5e61635610bb08fab4df05108b3a8bd9c6b53e0b
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 /* Allocate and free functions for each kind of security blob. */
121
122 static int task_alloc_security(struct task_struct *task)
123 {
124         struct task_security_struct *tsec;
125
126         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
127         if (!tsec)
128                 return -ENOMEM;
129
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
196         if (!fsec)
197                 return -ENOMEM;
198
199         fsec->magic = SELINUX_MAGIC;
200         fsec->file = file;
201         if (tsec && tsec->magic == SELINUX_MAGIC) {
202                 fsec->sid = tsec->sid;
203                 fsec->fown_sid = tsec->sid;
204         } else {
205                 fsec->sid = SECINITSID_UNLABELED;
206                 fsec->fown_sid = SECINITSID_UNLABELED;
207         }
208         file->f_security = fsec;
209
210         return 0;
211 }
212
213 static void file_free_security(struct file *file)
214 {
215         struct file_security_struct *fsec = file->f_security;
216
217         if (!fsec || fsec->magic != SELINUX_MAGIC)
218                 return;
219
220         file->f_security = NULL;
221         kfree(fsec);
222 }
223
224 static int superblock_alloc_security(struct super_block *sb)
225 {
226         struct superblock_security_struct *sbsec;
227
228         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229         if (!sbsec)
230                 return -ENOMEM;
231
232         init_MUTEX(&sbsec->sem);
233         INIT_LIST_HEAD(&sbsec->list);
234         INIT_LIST_HEAD(&sbsec->isec_head);
235         spin_lock_init(&sbsec->isec_lock);
236         sbsec->magic = SELINUX_MAGIC;
237         sbsec->sb = sb;
238         sbsec->sid = SECINITSID_UNLABELED;
239         sbsec->def_sid = SECINITSID_FILE;
240         sb->s_security = sbsec;
241
242         return 0;
243 }
244
245 static void superblock_free_security(struct super_block *sb)
246 {
247         struct superblock_security_struct *sbsec = sb->s_security;
248
249         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250                 return;
251
252         spin_lock(&sb_security_lock);
253         if (!list_empty(&sbsec->list))
254                 list_del_init(&sbsec->list);
255         spin_unlock(&sb_security_lock);
256
257         sb->s_security = NULL;
258         kfree(sbsec);
259 }
260
261 #ifdef CONFIG_SECURITY_NETWORK
262 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
263 {
264         struct sk_security_struct *ssec;
265
266         if (family != PF_UNIX)
267                 return 0;
268
269         ssec = kzalloc(sizeof(*ssec), priority);
270         if (!ssec)
271                 return -ENOMEM;
272
273         ssec->magic = SELINUX_MAGIC;
274         ssec->sk = sk;
275         ssec->peer_sid = SECINITSID_UNLABELED;
276         sk->sk_security = ssec;
277
278         return 0;
279 }
280
281 static void sk_free_security(struct sock *sk)
282 {
283         struct sk_security_struct *ssec = sk->sk_security;
284
285         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
286                 return;
287
288         sk->sk_security = NULL;
289         kfree(ssec);
290 }
291 #endif  /* CONFIG_SECURITY_NETWORK */
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_context = 1,
317         Opt_fscontext = 2,
318         Opt_defcontext = 4,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325 };
326
327 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
328
329 static int try_context_mount(struct super_block *sb, void *data)
330 {
331         char *context = NULL, *defcontext = NULL;
332         const char *name;
333         u32 sid;
334         int alloc = 0, rc = 0, seen = 0;
335         struct task_security_struct *tsec = current->security;
336         struct superblock_security_struct *sbsec = sb->s_security;
337
338         if (!data)
339                 goto out;
340
341         name = sb->s_type->name;
342
343         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344
345                 /* NFS we understand. */
346                 if (!strcmp(name, "nfs")) {
347                         struct nfs_mount_data *d = data;
348
349                         if (d->version <  NFS_MOUNT_VERSION)
350                                 goto out;
351
352                         if (d->context[0]) {
353                                 context = d->context;
354                                 seen |= Opt_context;
355                         }
356                 } else
357                         goto out;
358
359         } else {
360                 /* Standard string-based options. */
361                 char *p, *options = data;
362
363                 while ((p = strsep(&options, ",")) != NULL) {
364                         int token;
365                         substring_t args[MAX_OPT_ARGS];
366
367                         if (!*p)
368                                 continue;
369
370                         token = match_token(p, tokens, args);
371
372                         switch (token) {
373                         case Opt_context:
374                                 if (seen) {
375                                         rc = -EINVAL;
376                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377                                         goto out_free;
378                                 }
379                                 context = match_strdup(&args[0]);
380                                 if (!context) {
381                                         rc = -ENOMEM;
382                                         goto out_free;
383                                 }
384                                 if (!alloc)
385                                         alloc = 1;
386                                 seen |= Opt_context;
387                                 break;
388
389                         case Opt_fscontext:
390                                 if (seen & (Opt_context|Opt_fscontext)) {
391                                         rc = -EINVAL;
392                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
393                                         goto out_free;
394                                 }
395                                 context = match_strdup(&args[0]);
396                                 if (!context) {
397                                         rc = -ENOMEM;
398                                         goto out_free;
399                                 }
400                                 if (!alloc)
401                                         alloc = 1;
402                                 seen |= Opt_fscontext;
403                                 break;
404
405                         case Opt_defcontext:
406                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
407                                         rc = -EINVAL;
408                                         printk(KERN_WARNING "SELinux:  "
409                                                "defcontext option is invalid "
410                                                "for this filesystem type\n");
411                                         goto out_free;
412                                 }
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 defcontext = match_strdup(&args[0]);
419                                 if (!defcontext) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_defcontext;
426                                 break;
427
428                         default:
429                                 rc = -EINVAL;
430                                 printk(KERN_WARNING "SELinux:  unknown mount "
431                                        "option\n");
432                                 goto out_free;
433
434                         }
435                 }
436         }
437
438         if (!seen)
439                 goto out;
440
441         if (context) {
442                 rc = security_context_to_sid(context, strlen(context), &sid);
443                 if (rc) {
444                         printk(KERN_WARNING "SELinux: security_context_to_sid"
445                                "(%s) failed for (dev %s, type %s) errno=%d\n",
446                                context, sb->s_id, name, rc);
447                         goto out_free;
448                 }
449
450                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
451                                   FILESYSTEM__RELABELFROM, NULL);
452                 if (rc)
453                         goto out_free;
454
455                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
456                                   FILESYSTEM__RELABELTO, NULL);
457                 if (rc)
458                         goto out_free;
459
460                 sbsec->sid = sid;
461
462                 if (seen & Opt_context)
463                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
464         }
465
466         if (defcontext) {
467                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
468                 if (rc) {
469                         printk(KERN_WARNING "SELinux: security_context_to_sid"
470                                "(%s) failed for (dev %s, type %s) errno=%d\n",
471                                defcontext, sb->s_id, name, rc);
472                         goto out_free;
473                 }
474
475                 if (sid == sbsec->def_sid)
476                         goto out_free;
477
478                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
479                                   FILESYSTEM__RELABELFROM, NULL);
480                 if (rc)
481                         goto out_free;
482
483                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
484                                   FILESYSTEM__ASSOCIATE, NULL);
485                 if (rc)
486                         goto out_free;
487
488                 sbsec->def_sid = sid;
489         }
490
491 out_free:
492         if (alloc) {
493                 kfree(context);
494                 kfree(defcontext);
495         }
496 out:
497         return rc;
498 }
499
500 static int superblock_doinit(struct super_block *sb, void *data)
501 {
502         struct superblock_security_struct *sbsec = sb->s_security;
503         struct dentry *root = sb->s_root;
504         struct inode *inode = root->d_inode;
505         int rc = 0;
506
507         down(&sbsec->sem);
508         if (sbsec->initialized)
509                 goto out;
510
511         if (!ss_initialized) {
512                 /* Defer initialization until selinux_complete_init,
513                    after the initial policy is loaded and the security
514                    server is ready to handle calls. */
515                 spin_lock(&sb_security_lock);
516                 if (list_empty(&sbsec->list))
517                         list_add(&sbsec->list, &superblock_security_head);
518                 spin_unlock(&sb_security_lock);
519                 goto out;
520         }
521
522         /* Determine the labeling behavior to use for this filesystem type. */
523         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
524         if (rc) {
525                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
526                        __FUNCTION__, sb->s_type->name, rc);
527                 goto out;
528         }
529
530         rc = try_context_mount(sb, data);
531         if (rc)
532                 goto out;
533
534         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
535                 /* Make sure that the xattr handler exists and that no
536                    error other than -ENODATA is returned by getxattr on
537                    the root directory.  -ENODATA is ok, as this may be
538                    the first boot of the SELinux kernel before we have
539                    assigned xattr values to the filesystem. */
540                 if (!inode->i_op->getxattr) {
541                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
542                                "xattr support\n", sb->s_id, sb->s_type->name);
543                         rc = -EOPNOTSUPP;
544                         goto out;
545                 }
546                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
547                 if (rc < 0 && rc != -ENODATA) {
548                         if (rc == -EOPNOTSUPP)
549                                 printk(KERN_WARNING "SELinux: (dev %s, type "
550                                        "%s) has no security xattr handler\n",
551                                        sb->s_id, sb->s_type->name);
552                         else
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) getxattr errno %d\n", sb->s_id,
555                                        sb->s_type->name, -rc);
556                         goto out;
557                 }
558         }
559
560         if (strcmp(sb->s_type->name, "proc") == 0)
561                 sbsec->proc = 1;
562
563         sbsec->initialized = 1;
564
565         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
566                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
567                        sb->s_id, sb->s_type->name);
568         }
569         else {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
571                        sb->s_id, sb->s_type->name,
572                        labeling_behaviors[sbsec->behavior-1]);
573         }
574
575         /* Initialize the root inode. */
576         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
577
578         /* Initialize any other inodes associated with the superblock, e.g.
579            inodes created prior to initial policy load or inodes created
580            during get_sb by a pseudo filesystem that directly
581            populates itself. */
582         spin_lock(&sbsec->isec_lock);
583 next_inode:
584         if (!list_empty(&sbsec->isec_head)) {
585                 struct inode_security_struct *isec =
586                                 list_entry(sbsec->isec_head.next,
587                                            struct inode_security_struct, list);
588                 struct inode *inode = isec->inode;
589                 spin_unlock(&sbsec->isec_lock);
590                 inode = igrab(inode);
591                 if (inode) {
592                         if (!IS_PRIVATE (inode))
593                                 inode_doinit(inode);
594                         iput(inode);
595                 }
596                 spin_lock(&sbsec->isec_lock);
597                 list_del_init(&isec->list);
598                 goto next_inode;
599         }
600         spin_unlock(&sbsec->isec_lock);
601 out:
602         up(&sbsec->sem);
603         return rc;
604 }
605
606 static inline u16 inode_mode_to_security_class(umode_t mode)
607 {
608         switch (mode & S_IFMT) {
609         case S_IFSOCK:
610                 return SECCLASS_SOCK_FILE;
611         case S_IFLNK:
612                 return SECCLASS_LNK_FILE;
613         case S_IFREG:
614                 return SECCLASS_FILE;
615         case S_IFBLK:
616                 return SECCLASS_BLK_FILE;
617         case S_IFDIR:
618                 return SECCLASS_DIR;
619         case S_IFCHR:
620                 return SECCLASS_CHR_FILE;
621         case S_IFIFO:
622                 return SECCLASS_FIFO_FILE;
623
624         }
625
626         return SECCLASS_FILE;
627 }
628
629 static inline int default_protocol_stream(int protocol)
630 {
631         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
632 }
633
634 static inline int default_protocol_dgram(int protocol)
635 {
636         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
637 }
638
639 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 {
641         switch (family) {
642         case PF_UNIX:
643                 switch (type) {
644                 case SOCK_STREAM:
645                 case SOCK_SEQPACKET:
646                         return SECCLASS_UNIX_STREAM_SOCKET;
647                 case SOCK_DGRAM:
648                         return SECCLASS_UNIX_DGRAM_SOCKET;
649                 }
650                 break;
651         case PF_INET:
652         case PF_INET6:
653                 switch (type) {
654                 case SOCK_STREAM:
655                         if (default_protocol_stream(protocol))
656                                 return SECCLASS_TCP_SOCKET;
657                         else
658                                 return SECCLASS_RAWIP_SOCKET;
659                 case SOCK_DGRAM:
660                         if (default_protocol_dgram(protocol))
661                                 return SECCLASS_UDP_SOCKET;
662                         else
663                                 return SECCLASS_RAWIP_SOCKET;
664                 default:
665                         return SECCLASS_RAWIP_SOCKET;
666                 }
667                 break;
668         case PF_NETLINK:
669                 switch (protocol) {
670                 case NETLINK_ROUTE:
671                         return SECCLASS_NETLINK_ROUTE_SOCKET;
672                 case NETLINK_FIREWALL:
673                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
674                 case NETLINK_INET_DIAG:
675                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
676                 case NETLINK_NFLOG:
677                         return SECCLASS_NETLINK_NFLOG_SOCKET;
678                 case NETLINK_XFRM:
679                         return SECCLASS_NETLINK_XFRM_SOCKET;
680                 case NETLINK_SELINUX:
681                         return SECCLASS_NETLINK_SELINUX_SOCKET;
682                 case NETLINK_AUDIT:
683                         return SECCLASS_NETLINK_AUDIT_SOCKET;
684                 case NETLINK_IP6_FW:
685                         return SECCLASS_NETLINK_IP6FW_SOCKET;
686                 case NETLINK_DNRTMSG:
687                         return SECCLASS_NETLINK_DNRT_SOCKET;
688                 case NETLINK_KOBJECT_UEVENT:
689                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
690                 default:
691                         return SECCLASS_NETLINK_SOCKET;
692                 }
693         case PF_PACKET:
694                 return SECCLASS_PACKET_SOCKET;
695         case PF_KEY:
696                 return SECCLASS_KEY_SOCKET;
697         }
698
699         return SECCLASS_SOCKET;
700 }
701
702 #ifdef CONFIG_PROC_FS
703 static int selinux_proc_get_sid(struct proc_dir_entry *de,
704                                 u16 tclass,
705                                 u32 *sid)
706 {
707         int buflen, rc;
708         char *buffer, *path, *end;
709
710         buffer = (char*)__get_free_page(GFP_KERNEL);
711         if (!buffer)
712                 return -ENOMEM;
713
714         buflen = PAGE_SIZE;
715         end = buffer+buflen;
716         *--end = '\0';
717         buflen--;
718         path = end-1;
719         *path = '/';
720         while (de && de != de->parent) {
721                 buflen -= de->namelen + 1;
722                 if (buflen < 0)
723                         break;
724                 end -= de->namelen;
725                 memcpy(end, de->name, de->namelen);
726                 *--end = '/';
727                 path = end;
728                 de = de->parent;
729         }
730         rc = security_genfs_sid("proc", path, tclass, sid);
731         free_page((unsigned long)buffer);
732         return rc;
733 }
734 #else
735 static int selinux_proc_get_sid(struct proc_dir_entry *de,
736                                 u16 tclass,
737                                 u32 *sid)
738 {
739         return -EINVAL;
740 }
741 #endif
742
743 /* The inode's security attributes must be initialized before first use. */
744 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
745 {
746         struct superblock_security_struct *sbsec = NULL;
747         struct inode_security_struct *isec = inode->i_security;
748         u32 sid;
749         struct dentry *dentry;
750 #define INITCONTEXTLEN 255
751         char *context = NULL;
752         unsigned len = 0;
753         int rc = 0;
754         int hold_sem = 0;
755
756         if (isec->initialized)
757                 goto out;
758
759         down(&isec->sem);
760         hold_sem = 1;
761         if (isec->initialized)
762                 goto out;
763
764         sbsec = inode->i_sb->s_security;
765         if (!sbsec->initialized) {
766                 /* Defer initialization until selinux_complete_init,
767                    after the initial policy is loaded and the security
768                    server is ready to handle calls. */
769                 spin_lock(&sbsec->isec_lock);
770                 if (list_empty(&isec->list))
771                         list_add(&isec->list, &sbsec->isec_head);
772                 spin_unlock(&sbsec->isec_lock);
773                 goto out;
774         }
775
776         switch (sbsec->behavior) {
777         case SECURITY_FS_USE_XATTR:
778                 if (!inode->i_op->getxattr) {
779                         isec->sid = sbsec->def_sid;
780                         break;
781                 }
782
783                 /* Need a dentry, since the xattr API requires one.
784                    Life would be simpler if we could just pass the inode. */
785                 if (opt_dentry) {
786                         /* Called from d_instantiate or d_splice_alias. */
787                         dentry = dget(opt_dentry);
788                 } else {
789                         /* Called from selinux_complete_init, try to find a dentry. */
790                         dentry = d_find_alias(inode);
791                 }
792                 if (!dentry) {
793                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
794                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
795                                inode->i_ino);
796                         goto out;
797                 }
798
799                 len = INITCONTEXTLEN;
800                 context = kmalloc(len, GFP_KERNEL);
801                 if (!context) {
802                         rc = -ENOMEM;
803                         dput(dentry);
804                         goto out;
805                 }
806                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
807                                            context, len);
808                 if (rc == -ERANGE) {
809                         /* Need a larger buffer.  Query for the right size. */
810                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
811                                                    NULL, 0);
812                         if (rc < 0) {
813                                 dput(dentry);
814                                 goto out;
815                         }
816                         kfree(context);
817                         len = rc;
818                         context = kmalloc(len, GFP_KERNEL);
819                         if (!context) {
820                                 rc = -ENOMEM;
821                                 dput(dentry);
822                                 goto out;
823                         }
824                         rc = inode->i_op->getxattr(dentry,
825                                                    XATTR_NAME_SELINUX,
826                                                    context, len);
827                 }
828                 dput(dentry);
829                 if (rc < 0) {
830                         if (rc != -ENODATA) {
831                                 printk(KERN_WARNING "%s:  getxattr returned "
832                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
833                                        -rc, inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 goto out;
836                         }
837                         /* Map ENODATA to the default file SID */
838                         sid = sbsec->def_sid;
839                         rc = 0;
840                 } else {
841                         rc = security_context_to_sid_default(context, rc, &sid,
842                                                              sbsec->def_sid);
843                         if (rc) {
844                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
845                                        "returned %d for dev=%s ino=%ld\n",
846                                        __FUNCTION__, context, -rc,
847                                        inode->i_sb->s_id, inode->i_ino);
848                                 kfree(context);
849                                 /* Leave with the unlabeled SID */
850                                 rc = 0;
851                                 break;
852                         }
853                 }
854                 kfree(context);
855                 isec->sid = sid;
856                 break;
857         case SECURITY_FS_USE_TASK:
858                 isec->sid = isec->task_sid;
859                 break;
860         case SECURITY_FS_USE_TRANS:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 /* Try to obtain a transition SID. */
865                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866                 rc = security_transition_sid(isec->task_sid,
867                                              sbsec->sid,
868                                              isec->sclass,
869                                              &sid);
870                 if (rc)
871                         goto out;
872                 isec->sid = sid;
873                 break;
874         default:
875                 /* Default to the fs SID. */
876                 isec->sid = sbsec->sid;
877
878                 if (sbsec->proc) {
879                         struct proc_inode *proci = PROC_I(inode);
880                         if (proci->pde) {
881                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882                                 rc = selinux_proc_get_sid(proci->pde,
883                                                           isec->sclass,
884                                                           &sid);
885                                 if (rc)
886                                         goto out;
887                                 isec->sid = sid;
888                         }
889                 }
890                 break;
891         }
892
893         isec->initialized = 1;
894
895 out:
896         if (isec->sclass == SECCLASS_FILE)
897                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
898
899         if (hold_sem)
900                 up(&isec->sem);
901         return rc;
902 }
903
904 /* Convert a Linux signal to an access vector. */
905 static inline u32 signal_to_av(int sig)
906 {
907         u32 perm = 0;
908
909         switch (sig) {
910         case SIGCHLD:
911                 /* Commonly granted from child to parent. */
912                 perm = PROCESS__SIGCHLD;
913                 break;
914         case SIGKILL:
915                 /* Cannot be caught or ignored */
916                 perm = PROCESS__SIGKILL;
917                 break;
918         case SIGSTOP:
919                 /* Cannot be caught or ignored */
920                 perm = PROCESS__SIGSTOP;
921                 break;
922         default:
923                 /* All other signals. */
924                 perm = PROCESS__SIGNAL;
925                 break;
926         }
927
928         return perm;
929 }
930
931 /* Check permission betweeen a pair of tasks, e.g. signal checks,
932    fork check, ptrace check, etc. */
933 static int task_has_perm(struct task_struct *tsk1,
934                          struct task_struct *tsk2,
935                          u32 perms)
936 {
937         struct task_security_struct *tsec1, *tsec2;
938
939         tsec1 = tsk1->security;
940         tsec2 = tsk2->security;
941         return avc_has_perm(tsec1->sid, tsec2->sid,
942                             SECCLASS_PROCESS, perms, NULL);
943 }
944
945 /* Check whether a task is allowed to use a capability. */
946 static int task_has_capability(struct task_struct *tsk,
947                                int cap)
948 {
949         struct task_security_struct *tsec;
950         struct avc_audit_data ad;
951
952         tsec = tsk->security;
953
954         AVC_AUDIT_DATA_INIT(&ad,CAP);
955         ad.tsk = tsk;
956         ad.u.cap = cap;
957
958         return avc_has_perm(tsec->sid, tsec->sid,
959                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
960 }
961
962 /* Check whether a task is allowed to use a system operation. */
963 static int task_has_system(struct task_struct *tsk,
964                            u32 perms)
965 {
966         struct task_security_struct *tsec;
967
968         tsec = tsk->security;
969
970         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
971                             SECCLASS_SYSTEM, perms, NULL);
972 }
973
974 /* Check whether a task has a particular permission to an inode.
975    The 'adp' parameter is optional and allows other audit
976    data to be passed (e.g. the dentry). */
977 static int inode_has_perm(struct task_struct *tsk,
978                           struct inode *inode,
979                           u32 perms,
980                           struct avc_audit_data *adp)
981 {
982         struct task_security_struct *tsec;
983         struct inode_security_struct *isec;
984         struct avc_audit_data ad;
985
986         tsec = tsk->security;
987         isec = inode->i_security;
988
989         if (!adp) {
990                 adp = &ad;
991                 AVC_AUDIT_DATA_INIT(&ad, FS);
992                 ad.u.fs.inode = inode;
993         }
994
995         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
996 }
997
998 /* Same as inode_has_perm, but pass explicit audit data containing
999    the dentry to help the auditing code to more easily generate the
1000    pathname if needed. */
1001 static inline int dentry_has_perm(struct task_struct *tsk,
1002                                   struct vfsmount *mnt,
1003                                   struct dentry *dentry,
1004                                   u32 av)
1005 {
1006         struct inode *inode = dentry->d_inode;
1007         struct avc_audit_data ad;
1008         AVC_AUDIT_DATA_INIT(&ad,FS);
1009         ad.u.fs.mnt = mnt;
1010         ad.u.fs.dentry = dentry;
1011         return inode_has_perm(tsk, inode, av, &ad);
1012 }
1013
1014 /* Check whether a task can use an open file descriptor to
1015    access an inode in a given way.  Check access to the
1016    descriptor itself, and then use dentry_has_perm to
1017    check a particular permission to the file.
1018    Access to the descriptor is implicitly granted if it
1019    has the same SID as the process.  If av is zero, then
1020    access to the file is not checked, e.g. for cases
1021    where only the descriptor is affected like seek. */
1022 static int file_has_perm(struct task_struct *tsk,
1023                                 struct file *file,
1024                                 u32 av)
1025 {
1026         struct task_security_struct *tsec = tsk->security;
1027         struct file_security_struct *fsec = file->f_security;
1028         struct vfsmount *mnt = file->f_vfsmnt;
1029         struct dentry *dentry = file->f_dentry;
1030         struct inode *inode = dentry->d_inode;
1031         struct avc_audit_data ad;
1032         int rc;
1033
1034         AVC_AUDIT_DATA_INIT(&ad, FS);
1035         ad.u.fs.mnt = mnt;
1036         ad.u.fs.dentry = dentry;
1037
1038         if (tsec->sid != fsec->sid) {
1039                 rc = avc_has_perm(tsec->sid, fsec->sid,
1040                                   SECCLASS_FD,
1041                                   FD__USE,
1042                                   &ad);
1043                 if (rc)
1044                         return rc;
1045         }
1046
1047         /* av is zero if only checking access to the descriptor. */
1048         if (av)
1049                 return inode_has_perm(tsk, inode, av, &ad);
1050
1051         return 0;
1052 }
1053
1054 /* Check whether a task can create a file. */
1055 static int may_create(struct inode *dir,
1056                       struct dentry *dentry,
1057                       u16 tclass)
1058 {
1059         struct task_security_struct *tsec;
1060         struct inode_security_struct *dsec;
1061         struct superblock_security_struct *sbsec;
1062         u32 newsid;
1063         struct avc_audit_data ad;
1064         int rc;
1065
1066         tsec = current->security;
1067         dsec = dir->i_security;
1068         sbsec = dir->i_sb->s_security;
1069
1070         AVC_AUDIT_DATA_INIT(&ad, FS);
1071         ad.u.fs.dentry = dentry;
1072
1073         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1074                           DIR__ADD_NAME | DIR__SEARCH,
1075                           &ad);
1076         if (rc)
1077                 return rc;
1078
1079         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1080                 newsid = tsec->create_sid;
1081         } else {
1082                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083                                              &newsid);
1084                 if (rc)
1085                         return rc;
1086         }
1087
1088         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1089         if (rc)
1090                 return rc;
1091
1092         return avc_has_perm(newsid, sbsec->sid,
1093                             SECCLASS_FILESYSTEM,
1094                             FILESYSTEM__ASSOCIATE, &ad);
1095 }
1096
1097 #define MAY_LINK   0
1098 #define MAY_UNLINK 1
1099 #define MAY_RMDIR  2
1100
1101 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1102 static int may_link(struct inode *dir,
1103                     struct dentry *dentry,
1104                     int kind)
1105
1106 {
1107         struct task_security_struct *tsec;
1108         struct inode_security_struct *dsec, *isec;
1109         struct avc_audit_data ad;
1110         u32 av;
1111         int rc;
1112
1113         tsec = current->security;
1114         dsec = dir->i_security;
1115         isec = dentry->d_inode->i_security;
1116
1117         AVC_AUDIT_DATA_INIT(&ad, FS);
1118         ad.u.fs.dentry = dentry;
1119
1120         av = DIR__SEARCH;
1121         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1122         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1123         if (rc)
1124                 return rc;
1125
1126         switch (kind) {
1127         case MAY_LINK:
1128                 av = FILE__LINK;
1129                 break;
1130         case MAY_UNLINK:
1131                 av = FILE__UNLINK;
1132                 break;
1133         case MAY_RMDIR:
1134                 av = DIR__RMDIR;
1135                 break;
1136         default:
1137                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1138                 return 0;
1139         }
1140
1141         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1142         return rc;
1143 }
1144
1145 static inline int may_rename(struct inode *old_dir,
1146                              struct dentry *old_dentry,
1147                              struct inode *new_dir,
1148                              struct dentry *new_dentry)
1149 {
1150         struct task_security_struct *tsec;
1151         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1152         struct avc_audit_data ad;
1153         u32 av;
1154         int old_is_dir, new_is_dir;
1155         int rc;
1156
1157         tsec = current->security;
1158         old_dsec = old_dir->i_security;
1159         old_isec = old_dentry->d_inode->i_security;
1160         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1161         new_dsec = new_dir->i_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164
1165         ad.u.fs.dentry = old_dentry;
1166         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1167                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1168         if (rc)
1169                 return rc;
1170         rc = avc_has_perm(tsec->sid, old_isec->sid,
1171                           old_isec->sclass, FILE__RENAME, &ad);
1172         if (rc)
1173                 return rc;
1174         if (old_is_dir && new_dir != old_dir) {
1175                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1176                                   old_isec->sclass, DIR__REPARENT, &ad);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         ad.u.fs.dentry = new_dentry;
1182         av = DIR__ADD_NAME | DIR__SEARCH;
1183         if (new_dentry->d_inode)
1184                 av |= DIR__REMOVE_NAME;
1185         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1186         if (rc)
1187                 return rc;
1188         if (new_dentry->d_inode) {
1189                 new_isec = new_dentry->d_inode->i_security;
1190                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1191                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1192                                   new_isec->sclass,
1193                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         return 0;
1199 }
1200
1201 /* Check whether a task can perform a filesystem operation. */
1202 static int superblock_has_perm(struct task_struct *tsk,
1203                                struct super_block *sb,
1204                                u32 perms,
1205                                struct avc_audit_data *ad)
1206 {
1207         struct task_security_struct *tsec;
1208         struct superblock_security_struct *sbsec;
1209
1210         tsec = tsk->security;
1211         sbsec = sb->s_security;
1212         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1213                             perms, ad);
1214 }
1215
1216 /* Convert a Linux mode and permission mask to an access vector. */
1217 static inline u32 file_mask_to_av(int mode, int mask)
1218 {
1219         u32 av = 0;
1220
1221         if ((mode & S_IFMT) != S_IFDIR) {
1222                 if (mask & MAY_EXEC)
1223                         av |= FILE__EXECUTE;
1224                 if (mask & MAY_READ)
1225                         av |= FILE__READ;
1226
1227                 if (mask & MAY_APPEND)
1228                         av |= FILE__APPEND;
1229                 else if (mask & MAY_WRITE)
1230                         av |= FILE__WRITE;
1231
1232         } else {
1233                 if (mask & MAY_EXEC)
1234                         av |= DIR__SEARCH;
1235                 if (mask & MAY_WRITE)
1236                         av |= DIR__WRITE;
1237                 if (mask & MAY_READ)
1238                         av |= DIR__READ;
1239         }
1240
1241         return av;
1242 }
1243
1244 /* Convert a Linux file to an access vector. */
1245 static inline u32 file_to_av(struct file *file)
1246 {
1247         u32 av = 0;
1248
1249         if (file->f_mode & FMODE_READ)
1250                 av |= FILE__READ;
1251         if (file->f_mode & FMODE_WRITE) {
1252                 if (file->f_flags & O_APPEND)
1253                         av |= FILE__APPEND;
1254                 else
1255                         av |= FILE__WRITE;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Set an inode's SID to a specified value. */
1262 static int inode_security_set_sid(struct inode *inode, u32 sid)
1263 {
1264         struct inode_security_struct *isec = inode->i_security;
1265         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1266
1267         if (!sbsec->initialized) {
1268                 /* Defer initialization to selinux_complete_init. */
1269                 return 0;
1270         }
1271
1272         down(&isec->sem);
1273         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274         isec->sid = sid;
1275         isec->initialized = 1;
1276         up(&isec->sem);
1277         return 0;
1278 }
1279
1280 /* Hook functions begin here. */
1281
1282 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1283 {
1284         struct task_security_struct *psec = parent->security;
1285         struct task_security_struct *csec = child->security;
1286         int rc;
1287
1288         rc = secondary_ops->ptrace(parent,child);
1289         if (rc)
1290                 return rc;
1291
1292         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1293         /* Save the SID of the tracing process for later use in apply_creds. */
1294         if (!rc)
1295                 csec->ptrace_sid = psec->sid;
1296         return rc;
1297 }
1298
1299 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1300                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = task_has_perm(current, target, PROCESS__GETCAP);
1305         if (error)
1306                 return error;
1307
1308         return secondary_ops->capget(target, effective, inheritable, permitted);
1309 }
1310
1311 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1312                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         int error;
1315
1316         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1317         if (error)
1318                 return error;
1319
1320         return task_has_perm(current, target, PROCESS__SETCAP);
1321 }
1322
1323 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1324                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1325 {
1326         secondary_ops->capset_set(target, effective, inheritable, permitted);
1327 }
1328
1329 static int selinux_capable(struct task_struct *tsk, int cap)
1330 {
1331         int rc;
1332
1333         rc = secondary_ops->capable(tsk, cap);
1334         if (rc)
1335                 return rc;
1336
1337         return task_has_capability(tsk,cap);
1338 }
1339
1340 static int selinux_sysctl(ctl_table *table, int op)
1341 {
1342         int error = 0;
1343         u32 av;
1344         struct task_security_struct *tsec;
1345         u32 tsid;
1346         int rc;
1347
1348         rc = secondary_ops->sysctl(table, op);
1349         if (rc)
1350                 return rc;
1351
1352         tsec = current->security;
1353
1354         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1355                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1356         if (rc) {
1357                 /* Default to the well-defined sysctl SID. */
1358                 tsid = SECINITSID_SYSCTL;
1359         }
1360
1361         /* The op values are "defined" in sysctl.c, thereby creating
1362          * a bad coupling between this module and sysctl.c */
1363         if(op == 001) {
1364                 error = avc_has_perm(tsec->sid, tsid,
1365                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1366         } else {
1367                 av = 0;
1368                 if (op & 004)
1369                         av |= FILE__READ;
1370                 if (op & 002)
1371                         av |= FILE__WRITE;
1372                 if (av)
1373                         error = avc_has_perm(tsec->sid, tsid,
1374                                              SECCLASS_FILE, av, NULL);
1375         }
1376
1377         return error;
1378 }
1379
1380 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1381 {
1382         int rc = 0;
1383
1384         if (!sb)
1385                 return 0;
1386
1387         switch (cmds) {
1388                 case Q_SYNC:
1389                 case Q_QUOTAON:
1390                 case Q_QUOTAOFF:
1391                 case Q_SETINFO:
1392                 case Q_SETQUOTA:
1393                         rc = superblock_has_perm(current,
1394                                                  sb,
1395                                                  FILESYSTEM__QUOTAMOD, NULL);
1396                         break;
1397                 case Q_GETFMT:
1398                 case Q_GETINFO:
1399                 case Q_GETQUOTA:
1400                         rc = superblock_has_perm(current,
1401                                                  sb,
1402                                                  FILESYSTEM__QUOTAGET, NULL);
1403                         break;
1404                 default:
1405                         rc = 0;  /* let the kernel handle invalid cmds */
1406                         break;
1407         }
1408         return rc;
1409 }
1410
1411 static int selinux_quota_on(struct dentry *dentry)
1412 {
1413         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1414 }
1415
1416 static int selinux_syslog(int type)
1417 {
1418         int rc;
1419
1420         rc = secondary_ops->syslog(type);
1421         if (rc)
1422                 return rc;
1423
1424         switch (type) {
1425                 case 3:         /* Read last kernel messages */
1426                 case 10:        /* Return size of the log buffer */
1427                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1428                         break;
1429                 case 6:         /* Disable logging to console */
1430                 case 7:         /* Enable logging to console */
1431                 case 8:         /* Set level of messages printed to console */
1432                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1433                         break;
1434                 case 0:         /* Close log */
1435                 case 1:         /* Open log */
1436                 case 2:         /* Read from log */
1437                 case 4:         /* Read/clear last kernel messages */
1438                 case 5:         /* Clear ring buffer */
1439                 default:
1440                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1441                         break;
1442         }
1443         return rc;
1444 }
1445
1446 /*
1447  * Check that a process has enough memory to allocate a new virtual
1448  * mapping. 0 means there is enough memory for the allocation to
1449  * succeed and -ENOMEM implies there is not.
1450  *
1451  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1452  * if the capability is granted, but __vm_enough_memory requires 1 if
1453  * the capability is granted.
1454  *
1455  * Do not audit the selinux permission check, as this is applied to all
1456  * processes that allocate mappings.
1457  */
1458 static int selinux_vm_enough_memory(long pages)
1459 {
1460         int rc, cap_sys_admin = 0;
1461         struct task_security_struct *tsec = current->security;
1462
1463         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1464         if (rc == 0)
1465                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1466                                         SECCLASS_CAPABILITY,
1467                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1468                                         NULL);
1469
1470         if (rc == 0)
1471                 cap_sys_admin = 1;
1472
1473         return __vm_enough_memory(pages, cap_sys_admin);
1474 }
1475
1476 /* binprm security operations */
1477
1478 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1479 {
1480         struct bprm_security_struct *bsec;
1481
1482         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1483         if (!bsec)
1484                 return -ENOMEM;
1485
1486         bsec->magic = SELINUX_MAGIC;
1487         bsec->bprm = bprm;
1488         bsec->sid = SECINITSID_UNLABELED;
1489         bsec->set = 0;
1490
1491         bprm->security = bsec;
1492         return 0;
1493 }
1494
1495 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1496 {
1497         struct task_security_struct *tsec;
1498         struct inode *inode = bprm->file->f_dentry->d_inode;
1499         struct inode_security_struct *isec;
1500         struct bprm_security_struct *bsec;
1501         u32 newsid;
1502         struct avc_audit_data ad;
1503         int rc;
1504
1505         rc = secondary_ops->bprm_set_security(bprm);
1506         if (rc)
1507                 return rc;
1508
1509         bsec = bprm->security;
1510
1511         if (bsec->set)
1512                 return 0;
1513
1514         tsec = current->security;
1515         isec = inode->i_security;
1516
1517         /* Default to the current task SID. */
1518         bsec->sid = tsec->sid;
1519
1520         /* Reset create SID on execve. */
1521         tsec->create_sid = 0;
1522
1523         if (tsec->exec_sid) {
1524                 newsid = tsec->exec_sid;
1525                 /* Reset exec SID on execve. */
1526                 tsec->exec_sid = 0;
1527         } else {
1528                 /* Check for a default transition on this program. */
1529                 rc = security_transition_sid(tsec->sid, isec->sid,
1530                                              SECCLASS_PROCESS, &newsid);
1531                 if (rc)
1532                         return rc;
1533         }
1534
1535         AVC_AUDIT_DATA_INIT(&ad, FS);
1536         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1537         ad.u.fs.dentry = bprm->file->f_dentry;
1538
1539         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1540                 newsid = tsec->sid;
1541
1542         if (tsec->sid == newsid) {
1543                 rc = avc_has_perm(tsec->sid, isec->sid,
1544                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1545                 if (rc)
1546                         return rc;
1547         } else {
1548                 /* Check permissions for the transition. */
1549                 rc = avc_has_perm(tsec->sid, newsid,
1550                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1551                 if (rc)
1552                         return rc;
1553
1554                 rc = avc_has_perm(newsid, isec->sid,
1555                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1556                 if (rc)
1557                         return rc;
1558
1559                 /* Clear any possibly unsafe personality bits on exec: */
1560                 current->personality &= ~PER_CLEAR_ON_SETID;
1561
1562                 /* Set the security field to the new SID. */
1563                 bsec->sid = newsid;
1564         }
1565
1566         bsec->set = 1;
1567         return 0;
1568 }
1569
1570 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1571 {
1572         return secondary_ops->bprm_check_security(bprm);
1573 }
1574
1575
1576 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1577 {
1578         struct task_security_struct *tsec = current->security;
1579         int atsecure = 0;
1580
1581         if (tsec->osid != tsec->sid) {
1582                 /* Enable secure mode for SIDs transitions unless
1583                    the noatsecure permission is granted between
1584                    the two SIDs, i.e. ahp returns 0. */
1585                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1586                                          SECCLASS_PROCESS,
1587                                          PROCESS__NOATSECURE, NULL);
1588         }
1589
1590         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1591 }
1592
1593 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1594 {
1595         kfree(bprm->security);
1596         bprm->security = NULL;
1597 }
1598
1599 extern struct vfsmount *selinuxfs_mount;
1600 extern struct dentry *selinux_null;
1601
1602 /* Derived from fs/exec.c:flush_old_files. */
1603 static inline void flush_unauthorized_files(struct files_struct * files)
1604 {
1605         struct avc_audit_data ad;
1606         struct file *file, *devnull = NULL;
1607         struct tty_struct *tty = current->signal->tty;
1608         struct fdtable *fdt;
1609         long j = -1;
1610
1611         if (tty) {
1612                 file_list_lock();
1613                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1614                 if (file) {
1615                         /* Revalidate access to controlling tty.
1616                            Use inode_has_perm on the tty inode directly rather
1617                            than using file_has_perm, as this particular open
1618                            file may belong to another process and we are only
1619                            interested in the inode-based check here. */
1620                         struct inode *inode = file->f_dentry->d_inode;
1621                         if (inode_has_perm(current, inode,
1622                                            FILE__READ | FILE__WRITE, NULL)) {
1623                                 /* Reset controlling tty. */
1624                                 current->signal->tty = NULL;
1625                                 current->signal->tty_old_pgrp = 0;
1626                         }
1627                 }
1628                 file_list_unlock();
1629         }
1630
1631         /* Revalidate access to inherited open files. */
1632
1633         AVC_AUDIT_DATA_INIT(&ad,FS);
1634
1635         spin_lock(&files->file_lock);
1636         for (;;) {
1637                 unsigned long set, i;
1638                 int fd;
1639
1640                 j++;
1641                 i = j * __NFDBITS;
1642                 fdt = files_fdtable(files);
1643                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1644                         break;
1645                 set = fdt->open_fds->fds_bits[j];
1646                 if (!set)
1647                         continue;
1648                 spin_unlock(&files->file_lock);
1649                 for ( ; set ; i++,set >>= 1) {
1650                         if (set & 1) {
1651                                 file = fget(i);
1652                                 if (!file)
1653                                         continue;
1654                                 if (file_has_perm(current,
1655                                                   file,
1656                                                   file_to_av(file))) {
1657                                         sys_close(i);
1658                                         fd = get_unused_fd();
1659                                         if (fd != i) {
1660                                                 if (fd >= 0)
1661                                                         put_unused_fd(fd);
1662                                                 fput(file);
1663                                                 continue;
1664                                         }
1665                                         if (devnull) {
1666                                                 get_file(devnull);
1667                                         } else {
1668                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1669                                                 if (!devnull) {
1670                                                         put_unused_fd(fd);
1671                                                         fput(file);
1672                                                         continue;
1673                                                 }
1674                                         }
1675                                         fd_install(fd, devnull);
1676                                 }
1677                                 fput(file);
1678                         }
1679                 }
1680                 spin_lock(&files->file_lock);
1681
1682         }
1683         spin_unlock(&files->file_lock);
1684 }
1685
1686 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1687 {
1688         struct task_security_struct *tsec;
1689         struct bprm_security_struct *bsec;
1690         u32 sid;
1691         int rc;
1692
1693         secondary_ops->bprm_apply_creds(bprm, unsafe);
1694
1695         tsec = current->security;
1696
1697         bsec = bprm->security;
1698         sid = bsec->sid;
1699
1700         tsec->osid = tsec->sid;
1701         bsec->unsafe = 0;
1702         if (tsec->sid != sid) {
1703                 /* Check for shared state.  If not ok, leave SID
1704                    unchanged and kill. */
1705                 if (unsafe & LSM_UNSAFE_SHARE) {
1706                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1707                                         PROCESS__SHARE, NULL);
1708                         if (rc) {
1709                                 bsec->unsafe = 1;
1710                                 return;
1711                         }
1712                 }
1713
1714                 /* Check for ptracing, and update the task SID if ok.
1715                    Otherwise, leave SID unchanged and kill. */
1716                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1717                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1718                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1719                                           NULL);
1720                         if (rc) {
1721                                 bsec->unsafe = 1;
1722                                 return;
1723                         }
1724                 }
1725                 tsec->sid = sid;
1726         }
1727 }
1728
1729 /*
1730  * called after apply_creds without the task lock held
1731  */
1732 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1733 {
1734         struct task_security_struct *tsec;
1735         struct rlimit *rlim, *initrlim;
1736         struct itimerval itimer;
1737         struct bprm_security_struct *bsec;
1738         int rc, i;
1739
1740         tsec = current->security;
1741         bsec = bprm->security;
1742
1743         if (bsec->unsafe) {
1744                 force_sig_specific(SIGKILL, current);
1745                 return;
1746         }
1747         if (tsec->osid == tsec->sid)
1748                 return;
1749
1750         /* Close files for which the new task SID is not authorized. */
1751         flush_unauthorized_files(current->files);
1752
1753         /* Check whether the new SID can inherit signal state
1754            from the old SID.  If not, clear itimers to avoid
1755            subsequent signal generation and flush and unblock
1756            signals. This must occur _after_ the task SID has
1757           been updated so that any kill done after the flush
1758           will be checked against the new SID. */
1759         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1760                           PROCESS__SIGINH, NULL);
1761         if (rc) {
1762                 memset(&itimer, 0, sizeof itimer);
1763                 for (i = 0; i < 3; i++)
1764                         do_setitimer(i, &itimer, NULL);
1765                 flush_signals(current);
1766                 spin_lock_irq(&current->sighand->siglock);
1767                 flush_signal_handlers(current, 1);
1768                 sigemptyset(&current->blocked);
1769                 recalc_sigpending();
1770                 spin_unlock_irq(&current->sighand->siglock);
1771         }
1772
1773         /* Check whether the new SID can inherit resource limits
1774            from the old SID.  If not, reset all soft limits to
1775            the lower of the current task's hard limit and the init
1776            task's soft limit.  Note that the setting of hard limits
1777            (even to lower them) can be controlled by the setrlimit
1778            check. The inclusion of the init task's soft limit into
1779            the computation is to avoid resetting soft limits higher
1780            than the default soft limit for cases where the default
1781            is lower than the hard limit, e.g. RLIMIT_CORE or
1782            RLIMIT_STACK.*/
1783         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1784                           PROCESS__RLIMITINH, NULL);
1785         if (rc) {
1786                 for (i = 0; i < RLIM_NLIMITS; i++) {
1787                         rlim = current->signal->rlim + i;
1788                         initrlim = init_task.signal->rlim+i;
1789                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1790                 }
1791                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1792                         /*
1793                          * This will cause RLIMIT_CPU calculations
1794                          * to be refigured.
1795                          */
1796                         current->it_prof_expires = jiffies_to_cputime(1);
1797                 }
1798         }
1799
1800         /* Wake up the parent if it is waiting so that it can
1801            recheck wait permission to the new task SID. */
1802         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1803 }
1804
1805 /* superblock security operations */
1806
1807 static int selinux_sb_alloc_security(struct super_block *sb)
1808 {
1809         return superblock_alloc_security(sb);
1810 }
1811
1812 static void selinux_sb_free_security(struct super_block *sb)
1813 {
1814         superblock_free_security(sb);
1815 }
1816
1817 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1818 {
1819         if (plen > olen)
1820                 return 0;
1821
1822         return !memcmp(prefix, option, plen);
1823 }
1824
1825 static inline int selinux_option(char *option, int len)
1826 {
1827         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1828                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1829                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1830 }
1831
1832 static inline void take_option(char **to, char *from, int *first, int len)
1833 {
1834         if (!*first) {
1835                 **to = ',';
1836                 *to += 1;
1837         }
1838         else
1839                 *first = 0;
1840         memcpy(*to, from, len);
1841         *to += len;
1842 }
1843
1844 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1845 {
1846         int fnosec, fsec, rc = 0;
1847         char *in_save, *in_curr, *in_end;
1848         char *sec_curr, *nosec_save, *nosec;
1849
1850         in_curr = orig;
1851         sec_curr = copy;
1852
1853         /* Binary mount data: just copy */
1854         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1855                 copy_page(sec_curr, in_curr);
1856                 goto out;
1857         }
1858
1859         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1860         if (!nosec) {
1861                 rc = -ENOMEM;
1862                 goto out;
1863         }
1864
1865         nosec_save = nosec;
1866         fnosec = fsec = 1;
1867         in_save = in_end = orig;
1868
1869         do {
1870                 if (*in_end == ',' || *in_end == '\0') {
1871                         int len = in_end - in_curr;
1872
1873                         if (selinux_option(in_curr, len))
1874                                 take_option(&sec_curr, in_curr, &fsec, len);
1875                         else
1876                                 take_option(&nosec, in_curr, &fnosec, len);
1877
1878                         in_curr = in_end + 1;
1879                 }
1880         } while (*in_end++);
1881
1882         strcpy(in_save, nosec_save);
1883         free_page((unsigned long)nosec_save);
1884 out:
1885         return rc;
1886 }
1887
1888 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1889 {
1890         struct avc_audit_data ad;
1891         int rc;
1892
1893         rc = superblock_doinit(sb, data);
1894         if (rc)
1895                 return rc;
1896
1897         AVC_AUDIT_DATA_INIT(&ad,FS);
1898         ad.u.fs.dentry = sb->s_root;
1899         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1900 }
1901
1902 static int selinux_sb_statfs(struct super_block *sb)
1903 {
1904         struct avc_audit_data ad;
1905
1906         AVC_AUDIT_DATA_INIT(&ad,FS);
1907         ad.u.fs.dentry = sb->s_root;
1908         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1909 }
1910
1911 static int selinux_mount(char * dev_name,
1912                          struct nameidata *nd,
1913                          char * type,
1914                          unsigned long flags,
1915                          void * data)
1916 {
1917         int rc;
1918
1919         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1920         if (rc)
1921                 return rc;
1922
1923         if (flags & MS_REMOUNT)
1924                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1925                                            FILESYSTEM__REMOUNT, NULL);
1926         else
1927                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1928                                        FILE__MOUNTON);
1929 }
1930
1931 static int selinux_umount(struct vfsmount *mnt, int flags)
1932 {
1933         int rc;
1934
1935         rc = secondary_ops->sb_umount(mnt, flags);
1936         if (rc)
1937                 return rc;
1938
1939         return superblock_has_perm(current,mnt->mnt_sb,
1940                                    FILESYSTEM__UNMOUNT,NULL);
1941 }
1942
1943 /* inode security operations */
1944
1945 static int selinux_inode_alloc_security(struct inode *inode)
1946 {
1947         return inode_alloc_security(inode);
1948 }
1949
1950 static void selinux_inode_free_security(struct inode *inode)
1951 {
1952         inode_free_security(inode);
1953 }
1954
1955 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1956                                        char **name, void **value,
1957                                        size_t *len)
1958 {
1959         struct task_security_struct *tsec;
1960         struct inode_security_struct *dsec;
1961         struct superblock_security_struct *sbsec;
1962         struct inode_security_struct *isec;
1963         u32 newsid, clen;
1964         int rc;
1965         char *namep = NULL, *context;
1966
1967         tsec = current->security;
1968         dsec = dir->i_security;
1969         sbsec = dir->i_sb->s_security;
1970         isec = inode->i_security;
1971
1972         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1973                 newsid = tsec->create_sid;
1974         } else {
1975                 rc = security_transition_sid(tsec->sid, dsec->sid,
1976                                              inode_mode_to_security_class(inode->i_mode),
1977                                              &newsid);
1978                 if (rc) {
1979                         printk(KERN_WARNING "%s:  "
1980                                "security_transition_sid failed, rc=%d (dev=%s "
1981                                "ino=%ld)\n",
1982                                __FUNCTION__,
1983                                -rc, inode->i_sb->s_id, inode->i_ino);
1984                         return rc;
1985                 }
1986         }
1987
1988         inode_security_set_sid(inode, newsid);
1989
1990         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1991                 return -EOPNOTSUPP;
1992
1993         if (name) {
1994                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1995                 if (!namep)
1996                         return -ENOMEM;
1997                 *name = namep;
1998         }
1999
2000         if (value && len) {
2001                 rc = security_sid_to_context(newsid, &context, &clen);
2002                 if (rc) {
2003                         kfree(namep);
2004                         return rc;
2005                 }
2006                 *value = context;
2007                 *len = clen;
2008         }
2009
2010         return 0;
2011 }
2012
2013 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2014 {
2015         return may_create(dir, dentry, SECCLASS_FILE);
2016 }
2017
2018 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2023         if (rc)
2024                 return rc;
2025         return may_link(dir, old_dentry, MAY_LINK);
2026 }
2027
2028 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2029 {
2030         int rc;
2031
2032         rc = secondary_ops->inode_unlink(dir, dentry);
2033         if (rc)
2034                 return rc;
2035         return may_link(dir, dentry, MAY_UNLINK);
2036 }
2037
2038 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2039 {
2040         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2041 }
2042
2043 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2044 {
2045         return may_create(dir, dentry, SECCLASS_DIR);
2046 }
2047
2048 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2049 {
2050         return may_link(dir, dentry, MAY_RMDIR);
2051 }
2052
2053 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2054 {
2055         int rc;
2056
2057         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2058         if (rc)
2059                 return rc;
2060
2061         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2062 }
2063
2064 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2065                                 struct inode *new_inode, struct dentry *new_dentry)
2066 {
2067         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2068 }
2069
2070 static int selinux_inode_readlink(struct dentry *dentry)
2071 {
2072         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2073 }
2074
2075 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2076 {
2077         int rc;
2078
2079         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2080         if (rc)
2081                 return rc;
2082         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2083 }
2084
2085 static int selinux_inode_permission(struct inode *inode, int mask,
2086                                     struct nameidata *nd)
2087 {
2088         int rc;
2089
2090         rc = secondary_ops->inode_permission(inode, mask, nd);
2091         if (rc)
2092                 return rc;
2093
2094         if (!mask) {
2095                 /* No permission to check.  Existence test. */
2096                 return 0;
2097         }
2098
2099         return inode_has_perm(current, inode,
2100                                file_mask_to_av(inode->i_mode, mask), NULL);
2101 }
2102
2103 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2104 {
2105         int rc;
2106
2107         rc = secondary_ops->inode_setattr(dentry, iattr);
2108         if (rc)
2109                 return rc;
2110
2111         if (iattr->ia_valid & ATTR_FORCE)
2112                 return 0;
2113
2114         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2115                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2116                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2117
2118         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2119 }
2120
2121 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2122 {
2123         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2124 }
2125
2126 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2127 {
2128         struct task_security_struct *tsec = current->security;
2129         struct inode *inode = dentry->d_inode;
2130         struct inode_security_struct *isec = inode->i_security;
2131         struct superblock_security_struct *sbsec;
2132         struct avc_audit_data ad;
2133         u32 newsid;
2134         int rc = 0;
2135
2136         if (strcmp(name, XATTR_NAME_SELINUX)) {
2137                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2138                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2139                     !capable(CAP_SYS_ADMIN)) {
2140                         /* A different attribute in the security namespace.
2141                            Restrict to administrator. */
2142                         return -EPERM;
2143                 }
2144
2145                 /* Not an attribute we recognize, so just check the
2146                    ordinary setattr permission. */
2147                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2148         }
2149
2150         sbsec = inode->i_sb->s_security;
2151         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2152                 return -EOPNOTSUPP;
2153
2154         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2155                 return -EPERM;
2156
2157         AVC_AUDIT_DATA_INIT(&ad,FS);
2158         ad.u.fs.dentry = dentry;
2159
2160         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2161                           FILE__RELABELFROM, &ad);
2162         if (rc)
2163                 return rc;
2164
2165         rc = security_context_to_sid(value, size, &newsid);
2166         if (rc)
2167                 return rc;
2168
2169         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2170                           FILE__RELABELTO, &ad);
2171         if (rc)
2172                 return rc;
2173
2174         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2175                                           isec->sclass);
2176         if (rc)
2177                 return rc;
2178
2179         return avc_has_perm(newsid,
2180                             sbsec->sid,
2181                             SECCLASS_FILESYSTEM,
2182                             FILESYSTEM__ASSOCIATE,
2183                             &ad);
2184 }
2185
2186 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2187                                         void *value, size_t size, int flags)
2188 {
2189         struct inode *inode = dentry->d_inode;
2190         struct inode_security_struct *isec = inode->i_security;
2191         u32 newsid;
2192         int rc;
2193
2194         if (strcmp(name, XATTR_NAME_SELINUX)) {
2195                 /* Not an attribute we recognize, so nothing to do. */
2196                 return;
2197         }
2198
2199         rc = security_context_to_sid(value, size, &newsid);
2200         if (rc) {
2201                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2202                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2203                 return;
2204         }
2205
2206         isec->sid = newsid;
2207         return;
2208 }
2209
2210 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2211 {
2212         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2213 }
2214
2215 static int selinux_inode_listxattr (struct dentry *dentry)
2216 {
2217         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2218 }
2219
2220 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2221 {
2222         if (strcmp(name, XATTR_NAME_SELINUX)) {
2223                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2224                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2225                     !capable(CAP_SYS_ADMIN)) {
2226                         /* A different attribute in the security namespace.
2227                            Restrict to administrator. */
2228                         return -EPERM;
2229                 }
2230
2231                 /* Not an attribute we recognize, so just check the
2232                    ordinary setattr permission. Might want a separate
2233                    permission for removexattr. */
2234                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2235         }
2236
2237         /* No one is allowed to remove a SELinux security label.
2238            You can change the label, but all data must be labeled. */
2239         return -EACCES;
2240 }
2241
2242 /*
2243  * Copy the in-core inode security context value to the user.  If the
2244  * getxattr() prior to this succeeded, check to see if we need to
2245  * canonicalize the value to be finally returned to the user.
2246  *
2247  * Permission check is handled by selinux_inode_getxattr hook.
2248  */
2249 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2250 {
2251         struct inode_security_struct *isec = inode->i_security;
2252         char *context;
2253         unsigned len;
2254         int rc;
2255
2256         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2257                 rc = -EOPNOTSUPP;
2258                 goto out;
2259         }
2260
2261         rc = security_sid_to_context(isec->sid, &context, &len);
2262         if (rc)
2263                 goto out;
2264
2265         /* Probe for required buffer size */
2266         if (!buffer || !size) {
2267                 rc = len;
2268                 goto out_free;
2269         }
2270
2271         if (size < len) {
2272                 rc = -ERANGE;
2273                 goto out_free;
2274         }
2275
2276         if (err > 0) {
2277                 if ((len == err) && !(memcmp(context, buffer, len))) {
2278                         /* Don't need to canonicalize value */
2279                         rc = err;
2280                         goto out_free;
2281                 }
2282                 memset(buffer, 0, size);
2283         }
2284         memcpy(buffer, context, len);
2285         rc = len;
2286 out_free:
2287         kfree(context);
2288 out:
2289         return rc;
2290 }
2291
2292 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2293                                      const void *value, size_t size, int flags)
2294 {
2295         struct inode_security_struct *isec = inode->i_security;
2296         u32 newsid;
2297         int rc;
2298
2299         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2300                 return -EOPNOTSUPP;
2301
2302         if (!value || !size)
2303                 return -EACCES;
2304
2305         rc = security_context_to_sid((void*)value, size, &newsid);
2306         if (rc)
2307                 return rc;
2308
2309         isec->sid = newsid;
2310         return 0;
2311 }
2312
2313 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2314 {
2315         const int len = sizeof(XATTR_NAME_SELINUX);
2316         if (buffer && len <= buffer_size)
2317                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2318         return len;
2319 }
2320
2321 /* file security operations */
2322
2323 static int selinux_file_permission(struct file *file, int mask)
2324 {
2325         struct inode *inode = file->f_dentry->d_inode;
2326
2327         if (!mask) {
2328                 /* No permission to check.  Existence test. */
2329                 return 0;
2330         }
2331
2332         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2333         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2334                 mask |= MAY_APPEND;
2335
2336         return file_has_perm(current, file,
2337                              file_mask_to_av(inode->i_mode, mask));
2338 }
2339
2340 static int selinux_file_alloc_security(struct file *file)
2341 {
2342         return file_alloc_security(file);
2343 }
2344
2345 static void selinux_file_free_security(struct file *file)
2346 {
2347         file_free_security(file);
2348 }
2349
2350 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2351                               unsigned long arg)
2352 {
2353         int error = 0;
2354
2355         switch (cmd) {
2356                 case FIONREAD:
2357                 /* fall through */
2358                 case FIBMAP:
2359                 /* fall through */
2360                 case FIGETBSZ:
2361                 /* fall through */
2362                 case EXT2_IOC_GETFLAGS:
2363                 /* fall through */
2364                 case EXT2_IOC_GETVERSION:
2365                         error = file_has_perm(current, file, FILE__GETATTR);
2366                         break;
2367
2368                 case EXT2_IOC_SETFLAGS:
2369                 /* fall through */
2370                 case EXT2_IOC_SETVERSION:
2371                         error = file_has_perm(current, file, FILE__SETATTR);
2372                         break;
2373
2374                 /* sys_ioctl() checks */
2375                 case FIONBIO:
2376                 /* fall through */
2377                 case FIOASYNC:
2378                         error = file_has_perm(current, file, 0);
2379                         break;
2380
2381                 case KDSKBENT:
2382                 case KDSKBSENT:
2383                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2384                         break;
2385
2386                 /* default case assumes that the command will go
2387                  * to the file's ioctl() function.
2388                  */
2389                 default:
2390                         error = file_has_perm(current, file, FILE__IOCTL);
2391
2392         }
2393         return error;
2394 }
2395
2396 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2397 {
2398 #ifndef CONFIG_PPC32
2399         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2400                 /*
2401                  * We are making executable an anonymous mapping or a
2402                  * private file mapping that will also be writable.
2403                  * This has an additional check.
2404                  */
2405                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2406                 if (rc)
2407                         return rc;
2408         }
2409 #endif
2410
2411         if (file) {
2412                 /* read access is always possible with a mapping */
2413                 u32 av = FILE__READ;
2414
2415                 /* write access only matters if the mapping is shared */
2416                 if (shared && (prot & PROT_WRITE))
2417                         av |= FILE__WRITE;
2418
2419                 if (prot & PROT_EXEC)
2420                         av |= FILE__EXECUTE;
2421
2422                 return file_has_perm(current, file, av);
2423         }
2424         return 0;
2425 }
2426
2427 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2428                              unsigned long prot, unsigned long flags)
2429 {
2430         int rc;
2431
2432         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2433         if (rc)
2434                 return rc;
2435
2436         if (selinux_checkreqprot)
2437                 prot = reqprot;
2438
2439         return file_map_prot_check(file, prot,
2440                                    (flags & MAP_TYPE) == MAP_SHARED);
2441 }
2442
2443 static int selinux_file_mprotect(struct vm_area_struct *vma,
2444                                  unsigned long reqprot,
2445                                  unsigned long prot)
2446 {
2447         int rc;
2448
2449         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2450         if (rc)
2451                 return rc;
2452
2453         if (selinux_checkreqprot)
2454                 prot = reqprot;
2455
2456 #ifndef CONFIG_PPC32
2457         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2458                 rc = 0;
2459                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2460                     vma->vm_end <= vma->vm_mm->brk) {
2461                         rc = task_has_perm(current, current,
2462                                            PROCESS__EXECHEAP);
2463                 } else if (!vma->vm_file &&
2464                            vma->vm_start <= vma->vm_mm->start_stack &&
2465                            vma->vm_end >= vma->vm_mm->start_stack) {
2466                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2467                 } else if (vma->vm_file && vma->anon_vma) {
2468                         /*
2469                          * We are making executable a file mapping that has
2470                          * had some COW done. Since pages might have been
2471                          * written, check ability to execute the possibly
2472                          * modified content.  This typically should only
2473                          * occur for text relocations.
2474                          */
2475                         rc = file_has_perm(current, vma->vm_file,
2476                                            FILE__EXECMOD);
2477                 }
2478                 if (rc)
2479                         return rc;
2480         }
2481 #endif
2482
2483         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2484 }
2485
2486 static int selinux_file_lock(struct file *file, unsigned int cmd)
2487 {
2488         return file_has_perm(current, file, FILE__LOCK);
2489 }
2490
2491 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2492                               unsigned long arg)
2493 {
2494         int err = 0;
2495
2496         switch (cmd) {
2497                 case F_SETFL:
2498                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2499                                 err = -EINVAL;
2500                                 break;
2501                         }
2502
2503                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2504                                 err = file_has_perm(current, file,FILE__WRITE);
2505                                 break;
2506                         }
2507                         /* fall through */
2508                 case F_SETOWN:
2509                 case F_SETSIG:
2510                 case F_GETFL:
2511                 case F_GETOWN:
2512                 case F_GETSIG:
2513                         /* Just check FD__USE permission */
2514                         err = file_has_perm(current, file, 0);
2515                         break;
2516                 case F_GETLK:
2517                 case F_SETLK:
2518                 case F_SETLKW:
2519 #if BITS_PER_LONG == 32
2520                 case F_GETLK64:
2521                 case F_SETLK64:
2522                 case F_SETLKW64:
2523 #endif
2524                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2525                                 err = -EINVAL;
2526                                 break;
2527                         }
2528                         err = file_has_perm(current, file, FILE__LOCK);
2529                         break;
2530         }
2531
2532         return err;
2533 }
2534
2535 static int selinux_file_set_fowner(struct file *file)
2536 {
2537         struct task_security_struct *tsec;
2538         struct file_security_struct *fsec;
2539
2540         tsec = current->security;
2541         fsec = file->f_security;
2542         fsec->fown_sid = tsec->sid;
2543
2544         return 0;
2545 }
2546
2547 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2548                                        struct fown_struct *fown, int signum)
2549 {
2550         struct file *file;
2551         u32 perm;
2552         struct task_security_struct *tsec;
2553         struct file_security_struct *fsec;
2554
2555         /* struct fown_struct is never outside the context of a struct file */
2556         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2557
2558         tsec = tsk->security;
2559         fsec = file->f_security;
2560
2561         if (!signum)
2562                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2563         else
2564                 perm = signal_to_av(signum);
2565
2566         return avc_has_perm(fsec->fown_sid, tsec->sid,
2567                             SECCLASS_PROCESS, perm, NULL);
2568 }
2569
2570 static int selinux_file_receive(struct file *file)
2571 {
2572         return file_has_perm(current, file, file_to_av(file));
2573 }
2574
2575 /* task security operations */
2576
2577 static int selinux_task_create(unsigned long clone_flags)
2578 {
2579         int rc;
2580
2581         rc = secondary_ops->task_create(clone_flags);
2582         if (rc)
2583                 return rc;
2584
2585         return task_has_perm(current, current, PROCESS__FORK);
2586 }
2587
2588 static int selinux_task_alloc_security(struct task_struct *tsk)
2589 {
2590         struct task_security_struct *tsec1, *tsec2;
2591         int rc;
2592
2593         tsec1 = current->security;
2594
2595         rc = task_alloc_security(tsk);
2596         if (rc)
2597                 return rc;
2598         tsec2 = tsk->security;
2599
2600         tsec2->osid = tsec1->osid;
2601         tsec2->sid = tsec1->sid;
2602
2603         /* Retain the exec and create SIDs across fork */
2604         tsec2->exec_sid = tsec1->exec_sid;
2605         tsec2->create_sid = tsec1->create_sid;
2606
2607         /* Retain ptracer SID across fork, if any.
2608            This will be reset by the ptrace hook upon any
2609            subsequent ptrace_attach operations. */
2610         tsec2->ptrace_sid = tsec1->ptrace_sid;
2611
2612         return 0;
2613 }
2614
2615 static void selinux_task_free_security(struct task_struct *tsk)
2616 {
2617         task_free_security(tsk);
2618 }
2619
2620 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2621 {
2622         /* Since setuid only affects the current process, and
2623            since the SELinux controls are not based on the Linux
2624            identity attributes, SELinux does not need to control
2625            this operation.  However, SELinux does control the use
2626            of the CAP_SETUID and CAP_SETGID capabilities using the
2627            capable hook. */
2628         return 0;
2629 }
2630
2631 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2632 {
2633         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2634 }
2635
2636 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2637 {
2638         /* See the comment for setuid above. */
2639         return 0;
2640 }
2641
2642 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2643 {
2644         return task_has_perm(current, p, PROCESS__SETPGID);
2645 }
2646
2647 static int selinux_task_getpgid(struct task_struct *p)
2648 {
2649         return task_has_perm(current, p, PROCESS__GETPGID);
2650 }
2651
2652 static int selinux_task_getsid(struct task_struct *p)
2653 {
2654         return task_has_perm(current, p, PROCESS__GETSESSION);
2655 }
2656
2657 static int selinux_task_setgroups(struct group_info *group_info)
2658 {
2659         /* See the comment for setuid above. */
2660         return 0;
2661 }
2662
2663 static int selinux_task_setnice(struct task_struct *p, int nice)
2664 {
2665         int rc;
2666
2667         rc = secondary_ops->task_setnice(p, nice);
2668         if (rc)
2669                 return rc;
2670
2671         return task_has_perm(current,p, PROCESS__SETSCHED);
2672 }
2673
2674 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2675 {
2676         struct rlimit *old_rlim = current->signal->rlim + resource;
2677         int rc;
2678
2679         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2680         if (rc)
2681                 return rc;
2682
2683         /* Control the ability to change the hard limit (whether
2684            lowering or raising it), so that the hard limit can
2685            later be used as a safe reset point for the soft limit
2686            upon context transitions. See selinux_bprm_apply_creds. */
2687         if (old_rlim->rlim_max != new_rlim->rlim_max)
2688                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2689
2690         return 0;
2691 }
2692
2693 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2694 {
2695         return task_has_perm(current, p, PROCESS__SETSCHED);
2696 }
2697
2698 static int selinux_task_getscheduler(struct task_struct *p)
2699 {
2700         return task_has_perm(current, p, PROCESS__GETSCHED);
2701 }
2702
2703 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2704 {
2705         u32 perm;
2706         int rc;
2707
2708         rc = secondary_ops->task_kill(p, info, sig);
2709         if (rc)
2710                 return rc;
2711
2712         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2713                 return 0;
2714
2715         if (!sig)
2716                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2717         else
2718                 perm = signal_to_av(sig);
2719
2720         return task_has_perm(current, p, perm);
2721 }
2722
2723 static int selinux_task_prctl(int option,
2724                               unsigned long arg2,
2725                               unsigned long arg3,
2726                               unsigned long arg4,
2727                               unsigned long arg5)
2728 {
2729         /* The current prctl operations do not appear to require
2730            any SELinux controls since they merely observe or modify
2731            the state of the current process. */
2732         return 0;
2733 }
2734
2735 static int selinux_task_wait(struct task_struct *p)
2736 {
2737         u32 perm;
2738
2739         perm = signal_to_av(p->exit_signal);
2740
2741         return task_has_perm(p, current, perm);
2742 }
2743
2744 static void selinux_task_reparent_to_init(struct task_struct *p)
2745 {
2746         struct task_security_struct *tsec;
2747
2748         secondary_ops->task_reparent_to_init(p);
2749
2750         tsec = p->security;
2751         tsec->osid = tsec->sid;
2752         tsec->sid = SECINITSID_KERNEL;
2753         return;
2754 }
2755
2756 static void selinux_task_to_inode(struct task_struct *p,
2757                                   struct inode *inode)
2758 {
2759         struct task_security_struct *tsec = p->security;
2760         struct inode_security_struct *isec = inode->i_security;
2761
2762         isec->sid = tsec->sid;
2763         isec->initialized = 1;
2764         return;
2765 }
2766
2767 #ifdef CONFIG_SECURITY_NETWORK
2768
2769 /* Returns error only if unable to parse addresses */
2770 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2771 {
2772         int offset, ihlen, ret = -EINVAL;
2773         struct iphdr _iph, *ih;
2774
2775         offset = skb->nh.raw - skb->data;
2776         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2777         if (ih == NULL)
2778                 goto out;
2779
2780         ihlen = ih->ihl * 4;
2781         if (ihlen < sizeof(_iph))
2782                 goto out;
2783
2784         ad->u.net.v4info.saddr = ih->saddr;
2785         ad->u.net.v4info.daddr = ih->daddr;
2786         ret = 0;
2787
2788         switch (ih->protocol) {
2789         case IPPROTO_TCP: {
2790                 struct tcphdr _tcph, *th;
2791
2792                 if (ntohs(ih->frag_off) & IP_OFFSET)
2793                         break;
2794
2795                 offset += ihlen;
2796                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2797                 if (th == NULL)
2798                         break;
2799
2800                 ad->u.net.sport = th->source;
2801                 ad->u.net.dport = th->dest;
2802                 break;
2803         }
2804         
2805         case IPPROTO_UDP: {
2806                 struct udphdr _udph, *uh;
2807                 
2808                 if (ntohs(ih->frag_off) & IP_OFFSET)
2809                         break;
2810                         
2811                 offset += ihlen;
2812                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2813                 if (uh == NULL)
2814                         break;  
2815
2816                 ad->u.net.sport = uh->source;
2817                 ad->u.net.dport = uh->dest;
2818                 break;
2819         }
2820
2821         default:
2822                 break;
2823         }
2824 out:
2825         return ret;
2826 }
2827
2828 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2829
2830 /* Returns error only if unable to parse addresses */
2831 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2832 {
2833         u8 nexthdr;
2834         int ret = -EINVAL, offset;
2835         struct ipv6hdr _ipv6h, *ip6;
2836
2837         offset = skb->nh.raw - skb->data;
2838         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2839         if (ip6 == NULL)
2840                 goto out;
2841
2842         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2843         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2844         ret = 0;
2845
2846         nexthdr = ip6->nexthdr;
2847         offset += sizeof(_ipv6h);
2848         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2849         if (offset < 0)
2850                 goto out;
2851
2852         switch (nexthdr) {
2853         case IPPROTO_TCP: {
2854                 struct tcphdr _tcph, *th;
2855
2856                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2857                 if (th == NULL)
2858                         break;
2859
2860                 ad->u.net.sport = th->source;
2861                 ad->u.net.dport = th->dest;
2862                 break;
2863         }
2864
2865         case IPPROTO_UDP: {
2866                 struct udphdr _udph, *uh;
2867
2868                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2869                 if (uh == NULL)
2870                         break;
2871
2872                 ad->u.net.sport = uh->source;
2873                 ad->u.net.dport = uh->dest;
2874                 break;
2875         }
2876
2877         /* includes fragments */
2878         default:
2879                 break;
2880         }
2881 out:
2882         return ret;
2883 }
2884
2885 #endif /* IPV6 */
2886
2887 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2888                              char **addrp, int *len, int src)
2889 {
2890         int ret = 0;
2891
2892         switch (ad->u.net.family) {
2893         case PF_INET:
2894                 ret = selinux_parse_skb_ipv4(skb, ad);
2895                 if (ret || !addrp)
2896                         break;
2897                 *len = 4;
2898                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2899                                         &ad->u.net.v4info.daddr);
2900                 break;
2901
2902 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2903         case PF_INET6:
2904                 ret = selinux_parse_skb_ipv6(skb, ad);
2905                 if (ret || !addrp)
2906                         break;
2907                 *len = 16;
2908                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2909                                         &ad->u.net.v6info.daddr);
2910                 break;
2911 #endif  /* IPV6 */
2912         default:
2913                 break;
2914         }
2915
2916         return ret;
2917 }
2918
2919 /* socket security operations */
2920 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2921                            u32 perms)
2922 {
2923         struct inode_security_struct *isec;
2924         struct task_security_struct *tsec;
2925         struct avc_audit_data ad;
2926         int err = 0;
2927
2928         tsec = task->security;
2929         isec = SOCK_INODE(sock)->i_security;
2930
2931         if (isec->sid == SECINITSID_KERNEL)
2932                 goto out;
2933
2934         AVC_AUDIT_DATA_INIT(&ad,NET);
2935         ad.u.net.sk = sock->sk;
2936         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2937
2938 out:
2939         return err;
2940 }
2941
2942 static int selinux_socket_create(int family, int type,
2943                                  int protocol, int kern)
2944 {
2945         int err = 0;
2946         struct task_security_struct *tsec;
2947
2948         if (kern)
2949                 goto out;
2950
2951         tsec = current->security;
2952         err = avc_has_perm(tsec->sid, tsec->sid,
2953                            socket_type_to_security_class(family, type,
2954                            protocol), SOCKET__CREATE, NULL);
2955
2956 out:
2957         return err;
2958 }
2959
2960 static void selinux_socket_post_create(struct socket *sock, int family,
2961                                        int type, int protocol, int kern)
2962 {
2963         struct inode_security_struct *isec;
2964         struct task_security_struct *tsec;
2965
2966         isec = SOCK_INODE(sock)->i_security;
2967
2968         tsec = current->security;
2969         isec->sclass = socket_type_to_security_class(family, type, protocol);
2970         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2971         isec->initialized = 1;
2972
2973         return;
2974 }
2975
2976 /* Range of port numbers used to automatically bind.
2977    Need to determine whether we should perform a name_bind
2978    permission check between the socket and the port number. */
2979 #define ip_local_port_range_0 sysctl_local_port_range[0]
2980 #define ip_local_port_range_1 sysctl_local_port_range[1]
2981
2982 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2983 {
2984         u16 family;
2985         int err;
2986
2987         err = socket_has_perm(current, sock, SOCKET__BIND);
2988         if (err)
2989                 goto out;
2990
2991         /*
2992          * If PF_INET or PF_INET6, check name_bind permission for the port.
2993          * Multiple address binding for SCTP is not supported yet: we just
2994          * check the first address now.
2995          */
2996         family = sock->sk->sk_family;
2997         if (family == PF_INET || family == PF_INET6) {
2998                 char *addrp;
2999                 struct inode_security_struct *isec;
3000                 struct task_security_struct *tsec;
3001                 struct avc_audit_data ad;
3002                 struct sockaddr_in *addr4 = NULL;
3003                 struct sockaddr_in6 *addr6 = NULL;
3004                 unsigned short snum;
3005                 struct sock *sk = sock->sk;
3006                 u32 sid, node_perm, addrlen;
3007
3008                 tsec = current->security;
3009                 isec = SOCK_INODE(sock)->i_security;
3010
3011                 if (family == PF_INET) {
3012                         addr4 = (struct sockaddr_in *)address;
3013                         snum = ntohs(addr4->sin_port);
3014                         addrlen = sizeof(addr4->sin_addr.s_addr);
3015                         addrp = (char *)&addr4->sin_addr.s_addr;
3016                 } else {
3017                         addr6 = (struct sockaddr_in6 *)address;
3018                         snum = ntohs(addr6->sin6_port);
3019                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3020                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3021                 }
3022
3023                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3024                            snum > ip_local_port_range_1)) {
3025                         err = security_port_sid(sk->sk_family, sk->sk_type,
3026                                                 sk->sk_protocol, snum, &sid);
3027                         if (err)
3028                                 goto out;
3029                         AVC_AUDIT_DATA_INIT(&ad,NET);
3030                         ad.u.net.sport = htons(snum);
3031                         ad.u.net.family = family;
3032                         err = avc_has_perm(isec->sid, sid,
3033                                            isec->sclass,
3034                                            SOCKET__NAME_BIND, &ad);
3035                         if (err)
3036                                 goto out;
3037                 }
3038                 
3039                 switch(isec->sclass) {
3040                 case SECCLASS_TCP_SOCKET:
3041                         node_perm = TCP_SOCKET__NODE_BIND;
3042                         break;
3043                         
3044                 case SECCLASS_UDP_SOCKET:
3045                         node_perm = UDP_SOCKET__NODE_BIND;
3046                         break;
3047                         
3048                 default:
3049                         node_perm = RAWIP_SOCKET__NODE_BIND;
3050                         break;
3051                 }
3052                 
3053                 err = security_node_sid(family, addrp, addrlen, &sid);
3054                 if (err)
3055                         goto out;
3056                 
3057                 AVC_AUDIT_DATA_INIT(&ad,NET);
3058                 ad.u.net.sport = htons(snum);
3059                 ad.u.net.family = family;
3060
3061                 if (family == PF_INET)
3062                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3063                 else
3064                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3065
3066                 err = avc_has_perm(isec->sid, sid,
3067                                    isec->sclass, node_perm, &ad);
3068                 if (err)
3069                         goto out;
3070         }
3071 out:
3072         return err;
3073 }
3074
3075 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3076 {
3077         struct inode_security_struct *isec;
3078         int err;
3079
3080         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3081         if (err)
3082                 return err;
3083
3084         /*
3085          * If a TCP socket, check name_connect permission for the port.
3086          */
3087         isec = SOCK_INODE(sock)->i_security;
3088         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3089                 struct sock *sk = sock->sk;
3090                 struct avc_audit_data ad;
3091                 struct sockaddr_in *addr4 = NULL;
3092                 struct sockaddr_in6 *addr6 = NULL;
3093                 unsigned short snum;
3094                 u32 sid;
3095
3096                 if (sk->sk_family == PF_INET) {
3097                         addr4 = (struct sockaddr_in *)address;
3098                         if (addrlen < sizeof(struct sockaddr_in))
3099                                 return -EINVAL;
3100                         snum = ntohs(addr4->sin_port);
3101                 } else {
3102                         addr6 = (struct sockaddr_in6 *)address;
3103                         if (addrlen < SIN6_LEN_RFC2133)
3104                                 return -EINVAL;
3105                         snum = ntohs(addr6->sin6_port);
3106                 }
3107
3108                 err = security_port_sid(sk->sk_family, sk->sk_type,
3109                                         sk->sk_protocol, snum, &sid);
3110                 if (err)
3111                         goto out;
3112
3113                 AVC_AUDIT_DATA_INIT(&ad,NET);
3114                 ad.u.net.dport = htons(snum);
3115                 ad.u.net.family = sk->sk_family;
3116                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3117                                    TCP_SOCKET__NAME_CONNECT, &ad);
3118                 if (err)
3119                         goto out;
3120         }
3121
3122 out:
3123         return err;
3124 }
3125
3126 static int selinux_socket_listen(struct socket *sock, int backlog)
3127 {
3128         return socket_has_perm(current, sock, SOCKET__LISTEN);
3129 }
3130
3131 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3132 {
3133         int err;
3134         struct inode_security_struct *isec;
3135         struct inode_security_struct *newisec;
3136
3137         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3138         if (err)
3139                 return err;
3140
3141         newisec = SOCK_INODE(newsock)->i_security;
3142
3143         isec = SOCK_INODE(sock)->i_security;
3144         newisec->sclass = isec->sclass;
3145         newisec->sid = isec->sid;
3146         newisec->initialized = 1;
3147
3148         return 0;
3149 }
3150
3151 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3152                                   int size)
3153 {
3154         return socket_has_perm(current, sock, SOCKET__WRITE);
3155 }
3156
3157 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3158                                   int size, int flags)
3159 {
3160         return socket_has_perm(current, sock, SOCKET__READ);
3161 }
3162
3163 static int selinux_socket_getsockname(struct socket *sock)
3164 {
3165         return socket_has_perm(current, sock, SOCKET__GETATTR);
3166 }
3167
3168 static int selinux_socket_getpeername(struct socket *sock)
3169 {
3170         return socket_has_perm(current, sock, SOCKET__GETATTR);
3171 }
3172
3173 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3174 {
3175         return socket_has_perm(current, sock, SOCKET__SETOPT);
3176 }
3177
3178 static int selinux_socket_getsockopt(struct socket *sock, int level,
3179                                      int optname)
3180 {
3181         return socket_has_perm(current, sock, SOCKET__GETOPT);
3182 }
3183
3184 static int selinux_socket_shutdown(struct socket *sock, int how)
3185 {
3186         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3187 }
3188
3189 static int selinux_socket_unix_stream_connect(struct socket *sock,
3190                                               struct socket *other,
3191                                               struct sock *newsk)
3192 {
3193         struct sk_security_struct *ssec;
3194         struct inode_security_struct *isec;
3195         struct inode_security_struct *other_isec;
3196         struct avc_audit_data ad;
3197         int err;
3198
3199         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3200         if (err)
3201                 return err;
3202
3203         isec = SOCK_INODE(sock)->i_security;
3204         other_isec = SOCK_INODE(other)->i_security;
3205
3206         AVC_AUDIT_DATA_INIT(&ad,NET);
3207         ad.u.net.sk = other->sk;
3208
3209         err = avc_has_perm(isec->sid, other_isec->sid,
3210                            isec->sclass,
3211                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3212         if (err)
3213                 return err;
3214
3215         /* connecting socket */
3216         ssec = sock->sk->sk_security;
3217         ssec->peer_sid = other_isec->sid;
3218         
3219         /* server child socket */
3220         ssec = newsk->sk_security;
3221         ssec->peer_sid = isec->sid;
3222         
3223         return 0;
3224 }
3225
3226 static int selinux_socket_unix_may_send(struct socket *sock,
3227                                         struct socket *other)
3228 {
3229         struct inode_security_struct *isec;
3230         struct inode_security_struct *other_isec;
3231         struct avc_audit_data ad;
3232         int err;
3233
3234         isec = SOCK_INODE(sock)->i_security;
3235         other_isec = SOCK_INODE(other)->i_security;
3236
3237         AVC_AUDIT_DATA_INIT(&ad,NET);
3238         ad.u.net.sk = other->sk;
3239
3240         err = avc_has_perm(isec->sid, other_isec->sid,
3241                            isec->sclass, SOCKET__SENDTO, &ad);
3242         if (err)
3243                 return err;
3244
3245         return 0;
3246 }
3247
3248 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3249 {
3250         u16 family;
3251         char *addrp;
3252         int len, err = 0;
3253         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3254         u32 sock_sid = 0;
3255         u16 sock_class = 0;
3256         struct socket *sock;
3257         struct net_device *dev;
3258         struct avc_audit_data ad;
3259
3260         family = sk->sk_family;
3261         if (family != PF_INET && family != PF_INET6)
3262                 goto out;
3263
3264         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3265         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3266                 family = PF_INET;
3267
3268         read_lock_bh(&sk->sk_callback_lock);
3269         sock = sk->sk_socket;
3270         if (sock) {
3271                 struct inode *inode;
3272                 inode = SOCK_INODE(sock);
3273                 if (inode) {
3274                         struct inode_security_struct *isec;
3275                         isec = inode->i_security;
3276                         sock_sid = isec->sid;
3277                         sock_class = isec->sclass;
3278                 }
3279         }
3280         read_unlock_bh(&sk->sk_callback_lock);
3281         if (!sock_sid)
3282                 goto out;
3283
3284         dev = skb->dev;
3285         if (!dev)
3286                 goto out;
3287
3288         err = sel_netif_sids(dev, &if_sid, NULL);
3289         if (err)
3290                 goto out;
3291
3292         switch (sock_class) {
3293         case SECCLASS_UDP_SOCKET:
3294                 netif_perm = NETIF__UDP_RECV;
3295                 node_perm = NODE__UDP_RECV;
3296                 recv_perm = UDP_SOCKET__RECV_MSG;
3297                 break;
3298         
3299         case SECCLASS_TCP_SOCKET:
3300                 netif_perm = NETIF__TCP_RECV;
3301                 node_perm = NODE__TCP_RECV;
3302                 recv_perm = TCP_SOCKET__RECV_MSG;