Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hskinnemoen...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/dccp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h>           /* for Unix socket types */
64 #include <net/af_unix.h>        /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
67 #include <net/ipv6.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74 #include <linux/mutex.h>
75
76 #include "avc.h"
77 #include "objsec.h"
78 #include "netif.h"
79 #include "xfrm.h"
80 #include "netlabel.h"
81
82 #define XATTR_SELINUX_SUFFIX "selinux"
83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85 extern unsigned int policydb_loaded_version;
86 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
87 extern int selinux_compat_net;
88 extern struct security_operations *security_ops;
89
90 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
91 int selinux_enforcing = 0;
92
93 static int __init enforcing_setup(char *str)
94 {
95         selinux_enforcing = simple_strtol(str,NULL,0);
96         return 1;
97 }
98 __setup("enforcing=", enforcing_setup);
99 #endif
100
101 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
102 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
103
104 static int __init selinux_enabled_setup(char *str)
105 {
106         selinux_enabled = simple_strtol(str, NULL, 0);
107         return 1;
108 }
109 __setup("selinux=", selinux_enabled_setup);
110 #else
111 int selinux_enabled = 1;
112 #endif
113
114 /* Original (dummy) security module. */
115 static struct security_operations *original_ops = NULL;
116
117 /* Minimal support for a secondary security module,
118    just to allow the use of the dummy or capability modules.
119    The owlsm module can alternatively be used as a secondary
120    module as long as CONFIG_OWLSM_FD is not enabled. */
121 static struct security_operations *secondary_ops = NULL;
122
123 /* Lists of inode and superblock security structures initialized
124    before the policy was loaded. */
125 static LIST_HEAD(superblock_security_head);
126 static DEFINE_SPINLOCK(sb_security_lock);
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /* Return security context for a given sid or just the context 
131    length if the buffer is null or length is 0 */
132 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
133 {
134         char *context;
135         unsigned len;
136         int rc;
137
138         rc = security_sid_to_context(sid, &context, &len);
139         if (rc)
140                 return rc;
141
142         if (!buffer || !size)
143                 goto getsecurity_exit;
144
145         if (size < len) {
146                 len = -ERANGE;
147                 goto getsecurity_exit;
148         }
149         memcpy(buffer, context, len);
150
151 getsecurity_exit:
152         kfree(context);
153         return len;
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160         struct task_security_struct *tsec;
161
162         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163         if (!tsec)
164                 return -ENOMEM;
165
166         tsec->task = task;
167         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
168         task->security = tsec;
169
170         return 0;
171 }
172
173 static void task_free_security(struct task_struct *task)
174 {
175         struct task_security_struct *tsec = task->security;
176         task->security = NULL;
177         kfree(tsec);
178 }
179
180 static int inode_alloc_security(struct inode *inode)
181 {
182         struct task_security_struct *tsec = current->security;
183         struct inode_security_struct *isec;
184
185         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
186         if (!isec)
187                 return -ENOMEM;
188
189         mutex_init(&isec->lock);
190         INIT_LIST_HEAD(&isec->list);
191         isec->inode = inode;
192         isec->sid = SECINITSID_UNLABELED;
193         isec->sclass = SECCLASS_FILE;
194         isec->task_sid = tsec->sid;
195         inode->i_security = isec;
196
197         return 0;
198 }
199
200 static void inode_free_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec = inode->i_security;
203         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
205         spin_lock(&sbsec->isec_lock);
206         if (!list_empty(&isec->list))
207                 list_del_init(&isec->list);
208         spin_unlock(&sbsec->isec_lock);
209
210         inode->i_security = NULL;
211         kmem_cache_free(sel_inode_cache, isec);
212 }
213
214 static int file_alloc_security(struct file *file)
215 {
216         struct task_security_struct *tsec = current->security;
217         struct file_security_struct *fsec;
218
219         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220         if (!fsec)
221                 return -ENOMEM;
222
223         fsec->file = file;
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->sk = sk;
281         ssec->peer_sid = SECINITSID_UNLABELED;
282         ssec->sid = SECINITSID_UNLABELED;
283         sk->sk_security = ssec;
284
285         selinux_netlbl_sk_security_init(ssec, family);
286
287         return 0;
288 }
289
290 static void sk_free_security(struct sock *sk)
291 {
292         struct sk_security_struct *ssec = sk->sk_security;
293
294         sk->sk_security = NULL;
295         kfree(ssec);
296 }
297
298 /* The security server must be initialized before
299    any labeling or access decisions can be provided. */
300 extern int ss_initialized;
301
302 /* The file system's label must be initialized prior to use. */
303
304 static char *labeling_behaviors[6] = {
305         "uses xattr",
306         "uses transition SIDs",
307         "uses task SIDs",
308         "uses genfs_contexts",
309         "not configured for labeling",
310         "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317         return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321         Opt_error = -1,
322         Opt_context = 1,
323         Opt_fscontext = 2,
324         Opt_defcontext = 4,
325         Opt_rootcontext = 8,
326 };
327
328 static match_table_t tokens = {
329         {Opt_context, "context=%s"},
330         {Opt_fscontext, "fscontext=%s"},
331         {Opt_defcontext, "defcontext=%s"},
332         {Opt_rootcontext, "rootcontext=%s"},
333         {Opt_error, NULL},
334 };
335
336 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
337
338 static int may_context_mount_sb_relabel(u32 sid,
339                         struct superblock_security_struct *sbsec,
340                         struct task_security_struct *tsec)
341 {
342         int rc;
343
344         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELFROM, NULL);
346         if (rc)
347                 return rc;
348
349         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
350                           FILESYSTEM__RELABELTO, NULL);
351         return rc;
352 }
353
354 static int may_context_mount_inode_relabel(u32 sid,
355                         struct superblock_security_struct *sbsec,
356                         struct task_security_struct *tsec)
357 {
358         int rc;
359         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__RELABELFROM, NULL);
361         if (rc)
362                 return rc;
363
364         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
365                           FILESYSTEM__ASSOCIATE, NULL);
366         return rc;
367 }
368
369 static int try_context_mount(struct super_block *sb, void *data)
370 {
371         char *context = NULL, *defcontext = NULL;
372         char *fscontext = NULL, *rootcontext = NULL;
373         const char *name;
374         u32 sid;
375         int alloc = 0, rc = 0, seen = 0;
376         struct task_security_struct *tsec = current->security;
377         struct superblock_security_struct *sbsec = sb->s_security;
378
379         if (!data)
380                 goto out;
381
382         name = sb->s_type->name;
383
384         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
385
386                 /* NFS we understand. */
387                 if (!strcmp(name, "nfs")) {
388                         struct nfs_mount_data *d = data;
389
390                         if (d->version <  NFS_MOUNT_VERSION)
391                                 goto out;
392
393                         if (d->context[0]) {
394                                 context = d->context;
395                                 seen |= Opt_context;
396                         }
397                 } else
398                         goto out;
399
400         } else {
401                 /* Standard string-based options. */
402                 char *p, *options = data;
403
404                 while ((p = strsep(&options, "|")) != NULL) {
405                         int token;
406                         substring_t args[MAX_OPT_ARGS];
407
408                         if (!*p)
409                                 continue;
410
411                         token = match_token(p, tokens, args);
412
413                         switch (token) {
414                         case Opt_context:
415                                 if (seen & (Opt_context|Opt_defcontext)) {
416                                         rc = -EINVAL;
417                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
418                                         goto out_free;
419                                 }
420                                 context = match_strdup(&args[0]);
421                                 if (!context) {
422                                         rc = -ENOMEM;
423                                         goto out_free;
424                                 }
425                                 if (!alloc)
426                                         alloc = 1;
427                                 seen |= Opt_context;
428                                 break;
429
430                         case Opt_fscontext:
431                                 if (seen & Opt_fscontext) {
432                                         rc = -EINVAL;
433                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
434                                         goto out_free;
435                                 }
436                                 fscontext = match_strdup(&args[0]);
437                                 if (!fscontext) {
438                                         rc = -ENOMEM;
439                                         goto out_free;
440                                 }
441                                 if (!alloc)
442                                         alloc = 1;
443                                 seen |= Opt_fscontext;
444                                 break;
445
446                         case Opt_rootcontext:
447                                 if (seen & Opt_rootcontext) {
448                                         rc = -EINVAL;
449                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
450                                         goto out_free;
451                                 }
452                                 rootcontext = match_strdup(&args[0]);
453                                 if (!rootcontext) {
454                                         rc = -ENOMEM;
455                                         goto out_free;
456                                 }
457                                 if (!alloc)
458                                         alloc = 1;
459                                 seen |= Opt_rootcontext;
460                                 break;
461
462                         case Opt_defcontext:
463                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
464                                         rc = -EINVAL;
465                                         printk(KERN_WARNING "SELinux:  "
466                                                "defcontext option is invalid "
467                                                "for this filesystem type\n");
468                                         goto out_free;
469                                 }
470                                 if (seen & (Opt_context|Opt_defcontext)) {
471                                         rc = -EINVAL;
472                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
473                                         goto out_free;
474                                 }
475                                 defcontext = match_strdup(&args[0]);
476                                 if (!defcontext) {
477                                         rc = -ENOMEM;
478                                         goto out_free;
479                                 }
480                                 if (!alloc)
481                                         alloc = 1;
482                                 seen |= Opt_defcontext;
483                                 break;
484
485                         default:
486                                 rc = -EINVAL;
487                                 printk(KERN_WARNING "SELinux:  unknown mount "
488                                        "option\n");
489                                 goto out_free;
490
491                         }
492                 }
493         }
494
495         if (!seen)
496                 goto out;
497
498         /* sets the context of the superblock for the fs being mounted. */
499         if (fscontext) {
500                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
501                 if (rc) {
502                         printk(KERN_WARNING "SELinux: security_context_to_sid"
503                                "(%s) failed for (dev %s, type %s) errno=%d\n",
504                                fscontext, sb->s_id, name, rc);
505                         goto out_free;
506                 }
507
508                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
509                 if (rc)
510                         goto out_free;
511
512                 sbsec->sid = sid;
513         }
514
515         /*
516          * Switch to using mount point labeling behavior.
517          * sets the label used on all file below the mountpoint, and will set
518          * the superblock context if not already set.
519          */
520         if (context) {
521                 rc = security_context_to_sid(context, strlen(context), &sid);
522                 if (rc) {
523                         printk(KERN_WARNING "SELinux: security_context_to_sid"
524                                "(%s) failed for (dev %s, type %s) errno=%d\n",
525                                context, sb->s_id, name, rc);
526                         goto out_free;
527                 }
528
529                 if (!fscontext) {
530                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
531                         if (rc)
532                                 goto out_free;
533                         sbsec->sid = sid;
534                 } else {
535                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
536                         if (rc)
537                                 goto out_free;
538                 }
539                 sbsec->mntpoint_sid = sid;
540
541                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
542         }
543
544         if (rootcontext) {
545                 struct inode *inode = sb->s_root->d_inode;
546                 struct inode_security_struct *isec = inode->i_security;
547                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
548                 if (rc) {
549                         printk(KERN_WARNING "SELinux: security_context_to_sid"
550                                "(%s) failed for (dev %s, type %s) errno=%d\n",
551                                rootcontext, sb->s_id, name, rc);
552                         goto out_free;
553                 }
554
555                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
556                 if (rc)
557                         goto out_free;
558
559                 isec->sid = sid;
560                 isec->initialized = 1;
561         }
562
563         if (defcontext) {
564                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
565                 if (rc) {
566                         printk(KERN_WARNING "SELinux: security_context_to_sid"
567                                "(%s) failed for (dev %s, type %s) errno=%d\n",
568                                defcontext, sb->s_id, name, rc);
569                         goto out_free;
570                 }
571
572                 if (sid == sbsec->def_sid)
573                         goto out_free;
574
575                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
576                 if (rc)
577                         goto out_free;
578
579                 sbsec->def_sid = sid;
580         }
581
582 out_free:
583         if (alloc) {
584                 kfree(context);
585                 kfree(defcontext);
586                 kfree(fscontext);
587                 kfree(rootcontext);
588         }
589 out:
590         return rc;
591 }
592
593 static int superblock_doinit(struct super_block *sb, void *data)
594 {
595         struct superblock_security_struct *sbsec = sb->s_security;
596         struct dentry *root = sb->s_root;
597         struct inode *inode = root->d_inode;
598         int rc = 0;
599
600         mutex_lock(&sbsec->lock);
601         if (sbsec->initialized)
602                 goto out;
603
604         if (!ss_initialized) {
605                 /* Defer initialization until selinux_complete_init,
606                    after the initial policy is loaded and the security
607                    server is ready to handle calls. */
608                 spin_lock(&sb_security_lock);
609                 if (list_empty(&sbsec->list))
610                         list_add(&sbsec->list, &superblock_security_head);
611                 spin_unlock(&sb_security_lock);
612                 goto out;
613         }
614
615         /* Determine the labeling behavior to use for this filesystem type. */
616         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
617         if (rc) {
618                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
619                        __FUNCTION__, sb->s_type->name, rc);
620                 goto out;
621         }
622
623         rc = try_context_mount(sb, data);
624         if (rc)
625                 goto out;
626
627         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
628                 /* Make sure that the xattr handler exists and that no
629                    error other than -ENODATA is returned by getxattr on
630                    the root directory.  -ENODATA is ok, as this may be
631                    the first boot of the SELinux kernel before we have
632                    assigned xattr values to the filesystem. */
633                 if (!inode->i_op->getxattr) {
634                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
635                                "xattr support\n", sb->s_id, sb->s_type->name);
636                         rc = -EOPNOTSUPP;
637                         goto out;
638                 }
639                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
640                 if (rc < 0 && rc != -ENODATA) {
641                         if (rc == -EOPNOTSUPP)
642                                 printk(KERN_WARNING "SELinux: (dev %s, type "
643                                        "%s) has no security xattr handler\n",
644                                        sb->s_id, sb->s_type->name);
645                         else
646                                 printk(KERN_WARNING "SELinux: (dev %s, type "
647                                        "%s) getxattr errno %d\n", sb->s_id,
648                                        sb->s_type->name, -rc);
649                         goto out;
650                 }
651         }
652
653         if (strcmp(sb->s_type->name, "proc") == 0)
654                 sbsec->proc = 1;
655
656         sbsec->initialized = 1;
657
658         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
659                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
660                        sb->s_id, sb->s_type->name);
661         }
662         else {
663                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
664                        sb->s_id, sb->s_type->name,
665                        labeling_behaviors[sbsec->behavior-1]);
666         }
667
668         /* Initialize the root inode. */
669         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
670
671         /* Initialize any other inodes associated with the superblock, e.g.
672            inodes created prior to initial policy load or inodes created
673            during get_sb by a pseudo filesystem that directly
674            populates itself. */
675         spin_lock(&sbsec->isec_lock);
676 next_inode:
677         if (!list_empty(&sbsec->isec_head)) {
678                 struct inode_security_struct *isec =
679                                 list_entry(sbsec->isec_head.next,
680                                            struct inode_security_struct, list);
681                 struct inode *inode = isec->inode;
682                 spin_unlock(&sbsec->isec_lock);
683                 inode = igrab(inode);
684                 if (inode) {
685                         if (!IS_PRIVATE (inode))
686                                 inode_doinit(inode);
687                         iput(inode);
688                 }
689                 spin_lock(&sbsec->isec_lock);
690                 list_del_init(&isec->list);
691                 goto next_inode;
692         }
693         spin_unlock(&sbsec->isec_lock);
694 out:
695         mutex_unlock(&sbsec->lock);
696         return rc;
697 }
698
699 static inline u16 inode_mode_to_security_class(umode_t mode)
700 {
701         switch (mode & S_IFMT) {
702         case S_IFSOCK:
703                 return SECCLASS_SOCK_FILE;
704         case S_IFLNK:
705                 return SECCLASS_LNK_FILE;
706         case S_IFREG:
707                 return SECCLASS_FILE;
708         case S_IFBLK:
709                 return SECCLASS_BLK_FILE;
710         case S_IFDIR:
711                 return SECCLASS_DIR;
712         case S_IFCHR:
713                 return SECCLASS_CHR_FILE;
714         case S_IFIFO:
715                 return SECCLASS_FIFO_FILE;
716
717         }
718
719         return SECCLASS_FILE;
720 }
721
722 static inline int default_protocol_stream(int protocol)
723 {
724         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
725 }
726
727 static inline int default_protocol_dgram(int protocol)
728 {
729         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
730 }
731
732 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
733 {
734         switch (family) {
735         case PF_UNIX:
736                 switch (type) {
737                 case SOCK_STREAM:
738                 case SOCK_SEQPACKET:
739                         return SECCLASS_UNIX_STREAM_SOCKET;
740                 case SOCK_DGRAM:
741                         return SECCLASS_UNIX_DGRAM_SOCKET;
742                 }
743                 break;
744         case PF_INET:
745         case PF_INET6:
746                 switch (type) {
747                 case SOCK_STREAM:
748                         if (default_protocol_stream(protocol))
749                                 return SECCLASS_TCP_SOCKET;
750                         else
751                                 return SECCLASS_RAWIP_SOCKET;
752                 case SOCK_DGRAM:
753                         if (default_protocol_dgram(protocol))
754                                 return SECCLASS_UDP_SOCKET;
755                         else
756                                 return SECCLASS_RAWIP_SOCKET;
757                 case SOCK_DCCP:
758                         return SECCLASS_DCCP_SOCKET;
759                 default:
760                         return SECCLASS_RAWIP_SOCKET;
761                 }
762                 break;
763         case PF_NETLINK:
764                 switch (protocol) {
765                 case NETLINK_ROUTE:
766                         return SECCLASS_NETLINK_ROUTE_SOCKET;
767                 case NETLINK_FIREWALL:
768                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
769                 case NETLINK_INET_DIAG:
770                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
771                 case NETLINK_NFLOG:
772                         return SECCLASS_NETLINK_NFLOG_SOCKET;
773                 case NETLINK_XFRM:
774                         return SECCLASS_NETLINK_XFRM_SOCKET;
775                 case NETLINK_SELINUX:
776                         return SECCLASS_NETLINK_SELINUX_SOCKET;
777                 case NETLINK_AUDIT:
778                         return SECCLASS_NETLINK_AUDIT_SOCKET;
779                 case NETLINK_IP6_FW:
780                         return SECCLASS_NETLINK_IP6FW_SOCKET;
781                 case NETLINK_DNRTMSG:
782                         return SECCLASS_NETLINK_DNRT_SOCKET;
783                 case NETLINK_KOBJECT_UEVENT:
784                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
785                 default:
786                         return SECCLASS_NETLINK_SOCKET;
787                 }
788         case PF_PACKET:
789                 return SECCLASS_PACKET_SOCKET;
790         case PF_KEY:
791                 return SECCLASS_KEY_SOCKET;
792         case PF_APPLETALK:
793                 return SECCLASS_APPLETALK_SOCKET;
794         }
795
796         return SECCLASS_SOCKET;
797 }
798
799 #ifdef CONFIG_PROC_FS
800 static int selinux_proc_get_sid(struct proc_dir_entry *de,
801                                 u16 tclass,
802                                 u32 *sid)
803 {
804         int buflen, rc;
805         char *buffer, *path, *end;
806
807         buffer = (char*)__get_free_page(GFP_KERNEL);
808         if (!buffer)
809                 return -ENOMEM;
810
811         buflen = PAGE_SIZE;
812         end = buffer+buflen;
813         *--end = '\0';
814         buflen--;
815         path = end-1;
816         *path = '/';
817         while (de && de != de->parent) {
818                 buflen -= de->namelen + 1;
819                 if (buflen < 0)
820                         break;
821                 end -= de->namelen;
822                 memcpy(end, de->name, de->namelen);
823                 *--end = '/';
824                 path = end;
825                 de = de->parent;
826         }
827         rc = security_genfs_sid("proc", path, tclass, sid);
828         free_page((unsigned long)buffer);
829         return rc;
830 }
831 #else
832 static int selinux_proc_get_sid(struct proc_dir_entry *de,
833                                 u16 tclass,
834                                 u32 *sid)
835 {
836         return -EINVAL;
837 }
838 #endif
839
840 /* The inode's security attributes must be initialized before first use. */
841 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
842 {
843         struct superblock_security_struct *sbsec = NULL;
844         struct inode_security_struct *isec = inode->i_security;
845         u32 sid;
846         struct dentry *dentry;
847 #define INITCONTEXTLEN 255
848         char *context = NULL;
849         unsigned len = 0;
850         int rc = 0;
851
852         if (isec->initialized)
853                 goto out;
854
855         mutex_lock(&isec->lock);
856         if (isec->initialized)
857                 goto out_unlock;
858
859         sbsec = inode->i_sb->s_security;
860         if (!sbsec->initialized) {
861                 /* Defer initialization until selinux_complete_init,
862                    after the initial policy is loaded and the security
863                    server is ready to handle calls. */
864                 spin_lock(&sbsec->isec_lock);
865                 if (list_empty(&isec->list))
866                         list_add(&isec->list, &sbsec->isec_head);
867                 spin_unlock(&sbsec->isec_lock);
868                 goto out_unlock;
869         }
870
871         switch (sbsec->behavior) {
872         case SECURITY_FS_USE_XATTR:
873                 if (!inode->i_op->getxattr) {
874                         isec->sid = sbsec->def_sid;
875                         break;
876                 }
877
878                 /* Need a dentry, since the xattr API requires one.
879                    Life would be simpler if we could just pass the inode. */
880                 if (opt_dentry) {
881                         /* Called from d_instantiate or d_splice_alias. */
882                         dentry = dget(opt_dentry);
883                 } else {
884                         /* Called from selinux_complete_init, try to find a dentry. */
885                         dentry = d_find_alias(inode);
886                 }
887                 if (!dentry) {
888                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
889                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
890                                inode->i_ino);
891                         goto out_unlock;
892                 }
893
894                 len = INITCONTEXTLEN;
895                 context = kmalloc(len, GFP_KERNEL);
896                 if (!context) {
897                         rc = -ENOMEM;
898                         dput(dentry);
899                         goto out_unlock;
900                 }
901                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
902                                            context, len);
903                 if (rc == -ERANGE) {
904                         /* Need a larger buffer.  Query for the right size. */
905                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
906                                                    NULL, 0);
907                         if (rc < 0) {
908                                 dput(dentry);
909                                 goto out_unlock;
910                         }
911                         kfree(context);
912                         len = rc;
913                         context = kmalloc(len, GFP_KERNEL);
914                         if (!context) {
915                                 rc = -ENOMEM;
916                                 dput(dentry);
917                                 goto out_unlock;
918                         }
919                         rc = inode->i_op->getxattr(dentry,
920                                                    XATTR_NAME_SELINUX,
921                                                    context, len);
922                 }
923                 dput(dentry);
924                 if (rc < 0) {
925                         if (rc != -ENODATA) {
926                                 printk(KERN_WARNING "%s:  getxattr returned "
927                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
928                                        -rc, inode->i_sb->s_id, inode->i_ino);
929                                 kfree(context);
930                                 goto out_unlock;
931                         }
932                         /* Map ENODATA to the default file SID */
933                         sid = sbsec->def_sid;
934                         rc = 0;
935                 } else {
936                         rc = security_context_to_sid_default(context, rc, &sid,
937                                                              sbsec->def_sid);
938                         if (rc) {
939                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
940                                        "returned %d for dev=%s ino=%ld\n",
941                                        __FUNCTION__, context, -rc,
942                                        inode->i_sb->s_id, inode->i_ino);
943                                 kfree(context);
944                                 /* Leave with the unlabeled SID */
945                                 rc = 0;
946                                 break;
947                         }
948                 }
949                 kfree(context);
950                 isec->sid = sid;
951                 break;
952         case SECURITY_FS_USE_TASK:
953                 isec->sid = isec->task_sid;
954                 break;
955         case SECURITY_FS_USE_TRANS:
956                 /* Default to the fs SID. */
957                 isec->sid = sbsec->sid;
958
959                 /* Try to obtain a transition SID. */
960                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
961                 rc = security_transition_sid(isec->task_sid,
962                                              sbsec->sid,
963                                              isec->sclass,
964                                              &sid);
965                 if (rc)
966                         goto out_unlock;
967                 isec->sid = sid;
968                 break;
969         case SECURITY_FS_USE_MNTPOINT:
970                 isec->sid = sbsec->mntpoint_sid;
971                 break;
972         default:
973                 /* Default to the fs superblock SID. */
974                 isec->sid = sbsec->sid;
975
976                 if (sbsec->proc) {
977                         struct proc_inode *proci = PROC_I(inode);
978                         if (proci->pde) {
979                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
980                                 rc = selinux_proc_get_sid(proci->pde,
981                                                           isec->sclass,
982                                                           &sid);
983                                 if (rc)
984                                         goto out_unlock;
985                                 isec->sid = sid;
986                         }
987                 }
988                 break;
989         }
990
991         isec->initialized = 1;
992
993 out_unlock:
994         mutex_unlock(&isec->lock);
995 out:
996         if (isec->sclass == SECCLASS_FILE)
997                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
998         return rc;
999 }
1000
1001 /* Convert a Linux signal to an access vector. */
1002 static inline u32 signal_to_av(int sig)
1003 {
1004         u32 perm = 0;
1005
1006         switch (sig) {
1007         case SIGCHLD:
1008                 /* Commonly granted from child to parent. */
1009                 perm = PROCESS__SIGCHLD;
1010                 break;
1011         case SIGKILL:
1012                 /* Cannot be caught or ignored */
1013                 perm = PROCESS__SIGKILL;
1014                 break;
1015         case SIGSTOP:
1016                 /* Cannot be caught or ignored */
1017                 perm = PROCESS__SIGSTOP;
1018                 break;
1019         default:
1020                 /* All other signals. */
1021                 perm = PROCESS__SIGNAL;
1022                 break;
1023         }
1024
1025         return perm;
1026 }
1027
1028 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1029    fork check, ptrace check, etc. */
1030 static int task_has_perm(struct task_struct *tsk1,
1031                          struct task_struct *tsk2,
1032                          u32 perms)
1033 {
1034         struct task_security_struct *tsec1, *tsec2;
1035
1036         tsec1 = tsk1->security;
1037         tsec2 = tsk2->security;
1038         return avc_has_perm(tsec1->sid, tsec2->sid,
1039                             SECCLASS_PROCESS, perms, NULL);
1040 }
1041
1042 /* Check whether a task is allowed to use a capability. */
1043 static int task_has_capability(struct task_struct *tsk,
1044                                int cap)
1045 {
1046         struct task_security_struct *tsec;
1047         struct avc_audit_data ad;
1048
1049         tsec = tsk->security;
1050
1051         AVC_AUDIT_DATA_INIT(&ad,CAP);
1052         ad.tsk = tsk;
1053         ad.u.cap = cap;
1054
1055         return avc_has_perm(tsec->sid, tsec->sid,
1056                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1057 }
1058
1059 /* Check whether a task is allowed to use a system operation. */
1060 static int task_has_system(struct task_struct *tsk,
1061                            u32 perms)
1062 {
1063         struct task_security_struct *tsec;
1064
1065         tsec = tsk->security;
1066
1067         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1068                             SECCLASS_SYSTEM, perms, NULL);
1069 }
1070
1071 /* Check whether a task has a particular permission to an inode.
1072    The 'adp' parameter is optional and allows other audit
1073    data to be passed (e.g. the dentry). */
1074 static int inode_has_perm(struct task_struct *tsk,
1075                           struct inode *inode,
1076                           u32 perms,
1077                           struct avc_audit_data *adp)
1078 {
1079         struct task_security_struct *tsec;
1080         struct inode_security_struct *isec;
1081         struct avc_audit_data ad;
1082
1083         if (unlikely (IS_PRIVATE (inode)))
1084                 return 0;
1085
1086         tsec = tsk->security;
1087         isec = inode->i_security;
1088
1089         if (!adp) {
1090                 adp = &ad;
1091                 AVC_AUDIT_DATA_INIT(&ad, FS);
1092                 ad.u.fs.inode = inode;
1093         }
1094
1095         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1096 }
1097
1098 /* Same as inode_has_perm, but pass explicit audit data containing
1099    the dentry to help the auditing code to more easily generate the
1100    pathname if needed. */
1101 static inline int dentry_has_perm(struct task_struct *tsk,
1102                                   struct vfsmount *mnt,
1103                                   struct dentry *dentry,
1104                                   u32 av)
1105 {
1106         struct inode *inode = dentry->d_inode;
1107         struct avc_audit_data ad;
1108         AVC_AUDIT_DATA_INIT(&ad,FS);
1109         ad.u.fs.mnt = mnt;
1110         ad.u.fs.dentry = dentry;
1111         return inode_has_perm(tsk, inode, av, &ad);
1112 }
1113
1114 /* Check whether a task can use an open file descriptor to
1115    access an inode in a given way.  Check access to the
1116    descriptor itself, and then use dentry_has_perm to
1117    check a particular permission to the file.
1118    Access to the descriptor is implicitly granted if it
1119    has the same SID as the process.  If av is zero, then
1120    access to the file is not checked, e.g. for cases
1121    where only the descriptor is affected like seek. */
1122 static int file_has_perm(struct task_struct *tsk,
1123                                 struct file *file,
1124                                 u32 av)
1125 {
1126         struct task_security_struct *tsec = tsk->security;
1127         struct file_security_struct *fsec = file->f_security;
1128         struct vfsmount *mnt = file->f_path.mnt;
1129         struct dentry *dentry = file->f_path.dentry;
1130         struct inode *inode = dentry->d_inode;
1131         struct avc_audit_data ad;
1132         int rc;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135         ad.u.fs.mnt = mnt;
1136         ad.u.fs.dentry = dentry;
1137
1138         if (tsec->sid != fsec->sid) {
1139                 rc = avc_has_perm(tsec->sid, fsec->sid,
1140                                   SECCLASS_FD,
1141                                   FD__USE,
1142                                   &ad);
1143                 if (rc)
1144                         return rc;
1145         }
1146
1147         /* av is zero if only checking access to the descriptor. */
1148         if (av)
1149                 return inode_has_perm(tsk, inode, av, &ad);
1150
1151         return 0;
1152 }
1153
1154 /* Check whether a task can create a file. */
1155 static int may_create(struct inode *dir,
1156                       struct dentry *dentry,
1157                       u16 tclass)
1158 {
1159         struct task_security_struct *tsec;
1160         struct inode_security_struct *dsec;
1161         struct superblock_security_struct *sbsec;
1162         u32 newsid;
1163         struct avc_audit_data ad;
1164         int rc;
1165
1166         tsec = current->security;
1167         dsec = dir->i_security;
1168         sbsec = dir->i_sb->s_security;
1169
1170         AVC_AUDIT_DATA_INIT(&ad, FS);
1171         ad.u.fs.dentry = dentry;
1172
1173         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1174                           DIR__ADD_NAME | DIR__SEARCH,
1175                           &ad);
1176         if (rc)
1177                 return rc;
1178
1179         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1180                 newsid = tsec->create_sid;
1181         } else {
1182                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1183                                              &newsid);
1184                 if (rc)
1185                         return rc;
1186         }
1187
1188         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1189         if (rc)
1190                 return rc;
1191
1192         return avc_has_perm(newsid, sbsec->sid,
1193                             SECCLASS_FILESYSTEM,
1194                             FILESYSTEM__ASSOCIATE, &ad);
1195 }
1196
1197 /* Check whether a task can create a key. */
1198 static int may_create_key(u32 ksid,
1199                           struct task_struct *ctx)
1200 {
1201         struct task_security_struct *tsec;
1202
1203         tsec = ctx->security;
1204
1205         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1206 }
1207
1208 #define MAY_LINK   0
1209 #define MAY_UNLINK 1
1210 #define MAY_RMDIR  2
1211
1212 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1213 static int may_link(struct inode *dir,
1214                     struct dentry *dentry,
1215                     int kind)
1216
1217 {
1218         struct task_security_struct *tsec;
1219         struct inode_security_struct *dsec, *isec;
1220         struct avc_audit_data ad;
1221         u32 av;
1222         int rc;
1223
1224         tsec = current->security;
1225         dsec = dir->i_security;
1226         isec = dentry->d_inode->i_security;
1227
1228         AVC_AUDIT_DATA_INIT(&ad, FS);
1229         ad.u.fs.dentry = dentry;
1230
1231         av = DIR__SEARCH;
1232         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1233         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1234         if (rc)
1235                 return rc;
1236
1237         switch (kind) {
1238         case MAY_LINK:
1239                 av = FILE__LINK;
1240                 break;
1241         case MAY_UNLINK:
1242                 av = FILE__UNLINK;
1243                 break;
1244         case MAY_RMDIR:
1245                 av = DIR__RMDIR;
1246                 break;
1247         default:
1248                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1249                 return 0;
1250         }
1251
1252         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1253         return rc;
1254 }
1255
1256 static inline int may_rename(struct inode *old_dir,
1257                              struct dentry *old_dentry,
1258                              struct inode *new_dir,
1259                              struct dentry *new_dentry)
1260 {
1261         struct task_security_struct *tsec;
1262         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1263         struct avc_audit_data ad;
1264         u32 av;
1265         int old_is_dir, new_is_dir;
1266         int rc;
1267
1268         tsec = current->security;
1269         old_dsec = old_dir->i_security;
1270         old_isec = old_dentry->d_inode->i_security;
1271         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1272         new_dsec = new_dir->i_security;
1273
1274         AVC_AUDIT_DATA_INIT(&ad, FS);
1275
1276         ad.u.fs.dentry = old_dentry;
1277         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1278                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1279         if (rc)
1280                 return rc;
1281         rc = avc_has_perm(tsec->sid, old_isec->sid,
1282                           old_isec->sclass, FILE__RENAME, &ad);
1283         if (rc)
1284                 return rc;
1285         if (old_is_dir && new_dir != old_dir) {
1286                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1287                                   old_isec->sclass, DIR__REPARENT, &ad);
1288                 if (rc)
1289                         return rc;
1290         }
1291
1292         ad.u.fs.dentry = new_dentry;
1293         av = DIR__ADD_NAME | DIR__SEARCH;
1294         if (new_dentry->d_inode)
1295                 av |= DIR__REMOVE_NAME;
1296         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1297         if (rc)
1298                 return rc;
1299         if (new_dentry->d_inode) {
1300                 new_isec = new_dentry->d_inode->i_security;
1301                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1302                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1303                                   new_isec->sclass,
1304                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1305                 if (rc)
1306                         return rc;
1307         }
1308
1309         return 0;
1310 }
1311
1312 /* Check whether a task can perform a filesystem operation. */
1313 static int superblock_has_perm(struct task_struct *tsk,
1314                                struct super_block *sb,
1315                                u32 perms,
1316                                struct avc_audit_data *ad)
1317 {
1318         struct task_security_struct *tsec;
1319         struct superblock_security_struct *sbsec;
1320
1321         tsec = tsk->security;
1322         sbsec = sb->s_security;
1323         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1324                             perms, ad);
1325 }
1326
1327 /* Convert a Linux mode and permission mask to an access vector. */
1328 static inline u32 file_mask_to_av(int mode, int mask)
1329 {
1330         u32 av = 0;
1331
1332         if ((mode & S_IFMT) != S_IFDIR) {
1333                 if (mask & MAY_EXEC)
1334                         av |= FILE__EXECUTE;
1335                 if (mask & MAY_READ)
1336                         av |= FILE__READ;
1337
1338                 if (mask & MAY_APPEND)
1339                         av |= FILE__APPEND;
1340                 else if (mask & MAY_WRITE)
1341                         av |= FILE__WRITE;
1342
1343         } else {
1344                 if (mask & MAY_EXEC)
1345                         av |= DIR__SEARCH;
1346                 if (mask & MAY_WRITE)
1347                         av |= DIR__WRITE;
1348                 if (mask & MAY_READ)
1349                         av |= DIR__READ;
1350         }
1351
1352         return av;
1353 }
1354
1355 /* Convert a Linux file to an access vector. */
1356 static inline u32 file_to_av(struct file *file)
1357 {
1358         u32 av = 0;
1359
1360         if (file->f_mode & FMODE_READ)
1361                 av |= FILE__READ;
1362         if (file->f_mode & FMODE_WRITE) {
1363                 if (file->f_flags & O_APPEND)
1364                         av |= FILE__APPEND;
1365                 else
1366                         av |= FILE__WRITE;
1367         }
1368
1369         return av;
1370 }
1371
1372 /* Hook functions begin here. */
1373
1374 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1375 {
1376         struct task_security_struct *psec = parent->security;
1377         struct task_security_struct *csec = child->security;
1378         int rc;
1379
1380         rc = secondary_ops->ptrace(parent,child);
1381         if (rc)
1382                 return rc;
1383
1384         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1385         /* Save the SID of the tracing process for later use in apply_creds. */
1386         if (!(child->ptrace & PT_PTRACED) && !rc)
1387                 csec->ptrace_sid = psec->sid;
1388         return rc;
1389 }
1390
1391 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1392                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1393 {
1394         int error;
1395
1396         error = task_has_perm(current, target, PROCESS__GETCAP);
1397         if (error)
1398                 return error;
1399
1400         return secondary_ops->capget(target, effective, inheritable, permitted);
1401 }
1402
1403 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1404                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405 {
1406         int error;
1407
1408         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1409         if (error)
1410                 return error;
1411
1412         return task_has_perm(current, target, PROCESS__SETCAP);
1413 }
1414
1415 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1416                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1417 {
1418         secondary_ops->capset_set(target, effective, inheritable, permitted);
1419 }
1420
1421 static int selinux_capable(struct task_struct *tsk, int cap)
1422 {
1423         int rc;
1424
1425         rc = secondary_ops->capable(tsk, cap);
1426         if (rc)
1427                 return rc;
1428
1429         return task_has_capability(tsk,cap);
1430 }
1431
1432 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1433 {
1434         int buflen, rc;
1435         char *buffer, *path, *end;
1436
1437         rc = -ENOMEM;
1438         buffer = (char*)__get_free_page(GFP_KERNEL);
1439         if (!buffer)
1440                 goto out;
1441
1442         buflen = PAGE_SIZE;
1443         end = buffer+buflen;
1444         *--end = '\0';
1445         buflen--;
1446         path = end-1;
1447         *path = '/';
1448         while (table) {
1449                 const char *name = table->procname;
1450                 size_t namelen = strlen(name);
1451                 buflen -= namelen + 1;
1452                 if (buflen < 0)
1453                         goto out_free;
1454                 end -= namelen;
1455                 memcpy(end, name, namelen);
1456                 *--end = '/';
1457                 path = end;
1458                 table = table->parent;
1459         }
1460         buflen -= 4;
1461         if (buflen < 0)
1462                 goto out_free;
1463         end -= 4;
1464         memcpy(end, "/sys", 4);
1465         path = end;
1466         rc = security_genfs_sid("proc", path, tclass, sid);
1467 out_free:
1468         free_page((unsigned long)buffer);
1469 out:
1470         return rc;
1471 }
1472
1473 static int selinux_sysctl(ctl_table *table, int op)
1474 {
1475         int error = 0;
1476         u32 av;
1477         struct task_security_struct *tsec;
1478         u32 tsid;
1479         int rc;
1480
1481         rc = secondary_ops->sysctl(table, op);
1482         if (rc)
1483                 return rc;
1484
1485         tsec = current->security;
1486
1487         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1488                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1489         if (rc) {
1490                 /* Default to the well-defined sysctl SID. */
1491                 tsid = SECINITSID_SYSCTL;
1492         }
1493
1494         /* The op values are "defined" in sysctl.c, thereby creating
1495          * a bad coupling between this module and sysctl.c */
1496         if(op == 001) {
1497                 error = avc_has_perm(tsec->sid, tsid,
1498                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1499         } else {
1500                 av = 0;
1501                 if (op & 004)
1502                         av |= FILE__READ;
1503                 if (op & 002)
1504                         av |= FILE__WRITE;
1505                 if (av)
1506                         error = avc_has_perm(tsec->sid, tsid,
1507                                              SECCLASS_FILE, av, NULL);
1508         }
1509
1510         return error;
1511 }
1512
1513 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1514 {
1515         int rc = 0;
1516
1517         if (!sb)
1518                 return 0;
1519
1520         switch (cmds) {
1521                 case Q_SYNC:
1522                 case Q_QUOTAON:
1523                 case Q_QUOTAOFF:
1524                 case Q_SETINFO:
1525                 case Q_SETQUOTA:
1526                         rc = superblock_has_perm(current,
1527                                                  sb,
1528                                                  FILESYSTEM__QUOTAMOD, NULL);
1529                         break;
1530                 case Q_GETFMT:
1531                 case Q_GETINFO:
1532                 case Q_GETQUOTA:
1533                         rc = superblock_has_perm(current,
1534                                                  sb,
1535                                                  FILESYSTEM__QUOTAGET, NULL);
1536                         break;
1537                 default:
1538                         rc = 0;  /* let the kernel handle invalid cmds */
1539                         break;
1540         }
1541         return rc;
1542 }
1543
1544 static int selinux_quota_on(struct dentry *dentry)
1545 {
1546         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1547 }
1548
1549 static int selinux_syslog(int type)
1550 {
1551         int rc;
1552
1553         rc = secondary_ops->syslog(type);
1554         if (rc)
1555                 return rc;
1556
1557         switch (type) {
1558                 case 3:         /* Read last kernel messages */
1559                 case 10:        /* Return size of the log buffer */
1560                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1561                         break;
1562                 case 6:         /* Disable logging to console */
1563                 case 7:         /* Enable logging to console */
1564                 case 8:         /* Set level of messages printed to console */
1565                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1566                         break;
1567                 case 0:         /* Close log */
1568                 case 1:         /* Open log */
1569                 case 2:         /* Read from log */
1570                 case 4:         /* Read/clear last kernel messages */
1571                 case 5:         /* Clear ring buffer */
1572                 default:
1573                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1574                         break;
1575         }
1576         return rc;
1577 }
1578
1579 /*
1580  * Check that a process has enough memory to allocate a new virtual
1581  * mapping. 0 means there is enough memory for the allocation to
1582  * succeed and -ENOMEM implies there is not.
1583  *
1584  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1585  * if the capability is granted, but __vm_enough_memory requires 1 if
1586  * the capability is granted.
1587  *
1588  * Do not audit the selinux permission check, as this is applied to all
1589  * processes that allocate mappings.
1590  */
1591 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1592 {
1593         int rc, cap_sys_admin = 0;
1594         struct task_security_struct *tsec = current->security;
1595
1596         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1597         if (rc == 0)
1598                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1599                                           SECCLASS_CAPABILITY,
1600                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1601                                           0,
1602                                           NULL);
1603
1604         if (rc == 0)
1605                 cap_sys_admin = 1;
1606
1607         return __vm_enough_memory(mm, pages, cap_sys_admin);
1608 }
1609
1610 /* binprm security operations */
1611
1612 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1613 {
1614         struct bprm_security_struct *bsec;
1615
1616         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1617         if (!bsec)
1618                 return -ENOMEM;
1619
1620         bsec->bprm = bprm;
1621         bsec->sid = SECINITSID_UNLABELED;
1622         bsec->set = 0;
1623
1624         bprm->security = bsec;
1625         return 0;
1626 }
1627
1628 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1629 {
1630         struct task_security_struct *tsec;
1631         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1632         struct inode_security_struct *isec;
1633         struct bprm_security_struct *bsec;
1634         u32 newsid;
1635         struct avc_audit_data ad;
1636         int rc;
1637
1638         rc = secondary_ops->bprm_set_security(bprm);
1639         if (rc)
1640                 return rc;
1641
1642         bsec = bprm->security;
1643
1644         if (bsec->set)
1645                 return 0;
1646
1647         tsec = current->security;
1648         isec = inode->i_security;
1649
1650         /* Default to the current task SID. */
1651         bsec->sid = tsec->sid;
1652
1653         /* Reset fs, key, and sock SIDs on execve. */
1654         tsec->create_sid = 0;
1655         tsec->keycreate_sid = 0;
1656         tsec->sockcreate_sid = 0;
1657
1658         if (tsec->exec_sid) {
1659                 newsid = tsec->exec_sid;
1660                 /* Reset exec SID on execve. */
1661                 tsec->exec_sid = 0;
1662         } else {
1663                 /* Check for a default transition on this program. */
1664                 rc = security_transition_sid(tsec->sid, isec->sid,
1665                                              SECCLASS_PROCESS, &newsid);
1666                 if (rc)
1667                         return rc;
1668         }
1669
1670         AVC_AUDIT_DATA_INIT(&ad, FS);
1671         ad.u.fs.mnt = bprm->file->f_path.mnt;
1672         ad.u.fs.dentry = bprm->file->f_path.dentry;
1673
1674         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1675                 newsid = tsec->sid;
1676
1677         if (tsec->sid == newsid) {
1678                 rc = avc_has_perm(tsec->sid, isec->sid,
1679                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1680                 if (rc)
1681                         return rc;
1682         } else {
1683                 /* Check permissions for the transition. */
1684                 rc = avc_has_perm(tsec->sid, newsid,
1685                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1686                 if (rc)
1687                         return rc;
1688
1689                 rc = avc_has_perm(newsid, isec->sid,
1690                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1691                 if (rc)
1692                         return rc;
1693
1694                 /* Clear any possibly unsafe personality bits on exec: */
1695                 current->personality &= ~PER_CLEAR_ON_SETID;
1696
1697                 /* Set the security field to the new SID. */
1698                 bsec->sid = newsid;
1699         }
1700
1701         bsec->set = 1;
1702         return 0;
1703 }
1704
1705 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1706 {
1707         return secondary_ops->bprm_check_security(bprm);
1708 }
1709
1710
1711 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1712 {
1713         struct task_security_struct *tsec = current->security;
1714         int atsecure = 0;
1715
1716         if (tsec->osid != tsec->sid) {
1717                 /* Enable secure mode for SIDs transitions unless
1718                    the noatsecure permission is granted between
1719                    the two SIDs, i.e. ahp returns 0. */
1720                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1721                                          SECCLASS_PROCESS,
1722                                          PROCESS__NOATSECURE, NULL);
1723         }
1724
1725         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1726 }
1727
1728 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1729 {
1730         kfree(bprm->security);
1731         bprm->security = NULL;
1732 }
1733
1734 extern struct vfsmount *selinuxfs_mount;
1735 extern struct dentry *selinux_null;
1736
1737 /* Derived from fs/exec.c:flush_old_files. */
1738 static inline void flush_unauthorized_files(struct files_struct * files)
1739 {
1740         struct avc_audit_data ad;
1741         struct file *file, *devnull = NULL;
1742         struct tty_struct *tty;
1743         struct fdtable *fdt;
1744         long j = -1;
1745         int drop_tty = 0;
1746
1747         mutex_lock(&tty_mutex);
1748         tty = get_current_tty();
1749         if (tty) {
1750                 file_list_lock();
1751                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1752                 if (file) {
1753                         /* Revalidate access to controlling tty.
1754                            Use inode_has_perm on the tty inode directly rather
1755                            than using file_has_perm, as this particular open
1756                            file may belong to another process and we are only
1757                            interested in the inode-based check here. */
1758                         struct inode *inode = file->f_path.dentry->d_inode;
1759                         if (inode_has_perm(current, inode,
1760                                            FILE__READ | FILE__WRITE, NULL)) {
1761                                 drop_tty = 1;
1762                         }
1763                 }
1764                 file_list_unlock();
1765         }
1766         mutex_unlock(&tty_mutex);
1767         /* Reset controlling tty. */
1768         if (drop_tty)
1769                 no_tty();
1770
1771         /* Revalidate access to inherited open files. */
1772
1773         AVC_AUDIT_DATA_INIT(&ad,FS);
1774
1775         spin_lock(&files->file_lock);
1776         for (;;) {
1777                 unsigned long set, i;
1778                 int fd;
1779
1780                 j++;
1781                 i = j * __NFDBITS;
1782                 fdt = files_fdtable(files);
1783                 if (i >= fdt->max_fds)
1784                         break;
1785                 set = fdt->open_fds->fds_bits[j];
1786                 if (!set)
1787                         continue;
1788                 spin_unlock(&files->file_lock);
1789                 for ( ; set ; i++,set >>= 1) {
1790                         if (set & 1) {
1791                                 file = fget(i);
1792                                 if (!file)
1793                                         continue;
1794                                 if (file_has_perm(current,
1795                                                   file,
1796                                                   file_to_av(file))) {
1797                                         sys_close(i);
1798                                         fd = get_unused_fd();
1799                                         if (fd != i) {
1800                                                 if (fd >= 0)
1801                                                         put_unused_fd(fd);
1802                                                 fput(file);
1803                                                 continue;
1804                                         }
1805                                         if (devnull) {
1806                                                 get_file(devnull);
1807                                         } else {
1808                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1809                                                 if (IS_ERR(devnull)) {
1810                                                         devnull = NULL;
1811                                                         put_unused_fd(fd);
1812                                                         fput(file);
1813                                                         continue;
1814                                                 }
1815                                         }
1816                                         fd_install(fd, devnull);
1817                                 }
1818                                 fput(file);
1819                         }
1820                 }
1821                 spin_lock(&files->file_lock);
1822
1823         }
1824         spin_unlock(&files->file_lock);
1825 }
1826
1827 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1828 {
1829         struct task_security_struct *tsec;
1830         struct bprm_security_struct *bsec;
1831         u32 sid;
1832         int rc;
1833
1834         secondary_ops->bprm_apply_creds(bprm, unsafe);
1835
1836         tsec = current->security;
1837
1838         bsec = bprm->security;
1839         sid = bsec->sid;
1840
1841         tsec->osid = tsec->sid;
1842         bsec->unsafe = 0;
1843         if (tsec->sid != sid) {
1844                 /* Check for shared state.  If not ok, leave SID
1845                    unchanged and kill. */
1846                 if (unsafe & LSM_UNSAFE_SHARE) {
1847                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1848                                         PROCESS__SHARE, NULL);
1849                         if (rc) {
1850                                 bsec->unsafe = 1;
1851                                 return;
1852                         }
1853                 }
1854
1855                 /* Check for ptracing, and update the task SID if ok.
1856                    Otherwise, leave SID unchanged and kill. */
1857                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1858                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1859                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1860                                           NULL);
1861                         if (rc) {
1862                                 bsec->unsafe = 1;
1863                                 return;
1864                         }
1865                 }
1866                 tsec->sid = sid;
1867         }
1868 }
1869
1870 /*
1871  * called after apply_creds without the task lock held
1872  */
1873 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1874 {
1875         struct task_security_struct *tsec;
1876         struct rlimit *rlim, *initrlim;
1877         struct itimerval itimer;
1878         struct bprm_security_struct *bsec;
1879         int rc, i;
1880
1881         tsec = current->security;
1882         bsec = bprm->security;
1883
1884         if (bsec->unsafe) {
1885                 force_sig_specific(SIGKILL, current);
1886                 return;
1887         }
1888         if (tsec->osid == tsec->sid)
1889                 return;
1890
1891         /* Close files for which the new task SID is not authorized. */
1892         flush_unauthorized_files(current->files);
1893
1894         /* Check whether the new SID can inherit signal state
1895            from the old SID.  If not, clear itimers to avoid
1896            subsequent signal generation and flush and unblock
1897            signals. This must occur _after_ the task SID has
1898           been updated so that any kill done after the flush
1899           will be checked against the new SID. */
1900         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1901                           PROCESS__SIGINH, NULL);
1902         if (rc) {
1903                 memset(&itimer, 0, sizeof itimer);
1904                 for (i = 0; i < 3; i++)
1905                         do_setitimer(i, &itimer, NULL);
1906                 flush_signals(current);
1907                 spin_lock_irq(&current->sighand->siglock);
1908                 flush_signal_handlers(current, 1);
1909                 sigemptyset(&current->blocked);
1910                 recalc_sigpending();
1911                 spin_unlock_irq(&current->sighand->siglock);
1912         }
1913
1914         /* Always clear parent death signal on SID transitions. */
1915         current->pdeath_signal = 0;
1916
1917         /* Check whether the new SID can inherit resource limits
1918            from the old SID.  If not, reset all soft limits to
1919            the lower of the current task's hard limit and the init
1920            task's soft limit.  Note that the setting of hard limits
1921            (even to lower them) can be controlled by the setrlimit
1922            check. The inclusion of the init task's soft limit into
1923            the computation is to avoid resetting soft limits higher
1924            than the default soft limit for cases where the default
1925            is lower than the hard limit, e.g. RLIMIT_CORE or
1926            RLIMIT_STACK.*/
1927         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1928                           PROCESS__RLIMITINH, NULL);
1929         if (rc) {
1930                 for (i = 0; i < RLIM_NLIMITS; i++) {
1931                         rlim = current->signal->rlim + i;
1932                         initrlim = init_task.signal->rlim+i;
1933                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1934                 }
1935                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1936                         /*
1937                          * This will cause RLIMIT_CPU calculations
1938                          * to be refigured.
1939                          */
1940                         current->it_prof_expires = jiffies_to_cputime(1);
1941                 }
1942         }
1943
1944         /* Wake up the parent if it is waiting so that it can
1945            recheck wait permission to the new task SID. */
1946         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1947 }
1948
1949 /* superblock security operations */
1950
1951 static int selinux_sb_alloc_security(struct super_block *sb)
1952 {
1953         return superblock_alloc_security(sb);
1954 }
1955
1956 static void selinux_sb_free_security(struct super_block *sb)
1957 {
1958         superblock_free_security(sb);
1959 }
1960
1961 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1962 {
1963         if (plen > olen)
1964                 return 0;
1965
1966         return !memcmp(prefix, option, plen);
1967 }
1968
1969 static inline int selinux_option(char *option, int len)
1970 {
1971         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1972                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1973                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1974                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1975 }
1976
1977 static inline void take_option(char **to, char *from, int *first, int len)
1978 {
1979         if (!*first) {
1980                 **to = ',';
1981                 *to += 1;
1982         } else
1983                 *first = 0;
1984         memcpy(*to, from, len);
1985         *to += len;
1986 }
1987
1988 static inline void take_selinux_option(char **to, char *from, int *first, 
1989                                        int len)
1990 {
1991         int current_size = 0;
1992
1993         if (!*first) {
1994                 **to = '|';
1995                 *to += 1;
1996         }
1997         else
1998                 *first = 0;
1999
2000         while (current_size < len) {
2001                 if (*from != '"') {
2002                         **to = *from;
2003                         *to += 1;
2004                 }
2005                 from += 1;
2006                 current_size += 1;
2007         }
2008 }
2009
2010 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2011 {
2012         int fnosec, fsec, rc = 0;
2013         char *in_save, *in_curr, *in_end;
2014         char *sec_curr, *nosec_save, *nosec;
2015         int open_quote = 0;
2016
2017         in_curr = orig;
2018         sec_curr = copy;
2019
2020         /* Binary mount data: just copy */
2021         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2022                 copy_page(sec_curr, in_curr);
2023                 goto out;
2024         }
2025
2026         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2027         if (!nosec) {
2028                 rc = -ENOMEM;
2029                 goto out;
2030         }
2031
2032         nosec_save = nosec;
2033         fnosec = fsec = 1;
2034         in_save = in_end = orig;
2035
2036         do {
2037                 if (*in_end == '"')
2038                         open_quote = !open_quote;
2039                 if ((*in_end == ',' && open_quote == 0) ||
2040                                 *in_end == '\0') {
2041                         int len = in_end - in_curr;
2042
2043                         if (selinux_option(in_curr, len))
2044                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2045                         else
2046                                 take_option(&nosec, in_curr, &fnosec, len);
2047
2048                         in_curr = in_end + 1;
2049                 }
2050         } while (*in_end++);
2051
2052         strcpy(in_save, nosec_save);
2053         free_page((unsigned long)nosec_save);
2054 out:
2055         return rc;
2056 }
2057
2058 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2059 {
2060         struct avc_audit_data ad;
2061         int rc;
2062
2063         rc = superblock_doinit(sb, data);
2064         if (rc)
2065                 return rc;
2066
2067         AVC_AUDIT_DATA_INIT(&ad,FS);
2068         ad.u.fs.dentry = sb->s_root;
2069         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2070 }
2071
2072 static int selinux_sb_statfs(struct dentry *dentry)
2073 {
2074         struct avc_audit_data ad;
2075
2076         AVC_AUDIT_DATA_INIT(&ad,FS);
2077         ad.u.fs.dentry = dentry->d_sb->s_root;
2078         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2079 }
2080
2081 static int selinux_mount(char * dev_name,
2082                          struct nameidata *nd,
2083                          char * type,
2084                          unsigned long flags,
2085                          void * data)
2086 {
2087         int rc;
2088
2089         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2090         if (rc)
2091                 return rc;
2092
2093         if (flags & MS_REMOUNT)
2094                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2095                                            FILESYSTEM__REMOUNT, NULL);
2096         else
2097                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2098                                        FILE__MOUNTON);
2099 }
2100
2101 static int selinux_umount(struct vfsmount *mnt, int flags)
2102 {
2103         int rc;
2104
2105         rc = secondary_ops->sb_umount(mnt, flags);
2106         if (rc)
2107                 return rc;
2108
2109         return superblock_has_perm(current,mnt->mnt_sb,
2110                                    FILESYSTEM__UNMOUNT,NULL);
2111 }
2112
2113 /* inode security operations */
2114
2115 static int selinux_inode_alloc_security(struct inode *inode)
2116 {
2117         return inode_alloc_security(inode);
2118 }
2119
2120 static void selinux_inode_free_security(struct inode *inode)
2121 {
2122         inode_free_security(inode);
2123 }
2124
2125 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2126                                        char **name, void **value,
2127                                        size_t *len)
2128 {
2129         struct task_security_struct *tsec;
2130         struct inode_security_struct *dsec;
2131         struct superblock_security_struct *sbsec;
2132         u32 newsid, clen;
2133         int rc;
2134         char *namep = NULL, *context;
2135
2136         tsec = current->security;
2137         dsec = dir->i_security;
2138         sbsec = dir->i_sb->s_security;
2139
2140         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2141                 newsid = tsec->create_sid;
2142         } else {
2143                 rc = security_transition_sid(tsec->sid, dsec->sid,
2144                                              inode_mode_to_security_class(inode->i_mode),
2145                                              &newsid);
2146                 if (rc) {
2147                         printk(KERN_WARNING "%s:  "
2148                                "security_transition_sid failed, rc=%d (dev=%s "
2149                                "ino=%ld)\n",
2150                                __FUNCTION__,
2151                                -rc, inode->i_sb->s_id, inode->i_ino);
2152                         return rc;
2153                 }
2154         }
2155
2156         /* Possibly defer initialization to selinux_complete_init. */
2157         if (sbsec->initialized) {
2158                 struct inode_security_struct *isec = inode->i_security;
2159                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2160                 isec->sid = newsid;
2161                 isec->initialized = 1;
2162         }
2163
2164         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2165                 return -EOPNOTSUPP;
2166
2167         if (name) {
2168                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2169                 if (!namep)
2170                         return -ENOMEM;
2171                 *name = namep;
2172         }
2173
2174         if (value && len) {
2175                 rc = security_sid_to_context(newsid, &context, &clen);
2176                 if (rc) {
2177                         kfree(namep);
2178                         return rc;
2179                 }
2180                 *value = context;
2181                 *len = clen;
2182         }
2183
2184         return 0;
2185 }
2186
2187 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2188 {
2189         return may_create(dir, dentry, SECCLASS_FILE);
2190 }
2191
2192 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2193 {
2194         int rc;
2195
2196         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2197         if (rc)
2198                 return rc;
2199         return may_link(dir, old_dentry, MAY_LINK);
2200 }
2201
2202 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2203 {
2204         int rc;
2205
2206         rc = secondary_ops->inode_unlink(dir, dentry);
2207         if (rc)
2208                 return rc;
2209         return may_link(dir, dentry, MAY_UNLINK);
2210 }
2211
2212 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2213 {
2214         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2215 }
2216
2217 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2218 {
2219         return may_create(dir, dentry, SECCLASS_DIR);
2220 }
2221
2222 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2223 {
2224         return may_link(dir, dentry, MAY_RMDIR);
2225 }
2226
2227 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2228 {
2229         int rc;
2230
2231         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2232         if (rc)
2233                 return rc;
2234
2235         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2236 }
2237
2238 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2239                                 struct inode *new_inode, struct dentry *new_dentry)
2240 {
2241         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2242 }
2243
2244 static int selinux_inode_readlink(struct dentry *dentry)
2245 {
2246         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2247 }
2248
2249 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2250 {
2251         int rc;
2252
2253         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2254         if (rc)
2255                 return rc;
2256         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2257 }
2258
2259 static int selinux_inode_permission(struct inode *inode, int mask,
2260                                     struct nameidata *nd)
2261 {
2262         int rc;
2263
2264         rc = secondary_ops->inode_permission(inode, mask, nd);
2265         if (rc)
2266                 return rc;
2267
2268         if (!mask) {
2269                 /* No permission to check.  Existence test. */
2270                 return 0;
2271         }
2272
2273         return inode_has_perm(current, inode,
2274                                file_mask_to_av(inode->i_mode, mask), NULL);
2275 }
2276
2277 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2278 {
2279         int rc;
2280
2281         rc = secondary_ops->inode_setattr(dentry, iattr);
2282         if (rc)
2283                 return rc;
2284
2285         if (iattr->ia_valid & ATTR_FORCE)
2286                 return 0;
2287
2288         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2289                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2290                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2291
2292         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2293 }
2294
2295 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2296 {
2297         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2298 }
2299
2300 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2301 {
2302         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2303                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2304                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2305                         if (!capable(CAP_SETFCAP))
2306                                 return -EPERM;
2307                 } else if (!capable(CAP_SYS_ADMIN)) {
2308                         /* A different attribute in the security namespace.
2309                            Restrict to administrator. */
2310                         return -EPERM;
2311                 }
2312         }
2313
2314         /* Not an attribute we recognize, so just check the
2315            ordinary setattr permission. */
2316         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2317 }
2318
2319 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2320 {
2321         struct task_security_struct *tsec = current->security;
2322         struct inode *inode = dentry->d_inode;
2323         struct inode_security_struct *isec = inode->i_security;
2324         struct superblock_security_struct *sbsec;
2325         struct avc_audit_data ad;
2326         u32 newsid;
2327         int rc = 0;
2328
2329         if (strcmp(name, XATTR_NAME_SELINUX))
2330                 return selinux_inode_setotherxattr(dentry, name);
2331
2332         sbsec = inode->i_sb->s_security;
2333         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2334                 return -EOPNOTSUPP;
2335
2336         if (!is_owner_or_cap(inode))
2337                 return -EPERM;
2338
2339         AVC_AUDIT_DATA_INIT(&ad,FS);
2340         ad.u.fs.dentry = dentry;
2341
2342         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2343                           FILE__RELABELFROM, &ad);
2344         if (rc)
2345                 return rc;
2346
2347         rc = security_context_to_sid(value, size, &newsid);
2348         if (rc)
2349                 return rc;
2350
2351         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2352                           FILE__RELABELTO, &ad);
2353         if (rc)
2354                 return rc;
2355
2356         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2357                                           isec->sclass);
2358         if (rc)
2359                 return rc;
2360
2361         return avc_has_perm(newsid,
2362                             sbsec->sid,
2363                             SECCLASS_FILESYSTEM,
2364                             FILESYSTEM__ASSOCIATE,
2365                             &ad);
2366 }
2367
2368 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2369                                         void *value, size_t size, int flags)
2370 {
2371         struct inode *inode = dentry->d_inode;
2372         struct inode_security_struct *isec = inode->i_security;
2373         u32 newsid;
2374         int rc;
2375
2376         if (strcmp(name, XATTR_NAME_SELINUX)) {
2377                 /* Not an attribute we recognize, so nothing to do. */
2378                 return;
2379         }
2380
2381         rc = security_context_to_sid(value, size, &newsid);
2382         if (rc) {
2383                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2384                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2385                 return;
2386         }
2387
2388         isec->sid = newsid;
2389         return;
2390 }
2391
2392 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2393 {
2394         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2395 }
2396
2397 static int selinux_inode_listxattr (struct dentry *dentry)
2398 {
2399         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2400 }
2401
2402 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2403 {
2404         if (strcmp(name, XATTR_NAME_SELINUX))
2405                 return selinux_inode_setotherxattr(dentry, name);
2406
2407         /* No one is allowed to remove a SELinux security label.
2408            You can change the label, but all data must be labeled. */
2409         return -EACCES;
2410 }
2411
2412 /*
2413  * Copy the in-core inode security context value to the user.  If the
2414  * getxattr() prior to this succeeded, check to see if we need to
2415  * canonicalize the value to be finally returned to the user.
2416  *
2417  * Permission check is handled by selinux_inode_getxattr hook.
2418  */
2419 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2420 {
2421         struct inode_security_struct *isec = inode->i_security;
2422
2423         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2424                 return -EOPNOTSUPP;
2425
2426         return selinux_getsecurity(isec->sid, buffer, size);
2427 }
2428
2429 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2430                                      const void *value, size_t size, int flags)
2431 {
2432         struct inode_security_struct *isec = inode->i_security;
2433         u32 newsid;
2434         int rc;
2435
2436         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2437                 return -EOPNOTSUPP;
2438
2439         if (!value || !size)
2440                 return -EACCES;
2441
2442         rc = security_context_to_sid((void*)value, size, &newsid);
2443         if (rc)
2444                 return rc;
2445
2446         isec->sid = newsid;
2447         return 0;
2448 }
2449
2450 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2451 {
2452         const int len = sizeof(XATTR_NAME_SELINUX);
2453         if (buffer && len <= buffer_size)
2454                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2455         return len;
2456 }
2457
2458 static int selinux_inode_need_killpriv(struct dentry *dentry)
2459 {
2460         return secondary_ops->inode_need_killpriv(dentry);
2461 }
2462
2463 static int selinux_inode_killpriv(struct dentry *dentry)
2464 {
2465         return secondary_ops->inode_killpriv(dentry);
2466 }
2467
2468 /* file security operations */
2469
2470 static int selinux_revalidate_file_permission(struct file *file, int mask)
2471 {
2472         int rc;
2473         struct inode *inode = file->f_path.dentry->d_inode;
2474
2475         if (!mask) {
2476                 /* No permission to check.  Existence test. */
2477                 return 0;
2478         }
2479
2480         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2481         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2482                 mask |= MAY_APPEND;
2483
2484         rc = file_has_perm(current, file,
2485                            file_mask_to_av(inode->i_mode, mask));
2486         if (rc)
2487                 return rc;
2488
2489         return selinux_netlbl_inode_permission(inode, mask);
2490 }
2491
2492 static int selinux_file_permission(struct file *file, int mask)
2493 {
2494         struct inode *inode = file->f_path.dentry->d_inode;
2495         struct task_security_struct *tsec = current->security;
2496         struct file_security_struct *fsec = file->f_security;
2497         struct inode_security_struct *isec = inode->i_security;
2498
2499         if (!mask) {
2500                 /* No permission to check.  Existence test. */
2501                 return 0;
2502         }
2503
2504         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2505             && fsec->pseqno == avc_policy_seqno())
2506                 return selinux_netlbl_inode_permission(inode, mask);
2507
2508         return selinux_revalidate_file_permission(file, mask);
2509 }
2510
2511 static int selinux_file_alloc_security(struct file *file)
2512 {
2513         return file_alloc_security(file);
2514 }
2515
2516 static void selinux_file_free_security(struct file *file)
2517 {
2518         file_free_security(file);
2519 }
2520
2521 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2522                               unsigned long arg)
2523 {
2524         int error = 0;
2525
2526         switch (cmd) {
2527                 case FIONREAD:
2528                 /* fall through */
2529                 case FIBMAP:
2530                 /* fall through */
2531                 case FIGETBSZ:
2532                 /* fall through */
2533                 case EXT2_IOC_GETFLAGS:
2534                 /* fall through */
2535                 case EXT2_IOC_GETVERSION:
2536                         error = file_has_perm(current, file, FILE__GETATTR);
2537                         break;
2538
2539                 case EXT2_IOC_SETFLAGS:
2540                 /* fall through */
2541                 case EXT2_IOC_SETVERSION:
2542                         error = file_has_perm(current, file, FILE__SETATTR);
2543                         break;
2544
2545                 /* sys_ioctl() checks */
2546                 case FIONBIO:
2547                 /* fall through */
2548                 case FIOASYNC:
2549                         error = file_has_perm(current, file, 0);
2550                         break;
2551
2552                 case KDSKBENT:
2553                 case KDSKBSENT:
2554                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2555                         break;
2556
2557                 /* default case assumes that the command will go
2558                  * to the file's ioctl() function.
2559                  */
2560                 default:
2561                         error = file_has_perm(current, file, FILE__IOCTL);
2562
2563         }
2564         return error;
2565 }
2566
2567 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2568 {
2569 #ifndef CONFIG_PPC32
2570         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2571                 /*
2572                  * We are making executable an anonymous mapping or a
2573                  * private file mapping that will also be writable.
2574                  * This has an additional check.
2575                  */
2576                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2577                 if (rc)
2578                         return rc;
2579         }
2580 #endif
2581
2582         if (file) {
2583                 /* read access is always possible with a mapping */
2584                 u32 av = FILE__READ;
2585
2586                 /* write access only matters if the mapping is shared */
2587                 if (shared && (prot & PROT_WRITE))
2588                         av |= FILE__WRITE;
2589
2590                 if (prot & PROT_EXEC)
2591                         av |= FILE__EXECUTE;
2592
2593                 return file_has_perm(current, file, av);
2594         }
2595         return 0;
2596 }
2597
2598 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2599                              unsigned long prot, unsigned long flags,
2600                              unsigned long addr, unsigned long addr_only)
2601 {
2602         int rc = 0;
2603         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2604
2605         if (addr < mmap_min_addr)
2606                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2607                                   MEMPROTECT__MMAP_ZERO, NULL);
2608         if (rc || addr_only)
2609                 return rc;
2610
2611         if (selinux_checkreqprot)
2612                 prot = reqprot;
2613
2614         return file_map_prot_check(file, prot,
2615                                    (flags & MAP_TYPE) == MAP_SHARED);
2616 }
2617
2618 static int selinux_file_mprotect(struct vm_area_struct *vma,
2619                                  unsigned long reqprot,
2620                                  unsigned long prot)
2621 {
2622         int rc;
2623
2624         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2625         if (rc)
2626                 return rc;
2627
2628         if (selinux_checkreqprot)
2629                 prot = reqprot;
2630
2631 #ifndef CONFIG_PPC32
2632         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2633                 rc = 0;
2634                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2635                     vma->vm_end <= vma->vm_mm->brk) {
2636                         rc = task_has_perm(current, current,
2637                                            PROCESS__EXECHEAP);
2638                 } else if (!vma->vm_file &&
2639                            vma->vm_start <= vma->vm_mm->start_stack &&
2640                            vma->vm_end >= vma->vm_mm->start_stack) {
2641                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2642                 } else if (vma->vm_file && vma->anon_vma) {
2643                         /*
2644                          * We are making executable a file mapping that has
2645                          * had some COW done. Since pages might have been
2646                          * written, check ability to execute the possibly
2647                          * modified content.  This typically should only
2648                          * occur for text relocations.
2649                          */
2650                         rc = file_has_perm(current, vma->vm_file,
2651                                            FILE__EXECMOD);
2652                 }
2653                 if (rc)
2654                         return rc;
2655         }
2656 #endif
2657
2658         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2659 }
2660
2661 static int selinux_file_lock(struct file *file, unsigned int cmd)
2662 {
2663         return file_has_perm(current, file, FILE__LOCK);
2664 }
2665
2666 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2667                               unsigned long arg)
2668 {
2669         int err = 0;
2670
2671         switch (cmd) {
2672                 case F_SETFL:
2673                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2674                                 err = -EINVAL;
2675                                 break;
2676                         }
2677
2678                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2679                                 err = file_has_perm(current, file,FILE__WRITE);
2680                                 break;
2681                         }
2682                         /* fall through */
2683                 case F_SETOWN:
2684                 case F_SETSIG:
2685                 case F_GETFL:
2686                 case F_GETOWN:
2687                 case F_GETSIG:
2688                         /* Just check FD__USE permission */
2689                         err = file_has_perm(current, file, 0);
2690                         break;
2691                 case F_GETLK:
2692                 case F_SETLK:
2693                 case F_SETLKW:
2694 #if BITS_PER_LONG == 32
2695                 case F_GETLK64:
2696                 case F_SETLK64:
2697                 case F_SETLKW64:
2698 #endif
2699                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2700                                 err = -EINVAL;
2701                                 break;
2702                         }
2703                         err = file_has_perm(current, file, FILE__LOCK);
2704                         break;
2705         }
2706
2707         return err;
2708 }
2709
2710 static int selinux_file_set_fowner(struct file *file)
2711 {
2712         struct task_security_struct *tsec;
2713         struct file_security_struct *fsec;
2714
2715         tsec = current->security;
2716         fsec = file->f_security;
2717         fsec->fown_sid = tsec->sid;
2718
2719         return 0;
2720 }
2721
2722 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2723                                        struct fown_struct *fown, int signum)
2724 {
2725         struct file *file;
2726         u32 perm;
2727         struct task_security_struct *tsec;
2728         struct file_security_struct *fsec;
2729
2730         /* struct fown_struct is never outside the context of a struct file */
2731         file = container_of(fown, struct file, f_owner);
2732
2733         tsec = tsk->security;
2734         fsec = file->f_security;
2735
2736         if (!signum)
2737                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2738         else
2739                 perm = signal_to_av(signum);
2740
2741         return avc_has_perm(fsec->fown_sid, tsec->sid,
2742                             SECCLASS_PROCESS, perm, NULL);
2743 }
2744
2745 static int selinux_file_receive(struct file *file)
2746 {
2747         return file_has_perm(current, file, file_to_av(file));
2748 }
2749
2750 static int selinux_dentry_open(struct file *file)
2751 {
2752         struct file_security_struct *fsec;
2753         struct inode *inode;
2754         struct inode_security_struct *isec;
2755         inode = file->f_path.dentry->d_inode;
2756         fsec = file->f_security;
2757         isec = inode->i_security;
2758         /*
2759          * Save inode label and policy sequence number
2760          * at open-time so that selinux_file_permission
2761          * can determine whether revalidation is necessary.
2762          * Task label is already saved in the file security
2763          * struct as its SID.
2764          */
2765         fsec->isid = isec->sid;
2766         fsec->pseqno = avc_policy_seqno();
2767         /*
2768          * Since the inode label or policy seqno may have changed
2769          * between the selinux_inode_permission check and the saving
2770          * of state above, recheck that access is still permitted.
2771          * Otherwise, access might never be revalidated against the
2772          * new inode label or new policy.
2773          * This check is not redundant - do not remove.
2774          */
2775         return inode_has_perm(current, inode, file_to_av(file), NULL);
2776 }
2777
2778 /* task security operations */
2779
2780 static int selinux_task_create(unsigned long clone_flags)
2781 {
2782         int rc;
2783
2784         rc = secondary_ops->task_create(clone_flags);
2785         if (rc)
2786                 return rc;
2787
2788         return task_has_perm(current, current, PROCESS__FORK);
2789 }
2790
2791 static int selinux_task_alloc_security(struct task_struct *tsk)
2792 {
2793         struct task_security_struct *tsec1, *tsec2;
2794         int rc;
2795
2796         tsec1 = current->security;
2797
2798         rc = task_alloc_security(tsk);
2799         if (rc)
2800                 return rc;
2801         tsec2 = tsk->security;
2802
2803         tsec2->osid = tsec1->osid;
2804         tsec2->sid = tsec1->sid;
2805
2806         /* Retain the exec, fs, key, and sock SIDs across fork */
2807         tsec2->exec_sid = tsec1->exec_sid;
2808         tsec2->create_sid = tsec1->create_sid;
2809         tsec2->keycreate_sid = tsec1->keycreate_sid;
2810         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2811
2812         /* Retain ptracer SID across fork, if any.
2813            This will be reset by the ptrace hook upon any
2814            subsequent ptrace_attach operations. */
2815         tsec2->ptrace_sid = tsec1->ptrace_sid;
2816
2817         return 0;
2818 }
2819
2820 static void selinux_task_free_security(struct task_struct *tsk)
2821 {
2822         task_free_security(tsk);
2823 }
2824
2825 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2826 {
2827         /* Since setuid only affects the current process, and
2828            since the SELinux controls are not based on the Linux
2829            identity attributes, SELinux does not need to control
2830            this operation.  However, SELinux does control the use
2831            of the CAP_SETUID and CAP_SETGID capabilities using the
2832            capable hook. */
2833         return 0;
2834 }
2835
2836 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2837 {
2838         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2839 }
2840
2841 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2842 {
2843         /* See the comment for setuid above. */
2844         return 0;
2845 }
2846
2847 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2848 {
2849         return task_has_perm(current, p, PROCESS__SETPGID);
2850 }
2851
2852 static int selinux_task_getpgid(struct task_struct *p)
2853 {
2854         return task_has_perm(current, p, PROCESS__GETPGID);
2855 }
2856
2857 static int selinux_task_getsid(struct task_struct *p)
2858 {
2859         return task_has_perm(current, p, PROCESS__GETSESSION);
2860 }
2861
2862 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2863 {
2864         selinux_get_task_sid(p, secid);
2865 }
2866
2867 static int selinux_task_setgroups(struct group_info *group_info)
2868 {
2869         /* See the comment for setuid above. */
2870         return 0;
2871 }
2872
2873 static int selinux_task_setnice(struct task_struct *p, int nice)
2874 {
2875         int rc;
2876
2877         rc = secondary_ops->task_setnice(p, nice);
2878         if (rc)
2879                 return rc;
2880
2881         return task_has_perm(current,p, PROCESS__SETSCHED);
2882 }
2883
2884 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2885 {
2886         int rc;
2887
2888         rc = secondary_ops->task_setioprio(p, ioprio);
2889         if (rc)
2890                 return rc;
2891
2892         return task_has_perm(current, p, PROCESS__SETSCHED);
2893 }
2894
2895 static int selinux_task_getioprio(struct task_struct *p)
2896 {
2897         return task_has_perm(current, p, PROCESS__GETSCHED);
2898 }
2899
2900 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2901 {
2902         struct rlimit *old_rlim = current->signal->rlim + resource;
2903         int rc;
2904
2905         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2906         if (rc)
2907                 return rc;
2908
2909         /* Control the ability to change the hard limit (whether
2910            lowering or raising it), so that the hard limit can
2911            later be used as a safe reset point for the soft limit
2912            upon context transitions. See selinux_bprm_apply_creds. */
2913         if (old_rlim->rlim_max != new_rlim->rlim_max)
2914                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2915
2916         return 0;
2917 }
2918
2919 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2920 {
2921         int rc;
2922
2923         rc = secondary_ops->task_setscheduler(p, policy, lp);
2924         if (rc)
2925                 return rc;
2926
2927         return task_has_perm(current, p, PROCESS__SETSCHED);
2928 }
2929
2930 static int selinux_task_getscheduler(struct task_struct *p)
2931 {
2932         return task_has_perm(current, p, PROCESS__GETSCHED);
2933 }
2934
2935 static int selinux_task_movememory(struct task_struct *p)
2936 {
2937         return task_has_perm(current, p, PROCESS__SETSCHED);
2938 }
2939
2940 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2941                                 int sig, u32 secid)
2942 {
2943         u32 perm;
2944         int rc;
2945         struct task_security_struct *tsec;
2946
2947         rc = secondary_ops->task_kill(p, info, sig, secid);
2948         if (rc)
2949                 return rc;
2950
2951         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2952                 return 0;
2953
2954         if (!sig)
2955                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2956         else
2957                 perm = signal_to_av(sig);
2958         tsec = p->security;
2959         if (secid)
2960                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2961         else
2962                 rc = task_has_perm(current, p, perm);
2963         return rc;
2964 }
2965
2966 static int selinux_task_prctl(int option,
2967                               unsigned long arg2,
2968                               unsigned long arg3,
2969                               unsigned long arg4,
2970                               unsigned long arg5)
2971 {
2972         /* The current prctl operations do not appear to require
2973            any SELinux controls since they merely observe or modify
2974            the state of the current process. */
2975         return 0;
2976 }
2977
2978 static int selinux_task_wait(struct task_struct *p)
2979 {
2980         return task_has_perm(p, current, PROCESS__SIGCHLD);
2981 }
2982
2983 static void selinux_task_reparent_to_init(struct task_struct *p)
2984 {
2985         struct task_security_struct *tsec;
2986
2987         secondary_ops->task_reparent_to_init(p);
2988
2989         tsec = p->security;
2990         tsec->osid = tsec->sid;
2991         tsec->sid = SECINITSID_KERNEL;
2992         return;
2993 }
2994
2995 static void selinux_task_to_inode(struct task_struct *p,
2996                                   struct inode *inode)
2997 {
2998         struct task_security_struct *tsec = p->security;
2999         struct inode_security_struct *isec = inode->i_security;
3000
3001         isec->sid = tsec->sid;
3002         isec->initialized = 1;
3003         return;
3004 }
3005
3006 /* Returns error only if unable to parse addresses */
3007 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3008                         struct avc_audit_data *ad, u8 *proto)
3009 {
3010         int offset, ihlen, ret = -EINVAL;
3011         struct iphdr _iph, *ih;
3012
3013         offset = skb_network_offset(skb);
3014         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3015         if (ih == NULL)
3016                 goto out;
3017
3018         ihlen = ih->ihl * 4;
3019         if (ihlen < sizeof(_iph))
3020                 goto out;
3021
3022         ad->u.net.v4info.saddr = ih->saddr;
3023         ad->u.net.v4info.daddr = ih->daddr;
3024         ret = 0;
3025
3026         if (proto)
3027                 *proto = ih->protocol;
3028
3029         switch (ih->protocol) {
3030         case IPPROTO_TCP: {
3031                 struct tcphdr _tcph, *th;
3032
3033                 if (ntohs(ih->frag_off) & IP_OFFSET)
3034                         break;
3035
3036                 offset += ihlen;
3037                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3038                 if (th == NULL)
3039                         break;
3040
3041                 ad->u.net.sport = th->source;
3042                 ad->u.net.dport = th->dest;
3043                 break;
3044         }
3045         
3046         case IPPROTO_UDP: {
3047                 struct udphdr _udph, *uh;
3048                 
3049                 if (ntohs(ih->frag_off) & IP_OFFSET)
3050                         break;
3051                         
3052                 offset += ihlen;
3053                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3054                 if (uh == NULL)
3055                         break;  
3056
3057                 ad->u.net.sport = uh->source;
3058                 ad->u.net.dport = uh->dest;
3059                 break;
3060         }
3061
3062         case IPPROTO_DCCP: {
3063                 struct dccp_hdr _dccph, *dh;
3064
3065                 if (ntohs(ih->frag_off) & IP_OFFSET)
3066                         break;
3067
3068                 offset += ihlen;
3069                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3070                 if (dh == NULL)
3071                         break;
3072
3073                 ad->u.net.sport = dh->dccph_sport;
3074                 ad->u.net.dport = dh->dccph_dport;
3075                 break;
3076         }
3077
3078         default:
3079                 break;
3080         }
3081 out:
3082         return ret;
3083 }
3084
3085 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3086
3087 /* Returns error only if unable to parse addresses */
3088 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3089                         struct avc_audit_data *ad, u8 *proto)
3090 {
3091         u8 nexthdr;
3092         int ret = -EINVAL, offset;
3093         struct ipv6hdr _ipv6h, *ip6;
3094
3095         offset = skb_network_offset(skb);
3096         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3097         if (ip6 == NULL)
3098                 goto out;
3099
3100         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3101         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3102         ret = 0;
3103
3104         nexthdr = ip6->nexthdr;
3105         offset += sizeof(_ipv6h);
3106         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3107         if (offset < 0)
3108                 goto out;
3109
3110         if (proto)
3111                 *proto = nexthdr;
3112
3113         switch (nexthdr) {
3114         case IPPROTO_TCP: {
3115                 struct tcphdr _tcph, *th;
3116
3117                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3118                 if (th == NULL)
3119                         break;
3120
3121                 ad->u.net.sport = th->source;
3122                 ad->u.net.dport = th->dest;
3123                 break;
3124         }
3125
3126         case IPPROTO_UDP: {
3127                 struct udphdr _udph, *uh;
3128
3129                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3130                 if (uh == NULL)
3131                         break;
3132
3133                 ad->u.net.sport = uh->source;
3134                 ad->u.net.dport = uh->dest;
3135                 break;
3136         }
3137
3138         case IPPROTO_DCCP: {
3139                 struct dccp_hdr _dccph, *dh;
3140
3141                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3142                 if (dh == NULL)
3143                         break;
3144
3145                 ad->u.net.sport = dh->dccph_sport;
3146                 ad->u.net.dport = dh->dccph_dport;
3147                 break;
3148         }
3149
3150         /* includes fragments */
3151         default:
3152                 break;
3153         }
3154 out:
3155         return ret;
3156 }
3157
3158 #endif /* IPV6 */
3159
3160 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3161                              char **addrp, int *len, int src, u8 *proto)
3162 {
3163         int ret = 0;
3164
3165         switch (ad->u.net.family) {
3166         case PF_INET:
3167                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3168                 if (ret || !addrp)
3169                         break;
3170                 *len = 4;
3171                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3172                                         &ad->u.net.v4info.daddr);
3173                 break;
3174
3175 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3176         case PF_INET6:
3177                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3178                 if (ret || !addrp)
3179                         break;
3180                 *len = 16;
3181                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3182                                         &ad->u.net.v6info.daddr);
3183                 break;
3184 #endif  /* IPV6 */
3185         default:
3186                 break;
3187         }
3188
3189         return ret;
3190 }
3191
3192 /**
3193  * selinux_skb_extlbl_sid - Determine the external label of a packet
3194  * @skb: the packet
3195  * @sid: the packet's SID
3196  *
3197  * Description:
3198  * Check the various different forms of external packet labeling and determine
3199  * the external SID for the packet.  If only one form of external labeling is
3200  * present then it is used, if both labeled IPsec and NetLabel labels are
3201  * present then the SELinux type information is taken from the labeled IPsec
3202  * SA and the MLS sensitivity label information is taken from the NetLabel
3203  * security attributes.  This bit of "magic" is done in the call to