[PATCH] fix audit_init failure path
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 /* Return security context for a given sid or just the context 
121    length if the buffer is null or length is 0 */
122 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
123 {
124         char *context;
125         unsigned len;
126         int rc;
127
128         rc = security_sid_to_context(sid, &context, &len);
129         if (rc)
130                 return rc;
131
132         if (!buffer || !size)
133                 goto getsecurity_exit;
134
135         if (size < len) {
136                 len = -ERANGE;
137                 goto getsecurity_exit;
138         }
139         memcpy(buffer, context, len);
140
141 getsecurity_exit:
142         kfree(context);
143         return len;
144 }
145
146 /* Allocate and free functions for each kind of security blob. */
147
148 static int task_alloc_security(struct task_struct *task)
149 {
150         struct task_security_struct *tsec;
151
152         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
153         if (!tsec)
154                 return -ENOMEM;
155
156         tsec->task = task;
157         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
158         task->security = tsec;
159
160         return 0;
161 }
162
163 static void task_free_security(struct task_struct *task)
164 {
165         struct task_security_struct *tsec = task->security;
166         task->security = NULL;
167         kfree(tsec);
168 }
169
170 static int inode_alloc_security(struct inode *inode)
171 {
172         struct task_security_struct *tsec = current->security;
173         struct inode_security_struct *isec;
174
175         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
176         if (!isec)
177                 return -ENOMEM;
178
179         init_MUTEX(&isec->sem);
180         INIT_LIST_HEAD(&isec->list);
181         isec->inode = inode;
182         isec->sid = SECINITSID_UNLABELED;
183         isec->sclass = SECCLASS_FILE;
184         isec->task_sid = tsec->sid;
185         inode->i_security = isec;
186
187         return 0;
188 }
189
190 static void inode_free_security(struct inode *inode)
191 {
192         struct inode_security_struct *isec = inode->i_security;
193         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
194
195         spin_lock(&sbsec->isec_lock);
196         if (!list_empty(&isec->list))
197                 list_del_init(&isec->list);
198         spin_unlock(&sbsec->isec_lock);
199
200         inode->i_security = NULL;
201         kfree(isec);
202 }
203
204 static int file_alloc_security(struct file *file)
205 {
206         struct task_security_struct *tsec = current->security;
207         struct file_security_struct *fsec;
208
209         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
210         if (!fsec)
211                 return -ENOMEM;
212
213         fsec->file = file;
214         fsec->sid = tsec->sid;
215         fsec->fown_sid = tsec->sid;
216         file->f_security = fsec;
217
218         return 0;
219 }
220
221 static void file_free_security(struct file *file)
222 {
223         struct file_security_struct *fsec = file->f_security;
224         file->f_security = NULL;
225         kfree(fsec);
226 }
227
228 static int superblock_alloc_security(struct super_block *sb)
229 {
230         struct superblock_security_struct *sbsec;
231
232         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
233         if (!sbsec)
234                 return -ENOMEM;
235
236         init_MUTEX(&sbsec->sem);
237         INIT_LIST_HEAD(&sbsec->list);
238         INIT_LIST_HEAD(&sbsec->isec_head);
239         spin_lock_init(&sbsec->isec_lock);
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         spin_lock(&sb_security_lock);
253         if (!list_empty(&sbsec->list))
254                 list_del_init(&sbsec->list);
255         spin_unlock(&sb_security_lock);
256
257         sb->s_security = NULL;
258         kfree(sbsec);
259 }
260
261 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
262 {
263         struct sk_security_struct *ssec;
264
265         if (family != PF_UNIX)
266                 return 0;
267
268         ssec = kzalloc(sizeof(*ssec), priority);
269         if (!ssec)
270                 return -ENOMEM;
271
272         ssec->sk = sk;
273         ssec->peer_sid = SECINITSID_UNLABELED;
274         sk->sk_security = ssec;
275
276         return 0;
277 }
278
279 static void sk_free_security(struct sock *sk)
280 {
281         struct sk_security_struct *ssec = sk->sk_security;
282
283         if (sk->sk_family != PF_UNIX)
284                 return;
285
286         sk->sk_security = NULL;
287         kfree(ssec);
288 }
289
290 /* The security server must be initialized before
291    any labeling or access decisions can be provided. */
292 extern int ss_initialized;
293
294 /* The file system's label must be initialized prior to use. */
295
296 static char *labeling_behaviors[6] = {
297         "uses xattr",
298         "uses transition SIDs",
299         "uses task SIDs",
300         "uses genfs_contexts",
301         "not configured for labeling",
302         "uses mountpoint labeling",
303 };
304
305 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
306
307 static inline int inode_doinit(struct inode *inode)
308 {
309         return inode_doinit_with_dentry(inode, NULL);
310 }
311
312 enum {
313         Opt_context = 1,
314         Opt_fscontext = 2,
315         Opt_defcontext = 4,
316 };
317
318 static match_table_t tokens = {
319         {Opt_context, "context=%s"},
320         {Opt_fscontext, "fscontext=%s"},
321         {Opt_defcontext, "defcontext=%s"},
322 };
323
324 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
325
326 static int try_context_mount(struct super_block *sb, void *data)
327 {
328         char *context = NULL, *defcontext = NULL;
329         const char *name;
330         u32 sid;
331         int alloc = 0, rc = 0, seen = 0;
332         struct task_security_struct *tsec = current->security;
333         struct superblock_security_struct *sbsec = sb->s_security;
334
335         if (!data)
336                 goto out;
337
338         name = sb->s_type->name;
339
340         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
341
342                 /* NFS we understand. */
343                 if (!strcmp(name, "nfs")) {
344                         struct nfs_mount_data *d = data;
345
346                         if (d->version <  NFS_MOUNT_VERSION)
347                                 goto out;
348
349                         if (d->context[0]) {
350                                 context = d->context;
351                                 seen |= Opt_context;
352                         }
353                 } else
354                         goto out;
355
356         } else {
357                 /* Standard string-based options. */
358                 char *p, *options = data;
359
360                 while ((p = strsep(&options, ",")) != NULL) {
361                         int token;
362                         substring_t args[MAX_OPT_ARGS];
363
364                         if (!*p)
365                                 continue;
366
367                         token = match_token(p, tokens, args);
368
369                         switch (token) {
370                         case Opt_context:
371                                 if (seen) {
372                                         rc = -EINVAL;
373                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
374                                         goto out_free;
375                                 }
376                                 context = match_strdup(&args[0]);
377                                 if (!context) {
378                                         rc = -ENOMEM;
379                                         goto out_free;
380                                 }
381                                 if (!alloc)
382                                         alloc = 1;
383                                 seen |= Opt_context;
384                                 break;
385
386                         case Opt_fscontext:
387                                 if (seen & (Opt_context|Opt_fscontext)) {
388                                         rc = -EINVAL;
389                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
390                                         goto out_free;
391                                 }
392                                 context = match_strdup(&args[0]);
393                                 if (!context) {
394                                         rc = -ENOMEM;
395                                         goto out_free;
396                                 }
397                                 if (!alloc)
398                                         alloc = 1;
399                                 seen |= Opt_fscontext;
400                                 break;
401
402                         case Opt_defcontext:
403                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
404                                         rc = -EINVAL;
405                                         printk(KERN_WARNING "SELinux:  "
406                                                "defcontext option is invalid "
407                                                "for this filesystem type\n");
408                                         goto out_free;
409                                 }
410                                 if (seen & (Opt_context|Opt_defcontext)) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
413                                         goto out_free;
414                                 }
415                                 defcontext = match_strdup(&args[0]);
416                                 if (!defcontext) {
417                                         rc = -ENOMEM;
418                                         goto out_free;
419                                 }
420                                 if (!alloc)
421                                         alloc = 1;
422                                 seen |= Opt_defcontext;
423                                 break;
424
425                         default:
426                                 rc = -EINVAL;
427                                 printk(KERN_WARNING "SELinux:  unknown mount "
428                                        "option\n");
429                                 goto out_free;
430
431                         }
432                 }
433         }
434
435         if (!seen)
436                 goto out;
437
438         if (context) {
439                 rc = security_context_to_sid(context, strlen(context), &sid);
440                 if (rc) {
441                         printk(KERN_WARNING "SELinux: security_context_to_sid"
442                                "(%s) failed for (dev %s, type %s) errno=%d\n",
443                                context, sb->s_id, name, rc);
444                         goto out_free;
445                 }
446
447                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
448                                   FILESYSTEM__RELABELFROM, NULL);
449                 if (rc)
450                         goto out_free;
451
452                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
453                                   FILESYSTEM__RELABELTO, NULL);
454                 if (rc)
455                         goto out_free;
456
457                 sbsec->sid = sid;
458
459                 if (seen & Opt_context)
460                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
461         }
462
463         if (defcontext) {
464                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
465                 if (rc) {
466                         printk(KERN_WARNING "SELinux: security_context_to_sid"
467                                "(%s) failed for (dev %s, type %s) errno=%d\n",
468                                defcontext, sb->s_id, name, rc);
469                         goto out_free;
470                 }
471
472                 if (sid == sbsec->def_sid)
473                         goto out_free;
474
475                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
476                                   FILESYSTEM__RELABELFROM, NULL);
477                 if (rc)
478                         goto out_free;
479
480                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
481                                   FILESYSTEM__ASSOCIATE, NULL);
482                 if (rc)
483                         goto out_free;
484
485                 sbsec->def_sid = sid;
486         }
487
488 out_free:
489         if (alloc) {
490                 kfree(context);
491                 kfree(defcontext);
492         }
493 out:
494         return rc;
495 }
496
497 static int superblock_doinit(struct super_block *sb, void *data)
498 {
499         struct superblock_security_struct *sbsec = sb->s_security;
500         struct dentry *root = sb->s_root;
501         struct inode *inode = root->d_inode;
502         int rc = 0;
503
504         down(&sbsec->sem);
505         if (sbsec->initialized)
506                 goto out;
507
508         if (!ss_initialized) {
509                 /* Defer initialization until selinux_complete_init,
510                    after the initial policy is loaded and the security
511                    server is ready to handle calls. */
512                 spin_lock(&sb_security_lock);
513                 if (list_empty(&sbsec->list))
514                         list_add(&sbsec->list, &superblock_security_head);
515                 spin_unlock(&sb_security_lock);
516                 goto out;
517         }
518
519         /* Determine the labeling behavior to use for this filesystem type. */
520         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
521         if (rc) {
522                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
523                        __FUNCTION__, sb->s_type->name, rc);
524                 goto out;
525         }
526
527         rc = try_context_mount(sb, data);
528         if (rc)
529                 goto out;
530
531         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
532                 /* Make sure that the xattr handler exists and that no
533                    error other than -ENODATA is returned by getxattr on
534                    the root directory.  -ENODATA is ok, as this may be
535                    the first boot of the SELinux kernel before we have
536                    assigned xattr values to the filesystem. */
537                 if (!inode->i_op->getxattr) {
538                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
539                                "xattr support\n", sb->s_id, sb->s_type->name);
540                         rc = -EOPNOTSUPP;
541                         goto out;
542                 }
543                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
544                 if (rc < 0 && rc != -ENODATA) {
545                         if (rc == -EOPNOTSUPP)
546                                 printk(KERN_WARNING "SELinux: (dev %s, type "
547                                        "%s) has no security xattr handler\n",
548                                        sb->s_id, sb->s_type->name);
549                         else
550                                 printk(KERN_WARNING "SELinux: (dev %s, type "
551                                        "%s) getxattr errno %d\n", sb->s_id,
552                                        sb->s_type->name, -rc);
553                         goto out;
554                 }
555         }
556
557         if (strcmp(sb->s_type->name, "proc") == 0)
558                 sbsec->proc = 1;
559
560         sbsec->initialized = 1;
561
562         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
563                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
564                        sb->s_id, sb->s_type->name);
565         }
566         else {
567                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
568                        sb->s_id, sb->s_type->name,
569                        labeling_behaviors[sbsec->behavior-1]);
570         }
571
572         /* Initialize the root inode. */
573         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
574
575         /* Initialize any other inodes associated with the superblock, e.g.
576            inodes created prior to initial policy load or inodes created
577            during get_sb by a pseudo filesystem that directly
578            populates itself. */
579         spin_lock(&sbsec->isec_lock);
580 next_inode:
581         if (!list_empty(&sbsec->isec_head)) {
582                 struct inode_security_struct *isec =
583                                 list_entry(sbsec->isec_head.next,
584                                            struct inode_security_struct, list);
585                 struct inode *inode = isec->inode;
586                 spin_unlock(&sbsec->isec_lock);
587                 inode = igrab(inode);
588                 if (inode) {
589                         if (!IS_PRIVATE (inode))
590                                 inode_doinit(inode);
591                         iput(inode);
592                 }
593                 spin_lock(&sbsec->isec_lock);
594                 list_del_init(&isec->list);
595                 goto next_inode;
596         }
597         spin_unlock(&sbsec->isec_lock);
598 out:
599         up(&sbsec->sem);
600         return rc;
601 }
602
603 static inline u16 inode_mode_to_security_class(umode_t mode)
604 {
605         switch (mode & S_IFMT) {
606         case S_IFSOCK:
607                 return SECCLASS_SOCK_FILE;
608         case S_IFLNK:
609                 return SECCLASS_LNK_FILE;
610         case S_IFREG:
611                 return SECCLASS_FILE;
612         case S_IFBLK:
613                 return SECCLASS_BLK_FILE;
614         case S_IFDIR:
615                 return SECCLASS_DIR;
616         case S_IFCHR:
617                 return SECCLASS_CHR_FILE;
618         case S_IFIFO:
619                 return SECCLASS_FIFO_FILE;
620
621         }
622
623         return SECCLASS_FILE;
624 }
625
626 static inline int default_protocol_stream(int protocol)
627 {
628         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
629 }
630
631 static inline int default_protocol_dgram(int protocol)
632 {
633         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
634 }
635
636 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
637 {
638         switch (family) {
639         case PF_UNIX:
640                 switch (type) {
641                 case SOCK_STREAM:
642                 case SOCK_SEQPACKET:
643                         return SECCLASS_UNIX_STREAM_SOCKET;
644                 case SOCK_DGRAM:
645                         return SECCLASS_UNIX_DGRAM_SOCKET;
646                 }
647                 break;
648         case PF_INET:
649         case PF_INET6:
650                 switch (type) {
651                 case SOCK_STREAM:
652                         if (default_protocol_stream(protocol))
653                                 return SECCLASS_TCP_SOCKET;
654                         else
655                                 return SECCLASS_RAWIP_SOCKET;
656                 case SOCK_DGRAM:
657                         if (default_protocol_dgram(protocol))
658                                 return SECCLASS_UDP_SOCKET;
659                         else
660                                 return SECCLASS_RAWIP_SOCKET;
661                 default:
662                         return SECCLASS_RAWIP_SOCKET;
663                 }
664                 break;
665         case PF_NETLINK:
666                 switch (protocol) {
667                 case NETLINK_ROUTE:
668                         return SECCLASS_NETLINK_ROUTE_SOCKET;
669                 case NETLINK_FIREWALL:
670                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
671                 case NETLINK_INET_DIAG:
672                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
673                 case NETLINK_NFLOG:
674                         return SECCLASS_NETLINK_NFLOG_SOCKET;
675                 case NETLINK_XFRM:
676                         return SECCLASS_NETLINK_XFRM_SOCKET;
677                 case NETLINK_SELINUX:
678                         return SECCLASS_NETLINK_SELINUX_SOCKET;
679                 case NETLINK_AUDIT:
680                         return SECCLASS_NETLINK_AUDIT_SOCKET;
681                 case NETLINK_IP6_FW:
682                         return SECCLASS_NETLINK_IP6FW_SOCKET;
683                 case NETLINK_DNRTMSG:
684                         return SECCLASS_NETLINK_DNRT_SOCKET;
685                 case NETLINK_KOBJECT_UEVENT:
686                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
687                 default:
688                         return SECCLASS_NETLINK_SOCKET;
689                 }
690         case PF_PACKET:
691                 return SECCLASS_PACKET_SOCKET;
692         case PF_KEY:
693                 return SECCLASS_KEY_SOCKET;
694         }
695
696         return SECCLASS_SOCKET;
697 }
698
699 #ifdef CONFIG_PROC_FS
700 static int selinux_proc_get_sid(struct proc_dir_entry *de,
701                                 u16 tclass,
702                                 u32 *sid)
703 {
704         int buflen, rc;
705         char *buffer, *path, *end;
706
707         buffer = (char*)__get_free_page(GFP_KERNEL);
708         if (!buffer)
709                 return -ENOMEM;
710
711         buflen = PAGE_SIZE;
712         end = buffer+buflen;
713         *--end = '\0';
714         buflen--;
715         path = end-1;
716         *path = '/';
717         while (de && de != de->parent) {
718                 buflen -= de->namelen + 1;
719                 if (buflen < 0)
720                         break;
721                 end -= de->namelen;
722                 memcpy(end, de->name, de->namelen);
723                 *--end = '/';
724                 path = end;
725                 de = de->parent;
726         }
727         rc = security_genfs_sid("proc", path, tclass, sid);
728         free_page((unsigned long)buffer);
729         return rc;
730 }
731 #else
732 static int selinux_proc_get_sid(struct proc_dir_entry *de,
733                                 u16 tclass,
734                                 u32 *sid)
735 {
736         return -EINVAL;
737 }
738 #endif
739
740 /* The inode's security attributes must be initialized before first use. */
741 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
742 {
743         struct superblock_security_struct *sbsec = NULL;
744         struct inode_security_struct *isec = inode->i_security;
745         u32 sid;
746         struct dentry *dentry;
747 #define INITCONTEXTLEN 255
748         char *context = NULL;
749         unsigned len = 0;
750         int rc = 0;
751         int hold_sem = 0;
752
753         if (isec->initialized)
754                 goto out;
755
756         down(&isec->sem);
757         hold_sem = 1;
758         if (isec->initialized)
759                 goto out;
760
761         sbsec = inode->i_sb->s_security;
762         if (!sbsec->initialized) {
763                 /* Defer initialization until selinux_complete_init,
764                    after the initial policy is loaded and the security
765                    server is ready to handle calls. */
766                 spin_lock(&sbsec->isec_lock);
767                 if (list_empty(&isec->list))
768                         list_add(&isec->list, &sbsec->isec_head);
769                 spin_unlock(&sbsec->isec_lock);
770                 goto out;
771         }
772
773         switch (sbsec->behavior) {
774         case SECURITY_FS_USE_XATTR:
775                 if (!inode->i_op->getxattr) {
776                         isec->sid = sbsec->def_sid;
777                         break;
778                 }
779
780                 /* Need a dentry, since the xattr API requires one.
781                    Life would be simpler if we could just pass the inode. */
782                 if (opt_dentry) {
783                         /* Called from d_instantiate or d_splice_alias. */
784                         dentry = dget(opt_dentry);
785                 } else {
786                         /* Called from selinux_complete_init, try to find a dentry. */
787                         dentry = d_find_alias(inode);
788                 }
789                 if (!dentry) {
790                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
791                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
792                                inode->i_ino);
793                         goto out;
794                 }
795
796                 len = INITCONTEXTLEN;
797                 context = kmalloc(len, GFP_KERNEL);
798                 if (!context) {
799                         rc = -ENOMEM;
800                         dput(dentry);
801                         goto out;
802                 }
803                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
804                                            context, len);
805                 if (rc == -ERANGE) {
806                         /* Need a larger buffer.  Query for the right size. */
807                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
808                                                    NULL, 0);
809                         if (rc < 0) {
810                                 dput(dentry);
811                                 goto out;
812                         }
813                         kfree(context);
814                         len = rc;
815                         context = kmalloc(len, GFP_KERNEL);
816                         if (!context) {
817                                 rc = -ENOMEM;
818                                 dput(dentry);
819                                 goto out;
820                         }
821                         rc = inode->i_op->getxattr(dentry,
822                                                    XATTR_NAME_SELINUX,
823                                                    context, len);
824                 }
825                 dput(dentry);
826                 if (rc < 0) {
827                         if (rc != -ENODATA) {
828                                 printk(KERN_WARNING "%s:  getxattr returned "
829                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
830                                        -rc, inode->i_sb->s_id, inode->i_ino);
831                                 kfree(context);
832                                 goto out;
833                         }
834                         /* Map ENODATA to the default file SID */
835                         sid = sbsec->def_sid;
836                         rc = 0;
837                 } else {
838                         rc = security_context_to_sid_default(context, rc, &sid,
839                                                              sbsec->def_sid);
840                         if (rc) {
841                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
842                                        "returned %d for dev=%s ino=%ld\n",
843                                        __FUNCTION__, context, -rc,
844                                        inode->i_sb->s_id, inode->i_ino);
845                                 kfree(context);
846                                 /* Leave with the unlabeled SID */
847                                 rc = 0;
848                                 break;
849                         }
850                 }
851                 kfree(context);
852                 isec->sid = sid;
853                 break;
854         case SECURITY_FS_USE_TASK:
855                 isec->sid = isec->task_sid;
856                 break;
857         case SECURITY_FS_USE_TRANS:
858                 /* Default to the fs SID. */
859                 isec->sid = sbsec->sid;
860
861                 /* Try to obtain a transition SID. */
862                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
863                 rc = security_transition_sid(isec->task_sid,
864                                              sbsec->sid,
865                                              isec->sclass,
866                                              &sid);
867                 if (rc)
868                         goto out;
869                 isec->sid = sid;
870                 break;
871         default:
872                 /* Default to the fs SID. */
873                 isec->sid = sbsec->sid;
874
875                 if (sbsec->proc) {
876                         struct proc_inode *proci = PROC_I(inode);
877                         if (proci->pde) {
878                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
879                                 rc = selinux_proc_get_sid(proci->pde,
880                                                           isec->sclass,
881                                                           &sid);
882                                 if (rc)
883                                         goto out;
884                                 isec->sid = sid;
885                         }
886                 }
887                 break;
888         }
889
890         isec->initialized = 1;
891
892 out:
893         if (isec->sclass == SECCLASS_FILE)
894                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
895
896         if (hold_sem)
897                 up(&isec->sem);
898         return rc;
899 }
900
901 /* Convert a Linux signal to an access vector. */
902 static inline u32 signal_to_av(int sig)
903 {
904         u32 perm = 0;
905
906         switch (sig) {
907         case SIGCHLD:
908                 /* Commonly granted from child to parent. */
909                 perm = PROCESS__SIGCHLD;
910                 break;
911         case SIGKILL:
912                 /* Cannot be caught or ignored */
913                 perm = PROCESS__SIGKILL;
914                 break;
915         case SIGSTOP:
916                 /* Cannot be caught or ignored */
917                 perm = PROCESS__SIGSTOP;
918                 break;
919         default:
920                 /* All other signals. */
921                 perm = PROCESS__SIGNAL;
922                 break;
923         }
924
925         return perm;
926 }
927
928 /* Check permission betweeen a pair of tasks, e.g. signal checks,
929    fork check, ptrace check, etc. */
930 static int task_has_perm(struct task_struct *tsk1,
931                          struct task_struct *tsk2,
932                          u32 perms)
933 {
934         struct task_security_struct *tsec1, *tsec2;
935
936         tsec1 = tsk1->security;
937         tsec2 = tsk2->security;
938         return avc_has_perm(tsec1->sid, tsec2->sid,
939                             SECCLASS_PROCESS, perms, NULL);
940 }
941
942 /* Check whether a task is allowed to use a capability. */
943 static int task_has_capability(struct task_struct *tsk,
944                                int cap)
945 {
946         struct task_security_struct *tsec;
947         struct avc_audit_data ad;
948
949         tsec = tsk->security;
950
951         AVC_AUDIT_DATA_INIT(&ad,CAP);
952         ad.tsk = tsk;
953         ad.u.cap = cap;
954
955         return avc_has_perm(tsec->sid, tsec->sid,
956                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
957 }
958
959 /* Check whether a task is allowed to use a system operation. */
960 static int task_has_system(struct task_struct *tsk,
961                            u32 perms)
962 {
963         struct task_security_struct *tsec;
964
965         tsec = tsk->security;
966
967         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
968                             SECCLASS_SYSTEM, perms, NULL);
969 }
970
971 /* Check whether a task has a particular permission to an inode.
972    The 'adp' parameter is optional and allows other audit
973    data to be passed (e.g. the dentry). */
974 static int inode_has_perm(struct task_struct *tsk,
975                           struct inode *inode,
976                           u32 perms,
977                           struct avc_audit_data *adp)
978 {
979         struct task_security_struct *tsec;
980         struct inode_security_struct *isec;
981         struct avc_audit_data ad;
982
983         tsec = tsk->security;
984         isec = inode->i_security;
985
986         if (!adp) {
987                 adp = &ad;
988                 AVC_AUDIT_DATA_INIT(&ad, FS);
989                 ad.u.fs.inode = inode;
990         }
991
992         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
993 }
994
995 /* Same as inode_has_perm, but pass explicit audit data containing
996    the dentry to help the auditing code to more easily generate the
997    pathname if needed. */
998 static inline int dentry_has_perm(struct task_struct *tsk,
999                                   struct vfsmount *mnt,
1000                                   struct dentry *dentry,
1001                                   u32 av)
1002 {
1003         struct inode *inode = dentry->d_inode;
1004         struct avc_audit_data ad;
1005         AVC_AUDIT_DATA_INIT(&ad,FS);
1006         ad.u.fs.mnt = mnt;
1007         ad.u.fs.dentry = dentry;
1008         return inode_has_perm(tsk, inode, av, &ad);
1009 }
1010
1011 /* Check whether a task can use an open file descriptor to
1012    access an inode in a given way.  Check access to the
1013    descriptor itself, and then use dentry_has_perm to
1014    check a particular permission to the file.
1015    Access to the descriptor is implicitly granted if it
1016    has the same SID as the process.  If av is zero, then
1017    access to the file is not checked, e.g. for cases
1018    where only the descriptor is affected like seek. */
1019 static int file_has_perm(struct task_struct *tsk,
1020                                 struct file *file,
1021                                 u32 av)
1022 {
1023         struct task_security_struct *tsec = tsk->security;
1024         struct file_security_struct *fsec = file->f_security;
1025         struct vfsmount *mnt = file->f_vfsmnt;
1026         struct dentry *dentry = file->f_dentry;
1027         struct inode *inode = dentry->d_inode;
1028         struct avc_audit_data ad;
1029         int rc;
1030
1031         AVC_AUDIT_DATA_INIT(&ad, FS);
1032         ad.u.fs.mnt = mnt;
1033         ad.u.fs.dentry = dentry;
1034
1035         if (tsec->sid != fsec->sid) {
1036                 rc = avc_has_perm(tsec->sid, fsec->sid,
1037                                   SECCLASS_FD,
1038                                   FD__USE,
1039                                   &ad);
1040                 if (rc)
1041                         return rc;
1042         }
1043
1044         /* av is zero if only checking access to the descriptor. */
1045         if (av)
1046                 return inode_has_perm(tsk, inode, av, &ad);
1047
1048         return 0;
1049 }
1050
1051 /* Check whether a task can create a file. */
1052 static int may_create(struct inode *dir,
1053                       struct dentry *dentry,
1054                       u16 tclass)
1055 {
1056         struct task_security_struct *tsec;
1057         struct inode_security_struct *dsec;
1058         struct superblock_security_struct *sbsec;
1059         u32 newsid;
1060         struct avc_audit_data ad;
1061         int rc;
1062
1063         tsec = current->security;
1064         dsec = dir->i_security;
1065         sbsec = dir->i_sb->s_security;
1066
1067         AVC_AUDIT_DATA_INIT(&ad, FS);
1068         ad.u.fs.dentry = dentry;
1069
1070         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1071                           DIR__ADD_NAME | DIR__SEARCH,
1072                           &ad);
1073         if (rc)
1074                 return rc;
1075
1076         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1077                 newsid = tsec->create_sid;
1078         } else {
1079                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1080                                              &newsid);
1081                 if (rc)
1082                         return rc;
1083         }
1084
1085         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1086         if (rc)
1087                 return rc;
1088
1089         return avc_has_perm(newsid, sbsec->sid,
1090                             SECCLASS_FILESYSTEM,
1091                             FILESYSTEM__ASSOCIATE, &ad);
1092 }
1093
1094 #define MAY_LINK   0
1095 #define MAY_UNLINK 1
1096 #define MAY_RMDIR  2
1097
1098 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1099 static int may_link(struct inode *dir,
1100                     struct dentry *dentry,
1101                     int kind)
1102
1103 {
1104         struct task_security_struct *tsec;
1105         struct inode_security_struct *dsec, *isec;
1106         struct avc_audit_data ad;
1107         u32 av;
1108         int rc;
1109
1110         tsec = current->security;
1111         dsec = dir->i_security;
1112         isec = dentry->d_inode->i_security;
1113
1114         AVC_AUDIT_DATA_INIT(&ad, FS);
1115         ad.u.fs.dentry = dentry;
1116
1117         av = DIR__SEARCH;
1118         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1119         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1120         if (rc)
1121                 return rc;
1122
1123         switch (kind) {
1124         case MAY_LINK:
1125                 av = FILE__LINK;
1126                 break;
1127         case MAY_UNLINK:
1128                 av = FILE__UNLINK;
1129                 break;
1130         case MAY_RMDIR:
1131                 av = DIR__RMDIR;
1132                 break;
1133         default:
1134                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1135                 return 0;
1136         }
1137
1138         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1139         return rc;
1140 }
1141
1142 static inline int may_rename(struct inode *old_dir,
1143                              struct dentry *old_dentry,
1144                              struct inode *new_dir,
1145                              struct dentry *new_dentry)
1146 {
1147         struct task_security_struct *tsec;
1148         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1149         struct avc_audit_data ad;
1150         u32 av;
1151         int old_is_dir, new_is_dir;
1152         int rc;
1153
1154         tsec = current->security;
1155         old_dsec = old_dir->i_security;
1156         old_isec = old_dentry->d_inode->i_security;
1157         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1158         new_dsec = new_dir->i_security;
1159
1160         AVC_AUDIT_DATA_INIT(&ad, FS);
1161
1162         ad.u.fs.dentry = old_dentry;
1163         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1164                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1165         if (rc)
1166                 return rc;
1167         rc = avc_has_perm(tsec->sid, old_isec->sid,
1168                           old_isec->sclass, FILE__RENAME, &ad);
1169         if (rc)
1170                 return rc;
1171         if (old_is_dir && new_dir != old_dir) {
1172                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1173                                   old_isec->sclass, DIR__REPARENT, &ad);
1174                 if (rc)
1175                         return rc;
1176         }
1177
1178         ad.u.fs.dentry = new_dentry;
1179         av = DIR__ADD_NAME | DIR__SEARCH;
1180         if (new_dentry->d_inode)
1181                 av |= DIR__REMOVE_NAME;
1182         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1183         if (rc)
1184                 return rc;
1185         if (new_dentry->d_inode) {
1186                 new_isec = new_dentry->d_inode->i_security;
1187                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1188                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1189                                   new_isec->sclass,
1190                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1191                 if (rc)
1192                         return rc;
1193         }
1194
1195         return 0;
1196 }
1197
1198 /* Check whether a task can perform a filesystem operation. */
1199 static int superblock_has_perm(struct task_struct *tsk,
1200                                struct super_block *sb,
1201                                u32 perms,
1202                                struct avc_audit_data *ad)
1203 {
1204         struct task_security_struct *tsec;
1205         struct superblock_security_struct *sbsec;
1206
1207         tsec = tsk->security;
1208         sbsec = sb->s_security;
1209         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1210                             perms, ad);
1211 }
1212
1213 /* Convert a Linux mode and permission mask to an access vector. */
1214 static inline u32 file_mask_to_av(int mode, int mask)
1215 {
1216         u32 av = 0;
1217
1218         if ((mode & S_IFMT) != S_IFDIR) {
1219                 if (mask & MAY_EXEC)
1220                         av |= FILE__EXECUTE;
1221                 if (mask & MAY_READ)
1222                         av |= FILE__READ;
1223
1224                 if (mask & MAY_APPEND)
1225                         av |= FILE__APPEND;
1226                 else if (mask & MAY_WRITE)
1227                         av |= FILE__WRITE;
1228
1229         } else {
1230                 if (mask & MAY_EXEC)
1231                         av |= DIR__SEARCH;
1232                 if (mask & MAY_WRITE)
1233                         av |= DIR__WRITE;
1234                 if (mask & MAY_READ)
1235                         av |= DIR__READ;
1236         }
1237
1238         return av;
1239 }
1240
1241 /* Convert a Linux file to an access vector. */
1242 static inline u32 file_to_av(struct file *file)
1243 {
1244         u32 av = 0;
1245
1246         if (file->f_mode & FMODE_READ)
1247                 av |= FILE__READ;
1248         if (file->f_mode & FMODE_WRITE) {
1249                 if (file->f_flags & O_APPEND)
1250                         av |= FILE__APPEND;
1251                 else
1252                         av |= FILE__WRITE;
1253         }
1254
1255         return av;
1256 }
1257
1258 /* Set an inode's SID to a specified value. */
1259 static int inode_security_set_sid(struct inode *inode, u32 sid)
1260 {
1261         struct inode_security_struct *isec = inode->i_security;
1262         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1263
1264         if (!sbsec->initialized) {
1265                 /* Defer initialization to selinux_complete_init. */
1266                 return 0;
1267         }
1268
1269         down(&isec->sem);
1270         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1271         isec->sid = sid;
1272         isec->initialized = 1;
1273         up(&isec->sem);
1274         return 0;
1275 }
1276
1277 /* Hook functions begin here. */
1278
1279 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1280 {
1281         struct task_security_struct *psec = parent->security;
1282         struct task_security_struct *csec = child->security;
1283         int rc;
1284
1285         rc = secondary_ops->ptrace(parent,child);
1286         if (rc)
1287                 return rc;
1288
1289         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1290         /* Save the SID of the tracing process for later use in apply_creds. */
1291         if (!(child->ptrace & PT_PTRACED) && !rc)
1292                 csec->ptrace_sid = psec->sid;
1293         return rc;
1294 }
1295
1296 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1297                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1298 {
1299         int error;
1300
1301         error = task_has_perm(current, target, PROCESS__GETCAP);
1302         if (error)
1303                 return error;
1304
1305         return secondary_ops->capget(target, effective, inheritable, permitted);
1306 }
1307
1308 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1309                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1310 {
1311         int error;
1312
1313         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1314         if (error)
1315                 return error;
1316
1317         return task_has_perm(current, target, PROCESS__SETCAP);
1318 }
1319
1320 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1321                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1322 {
1323         secondary_ops->capset_set(target, effective, inheritable, permitted);
1324 }
1325
1326 static int selinux_capable(struct task_struct *tsk, int cap)
1327 {
1328         int rc;
1329
1330         rc = secondary_ops->capable(tsk, cap);
1331         if (rc)
1332                 return rc;
1333
1334         return task_has_capability(tsk,cap);
1335 }
1336
1337 static int selinux_sysctl(ctl_table *table, int op)
1338 {
1339         int error = 0;
1340         u32 av;
1341         struct task_security_struct *tsec;
1342         u32 tsid;
1343         int rc;
1344
1345         rc = secondary_ops->sysctl(table, op);
1346         if (rc)
1347                 return rc;
1348
1349         tsec = current->security;
1350
1351         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1352                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1353         if (rc) {
1354                 /* Default to the well-defined sysctl SID. */
1355                 tsid = SECINITSID_SYSCTL;
1356         }
1357
1358         /* The op values are "defined" in sysctl.c, thereby creating
1359          * a bad coupling between this module and sysctl.c */
1360         if(op == 001) {
1361                 error = avc_has_perm(tsec->sid, tsid,
1362                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1363         } else {
1364                 av = 0;
1365                 if (op & 004)
1366                         av |= FILE__READ;
1367                 if (op & 002)
1368                         av |= FILE__WRITE;
1369                 if (av)
1370                         error = avc_has_perm(tsec->sid, tsid,
1371                                              SECCLASS_FILE, av, NULL);
1372         }
1373
1374         return error;
1375 }
1376
1377 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1378 {
1379         int rc = 0;
1380
1381         if (!sb)
1382                 return 0;
1383
1384         switch (cmds) {
1385                 case Q_SYNC:
1386                 case Q_QUOTAON:
1387                 case Q_QUOTAOFF:
1388                 case Q_SETINFO:
1389                 case Q_SETQUOTA:
1390                         rc = superblock_has_perm(current,
1391                                                  sb,
1392                                                  FILESYSTEM__QUOTAMOD, NULL);
1393                         break;
1394                 case Q_GETFMT:
1395                 case Q_GETINFO:
1396                 case Q_GETQUOTA:
1397                         rc = superblock_has_perm(current,
1398                                                  sb,
1399                                                  FILESYSTEM__QUOTAGET, NULL);
1400                         break;
1401                 default:
1402                         rc = 0;  /* let the kernel handle invalid cmds */
1403                         break;
1404         }
1405         return rc;
1406 }
1407
1408 static int selinux_quota_on(struct dentry *dentry)
1409 {
1410         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1411 }
1412
1413 static int selinux_syslog(int type)
1414 {
1415         int rc;
1416
1417         rc = secondary_ops->syslog(type);
1418         if (rc)
1419                 return rc;
1420
1421         switch (type) {
1422                 case 3:         /* Read last kernel messages */
1423                 case 10:        /* Return size of the log buffer */
1424                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1425                         break;
1426                 case 6:         /* Disable logging to console */
1427                 case 7:         /* Enable logging to console */
1428                 case 8:         /* Set level of messages printed to console */
1429                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1430                         break;
1431                 case 0:         /* Close log */
1432                 case 1:         /* Open log */
1433                 case 2:         /* Read from log */
1434                 case 4:         /* Read/clear last kernel messages */
1435                 case 5:         /* Clear ring buffer */
1436                 default:
1437                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1438                         break;
1439         }
1440         return rc;
1441 }
1442
1443 /*
1444  * Check that a process has enough memory to allocate a new virtual
1445  * mapping. 0 means there is enough memory for the allocation to
1446  * succeed and -ENOMEM implies there is not.
1447  *
1448  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1449  * if the capability is granted, but __vm_enough_memory requires 1 if
1450  * the capability is granted.
1451  *
1452  * Do not audit the selinux permission check, as this is applied to all
1453  * processes that allocate mappings.
1454  */
1455 static int selinux_vm_enough_memory(long pages)
1456 {
1457         int rc, cap_sys_admin = 0;
1458         struct task_security_struct *tsec = current->security;
1459
1460         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1461         if (rc == 0)
1462                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1463                                         SECCLASS_CAPABILITY,
1464                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1465                                         NULL);
1466
1467         if (rc == 0)
1468                 cap_sys_admin = 1;
1469
1470         return __vm_enough_memory(pages, cap_sys_admin);
1471 }
1472
1473 /* binprm security operations */
1474
1475 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1476 {
1477         struct bprm_security_struct *bsec;
1478
1479         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1480         if (!bsec)
1481                 return -ENOMEM;
1482
1483         bsec->bprm = bprm;
1484         bsec->sid = SECINITSID_UNLABELED;
1485         bsec->set = 0;
1486
1487         bprm->security = bsec;
1488         return 0;
1489 }
1490
1491 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1492 {
1493         struct task_security_struct *tsec;
1494         struct inode *inode = bprm->file->f_dentry->d_inode;
1495         struct inode_security_struct *isec;
1496         struct bprm_security_struct *bsec;
1497         u32 newsid;
1498         struct avc_audit_data ad;
1499         int rc;
1500
1501         rc = secondary_ops->bprm_set_security(bprm);
1502         if (rc)
1503                 return rc;
1504
1505         bsec = bprm->security;
1506
1507         if (bsec->set)
1508                 return 0;
1509
1510         tsec = current->security;
1511         isec = inode->i_security;
1512
1513         /* Default to the current task SID. */
1514         bsec->sid = tsec->sid;
1515
1516         /* Reset create SID on execve. */
1517         tsec->create_sid = 0;
1518
1519         if (tsec->exec_sid) {
1520                 newsid = tsec->exec_sid;
1521                 /* Reset exec SID on execve. */
1522                 tsec->exec_sid = 0;
1523         } else {
1524                 /* Check for a default transition on this program. */
1525                 rc = security_transition_sid(tsec->sid, isec->sid,
1526                                              SECCLASS_PROCESS, &newsid);
1527                 if (rc)
1528                         return rc;
1529         }
1530
1531         AVC_AUDIT_DATA_INIT(&ad, FS);
1532         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1533         ad.u.fs.dentry = bprm->file->f_dentry;
1534
1535         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1536                 newsid = tsec->sid;
1537
1538         if (tsec->sid == newsid) {
1539                 rc = avc_has_perm(tsec->sid, isec->sid,
1540                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1541                 if (rc)
1542                         return rc;
1543         } else {
1544                 /* Check permissions for the transition. */
1545                 rc = avc_has_perm(tsec->sid, newsid,
1546                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1547                 if (rc)
1548                         return rc;
1549
1550                 rc = avc_has_perm(newsid, isec->sid,
1551                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1552                 if (rc)
1553                         return rc;
1554
1555                 /* Clear any possibly unsafe personality bits on exec: */
1556                 current->personality &= ~PER_CLEAR_ON_SETID;
1557
1558                 /* Set the security field to the new SID. */
1559                 bsec->sid = newsid;
1560         }
1561
1562         bsec->set = 1;
1563         return 0;
1564 }
1565
1566 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1567 {
1568         return secondary_ops->bprm_check_security(bprm);
1569 }
1570
1571
1572 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1573 {
1574         struct task_security_struct *tsec = current->security;
1575         int atsecure = 0;
1576
1577         if (tsec->osid != tsec->sid) {
1578                 /* Enable secure mode for SIDs transitions unless
1579                    the noatsecure permission is granted between
1580                    the two SIDs, i.e. ahp returns 0. */
1581                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1582                                          SECCLASS_PROCESS,
1583                                          PROCESS__NOATSECURE, NULL);
1584         }
1585
1586         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1587 }
1588
1589 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1590 {
1591         kfree(bprm->security);
1592         bprm->security = NULL;
1593 }
1594
1595 extern struct vfsmount *selinuxfs_mount;
1596 extern struct dentry *selinux_null;
1597
1598 /* Derived from fs/exec.c:flush_old_files. */
1599 static inline void flush_unauthorized_files(struct files_struct * files)
1600 {
1601         struct avc_audit_data ad;
1602         struct file *file, *devnull = NULL;
1603         struct tty_struct *tty = current->signal->tty;
1604         struct fdtable *fdt;
1605         long j = -1;
1606
1607         if (tty) {
1608                 file_list_lock();
1609                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1610                 if (file) {
1611                         /* Revalidate access to controlling tty.
1612                            Use inode_has_perm on the tty inode directly rather
1613                            than using file_has_perm, as this particular open
1614                            file may belong to another process and we are only
1615                            interested in the inode-based check here. */
1616                         struct inode *inode = file->f_dentry->d_inode;
1617                         if (inode_has_perm(current, inode,
1618                                            FILE__READ | FILE__WRITE, NULL)) {
1619                                 /* Reset controlling tty. */
1620                                 current->signal->tty = NULL;
1621                                 current->signal->tty_old_pgrp = 0;
1622                         }
1623                 }
1624                 file_list_unlock();
1625         }
1626
1627         /* Revalidate access to inherited open files. */
1628
1629         AVC_AUDIT_DATA_INIT(&ad,FS);
1630
1631         spin_lock(&files->file_lock);
1632         for (;;) {
1633                 unsigned long set, i;
1634                 int fd;
1635
1636                 j++;
1637                 i = j * __NFDBITS;
1638                 fdt = files_fdtable(files);
1639                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1640                         break;
1641                 set = fdt->open_fds->fds_bits[j];
1642                 if (!set)
1643                         continue;
1644                 spin_unlock(&files->file_lock);
1645                 for ( ; set ; i++,set >>= 1) {
1646                         if (set & 1) {
1647                                 file = fget(i);
1648                                 if (!file)
1649                                         continue;
1650                                 if (file_has_perm(current,
1651                                                   file,
1652                                                   file_to_av(file))) {
1653                                         sys_close(i);
1654                                         fd = get_unused_fd();
1655                                         if (fd != i) {
1656                                                 if (fd >= 0)
1657                                                         put_unused_fd(fd);
1658                                                 fput(file);
1659                                                 continue;
1660                                         }
1661                                         if (devnull) {
1662                                                 get_file(devnull);
1663                                         } else {
1664                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1665                                                 if (!devnull) {
1666                                                         put_unused_fd(fd);
1667                                                         fput(file);
1668                                                         continue;
1669                                                 }
1670                                         }
1671                                         fd_install(fd, devnull);
1672                                 }
1673                                 fput(file);
1674                         }
1675                 }
1676                 spin_lock(&files->file_lock);
1677
1678         }
1679         spin_unlock(&files->file_lock);
1680 }
1681
1682 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1683 {
1684         struct task_security_struct *tsec;
1685         struct bprm_security_struct *bsec;
1686         u32 sid;
1687         int rc;
1688
1689         secondary_ops->bprm_apply_creds(bprm, unsafe);
1690
1691         tsec = current->security;
1692
1693         bsec = bprm->security;
1694         sid = bsec->sid;
1695
1696         tsec->osid = tsec->sid;
1697         bsec->unsafe = 0;
1698         if (tsec->sid != sid) {
1699                 /* Check for shared state.  If not ok, leave SID
1700                    unchanged and kill. */
1701                 if (unsafe & LSM_UNSAFE_SHARE) {
1702                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1703                                         PROCESS__SHARE, NULL);
1704                         if (rc) {
1705                                 bsec->unsafe = 1;
1706                                 return;
1707                         }
1708                 }
1709
1710                 /* Check for ptracing, and update the task SID if ok.
1711                    Otherwise, leave SID unchanged and kill. */
1712                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1713                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1714                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1715                                           NULL);
1716                         if (rc) {
1717                                 bsec->unsafe = 1;
1718                                 return;
1719                         }
1720                 }
1721                 tsec->sid = sid;
1722         }
1723 }
1724
1725 /*
1726  * called after apply_creds without the task lock held
1727  */
1728 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1729 {
1730         struct task_security_struct *tsec;
1731         struct rlimit *rlim, *initrlim;
1732         struct itimerval itimer;
1733         struct bprm_security_struct *bsec;
1734         int rc, i;
1735
1736         tsec = current->security;
1737         bsec = bprm->security;
1738
1739         if (bsec->unsafe) {
1740                 force_sig_specific(SIGKILL, current);
1741                 return;
1742         }
1743         if (tsec->osid == tsec->sid)
1744                 return;
1745
1746         /* Close files for which the new task SID is not authorized. */
1747         flush_unauthorized_files(current->files);
1748
1749         /* Check whether the new SID can inherit signal state
1750            from the old SID.  If not, clear itimers to avoid
1751            subsequent signal generation and flush and unblock
1752            signals. This must occur _after_ the task SID has
1753           been updated so that any kill done after the flush
1754           will be checked against the new SID. */
1755         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1756                           PROCESS__SIGINH, NULL);
1757         if (rc) {
1758                 memset(&itimer, 0, sizeof itimer);
1759                 for (i = 0; i < 3; i++)
1760                         do_setitimer(i, &itimer, NULL);
1761                 flush_signals(current);
1762                 spin_lock_irq(&current->sighand->siglock);
1763                 flush_signal_handlers(current, 1);
1764                 sigemptyset(&current->blocked);
1765                 recalc_sigpending();
1766                 spin_unlock_irq(&current->sighand->siglock);
1767         }
1768
1769         /* Check whether the new SID can inherit resource limits
1770            from the old SID.  If not, reset all soft limits to
1771            the lower of the current task's hard limit and the init
1772            task's soft limit.  Note that the setting of hard limits
1773            (even to lower them) can be controlled by the setrlimit
1774            check. The inclusion of the init task's soft limit into
1775            the computation is to avoid resetting soft limits higher
1776            than the default soft limit for cases where the default
1777            is lower than the hard limit, e.g. RLIMIT_CORE or
1778            RLIMIT_STACK.*/
1779         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1780                           PROCESS__RLIMITINH, NULL);
1781         if (rc) {
1782                 for (i = 0; i < RLIM_NLIMITS; i++) {
1783                         rlim = current->signal->rlim + i;
1784                         initrlim = init_task.signal->rlim+i;
1785                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1786                 }
1787                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1788                         /*
1789                          * This will cause RLIMIT_CPU calculations
1790                          * to be refigured.
1791                          */
1792                         current->it_prof_expires = jiffies_to_cputime(1);
1793                 }
1794         }
1795
1796         /* Wake up the parent if it is waiting so that it can
1797            recheck wait permission to the new task SID. */
1798         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1799 }
1800
1801 /* superblock security operations */
1802
1803 static int selinux_sb_alloc_security(struct super_block *sb)
1804 {
1805         return superblock_alloc_security(sb);
1806 }
1807
1808 static void selinux_sb_free_security(struct super_block *sb)
1809 {
1810         superblock_free_security(sb);
1811 }
1812
1813 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1814 {
1815         if (plen > olen)
1816                 return 0;
1817
1818         return !memcmp(prefix, option, plen);
1819 }
1820
1821 static inline int selinux_option(char *option, int len)
1822 {
1823         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1824                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1825                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1826 }
1827
1828 static inline void take_option(char **to, char *from, int *first, int len)
1829 {
1830         if (!*first) {
1831                 **to = ',';
1832                 *to += 1;
1833         }
1834         else
1835                 *first = 0;
1836         memcpy(*to, from, len);
1837         *to += len;
1838 }
1839
1840 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1841 {
1842         int fnosec, fsec, rc = 0;
1843         char *in_save, *in_curr, *in_end;
1844         char *sec_curr, *nosec_save, *nosec;
1845
1846         in_curr = orig;
1847         sec_curr = copy;
1848
1849         /* Binary mount data: just copy */
1850         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1851                 copy_page(sec_curr, in_curr);
1852                 goto out;
1853         }
1854
1855         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1856         if (!nosec) {
1857                 rc = -ENOMEM;
1858                 goto out;
1859         }
1860
1861         nosec_save = nosec;
1862         fnosec = fsec = 1;
1863         in_save = in_end = orig;
1864
1865         do {
1866                 if (*in_end == ',' || *in_end == '\0') {
1867                         int len = in_end - in_curr;
1868
1869                         if (selinux_option(in_curr, len))
1870                                 take_option(&sec_curr, in_curr, &fsec, len);
1871                         else
1872                                 take_option(&nosec, in_curr, &fnosec, len);
1873
1874                         in_curr = in_end + 1;
1875                 }
1876         } while (*in_end++);
1877
1878         strcpy(in_save, nosec_save);
1879         free_page((unsigned long)nosec_save);
1880 out:
1881         return rc;
1882 }
1883
1884 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1885 {
1886         struct avc_audit_data ad;
1887         int rc;
1888
1889         rc = superblock_doinit(sb, data);
1890         if (rc)
1891                 return rc;
1892
1893         AVC_AUDIT_DATA_INIT(&ad,FS);
1894         ad.u.fs.dentry = sb->s_root;
1895         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1896 }
1897
1898 static int selinux_sb_statfs(struct super_block *sb)
1899 {
1900         struct avc_audit_data ad;
1901
1902         AVC_AUDIT_DATA_INIT(&ad,FS);
1903         ad.u.fs.dentry = sb->s_root;
1904         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1905 }
1906
1907 static int selinux_mount(char * dev_name,
1908                          struct nameidata *nd,
1909                          char * type,
1910                          unsigned long flags,
1911                          void * data)
1912 {
1913         int rc;
1914
1915         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1916         if (rc)
1917                 return rc;
1918
1919         if (flags & MS_REMOUNT)
1920                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1921                                            FILESYSTEM__REMOUNT, NULL);
1922         else
1923                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1924                                        FILE__MOUNTON);
1925 }
1926
1927 static int selinux_umount(struct vfsmount *mnt, int flags)
1928 {
1929         int rc;
1930
1931         rc = secondary_ops->sb_umount(mnt, flags);
1932         if (rc)
1933                 return rc;
1934
1935         return superblock_has_perm(current,mnt->mnt_sb,
1936                                    FILESYSTEM__UNMOUNT,NULL);
1937 }
1938
1939 /* inode security operations */
1940
1941 static int selinux_inode_alloc_security(struct inode *inode)
1942 {
1943         return inode_alloc_security(inode);
1944 }
1945
1946 static void selinux_inode_free_security(struct inode *inode)
1947 {
1948         inode_free_security(inode);
1949 }
1950
1951 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1952                                        char **name, void **value,
1953                                        size_t *len)
1954 {
1955         struct task_security_struct *tsec;
1956         struct inode_security_struct *dsec;
1957         struct superblock_security_struct *sbsec;
1958         struct inode_security_struct *isec;
1959         u32 newsid, clen;
1960         int rc;
1961         char *namep = NULL, *context;
1962
1963         tsec = current->security;
1964         dsec = dir->i_security;
1965         sbsec = dir->i_sb->s_security;
1966         isec = inode->i_security;
1967
1968         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1969                 newsid = tsec->create_sid;
1970         } else {
1971                 rc = security_transition_sid(tsec->sid, dsec->sid,
1972                                              inode_mode_to_security_class(inode->i_mode),
1973                                              &newsid);
1974                 if (rc) {
1975                         printk(KERN_WARNING "%s:  "
1976                                "security_transition_sid failed, rc=%d (dev=%s "
1977                                "ino=%ld)\n",
1978                                __FUNCTION__,
1979                                -rc, inode->i_sb->s_id, inode->i_ino);
1980                         return rc;
1981                 }
1982         }
1983
1984         inode_security_set_sid(inode, newsid);
1985
1986         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1987                 return -EOPNOTSUPP;
1988
1989         if (name) {
1990                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1991                 if (!namep)
1992                         return -ENOMEM;
1993                 *name = namep;
1994         }
1995
1996         if (value && len) {
1997                 rc = security_sid_to_context(newsid, &context, &clen);
1998                 if (rc) {
1999                         kfree(namep);
2000                         return rc;
2001                 }
2002                 *value = context;
2003                 *len = clen;
2004         }
2005
2006         return 0;
2007 }
2008
2009 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2010 {
2011         return may_create(dir, dentry, SECCLASS_FILE);
2012 }
2013
2014 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2015 {
2016         int rc;
2017
2018         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2019         if (rc)
2020                 return rc;
2021         return may_link(dir, old_dentry, MAY_LINK);
2022 }
2023
2024 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025 {
2026         int rc;
2027
2028         rc = secondary_ops->inode_unlink(dir, dentry);
2029         if (rc)
2030                 return rc;
2031         return may_link(dir, dentry, MAY_UNLINK);
2032 }
2033
2034 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035 {
2036         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2037 }
2038
2039 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040 {
2041         return may_create(dir, dentry, SECCLASS_DIR);
2042 }
2043
2044 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2045 {
2046         return may_link(dir, dentry, MAY_RMDIR);
2047 }
2048
2049 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2050 {
2051         int rc;
2052
2053         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2054         if (rc)
2055                 return rc;
2056
2057         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058 }
2059
2060 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2061                                 struct inode *new_inode, struct dentry *new_dentry)
2062 {
2063         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2064 }
2065
2066 static int selinux_inode_readlink(struct dentry *dentry)
2067 {
2068         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2072 {
2073         int rc;
2074
2075         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2076         if (rc)
2077                 return rc;
2078         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2079 }
2080
2081 static int selinux_inode_permission(struct inode *inode, int mask,
2082                                     struct nameidata *nd)
2083 {
2084         int rc;
2085
2086         rc = secondary_ops->inode_permission(inode, mask, nd);
2087         if (rc)
2088                 return rc;
2089
2090         if (!mask) {
2091                 /* No permission to check.  Existence test. */
2092                 return 0;
2093         }
2094
2095         return inode_has_perm(current, inode,
2096                                file_mask_to_av(inode->i_mode, mask), NULL);
2097 }
2098
2099 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->inode_setattr(dentry, iattr);
2104         if (rc)
2105                 return rc;
2106
2107         if (iattr->ia_valid & ATTR_FORCE)
2108                 return 0;
2109
2110         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2111                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2112                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2113
2114         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2115 }
2116
2117 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2118 {
2119         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2120 }
2121
2122 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2123 {
2124         struct task_security_struct *tsec = current->security;
2125         struct inode *inode = dentry->d_inode;
2126         struct inode_security_struct *isec = inode->i_security;
2127         struct superblock_security_struct *sbsec;
2128         struct avc_audit_data ad;
2129         u32 newsid;
2130         int rc = 0;
2131
2132         if (strcmp(name, XATTR_NAME_SELINUX)) {
2133                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2134                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2135                     !capable(CAP_SYS_ADMIN)) {
2136                         /* A different attribute in the security namespace.
2137                            Restrict to administrator. */
2138                         return -EPERM;
2139                 }
2140
2141                 /* Not an attribute we recognize, so just check the
2142                    ordinary setattr permission. */
2143                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2144         }
2145
2146         sbsec = inode->i_sb->s_security;
2147         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2148                 return -EOPNOTSUPP;
2149
2150         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2151                 return -EPERM;
2152
2153         AVC_AUDIT_DATA_INIT(&ad,FS);
2154         ad.u.fs.dentry = dentry;
2155
2156         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2157                           FILE__RELABELFROM, &ad);
2158         if (rc)
2159                 return rc;
2160
2161         rc = security_context_to_sid(value, size, &newsid);
2162         if (rc)
2163                 return rc;
2164
2165         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2166                           FILE__RELABELTO, &ad);
2167         if (rc)
2168                 return rc;
2169
2170         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2171                                           isec->sclass);
2172         if (rc)
2173                 return rc;
2174
2175         return avc_has_perm(newsid,
2176                             sbsec->sid,
2177                             SECCLASS_FILESYSTEM,
2178                             FILESYSTEM__ASSOCIATE,
2179                             &ad);
2180 }
2181
2182 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2183                                         void *value, size_t size, int flags)
2184 {
2185         struct inode *inode = dentry->d_inode;
2186         struct inode_security_struct *isec = inode->i_security;
2187         u32 newsid;
2188         int rc;
2189
2190         if (strcmp(name, XATTR_NAME_SELINUX)) {
2191                 /* Not an attribute we recognize, so nothing to do. */
2192                 return;
2193         }
2194
2195         rc = security_context_to_sid(value, size, &newsid);
2196         if (rc) {
2197                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2198                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2199                 return;
2200         }
2201
2202         isec->sid = newsid;
2203         return;
2204 }
2205
2206 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2207 {
2208         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2209 }
2210
2211 static int selinux_inode_listxattr (struct dentry *dentry)
2212 {
2213         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2214 }
2215
2216 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2217 {
2218         if (strcmp(name, XATTR_NAME_SELINUX)) {
2219                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2220                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2221                     !capable(CAP_SYS_ADMIN)) {
2222                         /* A different attribute in the security namespace.
2223                            Restrict to administrator. */
2224                         return -EPERM;
2225                 }
2226
2227                 /* Not an attribute we recognize, so just check the
2228                    ordinary setattr permission. Might want a separate
2229                    permission for removexattr. */
2230                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2231         }
2232
2233         /* No one is allowed to remove a SELinux security label.
2234            You can change the label, but all data must be labeled. */
2235         return -EACCES;
2236 }
2237
2238 static const char *selinux_inode_xattr_getsuffix(void)
2239 {
2240       return XATTR_SELINUX_SUFFIX;
2241 }
2242
2243 /*
2244  * Copy the in-core inode security context value to the user.  If the
2245  * getxattr() prior to this succeeded, check to see if we need to
2246  * canonicalize the value to be finally returned to the user.
2247  *
2248  * Permission check is handled by selinux_inode_getxattr hook.
2249  */
2250 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2251 {
2252         struct inode_security_struct *isec = inode->i_security;
2253
2254         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2255                 return -EOPNOTSUPP;
2256
2257         return selinux_getsecurity(isec->sid, buffer, size);
2258 }
2259
2260 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2261                                      const void *value, size_t size, int flags)
2262 {
2263         struct inode_security_struct *isec = inode->i_security;
2264         u32 newsid;
2265         int rc;
2266
2267         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2268                 return -EOPNOTSUPP;
2269
2270         if (!value || !size)
2271                 return -EACCES;
2272
2273         rc = security_context_to_sid((void*)value, size, &newsid);
2274         if (rc)
2275                 return rc;
2276
2277         isec->sid = newsid;
2278         return 0;
2279 }
2280
2281 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2282 {
2283         const int len = sizeof(XATTR_NAME_SELINUX);
2284         if (buffer && len <= buffer_size)
2285                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2286         return len;
2287 }
2288
2289 /* file security operations */
2290
2291 static int selinux_file_permission(struct file *file, int mask)
2292 {
2293         struct inode *inode = file->f_dentry->d_inode;
2294
2295         if (!mask) {
2296                 /* No permission to check.  Existence test. */
2297                 return 0;
2298         }
2299
2300         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2301         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2302                 mask |= MAY_APPEND;
2303
2304         return file_has_perm(current, file,
2305                              file_mask_to_av(inode->i_mode, mask));
2306 }
2307
2308 static int selinux_file_alloc_security(struct file *file)
2309 {
2310         return file_alloc_security(file);
2311 }
2312
2313 static void selinux_file_free_security(struct file *file)
2314 {
2315         file_free_security(file);
2316 }
2317
2318 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2319                               unsigned long arg)
2320 {
2321         int error = 0;
2322
2323         switch (cmd) {
2324                 case FIONREAD:
2325                 /* fall through */
2326                 case FIBMAP:
2327                 /* fall through */
2328                 case FIGETBSZ:
2329                 /* fall through */
2330                 case EXT2_IOC_GETFLAGS:
2331                 /* fall through */
2332                 case EXT2_IOC_GETVERSION:
2333                         error = file_has_perm(current, file, FILE__GETATTR);
2334                         break;
2335
2336                 case EXT2_IOC_SETFLAGS:
2337                 /* fall through */
2338                 case EXT2_IOC_SETVERSION:
2339                         error = file_has_perm(current, file, FILE__SETATTR);
2340                         break;
2341
2342                 /* sys_ioctl() checks */
2343                 case FIONBIO:
2344                 /* fall through */
2345                 case FIOASYNC:
2346                         error = file_has_perm(current, file, 0);
2347                         break;
2348
2349                 case KDSKBENT:
2350                 case KDSKBSENT:
2351                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2352                         break;
2353
2354                 /* default case assumes that the command will go
2355                  * to the file's ioctl() function.
2356                  */
2357                 default:
2358                         error = file_has_perm(current, file, FILE__IOCTL);
2359
2360         }
2361         return error;
2362 }
2363
2364 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2365 {
2366 #ifndef CONFIG_PPC32
2367         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2368                 /*
2369                  * We are making executable an anonymous mapping or a
2370                  * private file mapping that will also be writable.
2371                  * This has an additional check.
2372                  */
2373                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2374                 if (rc)
2375                         return rc;
2376         }
2377 #endif
2378
2379         if (file) {
2380                 /* read access is always possible with a mapping */
2381                 u32 av = FILE__READ;
2382
2383                 /* write access only matters if the mapping is shared */
2384                 if (shared && (prot & PROT_WRITE))
2385                         av |= FILE__WRITE;
2386
2387                 if (prot & PROT_EXEC)
2388                         av |= FILE__EXECUTE;
2389
2390                 return file_has_perm(current, file, av);
2391         }
2392         return 0;
2393 }
2394
2395 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2396                              unsigned long prot, unsigned long flags)
2397 {
2398         int rc;
2399
2400         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2401         if (rc)
2402                 return rc;
2403
2404         if (selinux_checkreqprot)
2405                 prot = reqprot;
2406
2407         return file_map_prot_check(file, prot,
2408                                    (flags & MAP_TYPE) == MAP_SHARED);
2409 }
2410
2411 static int selinux_file_mprotect(struct vm_area_struct *vma,
2412                                  unsigned long reqprot,
2413                                  unsigned long prot)
2414 {
2415         int rc;
2416
2417         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2418         if (rc)
2419                 return rc;
2420
2421         if (selinux_checkreqprot)
2422                 prot = reqprot;
2423
2424 #ifndef CONFIG_PPC32
2425         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2426                 rc = 0;
2427                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2428                     vma->vm_end <= vma->vm_mm->brk) {
2429                         rc = task_has_perm(current, current,
2430                                            PROCESS__EXECHEAP);
2431                 } else if (!vma->vm_file &&
2432                            vma->vm_start <= vma->vm_mm->start_stack &&
2433                            vma->vm_end >= vma->vm_mm->start_stack) {
2434                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2435                 } else if (vma->vm_file && vma->anon_vma) {
2436                         /*
2437                          * We are making executable a file mapping that has
2438                          * had some COW done. Since pages might have been
2439                          * written, check ability to execute the possibly
2440                          * modified content.  This typically should only
2441                          * occur for text relocations.
2442                          */
2443                         rc = file_has_perm(current, vma->vm_file,
2444                                            FILE__EXECMOD);
2445                 }
2446                 if (rc)
2447                         return rc;
2448         }
2449 #endif
2450
2451         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2452 }
2453
2454 static int selinux_file_lock(struct file *file, unsigned int cmd)
2455 {
2456         return file_has_perm(current, file, FILE__LOCK);
2457 }
2458
2459 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2460                               unsigned long arg)
2461 {
2462         int err = 0;
2463
2464         switch (cmd) {
2465                 case F_SETFL:
2466                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2467                                 err = -EINVAL;
2468                                 break;
2469                         }
2470
2471                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2472                                 err = file_has_perm(current, file,FILE__WRITE);
2473                                 break;
2474                         }
2475                         /* fall through */
2476                 case F_SETOWN:
2477                 case F_SETSIG:
2478                 case F_GETFL:
2479                 case F_GETOWN:
2480                 case F_GETSIG:
2481                         /* Just check FD__USE permission */
2482                         err = file_has_perm(current, file, 0);
2483                         break;
2484                 case F_GETLK:
2485                 case F_SETLK:
2486                 case F_SETLKW:
2487 #if BITS_PER_LONG == 32
2488                 case F_GETLK64:
2489                 case F_SETLK64:
2490                 case F_SETLKW64:
2491 #endif
2492                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2493                                 err = -EINVAL;
2494                                 break;
2495                         }
2496                         err = file_has_perm(current, file, FILE__LOCK);
2497                         break;
2498         }
2499
2500         return err;
2501 }
2502
2503 static int selinux_file_set_fowner(struct file *file)
2504 {
2505         struct task_security_struct *tsec;
2506         struct file_security_struct *fsec;
2507
2508         tsec = current->security;
2509         fsec = file->f_security;
2510         fsec->fown_sid = tsec->sid;
2511
2512         return 0;
2513 }
2514
2515 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2516                                        struct fown_struct *fown, int signum)
2517 {
2518         struct file *file;
2519         u32 perm;
2520         struct task_security_struct *tsec;
2521         struct file_security_struct *fsec;
2522
2523         /* struct fown_struct is never outside the context of a struct file */
2524         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2525
2526         tsec = tsk->security;
2527         fsec = file->f_security;
2528
2529         if (!signum)
2530                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2531         else
2532                 perm = signal_to_av(signum);
2533
2534         return avc_has_perm(fsec->fown_sid, tsec->sid,
2535                             SECCLASS_PROCESS, perm, NULL);
2536 }
2537
2538 static int selinux_file_receive(struct file *file)
2539 {
2540         return file_has_perm(current, file, file_to_av(file));
2541 }
2542
2543 /* task security operations */
2544
2545 static int selinux_task_create(unsigned long clone_flags)
2546 {
2547         int rc;
2548
2549         rc = secondary_ops->task_create(clone_flags);
2550         if (rc)
2551                 return rc;
2552
2553         return task_has_perm(current, current, PROCESS__FORK);
2554 }
2555
2556 static int selinux_task_alloc_security(struct task_struct *tsk)
2557 {
2558         struct task_security_struct *tsec1, *tsec2;
2559         int rc;
2560
2561         tsec1 = current->security;
2562
2563         rc = task_alloc_security(tsk);
2564         if (rc)
2565                 return rc;
2566         tsec2 = tsk->security;
2567
2568         tsec2->osid = tsec1->osid;
2569         tsec2->sid = tsec1->sid;
2570
2571         /* Retain the exec and create SIDs across fork */
2572         tsec2->exec_sid = tsec1->exec_sid;
2573         tsec2->create_sid = tsec1->create_sid;
2574
2575         /* Retain ptracer SID across fork, if any.
2576            This will be reset by the ptrace hook upon any
2577            subsequent ptrace_attach operations. */
2578         tsec2->ptrace_sid = tsec1->ptrace_sid;
2579
2580         return 0;
2581 }
2582
2583 static void selinux_task_free_security(struct task_struct *tsk)
2584 {
2585         task_free_security(tsk);
2586 }
2587
2588 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2589 {
2590         /* Since setuid only affects the current process, and
2591            since the SELinux controls are not based on the Linux
2592            identity attributes, SELinux does not need to control
2593            this operation.  However, SELinux does control the use
2594            of the CAP_SETUID and CAP_SETGID capabilities using the
2595            capable hook. */
2596         return 0;
2597 }
2598
2599 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2600 {
2601         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2602 }
2603
2604 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2605 {
2606         /* See the comment for setuid above. */
2607         return 0;
2608 }
2609
2610 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2611 {
2612         return task_has_perm(current, p, PROCESS__SETPGID);
2613 }
2614
2615 static int selinux_task_getpgid(struct task_struct *p)
2616 {
2617         return task_has_perm(current, p, PROCESS__GETPGID);
2618 }
2619
2620 static int selinux_task_getsid(struct task_struct *p)
2621 {
2622         return task_has_perm(current, p, PROCESS__GETSESSION);
2623 }
2624
2625 static int selinux_task_setgroups(struct group_info *group_info)
2626 {
2627         /* See the comment for setuid above. */
2628         return 0;
2629 }
2630
2631 static int selinux_task_setnice(struct task_struct *p, int nice)
2632 {
2633         int rc;
2634
2635         rc = secondary_ops->task_setnice(p, nice);
2636         if (rc)
2637                 return rc;
2638
2639         return task_has_perm(current,p, PROCESS__SETSCHED);
2640 }
2641
2642 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2643 {
2644         struct rlimit *old_rlim = current->signal->rlim + resource;
2645         int rc;
2646
2647         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2648         if (rc)
2649                 return rc;
2650
2651         /* Control the ability to change the hard limit (whether
2652            lowering or raising it), so that the hard limit can
2653            later be used as a safe reset point for the soft limit
2654            upon context transitions. See selinux_bprm_apply_creds. */
2655         if (old_rlim->rlim_max != new_rlim->rlim_max)
2656                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2657
2658         return 0;
2659 }
2660
2661 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2662 {
2663         return task_has_perm(current, p, PROCESS__SETSCHED);
2664 }
2665
2666 static int selinux_task_getscheduler(struct task_struct *p)
2667 {
2668         return task_has_perm(current, p, PROCESS__GETSCHED);
2669 }
2670
2671 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2672 {
2673         u32 perm;
2674         int rc;
2675
2676         rc = secondary_ops->task_kill(p, info, sig);
2677         if (rc)
2678                 return rc;
2679
2680         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2681                 return 0;
2682
2683         if (!sig)
2684                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2685         else
2686                 perm = signal_to_av(sig);
2687
2688         return task_has_perm(current, p, perm);
2689 }
2690
2691 static int selinux_task_prctl(int option,
2692                               unsigned long arg2,
2693                               unsigned long arg3,
2694                               unsigned long arg4,
2695                               unsigned long arg5)
2696 {
2697         /* The current prctl operations do not appear to require
2698            any SELinux controls since they merely observe or modify
2699            the state of the current process. */
2700         return 0;
2701 }
2702
2703 static int selinux_task_wait(struct task_struct *p)
2704 {
2705         u32 perm;
2706
2707         perm = signal_to_av(p->exit_signal);
2708
2709         return task_has_perm(p, current, perm);
2710 }
2711
2712 static void selinux_task_reparent_to_init(struct task_struct *p)
2713 {
2714         struct task_security_struct *tsec;
2715
2716         secondary_ops->task_reparent_to_init(p);
2717
2718         tsec = p->security;
2719         tsec->osid = tsec->sid;
2720         tsec->sid = SECINITSID_KERNEL;
2721         return;
2722 }
2723
2724 static void selinux_task_to_inode(struct task_struct *p,
2725                                   struct inode *inode)
2726 {
2727         struct task_security_struct *tsec = p->security;
2728         struct inode_security_struct *isec = inode->i_security;
2729
2730         isec->sid = tsec->sid;
2731         isec->initialized = 1;
2732         return;
2733 }
2734
2735 /* Returns error only if unable to parse addresses */
2736 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2737 {
2738         int offset, ihlen, ret = -EINVAL;
2739         struct iphdr _iph, *ih;
2740
2741         offset = skb->nh.raw - skb->data;
2742         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2743         if (ih == NULL)
2744                 goto out;
2745
2746         ihlen = ih->ihl * 4;
2747         if (ihlen < sizeof(_iph))
2748                 goto out;
2749
2750         ad->u.net.v4info.saddr = ih->saddr;
2751         ad->u.net.v4info.daddr = ih->daddr;
2752         ret = 0;
2753
2754         switch (ih->protocol) {
2755         case IPPROTO_TCP: {
2756                 struct tcphdr _tcph, *th;
2757
2758                 if (ntohs(ih->frag_off) & IP_OFFSET)
2759                         break;
2760
2761                 offset += ihlen;
2762                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2763                 if (th == NULL)
2764                         break;
2765
2766                 ad->u.net.sport = th->source;
2767                 ad->u.net.dport = th->dest;
2768                 break;
2769         }
2770         
2771         case IPPROTO_UDP: {
2772                 struct udphdr _udph, *uh;
2773                 
2774                 if (ntohs(ih->frag_off) & IP_OFFSET)
2775                         break;
2776                         
2777                 offset += ihlen;
2778                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2779                 if (uh == NULL)
2780                         break;  
2781
2782                 ad->u.net.sport = uh->source;
2783                 ad->u.net.dport = uh->dest;
2784                 break;
2785         }
2786
2787         default:
2788                 break;
2789         }
2790 out:
2791         return ret;
2792 }
2793
2794 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2795
2796 /* Returns error only if unable to parse addresses */
2797 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2798 {
2799         u8 nexthdr;
2800         int ret = -EINVAL, offset;
2801         struct ipv6hdr _ipv6h, *ip6;
2802
2803         offset = skb->nh.raw - skb->data;
2804         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2805         if (ip6 == NULL)
2806                 goto out;
2807
2808         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2809         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2810         ret = 0;
2811
2812         nexthdr = ip6->nexthdr;
2813         offset += sizeof(_ipv6h);
2814         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2815         if (offset < 0)
2816                 goto out;
2817
2818         switch (nexthdr) {
2819         case IPPROTO_TCP: {
2820                 struct tcphdr _tcph, *th;
2821
2822                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2823                 if (th == NULL)
2824                         break;
2825
2826                 ad->u.net.sport = th->source;
2827                 ad->u.net.dport = th->dest;
2828                 break;
2829         }
2830
2831         case IPPROTO_UDP: {
2832                 struct udphdr _udph, *uh;
2833
2834                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2835                 if (uh == NULL)
2836                         break;
2837
2838                 ad->u.net.sport = uh->source;
2839                 ad->u.net.dport = uh->dest;
2840                 break;
2841         }
2842
2843         /* includes fragments */
2844         default:
2845                 break;
2846         }
2847 out:
2848         return ret;
2849 }
2850
2851 #endif /* IPV6 */
2852
2853 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2854                              char **addrp, int *len, int src)
2855 {
2856         int ret = 0;
2857
2858         switch (ad->u.net.family) {
2859         case PF_INET:
2860                 ret = selinux_parse_skb_ipv4(skb, ad);
2861                 if (ret || !addrp)
2862                         break;
2863                 *len = 4;
2864                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2865                                         &ad->u.net.v4info.daddr);
2866                 break;
2867
2868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2869         case PF_INET6:
2870                 ret = selinux_parse_skb_ipv6(skb, ad);
2871                 if (ret || !addrp)
2872                         break;
2873                 *len = 16;
2874                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2875                                         &ad->u.net.v6info.daddr);
2876                 break;
2877 #endif  /* IPV6 */
2878         default:
2879                 break;
2880         }
2881
2882         return ret;
2883 }
2884
2885 /* socket security operations */
2886 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2887                            u32 perms)
2888 {
2889         struct inode_security_struct *isec;
2890         struct task_security_struct *tsec;
2891         struct avc_audit_data ad;
2892         int err = 0;
2893
2894         tsec = task->security;
2895         isec = SOCK_INODE(sock)->i_security;
2896
2897         if (isec->sid == SECINITSID_KERNEL)
2898                 goto out;
2899
2900         AVC_AUDIT_DATA_INIT(&ad,NET);
2901         ad.u.net.sk = sock->sk;
2902         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2903
2904 out:
2905         return err;
2906 }
2907
2908 static int selinux_socket_create(int family, int type,
2909                                  int protocol, int kern)
2910 {
2911         int err = 0;
2912         struct task_security_struct *tsec;
2913
2914         if (kern)
2915                 goto out;
2916
2917         tsec = current->security;
2918         err = avc_has_perm(tsec->sid, tsec->sid,
2919                            socket_type_to_security_class(family, type,
2920                            protocol), SOCKET__CREATE, NULL);
2921
2922 out:
2923         return err;
2924 }
2925
2926 static void selinux_socket_post_create(struct socket *sock, int family,
2927                                        int type, int protocol, int kern)
2928 {
2929         struct inode_security_struct *isec;
2930         struct task_security_struct *tsec;
2931
2932         isec = SOCK_INODE(sock)->i_security;
2933
2934         tsec = current->security;
2935         isec->sclass = socket_type_to_security_class(family, type, protocol);
2936         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2937         isec->initialized = 1;
2938
2939         return;
2940 }
2941
2942 /* Range of port numbers used to automatically bind.
2943    Need to determine whether we should perform a name_bind
2944    permission check between the socket and the port number. */
2945 #define ip_local_port_range_0 sysctl_local_port_range[0]
2946 #define ip_local_port_range_1 sysctl_local_port_range[1]
2947
2948 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2949 {
2950         u16 family;
2951         int err;
2952
2953         err = socket_has_perm(current, sock, SOCKET__BIND);
2954         if (err)
2955                 goto out;
2956
2957         /*
2958          * If PF_INET or PF_INET6, check name_bind permission for the port.
2959          * Multiple address binding for SCTP is not supported yet: we just
2960          * check the first address now.
2961          */
2962         family = sock->sk->sk_family;
2963         if (family == PF_INET || family == PF_INET6) {
2964                 char *addrp;
2965                 struct inode_security_struct *isec;
2966                 struct task_security_struct *tsec;
2967                 struct avc_audit_data ad;
2968                 struct sockaddr_in *addr4 = NULL;
2969                 struct sockaddr_in6 *addr6 = NULL;
2970                 unsigned short snum;
2971                 struct sock *sk = sock->sk;
2972                 u32 sid, node_perm, addrlen;
2973
2974                 tsec = current->security;
2975                 isec = SOCK_INODE(sock)->i_security;
2976
2977                 if (family == PF_INET) {
2978                         addr4 = (struct sockaddr_in *)address;
2979                         snum = ntohs(addr4->sin_port);
2980                         addrlen = sizeof(addr4->sin_addr.s_addr);
2981                         addrp = (char *)&addr4->sin_addr.s_addr;
2982                 } else {
2983                         addr6 = (struct sockaddr_in6 *)address;
2984                         snum = ntohs(addr6->sin6_port);
2985                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2986                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2987                 }
2988
2989                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2990                            snum > ip_local_port_range_1)) {
2991                         err = security_port_sid(sk->sk_family, sk->sk_type,
2992                                                 sk->sk_protocol, snum, &sid);
2993                         if (err)
2994                                 goto out;
2995                         AVC_AUDIT_DATA_INIT(&ad,NET);
2996                         ad.u.net.sport = htons(snum);
2997                         ad.u.net.family = family;
2998                         err = avc_has_perm(isec->sid, sid,
2999                                            isec->sclass,
3000                                            SOCKET__NAME_BIND, &ad);
3001                         if (err)
3002                                 goto out;
3003                 }
3004                 
3005                 switch(isec->sclass) {
3006                 case SECCLASS_TCP_SOCKET:
3007                         node_perm = TCP_SOCKET__NODE_BIND;
3008                         break;
3009                         
3010                 case SECCLASS_UDP_SOCKET:
3011                         node_perm = UDP_SOCKET__NODE_BIND;
3012                         break;
3013                         
3014                 default:
3015                         node_perm = RAWIP_SOCKET__NODE_BIND;
3016                         break;
3017                 }
3018                 
3019                 err = security_node_sid(family, addrp, addrlen, &sid);
3020                 if (err)
3021                         goto out;
3022                 
3023                 AVC_AUDIT_DATA_INIT(&ad,NET);
3024                 ad.u.net.sport = htons(snum);
3025                 ad.u.net.family = family;
3026
3027                 if (family == PF_INET)
3028                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3029                 else
3030                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3031
3032                 err = avc_has_perm(isec->sid, sid,
3033                                    isec->sclass, node_perm, &ad);
3034                 if (err)
3035                         goto out;
3036         }
3037 out:
3038         return err;
3039 }
3040
3041 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3042 {
3043         struct inode_security_struct *isec;
3044         int err;
3045
3046         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3047         if (err)
3048                 return err;
3049
3050         /*
3051          * If a TCP socket, check name_connect permission for the port.
3052          */
3053         isec = SOCK_INODE(sock)->i_security;
3054         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3055                 struct sock *sk = sock->sk;
3056                 struct avc_audit_data ad;
3057                 struct sockaddr_in *addr4 = NULL;
3058                 struct sockaddr_in6 *addr6 = NULL;
3059                 unsigned short snum;
3060                 u32 sid;
3061
3062                 if (sk->sk_family == PF_INET) {
3063                         addr4 = (struct sockaddr_in *)address;
3064                         if (addrlen < sizeof(struct sockaddr_in))
3065                                 return -EINVAL;
3066                         snum = ntohs(addr4->sin_port);
3067                 } else {
3068                         addr6 = (struct sockaddr_in6 *)address;
3069                         if (addrlen < SIN6_LEN_RFC2133)
3070                                 return -EINVAL;
3071                         snum = ntohs(addr6->sin6_port);
3072                 }
3073
3074                 err = security_port_sid(sk->sk_family, sk->sk_type,
3075                                         sk->sk_protocol, snum, &sid);
3076                 if (err)
3077                         goto out;
3078
3079                 AVC_AUDIT_DATA_INIT(&ad,NET);
3080                 ad.u.net.dport = htons(snum);
3081                 ad.u.net.family = sk->sk_family;
3082                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3083                                    TCP_SOCKET__NAME_CONNECT, &ad);
3084                 if (err)
3085                         goto out;
3086         }
3087
3088 out:
3089         return err;
3090 }
3091
3092 static int selinux_socket_listen(struct socket *sock, int backlog)
3093 {
3094         return socket_has_perm(current, sock, SOCKET__LISTEN);
3095 }
3096
3097 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3098 {
3099         int err;
3100         struct inode_security_struct *isec;
3101         struct inode_security_struct *newisec;
3102
3103         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3104         if (err)
3105                 return err;
3106
3107         newisec = SOCK_INODE(newsock)->i_security;
3108
3109         isec = SOCK_INODE(sock)->i_security;
3110         newisec->sclass = isec->sclass;
3111         newisec->sid = isec->sid;
3112         newisec->initialized = 1;
3113
3114         return 0;
3115 }
3116
3117 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3118                                   int size)
3119 {
3120         return socket_has_perm(current, sock, SOCKET__WRITE);
3121 }
3122
3123 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3124                                   int size, int flags)
3125 {
3126         return socket_has_perm(current, sock, SOCKET__READ);
3127 }
3128
3129 static int selinux_socket_getsockname(struct socket *sock)
3130 {
3131         return socket_has_perm(current, sock, SOCKET__GETATTR);
3132 }
3133
3134 static int selinux_socket_getpeername(struct socket *sock)
3135 {
3136         return socket_has_perm(current, sock, SOCKET__GETATTR);
3137 }
3138
3139 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3140 {
3141         return socket_has_perm(current, sock, SOCKET__SETOPT);
3142 }
3143
3144 static int selinux_socket_getsockopt(struct socket *sock, int level,
3145                                      int optname)
3146 {
3147         return socket_has_perm(current, sock, SOCKET__GETOPT);
3148 }
3149
3150 static int selinux_socket_shutdown(struct socket *sock, int how)
3151 {
3152         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3153 }
3154
3155 static int selinux_socket_unix_stream_connect(struct socket *sock,
3156                                               struct socket *other,
3157                                               struct sock *newsk)
3158 {
3159         struct sk_security_struct *ssec;
3160         struct inode_security_struct *isec;
3161         struct inode_security_struct *other_isec;
3162         struct avc_audit_data ad;
3163         int err;
3164
3165         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3166         if (err)
3167                 return err;
3168
3169         isec = SOCK_INODE(sock)->i_security;
3170         other_isec = SOCK_INODE(other)->i_security;
3171
3172         AVC_AUDIT_DATA_INIT(&ad,NET);
3173         ad.u.net.sk = other->sk;
3174
3175         err = avc_has_perm(isec->sid, other_isec->sid,
3176                            isec->sclass,
3177                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3178         if (err)
3179                 return err;
3180
3181         /* connecting socket */
3182         ssec = sock->sk->sk_security;
3183         ssec->peer_sid = other_isec->sid;
3184         
3185         /* server child socket */
3186         ssec = newsk->sk_security;
3187         ssec->peer_sid = isec->sid;
3188         
3189         return 0;
3190 }
3191
3192 static int selinux_socket_unix_may_send(struct socket *sock,
3193                                         struct socket *other)
3194 {
3195         struct inode_security_struct *isec;
3196         struct inode_security_struct *other_isec;
3197         struct avc_audit_data ad;
3198         int err;
3199
3200         isec = SOCK_INODE(sock)->i_security;
3201         other_isec = SOCK_INODE(other)->i_security;
3202
3203         AVC_AUDIT_DATA_INIT(&ad,NET);
3204         ad.u.net.sk = other->sk;
3205
3206         err = avc_has_perm(isec->sid, other_isec->sid,
3207