xref: /linux/security/selinux/hooks.c (revision 34f7c6e7d4396090692a09789db231e12cb4762b)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105 
106 struct selinux_state selinux_state;
107 
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110 
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot __initdata;
113 
114 static int __init enforcing_setup(char *str)
115 {
116 	unsigned long enforcing;
117 	if (!kstrtoul(str, 0, &enforcing))
118 		selinux_enforcing_boot = enforcing ? 1 : 0;
119 	return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125 
126 int selinux_enabled_boot __initdata = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 	unsigned long enabled;
131 	if (!kstrtoul(str, 0, &enabled))
132 		selinux_enabled_boot = enabled ? 1 : 0;
133 	return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 		if (checkreqprot)
148 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
149 	}
150 	return 1;
151 }
152 __setup("checkreqprot=", checkreqprot_setup);
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct task_security_struct *tsec;
214 
215 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
216 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
217 }
218 
219 /*
220  * get the security ID of a set of credentials
221  */
222 static inline u32 cred_sid(const struct cred *cred)
223 {
224 	const struct task_security_struct *tsec;
225 
226 	tsec = selinux_cred(cred);
227 	return tsec->sid;
228 }
229 
230 /*
231  * get the objective security ID of a task
232  */
233 static inline u32 task_sid_obj(const struct task_struct *task)
234 {
235 	u32 sid;
236 
237 	rcu_read_lock();
238 	sid = cred_sid(__task_cred(task));
239 	rcu_read_unlock();
240 	return sid;
241 }
242 
243 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
244 
245 /*
246  * Try reloading inode security labels that have been marked as invalid.  The
247  * @may_sleep parameter indicates when sleeping and thus reloading labels is
248  * allowed; when set to false, returns -ECHILD when the label is
249  * invalid.  The @dentry parameter should be set to a dentry of the inode.
250  */
251 static int __inode_security_revalidate(struct inode *inode,
252 				       struct dentry *dentry,
253 				       bool may_sleep)
254 {
255 	struct inode_security_struct *isec = selinux_inode(inode);
256 
257 	might_sleep_if(may_sleep);
258 
259 	if (selinux_initialized(&selinux_state) &&
260 	    isec->initialized != LABEL_INITIALIZED) {
261 		if (!may_sleep)
262 			return -ECHILD;
263 
264 		/*
265 		 * Try reloading the inode security label.  This will fail if
266 		 * @opt_dentry is NULL and no dentry for this inode can be
267 		 * found; in that case, continue using the old label.
268 		 */
269 		inode_doinit_with_dentry(inode, dentry);
270 	}
271 	return 0;
272 }
273 
274 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
275 {
276 	return selinux_inode(inode);
277 }
278 
279 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
280 {
281 	int error;
282 
283 	error = __inode_security_revalidate(inode, NULL, !rcu);
284 	if (error)
285 		return ERR_PTR(error);
286 	return selinux_inode(inode);
287 }
288 
289 /*
290  * Get the security label of an inode.
291  */
292 static struct inode_security_struct *inode_security(struct inode *inode)
293 {
294 	__inode_security_revalidate(inode, NULL, true);
295 	return selinux_inode(inode);
296 }
297 
298 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
299 {
300 	struct inode *inode = d_backing_inode(dentry);
301 
302 	return selinux_inode(inode);
303 }
304 
305 /*
306  * Get the security label of a dentry's backing inode.
307  */
308 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
309 {
310 	struct inode *inode = d_backing_inode(dentry);
311 
312 	__inode_security_revalidate(inode, dentry, true);
313 	return selinux_inode(inode);
314 }
315 
316 static void inode_free_security(struct inode *inode)
317 {
318 	struct inode_security_struct *isec = selinux_inode(inode);
319 	struct superblock_security_struct *sbsec;
320 
321 	if (!isec)
322 		return;
323 	sbsec = selinux_superblock(inode->i_sb);
324 	/*
325 	 * As not all inode security structures are in a list, we check for
326 	 * empty list outside of the lock to make sure that we won't waste
327 	 * time taking a lock doing nothing.
328 	 *
329 	 * The list_del_init() function can be safely called more than once.
330 	 * It should not be possible for this function to be called with
331 	 * concurrent list_add(), but for better safety against future changes
332 	 * in the code, we use list_empty_careful() here.
333 	 */
334 	if (!list_empty_careful(&isec->list)) {
335 		spin_lock(&sbsec->isec_lock);
336 		list_del_init(&isec->list);
337 		spin_unlock(&sbsec->isec_lock);
338 	}
339 }
340 
341 struct selinux_mnt_opts {
342 	u32 fscontext_sid;
343 	u32 context_sid;
344 	u32 rootcontext_sid;
345 	u32 defcontext_sid;
346 };
347 
348 static void selinux_free_mnt_opts(void *mnt_opts)
349 {
350 	kfree(mnt_opts);
351 }
352 
353 enum {
354 	Opt_error = -1,
355 	Opt_context = 0,
356 	Opt_defcontext = 1,
357 	Opt_fscontext = 2,
358 	Opt_rootcontext = 3,
359 	Opt_seclabel = 4,
360 };
361 
362 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
363 static struct {
364 	const char *name;
365 	int len;
366 	int opt;
367 	bool has_arg;
368 } tokens[] = {
369 	A(context, true),
370 	A(fscontext, true),
371 	A(defcontext, true),
372 	A(rootcontext, true),
373 	A(seclabel, false),
374 };
375 #undef A
376 
377 static int match_opt_prefix(char *s, int l, char **arg)
378 {
379 	int i;
380 
381 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
382 		size_t len = tokens[i].len;
383 		if (len > l || memcmp(s, tokens[i].name, len))
384 			continue;
385 		if (tokens[i].has_arg) {
386 			if (len == l || s[len] != '=')
387 				continue;
388 			*arg = s + len + 1;
389 		} else if (len != l)
390 			continue;
391 		return tokens[i].opt;
392 	}
393 	return Opt_error;
394 }
395 
396 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
397 
398 static int may_context_mount_sb_relabel(u32 sid,
399 			struct superblock_security_struct *sbsec,
400 			const struct cred *cred)
401 {
402 	const struct task_security_struct *tsec = selinux_cred(cred);
403 	int rc;
404 
405 	rc = avc_has_perm(&selinux_state,
406 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
407 			  FILESYSTEM__RELABELFROM, NULL);
408 	if (rc)
409 		return rc;
410 
411 	rc = avc_has_perm(&selinux_state,
412 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
413 			  FILESYSTEM__RELABELTO, NULL);
414 	return rc;
415 }
416 
417 static int may_context_mount_inode_relabel(u32 sid,
418 			struct superblock_security_struct *sbsec,
419 			const struct cred *cred)
420 {
421 	const struct task_security_struct *tsec = selinux_cred(cred);
422 	int rc;
423 	rc = avc_has_perm(&selinux_state,
424 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
425 			  FILESYSTEM__RELABELFROM, NULL);
426 	if (rc)
427 		return rc;
428 
429 	rc = avc_has_perm(&selinux_state,
430 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
431 			  FILESYSTEM__ASSOCIATE, NULL);
432 	return rc;
433 }
434 
435 static int selinux_is_genfs_special_handling(struct super_block *sb)
436 {
437 	/* Special handling. Genfs but also in-core setxattr handler */
438 	return	!strcmp(sb->s_type->name, "sysfs") ||
439 		!strcmp(sb->s_type->name, "pstore") ||
440 		!strcmp(sb->s_type->name, "debugfs") ||
441 		!strcmp(sb->s_type->name, "tracefs") ||
442 		!strcmp(sb->s_type->name, "rootfs") ||
443 		(selinux_policycap_cgroupseclabel() &&
444 		 (!strcmp(sb->s_type->name, "cgroup") ||
445 		  !strcmp(sb->s_type->name, "cgroup2")));
446 }
447 
448 static int selinux_is_sblabel_mnt(struct super_block *sb)
449 {
450 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
451 
452 	/*
453 	 * IMPORTANT: Double-check logic in this function when adding a new
454 	 * SECURITY_FS_USE_* definition!
455 	 */
456 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
457 
458 	switch (sbsec->behavior) {
459 	case SECURITY_FS_USE_XATTR:
460 	case SECURITY_FS_USE_TRANS:
461 	case SECURITY_FS_USE_TASK:
462 	case SECURITY_FS_USE_NATIVE:
463 		return 1;
464 
465 	case SECURITY_FS_USE_GENFS:
466 		return selinux_is_genfs_special_handling(sb);
467 
468 	/* Never allow relabeling on context mounts */
469 	case SECURITY_FS_USE_MNTPOINT:
470 	case SECURITY_FS_USE_NONE:
471 	default:
472 		return 0;
473 	}
474 }
475 
476 static int sb_check_xattr_support(struct super_block *sb)
477 {
478 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
479 	struct dentry *root = sb->s_root;
480 	struct inode *root_inode = d_backing_inode(root);
481 	u32 sid;
482 	int rc;
483 
484 	/*
485 	 * Make sure that the xattr handler exists and that no
486 	 * error other than -ENODATA is returned by getxattr on
487 	 * the root directory.  -ENODATA is ok, as this may be
488 	 * the first boot of the SELinux kernel before we have
489 	 * assigned xattr values to the filesystem.
490 	 */
491 	if (!(root_inode->i_opflags & IOP_XATTR)) {
492 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
493 			sb->s_id, sb->s_type->name);
494 		goto fallback;
495 	}
496 
497 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
498 	if (rc < 0 && rc != -ENODATA) {
499 		if (rc == -EOPNOTSUPP) {
500 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
501 				sb->s_id, sb->s_type->name);
502 			goto fallback;
503 		} else {
504 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
505 				sb->s_id, sb->s_type->name, -rc);
506 			return rc;
507 		}
508 	}
509 	return 0;
510 
511 fallback:
512 	/* No xattr support - try to fallback to genfs if possible. */
513 	rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
514 				SECCLASS_DIR, &sid);
515 	if (rc)
516 		return -EOPNOTSUPP;
517 
518 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
519 		sb->s_id, sb->s_type->name);
520 	sbsec->behavior = SECURITY_FS_USE_GENFS;
521 	sbsec->sid = sid;
522 	return 0;
523 }
524 
525 static int sb_finish_set_opts(struct super_block *sb)
526 {
527 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
528 	struct dentry *root = sb->s_root;
529 	struct inode *root_inode = d_backing_inode(root);
530 	int rc = 0;
531 
532 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
533 		rc = sb_check_xattr_support(sb);
534 		if (rc)
535 			return rc;
536 	}
537 
538 	sbsec->flags |= SE_SBINITIALIZED;
539 
540 	/*
541 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
542 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
543 	 * us a superblock that needs the flag to be cleared.
544 	 */
545 	if (selinux_is_sblabel_mnt(sb))
546 		sbsec->flags |= SBLABEL_MNT;
547 	else
548 		sbsec->flags &= ~SBLABEL_MNT;
549 
550 	/* Initialize the root inode. */
551 	rc = inode_doinit_with_dentry(root_inode, root);
552 
553 	/* Initialize any other inodes associated with the superblock, e.g.
554 	   inodes created prior to initial policy load or inodes created
555 	   during get_sb by a pseudo filesystem that directly
556 	   populates itself. */
557 	spin_lock(&sbsec->isec_lock);
558 	while (!list_empty(&sbsec->isec_head)) {
559 		struct inode_security_struct *isec =
560 				list_first_entry(&sbsec->isec_head,
561 					   struct inode_security_struct, list);
562 		struct inode *inode = isec->inode;
563 		list_del_init(&isec->list);
564 		spin_unlock(&sbsec->isec_lock);
565 		inode = igrab(inode);
566 		if (inode) {
567 			if (!IS_PRIVATE(inode))
568 				inode_doinit_with_dentry(inode, NULL);
569 			iput(inode);
570 		}
571 		spin_lock(&sbsec->isec_lock);
572 	}
573 	spin_unlock(&sbsec->isec_lock);
574 	return rc;
575 }
576 
577 static int bad_option(struct superblock_security_struct *sbsec, char flag,
578 		      u32 old_sid, u32 new_sid)
579 {
580 	char mnt_flags = sbsec->flags & SE_MNTMASK;
581 
582 	/* check if the old mount command had the same options */
583 	if (sbsec->flags & SE_SBINITIALIZED)
584 		if (!(sbsec->flags & flag) ||
585 		    (old_sid != new_sid))
586 			return 1;
587 
588 	/* check if we were passed the same options twice,
589 	 * aka someone passed context=a,context=b
590 	 */
591 	if (!(sbsec->flags & SE_SBINITIALIZED))
592 		if (mnt_flags & flag)
593 			return 1;
594 	return 0;
595 }
596 
597 /*
598  * Allow filesystems with binary mount data to explicitly set mount point
599  * labeling information.
600  */
601 static int selinux_set_mnt_opts(struct super_block *sb,
602 				void *mnt_opts,
603 				unsigned long kern_flags,
604 				unsigned long *set_kern_flags)
605 {
606 	const struct cred *cred = current_cred();
607 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
608 	struct dentry *root = sb->s_root;
609 	struct selinux_mnt_opts *opts = mnt_opts;
610 	struct inode_security_struct *root_isec;
611 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
612 	u32 defcontext_sid = 0;
613 	int rc = 0;
614 
615 	mutex_lock(&sbsec->lock);
616 
617 	if (!selinux_initialized(&selinux_state)) {
618 		if (!opts) {
619 			/* Defer initialization until selinux_complete_init,
620 			   after the initial policy is loaded and the security
621 			   server is ready to handle calls. */
622 			goto out;
623 		}
624 		rc = -EINVAL;
625 		pr_warn("SELinux: Unable to set superblock options "
626 			"before the security server is initialized\n");
627 		goto out;
628 	}
629 	if (kern_flags && !set_kern_flags) {
630 		/* Specifying internal flags without providing a place to
631 		 * place the results is not allowed */
632 		rc = -EINVAL;
633 		goto out;
634 	}
635 
636 	/*
637 	 * Binary mount data FS will come through this function twice.  Once
638 	 * from an explicit call and once from the generic calls from the vfs.
639 	 * Since the generic VFS calls will not contain any security mount data
640 	 * we need to skip the double mount verification.
641 	 *
642 	 * This does open a hole in which we will not notice if the first
643 	 * mount using this sb set explict options and a second mount using
644 	 * this sb does not set any security options.  (The first options
645 	 * will be used for both mounts)
646 	 */
647 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
648 	    && !opts)
649 		goto out;
650 
651 	root_isec = backing_inode_security_novalidate(root);
652 
653 	/*
654 	 * parse the mount options, check if they are valid sids.
655 	 * also check if someone is trying to mount the same sb more
656 	 * than once with different security options.
657 	 */
658 	if (opts) {
659 		if (opts->fscontext_sid) {
660 			fscontext_sid = opts->fscontext_sid;
661 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
662 					fscontext_sid))
663 				goto out_double_mount;
664 			sbsec->flags |= FSCONTEXT_MNT;
665 		}
666 		if (opts->context_sid) {
667 			context_sid = opts->context_sid;
668 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
669 					context_sid))
670 				goto out_double_mount;
671 			sbsec->flags |= CONTEXT_MNT;
672 		}
673 		if (opts->rootcontext_sid) {
674 			rootcontext_sid = opts->rootcontext_sid;
675 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
676 					rootcontext_sid))
677 				goto out_double_mount;
678 			sbsec->flags |= ROOTCONTEXT_MNT;
679 		}
680 		if (opts->defcontext_sid) {
681 			defcontext_sid = opts->defcontext_sid;
682 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
683 					defcontext_sid))
684 				goto out_double_mount;
685 			sbsec->flags |= DEFCONTEXT_MNT;
686 		}
687 	}
688 
689 	if (sbsec->flags & SE_SBINITIALIZED) {
690 		/* previously mounted with options, but not on this attempt? */
691 		if ((sbsec->flags & SE_MNTMASK) && !opts)
692 			goto out_double_mount;
693 		rc = 0;
694 		goto out;
695 	}
696 
697 	if (strcmp(sb->s_type->name, "proc") == 0)
698 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
699 
700 	if (!strcmp(sb->s_type->name, "debugfs") ||
701 	    !strcmp(sb->s_type->name, "tracefs") ||
702 	    !strcmp(sb->s_type->name, "binder") ||
703 	    !strcmp(sb->s_type->name, "bpf") ||
704 	    !strcmp(sb->s_type->name, "pstore") ||
705 	    !strcmp(sb->s_type->name, "securityfs"))
706 		sbsec->flags |= SE_SBGENFS;
707 
708 	if (!strcmp(sb->s_type->name, "sysfs") ||
709 	    !strcmp(sb->s_type->name, "cgroup") ||
710 	    !strcmp(sb->s_type->name, "cgroup2"))
711 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
712 
713 	if (!sbsec->behavior) {
714 		/*
715 		 * Determine the labeling behavior to use for this
716 		 * filesystem type.
717 		 */
718 		rc = security_fs_use(&selinux_state, sb);
719 		if (rc) {
720 			pr_warn("%s: security_fs_use(%s) returned %d\n",
721 					__func__, sb->s_type->name, rc);
722 			goto out;
723 		}
724 	}
725 
726 	/*
727 	 * If this is a user namespace mount and the filesystem type is not
728 	 * explicitly whitelisted, then no contexts are allowed on the command
729 	 * line and security labels must be ignored.
730 	 */
731 	if (sb->s_user_ns != &init_user_ns &&
732 	    strcmp(sb->s_type->name, "tmpfs") &&
733 	    strcmp(sb->s_type->name, "ramfs") &&
734 	    strcmp(sb->s_type->name, "devpts") &&
735 	    strcmp(sb->s_type->name, "overlay")) {
736 		if (context_sid || fscontext_sid || rootcontext_sid ||
737 		    defcontext_sid) {
738 			rc = -EACCES;
739 			goto out;
740 		}
741 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
742 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
743 			rc = security_transition_sid(&selinux_state,
744 						     current_sid(),
745 						     current_sid(),
746 						     SECCLASS_FILE, NULL,
747 						     &sbsec->mntpoint_sid);
748 			if (rc)
749 				goto out;
750 		}
751 		goto out_set_opts;
752 	}
753 
754 	/* sets the context of the superblock for the fs being mounted. */
755 	if (fscontext_sid) {
756 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
757 		if (rc)
758 			goto out;
759 
760 		sbsec->sid = fscontext_sid;
761 	}
762 
763 	/*
764 	 * Switch to using mount point labeling behavior.
765 	 * sets the label used on all file below the mountpoint, and will set
766 	 * the superblock context if not already set.
767 	 */
768 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
769 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
770 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
771 	}
772 
773 	if (context_sid) {
774 		if (!fscontext_sid) {
775 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
776 							  cred);
777 			if (rc)
778 				goto out;
779 			sbsec->sid = context_sid;
780 		} else {
781 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
782 							     cred);
783 			if (rc)
784 				goto out;
785 		}
786 		if (!rootcontext_sid)
787 			rootcontext_sid = context_sid;
788 
789 		sbsec->mntpoint_sid = context_sid;
790 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
791 	}
792 
793 	if (rootcontext_sid) {
794 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
795 						     cred);
796 		if (rc)
797 			goto out;
798 
799 		root_isec->sid = rootcontext_sid;
800 		root_isec->initialized = LABEL_INITIALIZED;
801 	}
802 
803 	if (defcontext_sid) {
804 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
805 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
806 			rc = -EINVAL;
807 			pr_warn("SELinux: defcontext option is "
808 			       "invalid for this filesystem type\n");
809 			goto out;
810 		}
811 
812 		if (defcontext_sid != sbsec->def_sid) {
813 			rc = may_context_mount_inode_relabel(defcontext_sid,
814 							     sbsec, cred);
815 			if (rc)
816 				goto out;
817 		}
818 
819 		sbsec->def_sid = defcontext_sid;
820 	}
821 
822 out_set_opts:
823 	rc = sb_finish_set_opts(sb);
824 out:
825 	mutex_unlock(&sbsec->lock);
826 	return rc;
827 out_double_mount:
828 	rc = -EINVAL;
829 	pr_warn("SELinux: mount invalid.  Same superblock, different "
830 	       "security settings for (dev %s, type %s)\n", sb->s_id,
831 	       sb->s_type->name);
832 	goto out;
833 }
834 
835 static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 				    const struct super_block *newsb)
837 {
838 	struct superblock_security_struct *old = selinux_superblock(oldsb);
839 	struct superblock_security_struct *new = selinux_superblock(newsb);
840 	char oldflags = old->flags & SE_MNTMASK;
841 	char newflags = new->flags & SE_MNTMASK;
842 
843 	if (oldflags != newflags)
844 		goto mismatch;
845 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
846 		goto mismatch;
847 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
848 		goto mismatch;
849 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
850 		goto mismatch;
851 	if (oldflags & ROOTCONTEXT_MNT) {
852 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
853 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
854 		if (oldroot->sid != newroot->sid)
855 			goto mismatch;
856 	}
857 	return 0;
858 mismatch:
859 	pr_warn("SELinux: mount invalid.  Same superblock, "
860 			    "different security settings for (dev %s, "
861 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
862 	return -EBUSY;
863 }
864 
865 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
866 					struct super_block *newsb,
867 					unsigned long kern_flags,
868 					unsigned long *set_kern_flags)
869 {
870 	int rc = 0;
871 	const struct superblock_security_struct *oldsbsec =
872 						selinux_superblock(oldsb);
873 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
874 
875 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
876 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
877 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
878 
879 	/*
880 	 * if the parent was able to be mounted it clearly had no special lsm
881 	 * mount options.  thus we can safely deal with this superblock later
882 	 */
883 	if (!selinux_initialized(&selinux_state))
884 		return 0;
885 
886 	/*
887 	 * Specifying internal flags without providing a place to
888 	 * place the results is not allowed.
889 	 */
890 	if (kern_flags && !set_kern_flags)
891 		return -EINVAL;
892 
893 	/* how can we clone if the old one wasn't set up?? */
894 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
895 
896 	/* if fs is reusing a sb, make sure that the contexts match */
897 	if (newsbsec->flags & SE_SBINITIALIZED) {
898 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
900 		return selinux_cmp_sb_context(oldsb, newsb);
901 	}
902 
903 	mutex_lock(&newsbsec->lock);
904 
905 	newsbsec->flags = oldsbsec->flags;
906 
907 	newsbsec->sid = oldsbsec->sid;
908 	newsbsec->def_sid = oldsbsec->def_sid;
909 	newsbsec->behavior = oldsbsec->behavior;
910 
911 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
913 		rc = security_fs_use(&selinux_state, newsb);
914 		if (rc)
915 			goto out;
916 	}
917 
918 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
921 	}
922 
923 	if (set_context) {
924 		u32 sid = oldsbsec->mntpoint_sid;
925 
926 		if (!set_fscontext)
927 			newsbsec->sid = sid;
928 		if (!set_rootcontext) {
929 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
930 			newisec->sid = sid;
931 		}
932 		newsbsec->mntpoint_sid = sid;
933 	}
934 	if (set_rootcontext) {
935 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
937 
938 		newisec->sid = oldisec->sid;
939 	}
940 
941 	sb_finish_set_opts(newsb);
942 out:
943 	mutex_unlock(&newsbsec->lock);
944 	return rc;
945 }
946 
947 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
948 {
949 	struct selinux_mnt_opts *opts = *mnt_opts;
950 	bool is_alloc_opts = false;
951 	u32 *dst_sid;
952 	int rc;
953 
954 	if (token == Opt_seclabel)
955 		/* eaten and completely ignored */
956 		return 0;
957 	if (!s)
958 		return -ENOMEM;
959 
960 	if (!selinux_initialized(&selinux_state)) {
961 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
962 		return -EINVAL;
963 	}
964 
965 	if (!opts) {
966 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
967 		if (!opts)
968 			return -ENOMEM;
969 		*mnt_opts = opts;
970 		is_alloc_opts = true;
971 	}
972 
973 	switch (token) {
974 	case Opt_context:
975 		if (opts->context_sid || opts->defcontext_sid)
976 			goto err;
977 		dst_sid = &opts->context_sid;
978 		break;
979 	case Opt_fscontext:
980 		if (opts->fscontext_sid)
981 			goto err;
982 		dst_sid = &opts->fscontext_sid;
983 		break;
984 	case Opt_rootcontext:
985 		if (opts->rootcontext_sid)
986 			goto err;
987 		dst_sid = &opts->rootcontext_sid;
988 		break;
989 	case Opt_defcontext:
990 		if (opts->context_sid || opts->defcontext_sid)
991 			goto err;
992 		dst_sid = &opts->defcontext_sid;
993 		break;
994 	default:
995 		WARN_ON(1);
996 		return -EINVAL;
997 	}
998 	rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
999 	if (rc)
1000 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1001 			s, rc);
1002 	return rc;
1003 
1004 err:
1005 	if (is_alloc_opts) {
1006 		kfree(opts);
1007 		*mnt_opts = NULL;
1008 	}
1009 	pr_warn(SEL_MOUNT_FAIL_MSG);
1010 	return -EINVAL;
1011 }
1012 
1013 static int show_sid(struct seq_file *m, u32 sid)
1014 {
1015 	char *context = NULL;
1016 	u32 len;
1017 	int rc;
1018 
1019 	rc = security_sid_to_context(&selinux_state, sid,
1020 					     &context, &len);
1021 	if (!rc) {
1022 		bool has_comma = context && strchr(context, ',');
1023 
1024 		seq_putc(m, '=');
1025 		if (has_comma)
1026 			seq_putc(m, '\"');
1027 		seq_escape(m, context, "\"\n\\");
1028 		if (has_comma)
1029 			seq_putc(m, '\"');
1030 	}
1031 	kfree(context);
1032 	return rc;
1033 }
1034 
1035 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1036 {
1037 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1038 	int rc;
1039 
1040 	if (!(sbsec->flags & SE_SBINITIALIZED))
1041 		return 0;
1042 
1043 	if (!selinux_initialized(&selinux_state))
1044 		return 0;
1045 
1046 	if (sbsec->flags & FSCONTEXT_MNT) {
1047 		seq_putc(m, ',');
1048 		seq_puts(m, FSCONTEXT_STR);
1049 		rc = show_sid(m, sbsec->sid);
1050 		if (rc)
1051 			return rc;
1052 	}
1053 	if (sbsec->flags & CONTEXT_MNT) {
1054 		seq_putc(m, ',');
1055 		seq_puts(m, CONTEXT_STR);
1056 		rc = show_sid(m, sbsec->mntpoint_sid);
1057 		if (rc)
1058 			return rc;
1059 	}
1060 	if (sbsec->flags & DEFCONTEXT_MNT) {
1061 		seq_putc(m, ',');
1062 		seq_puts(m, DEFCONTEXT_STR);
1063 		rc = show_sid(m, sbsec->def_sid);
1064 		if (rc)
1065 			return rc;
1066 	}
1067 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1068 		struct dentry *root = sb->s_root;
1069 		struct inode_security_struct *isec = backing_inode_security(root);
1070 		seq_putc(m, ',');
1071 		seq_puts(m, ROOTCONTEXT_STR);
1072 		rc = show_sid(m, isec->sid);
1073 		if (rc)
1074 			return rc;
1075 	}
1076 	if (sbsec->flags & SBLABEL_MNT) {
1077 		seq_putc(m, ',');
1078 		seq_puts(m, SECLABEL_STR);
1079 	}
1080 	return 0;
1081 }
1082 
1083 static inline u16 inode_mode_to_security_class(umode_t mode)
1084 {
1085 	switch (mode & S_IFMT) {
1086 	case S_IFSOCK:
1087 		return SECCLASS_SOCK_FILE;
1088 	case S_IFLNK:
1089 		return SECCLASS_LNK_FILE;
1090 	case S_IFREG:
1091 		return SECCLASS_FILE;
1092 	case S_IFBLK:
1093 		return SECCLASS_BLK_FILE;
1094 	case S_IFDIR:
1095 		return SECCLASS_DIR;
1096 	case S_IFCHR:
1097 		return SECCLASS_CHR_FILE;
1098 	case S_IFIFO:
1099 		return SECCLASS_FIFO_FILE;
1100 
1101 	}
1102 
1103 	return SECCLASS_FILE;
1104 }
1105 
1106 static inline int default_protocol_stream(int protocol)
1107 {
1108 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1109 		protocol == IPPROTO_MPTCP);
1110 }
1111 
1112 static inline int default_protocol_dgram(int protocol)
1113 {
1114 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1115 }
1116 
1117 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1118 {
1119 	int extsockclass = selinux_policycap_extsockclass();
1120 
1121 	switch (family) {
1122 	case PF_UNIX:
1123 		switch (type) {
1124 		case SOCK_STREAM:
1125 		case SOCK_SEQPACKET:
1126 			return SECCLASS_UNIX_STREAM_SOCKET;
1127 		case SOCK_DGRAM:
1128 		case SOCK_RAW:
1129 			return SECCLASS_UNIX_DGRAM_SOCKET;
1130 		}
1131 		break;
1132 	case PF_INET:
1133 	case PF_INET6:
1134 		switch (type) {
1135 		case SOCK_STREAM:
1136 		case SOCK_SEQPACKET:
1137 			if (default_protocol_stream(protocol))
1138 				return SECCLASS_TCP_SOCKET;
1139 			else if (extsockclass && protocol == IPPROTO_SCTP)
1140 				return SECCLASS_SCTP_SOCKET;
1141 			else
1142 				return SECCLASS_RAWIP_SOCKET;
1143 		case SOCK_DGRAM:
1144 			if (default_protocol_dgram(protocol))
1145 				return SECCLASS_UDP_SOCKET;
1146 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1147 						  protocol == IPPROTO_ICMPV6))
1148 				return SECCLASS_ICMP_SOCKET;
1149 			else
1150 				return SECCLASS_RAWIP_SOCKET;
1151 		case SOCK_DCCP:
1152 			return SECCLASS_DCCP_SOCKET;
1153 		default:
1154 			return SECCLASS_RAWIP_SOCKET;
1155 		}
1156 		break;
1157 	case PF_NETLINK:
1158 		switch (protocol) {
1159 		case NETLINK_ROUTE:
1160 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1161 		case NETLINK_SOCK_DIAG:
1162 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1163 		case NETLINK_NFLOG:
1164 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1165 		case NETLINK_XFRM:
1166 			return SECCLASS_NETLINK_XFRM_SOCKET;
1167 		case NETLINK_SELINUX:
1168 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1169 		case NETLINK_ISCSI:
1170 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1171 		case NETLINK_AUDIT:
1172 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1173 		case NETLINK_FIB_LOOKUP:
1174 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1175 		case NETLINK_CONNECTOR:
1176 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1177 		case NETLINK_NETFILTER:
1178 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1179 		case NETLINK_DNRTMSG:
1180 			return SECCLASS_NETLINK_DNRT_SOCKET;
1181 		case NETLINK_KOBJECT_UEVENT:
1182 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1183 		case NETLINK_GENERIC:
1184 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1185 		case NETLINK_SCSITRANSPORT:
1186 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1187 		case NETLINK_RDMA:
1188 			return SECCLASS_NETLINK_RDMA_SOCKET;
1189 		case NETLINK_CRYPTO:
1190 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1191 		default:
1192 			return SECCLASS_NETLINK_SOCKET;
1193 		}
1194 	case PF_PACKET:
1195 		return SECCLASS_PACKET_SOCKET;
1196 	case PF_KEY:
1197 		return SECCLASS_KEY_SOCKET;
1198 	case PF_APPLETALK:
1199 		return SECCLASS_APPLETALK_SOCKET;
1200 	}
1201 
1202 	if (extsockclass) {
1203 		switch (family) {
1204 		case PF_AX25:
1205 			return SECCLASS_AX25_SOCKET;
1206 		case PF_IPX:
1207 			return SECCLASS_IPX_SOCKET;
1208 		case PF_NETROM:
1209 			return SECCLASS_NETROM_SOCKET;
1210 		case PF_ATMPVC:
1211 			return SECCLASS_ATMPVC_SOCKET;
1212 		case PF_X25:
1213 			return SECCLASS_X25_SOCKET;
1214 		case PF_ROSE:
1215 			return SECCLASS_ROSE_SOCKET;
1216 		case PF_DECnet:
1217 			return SECCLASS_DECNET_SOCKET;
1218 		case PF_ATMSVC:
1219 			return SECCLASS_ATMSVC_SOCKET;
1220 		case PF_RDS:
1221 			return SECCLASS_RDS_SOCKET;
1222 		case PF_IRDA:
1223 			return SECCLASS_IRDA_SOCKET;
1224 		case PF_PPPOX:
1225 			return SECCLASS_PPPOX_SOCKET;
1226 		case PF_LLC:
1227 			return SECCLASS_LLC_SOCKET;
1228 		case PF_CAN:
1229 			return SECCLASS_CAN_SOCKET;
1230 		case PF_TIPC:
1231 			return SECCLASS_TIPC_SOCKET;
1232 		case PF_BLUETOOTH:
1233 			return SECCLASS_BLUETOOTH_SOCKET;
1234 		case PF_IUCV:
1235 			return SECCLASS_IUCV_SOCKET;
1236 		case PF_RXRPC:
1237 			return SECCLASS_RXRPC_SOCKET;
1238 		case PF_ISDN:
1239 			return SECCLASS_ISDN_SOCKET;
1240 		case PF_PHONET:
1241 			return SECCLASS_PHONET_SOCKET;
1242 		case PF_IEEE802154:
1243 			return SECCLASS_IEEE802154_SOCKET;
1244 		case PF_CAIF:
1245 			return SECCLASS_CAIF_SOCKET;
1246 		case PF_ALG:
1247 			return SECCLASS_ALG_SOCKET;
1248 		case PF_NFC:
1249 			return SECCLASS_NFC_SOCKET;
1250 		case PF_VSOCK:
1251 			return SECCLASS_VSOCK_SOCKET;
1252 		case PF_KCM:
1253 			return SECCLASS_KCM_SOCKET;
1254 		case PF_QIPCRTR:
1255 			return SECCLASS_QIPCRTR_SOCKET;
1256 		case PF_SMC:
1257 			return SECCLASS_SMC_SOCKET;
1258 		case PF_XDP:
1259 			return SECCLASS_XDP_SOCKET;
1260 		case PF_MCTP:
1261 			return SECCLASS_MCTP_SOCKET;
1262 #if PF_MAX > 46
1263 #error New address family defined, please update this function.
1264 #endif
1265 		}
1266 	}
1267 
1268 	return SECCLASS_SOCKET;
1269 }
1270 
1271 static int selinux_genfs_get_sid(struct dentry *dentry,
1272 				 u16 tclass,
1273 				 u16 flags,
1274 				 u32 *sid)
1275 {
1276 	int rc;
1277 	struct super_block *sb = dentry->d_sb;
1278 	char *buffer, *path;
1279 
1280 	buffer = (char *)__get_free_page(GFP_KERNEL);
1281 	if (!buffer)
1282 		return -ENOMEM;
1283 
1284 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1285 	if (IS_ERR(path))
1286 		rc = PTR_ERR(path);
1287 	else {
1288 		if (flags & SE_SBPROC) {
1289 			/* each process gets a /proc/PID/ entry. Strip off the
1290 			 * PID part to get a valid selinux labeling.
1291 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1292 			while (path[1] >= '0' && path[1] <= '9') {
1293 				path[1] = '/';
1294 				path++;
1295 			}
1296 		}
1297 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1298 					path, tclass, sid);
1299 		if (rc == -ENOENT) {
1300 			/* No match in policy, mark as unlabeled. */
1301 			*sid = SECINITSID_UNLABELED;
1302 			rc = 0;
1303 		}
1304 	}
1305 	free_page((unsigned long)buffer);
1306 	return rc;
1307 }
1308 
1309 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1310 				  u32 def_sid, u32 *sid)
1311 {
1312 #define INITCONTEXTLEN 255
1313 	char *context;
1314 	unsigned int len;
1315 	int rc;
1316 
1317 	len = INITCONTEXTLEN;
1318 	context = kmalloc(len + 1, GFP_NOFS);
1319 	if (!context)
1320 		return -ENOMEM;
1321 
1322 	context[len] = '\0';
1323 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1324 	if (rc == -ERANGE) {
1325 		kfree(context);
1326 
1327 		/* Need a larger buffer.  Query for the right size. */
1328 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1329 		if (rc < 0)
1330 			return rc;
1331 
1332 		len = rc;
1333 		context = kmalloc(len + 1, GFP_NOFS);
1334 		if (!context)
1335 			return -ENOMEM;
1336 
1337 		context[len] = '\0';
1338 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1339 				    context, len);
1340 	}
1341 	if (rc < 0) {
1342 		kfree(context);
1343 		if (rc != -ENODATA) {
1344 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1345 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1346 			return rc;
1347 		}
1348 		*sid = def_sid;
1349 		return 0;
1350 	}
1351 
1352 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1353 					     def_sid, GFP_NOFS);
1354 	if (rc) {
1355 		char *dev = inode->i_sb->s_id;
1356 		unsigned long ino = inode->i_ino;
1357 
1358 		if (rc == -EINVAL) {
1359 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1360 					      ino, dev, context);
1361 		} else {
1362 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1363 				__func__, context, -rc, dev, ino);
1364 		}
1365 	}
1366 	kfree(context);
1367 	return 0;
1368 }
1369 
1370 /* The inode's security attributes must be initialized before first use. */
1371 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1372 {
1373 	struct superblock_security_struct *sbsec = NULL;
1374 	struct inode_security_struct *isec = selinux_inode(inode);
1375 	u32 task_sid, sid = 0;
1376 	u16 sclass;
1377 	struct dentry *dentry;
1378 	int rc = 0;
1379 
1380 	if (isec->initialized == LABEL_INITIALIZED)
1381 		return 0;
1382 
1383 	spin_lock(&isec->lock);
1384 	if (isec->initialized == LABEL_INITIALIZED)
1385 		goto out_unlock;
1386 
1387 	if (isec->sclass == SECCLASS_FILE)
1388 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1389 
1390 	sbsec = selinux_superblock(inode->i_sb);
1391 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1392 		/* Defer initialization until selinux_complete_init,
1393 		   after the initial policy is loaded and the security
1394 		   server is ready to handle calls. */
1395 		spin_lock(&sbsec->isec_lock);
1396 		if (list_empty(&isec->list))
1397 			list_add(&isec->list, &sbsec->isec_head);
1398 		spin_unlock(&sbsec->isec_lock);
1399 		goto out_unlock;
1400 	}
1401 
1402 	sclass = isec->sclass;
1403 	task_sid = isec->task_sid;
1404 	sid = isec->sid;
1405 	isec->initialized = LABEL_PENDING;
1406 	spin_unlock(&isec->lock);
1407 
1408 	switch (sbsec->behavior) {
1409 	case SECURITY_FS_USE_NATIVE:
1410 		break;
1411 	case SECURITY_FS_USE_XATTR:
1412 		if (!(inode->i_opflags & IOP_XATTR)) {
1413 			sid = sbsec->def_sid;
1414 			break;
1415 		}
1416 		/* Need a dentry, since the xattr API requires one.
1417 		   Life would be simpler if we could just pass the inode. */
1418 		if (opt_dentry) {
1419 			/* Called from d_instantiate or d_splice_alias. */
1420 			dentry = dget(opt_dentry);
1421 		} else {
1422 			/*
1423 			 * Called from selinux_complete_init, try to find a dentry.
1424 			 * Some filesystems really want a connected one, so try
1425 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1426 			 * two, depending upon that...
1427 			 */
1428 			dentry = d_find_alias(inode);
1429 			if (!dentry)
1430 				dentry = d_find_any_alias(inode);
1431 		}
1432 		if (!dentry) {
1433 			/*
1434 			 * this is can be hit on boot when a file is accessed
1435 			 * before the policy is loaded.  When we load policy we
1436 			 * may find inodes that have no dentry on the
1437 			 * sbsec->isec_head list.  No reason to complain as these
1438 			 * will get fixed up the next time we go through
1439 			 * inode_doinit with a dentry, before these inodes could
1440 			 * be used again by userspace.
1441 			 */
1442 			goto out_invalid;
1443 		}
1444 
1445 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1446 					    &sid);
1447 		dput(dentry);
1448 		if (rc)
1449 			goto out;
1450 		break;
1451 	case SECURITY_FS_USE_TASK:
1452 		sid = task_sid;
1453 		break;
1454 	case SECURITY_FS_USE_TRANS:
1455 		/* Default to the fs SID. */
1456 		sid = sbsec->sid;
1457 
1458 		/* Try to obtain a transition SID. */
1459 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1460 					     sclass, NULL, &sid);
1461 		if (rc)
1462 			goto out;
1463 		break;
1464 	case SECURITY_FS_USE_MNTPOINT:
1465 		sid = sbsec->mntpoint_sid;
1466 		break;
1467 	default:
1468 		/* Default to the fs superblock SID. */
1469 		sid = sbsec->sid;
1470 
1471 		if ((sbsec->flags & SE_SBGENFS) &&
1472 		     (!S_ISLNK(inode->i_mode) ||
1473 		      selinux_policycap_genfs_seclabel_symlinks())) {
1474 			/* We must have a dentry to determine the label on
1475 			 * procfs inodes */
1476 			if (opt_dentry) {
1477 				/* Called from d_instantiate or
1478 				 * d_splice_alias. */
1479 				dentry = dget(opt_dentry);
1480 			} else {
1481 				/* Called from selinux_complete_init, try to
1482 				 * find a dentry.  Some filesystems really want
1483 				 * a connected one, so try that first.
1484 				 */
1485 				dentry = d_find_alias(inode);
1486 				if (!dentry)
1487 					dentry = d_find_any_alias(inode);
1488 			}
1489 			/*
1490 			 * This can be hit on boot when a file is accessed
1491 			 * before the policy is loaded.  When we load policy we
1492 			 * may find inodes that have no dentry on the
1493 			 * sbsec->isec_head list.  No reason to complain as
1494 			 * these will get fixed up the next time we go through
1495 			 * inode_doinit() with a dentry, before these inodes
1496 			 * could be used again by userspace.
1497 			 */
1498 			if (!dentry)
1499 				goto out_invalid;
1500 			rc = selinux_genfs_get_sid(dentry, sclass,
1501 						   sbsec->flags, &sid);
1502 			if (rc) {
1503 				dput(dentry);
1504 				goto out;
1505 			}
1506 
1507 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1508 			    (inode->i_opflags & IOP_XATTR)) {
1509 				rc = inode_doinit_use_xattr(inode, dentry,
1510 							    sid, &sid);
1511 				if (rc) {
1512 					dput(dentry);
1513 					goto out;
1514 				}
1515 			}
1516 			dput(dentry);
1517 		}
1518 		break;
1519 	}
1520 
1521 out:
1522 	spin_lock(&isec->lock);
1523 	if (isec->initialized == LABEL_PENDING) {
1524 		if (rc) {
1525 			isec->initialized = LABEL_INVALID;
1526 			goto out_unlock;
1527 		}
1528 		isec->initialized = LABEL_INITIALIZED;
1529 		isec->sid = sid;
1530 	}
1531 
1532 out_unlock:
1533 	spin_unlock(&isec->lock);
1534 	return rc;
1535 
1536 out_invalid:
1537 	spin_lock(&isec->lock);
1538 	if (isec->initialized == LABEL_PENDING) {
1539 		isec->initialized = LABEL_INVALID;
1540 		isec->sid = sid;
1541 	}
1542 	spin_unlock(&isec->lock);
1543 	return 0;
1544 }
1545 
1546 /* Convert a Linux signal to an access vector. */
1547 static inline u32 signal_to_av(int sig)
1548 {
1549 	u32 perm = 0;
1550 
1551 	switch (sig) {
1552 	case SIGCHLD:
1553 		/* Commonly granted from child to parent. */
1554 		perm = PROCESS__SIGCHLD;
1555 		break;
1556 	case SIGKILL:
1557 		/* Cannot be caught or ignored */
1558 		perm = PROCESS__SIGKILL;
1559 		break;
1560 	case SIGSTOP:
1561 		/* Cannot be caught or ignored */
1562 		perm = PROCESS__SIGSTOP;
1563 		break;
1564 	default:
1565 		/* All other signals. */
1566 		perm = PROCESS__SIGNAL;
1567 		break;
1568 	}
1569 
1570 	return perm;
1571 }
1572 
1573 #if CAP_LAST_CAP > 63
1574 #error Fix SELinux to handle capabilities > 63.
1575 #endif
1576 
1577 /* Check whether a task is allowed to use a capability. */
1578 static int cred_has_capability(const struct cred *cred,
1579 			       int cap, unsigned int opts, bool initns)
1580 {
1581 	struct common_audit_data ad;
1582 	struct av_decision avd;
1583 	u16 sclass;
1584 	u32 sid = cred_sid(cred);
1585 	u32 av = CAP_TO_MASK(cap);
1586 	int rc;
1587 
1588 	ad.type = LSM_AUDIT_DATA_CAP;
1589 	ad.u.cap = cap;
1590 
1591 	switch (CAP_TO_INDEX(cap)) {
1592 	case 0:
1593 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1594 		break;
1595 	case 1:
1596 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1597 		break;
1598 	default:
1599 		pr_err("SELinux:  out of range capability %d\n", cap);
1600 		BUG();
1601 		return -EINVAL;
1602 	}
1603 
1604 	rc = avc_has_perm_noaudit(&selinux_state,
1605 				  sid, sid, sclass, av, 0, &avd);
1606 	if (!(opts & CAP_OPT_NOAUDIT)) {
1607 		int rc2 = avc_audit(&selinux_state,
1608 				    sid, sid, sclass, av, &avd, rc, &ad);
1609 		if (rc2)
1610 			return rc2;
1611 	}
1612 	return rc;
1613 }
1614 
1615 /* Check whether a task has a particular permission to an inode.
1616    The 'adp' parameter is optional and allows other audit
1617    data to be passed (e.g. the dentry). */
1618 static int inode_has_perm(const struct cred *cred,
1619 			  struct inode *inode,
1620 			  u32 perms,
1621 			  struct common_audit_data *adp)
1622 {
1623 	struct inode_security_struct *isec;
1624 	u32 sid;
1625 
1626 	validate_creds(cred);
1627 
1628 	if (unlikely(IS_PRIVATE(inode)))
1629 		return 0;
1630 
1631 	sid = cred_sid(cred);
1632 	isec = selinux_inode(inode);
1633 
1634 	return avc_has_perm(&selinux_state,
1635 			    sid, isec->sid, isec->sclass, perms, adp);
1636 }
1637 
1638 /* Same as inode_has_perm, but pass explicit audit data containing
1639    the dentry to help the auditing code to more easily generate the
1640    pathname if needed. */
1641 static inline int dentry_has_perm(const struct cred *cred,
1642 				  struct dentry *dentry,
1643 				  u32 av)
1644 {
1645 	struct inode *inode = d_backing_inode(dentry);
1646 	struct common_audit_data ad;
1647 
1648 	ad.type = LSM_AUDIT_DATA_DENTRY;
1649 	ad.u.dentry = dentry;
1650 	__inode_security_revalidate(inode, dentry, true);
1651 	return inode_has_perm(cred, inode, av, &ad);
1652 }
1653 
1654 /* Same as inode_has_perm, but pass explicit audit data containing
1655    the path to help the auditing code to more easily generate the
1656    pathname if needed. */
1657 static inline int path_has_perm(const struct cred *cred,
1658 				const struct path *path,
1659 				u32 av)
1660 {
1661 	struct inode *inode = d_backing_inode(path->dentry);
1662 	struct common_audit_data ad;
1663 
1664 	ad.type = LSM_AUDIT_DATA_PATH;
1665 	ad.u.path = *path;
1666 	__inode_security_revalidate(inode, path->dentry, true);
1667 	return inode_has_perm(cred, inode, av, &ad);
1668 }
1669 
1670 /* Same as path_has_perm, but uses the inode from the file struct. */
1671 static inline int file_path_has_perm(const struct cred *cred,
1672 				     struct file *file,
1673 				     u32 av)
1674 {
1675 	struct common_audit_data ad;
1676 
1677 	ad.type = LSM_AUDIT_DATA_FILE;
1678 	ad.u.file = file;
1679 	return inode_has_perm(cred, file_inode(file), av, &ad);
1680 }
1681 
1682 #ifdef CONFIG_BPF_SYSCALL
1683 static int bpf_fd_pass(struct file *file, u32 sid);
1684 #endif
1685 
1686 /* Check whether a task can use an open file descriptor to
1687    access an inode in a given way.  Check access to the
1688    descriptor itself, and then use dentry_has_perm to
1689    check a particular permission to the file.
1690    Access to the descriptor is implicitly granted if it
1691    has the same SID as the process.  If av is zero, then
1692    access to the file is not checked, e.g. for cases
1693    where only the descriptor is affected like seek. */
1694 static int file_has_perm(const struct cred *cred,
1695 			 struct file *file,
1696 			 u32 av)
1697 {
1698 	struct file_security_struct *fsec = selinux_file(file);
1699 	struct inode *inode = file_inode(file);
1700 	struct common_audit_data ad;
1701 	u32 sid = cred_sid(cred);
1702 	int rc;
1703 
1704 	ad.type = LSM_AUDIT_DATA_FILE;
1705 	ad.u.file = file;
1706 
1707 	if (sid != fsec->sid) {
1708 		rc = avc_has_perm(&selinux_state,
1709 				  sid, fsec->sid,
1710 				  SECCLASS_FD,
1711 				  FD__USE,
1712 				  &ad);
1713 		if (rc)
1714 			goto out;
1715 	}
1716 
1717 #ifdef CONFIG_BPF_SYSCALL
1718 	rc = bpf_fd_pass(file, cred_sid(cred));
1719 	if (rc)
1720 		return rc;
1721 #endif
1722 
1723 	/* av is zero if only checking access to the descriptor. */
1724 	rc = 0;
1725 	if (av)
1726 		rc = inode_has_perm(cred, inode, av, &ad);
1727 
1728 out:
1729 	return rc;
1730 }
1731 
1732 /*
1733  * Determine the label for an inode that might be unioned.
1734  */
1735 static int
1736 selinux_determine_inode_label(const struct task_security_struct *tsec,
1737 				 struct inode *dir,
1738 				 const struct qstr *name, u16 tclass,
1739 				 u32 *_new_isid)
1740 {
1741 	const struct superblock_security_struct *sbsec =
1742 						selinux_superblock(dir->i_sb);
1743 
1744 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1745 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1746 		*_new_isid = sbsec->mntpoint_sid;
1747 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1748 		   tsec->create_sid) {
1749 		*_new_isid = tsec->create_sid;
1750 	} else {
1751 		const struct inode_security_struct *dsec = inode_security(dir);
1752 		return security_transition_sid(&selinux_state, tsec->sid,
1753 					       dsec->sid, tclass,
1754 					       name, _new_isid);
1755 	}
1756 
1757 	return 0;
1758 }
1759 
1760 /* Check whether a task can create a file. */
1761 static int may_create(struct inode *dir,
1762 		      struct dentry *dentry,
1763 		      u16 tclass)
1764 {
1765 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1766 	struct inode_security_struct *dsec;
1767 	struct superblock_security_struct *sbsec;
1768 	u32 sid, newsid;
1769 	struct common_audit_data ad;
1770 	int rc;
1771 
1772 	dsec = inode_security(dir);
1773 	sbsec = selinux_superblock(dir->i_sb);
1774 
1775 	sid = tsec->sid;
1776 
1777 	ad.type = LSM_AUDIT_DATA_DENTRY;
1778 	ad.u.dentry = dentry;
1779 
1780 	rc = avc_has_perm(&selinux_state,
1781 			  sid, dsec->sid, SECCLASS_DIR,
1782 			  DIR__ADD_NAME | DIR__SEARCH,
1783 			  &ad);
1784 	if (rc)
1785 		return rc;
1786 
1787 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1788 					   &newsid);
1789 	if (rc)
1790 		return rc;
1791 
1792 	rc = avc_has_perm(&selinux_state,
1793 			  sid, newsid, tclass, FILE__CREATE, &ad);
1794 	if (rc)
1795 		return rc;
1796 
1797 	return avc_has_perm(&selinux_state,
1798 			    newsid, sbsec->sid,
1799 			    SECCLASS_FILESYSTEM,
1800 			    FILESYSTEM__ASSOCIATE, &ad);
1801 }
1802 
1803 #define MAY_LINK	0
1804 #define MAY_UNLINK	1
1805 #define MAY_RMDIR	2
1806 
1807 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1808 static int may_link(struct inode *dir,
1809 		    struct dentry *dentry,
1810 		    int kind)
1811 
1812 {
1813 	struct inode_security_struct *dsec, *isec;
1814 	struct common_audit_data ad;
1815 	u32 sid = current_sid();
1816 	u32 av;
1817 	int rc;
1818 
1819 	dsec = inode_security(dir);
1820 	isec = backing_inode_security(dentry);
1821 
1822 	ad.type = LSM_AUDIT_DATA_DENTRY;
1823 	ad.u.dentry = dentry;
1824 
1825 	av = DIR__SEARCH;
1826 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1827 	rc = avc_has_perm(&selinux_state,
1828 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1829 	if (rc)
1830 		return rc;
1831 
1832 	switch (kind) {
1833 	case MAY_LINK:
1834 		av = FILE__LINK;
1835 		break;
1836 	case MAY_UNLINK:
1837 		av = FILE__UNLINK;
1838 		break;
1839 	case MAY_RMDIR:
1840 		av = DIR__RMDIR;
1841 		break;
1842 	default:
1843 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1844 			__func__, kind);
1845 		return 0;
1846 	}
1847 
1848 	rc = avc_has_perm(&selinux_state,
1849 			  sid, isec->sid, isec->sclass, av, &ad);
1850 	return rc;
1851 }
1852 
1853 static inline int may_rename(struct inode *old_dir,
1854 			     struct dentry *old_dentry,
1855 			     struct inode *new_dir,
1856 			     struct dentry *new_dentry)
1857 {
1858 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1859 	struct common_audit_data ad;
1860 	u32 sid = current_sid();
1861 	u32 av;
1862 	int old_is_dir, new_is_dir;
1863 	int rc;
1864 
1865 	old_dsec = inode_security(old_dir);
1866 	old_isec = backing_inode_security(old_dentry);
1867 	old_is_dir = d_is_dir(old_dentry);
1868 	new_dsec = inode_security(new_dir);
1869 
1870 	ad.type = LSM_AUDIT_DATA_DENTRY;
1871 
1872 	ad.u.dentry = old_dentry;
1873 	rc = avc_has_perm(&selinux_state,
1874 			  sid, old_dsec->sid, SECCLASS_DIR,
1875 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1876 	if (rc)
1877 		return rc;
1878 	rc = avc_has_perm(&selinux_state,
1879 			  sid, old_isec->sid,
1880 			  old_isec->sclass, FILE__RENAME, &ad);
1881 	if (rc)
1882 		return rc;
1883 	if (old_is_dir && new_dir != old_dir) {
1884 		rc = avc_has_perm(&selinux_state,
1885 				  sid, old_isec->sid,
1886 				  old_isec->sclass, DIR__REPARENT, &ad);
1887 		if (rc)
1888 			return rc;
1889 	}
1890 
1891 	ad.u.dentry = new_dentry;
1892 	av = DIR__ADD_NAME | DIR__SEARCH;
1893 	if (d_is_positive(new_dentry))
1894 		av |= DIR__REMOVE_NAME;
1895 	rc = avc_has_perm(&selinux_state,
1896 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1897 	if (rc)
1898 		return rc;
1899 	if (d_is_positive(new_dentry)) {
1900 		new_isec = backing_inode_security(new_dentry);
1901 		new_is_dir = d_is_dir(new_dentry);
1902 		rc = avc_has_perm(&selinux_state,
1903 				  sid, new_isec->sid,
1904 				  new_isec->sclass,
1905 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1906 		if (rc)
1907 			return rc;
1908 	}
1909 
1910 	return 0;
1911 }
1912 
1913 /* Check whether a task can perform a filesystem operation. */
1914 static int superblock_has_perm(const struct cred *cred,
1915 			       struct super_block *sb,
1916 			       u32 perms,
1917 			       struct common_audit_data *ad)
1918 {
1919 	struct superblock_security_struct *sbsec;
1920 	u32 sid = cred_sid(cred);
1921 
1922 	sbsec = selinux_superblock(sb);
1923 	return avc_has_perm(&selinux_state,
1924 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1925 }
1926 
1927 /* Convert a Linux mode and permission mask to an access vector. */
1928 static inline u32 file_mask_to_av(int mode, int mask)
1929 {
1930 	u32 av = 0;
1931 
1932 	if (!S_ISDIR(mode)) {
1933 		if (mask & MAY_EXEC)
1934 			av |= FILE__EXECUTE;
1935 		if (mask & MAY_READ)
1936 			av |= FILE__READ;
1937 
1938 		if (mask & MAY_APPEND)
1939 			av |= FILE__APPEND;
1940 		else if (mask & MAY_WRITE)
1941 			av |= FILE__WRITE;
1942 
1943 	} else {
1944 		if (mask & MAY_EXEC)
1945 			av |= DIR__SEARCH;
1946 		if (mask & MAY_WRITE)
1947 			av |= DIR__WRITE;
1948 		if (mask & MAY_READ)
1949 			av |= DIR__READ;
1950 	}
1951 
1952 	return av;
1953 }
1954 
1955 /* Convert a Linux file to an access vector. */
1956 static inline u32 file_to_av(struct file *file)
1957 {
1958 	u32 av = 0;
1959 
1960 	if (file->f_mode & FMODE_READ)
1961 		av |= FILE__READ;
1962 	if (file->f_mode & FMODE_WRITE) {
1963 		if (file->f_flags & O_APPEND)
1964 			av |= FILE__APPEND;
1965 		else
1966 			av |= FILE__WRITE;
1967 	}
1968 	if (!av) {
1969 		/*
1970 		 * Special file opened with flags 3 for ioctl-only use.
1971 		 */
1972 		av = FILE__IOCTL;
1973 	}
1974 
1975 	return av;
1976 }
1977 
1978 /*
1979  * Convert a file to an access vector and include the correct
1980  * open permission.
1981  */
1982 static inline u32 open_file_to_av(struct file *file)
1983 {
1984 	u32 av = file_to_av(file);
1985 	struct inode *inode = file_inode(file);
1986 
1987 	if (selinux_policycap_openperm() &&
1988 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1989 		av |= FILE__OPEN;
1990 
1991 	return av;
1992 }
1993 
1994 /* Hook functions begin here. */
1995 
1996 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1997 {
1998 	return avc_has_perm(&selinux_state,
1999 			    current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2000 			    BINDER__SET_CONTEXT_MGR, NULL);
2001 }
2002 
2003 static int selinux_binder_transaction(const struct cred *from,
2004 				      const struct cred *to)
2005 {
2006 	u32 mysid = current_sid();
2007 	u32 fromsid = cred_sid(from);
2008 	u32 tosid = cred_sid(to);
2009 	int rc;
2010 
2011 	if (mysid != fromsid) {
2012 		rc = avc_has_perm(&selinux_state,
2013 				  mysid, fromsid, SECCLASS_BINDER,
2014 				  BINDER__IMPERSONATE, NULL);
2015 		if (rc)
2016 			return rc;
2017 	}
2018 
2019 	return avc_has_perm(&selinux_state, fromsid, tosid,
2020 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2021 }
2022 
2023 static int selinux_binder_transfer_binder(const struct cred *from,
2024 					  const struct cred *to)
2025 {
2026 	return avc_has_perm(&selinux_state,
2027 			    cred_sid(from), cred_sid(to),
2028 			    SECCLASS_BINDER, BINDER__TRANSFER,
2029 			    NULL);
2030 }
2031 
2032 static int selinux_binder_transfer_file(const struct cred *from,
2033 					const struct cred *to,
2034 					struct file *file)
2035 {
2036 	u32 sid = cred_sid(to);
2037 	struct file_security_struct *fsec = selinux_file(file);
2038 	struct dentry *dentry = file->f_path.dentry;
2039 	struct inode_security_struct *isec;
2040 	struct common_audit_data ad;
2041 	int rc;
2042 
2043 	ad.type = LSM_AUDIT_DATA_PATH;
2044 	ad.u.path = file->f_path;
2045 
2046 	if (sid != fsec->sid) {
2047 		rc = avc_has_perm(&selinux_state,
2048 				  sid, fsec->sid,
2049 				  SECCLASS_FD,
2050 				  FD__USE,
2051 				  &ad);
2052 		if (rc)
2053 			return rc;
2054 	}
2055 
2056 #ifdef CONFIG_BPF_SYSCALL
2057 	rc = bpf_fd_pass(file, sid);
2058 	if (rc)
2059 		return rc;
2060 #endif
2061 
2062 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2063 		return 0;
2064 
2065 	isec = backing_inode_security(dentry);
2066 	return avc_has_perm(&selinux_state,
2067 			    sid, isec->sid, isec->sclass, file_to_av(file),
2068 			    &ad);
2069 }
2070 
2071 static int selinux_ptrace_access_check(struct task_struct *child,
2072 				       unsigned int mode)
2073 {
2074 	u32 sid = current_sid();
2075 	u32 csid = task_sid_obj(child);
2076 
2077 	if (mode & PTRACE_MODE_READ)
2078 		return avc_has_perm(&selinux_state,
2079 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2080 
2081 	return avc_has_perm(&selinux_state,
2082 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2083 }
2084 
2085 static int selinux_ptrace_traceme(struct task_struct *parent)
2086 {
2087 	return avc_has_perm(&selinux_state,
2088 			    task_sid_obj(parent), task_sid_obj(current),
2089 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2090 }
2091 
2092 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2093 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2094 {
2095 	return avc_has_perm(&selinux_state,
2096 			    current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2097 			    PROCESS__GETCAP, NULL);
2098 }
2099 
2100 static int selinux_capset(struct cred *new, const struct cred *old,
2101 			  const kernel_cap_t *effective,
2102 			  const kernel_cap_t *inheritable,
2103 			  const kernel_cap_t *permitted)
2104 {
2105 	return avc_has_perm(&selinux_state,
2106 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2107 			    PROCESS__SETCAP, NULL);
2108 }
2109 
2110 /*
2111  * (This comment used to live with the selinux_task_setuid hook,
2112  * which was removed).
2113  *
2114  * Since setuid only affects the current process, and since the SELinux
2115  * controls are not based on the Linux identity attributes, SELinux does not
2116  * need to control this operation.  However, SELinux does control the use of
2117  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2118  */
2119 
2120 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2121 			   int cap, unsigned int opts)
2122 {
2123 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2124 }
2125 
2126 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2127 {
2128 	const struct cred *cred = current_cred();
2129 	int rc = 0;
2130 
2131 	if (!sb)
2132 		return 0;
2133 
2134 	switch (cmds) {
2135 	case Q_SYNC:
2136 	case Q_QUOTAON:
2137 	case Q_QUOTAOFF:
2138 	case Q_SETINFO:
2139 	case Q_SETQUOTA:
2140 	case Q_XQUOTAOFF:
2141 	case Q_XQUOTAON:
2142 	case Q_XSETQLIM:
2143 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2144 		break;
2145 	case Q_GETFMT:
2146 	case Q_GETINFO:
2147 	case Q_GETQUOTA:
2148 	case Q_XGETQUOTA:
2149 	case Q_XGETQSTAT:
2150 	case Q_XGETQSTATV:
2151 	case Q_XGETNEXTQUOTA:
2152 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2153 		break;
2154 	default:
2155 		rc = 0;  /* let the kernel handle invalid cmds */
2156 		break;
2157 	}
2158 	return rc;
2159 }
2160 
2161 static int selinux_quota_on(struct dentry *dentry)
2162 {
2163 	const struct cred *cred = current_cred();
2164 
2165 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2166 }
2167 
2168 static int selinux_syslog(int type)
2169 {
2170 	switch (type) {
2171 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2172 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2173 		return avc_has_perm(&selinux_state,
2174 				    current_sid(), SECINITSID_KERNEL,
2175 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2176 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2177 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2178 	/* Set level of messages printed to console */
2179 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2180 		return avc_has_perm(&selinux_state,
2181 				    current_sid(), SECINITSID_KERNEL,
2182 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2183 				    NULL);
2184 	}
2185 	/* All other syslog types */
2186 	return avc_has_perm(&selinux_state,
2187 			    current_sid(), SECINITSID_KERNEL,
2188 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2189 }
2190 
2191 /*
2192  * Check that a process has enough memory to allocate a new virtual
2193  * mapping. 0 means there is enough memory for the allocation to
2194  * succeed and -ENOMEM implies there is not.
2195  *
2196  * Do not audit the selinux permission check, as this is applied to all
2197  * processes that allocate mappings.
2198  */
2199 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2200 {
2201 	int rc, cap_sys_admin = 0;
2202 
2203 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2204 				 CAP_OPT_NOAUDIT, true);
2205 	if (rc == 0)
2206 		cap_sys_admin = 1;
2207 
2208 	return cap_sys_admin;
2209 }
2210 
2211 /* binprm security operations */
2212 
2213 static u32 ptrace_parent_sid(void)
2214 {
2215 	u32 sid = 0;
2216 	struct task_struct *tracer;
2217 
2218 	rcu_read_lock();
2219 	tracer = ptrace_parent(current);
2220 	if (tracer)
2221 		sid = task_sid_obj(tracer);
2222 	rcu_read_unlock();
2223 
2224 	return sid;
2225 }
2226 
2227 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2228 			    const struct task_security_struct *old_tsec,
2229 			    const struct task_security_struct *new_tsec)
2230 {
2231 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2232 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2233 	int rc;
2234 	u32 av;
2235 
2236 	if (!nnp && !nosuid)
2237 		return 0; /* neither NNP nor nosuid */
2238 
2239 	if (new_tsec->sid == old_tsec->sid)
2240 		return 0; /* No change in credentials */
2241 
2242 	/*
2243 	 * If the policy enables the nnp_nosuid_transition policy capability,
2244 	 * then we permit transitions under NNP or nosuid if the
2245 	 * policy allows the corresponding permission between
2246 	 * the old and new contexts.
2247 	 */
2248 	if (selinux_policycap_nnp_nosuid_transition()) {
2249 		av = 0;
2250 		if (nnp)
2251 			av |= PROCESS2__NNP_TRANSITION;
2252 		if (nosuid)
2253 			av |= PROCESS2__NOSUID_TRANSITION;
2254 		rc = avc_has_perm(&selinux_state,
2255 				  old_tsec->sid, new_tsec->sid,
2256 				  SECCLASS_PROCESS2, av, NULL);
2257 		if (!rc)
2258 			return 0;
2259 	}
2260 
2261 	/*
2262 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2263 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2264 	 * of the permissions of the current SID.
2265 	 */
2266 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2267 					 new_tsec->sid);
2268 	if (!rc)
2269 		return 0;
2270 
2271 	/*
2272 	 * On failure, preserve the errno values for NNP vs nosuid.
2273 	 * NNP:  Operation not permitted for caller.
2274 	 * nosuid:  Permission denied to file.
2275 	 */
2276 	if (nnp)
2277 		return -EPERM;
2278 	return -EACCES;
2279 }
2280 
2281 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2282 {
2283 	const struct task_security_struct *old_tsec;
2284 	struct task_security_struct *new_tsec;
2285 	struct inode_security_struct *isec;
2286 	struct common_audit_data ad;
2287 	struct inode *inode = file_inode(bprm->file);
2288 	int rc;
2289 
2290 	/* SELinux context only depends on initial program or script and not
2291 	 * the script interpreter */
2292 
2293 	old_tsec = selinux_cred(current_cred());
2294 	new_tsec = selinux_cred(bprm->cred);
2295 	isec = inode_security(inode);
2296 
2297 	/* Default to the current task SID. */
2298 	new_tsec->sid = old_tsec->sid;
2299 	new_tsec->osid = old_tsec->sid;
2300 
2301 	/* Reset fs, key, and sock SIDs on execve. */
2302 	new_tsec->create_sid = 0;
2303 	new_tsec->keycreate_sid = 0;
2304 	new_tsec->sockcreate_sid = 0;
2305 
2306 	if (old_tsec->exec_sid) {
2307 		new_tsec->sid = old_tsec->exec_sid;
2308 		/* Reset exec SID on execve. */
2309 		new_tsec->exec_sid = 0;
2310 
2311 		/* Fail on NNP or nosuid if not an allowed transition. */
2312 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2313 		if (rc)
2314 			return rc;
2315 	} else {
2316 		/* Check for a default transition on this program. */
2317 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2318 					     isec->sid, SECCLASS_PROCESS, NULL,
2319 					     &new_tsec->sid);
2320 		if (rc)
2321 			return rc;
2322 
2323 		/*
2324 		 * Fallback to old SID on NNP or nosuid if not an allowed
2325 		 * transition.
2326 		 */
2327 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2328 		if (rc)
2329 			new_tsec->sid = old_tsec->sid;
2330 	}
2331 
2332 	ad.type = LSM_AUDIT_DATA_FILE;
2333 	ad.u.file = bprm->file;
2334 
2335 	if (new_tsec->sid == old_tsec->sid) {
2336 		rc = avc_has_perm(&selinux_state,
2337 				  old_tsec->sid, isec->sid,
2338 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2339 		if (rc)
2340 			return rc;
2341 	} else {
2342 		/* Check permissions for the transition. */
2343 		rc = avc_has_perm(&selinux_state,
2344 				  old_tsec->sid, new_tsec->sid,
2345 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2346 		if (rc)
2347 			return rc;
2348 
2349 		rc = avc_has_perm(&selinux_state,
2350 				  new_tsec->sid, isec->sid,
2351 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2352 		if (rc)
2353 			return rc;
2354 
2355 		/* Check for shared state */
2356 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2357 			rc = avc_has_perm(&selinux_state,
2358 					  old_tsec->sid, new_tsec->sid,
2359 					  SECCLASS_PROCESS, PROCESS__SHARE,
2360 					  NULL);
2361 			if (rc)
2362 				return -EPERM;
2363 		}
2364 
2365 		/* Make sure that anyone attempting to ptrace over a task that
2366 		 * changes its SID has the appropriate permit */
2367 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2368 			u32 ptsid = ptrace_parent_sid();
2369 			if (ptsid != 0) {
2370 				rc = avc_has_perm(&selinux_state,
2371 						  ptsid, new_tsec->sid,
2372 						  SECCLASS_PROCESS,
2373 						  PROCESS__PTRACE, NULL);
2374 				if (rc)
2375 					return -EPERM;
2376 			}
2377 		}
2378 
2379 		/* Clear any possibly unsafe personality bits on exec: */
2380 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2381 
2382 		/* Enable secure mode for SIDs transitions unless
2383 		   the noatsecure permission is granted between
2384 		   the two SIDs, i.e. ahp returns 0. */
2385 		rc = avc_has_perm(&selinux_state,
2386 				  old_tsec->sid, new_tsec->sid,
2387 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2388 				  NULL);
2389 		bprm->secureexec |= !!rc;
2390 	}
2391 
2392 	return 0;
2393 }
2394 
2395 static int match_file(const void *p, struct file *file, unsigned fd)
2396 {
2397 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2398 }
2399 
2400 /* Derived from fs/exec.c:flush_old_files. */
2401 static inline void flush_unauthorized_files(const struct cred *cred,
2402 					    struct files_struct *files)
2403 {
2404 	struct file *file, *devnull = NULL;
2405 	struct tty_struct *tty;
2406 	int drop_tty = 0;
2407 	unsigned n;
2408 
2409 	tty = get_current_tty();
2410 	if (tty) {
2411 		spin_lock(&tty->files_lock);
2412 		if (!list_empty(&tty->tty_files)) {
2413 			struct tty_file_private *file_priv;
2414 
2415 			/* Revalidate access to controlling tty.
2416 			   Use file_path_has_perm on the tty path directly
2417 			   rather than using file_has_perm, as this particular
2418 			   open file may belong to another process and we are
2419 			   only interested in the inode-based check here. */
2420 			file_priv = list_first_entry(&tty->tty_files,
2421 						struct tty_file_private, list);
2422 			file = file_priv->file;
2423 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2424 				drop_tty = 1;
2425 		}
2426 		spin_unlock(&tty->files_lock);
2427 		tty_kref_put(tty);
2428 	}
2429 	/* Reset controlling tty. */
2430 	if (drop_tty)
2431 		no_tty();
2432 
2433 	/* Revalidate access to inherited open files. */
2434 	n = iterate_fd(files, 0, match_file, cred);
2435 	if (!n) /* none found? */
2436 		return;
2437 
2438 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2439 	if (IS_ERR(devnull))
2440 		devnull = NULL;
2441 	/* replace all the matching ones with this */
2442 	do {
2443 		replace_fd(n - 1, devnull, 0);
2444 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2445 	if (devnull)
2446 		fput(devnull);
2447 }
2448 
2449 /*
2450  * Prepare a process for imminent new credential changes due to exec
2451  */
2452 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2453 {
2454 	struct task_security_struct *new_tsec;
2455 	struct rlimit *rlim, *initrlim;
2456 	int rc, i;
2457 
2458 	new_tsec = selinux_cred(bprm->cred);
2459 	if (new_tsec->sid == new_tsec->osid)
2460 		return;
2461 
2462 	/* Close files for which the new task SID is not authorized. */
2463 	flush_unauthorized_files(bprm->cred, current->files);
2464 
2465 	/* Always clear parent death signal on SID transitions. */
2466 	current->pdeath_signal = 0;
2467 
2468 	/* Check whether the new SID can inherit resource limits from the old
2469 	 * SID.  If not, reset all soft limits to the lower of the current
2470 	 * task's hard limit and the init task's soft limit.
2471 	 *
2472 	 * Note that the setting of hard limits (even to lower them) can be
2473 	 * controlled by the setrlimit check.  The inclusion of the init task's
2474 	 * soft limit into the computation is to avoid resetting soft limits
2475 	 * higher than the default soft limit for cases where the default is
2476 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2477 	 */
2478 	rc = avc_has_perm(&selinux_state,
2479 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2480 			  PROCESS__RLIMITINH, NULL);
2481 	if (rc) {
2482 		/* protect against do_prlimit() */
2483 		task_lock(current);
2484 		for (i = 0; i < RLIM_NLIMITS; i++) {
2485 			rlim = current->signal->rlim + i;
2486 			initrlim = init_task.signal->rlim + i;
2487 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2488 		}
2489 		task_unlock(current);
2490 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2491 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2492 	}
2493 }
2494 
2495 /*
2496  * Clean up the process immediately after the installation of new credentials
2497  * due to exec
2498  */
2499 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2500 {
2501 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2502 	u32 osid, sid;
2503 	int rc;
2504 
2505 	osid = tsec->osid;
2506 	sid = tsec->sid;
2507 
2508 	if (sid == osid)
2509 		return;
2510 
2511 	/* Check whether the new SID can inherit signal state from the old SID.
2512 	 * If not, clear itimers to avoid subsequent signal generation and
2513 	 * flush and unblock signals.
2514 	 *
2515 	 * This must occur _after_ the task SID has been updated so that any
2516 	 * kill done after the flush will be checked against the new SID.
2517 	 */
2518 	rc = avc_has_perm(&selinux_state,
2519 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2520 	if (rc) {
2521 		clear_itimer();
2522 
2523 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2524 		if (!fatal_signal_pending(current)) {
2525 			flush_sigqueue(&current->pending);
2526 			flush_sigqueue(&current->signal->shared_pending);
2527 			flush_signal_handlers(current, 1);
2528 			sigemptyset(&current->blocked);
2529 			recalc_sigpending();
2530 		}
2531 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2532 	}
2533 
2534 	/* Wake up the parent if it is waiting so that it can recheck
2535 	 * wait permission to the new task SID. */
2536 	read_lock(&tasklist_lock);
2537 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2538 	read_unlock(&tasklist_lock);
2539 }
2540 
2541 /* superblock security operations */
2542 
2543 static int selinux_sb_alloc_security(struct super_block *sb)
2544 {
2545 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2546 
2547 	mutex_init(&sbsec->lock);
2548 	INIT_LIST_HEAD(&sbsec->isec_head);
2549 	spin_lock_init(&sbsec->isec_lock);
2550 	sbsec->sid = SECINITSID_UNLABELED;
2551 	sbsec->def_sid = SECINITSID_FILE;
2552 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2553 
2554 	return 0;
2555 }
2556 
2557 static inline int opt_len(const char *s)
2558 {
2559 	bool open_quote = false;
2560 	int len;
2561 	char c;
2562 
2563 	for (len = 0; (c = s[len]) != '\0'; len++) {
2564 		if (c == '"')
2565 			open_quote = !open_quote;
2566 		if (c == ',' && !open_quote)
2567 			break;
2568 	}
2569 	return len;
2570 }
2571 
2572 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2573 {
2574 	char *from = options;
2575 	char *to = options;
2576 	bool first = true;
2577 	int rc;
2578 
2579 	while (1) {
2580 		int len = opt_len(from);
2581 		int token;
2582 		char *arg = NULL;
2583 
2584 		token = match_opt_prefix(from, len, &arg);
2585 
2586 		if (token != Opt_error) {
2587 			char *p, *q;
2588 
2589 			/* strip quotes */
2590 			if (arg) {
2591 				for (p = q = arg; p < from + len; p++) {
2592 					char c = *p;
2593 					if (c != '"')
2594 						*q++ = c;
2595 				}
2596 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2597 				if (!arg) {
2598 					rc = -ENOMEM;
2599 					goto free_opt;
2600 				}
2601 			}
2602 			rc = selinux_add_opt(token, arg, mnt_opts);
2603 			if (unlikely(rc)) {
2604 				kfree(arg);
2605 				goto free_opt;
2606 			}
2607 		} else {
2608 			if (!first) {	// copy with preceding comma
2609 				from--;
2610 				len++;
2611 			}
2612 			if (to != from)
2613 				memmove(to, from, len);
2614 			to += len;
2615 			first = false;
2616 		}
2617 		if (!from[len])
2618 			break;
2619 		from += len + 1;
2620 	}
2621 	*to = '\0';
2622 	return 0;
2623 
2624 free_opt:
2625 	if (*mnt_opts) {
2626 		selinux_free_mnt_opts(*mnt_opts);
2627 		*mnt_opts = NULL;
2628 	}
2629 	return rc;
2630 }
2631 
2632 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2633 {
2634 	struct selinux_mnt_opts *opts = mnt_opts;
2635 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2636 
2637 	/*
2638 	 * Superblock not initialized (i.e. no options) - reject if any
2639 	 * options specified, otherwise accept.
2640 	 */
2641 	if (!(sbsec->flags & SE_SBINITIALIZED))
2642 		return opts ? 1 : 0;
2643 
2644 	/*
2645 	 * Superblock initialized and no options specified - reject if
2646 	 * superblock has any options set, otherwise accept.
2647 	 */
2648 	if (!opts)
2649 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2650 
2651 	if (opts->fscontext_sid) {
2652 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2653 			       opts->fscontext_sid))
2654 			return 1;
2655 	}
2656 	if (opts->context_sid) {
2657 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2658 			       opts->context_sid))
2659 			return 1;
2660 	}
2661 	if (opts->rootcontext_sid) {
2662 		struct inode_security_struct *root_isec;
2663 
2664 		root_isec = backing_inode_security(sb->s_root);
2665 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2666 			       opts->rootcontext_sid))
2667 			return 1;
2668 	}
2669 	if (opts->defcontext_sid) {
2670 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2671 			       opts->defcontext_sid))
2672 			return 1;
2673 	}
2674 	return 0;
2675 }
2676 
2677 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2678 {
2679 	struct selinux_mnt_opts *opts = mnt_opts;
2680 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2681 
2682 	if (!(sbsec->flags & SE_SBINITIALIZED))
2683 		return 0;
2684 
2685 	if (!opts)
2686 		return 0;
2687 
2688 	if (opts->fscontext_sid) {
2689 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2690 			       opts->fscontext_sid))
2691 			goto out_bad_option;
2692 	}
2693 	if (opts->context_sid) {
2694 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2695 			       opts->context_sid))
2696 			goto out_bad_option;
2697 	}
2698 	if (opts->rootcontext_sid) {
2699 		struct inode_security_struct *root_isec;
2700 		root_isec = backing_inode_security(sb->s_root);
2701 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2702 			       opts->rootcontext_sid))
2703 			goto out_bad_option;
2704 	}
2705 	if (opts->defcontext_sid) {
2706 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2707 			       opts->defcontext_sid))
2708 			goto out_bad_option;
2709 	}
2710 	return 0;
2711 
2712 out_bad_option:
2713 	pr_warn("SELinux: unable to change security options "
2714 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2715 	       sb->s_type->name);
2716 	return -EINVAL;
2717 }
2718 
2719 static int selinux_sb_kern_mount(struct super_block *sb)
2720 {
2721 	const struct cred *cred = current_cred();
2722 	struct common_audit_data ad;
2723 
2724 	ad.type = LSM_AUDIT_DATA_DENTRY;
2725 	ad.u.dentry = sb->s_root;
2726 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2727 }
2728 
2729 static int selinux_sb_statfs(struct dentry *dentry)
2730 {
2731 	const struct cred *cred = current_cred();
2732 	struct common_audit_data ad;
2733 
2734 	ad.type = LSM_AUDIT_DATA_DENTRY;
2735 	ad.u.dentry = dentry->d_sb->s_root;
2736 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2737 }
2738 
2739 static int selinux_mount(const char *dev_name,
2740 			 const struct path *path,
2741 			 const char *type,
2742 			 unsigned long flags,
2743 			 void *data)
2744 {
2745 	const struct cred *cred = current_cred();
2746 
2747 	if (flags & MS_REMOUNT)
2748 		return superblock_has_perm(cred, path->dentry->d_sb,
2749 					   FILESYSTEM__REMOUNT, NULL);
2750 	else
2751 		return path_has_perm(cred, path, FILE__MOUNTON);
2752 }
2753 
2754 static int selinux_move_mount(const struct path *from_path,
2755 			      const struct path *to_path)
2756 {
2757 	const struct cred *cred = current_cred();
2758 
2759 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2760 }
2761 
2762 static int selinux_umount(struct vfsmount *mnt, int flags)
2763 {
2764 	const struct cred *cred = current_cred();
2765 
2766 	return superblock_has_perm(cred, mnt->mnt_sb,
2767 				   FILESYSTEM__UNMOUNT, NULL);
2768 }
2769 
2770 static int selinux_fs_context_dup(struct fs_context *fc,
2771 				  struct fs_context *src_fc)
2772 {
2773 	const struct selinux_mnt_opts *src = src_fc->security;
2774 
2775 	if (!src)
2776 		return 0;
2777 
2778 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2779 	return fc->security ? 0 : -ENOMEM;
2780 }
2781 
2782 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2783 	fsparam_string(CONTEXT_STR,	Opt_context),
2784 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2785 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2786 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2787 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2788 	{}
2789 };
2790 
2791 static int selinux_fs_context_parse_param(struct fs_context *fc,
2792 					  struct fs_parameter *param)
2793 {
2794 	struct fs_parse_result result;
2795 	int opt, rc;
2796 
2797 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2798 	if (opt < 0)
2799 		return opt;
2800 
2801 	rc = selinux_add_opt(opt, param->string, &fc->security);
2802 	if (!rc)
2803 		param->string = NULL;
2804 
2805 	return rc;
2806 }
2807 
2808 /* inode security operations */
2809 
2810 static int selinux_inode_alloc_security(struct inode *inode)
2811 {
2812 	struct inode_security_struct *isec = selinux_inode(inode);
2813 	u32 sid = current_sid();
2814 
2815 	spin_lock_init(&isec->lock);
2816 	INIT_LIST_HEAD(&isec->list);
2817 	isec->inode = inode;
2818 	isec->sid = SECINITSID_UNLABELED;
2819 	isec->sclass = SECCLASS_FILE;
2820 	isec->task_sid = sid;
2821 	isec->initialized = LABEL_INVALID;
2822 
2823 	return 0;
2824 }
2825 
2826 static void selinux_inode_free_security(struct inode *inode)
2827 {
2828 	inode_free_security(inode);
2829 }
2830 
2831 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2832 					const struct qstr *name,
2833 					const char **xattr_name, void **ctx,
2834 					u32 *ctxlen)
2835 {
2836 	u32 newsid;
2837 	int rc;
2838 
2839 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2840 					   d_inode(dentry->d_parent), name,
2841 					   inode_mode_to_security_class(mode),
2842 					   &newsid);
2843 	if (rc)
2844 		return rc;
2845 
2846 	if (xattr_name)
2847 		*xattr_name = XATTR_NAME_SELINUX;
2848 
2849 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2850 				       ctxlen);
2851 }
2852 
2853 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2854 					  struct qstr *name,
2855 					  const struct cred *old,
2856 					  struct cred *new)
2857 {
2858 	u32 newsid;
2859 	int rc;
2860 	struct task_security_struct *tsec;
2861 
2862 	rc = selinux_determine_inode_label(selinux_cred(old),
2863 					   d_inode(dentry->d_parent), name,
2864 					   inode_mode_to_security_class(mode),
2865 					   &newsid);
2866 	if (rc)
2867 		return rc;
2868 
2869 	tsec = selinux_cred(new);
2870 	tsec->create_sid = newsid;
2871 	return 0;
2872 }
2873 
2874 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2875 				       const struct qstr *qstr,
2876 				       const char **name,
2877 				       void **value, size_t *len)
2878 {
2879 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2880 	struct superblock_security_struct *sbsec;
2881 	u32 newsid, clen;
2882 	int rc;
2883 	char *context;
2884 
2885 	sbsec = selinux_superblock(dir->i_sb);
2886 
2887 	newsid = tsec->create_sid;
2888 
2889 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2890 		inode_mode_to_security_class(inode->i_mode),
2891 		&newsid);
2892 	if (rc)
2893 		return rc;
2894 
2895 	/* Possibly defer initialization to selinux_complete_init. */
2896 	if (sbsec->flags & SE_SBINITIALIZED) {
2897 		struct inode_security_struct *isec = selinux_inode(inode);
2898 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2899 		isec->sid = newsid;
2900 		isec->initialized = LABEL_INITIALIZED;
2901 	}
2902 
2903 	if (!selinux_initialized(&selinux_state) ||
2904 	    !(sbsec->flags & SBLABEL_MNT))
2905 		return -EOPNOTSUPP;
2906 
2907 	if (name)
2908 		*name = XATTR_SELINUX_SUFFIX;
2909 
2910 	if (value && len) {
2911 		rc = security_sid_to_context_force(&selinux_state, newsid,
2912 						   &context, &clen);
2913 		if (rc)
2914 			return rc;
2915 		*value = context;
2916 		*len = clen;
2917 	}
2918 
2919 	return 0;
2920 }
2921 
2922 static int selinux_inode_init_security_anon(struct inode *inode,
2923 					    const struct qstr *name,
2924 					    const struct inode *context_inode)
2925 {
2926 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2927 	struct common_audit_data ad;
2928 	struct inode_security_struct *isec;
2929 	int rc;
2930 
2931 	if (unlikely(!selinux_initialized(&selinux_state)))
2932 		return 0;
2933 
2934 	isec = selinux_inode(inode);
2935 
2936 	/*
2937 	 * We only get here once per ephemeral inode.  The inode has
2938 	 * been initialized via inode_alloc_security but is otherwise
2939 	 * untouched.
2940 	 */
2941 
2942 	if (context_inode) {
2943 		struct inode_security_struct *context_isec =
2944 			selinux_inode(context_inode);
2945 		if (context_isec->initialized != LABEL_INITIALIZED) {
2946 			pr_err("SELinux:  context_inode is not initialized");
2947 			return -EACCES;
2948 		}
2949 
2950 		isec->sclass = context_isec->sclass;
2951 		isec->sid = context_isec->sid;
2952 	} else {
2953 		isec->sclass = SECCLASS_ANON_INODE;
2954 		rc = security_transition_sid(
2955 			&selinux_state, tsec->sid, tsec->sid,
2956 			isec->sclass, name, &isec->sid);
2957 		if (rc)
2958 			return rc;
2959 	}
2960 
2961 	isec->initialized = LABEL_INITIALIZED;
2962 	/*
2963 	 * Now that we've initialized security, check whether we're
2964 	 * allowed to actually create this type of anonymous inode.
2965 	 */
2966 
2967 	ad.type = LSM_AUDIT_DATA_INODE;
2968 	ad.u.inode = inode;
2969 
2970 	return avc_has_perm(&selinux_state,
2971 			    tsec->sid,
2972 			    isec->sid,
2973 			    isec->sclass,
2974 			    FILE__CREATE,
2975 			    &ad);
2976 }
2977 
2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979 {
2980 	return may_create(dir, dentry, SECCLASS_FILE);
2981 }
2982 
2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984 {
2985 	return may_link(dir, old_dentry, MAY_LINK);
2986 }
2987 
2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989 {
2990 	return may_link(dir, dentry, MAY_UNLINK);
2991 }
2992 
2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994 {
2995 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996 }
2997 
2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999 {
3000 	return may_create(dir, dentry, SECCLASS_DIR);
3001 }
3002 
3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004 {
3005 	return may_link(dir, dentry, MAY_RMDIR);
3006 }
3007 
3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009 {
3010 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011 }
3012 
3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014 				struct inode *new_inode, struct dentry *new_dentry)
3015 {
3016 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017 }
3018 
3019 static int selinux_inode_readlink(struct dentry *dentry)
3020 {
3021 	const struct cred *cred = current_cred();
3022 
3023 	return dentry_has_perm(cred, dentry, FILE__READ);
3024 }
3025 
3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027 				     bool rcu)
3028 {
3029 	const struct cred *cred = current_cred();
3030 	struct common_audit_data ad;
3031 	struct inode_security_struct *isec;
3032 	u32 sid;
3033 
3034 	validate_creds(cred);
3035 
3036 	ad.type = LSM_AUDIT_DATA_DENTRY;
3037 	ad.u.dentry = dentry;
3038 	sid = cred_sid(cred);
3039 	isec = inode_security_rcu(inode, rcu);
3040 	if (IS_ERR(isec))
3041 		return PTR_ERR(isec);
3042 
3043 	return avc_has_perm(&selinux_state,
3044 				  sid, isec->sid, isec->sclass, FILE__READ, &ad);
3045 }
3046 
3047 static noinline int audit_inode_permission(struct inode *inode,
3048 					   u32 perms, u32 audited, u32 denied,
3049 					   int result)
3050 {
3051 	struct common_audit_data ad;
3052 	struct inode_security_struct *isec = selinux_inode(inode);
3053 
3054 	ad.type = LSM_AUDIT_DATA_INODE;
3055 	ad.u.inode = inode;
3056 
3057 	return slow_avc_audit(&selinux_state,
3058 			    current_sid(), isec->sid, isec->sclass, perms,
3059 			    audited, denied, result, &ad);
3060 }
3061 
3062 static int selinux_inode_permission(struct inode *inode, int mask)
3063 {
3064 	const struct cred *cred = current_cred();
3065 	u32 perms;
3066 	bool from_access;
3067 	bool no_block = mask & MAY_NOT_BLOCK;
3068 	struct inode_security_struct *isec;
3069 	u32 sid;
3070 	struct av_decision avd;
3071 	int rc, rc2;
3072 	u32 audited, denied;
3073 
3074 	from_access = mask & MAY_ACCESS;
3075 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3076 
3077 	/* No permission to check.  Existence test. */
3078 	if (!mask)
3079 		return 0;
3080 
3081 	validate_creds(cred);
3082 
3083 	if (unlikely(IS_PRIVATE(inode)))
3084 		return 0;
3085 
3086 	perms = file_mask_to_av(inode->i_mode, mask);
3087 
3088 	sid = cred_sid(cred);
3089 	isec = inode_security_rcu(inode, no_block);
3090 	if (IS_ERR(isec))
3091 		return PTR_ERR(isec);
3092 
3093 	rc = avc_has_perm_noaudit(&selinux_state,
3094 				  sid, isec->sid, isec->sclass, perms, 0,
3095 				  &avd);
3096 	audited = avc_audit_required(perms, &avd, rc,
3097 				     from_access ? FILE__AUDIT_ACCESS : 0,
3098 				     &denied);
3099 	if (likely(!audited))
3100 		return rc;
3101 
3102 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3103 	if (rc2)
3104 		return rc2;
3105 	return rc;
3106 }
3107 
3108 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3109 {
3110 	const struct cred *cred = current_cred();
3111 	struct inode *inode = d_backing_inode(dentry);
3112 	unsigned int ia_valid = iattr->ia_valid;
3113 	__u32 av = FILE__WRITE;
3114 
3115 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3116 	if (ia_valid & ATTR_FORCE) {
3117 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3118 			      ATTR_FORCE);
3119 		if (!ia_valid)
3120 			return 0;
3121 	}
3122 
3123 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3124 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3125 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3126 
3127 	if (selinux_policycap_openperm() &&
3128 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3129 	    (ia_valid & ATTR_SIZE) &&
3130 	    !(ia_valid & ATTR_FILE))
3131 		av |= FILE__OPEN;
3132 
3133 	return dentry_has_perm(cred, dentry, av);
3134 }
3135 
3136 static int selinux_inode_getattr(const struct path *path)
3137 {
3138 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3139 }
3140 
3141 static bool has_cap_mac_admin(bool audit)
3142 {
3143 	const struct cred *cred = current_cred();
3144 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3145 
3146 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3147 		return false;
3148 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3149 		return false;
3150 	return true;
3151 }
3152 
3153 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3154 				  struct dentry *dentry, const char *name,
3155 				  const void *value, size_t size, int flags)
3156 {
3157 	struct inode *inode = d_backing_inode(dentry);
3158 	struct inode_security_struct *isec;
3159 	struct superblock_security_struct *sbsec;
3160 	struct common_audit_data ad;
3161 	u32 newsid, sid = current_sid();
3162 	int rc = 0;
3163 
3164 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3165 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3166 		if (rc)
3167 			return rc;
3168 
3169 		/* Not an attribute we recognize, so just check the
3170 		   ordinary setattr permission. */
3171 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3172 	}
3173 
3174 	if (!selinux_initialized(&selinux_state))
3175 		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3176 
3177 	sbsec = selinux_superblock(inode->i_sb);
3178 	if (!(sbsec->flags & SBLABEL_MNT))
3179 		return -EOPNOTSUPP;
3180 
3181 	if (!inode_owner_or_capable(mnt_userns, inode))
3182 		return -EPERM;
3183 
3184 	ad.type = LSM_AUDIT_DATA_DENTRY;
3185 	ad.u.dentry = dentry;
3186 
3187 	isec = backing_inode_security(dentry);
3188 	rc = avc_has_perm(&selinux_state,
3189 			  sid, isec->sid, isec->sclass,
3190 			  FILE__RELABELFROM, &ad);
3191 	if (rc)
3192 		return rc;
3193 
3194 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3195 				     GFP_KERNEL);
3196 	if (rc == -EINVAL) {
3197 		if (!has_cap_mac_admin(true)) {
3198 			struct audit_buffer *ab;
3199 			size_t audit_size;
3200 
3201 			/* We strip a nul only if it is at the end, otherwise the
3202 			 * context contains a nul and we should audit that */
3203 			if (value) {
3204 				const char *str = value;
3205 
3206 				if (str[size - 1] == '\0')
3207 					audit_size = size - 1;
3208 				else
3209 					audit_size = size;
3210 			} else {
3211 				audit_size = 0;
3212 			}
3213 			ab = audit_log_start(audit_context(),
3214 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3215 			if (!ab)
3216 				return rc;
3217 			audit_log_format(ab, "op=setxattr invalid_context=");
3218 			audit_log_n_untrustedstring(ab, value, audit_size);
3219 			audit_log_end(ab);
3220 
3221 			return rc;
3222 		}
3223 		rc = security_context_to_sid_force(&selinux_state, value,
3224 						   size, &newsid);
3225 	}
3226 	if (rc)
3227 		return rc;
3228 
3229 	rc = avc_has_perm(&selinux_state,
3230 			  sid, newsid, isec->sclass,
3231 			  FILE__RELABELTO, &ad);
3232 	if (rc)
3233 		return rc;
3234 
3235 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3236 					  sid, isec->sclass);
3237 	if (rc)
3238 		return rc;
3239 
3240 	return avc_has_perm(&selinux_state,
3241 			    newsid,
3242 			    sbsec->sid,
3243 			    SECCLASS_FILESYSTEM,
3244 			    FILESYSTEM__ASSOCIATE,
3245 			    &ad);
3246 }
3247 
3248 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3249 					const void *value, size_t size,
3250 					int flags)
3251 {
3252 	struct inode *inode = d_backing_inode(dentry);
3253 	struct inode_security_struct *isec;
3254 	u32 newsid;
3255 	int rc;
3256 
3257 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3258 		/* Not an attribute we recognize, so nothing to do. */
3259 		return;
3260 	}
3261 
3262 	if (!selinux_initialized(&selinux_state)) {
3263 		/* If we haven't even been initialized, then we can't validate
3264 		 * against a policy, so leave the label as invalid. It may
3265 		 * resolve to a valid label on the next revalidation try if
3266 		 * we've since initialized.
3267 		 */
3268 		return;
3269 	}
3270 
3271 	rc = security_context_to_sid_force(&selinux_state, value, size,
3272 					   &newsid);
3273 	if (rc) {
3274 		pr_err("SELinux:  unable to map context to SID"
3275 		       "for (%s, %lu), rc=%d\n",
3276 		       inode->i_sb->s_id, inode->i_ino, -rc);
3277 		return;
3278 	}
3279 
3280 	isec = backing_inode_security(dentry);
3281 	spin_lock(&isec->lock);
3282 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3283 	isec->sid = newsid;
3284 	isec->initialized = LABEL_INITIALIZED;
3285 	spin_unlock(&isec->lock);
3286 }
3287 
3288 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3289 {
3290 	const struct cred *cred = current_cred();
3291 
3292 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3293 }
3294 
3295 static int selinux_inode_listxattr(struct dentry *dentry)
3296 {
3297 	const struct cred *cred = current_cred();
3298 
3299 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3300 }
3301 
3302 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3303 				     struct dentry *dentry, const char *name)
3304 {
3305 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3306 		int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3307 		if (rc)
3308 			return rc;
3309 
3310 		/* Not an attribute we recognize, so just check the
3311 		   ordinary setattr permission. */
3312 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3313 	}
3314 
3315 	if (!selinux_initialized(&selinux_state))
3316 		return 0;
3317 
3318 	/* No one is allowed to remove a SELinux security label.
3319 	   You can change the label, but all data must be labeled. */
3320 	return -EACCES;
3321 }
3322 
3323 static int selinux_path_notify(const struct path *path, u64 mask,
3324 						unsigned int obj_type)
3325 {
3326 	int ret;
3327 	u32 perm;
3328 
3329 	struct common_audit_data ad;
3330 
3331 	ad.type = LSM_AUDIT_DATA_PATH;
3332 	ad.u.path = *path;
3333 
3334 	/*
3335 	 * Set permission needed based on the type of mark being set.
3336 	 * Performs an additional check for sb watches.
3337 	 */
3338 	switch (obj_type) {
3339 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3340 		perm = FILE__WATCH_MOUNT;
3341 		break;
3342 	case FSNOTIFY_OBJ_TYPE_SB:
3343 		perm = FILE__WATCH_SB;
3344 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3345 						FILESYSTEM__WATCH, &ad);
3346 		if (ret)
3347 			return ret;
3348 		break;
3349 	case FSNOTIFY_OBJ_TYPE_INODE:
3350 		perm = FILE__WATCH;
3351 		break;
3352 	default:
3353 		return -EINVAL;
3354 	}
3355 
3356 	/* blocking watches require the file:watch_with_perm permission */
3357 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3358 		perm |= FILE__WATCH_WITH_PERM;
3359 
3360 	/* watches on read-like events need the file:watch_reads permission */
3361 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3362 		perm |= FILE__WATCH_READS;
3363 
3364 	return path_has_perm(current_cred(), path, perm);
3365 }
3366 
3367 /*
3368  * Copy the inode security context value to the user.
3369  *
3370  * Permission check is handled by selinux_inode_getxattr hook.
3371  */
3372 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3373 				     struct inode *inode, const char *name,
3374 				     void **buffer, bool alloc)
3375 {
3376 	u32 size;
3377 	int error;
3378 	char *context = NULL;
3379 	struct inode_security_struct *isec;
3380 
3381 	/*
3382 	 * If we're not initialized yet, then we can't validate contexts, so
3383 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3384 	 */
3385 	if (!selinux_initialized(&selinux_state) ||
3386 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3387 		return -EOPNOTSUPP;
3388 
3389 	/*
3390 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3391 	 * value even if it is not defined by current policy; otherwise,
3392 	 * use the in-core value under current policy.
3393 	 * Use the non-auditing forms of the permission checks since
3394 	 * getxattr may be called by unprivileged processes commonly
3395 	 * and lack of permission just means that we fall back to the
3396 	 * in-core context value, not a denial.
3397 	 */
3398 	isec = inode_security(inode);
3399 	if (has_cap_mac_admin(false))
3400 		error = security_sid_to_context_force(&selinux_state,
3401 						      isec->sid, &context,
3402 						      &size);
3403 	else
3404 		error = security_sid_to_context(&selinux_state, isec->sid,
3405 						&context, &size);
3406 	if (error)
3407 		return error;
3408 	error = size;
3409 	if (alloc) {
3410 		*buffer = context;
3411 		goto out_nofree;
3412 	}
3413 	kfree(context);
3414 out_nofree:
3415 	return error;
3416 }
3417 
3418 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3419 				     const void *value, size_t size, int flags)
3420 {
3421 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3422 	struct superblock_security_struct *sbsec;
3423 	u32 newsid;
3424 	int rc;
3425 
3426 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3427 		return -EOPNOTSUPP;
3428 
3429 	sbsec = selinux_superblock(inode->i_sb);
3430 	if (!(sbsec->flags & SBLABEL_MNT))
3431 		return -EOPNOTSUPP;
3432 
3433 	if (!value || !size)
3434 		return -EACCES;
3435 
3436 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3437 				     GFP_KERNEL);
3438 	if (rc)
3439 		return rc;
3440 
3441 	spin_lock(&isec->lock);
3442 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3443 	isec->sid = newsid;
3444 	isec->initialized = LABEL_INITIALIZED;
3445 	spin_unlock(&isec->lock);
3446 	return 0;
3447 }
3448 
3449 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3450 {
3451 	const int len = sizeof(XATTR_NAME_SELINUX);
3452 
3453 	if (!selinux_initialized(&selinux_state))
3454 		return 0;
3455 
3456 	if (buffer && len <= buffer_size)
3457 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3458 	return len;
3459 }
3460 
3461 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3462 {
3463 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3464 	*secid = isec->sid;
3465 }
3466 
3467 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3468 {
3469 	u32 sid;
3470 	struct task_security_struct *tsec;
3471 	struct cred *new_creds = *new;
3472 
3473 	if (new_creds == NULL) {
3474 		new_creds = prepare_creds();
3475 		if (!new_creds)
3476 			return -ENOMEM;
3477 	}
3478 
3479 	tsec = selinux_cred(new_creds);
3480 	/* Get label from overlay inode and set it in create_sid */
3481 	selinux_inode_getsecid(d_inode(src), &sid);
3482 	tsec->create_sid = sid;
3483 	*new = new_creds;
3484 	return 0;
3485 }
3486 
3487 static int selinux_inode_copy_up_xattr(const char *name)
3488 {
3489 	/* The copy_up hook above sets the initial context on an inode, but we
3490 	 * don't then want to overwrite it by blindly copying all the lower
3491 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3492 	 */
3493 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3494 		return 1; /* Discard */
3495 	/*
3496 	 * Any other attribute apart from SELINUX is not claimed, supported
3497 	 * by selinux.
3498 	 */
3499 	return -EOPNOTSUPP;
3500 }
3501 
3502 /* kernfs node operations */
3503 
3504 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3505 					struct kernfs_node *kn)
3506 {
3507 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3508 	u32 parent_sid, newsid, clen;
3509 	int rc;
3510 	char *context;
3511 
3512 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3513 	if (rc == -ENODATA)
3514 		return 0;
3515 	else if (rc < 0)
3516 		return rc;
3517 
3518 	clen = (u32)rc;
3519 	context = kmalloc(clen, GFP_KERNEL);
3520 	if (!context)
3521 		return -ENOMEM;
3522 
3523 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3524 	if (rc < 0) {
3525 		kfree(context);
3526 		return rc;
3527 	}
3528 
3529 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3530 				     GFP_KERNEL);
3531 	kfree(context);
3532 	if (rc)
3533 		return rc;
3534 
3535 	if (tsec->create_sid) {
3536 		newsid = tsec->create_sid;
3537 	} else {
3538 		u16 secclass = inode_mode_to_security_class(kn->mode);
3539 		struct qstr q;
3540 
3541 		q.name = kn->name;
3542 		q.hash_len = hashlen_string(kn_dir, kn->name);
3543 
3544 		rc = security_transition_sid(&selinux_state, tsec->sid,
3545 					     parent_sid, secclass, &q,
3546 					     &newsid);
3547 		if (rc)
3548 			return rc;
3549 	}
3550 
3551 	rc = security_sid_to_context_force(&selinux_state, newsid,
3552 					   &context, &clen);
3553 	if (rc)
3554 		return rc;
3555 
3556 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3557 			      XATTR_CREATE);
3558 	kfree(context);
3559 	return rc;
3560 }
3561 
3562 
3563 /* file security operations */
3564 
3565 static int selinux_revalidate_file_permission(struct file *file, int mask)
3566 {
3567 	const struct cred *cred = current_cred();
3568 	struct inode *inode = file_inode(file);
3569 
3570 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3571 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3572 		mask |= MAY_APPEND;
3573 
3574 	return file_has_perm(cred, file,
3575 			     file_mask_to_av(inode->i_mode, mask));
3576 }
3577 
3578 static int selinux_file_permission(struct file *file, int mask)
3579 {
3580 	struct inode *inode = file_inode(file);
3581 	struct file_security_struct *fsec = selinux_file(file);
3582 	struct inode_security_struct *isec;
3583 	u32 sid = current_sid();
3584 
3585 	if (!mask)
3586 		/* No permission to check.  Existence test. */
3587 		return 0;
3588 
3589 	isec = inode_security(inode);
3590 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3591 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3592 		/* No change since file_open check. */
3593 		return 0;
3594 
3595 	return selinux_revalidate_file_permission(file, mask);
3596 }
3597 
3598 static int selinux_file_alloc_security(struct file *file)
3599 {
3600 	struct file_security_struct *fsec = selinux_file(file);
3601 	u32 sid = current_sid();
3602 
3603 	fsec->sid = sid;
3604 	fsec->fown_sid = sid;
3605 
3606 	return 0;
3607 }
3608 
3609 /*
3610  * Check whether a task has the ioctl permission and cmd
3611  * operation to an inode.
3612  */
3613 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3614 		u32 requested, u16 cmd)
3615 {
3616 	struct common_audit_data ad;
3617 	struct file_security_struct *fsec = selinux_file(file);
3618 	struct inode *inode = file_inode(file);
3619 	struct inode_security_struct *isec;
3620 	struct lsm_ioctlop_audit ioctl;
3621 	u32 ssid = cred_sid(cred);
3622 	int rc;
3623 	u8 driver = cmd >> 8;
3624 	u8 xperm = cmd & 0xff;
3625 
3626 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3627 	ad.u.op = &ioctl;
3628 	ad.u.op->cmd = cmd;
3629 	ad.u.op->path = file->f_path;
3630 
3631 	if (ssid != fsec->sid) {
3632 		rc = avc_has_perm(&selinux_state,
3633 				  ssid, fsec->sid,
3634 				SECCLASS_FD,
3635 				FD__USE,
3636 				&ad);
3637 		if (rc)
3638 			goto out;
3639 	}
3640 
3641 	if (unlikely(IS_PRIVATE(inode)))
3642 		return 0;
3643 
3644 	isec = inode_security(inode);
3645 	rc = avc_has_extended_perms(&selinux_state,
3646 				    ssid, isec->sid, isec->sclass,
3647 				    requested, driver, xperm, &ad);
3648 out:
3649 	return rc;
3650 }
3651 
3652 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3653 			      unsigned long arg)
3654 {
3655 	const struct cred *cred = current_cred();
3656 	int error = 0;
3657 
3658 	switch (cmd) {
3659 	case FIONREAD:
3660 	case FIBMAP:
3661 	case FIGETBSZ:
3662 	case FS_IOC_GETFLAGS:
3663 	case FS_IOC_GETVERSION:
3664 		error = file_has_perm(cred, file, FILE__GETATTR);
3665 		break;
3666 
3667 	case FS_IOC_SETFLAGS:
3668 	case FS_IOC_SETVERSION:
3669 		error = file_has_perm(cred, file, FILE__SETATTR);
3670 		break;
3671 
3672 	/* sys_ioctl() checks */
3673 	case FIONBIO:
3674 	case FIOASYNC:
3675 		error = file_has_perm(cred, file, 0);
3676 		break;
3677 
3678 	case KDSKBENT:
3679 	case KDSKBSENT:
3680 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3681 					    CAP_OPT_NONE, true);
3682 		break;
3683 
3684 	case FIOCLEX:
3685 	case FIONCLEX:
3686 		if (!selinux_policycap_ioctl_skip_cloexec())
3687 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3688 		break;
3689 
3690 	/* default case assumes that the command will go
3691 	 * to the file's ioctl() function.
3692 	 */
3693 	default:
3694 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3695 	}
3696 	return error;
3697 }
3698 
3699 static int default_noexec __ro_after_init;
3700 
3701 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3702 {
3703 	const struct cred *cred = current_cred();
3704 	u32 sid = cred_sid(cred);
3705 	int rc = 0;
3706 
3707 	if (default_noexec &&
3708 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3709 				   (!shared && (prot & PROT_WRITE)))) {
3710 		/*
3711 		 * We are making executable an anonymous mapping or a
3712 		 * private file mapping that will also be writable.
3713 		 * This has an additional check.
3714 		 */
3715 		rc = avc_has_perm(&selinux_state,
3716 				  sid, sid, SECCLASS_PROCESS,
3717 				  PROCESS__EXECMEM, NULL);
3718 		if (rc)
3719 			goto error;
3720 	}
3721 
3722 	if (file) {
3723 		/* read access is always possible with a mapping */
3724 		u32 av = FILE__READ;
3725 
3726 		/* write access only matters if the mapping is shared */
3727 		if (shared && (prot & PROT_WRITE))
3728 			av |= FILE__WRITE;
3729 
3730 		if (prot & PROT_EXEC)
3731 			av |= FILE__EXECUTE;
3732 
3733 		return file_has_perm(cred, file, av);
3734 	}
3735 
3736 error:
3737 	return rc;
3738 }
3739 
3740 static int selinux_mmap_addr(unsigned long addr)
3741 {
3742 	int rc = 0;
3743 
3744 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3745 		u32 sid = current_sid();
3746 		rc = avc_has_perm(&selinux_state,
3747 				  sid, sid, SECCLASS_MEMPROTECT,
3748 				  MEMPROTECT__MMAP_ZERO, NULL);
3749 	}
3750 
3751 	return rc;
3752 }
3753 
3754 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3755 			     unsigned long prot, unsigned long flags)
3756 {
3757 	struct common_audit_data ad;
3758 	int rc;
3759 
3760 	if (file) {
3761 		ad.type = LSM_AUDIT_DATA_FILE;
3762 		ad.u.file = file;
3763 		rc = inode_has_perm(current_cred(), file_inode(file),
3764 				    FILE__MAP, &ad);
3765 		if (rc)
3766 			return rc;
3767 	}
3768 
3769 	if (checkreqprot_get(&selinux_state))
3770 		prot = reqprot;
3771 
3772 	return file_map_prot_check(file, prot,
3773 				   (flags & MAP_TYPE) == MAP_SHARED);
3774 }
3775 
3776 static int selinux_file_mprotect(struct vm_area_struct *vma,
3777 				 unsigned long reqprot,
3778 				 unsigned long prot)
3779 {
3780 	const struct cred *cred = current_cred();
3781 	u32 sid = cred_sid(cred);
3782 
3783 	if (checkreqprot_get(&selinux_state))
3784 		prot = reqprot;
3785 
3786 	if (default_noexec &&
3787 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3788 		int rc = 0;
3789 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3790 		    vma->vm_end <= vma->vm_mm->brk) {
3791 			rc = avc_has_perm(&selinux_state,
3792 					  sid, sid, SECCLASS_PROCESS,
3793 					  PROCESS__EXECHEAP, NULL);
3794 		} else if (!vma->vm_file &&
3795 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3796 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3797 			    vma_is_stack_for_current(vma))) {
3798 			rc = avc_has_perm(&selinux_state,
3799 					  sid, sid, SECCLASS_PROCESS,
3800 					  PROCESS__EXECSTACK, NULL);
3801 		} else if (vma->vm_file && vma->anon_vma) {
3802 			/*
3803 			 * We are making executable a file mapping that has
3804 			 * had some COW done. Since pages might have been
3805 			 * written, check ability to execute the possibly
3806 			 * modified content.  This typically should only
3807 			 * occur for text relocations.
3808 			 */
3809 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3810 		}
3811 		if (rc)
3812 			return rc;
3813 	}
3814 
3815 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3816 }
3817 
3818 static int selinux_file_lock(struct file *file, unsigned int cmd)
3819 {
3820 	const struct cred *cred = current_cred();
3821 
3822 	return file_has_perm(cred, file, FILE__LOCK);
3823 }
3824 
3825 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3826 			      unsigned long arg)
3827 {
3828 	const struct cred *cred = current_cred();
3829 	int err = 0;
3830 
3831 	switch (cmd) {
3832 	case F_SETFL:
3833 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3834 			err = file_has_perm(cred, file, FILE__WRITE);
3835 			break;
3836 		}
3837 		fallthrough;
3838 	case F_SETOWN:
3839 	case F_SETSIG:
3840 	case F_GETFL:
3841 	case F_GETOWN:
3842 	case F_GETSIG:
3843 	case F_GETOWNER_UIDS:
3844 		/* Just check FD__USE permission */
3845 		err = file_has_perm(cred, file, 0);
3846 		break;
3847 	case F_GETLK:
3848 	case F_SETLK:
3849 	case F_SETLKW:
3850 	case F_OFD_GETLK:
3851 	case F_OFD_SETLK:
3852 	case F_OFD_SETLKW:
3853 #if BITS_PER_LONG == 32
3854 	case F_GETLK64:
3855 	case F_SETLK64:
3856 	case F_SETLKW64:
3857 #endif
3858 		err = file_has_perm(cred, file, FILE__LOCK);
3859 		break;
3860 	}
3861 
3862 	return err;
3863 }
3864 
3865 static void selinux_file_set_fowner(struct file *file)
3866 {
3867 	struct file_security_struct *fsec;
3868 
3869 	fsec = selinux_file(file);
3870 	fsec->fown_sid = current_sid();
3871 }
3872 
3873 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3874 				       struct fown_struct *fown, int signum)
3875 {
3876 	struct file *file;
3877 	u32 sid = task_sid_obj(tsk);
3878 	u32 perm;
3879 	struct file_security_struct *fsec;
3880 
3881 	/* struct fown_struct is never outside the context of a struct file */
3882 	file = container_of(fown, struct file, f_owner);
3883 
3884 	fsec = selinux_file(file);
3885 
3886 	if (!signum)
3887 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3888 	else
3889 		perm = signal_to_av(signum);
3890 
3891 	return avc_has_perm(&selinux_state,
3892 			    fsec->fown_sid, sid,
3893 			    SECCLASS_PROCESS, perm, NULL);
3894 }
3895 
3896 static int selinux_file_receive(struct file *file)
3897 {
3898 	const struct cred *cred = current_cred();
3899 
3900 	return file_has_perm(cred, file, file_to_av(file));
3901 }
3902 
3903 static int selinux_file_open(struct file *file)
3904 {
3905 	struct file_security_struct *fsec;
3906 	struct inode_security_struct *isec;
3907 
3908 	fsec = selinux_file(file);
3909 	isec = inode_security(file_inode(file));
3910 	/*
3911 	 * Save inode label and policy sequence number
3912 	 * at open-time so that selinux_file_permission
3913 	 * can determine whether revalidation is necessary.
3914 	 * Task label is already saved in the file security
3915 	 * struct as its SID.
3916 	 */
3917 	fsec->isid = isec->sid;
3918 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3919 	/*
3920 	 * Since the inode label or policy seqno may have changed
3921 	 * between the selinux_inode_permission check and the saving
3922 	 * of state above, recheck that access is still permitted.
3923 	 * Otherwise, access might never be revalidated against the
3924 	 * new inode label or new policy.
3925 	 * This check is not redundant - do not remove.
3926 	 */
3927 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3928 }
3929 
3930 /* task security operations */
3931 
3932 static int selinux_task_alloc(struct task_struct *task,
3933 			      unsigned long clone_flags)
3934 {
3935 	u32 sid = current_sid();
3936 
3937 	return avc_has_perm(&selinux_state,
3938 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3939 }
3940 
3941 /*
3942  * prepare a new set of credentials for modification
3943  */
3944 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3945 				gfp_t gfp)
3946 {
3947 	const struct task_security_struct *old_tsec = selinux_cred(old);
3948 	struct task_security_struct *tsec = selinux_cred(new);
3949 
3950 	*tsec = *old_tsec;
3951 	return 0;
3952 }
3953 
3954 /*
3955  * transfer the SELinux data to a blank set of creds
3956  */
3957 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3958 {
3959 	const struct task_security_struct *old_tsec = selinux_cred(old);
3960 	struct task_security_struct *tsec = selinux_cred(new);
3961 
3962 	*tsec = *old_tsec;
3963 }
3964 
3965 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3966 {
3967 	*secid = cred_sid(c);
3968 }
3969 
3970 /*
3971  * set the security data for a kernel service
3972  * - all the creation contexts are set to unlabelled
3973  */
3974 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3975 {
3976 	struct task_security_struct *tsec = selinux_cred(new);
3977 	u32 sid = current_sid();
3978 	int ret;
3979 
3980 	ret = avc_has_perm(&selinux_state,
3981 			   sid, secid,
3982 			   SECCLASS_KERNEL_SERVICE,
3983 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3984 			   NULL);
3985 	if (ret == 0) {
3986 		tsec->sid = secid;
3987 		tsec->create_sid = 0;
3988 		tsec->keycreate_sid = 0;
3989 		tsec->sockcreate_sid = 0;
3990 	}
3991 	return ret;
3992 }
3993 
3994 /*
3995  * set the file creation context in a security record to the same as the
3996  * objective context of the specified inode
3997  */
3998 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3999 {
4000 	struct inode_security_struct *isec = inode_security(inode);
4001 	struct task_security_struct *tsec = selinux_cred(new);
4002 	u32 sid = current_sid();
4003 	int ret;
4004 
4005 	ret = avc_has_perm(&selinux_state,
4006 			   sid, isec->sid,
4007 			   SECCLASS_KERNEL_SERVICE,
4008 			   KERNEL_SERVICE__CREATE_FILES_AS,
4009 			   NULL);
4010 
4011 	if (ret == 0)
4012 		tsec->create_sid = isec->sid;
4013 	return ret;
4014 }
4015 
4016 static int selinux_kernel_module_request(char *kmod_name)
4017 {
4018 	struct common_audit_data ad;
4019 
4020 	ad.type = LSM_AUDIT_DATA_KMOD;
4021 	ad.u.kmod_name = kmod_name;
4022 
4023 	return avc_has_perm(&selinux_state,
4024 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4025 			    SYSTEM__MODULE_REQUEST, &ad);
4026 }
4027 
4028 static int selinux_kernel_module_from_file(struct file *file)
4029 {
4030 	struct common_audit_data ad;
4031 	struct inode_security_struct *isec;
4032 	struct file_security_struct *fsec;
4033 	u32 sid = current_sid();
4034 	int rc;
4035 
4036 	/* init_module */
4037 	if (file == NULL)
4038 		return avc_has_perm(&selinux_state,
4039 				    sid, sid, SECCLASS_SYSTEM,
4040 					SYSTEM__MODULE_LOAD, NULL);
4041 
4042 	/* finit_module */
4043 
4044 	ad.type = LSM_AUDIT_DATA_FILE;
4045 	ad.u.file = file;
4046 
4047 	fsec = selinux_file(file);
4048 	if (sid != fsec->sid) {
4049 		rc = avc_has_perm(&selinux_state,
4050 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4051 		if (rc)
4052 			return rc;
4053 	}
4054 
4055 	isec = inode_security(file_inode(file));
4056 	return avc_has_perm(&selinux_state,
4057 			    sid, isec->sid, SECCLASS_SYSTEM,
4058 				SYSTEM__MODULE_LOAD, &ad);
4059 }
4060 
4061 static int selinux_kernel_read_file(struct file *file,
4062 				    enum kernel_read_file_id id,
4063 				    bool contents)
4064 {
4065 	int rc = 0;
4066 
4067 	switch (id) {
4068 	case READING_MODULE:
4069 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4070 		break;
4071 	default:
4072 		break;
4073 	}
4074 
4075 	return rc;
4076 }
4077 
4078 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4079 {
4080 	int rc = 0;
4081 
4082 	switch (id) {
4083 	case LOADING_MODULE:
4084 		rc = selinux_kernel_module_from_file(NULL);
4085 		break;
4086 	default:
4087 		break;
4088 	}
4089 
4090 	return rc;
4091 }
4092 
4093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4094 {
4095 	return avc_has_perm(&selinux_state,
4096 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4097 			    PROCESS__SETPGID, NULL);
4098 }
4099 
4100 static int selinux_task_getpgid(struct task_struct *p)
4101 {
4102 	return avc_has_perm(&selinux_state,
4103 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4104 			    PROCESS__GETPGID, NULL);
4105 }
4106 
4107 static int selinux_task_getsid(struct task_struct *p)
4108 {
4109 	return avc_has_perm(&selinux_state,
4110 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4111 			    PROCESS__GETSESSION, NULL);
4112 }
4113 
4114 static void selinux_current_getsecid_subj(u32 *secid)
4115 {
4116 	*secid = current_sid();
4117 }
4118 
4119 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4120 {
4121 	*secid = task_sid_obj(p);
4122 }
4123 
4124 static int selinux_task_setnice(struct task_struct *p, int nice)
4125 {
4126 	return avc_has_perm(&selinux_state,
4127 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4128 			    PROCESS__SETSCHED, NULL);
4129 }
4130 
4131 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4132 {
4133 	return avc_has_perm(&selinux_state,
4134 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4135 			    PROCESS__SETSCHED, NULL);
4136 }
4137 
4138 static int selinux_task_getioprio(struct task_struct *p)
4139 {
4140 	return avc_has_perm(&selinux_state,
4141 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4142 			    PROCESS__GETSCHED, NULL);
4143 }
4144 
4145 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4146 				unsigned int flags)
4147 {
4148 	u32 av = 0;
4149 
4150 	if (!flags)
4151 		return 0;
4152 	if (flags & LSM_PRLIMIT_WRITE)
4153 		av |= PROCESS__SETRLIMIT;
4154 	if (flags & LSM_PRLIMIT_READ)
4155 		av |= PROCESS__GETRLIMIT;
4156 	return avc_has_perm(&selinux_state,
4157 			    cred_sid(cred), cred_sid(tcred),
4158 			    SECCLASS_PROCESS, av, NULL);
4159 }
4160 
4161 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4162 		struct rlimit *new_rlim)
4163 {
4164 	struct rlimit *old_rlim = p->signal->rlim + resource;
4165 
4166 	/* Control the ability to change the hard limit (whether
4167 	   lowering or raising it), so that the hard limit can
4168 	   later be used as a safe reset point for the soft limit
4169 	   upon context transitions.  See selinux_bprm_committing_creds. */
4170 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4171 		return avc_has_perm(&selinux_state,
4172 				    current_sid(), task_sid_obj(p),
4173 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4174 
4175 	return 0;
4176 }
4177 
4178 static int selinux_task_setscheduler(struct task_struct *p)
4179 {
4180 	return avc_has_perm(&selinux_state,
4181 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4182 			    PROCESS__SETSCHED, NULL);
4183 }
4184 
4185 static int selinux_task_getscheduler(struct task_struct *p)
4186 {
4187 	return avc_has_perm(&selinux_state,
4188 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4189 			    PROCESS__GETSCHED, NULL);
4190 }
4191 
4192 static int selinux_task_movememory(struct task_struct *p)
4193 {
4194 	return avc_has_perm(&selinux_state,
4195 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4196 			    PROCESS__SETSCHED, NULL);
4197 }
4198 
4199 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4200 				int sig, const struct cred *cred)
4201 {
4202 	u32 secid;
4203 	u32 perm;
4204 
4205 	if (!sig)
4206 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4207 	else
4208 		perm = signal_to_av(sig);
4209 	if (!cred)
4210 		secid = current_sid();
4211 	else
4212 		secid = cred_sid(cred);
4213 	return avc_has_perm(&selinux_state,
4214 			    secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4215 }
4216 
4217 static void selinux_task_to_inode(struct task_struct *p,
4218 				  struct inode *inode)
4219 {
4220 	struct inode_security_struct *isec = selinux_inode(inode);
4221 	u32 sid = task_sid_obj(p);
4222 
4223 	spin_lock(&isec->lock);
4224 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4225 	isec->sid = sid;
4226 	isec->initialized = LABEL_INITIALIZED;
4227 	spin_unlock(&isec->lock);
4228 }
4229 
4230 /* Returns error only if unable to parse addresses */
4231 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4232 			struct common_audit_data *ad, u8 *proto)
4233 {
4234 	int offset, ihlen, ret = -EINVAL;
4235 	struct iphdr _iph, *ih;
4236 
4237 	offset = skb_network_offset(skb);
4238 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4239 	if (ih == NULL)
4240 		goto out;
4241 
4242 	ihlen = ih->ihl * 4;
4243 	if (ihlen < sizeof(_iph))
4244 		goto out;
4245 
4246 	ad->u.net->v4info.saddr = ih->saddr;
4247 	ad->u.net->v4info.daddr = ih->daddr;
4248 	ret = 0;
4249 
4250 	if (proto)
4251 		*proto = ih->protocol;
4252 
4253 	switch (ih->protocol) {
4254 	case IPPROTO_TCP: {
4255 		struct tcphdr _tcph, *th;
4256 
4257 		if (ntohs(ih->frag_off) & IP_OFFSET)
4258 			break;
4259 
4260 		offset += ihlen;
4261 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4262 		if (th == NULL)
4263 			break;
4264 
4265 		ad->u.net->sport = th->source;
4266 		ad->u.net->dport = th->dest;
4267 		break;
4268 	}
4269 
4270 	case IPPROTO_UDP: {
4271 		struct udphdr _udph, *uh;
4272 
4273 		if (ntohs(ih->frag_off) & IP_OFFSET)
4274 			break;
4275 
4276 		offset += ihlen;
4277 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4278 		if (uh == NULL)
4279 			break;
4280 
4281 		ad->u.net->sport = uh->source;
4282 		ad->u.net->dport = uh->dest;
4283 		break;
4284 	}
4285 
4286 	case IPPROTO_DCCP: {
4287 		struct dccp_hdr _dccph, *dh;
4288 
4289 		if (ntohs(ih->frag_off) & IP_OFFSET)
4290 			break;
4291 
4292 		offset += ihlen;
4293 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4294 		if (dh == NULL)
4295 			break;
4296 
4297 		ad->u.net->sport = dh->dccph_sport;
4298 		ad->u.net->dport = dh->dccph_dport;
4299 		break;
4300 	}
4301 
4302 #if IS_ENABLED(CONFIG_IP_SCTP)
4303 	case IPPROTO_SCTP: {
4304 		struct sctphdr _sctph, *sh;
4305 
4306 		if (ntohs(ih->frag_off) & IP_OFFSET)
4307 			break;
4308 
4309 		offset += ihlen;
4310 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4311 		if (sh == NULL)
4312 			break;
4313 
4314 		ad->u.net->sport = sh->source;
4315 		ad->u.net->dport = sh->dest;
4316 		break;
4317 	}
4318 #endif
4319 	default:
4320 		break;
4321 	}
4322 out:
4323 	return ret;
4324 }
4325 
4326 #if IS_ENABLED(CONFIG_IPV6)
4327 
4328 /* Returns error only if unable to parse addresses */
4329 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4330 			struct common_audit_data *ad, u8 *proto)
4331 {
4332 	u8 nexthdr;
4333 	int ret = -EINVAL, offset;
4334 	struct ipv6hdr _ipv6h, *ip6;
4335 	__be16 frag_off;
4336 
4337 	offset = skb_network_offset(skb);
4338 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4339 	if (ip6 == NULL)
4340 		goto out;
4341 
4342 	ad->u.net->v6info.saddr = ip6->saddr;
4343 	ad->u.net->v6info.daddr = ip6->daddr;
4344 	ret = 0;
4345 
4346 	nexthdr = ip6->nexthdr;
4347 	offset += sizeof(_ipv6h);
4348 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4349 	if (offset < 0)
4350 		goto out;
4351 
4352 	if (proto)
4353 		*proto = nexthdr;
4354 
4355 	switch (nexthdr) {
4356 	case IPPROTO_TCP: {
4357 		struct tcphdr _tcph, *th;
4358 
4359 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4360 		if (th == NULL)
4361 			break;
4362 
4363 		ad->u.net->sport = th->source;
4364 		ad->u.net->dport = th->dest;
4365 		break;
4366 	}
4367 
4368 	case IPPROTO_UDP: {
4369 		struct udphdr _udph, *uh;
4370 
4371 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4372 		if (uh == NULL)
4373 			break;
4374 
4375 		ad->u.net->sport = uh->source;
4376 		ad->u.net->dport = uh->dest;
4377 		break;
4378 	}
4379 
4380 	case IPPROTO_DCCP: {
4381 		struct dccp_hdr _dccph, *dh;
4382 
4383 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4384 		if (dh == NULL)
4385 			break;
4386 
4387 		ad->u.net->sport = dh->dccph_sport;
4388 		ad->u.net->dport = dh->dccph_dport;
4389 		break;
4390 	}
4391 
4392 #if IS_ENABLED(CONFIG_IP_SCTP)
4393 	case IPPROTO_SCTP: {
4394 		struct sctphdr _sctph, *sh;
4395 
4396 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4397 		if (sh == NULL)
4398 			break;
4399 
4400 		ad->u.net->sport = sh->source;
4401 		ad->u.net->dport = sh->dest;
4402 		break;
4403 	}
4404 #endif
4405 	/* includes fragments */
4406 	default:
4407 		break;
4408 	}
4409 out:
4410 	return ret;
4411 }
4412 
4413 #endif /* IPV6 */
4414 
4415 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4416 			     char **_addrp, int src, u8 *proto)
4417 {
4418 	char *addrp;
4419 	int ret;
4420 
4421 	switch (ad->u.net->family) {
4422 	case PF_INET:
4423 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4424 		if (ret)
4425 			goto parse_error;
4426 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4427 				       &ad->u.net->v4info.daddr);
4428 		goto okay;
4429 
4430 #if IS_ENABLED(CONFIG_IPV6)
4431 	case PF_INET6:
4432 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4433 		if (ret)
4434 			goto parse_error;
4435 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4436 				       &ad->u.net->v6info.daddr);
4437 		goto okay;
4438 #endif	/* IPV6 */
4439 	default:
4440 		addrp = NULL;
4441 		goto okay;
4442 	}
4443 
4444 parse_error:
4445 	pr_warn(
4446 	       "SELinux: failure in selinux_parse_skb(),"
4447 	       " unable to parse packet\n");
4448 	return ret;
4449 
4450 okay:
4451 	if (_addrp)
4452 		*_addrp = addrp;
4453 	return 0;
4454 }
4455 
4456 /**
4457  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4458  * @skb: the packet
4459  * @family: protocol family
4460  * @sid: the packet's peer label SID
4461  *
4462  * Description:
4463  * Check the various different forms of network peer labeling and determine
4464  * the peer label/SID for the packet; most of the magic actually occurs in
4465  * the security server function security_net_peersid_cmp().  The function
4466  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4467  * or -EACCES if @sid is invalid due to inconsistencies with the different
4468  * peer labels.
4469  *
4470  */
4471 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4472 {
4473 	int err;
4474 	u32 xfrm_sid;
4475 	u32 nlbl_sid;
4476 	u32 nlbl_type;
4477 
4478 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4479 	if (unlikely(err))
4480 		return -EACCES;
4481 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4482 	if (unlikely(err))
4483 		return -EACCES;
4484 
4485 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4486 					   nlbl_type, xfrm_sid, sid);
4487 	if (unlikely(err)) {
4488 		pr_warn(
4489 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4490 		       " unable to determine packet's peer label\n");
4491 		return -EACCES;
4492 	}
4493 
4494 	return 0;
4495 }
4496 
4497 /**
4498  * selinux_conn_sid - Determine the child socket label for a connection
4499  * @sk_sid: the parent socket's SID
4500  * @skb_sid: the packet's SID
4501  * @conn_sid: the resulting connection SID
4502  *
4503  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4504  * combined with the MLS information from @skb_sid in order to create
4505  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4506  * of @sk_sid.  Returns zero on success, negative values on failure.
4507  *
4508  */
4509 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4510 {
4511 	int err = 0;
4512 
4513 	if (skb_sid != SECSID_NULL)
4514 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4515 					    conn_sid);
4516 	else
4517 		*conn_sid = sk_sid;
4518 
4519 	return err;
4520 }
4521 
4522 /* socket security operations */
4523 
4524 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4525 				 u16 secclass, u32 *socksid)
4526 {
4527 	if (tsec->sockcreate_sid > SECSID_NULL) {
4528 		*socksid = tsec->sockcreate_sid;
4529 		return 0;
4530 	}
4531 
4532 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4533 				       secclass, NULL, socksid);
4534 }
4535 
4536 static int sock_has_perm(struct sock *sk, u32 perms)
4537 {
4538 	struct sk_security_struct *sksec = sk->sk_security;
4539 	struct common_audit_data ad;
4540 	struct lsm_network_audit net = {0,};
4541 
4542 	if (sksec->sid == SECINITSID_KERNEL)
4543 		return 0;
4544 
4545 	ad.type = LSM_AUDIT_DATA_NET;
4546 	ad.u.net = &net;
4547 	ad.u.net->sk = sk;
4548 
4549 	return avc_has_perm(&selinux_state,
4550 			    current_sid(), sksec->sid, sksec->sclass, perms,
4551 			    &ad);
4552 }
4553 
4554 static int selinux_socket_create(int family, int type,
4555 				 int protocol, int kern)
4556 {
4557 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4558 	u32 newsid;
4559 	u16 secclass;
4560 	int rc;
4561 
4562 	if (kern)
4563 		return 0;
4564 
4565 	secclass = socket_type_to_security_class(family, type, protocol);
4566 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4567 	if (rc)
4568 		return rc;
4569 
4570 	return avc_has_perm(&selinux_state,
4571 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4572 }
4573 
4574 static int selinux_socket_post_create(struct socket *sock, int family,
4575 				      int type, int protocol, int kern)
4576 {
4577 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4578 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4579 	struct sk_security_struct *sksec;
4580 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4581 	u32 sid = SECINITSID_KERNEL;
4582 	int err = 0;
4583 
4584 	if (!kern) {
4585 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4586 		if (err)
4587 			return err;
4588 	}
4589 
4590 	isec->sclass = sclass;
4591 	isec->sid = sid;
4592 	isec->initialized = LABEL_INITIALIZED;
4593 
4594 	if (sock->sk) {
4595 		sksec = sock->sk->sk_security;
4596 		sksec->sclass = sclass;
4597 		sksec->sid = sid;
4598 		/* Allows detection of the first association on this socket */
4599 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4600 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4601 
4602 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4603 	}
4604 
4605 	return err;
4606 }
4607 
4608 static int selinux_socket_socketpair(struct socket *socka,
4609 				     struct socket *sockb)
4610 {
4611 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4612 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4613 
4614 	sksec_a->peer_sid = sksec_b->sid;
4615 	sksec_b->peer_sid = sksec_a->sid;
4616 
4617 	return 0;
4618 }
4619 
4620 /* Range of port numbers used to automatically bind.
4621    Need to determine whether we should perform a name_bind
4622    permission check between the socket and the port number. */
4623 
4624 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4625 {
4626 	struct sock *sk = sock->sk;
4627 	struct sk_security_struct *sksec = sk->sk_security;
4628 	u16 family;
4629 	int err;
4630 
4631 	err = sock_has_perm(sk, SOCKET__BIND);
4632 	if (err)
4633 		goto out;
4634 
4635 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4636 	family = sk->sk_family;
4637 	if (family == PF_INET || family == PF_INET6) {
4638 		char *addrp;
4639 		struct common_audit_data ad;
4640 		struct lsm_network_audit net = {0,};
4641 		struct sockaddr_in *addr4 = NULL;
4642 		struct sockaddr_in6 *addr6 = NULL;
4643 		u16 family_sa;
4644 		unsigned short snum;
4645 		u32 sid, node_perm;
4646 
4647 		/*
4648 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4649 		 * that validates multiple binding addresses. Because of this
4650 		 * need to check address->sa_family as it is possible to have
4651 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4652 		 */
4653 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4654 			return -EINVAL;
4655 		family_sa = address->sa_family;
4656 		switch (family_sa) {
4657 		case AF_UNSPEC:
4658 		case AF_INET:
4659 			if (addrlen < sizeof(struct sockaddr_in))
4660 				return -EINVAL;
4661 			addr4 = (struct sockaddr_in *)address;
4662 			if (family_sa == AF_UNSPEC) {
4663 				/* see __inet_bind(), we only want to allow
4664 				 * AF_UNSPEC if the address is INADDR_ANY
4665 				 */
4666 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4667 					goto err_af;
4668 				family_sa = AF_INET;
4669 			}
4670 			snum = ntohs(addr4->sin_port);
4671 			addrp = (char *)&addr4->sin_addr.s_addr;
4672 			break;
4673 		case AF_INET6:
4674 			if (addrlen < SIN6_LEN_RFC2133)
4675 				return -EINVAL;
4676 			addr6 = (struct sockaddr_in6 *)address;
4677 			snum = ntohs(addr6->sin6_port);
4678 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4679 			break;
4680 		default:
4681 			goto err_af;
4682 		}
4683 
4684 		ad.type = LSM_AUDIT_DATA_NET;
4685 		ad.u.net = &net;
4686 		ad.u.net->sport = htons(snum);
4687 		ad.u.net->family = family_sa;
4688 
4689 		if (snum) {
4690 			int low, high;
4691 
4692 			inet_get_local_port_range(sock_net(sk), &low, &high);
4693 
4694 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4695 			    snum < low || snum > high) {
4696 				err = sel_netport_sid(sk->sk_protocol,
4697 						      snum, &sid);
4698 				if (err)
4699 					goto out;
4700 				err = avc_has_perm(&selinux_state,
4701 						   sksec->sid, sid,
4702 						   sksec->sclass,
4703 						   SOCKET__NAME_BIND, &ad);
4704 				if (err)
4705 					goto out;
4706 			}
4707 		}
4708 
4709 		switch (sksec->sclass) {
4710 		case SECCLASS_TCP_SOCKET:
4711 			node_perm = TCP_SOCKET__NODE_BIND;
4712 			break;
4713 
4714 		case SECCLASS_UDP_SOCKET:
4715 			node_perm = UDP_SOCKET__NODE_BIND;
4716 			break;
4717 
4718 		case SECCLASS_DCCP_SOCKET:
4719 			node_perm = DCCP_SOCKET__NODE_BIND;
4720 			break;
4721 
4722 		case SECCLASS_SCTP_SOCKET:
4723 			node_perm = SCTP_SOCKET__NODE_BIND;
4724 			break;
4725 
4726 		default:
4727 			node_perm = RAWIP_SOCKET__NODE_BIND;
4728 			break;
4729 		}
4730 
4731 		err = sel_netnode_sid(addrp, family_sa, &sid);
4732 		if (err)
4733 			goto out;
4734 
4735 		if (family_sa == AF_INET)
4736 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4737 		else
4738 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4739 
4740 		err = avc_has_perm(&selinux_state,
4741 				   sksec->sid, sid,
4742 				   sksec->sclass, node_perm, &ad);
4743 		if (err)
4744 			goto out;
4745 	}
4746 out:
4747 	return err;
4748 err_af:
4749 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4750 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4751 		return -EINVAL;
4752 	return -EAFNOSUPPORT;
4753 }
4754 
4755 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4756  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4757  */
4758 static int selinux_socket_connect_helper(struct socket *sock,
4759 					 struct sockaddr *address, int addrlen)
4760 {
4761 	struct sock *sk = sock->sk;
4762 	struct sk_security_struct *sksec = sk->sk_security;
4763 	int err;
4764 
4765 	err = sock_has_perm(sk, SOCKET__CONNECT);
4766 	if (err)
4767 		return err;
4768 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4769 		return -EINVAL;
4770 
4771 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4772 	 * way to disconnect the socket
4773 	 */
4774 	if (address->sa_family == AF_UNSPEC)
4775 		return 0;
4776 
4777 	/*
4778 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4779 	 * for the port.
4780 	 */
4781 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4782 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4783 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4784 		struct common_audit_data ad;
4785 		struct lsm_network_audit net = {0,};
4786 		struct sockaddr_in *addr4 = NULL;
4787 		struct sockaddr_in6 *addr6 = NULL;
4788 		unsigned short snum;
4789 		u32 sid, perm;
4790 
4791 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4792 		 * that validates multiple connect addresses. Because of this
4793 		 * need to check address->sa_family as it is possible to have
4794 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4795 		 */
4796 		switch (address->sa_family) {
4797 		case AF_INET:
4798 			addr4 = (struct sockaddr_in *)address;
4799 			if (addrlen < sizeof(struct sockaddr_in))
4800 				return -EINVAL;
4801 			snum = ntohs(addr4->sin_port);
4802 			break;
4803 		case AF_INET6:
4804 			addr6 = (struct sockaddr_in6 *)address;
4805 			if (addrlen < SIN6_LEN_RFC2133)
4806 				return -EINVAL;
4807 			snum = ntohs(addr6->sin6_port);
4808 			break;
4809 		default:
4810 			/* Note that SCTP services expect -EINVAL, whereas
4811 			 * others expect -EAFNOSUPPORT.
4812 			 */
4813 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4814 				return -EINVAL;
4815 			else
4816 				return -EAFNOSUPPORT;
4817 		}
4818 
4819 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4820 		if (err)
4821 			return err;
4822 
4823 		switch (sksec->sclass) {
4824 		case SECCLASS_TCP_SOCKET:
4825 			perm = TCP_SOCKET__NAME_CONNECT;
4826 			break;
4827 		case SECCLASS_DCCP_SOCKET:
4828 			perm = DCCP_SOCKET__NAME_CONNECT;
4829 			break;
4830 		case SECCLASS_SCTP_SOCKET:
4831 			perm = SCTP_SOCKET__NAME_CONNECT;
4832 			break;
4833 		}
4834 
4835 		ad.type = LSM_AUDIT_DATA_NET;
4836 		ad.u.net = &net;
4837 		ad.u.net->dport = htons(snum);
4838 		ad.u.net->family = address->sa_family;
4839 		err = avc_has_perm(&selinux_state,
4840 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4841 		if (err)
4842 			return err;
4843 	}
4844 
4845 	return 0;
4846 }
4847 
4848 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4849 static int selinux_socket_connect(struct socket *sock,
4850 				  struct sockaddr *address, int addrlen)
4851 {
4852 	int err;
4853 	struct sock *sk = sock->sk;
4854 
4855 	err = selinux_socket_connect_helper(sock, address, addrlen);
4856 	if (err)
4857 		return err;
4858 
4859 	return selinux_netlbl_socket_connect(sk, address);
4860 }
4861 
4862 static int selinux_socket_listen(struct socket *sock, int backlog)
4863 {
4864 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4865 }
4866 
4867 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4868 {
4869 	int err;
4870 	struct inode_security_struct *isec;
4871 	struct inode_security_struct *newisec;
4872 	u16 sclass;
4873 	u32 sid;
4874 
4875 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4876 	if (err)
4877 		return err;
4878 
4879 	isec = inode_security_novalidate(SOCK_INODE(sock));
4880 	spin_lock(&isec->lock);
4881 	sclass = isec->sclass;
4882 	sid = isec->sid;
4883 	spin_unlock(&isec->lock);
4884 
4885 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4886 	newisec->sclass = sclass;
4887 	newisec->sid = sid;
4888 	newisec->initialized = LABEL_INITIALIZED;
4889 
4890 	return 0;
4891 }
4892 
4893 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4894 				  int size)
4895 {
4896 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4897 }
4898 
4899 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4900 				  int size, int flags)
4901 {
4902 	return sock_has_perm(sock->sk, SOCKET__READ);
4903 }
4904 
4905 static int selinux_socket_getsockname(struct socket *sock)
4906 {
4907 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4908 }
4909 
4910 static int selinux_socket_getpeername(struct socket *sock)
4911 {
4912 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4913 }
4914 
4915 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4916 {
4917 	int err;
4918 
4919 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4920 	if (err)
4921 		return err;
4922 
4923 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4924 }
4925 
4926 static int selinux_socket_getsockopt(struct socket *sock, int level,
4927 				     int optname)
4928 {
4929 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4930 }
4931 
4932 static int selinux_socket_shutdown(struct socket *sock, int how)
4933 {
4934 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4935 }
4936 
4937 static int selinux_socket_unix_stream_connect(struct sock *sock,
4938 					      struct sock *other,
4939 					      struct sock *newsk)
4940 {
4941 	struct sk_security_struct *sksec_sock = sock->sk_security;
4942 	struct sk_security_struct *sksec_other = other->sk_security;
4943 	struct sk_security_struct *sksec_new = newsk->sk_security;
4944 	struct common_audit_data ad;
4945 	struct lsm_network_audit net = {0,};
4946 	int err;
4947 
4948 	ad.type = LSM_AUDIT_DATA_NET;
4949 	ad.u.net = &net;
4950 	ad.u.net->sk = other;
4951 
4952 	err = avc_has_perm(&selinux_state,
4953 			   sksec_sock->sid, sksec_other->sid,
4954 			   sksec_other->sclass,
4955 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4956 	if (err)
4957 		return err;
4958 
4959 	/* server child socket */
4960 	sksec_new->peer_sid = sksec_sock->sid;
4961 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4962 				    sksec_sock->sid, &sksec_new->sid);
4963 	if (err)
4964 		return err;
4965 
4966 	/* connecting socket */
4967 	sksec_sock->peer_sid = sksec_new->sid;
4968 
4969 	return 0;
4970 }
4971 
4972 static int selinux_socket_unix_may_send(struct socket *sock,
4973 					struct socket *other)
4974 {
4975 	struct sk_security_struct *ssec = sock->sk->sk_security;
4976 	struct sk_security_struct *osec = other->sk->sk_security;
4977 	struct common_audit_data ad;
4978 	struct lsm_network_audit net = {0,};
4979 
4980 	ad.type = LSM_AUDIT_DATA_NET;
4981 	ad.u.net = &net;
4982 	ad.u.net->sk = other->sk;
4983 
4984 	return avc_has_perm(&selinux_state,
4985 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4986 			    &ad);
4987 }
4988 
4989 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4990 				    char *addrp, u16 family, u32 peer_sid,
4991 				    struct common_audit_data *ad)
4992 {
4993 	int err;
4994 	u32 if_sid;
4995 	u32 node_sid;
4996 
4997 	err = sel_netif_sid(ns, ifindex, &if_sid);
4998 	if (err)
4999 		return err;
5000 	err = avc_has_perm(&selinux_state,
5001 			   peer_sid, if_sid,
5002 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5003 	if (err)
5004 		return err;
5005 
5006 	err = sel_netnode_sid(addrp, family, &node_sid);
5007 	if (err)
5008 		return err;
5009 	return avc_has_perm(&selinux_state,
5010 			    peer_sid, node_sid,
5011 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5012 }
5013 
5014 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5015 				       u16 family)
5016 {
5017 	int err = 0;
5018 	struct sk_security_struct *sksec = sk->sk_security;
5019 	u32 sk_sid = sksec->sid;
5020 	struct common_audit_data ad;
5021 	struct lsm_network_audit net = {0,};
5022 	char *addrp;
5023 
5024 	ad.type = LSM_AUDIT_DATA_NET;
5025 	ad.u.net = &net;
5026 	ad.u.net->netif = skb->skb_iif;
5027 	ad.u.net->family = family;
5028 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5029 	if (err)
5030 		return err;
5031 
5032 	if (selinux_secmark_enabled()) {
5033 		err = avc_has_perm(&selinux_state,
5034 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5035 				   PACKET__RECV, &ad);
5036 		if (err)
5037 			return err;
5038 	}
5039 
5040 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5041 	if (err)
5042 		return err;
5043 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5044 
5045 	return err;
5046 }
5047 
5048 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5049 {
5050 	int err;
5051 	struct sk_security_struct *sksec = sk->sk_security;
5052 	u16 family = sk->sk_family;
5053 	u32 sk_sid = sksec->sid;
5054 	struct common_audit_data ad;
5055 	struct lsm_network_audit net = {0,};
5056 	char *addrp;
5057 	u8 secmark_active;
5058 	u8 peerlbl_active;
5059 
5060 	if (family != PF_INET && family != PF_INET6)
5061 		return 0;
5062 
5063 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5064 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5065 		family = PF_INET;
5066 
5067 	/* If any sort of compatibility mode is enabled then handoff processing
5068 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5069 	 * special handling.  We do this in an attempt to keep this function
5070 	 * as fast and as clean as possible. */
5071 	if (!selinux_policycap_netpeer())
5072 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5073 
5074 	secmark_active = selinux_secmark_enabled();
5075 	peerlbl_active = selinux_peerlbl_enabled();
5076 	if (!secmark_active && !peerlbl_active)
5077 		return 0;
5078 
5079 	ad.type = LSM_AUDIT_DATA_NET;
5080 	ad.u.net = &net;
5081 	ad.u.net->netif = skb->skb_iif;
5082 	ad.u.net->family = family;
5083 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5084 	if (err)
5085 		return err;
5086 
5087 	if (peerlbl_active) {
5088 		u32 peer_sid;
5089 
5090 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5091 		if (err)
5092 			return err;
5093 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5094 					       addrp, family, peer_sid, &ad);
5095 		if (err) {
5096 			selinux_netlbl_err(skb, family, err, 0);
5097 			return err;
5098 		}
5099 		err = avc_has_perm(&selinux_state,
5100 				   sk_sid, peer_sid, SECCLASS_PEER,
5101 				   PEER__RECV, &ad);
5102 		if (err) {
5103 			selinux_netlbl_err(skb, family, err, 0);
5104 			return err;
5105 		}
5106 	}
5107 
5108 	if (secmark_active) {
5109 		err = avc_has_perm(&selinux_state,
5110 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5111 				   PACKET__RECV, &ad);
5112 		if (err)
5113 			return err;
5114 	}
5115 
5116 	return err;
5117 }
5118 
5119 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5120 					    int __user *optlen, unsigned len)
5121 {
5122 	int err = 0;
5123 	char *scontext;
5124 	u32 scontext_len;
5125 	struct sk_security_struct *sksec = sock->sk->sk_security;
5126 	u32 peer_sid = SECSID_NULL;
5127 
5128 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5129 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5130 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5131 		peer_sid = sksec->peer_sid;
5132 	if (peer_sid == SECSID_NULL)
5133 		return -ENOPROTOOPT;
5134 
5135 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5136 				      &scontext_len);
5137 	if (err)
5138 		return err;
5139 
5140 	if (scontext_len > len) {
5141 		err = -ERANGE;
5142 		goto out_len;
5143 	}
5144 
5145 	if (copy_to_user(optval, scontext, scontext_len))
5146 		err = -EFAULT;
5147 
5148 out_len:
5149 	if (put_user(scontext_len, optlen))
5150 		err = -EFAULT;
5151 	kfree(scontext);
5152 	return err;
5153 }
5154 
5155 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5156 {
5157 	u32 peer_secid = SECSID_NULL;
5158 	u16 family;
5159 	struct inode_security_struct *isec;
5160 
5161 	if (skb && skb->protocol == htons(ETH_P_IP))
5162 		family = PF_INET;
5163 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5164 		family = PF_INET6;
5165 	else if (sock)
5166 		family = sock->sk->sk_family;
5167 	else
5168 		goto out;
5169 
5170 	if (sock && family == PF_UNIX) {
5171 		isec = inode_security_novalidate(SOCK_INODE(sock));
5172 		peer_secid = isec->sid;
5173 	} else if (skb)
5174 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5175 
5176 out:
5177 	*secid = peer_secid;
5178 	if (peer_secid == SECSID_NULL)
5179 		return -EINVAL;
5180 	return 0;
5181 }
5182 
5183 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5184 {
5185 	struct sk_security_struct *sksec;
5186 
5187 	sksec = kzalloc(sizeof(*sksec), priority);
5188 	if (!sksec)
5189 		return -ENOMEM;
5190 
5191 	sksec->peer_sid = SECINITSID_UNLABELED;
5192 	sksec->sid = SECINITSID_UNLABELED;
5193 	sksec->sclass = SECCLASS_SOCKET;
5194 	selinux_netlbl_sk_security_reset(sksec);
5195 	sk->sk_security = sksec;
5196 
5197 	return 0;
5198 }
5199 
5200 static void selinux_sk_free_security(struct sock *sk)
5201 {
5202 	struct sk_security_struct *sksec = sk->sk_security;
5203 
5204 	sk->sk_security = NULL;
5205 	selinux_netlbl_sk_security_free(sksec);
5206 	kfree(sksec);
5207 }
5208 
5209 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5210 {
5211 	struct sk_security_struct *sksec = sk->sk_security;
5212 	struct sk_security_struct *newsksec = newsk->sk_security;
5213 
5214 	newsksec->sid = sksec->sid;
5215 	newsksec->peer_sid = sksec->peer_sid;
5216 	newsksec->sclass = sksec->sclass;
5217 
5218 	selinux_netlbl_sk_security_reset(newsksec);
5219 }
5220 
5221 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5222 {
5223 	if (!sk)
5224 		*secid = SECINITSID_ANY_SOCKET;
5225 	else {
5226 		struct sk_security_struct *sksec = sk->sk_security;
5227 
5228 		*secid = sksec->sid;
5229 	}
5230 }
5231 
5232 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5233 {
5234 	struct inode_security_struct *isec =
5235 		inode_security_novalidate(SOCK_INODE(parent));
5236 	struct sk_security_struct *sksec = sk->sk_security;
5237 
5238 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5239 	    sk->sk_family == PF_UNIX)
5240 		isec->sid = sksec->sid;
5241 	sksec->sclass = isec->sclass;
5242 }
5243 
5244 /*
5245  * Determines peer_secid for the asoc and updates socket's peer label
5246  * if it's the first association on the socket.
5247  */
5248 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5249 					  struct sk_buff *skb)
5250 {
5251 	struct sock *sk = asoc->base.sk;
5252 	u16 family = sk->sk_family;
5253 	struct sk_security_struct *sksec = sk->sk_security;
5254 	struct common_audit_data ad;
5255 	struct lsm_network_audit net = {0,};
5256 	int err;
5257 
5258 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5259 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5260 		family = PF_INET;
5261 
5262 	if (selinux_peerlbl_enabled()) {
5263 		asoc->peer_secid = SECSID_NULL;
5264 
5265 		/* This will return peer_sid = SECSID_NULL if there are
5266 		 * no peer labels, see security_net_peersid_resolve().
5267 		 */
5268 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5269 		if (err)
5270 			return err;
5271 
5272 		if (asoc->peer_secid == SECSID_NULL)
5273 			asoc->peer_secid = SECINITSID_UNLABELED;
5274 	} else {
5275 		asoc->peer_secid = SECINITSID_UNLABELED;
5276 	}
5277 
5278 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5279 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5280 
5281 		/* Here as first association on socket. As the peer SID
5282 		 * was allowed by peer recv (and the netif/node checks),
5283 		 * then it is approved by policy and used as the primary
5284 		 * peer SID for getpeercon(3).
5285 		 */
5286 		sksec->peer_sid = asoc->peer_secid;
5287 	} else if (sksec->peer_sid != asoc->peer_secid) {
5288 		/* Other association peer SIDs are checked to enforce
5289 		 * consistency among the peer SIDs.
5290 		 */
5291 		ad.type = LSM_AUDIT_DATA_NET;
5292 		ad.u.net = &net;
5293 		ad.u.net->sk = asoc->base.sk;
5294 		err = avc_has_perm(&selinux_state,
5295 				   sksec->peer_sid, asoc->peer_secid,
5296 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5297 				   &ad);
5298 		if (err)
5299 			return err;
5300 	}
5301 	return 0;
5302 }
5303 
5304 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5305  * happens on an incoming connect(2), sctp_connectx(3) or
5306  * sctp_sendmsg(3) (with no association already present).
5307  */
5308 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5309 				      struct sk_buff *skb)
5310 {
5311 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5312 	u32 conn_sid;
5313 	int err;
5314 
5315 	if (!selinux_policycap_extsockclass())
5316 		return 0;
5317 
5318 	err = selinux_sctp_process_new_assoc(asoc, skb);
5319 	if (err)
5320 		return err;
5321 
5322 	/* Compute the MLS component for the connection and store
5323 	 * the information in asoc. This will be used by SCTP TCP type
5324 	 * sockets and peeled off connections as they cause a new
5325 	 * socket to be generated. selinux_sctp_sk_clone() will then
5326 	 * plug this into the new socket.
5327 	 */
5328 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5329 	if (err)
5330 		return err;
5331 
5332 	asoc->secid = conn_sid;
5333 
5334 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5335 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5336 }
5337 
5338 /* Called when SCTP receives a COOKIE ACK chunk as the final
5339  * response to an association request (initited by us).
5340  */
5341 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5342 					  struct sk_buff *skb)
5343 {
5344 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5345 
5346 	if (!selinux_policycap_extsockclass())
5347 		return 0;
5348 
5349 	/* Inherit secid from the parent socket - this will be picked up
5350 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5351 	 * into a new socket.
5352 	 */
5353 	asoc->secid = sksec->sid;
5354 
5355 	return selinux_sctp_process_new_assoc(asoc, skb);
5356 }
5357 
5358 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5359  * based on their @optname.
5360  */
5361 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5362 				     struct sockaddr *address,
5363 				     int addrlen)
5364 {
5365 	int len, err = 0, walk_size = 0;
5366 	void *addr_buf;
5367 	struct sockaddr *addr;
5368 	struct socket *sock;
5369 
5370 	if (!selinux_policycap_extsockclass())
5371 		return 0;
5372 
5373 	/* Process one or more addresses that may be IPv4 or IPv6 */
5374 	sock = sk->sk_socket;
5375 	addr_buf = address;
5376 
5377 	while (walk_size < addrlen) {
5378 		if (walk_size + sizeof(sa_family_t) > addrlen)
5379 			return -EINVAL;
5380 
5381 		addr = addr_buf;
5382 		switch (addr->sa_family) {
5383 		case AF_UNSPEC:
5384 		case AF_INET:
5385 			len = sizeof(struct sockaddr_in);
5386 			break;
5387 		case AF_INET6:
5388 			len = sizeof(struct sockaddr_in6);
5389 			break;
5390 		default:
5391 			return -EINVAL;
5392 		}
5393 
5394 		if (walk_size + len > addrlen)
5395 			return -EINVAL;
5396 
5397 		err = -EINVAL;
5398 		switch (optname) {
5399 		/* Bind checks */
5400 		case SCTP_PRIMARY_ADDR:
5401 		case SCTP_SET_PEER_PRIMARY_ADDR:
5402 		case SCTP_SOCKOPT_BINDX_ADD:
5403 			err = selinux_socket_bind(sock, addr, len);
5404 			break;
5405 		/* Connect checks */
5406 		case SCTP_SOCKOPT_CONNECTX:
5407 		case SCTP_PARAM_SET_PRIMARY:
5408 		case SCTP_PARAM_ADD_IP:
5409 		case SCTP_SENDMSG_CONNECT:
5410 			err = selinux_socket_connect_helper(sock, addr, len);
5411 			if (err)
5412 				return err;
5413 
5414 			/* As selinux_sctp_bind_connect() is called by the
5415 			 * SCTP protocol layer, the socket is already locked,
5416 			 * therefore selinux_netlbl_socket_connect_locked()
5417 			 * is called here. The situations handled are:
5418 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5419 			 * whenever a new IP address is added or when a new
5420 			 * primary address is selected.
5421 			 * Note that an SCTP connect(2) call happens before
5422 			 * the SCTP protocol layer and is handled via
5423 			 * selinux_socket_connect().
5424 			 */
5425 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5426 			break;
5427 		}
5428 
5429 		if (err)
5430 			return err;
5431 
5432 		addr_buf += len;
5433 		walk_size += len;
5434 	}
5435 
5436 	return 0;
5437 }
5438 
5439 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5440 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5441 				  struct sock *newsk)
5442 {
5443 	struct sk_security_struct *sksec = sk->sk_security;
5444 	struct sk_security_struct *newsksec = newsk->sk_security;
5445 
5446 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5447 	 * the non-sctp clone version.
5448 	 */
5449 	if (!selinux_policycap_extsockclass())
5450 		return selinux_sk_clone_security(sk, newsk);
5451 
5452 	newsksec->sid = asoc->secid;
5453 	newsksec->peer_sid = asoc->peer_secid;
5454 	newsksec->sclass = sksec->sclass;
5455 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5456 }
5457 
5458 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5459 				     struct request_sock *req)
5460 {
5461 	struct sk_security_struct *sksec = sk->sk_security;
5462 	int err;
5463 	u16 family = req->rsk_ops->family;
5464 	u32 connsid;
5465 	u32 peersid;
5466 
5467 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5468 	if (err)
5469 		return err;
5470 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5471 	if (err)
5472 		return err;
5473 	req->secid = connsid;
5474 	req->peer_secid = peersid;
5475 
5476 	return selinux_netlbl_inet_conn_request(req, family);
5477 }
5478 
5479 static void selinux_inet_csk_clone(struct sock *newsk,
5480 				   const struct request_sock *req)
5481 {
5482 	struct sk_security_struct *newsksec = newsk->sk_security;
5483 
5484 	newsksec->sid = req->secid;
5485 	newsksec->peer_sid = req->peer_secid;
5486 	/* NOTE: Ideally, we should also get the isec->sid for the
5487 	   new socket in sync, but we don't have the isec available yet.
5488 	   So we will wait until sock_graft to do it, by which
5489 	   time it will have been created and available. */
5490 
5491 	/* We don't need to take any sort of lock here as we are the only
5492 	 * thread with access to newsksec */
5493 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5494 }
5495 
5496 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5497 {
5498 	u16 family = sk->sk_family;
5499 	struct sk_security_struct *sksec = sk->sk_security;
5500 
5501 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5502 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5503 		family = PF_INET;
5504 
5505 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5506 }
5507 
5508 static int selinux_secmark_relabel_packet(u32 sid)
5509 {
5510 	const struct task_security_struct *__tsec;
5511 	u32 tsid;
5512 
5513 	__tsec = selinux_cred(current_cred());
5514 	tsid = __tsec->sid;
5515 
5516 	return avc_has_perm(&selinux_state,
5517 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5518 			    NULL);
5519 }
5520 
5521 static void selinux_secmark_refcount_inc(void)
5522 {
5523 	atomic_inc(&selinux_secmark_refcount);
5524 }
5525 
5526 static void selinux_secmark_refcount_dec(void)
5527 {
5528 	atomic_dec(&selinux_secmark_refcount);
5529 }
5530 
5531 static void selinux_req_classify_flow(const struct request_sock *req,
5532 				      struct flowi_common *flic)
5533 {
5534 	flic->flowic_secid = req->secid;
5535 }
5536 
5537 static int selinux_tun_dev_alloc_security(void **security)
5538 {
5539 	struct tun_security_struct *tunsec;
5540 
5541 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5542 	if (!tunsec)
5543 		return -ENOMEM;
5544 	tunsec->sid = current_sid();
5545 
5546 	*security = tunsec;
5547 	return 0;
5548 }
5549 
5550 static void selinux_tun_dev_free_security(void *security)
5551 {
5552 	kfree(security);
5553 }
5554 
5555 static int selinux_tun_dev_create(void)
5556 {
5557 	u32 sid = current_sid();
5558 
5559 	/* we aren't taking into account the "sockcreate" SID since the socket
5560 	 * that is being created here is not a socket in the traditional sense,
5561 	 * instead it is a private sock, accessible only to the kernel, and
5562 	 * representing a wide range of network traffic spanning multiple
5563 	 * connections unlike traditional sockets - check the TUN driver to
5564 	 * get a better understanding of why this socket is special */
5565 
5566 	return avc_has_perm(&selinux_state,
5567 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5568 			    NULL);
5569 }
5570 
5571 static int selinux_tun_dev_attach_queue(void *security)
5572 {
5573 	struct tun_security_struct *tunsec = security;
5574 
5575 	return avc_has_perm(&selinux_state,
5576 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5577 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5578 }
5579 
5580 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5581 {
5582 	struct tun_security_struct *tunsec = security;
5583 	struct sk_security_struct *sksec = sk->sk_security;
5584 
5585 	/* we don't currently perform any NetLabel based labeling here and it
5586 	 * isn't clear that we would want to do so anyway; while we could apply
5587 	 * labeling without the support of the TUN user the resulting labeled
5588 	 * traffic from the other end of the connection would almost certainly
5589 	 * cause confusion to the TUN user that had no idea network labeling
5590 	 * protocols were being used */
5591 
5592 	sksec->sid = tunsec->sid;
5593 	sksec->sclass = SECCLASS_TUN_SOCKET;
5594 
5595 	return 0;
5596 }
5597 
5598 static int selinux_tun_dev_open(void *security)
5599 {
5600 	struct tun_security_struct *tunsec = security;
5601 	u32 sid = current_sid();
5602 	int err;
5603 
5604 	err = avc_has_perm(&selinux_state,
5605 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5606 			   TUN_SOCKET__RELABELFROM, NULL);
5607 	if (err)
5608 		return err;
5609 	err = avc_has_perm(&selinux_state,
5610 			   sid, sid, SECCLASS_TUN_SOCKET,
5611 			   TUN_SOCKET__RELABELTO, NULL);
5612 	if (err)
5613 		return err;
5614 	tunsec->sid = sid;
5615 
5616 	return 0;
5617 }
5618 
5619 #ifdef CONFIG_NETFILTER
5620 
5621 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5622 				       const struct nf_hook_state *state)
5623 {
5624 	int ifindex;
5625 	u16 family;
5626 	char *addrp;
5627 	u32 peer_sid;
5628 	struct common_audit_data ad;
5629 	struct lsm_network_audit net = {0,};
5630 	int secmark_active, peerlbl_active;
5631 
5632 	if (!selinux_policycap_netpeer())
5633 		return NF_ACCEPT;
5634 
5635 	secmark_active = selinux_secmark_enabled();
5636 	peerlbl_active = selinux_peerlbl_enabled();
5637 	if (!secmark_active && !peerlbl_active)
5638 		return NF_ACCEPT;
5639 
5640 	family = state->pf;
5641 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5642 		return NF_DROP;
5643 
5644 	ifindex = state->in->ifindex;
5645 	ad.type = LSM_AUDIT_DATA_NET;
5646 	ad.u.net = &net;
5647 	ad.u.net->netif = ifindex;
5648 	ad.u.net->family = family;
5649 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5650 		return NF_DROP;
5651 
5652 	if (peerlbl_active) {
5653 		int err;
5654 
5655 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5656 					       addrp, family, peer_sid, &ad);
5657 		if (err) {
5658 			selinux_netlbl_err(skb, family, err, 1);
5659 			return NF_DROP;
5660 		}
5661 	}
5662 
5663 	if (secmark_active)
5664 		if (avc_has_perm(&selinux_state,
5665 				 peer_sid, skb->secmark,
5666 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5667 			return NF_DROP;
5668 
5669 	if (netlbl_enabled())
5670 		/* we do this in the FORWARD path and not the POST_ROUTING
5671 		 * path because we want to make sure we apply the necessary
5672 		 * labeling before IPsec is applied so we can leverage AH
5673 		 * protection */
5674 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5675 			return NF_DROP;
5676 
5677 	return NF_ACCEPT;
5678 }
5679 
5680 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5681 				      const struct nf_hook_state *state)
5682 {
5683 	struct sock *sk;
5684 	u32 sid;
5685 
5686 	if (!netlbl_enabled())
5687 		return NF_ACCEPT;
5688 
5689 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5690 	 * because we want to make sure we apply the necessary labeling
5691 	 * before IPsec is applied so we can leverage AH protection */
5692 	sk = skb->sk;
5693 	if (sk) {
5694 		struct sk_security_struct *sksec;
5695 
5696 		if (sk_listener(sk))
5697 			/* if the socket is the listening state then this
5698 			 * packet is a SYN-ACK packet which means it needs to
5699 			 * be labeled based on the connection/request_sock and
5700 			 * not the parent socket.  unfortunately, we can't
5701 			 * lookup the request_sock yet as it isn't queued on
5702 			 * the parent socket until after the SYN-ACK is sent.
5703 			 * the "solution" is to simply pass the packet as-is
5704 			 * as any IP option based labeling should be copied
5705 			 * from the initial connection request (in the IP
5706 			 * layer).  it is far from ideal, but until we get a
5707 			 * security label in the packet itself this is the
5708 			 * best we can do. */
5709 			return NF_ACCEPT;
5710 
5711 		/* standard practice, label using the parent socket */
5712 		sksec = sk->sk_security;
5713 		sid = sksec->sid;
5714 	} else
5715 		sid = SECINITSID_KERNEL;
5716 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5717 		return NF_DROP;
5718 
5719 	return NF_ACCEPT;
5720 }
5721 
5722 
5723 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5724 					const struct nf_hook_state *state)
5725 {
5726 	struct sock *sk;
5727 	struct sk_security_struct *sksec;
5728 	struct common_audit_data ad;
5729 	struct lsm_network_audit net = {0,};
5730 	u8 proto = 0;
5731 
5732 	sk = skb_to_full_sk(skb);
5733 	if (sk == NULL)
5734 		return NF_ACCEPT;
5735 	sksec = sk->sk_security;
5736 
5737 	ad.type = LSM_AUDIT_DATA_NET;
5738 	ad.u.net = &net;
5739 	ad.u.net->netif = state->out->ifindex;
5740 	ad.u.net->family = state->pf;
5741 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5742 		return NF_DROP;
5743 
5744 	if (selinux_secmark_enabled())
5745 		if (avc_has_perm(&selinux_state,
5746 				 sksec->sid, skb->secmark,
5747 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5748 			return NF_DROP_ERR(-ECONNREFUSED);
5749 
5750 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5751 		return NF_DROP_ERR(-ECONNREFUSED);
5752 
5753 	return NF_ACCEPT;
5754 }
5755 
5756 static unsigned int selinux_ip_postroute(void *priv,
5757 					 struct sk_buff *skb,
5758 					 const struct nf_hook_state *state)
5759 {
5760 	u16 family;
5761 	u32 secmark_perm;
5762 	u32 peer_sid;
5763 	int ifindex;
5764 	struct sock *sk;
5765 	struct common_audit_data ad;
5766 	struct lsm_network_audit net = {0,};
5767 	char *addrp;
5768 	int secmark_active, peerlbl_active;
5769 
5770 	/* If any sort of compatibility mode is enabled then handoff processing
5771 	 * to the selinux_ip_postroute_compat() function to deal with the
5772 	 * special handling.  We do this in an attempt to keep this function
5773 	 * as fast and as clean as possible. */
5774 	if (!selinux_policycap_netpeer())
5775 		return selinux_ip_postroute_compat(skb, state);
5776 
5777 	secmark_active = selinux_secmark_enabled();
5778 	peerlbl_active = selinux_peerlbl_enabled();
5779 	if (!secmark_active && !peerlbl_active)
5780 		return NF_ACCEPT;
5781 
5782 	sk = skb_to_full_sk(skb);
5783 
5784 #ifdef CONFIG_XFRM
5785 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5786 	 * packet transformation so allow the packet to pass without any checks
5787 	 * since we'll have another chance to perform access control checks
5788 	 * when the packet is on it's final way out.
5789 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5790 	 *       is NULL, in this case go ahead and apply access control.
5791 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5792 	 *       TCP listening state we cannot wait until the XFRM processing
5793 	 *       is done as we will miss out on the SA label if we do;
5794 	 *       unfortunately, this means more work, but it is only once per
5795 	 *       connection. */
5796 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5797 	    !(sk && sk_listener(sk)))
5798 		return NF_ACCEPT;
5799 #endif
5800 
5801 	family = state->pf;
5802 	if (sk == NULL) {
5803 		/* Without an associated socket the packet is either coming
5804 		 * from the kernel or it is being forwarded; check the packet
5805 		 * to determine which and if the packet is being forwarded
5806 		 * query the packet directly to determine the security label. */
5807 		if (skb->skb_iif) {
5808 			secmark_perm = PACKET__FORWARD_OUT;
5809 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5810 				return NF_DROP;
5811 		} else {
5812 			secmark_perm = PACKET__SEND;
5813 			peer_sid = SECINITSID_KERNEL;
5814 		}
5815 	} else if (sk_listener(sk)) {
5816 		/* Locally generated packet but the associated socket is in the
5817 		 * listening state which means this is a SYN-ACK packet.  In
5818 		 * this particular case the correct security label is assigned
5819 		 * to the connection/request_sock but unfortunately we can't
5820 		 * query the request_sock as it isn't queued on the parent
5821 		 * socket until after the SYN-ACK packet is sent; the only
5822 		 * viable choice is to regenerate the label like we do in
5823 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5824 		 * for similar problems. */
5825 		u32 skb_sid;
5826 		struct sk_security_struct *sksec;
5827 
5828 		sksec = sk->sk_security;
5829 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5830 			return NF_DROP;
5831 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5832 		 * and the packet has been through at least one XFRM
5833 		 * transformation then we must be dealing with the "final"
5834 		 * form of labeled IPsec packet; since we've already applied
5835 		 * all of our access controls on this packet we can safely
5836 		 * pass the packet. */
5837 		if (skb_sid == SECSID_NULL) {
5838 			switch (family) {
5839 			case PF_INET:
5840 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5841 					return NF_ACCEPT;
5842 				break;
5843 			case PF_INET6:
5844 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5845 					return NF_ACCEPT;
5846 				break;
5847 			default:
5848 				return NF_DROP_ERR(-ECONNREFUSED);
5849 			}
5850 		}
5851 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5852 			return NF_DROP;
5853 		secmark_perm = PACKET__SEND;
5854 	} else {
5855 		/* Locally generated packet, fetch the security label from the
5856 		 * associated socket. */
5857 		struct sk_security_struct *sksec = sk->sk_security;
5858 		peer_sid = sksec->sid;
5859 		secmark_perm = PACKET__SEND;
5860 	}
5861 
5862 	ifindex = state->out->ifindex;
5863 	ad.type = LSM_AUDIT_DATA_NET;
5864 	ad.u.net = &net;
5865 	ad.u.net->netif = ifindex;
5866 	ad.u.net->family = family;
5867 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5868 		return NF_DROP;
5869 
5870 	if (secmark_active)
5871 		if (avc_has_perm(&selinux_state,
5872 				 peer_sid, skb->secmark,
5873 				 SECCLASS_PACKET, secmark_perm, &ad))
5874 			return NF_DROP_ERR(-ECONNREFUSED);
5875 
5876 	if (peerlbl_active) {
5877 		u32 if_sid;
5878 		u32 node_sid;
5879 
5880 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5881 			return NF_DROP;
5882 		if (avc_has_perm(&selinux_state,
5883 				 peer_sid, if_sid,
5884 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5885 			return NF_DROP_ERR(-ECONNREFUSED);
5886 
5887 		if (sel_netnode_sid(addrp, family, &node_sid))
5888 			return NF_DROP;
5889 		if (avc_has_perm(&selinux_state,
5890 				 peer_sid, node_sid,
5891 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5892 			return NF_DROP_ERR(-ECONNREFUSED);
5893 	}
5894 
5895 	return NF_ACCEPT;
5896 }
5897 #endif	/* CONFIG_NETFILTER */
5898 
5899 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5900 {
5901 	int rc = 0;
5902 	unsigned int msg_len;
5903 	unsigned int data_len = skb->len;
5904 	unsigned char *data = skb->data;
5905 	struct nlmsghdr *nlh;
5906 	struct sk_security_struct *sksec = sk->sk_security;
5907 	u16 sclass = sksec->sclass;
5908 	u32 perm;
5909 
5910 	while (data_len >= nlmsg_total_size(0)) {
5911 		nlh = (struct nlmsghdr *)data;
5912 
5913 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5914 		 *       users which means we can't reject skb's with bogus
5915 		 *       length fields; our solution is to follow what
5916 		 *       netlink_rcv_skb() does and simply skip processing at
5917 		 *       messages with length fields that are clearly junk
5918 		 */
5919 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5920 			return 0;
5921 
5922 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5923 		if (rc == 0) {
5924 			rc = sock_has_perm(sk, perm);
5925 			if (rc)
5926 				return rc;
5927 		} else if (rc == -EINVAL) {
5928 			/* -EINVAL is a missing msg/perm mapping */
5929 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5930 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5931 				" pid=%d comm=%s\n",
5932 				sk->sk_protocol, nlh->nlmsg_type,
5933 				secclass_map[sclass - 1].name,
5934 				task_pid_nr(current), current->comm);
5935 			if (enforcing_enabled(&selinux_state) &&
5936 			    !security_get_allow_unknown(&selinux_state))
5937 				return rc;
5938 			rc = 0;
5939 		} else if (rc == -ENOENT) {
5940 			/* -ENOENT is a missing socket/class mapping, ignore */
5941 			rc = 0;
5942 		} else {
5943 			return rc;
5944 		}
5945 
5946 		/* move to the next message after applying netlink padding */
5947 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5948 		if (msg_len >= data_len)
5949 			return 0;
5950 		data_len -= msg_len;
5951 		data += msg_len;
5952 	}
5953 
5954 	return rc;
5955 }
5956 
5957 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5958 {
5959 	isec->sclass = sclass;
5960 	isec->sid = current_sid();
5961 }
5962 
5963 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5964 			u32 perms)
5965 {
5966 	struct ipc_security_struct *isec;
5967 	struct common_audit_data ad;
5968 	u32 sid = current_sid();
5969 
5970 	isec = selinux_ipc(ipc_perms);
5971 
5972 	ad.type = LSM_AUDIT_DATA_IPC;
5973 	ad.u.ipc_id = ipc_perms->key;
5974 
5975 	return avc_has_perm(&selinux_state,
5976 			    sid, isec->sid, isec->sclass, perms, &ad);
5977 }
5978 
5979 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5980 {
5981 	struct msg_security_struct *msec;
5982 
5983 	msec = selinux_msg_msg(msg);
5984 	msec->sid = SECINITSID_UNLABELED;
5985 
5986 	return 0;
5987 }
5988 
5989 /* message queue security operations */
5990 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5991 {
5992 	struct ipc_security_struct *isec;
5993 	struct common_audit_data ad;
5994 	u32 sid = current_sid();
5995 	int rc;
5996 
5997 	isec = selinux_ipc(msq);
5998 	ipc_init_security(isec, SECCLASS_MSGQ);
5999 
6000 	ad.type = LSM_AUDIT_DATA_IPC;
6001 	ad.u.ipc_id = msq->key;
6002 
6003 	rc = avc_has_perm(&selinux_state,
6004 			  sid, isec->sid, SECCLASS_MSGQ,
6005 			  MSGQ__CREATE, &ad);
6006 	return rc;
6007 }
6008 
6009 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6010 {
6011 	struct ipc_security_struct *isec;
6012 	struct common_audit_data ad;
6013 	u32 sid = current_sid();
6014 
6015 	isec = selinux_ipc(msq);
6016 
6017 	ad.type = LSM_AUDIT_DATA_IPC;
6018 	ad.u.ipc_id = msq->key;
6019 
6020 	return avc_has_perm(&selinux_state,
6021 			    sid, isec->sid, SECCLASS_MSGQ,
6022 			    MSGQ__ASSOCIATE, &ad);
6023 }
6024 
6025 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6026 {
6027 	int err;
6028 	int perms;
6029 
6030 	switch (cmd) {
6031 	case IPC_INFO:
6032 	case MSG_INFO:
6033 		/* No specific object, just general system-wide information. */
6034 		return avc_has_perm(&selinux_state,
6035 				    current_sid(), SECINITSID_KERNEL,
6036 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6037 	case IPC_STAT:
6038 	case MSG_STAT:
6039 	case MSG_STAT_ANY:
6040 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6041 		break;
6042 	case IPC_SET:
6043 		perms = MSGQ__SETATTR;
6044 		break;
6045 	case IPC_RMID:
6046 		perms = MSGQ__DESTROY;
6047 		break;
6048 	default:
6049 		return 0;
6050 	}
6051 
6052 	err = ipc_has_perm(msq, perms);
6053 	return err;
6054 }
6055 
6056 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6057 {
6058 	struct ipc_security_struct *isec;
6059 	struct msg_security_struct *msec;
6060 	struct common_audit_data ad;
6061 	u32 sid = current_sid();
6062 	int rc;
6063 
6064 	isec = selinux_ipc(msq);
6065 	msec = selinux_msg_msg(msg);
6066 
6067 	/*
6068 	 * First time through, need to assign label to the message
6069 	 */
6070 	if (msec->sid == SECINITSID_UNLABELED) {
6071 		/*
6072 		 * Compute new sid based on current process and
6073 		 * message queue this message will be stored in
6074 		 */
6075 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6076 					     SECCLASS_MSG, NULL, &msec->sid);
6077 		if (rc)
6078 			return rc;
6079 	}
6080 
6081 	ad.type = LSM_AUDIT_DATA_IPC;
6082 	ad.u.ipc_id = msq->key;
6083 
6084 	/* Can this process write to the queue? */
6085 	rc = avc_has_perm(&selinux_state,
6086 			  sid, isec->sid, SECCLASS_MSGQ,
6087 			  MSGQ__WRITE, &ad);
6088 	if (!rc)
6089 		/* Can this process send the message */
6090 		rc = avc_has_perm(&selinux_state,
6091 				  sid, msec->sid, SECCLASS_MSG,
6092 				  MSG__SEND, &ad);
6093 	if (!rc)
6094 		/* Can the message be put in the queue? */
6095 		rc = avc_has_perm(&selinux_state,
6096 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6097 				  MSGQ__ENQUEUE, &ad);
6098 
6099 	return rc;
6100 }
6101 
6102 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6103 				    struct task_struct *target,
6104 				    long type, int mode)
6105 {
6106 	struct ipc_security_struct *isec;
6107 	struct msg_security_struct *msec;
6108 	struct common_audit_data ad;
6109 	u32 sid = task_sid_obj(target);
6110 	int rc;
6111 
6112 	isec = selinux_ipc(msq);
6113 	msec = selinux_msg_msg(msg);
6114 
6115 	ad.type = LSM_AUDIT_DATA_IPC;
6116 	ad.u.ipc_id = msq->key;
6117 
6118 	rc = avc_has_perm(&selinux_state,
6119 			  sid, isec->sid,
6120 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6121 	if (!rc)
6122 		rc = avc_has_perm(&selinux_state,
6123 				  sid, msec->sid,
6124 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6125 	return rc;
6126 }
6127 
6128 /* Shared Memory security operations */
6129 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6130 {
6131 	struct ipc_security_struct *isec;
6132 	struct common_audit_data ad;
6133 	u32 sid = current_sid();
6134 	int rc;
6135 
6136 	isec = selinux_ipc(shp);
6137 	ipc_init_security(isec, SECCLASS_SHM);
6138 
6139 	ad.type = LSM_AUDIT_DATA_IPC;
6140 	ad.u.ipc_id = shp->key;
6141 
6142 	rc = avc_has_perm(&selinux_state,
6143 			  sid, isec->sid, SECCLASS_SHM,
6144 			  SHM__CREATE, &ad);
6145 	return rc;
6146 }
6147 
6148 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6149 {
6150 	struct ipc_security_struct *isec;
6151 	struct common_audit_data ad;
6152 	u32 sid = current_sid();
6153 
6154 	isec = selinux_ipc(shp);
6155 
6156 	ad.type = LSM_AUDIT_DATA_IPC;
6157 	ad.u.ipc_id = shp->key;
6158 
6159 	return avc_has_perm(&selinux_state,
6160 			    sid, isec->sid, SECCLASS_SHM,
6161 			    SHM__ASSOCIATE, &ad);
6162 }
6163 
6164 /* Note, at this point, shp is locked down */
6165 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6166 {
6167 	int perms;
6168 	int err;
6169 
6170 	switch (cmd) {
6171 	case IPC_INFO:
6172 	case SHM_INFO:
6173 		/* No specific object, just general system-wide information. */
6174 		return avc_has_perm(&selinux_state,
6175 				    current_sid(), SECINITSID_KERNEL,
6176 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6177 	case IPC_STAT:
6178 	case SHM_STAT:
6179 	case SHM_STAT_ANY:
6180 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6181 		break;
6182 	case IPC_SET:
6183 		perms = SHM__SETATTR;
6184 		break;
6185 	case SHM_LOCK:
6186 	case SHM_UNLOCK:
6187 		perms = SHM__LOCK;
6188 		break;
6189 	case IPC_RMID:
6190 		perms = SHM__DESTROY;
6191 		break;
6192 	default:
6193 		return 0;
6194 	}
6195 
6196 	err = ipc_has_perm(shp, perms);
6197 	return err;
6198 }
6199 
6200 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6201 			     char __user *shmaddr, int shmflg)
6202 {
6203 	u32 perms;
6204 
6205 	if (shmflg & SHM_RDONLY)
6206 		perms = SHM__READ;
6207 	else
6208 		perms = SHM__READ | SHM__WRITE;
6209 
6210 	return ipc_has_perm(shp, perms);
6211 }
6212 
6213 /* Semaphore security operations */
6214 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6215 {
6216 	struct ipc_security_struct *isec;
6217 	struct common_audit_data ad;
6218 	u32 sid = current_sid();
6219 	int rc;
6220 
6221 	isec = selinux_ipc(sma);
6222 	ipc_init_security(isec, SECCLASS_SEM);
6223 
6224 	ad.type = LSM_AUDIT_DATA_IPC;
6225 	ad.u.ipc_id = sma->key;
6226 
6227 	rc = avc_has_perm(&selinux_state,
6228 			  sid, isec->sid, SECCLASS_SEM,
6229 			  SEM__CREATE, &ad);
6230 	return rc;
6231 }
6232 
6233 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6234 {
6235 	struct ipc_security_struct *isec;
6236 	struct common_audit_data ad;
6237 	u32 sid = current_sid();
6238 
6239 	isec = selinux_ipc(sma);
6240 
6241 	ad.type = LSM_AUDIT_DATA_IPC;
6242 	ad.u.ipc_id = sma->key;
6243 
6244 	return avc_has_perm(&selinux_state,
6245 			    sid, isec->sid, SECCLASS_SEM,
6246 			    SEM__ASSOCIATE, &ad);
6247 }
6248 
6249 /* Note, at this point, sma is locked down */
6250 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6251 {
6252 	int err;
6253 	u32 perms;
6254 
6255 	switch (cmd) {
6256 	case IPC_INFO:
6257 	case SEM_INFO:
6258 		/* No specific object, just general system-wide information. */
6259 		return avc_has_perm(&selinux_state,
6260 				    current_sid(), SECINITSID_KERNEL,
6261 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6262 	case GETPID:
6263 	case GETNCNT:
6264 	case GETZCNT:
6265 		perms = SEM__GETATTR;
6266 		break;
6267 	case GETVAL:
6268 	case GETALL:
6269 		perms = SEM__READ;
6270 		break;
6271 	case SETVAL:
6272 	case SETALL:
6273 		perms = SEM__WRITE;
6274 		break;
6275 	case IPC_RMID:
6276 		perms = SEM__DESTROY;
6277 		break;
6278 	case IPC_SET:
6279 		perms = SEM__SETATTR;
6280 		break;
6281 	case IPC_STAT:
6282 	case SEM_STAT:
6283 	case SEM_STAT_ANY:
6284 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6285 		break;
6286 	default:
6287 		return 0;
6288 	}
6289 
6290 	err = ipc_has_perm(sma, perms);
6291 	return err;
6292 }
6293 
6294 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6295 			     struct sembuf *sops, unsigned nsops, int alter)
6296 {
6297 	u32 perms;
6298 
6299 	if (alter)
6300 		perms = SEM__READ | SEM__WRITE;
6301 	else
6302 		perms = SEM__READ;
6303 
6304 	return ipc_has_perm(sma, perms);
6305 }
6306 
6307 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6308 {
6309 	u32 av = 0;
6310 
6311 	av = 0;
6312 	if (flag & S_IRUGO)
6313 		av |= IPC__UNIX_READ;
6314 	if (flag & S_IWUGO)
6315 		av |= IPC__UNIX_WRITE;
6316 
6317 	if (av == 0)
6318 		return 0;
6319 
6320 	return ipc_has_perm(ipcp, av);
6321 }
6322 
6323 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6324 {
6325 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6326 	*secid = isec->sid;
6327 }
6328 
6329 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6330 {
6331 	if (inode)
6332 		inode_doinit_with_dentry(inode, dentry);
6333 }
6334 
6335 static int selinux_getprocattr(struct task_struct *p,
6336 			       char *name, char **value)
6337 {
6338 	const struct task_security_struct *__tsec;
6339 	u32 sid;
6340 	int error;
6341 	unsigned len;
6342 
6343 	rcu_read_lock();
6344 	__tsec = selinux_cred(__task_cred(p));
6345 
6346 	if (current != p) {
6347 		error = avc_has_perm(&selinux_state,
6348 				     current_sid(), __tsec->sid,
6349 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6350 		if (error)
6351 			goto bad;
6352 	}
6353 
6354 	if (!strcmp(name, "current"))
6355 		sid = __tsec->sid;
6356 	else if (!strcmp(name, "prev"))
6357 		sid = __tsec->osid;
6358 	else if (!strcmp(name, "exec"))
6359 		sid = __tsec->exec_sid;
6360 	else if (!strcmp(name, "fscreate"))
6361 		sid = __tsec->create_sid;
6362 	else if (!strcmp(name, "keycreate"))
6363 		sid = __tsec->keycreate_sid;
6364 	else if (!strcmp(name, "sockcreate"))
6365 		sid = __tsec->sockcreate_sid;
6366 	else {
6367 		error = -EINVAL;
6368 		goto bad;
6369 	}
6370 	rcu_read_unlock();
6371 
6372 	if (!sid)
6373 		return 0;
6374 
6375 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6376 	if (error)
6377 		return error;
6378 	return len;
6379 
6380 bad:
6381 	rcu_read_unlock();
6382 	return error;
6383 }
6384 
6385 static int selinux_setprocattr(const char *name, void *value, size_t size)
6386 {
6387 	struct task_security_struct *tsec;
6388 	struct cred *new;
6389 	u32 mysid = current_sid(), sid = 0, ptsid;
6390 	int error;
6391 	char *str = value;
6392 
6393 	/*
6394 	 * Basic control over ability to set these attributes at all.
6395 	 */
6396 	if (!strcmp(name, "exec"))
6397 		error = avc_has_perm(&selinux_state,
6398 				     mysid, mysid, SECCLASS_PROCESS,
6399 				     PROCESS__SETEXEC, NULL);
6400 	else if (!strcmp(name, "fscreate"))
6401 		error = avc_has_perm(&selinux_state,
6402 				     mysid, mysid, SECCLASS_PROCESS,
6403 				     PROCESS__SETFSCREATE, NULL);
6404 	else if (!strcmp(name, "keycreate"))
6405 		error = avc_has_perm(&selinux_state,
6406 				     mysid, mysid, SECCLASS_PROCESS,
6407 				     PROCESS__SETKEYCREATE, NULL);
6408 	else if (!strcmp(name, "sockcreate"))
6409 		error = avc_has_perm(&selinux_state,
6410 				     mysid, mysid, SECCLASS_PROCESS,
6411 				     PROCESS__SETSOCKCREATE, NULL);
6412 	else if (!strcmp(name, "current"))
6413 		error = avc_has_perm(&selinux_state,
6414 				     mysid, mysid, SECCLASS_PROCESS,
6415 				     PROCESS__SETCURRENT, NULL);
6416 	else
6417 		error = -EINVAL;
6418 	if (error)
6419 		return error;
6420 
6421 	/* Obtain a SID for the context, if one was specified. */
6422 	if (size && str[0] && str[0] != '\n') {
6423 		if (str[size-1] == '\n') {
6424 			str[size-1] = 0;
6425 			size--;
6426 		}
6427 		error = security_context_to_sid(&selinux_state, value, size,
6428 						&sid, GFP_KERNEL);
6429 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6430 			if (!has_cap_mac_admin(true)) {
6431 				struct audit_buffer *ab;
6432 				size_t audit_size;
6433 
6434 				/* We strip a nul only if it is at the end, otherwise the
6435 				 * context contains a nul and we should audit that */
6436 				if (str[size - 1] == '\0')
6437 					audit_size = size - 1;
6438 				else
6439 					audit_size = size;
6440 				ab = audit_log_start(audit_context(),
6441 						     GFP_ATOMIC,
6442 						     AUDIT_SELINUX_ERR);
6443 				if (!ab)
6444 					return error;
6445 				audit_log_format(ab, "op=fscreate invalid_context=");
6446 				audit_log_n_untrustedstring(ab, value, audit_size);
6447 				audit_log_end(ab);
6448 
6449 				return error;
6450 			}
6451 			error = security_context_to_sid_force(
6452 						      &selinux_state,
6453 						      value, size, &sid);
6454 		}
6455 		if (error)
6456 			return error;
6457 	}
6458 
6459 	new = prepare_creds();
6460 	if (!new)
6461 		return -ENOMEM;
6462 
6463 	/* Permission checking based on the specified context is
6464 	   performed during the actual operation (execve,
6465 	   open/mkdir/...), when we know the full context of the
6466 	   operation.  See selinux_bprm_creds_for_exec for the execve
6467 	   checks and may_create for the file creation checks. The
6468 	   operation will then fail if the context is not permitted. */
6469 	tsec = selinux_cred(new);
6470 	if (!strcmp(name, "exec")) {
6471 		tsec->exec_sid = sid;
6472 	} else if (!strcmp(name, "fscreate")) {
6473 		tsec->create_sid = sid;
6474 	} else if (!strcmp(name, "keycreate")) {
6475 		if (sid) {
6476 			error = avc_has_perm(&selinux_state, mysid, sid,
6477 					     SECCLASS_KEY, KEY__CREATE, NULL);
6478 			if (error)
6479 				goto abort_change;
6480 		}
6481 		tsec->keycreate_sid = sid;
6482 	} else if (!strcmp(name, "sockcreate")) {
6483 		tsec->sockcreate_sid = sid;
6484 	} else if (!strcmp(name, "current")) {
6485 		error = -EINVAL;
6486 		if (sid == 0)
6487 			goto abort_change;
6488 
6489 		/* Only allow single threaded processes to change context */
6490 		error = -EPERM;
6491 		if (!current_is_single_threaded()) {
6492 			error = security_bounded_transition(&selinux_state,
6493 							    tsec->sid, sid);
6494 			if (error)
6495 				goto abort_change;
6496 		}
6497 
6498 		/* Check permissions for the transition. */
6499 		error = avc_has_perm(&selinux_state,
6500 				     tsec->sid, sid, SECCLASS_PROCESS,
6501 				     PROCESS__DYNTRANSITION, NULL);
6502 		if (error)
6503 			goto abort_change;
6504 
6505 		/* Check for ptracing, and update the task SID if ok.
6506 		   Otherwise, leave SID unchanged and fail. */
6507 		ptsid = ptrace_parent_sid();
6508 		if (ptsid != 0) {
6509 			error = avc_has_perm(&selinux_state,
6510 					     ptsid, sid, SECCLASS_PROCESS,
6511 					     PROCESS__PTRACE, NULL);
6512 			if (error)
6513 				goto abort_change;
6514 		}
6515 
6516 		tsec->sid = sid;
6517 	} else {
6518 		error = -EINVAL;
6519 		goto abort_change;
6520 	}
6521 
6522 	commit_creds(new);
6523 	return size;
6524 
6525 abort_change:
6526 	abort_creds(new);
6527 	return error;
6528 }
6529 
6530 static int selinux_ismaclabel(const char *name)
6531 {
6532 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6533 }
6534 
6535 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6536 {
6537 	return security_sid_to_context(&selinux_state, secid,
6538 				       secdata, seclen);
6539 }
6540 
6541 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6542 {
6543 	return security_context_to_sid(&selinux_state, secdata, seclen,
6544 				       secid, GFP_KERNEL);
6545 }
6546 
6547 static void selinux_release_secctx(char *secdata, u32 seclen)
6548 {
6549 	kfree(secdata);
6550 }
6551 
6552 static void selinux_inode_invalidate_secctx(struct inode *inode)
6553 {
6554 	struct inode_security_struct *isec = selinux_inode(inode);
6555 
6556 	spin_lock(&isec->lock);
6557 	isec->initialized = LABEL_INVALID;
6558 	spin_unlock(&isec->lock);
6559 }
6560 
6561 /*
6562  *	called with inode->i_mutex locked
6563  */
6564 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6565 {
6566 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6567 					   ctx, ctxlen, 0);
6568 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6569 	return rc == -EOPNOTSUPP ? 0 : rc;
6570 }
6571 
6572 /*
6573  *	called with inode->i_mutex locked
6574  */
6575 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6576 {
6577 	return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6578 				     ctx, ctxlen, 0);
6579 }
6580 
6581 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6582 {
6583 	int len = 0;
6584 	len = selinux_inode_getsecurity(&init_user_ns, inode,
6585 					XATTR_SELINUX_SUFFIX, ctx, true);
6586 	if (len < 0)
6587 		return len;
6588 	*ctxlen = len;
6589 	return 0;
6590 }
6591 #ifdef CONFIG_KEYS
6592 
6593 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6594 			     unsigned long flags)
6595 {
6596 	const struct task_security_struct *tsec;
6597 	struct key_security_struct *ksec;
6598 
6599 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6600 	if (!ksec)
6601 		return -ENOMEM;
6602 
6603 	tsec = selinux_cred(cred);
6604 	if (tsec->keycreate_sid)
6605 		ksec->sid = tsec->keycreate_sid;
6606 	else
6607 		ksec->sid = tsec->sid;
6608 
6609 	k->security = ksec;
6610 	return 0;
6611 }
6612 
6613 static void selinux_key_free(struct key *k)
6614 {
6615 	struct key_security_struct *ksec = k->security;
6616 
6617 	k->security = NULL;
6618 	kfree(ksec);
6619 }
6620 
6621 static int selinux_key_permission(key_ref_t key_ref,
6622 				  const struct cred *cred,
6623 				  enum key_need_perm need_perm)
6624 {
6625 	struct key *key;
6626 	struct key_security_struct *ksec;
6627 	u32 perm, sid;
6628 
6629 	switch (need_perm) {
6630 	case KEY_NEED_VIEW:
6631 		perm = KEY__VIEW;
6632 		break;
6633 	case KEY_NEED_READ:
6634 		perm = KEY__READ;
6635 		break;
6636 	case KEY_NEED_WRITE:
6637 		perm = KEY__WRITE;
6638 		break;
6639 	case KEY_NEED_SEARCH:
6640 		perm = KEY__SEARCH;
6641 		break;
6642 	case KEY_NEED_LINK:
6643 		perm = KEY__LINK;
6644 		break;
6645 	case KEY_NEED_SETATTR:
6646 		perm = KEY__SETATTR;
6647 		break;
6648 	case KEY_NEED_UNLINK:
6649 	case KEY_SYSADMIN_OVERRIDE:
6650 	case KEY_AUTHTOKEN_OVERRIDE:
6651 	case KEY_DEFER_PERM_CHECK:
6652 		return 0;
6653 	default:
6654 		WARN_ON(1);
6655 		return -EPERM;
6656 
6657 	}
6658 
6659 	sid = cred_sid(cred);
6660 	key = key_ref_to_ptr(key_ref);
6661 	ksec = key->security;
6662 
6663 	return avc_has_perm(&selinux_state,
6664 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6665 }
6666 
6667 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6668 {
6669 	struct key_security_struct *ksec = key->security;
6670 	char *context = NULL;
6671 	unsigned len;
6672 	int rc;
6673 
6674 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6675 				     &context, &len);
6676 	if (!rc)
6677 		rc = len;
6678 	*_buffer = context;
6679 	return rc;
6680 }
6681 
6682 #ifdef CONFIG_KEY_NOTIFICATIONS
6683 static int selinux_watch_key(struct key *key)
6684 {
6685 	struct key_security_struct *ksec = key->security;
6686 	u32 sid = current_sid();
6687 
6688 	return avc_has_perm(&selinux_state,
6689 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6690 }
6691 #endif
6692 #endif
6693 
6694 #ifdef CONFIG_SECURITY_INFINIBAND
6695 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6696 {
6697 	struct common_audit_data ad;
6698 	int err;
6699 	u32 sid = 0;
6700 	struct ib_security_struct *sec = ib_sec;
6701 	struct lsm_ibpkey_audit ibpkey;
6702 
6703 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6704 	if (err)
6705 		return err;
6706 
6707 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6708 	ibpkey.subnet_prefix = subnet_prefix;
6709 	ibpkey.pkey = pkey_val;
6710 	ad.u.ibpkey = &ibpkey;
6711 	return avc_has_perm(&selinux_state,
6712 			    sec->sid, sid,
6713 			    SECCLASS_INFINIBAND_PKEY,
6714 			    INFINIBAND_PKEY__ACCESS, &ad);
6715 }
6716 
6717 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6718 					    u8 port_num)
6719 {
6720 	struct common_audit_data ad;
6721 	int err;
6722 	u32 sid = 0;
6723 	struct ib_security_struct *sec = ib_sec;
6724 	struct lsm_ibendport_audit ibendport;
6725 
6726 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6727 				      &sid);
6728 
6729 	if (err)
6730 		return err;
6731 
6732 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6733 	ibendport.dev_name = dev_name;
6734 	ibendport.port = port_num;
6735 	ad.u.ibendport = &ibendport;
6736 	return avc_has_perm(&selinux_state,
6737 			    sec->sid, sid,
6738 			    SECCLASS_INFINIBAND_ENDPORT,
6739 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6740 }
6741 
6742 static int selinux_ib_alloc_security(void **ib_sec)
6743 {
6744 	struct ib_security_struct *sec;
6745 
6746 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6747 	if (!sec)
6748 		return -ENOMEM;
6749 	sec->sid = current_sid();
6750 
6751 	*ib_sec = sec;
6752 	return 0;
6753 }
6754 
6755 static void selinux_ib_free_security(void *ib_sec)
6756 {
6757 	kfree(ib_sec);
6758 }
6759 #endif
6760 
6761 #ifdef CONFIG_BPF_SYSCALL
6762 static int selinux_bpf(int cmd, union bpf_attr *attr,
6763 				     unsigned int size)
6764 {
6765 	u32 sid = current_sid();
6766 	int ret;
6767 
6768 	switch (cmd) {
6769 	case BPF_MAP_CREATE:
6770 		ret = avc_has_perm(&selinux_state,
6771 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6772 				   NULL);
6773 		break;
6774 	case BPF_PROG_LOAD:
6775 		ret = avc_has_perm(&selinux_state,
6776 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6777 				   NULL);
6778 		break;
6779 	default:
6780 		ret = 0;
6781 		break;
6782 	}
6783 
6784 	return ret;
6785 }
6786 
6787 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6788 {
6789 	u32 av = 0;
6790 
6791 	if (fmode & FMODE_READ)
6792 		av |= BPF__MAP_READ;
6793 	if (fmode & FMODE_WRITE)
6794 		av |= BPF__MAP_WRITE;
6795 	return av;
6796 }
6797 
6798 /* This function will check the file pass through unix socket or binder to see
6799  * if it is a bpf related object. And apply correspinding checks on the bpf
6800  * object based on the type. The bpf maps and programs, not like other files and
6801  * socket, are using a shared anonymous inode inside the kernel as their inode.
6802  * So checking that inode cannot identify if the process have privilege to
6803  * access the bpf object and that's why we have to add this additional check in
6804  * selinux_file_receive and selinux_binder_transfer_files.
6805  */
6806 static int bpf_fd_pass(struct file *file, u32 sid)
6807 {
6808 	struct bpf_security_struct *bpfsec;
6809 	struct bpf_prog *prog;
6810 	struct bpf_map *map;
6811 	int ret;
6812 
6813 	if (file->f_op == &bpf_map_fops) {
6814 		map = file->private_data;
6815 		bpfsec = map->security;
6816 		ret = avc_has_perm(&selinux_state,
6817 				   sid, bpfsec->sid, SECCLASS_BPF,
6818 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6819 		if (ret)
6820 			return ret;
6821 	} else if (file->f_op == &bpf_prog_fops) {
6822 		prog = file->private_data;
6823 		bpfsec = prog->aux->security;
6824 		ret = avc_has_perm(&selinux_state,
6825 				   sid, bpfsec->sid, SECCLASS_BPF,
6826 				   BPF__PROG_RUN, NULL);
6827 		if (ret)
6828 			return ret;
6829 	}
6830 	return 0;
6831 }
6832 
6833 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6834 {
6835 	u32 sid = current_sid();
6836 	struct bpf_security_struct *bpfsec;
6837 
6838 	bpfsec = map->security;
6839 	return avc_has_perm(&selinux_state,
6840 			    sid, bpfsec->sid, SECCLASS_BPF,
6841 			    bpf_map_fmode_to_av(fmode), NULL);
6842 }
6843 
6844 static int selinux_bpf_prog(struct bpf_prog *prog)
6845 {
6846 	u32 sid = current_sid();
6847 	struct bpf_security_struct *bpfsec;
6848 
6849 	bpfsec = prog->aux->security;
6850 	return avc_has_perm(&selinux_state,
6851 			    sid, bpfsec->sid, SECCLASS_BPF,
6852 			    BPF__PROG_RUN, NULL);
6853 }
6854 
6855 static int selinux_bpf_map_alloc(struct bpf_map *map)
6856 {
6857 	struct bpf_security_struct *bpfsec;
6858 
6859 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6860 	if (!bpfsec)
6861 		return -ENOMEM;
6862 
6863 	bpfsec->sid = current_sid();
6864 	map->security = bpfsec;
6865 
6866 	return 0;
6867 }
6868 
6869 static void selinux_bpf_map_free(struct bpf_map *map)
6870 {
6871 	struct bpf_security_struct *bpfsec = map->security;
6872 
6873 	map->security = NULL;
6874 	kfree(bpfsec);
6875 }
6876 
6877 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6878 {
6879 	struct bpf_security_struct *bpfsec;
6880 
6881 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6882 	if (!bpfsec)
6883 		return -ENOMEM;
6884 
6885 	bpfsec->sid = current_sid();
6886 	aux->security = bpfsec;
6887 
6888 	return 0;
6889 }
6890 
6891 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6892 {
6893 	struct bpf_security_struct *bpfsec = aux->security;
6894 
6895 	aux->security = NULL;
6896 	kfree(bpfsec);
6897 }
6898 #endif
6899 
6900 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6901 	.lbs_cred = sizeof(struct task_security_struct),
6902 	.lbs_file = sizeof(struct file_security_struct),
6903 	.lbs_inode = sizeof(struct inode_security_struct),
6904 	.lbs_ipc = sizeof(struct ipc_security_struct),
6905 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6906 	.lbs_superblock = sizeof(struct superblock_security_struct),
6907 };
6908 
6909 #ifdef CONFIG_PERF_EVENTS
6910 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6911 {
6912 	u32 requested, sid = current_sid();
6913 
6914 	if (type == PERF_SECURITY_OPEN)
6915 		requested = PERF_EVENT__OPEN;
6916 	else if (type == PERF_SECURITY_CPU)
6917 		requested = PERF_EVENT__CPU;
6918 	else if (type == PERF_SECURITY_KERNEL)
6919 		requested = PERF_EVENT__KERNEL;
6920 	else if (type == PERF_SECURITY_TRACEPOINT)
6921 		requested = PERF_EVENT__TRACEPOINT;
6922 	else
6923 		return -EINVAL;
6924 
6925 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6926 			    requested, NULL);
6927 }
6928 
6929 static int selinux_perf_event_alloc(struct perf_event *event)
6930 {
6931 	struct perf_event_security_struct *perfsec;
6932 
6933 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6934 	if (!perfsec)
6935 		return -ENOMEM;
6936 
6937 	perfsec->sid = current_sid();
6938 	event->security = perfsec;
6939 
6940 	return 0;
6941 }
6942 
6943 static void selinux_perf_event_free(struct perf_event *event)
6944 {
6945 	struct perf_event_security_struct *perfsec = event->security;
6946 
6947 	event->security = NULL;
6948 	kfree(perfsec);
6949 }
6950 
6951 static int selinux_perf_event_read(struct perf_event *event)
6952 {
6953 	struct perf_event_security_struct *perfsec = event->security;
6954 	u32 sid = current_sid();
6955 
6956 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6957 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6958 }
6959 
6960 static int selinux_perf_event_write(struct perf_event *event)
6961 {
6962 	struct perf_event_security_struct *perfsec = event->security;
6963 	u32 sid = current_sid();
6964 
6965 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6966 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6967 }
6968 #endif
6969 
6970 #ifdef CONFIG_IO_URING
6971 /**
6972  * selinux_uring_override_creds - check the requested cred override
6973  * @new: the target creds
6974  *
6975  * Check to see if the current task is allowed to override it's credentials
6976  * to service an io_uring operation.
6977  */
6978 static int selinux_uring_override_creds(const struct cred *new)
6979 {
6980 	return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
6981 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6982 }
6983 
6984 /**
6985  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6986  *
6987  * Check to see if the current task is allowed to create a new io_uring
6988  * kernel polling thread.
6989  */
6990 static int selinux_uring_sqpoll(void)
6991 {
6992 	int sid = current_sid();
6993 
6994 	return avc_has_perm(&selinux_state, sid, sid,
6995 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6996 }
6997 #endif /* CONFIG_IO_URING */
6998 
6999 /*
7000  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7001  * 1. any hooks that don't belong to (2.) or (3.) below,
7002  * 2. hooks that both access structures allocated by other hooks, and allocate
7003  *    structures that can be later accessed by other hooks (mostly "cloning"
7004  *    hooks),
7005  * 3. hooks that only allocate structures that can be later accessed by other
7006  *    hooks ("allocating" hooks).
7007  *
7008  * Please follow block comment delimiters in the list to keep this order.
7009  *
7010  * This ordering is needed for SELinux runtime disable to work at least somewhat
7011  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7012  * when disabling SELinux at runtime.
7013  */
7014 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7015 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7016 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7017 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7018 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7019 
7020 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7021 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7022 	LSM_HOOK_INIT(capget, selinux_capget),
7023 	LSM_HOOK_INIT(capset, selinux_capset),
7024 	LSM_HOOK_INIT(capable, selinux_capable),
7025 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7026 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7027 	LSM_HOOK_INIT(syslog, selinux_syslog),
7028 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7029 
7030 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7031 
7032 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7033 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7034 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7035 
7036 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7037 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7038 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7039 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7040 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7041 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7042 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7043 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7044 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7045 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7046 
7047 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7048 
7049 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7050 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7051 
7052 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7053 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7054 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7055 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7056 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7057 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7058 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7059 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7060 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7061 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7062 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7063 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7064 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7065 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7066 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7067 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7068 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7069 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7070 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7071 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7072 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7073 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7074 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7075 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7076 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7077 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7078 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7079 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7080 
7081 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7082 
7083 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7084 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7085 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7086 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7087 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7088 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7089 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7090 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7091 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7092 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7093 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7094 
7095 	LSM_HOOK_INIT(file_open, selinux_file_open),
7096 
7097 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7098 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7099 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7100 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7101 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7102 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7103 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7104 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7105 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7106 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7107 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7108 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7109 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7110 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7111 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7112 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7113 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7114 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7115 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7116 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7117 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7118 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7119 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7120 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7121 
7122 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7123 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7124 
7125 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7126 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7127 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7128 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7129 
7130 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7131 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7132 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7133 
7134 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7135 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7136 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7137 
7138 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7139 
7140 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7141 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7142 
7143 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7144 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7145 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7146 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7147 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7148 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7149 
7150 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7151 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7152 
7153 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7154 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7155 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7156 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7157 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7158 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7159 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7160 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7161 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7162 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7163 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7164 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7165 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7166 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7167 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7168 	LSM_HOOK_INIT(socket_getpeersec_stream,
7169 			selinux_socket_getpeersec_stream),
7170 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7171 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7172 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7173 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7174 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7175 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7176 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7177 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7178 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7179 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7180 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7181 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7182 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7183 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7184 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7185 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7186 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7187 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7188 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7189 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7190 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7191 #ifdef CONFIG_SECURITY_INFINIBAND
7192 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7193 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7194 		      selinux_ib_endport_manage_subnet),
7195 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7196 #endif
7197 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7198 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7199 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7200 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7201 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7202 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7203 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7204 			selinux_xfrm_state_pol_flow_match),
7205 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7206 #endif
7207 
7208 #ifdef CONFIG_KEYS
7209 	LSM_HOOK_INIT(key_free, selinux_key_free),
7210 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7211 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7212 #ifdef CONFIG_KEY_NOTIFICATIONS
7213 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7214 #endif
7215 #endif
7216 
7217 #ifdef CONFIG_AUDIT
7218 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7219 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7220 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7221 #endif
7222 
7223 #ifdef CONFIG_BPF_SYSCALL
7224 	LSM_HOOK_INIT(bpf, selinux_bpf),
7225 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7226 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7227 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7228 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7229 #endif
7230 
7231 #ifdef CONFIG_PERF_EVENTS
7232 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7233 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7234 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7235 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7236 #endif
7237 
7238 #ifdef CONFIG_IO_URING
7239 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7240 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7241 #endif
7242 
7243 	/*
7244 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7245 	 */
7246 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7247 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7248 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7249 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7250 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7251 #endif
7252 
7253 	/*
7254 	 * PUT "ALLOCATING" HOOKS HERE
7255 	 */
7256 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7257 	LSM_HOOK_INIT(msg_queue_alloc_security,
7258 		      selinux_msg_queue_alloc_security),
7259 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7260 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7261 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7262 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7263 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7264 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7265 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7266 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7267 #ifdef CONFIG_SECURITY_INFINIBAND
7268 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7269 #endif
7270 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7271 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7272 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7273 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7274 		      selinux_xfrm_state_alloc_acquire),
7275 #endif
7276 #ifdef CONFIG_KEYS
7277 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7278 #endif
7279 #ifdef CONFIG_AUDIT
7280 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7281 #endif
7282 #ifdef CONFIG_BPF_SYSCALL
7283 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7284 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7285 #endif
7286 #ifdef CONFIG_PERF_EVENTS
7287 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7288 #endif
7289 };
7290 
7291 static __init int selinux_init(void)
7292 {
7293 	pr_info("SELinux:  Initializing.\n");
7294 
7295 	memset(&selinux_state, 0, sizeof(selinux_state));
7296 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7297 	checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7298 	selinux_avc_init(&selinux_state.avc);
7299 	mutex_init(&selinux_state.status_lock);
7300 	mutex_init(&selinux_state.policy_mutex);
7301 
7302 	/* Set the security state for the initial task. */
7303 	cred_init_security();
7304 
7305 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7306 
7307 	avc_init();
7308 
7309 	avtab_cache_init();
7310 
7311 	ebitmap_cache_init();
7312 
7313 	hashtab_cache_init();
7314 
7315 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7316 
7317 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7318 		panic("SELinux: Unable to register AVC netcache callback\n");
7319 
7320 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7321 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7322 
7323 	if (selinux_enforcing_boot)
7324 		pr_debug("SELinux:  Starting in enforcing mode\n");
7325 	else
7326 		pr_debug("SELinux:  Starting in permissive mode\n");
7327 
7328 	fs_validate_description("selinux", selinux_fs_parameters);
7329 
7330 	return 0;
7331 }
7332 
7333 static void delayed_superblock_init(struct super_block *sb, void *unused)
7334 {
7335 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7336 }
7337 
7338 void selinux_complete_init(void)
7339 {
7340 	pr_debug("SELinux:  Completing initialization.\n");
7341 
7342 	/* Set up any superblocks initialized prior to the policy load. */
7343 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7344 	iterate_supers(delayed_superblock_init, NULL);
7345 }
7346 
7347 /* SELinux requires early initialization in order to label
7348    all processes and objects when they are created. */
7349 DEFINE_LSM(selinux) = {
7350 	.name = "selinux",
7351 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7352 	.enabled = &selinux_enabled_boot,
7353 	.blobs = &selinux_blob_sizes,
7354 	.init = selinux_init,
7355 };
7356 
7357 #if defined(CONFIG_NETFILTER)
7358 
7359 static const struct nf_hook_ops selinux_nf_ops[] = {
7360 	{
7361 		.hook =		selinux_ip_postroute,
7362 		.pf =		NFPROTO_IPV4,
7363 		.hooknum =	NF_INET_POST_ROUTING,
7364 		.priority =	NF_IP_PRI_SELINUX_LAST,
7365 	},
7366 	{
7367 		.hook =		selinux_ip_forward,
7368 		.pf =		NFPROTO_IPV4,
7369 		.hooknum =	NF_INET_FORWARD,
7370 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7371 	},
7372 	{
7373 		.hook =		selinux_ip_output,
7374 		.pf =		NFPROTO_IPV4,
7375 		.hooknum =	NF_INET_LOCAL_OUT,
7376 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7377 	},
7378 #if IS_ENABLED(CONFIG_IPV6)
7379 	{
7380 		.hook =		selinux_ip_postroute,
7381 		.pf =		NFPROTO_IPV6,
7382 		.hooknum =	NF_INET_POST_ROUTING,
7383 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7384 	},
7385 	{
7386 		.hook =		selinux_ip_forward,
7387 		.pf =		NFPROTO_IPV6,
7388 		.hooknum =	NF_INET_FORWARD,
7389 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7390 	},
7391 	{
7392 		.hook =		selinux_ip_output,
7393 		.pf =		NFPROTO_IPV6,
7394 		.hooknum =	NF_INET_LOCAL_OUT,
7395 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7396 	},
7397 #endif	/* IPV6 */
7398 };
7399 
7400 static int __net_init selinux_nf_register(struct net *net)
7401 {
7402 	return nf_register_net_hooks(net, selinux_nf_ops,
7403 				     ARRAY_SIZE(selinux_nf_ops));
7404 }
7405 
7406 static void __net_exit selinux_nf_unregister(struct net *net)
7407 {
7408 	nf_unregister_net_hooks(net, selinux_nf_ops,
7409 				ARRAY_SIZE(selinux_nf_ops));
7410 }
7411 
7412 static struct pernet_operations selinux_net_ops = {
7413 	.init = selinux_nf_register,
7414 	.exit = selinux_nf_unregister,
7415 };
7416 
7417 static int __init selinux_nf_ip_init(void)
7418 {
7419 	int err;
7420 
7421 	if (!selinux_enabled_boot)
7422 		return 0;
7423 
7424 	pr_debug("SELinux:  Registering netfilter hooks\n");
7425 
7426 	err = register_pernet_subsys(&selinux_net_ops);
7427 	if (err)
7428 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7429 
7430 	return 0;
7431 }
7432 __initcall(selinux_nf_ip_init);
7433 
7434 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7435 static void selinux_nf_ip_exit(void)
7436 {
7437 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7438 
7439 	unregister_pernet_subsys(&selinux_net_ops);
7440 }
7441 #endif
7442 
7443 #else /* CONFIG_NETFILTER */
7444 
7445 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7446 #define selinux_nf_ip_exit()
7447 #endif
7448 
7449 #endif /* CONFIG_NETFILTER */
7450 
7451 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7452 int selinux_disable(struct selinux_state *state)
7453 {
7454 	if (selinux_initialized(state)) {
7455 		/* Not permitted after initial policy load. */
7456 		return -EINVAL;
7457 	}
7458 
7459 	if (selinux_disabled(state)) {
7460 		/* Only do this once. */
7461 		return -EINVAL;
7462 	}
7463 
7464 	selinux_mark_disabled(state);
7465 
7466 	pr_info("SELinux:  Disabled at runtime.\n");
7467 
7468 	/*
7469 	 * Unregister netfilter hooks.
7470 	 * Must be done before security_delete_hooks() to avoid breaking
7471 	 * runtime disable.
7472 	 */
7473 	selinux_nf_ip_exit();
7474 
7475 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7476 
7477 	/* Try to destroy the avc node cache */
7478 	avc_disable();
7479 
7480 	/* Unregister selinuxfs. */
7481 	exit_sel_fs();
7482 
7483 	return 0;
7484 }
7485 #endif
7486