xref: /linux/security/selinux/hooks.c (revision 52a9dab6d892763b2a8334a568bd4e2c1a6fde66)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h>	/* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114 
115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled_boot = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static unsigned int selinux_checkreqprot_boot =
140 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 
142 static int __init checkreqprot_setup(char *str)
143 {
144 	unsigned long checkreqprot;
145 
146 	if (!kstrtoul(str, 0, &checkreqprot)) {
147 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 		if (checkreqprot)
149 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
150 	}
151 	return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154 
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
166 static int selinux_secmark_enabled(void)
167 {
168 	return (selinux_policycap_alwaysnetwork() ||
169 		atomic_read(&selinux_secmark_refcount));
170 }
171 
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
182 static int selinux_peerlbl_enabled(void)
183 {
184 	return (selinux_policycap_alwaysnetwork() ||
185 		netlbl_enabled() || selinux_xfrm_enabled());
186 }
187 
188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 	if (event == AVC_CALLBACK_RESET) {
191 		sel_netif_flush();
192 		sel_netnode_flush();
193 		sel_netport_flush();
194 		synchronize_net();
195 	}
196 	return 0;
197 }
198 
199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 	if (event == AVC_CALLBACK_RESET) {
202 		sel_ib_pkey_flush();
203 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 	}
205 
206 	return 0;
207 }
208 
209 /*
210  * initialise the security for the init task
211  */
212 static void cred_init_security(void)
213 {
214 	struct cred *cred = (struct cred *) current->real_cred;
215 	struct task_security_struct *tsec;
216 
217 	tsec = selinux_cred(cred);
218 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
219 }
220 
221 /*
222  * get the security ID of a set of credentials
223  */
224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 	const struct task_security_struct *tsec;
227 
228 	tsec = selinux_cred(cred);
229 	return tsec->sid;
230 }
231 
232 /*
233  * get the objective security ID of a task
234  */
235 static inline u32 task_sid_obj(const struct task_struct *task)
236 {
237 	u32 sid;
238 
239 	rcu_read_lock();
240 	sid = cred_sid(__task_cred(task));
241 	rcu_read_unlock();
242 	return sid;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns -ECHILD when the label is
251  * invalid.  The @dentry parameter should be set to a dentry of the inode.
252  */
253 static int __inode_security_revalidate(struct inode *inode,
254 				       struct dentry *dentry,
255 				       bool may_sleep)
256 {
257 	struct inode_security_struct *isec = selinux_inode(inode);
258 
259 	might_sleep_if(may_sleep);
260 
261 	if (selinux_initialized(&selinux_state) &&
262 	    isec->initialized != LABEL_INITIALIZED) {
263 		if (!may_sleep)
264 			return -ECHILD;
265 
266 		/*
267 		 * Try reloading the inode security label.  This will fail if
268 		 * @opt_dentry is NULL and no dentry for this inode can be
269 		 * found; in that case, continue using the old label.
270 		 */
271 		inode_doinit_with_dentry(inode, dentry);
272 	}
273 	return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 	return selinux_inode(inode);
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 	int error;
284 
285 	error = __inode_security_revalidate(inode, NULL, !rcu);
286 	if (error)
287 		return ERR_PTR(error);
288 	return selinux_inode(inode);
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 	__inode_security_revalidate(inode, NULL, true);
297 	return selinux_inode(inode);
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 	struct inode *inode = d_backing_inode(dentry);
303 
304 	return selinux_inode(inode);
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 	struct inode *inode = d_backing_inode(dentry);
313 
314 	__inode_security_revalidate(inode, dentry, true);
315 	return selinux_inode(inode);
316 }
317 
318 static void inode_free_security(struct inode *inode)
319 {
320 	struct inode_security_struct *isec = selinux_inode(inode);
321 	struct superblock_security_struct *sbsec;
322 
323 	if (!isec)
324 		return;
325 	sbsec = selinux_superblock(inode->i_sb);
326 	/*
327 	 * As not all inode security structures are in a list, we check for
328 	 * empty list outside of the lock to make sure that we won't waste
329 	 * time taking a lock doing nothing.
330 	 *
331 	 * The list_del_init() function can be safely called more than once.
332 	 * It should not be possible for this function to be called with
333 	 * concurrent list_add(), but for better safety against future changes
334 	 * in the code, we use list_empty_careful() here.
335 	 */
336 	if (!list_empty_careful(&isec->list)) {
337 		spin_lock(&sbsec->isec_lock);
338 		list_del_init(&isec->list);
339 		spin_unlock(&sbsec->isec_lock);
340 	}
341 }
342 
343 struct selinux_mnt_opts {
344 	const char *fscontext, *context, *rootcontext, *defcontext;
345 };
346 
347 static void selinux_free_mnt_opts(void *mnt_opts)
348 {
349 	struct selinux_mnt_opts *opts = mnt_opts;
350 	kfree(opts->fscontext);
351 	kfree(opts->context);
352 	kfree(opts->rootcontext);
353 	kfree(opts->defcontext);
354 	kfree(opts);
355 }
356 
357 enum {
358 	Opt_error = -1,
359 	Opt_context = 0,
360 	Opt_defcontext = 1,
361 	Opt_fscontext = 2,
362 	Opt_rootcontext = 3,
363 	Opt_seclabel = 4,
364 };
365 
366 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
367 static struct {
368 	const char *name;
369 	int len;
370 	int opt;
371 	bool has_arg;
372 } tokens[] = {
373 	A(context, true),
374 	A(fscontext, true),
375 	A(defcontext, true),
376 	A(rootcontext, true),
377 	A(seclabel, false),
378 };
379 #undef A
380 
381 static int match_opt_prefix(char *s, int l, char **arg)
382 {
383 	int i;
384 
385 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
386 		size_t len = tokens[i].len;
387 		if (len > l || memcmp(s, tokens[i].name, len))
388 			continue;
389 		if (tokens[i].has_arg) {
390 			if (len == l || s[len] != '=')
391 				continue;
392 			*arg = s + len + 1;
393 		} else if (len != l)
394 			continue;
395 		return tokens[i].opt;
396 	}
397 	return Opt_error;
398 }
399 
400 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
401 
402 static int may_context_mount_sb_relabel(u32 sid,
403 			struct superblock_security_struct *sbsec,
404 			const struct cred *cred)
405 {
406 	const struct task_security_struct *tsec = selinux_cred(cred);
407 	int rc;
408 
409 	rc = avc_has_perm(&selinux_state,
410 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
411 			  FILESYSTEM__RELABELFROM, NULL);
412 	if (rc)
413 		return rc;
414 
415 	rc = avc_has_perm(&selinux_state,
416 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
417 			  FILESYSTEM__RELABELTO, NULL);
418 	return rc;
419 }
420 
421 static int may_context_mount_inode_relabel(u32 sid,
422 			struct superblock_security_struct *sbsec,
423 			const struct cred *cred)
424 {
425 	const struct task_security_struct *tsec = selinux_cred(cred);
426 	int rc;
427 	rc = avc_has_perm(&selinux_state,
428 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
429 			  FILESYSTEM__RELABELFROM, NULL);
430 	if (rc)
431 		return rc;
432 
433 	rc = avc_has_perm(&selinux_state,
434 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__ASSOCIATE, NULL);
436 	return rc;
437 }
438 
439 static int selinux_is_genfs_special_handling(struct super_block *sb)
440 {
441 	/* Special handling. Genfs but also in-core setxattr handler */
442 	return	!strcmp(sb->s_type->name, "sysfs") ||
443 		!strcmp(sb->s_type->name, "pstore") ||
444 		!strcmp(sb->s_type->name, "debugfs") ||
445 		!strcmp(sb->s_type->name, "tracefs") ||
446 		!strcmp(sb->s_type->name, "rootfs") ||
447 		(selinux_policycap_cgroupseclabel() &&
448 		 (!strcmp(sb->s_type->name, "cgroup") ||
449 		  !strcmp(sb->s_type->name, "cgroup2")));
450 }
451 
452 static int selinux_is_sblabel_mnt(struct super_block *sb)
453 {
454 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
455 
456 	/*
457 	 * IMPORTANT: Double-check logic in this function when adding a new
458 	 * SECURITY_FS_USE_* definition!
459 	 */
460 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
461 
462 	switch (sbsec->behavior) {
463 	case SECURITY_FS_USE_XATTR:
464 	case SECURITY_FS_USE_TRANS:
465 	case SECURITY_FS_USE_TASK:
466 	case SECURITY_FS_USE_NATIVE:
467 		return 1;
468 
469 	case SECURITY_FS_USE_GENFS:
470 		return selinux_is_genfs_special_handling(sb);
471 
472 	/* Never allow relabeling on context mounts */
473 	case SECURITY_FS_USE_MNTPOINT:
474 	case SECURITY_FS_USE_NONE:
475 	default:
476 		return 0;
477 	}
478 }
479 
480 static int sb_check_xattr_support(struct super_block *sb)
481 {
482 	struct superblock_security_struct *sbsec = sb->s_security;
483 	struct dentry *root = sb->s_root;
484 	struct inode *root_inode = d_backing_inode(root);
485 	u32 sid;
486 	int rc;
487 
488 	/*
489 	 * Make sure that the xattr handler exists and that no
490 	 * error other than -ENODATA is returned by getxattr on
491 	 * the root directory.  -ENODATA is ok, as this may be
492 	 * the first boot of the SELinux kernel before we have
493 	 * assigned xattr values to the filesystem.
494 	 */
495 	if (!(root_inode->i_opflags & IOP_XATTR)) {
496 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
497 			sb->s_id, sb->s_type->name);
498 		goto fallback;
499 	}
500 
501 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
502 	if (rc < 0 && rc != -ENODATA) {
503 		if (rc == -EOPNOTSUPP) {
504 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
505 				sb->s_id, sb->s_type->name);
506 			goto fallback;
507 		} else {
508 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
509 				sb->s_id, sb->s_type->name, -rc);
510 			return rc;
511 		}
512 	}
513 	return 0;
514 
515 fallback:
516 	/* No xattr support - try to fallback to genfs if possible. */
517 	rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
518 				SECCLASS_DIR, &sid);
519 	if (rc)
520 		return -EOPNOTSUPP;
521 
522 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
523 		sb->s_id, sb->s_type->name);
524 	sbsec->behavior = SECURITY_FS_USE_GENFS;
525 	sbsec->sid = sid;
526 	return 0;
527 }
528 
529 static int sb_finish_set_opts(struct super_block *sb)
530 {
531 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
532 	struct dentry *root = sb->s_root;
533 	struct inode *root_inode = d_backing_inode(root);
534 	int rc = 0;
535 
536 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
537 		rc = sb_check_xattr_support(sb);
538 		if (rc)
539 			return rc;
540 	}
541 
542 	sbsec->flags |= SE_SBINITIALIZED;
543 
544 	/*
545 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
546 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
547 	 * us a superblock that needs the flag to be cleared.
548 	 */
549 	if (selinux_is_sblabel_mnt(sb))
550 		sbsec->flags |= SBLABEL_MNT;
551 	else
552 		sbsec->flags &= ~SBLABEL_MNT;
553 
554 	/* Initialize the root inode. */
555 	rc = inode_doinit_with_dentry(root_inode, root);
556 
557 	/* Initialize any other inodes associated with the superblock, e.g.
558 	   inodes created prior to initial policy load or inodes created
559 	   during get_sb by a pseudo filesystem that directly
560 	   populates itself. */
561 	spin_lock(&sbsec->isec_lock);
562 	while (!list_empty(&sbsec->isec_head)) {
563 		struct inode_security_struct *isec =
564 				list_first_entry(&sbsec->isec_head,
565 					   struct inode_security_struct, list);
566 		struct inode *inode = isec->inode;
567 		list_del_init(&isec->list);
568 		spin_unlock(&sbsec->isec_lock);
569 		inode = igrab(inode);
570 		if (inode) {
571 			if (!IS_PRIVATE(inode))
572 				inode_doinit_with_dentry(inode, NULL);
573 			iput(inode);
574 		}
575 		spin_lock(&sbsec->isec_lock);
576 	}
577 	spin_unlock(&sbsec->isec_lock);
578 	return rc;
579 }
580 
581 static int bad_option(struct superblock_security_struct *sbsec, char flag,
582 		      u32 old_sid, u32 new_sid)
583 {
584 	char mnt_flags = sbsec->flags & SE_MNTMASK;
585 
586 	/* check if the old mount command had the same options */
587 	if (sbsec->flags & SE_SBINITIALIZED)
588 		if (!(sbsec->flags & flag) ||
589 		    (old_sid != new_sid))
590 			return 1;
591 
592 	/* check if we were passed the same options twice,
593 	 * aka someone passed context=a,context=b
594 	 */
595 	if (!(sbsec->flags & SE_SBINITIALIZED))
596 		if (mnt_flags & flag)
597 			return 1;
598 	return 0;
599 }
600 
601 static int parse_sid(struct super_block *sb, const char *s, u32 *sid,
602 		     gfp_t gfp)
603 {
604 	int rc = security_context_str_to_sid(&selinux_state, s,
605 					     sid, gfp);
606 	if (rc)
607 		pr_warn("SELinux: security_context_str_to_sid"
608 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
609 		       s, sb->s_id, sb->s_type->name, rc);
610 	return rc;
611 }
612 
613 /*
614  * Allow filesystems with binary mount data to explicitly set mount point
615  * labeling information.
616  */
617 static int selinux_set_mnt_opts(struct super_block *sb,
618 				void *mnt_opts,
619 				unsigned long kern_flags,
620 				unsigned long *set_kern_flags)
621 {
622 	const struct cred *cred = current_cred();
623 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
624 	struct dentry *root = sb->s_root;
625 	struct selinux_mnt_opts *opts = mnt_opts;
626 	struct inode_security_struct *root_isec;
627 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
628 	u32 defcontext_sid = 0;
629 	int rc = 0;
630 
631 	mutex_lock(&sbsec->lock);
632 
633 	if (!selinux_initialized(&selinux_state)) {
634 		if (!opts) {
635 			/* Defer initialization until selinux_complete_init,
636 			   after the initial policy is loaded and the security
637 			   server is ready to handle calls. */
638 			goto out;
639 		}
640 		rc = -EINVAL;
641 		pr_warn("SELinux: Unable to set superblock options "
642 			"before the security server is initialized\n");
643 		goto out;
644 	}
645 	if (kern_flags && !set_kern_flags) {
646 		/* Specifying internal flags without providing a place to
647 		 * place the results is not allowed */
648 		rc = -EINVAL;
649 		goto out;
650 	}
651 
652 	/*
653 	 * Binary mount data FS will come through this function twice.  Once
654 	 * from an explicit call and once from the generic calls from the vfs.
655 	 * Since the generic VFS calls will not contain any security mount data
656 	 * we need to skip the double mount verification.
657 	 *
658 	 * This does open a hole in which we will not notice if the first
659 	 * mount using this sb set explict options and a second mount using
660 	 * this sb does not set any security options.  (The first options
661 	 * will be used for both mounts)
662 	 */
663 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
664 	    && !opts)
665 		goto out;
666 
667 	root_isec = backing_inode_security_novalidate(root);
668 
669 	/*
670 	 * parse the mount options, check if they are valid sids.
671 	 * also check if someone is trying to mount the same sb more
672 	 * than once with different security options.
673 	 */
674 	if (opts) {
675 		if (opts->fscontext) {
676 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid,
677 					GFP_KERNEL);
678 			if (rc)
679 				goto out;
680 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
681 					fscontext_sid))
682 				goto out_double_mount;
683 			sbsec->flags |= FSCONTEXT_MNT;
684 		}
685 		if (opts->context) {
686 			rc = parse_sid(sb, opts->context, &context_sid,
687 					GFP_KERNEL);
688 			if (rc)
689 				goto out;
690 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
691 					context_sid))
692 				goto out_double_mount;
693 			sbsec->flags |= CONTEXT_MNT;
694 		}
695 		if (opts->rootcontext) {
696 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid,
697 					GFP_KERNEL);
698 			if (rc)
699 				goto out;
700 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 					rootcontext_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= ROOTCONTEXT_MNT;
704 		}
705 		if (opts->defcontext) {
706 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid,
707 					GFP_KERNEL);
708 			if (rc)
709 				goto out;
710 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
711 					defcontext_sid))
712 				goto out_double_mount;
713 			sbsec->flags |= DEFCONTEXT_MNT;
714 		}
715 	}
716 
717 	if (sbsec->flags & SE_SBINITIALIZED) {
718 		/* previously mounted with options, but not on this attempt? */
719 		if ((sbsec->flags & SE_MNTMASK) && !opts)
720 			goto out_double_mount;
721 		rc = 0;
722 		goto out;
723 	}
724 
725 	if (strcmp(sb->s_type->name, "proc") == 0)
726 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
727 
728 	if (!strcmp(sb->s_type->name, "debugfs") ||
729 	    !strcmp(sb->s_type->name, "tracefs") ||
730 	    !strcmp(sb->s_type->name, "binder") ||
731 	    !strcmp(sb->s_type->name, "bpf") ||
732 	    !strcmp(sb->s_type->name, "pstore") ||
733 	    !strcmp(sb->s_type->name, "securityfs"))
734 		sbsec->flags |= SE_SBGENFS;
735 
736 	if (!strcmp(sb->s_type->name, "sysfs") ||
737 	    !strcmp(sb->s_type->name, "cgroup") ||
738 	    !strcmp(sb->s_type->name, "cgroup2"))
739 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
740 
741 	if (!sbsec->behavior) {
742 		/*
743 		 * Determine the labeling behavior to use for this
744 		 * filesystem type.
745 		 */
746 		rc = security_fs_use(&selinux_state, sb);
747 		if (rc) {
748 			pr_warn("%s: security_fs_use(%s) returned %d\n",
749 					__func__, sb->s_type->name, rc);
750 			goto out;
751 		}
752 	}
753 
754 	/*
755 	 * If this is a user namespace mount and the filesystem type is not
756 	 * explicitly whitelisted, then no contexts are allowed on the command
757 	 * line and security labels must be ignored.
758 	 */
759 	if (sb->s_user_ns != &init_user_ns &&
760 	    strcmp(sb->s_type->name, "tmpfs") &&
761 	    strcmp(sb->s_type->name, "ramfs") &&
762 	    strcmp(sb->s_type->name, "devpts") &&
763 	    strcmp(sb->s_type->name, "overlay")) {
764 		if (context_sid || fscontext_sid || rootcontext_sid ||
765 		    defcontext_sid) {
766 			rc = -EACCES;
767 			goto out;
768 		}
769 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
770 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
771 			rc = security_transition_sid(&selinux_state,
772 						     current_sid(),
773 						     current_sid(),
774 						     SECCLASS_FILE, NULL,
775 						     &sbsec->mntpoint_sid);
776 			if (rc)
777 				goto out;
778 		}
779 		goto out_set_opts;
780 	}
781 
782 	/* sets the context of the superblock for the fs being mounted. */
783 	if (fscontext_sid) {
784 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
785 		if (rc)
786 			goto out;
787 
788 		sbsec->sid = fscontext_sid;
789 	}
790 
791 	/*
792 	 * Switch to using mount point labeling behavior.
793 	 * sets the label used on all file below the mountpoint, and will set
794 	 * the superblock context if not already set.
795 	 */
796 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
797 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
798 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
799 	}
800 
801 	if (context_sid) {
802 		if (!fscontext_sid) {
803 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
804 							  cred);
805 			if (rc)
806 				goto out;
807 			sbsec->sid = context_sid;
808 		} else {
809 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
810 							     cred);
811 			if (rc)
812 				goto out;
813 		}
814 		if (!rootcontext_sid)
815 			rootcontext_sid = context_sid;
816 
817 		sbsec->mntpoint_sid = context_sid;
818 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
819 	}
820 
821 	if (rootcontext_sid) {
822 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
823 						     cred);
824 		if (rc)
825 			goto out;
826 
827 		root_isec->sid = rootcontext_sid;
828 		root_isec->initialized = LABEL_INITIALIZED;
829 	}
830 
831 	if (defcontext_sid) {
832 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
833 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
834 			rc = -EINVAL;
835 			pr_warn("SELinux: defcontext option is "
836 			       "invalid for this filesystem type\n");
837 			goto out;
838 		}
839 
840 		if (defcontext_sid != sbsec->def_sid) {
841 			rc = may_context_mount_inode_relabel(defcontext_sid,
842 							     sbsec, cred);
843 			if (rc)
844 				goto out;
845 		}
846 
847 		sbsec->def_sid = defcontext_sid;
848 	}
849 
850 out_set_opts:
851 	rc = sb_finish_set_opts(sb);
852 out:
853 	mutex_unlock(&sbsec->lock);
854 	return rc;
855 out_double_mount:
856 	rc = -EINVAL;
857 	pr_warn("SELinux: mount invalid.  Same superblock, different "
858 	       "security settings for (dev %s, type %s)\n", sb->s_id,
859 	       sb->s_type->name);
860 	goto out;
861 }
862 
863 static int selinux_cmp_sb_context(const struct super_block *oldsb,
864 				    const struct super_block *newsb)
865 {
866 	struct superblock_security_struct *old = selinux_superblock(oldsb);
867 	struct superblock_security_struct *new = selinux_superblock(newsb);
868 	char oldflags = old->flags & SE_MNTMASK;
869 	char newflags = new->flags & SE_MNTMASK;
870 
871 	if (oldflags != newflags)
872 		goto mismatch;
873 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
874 		goto mismatch;
875 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
876 		goto mismatch;
877 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
878 		goto mismatch;
879 	if (oldflags & ROOTCONTEXT_MNT) {
880 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
881 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
882 		if (oldroot->sid != newroot->sid)
883 			goto mismatch;
884 	}
885 	return 0;
886 mismatch:
887 	pr_warn("SELinux: mount invalid.  Same superblock, "
888 			    "different security settings for (dev %s, "
889 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
890 	return -EBUSY;
891 }
892 
893 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
894 					struct super_block *newsb,
895 					unsigned long kern_flags,
896 					unsigned long *set_kern_flags)
897 {
898 	int rc = 0;
899 	const struct superblock_security_struct *oldsbsec =
900 						selinux_superblock(oldsb);
901 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
902 
903 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
904 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
905 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
906 
907 	/*
908 	 * if the parent was able to be mounted it clearly had no special lsm
909 	 * mount options.  thus we can safely deal with this superblock later
910 	 */
911 	if (!selinux_initialized(&selinux_state))
912 		return 0;
913 
914 	/*
915 	 * Specifying internal flags without providing a place to
916 	 * place the results is not allowed.
917 	 */
918 	if (kern_flags && !set_kern_flags)
919 		return -EINVAL;
920 
921 	/* how can we clone if the old one wasn't set up?? */
922 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
923 
924 	/* if fs is reusing a sb, make sure that the contexts match */
925 	if (newsbsec->flags & SE_SBINITIALIZED) {
926 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
927 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
928 		return selinux_cmp_sb_context(oldsb, newsb);
929 	}
930 
931 	mutex_lock(&newsbsec->lock);
932 
933 	newsbsec->flags = oldsbsec->flags;
934 
935 	newsbsec->sid = oldsbsec->sid;
936 	newsbsec->def_sid = oldsbsec->def_sid;
937 	newsbsec->behavior = oldsbsec->behavior;
938 
939 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
940 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
941 		rc = security_fs_use(&selinux_state, newsb);
942 		if (rc)
943 			goto out;
944 	}
945 
946 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
947 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
948 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
949 	}
950 
951 	if (set_context) {
952 		u32 sid = oldsbsec->mntpoint_sid;
953 
954 		if (!set_fscontext)
955 			newsbsec->sid = sid;
956 		if (!set_rootcontext) {
957 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
958 			newisec->sid = sid;
959 		}
960 		newsbsec->mntpoint_sid = sid;
961 	}
962 	if (set_rootcontext) {
963 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
964 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
965 
966 		newisec->sid = oldisec->sid;
967 	}
968 
969 	sb_finish_set_opts(newsb);
970 out:
971 	mutex_unlock(&newsbsec->lock);
972 	return rc;
973 }
974 
975 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
976 {
977 	struct selinux_mnt_opts *opts = *mnt_opts;
978 	bool is_alloc_opts = false;
979 
980 	if (token == Opt_seclabel)
981 		/* eaten and completely ignored */
982 		return 0;
983 	if (!s)
984 		return -ENOMEM;
985 
986 	if (!opts) {
987 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
988 		if (!opts)
989 			return -ENOMEM;
990 		*mnt_opts = opts;
991 		is_alloc_opts = true;
992 	}
993 
994 	switch (token) {
995 	case Opt_context:
996 		if (opts->context || opts->defcontext)
997 			goto err;
998 		opts->context = s;
999 		break;
1000 	case Opt_fscontext:
1001 		if (opts->fscontext)
1002 			goto err;
1003 		opts->fscontext = s;
1004 		break;
1005 	case Opt_rootcontext:
1006 		if (opts->rootcontext)
1007 			goto err;
1008 		opts->rootcontext = s;
1009 		break;
1010 	case Opt_defcontext:
1011 		if (opts->context || opts->defcontext)
1012 			goto err;
1013 		opts->defcontext = s;
1014 		break;
1015 	}
1016 
1017 	return 0;
1018 
1019 err:
1020 	if (is_alloc_opts) {
1021 		kfree(opts);
1022 		*mnt_opts = NULL;
1023 	}
1024 	pr_warn(SEL_MOUNT_FAIL_MSG);
1025 	return -EINVAL;
1026 }
1027 
1028 static int show_sid(struct seq_file *m, u32 sid)
1029 {
1030 	char *context = NULL;
1031 	u32 len;
1032 	int rc;
1033 
1034 	rc = security_sid_to_context(&selinux_state, sid,
1035 					     &context, &len);
1036 	if (!rc) {
1037 		bool has_comma = context && strchr(context, ',');
1038 
1039 		seq_putc(m, '=');
1040 		if (has_comma)
1041 			seq_putc(m, '\"');
1042 		seq_escape(m, context, "\"\n\\");
1043 		if (has_comma)
1044 			seq_putc(m, '\"');
1045 	}
1046 	kfree(context);
1047 	return rc;
1048 }
1049 
1050 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1051 {
1052 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1053 	int rc;
1054 
1055 	if (!(sbsec->flags & SE_SBINITIALIZED))
1056 		return 0;
1057 
1058 	if (!selinux_initialized(&selinux_state))
1059 		return 0;
1060 
1061 	if (sbsec->flags & FSCONTEXT_MNT) {
1062 		seq_putc(m, ',');
1063 		seq_puts(m, FSCONTEXT_STR);
1064 		rc = show_sid(m, sbsec->sid);
1065 		if (rc)
1066 			return rc;
1067 	}
1068 	if (sbsec->flags & CONTEXT_MNT) {
1069 		seq_putc(m, ',');
1070 		seq_puts(m, CONTEXT_STR);
1071 		rc = show_sid(m, sbsec->mntpoint_sid);
1072 		if (rc)
1073 			return rc;
1074 	}
1075 	if (sbsec->flags & DEFCONTEXT_MNT) {
1076 		seq_putc(m, ',');
1077 		seq_puts(m, DEFCONTEXT_STR);
1078 		rc = show_sid(m, sbsec->def_sid);
1079 		if (rc)
1080 			return rc;
1081 	}
1082 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1083 		struct dentry *root = sb->s_root;
1084 		struct inode_security_struct *isec = backing_inode_security(root);
1085 		seq_putc(m, ',');
1086 		seq_puts(m, ROOTCONTEXT_STR);
1087 		rc = show_sid(m, isec->sid);
1088 		if (rc)
1089 			return rc;
1090 	}
1091 	if (sbsec->flags & SBLABEL_MNT) {
1092 		seq_putc(m, ',');
1093 		seq_puts(m, SECLABEL_STR);
1094 	}
1095 	return 0;
1096 }
1097 
1098 static inline u16 inode_mode_to_security_class(umode_t mode)
1099 {
1100 	switch (mode & S_IFMT) {
1101 	case S_IFSOCK:
1102 		return SECCLASS_SOCK_FILE;
1103 	case S_IFLNK:
1104 		return SECCLASS_LNK_FILE;
1105 	case S_IFREG:
1106 		return SECCLASS_FILE;
1107 	case S_IFBLK:
1108 		return SECCLASS_BLK_FILE;
1109 	case S_IFDIR:
1110 		return SECCLASS_DIR;
1111 	case S_IFCHR:
1112 		return SECCLASS_CHR_FILE;
1113 	case S_IFIFO:
1114 		return SECCLASS_FIFO_FILE;
1115 
1116 	}
1117 
1118 	return SECCLASS_FILE;
1119 }
1120 
1121 static inline int default_protocol_stream(int protocol)
1122 {
1123 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1124 		protocol == IPPROTO_MPTCP);
1125 }
1126 
1127 static inline int default_protocol_dgram(int protocol)
1128 {
1129 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1130 }
1131 
1132 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1133 {
1134 	int extsockclass = selinux_policycap_extsockclass();
1135 
1136 	switch (family) {
1137 	case PF_UNIX:
1138 		switch (type) {
1139 		case SOCK_STREAM:
1140 		case SOCK_SEQPACKET:
1141 			return SECCLASS_UNIX_STREAM_SOCKET;
1142 		case SOCK_DGRAM:
1143 		case SOCK_RAW:
1144 			return SECCLASS_UNIX_DGRAM_SOCKET;
1145 		}
1146 		break;
1147 	case PF_INET:
1148 	case PF_INET6:
1149 		switch (type) {
1150 		case SOCK_STREAM:
1151 		case SOCK_SEQPACKET:
1152 			if (default_protocol_stream(protocol))
1153 				return SECCLASS_TCP_SOCKET;
1154 			else if (extsockclass && protocol == IPPROTO_SCTP)
1155 				return SECCLASS_SCTP_SOCKET;
1156 			else
1157 				return SECCLASS_RAWIP_SOCKET;
1158 		case SOCK_DGRAM:
1159 			if (default_protocol_dgram(protocol))
1160 				return SECCLASS_UDP_SOCKET;
1161 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1162 						  protocol == IPPROTO_ICMPV6))
1163 				return SECCLASS_ICMP_SOCKET;
1164 			else
1165 				return SECCLASS_RAWIP_SOCKET;
1166 		case SOCK_DCCP:
1167 			return SECCLASS_DCCP_SOCKET;
1168 		default:
1169 			return SECCLASS_RAWIP_SOCKET;
1170 		}
1171 		break;
1172 	case PF_NETLINK:
1173 		switch (protocol) {
1174 		case NETLINK_ROUTE:
1175 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1176 		case NETLINK_SOCK_DIAG:
1177 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1178 		case NETLINK_NFLOG:
1179 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1180 		case NETLINK_XFRM:
1181 			return SECCLASS_NETLINK_XFRM_SOCKET;
1182 		case NETLINK_SELINUX:
1183 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1184 		case NETLINK_ISCSI:
1185 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1186 		case NETLINK_AUDIT:
1187 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1188 		case NETLINK_FIB_LOOKUP:
1189 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1190 		case NETLINK_CONNECTOR:
1191 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1192 		case NETLINK_NETFILTER:
1193 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1194 		case NETLINK_DNRTMSG:
1195 			return SECCLASS_NETLINK_DNRT_SOCKET;
1196 		case NETLINK_KOBJECT_UEVENT:
1197 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1198 		case NETLINK_GENERIC:
1199 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1200 		case NETLINK_SCSITRANSPORT:
1201 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1202 		case NETLINK_RDMA:
1203 			return SECCLASS_NETLINK_RDMA_SOCKET;
1204 		case NETLINK_CRYPTO:
1205 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1206 		default:
1207 			return SECCLASS_NETLINK_SOCKET;
1208 		}
1209 	case PF_PACKET:
1210 		return SECCLASS_PACKET_SOCKET;
1211 	case PF_KEY:
1212 		return SECCLASS_KEY_SOCKET;
1213 	case PF_APPLETALK:
1214 		return SECCLASS_APPLETALK_SOCKET;
1215 	}
1216 
1217 	if (extsockclass) {
1218 		switch (family) {
1219 		case PF_AX25:
1220 			return SECCLASS_AX25_SOCKET;
1221 		case PF_IPX:
1222 			return SECCLASS_IPX_SOCKET;
1223 		case PF_NETROM:
1224 			return SECCLASS_NETROM_SOCKET;
1225 		case PF_ATMPVC:
1226 			return SECCLASS_ATMPVC_SOCKET;
1227 		case PF_X25:
1228 			return SECCLASS_X25_SOCKET;
1229 		case PF_ROSE:
1230 			return SECCLASS_ROSE_SOCKET;
1231 		case PF_DECnet:
1232 			return SECCLASS_DECNET_SOCKET;
1233 		case PF_ATMSVC:
1234 			return SECCLASS_ATMSVC_SOCKET;
1235 		case PF_RDS:
1236 			return SECCLASS_RDS_SOCKET;
1237 		case PF_IRDA:
1238 			return SECCLASS_IRDA_SOCKET;
1239 		case PF_PPPOX:
1240 			return SECCLASS_PPPOX_SOCKET;
1241 		case PF_LLC:
1242 			return SECCLASS_LLC_SOCKET;
1243 		case PF_CAN:
1244 			return SECCLASS_CAN_SOCKET;
1245 		case PF_TIPC:
1246 			return SECCLASS_TIPC_SOCKET;
1247 		case PF_BLUETOOTH:
1248 			return SECCLASS_BLUETOOTH_SOCKET;
1249 		case PF_IUCV:
1250 			return SECCLASS_IUCV_SOCKET;
1251 		case PF_RXRPC:
1252 			return SECCLASS_RXRPC_SOCKET;
1253 		case PF_ISDN:
1254 			return SECCLASS_ISDN_SOCKET;
1255 		case PF_PHONET:
1256 			return SECCLASS_PHONET_SOCKET;
1257 		case PF_IEEE802154:
1258 			return SECCLASS_IEEE802154_SOCKET;
1259 		case PF_CAIF:
1260 			return SECCLASS_CAIF_SOCKET;
1261 		case PF_ALG:
1262 			return SECCLASS_ALG_SOCKET;
1263 		case PF_NFC:
1264 			return SECCLASS_NFC_SOCKET;
1265 		case PF_VSOCK:
1266 			return SECCLASS_VSOCK_SOCKET;
1267 		case PF_KCM:
1268 			return SECCLASS_KCM_SOCKET;
1269 		case PF_QIPCRTR:
1270 			return SECCLASS_QIPCRTR_SOCKET;
1271 		case PF_SMC:
1272 			return SECCLASS_SMC_SOCKET;
1273 		case PF_XDP:
1274 			return SECCLASS_XDP_SOCKET;
1275 		case PF_MCTP:
1276 			return SECCLASS_MCTP_SOCKET;
1277 #if PF_MAX > 46
1278 #error New address family defined, please update this function.
1279 #endif
1280 		}
1281 	}
1282 
1283 	return SECCLASS_SOCKET;
1284 }
1285 
1286 static int selinux_genfs_get_sid(struct dentry *dentry,
1287 				 u16 tclass,
1288 				 u16 flags,
1289 				 u32 *sid)
1290 {
1291 	int rc;
1292 	struct super_block *sb = dentry->d_sb;
1293 	char *buffer, *path;
1294 
1295 	buffer = (char *)__get_free_page(GFP_KERNEL);
1296 	if (!buffer)
1297 		return -ENOMEM;
1298 
1299 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1300 	if (IS_ERR(path))
1301 		rc = PTR_ERR(path);
1302 	else {
1303 		if (flags & SE_SBPROC) {
1304 			/* each process gets a /proc/PID/ entry. Strip off the
1305 			 * PID part to get a valid selinux labeling.
1306 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1307 			while (path[1] >= '0' && path[1] <= '9') {
1308 				path[1] = '/';
1309 				path++;
1310 			}
1311 		}
1312 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1313 					path, tclass, sid);
1314 		if (rc == -ENOENT) {
1315 			/* No match in policy, mark as unlabeled. */
1316 			*sid = SECINITSID_UNLABELED;
1317 			rc = 0;
1318 		}
1319 	}
1320 	free_page((unsigned long)buffer);
1321 	return rc;
1322 }
1323 
1324 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1325 				  u32 def_sid, u32 *sid)
1326 {
1327 #define INITCONTEXTLEN 255
1328 	char *context;
1329 	unsigned int len;
1330 	int rc;
1331 
1332 	len = INITCONTEXTLEN;
1333 	context = kmalloc(len + 1, GFP_NOFS);
1334 	if (!context)
1335 		return -ENOMEM;
1336 
1337 	context[len] = '\0';
1338 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1339 	if (rc == -ERANGE) {
1340 		kfree(context);
1341 
1342 		/* Need a larger buffer.  Query for the right size. */
1343 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1344 		if (rc < 0)
1345 			return rc;
1346 
1347 		len = rc;
1348 		context = kmalloc(len + 1, GFP_NOFS);
1349 		if (!context)
1350 			return -ENOMEM;
1351 
1352 		context[len] = '\0';
1353 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1354 				    context, len);
1355 	}
1356 	if (rc < 0) {
1357 		kfree(context);
1358 		if (rc != -ENODATA) {
1359 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1360 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1361 			return rc;
1362 		}
1363 		*sid = def_sid;
1364 		return 0;
1365 	}
1366 
1367 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1368 					     def_sid, GFP_NOFS);
1369 	if (rc) {
1370 		char *dev = inode->i_sb->s_id;
1371 		unsigned long ino = inode->i_ino;
1372 
1373 		if (rc == -EINVAL) {
1374 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1375 					      ino, dev, context);
1376 		} else {
1377 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1378 				__func__, context, -rc, dev, ino);
1379 		}
1380 	}
1381 	kfree(context);
1382 	return 0;
1383 }
1384 
1385 /* The inode's security attributes must be initialized before first use. */
1386 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1387 {
1388 	struct superblock_security_struct *sbsec = NULL;
1389 	struct inode_security_struct *isec = selinux_inode(inode);
1390 	u32 task_sid, sid = 0;
1391 	u16 sclass;
1392 	struct dentry *dentry;
1393 	int rc = 0;
1394 
1395 	if (isec->initialized == LABEL_INITIALIZED)
1396 		return 0;
1397 
1398 	spin_lock(&isec->lock);
1399 	if (isec->initialized == LABEL_INITIALIZED)
1400 		goto out_unlock;
1401 
1402 	if (isec->sclass == SECCLASS_FILE)
1403 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1404 
1405 	sbsec = selinux_superblock(inode->i_sb);
1406 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1407 		/* Defer initialization until selinux_complete_init,
1408 		   after the initial policy is loaded and the security
1409 		   server is ready to handle calls. */
1410 		spin_lock(&sbsec->isec_lock);
1411 		if (list_empty(&isec->list))
1412 			list_add(&isec->list, &sbsec->isec_head);
1413 		spin_unlock(&sbsec->isec_lock);
1414 		goto out_unlock;
1415 	}
1416 
1417 	sclass = isec->sclass;
1418 	task_sid = isec->task_sid;
1419 	sid = isec->sid;
1420 	isec->initialized = LABEL_PENDING;
1421 	spin_unlock(&isec->lock);
1422 
1423 	switch (sbsec->behavior) {
1424 	case SECURITY_FS_USE_NATIVE:
1425 		break;
1426 	case SECURITY_FS_USE_XATTR:
1427 		if (!(inode->i_opflags & IOP_XATTR)) {
1428 			sid = sbsec->def_sid;
1429 			break;
1430 		}
1431 		/* Need a dentry, since the xattr API requires one.
1432 		   Life would be simpler if we could just pass the inode. */
1433 		if (opt_dentry) {
1434 			/* Called from d_instantiate or d_splice_alias. */
1435 			dentry = dget(opt_dentry);
1436 		} else {
1437 			/*
1438 			 * Called from selinux_complete_init, try to find a dentry.
1439 			 * Some filesystems really want a connected one, so try
1440 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1441 			 * two, depending upon that...
1442 			 */
1443 			dentry = d_find_alias(inode);
1444 			if (!dentry)
1445 				dentry = d_find_any_alias(inode);
1446 		}
1447 		if (!dentry) {
1448 			/*
1449 			 * this is can be hit on boot when a file is accessed
1450 			 * before the policy is loaded.  When we load policy we
1451 			 * may find inodes that have no dentry on the
1452 			 * sbsec->isec_head list.  No reason to complain as these
1453 			 * will get fixed up the next time we go through
1454 			 * inode_doinit with a dentry, before these inodes could
1455 			 * be used again by userspace.
1456 			 */
1457 			goto out_invalid;
1458 		}
1459 
1460 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1461 					    &sid);
1462 		dput(dentry);
1463 		if (rc)
1464 			goto out;
1465 		break;
1466 	case SECURITY_FS_USE_TASK:
1467 		sid = task_sid;
1468 		break;
1469 	case SECURITY_FS_USE_TRANS:
1470 		/* Default to the fs SID. */
1471 		sid = sbsec->sid;
1472 
1473 		/* Try to obtain a transition SID. */
1474 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1475 					     sclass, NULL, &sid);
1476 		if (rc)
1477 			goto out;
1478 		break;
1479 	case SECURITY_FS_USE_MNTPOINT:
1480 		sid = sbsec->mntpoint_sid;
1481 		break;
1482 	default:
1483 		/* Default to the fs superblock SID. */
1484 		sid = sbsec->sid;
1485 
1486 		if ((sbsec->flags & SE_SBGENFS) &&
1487 		     (!S_ISLNK(inode->i_mode) ||
1488 		      selinux_policycap_genfs_seclabel_symlinks())) {
1489 			/* We must have a dentry to determine the label on
1490 			 * procfs inodes */
1491 			if (opt_dentry) {
1492 				/* Called from d_instantiate or
1493 				 * d_splice_alias. */
1494 				dentry = dget(opt_dentry);
1495 			} else {
1496 				/* Called from selinux_complete_init, try to
1497 				 * find a dentry.  Some filesystems really want
1498 				 * a connected one, so try that first.
1499 				 */
1500 				dentry = d_find_alias(inode);
1501 				if (!dentry)
1502 					dentry = d_find_any_alias(inode);
1503 			}
1504 			/*
1505 			 * This can be hit on boot when a file is accessed
1506 			 * before the policy is loaded.  When we load policy we
1507 			 * may find inodes that have no dentry on the
1508 			 * sbsec->isec_head list.  No reason to complain as
1509 			 * these will get fixed up the next time we go through
1510 			 * inode_doinit() with a dentry, before these inodes
1511 			 * could be used again by userspace.
1512 			 */
1513 			if (!dentry)
1514 				goto out_invalid;
1515 			rc = selinux_genfs_get_sid(dentry, sclass,
1516 						   sbsec->flags, &sid);
1517 			if (rc) {
1518 				dput(dentry);
1519 				goto out;
1520 			}
1521 
1522 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1523 			    (inode->i_opflags & IOP_XATTR)) {
1524 				rc = inode_doinit_use_xattr(inode, dentry,
1525 							    sid, &sid);
1526 				if (rc) {
1527 					dput(dentry);
1528 					goto out;
1529 				}
1530 			}
1531 			dput(dentry);
1532 		}
1533 		break;
1534 	}
1535 
1536 out:
1537 	spin_lock(&isec->lock);
1538 	if (isec->initialized == LABEL_PENDING) {
1539 		if (rc) {
1540 			isec->initialized = LABEL_INVALID;
1541 			goto out_unlock;
1542 		}
1543 		isec->initialized = LABEL_INITIALIZED;
1544 		isec->sid = sid;
1545 	}
1546 
1547 out_unlock:
1548 	spin_unlock(&isec->lock);
1549 	return rc;
1550 
1551 out_invalid:
1552 	spin_lock(&isec->lock);
1553 	if (isec->initialized == LABEL_PENDING) {
1554 		isec->initialized = LABEL_INVALID;
1555 		isec->sid = sid;
1556 	}
1557 	spin_unlock(&isec->lock);
1558 	return 0;
1559 }
1560 
1561 /* Convert a Linux signal to an access vector. */
1562 static inline u32 signal_to_av(int sig)
1563 {
1564 	u32 perm = 0;
1565 
1566 	switch (sig) {
1567 	case SIGCHLD:
1568 		/* Commonly granted from child to parent. */
1569 		perm = PROCESS__SIGCHLD;
1570 		break;
1571 	case SIGKILL:
1572 		/* Cannot be caught or ignored */
1573 		perm = PROCESS__SIGKILL;
1574 		break;
1575 	case SIGSTOP:
1576 		/* Cannot be caught or ignored */
1577 		perm = PROCESS__SIGSTOP;
1578 		break;
1579 	default:
1580 		/* All other signals. */
1581 		perm = PROCESS__SIGNAL;
1582 		break;
1583 	}
1584 
1585 	return perm;
1586 }
1587 
1588 #if CAP_LAST_CAP > 63
1589 #error Fix SELinux to handle capabilities > 63.
1590 #endif
1591 
1592 /* Check whether a task is allowed to use a capability. */
1593 static int cred_has_capability(const struct cred *cred,
1594 			       int cap, unsigned int opts, bool initns)
1595 {
1596 	struct common_audit_data ad;
1597 	struct av_decision avd;
1598 	u16 sclass;
1599 	u32 sid = cred_sid(cred);
1600 	u32 av = CAP_TO_MASK(cap);
1601 	int rc;
1602 
1603 	ad.type = LSM_AUDIT_DATA_CAP;
1604 	ad.u.cap = cap;
1605 
1606 	switch (CAP_TO_INDEX(cap)) {
1607 	case 0:
1608 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1609 		break;
1610 	case 1:
1611 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1612 		break;
1613 	default:
1614 		pr_err("SELinux:  out of range capability %d\n", cap);
1615 		BUG();
1616 		return -EINVAL;
1617 	}
1618 
1619 	rc = avc_has_perm_noaudit(&selinux_state,
1620 				  sid, sid, sclass, av, 0, &avd);
1621 	if (!(opts & CAP_OPT_NOAUDIT)) {
1622 		int rc2 = avc_audit(&selinux_state,
1623 				    sid, sid, sclass, av, &avd, rc, &ad);
1624 		if (rc2)
1625 			return rc2;
1626 	}
1627 	return rc;
1628 }
1629 
1630 /* Check whether a task has a particular permission to an inode.
1631    The 'adp' parameter is optional and allows other audit
1632    data to be passed (e.g. the dentry). */
1633 static int inode_has_perm(const struct cred *cred,
1634 			  struct inode *inode,
1635 			  u32 perms,
1636 			  struct common_audit_data *adp)
1637 {
1638 	struct inode_security_struct *isec;
1639 	u32 sid;
1640 
1641 	validate_creds(cred);
1642 
1643 	if (unlikely(IS_PRIVATE(inode)))
1644 		return 0;
1645 
1646 	sid = cred_sid(cred);
1647 	isec = selinux_inode(inode);
1648 
1649 	return avc_has_perm(&selinux_state,
1650 			    sid, isec->sid, isec->sclass, perms, adp);
1651 }
1652 
1653 /* Same as inode_has_perm, but pass explicit audit data containing
1654    the dentry to help the auditing code to more easily generate the
1655    pathname if needed. */
1656 static inline int dentry_has_perm(const struct cred *cred,
1657 				  struct dentry *dentry,
1658 				  u32 av)
1659 {
1660 	struct inode *inode = d_backing_inode(dentry);
1661 	struct common_audit_data ad;
1662 
1663 	ad.type = LSM_AUDIT_DATA_DENTRY;
1664 	ad.u.dentry = dentry;
1665 	__inode_security_revalidate(inode, dentry, true);
1666 	return inode_has_perm(cred, inode, av, &ad);
1667 }
1668 
1669 /* Same as inode_has_perm, but pass explicit audit data containing
1670    the path to help the auditing code to more easily generate the
1671    pathname if needed. */
1672 static inline int path_has_perm(const struct cred *cred,
1673 				const struct path *path,
1674 				u32 av)
1675 {
1676 	struct inode *inode = d_backing_inode(path->dentry);
1677 	struct common_audit_data ad;
1678 
1679 	ad.type = LSM_AUDIT_DATA_PATH;
1680 	ad.u.path = *path;
1681 	__inode_security_revalidate(inode, path->dentry, true);
1682 	return inode_has_perm(cred, inode, av, &ad);
1683 }
1684 
1685 /* Same as path_has_perm, but uses the inode from the file struct. */
1686 static inline int file_path_has_perm(const struct cred *cred,
1687 				     struct file *file,
1688 				     u32 av)
1689 {
1690 	struct common_audit_data ad;
1691 
1692 	ad.type = LSM_AUDIT_DATA_FILE;
1693 	ad.u.file = file;
1694 	return inode_has_perm(cred, file_inode(file), av, &ad);
1695 }
1696 
1697 #ifdef CONFIG_BPF_SYSCALL
1698 static int bpf_fd_pass(struct file *file, u32 sid);
1699 #endif
1700 
1701 /* Check whether a task can use an open file descriptor to
1702    access an inode in a given way.  Check access to the
1703    descriptor itself, and then use dentry_has_perm to
1704    check a particular permission to the file.
1705    Access to the descriptor is implicitly granted if it
1706    has the same SID as the process.  If av is zero, then
1707    access to the file is not checked, e.g. for cases
1708    where only the descriptor is affected like seek. */
1709 static int file_has_perm(const struct cred *cred,
1710 			 struct file *file,
1711 			 u32 av)
1712 {
1713 	struct file_security_struct *fsec = selinux_file(file);
1714 	struct inode *inode = file_inode(file);
1715 	struct common_audit_data ad;
1716 	u32 sid = cred_sid(cred);
1717 	int rc;
1718 
1719 	ad.type = LSM_AUDIT_DATA_FILE;
1720 	ad.u.file = file;
1721 
1722 	if (sid != fsec->sid) {
1723 		rc = avc_has_perm(&selinux_state,
1724 				  sid, fsec->sid,
1725 				  SECCLASS_FD,
1726 				  FD__USE,
1727 				  &ad);
1728 		if (rc)
1729 			goto out;
1730 	}
1731 
1732 #ifdef CONFIG_BPF_SYSCALL
1733 	rc = bpf_fd_pass(file, cred_sid(cred));
1734 	if (rc)
1735 		return rc;
1736 #endif
1737 
1738 	/* av is zero if only checking access to the descriptor. */
1739 	rc = 0;
1740 	if (av)
1741 		rc = inode_has_perm(cred, inode, av, &ad);
1742 
1743 out:
1744 	return rc;
1745 }
1746 
1747 /*
1748  * Determine the label for an inode that might be unioned.
1749  */
1750 static int
1751 selinux_determine_inode_label(const struct task_security_struct *tsec,
1752 				 struct inode *dir,
1753 				 const struct qstr *name, u16 tclass,
1754 				 u32 *_new_isid)
1755 {
1756 	const struct superblock_security_struct *sbsec =
1757 						selinux_superblock(dir->i_sb);
1758 
1759 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1760 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1761 		*_new_isid = sbsec->mntpoint_sid;
1762 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1763 		   tsec->create_sid) {
1764 		*_new_isid = tsec->create_sid;
1765 	} else {
1766 		const struct inode_security_struct *dsec = inode_security(dir);
1767 		return security_transition_sid(&selinux_state, tsec->sid,
1768 					       dsec->sid, tclass,
1769 					       name, _new_isid);
1770 	}
1771 
1772 	return 0;
1773 }
1774 
1775 /* Check whether a task can create a file. */
1776 static int may_create(struct inode *dir,
1777 		      struct dentry *dentry,
1778 		      u16 tclass)
1779 {
1780 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1781 	struct inode_security_struct *dsec;
1782 	struct superblock_security_struct *sbsec;
1783 	u32 sid, newsid;
1784 	struct common_audit_data ad;
1785 	int rc;
1786 
1787 	dsec = inode_security(dir);
1788 	sbsec = selinux_superblock(dir->i_sb);
1789 
1790 	sid = tsec->sid;
1791 
1792 	ad.type = LSM_AUDIT_DATA_DENTRY;
1793 	ad.u.dentry = dentry;
1794 
1795 	rc = avc_has_perm(&selinux_state,
1796 			  sid, dsec->sid, SECCLASS_DIR,
1797 			  DIR__ADD_NAME | DIR__SEARCH,
1798 			  &ad);
1799 	if (rc)
1800 		return rc;
1801 
1802 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1803 					   &newsid);
1804 	if (rc)
1805 		return rc;
1806 
1807 	rc = avc_has_perm(&selinux_state,
1808 			  sid, newsid, tclass, FILE__CREATE, &ad);
1809 	if (rc)
1810 		return rc;
1811 
1812 	return avc_has_perm(&selinux_state,
1813 			    newsid, sbsec->sid,
1814 			    SECCLASS_FILESYSTEM,
1815 			    FILESYSTEM__ASSOCIATE, &ad);
1816 }
1817 
1818 #define MAY_LINK	0
1819 #define MAY_UNLINK	1
1820 #define MAY_RMDIR	2
1821 
1822 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1823 static int may_link(struct inode *dir,
1824 		    struct dentry *dentry,
1825 		    int kind)
1826 
1827 {
1828 	struct inode_security_struct *dsec, *isec;
1829 	struct common_audit_data ad;
1830 	u32 sid = current_sid();
1831 	u32 av;
1832 	int rc;
1833 
1834 	dsec = inode_security(dir);
1835 	isec = backing_inode_security(dentry);
1836 
1837 	ad.type = LSM_AUDIT_DATA_DENTRY;
1838 	ad.u.dentry = dentry;
1839 
1840 	av = DIR__SEARCH;
1841 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1842 	rc = avc_has_perm(&selinux_state,
1843 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1844 	if (rc)
1845 		return rc;
1846 
1847 	switch (kind) {
1848 	case MAY_LINK:
1849 		av = FILE__LINK;
1850 		break;
1851 	case MAY_UNLINK:
1852 		av = FILE__UNLINK;
1853 		break;
1854 	case MAY_RMDIR:
1855 		av = DIR__RMDIR;
1856 		break;
1857 	default:
1858 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1859 			__func__, kind);
1860 		return 0;
1861 	}
1862 
1863 	rc = avc_has_perm(&selinux_state,
1864 			  sid, isec->sid, isec->sclass, av, &ad);
1865 	return rc;
1866 }
1867 
1868 static inline int may_rename(struct inode *old_dir,
1869 			     struct dentry *old_dentry,
1870 			     struct inode *new_dir,
1871 			     struct dentry *new_dentry)
1872 {
1873 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1874 	struct common_audit_data ad;
1875 	u32 sid = current_sid();
1876 	u32 av;
1877 	int old_is_dir, new_is_dir;
1878 	int rc;
1879 
1880 	old_dsec = inode_security(old_dir);
1881 	old_isec = backing_inode_security(old_dentry);
1882 	old_is_dir = d_is_dir(old_dentry);
1883 	new_dsec = inode_security(new_dir);
1884 
1885 	ad.type = LSM_AUDIT_DATA_DENTRY;
1886 
1887 	ad.u.dentry = old_dentry;
1888 	rc = avc_has_perm(&selinux_state,
1889 			  sid, old_dsec->sid, SECCLASS_DIR,
1890 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1891 	if (rc)
1892 		return rc;
1893 	rc = avc_has_perm(&selinux_state,
1894 			  sid, old_isec->sid,
1895 			  old_isec->sclass, FILE__RENAME, &ad);
1896 	if (rc)
1897 		return rc;
1898 	if (old_is_dir && new_dir != old_dir) {
1899 		rc = avc_has_perm(&selinux_state,
1900 				  sid, old_isec->sid,
1901 				  old_isec->sclass, DIR__REPARENT, &ad);
1902 		if (rc)
1903 			return rc;
1904 	}
1905 
1906 	ad.u.dentry = new_dentry;
1907 	av = DIR__ADD_NAME | DIR__SEARCH;
1908 	if (d_is_positive(new_dentry))
1909 		av |= DIR__REMOVE_NAME;
1910 	rc = avc_has_perm(&selinux_state,
1911 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1912 	if (rc)
1913 		return rc;
1914 	if (d_is_positive(new_dentry)) {
1915 		new_isec = backing_inode_security(new_dentry);
1916 		new_is_dir = d_is_dir(new_dentry);
1917 		rc = avc_has_perm(&selinux_state,
1918 				  sid, new_isec->sid,
1919 				  new_isec->sclass,
1920 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1921 		if (rc)
1922 			return rc;
1923 	}
1924 
1925 	return 0;
1926 }
1927 
1928 /* Check whether a task can perform a filesystem operation. */
1929 static int superblock_has_perm(const struct cred *cred,
1930 			       struct super_block *sb,
1931 			       u32 perms,
1932 			       struct common_audit_data *ad)
1933 {
1934 	struct superblock_security_struct *sbsec;
1935 	u32 sid = cred_sid(cred);
1936 
1937 	sbsec = selinux_superblock(sb);
1938 	return avc_has_perm(&selinux_state,
1939 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1940 }
1941 
1942 /* Convert a Linux mode and permission mask to an access vector. */
1943 static inline u32 file_mask_to_av(int mode, int mask)
1944 {
1945 	u32 av = 0;
1946 
1947 	if (!S_ISDIR(mode)) {
1948 		if (mask & MAY_EXEC)
1949 			av |= FILE__EXECUTE;
1950 		if (mask & MAY_READ)
1951 			av |= FILE__READ;
1952 
1953 		if (mask & MAY_APPEND)
1954 			av |= FILE__APPEND;
1955 		else if (mask & MAY_WRITE)
1956 			av |= FILE__WRITE;
1957 
1958 	} else {
1959 		if (mask & MAY_EXEC)
1960 			av |= DIR__SEARCH;
1961 		if (mask & MAY_WRITE)
1962 			av |= DIR__WRITE;
1963 		if (mask & MAY_READ)
1964 			av |= DIR__READ;
1965 	}
1966 
1967 	return av;
1968 }
1969 
1970 /* Convert a Linux file to an access vector. */
1971 static inline u32 file_to_av(struct file *file)
1972 {
1973 	u32 av = 0;
1974 
1975 	if (file->f_mode & FMODE_READ)
1976 		av |= FILE__READ;
1977 	if (file->f_mode & FMODE_WRITE) {
1978 		if (file->f_flags & O_APPEND)
1979 			av |= FILE__APPEND;
1980 		else
1981 			av |= FILE__WRITE;
1982 	}
1983 	if (!av) {
1984 		/*
1985 		 * Special file opened with flags 3 for ioctl-only use.
1986 		 */
1987 		av = FILE__IOCTL;
1988 	}
1989 
1990 	return av;
1991 }
1992 
1993 /*
1994  * Convert a file to an access vector and include the correct
1995  * open permission.
1996  */
1997 static inline u32 open_file_to_av(struct file *file)
1998 {
1999 	u32 av = file_to_av(file);
2000 	struct inode *inode = file_inode(file);
2001 
2002 	if (selinux_policycap_openperm() &&
2003 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2004 		av |= FILE__OPEN;
2005 
2006 	return av;
2007 }
2008 
2009 /* Hook functions begin here. */
2010 
2011 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2012 {
2013 	return avc_has_perm(&selinux_state,
2014 			    current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2015 			    BINDER__SET_CONTEXT_MGR, NULL);
2016 }
2017 
2018 static int selinux_binder_transaction(const struct cred *from,
2019 				      const struct cred *to)
2020 {
2021 	u32 mysid = current_sid();
2022 	u32 fromsid = cred_sid(from);
2023 	u32 tosid = cred_sid(to);
2024 	int rc;
2025 
2026 	if (mysid != fromsid) {
2027 		rc = avc_has_perm(&selinux_state,
2028 				  mysid, fromsid, SECCLASS_BINDER,
2029 				  BINDER__IMPERSONATE, NULL);
2030 		if (rc)
2031 			return rc;
2032 	}
2033 
2034 	return avc_has_perm(&selinux_state, fromsid, tosid,
2035 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2036 }
2037 
2038 static int selinux_binder_transfer_binder(const struct cred *from,
2039 					  const struct cred *to)
2040 {
2041 	return avc_has_perm(&selinux_state,
2042 			    cred_sid(from), cred_sid(to),
2043 			    SECCLASS_BINDER, BINDER__TRANSFER,
2044 			    NULL);
2045 }
2046 
2047 static int selinux_binder_transfer_file(const struct cred *from,
2048 					const struct cred *to,
2049 					struct file *file)
2050 {
2051 	u32 sid = cred_sid(to);
2052 	struct file_security_struct *fsec = selinux_file(file);
2053 	struct dentry *dentry = file->f_path.dentry;
2054 	struct inode_security_struct *isec;
2055 	struct common_audit_data ad;
2056 	int rc;
2057 
2058 	ad.type = LSM_AUDIT_DATA_PATH;
2059 	ad.u.path = file->f_path;
2060 
2061 	if (sid != fsec->sid) {
2062 		rc = avc_has_perm(&selinux_state,
2063 				  sid, fsec->sid,
2064 				  SECCLASS_FD,
2065 				  FD__USE,
2066 				  &ad);
2067 		if (rc)
2068 			return rc;
2069 	}
2070 
2071 #ifdef CONFIG_BPF_SYSCALL
2072 	rc = bpf_fd_pass(file, sid);
2073 	if (rc)
2074 		return rc;
2075 #endif
2076 
2077 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2078 		return 0;
2079 
2080 	isec = backing_inode_security(dentry);
2081 	return avc_has_perm(&selinux_state,
2082 			    sid, isec->sid, isec->sclass, file_to_av(file),
2083 			    &ad);
2084 }
2085 
2086 static int selinux_ptrace_access_check(struct task_struct *child,
2087 				       unsigned int mode)
2088 {
2089 	u32 sid = current_sid();
2090 	u32 csid = task_sid_obj(child);
2091 
2092 	if (mode & PTRACE_MODE_READ)
2093 		return avc_has_perm(&selinux_state,
2094 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2095 
2096 	return avc_has_perm(&selinux_state,
2097 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2098 }
2099 
2100 static int selinux_ptrace_traceme(struct task_struct *parent)
2101 {
2102 	return avc_has_perm(&selinux_state,
2103 			    task_sid_obj(parent), task_sid_obj(current),
2104 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2105 }
2106 
2107 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2108 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2109 {
2110 	return avc_has_perm(&selinux_state,
2111 			    current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2112 			    PROCESS__GETCAP, NULL);
2113 }
2114 
2115 static int selinux_capset(struct cred *new, const struct cred *old,
2116 			  const kernel_cap_t *effective,
2117 			  const kernel_cap_t *inheritable,
2118 			  const kernel_cap_t *permitted)
2119 {
2120 	return avc_has_perm(&selinux_state,
2121 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2122 			    PROCESS__SETCAP, NULL);
2123 }
2124 
2125 /*
2126  * (This comment used to live with the selinux_task_setuid hook,
2127  * which was removed).
2128  *
2129  * Since setuid only affects the current process, and since the SELinux
2130  * controls are not based on the Linux identity attributes, SELinux does not
2131  * need to control this operation.  However, SELinux does control the use of
2132  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2133  */
2134 
2135 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2136 			   int cap, unsigned int opts)
2137 {
2138 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2139 }
2140 
2141 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2142 {
2143 	const struct cred *cred = current_cred();
2144 	int rc = 0;
2145 
2146 	if (!sb)
2147 		return 0;
2148 
2149 	switch (cmds) {
2150 	case Q_SYNC:
2151 	case Q_QUOTAON:
2152 	case Q_QUOTAOFF:
2153 	case Q_SETINFO:
2154 	case Q_SETQUOTA:
2155 	case Q_XQUOTAOFF:
2156 	case Q_XQUOTAON:
2157 	case Q_XSETQLIM:
2158 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2159 		break;
2160 	case Q_GETFMT:
2161 	case Q_GETINFO:
2162 	case Q_GETQUOTA:
2163 	case Q_XGETQUOTA:
2164 	case Q_XGETQSTAT:
2165 	case Q_XGETQSTATV:
2166 	case Q_XGETNEXTQUOTA:
2167 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2168 		break;
2169 	default:
2170 		rc = 0;  /* let the kernel handle invalid cmds */
2171 		break;
2172 	}
2173 	return rc;
2174 }
2175 
2176 static int selinux_quota_on(struct dentry *dentry)
2177 {
2178 	const struct cred *cred = current_cred();
2179 
2180 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2181 }
2182 
2183 static int selinux_syslog(int type)
2184 {
2185 	switch (type) {
2186 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2187 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2188 		return avc_has_perm(&selinux_state,
2189 				    current_sid(), SECINITSID_KERNEL,
2190 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2191 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2192 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2193 	/* Set level of messages printed to console */
2194 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2195 		return avc_has_perm(&selinux_state,
2196 				    current_sid(), SECINITSID_KERNEL,
2197 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2198 				    NULL);
2199 	}
2200 	/* All other syslog types */
2201 	return avc_has_perm(&selinux_state,
2202 			    current_sid(), SECINITSID_KERNEL,
2203 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2204 }
2205 
2206 /*
2207  * Check that a process has enough memory to allocate a new virtual
2208  * mapping. 0 means there is enough memory for the allocation to
2209  * succeed and -ENOMEM implies there is not.
2210  *
2211  * Do not audit the selinux permission check, as this is applied to all
2212  * processes that allocate mappings.
2213  */
2214 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2215 {
2216 	int rc, cap_sys_admin = 0;
2217 
2218 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2219 				 CAP_OPT_NOAUDIT, true);
2220 	if (rc == 0)
2221 		cap_sys_admin = 1;
2222 
2223 	return cap_sys_admin;
2224 }
2225 
2226 /* binprm security operations */
2227 
2228 static u32 ptrace_parent_sid(void)
2229 {
2230 	u32 sid = 0;
2231 	struct task_struct *tracer;
2232 
2233 	rcu_read_lock();
2234 	tracer = ptrace_parent(current);
2235 	if (tracer)
2236 		sid = task_sid_obj(tracer);
2237 	rcu_read_unlock();
2238 
2239 	return sid;
2240 }
2241 
2242 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2243 			    const struct task_security_struct *old_tsec,
2244 			    const struct task_security_struct *new_tsec)
2245 {
2246 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2247 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2248 	int rc;
2249 	u32 av;
2250 
2251 	if (!nnp && !nosuid)
2252 		return 0; /* neither NNP nor nosuid */
2253 
2254 	if (new_tsec->sid == old_tsec->sid)
2255 		return 0; /* No change in credentials */
2256 
2257 	/*
2258 	 * If the policy enables the nnp_nosuid_transition policy capability,
2259 	 * then we permit transitions under NNP or nosuid if the
2260 	 * policy allows the corresponding permission between
2261 	 * the old and new contexts.
2262 	 */
2263 	if (selinux_policycap_nnp_nosuid_transition()) {
2264 		av = 0;
2265 		if (nnp)
2266 			av |= PROCESS2__NNP_TRANSITION;
2267 		if (nosuid)
2268 			av |= PROCESS2__NOSUID_TRANSITION;
2269 		rc = avc_has_perm(&selinux_state,
2270 				  old_tsec->sid, new_tsec->sid,
2271 				  SECCLASS_PROCESS2, av, NULL);
2272 		if (!rc)
2273 			return 0;
2274 	}
2275 
2276 	/*
2277 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2278 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2279 	 * of the permissions of the current SID.
2280 	 */
2281 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2282 					 new_tsec->sid);
2283 	if (!rc)
2284 		return 0;
2285 
2286 	/*
2287 	 * On failure, preserve the errno values for NNP vs nosuid.
2288 	 * NNP:  Operation not permitted for caller.
2289 	 * nosuid:  Permission denied to file.
2290 	 */
2291 	if (nnp)
2292 		return -EPERM;
2293 	return -EACCES;
2294 }
2295 
2296 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2297 {
2298 	const struct task_security_struct *old_tsec;
2299 	struct task_security_struct *new_tsec;
2300 	struct inode_security_struct *isec;
2301 	struct common_audit_data ad;
2302 	struct inode *inode = file_inode(bprm->file);
2303 	int rc;
2304 
2305 	/* SELinux context only depends on initial program or script and not
2306 	 * the script interpreter */
2307 
2308 	old_tsec = selinux_cred(current_cred());
2309 	new_tsec = selinux_cred(bprm->cred);
2310 	isec = inode_security(inode);
2311 
2312 	/* Default to the current task SID. */
2313 	new_tsec->sid = old_tsec->sid;
2314 	new_tsec->osid = old_tsec->sid;
2315 
2316 	/* Reset fs, key, and sock SIDs on execve. */
2317 	new_tsec->create_sid = 0;
2318 	new_tsec->keycreate_sid = 0;
2319 	new_tsec->sockcreate_sid = 0;
2320 
2321 	if (old_tsec->exec_sid) {
2322 		new_tsec->sid = old_tsec->exec_sid;
2323 		/* Reset exec SID on execve. */
2324 		new_tsec->exec_sid = 0;
2325 
2326 		/* Fail on NNP or nosuid if not an allowed transition. */
2327 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2328 		if (rc)
2329 			return rc;
2330 	} else {
2331 		/* Check for a default transition on this program. */
2332 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2333 					     isec->sid, SECCLASS_PROCESS, NULL,
2334 					     &new_tsec->sid);
2335 		if (rc)
2336 			return rc;
2337 
2338 		/*
2339 		 * Fallback to old SID on NNP or nosuid if not an allowed
2340 		 * transition.
2341 		 */
2342 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2343 		if (rc)
2344 			new_tsec->sid = old_tsec->sid;
2345 	}
2346 
2347 	ad.type = LSM_AUDIT_DATA_FILE;
2348 	ad.u.file = bprm->file;
2349 
2350 	if (new_tsec->sid == old_tsec->sid) {
2351 		rc = avc_has_perm(&selinux_state,
2352 				  old_tsec->sid, isec->sid,
2353 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2354 		if (rc)
2355 			return rc;
2356 	} else {
2357 		/* Check permissions for the transition. */
2358 		rc = avc_has_perm(&selinux_state,
2359 				  old_tsec->sid, new_tsec->sid,
2360 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2361 		if (rc)
2362 			return rc;
2363 
2364 		rc = avc_has_perm(&selinux_state,
2365 				  new_tsec->sid, isec->sid,
2366 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2367 		if (rc)
2368 			return rc;
2369 
2370 		/* Check for shared state */
2371 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2372 			rc = avc_has_perm(&selinux_state,
2373 					  old_tsec->sid, new_tsec->sid,
2374 					  SECCLASS_PROCESS, PROCESS__SHARE,
2375 					  NULL);
2376 			if (rc)
2377 				return -EPERM;
2378 		}
2379 
2380 		/* Make sure that anyone attempting to ptrace over a task that
2381 		 * changes its SID has the appropriate permit */
2382 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2383 			u32 ptsid = ptrace_parent_sid();
2384 			if (ptsid != 0) {
2385 				rc = avc_has_perm(&selinux_state,
2386 						  ptsid, new_tsec->sid,
2387 						  SECCLASS_PROCESS,
2388 						  PROCESS__PTRACE, NULL);
2389 				if (rc)
2390 					return -EPERM;
2391 			}
2392 		}
2393 
2394 		/* Clear any possibly unsafe personality bits on exec: */
2395 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2396 
2397 		/* Enable secure mode for SIDs transitions unless
2398 		   the noatsecure permission is granted between
2399 		   the two SIDs, i.e. ahp returns 0. */
2400 		rc = avc_has_perm(&selinux_state,
2401 				  old_tsec->sid, new_tsec->sid,
2402 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2403 				  NULL);
2404 		bprm->secureexec |= !!rc;
2405 	}
2406 
2407 	return 0;
2408 }
2409 
2410 static int match_file(const void *p, struct file *file, unsigned fd)
2411 {
2412 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2413 }
2414 
2415 /* Derived from fs/exec.c:flush_old_files. */
2416 static inline void flush_unauthorized_files(const struct cred *cred,
2417 					    struct files_struct *files)
2418 {
2419 	struct file *file, *devnull = NULL;
2420 	struct tty_struct *tty;
2421 	int drop_tty = 0;
2422 	unsigned n;
2423 
2424 	tty = get_current_tty();
2425 	if (tty) {
2426 		spin_lock(&tty->files_lock);
2427 		if (!list_empty(&tty->tty_files)) {
2428 			struct tty_file_private *file_priv;
2429 
2430 			/* Revalidate access to controlling tty.
2431 			   Use file_path_has_perm on the tty path directly
2432 			   rather than using file_has_perm, as this particular
2433 			   open file may belong to another process and we are
2434 			   only interested in the inode-based check here. */
2435 			file_priv = list_first_entry(&tty->tty_files,
2436 						struct tty_file_private, list);
2437 			file = file_priv->file;
2438 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2439 				drop_tty = 1;
2440 		}
2441 		spin_unlock(&tty->files_lock);
2442 		tty_kref_put(tty);
2443 	}
2444 	/* Reset controlling tty. */
2445 	if (drop_tty)
2446 		no_tty();
2447 
2448 	/* Revalidate access to inherited open files. */
2449 	n = iterate_fd(files, 0, match_file, cred);
2450 	if (!n) /* none found? */
2451 		return;
2452 
2453 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2454 	if (IS_ERR(devnull))
2455 		devnull = NULL;
2456 	/* replace all the matching ones with this */
2457 	do {
2458 		replace_fd(n - 1, devnull, 0);
2459 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2460 	if (devnull)
2461 		fput(devnull);
2462 }
2463 
2464 /*
2465  * Prepare a process for imminent new credential changes due to exec
2466  */
2467 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2468 {
2469 	struct task_security_struct *new_tsec;
2470 	struct rlimit *rlim, *initrlim;
2471 	int rc, i;
2472 
2473 	new_tsec = selinux_cred(bprm->cred);
2474 	if (new_tsec->sid == new_tsec->osid)
2475 		return;
2476 
2477 	/* Close files for which the new task SID is not authorized. */
2478 	flush_unauthorized_files(bprm->cred, current->files);
2479 
2480 	/* Always clear parent death signal on SID transitions. */
2481 	current->pdeath_signal = 0;
2482 
2483 	/* Check whether the new SID can inherit resource limits from the old
2484 	 * SID.  If not, reset all soft limits to the lower of the current
2485 	 * task's hard limit and the init task's soft limit.
2486 	 *
2487 	 * Note that the setting of hard limits (even to lower them) can be
2488 	 * controlled by the setrlimit check.  The inclusion of the init task's
2489 	 * soft limit into the computation is to avoid resetting soft limits
2490 	 * higher than the default soft limit for cases where the default is
2491 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2492 	 */
2493 	rc = avc_has_perm(&selinux_state,
2494 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2495 			  PROCESS__RLIMITINH, NULL);
2496 	if (rc) {
2497 		/* protect against do_prlimit() */
2498 		task_lock(current);
2499 		for (i = 0; i < RLIM_NLIMITS; i++) {
2500 			rlim = current->signal->rlim + i;
2501 			initrlim = init_task.signal->rlim + i;
2502 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2503 		}
2504 		task_unlock(current);
2505 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2506 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2507 	}
2508 }
2509 
2510 /*
2511  * Clean up the process immediately after the installation of new credentials
2512  * due to exec
2513  */
2514 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2515 {
2516 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2517 	u32 osid, sid;
2518 	int rc;
2519 
2520 	osid = tsec->osid;
2521 	sid = tsec->sid;
2522 
2523 	if (sid == osid)
2524 		return;
2525 
2526 	/* Check whether the new SID can inherit signal state from the old SID.
2527 	 * If not, clear itimers to avoid subsequent signal generation and
2528 	 * flush and unblock signals.
2529 	 *
2530 	 * This must occur _after_ the task SID has been updated so that any
2531 	 * kill done after the flush will be checked against the new SID.
2532 	 */
2533 	rc = avc_has_perm(&selinux_state,
2534 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2535 	if (rc) {
2536 		clear_itimer();
2537 
2538 		spin_lock_irq(&current->sighand->siglock);
2539 		if (!fatal_signal_pending(current)) {
2540 			flush_sigqueue(&current->pending);
2541 			flush_sigqueue(&current->signal->shared_pending);
2542 			flush_signal_handlers(current, 1);
2543 			sigemptyset(&current->blocked);
2544 			recalc_sigpending();
2545 		}
2546 		spin_unlock_irq(&current->sighand->siglock);
2547 	}
2548 
2549 	/* Wake up the parent if it is waiting so that it can recheck
2550 	 * wait permission to the new task SID. */
2551 	read_lock(&tasklist_lock);
2552 	__wake_up_parent(current, current->real_parent);
2553 	read_unlock(&tasklist_lock);
2554 }
2555 
2556 /* superblock security operations */
2557 
2558 static int selinux_sb_alloc_security(struct super_block *sb)
2559 {
2560 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2561 
2562 	mutex_init(&sbsec->lock);
2563 	INIT_LIST_HEAD(&sbsec->isec_head);
2564 	spin_lock_init(&sbsec->isec_lock);
2565 	sbsec->sid = SECINITSID_UNLABELED;
2566 	sbsec->def_sid = SECINITSID_FILE;
2567 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2568 
2569 	return 0;
2570 }
2571 
2572 static inline int opt_len(const char *s)
2573 {
2574 	bool open_quote = false;
2575 	int len;
2576 	char c;
2577 
2578 	for (len = 0; (c = s[len]) != '\0'; len++) {
2579 		if (c == '"')
2580 			open_quote = !open_quote;
2581 		if (c == ',' && !open_quote)
2582 			break;
2583 	}
2584 	return len;
2585 }
2586 
2587 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2588 {
2589 	char *from = options;
2590 	char *to = options;
2591 	bool first = true;
2592 	int rc;
2593 
2594 	while (1) {
2595 		int len = opt_len(from);
2596 		int token;
2597 		char *arg = NULL;
2598 
2599 		token = match_opt_prefix(from, len, &arg);
2600 
2601 		if (token != Opt_error) {
2602 			char *p, *q;
2603 
2604 			/* strip quotes */
2605 			if (arg) {
2606 				for (p = q = arg; p < from + len; p++) {
2607 					char c = *p;
2608 					if (c != '"')
2609 						*q++ = c;
2610 				}
2611 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2612 				if (!arg) {
2613 					rc = -ENOMEM;
2614 					goto free_opt;
2615 				}
2616 			}
2617 			rc = selinux_add_opt(token, arg, mnt_opts);
2618 			if (unlikely(rc)) {
2619 				kfree(arg);
2620 				goto free_opt;
2621 			}
2622 		} else {
2623 			if (!first) {	// copy with preceding comma
2624 				from--;
2625 				len++;
2626 			}
2627 			if (to != from)
2628 				memmove(to, from, len);
2629 			to += len;
2630 			first = false;
2631 		}
2632 		if (!from[len])
2633 			break;
2634 		from += len + 1;
2635 	}
2636 	*to = '\0';
2637 	return 0;
2638 
2639 free_opt:
2640 	if (*mnt_opts) {
2641 		selinux_free_mnt_opts(*mnt_opts);
2642 		*mnt_opts = NULL;
2643 	}
2644 	return rc;
2645 }
2646 
2647 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2648 {
2649 	struct selinux_mnt_opts *opts = mnt_opts;
2650 	struct superblock_security_struct *sbsec = sb->s_security;
2651 	u32 sid;
2652 	int rc;
2653 
2654 	/*
2655 	 * Superblock not initialized (i.e. no options) - reject if any
2656 	 * options specified, otherwise accept.
2657 	 */
2658 	if (!(sbsec->flags & SE_SBINITIALIZED))
2659 		return opts ? 1 : 0;
2660 
2661 	/*
2662 	 * Superblock initialized and no options specified - reject if
2663 	 * superblock has any options set, otherwise accept.
2664 	 */
2665 	if (!opts)
2666 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2667 
2668 	if (opts->fscontext) {
2669 		rc = parse_sid(sb, opts->fscontext, &sid, GFP_NOWAIT);
2670 		if (rc)
2671 			return 1;
2672 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2673 			return 1;
2674 	}
2675 	if (opts->context) {
2676 		rc = parse_sid(sb, opts->context, &sid, GFP_NOWAIT);
2677 		if (rc)
2678 			return 1;
2679 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2680 			return 1;
2681 	}
2682 	if (opts->rootcontext) {
2683 		struct inode_security_struct *root_isec;
2684 
2685 		root_isec = backing_inode_security(sb->s_root);
2686 		rc = parse_sid(sb, opts->rootcontext, &sid, GFP_NOWAIT);
2687 		if (rc)
2688 			return 1;
2689 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2690 			return 1;
2691 	}
2692 	if (opts->defcontext) {
2693 		rc = parse_sid(sb, opts->defcontext, &sid, GFP_NOWAIT);
2694 		if (rc)
2695 			return 1;
2696 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2697 			return 1;
2698 	}
2699 	return 0;
2700 }
2701 
2702 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2703 {
2704 	struct selinux_mnt_opts *opts = mnt_opts;
2705 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2706 	u32 sid;
2707 	int rc;
2708 
2709 	if (!(sbsec->flags & SE_SBINITIALIZED))
2710 		return 0;
2711 
2712 	if (!opts)
2713 		return 0;
2714 
2715 	if (opts->fscontext) {
2716 		rc = parse_sid(sb, opts->fscontext, &sid, GFP_KERNEL);
2717 		if (rc)
2718 			return rc;
2719 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2720 			goto out_bad_option;
2721 	}
2722 	if (opts->context) {
2723 		rc = parse_sid(sb, opts->context, &sid, GFP_KERNEL);
2724 		if (rc)
2725 			return rc;
2726 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2727 			goto out_bad_option;
2728 	}
2729 	if (opts->rootcontext) {
2730 		struct inode_security_struct *root_isec;
2731 		root_isec = backing_inode_security(sb->s_root);
2732 		rc = parse_sid(sb, opts->rootcontext, &sid, GFP_KERNEL);
2733 		if (rc)
2734 			return rc;
2735 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2736 			goto out_bad_option;
2737 	}
2738 	if (opts->defcontext) {
2739 		rc = parse_sid(sb, opts->defcontext, &sid, GFP_KERNEL);
2740 		if (rc)
2741 			return rc;
2742 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2743 			goto out_bad_option;
2744 	}
2745 	return 0;
2746 
2747 out_bad_option:
2748 	pr_warn("SELinux: unable to change security options "
2749 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2750 	       sb->s_type->name);
2751 	return -EINVAL;
2752 }
2753 
2754 static int selinux_sb_kern_mount(struct super_block *sb)
2755 {
2756 	const struct cred *cred = current_cred();
2757 	struct common_audit_data ad;
2758 
2759 	ad.type = LSM_AUDIT_DATA_DENTRY;
2760 	ad.u.dentry = sb->s_root;
2761 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2762 }
2763 
2764 static int selinux_sb_statfs(struct dentry *dentry)
2765 {
2766 	const struct cred *cred = current_cred();
2767 	struct common_audit_data ad;
2768 
2769 	ad.type = LSM_AUDIT_DATA_DENTRY;
2770 	ad.u.dentry = dentry->d_sb->s_root;
2771 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2772 }
2773 
2774 static int selinux_mount(const char *dev_name,
2775 			 const struct path *path,
2776 			 const char *type,
2777 			 unsigned long flags,
2778 			 void *data)
2779 {
2780 	const struct cred *cred = current_cred();
2781 
2782 	if (flags & MS_REMOUNT)
2783 		return superblock_has_perm(cred, path->dentry->d_sb,
2784 					   FILESYSTEM__REMOUNT, NULL);
2785 	else
2786 		return path_has_perm(cred, path, FILE__MOUNTON);
2787 }
2788 
2789 static int selinux_move_mount(const struct path *from_path,
2790 			      const struct path *to_path)
2791 {
2792 	const struct cred *cred = current_cred();
2793 
2794 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2795 }
2796 
2797 static int selinux_umount(struct vfsmount *mnt, int flags)
2798 {
2799 	const struct cred *cred = current_cred();
2800 
2801 	return superblock_has_perm(cred, mnt->mnt_sb,
2802 				   FILESYSTEM__UNMOUNT, NULL);
2803 }
2804 
2805 static int selinux_fs_context_dup(struct fs_context *fc,
2806 				  struct fs_context *src_fc)
2807 {
2808 	const struct selinux_mnt_opts *src = src_fc->security;
2809 	struct selinux_mnt_opts *opts;
2810 
2811 	if (!src)
2812 		return 0;
2813 
2814 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2815 	if (!fc->security)
2816 		return -ENOMEM;
2817 
2818 	opts = fc->security;
2819 
2820 	if (src->fscontext) {
2821 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2822 		if (!opts->fscontext)
2823 			return -ENOMEM;
2824 	}
2825 	if (src->context) {
2826 		opts->context = kstrdup(src->context, GFP_KERNEL);
2827 		if (!opts->context)
2828 			return -ENOMEM;
2829 	}
2830 	if (src->rootcontext) {
2831 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2832 		if (!opts->rootcontext)
2833 			return -ENOMEM;
2834 	}
2835 	if (src->defcontext) {
2836 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2837 		if (!opts->defcontext)
2838 			return -ENOMEM;
2839 	}
2840 	return 0;
2841 }
2842 
2843 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2844 	fsparam_string(CONTEXT_STR,	Opt_context),
2845 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2846 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2847 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2848 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2849 	{}
2850 };
2851 
2852 static int selinux_fs_context_parse_param(struct fs_context *fc,
2853 					  struct fs_parameter *param)
2854 {
2855 	struct fs_parse_result result;
2856 	int opt, rc;
2857 
2858 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2859 	if (opt < 0)
2860 		return opt;
2861 
2862 	rc = selinux_add_opt(opt, param->string, &fc->security);
2863 	if (!rc) {
2864 		param->string = NULL;
2865 		rc = 1;
2866 	}
2867 	return rc;
2868 }
2869 
2870 /* inode security operations */
2871 
2872 static int selinux_inode_alloc_security(struct inode *inode)
2873 {
2874 	struct inode_security_struct *isec = selinux_inode(inode);
2875 	u32 sid = current_sid();
2876 
2877 	spin_lock_init(&isec->lock);
2878 	INIT_LIST_HEAD(&isec->list);
2879 	isec->inode = inode;
2880 	isec->sid = SECINITSID_UNLABELED;
2881 	isec->sclass = SECCLASS_FILE;
2882 	isec->task_sid = sid;
2883 	isec->initialized = LABEL_INVALID;
2884 
2885 	return 0;
2886 }
2887 
2888 static void selinux_inode_free_security(struct inode *inode)
2889 {
2890 	inode_free_security(inode);
2891 }
2892 
2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894 					const struct qstr *name,
2895 					const char **xattr_name, void **ctx,
2896 					u32 *ctxlen)
2897 {
2898 	u32 newsid;
2899 	int rc;
2900 
2901 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2902 					   d_inode(dentry->d_parent), name,
2903 					   inode_mode_to_security_class(mode),
2904 					   &newsid);
2905 	if (rc)
2906 		return rc;
2907 
2908 	if (xattr_name)
2909 		*xattr_name = XATTR_NAME_SELINUX;
2910 
2911 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2912 				       ctxlen);
2913 }
2914 
2915 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2916 					  struct qstr *name,
2917 					  const struct cred *old,
2918 					  struct cred *new)
2919 {
2920 	u32 newsid;
2921 	int rc;
2922 	struct task_security_struct *tsec;
2923 
2924 	rc = selinux_determine_inode_label(selinux_cred(old),
2925 					   d_inode(dentry->d_parent), name,
2926 					   inode_mode_to_security_class(mode),
2927 					   &newsid);
2928 	if (rc)
2929 		return rc;
2930 
2931 	tsec = selinux_cred(new);
2932 	tsec->create_sid = newsid;
2933 	return 0;
2934 }
2935 
2936 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2937 				       const struct qstr *qstr,
2938 				       const char **name,
2939 				       void **value, size_t *len)
2940 {
2941 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2942 	struct superblock_security_struct *sbsec;
2943 	u32 newsid, clen;
2944 	int rc;
2945 	char *context;
2946 
2947 	sbsec = selinux_superblock(dir->i_sb);
2948 
2949 	newsid = tsec->create_sid;
2950 
2951 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2952 		inode_mode_to_security_class(inode->i_mode),
2953 		&newsid);
2954 	if (rc)
2955 		return rc;
2956 
2957 	/* Possibly defer initialization to selinux_complete_init. */
2958 	if (sbsec->flags & SE_SBINITIALIZED) {
2959 		struct inode_security_struct *isec = selinux_inode(inode);
2960 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2961 		isec->sid = newsid;
2962 		isec->initialized = LABEL_INITIALIZED;
2963 	}
2964 
2965 	if (!selinux_initialized(&selinux_state) ||
2966 	    !(sbsec->flags & SBLABEL_MNT))
2967 		return -EOPNOTSUPP;
2968 
2969 	if (name)
2970 		*name = XATTR_SELINUX_SUFFIX;
2971 
2972 	if (value && len) {
2973 		rc = security_sid_to_context_force(&selinux_state, newsid,
2974 						   &context, &clen);
2975 		if (rc)
2976 			return rc;
2977 		*value = context;
2978 		*len = clen;
2979 	}
2980 
2981 	return 0;
2982 }
2983 
2984 static int selinux_inode_init_security_anon(struct inode *inode,
2985 					    const struct qstr *name,
2986 					    const struct inode *context_inode)
2987 {
2988 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2989 	struct common_audit_data ad;
2990 	struct inode_security_struct *isec;
2991 	int rc;
2992 
2993 	if (unlikely(!selinux_initialized(&selinux_state)))
2994 		return 0;
2995 
2996 	isec = selinux_inode(inode);
2997 
2998 	/*
2999 	 * We only get here once per ephemeral inode.  The inode has
3000 	 * been initialized via inode_alloc_security but is otherwise
3001 	 * untouched.
3002 	 */
3003 
3004 	if (context_inode) {
3005 		struct inode_security_struct *context_isec =
3006 			selinux_inode(context_inode);
3007 		if (context_isec->initialized != LABEL_INITIALIZED) {
3008 			pr_err("SELinux:  context_inode is not initialized");
3009 			return -EACCES;
3010 		}
3011 
3012 		isec->sclass = context_isec->sclass;
3013 		isec->sid = context_isec->sid;
3014 	} else {
3015 		isec->sclass = SECCLASS_ANON_INODE;
3016 		rc = security_transition_sid(
3017 			&selinux_state, tsec->sid, tsec->sid,
3018 			isec->sclass, name, &isec->sid);
3019 		if (rc)
3020 			return rc;
3021 	}
3022 
3023 	isec->initialized = LABEL_INITIALIZED;
3024 	/*
3025 	 * Now that we've initialized security, check whether we're
3026 	 * allowed to actually create this type of anonymous inode.
3027 	 */
3028 
3029 	ad.type = LSM_AUDIT_DATA_INODE;
3030 	ad.u.inode = inode;
3031 
3032 	return avc_has_perm(&selinux_state,
3033 			    tsec->sid,
3034 			    isec->sid,
3035 			    isec->sclass,
3036 			    FILE__CREATE,
3037 			    &ad);
3038 }
3039 
3040 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3041 {
3042 	return may_create(dir, dentry, SECCLASS_FILE);
3043 }
3044 
3045 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3046 {
3047 	return may_link(dir, old_dentry, MAY_LINK);
3048 }
3049 
3050 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3051 {
3052 	return may_link(dir, dentry, MAY_UNLINK);
3053 }
3054 
3055 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3056 {
3057 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3058 }
3059 
3060 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3061 {
3062 	return may_create(dir, dentry, SECCLASS_DIR);
3063 }
3064 
3065 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3066 {
3067 	return may_link(dir, dentry, MAY_RMDIR);
3068 }
3069 
3070 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3071 {
3072 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3073 }
3074 
3075 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3076 				struct inode *new_inode, struct dentry *new_dentry)
3077 {
3078 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3079 }
3080 
3081 static int selinux_inode_readlink(struct dentry *dentry)
3082 {
3083 	const struct cred *cred = current_cred();
3084 
3085 	return dentry_has_perm(cred, dentry, FILE__READ);
3086 }
3087 
3088 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3089 				     bool rcu)
3090 {
3091 	const struct cred *cred = current_cred();
3092 	struct common_audit_data ad;
3093 	struct inode_security_struct *isec;
3094 	u32 sid;
3095 
3096 	validate_creds(cred);
3097 
3098 	ad.type = LSM_AUDIT_DATA_DENTRY;
3099 	ad.u.dentry = dentry;
3100 	sid = cred_sid(cred);
3101 	isec = inode_security_rcu(inode, rcu);
3102 	if (IS_ERR(isec))
3103 		return PTR_ERR(isec);
3104 
3105 	return avc_has_perm(&selinux_state,
3106 				  sid, isec->sid, isec->sclass, FILE__READ, &ad);
3107 }
3108 
3109 static noinline int audit_inode_permission(struct inode *inode,
3110 					   u32 perms, u32 audited, u32 denied,
3111 					   int result)
3112 {
3113 	struct common_audit_data ad;
3114 	struct inode_security_struct *isec = selinux_inode(inode);
3115 
3116 	ad.type = LSM_AUDIT_DATA_INODE;
3117 	ad.u.inode = inode;
3118 
3119 	return slow_avc_audit(&selinux_state,
3120 			    current_sid(), isec->sid, isec->sclass, perms,
3121 			    audited, denied, result, &ad);
3122 }
3123 
3124 static int selinux_inode_permission(struct inode *inode, int mask)
3125 {
3126 	const struct cred *cred = current_cred();
3127 	u32 perms;
3128 	bool from_access;
3129 	bool no_block = mask & MAY_NOT_BLOCK;
3130 	struct inode_security_struct *isec;
3131 	u32 sid;
3132 	struct av_decision avd;
3133 	int rc, rc2;
3134 	u32 audited, denied;
3135 
3136 	from_access = mask & MAY_ACCESS;
3137 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3138 
3139 	/* No permission to check.  Existence test. */
3140 	if (!mask)
3141 		return 0;
3142 
3143 	validate_creds(cred);
3144 
3145 	if (unlikely(IS_PRIVATE(inode)))
3146 		return 0;
3147 
3148 	perms = file_mask_to_av(inode->i_mode, mask);
3149 
3150 	sid = cred_sid(cred);
3151 	isec = inode_security_rcu(inode, no_block);
3152 	if (IS_ERR(isec))
3153 		return PTR_ERR(isec);
3154 
3155 	rc = avc_has_perm_noaudit(&selinux_state,
3156 				  sid, isec->sid, isec->sclass, perms, 0,
3157 				  &avd);
3158 	audited = avc_audit_required(perms, &avd, rc,
3159 				     from_access ? FILE__AUDIT_ACCESS : 0,
3160 				     &denied);
3161 	if (likely(!audited))
3162 		return rc;
3163 
3164 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3165 	if (rc2)
3166 		return rc2;
3167 	return rc;
3168 }
3169 
3170 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3171 {
3172 	const struct cred *cred = current_cred();
3173 	struct inode *inode = d_backing_inode(dentry);
3174 	unsigned int ia_valid = iattr->ia_valid;
3175 	__u32 av = FILE__WRITE;
3176 
3177 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3178 	if (ia_valid & ATTR_FORCE) {
3179 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3180 			      ATTR_FORCE);
3181 		if (!ia_valid)
3182 			return 0;
3183 	}
3184 
3185 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3186 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3187 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3188 
3189 	if (selinux_policycap_openperm() &&
3190 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3191 	    (ia_valid & ATTR_SIZE) &&
3192 	    !(ia_valid & ATTR_FILE))
3193 		av |= FILE__OPEN;
3194 
3195 	return dentry_has_perm(cred, dentry, av);
3196 }
3197 
3198 static int selinux_inode_getattr(const struct path *path)
3199 {
3200 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3201 }
3202 
3203 static bool has_cap_mac_admin(bool audit)
3204 {
3205 	const struct cred *cred = current_cred();
3206 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3207 
3208 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3209 		return false;
3210 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3211 		return false;
3212 	return true;
3213 }
3214 
3215 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3216 				  struct dentry *dentry, const char *name,
3217 				  const void *value, size_t size, int flags)
3218 {
3219 	struct inode *inode = d_backing_inode(dentry);
3220 	struct inode_security_struct *isec;
3221 	struct superblock_security_struct *sbsec;
3222 	struct common_audit_data ad;
3223 	u32 newsid, sid = current_sid();
3224 	int rc = 0;
3225 
3226 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3228 		if (rc)
3229 			return rc;
3230 
3231 		/* Not an attribute we recognize, so just check the
3232 		   ordinary setattr permission. */
3233 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3234 	}
3235 
3236 	if (!selinux_initialized(&selinux_state))
3237 		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3238 
3239 	sbsec = selinux_superblock(inode->i_sb);
3240 	if (!(sbsec->flags & SBLABEL_MNT))
3241 		return -EOPNOTSUPP;
3242 
3243 	if (!inode_owner_or_capable(mnt_userns, inode))
3244 		return -EPERM;
3245 
3246 	ad.type = LSM_AUDIT_DATA_DENTRY;
3247 	ad.u.dentry = dentry;
3248 
3249 	isec = backing_inode_security(dentry);
3250 	rc = avc_has_perm(&selinux_state,
3251 			  sid, isec->sid, isec->sclass,
3252 			  FILE__RELABELFROM, &ad);
3253 	if (rc)
3254 		return rc;
3255 
3256 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3257 				     GFP_KERNEL);
3258 	if (rc == -EINVAL) {
3259 		if (!has_cap_mac_admin(true)) {
3260 			struct audit_buffer *ab;
3261 			size_t audit_size;
3262 
3263 			/* We strip a nul only if it is at the end, otherwise the
3264 			 * context contains a nul and we should audit that */
3265 			if (value) {
3266 				const char *str = value;
3267 
3268 				if (str[size - 1] == '\0')
3269 					audit_size = size - 1;
3270 				else
3271 					audit_size = size;
3272 			} else {
3273 				audit_size = 0;
3274 			}
3275 			ab = audit_log_start(audit_context(),
3276 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3277 			if (!ab)
3278 				return rc;
3279 			audit_log_format(ab, "op=setxattr invalid_context=");
3280 			audit_log_n_untrustedstring(ab, value, audit_size);
3281 			audit_log_end(ab);
3282 
3283 			return rc;
3284 		}
3285 		rc = security_context_to_sid_force(&selinux_state, value,
3286 						   size, &newsid);
3287 	}
3288 	if (rc)
3289 		return rc;
3290 
3291 	rc = avc_has_perm(&selinux_state,
3292 			  sid, newsid, isec->sclass,
3293 			  FILE__RELABELTO, &ad);
3294 	if (rc)
3295 		return rc;
3296 
3297 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3298 					  sid, isec->sclass);
3299 	if (rc)
3300 		return rc;
3301 
3302 	return avc_has_perm(&selinux_state,
3303 			    newsid,
3304 			    sbsec->sid,
3305 			    SECCLASS_FILESYSTEM,
3306 			    FILESYSTEM__ASSOCIATE,
3307 			    &ad);
3308 }
3309 
3310 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3311 					const void *value, size_t size,
3312 					int flags)
3313 {
3314 	struct inode *inode = d_backing_inode(dentry);
3315 	struct inode_security_struct *isec;
3316 	u32 newsid;
3317 	int rc;
3318 
3319 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3320 		/* Not an attribute we recognize, so nothing to do. */
3321 		return;
3322 	}
3323 
3324 	if (!selinux_initialized(&selinux_state)) {
3325 		/* If we haven't even been initialized, then we can't validate
3326 		 * against a policy, so leave the label as invalid. It may
3327 		 * resolve to a valid label on the next revalidation try if
3328 		 * we've since initialized.
3329 		 */
3330 		return;
3331 	}
3332 
3333 	rc = security_context_to_sid_force(&selinux_state, value, size,
3334 					   &newsid);
3335 	if (rc) {
3336 		pr_err("SELinux:  unable to map context to SID"
3337 		       "for (%s, %lu), rc=%d\n",
3338 		       inode->i_sb->s_id, inode->i_ino, -rc);
3339 		return;
3340 	}
3341 
3342 	isec = backing_inode_security(dentry);
3343 	spin_lock(&isec->lock);
3344 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3345 	isec->sid = newsid;
3346 	isec->initialized = LABEL_INITIALIZED;
3347 	spin_unlock(&isec->lock);
3348 
3349 	return;
3350 }
3351 
3352 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3353 {
3354 	const struct cred *cred = current_cred();
3355 
3356 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3357 }
3358 
3359 static int selinux_inode_listxattr(struct dentry *dentry)
3360 {
3361 	const struct cred *cred = current_cred();
3362 
3363 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3364 }
3365 
3366 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3367 				     struct dentry *dentry, const char *name)
3368 {
3369 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3370 		int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3371 		if (rc)
3372 			return rc;
3373 
3374 		/* Not an attribute we recognize, so just check the
3375 		   ordinary setattr permission. */
3376 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3377 	}
3378 
3379 	if (!selinux_initialized(&selinux_state))
3380 		return 0;
3381 
3382 	/* No one is allowed to remove a SELinux security label.
3383 	   You can change the label, but all data must be labeled. */
3384 	return -EACCES;
3385 }
3386 
3387 static int selinux_path_notify(const struct path *path, u64 mask,
3388 						unsigned int obj_type)
3389 {
3390 	int ret;
3391 	u32 perm;
3392 
3393 	struct common_audit_data ad;
3394 
3395 	ad.type = LSM_AUDIT_DATA_PATH;
3396 	ad.u.path = *path;
3397 
3398 	/*
3399 	 * Set permission needed based on the type of mark being set.
3400 	 * Performs an additional check for sb watches.
3401 	 */
3402 	switch (obj_type) {
3403 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3404 		perm = FILE__WATCH_MOUNT;
3405 		break;
3406 	case FSNOTIFY_OBJ_TYPE_SB:
3407 		perm = FILE__WATCH_SB;
3408 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3409 						FILESYSTEM__WATCH, &ad);
3410 		if (ret)
3411 			return ret;
3412 		break;
3413 	case FSNOTIFY_OBJ_TYPE_INODE:
3414 		perm = FILE__WATCH;
3415 		break;
3416 	default:
3417 		return -EINVAL;
3418 	}
3419 
3420 	/* blocking watches require the file:watch_with_perm permission */
3421 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3422 		perm |= FILE__WATCH_WITH_PERM;
3423 
3424 	/* watches on read-like events need the file:watch_reads permission */
3425 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3426 		perm |= FILE__WATCH_READS;
3427 
3428 	return path_has_perm(current_cred(), path, perm);
3429 }
3430 
3431 /*
3432  * Copy the inode security context value to the user.
3433  *
3434  * Permission check is handled by selinux_inode_getxattr hook.
3435  */
3436 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3437 				     struct inode *inode, const char *name,
3438 				     void **buffer, bool alloc)
3439 {
3440 	u32 size;
3441 	int error;
3442 	char *context = NULL;
3443 	struct inode_security_struct *isec;
3444 
3445 	/*
3446 	 * If we're not initialized yet, then we can't validate contexts, so
3447 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3448 	 */
3449 	if (!selinux_initialized(&selinux_state) ||
3450 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3451 		return -EOPNOTSUPP;
3452 
3453 	/*
3454 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3455 	 * value even if it is not defined by current policy; otherwise,
3456 	 * use the in-core value under current policy.
3457 	 * Use the non-auditing forms of the permission checks since
3458 	 * getxattr may be called by unprivileged processes commonly
3459 	 * and lack of permission just means that we fall back to the
3460 	 * in-core context value, not a denial.
3461 	 */
3462 	isec = inode_security(inode);
3463 	if (has_cap_mac_admin(false))
3464 		error = security_sid_to_context_force(&selinux_state,
3465 						      isec->sid, &context,
3466 						      &size);
3467 	else
3468 		error = security_sid_to_context(&selinux_state, isec->sid,
3469 						&context, &size);
3470 	if (error)
3471 		return error;
3472 	error = size;
3473 	if (alloc) {
3474 		*buffer = context;
3475 		goto out_nofree;
3476 	}
3477 	kfree(context);
3478 out_nofree:
3479 	return error;
3480 }
3481 
3482 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3483 				     const void *value, size_t size, int flags)
3484 {
3485 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3486 	struct superblock_security_struct *sbsec;
3487 	u32 newsid;
3488 	int rc;
3489 
3490 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3491 		return -EOPNOTSUPP;
3492 
3493 	sbsec = selinux_superblock(inode->i_sb);
3494 	if (!(sbsec->flags & SBLABEL_MNT))
3495 		return -EOPNOTSUPP;
3496 
3497 	if (!value || !size)
3498 		return -EACCES;
3499 
3500 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3501 				     GFP_KERNEL);
3502 	if (rc)
3503 		return rc;
3504 
3505 	spin_lock(&isec->lock);
3506 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3507 	isec->sid = newsid;
3508 	isec->initialized = LABEL_INITIALIZED;
3509 	spin_unlock(&isec->lock);
3510 	return 0;
3511 }
3512 
3513 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3514 {
3515 	const int len = sizeof(XATTR_NAME_SELINUX);
3516 
3517 	if (!selinux_initialized(&selinux_state))
3518 		return 0;
3519 
3520 	if (buffer && len <= buffer_size)
3521 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3522 	return len;
3523 }
3524 
3525 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3526 {
3527 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3528 	*secid = isec->sid;
3529 }
3530 
3531 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3532 {
3533 	u32 sid;
3534 	struct task_security_struct *tsec;
3535 	struct cred *new_creds = *new;
3536 
3537 	if (new_creds == NULL) {
3538 		new_creds = prepare_creds();
3539 		if (!new_creds)
3540 			return -ENOMEM;
3541 	}
3542 
3543 	tsec = selinux_cred(new_creds);
3544 	/* Get label from overlay inode and set it in create_sid */
3545 	selinux_inode_getsecid(d_inode(src), &sid);
3546 	tsec->create_sid = sid;
3547 	*new = new_creds;
3548 	return 0;
3549 }
3550 
3551 static int selinux_inode_copy_up_xattr(const char *name)
3552 {
3553 	/* The copy_up hook above sets the initial context on an inode, but we
3554 	 * don't then want to overwrite it by blindly copying all the lower
3555 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3556 	 */
3557 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3558 		return 1; /* Discard */
3559 	/*
3560 	 * Any other attribute apart from SELINUX is not claimed, supported
3561 	 * by selinux.
3562 	 */
3563 	return -EOPNOTSUPP;
3564 }
3565 
3566 /* kernfs node operations */
3567 
3568 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3569 					struct kernfs_node *kn)
3570 {
3571 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3572 	u32 parent_sid, newsid, clen;
3573 	int rc;
3574 	char *context;
3575 
3576 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3577 	if (rc == -ENODATA)
3578 		return 0;
3579 	else if (rc < 0)
3580 		return rc;
3581 
3582 	clen = (u32)rc;
3583 	context = kmalloc(clen, GFP_KERNEL);
3584 	if (!context)
3585 		return -ENOMEM;
3586 
3587 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3588 	if (rc < 0) {
3589 		kfree(context);
3590 		return rc;
3591 	}
3592 
3593 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3594 				     GFP_KERNEL);
3595 	kfree(context);
3596 	if (rc)
3597 		return rc;
3598 
3599 	if (tsec->create_sid) {
3600 		newsid = tsec->create_sid;
3601 	} else {
3602 		u16 secclass = inode_mode_to_security_class(kn->mode);
3603 		struct qstr q;
3604 
3605 		q.name = kn->name;
3606 		q.hash_len = hashlen_string(kn_dir, kn->name);
3607 
3608 		rc = security_transition_sid(&selinux_state, tsec->sid,
3609 					     parent_sid, secclass, &q,
3610 					     &newsid);
3611 		if (rc)
3612 			return rc;
3613 	}
3614 
3615 	rc = security_sid_to_context_force(&selinux_state, newsid,
3616 					   &context, &clen);
3617 	if (rc)
3618 		return rc;
3619 
3620 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3621 			      XATTR_CREATE);
3622 	kfree(context);
3623 	return rc;
3624 }
3625 
3626 
3627 /* file security operations */
3628 
3629 static int selinux_revalidate_file_permission(struct file *file, int mask)
3630 {
3631 	const struct cred *cred = current_cred();
3632 	struct inode *inode = file_inode(file);
3633 
3634 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3635 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3636 		mask |= MAY_APPEND;
3637 
3638 	return file_has_perm(cred, file,
3639 			     file_mask_to_av(inode->i_mode, mask));
3640 }
3641 
3642 static int selinux_file_permission(struct file *file, int mask)
3643 {
3644 	struct inode *inode = file_inode(file);
3645 	struct file_security_struct *fsec = selinux_file(file);
3646 	struct inode_security_struct *isec;
3647 	u32 sid = current_sid();
3648 
3649 	if (!mask)
3650 		/* No permission to check.  Existence test. */
3651 		return 0;
3652 
3653 	isec = inode_security(inode);
3654 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3655 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3656 		/* No change since file_open check. */
3657 		return 0;
3658 
3659 	return selinux_revalidate_file_permission(file, mask);
3660 }
3661 
3662 static int selinux_file_alloc_security(struct file *file)
3663 {
3664 	struct file_security_struct *fsec = selinux_file(file);
3665 	u32 sid = current_sid();
3666 
3667 	fsec->sid = sid;
3668 	fsec->fown_sid = sid;
3669 
3670 	return 0;
3671 }
3672 
3673 /*
3674  * Check whether a task has the ioctl permission and cmd
3675  * operation to an inode.
3676  */
3677 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3678 		u32 requested, u16 cmd)
3679 {
3680 	struct common_audit_data ad;
3681 	struct file_security_struct *fsec = selinux_file(file);
3682 	struct inode *inode = file_inode(file);
3683 	struct inode_security_struct *isec;
3684 	struct lsm_ioctlop_audit ioctl;
3685 	u32 ssid = cred_sid(cred);
3686 	int rc;
3687 	u8 driver = cmd >> 8;
3688 	u8 xperm = cmd & 0xff;
3689 
3690 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3691 	ad.u.op = &ioctl;
3692 	ad.u.op->cmd = cmd;
3693 	ad.u.op->path = file->f_path;
3694 
3695 	if (ssid != fsec->sid) {
3696 		rc = avc_has_perm(&selinux_state,
3697 				  ssid, fsec->sid,
3698 				SECCLASS_FD,
3699 				FD__USE,
3700 				&ad);
3701 		if (rc)
3702 			goto out;
3703 	}
3704 
3705 	if (unlikely(IS_PRIVATE(inode)))
3706 		return 0;
3707 
3708 	isec = inode_security(inode);
3709 	rc = avc_has_extended_perms(&selinux_state,
3710 				    ssid, isec->sid, isec->sclass,
3711 				    requested, driver, xperm, &ad);
3712 out:
3713 	return rc;
3714 }
3715 
3716 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3717 			      unsigned long arg)
3718 {
3719 	const struct cred *cred = current_cred();
3720 	int error = 0;
3721 
3722 	switch (cmd) {
3723 	case FIONREAD:
3724 	case FIBMAP:
3725 	case FIGETBSZ:
3726 	case FS_IOC_GETFLAGS:
3727 	case FS_IOC_GETVERSION:
3728 		error = file_has_perm(cred, file, FILE__GETATTR);
3729 		break;
3730 
3731 	case FS_IOC_SETFLAGS:
3732 	case FS_IOC_SETVERSION:
3733 		error = file_has_perm(cred, file, FILE__SETATTR);
3734 		break;
3735 
3736 	/* sys_ioctl() checks */
3737 	case FIONBIO:
3738 	case FIOASYNC:
3739 		error = file_has_perm(cred, file, 0);
3740 		break;
3741 
3742 	case KDSKBENT:
3743 	case KDSKBSENT:
3744 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3745 					    CAP_OPT_NONE, true);
3746 		break;
3747 
3748 	/* default case assumes that the command will go
3749 	 * to the file's ioctl() function.
3750 	 */
3751 	default:
3752 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3753 	}
3754 	return error;
3755 }
3756 
3757 static int default_noexec __ro_after_init;
3758 
3759 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3760 {
3761 	const struct cred *cred = current_cred();
3762 	u32 sid = cred_sid(cred);
3763 	int rc = 0;
3764 
3765 	if (default_noexec &&
3766 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3767 				   (!shared && (prot & PROT_WRITE)))) {
3768 		/*
3769 		 * We are making executable an anonymous mapping or a
3770 		 * private file mapping that will also be writable.
3771 		 * This has an additional check.
3772 		 */
3773 		rc = avc_has_perm(&selinux_state,
3774 				  sid, sid, SECCLASS_PROCESS,
3775 				  PROCESS__EXECMEM, NULL);
3776 		if (rc)
3777 			goto error;
3778 	}
3779 
3780 	if (file) {
3781 		/* read access is always possible with a mapping */
3782 		u32 av = FILE__READ;
3783 
3784 		/* write access only matters if the mapping is shared */
3785 		if (shared && (prot & PROT_WRITE))
3786 			av |= FILE__WRITE;
3787 
3788 		if (prot & PROT_EXEC)
3789 			av |= FILE__EXECUTE;
3790 
3791 		return file_has_perm(cred, file, av);
3792 	}
3793 
3794 error:
3795 	return rc;
3796 }
3797 
3798 static int selinux_mmap_addr(unsigned long addr)
3799 {
3800 	int rc = 0;
3801 
3802 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3803 		u32 sid = current_sid();
3804 		rc = avc_has_perm(&selinux_state,
3805 				  sid, sid, SECCLASS_MEMPROTECT,
3806 				  MEMPROTECT__MMAP_ZERO, NULL);
3807 	}
3808 
3809 	return rc;
3810 }
3811 
3812 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3813 			     unsigned long prot, unsigned long flags)
3814 {
3815 	struct common_audit_data ad;
3816 	int rc;
3817 
3818 	if (file) {
3819 		ad.type = LSM_AUDIT_DATA_FILE;
3820 		ad.u.file = file;
3821 		rc = inode_has_perm(current_cred(), file_inode(file),
3822 				    FILE__MAP, &ad);
3823 		if (rc)
3824 			return rc;
3825 	}
3826 
3827 	if (checkreqprot_get(&selinux_state))
3828 		prot = reqprot;
3829 
3830 	return file_map_prot_check(file, prot,
3831 				   (flags & MAP_TYPE) == MAP_SHARED);
3832 }
3833 
3834 static int selinux_file_mprotect(struct vm_area_struct *vma,
3835 				 unsigned long reqprot,
3836 				 unsigned long prot)
3837 {
3838 	const struct cred *cred = current_cred();
3839 	u32 sid = cred_sid(cred);
3840 
3841 	if (checkreqprot_get(&selinux_state))
3842 		prot = reqprot;
3843 
3844 	if (default_noexec &&
3845 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3846 		int rc = 0;
3847 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3848 		    vma->vm_end <= vma->vm_mm->brk) {
3849 			rc = avc_has_perm(&selinux_state,
3850 					  sid, sid, SECCLASS_PROCESS,
3851 					  PROCESS__EXECHEAP, NULL);
3852 		} else if (!vma->vm_file &&
3853 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3854 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3855 			    vma_is_stack_for_current(vma))) {
3856 			rc = avc_has_perm(&selinux_state,
3857 					  sid, sid, SECCLASS_PROCESS,
3858 					  PROCESS__EXECSTACK, NULL);
3859 		} else if (vma->vm_file && vma->anon_vma) {
3860 			/*
3861 			 * We are making executable a file mapping that has
3862 			 * had some COW done. Since pages might have been
3863 			 * written, check ability to execute the possibly
3864 			 * modified content.  This typically should only
3865 			 * occur for text relocations.
3866 			 */
3867 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3868 		}
3869 		if (rc)
3870 			return rc;
3871 	}
3872 
3873 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3874 }
3875 
3876 static int selinux_file_lock(struct file *file, unsigned int cmd)
3877 {
3878 	const struct cred *cred = current_cred();
3879 
3880 	return file_has_perm(cred, file, FILE__LOCK);
3881 }
3882 
3883 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3884 			      unsigned long arg)
3885 {
3886 	const struct cred *cred = current_cred();
3887 	int err = 0;
3888 
3889 	switch (cmd) {
3890 	case F_SETFL:
3891 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3892 			err = file_has_perm(cred, file, FILE__WRITE);
3893 			break;
3894 		}
3895 		fallthrough;
3896 	case F_SETOWN:
3897 	case F_SETSIG:
3898 	case F_GETFL:
3899 	case F_GETOWN:
3900 	case F_GETSIG:
3901 	case F_GETOWNER_UIDS:
3902 		/* Just check FD__USE permission */
3903 		err = file_has_perm(cred, file, 0);
3904 		break;
3905 	case F_GETLK:
3906 	case F_SETLK:
3907 	case F_SETLKW:
3908 	case F_OFD_GETLK:
3909 	case F_OFD_SETLK:
3910 	case F_OFD_SETLKW:
3911 #if BITS_PER_LONG == 32
3912 	case F_GETLK64:
3913 	case F_SETLK64:
3914 	case F_SETLKW64:
3915 #endif
3916 		err = file_has_perm(cred, file, FILE__LOCK);
3917 		break;
3918 	}
3919 
3920 	return err;
3921 }
3922 
3923 static void selinux_file_set_fowner(struct file *file)
3924 {
3925 	struct file_security_struct *fsec;
3926 
3927 	fsec = selinux_file(file);
3928 	fsec->fown_sid = current_sid();
3929 }
3930 
3931 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3932 				       struct fown_struct *fown, int signum)
3933 {
3934 	struct file *file;
3935 	u32 sid = task_sid_obj(tsk);
3936 	u32 perm;
3937 	struct file_security_struct *fsec;
3938 
3939 	/* struct fown_struct is never outside the context of a struct file */
3940 	file = container_of(fown, struct file, f_owner);
3941 
3942 	fsec = selinux_file(file);
3943 
3944 	if (!signum)
3945 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3946 	else
3947 		perm = signal_to_av(signum);
3948 
3949 	return avc_has_perm(&selinux_state,
3950 			    fsec->fown_sid, sid,
3951 			    SECCLASS_PROCESS, perm, NULL);
3952 }
3953 
3954 static int selinux_file_receive(struct file *file)
3955 {
3956 	const struct cred *cred = current_cred();
3957 
3958 	return file_has_perm(cred, file, file_to_av(file));
3959 }
3960 
3961 static int selinux_file_open(struct file *file)
3962 {
3963 	struct file_security_struct *fsec;
3964 	struct inode_security_struct *isec;
3965 
3966 	fsec = selinux_file(file);
3967 	isec = inode_security(file_inode(file));
3968 	/*
3969 	 * Save inode label and policy sequence number
3970 	 * at open-time so that selinux_file_permission
3971 	 * can determine whether revalidation is necessary.
3972 	 * Task label is already saved in the file security
3973 	 * struct as its SID.
3974 	 */
3975 	fsec->isid = isec->sid;
3976 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3977 	/*
3978 	 * Since the inode label or policy seqno may have changed
3979 	 * between the selinux_inode_permission check and the saving
3980 	 * of state above, recheck that access is still permitted.
3981 	 * Otherwise, access might never be revalidated against the
3982 	 * new inode label or new policy.
3983 	 * This check is not redundant - do not remove.
3984 	 */
3985 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3986 }
3987 
3988 /* task security operations */
3989 
3990 static int selinux_task_alloc(struct task_struct *task,
3991 			      unsigned long clone_flags)
3992 {
3993 	u32 sid = current_sid();
3994 
3995 	return avc_has_perm(&selinux_state,
3996 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3997 }
3998 
3999 /*
4000  * prepare a new set of credentials for modification
4001  */
4002 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4003 				gfp_t gfp)
4004 {
4005 	const struct task_security_struct *old_tsec = selinux_cred(old);
4006 	struct task_security_struct *tsec = selinux_cred(new);
4007 
4008 	*tsec = *old_tsec;
4009 	return 0;
4010 }
4011 
4012 /*
4013  * transfer the SELinux data to a blank set of creds
4014  */
4015 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4016 {
4017 	const struct task_security_struct *old_tsec = selinux_cred(old);
4018 	struct task_security_struct *tsec = selinux_cred(new);
4019 
4020 	*tsec = *old_tsec;
4021 }
4022 
4023 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4024 {
4025 	*secid = cred_sid(c);
4026 }
4027 
4028 /*
4029  * set the security data for a kernel service
4030  * - all the creation contexts are set to unlabelled
4031  */
4032 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4033 {
4034 	struct task_security_struct *tsec = selinux_cred(new);
4035 	u32 sid = current_sid();
4036 	int ret;
4037 
4038 	ret = avc_has_perm(&selinux_state,
4039 			   sid, secid,
4040 			   SECCLASS_KERNEL_SERVICE,
4041 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4042 			   NULL);
4043 	if (ret == 0) {
4044 		tsec->sid = secid;
4045 		tsec->create_sid = 0;
4046 		tsec->keycreate_sid = 0;
4047 		tsec->sockcreate_sid = 0;
4048 	}
4049 	return ret;
4050 }
4051 
4052 /*
4053  * set the file creation context in a security record to the same as the
4054  * objective context of the specified inode
4055  */
4056 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4057 {
4058 	struct inode_security_struct *isec = inode_security(inode);
4059 	struct task_security_struct *tsec = selinux_cred(new);
4060 	u32 sid = current_sid();
4061 	int ret;
4062 
4063 	ret = avc_has_perm(&selinux_state,
4064 			   sid, isec->sid,
4065 			   SECCLASS_KERNEL_SERVICE,
4066 			   KERNEL_SERVICE__CREATE_FILES_AS,
4067 			   NULL);
4068 
4069 	if (ret == 0)
4070 		tsec->create_sid = isec->sid;
4071 	return ret;
4072 }
4073 
4074 static int selinux_kernel_module_request(char *kmod_name)
4075 {
4076 	struct common_audit_data ad;
4077 
4078 	ad.type = LSM_AUDIT_DATA_KMOD;
4079 	ad.u.kmod_name = kmod_name;
4080 
4081 	return avc_has_perm(&selinux_state,
4082 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4083 			    SYSTEM__MODULE_REQUEST, &ad);
4084 }
4085 
4086 static int selinux_kernel_module_from_file(struct file *file)
4087 {
4088 	struct common_audit_data ad;
4089 	struct inode_security_struct *isec;
4090 	struct file_security_struct *fsec;
4091 	u32 sid = current_sid();
4092 	int rc;
4093 
4094 	/* init_module */
4095 	if (file == NULL)
4096 		return avc_has_perm(&selinux_state,
4097 				    sid, sid, SECCLASS_SYSTEM,
4098 					SYSTEM__MODULE_LOAD, NULL);
4099 
4100 	/* finit_module */
4101 
4102 	ad.type = LSM_AUDIT_DATA_FILE;
4103 	ad.u.file = file;
4104 
4105 	fsec = selinux_file(file);
4106 	if (sid != fsec->sid) {
4107 		rc = avc_has_perm(&selinux_state,
4108 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4109 		if (rc)
4110 			return rc;
4111 	}
4112 
4113 	isec = inode_security(file_inode(file));
4114 	return avc_has_perm(&selinux_state,
4115 			    sid, isec->sid, SECCLASS_SYSTEM,
4116 				SYSTEM__MODULE_LOAD, &ad);
4117 }
4118 
4119 static int selinux_kernel_read_file(struct file *file,
4120 				    enum kernel_read_file_id id,
4121 				    bool contents)
4122 {
4123 	int rc = 0;
4124 
4125 	switch (id) {
4126 	case READING_MODULE:
4127 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4128 		break;
4129 	default:
4130 		break;
4131 	}
4132 
4133 	return rc;
4134 }
4135 
4136 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4137 {
4138 	int rc = 0;
4139 
4140 	switch (id) {
4141 	case LOADING_MODULE:
4142 		rc = selinux_kernel_module_from_file(NULL);
4143 		break;
4144 	default:
4145 		break;
4146 	}
4147 
4148 	return rc;
4149 }
4150 
4151 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4152 {
4153 	return avc_has_perm(&selinux_state,
4154 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4155 			    PROCESS__SETPGID, NULL);
4156 }
4157 
4158 static int selinux_task_getpgid(struct task_struct *p)
4159 {
4160 	return avc_has_perm(&selinux_state,
4161 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4162 			    PROCESS__GETPGID, NULL);
4163 }
4164 
4165 static int selinux_task_getsid(struct task_struct *p)
4166 {
4167 	return avc_has_perm(&selinux_state,
4168 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4169 			    PROCESS__GETSESSION, NULL);
4170 }
4171 
4172 static void selinux_current_getsecid_subj(u32 *secid)
4173 {
4174 	*secid = current_sid();
4175 }
4176 
4177 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4178 {
4179 	*secid = task_sid_obj(p);
4180 }
4181 
4182 static int selinux_task_setnice(struct task_struct *p, int nice)
4183 {
4184 	return avc_has_perm(&selinux_state,
4185 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4186 			    PROCESS__SETSCHED, NULL);
4187 }
4188 
4189 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4190 {
4191 	return avc_has_perm(&selinux_state,
4192 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4193 			    PROCESS__SETSCHED, NULL);
4194 }
4195 
4196 static int selinux_task_getioprio(struct task_struct *p)
4197 {
4198 	return avc_has_perm(&selinux_state,
4199 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4200 			    PROCESS__GETSCHED, NULL);
4201 }
4202 
4203 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4204 				unsigned int flags)
4205 {
4206 	u32 av = 0;
4207 
4208 	if (!flags)
4209 		return 0;
4210 	if (flags & LSM_PRLIMIT_WRITE)
4211 		av |= PROCESS__SETRLIMIT;
4212 	if (flags & LSM_PRLIMIT_READ)
4213 		av |= PROCESS__GETRLIMIT;
4214 	return avc_has_perm(&selinux_state,
4215 			    cred_sid(cred), cred_sid(tcred),
4216 			    SECCLASS_PROCESS, av, NULL);
4217 }
4218 
4219 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4220 		struct rlimit *new_rlim)
4221 {
4222 	struct rlimit *old_rlim = p->signal->rlim + resource;
4223 
4224 	/* Control the ability to change the hard limit (whether
4225 	   lowering or raising it), so that the hard limit can
4226 	   later be used as a safe reset point for the soft limit
4227 	   upon context transitions.  See selinux_bprm_committing_creds. */
4228 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4229 		return avc_has_perm(&selinux_state,
4230 				    current_sid(), task_sid_obj(p),
4231 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4232 
4233 	return 0;
4234 }
4235 
4236 static int selinux_task_setscheduler(struct task_struct *p)
4237 {
4238 	return avc_has_perm(&selinux_state,
4239 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4240 			    PROCESS__SETSCHED, NULL);
4241 }
4242 
4243 static int selinux_task_getscheduler(struct task_struct *p)
4244 {
4245 	return avc_has_perm(&selinux_state,
4246 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4247 			    PROCESS__GETSCHED, NULL);
4248 }
4249 
4250 static int selinux_task_movememory(struct task_struct *p)
4251 {
4252 	return avc_has_perm(&selinux_state,
4253 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4254 			    PROCESS__SETSCHED, NULL);
4255 }
4256 
4257 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4258 				int sig, const struct cred *cred)
4259 {
4260 	u32 secid;
4261 	u32 perm;
4262 
4263 	if (!sig)
4264 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4265 	else
4266 		perm = signal_to_av(sig);
4267 	if (!cred)
4268 		secid = current_sid();
4269 	else
4270 		secid = cred_sid(cred);
4271 	return avc_has_perm(&selinux_state,
4272 			    secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4273 }
4274 
4275 static void selinux_task_to_inode(struct task_struct *p,
4276 				  struct inode *inode)
4277 {
4278 	struct inode_security_struct *isec = selinux_inode(inode);
4279 	u32 sid = task_sid_obj(p);
4280 
4281 	spin_lock(&isec->lock);
4282 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4283 	isec->sid = sid;
4284 	isec->initialized = LABEL_INITIALIZED;
4285 	spin_unlock(&isec->lock);
4286 }
4287 
4288 /* Returns error only if unable to parse addresses */
4289 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4290 			struct common_audit_data *ad, u8 *proto)
4291 {
4292 	int offset, ihlen, ret = -EINVAL;
4293 	struct iphdr _iph, *ih;
4294 
4295 	offset = skb_network_offset(skb);
4296 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4297 	if (ih == NULL)
4298 		goto out;
4299 
4300 	ihlen = ih->ihl * 4;
4301 	if (ihlen < sizeof(_iph))
4302 		goto out;
4303 
4304 	ad->u.net->v4info.saddr = ih->saddr;
4305 	ad->u.net->v4info.daddr = ih->daddr;
4306 	ret = 0;
4307 
4308 	if (proto)
4309 		*proto = ih->protocol;
4310 
4311 	switch (ih->protocol) {
4312 	case IPPROTO_TCP: {
4313 		struct tcphdr _tcph, *th;
4314 
4315 		if (ntohs(ih->frag_off) & IP_OFFSET)
4316 			break;
4317 
4318 		offset += ihlen;
4319 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4320 		if (th == NULL)
4321 			break;
4322 
4323 		ad->u.net->sport = th->source;
4324 		ad->u.net->dport = th->dest;
4325 		break;
4326 	}
4327 
4328 	case IPPROTO_UDP: {
4329 		struct udphdr _udph, *uh;
4330 
4331 		if (ntohs(ih->frag_off) & IP_OFFSET)
4332 			break;
4333 
4334 		offset += ihlen;
4335 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4336 		if (uh == NULL)
4337 			break;
4338 
4339 		ad->u.net->sport = uh->source;
4340 		ad->u.net->dport = uh->dest;
4341 		break;
4342 	}
4343 
4344 	case IPPROTO_DCCP: {
4345 		struct dccp_hdr _dccph, *dh;
4346 
4347 		if (ntohs(ih->frag_off) & IP_OFFSET)
4348 			break;
4349 
4350 		offset += ihlen;
4351 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4352 		if (dh == NULL)
4353 			break;
4354 
4355 		ad->u.net->sport = dh->dccph_sport;
4356 		ad->u.net->dport = dh->dccph_dport;
4357 		break;
4358 	}
4359 
4360 #if IS_ENABLED(CONFIG_IP_SCTP)
4361 	case IPPROTO_SCTP: {
4362 		struct sctphdr _sctph, *sh;
4363 
4364 		if (ntohs(ih->frag_off) & IP_OFFSET)
4365 			break;
4366 
4367 		offset += ihlen;
4368 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4369 		if (sh == NULL)
4370 			break;
4371 
4372 		ad->u.net->sport = sh->source;
4373 		ad->u.net->dport = sh->dest;
4374 		break;
4375 	}
4376 #endif
4377 	default:
4378 		break;
4379 	}
4380 out:
4381 	return ret;
4382 }
4383 
4384 #if IS_ENABLED(CONFIG_IPV6)
4385 
4386 /* Returns error only if unable to parse addresses */
4387 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4388 			struct common_audit_data *ad, u8 *proto)
4389 {
4390 	u8 nexthdr;
4391 	int ret = -EINVAL, offset;
4392 	struct ipv6hdr _ipv6h, *ip6;
4393 	__be16 frag_off;
4394 
4395 	offset = skb_network_offset(skb);
4396 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4397 	if (ip6 == NULL)
4398 		goto out;
4399 
4400 	ad->u.net->v6info.saddr = ip6->saddr;
4401 	ad->u.net->v6info.daddr = ip6->daddr;
4402 	ret = 0;
4403 
4404 	nexthdr = ip6->nexthdr;
4405 	offset += sizeof(_ipv6h);
4406 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4407 	if (offset < 0)
4408 		goto out;
4409 
4410 	if (proto)
4411 		*proto = nexthdr;
4412 
4413 	switch (nexthdr) {
4414 	case IPPROTO_TCP: {
4415 		struct tcphdr _tcph, *th;
4416 
4417 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4418 		if (th == NULL)
4419 			break;
4420 
4421 		ad->u.net->sport = th->source;
4422 		ad->u.net->dport = th->dest;
4423 		break;
4424 	}
4425 
4426 	case IPPROTO_UDP: {
4427 		struct udphdr _udph, *uh;
4428 
4429 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4430 		if (uh == NULL)
4431 			break;
4432 
4433 		ad->u.net->sport = uh->source;
4434 		ad->u.net->dport = uh->dest;
4435 		break;
4436 	}
4437 
4438 	case IPPROTO_DCCP: {
4439 		struct dccp_hdr _dccph, *dh;
4440 
4441 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4442 		if (dh == NULL)
4443 			break;
4444 
4445 		ad->u.net->sport = dh->dccph_sport;
4446 		ad->u.net->dport = dh->dccph_dport;
4447 		break;
4448 	}
4449 
4450 #if IS_ENABLED(CONFIG_IP_SCTP)
4451 	case IPPROTO_SCTP: {
4452 		struct sctphdr _sctph, *sh;
4453 
4454 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4455 		if (sh == NULL)
4456 			break;
4457 
4458 		ad->u.net->sport = sh->source;
4459 		ad->u.net->dport = sh->dest;
4460 		break;
4461 	}
4462 #endif
4463 	/* includes fragments */
4464 	default:
4465 		break;
4466 	}
4467 out:
4468 	return ret;
4469 }
4470 
4471 #endif /* IPV6 */
4472 
4473 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4474 			     char **_addrp, int src, u8 *proto)
4475 {
4476 	char *addrp;
4477 	int ret;
4478 
4479 	switch (ad->u.net->family) {
4480 	case PF_INET:
4481 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4482 		if (ret)
4483 			goto parse_error;
4484 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4485 				       &ad->u.net->v4info.daddr);
4486 		goto okay;
4487 
4488 #if IS_ENABLED(CONFIG_IPV6)
4489 	case PF_INET6:
4490 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4491 		if (ret)
4492 			goto parse_error;
4493 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4494 				       &ad->u.net->v6info.daddr);
4495 		goto okay;
4496 #endif	/* IPV6 */
4497 	default:
4498 		addrp = NULL;
4499 		goto okay;
4500 	}
4501 
4502 parse_error:
4503 	pr_warn(
4504 	       "SELinux: failure in selinux_parse_skb(),"
4505 	       " unable to parse packet\n");
4506 	return ret;
4507 
4508 okay:
4509 	if (_addrp)
4510 		*_addrp = addrp;
4511 	return 0;
4512 }
4513 
4514 /**
4515  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4516  * @skb: the packet
4517  * @family: protocol family
4518  * @sid: the packet's peer label SID
4519  *
4520  * Description:
4521  * Check the various different forms of network peer labeling and determine
4522  * the peer label/SID for the packet; most of the magic actually occurs in
4523  * the security server function security_net_peersid_cmp().  The function
4524  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4525  * or -EACCES if @sid is invalid due to inconsistencies with the different
4526  * peer labels.
4527  *
4528  */
4529 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4530 {
4531 	int err;
4532 	u32 xfrm_sid;
4533 	u32 nlbl_sid;
4534 	u32 nlbl_type;
4535 
4536 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4537 	if (unlikely(err))
4538 		return -EACCES;
4539 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4540 	if (unlikely(err))
4541 		return -EACCES;
4542 
4543 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4544 					   nlbl_type, xfrm_sid, sid);
4545 	if (unlikely(err)) {
4546 		pr_warn(
4547 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4548 		       " unable to determine packet's peer label\n");
4549 		return -EACCES;
4550 	}
4551 
4552 	return 0;
4553 }
4554 
4555 /**
4556  * selinux_conn_sid - Determine the child socket label for a connection
4557  * @sk_sid: the parent socket's SID
4558  * @skb_sid: the packet's SID
4559  * @conn_sid: the resulting connection SID
4560  *
4561  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4562  * combined with the MLS information from @skb_sid in order to create
4563  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4564  * of @sk_sid.  Returns zero on success, negative values on failure.
4565  *
4566  */
4567 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4568 {
4569 	int err = 0;
4570 
4571 	if (skb_sid != SECSID_NULL)
4572 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4573 					    conn_sid);
4574 	else
4575 		*conn_sid = sk_sid;
4576 
4577 	return err;
4578 }
4579 
4580 /* socket security operations */
4581 
4582 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4583 				 u16 secclass, u32 *socksid)
4584 {
4585 	if (tsec->sockcreate_sid > SECSID_NULL) {
4586 		*socksid = tsec->sockcreate_sid;
4587 		return 0;
4588 	}
4589 
4590 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4591 				       secclass, NULL, socksid);
4592 }
4593 
4594 static int sock_has_perm(struct sock *sk, u32 perms)
4595 {
4596 	struct sk_security_struct *sksec = sk->sk_security;
4597 	struct common_audit_data ad;
4598 	struct lsm_network_audit net = {0,};
4599 
4600 	if (sksec->sid == SECINITSID_KERNEL)
4601 		return 0;
4602 
4603 	ad.type = LSM_AUDIT_DATA_NET;
4604 	ad.u.net = &net;
4605 	ad.u.net->sk = sk;
4606 
4607 	return avc_has_perm(&selinux_state,
4608 			    current_sid(), sksec->sid, sksec->sclass, perms,
4609 			    &ad);
4610 }
4611 
4612 static int selinux_socket_create(int family, int type,
4613 				 int protocol, int kern)
4614 {
4615 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4616 	u32 newsid;
4617 	u16 secclass;
4618 	int rc;
4619 
4620 	if (kern)
4621 		return 0;
4622 
4623 	secclass = socket_type_to_security_class(family, type, protocol);
4624 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4625 	if (rc)
4626 		return rc;
4627 
4628 	return avc_has_perm(&selinux_state,
4629 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4630 }
4631 
4632 static int selinux_socket_post_create(struct socket *sock, int family,
4633 				      int type, int protocol, int kern)
4634 {
4635 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4636 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4637 	struct sk_security_struct *sksec;
4638 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4639 	u32 sid = SECINITSID_KERNEL;
4640 	int err = 0;
4641 
4642 	if (!kern) {
4643 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4644 		if (err)
4645 			return err;
4646 	}
4647 
4648 	isec->sclass = sclass;
4649 	isec->sid = sid;
4650 	isec->initialized = LABEL_INITIALIZED;
4651 
4652 	if (sock->sk) {
4653 		sksec = sock->sk->sk_security;
4654 		sksec->sclass = sclass;
4655 		sksec->sid = sid;
4656 		/* Allows detection of the first association on this socket */
4657 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4658 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4659 
4660 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4661 	}
4662 
4663 	return err;
4664 }
4665 
4666 static int selinux_socket_socketpair(struct socket *socka,
4667 				     struct socket *sockb)
4668 {
4669 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4670 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4671 
4672 	sksec_a->peer_sid = sksec_b->sid;
4673 	sksec_b->peer_sid = sksec_a->sid;
4674 
4675 	return 0;
4676 }
4677 
4678 /* Range of port numbers used to automatically bind.
4679    Need to determine whether we should perform a name_bind
4680    permission check between the socket and the port number. */
4681 
4682 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4683 {
4684 	struct sock *sk = sock->sk;
4685 	struct sk_security_struct *sksec = sk->sk_security;
4686 	u16 family;
4687 	int err;
4688 
4689 	err = sock_has_perm(sk, SOCKET__BIND);
4690 	if (err)
4691 		goto out;
4692 
4693 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4694 	family = sk->sk_family;
4695 	if (family == PF_INET || family == PF_INET6) {
4696 		char *addrp;
4697 		struct common_audit_data ad;
4698 		struct lsm_network_audit net = {0,};
4699 		struct sockaddr_in *addr4 = NULL;
4700 		struct sockaddr_in6 *addr6 = NULL;
4701 		u16 family_sa;
4702 		unsigned short snum;
4703 		u32 sid, node_perm;
4704 
4705 		/*
4706 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4707 		 * that validates multiple binding addresses. Because of this
4708 		 * need to check address->sa_family as it is possible to have
4709 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4710 		 */
4711 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4712 			return -EINVAL;
4713 		family_sa = address->sa_family;
4714 		switch (family_sa) {
4715 		case AF_UNSPEC:
4716 		case AF_INET:
4717 			if (addrlen < sizeof(struct sockaddr_in))
4718 				return -EINVAL;
4719 			addr4 = (struct sockaddr_in *)address;
4720 			if (family_sa == AF_UNSPEC) {
4721 				/* see __inet_bind(), we only want to allow
4722 				 * AF_UNSPEC if the address is INADDR_ANY
4723 				 */
4724 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4725 					goto err_af;
4726 				family_sa = AF_INET;
4727 			}
4728 			snum = ntohs(addr4->sin_port);
4729 			addrp = (char *)&addr4->sin_addr.s_addr;
4730 			break;
4731 		case AF_INET6:
4732 			if (addrlen < SIN6_LEN_RFC2133)
4733 				return -EINVAL;
4734 			addr6 = (struct sockaddr_in6 *)address;
4735 			snum = ntohs(addr6->sin6_port);
4736 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4737 			break;
4738 		default:
4739 			goto err_af;
4740 		}
4741 
4742 		ad.type = LSM_AUDIT_DATA_NET;
4743 		ad.u.net = &net;
4744 		ad.u.net->sport = htons(snum);
4745 		ad.u.net->family = family_sa;
4746 
4747 		if (snum) {
4748 			int low, high;
4749 
4750 			inet_get_local_port_range(sock_net(sk), &low, &high);
4751 
4752 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4753 			    snum < low || snum > high) {
4754 				err = sel_netport_sid(sk->sk_protocol,
4755 						      snum, &sid);
4756 				if (err)
4757 					goto out;
4758 				err = avc_has_perm(&selinux_state,
4759 						   sksec->sid, sid,
4760 						   sksec->sclass,
4761 						   SOCKET__NAME_BIND, &ad);
4762 				if (err)
4763 					goto out;
4764 			}
4765 		}
4766 
4767 		switch (sksec->sclass) {
4768 		case SECCLASS_TCP_SOCKET:
4769 			node_perm = TCP_SOCKET__NODE_BIND;
4770 			break;
4771 
4772 		case SECCLASS_UDP_SOCKET:
4773 			node_perm = UDP_SOCKET__NODE_BIND;
4774 			break;
4775 
4776 		case SECCLASS_DCCP_SOCKET:
4777 			node_perm = DCCP_SOCKET__NODE_BIND;
4778 			break;
4779 
4780 		case SECCLASS_SCTP_SOCKET:
4781 			node_perm = SCTP_SOCKET__NODE_BIND;
4782 			break;
4783 
4784 		default:
4785 			node_perm = RAWIP_SOCKET__NODE_BIND;
4786 			break;
4787 		}
4788 
4789 		err = sel_netnode_sid(addrp, family_sa, &sid);
4790 		if (err)
4791 			goto out;
4792 
4793 		if (family_sa == AF_INET)
4794 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4795 		else
4796 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4797 
4798 		err = avc_has_perm(&selinux_state,
4799 				   sksec->sid, sid,
4800 				   sksec->sclass, node_perm, &ad);
4801 		if (err)
4802 			goto out;
4803 	}
4804 out:
4805 	return err;
4806 err_af:
4807 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4808 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4809 		return -EINVAL;
4810 	return -EAFNOSUPPORT;
4811 }
4812 
4813 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4814  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4815  */
4816 static int selinux_socket_connect_helper(struct socket *sock,
4817 					 struct sockaddr *address, int addrlen)
4818 {
4819 	struct sock *sk = sock->sk;
4820 	struct sk_security_struct *sksec = sk->sk_security;
4821 	int err;
4822 
4823 	err = sock_has_perm(sk, SOCKET__CONNECT);
4824 	if (err)
4825 		return err;
4826 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4827 		return -EINVAL;
4828 
4829 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4830 	 * way to disconnect the socket
4831 	 */
4832 	if (address->sa_family == AF_UNSPEC)
4833 		return 0;
4834 
4835 	/*
4836 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4837 	 * for the port.
4838 	 */
4839 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4840 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4841 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4842 		struct common_audit_data ad;
4843 		struct lsm_network_audit net = {0,};
4844 		struct sockaddr_in *addr4 = NULL;
4845 		struct sockaddr_in6 *addr6 = NULL;
4846 		unsigned short snum;
4847 		u32 sid, perm;
4848 
4849 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4850 		 * that validates multiple connect addresses. Because of this
4851 		 * need to check address->sa_family as it is possible to have
4852 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4853 		 */
4854 		switch (address->sa_family) {
4855 		case AF_INET:
4856 			addr4 = (struct sockaddr_in *)address;
4857 			if (addrlen < sizeof(struct sockaddr_in))
4858 				return -EINVAL;
4859 			snum = ntohs(addr4->sin_port);
4860 			break;
4861 		case AF_INET6:
4862 			addr6 = (struct sockaddr_in6 *)address;
4863 			if (addrlen < SIN6_LEN_RFC2133)
4864 				return -EINVAL;
4865 			snum = ntohs(addr6->sin6_port);
4866 			break;
4867 		default:
4868 			/* Note that SCTP services expect -EINVAL, whereas
4869 			 * others expect -EAFNOSUPPORT.
4870 			 */
4871 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4872 				return -EINVAL;
4873 			else
4874 				return -EAFNOSUPPORT;
4875 		}
4876 
4877 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4878 		if (err)
4879 			return err;
4880 
4881 		switch (sksec->sclass) {
4882 		case SECCLASS_TCP_SOCKET:
4883 			perm = TCP_SOCKET__NAME_CONNECT;
4884 			break;
4885 		case SECCLASS_DCCP_SOCKET:
4886 			perm = DCCP_SOCKET__NAME_CONNECT;
4887 			break;
4888 		case SECCLASS_SCTP_SOCKET:
4889 			perm = SCTP_SOCKET__NAME_CONNECT;
4890 			break;
4891 		}
4892 
4893 		ad.type = LSM_AUDIT_DATA_NET;
4894 		ad.u.net = &net;
4895 		ad.u.net->dport = htons(snum);
4896 		ad.u.net->family = address->sa_family;
4897 		err = avc_has_perm(&selinux_state,
4898 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4899 		if (err)
4900 			return err;
4901 	}
4902 
4903 	return 0;
4904 }
4905 
4906 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4907 static int selinux_socket_connect(struct socket *sock,
4908 				  struct sockaddr *address, int addrlen)
4909 {
4910 	int err;
4911 	struct sock *sk = sock->sk;
4912 
4913 	err = selinux_socket_connect_helper(sock, address, addrlen);
4914 	if (err)
4915 		return err;
4916 
4917 	return selinux_netlbl_socket_connect(sk, address);
4918 }
4919 
4920 static int selinux_socket_listen(struct socket *sock, int backlog)
4921 {
4922 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4923 }
4924 
4925 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4926 {
4927 	int err;
4928 	struct inode_security_struct *isec;
4929 	struct inode_security_struct *newisec;
4930 	u16 sclass;
4931 	u32 sid;
4932 
4933 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4934 	if (err)
4935 		return err;
4936 
4937 	isec = inode_security_novalidate(SOCK_INODE(sock));
4938 	spin_lock(&isec->lock);
4939 	sclass = isec->sclass;
4940 	sid = isec->sid;
4941 	spin_unlock(&isec->lock);
4942 
4943 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4944 	newisec->sclass = sclass;
4945 	newisec->sid = sid;
4946 	newisec->initialized = LABEL_INITIALIZED;
4947 
4948 	return 0;
4949 }
4950 
4951 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4952 				  int size)
4953 {
4954 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4955 }
4956 
4957 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4958 				  int size, int flags)
4959 {
4960 	return sock_has_perm(sock->sk, SOCKET__READ);
4961 }
4962 
4963 static int selinux_socket_getsockname(struct socket *sock)
4964 {
4965 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4966 }
4967 
4968 static int selinux_socket_getpeername(struct socket *sock)
4969 {
4970 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4971 }
4972 
4973 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4974 {
4975 	int err;
4976 
4977 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4978 	if (err)
4979 		return err;
4980 
4981 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4982 }
4983 
4984 static int selinux_socket_getsockopt(struct socket *sock, int level,
4985 				     int optname)
4986 {
4987 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4988 }
4989 
4990 static int selinux_socket_shutdown(struct socket *sock, int how)
4991 {
4992 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4993 }
4994 
4995 static int selinux_socket_unix_stream_connect(struct sock *sock,
4996 					      struct sock *other,
4997 					      struct sock *newsk)
4998 {
4999 	struct sk_security_struct *sksec_sock = sock->sk_security;
5000 	struct sk_security_struct *sksec_other = other->sk_security;
5001 	struct sk_security_struct *sksec_new = newsk->sk_security;
5002 	struct common_audit_data ad;
5003 	struct lsm_network_audit net = {0,};
5004 	int err;
5005 
5006 	ad.type = LSM_AUDIT_DATA_NET;
5007 	ad.u.net = &net;
5008 	ad.u.net->sk = other;
5009 
5010 	err = avc_has_perm(&selinux_state,
5011 			   sksec_sock->sid, sksec_other->sid,
5012 			   sksec_other->sclass,
5013 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5014 	if (err)
5015 		return err;
5016 
5017 	/* server child socket */
5018 	sksec_new->peer_sid = sksec_sock->sid;
5019 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
5020 				    sksec_sock->sid, &sksec_new->sid);
5021 	if (err)
5022 		return err;
5023 
5024 	/* connecting socket */
5025 	sksec_sock->peer_sid = sksec_new->sid;
5026 
5027 	return 0;
5028 }
5029 
5030 static int selinux_socket_unix_may_send(struct socket *sock,
5031 					struct socket *other)
5032 {
5033 	struct sk_security_struct *ssec = sock->sk->sk_security;
5034 	struct sk_security_struct *osec = other->sk->sk_security;
5035 	struct common_audit_data ad;
5036 	struct lsm_network_audit net = {0,};
5037 
5038 	ad.type = LSM_AUDIT_DATA_NET;
5039 	ad.u.net = &net;
5040 	ad.u.net->sk = other->sk;
5041 
5042 	return avc_has_perm(&selinux_state,
5043 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5044 			    &ad);
5045 }
5046 
5047 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5048 				    char *addrp, u16 family, u32 peer_sid,
5049 				    struct common_audit_data *ad)
5050 {
5051 	int err;
5052 	u32 if_sid;
5053 	u32 node_sid;
5054 
5055 	err = sel_netif_sid(ns, ifindex, &if_sid);
5056 	if (err)
5057 		return err;
5058 	err = avc_has_perm(&selinux_state,
5059 			   peer_sid, if_sid,
5060 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5061 	if (err)
5062 		return err;
5063 
5064 	err = sel_netnode_sid(addrp, family, &node_sid);
5065 	if (err)
5066 		return err;
5067 	return avc_has_perm(&selinux_state,
5068 			    peer_sid, node_sid,
5069 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5070 }
5071 
5072 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5073 				       u16 family)
5074 {
5075 	int err = 0;
5076 	struct sk_security_struct *sksec = sk->sk_security;
5077 	u32 sk_sid = sksec->sid;
5078 	struct common_audit_data ad;
5079 	struct lsm_network_audit net = {0,};
5080 	char *addrp;
5081 
5082 	ad.type = LSM_AUDIT_DATA_NET;
5083 	ad.u.net = &net;
5084 	ad.u.net->netif = skb->skb_iif;
5085 	ad.u.net->family = family;
5086 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5087 	if (err)
5088 		return err;
5089 
5090 	if (selinux_secmark_enabled()) {
5091 		err = avc_has_perm(&selinux_state,
5092 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5093 				   PACKET__RECV, &ad);
5094 		if (err)
5095 			return err;
5096 	}
5097 
5098 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5099 	if (err)
5100 		return err;
5101 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5102 
5103 	return err;
5104 }
5105 
5106 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5107 {
5108 	int err;
5109 	struct sk_security_struct *sksec = sk->sk_security;
5110 	u16 family = sk->sk_family;
5111 	u32 sk_sid = sksec->sid;
5112 	struct common_audit_data ad;
5113 	struct lsm_network_audit net = {0,};
5114 	char *addrp;
5115 	u8 secmark_active;
5116 	u8 peerlbl_active;
5117 
5118 	if (family != PF_INET && family != PF_INET6)
5119 		return 0;
5120 
5121 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5122 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5123 		family = PF_INET;
5124 
5125 	/* If any sort of compatibility mode is enabled then handoff processing
5126 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5127 	 * special handling.  We do this in an attempt to keep this function
5128 	 * as fast and as clean as possible. */
5129 	if (!selinux_policycap_netpeer())
5130 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5131 
5132 	secmark_active = selinux_secmark_enabled();
5133 	peerlbl_active = selinux_peerlbl_enabled();
5134 	if (!secmark_active && !peerlbl_active)
5135 		return 0;
5136 
5137 	ad.type = LSM_AUDIT_DATA_NET;
5138 	ad.u.net = &net;
5139 	ad.u.net->netif = skb->skb_iif;
5140 	ad.u.net->family = family;
5141 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5142 	if (err)
5143 		return err;
5144 
5145 	if (peerlbl_active) {
5146 		u32 peer_sid;
5147 
5148 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5149 		if (err)
5150 			return err;
5151 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5152 					       addrp, family, peer_sid, &ad);
5153 		if (err) {
5154 			selinux_netlbl_err(skb, family, err, 0);
5155 			return err;
5156 		}
5157 		err = avc_has_perm(&selinux_state,
5158 				   sk_sid, peer_sid, SECCLASS_PEER,
5159 				   PEER__RECV, &ad);
5160 		if (err) {
5161 			selinux_netlbl_err(skb, family, err, 0);
5162 			return err;
5163 		}
5164 	}
5165 
5166 	if (secmark_active) {
5167 		err = avc_has_perm(&selinux_state,
5168 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5169 				   PACKET__RECV, &ad);
5170 		if (err)
5171 			return err;
5172 	}
5173 
5174 	return err;
5175 }
5176 
5177 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5178 					    int __user *optlen, unsigned len)
5179 {
5180 	int err = 0;
5181 	char *scontext;
5182 	u32 scontext_len;
5183 	struct sk_security_struct *sksec = sock->sk->sk_security;
5184 	u32 peer_sid = SECSID_NULL;
5185 
5186 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5187 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5188 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5189 		peer_sid = sksec->peer_sid;
5190 	if (peer_sid == SECSID_NULL)
5191 		return -ENOPROTOOPT;
5192 
5193 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5194 				      &scontext_len);
5195 	if (err)
5196 		return err;
5197 
5198 	if (scontext_len > len) {
5199 		err = -ERANGE;
5200 		goto out_len;
5201 	}
5202 
5203 	if (copy_to_user(optval, scontext, scontext_len))
5204 		err = -EFAULT;
5205 
5206 out_len:
5207 	if (put_user(scontext_len, optlen))
5208 		err = -EFAULT;
5209 	kfree(scontext);
5210 	return err;
5211 }
5212 
5213 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5214 {
5215 	u32 peer_secid = SECSID_NULL;
5216 	u16 family;
5217 	struct inode_security_struct *isec;
5218 
5219 	if (skb && skb->protocol == htons(ETH_P_IP))
5220 		family = PF_INET;
5221 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5222 		family = PF_INET6;
5223 	else if (sock)
5224 		family = sock->sk->sk_family;
5225 	else
5226 		goto out;
5227 
5228 	if (sock && family == PF_UNIX) {
5229 		isec = inode_security_novalidate(SOCK_INODE(sock));
5230 		peer_secid = isec->sid;
5231 	} else if (skb)
5232 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5233 
5234 out:
5235 	*secid = peer_secid;
5236 	if (peer_secid == SECSID_NULL)
5237 		return -EINVAL;
5238 	return 0;
5239 }
5240 
5241 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5242 {
5243 	struct sk_security_struct *sksec;
5244 
5245 	sksec = kzalloc(sizeof(*sksec), priority);
5246 	if (!sksec)
5247 		return -ENOMEM;
5248 
5249 	sksec->peer_sid = SECINITSID_UNLABELED;
5250 	sksec->sid = SECINITSID_UNLABELED;
5251 	sksec->sclass = SECCLASS_SOCKET;
5252 	selinux_netlbl_sk_security_reset(sksec);
5253 	sk->sk_security = sksec;
5254 
5255 	return 0;
5256 }
5257 
5258 static void selinux_sk_free_security(struct sock *sk)
5259 {
5260 	struct sk_security_struct *sksec = sk->sk_security;
5261 
5262 	sk->sk_security = NULL;
5263 	selinux_netlbl_sk_security_free(sksec);
5264 	kfree(sksec);
5265 }
5266 
5267 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5268 {
5269 	struct sk_security_struct *sksec = sk->sk_security;
5270 	struct sk_security_struct *newsksec = newsk->sk_security;
5271 
5272 	newsksec->sid = sksec->sid;
5273 	newsksec->peer_sid = sksec->peer_sid;
5274 	newsksec->sclass = sksec->sclass;
5275 
5276 	selinux_netlbl_sk_security_reset(newsksec);
5277 }
5278 
5279 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5280 {
5281 	if (!sk)
5282 		*secid = SECINITSID_ANY_SOCKET;
5283 	else {
5284 		struct sk_security_struct *sksec = sk->sk_security;
5285 
5286 		*secid = sksec->sid;
5287 	}
5288 }
5289 
5290 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5291 {
5292 	struct inode_security_struct *isec =
5293 		inode_security_novalidate(SOCK_INODE(parent));
5294 	struct sk_security_struct *sksec = sk->sk_security;
5295 
5296 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5297 	    sk->sk_family == PF_UNIX)
5298 		isec->sid = sksec->sid;
5299 	sksec->sclass = isec->sclass;
5300 }
5301 
5302 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5303  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5304  * already present).
5305  */
5306 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5307 				      struct sk_buff *skb)
5308 {
5309 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5310 	struct common_audit_data ad;
5311 	struct lsm_network_audit net = {0,};
5312 	u8 peerlbl_active;
5313 	u32 peer_sid = SECINITSID_UNLABELED;
5314 	u32 conn_sid;
5315 	int err = 0;
5316 
5317 	if (!selinux_policycap_extsockclass())
5318 		return 0;
5319 
5320 	peerlbl_active = selinux_peerlbl_enabled();
5321 
5322 	if (peerlbl_active) {
5323 		/* This will return peer_sid = SECSID_NULL if there are
5324 		 * no peer labels, see security_net_peersid_resolve().
5325 		 */
5326 		err = selinux_skb_peerlbl_sid(skb, asoc->base.sk->sk_family,
5327 					      &peer_sid);
5328 		if (err)
5329 			return err;
5330 
5331 		if (peer_sid == SECSID_NULL)
5332 			peer_sid = SECINITSID_UNLABELED;
5333 	}
5334 
5335 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5336 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5337 
5338 		/* Here as first association on socket. As the peer SID
5339 		 * was allowed by peer recv (and the netif/node checks),
5340 		 * then it is approved by policy and used as the primary
5341 		 * peer SID for getpeercon(3).
5342 		 */
5343 		sksec->peer_sid = peer_sid;
5344 	} else if  (sksec->peer_sid != peer_sid) {
5345 		/* Other association peer SIDs are checked to enforce
5346 		 * consistency among the peer SIDs.
5347 		 */
5348 		ad.type = LSM_AUDIT_DATA_NET;
5349 		ad.u.net = &net;
5350 		ad.u.net->sk = asoc->base.sk;
5351 		err = avc_has_perm(&selinux_state,
5352 				   sksec->peer_sid, peer_sid, sksec->sclass,
5353 				   SCTP_SOCKET__ASSOCIATION, &ad);
5354 		if (err)
5355 			return err;
5356 	}
5357 
5358 	/* Compute the MLS component for the connection and store
5359 	 * the information in asoc. This will be used by SCTP TCP type
5360 	 * sockets and peeled off connections as they cause a new
5361 	 * socket to be generated. selinux_sctp_sk_clone() will then
5362 	 * plug this into the new socket.
5363 	 */
5364 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5365 	if (err)
5366 		return err;
5367 
5368 	asoc->secid = conn_sid;
5369 	asoc->peer_secid = peer_sid;
5370 
5371 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5372 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5373 }
5374 
5375 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5376  * based on their @optname.
5377  */
5378 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5379 				     struct sockaddr *address,
5380 				     int addrlen)
5381 {
5382 	int len, err = 0, walk_size = 0;
5383 	void *addr_buf;
5384 	struct sockaddr *addr;
5385 	struct socket *sock;
5386 
5387 	if (!selinux_policycap_extsockclass())
5388 		return 0;
5389 
5390 	/* Process one or more addresses that may be IPv4 or IPv6 */
5391 	sock = sk->sk_socket;
5392 	addr_buf = address;
5393 
5394 	while (walk_size < addrlen) {
5395 		if (walk_size + sizeof(sa_family_t) > addrlen)
5396 			return -EINVAL;
5397 
5398 		addr = addr_buf;
5399 		switch (addr->sa_family) {
5400 		case AF_UNSPEC:
5401 		case AF_INET:
5402 			len = sizeof(struct sockaddr_in);
5403 			break;
5404 		case AF_INET6:
5405 			len = sizeof(struct sockaddr_in6);
5406 			break;
5407 		default:
5408 			return -EINVAL;
5409 		}
5410 
5411 		if (walk_size + len > addrlen)
5412 			return -EINVAL;
5413 
5414 		err = -EINVAL;
5415 		switch (optname) {
5416 		/* Bind checks */
5417 		case SCTP_PRIMARY_ADDR:
5418 		case SCTP_SET_PEER_PRIMARY_ADDR:
5419 		case SCTP_SOCKOPT_BINDX_ADD:
5420 			err = selinux_socket_bind(sock, addr, len);
5421 			break;
5422 		/* Connect checks */
5423 		case SCTP_SOCKOPT_CONNECTX:
5424 		case SCTP_PARAM_SET_PRIMARY:
5425 		case SCTP_PARAM_ADD_IP:
5426 		case SCTP_SENDMSG_CONNECT:
5427 			err = selinux_socket_connect_helper(sock, addr, len);
5428 			if (err)
5429 				return err;
5430 
5431 			/* As selinux_sctp_bind_connect() is called by the
5432 			 * SCTP protocol layer, the socket is already locked,
5433 			 * therefore selinux_netlbl_socket_connect_locked()
5434 			 * is called here. The situations handled are:
5435 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5436 			 * whenever a new IP address is added or when a new
5437 			 * primary address is selected.
5438 			 * Note that an SCTP connect(2) call happens before
5439 			 * the SCTP protocol layer and is handled via
5440 			 * selinux_socket_connect().
5441 			 */
5442 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5443 			break;
5444 		}
5445 
5446 		if (err)
5447 			return err;
5448 
5449 		addr_buf += len;
5450 		walk_size += len;
5451 	}
5452 
5453 	return 0;
5454 }
5455 
5456 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5457 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5458 				  struct sock *newsk)
5459 {
5460 	struct sk_security_struct *sksec = sk->sk_security;
5461 	struct sk_security_struct *newsksec = newsk->sk_security;
5462 
5463 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5464 	 * the non-sctp clone version.
5465 	 */
5466 	if (!selinux_policycap_extsockclass())
5467 		return selinux_sk_clone_security(sk, newsk);
5468 
5469 	newsksec->sid = asoc->secid;
5470 	newsksec->peer_sid = asoc->peer_secid;
5471 	newsksec->sclass = sksec->sclass;
5472 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5473 }
5474 
5475 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5476 				     struct request_sock *req)
5477 {
5478 	struct sk_security_struct *sksec = sk->sk_security;
5479 	int err;
5480 	u16 family = req->rsk_ops->family;
5481 	u32 connsid;
5482 	u32 peersid;
5483 
5484 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5485 	if (err)
5486 		return err;
5487 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5488 	if (err)
5489 		return err;
5490 	req->secid = connsid;
5491 	req->peer_secid = peersid;
5492 
5493 	return selinux_netlbl_inet_conn_request(req, family);
5494 }
5495 
5496 static void selinux_inet_csk_clone(struct sock *newsk,
5497 				   const struct request_sock *req)
5498 {
5499 	struct sk_security_struct *newsksec = newsk->sk_security;
5500 
5501 	newsksec->sid = req->secid;
5502 	newsksec->peer_sid = req->peer_secid;
5503 	/* NOTE: Ideally, we should also get the isec->sid for the
5504 	   new socket in sync, but we don't have the isec available yet.
5505 	   So we will wait until sock_graft to do it, by which
5506 	   time it will have been created and available. */
5507 
5508 	/* We don't need to take any sort of lock here as we are the only
5509 	 * thread with access to newsksec */
5510 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5511 }
5512 
5513 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5514 {
5515 	u16 family = sk->sk_family;
5516 	struct sk_security_struct *sksec = sk->sk_security;
5517 
5518 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5519 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5520 		family = PF_INET;
5521 
5522 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5523 }
5524 
5525 static int selinux_secmark_relabel_packet(u32 sid)
5526 {
5527 	const struct task_security_struct *__tsec;
5528 	u32 tsid;
5529 
5530 	__tsec = selinux_cred(current_cred());
5531 	tsid = __tsec->sid;
5532 
5533 	return avc_has_perm(&selinux_state,
5534 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5535 			    NULL);
5536 }
5537 
5538 static void selinux_secmark_refcount_inc(void)
5539 {
5540 	atomic_inc(&selinux_secmark_refcount);
5541 }
5542 
5543 static void selinux_secmark_refcount_dec(void)
5544 {
5545 	atomic_dec(&selinux_secmark_refcount);
5546 }
5547 
5548 static void selinux_req_classify_flow(const struct request_sock *req,
5549 				      struct flowi_common *flic)
5550 {
5551 	flic->flowic_secid = req->secid;
5552 }
5553 
5554 static int selinux_tun_dev_alloc_security(void **security)
5555 {
5556 	struct tun_security_struct *tunsec;
5557 
5558 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5559 	if (!tunsec)
5560 		return -ENOMEM;
5561 	tunsec->sid = current_sid();
5562 
5563 	*security = tunsec;
5564 	return 0;
5565 }
5566 
5567 static void selinux_tun_dev_free_security(void *security)
5568 {
5569 	kfree(security);
5570 }
5571 
5572 static int selinux_tun_dev_create(void)
5573 {
5574 	u32 sid = current_sid();
5575 
5576 	/* we aren't taking into account the "sockcreate" SID since the socket
5577 	 * that is being created here is not a socket in the traditional sense,
5578 	 * instead it is a private sock, accessible only to the kernel, and
5579 	 * representing a wide range of network traffic spanning multiple
5580 	 * connections unlike traditional sockets - check the TUN driver to
5581 	 * get a better understanding of why this socket is special */
5582 
5583 	return avc_has_perm(&selinux_state,
5584 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5585 			    NULL);
5586 }
5587 
5588 static int selinux_tun_dev_attach_queue(void *security)
5589 {
5590 	struct tun_security_struct *tunsec = security;
5591 
5592 	return avc_has_perm(&selinux_state,
5593 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5594 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5595 }
5596 
5597 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5598 {
5599 	struct tun_security_struct *tunsec = security;
5600 	struct sk_security_struct *sksec = sk->sk_security;
5601 
5602 	/* we don't currently perform any NetLabel based labeling here and it
5603 	 * isn't clear that we would want to do so anyway; while we could apply
5604 	 * labeling without the support of the TUN user the resulting labeled
5605 	 * traffic from the other end of the connection would almost certainly
5606 	 * cause confusion to the TUN user that had no idea network labeling
5607 	 * protocols were being used */
5608 
5609 	sksec->sid = tunsec->sid;
5610 	sksec->sclass = SECCLASS_TUN_SOCKET;
5611 
5612 	return 0;
5613 }
5614 
5615 static int selinux_tun_dev_open(void *security)
5616 {
5617 	struct tun_security_struct *tunsec = security;
5618 	u32 sid = current_sid();
5619 	int err;
5620 
5621 	err = avc_has_perm(&selinux_state,
5622 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5623 			   TUN_SOCKET__RELABELFROM, NULL);
5624 	if (err)
5625 		return err;
5626 	err = avc_has_perm(&selinux_state,
5627 			   sid, sid, SECCLASS_TUN_SOCKET,
5628 			   TUN_SOCKET__RELABELTO, NULL);
5629 	if (err)
5630 		return err;
5631 	tunsec->sid = sid;
5632 
5633 	return 0;
5634 }
5635 
5636 #ifdef CONFIG_NETFILTER
5637 
5638 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5639 				       const struct nf_hook_state *state)
5640 {
5641 	int ifindex;
5642 	u16 family;
5643 	char *addrp;
5644 	u32 peer_sid;
5645 	struct common_audit_data ad;
5646 	struct lsm_network_audit net = {0,};
5647 	int secmark_active, peerlbl_active;
5648 
5649 	if (!selinux_policycap_netpeer())
5650 		return NF_ACCEPT;
5651 
5652 	secmark_active = selinux_secmark_enabled();
5653 	peerlbl_active = selinux_peerlbl_enabled();
5654 	if (!secmark_active && !peerlbl_active)
5655 		return NF_ACCEPT;
5656 
5657 	family = state->pf;
5658 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5659 		return NF_DROP;
5660 
5661 	ifindex = state->in->ifindex;
5662 	ad.type = LSM_AUDIT_DATA_NET;
5663 	ad.u.net = &net;
5664 	ad.u.net->netif = ifindex;
5665 	ad.u.net->family = family;
5666 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5667 		return NF_DROP;
5668 
5669 	if (peerlbl_active) {
5670 		int err;
5671 
5672 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5673 					       addrp, family, peer_sid, &ad);
5674 		if (err) {
5675 			selinux_netlbl_err(skb, family, err, 1);
5676 			return NF_DROP;
5677 		}
5678 	}
5679 
5680 	if (secmark_active)
5681 		if (avc_has_perm(&selinux_state,
5682 				 peer_sid, skb->secmark,
5683 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5684 			return NF_DROP;
5685 
5686 	if (netlbl_enabled())
5687 		/* we do this in the FORWARD path and not the POST_ROUTING
5688 		 * path because we want to make sure we apply the necessary
5689 		 * labeling before IPsec is applied so we can leverage AH
5690 		 * protection */
5691 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5692 			return NF_DROP;
5693 
5694 	return NF_ACCEPT;
5695 }
5696 
5697 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5698 				      const struct nf_hook_state *state)
5699 {
5700 	struct sock *sk;
5701 	u32 sid;
5702 
5703 	if (!netlbl_enabled())
5704 		return NF_ACCEPT;
5705 
5706 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5707 	 * because we want to make sure we apply the necessary labeling
5708 	 * before IPsec is applied so we can leverage AH protection */
5709 	sk = skb->sk;
5710 	if (sk) {
5711 		struct sk_security_struct *sksec;
5712 
5713 		if (sk_listener(sk))
5714 			/* if the socket is the listening state then this
5715 			 * packet is a SYN-ACK packet which means it needs to
5716 			 * be labeled based on the connection/request_sock and
5717 			 * not the parent socket.  unfortunately, we can't
5718 			 * lookup the request_sock yet as it isn't queued on
5719 			 * the parent socket until after the SYN-ACK is sent.
5720 			 * the "solution" is to simply pass the packet as-is
5721 			 * as any IP option based labeling should be copied
5722 			 * from the initial connection request (in the IP
5723 			 * layer).  it is far from ideal, but until we get a
5724 			 * security label in the packet itself this is the
5725 			 * best we can do. */
5726 			return NF_ACCEPT;
5727 
5728 		/* standard practice, label using the parent socket */
5729 		sksec = sk->sk_security;
5730 		sid = sksec->sid;
5731 	} else
5732 		sid = SECINITSID_KERNEL;
5733 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5734 		return NF_DROP;
5735 
5736 	return NF_ACCEPT;
5737 }
5738 
5739 
5740 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5741 					const struct nf_hook_state *state)
5742 {
5743 	struct sock *sk;
5744 	struct sk_security_struct *sksec;
5745 	struct common_audit_data ad;
5746 	struct lsm_network_audit net = {0,};
5747 	u8 proto = 0;
5748 
5749 	sk = skb_to_full_sk(skb);
5750 	if (sk == NULL)
5751 		return NF_ACCEPT;
5752 	sksec = sk->sk_security;
5753 
5754 	ad.type = LSM_AUDIT_DATA_NET;
5755 	ad.u.net = &net;
5756 	ad.u.net->netif = state->out->ifindex;
5757 	ad.u.net->family = state->pf;
5758 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5759 		return NF_DROP;
5760 
5761 	if (selinux_secmark_enabled())
5762 		if (avc_has_perm(&selinux_state,
5763 				 sksec->sid, skb->secmark,
5764 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5765 			return NF_DROP_ERR(-ECONNREFUSED);
5766 
5767 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5768 		return NF_DROP_ERR(-ECONNREFUSED);
5769 
5770 	return NF_ACCEPT;
5771 }
5772 
5773 static unsigned int selinux_ip_postroute(void *priv,
5774 					 struct sk_buff *skb,
5775 					 const struct nf_hook_state *state)
5776 {
5777 	u16 family;
5778 	u32 secmark_perm;
5779 	u32 peer_sid;
5780 	int ifindex;
5781 	struct sock *sk;
5782 	struct common_audit_data ad;
5783 	struct lsm_network_audit net = {0,};
5784 	char *addrp;
5785 	int secmark_active, peerlbl_active;
5786 
5787 	/* If any sort of compatibility mode is enabled then handoff processing
5788 	 * to the selinux_ip_postroute_compat() function to deal with the
5789 	 * special handling.  We do this in an attempt to keep this function
5790 	 * as fast and as clean as possible. */
5791 	if (!selinux_policycap_netpeer())
5792 		return selinux_ip_postroute_compat(skb, state);
5793 
5794 	secmark_active = selinux_secmark_enabled();
5795 	peerlbl_active = selinux_peerlbl_enabled();
5796 	if (!secmark_active && !peerlbl_active)
5797 		return NF_ACCEPT;
5798 
5799 	sk = skb_to_full_sk(skb);
5800 
5801 #ifdef CONFIG_XFRM
5802 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5803 	 * packet transformation so allow the packet to pass without any checks
5804 	 * since we'll have another chance to perform access control checks
5805 	 * when the packet is on it's final way out.
5806 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5807 	 *       is NULL, in this case go ahead and apply access control.
5808 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5809 	 *       TCP listening state we cannot wait until the XFRM processing
5810 	 *       is done as we will miss out on the SA label if we do;
5811 	 *       unfortunately, this means more work, but it is only once per
5812 	 *       connection. */
5813 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5814 	    !(sk && sk_listener(sk)))
5815 		return NF_ACCEPT;
5816 #endif
5817 
5818 	family = state->pf;
5819 	if (sk == NULL) {
5820 		/* Without an associated socket the packet is either coming
5821 		 * from the kernel or it is being forwarded; check the packet
5822 		 * to determine which and if the packet is being forwarded
5823 		 * query the packet directly to determine the security label. */
5824 		if (skb->skb_iif) {
5825 			secmark_perm = PACKET__FORWARD_OUT;
5826 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5827 				return NF_DROP;
5828 		} else {
5829 			secmark_perm = PACKET__SEND;
5830 			peer_sid = SECINITSID_KERNEL;
5831 		}
5832 	} else if (sk_listener(sk)) {
5833 		/* Locally generated packet but the associated socket is in the
5834 		 * listening state which means this is a SYN-ACK packet.  In
5835 		 * this particular case the correct security label is assigned
5836 		 * to the connection/request_sock but unfortunately we can't
5837 		 * query the request_sock as it isn't queued on the parent
5838 		 * socket until after the SYN-ACK packet is sent; the only
5839 		 * viable choice is to regenerate the label like we do in
5840 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5841 		 * for similar problems. */
5842 		u32 skb_sid;
5843 		struct sk_security_struct *sksec;
5844 
5845 		sksec = sk->sk_security;
5846 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5847 			return NF_DROP;
5848 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5849 		 * and the packet has been through at least one XFRM
5850 		 * transformation then we must be dealing with the "final"
5851 		 * form of labeled IPsec packet; since we've already applied
5852 		 * all of our access controls on this packet we can safely
5853 		 * pass the packet. */
5854 		if (skb_sid == SECSID_NULL) {
5855 			switch (family) {
5856 			case PF_INET:
5857 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5858 					return NF_ACCEPT;
5859 				break;
5860 			case PF_INET6:
5861 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5862 					return NF_ACCEPT;
5863 				break;
5864 			default:
5865 				return NF_DROP_ERR(-ECONNREFUSED);
5866 			}
5867 		}
5868 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5869 			return NF_DROP;
5870 		secmark_perm = PACKET__SEND;
5871 	} else {
5872 		/* Locally generated packet, fetch the security label from the
5873 		 * associated socket. */
5874 		struct sk_security_struct *sksec = sk->sk_security;
5875 		peer_sid = sksec->sid;
5876 		secmark_perm = PACKET__SEND;
5877 	}
5878 
5879 	ifindex = state->out->ifindex;
5880 	ad.type = LSM_AUDIT_DATA_NET;
5881 	ad.u.net = &net;
5882 	ad.u.net->netif = ifindex;
5883 	ad.u.net->family = family;
5884 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5885 		return NF_DROP;
5886 
5887 	if (secmark_active)
5888 		if (avc_has_perm(&selinux_state,
5889 				 peer_sid, skb->secmark,
5890 				 SECCLASS_PACKET, secmark_perm, &ad))
5891 			return NF_DROP_ERR(-ECONNREFUSED);
5892 
5893 	if (peerlbl_active) {
5894 		u32 if_sid;
5895 		u32 node_sid;
5896 
5897 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5898 			return NF_DROP;
5899 		if (avc_has_perm(&selinux_state,
5900 				 peer_sid, if_sid,
5901 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5902 			return NF_DROP_ERR(-ECONNREFUSED);
5903 
5904 		if (sel_netnode_sid(addrp, family, &node_sid))
5905 			return NF_DROP;
5906 		if (avc_has_perm(&selinux_state,
5907 				 peer_sid, node_sid,
5908 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5909 			return NF_DROP_ERR(-ECONNREFUSED);
5910 	}
5911 
5912 	return NF_ACCEPT;
5913 }
5914 #endif	/* CONFIG_NETFILTER */
5915 
5916 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5917 {
5918 	int rc = 0;
5919 	unsigned int msg_len;
5920 	unsigned int data_len = skb->len;
5921 	unsigned char *data = skb->data;
5922 	struct nlmsghdr *nlh;
5923 	struct sk_security_struct *sksec = sk->sk_security;
5924 	u16 sclass = sksec->sclass;
5925 	u32 perm;
5926 
5927 	while (data_len >= nlmsg_total_size(0)) {
5928 		nlh = (struct nlmsghdr *)data;
5929 
5930 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5931 		 *       users which means we can't reject skb's with bogus
5932 		 *       length fields; our solution is to follow what
5933 		 *       netlink_rcv_skb() does and simply skip processing at
5934 		 *       messages with length fields that are clearly junk
5935 		 */
5936 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5937 			return 0;
5938 
5939 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5940 		if (rc == 0) {
5941 			rc = sock_has_perm(sk, perm);
5942 			if (rc)
5943 				return rc;
5944 		} else if (rc == -EINVAL) {
5945 			/* -EINVAL is a missing msg/perm mapping */
5946 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5947 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5948 				" pid=%d comm=%s\n",
5949 				sk->sk_protocol, nlh->nlmsg_type,
5950 				secclass_map[sclass - 1].name,
5951 				task_pid_nr(current), current->comm);
5952 			if (enforcing_enabled(&selinux_state) &&
5953 			    !security_get_allow_unknown(&selinux_state))
5954 				return rc;
5955 			rc = 0;
5956 		} else if (rc == -ENOENT) {
5957 			/* -ENOENT is a missing socket/class mapping, ignore */
5958 			rc = 0;
5959 		} else {
5960 			return rc;
5961 		}
5962 
5963 		/* move to the next message after applying netlink padding */
5964 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5965 		if (msg_len >= data_len)
5966 			return 0;
5967 		data_len -= msg_len;
5968 		data += msg_len;
5969 	}
5970 
5971 	return rc;
5972 }
5973 
5974 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5975 {
5976 	isec->sclass = sclass;
5977 	isec->sid = current_sid();
5978 }
5979 
5980 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5981 			u32 perms)
5982 {
5983 	struct ipc_security_struct *isec;
5984 	struct common_audit_data ad;
5985 	u32 sid = current_sid();
5986 
5987 	isec = selinux_ipc(ipc_perms);
5988 
5989 	ad.type = LSM_AUDIT_DATA_IPC;
5990 	ad.u.ipc_id = ipc_perms->key;
5991 
5992 	return avc_has_perm(&selinux_state,
5993 			    sid, isec->sid, isec->sclass, perms, &ad);
5994 }
5995 
5996 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5997 {
5998 	struct msg_security_struct *msec;
5999 
6000 	msec = selinux_msg_msg(msg);
6001 	msec->sid = SECINITSID_UNLABELED;
6002 
6003 	return 0;
6004 }
6005 
6006 /* message queue security operations */
6007 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6008 {
6009 	struct ipc_security_struct *isec;
6010 	struct common_audit_data ad;
6011 	u32 sid = current_sid();
6012 	int rc;
6013 
6014 	isec = selinux_ipc(msq);
6015 	ipc_init_security(isec, SECCLASS_MSGQ);
6016 
6017 	ad.type = LSM_AUDIT_DATA_IPC;
6018 	ad.u.ipc_id = msq->key;
6019 
6020 	rc = avc_has_perm(&selinux_state,
6021 			  sid, isec->sid, SECCLASS_MSGQ,
6022 			  MSGQ__CREATE, &ad);
6023 	return rc;
6024 }
6025 
6026 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6027 {
6028 	struct ipc_security_struct *isec;
6029 	struct common_audit_data ad;
6030 	u32 sid = current_sid();
6031 
6032 	isec = selinux_ipc(msq);
6033 
6034 	ad.type = LSM_AUDIT_DATA_IPC;
6035 	ad.u.ipc_id = msq->key;
6036 
6037 	return avc_has_perm(&selinux_state,
6038 			    sid, isec->sid, SECCLASS_MSGQ,
6039 			    MSGQ__ASSOCIATE, &ad);
6040 }
6041 
6042 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6043 {
6044 	int err;
6045 	int perms;
6046 
6047 	switch (cmd) {
6048 	case IPC_INFO:
6049 	case MSG_INFO:
6050 		/* No specific object, just general system-wide information. */
6051 		return avc_has_perm(&selinux_state,
6052 				    current_sid(), SECINITSID_KERNEL,
6053 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6054 	case IPC_STAT:
6055 	case MSG_STAT:
6056 	case MSG_STAT_ANY:
6057 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6058 		break;
6059 	case IPC_SET:
6060 		perms = MSGQ__SETATTR;
6061 		break;
6062 	case IPC_RMID:
6063 		perms = MSGQ__DESTROY;
6064 		break;
6065 	default:
6066 		return 0;
6067 	}
6068 
6069 	err = ipc_has_perm(msq, perms);
6070 	return err;
6071 }
6072 
6073 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6074 {
6075 	struct ipc_security_struct *isec;
6076 	struct msg_security_struct *msec;
6077 	struct common_audit_data ad;
6078 	u32 sid = current_sid();
6079 	int rc;
6080 
6081 	isec = selinux_ipc(msq);
6082 	msec = selinux_msg_msg(msg);
6083 
6084 	/*
6085 	 * First time through, need to assign label to the message
6086 	 */
6087 	if (msec->sid == SECINITSID_UNLABELED) {
6088 		/*
6089 		 * Compute new sid based on current process and
6090 		 * message queue this message will be stored in
6091 		 */
6092 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6093 					     SECCLASS_MSG, NULL, &msec->sid);
6094 		if (rc)
6095 			return rc;
6096 	}
6097 
6098 	ad.type = LSM_AUDIT_DATA_IPC;
6099 	ad.u.ipc_id = msq->key;
6100 
6101 	/* Can this process write to the queue? */
6102 	rc = avc_has_perm(&selinux_state,
6103 			  sid, isec->sid, SECCLASS_MSGQ,
6104 			  MSGQ__WRITE, &ad);
6105 	if (!rc)
6106 		/* Can this process send the message */
6107 		rc = avc_has_perm(&selinux_state,
6108 				  sid, msec->sid, SECCLASS_MSG,
6109 				  MSG__SEND, &ad);
6110 	if (!rc)
6111 		/* Can the message be put in the queue? */
6112 		rc = avc_has_perm(&selinux_state,
6113 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6114 				  MSGQ__ENQUEUE, &ad);
6115 
6116 	return rc;
6117 }
6118 
6119 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6120 				    struct task_struct *target,
6121 				    long type, int mode)
6122 {
6123 	struct ipc_security_struct *isec;
6124 	struct msg_security_struct *msec;
6125 	struct common_audit_data ad;
6126 	u32 sid = task_sid_obj(target);
6127 	int rc;
6128 
6129 	isec = selinux_ipc(msq);
6130 	msec = selinux_msg_msg(msg);
6131 
6132 	ad.type = LSM_AUDIT_DATA_IPC;
6133 	ad.u.ipc_id = msq->key;
6134 
6135 	rc = avc_has_perm(&selinux_state,
6136 			  sid, isec->sid,
6137 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6138 	if (!rc)
6139 		rc = avc_has_perm(&selinux_state,
6140 				  sid, msec->sid,
6141 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6142 	return rc;
6143 }
6144 
6145 /* Shared Memory security operations */
6146 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6147 {
6148 	struct ipc_security_struct *isec;
6149 	struct common_audit_data ad;
6150 	u32 sid = current_sid();
6151 	int rc;
6152 
6153 	isec = selinux_ipc(shp);
6154 	ipc_init_security(isec, SECCLASS_SHM);
6155 
6156 	ad.type = LSM_AUDIT_DATA_IPC;
6157 	ad.u.ipc_id = shp->key;
6158 
6159 	rc = avc_has_perm(&selinux_state,
6160 			  sid, isec->sid, SECCLASS_SHM,
6161 			  SHM__CREATE, &ad);
6162 	return rc;
6163 }
6164 
6165 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6166 {
6167 	struct ipc_security_struct *isec;
6168 	struct common_audit_data ad;
6169 	u32 sid = current_sid();
6170 
6171 	isec = selinux_ipc(shp);
6172 
6173 	ad.type = LSM_AUDIT_DATA_IPC;
6174 	ad.u.ipc_id = shp->key;
6175 
6176 	return avc_has_perm(&selinux_state,
6177 			    sid, isec->sid, SECCLASS_SHM,
6178 			    SHM__ASSOCIATE, &ad);
6179 }
6180 
6181 /* Note, at this point, shp is locked down */
6182 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6183 {
6184 	int perms;
6185 	int err;
6186 
6187 	switch (cmd) {
6188 	case IPC_INFO:
6189 	case SHM_INFO:
6190 		/* No specific object, just general system-wide information. */
6191 		return avc_has_perm(&selinux_state,
6192 				    current_sid(), SECINITSID_KERNEL,
6193 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6194 	case IPC_STAT:
6195 	case SHM_STAT:
6196 	case SHM_STAT_ANY:
6197 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6198 		break;
6199 	case IPC_SET:
6200 		perms = SHM__SETATTR;
6201 		break;
6202 	case SHM_LOCK:
6203 	case SHM_UNLOCK:
6204 		perms = SHM__LOCK;
6205 		break;
6206 	case IPC_RMID:
6207 		perms = SHM__DESTROY;
6208 		break;
6209 	default:
6210 		return 0;
6211 	}
6212 
6213 	err = ipc_has_perm(shp, perms);
6214 	return err;
6215 }
6216 
6217 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6218 			     char __user *shmaddr, int shmflg)
6219 {
6220 	u32 perms;
6221 
6222 	if (shmflg & SHM_RDONLY)
6223 		perms = SHM__READ;
6224 	else
6225 		perms = SHM__READ | SHM__WRITE;
6226 
6227 	return ipc_has_perm(shp, perms);
6228 }
6229 
6230 /* Semaphore security operations */
6231 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6232 {
6233 	struct ipc_security_struct *isec;
6234 	struct common_audit_data ad;
6235 	u32 sid = current_sid();
6236 	int rc;
6237 
6238 	isec = selinux_ipc(sma);
6239 	ipc_init_security(isec, SECCLASS_SEM);
6240 
6241 	ad.type = LSM_AUDIT_DATA_IPC;
6242 	ad.u.ipc_id = sma->key;
6243 
6244 	rc = avc_has_perm(&selinux_state,
6245 			  sid, isec->sid, SECCLASS_SEM,
6246 			  SEM__CREATE, &ad);
6247 	return rc;
6248 }
6249 
6250 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6251 {
6252 	struct ipc_security_struct *isec;
6253 	struct common_audit_data ad;
6254 	u32 sid = current_sid();
6255 
6256 	isec = selinux_ipc(sma);
6257 
6258 	ad.type = LSM_AUDIT_DATA_IPC;
6259 	ad.u.ipc_id = sma->key;
6260 
6261 	return avc_has_perm(&selinux_state,
6262 			    sid, isec->sid, SECCLASS_SEM,
6263 			    SEM__ASSOCIATE, &ad);
6264 }
6265 
6266 /* Note, at this point, sma is locked down */
6267 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6268 {
6269 	int err;
6270 	u32 perms;
6271 
6272 	switch (cmd) {
6273 	case IPC_INFO:
6274 	case SEM_INFO:
6275 		/* No specific object, just general system-wide information. */
6276 		return avc_has_perm(&selinux_state,
6277 				    current_sid(), SECINITSID_KERNEL,
6278 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6279 	case GETPID:
6280 	case GETNCNT:
6281 	case GETZCNT:
6282 		perms = SEM__GETATTR;
6283 		break;
6284 	case GETVAL:
6285 	case GETALL:
6286 		perms = SEM__READ;
6287 		break;
6288 	case SETVAL:
6289 	case SETALL:
6290 		perms = SEM__WRITE;
6291 		break;
6292 	case IPC_RMID:
6293 		perms = SEM__DESTROY;
6294 		break;
6295 	case IPC_SET:
6296 		perms = SEM__SETATTR;
6297 		break;
6298 	case IPC_STAT:
6299 	case SEM_STAT:
6300 	case SEM_STAT_ANY:
6301 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6302 		break;
6303 	default:
6304 		return 0;
6305 	}
6306 
6307 	err = ipc_has_perm(sma, perms);
6308 	return err;
6309 }
6310 
6311 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6312 			     struct sembuf *sops, unsigned nsops, int alter)
6313 {
6314 	u32 perms;
6315 
6316 	if (alter)
6317 		perms = SEM__READ | SEM__WRITE;
6318 	else
6319 		perms = SEM__READ;
6320 
6321 	return ipc_has_perm(sma, perms);
6322 }
6323 
6324 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6325 {
6326 	u32 av = 0;
6327 
6328 	av = 0;
6329 	if (flag & S_IRUGO)
6330 		av |= IPC__UNIX_READ;
6331 	if (flag & S_IWUGO)
6332 		av |= IPC__UNIX_WRITE;
6333 
6334 	if (av == 0)
6335 		return 0;
6336 
6337 	return ipc_has_perm(ipcp, av);
6338 }
6339 
6340 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6341 {
6342 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6343 	*secid = isec->sid;
6344 }
6345 
6346 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6347 {
6348 	if (inode)
6349 		inode_doinit_with_dentry(inode, dentry);
6350 }
6351 
6352 static int selinux_getprocattr(struct task_struct *p,
6353 			       char *name, char **value)
6354 {
6355 	const struct task_security_struct *__tsec;
6356 	u32 sid;
6357 	int error;
6358 	unsigned len;
6359 
6360 	rcu_read_lock();
6361 	__tsec = selinux_cred(__task_cred(p));
6362 
6363 	if (current != p) {
6364 		error = avc_has_perm(&selinux_state,
6365 				     current_sid(), __tsec->sid,
6366 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6367 		if (error)
6368 			goto bad;
6369 	}
6370 
6371 	if (!strcmp(name, "current"))
6372 		sid = __tsec->sid;
6373 	else if (!strcmp(name, "prev"))
6374 		sid = __tsec->osid;
6375 	else if (!strcmp(name, "exec"))
6376 		sid = __tsec->exec_sid;
6377 	else if (!strcmp(name, "fscreate"))
6378 		sid = __tsec->create_sid;
6379 	else if (!strcmp(name, "keycreate"))
6380 		sid = __tsec->keycreate_sid;
6381 	else if (!strcmp(name, "sockcreate"))
6382 		sid = __tsec->sockcreate_sid;
6383 	else {
6384 		error = -EINVAL;
6385 		goto bad;
6386 	}
6387 	rcu_read_unlock();
6388 
6389 	if (!sid)
6390 		return 0;
6391 
6392 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6393 	if (error)
6394 		return error;
6395 	return len;
6396 
6397 bad:
6398 	rcu_read_unlock();
6399 	return error;
6400 }
6401 
6402 static int selinux_setprocattr(const char *name, void *value, size_t size)
6403 {
6404 	struct task_security_struct *tsec;
6405 	struct cred *new;
6406 	u32 mysid = current_sid(), sid = 0, ptsid;
6407 	int error;
6408 	char *str = value;
6409 
6410 	/*
6411 	 * Basic control over ability to set these attributes at all.
6412 	 */
6413 	if (!strcmp(name, "exec"))
6414 		error = avc_has_perm(&selinux_state,
6415 				     mysid, mysid, SECCLASS_PROCESS,
6416 				     PROCESS__SETEXEC, NULL);
6417 	else if (!strcmp(name, "fscreate"))
6418 		error = avc_has_perm(&selinux_state,
6419 				     mysid, mysid, SECCLASS_PROCESS,
6420 				     PROCESS__SETFSCREATE, NULL);
6421 	else if (!strcmp(name, "keycreate"))
6422 		error = avc_has_perm(&selinux_state,
6423 				     mysid, mysid, SECCLASS_PROCESS,
6424 				     PROCESS__SETKEYCREATE, NULL);
6425 	else if (!strcmp(name, "sockcreate"))
6426 		error = avc_has_perm(&selinux_state,
6427 				     mysid, mysid, SECCLASS_PROCESS,
6428 				     PROCESS__SETSOCKCREATE, NULL);
6429 	else if (!strcmp(name, "current"))
6430 		error = avc_has_perm(&selinux_state,
6431 				     mysid, mysid, SECCLASS_PROCESS,
6432 				     PROCESS__SETCURRENT, NULL);
6433 	else
6434 		error = -EINVAL;
6435 	if (error)
6436 		return error;
6437 
6438 	/* Obtain a SID for the context, if one was specified. */
6439 	if (size && str[0] && str[0] != '\n') {
6440 		if (str[size-1] == '\n') {
6441 			str[size-1] = 0;
6442 			size--;
6443 		}
6444 		error = security_context_to_sid(&selinux_state, value, size,
6445 						&sid, GFP_KERNEL);
6446 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6447 			if (!has_cap_mac_admin(true)) {
6448 				struct audit_buffer *ab;
6449 				size_t audit_size;
6450 
6451 				/* We strip a nul only if it is at the end, otherwise the
6452 				 * context contains a nul and we should audit that */
6453 				if (str[size - 1] == '\0')
6454 					audit_size = size - 1;
6455 				else
6456 					audit_size = size;
6457 				ab = audit_log_start(audit_context(),
6458 						     GFP_ATOMIC,
6459 						     AUDIT_SELINUX_ERR);
6460 				if (!ab)
6461 					return error;
6462 				audit_log_format(ab, "op=fscreate invalid_context=");
6463 				audit_log_n_untrustedstring(ab, value, audit_size);
6464 				audit_log_end(ab);
6465 
6466 				return error;
6467 			}
6468 			error = security_context_to_sid_force(
6469 						      &selinux_state,
6470 						      value, size, &sid);
6471 		}
6472 		if (error)
6473 			return error;
6474 	}
6475 
6476 	new = prepare_creds();
6477 	if (!new)
6478 		return -ENOMEM;
6479 
6480 	/* Permission checking based on the specified context is
6481 	   performed during the actual operation (execve,
6482 	   open/mkdir/...), when we know the full context of the
6483 	   operation.  See selinux_bprm_creds_for_exec for the execve
6484 	   checks and may_create for the file creation checks. The
6485 	   operation will then fail if the context is not permitted. */
6486 	tsec = selinux_cred(new);
6487 	if (!strcmp(name, "exec")) {
6488 		tsec->exec_sid = sid;
6489 	} else if (!strcmp(name, "fscreate")) {
6490 		tsec->create_sid = sid;
6491 	} else if (!strcmp(name, "keycreate")) {
6492 		if (sid) {
6493 			error = avc_has_perm(&selinux_state, mysid, sid,
6494 					     SECCLASS_KEY, KEY__CREATE, NULL);
6495 			if (error)
6496 				goto abort_change;
6497 		}
6498 		tsec->keycreate_sid = sid;
6499 	} else if (!strcmp(name, "sockcreate")) {
6500 		tsec->sockcreate_sid = sid;
6501 	} else if (!strcmp(name, "current")) {
6502 		error = -EINVAL;
6503 		if (sid == 0)
6504 			goto abort_change;
6505 
6506 		/* Only allow single threaded processes to change context */
6507 		error = -EPERM;
6508 		if (!current_is_single_threaded()) {
6509 			error = security_bounded_transition(&selinux_state,
6510 							    tsec->sid, sid);
6511 			if (error)
6512 				goto abort_change;
6513 		}
6514 
6515 		/* Check permissions for the transition. */
6516 		error = avc_has_perm(&selinux_state,
6517 				     tsec->sid, sid, SECCLASS_PROCESS,
6518 				     PROCESS__DYNTRANSITION, NULL);
6519 		if (error)
6520 			goto abort_change;
6521 
6522 		/* Check for ptracing, and update the task SID if ok.
6523 		   Otherwise, leave SID unchanged and fail. */
6524 		ptsid = ptrace_parent_sid();
6525 		if (ptsid != 0) {
6526 			error = avc_has_perm(&selinux_state,
6527 					     ptsid, sid, SECCLASS_PROCESS,
6528 					     PROCESS__PTRACE, NULL);
6529 			if (error)
6530 				goto abort_change;
6531 		}
6532 
6533 		tsec->sid = sid;
6534 	} else {
6535 		error = -EINVAL;
6536 		goto abort_change;
6537 	}
6538 
6539 	commit_creds(new);
6540 	return size;
6541 
6542 abort_change:
6543 	abort_creds(new);
6544 	return error;
6545 }
6546 
6547 static int selinux_ismaclabel(const char *name)
6548 {
6549 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6550 }
6551 
6552 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6553 {
6554 	return security_sid_to_context(&selinux_state, secid,
6555 				       secdata, seclen);
6556 }
6557 
6558 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6559 {
6560 	return security_context_to_sid(&selinux_state, secdata, seclen,
6561 				       secid, GFP_KERNEL);
6562 }
6563 
6564 static void selinux_release_secctx(char *secdata, u32 seclen)
6565 {
6566 	kfree(secdata);
6567 }
6568 
6569 static void selinux_inode_invalidate_secctx(struct inode *inode)
6570 {
6571 	struct inode_security_struct *isec = selinux_inode(inode);
6572 
6573 	spin_lock(&isec->lock);
6574 	isec->initialized = LABEL_INVALID;
6575 	spin_unlock(&isec->lock);
6576 }
6577 
6578 /*
6579  *	called with inode->i_mutex locked
6580  */
6581 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6582 {
6583 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6584 					   ctx, ctxlen, 0);
6585 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6586 	return rc == -EOPNOTSUPP ? 0 : rc;
6587 }
6588 
6589 /*
6590  *	called with inode->i_mutex locked
6591  */
6592 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6593 {
6594 	return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6595 				     ctx, ctxlen, 0);
6596 }
6597 
6598 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6599 {
6600 	int len = 0;
6601 	len = selinux_inode_getsecurity(&init_user_ns, inode,
6602 					XATTR_SELINUX_SUFFIX, ctx, true);
6603 	if (len < 0)
6604 		return len;
6605 	*ctxlen = len;
6606 	return 0;
6607 }
6608 #ifdef CONFIG_KEYS
6609 
6610 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6611 			     unsigned long flags)
6612 {
6613 	const struct task_security_struct *tsec;
6614 	struct key_security_struct *ksec;
6615 
6616 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6617 	if (!ksec)
6618 		return -ENOMEM;
6619 
6620 	tsec = selinux_cred(cred);
6621 	if (tsec->keycreate_sid)
6622 		ksec->sid = tsec->keycreate_sid;
6623 	else
6624 		ksec->sid = tsec->sid;
6625 
6626 	k->security = ksec;
6627 	return 0;
6628 }
6629 
6630 static void selinux_key_free(struct key *k)
6631 {
6632 	struct key_security_struct *ksec = k->security;
6633 
6634 	k->security = NULL;
6635 	kfree(ksec);
6636 }
6637 
6638 static int selinux_key_permission(key_ref_t key_ref,
6639 				  const struct cred *cred,
6640 				  enum key_need_perm need_perm)
6641 {
6642 	struct key *key;
6643 	struct key_security_struct *ksec;
6644 	u32 perm, sid;
6645 
6646 	switch (need_perm) {
6647 	case KEY_NEED_VIEW:
6648 		perm = KEY__VIEW;
6649 		break;
6650 	case KEY_NEED_READ:
6651 		perm = KEY__READ;
6652 		break;
6653 	case KEY_NEED_WRITE:
6654 		perm = KEY__WRITE;
6655 		break;
6656 	case KEY_NEED_SEARCH:
6657 		perm = KEY__SEARCH;
6658 		break;
6659 	case KEY_NEED_LINK:
6660 		perm = KEY__LINK;
6661 		break;
6662 	case KEY_NEED_SETATTR:
6663 		perm = KEY__SETATTR;
6664 		break;
6665 	case KEY_NEED_UNLINK:
6666 	case KEY_SYSADMIN_OVERRIDE:
6667 	case KEY_AUTHTOKEN_OVERRIDE:
6668 	case KEY_DEFER_PERM_CHECK:
6669 		return 0;
6670 	default:
6671 		WARN_ON(1);
6672 		return -EPERM;
6673 
6674 	}
6675 
6676 	sid = cred_sid(cred);
6677 	key = key_ref_to_ptr(key_ref);
6678 	ksec = key->security;
6679 
6680 	return avc_has_perm(&selinux_state,
6681 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6682 }
6683 
6684 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6685 {
6686 	struct key_security_struct *ksec = key->security;
6687 	char *context = NULL;
6688 	unsigned len;
6689 	int rc;
6690 
6691 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6692 				     &context, &len);
6693 	if (!rc)
6694 		rc = len;
6695 	*_buffer = context;
6696 	return rc;
6697 }
6698 
6699 #ifdef CONFIG_KEY_NOTIFICATIONS
6700 static int selinux_watch_key(struct key *key)
6701 {
6702 	struct key_security_struct *ksec = key->security;
6703 	u32 sid = current_sid();
6704 
6705 	return avc_has_perm(&selinux_state,
6706 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6707 }
6708 #endif
6709 #endif
6710 
6711 #ifdef CONFIG_SECURITY_INFINIBAND
6712 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6713 {
6714 	struct common_audit_data ad;
6715 	int err;
6716 	u32 sid = 0;
6717 	struct ib_security_struct *sec = ib_sec;
6718 	struct lsm_ibpkey_audit ibpkey;
6719 
6720 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6721 	if (err)
6722 		return err;
6723 
6724 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6725 	ibpkey.subnet_prefix = subnet_prefix;
6726 	ibpkey.pkey = pkey_val;
6727 	ad.u.ibpkey = &ibpkey;
6728 	return avc_has_perm(&selinux_state,
6729 			    sec->sid, sid,
6730 			    SECCLASS_INFINIBAND_PKEY,
6731 			    INFINIBAND_PKEY__ACCESS, &ad);
6732 }
6733 
6734 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6735 					    u8 port_num)
6736 {
6737 	struct common_audit_data ad;
6738 	int err;
6739 	u32 sid = 0;
6740 	struct ib_security_struct *sec = ib_sec;
6741 	struct lsm_ibendport_audit ibendport;
6742 
6743 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6744 				      &sid);
6745 
6746 	if (err)
6747 		return err;
6748 
6749 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6750 	ibendport.dev_name = dev_name;
6751 	ibendport.port = port_num;
6752 	ad.u.ibendport = &ibendport;
6753 	return avc_has_perm(&selinux_state,
6754 			    sec->sid, sid,
6755 			    SECCLASS_INFINIBAND_ENDPORT,
6756 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6757 }
6758 
6759 static int selinux_ib_alloc_security(void **ib_sec)
6760 {
6761 	struct ib_security_struct *sec;
6762 
6763 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6764 	if (!sec)
6765 		return -ENOMEM;
6766 	sec->sid = current_sid();
6767 
6768 	*ib_sec = sec;
6769 	return 0;
6770 }
6771 
6772 static void selinux_ib_free_security(void *ib_sec)
6773 {
6774 	kfree(ib_sec);
6775 }
6776 #endif
6777 
6778 #ifdef CONFIG_BPF_SYSCALL
6779 static int selinux_bpf(int cmd, union bpf_attr *attr,
6780 				     unsigned int size)
6781 {
6782 	u32 sid = current_sid();
6783 	int ret;
6784 
6785 	switch (cmd) {
6786 	case BPF_MAP_CREATE:
6787 		ret = avc_has_perm(&selinux_state,
6788 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6789 				   NULL);
6790 		break;
6791 	case BPF_PROG_LOAD:
6792 		ret = avc_has_perm(&selinux_state,
6793 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6794 				   NULL);
6795 		break;
6796 	default:
6797 		ret = 0;
6798 		break;
6799 	}
6800 
6801 	return ret;
6802 }
6803 
6804 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6805 {
6806 	u32 av = 0;
6807 
6808 	if (fmode & FMODE_READ)
6809 		av |= BPF__MAP_READ;
6810 	if (fmode & FMODE_WRITE)
6811 		av |= BPF__MAP_WRITE;
6812 	return av;
6813 }
6814 
6815 /* This function will check the file pass through unix socket or binder to see
6816  * if it is a bpf related object. And apply correspinding checks on the bpf
6817  * object based on the type. The bpf maps and programs, not like other files and
6818  * socket, are using a shared anonymous inode inside the kernel as their inode.
6819  * So checking that inode cannot identify if the process have privilege to
6820  * access the bpf object and that's why we have to add this additional check in
6821  * selinux_file_receive and selinux_binder_transfer_files.
6822  */
6823 static int bpf_fd_pass(struct file *file, u32 sid)
6824 {
6825 	struct bpf_security_struct *bpfsec;
6826 	struct bpf_prog *prog;
6827 	struct bpf_map *map;
6828 	int ret;
6829 
6830 	if (file->f_op == &bpf_map_fops) {
6831 		map = file->private_data;
6832 		bpfsec = map->security;
6833 		ret = avc_has_perm(&selinux_state,
6834 				   sid, bpfsec->sid, SECCLASS_BPF,
6835 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6836 		if (ret)
6837 			return ret;
6838 	} else if (file->f_op == &bpf_prog_fops) {
6839 		prog = file->private_data;
6840 		bpfsec = prog->aux->security;
6841 		ret = avc_has_perm(&selinux_state,
6842 				   sid, bpfsec->sid, SECCLASS_BPF,
6843 				   BPF__PROG_RUN, NULL);
6844 		if (ret)
6845 			return ret;
6846 	}
6847 	return 0;
6848 }
6849 
6850 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6851 {
6852 	u32 sid = current_sid();
6853 	struct bpf_security_struct *bpfsec;
6854 
6855 	bpfsec = map->security;
6856 	return avc_has_perm(&selinux_state,
6857 			    sid, bpfsec->sid, SECCLASS_BPF,
6858 			    bpf_map_fmode_to_av(fmode), NULL);
6859 }
6860 
6861 static int selinux_bpf_prog(struct bpf_prog *prog)
6862 {
6863 	u32 sid = current_sid();
6864 	struct bpf_security_struct *bpfsec;
6865 
6866 	bpfsec = prog->aux->security;
6867 	return avc_has_perm(&selinux_state,
6868 			    sid, bpfsec->sid, SECCLASS_BPF,
6869 			    BPF__PROG_RUN, NULL);
6870 }
6871 
6872 static int selinux_bpf_map_alloc(struct bpf_map *map)
6873 {
6874 	struct bpf_security_struct *bpfsec;
6875 
6876 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6877 	if (!bpfsec)
6878 		return -ENOMEM;
6879 
6880 	bpfsec->sid = current_sid();
6881 	map->security = bpfsec;
6882 
6883 	return 0;
6884 }
6885 
6886 static void selinux_bpf_map_free(struct bpf_map *map)
6887 {
6888 	struct bpf_security_struct *bpfsec = map->security;
6889 
6890 	map->security = NULL;
6891 	kfree(bpfsec);
6892 }
6893 
6894 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6895 {
6896 	struct bpf_security_struct *bpfsec;
6897 
6898 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6899 	if (!bpfsec)
6900 		return -ENOMEM;
6901 
6902 	bpfsec->sid = current_sid();
6903 	aux->security = bpfsec;
6904 
6905 	return 0;
6906 }
6907 
6908 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6909 {
6910 	struct bpf_security_struct *bpfsec = aux->security;
6911 
6912 	aux->security = NULL;
6913 	kfree(bpfsec);
6914 }
6915 #endif
6916 
6917 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6918 	.lbs_cred = sizeof(struct task_security_struct),
6919 	.lbs_file = sizeof(struct file_security_struct),
6920 	.lbs_inode = sizeof(struct inode_security_struct),
6921 	.lbs_ipc = sizeof(struct ipc_security_struct),
6922 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6923 	.lbs_superblock = sizeof(struct superblock_security_struct),
6924 };
6925 
6926 #ifdef CONFIG_PERF_EVENTS
6927 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6928 {
6929 	u32 requested, sid = current_sid();
6930 
6931 	if (type == PERF_SECURITY_OPEN)
6932 		requested = PERF_EVENT__OPEN;
6933 	else if (type == PERF_SECURITY_CPU)
6934 		requested = PERF_EVENT__CPU;
6935 	else if (type == PERF_SECURITY_KERNEL)
6936 		requested = PERF_EVENT__KERNEL;
6937 	else if (type == PERF_SECURITY_TRACEPOINT)
6938 		requested = PERF_EVENT__TRACEPOINT;
6939 	else
6940 		return -EINVAL;
6941 
6942 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6943 			    requested, NULL);
6944 }
6945 
6946 static int selinux_perf_event_alloc(struct perf_event *event)
6947 {
6948 	struct perf_event_security_struct *perfsec;
6949 
6950 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6951 	if (!perfsec)
6952 		return -ENOMEM;
6953 
6954 	perfsec->sid = current_sid();
6955 	event->security = perfsec;
6956 
6957 	return 0;
6958 }
6959 
6960 static void selinux_perf_event_free(struct perf_event *event)
6961 {
6962 	struct perf_event_security_struct *perfsec = event->security;
6963 
6964 	event->security = NULL;
6965 	kfree(perfsec);
6966 }
6967 
6968 static int selinux_perf_event_read(struct perf_event *event)
6969 {
6970 	struct perf_event_security_struct *perfsec = event->security;
6971 	u32 sid = current_sid();
6972 
6973 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6974 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6975 }
6976 
6977 static int selinux_perf_event_write(struct perf_event *event)
6978 {
6979 	struct perf_event_security_struct *perfsec = event->security;
6980 	u32 sid = current_sid();
6981 
6982 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6983 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6984 }
6985 #endif
6986 
6987 #ifdef CONFIG_IO_URING
6988 /**
6989  * selinux_uring_override_creds - check the requested cred override
6990  * @new: the target creds
6991  *
6992  * Check to see if the current task is allowed to override it's credentials
6993  * to service an io_uring operation.
6994  */
6995 static int selinux_uring_override_creds(const struct cred *new)
6996 {
6997 	return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
6998 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6999 }
7000 
7001 /**
7002  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7003  *
7004  * Check to see if the current task is allowed to create a new io_uring
7005  * kernel polling thread.
7006  */
7007 static int selinux_uring_sqpoll(void)
7008 {
7009 	int sid = current_sid();
7010 
7011 	return avc_has_perm(&selinux_state, sid, sid,
7012 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7013 }
7014 #endif /* CONFIG_IO_URING */
7015 
7016 /*
7017  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7018  * 1. any hooks that don't belong to (2.) or (3.) below,
7019  * 2. hooks that both access structures allocated by other hooks, and allocate
7020  *    structures that can be later accessed by other hooks (mostly "cloning"
7021  *    hooks),
7022  * 3. hooks that only allocate structures that can be later accessed by other
7023  *    hooks ("allocating" hooks).
7024  *
7025  * Please follow block comment delimiters in the list to keep this order.
7026  *
7027  * This ordering is needed for SELinux runtime disable to work at least somewhat
7028  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7029  * when disabling SELinux at runtime.
7030  */
7031 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7032 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7033 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7034 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7035 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7036 
7037 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7038 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7039 	LSM_HOOK_INIT(capget, selinux_capget),
7040 	LSM_HOOK_INIT(capset, selinux_capset),
7041 	LSM_HOOK_INIT(capable, selinux_capable),
7042 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7043 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7044 	LSM_HOOK_INIT(syslog, selinux_syslog),
7045 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7046 
7047 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7048 
7049 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7050 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7051 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7052 
7053 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7054 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7055 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7056 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7057 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7058 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7059 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7060 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7061 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7062 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7063 
7064 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7065 
7066 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7067 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7068 
7069 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7070 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7071 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7072 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7073 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7074 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7075 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7076 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7077 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7078 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7079 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7080 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7081 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7082 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7083 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7084 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7085 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7086 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7087 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7088 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7089 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7090 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7091 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7092 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7093 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7094 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7095 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7096 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7097 
7098 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7099 
7100 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7101 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7102 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7103 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7104 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7105 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7106 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7107 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7108 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7109 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7110 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7111 
7112 	LSM_HOOK_INIT(file_open, selinux_file_open),
7113 
7114 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7115 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7116 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7117 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7118 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7119 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7120 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7121 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7122 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7123 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7124 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7125 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7126 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7127 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7128 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7129 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7130 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7131 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7132 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7133 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7134 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7135 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7136 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7137 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7138 
7139 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7140 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7141 
7142 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7143 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7144 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7145 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7146 
7147 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7148 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7149 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7150 
7151 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7152 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7153 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7154 
7155 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7156 
7157 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7158 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7159 
7160 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7161 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7162 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7163 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7164 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7165 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7166 
7167 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7168 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7169 
7170 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7171 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7172 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7173 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7174 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7175 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7176 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7177 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7178 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7179 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7180 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7181 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7182 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7183 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7184 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7185 	LSM_HOOK_INIT(socket_getpeersec_stream,
7186 			selinux_socket_getpeersec_stream),
7187 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7188 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7189 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7190 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7191 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7192 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7193 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7194 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7195 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7196 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7197 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7198 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7199 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7200 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7201 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7202 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7203 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7204 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7205 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7206 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7207 #ifdef CONFIG_SECURITY_INFINIBAND
7208 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7209 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7210 		      selinux_ib_endport_manage_subnet),
7211 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7212 #endif
7213 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7214 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7215 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7216 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7217 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7218 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7219 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7220 			selinux_xfrm_state_pol_flow_match),
7221 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7222 #endif
7223 
7224 #ifdef CONFIG_KEYS
7225 	LSM_HOOK_INIT(key_free, selinux_key_free),
7226 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7227 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7228 #ifdef CONFIG_KEY_NOTIFICATIONS
7229 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7230 #endif
7231 #endif
7232 
7233 #ifdef CONFIG_AUDIT
7234 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7235 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7236 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7237 #endif
7238 
7239 #ifdef CONFIG_BPF_SYSCALL
7240 	LSM_HOOK_INIT(bpf, selinux_bpf),
7241 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7242 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7243 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7244 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7245 #endif
7246 
7247 #ifdef CONFIG_PERF_EVENTS
7248 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7249 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7250 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7251 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7252 #endif
7253 
7254 #ifdef CONFIG_IO_URING
7255 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7256 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7257 #endif
7258 
7259 	/*
7260 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7261 	 */
7262 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7263 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7264 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7265 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7266 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7267 #endif
7268 
7269 	/*
7270 	 * PUT "ALLOCATING" HOOKS HERE
7271 	 */
7272 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7273 	LSM_HOOK_INIT(msg_queue_alloc_security,
7274 		      selinux_msg_queue_alloc_security),
7275 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7276 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7277 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7278 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7279 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7280 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7281 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7282 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7283 #ifdef CONFIG_SECURITY_INFINIBAND
7284 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7285 #endif
7286 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7287 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7288 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7289 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7290 		      selinux_xfrm_state_alloc_acquire),
7291 #endif
7292 #ifdef CONFIG_KEYS
7293 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7294 #endif
7295 #ifdef CONFIG_AUDIT
7296 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7297 #endif
7298 #ifdef CONFIG_BPF_SYSCALL
7299 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7300 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7301 #endif
7302 #ifdef CONFIG_PERF_EVENTS
7303 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7304 #endif
7305 };
7306 
7307 static __init int selinux_init(void)
7308 {
7309 	pr_info("SELinux:  Initializing.\n");
7310 
7311 	memset(&selinux_state, 0, sizeof(selinux_state));
7312 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7313 	checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7314 	selinux_avc_init(&selinux_state.avc);
7315 	mutex_init(&selinux_state.status_lock);
7316 	mutex_init(&selinux_state.policy_mutex);
7317 
7318 	/* Set the security state for the initial task. */
7319 	cred_init_security();
7320 
7321 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7322 
7323 	avc_init();
7324 
7325 	avtab_cache_init();
7326 
7327 	ebitmap_cache_init();
7328 
7329 	hashtab_cache_init();
7330 
7331 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7332 
7333 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7334 		panic("SELinux: Unable to register AVC netcache callback\n");
7335 
7336 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7337 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7338 
7339 	if (selinux_enforcing_boot)
7340 		pr_debug("SELinux:  Starting in enforcing mode\n");
7341 	else
7342 		pr_debug("SELinux:  Starting in permissive mode\n");
7343 
7344 	fs_validate_description("selinux", selinux_fs_parameters);
7345 
7346 	return 0;
7347 }
7348 
7349 static void delayed_superblock_init(struct super_block *sb, void *unused)
7350 {
7351 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7352 }
7353 
7354 void selinux_complete_init(void)
7355 {
7356 	pr_debug("SELinux:  Completing initialization.\n");
7357 
7358 	/* Set up any superblocks initialized prior to the policy load. */
7359 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7360 	iterate_supers(delayed_superblock_init, NULL);
7361 }
7362 
7363 /* SELinux requires early initialization in order to label
7364    all processes and objects when they are created. */
7365 DEFINE_LSM(selinux) = {
7366 	.name = "selinux",
7367 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7368 	.enabled = &selinux_enabled_boot,
7369 	.blobs = &selinux_blob_sizes,
7370 	.init = selinux_init,
7371 };
7372 
7373 #if defined(CONFIG_NETFILTER)
7374 
7375 static const struct nf_hook_ops selinux_nf_ops[] = {
7376 	{
7377 		.hook =		selinux_ip_postroute,
7378 		.pf =		NFPROTO_IPV4,
7379 		.hooknum =	NF_INET_POST_ROUTING,
7380 		.priority =	NF_IP_PRI_SELINUX_LAST,
7381 	},
7382 	{
7383 		.hook =		selinux_ip_forward,
7384 		.pf =		NFPROTO_IPV4,
7385 		.hooknum =	NF_INET_FORWARD,
7386 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7387 	},
7388 	{
7389 		.hook =		selinux_ip_output,
7390 		.pf =		NFPROTO_IPV4,
7391 		.hooknum =	NF_INET_LOCAL_OUT,
7392 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7393 	},
7394 #if IS_ENABLED(CONFIG_IPV6)
7395 	{
7396 		.hook =		selinux_ip_postroute,
7397 		.pf =		NFPROTO_IPV6,
7398 		.hooknum =	NF_INET_POST_ROUTING,
7399 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7400 	},
7401 	{
7402 		.hook =		selinux_ip_forward,
7403 		.pf =		NFPROTO_IPV6,
7404 		.hooknum =	NF_INET_FORWARD,
7405 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7406 	},
7407 	{
7408 		.hook =		selinux_ip_output,
7409 		.pf =		NFPROTO_IPV6,
7410 		.hooknum =	NF_INET_LOCAL_OUT,
7411 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7412 	},
7413 #endif	/* IPV6 */
7414 };
7415 
7416 static int __net_init selinux_nf_register(struct net *net)
7417 {
7418 	return nf_register_net_hooks(net, selinux_nf_ops,
7419 				     ARRAY_SIZE(selinux_nf_ops));
7420 }
7421 
7422 static void __net_exit selinux_nf_unregister(struct net *net)
7423 {
7424 	nf_unregister_net_hooks(net, selinux_nf_ops,
7425 				ARRAY_SIZE(selinux_nf_ops));
7426 }
7427 
7428 static struct pernet_operations selinux_net_ops = {
7429 	.init = selinux_nf_register,
7430 	.exit = selinux_nf_unregister,
7431 };
7432 
7433 static int __init selinux_nf_ip_init(void)
7434 {
7435 	int err;
7436 
7437 	if (!selinux_enabled_boot)
7438 		return 0;
7439 
7440 	pr_debug("SELinux:  Registering netfilter hooks\n");
7441 
7442 	err = register_pernet_subsys(&selinux_net_ops);
7443 	if (err)
7444 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7445 
7446 	return 0;
7447 }
7448 __initcall(selinux_nf_ip_init);
7449 
7450 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7451 static void selinux_nf_ip_exit(void)
7452 {
7453 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7454 
7455 	unregister_pernet_subsys(&selinux_net_ops);
7456 }
7457 #endif
7458 
7459 #else /* CONFIG_NETFILTER */
7460 
7461 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7462 #define selinux_nf_ip_exit()
7463 #endif
7464 
7465 #endif /* CONFIG_NETFILTER */
7466 
7467 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7468 int selinux_disable(struct selinux_state *state)
7469 {
7470 	if (selinux_initialized(state)) {
7471 		/* Not permitted after initial policy load. */
7472 		return -EINVAL;
7473 	}
7474 
7475 	if (selinux_disabled(state)) {
7476 		/* Only do this once. */
7477 		return -EINVAL;
7478 	}
7479 
7480 	selinux_mark_disabled(state);
7481 
7482 	pr_info("SELinux:  Disabled at runtime.\n");
7483 
7484 	/*
7485 	 * Unregister netfilter hooks.
7486 	 * Must be done before security_delete_hooks() to avoid breaking
7487 	 * runtime disable.
7488 	 */
7489 	selinux_nf_ip_exit();
7490 
7491 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7492 
7493 	/* Try to destroy the avc node cache */
7494 	avc_disable();
7495 
7496 	/* Unregister selinuxfs. */
7497 	exit_sel_fs();
7498 
7499 	return 0;
7500 }
7501 #endif
7502