Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 static kmem_cache_t *sel_inode_cache;
121
122 /* Return security context for a given sid or just the context 
123    length if the buffer is null or length is 0 */
124 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
125 {
126         char *context;
127         unsigned len;
128         int rc;
129
130         rc = security_sid_to_context(sid, &context, &len);
131         if (rc)
132                 return rc;
133
134         if (!buffer || !size)
135                 goto getsecurity_exit;
136
137         if (size < len) {
138                 len = -ERANGE;
139                 goto getsecurity_exit;
140         }
141         memcpy(buffer, context, len);
142
143 getsecurity_exit:
144         kfree(context);
145         return len;
146 }
147
148 /* Allocate and free functions for each kind of security blob. */
149
150 static int task_alloc_security(struct task_struct *task)
151 {
152         struct task_security_struct *tsec;
153
154         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
155         if (!tsec)
156                 return -ENOMEM;
157
158         tsec->task = task;
159         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
160         task->security = tsec;
161
162         return 0;
163 }
164
165 static void task_free_security(struct task_struct *task)
166 {
167         struct task_security_struct *tsec = task->security;
168         task->security = NULL;
169         kfree(tsec);
170 }
171
172 static int inode_alloc_security(struct inode *inode)
173 {
174         struct task_security_struct *tsec = current->security;
175         struct inode_security_struct *isec;
176
177         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
178         if (!isec)
179                 return -ENOMEM;
180
181         memset(isec, 0, sizeof(*isec));
182         init_MUTEX(&isec->sem);
183         INIT_LIST_HEAD(&isec->list);
184         isec->inode = inode;
185         isec->sid = SECINITSID_UNLABELED;
186         isec->sclass = SECCLASS_FILE;
187         isec->task_sid = tsec->sid;
188         inode->i_security = isec;
189
190         return 0;
191 }
192
193 static void inode_free_security(struct inode *inode)
194 {
195         struct inode_security_struct *isec = inode->i_security;
196         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
197
198         spin_lock(&sbsec->isec_lock);
199         if (!list_empty(&isec->list))
200                 list_del_init(&isec->list);
201         spin_unlock(&sbsec->isec_lock);
202
203         inode->i_security = NULL;
204         kmem_cache_free(sel_inode_cache, isec);
205 }
206
207 static int file_alloc_security(struct file *file)
208 {
209         struct task_security_struct *tsec = current->security;
210         struct file_security_struct *fsec;
211
212         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
213         if (!fsec)
214                 return -ENOMEM;
215
216         fsec->file = file;
217         fsec->sid = tsec->sid;
218         fsec->fown_sid = tsec->sid;
219         file->f_security = fsec;
220
221         return 0;
222 }
223
224 static void file_free_security(struct file *file)
225 {
226         struct file_security_struct *fsec = file->f_security;
227         file->f_security = NULL;
228         kfree(fsec);
229 }
230
231 static int superblock_alloc_security(struct super_block *sb)
232 {
233         struct superblock_security_struct *sbsec;
234
235         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
236         if (!sbsec)
237                 return -ENOMEM;
238
239         init_MUTEX(&sbsec->sem);
240         INIT_LIST_HEAD(&sbsec->list);
241         INIT_LIST_HEAD(&sbsec->isec_head);
242         spin_lock_init(&sbsec->isec_lock);
243         sbsec->sb = sb;
244         sbsec->sid = SECINITSID_UNLABELED;
245         sbsec->def_sid = SECINITSID_FILE;
246         sb->s_security = sbsec;
247
248         return 0;
249 }
250
251 static void superblock_free_security(struct super_block *sb)
252 {
253         struct superblock_security_struct *sbsec = sb->s_security;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
265 {
266         struct sk_security_struct *ssec;
267
268         if (family != PF_UNIX)
269                 return 0;
270
271         ssec = kzalloc(sizeof(*ssec), priority);
272         if (!ssec)
273                 return -ENOMEM;
274
275         ssec->sk = sk;
276         ssec->peer_sid = SECINITSID_UNLABELED;
277         sk->sk_security = ssec;
278
279         return 0;
280 }
281
282 static void sk_free_security(struct sock *sk)
283 {
284         struct sk_security_struct *ssec = sk->sk_security;
285
286         if (sk->sk_family != PF_UNIX)
287                 return;
288
289         sk->sk_security = NULL;
290         kfree(ssec);
291 }
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_context = 1,
317         Opt_fscontext = 2,
318         Opt_defcontext = 4,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325 };
326
327 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
328
329 static int try_context_mount(struct super_block *sb, void *data)
330 {
331         char *context = NULL, *defcontext = NULL;
332         const char *name;
333         u32 sid;
334         int alloc = 0, rc = 0, seen = 0;
335         struct task_security_struct *tsec = current->security;
336         struct superblock_security_struct *sbsec = sb->s_security;
337
338         if (!data)
339                 goto out;
340
341         name = sb->s_type->name;
342
343         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344
345                 /* NFS we understand. */
346                 if (!strcmp(name, "nfs")) {
347                         struct nfs_mount_data *d = data;
348
349                         if (d->version <  NFS_MOUNT_VERSION)
350                                 goto out;
351
352                         if (d->context[0]) {
353                                 context = d->context;
354                                 seen |= Opt_context;
355                         }
356                 } else
357                         goto out;
358
359         } else {
360                 /* Standard string-based options. */
361                 char *p, *options = data;
362
363                 while ((p = strsep(&options, ",")) != NULL) {
364                         int token;
365                         substring_t args[MAX_OPT_ARGS];
366
367                         if (!*p)
368                                 continue;
369
370                         token = match_token(p, tokens, args);
371
372                         switch (token) {
373                         case Opt_context:
374                                 if (seen) {
375                                         rc = -EINVAL;
376                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377                                         goto out_free;
378                                 }
379                                 context = match_strdup(&args[0]);
380                                 if (!context) {
381                                         rc = -ENOMEM;
382                                         goto out_free;
383                                 }
384                                 if (!alloc)
385                                         alloc = 1;
386                                 seen |= Opt_context;
387                                 break;
388
389                         case Opt_fscontext:
390                                 if (seen & (Opt_context|Opt_fscontext)) {
391                                         rc = -EINVAL;
392                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
393                                         goto out_free;
394                                 }
395                                 context = match_strdup(&args[0]);
396                                 if (!context) {
397                                         rc = -ENOMEM;
398                                         goto out_free;
399                                 }
400                                 if (!alloc)
401                                         alloc = 1;
402                                 seen |= Opt_fscontext;
403                                 break;
404
405                         case Opt_defcontext:
406                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
407                                         rc = -EINVAL;
408                                         printk(KERN_WARNING "SELinux:  "
409                                                "defcontext option is invalid "
410                                                "for this filesystem type\n");
411                                         goto out_free;
412                                 }
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 defcontext = match_strdup(&args[0]);
419                                 if (!defcontext) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_defcontext;
426                                 break;
427
428                         default:
429                                 rc = -EINVAL;
430                                 printk(KERN_WARNING "SELinux:  unknown mount "
431                                        "option\n");
432                                 goto out_free;
433
434                         }
435                 }
436         }
437
438         if (!seen)
439                 goto out;
440
441         if (context) {
442                 rc = security_context_to_sid(context, strlen(context), &sid);
443                 if (rc) {
444                         printk(KERN_WARNING "SELinux: security_context_to_sid"
445                                "(%s) failed for (dev %s, type %s) errno=%d\n",
446                                context, sb->s_id, name, rc);
447                         goto out_free;
448                 }
449
450                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
451                                   FILESYSTEM__RELABELFROM, NULL);
452                 if (rc)
453                         goto out_free;
454
455                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
456                                   FILESYSTEM__RELABELTO, NULL);
457                 if (rc)
458                         goto out_free;
459
460                 sbsec->sid = sid;
461
462                 if (seen & Opt_context)
463                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
464         }
465
466         if (defcontext) {
467                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
468                 if (rc) {
469                         printk(KERN_WARNING "SELinux: security_context_to_sid"
470                                "(%s) failed for (dev %s, type %s) errno=%d\n",
471                                defcontext, sb->s_id, name, rc);
472                         goto out_free;
473                 }
474
475                 if (sid == sbsec->def_sid)
476                         goto out_free;
477
478                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
479                                   FILESYSTEM__RELABELFROM, NULL);
480                 if (rc)
481                         goto out_free;
482
483                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
484                                   FILESYSTEM__ASSOCIATE, NULL);
485                 if (rc)
486                         goto out_free;
487
488                 sbsec->def_sid = sid;
489         }
490
491 out_free:
492         if (alloc) {
493                 kfree(context);
494                 kfree(defcontext);
495         }
496 out:
497         return rc;
498 }
499
500 static int superblock_doinit(struct super_block *sb, void *data)
501 {
502         struct superblock_security_struct *sbsec = sb->s_security;
503         struct dentry *root = sb->s_root;
504         struct inode *inode = root->d_inode;
505         int rc = 0;
506
507         down(&sbsec->sem);
508         if (sbsec->initialized)
509                 goto out;
510
511         if (!ss_initialized) {
512                 /* Defer initialization until selinux_complete_init,
513                    after the initial policy is loaded and the security
514                    server is ready to handle calls. */
515                 spin_lock(&sb_security_lock);
516                 if (list_empty(&sbsec->list))
517                         list_add(&sbsec->list, &superblock_security_head);
518                 spin_unlock(&sb_security_lock);
519                 goto out;
520         }
521
522         /* Determine the labeling behavior to use for this filesystem type. */
523         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
524         if (rc) {
525                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
526                        __FUNCTION__, sb->s_type->name, rc);
527                 goto out;
528         }
529
530         rc = try_context_mount(sb, data);
531         if (rc)
532                 goto out;
533
534         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
535                 /* Make sure that the xattr handler exists and that no
536                    error other than -ENODATA is returned by getxattr on
537                    the root directory.  -ENODATA is ok, as this may be
538                    the first boot of the SELinux kernel before we have
539                    assigned xattr values to the filesystem. */
540                 if (!inode->i_op->getxattr) {
541                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
542                                "xattr support\n", sb->s_id, sb->s_type->name);
543                         rc = -EOPNOTSUPP;
544                         goto out;
545                 }
546                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
547                 if (rc < 0 && rc != -ENODATA) {
548                         if (rc == -EOPNOTSUPP)
549                                 printk(KERN_WARNING "SELinux: (dev %s, type "
550                                        "%s) has no security xattr handler\n",
551                                        sb->s_id, sb->s_type->name);
552                         else
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) getxattr errno %d\n", sb->s_id,
555                                        sb->s_type->name, -rc);
556                         goto out;
557                 }
558         }
559
560         if (strcmp(sb->s_type->name, "proc") == 0)
561                 sbsec->proc = 1;
562
563         sbsec->initialized = 1;
564
565         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
566                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
567                        sb->s_id, sb->s_type->name);
568         }
569         else {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
571                        sb->s_id, sb->s_type->name,
572                        labeling_behaviors[sbsec->behavior-1]);
573         }
574
575         /* Initialize the root inode. */
576         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
577
578         /* Initialize any other inodes associated with the superblock, e.g.
579            inodes created prior to initial policy load or inodes created
580            during get_sb by a pseudo filesystem that directly
581            populates itself. */
582         spin_lock(&sbsec->isec_lock);
583 next_inode:
584         if (!list_empty(&sbsec->isec_head)) {
585                 struct inode_security_struct *isec =
586                                 list_entry(sbsec->isec_head.next,
587                                            struct inode_security_struct, list);
588                 struct inode *inode = isec->inode;
589                 spin_unlock(&sbsec->isec_lock);
590                 inode = igrab(inode);
591                 if (inode) {
592                         if (!IS_PRIVATE (inode))
593                                 inode_doinit(inode);
594                         iput(inode);
595                 }
596                 spin_lock(&sbsec->isec_lock);
597                 list_del_init(&isec->list);
598                 goto next_inode;
599         }
600         spin_unlock(&sbsec->isec_lock);
601 out:
602         up(&sbsec->sem);
603         return rc;
604 }
605
606 static inline u16 inode_mode_to_security_class(umode_t mode)
607 {
608         switch (mode & S_IFMT) {
609         case S_IFSOCK:
610                 return SECCLASS_SOCK_FILE;
611         case S_IFLNK:
612                 return SECCLASS_LNK_FILE;
613         case S_IFREG:
614                 return SECCLASS_FILE;
615         case S_IFBLK:
616                 return SECCLASS_BLK_FILE;
617         case S_IFDIR:
618                 return SECCLASS_DIR;
619         case S_IFCHR:
620                 return SECCLASS_CHR_FILE;
621         case S_IFIFO:
622                 return SECCLASS_FIFO_FILE;
623
624         }
625
626         return SECCLASS_FILE;
627 }
628
629 static inline int default_protocol_stream(int protocol)
630 {
631         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
632 }
633
634 static inline int default_protocol_dgram(int protocol)
635 {
636         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
637 }
638
639 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 {
641         switch (family) {
642         case PF_UNIX:
643                 switch (type) {
644                 case SOCK_STREAM:
645                 case SOCK_SEQPACKET:
646                         return SECCLASS_UNIX_STREAM_SOCKET;
647                 case SOCK_DGRAM:
648                         return SECCLASS_UNIX_DGRAM_SOCKET;
649                 }
650                 break;
651         case PF_INET:
652         case PF_INET6:
653                 switch (type) {
654                 case SOCK_STREAM:
655                         if (default_protocol_stream(protocol))
656                                 return SECCLASS_TCP_SOCKET;
657                         else
658                                 return SECCLASS_RAWIP_SOCKET;
659                 case SOCK_DGRAM:
660                         if (default_protocol_dgram(protocol))
661                                 return SECCLASS_UDP_SOCKET;
662                         else
663                                 return SECCLASS_RAWIP_SOCKET;
664                 default:
665                         return SECCLASS_RAWIP_SOCKET;
666                 }
667                 break;
668         case PF_NETLINK:
669                 switch (protocol) {
670                 case NETLINK_ROUTE:
671                         return SECCLASS_NETLINK_ROUTE_SOCKET;
672                 case NETLINK_FIREWALL:
673                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
674                 case NETLINK_INET_DIAG:
675                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
676                 case NETLINK_NFLOG:
677                         return SECCLASS_NETLINK_NFLOG_SOCKET;
678                 case NETLINK_XFRM:
679                         return SECCLASS_NETLINK_XFRM_SOCKET;
680                 case NETLINK_SELINUX:
681                         return SECCLASS_NETLINK_SELINUX_SOCKET;
682                 case NETLINK_AUDIT:
683                         return SECCLASS_NETLINK_AUDIT_SOCKET;
684                 case NETLINK_IP6_FW:
685                         return SECCLASS_NETLINK_IP6FW_SOCKET;
686                 case NETLINK_DNRTMSG:
687                         return SECCLASS_NETLINK_DNRT_SOCKET;
688                 case NETLINK_KOBJECT_UEVENT:
689                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
690                 default:
691                         return SECCLASS_NETLINK_SOCKET;
692                 }
693         case PF_PACKET:
694                 return SECCLASS_PACKET_SOCKET;
695         case PF_KEY:
696                 return SECCLASS_KEY_SOCKET;
697         }
698
699         return SECCLASS_SOCKET;
700 }
701
702 #ifdef CONFIG_PROC_FS
703 static int selinux_proc_get_sid(struct proc_dir_entry *de,
704                                 u16 tclass,
705                                 u32 *sid)
706 {
707         int buflen, rc;
708         char *buffer, *path, *end;
709
710         buffer = (char*)__get_free_page(GFP_KERNEL);
711         if (!buffer)
712                 return -ENOMEM;
713
714         buflen = PAGE_SIZE;
715         end = buffer+buflen;
716         *--end = '\0';
717         buflen--;
718         path = end-1;
719         *path = '/';
720         while (de && de != de->parent) {
721                 buflen -= de->namelen + 1;
722                 if (buflen < 0)
723                         break;
724                 end -= de->namelen;
725                 memcpy(end, de->name, de->namelen);
726                 *--end = '/';
727                 path = end;
728                 de = de->parent;
729         }
730         rc = security_genfs_sid("proc", path, tclass, sid);
731         free_page((unsigned long)buffer);
732         return rc;
733 }
734 #else
735 static int selinux_proc_get_sid(struct proc_dir_entry *de,
736                                 u16 tclass,
737                                 u32 *sid)
738 {
739         return -EINVAL;
740 }
741 #endif
742
743 /* The inode's security attributes must be initialized before first use. */
744 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
745 {
746         struct superblock_security_struct *sbsec = NULL;
747         struct inode_security_struct *isec = inode->i_security;
748         u32 sid;
749         struct dentry *dentry;
750 #define INITCONTEXTLEN 255
751         char *context = NULL;
752         unsigned len = 0;
753         int rc = 0;
754         int hold_sem = 0;
755
756         if (isec->initialized)
757                 goto out;
758
759         down(&isec->sem);
760         hold_sem = 1;
761         if (isec->initialized)
762                 goto out;
763
764         sbsec = inode->i_sb->s_security;
765         if (!sbsec->initialized) {
766                 /* Defer initialization until selinux_complete_init,
767                    after the initial policy is loaded and the security
768                    server is ready to handle calls. */
769                 spin_lock(&sbsec->isec_lock);
770                 if (list_empty(&isec->list))
771                         list_add(&isec->list, &sbsec->isec_head);
772                 spin_unlock(&sbsec->isec_lock);
773                 goto out;
774         }
775
776         switch (sbsec->behavior) {
777         case SECURITY_FS_USE_XATTR:
778                 if (!inode->i_op->getxattr) {
779                         isec->sid = sbsec->def_sid;
780                         break;
781                 }
782
783                 /* Need a dentry, since the xattr API requires one.
784                    Life would be simpler if we could just pass the inode. */
785                 if (opt_dentry) {
786                         /* Called from d_instantiate or d_splice_alias. */
787                         dentry = dget(opt_dentry);
788                 } else {
789                         /* Called from selinux_complete_init, try to find a dentry. */
790                         dentry = d_find_alias(inode);
791                 }
792                 if (!dentry) {
793                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
794                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
795                                inode->i_ino);
796                         goto out;
797                 }
798
799                 len = INITCONTEXTLEN;
800                 context = kmalloc(len, GFP_KERNEL);
801                 if (!context) {
802                         rc = -ENOMEM;
803                         dput(dentry);
804                         goto out;
805                 }
806                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
807                                            context, len);
808                 if (rc == -ERANGE) {
809                         /* Need a larger buffer.  Query for the right size. */
810                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
811                                                    NULL, 0);
812                         if (rc < 0) {
813                                 dput(dentry);
814                                 goto out;
815                         }
816                         kfree(context);
817                         len = rc;
818                         context = kmalloc(len, GFP_KERNEL);
819                         if (!context) {
820                                 rc = -ENOMEM;
821                                 dput(dentry);
822                                 goto out;
823                         }
824                         rc = inode->i_op->getxattr(dentry,
825                                                    XATTR_NAME_SELINUX,
826                                                    context, len);
827                 }
828                 dput(dentry);
829                 if (rc < 0) {
830                         if (rc != -ENODATA) {
831                                 printk(KERN_WARNING "%s:  getxattr returned "
832                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
833                                        -rc, inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 goto out;
836                         }
837                         /* Map ENODATA to the default file SID */
838                         sid = sbsec->def_sid;
839                         rc = 0;
840                 } else {
841                         rc = security_context_to_sid_default(context, rc, &sid,
842                                                              sbsec->def_sid);
843                         if (rc) {
844                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
845                                        "returned %d for dev=%s ino=%ld\n",
846                                        __FUNCTION__, context, -rc,
847                                        inode->i_sb->s_id, inode->i_ino);
848                                 kfree(context);
849                                 /* Leave with the unlabeled SID */
850                                 rc = 0;
851                                 break;
852                         }
853                 }
854                 kfree(context);
855                 isec->sid = sid;
856                 break;
857         case SECURITY_FS_USE_TASK:
858                 isec->sid = isec->task_sid;
859                 break;
860         case SECURITY_FS_USE_TRANS:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 /* Try to obtain a transition SID. */
865                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866                 rc = security_transition_sid(isec->task_sid,
867                                              sbsec->sid,
868                                              isec->sclass,
869                                              &sid);
870                 if (rc)
871                         goto out;
872                 isec->sid = sid;
873                 break;
874         default:
875                 /* Default to the fs SID. */
876                 isec->sid = sbsec->sid;
877
878                 if (sbsec->proc) {
879                         struct proc_inode *proci = PROC_I(inode);
880                         if (proci->pde) {
881                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
882                                 rc = selinux_proc_get_sid(proci->pde,
883                                                           isec->sclass,
884                                                           &sid);
885                                 if (rc)
886                                         goto out;
887                                 isec->sid = sid;
888                         }
889                 }
890                 break;
891         }
892
893         isec->initialized = 1;
894
895 out:
896         if (isec->sclass == SECCLASS_FILE)
897                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
898
899         if (hold_sem)
900                 up(&isec->sem);
901         return rc;
902 }
903
904 /* Convert a Linux signal to an access vector. */
905 static inline u32 signal_to_av(int sig)
906 {
907         u32 perm = 0;
908
909         switch (sig) {
910         case SIGCHLD:
911                 /* Commonly granted from child to parent. */
912                 perm = PROCESS__SIGCHLD;
913                 break;
914         case SIGKILL:
915                 /* Cannot be caught or ignored */
916                 perm = PROCESS__SIGKILL;
917                 break;
918         case SIGSTOP:
919                 /* Cannot be caught or ignored */
920                 perm = PROCESS__SIGSTOP;
921                 break;
922         default:
923                 /* All other signals. */
924                 perm = PROCESS__SIGNAL;
925                 break;
926         }
927
928         return perm;
929 }
930
931 /* Check permission betweeen a pair of tasks, e.g. signal checks,
932    fork check, ptrace check, etc. */
933 static int task_has_perm(struct task_struct *tsk1,
934                          struct task_struct *tsk2,
935                          u32 perms)
936 {
937         struct task_security_struct *tsec1, *tsec2;
938
939         tsec1 = tsk1->security;
940         tsec2 = tsk2->security;
941         return avc_has_perm(tsec1->sid, tsec2->sid,
942                             SECCLASS_PROCESS, perms, NULL);
943 }
944
945 /* Check whether a task is allowed to use a capability. */
946 static int task_has_capability(struct task_struct *tsk,
947                                int cap)
948 {
949         struct task_security_struct *tsec;
950         struct avc_audit_data ad;
951
952         tsec = tsk->security;
953
954         AVC_AUDIT_DATA_INIT(&ad,CAP);
955         ad.tsk = tsk;
956         ad.u.cap = cap;
957
958         return avc_has_perm(tsec->sid, tsec->sid,
959                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
960 }
961
962 /* Check whether a task is allowed to use a system operation. */
963 static int task_has_system(struct task_struct *tsk,
964                            u32 perms)
965 {
966         struct task_security_struct *tsec;
967
968         tsec = tsk->security;
969
970         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
971                             SECCLASS_SYSTEM, perms, NULL);
972 }
973
974 /* Check whether a task has a particular permission to an inode.
975    The 'adp' parameter is optional and allows other audit
976    data to be passed (e.g. the dentry). */
977 static int inode_has_perm(struct task_struct *tsk,
978                           struct inode *inode,
979                           u32 perms,
980                           struct avc_audit_data *adp)
981 {
982         struct task_security_struct *tsec;
983         struct inode_security_struct *isec;
984         struct avc_audit_data ad;
985
986         tsec = tsk->security;
987         isec = inode->i_security;
988
989         if (!adp) {
990                 adp = &ad;
991                 AVC_AUDIT_DATA_INIT(&ad, FS);
992                 ad.u.fs.inode = inode;
993         }
994
995         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
996 }
997
998 /* Same as inode_has_perm, but pass explicit audit data containing
999    the dentry to help the auditing code to more easily generate the
1000    pathname if needed. */
1001 static inline int dentry_has_perm(struct task_struct *tsk,
1002                                   struct vfsmount *mnt,
1003                                   struct dentry *dentry,
1004                                   u32 av)
1005 {
1006         struct inode *inode = dentry->d_inode;
1007         struct avc_audit_data ad;
1008         AVC_AUDIT_DATA_INIT(&ad,FS);
1009         ad.u.fs.mnt = mnt;
1010         ad.u.fs.dentry = dentry;
1011         return inode_has_perm(tsk, inode, av, &ad);
1012 }
1013
1014 /* Check whether a task can use an open file descriptor to
1015    access an inode in a given way.  Check access to the
1016    descriptor itself, and then use dentry_has_perm to
1017    check a particular permission to the file.
1018    Access to the descriptor is implicitly granted if it
1019    has the same SID as the process.  If av is zero, then
1020    access to the file is not checked, e.g. for cases
1021    where only the descriptor is affected like seek. */
1022 static int file_has_perm(struct task_struct *tsk,
1023                                 struct file *file,
1024                                 u32 av)
1025 {
1026         struct task_security_struct *tsec = tsk->security;
1027         struct file_security_struct *fsec = file->f_security;
1028         struct vfsmount *mnt = file->f_vfsmnt;
1029         struct dentry *dentry = file->f_dentry;
1030         struct inode *inode = dentry->d_inode;
1031         struct avc_audit_data ad;
1032         int rc;
1033
1034         AVC_AUDIT_DATA_INIT(&ad, FS);
1035         ad.u.fs.mnt = mnt;
1036         ad.u.fs.dentry = dentry;
1037
1038         if (tsec->sid != fsec->sid) {
1039                 rc = avc_has_perm(tsec->sid, fsec->sid,
1040                                   SECCLASS_FD,
1041                                   FD__USE,
1042                                   &ad);
1043                 if (rc)
1044                         return rc;
1045         }
1046
1047         /* av is zero if only checking access to the descriptor. */
1048         if (av)
1049                 return inode_has_perm(tsk, inode, av, &ad);
1050
1051         return 0;
1052 }
1053
1054 /* Check whether a task can create a file. */
1055 static int may_create(struct inode *dir,
1056                       struct dentry *dentry,
1057                       u16 tclass)
1058 {
1059         struct task_security_struct *tsec;
1060         struct inode_security_struct *dsec;
1061         struct superblock_security_struct *sbsec;
1062         u32 newsid;
1063         struct avc_audit_data ad;
1064         int rc;
1065
1066         tsec = current->security;
1067         dsec = dir->i_security;
1068         sbsec = dir->i_sb->s_security;
1069
1070         AVC_AUDIT_DATA_INIT(&ad, FS);
1071         ad.u.fs.dentry = dentry;
1072
1073         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1074                           DIR__ADD_NAME | DIR__SEARCH,
1075                           &ad);
1076         if (rc)
1077                 return rc;
1078
1079         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1080                 newsid = tsec->create_sid;
1081         } else {
1082                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083                                              &newsid);
1084                 if (rc)
1085                         return rc;
1086         }
1087
1088         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1089         if (rc)
1090                 return rc;
1091
1092         return avc_has_perm(newsid, sbsec->sid,
1093                             SECCLASS_FILESYSTEM,
1094                             FILESYSTEM__ASSOCIATE, &ad);
1095 }
1096
1097 #define MAY_LINK   0
1098 #define MAY_UNLINK 1
1099 #define MAY_RMDIR  2
1100
1101 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1102 static int may_link(struct inode *dir,
1103                     struct dentry *dentry,
1104                     int kind)
1105
1106 {
1107         struct task_security_struct *tsec;
1108         struct inode_security_struct *dsec, *isec;
1109         struct avc_audit_data ad;
1110         u32 av;
1111         int rc;
1112
1113         tsec = current->security;
1114         dsec = dir->i_security;
1115         isec = dentry->d_inode->i_security;
1116
1117         AVC_AUDIT_DATA_INIT(&ad, FS);
1118         ad.u.fs.dentry = dentry;
1119
1120         av = DIR__SEARCH;
1121         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1122         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1123         if (rc)
1124                 return rc;
1125
1126         switch (kind) {
1127         case MAY_LINK:
1128                 av = FILE__LINK;
1129                 break;
1130         case MAY_UNLINK:
1131                 av = FILE__UNLINK;
1132                 break;
1133         case MAY_RMDIR:
1134                 av = DIR__RMDIR;
1135                 break;
1136         default:
1137                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1138                 return 0;
1139         }
1140
1141         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1142         return rc;
1143 }
1144
1145 static inline int may_rename(struct inode *old_dir,
1146                              struct dentry *old_dentry,
1147                              struct inode *new_dir,
1148                              struct dentry *new_dentry)
1149 {
1150         struct task_security_struct *tsec;
1151         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1152         struct avc_audit_data ad;
1153         u32 av;
1154         int old_is_dir, new_is_dir;
1155         int rc;
1156
1157         tsec = current->security;
1158         old_dsec = old_dir->i_security;
1159         old_isec = old_dentry->d_inode->i_security;
1160         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1161         new_dsec = new_dir->i_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164
1165         ad.u.fs.dentry = old_dentry;
1166         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1167                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1168         if (rc)
1169                 return rc;
1170         rc = avc_has_perm(tsec->sid, old_isec->sid,
1171                           old_isec->sclass, FILE__RENAME, &ad);
1172         if (rc)
1173                 return rc;
1174         if (old_is_dir && new_dir != old_dir) {
1175                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1176                                   old_isec->sclass, DIR__REPARENT, &ad);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         ad.u.fs.dentry = new_dentry;
1182         av = DIR__ADD_NAME | DIR__SEARCH;
1183         if (new_dentry->d_inode)
1184                 av |= DIR__REMOVE_NAME;
1185         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1186         if (rc)
1187                 return rc;
1188         if (new_dentry->d_inode) {
1189                 new_isec = new_dentry->d_inode->i_security;
1190                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1191                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1192                                   new_isec->sclass,
1193                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         return 0;
1199 }
1200
1201 /* Check whether a task can perform a filesystem operation. */
1202 static int superblock_has_perm(struct task_struct *tsk,
1203                                struct super_block *sb,
1204                                u32 perms,
1205                                struct avc_audit_data *ad)
1206 {
1207         struct task_security_struct *tsec;
1208         struct superblock_security_struct *sbsec;
1209
1210         tsec = tsk->security;
1211         sbsec = sb->s_security;
1212         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1213                             perms, ad);
1214 }
1215
1216 /* Convert a Linux mode and permission mask to an access vector. */
1217 static inline u32 file_mask_to_av(int mode, int mask)
1218 {
1219         u32 av = 0;
1220
1221         if ((mode & S_IFMT) != S_IFDIR) {
1222                 if (mask & MAY_EXEC)
1223                         av |= FILE__EXECUTE;
1224                 if (mask & MAY_READ)
1225                         av |= FILE__READ;
1226
1227                 if (mask & MAY_APPEND)
1228                         av |= FILE__APPEND;
1229                 else if (mask & MAY_WRITE)
1230                         av |= FILE__WRITE;
1231
1232         } else {
1233                 if (mask & MAY_EXEC)
1234                         av |= DIR__SEARCH;
1235                 if (mask & MAY_WRITE)
1236                         av |= DIR__WRITE;
1237                 if (mask & MAY_READ)
1238                         av |= DIR__READ;
1239         }
1240
1241         return av;
1242 }
1243
1244 /* Convert a Linux file to an access vector. */
1245 static inline u32 file_to_av(struct file *file)
1246 {
1247         u32 av = 0;
1248
1249         if (file->f_mode & FMODE_READ)
1250                 av |= FILE__READ;
1251         if (file->f_mode & FMODE_WRITE) {
1252                 if (file->f_flags & O_APPEND)
1253                         av |= FILE__APPEND;
1254                 else
1255                         av |= FILE__WRITE;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Set an inode's SID to a specified value. */
1262 static int inode_security_set_sid(struct inode *inode, u32 sid)
1263 {
1264         struct inode_security_struct *isec = inode->i_security;
1265         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1266
1267         if (!sbsec->initialized) {
1268                 /* Defer initialization to selinux_complete_init. */
1269                 return 0;
1270         }
1271
1272         down(&isec->sem);
1273         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274         isec->sid = sid;
1275         isec->initialized = 1;
1276         up(&isec->sem);
1277         return 0;
1278 }
1279
1280 /* Hook functions begin here. */
1281
1282 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1283 {
1284         struct task_security_struct *psec = parent->security;
1285         struct task_security_struct *csec = child->security;
1286         int rc;
1287
1288         rc = secondary_ops->ptrace(parent,child);
1289         if (rc)
1290                 return rc;
1291
1292         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1293         /* Save the SID of the tracing process for later use in apply_creds. */
1294         if (!(child->ptrace & PT_PTRACED) && !rc)
1295                 csec->ptrace_sid = psec->sid;
1296         return rc;
1297 }
1298
1299 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1300                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1301 {
1302         int error;
1303
1304         error = task_has_perm(current, target, PROCESS__GETCAP);
1305         if (error)
1306                 return error;
1307
1308         return secondary_ops->capget(target, effective, inheritable, permitted);
1309 }
1310
1311 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1312                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1313 {
1314         int error;
1315
1316         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1317         if (error)
1318                 return error;
1319
1320         return task_has_perm(current, target, PROCESS__SETCAP);
1321 }
1322
1323 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1324                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1325 {
1326         secondary_ops->capset_set(target, effective, inheritable, permitted);
1327 }
1328
1329 static int selinux_capable(struct task_struct *tsk, int cap)
1330 {
1331         int rc;
1332
1333         rc = secondary_ops->capable(tsk, cap);
1334         if (rc)
1335                 return rc;
1336
1337         return task_has_capability(tsk,cap);
1338 }
1339
1340 static int selinux_sysctl(ctl_table *table, int op)
1341 {
1342         int error = 0;
1343         u32 av;
1344         struct task_security_struct *tsec;
1345         u32 tsid;
1346         int rc;
1347
1348         rc = secondary_ops->sysctl(table, op);
1349         if (rc)
1350                 return rc;
1351
1352         tsec = current->security;
1353
1354         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1355                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1356         if (rc) {
1357                 /* Default to the well-defined sysctl SID. */
1358                 tsid = SECINITSID_SYSCTL;
1359         }
1360
1361         /* The op values are "defined" in sysctl.c, thereby creating
1362          * a bad coupling between this module and sysctl.c */
1363         if(op == 001) {
1364                 error = avc_has_perm(tsec->sid, tsid,
1365                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1366         } else {
1367                 av = 0;
1368                 if (op & 004)
1369                         av |= FILE__READ;
1370                 if (op & 002)
1371                         av |= FILE__WRITE;
1372                 if (av)
1373                         error = avc_has_perm(tsec->sid, tsid,
1374                                              SECCLASS_FILE, av, NULL);
1375         }
1376
1377         return error;
1378 }
1379
1380 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1381 {
1382         int rc = 0;
1383
1384         if (!sb)
1385                 return 0;
1386
1387         switch (cmds) {
1388                 case Q_SYNC:
1389                 case Q_QUOTAON:
1390                 case Q_QUOTAOFF:
1391                 case Q_SETINFO:
1392                 case Q_SETQUOTA:
1393                         rc = superblock_has_perm(current,
1394                                                  sb,
1395                                                  FILESYSTEM__QUOTAMOD, NULL);
1396                         break;
1397                 case Q_GETFMT:
1398                 case Q_GETINFO:
1399                 case Q_GETQUOTA:
1400                         rc = superblock_has_perm(current,
1401                                                  sb,
1402                                                  FILESYSTEM__QUOTAGET, NULL);
1403                         break;
1404                 default:
1405                         rc = 0;  /* let the kernel handle invalid cmds */
1406                         break;
1407         }
1408         return rc;
1409 }
1410
1411 static int selinux_quota_on(struct dentry *dentry)
1412 {
1413         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1414 }
1415
1416 static int selinux_syslog(int type)
1417 {
1418         int rc;
1419
1420         rc = secondary_ops->syslog(type);
1421         if (rc)
1422                 return rc;
1423
1424         switch (type) {
1425                 case 3:         /* Read last kernel messages */
1426                 case 10:        /* Return size of the log buffer */
1427                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1428                         break;
1429                 case 6:         /* Disable logging to console */
1430                 case 7:         /* Enable logging to console */
1431                 case 8:         /* Set level of messages printed to console */
1432                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1433                         break;
1434                 case 0:         /* Close log */
1435                 case 1:         /* Open log */
1436                 case 2:         /* Read from log */
1437                 case 4:         /* Read/clear last kernel messages */
1438                 case 5:         /* Clear ring buffer */
1439                 default:
1440                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1441                         break;
1442         }
1443         return rc;
1444 }
1445
1446 /*
1447  * Check that a process has enough memory to allocate a new virtual
1448  * mapping. 0 means there is enough memory for the allocation to
1449  * succeed and -ENOMEM implies there is not.
1450  *
1451  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1452  * if the capability is granted, but __vm_enough_memory requires 1 if
1453  * the capability is granted.
1454  *
1455  * Do not audit the selinux permission check, as this is applied to all
1456  * processes that allocate mappings.
1457  */
1458 static int selinux_vm_enough_memory(long pages)
1459 {
1460         int rc, cap_sys_admin = 0;
1461         struct task_security_struct *tsec = current->security;
1462
1463         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1464         if (rc == 0)
1465                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1466                                         SECCLASS_CAPABILITY,
1467                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1468                                         NULL);
1469
1470         if (rc == 0)
1471                 cap_sys_admin = 1;
1472
1473         return __vm_enough_memory(pages, cap_sys_admin);
1474 }
1475
1476 /* binprm security operations */
1477
1478 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1479 {
1480         struct bprm_security_struct *bsec;
1481
1482         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1483         if (!bsec)
1484                 return -ENOMEM;
1485
1486         bsec->bprm = bprm;
1487         bsec->sid = SECINITSID_UNLABELED;
1488         bsec->set = 0;
1489
1490         bprm->security = bsec;
1491         return 0;
1492 }
1493
1494 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1495 {
1496         struct task_security_struct *tsec;
1497         struct inode *inode = bprm->file->f_dentry->d_inode;
1498         struct inode_security_struct *isec;
1499         struct bprm_security_struct *bsec;
1500         u32 newsid;
1501         struct avc_audit_data ad;
1502         int rc;
1503
1504         rc = secondary_ops->bprm_set_security(bprm);
1505         if (rc)
1506                 return rc;
1507
1508         bsec = bprm->security;
1509
1510         if (bsec->set)
1511                 return 0;
1512
1513         tsec = current->security;
1514         isec = inode->i_security;
1515
1516         /* Default to the current task SID. */
1517         bsec->sid = tsec->sid;
1518
1519         /* Reset create SID on execve. */
1520         tsec->create_sid = 0;
1521
1522         if (tsec->exec_sid) {
1523                 newsid = tsec->exec_sid;
1524                 /* Reset exec SID on execve. */
1525                 tsec->exec_sid = 0;
1526         } else {
1527                 /* Check for a default transition on this program. */
1528                 rc = security_transition_sid(tsec->sid, isec->sid,
1529                                              SECCLASS_PROCESS, &newsid);
1530                 if (rc)
1531                         return rc;
1532         }
1533
1534         AVC_AUDIT_DATA_INIT(&ad, FS);
1535         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1536         ad.u.fs.dentry = bprm->file->f_dentry;
1537
1538         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1539                 newsid = tsec->sid;
1540
1541         if (tsec->sid == newsid) {
1542                 rc = avc_has_perm(tsec->sid, isec->sid,
1543                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1544                 if (rc)
1545                         return rc;
1546         } else {
1547                 /* Check permissions for the transition. */
1548                 rc = avc_has_perm(tsec->sid, newsid,
1549                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1550                 if (rc)
1551                         return rc;
1552
1553                 rc = avc_has_perm(newsid, isec->sid,
1554                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 /* Clear any possibly unsafe personality bits on exec: */
1559                 current->personality &= ~PER_CLEAR_ON_SETID;
1560
1561                 /* Set the security field to the new SID. */
1562                 bsec->sid = newsid;
1563         }
1564
1565         bsec->set = 1;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1570 {
1571         return secondary_ops->bprm_check_security(bprm);
1572 }
1573
1574
1575 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1576 {
1577         struct task_security_struct *tsec = current->security;
1578         int atsecure = 0;
1579
1580         if (tsec->osid != tsec->sid) {
1581                 /* Enable secure mode for SIDs transitions unless
1582                    the noatsecure permission is granted between
1583                    the two SIDs, i.e. ahp returns 0. */
1584                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1585                                          SECCLASS_PROCESS,
1586                                          PROCESS__NOATSECURE, NULL);
1587         }
1588
1589         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1590 }
1591
1592 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1593 {
1594         kfree(bprm->security);
1595         bprm->security = NULL;
1596 }
1597
1598 extern struct vfsmount *selinuxfs_mount;
1599 extern struct dentry *selinux_null;
1600
1601 /* Derived from fs/exec.c:flush_old_files. */
1602 static inline void flush_unauthorized_files(struct files_struct * files)
1603 {
1604         struct avc_audit_data ad;
1605         struct file *file, *devnull = NULL;
1606         struct tty_struct *tty = current->signal->tty;
1607         struct fdtable *fdt;
1608         long j = -1;
1609
1610         if (tty) {
1611                 file_list_lock();
1612                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1613                 if (file) {
1614                         /* Revalidate access to controlling tty.
1615                            Use inode_has_perm on the tty inode directly rather
1616                            than using file_has_perm, as this particular open
1617                            file may belong to another process and we are only
1618                            interested in the inode-based check here. */
1619                         struct inode *inode = file->f_dentry->d_inode;
1620                         if (inode_has_perm(current, inode,
1621                                            FILE__READ | FILE__WRITE, NULL)) {
1622                                 /* Reset controlling tty. */
1623                                 current->signal->tty = NULL;
1624                                 current->signal->tty_old_pgrp = 0;
1625                         }
1626                 }
1627                 file_list_unlock();
1628         }
1629
1630         /* Revalidate access to inherited open files. */
1631
1632         AVC_AUDIT_DATA_INIT(&ad,FS);
1633
1634         spin_lock(&files->file_lock);
1635         for (;;) {
1636                 unsigned long set, i;
1637                 int fd;
1638
1639                 j++;
1640                 i = j * __NFDBITS;
1641                 fdt = files_fdtable(files);
1642                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1643                         break;
1644                 set = fdt->open_fds->fds_bits[j];
1645                 if (!set)
1646                         continue;
1647                 spin_unlock(&files->file_lock);
1648                 for ( ; set ; i++,set >>= 1) {
1649                         if (set & 1) {
1650                                 file = fget(i);
1651                                 if (!file)
1652                                         continue;
1653                                 if (file_has_perm(current,
1654                                                   file,
1655                                                   file_to_av(file))) {
1656                                         sys_close(i);
1657                                         fd = get_unused_fd();
1658                                         if (fd != i) {
1659                                                 if (fd >= 0)
1660                                                         put_unused_fd(fd);
1661                                                 fput(file);
1662                                                 continue;
1663                                         }
1664                                         if (devnull) {
1665                                                 get_file(devnull);
1666                                         } else {
1667                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1668                                                 if (!devnull) {
1669                                                         put_unused_fd(fd);
1670                                                         fput(file);
1671                                                         continue;
1672                                                 }
1673                                         }
1674                                         fd_install(fd, devnull);
1675                                 }
1676                                 fput(file);
1677                         }
1678                 }
1679                 spin_lock(&files->file_lock);
1680
1681         }
1682         spin_unlock(&files->file_lock);
1683 }
1684
1685 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1686 {
1687         struct task_security_struct *tsec;
1688         struct bprm_security_struct *bsec;
1689         u32 sid;
1690         int rc;
1691
1692         secondary_ops->bprm_apply_creds(bprm, unsafe);
1693
1694         tsec = current->security;
1695
1696         bsec = bprm->security;
1697         sid = bsec->sid;
1698
1699         tsec->osid = tsec->sid;
1700         bsec->unsafe = 0;
1701         if (tsec->sid != sid) {
1702                 /* Check for shared state.  If not ok, leave SID
1703                    unchanged and kill. */
1704                 if (unsafe & LSM_UNSAFE_SHARE) {
1705                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1706                                         PROCESS__SHARE, NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712
1713                 /* Check for ptracing, and update the task SID if ok.
1714                    Otherwise, leave SID unchanged and kill. */
1715                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1716                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1717                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1718                                           NULL);
1719                         if (rc) {
1720                                 bsec->unsafe = 1;
1721                                 return;
1722                         }
1723                 }
1724                 tsec->sid = sid;
1725         }
1726 }
1727
1728 /*
1729  * called after apply_creds without the task lock held
1730  */
1731 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1732 {
1733         struct task_security_struct *tsec;
1734         struct rlimit *rlim, *initrlim;
1735         struct itimerval itimer;
1736         struct bprm_security_struct *bsec;
1737         int rc, i;
1738
1739         tsec = current->security;
1740         bsec = bprm->security;
1741
1742         if (bsec->unsafe) {
1743                 force_sig_specific(SIGKILL, current);
1744                 return;
1745         }
1746         if (tsec->osid == tsec->sid)
1747                 return;
1748
1749         /* Close files for which the new task SID is not authorized. */
1750         flush_unauthorized_files(current->files);
1751
1752         /* Check whether the new SID can inherit signal state
1753            from the old SID.  If not, clear itimers to avoid
1754            subsequent signal generation and flush and unblock
1755            signals. This must occur _after_ the task SID has
1756           been updated so that any kill done after the flush
1757           will be checked against the new SID. */
1758         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1759                           PROCESS__SIGINH, NULL);
1760         if (rc) {
1761                 memset(&itimer, 0, sizeof itimer);
1762                 for (i = 0; i < 3; i++)
1763                         do_setitimer(i, &itimer, NULL);
1764                 flush_signals(current);
1765                 spin_lock_irq(&current->sighand->siglock);
1766                 flush_signal_handlers(current, 1);
1767                 sigemptyset(&current->blocked);
1768                 recalc_sigpending();
1769                 spin_unlock_irq(&current->sighand->siglock);
1770         }
1771
1772         /* Check whether the new SID can inherit resource limits
1773            from the old SID.  If not, reset all soft limits to
1774            the lower of the current task's hard limit and the init
1775            task's soft limit.  Note that the setting of hard limits
1776            (even to lower them) can be controlled by the setrlimit
1777            check. The inclusion of the init task's soft limit into
1778            the computation is to avoid resetting soft limits higher
1779            than the default soft limit for cases where the default
1780            is lower than the hard limit, e.g. RLIMIT_CORE or
1781            RLIMIT_STACK.*/
1782         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1783                           PROCESS__RLIMITINH, NULL);
1784         if (rc) {
1785                 for (i = 0; i < RLIM_NLIMITS; i++) {
1786                         rlim = current->signal->rlim + i;
1787                         initrlim = init_task.signal->rlim+i;
1788                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1789                 }
1790                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1791                         /*
1792                          * This will cause RLIMIT_CPU calculations
1793                          * to be refigured.
1794                          */
1795                         current->it_prof_expires = jiffies_to_cputime(1);
1796                 }
1797         }
1798
1799         /* Wake up the parent if it is waiting so that it can
1800            recheck wait permission to the new task SID. */
1801         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1802 }
1803
1804 /* superblock security operations */
1805
1806 static int selinux_sb_alloc_security(struct super_block *sb)
1807 {
1808         return superblock_alloc_security(sb);
1809 }
1810
1811 static void selinux_sb_free_security(struct super_block *sb)
1812 {
1813         superblock_free_security(sb);
1814 }
1815
1816 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1817 {
1818         if (plen > olen)
1819                 return 0;
1820
1821         return !memcmp(prefix, option, plen);
1822 }
1823
1824 static inline int selinux_option(char *option, int len)
1825 {
1826         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1827                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1828                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1829 }
1830
1831 static inline void take_option(char **to, char *from, int *first, int len)
1832 {
1833         if (!*first) {
1834                 **to = ',';
1835                 *to += 1;
1836         }
1837         else
1838                 *first = 0;
1839         memcpy(*to, from, len);
1840         *to += len;
1841 }
1842
1843 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1844 {
1845         int fnosec, fsec, rc = 0;
1846         char *in_save, *in_curr, *in_end;
1847         char *sec_curr, *nosec_save, *nosec;
1848
1849         in_curr = orig;
1850         sec_curr = copy;
1851
1852         /* Binary mount data: just copy */
1853         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1854                 copy_page(sec_curr, in_curr);
1855                 goto out;
1856         }
1857
1858         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1859         if (!nosec) {
1860                 rc = -ENOMEM;
1861                 goto out;
1862         }
1863
1864         nosec_save = nosec;
1865         fnosec = fsec = 1;
1866         in_save = in_end = orig;
1867
1868         do {
1869                 if (*in_end == ',' || *in_end == '\0') {
1870                         int len = in_end - in_curr;
1871
1872                         if (selinux_option(in_curr, len))
1873                                 take_option(&sec_curr, in_curr, &fsec, len);
1874                         else
1875                                 take_option(&nosec, in_curr, &fnosec, len);
1876
1877                         in_curr = in_end + 1;
1878                 }
1879         } while (*in_end++);
1880
1881         strcpy(in_save, nosec_save);
1882         free_page((unsigned long)nosec_save);
1883 out:
1884         return rc;
1885 }
1886
1887 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1888 {
1889         struct avc_audit_data ad;
1890         int rc;
1891
1892         rc = superblock_doinit(sb, data);
1893         if (rc)
1894                 return rc;
1895
1896         AVC_AUDIT_DATA_INIT(&ad,FS);
1897         ad.u.fs.dentry = sb->s_root;
1898         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1899 }
1900
1901 static int selinux_sb_statfs(struct super_block *sb)
1902 {
1903         struct avc_audit_data ad;
1904
1905         AVC_AUDIT_DATA_INIT(&ad,FS);
1906         ad.u.fs.dentry = sb->s_root;
1907         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1908 }
1909
1910 static int selinux_mount(char * dev_name,
1911                          struct nameidata *nd,
1912                          char * type,
1913                          unsigned long flags,
1914                          void * data)
1915 {
1916         int rc;
1917
1918         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1919         if (rc)
1920                 return rc;
1921
1922         if (flags & MS_REMOUNT)
1923                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1924                                            FILESYSTEM__REMOUNT, NULL);
1925         else
1926                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1927                                        FILE__MOUNTON);
1928 }
1929
1930 static int selinux_umount(struct vfsmount *mnt, int flags)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_umount(mnt, flags);
1935         if (rc)
1936                 return rc;
1937
1938         return superblock_has_perm(current,mnt->mnt_sb,
1939                                    FILESYSTEM__UNMOUNT,NULL);
1940 }
1941
1942 /* inode security operations */
1943
1944 static int selinux_inode_alloc_security(struct inode *inode)
1945 {
1946         return inode_alloc_security(inode);
1947 }
1948
1949 static void selinux_inode_free_security(struct inode *inode)
1950 {
1951         inode_free_security(inode);
1952 }
1953
1954 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1955                                        char **name, void **value,
1956                                        size_t *len)
1957 {
1958         struct task_security_struct *tsec;
1959         struct inode_security_struct *dsec;
1960         struct superblock_security_struct *sbsec;
1961         u32 newsid, clen;
1962         int rc;
1963         char *namep = NULL, *context;
1964
1965         tsec = current->security;
1966         dsec = dir->i_security;
1967         sbsec = dir->i_sb->s_security;
1968
1969         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1970                 newsid = tsec->create_sid;
1971         } else {
1972                 rc = security_transition_sid(tsec->sid, dsec->sid,
1973                                              inode_mode_to_security_class(inode->i_mode),
1974                                              &newsid);
1975                 if (rc) {
1976                         printk(KERN_WARNING "%s:  "
1977                                "security_transition_sid failed, rc=%d (dev=%s "
1978                                "ino=%ld)\n",
1979                                __FUNCTION__,
1980                                -rc, inode->i_sb->s_id, inode->i_ino);
1981                         return rc;
1982                 }
1983         }
1984
1985         inode_security_set_sid(inode, newsid);
1986
1987         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1988                 return -EOPNOTSUPP;
1989
1990         if (name) {
1991                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1992                 if (!namep)
1993                         return -ENOMEM;
1994                 *name = namep;
1995         }
1996
1997         if (value && len) {
1998                 rc = security_sid_to_context(newsid, &context, &clen);
1999                 if (rc) {
2000                         kfree(namep);
2001                         return rc;
2002                 }
2003                 *value = context;
2004                 *len = clen;
2005         }
2006
2007         return 0;
2008 }
2009
2010 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2011 {
2012         return may_create(dir, dentry, SECCLASS_FILE);
2013 }
2014
2015 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2016 {
2017         int rc;
2018
2019         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2020         if (rc)
2021                 return rc;
2022         return may_link(dir, old_dentry, MAY_LINK);
2023 }
2024
2025 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2026 {
2027         int rc;
2028
2029         rc = secondary_ops->inode_unlink(dir, dentry);
2030         if (rc)
2031                 return rc;
2032         return may_link(dir, dentry, MAY_UNLINK);
2033 }
2034
2035 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2036 {
2037         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2038 }
2039
2040 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2041 {
2042         return may_create(dir, dentry, SECCLASS_DIR);
2043 }
2044
2045 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2046 {
2047         return may_link(dir, dentry, MAY_RMDIR);
2048 }
2049
2050 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2051 {
2052         int rc;
2053
2054         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2055         if (rc)
2056                 return rc;
2057
2058         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2059 }
2060
2061 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2062                                 struct inode *new_inode, struct dentry *new_dentry)
2063 {
2064         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2065 }
2066
2067 static int selinux_inode_readlink(struct dentry *dentry)
2068 {
2069         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2070 }
2071
2072 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2073 {
2074         int rc;
2075
2076         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2077         if (rc)
2078                 return rc;
2079         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2080 }
2081
2082 static int selinux_inode_permission(struct inode *inode, int mask,
2083                                     struct nameidata *nd)
2084 {
2085         int rc;
2086
2087         rc = secondary_ops->inode_permission(inode, mask, nd);
2088         if (rc)
2089                 return rc;
2090
2091         if (!mask) {
2092                 /* No permission to check.  Existence test. */
2093                 return 0;
2094         }
2095
2096         return inode_has_perm(current, inode,
2097                                file_mask_to_av(inode->i_mode, mask), NULL);
2098 }
2099
2100 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2101 {
2102         int rc;
2103
2104         rc = secondary_ops->inode_setattr(dentry, iattr);
2105         if (rc)
2106                 return rc;
2107
2108         if (iattr->ia_valid & ATTR_FORCE)
2109                 return 0;
2110
2111         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2112                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2113                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2114
2115         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2116 }
2117
2118 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2119 {
2120         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2121 }
2122
2123 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2124 {
2125         struct task_security_struct *tsec = current->security;
2126         struct inode *inode = dentry->d_inode;
2127         struct inode_security_struct *isec = inode->i_security;
2128         struct superblock_security_struct *sbsec;
2129         struct avc_audit_data ad;
2130         u32 newsid;
2131         int rc = 0;
2132
2133         if (strcmp(name, XATTR_NAME_SELINUX)) {
2134                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2135                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2136                     !capable(CAP_SYS_ADMIN)) {
2137                         /* A different attribute in the security namespace.
2138                            Restrict to administrator. */
2139                         return -EPERM;
2140                 }
2141
2142                 /* Not an attribute we recognize, so just check the
2143                    ordinary setattr permission. */
2144                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2145         }
2146
2147         sbsec = inode->i_sb->s_security;
2148         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2149                 return -EOPNOTSUPP;
2150
2151         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2152                 return -EPERM;
2153
2154         AVC_AUDIT_DATA_INIT(&ad,FS);
2155         ad.u.fs.dentry = dentry;
2156
2157         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2158                           FILE__RELABELFROM, &ad);
2159         if (rc)
2160                 return rc;
2161
2162         rc = security_context_to_sid(value, size, &newsid);
2163         if (rc)
2164                 return rc;
2165
2166         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2167                           FILE__RELABELTO, &ad);
2168         if (rc)
2169                 return rc;
2170
2171         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2172                                           isec->sclass);
2173         if (rc)
2174                 return rc;
2175
2176         return avc_has_perm(newsid,
2177                             sbsec->sid,
2178                             SECCLASS_FILESYSTEM,
2179                             FILESYSTEM__ASSOCIATE,
2180                             &ad);
2181 }
2182
2183 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2184                                         void *value, size_t size, int flags)
2185 {
2186         struct inode *inode = dentry->d_inode;
2187         struct inode_security_struct *isec = inode->i_security;
2188         u32 newsid;
2189         int rc;
2190
2191         if (strcmp(name, XATTR_NAME_SELINUX)) {
2192                 /* Not an attribute we recognize, so nothing to do. */
2193                 return;
2194         }
2195
2196         rc = security_context_to_sid(value, size, &newsid);
2197         if (rc) {
2198                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2199                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2200                 return;
2201         }
2202
2203         isec->sid = newsid;
2204         return;
2205 }
2206
2207 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2208 {
2209         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2210 }
2211
2212 static int selinux_inode_listxattr (struct dentry *dentry)
2213 {
2214         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2215 }
2216
2217 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2218 {
2219         if (strcmp(name, XATTR_NAME_SELINUX)) {
2220                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2221                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2222                     !capable(CAP_SYS_ADMIN)) {
2223                         /* A different attribute in the security namespace.
2224                            Restrict to administrator. */
2225                         return -EPERM;
2226                 }
2227
2228                 /* Not an attribute we recognize, so just check the
2229                    ordinary setattr permission. Might want a separate
2230                    permission for removexattr. */
2231                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2232         }
2233
2234         /* No one is allowed to remove a SELinux security label.
2235            You can change the label, but all data must be labeled. */
2236         return -EACCES;
2237 }
2238
2239 static const char *selinux_inode_xattr_getsuffix(void)
2240 {
2241       return XATTR_SELINUX_SUFFIX;
2242 }
2243
2244 /*
2245  * Copy the in-core inode security context value to the user.  If the
2246  * getxattr() prior to this succeeded, check to see if we need to
2247  * canonicalize the value to be finally returned to the user.
2248  *
2249  * Permission check is handled by selinux_inode_getxattr hook.
2250  */
2251 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2252 {
2253         struct inode_security_struct *isec = inode->i_security;
2254
2255         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2256                 return -EOPNOTSUPP;
2257
2258         return selinux_getsecurity(isec->sid, buffer, size);
2259 }
2260
2261 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2262                                      const void *value, size_t size, int flags)
2263 {
2264         struct inode_security_struct *isec = inode->i_security;
2265         u32 newsid;
2266         int rc;
2267
2268         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2269                 return -EOPNOTSUPP;
2270
2271         if (!value || !size)
2272                 return -EACCES;
2273
2274         rc = security_context_to_sid((void*)value, size, &newsid);
2275         if (rc)
2276                 return rc;
2277
2278         isec->sid = newsid;
2279         return 0;
2280 }
2281
2282 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2283 {
2284         const int len = sizeof(XATTR_NAME_SELINUX);
2285         if (buffer && len <= buffer_size)
2286                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2287         return len;
2288 }
2289
2290 /* file security operations */
2291
2292 static int selinux_file_permission(struct file *file, int mask)
2293 {
2294         struct inode *inode = file->f_dentry->d_inode;
2295
2296         if (!mask) {
2297                 /* No permission to check.  Existence test. */
2298                 return 0;
2299         }
2300
2301         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2302         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2303                 mask |= MAY_APPEND;
2304
2305         return file_has_perm(current, file,
2306                              file_mask_to_av(inode->i_mode, mask));
2307 }
2308
2309 static int selinux_file_alloc_security(struct file *file)
2310 {
2311         return file_alloc_security(file);
2312 }
2313
2314 static void selinux_file_free_security(struct file *file)
2315 {
2316         file_free_security(file);
2317 }
2318
2319 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2320                               unsigned long arg)
2321 {
2322         int error = 0;
2323
2324         switch (cmd) {
2325                 case FIONREAD:
2326                 /* fall through */
2327                 case FIBMAP:
2328                 /* fall through */
2329                 case FIGETBSZ:
2330                 /* fall through */
2331                 case EXT2_IOC_GETFLAGS:
2332                 /* fall through */
2333                 case EXT2_IOC_GETVERSION:
2334                         error = file_has_perm(current, file, FILE__GETATTR);
2335                         break;
2336
2337                 case EXT2_IOC_SETFLAGS:
2338                 /* fall through */
2339                 case EXT2_IOC_SETVERSION:
2340                         error = file_has_perm(current, file, FILE__SETATTR);
2341                         break;
2342
2343                 /* sys_ioctl() checks */
2344                 case FIONBIO:
2345                 /* fall through */
2346                 case FIOASYNC:
2347                         error = file_has_perm(current, file, 0);
2348                         break;
2349
2350                 case KDSKBENT:
2351                 case KDSKBSENT:
2352                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2353                         break;
2354
2355                 /* default case assumes that the command will go
2356                  * to the file's ioctl() function.
2357                  */
2358                 default:
2359                         error = file_has_perm(current, file, FILE__IOCTL);
2360
2361         }
2362         return error;
2363 }
2364
2365 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2366 {
2367 #ifndef CONFIG_PPC32
2368         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2369                 /*
2370                  * We are making executable an anonymous mapping or a
2371                  * private file mapping that will also be writable.
2372                  * This has an additional check.
2373                  */
2374                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2375                 if (rc)
2376                         return rc;
2377         }
2378 #endif
2379
2380         if (file) {
2381                 /* read access is always possible with a mapping */
2382                 u32 av = FILE__READ;
2383
2384                 /* write access only matters if the mapping is shared */
2385                 if (shared && (prot & PROT_WRITE))
2386                         av |= FILE__WRITE;
2387
2388                 if (prot & PROT_EXEC)
2389                         av |= FILE__EXECUTE;
2390
2391                 return file_has_perm(current, file, av);
2392         }
2393         return 0;
2394 }
2395
2396 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2397                              unsigned long prot, unsigned long flags)
2398 {
2399         int rc;
2400
2401         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2402         if (rc)
2403                 return rc;
2404
2405         if (selinux_checkreqprot)
2406                 prot = reqprot;
2407
2408         return file_map_prot_check(file, prot,
2409                                    (flags & MAP_TYPE) == MAP_SHARED);
2410 }
2411
2412 static int selinux_file_mprotect(struct vm_area_struct *vma,
2413                                  unsigned long reqprot,
2414                                  unsigned long prot)
2415 {
2416         int rc;
2417
2418         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2419         if (rc)
2420                 return rc;
2421
2422         if (selinux_checkreqprot)
2423                 prot = reqprot;
2424
2425 #ifndef CONFIG_PPC32
2426         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2427                 rc = 0;
2428                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2429                     vma->vm_end <= vma->vm_mm->brk) {
2430                         rc = task_has_perm(current, current,
2431                                            PROCESS__EXECHEAP);
2432                 } else if (!vma->vm_file &&
2433                            vma->vm_start <= vma->vm_mm->start_stack &&
2434                            vma->vm_end >= vma->vm_mm->start_stack) {
2435                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2436                 } else if (vma->vm_file && vma->anon_vma) {
2437                         /*
2438                          * We are making executable a file mapping that has
2439                          * had some COW done. Since pages might have been
2440                          * written, check ability to execute the possibly
2441                          * modified content.  This typically should only
2442                          * occur for text relocations.
2443                          */
2444                         rc = file_has_perm(current, vma->vm_file,
2445                                            FILE__EXECMOD);
2446                 }
2447                 if (rc)
2448                         return rc;
2449         }
2450 #endif
2451
2452         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2453 }
2454
2455 static int selinux_file_lock(struct file *file, unsigned int cmd)
2456 {
2457         return file_has_perm(current, file, FILE__LOCK);
2458 }
2459
2460 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2461                               unsigned long arg)
2462 {
2463         int err = 0;
2464
2465         switch (cmd) {
2466                 case F_SETFL:
2467                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2468                                 err = -EINVAL;
2469                                 break;
2470                         }
2471
2472                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2473                                 err = file_has_perm(current, file,FILE__WRITE);
2474                                 break;
2475                         }
2476                         /* fall through */
2477                 case F_SETOWN:
2478                 case F_SETSIG:
2479                 case F_GETFL:
2480                 case F_GETOWN:
2481                 case F_GETSIG:
2482                         /* Just check FD__USE permission */
2483                         err = file_has_perm(current, file, 0);
2484                         break;
2485                 case F_GETLK:
2486                 case F_SETLK:
2487                 case F_SETLKW:
2488 #if BITS_PER_LONG == 32
2489                 case F_GETLK64:
2490                 case F_SETLK64:
2491                 case F_SETLKW64:
2492 #endif
2493                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2494                                 err = -EINVAL;
2495                                 break;
2496                         }
2497                         err = file_has_perm(current, file, FILE__LOCK);
2498                         break;
2499         }
2500
2501         return err;
2502 }
2503
2504 static int selinux_file_set_fowner(struct file *file)
2505 {
2506         struct task_security_struct *tsec;
2507         struct file_security_struct *fsec;
2508
2509         tsec = current->security;
2510         fsec = file->f_security;
2511         fsec->fown_sid = tsec->sid;
2512
2513         return 0;
2514 }
2515
2516 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2517                                        struct fown_struct *fown, int signum)
2518 {
2519         struct file *file;
2520         u32 perm;
2521         struct task_security_struct *tsec;
2522         struct file_security_struct *fsec;
2523
2524         /* struct fown_struct is never outside the context of a struct file */
2525         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2526
2527         tsec = tsk->security;
2528         fsec = file->f_security;
2529
2530         if (!signum)
2531                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2532         else
2533                 perm = signal_to_av(signum);
2534
2535         return avc_has_perm(fsec->fown_sid, tsec->sid,
2536                             SECCLASS_PROCESS, perm, NULL);
2537 }
2538
2539 static int selinux_file_receive(struct file *file)
2540 {
2541         return file_has_perm(current, file, file_to_av(file));
2542 }
2543
2544 /* task security operations */
2545
2546 static int selinux_task_create(unsigned long clone_flags)
2547 {
2548         int rc;
2549
2550         rc = secondary_ops->task_create(clone_flags);
2551         if (rc)
2552                 return rc;
2553
2554         return task_has_perm(current, current, PROCESS__FORK);
2555 }
2556
2557 static int selinux_task_alloc_security(struct task_struct *tsk)
2558 {
2559         struct task_security_struct *tsec1, *tsec2;
2560         int rc;
2561
2562         tsec1 = current->security;
2563
2564         rc = task_alloc_security(tsk);
2565         if (rc)
2566                 return rc;
2567         tsec2 = tsk->security;
2568
2569         tsec2->osid = tsec1->osid;
2570         tsec2->sid = tsec1->sid;
2571
2572         /* Retain the exec and create SIDs across fork */
2573         tsec2->exec_sid = tsec1->exec_sid;
2574         tsec2->create_sid = tsec1->create_sid;
2575
2576         /* Retain ptracer SID across fork, if any.
2577            This will be reset by the ptrace hook upon any
2578            subsequent ptrace_attach operations. */
2579         tsec2->ptrace_sid = tsec1->ptrace_sid;
2580
2581         return 0;
2582 }
2583
2584 static void selinux_task_free_security(struct task_struct *tsk)
2585 {
2586         task_free_security(tsk);
2587 }
2588
2589 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2590 {
2591         /* Since setuid only affects the current process, and
2592            since the SELinux controls are not based on the Linux
2593            identity attributes, SELinux does not need to control
2594            this operation.  However, SELinux does control the use
2595            of the CAP_SETUID and CAP_SETGID capabilities using the
2596            capable hook. */
2597         return 0;
2598 }
2599
2600 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2601 {
2602         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2603 }
2604
2605 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2606 {
2607         /* See the comment for setuid above. */
2608         return 0;
2609 }
2610
2611 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2612 {
2613         return task_has_perm(current, p, PROCESS__SETPGID);
2614 }
2615
2616 static int selinux_task_getpgid(struct task_struct *p)
2617 {
2618         return task_has_perm(current, p, PROCESS__GETPGID);
2619 }
2620
2621 static int selinux_task_getsid(struct task_struct *p)
2622 {
2623         return task_has_perm(current, p, PROCESS__GETSESSION);
2624 }
2625
2626 static int selinux_task_setgroups(struct group_info *group_info)
2627 {
2628         /* See the comment for setuid above. */
2629         return 0;
2630 }
2631
2632 static int selinux_task_setnice(struct task_struct *p, int nice)
2633 {
2634         int rc;
2635
2636         rc = secondary_ops->task_setnice(p, nice);
2637         if (rc)
2638                 return rc;
2639
2640         return task_has_perm(current,p, PROCESS__SETSCHED);
2641 }
2642
2643 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2644 {
2645         struct rlimit *old_rlim = current->signal->rlim + resource;
2646         int rc;
2647
2648         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2649         if (rc)
2650                 return rc;
2651
2652         /* Control the ability to change the hard limit (whether
2653            lowering or raising it), so that the hard limit can
2654            later be used as a safe reset point for the soft limit
2655            upon context transitions. See selinux_bprm_apply_creds. */
2656         if (old_rlim->rlim_max != new_rlim->rlim_max)
2657                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2658
2659         return 0;
2660 }
2661
2662 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2663 {
2664         return task_has_perm(current, p, PROCESS__SETSCHED);
2665 }
2666
2667 static int selinux_task_getscheduler(struct task_struct *p)
2668 {
2669         return task_has_perm(current, p, PROCESS__GETSCHED);
2670 }
2671
2672 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2673 {
2674         u32 perm;
2675         int rc;
2676
2677         rc = secondary_ops->task_kill(p, info, sig);
2678         if (rc)
2679                 return rc;
2680
2681         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2682                 return 0;
2683
2684         if (!sig)
2685                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2686         else
2687                 perm = signal_to_av(sig);
2688
2689         return task_has_perm(current, p, perm);
2690 }
2691
2692 static int selinux_task_prctl(int option,
2693                               unsigned long arg2,
2694                               unsigned long arg3,
2695                               unsigned long arg4,
2696                               unsigned long arg5)
2697 {
2698         /* The current prctl operations do not appear to require
2699            any SELinux controls since they merely observe or modify
2700            the state of the current process. */
2701         return 0;
2702 }
2703
2704 static int selinux_task_wait(struct task_struct *p)
2705 {
2706         u32 perm;
2707
2708         perm = signal_to_av(p->exit_signal);
2709
2710         return task_has_perm(p, current, perm);
2711 }
2712
2713 static void selinux_task_reparent_to_init(struct task_struct *p)
2714 {
2715         struct task_security_struct *tsec;
2716
2717         secondary_ops->task_reparent_to_init(p);
2718
2719         tsec = p->security;
2720         tsec->osid = tsec->sid;
2721         tsec->sid = SECINITSID_KERNEL;
2722         return;
2723 }
2724
2725 static void selinux_task_to_inode(struct task_struct *p,
2726                                   struct inode *inode)
2727 {
2728         struct task_security_struct *tsec = p->security;
2729         struct inode_security_struct *isec = inode->i_security;
2730
2731         isec->sid = tsec->sid;
2732         isec->initialized = 1;
2733         return;
2734 }
2735
2736 /* Returns error only if unable to parse addresses */
2737 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2738 {
2739         int offset, ihlen, ret = -EINVAL;
2740         struct iphdr _iph, *ih;
2741
2742         offset = skb->nh.raw - skb->data;
2743         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2744         if (ih == NULL)
2745                 goto out;
2746
2747         ihlen = ih->ihl * 4;
2748         if (ihlen < sizeof(_iph))
2749                 goto out;
2750
2751         ad->u.net.v4info.saddr = ih->saddr;
2752         ad->u.net.v4info.daddr = ih->daddr;
2753         ret = 0;
2754
2755         switch (ih->protocol) {
2756         case IPPROTO_TCP: {
2757                 struct tcphdr _tcph, *th;
2758
2759                 if (ntohs(ih->frag_off) & IP_OFFSET)
2760                         break;
2761
2762                 offset += ihlen;
2763                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2764                 if (th == NULL)
2765                         break;
2766
2767                 ad->u.net.sport = th->source;
2768                 ad->u.net.dport = th->dest;
2769                 break;
2770         }
2771         
2772         case IPPROTO_UDP: {
2773                 struct udphdr _udph, *uh;
2774                 
2775                 if (ntohs(ih->frag_off) & IP_OFFSET)
2776                         break;
2777                         
2778                 offset += ihlen;
2779                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2780                 if (uh == NULL)
2781                         break;  
2782
2783                 ad->u.net.sport = uh->source;
2784                 ad->u.net.dport = uh->dest;
2785                 break;
2786         }
2787
2788         default:
2789                 break;
2790         }
2791 out:
2792         return ret;
2793 }
2794
2795 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2796
2797 /* Returns error only if unable to parse addresses */
2798 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2799 {
2800         u8 nexthdr;
2801         int ret = -EINVAL, offset;
2802         struct ipv6hdr _ipv6h, *ip6;
2803
2804         offset = skb->nh.raw - skb->data;
2805         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2806         if (ip6 == NULL)
2807                 goto out;
2808
2809         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2810         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2811         ret = 0;
2812
2813         nexthdr = ip6->nexthdr;
2814         offset += sizeof(_ipv6h);
2815         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2816         if (offset < 0)
2817                 goto out;
2818
2819         switch (nexthdr) {
2820         case IPPROTO_TCP: {
2821                 struct tcphdr _tcph, *th;
2822
2823                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2824                 if (th == NULL)
2825                         break;
2826
2827                 ad->u.net.sport = th->source;
2828                 ad->u.net.dport = th->dest;
2829                 break;
2830         }
2831
2832         case IPPROTO_UDP: {
2833                 struct udphdr _udph, *uh;
2834
2835                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2836                 if (uh == NULL)
2837                         break;
2838
2839                 ad->u.net.sport = uh->source;
2840                 ad->u.net.dport = uh->dest;
2841                 break;
2842         }
2843
2844         /* includes fragments */
2845         default:
2846                 break;
2847         }
2848 out:
2849         return ret;
2850 }
2851
2852 #endif /* IPV6 */
2853
2854 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2855                              char **addrp, int *len, int src)
2856 {
2857         int ret = 0;
2858
2859         switch (ad->u.net.family) {
2860         case PF_INET:
2861                 ret = selinux_parse_skb_ipv4(skb, ad);
2862                 if (ret || !addrp)
2863                         break;
2864                 *len = 4;
2865                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2866                                         &ad->u.net.v4info.daddr);
2867                 break;
2868
2869 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2870         case PF_INET6:
2871                 ret = selinux_parse_skb_ipv6(skb, ad);
2872                 if (ret || !addrp)
2873                         break;
2874                 *len = 16;
2875                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2876                                         &ad->u.net.v6info.daddr);
2877                 break;
2878 #endif  /* IPV6 */
2879         default:
2880                 break;
2881         }
2882
2883         return ret;
2884 }
2885
2886 /* socket security operations */
2887 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2888                            u32 perms)
2889 {
2890         struct inode_security_struct *isec;
2891         struct task_security_struct *tsec;
2892         struct avc_audit_data ad;
2893         int err = 0;
2894
2895         tsec = task->security;
2896         isec = SOCK_INODE(sock)->i_security;
2897
2898         if (isec->sid == SECINITSID_KERNEL)
2899                 goto out;
2900
2901         AVC_AUDIT_DATA_INIT(&ad,NET);
2902         ad.u.net.sk = sock->sk;
2903         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2904
2905 out:
2906         return err;
2907 }
2908
2909 static int selinux_socket_create(int family, int type,
2910                                  int protocol, int kern)
2911 {
2912         int err = 0;
2913         struct task_security_struct *tsec;
2914
2915         if (kern)
2916                 goto out;
2917
2918         tsec = current->security;
2919         err = avc_has_perm(tsec->sid, tsec->sid,
2920                            socket_type_to_security_class(family, type,
2921                            protocol), SOCKET__CREATE, NULL);
2922
2923 out:
2924         return err;
2925 }
2926
2927 static void selinux_socket_post_create(struct socket *sock, int family,
2928                                        int type, int protocol, int kern)
2929 {
2930         struct inode_security_struct *isec;
2931         struct task_security_struct *tsec;
2932
2933         isec = SOCK_INODE(sock)->i_security;
2934
2935         tsec = current->security;
2936         isec->sclass = socket_type_to_security_class(family, type, protocol);
2937         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2938         isec->initialized = 1;
2939
2940         return;
2941 }
2942
2943 /* Range of port numbers used to automatically bind.
2944    Need to determine whether we should perform a name_bind
2945    permission check between the socket and the port number. */
2946 #define ip_local_port_range_0 sysctl_local_port_range[0]
2947 #define ip_local_port_range_1 sysctl_local_port_range[1]
2948
2949 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2950 {
2951         u16 family;
2952         int err;
2953
2954         err = socket_has_perm(current, sock, SOCKET__BIND);
2955         if (err)
2956                 goto out;
2957
2958         /*
2959          * If PF_INET or PF_INET6, check name_bind permission for the port.
2960          * Multiple address binding for SCTP is not supported yet: we just
2961          * check the first address now.
2962          */
2963         family = sock->sk->sk_family;
2964         if (family == PF_INET || family == PF_INET6) {
2965                 char *addrp;
2966                 struct inode_security_struct *isec;
2967                 struct task_security_struct *tsec;
2968                 struct avc_audit_data ad;
2969                 struct sockaddr_in *addr4 = NULL;
2970                 struct sockaddr_in6 *addr6 = NULL;
2971                 unsigned short snum;
2972                 struct sock *sk = sock->sk;
2973                 u32 sid, node_perm, addrlen;
2974
2975                 tsec = current->security;
2976                 isec = SOCK_INODE(sock)->i_security;
2977
2978                 if (family == PF_INET) {
2979                         addr4 = (struct sockaddr_in *)address;
2980                         snum = ntohs(addr4->sin_port);
2981                         addrlen = sizeof(addr4->sin_addr.s_addr);
2982                         addrp = (char *)&addr4->sin_addr.s_addr;
2983                 } else {
2984                         addr6 = (struct sockaddr_in6 *)address;
2985                         snum = ntohs(addr6->sin6_port);
2986                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2987                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2988                 }
2989
2990                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2991                            snum > ip_local_port_range_1)) {
2992                         err = security_port_sid(sk->sk_family, sk->sk_type,
2993                                                 sk->sk_protocol, snum, &sid);
2994                         if (err)
2995                                 goto out;
2996                         AVC_AUDIT_DATA_INIT(&ad,NET);
2997                         ad.u.net.sport = htons(snum);
2998                         ad.u.net.family = family;
2999                         err = avc_has_perm(isec->sid, sid,
3000                                            isec->sclass,
3001                                            SOCKET__NAME_BIND, &ad);
3002                         if (err)
3003                                 goto out;
3004                 }
3005                 
3006                 switch(isec->sclass) {
3007                 case SECCLASS_TCP_SOCKET:
3008                         node_perm = TCP_SOCKET__NODE_BIND;
3009                         break;
3010                         
3011                 case SECCLASS_UDP_SOCKET:
3012                         node_perm = UDP_SOCKET__NODE_BIND;
3013                         break;
3014                         
3015                 default:
3016                         node_perm = RAWIP_SOCKET__NODE_BIND;
3017                         break;
3018                 }
3019                 
3020                 err = security_node_sid(family, addrp, addrlen, &sid);
3021                 if (err)
3022                         goto out;
3023                 
3024                 AVC_AUDIT_DATA_INIT(&ad,NET);
3025                 ad.u.net.sport = htons(snum);
3026                 ad.u.net.family = family;
3027
3028                 if (family == PF_INET)
3029                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3030                 else
3031                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3032
3033                 err = avc_has_perm(isec->sid, sid,
3034                                    isec->sclass, node_perm, &ad);
3035                 if (err)
3036                         goto out;
3037         }
3038 out:
3039         return err;
3040 }
3041
3042 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3043 {
3044         struct inode_security_struct *isec;
3045         int err;
3046
3047         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3048         if (err)
3049                 return err;
3050
3051         /*
3052          * If a TCP socket, check name_connect permission for the port.
3053          */
3054         isec = SOCK_INODE(sock)->i_security;
3055         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3056                 struct sock *sk = sock->sk;
3057                 struct avc_audit_data ad;
3058                 struct sockaddr_in *addr4 = NULL;
3059                 struct sockaddr_in6 *addr6 = NULL;
3060                 unsigned short snum;
3061                 u32 sid;
3062
3063                 if (sk->sk_family == PF_INET) {
3064                         addr4 = (struct sockaddr_in *)address;
3065                         if (addrlen < sizeof(struct sockaddr_in))
3066                                 return -EINVAL;
3067                         snum = ntohs(addr4->sin_port);
3068                 } else {
3069                         addr6 = (struct sockaddr_in6 *)address;
3070                         if (addrlen < SIN6_LEN_RFC2133)
3071                                 return -EINVAL;
3072                         snum = ntohs(addr6->sin6_port);
3073                 }
3074
3075                 err = security_port_sid(sk->sk_family, sk->sk_type,
3076                                         sk->sk_protocol, snum, &sid);
3077                 if (err)
3078                         goto out;
3079
3080                 AVC_AUDIT_DATA_INIT(&ad,NET);
3081                 ad.u.net.dport = htons(snum);
3082                 ad.u.net.family = sk->sk_family;
3083                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3084                                    TCP_SOCKET__NAME_CONNECT, &ad);
3085                 if (err)
3086                         goto out;
3087         }
3088
3089 out:
3090         return err;
3091 }
3092
3093 static int selinux_socket_listen(struct socket *sock, int backlog)
3094 {
3095         return socket_has_perm(current, sock, SOCKET__LISTEN);
3096 }
3097
3098 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3099 {
3100         int err;
3101         struct inode_security_struct *isec;
3102         struct inode_security_struct *newisec;
3103
3104         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3105         if (err)
3106                 return err;
3107
3108         newisec = SOCK_INODE(newsock)->i_security;
3109
3110         isec = SOCK_INODE(sock)->i_security;
3111         newisec->sclass = isec->sclass;
3112         newisec->sid = isec->sid;
3113         newisec->initialized = 1;
3114
3115         return 0;
3116 }
3117
3118 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3119                                   int size)
3120 {
3121         return socket_has_perm(current, sock, SOCKET__WRITE);
3122 }
3123
3124 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3125                                   int size, int flags)
3126 {
3127         return socket_has_perm(current, sock, SOCKET__READ);
3128 }
3129
3130 static int selinux_socket_getsockname(struct socket *sock)
3131 {
3132         return socket_has_perm(current, sock, SOCKET__GETATTR);
3133 }
3134
3135 static int selinux_socket_getpeername(struct socket *sock)
3136 {
3137         return socket_has_perm(current, sock, SOCKET__GETATTR);
3138 }
3139
3140 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3141 {
3142         return socket_has_perm(current, sock, SOCKET__SETOPT);
3143 }
3144
3145 static int selinux_socket_getsockopt(struct socket *sock, int level,
3146                                      int optname)
3147 {
3148         return socket_has_perm(current, sock, SOCKET__GETOPT);
3149 }
3150
3151 static int selinux_socket_shutdown(struct socket *sock, int how)
3152 {
3153         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3154 }
3155
3156 static int selinux_socket_unix_stream_connect(struct socket *sock,
3157                                               struct socket *other,
3158                                               struct sock *newsk)
3159 {
3160         struct sk_security_struct *ssec;
3161         struct inode_security_struct *isec;
3162         struct inode_security_struct *other_isec;
3163         struct avc_audit_data ad;
3164         int err;
3165
3166         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3167         if (err)
3168                 return err;
3169
3170         isec = SOCK_INODE(sock)->i_security;
3171         other_isec = SOCK_INODE(other)->i_security;
3172
3173         AVC_AUDIT_DATA_INIT(&ad,NET);
3174         ad.u.net.sk = other->sk;
3175
3176         err = avc_has_perm(isec->sid, other_isec->sid,
3177                            isec->sclass,
3178                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3179         if (err)
3180                 return err;
3181
3182         /* connecting socket */
3183         ssec = sock->sk->sk_security;
3184         ssec->peer_sid = other_isec->sid;
3185         
3186         /* server child socket */
3187         ssec = newsk->sk_security;
3188         ssec->peer_sid = isec->sid;
3189         
3190         return 0;
3191 }
3192
3193 static int selinux_socket_unix_may_send(struct socket *sock,
3194                                         struct socket *other)
3195 {
3196         struct inode_security_struct *isec;
3197         struct inode_security_struct *other_isec;
3198         struct avc_audit_data ad;
3199         int err;
3200
3201         isec = SOCK_INODE(sock)->i_security;
3202         other_isec = SOCK_INODE(other)->i_security;
3203
3204         AVC_AUDIT_DATA_INIT(&ad,NET);
3205         ad.u.net.sk = other->sk;
3206
3207         err&