
3986         default:
3987                 netif_perm = NETIF__RAWIP_RECV;
3988                 node_perm = NODE__RAWIP_RECV;
3989                 recv_perm = 0;
3990                 break;
3991         }
3992
3993         err = sel_netif_sid(skb->iif, &if_sid);
3994         if (err)
3995                 return err;
3996         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3997         if (err)
3998                 return err;
3999
4000         err = sel_netnode_sid(addrp, family, &node_sid);
4001         if (err)
4002                 return err;
4003         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4004         if (err)
4005                 return err;
4006
4007         if (!recv_perm)
4008                 return 0;
4009         err = sel_netport_sid(sk->sk_protocol,
4010                               ntohs(ad->u.net.sport), &port_sid);
4011         if (unlikely(err)) {
4012                 printk(KERN_WARNING
4013                        "SELinux: failure in"
4014                        " selinux_sock_rcv_skb_iptables_compat(),"
4015                        " network port label not found\n");
4016                 return err;
4017         }
4018         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4019 }
4020
4021 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4022                                        struct avc_audit_data *ad,
4023                                        u16 family, char *addrp)
4024 {
4025         int err;
4026         struct sk_security_struct *sksec = sk->sk_security;
4027         u32 peer_sid;
4028         u32 sk_sid = sksec->sid;
4029
4030         if (selinux_compat_net)
4031                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4032                                                            family, addrp);
4033         else
4034                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4035                                    PACKET__RECV, ad);
4036         if (err)
4037                 return err;
4038
4039         if (selinux_policycap_netpeer) {
4040                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4041                 if (err)
4042                         return err;
4043                 err = avc_has_perm(sk_sid, peer_sid,
4044                                    SECCLASS_PEER, PEER__RECV, ad);
4045         } else {
4046                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4047                 if (err)
4048                         return err;
4049                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4050         }
4051
4052         return err;
4053 }
4054
4055 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4056 {
4057         int err;
4058         struct sk_security_struct *sksec = sk->sk_security;
4059         u16 family = sk->sk_family;
4060         u32 sk_sid = sksec->sid;
4061         struct avc_audit_data ad;
4062         char *addrp;
4063
4064         if (family != PF_INET && family != PF_INET6)
4065                 return 0;
4066
4067         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4068         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4069                 family = PF_INET;
4070
4071         AVC_AUDIT_DATA_INIT(&ad, NET);
4072         ad.u.net.netif = skb->iif;
4073         ad.u.net.family = family;
4074         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4075         if (err)
4076                 return err;
4077
4078         /* If any sort of compatibility mode is enabled then handoff processing
4079          * to the selinux_sock_rcv_skb_compat() function to deal with the
4080          * special handling.  We do this in an attempt to keep this function
4081          * as fast and as clean as possible. */
4082         if (selinux_compat_net || !selinux_policycap_netpeer)
4083                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4084                                                    family, addrp);
4085
4086         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4087                 u32 peer_sid;
4088
4089                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4090                 if (err)
4091                         return err;
4092                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4093                                                peer_sid, &ad);
4094                 if (err)
4095                         return err;
4096                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4097                                    PEER__RECV, &ad);
4098         }
4099
4100         if (selinux_secmark_enabled()) {
4101                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4102                                    PACKET__RECV, &ad);
4103                 if (err)
4104                         return err;
4105         }
4106
4107         return err;
4108 }
4109
4110 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4111                                             int __user *optlen, unsigned len)
4112 {
4113         int err = 0;
4114         char *scontext;
4115         u32 scontext_len;
4116         struct sk_security_struct *ssec;
4117         struct inode_security_struct *isec;
4118         u32 peer_sid = SECSID_NULL;
4119
4120         isec = SOCK_INODE(sock)->i_security;
4121
4122         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4123             isec->sclass == SECCLASS_TCP_SOCKET) {
4124                 ssec = sock->sk->sk_security;
4125                 peer_sid = ssec->peer_sid;
4126         }
4127         if (peer_sid == SECSID_NULL) {
4128                 err = -ENOPROTOOPT;
4129                 goto out;
4130         }
4131
4132         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4133
4134         if (err)
4135                 goto out;
4136
4137         if (scontext_len > len) {
4138                 err = -ERANGE;
4139                 goto out_len;
4140         }
4141
4142         if (copy_to_user(optval, scontext, scontext_len))
4143                 err = -EFAULT;
4144
4145 out_len:
4146         if (put_user(scontext_len, optlen))
4147                 err = -EFAULT;
4148
4149         kfree(scontext);
4150 out:
4151         return err;
4152 }
4153
4154 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4155 {
4156         u32 peer_secid = SECSID_NULL;
4157         u16 family;
4158
4159         if (sock)
4160                 family = sock->sk->sk_family;
4161         else if (skb && skb->sk)
4162                 family = skb->sk->sk_family;
4163         else
4164                 goto out;
4165
4166         if (sock && family == PF_UNIX)
4167                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4168         else if (skb)
4169                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4170
4171 out:
4172         *secid = peer_secid;
4173         if (peer_secid == SECSID_NULL)
4174                 return -EINVAL;
4175         return 0;
4176 }
4177
4178 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4179 {
4180         return sk_alloc_security(sk, family, priority);
4181 }
4182
4183 static void selinux_sk_free_security(struct sock *sk)
4184 {
4185         sk_free_security(sk);
4186 }
4187
4188 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4189 {
4190         struct sk_security_struct *ssec = sk->sk_security;
4191         struct sk_security_struct *newssec = newsk->sk_security;
4192
4193         newssec->sid = ssec->sid;
4194         newssec->peer_sid = ssec->peer_sid;
4195         newssec->sclass = ssec->sclass;
4196
4197         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4198 }
4199
4200 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4201 {
4202         if (!sk)
4203                 *secid = SECINITSID_ANY_SOCKET;
4204         else {
4205                 struct sk_security_struct *sksec = sk->sk_security;
4206
4207                 *secid = sksec->sid;
4208         }
4209 }
4210
4211 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4212 {
4213         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4214         struct sk_security_struct *sksec = sk->sk_security;
4215
4216         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4217             sk->sk_family == PF_UNIX)
4218                 isec->sid = sksec->sid;
4219         sksec->sclass = isec->sclass;
4220
4221         selinux_netlbl_sock_graft(sk, parent);
4222 }
4223
4224 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4225                                      struct request_sock *req)
4226 {
4227         struct sk_security_struct *sksec = sk->sk_security;
4228         int err;
4229         u32 newsid;
4230         u32 peersid;
4231
4232         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4233         if (err)
4234                 return err;
4235         if (peersid == SECSID_NULL) {
4236                 req->secid = sksec->sid;
4237                 req->peer_secid = SECSID_NULL;
4238                 return 0;
4239         }
4240
4241         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4242         if (err)
4243                 return err;
4244
4245         req->secid = newsid;
4246         req->peer_secid = peersid;
4247         return 0;
4248 }
4249
4250 static void selinux_inet_csk_clone(struct sock *newsk,
4251                                    const struct request_sock *req)
4252 {
4253         struct sk_security_struct *newsksec = newsk->sk_security;
4254
4255         newsksec->sid = req->secid;
4256         newsksec->peer_sid = req->peer_secid;
4257         /* NOTE: Ideally, we should also get the isec->sid for the
4258            new socket in sync, but we don't have the isec available yet.
4259            So we will wait until sock_graft to do it, by which
4260            time it will have been created and available. */
4261
4262         /* We don't need to take any sort of lock here as we are the only
4263          * thread with access to newsksec */
4264         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4265 }
4266
4267 static void selinux_inet_conn_established(struct sock *sk,
4268                                 struct sk_buff *skb)
4269 {
4270         struct sk_security_struct *sksec = sk->sk_security;
4271
4272         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4273 }
4274
4275 static void selinux_req_classify_flow(const struct request_sock *req,
4276                                       struct flowi *fl)
4277 {
4278         fl->secid = req->secid;
4279 }
4280
4281 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4282 {
4283         int err = 0;
4284         u32 perm;
4285         struct nlmsghdr *nlh;
4286         struct socket *sock = sk->sk_socket;
4287         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4288
4289         if (skb->len < NLMSG_SPACE(0)) {
4290                 err = -EINVAL;
4291                 goto out;
4292         }
4293         nlh = nlmsg_hdr(skb);
4294
4295         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4296         if (err) {
4297                 if (err == -EINVAL) {
4298                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4299                                   "SELinux:  unrecognized netlink message"
4300                                   " type=%hu for sclass=%hu\n",
4301                                   nlh->nlmsg_type, isec->sclass);
4302                         if (!selinux_enforcing)
4303                                 err = 0;
4304                 }
4305
4306                 /* Ignore */
4307                 if (err == -ENOENT)
4308                         err = 0;
4309                 goto out;
4310         }
4311
4312         err = socket_has_perm(current, sock, perm);
4313 out:
4314         return err;
4315 }
4316
4317 #ifdef CONFIG_NETFILTER
4318
4319 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4320                                        u16 family)
4321 {
4322         char *addrp;
4323         u32 peer_sid;
4324         struct avc_audit_data ad;
4325         u8 secmark_active;
4326         u8 peerlbl_active;
4327
4328         if (!selinux_policycap_netpeer)
4329                 return NF_ACCEPT;
4330
4331         secmark_active = selinux_secmark_enabled();
4332         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4333         if (!secmark_active && !peerlbl_active)
4334                 return NF_ACCEPT;
4335
4336         AVC_AUDIT_DATA_INIT(&ad, NET);
4337         ad.u.net.netif = ifindex;
4338         ad.u.net.family = family;
4339         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4340                 return NF_DROP;
4341
4342         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4343                 return NF_DROP;
4344
4345         if (peerlbl_active)
4346                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4347                                              peer_sid, &ad) != 0)
4348                         return NF_DROP;
4349
4350         if (secmark_active)
4351                 if (avc_has_perm(peer_sid, skb->secmark,
4352                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4353                         return NF_DROP;
4354
4355         return NF_ACCEPT;
4356 }
4357
4358 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4359                                          struct sk_buff *skb,
4360                                          const struct net_device *in,
4361                                          const struct net_device *out,
4362                                          int (*okfn)(struct sk_buff *))
4363 {
4364         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4365 }
4366
4367 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4368 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4369                                          struct sk_buff *skb,
4370                                          const struct net_device *in,
4371                                          const struct net_device *out,
4372                                          int (*okfn)(struct sk_buff *))
4373 {
4374         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4375 }
4376 #endif  /* IPV6 */
4377
4378 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4379                                                 int ifindex,
4380                                                 struct avc_audit_data *ad,
4381                                                 u16 family, char *addrp)
4382 {
4383         int err;
4384         struct sk_security_struct *sksec = sk->sk_security;
4385         u16 sk_class;
4386         u32 netif_perm, node_perm, send_perm;
4387         u32 port_sid, node_sid, if_sid, sk_sid;
4388
4389         sk_sid = sksec->sid;
4390         sk_class = sksec->sclass;
4391
4392         switch (sk_class) {
4393         case SECCLASS_UDP_SOCKET:
4394                 netif_perm = NETIF__UDP_SEND;
4395                 node_perm = NODE__UDP_SEND;
4396                 send_perm = UDP_SOCKET__SEND_MSG;
4397                 break;
4398         case SECCLASS_TCP_SOCKET:
4399                 netif_perm = NETIF__TCP_SEND;
4400                 node_perm = NODE__TCP_SEND;
4401                 send_perm = TCP_SOCKET__SEND_MSG;
4402                 break;
4403         case SECCLASS_DCCP_SOCKET:
4404                 netif_perm = NETIF__DCCP_SEND;
4405                 node_perm = NODE__DCCP_SEND;
4406                 send_perm = DCCP_SOCKET__SEND_MSG;
4407                 break;
4408         default:
4409                 netif_perm = NETIF__RAWIP_SEND;
4410                 node_perm = NODE__RAWIP_SEND;
4411                 send_perm = 0;
4412                 break;
4413         }
4414
4415         err = sel_netif_sid(ifindex, &if_sid);
4416         if (err)
4417                 return err;
4418         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4419                 return err;
4420
4421         err = sel_netnode_sid(addrp, family, &node_sid);
4422         if (err)
4423                 return err;
4424         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4425         if (err)
4426                 return err;
4427
4428         if (send_perm != 0)
4429                 return 0;
4430
4431         err = sel_netport_sid(sk->sk_protocol,
4432                               ntohs(ad->u.net.dport), &port_sid);
4433         if (unlikely(err)) {
4434                 printk(KERN_WARNING
4435                        "SELinux: failure in"
4436                        " selinux_ip_postroute_iptables_compat(),"
4437                        " network port label not found\n");
4438                 return err;
4439         }
4440         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4441 }
4442
4443 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4444                                                 int ifindex,
4445                                                 struct avc_audit_data *ad,
4446                                                 u16 family,
4447                                                 char *addrp,
4448                                                 u8 proto)
4449 {
4450         struct sock *sk = skb->sk;
4451         struct sk_security_struct *sksec;
4452
4453         if (sk == NULL)
4454                 return NF_ACCEPT;
4455         sksec = sk->sk_security;
4456
4457         if (selinux_compat_net) {
4458                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4459                                                          ad, family, addrp))
4460                         return NF_DROP;
4461         } else {
4462                 if (avc_has_perm(sksec->sid, skb->secmark,
4463                                  SECCLASS_PACKET, PACKET__SEND, ad))
4464                         return NF_DROP;
4465         }
4466
4467         if (selinux_policycap_netpeer)
4468                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4469                         return NF_DROP;
4470
4471         return NF_ACCEPT;
4472 }
4473
4474 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4475                                          u16 family)
4476 {
4477         u32 secmark_perm;
4478         u32 peer_sid;
4479         struct sock *sk;
4480         struct avc_audit_data ad;
4481         char *addrp;
4482         u8 proto;
4483         u8 secmark_active;
4484         u8 peerlbl_active;
4485
4486         AVC_AUDIT_DATA_INIT(&ad, NET);
4487         ad.u.net.netif = ifindex;
4488         ad.u.net.family = family;
4489         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4490                 return NF_DROP;
4491
4492         /* If any sort of compatibility mode is enabled then handoff processing
4493          * to the selinux_ip_postroute_compat() function to deal with the
4494          * special handling.  We do this in an attempt to keep this function
4495          * as fast and as clean as possible. */
4496         if (selinux_compat_net || !selinux_policycap_netpeer)
4497                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4498                                                    family, addrp, proto);
4499
4500         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4501          * packet transformation so allow the packet to pass without any checks
4502          * since we'll have another chance to perform access control checks
4503          * when the packet is on it's final way out.
4504          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4505          *       is NULL, in this case go ahead and apply access control. */
4506         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4507                 return NF_ACCEPT;
4508
4509         secmark_active = selinux_secmark_enabled();
4510         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4511         if (!secmark_active && !peerlbl_active)
4512                 return NF_ACCEPT;
4513
4514         /* if the packet is locally generated (skb->sk != NULL) then use the
4515          * socket's label as the peer label, otherwise the packet is being
4516          * forwarded through this system and we need to fetch the peer label
4517          * directly from the packet */
4518         sk = skb->sk;
4519         if (sk) {
4520                 struct sk_security_struct *sksec = sk->sk_security;
4521                 peer_sid = sksec->sid;
4522                 secmark_perm = PACKET__SEND;
4523         } else {
4524                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4525                                 return NF_DROP;
4526                 secmark_perm = PACKET__FORWARD_OUT;
4527         }
4528
4529         if (secmark_active)
4530                 if (avc_has_perm(peer_sid, skb->secmark,
4531                                  SECCLASS_PACKET, secmark_perm, &ad))
4532                         return NF_DROP;
4533
4534         if (peerlbl_active) {
4535                 u32 if_sid;
4536                 u32 node_sid;
4537
4538                 if (sel_netif_sid(ifindex, &if_sid))
4539                         return NF_DROP;
4540                 if (avc_has_perm(peer_sid, if_sid,
4541                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4542                         return NF_DROP;
4543
4544                 if (sel_netnode_sid(addrp, family, &node_sid))
4545                         return NF_DROP;
4546                 if (avc_has_perm(peer_sid, node_sid,
4547                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4548                         return NF_DROP;
4549         }
4550
4551         return NF_ACCEPT;
4552 }
4553
4554 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4555                                            struct sk_buff *skb,
4556                                            const struct net_device *in,
4557                                            const struct net_device *out,
4558                                            int (*okfn)(struct sk_buff *))
4559 {
4560         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4561 }
4562
4563 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4564 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4565                                            struct sk_buff *skb,
4566                                            const struct net_device *in,
4567                                            const struct net_device *out,
4568                                            int (*okfn)(struct sk_buff *))
4569 {
4570         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4571 }
4572 #endif  /* IPV6 */
4573
4574 #endif  /* CONFIG_NETFILTER */
4575
4576 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4577 {
4578         int err;
4579
4580         err = secondary_ops->netlink_send(sk, skb);
4581         if (err)
4582                 return err;
4583
4584         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4585                 err = selinux_nlmsg_perm(sk, skb);
4586
4587         return err;
4588 }
4589
4590 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4591 {
4592         int err;
4593         struct avc_audit_data ad;
4594
4595         err = secondary_ops->netlink_recv(skb, capability);
4596         if (err)
4597                 return err;
4598
4599         AVC_AUDIT_DATA_INIT(&ad, CAP);
4600         ad.u.cap = capability;
4601
4602         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4603                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4604 }
4605
4606 static int ipc_alloc_security(struct task_struct *task,
4607                               struct kern_ipc_perm *perm,
4608                               u16 sclass)
4609 {
4610         struct task_security_struct *tsec = task->security;
4611         struct ipc_security_struct *isec;
4612
4613         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4614         if (!isec)
4615                 return -ENOMEM;
4616
4617         isec->sclass = sclass;
4618         isec->sid = tsec->sid;
4619         perm->security = isec;
4620
4621         return 0;
4622 }
4623
4624 static void ipc_free_security(struct kern_ipc_perm *perm)
4625 {
4626         struct ipc_security_struct *isec = perm->security;
4627         perm->security = NULL;
4628         kfree(isec);
4629 }
4630
4631 static int msg_msg_alloc_security(struct msg_msg *msg)
4632 {
4633         struct msg_security_struct *msec;
4634
4635         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4636         if (!msec)
4637                 return -ENOMEM;
4638
4639         msec->sid = SECINITSID_UNLABELED;
4640         msg->security = msec;
4641
4642         return 0;
4643 }
4644
4645 static void msg_msg_free_security(struct msg_msg *msg)
4646 {
4647         struct msg_security_struct *msec = msg->security;
4648
4649         msg->security = NULL;
4650         kfree(msec);
4651 }
4652
4653 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4654                         u32 perms)
4655 {
4656         struct task_security_struct *tsec;
4657         struct ipc_security_struct *isec;
4658         struct avc_audit_data ad;
4659
4660         tsec = current->security;
4661         isec = ipc_perms->security;
4662
4663         AVC_AUDIT_DATA_INIT(&ad, IPC);
4664         ad.u.ipc_id = ipc_perms->key;
4665
4666         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4667 }
4668
4669 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4670 {
4671         return msg_msg_alloc_security(msg);
4672 }
4673
4674 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4675 {
4676         msg_msg_free_security(msg);
4677 }
4678
4679 /* message queue security operations */
4680 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4681 {
4682         struct task_security_struct *tsec;
4683         struct ipc_security_struct *isec;
4684         struct avc_audit_data ad;
4685         int rc;
4686
4687         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4688         if (rc)
4689                 return rc;
4690
4691         tsec = current->security;
4692         isec = msq->q_perm.security;
4693
4694         AVC_AUDIT_DATA_INIT(&ad, IPC);
4695         ad.u.ipc_id = msq->q_perm.key;
4696
4697         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4698                           MSGQ__CREATE, &ad);
4699         if (rc) {
4700                 ipc_free_security(&msq->q_perm);
4701                 return rc;
4702         }
4703         return 0;
4704 }
4705
4706 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4707 {
4708         ipc_free_security(&msq->q_perm);
4709 }
4710
4711 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4712 {
4713         struct task_security_struct *tsec;
4714         struct ipc_security_struct *isec;
4715         struct avc_audit_data ad;
4716
4717         tsec = current->security;
4718         isec = msq->q_perm.security;
4719
4720         AVC_AUDIT_DATA_INIT(&ad, IPC);
4721         ad.u.ipc_id = msq->q_perm.key;
4722
4723         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4724                             MSGQ__ASSOCIATE, &ad);
4725 }
4726
4727 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4728 {
4729         int err;
4730         int perms;
4731
4732         switch (cmd) {
4733         case IPC_INFO:
4734         case MSG_INFO:
4735                 /* No specific object, just general system-wide information. */
4736                 return task_has_system(current, SYSTEM__IPC_INFO);
4737         case IPC_STAT:
4738         case MSG_STAT:
4739                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4740                 break;
4741         case IPC_SET:
4742                 perms = MSGQ__SETATTR;
4743                 break;
4744         case IPC_RMID:
4745                 perms = MSGQ__DESTROY;
4746                 break;
4747         default:
4748                 return 0;
4749         }
4750
4751         err = ipc_has_perm(&msq->q_perm, perms);
4752         return err;
4753 }
4754
4755 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4756 {
4757         struct task_security_struct *tsec;
4758         struct ipc_security_struct *isec;
4759         struct msg_security_struct *msec;
4760         struct avc_audit_data ad;
4761         int rc;
4762
4763         tsec = current->security;
4764         isec = msq->q_perm.security;
4765         msec = msg->security;
4766
4767         /*
4768          * First time through, need to assign label to the message
4769          */
4770         if (msec->sid == SECINITSID_UNLABELED) {
4771                 /*
4772                  * Compute new sid based on current process and
4773                  * message queue this message will be stored in
4774                  */
4775                 rc = security_transition_sid(tsec->sid,
4776                                              isec->sid,
4777                                              SECCLASS_MSG,
4778                                              &msec->sid);
4779                 if (rc)
4780                         return rc;
4781         }
4782
4783         AVC_AUDIT_DATA_INIT(&ad, IPC);
4784         ad.u.ipc_id = msq->q_perm.key;
4785
4786         /* Can this process write to the queue? */
4787         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4788                           MSGQ__WRITE, &ad);
4789         if (!rc)
4790                 /* Can this process send the message */
4791                 rc = avc_has_perm(tsec->sid, msec->sid,
4792                                   SECCLASS_MSG, MSG__SEND, &ad);
4793         if (!rc)
4794                 /* Can the message be put in the queue? */
4795                 rc = avc_has_perm(msec->sid, isec->sid,
4796                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4797
4798         return rc;
4799 }
4800
4801 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4802                                     struct task_struct *target,
4803                                     long type, int mode)
4804 {
4805         struct task_security_struct *tsec;
4806         struct ipc_security_struct *isec;
4807         struct msg_security_struct *msec;
4808         struct avc_audit_data ad;
4809         int rc;
4810
4811         tsec = target->security;
4812         isec = msq->q_perm.security;
4813         msec = msg->security;
4814
4815         AVC_AUDIT_DATA_INIT(&ad, IPC);
4816         ad.u.ipc_id = msq->q_perm.key;
4817
4818         rc = avc_has_perm(tsec->sid, isec->sid,
4819                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4820         if (!rc)
4821                 rc = avc_has_perm(tsec->sid, msec->sid,
4822                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4823         return rc;
4824 }
4825
4826 /* Shared Memory security operations */
4827 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4828 {
4829         struct task_security_struct *tsec;
4830         struct ipc_security_struct *isec;
4831         struct avc_audit_data ad;
4832         int rc;
4833
4834         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4835         if (rc)
4836                 return rc;
4837
4838         tsec = current->security;
4839         isec = shp->shm_perm.security;
4840
4841         AVC_AUDIT_DATA_INIT(&ad, IPC);
4842         ad.u.ipc_id = shp->shm_perm.key;
4843
4844         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4845                           SHM__CREATE, &ad);
4846         if (rc) {
4847                 ipc_free_security(&shp->shm_perm);
4848                 return rc;
4849         }
4850         return 0;
4851 }
4852
4853 static void selinux_shm_free_security(struct shmid_kernel *shp)
4854 {
4855         ipc_free_security(&shp->shm_perm);
4856 }
4857
4858 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4859 {
4860         struct task_security_struct *tsec;
4861         struct ipc_security_struct *isec;
4862         struct avc_audit_data ad;
4863
4864         tsec = current->security;
4865         isec = shp->shm_perm.security;
4866
4867         AVC_AUDIT_DATA_INIT(&ad, IPC);
4868         ad.u.ipc_id = shp->shm_perm.key;
4869
4870         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4871                             SHM__ASSOCIATE, &ad);
4872 }
4873
4874 /* Note, at this point, shp is locked down */
4875 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4876 {
4877         int perms;
4878         int err;
4879
4880         switch (cmd) {
4881         case IPC_INFO:
4882         case SHM_INFO:
4883                 /* No specific object, just general system-wide information. */
4884                 return task_has_system(current, SYSTEM__IPC_INFO);
4885         case IPC_STAT:
4886         case SHM_STAT:
4887                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4888                 break;
4889         case IPC_SET:
4890                 perms = SHM__SETATTR;
4891                 break;
4892         case SHM_LOCK:
4893         case SHM_UNLOCK:
4894                 perms = SHM__LOCK;
4895                 break;
4896         case IPC_RMID:
4897                 perms = SHM__DESTROY;
4898                 break;
4899         default:
4900                 return 0;
4901         }
4902
4903         err = ipc_has_perm(&shp->shm_perm, perms);
4904         return err;
4905 }
4906
4907 static int selinux_shm_shmat(struct shmid_kernel *shp,
4908                              char __user *shmaddr, int shmflg)
4909 {
4910         u32 perms;
4911         int rc;
4912
4913         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4914         if (rc)
4915                 return rc;
4916
4917         if (shmflg & SHM_RDONLY)
4918                 perms = SHM__READ;
4919         else
4920                 perms = SHM__READ | SHM__WRITE;
4921
4922         return ipc_has_perm(&shp->shm_perm, perms);
4923 }
4924
4925 /* Semaphore security operations */
4926 static int selinux_sem_alloc_security(struct sem_array *sma)
4927 {
4928         struct task_security_struct *tsec;
4929         struct ipc_security_struct *isec;
4930         struct avc_audit_data ad;
4931         int rc;
4932
4933         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4934         if (rc)
4935                 return rc;
4936
4937         tsec = current->security;
4938         isec = sma->sem_perm.security;
4939
4940         AVC_AUDIT_DATA_INIT(&ad, IPC);
4941         ad.u.ipc_id = sma->sem_perm.key;
4942
4943         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4944                           SEM__CREATE, &ad);
4945         if (rc) {
4946                 ipc_free_security(&sma->sem_perm);
4947                 return rc;
4948         }
4949         return 0;
4950 }
4951
4952 static void selinux_sem_free_security(struct sem_array *sma)
4953 {
4954         ipc_free_security(&sma->sem_perm);
4955 }
4956
4957 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4958 {
4959         struct task_security_struct *tsec;
4960         struct ipc_security_struct *isec;
4961         struct avc_audit_data ad;
4962
4963         tsec = current->security;
4964         isec = sma->sem_perm.security;
4965
4966         AVC_AUDIT_DATA_INIT(&ad, IPC);
4967         ad.u.ipc_id = sma->sem_perm.key;
4968
4969         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4970                             SEM__ASSOCIATE, &ad);
4971 }
4972
4973 /* Note, at this point, sma is locked down */
4974 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4975 {
4976         int err;
4977         u32 perms;
4978
4979         switch (cmd) {
4980         case IPC_INFO:
4981         case SEM_INFO:
4982                 /* No specific object, just general system-wide information. */
4983                 return task_has_system(current, SYSTEM__IPC_INFO);
4984         case GETPID:
4985         case GETNCNT:
4986         case GETZCNT:
4987                 perms = SEM__GETATTR;
4988                 break;
4989         case GETVAL:
4990         case GETALL:
4991                 perms = SEM__READ;
4992                 break;
4993         case SETVAL:
4994         case SETALL:
4995                 perms = SEM__WRITE;
4996                 break;
4997         case IPC_RMID:
4998                 perms = SEM__DESTROY;
4999                 break;
5000         case IPC_SET:
5001                 perms = SEM__SETATTR;
5002                 break;
5003         case IPC_STAT:
5004         case SEM_STAT:
5005                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5006                 break;
5007         default:
5008                 return 0;
5009         }
5010
5011         err = ipc_has_perm(&sma->sem_perm, perms);
5012         return err;
5013 }
5014
5015 static int selinux_sem_semop(struct sem_array *sma,
5016                              struct sembuf *sops, unsigned nsops, int alter)
5017 {
5018         u32 perms;
5019
5020         if (alter)
5021                 perms = SEM__READ | SEM__WRITE;
5022         else
5023                 perms = SEM__READ;
5024
5025         return ipc_has_perm(&sma->sem_perm, perms);
5026 }
5027
5028 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5029 {
5030         u32 av = 0;
5031
5032         av = 0;
5033         if (flag & S_IRUGO)
5034                 av |= IPC__UNIX_READ;
5035         if (flag & S_IWUGO)
5036                 av |= IPC__UNIX_WRITE;
5037
5038         if (av == 0)
5039                 return 0;
5040
5041         return ipc_has_perm(ipcp, av);
5042 }
5043
5044 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5045 {
5046         struct ipc_security_struct *isec = ipcp->security;
5047         *secid = isec->sid;
5048 }
5049
5050 /* module stacking operations */
5051 static int selinux_register_security(const char *name, struct security_operations *ops)
5052 {
5053         if (secondary_ops != original_ops) {
5054                 printk(KERN_ERR "%s:  There is already a secondary security "
5055                        "module registered.\n", __func__);
5056                 return -EINVAL;
5057         }
5058
5059         secondary_ops = ops;
5060
5061         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5062                __func__,
5063                name);
5064
5065         return 0;
5066 }
5067
5068 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5069 {
5070         if (inode)
5071                 inode_doinit_with_dentry(inode, dentry);
5072 }
5073
5074 static int selinux_getprocattr(struct task_struct *p,
5075                                char *name, char **value)
5076 {
5077         struct task_security_struct *tsec;
5078         u32 sid;
5079         int error;
5080         unsigned len;
5081
5082         if (current != p) {
5083                 error = task_has_perm(current, p, PROCESS__GETATTR);
5084                 if (error)
5085                         return error;
5086         }
5087
5088         tsec = p->security;
5089
5090         if (!strcmp(name, "current"))
5091                 sid = tsec->sid;
5092         else if (!strcmp(name, "prev"))
5093                 sid = tsec->osid;
5094         else if (!strcmp(name, "exec"))
5095                 sid = tsec->exec_sid;
5096         else if (!strcmp(name, "fscreate"))
5097                 sid = tsec->create_sid;
5098         else if (!strcmp(name, "keycreate"))
5099                 sid = tsec->keycreate_sid;
5100         else if (!strcmp(name, "sockcreate"))
5101                 sid = tsec->sockcreate_sid;
5102         else
5103                 return -EINVAL;
5104
5105         if (!sid)
5106                 return 0;
5107
5108         error = security_sid_to_context(sid, value, &len);
5109         if (error)
5110                 return error;
5111         return len;
5112 }
5113
5114 static int selinux_setprocattr(struct task_struct *p,
5115                                char *name, void *value, size_t size)
5116 {
5117         struct task_security_struct *tsec;
5118         struct task_struct *tracer;
5119         u32 sid = 0;
5120         int error;
5121         char *str = value;
5122
5123         if (current != p) {
5124                 /* SELinux only allows a process to change its own
5125                    security attributes. */
5126                 return -EACCES;
5127         }
5128
5129         /*
5130          * Basic control over ability to set these attributes at all.
5131          * current == p, but we'll pass them separately in case the
5132          * above restriction is ever removed.
5133          */
5134         if (!strcmp(name, "exec"))
5135                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5136         else if (!strcmp(name, "fscreate"))
5137                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5138         else if (!strcmp(name, "keycreate"))
5139                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5140         else if (!strcmp(name, "sockcreate"))
5141                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5142         else if (!strcmp(name, "current"))
5143                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5144         else
5145                 error = -EINVAL;
5146         if (error)
5147                 return error;
5148
5149         /* Obtain a SID for the context, if one was specified. */
5150         if (size && str[1] && str[1] != '\n') {
5151                 if (str[size-1] == '\n') {
5152                         str[size-1] = 0;
5153                         size--;
5154                 }
5155                 error = security_context_to_sid(value, size, &sid);
5156                 if (error)
5157                         return error;
5158         }
5159
5160         /* Permission checking based on the specified context is
5161            performed during the actual operation (execve,
5162            open/mkdir/...), when we know the full context of the
5163            operation.  See selinux_bprm_set_security for the execve
5164            checks and may_create for the file creation checks. The
5165            operation will then fail if the context is not permitted. */
5166         tsec = p->security;
5167         if (!strcmp(name, "exec"))
5168                 tsec->exec_sid = sid;
5169         else if (!strcmp(name, "fscreate"))
5170                 tsec->create_sid = sid;
5171         else if (!strcmp(name, "keycreate")) {
5172                 error = may_create_key(sid, p);
5173                 if (error)
5174                         return error;
5175                 tsec->keycreate_sid = sid;
5176         } else if (!strcmp(name, "sockcreate"))
5177                 tsec->sockcreate_sid = sid;
5178         else if (!strcmp(name, "current")) {
5179                 struct av_decision avd;
5180
5181                 if (sid == 0)
5182                         return -EINVAL;
5183
5184                 /* Only allow single threaded processes to change context */
5185                 if (atomic_read(&p->mm->mm_users) != 1) {
5186                         struct task_struct *g, *t;
5187                         struct mm_struct *mm = p->mm;
5188                         read_lock(&tasklist_lock);
5189                         do_each_thread(g, t)
5190                                 if (t->mm == mm && t != p) {
5191                                         read_unlock(&tasklist_lock);
5192                                         return -EPERM;
5193                                 }
5194                         while_each_thread(g, t);
5195                         read_unlock(&tasklist_lock);
5196                 }
5197
5198                 /* Check permissions for the transition. */
5199                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5200                                      PROCESS__DYNTRANSITION, NULL);
5201                 if (error)
5202                         return error;
5203
5204                 /* Check for ptracing, and update the task SID if ok.
5205                    Otherwise, leave SID unchanged and fail. */
5206                 task_lock(p);
5207                 rcu_read_lock();
5208                 tracer = task_tracer_task(p);
5209                 if (tracer != NULL) {
5210                         struct task_security_struct *ptsec = tracer->security;
5211                         u32 ptsid = ptsec->sid;
5212                         rcu_read_unlock();
5213                         error = avc_has_perm_noaudit(ptsid, sid,
5214                                                      SECCLASS_PROCESS,
5215                                                      PROCESS__PTRACE, 0, &avd);
5216                         if (!error)
5217                                 tsec->sid = sid;
5218                         task_unlock(p);
5219                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5220                                   PROCESS__PTRACE, &avd, error, NULL);
5221                         if (error)
5222                                 return error;
5223                 } else {
5224                         rcu_read_unlock();
5225                         tsec->sid = sid;
5226                         task_unlock(p);
5227                 }
5228         } else
5229                 return -EINVAL;
5230
5231         return size;
5232 }
5233
5234 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5235 {
5236         return security_sid_to_context(secid, secdata, seclen);
5237 }
5238
5239 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5240 {
5241         return security_context_to_sid(secdata, seclen, secid);
5242 }
5243
5244 static void selinux_release_secctx(char *secdata, u32 seclen)
5245 {
5246         kfree(secdata);
5247 }
5248
5249 #ifdef CONFIG_KEYS
5250
5251 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5252                              unsigned long flags)
5253 {
5254         struct task_security_struct *tsec = tsk->security;
5255         struct key_security_struct *ksec;
5256
5257         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5258         if (!ksec)
5259                 return -ENOMEM;
5260
5261         if (tsec->keycreate_sid)
5262                 ksec->sid = tsec->keycreate_sid;
5263         else
5264                 ksec->sid = tsec->sid;
5265         k->security = ksec;
5266
5267         return 0;
5268 }
5269
5270 static void selinux_key_free(struct key *k)
5271 {
5272         struct key_security_struct *ksec = k->security;
5273
5274         k->security = NULL;
5275         kfree(ksec);
5276 }
5277
5278 static int selinux_key_permission(key_ref_t key_ref,
5279                             struct task_struct *ctx,
5280                             key_perm_t perm)
5281 {
5282         struct key *key;
5283         struct task_security_struct *tsec;
5284         struct key_security_struct *ksec;
5285
5286         key = key_ref_to_ptr(key_ref);
5287
5288         tsec = ctx->security;
5289         ksec = key->security;
5290
5291         /* if no specific permissions are requested, we skip the
5292            permission check. No serious, additional covert channels
5293            appear to be created. */
5294         if (perm == 0)
5295                 return 0;
5296
5297         return avc_has_perm(tsec->sid, ksec->sid,
5298                             SECCLASS_KEY, perm, NULL);
5299 }
5300
5301 #endif
5302
5303 static struct security_operations selinux_ops = {
5304         .name =                         "selinux",
5305
5306         .ptrace =                       selinux_ptrace,
5307         .capget =                       selinux_capget,
5308         .capset_check =                 selinux_capset_check,
5309         .capset_set =                   selinux_capset_set,
5310         .sysctl =                       selinux_sysctl,
5311         .capable =                      selinux_capable,
5312         .quotactl =                     selinux_quotactl,
5313         .quota_on =                     selinux_quota_on,
5314         .syslog =                       selinux_syslog,
5315         .vm_enough_memory =             selinux_vm_enough_memory,
5316
5317         .netlink_send =                 selinux_netlink_send,
5318         .netlink_recv =                 selinux_netlink_recv,
5319
5320         .bprm_alloc_security =          selinux_bprm_alloc_security,
5321         .bprm_free_security =           selinux_bprm_free_security,
5322         .bprm_apply_creds =             selinux_bprm_apply_creds,
5323         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5324         .bprm_set_security =            selinux_bprm_set_security,
5325         .bprm_check_security =          selinux_bprm_check_security,
5326         .bprm_secureexec =              selinux_bprm_secureexec,
5327
5328         .sb_alloc_security =            selinux_sb_alloc_security,
5329         .sb_free_security =             selinux_sb_free_security,
5330         .sb_copy_data =                 selinux_sb_copy_data,
5331         .sb_kern_mount =                selinux_sb_kern_mount,
5332         .sb_statfs =                    selinux_sb_statfs,
5333         .sb_mount =                     selinux_mount,
5334         .sb_umount =                    selinux_umount,
5335         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5336         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5337         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5338         .sb_parse_opts_str =            selinux_parse_opts_str,
5339
5340
5341         .inode_alloc_security =         selinux_inode_alloc_security,
5342         .inode_free_security =          selinux_inode_free_security,
5343         .inode_init_security =          selinux_inode_init_security,
5344         .inode_create =                 selinux_inode_create,
5345         .inode_link =                   selinux_inode_link,
5346         .inode_unlink =                 selinux_inode_unlink,
5347         .inode_symlink =                selinux_inode_symlink,
5348         .inode_mkdir =                  selinux_inode_mkdir,
5349         .inode_rmdir =                  selinux_inode_rmdir,
5350         .inode_mknod =                  selinux_inode_mknod,
5351         .inode_rename =                 selinux_inode_rename,
5352         .inode_readlink =               selinux_inode_readlink,
5353         .inode_follow_link =            selinux_inode_follow_link,
5354         .inode_permission =             selinux_inode_permission,
5355         .inode_setattr =                selinux_inode_setattr,
5356         .inode_getattr =                selinux_inode_getattr,
5357         .inode_setxattr =               selinux_inode_setxattr,
5358         .inode_post_setxattr =          selinux_inode_post_setxattr,
5359         .inode_getxattr =               selinux_inode_getxattr,
5360         .inode_listxattr =              selinux_inode_listxattr,
5361         .inode_removexattr =            selinux_inode_removexattr,
5362         .inode_getsecurity =            selinux_inode_getsecurity,
5363         .inode_setsecurity =            selinux_inode_setsecurity,
5364         .inode_listsecurity =           selinux_inode_listsecurity,
5365         .inode_need_killpriv =          selinux_inode_need_killpriv,
5366         .inode_killpriv =               selinux_inode_killpriv,
5367         .inode_getsecid =               selinux_inode_getsecid,
5368
5369         .file_permission =              selinux_file_permission,
5370         .file_alloc_security =          selinux_file_alloc_security,
5371         .file_free_security =           selinux_file_free_security,
5372         .file_ioctl =                   selinux_file_ioctl,
5373         .file_mmap =                    selinux_file_mmap,
5374         .file_mprotect =                selinux_file_mprotect,
5375         .file_lock =                    selinux_file_lock,
5376         .file_fcntl =                   selinux_file_fcntl,
5377         .file_set_fowner =              selinux_file_set_fowner,
5378         .file_send_sigiotask =          selinux_file_send_sigiotask,
5379         .file_receive =                 selinux_file_receive,
5380
5381         .dentry_open =                  selinux_dentry_open,
5382
5383         .task_create =                  selinux_task_create,
5384         .task_alloc_security =          selinux_task_alloc_security,
5385         .task_free_security =           selinux_task_free_security,
5386         .task_setuid =                  selinux_task_setuid,
5387         .task_post_setuid =             selinux_task_post_setuid,
5388         .task_setgid =                  selinux_task_setgid,
5389         .task_setpgid =                 selinux_task_setpgid,
5390         .task_getpgid =                 selinux_task_getpgid,
5391         .task_getsid =                  selinux_task_getsid,
5392         .task_getsecid =                selinux_task_getsecid,
5393         .task_setgroups =               selinux_task_setgroups,
5394         .task_setnice =                 selinux_task_setnice,
5395         .task_setioprio =               selinux_task_setioprio,
5396         .task_getioprio =               selinux_task_getioprio,
5397         .task_setrlimit =               selinux_task_setrlimit,
5398         .task_setscheduler =            selinux_task_setscheduler,
5399         .task_getscheduler =            selinux_task_getscheduler,
5400         .task_movememory =              selinux_task_movememory,
5401         .task_kill =                    selinux_task_kill,
5402         .task_wait =                    selinux_task_wait,
5403         .task_prctl =                   selinux_task_prctl,
5404         .task_reparent_to_init =        selinux_task_reparent_to_init,
5405         .task_to_inode =                selinux_task_to_inode,
5406
5407         .ipc_permission =               selinux_ipc_permission,
5408         .ipc_getsecid =                 selinux_ipc_getsecid,
5409
5410         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5411         .msg_msg_free_security =        selinux_msg_msg_free_security,
5412
5413         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5414         .msg_queue_free_security =      selinux_msg_queue_free_security,
5415         .msg_queue_associate =          selinux_msg_queue_associate,
5416         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5417         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5418         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5419
5420         .shm_alloc_security =           selinux_shm_alloc_security,
5421         .shm_free_security =            selinux_shm_free_security,
5422         .shm_associate =                selinux_shm_associate,
5423         .shm_shmctl =                   selinux_shm_shmctl,
5424         .shm_shmat =                    selinux_shm_shmat,
5425
5426         .sem_alloc_security =           selinux_sem_alloc_security,
5427         .sem_free_security =            selinux_sem_free_security,
5428         .sem_associate =                selinux_sem_associate,
5429         .sem_semctl =                   selinux_sem_semctl,
5430         .sem_semop =                    selinux_sem_semop,
5431
5432         .register_security =            selinux_register_security,
5433
5434         .d_instantiate =                selinux_d_instantiate,
5435
5436         .getprocattr =                  selinux_getprocattr,
5437         .setprocattr =                  selinux_setprocattr,
5438
5439         .secid_to_secctx =              selinux_secid_to_secctx,
5440         .secctx_to_secid =              selinux_secctx_to_secid,
5441         .release_secctx =               selinux_release_secctx,
5442
5443         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5444         .unix_may_send =                selinux_socket_unix_may_send,
5445
5446         .socket_create =                selinux_socket_create,
5447         .socket_post_create =           selinux_socket_post_create,
5448         .socket_bind =                  selinux_socket_bind,
5449         .socket_connect =               selinux_socket_connect,
5450         .socket_listen =                selinux_socket_listen,
5451         .socket_accept =                selinux_socket_accept,
5452         .socket_sendmsg =               selinux_socket_sendmsg,
5453         .socket_recvmsg =               selinux_socket_recvmsg,
5454         .socket_getsockname =           selinux_socket_getsockname,
5455         .socket_getpeername =           selinux_socket_getpeername,
5456         .socket_getsockopt =            selinux_socket_getsockopt,
5457         .socket_setsockopt =            selinux_socket_setsockopt,
5458         .socket_shutdown =              selinux_socket_shutdown,
5459         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5460         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5461         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5462         .sk_alloc_security =            selinux_sk_alloc_security,
5463         .sk_free_security =             selinux_sk_free_security,
5464         .sk_clone_security =            selinux_sk_clone_security,
5465         .sk_getsecid =                  selinux_sk_getsecid,
5466         .sock_graft =                   selinux_sock_graft,
5467         .inet_conn_request =            selinux_inet_conn_request,
5468         .inet_csk_clone =               selinux_inet_csk_clone,
5469         .inet_conn_established =        selinux_inet_conn_established,
5470         .req_classify_flow =            selinux_req_classify_flow,
5471
5472 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5473         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5474         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5475         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5476         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5477         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5478         .xfrm_state_free_security =     selinux_xfrm_state_free,
5479         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5480         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5481         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5482         .xfrm_decode_session =          selinux_xfrm_decode_session,
5483 #endif
5484
5485 #ifdef CONFIG_KEYS
5486         .key_alloc =                    selinux_key_alloc,
5487         .key_free =                     selinux_key_free,
5488         .key_permission =               selinux_key_permission,
5489 #endif
5490
5491 #ifdef CONFIG_AUDIT
5492         .audit_rule_init =              selinux_audit_rule_init,
5493         .audit_rule_known =             selinux_audit_rule_known,
5494         .audit_rule_match =             selinux_audit_rule_match,
5495         .audit_rule_free =              selinux_audit_rule_free,
5496 #endif
5497 };
5498
5499 static __init int selinux_init(void)
5500 {
5501         struct task_security_struct *tsec;
5502
5503         if (!security_module_enable(&selinux_ops)) {
5504                 selinux_enabled = 0;
5505                 return 0;
5506         }
5507
5508         if (!selinux_enabled) {
5509                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5510                 return 0;
5511         }
5512
5513         printk(KERN_INFO "SELinux:  Initializing.\n");
5514
5515         /* Set the security state for the initial task. */
5516         if (task_alloc_security(current))
5517                 panic("SELinux:  Failed to initialize initial task.\n");
5518         tsec = current->security;
5519         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5520
5521         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5522                                             sizeof(struct inode_security_struct),
5523                                             0, SLAB_PANIC, NULL);
5524         avc_init();
5525
5526         original_ops = secondary_ops = security_ops;
5527         if (!secondary_ops)
5528                 panic("SELinux: No initial security operations\n");
5529         if (register_security(&selinux_ops))
5530                 panic("SELinux: Unable to register with kernel.\n");
5531
5532         if (selinux_enforcing)
5533                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5534         else
5535                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5536
5537 #ifdef CONFIG_KEYS
5538         /* Add security information to initial keyrings */
5539         selinux_key_alloc(&root_user_keyring, current,
5540                           KEY_ALLOC_NOT_IN_QUOTA);
5541         selinux_key_alloc(&root_session_keyring, current,
5542                           KEY_ALLOC_NOT_IN_QUOTA);
5543 #endif
5544
5545         return 0;
5546 }
5547
5548 void selinux_complete_init(void)
5549 {
5550         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5551
5552         /* Set up any superblocks initialized prior to the policy load. */
5553         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5554         spin_lock(&sb_lock);
5555         spin_lock(&sb_security_lock);
5556 next_sb:
5557         if (!list_empty(&superblock_security_head)) {
5558                 struct superblock_security_struct *sbsec =
5559                                 list_entry(superblock_security_head.next,
5560                                            struct superblock_security_struct,
5561                                            list);
5562                 struct super_block *sb = sbsec->sb;
5563                 sb->s_count++;
5564                 spin_unlock(&sb_security_lock);
5565                 spin_unlock(&sb_lock);
5566                 down_read(&sb->s_umount);
5567                 if (sb->s_root)
5568                         superblock_doinit(sb, NULL);
5569                 drop_super(sb);
5570                 spin_lock(&sb_lock);
5571                 spin_lock(&sb_security_lock);
5572                 list_del_init(&sbsec->list);
5573                 goto next_sb;
5574         }
5575         spin_unlock(&sb_security_lock);
5576         spin_unlock(&sb_lock);
5577 }
5578
5579 /* SELinux requires early initialization in order to label
5580    all processes and objects when they are created. */
5581 security_initcall(selinux_init);
5582
5583 #if defined(CONFIG_NETFILTER)
5584
5585 static struct nf_hook_ops selinux_ipv4_ops[] = {
5586         {
5587                 .hook =         selinux_ipv4_postroute,
5588                 .owner =        THIS_MODULE,
5589                 .pf =           PF_INET,
5590                 .hooknum =      NF_INET_POST_ROUTING,
5591                 .priority =     NF_IP_PRI_SELINUX_LAST,
5592         },
5593         {
5594                 .hook =         selinux_ipv4_forward,
5595                 .owner =        THIS_MODULE,
5596                 .pf =           PF_INET,
5597                 .hooknum =      NF_INET_FORWARD,
5598                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5599         }
5600 };
5601
5602 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5603
5604 static struct nf_hook_ops selinux_ipv6_ops[] = {
5605         {
5606                 .hook =         selinux_ipv6_postroute,
5607                 .owner =        THIS_MODULE,
5608                 .pf =           PF_INET6,
5609                 .hooknum =      NF_INET_POST_ROUTING,
5610                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5611         },
5612         {
5613                 .hook =         selinux_ipv6_forward,
5614                 .owner =        THIS_MODULE,
5615                 .pf =           PF_INET6,
5616                 .hooknum =      NF_INET_FORWARD,
5617                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5618         }
5619 };
5620
5621 #endif  /* IPV6 */
5622
5623 static int __init selinux_nf_ip_init(void)
5624 {
5625         int err = 0;
5626         u32 iter;
5627
5628         if (!selinux_enabled)
5629                 goto out;
5630
5631         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5632
5633         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5634                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5635                 if (err)
5636                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5637                               err);
5638         }
5639
5640 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5641         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5642                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5643                 if (err)
5644                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5645                               err);
5646         }
5647 #endif  /* IPV6 */
5648
5649 out:
5650         return err;
5651 }
5652
5653 __initcall(selinux_nf_ip_init);
5654
5655 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5656 static void selinux_nf_ip_exit(void)
5657 {
5658         u32 iter;
5659
5660         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5661
5662         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5663                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5664 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5665         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5666                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5667 #endif  /* IPV6 */
5668 }
5669 #endif
5670
5671 #else /* CONFIG_NETFILTER */
5672
5673 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5674 #define selinux_nf_ip_exit()
5675 #endif
5676
5677 #endif /* CONFIG_NETFILTER */
5678
5679 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5680 static int selinux_disabled;
5681
5682 int selinux_disable(void)
5683 {
5684         extern void exit_sel_fs(void);
5685
5686         if (ss_initialized) {
5687                 /* Not permitted after initial policy load. */
5688                 return -EINVAL;
5689         }
5690
5691         if (selinux_disabled) {
5692                 /* Only do this once. */
5693                 return -EINVAL;
5694         }
5695
5696         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5697
5698         selinux_disabled = 1;
5699         selinux_enabled = 0;
5700
5701         /* Reset security_ops to the secondary module, dummy or capability. */
5702         security_ops = secondary_ops;
5703
5704         /* Unregister netfilter hooks. */
5705         selinux_nf_ip_exit();
5706
5707         /* Unregister selinuxfs. */
5708         exit_sel_fs();
5709
5710         return 0;
5711 }
5712 #endif