xref: /linux/security/selinux/hooks.c (revision 7c66e12136c2fa421ae75497e02728f252108a1b)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86 
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96 
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105 	unsigned long enforcing;
106 	if (!kstrtoul(str, 0, &enforcing))
107 		selinux_enforcing = enforcing ? 1 : 0;
108 	return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118 	unsigned long enabled;
119 	if (!kstrtoul(str, 0, &enabled))
120 		selinux_enabled = enabled ? 1 : 0;
121 	return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 	if (event == AVC_CALLBACK_RESET) {
165 		sel_netif_flush();
166 		sel_netnode_flush();
167 		sel_netport_flush();
168 		synchronize_net();
169 	}
170 	return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178 	struct cred *cred = (struct cred *) current->real_cred;
179 	struct task_security_struct *tsec;
180 
181 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 	if (!tsec)
183 		panic("SELinux:  Failed to initialize initial task.\n");
184 
185 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 	cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 	const struct task_security_struct *tsec;
195 
196 	tsec = cred->security;
197 	return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 	u32 sid;
206 
207 	rcu_read_lock();
208 	sid = cred_sid(__task_cred(task));
209 	rcu_read_unlock();
210 	return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218 	const struct task_security_struct *tsec = current_security();
219 
220 	return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227 	struct inode_security_struct *isec;
228 	u32 sid = current_sid();
229 
230 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 	if (!isec)
232 		return -ENOMEM;
233 
234 	mutex_init(&isec->lock);
235 	INIT_LIST_HEAD(&isec->list);
236 	isec->inode = inode;
237 	isec->sid = SECINITSID_UNLABELED;
238 	isec->sclass = SECCLASS_FILE;
239 	isec->task_sid = sid;
240 	inode->i_security = isec;
241 
242 	return 0;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
252  * when no dentry is available, set it to NULL instead.
253  */
254 static int __inode_security_revalidate(struct inode *inode,
255 				       struct dentry *opt_dentry,
256 				       bool may_sleep)
257 {
258 	struct inode_security_struct *isec = inode->i_security;
259 
260 	might_sleep_if(may_sleep);
261 
262 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 		if (!may_sleep)
264 			return -ECHILD;
265 
266 		/*
267 		 * Try reloading the inode security label.  This will fail if
268 		 * @opt_dentry is NULL and no dentry for this inode can be
269 		 * found; in that case, continue using the old label.
270 		 */
271 		inode_doinit_with_dentry(inode, opt_dentry);
272 	}
273 	return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 	return inode->i_security;
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 	int error;
284 
285 	error = __inode_security_revalidate(inode, NULL, !rcu);
286 	if (error)
287 		return ERR_PTR(error);
288 	return inode->i_security;
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 	__inode_security_revalidate(inode, NULL, true);
297 	return inode->i_security;
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 	struct inode *inode = d_backing_inode(dentry);
303 
304 	return inode->i_security;
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 	struct inode *inode = d_backing_inode(dentry);
313 
314 	__inode_security_revalidate(inode, dentry, true);
315 	return inode->i_security;
316 }
317 
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 	struct inode_security_struct *isec;
321 
322 	isec = container_of(head, struct inode_security_struct, rcu);
323 	kmem_cache_free(sel_inode_cache, isec);
324 }
325 
326 static void inode_free_security(struct inode *inode)
327 {
328 	struct inode_security_struct *isec = inode->i_security;
329 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330 
331 	/*
332 	 * As not all inode security structures are in a list, we check for
333 	 * empty list outside of the lock to make sure that we won't waste
334 	 * time taking a lock doing nothing.
335 	 *
336 	 * The list_del_init() function can be safely called more than once.
337 	 * It should not be possible for this function to be called with
338 	 * concurrent list_add(), but for better safety against future changes
339 	 * in the code, we use list_empty_careful() here.
340 	 */
341 	if (!list_empty_careful(&isec->list)) {
342 		spin_lock(&sbsec->isec_lock);
343 		list_del_init(&isec->list);
344 		spin_unlock(&sbsec->isec_lock);
345 	}
346 
347 	/*
348 	 * The inode may still be referenced in a path walk and
349 	 * a call to selinux_inode_permission() can be made
350 	 * after inode_free_security() is called. Ideally, the VFS
351 	 * wouldn't do this, but fixing that is a much harder
352 	 * job. For now, simply free the i_security via RCU, and
353 	 * leave the current inode->i_security pointer intact.
354 	 * The inode will be freed after the RCU grace period too.
355 	 */
356 	call_rcu(&isec->rcu, inode_free_rcu);
357 }
358 
359 static int file_alloc_security(struct file *file)
360 {
361 	struct file_security_struct *fsec;
362 	u32 sid = current_sid();
363 
364 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 	if (!fsec)
366 		return -ENOMEM;
367 
368 	fsec->sid = sid;
369 	fsec->fown_sid = sid;
370 	file->f_security = fsec;
371 
372 	return 0;
373 }
374 
375 static void file_free_security(struct file *file)
376 {
377 	struct file_security_struct *fsec = file->f_security;
378 	file->f_security = NULL;
379 	kmem_cache_free(file_security_cache, fsec);
380 }
381 
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 	struct superblock_security_struct *sbsec;
385 
386 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 	if (!sbsec)
388 		return -ENOMEM;
389 
390 	mutex_init(&sbsec->lock);
391 	INIT_LIST_HEAD(&sbsec->isec_head);
392 	spin_lock_init(&sbsec->isec_lock);
393 	sbsec->sb = sb;
394 	sbsec->sid = SECINITSID_UNLABELED;
395 	sbsec->def_sid = SECINITSID_FILE;
396 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 	sb->s_security = sbsec;
398 
399 	return 0;
400 }
401 
402 static void superblock_free_security(struct super_block *sb)
403 {
404 	struct superblock_security_struct *sbsec = sb->s_security;
405 	sb->s_security = NULL;
406 	kfree(sbsec);
407 }
408 
409 /* The file system's label must be initialized prior to use. */
410 
411 static const char *labeling_behaviors[7] = {
412 	"uses xattr",
413 	"uses transition SIDs",
414 	"uses task SIDs",
415 	"uses genfs_contexts",
416 	"not configured for labeling",
417 	"uses mountpoint labeling",
418 	"uses native labeling",
419 };
420 
421 static inline int inode_doinit(struct inode *inode)
422 {
423 	return inode_doinit_with_dentry(inode, NULL);
424 }
425 
426 enum {
427 	Opt_error = -1,
428 	Opt_context = 1,
429 	Opt_fscontext = 2,
430 	Opt_defcontext = 3,
431 	Opt_rootcontext = 4,
432 	Opt_labelsupport = 5,
433 	Opt_nextmntopt = 6,
434 };
435 
436 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
437 
438 static const match_table_t tokens = {
439 	{Opt_context, CONTEXT_STR "%s"},
440 	{Opt_fscontext, FSCONTEXT_STR "%s"},
441 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
442 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443 	{Opt_labelsupport, LABELSUPP_STR},
444 	{Opt_error, NULL},
445 };
446 
447 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
448 
449 static int may_context_mount_sb_relabel(u32 sid,
450 			struct superblock_security_struct *sbsec,
451 			const struct cred *cred)
452 {
453 	const struct task_security_struct *tsec = cred->security;
454 	int rc;
455 
456 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 			  FILESYSTEM__RELABELFROM, NULL);
458 	if (rc)
459 		return rc;
460 
461 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 			  FILESYSTEM__RELABELTO, NULL);
463 	return rc;
464 }
465 
466 static int may_context_mount_inode_relabel(u32 sid,
467 			struct superblock_security_struct *sbsec,
468 			const struct cred *cred)
469 {
470 	const struct task_security_struct *tsec = cred->security;
471 	int rc;
472 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 			  FILESYSTEM__RELABELFROM, NULL);
474 	if (rc)
475 		return rc;
476 
477 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 			  FILESYSTEM__ASSOCIATE, NULL);
479 	return rc;
480 }
481 
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 	struct superblock_security_struct *sbsec = sb->s_security;
485 
486 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 		sbsec->behavior == SECURITY_FS_USE_TASK ||
489 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490 		/* Special handling. Genfs but also in-core setxattr handler */
491 		!strcmp(sb->s_type->name, "sysfs") ||
492 		!strcmp(sb->s_type->name, "pstore") ||
493 		!strcmp(sb->s_type->name, "debugfs") ||
494 		!strcmp(sb->s_type->name, "rootfs");
495 }
496 
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499 	struct superblock_security_struct *sbsec = sb->s_security;
500 	struct dentry *root = sb->s_root;
501 	struct inode *root_inode = d_backing_inode(root);
502 	int rc = 0;
503 
504 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 		/* Make sure that the xattr handler exists and that no
506 		   error other than -ENODATA is returned by getxattr on
507 		   the root directory.  -ENODATA is ok, as this may be
508 		   the first boot of the SELinux kernel before we have
509 		   assigned xattr values to the filesystem. */
510 		if (!(root_inode->i_opflags & IOP_XATTR)) {
511 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 			       "xattr support\n", sb->s_id, sb->s_type->name);
513 			rc = -EOPNOTSUPP;
514 			goto out;
515 		}
516 
517 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 		if (rc < 0 && rc != -ENODATA) {
519 			if (rc == -EOPNOTSUPP)
520 				printk(KERN_WARNING "SELinux: (dev %s, type "
521 				       "%s) has no security xattr handler\n",
522 				       sb->s_id, sb->s_type->name);
523 			else
524 				printk(KERN_WARNING "SELinux: (dev %s, type "
525 				       "%s) getxattr errno %d\n", sb->s_id,
526 				       sb->s_type->name, -rc);
527 			goto out;
528 		}
529 	}
530 
531 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 		       sb->s_id, sb->s_type->name);
534 
535 	sbsec->flags |= SE_SBINITIALIZED;
536 	if (selinux_is_sblabel_mnt(sb))
537 		sbsec->flags |= SBLABEL_MNT;
538 
539 	/* Initialize the root inode. */
540 	rc = inode_doinit_with_dentry(root_inode, root);
541 
542 	/* Initialize any other inodes associated with the superblock, e.g.
543 	   inodes created prior to initial policy load or inodes created
544 	   during get_sb by a pseudo filesystem that directly
545 	   populates itself. */
546 	spin_lock(&sbsec->isec_lock);
547 next_inode:
548 	if (!list_empty(&sbsec->isec_head)) {
549 		struct inode_security_struct *isec =
550 				list_entry(sbsec->isec_head.next,
551 					   struct inode_security_struct, list);
552 		struct inode *inode = isec->inode;
553 		list_del_init(&isec->list);
554 		spin_unlock(&sbsec->isec_lock);
555 		inode = igrab(inode);
556 		if (inode) {
557 			if (!IS_PRIVATE(inode))
558 				inode_doinit(inode);
559 			iput(inode);
560 		}
561 		spin_lock(&sbsec->isec_lock);
562 		goto next_inode;
563 	}
564 	spin_unlock(&sbsec->isec_lock);
565 out:
566 	return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 				struct security_mnt_opts *opts)
576 {
577 	int rc = 0, i;
578 	struct superblock_security_struct *sbsec = sb->s_security;
579 	char *context = NULL;
580 	u32 len;
581 	char tmp;
582 
583 	security_init_mnt_opts(opts);
584 
585 	if (!(sbsec->flags & SE_SBINITIALIZED))
586 		return -EINVAL;
587 
588 	if (!ss_initialized)
589 		return -EINVAL;
590 
591 	/* make sure we always check enough bits to cover the mask */
592 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594 	tmp = sbsec->flags & SE_MNTMASK;
595 	/* count the number of mount options for this sb */
596 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 		if (tmp & 0x01)
598 			opts->num_mnt_opts++;
599 		tmp >>= 1;
600 	}
601 	/* Check if the Label support flag is set */
602 	if (sbsec->flags & SBLABEL_MNT)
603 		opts->num_mnt_opts++;
604 
605 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 	if (!opts->mnt_opts) {
607 		rc = -ENOMEM;
608 		goto out_free;
609 	}
610 
611 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 	if (!opts->mnt_opts_flags) {
613 		rc = -ENOMEM;
614 		goto out_free;
615 	}
616 
617 	i = 0;
618 	if (sbsec->flags & FSCONTEXT_MNT) {
619 		rc = security_sid_to_context(sbsec->sid, &context, &len);
620 		if (rc)
621 			goto out_free;
622 		opts->mnt_opts[i] = context;
623 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 	}
625 	if (sbsec->flags & CONTEXT_MNT) {
626 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 		if (rc)
628 			goto out_free;
629 		opts->mnt_opts[i] = context;
630 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 	}
632 	if (sbsec->flags & DEFCONTEXT_MNT) {
633 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 		if (rc)
635 			goto out_free;
636 		opts->mnt_opts[i] = context;
637 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 	}
639 	if (sbsec->flags & ROOTCONTEXT_MNT) {
640 		struct dentry *root = sbsec->sb->s_root;
641 		struct inode_security_struct *isec = backing_inode_security(root);
642 
643 		rc = security_sid_to_context(isec->sid, &context, &len);
644 		if (rc)
645 			goto out_free;
646 		opts->mnt_opts[i] = context;
647 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 	}
649 	if (sbsec->flags & SBLABEL_MNT) {
650 		opts->mnt_opts[i] = NULL;
651 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 	}
653 
654 	BUG_ON(i != opts->num_mnt_opts);
655 
656 	return 0;
657 
658 out_free:
659 	security_free_mnt_opts(opts);
660 	return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 		      u32 old_sid, u32 new_sid)
665 {
666 	char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668 	/* check if the old mount command had the same options */
669 	if (sbsec->flags & SE_SBINITIALIZED)
670 		if (!(sbsec->flags & flag) ||
671 		    (old_sid != new_sid))
672 			return 1;
673 
674 	/* check if we were passed the same options twice,
675 	 * aka someone passed context=a,context=b
676 	 */
677 	if (!(sbsec->flags & SE_SBINITIALIZED))
678 		if (mnt_flags & flag)
679 			return 1;
680 	return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 				struct security_mnt_opts *opts,
689 				unsigned long kern_flags,
690 				unsigned long *set_kern_flags)
691 {
692 	const struct cred *cred = current_cred();
693 	int rc = 0, i;
694 	struct superblock_security_struct *sbsec = sb->s_security;
695 	const char *name = sb->s_type->name;
696 	struct dentry *root = sbsec->sb->s_root;
697 	struct inode_security_struct *root_isec;
698 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 	u32 defcontext_sid = 0;
700 	char **mount_options = opts->mnt_opts;
701 	int *flags = opts->mnt_opts_flags;
702 	int num_opts = opts->num_mnt_opts;
703 
704 	mutex_lock(&sbsec->lock);
705 
706 	if (!ss_initialized) {
707 		if (!num_opts) {
708 			/* Defer initialization until selinux_complete_init,
709 			   after the initial policy is loaded and the security
710 			   server is ready to handle calls. */
711 			goto out;
712 		}
713 		rc = -EINVAL;
714 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 			"before the security server is initialized\n");
716 		goto out;
717 	}
718 	if (kern_flags && !set_kern_flags) {
719 		/* Specifying internal flags without providing a place to
720 		 * place the results is not allowed */
721 		rc = -EINVAL;
722 		goto out;
723 	}
724 
725 	/*
726 	 * Binary mount data FS will come through this function twice.  Once
727 	 * from an explicit call and once from the generic calls from the vfs.
728 	 * Since the generic VFS calls will not contain any security mount data
729 	 * we need to skip the double mount verification.
730 	 *
731 	 * This does open a hole in which we will not notice if the first
732 	 * mount using this sb set explict options and a second mount using
733 	 * this sb does not set any security options.  (The first options
734 	 * will be used for both mounts)
735 	 */
736 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 	    && (num_opts == 0))
738 		goto out;
739 
740 	root_isec = backing_inode_security_novalidate(root);
741 
742 	/*
743 	 * parse the mount options, check if they are valid sids.
744 	 * also check if someone is trying to mount the same sb more
745 	 * than once with different security options.
746 	 */
747 	for (i = 0; i < num_opts; i++) {
748 		u32 sid;
749 
750 		if (flags[i] == SBLABEL_MNT)
751 			continue;
752 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 		if (rc) {
754 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
756 			       mount_options[i], sb->s_id, name, rc);
757 			goto out;
758 		}
759 		switch (flags[i]) {
760 		case FSCONTEXT_MNT:
761 			fscontext_sid = sid;
762 
763 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 					fscontext_sid))
765 				goto out_double_mount;
766 
767 			sbsec->flags |= FSCONTEXT_MNT;
768 			break;
769 		case CONTEXT_MNT:
770 			context_sid = sid;
771 
772 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 					context_sid))
774 				goto out_double_mount;
775 
776 			sbsec->flags |= CONTEXT_MNT;
777 			break;
778 		case ROOTCONTEXT_MNT:
779 			rootcontext_sid = sid;
780 
781 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 					rootcontext_sid))
783 				goto out_double_mount;
784 
785 			sbsec->flags |= ROOTCONTEXT_MNT;
786 
787 			break;
788 		case DEFCONTEXT_MNT:
789 			defcontext_sid = sid;
790 
791 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 					defcontext_sid))
793 				goto out_double_mount;
794 
795 			sbsec->flags |= DEFCONTEXT_MNT;
796 
797 			break;
798 		default:
799 			rc = -EINVAL;
800 			goto out;
801 		}
802 	}
803 
804 	if (sbsec->flags & SE_SBINITIALIZED) {
805 		/* previously mounted with options, but not on this attempt? */
806 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 			goto out_double_mount;
808 		rc = 0;
809 		goto out;
810 	}
811 
812 	if (strcmp(sb->s_type->name, "proc") == 0)
813 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815 	if (!strcmp(sb->s_type->name, "debugfs") ||
816 	    !strcmp(sb->s_type->name, "sysfs") ||
817 	    !strcmp(sb->s_type->name, "pstore"))
818 		sbsec->flags |= SE_SBGENFS;
819 
820 	if (!sbsec->behavior) {
821 		/*
822 		 * Determine the labeling behavior to use for this
823 		 * filesystem type.
824 		 */
825 		rc = security_fs_use(sb);
826 		if (rc) {
827 			printk(KERN_WARNING
828 				"%s: security_fs_use(%s) returned %d\n",
829 					__func__, sb->s_type->name, rc);
830 			goto out;
831 		}
832 	}
833 
834 	/*
835 	 * If this is a user namespace mount, no contexts are allowed
836 	 * on the command line and security labels must be ignored.
837 	 */
838 	if (sb->s_user_ns != &init_user_ns) {
839 		if (context_sid || fscontext_sid || rootcontext_sid ||
840 		    defcontext_sid) {
841 			rc = -EACCES;
842 			goto out;
843 		}
844 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 			rc = security_transition_sid(current_sid(), current_sid(),
847 						     SECCLASS_FILE, NULL,
848 						     &sbsec->mntpoint_sid);
849 			if (rc)
850 				goto out;
851 		}
852 		goto out_set_opts;
853 	}
854 
855 	/* sets the context of the superblock for the fs being mounted. */
856 	if (fscontext_sid) {
857 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
858 		if (rc)
859 			goto out;
860 
861 		sbsec->sid = fscontext_sid;
862 	}
863 
864 	/*
865 	 * Switch to using mount point labeling behavior.
866 	 * sets the label used on all file below the mountpoint, and will set
867 	 * the superblock context if not already set.
868 	 */
869 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 	}
873 
874 	if (context_sid) {
875 		if (!fscontext_sid) {
876 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 							  cred);
878 			if (rc)
879 				goto out;
880 			sbsec->sid = context_sid;
881 		} else {
882 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 							     cred);
884 			if (rc)
885 				goto out;
886 		}
887 		if (!rootcontext_sid)
888 			rootcontext_sid = context_sid;
889 
890 		sbsec->mntpoint_sid = context_sid;
891 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
892 	}
893 
894 	if (rootcontext_sid) {
895 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 						     cred);
897 		if (rc)
898 			goto out;
899 
900 		root_isec->sid = rootcontext_sid;
901 		root_isec->initialized = LABEL_INITIALIZED;
902 	}
903 
904 	if (defcontext_sid) {
905 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
907 			rc = -EINVAL;
908 			printk(KERN_WARNING "SELinux: defcontext option is "
909 			       "invalid for this filesystem type\n");
910 			goto out;
911 		}
912 
913 		if (defcontext_sid != sbsec->def_sid) {
914 			rc = may_context_mount_inode_relabel(defcontext_sid,
915 							     sbsec, cred);
916 			if (rc)
917 				goto out;
918 		}
919 
920 		sbsec->def_sid = defcontext_sid;
921 	}
922 
923 out_set_opts:
924 	rc = sb_finish_set_opts(sb);
925 out:
926 	mutex_unlock(&sbsec->lock);
927 	return rc;
928 out_double_mount:
929 	rc = -EINVAL;
930 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
931 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
932 	goto out;
933 }
934 
935 static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 				    const struct super_block *newsb)
937 {
938 	struct superblock_security_struct *old = oldsb->s_security;
939 	struct superblock_security_struct *new = newsb->s_security;
940 	char oldflags = old->flags & SE_MNTMASK;
941 	char newflags = new->flags & SE_MNTMASK;
942 
943 	if (oldflags != newflags)
944 		goto mismatch;
945 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 		goto mismatch;
947 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 		goto mismatch;
949 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 		goto mismatch;
951 	if (oldflags & ROOTCONTEXT_MNT) {
952 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
954 		if (oldroot->sid != newroot->sid)
955 			goto mismatch;
956 	}
957 	return 0;
958 mismatch:
959 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
960 			    "different security settings for (dev %s, "
961 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
962 	return -EBUSY;
963 }
964 
965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
966 					struct super_block *newsb)
967 {
968 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 	struct superblock_security_struct *newsbsec = newsb->s_security;
970 
971 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
972 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
973 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
974 
975 	/*
976 	 * if the parent was able to be mounted it clearly had no special lsm
977 	 * mount options.  thus we can safely deal with this superblock later
978 	 */
979 	if (!ss_initialized)
980 		return 0;
981 
982 	/* how can we clone if the old one wasn't set up?? */
983 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
984 
985 	/* if fs is reusing a sb, make sure that the contexts match */
986 	if (newsbsec->flags & SE_SBINITIALIZED)
987 		return selinux_cmp_sb_context(oldsb, newsb);
988 
989 	mutex_lock(&newsbsec->lock);
990 
991 	newsbsec->flags = oldsbsec->flags;
992 
993 	newsbsec->sid = oldsbsec->sid;
994 	newsbsec->def_sid = oldsbsec->def_sid;
995 	newsbsec->behavior = oldsbsec->behavior;
996 
997 	if (set_context) {
998 		u32 sid = oldsbsec->mntpoint_sid;
999 
1000 		if (!set_fscontext)
1001 			newsbsec->sid = sid;
1002 		if (!set_rootcontext) {
1003 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004 			newisec->sid = sid;
1005 		}
1006 		newsbsec->mntpoint_sid = sid;
1007 	}
1008 	if (set_rootcontext) {
1009 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1011 
1012 		newisec->sid = oldisec->sid;
1013 	}
1014 
1015 	sb_finish_set_opts(newsb);
1016 	mutex_unlock(&newsbsec->lock);
1017 	return 0;
1018 }
1019 
1020 static int selinux_parse_opts_str(char *options,
1021 				  struct security_mnt_opts *opts)
1022 {
1023 	char *p;
1024 	char *context = NULL, *defcontext = NULL;
1025 	char *fscontext = NULL, *rootcontext = NULL;
1026 	int rc, num_mnt_opts = 0;
1027 
1028 	opts->num_mnt_opts = 0;
1029 
1030 	/* Standard string-based options. */
1031 	while ((p = strsep(&options, "|")) != NULL) {
1032 		int token;
1033 		substring_t args[MAX_OPT_ARGS];
1034 
1035 		if (!*p)
1036 			continue;
1037 
1038 		token = match_token(p, tokens, args);
1039 
1040 		switch (token) {
1041 		case Opt_context:
1042 			if (context || defcontext) {
1043 				rc = -EINVAL;
1044 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 				goto out_err;
1046 			}
1047 			context = match_strdup(&args[0]);
1048 			if (!context) {
1049 				rc = -ENOMEM;
1050 				goto out_err;
1051 			}
1052 			break;
1053 
1054 		case Opt_fscontext:
1055 			if (fscontext) {
1056 				rc = -EINVAL;
1057 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 				goto out_err;
1059 			}
1060 			fscontext = match_strdup(&args[0]);
1061 			if (!fscontext) {
1062 				rc = -ENOMEM;
1063 				goto out_err;
1064 			}
1065 			break;
1066 
1067 		case Opt_rootcontext:
1068 			if (rootcontext) {
1069 				rc = -EINVAL;
1070 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 				goto out_err;
1072 			}
1073 			rootcontext = match_strdup(&args[0]);
1074 			if (!rootcontext) {
1075 				rc = -ENOMEM;
1076 				goto out_err;
1077 			}
1078 			break;
1079 
1080 		case Opt_defcontext:
1081 			if (context || defcontext) {
1082 				rc = -EINVAL;
1083 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 				goto out_err;
1085 			}
1086 			defcontext = match_strdup(&args[0]);
1087 			if (!defcontext) {
1088 				rc = -ENOMEM;
1089 				goto out_err;
1090 			}
1091 			break;
1092 		case Opt_labelsupport:
1093 			break;
1094 		default:
1095 			rc = -EINVAL;
1096 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1097 			goto out_err;
1098 
1099 		}
1100 	}
1101 
1102 	rc = -ENOMEM;
1103 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1104 	if (!opts->mnt_opts)
1105 		goto out_err;
1106 
1107 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1108 	if (!opts->mnt_opts_flags) {
1109 		kfree(opts->mnt_opts);
1110 		goto out_err;
1111 	}
1112 
1113 	if (fscontext) {
1114 		opts->mnt_opts[num_mnt_opts] = fscontext;
1115 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1116 	}
1117 	if (context) {
1118 		opts->mnt_opts[num_mnt_opts] = context;
1119 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1120 	}
1121 	if (rootcontext) {
1122 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1123 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1124 	}
1125 	if (defcontext) {
1126 		opts->mnt_opts[num_mnt_opts] = defcontext;
1127 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1128 	}
1129 
1130 	opts->num_mnt_opts = num_mnt_opts;
1131 	return 0;
1132 
1133 out_err:
1134 	kfree(context);
1135 	kfree(defcontext);
1136 	kfree(fscontext);
1137 	kfree(rootcontext);
1138 	return rc;
1139 }
1140 /*
1141  * string mount options parsing and call set the sbsec
1142  */
1143 static int superblock_doinit(struct super_block *sb, void *data)
1144 {
1145 	int rc = 0;
1146 	char *options = data;
1147 	struct security_mnt_opts opts;
1148 
1149 	security_init_mnt_opts(&opts);
1150 
1151 	if (!data)
1152 		goto out;
1153 
1154 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1155 
1156 	rc = selinux_parse_opts_str(options, &opts);
1157 	if (rc)
1158 		goto out_err;
1159 
1160 out:
1161 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1162 
1163 out_err:
1164 	security_free_mnt_opts(&opts);
1165 	return rc;
1166 }
1167 
1168 static void selinux_write_opts(struct seq_file *m,
1169 			       struct security_mnt_opts *opts)
1170 {
1171 	int i;
1172 	char *prefix;
1173 
1174 	for (i = 0; i < opts->num_mnt_opts; i++) {
1175 		char *has_comma;
1176 
1177 		if (opts->mnt_opts[i])
1178 			has_comma = strchr(opts->mnt_opts[i], ',');
1179 		else
1180 			has_comma = NULL;
1181 
1182 		switch (opts->mnt_opts_flags[i]) {
1183 		case CONTEXT_MNT:
1184 			prefix = CONTEXT_STR;
1185 			break;
1186 		case FSCONTEXT_MNT:
1187 			prefix = FSCONTEXT_STR;
1188 			break;
1189 		case ROOTCONTEXT_MNT:
1190 			prefix = ROOTCONTEXT_STR;
1191 			break;
1192 		case DEFCONTEXT_MNT:
1193 			prefix = DEFCONTEXT_STR;
1194 			break;
1195 		case SBLABEL_MNT:
1196 			seq_putc(m, ',');
1197 			seq_puts(m, LABELSUPP_STR);
1198 			continue;
1199 		default:
1200 			BUG();
1201 			return;
1202 		};
1203 		/* we need a comma before each option */
1204 		seq_putc(m, ',');
1205 		seq_puts(m, prefix);
1206 		if (has_comma)
1207 			seq_putc(m, '\"');
1208 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1209 		if (has_comma)
1210 			seq_putc(m, '\"');
1211 	}
1212 }
1213 
1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1215 {
1216 	struct security_mnt_opts opts;
1217 	int rc;
1218 
1219 	rc = selinux_get_mnt_opts(sb, &opts);
1220 	if (rc) {
1221 		/* before policy load we may get EINVAL, don't show anything */
1222 		if (rc == -EINVAL)
1223 			rc = 0;
1224 		return rc;
1225 	}
1226 
1227 	selinux_write_opts(m, &opts);
1228 
1229 	security_free_mnt_opts(&opts);
1230 
1231 	return rc;
1232 }
1233 
1234 static inline u16 inode_mode_to_security_class(umode_t mode)
1235 {
1236 	switch (mode & S_IFMT) {
1237 	case S_IFSOCK:
1238 		return SECCLASS_SOCK_FILE;
1239 	case S_IFLNK:
1240 		return SECCLASS_LNK_FILE;
1241 	case S_IFREG:
1242 		return SECCLASS_FILE;
1243 	case S_IFBLK:
1244 		return SECCLASS_BLK_FILE;
1245 	case S_IFDIR:
1246 		return SECCLASS_DIR;
1247 	case S_IFCHR:
1248 		return SECCLASS_CHR_FILE;
1249 	case S_IFIFO:
1250 		return SECCLASS_FIFO_FILE;
1251 
1252 	}
1253 
1254 	return SECCLASS_FILE;
1255 }
1256 
1257 static inline int default_protocol_stream(int protocol)
1258 {
1259 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1260 }
1261 
1262 static inline int default_protocol_dgram(int protocol)
1263 {
1264 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1265 }
1266 
1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1268 {
1269 	switch (family) {
1270 	case PF_UNIX:
1271 		switch (type) {
1272 		case SOCK_STREAM:
1273 		case SOCK_SEQPACKET:
1274 			return SECCLASS_UNIX_STREAM_SOCKET;
1275 		case SOCK_DGRAM:
1276 			return SECCLASS_UNIX_DGRAM_SOCKET;
1277 		}
1278 		break;
1279 	case PF_INET:
1280 	case PF_INET6:
1281 		switch (type) {
1282 		case SOCK_STREAM:
1283 			if (default_protocol_stream(protocol))
1284 				return SECCLASS_TCP_SOCKET;
1285 			else
1286 				return SECCLASS_RAWIP_SOCKET;
1287 		case SOCK_DGRAM:
1288 			if (default_protocol_dgram(protocol))
1289 				return SECCLASS_UDP_SOCKET;
1290 			else
1291 				return SECCLASS_RAWIP_SOCKET;
1292 		case SOCK_DCCP:
1293 			return SECCLASS_DCCP_SOCKET;
1294 		default:
1295 			return SECCLASS_RAWIP_SOCKET;
1296 		}
1297 		break;
1298 	case PF_NETLINK:
1299 		switch (protocol) {
1300 		case NETLINK_ROUTE:
1301 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1302 		case NETLINK_SOCK_DIAG:
1303 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1304 		case NETLINK_NFLOG:
1305 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1306 		case NETLINK_XFRM:
1307 			return SECCLASS_NETLINK_XFRM_SOCKET;
1308 		case NETLINK_SELINUX:
1309 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1310 		case NETLINK_ISCSI:
1311 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1312 		case NETLINK_AUDIT:
1313 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1314 		case NETLINK_FIB_LOOKUP:
1315 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1316 		case NETLINK_CONNECTOR:
1317 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1318 		case NETLINK_NETFILTER:
1319 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1320 		case NETLINK_DNRTMSG:
1321 			return SECCLASS_NETLINK_DNRT_SOCKET;
1322 		case NETLINK_KOBJECT_UEVENT:
1323 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1324 		case NETLINK_GENERIC:
1325 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1326 		case NETLINK_SCSITRANSPORT:
1327 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1328 		case NETLINK_RDMA:
1329 			return SECCLASS_NETLINK_RDMA_SOCKET;
1330 		case NETLINK_CRYPTO:
1331 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1332 		default:
1333 			return SECCLASS_NETLINK_SOCKET;
1334 		}
1335 	case PF_PACKET:
1336 		return SECCLASS_PACKET_SOCKET;
1337 	case PF_KEY:
1338 		return SECCLASS_KEY_SOCKET;
1339 	case PF_APPLETALK:
1340 		return SECCLASS_APPLETALK_SOCKET;
1341 	}
1342 
1343 	return SECCLASS_SOCKET;
1344 }
1345 
1346 static int selinux_genfs_get_sid(struct dentry *dentry,
1347 				 u16 tclass,
1348 				 u16 flags,
1349 				 u32 *sid)
1350 {
1351 	int rc;
1352 	struct super_block *sb = dentry->d_sb;
1353 	char *buffer, *path;
1354 
1355 	buffer = (char *)__get_free_page(GFP_KERNEL);
1356 	if (!buffer)
1357 		return -ENOMEM;
1358 
1359 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1360 	if (IS_ERR(path))
1361 		rc = PTR_ERR(path);
1362 	else {
1363 		if (flags & SE_SBPROC) {
1364 			/* each process gets a /proc/PID/ entry. Strip off the
1365 			 * PID part to get a valid selinux labeling.
1366 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1367 			while (path[1] >= '0' && path[1] <= '9') {
1368 				path[1] = '/';
1369 				path++;
1370 			}
1371 		}
1372 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1373 	}
1374 	free_page((unsigned long)buffer);
1375 	return rc;
1376 }
1377 
1378 /* The inode's security attributes must be initialized before first use. */
1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1380 {
1381 	struct superblock_security_struct *sbsec = NULL;
1382 	struct inode_security_struct *isec = inode->i_security;
1383 	u32 sid;
1384 	struct dentry *dentry;
1385 #define INITCONTEXTLEN 255
1386 	char *context = NULL;
1387 	unsigned len = 0;
1388 	int rc = 0;
1389 
1390 	if (isec->initialized == LABEL_INITIALIZED)
1391 		goto out;
1392 
1393 	mutex_lock(&isec->lock);
1394 	if (isec->initialized == LABEL_INITIALIZED)
1395 		goto out_unlock;
1396 
1397 	sbsec = inode->i_sb->s_security;
1398 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1399 		/* Defer initialization until selinux_complete_init,
1400 		   after the initial policy is loaded and the security
1401 		   server is ready to handle calls. */
1402 		spin_lock(&sbsec->isec_lock);
1403 		if (list_empty(&isec->list))
1404 			list_add(&isec->list, &sbsec->isec_head);
1405 		spin_unlock(&sbsec->isec_lock);
1406 		goto out_unlock;
1407 	}
1408 
1409 	switch (sbsec->behavior) {
1410 	case SECURITY_FS_USE_NATIVE:
1411 		break;
1412 	case SECURITY_FS_USE_XATTR:
1413 		if (!(inode->i_opflags & IOP_XATTR)) {
1414 			isec->sid = sbsec->def_sid;
1415 			break;
1416 		}
1417 		/* Need a dentry, since the xattr API requires one.
1418 		   Life would be simpler if we could just pass the inode. */
1419 		if (opt_dentry) {
1420 			/* Called from d_instantiate or d_splice_alias. */
1421 			dentry = dget(opt_dentry);
1422 		} else {
1423 			/* Called from selinux_complete_init, try to find a dentry. */
1424 			dentry = d_find_alias(inode);
1425 		}
1426 		if (!dentry) {
1427 			/*
1428 			 * this is can be hit on boot when a file is accessed
1429 			 * before the policy is loaded.  When we load policy we
1430 			 * may find inodes that have no dentry on the
1431 			 * sbsec->isec_head list.  No reason to complain as these
1432 			 * will get fixed up the next time we go through
1433 			 * inode_doinit with a dentry, before these inodes could
1434 			 * be used again by userspace.
1435 			 */
1436 			goto out_unlock;
1437 		}
1438 
1439 		len = INITCONTEXTLEN;
1440 		context = kmalloc(len+1, GFP_NOFS);
1441 		if (!context) {
1442 			rc = -ENOMEM;
1443 			dput(dentry);
1444 			goto out_unlock;
1445 		}
1446 		context[len] = '\0';
1447 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1448 		if (rc == -ERANGE) {
1449 			kfree(context);
1450 
1451 			/* Need a larger buffer.  Query for the right size. */
1452 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1453 			if (rc < 0) {
1454 				dput(dentry);
1455 				goto out_unlock;
1456 			}
1457 			len = rc;
1458 			context = kmalloc(len+1, GFP_NOFS);
1459 			if (!context) {
1460 				rc = -ENOMEM;
1461 				dput(dentry);
1462 				goto out_unlock;
1463 			}
1464 			context[len] = '\0';
1465 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1466 		}
1467 		dput(dentry);
1468 		if (rc < 0) {
1469 			if (rc != -ENODATA) {
1470 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1471 				       "%d for dev=%s ino=%ld\n", __func__,
1472 				       -rc, inode->i_sb->s_id, inode->i_ino);
1473 				kfree(context);
1474 				goto out_unlock;
1475 			}
1476 			/* Map ENODATA to the default file SID */
1477 			sid = sbsec->def_sid;
1478 			rc = 0;
1479 		} else {
1480 			rc = security_context_to_sid_default(context, rc, &sid,
1481 							     sbsec->def_sid,
1482 							     GFP_NOFS);
1483 			if (rc) {
1484 				char *dev = inode->i_sb->s_id;
1485 				unsigned long ino = inode->i_ino;
1486 
1487 				if (rc == -EINVAL) {
1488 					if (printk_ratelimit())
1489 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1490 							"context=%s.  This indicates you may need to relabel the inode or the "
1491 							"filesystem in question.\n", ino, dev, context);
1492 				} else {
1493 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1494 					       "returned %d for dev=%s ino=%ld\n",
1495 					       __func__, context, -rc, dev, ino);
1496 				}
1497 				kfree(context);
1498 				/* Leave with the unlabeled SID */
1499 				rc = 0;
1500 				break;
1501 			}
1502 		}
1503 		kfree(context);
1504 		isec->sid = sid;
1505 		break;
1506 	case SECURITY_FS_USE_TASK:
1507 		isec->sid = isec->task_sid;
1508 		break;
1509 	case SECURITY_FS_USE_TRANS:
1510 		/* Default to the fs SID. */
1511 		isec->sid = sbsec->sid;
1512 
1513 		/* Try to obtain a transition SID. */
1514 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1515 		rc = security_transition_sid(isec->task_sid, sbsec->sid,
1516 					     isec->sclass, NULL, &sid);
1517 		if (rc)
1518 			goto out_unlock;
1519 		isec->sid = sid;
1520 		break;
1521 	case SECURITY_FS_USE_MNTPOINT:
1522 		isec->sid = sbsec->mntpoint_sid;
1523 		break;
1524 	default:
1525 		/* Default to the fs superblock SID. */
1526 		isec->sid = sbsec->sid;
1527 
1528 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1529 			/* We must have a dentry to determine the label on
1530 			 * procfs inodes */
1531 			if (opt_dentry)
1532 				/* Called from d_instantiate or
1533 				 * d_splice_alias. */
1534 				dentry = dget(opt_dentry);
1535 			else
1536 				/* Called from selinux_complete_init, try to
1537 				 * find a dentry. */
1538 				dentry = d_find_alias(inode);
1539 			/*
1540 			 * This can be hit on boot when a file is accessed
1541 			 * before the policy is loaded.  When we load policy we
1542 			 * may find inodes that have no dentry on the
1543 			 * sbsec->isec_head list.  No reason to complain as
1544 			 * these will get fixed up the next time we go through
1545 			 * inode_doinit() with a dentry, before these inodes
1546 			 * could be used again by userspace.
1547 			 */
1548 			if (!dentry)
1549 				goto out_unlock;
1550 			isec->sclass = inode_mode_to_security_class(inode->i_mode);
1551 			rc = selinux_genfs_get_sid(dentry, isec->sclass,
1552 						   sbsec->flags, &sid);
1553 			dput(dentry);
1554 			if (rc)
1555 				goto out_unlock;
1556 			isec->sid = sid;
1557 		}
1558 		break;
1559 	}
1560 
1561 	isec->initialized = LABEL_INITIALIZED;
1562 
1563 out_unlock:
1564 	mutex_unlock(&isec->lock);
1565 out:
1566 	if (isec->sclass == SECCLASS_FILE)
1567 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1568 	return rc;
1569 }
1570 
1571 /* Convert a Linux signal to an access vector. */
1572 static inline u32 signal_to_av(int sig)
1573 {
1574 	u32 perm = 0;
1575 
1576 	switch (sig) {
1577 	case SIGCHLD:
1578 		/* Commonly granted from child to parent. */
1579 		perm = PROCESS__SIGCHLD;
1580 		break;
1581 	case SIGKILL:
1582 		/* Cannot be caught or ignored */
1583 		perm = PROCESS__SIGKILL;
1584 		break;
1585 	case SIGSTOP:
1586 		/* Cannot be caught or ignored */
1587 		perm = PROCESS__SIGSTOP;
1588 		break;
1589 	default:
1590 		/* All other signals. */
1591 		perm = PROCESS__SIGNAL;
1592 		break;
1593 	}
1594 
1595 	return perm;
1596 }
1597 
1598 /*
1599  * Check permission between a pair of credentials
1600  * fork check, ptrace check, etc.
1601  */
1602 static int cred_has_perm(const struct cred *actor,
1603 			 const struct cred *target,
1604 			 u32 perms)
1605 {
1606 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1607 
1608 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1609 }
1610 
1611 /*
1612  * Check permission between a pair of tasks, e.g. signal checks,
1613  * fork check, ptrace check, etc.
1614  * tsk1 is the actor and tsk2 is the target
1615  * - this uses the default subjective creds of tsk1
1616  */
1617 static int task_has_perm(const struct task_struct *tsk1,
1618 			 const struct task_struct *tsk2,
1619 			 u32 perms)
1620 {
1621 	const struct task_security_struct *__tsec1, *__tsec2;
1622 	u32 sid1, sid2;
1623 
1624 	rcu_read_lock();
1625 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1626 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1627 	rcu_read_unlock();
1628 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1629 }
1630 
1631 /*
1632  * Check permission between current and another task, e.g. signal checks,
1633  * fork check, ptrace check, etc.
1634  * current is the actor and tsk2 is the target
1635  * - this uses current's subjective creds
1636  */
1637 static int current_has_perm(const struct task_struct *tsk,
1638 			    u32 perms)
1639 {
1640 	u32 sid, tsid;
1641 
1642 	sid = current_sid();
1643 	tsid = task_sid(tsk);
1644 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1645 }
1646 
1647 #if CAP_LAST_CAP > 63
1648 #error Fix SELinux to handle capabilities > 63.
1649 #endif
1650 
1651 /* Check whether a task is allowed to use a capability. */
1652 static int cred_has_capability(const struct cred *cred,
1653 			       int cap, int audit, bool initns)
1654 {
1655 	struct common_audit_data ad;
1656 	struct av_decision avd;
1657 	u16 sclass;
1658 	u32 sid = cred_sid(cred);
1659 	u32 av = CAP_TO_MASK(cap);
1660 	int rc;
1661 
1662 	ad.type = LSM_AUDIT_DATA_CAP;
1663 	ad.u.cap = cap;
1664 
1665 	switch (CAP_TO_INDEX(cap)) {
1666 	case 0:
1667 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1668 		break;
1669 	case 1:
1670 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1671 		break;
1672 	default:
1673 		printk(KERN_ERR
1674 		       "SELinux:  out of range capability %d\n", cap);
1675 		BUG();
1676 		return -EINVAL;
1677 	}
1678 
1679 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1680 	if (audit == SECURITY_CAP_AUDIT) {
1681 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1682 		if (rc2)
1683 			return rc2;
1684 	}
1685 	return rc;
1686 }
1687 
1688 /* Check whether a task is allowed to use a system operation. */
1689 static int task_has_system(struct task_struct *tsk,
1690 			   u32 perms)
1691 {
1692 	u32 sid = task_sid(tsk);
1693 
1694 	return avc_has_perm(sid, SECINITSID_KERNEL,
1695 			    SECCLASS_SYSTEM, perms, NULL);
1696 }
1697 
1698 /* Check whether a task has a particular permission to an inode.
1699    The 'adp' parameter is optional and allows other audit
1700    data to be passed (e.g. the dentry). */
1701 static int inode_has_perm(const struct cred *cred,
1702 			  struct inode *inode,
1703 			  u32 perms,
1704 			  struct common_audit_data *adp)
1705 {
1706 	struct inode_security_struct *isec;
1707 	u32 sid;
1708 
1709 	validate_creds(cred);
1710 
1711 	if (unlikely(IS_PRIVATE(inode)))
1712 		return 0;
1713 
1714 	sid = cred_sid(cred);
1715 	isec = inode->i_security;
1716 
1717 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1718 }
1719 
1720 /* Same as inode_has_perm, but pass explicit audit data containing
1721    the dentry to help the auditing code to more easily generate the
1722    pathname if needed. */
1723 static inline int dentry_has_perm(const struct cred *cred,
1724 				  struct dentry *dentry,
1725 				  u32 av)
1726 {
1727 	struct inode *inode = d_backing_inode(dentry);
1728 	struct common_audit_data ad;
1729 
1730 	ad.type = LSM_AUDIT_DATA_DENTRY;
1731 	ad.u.dentry = dentry;
1732 	__inode_security_revalidate(inode, dentry, true);
1733 	return inode_has_perm(cred, inode, av, &ad);
1734 }
1735 
1736 /* Same as inode_has_perm, but pass explicit audit data containing
1737    the path to help the auditing code to more easily generate the
1738    pathname if needed. */
1739 static inline int path_has_perm(const struct cred *cred,
1740 				const struct path *path,
1741 				u32 av)
1742 {
1743 	struct inode *inode = d_backing_inode(path->dentry);
1744 	struct common_audit_data ad;
1745 
1746 	ad.type = LSM_AUDIT_DATA_PATH;
1747 	ad.u.path = *path;
1748 	__inode_security_revalidate(inode, path->dentry, true);
1749 	return inode_has_perm(cred, inode, av, &ad);
1750 }
1751 
1752 /* Same as path_has_perm, but uses the inode from the file struct. */
1753 static inline int file_path_has_perm(const struct cred *cred,
1754 				     struct file *file,
1755 				     u32 av)
1756 {
1757 	struct common_audit_data ad;
1758 
1759 	ad.type = LSM_AUDIT_DATA_FILE;
1760 	ad.u.file = file;
1761 	return inode_has_perm(cred, file_inode(file), av, &ad);
1762 }
1763 
1764 /* Check whether a task can use an open file descriptor to
1765    access an inode in a given way.  Check access to the
1766    descriptor itself, and then use dentry_has_perm to
1767    check a particular permission to the file.
1768    Access to the descriptor is implicitly granted if it
1769    has the same SID as the process.  If av is zero, then
1770    access to the file is not checked, e.g. for cases
1771    where only the descriptor is affected like seek. */
1772 static int file_has_perm(const struct cred *cred,
1773 			 struct file *file,
1774 			 u32 av)
1775 {
1776 	struct file_security_struct *fsec = file->f_security;
1777 	struct inode *inode = file_inode(file);
1778 	struct common_audit_data ad;
1779 	u32 sid = cred_sid(cred);
1780 	int rc;
1781 
1782 	ad.type = LSM_AUDIT_DATA_FILE;
1783 	ad.u.file = file;
1784 
1785 	if (sid != fsec->sid) {
1786 		rc = avc_has_perm(sid, fsec->sid,
1787 				  SECCLASS_FD,
1788 				  FD__USE,
1789 				  &ad);
1790 		if (rc)
1791 			goto out;
1792 	}
1793 
1794 	/* av is zero if only checking access to the descriptor. */
1795 	rc = 0;
1796 	if (av)
1797 		rc = inode_has_perm(cred, inode, av, &ad);
1798 
1799 out:
1800 	return rc;
1801 }
1802 
1803 /*
1804  * Determine the label for an inode that might be unioned.
1805  */
1806 static int
1807 selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 				 struct inode *dir,
1809 				 const struct qstr *name, u16 tclass,
1810 				 u32 *_new_isid)
1811 {
1812 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1813 
1814 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1815 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1816 		*_new_isid = sbsec->mntpoint_sid;
1817 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1818 		   tsec->create_sid) {
1819 		*_new_isid = tsec->create_sid;
1820 	} else {
1821 		const struct inode_security_struct *dsec = inode_security(dir);
1822 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1823 					       name, _new_isid);
1824 	}
1825 
1826 	return 0;
1827 }
1828 
1829 /* Check whether a task can create a file. */
1830 static int may_create(struct inode *dir,
1831 		      struct dentry *dentry,
1832 		      u16 tclass)
1833 {
1834 	const struct task_security_struct *tsec = current_security();
1835 	struct inode_security_struct *dsec;
1836 	struct superblock_security_struct *sbsec;
1837 	u32 sid, newsid;
1838 	struct common_audit_data ad;
1839 	int rc;
1840 
1841 	dsec = inode_security(dir);
1842 	sbsec = dir->i_sb->s_security;
1843 
1844 	sid = tsec->sid;
1845 
1846 	ad.type = LSM_AUDIT_DATA_DENTRY;
1847 	ad.u.dentry = dentry;
1848 
1849 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1850 			  DIR__ADD_NAME | DIR__SEARCH,
1851 			  &ad);
1852 	if (rc)
1853 		return rc;
1854 
1855 	rc = selinux_determine_inode_label(current_security(), dir,
1856 					   &dentry->d_name, tclass, &newsid);
1857 	if (rc)
1858 		return rc;
1859 
1860 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1861 	if (rc)
1862 		return rc;
1863 
1864 	return avc_has_perm(newsid, sbsec->sid,
1865 			    SECCLASS_FILESYSTEM,
1866 			    FILESYSTEM__ASSOCIATE, &ad);
1867 }
1868 
1869 /* Check whether a task can create a key. */
1870 static int may_create_key(u32 ksid,
1871 			  struct task_struct *ctx)
1872 {
1873 	u32 sid = task_sid(ctx);
1874 
1875 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1876 }
1877 
1878 #define MAY_LINK	0
1879 #define MAY_UNLINK	1
1880 #define MAY_RMDIR	2
1881 
1882 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1883 static int may_link(struct inode *dir,
1884 		    struct dentry *dentry,
1885 		    int kind)
1886 
1887 {
1888 	struct inode_security_struct *dsec, *isec;
1889 	struct common_audit_data ad;
1890 	u32 sid = current_sid();
1891 	u32 av;
1892 	int rc;
1893 
1894 	dsec = inode_security(dir);
1895 	isec = backing_inode_security(dentry);
1896 
1897 	ad.type = LSM_AUDIT_DATA_DENTRY;
1898 	ad.u.dentry = dentry;
1899 
1900 	av = DIR__SEARCH;
1901 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1902 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1903 	if (rc)
1904 		return rc;
1905 
1906 	switch (kind) {
1907 	case MAY_LINK:
1908 		av = FILE__LINK;
1909 		break;
1910 	case MAY_UNLINK:
1911 		av = FILE__UNLINK;
1912 		break;
1913 	case MAY_RMDIR:
1914 		av = DIR__RMDIR;
1915 		break;
1916 	default:
1917 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1918 			__func__, kind);
1919 		return 0;
1920 	}
1921 
1922 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1923 	return rc;
1924 }
1925 
1926 static inline int may_rename(struct inode *old_dir,
1927 			     struct dentry *old_dentry,
1928 			     struct inode *new_dir,
1929 			     struct dentry *new_dentry)
1930 {
1931 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1932 	struct common_audit_data ad;
1933 	u32 sid = current_sid();
1934 	u32 av;
1935 	int old_is_dir, new_is_dir;
1936 	int rc;
1937 
1938 	old_dsec = inode_security(old_dir);
1939 	old_isec = backing_inode_security(old_dentry);
1940 	old_is_dir = d_is_dir(old_dentry);
1941 	new_dsec = inode_security(new_dir);
1942 
1943 	ad.type = LSM_AUDIT_DATA_DENTRY;
1944 
1945 	ad.u.dentry = old_dentry;
1946 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1947 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1948 	if (rc)
1949 		return rc;
1950 	rc = avc_has_perm(sid, old_isec->sid,
1951 			  old_isec->sclass, FILE__RENAME, &ad);
1952 	if (rc)
1953 		return rc;
1954 	if (old_is_dir && new_dir != old_dir) {
1955 		rc = avc_has_perm(sid, old_isec->sid,
1956 				  old_isec->sclass, DIR__REPARENT, &ad);
1957 		if (rc)
1958 			return rc;
1959 	}
1960 
1961 	ad.u.dentry = new_dentry;
1962 	av = DIR__ADD_NAME | DIR__SEARCH;
1963 	if (d_is_positive(new_dentry))
1964 		av |= DIR__REMOVE_NAME;
1965 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1966 	if (rc)
1967 		return rc;
1968 	if (d_is_positive(new_dentry)) {
1969 		new_isec = backing_inode_security(new_dentry);
1970 		new_is_dir = d_is_dir(new_dentry);
1971 		rc = avc_has_perm(sid, new_isec->sid,
1972 				  new_isec->sclass,
1973 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1974 		if (rc)
1975 			return rc;
1976 	}
1977 
1978 	return 0;
1979 }
1980 
1981 /* Check whether a task can perform a filesystem operation. */
1982 static int superblock_has_perm(const struct cred *cred,
1983 			       struct super_block *sb,
1984 			       u32 perms,
1985 			       struct common_audit_data *ad)
1986 {
1987 	struct superblock_security_struct *sbsec;
1988 	u32 sid = cred_sid(cred);
1989 
1990 	sbsec = sb->s_security;
1991 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1992 }
1993 
1994 /* Convert a Linux mode and permission mask to an access vector. */
1995 static inline u32 file_mask_to_av(int mode, int mask)
1996 {
1997 	u32 av = 0;
1998 
1999 	if (!S_ISDIR(mode)) {
2000 		if (mask & MAY_EXEC)
2001 			av |= FILE__EXECUTE;
2002 		if (mask & MAY_READ)
2003 			av |= FILE__READ;
2004 
2005 		if (mask & MAY_APPEND)
2006 			av |= FILE__APPEND;
2007 		else if (mask & MAY_WRITE)
2008 			av |= FILE__WRITE;
2009 
2010 	} else {
2011 		if (mask & MAY_EXEC)
2012 			av |= DIR__SEARCH;
2013 		if (mask & MAY_WRITE)
2014 			av |= DIR__WRITE;
2015 		if (mask & MAY_READ)
2016 			av |= DIR__READ;
2017 	}
2018 
2019 	return av;
2020 }
2021 
2022 /* Convert a Linux file to an access vector. */
2023 static inline u32 file_to_av(struct file *file)
2024 {
2025 	u32 av = 0;
2026 
2027 	if (file->f_mode & FMODE_READ)
2028 		av |= FILE__READ;
2029 	if (file->f_mode & FMODE_WRITE) {
2030 		if (file->f_flags & O_APPEND)
2031 			av |= FILE__APPEND;
2032 		else
2033 			av |= FILE__WRITE;
2034 	}
2035 	if (!av) {
2036 		/*
2037 		 * Special file opened with flags 3 for ioctl-only use.
2038 		 */
2039 		av = FILE__IOCTL;
2040 	}
2041 
2042 	return av;
2043 }
2044 
2045 /*
2046  * Convert a file to an access vector and include the correct open
2047  * open permission.
2048  */
2049 static inline u32 open_file_to_av(struct file *file)
2050 {
2051 	u32 av = file_to_av(file);
2052 
2053 	if (selinux_policycap_openperm)
2054 		av |= FILE__OPEN;
2055 
2056 	return av;
2057 }
2058 
2059 /* Hook functions begin here. */
2060 
2061 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2062 {
2063 	u32 mysid = current_sid();
2064 	u32 mgrsid = task_sid(mgr);
2065 
2066 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2067 			    BINDER__SET_CONTEXT_MGR, NULL);
2068 }
2069 
2070 static int selinux_binder_transaction(struct task_struct *from,
2071 				      struct task_struct *to)
2072 {
2073 	u32 mysid = current_sid();
2074 	u32 fromsid = task_sid(from);
2075 	u32 tosid = task_sid(to);
2076 	int rc;
2077 
2078 	if (mysid != fromsid) {
2079 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2080 				  BINDER__IMPERSONATE, NULL);
2081 		if (rc)
2082 			return rc;
2083 	}
2084 
2085 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2086 			    NULL);
2087 }
2088 
2089 static int selinux_binder_transfer_binder(struct task_struct *from,
2090 					  struct task_struct *to)
2091 {
2092 	u32 fromsid = task_sid(from);
2093 	u32 tosid = task_sid(to);
2094 
2095 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2096 			    NULL);
2097 }
2098 
2099 static int selinux_binder_transfer_file(struct task_struct *from,
2100 					struct task_struct *to,
2101 					struct file *file)
2102 {
2103 	u32 sid = task_sid(to);
2104 	struct file_security_struct *fsec = file->f_security;
2105 	struct dentry *dentry = file->f_path.dentry;
2106 	struct inode_security_struct *isec;
2107 	struct common_audit_data ad;
2108 	int rc;
2109 
2110 	ad.type = LSM_AUDIT_DATA_PATH;
2111 	ad.u.path = file->f_path;
2112 
2113 	if (sid != fsec->sid) {
2114 		rc = avc_has_perm(sid, fsec->sid,
2115 				  SECCLASS_FD,
2116 				  FD__USE,
2117 				  &ad);
2118 		if (rc)
2119 			return rc;
2120 	}
2121 
2122 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2123 		return 0;
2124 
2125 	isec = backing_inode_security(dentry);
2126 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2127 			    &ad);
2128 }
2129 
2130 static int selinux_ptrace_access_check(struct task_struct *child,
2131 				     unsigned int mode)
2132 {
2133 	if (mode & PTRACE_MODE_READ) {
2134 		u32 sid = current_sid();
2135 		u32 csid = task_sid(child);
2136 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2137 	}
2138 
2139 	return current_has_perm(child, PROCESS__PTRACE);
2140 }
2141 
2142 static int selinux_ptrace_traceme(struct task_struct *parent)
2143 {
2144 	return task_has_perm(parent, current, PROCESS__PTRACE);
2145 }
2146 
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 	return current_has_perm(target, PROCESS__GETCAP);
2151 }
2152 
2153 static int selinux_capset(struct cred *new, const struct cred *old,
2154 			  const kernel_cap_t *effective,
2155 			  const kernel_cap_t *inheritable,
2156 			  const kernel_cap_t *permitted)
2157 {
2158 	return cred_has_perm(old, new, PROCESS__SETCAP);
2159 }
2160 
2161 /*
2162  * (This comment used to live with the selinux_task_setuid hook,
2163  * which was removed).
2164  *
2165  * Since setuid only affects the current process, and since the SELinux
2166  * controls are not based on the Linux identity attributes, SELinux does not
2167  * need to control this operation.  However, SELinux does control the use of
2168  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2169  */
2170 
2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2172 			   int cap, int audit)
2173 {
2174 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2175 }
2176 
2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2178 {
2179 	const struct cred *cred = current_cred();
2180 	int rc = 0;
2181 
2182 	if (!sb)
2183 		return 0;
2184 
2185 	switch (cmds) {
2186 	case Q_SYNC:
2187 	case Q_QUOTAON:
2188 	case Q_QUOTAOFF:
2189 	case Q_SETINFO:
2190 	case Q_SETQUOTA:
2191 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2192 		break;
2193 	case Q_GETFMT:
2194 	case Q_GETINFO:
2195 	case Q_GETQUOTA:
2196 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2197 		break;
2198 	default:
2199 		rc = 0;  /* let the kernel handle invalid cmds */
2200 		break;
2201 	}
2202 	return rc;
2203 }
2204 
2205 static int selinux_quota_on(struct dentry *dentry)
2206 {
2207 	const struct cred *cred = current_cred();
2208 
2209 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2210 }
2211 
2212 static int selinux_syslog(int type)
2213 {
2214 	int rc;
2215 
2216 	switch (type) {
2217 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2218 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2219 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2220 		break;
2221 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2222 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2223 	/* Set level of messages printed to console */
2224 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2225 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2226 		break;
2227 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2228 	case SYSLOG_ACTION_OPEN:	/* Open log */
2229 	case SYSLOG_ACTION_READ:	/* Read from log */
2230 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2231 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2232 	default:
2233 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2234 		break;
2235 	}
2236 	return rc;
2237 }
2238 
2239 /*
2240  * Check that a process has enough memory to allocate a new virtual
2241  * mapping. 0 means there is enough memory for the allocation to
2242  * succeed and -ENOMEM implies there is not.
2243  *
2244  * Do not audit the selinux permission check, as this is applied to all
2245  * processes that allocate mappings.
2246  */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249 	int rc, cap_sys_admin = 0;
2250 
2251 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252 				 SECURITY_CAP_NOAUDIT, true);
2253 	if (rc == 0)
2254 		cap_sys_admin = 1;
2255 
2256 	return cap_sys_admin;
2257 }
2258 
2259 /* binprm security operations */
2260 
2261 static u32 ptrace_parent_sid(struct task_struct *task)
2262 {
2263 	u32 sid = 0;
2264 	struct task_struct *tracer;
2265 
2266 	rcu_read_lock();
2267 	tracer = ptrace_parent(task);
2268 	if (tracer)
2269 		sid = task_sid(tracer);
2270 	rcu_read_unlock();
2271 
2272 	return sid;
2273 }
2274 
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 			    const struct task_security_struct *old_tsec,
2277 			    const struct task_security_struct *new_tsec)
2278 {
2279 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281 	int rc;
2282 
2283 	if (!nnp && !nosuid)
2284 		return 0; /* neither NNP nor nosuid */
2285 
2286 	if (new_tsec->sid == old_tsec->sid)
2287 		return 0; /* No change in credentials */
2288 
2289 	/*
2290 	 * The only transitions we permit under NNP or nosuid
2291 	 * are transitions to bounded SIDs, i.e. SIDs that are
2292 	 * guaranteed to only be allowed a subset of the permissions
2293 	 * of the current SID.
2294 	 */
2295 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2296 	if (rc) {
2297 		/*
2298 		 * On failure, preserve the errno values for NNP vs nosuid.
2299 		 * NNP:  Operation not permitted for caller.
2300 		 * nosuid:  Permission denied to file.
2301 		 */
2302 		if (nnp)
2303 			return -EPERM;
2304 		else
2305 			return -EACCES;
2306 	}
2307 	return 0;
2308 }
2309 
2310 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2311 {
2312 	const struct task_security_struct *old_tsec;
2313 	struct task_security_struct *new_tsec;
2314 	struct inode_security_struct *isec;
2315 	struct common_audit_data ad;
2316 	struct inode *inode = file_inode(bprm->file);
2317 	int rc;
2318 
2319 	/* SELinux context only depends on initial program or script and not
2320 	 * the script interpreter */
2321 	if (bprm->cred_prepared)
2322 		return 0;
2323 
2324 	old_tsec = current_security();
2325 	new_tsec = bprm->cred->security;
2326 	isec = inode_security(inode);
2327 
2328 	/* Default to the current task SID. */
2329 	new_tsec->sid = old_tsec->sid;
2330 	new_tsec->osid = old_tsec->sid;
2331 
2332 	/* Reset fs, key, and sock SIDs on execve. */
2333 	new_tsec->create_sid = 0;
2334 	new_tsec->keycreate_sid = 0;
2335 	new_tsec->sockcreate_sid = 0;
2336 
2337 	if (old_tsec->exec_sid) {
2338 		new_tsec->sid = old_tsec->exec_sid;
2339 		/* Reset exec SID on execve. */
2340 		new_tsec->exec_sid = 0;
2341 
2342 		/* Fail on NNP or nosuid if not an allowed transition. */
2343 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2344 		if (rc)
2345 			return rc;
2346 	} else {
2347 		/* Check for a default transition on this program. */
2348 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2349 					     SECCLASS_PROCESS, NULL,
2350 					     &new_tsec->sid);
2351 		if (rc)
2352 			return rc;
2353 
2354 		/*
2355 		 * Fallback to old SID on NNP or nosuid if not an allowed
2356 		 * transition.
2357 		 */
2358 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2359 		if (rc)
2360 			new_tsec->sid = old_tsec->sid;
2361 	}
2362 
2363 	ad.type = LSM_AUDIT_DATA_FILE;
2364 	ad.u.file = bprm->file;
2365 
2366 	if (new_tsec->sid == old_tsec->sid) {
2367 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2368 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2369 		if (rc)
2370 			return rc;
2371 	} else {
2372 		/* Check permissions for the transition. */
2373 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2374 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2375 		if (rc)
2376 			return rc;
2377 
2378 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2379 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2380 		if (rc)
2381 			return rc;
2382 
2383 		/* Check for shared state */
2384 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2385 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2386 					  SECCLASS_PROCESS, PROCESS__SHARE,
2387 					  NULL);
2388 			if (rc)
2389 				return -EPERM;
2390 		}
2391 
2392 		/* Make sure that anyone attempting to ptrace over a task that
2393 		 * changes its SID has the appropriate permit */
2394 		if (bprm->unsafe &
2395 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2396 			u32 ptsid = ptrace_parent_sid(current);
2397 			if (ptsid != 0) {
2398 				rc = avc_has_perm(ptsid, new_tsec->sid,
2399 						  SECCLASS_PROCESS,
2400 						  PROCESS__PTRACE, NULL);
2401 				if (rc)
2402 					return -EPERM;
2403 			}
2404 		}
2405 
2406 		/* Clear any possibly unsafe personality bits on exec: */
2407 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2408 	}
2409 
2410 	return 0;
2411 }
2412 
2413 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2414 {
2415 	const struct task_security_struct *tsec = current_security();
2416 	u32 sid, osid;
2417 	int atsecure = 0;
2418 
2419 	sid = tsec->sid;
2420 	osid = tsec->osid;
2421 
2422 	if (osid != sid) {
2423 		/* Enable secure mode for SIDs transitions unless
2424 		   the noatsecure permission is granted between
2425 		   the two SIDs, i.e. ahp returns 0. */
2426 		atsecure = avc_has_perm(osid, sid,
2427 					SECCLASS_PROCESS,
2428 					PROCESS__NOATSECURE, NULL);
2429 	}
2430 
2431 	return !!atsecure;
2432 }
2433 
2434 static int match_file(const void *p, struct file *file, unsigned fd)
2435 {
2436 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2437 }
2438 
2439 /* Derived from fs/exec.c:flush_old_files. */
2440 static inline void flush_unauthorized_files(const struct cred *cred,
2441 					    struct files_struct *files)
2442 {
2443 	struct file *file, *devnull = NULL;
2444 	struct tty_struct *tty;
2445 	int drop_tty = 0;
2446 	unsigned n;
2447 
2448 	tty = get_current_tty();
2449 	if (tty) {
2450 		spin_lock(&tty->files_lock);
2451 		if (!list_empty(&tty->tty_files)) {
2452 			struct tty_file_private *file_priv;
2453 
2454 			/* Revalidate access to controlling tty.
2455 			   Use file_path_has_perm on the tty path directly
2456 			   rather than using file_has_perm, as this particular
2457 			   open file may belong to another process and we are
2458 			   only interested in the inode-based check here. */
2459 			file_priv = list_first_entry(&tty->tty_files,
2460 						struct tty_file_private, list);
2461 			file = file_priv->file;
2462 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2463 				drop_tty = 1;
2464 		}
2465 		spin_unlock(&tty->files_lock);
2466 		tty_kref_put(tty);
2467 	}
2468 	/* Reset controlling tty. */
2469 	if (drop_tty)
2470 		no_tty();
2471 
2472 	/* Revalidate access to inherited open files. */
2473 	n = iterate_fd(files, 0, match_file, cred);
2474 	if (!n) /* none found? */
2475 		return;
2476 
2477 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2478 	if (IS_ERR(devnull))
2479 		devnull = NULL;
2480 	/* replace all the matching ones with this */
2481 	do {
2482 		replace_fd(n - 1, devnull, 0);
2483 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2484 	if (devnull)
2485 		fput(devnull);
2486 }
2487 
2488 /*
2489  * Prepare a process for imminent new credential changes due to exec
2490  */
2491 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2492 {
2493 	struct task_security_struct *new_tsec;
2494 	struct rlimit *rlim, *initrlim;
2495 	int rc, i;
2496 
2497 	new_tsec = bprm->cred->security;
2498 	if (new_tsec->sid == new_tsec->osid)
2499 		return;
2500 
2501 	/* Close files for which the new task SID is not authorized. */
2502 	flush_unauthorized_files(bprm->cred, current->files);
2503 
2504 	/* Always clear parent death signal on SID transitions. */
2505 	current->pdeath_signal = 0;
2506 
2507 	/* Check whether the new SID can inherit resource limits from the old
2508 	 * SID.  If not, reset all soft limits to the lower of the current
2509 	 * task's hard limit and the init task's soft limit.
2510 	 *
2511 	 * Note that the setting of hard limits (even to lower them) can be
2512 	 * controlled by the setrlimit check.  The inclusion of the init task's
2513 	 * soft limit into the computation is to avoid resetting soft limits
2514 	 * higher than the default soft limit for cases where the default is
2515 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2516 	 */
2517 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2518 			  PROCESS__RLIMITINH, NULL);
2519 	if (rc) {
2520 		/* protect against do_prlimit() */
2521 		task_lock(current);
2522 		for (i = 0; i < RLIM_NLIMITS; i++) {
2523 			rlim = current->signal->rlim + i;
2524 			initrlim = init_task.signal->rlim + i;
2525 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2526 		}
2527 		task_unlock(current);
2528 		update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2529 	}
2530 }
2531 
2532 /*
2533  * Clean up the process immediately after the installation of new credentials
2534  * due to exec
2535  */
2536 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2537 {
2538 	const struct task_security_struct *tsec = current_security();
2539 	struct itimerval itimer;
2540 	u32 osid, sid;
2541 	int rc, i;
2542 
2543 	osid = tsec->osid;
2544 	sid = tsec->sid;
2545 
2546 	if (sid == osid)
2547 		return;
2548 
2549 	/* Check whether the new SID can inherit signal state from the old SID.
2550 	 * If not, clear itimers to avoid subsequent signal generation and
2551 	 * flush and unblock signals.
2552 	 *
2553 	 * This must occur _after_ the task SID has been updated so that any
2554 	 * kill done after the flush will be checked against the new SID.
2555 	 */
2556 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2557 	if (rc) {
2558 		memset(&itimer, 0, sizeof itimer);
2559 		for (i = 0; i < 3; i++)
2560 			do_setitimer(i, &itimer, NULL);
2561 		spin_lock_irq(&current->sighand->siglock);
2562 		if (!fatal_signal_pending(current)) {
2563 			flush_sigqueue(&current->pending);
2564 			flush_sigqueue(&current->signal->shared_pending);
2565 			flush_signal_handlers(current, 1);
2566 			sigemptyset(&current->blocked);
2567 			recalc_sigpending();
2568 		}
2569 		spin_unlock_irq(&current->sighand->siglock);
2570 	}
2571 
2572 	/* Wake up the parent if it is waiting so that it can recheck
2573 	 * wait permission to the new task SID. */
2574 	read_lock(&tasklist_lock);
2575 	__wake_up_parent(current, current->real_parent);
2576 	read_unlock(&tasklist_lock);
2577 }
2578 
2579 /* superblock security operations */
2580 
2581 static int selinux_sb_alloc_security(struct super_block *sb)
2582 {
2583 	return superblock_alloc_security(sb);
2584 }
2585 
2586 static void selinux_sb_free_security(struct super_block *sb)
2587 {
2588 	superblock_free_security(sb);
2589 }
2590 
2591 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2592 {
2593 	if (plen > olen)
2594 		return 0;
2595 
2596 	return !memcmp(prefix, option, plen);
2597 }
2598 
2599 static inline int selinux_option(char *option, int len)
2600 {
2601 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2602 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2603 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2604 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2605 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2606 }
2607 
2608 static inline void take_option(char **to, char *from, int *first, int len)
2609 {
2610 	if (!*first) {
2611 		**to = ',';
2612 		*to += 1;
2613 	} else
2614 		*first = 0;
2615 	memcpy(*to, from, len);
2616 	*to += len;
2617 }
2618 
2619 static inline void take_selinux_option(char **to, char *from, int *first,
2620 				       int len)
2621 {
2622 	int current_size = 0;
2623 
2624 	if (!*first) {
2625 		**to = '|';
2626 		*to += 1;
2627 	} else
2628 		*first = 0;
2629 
2630 	while (current_size < len) {
2631 		if (*from != '"') {
2632 			**to = *from;
2633 			*to += 1;
2634 		}
2635 		from += 1;
2636 		current_size += 1;
2637 	}
2638 }
2639 
2640 static int selinux_sb_copy_data(char *orig, char *copy)
2641 {
2642 	int fnosec, fsec, rc = 0;
2643 	char *in_save, *in_curr, *in_end;
2644 	char *sec_curr, *nosec_save, *nosec;
2645 	int open_quote = 0;
2646 
2647 	in_curr = orig;
2648 	sec_curr = copy;
2649 
2650 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2651 	if (!nosec) {
2652 		rc = -ENOMEM;
2653 		goto out;
2654 	}
2655 
2656 	nosec_save = nosec;
2657 	fnosec = fsec = 1;
2658 	in_save = in_end = orig;
2659 
2660 	do {
2661 		if (*in_end == '"')
2662 			open_quote = !open_quote;
2663 		if ((*in_end == ',' && open_quote == 0) ||
2664 				*in_end == '\0') {
2665 			int len = in_end - in_curr;
2666 
2667 			if (selinux_option(in_curr, len))
2668 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2669 			else
2670 				take_option(&nosec, in_curr, &fnosec, len);
2671 
2672 			in_curr = in_end + 1;
2673 		}
2674 	} while (*in_end++);
2675 
2676 	strcpy(in_save, nosec_save);
2677 	free_page((unsigned long)nosec_save);
2678 out:
2679 	return rc;
2680 }
2681 
2682 static int selinux_sb_remount(struct super_block *sb, void *data)
2683 {
2684 	int rc, i, *flags;
2685 	struct security_mnt_opts opts;
2686 	char *secdata, **mount_options;
2687 	struct superblock_security_struct *sbsec = sb->s_security;
2688 
2689 	if (!(sbsec->flags & SE_SBINITIALIZED))
2690 		return 0;
2691 
2692 	if (!data)
2693 		return 0;
2694 
2695 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2696 		return 0;
2697 
2698 	security_init_mnt_opts(&opts);
2699 	secdata = alloc_secdata();
2700 	if (!secdata)
2701 		return -ENOMEM;
2702 	rc = selinux_sb_copy_data(data, secdata);
2703 	if (rc)
2704 		goto out_free_secdata;
2705 
2706 	rc = selinux_parse_opts_str(secdata, &opts);
2707 	if (rc)
2708 		goto out_free_secdata;
2709 
2710 	mount_options = opts.mnt_opts;
2711 	flags = opts.mnt_opts_flags;
2712 
2713 	for (i = 0; i < opts.num_mnt_opts; i++) {
2714 		u32 sid;
2715 
2716 		if (flags[i] == SBLABEL_MNT)
2717 			continue;
2718 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2719 		if (rc) {
2720 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2721 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2722 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2723 			goto out_free_opts;
2724 		}
2725 		rc = -EINVAL;
2726 		switch (flags[i]) {
2727 		case FSCONTEXT_MNT:
2728 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2729 				goto out_bad_option;
2730 			break;
2731 		case CONTEXT_MNT:
2732 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2733 				goto out_bad_option;
2734 			break;
2735 		case ROOTCONTEXT_MNT: {
2736 			struct inode_security_struct *root_isec;
2737 			root_isec = backing_inode_security(sb->s_root);
2738 
2739 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2740 				goto out_bad_option;
2741 			break;
2742 		}
2743 		case DEFCONTEXT_MNT:
2744 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2745 				goto out_bad_option;
2746 			break;
2747 		default:
2748 			goto out_free_opts;
2749 		}
2750 	}
2751 
2752 	rc = 0;
2753 out_free_opts:
2754 	security_free_mnt_opts(&opts);
2755 out_free_secdata:
2756 	free_secdata(secdata);
2757 	return rc;
2758 out_bad_option:
2759 	printk(KERN_WARNING "SELinux: unable to change security options "
2760 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2761 	       sb->s_type->name);
2762 	goto out_free_opts;
2763 }
2764 
2765 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2766 {
2767 	const struct cred *cred = current_cred();
2768 	struct common_audit_data ad;
2769 	int rc;
2770 
2771 	rc = superblock_doinit(sb, data);
2772 	if (rc)
2773 		return rc;
2774 
2775 	/* Allow all mounts performed by the kernel */
2776 	if (flags & MS_KERNMOUNT)
2777 		return 0;
2778 
2779 	ad.type = LSM_AUDIT_DATA_DENTRY;
2780 	ad.u.dentry = sb->s_root;
2781 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2782 }
2783 
2784 static int selinux_sb_statfs(struct dentry *dentry)
2785 {
2786 	const struct cred *cred = current_cred();
2787 	struct common_audit_data ad;
2788 
2789 	ad.type = LSM_AUDIT_DATA_DENTRY;
2790 	ad.u.dentry = dentry->d_sb->s_root;
2791 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2792 }
2793 
2794 static int selinux_mount(const char *dev_name,
2795 			 const struct path *path,
2796 			 const char *type,
2797 			 unsigned long flags,
2798 			 void *data)
2799 {
2800 	const struct cred *cred = current_cred();
2801 
2802 	if (flags & MS_REMOUNT)
2803 		return superblock_has_perm(cred, path->dentry->d_sb,
2804 					   FILESYSTEM__REMOUNT, NULL);
2805 	else
2806 		return path_has_perm(cred, path, FILE__MOUNTON);
2807 }
2808 
2809 static int selinux_umount(struct vfsmount *mnt, int flags)
2810 {
2811 	const struct cred *cred = current_cred();
2812 
2813 	return superblock_has_perm(cred, mnt->mnt_sb,
2814 				   FILESYSTEM__UNMOUNT, NULL);
2815 }
2816 
2817 /* inode security operations */
2818 
2819 static int selinux_inode_alloc_security(struct inode *inode)
2820 {
2821 	return inode_alloc_security(inode);
2822 }
2823 
2824 static void selinux_inode_free_security(struct inode *inode)
2825 {
2826 	inode_free_security(inode);
2827 }
2828 
2829 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2830 					const struct qstr *name, void **ctx,
2831 					u32 *ctxlen)
2832 {
2833 	u32 newsid;
2834 	int rc;
2835 
2836 	rc = selinux_determine_inode_label(current_security(),
2837 					   d_inode(dentry->d_parent), name,
2838 					   inode_mode_to_security_class(mode),
2839 					   &newsid);
2840 	if (rc)
2841 		return rc;
2842 
2843 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2844 }
2845 
2846 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2847 					  struct qstr *name,
2848 					  const struct cred *old,
2849 					  struct cred *new)
2850 {
2851 	u32 newsid;
2852 	int rc;
2853 	struct task_security_struct *tsec;
2854 
2855 	rc = selinux_determine_inode_label(old->security,
2856 					   d_inode(dentry->d_parent), name,
2857 					   inode_mode_to_security_class(mode),
2858 					   &newsid);
2859 	if (rc)
2860 		return rc;
2861 
2862 	tsec = new->security;
2863 	tsec->create_sid = newsid;
2864 	return 0;
2865 }
2866 
2867 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2868 				       const struct qstr *qstr,
2869 				       const char **name,
2870 				       void **value, size_t *len)
2871 {
2872 	const struct task_security_struct *tsec = current_security();
2873 	struct superblock_security_struct *sbsec;
2874 	u32 sid, newsid, clen;
2875 	int rc;
2876 	char *context;
2877 
2878 	sbsec = dir->i_sb->s_security;
2879 
2880 	sid = tsec->sid;
2881 	newsid = tsec->create_sid;
2882 
2883 	rc = selinux_determine_inode_label(current_security(),
2884 		dir, qstr,
2885 		inode_mode_to_security_class(inode->i_mode),
2886 		&newsid);
2887 	if (rc)
2888 		return rc;
2889 
2890 	/* Possibly defer initialization to selinux_complete_init. */
2891 	if (sbsec->flags & SE_SBINITIALIZED) {
2892 		struct inode_security_struct *isec = inode->i_security;
2893 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2894 		isec->sid = newsid;
2895 		isec->initialized = LABEL_INITIALIZED;
2896 	}
2897 
2898 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2899 		return -EOPNOTSUPP;
2900 
2901 	if (name)
2902 		*name = XATTR_SELINUX_SUFFIX;
2903 
2904 	if (value && len) {
2905 		rc = security_sid_to_context_force(newsid, &context, &clen);
2906 		if (rc)
2907 			return rc;
2908 		*value = context;
2909 		*len = clen;
2910 	}
2911 
2912 	return 0;
2913 }
2914 
2915 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2916 {
2917 	return may_create(dir, dentry, SECCLASS_FILE);
2918 }
2919 
2920 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2921 {
2922 	return may_link(dir, old_dentry, MAY_LINK);
2923 }
2924 
2925 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2926 {
2927 	return may_link(dir, dentry, MAY_UNLINK);
2928 }
2929 
2930 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2931 {
2932 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2933 }
2934 
2935 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2936 {
2937 	return may_create(dir, dentry, SECCLASS_DIR);
2938 }
2939 
2940 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2941 {
2942 	return may_link(dir, dentry, MAY_RMDIR);
2943 }
2944 
2945 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2946 {
2947 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2948 }
2949 
2950 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2951 				struct inode *new_inode, struct dentry *new_dentry)
2952 {
2953 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2954 }
2955 
2956 static int selinux_inode_readlink(struct dentry *dentry)
2957 {
2958 	const struct cred *cred = current_cred();
2959 
2960 	return dentry_has_perm(cred, dentry, FILE__READ);
2961 }
2962 
2963 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2964 				     bool rcu)
2965 {
2966 	const struct cred *cred = current_cred();
2967 	struct common_audit_data ad;
2968 	struct inode_security_struct *isec;
2969 	u32 sid;
2970 
2971 	validate_creds(cred);
2972 
2973 	ad.type = LSM_AUDIT_DATA_DENTRY;
2974 	ad.u.dentry = dentry;
2975 	sid = cred_sid(cred);
2976 	isec = inode_security_rcu(inode, rcu);
2977 	if (IS_ERR(isec))
2978 		return PTR_ERR(isec);
2979 
2980 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2981 				  rcu ? MAY_NOT_BLOCK : 0);
2982 }
2983 
2984 static noinline int audit_inode_permission(struct inode *inode,
2985 					   u32 perms, u32 audited, u32 denied,
2986 					   int result,
2987 					   unsigned flags)
2988 {
2989 	struct common_audit_data ad;
2990 	struct inode_security_struct *isec = inode->i_security;
2991 	int rc;
2992 
2993 	ad.type = LSM_AUDIT_DATA_INODE;
2994 	ad.u.inode = inode;
2995 
2996 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2997 			    audited, denied, result, &ad, flags);
2998 	if (rc)
2999 		return rc;
3000 	return 0;
3001 }
3002 
3003 static int selinux_inode_permission(struct inode *inode, int mask)
3004 {
3005 	const struct cred *cred = current_cred();
3006 	u32 perms;
3007 	bool from_access;
3008 	unsigned flags = mask & MAY_NOT_BLOCK;
3009 	struct inode_security_struct *isec;
3010 	u32 sid;
3011 	struct av_decision avd;
3012 	int rc, rc2;
3013 	u32 audited, denied;
3014 
3015 	from_access = mask & MAY_ACCESS;
3016 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3017 
3018 	/* No permission to check.  Existence test. */
3019 	if (!mask)
3020 		return 0;
3021 
3022 	validate_creds(cred);
3023 
3024 	if (unlikely(IS_PRIVATE(inode)))
3025 		return 0;
3026 
3027 	perms = file_mask_to_av(inode->i_mode, mask);
3028 
3029 	sid = cred_sid(cred);
3030 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3031 	if (IS_ERR(isec))
3032 		return PTR_ERR(isec);
3033 
3034 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3035 	audited = avc_audit_required(perms, &avd, rc,
3036 				     from_access ? FILE__AUDIT_ACCESS : 0,
3037 				     &denied);
3038 	if (likely(!audited))
3039 		return rc;
3040 
3041 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3042 	if (rc2)
3043 		return rc2;
3044 	return rc;
3045 }
3046 
3047 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3048 {
3049 	const struct cred *cred = current_cred();
3050 	unsigned int ia_valid = iattr->ia_valid;
3051 	__u32 av = FILE__WRITE;
3052 
3053 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3054 	if (ia_valid & ATTR_FORCE) {
3055 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3056 			      ATTR_FORCE);
3057 		if (!ia_valid)
3058 			return 0;
3059 	}
3060 
3061 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3062 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3063 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3064 
3065 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3066 			&& !(ia_valid & ATTR_FILE))
3067 		av |= FILE__OPEN;
3068 
3069 	return dentry_has_perm(cred, dentry, av);
3070 }
3071 
3072 static int selinux_inode_getattr(const struct path *path)
3073 {
3074 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3075 }
3076 
3077 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3078 {
3079 	const struct cred *cred = current_cred();
3080 
3081 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3082 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3083 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3084 			if (!capable(CAP_SETFCAP))
3085 				return -EPERM;
3086 		} else if (!capable(CAP_SYS_ADMIN)) {
3087 			/* A different attribute in the security namespace.
3088 			   Restrict to administrator. */
3089 			return -EPERM;
3090 		}
3091 	}
3092 
3093 	/* Not an attribute we recognize, so just check the
3094 	   ordinary setattr permission. */
3095 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3096 }
3097 
3098 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3099 				  const void *value, size_t size, int flags)
3100 {
3101 	struct inode *inode = d_backing_inode(dentry);
3102 	struct inode_security_struct *isec;
3103 	struct superblock_security_struct *sbsec;
3104 	struct common_audit_data ad;
3105 	u32 newsid, sid = current_sid();
3106 	int rc = 0;
3107 
3108 	if (strcmp(name, XATTR_NAME_SELINUX))
3109 		return selinux_inode_setotherxattr(dentry, name);
3110 
3111 	sbsec = inode->i_sb->s_security;
3112 	if (!(sbsec->flags & SBLABEL_MNT))
3113 		return -EOPNOTSUPP;
3114 
3115 	if (!inode_owner_or_capable(inode))
3116 		return -EPERM;
3117 
3118 	ad.type = LSM_AUDIT_DATA_DENTRY;
3119 	ad.u.dentry = dentry;
3120 
3121 	isec = backing_inode_security(dentry);
3122 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3123 			  FILE__RELABELFROM, &ad);
3124 	if (rc)
3125 		return rc;
3126 
3127 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3128 	if (rc == -EINVAL) {
3129 		if (!capable(CAP_MAC_ADMIN)) {
3130 			struct audit_buffer *ab;
3131 			size_t audit_size;
3132 			const char *str;
3133 
3134 			/* We strip a nul only if it is at the end, otherwise the
3135 			 * context contains a nul and we should audit that */
3136 			if (value) {
3137 				str = value;
3138 				if (str[size - 1] == '\0')
3139 					audit_size = size - 1;
3140 				else
3141 					audit_size = size;
3142 			} else {
3143 				str = "";
3144 				audit_size = 0;
3145 			}
3146 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3147 			audit_log_format(ab, "op=setxattr invalid_context=");
3148 			audit_log_n_untrustedstring(ab, value, audit_size);
3149 			audit_log_end(ab);
3150 
3151 			return rc;
3152 		}
3153 		rc = security_context_to_sid_force(value, size, &newsid);
3154 	}
3155 	if (rc)
3156 		return rc;
3157 
3158 	rc = avc_has_perm(sid, newsid, isec->sclass,
3159 			  FILE__RELABELTO, &ad);
3160 	if (rc)
3161 		return rc;
3162 
3163 	rc = security_validate_transition(isec->sid, newsid, sid,
3164 					  isec->sclass);
3165 	if (rc)
3166 		return rc;
3167 
3168 	return avc_has_perm(newsid,
3169 			    sbsec->sid,
3170 			    SECCLASS_FILESYSTEM,
3171 			    FILESYSTEM__ASSOCIATE,
3172 			    &ad);
3173 }
3174 
3175 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3176 					const void *value, size_t size,
3177 					int flags)
3178 {
3179 	struct inode *inode = d_backing_inode(dentry);
3180 	struct inode_security_struct *isec;
3181 	u32 newsid;
3182 	int rc;
3183 
3184 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3185 		/* Not an attribute we recognize, so nothing to do. */
3186 		return;
3187 	}
3188 
3189 	rc = security_context_to_sid_force(value, size, &newsid);
3190 	if (rc) {
3191 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3192 		       "for (%s, %lu), rc=%d\n",
3193 		       inode->i_sb->s_id, inode->i_ino, -rc);
3194 		return;
3195 	}
3196 
3197 	isec = backing_inode_security(dentry);
3198 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3199 	isec->sid = newsid;
3200 	isec->initialized = LABEL_INITIALIZED;
3201 
3202 	return;
3203 }
3204 
3205 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3206 {
3207 	const struct cred *cred = current_cred();
3208 
3209 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3210 }
3211 
3212 static int selinux_inode_listxattr(struct dentry *dentry)
3213 {
3214 	const struct cred *cred = current_cred();
3215 
3216 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3217 }
3218 
3219 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3220 {
3221 	if (strcmp(name, XATTR_NAME_SELINUX))
3222 		return selinux_inode_setotherxattr(dentry, name);
3223 
3224 	/* No one is allowed to remove a SELinux security label.
3225 	   You can change the label, but all data must be labeled. */
3226 	return -EACCES;
3227 }
3228 
3229 /*
3230  * Copy the inode security context value to the user.
3231  *
3232  * Permission check is handled by selinux_inode_getxattr hook.
3233  */
3234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3235 {
3236 	u32 size;
3237 	int error;
3238 	char *context = NULL;
3239 	struct inode_security_struct *isec;
3240 
3241 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3242 		return -EOPNOTSUPP;
3243 
3244 	/*
3245 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3246 	 * value even if it is not defined by current policy; otherwise,
3247 	 * use the in-core value under current policy.
3248 	 * Use the non-auditing forms of the permission checks since
3249 	 * getxattr may be called by unprivileged processes commonly
3250 	 * and lack of permission just means that we fall back to the
3251 	 * in-core context value, not a denial.
3252 	 */
3253 	error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3254 			    SECURITY_CAP_NOAUDIT);
3255 	if (!error)
3256 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3257 					    SECURITY_CAP_NOAUDIT, true);
3258 	isec = inode_security(inode);
3259 	if (!error)
3260 		error = security_sid_to_context_force(isec->sid, &context,
3261 						      &size);
3262 	else
3263 		error = security_sid_to_context(isec->sid, &context, &size);
3264 	if (error)
3265 		return error;
3266 	error = size;
3267 	if (alloc) {
3268 		*buffer = context;
3269 		goto out_nofree;
3270 	}
3271 	kfree(context);
3272 out_nofree:
3273 	return error;
3274 }
3275 
3276 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3277 				     const void *value, size_t size, int flags)
3278 {
3279 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3280 	u32 newsid;
3281 	int rc;
3282 
3283 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3284 		return -EOPNOTSUPP;
3285 
3286 	if (!value || !size)
3287 		return -EACCES;
3288 
3289 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3290 	if (rc)
3291 		return rc;
3292 
3293 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3294 	isec->sid = newsid;
3295 	isec->initialized = LABEL_INITIALIZED;
3296 	return 0;
3297 }
3298 
3299 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3300 {
3301 	const int len = sizeof(XATTR_NAME_SELINUX);
3302 	if (buffer && len <= buffer_size)
3303 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3304 	return len;
3305 }
3306 
3307 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3308 {
3309 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3310 	*secid = isec->sid;
3311 }
3312 
3313 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3314 {
3315 	u32 sid;
3316 	struct task_security_struct *tsec;
3317 	struct cred *new_creds = *new;
3318 
3319 	if (new_creds == NULL) {
3320 		new_creds = prepare_creds();
3321 		if (!new_creds)
3322 			return -ENOMEM;
3323 	}
3324 
3325 	tsec = new_creds->security;
3326 	/* Get label from overlay inode and set it in create_sid */
3327 	selinux_inode_getsecid(d_inode(src), &sid);
3328 	tsec->create_sid = sid;
3329 	*new = new_creds;
3330 	return 0;
3331 }
3332 
3333 static int selinux_inode_copy_up_xattr(const char *name)
3334 {
3335 	/* The copy_up hook above sets the initial context on an inode, but we
3336 	 * don't then want to overwrite it by blindly copying all the lower
3337 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3338 	 */
3339 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3340 		return 1; /* Discard */
3341 	/*
3342 	 * Any other attribute apart from SELINUX is not claimed, supported
3343 	 * by selinux.
3344 	 */
3345 	return -EOPNOTSUPP;
3346 }
3347 
3348 /* file security operations */
3349 
3350 static int selinux_revalidate_file_permission(struct file *file, int mask)
3351 {
3352 	const struct cred *cred = current_cred();
3353 	struct inode *inode = file_inode(file);
3354 
3355 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3356 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3357 		mask |= MAY_APPEND;
3358 
3359 	return file_has_perm(cred, file,
3360 			     file_mask_to_av(inode->i_mode, mask));
3361 }
3362 
3363 static int selinux_file_permission(struct file *file, int mask)
3364 {
3365 	struct inode *inode = file_inode(file);
3366 	struct file_security_struct *fsec = file->f_security;
3367 	struct inode_security_struct *isec;
3368 	u32 sid = current_sid();
3369 
3370 	if (!mask)
3371 		/* No permission to check.  Existence test. */
3372 		return 0;
3373 
3374 	isec = inode_security(inode);
3375 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3376 	    fsec->pseqno == avc_policy_seqno())
3377 		/* No change since file_open check. */
3378 		return 0;
3379 
3380 	return selinux_revalidate_file_permission(file, mask);
3381 }
3382 
3383 static int selinux_file_alloc_security(struct file *file)
3384 {
3385 	return file_alloc_security(file);
3386 }
3387 
3388 static void selinux_file_free_security(struct file *file)
3389 {
3390 	file_free_security(file);
3391 }
3392 
3393 /*
3394  * Check whether a task has the ioctl permission and cmd
3395  * operation to an inode.
3396  */
3397 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3398 		u32 requested, u16 cmd)
3399 {
3400 	struct common_audit_data ad;
3401 	struct file_security_struct *fsec = file->f_security;
3402 	struct inode *inode = file_inode(file);
3403 	struct inode_security_struct *isec;
3404 	struct lsm_ioctlop_audit ioctl;
3405 	u32 ssid = cred_sid(cred);
3406 	int rc;
3407 	u8 driver = cmd >> 8;
3408 	u8 xperm = cmd & 0xff;
3409 
3410 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3411 	ad.u.op = &ioctl;
3412 	ad.u.op->cmd = cmd;
3413 	ad.u.op->path = file->f_path;
3414 
3415 	if (ssid != fsec->sid) {
3416 		rc = avc_has_perm(ssid, fsec->sid,
3417 				SECCLASS_FD,
3418 				FD__USE,
3419 				&ad);
3420 		if (rc)
3421 			goto out;
3422 	}
3423 
3424 	if (unlikely(IS_PRIVATE(inode)))
3425 		return 0;
3426 
3427 	isec = inode_security(inode);
3428 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3429 			requested, driver, xperm, &ad);
3430 out:
3431 	return rc;
3432 }
3433 
3434 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3435 			      unsigned long arg)
3436 {
3437 	const struct cred *cred = current_cred();
3438 	int error = 0;
3439 
3440 	switch (cmd) {
3441 	case FIONREAD:
3442 	/* fall through */
3443 	case FIBMAP:
3444 	/* fall through */
3445 	case FIGETBSZ:
3446 	/* fall through */
3447 	case FS_IOC_GETFLAGS:
3448 	/* fall through */
3449 	case FS_IOC_GETVERSION:
3450 		error = file_has_perm(cred, file, FILE__GETATTR);
3451 		break;
3452 
3453 	case FS_IOC_SETFLAGS:
3454 	/* fall through */
3455 	case FS_IOC_SETVERSION:
3456 		error = file_has_perm(cred, file, FILE__SETATTR);
3457 		break;
3458 
3459 	/* sys_ioctl() checks */
3460 	case FIONBIO:
3461 	/* fall through */
3462 	case FIOASYNC:
3463 		error = file_has_perm(cred, file, 0);
3464 		break;
3465 
3466 	case KDSKBENT:
3467 	case KDSKBSENT:
3468 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3469 					    SECURITY_CAP_AUDIT, true);
3470 		break;
3471 
3472 	/* default case assumes that the command will go
3473 	 * to the file's ioctl() function.
3474 	 */
3475 	default:
3476 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3477 	}
3478 	return error;
3479 }
3480 
3481 static int default_noexec;
3482 
3483 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3484 {
3485 	const struct cred *cred = current_cred();
3486 	int rc = 0;
3487 
3488 	if (default_noexec &&
3489 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3490 				   (!shared && (prot & PROT_WRITE)))) {
3491 		/*
3492 		 * We are making executable an anonymous mapping or a
3493 		 * private file mapping that will also be writable.
3494 		 * This has an additional check.
3495 		 */
3496 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3497 		if (rc)
3498 			goto error;
3499 	}
3500 
3501 	if (file) {
3502 		/* read access is always possible with a mapping */
3503 		u32 av = FILE__READ;
3504 
3505 		/* write access only matters if the mapping is shared */
3506 		if (shared && (prot & PROT_WRITE))
3507 			av |= FILE__WRITE;
3508 
3509 		if (prot & PROT_EXEC)
3510 			av |= FILE__EXECUTE;
3511 
3512 		return file_has_perm(cred, file, av);
3513 	}
3514 
3515 error:
3516 	return rc;
3517 }
3518 
3519 static int selinux_mmap_addr(unsigned long addr)
3520 {
3521 	int rc = 0;
3522 
3523 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3524 		u32 sid = current_sid();
3525 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3526 				  MEMPROTECT__MMAP_ZERO, NULL);
3527 	}
3528 
3529 	return rc;
3530 }
3531 
3532 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3533 			     unsigned long prot, unsigned long flags)
3534 {
3535 	if (selinux_checkreqprot)
3536 		prot = reqprot;
3537 
3538 	return file_map_prot_check(file, prot,
3539 				   (flags & MAP_TYPE) == MAP_SHARED);
3540 }
3541 
3542 static int selinux_file_mprotect(struct vm_area_struct *vma,
3543 				 unsigned long reqprot,
3544 				 unsigned long prot)
3545 {
3546 	const struct cred *cred = current_cred();
3547 
3548 	if (selinux_checkreqprot)
3549 		prot = reqprot;
3550 
3551 	if (default_noexec &&
3552 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3553 		int rc = 0;
3554 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3555 		    vma->vm_end <= vma->vm_mm->brk) {
3556 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3557 		} else if (!vma->vm_file &&
3558 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3559 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3560 			    vma_is_stack_for_current(vma))) {
3561 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3562 		} else if (vma->vm_file && vma->anon_vma) {
3563 			/*
3564 			 * We are making executable a file mapping that has
3565 			 * had some COW done. Since pages might have been
3566 			 * written, check ability to execute the possibly
3567 			 * modified content.  This typically should only
3568 			 * occur for text relocations.
3569 			 */
3570 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3571 		}
3572 		if (rc)
3573 			return rc;
3574 	}
3575 
3576 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3577 }
3578 
3579 static int selinux_file_lock(struct file *file, unsigned int cmd)
3580 {
3581 	const struct cred *cred = current_cred();
3582 
3583 	return file_has_perm(cred, file, FILE__LOCK);
3584 }
3585 
3586 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3587 			      unsigned long arg)
3588 {
3589 	const struct cred *cred = current_cred();
3590 	int err = 0;
3591 
3592 	switch (cmd) {
3593 	case F_SETFL:
3594 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3595 			err = file_has_perm(cred, file, FILE__WRITE);
3596 			break;
3597 		}
3598 		/* fall through */
3599 	case F_SETOWN:
3600 	case F_SETSIG:
3601 	case F_GETFL:
3602 	case F_GETOWN:
3603 	case F_GETSIG:
3604 	case F_GETOWNER_UIDS:
3605 		/* Just check FD__USE permission */
3606 		err = file_has_perm(cred, file, 0);
3607 		break;
3608 	case F_GETLK:
3609 	case F_SETLK:
3610 	case F_SETLKW:
3611 	case F_OFD_GETLK:
3612 	case F_OFD_SETLK:
3613 	case F_OFD_SETLKW:
3614 #if BITS_PER_LONG == 32
3615 	case F_GETLK64:
3616 	case F_SETLK64:
3617 	case F_SETLKW64:
3618 #endif
3619 		err = file_has_perm(cred, file, FILE__LOCK);
3620 		break;
3621 	}
3622 
3623 	return err;
3624 }
3625 
3626 static void selinux_file_set_fowner(struct file *file)
3627 {
3628 	struct file_security_struct *fsec;
3629 
3630 	fsec = file->f_security;
3631 	fsec->fown_sid = current_sid();
3632 }
3633 
3634 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3635 				       struct fown_struct *fown, int signum)
3636 {
3637 	struct file *file;
3638 	u32 sid = task_sid(tsk);
3639 	u32 perm;
3640 	struct file_security_struct *fsec;
3641 
3642 	/* struct fown_struct is never outside the context of a struct file */
3643 	file = container_of(fown, struct file, f_owner);
3644 
3645 	fsec = file->f_security;
3646 
3647 	if (!signum)
3648 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3649 	else
3650 		perm = signal_to_av(signum);
3651 
3652 	return avc_has_perm(fsec->fown_sid, sid,
3653 			    SECCLASS_PROCESS, perm, NULL);
3654 }
3655 
3656 static int selinux_file_receive(struct file *file)
3657 {
3658 	const struct cred *cred = current_cred();
3659 
3660 	return file_has_perm(cred, file, file_to_av(file));
3661 }
3662 
3663 static int selinux_file_open(struct file *file, const struct cred *cred)
3664 {
3665 	struct file_security_struct *fsec;
3666 	struct inode_security_struct *isec;
3667 
3668 	fsec = file->f_security;
3669 	isec = inode_security(file_inode(file));
3670 	/*
3671 	 * Save inode label and policy sequence number
3672 	 * at open-time so that selinux_file_permission
3673 	 * can determine whether revalidation is necessary.
3674 	 * Task label is already saved in the file security
3675 	 * struct as its SID.
3676 	 */
3677 	fsec->isid = isec->sid;
3678 	fsec->pseqno = avc_policy_seqno();
3679 	/*
3680 	 * Since the inode label or policy seqno may have changed
3681 	 * between the selinux_inode_permission check and the saving
3682 	 * of state above, recheck that access is still permitted.
3683 	 * Otherwise, access might never be revalidated against the
3684 	 * new inode label or new policy.
3685 	 * This check is not redundant - do not remove.
3686 	 */
3687 	return file_path_has_perm(cred, file, open_file_to_av(file));
3688 }
3689 
3690 /* task security operations */
3691 
3692 static int selinux_task_create(unsigned long clone_flags)
3693 {
3694 	return current_has_perm(current, PROCESS__FORK);
3695 }
3696 
3697 /*
3698  * allocate the SELinux part of blank credentials
3699  */
3700 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3701 {
3702 	struct task_security_struct *tsec;
3703 
3704 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3705 	if (!tsec)
3706 		return -ENOMEM;
3707 
3708 	cred->security = tsec;
3709 	return 0;
3710 }
3711 
3712 /*
3713  * detach and free the LSM part of a set of credentials
3714  */
3715 static void selinux_cred_free(struct cred *cred)
3716 {
3717 	struct task_security_struct *tsec = cred->security;
3718 
3719 	/*
3720 	 * cred->security == NULL if security_cred_alloc_blank() or
3721 	 * security_prepare_creds() returned an error.
3722 	 */
3723 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3724 	cred->security = (void *) 0x7UL;
3725 	kfree(tsec);
3726 }
3727 
3728 /*
3729  * prepare a new set of credentials for modification
3730  */
3731 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3732 				gfp_t gfp)
3733 {
3734 	const struct task_security_struct *old_tsec;
3735 	struct task_security_struct *tsec;
3736 
3737 	old_tsec = old->security;
3738 
3739 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3740 	if (!tsec)
3741 		return -ENOMEM;
3742 
3743 	new->security = tsec;
3744 	return 0;
3745 }
3746 
3747 /*
3748  * transfer the SELinux data to a blank set of creds
3749  */
3750 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3751 {
3752 	const struct task_security_struct *old_tsec = old->security;
3753 	struct task_security_struct *tsec = new->security;
3754 
3755 	*tsec = *old_tsec;
3756 }
3757 
3758 /*
3759  * set the security data for a kernel service
3760  * - all the creation contexts are set to unlabelled
3761  */
3762 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3763 {
3764 	struct task_security_struct *tsec = new->security;
3765 	u32 sid = current_sid();
3766 	int ret;
3767 
3768 	ret = avc_has_perm(sid, secid,
3769 			   SECCLASS_KERNEL_SERVICE,
3770 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3771 			   NULL);
3772 	if (ret == 0) {
3773 		tsec->sid = secid;
3774 		tsec->create_sid = 0;
3775 		tsec->keycreate_sid = 0;
3776 		tsec->sockcreate_sid = 0;
3777 	}
3778 	return ret;
3779 }
3780 
3781 /*
3782  * set the file creation context in a security record to the same as the
3783  * objective context of the specified inode
3784  */
3785 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3786 {
3787 	struct inode_security_struct *isec = inode_security(inode);
3788 	struct task_security_struct *tsec = new->security;
3789 	u32 sid = current_sid();
3790 	int ret;
3791 
3792 	ret = avc_has_perm(sid, isec->sid,
3793 			   SECCLASS_KERNEL_SERVICE,
3794 			   KERNEL_SERVICE__CREATE_FILES_AS,
3795 			   NULL);
3796 
3797 	if (ret == 0)
3798 		tsec->create_sid = isec->sid;
3799 	return ret;
3800 }
3801 
3802 static int selinux_kernel_module_request(char *kmod_name)
3803 {
3804 	u32 sid;
3805 	struct common_audit_data ad;
3806 
3807 	sid = task_sid(current);
3808 
3809 	ad.type = LSM_AUDIT_DATA_KMOD;
3810 	ad.u.kmod_name = kmod_name;
3811 
3812 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3813 			    SYSTEM__MODULE_REQUEST, &ad);
3814 }
3815 
3816 static int selinux_kernel_module_from_file(struct file *file)
3817 {
3818 	struct common_audit_data ad;
3819 	struct inode_security_struct *isec;
3820 	struct file_security_struct *fsec;
3821 	u32 sid = current_sid();
3822 	int rc;
3823 
3824 	/* init_module */
3825 	if (file == NULL)
3826 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3827 					SYSTEM__MODULE_LOAD, NULL);
3828 
3829 	/* finit_module */
3830 
3831 	ad.type = LSM_AUDIT_DATA_FILE;
3832 	ad.u.file = file;
3833 
3834 	fsec = file->f_security;
3835 	if (sid != fsec->sid) {
3836 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3837 		if (rc)
3838 			return rc;
3839 	}
3840 
3841 	isec = inode_security(file_inode(file));
3842 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3843 				SYSTEM__MODULE_LOAD, &ad);
3844 }
3845 
3846 static int selinux_kernel_read_file(struct file *file,
3847 				    enum kernel_read_file_id id)
3848 {
3849 	int rc = 0;
3850 
3851 	switch (id) {
3852 	case READING_MODULE:
3853 		rc = selinux_kernel_module_from_file(file);
3854 		break;
3855 	default:
3856 		break;
3857 	}
3858 
3859 	return rc;
3860 }
3861 
3862 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3863 {
3864 	return current_has_perm(p, PROCESS__SETPGID);
3865 }
3866 
3867 static int selinux_task_getpgid(struct task_struct *p)
3868 {
3869 	return current_has_perm(p, PROCESS__GETPGID);
3870 }
3871 
3872 static int selinux_task_getsid(struct task_struct *p)
3873 {
3874 	return current_has_perm(p, PROCESS__GETSESSION);
3875 }
3876 
3877 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3878 {
3879 	*secid = task_sid(p);
3880 }
3881 
3882 static int selinux_task_setnice(struct task_struct *p, int nice)
3883 {
3884 	return current_has_perm(p, PROCESS__SETSCHED);
3885 }
3886 
3887 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3888 {
3889 	return current_has_perm(p, PROCESS__SETSCHED);
3890 }
3891 
3892 static int selinux_task_getioprio(struct task_struct *p)
3893 {
3894 	return current_has_perm(p, PROCESS__GETSCHED);
3895 }
3896 
3897 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3898 		struct rlimit *new_rlim)
3899 {
3900 	struct rlimit *old_rlim = p->signal->rlim + resource;
3901 
3902 	/* Control the ability to change the hard limit (whether
3903 	   lowering or raising it), so that the hard limit can
3904 	   later be used as a safe reset point for the soft limit
3905 	   upon context transitions.  See selinux_bprm_committing_creds. */
3906 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3907 		return current_has_perm(p, PROCESS__SETRLIMIT);
3908 
3909 	return 0;
3910 }
3911 
3912 static int selinux_task_setscheduler(struct task_struct *p)
3913 {
3914 	return current_has_perm(p, PROCESS__SETSCHED);
3915 }
3916 
3917 static int selinux_task_getscheduler(struct task_struct *p)
3918 {
3919 	return current_has_perm(p, PROCESS__GETSCHED);
3920 }
3921 
3922 static int selinux_task_movememory(struct task_struct *p)
3923 {
3924 	return current_has_perm(p, PROCESS__SETSCHED);
3925 }
3926 
3927 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3928 				int sig, u32 secid)
3929 {
3930 	u32 perm;
3931 	int rc;
3932 
3933 	if (!sig)
3934 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3935 	else
3936 		perm = signal_to_av(sig);
3937 	if (secid)
3938 		rc = avc_has_perm(secid, task_sid(p),
3939 				  SECCLASS_PROCESS, perm, NULL);
3940 	else
3941 		rc = current_has_perm(p, perm);
3942 	return rc;
3943 }
3944 
3945 static int selinux_task_wait(struct task_struct *p)
3946 {
3947 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3948 }
3949 
3950 static void selinux_task_to_inode(struct task_struct *p,
3951 				  struct inode *inode)
3952 {
3953 	struct inode_security_struct *isec = inode->i_security;
3954 	u32 sid = task_sid(p);
3955 
3956 	isec->sid = sid;
3957 	isec->initialized = LABEL_INITIALIZED;
3958 }
3959 
3960 /* Returns error only if unable to parse addresses */
3961 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3962 			struct common_audit_data *ad, u8 *proto)
3963 {
3964 	int offset, ihlen, ret = -EINVAL;
3965 	struct iphdr _iph, *ih;
3966 
3967 	offset = skb_network_offset(skb);
3968 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3969 	if (ih == NULL)
3970 		goto out;
3971 
3972 	ihlen = ih->ihl * 4;
3973 	if (ihlen < sizeof(_iph))
3974 		goto out;
3975 
3976 	ad->u.net->v4info.saddr = ih->saddr;
3977 	ad->u.net->v4info.daddr = ih->daddr;
3978 	ret = 0;
3979 
3980 	if (proto)
3981 		*proto = ih->protocol;
3982 
3983 	switch (ih->protocol) {
3984 	case IPPROTO_TCP: {
3985 		struct tcphdr _tcph, *th;
3986 
3987 		if (ntohs(ih->frag_off) & IP_OFFSET)
3988 			break;
3989 
3990 		offset += ihlen;
3991 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3992 		if (th == NULL)
3993 			break;
3994 
3995 		ad->u.net->sport = th->source;
3996 		ad->u.net->dport = th->dest;
3997 		break;
3998 	}
3999 
4000 	case IPPROTO_UDP: {
4001 		struct udphdr _udph, *uh;
4002 
4003 		if (ntohs(ih->frag_off) & IP_OFFSET)
4004 			break;
4005 
4006 		offset += ihlen;
4007 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4008 		if (uh == NULL)
4009 			break;
4010 
4011 		ad->u.net->sport = uh->source;
4012 		ad->u.net->dport = uh->dest;
4013 		break;
4014 	}
4015 
4016 	case IPPROTO_DCCP: {
4017 		struct dccp_hdr _dccph, *dh;
4018 
4019 		if (ntohs(ih->frag_off) & IP_OFFSET)
4020 			break;
4021 
4022 		offset += ihlen;
4023 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4024 		if (dh == NULL)
4025 			break;
4026 
4027 		ad->u.net->sport = dh->dccph_sport;
4028 		ad->u.net->dport = dh->dccph_dport;
4029 		break;
4030 	}
4031 
4032 	default:
4033 		break;
4034 	}
4035 out:
4036 	return ret;
4037 }
4038 
4039 #if IS_ENABLED(CONFIG_IPV6)
4040 
4041 /* Returns error only if unable to parse addresses */
4042 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4043 			struct common_audit_data *ad, u8 *proto)
4044 {
4045 	u8 nexthdr;
4046 	int ret = -EINVAL, offset;
4047 	struct ipv6hdr _ipv6h, *ip6;
4048 	__be16 frag_off;
4049 
4050 	offset = skb_network_offset(skb);
4051 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4052 	if (ip6 == NULL)
4053 		goto out;
4054 
4055 	ad->u.net->v6info.saddr = ip6->saddr;
4056 	ad->u.net->v6info.daddr = ip6->daddr;
4057 	ret = 0;
4058 
4059 	nexthdr = ip6->nexthdr;
4060 	offset += sizeof(_ipv6h);
4061 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4062 	if (offset < 0)
4063 		goto out;
4064 
4065 	if (proto)
4066 		*proto = nexthdr;
4067 
4068 	switch (nexthdr) {
4069 	case IPPROTO_TCP: {
4070 		struct tcphdr _tcph, *th;
4071 
4072 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4073 		if (th == NULL)
4074 			break;
4075 
4076 		ad->u.net->sport = th->source;
4077 		ad->u.net->dport = th->dest;
4078 		break;
4079 	}
4080 
4081 	case IPPROTO_UDP: {
4082 		struct udphdr _udph, *uh;
4083 
4084 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4085 		if (uh == NULL)
4086 			break;
4087 
4088 		ad->u.net->sport = uh->source;
4089 		ad->u.net->dport = uh->dest;
4090 		break;
4091 	}
4092 
4093 	case IPPROTO_DCCP: {
4094 		struct dccp_hdr _dccph, *dh;
4095 
4096 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4097 		if (dh == NULL)
4098 			break;
4099 
4100 		ad->u.net->sport = dh->dccph_sport;
4101 		ad->u.net->dport = dh->dccph_dport;
4102 		break;
4103 	}
4104 
4105 	/* includes fragments */
4106 	default:
4107 		break;
4108 	}
4109 out:
4110 	return ret;
4111 }
4112 
4113 #endif /* IPV6 */
4114 
4115 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4116 			     char **_addrp, int src, u8 *proto)
4117 {
4118 	char *addrp;
4119 	int ret;
4120 
4121 	switch (ad->u.net->family) {
4122 	case PF_INET:
4123 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4124 		if (ret)
4125 			goto parse_error;
4126 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4127 				       &ad->u.net->v4info.daddr);
4128 		goto okay;
4129 
4130 #if IS_ENABLED(CONFIG_IPV6)
4131 	case PF_INET6:
4132 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4133 		if (ret)
4134 			goto parse_error;
4135 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4136 				       &ad->u.net->v6info.daddr);
4137 		goto okay;
4138 #endif	/* IPV6 */
4139 	default:
4140 		addrp = NULL;
4141 		goto okay;
4142 	}
4143 
4144 parse_error:
4145 	printk(KERN_WARNING
4146 	       "SELinux: failure in selinux_parse_skb(),"
4147 	       " unable to parse packet\n");
4148 	return ret;
4149 
4150 okay:
4151 	if (_addrp)
4152 		*_addrp = addrp;
4153 	return 0;
4154 }
4155 
4156 /**
4157  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4158  * @skb: the packet
4159  * @family: protocol family
4160  * @sid: the packet's peer label SID
4161  *
4162  * Description:
4163  * Check the various different forms of network peer labeling and determine
4164  * the peer label/SID for the packet; most of the magic actually occurs in
4165  * the security server function security_net_peersid_cmp().  The function
4166  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4167  * or -EACCES if @sid is invalid due to inconsistencies with the different
4168  * peer labels.
4169  *
4170  */
4171 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4172 {
4173 	int err;
4174 	u32 xfrm_sid;
4175 	u32 nlbl_sid;
4176 	u32 nlbl_type;
4177 
4178 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4179 	if (unlikely(err))
4180 		return -EACCES;
4181 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4182 	if (unlikely(err))
4183 		return -EACCES;
4184 
4185 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4186 	if (unlikely(err)) {
4187 		printk(KERN_WARNING
4188 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4189 		       " unable to determine packet's peer label\n");
4190 		return -EACCES;
4191 	}
4192 
4193 	return 0;
4194 }
4195 
4196 /**
4197  * selinux_conn_sid - Determine the child socket label for a connection
4198  * @sk_sid: the parent socket's SID
4199  * @skb_sid: the packet's SID
4200  * @conn_sid: the resulting connection SID
4201  *
4202  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4203  * combined with the MLS information from @skb_sid in order to create
4204  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4205  * of @sk_sid.  Returns zero on success, negative values on failure.
4206  *
4207  */
4208 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4209 {
4210 	int err = 0;
4211 
4212 	if (skb_sid != SECSID_NULL)
4213 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4214 	else
4215 		*conn_sid = sk_sid;
4216 
4217 	return err;
4218 }
4219 
4220 /* socket security operations */
4221 
4222 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4223 				 u16 secclass, u32 *socksid)
4224 {
4225 	if (tsec->sockcreate_sid > SECSID_NULL) {
4226 		*socksid = tsec->sockcreate_sid;
4227 		return 0;
4228 	}
4229 
4230 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4231 				       socksid);
4232 }
4233 
4234 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4235 {
4236 	struct sk_security_struct *sksec = sk->sk_security;
4237 	struct common_audit_data ad;
4238 	struct lsm_network_audit net = {0,};
4239 	u32 tsid = task_sid(task);
4240 
4241 	if (sksec->sid == SECINITSID_KERNEL)
4242 		return 0;
4243 
4244 	ad.type = LSM_AUDIT_DATA_NET;
4245 	ad.u.net = &net;
4246 	ad.u.net->sk = sk;
4247 
4248 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4249 }
4250 
4251 static int selinux_socket_create(int family, int type,
4252 				 int protocol, int kern)
4253 {
4254 	const struct task_security_struct *tsec = current_security();
4255 	u32 newsid;
4256 	u16 secclass;
4257 	int rc;
4258 
4259 	if (kern)
4260 		return 0;
4261 
4262 	secclass = socket_type_to_security_class(family, type, protocol);
4263 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4264 	if (rc)
4265 		return rc;
4266 
4267 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4268 }
4269 
4270 static int selinux_socket_post_create(struct socket *sock, int family,
4271 				      int type, int protocol, int kern)
4272 {
4273 	const struct task_security_struct *tsec = current_security();
4274 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4275 	struct sk_security_struct *sksec;
4276 	int err = 0;
4277 
4278 	isec->sclass = socket_type_to_security_class(family, type, protocol);
4279 
4280 	if (kern)
4281 		isec->sid = SECINITSID_KERNEL;
4282 	else {
4283 		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4284 		if (err)
4285 			return err;
4286 	}
4287 
4288 	isec->initialized = LABEL_INITIALIZED;
4289 
4290 	if (sock->sk) {
4291 		sksec = sock->sk->sk_security;
4292 		sksec->sid = isec->sid;
4293 		sksec->sclass = isec->sclass;
4294 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4295 	}
4296 
4297 	return err;
4298 }
4299 
4300 /* Range of port numbers used to automatically bind.
4301    Need to determine whether we should perform a name_bind
4302    permission check between the socket and the port number. */
4303 
4304 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4305 {
4306 	struct sock *sk = sock->sk;
4307 	u16 family;
4308 	int err;
4309 
4310 	err = sock_has_perm(current, sk, SOCKET__BIND);
4311 	if (err)
4312 		goto out;
4313 
4314 	/*
4315 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4316 	 * Multiple address binding for SCTP is not supported yet: we just
4317 	 * check the first address now.
4318 	 */
4319 	family = sk->sk_family;
4320 	if (family == PF_INET || family == PF_INET6) {
4321 		char *addrp;
4322 		struct sk_security_struct *sksec = sk->sk_security;
4323 		struct common_audit_data ad;
4324 		struct lsm_network_audit net = {0,};
4325 		struct sockaddr_in *addr4 = NULL;
4326 		struct sockaddr_in6 *addr6 = NULL;
4327 		unsigned short snum;
4328 		u32 sid, node_perm;
4329 
4330 		if (family == PF_INET) {
4331 			addr4 = (struct sockaddr_in *)address;
4332 			snum = ntohs(addr4->sin_port);
4333 			addrp = (char *)&addr4->sin_addr.s_addr;
4334 		} else {
4335 			addr6 = (struct sockaddr_in6 *)address;
4336 			snum = ntohs(addr6->sin6_port);
4337 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4338 		}
4339 
4340 		if (snum) {
4341 			int low, high;
4342 
4343 			inet_get_local_port_range(sock_net(sk), &low, &high);
4344 
4345 			if (snum < max(PROT_SOCK, low) || snum > high) {
4346 				err = sel_netport_sid(sk->sk_protocol,
4347 						      snum, &sid);
4348 				if (err)
4349 					goto out;
4350 				ad.type = LSM_AUDIT_DATA_NET;
4351 				ad.u.net = &net;
4352 				ad.u.net->sport = htons(snum);
4353 				ad.u.net->family = family;
4354 				err = avc_has_perm(sksec->sid, sid,
4355 						   sksec->sclass,
4356 						   SOCKET__NAME_BIND, &ad);
4357 				if (err)
4358 					goto out;
4359 			}
4360 		}
4361 
4362 		switch (sksec->sclass) {
4363 		case SECCLASS_TCP_SOCKET:
4364 			node_perm = TCP_SOCKET__NODE_BIND;
4365 			break;
4366 
4367 		case SECCLASS_UDP_SOCKET:
4368 			node_perm = UDP_SOCKET__NODE_BIND;
4369 			break;
4370 
4371 		case SECCLASS_DCCP_SOCKET:
4372 			node_perm = DCCP_SOCKET__NODE_BIND;
4373 			break;
4374 
4375 		default:
4376 			node_perm = RAWIP_SOCKET__NODE_BIND;
4377 			break;
4378 		}
4379 
4380 		err = sel_netnode_sid(addrp, family, &sid);
4381 		if (err)
4382 			goto out;
4383 
4384 		ad.type = LSM_AUDIT_DATA_NET;
4385 		ad.u.net = &net;
4386 		ad.u.net->sport = htons(snum);
4387 		ad.u.net->family = family;
4388 
4389 		if (family == PF_INET)
4390 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4391 		else
4392 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4393 
4394 		err = avc_has_perm(sksec->sid, sid,
4395 				   sksec->sclass, node_perm, &ad);
4396 		if (err)
4397 			goto out;
4398 	}
4399 out:
4400 	return err;
4401 }
4402 
4403 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4404 {
4405 	struct sock *sk = sock->sk;
4406 	struct sk_security_struct *sksec = sk->sk_security;
4407 	int err;
4408 
4409 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4410 	if (err)
4411 		return err;
4412 
4413 	/*
4414 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4415 	 */
4416 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4417 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4418 		struct common_audit_data ad;
4419 		struct lsm_network_audit net = {0,};
4420 		struct sockaddr_in *addr4 = NULL;
4421 		struct sockaddr_in6 *addr6 = NULL;
4422 		unsigned short snum;
4423 		u32 sid, perm;
4424 
4425 		if (sk->sk_family == PF_INET) {
4426 			addr4 = (struct sockaddr_in *)address;
4427 			if (addrlen < sizeof(struct sockaddr_in))
4428 				return -EINVAL;
4429 			snum = ntohs(addr4->sin_port);
4430 		} else {
4431 			addr6 = (struct sockaddr_in6 *)address;
4432 			if (addrlen < SIN6_LEN_RFC2133)
4433 				return -EINVAL;
4434 			snum = ntohs(addr6->sin6_port);
4435 		}
4436 
4437 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4438 		if (err)
4439 			goto out;
4440 
4441 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4442 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4443 
4444 		ad.type = LSM_AUDIT_DATA_NET;
4445 		ad.u.net = &net;
4446 		ad.u.net->dport = htons(snum);
4447 		ad.u.net->family = sk->sk_family;
4448 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4449 		if (err)
4450 			goto out;
4451 	}
4452 
4453 	err = selinux_netlbl_socket_connect(sk, address);
4454 
4455 out:
4456 	return err;
4457 }
4458 
4459 static int selinux_socket_listen(struct socket *sock, int backlog)
4460 {
4461 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4462 }
4463 
4464 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4465 {
4466 	int err;
4467 	struct inode_security_struct *isec;
4468 	struct inode_security_struct *newisec;
4469 
4470 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4471 	if (err)
4472 		return err;
4473 
4474 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4475 
4476 	isec = inode_security_novalidate(SOCK_INODE(sock));
4477 	newisec->sclass = isec->sclass;
4478 	newisec->sid = isec->sid;
4479 	newisec->initialized = LABEL_INITIALIZED;
4480 
4481 	return 0;
4482 }
4483 
4484 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4485 				  int size)
4486 {
4487 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4488 }
4489 
4490 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4491 				  int size, int flags)
4492 {
4493 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4494 }
4495 
4496 static int selinux_socket_getsockname(struct socket *sock)
4497 {
4498 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4499 }
4500 
4501 static int selinux_socket_getpeername(struct socket *sock)
4502 {
4503 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4504 }
4505 
4506 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4507 {
4508 	int err;
4509 
4510 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4511 	if (err)
4512 		return err;
4513 
4514 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4515 }
4516 
4517 static int selinux_socket_getsockopt(struct socket *sock, int level,
4518 				     int optname)
4519 {
4520 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4521 }
4522 
4523 static int selinux_socket_shutdown(struct socket *sock, int how)
4524 {
4525 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4526 }
4527 
4528 static int selinux_socket_unix_stream_connect(struct sock *sock,
4529 					      struct sock *other,
4530 					      struct sock *newsk)
4531 {
4532 	struct sk_security_struct *sksec_sock = sock->sk_security;
4533 	struct sk_security_struct *sksec_other = other->sk_security;
4534 	struct sk_security_struct *sksec_new = newsk->sk_security;
4535 	struct common_audit_data ad;
4536 	struct lsm_network_audit net = {0,};
4537 	int err;
4538 
4539 	ad.type = LSM_AUDIT_DATA_NET;
4540 	ad.u.net = &net;
4541 	ad.u.net->sk = other;
4542 
4543 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4544 			   sksec_other->sclass,
4545 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4546 	if (err)
4547 		return err;
4548 
4549 	/* server child socket */
4550 	sksec_new->peer_sid = sksec_sock->sid;
4551 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4552 				    &sksec_new->sid);
4553 	if (err)
4554 		return err;
4555 
4556 	/* connecting socket */
4557 	sksec_sock->peer_sid = sksec_new->sid;
4558 
4559 	return 0;
4560 }
4561 
4562 static int selinux_socket_unix_may_send(struct socket *sock,
4563 					struct socket *other)
4564 {
4565 	struct sk_security_struct *ssec = sock->sk->sk_security;
4566 	struct sk_security_struct *osec = other->sk->sk_security;
4567 	struct common_audit_data ad;
4568 	struct lsm_network_audit net = {0,};
4569 
4570 	ad.type = LSM_AUDIT_DATA_NET;
4571 	ad.u.net = &net;
4572 	ad.u.net->sk = other->sk;
4573 
4574 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4575 			    &ad);
4576 }
4577 
4578 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4579 				    char *addrp, u16 family, u32 peer_sid,
4580 				    struct common_audit_data *ad)
4581 {
4582 	int err;
4583 	u32 if_sid;
4584 	u32 node_sid;
4585 
4586 	err = sel_netif_sid(ns, ifindex, &if_sid);
4587 	if (err)
4588 		return err;
4589 	err = avc_has_perm(peer_sid, if_sid,
4590 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4591 	if (err)
4592 		return err;
4593 
4594 	err = sel_netnode_sid(addrp, family, &node_sid);
4595 	if (err)
4596 		return err;
4597 	return avc_has_perm(peer_sid, node_sid,
4598 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4599 }
4600 
4601 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4602 				       u16 family)
4603 {
4604 	int err = 0;
4605 	struct sk_security_struct *sksec = sk->sk_security;
4606 	u32 sk_sid = sksec->sid;
4607 	struct common_audit_data ad;
4608 	struct lsm_network_audit net = {0,};
4609 	char *addrp;
4610 
4611 	ad.type = LSM_AUDIT_DATA_NET;
4612 	ad.u.net = &net;
4613 	ad.u.net->netif = skb->skb_iif;
4614 	ad.u.net->family = family;
4615 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4616 	if (err)
4617 		return err;
4618 
4619 	if (selinux_secmark_enabled()) {
4620 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4621 				   PACKET__RECV, &ad);
4622 		if (err)
4623 			return err;
4624 	}
4625 
4626 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4627 	if (err)
4628 		return err;
4629 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4630 
4631 	return err;
4632 }
4633 
4634 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4635 {
4636 	int err;
4637 	struct sk_security_struct *sksec = sk->sk_security;
4638 	u16 family = sk->sk_family;
4639 	u32 sk_sid = sksec->sid;
4640 	struct common_audit_data ad;
4641 	struct lsm_network_audit net = {0,};
4642 	char *addrp;
4643 	u8 secmark_active;
4644 	u8 peerlbl_active;
4645 
4646 	if (family != PF_INET && family != PF_INET6)
4647 		return 0;
4648 
4649 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4650 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4651 		family = PF_INET;
4652 
4653 	/* If any sort of compatibility mode is enabled then handoff processing
4654 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4655 	 * special handling.  We do this in an attempt to keep this function
4656 	 * as fast and as clean as possible. */
4657 	if (!selinux_policycap_netpeer)
4658 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4659 
4660 	secmark_active = selinux_secmark_enabled();
4661 	peerlbl_active = selinux_peerlbl_enabled();
4662 	if (!secmark_active && !peerlbl_active)
4663 		return 0;
4664 
4665 	ad.type = LSM_AUDIT_DATA_NET;
4666 	ad.u.net = &net;
4667 	ad.u.net->netif = skb->skb_iif;
4668 	ad.u.net->family = family;
4669 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4670 	if (err)
4671 		return err;
4672 
4673 	if (peerlbl_active) {
4674 		u32 peer_sid;
4675 
4676 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4677 		if (err)
4678 			return err;
4679 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4680 					       addrp, family, peer_sid, &ad);
4681 		if (err) {
4682 			selinux_netlbl_err(skb, family, err, 0);
4683 			return err;
4684 		}
4685 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4686 				   PEER__RECV, &ad);
4687 		if (err) {
4688 			selinux_netlbl_err(skb, family, err, 0);
4689 			return err;
4690 		}
4691 	}
4692 
4693 	if (secmark_active) {
4694 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4695 				   PACKET__RECV, &ad);
4696 		if (err)
4697 			return err;
4698 	}
4699 
4700 	return err;
4701 }
4702 
4703 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4704 					    int __user *optlen, unsigned len)
4705 {
4706 	int err = 0;
4707 	char *scontext;
4708 	u32 scontext_len;
4709 	struct sk_security_struct *sksec = sock->sk->sk_security;
4710 	u32 peer_sid = SECSID_NULL;
4711 
4712 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4713 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4714 		peer_sid = sksec->peer_sid;
4715 	if (peer_sid == SECSID_NULL)
4716 		return -ENOPROTOOPT;
4717 
4718 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4719 	if (err)
4720 		return err;
4721 
4722 	if (scontext_len > len) {
4723 		err = -ERANGE;
4724 		goto out_len;
4725 	}
4726 
4727 	if (copy_to_user(optval, scontext, scontext_len))
4728 		err = -EFAULT;
4729 
4730 out_len:
4731 	if (put_user(scontext_len, optlen))
4732 		err = -EFAULT;
4733 	kfree(scontext);
4734 	return err;
4735 }
4736 
4737 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4738 {
4739 	u32 peer_secid = SECSID_NULL;
4740 	u16 family;
4741 	struct inode_security_struct *isec;
4742 
4743 	if (skb && skb->protocol == htons(ETH_P_IP))
4744 		family = PF_INET;
4745 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4746 		family = PF_INET6;
4747 	else if (sock)
4748 		family = sock->sk->sk_family;
4749 	else
4750 		goto out;
4751 
4752 	if (sock && family == PF_UNIX) {
4753 		isec = inode_security_novalidate(SOCK_INODE(sock));
4754 		peer_secid = isec->sid;
4755 	} else if (skb)
4756 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4757 
4758 out:
4759 	*secid = peer_secid;
4760 	if (peer_secid == SECSID_NULL)
4761 		return -EINVAL;
4762 	return 0;
4763 }
4764 
4765 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4766 {
4767 	struct sk_security_struct *sksec;
4768 
4769 	sksec = kzalloc(sizeof(*sksec), priority);
4770 	if (!sksec)
4771 		return -ENOMEM;
4772 
4773 	sksec->peer_sid = SECINITSID_UNLABELED;
4774 	sksec->sid = SECINITSID_UNLABELED;
4775 	sksec->sclass = SECCLASS_SOCKET;
4776 	selinux_netlbl_sk_security_reset(sksec);
4777 	sk->sk_security = sksec;
4778 
4779 	return 0;
4780 }
4781 
4782 static void selinux_sk_free_security(struct sock *sk)
4783 {
4784 	struct sk_security_struct *sksec = sk->sk_security;
4785 
4786 	sk->sk_security = NULL;
4787 	selinux_netlbl_sk_security_free(sksec);
4788 	kfree(sksec);
4789 }
4790 
4791 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4792 {
4793 	struct sk_security_struct *sksec = sk->sk_security;
4794 	struct sk_security_struct *newsksec = newsk->sk_security;
4795 
4796 	newsksec->sid = sksec->sid;
4797 	newsksec->peer_sid = sksec->peer_sid;
4798 	newsksec->sclass = sksec->sclass;
4799 
4800 	selinux_netlbl_sk_security_reset(newsksec);
4801 }
4802 
4803 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4804 {
4805 	if (!sk)
4806 		*secid = SECINITSID_ANY_SOCKET;
4807 	else {
4808 		struct sk_security_struct *sksec = sk->sk_security;
4809 
4810 		*secid = sksec->sid;
4811 	}
4812 }
4813 
4814 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4815 {
4816 	struct inode_security_struct *isec =
4817 		inode_security_novalidate(SOCK_INODE(parent));
4818 	struct sk_security_struct *sksec = sk->sk_security;
4819 
4820 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4821 	    sk->sk_family == PF_UNIX)
4822 		isec->sid = sksec->sid;
4823 	sksec->sclass = isec->sclass;
4824 }
4825 
4826 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4827 				     struct request_sock *req)
4828 {
4829 	struct sk_security_struct *sksec = sk->sk_security;
4830 	int err;
4831 	u16 family = req->rsk_ops->family;
4832 	u32 connsid;
4833 	u32 peersid;
4834 
4835 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4836 	if (err)
4837 		return err;
4838 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4839 	if (err)
4840 		return err;
4841 	req->secid = connsid;
4842 	req->peer_secid = peersid;
4843 
4844 	return selinux_netlbl_inet_conn_request(req, family);
4845 }
4846 
4847 static void selinux_inet_csk_clone(struct sock *newsk,
4848 				   const struct request_sock *req)
4849 {
4850 	struct sk_security_struct *newsksec = newsk->sk_security;
4851 
4852 	newsksec->sid = req->secid;
4853 	newsksec->peer_sid = req->peer_secid;
4854 	/* NOTE: Ideally, we should also get the isec->sid for the
4855 	   new socket in sync, but we don't have the isec available yet.
4856 	   So we will wait until sock_graft to do it, by which
4857 	   time it will have been created and available. */
4858 
4859 	/* We don't need to take any sort of lock here as we are the only
4860 	 * thread with access to newsksec */
4861 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4862 }
4863 
4864 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4865 {
4866 	u16 family = sk->sk_family;
4867 	struct sk_security_struct *sksec = sk->sk_security;
4868 
4869 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4870 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4871 		family = PF_INET;
4872 
4873 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4874 }
4875 
4876 static int selinux_secmark_relabel_packet(u32 sid)
4877 {
4878 	const struct task_security_struct *__tsec;
4879 	u32 tsid;
4880 
4881 	__tsec = current_security();
4882 	tsid = __tsec->sid;
4883 
4884 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4885 }
4886 
4887 static void selinux_secmark_refcount_inc(void)
4888 {
4889 	atomic_inc(&selinux_secmark_refcount);
4890 }
4891 
4892 static void selinux_secmark_refcount_dec(void)
4893 {
4894 	atomic_dec(&selinux_secmark_refcount);
4895 }
4896 
4897 static void selinux_req_classify_flow(const struct request_sock *req,
4898 				      struct flowi *fl)
4899 {
4900 	fl->flowi_secid = req->secid;
4901 }
4902 
4903 static int selinux_tun_dev_alloc_security(void **security)
4904 {
4905 	struct tun_security_struct *tunsec;
4906 
4907 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4908 	if (!tunsec)
4909 		return -ENOMEM;
4910 	tunsec->sid = current_sid();
4911 
4912 	*security = tunsec;
4913 	return 0;
4914 }
4915 
4916 static void selinux_tun_dev_free_security(void *security)
4917 {
4918 	kfree(security);
4919 }
4920 
4921 static int selinux_tun_dev_create(void)
4922 {
4923 	u32 sid = current_sid();
4924 
4925 	/* we aren't taking into account the "sockcreate" SID since the socket
4926 	 * that is being created here is not a socket in the traditional sense,
4927 	 * instead it is a private sock, accessible only to the kernel, and
4928 	 * representing a wide range of network traffic spanning multiple
4929 	 * connections unlike traditional sockets - check the TUN driver to
4930 	 * get a better understanding of why this socket is special */
4931 
4932 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4933 			    NULL);
4934 }
4935 
4936 static int selinux_tun_dev_attach_queue(void *security)
4937 {
4938 	struct tun_security_struct *tunsec = security;
4939 
4940 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4941 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4942 }
4943 
4944 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4945 {
4946 	struct tun_security_struct *tunsec = security;
4947 	struct sk_security_struct *sksec = sk->sk_security;
4948 
4949 	/* we don't currently perform any NetLabel based labeling here and it
4950 	 * isn't clear that we would want to do so anyway; while we could apply
4951 	 * labeling without the support of the TUN user the resulting labeled
4952 	 * traffic from the other end of the connection would almost certainly
4953 	 * cause confusion to the TUN user that had no idea network labeling
4954 	 * protocols were being used */
4955 
4956 	sksec->sid = tunsec->sid;
4957 	sksec->sclass = SECCLASS_TUN_SOCKET;
4958 
4959 	return 0;
4960 }
4961 
4962 static int selinux_tun_dev_open(void *security)
4963 {
4964 	struct tun_security_struct *tunsec = security;
4965 	u32 sid = current_sid();
4966 	int err;
4967 
4968 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4969 			   TUN_SOCKET__RELABELFROM, NULL);
4970 	if (err)
4971 		return err;
4972 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4973 			   TUN_SOCKET__RELABELTO, NULL);
4974 	if (err)
4975 		return err;
4976 	tunsec->sid = sid;
4977 
4978 	return 0;
4979 }
4980 
4981 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4982 {
4983 	int err = 0;
4984 	u32 perm;
4985 	struct nlmsghdr *nlh;
4986 	struct sk_security_struct *sksec = sk->sk_security;
4987 
4988 	if (skb->len < NLMSG_HDRLEN) {
4989 		err = -EINVAL;
4990 		goto out;
4991 	}
4992 	nlh = nlmsg_hdr(skb);
4993 
4994 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4995 	if (err) {
4996 		if (err == -EINVAL) {
4997 			pr_warn_ratelimited("SELinux: unrecognized netlink"
4998 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4999 			       " pig=%d comm=%s\n",
5000 			       sk->sk_protocol, nlh->nlmsg_type,
5001 			       secclass_map[sksec->sclass - 1].name,
5002 			       task_pid_nr(current), current->comm);
5003 			if (!selinux_enforcing || security_get_allow_unknown())
5004 				err = 0;
5005 		}
5006 
5007 		/* Ignore */
5008 		if (err == -ENOENT)
5009 			err = 0;
5010 		goto out;
5011 	}
5012 
5013 	err = sock_has_perm(current, sk, perm);
5014 out:
5015 	return err;
5016 }
5017 
5018 #ifdef CONFIG_NETFILTER
5019 
5020 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5021 				       const struct net_device *indev,
5022 				       u16 family)
5023 {
5024 	int err;
5025 	char *addrp;
5026 	u32 peer_sid;
5027 	struct common_audit_data ad;
5028 	struct lsm_network_audit net = {0,};
5029 	u8 secmark_active;
5030 	u8 netlbl_active;
5031 	u8 peerlbl_active;
5032 
5033 	if (!selinux_policycap_netpeer)
5034 		return NF_ACCEPT;
5035 
5036 	secmark_active = selinux_secmark_enabled();
5037 	netlbl_active = netlbl_enabled();
5038 	peerlbl_active = selinux_peerlbl_enabled();
5039 	if (!secmark_active && !peerlbl_active)
5040 		return NF_ACCEPT;
5041 
5042 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5043 		return NF_DROP;
5044 
5045 	ad.type = LSM_AUDIT_DATA_NET;
5046 	ad.u.net = &net;
5047 	ad.u.net->netif = indev->ifindex;
5048 	ad.u.net->family = family;
5049 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5050 		return NF_DROP;
5051 
5052 	if (peerlbl_active) {
5053 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5054 					       addrp, family, peer_sid, &ad);
5055 		if (err) {
5056 			selinux_netlbl_err(skb, family, err, 1);
5057 			return NF_DROP;
5058 		}
5059 	}
5060 
5061 	if (secmark_active)
5062 		if (avc_has_perm(peer_sid, skb->secmark,
5063 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5064 			return NF_DROP;
5065 
5066 	if (netlbl_active)
5067 		/* we do this in the FORWARD path and not the POST_ROUTING
5068 		 * path because we want to make sure we apply the necessary
5069 		 * labeling before IPsec is applied so we can leverage AH
5070 		 * protection */
5071 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5072 			return NF_DROP;
5073 
5074 	return NF_ACCEPT;
5075 }
5076 
5077 static unsigned int selinux_ipv4_forward(void *priv,
5078 					 struct sk_buff *skb,
5079 					 const struct nf_hook_state *state)
5080 {
5081 	return selinux_ip_forward(skb, state->in, PF_INET);
5082 }
5083 
5084 #if IS_ENABLED(CONFIG_IPV6)
5085 static unsigned int selinux_ipv6_forward(void *priv,
5086 					 struct sk_buff *skb,
5087 					 const struct nf_hook_state *state)
5088 {
5089 	return selinux_ip_forward(skb, state->in, PF_INET6);
5090 }
5091 #endif	/* IPV6 */
5092 
5093 static unsigned int selinux_ip_output(struct sk_buff *skb,
5094 				      u16 family)
5095 {
5096 	struct sock *sk;
5097 	u32 sid;
5098 
5099 	if (!netlbl_enabled())
5100 		return NF_ACCEPT;
5101 
5102 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5103 	 * because we want to make sure we apply the necessary labeling
5104 	 * before IPsec is applied so we can leverage AH protection */
5105 	sk = skb->sk;
5106 	if (sk) {
5107 		struct sk_security_struct *sksec;
5108 
5109 		if (sk_listener(sk))
5110 			/* if the socket is the listening state then this
5111 			 * packet is a SYN-ACK packet which means it needs to
5112 			 * be labeled based on the connection/request_sock and
5113 			 * not the parent socket.  unfortunately, we can't
5114 			 * lookup the request_sock yet as it isn't queued on
5115 			 * the parent socket until after the SYN-ACK is sent.
5116 			 * the "solution" is to simply pass the packet as-is
5117 			 * as any IP option based labeling should be copied
5118 			 * from the initial connection request (in the IP
5119 			 * layer).  it is far from ideal, but until we get a
5120 			 * security label in the packet itself this is the
5121 			 * best we can do. */
5122 			return NF_ACCEPT;
5123 
5124 		/* standard practice, label using the parent socket */
5125 		sksec = sk->sk_security;
5126 		sid = sksec->sid;
5127 	} else
5128 		sid = SECINITSID_KERNEL;
5129 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5130 		return NF_DROP;
5131 
5132 	return NF_ACCEPT;
5133 }
5134 
5135 static unsigned int selinux_ipv4_output(void *priv,
5136 					struct sk_buff *skb,
5137 					const struct nf_hook_state *state)
5138 {
5139 	return selinux_ip_output(skb, PF_INET);
5140 }
5141 
5142 #if IS_ENABLED(CONFIG_IPV6)
5143 static unsigned int selinux_ipv6_output(void *priv,
5144 					struct sk_buff *skb,
5145 					const struct nf_hook_state *state)
5146 {
5147 	return selinux_ip_output(skb, PF_INET6);
5148 }
5149 #endif	/* IPV6 */
5150 
5151 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5152 						int ifindex,
5153 						u16 family)
5154 {
5155 	struct sock *sk = skb_to_full_sk(skb);
5156 	struct sk_security_struct *sksec;
5157 	struct common_audit_data ad;
5158 	struct lsm_network_audit net = {0,};
5159 	char *addrp;
5160 	u8 proto;
5161 
5162 	if (sk == NULL)
5163 		return NF_ACCEPT;
5164 	sksec = sk->sk_security;
5165 
5166 	ad.type = LSM_AUDIT_DATA_NET;
5167 	ad.u.net = &net;
5168 	ad.u.net->netif = ifindex;
5169 	ad.u.net->family = family;
5170 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5171 		return NF_DROP;
5172 
5173 	if (selinux_secmark_enabled())
5174 		if (avc_has_perm(sksec->sid, skb->secmark,
5175 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5176 			return NF_DROP_ERR(-ECONNREFUSED);
5177 
5178 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5179 		return NF_DROP_ERR(-ECONNREFUSED);
5180 
5181 	return NF_ACCEPT;
5182 }
5183 
5184 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5185 					 const struct net_device *outdev,
5186 					 u16 family)
5187 {
5188 	u32 secmark_perm;
5189 	u32 peer_sid;
5190 	int ifindex = outdev->ifindex;
5191 	struct sock *sk;
5192 	struct common_audit_data ad;
5193 	struct lsm_network_audit net = {0,};
5194 	char *addrp;
5195 	u8 secmark_active;
5196 	u8 peerlbl_active;
5197 
5198 	/* If any sort of compatibility mode is enabled then handoff processing
5199 	 * to the selinux_ip_postroute_compat() function to deal with the
5200 	 * special handling.  We do this in an attempt to keep this function
5201 	 * as fast and as clean as possible. */
5202 	if (!selinux_policycap_netpeer)
5203 		return selinux_ip_postroute_compat(skb, ifindex, family);
5204 
5205 	secmark_active = selinux_secmark_enabled();
5206 	peerlbl_active = selinux_peerlbl_enabled();
5207 	if (!secmark_active && !peerlbl_active)
5208 		return NF_ACCEPT;
5209 
5210 	sk = skb_to_full_sk(skb);
5211 
5212 #ifdef CONFIG_XFRM
5213 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5214 	 * packet transformation so allow the packet to pass without any checks
5215 	 * since we'll have another chance to perform access control checks
5216 	 * when the packet is on it's final way out.
5217 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5218 	 *       is NULL, in this case go ahead and apply access control.
5219 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5220 	 *       TCP listening state we cannot wait until the XFRM processing
5221 	 *       is done as we will miss out on the SA label if we do;
5222 	 *       unfortunately, this means more work, but it is only once per
5223 	 *       connection. */
5224 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5225 	    !(sk && sk_listener(sk)))
5226 		return NF_ACCEPT;
5227 #endif
5228 
5229 	if (sk == NULL) {
5230 		/* Without an associated socket the packet is either coming
5231 		 * from the kernel or it is being forwarded; check the packet
5232 		 * to determine which and if the packet is being forwarded
5233 		 * query the packet directly to determine the security label. */
5234 		if (skb->skb_iif) {
5235 			secmark_perm = PACKET__FORWARD_OUT;
5236 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5237 				return NF_DROP;
5238 		} else {
5239 			secmark_perm = PACKET__SEND;
5240 			peer_sid = SECINITSID_KERNEL;
5241 		}
5242 	} else if (sk_listener(sk)) {
5243 		/* Locally generated packet but the associated socket is in the
5244 		 * listening state which means this is a SYN-ACK packet.  In
5245 		 * this particular case the correct security label is assigned
5246 		 * to the connection/request_sock but unfortunately we can't
5247 		 * query the request_sock as it isn't queued on the parent
5248 		 * socket until after the SYN-ACK packet is sent; the only
5249 		 * viable choice is to regenerate the label like we do in
5250 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5251 		 * for similar problems. */
5252 		u32 skb_sid;
5253 		struct sk_security_struct *sksec;
5254 
5255 		sksec = sk->sk_security;
5256 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5257 			return NF_DROP;
5258 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5259 		 * and the packet has been through at least one XFRM
5260 		 * transformation then we must be dealing with the "final"
5261 		 * form of labeled IPsec packet; since we've already applied
5262 		 * all of our access controls on this packet we can safely
5263 		 * pass the packet. */
5264 		if (skb_sid == SECSID_NULL) {
5265 			switch (family) {
5266 			case PF_INET:
5267 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5268 					return NF_ACCEPT;
5269 				break;
5270 			case PF_INET6:
5271 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5272 					return NF_ACCEPT;
5273 				break;
5274 			default:
5275 				return NF_DROP_ERR(-ECONNREFUSED);
5276 			}
5277 		}
5278 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5279 			return NF_DROP;
5280 		secmark_perm = PACKET__SEND;
5281 	} else {
5282 		/* Locally generated packet, fetch the security label from the
5283 		 * associated socket. */
5284 		struct sk_security_struct *sksec = sk->sk_security;
5285 		peer_sid = sksec->sid;
5286 		secmark_perm = PACKET__SEND;
5287 	}
5288 
5289 	ad.type = LSM_AUDIT_DATA_NET;
5290 	ad.u.net = &net;
5291 	ad.u.net->netif = ifindex;
5292 	ad.u.net->family = family;
5293 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5294 		return NF_DROP;
5295 
5296 	if (secmark_active)
5297 		if (avc_has_perm(peer_sid, skb->secmark,
5298 				 SECCLASS_PACKET, secmark_perm, &ad))
5299 			return NF_DROP_ERR(-ECONNREFUSED);
5300 
5301 	if (peerlbl_active) {
5302 		u32 if_sid;
5303 		u32 node_sid;
5304 
5305 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5306 			return NF_DROP;
5307 		if (avc_has_perm(peer_sid, if_sid,
5308 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5309 			return NF_DROP_ERR(-ECONNREFUSED);
5310 
5311 		if (sel_netnode_sid(addrp, family, &node_sid))
5312 			return NF_DROP;
5313 		if (avc_has_perm(peer_sid, node_sid,
5314 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5315 			return NF_DROP_ERR(-ECONNREFUSED);
5316 	}
5317 
5318 	return NF_ACCEPT;
5319 }
5320 
5321 static unsigned int selinux_ipv4_postroute(void *priv,
5322 					   struct sk_buff *skb,
5323 					   const struct nf_hook_state *state)
5324 {
5325 	return selinux_ip_postroute(skb, state->out, PF_INET);
5326 }
5327 
5328 #if IS_ENABLED(CONFIG_IPV6)
5329 static unsigned int selinux_ipv6_postroute(void *priv,
5330 					   struct sk_buff *skb,
5331 					   const struct nf_hook_state *state)
5332 {
5333 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5334 }
5335 #endif	/* IPV6 */
5336 
5337 #endif	/* CONFIG_NETFILTER */
5338 
5339 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5340 {
5341 	return selinux_nlmsg_perm(sk, skb);
5342 }
5343 
5344 static int ipc_alloc_security(struct task_struct *task,
5345 			      struct kern_ipc_perm *perm,
5346 			      u16 sclass)
5347 {
5348 	struct ipc_security_struct *isec;
5349 	u32 sid;
5350 
5351 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5352 	if (!isec)
5353 		return -ENOMEM;
5354 
5355 	sid = task_sid(task);
5356 	isec->sclass = sclass;
5357 	isec->sid = sid;
5358 	perm->security = isec;
5359 
5360 	return 0;
5361 }
5362 
5363 static void ipc_free_security(struct kern_ipc_perm *perm)
5364 {
5365 	struct ipc_security_struct *isec = perm->security;
5366 	perm->security = NULL;
5367 	kfree(isec);
5368 }
5369 
5370 static int msg_msg_alloc_security(struct msg_msg *msg)
5371 {
5372 	struct msg_security_struct *msec;
5373 
5374 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5375 	if (!msec)
5376 		return -ENOMEM;
5377 
5378 	msec->sid = SECINITSID_UNLABELED;
5379 	msg->security = msec;
5380 
5381 	return 0;
5382 }
5383 
5384 static void msg_msg_free_security(struct msg_msg *msg)
5385 {
5386 	struct msg_security_struct *msec = msg->security;
5387 
5388 	msg->security = NULL;
5389 	kfree(msec);
5390 }
5391 
5392 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5393 			u32 perms)
5394 {
5395 	struct ipc_security_struct *isec;
5396 	struct common_audit_data ad;
5397 	u32 sid = current_sid();
5398 
5399 	isec = ipc_perms->security;
5400 
5401 	ad.type = LSM_AUDIT_DATA_IPC;
5402 	ad.u.ipc_id = ipc_perms->key;
5403 
5404 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5405 }
5406 
5407 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5408 {
5409 	return msg_msg_alloc_security(msg);
5410 }
5411 
5412 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5413 {
5414 	msg_msg_free_security(msg);
5415 }
5416 
5417 /* message queue security operations */
5418 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5419 {
5420 	struct ipc_security_struct *isec;
5421 	struct common_audit_data ad;
5422 	u32 sid = current_sid();
5423 	int rc;
5424 
5425 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5426 	if (rc)
5427 		return rc;
5428 
5429 	isec = msq->q_perm.security;
5430 
5431 	ad.type = LSM_AUDIT_DATA_IPC;
5432 	ad.u.ipc_id = msq->q_perm.key;
5433 
5434 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5435 			  MSGQ__CREATE, &ad);
5436 	if (rc) {
5437 		ipc_free_security(&msq->q_perm);
5438 		return rc;
5439 	}
5440 	return 0;
5441 }
5442 
5443 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5444 {
5445 	ipc_free_security(&msq->q_perm);
5446 }
5447 
5448 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5449 {
5450 	struct ipc_security_struct *isec;
5451 	struct common_audit_data ad;
5452 	u32 sid = current_sid();
5453 
5454 	isec = msq->q_perm.security;
5455 
5456 	ad.type = LSM_AUDIT_DATA_IPC;
5457 	ad.u.ipc_id = msq->q_perm.key;
5458 
5459 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5460 			    MSGQ__ASSOCIATE, &ad);
5461 }
5462 
5463 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5464 {
5465 	int err;
5466 	int perms;
5467 
5468 	switch (cmd) {
5469 	case IPC_INFO:
5470 	case MSG_INFO:
5471 		/* No specific object, just general system-wide information. */
5472 		return task_has_system(current, SYSTEM__IPC_INFO);
5473 	case IPC_STAT:
5474 	case MSG_STAT:
5475 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5476 		break;
5477 	case IPC_SET:
5478 		perms = MSGQ__SETATTR;
5479 		break;
5480 	case IPC_RMID:
5481 		perms = MSGQ__DESTROY;
5482 		break;
5483 	default:
5484 		return 0;
5485 	}
5486 
5487 	err = ipc_has_perm(&msq->q_perm, perms);
5488 	return err;
5489 }
5490 
5491 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5492 {
5493 	struct ipc_security_struct *isec;
5494 	struct msg_security_struct *msec;
5495 	struct common_audit_data ad;
5496 	u32 sid = current_sid();
5497 	int rc;
5498 
5499 	isec = msq->q_perm.security;
5500 	msec = msg->security;
5501 
5502 	/*
5503 	 * First time through, need to assign label to the message
5504 	 */
5505 	if (msec->sid == SECINITSID_UNLABELED) {
5506 		/*
5507 		 * Compute new sid based on current process and
5508 		 * message queue this message will be stored in
5509 		 */
5510 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5511 					     NULL, &msec->sid);
5512 		if (rc)
5513 			return rc;
5514 	}
5515 
5516 	ad.type = LSM_AUDIT_DATA_IPC;
5517 	ad.u.ipc_id = msq->q_perm.key;
5518 
5519 	/* Can this process write to the queue? */
5520 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5521 			  MSGQ__WRITE, &ad);
5522 	if (!rc)
5523 		/* Can this process send the message */
5524 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5525 				  MSG__SEND, &ad);
5526 	if (!rc)
5527 		/* Can the message be put in the queue? */
5528 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5529 				  MSGQ__ENQUEUE, &ad);
5530 
5531 	return rc;
5532 }
5533 
5534 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5535 				    struct task_struct *target,
5536 				    long type, int mode)
5537 {
5538 	struct ipc_security_struct *isec;
5539 	struct msg_security_struct *msec;
5540 	struct common_audit_data ad;
5541 	u32 sid = task_sid(target);
5542 	int rc;
5543 
5544 	isec = msq->q_perm.security;
5545 	msec = msg->security;
5546 
5547 	ad.type = LSM_AUDIT_DATA_IPC;
5548 	ad.u.ipc_id = msq->q_perm.key;
5549 
5550 	rc = avc_has_perm(sid, isec->sid,
5551 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5552 	if (!rc)
5553 		rc = avc_has_perm(sid, msec->sid,
5554 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5555 	return rc;
5556 }
5557 
5558 /* Shared Memory security operations */
5559 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5560 {
5561 	struct ipc_security_struct *isec;
5562 	struct common_audit_data ad;
5563 	u32 sid = current_sid();
5564 	int rc;
5565 
5566 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5567 	if (rc)
5568 		return rc;
5569 
5570 	isec = shp->shm_perm.security;
5571 
5572 	ad.type = LSM_AUDIT_DATA_IPC;
5573 	ad.u.ipc_id = shp->shm_perm.key;
5574 
5575 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5576 			  SHM__CREATE, &ad);
5577 	if (rc) {
5578 		ipc_free_security(&shp->shm_perm);
5579 		return rc;
5580 	}
5581 	return 0;
5582 }
5583 
5584 static void selinux_shm_free_security(struct shmid_kernel *shp)
5585 {
5586 	ipc_free_security(&shp->shm_perm);
5587 }
5588 
5589 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5590 {
5591 	struct ipc_security_struct *isec;
5592 	struct common_audit_data ad;
5593 	u32 sid = current_sid();
5594 
5595 	isec = shp->shm_perm.security;
5596 
5597 	ad.type = LSM_AUDIT_DATA_IPC;
5598 	ad.u.ipc_id = shp->shm_perm.key;
5599 
5600 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5601 			    SHM__ASSOCIATE, &ad);
5602 }
5603 
5604 /* Note, at this point, shp is locked down */
5605 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5606 {
5607 	int perms;
5608 	int err;
5609 
5610 	switch (cmd) {
5611 	case IPC_INFO:
5612 	case SHM_INFO:
5613 		/* No specific object, just general system-wide information. */
5614 		return task_has_system(current, SYSTEM__IPC_INFO);
5615 	case IPC_STAT:
5616 	case SHM_STAT:
5617 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5618 		break;
5619 	case IPC_SET:
5620 		perms = SHM__SETATTR;
5621 		break;
5622 	case SHM_LOCK:
5623 	case SHM_UNLOCK:
5624 		perms = SHM__LOCK;
5625 		break;
5626 	case IPC_RMID:
5627 		perms = SHM__DESTROY;
5628 		break;
5629 	default:
5630 		return 0;
5631 	}
5632 
5633 	err = ipc_has_perm(&shp->shm_perm, perms);
5634 	return err;
5635 }
5636 
5637 static int selinux_shm_shmat(struct shmid_kernel *shp,
5638 			     char __user *shmaddr, int shmflg)
5639 {
5640 	u32 perms;
5641 
5642 	if (shmflg & SHM_RDONLY)
5643 		perms = SHM__READ;
5644 	else
5645 		perms = SHM__READ | SHM__WRITE;
5646 
5647 	return ipc_has_perm(&shp->shm_perm, perms);
5648 }
5649 
5650 /* Semaphore security operations */
5651 static int selinux_sem_alloc_security(struct sem_array *sma)
5652 {
5653 	struct ipc_security_struct *isec;
5654 	struct common_audit_data ad;
5655 	u32 sid = current_sid();
5656 	int rc;
5657 
5658 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5659 	if (rc)
5660 		return rc;
5661 
5662 	isec = sma->sem_perm.security;
5663 
5664 	ad.type = LSM_AUDIT_DATA_IPC;
5665 	ad.u.ipc_id = sma->sem_perm.key;
5666 
5667 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5668 			  SEM__CREATE, &ad);
5669 	if (rc) {
5670 		ipc_free_security(&sma->sem_perm);
5671 		return rc;
5672 	}
5673 	return 0;
5674 }
5675 
5676 static void selinux_sem_free_security(struct sem_array *sma)
5677 {
5678 	ipc_free_security(&sma->sem_perm);
5679 }
5680 
5681 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5682 {
5683 	struct ipc_security_struct *isec;
5684 	struct common_audit_data ad;
5685 	u32 sid = current_sid();
5686 
5687 	isec = sma->sem_perm.security;
5688 
5689 	ad.type = LSM_AUDIT_DATA_IPC;
5690 	ad.u.ipc_id = sma->sem_perm.key;
5691 
5692 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5693 			    SEM__ASSOCIATE, &ad);
5694 }
5695 
5696 /* Note, at this point, sma is locked down */
5697 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5698 {
5699 	int err;
5700 	u32 perms;
5701 
5702 	switch (cmd) {
5703 	case IPC_INFO:
5704 	case SEM_INFO:
5705 		/* No specific object, just general system-wide information. */
5706 		return task_has_system(current, SYSTEM__IPC_INFO);
5707 	case GETPID:
5708 	case GETNCNT:
5709 	case GETZCNT:
5710 		perms = SEM__GETATTR;
5711 		break;
5712 	case GETVAL:
5713 	case GETALL:
5714 		perms = SEM__READ;
5715 		break;
5716 	case SETVAL:
5717 	case SETALL:
5718 		perms = SEM__WRITE;
5719 		break;
5720 	case IPC_RMID:
5721 		perms = SEM__DESTROY;
5722 		break;
5723 	case IPC_SET:
5724 		perms = SEM__SETATTR;
5725 		break;
5726 	case IPC_STAT:
5727 	case SEM_STAT:
5728 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5729 		break;
5730 	default:
5731 		return 0;
5732 	}
5733 
5734 	err = ipc_has_perm(&sma->sem_perm, perms);
5735 	return err;
5736 }
5737 
5738 static int selinux_sem_semop(struct sem_array *sma,
5739 			     struct sembuf *sops, unsigned nsops, int alter)
5740 {
5741 	u32 perms;
5742 
5743 	if (alter)
5744 		perms = SEM__READ | SEM__WRITE;
5745 	else
5746 		perms = SEM__READ;
5747 
5748 	return ipc_has_perm(&sma->sem_perm, perms);
5749 }
5750 
5751 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5752 {
5753 	u32 av = 0;
5754 
5755 	av = 0;
5756 	if (flag & S_IRUGO)
5757 		av |= IPC__UNIX_READ;
5758 	if (flag & S_IWUGO)
5759 		av |= IPC__UNIX_WRITE;
5760 
5761 	if (av == 0)
5762 		return 0;
5763 
5764 	return ipc_has_perm(ipcp, av);
5765 }
5766 
5767 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5768 {
5769 	struct ipc_security_struct *isec = ipcp->security;
5770 	*secid = isec->sid;
5771 }
5772 
5773 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5774 {
5775 	if (inode)
5776 		inode_doinit_with_dentry(inode, dentry);
5777 }
5778 
5779 static int selinux_getprocattr(struct task_struct *p,
5780 			       char *name, char **value)
5781 {
5782 	const struct task_security_struct *__tsec;
5783 	u32 sid;
5784 	int error;
5785 	unsigned len;
5786 
5787 	if (current != p) {
5788 		error = current_has_perm(p, PROCESS__GETATTR);
5789 		if (error)
5790 			return error;
5791 	}
5792 
5793 	rcu_read_lock();
5794 	__tsec = __task_cred(p)->security;
5795 
5796 	if (!strcmp(name, "current"))
5797 		sid = __tsec->sid;
5798 	else if (!strcmp(name, "prev"))
5799 		sid = __tsec->osid;
5800 	else if (!strcmp(name, "exec"))
5801 		sid = __tsec->exec_sid;
5802 	else if (!strcmp(name, "fscreate"))
5803 		sid = __tsec->create_sid;
5804 	else if (!strcmp(name, "keycreate"))
5805 		sid = __tsec->keycreate_sid;
5806 	else if (!strcmp(name, "sockcreate"))
5807 		sid = __tsec->sockcreate_sid;
5808 	else
5809 		goto invalid;
5810 	rcu_read_unlock();
5811 
5812 	if (!sid)
5813 		return 0;
5814 
5815 	error = security_sid_to_context(sid, value, &len);
5816 	if (error)
5817 		return error;
5818 	return len;
5819 
5820 invalid:
5821 	rcu_read_unlock();
5822 	return -EINVAL;
5823 }
5824 
5825 static int selinux_setprocattr(struct task_struct *p,
5826 			       char *name, void *value, size_t size)
5827 {
5828 	struct task_security_struct *tsec;
5829 	struct cred *new;
5830 	u32 sid = 0, ptsid;
5831 	int error;
5832 	char *str = value;
5833 
5834 	if (current != p) {
5835 		/* SELinux only allows a process to change its own
5836 		   security attributes. */
5837 		return -EACCES;
5838 	}
5839 
5840 	/*
5841 	 * Basic control over ability to set these attributes at all.
5842 	 * current == p, but we'll pass them separately in case the
5843 	 * above restriction is ever removed.
5844 	 */
5845 	if (!strcmp(name, "exec"))
5846 		error = current_has_perm(p, PROCESS__SETEXEC);
5847 	else if (!strcmp(name, "fscreate"))
5848 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5849 	else if (!strcmp(name, "keycreate"))
5850 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5851 	else if (!strcmp(name, "sockcreate"))
5852 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5853 	else if (!strcmp(name, "current"))
5854 		error = current_has_perm(p, PROCESS__SETCURRENT);
5855 	else
5856 		error = -EINVAL;
5857 	if (error)
5858 		return error;
5859 
5860 	/* Obtain a SID for the context, if one was specified. */
5861 	if (size && str[1] && str[1] != '\n') {
5862 		if (str[size-1] == '\n') {
5863 			str[size-1] = 0;
5864 			size--;
5865 		}
5866 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5867 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5868 			if (!capable(CAP_MAC_ADMIN)) {
5869 				struct audit_buffer *ab;
5870 				size_t audit_size;
5871 
5872 				/* We strip a nul only if it is at the end, otherwise the
5873 				 * context contains a nul and we should audit that */
5874 				if (str[size - 1] == '\0')
5875 					audit_size = size - 1;
5876 				else
5877 					audit_size = size;
5878 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5879 				audit_log_format(ab, "op=fscreate invalid_context=");
5880 				audit_log_n_untrustedstring(ab, value, audit_size);
5881 				audit_log_end(ab);
5882 
5883 				return error;
5884 			}
5885 			error = security_context_to_sid_force(value, size,
5886 							      &sid);
5887 		}
5888 		if (error)
5889 			return error;
5890 	}
5891 
5892 	new = prepare_creds();
5893 	if (!new)
5894 		return -ENOMEM;
5895 
5896 	/* Permission checking based on the specified context is
5897 	   performed during the actual operation (execve,
5898 	   open/mkdir/...), when we know the full context of the
5899 	   operation.  See selinux_bprm_set_creds for the execve
5900 	   checks and may_create for the file creation checks. The
5901 	   operation will then fail if the context is not permitted. */
5902 	tsec = new->security;
5903 	if (!strcmp(name, "exec")) {
5904 		tsec->exec_sid = sid;
5905 	} else if (!strcmp(name, "fscreate")) {
5906 		tsec->create_sid = sid;
5907 	} else if (!strcmp(name, "keycreate")) {
5908 		error = may_create_key(sid, p);
5909 		if (error)
5910 			goto abort_change;
5911 		tsec->keycreate_sid = sid;
5912 	} else if (!strcmp(name, "sockcreate")) {
5913 		tsec->sockcreate_sid = sid;
5914 	} else if (!strcmp(name, "current")) {
5915 		error = -EINVAL;
5916 		if (sid == 0)
5917 			goto abort_change;
5918 
5919 		/* Only allow single threaded processes to change context */
5920 		error = -EPERM;
5921 		if (!current_is_single_threaded()) {
5922 			error = security_bounded_transition(tsec->sid, sid);
5923 			if (error)
5924 				goto abort_change;
5925 		}
5926 
5927 		/* Check permissions for the transition. */
5928 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5929 				     PROCESS__DYNTRANSITION, NULL);
5930 		if (error)
5931 			goto abort_change;
5932 
5933 		/* Check for ptracing, and update the task SID if ok.
5934 		   Otherwise, leave SID unchanged and fail. */
5935 		ptsid = ptrace_parent_sid(p);
5936 		if (ptsid != 0) {
5937 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5938 					     PROCESS__PTRACE, NULL);
5939 			if (error)
5940 				goto abort_change;
5941 		}
5942 
5943 		tsec->sid = sid;
5944 	} else {
5945 		error = -EINVAL;
5946 		goto abort_change;
5947 	}
5948 
5949 	commit_creds(new);
5950 	return size;
5951 
5952 abort_change:
5953 	abort_creds(new);
5954 	return error;
5955 }
5956 
5957 static int selinux_ismaclabel(const char *name)
5958 {
5959 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5960 }
5961 
5962 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5963 {
5964 	return security_sid_to_context(secid, secdata, seclen);
5965 }
5966 
5967 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5968 {
5969 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5970 }
5971 
5972 static void selinux_release_secctx(char *secdata, u32 seclen)
5973 {
5974 	kfree(secdata);
5975 }
5976 
5977 static void selinux_inode_invalidate_secctx(struct inode *inode)
5978 {
5979 	struct inode_security_struct *isec = inode->i_security;
5980 
5981 	mutex_lock(&isec->lock);
5982 	isec->initialized = LABEL_INVALID;
5983 	mutex_unlock(&isec->lock);
5984 }
5985 
5986 /*
5987  *	called with inode->i_mutex locked
5988  */
5989 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5990 {
5991 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5992 }
5993 
5994 /*
5995  *	called with inode->i_mutex locked
5996  */
5997 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5998 {
5999 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6000 }
6001 
6002 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6003 {
6004 	int len = 0;
6005 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6006 						ctx, true);
6007 	if (len < 0)
6008 		return len;
6009 	*ctxlen = len;
6010 	return 0;
6011 }
6012 #ifdef CONFIG_KEYS
6013 
6014 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6015 			     unsigned long flags)
6016 {
6017 	const struct task_security_struct *tsec;
6018 	struct key_security_struct *ksec;
6019 
6020 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6021 	if (!ksec)
6022 		return -ENOMEM;
6023 
6024 	tsec = cred->security;
6025 	if (tsec->keycreate_sid)
6026 		ksec->sid = tsec->keycreate_sid;
6027 	else
6028 		ksec->sid = tsec->sid;
6029 
6030 	k->security = ksec;
6031 	return 0;
6032 }
6033 
6034 static void selinux_key_free(struct key *k)
6035 {
6036 	struct key_security_struct *ksec = k->security;
6037 
6038 	k->security = NULL;
6039 	kfree(ksec);
6040 }
6041 
6042 static int selinux_key_permission(key_ref_t key_ref,
6043 				  const struct cred *cred,
6044 				  unsigned perm)
6045 {
6046 	struct key *key;
6047 	struct key_security_struct *ksec;
6048 	u32 sid;
6049 
6050 	/* if no specific permissions are requested, we skip the
6051 	   permission check. No serious, additional covert channels
6052 	   appear to be created. */
6053 	if (perm == 0)
6054 		return 0;
6055 
6056 	sid = cred_sid(cred);
6057 
6058 	key = key_ref_to_ptr(key_ref);
6059 	ksec = key->security;
6060 
6061 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6062 }
6063 
6064 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6065 {
6066 	struct key_security_struct *ksec = key->security;
6067 	char *context = NULL;
6068 	unsigned len;
6069 	int rc;
6070 
6071 	rc = security_sid_to_context(ksec->sid, &context, &len);
6072 	if (!rc)
6073 		rc = len;
6074 	*_buffer = context;
6075 	return rc;
6076 }
6077 
6078 #endif
6079 
6080 static struct security_hook_list selinux_hooks[] = {
6081 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6082 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6083 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6084 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6085 
6086 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6087 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6088 	LSM_HOOK_INIT(capget, selinux_capget),
6089 	LSM_HOOK_INIT(capset, selinux_capset),
6090 	LSM_HOOK_INIT(capable, selinux_capable),
6091 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6092 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6093 	LSM_HOOK_INIT(syslog, selinux_syslog),
6094 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6095 
6096 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6097 
6098 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6099 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6100 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6101 	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6102 
6103 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6104 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6105 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6106 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6107 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6108 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6109 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6110 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6111 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6112 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6113 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6114 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6115 
6116 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6117 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6118 
6119 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6120 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6121 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6122 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6123 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6124 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6125 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6126 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6127 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6128 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6129 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6130 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6131 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6132 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6133 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6134 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6135 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6136 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6137 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6138 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6139 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6140 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6141 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6142 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6143 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6144 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6145 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6146 
6147 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6148 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6149 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6150 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6151 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6152 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6153 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6154 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6155 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6156 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6157 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6158 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6159 
6160 	LSM_HOOK_INIT(file_open, selinux_file_open),
6161 
6162 	LSM_HOOK_INIT(task_create, selinux_task_create),
6163 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6164 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6165 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6166 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6167 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6168 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6169 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6170 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6171 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6172 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6173 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6174 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6175 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6176 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6177 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6178 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6179 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6180 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6181 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6182 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6183 	LSM_HOOK_INIT(task_wait, selinux_task_wait),
6184 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6185 
6186 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6187 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6188 
6189 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6190 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6191 
6192 	LSM_HOOK_INIT(msg_queue_alloc_security,
6193 			selinux_msg_queue_alloc_security),
6194 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6195 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6196 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6197 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6198 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6199 
6200 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6201 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6202 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6203 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6204 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6205 
6206 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6207 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6208 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6209 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6210 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6211 
6212 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6213 
6214 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6215 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6216 
6217 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6218 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6219 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6220 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6221 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6222 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6223 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6224 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6225 
6226 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6227 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6228 
6229 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6230 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6231 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6232 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6233 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6234 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6235 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6236 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6237 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6238 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6239 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6240 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6241 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6242 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6243 	LSM_HOOK_INIT(socket_getpeersec_stream,
6244 			selinux_socket_getpeersec_stream),
6245 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6246 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6247 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6248 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6249 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6250 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6251 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6252 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6253 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6254 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6255 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6256 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6257 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6258 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6259 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6260 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6261 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6262 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6263 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6264 
6265 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6266 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6267 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6268 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6269 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6270 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6271 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6272 			selinux_xfrm_state_alloc_acquire),
6273 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6274 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6275 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6276 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6277 			selinux_xfrm_state_pol_flow_match),
6278 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6279 #endif
6280 
6281 #ifdef CONFIG_KEYS
6282 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6283 	LSM_HOOK_INIT(key_free, selinux_key_free),
6284 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6285 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6286 #endif
6287 
6288 #ifdef CONFIG_AUDIT
6289 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6290 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6291 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6292 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6293 #endif
6294 };
6295 
6296 static __init int selinux_init(void)
6297 {
6298 	if (!security_module_enable("selinux")) {
6299 		selinux_enabled = 0;
6300 		return 0;
6301 	}
6302 
6303 	if (!selinux_enabled) {
6304 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6305 		return 0;
6306 	}
6307 
6308 	printk(KERN_INFO "SELinux:  Initializing.\n");
6309 
6310 	/* Set the security state for the initial task. */
6311 	cred_init_security();
6312 
6313 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6314 
6315 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6316 					    sizeof(struct inode_security_struct),
6317 					    0, SLAB_PANIC, NULL);
6318 	file_security_cache = kmem_cache_create("selinux_file_security",
6319 					    sizeof(struct file_security_struct),
6320 					    0, SLAB_PANIC, NULL);
6321 	avc_init();
6322 
6323 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6324 
6325 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6326 		panic("SELinux: Unable to register AVC netcache callback\n");
6327 
6328 	if (selinux_enforcing)
6329 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6330 	else
6331 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6332 
6333 	return 0;
6334 }
6335 
6336 static void delayed_superblock_init(struct super_block *sb, void *unused)
6337 {
6338 	superblock_doinit(sb, NULL);
6339 }
6340 
6341 void selinux_complete_init(void)
6342 {
6343 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6344 
6345 	/* Set up any superblocks initialized prior to the policy load. */
6346 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6347 	iterate_supers(delayed_superblock_init, NULL);
6348 }
6349 
6350 /* SELinux requires early initialization in order to label
6351    all processes and objects when they are created. */
6352 security_initcall(selinux_init);
6353 
6354 #if defined(CONFIG_NETFILTER)
6355 
6356 static struct nf_hook_ops selinux_nf_ops[] = {
6357 	{
6358 		.hook =		selinux_ipv4_postroute,
6359 		.pf =		NFPROTO_IPV4,
6360 		.hooknum =	NF_INET_POST_ROUTING,
6361 		.priority =	NF_IP_PRI_SELINUX_LAST,
6362 	},
6363 	{
6364 		.hook =		selinux_ipv4_forward,
6365 		.pf =		NFPROTO_IPV4,
6366 		.hooknum =	NF_INET_FORWARD,
6367 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6368 	},
6369 	{
6370 		.hook =		selinux_ipv4_output,
6371 		.pf =		NFPROTO_IPV4,
6372 		.hooknum =	NF_INET_LOCAL_OUT,
6373 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6374 	},
6375 #if IS_ENABLED(CONFIG_IPV6)
6376 	{
6377 		.hook =		selinux_ipv6_postroute,
6378 		.pf =		NFPROTO_IPV6,
6379 		.hooknum =	NF_INET_POST_ROUTING,
6380 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6381 	},
6382 	{
6383 		.hook =		selinux_ipv6_forward,
6384 		.pf =		NFPROTO_IPV6,
6385 		.hooknum =	NF_INET_FORWARD,
6386 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6387 	},
6388 	{
6389 		.hook =		selinux_ipv6_output,
6390 		.pf =		NFPROTO_IPV6,
6391 		.hooknum =	NF_INET_LOCAL_OUT,
6392 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6393 	},
6394 #endif	/* IPV6 */
6395 };
6396 
6397 static int __init selinux_nf_ip_init(void)
6398 {
6399 	int err;
6400 
6401 	if (!selinux_enabled)
6402 		return 0;
6403 
6404 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6405 
6406 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6407 	if (err)
6408 		panic("SELinux: nf_register_hooks: error %d\n", err);
6409 
6410 	return 0;
6411 }
6412 
6413 __initcall(selinux_nf_ip_init);
6414 
6415 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6416 static void selinux_nf_ip_exit(void)
6417 {
6418 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6419 
6420 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6421 }
6422 #endif
6423 
6424 #else /* CONFIG_NETFILTER */
6425 
6426 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6427 #define selinux_nf_ip_exit()
6428 #endif
6429 
6430 #endif /* CONFIG_NETFILTER */
6431 
6432 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6433 static int selinux_disabled;
6434 
6435 int selinux_disable(void)
6436 {
6437 	if (ss_initialized) {
6438 		/* Not permitted after initial policy load. */
6439 		return -EINVAL;
6440 	}
6441 
6442 	if (selinux_disabled) {
6443 		/* Only do this once. */
6444 		return -EINVAL;
6445 	}
6446 
6447 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6448 
6449 	selinux_disabled = 1;
6450 	selinux_enabled = 0;
6451 
6452 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6453 
6454 	/* Try to destroy the avc node cache */
6455 	avc_disable();
6456 
6457 	/* Unregister netfilter hooks. */
6458 	selinux_nf_ip_exit();
6459 
6460 	/* Unregister selinuxfs. */
6461 	exit_sel_fs();
6462 
6463 	return 0;
6464 }
6465 #endif
6466