Merge master.kernel.org:/pub/scm/linux/kernel/git/dwmw2/audit-2.6
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         memset(tsec, 0, sizeof(struct task_security_struct));
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         memset(isec, 0, sizeof(struct inode_security_struct));
159         init_MUTEX(&isec->sem);
160         INIT_LIST_HEAD(&isec->list);
161         isec->magic = SELINUX_MAGIC;
162         isec->inode = inode;
163         isec->sid = SECINITSID_UNLABELED;
164         isec->sclass = SECCLASS_FILE;
165         if (tsec && tsec->magic == SELINUX_MAGIC)
166                 isec->task_sid = tsec->sid;
167         else
168                 isec->task_sid = SECINITSID_UNLABELED;
169         inode->i_security = isec;
170
171         return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176         struct inode_security_struct *isec = inode->i_security;
177         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179         if (!isec || isec->magic != SELINUX_MAGIC)
180                 return;
181
182         spin_lock(&sbsec->isec_lock);
183         if (!list_empty(&isec->list))
184                 list_del_init(&isec->list);
185         spin_unlock(&sbsec->isec_lock);
186
187         inode->i_security = NULL;
188         kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193         struct task_security_struct *tsec = current->security;
194         struct file_security_struct *fsec;
195
196         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197         if (!fsec)
198                 return -ENOMEM;
199
200         memset(fsec, 0, sizeof(struct file_security_struct));
201         fsec->magic = SELINUX_MAGIC;
202         fsec->file = file;
203         if (tsec && tsec->magic == SELINUX_MAGIC) {
204                 fsec->sid = tsec->sid;
205                 fsec->fown_sid = tsec->sid;
206         } else {
207                 fsec->sid = SECINITSID_UNLABELED;
208                 fsec->fown_sid = SECINITSID_UNLABELED;
209         }
210         file->f_security = fsec;
211
212         return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217         struct file_security_struct *fsec = file->f_security;
218
219         if (!fsec || fsec->magic != SELINUX_MAGIC)
220                 return;
221
222         file->f_security = NULL;
223         kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228         struct superblock_security_struct *sbsec;
229
230         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231         if (!sbsec)
232                 return -ENOMEM;
233
234         memset(sbsec, 0, sizeof(struct superblock_security_struct));
235         init_MUTEX(&sbsec->sem);
236         INIT_LIST_HEAD(&sbsec->list);
237         INIT_LIST_HEAD(&sbsec->isec_head);
238         spin_lock_init(&sbsec->isec_lock);
239         sbsec->magic = SELINUX_MAGIC;
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253                 return;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267         struct sk_security_struct *ssec;
268
269         if (family != PF_UNIX)
270                 return 0;
271
272         ssec = kmalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         memset(ssec, 0, sizeof(*ssec));
277         ssec->magic = SELINUX_MAGIC;
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295 #endif  /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 {
635         switch (family) {
636         case PF_UNIX:
637                 switch (type) {
638                 case SOCK_STREAM:
639                 case SOCK_SEQPACKET:
640                         return SECCLASS_UNIX_STREAM_SOCKET;
641                 case SOCK_DGRAM:
642                         return SECCLASS_UNIX_DGRAM_SOCKET;
643                 }
644                 break;
645         case PF_INET:
646         case PF_INET6:
647                 switch (type) {
648                 case SOCK_STREAM:
649                         return SECCLASS_TCP_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UDP_SOCKET;
652                 case SOCK_RAW:
653                         return SECCLASS_RAWIP_SOCKET;
654                 }
655                 break;
656         case PF_NETLINK:
657                 switch (protocol) {
658                 case NETLINK_ROUTE:
659                         return SECCLASS_NETLINK_ROUTE_SOCKET;
660                 case NETLINK_FIREWALL:
661                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
662                 case NETLINK_INET_DIAG:
663                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664                 case NETLINK_NFLOG:
665                         return SECCLASS_NETLINK_NFLOG_SOCKET;
666                 case NETLINK_XFRM:
667                         return SECCLASS_NETLINK_XFRM_SOCKET;
668                 case NETLINK_SELINUX:
669                         return SECCLASS_NETLINK_SELINUX_SOCKET;
670                 case NETLINK_AUDIT:
671                         return SECCLASS_NETLINK_AUDIT_SOCKET;
672                 case NETLINK_IP6_FW:
673                         return SECCLASS_NETLINK_IP6FW_SOCKET;
674                 case NETLINK_DNRTMSG:
675                         return SECCLASS_NETLINK_DNRT_SOCKET;
676                 case NETLINK_KOBJECT_UEVENT:
677                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
678                 default:
679                         return SECCLASS_NETLINK_SOCKET;
680                 }
681         case PF_PACKET:
682                 return SECCLASS_PACKET_SOCKET;
683         case PF_KEY:
684                 return SECCLASS_KEY_SOCKET;
685         }
686
687         return SECCLASS_SOCKET;
688 }
689
690 #ifdef CONFIG_PROC_FS
691 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692                                 u16 tclass,
693                                 u32 *sid)
694 {
695         int buflen, rc;
696         char *buffer, *path, *end;
697
698         buffer = (char*)__get_free_page(GFP_KERNEL);
699         if (!buffer)
700                 return -ENOMEM;
701
702         buflen = PAGE_SIZE;
703         end = buffer+buflen;
704         *--end = '\0';
705         buflen--;
706         path = end-1;
707         *path = '/';
708         while (de && de != de->parent) {
709                 buflen -= de->namelen + 1;
710                 if (buflen < 0)
711                         break;
712                 end -= de->namelen;
713                 memcpy(end, de->name, de->namelen);
714                 *--end = '/';
715                 path = end;
716                 de = de->parent;
717         }
718         rc = security_genfs_sid("proc", path, tclass, sid);
719         free_page((unsigned long)buffer);
720         return rc;
721 }
722 #else
723 static int selinux_proc_get_sid(struct proc_dir_entry *de,
724                                 u16 tclass,
725                                 u32 *sid)
726 {
727         return -EINVAL;
728 }
729 #endif
730
731 /* The inode's security attributes must be initialized before first use. */
732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
733 {
734         struct superblock_security_struct *sbsec = NULL;
735         struct inode_security_struct *isec = inode->i_security;
736         u32 sid;
737         struct dentry *dentry;
738 #define INITCONTEXTLEN 255
739         char *context = NULL;
740         unsigned len = 0;
741         int rc = 0;
742         int hold_sem = 0;
743
744         if (isec->initialized)
745                 goto out;
746
747         down(&isec->sem);
748         hold_sem = 1;
749         if (isec->initialized)
750                 goto out;
751
752         sbsec = inode->i_sb->s_security;
753         if (!sbsec->initialized) {
754                 /* Defer initialization until selinux_complete_init,
755                    after the initial policy is loaded and the security
756                    server is ready to handle calls. */
757                 spin_lock(&sbsec->isec_lock);
758                 if (list_empty(&isec->list))
759                         list_add(&isec->list, &sbsec->isec_head);
760                 spin_unlock(&sbsec->isec_lock);
761                 goto out;
762         }
763
764         switch (sbsec->behavior) {
765         case SECURITY_FS_USE_XATTR:
766                 if (!inode->i_op->getxattr) {
767                         isec->sid = sbsec->def_sid;
768                         break;
769                 }
770
771                 /* Need a dentry, since the xattr API requires one.
772                    Life would be simpler if we could just pass the inode. */
773                 if (opt_dentry) {
774                         /* Called from d_instantiate or d_splice_alias. */
775                         dentry = dget(opt_dentry);
776                 } else {
777                         /* Called from selinux_complete_init, try to find a dentry. */
778                         dentry = d_find_alias(inode);
779                 }
780                 if (!dentry) {
781                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
782                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783                                inode->i_ino);
784                         goto out;
785                 }
786
787                 len = INITCONTEXTLEN;
788                 context = kmalloc(len, GFP_KERNEL);
789                 if (!context) {
790                         rc = -ENOMEM;
791                         dput(dentry);
792                         goto out;
793                 }
794                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
795                                            context, len);
796                 if (rc == -ERANGE) {
797                         /* Need a larger buffer.  Query for the right size. */
798                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
799                                                    NULL, 0);
800                         if (rc < 0) {
801                                 dput(dentry);
802                                 goto out;
803                         }
804                         kfree(context);
805                         len = rc;
806                         context = kmalloc(len, GFP_KERNEL);
807                         if (!context) {
808                                 rc = -ENOMEM;
809                                 dput(dentry);
810                                 goto out;
811                         }
812                         rc = inode->i_op->getxattr(dentry,
813                                                    XATTR_NAME_SELINUX,
814                                                    context, len);
815                 }
816                 dput(dentry);
817                 if (rc < 0) {
818                         if (rc != -ENODATA) {
819                                 printk(KERN_WARNING "%s:  getxattr returned "
820                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
821                                        -rc, inode->i_sb->s_id, inode->i_ino);
822                                 kfree(context);
823                                 goto out;
824                         }
825                         /* Map ENODATA to the default file SID */
826                         sid = sbsec->def_sid;
827                         rc = 0;
828                 } else {
829                         rc = security_context_to_sid_default(context, rc, &sid,
830                                                              sbsec->def_sid);
831                         if (rc) {
832                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
833                                        "returned %d for dev=%s ino=%ld\n",
834                                        __FUNCTION__, context, -rc,
835                                        inode->i_sb->s_id, inode->i_ino);
836                                 kfree(context);
837                                 /* Leave with the unlabeled SID */
838                                 rc = 0;
839                                 break;
840                         }
841                 }
842                 kfree(context);
843                 isec->sid = sid;
844                 break;
845         case SECURITY_FS_USE_TASK:
846                 isec->sid = isec->task_sid;
847                 break;
848         case SECURITY_FS_USE_TRANS:
849                 /* Default to the fs SID. */
850                 isec->sid = sbsec->sid;
851
852                 /* Try to obtain a transition SID. */
853                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
854                 rc = security_transition_sid(isec->task_sid,
855                                              sbsec->sid,
856                                              isec->sclass,
857                                              &sid);
858                 if (rc)
859                         goto out;
860                 isec->sid = sid;
861                 break;
862         default:
863                 /* Default to the fs SID. */
864                 isec->sid = sbsec->sid;
865
866                 if (sbsec->proc) {
867                         struct proc_inode *proci = PROC_I(inode);
868                         if (proci->pde) {
869                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870                                 rc = selinux_proc_get_sid(proci->pde,
871                                                           isec->sclass,
872                                                           &sid);
873                                 if (rc)
874                                         goto out;
875                                 isec->sid = sid;
876                         }
877                 }
878                 break;
879         }
880
881         isec->initialized = 1;
882
883 out:
884         if (isec->sclass == SECCLASS_FILE)
885                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886
887         if (hold_sem)
888                 up(&isec->sem);
889         return rc;
890 }
891
892 /* Convert a Linux signal to an access vector. */
893 static inline u32 signal_to_av(int sig)
894 {
895         u32 perm = 0;
896
897         switch (sig) {
898         case SIGCHLD:
899                 /* Commonly granted from child to parent. */
900                 perm = PROCESS__SIGCHLD;
901                 break;
902         case SIGKILL:
903                 /* Cannot be caught or ignored */
904                 perm = PROCESS__SIGKILL;
905                 break;
906         case SIGSTOP:
907                 /* Cannot be caught or ignored */
908                 perm = PROCESS__SIGSTOP;
909                 break;
910         default:
911                 /* All other signals. */
912                 perm = PROCESS__SIGNAL;
913                 break;
914         }
915
916         return perm;
917 }
918
919 /* Check permission betweeen a pair of tasks, e.g. signal checks,
920    fork check, ptrace check, etc. */
921 static int task_has_perm(struct task_struct *tsk1,
922                          struct task_struct *tsk2,
923                          u32 perms)
924 {
925         struct task_security_struct *tsec1, *tsec2;
926
927         tsec1 = tsk1->security;
928         tsec2 = tsk2->security;
929         return avc_has_perm(tsec1->sid, tsec2->sid,
930                             SECCLASS_PROCESS, perms, NULL);
931 }
932
933 /* Check whether a task is allowed to use a capability. */
934 static int task_has_capability(struct task_struct *tsk,
935                                int cap)
936 {
937         struct task_security_struct *tsec;
938         struct avc_audit_data ad;
939
940         tsec = tsk->security;
941
942         AVC_AUDIT_DATA_INIT(&ad,CAP);
943         ad.tsk = tsk;
944         ad.u.cap = cap;
945
946         return avc_has_perm(tsec->sid, tsec->sid,
947                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
948 }
949
950 /* Check whether a task is allowed to use a system operation. */
951 static int task_has_system(struct task_struct *tsk,
952                            u32 perms)
953 {
954         struct task_security_struct *tsec;
955
956         tsec = tsk->security;
957
958         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
959                             SECCLASS_SYSTEM, perms, NULL);
960 }
961
962 /* Check whether a task has a particular permission to an inode.
963    The 'adp' parameter is optional and allows other audit
964    data to be passed (e.g. the dentry). */
965 static int inode_has_perm(struct task_struct *tsk,
966                           struct inode *inode,
967                           u32 perms,
968                           struct avc_audit_data *adp)
969 {
970         struct task_security_struct *tsec;
971         struct inode_security_struct *isec;
972         struct avc_audit_data ad;
973
974         tsec = tsk->security;
975         isec = inode->i_security;
976
977         if (!adp) {
978                 adp = &ad;
979                 AVC_AUDIT_DATA_INIT(&ad, FS);
980                 ad.u.fs.inode = inode;
981         }
982
983         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
984 }
985
986 /* Same as inode_has_perm, but pass explicit audit data containing
987    the dentry to help the auditing code to more easily generate the
988    pathname if needed. */
989 static inline int dentry_has_perm(struct task_struct *tsk,
990                                   struct vfsmount *mnt,
991                                   struct dentry *dentry,
992                                   u32 av)
993 {
994         struct inode *inode = dentry->d_inode;
995         struct avc_audit_data ad;
996         AVC_AUDIT_DATA_INIT(&ad,FS);
997         ad.u.fs.mnt = mnt;
998         ad.u.fs.dentry = dentry;
999         return inode_has_perm(tsk, inode, av, &ad);
1000 }
1001
1002 /* Check whether a task can use an open file descriptor to
1003    access an inode in a given way.  Check access to the
1004    descriptor itself, and then use dentry_has_perm to
1005    check a particular permission to the file.
1006    Access to the descriptor is implicitly granted if it
1007    has the same SID as the process.  If av is zero, then
1008    access to the file is not checked, e.g. for cases
1009    where only the descriptor is affected like seek. */
1010 static inline int file_has_perm(struct task_struct *tsk,
1011                                 struct file *file,
1012                                 u32 av)
1013 {
1014         struct task_security_struct *tsec = tsk->security;
1015         struct file_security_struct *fsec = file->f_security;
1016         struct vfsmount *mnt = file->f_vfsmnt;
1017         struct dentry *dentry = file->f_dentry;
1018         struct inode *inode = dentry->d_inode;
1019         struct avc_audit_data ad;
1020         int rc;
1021
1022         AVC_AUDIT_DATA_INIT(&ad, FS);
1023         ad.u.fs.mnt = mnt;
1024         ad.u.fs.dentry = dentry;
1025
1026         if (tsec->sid != fsec->sid) {
1027                 rc = avc_has_perm(tsec->sid, fsec->sid,
1028                                   SECCLASS_FD,
1029                                   FD__USE,
1030                                   &ad);
1031                 if (rc)
1032                         return rc;
1033         }
1034
1035         /* av is zero if only checking access to the descriptor. */
1036         if (av)
1037                 return inode_has_perm(tsk, inode, av, &ad);
1038
1039         return 0;
1040 }
1041
1042 /* Check whether a task can create a file. */
1043 static int may_create(struct inode *dir,
1044                       struct dentry *dentry,
1045                       u16 tclass)
1046 {
1047         struct task_security_struct *tsec;
1048         struct inode_security_struct *dsec;
1049         struct superblock_security_struct *sbsec;
1050         u32 newsid;
1051         struct avc_audit_data ad;
1052         int rc;
1053
1054         tsec = current->security;
1055         dsec = dir->i_security;
1056         sbsec = dir->i_sb->s_security;
1057
1058         AVC_AUDIT_DATA_INIT(&ad, FS);
1059         ad.u.fs.dentry = dentry;
1060
1061         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1062                           DIR__ADD_NAME | DIR__SEARCH,
1063                           &ad);
1064         if (rc)
1065                 return rc;
1066
1067         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1068                 newsid = tsec->create_sid;
1069         } else {
1070                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1071                                              &newsid);
1072                 if (rc)
1073                         return rc;
1074         }
1075
1076         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1077         if (rc)
1078                 return rc;
1079
1080         return avc_has_perm(newsid, sbsec->sid,
1081                             SECCLASS_FILESYSTEM,
1082                             FILESYSTEM__ASSOCIATE, &ad);
1083 }
1084
1085 #define MAY_LINK   0
1086 #define MAY_UNLINK 1
1087 #define MAY_RMDIR  2
1088
1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1090 static int may_link(struct inode *dir,
1091                     struct dentry *dentry,
1092                     int kind)
1093
1094 {
1095         struct task_security_struct *tsec;
1096         struct inode_security_struct *dsec, *isec;
1097         struct avc_audit_data ad;
1098         u32 av;
1099         int rc;
1100
1101         tsec = current->security;
1102         dsec = dir->i_security;
1103         isec = dentry->d_inode->i_security;
1104
1105         AVC_AUDIT_DATA_INIT(&ad, FS);
1106         ad.u.fs.dentry = dentry;
1107
1108         av = DIR__SEARCH;
1109         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1110         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111         if (rc)
1112                 return rc;
1113
1114         switch (kind) {
1115         case MAY_LINK:
1116                 av = FILE__LINK;
1117                 break;
1118         case MAY_UNLINK:
1119                 av = FILE__UNLINK;
1120                 break;
1121         case MAY_RMDIR:
1122                 av = DIR__RMDIR;
1123                 break;
1124         default:
1125                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1126                 return 0;
1127         }
1128
1129         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1130         return rc;
1131 }
1132
1133 static inline int may_rename(struct inode *old_dir,
1134                              struct dentry *old_dentry,
1135                              struct inode *new_dir,
1136                              struct dentry *new_dentry)
1137 {
1138         struct task_security_struct *tsec;
1139         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1140         struct avc_audit_data ad;
1141         u32 av;
1142         int old_is_dir, new_is_dir;
1143         int rc;
1144
1145         tsec = current->security;
1146         old_dsec = old_dir->i_security;
1147         old_isec = old_dentry->d_inode->i_security;
1148         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1149         new_dsec = new_dir->i_security;
1150
1151         AVC_AUDIT_DATA_INIT(&ad, FS);
1152
1153         ad.u.fs.dentry = old_dentry;
1154         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1155                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1156         if (rc)
1157                 return rc;
1158         rc = avc_has_perm(tsec->sid, old_isec->sid,
1159                           old_isec->sclass, FILE__RENAME, &ad);
1160         if (rc)
1161                 return rc;
1162         if (old_is_dir && new_dir != old_dir) {
1163                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1164                                   old_isec->sclass, DIR__REPARENT, &ad);
1165                 if (rc)
1166                         return rc;
1167         }
1168
1169         ad.u.fs.dentry = new_dentry;
1170         av = DIR__ADD_NAME | DIR__SEARCH;
1171         if (new_dentry->d_inode)
1172                 av |= DIR__REMOVE_NAME;
1173         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1174         if (rc)
1175                 return rc;
1176         if (new_dentry->d_inode) {
1177                 new_isec = new_dentry->d_inode->i_security;
1178                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1179                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180                                   new_isec->sclass,
1181                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         return 0;
1187 }
1188
1189 /* Check whether a task can perform a filesystem operation. */
1190 static int superblock_has_perm(struct task_struct *tsk,
1191                                struct super_block *sb,
1192                                u32 perms,
1193                                struct avc_audit_data *ad)
1194 {
1195         struct task_security_struct *tsec;
1196         struct superblock_security_struct *sbsec;
1197
1198         tsec = tsk->security;
1199         sbsec = sb->s_security;
1200         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1201                             perms, ad);
1202 }
1203
1204 /* Convert a Linux mode and permission mask to an access vector. */
1205 static inline u32 file_mask_to_av(int mode, int mask)
1206 {
1207         u32 av = 0;
1208
1209         if ((mode & S_IFMT) != S_IFDIR) {
1210                 if (mask & MAY_EXEC)
1211                         av |= FILE__EXECUTE;
1212                 if (mask & MAY_READ)
1213                         av |= FILE__READ;
1214
1215                 if (mask & MAY_APPEND)
1216                         av |= FILE__APPEND;
1217                 else if (mask & MAY_WRITE)
1218                         av |= FILE__WRITE;
1219
1220         } else {
1221                 if (mask & MAY_EXEC)
1222                         av |= DIR__SEARCH;
1223                 if (mask & MAY_WRITE)
1224                         av |= DIR__WRITE;
1225                 if (mask & MAY_READ)
1226                         av |= DIR__READ;
1227         }
1228
1229         return av;
1230 }
1231
1232 /* Convert a Linux file to an access vector. */
1233 static inline u32 file_to_av(struct file *file)
1234 {
1235         u32 av = 0;
1236
1237         if (file->f_mode & FMODE_READ)
1238                 av |= FILE__READ;
1239         if (file->f_mode & FMODE_WRITE) {
1240                 if (file->f_flags & O_APPEND)
1241                         av |= FILE__APPEND;
1242                 else
1243                         av |= FILE__WRITE;
1244         }
1245
1246         return av;
1247 }
1248
1249 /* Set an inode's SID to a specified value. */
1250 static int inode_security_set_sid(struct inode *inode, u32 sid)
1251 {
1252         struct inode_security_struct *isec = inode->i_security;
1253         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254
1255         if (!sbsec->initialized) {
1256                 /* Defer initialization to selinux_complete_init. */
1257                 return 0;
1258         }
1259
1260         down(&isec->sem);
1261         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262         isec->sid = sid;
1263         isec->initialized = 1;
1264         up(&isec->sem);
1265         return 0;
1266 }
1267
1268 /* Hook functions begin here. */
1269
1270 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1271 {
1272         struct task_security_struct *psec = parent->security;
1273         struct task_security_struct *csec = child->security;
1274         int rc;
1275
1276         rc = secondary_ops->ptrace(parent,child);
1277         if (rc)
1278                 return rc;
1279
1280         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1281         /* Save the SID of the tracing process for later use in apply_creds. */
1282         if (!rc)
1283                 csec->ptrace_sid = psec->sid;
1284         return rc;
1285 }
1286
1287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1288                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1289 {
1290         int error;
1291
1292         error = task_has_perm(current, target, PROCESS__GETCAP);
1293         if (error)
1294                 return error;
1295
1296         return secondary_ops->capget(target, effective, inheritable, permitted);
1297 }
1298
1299 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1300                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1305         if (error)
1306                 return error;
1307
1308         return task_has_perm(current, target, PROCESS__SETCAP);
1309 }
1310
1311 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1312                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         secondary_ops->capset_set(target, effective, inheritable, permitted);
1315 }
1316
1317 static int selinux_capable(struct task_struct *tsk, int cap)
1318 {
1319         int rc;
1320
1321         rc = secondary_ops->capable(tsk, cap);
1322         if (rc)
1323                 return rc;
1324
1325         return task_has_capability(tsk,cap);
1326 }
1327
1328 static int selinux_sysctl(ctl_table *table, int op)
1329 {
1330         int error = 0;
1331         u32 av;
1332         struct task_security_struct *tsec;
1333         u32 tsid;
1334         int rc;
1335
1336         rc = secondary_ops->sysctl(table, op);
1337         if (rc)
1338                 return rc;
1339
1340         tsec = current->security;
1341
1342         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1343                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1344         if (rc) {
1345                 /* Default to the well-defined sysctl SID. */
1346                 tsid = SECINITSID_SYSCTL;
1347         }
1348
1349         /* The op values are "defined" in sysctl.c, thereby creating
1350          * a bad coupling between this module and sysctl.c */
1351         if(op == 001) {
1352                 error = avc_has_perm(tsec->sid, tsid,
1353                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1354         } else {
1355                 av = 0;
1356                 if (op & 004)
1357                         av |= FILE__READ;
1358                 if (op & 002)
1359                         av |= FILE__WRITE;
1360                 if (av)
1361                         error = avc_has_perm(tsec->sid, tsid,
1362                                              SECCLASS_FILE, av, NULL);
1363         }
1364
1365         return error;
1366 }
1367
1368 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1369 {
1370         int rc = 0;
1371
1372         if (!sb)
1373                 return 0;
1374
1375         switch (cmds) {
1376                 case Q_SYNC:
1377                 case Q_QUOTAON:
1378                 case Q_QUOTAOFF:
1379                 case Q_SETINFO:
1380                 case Q_SETQUOTA:
1381                         rc = superblock_has_perm(current,
1382                                                  sb,
1383                                                  FILESYSTEM__QUOTAMOD, NULL);
1384                         break;
1385                 case Q_GETFMT:
1386                 case Q_GETINFO:
1387                 case Q_GETQUOTA:
1388                         rc = superblock_has_perm(current,
1389                                                  sb,
1390                                                  FILESYSTEM__QUOTAGET, NULL);
1391                         break;
1392                 default:
1393                         rc = 0;  /* let the kernel handle invalid cmds */
1394                         break;
1395         }
1396         return rc;
1397 }
1398
1399 static int selinux_quota_on(struct dentry *dentry)
1400 {
1401         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1402 }
1403
1404 static int selinux_syslog(int type)
1405 {
1406         int rc;
1407
1408         rc = secondary_ops->syslog(type);
1409         if (rc)
1410                 return rc;
1411
1412         switch (type) {
1413                 case 3:         /* Read last kernel messages */
1414                 case 10:        /* Return size of the log buffer */
1415                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1416                         break;
1417                 case 6:         /* Disable logging to console */
1418                 case 7:         /* Enable logging to console */
1419                 case 8:         /* Set level of messages printed to console */
1420                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1421                         break;
1422                 case 0:         /* Close log */
1423                 case 1:         /* Open log */
1424                 case 2:         /* Read from log */
1425                 case 4:         /* Read/clear last kernel messages */
1426                 case 5:         /* Clear ring buffer */
1427                 default:
1428                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1429                         break;
1430         }
1431         return rc;
1432 }
1433
1434 /*
1435  * Check that a process has enough memory to allocate a new virtual
1436  * mapping. 0 means there is enough memory for the allocation to
1437  * succeed and -ENOMEM implies there is not.
1438  *
1439  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1440  * if the capability is granted, but __vm_enough_memory requires 1 if
1441  * the capability is granted.
1442  *
1443  * Do not audit the selinux permission check, as this is applied to all
1444  * processes that allocate mappings.
1445  */
1446 static int selinux_vm_enough_memory(long pages)
1447 {
1448         int rc, cap_sys_admin = 0;
1449         struct task_security_struct *tsec = current->security;
1450
1451         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1452         if (rc == 0)
1453                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1454                                         SECCLASS_CAPABILITY,
1455                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1456                                         NULL);
1457
1458         if (rc == 0)
1459                 cap_sys_admin = 1;
1460
1461         return __vm_enough_memory(pages, cap_sys_admin);
1462 }
1463
1464 /* binprm security operations */
1465
1466 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1467 {
1468         struct bprm_security_struct *bsec;
1469
1470         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1471         if (!bsec)
1472                 return -ENOMEM;
1473
1474         memset(bsec, 0, sizeof *bsec);
1475         bsec->magic = SELINUX_MAGIC;
1476         bsec->bprm = bprm;
1477         bsec->sid = SECINITSID_UNLABELED;
1478         bsec->set = 0;
1479
1480         bprm->security = bsec;
1481         return 0;
1482 }
1483
1484 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1485 {
1486         struct task_security_struct *tsec;
1487         struct inode *inode = bprm->file->f_dentry->d_inode;
1488         struct inode_security_struct *isec;
1489         struct bprm_security_struct *bsec;
1490         u32 newsid;
1491         struct avc_audit_data ad;
1492         int rc;
1493
1494         rc = secondary_ops->bprm_set_security(bprm);
1495         if (rc)
1496                 return rc;
1497
1498         bsec = bprm->security;
1499
1500         if (bsec->set)
1501                 return 0;
1502
1503         tsec = current->security;
1504         isec = inode->i_security;
1505
1506         /* Default to the current task SID. */
1507         bsec->sid = tsec->sid;
1508
1509         /* Reset create SID on execve. */
1510         tsec->create_sid = 0;
1511
1512         if (tsec->exec_sid) {
1513                 newsid = tsec->exec_sid;
1514                 /* Reset exec SID on execve. */
1515                 tsec->exec_sid = 0;
1516         } else {
1517                 /* Check for a default transition on this program. */
1518                 rc = security_transition_sid(tsec->sid, isec->sid,
1519                                              SECCLASS_PROCESS, &newsid);
1520                 if (rc)
1521                         return rc;
1522         }
1523
1524         AVC_AUDIT_DATA_INIT(&ad, FS);
1525         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1526         ad.u.fs.dentry = bprm->file->f_dentry;
1527
1528         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1529                 newsid = tsec->sid;
1530
1531         if (tsec->sid == newsid) {
1532                 rc = avc_has_perm(tsec->sid, isec->sid,
1533                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1534                 if (rc)
1535                         return rc;
1536         } else {
1537                 /* Check permissions for the transition. */
1538                 rc = avc_has_perm(tsec->sid, newsid,
1539                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1540                 if (rc)
1541                         return rc;
1542
1543                 rc = avc_has_perm(newsid, isec->sid,
1544                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1545                 if (rc)
1546                         return rc;
1547
1548                 /* Clear any possibly unsafe personality bits on exec: */
1549                 current->personality &= ~PER_CLEAR_ON_SETID;
1550
1551                 /* Set the security field to the new SID. */
1552                 bsec->sid = newsid;
1553         }
1554
1555         bsec->set = 1;
1556         return 0;
1557 }
1558
1559 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1560 {
1561         return secondary_ops->bprm_check_security(bprm);
1562 }
1563
1564
1565 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1566 {
1567         struct task_security_struct *tsec = current->security;
1568         int atsecure = 0;
1569
1570         if (tsec->osid != tsec->sid) {
1571                 /* Enable secure mode for SIDs transitions unless
1572                    the noatsecure permission is granted between
1573                    the two SIDs, i.e. ahp returns 0. */
1574                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1575                                          SECCLASS_PROCESS,
1576                                          PROCESS__NOATSECURE, NULL);
1577         }
1578
1579         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1580 }
1581
1582 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1583 {
1584         kfree(bprm->security);
1585         bprm->security = NULL;
1586 }
1587
1588 extern struct vfsmount *selinuxfs_mount;
1589 extern struct dentry *selinux_null;
1590
1591 /* Derived from fs/exec.c:flush_old_files. */
1592 static inline void flush_unauthorized_files(struct files_struct * files)
1593 {
1594         struct avc_audit_data ad;
1595         struct file *file, *devnull = NULL;
1596         struct tty_struct *tty = current->signal->tty;
1597         struct fdtable *fdt;
1598         long j = -1;
1599
1600         if (tty) {
1601                 file_list_lock();
1602                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1603                 if (file) {
1604                         /* Revalidate access to controlling tty.
1605                            Use inode_has_perm on the tty inode directly rather
1606                            than using file_has_perm, as this particular open
1607                            file may belong to another process and we are only
1608                            interested in the inode-based check here. */
1609                         struct inode *inode = file->f_dentry->d_inode;
1610                         if (inode_has_perm(current, inode,
1611                                            FILE__READ | FILE__WRITE, NULL)) {
1612                                 /* Reset controlling tty. */
1613                                 current->signal->tty = NULL;
1614                                 current->signal->tty_old_pgrp = 0;
1615                         }
1616                 }
1617                 file_list_unlock();
1618         }
1619
1620         /* Revalidate access to inherited open files. */
1621
1622         AVC_AUDIT_DATA_INIT(&ad,FS);
1623
1624         spin_lock(&files->file_lock);
1625         for (;;) {
1626                 unsigned long set, i;
1627                 int fd;
1628
1629                 j++;
1630                 i = j * __NFDBITS;
1631                 fdt = files_fdtable(files);
1632                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1633                         break;
1634                 set = fdt->open_fds->fds_bits[j];
1635                 if (!set)
1636                         continue;
1637                 spin_unlock(&files->file_lock);
1638                 for ( ; set ; i++,set >>= 1) {
1639                         if (set & 1) {
1640                                 file = fget(i);
1641                                 if (!file)
1642                                         continue;
1643                                 if (file_has_perm(current,
1644                                                   file,
1645                                                   file_to_av(file))) {
1646                                         sys_close(i);
1647                                         fd = get_unused_fd();
1648                                         if (fd != i) {
1649                                                 if (fd >= 0)
1650                                                         put_unused_fd(fd);
1651                                                 fput(file);
1652                                                 continue;
1653                                         }
1654                                         if (devnull) {
1655                                                 rcuref_inc(&devnull->f_count);
1656                                         } else {
1657                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1658                                                 if (!devnull) {
1659                                                         put_unused_fd(fd);
1660                                                         fput(file);
1661                                                         continue;
1662                                                 }
1663                                         }
1664                                         fd_install(fd, devnull);
1665                                 }
1666                                 fput(file);
1667                         }
1668                 }
1669                 spin_lock(&files->file_lock);
1670
1671         }
1672         spin_unlock(&files->file_lock);
1673 }
1674
1675 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1676 {
1677         struct task_security_struct *tsec;
1678         struct bprm_security_struct *bsec;
1679         u32 sid;
1680         int rc;
1681
1682         secondary_ops->bprm_apply_creds(bprm, unsafe);
1683
1684         tsec = current->security;
1685
1686         bsec = bprm->security;
1687         sid = bsec->sid;
1688
1689         tsec->osid = tsec->sid;
1690         bsec->unsafe = 0;
1691         if (tsec->sid != sid) {
1692                 /* Check for shared state.  If not ok, leave SID
1693                    unchanged and kill. */
1694                 if (unsafe & LSM_UNSAFE_SHARE) {
1695                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1696                                         PROCESS__SHARE, NULL);
1697                         if (rc) {
1698                                 bsec->unsafe = 1;
1699                                 return;
1700                         }
1701                 }
1702
1703                 /* Check for ptracing, and update the task SID if ok.
1704                    Otherwise, leave SID unchanged and kill. */
1705                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1706                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1707                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1708                                           NULL);
1709                         if (rc) {
1710                                 bsec->unsafe = 1;
1711                                 return;
1712                         }
1713                 }
1714                 tsec->sid = sid;
1715         }
1716 }
1717
1718 /*
1719  * called after apply_creds without the task lock held
1720  */
1721 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1722 {
1723         struct task_security_struct *tsec;
1724         struct rlimit *rlim, *initrlim;
1725         struct itimerval itimer;
1726         struct bprm_security_struct *bsec;
1727         int rc, i;
1728
1729         tsec = current->security;
1730         bsec = bprm->security;
1731
1732         if (bsec->unsafe) {
1733                 force_sig_specific(SIGKILL, current);
1734                 return;
1735         }
1736         if (tsec->osid == tsec->sid)
1737                 return;
1738
1739         /* Close files for which the new task SID is not authorized. */
1740         flush_unauthorized_files(current->files);
1741
1742         /* Check whether the new SID can inherit signal state
1743            from the old SID.  If not, clear itimers to avoid
1744            subsequent signal generation and flush and unblock
1745            signals. This must occur _after_ the task SID has
1746           been updated so that any kill done after the flush
1747           will be checked against the new SID. */
1748         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1749                           PROCESS__SIGINH, NULL);
1750         if (rc) {
1751                 memset(&itimer, 0, sizeof itimer);
1752                 for (i = 0; i < 3; i++)
1753                         do_setitimer(i, &itimer, NULL);
1754                 flush_signals(current);
1755                 spin_lock_irq(&current->sighand->siglock);
1756                 flush_signal_handlers(current, 1);
1757                 sigemptyset(&current->blocked);
1758                 recalc_sigpending();
1759                 spin_unlock_irq(&current->sighand->siglock);
1760         }
1761
1762         /* Check whether the new SID can inherit resource limits
1763            from the old SID.  If not, reset all soft limits to
1764            the lower of the current task's hard limit and the init
1765            task's soft limit.  Note that the setting of hard limits
1766            (even to lower them) can be controlled by the setrlimit
1767            check. The inclusion of the init task's soft limit into
1768            the computation is to avoid resetting soft limits higher
1769            than the default soft limit for cases where the default
1770            is lower than the hard limit, e.g. RLIMIT_CORE or
1771            RLIMIT_STACK.*/
1772         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1773                           PROCESS__RLIMITINH, NULL);
1774         if (rc) {
1775                 for (i = 0; i < RLIM_NLIMITS; i++) {
1776                         rlim = current->signal->rlim + i;
1777                         initrlim = init_task.signal->rlim+i;
1778                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1779                 }
1780                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1781                         /*
1782                          * This will cause RLIMIT_CPU calculations
1783                          * to be refigured.
1784                          */
1785                         current->it_prof_expires = jiffies_to_cputime(1);
1786                 }
1787         }
1788
1789         /* Wake up the parent if it is waiting so that it can
1790            recheck wait permission to the new task SID. */
1791         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1792 }
1793
1794 /* superblock security operations */
1795
1796 static int selinux_sb_alloc_security(struct super_block *sb)
1797 {
1798         return superblock_alloc_security(sb);
1799 }
1800
1801 static void selinux_sb_free_security(struct super_block *sb)
1802 {
1803         superblock_free_security(sb);
1804 }
1805
1806 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1807 {
1808         if (plen > olen)
1809                 return 0;
1810
1811         return !memcmp(prefix, option, plen);
1812 }
1813
1814 static inline int selinux_option(char *option, int len)
1815 {
1816         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1817                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1818                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1819 }
1820
1821 static inline void take_option(char **to, char *from, int *first, int len)
1822 {
1823         if (!*first) {
1824                 **to = ',';
1825                 *to += 1;
1826         }
1827         else
1828                 *first = 0;
1829         memcpy(*to, from, len);
1830         *to += len;
1831 }
1832
1833 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1834 {
1835         int fnosec, fsec, rc = 0;
1836         char *in_save, *in_curr, *in_end;
1837         char *sec_curr, *nosec_save, *nosec;
1838
1839         in_curr = orig;
1840         sec_curr = copy;
1841
1842         /* Binary mount data: just copy */
1843         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1844                 copy_page(sec_curr, in_curr);
1845                 goto out;
1846         }
1847
1848         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1849         if (!nosec) {
1850                 rc = -ENOMEM;
1851                 goto out;
1852         }
1853
1854         nosec_save = nosec;
1855         fnosec = fsec = 1;
1856         in_save = in_end = orig;
1857
1858         do {
1859                 if (*in_end == ',' || *in_end == '\0') {
1860                         int len = in_end - in_curr;
1861
1862                         if (selinux_option(in_curr, len))
1863                                 take_option(&sec_curr, in_curr, &fsec, len);
1864                         else
1865                                 take_option(&nosec, in_curr, &fnosec, len);
1866
1867                         in_curr = in_end + 1;
1868                 }
1869         } while (*in_end++);
1870
1871         strcpy(in_save, nosec_save);
1872         free_page((unsigned long)nosec_save);
1873 out:
1874         return rc;
1875 }
1876
1877 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1878 {
1879         struct avc_audit_data ad;
1880         int rc;
1881
1882         rc = superblock_doinit(sb, data);
1883         if (rc)
1884                 return rc;
1885
1886         AVC_AUDIT_DATA_INIT(&ad,FS);
1887         ad.u.fs.dentry = sb->s_root;
1888         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1889 }
1890
1891 static int selinux_sb_statfs(struct super_block *sb)
1892 {
1893         struct avc_audit_data ad;
1894
1895         AVC_AUDIT_DATA_INIT(&ad,FS);
1896         ad.u.fs.dentry = sb->s_root;
1897         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1898 }
1899
1900 static int selinux_mount(char * dev_name,
1901                          struct nameidata *nd,
1902                          char * type,
1903                          unsigned long flags,
1904                          void * data)
1905 {
1906         int rc;
1907
1908         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1909         if (rc)
1910                 return rc;
1911
1912         if (flags & MS_REMOUNT)
1913                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1914                                            FILESYSTEM__REMOUNT, NULL);
1915         else
1916                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1917                                        FILE__MOUNTON);
1918 }
1919
1920 static int selinux_umount(struct vfsmount *mnt, int flags)
1921 {
1922         int rc;
1923
1924         rc = secondary_ops->sb_umount(mnt, flags);
1925         if (rc)
1926                 return rc;
1927
1928         return superblock_has_perm(current,mnt->mnt_sb,
1929                                    FILESYSTEM__UNMOUNT,NULL);
1930 }
1931
1932 /* inode security operations */
1933
1934 static int selinux_inode_alloc_security(struct inode *inode)
1935 {
1936         return inode_alloc_security(inode);
1937 }
1938
1939 static void selinux_inode_free_security(struct inode *inode)
1940 {
1941         inode_free_security(inode);
1942 }
1943
1944 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1945                                        char **name, void **value,
1946                                        size_t *len)
1947 {
1948         struct task_security_struct *tsec;
1949         struct inode_security_struct *dsec;
1950         struct superblock_security_struct *sbsec;
1951         struct inode_security_struct *isec;
1952         u32 newsid, clen;
1953         int rc;
1954         char *namep = NULL, *context;
1955
1956         tsec = current->security;
1957         dsec = dir->i_security;
1958         sbsec = dir->i_sb->s_security;
1959         isec = inode->i_security;
1960
1961         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1962                 newsid = tsec->create_sid;
1963         } else {
1964                 rc = security_transition_sid(tsec->sid, dsec->sid,
1965                                              inode_mode_to_security_class(inode->i_mode),
1966                                              &newsid);
1967                 if (rc) {
1968                         printk(KERN_WARNING "%s:  "
1969                                "security_transition_sid failed, rc=%d (dev=%s "
1970                                "ino=%ld)\n",
1971                                __FUNCTION__,
1972                                -rc, inode->i_sb->s_id, inode->i_ino);
1973                         return rc;
1974                 }
1975         }
1976
1977         inode_security_set_sid(inode, newsid);
1978
1979         if (name) {
1980                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1981                 if (!namep)
1982                         return -ENOMEM;
1983                 *name = namep;
1984         }
1985
1986         if (value && len) {
1987                 rc = security_sid_to_context(newsid, &context, &clen);
1988                 if (rc) {
1989                         kfree(namep);
1990                         return rc;
1991                 }
1992                 *value = context;
1993                 *len = clen;
1994         }
1995
1996         return 0;
1997 }
1998
1999 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2000 {
2001         return may_create(dir, dentry, SECCLASS_FILE);
2002 }
2003
2004 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2005 {
2006         int rc;
2007
2008         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2009         if (rc)
2010                 return rc;
2011         return may_link(dir, old_dentry, MAY_LINK);
2012 }
2013
2014 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2015 {
2016         int rc;
2017
2018         rc = secondary_ops->inode_unlink(dir, dentry);
2019         if (rc)
2020                 return rc;
2021         return may_link(dir, dentry, MAY_UNLINK);
2022 }
2023
2024 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2025 {
2026         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2027 }
2028
2029 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2030 {
2031         return may_create(dir, dentry, SECCLASS_DIR);
2032 }
2033
2034 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2035 {
2036         return may_link(dir, dentry, MAY_RMDIR);
2037 }
2038
2039 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2040 {
2041         int rc;
2042
2043         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2044         if (rc)
2045                 return rc;
2046
2047         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2048 }
2049
2050 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2051                                 struct inode *new_inode, struct dentry *new_dentry)
2052 {
2053         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2054 }
2055
2056 static int selinux_inode_readlink(struct dentry *dentry)
2057 {
2058         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2059 }
2060
2061 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2062 {
2063         int rc;
2064
2065         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2066         if (rc)
2067                 return rc;
2068         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_permission(struct inode *inode, int mask,
2072                                     struct nameidata *nd)
2073 {
2074         int rc;
2075
2076         rc = secondary_ops->inode_permission(inode, mask, nd);
2077         if (rc)
2078                 return rc;
2079
2080         if (!mask) {
2081                 /* No permission to check.  Existence test. */
2082                 return 0;
2083         }
2084
2085         return inode_has_perm(current, inode,
2086                                file_mask_to_av(inode->i_mode, mask), NULL);
2087 }
2088
2089 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2090 {
2091         int rc;
2092
2093         rc = secondary_ops->inode_setattr(dentry, iattr);
2094         if (rc)
2095                 return rc;
2096
2097         if (iattr->ia_valid & ATTR_FORCE)
2098                 return 0;
2099
2100         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2101                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2102                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2103
2104         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2105 }
2106
2107 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2108 {
2109         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2110 }
2111
2112 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2113 {
2114         struct task_security_struct *tsec = current->security;
2115         struct inode *inode = dentry->d_inode;
2116         struct inode_security_struct *isec = inode->i_security;
2117         struct superblock_security_struct *sbsec;
2118         struct avc_audit_data ad;
2119         u32 newsid;
2120         int rc = 0;
2121
2122         if (strcmp(name, XATTR_NAME_SELINUX)) {
2123                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2124                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2125                     !capable(CAP_SYS_ADMIN)) {
2126                         /* A different attribute in the security namespace.
2127                            Restrict to administrator. */
2128                         return -EPERM;
2129                 }
2130
2131                 /* Not an attribute we recognize, so just check the
2132                    ordinary setattr permission. */
2133                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2134         }
2135
2136         sbsec = inode->i_sb->s_security;
2137         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2138                 return -EOPNOTSUPP;
2139
2140         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2141                 return -EPERM;
2142
2143         AVC_AUDIT_DATA_INIT(&ad,FS);
2144         ad.u.fs.dentry = dentry;
2145
2146         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2147                           FILE__RELABELFROM, &ad);
2148         if (rc)
2149                 return rc;
2150
2151         rc = security_context_to_sid(value, size, &newsid);
2152         if (rc)
2153                 return rc;
2154
2155         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2156                           FILE__RELABELTO, &ad);
2157         if (rc)
2158                 return rc;
2159
2160         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2161                                           isec->sclass);
2162         if (rc)
2163                 return rc;
2164
2165         return avc_has_perm(newsid,
2166                             sbsec->sid,
2167                             SECCLASS_FILESYSTEM,
2168                             FILESYSTEM__ASSOCIATE,
2169                             &ad);
2170 }
2171
2172 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2173                                         void *value, size_t size, int flags)
2174 {
2175         struct inode *inode = dentry->d_inode;
2176         struct inode_security_struct *isec = inode->i_security;
2177         u32 newsid;
2178         int rc;
2179
2180         if (strcmp(name, XATTR_NAME_SELINUX)) {
2181                 /* Not an attribute we recognize, so nothing to do. */
2182                 return;
2183         }
2184
2185         rc = security_context_to_sid(value, size, &newsid);
2186         if (rc) {
2187                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2188                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2189                 return;
2190         }
2191
2192         isec->sid = newsid;
2193         return;
2194 }
2195
2196 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2197 {
2198         struct inode *inode = dentry->d_inode;
2199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2200
2201         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2202                 return -EOPNOTSUPP;
2203
2204         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2205 }
2206
2207 static int selinux_inode_listxattr (struct dentry *dentry)
2208 {
2209         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2210 }
2211
2212 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2213 {
2214         if (strcmp(name, XATTR_NAME_SELINUX)) {
2215                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2216                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2217                     !capable(CAP_SYS_ADMIN)) {
2218                         /* A different attribute in the security namespace.
2219                            Restrict to administrator. */
2220                         return -EPERM;
2221                 }
2222
2223                 /* Not an attribute we recognize, so just check the
2224                    ordinary setattr permission. Might want a separate
2225                    permission for removexattr. */
2226                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2227         }
2228
2229         /* No one is allowed to remove a SELinux security label.
2230            You can change the label, but all data must be labeled. */
2231         return -EACCES;
2232 }
2233
2234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2235 {
2236         struct inode_security_struct *isec = inode->i_security;
2237         char *context;
2238         unsigned len;
2239         int rc;
2240
2241         /* Permission check handled by selinux_inode_getxattr hook.*/
2242
2243         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2244                 return -EOPNOTSUPP;
2245
2246         rc = security_sid_to_context(isec->sid, &context, &len);
2247         if (rc)
2248                 return rc;
2249
2250         if (!buffer || !size) {
2251                 kfree(context);
2252                 return len;
2253         }
2254         if (size < len) {
2255                 kfree(context);
2256                 return -ERANGE;
2257         }
2258         memcpy(buffer, context, len);
2259         kfree(context);
2260         return len;
2261 }
2262
2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264                                      const void *value, size_t size, int flags)
2265 {
2266         struct inode_security_struct *isec = inode->i_security;
2267         u32 newsid;
2268         int rc;
2269
2270         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271                 return -EOPNOTSUPP;
2272
2273         if (!value || !size)
2274                 return -EACCES;
2275
2276         rc = security_context_to_sid((void*)value, size, &newsid);
2277         if (rc)
2278                 return rc;
2279
2280         isec->sid = newsid;
2281         return 0;
2282 }
2283
2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285 {
2286         const int len = sizeof(XATTR_NAME_SELINUX);
2287         if (buffer && len <= buffer_size)
2288                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289         return len;
2290 }
2291
2292 /* file security operations */
2293
2294 static int selinux_file_permission(struct file *file, int mask)
2295 {
2296         struct inode *inode = file->f_dentry->d_inode;
2297
2298         if (!mask) {
2299                 /* No permission to check.  Existence test. */
2300                 return 0;
2301         }
2302
2303         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305                 mask |= MAY_APPEND;
2306
2307         return file_has_perm(current, file,
2308                              file_mask_to_av(inode->i_mode, mask));
2309 }
2310
2311 static int selinux_file_alloc_security(struct file *file)
2312 {
2313         return file_alloc_security(file);
2314 }
2315
2316 static void selinux_file_free_security(struct file *file)
2317 {
2318         file_free_security(file);
2319 }
2320
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322                               unsigned long arg)
2323 {
2324         int error = 0;
2325
2326         switch (cmd) {
2327                 case FIONREAD:
2328                 /* fall through */
2329                 case FIBMAP:
2330                 /* fall through */
2331                 case FIGETBSZ:
2332                 /* fall through */
2333                 case EXT2_IOC_GETFLAGS:
2334                 /* fall through */
2335                 case EXT2_IOC_GETVERSION:
2336                         error = file_has_perm(current, file, FILE__GETATTR);
2337                         break;
2338
2339                 case EXT2_IOC_SETFLAGS:
2340                 /* fall through */
2341                 case EXT2_IOC_SETVERSION:
2342                         error = file_has_perm(current, file, FILE__SETATTR);
2343                         break;
2344
2345                 /* sys_ioctl() checks */
2346                 case FIONBIO:
2347                 /* fall through */
2348                 case FIOASYNC:
2349                         error = file_has_perm(current, file, 0);
2350                         break;
2351
2352                 case KDSKBENT:
2353                 case KDSKBSENT:
2354                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355                         break;
2356
2357                 /* default case assumes that the command will go
2358                  * to the file's ioctl() function.
2359                  */
2360                 default:
2361                         error = file_has_perm(current, file, FILE__IOCTL);
2362
2363         }
2364         return error;
2365 }
2366
2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368 {
2369 #ifndef CONFIG_PPC32
2370         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371                 /*
2372                  * We are making executable an anonymous mapping or a
2373                  * private file mapping that will also be writable.
2374                  * This has an additional check.
2375                  */
2376                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377                 if (rc)
2378                         return rc;
2379         }
2380 #endif
2381
2382         if (file) {
2383                 /* read access is always possible with a mapping */
2384                 u32 av = FILE__READ;
2385
2386                 /* write access only matters if the mapping is shared */
2387                 if (shared && (prot & PROT_WRITE))
2388                         av |= FILE__WRITE;
2389
2390                 if (prot & PROT_EXEC)
2391                         av |= FILE__EXECUTE;
2392
2393                 return file_has_perm(current, file, av);
2394         }
2395         return 0;
2396 }
2397
2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399                              unsigned long prot, unsigned long flags)
2400 {
2401         int rc;
2402
2403         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404         if (rc)
2405                 return rc;
2406
2407         if (selinux_checkreqprot)
2408                 prot = reqprot;
2409
2410         return file_map_prot_check(file, prot,
2411                                    (flags & MAP_TYPE) == MAP_SHARED);
2412 }
2413
2414 static int selinux_file_mprotect(struct vm_area_struct *vma,
2415                                  unsigned long reqprot,
2416                                  unsigned long prot)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427 #ifndef CONFIG_PPC32
2428         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2429            (vma->vm_start >= vma->vm_mm->start_brk &&
2430             vma->vm_end <= vma->vm_mm->brk)) {
2431                 /*
2432                  * We are making an executable mapping in the brk region.
2433                  * This has an additional execheap check.
2434                  */
2435                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2436                 if (rc)
2437                         return rc;
2438         }
2439         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2440                 /*
2441                  * We are making executable a file mapping that has
2442                  * had some COW done. Since pages might have been written,
2443                  * check ability to execute the possibly modified content.
2444                  * This typically should only occur for text relocations.
2445                  */
2446                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2447                 if (rc)
2448                         return rc;
2449         }
2450         if (!vma->vm_file && (prot & PROT_EXEC) &&
2451                 vma->vm_start <= vma->vm_mm->start_stack &&
2452                 vma->vm_end >= vma->vm_mm->start_stack) {
2453                 /* Attempt to make the process stack executable.
2454                  * This has an additional execstack check.
2455                  */
2456                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2457                 if (rc)
2458                         return rc;
2459         }
2460 #endif
2461
2462         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2463 }
2464
2465 static int selinux_file_lock(struct file *file, unsigned int cmd)
2466 {
2467         return file_has_perm(current, file, FILE__LOCK);
2468 }
2469
2470 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2471                               unsigned long arg)
2472 {
2473         int err = 0;
2474
2475         switch (cmd) {
2476                 case F_SETFL:
2477                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2478                                 err = -EINVAL;
2479                                 break;
2480                         }
2481
2482                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2483                                 err = file_has_perm(current, file,FILE__WRITE);
2484                                 break;
2485                         }
2486                         /* fall through */
2487                 case F_SETOWN:
2488                 case F_SETSIG:
2489                 case F_GETFL:
2490                 case F_GETOWN:
2491                 case F_GETSIG:
2492                         /* Just check FD__USE permission */
2493                         err = file_has_perm(current, file, 0);
2494                         break;
2495                 case F_GETLK:
2496                 case F_SETLK:
2497                 case F_SETLKW:
2498 #if BITS_PER_LONG == 32
2499                 case F_GETLK64:
2500                 case F_SETLK64:
2501                 case F_SETLKW64:
2502 #endif
2503                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2504                                 err = -EINVAL;
2505                                 break;
2506                         }
2507                         err = file_has_perm(current, file, FILE__LOCK);
2508                         break;
2509         }
2510
2511         return err;
2512 }
2513
2514 static int selinux_file_set_fowner(struct file *file)
2515 {
2516         struct task_security_struct *tsec;
2517         struct file_security_struct *fsec;
2518
2519         tsec = current->security;
2520         fsec = file->f_security;
2521         fsec->fown_sid = tsec->sid;
2522
2523         return 0;
2524 }
2525
2526 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2527                                        struct fown_struct *fown, int signum)
2528 {
2529         struct file *file;
2530         u32 perm;
2531         struct task_security_struct *tsec;
2532         struct file_security_struct *fsec;
2533
2534         /* struct fown_struct is never outside the context of a struct file */
2535         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2536
2537         tsec = tsk->security;
2538         fsec = file->f_security;
2539
2540         if (!signum)
2541                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2542         else
2543                 perm = signal_to_av(signum);
2544
2545         return avc_has_perm(fsec->fown_sid, tsec->sid,
2546                             SECCLASS_PROCESS, perm, NULL);
2547 }
2548
2549 static int selinux_file_receive(struct file *file)
2550 {
2551         return file_has_perm(current, file, file_to_av(file));
2552 }
2553
2554 /* task security operations */
2555
2556 static int selinux_task_create(unsigned long clone_flags)
2557 {
2558         int rc;
2559
2560         rc = secondary_ops->task_create(clone_flags);
2561         if (rc)
2562                 return rc;
2563
2564         return task_has_perm(current, current, PROCESS__FORK);
2565 }
2566
2567 static int selinux_task_alloc_security(struct task_struct *tsk)
2568 {
2569         struct task_security_struct *tsec1, *tsec2;
2570         int rc;
2571
2572         tsec1 = current->security;
2573
2574         rc = task_alloc_security(tsk);
2575         if (rc)
2576                 return rc;
2577         tsec2 = tsk->security;
2578
2579         tsec2->osid = tsec1->osid;
2580         tsec2->sid = tsec1->sid;
2581
2582         /* Retain the exec and create SIDs across fork */
2583         tsec2->exec_sid = tsec1->exec_sid;
2584         tsec2->create_sid = tsec1->create_sid;
2585
2586         /* Retain ptracer SID across fork, if any.
2587            This will be reset by the ptrace hook upon any
2588            subsequent ptrace_attach operations. */
2589         tsec2->ptrace_sid = tsec1->ptrace_sid;
2590
2591         return 0;
2592 }
2593
2594 static void selinux_task_free_security(struct task_struct *tsk)
2595 {
2596         task_free_security(tsk);
2597 }
2598
2599 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2600 {
2601         /* Since setuid only affects the current process, and
2602            since the SELinux controls are not based on the Linux
2603            identity attributes, SELinux does not need to control
2604            this operation.  However, SELinux does control the use
2605            of the CAP_SETUID and CAP_SETGID capabilities using the
2606            capable hook. */
2607         return 0;
2608 }
2609
2610 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2611 {
2612         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2613 }
2614
2615 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2616 {
2617         /* See the comment for setuid above. */
2618         return 0;
2619 }
2620
2621 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2622 {
2623         return task_has_perm(current, p, PROCESS__SETPGID);
2624 }
2625
2626 static int selinux_task_getpgid(struct task_struct *p)
2627 {
2628         return task_has_perm(current, p, PROCESS__GETPGID);
2629 }
2630
2631 static int selinux_task_getsid(struct task_struct *p)
2632 {
2633         return task_has_perm(current, p, PROCESS__GETSESSION);
2634 }
2635
2636 static int selinux_task_setgroups(struct group_info *group_info)
2637 {
2638         /* See the comment for setuid above. */
2639         return 0;
2640 }
2641
2642 static int selinux_task_setnice(struct task_struct *p, int nice)
2643 {
2644         int rc;
2645
2646         rc = secondary_ops->task_setnice(p, nice);
2647         if (rc)
2648                 return rc;
2649
2650         return task_has_perm(current,p, PROCESS__SETSCHED);
2651 }
2652
2653 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2654 {
2655         struct rlimit *old_rlim = current->signal->rlim + resource;
2656         int rc;
2657
2658         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2659         if (rc)
2660                 return rc;
2661
2662         /* Control the ability to change the hard limit (whether
2663            lowering or raising it), so that the hard limit can
2664            later be used as a safe reset point for the soft limit
2665            upon context transitions. See selinux_bprm_apply_creds. */
2666         if (old_rlim->rlim_max != new_rlim->rlim_max)
2667                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2668
2669         return 0;
2670 }
2671
2672 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2673 {
2674         return task_has_perm(current, p, PROCESS__SETSCHED);
2675 }
2676
2677 static int selinux_task_getscheduler(struct task_struct *p)
2678 {
2679         return task_has_perm(current, p, PROCESS__GETSCHED);
2680 }
2681
2682 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2683 {
2684         u32 perm;
2685         int rc;
2686
2687         rc = secondary_ops->task_kill(p, info, sig);
2688         if (rc)
2689                 return rc;
2690
2691         if (info && ((unsigned long)info == 1 ||
2692                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2693                 return 0;
2694
2695         if (!sig)
2696                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2697         else
2698                 perm = signal_to_av(sig);
2699
2700         return task_has_perm(current, p, perm);
2701 }
2702
2703 static int selinux_task_prctl(int option,
2704                               unsigned long arg2,
2705                               unsigned long arg3,
2706                               unsigned long arg4,
2707                               unsigned long arg5)
2708 {
2709         /* The current prctl operations do not appear to require
2710            any SELinux controls since they merely observe or modify
2711            the state of the current process. */
2712         return 0;
2713 }
2714
2715 static int selinux_task_wait(struct task_struct *p)
2716 {
2717         u32 perm;
2718
2719         perm = signal_to_av(p->exit_signal);
2720
2721         return task_has_perm(p, current, perm);
2722 }
2723
2724 static void selinux_task_reparent_to_init(struct task_struct *p)
2725 {
2726         struct task_security_struct *tsec;
2727
2728         secondary_ops->task_reparent_to_init(p);
2729
2730         tsec = p->security;
2731         tsec->osid = tsec->sid;
2732         tsec->sid = SECINITSID_KERNEL;
2733         return;
2734 }
2735
2736 static void selinux_task_to_inode(struct task_struct *p,
2737                                   struct inode *inode)
2738 {
2739         struct task_security_struct *tsec = p->security;
2740         struct inode_security_struct *isec = inode->i_security;
2741
2742         isec->sid = tsec->sid;
2743         isec->initialized = 1;
2744         return;
2745 }
2746
2747 #ifdef CONFIG_SECURITY_NETWORK
2748
2749 /* Returns error only if unable to parse addresses */
2750 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2751 {
2752         int offset, ihlen, ret = -EINVAL;
2753         struct iphdr _iph, *ih;
2754
2755         offset = skb->nh.raw - skb->data;
2756         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2757         if (ih == NULL)
2758                 goto out;
2759
2760         ihlen = ih->ihl * 4;
2761         if (ihlen < sizeof(_iph))
2762                 goto out;
2763
2764         ad->u.net.v4info.saddr = ih->saddr;
2765         ad->u.net.v4info.daddr = ih->daddr;
2766         ret = 0;
2767
2768         switch (ih->protocol) {
2769         case IPPROTO_TCP: {
2770                 struct tcphdr _tcph, *th;
2771
2772                 if (ntohs(ih->frag_off) & IP_OFFSET)
2773                         break;
2774
2775                 offset += ihlen;
2776                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2777                 if (th == NULL)
2778                         break;
2779
2780                 ad->u.net.sport = th->source;
2781                 ad->u.net.dport = th->dest;
2782                 break;
2783         }
2784         
2785         case IPPROTO_UDP: {
2786                 struct udphdr _udph, *uh;
2787                 
2788                 if (ntohs(ih->frag_off) & IP_OFFSET)
2789                         break;
2790                         
2791                 offset += ihlen;
2792                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2793                 if (uh == NULL)
2794                         break;  
2795
2796                 ad->u.net.sport = uh->source;
2797                 ad->u.net.dport = uh->dest;
2798                 break;
2799         }
2800
2801         default:
2802                 break;
2803         }
2804 out:
2805         return ret;
2806 }
2807
2808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2809
2810 /* Returns error only if unable to parse addresses */
2811 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2812 {
2813         u8 nexthdr;
2814         int ret = -EINVAL, offset;
2815         struct ipv6hdr _ipv6h, *ip6;
2816
2817         offset = skb->nh.raw - skb->data;
2818         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2819         if (ip6 == NULL)
2820                 goto out;
2821
2822         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2823         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2824         ret = 0;
2825
2826         nexthdr = ip6->nexthdr;
2827         offset += sizeof(_ipv6h);
2828         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2829         if (offset < 0)
2830                 goto out;
2831
2832         switch (nexthdr) {
2833         case IPPROTO_TCP: {
2834                 struct tcphdr _tcph, *th;
2835
2836                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2837                 if (th == NULL)
2838                         break;
2839
2840                 ad->u.net.sport = th->source;
2841                 ad->u.net.dport = th->dest;
2842                 break;
2843         }
2844
2845         case IPPROTO_UDP: {
2846                 struct udphdr _udph, *uh;
2847
2848                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2849                 if (uh == NULL)
2850                         break;
2851
2852                 ad->u.net.sport = uh->source;
2853                 ad->u.net.dport = uh->dest;
2854                 break;
2855         }
2856
2857         /* includes fragments */
2858         default:
2859                 break;
2860         }
2861 out:
2862         return ret;
2863 }
2864
2865 #endif /* IPV6 */
2866
2867 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2868                              char **addrp, int *len, int src)
2869 {
2870         int ret = 0;
2871
2872         switch (ad->u.net.family) {
2873         case PF_INET:
2874                 ret = selinux_parse_skb_ipv4(skb, ad);
2875                 if (ret || !addrp)
2876                         break;
2877                 *len = 4;
2878                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2879                                         &ad->u.net.v4info.daddr);
2880                 break;
2881
2882 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2883         case PF_INET6:
2884                 ret = selinux_parse_skb_ipv6(skb, ad);
2885                 if (ret || !addrp)
2886                         break;
2887                 *len = 16;
2888                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2889                                         &ad->u.net.v6info.daddr);
2890                 break;
2891 #endif  /* IPV6 */
2892         default:
2893                 break;
2894         }
2895
2896         return ret;
2897 }
2898
2899 /* socket security operations */
2900 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2901                            u32 perms)
2902 {
2903         struct inode_security_struct *isec;
2904         struct task_security_struct *tsec;
2905         struct avc_audit_data ad;
2906         int err = 0;
2907
2908         tsec = task->security;
2909         isec = SOCK_INODE(sock)->i_security;
2910
2911         if (isec->sid == SECINITSID_KERNEL)
2912                 goto out;
2913
2914         AVC_AUDIT_DATA_INIT(&ad,NET);
2915         ad.u.net.sk = sock->sk;
2916         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2917
2918 out:
2919         return err;
2920 }
2921
2922 static int selinux_socket_create(int family, int type,
2923                                  int protocol, int kern)
2924 {
2925         int err = 0;
2926         struct task_security_struct *tsec;
2927
2928         if (kern)
2929                 goto out;
2930
2931         tsec = current->security;
2932         err = avc_has_perm(tsec->sid, tsec->sid,
2933                            socket_type_to_security_class(family, type,
2934                            protocol), SOCKET__CREATE, NULL);
2935
2936 out:
2937         return err;
2938 }
2939
2940 static void selinux_socket_post_create(struct socket *sock, int family,
2941                                        int type, int protocol, int kern)
2942 {
2943         struct inode_security_struct *isec;
2944         struct task_security_struct *tsec;
2945
2946         isec = SOCK_INODE(sock)->i_security;
2947
2948         tsec = current->security;
2949         isec->sclass = socket_type_to_security_class(family, type, protocol);
2950         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2951         isec->initialized = 1;
2952
2953         return;
2954 }
2955
2956 /* Range of port numbers used to automatically bind.
2957    Need to determine whether we should perform a name_bind
2958    permission check between the socket and the port number. */
2959 #define ip_local_port_range_0 sysctl_local_port_range[0]
2960 #define ip_local_port_range_1 sysctl_local_port_range[1]
2961
2962 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2963 {
2964         u16 family;
2965         int err;
2966
2967         err = socket_has_perm(current, sock, SOCKET__BIND);
2968         if (err)
2969                 goto out;
2970
2971         /*
2972          * If PF_INET or PF_INET6, check name_bind permission for the port.
2973          */
2974         family = sock->sk->sk_family;
2975         if (family == PF_INET || family == PF_INET6) {
2976                 char *addrp;
2977                 struct inode_security_struct *isec;
2978                 struct task_security_struct *tsec;
2979                 struct avc_audit_data ad;
2980                 struct sockaddr_in *addr4 = NULL;
2981                 struct sockaddr_in6 *addr6 = NULL;
2982                 unsigned short snum;
2983                 struct sock *sk = sock->sk;
2984                 u32 sid, node_perm, addrlen;
2985
2986                 tsec = current->security;
2987                 isec = SOCK_INODE(sock)->i_security;
2988
2989                 if (family == PF_INET) {
2990                         addr4 = (struct sockaddr_in *)address;
2991                         snum = ntohs(addr4->sin_port);
2992                         addrlen = sizeof(addr4->sin_addr.s_addr);
2993                         addrp = (char *)&addr4->sin_addr.s_addr;
2994                 } else {
2995                         addr6 = (struct sockaddr_in6 *)address;
2996                         snum = ntohs(addr6->sin6_port);
2997                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2998                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2999                 }
3000
3001                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3002                            snum > ip_local_port_range_1)) {
3003                         err = security_port_sid(sk->sk_family, sk->sk_type,
3004                                                 sk->sk_protocol, snum, &sid);
3005                         if (err)
3006                                 goto out;
3007                         AVC_AUDIT_DATA_INIT(&ad,NET);
3008                         ad.u.net.sport = htons(snum);
3009                         ad.u.net.family = family;
3010                         err = avc_has_perm(isec->sid, sid,
3011                                            isec->sclass,
3012                                            SOCKET__NAME_BIND, &ad);
3013                         if (err)
3014                                 goto out;
3015                 }
3016                 
3017                 switch(sk->sk_protocol) {
3018                 case IPPROTO_TCP:
3019                         node_perm = TCP_SOCKET__NODE_BIND;
3020                         break;
3021                         
3022                 case IPPROTO_UDP:
3023                         node_perm = UDP_SOCKET__NODE_BIND;
3024                         break;
3025                         
3026                 default:
3027                         node_perm = RAWIP_SOCKET__NODE_BIND;
3028                         break;
3029                 }
3030                 
3031                 err = security_node_sid(family, addrp, addrlen, &sid);
3032                 if (err)
3033                         goto out;
3034                 
3035                 AVC_AUDIT_DATA_INIT(&ad,NET);
3036                 ad.u.net.sport = htons(snum);
3037                 ad.u.net.family = family;
3038
3039                 if (family == PF_INET)
3040                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3041                 else
3042                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3043
3044                 err = avc_has_perm(isec->sid, sid,
3045                                    isec->sclass, node_perm, &ad);
3046                 if (err)
3047                         goto out;
3048         }
3049 out:
3050         return err;
3051 }
3052
3053 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3054 {
3055         struct inode_security_struct *isec;
3056         int err;
3057
3058         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3059         if (err)
3060                 return err;
3061
3062         /*
3063          * If a TCP socket, check name_connect permission for the port.
3064          */
3065         isec = SOCK_INODE(sock)->i_security;
3066         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3067                 struct sock *sk = sock->sk;
3068                 struct avc_audit_data ad;
3069                 struct sockaddr_in *addr4 = NULL;
3070                 struct sockaddr_in6 *addr6 = NULL;
3071                 unsigned short snum;
3072                 u32 sid;
3073
3074                 if (sk->sk_family == PF_INET) {
3075                         addr4 = (struct sockaddr_in *)address;
3076                         if (addrlen < sizeof(struct sockaddr_in))
3077                                 return -EINVAL;
3078                         snum = ntohs(addr4->sin_port);
3079                 } else {
3080                         addr6 = (struct sockaddr_in6 *)address;
3081                         if (addrlen < SIN6_LEN_RFC2133)
3082                                 return -EINVAL;
3083                         snum = ntohs(addr6->sin6_port);
3084                 }
3085
3086                 err = security_port_sid(sk->sk_family, sk->sk_type,
3087                                         sk->sk_protocol, snum, &sid);
3088                 if (err)
3089                         goto out;
3090
3091                 AVC_AUDIT_DATA_INIT(&ad,NET);
3092                 ad.u.net.dport = htons(snum);
3093                 ad.u.net.family = sk->sk_family;
3094                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3095                                    TCP_SOCKET__NAME_CONNECT, &ad);
3096                 if (err)
3097                         goto out;
3098         }
3099
3100 out:
3101         return err;
3102 }
3103
3104 static int selinux_socket_listen(struct socket *sock, int backlog)
3105 {
3106         return socket_has_perm(current, sock, SOCKET__LISTEN);
3107 }
3108
3109 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3110 {
3111         int err;
3112         struct inode_security_struct *isec;
3113         struct inode_security_struct *newisec;
3114
3115         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3116         if (err)
3117                 return err;
3118
3119         newisec = SOCK_INODE(newsock)->i_security;
3120
3121         isec = SOCK_INODE(sock)->i_security;
3122         newisec->sclass = isec->sclass;
3123         newisec->sid = isec->sid;
3124         newisec->initialized = 1;
3125
3126         return 0;
3127 }
3128
3129 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3130                                   int size)
3131 {
3132         return socket_has_perm(current, sock, SOCKET__WRITE);
3133 }
3134
3135 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3136                                   int size, int flags)
3137 {
3138         return socket_has_perm(current, sock, SOCKET__READ);
3139 }
3140
3141 static int selinux_socket_getsockname(struct socket *sock)
3142 {
3143         return socket_has_perm(current, sock, SOCKET__GETATTR);
3144 }
3145
3146 static int selinux_socket_getpeername(struct socket *sock)
3147 {
3148         return socket_has_perm(current, sock, SOCKET__GETATTR);
3149 }
3150
3151 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3152 {
3153         return socket_has_perm(current, sock, SOCKET__SETOPT);
3154 }
3155
3156 static int selinux_socket_getsockopt(struct socket *sock, int level,
3157                                      int optname)
3158 {
3159         return socket_has_perm(current, sock, SOCKET__GETOPT);
3160 }
3161
3162 static int selinux_socket_shutdown(struct socket *sock, int how)
3163 {
3164         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3165 }
3166
3167 static int selinux_socket_unix_stream_connect(struct socket *sock,
3168                                               struct socket *other,
3169                                               struct sock *newsk)
3170 {
3171         struct sk_security_struct *ssec;
3172         struct inode_security_struct *isec;
3173         struct inode_security_struct *other_isec;
3174         struct avc_audit_data ad;
3175         int err;
3176
3177         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3178         if (err)
3179                 return err;
3180
3181         isec = SOCK_INODE(sock)->i_security;
3182         other_isec = SOCK_INODE(other)->i_security;
3183
3184         AVC_AUDIT_DATA_INIT(&ad,NET);
3185         ad.u.net.sk = other->sk;
3186
3187         err = avc_has_perm(isec->sid, other_isec->sid,
3188                            isec->sclass,
3189                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3190         if (err)
3191                 return err;
3192
3193         /* connecting socket */
3194         ssec = sock->sk->sk_security;
3195         ssec->peer_sid = other_isec->sid;
3196         
3197         /* server child socket */
3198         ssec = newsk->sk_security;
3199         ssec->peer_sid = isec->sid;
3200         
3201         return 0;
3202 }
3203
3204 static int selinux_socket_unix_may_send(struct socket *sock,
3205                                         struct socket *other)
3206 {