[PATCH] keys: Discard duplicate keys from a keyring on link
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 /* Allocate and free functions for each kind of security blob. */
121
122 static int task_alloc_security(struct task_struct *task)
123 {
124         struct task_security_struct *tsec;
125
126         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
127         if (!tsec)
128                 return -ENOMEM;
129
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         fsec->magic = SELINUX_MAGIC;
200         fsec->file = file;
201         if (tsec && tsec->magic == SELINUX_MAGIC) {
202                 fsec->sid = tsec->sid;
203                 fsec->fown_sid = tsec->sid;
204         } else {
205                 fsec->sid = SECINITSID_UNLABELED;
206                 fsec->fown_sid = SECINITSID_UNLABELED;
207         }
208         file->f_security = fsec;
209
210         return 0;
211 }
212
213 static void file_free_security(struct file *file)
214 {
215         struct file_security_struct *fsec = file->f_security;
216
217         if (!fsec || fsec->magic != SELINUX_MAGIC)
218                 return;
219
220         file->f_security = NULL;
221         kfree(fsec);
222 }
223
224 static int superblock_alloc_security(struct super_block *sb)
225 {
226         struct superblock_security_struct *sbsec;
227
228         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229         if (!sbsec)
230                 return -ENOMEM;
231
232         init_MUTEX(&sbsec->sem);
233         INIT_LIST_HEAD(&sbsec->list);
234         INIT_LIST_HEAD(&sbsec->isec_head);
235         spin_lock_init(&sbsec->isec_lock);
236         sbsec->magic = SELINUX_MAGIC;
237         sbsec->sb = sb;
238         sbsec->sid = SECINITSID_UNLABELED;
239         sbsec->def_sid = SECINITSID_FILE;
240         sb->s_security = sbsec;
241
242         return 0;
243 }
244
245 static void superblock_free_security(struct super_block *sb)
246 {
247         struct superblock_security_struct *sbsec = sb->s_security;
248
249         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250                 return;
251
252         spin_lock(&sb_security_lock);
253         if (!list_empty(&sbsec->list))
254                 list_del_init(&sbsec->list);
255         spin_unlock(&sb_security_lock);
256
257         sb->s_security = NULL;
258         kfree(sbsec);
259 }
260
261 #ifdef CONFIG_SECURITY_NETWORK
262 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
263 {
264         struct sk_security_struct *ssec;
265
266         if (family != PF_UNIX)
267                 return 0;
268
269         ssec = kzalloc(sizeof(*ssec), priority);
270         if (!ssec)
271                 return -ENOMEM;
272
273         ssec->magic = SELINUX_MAGIC;
274         ssec->sk = sk;
275         ssec->peer_sid = SECINITSID_UNLABELED;
276         sk->sk_security = ssec;
277
278         return 0;
279 }
280
281 static void sk_free_security(struct sock *sk)
282 {
283         struct sk_security_struct *ssec = sk->sk_security;
284
285         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
286                 return;
287
288         sk->sk_security = NULL;
289         kfree(ssec);
290 }
291 #endif  /* CONFIG_SECURITY_NETWORK */
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_context = 1,
317         Opt_fscontext = 2,
318         Opt_defcontext = 4,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325 };
326
327 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
328
329 static int try_context_mount(struct super_block *sb, void *data)
330 {
331         char *context = NULL, *defcontext = NULL;
332         const char *name;
333         u32 sid;
334         int alloc = 0, rc = 0, seen = 0;
335         struct task_security_struct *tsec = current->security;
336         struct superblock_security_struct *sbsec = sb->s_security;
337
338         if (!data)
339                 goto out;
340
341         name = sb->s_type->name;
342
343         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344
345                 /* NFS we understand. */
346                 if (!strcmp(name, "nfs")) {
347                         struct nfs_mount_data *d = data;
348
349                         if (d->version <  NFS_MOUNT_VERSION)
350                                 goto out;
351
352                         if (d->context[0]) {
353                                 context = d->context;
354                                 seen |= Opt_context;
355                         }
356                 } else
357                         goto out;
358
359         } else {
360                 /* Standard string-based options. */
361                 char *p, *options = data;
362
363                 while ((p = strsep(&options, ",")) != NULL) {
364                         int token;
365                         substring_t args[MAX_OPT_ARGS];
366
367                         if (!*p)
368                                 continue;
369
370                         token = match_token(p, tokens, args);
371
372                         switch (token) {
373                         case Opt_context:
374                                 if (seen) {
375                                         rc = -EINVAL;
376                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377                                         goto out_free;
378                                 }
379                                 context = match_strdup(&args[0]);
380                                 if (!context) {
381                                         rc = -ENOMEM;
382                                         goto out_free;
383                                 }
384                                 if (!alloc)
385                                         alloc = 1;
386                                 seen |= Opt_context;
387                                 break;
388
389                         case Opt_fscontext:
390                                 if (seen & (Opt_context|Opt_fscontext)) {
391                                         rc = -EINVAL;
392                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
393                                         goto out_free;
394                                 }
395                                 context = match_strdup(&args[0]);
396                                 if (!context) {
397                                         rc = -ENOMEM;
398                                         goto out_free;
399                                 }
400                                 if (!alloc)
401                                         alloc = 1;
402                                 seen |= Opt_fscontext;
403                                 break;
404
405                         case Opt_defcontext:
406                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
407                                         rc = -EINVAL;
408                                         printk(KERN_WARNING "SELinux:  "
409                                                "defcontext option is invalid "
410                                                "for this filesystem type\n");
411                                         goto out_free;
412                                 }
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 defcontext = match_strdup(&args[0]);
419                                 if (!defcontext) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_defcontext;
426                                 break;
427
428                         default:
429                                 rc = -EINVAL;
430                                 printk(KERN_WARNING "SELinux:  unknown mount "
431                                        "option\n");
432                                 goto out_free;
433
434                         }
435                 }
436         }
437
438         if (!seen)
439                 goto out;
440
441         if (context) {
442                 rc = security_context_to_sid(context, strlen(context), &sid);
443                 if (rc) {
444                         printk(KERN_WARNING "SELinux: security_context_to_sid"
445                                "(%s) failed for (dev %s, type %s) errno=%d\n",
446                                context, sb->s_id, name, rc);
447                         goto out_free;
448                 }
449
450                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
451                                   FILESYSTEM__RELABELFROM, NULL);
452                 if (rc)
453                         goto out_free;
454
455                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
456                                   FILESYSTEM__RELABELTO, NULL);
457                 if (rc)
458                         goto out_free;
459
460                 sbsec->sid = sid;
461
462                 if (seen & Opt_context)
463                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
464         }
465
466         if (defcontext) {
467                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
468                 if (rc) {
469                         printk(KERN_WARNING "SELinux: security_context_to_sid"
470                                "(%s) failed for (dev %s, type %s) errno=%d\n",
471                                defcontext, sb->s_id, name, rc);
472                         goto out_free;
473                 }
474
475                 if (sid == sbsec->def_sid)
476                         goto out_free;
477
478                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
479                                   FILESYSTEM__RELABELFROM, NULL);
480                 if (rc)
481                         goto out_free;
482
483                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
484                                   FILESYSTEM__ASSOCIATE, NULL);
485                 if (rc)
486                         goto out_free;
487
488                 sbsec->def_sid = sid;
489         }
490
491 out_free:
492         if (alloc) {
493                 kfree(context);
494                 kfree(defcontext);
495         }
496 out:
497         return rc;
498 }
499
500 static int superblock_doinit(struct super_block *sb, void *data)
501 {
502         struct superblock_security_struct *sbsec = sb->s_security;
503         struct dentry *root = sb->s_root;
504         struct inode *inode = root->d_inode;
505         int rc = 0;
506
507         down(&sbsec->sem);
508         if (sbsec->initialized)
509                 goto out;
510
511         if (!ss_initialized) {
512                 /* Defer initialization until selinux_complete_init,
513                    after the initial policy is loaded and the security
514                    server is ready to handle calls. */
515                 spin_lock(&sb_security_lock);
516                 if (list_empty(&sbsec->list))
517                         list_add(&sbsec->list, &superblock_security_head);
518                 spin_unlock(&sb_security_lock);
519                 goto out;
520         }
521
522         /* Determine the labeling behavior to use for this filesystem type. */
523         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
524         if (rc) {
525                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
526                        __FUNCTION__, sb->s_type->name, rc);
527                 goto out;
528         }
529
530         rc = try_context_mount(sb, data);
531         if (rc)
532                 goto out;
533
534         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
535                 /* Make sure that the xattr handler exists and that no
536                    error other than -ENODATA is returned by getxattr on
537                    the root directory.  -ENODATA is ok, as this may be
538                    the first boot of the SELinux kernel before we have
539                    assigned xattr values to the filesystem. */
540                 if (!inode->i_op->getxattr) {
541                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
542                                "xattr support\n", sb->s_id, sb->s_type->name);
543                         rc = -EOPNOTSUPP;
544                         goto out;
545                 }
546                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
547                 if (rc < 0 && rc != -ENODATA) {
548                         if (rc == -EOPNOTSUPP)
549                                 printk(KERN_WARNING "SELinux: (dev %s, type "
550                                        "%s) has no security xattr handler\n",
551                                        sb->s_id, sb->s_type->name);
552                         else
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) getxattr errno %d\n", sb->s_id,
555                                        sb->s_type->name, -rc);
556                         goto out;
557                 }
558         }
559
560         if (strcmp(sb->s_type->name, "proc") == 0)
561                 sbsec->proc = 1;
562
563         sbsec->initialized = 1;
564
565         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
566                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
567                        sb->s_id, sb->s_type->name);
568         }
569         else {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
571                        sb->s_id, sb->s_type->name,
572                        labeling_behaviors[sbsec->behavior-1]);
573         }
574
575         /* Initialize the root inode. */
576         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
577
578         /* Initialize any other inodes associated with the superblock, e.g.
579            inodes created prior to initial policy load or inodes created
580            during get_sb by a pseudo filesystem that directly
581            populates itself. */
582         spin_lock(&sbsec->isec_lock);
583 next_inode:
584         if (!list_empty(&sbsec->isec_head)) {
585                 struct inode_security_struct *isec =
586                                 list_entry(sbsec->isec_head.next,
587                                            struct inode_security_struct, list);
588                 struct inode *inode = isec->inode;
589                 spin_unlock(&sbsec->isec_lock);
590                 inode = igrab(inode);
591                 if (inode) {
592                         if (!IS_PRIVATE (inode))
593                                 inode_doinit(inode);
594                         iput(inode);
595                 }
596                 spin_lock(&sbsec->isec_lock);
597                 list_del_init(&isec->list);
598                 goto next_inode;
599         }
600         spin_unlock(&sbsec->isec_lock);
601 out:
602         up(&sbsec->sem);
603         return rc;
604 }
605
606 static inline u16 inode_mode_to_security_class(umode_t mode)
607 {
608         switch (mode & S_IFMT) {
609         case S_IFSOCK:
610                 return SECCLASS_SOCK_FILE;
611         case S_IFLNK:
612                 return SECCLASS_LNK_FILE;
613         case S_IFREG:
614                 return SECCLASS_FILE;
615         case S_IFBLK:
616                 return SECCLASS_BLK_FILE;
617         case S_IFDIR:
618                 return SECCLASS_DIR;
619         case S_IFCHR:
620                 return SECCLASS_CHR_FILE;
621         case S_IFIFO:
622                 return SECCLASS_FIFO_FILE;
623
624         }
625
626         return SECCLASS_FILE;
627 }
628
629 static inline int default_protocol_stream(int protocol)
630 {
631         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
632 }
633
634 static inline int default_protocol_dgram(int protocol)
635 {
636         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
637 }
638
639 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 {
641         switch (family) {
642         case PF_UNIX:
643                 switch (type) {
644                 case SOCK_STREAM:
645                 case SOCK_SEQPACKET:
646                         return SECCLASS_UNIX_STREAM_SOCKET;
647                 case SOCK_DGRAM:
648                         return SECCLASS_UNIX_DGRAM_SOCKET;
649                 }
650                 break;
651         case PF_INET:
652         case PF_INET6:
653                 switch (type) {
654                 case SOCK_STREAM:
655                         if (default_protocol_stream(protocol))
656                                 return SECCLASS_TCP_SOCKET;
657                         else
658                                 return SECCLASS_RAWIP_SOCKET;
659                 case SOCK_DGRAM:
660                         if (default_protocol_dgram(protocol))
661                                 return SECCLASS_UDP_SOCKET;
662                         else
663                                 return SECCLASS_RAWIP_SOCKET;
664                 default:
665                         return SECCLASS_RAWIP_SOCKET;
666                 }
667                 break;
668         case PF_NETLINK:
669                 switch (protocol) {
670                 case NETLINK_ROUTE:
671                         return SECCLASS_NETLINK_ROUTE_SOCKET;
672                 case NETLINK_FIREWALL:
673                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
674                 case NETLINK_INET_DIAG:
675                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
676                 case NETLINK_NFLOG:
677                         return SECCLASS_NETLINK_NFLOG_SOCKET;
678                 case NETLINK_XFRM:
679                         return SECCLASS_NETLINK_XFRM_SOCKET;
680                 case NETLINK_SELINUX:
681                         return SECCLASS_NETLINK_SELINUX_SOCKET;
682                 case NETLINK_AUDIT:
683                         return SECCLASS_NETLINK_AUDIT_SOCKET;
684                 case NETLINK_IP6_FW:
685                         return SECCLASS_NETLINK_IP6FW_SOCKET;
686                 case NETLINK_DNRTMSG:
687                         return SECCLASS_NETLINK_DNRT_SOCKET;
688                 case NETLINK_KOBJECT_UEVENT:
689                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
690                 default:
691                         return SECCLASS_NETLINK_SOCKET;
692                 }
693         case PF_PACKET:
694                 return SECCLASS_PACKET_SOCKET;
695         case PF_KEY:
696                 return SECCLASS_KEY_SOCKET;
697         }
698
699         return SECCLASS_SOCKET;
700 }
701
702 #ifdef CONFIG_PROC_FS
703 static int selinux_proc_get_sid(struct proc_dir_entry *de,
704                                 u16 tclass,
705                                 u32 *sid)
706 {
707         int buflen, rc;
708         char *buffer, *path, *end;
709
710         buffer = (char*)__get_free_page(GFP_KERNEL);
711         if (!buffer)
712                 return -ENOMEM;
713
714         buflen = PAGE_SIZE;
715         end = buffer+buflen;
716         *--end = '\0';
717         buflen--;
718         path = end-1;
719         *path = '/';
720         while (de && de != de->parent) {
721                 buflen -= de->namelen + 1;
722                 if (buflen < 0)
723                         break;
724                 end -= de->namelen;
725                 memcpy(end, de->name, de->namelen);
726                 *--end = '/';
727                 path = end;
728                 de = de->parent;
729         }
730         rc = security_genfs_sid("proc", path, tclass, sid);
731         free_page((unsigned long)buffer);
732         return rc;
733 }
734 #else
735 static int selinux_proc_get_sid(struct proc_dir_entry *de,
736                                 u16 tclass,
737                                 u32 *sid)
738 {
739         return -EINVAL;
740 }
741 #endif
742
743 /* The inode's security attributes must be initialized before first use. */
744 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
745 {
746         struct superblock_security_struct *sbsec = NULL;
747         struct inode_security_struct *isec = inode->i_security;
748         u32 sid;
749         struct dentry *dentry;
750 #define INITCONTEXTLEN 255
751         char *context = NULL;
752         unsigned len = 0;
753         int rc = 0;
754         int hold_sem = 0;
755
756         if (isec->initialized)
757                 goto out;
758
759         down(&isec->sem);
760         hold_sem = 1;
761         if (isec->initialized)
762                 goto out;
763
764         sbsec = inode->i_sb->s_security;
765         if (!sbsec->initialized) {
766                 /* Defer initialization until selinux_complete_init,
767                    after the initial policy is loaded and the security
768                    server is ready to handle calls. */
769                 spin_lock(&sbsec->isec_lock);
770                 if (list_empty(&isec->list))
771                         list_add(&isec->list, &sbsec->isec_head);
772                 spin_unlock(&sbsec->isec_lock);
773                 goto out;
774         }
775
776         switch (sbsec->behavior) {
777         case SECURITY_FS_USE_XATTR:
778                 if (!inode->i_op->getxattr) {
779                         isec->sid = sbsec->def_sid;
780                         break;
781                 }
782
783                 /* Need a dentry, since the xattr API requires one.
784                    Life would be simpler if we could just pass the inode. */
785                 if (opt_dentry) {
786                         /* Called from d_instantiate or d_splice_alias. */
787                         dentry = dget(opt_dentry);
788                 } else {
789                         /* Called from selinux_complete_init, try to find a dentry. */
790                         dentry = d_find_alias(inode);
791                 }
792                 if (!dentry) {
793                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
794                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
795                                inode->i_ino);
796                         goto out;
797                 }
798
799                 len = INITCONTEXTLEN;
800                 context = kmalloc(len, GFP_KERNEL);
801                 if (!context) {
802                         rc = -ENOMEM;
803                         dput(dentry);
804                         goto out;
805                 }
806                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
807                                            context, len);
808                 if (rc == -ERANGE) {
809                         /* Need a larger buffer.  Query for the right size. */
810                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
811                                                    NULL, 0);
812                         if (rc < 0) {
813                                 dput(dentry);
814                                 goto out;
815                         }
816                         kfree(context);
817                         len = rc;
818                         context = kmalloc(len, GFP_KERNEL);
819                         if (!context) {
820                                 rc = -ENOMEM;
821                                 dput(dentry);
822                                 goto out;
823                         }
824                         rc = inode->i_op->getxattr(dentry,
825                                                    XATTR_NAME_SELINUX,
826                                                    context, len);
827                 }
828                 dput(dentry);
829                 if (rc < 0) {
830                         if (rc != -ENODATA) {
831                                 printk(KERN_WARNING "%s:  getxattr returned "
832                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
833                                        -rc, inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 goto out;
836                         }
837                         /* Map ENODATA to the default file SID */
838                         sid = sbsec->def_sid;
839                         rc = 0;
840                 } else {
841                         rc = security_context_to_sid_default(context, rc, &sid,
842                                                              sbsec->def_sid);
843                         if (rc) {
844                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
845                                        "returned %d for dev=%s ino=%ld\n",
846                                        __FUNCTION__, context, -rc,
847                                        inode->i_sb->s_id, inode->i_ino);
848                                 kfree(context);
849                                 /* Leave with the unlabeled SID */
850                                 rc = 0;
851                                 break;
852                         }
853                 }
854                 kfree(context);
855                 isec->sid = sid;
856                 break;
857         case SECURITY_FS_USE_TASK:
858                 isec->sid = isec->task_sid;
859                 break;
860         case SECURITY_FS_USE_TRANS:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 /* Try to obtain a transition SID. */
865                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866                 rc = security_transition_sid(isec->task_sid,
867                                              sbsec->sid,
868                                              isec->sclass,
869                                              &sid);
870                 if (rc)
871                         goto out;
872                 isec->sid = sid;
873                 break;
874         default:
875                 /* Default to the fs SID. */
876                 isec->sid = sbsec->sid;
877
878                 if (sbsec->proc) {
879                         struct proc_inode *proci = PROC_I(inode);
880                         if (proci->pde) {
881                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882                                 rc = selinux_proc_get_sid(proci->pde,
883                                                           isec->sclass,
884                                                           &sid);
885                                 if (rc)
886                                         goto out;
887                                 isec->sid = sid;
888                         }
889                 }
890                 break;
891         }
892
893         isec->initialized = 1;
894
895 out:
896         if (isec->sclass == SECCLASS_FILE)
897                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
898
899         if (hold_sem)
900                 up(&isec->sem);
901         return rc;
902 }
903
904 /* Convert a Linux signal to an access vector. */
905 static inline u32 signal_to_av(int sig)
906 {
907         u32 perm = 0;
908
909         switch (sig) {
910         case SIGCHLD:
911                 /* Commonly granted from child to parent. */
912                 perm = PROCESS__SIGCHLD;
913                 break;
914         case SIGKILL:
915                 /* Cannot be caught or ignored */
916                 perm = PROCESS__SIGKILL;
917                 break;
918         case SIGSTOP:
919                 /* Cannot be caught or ignored */
920                 perm = PROCESS__SIGSTOP;
921                 break;
922         default:
923                 /* All other signals. */
924                 perm = PROCESS__SIGNAL;
925                 break;
926         }
927
928         return perm;
929 }
930
931 /* Check permission betweeen a pair of tasks, e.g. signal checks,
932    fork check, ptrace check, etc. */
933 static int task_has_perm(struct task_struct *tsk1,
934                          struct task_struct *tsk2,
935                          u32 perms)
936 {
937         struct task_security_struct *tsec1, *tsec2;
938
939         tsec1 = tsk1->security;
940         tsec2 = tsk2->security;
941         return avc_has_perm(tsec1->sid, tsec2->sid,
942                             SECCLASS_PROCESS, perms, NULL);
943 }
944
945 /* Check whether a task is allowed to use a capability. */
946 static int task_has_capability(struct task_struct *tsk,
947                                int cap)
948 {
949         struct task_security_struct *tsec;
950         struct avc_audit_data ad;
951
952         tsec = tsk->security;
953
954         AVC_AUDIT_DATA_INIT(&ad,CAP);
955         ad.tsk = tsk;
956         ad.u.cap = cap;
957
958         return avc_has_perm(tsec->sid, tsec->sid,
959                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
960 }
961
962 /* Check whether a task is allowed to use a system operation. */
963 static int task_has_system(struct task_struct *tsk,
964                            u32 perms)
965 {
966         struct task_security_struct *tsec;
967
968         tsec = tsk->security;
969
970         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
971                             SECCLASS_SYSTEM, perms, NULL);
972 }
973
974 /* Check whether a task has a particular permission to an inode.
975    The 'adp' parameter is optional and allows other audit
976    data to be passed (e.g. the dentry). */
977 static int inode_has_perm(struct task_struct *tsk,
978                           struct inode *inode,
979                           u32 perms,
980                           struct avc_audit_data *adp)
981 {
982         struct task_security_struct *tsec;
983         struct inode_security_struct *isec;
984         struct avc_audit_data ad;
985
986         tsec = tsk->security;
987         isec = inode->i_security;
988
989         if (!adp) {
990                 adp = &ad;
991                 AVC_AUDIT_DATA_INIT(&ad, FS);
992                 ad.u.fs.inode = inode;
993         }
994
995         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
996 }
997
998 /* Same as inode_has_perm, but pass explicit audit data containing
999    the dentry to help the auditing code to more easily generate the
1000    pathname if needed. */
1001 static inline int dentry_has_perm(struct task_struct *tsk,
1002                                   struct vfsmount *mnt,
1003                                   struct dentry *dentry,
1004                                   u32 av)
1005 {
1006         struct inode *inode = dentry->d_inode;
1007         struct avc_audit_data ad;
1008         AVC_AUDIT_DATA_INIT(&ad,FS);
1009         ad.u.fs.mnt = mnt;
1010         ad.u.fs.dentry = dentry;
1011         return inode_has_perm(tsk, inode, av, &ad);
1012 }
1013
1014 /* Check whether a task can use an open file descriptor to
1015    access an inode in a given way.  Check access to the
1016    descriptor itself, and then use dentry_has_perm to
1017    check a particular permission to the file.
1018    Access to the descriptor is implicitly granted if it
1019    has the same SID as the process.  If av is zero, then
1020    access to the file is not checked, e.g. for cases
1021    where only the descriptor is affected like seek. */
1022 static inline int file_has_perm(struct task_struct *tsk,
1023                                 struct file *file,
1024                                 u32 av)
1025 {
1026         struct task_security_struct *tsec = tsk->security;
1027         struct file_security_struct *fsec = file->f_security;
1028         struct vfsmount *mnt = file->f_vfsmnt;
1029         struct dentry *dentry = file->f_dentry;
1030         struct inode *inode = dentry->d_inode;
1031         struct avc_audit_data ad;
1032         int rc;
1033
1034         AVC_AUDIT_DATA_INIT(&ad, FS);
1035         ad.u.fs.mnt = mnt;
1036         ad.u.fs.dentry = dentry;
1037
1038         if (tsec->sid != fsec->sid) {
1039                 rc = avc_has_perm(tsec->sid, fsec->sid,
1040                                   SECCLASS_FD,
1041                                   FD__USE,
1042                                   &ad);
1043                 if (rc)
1044                         return rc;
1045         }
1046
1047         /* av is zero if only checking access to the descriptor. */
1048         if (av)
1049                 return inode_has_perm(tsk, inode, av, &ad);
1050
1051         return 0;
1052 }
1053
1054 /* Check whether a task can create a file. */
1055 static int may_create(struct inode *dir,
1056                       struct dentry *dentry,
1057                       u16 tclass)
1058 {
1059         struct task_security_struct *tsec;
1060         struct inode_security_struct *dsec;
1061         struct superblock_security_struct *sbsec;
1062         u32 newsid;
1063         struct avc_audit_data ad;
1064         int rc;
1065
1066         tsec = current->security;
1067         dsec = dir->i_security;
1068         sbsec = dir->i_sb->s_security;
1069
1070         AVC_AUDIT_DATA_INIT(&ad, FS);
1071         ad.u.fs.dentry = dentry;
1072
1073         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1074                           DIR__ADD_NAME | DIR__SEARCH,
1075                           &ad);
1076         if (rc)
1077                 return rc;
1078
1079         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1080                 newsid = tsec->create_sid;
1081         } else {
1082                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083                                              &newsid);
1084                 if (rc)
1085                         return rc;
1086         }
1087
1088         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1089         if (rc)
1090                 return rc;
1091
1092         return avc_has_perm(newsid, sbsec->sid,
1093                             SECCLASS_FILESYSTEM,
1094                             FILESYSTEM__ASSOCIATE, &ad);
1095 }
1096
1097 #define MAY_LINK   0
1098 #define MAY_UNLINK 1
1099 #define MAY_RMDIR  2
1100
1101 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1102 static int may_link(struct inode *dir,
1103                     struct dentry *dentry,
1104                     int kind)
1105
1106 {
1107         struct task_security_struct *tsec;
1108         struct inode_security_struct *dsec, *isec;
1109         struct avc_audit_data ad;
1110         u32 av;
1111         int rc;
1112
1113         tsec = current->security;
1114         dsec = dir->i_security;
1115         isec = dentry->d_inode->i_security;
1116
1117         AVC_AUDIT_DATA_INIT(&ad, FS);
1118         ad.u.fs.dentry = dentry;
1119
1120         av = DIR__SEARCH;
1121         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1122         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1123         if (rc)
1124                 return rc;
1125
1126         switch (kind) {
1127         case MAY_LINK:
1128                 av = FILE__LINK;
1129                 break;
1130         case MAY_UNLINK:
1131                 av = FILE__UNLINK;
1132                 break;
1133         case MAY_RMDIR:
1134                 av = DIR__RMDIR;
1135                 break;
1136         default:
1137                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1138                 return 0;
1139         }
1140
1141         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1142         return rc;
1143 }
1144
1145 static inline int may_rename(struct inode *old_dir,
1146                              struct dentry *old_dentry,
1147                              struct inode *new_dir,
1148                              struct dentry *new_dentry)
1149 {
1150         struct task_security_struct *tsec;
1151         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1152         struct avc_audit_data ad;
1153         u32 av;
1154         int old_is_dir, new_is_dir;
1155         int rc;
1156
1157         tsec = current->security;
1158         old_dsec = old_dir->i_security;
1159         old_isec = old_dentry->d_inode->i_security;
1160         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1161         new_dsec = new_dir->i_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164
1165         ad.u.fs.dentry = old_dentry;
1166         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1167                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1168         if (rc)
1169                 return rc;
1170         rc = avc_has_perm(tsec->sid, old_isec->sid,
1171                           old_isec->sclass, FILE__RENAME, &ad);
1172         if (rc)
1173                 return rc;
1174         if (old_is_dir && new_dir != old_dir) {
1175                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1176                                   old_isec->sclass, DIR__REPARENT, &ad);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         ad.u.fs.dentry = new_dentry;
1182         av = DIR__ADD_NAME | DIR__SEARCH;
1183         if (new_dentry->d_inode)
1184                 av |= DIR__REMOVE_NAME;
1185         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1186         if (rc)
1187                 return rc;
1188         if (new_dentry->d_inode) {
1189                 new_isec = new_dentry->d_inode->i_security;
1190                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1191                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1192                                   new_isec->sclass,
1193                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         return 0;
1199 }
1200
1201 /* Check whether a task can perform a filesystem operation. */
1202 static int superblock_has_perm(struct task_struct *tsk,
1203                                struct super_block *sb,
1204                                u32 perms,
1205                                struct avc_audit_data *ad)
1206 {
1207         struct task_security_struct *tsec;
1208         struct superblock_security_struct *sbsec;
1209
1210         tsec = tsk->security;
1211         sbsec = sb->s_security;
1212         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1213                             perms, ad);
1214 }
1215
1216 /* Convert a Linux mode and permission mask to an access vector. */
1217 static inline u32 file_mask_to_av(int mode, int mask)
1218 {
1219         u32 av = 0;
1220
1221         if ((mode & S_IFMT) != S_IFDIR) {
1222                 if (mask & MAY_EXEC)
1223                         av |= FILE__EXECUTE;
1224                 if (mask & MAY_READ)
1225                         av |= FILE__READ;
1226
1227                 if (mask & MAY_APPEND)
1228                         av |= FILE__APPEND;
1229                 else if (mask & MAY_WRITE)
1230                         av |= FILE__WRITE;
1231
1232         } else {
1233                 if (mask & MAY_EXEC)
1234                         av |= DIR__SEARCH;
1235                 if (mask & MAY_WRITE)
1236                         av |= DIR__WRITE;
1237                 if (mask & MAY_READ)
1238                         av |= DIR__READ;
1239         }
1240
1241         return av;
1242 }
1243
1244 /* Convert a Linux file to an access vector. */
1245 static inline u32 file_to_av(struct file *file)
1246 {
1247         u32 av = 0;
1248
1249         if (file->f_mode & FMODE_READ)
1250                 av |= FILE__READ;
1251         if (file->f_mode & FMODE_WRITE) {
1252                 if (file->f_flags & O_APPEND)
1253                         av |= FILE__APPEND;
1254                 else
1255                         av |= FILE__WRITE;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Set an inode's SID to a specified value. */
1262 static int inode_security_set_sid(struct inode *inode, u32 sid)
1263 {
1264         struct inode_security_struct *isec = inode->i_security;
1265         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1266
1267         if (!sbsec->initialized) {
1268                 /* Defer initialization to selinux_complete_init. */
1269                 return 0;
1270         }
1271
1272         down(&isec->sem);
1273         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274         isec->sid = sid;
1275         isec->initialized = 1;
1276         up(&isec->sem);
1277         return 0;
1278 }
1279
1280 /* Hook functions begin here. */
1281
1282 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1283 {
1284         struct task_security_struct *psec = parent->security;
1285         struct task_security_struct *csec = child->security;
1286         int rc;
1287
1288         rc = secondary_ops->ptrace(parent,child);
1289         if (rc)
1290                 return rc;
1291
1292         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1293         /* Save the SID of the tracing process for later use in apply_creds. */
1294         if (!rc)
1295                 csec->ptrace_sid = psec->sid;
1296         return rc;
1297 }
1298
1299 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1300                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = task_has_perm(current, target, PROCESS__GETCAP);
1305         if (error)
1306                 return error;
1307
1308         return secondary_ops->capget(target, effective, inheritable, permitted);
1309 }
1310
1311 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1312                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         int error;
1315
1316         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1317         if (error)
1318                 return error;
1319
1320         return task_has_perm(current, target, PROCESS__SETCAP);
1321 }
1322
1323 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1324                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1325 {
1326         secondary_ops->capset_set(target, effective, inheritable, permitted);
1327 }
1328
1329 static int selinux_capable(struct task_struct *tsk, int cap)
1330 {
1331         int rc;
1332
1333         rc = secondary_ops->capable(tsk, cap);
1334         if (rc)
1335                 return rc;
1336
1337         return task_has_capability(tsk,cap);
1338 }
1339
1340 static int selinux_sysctl(ctl_table *table, int op)
1341 {
1342         int error = 0;
1343         u32 av;
1344         struct task_security_struct *tsec;
1345         u32 tsid;
1346         int rc;
1347
1348         rc = secondary_ops->sysctl(table, op);
1349         if (rc)
1350                 return rc;
1351
1352         tsec = current->security;
1353
1354         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1355                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1356         if (rc) {
1357                 /* Default to the well-defined sysctl SID. */
1358                 tsid = SECINITSID_SYSCTL;
1359         }
1360
1361         /* The op values are "defined" in sysctl.c, thereby creating
1362          * a bad coupling between this module and sysctl.c */
1363         if(op == 001) {
1364                 error = avc_has_perm(tsec->sid, tsid,
1365                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1366         } else {
1367                 av = 0;
1368                 if (op & 004)
1369                         av |= FILE__READ;
1370                 if (op & 002)
1371                         av |= FILE__WRITE;
1372                 if (av)
1373                         error = avc_has_perm(tsec->sid, tsid,
1374                                              SECCLASS_FILE, av, NULL);
1375         }
1376
1377         return error;
1378 }
1379
1380 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1381 {
1382         int rc = 0;
1383
1384         if (!sb)
1385                 return 0;
1386
1387         switch (cmds) {
1388                 case Q_SYNC:
1389                 case Q_QUOTAON:
1390                 case Q_QUOTAOFF:
1391                 case Q_SETINFO:
1392                 case Q_SETQUOTA:
1393                         rc = superblock_has_perm(current,
1394                                                  sb,
1395                                                  FILESYSTEM__QUOTAMOD, NULL);
1396                         break;
1397                 case Q_GETFMT:
1398                 case Q_GETINFO:
1399                 case Q_GETQUOTA:
1400                         rc = superblock_has_perm(current,
1401                                                  sb,
1402                                                  FILESYSTEM__QUOTAGET, NULL);
1403                         break;
1404                 default:
1405                         rc = 0;  /* let the kernel handle invalid cmds */
1406                         break;
1407         }
1408         return rc;
1409 }
1410
1411 static int selinux_quota_on(struct dentry *dentry)
1412 {
1413         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1414 }
1415
1416 static int selinux_syslog(int type)
1417 {
1418         int rc;
1419
1420         rc = secondary_ops->syslog(type);
1421         if (rc)
1422                 return rc;
1423
1424         switch (type) {
1425                 case 3:         /* Read last kernel messages */
1426                 case 10:        /* Return size of the log buffer */
1427                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1428                         break;
1429                 case 6:         /* Disable logging to console */
1430                 case 7:         /* Enable logging to console */
1431                 case 8:         /* Set level of messages printed to console */
1432                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1433                         break;
1434                 case 0:         /* Close log */
1435                 case 1:         /* Open log */
1436                 case 2:         /* Read from log */
1437                 case 4:         /* Read/clear last kernel messages */
1438                 case 5:         /* Clear ring buffer */
1439                 default:
1440                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1441                         break;
1442         }
1443         return rc;
1444 }
1445
1446 /*
1447  * Check that a process has enough memory to allocate a new virtual
1448  * mapping. 0 means there is enough memory for the allocation to
1449  * succeed and -ENOMEM implies there is not.
1450  *
1451  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1452  * if the capability is granted, but __vm_enough_memory requires 1 if
1453  * the capability is granted.
1454  *
1455  * Do not audit the selinux permission check, as this is applied to all
1456  * processes that allocate mappings.
1457  */
1458 static int selinux_vm_enough_memory(long pages)
1459 {
1460         int rc, cap_sys_admin = 0;
1461         struct task_security_struct *tsec = current->security;
1462
1463         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1464         if (rc == 0)
1465                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1466                                         SECCLASS_CAPABILITY,
1467                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1468                                         NULL);
1469
1470         if (rc == 0)
1471                 cap_sys_admin = 1;
1472
1473         return __vm_enough_memory(pages, cap_sys_admin);
1474 }
1475
1476 /* binprm security operations */
1477
1478 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1479 {
1480         struct bprm_security_struct *bsec;
1481
1482         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1483         if (!bsec)
1484                 return -ENOMEM;
1485
1486         bsec->magic = SELINUX_MAGIC;
1487         bsec->bprm = bprm;
1488         bsec->sid = SECINITSID_UNLABELED;
1489         bsec->set = 0;
1490
1491         bprm->security = bsec;
1492         return 0;
1493 }
1494
1495 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1496 {
1497         struct task_security_struct *tsec;
1498         struct inode *inode = bprm->file->f_dentry->d_inode;
1499         struct inode_security_struct *isec;
1500         struct bprm_security_struct *bsec;
1501         u32 newsid;
1502         struct avc_audit_data ad;
1503         int rc;
1504
1505         rc = secondary_ops->bprm_set_security(bprm);
1506         if (rc)
1507                 return rc;
1508
1509         bsec = bprm->security;
1510
1511         if (bsec->set)
1512                 return 0;
1513
1514         tsec = current->security;
1515         isec = inode->i_security;
1516
1517         /* Default to the current task SID. */
1518         bsec->sid = tsec->sid;
1519
1520         /* Reset create SID on execve. */
1521         tsec->create_sid = 0;
1522
1523         if (tsec->exec_sid) {
1524                 newsid = tsec->exec_sid;
1525                 /* Reset exec SID on execve. */
1526                 tsec->exec_sid = 0;
1527         } else {
1528                 /* Check for a default transition on this program. */
1529                 rc = security_transition_sid(tsec->sid, isec->sid,
1530                                              SECCLASS_PROCESS, &newsid);
1531                 if (rc)
1532                         return rc;
1533         }
1534
1535         AVC_AUDIT_DATA_INIT(&ad, FS);
1536         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1537         ad.u.fs.dentry = bprm->file->f_dentry;
1538
1539         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1540                 newsid = tsec->sid;
1541
1542         if (tsec->sid == newsid) {
1543                 rc = avc_has_perm(tsec->sid, isec->sid,
1544                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1545                 if (rc)
1546                         return rc;
1547         } else {
1548                 /* Check permissions for the transition. */
1549                 rc = avc_has_perm(tsec->sid, newsid,
1550                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1551                 if (rc)
1552                         return rc;
1553
1554                 rc = avc_has_perm(newsid, isec->sid,
1555                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1556                 if (rc)
1557                         return rc;
1558
1559                 /* Clear any possibly unsafe personality bits on exec: */
1560                 current->personality &= ~PER_CLEAR_ON_SETID;
1561
1562                 /* Set the security field to the new SID. */
1563                 bsec->sid = newsid;
1564         }
1565
1566         bsec->set = 1;
1567         return 0;
1568 }
1569
1570 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1571 {
1572         return secondary_ops->bprm_check_security(bprm);
1573 }
1574
1575
1576 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1577 {
1578         struct task_security_struct *tsec = current->security;
1579         int atsecure = 0;
1580
1581         if (tsec->osid != tsec->sid) {
1582                 /* Enable secure mode for SIDs transitions unless
1583                    the noatsecure permission is granted between
1584                    the two SIDs, i.e. ahp returns 0. */
1585                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1586                                          SECCLASS_PROCESS,
1587                                          PROCESS__NOATSECURE, NULL);
1588         }
1589
1590         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1591 }
1592
1593 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1594 {
1595         kfree(bprm->security);
1596         bprm->security = NULL;
1597 }
1598
1599 extern struct vfsmount *selinuxfs_mount;
1600 extern struct dentry *selinux_null;
1601
1602 /* Derived from fs/exec.c:flush_old_files. */
1603 static inline void flush_unauthorized_files(struct files_struct * files)
1604 {
1605         struct avc_audit_data ad;
1606         struct file *file, *devnull = NULL;
1607         struct tty_struct *tty = current->signal->tty;
1608         struct fdtable *fdt;
1609         long j = -1;
1610
1611         if (tty) {
1612                 file_list_lock();
1613                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1614                 if (file) {
1615                         /* Revalidate access to controlling tty.
1616                            Use inode_has_perm on the tty inode directly rather
1617                            than using file_has_perm, as this particular open
1618                            file may belong to another process and we are only
1619                            interested in the inode-based check here. */
1620                         struct inode *inode = file->f_dentry->d_inode;
1621                         if (inode_has_perm(current, inode,
1622                                            FILE__READ | FILE__WRITE, NULL)) {
1623                                 /* Reset controlling tty. */
1624                                 current->signal->tty = NULL;
1625                                 current->signal->tty_old_pgrp = 0;
1626                         }
1627                 }
1628                 file_list_unlock();
1629         }
1630
1631         /* Revalidate access to inherited open files. */
1632
1633         AVC_AUDIT_DATA_INIT(&ad,FS);
1634
1635         spin_lock(&files->file_lock);
1636         for (;;) {
1637                 unsigned long set, i;
1638                 int fd;
1639
1640                 j++;
1641                 i = j * __NFDBITS;
1642                 fdt = files_fdtable(files);
1643                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1644                         break;
1645                 set = fdt->open_fds->fds_bits[j];
1646                 if (!set)
1647                         continue;
1648                 spin_unlock(&files->file_lock);
1649                 for ( ; set ; i++,set >>= 1) {
1650                         if (set & 1) {
1651                                 file = fget(i);
1652                                 if (!file)
1653                                         continue;
1654                                 if (file_has_perm(current,
1655                                                   file,
1656                                                   file_to_av(file))) {
1657                                         sys_close(i);
1658                                         fd = get_unused_fd();
1659                                         if (fd != i) {
1660                                                 if (fd >= 0)
1661                                                         put_unused_fd(fd);
1662                                                 fput(file);
1663                                                 continue;
1664                                         }
1665                                         if (devnull) {
1666                                                 get_file(devnull);
1667                                         } else {
1668                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1669                                                 if (!devnull) {
1670                                                         put_unused_fd(fd);
1671                                                         fput(file);
1672                                                         continue;
1673                                                 }
1674                                         }
1675                                         fd_install(fd, devnull);
1676                                 }
1677                                 fput(file);
1678                         }
1679                 }
1680                 spin_lock(&files->file_lock);
1681
1682         }
1683         spin_unlock(&files->file_lock);
1684 }
1685
1686 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1687 {
1688         struct task_security_struct *tsec;
1689         struct bprm_security_struct *bsec;
1690         u32 sid;
1691         int rc;
1692
1693         secondary_ops->bprm_apply_creds(bprm, unsafe);
1694
1695         tsec = current->security;
1696
1697         bsec = bprm->security;
1698         sid = bsec->sid;
1699
1700         tsec->osid = tsec->sid;
1701         bsec->unsafe = 0;
1702         if (tsec->sid != sid) {
1703                 /* Check for shared state.  If not ok, leave SID
1704                    unchanged and kill. */
1705                 if (unsafe & LSM_UNSAFE_SHARE) {
1706                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1707                                         PROCESS__SHARE, NULL);
1708                         if (rc) {
1709                                 bsec->unsafe = 1;
1710                                 return;
1711                         }
1712                 }
1713
1714                 /* Check for ptracing, and update the task SID if ok.
1715                    Otherwise, leave SID unchanged and kill. */
1716                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1717                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1718                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1719                                           NULL);
1720                         if (rc) {
1721                                 bsec->unsafe = 1;
1722                                 return;
1723                         }
1724                 }
1725                 tsec->sid = sid;
1726         }
1727 }
1728
1729 /*
1730  * called after apply_creds without the task lock held
1731  */
1732 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1733 {
1734         struct task_security_struct *tsec;
1735         struct rlimit *rlim, *initrlim;
1736         struct itimerval itimer;
1737         struct bprm_security_struct *bsec;
1738         int rc, i;
1739
1740         tsec = current->security;
1741         bsec = bprm->security;
1742
1743         if (bsec->unsafe) {
1744                 force_sig_specific(SIGKILL, current);
1745                 return;
1746         }
1747         if (tsec->osid == tsec->sid)
1748                 return;
1749
1750         /* Close files for which the new task SID is not authorized. */
1751         flush_unauthorized_files(current->files);
1752
1753         /* Check whether the new SID can inherit signal state
1754            from the old SID.  If not, clear itimers to avoid
1755            subsequent signal generation and flush and unblock
1756            signals. This must occur _after_ the task SID has
1757           been updated so that any kill done after the flush
1758           will be checked against the new SID. */
1759         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1760                           PROCESS__SIGINH, NULL);
1761         if (rc) {
1762                 memset(&itimer, 0, sizeof itimer);
1763                 for (i = 0; i < 3; i++)
1764                         do_setitimer(i, &itimer, NULL);
1765                 flush_signals(current);
1766                 spin_lock_irq(&current->sighand->siglock);
1767                 flush_signal_handlers(current, 1);
1768                 sigemptyset(&current->blocked);
1769                 recalc_sigpending();
1770                 spin_unlock_irq(&current->sighand->siglock);
1771         }
1772
1773         /* Check whether the new SID can inherit resource limits
1774            from the old SID.  If not, reset all soft limits to
1775            the lower of the current task's hard limit and the init
1776            task's soft limit.  Note that the setting of hard limits
1777            (even to lower them) can be controlled by the setrlimit
1778            check. The inclusion of the init task's soft limit into
1779            the computation is to avoid resetting soft limits higher
1780            than the default soft limit for cases where the default
1781            is lower than the hard limit, e.g. RLIMIT_CORE or
1782            RLIMIT_STACK.*/
1783         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1784                           PROCESS__RLIMITINH, NULL);
1785         if (rc) {
1786                 for (i = 0; i < RLIM_NLIMITS; i++) {
1787                         rlim = current->signal->rlim + i;
1788                         initrlim = init_task.signal->rlim+i;
1789                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1790                 }
1791                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1792                         /*
1793                          * This will cause RLIMIT_CPU calculations
1794                          * to be refigured.
1795                          */
1796                         current->it_prof_expires = jiffies_to_cputime(1);
1797                 }
1798         }
1799
1800         /* Wake up the parent if it is waiting so that it can
1801            recheck wait permission to the new task SID. */
1802         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1803 }
1804
1805 /* superblock security operations */
1806
1807 static int selinux_sb_alloc_security(struct super_block *sb)
1808 {
1809         return superblock_alloc_security(sb);
1810 }
1811
1812 static void selinux_sb_free_security(struct super_block *sb)
1813 {
1814         superblock_free_security(sb);
1815 }
1816
1817 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1818 {
1819         if (plen > olen)
1820                 return 0;
1821
1822         return !memcmp(prefix, option, plen);
1823 }
1824
1825 static inline int selinux_option(char *option, int len)
1826 {
1827         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1828                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1829                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1830 }
1831
1832 static inline void take_option(char **to, char *from, int *first, int len)
1833 {
1834         if (!*first) {
1835                 **to = ',';
1836                 *to += 1;
1837         }
1838         else
1839                 *first = 0;
1840         memcpy(*to, from, len);
1841         *to += len;
1842 }
1843
1844 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1845 {
1846         int fnosec, fsec, rc = 0;
1847         char *in_save, *in_curr, *in_end;
1848         char *sec_curr, *nosec_save, *nosec;
1849
1850         in_curr = orig;
1851         sec_curr = copy;
1852
1853         /* Binary mount data: just copy */
1854         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1855                 copy_page(sec_curr, in_curr);
1856                 goto out;
1857         }
1858
1859         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1860         if (!nosec) {
1861                 rc = -ENOMEM;
1862                 goto out;
1863         }
1864
1865         nosec_save = nosec;
1866         fnosec = fsec = 1;
1867         in_save = in_end = orig;
1868
1869         do {
1870                 if (*in_end == ',' || *in_end == '\0') {
1871                         int len = in_end - in_curr;
1872
1873                         if (selinux_option(in_curr, len))
1874                                 take_option(&sec_curr, in_curr, &fsec, len);
1875                         else
1876                                 take_option(&nosec, in_curr, &fnosec, len);
1877
1878                         in_curr = in_end + 1;
1879                 }
1880         } while (*in_end++);
1881
1882         strcpy(in_save, nosec_save);
1883         free_page((unsigned long)nosec_save);
1884 out:
1885         return rc;
1886 }
1887
1888 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1889 {
1890         struct avc_audit_data ad;
1891         int rc;
1892
1893         rc = superblock_doinit(sb, data);
1894         if (rc)
1895                 return rc;
1896
1897         AVC_AUDIT_DATA_INIT(&ad,FS);
1898         ad.u.fs.dentry = sb->s_root;
1899         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1900 }
1901
1902 static int selinux_sb_statfs(struct super_block *sb)
1903 {
1904         struct avc_audit_data ad;
1905
1906         AVC_AUDIT_DATA_INIT(&ad,FS);
1907         ad.u.fs.dentry = sb->s_root;
1908         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1909 }
1910
1911 static int selinux_mount(char * dev_name,
1912                          struct nameidata *nd,
1913                          char * type,
1914                          unsigned long flags,
1915                          void * data)
1916 {
1917         int rc;
1918
1919         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1920         if (rc)
1921                 return rc;
1922
1923         if (flags & MS_REMOUNT)
1924                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1925                                            FILESYSTEM__REMOUNT, NULL);
1926         else
1927                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1928                                        FILE__MOUNTON);
1929 }
1930
1931 static int selinux_umount(struct vfsmount *mnt, int flags)
1932 {
1933         int rc;
1934
1935         rc = secondary_ops->sb_umount(mnt, flags);
1936         if (rc)
1937                 return rc;
1938
1939         return superblock_has_perm(current,mnt->mnt_sb,
1940                                    FILESYSTEM__UNMOUNT,NULL);
1941 }
1942
1943 /* inode security operations */
1944
1945 static int selinux_inode_alloc_security(struct inode *inode)
1946 {
1947         return inode_alloc_security(inode);
1948 }
1949
1950 static void selinux_inode_free_security(struct inode *inode)
1951 {
1952         inode_free_security(inode);
1953 }
1954
1955 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1956                                        char **name, void **value,
1957                                        size_t *len)
1958 {
1959         struct task_security_struct *tsec;
1960         struct inode_security_struct *dsec;
1961         struct superblock_security_struct *sbsec;
1962         struct inode_security_struct *isec;
1963         u32 newsid, clen;
1964         int rc;
1965         char *namep = NULL, *context;
1966
1967         tsec = current->security;
1968         dsec = dir->i_security;
1969         sbsec = dir->i_sb->s_security;
1970         isec = inode->i_security;
1971
1972         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1973                 newsid = tsec->create_sid;
1974         } else {
1975                 rc = security_transition_sid(tsec->sid, dsec->sid,
1976                                              inode_mode_to_security_class(inode->i_mode),
1977                                              &newsid);
1978                 if (rc) {
1979                         printk(KERN_WARNING "%s:  "
1980                                "security_transition_sid failed, rc=%d (dev=%s "
1981                                "ino=%ld)\n",
1982                                __FUNCTION__,
1983                                -rc, inode->i_sb->s_id, inode->i_ino);
1984                         return rc;
1985                 }
1986         }
1987
1988         inode_security_set_sid(inode, newsid);
1989
1990         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1991                 return -EOPNOTSUPP;
1992
1993         if (name) {
1994                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1995                 if (!namep)
1996                         return -ENOMEM;
1997                 *name = namep;
1998         }
1999
2000         if (value && len) {
2001                 rc = security_sid_to_context(newsid, &context, &clen);
2002                 if (rc) {
2003                         kfree(namep);
2004                         return rc;
2005                 }
2006                 *value = context;
2007                 *len = clen;
2008         }
2009
2010         return 0;
2011 }
2012
2013 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2014 {
2015         return may_create(dir, dentry, SECCLASS_FILE);
2016 }
2017
2018 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2023         if (rc)
2024                 return rc;
2025         return may_link(dir, old_dentry, MAY_LINK);
2026 }
2027
2028 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2029 {
2030         int rc;
2031
2032         rc = secondary_ops->inode_unlink(dir, dentry);
2033         if (rc)
2034                 return rc;
2035         return may_link(dir, dentry, MAY_UNLINK);
2036 }
2037
2038 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2039 {
2040         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2041 }
2042
2043 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2044 {
2045         return may_create(dir, dentry, SECCLASS_DIR);
2046 }
2047
2048 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2049 {
2050         return may_link(dir, dentry, MAY_RMDIR);
2051 }
2052
2053 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2054 {
2055         int rc;
2056
2057         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2058         if (rc)
2059                 return rc;
2060
2061         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2062 }
2063
2064 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2065                                 struct inode *new_inode, struct dentry *new_dentry)
2066 {
2067         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2068 }
2069
2070 static int selinux_inode_readlink(struct dentry *dentry)
2071 {
2072         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2073 }
2074
2075 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2076 {
2077         int rc;
2078
2079         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2080         if (rc)
2081                 return rc;
2082         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2083 }
2084
2085 static int selinux_inode_permission(struct inode *inode, int mask,
2086                                     struct nameidata *nd)
2087 {
2088         int rc;
2089
2090         rc = secondary_ops->inode_permission(inode, mask, nd);
2091         if (rc)
2092                 return rc;
2093
2094         if (!mask) {
2095                 /* No permission to check.  Existence test. */
2096                 return 0;
2097         }
2098
2099         return inode_has_perm(current, inode,
2100                                file_mask_to_av(inode->i_mode, mask), NULL);
2101 }
2102
2103 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2104 {
2105         int rc;
2106
2107         rc = secondary_ops->inode_setattr(dentry, iattr);
2108         if (rc)
2109                 return rc;
2110
2111         if (iattr->ia_valid & ATTR_FORCE)
2112                 return 0;
2113
2114         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2115                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2116                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2117
2118         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2119 }
2120
2121 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2122 {
2123         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2124 }
2125
2126 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2127 {
2128         struct task_security_struct *tsec = current->security;
2129         struct inode *inode = dentry->d_inode;
2130         struct inode_security_struct *isec = inode->i_security;
2131         struct superblock_security_struct *sbsec;
2132         struct avc_audit_data ad;
2133         u32 newsid;
2134         int rc = 0;
2135
2136         if (strcmp(name, XATTR_NAME_SELINUX)) {
2137                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2138                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2139                     !capable(CAP_SYS_ADMIN)) {
2140                         /* A different attribute in the security namespace.
2141                            Restrict to administrator. */
2142                         return -EPERM;
2143                 }
2144
2145                 /* Not an attribute we recognize, so just check the
2146                    ordinary setattr permission. */
2147                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2148         }
2149
2150         sbsec = inode->i_sb->s_security;
2151         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2152                 return -EOPNOTSUPP;
2153
2154         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2155                 return -EPERM;
2156
2157         AVC_AUDIT_DATA_INIT(&ad,FS);
2158         ad.u.fs.dentry = dentry;
2159
2160         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2161                           FILE__RELABELFROM, &ad);
2162         if (rc)
2163                 return rc;
2164
2165         rc = security_context_to_sid(value, size, &newsid);
2166         if (rc)
2167                 return rc;
2168
2169         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2170                           FILE__RELABELTO, &ad);
2171         if (rc)
2172                 return rc;
2173
2174         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2175                                           isec->sclass);
2176         if (rc)
2177                 return rc;
2178
2179         return avc_has_perm(newsid,
2180                             sbsec->sid,
2181                             SECCLASS_FILESYSTEM,
2182                             FILESYSTEM__ASSOCIATE,
2183                             &ad);
2184 }
2185
2186 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2187                                         void *value, size_t size, int flags)
2188 {
2189         struct inode *inode = dentry->d_inode;
2190         struct inode_security_struct *isec = inode->i_security;
2191         u32 newsid;
2192         int rc;
2193
2194         if (strcmp(name, XATTR_NAME_SELINUX)) {
2195                 /* Not an attribute we recognize, so nothing to do. */
2196                 return;
2197         }
2198
2199         rc = security_context_to_sid(value, size, &newsid);
2200         if (rc) {
2201                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2202                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2203                 return;
2204         }
2205
2206         isec->sid = newsid;
2207         return;
2208 }
2209
2210 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2211 {
2212         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2213 }
2214
2215 static int selinux_inode_listxattr (struct dentry *dentry)
2216 {
2217         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2218 }
2219
2220 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2221 {
2222         if (strcmp(name, XATTR_NAME_SELINUX)) {
2223                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2224                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2225                     !capable(CAP_SYS_ADMIN)) {
2226                         /* A different attribute in the security namespace.
2227                            Restrict to administrator. */
2228                         return -EPERM;
2229                 }
2230
2231                 /* Not an attribute we recognize, so just check the
2232                    ordinary setattr permission. Might want a separate
2233                    permission for removexattr. */
2234                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2235         }
2236
2237         /* No one is allowed to remove a SELinux security label.
2238            You can change the label, but all data must be labeled. */
2239         return -EACCES;
2240 }
2241
2242 /*
2243  * Copy the in-core inode security context value to the user.  If the
2244  * getxattr() prior to this succeeded, check to see if we need to
2245  * canonicalize the value to be finally returned to the user.
2246  *
2247  * Permission check is handled by selinux_inode_getxattr hook.
2248  */
2249 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2250 {
2251         struct inode_security_struct *isec = inode->i_security;
2252         char *context;
2253         unsigned len;
2254         int rc;
2255
2256         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2257                 rc = -EOPNOTSUPP;
2258                 goto out;
2259         }
2260
2261         rc = security_sid_to_context(isec->sid, &context, &len);
2262         if (rc)
2263                 goto out;
2264
2265         /* Probe for required buffer size */
2266         if (!buffer || !size) {
2267                 rc = len;
2268                 goto out_free;
2269         }
2270
2271         if (size < len) {
2272                 rc = -ERANGE;
2273                 goto out_free;
2274         }
2275
2276         if (err > 0) {
2277                 if ((len == err) && !(memcmp(context, buffer, len))) {
2278                         /* Don't need to canonicalize value */
2279                         rc = err;
2280                         goto out_free;
2281                 }
2282                 memset(buffer, 0, size);
2283         }
2284         memcpy(buffer, context, len);
2285         rc = len;
2286 out_free:
2287         kfree(context);
2288 out:
2289         return rc;
2290 }
2291
2292 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2293                                      const void *value, size_t size, int flags)
2294 {
2295         struct inode_security_struct *isec = inode->i_security;
2296         u32 newsid;
2297         int rc;
2298
2299         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2300                 return -EOPNOTSUPP;
2301
2302         if (!value || !size)
2303                 return -EACCES;
2304
2305         rc = security_context_to_sid((void*)value, size, &newsid);
2306         if (rc)
2307                 return rc;
2308
2309         isec->sid = newsid;
2310         return 0;
2311 }
2312
2313 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2314 {
2315         const int len = sizeof(XATTR_NAME_SELINUX);
2316         if (buffer && len <= buffer_size)
2317                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2318         return len;
2319 }
2320
2321 /* file security operations */
2322
2323 static int selinux_file_permission(struct file *file, int mask)
2324 {
2325         struct inode *inode = file->f_dentry->d_inode;
2326
2327         if (!mask) {
2328                 /* No permission to check.  Existence test. */
2329                 return 0;
2330         }
2331
2332         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2333         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2334                 mask |= MAY_APPEND;
2335
2336         return file_has_perm(current, file,
2337                              file_mask_to_av(inode->i_mode, mask));
2338 }
2339
2340 static int selinux_file_alloc_security(struct file *file)
2341 {
2342         return file_alloc_security(file);
2343 }
2344
2345 static void selinux_file_free_security(struct file *file)
2346 {
2347         file_free_security(file);
2348 }
2349
2350 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2351                               unsigned long arg)
2352 {
2353         int error = 0;
2354
2355         switch (cmd) {
2356                 case FIONREAD:
2357                 /* fall through */
2358                 case FIBMAP:
2359                 /* fall through */
2360                 case FIGETBSZ:
2361                 /* fall through */
2362                 case EXT2_IOC_GETFLAGS:
2363                 /* fall through */
2364                 case EXT2_IOC_GETVERSION:
2365                         error = file_has_perm(current, file, FILE__GETATTR);
2366                         break;
2367
2368                 case EXT2_IOC_SETFLAGS:
2369                 /* fall through */
2370                 case EXT2_IOC_SETVERSION:
2371                         error = file_has_perm(current, file, FILE__SETATTR);
2372                         break;
2373
2374                 /* sys_ioctl() checks */
2375                 case FIONBIO:
2376                 /* fall through */
2377                 case FIOASYNC:
2378                         error = file_has_perm(current, file, 0);
2379                         break;
2380
2381                 case KDSKBENT:
2382                 case KDSKBSENT:
2383                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2384                         break;
2385
2386                 /* default case assumes that the command will go
2387                  * to the file's ioctl() function.
2388                  */
2389                 default:
2390                         error = file_has_perm(current, file, FILE__IOCTL);
2391
2392         }
2393         return error;
2394 }
2395
2396 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2397 {
2398 #ifndef CONFIG_PPC32
2399         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2400                 /*
2401                  * We are making executable an anonymous mapping or a
2402                  * private file mapping that will also be writable.
2403                  * This has an additional check.
2404                  */
2405                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2406                 if (rc)
2407                         return rc;
2408         }
2409 #endif
2410
2411         if (file) {
2412                 /* read access is always possible with a mapping */
2413                 u32 av = FILE__READ;
2414
2415                 /* write access only matters if the mapping is shared */
2416                 if (shared && (prot & PROT_WRITE))
2417                         av |= FILE__WRITE;
2418
2419                 if (prot & PROT_EXEC)
2420                         av |= FILE__EXECUTE;
2421
2422                 return file_has_perm(current, file, av);
2423         }
2424         return 0;
2425 }
2426
2427 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2428                              unsigned long prot, unsigned long flags)
2429 {
2430         int rc;
2431
2432         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2433         if (rc)
2434                 return rc;
2435
2436         if (selinux_checkreqprot)
2437                 prot = reqprot;
2438
2439         return file_map_prot_check(file, prot,
2440                                    (flags & MAP_TYPE) == MAP_SHARED);
2441 }
2442
2443 static int selinux_file_mprotect(struct vm_area_struct *vma,
2444                                  unsigned long reqprot,
2445                                  unsigned long prot)
2446 {
2447         int rc;
2448
2449         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2450         if (rc)
2451                 return rc;
2452
2453         if (selinux_checkreqprot)
2454                 prot = reqprot;
2455
2456 #ifndef CONFIG_PPC32
2457         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2458            (vma->vm_start >= vma->vm_mm->start_brk &&
2459             vma->vm_end <= vma->vm_mm->brk)) {
2460                 /*
2461                  * We are making an executable mapping in the brk region.
2462                  * This has an additional execheap check.
2463                  */
2464                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2465                 if (rc)
2466                         return rc;
2467         }
2468         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2469                 /*
2470                  * We are making executable a file mapping that has
2471                  * had some COW done. Since pages might have been written,
2472                  * check ability to execute the possibly modified content.
2473                  * This typically should only occur for text relocations.
2474                  */
2475                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2476                 if (rc)
2477                         return rc;
2478         }
2479         if (!vma->vm_file && (prot & PROT_EXEC) &&
2480                 vma->vm_start <= vma->vm_mm->start_stack &&
2481                 vma->vm_end >= vma->vm_mm->start_stack) {
2482                 /* Attempt to make the process stack executable.
2483                  * This has an additional execstack check.
2484                  */
2485                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2486                 if (rc)
2487                         return rc;
2488         }
2489 #endif
2490
2491         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2492 }
2493
2494 static int selinux_file_lock(struct file *file, unsigned int cmd)
2495 {
2496         return file_has_perm(current, file, FILE__LOCK);
2497 }
2498
2499 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2500                               unsigned long arg)
2501 {
2502         int err = 0;
2503
2504         switch (cmd) {
2505                 case F_SETFL:
2506                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2507                                 err = -EINVAL;
2508                                 break;
2509                         }
2510
2511                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2512                                 err = file_has_perm(current, file,FILE__WRITE);
2513                                 break;
2514                         }
2515                         /* fall through */
2516                 case F_SETOWN:
2517                 case F_SETSIG:
2518                 case F_GETFL:
2519                 case F_GETOWN:
2520                 case F_GETSIG:
2521                         /* Just check FD__USE permission */
2522                         err = file_has_perm(current, file, 0);
2523                         break;
2524                 case F_GETLK:
2525                 case F_SETLK:
2526                 case F_SETLKW:
2527 #if BITS_PER_LONG == 32
2528                 case F_GETLK64:
2529                 case F_SETLK64:
2530                 case F_SETLKW64:
2531 #endif
2532                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2533                                 err = -EINVAL;
2534                                 break;
2535                         }
2536                         err = file_has_perm(current, file, FILE__LOCK);
2537                         break;
2538         }
2539
2540         return err;
2541 }
2542
2543 static int selinux_file_set_fowner(struct file *file)
2544 {
2545         struct task_security_struct *tsec;
2546         struct file_security_struct *fsec;
2547
2548         tsec = current->security;
2549         fsec = file->f_security;
2550         fsec->fown_sid = tsec->sid;
2551
2552         return 0;
2553 }
2554
2555 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2556                                        struct fown_struct *fown, int signum)
2557 {
2558         struct file *file;
2559         u32 perm;
2560         struct task_security_struct *tsec;
2561         struct file_security_struct *fsec;
2562
2563         /* struct fown_struct is never outside the context of a struct file */
2564         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2565
2566         tsec = tsk->security;
2567         fsec = file->f_security;
2568
2569         if (!signum)
2570                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2571         else
2572                 perm = signal_to_av(signum);
2573
2574         return avc_has_perm(fsec->fown_sid, tsec->sid,
2575                             SECCLASS_PROCESS, perm, NULL);
2576 }
2577
2578 static int selinux_file_receive(struct file *file)
2579 {
2580         return file_has_perm(current, file, file_to_av(file));
2581 }
2582
2583 /* task security operations */
2584
2585 static int selinux_task_create(unsigned long clone_flags)
2586 {
2587         int rc;
2588
2589         rc = secondary_ops->task_create(clone_flags);
2590         if (rc)
2591                 return rc;
2592
2593         return task_has_perm(current, current, PROCESS__FORK);
2594 }
2595
2596 static int selinux_task_alloc_security(struct task_struct *tsk)
2597 {
2598         struct task_security_struct *tsec1, *tsec2;
2599         int rc;
2600
2601         tsec1 = current->security;
2602
2603         rc = task_alloc_security(tsk);
2604         if (rc)
2605                 return rc;
2606         tsec2 = tsk->security;
2607
2608         tsec2->osid = tsec1->osid;
2609         tsec2->sid = tsec1->sid;
2610
2611         /* Retain the exec and create SIDs across fork */
2612         tsec2->exec_sid = tsec1->exec_sid;
2613         tsec2->create_sid = tsec1->create_sid;
2614
2615         /* Retain ptracer SID across fork, if any.
2616            This will be reset by the ptrace hook upon any
2617            subsequent ptrace_attach operations. */
2618         tsec2->ptrace_sid = tsec1->ptrace_sid;
2619
2620         return 0;
2621 }
2622
2623 static void selinux_task_free_security(struct task_struct *tsk)
2624 {
2625         task_free_security(tsk);
2626 }
2627
2628 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2629 {
2630         /* Since setuid only affects the current process, and
2631            since the SELinux controls are not based on the Linux
2632            identity attributes, SELinux does not need to control
2633            this operation.  However, SELinux does control the use
2634            of the CAP_SETUID and CAP_SETGID capabilities using the
2635            capable hook. */
2636         return 0;
2637 }
2638
2639 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2640 {
2641         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2642 }
2643
2644 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2645 {
2646         /* See the comment for setuid above. */
2647         return 0;
2648 }
2649
2650 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2651 {
2652         return task_has_perm(current, p, PROCESS__SETPGID);
2653 }
2654
2655 static int selinux_task_getpgid(struct task_struct *p)
2656 {
2657         return task_has_perm(current, p, PROCESS__GETPGID);
2658 }
2659
2660 static int selinux_task_getsid(struct task_struct *p)
2661 {
2662         return task_has_perm(current, p, PROCESS__GETSESSION);
2663 }
2664
2665 static int selinux_task_setgroups(struct group_info *group_info)
2666 {
2667         /* See the comment for setuid above. */
2668         return 0;
2669 }
2670
2671 static int selinux_task_setnice(struct task_struct *p, int nice)
2672 {
2673         int rc;
2674
2675         rc = secondary_ops->task_setnice(p, nice);
2676         if (rc)
2677                 return rc;
2678
2679         return task_has_perm(current,p, PROCESS__SETSCHED);
2680 }
2681
2682 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2683 {
2684         struct rlimit *old_rlim = current->signal->rlim + resource;
2685         int rc;
2686
2687         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2688         if (rc)
2689                 return rc;
2690
2691         /* Control the ability to change the hard limit (whether
2692            lowering or raising it), so that the hard limit can
2693            later be used as a safe reset point for the soft limit
2694            upon context transitions. See selinux_bprm_apply_creds. */
2695         if (old_rlim->rlim_max != new_rlim->rlim_max)
2696                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2697
2698         return 0;
2699 }
2700
2701 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2702 {
2703         return task_has_perm(current, p, PROCESS__SETSCHED);
2704 }
2705
2706 static int selinux_task_getscheduler(struct task_struct *p)
2707 {
2708         return task_has_perm(current, p, PROCESS__GETSCHED);
2709 }
2710
2711 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2712 {
2713         u32 perm;
2714         int rc;
2715
2716         rc = secondary_ops->task_kill(p, info, sig);
2717         if (rc)
2718                 return rc;
2719
2720         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2721                 return 0;
2722
2723         if (!sig)
2724                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2725         else
2726                 perm = signal_to_av(sig);
2727
2728         return task_has_perm(current, p, perm);
2729 }
2730
2731 static int selinux_task_prctl(int option,
2732                               unsigned long arg2,
2733                               unsigned long arg3,
2734                               unsigned long arg4,
2735                               unsigned long arg5)
2736 {
2737         /* The current prctl operations do not appear to require
2738            any SELinux controls since they merely observe or modify
2739            the state of the current process. */
2740         return 0;
2741 }
2742
2743 static int selinux_task_wait(struct task_struct *p)
2744 {
2745         u32 perm;
2746
2747         perm = signal_to_av(p->exit_signal);
2748
2749         return task_has_perm(p, current, perm);
2750 }
2751
2752 static void selinux_task_reparent_to_init(struct task_struct *p)
2753 {
2754         struct task_security_struct *tsec;
2755
2756         secondary_ops->task_reparent_to_init(p);
2757
2758         tsec = p->security;
2759         tsec->osid = tsec->sid;
2760         tsec->sid = SECINITSID_KERNEL;
2761         return;
2762 }
2763
2764 static void selinux_task_to_inode(struct task_struct *p,
2765                                   struct inode *inode)
2766 {
2767         struct task_security_struct *tsec = p->security;
2768         struct inode_security_struct *isec = inode->i_security;
2769
2770         isec->sid = tsec->sid;
2771         isec->initialized = 1;
2772         return;
2773 }
2774
2775 #ifdef CONFIG_SECURITY_NETWORK
2776
2777 /* Returns error only if unable to parse addresses */
2778 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2779 {
2780         int offset, ihlen, ret = -EINVAL;
2781         struct iphdr _iph, *ih;
2782
2783         offset = skb->nh.raw - skb->data;
2784         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2785         if (ih == NULL)
2786                 goto out;
2787
2788         ihlen = ih->ihl * 4;
2789         if (ihlen < sizeof(_iph))
2790                 goto out;
2791
2792         ad->u.net.v4info.saddr = ih->saddr;
2793         ad->u.net.v4info.daddr = ih->daddr;
2794         ret = 0;
2795
2796         switch (ih->protocol) {
2797         case IPPROTO_TCP: {
2798                 struct tcphdr _tcph, *th;
2799
2800                 if (ntohs(ih->frag_off) & IP_OFFSET)
2801                         break;
2802
2803                 offset += ihlen;
2804                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2805                 if (th == NULL)
2806                         break;
2807
2808                 ad->u.net.sport = th->source;
2809                 ad->u.net.dport = th->dest;
2810                 break;
2811         }
2812         
2813         case IPPROTO_UDP: {
2814                 struct udphdr _udph, *uh;
2815                 
2816                 if (ntohs(ih->frag_off) & IP_OFFSET)
2817                         break;
2818                         
2819                 offset += ihlen;
2820                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2821                 if (uh == NULL)
2822                         break;  
2823
2824                 ad->u.net.sport = uh->source;
2825                 ad->u.net.dport = uh->dest;
2826                 break;
2827         }
2828
2829         default:
2830                 break;
2831         }
2832 out:
2833         return ret;
2834 }
2835
2836 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2837
2838 /* Returns error only if unable to parse addresses */
2839 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2840 {
2841         u8 nexthdr;
2842         int ret = -EINVAL, offset;
2843         struct ipv6hdr _ipv6h, *ip6;
2844
2845         offset = skb->nh.raw - skb->data;
2846         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2847         if (ip6 == NULL)
2848                 goto out;
2849
2850         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2851         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2852         ret = 0;
2853
2854         nexthdr = ip6->nexthdr;
2855         offset += sizeof(_ipv6h);
2856         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2857         if (offset < 0)
2858                 goto out;
2859
2860         switch (nexthdr) {
2861         case IPPROTO_TCP: {
2862                 struct tcphdr _tcph, *th;
2863
2864                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2865                 if (th == NULL)
2866                         break;
2867
2868                 ad->u.net.sport = th->source;
2869                 ad->u.net.dport = th->dest;
2870                 break;
2871         }
2872
2873         case IPPROTO_UDP: {
2874                 struct udphdr _udph, *uh;
2875
2876                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2877                 if (uh == NULL)
2878                         break;
2879
2880                 ad->u.net.sport = uh->source;
2881                 ad->u.net.dport = uh->dest;
2882                 break;
2883         }
2884
2885         /* includes fragments */
2886         default:
2887                 break;
2888         }
2889 out:
2890         return ret;
2891 }
2892
2893 #endif /* IPV6 */
2894
2895 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2896                              char **addrp, int *len, int src)
2897 {
2898         int ret = 0;
2899
2900         switch (ad->u.net.family) {
2901         case PF_INET:
2902                 ret = selinux_parse_skb_ipv4(skb, ad);
2903                 if (ret || !addrp)
2904                         break;
2905                 *len = 4;
2906                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2907                                         &ad->u.net.v4info.daddr);
2908                 break;
2909
2910 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2911         case PF_INET6:
2912                 ret = selinux_parse_skb_ipv6(skb, ad);
2913                 if (ret || !addrp)
2914                         break;
2915                 *len = 16;
2916                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2917                                         &ad->u.net.v6info.daddr);
2918                 break;
2919 #endif  /* IPV6 */
2920         default:
2921                 break;
2922         }
2923
2924         return ret;
2925 }
2926
2927 /* socket security operations */
2928 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2929                            u32 perms)
2930 {
2931         struct inode_security_struct *isec;
2932         struct task_security_struct *tsec;
2933         struct avc_audit_data ad;
2934         int err = 0;
2935
2936         tsec = task->security;
2937         isec = SOCK_INODE(sock)->i_security;
2938
2939         if (isec->sid == SECINITSID_KERNEL)
2940                 goto out;
2941
2942         AVC_AUDIT_DATA_INIT(&ad,NET);
2943         ad.u.net.sk = sock->sk;
2944         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2945
2946 out:
2947         return err;
2948 }
2949
2950 static int selinux_socket_create(int family, int type,
2951                                  int protocol, int kern)
2952 {
2953         int err = 0;
2954         struct task_security_struct *tsec;
2955
2956         if (kern)
2957                 goto out;
2958
2959         tsec = current->security;
2960         err = avc_has_perm(tsec->sid, tsec->sid,
2961                            socket_type_to_security_class(family, type,
2962                            protocol), SOCKET__CREATE, NULL);
2963
2964 out:
2965         return err;
2966 }
2967
2968 static void selinux_socket_post_create(struct socket *sock, int family,
2969                                        int type, int protocol, int kern)
2970 {
2971         struct inode_security_struct *isec;
2972         struct task_security_struct *tsec;
2973
2974         isec = SOCK_INODE(sock)->i_security;
2975
2976         tsec = current->security;
2977         isec->sclass = socket_type_to_security_class(family, type, protocol);
2978         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2979         isec->initialized = 1;
2980
2981         return;
2982 }
2983
2984 /* Range of port numbers used to automatically bind.
2985    Need to determine whether we should perform a name_bind
2986    permission check between the socket and the port number. */
2987 #define ip_local_port_range_0 sysctl_local_port_range[0]
2988 #define ip_local_port_range_1 sysctl_local_port_range[1]
2989
2990 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2991 {
2992         u16 family;
2993         int err;
2994
2995         err = socket_has_perm(current, sock, SOCKET__BIND);
2996         if (err)
2997                 goto out;
2998
2999         /*
3000          * If PF_INET or PF_INET6, check name_bind permission for the port.
3001          * Multiple address binding for SCTP is not supported yet: we just
3002          * check the first address now.
3003          */
3004         family = sock->sk->sk_family;
3005         if (family == PF_INET || family == PF_INET6) {
3006                 char *addrp;
3007                 struct inode_security_struct *isec;
3008                 struct task_security_struct *tsec;
3009                 struct avc_audit_data ad;
3010                 struct sockaddr_in *addr4 = NULL;
3011                 struct sockaddr_in6 *addr6 = NULL;
3012                 unsigned short snum;
3013                 struct sock *sk = sock->sk;
3014                 u32 sid, node_perm, addrlen;
3015
3016                 tsec = current->security;
3017                 isec = SOCK_INODE(sock)->i_security;
3018
3019                 if (family == PF_INET) {
3020                         addr4 = (struct sockaddr_in *)address;
3021                         snum = ntohs(addr4->sin_port);
3022                         addrlen = sizeof(addr4->sin_addr.s_addr);
3023                         addrp = (char *)&addr4->sin_addr.s_addr;
3024                 } else {
3025                         addr6 = (struct sockaddr_in6 *)address;
3026                         snum = ntohs(addr6->sin6_port);
3027                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3028                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3029                 }
3030
3031                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3032                            snum > ip_local_port_range_1)) {
3033                         err = security_port_sid(sk->sk_family, sk->sk_type,
3034                                                 sk->sk_protocol, snum, &sid);
3035                         if (err)
3036                                 goto out;
3037                         AVC_AUDIT_DATA_INIT(&ad,NET);
3038                         ad.u.net.sport = htons(snum);
3039                         ad.u.net.family = family;
3040                         err = avc_has_perm(isec->sid, sid,
3041                                            isec->sclass,
3042                                            SOCKET__NAME_BIND, &ad);
3043                         if (err)
3044                                 goto out;
3045                 }
3046                 
3047                 switch(isec->sclass) {
3048                 case SECCLASS_TCP_SOCKET:
3049                         node_perm = TCP_SOCKET__NODE_BIND;
3050                         break;
3051                         
3052                 case SECCLASS_UDP_SOCKET:
3053                         node_perm = UDP_SOCKET__NODE_BIND;
3054                         break;
3055                         
3056                 default:
3057                         node_perm = RAWIP_SOCKET__NODE_BIND;
3058                         break;
3059                 }
3060                 
3061                 err = security_node_sid(family, addrp, addrlen, &sid);
3062                 if (err)
3063                         goto out;
3064                 
3065                 AVC_AUDIT_DATA_INIT(&ad,NET);
3066                 ad.u.net.sport = htons(snum);
3067                 ad.u.net.family = family;
3068
3069                 if (family == PF_INET)
3070                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3071                 else
3072                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3073
3074                 err = avc_has_perm(isec->sid, sid,
3075                                    isec->sclass, node_perm, &ad);
3076                 if (err)
3077                         goto out;
3078         }
3079 out:
3080         return err;
3081 }
3082
3083 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3084 {
3085         struct inode_security_struct *isec;
3086         int err;
3087
3088         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3089         if (err)
3090                 return err;
3091
3092         /*
3093          * If a TCP socket, check name_connect permission for the port.
3094          */
3095         isec = SOCK_INODE(sock)->i_security;
3096         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3097                 struct sock *sk = sock->sk;
3098                 struct avc_audit_data ad;
3099                 struct sockaddr_in *addr4 = NULL;
3100                 struct sockaddr_in6 *addr6 = NULL;
3101                 unsigned short snum;
3102                 u32 sid;
3103
3104                 if (sk->sk_family == PF_INET) {
3105                         addr4 = (struct sockaddr_in *)address;
3106                         if (addrlen < sizeof(struct sockaddr_in))
3107                                 return -EINVAL;
3108                         snum = ntohs(addr4->sin_port);
3109                 } else {
3110                         addr6 = (struct sockaddr_in6 *)address;
3111                         if (addrlen < SIN6_LEN_RFC2133)
3112                                 return -EINVAL;
3113                         snum = ntohs(addr6->sin6_port);
3114                 }
3115
3116                 err = security_port_sid(sk->sk_family, sk->sk_type,
3117                                         sk->sk_protocol, snum, &sid);
3118                 if (err)
3119                         goto out;
3120
3121                 AVC_AUDIT_DATA_INIT(&ad,NET);
3122                 ad.u.net.dport = htons(snum);
3123                 ad.u.net.family = sk->sk_family;
3124                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3125                                    TCP_SOCKET__NAME_CONNECT, &ad);
3126                 if (err)
3127                         goto out;
3128         }
3129
3130 out:
3131         return err;
3132 }
3133
3134 static int selinux_socket_listen(struct socket *sock, int backlog)
3135 {
3136         return socket_has_perm(current, sock, SOCKET__LISTEN);
3137 }
3138
3139 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3140 {
3141         int err;
3142         struct inode_security_struct *isec;
3143         struct inode_security_struct *newisec;
3144
3145         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3146         if (err)
3147                 return err;
3148
3149         newisec = SOCK_INODE(newsock)->i_security;
3150
3151         isec = SOCK_INODE(sock)->i_security;
3152         newisec->sclass = isec->sclass;
3153         newisec->sid = isec->sid;
3154         newisec->initialized = 1;
3155
3156         return 0;
3157 }
3158
3159 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3160                                   int size)
3161 {
3162         return socket_has_perm(current, sock, SOCKET__WRITE);
3163 }
3164
3165 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3166                                   int size, int flags)
3167 {
3168         return socket_has_perm(current, sock, SOCKET__READ);
3169 }
3170
3171 static int selinux_socket_getsockname(struct socket *sock)
3172 {
3173         return socket_has_perm(current, sock, SOCKET__GETATTR);
3174 }
3175
3176 static int selinux_socket_getpeername(struct socket *sock)
3177 {
3178         return socket_has_perm(current, sock, SOCKET__GETATTR);
3179 }
3180
3181 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__SETOPT);
3184 }
3185
3186 static int selinux_socket_getsockopt(struct socket *sock, int level,
3187                                      int optname)
3188 {
3189         return socket_has_perm(current, sock, SOCKET__GETOPT);
3190 }
3191
3192 static int selinux_socket_shutdown(struct socket *sock, int how)
3193 {
3194         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3195 }
3196
3197 static int selinux_socket_unix_stream_connect(struct socket *sock,
3198                                               struct socket *other,
3199                                               struct sock *newsk)
3200 {
3201         struct sk_security_struct *ssec;
3202         struct inode_security_struct *isec;
3203         struct inode_security_struct *other_isec;
3204         struct avc_audit_data ad;
3205         int err;
3206
3207         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3208         if (err)
3209                 return err;
3210
3211         isec = SOCK_INODE(sock)->i_security;
3212         other_isec = SOCK_INODE(other)->i_security;
3213
3214         AVC_AUDIT_DATA_INIT(&ad,NET);
3215         ad.u.net.sk = other->sk;
3216
3217         err = avc_has_perm(isec->sid, other_isec->sid,
3218                            isec->sclass,
3219                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3220         if (err)
3221                 return err;
3222
3223         /* connecting socket */
3224         ssec = sock->sk->sk_security;
3225         ssec->peer_sid = other_isec->sid;
3226         
3227         /* server child socket */
3228         ssec = newsk->sk_security;
3229         ssec->peer_sid = isec->sid;
3230         
3231         return 0;
3232 }
3233
3234 static int selinux_socket_unix_may_send(struct socket *sock,
3235                                         struct socket *other)
3236 {
3237         struct inode_security_struct *isec;
3238         struct inode_security_struct *other_isec;
3239         struct avc_audit_data ad;
3240         int err;
3241
3242         isec = SOCK_INODE(sock)->i_security;
3243         other_isec = SOCK_INODE(other)->i_security;
3244
3245         AVC_AUDIT_DATA_INIT(&ad,NET);
3246         ad.u.net.sk = other->sk;
3247
3248         err = avc_has_perm(isec->sid, other_isec->sid,
3249                            isec->sclass, SOCKET__SENDTO, &ad);
3250         if (err)
3251                 return err;
3252
3253         return 0;
3254 }
3255
3256 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3257 {
3258         u16 family;
3259         char *addrp;
3260         int len, err = 0;
3261         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3262         u32 sock_sid = 0;
3263         u16 sock_class = 0;
3264         struct socket *sock;
3265         struct net_device *dev;
3266         struct avc_audit_data ad;
3267
3268         family = sk->sk_family;
3269         if (family != PF_INET && family != PF_INET6)
3270                 goto out;
3271
3272         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3273         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3274                 family = PF_INET;
3275
3276         read_lock_bh(&sk->sk_callback_lock);
3277         sock = sk->sk_socket;
3278         if (sock) {
3279                 struct inode *inode;
3280                 inode = SOCK_INODE(sock);
3281                 if (inode) {
3282                         struct inode_security_struct *isec;
3283                         isec = inode->i_security;
3284                         sock_sid = isec->sid;
3285                         sock_class = isec->sclass;
3286                 }
3287         }
3288         read_unlock_bh(&sk->sk_callback_lock);
3289         if (!sock_sid)
3290                 goto out;
3291
3292         dev = skb->dev;
3293         if (!dev)
3294                 goto out;
3295
3296         err = sel_netif_sids(dev, &if_sid, NULL);
3297         if (err)
3298                 goto out;
3299
3300         switch (sock_class) {
3301         case SECCLASS_UDP_SOCKET: