fc774436a264d0f21c1b07f142d96331372014f2
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         init_MUTEX(&isec->sem);
158         INIT_LIST_HEAD(&isec->list);
159         isec->magic = SELINUX_MAGIC;
160         isec->inode = inode;
161         isec->sid = SECINITSID_UNLABELED;
162         isec->sclass = SECCLASS_FILE;
163         if (tsec && tsec->magic == SELINUX_MAGIC)
164                 isec->task_sid = tsec->sid;
165         else
166                 isec->task_sid = SECINITSID_UNLABELED;
167         inode->i_security = isec;
168
169         return 0;
170 }
171
172 static void inode_free_security(struct inode *inode)
173 {
174         struct inode_security_struct *isec = inode->i_security;
175         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
176
177         if (!isec || isec->magic != SELINUX_MAGIC)
178                 return;
179
180         spin_lock(&sbsec->isec_lock);
181         if (!list_empty(&isec->list))
182                 list_del_init(&isec->list);
183         spin_unlock(&sbsec->isec_lock);
184
185         inode->i_security = NULL;
186         kfree(isec);
187 }
188
189 static int file_alloc_security(struct file *file)
190 {
191         struct task_security_struct *tsec = current->security;
192         struct file_security_struct *fsec;
193
194         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195         if (!fsec)
196                 return -ENOMEM;
197
198         fsec->magic = SELINUX_MAGIC;
199         fsec->file = file;
200         if (tsec && tsec->magic == SELINUX_MAGIC) {
201                 fsec->sid = tsec->sid;
202                 fsec->fown_sid = tsec->sid;
203         } else {
204                 fsec->sid = SECINITSID_UNLABELED;
205                 fsec->fown_sid = SECINITSID_UNLABELED;
206         }
207         file->f_security = fsec;
208
209         return 0;
210 }
211
212 static void file_free_security(struct file *file)
213 {
214         struct file_security_struct *fsec = file->f_security;
215
216         if (!fsec || fsec->magic != SELINUX_MAGIC)
217                 return;
218
219         file->f_security = NULL;
220         kfree(fsec);
221 }
222
223 static int superblock_alloc_security(struct super_block *sb)
224 {
225         struct superblock_security_struct *sbsec;
226
227         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228         if (!sbsec)
229                 return -ENOMEM;
230
231         init_MUTEX(&sbsec->sem);
232         INIT_LIST_HEAD(&sbsec->list);
233         INIT_LIST_HEAD(&sbsec->isec_head);
234         spin_lock_init(&sbsec->isec_lock);
235         sbsec->magic = SELINUX_MAGIC;
236         sbsec->sb = sb;
237         sbsec->sid = SECINITSID_UNLABELED;
238         sbsec->def_sid = SECINITSID_FILE;
239         sb->s_security = sbsec;
240
241         return 0;
242 }
243
244 static void superblock_free_security(struct super_block *sb)
245 {
246         struct superblock_security_struct *sbsec = sb->s_security;
247
248         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249                 return;
250
251         spin_lock(&sb_security_lock);
252         if (!list_empty(&sbsec->list))
253                 list_del_init(&sbsec->list);
254         spin_unlock(&sb_security_lock);
255
256         sb->s_security = NULL;
257         kfree(sbsec);
258 }
259
260 #ifdef CONFIG_SECURITY_NETWORK
261 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
262 {
263         struct sk_security_struct *ssec;
264
265         if (family != PF_UNIX)
266                 return 0;
267
268         ssec = kzalloc(sizeof(*ssec), priority);
269         if (!ssec)
270                 return -ENOMEM;
271
272         ssec->magic = SELINUX_MAGIC;
273         ssec->sk = sk;
274         ssec->peer_sid = SECINITSID_UNLABELED;
275         sk->sk_security = ssec;
276
277         return 0;
278 }
279
280 static void sk_free_security(struct sock *sk)
281 {
282         struct sk_security_struct *ssec = sk->sk_security;
283
284         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
285                 return;
286
287         sk->sk_security = NULL;
288         kfree(ssec);
289 }
290 #endif  /* CONFIG_SECURITY_NETWORK */
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318 };
319
320 static match_table_t tokens = {
321         {Opt_context, "context=%s"},
322         {Opt_fscontext, "fscontext=%s"},
323         {Opt_defcontext, "defcontext=%s"},
324 };
325
326 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
327
328 static int try_context_mount(struct super_block *sb, void *data)
329 {
330         char *context = NULL, *defcontext = NULL;
331         const char *name;
332         u32 sid;
333         int alloc = 0, rc = 0, seen = 0;
334         struct task_security_struct *tsec = current->security;
335         struct superblock_security_struct *sbsec = sb->s_security;
336
337         if (!data)
338                 goto out;
339
340         name = sb->s_type->name;
341
342         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343
344                 /* NFS we understand. */
345                 if (!strcmp(name, "nfs")) {
346                         struct nfs_mount_data *d = data;
347
348                         if (d->version <  NFS_MOUNT_VERSION)
349                                 goto out;
350
351                         if (d->context[0]) {
352                                 context = d->context;
353                                 seen |= Opt_context;
354                         }
355                 } else
356                         goto out;
357
358         } else {
359                 /* Standard string-based options. */
360                 char *p, *options = data;
361
362                 while ((p = strsep(&options, ",")) != NULL) {
363                         int token;
364                         substring_t args[MAX_OPT_ARGS];
365
366                         if (!*p)
367                                 continue;
368
369                         token = match_token(p, tokens, args);
370
371                         switch (token) {
372                         case Opt_context:
373                                 if (seen) {
374                                         rc = -EINVAL;
375                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
376                                         goto out_free;
377                                 }
378                                 context = match_strdup(&args[0]);
379                                 if (!context) {
380                                         rc = -ENOMEM;
381                                         goto out_free;
382                                 }
383                                 if (!alloc)
384                                         alloc = 1;
385                                 seen |= Opt_context;
386                                 break;
387
388                         case Opt_fscontext:
389                                 if (seen & (Opt_context|Opt_fscontext)) {
390                                         rc = -EINVAL;
391                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
392                                         goto out_free;
393                                 }
394                                 context = match_strdup(&args[0]);
395                                 if (!context) {
396                                         rc = -ENOMEM;
397                                         goto out_free;
398                                 }
399                                 if (!alloc)
400                                         alloc = 1;
401                                 seen |= Opt_fscontext;
402                                 break;
403
404                         case Opt_defcontext:
405                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
406                                         rc = -EINVAL;
407                                         printk(KERN_WARNING "SELinux:  "
408                                                "defcontext option is invalid "
409                                                "for this filesystem type\n");
410                                         goto out_free;
411                                 }
412                                 if (seen & (Opt_context|Opt_defcontext)) {
413                                         rc = -EINVAL;
414                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415                                         goto out_free;
416                                 }
417                                 defcontext = match_strdup(&args[0]);
418                                 if (!defcontext) {
419                                         rc = -ENOMEM;
420                                         goto out_free;
421                                 }
422                                 if (!alloc)
423                                         alloc = 1;
424                                 seen |= Opt_defcontext;
425                                 break;
426
427                         default:
428                                 rc = -EINVAL;
429                                 printk(KERN_WARNING "SELinux:  unknown mount "
430                                        "option\n");
431                                 goto out_free;
432
433                         }
434                 }
435         }
436
437         if (!seen)
438                 goto out;
439
440         if (context) {
441                 rc = security_context_to_sid(context, strlen(context), &sid);
442                 if (rc) {
443                         printk(KERN_WARNING "SELinux: security_context_to_sid"
444                                "(%s) failed for (dev %s, type %s) errno=%d\n",
445                                context, sb->s_id, name, rc);
446                         goto out_free;
447                 }
448
449                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                                   FILESYSTEM__RELABELFROM, NULL);
451                 if (rc)
452                         goto out_free;
453
454                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELTO, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 sbsec->sid = sid;
460
461                 if (seen & Opt_context)
462                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
463         }
464
465         if (defcontext) {
466                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
467                 if (rc) {
468                         printk(KERN_WARNING "SELinux: security_context_to_sid"
469                                "(%s) failed for (dev %s, type %s) errno=%d\n",
470                                defcontext, sb->s_id, name, rc);
471                         goto out_free;
472                 }
473
474                 if (sid == sbsec->def_sid)
475                         goto out_free;
476
477                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                                   FILESYSTEM__RELABELFROM, NULL);
479                 if (rc)
480                         goto out_free;
481
482                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__ASSOCIATE, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 sbsec->def_sid = sid;
488         }
489
490 out_free:
491         if (alloc) {
492                 kfree(context);
493                 kfree(defcontext);
494         }
495 out:
496         return rc;
497 }
498
499 static int superblock_doinit(struct super_block *sb, void *data)
500 {
501         struct superblock_security_struct *sbsec = sb->s_security;
502         struct dentry *root = sb->s_root;
503         struct inode *inode = root->d_inode;
504         int rc = 0;
505
506         down(&sbsec->sem);
507         if (sbsec->initialized)
508                 goto out;
509
510         if (!ss_initialized) {
511                 /* Defer initialization until selinux_complete_init,
512                    after the initial policy is loaded and the security
513                    server is ready to handle calls. */
514                 spin_lock(&sb_security_lock);
515                 if (list_empty(&sbsec->list))
516                         list_add(&sbsec->list, &superblock_security_head);
517                 spin_unlock(&sb_security_lock);
518                 goto out;
519         }
520
521         /* Determine the labeling behavior to use for this filesystem type. */
522         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
523         if (rc) {
524                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
525                        __FUNCTION__, sb->s_type->name, rc);
526                 goto out;
527         }
528
529         rc = try_context_mount(sb, data);
530         if (rc)
531                 goto out;
532
533         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534                 /* Make sure that the xattr handler exists and that no
535                    error other than -ENODATA is returned by getxattr on
536                    the root directory.  -ENODATA is ok, as this may be
537                    the first boot of the SELinux kernel before we have
538                    assigned xattr values to the filesystem. */
539                 if (!inode->i_op->getxattr) {
540                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
541                                "xattr support\n", sb->s_id, sb->s_type->name);
542                         rc = -EOPNOTSUPP;
543                         goto out;
544                 }
545                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
546                 if (rc < 0 && rc != -ENODATA) {
547                         if (rc == -EOPNOTSUPP)
548                                 printk(KERN_WARNING "SELinux: (dev %s, type "
549                                        "%s) has no security xattr handler\n",
550                                        sb->s_id, sb->s_type->name);
551                         else
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) getxattr errno %d\n", sb->s_id,
554                                        sb->s_type->name, -rc);
555                         goto out;
556                 }
557         }
558
559         if (strcmp(sb->s_type->name, "proc") == 0)
560                 sbsec->proc = 1;
561
562         sbsec->initialized = 1;
563
564         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
565                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
566                        sb->s_id, sb->s_type->name);
567         }
568         else {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
570                        sb->s_id, sb->s_type->name,
571                        labeling_behaviors[sbsec->behavior-1]);
572         }
573
574         /* Initialize the root inode. */
575         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
576
577         /* Initialize any other inodes associated with the superblock, e.g.
578            inodes created prior to initial policy load or inodes created
579            during get_sb by a pseudo filesystem that directly
580            populates itself. */
581         spin_lock(&sbsec->isec_lock);
582 next_inode:
583         if (!list_empty(&sbsec->isec_head)) {
584                 struct inode_security_struct *isec =
585                                 list_entry(sbsec->isec_head.next,
586                                            struct inode_security_struct, list);
587                 struct inode *inode = isec->inode;
588                 spin_unlock(&sbsec->isec_lock);
589                 inode = igrab(inode);
590                 if (inode) {
591                         if (!IS_PRIVATE (inode))
592                                 inode_doinit(inode);
593                         iput(inode);
594                 }
595                 spin_lock(&sbsec->isec_lock);
596                 list_del_init(&isec->list);
597                 goto next_inode;
598         }
599         spin_unlock(&sbsec->isec_lock);
600 out:
601         up(&sbsec->sem);
602         return rc;
603 }
604
605 static inline u16 inode_mode_to_security_class(umode_t mode)
606 {
607         switch (mode & S_IFMT) {
608         case S_IFSOCK:
609                 return SECCLASS_SOCK_FILE;
610         case S_IFLNK:
611                 return SECCLASS_LNK_FILE;
612         case S_IFREG:
613                 return SECCLASS_FILE;
614         case S_IFBLK:
615                 return SECCLASS_BLK_FILE;
616         case S_IFDIR:
617                 return SECCLASS_DIR;
618         case S_IFCHR:
619                 return SECCLASS_CHR_FILE;
620         case S_IFIFO:
621                 return SECCLASS_FIFO_FILE;
622
623         }
624
625         return SECCLASS_FILE;
626 }
627
628 static inline int default_protocol_stream(int protocol)
629 {
630         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
631 }
632
633 static inline int default_protocol_dgram(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
636 }
637
638 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 {
640         switch (family) {
641         case PF_UNIX:
642                 switch (type) {
643                 case SOCK_STREAM:
644                 case SOCK_SEQPACKET:
645                         return SECCLASS_UNIX_STREAM_SOCKET;
646                 case SOCK_DGRAM:
647                         return SECCLASS_UNIX_DGRAM_SOCKET;
648                 }
649                 break;
650         case PF_INET:
651         case PF_INET6:
652                 switch (type) {
653                 case SOCK_STREAM:
654                         if (default_protocol_stream(protocol))
655                                 return SECCLASS_TCP_SOCKET;
656                         else
657                                 return SECCLASS_RAWIP_SOCKET;
658                 case SOCK_DGRAM:
659                         if (default_protocol_dgram(protocol))
660                                 return SECCLASS_UDP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 default:
664                         return SECCLASS_RAWIP_SOCKET;
665                 }
666                 break;
667         case PF_NETLINK:
668                 switch (protocol) {
669                 case NETLINK_ROUTE:
670                         return SECCLASS_NETLINK_ROUTE_SOCKET;
671                 case NETLINK_FIREWALL:
672                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
673                 case NETLINK_INET_DIAG:
674                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
675                 case NETLINK_NFLOG:
676                         return SECCLASS_NETLINK_NFLOG_SOCKET;
677                 case NETLINK_XFRM:
678                         return SECCLASS_NETLINK_XFRM_SOCKET;
679                 case NETLINK_SELINUX:
680                         return SECCLASS_NETLINK_SELINUX_SOCKET;
681                 case NETLINK_AUDIT:
682                         return SECCLASS_NETLINK_AUDIT_SOCKET;
683                 case NETLINK_IP6_FW:
684                         return SECCLASS_NETLINK_IP6FW_SOCKET;
685                 case NETLINK_DNRTMSG:
686                         return SECCLASS_NETLINK_DNRT_SOCKET;
687                 case NETLINK_KOBJECT_UEVENT:
688                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
689                 default:
690                         return SECCLASS_NETLINK_SOCKET;
691                 }
692         case PF_PACKET:
693                 return SECCLASS_PACKET_SOCKET;
694         case PF_KEY:
695                 return SECCLASS_KEY_SOCKET;
696         }
697
698         return SECCLASS_SOCKET;
699 }
700
701 #ifdef CONFIG_PROC_FS
702 static int selinux_proc_get_sid(struct proc_dir_entry *de,
703                                 u16 tclass,
704                                 u32 *sid)
705 {
706         int buflen, rc;
707         char *buffer, *path, *end;
708
709         buffer = (char*)__get_free_page(GFP_KERNEL);
710         if (!buffer)
711                 return -ENOMEM;
712
713         buflen = PAGE_SIZE;
714         end = buffer+buflen;
715         *--end = '\0';
716         buflen--;
717         path = end-1;
718         *path = '/';
719         while (de && de != de->parent) {
720                 buflen -= de->namelen + 1;
721                 if (buflen < 0)
722                         break;
723                 end -= de->namelen;
724                 memcpy(end, de->name, de->namelen);
725                 *--end = '/';
726                 path = end;
727                 de = de->parent;
728         }
729         rc = security_genfs_sid("proc", path, tclass, sid);
730         free_page((unsigned long)buffer);
731         return rc;
732 }
733 #else
734 static int selinux_proc_get_sid(struct proc_dir_entry *de,
735                                 u16 tclass,
736                                 u32 *sid)
737 {
738         return -EINVAL;
739 }
740 #endif
741
742 /* The inode's security attributes must be initialized before first use. */
743 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
744 {
745         struct superblock_security_struct *sbsec = NULL;
746         struct inode_security_struct *isec = inode->i_security;
747         u32 sid;
748         struct dentry *dentry;
749 #define INITCONTEXTLEN 255
750         char *context = NULL;
751         unsigned len = 0;
752         int rc = 0;
753         int hold_sem = 0;
754
755         if (isec->initialized)
756                 goto out;
757
758         down(&isec->sem);
759         hold_sem = 1;
760         if (isec->initialized)
761                 goto out;
762
763         sbsec = inode->i_sb->s_security;
764         if (!sbsec->initialized) {
765                 /* Defer initialization until selinux_complete_init,
766                    after the initial policy is loaded and the security
767                    server is ready to handle calls. */
768                 spin_lock(&sbsec->isec_lock);
769                 if (list_empty(&isec->list))
770                         list_add(&isec->list, &sbsec->isec_head);
771                 spin_unlock(&sbsec->isec_lock);
772                 goto out;
773         }
774
775         switch (sbsec->behavior) {
776         case SECURITY_FS_USE_XATTR:
777                 if (!inode->i_op->getxattr) {
778                         isec->sid = sbsec->def_sid;
779                         break;
780                 }
781
782                 /* Need a dentry, since the xattr API requires one.
783                    Life would be simpler if we could just pass the inode. */
784                 if (opt_dentry) {
785                         /* Called from d_instantiate or d_splice_alias. */
786                         dentry = dget(opt_dentry);
787                 } else {
788                         /* Called from selinux_complete_init, try to find a dentry. */
789                         dentry = d_find_alias(inode);
790                 }
791                 if (!dentry) {
792                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
793                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
794                                inode->i_ino);
795                         goto out;
796                 }
797
798                 len = INITCONTEXTLEN;
799                 context = kmalloc(len, GFP_KERNEL);
800                 if (!context) {
801                         rc = -ENOMEM;
802                         dput(dentry);
803                         goto out;
804                 }
805                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
806                                            context, len);
807                 if (rc == -ERANGE) {
808                         /* Need a larger buffer.  Query for the right size. */
809                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
810                                                    NULL, 0);
811                         if (rc < 0) {
812                                 dput(dentry);
813                                 goto out;
814                         }
815                         kfree(context);
816                         len = rc;
817                         context = kmalloc(len, GFP_KERNEL);
818                         if (!context) {
819                                 rc = -ENOMEM;
820                                 dput(dentry);
821                                 goto out;
822                         }
823                         rc = inode->i_op->getxattr(dentry,
824                                                    XATTR_NAME_SELINUX,
825                                                    context, len);
826                 }
827                 dput(dentry);
828                 if (rc < 0) {
829                         if (rc != -ENODATA) {
830                                 printk(KERN_WARNING "%s:  getxattr returned "
831                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
832                                        -rc, inode->i_sb->s_id, inode->i_ino);
833                                 kfree(context);
834                                 goto out;
835                         }
836                         /* Map ENODATA to the default file SID */
837                         sid = sbsec->def_sid;
838                         rc = 0;
839                 } else {
840                         rc = security_context_to_sid_default(context, rc, &sid,
841                                                              sbsec->def_sid);
842                         if (rc) {
843                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
844                                        "returned %d for dev=%s ino=%ld\n",
845                                        __FUNCTION__, context, -rc,
846                                        inode->i_sb->s_id, inode->i_ino);
847                                 kfree(context);
848                                 /* Leave with the unlabeled SID */
849                                 rc = 0;
850                                 break;
851                         }
852                 }
853                 kfree(context);
854                 isec->sid = sid;
855                 break;
856         case SECURITY_FS_USE_TASK:
857                 isec->sid = isec->task_sid;
858                 break;
859         case SECURITY_FS_USE_TRANS:
860                 /* Default to the fs SID. */
861                 isec->sid = sbsec->sid;
862
863                 /* Try to obtain a transition SID. */
864                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
865                 rc = security_transition_sid(isec->task_sid,
866                                              sbsec->sid,
867                                              isec->sclass,
868                                              &sid);
869                 if (rc)
870                         goto out;
871                 isec->sid = sid;
872                 break;
873         default:
874                 /* Default to the fs SID. */
875                 isec->sid = sbsec->sid;
876
877                 if (sbsec->proc) {
878                         struct proc_inode *proci = PROC_I(inode);
879                         if (proci->pde) {
880                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
881                                 rc = selinux_proc_get_sid(proci->pde,
882                                                           isec->sclass,
883                                                           &sid);
884                                 if (rc)
885                                         goto out;
886                                 isec->sid = sid;
887                         }
888                 }
889                 break;
890         }
891
892         isec->initialized = 1;
893
894 out:
895         if (isec->sclass == SECCLASS_FILE)
896                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
897
898         if (hold_sem)
899                 up(&isec->sem);
900         return rc;
901 }
902
903 /* Convert a Linux signal to an access vector. */
904 static inline u32 signal_to_av(int sig)
905 {
906         u32 perm = 0;
907
908         switch (sig) {
909         case SIGCHLD:
910                 /* Commonly granted from child to parent. */
911                 perm = PROCESS__SIGCHLD;
912                 break;
913         case SIGKILL:
914                 /* Cannot be caught or ignored */
915                 perm = PROCESS__SIGKILL;
916                 break;
917         case SIGSTOP:
918                 /* Cannot be caught or ignored */
919                 perm = PROCESS__SIGSTOP;
920                 break;
921         default:
922                 /* All other signals. */
923                 perm = PROCESS__SIGNAL;
924                 break;
925         }
926
927         return perm;
928 }
929
930 /* Check permission betweeen a pair of tasks, e.g. signal checks,
931    fork check, ptrace check, etc. */
932 static int task_has_perm(struct task_struct *tsk1,
933                          struct task_struct *tsk2,
934                          u32 perms)
935 {
936         struct task_security_struct *tsec1, *tsec2;
937
938         tsec1 = tsk1->security;
939         tsec2 = tsk2->security;
940         return avc_has_perm(tsec1->sid, tsec2->sid,
941                             SECCLASS_PROCESS, perms, NULL);
942 }
943
944 /* Check whether a task is allowed to use a capability. */
945 static int task_has_capability(struct task_struct *tsk,
946                                int cap)
947 {
948         struct task_security_struct *tsec;
949         struct avc_audit_data ad;
950
951         tsec = tsk->security;
952
953         AVC_AUDIT_DATA_INIT(&ad,CAP);
954         ad.tsk = tsk;
955         ad.u.cap = cap;
956
957         return avc_has_perm(tsec->sid, tsec->sid,
958                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
959 }
960
961 /* Check whether a task is allowed to use a system operation. */
962 static int task_has_system(struct task_struct *tsk,
963                            u32 perms)
964 {
965         struct task_security_struct *tsec;
966
967         tsec = tsk->security;
968
969         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
970                             SECCLASS_SYSTEM, perms, NULL);
971 }
972
973 /* Check whether a task has a particular permission to an inode.
974    The 'adp' parameter is optional and allows other audit
975    data to be passed (e.g. the dentry). */
976 static int inode_has_perm(struct task_struct *tsk,
977                           struct inode *inode,
978                           u32 perms,
979                           struct avc_audit_data *adp)
980 {
981         struct task_security_struct *tsec;
982         struct inode_security_struct *isec;
983         struct avc_audit_data ad;
984
985         tsec = tsk->security;
986         isec = inode->i_security;
987
988         if (!adp) {
989                 adp = &ad;
990                 AVC_AUDIT_DATA_INIT(&ad, FS);
991                 ad.u.fs.inode = inode;
992         }
993
994         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
995 }
996
997 /* Same as inode_has_perm, but pass explicit audit data containing
998    the dentry to help the auditing code to more easily generate the
999    pathname if needed. */
1000 static inline int dentry_has_perm(struct task_struct *tsk,
1001                                   struct vfsmount *mnt,
1002                                   struct dentry *dentry,
1003                                   u32 av)
1004 {
1005         struct inode *inode = dentry->d_inode;
1006         struct avc_audit_data ad;
1007         AVC_AUDIT_DATA_INIT(&ad,FS);
1008         ad.u.fs.mnt = mnt;
1009         ad.u.fs.dentry = dentry;
1010         return inode_has_perm(tsk, inode, av, &ad);
1011 }
1012
1013 /* Check whether a task can use an open file descriptor to
1014    access an inode in a given way.  Check access to the
1015    descriptor itself, and then use dentry_has_perm to
1016    check a particular permission to the file.
1017    Access to the descriptor is implicitly granted if it
1018    has the same SID as the process.  If av is zero, then
1019    access to the file is not checked, e.g. for cases
1020    where only the descriptor is affected like seek. */
1021 static inline int file_has_perm(struct task_struct *tsk,
1022                                 struct file *file,
1023                                 u32 av)
1024 {
1025         struct task_security_struct *tsec = tsk->security;
1026         struct file_security_struct *fsec = file->f_security;
1027         struct vfsmount *mnt = file->f_vfsmnt;
1028         struct dentry *dentry = file->f_dentry;
1029         struct inode *inode = dentry->d_inode;
1030         struct avc_audit_data ad;
1031         int rc;
1032
1033         AVC_AUDIT_DATA_INIT(&ad, FS);
1034         ad.u.fs.mnt = mnt;
1035         ad.u.fs.dentry = dentry;
1036
1037         if (tsec->sid != fsec->sid) {
1038                 rc = avc_has_perm(tsec->sid, fsec->sid,
1039                                   SECCLASS_FD,
1040                                   FD__USE,
1041                                   &ad);
1042                 if (rc)
1043                         return rc;
1044         }
1045
1046         /* av is zero if only checking access to the descriptor. */
1047         if (av)
1048                 return inode_has_perm(tsk, inode, av, &ad);
1049
1050         return 0;
1051 }
1052
1053 /* Check whether a task can create a file. */
1054 static int may_create(struct inode *dir,
1055                       struct dentry *dentry,
1056                       u16 tclass)
1057 {
1058         struct task_security_struct *tsec;
1059         struct inode_security_struct *dsec;
1060         struct superblock_security_struct *sbsec;
1061         u32 newsid;
1062         struct avc_audit_data ad;
1063         int rc;
1064
1065         tsec = current->security;
1066         dsec = dir->i_security;
1067         sbsec = dir->i_sb->s_security;
1068
1069         AVC_AUDIT_DATA_INIT(&ad, FS);
1070         ad.u.fs.dentry = dentry;
1071
1072         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1073                           DIR__ADD_NAME | DIR__SEARCH,
1074                           &ad);
1075         if (rc)
1076                 return rc;
1077
1078         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1079                 newsid = tsec->create_sid;
1080         } else {
1081                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082                                              &newsid);
1083                 if (rc)
1084                         return rc;
1085         }
1086
1087         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1088         if (rc)
1089                 return rc;
1090
1091         return avc_has_perm(newsid, sbsec->sid,
1092                             SECCLASS_FILESYSTEM,
1093                             FILESYSTEM__ASSOCIATE, &ad);
1094 }
1095
1096 #define MAY_LINK   0
1097 #define MAY_UNLINK 1
1098 #define MAY_RMDIR  2
1099
1100 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1101 static int may_link(struct inode *dir,
1102                     struct dentry *dentry,
1103                     int kind)
1104
1105 {
1106         struct task_security_struct *tsec;
1107         struct inode_security_struct *dsec, *isec;
1108         struct avc_audit_data ad;
1109         u32 av;
1110         int rc;
1111
1112         tsec = current->security;
1113         dsec = dir->i_security;
1114         isec = dentry->d_inode->i_security;
1115
1116         AVC_AUDIT_DATA_INIT(&ad, FS);
1117         ad.u.fs.dentry = dentry;
1118
1119         av = DIR__SEARCH;
1120         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1121         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1122         if (rc)
1123                 return rc;
1124
1125         switch (kind) {
1126         case MAY_LINK:
1127                 av = FILE__LINK;
1128                 break;
1129         case MAY_UNLINK:
1130                 av = FILE__UNLINK;
1131                 break;
1132         case MAY_RMDIR:
1133                 av = DIR__RMDIR;
1134                 break;
1135         default:
1136                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1137                 return 0;
1138         }
1139
1140         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1141         return rc;
1142 }
1143
1144 static inline int may_rename(struct inode *old_dir,
1145                              struct dentry *old_dentry,
1146                              struct inode *new_dir,
1147                              struct dentry *new_dentry)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1151         struct avc_audit_data ad;
1152         u32 av;
1153         int old_is_dir, new_is_dir;
1154         int rc;
1155
1156         tsec = current->security;
1157         old_dsec = old_dir->i_security;
1158         old_isec = old_dentry->d_inode->i_security;
1159         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1160         new_dsec = new_dir->i_security;
1161
1162         AVC_AUDIT_DATA_INIT(&ad, FS);
1163
1164         ad.u.fs.dentry = old_dentry;
1165         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1166                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1167         if (rc)
1168                 return rc;
1169         rc = avc_has_perm(tsec->sid, old_isec->sid,
1170                           old_isec->sclass, FILE__RENAME, &ad);
1171         if (rc)
1172                 return rc;
1173         if (old_is_dir && new_dir != old_dir) {
1174                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1175                                   old_isec->sclass, DIR__REPARENT, &ad);
1176                 if (rc)
1177                         return rc;
1178         }
1179
1180         ad.u.fs.dentry = new_dentry;
1181         av = DIR__ADD_NAME | DIR__SEARCH;
1182         if (new_dentry->d_inode)
1183                 av |= DIR__REMOVE_NAME;
1184         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1185         if (rc)
1186                 return rc;
1187         if (new_dentry->d_inode) {
1188                 new_isec = new_dentry->d_inode->i_security;
1189                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1190                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1191                                   new_isec->sclass,
1192                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         return 0;
1198 }
1199
1200 /* Check whether a task can perform a filesystem operation. */
1201 static int superblock_has_perm(struct task_struct *tsk,
1202                                struct super_block *sb,
1203                                u32 perms,
1204                                struct avc_audit_data *ad)
1205 {
1206         struct task_security_struct *tsec;
1207         struct superblock_security_struct *sbsec;
1208
1209         tsec = tsk->security;
1210         sbsec = sb->s_security;
1211         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1212                             perms, ad);
1213 }
1214
1215 /* Convert a Linux mode and permission mask to an access vector. */
1216 static inline u32 file_mask_to_av(int mode, int mask)
1217 {
1218         u32 av = 0;
1219
1220         if ((mode & S_IFMT) != S_IFDIR) {
1221                 if (mask & MAY_EXEC)
1222                         av |= FILE__EXECUTE;
1223                 if (mask & MAY_READ)
1224                         av |= FILE__READ;
1225
1226                 if (mask & MAY_APPEND)
1227                         av |= FILE__APPEND;
1228                 else if (mask & MAY_WRITE)
1229                         av |= FILE__WRITE;
1230
1231         } else {
1232                 if (mask & MAY_EXEC)
1233                         av |= DIR__SEARCH;
1234                 if (mask & MAY_WRITE)
1235                         av |= DIR__WRITE;
1236                 if (mask & MAY_READ)
1237                         av |= DIR__READ;
1238         }
1239
1240         return av;
1241 }
1242
1243 /* Convert a Linux file to an access vector. */
1244 static inline u32 file_to_av(struct file *file)
1245 {
1246         u32 av = 0;
1247
1248         if (file->f_mode & FMODE_READ)
1249                 av |= FILE__READ;
1250         if (file->f_mode & FMODE_WRITE) {
1251                 if (file->f_flags & O_APPEND)
1252                         av |= FILE__APPEND;
1253                 else
1254                         av |= FILE__WRITE;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Set an inode's SID to a specified value. */
1261 static int inode_security_set_sid(struct inode *inode, u32 sid)
1262 {
1263         struct inode_security_struct *isec = inode->i_security;
1264         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1265
1266         if (!sbsec->initialized) {
1267                 /* Defer initialization to selinux_complete_init. */
1268                 return 0;
1269         }
1270
1271         down(&isec->sem);
1272         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273         isec->sid = sid;
1274         isec->initialized = 1;
1275         up(&isec->sem);
1276         return 0;
1277 }
1278
1279 /* Hook functions begin here. */
1280
1281 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1282 {
1283         struct task_security_struct *psec = parent->security;
1284         struct task_security_struct *csec = child->security;
1285         int rc;
1286
1287         rc = secondary_ops->ptrace(parent,child);
1288         if (rc)
1289                 return rc;
1290
1291         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1292         /* Save the SID of the tracing process for later use in apply_creds. */
1293         if (!rc)
1294                 csec->ptrace_sid = psec->sid;
1295         return rc;
1296 }
1297
1298 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1299                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1300 {
1301         int error;
1302
1303         error = task_has_perm(current, target, PROCESS__GETCAP);
1304         if (error)
1305                 return error;
1306
1307         return secondary_ops->capget(target, effective, inheritable, permitted);
1308 }
1309
1310 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1311                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1312 {
1313         int error;
1314
1315         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1316         if (error)
1317                 return error;
1318
1319         return task_has_perm(current, target, PROCESS__SETCAP);
1320 }
1321
1322 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1323                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1324 {
1325         secondary_ops->capset_set(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capable(struct task_struct *tsk, int cap)
1329 {
1330         int rc;
1331
1332         rc = secondary_ops->capable(tsk, cap);
1333         if (rc)
1334                 return rc;
1335
1336         return task_has_capability(tsk,cap);
1337 }
1338
1339 static int selinux_sysctl(ctl_table *table, int op)
1340 {
1341         int error = 0;
1342         u32 av;
1343         struct task_security_struct *tsec;
1344         u32 tsid;
1345         int rc;
1346
1347         rc = secondary_ops->sysctl(table, op);
1348         if (rc)
1349                 return rc;
1350
1351         tsec = current->security;
1352
1353         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1354                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1355         if (rc) {
1356                 /* Default to the well-defined sysctl SID. */
1357                 tsid = SECINITSID_SYSCTL;
1358         }
1359
1360         /* The op values are "defined" in sysctl.c, thereby creating
1361          * a bad coupling between this module and sysctl.c */
1362         if(op == 001) {
1363                 error = avc_has_perm(tsec->sid, tsid,
1364                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1365         } else {
1366                 av = 0;
1367                 if (op & 004)
1368                         av |= FILE__READ;
1369                 if (op & 002)
1370                         av |= FILE__WRITE;
1371                 if (av)
1372                         error = avc_has_perm(tsec->sid, tsid,
1373                                              SECCLASS_FILE, av, NULL);
1374         }
1375
1376         return error;
1377 }
1378
1379 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1380 {
1381         int rc = 0;
1382
1383         if (!sb)
1384                 return 0;
1385
1386         switch (cmds) {
1387                 case Q_SYNC:
1388                 case Q_QUOTAON:
1389                 case Q_QUOTAOFF:
1390                 case Q_SETINFO:
1391                 case Q_SETQUOTA:
1392                         rc = superblock_has_perm(current,
1393                                                  sb,
1394                                                  FILESYSTEM__QUOTAMOD, NULL);
1395                         break;
1396                 case Q_GETFMT:
1397                 case Q_GETINFO:
1398                 case Q_GETQUOTA:
1399                         rc = superblock_has_perm(current,
1400                                                  sb,
1401                                                  FILESYSTEM__QUOTAGET, NULL);
1402                         break;
1403                 default:
1404                         rc = 0;  /* let the kernel handle invalid cmds */
1405                         break;
1406         }
1407         return rc;
1408 }
1409
1410 static int selinux_quota_on(struct dentry *dentry)
1411 {
1412         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1413 }
1414
1415 static int selinux_syslog(int type)
1416 {
1417         int rc;
1418
1419         rc = secondary_ops->syslog(type);
1420         if (rc)
1421                 return rc;
1422
1423         switch (type) {
1424                 case 3:         /* Read last kernel messages */
1425                 case 10:        /* Return size of the log buffer */
1426                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1427                         break;
1428                 case 6:         /* Disable logging to console */
1429                 case 7:         /* Enable logging to console */
1430                 case 8:         /* Set level of messages printed to console */
1431                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1432                         break;
1433                 case 0:         /* Close log */
1434                 case 1:         /* Open log */
1435                 case 2:         /* Read from log */
1436                 case 4:         /* Read/clear last kernel messages */
1437                 case 5:         /* Clear ring buffer */
1438                 default:
1439                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1440                         break;
1441         }
1442         return rc;
1443 }
1444
1445 /*
1446  * Check that a process has enough memory to allocate a new virtual
1447  * mapping. 0 means there is enough memory for the allocation to
1448  * succeed and -ENOMEM implies there is not.
1449  *
1450  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1451  * if the capability is granted, but __vm_enough_memory requires 1 if
1452  * the capability is granted.
1453  *
1454  * Do not audit the selinux permission check, as this is applied to all
1455  * processes that allocate mappings.
1456  */
1457 static int selinux_vm_enough_memory(long pages)
1458 {
1459         int rc, cap_sys_admin = 0;
1460         struct task_security_struct *tsec = current->security;
1461
1462         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1463         if (rc == 0)
1464                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1465                                         SECCLASS_CAPABILITY,
1466                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1467                                         NULL);
1468
1469         if (rc == 0)
1470                 cap_sys_admin = 1;
1471
1472         return __vm_enough_memory(pages, cap_sys_admin);
1473 }
1474
1475 /* binprm security operations */
1476
1477 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1478 {
1479         struct bprm_security_struct *bsec;
1480
1481         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1482         if (!bsec)
1483                 return -ENOMEM;
1484
1485         bsec->magic = SELINUX_MAGIC;
1486         bsec->bprm = bprm;
1487         bsec->sid = SECINITSID_UNLABELED;
1488         bsec->set = 0;
1489
1490         bprm->security = bsec;
1491         return 0;
1492 }
1493
1494 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1495 {
1496         struct task_security_struct *tsec;
1497         struct inode *inode = bprm->file->f_dentry->d_inode;
1498         struct inode_security_struct *isec;
1499         struct bprm_security_struct *bsec;
1500         u32 newsid;
1501         struct avc_audit_data ad;
1502         int rc;
1503
1504         rc = secondary_ops->bprm_set_security(bprm);
1505         if (rc)
1506                 return rc;
1507
1508         bsec = bprm->security;
1509
1510         if (bsec->set)
1511                 return 0;
1512
1513         tsec = current->security;
1514         isec = inode->i_security;
1515
1516         /* Default to the current task SID. */
1517         bsec->sid = tsec->sid;
1518
1519         /* Reset create SID on execve. */
1520         tsec->create_sid = 0;
1521
1522         if (tsec->exec_sid) {
1523                 newsid = tsec->exec_sid;
1524                 /* Reset exec SID on execve. */
1525                 tsec->exec_sid = 0;
1526         } else {
1527                 /* Check for a default transition on this program. */
1528                 rc = security_transition_sid(tsec->sid, isec->sid,
1529                                              SECCLASS_PROCESS, &newsid);
1530                 if (rc)
1531                         return rc;
1532         }
1533
1534         AVC_AUDIT_DATA_INIT(&ad, FS);
1535         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1536         ad.u.fs.dentry = bprm->file->f_dentry;
1537
1538         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1539                 newsid = tsec->sid;
1540
1541         if (tsec->sid == newsid) {
1542                 rc = avc_has_perm(tsec->sid, isec->sid,
1543                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1544                 if (rc)
1545                         return rc;
1546         } else {
1547                 /* Check permissions for the transition. */
1548                 rc = avc_has_perm(tsec->sid, newsid,
1549                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1550                 if (rc)
1551                         return rc;
1552
1553                 rc = avc_has_perm(newsid, isec->sid,
1554                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 /* Clear any possibly unsafe personality bits on exec: */
1559                 current->personality &= ~PER_CLEAR_ON_SETID;
1560
1561                 /* Set the security field to the new SID. */
1562                 bsec->sid = newsid;
1563         }
1564
1565         bsec->set = 1;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1570 {
1571         return secondary_ops->bprm_check_security(bprm);
1572 }
1573
1574
1575 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1576 {
1577         struct task_security_struct *tsec = current->security;
1578         int atsecure = 0;
1579
1580         if (tsec->osid != tsec->sid) {
1581                 /* Enable secure mode for SIDs transitions unless
1582                    the noatsecure permission is granted between
1583                    the two SIDs, i.e. ahp returns 0. */
1584                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1585                                          SECCLASS_PROCESS,
1586                                          PROCESS__NOATSECURE, NULL);
1587         }
1588
1589         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1590 }
1591
1592 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1593 {
1594         kfree(bprm->security);
1595         bprm->security = NULL;
1596 }
1597
1598 extern struct vfsmount *selinuxfs_mount;
1599 extern struct dentry *selinux_null;
1600
1601 /* Derived from fs/exec.c:flush_old_files. */
1602 static inline void flush_unauthorized_files(struct files_struct * files)
1603 {
1604         struct avc_audit_data ad;
1605         struct file *file, *devnull = NULL;
1606         struct tty_struct *tty = current->signal->tty;
1607         struct fdtable *fdt;
1608         long j = -1;
1609
1610         if (tty) {
1611                 file_list_lock();
1612                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1613                 if (file) {
1614                         /* Revalidate access to controlling tty.
1615                            Use inode_has_perm on the tty inode directly rather
1616                            than using file_has_perm, as this particular open
1617                            file may belong to another process and we are only
1618                            interested in the inode-based check here. */
1619                         struct inode *inode = file->f_dentry->d_inode;
1620                         if (inode_has_perm(current, inode,
1621                                            FILE__READ | FILE__WRITE, NULL)) {
1622                                 /* Reset controlling tty. */
1623                                 current->signal->tty = NULL;
1624                                 current->signal->tty_old_pgrp = 0;
1625                         }
1626                 }
1627                 file_list_unlock();
1628         }
1629
1630         /* Revalidate access to inherited open files. */
1631
1632         AVC_AUDIT_DATA_INIT(&ad,FS);
1633
1634         spin_lock(&files->file_lock);
1635         for (;;) {
1636                 unsigned long set, i;
1637                 int fd;
1638
1639                 j++;
1640                 i = j * __NFDBITS;
1641                 fdt = files_fdtable(files);
1642                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1643                         break;
1644                 set = fdt->open_fds->fds_bits[j];
1645                 if (!set)
1646                         continue;
1647                 spin_unlock(&files->file_lock);
1648                 for ( ; set ; i++,set >>= 1) {
1649                         if (set & 1) {
1650                                 file = fget(i);
1651                                 if (!file)
1652                                         continue;
1653                                 if (file_has_perm(current,
1654                                                   file,
1655                                                   file_to_av(file))) {
1656                                         sys_close(i);
1657                                         fd = get_unused_fd();
1658                                         if (fd != i) {
1659                                                 if (fd >= 0)
1660                                                         put_unused_fd(fd);
1661                                                 fput(file);
1662                                                 continue;
1663                                         }
1664                                         if (devnull) {
1665                                                 rcuref_inc(&devnull->f_count);
1666                                         } else {
1667                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1668                                                 if (!devnull) {
1669                                                         put_unused_fd(fd);
1670                                                         fput(file);
1671                                                         continue;
1672                                                 }
1673                                         }
1674                                         fd_install(fd, devnull);
1675                                 }
1676                                 fput(file);
1677                         }
1678                 }
1679                 spin_lock(&files->file_lock);
1680
1681         }
1682         spin_unlock(&files->file_lock);
1683 }
1684
1685 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1686 {
1687         struct task_security_struct *tsec;
1688         struct bprm_security_struct *bsec;
1689         u32 sid;
1690         int rc;
1691
1692         secondary_ops->bprm_apply_creds(bprm, unsafe);
1693
1694         tsec = current->security;
1695
1696         bsec = bprm->security;
1697         sid = bsec->sid;
1698
1699         tsec->osid = tsec->sid;
1700         bsec->unsafe = 0;
1701         if (tsec->sid != sid) {
1702                 /* Check for shared state.  If not ok, leave SID
1703                    unchanged and kill. */
1704                 if (unsafe & LSM_UNSAFE_SHARE) {
1705                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1706                                         PROCESS__SHARE, NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712
1713                 /* Check for ptracing, and update the task SID if ok.
1714                    Otherwise, leave SID unchanged and kill. */
1715                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1716                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1717                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1718                                           NULL);
1719                         if (rc) {
1720                                 bsec->unsafe = 1;
1721                                 return;
1722                         }
1723                 }
1724                 tsec->sid = sid;
1725         }
1726 }
1727
1728 /*
1729  * called after apply_creds without the task lock held
1730  */
1731 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1732 {
1733         struct task_security_struct *tsec;
1734         struct rlimit *rlim, *initrlim;
1735         struct itimerval itimer;
1736         struct bprm_security_struct *bsec;
1737         int rc, i;
1738
1739         tsec = current->security;
1740         bsec = bprm->security;
1741
1742         if (bsec->unsafe) {
1743                 force_sig_specific(SIGKILL, current);
1744                 return;
1745         }
1746         if (tsec->osid == tsec->sid)
1747                 return;
1748
1749         /* Close files for which the new task SID is not authorized. */
1750         flush_unauthorized_files(current->files);
1751
1752         /* Check whether the new SID can inherit signal state
1753            from the old SID.  If not, clear itimers to avoid
1754            subsequent signal generation and flush and unblock
1755            signals. This must occur _after_ the task SID has
1756           been updated so that any kill done after the flush
1757           will be checked against the new SID. */
1758         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1759                           PROCESS__SIGINH, NULL);
1760         if (rc) {
1761                 memset(&itimer, 0, sizeof itimer);
1762                 for (i = 0; i < 3; i++)
1763                         do_setitimer(i, &itimer, NULL);
1764                 flush_signals(current);
1765                 spin_lock_irq(&current->sighand->siglock);
1766                 flush_signal_handlers(current, 1);
1767                 sigemptyset(&current->blocked);
1768                 recalc_sigpending();
1769                 spin_unlock_irq(&current->sighand->siglock);
1770         }
1771
1772         /* Check whether the new SID can inherit resource limits
1773            from the old SID.  If not, reset all soft limits to
1774            the lower of the current task's hard limit and the init
1775            task's soft limit.  Note that the setting of hard limits
1776            (even to lower them) can be controlled by the setrlimit
1777            check. The inclusion of the init task's soft limit into
1778            the computation is to avoid resetting soft limits higher
1779            than the default soft limit for cases where the default
1780            is lower than the hard limit, e.g. RLIMIT_CORE or
1781            RLIMIT_STACK.*/
1782         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1783                           PROCESS__RLIMITINH, NULL);
1784         if (rc) {
1785                 for (i = 0; i < RLIM_NLIMITS; i++) {
1786                         rlim = current->signal->rlim + i;
1787                         initrlim = init_task.signal->rlim+i;
1788                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1789                 }
1790                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1791                         /*
1792                          * This will cause RLIMIT_CPU calculations
1793                          * to be refigured.
1794                          */
1795                         current->it_prof_expires = jiffies_to_cputime(1);
1796                 }
1797         }
1798
1799         /* Wake up the parent if it is waiting so that it can
1800            recheck wait permission to the new task SID. */
1801         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1802 }
1803
1804 /* superblock security operations */
1805
1806 static int selinux_sb_alloc_security(struct super_block *sb)
1807 {
1808         return superblock_alloc_security(sb);
1809 }
1810
1811 static void selinux_sb_free_security(struct super_block *sb)
1812 {
1813         superblock_free_security(sb);
1814 }
1815
1816 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1817 {
1818         if (plen > olen)
1819                 return 0;
1820
1821         return !memcmp(prefix, option, plen);
1822 }
1823
1824 static inline int selinux_option(char *option, int len)
1825 {
1826         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1827                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1828                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1829 }
1830
1831 static inline void take_option(char **to, char *from, int *first, int len)
1832 {
1833         if (!*first) {
1834                 **to = ',';
1835                 *to += 1;
1836         }
1837         else
1838                 *first = 0;
1839         memcpy(*to, from, len);
1840         *to += len;
1841 }
1842
1843 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1844 {
1845         int fnosec, fsec, rc = 0;
1846         char *in_save, *in_curr, *in_end;
1847         char *sec_curr, *nosec_save, *nosec;
1848
1849         in_curr = orig;
1850         sec_curr = copy;
1851
1852         /* Binary mount data: just copy */
1853         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1854                 copy_page(sec_curr, in_curr);
1855                 goto out;
1856         }
1857
1858         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1859         if (!nosec) {
1860                 rc = -ENOMEM;
1861                 goto out;
1862         }
1863
1864         nosec_save = nosec;
1865         fnosec = fsec = 1;
1866         in_save = in_end = orig;
1867
1868         do {
1869                 if (*in_end == ',' || *in_end == '\0') {
1870                         int len = in_end - in_curr;
1871
1872                         if (selinux_option(in_curr, len))
1873                                 take_option(&sec_curr, in_curr, &fsec, len);
1874                         else
1875                                 take_option(&nosec, in_curr, &fnosec, len);
1876
1877                         in_curr = in_end + 1;
1878                 }
1879         } while (*in_end++);
1880
1881         strcpy(in_save, nosec_save);
1882         free_page((unsigned long)nosec_save);
1883 out:
1884         return rc;
1885 }
1886
1887 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1888 {
1889         struct avc_audit_data ad;
1890         int rc;
1891
1892         rc = superblock_doinit(sb, data);
1893         if (rc)
1894                 return rc;
1895
1896         AVC_AUDIT_DATA_INIT(&ad,FS);
1897         ad.u.fs.dentry = sb->s_root;
1898         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1899 }
1900
1901 static int selinux_sb_statfs(struct super_block *sb)
1902 {
1903         struct avc_audit_data ad;
1904
1905         AVC_AUDIT_DATA_INIT(&ad,FS);
1906         ad.u.fs.dentry = sb->s_root;
1907         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1908 }
1909
1910 static int selinux_mount(char * dev_name,
1911                          struct nameidata *nd,
1912                          char * type,
1913                          unsigned long flags,
1914                          void * data)
1915 {
1916         int rc;
1917
1918         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1919         if (rc)
1920                 return rc;
1921
1922         if (flags & MS_REMOUNT)
1923                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1924                                            FILESYSTEM__REMOUNT, NULL);
1925         else
1926                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1927                                        FILE__MOUNTON);
1928 }
1929
1930 static int selinux_umount(struct vfsmount *mnt, int flags)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_umount(mnt, flags);
1935         if (rc)
1936                 return rc;
1937
1938         return superblock_has_perm(current,mnt->mnt_sb,
1939                                    FILESYSTEM__UNMOUNT,NULL);
1940 }
1941
1942 /* inode security operations */
1943
1944 static int selinux_inode_alloc_security(struct inode *inode)
1945 {
1946         return inode_alloc_security(inode);
1947 }
1948
1949 static void selinux_inode_free_security(struct inode *inode)
1950 {
1951         inode_free_security(inode);
1952 }
1953
1954 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1955                                        char **name, void **value,
1956                                        size_t *len)
1957 {
1958         struct task_security_struct *tsec;
1959         struct inode_security_struct *dsec;
1960         struct superblock_security_struct *sbsec;
1961         struct inode_security_struct *isec;
1962         u32 newsid, clen;
1963         int rc;
1964         char *namep = NULL, *context;
1965
1966         tsec = current->security;
1967         dsec = dir->i_security;
1968         sbsec = dir->i_sb->s_security;
1969         isec = inode->i_security;
1970
1971         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972                 newsid = tsec->create_sid;
1973         } else {
1974                 rc = security_transition_sid(tsec->sid, dsec->sid,
1975                                              inode_mode_to_security_class(inode->i_mode),
1976                                              &newsid);
1977                 if (rc) {
1978                         printk(KERN_WARNING "%s:  "
1979                                "security_transition_sid failed, rc=%d (dev=%s "
1980                                "ino=%ld)\n",
1981                                __FUNCTION__,
1982                                -rc, inode->i_sb->s_id, inode->i_ino);
1983                         return rc;
1984                 }
1985         }
1986
1987         inode_security_set_sid(inode, newsid);
1988
1989         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1990                 return -EOPNOTSUPP;
1991
1992         if (name) {
1993                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1994                 if (!namep)
1995                         return -ENOMEM;
1996                 *name = namep;
1997         }
1998
1999         if (value && len) {
2000                 rc = security_sid_to_context(newsid, &context, &clen);
2001                 if (rc) {
2002                         kfree(namep);
2003                         return rc;
2004                 }
2005                 *value = context;
2006                 *len = clen;
2007         }
2008
2009         return 0;
2010 }
2011
2012 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2013 {
2014         return may_create(dir, dentry, SECCLASS_FILE);
2015 }
2016
2017 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2018 {
2019         int rc;
2020
2021         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2022         if (rc)
2023                 return rc;
2024         return may_link(dir, old_dentry, MAY_LINK);
2025 }
2026
2027 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2028 {
2029         int rc;
2030
2031         rc = secondary_ops->inode_unlink(dir, dentry);
2032         if (rc)
2033                 return rc;
2034         return may_link(dir, dentry, MAY_UNLINK);
2035 }
2036
2037 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2038 {
2039         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2040 }
2041
2042 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2043 {
2044         return may_create(dir, dentry, SECCLASS_DIR);
2045 }
2046
2047 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2048 {
2049         return may_link(dir, dentry, MAY_RMDIR);
2050 }
2051
2052 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2053 {
2054         int rc;
2055
2056         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2057         if (rc)
2058                 return rc;
2059
2060         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2061 }
2062
2063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2064                                 struct inode *new_inode, struct dentry *new_dentry)
2065 {
2066         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2067 }
2068
2069 static int selinux_inode_readlink(struct dentry *dentry)
2070 {
2071         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2072 }
2073
2074 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2075 {
2076         int rc;
2077
2078         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2079         if (rc)
2080                 return rc;
2081         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2082 }
2083
2084 static int selinux_inode_permission(struct inode *inode, int mask,
2085                                     struct nameidata *nd)
2086 {
2087         int rc;
2088
2089         rc = secondary_ops->inode_permission(inode, mask, nd);
2090         if (rc)
2091                 return rc;
2092
2093         if (!mask) {
2094                 /* No permission to check.  Existence test. */
2095                 return 0;
2096         }
2097
2098         return inode_has_perm(current, inode,
2099                                file_mask_to_av(inode->i_mode, mask), NULL);
2100 }
2101
2102 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2103 {
2104         int rc;
2105
2106         rc = secondary_ops->inode_setattr(dentry, iattr);
2107         if (rc)
2108                 return rc;
2109
2110         if (iattr->ia_valid & ATTR_FORCE)
2111                 return 0;
2112
2113         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2114                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2115                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2116
2117         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2118 }
2119
2120 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2121 {
2122         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2123 }
2124
2125 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2126 {
2127         struct task_security_struct *tsec = current->security;
2128         struct inode *inode = dentry->d_inode;
2129         struct inode_security_struct *isec = inode->i_security;
2130         struct superblock_security_struct *sbsec;
2131         struct avc_audit_data ad;
2132         u32 newsid;
2133         int rc = 0;
2134
2135         if (strcmp(name, XATTR_NAME_SELINUX)) {
2136                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2137                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2138                     !capable(CAP_SYS_ADMIN)) {
2139                         /* A different attribute in the security namespace.
2140                            Restrict to administrator. */
2141                         return -EPERM;
2142                 }
2143
2144                 /* Not an attribute we recognize, so just check the
2145                    ordinary setattr permission. */
2146                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2147         }
2148
2149         sbsec = inode->i_sb->s_security;
2150         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2151                 return -EOPNOTSUPP;
2152
2153         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2154                 return -EPERM;
2155
2156         AVC_AUDIT_DATA_INIT(&ad,FS);
2157         ad.u.fs.dentry = dentry;
2158
2159         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2160                           FILE__RELABELFROM, &ad);
2161         if (rc)
2162                 return rc;
2163
2164         rc = security_context_to_sid(value, size, &newsid);
2165         if (rc)
2166                 return rc;
2167
2168         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2169                           FILE__RELABELTO, &ad);
2170         if (rc)
2171                 return rc;
2172
2173         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2174                                           isec->sclass);
2175         if (rc)
2176                 return rc;
2177
2178         return avc_has_perm(newsid,
2179                             sbsec->sid,
2180                             SECCLASS_FILESYSTEM,
2181                             FILESYSTEM__ASSOCIATE,
2182                             &ad);
2183 }
2184
2185 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2186                                         void *value, size_t size, int flags)
2187 {
2188         struct inode *inode = dentry->d_inode;
2189         struct inode_security_struct *isec = inode->i_security;
2190         u32 newsid;
2191         int rc;
2192
2193         if (strcmp(name, XATTR_NAME_SELINUX)) {
2194                 /* Not an attribute we recognize, so nothing to do. */
2195                 return;
2196         }
2197
2198         rc = security_context_to_sid(value, size, &newsid);
2199         if (rc) {
2200                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2201                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2202                 return;
2203         }
2204
2205         isec->sid = newsid;
2206         return;
2207 }
2208
2209 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2210 {
2211         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2212 }
2213
2214 static int selinux_inode_listxattr (struct dentry *dentry)
2215 {
2216         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2217 }
2218
2219 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2220 {
2221         if (strcmp(name, XATTR_NAME_SELINUX)) {
2222                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2223                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2224                     !capable(CAP_SYS_ADMIN)) {
2225                         /* A different attribute in the security namespace.
2226                            Restrict to administrator. */
2227                         return -EPERM;
2228                 }
2229
2230                 /* Not an attribute we recognize, so just check the
2231                    ordinary setattr permission. Might want a separate
2232                    permission for removexattr. */
2233                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2234         }
2235
2236         /* No one is allowed to remove a SELinux security label.
2237            You can change the label, but all data must be labeled. */
2238         return -EACCES;
2239 }
2240
2241 /*
2242  * Copy the in-core inode security context value to the user.  If the
2243  * getxattr() prior to this succeeded, check to see if we need to
2244  * canonicalize the value to be finally returned to the user.
2245  *
2246  * Permission check is handled by selinux_inode_getxattr hook.
2247  */
2248 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2249 {
2250         struct inode_security_struct *isec = inode->i_security;
2251         char *context;
2252         unsigned len;
2253         int rc;
2254
2255         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2256                 rc = -EOPNOTSUPP;
2257                 goto out;
2258         }
2259
2260         rc = security_sid_to_context(isec->sid, &context, &len);
2261         if (rc)
2262                 goto out;
2263
2264         /* Probe for required buffer size */
2265         if (!buffer || !size) {
2266                 rc = len;
2267                 goto out_free;
2268         }
2269
2270         if (size < len) {
2271                 rc = -ERANGE;
2272                 goto out_free;
2273         }
2274
2275         if (err > 0) {
2276                 if ((len == err) && !(memcmp(context, buffer, len))) {
2277                         /* Don't need to canonicalize value */
2278                         rc = err;
2279                         goto out_free;
2280                 }
2281                 memset(buffer, 0, size);
2282         }
2283         memcpy(buffer, context, len);
2284         rc = len;
2285 out_free:
2286         kfree(context);
2287 out:
2288         return rc;
2289 }
2290
2291 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2292                                      const void *value, size_t size, int flags)
2293 {
2294         struct inode_security_struct *isec = inode->i_security;
2295         u32 newsid;
2296         int rc;
2297
2298         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2299                 return -EOPNOTSUPP;
2300
2301         if (!value || !size)
2302                 return -EACCES;
2303
2304         rc = security_context_to_sid((void*)value, size, &newsid);
2305         if (rc)
2306                 return rc;
2307
2308         isec->sid = newsid;
2309         return 0;
2310 }
2311
2312 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2313 {
2314         const int len = sizeof(XATTR_NAME_SELINUX);
2315         if (buffer && len <= buffer_size)
2316                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2317         return len;
2318 }
2319
2320 /* file security operations */
2321
2322 static int selinux_file_permission(struct file *file, int mask)
2323 {
2324         struct inode *inode = file->f_dentry->d_inode;
2325
2326         if (!mask) {
2327                 /* No permission to check.  Existence test. */
2328                 return 0;
2329         }
2330
2331         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2332         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2333                 mask |= MAY_APPEND;
2334
2335         return file_has_perm(current, file,
2336                              file_mask_to_av(inode->i_mode, mask));
2337 }
2338
2339 static int selinux_file_alloc_security(struct file *file)
2340 {
2341         return file_alloc_security(file);
2342 }
2343
2344 static void selinux_file_free_security(struct file *file)
2345 {
2346         file_free_security(file);
2347 }
2348
2349 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2350                               unsigned long arg)
2351 {
2352         int error = 0;
2353
2354         switch (cmd) {
2355                 case FIONREAD:
2356                 /* fall through */
2357                 case FIBMAP:
2358                 /* fall through */
2359                 case FIGETBSZ:
2360                 /* fall through */
2361                 case EXT2_IOC_GETFLAGS:
2362                 /* fall through */
2363                 case EXT2_IOC_GETVERSION:
2364                         error = file_has_perm(current, file, FILE__GETATTR);
2365                         break;
2366
2367                 case EXT2_IOC_SETFLAGS:
2368                 /* fall through */
2369                 case EXT2_IOC_SETVERSION:
2370                         error = file_has_perm(current, file, FILE__SETATTR);
2371                         break;
2372
2373                 /* sys_ioctl() checks */
2374                 case FIONBIO:
2375                 /* fall through */
2376                 case FIOASYNC:
2377                         error = file_has_perm(current, file, 0);
2378                         break;
2379
2380                 case KDSKBENT:
2381                 case KDSKBSENT:
2382                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2383                         break;
2384
2385                 /* default case assumes that the command will go
2386                  * to the file's ioctl() function.
2387                  */
2388                 default:
2389                         error = file_has_perm(current, file, FILE__IOCTL);
2390
2391         }
2392         return error;
2393 }
2394
2395 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2396 {
2397 #ifndef CONFIG_PPC32
2398         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2399                 /*
2400                  * We are making executable an anonymous mapping or a
2401                  * private file mapping that will also be writable.
2402                  * This has an additional check.
2403                  */
2404                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2405                 if (rc)
2406                         return rc;
2407         }
2408 #endif
2409
2410         if (file) {
2411                 /* read access is always possible with a mapping */
2412                 u32 av = FILE__READ;
2413
2414                 /* write access only matters if the mapping is shared */
2415                 if (shared && (prot & PROT_WRITE))
2416                         av |= FILE__WRITE;
2417
2418                 if (prot & PROT_EXEC)
2419                         av |= FILE__EXECUTE;
2420
2421                 return file_has_perm(current, file, av);
2422         }
2423         return 0;
2424 }
2425
2426 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2427                              unsigned long prot, unsigned long flags)
2428 {
2429         int rc;
2430
2431         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2432         if (rc)
2433                 return rc;
2434
2435         if (selinux_checkreqprot)
2436                 prot = reqprot;
2437
2438         return file_map_prot_check(file, prot,
2439                                    (flags & MAP_TYPE) == MAP_SHARED);
2440 }
2441
2442 static int selinux_file_mprotect(struct vm_area_struct *vma,
2443                                  unsigned long reqprot,
2444                                  unsigned long prot)
2445 {
2446         int rc;
2447
2448         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2449         if (rc)
2450                 return rc;
2451
2452         if (selinux_checkreqprot)
2453                 prot = reqprot;
2454
2455 #ifndef CONFIG_PPC32
2456         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2457            (vma->vm_start >= vma->vm_mm->start_brk &&
2458             vma->vm_end <= vma->vm_mm->brk)) {
2459                 /*
2460                  * We are making an executable mapping in the brk region.
2461                  * This has an additional execheap check.
2462                  */
2463                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2464                 if (rc)
2465                         return rc;
2466         }
2467         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2468                 /*
2469                  * We are making executable a file mapping that has
2470                  * had some COW done. Since pages might have been written,
2471                  * check ability to execute the possibly modified content.
2472                  * This typically should only occur for text relocations.
2473                  */
2474                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2475                 if (rc)
2476                         return rc;
2477         }
2478         if (!vma->vm_file && (prot & PROT_EXEC) &&
2479                 vma->vm_start <= vma->vm_mm->start_stack &&
2480                 vma->vm_end >= vma->vm_mm->start_stack) {
2481                 /* Attempt to make the process stack executable.
2482                  * This has an additional execstack check.
2483                  */
2484                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2485                 if (rc)
2486                         return rc;
2487         }
2488 #endif
2489
2490         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2491 }
2492
2493 static int selinux_file_lock(struct file *file, unsigned int cmd)
2494 {
2495         return file_has_perm(current, file, FILE__LOCK);
2496 }
2497
2498 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2499                               unsigned long arg)
2500 {
2501         int err = 0;
2502
2503         switch (cmd) {
2504                 case F_SETFL:
2505                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2506                                 err = -EINVAL;
2507                                 break;
2508                         }
2509
2510                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2511                                 err = file_has_perm(current, file,FILE__WRITE);
2512                                 break;
2513                         }
2514                         /* fall through */
2515                 case F_SETOWN:
2516                 case F_SETSIG:
2517                 case F_GETFL:
2518                 case F_GETOWN:
2519                 case F_GETSIG:
2520                         /* Just check FD__USE permission */
2521                         err = file_has_perm(current, file, 0);
2522                         break;
2523                 case F_GETLK:
2524                 case F_SETLK:
2525                 case F_SETLKW:
2526 #if BITS_PER_LONG == 32
2527                 case F_GETLK64:
2528                 case F_SETLK64:
2529                 case F_SETLKW64:
2530 #endif
2531                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2532                                 err = -EINVAL;
2533                                 break;
2534                         }
2535                         err = file_has_perm(current, file, FILE__LOCK);
2536                         break;
2537         }
2538
2539         return err;
2540 }
2541
2542 static int selinux_file_set_fowner(struct file *file)
2543 {
2544         struct task_security_struct *tsec;
2545         struct file_security_struct *fsec;
2546
2547         tsec = current->security;
2548         fsec = file->f_security;
2549         fsec->fown_sid = tsec->sid;
2550
2551         return 0;
2552 }
2553
2554 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2555                                        struct fown_struct *fown, int signum)
2556 {
2557         struct file *file;
2558         u32 perm;
2559         struct task_security_struct *tsec;
2560         struct file_security_struct *fsec;
2561
2562         /* struct fown_struct is never outside the context of a struct file */
2563         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2564
2565         tsec = tsk->security;
2566         fsec = file->f_security;
2567
2568         if (!signum)
2569                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2570         else
2571                 perm = signal_to_av(signum);
2572
2573         return avc_has_perm(fsec->fown_sid, tsec->sid,
2574                             SECCLASS_PROCESS, perm, NULL);
2575 }
2576
2577 static int selinux_file_receive(struct file *file)
2578 {
2579         return file_has_perm(current, file, file_to_av(file));
2580 }
2581
2582 /* task security operations */
2583
2584 static int selinux_task_create(unsigned long clone_flags)
2585 {
2586         int rc;
2587
2588         rc = secondary_ops->task_create(clone_flags);
2589         if (rc)
2590                 return rc;
2591
2592         return task_has_perm(current, current, PROCESS__FORK);
2593 }
2594
2595 static int selinux_task_alloc_security(struct task_struct *tsk)
2596 {
2597         struct task_security_struct *tsec1, *tsec2;
2598         int rc;
2599
2600         tsec1 = current->security;
2601
2602         rc = task_alloc_security(tsk);
2603         if (rc)
2604                 return rc;
2605         tsec2 = tsk->security;
2606
2607         tsec2->osid = tsec1->osid;
2608         tsec2->sid = tsec1->sid;
2609
2610         /* Retain the exec and create SIDs across fork */
2611         tsec2->exec_sid = tsec1->exec_sid;
2612         tsec2->create_sid = tsec1->create_sid;
2613
2614         /* Retain ptracer SID across fork, if any.
2615            This will be reset by the ptrace hook upon any
2616            subsequent ptrace_attach operations. */
2617         tsec2->ptrace_sid = tsec1->ptrace_sid;
2618
2619         return 0;
2620 }
2621
2622 static void selinux_task_free_security(struct task_struct *tsk)
2623 {
2624         task_free_security(tsk);
2625 }
2626
2627 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2628 {
2629         /* Since setuid only affects the current process, and
2630            since the SELinux controls are not based on the Linux
2631            identity attributes, SELinux does not need to control
2632            this operation.  However, SELinux does control the use
2633            of the CAP_SETUID and CAP_SETGID capabilities using the
2634            capable hook. */
2635         return 0;
2636 }
2637
2638 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2639 {
2640         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2641 }
2642
2643 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2644 {
2645         /* See the comment for setuid above. */
2646         return 0;
2647 }
2648
2649 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2650 {
2651         return task_has_perm(current, p, PROCESS__SETPGID);
2652 }
2653
2654 static int selinux_task_getpgid(struct task_struct *p)
2655 {
2656         return task_has_perm(current, p, PROCESS__GETPGID);
2657 }
2658
2659 static int selinux_task_getsid(struct task_struct *p)
2660 {
2661         return task_has_perm(current, p, PROCESS__GETSESSION);
2662 }
2663
2664 static int selinux_task_setgroups(struct group_info *group_info)
2665 {
2666         /* See the comment for setuid above. */
2667         return 0;
2668 }
2669
2670 static int selinux_task_setnice(struct task_struct *p, int nice)
2671 {
2672         int rc;
2673
2674         rc = secondary_ops->task_setnice(p, nice);
2675         if (rc)
2676                 return rc;
2677
2678         return task_has_perm(current,p, PROCESS__SETSCHED);
2679 }
2680
2681 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2682 {
2683         struct rlimit *old_rlim = current->signal->rlim + resource;
2684         int rc;
2685
2686         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2687         if (rc)
2688                 return rc;
2689
2690         /* Control the ability to change the hard limit (whether
2691            lowering or raising it), so that the hard limit can
2692            later be used as a safe reset point for the soft limit
2693            upon context transitions. See selinux_bprm_apply_creds. */
2694         if (old_rlim->rlim_max != new_rlim->rlim_max)
2695                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2696
2697         return 0;
2698 }
2699
2700 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2701 {
2702         return task_has_perm(current, p, PROCESS__SETSCHED);
2703 }
2704
2705 static int selinux_task_getscheduler(struct task_struct *p)
2706 {
2707         return task_has_perm(current, p, PROCESS__GETSCHED);
2708 }
2709
2710 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2711 {
2712         u32 perm;
2713         int rc;
2714
2715         rc = secondary_ops->task_kill(p, info, sig);
2716         if (rc)
2717                 return rc;
2718
2719         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2720                 return 0;
2721
2722         if (!sig)
2723                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2724         else
2725                 perm = signal_to_av(sig);
2726
2727         return task_has_perm(current, p, perm);
2728 }
2729
2730 static int selinux_task_prctl(int option,
2731                               unsigned long arg2,
2732                               unsigned long arg3,
2733                               unsigned long arg4,
2734                               unsigned long arg5)
2735 {
2736         /* The current prctl operations do not appear to require
2737            any SELinux controls since they merely observe or modify
2738            the state of the current process. */
2739         return 0;
2740 }
2741
2742 static int selinux_task_wait(struct task_struct *p)
2743 {
2744         u32 perm;
2745
2746         perm = signal_to_av(p->exit_signal);
2747
2748         return task_has_perm(p, current, perm);
2749 }
2750
2751 static void selinux_task_reparent_to_init(struct task_struct *p)
2752 {
2753         struct task_security_struct *tsec;
2754
2755         secondary_ops->task_reparent_to_init(p);
2756
2757         tsec = p->security;
2758         tsec->osid = tsec->sid;
2759         tsec->sid = SECINITSID_KERNEL;
2760         return;
2761 }
2762
2763 static void selinux_task_to_inode(struct task_struct *p,
2764                                   struct inode *inode)
2765 {
2766         struct task_security_struct *tsec = p->security;
2767         struct inode_security_struct *isec = inode->i_security;
2768
2769         isec->sid = tsec->sid;
2770         isec->initialized = 1;
2771         return;
2772 }
2773
2774 #ifdef CONFIG_SECURITY_NETWORK
2775
2776 /* Returns error only if unable to parse addresses */
2777 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2778 {
2779         int offset, ihlen, ret = -EINVAL;
2780         struct iphdr _iph, *ih;
2781
2782         offset = skb->nh.raw - skb->data;
2783         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2784         if (ih == NULL)
2785                 goto out;
2786
2787         ihlen = ih->ihl * 4;
2788         if (ihlen < sizeof(_iph))
2789                 goto out;
2790
2791         ad->u.net.v4info.saddr = ih->saddr;
2792         ad->u.net.v4info.daddr = ih->daddr;
2793         ret = 0;
2794
2795         switch (ih->protocol) {
2796         case IPPROTO_TCP: {
2797                 struct tcphdr _tcph, *th;
2798
2799                 if (ntohs(ih->frag_off) & IP_OFFSET)
2800                         break;
2801
2802                 offset += ihlen;
2803                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2804                 if (th == NULL)
2805                         break;
2806
2807                 ad->u.net.sport = th->source;
2808                 ad->u.net.dport = th->dest;
2809                 break;
2810         }
2811         
2812         case IPPROTO_UDP: {
2813                 struct udphdr _udph, *uh;
2814                 
2815                 if (ntohs(ih->frag_off) & IP_OFFSET)
2816                         break;
2817                         
2818                 offset += ihlen;
2819                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2820                 if (uh == NULL)
2821                         break;  
2822
2823                 ad->u.net.sport = uh->source;
2824                 ad->u.net.dport = uh->dest;
2825                 break;
2826         }
2827
2828         default:
2829                 break;
2830         }
2831 out:
2832         return ret;
2833 }
2834
2835 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2836
2837 /* Returns error only if unable to parse addresses */
2838 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2839 {
2840         u8 nexthdr;
2841         int ret = -EINVAL, offset;
2842         struct ipv6hdr _ipv6h, *ip6;
2843
2844         offset = skb->nh.raw - skb->data;
2845         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2846         if (ip6 == NULL)
2847                 goto out;
2848
2849         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2850         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2851         ret = 0;
2852
2853         nexthdr = ip6->nexthdr;
2854         offset += sizeof(_ipv6h);
2855         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2856         if (offset < 0)
2857                 goto out;
2858
2859         switch (nexthdr) {
2860         case IPPROTO_TCP: {
2861                 struct tcphdr _tcph, *th;
2862
2863                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2864                 if (th == NULL)
2865                         break;
2866
2867                 ad->u.net.sport = th->source;
2868                 ad->u.net.dport = th->dest;
2869                 break;
2870         }
2871
2872         case IPPROTO_UDP: {
2873                 struct udphdr _udph, *uh;
2874
2875                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2876                 if (uh == NULL)
2877                         break;
2878
2879                 ad->u.net.sport = uh->source;
2880                 ad->u.net.dport = uh->dest;
2881                 break;
2882         }
2883
2884         /* includes fragments */
2885         default:
2886                 break;
2887         }
2888 out:
2889         return ret;
2890 }
2891
2892 #endif /* IPV6 */
2893
2894 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2895                              char **addrp, int *len, int src)
2896 {
2897         int ret = 0;
2898
2899         switch (ad->u.net.family) {
2900         case PF_INET:
2901                 ret = selinux_parse_skb_ipv4(skb, ad);
2902                 if (ret || !addrp)
2903                         break;
2904                 *len = 4;
2905                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2906                                         &ad->u.net.v4info.daddr);
2907                 break;
2908
2909 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2910         case PF_INET6:
2911                 ret = selinux_parse_skb_ipv6(skb, ad);
2912                 if (ret || !addrp)
2913                         break;
2914                 *len = 16;
2915                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2916                                         &ad->u.net.v6info.daddr);
2917                 break;
2918 #endif  /* IPV6 */
2919         default:
2920                 break;
2921         }
2922
2923         return ret;
2924 }
2925
2926 /* socket security operations */
2927 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2928                            u32 perms)
2929 {
2930         struct inode_security_struct *isec;
2931         struct task_security_struct *tsec;
2932         struct avc_audit_data ad;
2933         int err = 0;
2934
2935         tsec = task->security;
2936         isec = SOCK_INODE(sock)->i_security;
2937
2938         if (isec->sid == SECINITSID_KERNEL)
2939                 goto out;
2940
2941         AVC_AUDIT_DATA_INIT(&ad,NET);
2942         ad.u.net.sk = sock->sk;
2943         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2944
2945 out:
2946         return err;
2947 }
2948
2949 static int selinux_socket_create(int family, int type,
2950                                  int protocol, int kern)
2951 {
2952         int err = 0;
2953         struct task_security_struct *tsec;
2954
2955         if (kern)
2956                 goto out;
2957
2958         tsec = current->security;
2959         err = avc_has_perm(tsec->sid, tsec->sid,
2960                            socket_type_to_security_class(family, type,
2961                            protocol), SOCKET__CREATE, NULL);
2962
2963 out:
2964         return err;
2965 }
2966
2967 static void selinux_socket_post_create(struct socket *sock, int family,
2968                                        int type, int protocol, int kern)
2969 {
2970         struct inode_security_struct *isec;
2971         struct task_security_struct *tsec;
2972
2973         isec = SOCK_INODE(sock)->i_security;
2974
2975         tsec = current->security;
2976         isec->sclass = socket_type_to_security_class(family, type, protocol);
2977         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2978         isec->initialized = 1;
2979
2980         return;
2981 }
2982
2983 /* Range of port numbers used to automatically bind.
2984    Need to determine whether we should perform a name_bind
2985    permission check between the socket and the port number. */
2986 #define ip_local_port_range_0 sysctl_local_port_range[0]
2987 #define ip_local_port_range_1 sysctl_local_port_range[1]
2988
2989 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2990 {
2991         u16 family;
2992         int err;
2993
2994         err = socket_has_perm(current, sock, SOCKET__BIND);
2995         if (err)
2996                 goto out;
2997
2998         /*
2999          * If PF_INET or PF_INET6, check name_bind permission for the port.
3000          * Multiple address binding for SCTP is not supported yet: we just
3001          * check the first address now.
3002          */
3003         family = sock->sk->sk_family;
3004         if (family == PF_INET || family == PF_INET6) {
3005                 char *addrp;
3006                 struct inode_security_struct *isec;
3007                 struct task_security_struct *tsec;
3008                 struct avc_audit_data ad;
3009                 struct sockaddr_in *addr4 = NULL;
3010                 struct sockaddr_in6 *addr6 = NULL;
3011                 unsigned short snum;
3012                 struct sock *sk = sock->sk;
3013                 u32 sid, node_perm, addrlen;
3014
3015                 tsec = current->security;
3016                 isec = SOCK_INODE(sock)->i_security;
3017
3018                 if (family == PF_INET) {
3019                         addr4 = (struct sockaddr_in *)address;
3020                         snum = ntohs(addr4->sin_port);
3021                         addrlen = sizeof(addr4->sin_addr.s_addr);
3022                         addrp = (char *)&addr4->sin_addr.s_addr;
3023                 } else {
3024                         addr6 = (struct sockaddr_in6 *)address;
3025                         snum = ntohs(addr6->sin6_port);
3026                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3027                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3028                 }
3029
3030                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3031                            snum > ip_local_port_range_1)) {
3032                         err = security_port_sid(sk->sk_family, sk->sk_type,
3033                                                 sk->sk_protocol, snum, &sid);
3034                         if (err)
3035                                 goto out;
3036                         AVC_AUDIT_DATA_INIT(&ad,NET);
3037                         ad.u.net.sport = htons(snum);
3038                         ad.u.net.family = family;
3039                         err = avc_has_perm(isec->sid, sid,
3040                                            isec->sclass,
3041                                            SOCKET__NAME_BIND, &ad);
3042                         if (err)
3043                                 goto out;
3044                 }
3045                 
3046                 switch(isec->sclass) {
3047                 case SECCLASS_TCP_SOCKET:
3048                         node_perm = TCP_SOCKET__NODE_BIND;
3049                         break;
3050                         
3051                 case SECCLASS_UDP_SOCKET:
3052                         node_perm = UDP_SOCKET__NODE_BIND;
3053                         break;
3054                         
3055                 default:
3056                         node_perm = RAWIP_SOCKET__NODE_BIND;
3057                         break;
3058                 }
3059                 
3060                 err = security_node_sid(family, addrp, addrlen, &sid);
3061                 if (err)
3062                         goto out;
3063                 
3064                 AVC_AUDIT_DATA_INIT(&ad,NET);
3065                 ad.u.net.sport = htons(snum);
3066                 ad.u.net.family = family;
3067
3068                 if (family == PF_INET)
3069                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3070                 else
3071                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3072
3073                 err = avc_has_perm(isec->sid, sid,
3074                                    isec->sclass, node_perm, &ad);
3075                 if (err)
3076                         goto out;
3077         }
3078 out:
3079         return err;
3080 }
3081
3082 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3083 {
3084         struct inode_security_struct *isec;
3085         int err;
3086
3087         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3088         if (err)
3089                 return err;
3090
3091         /*
3092          * If a TCP socket, check name_connect permission for the port.
3093          */
3094         isec = SOCK_INODE(sock)->i_security;
3095         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3096                 struct sock *sk = sock->sk;
3097                 struct avc_audit_data ad;
3098                 struct sockaddr_in *addr4 = NULL;
3099                 struct sockaddr_in6 *addr6 = NULL;
3100                 unsigned short snum;
3101                 u32 sid;
3102
3103                 if (sk->sk_family == PF_INET) {
3104                         addr4 = (struct sockaddr_in *)address;
3105                         if (addrlen < sizeof(struct sockaddr_in))
3106                                 return -EINVAL;
3107                         snum = ntohs(addr4->sin_port);
3108                 } else {
3109                         addr6 = (struct sockaddr_in6 *)address;
3110                         if (addrlen < SIN6_LEN_RFC2133)
3111                                 return -EINVAL;
3112                         snum = ntohs(addr6->sin6_port);
3113                 }
3114
3115                 err = security_port_sid(sk->sk_family, sk->sk_type,
3116                                         sk->sk_protocol, snum, &sid);
3117                 if (err)
3118                         goto out;
3119
3120                 AVC_AUDIT_DATA_INIT(&ad,NET);
3121                 ad.u.net.dport = htons(snum);
3122                 ad.u.net.family = sk->sk_family;
3123                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3124                                    TCP_SOCKET__NAME_CONNECT, &ad);
3125                 if (err)
3126                         goto out;
3127         }
3128
3129 out:
3130         return err;
3131 }
3132
3133 static int selinux_socket_listen(struct socket *sock, int backlog)
3134 {
3135         return socket_has_perm(current, sock, SOCKET__LISTEN);
3136 }
3137
3138 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3139 {
3140         int err;
3141         struct inode_security_struct *isec;
3142         struct inode_security_struct *newisec;
3143
3144         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3145         if (err)
3146                 return err;
3147
3148         newisec = SOCK_INODE(newsock)->i_security;
3149
3150         isec = SOCK_INODE(sock)->i_security;
3151         newisec->sclass = isec->sclass;
3152         newisec->sid = isec->sid;
3153         newisec->initialized = 1;
3154
3155         return 0;
3156 }
3157
3158 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3159                                   int size)
3160 {
3161         return socket_has_perm(current, sock, SOCKET__WRITE);
3162 }
3163
3164 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3165                                   int size, int flags)
3166 {
3167         return socket_has_perm(current, sock, SOCKET__READ);
3168 }
3169
3170 static int selinux_socket_getsockname(struct socket *sock)
3171 {
3172         return socket_has_perm(current, sock, SOCKET__GETATTR);
3173 }
3174
3175 static int selinux_socket_getpeername(struct socket *sock)
3176 {
3177         return socket_has_perm(current, sock, SOCKET__GETATTR);
3178 }
3179
3180 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3181 {
3182         return socket_has_perm(current, sock, SOCKET__SETOPT);
3183 }
3184
3185 static int selinux_socket_getsockopt(struct socket *sock, int level,
3186                                      int optname)
3187 {
3188         return socket_has_perm(current, sock, SOCKET__GETOPT);
3189 }
3190
3191 static int selinux_socket_shutdown(struct socket *sock, int how)
3192 {
3193         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3194 }
3195
3196 static int selinux_socket_unix_stream_connect(struct socket *sock,
3197                                               struct socket *other,
3198                                               struct sock *newsk)
3199 {
3200         struct sk_security_struct *ssec;
3201         struct inode_security_struct *isec;
3202         struct inode_security_struct *other_isec;
3203         struct avc_audit_data ad;
3204         int err;
3205
3206         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3207         if (err)
3208                 return err;
3209
3210         isec = SOCK_INODE(sock)->i_security;
3211         other_isec = SOCK_INODE(other)->i_security;
3212
3213         AVC_AUDIT_DATA_INIT(&ad,NET);
3214         ad.u.net.sk = other->sk;
3215
3216         err = avc_has_perm(isec->sid, other_isec->sid,
3217                            isec->sclass,
3218                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3219         if (err)
3220                 return err;
3221
3222         /* connecting socket */
3223         ssec = sock->sk->sk_security;
3224         ssec->peer_sid = other_isec->sid;
3225         
3226         /* server child socket */
3227         ssec = newsk->sk_security;
3228         ssec->peer_sid = isec->sid;
3229         
3230         return 0;
3231 }
3232
3233 static int selinux_socket_unix_may_send(struct socket *sock,
3234                                         struct socket *other)
3235 {
3236         struct inode_security_struct *isec;
3237         struct inode_security_struct *other_isec;
3238         struct avc_audit_data ad;
3239         int err;
3240
3241         isec = SOCK_INODE(sock)->i_security;
3242         other_isec = SOCK_INODE(other)->i_security;
3243
3244         AVC_AUDIT_DATA_INIT(&ad,NET);
3245         ad.u.net.sk = other->sk;
3246
3247         err = avc_has_perm(isec->sid, other_isec->sid,
3248                            isec->sclass, SOCKET__SENDTO, &ad);
3249         if (err)
3250                 return err;
3251
3252         return 0;
3253 }
3254
3255 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3256 {
3257         u16 family;
3258         char *addrp;
3259         int len, err = 0;
3260         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3261         u32 sock_sid = 0;
3262         u16 sock_class = 0;
3263         struct socket *sock;
3264         struct net_device *dev;
3265         struct avc_audit_data ad;
3266
3267         family = sk->sk_family;
3268         if (family != PF_INET && family != PF_INET6)
3269                 goto out;
3270
3271         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3272         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3273                 family = PF_INET;
3274
3275         read_lock_bh(&sk->sk_callback_lock);
3276         sock = sk->sk_socket;
3277         if (sock) {
3278                 struct inode *inode;
3279                 inode = SOCK_INODE(sock);
3280                 if (inode) {
3281                         struct inode_security_struct *isec;
3282                         isec = inode->i_security;
3283                         sock_sid = isec->sid;
3284                         sock_class = isec->sclass;
3285                 }
3286         }
3287         read_unlock_bh(&sk->sk_callback_lock);
3288         if (!sock_sid)
3289                 goto out;
3290
3291         dev = skb->dev;
3292         if (!dev)
3293                 goto out;
3294
3295         err = sel_netif_sids(dev, &if_sid, NULL);
3296         if (err)
3297                 goto out;
3298
3299         switch (sock_class) {
3300         case SECCLASS_UDP_SOCKET:
3301                 netif_perm = NETIF__UDP_RECV;
3302                 node_perm = NODE__UDP_RECV;
3303                 recv_perm = UDP_SOCKET__RECV_MSG;
3304                 break;
3305         
3306         case SECCLASS_TCP_SOCKET:
3307                 netif_perm = NETIF__TCP_RECV;
3308                 node_perm = NODE__TCP_RECV;
3309                 recv_perm = TCP_SOCKET__RECV_MSG;
3310                 break;
3311         
3312         default:
3313                 netif_perm = NETIF__RAWIP_RECV;
3314                 node_perm = NODE__RAWIP_RECV;
3315                 break;
3316         }
3317
3318         AVC_AUDIT_DATA_INIT(&ad, NET);
3319         ad.u.net.netif = dev->name;
3320         ad.u.net.family = family;
3321
3322         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3323         if (err)
3324                 goto out;
3325
3326         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3327         if (err)
3328                 goto out;
3329         
3330         /* Fixme: this lookup is inefficient */
3331         err = security_node_sid(family, addrp, len, &node_sid);
3332         if (err)
3333                 goto out;
3334         
3335         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3336         if (err)
3337                 goto out;
3338
3339         if (recv_perm) {
3340                 u32 port_sid;
3341
3342                 /* Fixme: make this more efficient */
3343                 err = security_port_sid(sk->sk_family, sk->sk_type,
3344                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3345                                         &port_sid);
3346                 if (err)
3347                         goto out;
3348
3349                 err = avc_has_perm(sock_sid, port_sid,
3350                                    sock_class, recv_perm, &ad);
3351         }
3352 out:    
3353         return err;
3354 }
3355
3356 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3357                                      int __user *optlen, unsigned len)
3358 {
3359         int err = 0;
3360         char *scontext;
3361         u32 scontext_len;
3362         struct sk_security_struct *ssec;
3363         struct inode_security_struct *isec;
3364
3365         isec = SOCK_INODE(sock)->i_security;
3366         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3367                 err = -ENOPROTOOPT;
3368                 goto out;
3369         }
3370
3371         ssec = sock->sk->sk_security;
3372         
3373         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3374         if (err)
3375                 goto out;
3376
3377         if (scontext_len > len) {
3378                 err = -ERANGE;
3379                 goto out_len;
3380         }
3381
3382         if (copy_to_user(optval, scontext, scontext_len))
3383                 err = -EFAULT;
3384
3385 out_len:
3386         if (put_user(scontext_len, optlen))
3387                 err = -EFAULT;
3388
3389         kfree(scontext);
3390 out:    
3391         return err;
3392 }
3393
3394 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3395 {
3396         return sk_alloc_security(sk, family, priority);
3397 }
3398
3399 static void selinux_sk_free_security(struct sock *sk)
3400 {
3401         sk_free_security(sk);
3402 }
3403
3404 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3405 {
3406         int err = 0;
3407         u32 perm;
3408         struct nlmsghdr *nlh;
3409         struct socket *sock = sk->sk_socket;
3410         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3411         
3412         if (skb->len < NLMSG_SPACE(0)) {
3413                 err = -EINVAL;
3414                 goto out;
3415         }
3416         nlh = (struct nlmsghdr *)skb->data;
3417         
3418         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3419         if (err) {
3420                 if (err == -EINVAL) {
3421                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3422                                   "SELinux:  unrecognized netlink message"
3423                                   " type=%hu for sclass=%hu\n",
3424                                   nlh->nlmsg_type, isec->sclass);
3425                         if (!selinux_enforcing)
3426                                 err = 0;
3427                 }
3428
3429                 /* Ignore */
3430                 if (err == -ENOENT)
3431                         err = 0;
3432                 goto out;
3433         }
3434
3435         err = socket_has_perm(current, sock, perm);
3436 out:
3437         return err;
3438 }
3439
3440 #ifdef CONFIG_NETFILTER
3441
3442 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3443                                               struct sk_buff **pskb,
3444                                               const struct net_device *in,
3445                                               const struct net_device *out,
3446                                               int (*okfn)(struct sk_buff *),
3447                                               u16 family)
3448 {
3449         char *addrp;
3450         int len, err = NF_ACCEPT;
3451         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3452         struct sock *sk;
3453         struct socket *sock;
3454         struct inode *inode;
3455         struct sk_buff *skb = *pskb;
3456         struct inode_security_struct *isec;
3457         struct avc_audit_data ad;
3458         struct net_device *dev = (struct net_device *)out;
3459         
3460         sk = skb->sk;
3461         if (!sk)
3462                 goto out;
3463                 
3464         sock = sk->sk_socket;
3465         if (!sock)
3466                 goto out;
3467                 
3468         inode = SOCK_INODE(sock);
3469         if (!inode)
3470                 goto out;
3471
3472         err = sel_netif_sids(dev, &if_sid, NULL);
3473         if (err)
3474                 goto out;
3475
3476         isec = inode->i_security;
3477         
3478         switch (isec->sclass) {
3479         case SECCLASS_UDP_SOCKET:
3480                 netif_perm = NETIF__UDP_SEND;
3481                 node_perm = NODE__UDP_SEND;
3482                 send_perm = UDP_SOCKET__SEND_MSG;
3483                 break;
3484         
3485         case SECCLASS_TCP_SOCKET:
3486                 netif_perm = NETIF__TCP_SEND;
3487                 node_perm = NODE__TCP_SEND;
3488                 send_perm = TCP_SOCKET__SEND_MSG;
3489                 break;
3490         
3491         default:
3492                 netif_perm = NETIF__RAWIP_SEND;
3493                 node_perm = NODE__RAWIP_SEND;
3494                 break;
3495         }
3496
3497
3498         AVC_AUDIT_DATA_INIT(&ad, NET);
3499         ad.u.net.netif = dev->name;
3500         ad.u.net.family = family;
3501
3502         err = selinux_parse_skb(skb, &ad, &addrp,
3503                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3504         if (err != NF_ACCEPT)
3505                 goto out;
3506
3507         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3508                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509         if (err != NF_ACCEPT)
3510                 goto out;
3511                 
3512         /* Fixme: this lookup is inefficient */
3513         err = security_node_sid(family, addrp, len,
3514                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3515         if (err != NF_ACCEPT)
3516                 goto out;
3517         
3518         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3519                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520         if (err != NF_ACCEPT)
3521                 goto out;
3522
3523         if (send_perm) {
3524                 u32 port_sid;
3525                 
3526                 /* Fixme: make this more efficient */
3527                 err = security_port_sid(sk->sk_family,
3528                                         sk->sk_type,
3529                                         sk->sk_protocol,
3530                                         ntohs(ad.u.net.dport),
3531                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3532                 if (err != NF_ACCEPT)
3533                         goto out;
3534
3535                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3536                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3537         }
3538
3539 out:
3540         return err;
3541 }
3542
3543 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3544                                                 struct sk_buff **pskb,
3545                                                 const struct net_device *in,
3546                                                 const struct net_device *out,
3547                                                 int (*okfn)(struct sk_buff *))
3548 {
3549         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3550 }
3551
3552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553
3554 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3555                                                 struct sk_buff **pskb,
3556                                                 const struct net_device *in,
3557                                                 const struct net_device *out,
3558                                                 int (*okfn)(struct sk_buff *))
3559 {
3560         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3561 }
3562
3563 #endif  /* IPV6 */
3564
3565 #endif  /* CONFIG_NETFILTER */
3566
3567 #else
3568
3569 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3570 {
3571         return 0;
3572 }
3573
3574 #endif  /* CONFIG_SECURITY_NETWORK */
3575
3576 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3577 {
3578         struct task_security_struct *tsec;
3579         struct av_decision avd;
3580         int err;
3581
3582         err = secondary_ops->netlink_send(sk, skb);
3583         if (err)
3584                 return err;
3585
3586         tsec = current->security;
3587
3588         avd.allowed = 0;
3589         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3590                                 SECCLASS_CAPABILITY, ~0, &avd);
3591         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3592
3593         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3594                 err = selinux_nlmsg_perm(sk, skb);
3595
3596         return err;
3597 }
3598
3599 static int selinux_netlink_recv(struct sk_buff *skb)
3600 {
3601         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3602                 return -EPERM;
3603         return 0;
3604 }
3605
3606 static int ipc_alloc_security(struct task_struct *task,
3607                               struct kern_ipc_perm *perm,
3608                               u16 sclass)
3609 {
3610         struct task_security_struct *tsec = task->security;
3611         struct ipc_security_struct *isec;
3612
3613         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3614         if (!isec)
3615                 return -ENOMEM;
3616
3617         isec->magic = SELINUX_MAGIC;
3618         isec->sclass = sclass;
3619         isec->ipc_perm = perm;
3620         if (tsec) {
3621                 isec->sid = tsec->sid;
3622         } else {
3623                 isec->sid = SECINITSID_UNLABELED;
3624         }
3625         perm->security = isec;
3626
3627         return 0;
3628 }
3629
3630 static void ipc_free_security(struct kern_ipc_perm *perm)
3631 {
3632         struct ipc_security_struct *isec = perm->security;
3633         if (!isec || isec->magic != SELINUX_MAGIC)
3634                 return;
3635
3636         perm->security = NULL;
3637         kfree(isec);
3638 }
3639
3640 static int msg_msg_alloc_security(struct msg_msg *msg)
3641 {
3642         struct msg_security_struct *msec;
3643
3644         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3645         if (!msec)
3646                 return -ENOMEM;
3647
3648         msec->magic = SELINUX_MAGIC;
3649         msec->msg = msg;
3650         msec->sid = SECINITSID_UNLABELED;
3651         msg->security = msec;
3652
3653         return 0;
3654 }
3655
3656 static void msg_msg_free_security(struct msg_msg *msg)
3657 {
3658         struct msg_security_struct *msec = msg->security;
3659         if (!msec || msec->magic != SELINUX_MAGIC)
3660                 return;
3661
3662         msg->security = NULL;
3663         kfree(msec);
3664 }
3665
3666 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3667                         u32 perms)
3668 {
3669         struct task_security_struct *tsec;
3670         struct ipc_security_struct *isec;
3671         struct avc_audit_data ad;
3672
3673         tsec = current->security;
3674         isec = ipc_perms->security;
3675
3676         AVC_AUDIT_DATA_INIT(&ad, IPC);
3677         ad.u.ipc_id = ipc_perms->key;
3678
3679         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3680 }
3681
3682 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683 {
3684         return msg_msg_alloc_security(msg);
3685 }
3686
3687 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688 {
3689         msg_msg_free_security(msg);
3690 }
3691
3692 /* message queue security operations */
3693 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694 {
3695         struct task_security_struct *tsec;
3696         struct ipc_security_struct *isec;
3697         struct avc_audit_data ad;
3698         int rc;
3699
3700         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701         if (rc)
3702                 return rc;
3703
3704         tsec = current->security;
3705         isec = msq->q_perm.security;
3706
3707         AVC_AUDIT_DATA_INIT(&ad, IPC);
3708         ad.u.ipc_id = msq->q_perm.key;
3709
3710         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3711                           MSGQ__CREATE, &ad);
3712         if (rc) {
3713                 ipc_free_security(&msq->q_perm);
3714                 return rc;
3715         }
3716         return 0;
3717 }
3718
3719 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720 {
3721         ipc_free_security(&msq->q_perm);
3722 }
3723
3724 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725 {
3726         struct task_security_struct *tsec;
3727         struct ipc_security_struct *isec;
3728         struct avc_audit_data ad;
3729
3730         tsec = current->security;
3731         isec = msq->q_perm.security;
3732
3733         AVC_AUDIT_DATA_INIT(&ad, IPC);
3734         ad.u.ipc_id = msq->q_perm.key;
3735
3736         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737                             MSGQ__ASSOCIATE, &ad);
3738 }
3739
3740 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3741 {
3742         int err;
3743         int perms;
3744
3745         switch(cmd) {
3746         case IPC_INFO:
3747         case MSG_INFO:
3748                 /* No specific object, just general system-wide information. */
3749                 return task_has_system(current, SYSTEM__IPC_INFO);
3750         case IPC_STAT:
3751         case MSG_STAT:
3752                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3753                 break;
3754         case IPC_SET:
3755                 perms = MSGQ__SETATTR;
3756                 break;
3757         case IPC_RMID:
3758                 perms = MSGQ__DESTROY;
3759                 break;
3760         default:
3761                 return 0;
3762         }
3763
3764         err = ipc_has_perm(&msq->q_perm, perms);
3765         return err;
3766 }
3767
3768 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769 {
3770         struct task_security_struct *tsec;
3771         struct ipc_security_struct *isec;
3772         struct msg_security_struct *msec;
3773         struct avc_audit_data ad;
3774         int rc;
3775
3776         tsec = current->security;
3777         isec = msq->q_perm.security;
3778         msec = msg->security;
3779
3780         /*
3781          * First time through, need to assign label to the message
3782          */
3783         if (msec->sid == SECINITSID_UNLABELED) {
3784                 /*
3785                  * Compute new sid based on current process and
3786                  * message queue this message will be stored in
3787                  */
3788                 rc = security_transition_sid(tsec->sid,
3789                                              isec->sid,
3790                                              SECCLASS_MSG,
3791                                              &msec->sid);
3792                 if (rc)
3793                         return rc;
3794         }
3795
3796         AVC_AUDIT_DATA_INIT(&ad, IPC);
3797         ad.u.ipc_id = msq->q_perm.key;
3798
3799         /* Can this process write to the queue? */
3800         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3801                           MSGQ__WRITE, &ad);
3802         if (!rc)
3803                 /* Can this process send the message */
3804                 rc = avc_has_perm(tsec->sid, msec->sid,
3805                                   SECCLASS_MSG, MSG__SEND, &ad);
3806         if (!rc)
3807                 /* Can the message be put in the queue? */
3808                 rc = avc_has_perm(msec->sid, isec->sid,
3809                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3810
3811         return rc;
3812 }
3813
3814 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815                                     struct task_struct *target,
3816                                     long type, int mode)
3817 {
3818         struct task_security_struct *tsec;
3819         struct ipc_security_struct *isec;
3820         struct msg_security_struct *msec;
3821         struct avc_audit_data ad;
3822         int rc;
3823
3824         tsec = target->security;
3825         isec = msq->q_perm.security;
3826         msec = msg->security;
3827
3828         AVC_AUDIT_DATA_INIT(&ad, IPC);
3829         ad.u.ipc_id = msq->q_perm.key;
3830
3831         rc = avc_has_perm(tsec->sid, isec->sid,
3832                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3833         if (!rc)
3834                 rc = avc_has_perm(tsec->sid, msec->sid,
3835                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3836         return rc;
3837 }
3838
3839 /* Shared Memory security operations */
3840 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841 {