b13be15165f57d527ea6e334bf1ca8fe9606b6b8
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         memset(tsec, 0, sizeof(struct task_security_struct));
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         memset(isec, 0, sizeof(struct inode_security_struct));
159         init_MUTEX(&isec->sem);
160         INIT_LIST_HEAD(&isec->list);
161         isec->magic = SELINUX_MAGIC;
162         isec->inode = inode;
163         isec->sid = SECINITSID_UNLABELED;
164         isec->sclass = SECCLASS_FILE;
165         if (tsec && tsec->magic == SELINUX_MAGIC)
166                 isec->task_sid = tsec->sid;
167         else
168                 isec->task_sid = SECINITSID_UNLABELED;
169         inode->i_security = isec;
170
171         return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176         struct inode_security_struct *isec = inode->i_security;
177         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179         if (!isec || isec->magic != SELINUX_MAGIC)
180                 return;
181
182         spin_lock(&sbsec->isec_lock);
183         if (!list_empty(&isec->list))
184                 list_del_init(&isec->list);
185         spin_unlock(&sbsec->isec_lock);
186
187         inode->i_security = NULL;
188         kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193         struct task_security_struct *tsec = current->security;
194         struct file_security_struct *fsec;
195
196         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197         if (!fsec)
198                 return -ENOMEM;
199
200         memset(fsec, 0, sizeof(struct file_security_struct));
201         fsec->magic = SELINUX_MAGIC;
202         fsec->file = file;
203         if (tsec && tsec->magic == SELINUX_MAGIC) {
204                 fsec->sid = tsec->sid;
205                 fsec->fown_sid = tsec->sid;
206         } else {
207                 fsec->sid = SECINITSID_UNLABELED;
208                 fsec->fown_sid = SECINITSID_UNLABELED;
209         }
210         file->f_security = fsec;
211
212         return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217         struct file_security_struct *fsec = file->f_security;
218
219         if (!fsec || fsec->magic != SELINUX_MAGIC)
220                 return;
221
222         file->f_security = NULL;
223         kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228         struct superblock_security_struct *sbsec;
229
230         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231         if (!sbsec)
232                 return -ENOMEM;
233
234         memset(sbsec, 0, sizeof(struct superblock_security_struct));
235         init_MUTEX(&sbsec->sem);
236         INIT_LIST_HEAD(&sbsec->list);
237         INIT_LIST_HEAD(&sbsec->isec_head);
238         spin_lock_init(&sbsec->isec_lock);
239         sbsec->magic = SELINUX_MAGIC;
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253                 return;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267         struct sk_security_struct *ssec;
268
269         if (family != PF_UNIX)
270                 return 0;
271
272         ssec = kmalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         memset(ssec, 0, sizeof(*ssec));
277         ssec->magic = SELINUX_MAGIC;
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295 #endif  /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline int default_protocol_stream(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
636 }
637
638 static inline int default_protocol_dgram(int protocol)
639 {
640         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
641 }
642
643 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
644 {
645         switch (family) {
646         case PF_UNIX:
647                 switch (type) {
648                 case SOCK_STREAM:
649                 case SOCK_SEQPACKET:
650                         return SECCLASS_UNIX_STREAM_SOCKET;
651                 case SOCK_DGRAM:
652                         return SECCLASS_UNIX_DGRAM_SOCKET;
653                 }
654                 break;
655         case PF_INET:
656         case PF_INET6:
657                 switch (type) {
658                 case SOCK_STREAM:
659                         if (default_protocol_stream(protocol))
660                                 return SECCLASS_TCP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 case SOCK_DGRAM:
664                         if (default_protocol_dgram(protocol))
665                                 return SECCLASS_UDP_SOCKET;
666                         else
667                                 return SECCLASS_RAWIP_SOCKET;
668                 default:
669                         return SECCLASS_RAWIP_SOCKET;
670                 }
671                 break;
672         case PF_NETLINK:
673                 switch (protocol) {
674                 case NETLINK_ROUTE:
675                         return SECCLASS_NETLINK_ROUTE_SOCKET;
676                 case NETLINK_FIREWALL:
677                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
678                 case NETLINK_INET_DIAG:
679                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
680                 case NETLINK_NFLOG:
681                         return SECCLASS_NETLINK_NFLOG_SOCKET;
682                 case NETLINK_XFRM:
683                         return SECCLASS_NETLINK_XFRM_SOCKET;
684                 case NETLINK_SELINUX:
685                         return SECCLASS_NETLINK_SELINUX_SOCKET;
686                 case NETLINK_AUDIT:
687                         return SECCLASS_NETLINK_AUDIT_SOCKET;
688                 case NETLINK_IP6_FW:
689                         return SECCLASS_NETLINK_IP6FW_SOCKET;
690                 case NETLINK_DNRTMSG:
691                         return SECCLASS_NETLINK_DNRT_SOCKET;
692                 case NETLINK_KOBJECT_UEVENT:
693                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
694                 default:
695                         return SECCLASS_NETLINK_SOCKET;
696                 }
697         case PF_PACKET:
698                 return SECCLASS_PACKET_SOCKET;
699         case PF_KEY:
700                 return SECCLASS_KEY_SOCKET;
701         }
702
703         return SECCLASS_SOCKET;
704 }
705
706 #ifdef CONFIG_PROC_FS
707 static int selinux_proc_get_sid(struct proc_dir_entry *de,
708                                 u16 tclass,
709                                 u32 *sid)
710 {
711         int buflen, rc;
712         char *buffer, *path, *end;
713
714         buffer = (char*)__get_free_page(GFP_KERNEL);
715         if (!buffer)
716                 return -ENOMEM;
717
718         buflen = PAGE_SIZE;
719         end = buffer+buflen;
720         *--end = '\0';
721         buflen--;
722         path = end-1;
723         *path = '/';
724         while (de && de != de->parent) {
725                 buflen -= de->namelen + 1;
726                 if (buflen < 0)
727                         break;
728                 end -= de->namelen;
729                 memcpy(end, de->name, de->namelen);
730                 *--end = '/';
731                 path = end;
732                 de = de->parent;
733         }
734         rc = security_genfs_sid("proc", path, tclass, sid);
735         free_page((unsigned long)buffer);
736         return rc;
737 }
738 #else
739 static int selinux_proc_get_sid(struct proc_dir_entry *de,
740                                 u16 tclass,
741                                 u32 *sid)
742 {
743         return -EINVAL;
744 }
745 #endif
746
747 /* The inode's security attributes must be initialized before first use. */
748 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
749 {
750         struct superblock_security_struct *sbsec = NULL;
751         struct inode_security_struct *isec = inode->i_security;
752         u32 sid;
753         struct dentry *dentry;
754 #define INITCONTEXTLEN 255
755         char *context = NULL;
756         unsigned len = 0;
757         int rc = 0;
758         int hold_sem = 0;
759
760         if (isec->initialized)
761                 goto out;
762
763         down(&isec->sem);
764         hold_sem = 1;
765         if (isec->initialized)
766                 goto out;
767
768         sbsec = inode->i_sb->s_security;
769         if (!sbsec->initialized) {
770                 /* Defer initialization until selinux_complete_init,
771                    after the initial policy is loaded and the security
772                    server is ready to handle calls. */
773                 spin_lock(&sbsec->isec_lock);
774                 if (list_empty(&isec->list))
775                         list_add(&isec->list, &sbsec->isec_head);
776                 spin_unlock(&sbsec->isec_lock);
777                 goto out;
778         }
779
780         switch (sbsec->behavior) {
781         case SECURITY_FS_USE_XATTR:
782                 if (!inode->i_op->getxattr) {
783                         isec->sid = sbsec->def_sid;
784                         break;
785                 }
786
787                 /* Need a dentry, since the xattr API requires one.
788                    Life would be simpler if we could just pass the inode. */
789                 if (opt_dentry) {
790                         /* Called from d_instantiate or d_splice_alias. */
791                         dentry = dget(opt_dentry);
792                 } else {
793                         /* Called from selinux_complete_init, try to find a dentry. */
794                         dentry = d_find_alias(inode);
795                 }
796                 if (!dentry) {
797                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
798                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
799                                inode->i_ino);
800                         goto out;
801                 }
802
803                 len = INITCONTEXTLEN;
804                 context = kmalloc(len, GFP_KERNEL);
805                 if (!context) {
806                         rc = -ENOMEM;
807                         dput(dentry);
808                         goto out;
809                 }
810                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
811                                            context, len);
812                 if (rc == -ERANGE) {
813                         /* Need a larger buffer.  Query for the right size. */
814                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
815                                                    NULL, 0);
816                         if (rc < 0) {
817                                 dput(dentry);
818                                 goto out;
819                         }
820                         kfree(context);
821                         len = rc;
822                         context = kmalloc(len, GFP_KERNEL);
823                         if (!context) {
824                                 rc = -ENOMEM;
825                                 dput(dentry);
826                                 goto out;
827                         }
828                         rc = inode->i_op->getxattr(dentry,
829                                                    XATTR_NAME_SELINUX,
830                                                    context, len);
831                 }
832                 dput(dentry);
833                 if (rc < 0) {
834                         if (rc != -ENODATA) {
835                                 printk(KERN_WARNING "%s:  getxattr returned "
836                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
837                                        -rc, inode->i_sb->s_id, inode->i_ino);
838                                 kfree(context);
839                                 goto out;
840                         }
841                         /* Map ENODATA to the default file SID */
842                         sid = sbsec->def_sid;
843                         rc = 0;
844                 } else {
845                         rc = security_context_to_sid_default(context, rc, &sid,
846                                                              sbsec->def_sid);
847                         if (rc) {
848                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
849                                        "returned %d for dev=%s ino=%ld\n",
850                                        __FUNCTION__, context, -rc,
851                                        inode->i_sb->s_id, inode->i_ino);
852                                 kfree(context);
853                                 /* Leave with the unlabeled SID */
854                                 rc = 0;
855                                 break;
856                         }
857                 }
858                 kfree(context);
859                 isec->sid = sid;
860                 break;
861         case SECURITY_FS_USE_TASK:
862                 isec->sid = isec->task_sid;
863                 break;
864         case SECURITY_FS_USE_TRANS:
865                 /* Default to the fs SID. */
866                 isec->sid = sbsec->sid;
867
868                 /* Try to obtain a transition SID. */
869                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870                 rc = security_transition_sid(isec->task_sid,
871                                              sbsec->sid,
872                                              isec->sclass,
873                                              &sid);
874                 if (rc)
875                         goto out;
876                 isec->sid = sid;
877                 break;
878         default:
879                 /* Default to the fs SID. */
880                 isec->sid = sbsec->sid;
881
882                 if (sbsec->proc) {
883                         struct proc_inode *proci = PROC_I(inode);
884                         if (proci->pde) {
885                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886                                 rc = selinux_proc_get_sid(proci->pde,
887                                                           isec->sclass,
888                                                           &sid);
889                                 if (rc)
890                                         goto out;
891                                 isec->sid = sid;
892                         }
893                 }
894                 break;
895         }
896
897         isec->initialized = 1;
898
899 out:
900         if (isec->sclass == SECCLASS_FILE)
901                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
902
903         if (hold_sem)
904                 up(&isec->sem);
905         return rc;
906 }
907
908 /* Convert a Linux signal to an access vector. */
909 static inline u32 signal_to_av(int sig)
910 {
911         u32 perm = 0;
912
913         switch (sig) {
914         case SIGCHLD:
915                 /* Commonly granted from child to parent. */
916                 perm = PROCESS__SIGCHLD;
917                 break;
918         case SIGKILL:
919                 /* Cannot be caught or ignored */
920                 perm = PROCESS__SIGKILL;
921                 break;
922         case SIGSTOP:
923                 /* Cannot be caught or ignored */
924                 perm = PROCESS__SIGSTOP;
925                 break;
926         default:
927                 /* All other signals. */
928                 perm = PROCESS__SIGNAL;
929                 break;
930         }
931
932         return perm;
933 }
934
935 /* Check permission betweeen a pair of tasks, e.g. signal checks,
936    fork check, ptrace check, etc. */
937 static int task_has_perm(struct task_struct *tsk1,
938                          struct task_struct *tsk2,
939                          u32 perms)
940 {
941         struct task_security_struct *tsec1, *tsec2;
942
943         tsec1 = tsk1->security;
944         tsec2 = tsk2->security;
945         return avc_has_perm(tsec1->sid, tsec2->sid,
946                             SECCLASS_PROCESS, perms, NULL);
947 }
948
949 /* Check whether a task is allowed to use a capability. */
950 static int task_has_capability(struct task_struct *tsk,
951                                int cap)
952 {
953         struct task_security_struct *tsec;
954         struct avc_audit_data ad;
955
956         tsec = tsk->security;
957
958         AVC_AUDIT_DATA_INIT(&ad,CAP);
959         ad.tsk = tsk;
960         ad.u.cap = cap;
961
962         return avc_has_perm(tsec->sid, tsec->sid,
963                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
964 }
965
966 /* Check whether a task is allowed to use a system operation. */
967 static int task_has_system(struct task_struct *tsk,
968                            u32 perms)
969 {
970         struct task_security_struct *tsec;
971
972         tsec = tsk->security;
973
974         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
975                             SECCLASS_SYSTEM, perms, NULL);
976 }
977
978 /* Check whether a task has a particular permission to an inode.
979    The 'adp' parameter is optional and allows other audit
980    data to be passed (e.g. the dentry). */
981 static int inode_has_perm(struct task_struct *tsk,
982                           struct inode *inode,
983                           u32 perms,
984                           struct avc_audit_data *adp)
985 {
986         struct task_security_struct *tsec;
987         struct inode_security_struct *isec;
988         struct avc_audit_data ad;
989
990         tsec = tsk->security;
991         isec = inode->i_security;
992
993         if (!adp) {
994                 adp = &ad;
995                 AVC_AUDIT_DATA_INIT(&ad, FS);
996                 ad.u.fs.inode = inode;
997         }
998
999         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1000 }
1001
1002 /* Same as inode_has_perm, but pass explicit audit data containing
1003    the dentry to help the auditing code to more easily generate the
1004    pathname if needed. */
1005 static inline int dentry_has_perm(struct task_struct *tsk,
1006                                   struct vfsmount *mnt,
1007                                   struct dentry *dentry,
1008                                   u32 av)
1009 {
1010         struct inode *inode = dentry->d_inode;
1011         struct avc_audit_data ad;
1012         AVC_AUDIT_DATA_INIT(&ad,FS);
1013         ad.u.fs.mnt = mnt;
1014         ad.u.fs.dentry = dentry;
1015         return inode_has_perm(tsk, inode, av, &ad);
1016 }
1017
1018 /* Check whether a task can use an open file descriptor to
1019    access an inode in a given way.  Check access to the
1020    descriptor itself, and then use dentry_has_perm to
1021    check a particular permission to the file.
1022    Access to the descriptor is implicitly granted if it
1023    has the same SID as the process.  If av is zero, then
1024    access to the file is not checked, e.g. for cases
1025    where only the descriptor is affected like seek. */
1026 static inline int file_has_perm(struct task_struct *tsk,
1027                                 struct file *file,
1028                                 u32 av)
1029 {
1030         struct task_security_struct *tsec = tsk->security;
1031         struct file_security_struct *fsec = file->f_security;
1032         struct vfsmount *mnt = file->f_vfsmnt;
1033         struct dentry *dentry = file->f_dentry;
1034         struct inode *inode = dentry->d_inode;
1035         struct avc_audit_data ad;
1036         int rc;
1037
1038         AVC_AUDIT_DATA_INIT(&ad, FS);
1039         ad.u.fs.mnt = mnt;
1040         ad.u.fs.dentry = dentry;
1041
1042         if (tsec->sid != fsec->sid) {
1043                 rc = avc_has_perm(tsec->sid, fsec->sid,
1044                                   SECCLASS_FD,
1045                                   FD__USE,
1046                                   &ad);
1047                 if (rc)
1048                         return rc;
1049         }
1050
1051         /* av is zero if only checking access to the descriptor. */
1052         if (av)
1053                 return inode_has_perm(tsk, inode, av, &ad);
1054
1055         return 0;
1056 }
1057
1058 /* Check whether a task can create a file. */
1059 static int may_create(struct inode *dir,
1060                       struct dentry *dentry,
1061                       u16 tclass)
1062 {
1063         struct task_security_struct *tsec;
1064         struct inode_security_struct *dsec;
1065         struct superblock_security_struct *sbsec;
1066         u32 newsid;
1067         struct avc_audit_data ad;
1068         int rc;
1069
1070         tsec = current->security;
1071         dsec = dir->i_security;
1072         sbsec = dir->i_sb->s_security;
1073
1074         AVC_AUDIT_DATA_INIT(&ad, FS);
1075         ad.u.fs.dentry = dentry;
1076
1077         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1078                           DIR__ADD_NAME | DIR__SEARCH,
1079                           &ad);
1080         if (rc)
1081                 return rc;
1082
1083         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1084                 newsid = tsec->create_sid;
1085         } else {
1086                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1087                                              &newsid);
1088                 if (rc)
1089                         return rc;
1090         }
1091
1092         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1093         if (rc)
1094                 return rc;
1095
1096         return avc_has_perm(newsid, sbsec->sid,
1097                             SECCLASS_FILESYSTEM,
1098                             FILESYSTEM__ASSOCIATE, &ad);
1099 }
1100
1101 #define MAY_LINK   0
1102 #define MAY_UNLINK 1
1103 #define MAY_RMDIR  2
1104
1105 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1106 static int may_link(struct inode *dir,
1107                     struct dentry *dentry,
1108                     int kind)
1109
1110 {
1111         struct task_security_struct *tsec;
1112         struct inode_security_struct *dsec, *isec;
1113         struct avc_audit_data ad;
1114         u32 av;
1115         int rc;
1116
1117         tsec = current->security;
1118         dsec = dir->i_security;
1119         isec = dentry->d_inode->i_security;
1120
1121         AVC_AUDIT_DATA_INIT(&ad, FS);
1122         ad.u.fs.dentry = dentry;
1123
1124         av = DIR__SEARCH;
1125         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1126         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1127         if (rc)
1128                 return rc;
1129
1130         switch (kind) {
1131         case MAY_LINK:
1132                 av = FILE__LINK;
1133                 break;
1134         case MAY_UNLINK:
1135                 av = FILE__UNLINK;
1136                 break;
1137         case MAY_RMDIR:
1138                 av = DIR__RMDIR;
1139                 break;
1140         default:
1141                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1142                 return 0;
1143         }
1144
1145         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1146         return rc;
1147 }
1148
1149 static inline int may_rename(struct inode *old_dir,
1150                              struct dentry *old_dentry,
1151                              struct inode *new_dir,
1152                              struct dentry *new_dentry)
1153 {
1154         struct task_security_struct *tsec;
1155         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1156         struct avc_audit_data ad;
1157         u32 av;
1158         int old_is_dir, new_is_dir;
1159         int rc;
1160
1161         tsec = current->security;
1162         old_dsec = old_dir->i_security;
1163         old_isec = old_dentry->d_inode->i_security;
1164         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1165         new_dsec = new_dir->i_security;
1166
1167         AVC_AUDIT_DATA_INIT(&ad, FS);
1168
1169         ad.u.fs.dentry = old_dentry;
1170         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1171                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1172         if (rc)
1173                 return rc;
1174         rc = avc_has_perm(tsec->sid, old_isec->sid,
1175                           old_isec->sclass, FILE__RENAME, &ad);
1176         if (rc)
1177                 return rc;
1178         if (old_is_dir && new_dir != old_dir) {
1179                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1180                                   old_isec->sclass, DIR__REPARENT, &ad);
1181                 if (rc)
1182                         return rc;
1183         }
1184
1185         ad.u.fs.dentry = new_dentry;
1186         av = DIR__ADD_NAME | DIR__SEARCH;
1187         if (new_dentry->d_inode)
1188                 av |= DIR__REMOVE_NAME;
1189         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1190         if (rc)
1191                 return rc;
1192         if (new_dentry->d_inode) {
1193                 new_isec = new_dentry->d_inode->i_security;
1194                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1195                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1196                                   new_isec->sclass,
1197                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1198                 if (rc)
1199                         return rc;
1200         }
1201
1202         return 0;
1203 }
1204
1205 /* Check whether a task can perform a filesystem operation. */
1206 static int superblock_has_perm(struct task_struct *tsk,
1207                                struct super_block *sb,
1208                                u32 perms,
1209                                struct avc_audit_data *ad)
1210 {
1211         struct task_security_struct *tsec;
1212         struct superblock_security_struct *sbsec;
1213
1214         tsec = tsk->security;
1215         sbsec = sb->s_security;
1216         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1217                             perms, ad);
1218 }
1219
1220 /* Convert a Linux mode and permission mask to an access vector. */
1221 static inline u32 file_mask_to_av(int mode, int mask)
1222 {
1223         u32 av = 0;
1224
1225         if ((mode & S_IFMT) != S_IFDIR) {
1226                 if (mask & MAY_EXEC)
1227                         av |= FILE__EXECUTE;
1228                 if (mask & MAY_READ)
1229                         av |= FILE__READ;
1230
1231                 if (mask & MAY_APPEND)
1232                         av |= FILE__APPEND;
1233                 else if (mask & MAY_WRITE)
1234                         av |= FILE__WRITE;
1235
1236         } else {
1237                 if (mask & MAY_EXEC)
1238                         av |= DIR__SEARCH;
1239                 if (mask & MAY_WRITE)
1240                         av |= DIR__WRITE;
1241                 if (mask & MAY_READ)
1242                         av |= DIR__READ;
1243         }
1244
1245         return av;
1246 }
1247
1248 /* Convert a Linux file to an access vector. */
1249 static inline u32 file_to_av(struct file *file)
1250 {
1251         u32 av = 0;
1252
1253         if (file->f_mode & FMODE_READ)
1254                 av |= FILE__READ;
1255         if (file->f_mode & FMODE_WRITE) {
1256                 if (file->f_flags & O_APPEND)
1257                         av |= FILE__APPEND;
1258                 else
1259                         av |= FILE__WRITE;
1260         }
1261
1262         return av;
1263 }
1264
1265 /* Set an inode's SID to a specified value. */
1266 static int inode_security_set_sid(struct inode *inode, u32 sid)
1267 {
1268         struct inode_security_struct *isec = inode->i_security;
1269         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1270
1271         if (!sbsec->initialized) {
1272                 /* Defer initialization to selinux_complete_init. */
1273                 return 0;
1274         }
1275
1276         down(&isec->sem);
1277         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1278         isec->sid = sid;
1279         isec->initialized = 1;
1280         up(&isec->sem);
1281         return 0;
1282 }
1283
1284 /* Hook functions begin here. */
1285
1286 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1287 {
1288         struct task_security_struct *psec = parent->security;
1289         struct task_security_struct *csec = child->security;
1290         int rc;
1291
1292         rc = secondary_ops->ptrace(parent,child);
1293         if (rc)
1294                 return rc;
1295
1296         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1297         /* Save the SID of the tracing process for later use in apply_creds. */
1298         if (!rc)
1299                 csec->ptrace_sid = psec->sid;
1300         return rc;
1301 }
1302
1303 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1304                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1305 {
1306         int error;
1307
1308         error = task_has_perm(current, target, PROCESS__GETCAP);
1309         if (error)
1310                 return error;
1311
1312         return secondary_ops->capget(target, effective, inheritable, permitted);
1313 }
1314
1315 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1316                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1317 {
1318         int error;
1319
1320         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1321         if (error)
1322                 return error;
1323
1324         return task_has_perm(current, target, PROCESS__SETCAP);
1325 }
1326
1327 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1328                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1329 {
1330         secondary_ops->capset_set(target, effective, inheritable, permitted);
1331 }
1332
1333 static int selinux_capable(struct task_struct *tsk, int cap)
1334 {
1335         int rc;
1336
1337         rc = secondary_ops->capable(tsk, cap);
1338         if (rc)
1339                 return rc;
1340
1341         return task_has_capability(tsk,cap);
1342 }
1343
1344 static int selinux_sysctl(ctl_table *table, int op)
1345 {
1346         int error = 0;
1347         u32 av;
1348         struct task_security_struct *tsec;
1349         u32 tsid;
1350         int rc;
1351
1352         rc = secondary_ops->sysctl(table, op);
1353         if (rc)
1354                 return rc;
1355
1356         tsec = current->security;
1357
1358         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1359                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1360         if (rc) {
1361                 /* Default to the well-defined sysctl SID. */
1362                 tsid = SECINITSID_SYSCTL;
1363         }
1364
1365         /* The op values are "defined" in sysctl.c, thereby creating
1366          * a bad coupling between this module and sysctl.c */
1367         if(op == 001) {
1368                 error = avc_has_perm(tsec->sid, tsid,
1369                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1370         } else {
1371                 av = 0;
1372                 if (op & 004)
1373                         av |= FILE__READ;
1374                 if (op & 002)
1375                         av |= FILE__WRITE;
1376                 if (av)
1377                         error = avc_has_perm(tsec->sid, tsid,
1378                                              SECCLASS_FILE, av, NULL);
1379         }
1380
1381         return error;
1382 }
1383
1384 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1385 {
1386         int rc = 0;
1387
1388         if (!sb)
1389                 return 0;
1390
1391         switch (cmds) {
1392                 case Q_SYNC:
1393                 case Q_QUOTAON:
1394                 case Q_QUOTAOFF:
1395                 case Q_SETINFO:
1396                 case Q_SETQUOTA:
1397                         rc = superblock_has_perm(current,
1398                                                  sb,
1399                                                  FILESYSTEM__QUOTAMOD, NULL);
1400                         break;
1401                 case Q_GETFMT:
1402                 case Q_GETINFO:
1403                 case Q_GETQUOTA:
1404                         rc = superblock_has_perm(current,
1405                                                  sb,
1406                                                  FILESYSTEM__QUOTAGET, NULL);
1407                         break;
1408                 default:
1409                         rc = 0;  /* let the kernel handle invalid cmds */
1410                         break;
1411         }
1412         return rc;
1413 }
1414
1415 static int selinux_quota_on(struct dentry *dentry)
1416 {
1417         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1418 }
1419
1420 static int selinux_syslog(int type)
1421 {
1422         int rc;
1423
1424         rc = secondary_ops->syslog(type);
1425         if (rc)
1426                 return rc;
1427
1428         switch (type) {
1429                 case 3:         /* Read last kernel messages */
1430                 case 10:        /* Return size of the log buffer */
1431                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1432                         break;
1433                 case 6:         /* Disable logging to console */
1434                 case 7:         /* Enable logging to console */
1435                 case 8:         /* Set level of messages printed to console */
1436                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1437                         break;
1438                 case 0:         /* Close log */
1439                 case 1:         /* Open log */
1440                 case 2:         /* Read from log */
1441                 case 4:         /* Read/clear last kernel messages */
1442                 case 5:         /* Clear ring buffer */
1443                 default:
1444                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1445                         break;
1446         }
1447         return rc;
1448 }
1449
1450 /*
1451  * Check that a process has enough memory to allocate a new virtual
1452  * mapping. 0 means there is enough memory for the allocation to
1453  * succeed and -ENOMEM implies there is not.
1454  *
1455  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1456  * if the capability is granted, but __vm_enough_memory requires 1 if
1457  * the capability is granted.
1458  *
1459  * Do not audit the selinux permission check, as this is applied to all
1460  * processes that allocate mappings.
1461  */
1462 static int selinux_vm_enough_memory(long pages)
1463 {
1464         int rc, cap_sys_admin = 0;
1465         struct task_security_struct *tsec = current->security;
1466
1467         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1468         if (rc == 0)
1469                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1470                                         SECCLASS_CAPABILITY,
1471                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1472                                         NULL);
1473
1474         if (rc == 0)
1475                 cap_sys_admin = 1;
1476
1477         return __vm_enough_memory(pages, cap_sys_admin);
1478 }
1479
1480 /* binprm security operations */
1481
1482 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1483 {
1484         struct bprm_security_struct *bsec;
1485
1486         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1487         if (!bsec)
1488                 return -ENOMEM;
1489
1490         memset(bsec, 0, sizeof *bsec);
1491         bsec->magic = SELINUX_MAGIC;
1492         bsec->bprm = bprm;
1493         bsec->sid = SECINITSID_UNLABELED;
1494         bsec->set = 0;
1495
1496         bprm->security = bsec;
1497         return 0;
1498 }
1499
1500 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1501 {
1502         struct task_security_struct *tsec;
1503         struct inode *inode = bprm->file->f_dentry->d_inode;
1504         struct inode_security_struct *isec;
1505         struct bprm_security_struct *bsec;
1506         u32 newsid;
1507         struct avc_audit_data ad;
1508         int rc;
1509
1510         rc = secondary_ops->bprm_set_security(bprm);
1511         if (rc)
1512                 return rc;
1513
1514         bsec = bprm->security;
1515
1516         if (bsec->set)
1517                 return 0;
1518
1519         tsec = current->security;
1520         isec = inode->i_security;
1521
1522         /* Default to the current task SID. */
1523         bsec->sid = tsec->sid;
1524
1525         /* Reset create SID on execve. */
1526         tsec->create_sid = 0;
1527
1528         if (tsec->exec_sid) {
1529                 newsid = tsec->exec_sid;
1530                 /* Reset exec SID on execve. */
1531                 tsec->exec_sid = 0;
1532         } else {
1533                 /* Check for a default transition on this program. */
1534                 rc = security_transition_sid(tsec->sid, isec->sid,
1535                                              SECCLASS_PROCESS, &newsid);
1536                 if (rc)
1537                         return rc;
1538         }
1539
1540         AVC_AUDIT_DATA_INIT(&ad, FS);
1541         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1542         ad.u.fs.dentry = bprm->file->f_dentry;
1543
1544         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1545                 newsid = tsec->sid;
1546
1547         if (tsec->sid == newsid) {
1548                 rc = avc_has_perm(tsec->sid, isec->sid,
1549                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1550                 if (rc)
1551                         return rc;
1552         } else {
1553                 /* Check permissions for the transition. */
1554                 rc = avc_has_perm(tsec->sid, newsid,
1555                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1556                 if (rc)
1557                         return rc;
1558
1559                 rc = avc_has_perm(newsid, isec->sid,
1560                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1561                 if (rc)
1562                         return rc;
1563
1564                 /* Clear any possibly unsafe personality bits on exec: */
1565                 current->personality &= ~PER_CLEAR_ON_SETID;
1566
1567                 /* Set the security field to the new SID. */
1568                 bsec->sid = newsid;
1569         }
1570
1571         bsec->set = 1;
1572         return 0;
1573 }
1574
1575 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1576 {
1577         return secondary_ops->bprm_check_security(bprm);
1578 }
1579
1580
1581 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1582 {
1583         struct task_security_struct *tsec = current->security;
1584         int atsecure = 0;
1585
1586         if (tsec->osid != tsec->sid) {
1587                 /* Enable secure mode for SIDs transitions unless
1588                    the noatsecure permission is granted between
1589                    the two SIDs, i.e. ahp returns 0. */
1590                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1591                                          SECCLASS_PROCESS,
1592                                          PROCESS__NOATSECURE, NULL);
1593         }
1594
1595         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1596 }
1597
1598 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1599 {
1600         kfree(bprm->security);
1601         bprm->security = NULL;
1602 }
1603
1604 extern struct vfsmount *selinuxfs_mount;
1605 extern struct dentry *selinux_null;
1606
1607 /* Derived from fs/exec.c:flush_old_files. */
1608 static inline void flush_unauthorized_files(struct files_struct * files)
1609 {
1610         struct avc_audit_data ad;
1611         struct file *file, *devnull = NULL;
1612         struct tty_struct *tty = current->signal->tty;
1613         struct fdtable *fdt;
1614         long j = -1;
1615
1616         if (tty) {
1617                 file_list_lock();
1618                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1619                 if (file) {
1620                         /* Revalidate access to controlling tty.
1621                            Use inode_has_perm on the tty inode directly rather
1622                            than using file_has_perm, as this particular open
1623                            file may belong to another process and we are only
1624                            interested in the inode-based check here. */
1625                         struct inode *inode = file->f_dentry->d_inode;
1626                         if (inode_has_perm(current, inode,
1627                                            FILE__READ | FILE__WRITE, NULL)) {
1628                                 /* Reset controlling tty. */
1629                                 current->signal->tty = NULL;
1630                                 current->signal->tty_old_pgrp = 0;
1631                         }
1632                 }
1633                 file_list_unlock();
1634         }
1635
1636         /* Revalidate access to inherited open files. */
1637
1638         AVC_AUDIT_DATA_INIT(&ad,FS);
1639
1640         spin_lock(&files->file_lock);
1641         for (;;) {
1642                 unsigned long set, i;
1643                 int fd;
1644
1645                 j++;
1646                 i = j * __NFDBITS;
1647                 fdt = files_fdtable(files);
1648                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1649                         break;
1650                 set = fdt->open_fds->fds_bits[j];
1651                 if (!set)
1652                         continue;
1653                 spin_unlock(&files->file_lock);
1654                 for ( ; set ; i++,set >>= 1) {
1655                         if (set & 1) {
1656                                 file = fget(i);
1657                                 if (!file)
1658                                         continue;
1659                                 if (file_has_perm(current,
1660                                                   file,
1661                                                   file_to_av(file))) {
1662                                         sys_close(i);
1663                                         fd = get_unused_fd();
1664                                         if (fd != i) {
1665                                                 if (fd >= 0)
1666                                                         put_unused_fd(fd);
1667                                                 fput(file);
1668                                                 continue;
1669                                         }
1670                                         if (devnull) {
1671                                                 rcuref_inc(&devnull->f_count);
1672                                         } else {
1673                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1674                                                 if (!devnull) {
1675                                                         put_unused_fd(fd);
1676                                                         fput(file);
1677                                                         continue;
1678                                                 }
1679                                         }
1680                                         fd_install(fd, devnull);
1681                                 }
1682                                 fput(file);
1683                         }
1684                 }
1685                 spin_lock(&files->file_lock);
1686
1687         }
1688         spin_unlock(&files->file_lock);
1689 }
1690
1691 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1692 {
1693         struct task_security_struct *tsec;
1694         struct bprm_security_struct *bsec;
1695         u32 sid;
1696         int rc;
1697
1698         secondary_ops->bprm_apply_creds(bprm, unsafe);
1699
1700         tsec = current->security;
1701
1702         bsec = bprm->security;
1703         sid = bsec->sid;
1704
1705         tsec->osid = tsec->sid;
1706         bsec->unsafe = 0;
1707         if (tsec->sid != sid) {
1708                 /* Check for shared state.  If not ok, leave SID
1709                    unchanged and kill. */
1710                 if (unsafe & LSM_UNSAFE_SHARE) {
1711                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1712                                         PROCESS__SHARE, NULL);
1713                         if (rc) {
1714                                 bsec->unsafe = 1;
1715                                 return;
1716                         }
1717                 }
1718
1719                 /* Check for ptracing, and update the task SID if ok.
1720                    Otherwise, leave SID unchanged and kill. */
1721                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1722                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1723                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1724                                           NULL);
1725                         if (rc) {
1726                                 bsec->unsafe = 1;
1727                                 return;
1728                         }
1729                 }
1730                 tsec->sid = sid;
1731         }
1732 }
1733
1734 /*
1735  * called after apply_creds without the task lock held
1736  */
1737 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1738 {
1739         struct task_security_struct *tsec;
1740         struct rlimit *rlim, *initrlim;
1741         struct itimerval itimer;
1742         struct bprm_security_struct *bsec;
1743         int rc, i;
1744
1745         tsec = current->security;
1746         bsec = bprm->security;
1747
1748         if (bsec->unsafe) {
1749                 force_sig_specific(SIGKILL, current);
1750                 return;
1751         }
1752         if (tsec->osid == tsec->sid)
1753                 return;
1754
1755         /* Close files for which the new task SID is not authorized. */
1756         flush_unauthorized_files(current->files);
1757
1758         /* Check whether the new SID can inherit signal state
1759            from the old SID.  If not, clear itimers to avoid
1760            subsequent signal generation and flush and unblock
1761            signals. This must occur _after_ the task SID has
1762           been updated so that any kill done after the flush
1763           will be checked against the new SID. */
1764         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1765                           PROCESS__SIGINH, NULL);
1766         if (rc) {
1767                 memset(&itimer, 0, sizeof itimer);
1768                 for (i = 0; i < 3; i++)
1769                         do_setitimer(i, &itimer, NULL);
1770                 flush_signals(current);
1771                 spin_lock_irq(&current->sighand->siglock);
1772                 flush_signal_handlers(current, 1);
1773                 sigemptyset(&current->blocked);
1774                 recalc_sigpending();
1775                 spin_unlock_irq(&current->sighand->siglock);
1776         }
1777
1778         /* Check whether the new SID can inherit resource limits
1779            from the old SID.  If not, reset all soft limits to
1780            the lower of the current task's hard limit and the init
1781            task's soft limit.  Note that the setting of hard limits
1782            (even to lower them) can be controlled by the setrlimit
1783            check. The inclusion of the init task's soft limit into
1784            the computation is to avoid resetting soft limits higher
1785            than the default soft limit for cases where the default
1786            is lower than the hard limit, e.g. RLIMIT_CORE or
1787            RLIMIT_STACK.*/
1788         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1789                           PROCESS__RLIMITINH, NULL);
1790         if (rc) {
1791                 for (i = 0; i < RLIM_NLIMITS; i++) {
1792                         rlim = current->signal->rlim + i;
1793                         initrlim = init_task.signal->rlim+i;
1794                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1795                 }
1796                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1797                         /*
1798                          * This will cause RLIMIT_CPU calculations
1799                          * to be refigured.
1800                          */
1801                         current->it_prof_expires = jiffies_to_cputime(1);
1802                 }
1803         }
1804
1805         /* Wake up the parent if it is waiting so that it can
1806            recheck wait permission to the new task SID. */
1807         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1808 }
1809
1810 /* superblock security operations */
1811
1812 static int selinux_sb_alloc_security(struct super_block *sb)
1813 {
1814         return superblock_alloc_security(sb);
1815 }
1816
1817 static void selinux_sb_free_security(struct super_block *sb)
1818 {
1819         superblock_free_security(sb);
1820 }
1821
1822 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1823 {
1824         if (plen > olen)
1825                 return 0;
1826
1827         return !memcmp(prefix, option, plen);
1828 }
1829
1830 static inline int selinux_option(char *option, int len)
1831 {
1832         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1833                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1834                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1835 }
1836
1837 static inline void take_option(char **to, char *from, int *first, int len)
1838 {
1839         if (!*first) {
1840                 **to = ',';
1841                 *to += 1;
1842         }
1843         else
1844                 *first = 0;
1845         memcpy(*to, from, len);
1846         *to += len;
1847 }
1848
1849 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1850 {
1851         int fnosec, fsec, rc = 0;
1852         char *in_save, *in_curr, *in_end;
1853         char *sec_curr, *nosec_save, *nosec;
1854
1855         in_curr = orig;
1856         sec_curr = copy;
1857
1858         /* Binary mount data: just copy */
1859         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1860                 copy_page(sec_curr, in_curr);
1861                 goto out;
1862         }
1863
1864         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1865         if (!nosec) {
1866                 rc = -ENOMEM;
1867                 goto out;
1868         }
1869
1870         nosec_save = nosec;
1871         fnosec = fsec = 1;
1872         in_save = in_end = orig;
1873
1874         do {
1875                 if (*in_end == ',' || *in_end == '\0') {
1876                         int len = in_end - in_curr;
1877
1878                         if (selinux_option(in_curr, len))
1879                                 take_option(&sec_curr, in_curr, &fsec, len);
1880                         else
1881                                 take_option(&nosec, in_curr, &fnosec, len);
1882
1883                         in_curr = in_end + 1;
1884                 }
1885         } while (*in_end++);
1886
1887         strcpy(in_save, nosec_save);
1888         free_page((unsigned long)nosec_save);
1889 out:
1890         return rc;
1891 }
1892
1893 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1894 {
1895         struct avc_audit_data ad;
1896         int rc;
1897
1898         rc = superblock_doinit(sb, data);
1899         if (rc)
1900                 return rc;
1901
1902         AVC_AUDIT_DATA_INIT(&ad,FS);
1903         ad.u.fs.dentry = sb->s_root;
1904         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1905 }
1906
1907 static int selinux_sb_statfs(struct super_block *sb)
1908 {
1909         struct avc_audit_data ad;
1910
1911         AVC_AUDIT_DATA_INIT(&ad,FS);
1912         ad.u.fs.dentry = sb->s_root;
1913         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1914 }
1915
1916 static int selinux_mount(char * dev_name,
1917                          struct nameidata *nd,
1918                          char * type,
1919                          unsigned long flags,
1920                          void * data)
1921 {
1922         int rc;
1923
1924         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1925         if (rc)
1926                 return rc;
1927
1928         if (flags & MS_REMOUNT)
1929                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1930                                            FILESYSTEM__REMOUNT, NULL);
1931         else
1932                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1933                                        FILE__MOUNTON);
1934 }
1935
1936 static int selinux_umount(struct vfsmount *mnt, int flags)
1937 {
1938         int rc;
1939
1940         rc = secondary_ops->sb_umount(mnt, flags);
1941         if (rc)
1942                 return rc;
1943
1944         return superblock_has_perm(current,mnt->mnt_sb,
1945                                    FILESYSTEM__UNMOUNT,NULL);
1946 }
1947
1948 /* inode security operations */
1949
1950 static int selinux_inode_alloc_security(struct inode *inode)
1951 {
1952         return inode_alloc_security(inode);
1953 }
1954
1955 static void selinux_inode_free_security(struct inode *inode)
1956 {
1957         inode_free_security(inode);
1958 }
1959
1960 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1961                                        char **name, void **value,
1962                                        size_t *len)
1963 {
1964         struct task_security_struct *tsec;
1965         struct inode_security_struct *dsec;
1966         struct superblock_security_struct *sbsec;
1967         struct inode_security_struct *isec;
1968         u32 newsid, clen;
1969         int rc;
1970         char *namep = NULL, *context;
1971
1972         tsec = current->security;
1973         dsec = dir->i_security;
1974         sbsec = dir->i_sb->s_security;
1975         isec = inode->i_security;
1976
1977         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1978                 newsid = tsec->create_sid;
1979         } else {
1980                 rc = security_transition_sid(tsec->sid, dsec->sid,
1981                                              inode_mode_to_security_class(inode->i_mode),
1982                                              &newsid);
1983                 if (rc) {
1984                         printk(KERN_WARNING "%s:  "
1985                                "security_transition_sid failed, rc=%d (dev=%s "
1986                                "ino=%ld)\n",
1987                                __FUNCTION__,
1988                                -rc, inode->i_sb->s_id, inode->i_ino);
1989                         return rc;
1990                 }
1991         }
1992
1993         inode_security_set_sid(inode, newsid);
1994
1995         if (name) {
1996                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1997                 if (!namep)
1998                         return -ENOMEM;
1999                 *name = namep;
2000         }
2001
2002         if (value && len) {
2003                 rc = security_sid_to_context(newsid, &context, &clen);
2004                 if (rc) {
2005                         kfree(namep);
2006                         return rc;
2007                 }
2008                 *value = context;
2009                 *len = clen;
2010         }
2011
2012         return 0;
2013 }
2014
2015 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2016 {
2017         return may_create(dir, dentry, SECCLASS_FILE);
2018 }
2019
2020 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2021 {
2022         int rc;
2023
2024         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2025         if (rc)
2026                 return rc;
2027         return may_link(dir, old_dentry, MAY_LINK);
2028 }
2029
2030 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2031 {
2032         int rc;
2033
2034         rc = secondary_ops->inode_unlink(dir, dentry);
2035         if (rc)
2036                 return rc;
2037         return may_link(dir, dentry, MAY_UNLINK);
2038 }
2039
2040 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2041 {
2042         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2043 }
2044
2045 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2046 {
2047         return may_create(dir, dentry, SECCLASS_DIR);
2048 }
2049
2050 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2051 {
2052         return may_link(dir, dentry, MAY_RMDIR);
2053 }
2054
2055 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2056 {
2057         int rc;
2058
2059         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2060         if (rc)
2061                 return rc;
2062
2063         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2064 }
2065
2066 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2067                                 struct inode *new_inode, struct dentry *new_dentry)
2068 {
2069         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2070 }
2071
2072 static int selinux_inode_readlink(struct dentry *dentry)
2073 {
2074         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2075 }
2076
2077 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2078 {
2079         int rc;
2080
2081         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2082         if (rc)
2083                 return rc;
2084         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2085 }
2086
2087 static int selinux_inode_permission(struct inode *inode, int mask,
2088                                     struct nameidata *nd)
2089 {
2090         int rc;
2091
2092         rc = secondary_ops->inode_permission(inode, mask, nd);
2093         if (rc)
2094                 return rc;
2095
2096         if (!mask) {
2097                 /* No permission to check.  Existence test. */
2098                 return 0;
2099         }
2100
2101         return inode_has_perm(current, inode,
2102                                file_mask_to_av(inode->i_mode, mask), NULL);
2103 }
2104
2105 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2106 {
2107         int rc;
2108
2109         rc = secondary_ops->inode_setattr(dentry, iattr);
2110         if (rc)
2111                 return rc;
2112
2113         if (iattr->ia_valid & ATTR_FORCE)
2114                 return 0;
2115
2116         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2117                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2118                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2119
2120         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2121 }
2122
2123 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2124 {
2125         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2126 }
2127
2128 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2129 {
2130         struct task_security_struct *tsec = current->security;
2131         struct inode *inode = dentry->d_inode;
2132         struct inode_security_struct *isec = inode->i_security;
2133         struct superblock_security_struct *sbsec;
2134         struct avc_audit_data ad;
2135         u32 newsid;
2136         int rc = 0;
2137
2138         if (strcmp(name, XATTR_NAME_SELINUX)) {
2139                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2140                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2141                     !capable(CAP_SYS_ADMIN)) {
2142                         /* A different attribute in the security namespace.
2143                            Restrict to administrator. */
2144                         return -EPERM;
2145                 }
2146
2147                 /* Not an attribute we recognize, so just check the
2148                    ordinary setattr permission. */
2149                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2150         }
2151
2152         sbsec = inode->i_sb->s_security;
2153         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2154                 return -EOPNOTSUPP;
2155
2156         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2157                 return -EPERM;
2158
2159         AVC_AUDIT_DATA_INIT(&ad,FS);
2160         ad.u.fs.dentry = dentry;
2161
2162         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2163                           FILE__RELABELFROM, &ad);
2164         if (rc)
2165                 return rc;
2166
2167         rc = security_context_to_sid(value, size, &newsid);
2168         if (rc)
2169                 return rc;
2170
2171         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2172                           FILE__RELABELTO, &ad);
2173         if (rc)
2174                 return rc;
2175
2176         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2177                                           isec->sclass);
2178         if (rc)
2179                 return rc;
2180
2181         return avc_has_perm(newsid,
2182                             sbsec->sid,
2183                             SECCLASS_FILESYSTEM,
2184                             FILESYSTEM__ASSOCIATE,
2185                             &ad);
2186 }
2187
2188 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2189                                         void *value, size_t size, int flags)
2190 {
2191         struct inode *inode = dentry->d_inode;
2192         struct inode_security_struct *isec = inode->i_security;
2193         u32 newsid;
2194         int rc;
2195
2196         if (strcmp(name, XATTR_NAME_SELINUX)) {
2197                 /* Not an attribute we recognize, so nothing to do. */
2198                 return;
2199         }
2200
2201         rc = security_context_to_sid(value, size, &newsid);
2202         if (rc) {
2203                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2204                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2205                 return;
2206         }
2207
2208         isec->sid = newsid;
2209         return;
2210 }
2211
2212 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2213 {
2214         struct inode *inode = dentry->d_inode;
2215         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2216
2217         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2218                 return -EOPNOTSUPP;
2219
2220         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2221 }
2222
2223 static int selinux_inode_listxattr (struct dentry *dentry)
2224 {
2225         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2226 }
2227
2228 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2229 {
2230         if (strcmp(name, XATTR_NAME_SELINUX)) {
2231                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2232                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2233                     !capable(CAP_SYS_ADMIN)) {
2234                         /* A different attribute in the security namespace.
2235                            Restrict to administrator. */
2236                         return -EPERM;
2237                 }
2238
2239                 /* Not an attribute we recognize, so just check the
2240                    ordinary setattr permission. Might want a separate
2241                    permission for removexattr. */
2242                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2243         }
2244
2245         /* No one is allowed to remove a SELinux security label.
2246            You can change the label, but all data must be labeled. */
2247         return -EACCES;
2248 }
2249
2250 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2251 {
2252         struct inode_security_struct *isec = inode->i_security;
2253         char *context;
2254         unsigned len;
2255         int rc;
2256
2257         /* Permission check handled by selinux_inode_getxattr hook.*/
2258
2259         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2260                 return -EOPNOTSUPP;
2261
2262         rc = security_sid_to_context(isec->sid, &context, &len);
2263         if (rc)
2264                 return rc;
2265
2266         if (!buffer || !size) {
2267                 kfree(context);
2268                 return len;
2269         }
2270         if (size < len) {
2271                 kfree(context);
2272                 return -ERANGE;
2273         }
2274         memcpy(buffer, context, len);
2275         kfree(context);
2276         return len;
2277 }
2278
2279 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2280                                      const void *value, size_t size, int flags)
2281 {
2282         struct inode_security_struct *isec = inode->i_security;
2283         u32 newsid;
2284         int rc;
2285
2286         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2287                 return -EOPNOTSUPP;
2288
2289         if (!value || !size)
2290                 return -EACCES;
2291
2292         rc = security_context_to_sid((void*)value, size, &newsid);
2293         if (rc)
2294                 return rc;
2295
2296         isec->sid = newsid;
2297         return 0;
2298 }
2299
2300 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2301 {
2302         const int len = sizeof(XATTR_NAME_SELINUX);
2303         if (buffer && len <= buffer_size)
2304                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2305         return len;
2306 }
2307
2308 /* file security operations */
2309
2310 static int selinux_file_permission(struct file *file, int mask)
2311 {
2312         struct inode *inode = file->f_dentry->d_inode;
2313
2314         if (!mask) {
2315                 /* No permission to check.  Existence test. */
2316                 return 0;
2317         }
2318
2319         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2320         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2321                 mask |= MAY_APPEND;
2322
2323         return file_has_perm(current, file,
2324                              file_mask_to_av(inode->i_mode, mask));
2325 }
2326
2327 static int selinux_file_alloc_security(struct file *file)
2328 {
2329         return file_alloc_security(file);
2330 }
2331
2332 static void selinux_file_free_security(struct file *file)
2333 {
2334         file_free_security(file);
2335 }
2336
2337 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2338                               unsigned long arg)
2339 {
2340         int error = 0;
2341
2342         switch (cmd) {
2343                 case FIONREAD:
2344                 /* fall through */
2345                 case FIBMAP:
2346                 /* fall through */
2347                 case FIGETBSZ:
2348                 /* fall through */
2349                 case EXT2_IOC_GETFLAGS:
2350                 /* fall through */
2351                 case EXT2_IOC_GETVERSION:
2352                         error = file_has_perm(current, file, FILE__GETATTR);
2353                         break;
2354
2355                 case EXT2_IOC_SETFLAGS:
2356                 /* fall through */
2357                 case EXT2_IOC_SETVERSION:
2358                         error = file_has_perm(current, file, FILE__SETATTR);
2359                         break;
2360
2361                 /* sys_ioctl() checks */
2362                 case FIONBIO:
2363                 /* fall through */
2364                 case FIOASYNC:
2365                         error = file_has_perm(current, file, 0);
2366                         break;
2367
2368                 case KDSKBENT:
2369                 case KDSKBSENT:
2370                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2371                         break;
2372
2373                 /* default case assumes that the command will go
2374                  * to the file's ioctl() function.
2375                  */
2376                 default:
2377                         error = file_has_perm(current, file, FILE__IOCTL);
2378
2379         }
2380         return error;
2381 }
2382
2383 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2384 {
2385 #ifndef CONFIG_PPC32
2386         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2387                 /*
2388                  * We are making executable an anonymous mapping or a
2389                  * private file mapping that will also be writable.
2390                  * This has an additional check.
2391                  */
2392                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2393                 if (rc)
2394                         return rc;
2395         }
2396 #endif
2397
2398         if (file) {
2399                 /* read access is always possible with a mapping */
2400                 u32 av = FILE__READ;
2401
2402                 /* write access only matters if the mapping is shared */
2403                 if (shared && (prot & PROT_WRITE))
2404                         av |= FILE__WRITE;
2405
2406                 if (prot & PROT_EXEC)
2407                         av |= FILE__EXECUTE;
2408
2409                 return file_has_perm(current, file, av);
2410         }
2411         return 0;
2412 }
2413
2414 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2415                              unsigned long prot, unsigned long flags)
2416 {
2417         int rc;
2418
2419         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2420         if (rc)
2421                 return rc;
2422
2423         if (selinux_checkreqprot)
2424                 prot = reqprot;
2425
2426         return file_map_prot_check(file, prot,
2427                                    (flags & MAP_TYPE) == MAP_SHARED);
2428 }
2429
2430 static int selinux_file_mprotect(struct vm_area_struct *vma,
2431                                  unsigned long reqprot,
2432                                  unsigned long prot)
2433 {
2434         int rc;
2435
2436         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2437         if (rc)
2438                 return rc;
2439
2440         if (selinux_checkreqprot)
2441                 prot = reqprot;
2442
2443 #ifndef CONFIG_PPC32
2444         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2445            (vma->vm_start >= vma->vm_mm->start_brk &&
2446             vma->vm_end <= vma->vm_mm->brk)) {
2447                 /*
2448                  * We are making an executable mapping in the brk region.
2449                  * This has an additional execheap check.
2450                  */
2451                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2452                 if (rc)
2453                         return rc;
2454         }
2455         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2456                 /*
2457                  * We are making executable a file mapping that has
2458                  * had some COW done. Since pages might have been written,
2459                  * check ability to execute the possibly modified content.
2460                  * This typically should only occur for text relocations.
2461                  */
2462                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2463                 if (rc)
2464                         return rc;
2465         }
2466         if (!vma->vm_file && (prot & PROT_EXEC) &&
2467                 vma->vm_start <= vma->vm_mm->start_stack &&
2468                 vma->vm_end >= vma->vm_mm->start_stack) {
2469                 /* Attempt to make the process stack executable.
2470                  * This has an additional execstack check.
2471                  */
2472                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2473                 if (rc)
2474                         return rc;
2475         }
2476 #endif
2477
2478         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2479 }
2480
2481 static int selinux_file_lock(struct file *file, unsigned int cmd)
2482 {
2483         return file_has_perm(current, file, FILE__LOCK);
2484 }
2485
2486 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2487                               unsigned long arg)
2488 {
2489         int err = 0;
2490
2491         switch (cmd) {
2492                 case F_SETFL:
2493                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2494                                 err = -EINVAL;
2495                                 break;
2496                         }
2497
2498                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2499                                 err = file_has_perm(current, file,FILE__WRITE);
2500                                 break;
2501                         }
2502                         /* fall through */
2503                 case F_SETOWN:
2504                 case F_SETSIG:
2505                 case F_GETFL:
2506                 case F_GETOWN:
2507                 case F_GETSIG:
2508                         /* Just check FD__USE permission */
2509                         err = file_has_perm(current, file, 0);
2510                         break;
2511                 case F_GETLK:
2512                 case F_SETLK:
2513                 case F_SETLKW:
2514 #if BITS_PER_LONG == 32
2515                 case F_GETLK64:
2516                 case F_SETLK64:
2517                 case F_SETLKW64:
2518 #endif
2519                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2520                                 err = -EINVAL;
2521                                 break;
2522                         }
2523                         err = file_has_perm(current, file, FILE__LOCK);
2524                         break;
2525         }
2526
2527         return err;
2528 }
2529
2530 static int selinux_file_set_fowner(struct file *file)
2531 {
2532         struct task_security_struct *tsec;
2533         struct file_security_struct *fsec;
2534
2535         tsec = current->security;
2536         fsec = file->f_security;
2537         fsec->fown_sid = tsec->sid;
2538
2539         return 0;
2540 }
2541
2542 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2543                                        struct fown_struct *fown, int signum)
2544 {
2545         struct file *file;
2546         u32 perm;
2547         struct task_security_struct *tsec;
2548         struct file_security_struct *fsec;
2549
2550         /* struct fown_struct is never outside the context of a struct file */
2551         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2552
2553         tsec = tsk->security;
2554         fsec = file->f_security;
2555
2556         if (!signum)
2557                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2558         else
2559                 perm = signal_to_av(signum);
2560
2561         return avc_has_perm(fsec->fown_sid, tsec->sid,
2562                             SECCLASS_PROCESS, perm, NULL);
2563 }
2564
2565 static int selinux_file_receive(struct file *file)
2566 {
2567         return file_has_perm(current, file, file_to_av(file));
2568 }
2569
2570 /* task security operations */
2571
2572 static int selinux_task_create(unsigned long clone_flags)
2573 {
2574         int rc;
2575
2576         rc = secondary_ops->task_create(clone_flags);
2577         if (rc)
2578                 return rc;
2579
2580         return task_has_perm(current, current, PROCESS__FORK);
2581 }
2582
2583 static int selinux_task_alloc_security(struct task_struct *tsk)
2584 {
2585         struct task_security_struct *tsec1, *tsec2;
2586         int rc;
2587
2588         tsec1 = current->security;
2589
2590         rc = task_alloc_security(tsk);
2591         if (rc)
2592                 return rc;
2593         tsec2 = tsk->security;
2594
2595         tsec2->osid = tsec1->osid;
2596         tsec2->sid = tsec1->sid;
2597
2598         /* Retain the exec and create SIDs across fork */
2599         tsec2->exec_sid = tsec1->exec_sid;
2600         tsec2->create_sid = tsec1->create_sid;
2601
2602         /* Retain ptracer SID across fork, if any.
2603            This will be reset by the ptrace hook upon any
2604            subsequent ptrace_attach operations. */
2605         tsec2->ptrace_sid = tsec1->ptrace_sid;
2606
2607         return 0;
2608 }
2609
2610 static void selinux_task_free_security(struct task_struct *tsk)
2611 {
2612         task_free_security(tsk);
2613 }
2614
2615 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2616 {
2617         /* Since setuid only affects the current process, and
2618            since the SELinux controls are not based on the Linux
2619            identity attributes, SELinux does not need to control
2620            this operation.  However, SELinux does control the use
2621            of the CAP_SETUID and CAP_SETGID capabilities using the
2622            capable hook. */
2623         return 0;
2624 }
2625
2626 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2627 {
2628         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2629 }
2630
2631 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2632 {
2633         /* See the comment for setuid above. */
2634         return 0;
2635 }
2636
2637 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2638 {
2639         return task_has_perm(current, p, PROCESS__SETPGID);
2640 }
2641
2642 static int selinux_task_getpgid(struct task_struct *p)
2643 {
2644         return task_has_perm(current, p, PROCESS__GETPGID);
2645 }
2646
2647 static int selinux_task_getsid(struct task_struct *p)
2648 {
2649         return task_has_perm(current, p, PROCESS__GETSESSION);
2650 }
2651
2652 static int selinux_task_setgroups(struct group_info *group_info)
2653 {
2654         /* See the comment for setuid above. */
2655         return 0;
2656 }
2657
2658 static int selinux_task_setnice(struct task_struct *p, int nice)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->task_setnice(p, nice);
2663         if (rc)
2664                 return rc;
2665
2666         return task_has_perm(current,p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2670 {
2671         struct rlimit *old_rlim = current->signal->rlim + resource;
2672         int rc;
2673
2674         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2675         if (rc)
2676                 return rc;
2677
2678         /* Control the ability to change the hard limit (whether
2679            lowering or raising it), so that the hard limit can
2680            later be used as a safe reset point for the soft limit
2681            upon context transitions. See selinux_bprm_apply_creds. */
2682         if (old_rlim->rlim_max != new_rlim->rlim_max)
2683                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2684
2685         return 0;
2686 }
2687
2688 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2689 {
2690         return task_has_perm(current, p, PROCESS__SETSCHED);
2691 }
2692
2693 static int selinux_task_getscheduler(struct task_struct *p)
2694 {
2695         return task_has_perm(current, p, PROCESS__GETSCHED);
2696 }
2697
2698 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2699 {
2700         u32 perm;
2701         int rc;
2702
2703         rc = secondary_ops->task_kill(p, info, sig);
2704         if (rc)
2705                 return rc;
2706
2707         if (info && ((unsigned long)info == 1 ||
2708                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2709                 return 0;
2710
2711         if (!sig)
2712                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2713         else
2714                 perm = signal_to_av(sig);
2715
2716         return task_has_perm(current, p, perm);
2717 }
2718
2719 static int selinux_task_prctl(int option,
2720                               unsigned long arg2,
2721                               unsigned long arg3,
2722                               unsigned long arg4,
2723                               unsigned long arg5)
2724 {
2725         /* The current prctl operations do not appear to require
2726            any SELinux controls since they merely observe or modify
2727            the state of the current process. */
2728         return 0;
2729 }
2730
2731 static int selinux_task_wait(struct task_struct *p)
2732 {
2733         u32 perm;
2734
2735         perm = signal_to_av(p->exit_signal);
2736
2737         return task_has_perm(p, current, perm);
2738 }
2739
2740 static void selinux_task_reparent_to_init(struct task_struct *p)
2741 {
2742         struct task_security_struct *tsec;
2743
2744         secondary_ops->task_reparent_to_init(p);
2745
2746         tsec = p->security;
2747         tsec->osid = tsec->sid;
2748         tsec->sid = SECINITSID_KERNEL;
2749         return;
2750 }
2751
2752 static void selinux_task_to_inode(struct task_struct *p,
2753                                   struct inode *inode)
2754 {
2755         struct task_security_struct *tsec = p->security;
2756         struct inode_security_struct *isec = inode->i_security;
2757
2758         isec->sid = tsec->sid;
2759         isec->initialized = 1;
2760         return;
2761 }
2762
2763 #ifdef CONFIG_SECURITY_NETWORK
2764
2765 /* Returns error only if unable to parse addresses */
2766 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2767 {
2768         int offset, ihlen, ret = -EINVAL;
2769         struct iphdr _iph, *ih;
2770
2771         offset = skb->nh.raw - skb->data;
2772         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2773         if (ih == NULL)
2774                 goto out;
2775
2776         ihlen = ih->ihl * 4;
2777         if (ihlen < sizeof(_iph))
2778                 goto out;
2779
2780         ad->u.net.v4info.saddr = ih->saddr;
2781         ad->u.net.v4info.daddr = ih->daddr;
2782         ret = 0;
2783
2784         switch (ih->protocol) {
2785         case IPPROTO_TCP: {
2786                 struct tcphdr _tcph, *th;
2787
2788                 if (ntohs(ih->frag_off) & IP_OFFSET)
2789                         break;
2790
2791                 offset += ihlen;
2792                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2793                 if (th == NULL)
2794                         break;
2795
2796                 ad->u.net.sport = th->source;
2797                 ad->u.net.dport = th->dest;
2798                 break;
2799         }
2800         
2801         case IPPROTO_UDP: {
2802                 struct udphdr _udph, *uh;
2803                 
2804                 if (ntohs(ih->frag_off) & IP_OFFSET)
2805                         break;
2806                         
2807                 offset += ihlen;
2808                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2809                 if (uh == NULL)
2810                         break;  
2811
2812                 ad->u.net.sport = uh->source;
2813                 ad->u.net.dport = uh->dest;
2814                 break;
2815         }
2816
2817         default:
2818                 break;
2819         }
2820 out:
2821         return ret;
2822 }
2823
2824 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2825
2826 /* Returns error only if unable to parse addresses */
2827 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2828 {
2829         u8 nexthdr;
2830         int ret = -EINVAL, offset;
2831         struct ipv6hdr _ipv6h, *ip6;
2832
2833         offset = skb->nh.raw - skb->data;
2834         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2835         if (ip6 == NULL)
2836                 goto out;
2837
2838         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2839         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2840         ret = 0;
2841
2842         nexthdr = ip6->nexthdr;
2843         offset += sizeof(_ipv6h);
2844         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2845         if (offset < 0)
2846                 goto out;
2847
2848         switch (nexthdr) {
2849         case IPPROTO_TCP: {
2850                 struct tcphdr _tcph, *th;
2851
2852                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2853                 if (th == NULL)
2854                         break;
2855
2856                 ad->u.net.sport = th->source;
2857                 ad->u.net.dport = th->dest;
2858                 break;
2859         }
2860
2861         case IPPROTO_UDP: {
2862                 struct udphdr _udph, *uh;
2863
2864                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2865                 if (uh == NULL)
2866                         break;
2867
2868                 ad->u.net.sport = uh->source;
2869                 ad->u.net.dport = uh->dest;
2870                 break;
2871         }
2872
2873         /* includes fragments */
2874         default:
2875                 break;
2876         }
2877 out:
2878         return ret;
2879 }
2880
2881 #endif /* IPV6 */
2882
2883 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2884                              char **addrp, int *len, int src)
2885 {
2886         int ret = 0;
2887
2888         switch (ad->u.net.family) {
2889         case PF_INET:
2890                 ret = selinux_parse_skb_ipv4(skb, ad);
2891                 if (ret || !addrp)
2892                         break;
2893                 *len = 4;
2894                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2895                                         &ad->u.net.v4info.daddr);
2896                 break;
2897
2898 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2899         case PF_INET6:
2900                 ret = selinux_parse_skb_ipv6(skb, ad);
2901                 if (ret || !addrp)
2902                         break;
2903                 *len = 16;
2904                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2905                                         &ad->u.net.v6info.daddr);
2906                 break;
2907 #endif  /* IPV6 */
2908         default:
2909                 break;
2910         }
2911
2912         return ret;
2913 }
2914
2915 /* socket security operations */
2916 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2917                            u32 perms)
2918 {
2919         struct inode_security_struct *isec;
2920         struct task_security_struct *tsec;
2921         struct avc_audit_data ad;
2922         int err = 0;
2923
2924         tsec = task->security;
2925         isec = SOCK_INODE(sock)->i_security;
2926
2927         if (isec->sid == SECINITSID_KERNEL)
2928                 goto out;
2929
2930         AVC_AUDIT_DATA_INIT(&ad,NET);
2931         ad.u.net.sk = sock->sk;
2932         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2933
2934 out:
2935         return err;
2936 }
2937
2938 static int selinux_socket_create(int family, int type,
2939                                  int protocol, int kern)
2940 {
2941         int err = 0;
2942         struct task_security_struct *tsec;
2943
2944         if (kern)
2945                 goto out;
2946
2947         tsec = current->security;
2948         err = avc_has_perm(tsec->sid, tsec->sid,
2949                            socket_type_to_security_class(family, type,
2950                            protocol), SOCKET__CREATE, NULL);
2951
2952 out:
2953         return err;
2954 }
2955
2956 static void selinux_socket_post_create(struct socket *sock, int family,
2957                                        int type, int protocol, int kern)
2958 {
2959         struct inode_security_struct *isec;
2960         struct task_security_struct *tsec;
2961
2962         isec = SOCK_INODE(sock)->i_security;
2963
2964         tsec = current->security;
2965         isec->sclass = socket_type_to_security_class(family, type, protocol);
2966         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2967         isec->initialized = 1;
2968
2969         return;
2970 }
2971
2972 /* Range of port numbers used to automatically bind.
2973    Need to determine whether we should perform a name_bind
2974    permission check between the socket and the port number. */
2975 #define ip_local_port_range_0 sysctl_local_port_range[0]
2976 #define ip_local_port_range_1 sysctl_local_port_range[1]
2977
2978 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2979 {
2980         u16 family;
2981         int err;
2982
2983         err = socket_has_perm(current, sock, SOCKET__BIND);
2984         if (err)
2985                 goto out;
2986
2987         /*
2988          * If PF_INET or PF_INET6, check name_bind permission for the port.
2989          * Multiple address binding for SCTP is not supported yet: we just
2990          * check the first address now.
2991          */
2992         family = sock->sk->sk_family;
2993         if (family == PF_INET || family == PF_INET6) {
2994                 char *addrp;
2995                 struct inode_security_struct *isec;
2996                 struct task_security_struct *tsec;
2997                 struct avc_audit_data ad;
2998                 struct sockaddr_in *addr4 = NULL;
2999                 struct sockaddr_in6 *addr6 = NULL;
3000                 unsigned short snum;
3001                 struct sock *sk = sock->sk;
3002                 u32 sid, node_perm, addrlen;
3003
3004                 tsec = current->security;
3005                 isec = SOCK_INODE(sock)->i_security;
3006
3007                 if (family == PF_INET) {
3008                         addr4 = (struct sockaddr_in *)address;
3009                         snum = ntohs(addr4->sin_port);
3010                         addrlen = sizeof(addr4->sin_addr.s_addr);
3011                         addrp = (char *)&addr4->sin_addr.s_addr;
3012                 } else {
3013                         addr6 = (struct sockaddr_in6 *)address;
3014                         snum = ntohs(addr6->sin6_port);
3015                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3016                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3017                 }
3018
3019                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3020                            snum > ip_local_port_range_1)) {
3021                         err = security_port_sid(sk->sk_family, sk->sk_type,
3022                                                 sk->sk_protocol, snum, &sid);
3023                         if (err)
3024                                 goto out;
3025                         AVC_AUDIT_DATA_INIT(&ad,NET);
3026                         ad.u.net.sport = htons(snum);
3027                         ad.u.net.family = family;
3028                         err = avc_has_perm(isec->sid, sid,
3029                                            isec->sclass,
3030                                            SOCKET__NAME_BIND, &ad);
3031                         if (err)
3032                                 goto out;
3033                 }
3034                 
3035                 switch(isec->sclass) {
3036                 case SECCLASS_TCP_SOCKET:
3037                         node_perm = TCP_SOCKET__NODE_BIND;
3038                         break;
3039                         
3040                 case SECCLASS_UDP_SOCKET:
3041                         node_perm = UDP_SOCKET__NODE_BIND;
3042                         break;
3043                         
3044                 default:
3045                         node_perm = RAWIP_SOCKET__NODE_BIND;
3046                         break;
3047                 }
3048                 
3049                 err = security_node_sid(family, addrp, addrlen, &sid);
3050                 if (err)
3051                         goto out;
3052                 
3053                 AVC_AUDIT_DATA_INIT(&ad,NET);
3054                 ad.u.net.sport = htons(snum);
3055                 ad.u.net.family = family;
3056
3057                 if (family == PF_INET)
3058                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3059                 else
3060                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3061
3062                 err = avc_has_perm(isec->sid, sid,
3063                                    isec->sclass, node_perm, &ad);
3064                 if (err)
3065                         goto out;
3066         }
3067 out:
3068         return err;
3069 }
3070
3071 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3072 {
3073         struct inode_security_struct *isec;
3074         int err;
3075
3076         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3077         if (err)
3078                 return err;
3079
3080         /*
3081          * If a TCP socket, check name_connect permission for the port.
3082          */
3083         isec = SOCK_INODE(sock)->i_security;
3084         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3085                 struct sock *sk = sock->sk;
3086                 struct avc_audit_data ad;
3087                 struct sockaddr_in *addr4 = NULL;
3088                 struct sockaddr_in6 *addr6 = NULL;
3089                 unsigned short snum;
3090                 u32 sid;
3091
3092                 if (sk->sk_family == PF_INET) {
3093                         addr4 = (struct sockaddr_in *)address;
3094                         if (addrlen < sizeof(struct sockaddr_in))
3095                                 return -EINVAL;
3096                         snum = ntohs(addr4->sin_port);
3097                 } else {
3098                         addr6 = (struct sockaddr_in6 *)address;
3099                         if (addrlen < SIN6_LEN_RFC2133)
3100                                 return -EINVAL;
3101                         snum = ntohs(addr6->sin6_port);
3102                 }
3103
3104                 err = security_port_sid(sk->sk_family, sk->sk_type,
3105                                         sk->sk_protocol, snum, &sid);
3106                 if (err)
3107                         goto out;
3108
3109                 AVC_AUDIT_DATA_INIT(&ad,NET);
3110                 ad.u.net.dport = htons(snum);
3111                 ad.u.net.family = sk->sk_family;
3112                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3113                                    TCP_SOCKET__NAME_CONNECT, &ad);
3114                 if (err)
3115                         goto out;
3116         }
3117
3118 out:
3119         return err;
3120 }
3121
3122 static int selinux_socket_listen(struct socket *sock, int backlog)
3123 {
3124         return socket_has_perm(current, sock, SOCKET__LISTEN);
3125 }
3126
3127 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3128 {
3129         int err;
3130         struct inode_security_struct *isec;
3131         struct inode_security_struct *newisec;
3132
3133         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3134         if (err)
3135                 return err;
3136
3137         newisec = SOCK_INODE(newsock)->i_security;
3138
3139         isec = SOCK_INODE(sock)->i_security;
3140         newisec->sclass = isec->sclass;
3141         newisec->sid = isec->sid;
3142         newisec->initialized = 1;
3143
3144         return 0;
3145 }
3146
3147 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3148                                   int size)
3149 {
3150         return socket_has_perm(current, sock, SOCKET__WRITE);
3151 }
3152
3153 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3154                                   int size, int flags)
3155 {
3156         return socket_has_perm(current, sock, SOCKET__READ);
3157 }
3158
3159 static int selinux_socket_getsockname(struct socket *sock)
3160 {
3161         return socket_has_perm(current, sock, SOCKET__GETATTR);
3162 }
3163
3164 static int selinux_socket_getpeername(struct socket *sock)
3165 {
3166         return socket_has_perm(current, sock, SOCKET__GETATTR);
3167 }
3168
3169 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3170 {
3171         return socket_has_perm(current, sock, SOCKET__SETOPT);
3172 }
3173
3174 static int selinux_socket_getsockopt(struct socket *sock, int level,
3175                                      int optname)
3176 {
3177         return socket_has_perm(current, sock, SOCKET__GETOPT);
3178 }
3179
3180 static int selinux_socket_shutdown(struct socket *sock, int how)
3181 {
3182         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3183 }
3184
3185 static int selinux_socket_unix_stream_connect(struct socket *sock,
3186                                               struct socket *other,
3187                                               struct sock *newsk)
3188 {
3189         struct sk_security_struct *ssec;
3190         struct inode_security_struct *isec;
3191         struct inode_security_struct *other_isec;
3192         struct avc_audit_data ad;
3193         int err;
3194
3195         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3196         if (err)
3197                 return err;
3198
3199         isec = SOCK_INODE(sock)->i_security;
3200         other_isec = SOCK_INODE(other)->i_security;
3201
3202         AVC_AUDIT_DATA_INIT(&ad,NET);
3203         ad.u.net.sk = other->sk;
3204
3205         err = avc_has_perm(isec->sid, other_isec->sid,
3206                            isec->sclass,
3207                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3208         if (err)
3209                 return err;
3210
3211         /* connecting socket */
3212         ssec = sock->sk->sk_security;
3213         ssec->peer_sid = other_isec->sid;
3214         
3215         /* server child socket */
3216         ssec = newsk->sk_security;
3217         ssec->peer_sid = isec->sid;
3218         
3219         return 0;
3220 }
3221
3222 static int selinux_socket_unix_may_send(struct socket *sock,
3223                                         struct socket *other)
3224 {
3225         struct inode_security_struct *isec;
3226         struct inode_security_struct *other_isec;
3227         struct avc_audit_data ad;
3228         int err;
3229
3230         isec = SOCK_INODE(sock)->i_security;
3231         other_isec = SOCK_INODE(other)->i_security;
3232
3233         AVC_AUDIT_DATA_INIT(&ad,NET);
3234         ad.u.net.sk = other->sk;
3235
3236         err = avc_has_perm(isec->sid, other_isec->sid,
3237                            isec->sclass, SOCKET__SENDTO, &ad);
3238         if (err)
3239                 return err;
3240
3241         return 0;
3242 }
3243
3244 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3245 {
3246         u16 family;
3247         char *addrp;
3248         int len, err = 0;
3249         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3250         u32 sock_sid = 0;
3251         u16 sock_class = 0;
3252         struct socket *sock;
3253         struct net_device *dev;
3254         struct avc_audit_data ad;
3255
3256         family = sk->sk_family;
3257         if (family != PF_INET && family != PF_INET6)
3258                 goto out;
3259
3260         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3261         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3262                 family = PF_INET;
3263
3264         read_lock_bh(&sk->sk_callback_lock);
3265         sock = sk->sk_socket;
3266         if (sock) {
3267                 struct inode *inode;
3268                 inode = SOCK_INODE(sock);
3269                 if (inode) {
3270                         struct inode_security_struct *isec;
3271                         isec = inode->i_security;
3272                         sock_sid = isec->sid;
3273                         sock_class = isec->sclass;
3274                 }
3275         }
3276         read_unlock_bh(&sk->sk_callback_lock);
3277         if (!sock_sid)
3278                 goto out;
3279
3280         dev = skb->dev;
3281         if (!dev)
3282                 goto out;
3283
3284         err = sel_netif_sids(dev, &if_sid, NULL);
3285         if (err)
3286                 goto out;
3287
3288         switch (sock_class) {
3289         case SECCLASS_UDP_SOCKET:
3290                 netif_perm = NETIF__UDP_RECV;
3291                 node_perm = NODE__UDP_RECV;
3292                 recv_perm = UDP_SOCKET__RECV_MSG;
3293                 break;
3294         
3295         case SECCLASS_TCP_SOCKET:
3296                 netif_perm = NETIF__TCP_RECV;
3297                 node_perm = NODE__TCP_RECV;
3298                 recv_perm = TCP_SOCKET__RECV_MSG;
3299                 break;
3300         
3301         default:
3302                 netif_perm = NETIF__RAWIP_RECV;
3303                 node_perm = NODE__RAWIP_RECV;
3304                 break;
3305         }
3306
3307         AVC_AUDIT_DATA_INIT(&ad, NET);
3308         ad.u.net.netif = dev->name;
3309         ad.u.net.family = family;
3310
3311         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3312         if (err)
3313                 goto out;
3314
3315         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3316         if (err)
3317                 goto out;
3318         
3319         /* Fixme: this lookup is inefficient */
3320         err = security_node_sid(family, addrp, len, &node_sid);
3321         if (err)
3322                 goto out;
3323         
3324         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3325         if (err)
3326                 goto out;
3327
3328         if (recv_perm) {
3329                 u32 port_sid;
3330
3331                 /* Fixme: make this more efficient */
3332                 err = security_port_sid(sk->sk_family, sk->sk_type,
3333                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3334                                         &port_sid);
3335                 if (err)
3336                         goto out;
3337
3338                 err = avc_has_perm(sock_sid, port_sid,
3339                                    sock_class, recv_perm, &ad);
3340         }
3341 out:    
3342         return err;
3343 }
3344
3345 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3346                                      int __user *optlen, unsigned len)
3347 {
3348         int err = 0;
3349         char *scontext;
3350         u32 scontext_len;
3351         struct sk_security_struct *ssec;
3352         struct inode_security_struct *isec;
3353
3354         isec = SOCK_INODE(sock)->i_security;
3355         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3356                 err = -ENOPROTOOPT;
3357                 goto out;
3358         }
3359
3360         ssec = sock->sk->sk_security;
3361         
3362         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3363         if (err)
3364                 goto out;
3365
3366         if (scontext_len > len) {
3367                 err = -ERANGE;
3368                 goto out_len;
3369         }
3370
3371         if (copy_to_user(optval, scontext, scontext_len))
3372                 err = -EFAULT;
3373
3374 out_len:
3375         if (put_user(scontext_len, optlen))
3376                 err = -EFAULT;
3377
3378         kfree(scontext);
3379 out:    
3380         return err;
3381 }
3382
3383 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3384 {
3385         return sk_alloc_security(sk, family, priority);
3386 }
3387
3388 static void selinux_sk_free_security(struct sock *sk)
3389 {
3390         sk_free_security(sk);
3391 }
3392
3393 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3394 {
3395         int err = 0;
3396         u32 perm;
3397         struct nlmsghdr *nlh;
3398         struct socket *sock = sk->sk_socket;
3399         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3400         
3401         if (skb->len < NLMSG_SPACE(0)) {
3402                 err = -EINVAL;
3403                 goto out;
3404         }
3405         nlh = (struct nlmsghdr *)skb->data;
3406         
3407         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3408         if (err) {
3409                 if (err == -EINVAL) {
3410                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3411                                   "SELinux:  unrecognized netlink message"
3412                                   " type=%hu for sclass=%hu\n",
3413                                   nlh->nlmsg_type, isec->sclass);
3414                         if (!selinux_enforcing)
3415                                 err = 0;
3416                 }
3417
3418                 /* Ignore */
3419                 if (err == -ENOENT)
3420                         err = 0;
3421                 goto out;
3422         }
3423
3424         err = socket_has_perm(current, sock, perm);
3425 out:
3426         return err;
3427 }
3428
3429 #ifdef CONFIG_NETFILTER
3430
3431 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3432                                               struct sk_buff **pskb,
3433                                               const struct net_device *in,
3434                                               const struct net_device *out,
3435                                               int (*okfn)(struct sk_buff *),
3436                                               u16 family)
3437 {
3438         char *addrp;
3439         int len, err = NF_ACCEPT;
3440         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3441         struct sock *sk;
3442         struct socket *sock;
3443         struct inode *inode;
3444         struct sk_buff *skb = *pskb;
3445         struct inode_security_struct *isec;
3446         struct avc_audit_data ad;
3447         struct net_device *dev = (struct net_device *)out;
3448         
3449         sk = skb->sk;
3450         if (!sk)
3451                 goto out;
3452                 
3453         sock = sk->sk_socket;
3454         if (!sock)
3455                 goto out;
3456                 
3457         inode = SOCK_INODE(sock);
3458         if (!inode)
3459                 goto out;
3460
3461         err = sel_netif_sids(dev, &if_sid, NULL);
3462         if (err)
3463                 goto out;
3464
3465         isec = inode->i_security;
3466         
3467         switch (isec->sclass) {
3468         case SECCLASS_UDP_SOCKET:
3469                 netif_perm = NETIF__UDP_SEND;
3470                 node_perm = NODE__UDP_SEND;
3471                 send_perm = UDP_SOCKET__SEND_MSG;
3472                 break;
3473         
3474         case SECCLASS_TCP_SOCKET:
3475                 netif_perm = NETIF__TCP_SEND;
3476                 node_perm = NODE__TCP_SEND;
3477                 send_perm = TCP_SOCKET__SEND_MSG;
3478                 break;
3479         
3480         default:
3481                 netif_perm = NETIF__RAWIP_SEND;
3482                 node_perm = NODE__RAWIP_SEND;
3483                 break;
3484         }
3485
3486
3487         AVC_AUDIT_DATA_INIT(&ad, NET);
3488         ad.u.net.netif = dev->name;
3489         ad.u.net.family = family;
3490
3491         err = selinux_parse_skb(skb, &ad, &addrp,
3492                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3493         if (err != NF_ACCEPT)
3494                 goto out;
3495
3496         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3497                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3498         if (err != NF_ACCEPT)
3499                 goto out;
3500                 
3501         /* Fixme: this lookup is inefficient */
3502         err = security_node_sid(family, addrp, len,
3503                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3504         if (err != NF_ACCEPT)
3505                 goto out;
3506         
3507         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3508                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509         if (err != NF_ACCEPT)
3510                 goto out;
3511
3512         if (send_perm) {
3513                 u32 port_sid;
3514                 
3515                 /* Fixme: make this more efficient */
3516                 err = security_port_sid(sk->sk_family,
3517                                         sk->sk_type,
3518                                         sk->sk_protocol,
3519                                         ntohs(ad.u.net.dport),
3520                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3521                 if (err != NF_ACCEPT)
3522                         goto out;
3523
3524                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3525                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3526         }
3527
3528 out:
3529         return err;
3530 }
3531
3532 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3533                                                 struct sk_buff **pskb,
3534                                                 const struct net_device *in,
3535                                                 const struct net_device *out,
3536                                                 int (*okfn)(struct sk_buff *))
3537 {
3538         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3539 }
3540
3541 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3542
3543 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3544                                                 struct sk_buff **pskb,
3545                                                 const struct net_device *in,
3546                                                 const struct net_device *out,
3547                                                 int (*okfn)(struct sk_buff *))
3548 {
3549         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3550 }
3551
3552 #endif  /* IPV6 */
3553
3554 #endif  /* CONFIG_NETFILTER */
3555
3556 #else
3557
3558 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3559 {
3560         return 0;
3561 }
3562
3563 #endif  /* CONFIG_SECURITY_NETWORK */
3564
3565 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3566 {
3567         struct task_security_struct *tsec;
3568         struct av_decision avd;
3569         int err;
3570
3571         err = secondary_ops->netlink_send(sk, skb);
3572         if (err)
3573                 return err;
3574
3575         tsec = current->security;
3576
3577         avd.allowed = 0;
3578         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3579                                 SECCLASS_CAPABILITY, ~0, &avd);
3580         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3581
3582         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3583                 err = selinux_nlmsg_perm(sk, skb);
3584
3585         return err;
3586 }
3587
3588 static int selinux_netlink_recv(struct sk_buff *skb)
3589 {
3590         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3591                 return -EPERM;
3592         return 0;
3593 }
3594
3595 static int ipc_alloc_security(struct task_struct *task,
3596                               struct kern_ipc_perm *perm,
3597                               u16 sclass)
3598 {
3599         struct task_security_struct *tsec = task->security;
3600         struct ipc_security_struct *isec;
3601
3602         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3603         if (!isec)
3604                 return -ENOMEM;
3605
3606         memset(isec, 0, sizeof(struct ipc_security_struct));
3607         isec->magic = SELINUX_MAGIC;
3608         isec->sclass = sclass;
3609         isec->ipc_perm = perm;
3610         if (tsec) {
3611                 isec->sid = tsec->sid;
3612         } else {
3613                 isec->sid = SECINITSID_UNLABELED;
3614         }
3615         perm->security = isec;
3616
3617         return 0;
3618 }
3619
3620 static void ipc_free_security(struct kern_ipc_perm *perm)
3621 {
3622         struct ipc_security_struct *isec = perm->security;
3623         if (!isec || isec->magic != SELINUX_MAGIC)
3624                 return;
3625
3626         perm->security = NULL;
3627         kfree(isec);
3628 }
3629
3630 static int msg_msg_alloc_security(struct msg_msg *msg)
3631 {
3632         struct msg_security_struct *msec;
3633
3634         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3635         if (!msec)
3636                 return -ENOMEM;
3637
3638         memset(msec, 0, sizeof(struct msg_security_struct));
3639         msec->magic = SELINUX_MAGIC;
3640         msec->msg = msg;
3641         msec->sid = SECINITSID_UNLABELED;
3642         msg->security = msec;
3643
3644         return 0;
3645 }
3646
3647 static void msg_msg_free_security(struct msg_msg *msg)
3648 {
3649         struct msg_security_struct *msec = msg->security;
3650         if (!msec || msec->magic != SELINUX_MAGIC)
3651                 return;
3652
3653         msg->security = NULL;
3654         kfree(msec);
3655 }
3656
3657 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3658                         u32 perms)
3659 {
3660         struct task_security_struct *tsec;
3661         struct ipc_security_struct *isec;
3662         struct avc_audit_data ad;
3663
3664         tsec = current->security;
3665         isec = ipc_perms->security;
3666
3667         AVC_AUDIT_DATA_INIT(&ad, IPC);
3668         ad.u.ipc_id = ipc_perms->key;
3669
3670         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3671 }
3672
3673 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3674 {
3675         return msg_msg_alloc_security(msg);
3676 }
3677
3678 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3679 {
3680         msg_msg_free_security(msg);
3681 }
3682
3683 /* message queue security operations */
3684 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3685 {
3686         struct task_security_struct *tsec;
3687         struct ipc_security_struct *isec;
3688         struct avc_audit_data ad;
3689         int rc;
3690
3691         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3692         if (rc)
3693                 return rc;
3694
3695         tsec = current->security;
3696         isec = msq->q_perm.security;
3697
3698         AVC_AUDIT_DATA_INIT(&ad, IPC);
3699         ad.u.ipc_id = msq->q_perm.key;
3700
3701         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3702                           MSGQ__CREATE, &ad);
3703         if (rc) {
3704                 ipc_free_security(&msq->q_perm);
3705                 return rc;
3706         }
3707         return 0;
3708 }
3709
3710 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3711 {
3712         ipc_free_security(&msq->q_perm);
3713 }
3714
3715 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3716 {
3717         struct task_security_struct *tsec;
3718         struct ipc_security_struct *isec;
3719         struct avc_audit_data ad;
3720
3721         tsec = current->security;
3722         isec = msq->q_perm.security;
3723
3724         AVC_AUDIT_DATA_INIT(&ad, IPC);
3725         ad.u.ipc_id = msq->q_perm.key;
3726
3727         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3728                             MSGQ__ASSOCIATE, &ad);
3729 }
3730
3731 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3732 {
3733         int err;
3734         int perms;
3735
3736         switch(cmd) {
3737         case IPC_INFO:
3738         case MSG_INFO:
3739                 /* No specific object, just general system-wide information. */
3740                 return task_has_system(current, SYSTEM__IPC_INFO);
3741         case IPC_STAT:
3742         case MSG_STAT:
3743                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3744                 break;
3745         case IPC_SET:
3746                 perms = MSGQ__SETATTR;
3747                 break;
3748         case IPC_RMID:
3749                 perms = MSGQ__DESTROY;
3750                 break;
3751         default:
3752                 return 0;
3753         }
3754
3755         err = ipc_has_perm(&msq->q_perm, perms);
3756         return err;
3757 }
3758
3759 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3760 {
3761         struct task_security_struct *tsec;
3762         struct ipc_security_struct *isec;
3763         struct msg_security_struct *msec;
3764         struct avc_audit_data ad;
3765         int rc;
3766
3767         tsec = current->security;
3768         isec = msq->q_perm.security;
3769         msec = msg->security;
3770
3771         /*
3772          * First time through, need to assign label to the message
3773          */
3774         if (msec->sid == SECINITSID_UNLABELED) {
3775                 /*
3776                  * Compute new sid based on current process and
3777                  * message queue this message will be stored in
3778                  */
3779                 rc = security_transition_sid(tsec->sid,
3780                                              isec->sid,
3781                                              SECCLASS_MSG,
3782                                              &msec->sid);
3783                 if (rc)
3784                         return rc;
3785         }
3786
3787         AVC_AUDIT_DATA_INIT(&ad, IPC);
3788         ad.u.ipc_id = msq->q_perm.key;
3789
3790         /* Can this process write to the queue? */
3791         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3792                           MSGQ__WRITE, &ad);
3793         if (!rc)
3794                 /* Can this process send the message */
3795                 rc = avc_has_perm(tsec->sid, msec->sid,
3796                                   SECCLASS_MSG, MSG__SEND, &ad);
3797         if (!rc)
3798                 /* Can the message be put in the queue? */
3799                 rc = avc_has_perm(msec->sid, isec->sid,
3800                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3801
3802         return rc;
3803 }
3804
3805 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3806                                     struct task_struct *target,
3807                                     long type, int mode)
3808 {
3809         struct task_security_struct *tsec;
3810         struct ipc_security_struct *isec;
3811         struct msg_security_struct *msec;
3812         struct avc_audit_data ad;
3813         int rc;
3814
3815         tsec = target->security;
3816         isec = msq->q_perm.security;
3817         msec = msg->security;
3818
3819         AVC_AUDIT_DATA_INIT(&ad, IPC);
3820         ad.u.ipc_id = msq->q_perm.key;
3821
3822         rc = avc_has_perm(tsec->sid, isec->sid,
3823                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3824         if (!rc)
3825                 rc = avc_has_perm(tsec->sid, msec->sid,
3826                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3827         return rc;
3828 }
3829
3830 /* Shared Memory security operations */
3831 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3832 {
3833         struct task_security_struct *tsec;
3834         struct ipc_security_struct *isec;
3835         struct avc_audit_data ad;
3836         int rc;
3837
3838         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3839         if (rc)
3840                 return rc;
3841
3842         tsec = current->security;
3843         isec = shp->shm_perm.security;
3844
3845         AVC_AUDIT_DATA_INIT(&ad, IPC);
3846         ad.u.ipc_id = shp->shm_perm.key;
3847
3848         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3849                           SHM__CREATE, &ad);
3850         if (rc) {
3851                 ipc_free_security(&shp->shm_perm);
3852                 return rc;
3853         }
3854         return 0;
3855 }
3856