[PATCH] remove the inode_post_link and inode_post_rename LSM hooks
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         memset(tsec, 0, sizeof(struct task_security_struct));
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         memset(isec, 0, sizeof(struct inode_security_struct));
159         init_MUTEX(&isec->sem);
160         INIT_LIST_HEAD(&isec->list);
161         isec->magic = SELINUX_MAGIC;
162         isec->inode = inode;
163         isec->sid = SECINITSID_UNLABELED;
164         isec->sclass = SECCLASS_FILE;
165         if (tsec && tsec->magic == SELINUX_MAGIC)
166                 isec->task_sid = tsec->sid;
167         else
168                 isec->task_sid = SECINITSID_UNLABELED;
169         inode->i_security = isec;
170
171         return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176         struct inode_security_struct *isec = inode->i_security;
177         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179         if (!isec || isec->magic != SELINUX_MAGIC)
180                 return;
181
182         spin_lock(&sbsec->isec_lock);
183         if (!list_empty(&isec->list))
184                 list_del_init(&isec->list);
185         spin_unlock(&sbsec->isec_lock);
186
187         inode->i_security = NULL;
188         kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193         struct task_security_struct *tsec = current->security;
194         struct file_security_struct *fsec;
195
196         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197         if (!fsec)
198                 return -ENOMEM;
199
200         memset(fsec, 0, sizeof(struct file_security_struct));
201         fsec->magic = SELINUX_MAGIC;
202         fsec->file = file;
203         if (tsec && tsec->magic == SELINUX_MAGIC) {
204                 fsec->sid = tsec->sid;
205                 fsec->fown_sid = tsec->sid;
206         } else {
207                 fsec->sid = SECINITSID_UNLABELED;
208                 fsec->fown_sid = SECINITSID_UNLABELED;
209         }
210         file->f_security = fsec;
211
212         return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217         struct file_security_struct *fsec = file->f_security;
218
219         if (!fsec || fsec->magic != SELINUX_MAGIC)
220                 return;
221
222         file->f_security = NULL;
223         kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228         struct superblock_security_struct *sbsec;
229
230         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231         if (!sbsec)
232                 return -ENOMEM;
233
234         memset(sbsec, 0, sizeof(struct superblock_security_struct));
235         init_MUTEX(&sbsec->sem);
236         INIT_LIST_HEAD(&sbsec->list);
237         INIT_LIST_HEAD(&sbsec->isec_head);
238         spin_lock_init(&sbsec->isec_lock);
239         sbsec->magic = SELINUX_MAGIC;
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253                 return;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267         struct sk_security_struct *ssec;
268
269         if (family != PF_UNIX)
270                 return 0;
271
272         ssec = kmalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         memset(ssec, 0, sizeof(*ssec));
277         ssec->magic = SELINUX_MAGIC;
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295 #endif  /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 {
635         switch (family) {
636         case PF_UNIX:
637                 switch (type) {
638                 case SOCK_STREAM:
639                 case SOCK_SEQPACKET:
640                         return SECCLASS_UNIX_STREAM_SOCKET;
641                 case SOCK_DGRAM:
642                         return SECCLASS_UNIX_DGRAM_SOCKET;
643                 }
644                 break;
645         case PF_INET:
646         case PF_INET6:
647                 switch (type) {
648                 case SOCK_STREAM:
649                         return SECCLASS_TCP_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UDP_SOCKET;
652                 case SOCK_RAW:
653                         return SECCLASS_RAWIP_SOCKET;
654                 }
655                 break;
656         case PF_NETLINK:
657                 switch (protocol) {
658                 case NETLINK_ROUTE:
659                         return SECCLASS_NETLINK_ROUTE_SOCKET;
660                 case NETLINK_FIREWALL:
661                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
662                 case NETLINK_INET_DIAG:
663                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664                 case NETLINK_NFLOG:
665                         return SECCLASS_NETLINK_NFLOG_SOCKET;
666                 case NETLINK_XFRM:
667                         return SECCLASS_NETLINK_XFRM_SOCKET;
668                 case NETLINK_SELINUX:
669                         return SECCLASS_NETLINK_SELINUX_SOCKET;
670                 case NETLINK_AUDIT:
671                         return SECCLASS_NETLINK_AUDIT_SOCKET;
672                 case NETLINK_IP6_FW:
673                         return SECCLASS_NETLINK_IP6FW_SOCKET;
674                 case NETLINK_DNRTMSG:
675                         return SECCLASS_NETLINK_DNRT_SOCKET;
676                 case NETLINK_KOBJECT_UEVENT:
677                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
678                 default:
679                         return SECCLASS_NETLINK_SOCKET;
680                 }
681         case PF_PACKET:
682                 return SECCLASS_PACKET_SOCKET;
683         case PF_KEY:
684                 return SECCLASS_KEY_SOCKET;
685         }
686
687         return SECCLASS_SOCKET;
688 }
689
690 #ifdef CONFIG_PROC_FS
691 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692                                 u16 tclass,
693                                 u32 *sid)
694 {
695         int buflen, rc;
696         char *buffer, *path, *end;
697
698         buffer = (char*)__get_free_page(GFP_KERNEL);
699         if (!buffer)
700                 return -ENOMEM;
701
702         buflen = PAGE_SIZE;
703         end = buffer+buflen;
704         *--end = '\0';
705         buflen--;
706         path = end-1;
707         *path = '/';
708         while (de && de != de->parent) {
709                 buflen -= de->namelen + 1;
710                 if (buflen < 0)
711                         break;
712                 end -= de->namelen;
713                 memcpy(end, de->name, de->namelen);
714                 *--end = '/';
715                 path = end;
716                 de = de->parent;
717         }
718         rc = security_genfs_sid("proc", path, tclass, sid);
719         free_page((unsigned long)buffer);
720         return rc;
721 }
722 #else
723 static int selinux_proc_get_sid(struct proc_dir_entry *de,
724                                 u16 tclass,
725                                 u32 *sid)
726 {
727         return -EINVAL;
728 }
729 #endif
730
731 /* The inode's security attributes must be initialized before first use. */
732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
733 {
734         struct superblock_security_struct *sbsec = NULL;
735         struct inode_security_struct *isec = inode->i_security;
736         u32 sid;
737         struct dentry *dentry;
738 #define INITCONTEXTLEN 255
739         char *context = NULL;
740         unsigned len = 0;
741         int rc = 0;
742         int hold_sem = 0;
743
744         if (isec->initialized)
745                 goto out;
746
747         down(&isec->sem);
748         hold_sem = 1;
749         if (isec->initialized)
750                 goto out;
751
752         sbsec = inode->i_sb->s_security;
753         if (!sbsec->initialized) {
754                 /* Defer initialization until selinux_complete_init,
755                    after the initial policy is loaded and the security
756                    server is ready to handle calls. */
757                 spin_lock(&sbsec->isec_lock);
758                 if (list_empty(&isec->list))
759                         list_add(&isec->list, &sbsec->isec_head);
760                 spin_unlock(&sbsec->isec_lock);
761                 goto out;
762         }
763
764         switch (sbsec->behavior) {
765         case SECURITY_FS_USE_XATTR:
766                 if (!inode->i_op->getxattr) {
767                         isec->sid = sbsec->def_sid;
768                         break;
769                 }
770
771                 /* Need a dentry, since the xattr API requires one.
772                    Life would be simpler if we could just pass the inode. */
773                 if (opt_dentry) {
774                         /* Called from d_instantiate or d_splice_alias. */
775                         dentry = dget(opt_dentry);
776                 } else {
777                         /* Called from selinux_complete_init, try to find a dentry. */
778                         dentry = d_find_alias(inode);
779                 }
780                 if (!dentry) {
781                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
782                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783                                inode->i_ino);
784                         goto out;
785                 }
786
787                 len = INITCONTEXTLEN;
788                 context = kmalloc(len, GFP_KERNEL);
789                 if (!context) {
790                         rc = -ENOMEM;
791                         dput(dentry);
792                         goto out;
793                 }
794                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
795                                            context, len);
796                 if (rc == -ERANGE) {
797                         /* Need a larger buffer.  Query for the right size. */
798                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
799                                                    NULL, 0);
800                         if (rc < 0) {
801                                 dput(dentry);
802                                 goto out;
803                         }
804                         kfree(context);
805                         len = rc;
806                         context = kmalloc(len, GFP_KERNEL);
807                         if (!context) {
808                                 rc = -ENOMEM;
809                                 dput(dentry);
810                                 goto out;
811                         }
812                         rc = inode->i_op->getxattr(dentry,
813                                                    XATTR_NAME_SELINUX,
814                                                    context, len);
815                 }
816                 dput(dentry);
817                 if (rc < 0) {
818                         if (rc != -ENODATA) {
819                                 printk(KERN_WARNING "%s:  getxattr returned "
820                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
821                                        -rc, inode->i_sb->s_id, inode->i_ino);
822                                 kfree(context);
823                                 goto out;
824                         }
825                         /* Map ENODATA to the default file SID */
826                         sid = sbsec->def_sid;
827                         rc = 0;
828                 } else {
829                         rc = security_context_to_sid_default(context, rc, &sid,
830                                                              sbsec->def_sid);
831                         if (rc) {
832                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
833                                        "returned %d for dev=%s ino=%ld\n",
834                                        __FUNCTION__, context, -rc,
835                                        inode->i_sb->s_id, inode->i_ino);
836                                 kfree(context);
837                                 /* Leave with the unlabeled SID */
838                                 rc = 0;
839                                 break;
840                         }
841                 }
842                 kfree(context);
843                 isec->sid = sid;
844                 break;
845         case SECURITY_FS_USE_TASK:
846                 isec->sid = isec->task_sid;
847                 break;
848         case SECURITY_FS_USE_TRANS:
849                 /* Default to the fs SID. */
850                 isec->sid = sbsec->sid;
851
852                 /* Try to obtain a transition SID. */
853                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
854                 rc = security_transition_sid(isec->task_sid,
855                                              sbsec->sid,
856                                              isec->sclass,
857                                              &sid);
858                 if (rc)
859                         goto out;
860                 isec->sid = sid;
861                 break;
862         default:
863                 /* Default to the fs SID. */
864                 isec->sid = sbsec->sid;
865
866                 if (sbsec->proc) {
867                         struct proc_inode *proci = PROC_I(inode);
868                         if (proci->pde) {
869                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870                                 rc = selinux_proc_get_sid(proci->pde,
871                                                           isec->sclass,
872                                                           &sid);
873                                 if (rc)
874                                         goto out;
875                                 isec->sid = sid;
876                         }
877                 }
878                 break;
879         }
880
881         isec->initialized = 1;
882
883 out:
884         if (isec->sclass == SECCLASS_FILE)
885                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886
887         if (hold_sem)
888                 up(&isec->sem);
889         return rc;
890 }
891
892 /* Convert a Linux signal to an access vector. */
893 static inline u32 signal_to_av(int sig)
894 {
895         u32 perm = 0;
896
897         switch (sig) {
898         case SIGCHLD:
899                 /* Commonly granted from child to parent. */
900                 perm = PROCESS__SIGCHLD;
901                 break;
902         case SIGKILL:
903                 /* Cannot be caught or ignored */
904                 perm = PROCESS__SIGKILL;
905                 break;
906         case SIGSTOP:
907                 /* Cannot be caught or ignored */
908                 perm = PROCESS__SIGSTOP;
909                 break;
910         default:
911                 /* All other signals. */
912                 perm = PROCESS__SIGNAL;
913                 break;
914         }
915
916         return perm;
917 }
918
919 /* Check permission betweeen a pair of tasks, e.g. signal checks,
920    fork check, ptrace check, etc. */
921 static int task_has_perm(struct task_struct *tsk1,
922                          struct task_struct *tsk2,
923                          u32 perms)
924 {
925         struct task_security_struct *tsec1, *tsec2;
926
927         tsec1 = tsk1->security;
928         tsec2 = tsk2->security;
929         return avc_has_perm(tsec1->sid, tsec2->sid,
930                             SECCLASS_PROCESS, perms, NULL);
931 }
932
933 /* Check whether a task is allowed to use a capability. */
934 static int task_has_capability(struct task_struct *tsk,
935                                int cap)
936 {
937         struct task_security_struct *tsec;
938         struct avc_audit_data ad;
939
940         tsec = tsk->security;
941
942         AVC_AUDIT_DATA_INIT(&ad,CAP);
943         ad.tsk = tsk;
944         ad.u.cap = cap;
945
946         return avc_has_perm(tsec->sid, tsec->sid,
947                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
948 }
949
950 /* Check whether a task is allowed to use a system operation. */
951 static int task_has_system(struct task_struct *tsk,
952                            u32 perms)
953 {
954         struct task_security_struct *tsec;
955
956         tsec = tsk->security;
957
958         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
959                             SECCLASS_SYSTEM, perms, NULL);
960 }
961
962 /* Check whether a task has a particular permission to an inode.
963    The 'adp' parameter is optional and allows other audit
964    data to be passed (e.g. the dentry). */
965 static int inode_has_perm(struct task_struct *tsk,
966                           struct inode *inode,
967                           u32 perms,
968                           struct avc_audit_data *adp)
969 {
970         struct task_security_struct *tsec;
971         struct inode_security_struct *isec;
972         struct avc_audit_data ad;
973
974         tsec = tsk->security;
975         isec = inode->i_security;
976
977         if (!adp) {
978                 adp = &ad;
979                 AVC_AUDIT_DATA_INIT(&ad, FS);
980                 ad.u.fs.inode = inode;
981         }
982
983         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
984 }
985
986 /* Same as inode_has_perm, but pass explicit audit data containing
987    the dentry to help the auditing code to more easily generate the
988    pathname if needed. */
989 static inline int dentry_has_perm(struct task_struct *tsk,
990                                   struct vfsmount *mnt,
991                                   struct dentry *dentry,
992                                   u32 av)
993 {
994         struct inode *inode = dentry->d_inode;
995         struct avc_audit_data ad;
996         AVC_AUDIT_DATA_INIT(&ad,FS);
997         ad.u.fs.mnt = mnt;
998         ad.u.fs.dentry = dentry;
999         return inode_has_perm(tsk, inode, av, &ad);
1000 }
1001
1002 /* Check whether a task can use an open file descriptor to
1003    access an inode in a given way.  Check access to the
1004    descriptor itself, and then use dentry_has_perm to
1005    check a particular permission to the file.
1006    Access to the descriptor is implicitly granted if it
1007    has the same SID as the process.  If av is zero, then
1008    access to the file is not checked, e.g. for cases
1009    where only the descriptor is affected like seek. */
1010 static inline int file_has_perm(struct task_struct *tsk,
1011                                 struct file *file,
1012                                 u32 av)
1013 {
1014         struct task_security_struct *tsec = tsk->security;
1015         struct file_security_struct *fsec = file->f_security;
1016         struct vfsmount *mnt = file->f_vfsmnt;
1017         struct dentry *dentry = file->f_dentry;
1018         struct inode *inode = dentry->d_inode;
1019         struct avc_audit_data ad;
1020         int rc;
1021
1022         AVC_AUDIT_DATA_INIT(&ad, FS);
1023         ad.u.fs.mnt = mnt;
1024         ad.u.fs.dentry = dentry;
1025
1026         if (tsec->sid != fsec->sid) {
1027                 rc = avc_has_perm(tsec->sid, fsec->sid,
1028                                   SECCLASS_FD,
1029                                   FD__USE,
1030                                   &ad);
1031                 if (rc)
1032                         return rc;
1033         }
1034
1035         /* av is zero if only checking access to the descriptor. */
1036         if (av)
1037                 return inode_has_perm(tsk, inode, av, &ad);
1038
1039         return 0;
1040 }
1041
1042 /* Check whether a task can create a file. */
1043 static int may_create(struct inode *dir,
1044                       struct dentry *dentry,
1045                       u16 tclass)
1046 {
1047         struct task_security_struct *tsec;
1048         struct inode_security_struct *dsec;
1049         struct superblock_security_struct *sbsec;
1050         u32 newsid;
1051         struct avc_audit_data ad;
1052         int rc;
1053
1054         tsec = current->security;
1055         dsec = dir->i_security;
1056         sbsec = dir->i_sb->s_security;
1057
1058         AVC_AUDIT_DATA_INIT(&ad, FS);
1059         ad.u.fs.dentry = dentry;
1060
1061         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1062                           DIR__ADD_NAME | DIR__SEARCH,
1063                           &ad);
1064         if (rc)
1065                 return rc;
1066
1067         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1068                 newsid = tsec->create_sid;
1069         } else {
1070                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1071                                              &newsid);
1072                 if (rc)
1073                         return rc;
1074         }
1075
1076         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1077         if (rc)
1078                 return rc;
1079
1080         return avc_has_perm(newsid, sbsec->sid,
1081                             SECCLASS_FILESYSTEM,
1082                             FILESYSTEM__ASSOCIATE, &ad);
1083 }
1084
1085 #define MAY_LINK   0
1086 #define MAY_UNLINK 1
1087 #define MAY_RMDIR  2
1088
1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1090 static int may_link(struct inode *dir,
1091                     struct dentry *dentry,
1092                     int kind)
1093
1094 {
1095         struct task_security_struct *tsec;
1096         struct inode_security_struct *dsec, *isec;
1097         struct avc_audit_data ad;
1098         u32 av;
1099         int rc;
1100
1101         tsec = current->security;
1102         dsec = dir->i_security;
1103         isec = dentry->d_inode->i_security;
1104
1105         AVC_AUDIT_DATA_INIT(&ad, FS);
1106         ad.u.fs.dentry = dentry;
1107
1108         av = DIR__SEARCH;
1109         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1110         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111         if (rc)
1112                 return rc;
1113
1114         switch (kind) {
1115         case MAY_LINK:
1116                 av = FILE__LINK;
1117                 break;
1118         case MAY_UNLINK:
1119                 av = FILE__UNLINK;
1120                 break;
1121         case MAY_RMDIR:
1122                 av = DIR__RMDIR;
1123                 break;
1124         default:
1125                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1126                 return 0;
1127         }
1128
1129         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1130         return rc;
1131 }
1132
1133 static inline int may_rename(struct inode *old_dir,
1134                              struct dentry *old_dentry,
1135                              struct inode *new_dir,
1136                              struct dentry *new_dentry)
1137 {
1138         struct task_security_struct *tsec;
1139         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1140         struct avc_audit_data ad;
1141         u32 av;
1142         int old_is_dir, new_is_dir;
1143         int rc;
1144
1145         tsec = current->security;
1146         old_dsec = old_dir->i_security;
1147         old_isec = old_dentry->d_inode->i_security;
1148         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1149         new_dsec = new_dir->i_security;
1150
1151         AVC_AUDIT_DATA_INIT(&ad, FS);
1152
1153         ad.u.fs.dentry = old_dentry;
1154         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1155                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1156         if (rc)
1157                 return rc;
1158         rc = avc_has_perm(tsec->sid, old_isec->sid,
1159                           old_isec->sclass, FILE__RENAME, &ad);
1160         if (rc)
1161                 return rc;
1162         if (old_is_dir && new_dir != old_dir) {
1163                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1164                                   old_isec->sclass, DIR__REPARENT, &ad);
1165                 if (rc)
1166                         return rc;
1167         }
1168
1169         ad.u.fs.dentry = new_dentry;
1170         av = DIR__ADD_NAME | DIR__SEARCH;
1171         if (new_dentry->d_inode)
1172                 av |= DIR__REMOVE_NAME;
1173         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1174         if (rc)
1175                 return rc;
1176         if (new_dentry->d_inode) {
1177                 new_isec = new_dentry->d_inode->i_security;
1178                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1179                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180                                   new_isec->sclass,
1181                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         return 0;
1187 }
1188
1189 /* Check whether a task can perform a filesystem operation. */
1190 static int superblock_has_perm(struct task_struct *tsk,
1191                                struct super_block *sb,
1192                                u32 perms,
1193                                struct avc_audit_data *ad)
1194 {
1195         struct task_security_struct *tsec;
1196         struct superblock_security_struct *sbsec;
1197
1198         tsec = tsk->security;
1199         sbsec = sb->s_security;
1200         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1201                             perms, ad);
1202 }
1203
1204 /* Convert a Linux mode and permission mask to an access vector. */
1205 static inline u32 file_mask_to_av(int mode, int mask)
1206 {
1207         u32 av = 0;
1208
1209         if ((mode & S_IFMT) != S_IFDIR) {
1210                 if (mask & MAY_EXEC)
1211                         av |= FILE__EXECUTE;
1212                 if (mask & MAY_READ)
1213                         av |= FILE__READ;
1214
1215                 if (mask & MAY_APPEND)
1216                         av |= FILE__APPEND;
1217                 else if (mask & MAY_WRITE)
1218                         av |= FILE__WRITE;
1219
1220         } else {
1221                 if (mask & MAY_EXEC)
1222                         av |= DIR__SEARCH;
1223                 if (mask & MAY_WRITE)
1224                         av |= DIR__WRITE;
1225                 if (mask & MAY_READ)
1226                         av |= DIR__READ;
1227         }
1228
1229         return av;
1230 }
1231
1232 /* Convert a Linux file to an access vector. */
1233 static inline u32 file_to_av(struct file *file)
1234 {
1235         u32 av = 0;
1236
1237         if (file->f_mode & FMODE_READ)
1238                 av |= FILE__READ;
1239         if (file->f_mode & FMODE_WRITE) {
1240                 if (file->f_flags & O_APPEND)
1241                         av |= FILE__APPEND;
1242                 else
1243                         av |= FILE__WRITE;
1244         }
1245
1246         return av;
1247 }
1248
1249 /* Set an inode's SID to a specified value. */
1250 static int inode_security_set_sid(struct inode *inode, u32 sid)
1251 {
1252         struct inode_security_struct *isec = inode->i_security;
1253         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254
1255         if (!sbsec->initialized) {
1256                 /* Defer initialization to selinux_complete_init. */
1257                 return 0;
1258         }
1259
1260         down(&isec->sem);
1261         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262         isec->sid = sid;
1263         isec->initialized = 1;
1264         up(&isec->sem);
1265         return 0;
1266 }
1267
1268 /* Hook functions begin here. */
1269
1270 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1271 {
1272         struct task_security_struct *psec = parent->security;
1273         struct task_security_struct *csec = child->security;
1274         int rc;
1275
1276         rc = secondary_ops->ptrace(parent,child);
1277         if (rc)
1278                 return rc;
1279
1280         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1281         /* Save the SID of the tracing process for later use in apply_creds. */
1282         if (!rc)
1283                 csec->ptrace_sid = psec->sid;
1284         return rc;
1285 }
1286
1287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1288                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1289 {
1290         int error;
1291
1292         error = task_has_perm(current, target, PROCESS__GETCAP);
1293         if (error)
1294                 return error;
1295
1296         return secondary_ops->capget(target, effective, inheritable, permitted);
1297 }
1298
1299 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1300                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1305         if (error)
1306                 return error;
1307
1308         return task_has_perm(current, target, PROCESS__SETCAP);
1309 }
1310
1311 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1312                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         secondary_ops->capset_set(target, effective, inheritable, permitted);
1315 }
1316
1317 static int selinux_capable(struct task_struct *tsk, int cap)
1318 {
1319         int rc;
1320
1321         rc = secondary_ops->capable(tsk, cap);
1322         if (rc)
1323                 return rc;
1324
1325         return task_has_capability(tsk,cap);
1326 }
1327
1328 static int selinux_sysctl(ctl_table *table, int op)
1329 {
1330         int error = 0;
1331         u32 av;
1332         struct task_security_struct *tsec;
1333         u32 tsid;
1334         int rc;
1335
1336         rc = secondary_ops->sysctl(table, op);
1337         if (rc)
1338                 return rc;
1339
1340         tsec = current->security;
1341
1342         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1343                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1344         if (rc) {
1345                 /* Default to the well-defined sysctl SID. */
1346                 tsid = SECINITSID_SYSCTL;
1347         }
1348
1349         /* The op values are "defined" in sysctl.c, thereby creating
1350          * a bad coupling between this module and sysctl.c */
1351         if(op == 001) {
1352                 error = avc_has_perm(tsec->sid, tsid,
1353                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1354         } else {
1355                 av = 0;
1356                 if (op & 004)
1357                         av |= FILE__READ;
1358                 if (op & 002)
1359                         av |= FILE__WRITE;
1360                 if (av)
1361                         error = avc_has_perm(tsec->sid, tsid,
1362                                              SECCLASS_FILE, av, NULL);
1363         }
1364
1365         return error;
1366 }
1367
1368 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1369 {
1370         int rc = 0;
1371
1372         if (!sb)
1373                 return 0;
1374
1375         switch (cmds) {
1376                 case Q_SYNC:
1377                 case Q_QUOTAON:
1378                 case Q_QUOTAOFF:
1379                 case Q_SETINFO:
1380                 case Q_SETQUOTA:
1381                         rc = superblock_has_perm(current,
1382                                                  sb,
1383                                                  FILESYSTEM__QUOTAMOD, NULL);
1384                         break;
1385                 case Q_GETFMT:
1386                 case Q_GETINFO:
1387                 case Q_GETQUOTA:
1388                         rc = superblock_has_perm(current,
1389                                                  sb,
1390                                                  FILESYSTEM__QUOTAGET, NULL);
1391                         break;
1392                 default:
1393                         rc = 0;  /* let the kernel handle invalid cmds */
1394                         break;
1395         }
1396         return rc;
1397 }
1398
1399 static int selinux_quota_on(struct dentry *dentry)
1400 {
1401         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1402 }
1403
1404 static int selinux_syslog(int type)
1405 {
1406         int rc;
1407
1408         rc = secondary_ops->syslog(type);
1409         if (rc)
1410                 return rc;
1411
1412         switch (type) {
1413                 case 3:         /* Read last kernel messages */
1414                 case 10:        /* Return size of the log buffer */
1415                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1416                         break;
1417                 case 6:         /* Disable logging to console */
1418                 case 7:         /* Enable logging to console */
1419                 case 8:         /* Set level of messages printed to console */
1420                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1421                         break;
1422                 case 0:         /* Close log */
1423                 case 1:         /* Open log */
1424                 case 2:         /* Read from log */
1425                 case 4:         /* Read/clear last kernel messages */
1426                 case 5:         /* Clear ring buffer */
1427                 default:
1428                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1429                         break;
1430         }
1431         return rc;
1432 }
1433
1434 /*
1435  * Check that a process has enough memory to allocate a new virtual
1436  * mapping. 0 means there is enough memory for the allocation to
1437  * succeed and -ENOMEM implies there is not.
1438  *
1439  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1440  * if the capability is granted, but __vm_enough_memory requires 1 if
1441  * the capability is granted.
1442  *
1443  * Do not audit the selinux permission check, as this is applied to all
1444  * processes that allocate mappings.
1445  */
1446 static int selinux_vm_enough_memory(long pages)
1447 {
1448         int rc, cap_sys_admin = 0;
1449         struct task_security_struct *tsec = current->security;
1450
1451         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1452         if (rc == 0)
1453                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1454                                         SECCLASS_CAPABILITY,
1455                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1456                                         NULL);
1457
1458         if (rc == 0)
1459                 cap_sys_admin = 1;
1460
1461         return __vm_enough_memory(pages, cap_sys_admin);
1462 }
1463
1464 /* binprm security operations */
1465
1466 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1467 {
1468         struct bprm_security_struct *bsec;
1469
1470         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1471         if (!bsec)
1472                 return -ENOMEM;
1473
1474         memset(bsec, 0, sizeof *bsec);
1475         bsec->magic = SELINUX_MAGIC;
1476         bsec->bprm = bprm;
1477         bsec->sid = SECINITSID_UNLABELED;
1478         bsec->set = 0;
1479
1480         bprm->security = bsec;
1481         return 0;
1482 }
1483
1484 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1485 {
1486         struct task_security_struct *tsec;
1487         struct inode *inode = bprm->file->f_dentry->d_inode;
1488         struct inode_security_struct *isec;
1489         struct bprm_security_struct *bsec;
1490         u32 newsid;
1491         struct avc_audit_data ad;
1492         int rc;
1493
1494         rc = secondary_ops->bprm_set_security(bprm);
1495         if (rc)
1496                 return rc;
1497
1498         bsec = bprm->security;
1499
1500         if (bsec->set)
1501                 return 0;
1502
1503         tsec = current->security;
1504         isec = inode->i_security;
1505
1506         /* Default to the current task SID. */
1507         bsec->sid = tsec->sid;
1508
1509         /* Reset create SID on execve. */
1510         tsec->create_sid = 0;
1511
1512         if (tsec->exec_sid) {
1513                 newsid = tsec->exec_sid;
1514                 /* Reset exec SID on execve. */
1515                 tsec->exec_sid = 0;
1516         } else {
1517                 /* Check for a default transition on this program. */
1518                 rc = security_transition_sid(tsec->sid, isec->sid,
1519                                              SECCLASS_PROCESS, &newsid);
1520                 if (rc)
1521                         return rc;
1522         }
1523
1524         AVC_AUDIT_DATA_INIT(&ad, FS);
1525         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1526         ad.u.fs.dentry = bprm->file->f_dentry;
1527
1528         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1529                 newsid = tsec->sid;
1530
1531         if (tsec->sid == newsid) {
1532                 rc = avc_has_perm(tsec->sid, isec->sid,
1533                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1534                 if (rc)
1535                         return rc;
1536         } else {
1537                 /* Check permissions for the transition. */
1538                 rc = avc_has_perm(tsec->sid, newsid,
1539                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1540                 if (rc)
1541                         return rc;
1542
1543                 rc = avc_has_perm(newsid, isec->sid,
1544                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1545                 if (rc)
1546                         return rc;
1547
1548                 /* Clear any possibly unsafe personality bits on exec: */
1549                 current->personality &= ~PER_CLEAR_ON_SETID;
1550
1551                 /* Set the security field to the new SID. */
1552                 bsec->sid = newsid;
1553         }
1554
1555         bsec->set = 1;
1556         return 0;
1557 }
1558
1559 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1560 {
1561         return secondary_ops->bprm_check_security(bprm);
1562 }
1563
1564
1565 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1566 {
1567         struct task_security_struct *tsec = current->security;
1568         int atsecure = 0;
1569
1570         if (tsec->osid != tsec->sid) {
1571                 /* Enable secure mode for SIDs transitions unless
1572                    the noatsecure permission is granted between
1573                    the two SIDs, i.e. ahp returns 0. */
1574                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1575                                          SECCLASS_PROCESS,
1576                                          PROCESS__NOATSECURE, NULL);
1577         }
1578
1579         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1580 }
1581
1582 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1583 {
1584         kfree(bprm->security);
1585         bprm->security = NULL;
1586 }
1587
1588 extern struct vfsmount *selinuxfs_mount;
1589 extern struct dentry *selinux_null;
1590
1591 /* Derived from fs/exec.c:flush_old_files. */
1592 static inline void flush_unauthorized_files(struct files_struct * files)
1593 {
1594         struct avc_audit_data ad;
1595         struct file *file, *devnull = NULL;
1596         struct tty_struct *tty = current->signal->tty;
1597         long j = -1;
1598
1599         if (tty) {
1600                 file_list_lock();
1601                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1602                 if (file) {
1603                         /* Revalidate access to controlling tty.
1604                            Use inode_has_perm on the tty inode directly rather
1605                            than using file_has_perm, as this particular open
1606                            file may belong to another process and we are only
1607                            interested in the inode-based check here. */
1608                         struct inode *inode = file->f_dentry->d_inode;
1609                         if (inode_has_perm(current, inode,
1610                                            FILE__READ | FILE__WRITE, NULL)) {
1611                                 /* Reset controlling tty. */
1612                                 current->signal->tty = NULL;
1613                                 current->signal->tty_old_pgrp = 0;
1614                         }
1615                 }
1616                 file_list_unlock();
1617         }
1618
1619         /* Revalidate access to inherited open files. */
1620
1621         AVC_AUDIT_DATA_INIT(&ad,FS);
1622
1623         spin_lock(&files->file_lock);
1624         for (;;) {
1625                 unsigned long set, i;
1626                 int fd;
1627
1628                 j++;
1629                 i = j * __NFDBITS;
1630                 if (i >= files->max_fds || i >= files->max_fdset)
1631                         break;
1632                 set = files->open_fds->fds_bits[j];
1633                 if (!set)
1634                         continue;
1635                 spin_unlock(&files->file_lock);
1636                 for ( ; set ; i++,set >>= 1) {
1637                         if (set & 1) {
1638                                 file = fget(i);
1639                                 if (!file)
1640                                         continue;
1641                                 if (file_has_perm(current,
1642                                                   file,
1643                                                   file_to_av(file))) {
1644                                         sys_close(i);
1645                                         fd = get_unused_fd();
1646                                         if (fd != i) {
1647                                                 if (fd >= 0)
1648                                                         put_unused_fd(fd);
1649                                                 fput(file);
1650                                                 continue;
1651                                         }
1652                                         if (devnull) {
1653                                                 atomic_inc(&devnull->f_count);
1654                                         } else {
1655                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1656                                                 if (!devnull) {
1657                                                         put_unused_fd(fd);
1658                                                         fput(file);
1659                                                         continue;
1660                                                 }
1661                                         }
1662                                         fd_install(fd, devnull);
1663                                 }
1664                                 fput(file);
1665                         }
1666                 }
1667                 spin_lock(&files->file_lock);
1668
1669         }
1670         spin_unlock(&files->file_lock);
1671 }
1672
1673 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1674 {
1675         struct task_security_struct *tsec;
1676         struct bprm_security_struct *bsec;
1677         u32 sid;
1678         int rc;
1679
1680         secondary_ops->bprm_apply_creds(bprm, unsafe);
1681
1682         tsec = current->security;
1683
1684         bsec = bprm->security;
1685         sid = bsec->sid;
1686
1687         tsec->osid = tsec->sid;
1688         bsec->unsafe = 0;
1689         if (tsec->sid != sid) {
1690                 /* Check for shared state.  If not ok, leave SID
1691                    unchanged and kill. */
1692                 if (unsafe & LSM_UNSAFE_SHARE) {
1693                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1694                                         PROCESS__SHARE, NULL);
1695                         if (rc) {
1696                                 bsec->unsafe = 1;
1697                                 return;
1698                         }
1699                 }
1700
1701                 /* Check for ptracing, and update the task SID if ok.
1702                    Otherwise, leave SID unchanged and kill. */
1703                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1704                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1705                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1706                                           NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712                 tsec->sid = sid;
1713         }
1714 }
1715
1716 /*
1717  * called after apply_creds without the task lock held
1718  */
1719 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1720 {
1721         struct task_security_struct *tsec;
1722         struct rlimit *rlim, *initrlim;
1723         struct itimerval itimer;
1724         struct bprm_security_struct *bsec;
1725         int rc, i;
1726
1727         tsec = current->security;
1728         bsec = bprm->security;
1729
1730         if (bsec->unsafe) {
1731                 force_sig_specific(SIGKILL, current);
1732                 return;
1733         }
1734         if (tsec->osid == tsec->sid)
1735                 return;
1736
1737         /* Close files for which the new task SID is not authorized. */
1738         flush_unauthorized_files(current->files);
1739
1740         /* Check whether the new SID can inherit signal state
1741            from the old SID.  If not, clear itimers to avoid
1742            subsequent signal generation and flush and unblock
1743            signals. This must occur _after_ the task SID has
1744           been updated so that any kill done after the flush
1745           will be checked against the new SID. */
1746         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1747                           PROCESS__SIGINH, NULL);
1748         if (rc) {
1749                 memset(&itimer, 0, sizeof itimer);
1750                 for (i = 0; i < 3; i++)
1751                         do_setitimer(i, &itimer, NULL);
1752                 flush_signals(current);
1753                 spin_lock_irq(&current->sighand->siglock);
1754                 flush_signal_handlers(current, 1);
1755                 sigemptyset(&current->blocked);
1756                 recalc_sigpending();
1757                 spin_unlock_irq(&current->sighand->siglock);
1758         }
1759
1760         /* Check whether the new SID can inherit resource limits
1761            from the old SID.  If not, reset all soft limits to
1762            the lower of the current task's hard limit and the init
1763            task's soft limit.  Note that the setting of hard limits
1764            (even to lower them) can be controlled by the setrlimit
1765            check. The inclusion of the init task's soft limit into
1766            the computation is to avoid resetting soft limits higher
1767            than the default soft limit for cases where the default
1768            is lower than the hard limit, e.g. RLIMIT_CORE or
1769            RLIMIT_STACK.*/
1770         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1771                           PROCESS__RLIMITINH, NULL);
1772         if (rc) {
1773                 for (i = 0; i < RLIM_NLIMITS; i++) {
1774                         rlim = current->signal->rlim + i;
1775                         initrlim = init_task.signal->rlim+i;
1776                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1777                 }
1778                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1779                         /*
1780                          * This will cause RLIMIT_CPU calculations
1781                          * to be refigured.
1782                          */
1783                         current->it_prof_expires = jiffies_to_cputime(1);
1784                 }
1785         }
1786
1787         /* Wake up the parent if it is waiting so that it can
1788            recheck wait permission to the new task SID. */
1789         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1790 }
1791
1792 /* superblock security operations */
1793
1794 static int selinux_sb_alloc_security(struct super_block *sb)
1795 {
1796         return superblock_alloc_security(sb);
1797 }
1798
1799 static void selinux_sb_free_security(struct super_block *sb)
1800 {
1801         superblock_free_security(sb);
1802 }
1803
1804 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1805 {
1806         if (plen > olen)
1807                 return 0;
1808
1809         return !memcmp(prefix, option, plen);
1810 }
1811
1812 static inline int selinux_option(char *option, int len)
1813 {
1814         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1815                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1816                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1817 }
1818
1819 static inline void take_option(char **to, char *from, int *first, int len)
1820 {
1821         if (!*first) {
1822                 **to = ',';
1823                 *to += 1;
1824         }
1825         else
1826                 *first = 0;
1827         memcpy(*to, from, len);
1828         *to += len;
1829 }
1830
1831 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1832 {
1833         int fnosec, fsec, rc = 0;
1834         char *in_save, *in_curr, *in_end;
1835         char *sec_curr, *nosec_save, *nosec;
1836
1837         in_curr = orig;
1838         sec_curr = copy;
1839
1840         /* Binary mount data: just copy */
1841         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1842                 copy_page(sec_curr, in_curr);
1843                 goto out;
1844         }
1845
1846         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1847         if (!nosec) {
1848                 rc = -ENOMEM;
1849                 goto out;
1850         }
1851
1852         nosec_save = nosec;
1853         fnosec = fsec = 1;
1854         in_save = in_end = orig;
1855
1856         do {
1857                 if (*in_end == ',' || *in_end == '\0') {
1858                         int len = in_end - in_curr;
1859
1860                         if (selinux_option(in_curr, len))
1861                                 take_option(&sec_curr, in_curr, &fsec, len);
1862                         else
1863                                 take_option(&nosec, in_curr, &fnosec, len);
1864
1865                         in_curr = in_end + 1;
1866                 }
1867         } while (*in_end++);
1868
1869         strcpy(in_save, nosec_save);
1870         free_page((unsigned long)nosec_save);
1871 out:
1872         return rc;
1873 }
1874
1875 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1876 {
1877         struct avc_audit_data ad;
1878         int rc;
1879
1880         rc = superblock_doinit(sb, data);
1881         if (rc)
1882                 return rc;
1883
1884         AVC_AUDIT_DATA_INIT(&ad,FS);
1885         ad.u.fs.dentry = sb->s_root;
1886         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1887 }
1888
1889 static int selinux_sb_statfs(struct super_block *sb)
1890 {
1891         struct avc_audit_data ad;
1892
1893         AVC_AUDIT_DATA_INIT(&ad,FS);
1894         ad.u.fs.dentry = sb->s_root;
1895         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1896 }
1897
1898 static int selinux_mount(char * dev_name,
1899                          struct nameidata *nd,
1900                          char * type,
1901                          unsigned long flags,
1902                          void * data)
1903 {
1904         int rc;
1905
1906         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1907         if (rc)
1908                 return rc;
1909
1910         if (flags & MS_REMOUNT)
1911                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1912                                            FILESYSTEM__REMOUNT, NULL);
1913         else
1914                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1915                                        FILE__MOUNTON);
1916 }
1917
1918 static int selinux_umount(struct vfsmount *mnt, int flags)
1919 {
1920         int rc;
1921
1922         rc = secondary_ops->sb_umount(mnt, flags);
1923         if (rc)
1924                 return rc;
1925
1926         return superblock_has_perm(current,mnt->mnt_sb,
1927                                    FILESYSTEM__UNMOUNT,NULL);
1928 }
1929
1930 /* inode security operations */
1931
1932 static int selinux_inode_alloc_security(struct inode *inode)
1933 {
1934         return inode_alloc_security(inode);
1935 }
1936
1937 static void selinux_inode_free_security(struct inode *inode)
1938 {
1939         inode_free_security(inode);
1940 }
1941
1942 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1943                                        char **name, void **value,
1944                                        size_t *len)
1945 {
1946         struct task_security_struct *tsec;
1947         struct inode_security_struct *dsec;
1948         struct superblock_security_struct *sbsec;
1949         struct inode_security_struct *isec;
1950         u32 newsid, clen;
1951         int rc;
1952         char *namep = NULL, *context;
1953
1954         tsec = current->security;
1955         dsec = dir->i_security;
1956         sbsec = dir->i_sb->s_security;
1957         isec = inode->i_security;
1958
1959         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1960                 newsid = tsec->create_sid;
1961         } else {
1962                 rc = security_transition_sid(tsec->sid, dsec->sid,
1963                                              inode_mode_to_security_class(inode->i_mode),
1964                                              &newsid);
1965                 if (rc) {
1966                         printk(KERN_WARNING "%s:  "
1967                                "security_transition_sid failed, rc=%d (dev=%s "
1968                                "ino=%ld)\n",
1969                                __FUNCTION__,
1970                                -rc, inode->i_sb->s_id, inode->i_ino);
1971                         return rc;
1972                 }
1973         }
1974
1975         inode_security_set_sid(inode, newsid);
1976
1977         if (name) {
1978                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1979                 if (!namep)
1980                         return -ENOMEM;
1981                 *name = namep;
1982         }
1983
1984         if (value && len) {
1985                 rc = security_sid_to_context(newsid, &context, &clen);
1986                 if (rc) {
1987                         kfree(namep);
1988                         return rc;
1989                 }
1990                 *value = context;
1991                 *len = clen;
1992         }
1993
1994         return 0;
1995 }
1996
1997 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1998 {
1999         return may_create(dir, dentry, SECCLASS_FILE);
2000 }
2001
2002 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2003 {
2004         int rc;
2005
2006         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2007         if (rc)
2008                 return rc;
2009         return may_link(dir, old_dentry, MAY_LINK);
2010 }
2011
2012 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2013 {
2014         int rc;
2015
2016         rc = secondary_ops->inode_unlink(dir, dentry);
2017         if (rc)
2018                 return rc;
2019         return may_link(dir, dentry, MAY_UNLINK);
2020 }
2021
2022 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2023 {
2024         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2025 }
2026
2027 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2028 {
2029         return may_create(dir, dentry, SECCLASS_DIR);
2030 }
2031
2032 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2033 {
2034         return may_link(dir, dentry, MAY_RMDIR);
2035 }
2036
2037 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2038 {
2039         int rc;
2040
2041         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2042         if (rc)
2043                 return rc;
2044
2045         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2046 }
2047
2048 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2049                                 struct inode *new_inode, struct dentry *new_dentry)
2050 {
2051         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2052 }
2053
2054 static int selinux_inode_readlink(struct dentry *dentry)
2055 {
2056         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2057 }
2058
2059 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2060 {
2061         int rc;
2062
2063         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2064         if (rc)
2065                 return rc;
2066         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2067 }
2068
2069 static int selinux_inode_permission(struct inode *inode, int mask,
2070                                     struct nameidata *nd)
2071 {
2072         int rc;
2073
2074         rc = secondary_ops->inode_permission(inode, mask, nd);
2075         if (rc)
2076                 return rc;
2077
2078         if (!mask) {
2079                 /* No permission to check.  Existence test. */
2080                 return 0;
2081         }
2082
2083         return inode_has_perm(current, inode,
2084                                file_mask_to_av(inode->i_mode, mask), NULL);
2085 }
2086
2087 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2088 {
2089         int rc;
2090
2091         rc = secondary_ops->inode_setattr(dentry, iattr);
2092         if (rc)
2093                 return rc;
2094
2095         if (iattr->ia_valid & ATTR_FORCE)
2096                 return 0;
2097
2098         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2099                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2100                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2101
2102         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2103 }
2104
2105 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2106 {
2107         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2108 }
2109
2110 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2111 {
2112         struct task_security_struct *tsec = current->security;
2113         struct inode *inode = dentry->d_inode;
2114         struct inode_security_struct *isec = inode->i_security;
2115         struct superblock_security_struct *sbsec;
2116         struct avc_audit_data ad;
2117         u32 newsid;
2118         int rc = 0;
2119
2120         if (strcmp(name, XATTR_NAME_SELINUX)) {
2121                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2122                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2123                     !capable(CAP_SYS_ADMIN)) {
2124                         /* A different attribute in the security namespace.
2125                            Restrict to administrator. */
2126                         return -EPERM;
2127                 }
2128
2129                 /* Not an attribute we recognize, so just check the
2130                    ordinary setattr permission. */
2131                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2132         }
2133
2134         sbsec = inode->i_sb->s_security;
2135         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2136                 return -EOPNOTSUPP;
2137
2138         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2139                 return -EPERM;
2140
2141         AVC_AUDIT_DATA_INIT(&ad,FS);
2142         ad.u.fs.dentry = dentry;
2143
2144         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2145                           FILE__RELABELFROM, &ad);
2146         if (rc)
2147                 return rc;
2148
2149         rc = security_context_to_sid(value, size, &newsid);
2150         if (rc)
2151                 return rc;
2152
2153         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2154                           FILE__RELABELTO, &ad);
2155         if (rc)
2156                 return rc;
2157
2158         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2159                                           isec->sclass);
2160         if (rc)
2161                 return rc;
2162
2163         return avc_has_perm(newsid,
2164                             sbsec->sid,
2165                             SECCLASS_FILESYSTEM,
2166                             FILESYSTEM__ASSOCIATE,
2167                             &ad);
2168 }
2169
2170 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2171                                         void *value, size_t size, int flags)
2172 {
2173         struct inode *inode = dentry->d_inode;
2174         struct inode_security_struct *isec = inode->i_security;
2175         u32 newsid;
2176         int rc;
2177
2178         if (strcmp(name, XATTR_NAME_SELINUX)) {
2179                 /* Not an attribute we recognize, so nothing to do. */
2180                 return;
2181         }
2182
2183         rc = security_context_to_sid(value, size, &newsid);
2184         if (rc) {
2185                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2186                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2187                 return;
2188         }
2189
2190         isec->sid = newsid;
2191         return;
2192 }
2193
2194 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2195 {
2196         struct inode *inode = dentry->d_inode;
2197         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2198
2199         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2200                 return -EOPNOTSUPP;
2201
2202         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2203 }
2204
2205 static int selinux_inode_listxattr (struct dentry *dentry)
2206 {
2207         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2208 }
2209
2210 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2211 {
2212         if (strcmp(name, XATTR_NAME_SELINUX)) {
2213                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2214                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2215                     !capable(CAP_SYS_ADMIN)) {
2216                         /* A different attribute in the security namespace.
2217                            Restrict to administrator. */
2218                         return -EPERM;
2219                 }
2220
2221                 /* Not an attribute we recognize, so just check the
2222                    ordinary setattr permission. Might want a separate
2223                    permission for removexattr. */
2224                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2225         }
2226
2227         /* No one is allowed to remove a SELinux security label.
2228            You can change the label, but all data must be labeled. */
2229         return -EACCES;
2230 }
2231
2232 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2233 {
2234         struct inode_security_struct *isec = inode->i_security;
2235         char *context;
2236         unsigned len;
2237         int rc;
2238
2239         /* Permission check handled by selinux_inode_getxattr hook.*/
2240
2241         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2242                 return -EOPNOTSUPP;
2243
2244         rc = security_sid_to_context(isec->sid, &context, &len);
2245         if (rc)
2246                 return rc;
2247
2248         if (!buffer || !size) {
2249                 kfree(context);
2250                 return len;
2251         }
2252         if (size < len) {
2253                 kfree(context);
2254                 return -ERANGE;
2255         }
2256         memcpy(buffer, context, len);
2257         kfree(context);
2258         return len;
2259 }
2260
2261 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2262                                      const void *value, size_t size, int flags)
2263 {
2264         struct inode_security_struct *isec = inode->i_security;
2265         u32 newsid;
2266         int rc;
2267
2268         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2269                 return -EOPNOTSUPP;
2270
2271         if (!value || !size)
2272                 return -EACCES;
2273
2274         rc = security_context_to_sid((void*)value, size, &newsid);
2275         if (rc)
2276                 return rc;
2277
2278         isec->sid = newsid;
2279         return 0;
2280 }
2281
2282 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2283 {
2284         const int len = sizeof(XATTR_NAME_SELINUX);
2285         if (buffer && len <= buffer_size)
2286                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2287         return len;
2288 }
2289
2290 /* file security operations */
2291
2292 static int selinux_file_permission(struct file *file, int mask)
2293 {
2294         struct inode *inode = file->f_dentry->d_inode;
2295
2296         if (!mask) {
2297                 /* No permission to check.  Existence test. */
2298                 return 0;
2299         }
2300
2301         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2302         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2303                 mask |= MAY_APPEND;
2304
2305         return file_has_perm(current, file,
2306                              file_mask_to_av(inode->i_mode, mask));
2307 }
2308
2309 static int selinux_file_alloc_security(struct file *file)
2310 {
2311         return file_alloc_security(file);
2312 }
2313
2314 static void selinux_file_free_security(struct file *file)
2315 {
2316         file_free_security(file);
2317 }
2318
2319 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2320                               unsigned long arg)
2321 {
2322         int error = 0;
2323
2324         switch (cmd) {
2325                 case FIONREAD:
2326                 /* fall through */
2327                 case FIBMAP:
2328                 /* fall through */
2329                 case FIGETBSZ:
2330                 /* fall through */
2331                 case EXT2_IOC_GETFLAGS:
2332                 /* fall through */
2333                 case EXT2_IOC_GETVERSION:
2334                         error = file_has_perm(current, file, FILE__GETATTR);
2335                         break;
2336
2337                 case EXT2_IOC_SETFLAGS:
2338                 /* fall through */
2339                 case EXT2_IOC_SETVERSION:
2340                         error = file_has_perm(current, file, FILE__SETATTR);
2341                         break;
2342
2343                 /* sys_ioctl() checks */
2344                 case FIONBIO:
2345                 /* fall through */
2346                 case FIOASYNC:
2347                         error = file_has_perm(current, file, 0);
2348                         break;
2349
2350                 case KDSKBENT:
2351                 case KDSKBSENT:
2352                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2353                         break;
2354
2355                 /* default case assumes that the command will go
2356                  * to the file's ioctl() function.
2357                  */
2358                 default:
2359                         error = file_has_perm(current, file, FILE__IOCTL);
2360
2361         }
2362         return error;
2363 }
2364
2365 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2366 {
2367 #ifndef CONFIG_PPC32
2368         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2369                 /*
2370                  * We are making executable an anonymous mapping or a
2371                  * private file mapping that will also be writable.
2372                  * This has an additional check.
2373                  */
2374                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2375                 if (rc)
2376                         return rc;
2377         }
2378 #endif
2379
2380         if (file) {
2381                 /* read access is always possible with a mapping */
2382                 u32 av = FILE__READ;
2383
2384                 /* write access only matters if the mapping is shared */
2385                 if (shared && (prot & PROT_WRITE))
2386                         av |= FILE__WRITE;
2387
2388                 if (prot & PROT_EXEC)
2389                         av |= FILE__EXECUTE;
2390
2391                 return file_has_perm(current, file, av);
2392         }
2393         return 0;
2394 }
2395
2396 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2397                              unsigned long prot, unsigned long flags)
2398 {
2399         int rc;
2400
2401         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2402         if (rc)
2403                 return rc;
2404
2405         if (selinux_checkreqprot)
2406                 prot = reqprot;
2407
2408         return file_map_prot_check(file, prot,
2409                                    (flags & MAP_TYPE) == MAP_SHARED);
2410 }
2411
2412 static int selinux_file_mprotect(struct vm_area_struct *vma,
2413                                  unsigned long reqprot,
2414                                  unsigned long prot)
2415 {
2416         int rc;
2417
2418         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2419         if (rc)
2420                 return rc;
2421
2422         if (selinux_checkreqprot)
2423                 prot = reqprot;
2424
2425 #ifndef CONFIG_PPC32
2426         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2427            (vma->vm_start >= vma->vm_mm->start_brk &&
2428             vma->vm_end <= vma->vm_mm->brk)) {
2429                 /*
2430                  * We are making an executable mapping in the brk region.
2431                  * This has an additional execheap check.
2432                  */
2433                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2434                 if (rc)
2435                         return rc;
2436         }
2437         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2438                 /*
2439                  * We are making executable a file mapping that has
2440                  * had some COW done. Since pages might have been written,
2441                  * check ability to execute the possibly modified content.
2442                  * This typically should only occur for text relocations.
2443                  */
2444                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2445                 if (rc)
2446                         return rc;
2447         }
2448         if (!vma->vm_file && (prot & PROT_EXEC) &&
2449                 vma->vm_start <= vma->vm_mm->start_stack &&
2450                 vma->vm_end >= vma->vm_mm->start_stack) {
2451                 /* Attempt to make the process stack executable.
2452                  * This has an additional execstack check.
2453                  */
2454                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2455                 if (rc)
2456                         return rc;
2457         }
2458 #endif
2459
2460         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2461 }
2462
2463 static int selinux_file_lock(struct file *file, unsigned int cmd)
2464 {
2465         return file_has_perm(current, file, FILE__LOCK);
2466 }
2467
2468 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2469                               unsigned long arg)
2470 {
2471         int err = 0;
2472
2473         switch (cmd) {
2474                 case F_SETFL:
2475                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2476                                 err = -EINVAL;
2477                                 break;
2478                         }
2479
2480                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2481                                 err = file_has_perm(current, file,FILE__WRITE);
2482                                 break;
2483                         }
2484                         /* fall through */
2485                 case F_SETOWN:
2486                 case F_SETSIG:
2487                 case F_GETFL:
2488                 case F_GETOWN:
2489                 case F_GETSIG:
2490                         /* Just check FD__USE permission */
2491                         err = file_has_perm(current, file, 0);
2492                         break;
2493                 case F_GETLK:
2494                 case F_SETLK:
2495                 case F_SETLKW:
2496 #if BITS_PER_LONG == 32
2497                 case F_GETLK64:
2498                 case F_SETLK64:
2499                 case F_SETLKW64:
2500 #endif
2501                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2502                                 err = -EINVAL;
2503                                 break;
2504                         }
2505                         err = file_has_perm(current, file, FILE__LOCK);
2506                         break;
2507         }
2508
2509         return err;
2510 }
2511
2512 static int selinux_file_set_fowner(struct file *file)
2513 {
2514         struct task_security_struct *tsec;
2515         struct file_security_struct *fsec;
2516
2517         tsec = current->security;
2518         fsec = file->f_security;
2519         fsec->fown_sid = tsec->sid;
2520
2521         return 0;
2522 }
2523
2524 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2525                                        struct fown_struct *fown, int signum)
2526 {
2527         struct file *file;
2528         u32 perm;
2529         struct task_security_struct *tsec;
2530         struct file_security_struct *fsec;
2531
2532         /* struct fown_struct is never outside the context of a struct file */
2533         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2534
2535         tsec = tsk->security;
2536         fsec = file->f_security;
2537
2538         if (!signum)
2539                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2540         else
2541                 perm = signal_to_av(signum);
2542
2543         return avc_has_perm(fsec->fown_sid, tsec->sid,
2544                             SECCLASS_PROCESS, perm, NULL);
2545 }
2546
2547 static int selinux_file_receive(struct file *file)
2548 {
2549         return file_has_perm(current, file, file_to_av(file));
2550 }
2551
2552 /* task security operations */
2553
2554 static int selinux_task_create(unsigned long clone_flags)
2555 {
2556         int rc;
2557
2558         rc = secondary_ops->task_create(clone_flags);
2559         if (rc)
2560                 return rc;
2561
2562         return task_has_perm(current, current, PROCESS__FORK);
2563 }
2564
2565 static int selinux_task_alloc_security(struct task_struct *tsk)
2566 {
2567         struct task_security_struct *tsec1, *tsec2;
2568         int rc;
2569
2570         tsec1 = current->security;
2571
2572         rc = task_alloc_security(tsk);
2573         if (rc)
2574                 return rc;
2575         tsec2 = tsk->security;
2576
2577         tsec2->osid = tsec1->osid;
2578         tsec2->sid = tsec1->sid;
2579
2580         /* Retain the exec and create SIDs across fork */
2581         tsec2->exec_sid = tsec1->exec_sid;
2582         tsec2->create_sid = tsec1->create_sid;
2583
2584         /* Retain ptracer SID across fork, if any.
2585            This will be reset by the ptrace hook upon any
2586            subsequent ptrace_attach operations. */
2587         tsec2->ptrace_sid = tsec1->ptrace_sid;
2588
2589         return 0;
2590 }
2591
2592 static void selinux_task_free_security(struct task_struct *tsk)
2593 {
2594         task_free_security(tsk);
2595 }
2596
2597 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2598 {
2599         /* Since setuid only affects the current process, and
2600            since the SELinux controls are not based on the Linux
2601            identity attributes, SELinux does not need to control
2602            this operation.  However, SELinux does control the use
2603            of the CAP_SETUID and CAP_SETGID capabilities using the
2604            capable hook. */
2605         return 0;
2606 }
2607
2608 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2609 {
2610         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2611 }
2612
2613 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2614 {
2615         /* See the comment for setuid above. */
2616         return 0;
2617 }
2618
2619 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2620 {
2621         return task_has_perm(current, p, PROCESS__SETPGID);
2622 }
2623
2624 static int selinux_task_getpgid(struct task_struct *p)
2625 {
2626         return task_has_perm(current, p, PROCESS__GETPGID);
2627 }
2628
2629 static int selinux_task_getsid(struct task_struct *p)
2630 {
2631         return task_has_perm(current, p, PROCESS__GETSESSION);
2632 }
2633
2634 static int selinux_task_setgroups(struct group_info *group_info)
2635 {
2636         /* See the comment for setuid above. */
2637         return 0;
2638 }
2639
2640 static int selinux_task_setnice(struct task_struct *p, int nice)
2641 {
2642         int rc;
2643
2644         rc = secondary_ops->task_setnice(p, nice);
2645         if (rc)
2646                 return rc;
2647
2648         return task_has_perm(current,p, PROCESS__SETSCHED);
2649 }
2650
2651 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2652 {
2653         struct rlimit *old_rlim = current->signal->rlim + resource;
2654         int rc;
2655
2656         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2657         if (rc)
2658                 return rc;
2659
2660         /* Control the ability to change the hard limit (whether
2661            lowering or raising it), so that the hard limit can
2662            later be used as a safe reset point for the soft limit
2663            upon context transitions. See selinux_bprm_apply_creds. */
2664         if (old_rlim->rlim_max != new_rlim->rlim_max)
2665                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2666
2667         return 0;
2668 }
2669
2670 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2671 {
2672         return task_has_perm(current, p, PROCESS__SETSCHED);
2673 }
2674
2675 static int selinux_task_getscheduler(struct task_struct *p)
2676 {
2677         return task_has_perm(current, p, PROCESS__GETSCHED);
2678 }
2679
2680 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2681 {
2682         u32 perm;
2683         int rc;
2684
2685         rc = secondary_ops->task_kill(p, info, sig);
2686         if (rc)
2687                 return rc;
2688
2689         if (info && ((unsigned long)info == 1 ||
2690                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2691                 return 0;
2692
2693         if (!sig)
2694                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2695         else
2696                 perm = signal_to_av(sig);
2697
2698         return task_has_perm(current, p, perm);
2699 }
2700
2701 static int selinux_task_prctl(int option,
2702                               unsigned long arg2,
2703                               unsigned long arg3,
2704                               unsigned long arg4,
2705                               unsigned long arg5)
2706 {
2707         /* The current prctl operations do not appear to require
2708            any SELinux controls since they merely observe or modify
2709            the state of the current process. */
2710         return 0;
2711 }
2712
2713 static int selinux_task_wait(struct task_struct *p)
2714 {
2715         u32 perm;
2716
2717         perm = signal_to_av(p->exit_signal);
2718
2719         return task_has_perm(p, current, perm);
2720 }
2721
2722 static void selinux_task_reparent_to_init(struct task_struct *p)
2723 {
2724         struct task_security_struct *tsec;
2725
2726         secondary_ops->task_reparent_to_init(p);
2727
2728         tsec = p->security;
2729         tsec->osid = tsec->sid;
2730         tsec->sid = SECINITSID_KERNEL;
2731         return;
2732 }
2733
2734 static void selinux_task_to_inode(struct task_struct *p,
2735                                   struct inode *inode)
2736 {
2737         struct task_security_struct *tsec = p->security;
2738         struct inode_security_struct *isec = inode->i_security;
2739
2740         isec->sid = tsec->sid;
2741         isec->initialized = 1;
2742         return;
2743 }
2744
2745 #ifdef CONFIG_SECURITY_NETWORK
2746
2747 /* Returns error only if unable to parse addresses */
2748 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2749 {
2750         int offset, ihlen, ret = -EINVAL;
2751         struct iphdr _iph, *ih;
2752
2753         offset = skb->nh.raw - skb->data;
2754         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2755         if (ih == NULL)
2756                 goto out;
2757
2758         ihlen = ih->ihl * 4;
2759         if (ihlen < sizeof(_iph))
2760                 goto out;
2761
2762         ad->u.net.v4info.saddr = ih->saddr;
2763         ad->u.net.v4info.daddr = ih->daddr;
2764         ret = 0;
2765
2766         switch (ih->protocol) {
2767         case IPPROTO_TCP: {
2768                 struct tcphdr _tcph, *th;
2769
2770                 if (ntohs(ih->frag_off) & IP_OFFSET)
2771                         break;
2772
2773                 offset += ihlen;
2774                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2775                 if (th == NULL)
2776                         break;
2777
2778                 ad->u.net.sport = th->source;
2779                 ad->u.net.dport = th->dest;
2780                 break;
2781         }
2782         
2783         case IPPROTO_UDP: {
2784                 struct udphdr _udph, *uh;
2785                 
2786                 if (ntohs(ih->frag_off) & IP_OFFSET)
2787                         break;
2788                         
2789                 offset += ihlen;
2790                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2791                 if (uh == NULL)
2792                         break;  
2793
2794                 ad->u.net.sport = uh->source;
2795                 ad->u.net.dport = uh->dest;
2796                 break;
2797         }
2798
2799         default:
2800                 break;
2801         }
2802 out:
2803         return ret;
2804 }
2805
2806 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2807
2808 /* Returns error only if unable to parse addresses */
2809 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2810 {
2811         u8 nexthdr;
2812         int ret = -EINVAL, offset;
2813         struct ipv6hdr _ipv6h, *ip6;
2814
2815         offset = skb->nh.raw - skb->data;
2816         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2817         if (ip6 == NULL)
2818                 goto out;
2819
2820         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2821         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2822         ret = 0;
2823
2824         nexthdr = ip6->nexthdr;
2825         offset += sizeof(_ipv6h);
2826         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2827         if (offset < 0)
2828                 goto out;
2829
2830         switch (nexthdr) {
2831         case IPPROTO_TCP: {
2832                 struct tcphdr _tcph, *th;
2833
2834                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2835                 if (th == NULL)
2836                         break;
2837
2838                 ad->u.net.sport = th->source;
2839                 ad->u.net.dport = th->dest;
2840                 break;
2841         }
2842
2843         case IPPROTO_UDP: {
2844                 struct udphdr _udph, *uh;
2845
2846                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2847                 if (uh == NULL)
2848                         break;
2849
2850                 ad->u.net.sport = uh->source;
2851                 ad->u.net.dport = uh->dest;
2852                 break;
2853         }
2854
2855         /* includes fragments */
2856         default:
2857                 break;
2858         }
2859 out:
2860         return ret;
2861 }
2862
2863 #endif /* IPV6 */
2864
2865 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2866                              char **addrp, int *len, int src)
2867 {
2868         int ret = 0;
2869
2870         switch (ad->u.net.family) {
2871         case PF_INET:
2872                 ret = selinux_parse_skb_ipv4(skb, ad);
2873                 if (ret || !addrp)
2874                         break;
2875                 *len = 4;
2876                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2877                                         &ad->u.net.v4info.daddr);
2878                 break;
2879
2880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2881         case PF_INET6:
2882                 ret = selinux_parse_skb_ipv6(skb, ad);
2883                 if (ret || !addrp)
2884                         break;
2885                 *len = 16;
2886                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2887                                         &ad->u.net.v6info.daddr);
2888                 break;
2889 #endif  /* IPV6 */
2890         default:
2891                 break;
2892         }
2893
2894         return ret;
2895 }
2896
2897 /* socket security operations */
2898 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2899                            u32 perms)
2900 {
2901         struct inode_security_struct *isec;
2902         struct task_security_struct *tsec;
2903         struct avc_audit_data ad;
2904         int err = 0;
2905
2906         tsec = task->security;
2907         isec = SOCK_INODE(sock)->i_security;
2908
2909         if (isec->sid == SECINITSID_KERNEL)
2910                 goto out;
2911
2912         AVC_AUDIT_DATA_INIT(&ad,NET);
2913         ad.u.net.sk = sock->sk;
2914         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2915
2916 out:
2917         return err;
2918 }
2919
2920 static int selinux_socket_create(int family, int type,
2921                                  int protocol, int kern)
2922 {
2923         int err = 0;
2924         struct task_security_struct *tsec;
2925
2926         if (kern)
2927                 goto out;
2928
2929         tsec = current->security;
2930         err = avc_has_perm(tsec->sid, tsec->sid,
2931                            socket_type_to_security_class(family, type,
2932                            protocol), SOCKET__CREATE, NULL);
2933
2934 out:
2935         return err;
2936 }
2937
2938 static void selinux_socket_post_create(struct socket *sock, int family,
2939                                        int type, int protocol, int kern)
2940 {
2941         struct inode_security_struct *isec;
2942         struct task_security_struct *tsec;
2943
2944         isec = SOCK_INODE(sock)->i_security;
2945
2946         tsec = current->security;
2947         isec->sclass = socket_type_to_security_class(family, type, protocol);
2948         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2949         isec->initialized = 1;
2950
2951         return;
2952 }
2953
2954 /* Range of port numbers used to automatically bind.
2955    Need to determine whether we should perform a name_bind
2956    permission check between the socket and the port number. */
2957 #define ip_local_port_range_0 sysctl_local_port_range[0]
2958 #define ip_local_port_range_1 sysctl_local_port_range[1]
2959
2960 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2961 {
2962         u16 family;
2963         int err;
2964
2965         err = socket_has_perm(current, sock, SOCKET__BIND);
2966         if (err)
2967                 goto out;
2968
2969         /*
2970          * If PF_INET or PF_INET6, check name_bind permission for the port.
2971          */
2972         family = sock->sk->sk_family;
2973         if (family == PF_INET || family == PF_INET6) {
2974                 char *addrp;
2975                 struct inode_security_struct *isec;
2976                 struct task_security_struct *tsec;
2977                 struct avc_audit_data ad;
2978                 struct sockaddr_in *addr4 = NULL;
2979                 struct sockaddr_in6 *addr6 = NULL;
2980                 unsigned short snum;
2981                 struct sock *sk = sock->sk;
2982                 u32 sid, node_perm, addrlen;
2983
2984                 tsec = current->security;
2985                 isec = SOCK_INODE(sock)->i_security;
2986
2987                 if (family == PF_INET) {
2988                         addr4 = (struct sockaddr_in *)address;
2989                         snum = ntohs(addr4->sin_port);
2990                         addrlen = sizeof(addr4->sin_addr.s_addr);
2991                         addrp = (char *)&addr4->sin_addr.s_addr;
2992                 } else {
2993                         addr6 = (struct sockaddr_in6 *)address;
2994                         snum = ntohs(addr6->sin6_port);
2995                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2996                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2997                 }
2998
2999                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3000                            snum > ip_local_port_range_1)) {
3001                         err = security_port_sid(sk->sk_family, sk->sk_type,
3002                                                 sk->sk_protocol, snum, &sid);
3003                         if (err)
3004                                 goto out;
3005                         AVC_AUDIT_DATA_INIT(&ad,NET);
3006                         ad.u.net.sport = htons(snum);
3007                         ad.u.net.family = family;
3008                         err = avc_has_perm(isec->sid, sid,
3009                                            isec->sclass,
3010                                            SOCKET__NAME_BIND, &ad);
3011                         if (err)
3012                                 goto out;
3013                 }
3014                 
3015                 switch(sk->sk_protocol) {
3016                 case IPPROTO_TCP:
3017                         node_perm = TCP_SOCKET__NODE_BIND;
3018                         break;
3019                         
3020                 case IPPROTO_UDP:
3021                         node_perm = UDP_SOCKET__NODE_BIND;
3022                         break;
3023                         
3024                 default:
3025                         node_perm = RAWIP_SOCKET__NODE_BIND;
3026                         break;
3027                 }
3028                 
3029                 err = security_node_sid(family, addrp, addrlen, &sid);
3030                 if (err)
3031                         goto out;
3032                 
3033                 AVC_AUDIT_DATA_INIT(&ad,NET);
3034                 ad.u.net.sport = htons(snum);
3035                 ad.u.net.family = family;
3036
3037                 if (family == PF_INET)
3038                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3039                 else
3040                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3041
3042                 err = avc_has_perm(isec->sid, sid,
3043                                    isec->sclass, node_perm, &ad);
3044                 if (err)
3045                         goto out;
3046         }
3047 out:
3048         return err;
3049 }
3050
3051 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3052 {
3053         struct inode_security_struct *isec;
3054         int err;
3055
3056         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3057         if (err)
3058                 return err;
3059
3060         /*
3061          * If a TCP socket, check name_connect permission for the port.
3062          */
3063         isec = SOCK_INODE(sock)->i_security;
3064         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3065                 struct sock *sk = sock->sk;
3066                 struct avc_audit_data ad;
3067                 struct sockaddr_in *addr4 = NULL;
3068                 struct sockaddr_in6 *addr6 = NULL;
3069                 unsigned short snum;
3070                 u32 sid;
3071
3072                 if (sk->sk_family == PF_INET) {
3073                         addr4 = (struct sockaddr_in *)address;
3074                         if (addrlen < sizeof(struct sockaddr_in))
3075                                 return -EINVAL;
3076                         snum = ntohs(addr4->sin_port);
3077                 } else {
3078                         addr6 = (struct sockaddr_in6 *)address;
3079                         if (addrlen < SIN6_LEN_RFC2133)
3080                                 return -EINVAL;
3081                         snum = ntohs(addr6->sin6_port);
3082                 }
3083
3084                 err = security_port_sid(sk->sk_family, sk->sk_type,
3085                                         sk->sk_protocol, snum, &sid);
3086                 if (err)
3087                         goto out;
3088
3089                 AVC_AUDIT_DATA_INIT(&ad,NET);
3090                 ad.u.net.dport = htons(snum);
3091                 ad.u.net.family = sk->sk_family;
3092                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3093                                    TCP_SOCKET__NAME_CONNECT, &ad);
3094                 if (err)
3095                         goto out;
3096         }
3097
3098 out:
3099         return err;
3100 }
3101
3102 static int selinux_socket_listen(struct socket *sock, int backlog)
3103 {
3104         return socket_has_perm(current, sock, SOCKET__LISTEN);
3105 }
3106
3107 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3108 {
3109         int err;
3110         struct inode_security_struct *isec;
3111         struct inode_security_struct *newisec;
3112
3113         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3114         if (err)
3115                 return err;
3116
3117         newisec = SOCK_INODE(newsock)->i_security;
3118
3119         isec = SOCK_INODE(sock)->i_security;
3120         newisec->sclass = isec->sclass;
3121         newisec->sid = isec->sid;
3122         newisec->initialized = 1;
3123
3124         return 0;
3125 }
3126
3127 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3128                                   int size)
3129 {
3130         return socket_has_perm(current, sock, SOCKET__WRITE);
3131 }
3132
3133 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3134                                   int size, int flags)
3135 {
3136         return socket_has_perm(current, sock, SOCKET__READ);
3137 }
3138
3139 static int selinux_socket_getsockname(struct socket *sock)
3140 {
3141         return socket_has_perm(current, sock, SOCKET__GETATTR);
3142 }
3143
3144 static int selinux_socket_getpeername(struct socket *sock)
3145 {
3146         return socket_has_perm(current, sock, SOCKET__GETATTR);
3147 }
3148
3149 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3150 {
3151         return socket_has_perm(current, sock, SOCKET__SETOPT);
3152 }
3153
3154 static int selinux_socket_getsockopt(struct socket *sock, int level,
3155                                      int optname)
3156 {
3157         return socket_has_perm(current, sock, SOCKET__GETOPT);
3158 }
3159
3160 static int selinux_socket_shutdown(struct socket *sock, int how)
3161 {
3162         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3163 }
3164
3165 static int selinux_socket_unix_stream_connect(struct socket *sock,
3166                                               struct socket *other,
3167                                               struct sock *newsk)
3168 {
3169         struct sk_security_struct *ssec;
3170         struct inode_security_struct *isec;
3171         struct inode_security_struct *other_isec;
3172         struct avc_audit_data ad;
3173         int err;
3174
3175         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3176         if (err)
3177                 return err;
3178
3179         isec = SOCK_INODE(sock)->i_security;
3180         other_isec = SOCK_INODE(other)->i_security;
3181
3182         AVC_AUDIT_DATA_INIT(&ad,NET);
3183         ad.u.net.sk = other->sk;
3184
3185         err = avc_has_perm(isec->sid, other_isec->sid,
3186                            isec->sclass,
3187                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3188         if (err)
3189                 return err;
3190
3191         /* connecting socket */
3192         ssec = sock->sk->sk_security;
3193         ssec->peer_sid = other_isec->sid;
3194         
3195         /* server child socket */
3196         ssec = newsk->sk_security;
3197         ssec->peer_sid = isec->sid;
3198         
3199         return 0;
3200 }
3201
3202 static int selinux_socket_unix_may_send(struct socket *sock,
3203                                         struct socket *other)
3204 {
3205         struct inode_security_struct *isec;
3206         struct inode_security_struct *other_isec;
3207         struct avc_audit_data ad;
3208         int err;
3209
3210         isec = SOCK_INODE(sock)->i_security;
3211         other_isec = SOCK_INODE(other)->i_security;
3212
3213         AVC_AUDIT_DATA_INIT(&ad,NET);
3214         ad.u.net.sk = other->sk;
3215
3216         err = avc_has_perm(isec->sid, other_isec->sid,
3217                            isec->sclass, SOCKET__SENDTO, &ad);
3218         if (err)
3219                 return err;
3220
3221         return 0;
3222 }
3223
3224 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3225 {
3226         u16 family;
3227         char *addrp;
3228         int len, err = 0;
3229         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3230         u32 sock_sid = 0;
3231         u16 sock_class = 0;
3232         struct socket *sock;
3233         struct net_device *dev;
3234         struct avc_audit_data ad;
3235
3236         family = sk->sk_family;
3237         if (family != PF_INET && family != PF_INET6)
3238                 goto out;
3239
3240         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3241         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3242                 family = PF_INET;
3243
3244         read_lock_bh(&sk->sk_callback_lock);
3245         sock = sk->sk_socket;
3246         if (sock) {
3247                 struct inode *inode;
3248                 inode = SOCK_INODE(sock);
3249                 if (inode) {
3250                         struct inode_security_struct *isec;
3251                         isec = inode->i_security;
3252                         sock_sid = isec->sid;
3253                         sock_class = isec->sclass;
3254                 }
3255         }
3256         read_unlock_bh(&sk->sk_callback_lock);
3257         if (!sock_sid)
3258                 goto out;
3259
3260         dev = skb->dev;
3261         if (!dev)
3262                 goto out;
3263
3264         err = sel_netif_sids(dev, &if_sid, NULL);
3265         if (err)
3266                 goto out;
3267
3268         switch (sock_class) {
3269         case SECCLASS_UDP_SOCKET:
3270                 netif_perm = NETIF__UDP_RECV;
3271                 node_perm = NODE__UDP_RECV;
3272                 recv_perm = UDP_SOCKET__RECV_MSG;
3273                 break;
3274         
3275         case SECCLASS_TCP_SOCKET:
3276                 netif_perm = NETIF__TCP_RECV;
3277                 node_perm = NODE__TCP_RECV;
3278                 recv_perm = TCP_SOCKET__RECV_MSG;
3279                 break;
3280         
3281         default:
3282                 netif_perm = NETIF__RAWIP_RECV;
3283                 node_perm = NODE__RAWIP_RECV;
3284                 break;
3285         }
3286
3287         AVC_AUDIT_DATA_INIT(&ad, NET);
3288         ad.u.net.netif = dev->name;
3289         ad.u.net.family = family;
3290
3291         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3292         if (err)
3293                 goto out;
3294
3295         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3296         if (err)
3297                 goto out;
3298         
3299         /* Fixme: this lookup is inefficient */
3300         err = security_node_sid(family, addrp, len, &node_sid);
3301         if (err)