Linux-2.6.12-rc2
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71
72 #include "avc.h"
73 #include "objsec.h"
74 #include "netif.h"
75
76 #define XATTR_SELINUX_SUFFIX "selinux"
77 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
78
79 extern unsigned int policydb_loaded_version;
80 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
81
82 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83 int selinux_enforcing = 0;
84
85 static int __init enforcing_setup(char *str)
86 {
87         selinux_enforcing = simple_strtol(str,NULL,0);
88         return 1;
89 }
90 __setup("enforcing=", enforcing_setup);
91 #endif
92
93 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
95
96 static int __init selinux_enabled_setup(char *str)
97 {
98         selinux_enabled = simple_strtol(str, NULL, 0);
99         return 1;
100 }
101 __setup("selinux=", selinux_enabled_setup);
102 #endif
103
104 /* Original (dummy) security module. */
105 static struct security_operations *original_ops = NULL;
106
107 /* Minimal support for a secondary security module,
108    just to allow the use of the dummy or capability modules.
109    The owlsm module can alternatively be used as a secondary
110    module as long as CONFIG_OWLSM_FD is not enabled. */
111 static struct security_operations *secondary_ops = NULL;
112
113 /* Lists of inode and superblock security structures initialized
114    before the policy was loaded. */
115 static LIST_HEAD(superblock_security_head);
116 static DEFINE_SPINLOCK(sb_security_lock);
117
118 /* Allocate and free functions for each kind of security blob. */
119
120 static int task_alloc_security(struct task_struct *task)
121 {
122         struct task_security_struct *tsec;
123
124         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
125         if (!tsec)
126                 return -ENOMEM;
127
128         memset(tsec, 0, sizeof(struct task_security_struct));
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         memset(isec, 0, sizeof(struct inode_security_struct));
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         memset(fsec, 0, sizeof(struct file_security_struct));
200         fsec->magic = SELINUX_MAGIC;
201         fsec->file = file;
202         if (tsec && tsec->magic == SELINUX_MAGIC) {
203                 fsec->sid = tsec->sid;
204                 fsec->fown_sid = tsec->sid;
205         } else {
206                 fsec->sid = SECINITSID_UNLABELED;
207                 fsec->fown_sid = SECINITSID_UNLABELED;
208         }
209         file->f_security = fsec;
210
211         return 0;
212 }
213
214 static void file_free_security(struct file *file)
215 {
216         struct file_security_struct *fsec = file->f_security;
217
218         if (!fsec || fsec->magic != SELINUX_MAGIC)
219                 return;
220
221         file->f_security = NULL;
222         kfree(fsec);
223 }
224
225 static int superblock_alloc_security(struct super_block *sb)
226 {
227         struct superblock_security_struct *sbsec;
228
229         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
230         if (!sbsec)
231                 return -ENOMEM;
232
233         memset(sbsec, 0, sizeof(struct superblock_security_struct));
234         init_MUTEX(&sbsec->sem);
235         INIT_LIST_HEAD(&sbsec->list);
236         INIT_LIST_HEAD(&sbsec->isec_head);
237         spin_lock_init(&sbsec->isec_lock);
238         sbsec->magic = SELINUX_MAGIC;
239         sbsec->sb = sb;
240         sbsec->sid = SECINITSID_UNLABELED;
241         sbsec->def_sid = SECINITSID_FILE;
242         sb->s_security = sbsec;
243
244         return 0;
245 }
246
247 static void superblock_free_security(struct super_block *sb)
248 {
249         struct superblock_security_struct *sbsec = sb->s_security;
250
251         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
252                 return;
253
254         spin_lock(&sb_security_lock);
255         if (!list_empty(&sbsec->list))
256                 list_del_init(&sbsec->list);
257         spin_unlock(&sb_security_lock);
258
259         sb->s_security = NULL;
260         kfree(sbsec);
261 }
262
263 #ifdef CONFIG_SECURITY_NETWORK
264 static int sk_alloc_security(struct sock *sk, int family, int priority)
265 {
266         struct sk_security_struct *ssec;
267
268         if (family != PF_UNIX)
269                 return 0;
270
271         ssec = kmalloc(sizeof(*ssec), priority);
272         if (!ssec)
273                 return -ENOMEM;
274
275         memset(ssec, 0, sizeof(*ssec));
276         ssec->magic = SELINUX_MAGIC;
277         ssec->sk = sk;
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
289                 return;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294 #endif  /* CONFIG_SECURITY_NETWORK */
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
633 {
634         switch (family) {
635         case PF_UNIX:
636                 switch (type) {
637                 case SOCK_STREAM:
638                 case SOCK_SEQPACKET:
639                         return SECCLASS_UNIX_STREAM_SOCKET;
640                 case SOCK_DGRAM:
641                         return SECCLASS_UNIX_DGRAM_SOCKET;
642                 }
643                 break;
644         case PF_INET:
645         case PF_INET6:
646                 switch (type) {
647                 case SOCK_STREAM:
648                         return SECCLASS_TCP_SOCKET;
649                 case SOCK_DGRAM:
650                         return SECCLASS_UDP_SOCKET;
651                 case SOCK_RAW:
652                         return SECCLASS_RAWIP_SOCKET;
653                 }
654                 break;
655         case PF_NETLINK:
656                 switch (protocol) {
657                 case NETLINK_ROUTE:
658                         return SECCLASS_NETLINK_ROUTE_SOCKET;
659                 case NETLINK_FIREWALL:
660                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
661                 case NETLINK_TCPDIAG:
662                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663                 case NETLINK_NFLOG:
664                         return SECCLASS_NETLINK_NFLOG_SOCKET;
665                 case NETLINK_XFRM:
666                         return SECCLASS_NETLINK_XFRM_SOCKET;
667                 case NETLINK_SELINUX:
668                         return SECCLASS_NETLINK_SELINUX_SOCKET;
669                 case NETLINK_AUDIT:
670                         return SECCLASS_NETLINK_AUDIT_SOCKET;
671                 case NETLINK_IP6_FW:
672                         return SECCLASS_NETLINK_IP6FW_SOCKET;
673                 case NETLINK_DNRTMSG:
674                         return SECCLASS_NETLINK_DNRT_SOCKET;
675                 default:
676                         return SECCLASS_NETLINK_SOCKET;
677                 }
678         case PF_PACKET:
679                 return SECCLASS_PACKET_SOCKET;
680         case PF_KEY:
681                 return SECCLASS_KEY_SOCKET;
682         }
683
684         return SECCLASS_SOCKET;
685 }
686
687 #ifdef CONFIG_PROC_FS
688 static int selinux_proc_get_sid(struct proc_dir_entry *de,
689                                 u16 tclass,
690                                 u32 *sid)
691 {
692         int buflen, rc;
693         char *buffer, *path, *end;
694
695         buffer = (char*)__get_free_page(GFP_KERNEL);
696         if (!buffer)
697                 return -ENOMEM;
698
699         buflen = PAGE_SIZE;
700         end = buffer+buflen;
701         *--end = '\0';
702         buflen--;
703         path = end-1;
704         *path = '/';
705         while (de && de != de->parent) {
706                 buflen -= de->namelen + 1;
707                 if (buflen < 0)
708                         break;
709                 end -= de->namelen;
710                 memcpy(end, de->name, de->namelen);
711                 *--end = '/';
712                 path = end;
713                 de = de->parent;
714         }
715         rc = security_genfs_sid("proc", path, tclass, sid);
716         free_page((unsigned long)buffer);
717         return rc;
718 }
719 #else
720 static int selinux_proc_get_sid(struct proc_dir_entry *de,
721                                 u16 tclass,
722                                 u32 *sid)
723 {
724         return -EINVAL;
725 }
726 #endif
727
728 /* The inode's security attributes must be initialized before first use. */
729 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
730 {
731         struct superblock_security_struct *sbsec = NULL;
732         struct inode_security_struct *isec = inode->i_security;
733         u32 sid;
734         struct dentry *dentry;
735 #define INITCONTEXTLEN 255
736         char *context = NULL;
737         unsigned len = 0;
738         int rc = 0;
739         int hold_sem = 0;
740
741         if (isec->initialized)
742                 goto out;
743
744         down(&isec->sem);
745         hold_sem = 1;
746         if (isec->initialized)
747                 goto out;
748
749         sbsec = inode->i_sb->s_security;
750         if (!sbsec->initialized) {
751                 /* Defer initialization until selinux_complete_init,
752                    after the initial policy is loaded and the security
753                    server is ready to handle calls. */
754                 spin_lock(&sbsec->isec_lock);
755                 if (list_empty(&isec->list))
756                         list_add(&isec->list, &sbsec->isec_head);
757                 spin_unlock(&sbsec->isec_lock);
758                 goto out;
759         }
760
761         switch (sbsec->behavior) {
762         case SECURITY_FS_USE_XATTR:
763                 if (!inode->i_op->getxattr) {
764                         isec->sid = sbsec->def_sid;
765                         break;
766                 }
767
768                 /* Need a dentry, since the xattr API requires one.
769                    Life would be simpler if we could just pass the inode. */
770                 if (opt_dentry) {
771                         /* Called from d_instantiate or d_splice_alias. */
772                         dentry = dget(opt_dentry);
773                 } else {
774                         /* Called from selinux_complete_init, try to find a dentry. */
775                         dentry = d_find_alias(inode);
776                 }
777                 if (!dentry) {
778                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
779                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
780                                inode->i_ino);
781                         goto out;
782                 }
783
784                 len = INITCONTEXTLEN;
785                 context = kmalloc(len, GFP_KERNEL);
786                 if (!context) {
787                         rc = -ENOMEM;
788                         dput(dentry);
789                         goto out;
790                 }
791                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
792                                            context, len);
793                 if (rc == -ERANGE) {
794                         /* Need a larger buffer.  Query for the right size. */
795                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
796                                                    NULL, 0);
797                         if (rc < 0) {
798                                 dput(dentry);
799                                 goto out;
800                         }
801                         kfree(context);
802                         len = rc;
803                         context = kmalloc(len, GFP_KERNEL);
804                         if (!context) {
805                                 rc = -ENOMEM;
806                                 dput(dentry);
807                                 goto out;
808                         }
809                         rc = inode->i_op->getxattr(dentry,
810                                                    XATTR_NAME_SELINUX,
811                                                    context, len);
812                 }
813                 dput(dentry);
814                 if (rc < 0) {
815                         if (rc != -ENODATA) {
816                                 printk(KERN_WARNING "%s:  getxattr returned "
817                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
818                                        -rc, inode->i_sb->s_id, inode->i_ino);
819                                 kfree(context);
820                                 goto out;
821                         }
822                         /* Map ENODATA to the default file SID */
823                         sid = sbsec->def_sid;
824                         rc = 0;
825                 } else {
826                         rc = security_context_to_sid(context, rc, &sid);
827                         if (rc) {
828                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
829                                        "returned %d for dev=%s ino=%ld\n",
830                                        __FUNCTION__, context, -rc,
831                                        inode->i_sb->s_id, inode->i_ino);
832                                 kfree(context);
833                                 /* Leave with the unlabeled SID */
834                                 rc = 0;
835                                 break;
836                         }
837                 }
838                 kfree(context);
839                 isec->sid = sid;
840                 break;
841         case SECURITY_FS_USE_TASK:
842                 isec->sid = isec->task_sid;
843                 break;
844         case SECURITY_FS_USE_TRANS:
845                 /* Default to the fs SID. */
846                 isec->sid = sbsec->sid;
847
848                 /* Try to obtain a transition SID. */
849                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
850                 rc = security_transition_sid(isec->task_sid,
851                                              sbsec->sid,
852                                              isec->sclass,
853                                              &sid);
854                 if (rc)
855                         goto out;
856                 isec->sid = sid;
857                 break;
858         default:
859                 /* Default to the fs SID. */
860                 isec->sid = sbsec->sid;
861
862                 if (sbsec->proc) {
863                         struct proc_inode *proci = PROC_I(inode);
864                         if (proci->pde) {
865                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866                                 rc = selinux_proc_get_sid(proci->pde,
867                                                           isec->sclass,
868                                                           &sid);
869                                 if (rc)
870                                         goto out;
871                                 isec->sid = sid;
872                         }
873                 }
874                 break;
875         }
876
877         isec->initialized = 1;
878
879 out:
880         if (isec->sclass == SECCLASS_FILE)
881                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882
883         if (hold_sem)
884                 up(&isec->sem);
885         return rc;
886 }
887
888 /* Convert a Linux signal to an access vector. */
889 static inline u32 signal_to_av(int sig)
890 {
891         u32 perm = 0;
892
893         switch (sig) {
894         case SIGCHLD:
895                 /* Commonly granted from child to parent. */
896                 perm = PROCESS__SIGCHLD;
897                 break;
898         case SIGKILL:
899                 /* Cannot be caught or ignored */
900                 perm = PROCESS__SIGKILL;
901                 break;
902         case SIGSTOP:
903                 /* Cannot be caught or ignored */
904                 perm = PROCESS__SIGSTOP;
905                 break;
906         default:
907                 /* All other signals. */
908                 perm = PROCESS__SIGNAL;
909                 break;
910         }
911
912         return perm;
913 }
914
915 /* Check permission betweeen a pair of tasks, e.g. signal checks,
916    fork check, ptrace check, etc. */
917 static int task_has_perm(struct task_struct *tsk1,
918                          struct task_struct *tsk2,
919                          u32 perms)
920 {
921         struct task_security_struct *tsec1, *tsec2;
922
923         tsec1 = tsk1->security;
924         tsec2 = tsk2->security;
925         return avc_has_perm(tsec1->sid, tsec2->sid,
926                             SECCLASS_PROCESS, perms, NULL);
927 }
928
929 /* Check whether a task is allowed to use a capability. */
930 static int task_has_capability(struct task_struct *tsk,
931                                int cap)
932 {
933         struct task_security_struct *tsec;
934         struct avc_audit_data ad;
935
936         tsec = tsk->security;
937
938         AVC_AUDIT_DATA_INIT(&ad,CAP);
939         ad.tsk = tsk;
940         ad.u.cap = cap;
941
942         return avc_has_perm(tsec->sid, tsec->sid,
943                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
944 }
945
946 /* Check whether a task is allowed to use a system operation. */
947 static int task_has_system(struct task_struct *tsk,
948                            u32 perms)
949 {
950         struct task_security_struct *tsec;
951
952         tsec = tsk->security;
953
954         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
955                             SECCLASS_SYSTEM, perms, NULL);
956 }
957
958 /* Check whether a task has a particular permission to an inode.
959    The 'adp' parameter is optional and allows other audit
960    data to be passed (e.g. the dentry). */
961 static int inode_has_perm(struct task_struct *tsk,
962                           struct inode *inode,
963                           u32 perms,
964                           struct avc_audit_data *adp)
965 {
966         struct task_security_struct *tsec;
967         struct inode_security_struct *isec;
968         struct avc_audit_data ad;
969
970         tsec = tsk->security;
971         isec = inode->i_security;
972
973         if (!adp) {
974                 adp = &ad;
975                 AVC_AUDIT_DATA_INIT(&ad, FS);
976                 ad.u.fs.inode = inode;
977         }
978
979         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
980 }
981
982 /* Same as inode_has_perm, but pass explicit audit data containing
983    the dentry to help the auditing code to more easily generate the
984    pathname if needed. */
985 static inline int dentry_has_perm(struct task_struct *tsk,
986                                   struct vfsmount *mnt,
987                                   struct dentry *dentry,
988                                   u32 av)
989 {
990         struct inode *inode = dentry->d_inode;
991         struct avc_audit_data ad;
992         AVC_AUDIT_DATA_INIT(&ad,FS);
993         ad.u.fs.mnt = mnt;
994         ad.u.fs.dentry = dentry;
995         return inode_has_perm(tsk, inode, av, &ad);
996 }
997
998 /* Check whether a task can use an open file descriptor to
999    access an inode in a given way.  Check access to the
1000    descriptor itself, and then use dentry_has_perm to
1001    check a particular permission to the file.
1002    Access to the descriptor is implicitly granted if it
1003    has the same SID as the process.  If av is zero, then
1004    access to the file is not checked, e.g. for cases
1005    where only the descriptor is affected like seek. */
1006 static inline int file_has_perm(struct task_struct *tsk,
1007                                 struct file *file,
1008                                 u32 av)
1009 {
1010         struct task_security_struct *tsec = tsk->security;
1011         struct file_security_struct *fsec = file->f_security;
1012         struct vfsmount *mnt = file->f_vfsmnt;
1013         struct dentry *dentry = file->f_dentry;
1014         struct inode *inode = dentry->d_inode;
1015         struct avc_audit_data ad;
1016         int rc;
1017
1018         AVC_AUDIT_DATA_INIT(&ad, FS);
1019         ad.u.fs.mnt = mnt;
1020         ad.u.fs.dentry = dentry;
1021
1022         if (tsec->sid != fsec->sid) {
1023                 rc = avc_has_perm(tsec->sid, fsec->sid,
1024                                   SECCLASS_FD,
1025                                   FD__USE,
1026                                   &ad);
1027                 if (rc)
1028                         return rc;
1029         }
1030
1031         /* av is zero if only checking access to the descriptor. */
1032         if (av)
1033                 return inode_has_perm(tsk, inode, av, &ad);
1034
1035         return 0;
1036 }
1037
1038 /* Check whether a task can create a file. */
1039 static int may_create(struct inode *dir,
1040                       struct dentry *dentry,
1041                       u16 tclass)
1042 {
1043         struct task_security_struct *tsec;
1044         struct inode_security_struct *dsec;
1045         struct superblock_security_struct *sbsec;
1046         u32 newsid;
1047         struct avc_audit_data ad;
1048         int rc;
1049
1050         tsec = current->security;
1051         dsec = dir->i_security;
1052         sbsec = dir->i_sb->s_security;
1053
1054         AVC_AUDIT_DATA_INIT(&ad, FS);
1055         ad.u.fs.dentry = dentry;
1056
1057         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1058                           DIR__ADD_NAME | DIR__SEARCH,
1059                           &ad);
1060         if (rc)
1061                 return rc;
1062
1063         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1064                 newsid = tsec->create_sid;
1065         } else {
1066                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1067                                              &newsid);
1068                 if (rc)
1069                         return rc;
1070         }
1071
1072         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1073         if (rc)
1074                 return rc;
1075
1076         return avc_has_perm(newsid, sbsec->sid,
1077                             SECCLASS_FILESYSTEM,
1078                             FILESYSTEM__ASSOCIATE, &ad);
1079 }
1080
1081 #define MAY_LINK   0
1082 #define MAY_UNLINK 1
1083 #define MAY_RMDIR  2
1084
1085 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1086 static int may_link(struct inode *dir,
1087                     struct dentry *dentry,
1088                     int kind)
1089
1090 {
1091         struct task_security_struct *tsec;
1092         struct inode_security_struct *dsec, *isec;
1093         struct avc_audit_data ad;
1094         u32 av;
1095         int rc;
1096
1097         tsec = current->security;
1098         dsec = dir->i_security;
1099         isec = dentry->d_inode->i_security;
1100
1101         AVC_AUDIT_DATA_INIT(&ad, FS);
1102         ad.u.fs.dentry = dentry;
1103
1104         av = DIR__SEARCH;
1105         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1106         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1107         if (rc)
1108                 return rc;
1109
1110         switch (kind) {
1111         case MAY_LINK:
1112                 av = FILE__LINK;
1113                 break;
1114         case MAY_UNLINK:
1115                 av = FILE__UNLINK;
1116                 break;
1117         case MAY_RMDIR:
1118                 av = DIR__RMDIR;
1119                 break;
1120         default:
1121                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1122                 return 0;
1123         }
1124
1125         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1126         return rc;
1127 }
1128
1129 static inline int may_rename(struct inode *old_dir,
1130                              struct dentry *old_dentry,
1131                              struct inode *new_dir,
1132                              struct dentry *new_dentry)
1133 {
1134         struct task_security_struct *tsec;
1135         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1136         struct avc_audit_data ad;
1137         u32 av;
1138         int old_is_dir, new_is_dir;
1139         int rc;
1140
1141         tsec = current->security;
1142         old_dsec = old_dir->i_security;
1143         old_isec = old_dentry->d_inode->i_security;
1144         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1145         new_dsec = new_dir->i_security;
1146
1147         AVC_AUDIT_DATA_INIT(&ad, FS);
1148
1149         ad.u.fs.dentry = old_dentry;
1150         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1151                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1152         if (rc)
1153                 return rc;
1154         rc = avc_has_perm(tsec->sid, old_isec->sid,
1155                           old_isec->sclass, FILE__RENAME, &ad);
1156         if (rc)
1157                 return rc;
1158         if (old_is_dir && new_dir != old_dir) {
1159                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1160                                   old_isec->sclass, DIR__REPARENT, &ad);
1161                 if (rc)
1162                         return rc;
1163         }
1164
1165         ad.u.fs.dentry = new_dentry;
1166         av = DIR__ADD_NAME | DIR__SEARCH;
1167         if (new_dentry->d_inode)
1168                 av |= DIR__REMOVE_NAME;
1169         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1170         if (rc)
1171                 return rc;
1172         if (new_dentry->d_inode) {
1173                 new_isec = new_dentry->d_inode->i_security;
1174                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1175                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1176                                   new_isec->sclass,
1177                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1178                 if (rc)
1179                         return rc;
1180         }
1181
1182         return 0;
1183 }
1184
1185 /* Check whether a task can perform a filesystem operation. */
1186 static int superblock_has_perm(struct task_struct *tsk,
1187                                struct super_block *sb,
1188                                u32 perms,
1189                                struct avc_audit_data *ad)
1190 {
1191         struct task_security_struct *tsec;
1192         struct superblock_security_struct *sbsec;
1193
1194         tsec = tsk->security;
1195         sbsec = sb->s_security;
1196         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1197                             perms, ad);
1198 }
1199
1200 /* Convert a Linux mode and permission mask to an access vector. */
1201 static inline u32 file_mask_to_av(int mode, int mask)
1202 {
1203         u32 av = 0;
1204
1205         if ((mode & S_IFMT) != S_IFDIR) {
1206                 if (mask & MAY_EXEC)
1207                         av |= FILE__EXECUTE;
1208                 if (mask & MAY_READ)
1209                         av |= FILE__READ;
1210
1211                 if (mask & MAY_APPEND)
1212                         av |= FILE__APPEND;
1213                 else if (mask & MAY_WRITE)
1214                         av |= FILE__WRITE;
1215
1216         } else {
1217                 if (mask & MAY_EXEC)
1218                         av |= DIR__SEARCH;
1219                 if (mask & MAY_WRITE)
1220                         av |= DIR__WRITE;
1221                 if (mask & MAY_READ)
1222                         av |= DIR__READ;
1223         }
1224
1225         return av;
1226 }
1227
1228 /* Convert a Linux file to an access vector. */
1229 static inline u32 file_to_av(struct file *file)
1230 {
1231         u32 av = 0;
1232
1233         if (file->f_mode & FMODE_READ)
1234                 av |= FILE__READ;
1235         if (file->f_mode & FMODE_WRITE) {
1236                 if (file->f_flags & O_APPEND)
1237                         av |= FILE__APPEND;
1238                 else
1239                         av |= FILE__WRITE;
1240         }
1241
1242         return av;
1243 }
1244
1245 /* Set an inode's SID to a specified value. */
1246 static int inode_security_set_sid(struct inode *inode, u32 sid)
1247 {
1248         struct inode_security_struct *isec = inode->i_security;
1249         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1250
1251         if (!sbsec->initialized) {
1252                 /* Defer initialization to selinux_complete_init. */
1253                 return 0;
1254         }
1255
1256         down(&isec->sem);
1257         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1258         isec->sid = sid;
1259         isec->initialized = 1;
1260         up(&isec->sem);
1261         return 0;
1262 }
1263
1264 /* Set the security attributes on a newly created file. */
1265 static int post_create(struct inode *dir,
1266                        struct dentry *dentry)
1267 {
1268
1269         struct task_security_struct *tsec;
1270         struct inode *inode;
1271         struct inode_security_struct *dsec;
1272         struct superblock_security_struct *sbsec;
1273         u32 newsid;
1274         char *context;
1275         unsigned int len;
1276         int rc;
1277
1278         tsec = current->security;
1279         dsec = dir->i_security;
1280         sbsec = dir->i_sb->s_security;
1281
1282         inode = dentry->d_inode;
1283         if (!inode) {
1284                 /* Some file system types (e.g. NFS) may not instantiate
1285                    a dentry for all create operations (e.g. symlink),
1286                    so we have to check to see if the inode is non-NULL. */
1287                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1288                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1289                 return 0;
1290         }
1291
1292         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1293                 newsid = tsec->create_sid;
1294         } else {
1295                 rc = security_transition_sid(tsec->sid, dsec->sid,
1296                                              inode_mode_to_security_class(inode->i_mode),
1297                                              &newsid);
1298                 if (rc) {
1299                         printk(KERN_WARNING "post_create:  "
1300                                "security_transition_sid failed, rc=%d (dev=%s "
1301                                "ino=%ld)\n",
1302                                -rc, inode->i_sb->s_id, inode->i_ino);
1303                         return rc;
1304                 }
1305         }
1306
1307         rc = inode_security_set_sid(inode, newsid);
1308         if (rc) {
1309                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1310                        "failed, rc=%d (dev=%s ino=%ld)\n",
1311                        -rc, inode->i_sb->s_id, inode->i_ino);
1312                 return rc;
1313         }
1314
1315         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1316             inode->i_op->setxattr) {
1317                 /* Use extended attributes. */
1318                 rc = security_sid_to_context(newsid, &context, &len);
1319                 if (rc) {
1320                         printk(KERN_WARNING "post_create:  sid_to_context "
1321                                "failed, rc=%d (dev=%s ino=%ld)\n",
1322                                -rc, inode->i_sb->s_id, inode->i_ino);
1323                         return rc;
1324                 }
1325                 down(&inode->i_sem);
1326                 rc = inode->i_op->setxattr(dentry,
1327                                            XATTR_NAME_SELINUX,
1328                                            context, len, 0);
1329                 up(&inode->i_sem);
1330                 kfree(context);
1331                 if (rc < 0) {
1332                         printk(KERN_WARNING "post_create:  setxattr failed, "
1333                                "rc=%d (dev=%s ino=%ld)\n",
1334                                -rc, inode->i_sb->s_id, inode->i_ino);
1335                         return rc;
1336                 }
1337         }
1338
1339         return 0;
1340 }
1341
1342
1343 /* Hook functions begin here. */
1344
1345 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1346 {
1347         struct task_security_struct *psec = parent->security;
1348         struct task_security_struct *csec = child->security;
1349         int rc;
1350
1351         rc = secondary_ops->ptrace(parent,child);
1352         if (rc)
1353                 return rc;
1354
1355         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1356         /* Save the SID of the tracing process for later use in apply_creds. */
1357         if (!rc)
1358                 csec->ptrace_sid = psec->sid;
1359         return rc;
1360 }
1361
1362 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1363                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1364 {
1365         int error;
1366
1367         error = task_has_perm(current, target, PROCESS__GETCAP);
1368         if (error)
1369                 return error;
1370
1371         return secondary_ops->capget(target, effective, inheritable, permitted);
1372 }
1373
1374 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1375                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1376 {
1377         int error;
1378
1379         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1380         if (error)
1381                 return error;
1382
1383         return task_has_perm(current, target, PROCESS__SETCAP);
1384 }
1385
1386 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1387                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1388 {
1389         secondary_ops->capset_set(target, effective, inheritable, permitted);
1390 }
1391
1392 static int selinux_capable(struct task_struct *tsk, int cap)
1393 {
1394         int rc;
1395
1396         rc = secondary_ops->capable(tsk, cap);
1397         if (rc)
1398                 return rc;
1399
1400         return task_has_capability(tsk,cap);
1401 }
1402
1403 static int selinux_sysctl(ctl_table *table, int op)
1404 {
1405         int error = 0;
1406         u32 av;
1407         struct task_security_struct *tsec;
1408         u32 tsid;
1409         int rc;
1410
1411         rc = secondary_ops->sysctl(table, op);
1412         if (rc)
1413                 return rc;
1414
1415         tsec = current->security;
1416
1417         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1418                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1419         if (rc) {
1420                 /* Default to the well-defined sysctl SID. */
1421                 tsid = SECINITSID_SYSCTL;
1422         }
1423
1424         /* The op values are "defined" in sysctl.c, thereby creating
1425          * a bad coupling between this module and sysctl.c */
1426         if(op == 001) {
1427                 error = avc_has_perm(tsec->sid, tsid,
1428                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1429         } else {
1430                 av = 0;
1431                 if (op & 004)
1432                         av |= FILE__READ;
1433                 if (op & 002)
1434                         av |= FILE__WRITE;
1435                 if (av)
1436                         error = avc_has_perm(tsec->sid, tsid,
1437                                              SECCLASS_FILE, av, NULL);
1438         }
1439
1440         return error;
1441 }
1442
1443 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1444 {
1445         int rc = 0;
1446
1447         if (!sb)
1448                 return 0;
1449
1450         switch (cmds) {
1451                 case Q_SYNC:
1452                 case Q_QUOTAON:
1453                 case Q_QUOTAOFF:
1454                 case Q_SETINFO:
1455                 case Q_SETQUOTA:
1456                         rc = superblock_has_perm(current,
1457                                                  sb,
1458                                                  FILESYSTEM__QUOTAMOD, NULL);
1459                         break;
1460                 case Q_GETFMT:
1461                 case Q_GETINFO:
1462                 case Q_GETQUOTA:
1463                         rc = superblock_has_perm(current,
1464                                                  sb,
1465                                                  FILESYSTEM__QUOTAGET, NULL);
1466                         break;
1467                 default:
1468                         rc = 0;  /* let the kernel handle invalid cmds */
1469                         break;
1470         }
1471         return rc;
1472 }
1473
1474 static int selinux_quota_on(struct dentry *dentry)
1475 {
1476         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1477 }
1478
1479 static int selinux_syslog(int type)
1480 {
1481         int rc;
1482
1483         rc = secondary_ops->syslog(type);
1484         if (rc)
1485                 return rc;
1486
1487         switch (type) {
1488                 case 3:         /* Read last kernel messages */
1489                 case 10:        /* Return size of the log buffer */
1490                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1491                         break;
1492                 case 6:         /* Disable logging to console */
1493                 case 7:         /* Enable logging to console */
1494                 case 8:         /* Set level of messages printed to console */
1495                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1496                         break;
1497                 case 0:         /* Close log */
1498                 case 1:         /* Open log */
1499                 case 2:         /* Read from log */
1500                 case 4:         /* Read/clear last kernel messages */
1501                 case 5:         /* Clear ring buffer */
1502                 default:
1503                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1504                         break;
1505         }
1506         return rc;
1507 }
1508
1509 /*
1510  * Check that a process has enough memory to allocate a new virtual
1511  * mapping. 0 means there is enough memory for the allocation to
1512  * succeed and -ENOMEM implies there is not.
1513  *
1514  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1515  * if the capability is granted, but __vm_enough_memory requires 1 if
1516  * the capability is granted.
1517  *
1518  * Do not audit the selinux permission check, as this is applied to all
1519  * processes that allocate mappings.
1520  */
1521 static int selinux_vm_enough_memory(long pages)
1522 {
1523         int rc, cap_sys_admin = 0;
1524         struct task_security_struct *tsec = current->security;
1525
1526         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1527         if (rc == 0)
1528                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1529                                         SECCLASS_CAPABILITY,
1530                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1531                                         NULL);
1532
1533         if (rc == 0)
1534                 cap_sys_admin = 1;
1535
1536         return __vm_enough_memory(pages, cap_sys_admin);
1537 }
1538
1539 /* binprm security operations */
1540
1541 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1542 {
1543         struct bprm_security_struct *bsec;
1544
1545         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1546         if (!bsec)
1547                 return -ENOMEM;
1548
1549         memset(bsec, 0, sizeof *bsec);
1550         bsec->magic = SELINUX_MAGIC;
1551         bsec->bprm = bprm;
1552         bsec->sid = SECINITSID_UNLABELED;
1553         bsec->set = 0;
1554
1555         bprm->security = bsec;
1556         return 0;
1557 }
1558
1559 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1560 {
1561         struct task_security_struct *tsec;
1562         struct inode *inode = bprm->file->f_dentry->d_inode;
1563         struct inode_security_struct *isec;
1564         struct bprm_security_struct *bsec;
1565         u32 newsid;
1566         struct avc_audit_data ad;
1567         int rc;
1568
1569         rc = secondary_ops->bprm_set_security(bprm);
1570         if (rc)
1571                 return rc;
1572
1573         bsec = bprm->security;
1574
1575         if (bsec->set)
1576                 return 0;
1577
1578         tsec = current->security;
1579         isec = inode->i_security;
1580
1581         /* Default to the current task SID. */
1582         bsec->sid = tsec->sid;
1583
1584         /* Reset create SID on execve. */
1585         tsec->create_sid = 0;
1586
1587         if (tsec->exec_sid) {
1588                 newsid = tsec->exec_sid;
1589                 /* Reset exec SID on execve. */
1590                 tsec->exec_sid = 0;
1591         } else {
1592                 /* Check for a default transition on this program. */
1593                 rc = security_transition_sid(tsec->sid, isec->sid,
1594                                              SECCLASS_PROCESS, &newsid);
1595                 if (rc)
1596                         return rc;
1597         }
1598
1599         AVC_AUDIT_DATA_INIT(&ad, FS);
1600         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1601         ad.u.fs.dentry = bprm->file->f_dentry;
1602
1603         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1604                 newsid = tsec->sid;
1605
1606         if (tsec->sid == newsid) {
1607                 rc = avc_has_perm(tsec->sid, isec->sid,
1608                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1609                 if (rc)
1610                         return rc;
1611         } else {
1612                 /* Check permissions for the transition. */
1613                 rc = avc_has_perm(tsec->sid, newsid,
1614                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1615                 if (rc)
1616                         return rc;
1617
1618                 rc = avc_has_perm(newsid, isec->sid,
1619                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1620                 if (rc)
1621                         return rc;
1622
1623                 /* Clear any possibly unsafe personality bits on exec: */
1624                 current->personality &= ~PER_CLEAR_ON_SETID;
1625
1626                 /* Set the security field to the new SID. */
1627                 bsec->sid = newsid;
1628         }
1629
1630         bsec->set = 1;
1631         return 0;
1632 }
1633
1634 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1635 {
1636         return secondary_ops->bprm_check_security(bprm);
1637 }
1638
1639
1640 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1641 {
1642         struct task_security_struct *tsec = current->security;
1643         int atsecure = 0;
1644
1645         if (tsec->osid != tsec->sid) {
1646                 /* Enable secure mode for SIDs transitions unless
1647                    the noatsecure permission is granted between
1648                    the two SIDs, i.e. ahp returns 0. */
1649                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1650                                          SECCLASS_PROCESS,
1651                                          PROCESS__NOATSECURE, NULL);
1652         }
1653
1654         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1655 }
1656
1657 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1658 {
1659         struct bprm_security_struct *bsec = bprm->security;
1660         bprm->security = NULL;
1661         kfree(bsec);
1662 }
1663
1664 extern struct vfsmount *selinuxfs_mount;
1665 extern struct dentry *selinux_null;
1666
1667 /* Derived from fs/exec.c:flush_old_files. */
1668 static inline void flush_unauthorized_files(struct files_struct * files)
1669 {
1670         struct avc_audit_data ad;
1671         struct file *file, *devnull = NULL;
1672         struct tty_struct *tty = current->signal->tty;
1673         long j = -1;
1674
1675         if (tty) {
1676                 file_list_lock();
1677                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1678                 if (file) {
1679                         /* Revalidate access to controlling tty.
1680                            Use inode_has_perm on the tty inode directly rather
1681                            than using file_has_perm, as this particular open
1682                            file may belong to another process and we are only
1683                            interested in the inode-based check here. */
1684                         struct inode *inode = file->f_dentry->d_inode;
1685                         if (inode_has_perm(current, inode,
1686                                            FILE__READ | FILE__WRITE, NULL)) {
1687                                 /* Reset controlling tty. */
1688                                 current->signal->tty = NULL;
1689                                 current->signal->tty_old_pgrp = 0;
1690                         }
1691                 }
1692                 file_list_unlock();
1693         }
1694
1695         /* Revalidate access to inherited open files. */
1696
1697         AVC_AUDIT_DATA_INIT(&ad,FS);
1698
1699         spin_lock(&files->file_lock);
1700         for (;;) {
1701                 unsigned long set, i;
1702                 int fd;
1703
1704                 j++;
1705                 i = j * __NFDBITS;
1706                 if (i >= files->max_fds || i >= files->max_fdset)
1707                         break;
1708                 set = files->open_fds->fds_bits[j];
1709                 if (!set)
1710                         continue;
1711                 spin_unlock(&files->file_lock);
1712                 for ( ; set ; i++,set >>= 1) {
1713                         if (set & 1) {
1714                                 file = fget(i);
1715                                 if (!file)
1716                                         continue;
1717                                 if (file_has_perm(current,
1718                                                   file,
1719                                                   file_to_av(file))) {
1720                                         sys_close(i);
1721                                         fd = get_unused_fd();
1722                                         if (fd != i) {
1723                                                 if (fd >= 0)
1724                                                         put_unused_fd(fd);
1725                                                 fput(file);
1726                                                 continue;
1727                                         }
1728                                         if (devnull) {
1729                                                 atomic_inc(&devnull->f_count);
1730                                         } else {
1731                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1732                                                 if (!devnull) {
1733                                                         put_unused_fd(fd);
1734                                                         fput(file);
1735                                                         continue;
1736                                                 }
1737                                         }
1738                                         fd_install(fd, devnull);
1739                                 }
1740                                 fput(file);
1741                         }
1742                 }
1743                 spin_lock(&files->file_lock);
1744
1745         }
1746         spin_unlock(&files->file_lock);
1747 }
1748
1749 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1750 {
1751         struct task_security_struct *tsec;
1752         struct bprm_security_struct *bsec;
1753         u32 sid;
1754         int rc;
1755
1756         secondary_ops->bprm_apply_creds(bprm, unsafe);
1757
1758         tsec = current->security;
1759
1760         bsec = bprm->security;
1761         sid = bsec->sid;
1762
1763         tsec->osid = tsec->sid;
1764         bsec->unsafe = 0;
1765         if (tsec->sid != sid) {
1766                 /* Check for shared state.  If not ok, leave SID
1767                    unchanged and kill. */
1768                 if (unsafe & LSM_UNSAFE_SHARE) {
1769                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1770                                         PROCESS__SHARE, NULL);
1771                         if (rc) {
1772                                 bsec->unsafe = 1;
1773                                 return;
1774                         }
1775                 }
1776
1777                 /* Check for ptracing, and update the task SID if ok.
1778                    Otherwise, leave SID unchanged and kill. */
1779                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1780                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1781                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1782                                           NULL);
1783                         if (rc) {
1784                                 bsec->unsafe = 1;
1785                                 return;
1786                         }
1787                 }
1788                 tsec->sid = sid;
1789         }
1790 }
1791
1792 /*
1793  * called after apply_creds without the task lock held
1794  */
1795 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1796 {
1797         struct task_security_struct *tsec;
1798         struct rlimit *rlim, *initrlim;
1799         struct itimerval itimer;
1800         struct bprm_security_struct *bsec;
1801         int rc, i;
1802
1803         tsec = current->security;
1804         bsec = bprm->security;
1805
1806         if (bsec->unsafe) {
1807                 force_sig_specific(SIGKILL, current);
1808                 return;
1809         }
1810         if (tsec->osid == tsec->sid)
1811                 return;
1812
1813         /* Close files for which the new task SID is not authorized. */
1814         flush_unauthorized_files(current->files);
1815
1816         /* Check whether the new SID can inherit signal state
1817            from the old SID.  If not, clear itimers to avoid
1818            subsequent signal generation and flush and unblock
1819            signals. This must occur _after_ the task SID has
1820           been updated so that any kill done after the flush
1821           will be checked against the new SID. */
1822         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1823                           PROCESS__SIGINH, NULL);
1824         if (rc) {
1825                 memset(&itimer, 0, sizeof itimer);
1826                 for (i = 0; i < 3; i++)
1827                         do_setitimer(i, &itimer, NULL);
1828                 flush_signals(current);
1829                 spin_lock_irq(&current->sighand->siglock);
1830                 flush_signal_handlers(current, 1);
1831                 sigemptyset(&current->blocked);
1832                 recalc_sigpending();
1833                 spin_unlock_irq(&current->sighand->siglock);
1834         }
1835
1836         /* Check whether the new SID can inherit resource limits
1837            from the old SID.  If not, reset all soft limits to
1838            the lower of the current task's hard limit and the init
1839            task's soft limit.  Note that the setting of hard limits
1840            (even to lower them) can be controlled by the setrlimit
1841            check. The inclusion of the init task's soft limit into
1842            the computation is to avoid resetting soft limits higher
1843            than the default soft limit for cases where the default
1844            is lower than the hard limit, e.g. RLIMIT_CORE or
1845            RLIMIT_STACK.*/
1846         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1847                           PROCESS__RLIMITINH, NULL);
1848         if (rc) {
1849                 for (i = 0; i < RLIM_NLIMITS; i++) {
1850                         rlim = current->signal->rlim + i;
1851                         initrlim = init_task.signal->rlim+i;
1852                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1853                 }
1854                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1855                         /*
1856                          * This will cause RLIMIT_CPU calculations
1857                          * to be refigured.
1858                          */
1859                         current->it_prof_expires = jiffies_to_cputime(1);
1860                 }
1861         }
1862
1863         /* Wake up the parent if it is waiting so that it can
1864            recheck wait permission to the new task SID. */
1865         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1866 }
1867
1868 /* superblock security operations */
1869
1870 static int selinux_sb_alloc_security(struct super_block *sb)
1871 {
1872         return superblock_alloc_security(sb);
1873 }
1874
1875 static void selinux_sb_free_security(struct super_block *sb)
1876 {
1877         superblock_free_security(sb);
1878 }
1879
1880 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1881 {
1882         if (plen > olen)
1883                 return 0;
1884
1885         return !memcmp(prefix, option, plen);
1886 }
1887
1888 static inline int selinux_option(char *option, int len)
1889 {
1890         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1891                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1892                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1893 }
1894
1895 static inline void take_option(char **to, char *from, int *first, int len)
1896 {
1897         if (!*first) {
1898                 **to = ',';
1899                 *to += 1;
1900         }
1901         else
1902                 *first = 0;
1903         memcpy(*to, from, len);
1904         *to += len;
1905 }
1906
1907 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1908 {
1909         int fnosec, fsec, rc = 0;
1910         char *in_save, *in_curr, *in_end;
1911         char *sec_curr, *nosec_save, *nosec;
1912
1913         in_curr = orig;
1914         sec_curr = copy;
1915
1916         /* Binary mount data: just copy */
1917         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1918                 copy_page(sec_curr, in_curr);
1919                 goto out;
1920         }
1921
1922         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1923         if (!nosec) {
1924                 rc = -ENOMEM;
1925                 goto out;
1926         }
1927
1928         nosec_save = nosec;
1929         fnosec = fsec = 1;
1930         in_save = in_end = orig;
1931
1932         do {
1933                 if (*in_end == ',' || *in_end == '\0') {
1934                         int len = in_end - in_curr;
1935
1936                         if (selinux_option(in_curr, len))
1937                                 take_option(&sec_curr, in_curr, &fsec, len);
1938                         else
1939                                 take_option(&nosec, in_curr, &fnosec, len);
1940
1941                         in_curr = in_end + 1;
1942                 }
1943         } while (*in_end++);
1944
1945         copy_page(in_save, nosec_save);
1946 out:
1947         return rc;
1948 }
1949
1950 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1951 {
1952         struct avc_audit_data ad;
1953         int rc;
1954
1955         rc = superblock_doinit(sb, data);
1956         if (rc)
1957                 return rc;
1958
1959         AVC_AUDIT_DATA_INIT(&ad,FS);
1960         ad.u.fs.dentry = sb->s_root;
1961         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1962 }
1963
1964 static int selinux_sb_statfs(struct super_block *sb)
1965 {
1966         struct avc_audit_data ad;
1967
1968         AVC_AUDIT_DATA_INIT(&ad,FS);
1969         ad.u.fs.dentry = sb->s_root;
1970         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1971 }
1972
1973 static int selinux_mount(char * dev_name,
1974                          struct nameidata *nd,
1975                          char * type,
1976                          unsigned long flags,
1977                          void * data)
1978 {
1979         int rc;
1980
1981         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1982         if (rc)
1983                 return rc;
1984
1985         if (flags & MS_REMOUNT)
1986                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1987                                            FILESYSTEM__REMOUNT, NULL);
1988         else
1989                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1990                                        FILE__MOUNTON);
1991 }
1992
1993 static int selinux_umount(struct vfsmount *mnt, int flags)
1994 {
1995         int rc;
1996
1997         rc = secondary_ops->sb_umount(mnt, flags);
1998         if (rc)
1999                 return rc;
2000
2001         return superblock_has_perm(current,mnt->mnt_sb,
2002                                    FILESYSTEM__UNMOUNT,NULL);
2003 }
2004
2005 /* inode security operations */
2006
2007 static int selinux_inode_alloc_security(struct inode *inode)
2008 {
2009         return inode_alloc_security(inode);
2010 }
2011
2012 static void selinux_inode_free_security(struct inode *inode)
2013 {
2014         inode_free_security(inode);
2015 }
2016
2017 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2018 {
2019         return may_create(dir, dentry, SECCLASS_FILE);
2020 }
2021
2022 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2023 {
2024         post_create(dir, dentry);
2025 }
2026
2027 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2028 {
2029         int rc;
2030
2031         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2032         if (rc)
2033                 return rc;
2034         return may_link(dir, old_dentry, MAY_LINK);
2035 }
2036
2037 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2038 {
2039         return;
2040 }
2041
2042 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2043 {
2044         int rc;
2045
2046         rc = secondary_ops->inode_unlink(dir, dentry);
2047         if (rc)
2048                 return rc;
2049         return may_link(dir, dentry, MAY_UNLINK);
2050 }
2051
2052 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2053 {
2054         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2055 }
2056
2057 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2058 {
2059         post_create(dir, dentry);
2060 }
2061
2062 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2063 {
2064         return may_create(dir, dentry, SECCLASS_DIR);
2065 }
2066
2067 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2068 {
2069         post_create(dir, dentry);
2070 }
2071
2072 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2073 {
2074         return may_link(dir, dentry, MAY_RMDIR);
2075 }
2076
2077 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2078 {
2079         int rc;
2080
2081         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2082         if (rc)
2083                 return rc;
2084
2085         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2086 }
2087
2088 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2089 {
2090         post_create(dir, dentry);
2091 }
2092
2093 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2094                                 struct inode *new_inode, struct dentry *new_dentry)
2095 {
2096         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2097 }
2098
2099 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2100                                       struct inode *new_inode, struct dentry *new_dentry)
2101 {
2102         return;
2103 }
2104
2105 static int selinux_inode_readlink(struct dentry *dentry)
2106 {
2107         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2108 }
2109
2110 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2111 {
2112         int rc;
2113
2114         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2115         if (rc)
2116                 return rc;
2117         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2118 }
2119
2120 static int selinux_inode_permission(struct inode *inode, int mask,
2121                                     struct nameidata *nd)
2122 {
2123         int rc;
2124
2125         rc = secondary_ops->inode_permission(inode, mask, nd);
2126         if (rc)
2127                 return rc;
2128
2129         if (!mask) {
2130                 /* No permission to check.  Existence test. */
2131                 return 0;
2132         }
2133
2134         return inode_has_perm(current, inode,
2135                                file_mask_to_av(inode->i_mode, mask), NULL);
2136 }
2137
2138 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2139 {
2140         int rc;
2141
2142         rc = secondary_ops->inode_setattr(dentry, iattr);
2143         if (rc)
2144                 return rc;
2145
2146         if (iattr->ia_valid & ATTR_FORCE)
2147                 return 0;
2148
2149         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2150                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2151                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2152
2153         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2154 }
2155
2156 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2157 {
2158         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2159 }
2160
2161 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2162 {
2163         struct task_security_struct *tsec = current->security;
2164         struct inode *inode = dentry->d_inode;
2165         struct inode_security_struct *isec = inode->i_security;
2166         struct superblock_security_struct *sbsec;
2167         struct avc_audit_data ad;
2168         u32 newsid;
2169         int rc = 0;
2170
2171         if (strcmp(name, XATTR_NAME_SELINUX)) {
2172                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2173                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2174                     !capable(CAP_SYS_ADMIN)) {
2175                         /* A different attribute in the security namespace.
2176                            Restrict to administrator. */
2177                         return -EPERM;
2178                 }
2179
2180                 /* Not an attribute we recognize, so just check the
2181                    ordinary setattr permission. */
2182                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2183         }
2184
2185         sbsec = inode->i_sb->s_security;
2186         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2187                 return -EOPNOTSUPP;
2188
2189         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2190                 return -EPERM;
2191
2192         AVC_AUDIT_DATA_INIT(&ad,FS);
2193         ad.u.fs.dentry = dentry;
2194
2195         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2196                           FILE__RELABELFROM, &ad);
2197         if (rc)
2198                 return rc;
2199
2200         rc = security_context_to_sid(value, size, &newsid);
2201         if (rc)
2202                 return rc;
2203
2204         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2205                           FILE__RELABELTO, &ad);
2206         if (rc)
2207                 return rc;
2208
2209         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2210                                           isec->sclass);
2211         if (rc)
2212                 return rc;
2213
2214         return avc_has_perm(newsid,
2215                             sbsec->sid,
2216                             SECCLASS_FILESYSTEM,
2217                             FILESYSTEM__ASSOCIATE,
2218                             &ad);
2219 }
2220
2221 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2222                                         void *value, size_t size, int flags)
2223 {
2224         struct inode *inode = dentry->d_inode;
2225         struct inode_security_struct *isec = inode->i_security;
2226         u32 newsid;
2227         int rc;
2228
2229         if (strcmp(name, XATTR_NAME_SELINUX)) {
2230                 /* Not an attribute we recognize, so nothing to do. */
2231                 return;
2232         }
2233
2234         rc = security_context_to_sid(value, size, &newsid);
2235         if (rc) {
2236                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2237                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2238                 return;
2239         }
2240
2241         isec->sid = newsid;
2242         return;
2243 }
2244
2245 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2246 {
2247         struct inode *inode = dentry->d_inode;
2248         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2249
2250         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2251                 return -EOPNOTSUPP;
2252
2253         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2254 }
2255
2256 static int selinux_inode_listxattr (struct dentry *dentry)
2257 {
2258         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2259 }
2260
2261 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2262 {
2263         if (strcmp(name, XATTR_NAME_SELINUX)) {
2264                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2265                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2266                     !capable(CAP_SYS_ADMIN)) {
2267                         /* A different attribute in the security namespace.
2268                            Restrict to administrator. */
2269                         return -EPERM;
2270                 }
2271
2272                 /* Not an attribute we recognize, so just check the
2273                    ordinary setattr permission. Might want a separate
2274                    permission for removexattr. */
2275                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2276         }
2277
2278         /* No one is allowed to remove a SELinux security label.
2279            You can change the label, but all data must be labeled. */
2280         return -EACCES;
2281 }
2282
2283 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2284 {
2285         struct inode_security_struct *isec = inode->i_security;
2286         char *context;
2287         unsigned len;
2288         int rc;
2289
2290         /* Permission check handled by selinux_inode_getxattr hook.*/
2291
2292         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2293                 return -EOPNOTSUPP;
2294
2295         rc = security_sid_to_context(isec->sid, &context, &len);
2296         if (rc)
2297                 return rc;
2298
2299         if (!buffer || !size) {
2300                 kfree(context);
2301                 return len;
2302         }
2303         if (size < len) {
2304                 kfree(context);
2305                 return -ERANGE;
2306         }
2307         memcpy(buffer, context, len);
2308         kfree(context);
2309         return len;
2310 }
2311
2312 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2313                                      const void *value, size_t size, int flags)
2314 {
2315         struct inode_security_struct *isec = inode->i_security;
2316         u32 newsid;
2317         int rc;
2318
2319         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2320                 return -EOPNOTSUPP;
2321
2322         if (!value || !size)
2323                 return -EACCES;
2324
2325         rc = security_context_to_sid((void*)value, size, &newsid);
2326         if (rc)
2327                 return rc;
2328
2329         isec->sid = newsid;
2330         return 0;
2331 }
2332
2333 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2334 {
2335         const int len = sizeof(XATTR_NAME_SELINUX);
2336         if (buffer && len <= buffer_size)
2337                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2338         return len;
2339 }
2340
2341 /* file security operations */
2342
2343 static int selinux_file_permission(struct file *file, int mask)
2344 {
2345         struct inode *inode = file->f_dentry->d_inode;
2346
2347         if (!mask) {
2348                 /* No permission to check.  Existence test. */
2349                 return 0;
2350         }
2351
2352         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2353         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2354                 mask |= MAY_APPEND;
2355
2356         return file_has_perm(current, file,
2357                              file_mask_to_av(inode->i_mode, mask));
2358 }
2359
2360 static int selinux_file_alloc_security(struct file *file)
2361 {
2362         return file_alloc_security(file);
2363 }
2364
2365 static void selinux_file_free_security(struct file *file)
2366 {
2367         file_free_security(file);
2368 }
2369
2370 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2371                               unsigned long arg)
2372 {
2373         int error = 0;
2374
2375         switch (cmd) {
2376                 case FIONREAD:
2377                 /* fall through */
2378                 case FIBMAP:
2379                 /* fall through */
2380                 case FIGETBSZ:
2381                 /* fall through */
2382                 case EXT2_IOC_GETFLAGS:
2383                 /* fall through */
2384                 case EXT2_IOC_GETVERSION:
2385                         error = file_has_perm(current, file, FILE__GETATTR);
2386                         break;
2387
2388                 case EXT2_IOC_SETFLAGS:
2389                 /* fall through */
2390                 case EXT2_IOC_SETVERSION:
2391                         error = file_has_perm(current, file, FILE__SETATTR);
2392                         break;
2393
2394                 /* sys_ioctl() checks */
2395                 case FIONBIO:
2396                 /* fall through */
2397                 case FIOASYNC:
2398                         error = file_has_perm(current, file, 0);
2399                         break;
2400
2401                 case KDSKBENT:
2402                 case KDSKBSENT:
2403                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2404                         break;
2405
2406                 /* default case assumes that the command will go
2407                  * to the file's ioctl() function.
2408                  */
2409                 default:
2410                         error = file_has_perm(current, file, FILE__IOCTL);
2411
2412         }
2413         return error;
2414 }
2415
2416 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2417 {
2418 #ifndef CONFIG_PPC32
2419         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2420                 /*
2421                  * We are making executable an anonymous mapping or a
2422                  * private file mapping that will also be writable.
2423                  * This has an additional check.
2424                  */
2425                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2426                 if (rc)
2427                         return rc;
2428         }
2429 #endif
2430
2431         if (file) {
2432                 /* read access is always possible with a mapping */
2433                 u32 av = FILE__READ;
2434
2435                 /* write access only matters if the mapping is shared */
2436                 if (shared && (prot & PROT_WRITE))
2437                         av |= FILE__WRITE;
2438
2439                 if (prot & PROT_EXEC)
2440                         av |= FILE__EXECUTE;
2441
2442                 return file_has_perm(current, file, av);
2443         }
2444         return 0;
2445 }
2446
2447 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2448                              unsigned long prot, unsigned long flags)
2449 {
2450         int rc;
2451
2452         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2453         if (rc)
2454                 return rc;
2455
2456         if (selinux_checkreqprot)
2457                 prot = reqprot;
2458
2459         return file_map_prot_check(file, prot,
2460                                    (flags & MAP_TYPE) == MAP_SHARED);
2461 }
2462
2463 static int selinux_file_mprotect(struct vm_area_struct *vma,
2464                                  unsigned long reqprot,
2465                                  unsigned long prot)
2466 {
2467         int rc;
2468
2469         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2470         if (rc)
2471                 return rc;
2472
2473         if (selinux_checkreqprot)
2474                 prot = reqprot;
2475
2476 #ifndef CONFIG_PPC32
2477         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2478                 /*
2479                  * We are making executable a file mapping that has
2480                  * had some COW done. Since pages might have been written,
2481                  * check ability to execute the possibly modified content.
2482                  * This typically should only occur for text relocations.
2483                  */
2484                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2485                 if (rc)
2486                         return rc;
2487         }
2488 #endif
2489
2490         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2491 }
2492
2493 static int selinux_file_lock(struct file *file, unsigned int cmd)
2494 {
2495         return file_has_perm(current, file, FILE__LOCK);
2496 }
2497
2498 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2499                               unsigned long arg)
2500 {
2501         int err = 0;
2502
2503         switch (cmd) {
2504                 case F_SETFL:
2505                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2506                                 err = -EINVAL;
2507                                 break;
2508                         }
2509
2510                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2511                                 err = file_has_perm(current, file,FILE__WRITE);
2512                                 break;
2513                         }
2514                         /* fall through */
2515                 case F_SETOWN:
2516                 case F_SETSIG:
2517                 case F_GETFL:
2518                 case F_GETOWN:
2519                 case F_GETSIG:
2520                         /* Just check FD__USE permission */
2521                         err = file_has_perm(current, file, 0);
2522                         break;
2523                 case F_GETLK:
2524                 case F_SETLK:
2525                 case F_SETLKW:
2526 #if BITS_PER_LONG == 32
2527                 case F_GETLK64:
2528                 case F_SETLK64:
2529                 case F_SETLKW64:
2530 #endif
2531                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2532                                 err = -EINVAL;
2533                                 break;
2534                         }
2535                         err = file_has_perm(current, file, FILE__LOCK);
2536                         break;
2537         }
2538
2539         return err;
2540 }
2541
2542 static int selinux_file_set_fowner(struct file *file)
2543 {
2544         struct task_security_struct *tsec;
2545         struct file_security_struct *fsec;
2546
2547         tsec = current->security;
2548         fsec = file->f_security;
2549         fsec->fown_sid = tsec->sid;
2550
2551         return 0;
2552 }
2553
2554 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2555                                        struct fown_struct *fown, int signum)
2556 {
2557         struct file *file;
2558         u32 perm;
2559         struct task_security_struct *tsec;
2560         struct file_security_struct *fsec;
2561
2562         /* struct fown_struct is never outside the context of a struct file */
2563         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2564
2565         tsec = tsk->security;
2566         fsec = file->f_security;
2567
2568         if (!signum)
2569                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2570         else
2571                 perm = signal_to_av(signum);
2572
2573         return avc_has_perm(fsec->fown_sid, tsec->sid,
2574                             SECCLASS_PROCESS, perm, NULL);
2575 }
2576
2577 static int selinux_file_receive(struct file *file)
2578 {
2579         return file_has_perm(current, file, file_to_av(file));
2580 }
2581
2582 /* task security operations */
2583
2584 static int selinux_task_create(unsigned long clone_flags)
2585 {
2586         int rc;
2587
2588         rc = secondary_ops->task_create(clone_flags);
2589         if (rc)
2590                 return rc;
2591
2592         return task_has_perm(current, current, PROCESS__FORK);
2593 }
2594
2595 static int selinux_task_alloc_security(struct task_struct *tsk)
2596 {
2597         struct task_security_struct *tsec1, *tsec2;
2598         int rc;
2599
2600         tsec1 = current->security;
2601
2602         rc = task_alloc_security(tsk);
2603         if (rc)
2604                 return rc;
2605         tsec2 = tsk->security;
2606
2607         tsec2->osid = tsec1->osid;
2608         tsec2->sid = tsec1->sid;
2609
2610         /* Retain the exec and create SIDs across fork */
2611         tsec2->exec_sid = tsec1->exec_sid;
2612         tsec2->create_sid = tsec1->create_sid;
2613
2614         /* Retain ptracer SID across fork, if any.
2615            This will be reset by the ptrace hook upon any
2616            subsequent ptrace_attach operations. */
2617         tsec2->ptrace_sid = tsec1->ptrace_sid;
2618
2619         return 0;
2620 }
2621
2622 static void selinux_task_free_security(struct task_struct *tsk)
2623 {
2624         task_free_security(tsk);
2625 }
2626
2627 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2628 {
2629         /* Since setuid only affects the current process, and
2630            since the SELinux controls are not based on the Linux
2631            identity attributes, SELinux does not need to control
2632            this operation.  However, SELinux does control the use
2633            of the CAP_SETUID and CAP_SETGID capabilities using the
2634            capable hook. */
2635         return 0;
2636 }
2637
2638 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2639 {
2640         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2641 }
2642
2643 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2644 {
2645         /* See the comment for setuid above. */
2646         return 0;
2647 }
2648
2649 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2650 {
2651         return task_has_perm(current, p, PROCESS__SETPGID);
2652 }
2653
2654 static int selinux_task_getpgid(struct task_struct *p)
2655 {
2656         return task_has_perm(current, p, PROCESS__GETPGID);
2657 }
2658
2659 static int selinux_task_getsid(struct task_struct *p)
2660 {
2661         return task_has_perm(current, p, PROCESS__GETSESSION);
2662 }
2663
2664 static int selinux_task_setgroups(struct group_info *group_info)
2665 {
2666         /* See the comment for setuid above. */
2667         return 0;
2668 }
2669
2670 static int selinux_task_setnice(struct task_struct *p, int nice)
2671 {
2672         int rc;
2673
2674         rc = secondary_ops->task_setnice(p, nice);
2675         if (rc)
2676                 return rc;
2677
2678         return task_has_perm(current,p, PROCESS__SETSCHED);
2679 }
2680
2681 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2682 {
2683         struct rlimit *old_rlim = current->signal->rlim + resource;
2684         int rc;
2685
2686         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2687         if (rc)
2688                 return rc;
2689
2690         /* Control the ability to change the hard limit (whether
2691            lowering or raising it), so that the hard limit can
2692            later be used as a safe reset point for the soft limit
2693            upon context transitions. See selinux_bprm_apply_creds. */
2694         if (old_rlim->rlim_max != new_rlim->rlim_max)
2695                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2696
2697         return 0;
2698 }
2699
2700 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2701 {
2702         return task_has_perm(current, p, PROCESS__SETSCHED);
2703 }
2704
2705 static int selinux_task_getscheduler(struct task_struct *p)
2706 {
2707         return task_has_perm(current, p, PROCESS__GETSCHED);
2708 }
2709
2710 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2711 {
2712         u32 perm;
2713         int rc;
2714
2715         rc = secondary_ops->task_kill(p, info, sig);
2716         if (rc)
2717                 return rc;
2718
2719         if (info && ((unsigned long)info == 1 ||
2720                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2721                 return 0;
2722
2723         if (!sig)
2724                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2725         else
2726                 perm = signal_to_av(sig);
2727
2728         return task_has_perm(current, p, perm);
2729 }
2730
2731 static int selinux_task_prctl(int option,
2732                               unsigned long arg2,
2733                               unsigned long arg3,
2734                               unsigned long arg4,
2735                               unsigned long arg5)
2736 {
2737         /* The current prctl operations do not appear to require
2738            any SELinux controls since they merely observe or modify
2739            the state of the current process. */
2740         return 0;
2741 }
2742
2743 static int selinux_task_wait(struct task_struct *p)
2744 {
2745         u32 perm;
2746
2747         perm = signal_to_av(p->exit_signal);
2748
2749         return task_has_perm(p, current, perm);
2750 }
2751
2752 static void selinux_task_reparent_to_init(struct task_struct *p)
2753 {
2754         struct task_security_struct *tsec;
2755
2756         secondary_ops->task_reparent_to_init(p);
2757
2758         tsec = p->security;
2759         tsec->osid = tsec->sid;
2760         tsec->sid = SECINITSID_KERNEL;
2761         return;
2762 }
2763
2764 static void selinux_task_to_inode(struct task_struct *p,
2765                                   struct inode *inode)
2766 {
2767         struct task_security_struct *tsec = p->security;
2768         struct inode_security_struct *isec = inode->i_security;
2769
2770         isec->sid = tsec->sid;
2771         isec->initialized = 1;
2772         return;
2773 }
2774
2775 #ifdef CONFIG_SECURITY_NETWORK
2776
2777 /* Returns error only if unable to parse addresses */
2778 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2779 {
2780         int offset, ihlen, ret = -EINVAL;
2781         struct iphdr _iph, *ih;
2782
2783         offset = skb->nh.raw - skb->data;
2784         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2785         if (ih == NULL)
2786                 goto out;
2787
2788         ihlen = ih->ihl * 4;
2789         if (ihlen < sizeof(_iph))
2790                 goto out;
2791
2792         ad->u.net.v4info.saddr = ih->saddr;
2793         ad->u.net.v4info.daddr = ih->daddr;
2794         ret = 0;
2795
2796         switch (ih->protocol) {
2797         case IPPROTO_TCP: {
2798                 struct tcphdr _tcph, *th;
2799
2800                 if (ntohs(ih->frag_off) & IP_OFFSET)
2801                         break;
2802
2803                 offset += ihlen;
2804                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2805                 if (th == NULL)
2806                         break;
2807
2808                 ad->u.net.sport = th->source;
2809                 ad->u.net.dport = th->dest;
2810                 break;
2811         }
2812         
2813         case IPPROTO_UDP: {
2814                 struct udphdr _udph, *uh;
2815                 
2816                 if (ntohs(ih->frag_off) & IP_OFFSET)
2817                         break;
2818                         
2819                 offset += ihlen;
2820                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2821                 if (uh == NULL)
2822                         break;  
2823
2824                 ad->u.net.sport = uh->source;
2825                 ad->u.net.dport = uh->dest;
2826                 break;
2827         }
2828
2829         default:
2830                 break;
2831         }
2832 out:
2833         return ret;
2834 }
2835
2836 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2837
2838 /* Returns error only if unable to parse addresses */
2839 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2840 {
2841         u8 nexthdr;
2842         int ret = -EINVAL, offset;
2843         struct ipv6hdr _ipv6h, *ip6;
2844
2845         offset = skb->nh.raw - skb->data;
2846         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2847         if (ip6 == NULL)
2848                 goto out;
2849
2850         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2851         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2852         ret = 0;
2853
2854         nexthdr = ip6->nexthdr;
2855         offset += sizeof(_ipv6h);
2856         offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2857                                   skb->tail - skb->head - offset);
2858         if (offset < 0)
2859                 goto out;
2860
2861         switch (nexthdr) {
2862         case IPPROTO_TCP: {
2863                 struct tcphdr _tcph, *th;
2864
2865                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2866                 if (th == NULL)
2867                         break;
2868
2869                 ad->u.net.sport = th->source;
2870                 ad->u.net.dport = th->dest;
2871                 break;
2872         }
2873
2874         case IPPROTO_UDP: {
2875                 struct udphdr _udph, *uh;
2876
2877                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2878                 if (uh == NULL)
2879                         break;
2880
2881                 ad->u.net.sport = uh->source;
2882                 ad->u.net.dport = uh->dest;
2883                 break;
2884         }
2885
2886         /* includes fragments */
2887         default:
2888                 break;
2889         }
2890 out:
2891         return ret;
2892 }
2893
2894 #endif /* IPV6 */
2895
2896 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2897                              char **addrp, int *len, int src)
2898 {
2899         int ret = 0;
2900
2901         switch (ad->u.net.family) {
2902         case PF_INET:
2903                 ret = selinux_parse_skb_ipv4(skb, ad);
2904                 if (ret || !addrp)
2905                         break;
2906                 *len = 4;
2907                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2908                                         &ad->u.net.v4info.daddr);
2909                 break;
2910
2911 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2912         case PF_INET6:
2913                 ret = selinux_parse_skb_ipv6(skb, ad);
2914                 if (ret || !addrp)
2915                         break;
2916                 *len = 16;
2917                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2918                                         &ad->u.net.v6info.daddr);
2919                 break;
2920 #endif  /* IPV6 */
2921         default:
2922                 break;
2923         }
2924
2925         return ret;
2926 }
2927
2928 /* socket security operations */
2929 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2930                            u32 perms)
2931 {
2932         struct inode_security_struct *isec;
2933         struct task_security_struct *tsec;
2934         struct avc_audit_data ad;
2935         int err = 0;
2936
2937         tsec = task->security;
2938         isec = SOCK_INODE(sock)->i_security;
2939
2940         if (isec->sid == SECINITSID_KERNEL)
2941                 goto out;
2942
2943         AVC_AUDIT_DATA_INIT(&ad,NET);
2944         ad.u.net.sk = sock->sk;
2945         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2946
2947 out:
2948         return err;
2949 }
2950
2951 static int selinux_socket_create(int family, int type,
2952                                  int protocol, int kern)
2953 {
2954         int err = 0;
2955         struct task_security_struct *tsec;
2956
2957         if (kern)
2958                 goto out;
2959
2960         tsec = current->security;
2961         err = avc_has_perm(tsec->sid, tsec->sid,
2962                            socket_type_to_security_class(family, type,
2963                            protocol), SOCKET__CREATE, NULL);
2964
2965 out:
2966         return err;
2967 }
2968
2969 static void selinux_socket_post_create(struct socket *sock, int family,
2970                                        int type, int protocol, int kern)
2971 {
2972         struct inode_security_struct *isec;
2973         struct task_security_struct *tsec;
2974
2975         isec = SOCK_INODE(sock)->i_security;
2976
2977         tsec = current->security;
2978         isec->sclass = socket_type_to_security_class(family, type, protocol);
2979         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2980         isec->initialized = 1;
2981
2982         return;
2983 }
2984
2985 /* Range of port numbers used to automatically bind.
2986    Need to determine whether we should perform a name_bind
2987    permission check between the socket and the port number. */
2988 #define ip_local_port_range_0 sysctl_local_port_range[0]
2989 #define ip_local_port_range_1 sysctl_local_port_range[1]
2990
2991 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2992 {
2993         u16 family;
2994         int err;
2995
2996         err = socket_has_perm(current, sock, SOCKET__BIND);
2997         if (err)
2998                 goto out;
2999
3000         /*
3001          * If PF_INET or PF_INET6, check name_bind permission for the port.
3002          */
3003         family = sock->sk->sk_family;
3004         if (family == PF_INET || family == PF_INET6) {
3005                 char *addrp;
3006                 struct inode_security_struct *isec;
3007                 struct task_security_struct *tsec;
3008                 struct avc_audit_data ad;
3009                 struct sockaddr_in *addr4 = NULL;
3010                 struct sockaddr_in6 *addr6 = NULL;
3011                 unsigned short snum;
3012                 struct sock *sk = sock->sk;
3013                 u32 sid, node_perm, addrlen;
3014
3015                 tsec = current->security;
3016                 isec = SOCK_INODE(sock)->i_security;
3017
3018                 if (family == PF_INET) {
3019                         addr4 = (struct sockaddr_in *)address;
3020                         snum = ntohs(addr4->sin_port);
3021                         addrlen = sizeof(addr4->sin_addr.s_addr);
3022                         addrp = (char *)&addr4->sin_addr.s_addr;
3023                 } else {
3024                         addr6 = (struct sockaddr_in6 *)address;
3025                         snum = ntohs(addr6->sin6_port);
3026                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3027                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3028                 }
3029
3030                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3031                            snum > ip_local_port_range_1)) {
3032                         err = security_port_sid(sk->sk_family, sk->sk_type,
3033                                                 sk->sk_protocol, snum, &sid);
3034                         if (err)
3035                                 goto out;
3036                         AVC_AUDIT_DATA_INIT(&ad,NET);
3037                         ad.u.net.sport = htons(snum);
3038                         ad.u.net.family = family;
3039                         err = avc_has_perm(isec->sid, sid,
3040                                            isec->sclass,
3041                                            SOCKET__NAME_BIND, &ad);
3042                         if (err)
3043                                 goto out;
3044                 }
3045                 
3046                 switch(sk->sk_protocol) {
3047                 case IPPROTO_TCP:
3048                         node_perm = TCP_SOCKET__NODE_BIND;
3049                         break;
3050                         
3051                 case IPPROTO_UDP:
3052                         node_perm = UDP_SOCKET__NODE_BIND;
3053                         break;
3054                         
3055                 default:
3056                         node_perm = RAWIP_SOCKET__NODE_BIND;
3057                         break;
3058                 }
3059                 
3060                 err = security_node_sid(family, addrp, addrlen, &sid);
3061                 if (err)
3062                         goto out;
3063                 
3064                 AVC_AUDIT_DATA_INIT(&ad,NET);
3065                 ad.u.net.sport = htons(snum);
3066                 ad.u.net.family = family;
3067
3068                 if (family == PF_INET)
3069                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3070                 else
3071                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3072
3073                 err = avc_has_perm(isec->sid, sid,
3074                                    isec->sclass, node_perm, &ad);
3075                 if (err)
3076                         goto out;
3077         }
3078 out:
3079         return err;
3080 }
3081
3082 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3083 {
3084         struct inode_security_struct *isec;
3085         int err;
3086
3087         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3088         if (err)
3089                 return err;
3090
3091         /*
3092          * If a TCP socket, check name_connect permission for the port.
3093          */
3094         isec = SOCK_INODE(sock)->i_security;
3095         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3096                 struct sock *sk = sock->sk;
3097                 struct avc_audit_data ad;
3098                 struct sockaddr_in *addr4 = NULL;
3099                 struct sockaddr_in6 *addr6 = NULL;
3100                 unsigned short snum;
3101                 u32 sid;
3102
3103                 if (sk->sk_family == PF_INET) {
3104                         addr4 = (struct sockaddr_in *)address;
3105                         if (addrlen != sizeof(struct sockaddr_in))
3106                                 return -EINVAL;
3107                         snum = ntohs(addr4->sin_port);
3108                 } else {
3109                         addr6 = (struct sockaddr_in6 *)address;
3110                         if (addrlen != sizeof(struct sockaddr_in6))
3111                                 return -EINVAL;
3112                         snum = ntohs(addr6->sin6_port);
3113                 }
3114
3115                 err = security_port_sid(sk->sk_family, sk->sk_type,
3116                                         sk->sk_protocol, snum, &sid);
3117                 if (err)
3118                         goto out;
3119
3120                 AVC_AUDIT_DATA_INIT(&ad,NET);
3121                 ad.u.net.dport = htons(snum);
3122                 ad.u.net.family = sk->sk_family;
3123                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3124                                    TCP_SOCKET__NAME_CONNECT, &ad);
3125                 if (err)
3126                         goto out;
3127         }
3128
3129 out:
3130         return err;
3131 }
3132
3133 static int selinux_socket_listen(struct socket *sock, int backlog)
3134 {
3135         return socket_has_perm(current, sock, SOCKET__LISTEN);
3136 }
3137
3138 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3139 {
3140         int err;
3141         struct inode_security_struct *isec;
3142         struct inode_security_struct *newisec;
3143
3144         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3145         if (err)
3146                 return err;
3147
3148         newisec = SOCK_INODE(newsock)->i_security;
3149
3150         isec = SOCK_INODE(sock)->i_security;
3151         newisec->sclass = isec->sclass;
3152         newisec->sid = isec->sid;
3153         newisec->initialized = 1;
3154
3155         return 0;
3156 }
3157
3158 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3159                                   int size)
3160 {
3161         return socket_has_perm(current, sock, SOCKET__WRITE);
3162 }
3163
3164 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3165                                   int size, int flags)
3166 {
3167         return socket_has_perm(current, sock, SOCKET__READ);
3168 }
3169
3170 static int selinux_socket_getsockname(struct socket *sock)
3171 {
3172         return socket_has_perm(current, sock, SOCKET__GETATTR);
3173 }
3174
3175 static int selinux_socket_getpeername(struct socket *sock)
3176 {
3177         return socket_has_perm(current, sock, SOCKET__GETATTR);
3178 }
3179
3180 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3181 {
3182         return socket_has_perm(current, sock, SOCKET__SETOPT);
3183 }
3184
3185 static int selinux_socket_getsockopt(struct socket *sock, int level,
3186                                      int optname)
3187 {
3188         return socket_has_perm(current, sock, SOCKET__GETOPT);
3189 }
3190
3191 static int selinux_socket_shutdown(struct socket *sock, int how)
3192 {
3193         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3194 }
3195
3196 static int selinux_socket_unix_stream_connect(struct socket *sock,
3197                                               struct socket *other,
3198                                               struct sock *newsk)
3199 {
3200         struct sk_security_struct *ssec;
3201         struct inode_security_struct *isec;
3202         struct inode_security_struct *other_isec;
3203         struct avc_audit_data ad;
3204         int err;
3205
3206         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3207         if (err)
3208                 return err;
3209
3210         isec = SOCK_INODE(sock)->i_security;
3211         other_isec = SOCK_INODE(other)->i_security;
3212
3213         AVC_AUDIT_DATA_INIT(&ad,NET);
3214         ad.u.net.sk = other->sk;
3215
3216         err = avc_has_perm(isec->sid, other_isec->sid,
3217                            isec->sclass,
3218                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3219         if (err)
3220                 return err;
3221
3222         /* connecting socket */
3223         ssec = sock->sk->sk_security;
3224         ssec->peer_sid = other_isec->sid;
3225         
3226         /* server child socket */
3227         ssec = newsk->sk_security;
3228         ssec->peer_sid = isec->sid;
3229         
3230         return 0;
3231 }
3232
3233 static int selinux_socket_unix_may_send(struct socket *sock,
3234                                         struct socket *other)
3235 {
3236         struct inode_security_struct *isec;
3237         struct inode_security_struct *other_isec;
3238         struct avc_audit_data ad;
3239         int err;
3240
3241         isec = SOCK_INODE(sock)->i_security;
3242         other_isec = SOCK_INODE(other)->i_security;
3243
3244         AVC_AUDIT_DATA_INIT(&ad,NET);
3245         ad.u.net.sk = other->sk;
3246
3247         err = avc_has_perm(isec->sid, other_isec->sid,
3248                            isec->sclass, SOCKET__SENDTO, &ad);
3249         if (err)
3250                 return err;
3251
3252         return 0;
3253 }
3254
3255 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3256 {
3257         u16 family;
3258         char *addrp;
3259         int len, err = 0;
3260         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3261         u32 sock_sid = 0;
3262         u16 sock_class = 0;
3263         struct socket *sock;
3264         struct net_device *dev;
3265         struct avc_audit_data ad;
3266
3267         family = sk->sk_family;
3268         if (family != PF_INET && family != PF_INET6)
3269                 goto out;
3270
3271         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3272         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3273                 family = PF_INET;
3274
3275         read_lock_bh(&sk->sk_callback_lock);
3276         sock = sk->sk_socket;
3277         if (sock) {
3278                 struct inode *inode;
3279                 inode = SOCK_INODE(sock);
3280                 if (inode) {
3281                         struct inode_security_struct *isec;
3282                         isec = inode->i_security;
3283                         sock_sid = isec->sid;
3284                         sock_class = isec->sclass;
3285                 }
3286         }
3287         read_unlock_bh(&sk->sk_callback_lock);
3288         if (!sock_sid)
3289                 goto out;
3290
3291         dev = skb->dev;
3292         if (!dev)
3293                 goto out;
3294
3295         err = sel_netif_sids(dev, &if_sid, NULL);
3296         if (err)
3297                 goto out;
3298
3299         switch (sock_class) {
3300         case SECCLASS_UDP_SOCKET:
3301                 netif_perm = NETIF__UDP_RECV;
3302                 node_perm = NODE__UDP_RECV;
3303                 recv_perm = UDP_SOCKET__RECV_MSG;
3304                 break;
3305         
3306         case SECCLASS_TCP_SOCKET:
3307                 netif_perm = NETIF__TCP_RECV;
3308                 node_perm = NODE__TCP_RECV;
3309                 recv_perm = TCP_SOCKET__RECV_MSG;
3310                 break;
3311         
3312         default:
3313                 netif_perm = NETIF__RAWIP_RECV;
3314                 node_perm = NODE__RAWIP_RECV;
3315                 break;
3316         }
3317
3318         AVC_AUDIT_DATA_INIT(&ad, NET);
3319         ad.u.net.netif = dev->name;
3320         ad.u.net.family = family;
3321
3322         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3323         if (err)
3324                 goto out;
3325
3326         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3327         if (err)
3328                 goto out;
3329         
3330         /* Fixme: this lookup is inefficient */
3331         err = security_node_sid(family, addrp, len, &node_sid);
3332         if (err)
3333                 goto out;
3334         
3335         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3336         if (err)
3337                 goto out;
3338
3339         if (recv_perm) {
3340                 u32 port_sid;
3341
3342                 /* Fixme: make this more efficient */
3343                 err = security_port_sid(sk->sk_family, sk->sk_type,
3344                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3345                                         &port_sid);
3346                 if (err)
3347                         goto out;
3348
3349                 err = avc_has_perm(sock_sid, port_sid,
3350                                    sock_class, recv_perm, &ad);
3351         }
3352 out:    
3353         return err;
3354 }
3355
3356 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3357                                      int __user *optlen, unsigned len)
3358 {
3359         int err = 0;
3360         char *scontext;
3361         u32 scontext_len;
3362         struct sk_security_struct *ssec;
3363         struct inode_security_struct *isec;
3364
3365         isec = SOCK_INODE(sock)->i_security;
3366         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3367                 err = -ENOPROTOOPT;
3368                 goto out;
3369         }
3370
3371         ssec = sock->sk->sk_security;
3372         
3373         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3374         if (err)
3375                 goto out;
3376
3377         if (scontext_len > len) {
3378                 err = -ERANGE;
3379                 goto out_len;
3380         }
3381
3382         if (copy_to_user(optval, scontext, scontext_len))
3383                 err = -EFAULT;
3384
3385 out_len:
3386         if (put_user(scontext_len, optlen))
3387                 err = -EFAULT;
3388
3389         kfree(scontext);
3390 out:    
3391         return err;
3392 }
3393
3394 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3395 {
3396         return sk_alloc_security(sk, family, priority);
3397 }
3398
3399 static void selinux_sk_free_security(struct sock *sk)
3400 {
3401         sk_free_security(sk);
3402 }
3403
3404 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3405 {
3406         int err = 0;
3407         u32 perm;
3408         struct nlmsghdr *nlh;
3409         struct socket *sock = sk->sk_socket;
3410         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3411         
3412         if (skb->len < NLMSG_SPACE(0)) {
3413                 err = -EINVAL;
3414                 goto out;
3415         }
3416         nlh = (struct nlmsghdr *)skb->data;
3417         
3418         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3419         if (err) {
3420                 if (err == -EINVAL) {
3421                         audit_log(current->audit_context,
3422                                   "SELinux:  unrecognized netlink message"
3423                                   " type=%hu for sclass=%hu\n",
3424                                   nlh->nlmsg_type, isec->sclass);
3425                         if (!selinux_enforcing)
3426                                 err = 0;
3427                 }
3428
3429                 /* Ignore */
3430                 if (err == -ENOENT)
3431                         err = 0;
3432                 goto out;
3433         }
3434
3435         err = socket_has_perm(current, sock, perm);
3436 out:
3437         return err;
3438 }
3439
3440 #ifdef CONFIG_NETFILTER
3441
3442 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3443                                               struct sk_buff **pskb,
3444                                               const struct net_device *in,
3445                                               const struct net_device *out,
3446                                               int (*okfn)(struct sk_buff *),
3447                                               u16 family)
3448 {
3449         char *addrp;
3450         int len, err = NF_ACCEPT;
3451         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3452         struct sock *sk;
3453         struct socket *sock;
3454         struct inode *inode;
3455         struct sk_buff *skb = *pskb;
3456         struct inode_security_struct *isec;
3457         struct avc_audit_data ad;
3458         struct net_device *dev = (struct net_device *)out;
3459         
3460         sk = skb->sk;
3461         if (!sk)
3462                 goto out;
3463                 
3464         sock = sk->sk_socket;
3465         if (!sock)
3466                 goto out;
3467                 
3468         inode = SOCK_INODE(sock);
3469         if (!inode)
3470                 goto out;
3471
3472         err = sel_netif_sids(dev, &if_sid, NULL);
3473         if (err)
3474                 goto out;
3475
3476         isec = inode->i_security;
3477         
3478         switch (isec->sclass) {
3479         case SECCLASS_UDP_SOCKET:
3480                 netif_perm = NETIF__UDP_SEND;
3481                 node_perm = NODE__UDP_SEND;
3482                 send_perm = UDP_SOCKET__SEND_MSG;
3483                 break;
3484         
3485         case SECCLASS_TCP_SOCKET:
3486                 netif_perm = NETIF__TCP_SEND;
3487                 node_perm = NODE__TCP_SEND;
3488                 send_perm = TCP_SOCKET__SEND_MSG;
3489                 break;
3490         
3491         default:
3492                 netif_perm = NETIF__RAWIP_SEND;
3493                 node_perm = NODE__RAWIP_SEND;
3494                 break;
3495         }
3496
3497
3498         AVC_AUDIT_DATA_INIT(&ad, NET);
3499         ad.u.net.netif = dev->name;
3500         ad.u.net.family = family;
3501
3502         err = selinux_parse_skb(skb, &ad, &addrp,
3503                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3504         if (err != NF_ACCEPT)
3505                 goto out;
3506
3507         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3508                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509         if (err != NF_ACCEPT)
3510                 goto out;
3511                 
3512         /* Fixme: this lookup is inefficient */
3513         err = security_node_sid(family, addrp, len,
3514                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3515         if (err != NF_ACCEPT)
3516                 goto out;
3517         
3518         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3519                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520         if (err != NF_ACCEPT)
3521                 goto out;
3522
3523         if (send_perm) {
3524                 u32 port_sid;
3525                 
3526                 /* Fixme: make this more efficient */
3527                 err = security_port_sid(sk->sk_family,
3528                                         sk->sk_type,
3529                                         sk->sk_protocol,
3530                                         ntohs(ad.u.net.dport),
3531                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3532                 if (err != NF_ACCEPT)
3533                         goto out;
3534
3535                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3536                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3537         }
3538
3539 out:
3540         return err;
3541 }
3542
3543 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3544                                                 struct sk_buff **pskb,
3545                                                 const struct net_device *in,
3546                                                 const struct net_device *out,
3547                                                 int (*okfn)(struct sk_buff *))
3548 {
3549         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3550 }
3551
3552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553
3554 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3555                                                 struct sk_buff **pskb,
3556                                                 const struct net_device *in,
3557                                                 const struct net_device *out,
3558                                                 int (*okfn)(struct sk_buff *))
3559 {
3560         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3561 }
3562
3563 #endif  /* IPV6 */
3564
3565 #endif  /* CONFIG_NETFILTER */
3566
3567 #else
3568
3569 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3570 {
3571         return 0;
3572 }
3573
3574 #endif  /* CONFIG_SECURITY_NETWORK */
3575
3576 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3577 {
3578         struct task_security_struct *tsec;
3579         struct av_decision avd;
3580         int err;
3581
3582         err = secondary_ops->netlink_send(sk, skb);
3583         if (err)
3584                 return err;
3585
3586         tsec = current->security;
3587
3588         avd.allowed = 0;
3589         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3590                                 SECCLASS_CAPABILITY, ~0, &avd);
3591         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3592
3593         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3594                 err = selinux_nlmsg_perm(sk, skb);
3595
3596         return err;
3597 }
3598
3599 static int selinux_netlink_recv(struct sk_buff *skb)
3600 {
3601         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3602                 return -EPERM;
3603         return 0;
3604 }
3605
3606 static int ipc_alloc_security(struct task_struct *task,
3607                               struct kern_ipc_perm *perm,
3608                               u16 sclass)
3609 {
3610         struct task_security_struct *tsec = task->security;
3611         struct ipc_security_struct *isec;
3612
3613         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3614         if (!isec)
3615                 return -ENOMEM;
3616
3617         memset(isec, 0, sizeof(struct ipc_security_struct));
3618         isec->magic = SELINUX_MAGIC;
3619         isec->sclass = sclass;
3620         isec->ipc_perm = perm;
3621         if (tsec) {
3622                 isec->sid = tsec->sid;
3623         } else {
3624                 isec->sid = SECINITSID_UNLABELED;
3625         }
3626         perm->security = isec;
3627
3628         return 0;
3629 }
3630
3631 static void ipc_free_security(struct kern_ipc_perm *perm)
3632 {
3633         struct ipc_security_struct *isec = perm->security;
3634         if (!isec || isec->magic != SELINUX_MAGIC)
3635                 return;
3636
3637         perm->security = NULL;
3638         kfree(isec);
3639 }
3640
3641 static int msg_msg_alloc_security(struct msg_msg *msg)
3642 {
3643         struct msg_security_struct *msec;
3644
3645         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3646         if (!msec)
3647                 return -ENOMEM;
3648
3649         memset(msec, 0, sizeof(struct msg_security_struct));
3650         msec->magic = SELINUX_MAGIC;
3651         msec->msg = msg;
3652         msec->sid = SECINITSID_UNLABELED;
3653         msg->security = msec;
3654
3655         return 0;
3656 }
3657
3658 static void msg_msg_free_security(struct msg_msg *msg)
3659 {
3660         struct msg_security_struct *msec = msg->security;
3661         if (!msec || msec->magic != SELINUX_MAGIC)
3662                 return;
3663
3664         msg->security = NULL;
3665         kfree(msec);
3666 }
3667
3668 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3669                         u16 sclass, u32 perms)
3670 {
3671         struct task_security_struct *tsec;
3672         struct ipc_security_struct *isec;
3673         struct avc_audit_data ad;
3674
3675         tsec = current->security;
3676         isec = ipc_perms->security;
3677
3678         AVC_AUDIT_DATA_INIT(&ad, IPC);
3679         ad.u.ipc_id = ipc_perms->key;
3680
3681         return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad);
3682 }
3683
3684 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3685 {
3686         return msg_msg_alloc_security(msg);
3687 }
3688
3689 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3690 {
3691         msg_msg_free_security(msg);
3692 }
3693
3694 /* message queue security operations */
3695 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3696 {
3697         struct task_security_struct *tsec;
3698         struct ipc_security_struct *isec;
3699         struct avc_audit_data ad;
3700         int rc;
3701
3702         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3703         if (rc)
3704                 return rc;
3705
3706         tsec = current->security;
3707         isec = msq->q_perm.security;
3708
3709         AVC_AUDIT_DATA_INIT(&ad, IPC);
3710         ad.u.ipc_id = msq->q_perm.key;
3711
3712         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3713                           MSGQ__CREATE, &ad);
3714         if (rc) {
3715                 ipc_free_security(&msq->q_perm);
3716                 return rc;
3717         }
3718         return 0;
3719 }
3720
3721 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3722 {
3723         ipc_free_security(&msq->q_perm);
3724 }
3725
3726 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3727 {
3728         struct task_security_struct *tsec;
3729         struct ipc_security_struct *isec;
3730         struct avc_audit_data ad;
3731
3732         tsec = current->security;
3733         isec = msq->q_perm.security;
3734
3735         AVC_AUDIT_DATA_INIT(&ad, IPC);
3736         ad.u.ipc_id = msq->q_perm.key;
3737
3738         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3739                             MSGQ__ASSOCIATE, &ad);
3740 }
3741
3742 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3743 {
3744         int err;
3745         int perms;
3746
3747         switch(cmd) {
3748         case IPC_INFO:
3749         case MSG_INFO:
3750                 /* No specific object, just general system-wide information. */
3751                 return task_has_system(current, SYSTEM__IPC_INFO);
3752         case IPC_STAT:
3753         case MSG_STAT:
3754                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3755                 break;
3756         case IPC_SET:
3757                 perms = MSGQ__SETATTR;
3758                 break;
3759         case IPC_RMID:
3760                 perms = MSGQ__DESTROY;
3761                 break;
3762         default:
3763                 return 0;
3764         }
3765
3766         err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3767         return err;
3768 }
3769
3770 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3771 {
3772         struct task_security_struct *tsec;
3773         struct ipc_security_struct *isec;
3774         struct msg_security_struct *msec;
3775         struct avc_audit_data ad;
3776         int rc;
3777
3778         tsec = current->security;
3779         isec = msq->q_perm.security;
3780         msec = msg->security;
3781
3782         /*
3783          * First time through, need to assign label to the message
3784          */
3785         if (msec->sid == SECINITSID_UNLABELED) {
3786                 /*
3787                  * Compute new sid based on current process and
3788                  * message queue this message will be stored in
3789                  */
3790                 rc = security_transition_sid(tsec->sid,
3791                                              isec->sid,
3792                                              SECCLASS_MSG,
3793                                              &msec->sid);
3794                 if (rc)
3795                         return rc;
3796         }
3797
3798         AVC_AUDIT_DATA_INIT(&ad, IPC);
3799         ad.u.ipc_id = msq->q_perm.key;
3800
3801         /* Can this process write to the queue? */
3802         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3803                           MSGQ__WRITE, &ad);
3804         if (!rc)
3805                 /* Can this process send the message */
3806                 rc = avc_has_perm(tsec->sid, msec->sid,
3807                                   SECCLASS_MSG, MSG__SEND, &ad);
3808         if (!rc)
3809                 /* Can the message be put in the queue? */
3810                 rc = avc_has_perm(msec->sid, isec->sid,
3811                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3812
3813         return rc;
3814 }
3815
3816 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3817                                     struct task_struct *target,
3818                                     long type, int mode)
3819 {
3820         struct task_security_struct *tsec;
3821         struct ipc_security_struct *isec;
3822         struct msg_security_struct *msec;
3823         struct avc_audit_data ad;
3824         int rc;
3825