93c809a6e4fac5c1535650a2adb4d4811669c810
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
165         task->security = tsec;
166
167         return 0;
168 }
169
170 static void task_free_security(struct task_struct *task)
171 {
172         struct task_security_struct *tsec = task->security;
173         task->security = NULL;
174         kfree(tsec);
175 }
176
177 static int inode_alloc_security(struct inode *inode)
178 {
179         struct task_security_struct *tsec = current->security;
180         struct inode_security_struct *isec;
181
182         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
183         if (!isec)
184                 return -ENOMEM;
185
186         mutex_init(&isec->lock);
187         INIT_LIST_HEAD(&isec->list);
188         isec->inode = inode;
189         isec->sid = SECINITSID_UNLABELED;
190         isec->sclass = SECCLASS_FILE;
191         isec->task_sid = tsec->sid;
192         inode->i_security = isec;
193
194         return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec = inode->i_security;
200         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202         spin_lock(&sbsec->isec_lock);
203         if (!list_empty(&isec->list))
204                 list_del_init(&isec->list);
205         spin_unlock(&sbsec->isec_lock);
206
207         inode->i_security = NULL;
208         kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213         struct task_security_struct *tsec = current->security;
214         struct file_security_struct *fsec;
215
216         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217         if (!fsec)
218                 return -ENOMEM;
219
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         mutex_init(&sbsec->lock);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         ssec = kzalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         ssec->peer_sid = SECINITSID_UNLABELED;
277         ssec->sid = SECINITSID_UNLABELED;
278         sk->sk_security = ssec;
279
280         selinux_netlbl_sk_security_reset(ssec, family);
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         sk->sk_security = NULL;
290         kfree(ssec);
291 }
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_error = -1,
317         Opt_context = 1,
318         Opt_fscontext = 2,
319         Opt_defcontext = 3,
320         Opt_rootcontext = 4,
321 };
322
323 static match_table_t tokens = {
324         {Opt_context, CONTEXT_STR "%s"},
325         {Opt_fscontext, FSCONTEXT_STR "%s"},
326         {Opt_defcontext, DEFCONTEXT_STR "%s"},
327         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
328         {Opt_error, NULL},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334                         struct superblock_security_struct *sbsec,
335                         struct task_security_struct *tsec)
336 {
337         int rc;
338
339         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340                           FILESYSTEM__RELABELFROM, NULL);
341         if (rc)
342                 return rc;
343
344         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELTO, NULL);
346         return rc;
347 }
348
349 static int may_context_mount_inode_relabel(u32 sid,
350                         struct superblock_security_struct *sbsec,
351                         struct task_security_struct *tsec)
352 {
353         int rc;
354         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355                           FILESYSTEM__RELABELFROM, NULL);
356         if (rc)
357                 return rc;
358
359         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__ASSOCIATE, NULL);
361         return rc;
362 }
363
364 static int sb_finish_set_opts(struct super_block *sb)
365 {
366         struct superblock_security_struct *sbsec = sb->s_security;
367         struct dentry *root = sb->s_root;
368         struct inode *root_inode = root->d_inode;
369         int rc = 0;
370
371         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372                 /* Make sure that the xattr handler exists and that no
373                    error other than -ENODATA is returned by getxattr on
374                    the root directory.  -ENODATA is ok, as this may be
375                    the first boot of the SELinux kernel before we have
376                    assigned xattr values to the filesystem. */
377                 if (!root_inode->i_op->getxattr) {
378                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379                                "xattr support\n", sb->s_id, sb->s_type->name);
380                         rc = -EOPNOTSUPP;
381                         goto out;
382                 }
383                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384                 if (rc < 0 && rc != -ENODATA) {
385                         if (rc == -EOPNOTSUPP)
386                                 printk(KERN_WARNING "SELinux: (dev %s, type "
387                                        "%s) has no security xattr handler\n",
388                                        sb->s_id, sb->s_type->name);
389                         else
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) getxattr errno %d\n", sb->s_id,
392                                        sb->s_type->name, -rc);
393                         goto out;
394                 }
395         }
396
397         sbsec->initialized = 1;
398
399         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401                        sb->s_id, sb->s_type->name);
402         else
403                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404                        sb->s_id, sb->s_type->name,
405                        labeling_behaviors[sbsec->behavior-1]);
406
407         /* Initialize the root inode. */
408         rc = inode_doinit_with_dentry(root_inode, root);
409
410         /* Initialize any other inodes associated with the superblock, e.g.
411            inodes created prior to initial policy load or inodes created
412            during get_sb by a pseudo filesystem that directly
413            populates itself. */
414         spin_lock(&sbsec->isec_lock);
415 next_inode:
416         if (!list_empty(&sbsec->isec_head)) {
417                 struct inode_security_struct *isec =
418                                 list_entry(sbsec->isec_head.next,
419                                            struct inode_security_struct, list);
420                 struct inode *inode = isec->inode;
421                 spin_unlock(&sbsec->isec_lock);
422                 inode = igrab(inode);
423                 if (inode) {
424                         if (!IS_PRIVATE(inode))
425                                 inode_doinit(inode);
426                         iput(inode);
427                 }
428                 spin_lock(&sbsec->isec_lock);
429                 list_del_init(&isec->list);
430                 goto next_inode;
431         }
432         spin_unlock(&sbsec->isec_lock);
433 out:
434         return rc;
435 }
436
437 /*
438  * This function should allow an FS to ask what it's mount security
439  * options were so it can use those later for submounts, displaying
440  * mount options, or whatever.
441  */
442 static int selinux_get_mnt_opts(const struct super_block *sb,
443                                 struct security_mnt_opts *opts)
444 {
445         int rc = 0, i;
446         struct superblock_security_struct *sbsec = sb->s_security;
447         char *context = NULL;
448         u32 len;
449         char tmp;
450
451         security_init_mnt_opts(opts);
452
453         if (!sbsec->initialized)
454                 return -EINVAL;
455
456         if (!ss_initialized)
457                 return -EINVAL;
458
459         /*
460          * if we ever use sbsec flags for anything other than tracking mount
461          * settings this is going to need a mask
462          */
463         tmp = sbsec->flags;
464         /* count the number of mount options for this sb */
465         for (i = 0; i < 8; i++) {
466                 if (tmp & 0x01)
467                         opts->num_mnt_opts++;
468                 tmp >>= 1;
469         }
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515
516         BUG_ON(i != opts->num_mnt_opts);
517
518         return 0;
519
520 out_free:
521         security_free_mnt_opts(opts);
522         return rc;
523 }
524
525 static int bad_option(struct superblock_security_struct *sbsec, char flag,
526                       u32 old_sid, u32 new_sid)
527 {
528         /* check if the old mount command had the same options */
529         if (sbsec->initialized)
530                 if (!(sbsec->flags & flag) ||
531                     (old_sid != new_sid))
532                         return 1;
533
534         /* check if we were passed the same options twice,
535          * aka someone passed context=a,context=b
536          */
537         if (!sbsec->initialized)
538                 if (sbsec->flags & flag)
539                         return 1;
540         return 0;
541 }
542
543 /*
544  * Allow filesystems with binary mount data to explicitly set mount point
545  * labeling information.
546  */
547 static int selinux_set_mnt_opts(struct super_block *sb,
548                                 struct security_mnt_opts *opts)
549 {
550         int rc = 0, i;
551         struct task_security_struct *tsec = current->security;
552         struct superblock_security_struct *sbsec = sb->s_security;
553         const char *name = sb->s_type->name;
554         struct inode *inode = sbsec->sb->s_root->d_inode;
555         struct inode_security_struct *root_isec = inode->i_security;
556         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557         u32 defcontext_sid = 0;
558         char **mount_options = opts->mnt_opts;
559         int *flags = opts->mnt_opts_flags;
560         int num_opts = opts->num_mnt_opts;
561
562         mutex_lock(&sbsec->lock);
563
564         if (!ss_initialized) {
565                 if (!num_opts) {
566                         /* Defer initialization until selinux_complete_init,
567                            after the initial policy is loaded and the security
568                            server is ready to handle calls. */
569                         spin_lock(&sb_security_lock);
570                         if (list_empty(&sbsec->list))
571                                 list_add(&sbsec->list, &superblock_security_head);
572                         spin_unlock(&sb_security_lock);
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "Unable to set superblock options before "
577                        "the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603                 rc = security_context_to_sid(mount_options[i],
604                                              strlen(mount_options[i]), &sid);
605                 if (rc) {
606                         printk(KERN_WARNING "SELinux: security_context_to_sid"
607                                "(%s) failed for (dev %s, type %s) errno=%d\n",
608                                mount_options[i], sb->s_id, name, rc);
609                         goto out;
610                 }
611                 switch (flags[i]) {
612                 case FSCONTEXT_MNT:
613                         fscontext_sid = sid;
614
615                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616                                         fscontext_sid))
617                                 goto out_double_mount;
618
619                         sbsec->flags |= FSCONTEXT_MNT;
620                         break;
621                 case CONTEXT_MNT:
622                         context_sid = sid;
623
624                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625                                         context_sid))
626                                 goto out_double_mount;
627
628                         sbsec->flags |= CONTEXT_MNT;
629                         break;
630                 case ROOTCONTEXT_MNT:
631                         rootcontext_sid = sid;
632
633                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634                                         rootcontext_sid))
635                                 goto out_double_mount;
636
637                         sbsec->flags |= ROOTCONTEXT_MNT;
638
639                         break;
640                 case DEFCONTEXT_MNT:
641                         defcontext_sid = sid;
642
643                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644                                         defcontext_sid))
645                                 goto out_double_mount;
646
647                         sbsec->flags |= DEFCONTEXT_MNT;
648
649                         break;
650                 default:
651                         rc = -EINVAL;
652                         goto out;
653                 }
654         }
655
656         if (sbsec->initialized) {
657                 /* previously mounted with options, but not on this attempt? */
658                 if (sbsec->flags && !num_opts)
659                         goto out_double_mount;
660                 rc = 0;
661                 goto out;
662         }
663
664         if (strcmp(sb->s_type->name, "proc") == 0)
665                 sbsec->proc = 1;
666
667         /* Determine the labeling behavior to use for this filesystem type. */
668         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669         if (rc) {
670                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671                        __func__, sb->s_type->name, rc);
672                 goto out;
673         }
674
675         /* sets the context of the superblock for the fs being mounted. */
676         if (fscontext_sid) {
677
678                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679                 if (rc)
680                         goto out;
681
682                 sbsec->sid = fscontext_sid;
683         }
684
685         /*
686          * Switch to using mount point labeling behavior.
687          * sets the label used on all file below the mountpoint, and will set
688          * the superblock context if not already set.
689          */
690         if (context_sid) {
691                 if (!fscontext_sid) {
692                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
693                         if (rc)
694                                 goto out;
695                         sbsec->sid = context_sid;
696                 } else {
697                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
698                         if (rc)
699                                 goto out;
700                 }
701                 if (!rootcontext_sid)
702                         rootcontext_sid = context_sid;
703
704                 sbsec->mntpoint_sid = context_sid;
705                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
706         }
707
708         if (rootcontext_sid) {
709                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
710                 if (rc)
711                         goto out;
712
713                 root_isec->sid = rootcontext_sid;
714                 root_isec->initialized = 1;
715         }
716
717         if (defcontext_sid) {
718                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719                         rc = -EINVAL;
720                         printk(KERN_WARNING "SELinux: defcontext option is "
721                                "invalid for this filesystem type\n");
722                         goto out;
723                 }
724
725                 if (defcontext_sid != sbsec->def_sid) {
726                         rc = may_context_mount_inode_relabel(defcontext_sid,
727                                                              sbsec, tsec);
728                         if (rc)
729                                 goto out;
730                 }
731
732                 sbsec->def_sid = defcontext_sid;
733         }
734
735         rc = sb_finish_set_opts(sb);
736 out:
737         mutex_unlock(&sbsec->lock);
738         return rc;
739 out_double_mount:
740         rc = -EINVAL;
741         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
742                "security settings for (dev %s, type %s)\n", sb->s_id, name);
743         goto out;
744 }
745
746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747                                         struct super_block *newsb)
748 {
749         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750         struct superblock_security_struct *newsbsec = newsb->s_security;
751
752         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
753         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
754         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
755
756         /* we can't error, we can't save the info, this shouldn't get called
757          * this early in the boot process. */
758         BUG_ON(!ss_initialized);
759
760         /* how can we clone if the old one wasn't set up?? */
761         BUG_ON(!oldsbsec->initialized);
762
763         /* if fs is reusing a sb, just let its options stand... */
764         if (newsbsec->initialized)
765                 return;
766
767         mutex_lock(&newsbsec->lock);
768
769         newsbsec->flags = oldsbsec->flags;
770
771         newsbsec->sid = oldsbsec->sid;
772         newsbsec->def_sid = oldsbsec->def_sid;
773         newsbsec->behavior = oldsbsec->behavior;
774
775         if (set_context) {
776                 u32 sid = oldsbsec->mntpoint_sid;
777
778                 if (!set_fscontext)
779                         newsbsec->sid = sid;
780                 if (!set_rootcontext) {
781                         struct inode *newinode = newsb->s_root->d_inode;
782                         struct inode_security_struct *newisec = newinode->i_security;
783                         newisec->sid = sid;
784                 }
785                 newsbsec->mntpoint_sid = sid;
786         }
787         if (set_rootcontext) {
788                 const struct inode *oldinode = oldsb->s_root->d_inode;
789                 const struct inode_security_struct *oldisec = oldinode->i_security;
790                 struct inode *newinode = newsb->s_root->d_inode;
791                 struct inode_security_struct *newisec = newinode->i_security;
792
793                 newisec->sid = oldisec->sid;
794         }
795
796         sb_finish_set_opts(newsb);
797         mutex_unlock(&newsbsec->lock);
798 }
799
800 static int selinux_parse_opts_str(char *options,
801                                   struct security_mnt_opts *opts)
802 {
803         char *p;
804         char *context = NULL, *defcontext = NULL;
805         char *fscontext = NULL, *rootcontext = NULL;
806         int rc, num_mnt_opts = 0;
807
808         opts->num_mnt_opts = 0;
809
810         /* Standard string-based options. */
811         while ((p = strsep(&options, "|")) != NULL) {
812                 int token;
813                 substring_t args[MAX_OPT_ARGS];
814
815                 if (!*p)
816                         continue;
817
818                 token = match_token(p, tokens, args);
819
820                 switch (token) {
821                 case Opt_context:
822                         if (context || defcontext) {
823                                 rc = -EINVAL;
824                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
825                                 goto out_err;
826                         }
827                         context = match_strdup(&args[0]);
828                         if (!context) {
829                                 rc = -ENOMEM;
830                                 goto out_err;
831                         }
832                         break;
833
834                 case Opt_fscontext:
835                         if (fscontext) {
836                                 rc = -EINVAL;
837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838                                 goto out_err;
839                         }
840                         fscontext = match_strdup(&args[0]);
841                         if (!fscontext) {
842                                 rc = -ENOMEM;
843                                 goto out_err;
844                         }
845                         break;
846
847                 case Opt_rootcontext:
848                         if (rootcontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         rootcontext = match_strdup(&args[0]);
854                         if (!rootcontext) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_defcontext:
861                         if (context || defcontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         defcontext = match_strdup(&args[0]);
867                         if (!defcontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 default:
874                         rc = -EINVAL;
875                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
876                         goto out_err;
877
878                 }
879         }
880
881         rc = -ENOMEM;
882         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
883         if (!opts->mnt_opts)
884                 goto out_err;
885
886         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887         if (!opts->mnt_opts_flags) {
888                 kfree(opts->mnt_opts);
889                 goto out_err;
890         }
891
892         if (fscontext) {
893                 opts->mnt_opts[num_mnt_opts] = fscontext;
894                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
895         }
896         if (context) {
897                 opts->mnt_opts[num_mnt_opts] = context;
898                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
899         }
900         if (rootcontext) {
901                 opts->mnt_opts[num_mnt_opts] = rootcontext;
902                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
903         }
904         if (defcontext) {
905                 opts->mnt_opts[num_mnt_opts] = defcontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
907         }
908
909         opts->num_mnt_opts = num_mnt_opts;
910         return 0;
911
912 out_err:
913         kfree(context);
914         kfree(defcontext);
915         kfree(fscontext);
916         kfree(rootcontext);
917         return rc;
918 }
919 /*
920  * string mount options parsing and call set the sbsec
921  */
922 static int superblock_doinit(struct super_block *sb, void *data)
923 {
924         int rc = 0;
925         char *options = data;
926         struct security_mnt_opts opts;
927
928         security_init_mnt_opts(&opts);
929
930         if (!data)
931                 goto out;
932
933         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
934
935         rc = selinux_parse_opts_str(options, &opts);
936         if (rc)
937                 goto out_err;
938
939 out:
940         rc = selinux_set_mnt_opts(sb, &opts);
941
942 out_err:
943         security_free_mnt_opts(&opts);
944         return rc;
945 }
946
947 static inline u16 inode_mode_to_security_class(umode_t mode)
948 {
949         switch (mode & S_IFMT) {
950         case S_IFSOCK:
951                 return SECCLASS_SOCK_FILE;
952         case S_IFLNK:
953                 return SECCLASS_LNK_FILE;
954         case S_IFREG:
955                 return SECCLASS_FILE;
956         case S_IFBLK:
957                 return SECCLASS_BLK_FILE;
958         case S_IFDIR:
959                 return SECCLASS_DIR;
960         case S_IFCHR:
961                 return SECCLASS_CHR_FILE;
962         case S_IFIFO:
963                 return SECCLASS_FIFO_FILE;
964
965         }
966
967         return SECCLASS_FILE;
968 }
969
970 static inline int default_protocol_stream(int protocol)
971 {
972         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
973 }
974
975 static inline int default_protocol_dgram(int protocol)
976 {
977         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
978 }
979
980 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
981 {
982         switch (family) {
983         case PF_UNIX:
984                 switch (type) {
985                 case SOCK_STREAM:
986                 case SOCK_SEQPACKET:
987                         return SECCLASS_UNIX_STREAM_SOCKET;
988                 case SOCK_DGRAM:
989                         return SECCLASS_UNIX_DGRAM_SOCKET;
990                 }
991                 break;
992         case PF_INET:
993         case PF_INET6:
994                 switch (type) {
995                 case SOCK_STREAM:
996                         if (default_protocol_stream(protocol))
997                                 return SECCLASS_TCP_SOCKET;
998                         else
999                                 return SECCLASS_RAWIP_SOCKET;
1000                 case SOCK_DGRAM:
1001                         if (default_protocol_dgram(protocol))
1002                                 return SECCLASS_UDP_SOCKET;
1003                         else
1004                                 return SECCLASS_RAWIP_SOCKET;
1005                 case SOCK_DCCP:
1006                         return SECCLASS_DCCP_SOCKET;
1007                 default:
1008                         return SECCLASS_RAWIP_SOCKET;
1009                 }
1010                 break;
1011         case PF_NETLINK:
1012                 switch (protocol) {
1013                 case NETLINK_ROUTE:
1014                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1015                 case NETLINK_FIREWALL:
1016                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1017                 case NETLINK_INET_DIAG:
1018                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1019                 case NETLINK_NFLOG:
1020                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1021                 case NETLINK_XFRM:
1022                         return SECCLASS_NETLINK_XFRM_SOCKET;
1023                 case NETLINK_SELINUX:
1024                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1025                 case NETLINK_AUDIT:
1026                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1027                 case NETLINK_IP6_FW:
1028                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1029                 case NETLINK_DNRTMSG:
1030                         return SECCLASS_NETLINK_DNRT_SOCKET;
1031                 case NETLINK_KOBJECT_UEVENT:
1032                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1033                 default:
1034                         return SECCLASS_NETLINK_SOCKET;
1035                 }
1036         case PF_PACKET:
1037                 return SECCLASS_PACKET_SOCKET;
1038         case PF_KEY:
1039                 return SECCLASS_KEY_SOCKET;
1040         case PF_APPLETALK:
1041                 return SECCLASS_APPLETALK_SOCKET;
1042         }
1043
1044         return SECCLASS_SOCKET;
1045 }
1046
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1049                                 u16 tclass,
1050                                 u32 *sid)
1051 {
1052         int buflen, rc;
1053         char *buffer, *path, *end;
1054
1055         buffer = (char*)__get_free_page(GFP_KERNEL);
1056         if (!buffer)
1057                 return -ENOMEM;
1058
1059         buflen = PAGE_SIZE;
1060         end = buffer+buflen;
1061         *--end = '\0';
1062         buflen--;
1063         path = end-1;
1064         *path = '/';
1065         while (de && de != de->parent) {
1066                 buflen -= de->namelen + 1;
1067                 if (buflen < 0)
1068                         break;
1069                 end -= de->namelen;
1070                 memcpy(end, de->name, de->namelen);
1071                 *--end = '/';
1072                 path = end;
1073                 de = de->parent;
1074         }
1075         rc = security_genfs_sid("proc", path, tclass, sid);
1076         free_page((unsigned long)buffer);
1077         return rc;
1078 }
1079 #else
1080 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1081                                 u16 tclass,
1082                                 u32 *sid)
1083 {
1084         return -EINVAL;
1085 }
1086 #endif
1087
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1090 {
1091         struct superblock_security_struct *sbsec = NULL;
1092         struct inode_security_struct *isec = inode->i_security;
1093         u32 sid;
1094         struct dentry *dentry;
1095 #define INITCONTEXTLEN 255
1096         char *context = NULL;
1097         unsigned len = 0;
1098         int rc = 0;
1099
1100         if (isec->initialized)
1101                 goto out;
1102
1103         mutex_lock(&isec->lock);
1104         if (isec->initialized)
1105                 goto out_unlock;
1106
1107         sbsec = inode->i_sb->s_security;
1108         if (!sbsec->initialized) {
1109                 /* Defer initialization until selinux_complete_init,
1110                    after the initial policy is loaded and the security
1111                    server is ready to handle calls. */
1112                 spin_lock(&sbsec->isec_lock);
1113                 if (list_empty(&isec->list))
1114                         list_add(&isec->list, &sbsec->isec_head);
1115                 spin_unlock(&sbsec->isec_lock);
1116                 goto out_unlock;
1117         }
1118
1119         switch (sbsec->behavior) {
1120         case SECURITY_FS_USE_XATTR:
1121                 if (!inode->i_op->getxattr) {
1122                         isec->sid = sbsec->def_sid;
1123                         break;
1124                 }
1125
1126                 /* Need a dentry, since the xattr API requires one.
1127                    Life would be simpler if we could just pass the inode. */
1128                 if (opt_dentry) {
1129                         /* Called from d_instantiate or d_splice_alias. */
1130                         dentry = dget(opt_dentry);
1131                 } else {
1132                         /* Called from selinux_complete_init, try to find a dentry. */
1133                         dentry = d_find_alias(inode);
1134                 }
1135                 if (!dentry) {
1136                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1137                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1138                                inode->i_ino);
1139                         goto out_unlock;
1140                 }
1141
1142                 len = INITCONTEXTLEN;
1143                 context = kmalloc(len, GFP_NOFS);
1144                 if (!context) {
1145                         rc = -ENOMEM;
1146                         dput(dentry);
1147                         goto out_unlock;
1148                 }
1149                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150                                            context, len);
1151                 if (rc == -ERANGE) {
1152                         /* Need a larger buffer.  Query for the right size. */
1153                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154                                                    NULL, 0);
1155                         if (rc < 0) {
1156                                 dput(dentry);
1157                                 goto out_unlock;
1158                         }
1159                         kfree(context);
1160                         len = rc;
1161                         context = kmalloc(len, GFP_NOFS);
1162                         if (!context) {
1163                                 rc = -ENOMEM;
1164                                 dput(dentry);
1165                                 goto out_unlock;
1166                         }
1167                         rc = inode->i_op->getxattr(dentry,
1168                                                    XATTR_NAME_SELINUX,
1169                                                    context, len);
1170                 }
1171                 dput(dentry);
1172                 if (rc < 0) {
1173                         if (rc != -ENODATA) {
1174                                 printk(KERN_WARNING "%s:  getxattr returned "
1175                                        "%d for dev=%s ino=%ld\n", __func__,
1176                                        -rc, inode->i_sb->s_id, inode->i_ino);
1177                                 kfree(context);
1178                                 goto out_unlock;
1179                         }
1180                         /* Map ENODATA to the default file SID */
1181                         sid = sbsec->def_sid;
1182                         rc = 0;
1183                 } else {
1184                         rc = security_context_to_sid_default(context, rc, &sid,
1185                                                              sbsec->def_sid,
1186                                                              GFP_NOFS);
1187                         if (rc) {
1188                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1189                                        "returned %d for dev=%s ino=%ld\n",
1190                                        __func__, context, -rc,
1191                                        inode->i_sb->s_id, inode->i_ino);
1192                                 kfree(context);
1193                                 /* Leave with the unlabeled SID */
1194                                 rc = 0;
1195                                 break;
1196                         }
1197                 }
1198                 kfree(context);
1199                 isec->sid = sid;
1200                 break;
1201         case SECURITY_FS_USE_TASK:
1202                 isec->sid = isec->task_sid;
1203                 break;
1204         case SECURITY_FS_USE_TRANS:
1205                 /* Default to the fs SID. */
1206                 isec->sid = sbsec->sid;
1207
1208                 /* Try to obtain a transition SID. */
1209                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210                 rc = security_transition_sid(isec->task_sid,
1211                                              sbsec->sid,
1212                                              isec->sclass,
1213                                              &sid);
1214                 if (rc)
1215                         goto out_unlock;
1216                 isec->sid = sid;
1217                 break;
1218         case SECURITY_FS_USE_MNTPOINT:
1219                 isec->sid = sbsec->mntpoint_sid;
1220                 break;
1221         default:
1222                 /* Default to the fs superblock SID. */
1223                 isec->sid = sbsec->sid;
1224
1225                 if (sbsec->proc) {
1226                         struct proc_inode *proci = PROC_I(inode);
1227                         if (proci->pde) {
1228                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229                                 rc = selinux_proc_get_sid(proci->pde,
1230                                                           isec->sclass,
1231                                                           &sid);
1232                                 if (rc)
1233                                         goto out_unlock;
1234                                 isec->sid = sid;
1235                         }
1236                 }
1237                 break;
1238         }
1239
1240         isec->initialized = 1;
1241
1242 out_unlock:
1243         mutex_unlock(&isec->lock);
1244 out:
1245         if (isec->sclass == SECCLASS_FILE)
1246                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1247         return rc;
1248 }
1249
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32 signal_to_av(int sig)
1252 {
1253         u32 perm = 0;
1254
1255         switch (sig) {
1256         case SIGCHLD:
1257                 /* Commonly granted from child to parent. */
1258                 perm = PROCESS__SIGCHLD;
1259                 break;
1260         case SIGKILL:
1261                 /* Cannot be caught or ignored */
1262                 perm = PROCESS__SIGKILL;
1263                 break;
1264         case SIGSTOP:
1265                 /* Cannot be caught or ignored */
1266                 perm = PROCESS__SIGSTOP;
1267                 break;
1268         default:
1269                 /* All other signals. */
1270                 perm = PROCESS__SIGNAL;
1271                 break;
1272         }
1273
1274         return perm;
1275 }
1276
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278    fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct *tsk1,
1280                          struct task_struct *tsk2,
1281                          u32 perms)
1282 {
1283         struct task_security_struct *tsec1, *tsec2;
1284
1285         tsec1 = tsk1->security;
1286         tsec2 = tsk2->security;
1287         return avc_has_perm(tsec1->sid, tsec2->sid,
1288                             SECCLASS_PROCESS, perms, NULL);
1289 }
1290
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1293 #endif
1294
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct *tsk,
1297                                int cap)
1298 {
1299         struct task_security_struct *tsec;
1300         struct avc_audit_data ad;
1301         u16 sclass;
1302         u32 av = CAP_TO_MASK(cap);
1303
1304         tsec = tsk->security;
1305
1306         AVC_AUDIT_DATA_INIT(&ad,CAP);
1307         ad.tsk = tsk;
1308         ad.u.cap = cap;
1309
1310         switch (CAP_TO_INDEX(cap)) {
1311         case 0:
1312                 sclass = SECCLASS_CAPABILITY;
1313                 break;
1314         case 1:
1315                 sclass = SECCLASS_CAPABILITY2;
1316                 break;
1317         default:
1318                 printk(KERN_ERR
1319                        "SELinux:  out of range capability %d\n", cap);
1320                 BUG();
1321         }
1322         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1323 }
1324
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct *tsk,
1327                            u32 perms)
1328 {
1329         struct task_security_struct *tsec;
1330
1331         tsec = tsk->security;
1332
1333         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334                             SECCLASS_SYSTEM, perms, NULL);
1335 }
1336
1337 /* Check whether a task has a particular permission to an inode.
1338    The 'adp' parameter is optional and allows other audit
1339    data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct *tsk,
1341                           struct inode *inode,
1342                           u32 perms,
1343                           struct avc_audit_data *adp)
1344 {
1345         struct task_security_struct *tsec;
1346         struct inode_security_struct *isec;
1347         struct avc_audit_data ad;
1348
1349         if (unlikely (IS_PRIVATE (inode)))
1350                 return 0;
1351
1352         tsec = tsk->security;
1353         isec = inode->i_security;
1354
1355         if (!adp) {
1356                 adp = &ad;
1357                 AVC_AUDIT_DATA_INIT(&ad, FS);
1358                 ad.u.fs.inode = inode;
1359         }
1360
1361         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1362 }
1363
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365    the dentry to help the auditing code to more easily generate the
1366    pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct *tsk,
1368                                   struct vfsmount *mnt,
1369                                   struct dentry *dentry,
1370                                   u32 av)
1371 {
1372         struct inode *inode = dentry->d_inode;
1373         struct avc_audit_data ad;
1374         AVC_AUDIT_DATA_INIT(&ad,FS);
1375         ad.u.fs.path.mnt = mnt;
1376         ad.u.fs.path.dentry = dentry;
1377         return inode_has_perm(tsk, inode, av, &ad);
1378 }
1379
1380 /* Check whether a task can use an open file descriptor to
1381    access an inode in a given way.  Check access to the
1382    descriptor itself, and then use dentry_has_perm to
1383    check a particular permission to the file.
1384    Access to the descriptor is implicitly granted if it
1385    has the same SID as the process.  If av is zero, then
1386    access to the file is not checked, e.g. for cases
1387    where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct *tsk,
1389                                 struct file *file,
1390                                 u32 av)
1391 {
1392         struct task_security_struct *tsec = tsk->security;
1393         struct file_security_struct *fsec = file->f_security;
1394         struct inode *inode = file->f_path.dentry->d_inode;
1395         struct avc_audit_data ad;
1396         int rc;
1397
1398         AVC_AUDIT_DATA_INIT(&ad, FS);
1399         ad.u.fs.path = file->f_path;
1400
1401         if (tsec->sid != fsec->sid) {
1402                 rc = avc_has_perm(tsec->sid, fsec->sid,
1403                                   SECCLASS_FD,
1404                                   FD__USE,
1405                                   &ad);
1406                 if (rc)
1407                         return rc;
1408         }
1409
1410         /* av is zero if only checking access to the descriptor. */
1411         if (av)
1412                 return inode_has_perm(tsk, inode, av, &ad);
1413
1414         return 0;
1415 }
1416
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode *dir,
1419                       struct dentry *dentry,
1420                       u16 tclass)
1421 {
1422         struct task_security_struct *tsec;
1423         struct inode_security_struct *dsec;
1424         struct superblock_security_struct *sbsec;
1425         u32 newsid;
1426         struct avc_audit_data ad;
1427         int rc;
1428
1429         tsec = current->security;
1430         dsec = dir->i_security;
1431         sbsec = dir->i_sb->s_security;
1432
1433         AVC_AUDIT_DATA_INIT(&ad, FS);
1434         ad.u.fs.path.dentry = dentry;
1435
1436         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437                           DIR__ADD_NAME | DIR__SEARCH,
1438                           &ad);
1439         if (rc)
1440                 return rc;
1441
1442         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443                 newsid = tsec->create_sid;
1444         } else {
1445                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1446                                              &newsid);
1447                 if (rc)
1448                         return rc;
1449         }
1450
1451         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1452         if (rc)
1453                 return rc;
1454
1455         return avc_has_perm(newsid, sbsec->sid,
1456                             SECCLASS_FILESYSTEM,
1457                             FILESYSTEM__ASSOCIATE, &ad);
1458 }
1459
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid,
1462                           struct task_struct *ctx)
1463 {
1464         struct task_security_struct *tsec;
1465
1466         tsec = ctx->security;
1467
1468         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1469 }
1470
1471 #define MAY_LINK   0
1472 #define MAY_UNLINK 1
1473 #define MAY_RMDIR  2
1474
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode *dir,
1477                     struct dentry *dentry,
1478                     int kind)
1479
1480 {
1481         struct task_security_struct *tsec;
1482         struct inode_security_struct *dsec, *isec;
1483         struct avc_audit_data ad;
1484         u32 av;
1485         int rc;
1486
1487         tsec = current->security;
1488         dsec = dir->i_security;
1489         isec = dentry->d_inode->i_security;
1490
1491         AVC_AUDIT_DATA_INIT(&ad, FS);
1492         ad.u.fs.path.dentry = dentry;
1493
1494         av = DIR__SEARCH;
1495         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1497         if (rc)
1498                 return rc;
1499
1500         switch (kind) {
1501         case MAY_LINK:
1502                 av = FILE__LINK;
1503                 break;
1504         case MAY_UNLINK:
1505                 av = FILE__UNLINK;
1506                 break;
1507         case MAY_RMDIR:
1508                 av = DIR__RMDIR;
1509                 break;
1510         default:
1511                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1512                 return 0;
1513         }
1514
1515         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1516         return rc;
1517 }
1518
1519 static inline int may_rename(struct inode *old_dir,
1520                              struct dentry *old_dentry,
1521                              struct inode *new_dir,
1522                              struct dentry *new_dentry)
1523 {
1524         struct task_security_struct *tsec;
1525         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526         struct avc_audit_data ad;
1527         u32 av;
1528         int old_is_dir, new_is_dir;
1529         int rc;
1530
1531         tsec = current->security;
1532         old_dsec = old_dir->i_security;
1533         old_isec = old_dentry->d_inode->i_security;
1534         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535         new_dsec = new_dir->i_security;
1536
1537         AVC_AUDIT_DATA_INIT(&ad, FS);
1538
1539         ad.u.fs.path.dentry = old_dentry;
1540         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1542         if (rc)
1543                 return rc;
1544         rc = avc_has_perm(tsec->sid, old_isec->sid,
1545                           old_isec->sclass, FILE__RENAME, &ad);
1546         if (rc)
1547                 return rc;
1548         if (old_is_dir && new_dir != old_dir) {
1549                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550                                   old_isec->sclass, DIR__REPARENT, &ad);
1551                 if (rc)
1552                         return rc;
1553         }
1554
1555         ad.u.fs.path.dentry = new_dentry;
1556         av = DIR__ADD_NAME | DIR__SEARCH;
1557         if (new_dentry->d_inode)
1558                 av |= DIR__REMOVE_NAME;
1559         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1560         if (rc)
1561                 return rc;
1562         if (new_dentry->d_inode) {
1563                 new_isec = new_dentry->d_inode->i_security;
1564                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1566                                   new_isec->sclass,
1567                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1568                 if (rc)
1569                         return rc;
1570         }
1571
1572         return 0;
1573 }
1574
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct *tsk,
1577                                struct super_block *sb,
1578                                u32 perms,
1579                                struct avc_audit_data *ad)
1580 {
1581         struct task_security_struct *tsec;
1582         struct superblock_security_struct *sbsec;
1583
1584         tsec = tsk->security;
1585         sbsec = sb->s_security;
1586         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1587                             perms, ad);
1588 }
1589
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32 file_mask_to_av(int mode, int mask)
1592 {
1593         u32 av = 0;
1594
1595         if ((mode & S_IFMT) != S_IFDIR) {
1596                 if (mask & MAY_EXEC)
1597                         av |= FILE__EXECUTE;
1598                 if (mask & MAY_READ)
1599                         av |= FILE__READ;
1600
1601                 if (mask & MAY_APPEND)
1602                         av |= FILE__APPEND;
1603                 else if (mask & MAY_WRITE)
1604                         av |= FILE__WRITE;
1605
1606         } else {
1607                 if (mask & MAY_EXEC)
1608                         av |= DIR__SEARCH;
1609                 if (mask & MAY_WRITE)
1610                         av |= DIR__WRITE;
1611                 if (mask & MAY_READ)
1612                         av |= DIR__READ;
1613         }
1614
1615         return av;
1616 }
1617
1618 /*
1619  * Convert a file mask to an access vector and include the correct open
1620  * open permission.
1621  */
1622 static inline u32 open_file_mask_to_av(int mode, int mask)
1623 {
1624         u32 av = file_mask_to_av(mode, mask);
1625
1626         if (selinux_policycap_openperm) {
1627                 /*
1628                  * lnk files and socks do not really have an 'open'
1629                  */
1630                 if (S_ISREG(mode))
1631                         av |= FILE__OPEN;
1632                 else if (S_ISCHR(mode))
1633                         av |= CHR_FILE__OPEN;
1634                 else if (S_ISBLK(mode))
1635                         av |= BLK_FILE__OPEN;
1636                 else if (S_ISFIFO(mode))
1637                         av |= FIFO_FILE__OPEN;
1638                 else if (S_ISDIR(mode))
1639                         av |= DIR__OPEN;
1640                 else
1641                         printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1642                                 "with unknown mode:%x\n", mode);
1643         }
1644         return av;
1645 }
1646
1647 /* Convert a Linux file to an access vector. */
1648 static inline u32 file_to_av(struct file *file)
1649 {
1650         u32 av = 0;
1651
1652         if (file->f_mode & FMODE_READ)
1653                 av |= FILE__READ;
1654         if (file->f_mode & FMODE_WRITE) {
1655                 if (file->f_flags & O_APPEND)
1656                         av |= FILE__APPEND;
1657                 else
1658                         av |= FILE__WRITE;
1659         }
1660         if (!av) {
1661                 /*
1662                  * Special file opened with flags 3 for ioctl-only use.
1663                  */
1664                 av = FILE__IOCTL;
1665         }
1666
1667         return av;
1668 }
1669
1670 /* Hook functions begin here. */
1671
1672 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1673 {
1674         int rc;
1675
1676         rc = secondary_ops->ptrace(parent,child);
1677         if (rc)
1678                 return rc;
1679
1680         return task_has_perm(parent, child, PROCESS__PTRACE);
1681 }
1682
1683 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1684                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1685 {
1686         int error;
1687
1688         error = task_has_perm(current, target, PROCESS__GETCAP);
1689         if (error)
1690                 return error;
1691
1692         return secondary_ops->capget(target, effective, inheritable, permitted);
1693 }
1694
1695 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1696                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1697 {
1698         int error;
1699
1700         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1701         if (error)
1702                 return error;
1703
1704         return task_has_perm(current, target, PROCESS__SETCAP);
1705 }
1706
1707 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1708                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710         secondary_ops->capset_set(target, effective, inheritable, permitted);
1711 }
1712
1713 static int selinux_capable(struct task_struct *tsk, int cap)
1714 {
1715         int rc;
1716
1717         rc = secondary_ops->capable(tsk, cap);
1718         if (rc)
1719                 return rc;
1720
1721         return task_has_capability(tsk,cap);
1722 }
1723
1724 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1725 {
1726         int buflen, rc;
1727         char *buffer, *path, *end;
1728
1729         rc = -ENOMEM;
1730         buffer = (char*)__get_free_page(GFP_KERNEL);
1731         if (!buffer)
1732                 goto out;
1733
1734         buflen = PAGE_SIZE;
1735         end = buffer+buflen;
1736         *--end = '\0';
1737         buflen--;
1738         path = end-1;
1739         *path = '/';
1740         while (table) {
1741                 const char *name = table->procname;
1742                 size_t namelen = strlen(name);
1743                 buflen -= namelen + 1;
1744                 if (buflen < 0)
1745                         goto out_free;
1746                 end -= namelen;
1747                 memcpy(end, name, namelen);
1748                 *--end = '/';
1749                 path = end;
1750                 table = table->parent;
1751         }
1752         buflen -= 4;
1753         if (buflen < 0)
1754                 goto out_free;
1755         end -= 4;
1756         memcpy(end, "/sys", 4);
1757         path = end;
1758         rc = security_genfs_sid("proc", path, tclass, sid);
1759 out_free:
1760         free_page((unsigned long)buffer);
1761 out:
1762         return rc;
1763 }
1764
1765 static int selinux_sysctl(ctl_table *table, int op)
1766 {
1767         int error = 0;
1768         u32 av;
1769         struct task_security_struct *tsec;
1770         u32 tsid;
1771         int rc;
1772
1773         rc = secondary_ops->sysctl(table, op);
1774         if (rc)
1775                 return rc;
1776
1777         tsec = current->security;
1778
1779         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1780                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1781         if (rc) {
1782                 /* Default to the well-defined sysctl SID. */
1783                 tsid = SECINITSID_SYSCTL;
1784         }
1785
1786         /* The op values are "defined" in sysctl.c, thereby creating
1787          * a bad coupling between this module and sysctl.c */
1788         if(op == 001) {
1789                 error = avc_has_perm(tsec->sid, tsid,
1790                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1791         } else {
1792                 av = 0;
1793                 if (op & 004)
1794                         av |= FILE__READ;
1795                 if (op & 002)
1796                         av |= FILE__WRITE;
1797                 if (av)
1798                         error = avc_has_perm(tsec->sid, tsid,
1799                                              SECCLASS_FILE, av, NULL);
1800         }
1801
1802         return error;
1803 }
1804
1805 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1806 {
1807         int rc = 0;
1808
1809         if (!sb)
1810                 return 0;
1811
1812         switch (cmds) {
1813                 case Q_SYNC:
1814                 case Q_QUOTAON:
1815                 case Q_QUOTAOFF:
1816                 case Q_SETINFO:
1817                 case Q_SETQUOTA:
1818                         rc = superblock_has_perm(current,
1819                                                  sb,
1820                                                  FILESYSTEM__QUOTAMOD, NULL);
1821                         break;
1822                 case Q_GETFMT:
1823                 case Q_GETINFO:
1824                 case Q_GETQUOTA:
1825                         rc = superblock_has_perm(current,
1826                                                  sb,
1827                                                  FILESYSTEM__QUOTAGET, NULL);
1828                         break;
1829                 default:
1830                         rc = 0;  /* let the kernel handle invalid cmds */
1831                         break;
1832         }
1833         return rc;
1834 }
1835
1836 static int selinux_quota_on(struct dentry *dentry)
1837 {
1838         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1839 }
1840
1841 static int selinux_syslog(int type)
1842 {
1843         int rc;
1844
1845         rc = secondary_ops->syslog(type);
1846         if (rc)
1847                 return rc;
1848
1849         switch (type) {
1850                 case 3:         /* Read last kernel messages */
1851                 case 10:        /* Return size of the log buffer */
1852                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1853                         break;
1854                 case 6:         /* Disable logging to console */
1855                 case 7:         /* Enable logging to console */
1856                 case 8:         /* Set level of messages printed to console */
1857                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1858                         break;
1859                 case 0:         /* Close log */
1860                 case 1:         /* Open log */
1861                 case 2:         /* Read from log */
1862                 case 4:         /* Read/clear last kernel messages */
1863                 case 5:         /* Clear ring buffer */
1864                 default:
1865                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1866                         break;
1867         }
1868         return rc;
1869 }
1870
1871 /*
1872  * Check that a process has enough memory to allocate a new virtual
1873  * mapping. 0 means there is enough memory for the allocation to
1874  * succeed and -ENOMEM implies there is not.
1875  *
1876  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1877  * if the capability is granted, but __vm_enough_memory requires 1 if
1878  * the capability is granted.
1879  *
1880  * Do not audit the selinux permission check, as this is applied to all
1881  * processes that allocate mappings.
1882  */
1883 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1884 {
1885         int rc, cap_sys_admin = 0;
1886         struct task_security_struct *tsec = current->security;
1887
1888         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1889         if (rc == 0)
1890                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1891                                           SECCLASS_CAPABILITY,
1892                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1893                                           0,
1894                                           NULL);
1895
1896         if (rc == 0)
1897                 cap_sys_admin = 1;
1898
1899         return __vm_enough_memory(mm, pages, cap_sys_admin);
1900 }
1901
1902 /**
1903  * task_tracer_task - return the task that is tracing the given task
1904  * @task:               task to consider
1905  *
1906  * Returns NULL if noone is tracing @task, or the &struct task_struct
1907  * pointer to its tracer.
1908  *
1909  * Must be called under rcu_read_lock().
1910  */
1911 static struct task_struct *task_tracer_task(struct task_struct *task)
1912 {
1913         if (task->ptrace & PT_PTRACED)
1914                 return rcu_dereference(task->parent);
1915         return NULL;
1916 }
1917
1918 /* binprm security operations */
1919
1920 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1921 {
1922         struct bprm_security_struct *bsec;
1923
1924         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1925         if (!bsec)
1926                 return -ENOMEM;
1927
1928         bsec->sid = SECINITSID_UNLABELED;
1929         bsec->set = 0;
1930
1931         bprm->security = bsec;
1932         return 0;
1933 }
1934
1935 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1936 {
1937         struct task_security_struct *tsec;
1938         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1939         struct inode_security_struct *isec;
1940         struct bprm_security_struct *bsec;
1941         u32 newsid;
1942         struct avc_audit_data ad;
1943         int rc;
1944
1945         rc = secondary_ops->bprm_set_security(bprm);
1946         if (rc)
1947                 return rc;
1948
1949         bsec = bprm->security;
1950
1951         if (bsec->set)
1952                 return 0;
1953
1954         tsec = current->security;
1955         isec = inode->i_security;
1956
1957         /* Default to the current task SID. */
1958         bsec->sid = tsec->sid;
1959
1960         /* Reset fs, key, and sock SIDs on execve. */
1961         tsec->create_sid = 0;
1962         tsec->keycreate_sid = 0;
1963         tsec->sockcreate_sid = 0;
1964
1965         if (tsec->exec_sid) {
1966                 newsid = tsec->exec_sid;
1967                 /* Reset exec SID on execve. */
1968                 tsec->exec_sid = 0;
1969         } else {
1970                 /* Check for a default transition on this program. */
1971                 rc = security_transition_sid(tsec->sid, isec->sid,
1972                                              SECCLASS_PROCESS, &newsid);
1973                 if (rc)
1974                         return rc;
1975         }
1976
1977         AVC_AUDIT_DATA_INIT(&ad, FS);
1978         ad.u.fs.path = bprm->file->f_path;
1979
1980         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1981                 newsid = tsec->sid;
1982
1983         if (tsec->sid == newsid) {
1984                 rc = avc_has_perm(tsec->sid, isec->sid,
1985                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1986                 if (rc)
1987                         return rc;
1988         } else {
1989                 /* Check permissions for the transition. */
1990                 rc = avc_has_perm(tsec->sid, newsid,
1991                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1992                 if (rc)
1993                         return rc;
1994
1995                 rc = avc_has_perm(newsid, isec->sid,
1996                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1997                 if (rc)
1998                         return rc;
1999
2000                 /* Clear any possibly unsafe personality bits on exec: */
2001                 current->personality &= ~PER_CLEAR_ON_SETID;
2002
2003                 /* Set the security field to the new SID. */
2004                 bsec->sid = newsid;
2005         }
2006
2007         bsec->set = 1;
2008         return 0;
2009 }
2010
2011 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2012 {
2013         return secondary_ops->bprm_check_security(bprm);
2014 }
2015
2016
2017 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2018 {
2019         struct task_security_struct *tsec = current->security;
2020         int atsecure = 0;
2021
2022         if (tsec->osid != tsec->sid) {
2023                 /* Enable secure mode for SIDs transitions unless
2024                    the noatsecure permission is granted between
2025                    the two SIDs, i.e. ahp returns 0. */
2026                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2027                                          SECCLASS_PROCESS,
2028                                          PROCESS__NOATSECURE, NULL);
2029         }
2030
2031         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2032 }
2033
2034 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2035 {
2036         kfree(bprm->security);
2037         bprm->security = NULL;
2038 }
2039
2040 extern struct vfsmount *selinuxfs_mount;
2041 extern struct dentry *selinux_null;
2042
2043 /* Derived from fs/exec.c:flush_old_files. */
2044 static inline void flush_unauthorized_files(struct files_struct * files)
2045 {
2046         struct avc_audit_data ad;
2047         struct file *file, *devnull = NULL;
2048         struct tty_struct *tty;
2049         struct fdtable *fdt;
2050         long j = -1;
2051         int drop_tty = 0;
2052
2053         mutex_lock(&tty_mutex);
2054         tty = get_current_tty();
2055         if (tty) {
2056                 file_list_lock();
2057                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2058                 if (file) {
2059                         /* Revalidate access to controlling tty.
2060                            Use inode_has_perm on the tty inode directly rather
2061                            than using file_has_perm, as this particular open
2062                            file may belong to another process and we are only
2063                            interested in the inode-based check here. */
2064                         struct inode *inode = file->f_path.dentry->d_inode;
2065                         if (inode_has_perm(current, inode,
2066                                            FILE__READ | FILE__WRITE, NULL)) {
2067                                 drop_tty = 1;
2068                         }
2069                 }
2070                 file_list_unlock();
2071         }
2072         mutex_unlock(&tty_mutex);
2073         /* Reset controlling tty. */
2074         if (drop_tty)
2075                 no_tty();
2076
2077         /* Revalidate access to inherited open files. */
2078
2079         AVC_AUDIT_DATA_INIT(&ad,FS);
2080
2081         spin_lock(&files->file_lock);
2082         for (;;) {
2083                 unsigned long set, i;
2084                 int fd;
2085
2086                 j++;
2087                 i = j * __NFDBITS;
2088                 fdt = files_fdtable(files);
2089                 if (i >= fdt->max_fds)
2090                         break;
2091                 set = fdt->open_fds->fds_bits[j];
2092                 if (!set)
2093                         continue;
2094                 spin_unlock(&files->file_lock);
2095                 for ( ; set ; i++,set >>= 1) {
2096                         if (set & 1) {
2097                                 file = fget(i);
2098                                 if (!file)
2099                                         continue;
2100                                 if (file_has_perm(current,
2101                                                   file,
2102                                                   file_to_av(file))) {
2103                                         sys_close(i);
2104                                         fd = get_unused_fd();
2105                                         if (fd != i) {
2106                                                 if (fd >= 0)
2107                                                         put_unused_fd(fd);
2108                                                 fput(file);
2109                                                 continue;
2110                                         }
2111                                         if (devnull) {
2112                                                 get_file(devnull);
2113                                         } else {
2114                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2115                                                 if (IS_ERR(devnull)) {
2116                                                         devnull = NULL;
2117                                                         put_unused_fd(fd);
2118                                                         fput(file);
2119                                                         continue;
2120                                                 }
2121                                         }
2122                                         fd_install(fd, devnull);
2123                                 }
2124                                 fput(file);
2125                         }
2126                 }
2127                 spin_lock(&files->file_lock);
2128
2129         }
2130         spin_unlock(&files->file_lock);
2131 }
2132
2133 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2134 {
2135         struct task_security_struct *tsec;
2136         struct bprm_security_struct *bsec;
2137         u32 sid;
2138         int rc;
2139
2140         secondary_ops->bprm_apply_creds(bprm, unsafe);
2141
2142         tsec = current->security;
2143
2144         bsec = bprm->security;
2145         sid = bsec->sid;
2146
2147         tsec->osid = tsec->sid;
2148         bsec->unsafe = 0;
2149         if (tsec->sid != sid) {
2150                 /* Check for shared state.  If not ok, leave SID
2151                    unchanged and kill. */
2152                 if (unsafe & LSM_UNSAFE_SHARE) {
2153                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2154                                         PROCESS__SHARE, NULL);
2155                         if (rc) {
2156                                 bsec->unsafe = 1;
2157                                 return;
2158                         }
2159                 }
2160
2161                 /* Check for ptracing, and update the task SID if ok.
2162                    Otherwise, leave SID unchanged and kill. */
2163                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2164                         struct task_struct *tracer;
2165                         struct task_security_struct *sec;
2166                         u32 ptsid = 0;
2167
2168                         rcu_read_lock();
2169                         tracer = task_tracer_task(current);
2170                         if (likely(tracer != NULL)) {
2171                                 sec = tracer->security;
2172                                 ptsid = sec->sid;
2173                         }
2174                         rcu_read_unlock();
2175
2176                         if (ptsid != 0) {
2177                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2178                                                   PROCESS__PTRACE, NULL);
2179                                 if (rc) {
2180                                         bsec->unsafe = 1;
2181                                         return;
2182                                 }
2183                         }
2184                 }
2185                 tsec->sid = sid;
2186         }
2187 }
2188
2189 /*
2190  * called after apply_creds without the task lock held
2191  */
2192 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2193 {
2194         struct task_security_struct *tsec;
2195         struct rlimit *rlim, *initrlim;
2196         struct itimerval itimer;
2197         struct bprm_security_struct *bsec;
2198         int rc, i;
2199
2200         tsec = current->security;
2201         bsec = bprm->security;
2202
2203         if (bsec->unsafe) {
2204                 force_sig_specific(SIGKILL, current);
2205                 return;
2206         }
2207         if (tsec->osid == tsec->sid)
2208                 return;
2209
2210         /* Close files for which the new task SID is not authorized. */
2211         flush_unauthorized_files(current->files);
2212
2213         /* Check whether the new SID can inherit signal state
2214            from the old SID.  If not, clear itimers to avoid
2215            subsequent signal generation and flush and unblock
2216            signals. This must occur _after_ the task SID has
2217           been updated so that any kill done after the flush
2218           will be checked against the new SID. */
2219         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2220                           PROCESS__SIGINH, NULL);
2221         if (rc) {
2222                 memset(&itimer, 0, sizeof itimer);
2223                 for (i = 0; i < 3; i++)
2224                         do_setitimer(i, &itimer, NULL);
2225                 flush_signals(current);
2226                 spin_lock_irq(&current->sighand->siglock);
2227                 flush_signal_handlers(current, 1);
2228                 sigemptyset(&current->blocked);
2229                 recalc_sigpending();
2230                 spin_unlock_irq(&current->sighand->siglock);
2231         }
2232
2233         /* Always clear parent death signal on SID transitions. */
2234         current->pdeath_signal = 0;
2235
2236         /* Check whether the new SID can inherit resource limits
2237            from the old SID.  If not, reset all soft limits to
2238            the lower of the current task's hard limit and the init
2239            task's soft limit.  Note that the setting of hard limits
2240            (even to lower them) can be controlled by the setrlimit
2241            check. The inclusion of the init task's soft limit into
2242            the computation is to avoid resetting soft limits higher
2243            than the default soft limit for cases where the default
2244            is lower than the hard limit, e.g. RLIMIT_CORE or
2245            RLIMIT_STACK.*/
2246         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2247                           PROCESS__RLIMITINH, NULL);
2248         if (rc) {
2249                 for (i = 0; i < RLIM_NLIMITS; i++) {
2250                         rlim = current->signal->rlim + i;
2251                         initrlim = init_task.signal->rlim+i;
2252                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2253                 }
2254                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2255                         /*
2256                          * This will cause RLIMIT_CPU calculations
2257                          * to be refigured.
2258                          */
2259                         current->it_prof_expires = jiffies_to_cputime(1);
2260                 }
2261         }
2262
2263         /* Wake up the parent if it is waiting so that it can
2264            recheck wait permission to the new task SID. */
2265         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2266 }
2267
2268 /* superblock security operations */
2269
2270 static int selinux_sb_alloc_security(struct super_block *sb)
2271 {
2272         return superblock_alloc_security(sb);
2273 }
2274
2275 static void selinux_sb_free_security(struct super_block *sb)
2276 {
2277         superblock_free_security(sb);
2278 }
2279
2280 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2281 {
2282         if (plen > olen)
2283                 return 0;
2284
2285         return !memcmp(prefix, option, plen);
2286 }
2287
2288 static inline int selinux_option(char *option, int len)
2289 {
2290         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2291                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2292                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2293                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2294 }
2295
2296 static inline void take_option(char **to, char *from, int *first, int len)
2297 {
2298         if (!*first) {
2299                 **to = ',';
2300                 *to += 1;
2301         } else
2302                 *first = 0;
2303         memcpy(*to, from, len);
2304         *to += len;
2305 }
2306
2307 static inline void take_selinux_option(char **to, char *from, int *first, 
2308                                        int len)
2309 {
2310         int current_size = 0;
2311
2312         if (!*first) {
2313                 **to = '|';
2314                 *to += 1;
2315         }
2316         else
2317                 *first = 0;
2318
2319         while (current_size < len) {
2320                 if (*from != '"') {
2321                         **to = *from;
2322                         *to += 1;
2323                 }
2324                 from += 1;
2325                 current_size += 1;
2326         }
2327 }
2328
2329 static int selinux_sb_copy_data(char *orig, char *copy)
2330 {
2331         int fnosec, fsec, rc = 0;
2332         char *in_save, *in_curr, *in_end;
2333         char *sec_curr, *nosec_save, *nosec;
2334         int open_quote = 0;
2335
2336         in_curr = orig;
2337         sec_curr = copy;
2338
2339         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2340         if (!nosec) {
2341                 rc = -ENOMEM;
2342                 goto out;
2343         }
2344
2345         nosec_save = nosec;
2346         fnosec = fsec = 1;
2347         in_save = in_end = orig;
2348
2349         do {
2350                 if (*in_end == '"')
2351                         open_quote = !open_quote;
2352                 if ((*in_end == ',' && open_quote == 0) ||
2353                                 *in_end == '\0') {
2354                         int len = in_end - in_curr;
2355
2356                         if (selinux_option(in_curr, len))
2357                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2358                         else
2359                                 take_option(&nosec, in_curr, &fnosec, len);
2360
2361                         in_curr = in_end + 1;
2362                 }
2363         } while (*in_end++);
2364
2365         strcpy(in_save, nosec_save);
2366         free_page((unsigned long)nosec_save);
2367 out:
2368         return rc;
2369 }
2370
2371 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2372 {
2373         struct avc_audit_data ad;
2374         int rc;
2375
2376         rc = superblock_doinit(sb, data);
2377         if (rc)
2378                 return rc;
2379
2380         AVC_AUDIT_DATA_INIT(&ad,FS);
2381         ad.u.fs.path.dentry = sb->s_root;
2382         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2383 }
2384
2385 static int selinux_sb_statfs(struct dentry *dentry)
2386 {
2387         struct avc_audit_data ad;
2388
2389         AVC_AUDIT_DATA_INIT(&ad,FS);
2390         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2391         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2392 }
2393
2394 static int selinux_mount(char * dev_name,
2395                          struct nameidata *nd,
2396                          char * type,
2397                          unsigned long flags,
2398                          void * data)
2399 {
2400         int rc;
2401
2402         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2403         if (rc)
2404                 return rc;
2405
2406         if (flags & MS_REMOUNT)
2407                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2408                                            FILESYSTEM__REMOUNT, NULL);
2409         else
2410                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2411                                        FILE__MOUNTON);
2412 }
2413
2414 static int selinux_umount(struct vfsmount *mnt, int flags)
2415 {
2416         int rc;
2417
2418         rc = secondary_ops->sb_umount(mnt, flags);
2419         if (rc)
2420                 return rc;
2421
2422         return superblock_has_perm(current,mnt->mnt_sb,
2423                                    FILESYSTEM__UNMOUNT,NULL);
2424 }
2425
2426 /* inode security operations */
2427
2428 static int selinux_inode_alloc_security(struct inode *inode)
2429 {
2430         return inode_alloc_security(inode);
2431 }
2432
2433 static void selinux_inode_free_security(struct inode *inode)
2434 {
2435         inode_free_security(inode);
2436 }
2437
2438 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2439                                        char **name, void **value,
2440                                        size_t *len)
2441 {
2442         struct task_security_struct *tsec;
2443         struct inode_security_struct *dsec;
2444         struct superblock_security_struct *sbsec;
2445         u32 newsid, clen;
2446         int rc;
2447         char *namep = NULL, *context;
2448
2449         tsec = current->security;
2450         dsec = dir->i_security;
2451         sbsec = dir->i_sb->s_security;
2452
2453         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2454                 newsid = tsec->create_sid;
2455         } else {
2456                 rc = security_transition_sid(tsec->sid, dsec->sid,
2457                                              inode_mode_to_security_class(inode->i_mode),
2458                                              &newsid);
2459                 if (rc) {
2460                         printk(KERN_WARNING "%s:  "
2461                                "security_transition_sid failed, rc=%d (dev=%s "
2462                                "ino=%ld)\n",
2463                                __func__,
2464                                -rc, inode->i_sb->s_id, inode->i_ino);
2465                         return rc;
2466                 }
2467         }
2468
2469         /* Possibly defer initialization to selinux_complete_init. */
2470         if (sbsec->initialized) {
2471                 struct inode_security_struct *isec = inode->i_security;
2472                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2473                 isec->sid = newsid;
2474                 isec->initialized = 1;
2475         }
2476
2477         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2478                 return -EOPNOTSUPP;
2479
2480         if (name) {
2481                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2482                 if (!namep)
2483                         return -ENOMEM;
2484                 *name = namep;
2485         }
2486
2487         if (value && len) {
2488                 rc = security_sid_to_context(newsid, &context, &clen);
2489                 if (rc) {
2490                         kfree(namep);
2491                         return rc;
2492                 }
2493                 *value = context;
2494                 *len = clen;
2495         }
2496
2497         return 0;
2498 }
2499
2500 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2501 {
2502         return may_create(dir, dentry, SECCLASS_FILE);
2503 }
2504
2505 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2506 {
2507         int rc;
2508
2509         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2510         if (rc)
2511                 return rc;
2512         return may_link(dir, old_dentry, MAY_LINK);
2513 }
2514
2515 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2516 {
2517         int rc;
2518
2519         rc = secondary_ops->inode_unlink(dir, dentry);
2520         if (rc)
2521                 return rc;
2522         return may_link(dir, dentry, MAY_UNLINK);
2523 }
2524
2525 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2526 {
2527         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2528 }
2529
2530 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2531 {
2532         return may_create(dir, dentry, SECCLASS_DIR);
2533 }
2534
2535 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2536 {
2537         return may_link(dir, dentry, MAY_RMDIR);
2538 }
2539
2540 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2541 {
2542         int rc;
2543
2544         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2545         if (rc)
2546                 return rc;
2547
2548         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2549 }
2550
2551 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2552                                 struct inode *new_inode, struct dentry *new_dentry)
2553 {
2554         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2555 }
2556
2557 static int selinux_inode_readlink(struct dentry *dentry)
2558 {
2559         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2560 }
2561
2562 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2563 {
2564         int rc;
2565
2566         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2567         if (rc)
2568                 return rc;
2569         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2570 }
2571
2572 static int selinux_inode_permission(struct inode *inode, int mask,
2573                                     struct nameidata *nd)
2574 {
2575         int rc;
2576
2577         rc = secondary_ops->inode_permission(inode, mask, nd);
2578         if (rc)
2579                 return rc;
2580
2581         if (!mask) {
2582                 /* No permission to check.  Existence test. */
2583                 return 0;
2584         }
2585
2586         return inode_has_perm(current, inode,
2587                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2588 }
2589
2590 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2591 {
2592         int rc;
2593
2594         rc = secondary_ops->inode_setattr(dentry, iattr);
2595         if (rc)
2596                 return rc;
2597
2598         if (iattr->ia_valid & ATTR_FORCE)
2599                 return 0;
2600
2601         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2602                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2603                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2604
2605         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2606 }
2607
2608 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2609 {
2610         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2611 }
2612
2613 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2614 {
2615         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2616                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2617                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2618                         if (!capable(CAP_SETFCAP))
2619                                 return -EPERM;
2620                 } else if (!capable(CAP_SYS_ADMIN)) {
2621                         /* A different attribute in the security namespace.
2622                            Restrict to administrator. */
2623                         return -EPERM;
2624                 }
2625         }
2626
2627         /* Not an attribute we recognize, so just check the
2628            ordinary setattr permission. */
2629         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2630 }
2631
2632 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2633 {
2634         struct task_security_struct *tsec = current->security;
2635         struct inode *inode = dentry->d_inode;
2636         struct inode_security_struct *isec = inode->i_security;
2637         struct superblock_security_struct *sbsec;
2638         struct avc_audit_data ad;
2639         u32 newsid;
2640         int rc = 0;
2641
2642         if (strcmp(name, XATTR_NAME_SELINUX))
2643                 return selinux_inode_setotherxattr(dentry, name);
2644
2645         sbsec = inode->i_sb->s_security;
2646         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2647                 return -EOPNOTSUPP;
2648
2649         if (!is_owner_or_cap(inode))
2650                 return -EPERM;
2651
2652         AVC_AUDIT_DATA_INIT(&ad,FS);
2653         ad.u.fs.path.dentry = dentry;
2654
2655         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2656                           FILE__RELABELFROM, &ad);
2657         if (rc)
2658                 return rc;
2659
2660         rc = security_context_to_sid(value, size, &newsid);
2661         if (rc)
2662                 return rc;
2663
2664         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2665                           FILE__RELABELTO, &ad);
2666         if (rc)
2667                 return rc;
2668
2669         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2670                                           isec->sclass);
2671         if (rc)
2672                 return rc;
2673
2674         return avc_has_perm(newsid,
2675                             sbsec->sid,
2676                             SECCLASS_FILESYSTEM,
2677                             FILESYSTEM__ASSOCIATE,
2678                             &ad);
2679 }
2680
2681 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2682                                         void *value, size_t size, int flags)
2683 {
2684         struct inode *inode = dentry->d_inode;
2685         struct inode_security_struct *isec = inode->i_security;
2686         u32 newsid;
2687         int rc;
2688
2689         if (strcmp(name, XATTR_NAME_SELINUX)) {
2690                 /* Not an attribute we recognize, so nothing to do. */
2691                 return;
2692         }
2693
2694         rc = security_context_to_sid(value, size, &newsid);
2695         if (rc) {
2696                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2697                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2698                 return;
2699         }
2700
2701         isec->sid = newsid;
2702         return;
2703 }
2704
2705 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2706 {
2707         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2708 }
2709
2710 static int selinux_inode_listxattr (struct dentry *dentry)
2711 {
2712         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2713 }
2714
2715 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2716 {
2717         if (strcmp(name, XATTR_NAME_SELINUX))
2718                 return selinux_inode_setotherxattr(dentry, name);
2719
2720         /* No one is allowed to remove a SELinux security label.
2721            You can change the label, but all data must be labeled. */
2722         return -EACCES;
2723 }
2724
2725 /*
2726  * Copy the in-core inode security context value to the user.  If the
2727  * getxattr() prior to this succeeded, check to see if we need to
2728  * canonicalize the value to be finally returned to the user.
2729  *
2730  * Permission check is handled by selinux_inode_getxattr hook.
2731  */
2732 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2733 {
2734         u32 size;
2735         int error;
2736         char *context = NULL;
2737         struct inode_security_struct *isec = inode->i_security;
2738
2739         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2740                 return -EOPNOTSUPP;
2741
2742         error = security_sid_to_context(isec->sid, &context, &size);
2743         if (error)
2744                 return error;
2745         error = size;
2746         if (alloc) {
2747                 *buffer = context;
2748                 goto out_nofree;
2749         }
2750         kfree(context);
2751 out_nofree:
2752         return error;
2753 }
2754
2755 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2756                                      const void *value, size_t size, int flags)
2757 {
2758         struct inode_security_struct *isec = inode->i_security;
2759         u32 newsid;
2760         int rc;
2761
2762         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2763                 return -EOPNOTSUPP;
2764
2765         if (!value || !size)
2766                 return -EACCES;
2767
2768         rc = security_context_to_sid((void*)value, size, &newsid);
2769         if (rc)
2770                 return rc;
2771
2772         isec->sid = newsid;
2773         return 0;
2774 }
2775
2776 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2777 {
2778         const int len = sizeof(XATTR_NAME_SELINUX);
2779         if (buffer && len <= buffer_size)
2780                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2781         return len;
2782 }
2783
2784 static int selinux_inode_need_killpriv(struct dentry *dentry)
2785 {
2786         return secondary_ops->inode_need_killpriv(dentry);
2787 }
2788
2789 static int selinux_inode_killpriv(struct dentry *dentry)
2790 {
2791         return secondary_ops->inode_killpriv(dentry);
2792 }
2793
2794 /* file security operations */
2795
2796 static int selinux_revalidate_file_permission(struct file *file, int mask)
2797 {
2798         int rc;
2799         struct inode *inode = file->f_path.dentry->d_inode;
2800
2801         if (!mask) {
2802                 /* No permission to check.  Existence test. */
2803                 return 0;
2804         }
2805
2806         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2807         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2808                 mask |= MAY_APPEND;
2809
2810         rc = file_has_perm(current, file,
2811                            file_mask_to_av(inode->i_mode, mask));
2812         if (rc)
2813                 return rc;
2814
2815         return selinux_netlbl_inode_permission(inode, mask);
2816 }
2817
2818 static int selinux_file_permission(struct file *file, int mask)
2819 {
2820         struct inode *inode = file->f_path.dentry->d_inode;
2821         struct task_security_struct *tsec = current->security;
2822         struct file_security_struct *fsec = file->f_security;
2823         struct inode_security_struct *isec = inode->i_security;
2824
2825         if (!mask) {
2826                 /* No permission to check.  Existence test. */
2827                 return 0;
2828         }
2829
2830         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2831             && fsec->pseqno == avc_policy_seqno())
2832                 return selinux_netlbl_inode_permission(inode, mask);
2833
2834         return selinux_revalidate_file_permission(file, mask);
2835 }
2836
2837 static int selinux_file_alloc_security(struct file *file)
2838 {
2839         return file_alloc_security(file);
2840 }
2841
2842 static void selinux_file_free_security(struct file *file)
2843 {
2844         file_free_security(file);
2845 }
2846
2847 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2848                               unsigned long arg)
2849 {
2850         int error = 0;
2851
2852         switch (cmd) {
2853                 case FIONREAD:
2854                 /* fall through */
2855                 case FIBMAP:
2856                 /* fall through */
2857                 case FIGETBSZ:
2858                 /* fall through */
2859                 case EXT2_IOC_GETFLAGS:
2860                 /* fall through */
2861                 case EXT2_IOC_GETVERSION:
2862                         error = file_has_perm(current, file, FILE__GETATTR);
2863                         break;
2864
2865                 case EXT2_IOC_SETFLAGS:
2866                 /* fall through */
2867                 case EXT2_IOC_SETVERSION:
2868                         error = file_has_perm(current, file, FILE__SETATTR);
2869                         break;
2870
2871                 /* sys_ioctl() checks */
2872                 case FIONBIO:
2873                 /* fall through */
2874                 case FIOASYNC:
2875                         error = file_has_perm(current, file, 0);
2876                         break;
2877
2878                 case KDSKBENT:
2879                 case KDSKBSENT:
2880                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2881                         break;
2882
2883                 /* default case assumes that the command will go
2884                  * to the file's ioctl() function.
2885                  */
2886                 default:
2887                         error = file_has_perm(current, file, FILE__IOCTL);
2888
2889         }
2890         return error;
2891 }
2892
2893 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2894 {
2895 #ifndef CONFIG_PPC32
2896         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2897                 /*
2898                  * We are making executable an anonymous mapping or a
2899                  * private file mapping that will also be writable.
2900                  * This has an additional check.
2901                  */
2902                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2903                 if (rc)
2904                         return rc;
2905         }
2906 #endif
2907
2908         if (file) {
2909                 /* read access is always possible with a mapping */
2910                 u32 av = FILE__READ;
2911
2912                 /* write access only matters if the mapping is shared */
2913                 if (shared && (prot & PROT_WRITE))
2914                         av |= FILE__WRITE;
2915
2916                 if (prot & PROT_EXEC)
2917                         av |= FILE__EXECUTE;
2918
2919                 return file_has_perm(current, file, av);
2920         }
2921         return 0;
2922 }
2923
2924 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2925                              unsigned long prot, unsigned long flags,
2926                              unsigned long addr, unsigned long addr_only)
2927 {
2928         int rc = 0;
2929         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2930
2931         if (addr < mmap_min_addr)
2932                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2933                                   MEMPROTECT__MMAP_ZERO, NULL);
2934         if (rc || addr_only)
2935                 return rc;
2936
2937         if (selinux_checkreqprot)
2938                 prot = reqprot;
2939
2940         return file_map_prot_check(file, prot,
2941                                    (flags & MAP_TYPE) == MAP_SHARED);
2942 }
2943
2944 static int selinux_file_mprotect(struct vm_area_struct *vma,
2945                                  unsigned long reqprot,
2946                                  unsigned long prot)
2947 {
2948         int rc;
2949
2950         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2951         if (rc)
2952                 return rc;
2953
2954         if (selinux_checkreqprot)
2955                 prot = reqprot;
2956
2957 #ifndef CONFIG_PPC32
2958         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2959                 rc = 0;
2960                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2961                     vma->vm_end <= vma->vm_mm->brk) {
2962                         rc = task_has_perm(current, current,
2963                                            PROCESS__EXECHEAP);
2964                 } else if (!vma->vm_file &&
2965                            vma->vm_start <= vma->vm_mm->start_stack &&
2966                            vma->vm_end >= vma->vm_mm->start_stack) {
2967                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2968                 } else if (vma->vm_file && vma->anon_vma) {
2969                         /*
2970                          * We are making executable a file mapping that has
2971                          * had some COW done. Since pages might have been
2972                          * written, check ability to execute the possibly
2973                          * modified content.  This typically should only
2974                          * occur for text relocations.
2975                          */
2976                         rc = file_has_perm(current, vma->vm_file,
2977                                            FILE__EXECMOD);
2978                 }
2979                 if (rc)
2980                         return rc;
2981         }
2982 #endif
2983
2984         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2985 }
2986
2987 static int selinux_file_lock(struct file *file, unsigned int cmd)
2988 {
2989         return file_has_perm(current, file, FILE__LOCK);
2990 }
2991
2992 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2993                               unsigned long arg)
2994 {
2995         int err = 0;
2996
2997         switch (cmd) {
2998                 case F_SETFL:
2999                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3000                                 err = -EINVAL;
3001                                 break;
3002                         }
3003
3004                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3005                                 err = file_has_perm(current, file,FILE__WRITE);
3006                                 break;
3007                         }
3008                         /* fall through */
3009                 case F_SETOWN:
3010                 case F_SETSIG:
3011                 case F_GETFL:
3012                 case F_GETOWN:
3013                 case F_GETSIG:
3014                         /* Just check FD__USE permission */
3015                         err = file_has_perm(current, file, 0);
3016                         break;
3017                 case F_GETLK:
3018                 case F_SETLK:
3019                 case F_SETLKW:
3020 #if BITS_PER_LONG == 32
3021                 case F_GETLK64:
3022                 case F_SETLK64:
3023                 case F_SETLKW64:
3024 #endif
3025                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3026                                 err = -EINVAL;
3027                                 break;
3028                         }
3029                         err = file_has_perm(current, file, FILE__LOCK);
3030                         break;
3031         }
3032
3033         return err;
3034 }
3035
3036 static int selinux_file_set_fowner(struct file *file)
3037 {
3038         struct task_security_struct *tsec;
3039         struct file_security_struct *fsec;
3040
3041         tsec = current->security;
3042         fsec = file->f_security;
3043         fsec->fown_sid = tsec->sid;
3044
3045         return 0;
3046 }
3047
3048 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3049                                        struct fown_struct *fown, int signum)
3050 {
3051         struct file *file;
3052         u32 perm;
3053         struct task_security_struct *tsec;
3054         struct file_security_struct *fsec;
3055
3056         /* struct fown_struct is never outside the context of a struct file */
3057         file = container_of(fown, struct file, f_owner);
3058
3059         tsec = tsk->security;
3060         fsec = file->f_security;
3061
3062         if (!signum)
3063                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3064         else
3065                 perm = signal_to_av(signum);
3066
3067         return avc_has_perm(fsec->fown_sid, tsec->sid,
3068                             SECCLASS_PROCESS, perm, NULL);
3069 }
3070
3071 static int selinux_file_receive(struct file *file)
3072 {
3073         return file_has_perm(current, file, file_to_av(file));
3074 }
3075
3076 static int selinux_dentry_open(struct file *file)
3077 {
3078         struct file_security_struct *fsec;
3079         struct inode *inode;
3080         struct inode_security_struct *isec;
3081         inode = file->f_path.dentry->d_inode;
3082         fsec = file->f_security;
3083         isec = inode->i_security;
3084         /*
3085          * Save inode label and policy sequence number
3086          * at open-time so that selinux_file_permission
3087          * can determine whether revalidation is necessary.
3088          * Task label is already saved in the file security
3089          * struct as its SID.
3090          */
3091         fsec->isid = isec->sid;
3092         fsec->pseqno = avc_policy_seqno();
3093         /*
3094          * Since the inode label or policy seqno may have changed
3095          * between the selinux_inode_permission check and the saving
3096          * of state above, recheck that access is still permitted.
3097          * Otherwise, access might never be revalidated against the
3098          * new inode label or new policy.
3099          * This check is not redundant - do not remove.
3100          */
3101         return inode_has_perm(current, inode, file_to_av(file), NULL);
3102 }
3103
3104 /* task security operations */
3105
3106 static int selinux_task_create(unsigned long clone_flags)
3107 {
3108         int rc;
3109
3110         rc = secondary_ops->task_create(clone_flags);
3111         if (rc)
3112                 return rc;
3113
3114         return task_has_perm(current, current, PROCESS__FORK);
3115 }
3116
3117 static int selinux_task_alloc_security(struct task_struct *tsk)
3118 {
3119         struct task_security_struct *tsec1, *tsec2;
3120         int rc;
3121
3122         tsec1 = current->security;
3123
3124         rc = task_alloc_security(tsk);
3125         if (rc)
3126                 return rc;
3127         tsec2 = tsk->security;
3128
3129         tsec2->osid = tsec1->osid;
3130         tsec2->sid = tsec1->sid;
3131
3132         /* Retain the exec, fs, key, and sock SIDs across fork */
3133         tsec2->exec_sid = tsec1->exec_sid;
3134         tsec2->create_sid = tsec1->create_sid;
3135         tsec2->keycreate_sid = tsec1->keycreate_sid;
3136         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3137
3138         return 0;
3139 }
3140
3141 static void selinux_task_free_security(struct task_struct *tsk)
3142 {
3143         task_free_security(tsk);
3144 }
3145
3146 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3147 {
3148         /* Since setuid only affects the current process, and
3149            since the SELinux controls are not based on the Linux
3150            identity attributes, SELinux does not need to control
3151            this operation.  However, SELinux does control the use
3152            of the CAP_SETUID and CAP_SETGID capabilities using the
3153            capable hook. */
3154         return 0;
3155 }
3156
3157 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3158 {
3159         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3160 }
3161
3162 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3163 {
3164         /* See the comment for setuid above. */
3165         return 0;
3166 }
3167
3168 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3169 {
3170         return task_has_perm(current, p, PROCESS__SETPGID);
3171 }
3172
3173 static int selinux_task_getpgid(struct task_struct *p)
3174 {
3175         return task_has_perm(current, p, PROCESS__GETPGID);
3176 }
3177
3178 static int selinux_task_getsid(struct task_struct *p)
3179 {
3180         return task_has_perm(current, p, PROCESS__GETSESSION);
3181 }
3182
3183 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3184 {
3185         selinux_get_task_sid(p, secid);
3186 }
3187
3188 static int selinux_task_setgroups(struct group_info *group_info)
3189 {
3190         /* See the comment for setuid above. */
3191         return 0;
3192 }
3193
3194 static int selinux_task_setnice(struct task_struct *p, int nice)
3195 {
3196         int rc;
3197
3198         rc = secondary_ops->task_setnice(p, nice);
3199         if (rc)
3200                 return rc;
3201
3202         return task_has_perm(current,p, PROCESS__SETSCHED);
3203 }
3204
3205 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3206 {
3207         int rc;
3208
3209         rc = secondary_ops->task_setioprio(p, ioprio);
3210         if (rc)
3211                 return rc;
3212
3213         return task_has_perm(current, p, PROCESS__SETSCHED);
3214 }
3215
3216 static int selinux_task_getioprio(struct task_struct *p)
3217 {
3218         return task_has_perm(current, p, PROCESS__GETSCHED);
3219 }
3220
3221 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3222 {
3223         struct rlimit *old_rlim = current->signal->rlim + resource;
3224         int rc;
3225
3226         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3227         if (rc)
3228                 return rc;
3229
3230         /* Control the ability to change the hard limit (whether
3231            lowering or raising it), so that the hard limit can
3232            later be used as a safe reset point for the soft limit
3233            upon context transitions. See selinux_bprm_apply_creds. */
3234         if (old_rlim->rlim_max != new_rlim->rlim_max)
3235                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3236
3237         return 0;
3238 }
3239
3240 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3241 {
3242         int rc;
3243
3244         rc = secondary_ops->task_setscheduler(p, policy, lp);
3245         if (rc)
3246                 return rc;
3247
3248         return task_has_perm(current, p, PROCESS__SETSCHED);
3249 }
3250
3251 static int selinux_task_getscheduler(struct task_struct *p)
3252 {
3253         return task_has_perm(current, p, PROCESS__GETSCHED);
3254 }
3255
3256 static int selinux_task_movememory(struct task_struct *p)
3257 {
3258         return task_has_perm(current, p, PROCESS__SETSCHED);
3259 }
3260
3261 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3262                                 int sig, u32 secid)
3263 {
3264         u32 perm;
3265         int rc;
3266         struct task_security_struct *tsec;
3267
3268         rc = secondary_ops->task_kill(p, info, sig, secid);
3269         if (rc)
3270                 return rc;
3271
3272         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3273                 return 0;
3274
3275         if (!sig)
3276                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3277         else
3278                 perm = signal_to_av(sig);
3279         tsec = p->security;
3280         if (secid)
3281                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3282         else
3283                 rc = task_has_perm(current, p, perm);
3284         return rc;
3285 }
3286
3287 static int selinux_task_prctl(int option,
3288                               unsigned long arg2,
3289                               unsigned long arg3,
3290                               unsigned long arg4,
3291                               unsigned long arg5)
3292 {
3293         /* The current prctl operations do not appear to require
3294            any SELinux controls since they merely observe or modify
3295            the state of the current process. */
3296         return 0;
3297 }
3298
3299 static int selinux_task_wait(struct task_struct *p)
3300 {
3301         return task_has_perm(p, current, PROCESS__SIGCHLD);
3302 }
3303
3304 static void selinux_task_reparent_to_init(struct task_struct *p)
3305 {
3306         struct task_security_struct *tsec;
3307
3308         secondary_ops->task_reparent_to_init(p);
3309
3310         tsec = p->security;
3311         tsec->osid = tsec->sid;
3312         tsec->sid = SECINITSID_KERNEL;
3313         return;
3314 }
3315
3316 static void selinux_task_to_inode(struct task_struct *p,
3317                                   struct inode *inode)
3318 {
3319         struct task_security_struct *tsec = p->security;
3320         struct inode_security_struct *isec = inode->i_security;
3321
3322         isec->sid = tsec->sid;
3323         isec->initialized = 1;
3324         return;
3325 }
3326
3327 /* Returns error only if unable to parse addresses */
3328 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3329                         struct avc_audit_data *ad, u8 *proto)
3330 {
3331         int offset, ihlen, ret = -EINVAL;
3332         struct iphdr _iph, *ih;
3333
3334         offset = skb_network_offset(skb);
3335         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3336         if (ih == NULL)
3337                 goto out;
3338
3339         ihlen = ih->ihl * 4;
3340         if (ihlen < sizeof(_iph))
3341                 goto out;
3342
3343         ad->u.net.v4info.saddr = ih->saddr;
3344         ad->u.net.v4info.daddr = ih->daddr;
3345         ret = 0;
3346
3347         if (proto)
3348                 *proto = ih->protocol;
3349
3350         switch (ih->protocol) {
3351         case IPPROTO_TCP: {
3352                 struct tcphdr _tcph, *th;
3353
3354                 if (ntohs(ih->frag_off) & IP_OFFSET)
3355                         break;
3356
3357                 offset += ihlen;
3358                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3359                 if (th == NULL)
3360                         break;
3361
3362                 ad->u.net.sport = th->source;
3363                 ad->u.net.dport = th->dest;
3364                 break;
3365         }
3366         
3367         case IPPROTO_UDP: {
3368                 struct udphdr _udph, *uh;
3369                 
3370                 if (ntohs(ih->frag_off) & IP_OFFSET)
3371                         break;
3372                         
3373                 offset += ihlen;
3374                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3375                 if (uh == NULL)
3376                         break;  
3377
3378                 ad->u.net.sport = uh->source;
3379                 ad->u.net.dport = uh->dest;
3380                 break;
3381         }
3382
3383         case IPPROTO_DCCP: {
3384                 struct dccp_hdr _dccph, *dh;
3385
3386                 if (ntohs(ih->frag_off) & IP_OFFSET)
3387                         break;
3388
3389                 offset += ihlen;
3390                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3391                 if (dh == NULL)
3392                         break;
3393
3394                 ad->u.net.sport = dh->dccph_sport;
3395                 ad->u.net.dport = dh->dccph_dport;
3396                 break;
3397         }
3398
3399         default:
3400                 break;
3401         }
3402 out:
3403         return ret;
3404 }
3405
3406 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3407
3408 /* Returns error only if unable to parse addresses */
3409 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3410                         struct avc_audit_data *ad, u8 *proto)
3411 {
3412         u8 nexthdr;
3413         int ret = -EINVAL, offset;
3414         struct ipv6hdr _ipv6h, *ip6;
3415
3416         offset = skb_network_offset(skb);
3417         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3418         if (ip6 == NULL)
3419                 goto out;
3420
3421         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3422         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3423         ret = 0;
3424
3425         nexthdr = ip6->nexthdr;
3426         offset += sizeof(_ipv6h);
3427         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3428         if (offset < 0)
3429                 goto out;
3430
3431         if (proto)
3432                 *proto = nexthdr;
3433
3434         switch (nexthdr) {
3435         case IPPROTO_TCP: {
3436                 struct tcphdr _tcph, *th;
3437
3438                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3439                 if (th == NULL)
3440                         break;
3441
3442                 ad->u.net.sport = th->source;
3443                 ad->u.net.dport = th->dest;
3444                 break;
3445         }
3446
3447         case IPPROTO_UDP: {
3448                 struct udphdr _udph, *uh;
3449
3450                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3451                 if (uh == NULL)
3452                         break;
3453
3454                 ad->u.net.sport = uh->source;
3455                 ad->u.net.dport = uh->dest;
3456                 break;
3457         }
3458
3459         case IPPROTO_DCCP: {
3460                 struct dccp_hdr _dccph, *dh;
3461
3462                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3463                 if (dh == NULL)
3464                         break;
3465
3466                 ad->u.net.sport = dh->dccph_sport;
3467                 ad->u.net.dport = dh->dccph_dport;
3468                 break;
3469         }
3470
3471         /* includes fragments */
3472         default:
3473                 break;
3474         }
3475 out:
3476         return ret;
3477 }
3478
3479 #endif /* IPV6 */
3480
3481 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3482                              char **addrp, int src, u8 *proto)
3483 {
3484         int ret = 0;
3485
3486         switch (ad->u.net.family) {
3487         case PF_INET:
3488                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3489                 if (ret || !addrp)
3490                         break;
3491                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3492                                         &ad->u.net.v4info.daddr);
3493                 break;
3494
3495 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3496         case PF_INET6:
3497                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3498                 if (ret || !addrp)
3499                         break;
3500                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3501                                         &ad->u.net.v6info.daddr);
3502                 break;
3503 #endif  /* IPV6 */
3504         default:
3505                 break;
3506         }
3507
3508         if (unlikely(ret))
3509                 printk(KERN_WARNING
3510                        "SELinux: failure in selinux_parse_skb(),"
3511                        " unable to parse packet\n");
3512
3513         return ret;
3514 }
3515
3516 /**
3517  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3518  * @skb: the packet
3519  * @family: protocol family
3520  * @sid: the packet's peer label SID
3521  *
3522  * Description:
3523  * Check the various different forms of network peer labeling and determine
3524  * the peer label/SID for the packet; most of the magic actually occurs in
3525  * the security server function security_net_peersid_cmp().  The function
3526  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3527  * or -EACCES if @sid is invalid due to inconsistencies with the different
3528  * peer labels.
3529  *
3530  */
3531 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3532 {
3533         int err;
3534         u32 xfrm_sid;
3535         u32 nlbl_sid;
3536         u32 nlbl_type;
3537
3538         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3539         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3540
3541         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3542         if (unlikely(err)) {
3543                 printk(KERN_WARNING
3544                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3545                        " unable to determine packet's peer label\n");
3546                 return -EACCES;
3547         }
3548
3549         return 0;
3550 }
3551
3552 /* socket security operations */
3553 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3554                            u32 perms)
3555 {
3556         struct inode_security_struct *isec;
3557         struct task_security_struct *tsec;
3558         struct avc_audit_data ad;
3559         int err = 0;
3560
3561         tsec = task->security;
3562         isec = SOCK_INODE(sock)->i_security;
3563
3564         if (isec->sid == SECINITSID_KERNEL)
3565                 goto out;
3566
3567         AVC_AUDIT_DATA_INIT(&ad,NET);
3568         ad.u.net.sk = sock->sk;
3569         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3570
3571 out:
3572         return err;
3573 }
3574
3575 static int selinux_socket_create(int family, int type,
3576                                  int protocol, int kern)
3577 {
3578         int err = 0;
3579         struct task_security_struct *tsec;
3580         u32 newsid;
3581
3582         if (kern)
3583                 goto out;
3584
3585         tsec = current->security;
3586         newsid = tsec->sockcreate_sid ? : tsec->sid;
3587         err = avc_has_perm(tsec->sid, newsid,
3588                            socket_type_to_security_class(family, type,
3589                            protocol), SOCKET__CREATE, NULL);
3590
3591 out:
3592         return err;
3593 }
3594
3595 static int selinux_socket_post_create(struct socket *sock, int family,
3596                                       int type, int protocol, int kern)
3597 {
3598         int err = 0;
3599         struct inode_security_struct *isec;
3600         struct task_security_struct *tsec;
3601         struct sk_security_struct *sksec;
3602         u32 newsid;
3603
3604         isec = SOCK_INODE(sock)->i_security;
3605
3606         tsec = current->security;
3607         newsid = tsec->sockcreate_sid ? : tsec->sid;
3608         isec->sclass = socket_type_to_security_class(family, type, protocol);
3609         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3610         isec->initialized = 1;
3611
3612         if (sock->sk) {
3613                 sksec = sock->sk->sk_security;
3614                 sksec->sid = isec->sid;
3615                 sksec->sclass = isec->sclass;
3616                 err = selinux_netlbl_socket_post_create(sock);
3617         }
3618
3619         return err;
3620 }
3621
3622 /* Range of port numbers used to automatically bind.
3623    Need to determine whether we should perform a name_bind
3624    permission check between the socket and the port number. */
3625
3626 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3627 {
3628         u16 family;
3629         int err;
3630
3631         err = socket_has_perm(current, sock, SOCKET__BIND);
3632         if (err)
3633                 goto out;
3634
3635         /*
3636          * If PF_INET or PF_INET6, check name_bind permission for the port.
3637          * Multiple address binding for SCTP is not supported yet: we just
3638          * check the first address now.
3639          */
3640         family = sock->sk->sk_family;
3641         if (family == PF_INET || family == PF_INET6) {
3642                 char *addrp;
3643                 struct inode_security_struct *isec;
3644                 struct task_security_struct *tsec;
3645                 struct avc_audit_data ad;
3646                 struct sockaddr_in *addr4 = NULL;
3647                 struct sockaddr_in6 *addr6 = NULL;
3648                 unsigned short snum;
3649                 struct sock *sk = sock->sk;
3650                 u32 sid, node_perm, addrlen;
3651
3652                 tsec = current->security;
3653                 isec = SOCK_INODE(sock)->i_security;
3654
3655                 if (family == PF_INET) {
3656                         addr4 = (struct sockaddr_in *)address;
3657                         snum = ntohs(addr4->sin_port);
3658                         addrlen = sizeof(addr4->sin_addr.s_addr);
3659                         addrp = (char *)&addr4->sin_addr.s_addr;
3660                 } else {
3661                         addr6 = (struct sockaddr_in6 *)address;
3662                         snum = ntohs(addr6->sin6_port);
3663                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3664                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3665                 }
3666
3667                 if (snum) {
3668                         int low, high;
3669
3670                         inet_get_local_port_range(&low, &high);
3671
3672                         if (snum < max(PROT_SOCK, low) || snum > high) {
3673                                 err = security_port_sid(sk->sk_family,
3674                                                         sk->sk_type,
3675                                                         sk->sk_protocol, snum,
3676                                                         &sid);
3677                                 if (err)
3678                                         goto out;
3679                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3680                                 ad.u.net.sport = htons(snum);
3681                                 ad.u.net.family = family;
3682                                 err = avc_has_perm(isec->sid, sid,
3683                                                    isec->sclass,
3684                                                    SOCKET__NAME_BIND, &ad);
3685                                 if (err)
3686                                         goto out;
3687                         }
3688                 }
3689                 
3690                 switch(isec->sclass) {
3691                 case SECCLASS_TCP_SOCKET:
3692                         node_perm = TCP_SOCKET__NODE_BIND;
3693                         break;
3694                         
3695                 case SECCLASS_UDP_SOCKET:
3696                         node_perm = UDP_SOCKET__NODE_BIND;
3697                         break;
3698
3699                 case SECCLASS_DCCP_SOCKET:
3700                         node_perm = DCCP_SOCKET__NODE_BIND;
3701                         break;
3702
3703                 default:
3704                         node_perm = RAWIP_SOCKET__NODE_BIND;
3705                         break;
3706                 }
3707                 
3708                 err = sel_netnode_sid(addrp, family, &sid);
3709                 if (err)
3710                         goto out;
3711                 
3712                 AVC_AUDIT_DATA_INIT(&ad,NET);
3713                 ad.u.net.sport = htons(snum);
3714                 ad.u.net.family = family;
3715
3716                 if (family == PF_INET)
3717                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3718                 else
3719                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3720
3721                 err = avc_has_perm(isec->sid, sid,
3722                                    isec->sclass, node_perm, &ad);
3723                 if (err)
3724                         goto out;
3725         }
3726 out:
3727         return err;
3728 }
3729
3730 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3731 {
3732         struct inode_security_struct *isec;
3733         int err;
3734
3735         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3736         if (err)
3737                 return err;
3738
3739         /*
3740          * If a TCP or DCCP socket, check name_connect permission for the port.
3741          */
3742         isec = SOCK_INODE(sock)->i_security;
3743         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3744             isec->sclass == SECCLASS_DCCP_SOCKET) {
3745                 struct sock *sk = sock->sk;
3746                 struct avc_audit_data ad;
3747                 struct sockaddr_in *addr4 = NULL;
3748                 struct sockaddr_in6 *addr6 = NULL;
3749                 unsigned short snum;
3750                 u32 sid, perm;
3751
3752                 if (sk->sk_family == PF_INET) {
3753                         addr4 = (struct sockaddr_in *)address;
3754                         if (addrlen < sizeof(struct sockaddr_in))
3755                                 return -EINVAL;
3756                         snum = ntohs(addr4->sin_port);
3757                 } else {
3758                         addr6 = (struct sockaddr_in6 *)address;
3759                         if (addrlen < SIN6_LEN_RFC2133)
3760                                 return -EINVAL;
3761                         snum = ntohs(addr6->sin6_port);
3762                 }
3763
3764                 err = security_port_sid(sk->sk_family, sk->sk_type,
3765                                         sk->sk_protocol, snum, &sid);
3766                 if (err)
3767                         goto out;
3768
3769                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3770                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3771
3772                 AVC_AUDIT_DATA_INIT(&ad,NET);
3773                 ad.u.net.dport = htons(snum);
3774                 ad.u.net.family = sk->sk_family;
3775                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3776                 if (err)
3777                         goto out;
3778         }
3779
3780 out:
3781         return err;
3782 }
3783
3784 static int selinux_socket_listen(struct socket *sock, int backlog)
3785 {
3786         return socket_has_perm(current, sock, SOCKET__LISTEN);
3787 }
3788
3789 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3790 {
3791         int err;
3792         struct inode_security_struct *isec;
3793         struct inode_security_struct *newisec;
3794
3795         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3796         if (err)
3797                 return err;
3798
3799         newisec = SOCK_INODE(newsock)->i_security;
3800
3801         isec = SOCK_INODE(sock)->i_security;
3802         newisec->sclass = isec->sclass;
3803         newisec->sid = isec->sid;
3804         newisec->initialized = 1;
3805
3806         return 0;
3807 }
3808
3809 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3810                                   int size)
3811 {
3812         int rc;
3813
3814         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3815         if (rc)
3816                 return rc;
3817
3818         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3819 }
3820
3821 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3822                                   int size, int flags)
3823 {
3824         return socket_has_perm(current, sock, SOCKET__READ);
3825 }
3826
3827 static int selinux_socket_getsockname(struct socket *sock)
3828 {
3829         return socket_has_perm(current, sock, SOCKET__GETATTR);
3830 }
3831