xref: /linux/security/selinux/hooks.c (revision dd9a41bc61cc62d38306465ed62373b98df0049e)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105 
106 struct selinux_state selinux_state;
107 
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110 
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot __initdata;
113 
114 static int __init enforcing_setup(char *str)
115 {
116 	unsigned long enforcing;
117 	if (!kstrtoul(str, 0, &enforcing))
118 		selinux_enforcing_boot = enforcing ? 1 : 0;
119 	return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125 
126 int selinux_enabled_boot __initdata = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 	unsigned long enabled;
131 	if (!kstrtoul(str, 0, &enabled))
132 		selinux_enabled_boot = enabled ? 1 : 0;
133 	return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 		if (checkreqprot)
148 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
149 	}
150 	return 1;
151 }
152 __setup("checkreqprot=", checkreqprot_setup);
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct cred *cred = (struct cred *) current->real_cred;
214 	struct task_security_struct *tsec;
215 
216 	tsec = selinux_cred(cred);
217 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 }
219 
220 /*
221  * get the security ID of a set of credentials
222  */
223 static inline u32 cred_sid(const struct cred *cred)
224 {
225 	const struct task_security_struct *tsec;
226 
227 	tsec = selinux_cred(cred);
228 	return tsec->sid;
229 }
230 
231 /*
232  * get the objective security ID of a task
233  */
234 static inline u32 task_sid(const struct task_struct *task)
235 {
236 	u32 sid;
237 
238 	rcu_read_lock();
239 	sid = cred_sid(__task_cred(task));
240 	rcu_read_unlock();
241 	return sid;
242 }
243 
244 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
245 
246 /*
247  * Try reloading inode security labels that have been marked as invalid.  The
248  * @may_sleep parameter indicates when sleeping and thus reloading labels is
249  * allowed; when set to false, returns -ECHILD when the label is
250  * invalid.  The @dentry parameter should be set to a dentry of the inode.
251  */
252 static int __inode_security_revalidate(struct inode *inode,
253 				       struct dentry *dentry,
254 				       bool may_sleep)
255 {
256 	struct inode_security_struct *isec = selinux_inode(inode);
257 
258 	might_sleep_if(may_sleep);
259 
260 	if (selinux_initialized(&selinux_state) &&
261 	    isec->initialized != LABEL_INITIALIZED) {
262 		if (!may_sleep)
263 			return -ECHILD;
264 
265 		/*
266 		 * Try reloading the inode security label.  This will fail if
267 		 * @opt_dentry is NULL and no dentry for this inode can be
268 		 * found; in that case, continue using the old label.
269 		 */
270 		inode_doinit_with_dentry(inode, dentry);
271 	}
272 	return 0;
273 }
274 
275 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276 {
277 	return selinux_inode(inode);
278 }
279 
280 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
281 {
282 	int error;
283 
284 	error = __inode_security_revalidate(inode, NULL, !rcu);
285 	if (error)
286 		return ERR_PTR(error);
287 	return selinux_inode(inode);
288 }
289 
290 /*
291  * Get the security label of an inode.
292  */
293 static struct inode_security_struct *inode_security(struct inode *inode)
294 {
295 	__inode_security_revalidate(inode, NULL, true);
296 	return selinux_inode(inode);
297 }
298 
299 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300 {
301 	struct inode *inode = d_backing_inode(dentry);
302 
303 	return selinux_inode(inode);
304 }
305 
306 /*
307  * Get the security label of a dentry's backing inode.
308  */
309 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310 {
311 	struct inode *inode = d_backing_inode(dentry);
312 
313 	__inode_security_revalidate(inode, dentry, true);
314 	return selinux_inode(inode);
315 }
316 
317 static void inode_free_security(struct inode *inode)
318 {
319 	struct inode_security_struct *isec = selinux_inode(inode);
320 	struct superblock_security_struct *sbsec;
321 
322 	if (!isec)
323 		return;
324 	sbsec = inode->i_sb->s_security;
325 	/*
326 	 * As not all inode security structures are in a list, we check for
327 	 * empty list outside of the lock to make sure that we won't waste
328 	 * time taking a lock doing nothing.
329 	 *
330 	 * The list_del_init() function can be safely called more than once.
331 	 * It should not be possible for this function to be called with
332 	 * concurrent list_add(), but for better safety against future changes
333 	 * in the code, we use list_empty_careful() here.
334 	 */
335 	if (!list_empty_careful(&isec->list)) {
336 		spin_lock(&sbsec->isec_lock);
337 		list_del_init(&isec->list);
338 		spin_unlock(&sbsec->isec_lock);
339 	}
340 }
341 
342 static void superblock_free_security(struct super_block *sb)
343 {
344 	struct superblock_security_struct *sbsec = sb->s_security;
345 	sb->s_security = NULL;
346 	kfree(sbsec);
347 }
348 
349 struct selinux_mnt_opts {
350 	const char *fscontext, *context, *rootcontext, *defcontext;
351 };
352 
353 static void selinux_free_mnt_opts(void *mnt_opts)
354 {
355 	struct selinux_mnt_opts *opts = mnt_opts;
356 	kfree(opts->fscontext);
357 	kfree(opts->context);
358 	kfree(opts->rootcontext);
359 	kfree(opts->defcontext);
360 	kfree(opts);
361 }
362 
363 enum {
364 	Opt_error = -1,
365 	Opt_context = 0,
366 	Opt_defcontext = 1,
367 	Opt_fscontext = 2,
368 	Opt_rootcontext = 3,
369 	Opt_seclabel = 4,
370 };
371 
372 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
373 static struct {
374 	const char *name;
375 	int len;
376 	int opt;
377 	bool has_arg;
378 } tokens[] = {
379 	A(context, true),
380 	A(fscontext, true),
381 	A(defcontext, true),
382 	A(rootcontext, true),
383 	A(seclabel, false),
384 };
385 #undef A
386 
387 static int match_opt_prefix(char *s, int l, char **arg)
388 {
389 	int i;
390 
391 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
392 		size_t len = tokens[i].len;
393 		if (len > l || memcmp(s, tokens[i].name, len))
394 			continue;
395 		if (tokens[i].has_arg) {
396 			if (len == l || s[len] != '=')
397 				continue;
398 			*arg = s + len + 1;
399 		} else if (len != l)
400 			continue;
401 		return tokens[i].opt;
402 	}
403 	return Opt_error;
404 }
405 
406 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
407 
408 static int may_context_mount_sb_relabel(u32 sid,
409 			struct superblock_security_struct *sbsec,
410 			const struct cred *cred)
411 {
412 	const struct task_security_struct *tsec = selinux_cred(cred);
413 	int rc;
414 
415 	rc = avc_has_perm(&selinux_state,
416 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
417 			  FILESYSTEM__RELABELFROM, NULL);
418 	if (rc)
419 		return rc;
420 
421 	rc = avc_has_perm(&selinux_state,
422 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
423 			  FILESYSTEM__RELABELTO, NULL);
424 	return rc;
425 }
426 
427 static int may_context_mount_inode_relabel(u32 sid,
428 			struct superblock_security_struct *sbsec,
429 			const struct cred *cred)
430 {
431 	const struct task_security_struct *tsec = selinux_cred(cred);
432 	int rc;
433 	rc = avc_has_perm(&selinux_state,
434 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELFROM, NULL);
436 	if (rc)
437 		return rc;
438 
439 	rc = avc_has_perm(&selinux_state,
440 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
441 			  FILESYSTEM__ASSOCIATE, NULL);
442 	return rc;
443 }
444 
445 static int selinux_is_genfs_special_handling(struct super_block *sb)
446 {
447 	/* Special handling. Genfs but also in-core setxattr handler */
448 	return	!strcmp(sb->s_type->name, "sysfs") ||
449 		!strcmp(sb->s_type->name, "pstore") ||
450 		!strcmp(sb->s_type->name, "debugfs") ||
451 		!strcmp(sb->s_type->name, "tracefs") ||
452 		!strcmp(sb->s_type->name, "rootfs") ||
453 		(selinux_policycap_cgroupseclabel() &&
454 		 (!strcmp(sb->s_type->name, "cgroup") ||
455 		  !strcmp(sb->s_type->name, "cgroup2")));
456 }
457 
458 static int selinux_is_sblabel_mnt(struct super_block *sb)
459 {
460 	struct superblock_security_struct *sbsec = sb->s_security;
461 
462 	/*
463 	 * IMPORTANT: Double-check logic in this function when adding a new
464 	 * SECURITY_FS_USE_* definition!
465 	 */
466 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
467 
468 	switch (sbsec->behavior) {
469 	case SECURITY_FS_USE_XATTR:
470 	case SECURITY_FS_USE_TRANS:
471 	case SECURITY_FS_USE_TASK:
472 	case SECURITY_FS_USE_NATIVE:
473 		return 1;
474 
475 	case SECURITY_FS_USE_GENFS:
476 		return selinux_is_genfs_special_handling(sb);
477 
478 	/* Never allow relabeling on context mounts */
479 	case SECURITY_FS_USE_MNTPOINT:
480 	case SECURITY_FS_USE_NONE:
481 	default:
482 		return 0;
483 	}
484 }
485 
486 static int sb_finish_set_opts(struct super_block *sb)
487 {
488 	struct superblock_security_struct *sbsec = sb->s_security;
489 	struct dentry *root = sb->s_root;
490 	struct inode *root_inode = d_backing_inode(root);
491 	int rc = 0;
492 
493 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
494 		/* Make sure that the xattr handler exists and that no
495 		   error other than -ENODATA is returned by getxattr on
496 		   the root directory.  -ENODATA is ok, as this may be
497 		   the first boot of the SELinux kernel before we have
498 		   assigned xattr values to the filesystem. */
499 		if (!(root_inode->i_opflags & IOP_XATTR)) {
500 			pr_warn("SELinux: (dev %s, type %s) has no "
501 			       "xattr support\n", sb->s_id, sb->s_type->name);
502 			rc = -EOPNOTSUPP;
503 			goto out;
504 		}
505 
506 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
507 		if (rc < 0 && rc != -ENODATA) {
508 			if (rc == -EOPNOTSUPP)
509 				pr_warn("SELinux: (dev %s, type "
510 				       "%s) has no security xattr handler\n",
511 				       sb->s_id, sb->s_type->name);
512 			else
513 				pr_warn("SELinux: (dev %s, type "
514 				       "%s) getxattr errno %d\n", sb->s_id,
515 				       sb->s_type->name, -rc);
516 			goto out;
517 		}
518 	}
519 
520 	sbsec->flags |= SE_SBINITIALIZED;
521 
522 	/*
523 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
524 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
525 	 * us a superblock that needs the flag to be cleared.
526 	 */
527 	if (selinux_is_sblabel_mnt(sb))
528 		sbsec->flags |= SBLABEL_MNT;
529 	else
530 		sbsec->flags &= ~SBLABEL_MNT;
531 
532 	/* Initialize the root inode. */
533 	rc = inode_doinit_with_dentry(root_inode, root);
534 
535 	/* Initialize any other inodes associated with the superblock, e.g.
536 	   inodes created prior to initial policy load or inodes created
537 	   during get_sb by a pseudo filesystem that directly
538 	   populates itself. */
539 	spin_lock(&sbsec->isec_lock);
540 	while (!list_empty(&sbsec->isec_head)) {
541 		struct inode_security_struct *isec =
542 				list_first_entry(&sbsec->isec_head,
543 					   struct inode_security_struct, list);
544 		struct inode *inode = isec->inode;
545 		list_del_init(&isec->list);
546 		spin_unlock(&sbsec->isec_lock);
547 		inode = igrab(inode);
548 		if (inode) {
549 			if (!IS_PRIVATE(inode))
550 				inode_doinit_with_dentry(inode, NULL);
551 			iput(inode);
552 		}
553 		spin_lock(&sbsec->isec_lock);
554 	}
555 	spin_unlock(&sbsec->isec_lock);
556 out:
557 	return rc;
558 }
559 
560 static int bad_option(struct superblock_security_struct *sbsec, char flag,
561 		      u32 old_sid, u32 new_sid)
562 {
563 	char mnt_flags = sbsec->flags & SE_MNTMASK;
564 
565 	/* check if the old mount command had the same options */
566 	if (sbsec->flags & SE_SBINITIALIZED)
567 		if (!(sbsec->flags & flag) ||
568 		    (old_sid != new_sid))
569 			return 1;
570 
571 	/* check if we were passed the same options twice,
572 	 * aka someone passed context=a,context=b
573 	 */
574 	if (!(sbsec->flags & SE_SBINITIALIZED))
575 		if (mnt_flags & flag)
576 			return 1;
577 	return 0;
578 }
579 
580 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
581 {
582 	int rc = security_context_str_to_sid(&selinux_state, s,
583 					     sid, GFP_KERNEL);
584 	if (rc)
585 		pr_warn("SELinux: security_context_str_to_sid"
586 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
587 		       s, sb->s_id, sb->s_type->name, rc);
588 	return rc;
589 }
590 
591 /*
592  * Allow filesystems with binary mount data to explicitly set mount point
593  * labeling information.
594  */
595 static int selinux_set_mnt_opts(struct super_block *sb,
596 				void *mnt_opts,
597 				unsigned long kern_flags,
598 				unsigned long *set_kern_flags)
599 {
600 	const struct cred *cred = current_cred();
601 	struct superblock_security_struct *sbsec = sb->s_security;
602 	struct dentry *root = sbsec->sb->s_root;
603 	struct selinux_mnt_opts *opts = mnt_opts;
604 	struct inode_security_struct *root_isec;
605 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
606 	u32 defcontext_sid = 0;
607 	int rc = 0;
608 
609 	mutex_lock(&sbsec->lock);
610 
611 	if (!selinux_initialized(&selinux_state)) {
612 		if (!opts) {
613 			/* Defer initialization until selinux_complete_init,
614 			   after the initial policy is loaded and the security
615 			   server is ready to handle calls. */
616 			goto out;
617 		}
618 		rc = -EINVAL;
619 		pr_warn("SELinux: Unable to set superblock options "
620 			"before the security server is initialized\n");
621 		goto out;
622 	}
623 	if (kern_flags && !set_kern_flags) {
624 		/* Specifying internal flags without providing a place to
625 		 * place the results is not allowed */
626 		rc = -EINVAL;
627 		goto out;
628 	}
629 
630 	/*
631 	 * Binary mount data FS will come through this function twice.  Once
632 	 * from an explicit call and once from the generic calls from the vfs.
633 	 * Since the generic VFS calls will not contain any security mount data
634 	 * we need to skip the double mount verification.
635 	 *
636 	 * This does open a hole in which we will not notice if the first
637 	 * mount using this sb set explict options and a second mount using
638 	 * this sb does not set any security options.  (The first options
639 	 * will be used for both mounts)
640 	 */
641 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
642 	    && !opts)
643 		goto out;
644 
645 	root_isec = backing_inode_security_novalidate(root);
646 
647 	/*
648 	 * parse the mount options, check if they are valid sids.
649 	 * also check if someone is trying to mount the same sb more
650 	 * than once with different security options.
651 	 */
652 	if (opts) {
653 		if (opts->fscontext) {
654 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
655 			if (rc)
656 				goto out;
657 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
658 					fscontext_sid))
659 				goto out_double_mount;
660 			sbsec->flags |= FSCONTEXT_MNT;
661 		}
662 		if (opts->context) {
663 			rc = parse_sid(sb, opts->context, &context_sid);
664 			if (rc)
665 				goto out;
666 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
667 					context_sid))
668 				goto out_double_mount;
669 			sbsec->flags |= CONTEXT_MNT;
670 		}
671 		if (opts->rootcontext) {
672 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
673 			if (rc)
674 				goto out;
675 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
676 					rootcontext_sid))
677 				goto out_double_mount;
678 			sbsec->flags |= ROOTCONTEXT_MNT;
679 		}
680 		if (opts->defcontext) {
681 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
682 			if (rc)
683 				goto out;
684 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
685 					defcontext_sid))
686 				goto out_double_mount;
687 			sbsec->flags |= DEFCONTEXT_MNT;
688 		}
689 	}
690 
691 	if (sbsec->flags & SE_SBINITIALIZED) {
692 		/* previously mounted with options, but not on this attempt? */
693 		if ((sbsec->flags & SE_MNTMASK) && !opts)
694 			goto out_double_mount;
695 		rc = 0;
696 		goto out;
697 	}
698 
699 	if (strcmp(sb->s_type->name, "proc") == 0)
700 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
701 
702 	if (!strcmp(sb->s_type->name, "debugfs") ||
703 	    !strcmp(sb->s_type->name, "tracefs") ||
704 	    !strcmp(sb->s_type->name, "binder") ||
705 	    !strcmp(sb->s_type->name, "bpf") ||
706 	    !strcmp(sb->s_type->name, "pstore"))
707 		sbsec->flags |= SE_SBGENFS;
708 
709 	if (!strcmp(sb->s_type->name, "sysfs") ||
710 	    !strcmp(sb->s_type->name, "cgroup") ||
711 	    !strcmp(sb->s_type->name, "cgroup2"))
712 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
713 
714 	if (!sbsec->behavior) {
715 		/*
716 		 * Determine the labeling behavior to use for this
717 		 * filesystem type.
718 		 */
719 		rc = security_fs_use(&selinux_state, sb);
720 		if (rc) {
721 			pr_warn("%s: security_fs_use(%s) returned %d\n",
722 					__func__, sb->s_type->name, rc);
723 			goto out;
724 		}
725 	}
726 
727 	/*
728 	 * If this is a user namespace mount and the filesystem type is not
729 	 * explicitly whitelisted, then no contexts are allowed on the command
730 	 * line and security labels must be ignored.
731 	 */
732 	if (sb->s_user_ns != &init_user_ns &&
733 	    strcmp(sb->s_type->name, "tmpfs") &&
734 	    strcmp(sb->s_type->name, "ramfs") &&
735 	    strcmp(sb->s_type->name, "devpts")) {
736 		if (context_sid || fscontext_sid || rootcontext_sid ||
737 		    defcontext_sid) {
738 			rc = -EACCES;
739 			goto out;
740 		}
741 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
742 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
743 			rc = security_transition_sid(&selinux_state,
744 						     current_sid(),
745 						     current_sid(),
746 						     SECCLASS_FILE, NULL,
747 						     &sbsec->mntpoint_sid);
748 			if (rc)
749 				goto out;
750 		}
751 		goto out_set_opts;
752 	}
753 
754 	/* sets the context of the superblock for the fs being mounted. */
755 	if (fscontext_sid) {
756 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
757 		if (rc)
758 			goto out;
759 
760 		sbsec->sid = fscontext_sid;
761 	}
762 
763 	/*
764 	 * Switch to using mount point labeling behavior.
765 	 * sets the label used on all file below the mountpoint, and will set
766 	 * the superblock context if not already set.
767 	 */
768 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
769 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
770 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
771 	}
772 
773 	if (context_sid) {
774 		if (!fscontext_sid) {
775 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
776 							  cred);
777 			if (rc)
778 				goto out;
779 			sbsec->sid = context_sid;
780 		} else {
781 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
782 							     cred);
783 			if (rc)
784 				goto out;
785 		}
786 		if (!rootcontext_sid)
787 			rootcontext_sid = context_sid;
788 
789 		sbsec->mntpoint_sid = context_sid;
790 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
791 	}
792 
793 	if (rootcontext_sid) {
794 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
795 						     cred);
796 		if (rc)
797 			goto out;
798 
799 		root_isec->sid = rootcontext_sid;
800 		root_isec->initialized = LABEL_INITIALIZED;
801 	}
802 
803 	if (defcontext_sid) {
804 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
805 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
806 			rc = -EINVAL;
807 			pr_warn("SELinux: defcontext option is "
808 			       "invalid for this filesystem type\n");
809 			goto out;
810 		}
811 
812 		if (defcontext_sid != sbsec->def_sid) {
813 			rc = may_context_mount_inode_relabel(defcontext_sid,
814 							     sbsec, cred);
815 			if (rc)
816 				goto out;
817 		}
818 
819 		sbsec->def_sid = defcontext_sid;
820 	}
821 
822 out_set_opts:
823 	rc = sb_finish_set_opts(sb);
824 out:
825 	mutex_unlock(&sbsec->lock);
826 	return rc;
827 out_double_mount:
828 	rc = -EINVAL;
829 	pr_warn("SELinux: mount invalid.  Same superblock, different "
830 	       "security settings for (dev %s, type %s)\n", sb->s_id,
831 	       sb->s_type->name);
832 	goto out;
833 }
834 
835 static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 				    const struct super_block *newsb)
837 {
838 	struct superblock_security_struct *old = oldsb->s_security;
839 	struct superblock_security_struct *new = newsb->s_security;
840 	char oldflags = old->flags & SE_MNTMASK;
841 	char newflags = new->flags & SE_MNTMASK;
842 
843 	if (oldflags != newflags)
844 		goto mismatch;
845 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
846 		goto mismatch;
847 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
848 		goto mismatch;
849 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
850 		goto mismatch;
851 	if (oldflags & ROOTCONTEXT_MNT) {
852 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
853 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
854 		if (oldroot->sid != newroot->sid)
855 			goto mismatch;
856 	}
857 	return 0;
858 mismatch:
859 	pr_warn("SELinux: mount invalid.  Same superblock, "
860 			    "different security settings for (dev %s, "
861 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
862 	return -EBUSY;
863 }
864 
865 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
866 					struct super_block *newsb,
867 					unsigned long kern_flags,
868 					unsigned long *set_kern_flags)
869 {
870 	int rc = 0;
871 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
872 	struct superblock_security_struct *newsbsec = newsb->s_security;
873 
874 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
875 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
876 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
877 
878 	/*
879 	 * if the parent was able to be mounted it clearly had no special lsm
880 	 * mount options.  thus we can safely deal with this superblock later
881 	 */
882 	if (!selinux_initialized(&selinux_state))
883 		return 0;
884 
885 	/*
886 	 * Specifying internal flags without providing a place to
887 	 * place the results is not allowed.
888 	 */
889 	if (kern_flags && !set_kern_flags)
890 		return -EINVAL;
891 
892 	/* how can we clone if the old one wasn't set up?? */
893 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
894 
895 	/* if fs is reusing a sb, make sure that the contexts match */
896 	if (newsbsec->flags & SE_SBINITIALIZED) {
897 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
898 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
899 		return selinux_cmp_sb_context(oldsb, newsb);
900 	}
901 
902 	mutex_lock(&newsbsec->lock);
903 
904 	newsbsec->flags = oldsbsec->flags;
905 
906 	newsbsec->sid = oldsbsec->sid;
907 	newsbsec->def_sid = oldsbsec->def_sid;
908 	newsbsec->behavior = oldsbsec->behavior;
909 
910 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
911 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
912 		rc = security_fs_use(&selinux_state, newsb);
913 		if (rc)
914 			goto out;
915 	}
916 
917 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
918 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
919 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
920 	}
921 
922 	if (set_context) {
923 		u32 sid = oldsbsec->mntpoint_sid;
924 
925 		if (!set_fscontext)
926 			newsbsec->sid = sid;
927 		if (!set_rootcontext) {
928 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
929 			newisec->sid = sid;
930 		}
931 		newsbsec->mntpoint_sid = sid;
932 	}
933 	if (set_rootcontext) {
934 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
935 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
936 
937 		newisec->sid = oldisec->sid;
938 	}
939 
940 	sb_finish_set_opts(newsb);
941 out:
942 	mutex_unlock(&newsbsec->lock);
943 	return rc;
944 }
945 
946 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
947 {
948 	struct selinux_mnt_opts *opts = *mnt_opts;
949 
950 	if (token == Opt_seclabel)	/* eaten and completely ignored */
951 		return 0;
952 
953 	if (!opts) {
954 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
955 		if (!opts)
956 			return -ENOMEM;
957 		*mnt_opts = opts;
958 	}
959 	if (!s)
960 		return -ENOMEM;
961 	switch (token) {
962 	case Opt_context:
963 		if (opts->context || opts->defcontext)
964 			goto Einval;
965 		opts->context = s;
966 		break;
967 	case Opt_fscontext:
968 		if (opts->fscontext)
969 			goto Einval;
970 		opts->fscontext = s;
971 		break;
972 	case Opt_rootcontext:
973 		if (opts->rootcontext)
974 			goto Einval;
975 		opts->rootcontext = s;
976 		break;
977 	case Opt_defcontext:
978 		if (opts->context || opts->defcontext)
979 			goto Einval;
980 		opts->defcontext = s;
981 		break;
982 	}
983 	return 0;
984 Einval:
985 	pr_warn(SEL_MOUNT_FAIL_MSG);
986 	return -EINVAL;
987 }
988 
989 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
990 			       void **mnt_opts)
991 {
992 	int token = Opt_error;
993 	int rc, i;
994 
995 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
996 		if (strcmp(option, tokens[i].name) == 0) {
997 			token = tokens[i].opt;
998 			break;
999 		}
1000 	}
1001 
1002 	if (token == Opt_error)
1003 		return -EINVAL;
1004 
1005 	if (token != Opt_seclabel) {
1006 		val = kmemdup_nul(val, len, GFP_KERNEL);
1007 		if (!val) {
1008 			rc = -ENOMEM;
1009 			goto free_opt;
1010 		}
1011 	}
1012 	rc = selinux_add_opt(token, val, mnt_opts);
1013 	if (unlikely(rc)) {
1014 		kfree(val);
1015 		goto free_opt;
1016 	}
1017 	return rc;
1018 
1019 free_opt:
1020 	if (*mnt_opts) {
1021 		selinux_free_mnt_opts(*mnt_opts);
1022 		*mnt_opts = NULL;
1023 	}
1024 	return rc;
1025 }
1026 
1027 static int show_sid(struct seq_file *m, u32 sid)
1028 {
1029 	char *context = NULL;
1030 	u32 len;
1031 	int rc;
1032 
1033 	rc = security_sid_to_context(&selinux_state, sid,
1034 					     &context, &len);
1035 	if (!rc) {
1036 		bool has_comma = context && strchr(context, ',');
1037 
1038 		seq_putc(m, '=');
1039 		if (has_comma)
1040 			seq_putc(m, '\"');
1041 		seq_escape(m, context, "\"\n\\");
1042 		if (has_comma)
1043 			seq_putc(m, '\"');
1044 	}
1045 	kfree(context);
1046 	return rc;
1047 }
1048 
1049 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1050 {
1051 	struct superblock_security_struct *sbsec = sb->s_security;
1052 	int rc;
1053 
1054 	if (!(sbsec->flags & SE_SBINITIALIZED))
1055 		return 0;
1056 
1057 	if (!selinux_initialized(&selinux_state))
1058 		return 0;
1059 
1060 	if (sbsec->flags & FSCONTEXT_MNT) {
1061 		seq_putc(m, ',');
1062 		seq_puts(m, FSCONTEXT_STR);
1063 		rc = show_sid(m, sbsec->sid);
1064 		if (rc)
1065 			return rc;
1066 	}
1067 	if (sbsec->flags & CONTEXT_MNT) {
1068 		seq_putc(m, ',');
1069 		seq_puts(m, CONTEXT_STR);
1070 		rc = show_sid(m, sbsec->mntpoint_sid);
1071 		if (rc)
1072 			return rc;
1073 	}
1074 	if (sbsec->flags & DEFCONTEXT_MNT) {
1075 		seq_putc(m, ',');
1076 		seq_puts(m, DEFCONTEXT_STR);
1077 		rc = show_sid(m, sbsec->def_sid);
1078 		if (rc)
1079 			return rc;
1080 	}
1081 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1082 		struct dentry *root = sbsec->sb->s_root;
1083 		struct inode_security_struct *isec = backing_inode_security(root);
1084 		seq_putc(m, ',');
1085 		seq_puts(m, ROOTCONTEXT_STR);
1086 		rc = show_sid(m, isec->sid);
1087 		if (rc)
1088 			return rc;
1089 	}
1090 	if (sbsec->flags & SBLABEL_MNT) {
1091 		seq_putc(m, ',');
1092 		seq_puts(m, SECLABEL_STR);
1093 	}
1094 	return 0;
1095 }
1096 
1097 static inline u16 inode_mode_to_security_class(umode_t mode)
1098 {
1099 	switch (mode & S_IFMT) {
1100 	case S_IFSOCK:
1101 		return SECCLASS_SOCK_FILE;
1102 	case S_IFLNK:
1103 		return SECCLASS_LNK_FILE;
1104 	case S_IFREG:
1105 		return SECCLASS_FILE;
1106 	case S_IFBLK:
1107 		return SECCLASS_BLK_FILE;
1108 	case S_IFDIR:
1109 		return SECCLASS_DIR;
1110 	case S_IFCHR:
1111 		return SECCLASS_CHR_FILE;
1112 	case S_IFIFO:
1113 		return SECCLASS_FIFO_FILE;
1114 
1115 	}
1116 
1117 	return SECCLASS_FILE;
1118 }
1119 
1120 static inline int default_protocol_stream(int protocol)
1121 {
1122 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1123 }
1124 
1125 static inline int default_protocol_dgram(int protocol)
1126 {
1127 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1128 }
1129 
1130 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1131 {
1132 	int extsockclass = selinux_policycap_extsockclass();
1133 
1134 	switch (family) {
1135 	case PF_UNIX:
1136 		switch (type) {
1137 		case SOCK_STREAM:
1138 		case SOCK_SEQPACKET:
1139 			return SECCLASS_UNIX_STREAM_SOCKET;
1140 		case SOCK_DGRAM:
1141 		case SOCK_RAW:
1142 			return SECCLASS_UNIX_DGRAM_SOCKET;
1143 		}
1144 		break;
1145 	case PF_INET:
1146 	case PF_INET6:
1147 		switch (type) {
1148 		case SOCK_STREAM:
1149 		case SOCK_SEQPACKET:
1150 			if (default_protocol_stream(protocol))
1151 				return SECCLASS_TCP_SOCKET;
1152 			else if (extsockclass && protocol == IPPROTO_SCTP)
1153 				return SECCLASS_SCTP_SOCKET;
1154 			else
1155 				return SECCLASS_RAWIP_SOCKET;
1156 		case SOCK_DGRAM:
1157 			if (default_protocol_dgram(protocol))
1158 				return SECCLASS_UDP_SOCKET;
1159 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1160 						  protocol == IPPROTO_ICMPV6))
1161 				return SECCLASS_ICMP_SOCKET;
1162 			else
1163 				return SECCLASS_RAWIP_SOCKET;
1164 		case SOCK_DCCP:
1165 			return SECCLASS_DCCP_SOCKET;
1166 		default:
1167 			return SECCLASS_RAWIP_SOCKET;
1168 		}
1169 		break;
1170 	case PF_NETLINK:
1171 		switch (protocol) {
1172 		case NETLINK_ROUTE:
1173 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1174 		case NETLINK_SOCK_DIAG:
1175 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1176 		case NETLINK_NFLOG:
1177 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1178 		case NETLINK_XFRM:
1179 			return SECCLASS_NETLINK_XFRM_SOCKET;
1180 		case NETLINK_SELINUX:
1181 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1182 		case NETLINK_ISCSI:
1183 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1184 		case NETLINK_AUDIT:
1185 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1186 		case NETLINK_FIB_LOOKUP:
1187 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1188 		case NETLINK_CONNECTOR:
1189 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1190 		case NETLINK_NETFILTER:
1191 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1192 		case NETLINK_DNRTMSG:
1193 			return SECCLASS_NETLINK_DNRT_SOCKET;
1194 		case NETLINK_KOBJECT_UEVENT:
1195 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1196 		case NETLINK_GENERIC:
1197 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1198 		case NETLINK_SCSITRANSPORT:
1199 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1200 		case NETLINK_RDMA:
1201 			return SECCLASS_NETLINK_RDMA_SOCKET;
1202 		case NETLINK_CRYPTO:
1203 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1204 		default:
1205 			return SECCLASS_NETLINK_SOCKET;
1206 		}
1207 	case PF_PACKET:
1208 		return SECCLASS_PACKET_SOCKET;
1209 	case PF_KEY:
1210 		return SECCLASS_KEY_SOCKET;
1211 	case PF_APPLETALK:
1212 		return SECCLASS_APPLETALK_SOCKET;
1213 	}
1214 
1215 	if (extsockclass) {
1216 		switch (family) {
1217 		case PF_AX25:
1218 			return SECCLASS_AX25_SOCKET;
1219 		case PF_IPX:
1220 			return SECCLASS_IPX_SOCKET;
1221 		case PF_NETROM:
1222 			return SECCLASS_NETROM_SOCKET;
1223 		case PF_ATMPVC:
1224 			return SECCLASS_ATMPVC_SOCKET;
1225 		case PF_X25:
1226 			return SECCLASS_X25_SOCKET;
1227 		case PF_ROSE:
1228 			return SECCLASS_ROSE_SOCKET;
1229 		case PF_DECnet:
1230 			return SECCLASS_DECNET_SOCKET;
1231 		case PF_ATMSVC:
1232 			return SECCLASS_ATMSVC_SOCKET;
1233 		case PF_RDS:
1234 			return SECCLASS_RDS_SOCKET;
1235 		case PF_IRDA:
1236 			return SECCLASS_IRDA_SOCKET;
1237 		case PF_PPPOX:
1238 			return SECCLASS_PPPOX_SOCKET;
1239 		case PF_LLC:
1240 			return SECCLASS_LLC_SOCKET;
1241 		case PF_CAN:
1242 			return SECCLASS_CAN_SOCKET;
1243 		case PF_TIPC:
1244 			return SECCLASS_TIPC_SOCKET;
1245 		case PF_BLUETOOTH:
1246 			return SECCLASS_BLUETOOTH_SOCKET;
1247 		case PF_IUCV:
1248 			return SECCLASS_IUCV_SOCKET;
1249 		case PF_RXRPC:
1250 			return SECCLASS_RXRPC_SOCKET;
1251 		case PF_ISDN:
1252 			return SECCLASS_ISDN_SOCKET;
1253 		case PF_PHONET:
1254 			return SECCLASS_PHONET_SOCKET;
1255 		case PF_IEEE802154:
1256 			return SECCLASS_IEEE802154_SOCKET;
1257 		case PF_CAIF:
1258 			return SECCLASS_CAIF_SOCKET;
1259 		case PF_ALG:
1260 			return SECCLASS_ALG_SOCKET;
1261 		case PF_NFC:
1262 			return SECCLASS_NFC_SOCKET;
1263 		case PF_VSOCK:
1264 			return SECCLASS_VSOCK_SOCKET;
1265 		case PF_KCM:
1266 			return SECCLASS_KCM_SOCKET;
1267 		case PF_QIPCRTR:
1268 			return SECCLASS_QIPCRTR_SOCKET;
1269 		case PF_SMC:
1270 			return SECCLASS_SMC_SOCKET;
1271 		case PF_XDP:
1272 			return SECCLASS_XDP_SOCKET;
1273 #if PF_MAX > 45
1274 #error New address family defined, please update this function.
1275 #endif
1276 		}
1277 	}
1278 
1279 	return SECCLASS_SOCKET;
1280 }
1281 
1282 static int selinux_genfs_get_sid(struct dentry *dentry,
1283 				 u16 tclass,
1284 				 u16 flags,
1285 				 u32 *sid)
1286 {
1287 	int rc;
1288 	struct super_block *sb = dentry->d_sb;
1289 	char *buffer, *path;
1290 
1291 	buffer = (char *)__get_free_page(GFP_KERNEL);
1292 	if (!buffer)
1293 		return -ENOMEM;
1294 
1295 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1296 	if (IS_ERR(path))
1297 		rc = PTR_ERR(path);
1298 	else {
1299 		if (flags & SE_SBPROC) {
1300 			/* each process gets a /proc/PID/ entry. Strip off the
1301 			 * PID part to get a valid selinux labeling.
1302 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1303 			while (path[1] >= '0' && path[1] <= '9') {
1304 				path[1] = '/';
1305 				path++;
1306 			}
1307 		}
1308 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1309 					path, tclass, sid);
1310 		if (rc == -ENOENT) {
1311 			/* No match in policy, mark as unlabeled. */
1312 			*sid = SECINITSID_UNLABELED;
1313 			rc = 0;
1314 		}
1315 	}
1316 	free_page((unsigned long)buffer);
1317 	return rc;
1318 }
1319 
1320 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1321 				  u32 def_sid, u32 *sid)
1322 {
1323 #define INITCONTEXTLEN 255
1324 	char *context;
1325 	unsigned int len;
1326 	int rc;
1327 
1328 	len = INITCONTEXTLEN;
1329 	context = kmalloc(len + 1, GFP_NOFS);
1330 	if (!context)
1331 		return -ENOMEM;
1332 
1333 	context[len] = '\0';
1334 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1335 	if (rc == -ERANGE) {
1336 		kfree(context);
1337 
1338 		/* Need a larger buffer.  Query for the right size. */
1339 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1340 		if (rc < 0)
1341 			return rc;
1342 
1343 		len = rc;
1344 		context = kmalloc(len + 1, GFP_NOFS);
1345 		if (!context)
1346 			return -ENOMEM;
1347 
1348 		context[len] = '\0';
1349 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1350 				    context, len);
1351 	}
1352 	if (rc < 0) {
1353 		kfree(context);
1354 		if (rc != -ENODATA) {
1355 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1356 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1357 			return rc;
1358 		}
1359 		*sid = def_sid;
1360 		return 0;
1361 	}
1362 
1363 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1364 					     def_sid, GFP_NOFS);
1365 	if (rc) {
1366 		char *dev = inode->i_sb->s_id;
1367 		unsigned long ino = inode->i_ino;
1368 
1369 		if (rc == -EINVAL) {
1370 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1371 					      ino, dev, context);
1372 		} else {
1373 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1374 				__func__, context, -rc, dev, ino);
1375 		}
1376 	}
1377 	kfree(context);
1378 	return 0;
1379 }
1380 
1381 /* The inode's security attributes must be initialized before first use. */
1382 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1383 {
1384 	struct superblock_security_struct *sbsec = NULL;
1385 	struct inode_security_struct *isec = selinux_inode(inode);
1386 	u32 task_sid, sid = 0;
1387 	u16 sclass;
1388 	struct dentry *dentry;
1389 	int rc = 0;
1390 
1391 	if (isec->initialized == LABEL_INITIALIZED)
1392 		return 0;
1393 
1394 	spin_lock(&isec->lock);
1395 	if (isec->initialized == LABEL_INITIALIZED)
1396 		goto out_unlock;
1397 
1398 	if (isec->sclass == SECCLASS_FILE)
1399 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1400 
1401 	sbsec = inode->i_sb->s_security;
1402 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1403 		/* Defer initialization until selinux_complete_init,
1404 		   after the initial policy is loaded and the security
1405 		   server is ready to handle calls. */
1406 		spin_lock(&sbsec->isec_lock);
1407 		if (list_empty(&isec->list))
1408 			list_add(&isec->list, &sbsec->isec_head);
1409 		spin_unlock(&sbsec->isec_lock);
1410 		goto out_unlock;
1411 	}
1412 
1413 	sclass = isec->sclass;
1414 	task_sid = isec->task_sid;
1415 	sid = isec->sid;
1416 	isec->initialized = LABEL_PENDING;
1417 	spin_unlock(&isec->lock);
1418 
1419 	switch (sbsec->behavior) {
1420 	case SECURITY_FS_USE_NATIVE:
1421 		break;
1422 	case SECURITY_FS_USE_XATTR:
1423 		if (!(inode->i_opflags & IOP_XATTR)) {
1424 			sid = sbsec->def_sid;
1425 			break;
1426 		}
1427 		/* Need a dentry, since the xattr API requires one.
1428 		   Life would be simpler if we could just pass the inode. */
1429 		if (opt_dentry) {
1430 			/* Called from d_instantiate or d_splice_alias. */
1431 			dentry = dget(opt_dentry);
1432 		} else {
1433 			/*
1434 			 * Called from selinux_complete_init, try to find a dentry.
1435 			 * Some filesystems really want a connected one, so try
1436 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1437 			 * two, depending upon that...
1438 			 */
1439 			dentry = d_find_alias(inode);
1440 			if (!dentry)
1441 				dentry = d_find_any_alias(inode);
1442 		}
1443 		if (!dentry) {
1444 			/*
1445 			 * this is can be hit on boot when a file is accessed
1446 			 * before the policy is loaded.  When we load policy we
1447 			 * may find inodes that have no dentry on the
1448 			 * sbsec->isec_head list.  No reason to complain as these
1449 			 * will get fixed up the next time we go through
1450 			 * inode_doinit with a dentry, before these inodes could
1451 			 * be used again by userspace.
1452 			 */
1453 			goto out;
1454 		}
1455 
1456 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1457 					    &sid);
1458 		dput(dentry);
1459 		if (rc)
1460 			goto out;
1461 		break;
1462 	case SECURITY_FS_USE_TASK:
1463 		sid = task_sid;
1464 		break;
1465 	case SECURITY_FS_USE_TRANS:
1466 		/* Default to the fs SID. */
1467 		sid = sbsec->sid;
1468 
1469 		/* Try to obtain a transition SID. */
1470 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1471 					     sclass, NULL, &sid);
1472 		if (rc)
1473 			goto out;
1474 		break;
1475 	case SECURITY_FS_USE_MNTPOINT:
1476 		sid = sbsec->mntpoint_sid;
1477 		break;
1478 	default:
1479 		/* Default to the fs superblock SID. */
1480 		sid = sbsec->sid;
1481 
1482 		if ((sbsec->flags & SE_SBGENFS) &&
1483 		     (!S_ISLNK(inode->i_mode) ||
1484 		      selinux_policycap_genfs_seclabel_symlinks())) {
1485 			/* We must have a dentry to determine the label on
1486 			 * procfs inodes */
1487 			if (opt_dentry) {
1488 				/* Called from d_instantiate or
1489 				 * d_splice_alias. */
1490 				dentry = dget(opt_dentry);
1491 			} else {
1492 				/* Called from selinux_complete_init, try to
1493 				 * find a dentry.  Some filesystems really want
1494 				 * a connected one, so try that first.
1495 				 */
1496 				dentry = d_find_alias(inode);
1497 				if (!dentry)
1498 					dentry = d_find_any_alias(inode);
1499 			}
1500 			/*
1501 			 * This can be hit on boot when a file is accessed
1502 			 * before the policy is loaded.  When we load policy we
1503 			 * may find inodes that have no dentry on the
1504 			 * sbsec->isec_head list.  No reason to complain as
1505 			 * these will get fixed up the next time we go through
1506 			 * inode_doinit() with a dentry, before these inodes
1507 			 * could be used again by userspace.
1508 			 */
1509 			if (!dentry)
1510 				goto out;
1511 			rc = selinux_genfs_get_sid(dentry, sclass,
1512 						   sbsec->flags, &sid);
1513 			if (rc) {
1514 				dput(dentry);
1515 				goto out;
1516 			}
1517 
1518 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1519 			    (inode->i_opflags & IOP_XATTR)) {
1520 				rc = inode_doinit_use_xattr(inode, dentry,
1521 							    sid, &sid);
1522 				if (rc) {
1523 					dput(dentry);
1524 					goto out;
1525 				}
1526 			}
1527 			dput(dentry);
1528 		}
1529 		break;
1530 	}
1531 
1532 out:
1533 	spin_lock(&isec->lock);
1534 	if (isec->initialized == LABEL_PENDING) {
1535 		if (!sid || rc) {
1536 			isec->initialized = LABEL_INVALID;
1537 			goto out_unlock;
1538 		}
1539 
1540 		isec->initialized = LABEL_INITIALIZED;
1541 		isec->sid = sid;
1542 	}
1543 
1544 out_unlock:
1545 	spin_unlock(&isec->lock);
1546 	return rc;
1547 }
1548 
1549 /* Convert a Linux signal to an access vector. */
1550 static inline u32 signal_to_av(int sig)
1551 {
1552 	u32 perm = 0;
1553 
1554 	switch (sig) {
1555 	case SIGCHLD:
1556 		/* Commonly granted from child to parent. */
1557 		perm = PROCESS__SIGCHLD;
1558 		break;
1559 	case SIGKILL:
1560 		/* Cannot be caught or ignored */
1561 		perm = PROCESS__SIGKILL;
1562 		break;
1563 	case SIGSTOP:
1564 		/* Cannot be caught or ignored */
1565 		perm = PROCESS__SIGSTOP;
1566 		break;
1567 	default:
1568 		/* All other signals. */
1569 		perm = PROCESS__SIGNAL;
1570 		break;
1571 	}
1572 
1573 	return perm;
1574 }
1575 
1576 #if CAP_LAST_CAP > 63
1577 #error Fix SELinux to handle capabilities > 63.
1578 #endif
1579 
1580 /* Check whether a task is allowed to use a capability. */
1581 static int cred_has_capability(const struct cred *cred,
1582 			       int cap, unsigned int opts, bool initns)
1583 {
1584 	struct common_audit_data ad;
1585 	struct av_decision avd;
1586 	u16 sclass;
1587 	u32 sid = cred_sid(cred);
1588 	u32 av = CAP_TO_MASK(cap);
1589 	int rc;
1590 
1591 	ad.type = LSM_AUDIT_DATA_CAP;
1592 	ad.u.cap = cap;
1593 
1594 	switch (CAP_TO_INDEX(cap)) {
1595 	case 0:
1596 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1597 		break;
1598 	case 1:
1599 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1600 		break;
1601 	default:
1602 		pr_err("SELinux:  out of range capability %d\n", cap);
1603 		BUG();
1604 		return -EINVAL;
1605 	}
1606 
1607 	rc = avc_has_perm_noaudit(&selinux_state,
1608 				  sid, sid, sclass, av, 0, &avd);
1609 	if (!(opts & CAP_OPT_NOAUDIT)) {
1610 		int rc2 = avc_audit(&selinux_state,
1611 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1612 		if (rc2)
1613 			return rc2;
1614 	}
1615 	return rc;
1616 }
1617 
1618 /* Check whether a task has a particular permission to an inode.
1619    The 'adp' parameter is optional and allows other audit
1620    data to be passed (e.g. the dentry). */
1621 static int inode_has_perm(const struct cred *cred,
1622 			  struct inode *inode,
1623 			  u32 perms,
1624 			  struct common_audit_data *adp)
1625 {
1626 	struct inode_security_struct *isec;
1627 	u32 sid;
1628 
1629 	validate_creds(cred);
1630 
1631 	if (unlikely(IS_PRIVATE(inode)))
1632 		return 0;
1633 
1634 	sid = cred_sid(cred);
1635 	isec = selinux_inode(inode);
1636 
1637 	return avc_has_perm(&selinux_state,
1638 			    sid, isec->sid, isec->sclass, perms, adp);
1639 }
1640 
1641 /* Same as inode_has_perm, but pass explicit audit data containing
1642    the dentry to help the auditing code to more easily generate the
1643    pathname if needed. */
1644 static inline int dentry_has_perm(const struct cred *cred,
1645 				  struct dentry *dentry,
1646 				  u32 av)
1647 {
1648 	struct inode *inode = d_backing_inode(dentry);
1649 	struct common_audit_data ad;
1650 
1651 	ad.type = LSM_AUDIT_DATA_DENTRY;
1652 	ad.u.dentry = dentry;
1653 	__inode_security_revalidate(inode, dentry, true);
1654 	return inode_has_perm(cred, inode, av, &ad);
1655 }
1656 
1657 /* Same as inode_has_perm, but pass explicit audit data containing
1658    the path to help the auditing code to more easily generate the
1659    pathname if needed. */
1660 static inline int path_has_perm(const struct cred *cred,
1661 				const struct path *path,
1662 				u32 av)
1663 {
1664 	struct inode *inode = d_backing_inode(path->dentry);
1665 	struct common_audit_data ad;
1666 
1667 	ad.type = LSM_AUDIT_DATA_PATH;
1668 	ad.u.path = *path;
1669 	__inode_security_revalidate(inode, path->dentry, true);
1670 	return inode_has_perm(cred, inode, av, &ad);
1671 }
1672 
1673 /* Same as path_has_perm, but uses the inode from the file struct. */
1674 static inline int file_path_has_perm(const struct cred *cred,
1675 				     struct file *file,
1676 				     u32 av)
1677 {
1678 	struct common_audit_data ad;
1679 
1680 	ad.type = LSM_AUDIT_DATA_FILE;
1681 	ad.u.file = file;
1682 	return inode_has_perm(cred, file_inode(file), av, &ad);
1683 }
1684 
1685 #ifdef CONFIG_BPF_SYSCALL
1686 static int bpf_fd_pass(struct file *file, u32 sid);
1687 #endif
1688 
1689 /* Check whether a task can use an open file descriptor to
1690    access an inode in a given way.  Check access to the
1691    descriptor itself, and then use dentry_has_perm to
1692    check a particular permission to the file.
1693    Access to the descriptor is implicitly granted if it
1694    has the same SID as the process.  If av is zero, then
1695    access to the file is not checked, e.g. for cases
1696    where only the descriptor is affected like seek. */
1697 static int file_has_perm(const struct cred *cred,
1698 			 struct file *file,
1699 			 u32 av)
1700 {
1701 	struct file_security_struct *fsec = selinux_file(file);
1702 	struct inode *inode = file_inode(file);
1703 	struct common_audit_data ad;
1704 	u32 sid = cred_sid(cred);
1705 	int rc;
1706 
1707 	ad.type = LSM_AUDIT_DATA_FILE;
1708 	ad.u.file = file;
1709 
1710 	if (sid != fsec->sid) {
1711 		rc = avc_has_perm(&selinux_state,
1712 				  sid, fsec->sid,
1713 				  SECCLASS_FD,
1714 				  FD__USE,
1715 				  &ad);
1716 		if (rc)
1717 			goto out;
1718 	}
1719 
1720 #ifdef CONFIG_BPF_SYSCALL
1721 	rc = bpf_fd_pass(file, cred_sid(cred));
1722 	if (rc)
1723 		return rc;
1724 #endif
1725 
1726 	/* av is zero if only checking access to the descriptor. */
1727 	rc = 0;
1728 	if (av)
1729 		rc = inode_has_perm(cred, inode, av, &ad);
1730 
1731 out:
1732 	return rc;
1733 }
1734 
1735 /*
1736  * Determine the label for an inode that might be unioned.
1737  */
1738 static int
1739 selinux_determine_inode_label(const struct task_security_struct *tsec,
1740 				 struct inode *dir,
1741 				 const struct qstr *name, u16 tclass,
1742 				 u32 *_new_isid)
1743 {
1744 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1745 
1746 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1747 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1748 		*_new_isid = sbsec->mntpoint_sid;
1749 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1750 		   tsec->create_sid) {
1751 		*_new_isid = tsec->create_sid;
1752 	} else {
1753 		const struct inode_security_struct *dsec = inode_security(dir);
1754 		return security_transition_sid(&selinux_state, tsec->sid,
1755 					       dsec->sid, tclass,
1756 					       name, _new_isid);
1757 	}
1758 
1759 	return 0;
1760 }
1761 
1762 /* Check whether a task can create a file. */
1763 static int may_create(struct inode *dir,
1764 		      struct dentry *dentry,
1765 		      u16 tclass)
1766 {
1767 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1768 	struct inode_security_struct *dsec;
1769 	struct superblock_security_struct *sbsec;
1770 	u32 sid, newsid;
1771 	struct common_audit_data ad;
1772 	int rc;
1773 
1774 	dsec = inode_security(dir);
1775 	sbsec = dir->i_sb->s_security;
1776 
1777 	sid = tsec->sid;
1778 
1779 	ad.type = LSM_AUDIT_DATA_DENTRY;
1780 	ad.u.dentry = dentry;
1781 
1782 	rc = avc_has_perm(&selinux_state,
1783 			  sid, dsec->sid, SECCLASS_DIR,
1784 			  DIR__ADD_NAME | DIR__SEARCH,
1785 			  &ad);
1786 	if (rc)
1787 		return rc;
1788 
1789 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1790 					   &newsid);
1791 	if (rc)
1792 		return rc;
1793 
1794 	rc = avc_has_perm(&selinux_state,
1795 			  sid, newsid, tclass, FILE__CREATE, &ad);
1796 	if (rc)
1797 		return rc;
1798 
1799 	return avc_has_perm(&selinux_state,
1800 			    newsid, sbsec->sid,
1801 			    SECCLASS_FILESYSTEM,
1802 			    FILESYSTEM__ASSOCIATE, &ad);
1803 }
1804 
1805 #define MAY_LINK	0
1806 #define MAY_UNLINK	1
1807 #define MAY_RMDIR	2
1808 
1809 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1810 static int may_link(struct inode *dir,
1811 		    struct dentry *dentry,
1812 		    int kind)
1813 
1814 {
1815 	struct inode_security_struct *dsec, *isec;
1816 	struct common_audit_data ad;
1817 	u32 sid = current_sid();
1818 	u32 av;
1819 	int rc;
1820 
1821 	dsec = inode_security(dir);
1822 	isec = backing_inode_security(dentry);
1823 
1824 	ad.type = LSM_AUDIT_DATA_DENTRY;
1825 	ad.u.dentry = dentry;
1826 
1827 	av = DIR__SEARCH;
1828 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1829 	rc = avc_has_perm(&selinux_state,
1830 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1831 	if (rc)
1832 		return rc;
1833 
1834 	switch (kind) {
1835 	case MAY_LINK:
1836 		av = FILE__LINK;
1837 		break;
1838 	case MAY_UNLINK:
1839 		av = FILE__UNLINK;
1840 		break;
1841 	case MAY_RMDIR:
1842 		av = DIR__RMDIR;
1843 		break;
1844 	default:
1845 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1846 			__func__, kind);
1847 		return 0;
1848 	}
1849 
1850 	rc = avc_has_perm(&selinux_state,
1851 			  sid, isec->sid, isec->sclass, av, &ad);
1852 	return rc;
1853 }
1854 
1855 static inline int may_rename(struct inode *old_dir,
1856 			     struct dentry *old_dentry,
1857 			     struct inode *new_dir,
1858 			     struct dentry *new_dentry)
1859 {
1860 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1861 	struct common_audit_data ad;
1862 	u32 sid = current_sid();
1863 	u32 av;
1864 	int old_is_dir, new_is_dir;
1865 	int rc;
1866 
1867 	old_dsec = inode_security(old_dir);
1868 	old_isec = backing_inode_security(old_dentry);
1869 	old_is_dir = d_is_dir(old_dentry);
1870 	new_dsec = inode_security(new_dir);
1871 
1872 	ad.type = LSM_AUDIT_DATA_DENTRY;
1873 
1874 	ad.u.dentry = old_dentry;
1875 	rc = avc_has_perm(&selinux_state,
1876 			  sid, old_dsec->sid, SECCLASS_DIR,
1877 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1878 	if (rc)
1879 		return rc;
1880 	rc = avc_has_perm(&selinux_state,
1881 			  sid, old_isec->sid,
1882 			  old_isec->sclass, FILE__RENAME, &ad);
1883 	if (rc)
1884 		return rc;
1885 	if (old_is_dir && new_dir != old_dir) {
1886 		rc = avc_has_perm(&selinux_state,
1887 				  sid, old_isec->sid,
1888 				  old_isec->sclass, DIR__REPARENT, &ad);
1889 		if (rc)
1890 			return rc;
1891 	}
1892 
1893 	ad.u.dentry = new_dentry;
1894 	av = DIR__ADD_NAME | DIR__SEARCH;
1895 	if (d_is_positive(new_dentry))
1896 		av |= DIR__REMOVE_NAME;
1897 	rc = avc_has_perm(&selinux_state,
1898 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1899 	if (rc)
1900 		return rc;
1901 	if (d_is_positive(new_dentry)) {
1902 		new_isec = backing_inode_security(new_dentry);
1903 		new_is_dir = d_is_dir(new_dentry);
1904 		rc = avc_has_perm(&selinux_state,
1905 				  sid, new_isec->sid,
1906 				  new_isec->sclass,
1907 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1908 		if (rc)
1909 			return rc;
1910 	}
1911 
1912 	return 0;
1913 }
1914 
1915 /* Check whether a task can perform a filesystem operation. */
1916 static int superblock_has_perm(const struct cred *cred,
1917 			       struct super_block *sb,
1918 			       u32 perms,
1919 			       struct common_audit_data *ad)
1920 {
1921 	struct superblock_security_struct *sbsec;
1922 	u32 sid = cred_sid(cred);
1923 
1924 	sbsec = sb->s_security;
1925 	return avc_has_perm(&selinux_state,
1926 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1927 }
1928 
1929 /* Convert a Linux mode and permission mask to an access vector. */
1930 static inline u32 file_mask_to_av(int mode, int mask)
1931 {
1932 	u32 av = 0;
1933 
1934 	if (!S_ISDIR(mode)) {
1935 		if (mask & MAY_EXEC)
1936 			av |= FILE__EXECUTE;
1937 		if (mask & MAY_READ)
1938 			av |= FILE__READ;
1939 
1940 		if (mask & MAY_APPEND)
1941 			av |= FILE__APPEND;
1942 		else if (mask & MAY_WRITE)
1943 			av |= FILE__WRITE;
1944 
1945 	} else {
1946 		if (mask & MAY_EXEC)
1947 			av |= DIR__SEARCH;
1948 		if (mask & MAY_WRITE)
1949 			av |= DIR__WRITE;
1950 		if (mask & MAY_READ)
1951 			av |= DIR__READ;
1952 	}
1953 
1954 	return av;
1955 }
1956 
1957 /* Convert a Linux file to an access vector. */
1958 static inline u32 file_to_av(struct file *file)
1959 {
1960 	u32 av = 0;
1961 
1962 	if (file->f_mode & FMODE_READ)
1963 		av |= FILE__READ;
1964 	if (file->f_mode & FMODE_WRITE) {
1965 		if (file->f_flags & O_APPEND)
1966 			av |= FILE__APPEND;
1967 		else
1968 			av |= FILE__WRITE;
1969 	}
1970 	if (!av) {
1971 		/*
1972 		 * Special file opened with flags 3 for ioctl-only use.
1973 		 */
1974 		av = FILE__IOCTL;
1975 	}
1976 
1977 	return av;
1978 }
1979 
1980 /*
1981  * Convert a file to an access vector and include the correct open
1982  * open permission.
1983  */
1984 static inline u32 open_file_to_av(struct file *file)
1985 {
1986 	u32 av = file_to_av(file);
1987 	struct inode *inode = file_inode(file);
1988 
1989 	if (selinux_policycap_openperm() &&
1990 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1991 		av |= FILE__OPEN;
1992 
1993 	return av;
1994 }
1995 
1996 /* Hook functions begin here. */
1997 
1998 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1999 {
2000 	u32 mysid = current_sid();
2001 	u32 mgrsid = task_sid(mgr);
2002 
2003 	return avc_has_perm(&selinux_state,
2004 			    mysid, mgrsid, SECCLASS_BINDER,
2005 			    BINDER__SET_CONTEXT_MGR, NULL);
2006 }
2007 
2008 static int selinux_binder_transaction(struct task_struct *from,
2009 				      struct task_struct *to)
2010 {
2011 	u32 mysid = current_sid();
2012 	u32 fromsid = task_sid(from);
2013 	u32 tosid = task_sid(to);
2014 	int rc;
2015 
2016 	if (mysid != fromsid) {
2017 		rc = avc_has_perm(&selinux_state,
2018 				  mysid, fromsid, SECCLASS_BINDER,
2019 				  BINDER__IMPERSONATE, NULL);
2020 		if (rc)
2021 			return rc;
2022 	}
2023 
2024 	return avc_has_perm(&selinux_state,
2025 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2026 			    NULL);
2027 }
2028 
2029 static int selinux_binder_transfer_binder(struct task_struct *from,
2030 					  struct task_struct *to)
2031 {
2032 	u32 fromsid = task_sid(from);
2033 	u32 tosid = task_sid(to);
2034 
2035 	return avc_has_perm(&selinux_state,
2036 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2037 			    NULL);
2038 }
2039 
2040 static int selinux_binder_transfer_file(struct task_struct *from,
2041 					struct task_struct *to,
2042 					struct file *file)
2043 {
2044 	u32 sid = task_sid(to);
2045 	struct file_security_struct *fsec = selinux_file(file);
2046 	struct dentry *dentry = file->f_path.dentry;
2047 	struct inode_security_struct *isec;
2048 	struct common_audit_data ad;
2049 	int rc;
2050 
2051 	ad.type = LSM_AUDIT_DATA_PATH;
2052 	ad.u.path = file->f_path;
2053 
2054 	if (sid != fsec->sid) {
2055 		rc = avc_has_perm(&selinux_state,
2056 				  sid, fsec->sid,
2057 				  SECCLASS_FD,
2058 				  FD__USE,
2059 				  &ad);
2060 		if (rc)
2061 			return rc;
2062 	}
2063 
2064 #ifdef CONFIG_BPF_SYSCALL
2065 	rc = bpf_fd_pass(file, sid);
2066 	if (rc)
2067 		return rc;
2068 #endif
2069 
2070 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2071 		return 0;
2072 
2073 	isec = backing_inode_security(dentry);
2074 	return avc_has_perm(&selinux_state,
2075 			    sid, isec->sid, isec->sclass, file_to_av(file),
2076 			    &ad);
2077 }
2078 
2079 static int selinux_ptrace_access_check(struct task_struct *child,
2080 				     unsigned int mode)
2081 {
2082 	u32 sid = current_sid();
2083 	u32 csid = task_sid(child);
2084 
2085 	if (mode & PTRACE_MODE_READ)
2086 		return avc_has_perm(&selinux_state,
2087 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2088 
2089 	return avc_has_perm(&selinux_state,
2090 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2091 }
2092 
2093 static int selinux_ptrace_traceme(struct task_struct *parent)
2094 {
2095 	return avc_has_perm(&selinux_state,
2096 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2097 			    PROCESS__PTRACE, NULL);
2098 }
2099 
2100 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2101 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2102 {
2103 	return avc_has_perm(&selinux_state,
2104 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2105 			    PROCESS__GETCAP, NULL);
2106 }
2107 
2108 static int selinux_capset(struct cred *new, const struct cred *old,
2109 			  const kernel_cap_t *effective,
2110 			  const kernel_cap_t *inheritable,
2111 			  const kernel_cap_t *permitted)
2112 {
2113 	return avc_has_perm(&selinux_state,
2114 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2115 			    PROCESS__SETCAP, NULL);
2116 }
2117 
2118 /*
2119  * (This comment used to live with the selinux_task_setuid hook,
2120  * which was removed).
2121  *
2122  * Since setuid only affects the current process, and since the SELinux
2123  * controls are not based on the Linux identity attributes, SELinux does not
2124  * need to control this operation.  However, SELinux does control the use of
2125  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2126  */
2127 
2128 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2129 			   int cap, unsigned int opts)
2130 {
2131 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2132 }
2133 
2134 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2135 {
2136 	const struct cred *cred = current_cred();
2137 	int rc = 0;
2138 
2139 	if (!sb)
2140 		return 0;
2141 
2142 	switch (cmds) {
2143 	case Q_SYNC:
2144 	case Q_QUOTAON:
2145 	case Q_QUOTAOFF:
2146 	case Q_SETINFO:
2147 	case Q_SETQUOTA:
2148 	case Q_XQUOTAOFF:
2149 	case Q_XQUOTAON:
2150 	case Q_XSETQLIM:
2151 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2152 		break;
2153 	case Q_GETFMT:
2154 	case Q_GETINFO:
2155 	case Q_GETQUOTA:
2156 	case Q_XGETQUOTA:
2157 	case Q_XGETQSTAT:
2158 	case Q_XGETQSTATV:
2159 	case Q_XGETNEXTQUOTA:
2160 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2161 		break;
2162 	default:
2163 		rc = 0;  /* let the kernel handle invalid cmds */
2164 		break;
2165 	}
2166 	return rc;
2167 }
2168 
2169 static int selinux_quota_on(struct dentry *dentry)
2170 {
2171 	const struct cred *cred = current_cred();
2172 
2173 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2174 }
2175 
2176 static int selinux_syslog(int type)
2177 {
2178 	switch (type) {
2179 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2180 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2181 		return avc_has_perm(&selinux_state,
2182 				    current_sid(), SECINITSID_KERNEL,
2183 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2184 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2185 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2186 	/* Set level of messages printed to console */
2187 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2188 		return avc_has_perm(&selinux_state,
2189 				    current_sid(), SECINITSID_KERNEL,
2190 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2191 				    NULL);
2192 	}
2193 	/* All other syslog types */
2194 	return avc_has_perm(&selinux_state,
2195 			    current_sid(), SECINITSID_KERNEL,
2196 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2197 }
2198 
2199 /*
2200  * Check that a process has enough memory to allocate a new virtual
2201  * mapping. 0 means there is enough memory for the allocation to
2202  * succeed and -ENOMEM implies there is not.
2203  *
2204  * Do not audit the selinux permission check, as this is applied to all
2205  * processes that allocate mappings.
2206  */
2207 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2208 {
2209 	int rc, cap_sys_admin = 0;
2210 
2211 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2212 				 CAP_OPT_NOAUDIT, true);
2213 	if (rc == 0)
2214 		cap_sys_admin = 1;
2215 
2216 	return cap_sys_admin;
2217 }
2218 
2219 /* binprm security operations */
2220 
2221 static u32 ptrace_parent_sid(void)
2222 {
2223 	u32 sid = 0;
2224 	struct task_struct *tracer;
2225 
2226 	rcu_read_lock();
2227 	tracer = ptrace_parent(current);
2228 	if (tracer)
2229 		sid = task_sid(tracer);
2230 	rcu_read_unlock();
2231 
2232 	return sid;
2233 }
2234 
2235 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2236 			    const struct task_security_struct *old_tsec,
2237 			    const struct task_security_struct *new_tsec)
2238 {
2239 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2240 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2241 	int rc;
2242 	u32 av;
2243 
2244 	if (!nnp && !nosuid)
2245 		return 0; /* neither NNP nor nosuid */
2246 
2247 	if (new_tsec->sid == old_tsec->sid)
2248 		return 0; /* No change in credentials */
2249 
2250 	/*
2251 	 * If the policy enables the nnp_nosuid_transition policy capability,
2252 	 * then we permit transitions under NNP or nosuid if the
2253 	 * policy allows the corresponding permission between
2254 	 * the old and new contexts.
2255 	 */
2256 	if (selinux_policycap_nnp_nosuid_transition()) {
2257 		av = 0;
2258 		if (nnp)
2259 			av |= PROCESS2__NNP_TRANSITION;
2260 		if (nosuid)
2261 			av |= PROCESS2__NOSUID_TRANSITION;
2262 		rc = avc_has_perm(&selinux_state,
2263 				  old_tsec->sid, new_tsec->sid,
2264 				  SECCLASS_PROCESS2, av, NULL);
2265 		if (!rc)
2266 			return 0;
2267 	}
2268 
2269 	/*
2270 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2271 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2272 	 * of the permissions of the current SID.
2273 	 */
2274 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2275 					 new_tsec->sid);
2276 	if (!rc)
2277 		return 0;
2278 
2279 	/*
2280 	 * On failure, preserve the errno values for NNP vs nosuid.
2281 	 * NNP:  Operation not permitted for caller.
2282 	 * nosuid:  Permission denied to file.
2283 	 */
2284 	if (nnp)
2285 		return -EPERM;
2286 	return -EACCES;
2287 }
2288 
2289 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2290 {
2291 	const struct task_security_struct *old_tsec;
2292 	struct task_security_struct *new_tsec;
2293 	struct inode_security_struct *isec;
2294 	struct common_audit_data ad;
2295 	struct inode *inode = file_inode(bprm->file);
2296 	int rc;
2297 
2298 	/* SELinux context only depends on initial program or script and not
2299 	 * the script interpreter */
2300 	if (bprm->called_set_creds)
2301 		return 0;
2302 
2303 	old_tsec = selinux_cred(current_cred());
2304 	new_tsec = selinux_cred(bprm->cred);
2305 	isec = inode_security(inode);
2306 
2307 	/* Default to the current task SID. */
2308 	new_tsec->sid = old_tsec->sid;
2309 	new_tsec->osid = old_tsec->sid;
2310 
2311 	/* Reset fs, key, and sock SIDs on execve. */
2312 	new_tsec->create_sid = 0;
2313 	new_tsec->keycreate_sid = 0;
2314 	new_tsec->sockcreate_sid = 0;
2315 
2316 	if (old_tsec->exec_sid) {
2317 		new_tsec->sid = old_tsec->exec_sid;
2318 		/* Reset exec SID on execve. */
2319 		new_tsec->exec_sid = 0;
2320 
2321 		/* Fail on NNP or nosuid if not an allowed transition. */
2322 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323 		if (rc)
2324 			return rc;
2325 	} else {
2326 		/* Check for a default transition on this program. */
2327 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2328 					     isec->sid, SECCLASS_PROCESS, NULL,
2329 					     &new_tsec->sid);
2330 		if (rc)
2331 			return rc;
2332 
2333 		/*
2334 		 * Fallback to old SID on NNP or nosuid if not an allowed
2335 		 * transition.
2336 		 */
2337 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 		if (rc)
2339 			new_tsec->sid = old_tsec->sid;
2340 	}
2341 
2342 	ad.type = LSM_AUDIT_DATA_FILE;
2343 	ad.u.file = bprm->file;
2344 
2345 	if (new_tsec->sid == old_tsec->sid) {
2346 		rc = avc_has_perm(&selinux_state,
2347 				  old_tsec->sid, isec->sid,
2348 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2349 		if (rc)
2350 			return rc;
2351 	} else {
2352 		/* Check permissions for the transition. */
2353 		rc = avc_has_perm(&selinux_state,
2354 				  old_tsec->sid, new_tsec->sid,
2355 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2356 		if (rc)
2357 			return rc;
2358 
2359 		rc = avc_has_perm(&selinux_state,
2360 				  new_tsec->sid, isec->sid,
2361 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2362 		if (rc)
2363 			return rc;
2364 
2365 		/* Check for shared state */
2366 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2367 			rc = avc_has_perm(&selinux_state,
2368 					  old_tsec->sid, new_tsec->sid,
2369 					  SECCLASS_PROCESS, PROCESS__SHARE,
2370 					  NULL);
2371 			if (rc)
2372 				return -EPERM;
2373 		}
2374 
2375 		/* Make sure that anyone attempting to ptrace over a task that
2376 		 * changes its SID has the appropriate permit */
2377 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2378 			u32 ptsid = ptrace_parent_sid();
2379 			if (ptsid != 0) {
2380 				rc = avc_has_perm(&selinux_state,
2381 						  ptsid, new_tsec->sid,
2382 						  SECCLASS_PROCESS,
2383 						  PROCESS__PTRACE, NULL);
2384 				if (rc)
2385 					return -EPERM;
2386 			}
2387 		}
2388 
2389 		/* Clear any possibly unsafe personality bits on exec: */
2390 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2391 
2392 		/* Enable secure mode for SIDs transitions unless
2393 		   the noatsecure permission is granted between
2394 		   the two SIDs, i.e. ahp returns 0. */
2395 		rc = avc_has_perm(&selinux_state,
2396 				  old_tsec->sid, new_tsec->sid,
2397 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2398 				  NULL);
2399 		bprm->secureexec |= !!rc;
2400 	}
2401 
2402 	return 0;
2403 }
2404 
2405 static int match_file(const void *p, struct file *file, unsigned fd)
2406 {
2407 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2408 }
2409 
2410 /* Derived from fs/exec.c:flush_old_files. */
2411 static inline void flush_unauthorized_files(const struct cred *cred,
2412 					    struct files_struct *files)
2413 {
2414 	struct file *file, *devnull = NULL;
2415 	struct tty_struct *tty;
2416 	int drop_tty = 0;
2417 	unsigned n;
2418 
2419 	tty = get_current_tty();
2420 	if (tty) {
2421 		spin_lock(&tty->files_lock);
2422 		if (!list_empty(&tty->tty_files)) {
2423 			struct tty_file_private *file_priv;
2424 
2425 			/* Revalidate access to controlling tty.
2426 			   Use file_path_has_perm on the tty path directly
2427 			   rather than using file_has_perm, as this particular
2428 			   open file may belong to another process and we are
2429 			   only interested in the inode-based check here. */
2430 			file_priv = list_first_entry(&tty->tty_files,
2431 						struct tty_file_private, list);
2432 			file = file_priv->file;
2433 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2434 				drop_tty = 1;
2435 		}
2436 		spin_unlock(&tty->files_lock);
2437 		tty_kref_put(tty);
2438 	}
2439 	/* Reset controlling tty. */
2440 	if (drop_tty)
2441 		no_tty();
2442 
2443 	/* Revalidate access to inherited open files. */
2444 	n = iterate_fd(files, 0, match_file, cred);
2445 	if (!n) /* none found? */
2446 		return;
2447 
2448 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2449 	if (IS_ERR(devnull))
2450 		devnull = NULL;
2451 	/* replace all the matching ones with this */
2452 	do {
2453 		replace_fd(n - 1, devnull, 0);
2454 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2455 	if (devnull)
2456 		fput(devnull);
2457 }
2458 
2459 /*
2460  * Prepare a process for imminent new credential changes due to exec
2461  */
2462 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2463 {
2464 	struct task_security_struct *new_tsec;
2465 	struct rlimit *rlim, *initrlim;
2466 	int rc, i;
2467 
2468 	new_tsec = selinux_cred(bprm->cred);
2469 	if (new_tsec->sid == new_tsec->osid)
2470 		return;
2471 
2472 	/* Close files for which the new task SID is not authorized. */
2473 	flush_unauthorized_files(bprm->cred, current->files);
2474 
2475 	/* Always clear parent death signal on SID transitions. */
2476 	current->pdeath_signal = 0;
2477 
2478 	/* Check whether the new SID can inherit resource limits from the old
2479 	 * SID.  If not, reset all soft limits to the lower of the current
2480 	 * task's hard limit and the init task's soft limit.
2481 	 *
2482 	 * Note that the setting of hard limits (even to lower them) can be
2483 	 * controlled by the setrlimit check.  The inclusion of the init task's
2484 	 * soft limit into the computation is to avoid resetting soft limits
2485 	 * higher than the default soft limit for cases where the default is
2486 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2487 	 */
2488 	rc = avc_has_perm(&selinux_state,
2489 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2490 			  PROCESS__RLIMITINH, NULL);
2491 	if (rc) {
2492 		/* protect against do_prlimit() */
2493 		task_lock(current);
2494 		for (i = 0; i < RLIM_NLIMITS; i++) {
2495 			rlim = current->signal->rlim + i;
2496 			initrlim = init_task.signal->rlim + i;
2497 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2498 		}
2499 		task_unlock(current);
2500 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2501 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2502 	}
2503 }
2504 
2505 /*
2506  * Clean up the process immediately after the installation of new credentials
2507  * due to exec
2508  */
2509 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2510 {
2511 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2512 	u32 osid, sid;
2513 	int rc;
2514 
2515 	osid = tsec->osid;
2516 	sid = tsec->sid;
2517 
2518 	if (sid == osid)
2519 		return;
2520 
2521 	/* Check whether the new SID can inherit signal state from the old SID.
2522 	 * If not, clear itimers to avoid subsequent signal generation and
2523 	 * flush and unblock signals.
2524 	 *
2525 	 * This must occur _after_ the task SID has been updated so that any
2526 	 * kill done after the flush will be checked against the new SID.
2527 	 */
2528 	rc = avc_has_perm(&selinux_state,
2529 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2530 	if (rc) {
2531 		clear_itimer();
2532 
2533 		spin_lock_irq(&current->sighand->siglock);
2534 		if (!fatal_signal_pending(current)) {
2535 			flush_sigqueue(&current->pending);
2536 			flush_sigqueue(&current->signal->shared_pending);
2537 			flush_signal_handlers(current, 1);
2538 			sigemptyset(&current->blocked);
2539 			recalc_sigpending();
2540 		}
2541 		spin_unlock_irq(&current->sighand->siglock);
2542 	}
2543 
2544 	/* Wake up the parent if it is waiting so that it can recheck
2545 	 * wait permission to the new task SID. */
2546 	read_lock(&tasklist_lock);
2547 	__wake_up_parent(current, current->real_parent);
2548 	read_unlock(&tasklist_lock);
2549 }
2550 
2551 /* superblock security operations */
2552 
2553 static int selinux_sb_alloc_security(struct super_block *sb)
2554 {
2555 	struct superblock_security_struct *sbsec;
2556 
2557 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2558 	if (!sbsec)
2559 		return -ENOMEM;
2560 
2561 	mutex_init(&sbsec->lock);
2562 	INIT_LIST_HEAD(&sbsec->isec_head);
2563 	spin_lock_init(&sbsec->isec_lock);
2564 	sbsec->sb = sb;
2565 	sbsec->sid = SECINITSID_UNLABELED;
2566 	sbsec->def_sid = SECINITSID_FILE;
2567 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2568 	sb->s_security = sbsec;
2569 
2570 	return 0;
2571 }
2572 
2573 static void selinux_sb_free_security(struct super_block *sb)
2574 {
2575 	superblock_free_security(sb);
2576 }
2577 
2578 static inline int opt_len(const char *s)
2579 {
2580 	bool open_quote = false;
2581 	int len;
2582 	char c;
2583 
2584 	for (len = 0; (c = s[len]) != '\0'; len++) {
2585 		if (c == '"')
2586 			open_quote = !open_quote;
2587 		if (c == ',' && !open_quote)
2588 			break;
2589 	}
2590 	return len;
2591 }
2592 
2593 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2594 {
2595 	char *from = options;
2596 	char *to = options;
2597 	bool first = true;
2598 	int rc;
2599 
2600 	while (1) {
2601 		int len = opt_len(from);
2602 		int token;
2603 		char *arg = NULL;
2604 
2605 		token = match_opt_prefix(from, len, &arg);
2606 
2607 		if (token != Opt_error) {
2608 			char *p, *q;
2609 
2610 			/* strip quotes */
2611 			if (arg) {
2612 				for (p = q = arg; p < from + len; p++) {
2613 					char c = *p;
2614 					if (c != '"')
2615 						*q++ = c;
2616 				}
2617 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2618 				if (!arg) {
2619 					rc = -ENOMEM;
2620 					goto free_opt;
2621 				}
2622 			}
2623 			rc = selinux_add_opt(token, arg, mnt_opts);
2624 			if (unlikely(rc)) {
2625 				kfree(arg);
2626 				goto free_opt;
2627 			}
2628 		} else {
2629 			if (!first) {	// copy with preceding comma
2630 				from--;
2631 				len++;
2632 			}
2633 			if (to != from)
2634 				memmove(to, from, len);
2635 			to += len;
2636 			first = false;
2637 		}
2638 		if (!from[len])
2639 			break;
2640 		from += len + 1;
2641 	}
2642 	*to = '\0';
2643 	return 0;
2644 
2645 free_opt:
2646 	if (*mnt_opts) {
2647 		selinux_free_mnt_opts(*mnt_opts);
2648 		*mnt_opts = NULL;
2649 	}
2650 	return rc;
2651 }
2652 
2653 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2654 {
2655 	struct selinux_mnt_opts *opts = mnt_opts;
2656 	struct superblock_security_struct *sbsec = sb->s_security;
2657 	u32 sid;
2658 	int rc;
2659 
2660 	if (!(sbsec->flags & SE_SBINITIALIZED))
2661 		return 0;
2662 
2663 	if (!opts)
2664 		return 0;
2665 
2666 	if (opts->fscontext) {
2667 		rc = parse_sid(sb, opts->fscontext, &sid);
2668 		if (rc)
2669 			return rc;
2670 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2671 			goto out_bad_option;
2672 	}
2673 	if (opts->context) {
2674 		rc = parse_sid(sb, opts->context, &sid);
2675 		if (rc)
2676 			return rc;
2677 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2678 			goto out_bad_option;
2679 	}
2680 	if (opts->rootcontext) {
2681 		struct inode_security_struct *root_isec;
2682 		root_isec = backing_inode_security(sb->s_root);
2683 		rc = parse_sid(sb, opts->rootcontext, &sid);
2684 		if (rc)
2685 			return rc;
2686 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2687 			goto out_bad_option;
2688 	}
2689 	if (opts->defcontext) {
2690 		rc = parse_sid(sb, opts->defcontext, &sid);
2691 		if (rc)
2692 			return rc;
2693 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2694 			goto out_bad_option;
2695 	}
2696 	return 0;
2697 
2698 out_bad_option:
2699 	pr_warn("SELinux: unable to change security options "
2700 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2701 	       sb->s_type->name);
2702 	return -EINVAL;
2703 }
2704 
2705 static int selinux_sb_kern_mount(struct super_block *sb)
2706 {
2707 	const struct cred *cred = current_cred();
2708 	struct common_audit_data ad;
2709 
2710 	ad.type = LSM_AUDIT_DATA_DENTRY;
2711 	ad.u.dentry = sb->s_root;
2712 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2713 }
2714 
2715 static int selinux_sb_statfs(struct dentry *dentry)
2716 {
2717 	const struct cred *cred = current_cred();
2718 	struct common_audit_data ad;
2719 
2720 	ad.type = LSM_AUDIT_DATA_DENTRY;
2721 	ad.u.dentry = dentry->d_sb->s_root;
2722 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2723 }
2724 
2725 static int selinux_mount(const char *dev_name,
2726 			 const struct path *path,
2727 			 const char *type,
2728 			 unsigned long flags,
2729 			 void *data)
2730 {
2731 	const struct cred *cred = current_cred();
2732 
2733 	if (flags & MS_REMOUNT)
2734 		return superblock_has_perm(cred, path->dentry->d_sb,
2735 					   FILESYSTEM__REMOUNT, NULL);
2736 	else
2737 		return path_has_perm(cred, path, FILE__MOUNTON);
2738 }
2739 
2740 static int selinux_move_mount(const struct path *from_path,
2741 			      const struct path *to_path)
2742 {
2743 	const struct cred *cred = current_cred();
2744 
2745 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2746 }
2747 
2748 static int selinux_umount(struct vfsmount *mnt, int flags)
2749 {
2750 	const struct cred *cred = current_cred();
2751 
2752 	return superblock_has_perm(cred, mnt->mnt_sb,
2753 				   FILESYSTEM__UNMOUNT, NULL);
2754 }
2755 
2756 static int selinux_fs_context_dup(struct fs_context *fc,
2757 				  struct fs_context *src_fc)
2758 {
2759 	const struct selinux_mnt_opts *src = src_fc->security;
2760 	struct selinux_mnt_opts *opts;
2761 
2762 	if (!src)
2763 		return 0;
2764 
2765 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2766 	if (!fc->security)
2767 		return -ENOMEM;
2768 
2769 	opts = fc->security;
2770 
2771 	if (src->fscontext) {
2772 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2773 		if (!opts->fscontext)
2774 			return -ENOMEM;
2775 	}
2776 	if (src->context) {
2777 		opts->context = kstrdup(src->context, GFP_KERNEL);
2778 		if (!opts->context)
2779 			return -ENOMEM;
2780 	}
2781 	if (src->rootcontext) {
2782 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2783 		if (!opts->rootcontext)
2784 			return -ENOMEM;
2785 	}
2786 	if (src->defcontext) {
2787 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2788 		if (!opts->defcontext)
2789 			return -ENOMEM;
2790 	}
2791 	return 0;
2792 }
2793 
2794 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2795 	fsparam_string(CONTEXT_STR,	Opt_context),
2796 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2797 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2798 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2799 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2800 	{}
2801 };
2802 
2803 static int selinux_fs_context_parse_param(struct fs_context *fc,
2804 					  struct fs_parameter *param)
2805 {
2806 	struct fs_parse_result result;
2807 	int opt, rc;
2808 
2809 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2810 	if (opt < 0)
2811 		return opt;
2812 
2813 	rc = selinux_add_opt(opt, param->string, &fc->security);
2814 	if (!rc) {
2815 		param->string = NULL;
2816 		rc = 1;
2817 	}
2818 	return rc;
2819 }
2820 
2821 /* inode security operations */
2822 
2823 static int selinux_inode_alloc_security(struct inode *inode)
2824 {
2825 	struct inode_security_struct *isec = selinux_inode(inode);
2826 	u32 sid = current_sid();
2827 
2828 	spin_lock_init(&isec->lock);
2829 	INIT_LIST_HEAD(&isec->list);
2830 	isec->inode = inode;
2831 	isec->sid = SECINITSID_UNLABELED;
2832 	isec->sclass = SECCLASS_FILE;
2833 	isec->task_sid = sid;
2834 	isec->initialized = LABEL_INVALID;
2835 
2836 	return 0;
2837 }
2838 
2839 static void selinux_inode_free_security(struct inode *inode)
2840 {
2841 	inode_free_security(inode);
2842 }
2843 
2844 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2845 					const struct qstr *name, void **ctx,
2846 					u32 *ctxlen)
2847 {
2848 	u32 newsid;
2849 	int rc;
2850 
2851 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2852 					   d_inode(dentry->d_parent), name,
2853 					   inode_mode_to_security_class(mode),
2854 					   &newsid);
2855 	if (rc)
2856 		return rc;
2857 
2858 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2859 				       ctxlen);
2860 }
2861 
2862 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2863 					  struct qstr *name,
2864 					  const struct cred *old,
2865 					  struct cred *new)
2866 {
2867 	u32 newsid;
2868 	int rc;
2869 	struct task_security_struct *tsec;
2870 
2871 	rc = selinux_determine_inode_label(selinux_cred(old),
2872 					   d_inode(dentry->d_parent), name,
2873 					   inode_mode_to_security_class(mode),
2874 					   &newsid);
2875 	if (rc)
2876 		return rc;
2877 
2878 	tsec = selinux_cred(new);
2879 	tsec->create_sid = newsid;
2880 	return 0;
2881 }
2882 
2883 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2884 				       const struct qstr *qstr,
2885 				       const char **name,
2886 				       void **value, size_t *len)
2887 {
2888 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2889 	struct superblock_security_struct *sbsec;
2890 	u32 newsid, clen;
2891 	int rc;
2892 	char *context;
2893 
2894 	sbsec = dir->i_sb->s_security;
2895 
2896 	newsid = tsec->create_sid;
2897 
2898 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2899 		inode_mode_to_security_class(inode->i_mode),
2900 		&newsid);
2901 	if (rc)
2902 		return rc;
2903 
2904 	/* Possibly defer initialization to selinux_complete_init. */
2905 	if (sbsec->flags & SE_SBINITIALIZED) {
2906 		struct inode_security_struct *isec = selinux_inode(inode);
2907 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2908 		isec->sid = newsid;
2909 		isec->initialized = LABEL_INITIALIZED;
2910 	}
2911 
2912 	if (!selinux_initialized(&selinux_state) ||
2913 	    !(sbsec->flags & SBLABEL_MNT))
2914 		return -EOPNOTSUPP;
2915 
2916 	if (name)
2917 		*name = XATTR_SELINUX_SUFFIX;
2918 
2919 	if (value && len) {
2920 		rc = security_sid_to_context_force(&selinux_state, newsid,
2921 						   &context, &clen);
2922 		if (rc)
2923 			return rc;
2924 		*value = context;
2925 		*len = clen;
2926 	}
2927 
2928 	return 0;
2929 }
2930 
2931 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2932 {
2933 	return may_create(dir, dentry, SECCLASS_FILE);
2934 }
2935 
2936 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2937 {
2938 	return may_link(dir, old_dentry, MAY_LINK);
2939 }
2940 
2941 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2942 {
2943 	return may_link(dir, dentry, MAY_UNLINK);
2944 }
2945 
2946 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2947 {
2948 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2949 }
2950 
2951 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2952 {
2953 	return may_create(dir, dentry, SECCLASS_DIR);
2954 }
2955 
2956 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2957 {
2958 	return may_link(dir, dentry, MAY_RMDIR);
2959 }
2960 
2961 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2962 {
2963 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2964 }
2965 
2966 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2967 				struct inode *new_inode, struct dentry *new_dentry)
2968 {
2969 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2970 }
2971 
2972 static int selinux_inode_readlink(struct dentry *dentry)
2973 {
2974 	const struct cred *cred = current_cred();
2975 
2976 	return dentry_has_perm(cred, dentry, FILE__READ);
2977 }
2978 
2979 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2980 				     bool rcu)
2981 {
2982 	const struct cred *cred = current_cred();
2983 	struct common_audit_data ad;
2984 	struct inode_security_struct *isec;
2985 	u32 sid;
2986 
2987 	validate_creds(cred);
2988 
2989 	ad.type = LSM_AUDIT_DATA_DENTRY;
2990 	ad.u.dentry = dentry;
2991 	sid = cred_sid(cred);
2992 	isec = inode_security_rcu(inode, rcu);
2993 	if (IS_ERR(isec))
2994 		return PTR_ERR(isec);
2995 
2996 	return avc_has_perm_flags(&selinux_state,
2997 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
2998 				  rcu ? MAY_NOT_BLOCK : 0);
2999 }
3000 
3001 static noinline int audit_inode_permission(struct inode *inode,
3002 					   u32 perms, u32 audited, u32 denied,
3003 					   int result)
3004 {
3005 	struct common_audit_data ad;
3006 	struct inode_security_struct *isec = selinux_inode(inode);
3007 	int rc;
3008 
3009 	ad.type = LSM_AUDIT_DATA_INODE;
3010 	ad.u.inode = inode;
3011 
3012 	rc = slow_avc_audit(&selinux_state,
3013 			    current_sid(), isec->sid, isec->sclass, perms,
3014 			    audited, denied, result, &ad);
3015 	if (rc)
3016 		return rc;
3017 	return 0;
3018 }
3019 
3020 static int selinux_inode_permission(struct inode *inode, int mask)
3021 {
3022 	const struct cred *cred = current_cred();
3023 	u32 perms;
3024 	bool from_access;
3025 	bool no_block = mask & MAY_NOT_BLOCK;
3026 	struct inode_security_struct *isec;
3027 	u32 sid;
3028 	struct av_decision avd;
3029 	int rc, rc2;
3030 	u32 audited, denied;
3031 
3032 	from_access = mask & MAY_ACCESS;
3033 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3034 
3035 	/* No permission to check.  Existence test. */
3036 	if (!mask)
3037 		return 0;
3038 
3039 	validate_creds(cred);
3040 
3041 	if (unlikely(IS_PRIVATE(inode)))
3042 		return 0;
3043 
3044 	perms = file_mask_to_av(inode->i_mode, mask);
3045 
3046 	sid = cred_sid(cred);
3047 	isec = inode_security_rcu(inode, no_block);
3048 	if (IS_ERR(isec))
3049 		return PTR_ERR(isec);
3050 
3051 	rc = avc_has_perm_noaudit(&selinux_state,
3052 				  sid, isec->sid, isec->sclass, perms,
3053 				  no_block ? AVC_NONBLOCKING : 0,
3054 				  &avd);
3055 	audited = avc_audit_required(perms, &avd, rc,
3056 				     from_access ? FILE__AUDIT_ACCESS : 0,
3057 				     &denied);
3058 	if (likely(!audited))
3059 		return rc;
3060 
3061 	/* fall back to ref-walk if we have to generate audit */
3062 	if (no_block)
3063 		return -ECHILD;
3064 
3065 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3066 	if (rc2)
3067 		return rc2;
3068 	return rc;
3069 }
3070 
3071 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3072 {
3073 	const struct cred *cred = current_cred();
3074 	struct inode *inode = d_backing_inode(dentry);
3075 	unsigned int ia_valid = iattr->ia_valid;
3076 	__u32 av = FILE__WRITE;
3077 
3078 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3079 	if (ia_valid & ATTR_FORCE) {
3080 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3081 			      ATTR_FORCE);
3082 		if (!ia_valid)
3083 			return 0;
3084 	}
3085 
3086 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3087 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3088 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3089 
3090 	if (selinux_policycap_openperm() &&
3091 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3092 	    (ia_valid & ATTR_SIZE) &&
3093 	    !(ia_valid & ATTR_FILE))
3094 		av |= FILE__OPEN;
3095 
3096 	return dentry_has_perm(cred, dentry, av);
3097 }
3098 
3099 static int selinux_inode_getattr(const struct path *path)
3100 {
3101 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3102 }
3103 
3104 static bool has_cap_mac_admin(bool audit)
3105 {
3106 	const struct cred *cred = current_cred();
3107 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3108 
3109 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3110 		return false;
3111 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3112 		return false;
3113 	return true;
3114 }
3115 
3116 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3117 				  const void *value, size_t size, int flags)
3118 {
3119 	struct inode *inode = d_backing_inode(dentry);
3120 	struct inode_security_struct *isec;
3121 	struct superblock_security_struct *sbsec;
3122 	struct common_audit_data ad;
3123 	u32 newsid, sid = current_sid();
3124 	int rc = 0;
3125 
3126 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3127 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3128 		if (rc)
3129 			return rc;
3130 
3131 		/* Not an attribute we recognize, so just check the
3132 		   ordinary setattr permission. */
3133 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3134 	}
3135 
3136 	if (!selinux_initialized(&selinux_state))
3137 		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3138 
3139 	sbsec = inode->i_sb->s_security;
3140 	if (!(sbsec->flags & SBLABEL_MNT))
3141 		return -EOPNOTSUPP;
3142 
3143 	if (!inode_owner_or_capable(inode))
3144 		return -EPERM;
3145 
3146 	ad.type = LSM_AUDIT_DATA_DENTRY;
3147 	ad.u.dentry = dentry;
3148 
3149 	isec = backing_inode_security(dentry);
3150 	rc = avc_has_perm(&selinux_state,
3151 			  sid, isec->sid, isec->sclass,
3152 			  FILE__RELABELFROM, &ad);
3153 	if (rc)
3154 		return rc;
3155 
3156 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3157 				     GFP_KERNEL);
3158 	if (rc == -EINVAL) {
3159 		if (!has_cap_mac_admin(true)) {
3160 			struct audit_buffer *ab;
3161 			size_t audit_size;
3162 
3163 			/* We strip a nul only if it is at the end, otherwise the
3164 			 * context contains a nul and we should audit that */
3165 			if (value) {
3166 				const char *str = value;
3167 
3168 				if (str[size - 1] == '\0')
3169 					audit_size = size - 1;
3170 				else
3171 					audit_size = size;
3172 			} else {
3173 				audit_size = 0;
3174 			}
3175 			ab = audit_log_start(audit_context(),
3176 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3177 			audit_log_format(ab, "op=setxattr invalid_context=");
3178 			audit_log_n_untrustedstring(ab, value, audit_size);
3179 			audit_log_end(ab);
3180 
3181 			return rc;
3182 		}
3183 		rc = security_context_to_sid_force(&selinux_state, value,
3184 						   size, &newsid);
3185 	}
3186 	if (rc)
3187 		return rc;
3188 
3189 	rc = avc_has_perm(&selinux_state,
3190 			  sid, newsid, isec->sclass,
3191 			  FILE__RELABELTO, &ad);
3192 	if (rc)
3193 		return rc;
3194 
3195 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3196 					  sid, isec->sclass);
3197 	if (rc)
3198 		return rc;
3199 
3200 	return avc_has_perm(&selinux_state,
3201 			    newsid,
3202 			    sbsec->sid,
3203 			    SECCLASS_FILESYSTEM,
3204 			    FILESYSTEM__ASSOCIATE,
3205 			    &ad);
3206 }
3207 
3208 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3209 					const void *value, size_t size,
3210 					int flags)
3211 {
3212 	struct inode *inode = d_backing_inode(dentry);
3213 	struct inode_security_struct *isec;
3214 	u32 newsid;
3215 	int rc;
3216 
3217 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3218 		/* Not an attribute we recognize, so nothing to do. */
3219 		return;
3220 	}
3221 
3222 	if (!selinux_initialized(&selinux_state)) {
3223 		/* If we haven't even been initialized, then we can't validate
3224 		 * against a policy, so leave the label as invalid. It may
3225 		 * resolve to a valid label on the next revalidation try if
3226 		 * we've since initialized.
3227 		 */
3228 		return;
3229 	}
3230 
3231 	rc = security_context_to_sid_force(&selinux_state, value, size,
3232 					   &newsid);
3233 	if (rc) {
3234 		pr_err("SELinux:  unable to map context to SID"
3235 		       "for (%s, %lu), rc=%d\n",
3236 		       inode->i_sb->s_id, inode->i_ino, -rc);
3237 		return;
3238 	}
3239 
3240 	isec = backing_inode_security(dentry);
3241 	spin_lock(&isec->lock);
3242 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3243 	isec->sid = newsid;
3244 	isec->initialized = LABEL_INITIALIZED;
3245 	spin_unlock(&isec->lock);
3246 
3247 	return;
3248 }
3249 
3250 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3251 {
3252 	const struct cred *cred = current_cred();
3253 
3254 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3255 }
3256 
3257 static int selinux_inode_listxattr(struct dentry *dentry)
3258 {
3259 	const struct cred *cred = current_cred();
3260 
3261 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3262 }
3263 
3264 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3265 {
3266 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3267 		int rc = cap_inode_removexattr(dentry, name);
3268 		if (rc)
3269 			return rc;
3270 
3271 		/* Not an attribute we recognize, so just check the
3272 		   ordinary setattr permission. */
3273 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3274 	}
3275 
3276 	/* No one is allowed to remove a SELinux security label.
3277 	   You can change the label, but all data must be labeled. */
3278 	return -EACCES;
3279 }
3280 
3281 static int selinux_path_notify(const struct path *path, u64 mask,
3282 						unsigned int obj_type)
3283 {
3284 	int ret;
3285 	u32 perm;
3286 
3287 	struct common_audit_data ad;
3288 
3289 	ad.type = LSM_AUDIT_DATA_PATH;
3290 	ad.u.path = *path;
3291 
3292 	/*
3293 	 * Set permission needed based on the type of mark being set.
3294 	 * Performs an additional check for sb watches.
3295 	 */
3296 	switch (obj_type) {
3297 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3298 		perm = FILE__WATCH_MOUNT;
3299 		break;
3300 	case FSNOTIFY_OBJ_TYPE_SB:
3301 		perm = FILE__WATCH_SB;
3302 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3303 						FILESYSTEM__WATCH, &ad);
3304 		if (ret)
3305 			return ret;
3306 		break;
3307 	case FSNOTIFY_OBJ_TYPE_INODE:
3308 		perm = FILE__WATCH;
3309 		break;
3310 	default:
3311 		return -EINVAL;
3312 	}
3313 
3314 	/* blocking watches require the file:watch_with_perm permission */
3315 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3316 		perm |= FILE__WATCH_WITH_PERM;
3317 
3318 	/* watches on read-like events need the file:watch_reads permission */
3319 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3320 		perm |= FILE__WATCH_READS;
3321 
3322 	return path_has_perm(current_cred(), path, perm);
3323 }
3324 
3325 /*
3326  * Copy the inode security context value to the user.
3327  *
3328  * Permission check is handled by selinux_inode_getxattr hook.
3329  */
3330 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3331 {
3332 	u32 size;
3333 	int error;
3334 	char *context = NULL;
3335 	struct inode_security_struct *isec;
3336 
3337 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3338 		return -EOPNOTSUPP;
3339 
3340 	/*
3341 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3342 	 * value even if it is not defined by current policy; otherwise,
3343 	 * use the in-core value under current policy.
3344 	 * Use the non-auditing forms of the permission checks since
3345 	 * getxattr may be called by unprivileged processes commonly
3346 	 * and lack of permission just means that we fall back to the
3347 	 * in-core context value, not a denial.
3348 	 */
3349 	isec = inode_security(inode);
3350 	if (has_cap_mac_admin(false))
3351 		error = security_sid_to_context_force(&selinux_state,
3352 						      isec->sid, &context,
3353 						      &size);
3354 	else
3355 		error = security_sid_to_context(&selinux_state, isec->sid,
3356 						&context, &size);
3357 	if (error)
3358 		return error;
3359 	error = size;
3360 	if (alloc) {
3361 		*buffer = context;
3362 		goto out_nofree;
3363 	}
3364 	kfree(context);
3365 out_nofree:
3366 	return error;
3367 }
3368 
3369 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3370 				     const void *value, size_t size, int flags)
3371 {
3372 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3373 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3374 	u32 newsid;
3375 	int rc;
3376 
3377 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3378 		return -EOPNOTSUPP;
3379 
3380 	if (!(sbsec->flags & SBLABEL_MNT))
3381 		return -EOPNOTSUPP;
3382 
3383 	if (!value || !size)
3384 		return -EACCES;
3385 
3386 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3387 				     GFP_KERNEL);
3388 	if (rc)
3389 		return rc;
3390 
3391 	spin_lock(&isec->lock);
3392 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3393 	isec->sid = newsid;
3394 	isec->initialized = LABEL_INITIALIZED;
3395 	spin_unlock(&isec->lock);
3396 	return 0;
3397 }
3398 
3399 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3400 {
3401 	const int len = sizeof(XATTR_NAME_SELINUX);
3402 	if (buffer && len <= buffer_size)
3403 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3404 	return len;
3405 }
3406 
3407 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3408 {
3409 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3410 	*secid = isec->sid;
3411 }
3412 
3413 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3414 {
3415 	u32 sid;
3416 	struct task_security_struct *tsec;
3417 	struct cred *new_creds = *new;
3418 
3419 	if (new_creds == NULL) {
3420 		new_creds = prepare_creds();
3421 		if (!new_creds)
3422 			return -ENOMEM;
3423 	}
3424 
3425 	tsec = selinux_cred(new_creds);
3426 	/* Get label from overlay inode and set it in create_sid */
3427 	selinux_inode_getsecid(d_inode(src), &sid);
3428 	tsec->create_sid = sid;
3429 	*new = new_creds;
3430 	return 0;
3431 }
3432 
3433 static int selinux_inode_copy_up_xattr(const char *name)
3434 {
3435 	/* The copy_up hook above sets the initial context on an inode, but we
3436 	 * don't then want to overwrite it by blindly copying all the lower
3437 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3438 	 */
3439 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3440 		return 1; /* Discard */
3441 	/*
3442 	 * Any other attribute apart from SELINUX is not claimed, supported
3443 	 * by selinux.
3444 	 */
3445 	return -EOPNOTSUPP;
3446 }
3447 
3448 /* kernfs node operations */
3449 
3450 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3451 					struct kernfs_node *kn)
3452 {
3453 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3454 	u32 parent_sid, newsid, clen;
3455 	int rc;
3456 	char *context;
3457 
3458 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3459 	if (rc == -ENODATA)
3460 		return 0;
3461 	else if (rc < 0)
3462 		return rc;
3463 
3464 	clen = (u32)rc;
3465 	context = kmalloc(clen, GFP_KERNEL);
3466 	if (!context)
3467 		return -ENOMEM;
3468 
3469 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3470 	if (rc < 0) {
3471 		kfree(context);
3472 		return rc;
3473 	}
3474 
3475 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3476 				     GFP_KERNEL);
3477 	kfree(context);
3478 	if (rc)
3479 		return rc;
3480 
3481 	if (tsec->create_sid) {
3482 		newsid = tsec->create_sid;
3483 	} else {
3484 		u16 secclass = inode_mode_to_security_class(kn->mode);
3485 		struct qstr q;
3486 
3487 		q.name = kn->name;
3488 		q.hash_len = hashlen_string(kn_dir, kn->name);
3489 
3490 		rc = security_transition_sid(&selinux_state, tsec->sid,
3491 					     parent_sid, secclass, &q,
3492 					     &newsid);
3493 		if (rc)
3494 			return rc;
3495 	}
3496 
3497 	rc = security_sid_to_context_force(&selinux_state, newsid,
3498 					   &context, &clen);
3499 	if (rc)
3500 		return rc;
3501 
3502 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3503 			      XATTR_CREATE);
3504 	kfree(context);
3505 	return rc;
3506 }
3507 
3508 
3509 /* file security operations */
3510 
3511 static int selinux_revalidate_file_permission(struct file *file, int mask)
3512 {
3513 	const struct cred *cred = current_cred();
3514 	struct inode *inode = file_inode(file);
3515 
3516 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3517 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3518 		mask |= MAY_APPEND;
3519 
3520 	return file_has_perm(cred, file,
3521 			     file_mask_to_av(inode->i_mode, mask));
3522 }
3523 
3524 static int selinux_file_permission(struct file *file, int mask)
3525 {
3526 	struct inode *inode = file_inode(file);
3527 	struct file_security_struct *fsec = selinux_file(file);
3528 	struct inode_security_struct *isec;
3529 	u32 sid = current_sid();
3530 
3531 	if (!mask)
3532 		/* No permission to check.  Existence test. */
3533 		return 0;
3534 
3535 	isec = inode_security(inode);
3536 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3537 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3538 		/* No change since file_open check. */
3539 		return 0;
3540 
3541 	return selinux_revalidate_file_permission(file, mask);
3542 }
3543 
3544 static int selinux_file_alloc_security(struct file *file)
3545 {
3546 	struct file_security_struct *fsec = selinux_file(file);
3547 	u32 sid = current_sid();
3548 
3549 	fsec->sid = sid;
3550 	fsec->fown_sid = sid;
3551 
3552 	return 0;
3553 }
3554 
3555 /*
3556  * Check whether a task has the ioctl permission and cmd
3557  * operation to an inode.
3558  */
3559 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3560 		u32 requested, u16 cmd)
3561 {
3562 	struct common_audit_data ad;
3563 	struct file_security_struct *fsec = selinux_file(file);
3564 	struct inode *inode = file_inode(file);
3565 	struct inode_security_struct *isec;
3566 	struct lsm_ioctlop_audit ioctl;
3567 	u32 ssid = cred_sid(cred);
3568 	int rc;
3569 	u8 driver = cmd >> 8;
3570 	u8 xperm = cmd & 0xff;
3571 
3572 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3573 	ad.u.op = &ioctl;
3574 	ad.u.op->cmd = cmd;
3575 	ad.u.op->path = file->f_path;
3576 
3577 	if (ssid != fsec->sid) {
3578 		rc = avc_has_perm(&selinux_state,
3579 				  ssid, fsec->sid,
3580 				SECCLASS_FD,
3581 				FD__USE,
3582 				&ad);
3583 		if (rc)
3584 			goto out;
3585 	}
3586 
3587 	if (unlikely(IS_PRIVATE(inode)))
3588 		return 0;
3589 
3590 	isec = inode_security(inode);
3591 	rc = avc_has_extended_perms(&selinux_state,
3592 				    ssid, isec->sid, isec->sclass,
3593 				    requested, driver, xperm, &ad);
3594 out:
3595 	return rc;
3596 }
3597 
3598 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3599 			      unsigned long arg)
3600 {
3601 	const struct cred *cred = current_cred();
3602 	int error = 0;
3603 
3604 	switch (cmd) {
3605 	case FIONREAD:
3606 	/* fall through */
3607 	case FIBMAP:
3608 	/* fall through */
3609 	case FIGETBSZ:
3610 	/* fall through */
3611 	case FS_IOC_GETFLAGS:
3612 	/* fall through */
3613 	case FS_IOC_GETVERSION:
3614 		error = file_has_perm(cred, file, FILE__GETATTR);
3615 		break;
3616 
3617 	case FS_IOC_SETFLAGS:
3618 	/* fall through */
3619 	case FS_IOC_SETVERSION:
3620 		error = file_has_perm(cred, file, FILE__SETATTR);
3621 		break;
3622 
3623 	/* sys_ioctl() checks */
3624 	case FIONBIO:
3625 	/* fall through */
3626 	case FIOASYNC:
3627 		error = file_has_perm(cred, file, 0);
3628 		break;
3629 
3630 	case KDSKBENT:
3631 	case KDSKBSENT:
3632 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3633 					    CAP_OPT_NONE, true);
3634 		break;
3635 
3636 	/* default case assumes that the command will go
3637 	 * to the file's ioctl() function.
3638 	 */
3639 	default:
3640 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3641 	}
3642 	return error;
3643 }
3644 
3645 static int default_noexec __ro_after_init;
3646 
3647 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3648 {
3649 	const struct cred *cred = current_cred();
3650 	u32 sid = cred_sid(cred);
3651 	int rc = 0;
3652 
3653 	if (default_noexec &&
3654 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3655 				   (!shared && (prot & PROT_WRITE)))) {
3656 		/*
3657 		 * We are making executable an anonymous mapping or a
3658 		 * private file mapping that will also be writable.
3659 		 * This has an additional check.
3660 		 */
3661 		rc = avc_has_perm(&selinux_state,
3662 				  sid, sid, SECCLASS_PROCESS,
3663 				  PROCESS__EXECMEM, NULL);
3664 		if (rc)
3665 			goto error;
3666 	}
3667 
3668 	if (file) {
3669 		/* read access is always possible with a mapping */
3670 		u32 av = FILE__READ;
3671 
3672 		/* write access only matters if the mapping is shared */
3673 		if (shared && (prot & PROT_WRITE))
3674 			av |= FILE__WRITE;
3675 
3676 		if (prot & PROT_EXEC)
3677 			av |= FILE__EXECUTE;
3678 
3679 		return file_has_perm(cred, file, av);
3680 	}
3681 
3682 error:
3683 	return rc;
3684 }
3685 
3686 static int selinux_mmap_addr(unsigned long addr)
3687 {
3688 	int rc = 0;
3689 
3690 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3691 		u32 sid = current_sid();
3692 		rc = avc_has_perm(&selinux_state,
3693 				  sid, sid, SECCLASS_MEMPROTECT,
3694 				  MEMPROTECT__MMAP_ZERO, NULL);
3695 	}
3696 
3697 	return rc;
3698 }
3699 
3700 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3701 			     unsigned long prot, unsigned long flags)
3702 {
3703 	struct common_audit_data ad;
3704 	int rc;
3705 
3706 	if (file) {
3707 		ad.type = LSM_AUDIT_DATA_FILE;
3708 		ad.u.file = file;
3709 		rc = inode_has_perm(current_cred(), file_inode(file),
3710 				    FILE__MAP, &ad);
3711 		if (rc)
3712 			return rc;
3713 	}
3714 
3715 	if (selinux_state.checkreqprot)
3716 		prot = reqprot;
3717 
3718 	return file_map_prot_check(file, prot,
3719 				   (flags & MAP_TYPE) == MAP_SHARED);
3720 }
3721 
3722 static int selinux_file_mprotect(struct vm_area_struct *vma,
3723 				 unsigned long reqprot,
3724 				 unsigned long prot)
3725 {
3726 	const struct cred *cred = current_cred();
3727 	u32 sid = cred_sid(cred);
3728 
3729 	if (selinux_state.checkreqprot)
3730 		prot = reqprot;
3731 
3732 	if (default_noexec &&
3733 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3734 		int rc = 0;
3735 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3736 		    vma->vm_end <= vma->vm_mm->brk) {
3737 			rc = avc_has_perm(&selinux_state,
3738 					  sid, sid, SECCLASS_PROCESS,
3739 					  PROCESS__EXECHEAP, NULL);
3740 		} else if (!vma->vm_file &&
3741 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3742 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3743 			    vma_is_stack_for_current(vma))) {
3744 			rc = avc_has_perm(&selinux_state,
3745 					  sid, sid, SECCLASS_PROCESS,
3746 					  PROCESS__EXECSTACK, NULL);
3747 		} else if (vma->vm_file && vma->anon_vma) {
3748 			/*
3749 			 * We are making executable a file mapping that has
3750 			 * had some COW done. Since pages might have been
3751 			 * written, check ability to execute the possibly
3752 			 * modified content.  This typically should only
3753 			 * occur for text relocations.
3754 			 */
3755 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3756 		}
3757 		if (rc)
3758 			return rc;
3759 	}
3760 
3761 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3762 }
3763 
3764 static int selinux_file_lock(struct file *file, unsigned int cmd)
3765 {
3766 	const struct cred *cred = current_cred();
3767 
3768 	return file_has_perm(cred, file, FILE__LOCK);
3769 }
3770 
3771 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3772 			      unsigned long arg)
3773 {
3774 	const struct cred *cred = current_cred();
3775 	int err = 0;
3776 
3777 	switch (cmd) {
3778 	case F_SETFL:
3779 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3780 			err = file_has_perm(cred, file, FILE__WRITE);
3781 			break;
3782 		}
3783 		/* fall through */
3784 	case F_SETOWN:
3785 	case F_SETSIG:
3786 	case F_GETFL:
3787 	case F_GETOWN:
3788 	case F_GETSIG:
3789 	case F_GETOWNER_UIDS:
3790 		/* Just check FD__USE permission */
3791 		err = file_has_perm(cred, file, 0);
3792 		break;
3793 	case F_GETLK:
3794 	case F_SETLK:
3795 	case F_SETLKW:
3796 	case F_OFD_GETLK:
3797 	case F_OFD_SETLK:
3798 	case F_OFD_SETLKW:
3799 #if BITS_PER_LONG == 32
3800 	case F_GETLK64:
3801 	case F_SETLK64:
3802 	case F_SETLKW64:
3803 #endif
3804 		err = file_has_perm(cred, file, FILE__LOCK);
3805 		break;
3806 	}
3807 
3808 	return err;
3809 }
3810 
3811 static void selinux_file_set_fowner(struct file *file)
3812 {
3813 	struct file_security_struct *fsec;
3814 
3815 	fsec = selinux_file(file);
3816 	fsec->fown_sid = current_sid();
3817 }
3818 
3819 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3820 				       struct fown_struct *fown, int signum)
3821 {
3822 	struct file *file;
3823 	u32 sid = task_sid(tsk);
3824 	u32 perm;
3825 	struct file_security_struct *fsec;
3826 
3827 	/* struct fown_struct is never outside the context of a struct file */
3828 	file = container_of(fown, struct file, f_owner);
3829 
3830 	fsec = selinux_file(file);
3831 
3832 	if (!signum)
3833 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3834 	else
3835 		perm = signal_to_av(signum);
3836 
3837 	return avc_has_perm(&selinux_state,
3838 			    fsec->fown_sid, sid,
3839 			    SECCLASS_PROCESS, perm, NULL);
3840 }
3841 
3842 static int selinux_file_receive(struct file *file)
3843 {
3844 	const struct cred *cred = current_cred();
3845 
3846 	return file_has_perm(cred, file, file_to_av(file));
3847 }
3848 
3849 static int selinux_file_open(struct file *file)
3850 {
3851 	struct file_security_struct *fsec;
3852 	struct inode_security_struct *isec;
3853 
3854 	fsec = selinux_file(file);
3855 	isec = inode_security(file_inode(file));
3856 	/*
3857 	 * Save inode label and policy sequence number
3858 	 * at open-time so that selinux_file_permission
3859 	 * can determine whether revalidation is necessary.
3860 	 * Task label is already saved in the file security
3861 	 * struct as its SID.
3862 	 */
3863 	fsec->isid = isec->sid;
3864 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3865 	/*
3866 	 * Since the inode label or policy seqno may have changed
3867 	 * between the selinux_inode_permission check and the saving
3868 	 * of state above, recheck that access is still permitted.
3869 	 * Otherwise, access might never be revalidated against the
3870 	 * new inode label or new policy.
3871 	 * This check is not redundant - do not remove.
3872 	 */
3873 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3874 }
3875 
3876 /* task security operations */
3877 
3878 static int selinux_task_alloc(struct task_struct *task,
3879 			      unsigned long clone_flags)
3880 {
3881 	u32 sid = current_sid();
3882 
3883 	return avc_has_perm(&selinux_state,
3884 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3885 }
3886 
3887 /*
3888  * prepare a new set of credentials for modification
3889  */
3890 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3891 				gfp_t gfp)
3892 {
3893 	const struct task_security_struct *old_tsec = selinux_cred(old);
3894 	struct task_security_struct *tsec = selinux_cred(new);
3895 
3896 	*tsec = *old_tsec;
3897 	return 0;
3898 }
3899 
3900 /*
3901  * transfer the SELinux data to a blank set of creds
3902  */
3903 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3904 {
3905 	const struct task_security_struct *old_tsec = selinux_cred(old);
3906 	struct task_security_struct *tsec = selinux_cred(new);
3907 
3908 	*tsec = *old_tsec;
3909 }
3910 
3911 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3912 {
3913 	*secid = cred_sid(c);
3914 }
3915 
3916 /*
3917  * set the security data for a kernel service
3918  * - all the creation contexts are set to unlabelled
3919  */
3920 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3921 {
3922 	struct task_security_struct *tsec = selinux_cred(new);
3923 	u32 sid = current_sid();
3924 	int ret;
3925 
3926 	ret = avc_has_perm(&selinux_state,
3927 			   sid, secid,
3928 			   SECCLASS_KERNEL_SERVICE,
3929 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3930 			   NULL);
3931 	if (ret == 0) {
3932 		tsec->sid = secid;
3933 		tsec->create_sid = 0;
3934 		tsec->keycreate_sid = 0;
3935 		tsec->sockcreate_sid = 0;
3936 	}
3937 	return ret;
3938 }
3939 
3940 /*
3941  * set the file creation context in a security record to the same as the
3942  * objective context of the specified inode
3943  */
3944 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3945 {
3946 	struct inode_security_struct *isec = inode_security(inode);
3947 	struct task_security_struct *tsec = selinux_cred(new);
3948 	u32 sid = current_sid();
3949 	int ret;
3950 
3951 	ret = avc_has_perm(&selinux_state,
3952 			   sid, isec->sid,
3953 			   SECCLASS_KERNEL_SERVICE,
3954 			   KERNEL_SERVICE__CREATE_FILES_AS,
3955 			   NULL);
3956 
3957 	if (ret == 0)
3958 		tsec->create_sid = isec->sid;
3959 	return ret;
3960 }
3961 
3962 static int selinux_kernel_module_request(char *kmod_name)
3963 {
3964 	struct common_audit_data ad;
3965 
3966 	ad.type = LSM_AUDIT_DATA_KMOD;
3967 	ad.u.kmod_name = kmod_name;
3968 
3969 	return avc_has_perm(&selinux_state,
3970 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3971 			    SYSTEM__MODULE_REQUEST, &ad);
3972 }
3973 
3974 static int selinux_kernel_module_from_file(struct file *file)
3975 {
3976 	struct common_audit_data ad;
3977 	struct inode_security_struct *isec;
3978 	struct file_security_struct *fsec;
3979 	u32 sid = current_sid();
3980 	int rc;
3981 
3982 	/* init_module */
3983 	if (file == NULL)
3984 		return avc_has_perm(&selinux_state,
3985 				    sid, sid, SECCLASS_SYSTEM,
3986 					SYSTEM__MODULE_LOAD, NULL);
3987 
3988 	/* finit_module */
3989 
3990 	ad.type = LSM_AUDIT_DATA_FILE;
3991 	ad.u.file = file;
3992 
3993 	fsec = selinux_file(file);
3994 	if (sid != fsec->sid) {
3995 		rc = avc_has_perm(&selinux_state,
3996 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3997 		if (rc)
3998 			return rc;
3999 	}
4000 
4001 	isec = inode_security(file_inode(file));
4002 	return avc_has_perm(&selinux_state,
4003 			    sid, isec->sid, SECCLASS_SYSTEM,
4004 				SYSTEM__MODULE_LOAD, &ad);
4005 }
4006 
4007 static int selinux_kernel_read_file(struct file *file,
4008 				    enum kernel_read_file_id id)
4009 {
4010 	int rc = 0;
4011 
4012 	switch (id) {
4013 	case READING_MODULE:
4014 		rc = selinux_kernel_module_from_file(file);
4015 		break;
4016 	default:
4017 		break;
4018 	}
4019 
4020 	return rc;
4021 }
4022 
4023 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4024 {
4025 	int rc = 0;
4026 
4027 	switch (id) {
4028 	case LOADING_MODULE:
4029 		rc = selinux_kernel_module_from_file(NULL);
4030 	default:
4031 		break;
4032 	}
4033 
4034 	return rc;
4035 }
4036 
4037 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4038 {
4039 	return avc_has_perm(&selinux_state,
4040 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4041 			    PROCESS__SETPGID, NULL);
4042 }
4043 
4044 static int selinux_task_getpgid(struct task_struct *p)
4045 {
4046 	return avc_has_perm(&selinux_state,
4047 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4048 			    PROCESS__GETPGID, NULL);
4049 }
4050 
4051 static int selinux_task_getsid(struct task_struct *p)
4052 {
4053 	return avc_has_perm(&selinux_state,
4054 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4055 			    PROCESS__GETSESSION, NULL);
4056 }
4057 
4058 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4059 {
4060 	*secid = task_sid(p);
4061 }
4062 
4063 static int selinux_task_setnice(struct task_struct *p, int nice)
4064 {
4065 	return avc_has_perm(&selinux_state,
4066 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4067 			    PROCESS__SETSCHED, NULL);
4068 }
4069 
4070 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4071 {
4072 	return avc_has_perm(&selinux_state,
4073 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4074 			    PROCESS__SETSCHED, NULL);
4075 }
4076 
4077 static int selinux_task_getioprio(struct task_struct *p)
4078 {
4079 	return avc_has_perm(&selinux_state,
4080 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4081 			    PROCESS__GETSCHED, NULL);
4082 }
4083 
4084 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4085 				unsigned int flags)
4086 {
4087 	u32 av = 0;
4088 
4089 	if (!flags)
4090 		return 0;
4091 	if (flags & LSM_PRLIMIT_WRITE)
4092 		av |= PROCESS__SETRLIMIT;
4093 	if (flags & LSM_PRLIMIT_READ)
4094 		av |= PROCESS__GETRLIMIT;
4095 	return avc_has_perm(&selinux_state,
4096 			    cred_sid(cred), cred_sid(tcred),
4097 			    SECCLASS_PROCESS, av, NULL);
4098 }
4099 
4100 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4101 		struct rlimit *new_rlim)
4102 {
4103 	struct rlimit *old_rlim = p->signal->rlim + resource;
4104 
4105 	/* Control the ability to change the hard limit (whether
4106 	   lowering or raising it), so that the hard limit can
4107 	   later be used as a safe reset point for the soft limit
4108 	   upon context transitions.  See selinux_bprm_committing_creds. */
4109 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4110 		return avc_has_perm(&selinux_state,
4111 				    current_sid(), task_sid(p),
4112 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4113 
4114 	return 0;
4115 }
4116 
4117 static int selinux_task_setscheduler(struct task_struct *p)
4118 {
4119 	return avc_has_perm(&selinux_state,
4120 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4121 			    PROCESS__SETSCHED, NULL);
4122 }
4123 
4124 static int selinux_task_getscheduler(struct task_struct *p)
4125 {
4126 	return avc_has_perm(&selinux_state,
4127 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4128 			    PROCESS__GETSCHED, NULL);
4129 }
4130 
4131 static int selinux_task_movememory(struct task_struct *p)
4132 {
4133 	return avc_has_perm(&selinux_state,
4134 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4135 			    PROCESS__SETSCHED, NULL);
4136 }
4137 
4138 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4139 				int sig, const struct cred *cred)
4140 {
4141 	u32 secid;
4142 	u32 perm;
4143 
4144 	if (!sig)
4145 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4146 	else
4147 		perm = signal_to_av(sig);
4148 	if (!cred)
4149 		secid = current_sid();
4150 	else
4151 		secid = cred_sid(cred);
4152 	return avc_has_perm(&selinux_state,
4153 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4154 }
4155 
4156 static void selinux_task_to_inode(struct task_struct *p,
4157 				  struct inode *inode)
4158 {
4159 	struct inode_security_struct *isec = selinux_inode(inode);
4160 	u32 sid = task_sid(p);
4161 
4162 	spin_lock(&isec->lock);
4163 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4164 	isec->sid = sid;
4165 	isec->initialized = LABEL_INITIALIZED;
4166 	spin_unlock(&isec->lock);
4167 }
4168 
4169 /* Returns error only if unable to parse addresses */
4170 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4171 			struct common_audit_data *ad, u8 *proto)
4172 {
4173 	int offset, ihlen, ret = -EINVAL;
4174 	struct iphdr _iph, *ih;
4175 
4176 	offset = skb_network_offset(skb);
4177 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4178 	if (ih == NULL)
4179 		goto out;
4180 
4181 	ihlen = ih->ihl * 4;
4182 	if (ihlen < sizeof(_iph))
4183 		goto out;
4184 
4185 	ad->u.net->v4info.saddr = ih->saddr;
4186 	ad->u.net->v4info.daddr = ih->daddr;
4187 	ret = 0;
4188 
4189 	if (proto)
4190 		*proto = ih->protocol;
4191 
4192 	switch (ih->protocol) {
4193 	case IPPROTO_TCP: {
4194 		struct tcphdr _tcph, *th;
4195 
4196 		if (ntohs(ih->frag_off) & IP_OFFSET)
4197 			break;
4198 
4199 		offset += ihlen;
4200 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4201 		if (th == NULL)
4202 			break;
4203 
4204 		ad->u.net->sport = th->source;
4205 		ad->u.net->dport = th->dest;
4206 		break;
4207 	}
4208 
4209 	case IPPROTO_UDP: {
4210 		struct udphdr _udph, *uh;
4211 
4212 		if (ntohs(ih->frag_off) & IP_OFFSET)
4213 			break;
4214 
4215 		offset += ihlen;
4216 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4217 		if (uh == NULL)
4218 			break;
4219 
4220 		ad->u.net->sport = uh->source;
4221 		ad->u.net->dport = uh->dest;
4222 		break;
4223 	}
4224 
4225 	case IPPROTO_DCCP: {
4226 		struct dccp_hdr _dccph, *dh;
4227 
4228 		if (ntohs(ih->frag_off) & IP_OFFSET)
4229 			break;
4230 
4231 		offset += ihlen;
4232 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4233 		if (dh == NULL)
4234 			break;
4235 
4236 		ad->u.net->sport = dh->dccph_sport;
4237 		ad->u.net->dport = dh->dccph_dport;
4238 		break;
4239 	}
4240 
4241 #if IS_ENABLED(CONFIG_IP_SCTP)
4242 	case IPPROTO_SCTP: {
4243 		struct sctphdr _sctph, *sh;
4244 
4245 		if (ntohs(ih->frag_off) & IP_OFFSET)
4246 			break;
4247 
4248 		offset += ihlen;
4249 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4250 		if (sh == NULL)
4251 			break;
4252 
4253 		ad->u.net->sport = sh->source;
4254 		ad->u.net->dport = sh->dest;
4255 		break;
4256 	}
4257 #endif
4258 	default:
4259 		break;
4260 	}
4261 out:
4262 	return ret;
4263 }
4264 
4265 #if IS_ENABLED(CONFIG_IPV6)
4266 
4267 /* Returns error only if unable to parse addresses */
4268 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4269 			struct common_audit_data *ad, u8 *proto)
4270 {
4271 	u8 nexthdr;
4272 	int ret = -EINVAL, offset;
4273 	struct ipv6hdr _ipv6h, *ip6;
4274 	__be16 frag_off;
4275 
4276 	offset = skb_network_offset(skb);
4277 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4278 	if (ip6 == NULL)
4279 		goto out;
4280 
4281 	ad->u.net->v6info.saddr = ip6->saddr;
4282 	ad->u.net->v6info.daddr = ip6->daddr;
4283 	ret = 0;
4284 
4285 	nexthdr = ip6->nexthdr;
4286 	offset += sizeof(_ipv6h);
4287 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4288 	if (offset < 0)
4289 		goto out;
4290 
4291 	if (proto)
4292 		*proto = nexthdr;
4293 
4294 	switch (nexthdr) {
4295 	case IPPROTO_TCP: {
4296 		struct tcphdr _tcph, *th;
4297 
4298 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4299 		if (th == NULL)
4300 			break;
4301 
4302 		ad->u.net->sport = th->source;
4303 		ad->u.net->dport = th->dest;
4304 		break;
4305 	}
4306 
4307 	case IPPROTO_UDP: {
4308 		struct udphdr _udph, *uh;
4309 
4310 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4311 		if (uh == NULL)
4312 			break;
4313 
4314 		ad->u.net->sport = uh->source;
4315 		ad->u.net->dport = uh->dest;
4316 		break;
4317 	}
4318 
4319 	case IPPROTO_DCCP: {
4320 		struct dccp_hdr _dccph, *dh;
4321 
4322 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4323 		if (dh == NULL)
4324 			break;
4325 
4326 		ad->u.net->sport = dh->dccph_sport;
4327 		ad->u.net->dport = dh->dccph_dport;
4328 		break;
4329 	}
4330 
4331 #if IS_ENABLED(CONFIG_IP_SCTP)
4332 	case IPPROTO_SCTP: {
4333 		struct sctphdr _sctph, *sh;
4334 
4335 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4336 		if (sh == NULL)
4337 			break;
4338 
4339 		ad->u.net->sport = sh->source;
4340 		ad->u.net->dport = sh->dest;
4341 		break;
4342 	}
4343 #endif
4344 	/* includes fragments */
4345 	default:
4346 		break;
4347 	}
4348 out:
4349 	return ret;
4350 }
4351 
4352 #endif /* IPV6 */
4353 
4354 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4355 			     char **_addrp, int src, u8 *proto)
4356 {
4357 	char *addrp;
4358 	int ret;
4359 
4360 	switch (ad->u.net->family) {
4361 	case PF_INET:
4362 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4363 		if (ret)
4364 			goto parse_error;
4365 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4366 				       &ad->u.net->v4info.daddr);
4367 		goto okay;
4368 
4369 #if IS_ENABLED(CONFIG_IPV6)
4370 	case PF_INET6:
4371 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4372 		if (ret)
4373 			goto parse_error;
4374 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4375 				       &ad->u.net->v6info.daddr);
4376 		goto okay;
4377 #endif	/* IPV6 */
4378 	default:
4379 		addrp = NULL;
4380 		goto okay;
4381 	}
4382 
4383 parse_error:
4384 	pr_warn(
4385 	       "SELinux: failure in selinux_parse_skb(),"
4386 	       " unable to parse packet\n");
4387 	return ret;
4388 
4389 okay:
4390 	if (_addrp)
4391 		*_addrp = addrp;
4392 	return 0;
4393 }
4394 
4395 /**
4396  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4397  * @skb: the packet
4398  * @family: protocol family
4399  * @sid: the packet's peer label SID
4400  *
4401  * Description:
4402  * Check the various different forms of network peer labeling and determine
4403  * the peer label/SID for the packet; most of the magic actually occurs in
4404  * the security server function security_net_peersid_cmp().  The function
4405  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4406  * or -EACCES if @sid is invalid due to inconsistencies with the different
4407  * peer labels.
4408  *
4409  */
4410 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4411 {
4412 	int err;
4413 	u32 xfrm_sid;
4414 	u32 nlbl_sid;
4415 	u32 nlbl_type;
4416 
4417 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4418 	if (unlikely(err))
4419 		return -EACCES;
4420 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4421 	if (unlikely(err))
4422 		return -EACCES;
4423 
4424 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4425 					   nlbl_type, xfrm_sid, sid);
4426 	if (unlikely(err)) {
4427 		pr_warn(
4428 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4429 		       " unable to determine packet's peer label\n");
4430 		return -EACCES;
4431 	}
4432 
4433 	return 0;
4434 }
4435 
4436 /**
4437  * selinux_conn_sid - Determine the child socket label for a connection
4438  * @sk_sid: the parent socket's SID
4439  * @skb_sid: the packet's SID
4440  * @conn_sid: the resulting connection SID
4441  *
4442  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4443  * combined with the MLS information from @skb_sid in order to create
4444  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4445  * of @sk_sid.  Returns zero on success, negative values on failure.
4446  *
4447  */
4448 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4449 {
4450 	int err = 0;
4451 
4452 	if (skb_sid != SECSID_NULL)
4453 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4454 					    conn_sid);
4455 	else
4456 		*conn_sid = sk_sid;
4457 
4458 	return err;
4459 }
4460 
4461 /* socket security operations */
4462 
4463 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4464 				 u16 secclass, u32 *socksid)
4465 {
4466 	if (tsec->sockcreate_sid > SECSID_NULL) {
4467 		*socksid = tsec->sockcreate_sid;
4468 		return 0;
4469 	}
4470 
4471 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4472 				       secclass, NULL, socksid);
4473 }
4474 
4475 static int sock_has_perm(struct sock *sk, u32 perms)
4476 {
4477 	struct sk_security_struct *sksec = sk->sk_security;
4478 	struct common_audit_data ad;
4479 	struct lsm_network_audit net = {0,};
4480 
4481 	if (sksec->sid == SECINITSID_KERNEL)
4482 		return 0;
4483 
4484 	ad.type = LSM_AUDIT_DATA_NET;
4485 	ad.u.net = &net;
4486 	ad.u.net->sk = sk;
4487 
4488 	return avc_has_perm(&selinux_state,
4489 			    current_sid(), sksec->sid, sksec->sclass, perms,
4490 			    &ad);
4491 }
4492 
4493 static int selinux_socket_create(int family, int type,
4494 				 int protocol, int kern)
4495 {
4496 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4497 	u32 newsid;
4498 	u16 secclass;
4499 	int rc;
4500 
4501 	if (kern)
4502 		return 0;
4503 
4504 	secclass = socket_type_to_security_class(family, type, protocol);
4505 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4506 	if (rc)
4507 		return rc;
4508 
4509 	return avc_has_perm(&selinux_state,
4510 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4511 }
4512 
4513 static int selinux_socket_post_create(struct socket *sock, int family,
4514 				      int type, int protocol, int kern)
4515 {
4516 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4517 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4518 	struct sk_security_struct *sksec;
4519 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4520 	u32 sid = SECINITSID_KERNEL;
4521 	int err = 0;
4522 
4523 	if (!kern) {
4524 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4525 		if (err)
4526 			return err;
4527 	}
4528 
4529 	isec->sclass = sclass;
4530 	isec->sid = sid;
4531 	isec->initialized = LABEL_INITIALIZED;
4532 
4533 	if (sock->sk) {
4534 		sksec = sock->sk->sk_security;
4535 		sksec->sclass = sclass;
4536 		sksec->sid = sid;
4537 		/* Allows detection of the first association on this socket */
4538 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4539 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4540 
4541 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4542 	}
4543 
4544 	return err;
4545 }
4546 
4547 static int selinux_socket_socketpair(struct socket *socka,
4548 				     struct socket *sockb)
4549 {
4550 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4551 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4552 
4553 	sksec_a->peer_sid = sksec_b->sid;
4554 	sksec_b->peer_sid = sksec_a->sid;
4555 
4556 	return 0;
4557 }
4558 
4559 /* Range of port numbers used to automatically bind.
4560    Need to determine whether we should perform a name_bind
4561    permission check between the socket and the port number. */
4562 
4563 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4564 {
4565 	struct sock *sk = sock->sk;
4566 	struct sk_security_struct *sksec = sk->sk_security;
4567 	u16 family;
4568 	int err;
4569 
4570 	err = sock_has_perm(sk, SOCKET__BIND);
4571 	if (err)
4572 		goto out;
4573 
4574 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4575 	family = sk->sk_family;
4576 	if (family == PF_INET || family == PF_INET6) {
4577 		char *addrp;
4578 		struct common_audit_data ad;
4579 		struct lsm_network_audit net = {0,};
4580 		struct sockaddr_in *addr4 = NULL;
4581 		struct sockaddr_in6 *addr6 = NULL;
4582 		u16 family_sa;
4583 		unsigned short snum;
4584 		u32 sid, node_perm;
4585 
4586 		/*
4587 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4588 		 * that validates multiple binding addresses. Because of this
4589 		 * need to check address->sa_family as it is possible to have
4590 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4591 		 */
4592 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4593 			return -EINVAL;
4594 		family_sa = address->sa_family;
4595 		switch (family_sa) {
4596 		case AF_UNSPEC:
4597 		case AF_INET:
4598 			if (addrlen < sizeof(struct sockaddr_in))
4599 				return -EINVAL;
4600 			addr4 = (struct sockaddr_in *)address;
4601 			if (family_sa == AF_UNSPEC) {
4602 				/* see __inet_bind(), we only want to allow
4603 				 * AF_UNSPEC if the address is INADDR_ANY
4604 				 */
4605 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4606 					goto err_af;
4607 				family_sa = AF_INET;
4608 			}
4609 			snum = ntohs(addr4->sin_port);
4610 			addrp = (char *)&addr4->sin_addr.s_addr;
4611 			break;
4612 		case AF_INET6:
4613 			if (addrlen < SIN6_LEN_RFC2133)
4614 				return -EINVAL;
4615 			addr6 = (struct sockaddr_in6 *)address;
4616 			snum = ntohs(addr6->sin6_port);
4617 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4618 			break;
4619 		default:
4620 			goto err_af;
4621 		}
4622 
4623 		ad.type = LSM_AUDIT_DATA_NET;
4624 		ad.u.net = &net;
4625 		ad.u.net->sport = htons(snum);
4626 		ad.u.net->family = family_sa;
4627 
4628 		if (snum) {
4629 			int low, high;
4630 
4631 			inet_get_local_port_range(sock_net(sk), &low, &high);
4632 
4633 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4634 			    snum < low || snum > high) {
4635 				err = sel_netport_sid(sk->sk_protocol,
4636 						      snum, &sid);
4637 				if (err)
4638 					goto out;
4639 				err = avc_has_perm(&selinux_state,
4640 						   sksec->sid, sid,
4641 						   sksec->sclass,
4642 						   SOCKET__NAME_BIND, &ad);
4643 				if (err)
4644 					goto out;
4645 			}
4646 		}
4647 
4648 		switch (sksec->sclass) {
4649 		case SECCLASS_TCP_SOCKET:
4650 			node_perm = TCP_SOCKET__NODE_BIND;
4651 			break;
4652 
4653 		case SECCLASS_UDP_SOCKET:
4654 			node_perm = UDP_SOCKET__NODE_BIND;
4655 			break;
4656 
4657 		case SECCLASS_DCCP_SOCKET:
4658 			node_perm = DCCP_SOCKET__NODE_BIND;
4659 			break;
4660 
4661 		case SECCLASS_SCTP_SOCKET:
4662 			node_perm = SCTP_SOCKET__NODE_BIND;
4663 			break;
4664 
4665 		default:
4666 			node_perm = RAWIP_SOCKET__NODE_BIND;
4667 			break;
4668 		}
4669 
4670 		err = sel_netnode_sid(addrp, family_sa, &sid);
4671 		if (err)
4672 			goto out;
4673 
4674 		if (family_sa == AF_INET)
4675 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4676 		else
4677 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4678 
4679 		err = avc_has_perm(&selinux_state,
4680 				   sksec->sid, sid,
4681 				   sksec->sclass, node_perm, &ad);
4682 		if (err)
4683 			goto out;
4684 	}
4685 out:
4686 	return err;
4687 err_af:
4688 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4689 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4690 		return -EINVAL;
4691 	return -EAFNOSUPPORT;
4692 }
4693 
4694 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4695  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4696  */
4697 static int selinux_socket_connect_helper(struct socket *sock,
4698 					 struct sockaddr *address, int addrlen)
4699 {
4700 	struct sock *sk = sock->sk;
4701 	struct sk_security_struct *sksec = sk->sk_security;
4702 	int err;
4703 
4704 	err = sock_has_perm(sk, SOCKET__CONNECT);
4705 	if (err)
4706 		return err;
4707 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4708 		return -EINVAL;
4709 
4710 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4711 	 * way to disconnect the socket
4712 	 */
4713 	if (address->sa_family == AF_UNSPEC)
4714 		return 0;
4715 
4716 	/*
4717 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4718 	 * for the port.
4719 	 */
4720 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4721 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4722 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4723 		struct common_audit_data ad;
4724 		struct lsm_network_audit net = {0,};
4725 		struct sockaddr_in *addr4 = NULL;
4726 		struct sockaddr_in6 *addr6 = NULL;
4727 		unsigned short snum;
4728 		u32 sid, perm;
4729 
4730 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4731 		 * that validates multiple connect addresses. Because of this
4732 		 * need to check address->sa_family as it is possible to have
4733 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4734 		 */
4735 		switch (address->sa_family) {
4736 		case AF_INET:
4737 			addr4 = (struct sockaddr_in *)address;
4738 			if (addrlen < sizeof(struct sockaddr_in))
4739 				return -EINVAL;
4740 			snum = ntohs(addr4->sin_port);
4741 			break;
4742 		case AF_INET6:
4743 			addr6 = (struct sockaddr_in6 *)address;
4744 			if (addrlen < SIN6_LEN_RFC2133)
4745 				return -EINVAL;
4746 			snum = ntohs(addr6->sin6_port);
4747 			break;
4748 		default:
4749 			/* Note that SCTP services expect -EINVAL, whereas
4750 			 * others expect -EAFNOSUPPORT.
4751 			 */
4752 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4753 				return -EINVAL;
4754 			else
4755 				return -EAFNOSUPPORT;
4756 		}
4757 
4758 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4759 		if (err)
4760 			return err;
4761 
4762 		switch (sksec->sclass) {
4763 		case SECCLASS_TCP_SOCKET:
4764 			perm = TCP_SOCKET__NAME_CONNECT;
4765 			break;
4766 		case SECCLASS_DCCP_SOCKET:
4767 			perm = DCCP_SOCKET__NAME_CONNECT;
4768 			break;
4769 		case SECCLASS_SCTP_SOCKET:
4770 			perm = SCTP_SOCKET__NAME_CONNECT;
4771 			break;
4772 		}
4773 
4774 		ad.type = LSM_AUDIT_DATA_NET;
4775 		ad.u.net = &net;
4776 		ad.u.net->dport = htons(snum);
4777 		ad.u.net->family = address->sa_family;
4778 		err = avc_has_perm(&selinux_state,
4779 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4780 		if (err)
4781 			return err;
4782 	}
4783 
4784 	return 0;
4785 }
4786 
4787 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4788 static int selinux_socket_connect(struct socket *sock,
4789 				  struct sockaddr *address, int addrlen)
4790 {
4791 	int err;
4792 	struct sock *sk = sock->sk;
4793 
4794 	err = selinux_socket_connect_helper(sock, address, addrlen);
4795 	if (err)
4796 		return err;
4797 
4798 	return selinux_netlbl_socket_connect(sk, address);
4799 }
4800 
4801 static int selinux_socket_listen(struct socket *sock, int backlog)
4802 {
4803 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4804 }
4805 
4806 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4807 {
4808 	int err;
4809 	struct inode_security_struct *isec;
4810 	struct inode_security_struct *newisec;
4811 	u16 sclass;
4812 	u32 sid;
4813 
4814 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4815 	if (err)
4816 		return err;
4817 
4818 	isec = inode_security_novalidate(SOCK_INODE(sock));
4819 	spin_lock(&isec->lock);
4820 	sclass = isec->sclass;
4821 	sid = isec->sid;
4822 	spin_unlock(&isec->lock);
4823 
4824 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4825 	newisec->sclass = sclass;
4826 	newisec->sid = sid;
4827 	newisec->initialized = LABEL_INITIALIZED;
4828 
4829 	return 0;
4830 }
4831 
4832 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4833 				  int size)
4834 {
4835 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4836 }
4837 
4838 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4839 				  int size, int flags)
4840 {
4841 	return sock_has_perm(sock->sk, SOCKET__READ);
4842 }
4843 
4844 static int selinux_socket_getsockname(struct socket *sock)
4845 {
4846 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4847 }
4848 
4849 static int selinux_socket_getpeername(struct socket *sock)
4850 {
4851 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4852 }
4853 
4854 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4855 {
4856 	int err;
4857 
4858 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4859 	if (err)
4860 		return err;
4861 
4862 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4863 }
4864 
4865 static int selinux_socket_getsockopt(struct socket *sock, int level,
4866 				     int optname)
4867 {
4868 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4869 }
4870 
4871 static int selinux_socket_shutdown(struct socket *sock, int how)
4872 {
4873 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4874 }
4875 
4876 static int selinux_socket_unix_stream_connect(struct sock *sock,
4877 					      struct sock *other,
4878 					      struct sock *newsk)
4879 {
4880 	struct sk_security_struct *sksec_sock = sock->sk_security;
4881 	struct sk_security_struct *sksec_other = other->sk_security;
4882 	struct sk_security_struct *sksec_new = newsk->sk_security;
4883 	struct common_audit_data ad;
4884 	struct lsm_network_audit net = {0,};
4885 	int err;
4886 
4887 	ad.type = LSM_AUDIT_DATA_NET;
4888 	ad.u.net = &net;
4889 	ad.u.net->sk = other;
4890 
4891 	err = avc_has_perm(&selinux_state,
4892 			   sksec_sock->sid, sksec_other->sid,
4893 			   sksec_other->sclass,
4894 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4895 	if (err)
4896 		return err;
4897 
4898 	/* server child socket */
4899 	sksec_new->peer_sid = sksec_sock->sid;
4900 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4901 				    sksec_sock->sid, &sksec_new->sid);
4902 	if (err)
4903 		return err;
4904 
4905 	/* connecting socket */
4906 	sksec_sock->peer_sid = sksec_new->sid;
4907 
4908 	return 0;
4909 }
4910 
4911 static int selinux_socket_unix_may_send(struct socket *sock,
4912 					struct socket *other)
4913 {
4914 	struct sk_security_struct *ssec = sock->sk->sk_security;
4915 	struct sk_security_struct *osec = other->sk->sk_security;
4916 	struct common_audit_data ad;
4917 	struct lsm_network_audit net = {0,};
4918 
4919 	ad.type = LSM_AUDIT_DATA_NET;
4920 	ad.u.net = &net;
4921 	ad.u.net->sk = other->sk;
4922 
4923 	return avc_has_perm(&selinux_state,
4924 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4925 			    &ad);
4926 }
4927 
4928 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4929 				    char *addrp, u16 family, u32 peer_sid,
4930 				    struct common_audit_data *ad)
4931 {
4932 	int err;
4933 	u32 if_sid;
4934 	u32 node_sid;
4935 
4936 	err = sel_netif_sid(ns, ifindex, &if_sid);
4937 	if (err)
4938 		return err;
4939 	err = avc_has_perm(&selinux_state,
4940 			   peer_sid, if_sid,
4941 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4942 	if (err)
4943 		return err;
4944 
4945 	err = sel_netnode_sid(addrp, family, &node_sid);
4946 	if (err)
4947 		return err;
4948 	return avc_has_perm(&selinux_state,
4949 			    peer_sid, node_sid,
4950 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4951 }
4952 
4953 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4954 				       u16 family)
4955 {
4956 	int err = 0;
4957 	struct sk_security_struct *sksec = sk->sk_security;
4958 	u32 sk_sid = sksec->sid;
4959 	struct common_audit_data ad;
4960 	struct lsm_network_audit net = {0,};
4961 	char *addrp;
4962 
4963 	ad.type = LSM_AUDIT_DATA_NET;
4964 	ad.u.net = &net;
4965 	ad.u.net->netif = skb->skb_iif;
4966 	ad.u.net->family = family;
4967 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4968 	if (err)
4969 		return err;
4970 
4971 	if (selinux_secmark_enabled()) {
4972 		err = avc_has_perm(&selinux_state,
4973 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4974 				   PACKET__RECV, &ad);
4975 		if (err)
4976 			return err;
4977 	}
4978 
4979 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4980 	if (err)
4981 		return err;
4982 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4983 
4984 	return err;
4985 }
4986 
4987 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4988 {
4989 	int err;
4990 	struct sk_security_struct *sksec = sk->sk_security;
4991 	u16 family = sk->sk_family;
4992 	u32 sk_sid = sksec->sid;
4993 	struct common_audit_data ad;
4994 	struct lsm_network_audit net = {0,};
4995 	char *addrp;
4996 	u8 secmark_active;
4997 	u8 peerlbl_active;
4998 
4999 	if (family != PF_INET && family != PF_INET6)
5000 		return 0;
5001 
5002 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5003 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5004 		family = PF_INET;
5005 
5006 	/* If any sort of compatibility mode is enabled then handoff processing
5007 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5008 	 * special handling.  We do this in an attempt to keep this function
5009 	 * as fast and as clean as possible. */
5010 	if (!selinux_policycap_netpeer())
5011 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5012 
5013 	secmark_active = selinux_secmark_enabled();
5014 	peerlbl_active = selinux_peerlbl_enabled();
5015 	if (!secmark_active && !peerlbl_active)
5016 		return 0;
5017 
5018 	ad.type = LSM_AUDIT_DATA_NET;
5019 	ad.u.net = &net;
5020 	ad.u.net->netif = skb->skb_iif;
5021 	ad.u.net->family = family;
5022 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5023 	if (err)
5024 		return err;
5025 
5026 	if (peerlbl_active) {
5027 		u32 peer_sid;
5028 
5029 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5030 		if (err)
5031 			return err;
5032 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5033 					       addrp, family, peer_sid, &ad);
5034 		if (err) {
5035 			selinux_netlbl_err(skb, family, err, 0);
5036 			return err;
5037 		}
5038 		err = avc_has_perm(&selinux_state,
5039 				   sk_sid, peer_sid, SECCLASS_PEER,
5040 				   PEER__RECV, &ad);
5041 		if (err) {
5042 			selinux_netlbl_err(skb, family, err, 0);
5043 			return err;
5044 		}
5045 	}
5046 
5047 	if (secmark_active) {
5048 		err = avc_has_perm(&selinux_state,
5049 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5050 				   PACKET__RECV, &ad);
5051 		if (err)
5052 			return err;
5053 	}
5054 
5055 	return err;
5056 }
5057 
5058 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5059 					    int __user *optlen, unsigned len)
5060 {
5061 	int err = 0;
5062 	char *scontext;
5063 	u32 scontext_len;
5064 	struct sk_security_struct *sksec = sock->sk->sk_security;
5065 	u32 peer_sid = SECSID_NULL;
5066 
5067 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5068 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5069 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5070 		peer_sid = sksec->peer_sid;
5071 	if (peer_sid == SECSID_NULL)
5072 		return -ENOPROTOOPT;
5073 
5074 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5075 				      &scontext_len);
5076 	if (err)
5077 		return err;
5078 
5079 	if (scontext_len > len) {
5080 		err = -ERANGE;
5081 		goto out_len;
5082 	}
5083 
5084 	if (copy_to_user(optval, scontext, scontext_len))
5085 		err = -EFAULT;
5086 
5087 out_len:
5088 	if (put_user(scontext_len, optlen))
5089 		err = -EFAULT;
5090 	kfree(scontext);
5091 	return err;
5092 }
5093 
5094 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5095 {
5096 	u32 peer_secid = SECSID_NULL;
5097 	u16 family;
5098 	struct inode_security_struct *isec;
5099 
5100 	if (skb && skb->protocol == htons(ETH_P_IP))
5101 		family = PF_INET;
5102 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5103 		family = PF_INET6;
5104 	else if (sock)
5105 		family = sock->sk->sk_family;
5106 	else
5107 		goto out;
5108 
5109 	if (sock && family == PF_UNIX) {
5110 		isec = inode_security_novalidate(SOCK_INODE(sock));
5111 		peer_secid = isec->sid;
5112 	} else if (skb)
5113 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5114 
5115 out:
5116 	*secid = peer_secid;
5117 	if (peer_secid == SECSID_NULL)
5118 		return -EINVAL;
5119 	return 0;
5120 }
5121 
5122 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5123 {
5124 	struct sk_security_struct *sksec;
5125 
5126 	sksec = kzalloc(sizeof(*sksec), priority);
5127 	if (!sksec)
5128 		return -ENOMEM;
5129 
5130 	sksec->peer_sid = SECINITSID_UNLABELED;
5131 	sksec->sid = SECINITSID_UNLABELED;
5132 	sksec->sclass = SECCLASS_SOCKET;
5133 	selinux_netlbl_sk_security_reset(sksec);
5134 	sk->sk_security = sksec;
5135 
5136 	return 0;
5137 }
5138 
5139 static void selinux_sk_free_security(struct sock *sk)
5140 {
5141 	struct sk_security_struct *sksec = sk->sk_security;
5142 
5143 	sk->sk_security = NULL;
5144 	selinux_netlbl_sk_security_free(sksec);
5145 	kfree(sksec);
5146 }
5147 
5148 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5149 {
5150 	struct sk_security_struct *sksec = sk->sk_security;
5151 	struct sk_security_struct *newsksec = newsk->sk_security;
5152 
5153 	newsksec->sid = sksec->sid;
5154 	newsksec->peer_sid = sksec->peer_sid;
5155 	newsksec->sclass = sksec->sclass;
5156 
5157 	selinux_netlbl_sk_security_reset(newsksec);
5158 }
5159 
5160 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5161 {
5162 	if (!sk)
5163 		*secid = SECINITSID_ANY_SOCKET;
5164 	else {
5165 		struct sk_security_struct *sksec = sk->sk_security;
5166 
5167 		*secid = sksec->sid;
5168 	}
5169 }
5170 
5171 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5172 {
5173 	struct inode_security_struct *isec =
5174 		inode_security_novalidate(SOCK_INODE(parent));
5175 	struct sk_security_struct *sksec = sk->sk_security;
5176 
5177 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5178 	    sk->sk_family == PF_UNIX)
5179 		isec->sid = sksec->sid;
5180 	sksec->sclass = isec->sclass;
5181 }
5182 
5183 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5184  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5185  * already present).
5186  */
5187 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5188 				      struct sk_buff *skb)
5189 {
5190 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5191 	struct common_audit_data ad;
5192 	struct lsm_network_audit net = {0,};
5193 	u8 peerlbl_active;
5194 	u32 peer_sid = SECINITSID_UNLABELED;
5195 	u32 conn_sid;
5196 	int err = 0;
5197 
5198 	if (!selinux_policycap_extsockclass())
5199 		return 0;
5200 
5201 	peerlbl_active = selinux_peerlbl_enabled();
5202 
5203 	if (peerlbl_active) {
5204 		/* This will return peer_sid = SECSID_NULL if there are
5205 		 * no peer labels, see security_net_peersid_resolve().
5206 		 */
5207 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5208 					      &peer_sid);
5209 		if (err)
5210 			return err;
5211 
5212 		if (peer_sid == SECSID_NULL)
5213 			peer_sid = SECINITSID_UNLABELED;
5214 	}
5215 
5216 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5217 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5218 
5219 		/* Here as first association on socket. As the peer SID
5220 		 * was allowed by peer recv (and the netif/node checks),
5221 		 * then it is approved by policy and used as the primary
5222 		 * peer SID for getpeercon(3).
5223 		 */
5224 		sksec->peer_sid = peer_sid;
5225 	} else if  (sksec->peer_sid != peer_sid) {
5226 		/* Other association peer SIDs are checked to enforce
5227 		 * consistency among the peer SIDs.
5228 		 */
5229 		ad.type = LSM_AUDIT_DATA_NET;
5230 		ad.u.net = &net;
5231 		ad.u.net->sk = ep->base.sk;
5232 		err = avc_has_perm(&selinux_state,
5233 				   sksec->peer_sid, peer_sid, sksec->sclass,
5234 				   SCTP_SOCKET__ASSOCIATION, &ad);
5235 		if (err)
5236 			return err;
5237 	}
5238 
5239 	/* Compute the MLS component for the connection and store
5240 	 * the information in ep. This will be used by SCTP TCP type
5241 	 * sockets and peeled off connections as they cause a new
5242 	 * socket to be generated. selinux_sctp_sk_clone() will then
5243 	 * plug this into the new socket.
5244 	 */
5245 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5246 	if (err)
5247 		return err;
5248 
5249 	ep->secid = conn_sid;
5250 	ep->peer_secid = peer_sid;
5251 
5252 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5253 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5254 }
5255 
5256 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5257  * based on their @optname.
5258  */
5259 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5260 				     struct sockaddr *address,
5261 				     int addrlen)
5262 {
5263 	int len, err = 0, walk_size = 0;
5264 	void *addr_buf;
5265 	struct sockaddr *addr;
5266 	struct socket *sock;
5267 
5268 	if (!selinux_policycap_extsockclass())
5269 		return 0;
5270 
5271 	/* Process one or more addresses that may be IPv4 or IPv6 */
5272 	sock = sk->sk_socket;
5273 	addr_buf = address;
5274 
5275 	while (walk_size < addrlen) {
5276 		if (walk_size + sizeof(sa_family_t) > addrlen)
5277 			return -EINVAL;
5278 
5279 		addr = addr_buf;
5280 		switch (addr->sa_family) {
5281 		case AF_UNSPEC:
5282 		case AF_INET:
5283 			len = sizeof(struct sockaddr_in);
5284 			break;
5285 		case AF_INET6:
5286 			len = sizeof(struct sockaddr_in6);
5287 			break;
5288 		default:
5289 			return -EINVAL;
5290 		}
5291 
5292 		if (walk_size + len > addrlen)
5293 			return -EINVAL;
5294 
5295 		err = -EINVAL;
5296 		switch (optname) {
5297 		/* Bind checks */
5298 		case SCTP_PRIMARY_ADDR:
5299 		case SCTP_SET_PEER_PRIMARY_ADDR:
5300 		case SCTP_SOCKOPT_BINDX_ADD:
5301 			err = selinux_socket_bind(sock, addr, len);
5302 			break;
5303 		/* Connect checks */
5304 		case SCTP_SOCKOPT_CONNECTX:
5305 		case SCTP_PARAM_SET_PRIMARY:
5306 		case SCTP_PARAM_ADD_IP:
5307 		case SCTP_SENDMSG_CONNECT:
5308 			err = selinux_socket_connect_helper(sock, addr, len);
5309 			if (err)
5310 				return err;
5311 
5312 			/* As selinux_sctp_bind_connect() is called by the
5313 			 * SCTP protocol layer, the socket is already locked,
5314 			 * therefore selinux_netlbl_socket_connect_locked() is
5315 			 * is called here. The situations handled are:
5316 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5317 			 * whenever a new IP address is added or when a new
5318 			 * primary address is selected.
5319 			 * Note that an SCTP connect(2) call happens before
5320 			 * the SCTP protocol layer and is handled via
5321 			 * selinux_socket_connect().
5322 			 */
5323 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5324 			break;
5325 		}
5326 
5327 		if (err)
5328 			return err;
5329 
5330 		addr_buf += len;
5331 		walk_size += len;
5332 	}
5333 
5334 	return 0;
5335 }
5336 
5337 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5338 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5339 				  struct sock *newsk)
5340 {
5341 	struct sk_security_struct *sksec = sk->sk_security;
5342 	struct sk_security_struct *newsksec = newsk->sk_security;
5343 
5344 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5345 	 * the non-sctp clone version.
5346 	 */
5347 	if (!selinux_policycap_extsockclass())
5348 		return selinux_sk_clone_security(sk, newsk);
5349 
5350 	newsksec->sid = ep->secid;
5351 	newsksec->peer_sid = ep->peer_secid;
5352 	newsksec->sclass = sksec->sclass;
5353 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5354 }
5355 
5356 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5357 				     struct request_sock *req)
5358 {
5359 	struct sk_security_struct *sksec = sk->sk_security;
5360 	int err;
5361 	u16 family = req->rsk_ops->family;
5362 	u32 connsid;
5363 	u32 peersid;
5364 
5365 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5366 	if (err)
5367 		return err;
5368 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5369 	if (err)
5370 		return err;
5371 	req->secid = connsid;
5372 	req->peer_secid = peersid;
5373 
5374 	return selinux_netlbl_inet_conn_request(req, family);
5375 }
5376 
5377 static void selinux_inet_csk_clone(struct sock *newsk,
5378 				   const struct request_sock *req)
5379 {
5380 	struct sk_security_struct *newsksec = newsk->sk_security;
5381 
5382 	newsksec->sid = req->secid;
5383 	newsksec->peer_sid = req->peer_secid;
5384 	/* NOTE: Ideally, we should also get the isec->sid for the
5385 	   new socket in sync, but we don't have the isec available yet.
5386 	   So we will wait until sock_graft to do it, by which
5387 	   time it will have been created and available. */
5388 
5389 	/* We don't need to take any sort of lock here as we are the only
5390 	 * thread with access to newsksec */
5391 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5392 }
5393 
5394 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5395 {
5396 	u16 family = sk->sk_family;
5397 	struct sk_security_struct *sksec = sk->sk_security;
5398 
5399 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5400 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5401 		family = PF_INET;
5402 
5403 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5404 }
5405 
5406 static int selinux_secmark_relabel_packet(u32 sid)
5407 {
5408 	const struct task_security_struct *__tsec;
5409 	u32 tsid;
5410 
5411 	__tsec = selinux_cred(current_cred());
5412 	tsid = __tsec->sid;
5413 
5414 	return avc_has_perm(&selinux_state,
5415 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5416 			    NULL);
5417 }
5418 
5419 static void selinux_secmark_refcount_inc(void)
5420 {
5421 	atomic_inc(&selinux_secmark_refcount);
5422 }
5423 
5424 static void selinux_secmark_refcount_dec(void)
5425 {
5426 	atomic_dec(&selinux_secmark_refcount);
5427 }
5428 
5429 static void selinux_req_classify_flow(const struct request_sock *req,
5430 				      struct flowi *fl)
5431 {
5432 	fl->flowi_secid = req->secid;
5433 }
5434 
5435 static int selinux_tun_dev_alloc_security(void **security)
5436 {
5437 	struct tun_security_struct *tunsec;
5438 
5439 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5440 	if (!tunsec)
5441 		return -ENOMEM;
5442 	tunsec->sid = current_sid();
5443 
5444 	*security = tunsec;
5445 	return 0;
5446 }
5447 
5448 static void selinux_tun_dev_free_security(void *security)
5449 {
5450 	kfree(security);
5451 }
5452 
5453 static int selinux_tun_dev_create(void)
5454 {
5455 	u32 sid = current_sid();
5456 
5457 	/* we aren't taking into account the "sockcreate" SID since the socket
5458 	 * that is being created here is not a socket in the traditional sense,
5459 	 * instead it is a private sock, accessible only to the kernel, and
5460 	 * representing a wide range of network traffic spanning multiple
5461 	 * connections unlike traditional sockets - check the TUN driver to
5462 	 * get a better understanding of why this socket is special */
5463 
5464 	return avc_has_perm(&selinux_state,
5465 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5466 			    NULL);
5467 }
5468 
5469 static int selinux_tun_dev_attach_queue(void *security)
5470 {
5471 	struct tun_security_struct *tunsec = security;
5472 
5473 	return avc_has_perm(&selinux_state,
5474 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5475 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5476 }
5477 
5478 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5479 {
5480 	struct tun_security_struct *tunsec = security;
5481 	struct sk_security_struct *sksec = sk->sk_security;
5482 
5483 	/* we don't currently perform any NetLabel based labeling here and it
5484 	 * isn't clear that we would want to do so anyway; while we could apply
5485 	 * labeling without the support of the TUN user the resulting labeled
5486 	 * traffic from the other end of the connection would almost certainly
5487 	 * cause confusion to the TUN user that had no idea network labeling
5488 	 * protocols were being used */
5489 
5490 	sksec->sid = tunsec->sid;
5491 	sksec->sclass = SECCLASS_TUN_SOCKET;
5492 
5493 	return 0;
5494 }
5495 
5496 static int selinux_tun_dev_open(void *security)
5497 {
5498 	struct tun_security_struct *tunsec = security;
5499 	u32 sid = current_sid();
5500 	int err;
5501 
5502 	err = avc_has_perm(&selinux_state,
5503 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5504 			   TUN_SOCKET__RELABELFROM, NULL);
5505 	if (err)
5506 		return err;
5507 	err = avc_has_perm(&selinux_state,
5508 			   sid, sid, SECCLASS_TUN_SOCKET,
5509 			   TUN_SOCKET__RELABELTO, NULL);
5510 	if (err)
5511 		return err;
5512 	tunsec->sid = sid;
5513 
5514 	return 0;
5515 }
5516 
5517 #ifdef CONFIG_NETFILTER
5518 
5519 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5520 				       const struct net_device *indev,
5521 				       u16 family)
5522 {
5523 	int err;
5524 	char *addrp;
5525 	u32 peer_sid;
5526 	struct common_audit_data ad;
5527 	struct lsm_network_audit net = {0,};
5528 	u8 secmark_active;
5529 	u8 netlbl_active;
5530 	u8 peerlbl_active;
5531 
5532 	if (!selinux_policycap_netpeer())
5533 		return NF_ACCEPT;
5534 
5535 	secmark_active = selinux_secmark_enabled();
5536 	netlbl_active = netlbl_enabled();
5537 	peerlbl_active = selinux_peerlbl_enabled();
5538 	if (!secmark_active && !peerlbl_active)
5539 		return NF_ACCEPT;
5540 
5541 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5542 		return NF_DROP;
5543 
5544 	ad.type = LSM_AUDIT_DATA_NET;
5545 	ad.u.net = &net;
5546 	ad.u.net->netif = indev->ifindex;
5547 	ad.u.net->family = family;
5548 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5549 		return NF_DROP;
5550 
5551 	if (peerlbl_active) {
5552 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5553 					       addrp, family, peer_sid, &ad);
5554 		if (err) {
5555 			selinux_netlbl_err(skb, family, err, 1);
5556 			return NF_DROP;
5557 		}
5558 	}
5559 
5560 	if (secmark_active)
5561 		if (avc_has_perm(&selinux_state,
5562 				 peer_sid, skb->secmark,
5563 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5564 			return NF_DROP;
5565 
5566 	if (netlbl_active)
5567 		/* we do this in the FORWARD path and not the POST_ROUTING
5568 		 * path because we want to make sure we apply the necessary
5569 		 * labeling before IPsec is applied so we can leverage AH
5570 		 * protection */
5571 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5572 			return NF_DROP;
5573 
5574 	return NF_ACCEPT;
5575 }
5576 
5577 static unsigned int selinux_ipv4_forward(void *priv,
5578 					 struct sk_buff *skb,
5579 					 const struct nf_hook_state *state)
5580 {
5581 	return selinux_ip_forward(skb, state->in, PF_INET);
5582 }
5583 
5584 #if IS_ENABLED(CONFIG_IPV6)
5585 static unsigned int selinux_ipv6_forward(void *priv,
5586 					 struct sk_buff *skb,
5587 					 const struct nf_hook_state *state)
5588 {
5589 	return selinux_ip_forward(skb, state->in, PF_INET6);
5590 }
5591 #endif	/* IPV6 */
5592 
5593 static unsigned int selinux_ip_output(struct sk_buff *skb,
5594 				      u16 family)
5595 {
5596 	struct sock *sk;
5597 	u32 sid;
5598 
5599 	if (!netlbl_enabled())
5600 		return NF_ACCEPT;
5601 
5602 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5603 	 * because we want to make sure we apply the necessary labeling
5604 	 * before IPsec is applied so we can leverage AH protection */
5605 	sk = skb->sk;
5606 	if (sk) {
5607 		struct sk_security_struct *sksec;
5608 
5609 		if (sk_listener(sk))
5610 			/* if the socket is the listening state then this
5611 			 * packet is a SYN-ACK packet which means it needs to
5612 			 * be labeled based on the connection/request_sock and
5613 			 * not the parent socket.  unfortunately, we can't
5614 			 * lookup the request_sock yet as it isn't queued on
5615 			 * the parent socket until after the SYN-ACK is sent.
5616 			 * the "solution" is to simply pass the packet as-is
5617 			 * as any IP option based labeling should be copied
5618 			 * from the initial connection request (in the IP
5619 			 * layer).  it is far from ideal, but until we get a
5620 			 * security label in the packet itself this is the
5621 			 * best we can do. */
5622 			return NF_ACCEPT;
5623 
5624 		/* standard practice, label using the parent socket */
5625 		sksec = sk->sk_security;
5626 		sid = sksec->sid;
5627 	} else
5628 		sid = SECINITSID_KERNEL;
5629 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5630 		return NF_DROP;
5631 
5632 	return NF_ACCEPT;
5633 }
5634 
5635 static unsigned int selinux_ipv4_output(void *priv,
5636 					struct sk_buff *skb,
5637 					const struct nf_hook_state *state)
5638 {
5639 	return selinux_ip_output(skb, PF_INET);
5640 }
5641 
5642 #if IS_ENABLED(CONFIG_IPV6)
5643 static unsigned int selinux_ipv6_output(void *priv,
5644 					struct sk_buff *skb,
5645 					const struct nf_hook_state *state)
5646 {
5647 	return selinux_ip_output(skb, PF_INET6);
5648 }
5649 #endif	/* IPV6 */
5650 
5651 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5652 						int ifindex,
5653 						u16 family)
5654 {
5655 	struct sock *sk = skb_to_full_sk(skb);
5656 	struct sk_security_struct *sksec;
5657 	struct common_audit_data ad;
5658 	struct lsm_network_audit net = {0,};
5659 	char *addrp;
5660 	u8 proto;
5661 
5662 	if (sk == NULL)
5663 		return NF_ACCEPT;
5664 	sksec = sk->sk_security;
5665 
5666 	ad.type = LSM_AUDIT_DATA_NET;
5667 	ad.u.net = &net;
5668 	ad.u.net->netif = ifindex;
5669 	ad.u.net->family = family;
5670 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5671 		return NF_DROP;
5672 
5673 	if (selinux_secmark_enabled())
5674 		if (avc_has_perm(&selinux_state,
5675 				 sksec->sid, skb->secmark,
5676 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5677 			return NF_DROP_ERR(-ECONNREFUSED);
5678 
5679 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5680 		return NF_DROP_ERR(-ECONNREFUSED);
5681 
5682 	return NF_ACCEPT;
5683 }
5684 
5685 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5686 					 const struct net_device *outdev,
5687 					 u16 family)
5688 {
5689 	u32 secmark_perm;
5690 	u32 peer_sid;
5691 	int ifindex = outdev->ifindex;
5692 	struct sock *sk;
5693 	struct common_audit_data ad;
5694 	struct lsm_network_audit net = {0,};
5695 	char *addrp;
5696 	u8 secmark_active;
5697 	u8 peerlbl_active;
5698 
5699 	/* If any sort of compatibility mode is enabled then handoff processing
5700 	 * to the selinux_ip_postroute_compat() function to deal with the
5701 	 * special handling.  We do this in an attempt to keep this function
5702 	 * as fast and as clean as possible. */
5703 	if (!selinux_policycap_netpeer())
5704 		return selinux_ip_postroute_compat(skb, ifindex, family);
5705 
5706 	secmark_active = selinux_secmark_enabled();
5707 	peerlbl_active = selinux_peerlbl_enabled();
5708 	if (!secmark_active && !peerlbl_active)
5709 		return NF_ACCEPT;
5710 
5711 	sk = skb_to_full_sk(skb);
5712 
5713 #ifdef CONFIG_XFRM
5714 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5715 	 * packet transformation so allow the packet to pass without any checks
5716 	 * since we'll have another chance to perform access control checks
5717 	 * when the packet is on it's final way out.
5718 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5719 	 *       is NULL, in this case go ahead and apply access control.
5720 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5721 	 *       TCP listening state we cannot wait until the XFRM processing
5722 	 *       is done as we will miss out on the SA label if we do;
5723 	 *       unfortunately, this means more work, but it is only once per
5724 	 *       connection. */
5725 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5726 	    !(sk && sk_listener(sk)))
5727 		return NF_ACCEPT;
5728 #endif
5729 
5730 	if (sk == NULL) {
5731 		/* Without an associated socket the packet is either coming
5732 		 * from the kernel or it is being forwarded; check the packet
5733 		 * to determine which and if the packet is being forwarded
5734 		 * query the packet directly to determine the security label. */
5735 		if (skb->skb_iif) {
5736 			secmark_perm = PACKET__FORWARD_OUT;
5737 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5738 				return NF_DROP;
5739 		} else {
5740 			secmark_perm = PACKET__SEND;
5741 			peer_sid = SECINITSID_KERNEL;
5742 		}
5743 	} else if (sk_listener(sk)) {
5744 		/* Locally generated packet but the associated socket is in the
5745 		 * listening state which means this is a SYN-ACK packet.  In
5746 		 * this particular case the correct security label is assigned
5747 		 * to the connection/request_sock but unfortunately we can't
5748 		 * query the request_sock as it isn't queued on the parent
5749 		 * socket until after the SYN-ACK packet is sent; the only
5750 		 * viable choice is to regenerate the label like we do in
5751 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5752 		 * for similar problems. */
5753 		u32 skb_sid;
5754 		struct sk_security_struct *sksec;
5755 
5756 		sksec = sk->sk_security;
5757 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5758 			return NF_DROP;
5759 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5760 		 * and the packet has been through at least one XFRM
5761 		 * transformation then we must be dealing with the "final"
5762 		 * form of labeled IPsec packet; since we've already applied
5763 		 * all of our access controls on this packet we can safely
5764 		 * pass the packet. */
5765 		if (skb_sid == SECSID_NULL) {
5766 			switch (family) {
5767 			case PF_INET:
5768 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5769 					return NF_ACCEPT;
5770 				break;
5771 			case PF_INET6:
5772 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5773 					return NF_ACCEPT;
5774 				break;
5775 			default:
5776 				return NF_DROP_ERR(-ECONNREFUSED);
5777 			}
5778 		}
5779 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5780 			return NF_DROP;
5781 		secmark_perm = PACKET__SEND;
5782 	} else {
5783 		/* Locally generated packet, fetch the security label from the
5784 		 * associated socket. */
5785 		struct sk_security_struct *sksec = sk->sk_security;
5786 		peer_sid = sksec->sid;
5787 		secmark_perm = PACKET__SEND;
5788 	}
5789 
5790 	ad.type = LSM_AUDIT_DATA_NET;
5791 	ad.u.net = &net;
5792 	ad.u.net->netif = ifindex;
5793 	ad.u.net->family = family;
5794 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5795 		return NF_DROP;
5796 
5797 	if (secmark_active)
5798 		if (avc_has_perm(&selinux_state,
5799 				 peer_sid, skb->secmark,
5800 				 SECCLASS_PACKET, secmark_perm, &ad))
5801 			return NF_DROP_ERR(-ECONNREFUSED);
5802 
5803 	if (peerlbl_active) {
5804 		u32 if_sid;
5805 		u32 node_sid;
5806 
5807 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5808 			return NF_DROP;
5809 		if (avc_has_perm(&selinux_state,
5810 				 peer_sid, if_sid,
5811 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5812 			return NF_DROP_ERR(-ECONNREFUSED);
5813 
5814 		if (sel_netnode_sid(addrp, family, &node_sid))
5815 			return NF_DROP;
5816 		if (avc_has_perm(&selinux_state,
5817 				 peer_sid, node_sid,
5818 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5819 			return NF_DROP_ERR(-ECONNREFUSED);
5820 	}
5821 
5822 	return NF_ACCEPT;
5823 }
5824 
5825 static unsigned int selinux_ipv4_postroute(void *priv,
5826 					   struct sk_buff *skb,
5827 					   const struct nf_hook_state *state)
5828 {
5829 	return selinux_ip_postroute(skb, state->out, PF_INET);
5830 }
5831 
5832 #if IS_ENABLED(CONFIG_IPV6)
5833 static unsigned int selinux_ipv6_postroute(void *priv,
5834 					   struct sk_buff *skb,
5835 					   const struct nf_hook_state *state)
5836 {
5837 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5838 }
5839 #endif	/* IPV6 */
5840 
5841 #endif	/* CONFIG_NETFILTER */
5842 
5843 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5844 {
5845 	int err = 0;
5846 	u32 perm;
5847 	struct nlmsghdr *nlh;
5848 	struct sk_security_struct *sksec = sk->sk_security;
5849 
5850 	if (skb->len < NLMSG_HDRLEN) {
5851 		err = -EINVAL;
5852 		goto out;
5853 	}
5854 	nlh = nlmsg_hdr(skb);
5855 
5856 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5857 	if (err) {
5858 		if (err == -EINVAL) {
5859 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5860 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5861 			       " pid=%d comm=%s\n",
5862 			       sk->sk_protocol, nlh->nlmsg_type,
5863 			       secclass_map[sksec->sclass - 1].name,
5864 			       task_pid_nr(current), current->comm);
5865 			if (!enforcing_enabled(&selinux_state) ||
5866 			    security_get_allow_unknown(&selinux_state))
5867 				err = 0;
5868 		}
5869 
5870 		/* Ignore */
5871 		if (err == -ENOENT)
5872 			err = 0;
5873 		goto out;
5874 	}
5875 
5876 	err = sock_has_perm(sk, perm);
5877 out:
5878 	return err;
5879 }
5880 
5881 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5882 {
5883 	isec->sclass = sclass;
5884 	isec->sid = current_sid();
5885 }
5886 
5887 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5888 			u32 perms)
5889 {
5890 	struct ipc_security_struct *isec;
5891 	struct common_audit_data ad;
5892 	u32 sid = current_sid();
5893 
5894 	isec = selinux_ipc(ipc_perms);
5895 
5896 	ad.type = LSM_AUDIT_DATA_IPC;
5897 	ad.u.ipc_id = ipc_perms->key;
5898 
5899 	return avc_has_perm(&selinux_state,
5900 			    sid, isec->sid, isec->sclass, perms, &ad);
5901 }
5902 
5903 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5904 {
5905 	struct msg_security_struct *msec;
5906 
5907 	msec = selinux_msg_msg(msg);
5908 	msec->sid = SECINITSID_UNLABELED;
5909 
5910 	return 0;
5911 }
5912 
5913 /* message queue security operations */
5914 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5915 {
5916 	struct ipc_security_struct *isec;
5917 	struct common_audit_data ad;
5918 	u32 sid = current_sid();
5919 	int rc;
5920 
5921 	isec = selinux_ipc(msq);
5922 	ipc_init_security(isec, SECCLASS_MSGQ);
5923 
5924 	ad.type = LSM_AUDIT_DATA_IPC;
5925 	ad.u.ipc_id = msq->key;
5926 
5927 	rc = avc_has_perm(&selinux_state,
5928 			  sid, isec->sid, SECCLASS_MSGQ,
5929 			  MSGQ__CREATE, &ad);
5930 	return rc;
5931 }
5932 
5933 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5934 {
5935 	struct ipc_security_struct *isec;
5936 	struct common_audit_data ad;
5937 	u32 sid = current_sid();
5938 
5939 	isec = selinux_ipc(msq);
5940 
5941 	ad.type = LSM_AUDIT_DATA_IPC;
5942 	ad.u.ipc_id = msq->key;
5943 
5944 	return avc_has_perm(&selinux_state,
5945 			    sid, isec->sid, SECCLASS_MSGQ,
5946 			    MSGQ__ASSOCIATE, &ad);
5947 }
5948 
5949 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5950 {
5951 	int err;
5952 	int perms;
5953 
5954 	switch (cmd) {
5955 	case IPC_INFO:
5956 	case MSG_INFO:
5957 		/* No specific object, just general system-wide information. */
5958 		return avc_has_perm(&selinux_state,
5959 				    current_sid(), SECINITSID_KERNEL,
5960 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5961 	case IPC_STAT:
5962 	case MSG_STAT:
5963 	case MSG_STAT_ANY:
5964 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5965 		break;
5966 	case IPC_SET:
5967 		perms = MSGQ__SETATTR;
5968 		break;
5969 	case IPC_RMID:
5970 		perms = MSGQ__DESTROY;
5971 		break;
5972 	default:
5973 		return 0;
5974 	}
5975 
5976 	err = ipc_has_perm(msq, perms);
5977 	return err;
5978 }
5979 
5980 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5981 {
5982 	struct ipc_security_struct *isec;
5983 	struct msg_security_struct *msec;
5984 	struct common_audit_data ad;
5985 	u32 sid = current_sid();
5986 	int rc;
5987 
5988 	isec = selinux_ipc(msq);
5989 	msec = selinux_msg_msg(msg);
5990 
5991 	/*
5992 	 * First time through, need to assign label to the message
5993 	 */
5994 	if (msec->sid == SECINITSID_UNLABELED) {
5995 		/*
5996 		 * Compute new sid based on current process and
5997 		 * message queue this message will be stored in
5998 		 */
5999 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6000 					     SECCLASS_MSG, NULL, &msec->sid);
6001 		if (rc)
6002 			return rc;
6003 	}
6004 
6005 	ad.type = LSM_AUDIT_DATA_IPC;
6006 	ad.u.ipc_id = msq->key;
6007 
6008 	/* Can this process write to the queue? */
6009 	rc = avc_has_perm(&selinux_state,
6010 			  sid, isec->sid, SECCLASS_MSGQ,
6011 			  MSGQ__WRITE, &ad);
6012 	if (!rc)
6013 		/* Can this process send the message */
6014 		rc = avc_has_perm(&selinux_state,
6015 				  sid, msec->sid, SECCLASS_MSG,
6016 				  MSG__SEND, &ad);
6017 	if (!rc)
6018 		/* Can the message be put in the queue? */
6019 		rc = avc_has_perm(&selinux_state,
6020 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6021 				  MSGQ__ENQUEUE, &ad);
6022 
6023 	return rc;
6024 }
6025 
6026 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6027 				    struct task_struct *target,
6028 				    long type, int mode)
6029 {
6030 	struct ipc_security_struct *isec;
6031 	struct msg_security_struct *msec;
6032 	struct common_audit_data ad;
6033 	u32 sid = task_sid(target);
6034 	int rc;
6035 
6036 	isec = selinux_ipc(msq);
6037 	msec = selinux_msg_msg(msg);
6038 
6039 	ad.type = LSM_AUDIT_DATA_IPC;
6040 	ad.u.ipc_id = msq->key;
6041 
6042 	rc = avc_has_perm(&selinux_state,
6043 			  sid, isec->sid,
6044 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6045 	if (!rc)
6046 		rc = avc_has_perm(&selinux_state,
6047 				  sid, msec->sid,
6048 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6049 	return rc;
6050 }
6051 
6052 /* Shared Memory security operations */
6053 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6054 {
6055 	struct ipc_security_struct *isec;
6056 	struct common_audit_data ad;
6057 	u32 sid = current_sid();
6058 	int rc;
6059 
6060 	isec = selinux_ipc(shp);
6061 	ipc_init_security(isec, SECCLASS_SHM);
6062 
6063 	ad.type = LSM_AUDIT_DATA_IPC;
6064 	ad.u.ipc_id = shp->key;
6065 
6066 	rc = avc_has_perm(&selinux_state,
6067 			  sid, isec->sid, SECCLASS_SHM,
6068 			  SHM__CREATE, &ad);
6069 	return rc;
6070 }
6071 
6072 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6073 {
6074 	struct ipc_security_struct *isec;
6075 	struct common_audit_data ad;
6076 	u32 sid = current_sid();
6077 
6078 	isec = selinux_ipc(shp);
6079 
6080 	ad.type = LSM_AUDIT_DATA_IPC;
6081 	ad.u.ipc_id = shp->key;
6082 
6083 	return avc_has_perm(&selinux_state,
6084 			    sid, isec->sid, SECCLASS_SHM,
6085 			    SHM__ASSOCIATE, &ad);
6086 }
6087 
6088 /* Note, at this point, shp is locked down */
6089 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6090 {
6091 	int perms;
6092 	int err;
6093 
6094 	switch (cmd) {
6095 	case IPC_INFO:
6096 	case SHM_INFO:
6097 		/* No specific object, just general system-wide information. */
6098 		return avc_has_perm(&selinux_state,
6099 				    current_sid(), SECINITSID_KERNEL,
6100 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6101 	case IPC_STAT:
6102 	case SHM_STAT:
6103 	case SHM_STAT_ANY:
6104 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6105 		break;
6106 	case IPC_SET:
6107 		perms = SHM__SETATTR;
6108 		break;
6109 	case SHM_LOCK:
6110 	case SHM_UNLOCK:
6111 		perms = SHM__LOCK;
6112 		break;
6113 	case IPC_RMID:
6114 		perms = SHM__DESTROY;
6115 		break;
6116 	default:
6117 		return 0;
6118 	}
6119 
6120 	err = ipc_has_perm(shp, perms);
6121 	return err;
6122 }
6123 
6124 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6125 			     char __user *shmaddr, int shmflg)
6126 {
6127 	u32 perms;
6128 
6129 	if (shmflg & SHM_RDONLY)
6130 		perms = SHM__READ;
6131 	else
6132 		perms = SHM__READ | SHM__WRITE;
6133 
6134 	return ipc_has_perm(shp, perms);
6135 }
6136 
6137 /* Semaphore security operations */
6138 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6139 {
6140 	struct ipc_security_struct *isec;
6141 	struct common_audit_data ad;
6142 	u32 sid = current_sid();
6143 	int rc;
6144 
6145 	isec = selinux_ipc(sma);
6146 	ipc_init_security(isec, SECCLASS_SEM);
6147 
6148 	ad.type = LSM_AUDIT_DATA_IPC;
6149 	ad.u.ipc_id = sma->key;
6150 
6151 	rc = avc_has_perm(&selinux_state,
6152 			  sid, isec->sid, SECCLASS_SEM,
6153 			  SEM__CREATE, &ad);
6154 	return rc;
6155 }
6156 
6157 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6158 {
6159 	struct ipc_security_struct *isec;
6160 	struct common_audit_data ad;
6161 	u32 sid = current_sid();
6162 
6163 	isec = selinux_ipc(sma);
6164 
6165 	ad.type = LSM_AUDIT_DATA_IPC;
6166 	ad.u.ipc_id = sma->key;
6167 
6168 	return avc_has_perm(&selinux_state,
6169 			    sid, isec->sid, SECCLASS_SEM,
6170 			    SEM__ASSOCIATE, &ad);
6171 }
6172 
6173 /* Note, at this point, sma is locked down */
6174 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6175 {
6176 	int err;
6177 	u32 perms;
6178 
6179 	switch (cmd) {
6180 	case IPC_INFO:
6181 	case SEM_INFO:
6182 		/* No specific object, just general system-wide information. */
6183 		return avc_has_perm(&selinux_state,
6184 				    current_sid(), SECINITSID_KERNEL,
6185 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6186 	case GETPID:
6187 	case GETNCNT:
6188 	case GETZCNT:
6189 		perms = SEM__GETATTR;
6190 		break;
6191 	case GETVAL:
6192 	case GETALL:
6193 		perms = SEM__READ;
6194 		break;
6195 	case SETVAL:
6196 	case SETALL:
6197 		perms = SEM__WRITE;
6198 		break;
6199 	case IPC_RMID:
6200 		perms = SEM__DESTROY;
6201 		break;
6202 	case IPC_SET:
6203 		perms = SEM__SETATTR;
6204 		break;
6205 	case IPC_STAT:
6206 	case SEM_STAT:
6207 	case SEM_STAT_ANY:
6208 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6209 		break;
6210 	default:
6211 		return 0;
6212 	}
6213 
6214 	err = ipc_has_perm(sma, perms);
6215 	return err;
6216 }
6217 
6218 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6219 			     struct sembuf *sops, unsigned nsops, int alter)
6220 {
6221 	u32 perms;
6222 
6223 	if (alter)
6224 		perms = SEM__READ | SEM__WRITE;
6225 	else
6226 		perms = SEM__READ;
6227 
6228 	return ipc_has_perm(sma, perms);
6229 }
6230 
6231 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6232 {
6233 	u32 av = 0;
6234 
6235 	av = 0;
6236 	if (flag & S_IRUGO)
6237 		av |= IPC__UNIX_READ;
6238 	if (flag & S_IWUGO)
6239 		av |= IPC__UNIX_WRITE;
6240 
6241 	if (av == 0)
6242 		return 0;
6243 
6244 	return ipc_has_perm(ipcp, av);
6245 }
6246 
6247 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6248 {
6249 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6250 	*secid = isec->sid;
6251 }
6252 
6253 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6254 {
6255 	if (inode)
6256 		inode_doinit_with_dentry(inode, dentry);
6257 }
6258 
6259 static int selinux_getprocattr(struct task_struct *p,
6260 			       char *name, char **value)
6261 {
6262 	const struct task_security_struct *__tsec;
6263 	u32 sid;
6264 	int error;
6265 	unsigned len;
6266 
6267 	rcu_read_lock();
6268 	__tsec = selinux_cred(__task_cred(p));
6269 
6270 	if (current != p) {
6271 		error = avc_has_perm(&selinux_state,
6272 				     current_sid(), __tsec->sid,
6273 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6274 		if (error)
6275 			goto bad;
6276 	}
6277 
6278 	if (!strcmp(name, "current"))
6279 		sid = __tsec->sid;
6280 	else if (!strcmp(name, "prev"))
6281 		sid = __tsec->osid;
6282 	else if (!strcmp(name, "exec"))
6283 		sid = __tsec->exec_sid;
6284 	else if (!strcmp(name, "fscreate"))
6285 		sid = __tsec->create_sid;
6286 	else if (!strcmp(name, "keycreate"))
6287 		sid = __tsec->keycreate_sid;
6288 	else if (!strcmp(name, "sockcreate"))
6289 		sid = __tsec->sockcreate_sid;
6290 	else {
6291 		error = -EINVAL;
6292 		goto bad;
6293 	}
6294 	rcu_read_unlock();
6295 
6296 	if (!sid)
6297 		return 0;
6298 
6299 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6300 	if (error)
6301 		return error;
6302 	return len;
6303 
6304 bad:
6305 	rcu_read_unlock();
6306 	return error;
6307 }
6308 
6309 static int selinux_setprocattr(const char *name, void *value, size_t size)
6310 {
6311 	struct task_security_struct *tsec;
6312 	struct cred *new;
6313 	u32 mysid = current_sid(), sid = 0, ptsid;
6314 	int error;
6315 	char *str = value;
6316 
6317 	/*
6318 	 * Basic control over ability to set these attributes at all.
6319 	 */
6320 	if (!strcmp(name, "exec"))
6321 		error = avc_has_perm(&selinux_state,
6322 				     mysid, mysid, SECCLASS_PROCESS,
6323 				     PROCESS__SETEXEC, NULL);
6324 	else if (!strcmp(name, "fscreate"))
6325 		error = avc_has_perm(&selinux_state,
6326 				     mysid, mysid, SECCLASS_PROCESS,
6327 				     PROCESS__SETFSCREATE, NULL);
6328 	else if (!strcmp(name, "keycreate"))
6329 		error = avc_has_perm(&selinux_state,
6330 				     mysid, mysid, SECCLASS_PROCESS,
6331 				     PROCESS__SETKEYCREATE, NULL);
6332 	else if (!strcmp(name, "sockcreate"))
6333 		error = avc_has_perm(&selinux_state,
6334 				     mysid, mysid, SECCLASS_PROCESS,
6335 				     PROCESS__SETSOCKCREATE, NULL);
6336 	else if (!strcmp(name, "current"))
6337 		error = avc_has_perm(&selinux_state,
6338 				     mysid, mysid, SECCLASS_PROCESS,
6339 				     PROCESS__SETCURRENT, NULL);
6340 	else
6341 		error = -EINVAL;
6342 	if (error)
6343 		return error;
6344 
6345 	/* Obtain a SID for the context, if one was specified. */
6346 	if (size && str[0] && str[0] != '\n') {
6347 		if (str[size-1] == '\n') {
6348 			str[size-1] = 0;
6349 			size--;
6350 		}
6351 		error = security_context_to_sid(&selinux_state, value, size,
6352 						&sid, GFP_KERNEL);
6353 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6354 			if (!has_cap_mac_admin(true)) {
6355 				struct audit_buffer *ab;
6356 				size_t audit_size;
6357 
6358 				/* We strip a nul only if it is at the end, otherwise the
6359 				 * context contains a nul and we should audit that */
6360 				if (str[size - 1] == '\0')
6361 					audit_size = size - 1;
6362 				else
6363 					audit_size = size;
6364 				ab = audit_log_start(audit_context(),
6365 						     GFP_ATOMIC,
6366 						     AUDIT_SELINUX_ERR);
6367 				audit_log_format(ab, "op=fscreate invalid_context=");
6368 				audit_log_n_untrustedstring(ab, value, audit_size);
6369 				audit_log_end(ab);
6370 
6371 				return error;
6372 			}
6373 			error = security_context_to_sid_force(
6374 						      &selinux_state,
6375 						      value, size, &sid);
6376 		}
6377 		if (error)
6378 			return error;
6379 	}
6380 
6381 	new = prepare_creds();
6382 	if (!new)
6383 		return -ENOMEM;
6384 
6385 	/* Permission checking based on the specified context is
6386 	   performed during the actual operation (execve,
6387 	   open/mkdir/...), when we know the full context of the
6388 	   operation.  See selinux_bprm_set_creds for the execve
6389 	   checks and may_create for the file creation checks. The
6390 	   operation will then fail if the context is not permitted. */
6391 	tsec = selinux_cred(new);
6392 	if (!strcmp(name, "exec")) {
6393 		tsec->exec_sid = sid;
6394 	} else if (!strcmp(name, "fscreate")) {
6395 		tsec->create_sid = sid;
6396 	} else if (!strcmp(name, "keycreate")) {
6397 		if (sid) {
6398 			error = avc_has_perm(&selinux_state, mysid, sid,
6399 					     SECCLASS_KEY, KEY__CREATE, NULL);
6400 			if (error)
6401 				goto abort_change;
6402 		}
6403 		tsec->keycreate_sid = sid;
6404 	} else if (!strcmp(name, "sockcreate")) {
6405 		tsec->sockcreate_sid = sid;
6406 	} else if (!strcmp(name, "current")) {
6407 		error = -EINVAL;
6408 		if (sid == 0)
6409 			goto abort_change;
6410 
6411 		/* Only allow single threaded processes to change context */
6412 		error = -EPERM;
6413 		if (!current_is_single_threaded()) {
6414 			error = security_bounded_transition(&selinux_state,
6415 							    tsec->sid, sid);
6416 			if (error)
6417 				goto abort_change;
6418 		}
6419 
6420 		/* Check permissions for the transition. */
6421 		error = avc_has_perm(&selinux_state,
6422 				     tsec->sid, sid, SECCLASS_PROCESS,
6423 				     PROCESS__DYNTRANSITION, NULL);
6424 		if (error)
6425 			goto abort_change;
6426 
6427 		/* Check for ptracing, and update the task SID if ok.
6428 		   Otherwise, leave SID unchanged and fail. */
6429 		ptsid = ptrace_parent_sid();
6430 		if (ptsid != 0) {
6431 			error = avc_has_perm(&selinux_state,
6432 					     ptsid, sid, SECCLASS_PROCESS,
6433 					     PROCESS__PTRACE, NULL);
6434 			if (error)
6435 				goto abort_change;
6436 		}
6437 
6438 		tsec->sid = sid;
6439 	} else {
6440 		error = -EINVAL;
6441 		goto abort_change;
6442 	}
6443 
6444 	commit_creds(new);
6445 	return size;
6446 
6447 abort_change:
6448 	abort_creds(new);
6449 	return error;
6450 }
6451 
6452 static int selinux_ismaclabel(const char *name)
6453 {
6454 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6455 }
6456 
6457 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6458 {
6459 	return security_sid_to_context(&selinux_state, secid,
6460 				       secdata, seclen);
6461 }
6462 
6463 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6464 {
6465 	return security_context_to_sid(&selinux_state, secdata, seclen,
6466 				       secid, GFP_KERNEL);
6467 }
6468 
6469 static void selinux_release_secctx(char *secdata, u32 seclen)
6470 {
6471 	kfree(secdata);
6472 }
6473 
6474 static void selinux_inode_invalidate_secctx(struct inode *inode)
6475 {
6476 	struct inode_security_struct *isec = selinux_inode(inode);
6477 
6478 	spin_lock(&isec->lock);
6479 	isec->initialized = LABEL_INVALID;
6480 	spin_unlock(&isec->lock);
6481 }
6482 
6483 /*
6484  *	called with inode->i_mutex locked
6485  */
6486 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6487 {
6488 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6489 					   ctx, ctxlen, 0);
6490 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6491 	return rc == -EOPNOTSUPP ? 0 : rc;
6492 }
6493 
6494 /*
6495  *	called with inode->i_mutex locked
6496  */
6497 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6498 {
6499 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6500 }
6501 
6502 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6503 {
6504 	int len = 0;
6505 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6506 						ctx, true);
6507 	if (len < 0)
6508 		return len;
6509 	*ctxlen = len;
6510 	return 0;
6511 }
6512 #ifdef CONFIG_KEYS
6513 
6514 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6515 			     unsigned long flags)
6516 {
6517 	const struct task_security_struct *tsec;
6518 	struct key_security_struct *ksec;
6519 
6520 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6521 	if (!ksec)
6522 		return -ENOMEM;
6523 
6524 	tsec = selinux_cred(cred);
6525 	if (tsec->keycreate_sid)
6526 		ksec->sid = tsec->keycreate_sid;
6527 	else
6528 		ksec->sid = tsec->sid;
6529 
6530 	k->security = ksec;
6531 	return 0;
6532 }
6533 
6534 static void selinux_key_free(struct key *k)
6535 {
6536 	struct key_security_struct *ksec = k->security;
6537 
6538 	k->security = NULL;
6539 	kfree(ksec);
6540 }
6541 
6542 static int selinux_key_permission(key_ref_t key_ref,
6543 				  const struct cred *cred,
6544 				  unsigned perm)
6545 {
6546 	struct key *key;
6547 	struct key_security_struct *ksec;
6548 	u32 sid;
6549 
6550 	/* if no specific permissions are requested, we skip the
6551 	   permission check. No serious, additional covert channels
6552 	   appear to be created. */
6553 	if (perm == 0)
6554 		return 0;
6555 
6556 	sid = cred_sid(cred);
6557 
6558 	key = key_ref_to_ptr(key_ref);
6559 	ksec = key->security;
6560 
6561 	return avc_has_perm(&selinux_state,
6562 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6563 }
6564 
6565 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6566 {
6567 	struct key_security_struct *ksec = key->security;
6568 	char *context = NULL;
6569 	unsigned len;
6570 	int rc;
6571 
6572 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6573 				     &context, &len);
6574 	if (!rc)
6575 		rc = len;
6576 	*_buffer = context;
6577 	return rc;
6578 }
6579 #endif
6580 
6581 #ifdef CONFIG_SECURITY_INFINIBAND
6582 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6583 {
6584 	struct common_audit_data ad;
6585 	int err;
6586 	u32 sid = 0;
6587 	struct ib_security_struct *sec = ib_sec;
6588 	struct lsm_ibpkey_audit ibpkey;
6589 
6590 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6591 	if (err)
6592 		return err;
6593 
6594 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6595 	ibpkey.subnet_prefix = subnet_prefix;
6596 	ibpkey.pkey = pkey_val;
6597 	ad.u.ibpkey = &ibpkey;
6598 	return avc_has_perm(&selinux_state,
6599 			    sec->sid, sid,
6600 			    SECCLASS_INFINIBAND_PKEY,
6601 			    INFINIBAND_PKEY__ACCESS, &ad);
6602 }
6603 
6604 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6605 					    u8 port_num)
6606 {
6607 	struct common_audit_data ad;
6608 	int err;
6609 	u32 sid = 0;
6610 	struct ib_security_struct *sec = ib_sec;
6611 	struct lsm_ibendport_audit ibendport;
6612 
6613 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6614 				      &sid);
6615 
6616 	if (err)
6617 		return err;
6618 
6619 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6620 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6621 	ibendport.port = port_num;
6622 	ad.u.ibendport = &ibendport;
6623 	return avc_has_perm(&selinux_state,
6624 			    sec->sid, sid,
6625 			    SECCLASS_INFINIBAND_ENDPORT,
6626 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6627 }
6628 
6629 static int selinux_ib_alloc_security(void **ib_sec)
6630 {
6631 	struct ib_security_struct *sec;
6632 
6633 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6634 	if (!sec)
6635 		return -ENOMEM;
6636 	sec->sid = current_sid();
6637 
6638 	*ib_sec = sec;
6639 	return 0;
6640 }
6641 
6642 static void selinux_ib_free_security(void *ib_sec)
6643 {
6644 	kfree(ib_sec);
6645 }
6646 #endif
6647 
6648 #ifdef CONFIG_BPF_SYSCALL
6649 static int selinux_bpf(int cmd, union bpf_attr *attr,
6650 				     unsigned int size)
6651 {
6652 	u32 sid = current_sid();
6653 	int ret;
6654 
6655 	switch (cmd) {
6656 	case BPF_MAP_CREATE:
6657 		ret = avc_has_perm(&selinux_state,
6658 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6659 				   NULL);
6660 		break;
6661 	case BPF_PROG_LOAD:
6662 		ret = avc_has_perm(&selinux_state,
6663 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6664 				   NULL);
6665 		break;
6666 	default:
6667 		ret = 0;
6668 		break;
6669 	}
6670 
6671 	return ret;
6672 }
6673 
6674 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6675 {
6676 	u32 av = 0;
6677 
6678 	if (fmode & FMODE_READ)
6679 		av |= BPF__MAP_READ;
6680 	if (fmode & FMODE_WRITE)
6681 		av |= BPF__MAP_WRITE;
6682 	return av;
6683 }
6684 
6685 /* This function will check the file pass through unix socket or binder to see
6686  * if it is a bpf related object. And apply correspinding checks on the bpf
6687  * object based on the type. The bpf maps and programs, not like other files and
6688  * socket, are using a shared anonymous inode inside the kernel as their inode.
6689  * So checking that inode cannot identify if the process have privilege to
6690  * access the bpf object and that's why we have to add this additional check in
6691  * selinux_file_receive and selinux_binder_transfer_files.
6692  */
6693 static int bpf_fd_pass(struct file *file, u32 sid)
6694 {
6695 	struct bpf_security_struct *bpfsec;
6696 	struct bpf_prog *prog;
6697 	struct bpf_map *map;
6698 	int ret;
6699 
6700 	if (file->f_op == &bpf_map_fops) {
6701 		map = file->private_data;
6702 		bpfsec = map->security;
6703 		ret = avc_has_perm(&selinux_state,
6704 				   sid, bpfsec->sid, SECCLASS_BPF,
6705 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6706 		if (ret)
6707 			return ret;
6708 	} else if (file->f_op == &bpf_prog_fops) {
6709 		prog = file->private_data;
6710 		bpfsec = prog->aux->security;
6711 		ret = avc_has_perm(&selinux_state,
6712 				   sid, bpfsec->sid, SECCLASS_BPF,
6713 				   BPF__PROG_RUN, NULL);
6714 		if (ret)
6715 			return ret;
6716 	}
6717 	return 0;
6718 }
6719 
6720 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6721 {
6722 	u32 sid = current_sid();
6723 	struct bpf_security_struct *bpfsec;
6724 
6725 	bpfsec = map->security;
6726 	return avc_has_perm(&selinux_state,
6727 			    sid, bpfsec->sid, SECCLASS_BPF,
6728 			    bpf_map_fmode_to_av(fmode), NULL);
6729 }
6730 
6731 static int selinux_bpf_prog(struct bpf_prog *prog)
6732 {
6733 	u32 sid = current_sid();
6734 	struct bpf_security_struct *bpfsec;
6735 
6736 	bpfsec = prog->aux->security;
6737 	return avc_has_perm(&selinux_state,
6738 			    sid, bpfsec->sid, SECCLASS_BPF,
6739 			    BPF__PROG_RUN, NULL);
6740 }
6741 
6742 static int selinux_bpf_map_alloc(struct bpf_map *map)
6743 {
6744 	struct bpf_security_struct *bpfsec;
6745 
6746 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6747 	if (!bpfsec)
6748 		return -ENOMEM;
6749 
6750 	bpfsec->sid = current_sid();
6751 	map->security = bpfsec;
6752 
6753 	return 0;
6754 }
6755 
6756 static void selinux_bpf_map_free(struct bpf_map *map)
6757 {
6758 	struct bpf_security_struct *bpfsec = map->security;
6759 
6760 	map->security = NULL;
6761 	kfree(bpfsec);
6762 }
6763 
6764 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6765 {
6766 	struct bpf_security_struct *bpfsec;
6767 
6768 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6769 	if (!bpfsec)
6770 		return -ENOMEM;
6771 
6772 	bpfsec->sid = current_sid();
6773 	aux->security = bpfsec;
6774 
6775 	return 0;
6776 }
6777 
6778 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6779 {
6780 	struct bpf_security_struct *bpfsec = aux->security;
6781 
6782 	aux->security = NULL;
6783 	kfree(bpfsec);
6784 }
6785 #endif
6786 
6787 static int selinux_lockdown(enum lockdown_reason what)
6788 {
6789 	struct common_audit_data ad;
6790 	u32 sid = current_sid();
6791 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
6792 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
6793 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6794 
6795 	if (WARN(invalid_reason, "Invalid lockdown reason")) {
6796 		audit_log(audit_context(),
6797 			  GFP_ATOMIC, AUDIT_SELINUX_ERR,
6798 			  "lockdown_reason=invalid");
6799 		return -EINVAL;
6800 	}
6801 
6802 	ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6803 	ad.u.reason = what;
6804 
6805 	if (what <= LOCKDOWN_INTEGRITY_MAX)
6806 		return avc_has_perm(&selinux_state,
6807 				    sid, sid, SECCLASS_LOCKDOWN,
6808 				    LOCKDOWN__INTEGRITY, &ad);
6809 	else
6810 		return avc_has_perm(&selinux_state,
6811 				    sid, sid, SECCLASS_LOCKDOWN,
6812 				    LOCKDOWN__CONFIDENTIALITY, &ad);
6813 }
6814 
6815 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6816 	.lbs_cred = sizeof(struct task_security_struct),
6817 	.lbs_file = sizeof(struct file_security_struct),
6818 	.lbs_inode = sizeof(struct inode_security_struct),
6819 	.lbs_ipc = sizeof(struct ipc_security_struct),
6820 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6821 };
6822 
6823 #ifdef CONFIG_PERF_EVENTS
6824 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6825 {
6826 	u32 requested, sid = current_sid();
6827 
6828 	if (type == PERF_SECURITY_OPEN)
6829 		requested = PERF_EVENT__OPEN;
6830 	else if (type == PERF_SECURITY_CPU)
6831 		requested = PERF_EVENT__CPU;
6832 	else if (type == PERF_SECURITY_KERNEL)
6833 		requested = PERF_EVENT__KERNEL;
6834 	else if (type == PERF_SECURITY_TRACEPOINT)
6835 		requested = PERF_EVENT__TRACEPOINT;
6836 	else
6837 		return -EINVAL;
6838 
6839 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6840 			    requested, NULL);
6841 }
6842 
6843 static int selinux_perf_event_alloc(struct perf_event *event)
6844 {
6845 	struct perf_event_security_struct *perfsec;
6846 
6847 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6848 	if (!perfsec)
6849 		return -ENOMEM;
6850 
6851 	perfsec->sid = current_sid();
6852 	event->security = perfsec;
6853 
6854 	return 0;
6855 }
6856 
6857 static void selinux_perf_event_free(struct perf_event *event)
6858 {
6859 	struct perf_event_security_struct *perfsec = event->security;
6860 
6861 	event->security = NULL;
6862 	kfree(perfsec);
6863 }
6864 
6865 static int selinux_perf_event_read(struct perf_event *event)
6866 {
6867 	struct perf_event_security_struct *perfsec = event->security;
6868 	u32 sid = current_sid();
6869 
6870 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6871 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6872 }
6873 
6874 static int selinux_perf_event_write(struct perf_event *event)
6875 {
6876 	struct perf_event_security_struct *perfsec = event->security;
6877 	u32 sid = current_sid();
6878 
6879 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6880 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6881 }
6882 #endif
6883 
6884 /*
6885  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6886  * 1. any hooks that don't belong to (2.) or (3.) below,
6887  * 2. hooks that both access structures allocated by other hooks, and allocate
6888  *    structures that can be later accessed by other hooks (mostly "cloning"
6889  *    hooks),
6890  * 3. hooks that only allocate structures that can be later accessed by other
6891  *    hooks ("allocating" hooks).
6892  *
6893  * Please follow block comment delimiters in the list to keep this order.
6894  *
6895  * This ordering is needed for SELinux runtime disable to work at least somewhat
6896  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6897  * when disabling SELinux at runtime.
6898  */
6899 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6900 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6901 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6902 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6903 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6904 
6905 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6906 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6907 	LSM_HOOK_INIT(capget, selinux_capget),
6908 	LSM_HOOK_INIT(capset, selinux_capset),
6909 	LSM_HOOK_INIT(capable, selinux_capable),
6910 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6911 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6912 	LSM_HOOK_INIT(syslog, selinux_syslog),
6913 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6914 
6915 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6916 
6917 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6918 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6919 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6920 
6921 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6922 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6923 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6924 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6925 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6926 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6927 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6928 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6929 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6930 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6931 
6932 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6933 
6934 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6935 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6936 
6937 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6938 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6939 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6940 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6941 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6942 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6943 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6944 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6945 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6946 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6947 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6948 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6949 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6950 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6951 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6952 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6953 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6954 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6955 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6956 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6957 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6958 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6959 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6960 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6961 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6962 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6963 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
6964 
6965 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6966 
6967 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6968 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6969 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6970 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6971 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6972 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6973 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6974 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6975 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6976 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6977 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6978 
6979 	LSM_HOOK_INIT(file_open, selinux_file_open),
6980 
6981 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6982 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6983 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6984 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6985 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6986 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6987 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6988 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6989 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6990 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6991 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6992 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6993 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6994 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6995 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6996 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6997 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6998 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6999 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7000 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7001 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7002 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7003 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7004 
7005 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7006 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7007 
7008 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7009 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7010 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7011 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7012 
7013 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7014 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7015 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7016 
7017 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7018 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7019 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7020 
7021 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7022 
7023 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7024 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7025 
7026 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7027 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7028 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7029 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7030 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7031 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7032 
7033 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7034 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7035 
7036 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7037 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7038 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7039 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7040 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7041 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7042 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7043 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7044 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7045 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7046 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7047 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7048 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7049 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7050 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7051 	LSM_HOOK_INIT(socket_getpeersec_stream,
7052 			selinux_socket_getpeersec_stream),
7053 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7054 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7055 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7056 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7057 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7058 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7059 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7060 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7061 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7062 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7063 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7064 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7065 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7066 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7067 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7068 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7069 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7070 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7071 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7072 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7073 #ifdef CONFIG_SECURITY_INFINIBAND
7074 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7075 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7076 		      selinux_ib_endport_manage_subnet),
7077 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7078 #endif
7079 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7080 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7081 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7082 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7083 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7084 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7085 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7086 			selinux_xfrm_state_pol_flow_match),
7087 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7088 #endif
7089 
7090 #ifdef CONFIG_KEYS
7091 	LSM_HOOK_INIT(key_free, selinux_key_free),
7092 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7093 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7094 #endif
7095 
7096 #ifdef CONFIG_AUDIT
7097 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7098 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7099 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7100 #endif
7101 
7102 #ifdef CONFIG_BPF_SYSCALL
7103 	LSM_HOOK_INIT(bpf, selinux_bpf),
7104 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7105 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7106 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7107 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7108 #endif
7109 
7110 #ifdef CONFIG_PERF_EVENTS
7111 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7112 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7113 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7114 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7115 #endif
7116 
7117 	LSM_HOOK_INIT(locked_down, selinux_lockdown),
7118 
7119 	/*
7120 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7121 	 */
7122 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7123 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7124 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7125 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7126 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7127 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7128 #endif
7129 
7130 	/*
7131 	 * PUT "ALLOCATING" HOOKS HERE
7132 	 */
7133 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7134 	LSM_HOOK_INIT(msg_queue_alloc_security,
7135 		      selinux_msg_queue_alloc_security),
7136 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7137 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7138 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7139 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7140 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7141 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7142 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7143 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7144 #ifdef CONFIG_SECURITY_INFINIBAND
7145 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7146 #endif
7147 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7148 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7149 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7150 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7151 		      selinux_xfrm_state_alloc_acquire),
7152 #endif
7153 #ifdef CONFIG_KEYS
7154 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7155 #endif
7156 #ifdef CONFIG_AUDIT
7157 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7158 #endif
7159 #ifdef CONFIG_BPF_SYSCALL
7160 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7161 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7162 #endif
7163 #ifdef CONFIG_PERF_EVENTS
7164 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7165 #endif
7166 };
7167 
7168 static __init int selinux_init(void)
7169 {
7170 	pr_info("SELinux:  Initializing.\n");
7171 
7172 	memset(&selinux_state, 0, sizeof(selinux_state));
7173 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7174 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7175 	selinux_ss_init(&selinux_state.ss);
7176 	selinux_avc_init(&selinux_state.avc);
7177 	mutex_init(&selinux_state.status_lock);
7178 
7179 	/* Set the security state for the initial task. */
7180 	cred_init_security();
7181 
7182 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7183 
7184 	avc_init();
7185 
7186 	avtab_cache_init();
7187 
7188 	ebitmap_cache_init();
7189 
7190 	hashtab_cache_init();
7191 
7192 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7193 
7194 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7195 		panic("SELinux: Unable to register AVC netcache callback\n");
7196 
7197 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7198 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7199 
7200 	if (selinux_enforcing_boot)
7201 		pr_debug("SELinux:  Starting in enforcing mode\n");
7202 	else
7203 		pr_debug("SELinux:  Starting in permissive mode\n");
7204 
7205 	fs_validate_description("selinux", selinux_fs_parameters);
7206 
7207 	return 0;
7208 }
7209 
7210 static void delayed_superblock_init(struct super_block *sb, void *unused)
7211 {
7212 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7213 }
7214 
7215 void selinux_complete_init(void)
7216 {
7217 	pr_debug("SELinux:  Completing initialization.\n");
7218 
7219 	/* Set up any superblocks initialized prior to the policy load. */
7220 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7221 	iterate_supers(delayed_superblock_init, NULL);
7222 }
7223 
7224 /* SELinux requires early initialization in order to label
7225    all processes and objects when they are created. */
7226 DEFINE_LSM(selinux) = {
7227 	.name = "selinux",
7228 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7229 	.enabled = &selinux_enabled_boot,
7230 	.blobs = &selinux_blob_sizes,
7231 	.init = selinux_init,
7232 };
7233 
7234 #if defined(CONFIG_NETFILTER)
7235 
7236 static const struct nf_hook_ops selinux_nf_ops[] = {
7237 	{
7238 		.hook =		selinux_ipv4_postroute,
7239 		.pf =		NFPROTO_IPV4,
7240 		.hooknum =	NF_INET_POST_ROUTING,
7241 		.priority =	NF_IP_PRI_SELINUX_LAST,
7242 	},
7243 	{
7244 		.hook =		selinux_ipv4_forward,
7245 		.pf =		NFPROTO_IPV4,
7246 		.hooknum =	NF_INET_FORWARD,
7247 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7248 	},
7249 	{
7250 		.hook =		selinux_ipv4_output,
7251 		.pf =		NFPROTO_IPV4,
7252 		.hooknum =	NF_INET_LOCAL_OUT,
7253 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7254 	},
7255 #if IS_ENABLED(CONFIG_IPV6)
7256 	{
7257 		.hook =		selinux_ipv6_postroute,
7258 		.pf =		NFPROTO_IPV6,
7259 		.hooknum =	NF_INET_POST_ROUTING,
7260 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7261 	},
7262 	{
7263 		.hook =		selinux_ipv6_forward,
7264 		.pf =		NFPROTO_IPV6,
7265 		.hooknum =	NF_INET_FORWARD,
7266 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7267 	},
7268 	{
7269 		.hook =		selinux_ipv6_output,
7270 		.pf =		NFPROTO_IPV6,
7271 		.hooknum =	NF_INET_LOCAL_OUT,
7272 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7273 	},
7274 #endif	/* IPV6 */
7275 };
7276 
7277 static int __net_init selinux_nf_register(struct net *net)
7278 {
7279 	return nf_register_net_hooks(net, selinux_nf_ops,
7280 				     ARRAY_SIZE(selinux_nf_ops));
7281 }
7282 
7283 static void __net_exit selinux_nf_unregister(struct net *net)
7284 {
7285 	nf_unregister_net_hooks(net, selinux_nf_ops,
7286 				ARRAY_SIZE(selinux_nf_ops));
7287 }
7288 
7289 static struct pernet_operations selinux_net_ops = {
7290 	.init = selinux_nf_register,
7291 	.exit = selinux_nf_unregister,
7292 };
7293 
7294 static int __init selinux_nf_ip_init(void)
7295 {
7296 	int err;
7297 
7298 	if (!selinux_enabled_boot)
7299 		return 0;
7300 
7301 	pr_debug("SELinux:  Registering netfilter hooks\n");
7302 
7303 	err = register_pernet_subsys(&selinux_net_ops);
7304 	if (err)
7305 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7306 
7307 	return 0;
7308 }
7309 __initcall(selinux_nf_ip_init);
7310 
7311 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7312 static void selinux_nf_ip_exit(void)
7313 {
7314 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7315 
7316 	unregister_pernet_subsys(&selinux_net_ops);
7317 }
7318 #endif
7319 
7320 #else /* CONFIG_NETFILTER */
7321 
7322 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7323 #define selinux_nf_ip_exit()
7324 #endif
7325 
7326 #endif /* CONFIG_NETFILTER */
7327 
7328 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7329 int selinux_disable(struct selinux_state *state)
7330 {
7331 	if (selinux_initialized(state)) {
7332 		/* Not permitted after initial policy load. */
7333 		return -EINVAL;
7334 	}
7335 
7336 	if (selinux_disabled(state)) {
7337 		/* Only do this once. */
7338 		return -EINVAL;
7339 	}
7340 
7341 	selinux_mark_disabled(state);
7342 
7343 	pr_info("SELinux:  Disabled at runtime.\n");
7344 
7345 	/*
7346 	 * Unregister netfilter hooks.
7347 	 * Must be done before security_delete_hooks() to avoid breaking
7348 	 * runtime disable.
7349 	 */
7350 	selinux_nf_ip_exit();
7351 
7352 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7353 
7354 	/* Try to destroy the avc node cache */
7355 	avc_disable();
7356 
7357 	/* Unregister selinuxfs. */
7358 	exit_sel_fs();
7359 
7360 	return 0;
7361 }
7362 #endif
7363