xref: /linux/security/selinux/hooks.c (revision ebf68996de0ab250c5d520eb2291ab65643e9a1e)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/fs_context.h>
52 #include <linux/fs_parser.h>
53 #include <linux/netfilter_ipv4.h>
54 #include <linux/netfilter_ipv6.h>
55 #include <linux/tty.h>
56 #include <net/icmp.h>
57 #include <net/ip.h>		/* for local_port_range[] */
58 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
59 #include <net/inet_connection_sock.h>
60 #include <net/net_namespace.h>
61 #include <net/netlabel.h>
62 #include <linux/uaccess.h>
63 #include <asm/ioctls.h>
64 #include <linux/atomic.h>
65 #include <linux/bitops.h>
66 #include <linux/interrupt.h>
67 #include <linux/netdevice.h>	/* for network interface checks */
68 #include <net/netlink.h>
69 #include <linux/tcp.h>
70 #include <linux/udp.h>
71 #include <linux/dccp.h>
72 #include <linux/sctp.h>
73 #include <net/sctp/structs.h>
74 #include <linux/quota.h>
75 #include <linux/un.h>		/* for Unix socket types */
76 #include <net/af_unix.h>	/* for Unix socket types */
77 #include <linux/parser.h>
78 #include <linux/nfs_mount.h>
79 #include <net/ipv6.h>
80 #include <linux/hugetlb.h>
81 #include <linux/personality.h>
82 #include <linux/audit.h>
83 #include <linux/string.h>
84 #include <linux/mutex.h>
85 #include <linux/posix-timers.h>
86 #include <linux/syslog.h>
87 #include <linux/user_namespace.h>
88 #include <linux/export.h>
89 #include <linux/msg.h>
90 #include <linux/shm.h>
91 #include <linux/bpf.h>
92 #include <linux/kernfs.h>
93 #include <linux/stringhash.h>	/* for hashlen_string() */
94 #include <uapi/linux/mount.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot;
114 
115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled __lsm_ro_after_init = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static unsigned int selinux_checkreqprot_boot =
140 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 
142 static int __init checkreqprot_setup(char *str)
143 {
144 	unsigned long checkreqprot;
145 
146 	if (!kstrtoul(str, 0, &checkreqprot))
147 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 	return 1;
149 }
150 __setup("checkreqprot=", checkreqprot_setup);
151 
152 /**
153  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
154  *
155  * Description:
156  * This function checks the SECMARK reference counter to see if any SECMARK
157  * targets are currently configured, if the reference counter is greater than
158  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
159  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
160  * policy capability is enabled, SECMARK is always considered enabled.
161  *
162  */
163 static int selinux_secmark_enabled(void)
164 {
165 	return (selinux_policycap_alwaysnetwork() ||
166 		atomic_read(&selinux_secmark_refcount));
167 }
168 
169 /**
170  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
171  *
172  * Description:
173  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
174  * (1) if any are enabled or false (0) if neither are enabled.  If the
175  * always_check_network policy capability is enabled, peer labeling
176  * is always considered enabled.
177  *
178  */
179 static int selinux_peerlbl_enabled(void)
180 {
181 	return (selinux_policycap_alwaysnetwork() ||
182 		netlbl_enabled() || selinux_xfrm_enabled());
183 }
184 
185 static int selinux_netcache_avc_callback(u32 event)
186 {
187 	if (event == AVC_CALLBACK_RESET) {
188 		sel_netif_flush();
189 		sel_netnode_flush();
190 		sel_netport_flush();
191 		synchronize_net();
192 	}
193 	return 0;
194 }
195 
196 static int selinux_lsm_notifier_avc_callback(u32 event)
197 {
198 	if (event == AVC_CALLBACK_RESET) {
199 		sel_ib_pkey_flush();
200 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
201 	}
202 
203 	return 0;
204 }
205 
206 /*
207  * initialise the security for the init task
208  */
209 static void cred_init_security(void)
210 {
211 	struct cred *cred = (struct cred *) current->real_cred;
212 	struct task_security_struct *tsec;
213 
214 	tsec = selinux_cred(cred);
215 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217 
218 /*
219  * get the security ID of a set of credentials
220  */
221 static inline u32 cred_sid(const struct cred *cred)
222 {
223 	const struct task_security_struct *tsec;
224 
225 	tsec = selinux_cred(cred);
226 	return tsec->sid;
227 }
228 
229 /*
230  * get the objective security ID of a task
231  */
232 static inline u32 task_sid(const struct task_struct *task)
233 {
234 	u32 sid;
235 
236 	rcu_read_lock();
237 	sid = cred_sid(__task_cred(task));
238 	rcu_read_unlock();
239 	return sid;
240 }
241 
242 /* Allocate and free functions for each kind of security blob. */
243 
244 static int inode_alloc_security(struct inode *inode)
245 {
246 	struct inode_security_struct *isec = selinux_inode(inode);
247 	u32 sid = current_sid();
248 
249 	spin_lock_init(&isec->lock);
250 	INIT_LIST_HEAD(&isec->list);
251 	isec->inode = inode;
252 	isec->sid = SECINITSID_UNLABELED;
253 	isec->sclass = SECCLASS_FILE;
254 	isec->task_sid = sid;
255 	isec->initialized = LABEL_INVALID;
256 
257 	return 0;
258 }
259 
260 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
261 
262 /*
263  * Try reloading inode security labels that have been marked as invalid.  The
264  * @may_sleep parameter indicates when sleeping and thus reloading labels is
265  * allowed; when set to false, returns -ECHILD when the label is
266  * invalid.  The @dentry parameter should be set to a dentry of the inode.
267  */
268 static int __inode_security_revalidate(struct inode *inode,
269 				       struct dentry *dentry,
270 				       bool may_sleep)
271 {
272 	struct inode_security_struct *isec = selinux_inode(inode);
273 
274 	might_sleep_if(may_sleep);
275 
276 	if (selinux_state.initialized &&
277 	    isec->initialized != LABEL_INITIALIZED) {
278 		if (!may_sleep)
279 			return -ECHILD;
280 
281 		/*
282 		 * Try reloading the inode security label.  This will fail if
283 		 * @opt_dentry is NULL and no dentry for this inode can be
284 		 * found; in that case, continue using the old label.
285 		 */
286 		inode_doinit_with_dentry(inode, dentry);
287 	}
288 	return 0;
289 }
290 
291 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
292 {
293 	return selinux_inode(inode);
294 }
295 
296 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
297 {
298 	int error;
299 
300 	error = __inode_security_revalidate(inode, NULL, !rcu);
301 	if (error)
302 		return ERR_PTR(error);
303 	return selinux_inode(inode);
304 }
305 
306 /*
307  * Get the security label of an inode.
308  */
309 static struct inode_security_struct *inode_security(struct inode *inode)
310 {
311 	__inode_security_revalidate(inode, NULL, true);
312 	return selinux_inode(inode);
313 }
314 
315 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
316 {
317 	struct inode *inode = d_backing_inode(dentry);
318 
319 	return selinux_inode(inode);
320 }
321 
322 /*
323  * Get the security label of a dentry's backing inode.
324  */
325 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
326 {
327 	struct inode *inode = d_backing_inode(dentry);
328 
329 	__inode_security_revalidate(inode, dentry, true);
330 	return selinux_inode(inode);
331 }
332 
333 static void inode_free_security(struct inode *inode)
334 {
335 	struct inode_security_struct *isec = selinux_inode(inode);
336 	struct superblock_security_struct *sbsec;
337 
338 	if (!isec)
339 		return;
340 	sbsec = inode->i_sb->s_security;
341 	/*
342 	 * As not all inode security structures are in a list, we check for
343 	 * empty list outside of the lock to make sure that we won't waste
344 	 * time taking a lock doing nothing.
345 	 *
346 	 * The list_del_init() function can be safely called more than once.
347 	 * It should not be possible for this function to be called with
348 	 * concurrent list_add(), but for better safety against future changes
349 	 * in the code, we use list_empty_careful() here.
350 	 */
351 	if (!list_empty_careful(&isec->list)) {
352 		spin_lock(&sbsec->isec_lock);
353 		list_del_init(&isec->list);
354 		spin_unlock(&sbsec->isec_lock);
355 	}
356 }
357 
358 static int file_alloc_security(struct file *file)
359 {
360 	struct file_security_struct *fsec = selinux_file(file);
361 	u32 sid = current_sid();
362 
363 	fsec->sid = sid;
364 	fsec->fown_sid = sid;
365 
366 	return 0;
367 }
368 
369 static int superblock_alloc_security(struct super_block *sb)
370 {
371 	struct superblock_security_struct *sbsec;
372 
373 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
374 	if (!sbsec)
375 		return -ENOMEM;
376 
377 	mutex_init(&sbsec->lock);
378 	INIT_LIST_HEAD(&sbsec->isec_head);
379 	spin_lock_init(&sbsec->isec_lock);
380 	sbsec->sb = sb;
381 	sbsec->sid = SECINITSID_UNLABELED;
382 	sbsec->def_sid = SECINITSID_FILE;
383 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
384 	sb->s_security = sbsec;
385 
386 	return 0;
387 }
388 
389 static void superblock_free_security(struct super_block *sb)
390 {
391 	struct superblock_security_struct *sbsec = sb->s_security;
392 	sb->s_security = NULL;
393 	kfree(sbsec);
394 }
395 
396 struct selinux_mnt_opts {
397 	const char *fscontext, *context, *rootcontext, *defcontext;
398 };
399 
400 static void selinux_free_mnt_opts(void *mnt_opts)
401 {
402 	struct selinux_mnt_opts *opts = mnt_opts;
403 	kfree(opts->fscontext);
404 	kfree(opts->context);
405 	kfree(opts->rootcontext);
406 	kfree(opts->defcontext);
407 	kfree(opts);
408 }
409 
410 static inline int inode_doinit(struct inode *inode)
411 {
412 	return inode_doinit_with_dentry(inode, NULL);
413 }
414 
415 enum {
416 	Opt_error = -1,
417 	Opt_context = 0,
418 	Opt_defcontext = 1,
419 	Opt_fscontext = 2,
420 	Opt_rootcontext = 3,
421 	Opt_seclabel = 4,
422 };
423 
424 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
425 static struct {
426 	const char *name;
427 	int len;
428 	int opt;
429 	bool has_arg;
430 } tokens[] = {
431 	A(context, true),
432 	A(fscontext, true),
433 	A(defcontext, true),
434 	A(rootcontext, true),
435 	A(seclabel, false),
436 };
437 #undef A
438 
439 static int match_opt_prefix(char *s, int l, char **arg)
440 {
441 	int i;
442 
443 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
444 		size_t len = tokens[i].len;
445 		if (len > l || memcmp(s, tokens[i].name, len))
446 			continue;
447 		if (tokens[i].has_arg) {
448 			if (len == l || s[len] != '=')
449 				continue;
450 			*arg = s + len + 1;
451 		} else if (len != l)
452 			continue;
453 		return tokens[i].opt;
454 	}
455 	return Opt_error;
456 }
457 
458 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
459 
460 static int may_context_mount_sb_relabel(u32 sid,
461 			struct superblock_security_struct *sbsec,
462 			const struct cred *cred)
463 {
464 	const struct task_security_struct *tsec = selinux_cred(cred);
465 	int rc;
466 
467 	rc = avc_has_perm(&selinux_state,
468 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
469 			  FILESYSTEM__RELABELFROM, NULL);
470 	if (rc)
471 		return rc;
472 
473 	rc = avc_has_perm(&selinux_state,
474 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
475 			  FILESYSTEM__RELABELTO, NULL);
476 	return rc;
477 }
478 
479 static int may_context_mount_inode_relabel(u32 sid,
480 			struct superblock_security_struct *sbsec,
481 			const struct cred *cred)
482 {
483 	const struct task_security_struct *tsec = selinux_cred(cred);
484 	int rc;
485 	rc = avc_has_perm(&selinux_state,
486 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
487 			  FILESYSTEM__RELABELFROM, NULL);
488 	if (rc)
489 		return rc;
490 
491 	rc = avc_has_perm(&selinux_state,
492 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
493 			  FILESYSTEM__ASSOCIATE, NULL);
494 	return rc;
495 }
496 
497 static int selinux_is_genfs_special_handling(struct super_block *sb)
498 {
499 	/* Special handling. Genfs but also in-core setxattr handler */
500 	return	!strcmp(sb->s_type->name, "sysfs") ||
501 		!strcmp(sb->s_type->name, "pstore") ||
502 		!strcmp(sb->s_type->name, "debugfs") ||
503 		!strcmp(sb->s_type->name, "tracefs") ||
504 		!strcmp(sb->s_type->name, "rootfs") ||
505 		(selinux_policycap_cgroupseclabel() &&
506 		 (!strcmp(sb->s_type->name, "cgroup") ||
507 		  !strcmp(sb->s_type->name, "cgroup2")));
508 }
509 
510 static int selinux_is_sblabel_mnt(struct super_block *sb)
511 {
512 	struct superblock_security_struct *sbsec = sb->s_security;
513 
514 	/*
515 	 * IMPORTANT: Double-check logic in this function when adding a new
516 	 * SECURITY_FS_USE_* definition!
517 	 */
518 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
519 
520 	switch (sbsec->behavior) {
521 	case SECURITY_FS_USE_XATTR:
522 	case SECURITY_FS_USE_TRANS:
523 	case SECURITY_FS_USE_TASK:
524 	case SECURITY_FS_USE_NATIVE:
525 		return 1;
526 
527 	case SECURITY_FS_USE_GENFS:
528 		return selinux_is_genfs_special_handling(sb);
529 
530 	/* Never allow relabeling on context mounts */
531 	case SECURITY_FS_USE_MNTPOINT:
532 	case SECURITY_FS_USE_NONE:
533 	default:
534 		return 0;
535 	}
536 }
537 
538 static int sb_finish_set_opts(struct super_block *sb)
539 {
540 	struct superblock_security_struct *sbsec = sb->s_security;
541 	struct dentry *root = sb->s_root;
542 	struct inode *root_inode = d_backing_inode(root);
543 	int rc = 0;
544 
545 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
546 		/* Make sure that the xattr handler exists and that no
547 		   error other than -ENODATA is returned by getxattr on
548 		   the root directory.  -ENODATA is ok, as this may be
549 		   the first boot of the SELinux kernel before we have
550 		   assigned xattr values to the filesystem. */
551 		if (!(root_inode->i_opflags & IOP_XATTR)) {
552 			pr_warn("SELinux: (dev %s, type %s) has no "
553 			       "xattr support\n", sb->s_id, sb->s_type->name);
554 			rc = -EOPNOTSUPP;
555 			goto out;
556 		}
557 
558 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
559 		if (rc < 0 && rc != -ENODATA) {
560 			if (rc == -EOPNOTSUPP)
561 				pr_warn("SELinux: (dev %s, type "
562 				       "%s) has no security xattr handler\n",
563 				       sb->s_id, sb->s_type->name);
564 			else
565 				pr_warn("SELinux: (dev %s, type "
566 				       "%s) getxattr errno %d\n", sb->s_id,
567 				       sb->s_type->name, -rc);
568 			goto out;
569 		}
570 	}
571 
572 	sbsec->flags |= SE_SBINITIALIZED;
573 
574 	/*
575 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
576 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 	 * us a superblock that needs the flag to be cleared.
578 	 */
579 	if (selinux_is_sblabel_mnt(sb))
580 		sbsec->flags |= SBLABEL_MNT;
581 	else
582 		sbsec->flags &= ~SBLABEL_MNT;
583 
584 	/* Initialize the root inode. */
585 	rc = inode_doinit_with_dentry(root_inode, root);
586 
587 	/* Initialize any other inodes associated with the superblock, e.g.
588 	   inodes created prior to initial policy load or inodes created
589 	   during get_sb by a pseudo filesystem that directly
590 	   populates itself. */
591 	spin_lock(&sbsec->isec_lock);
592 	while (!list_empty(&sbsec->isec_head)) {
593 		struct inode_security_struct *isec =
594 				list_first_entry(&sbsec->isec_head,
595 					   struct inode_security_struct, list);
596 		struct inode *inode = isec->inode;
597 		list_del_init(&isec->list);
598 		spin_unlock(&sbsec->isec_lock);
599 		inode = igrab(inode);
600 		if (inode) {
601 			if (!IS_PRIVATE(inode))
602 				inode_doinit(inode);
603 			iput(inode);
604 		}
605 		spin_lock(&sbsec->isec_lock);
606 	}
607 	spin_unlock(&sbsec->isec_lock);
608 out:
609 	return rc;
610 }
611 
612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 		      u32 old_sid, u32 new_sid)
614 {
615 	char mnt_flags = sbsec->flags & SE_MNTMASK;
616 
617 	/* check if the old mount command had the same options */
618 	if (sbsec->flags & SE_SBINITIALIZED)
619 		if (!(sbsec->flags & flag) ||
620 		    (old_sid != new_sid))
621 			return 1;
622 
623 	/* check if we were passed the same options twice,
624 	 * aka someone passed context=a,context=b
625 	 */
626 	if (!(sbsec->flags & SE_SBINITIALIZED))
627 		if (mnt_flags & flag)
628 			return 1;
629 	return 0;
630 }
631 
632 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
633 {
634 	int rc = security_context_str_to_sid(&selinux_state, s,
635 					     sid, GFP_KERNEL);
636 	if (rc)
637 		pr_warn("SELinux: security_context_str_to_sid"
638 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
639 		       s, sb->s_id, sb->s_type->name, rc);
640 	return rc;
641 }
642 
643 /*
644  * Allow filesystems with binary mount data to explicitly set mount point
645  * labeling information.
646  */
647 static int selinux_set_mnt_opts(struct super_block *sb,
648 				void *mnt_opts,
649 				unsigned long kern_flags,
650 				unsigned long *set_kern_flags)
651 {
652 	const struct cred *cred = current_cred();
653 	struct superblock_security_struct *sbsec = sb->s_security;
654 	struct dentry *root = sbsec->sb->s_root;
655 	struct selinux_mnt_opts *opts = mnt_opts;
656 	struct inode_security_struct *root_isec;
657 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
658 	u32 defcontext_sid = 0;
659 	int rc = 0;
660 
661 	mutex_lock(&sbsec->lock);
662 
663 	if (!selinux_state.initialized) {
664 		if (!opts) {
665 			/* Defer initialization until selinux_complete_init,
666 			   after the initial policy is loaded and the security
667 			   server is ready to handle calls. */
668 			goto out;
669 		}
670 		rc = -EINVAL;
671 		pr_warn("SELinux: Unable to set superblock options "
672 			"before the security server is initialized\n");
673 		goto out;
674 	}
675 	if (kern_flags && !set_kern_flags) {
676 		/* Specifying internal flags without providing a place to
677 		 * place the results is not allowed */
678 		rc = -EINVAL;
679 		goto out;
680 	}
681 
682 	/*
683 	 * Binary mount data FS will come through this function twice.  Once
684 	 * from an explicit call and once from the generic calls from the vfs.
685 	 * Since the generic VFS calls will not contain any security mount data
686 	 * we need to skip the double mount verification.
687 	 *
688 	 * This does open a hole in which we will not notice if the first
689 	 * mount using this sb set explict options and a second mount using
690 	 * this sb does not set any security options.  (The first options
691 	 * will be used for both mounts)
692 	 */
693 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
694 	    && !opts)
695 		goto out;
696 
697 	root_isec = backing_inode_security_novalidate(root);
698 
699 	/*
700 	 * parse the mount options, check if they are valid sids.
701 	 * also check if someone is trying to mount the same sb more
702 	 * than once with different security options.
703 	 */
704 	if (opts) {
705 		if (opts->fscontext) {
706 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
707 			if (rc)
708 				goto out;
709 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
710 					fscontext_sid))
711 				goto out_double_mount;
712 			sbsec->flags |= FSCONTEXT_MNT;
713 		}
714 		if (opts->context) {
715 			rc = parse_sid(sb, opts->context, &context_sid);
716 			if (rc)
717 				goto out;
718 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
719 					context_sid))
720 				goto out_double_mount;
721 			sbsec->flags |= CONTEXT_MNT;
722 		}
723 		if (opts->rootcontext) {
724 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
725 			if (rc)
726 				goto out;
727 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
728 					rootcontext_sid))
729 				goto out_double_mount;
730 			sbsec->flags |= ROOTCONTEXT_MNT;
731 		}
732 		if (opts->defcontext) {
733 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
734 			if (rc)
735 				goto out;
736 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
737 					defcontext_sid))
738 				goto out_double_mount;
739 			sbsec->flags |= DEFCONTEXT_MNT;
740 		}
741 	}
742 
743 	if (sbsec->flags & SE_SBINITIALIZED) {
744 		/* previously mounted with options, but not on this attempt? */
745 		if ((sbsec->flags & SE_MNTMASK) && !opts)
746 			goto out_double_mount;
747 		rc = 0;
748 		goto out;
749 	}
750 
751 	if (strcmp(sb->s_type->name, "proc") == 0)
752 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
753 
754 	if (!strcmp(sb->s_type->name, "debugfs") ||
755 	    !strcmp(sb->s_type->name, "tracefs") ||
756 	    !strcmp(sb->s_type->name, "pstore"))
757 		sbsec->flags |= SE_SBGENFS;
758 
759 	if (!strcmp(sb->s_type->name, "sysfs") ||
760 	    !strcmp(sb->s_type->name, "cgroup") ||
761 	    !strcmp(sb->s_type->name, "cgroup2"))
762 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
763 
764 	if (!sbsec->behavior) {
765 		/*
766 		 * Determine the labeling behavior to use for this
767 		 * filesystem type.
768 		 */
769 		rc = security_fs_use(&selinux_state, sb);
770 		if (rc) {
771 			pr_warn("%s: security_fs_use(%s) returned %d\n",
772 					__func__, sb->s_type->name, rc);
773 			goto out;
774 		}
775 	}
776 
777 	/*
778 	 * If this is a user namespace mount and the filesystem type is not
779 	 * explicitly whitelisted, then no contexts are allowed on the command
780 	 * line and security labels must be ignored.
781 	 */
782 	if (sb->s_user_ns != &init_user_ns &&
783 	    strcmp(sb->s_type->name, "tmpfs") &&
784 	    strcmp(sb->s_type->name, "ramfs") &&
785 	    strcmp(sb->s_type->name, "devpts")) {
786 		if (context_sid || fscontext_sid || rootcontext_sid ||
787 		    defcontext_sid) {
788 			rc = -EACCES;
789 			goto out;
790 		}
791 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
792 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
793 			rc = security_transition_sid(&selinux_state,
794 						     current_sid(),
795 						     current_sid(),
796 						     SECCLASS_FILE, NULL,
797 						     &sbsec->mntpoint_sid);
798 			if (rc)
799 				goto out;
800 		}
801 		goto out_set_opts;
802 	}
803 
804 	/* sets the context of the superblock for the fs being mounted. */
805 	if (fscontext_sid) {
806 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
807 		if (rc)
808 			goto out;
809 
810 		sbsec->sid = fscontext_sid;
811 	}
812 
813 	/*
814 	 * Switch to using mount point labeling behavior.
815 	 * sets the label used on all file below the mountpoint, and will set
816 	 * the superblock context if not already set.
817 	 */
818 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
819 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
820 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
821 	}
822 
823 	if (context_sid) {
824 		if (!fscontext_sid) {
825 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
826 							  cred);
827 			if (rc)
828 				goto out;
829 			sbsec->sid = context_sid;
830 		} else {
831 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
832 							     cred);
833 			if (rc)
834 				goto out;
835 		}
836 		if (!rootcontext_sid)
837 			rootcontext_sid = context_sid;
838 
839 		sbsec->mntpoint_sid = context_sid;
840 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
841 	}
842 
843 	if (rootcontext_sid) {
844 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
845 						     cred);
846 		if (rc)
847 			goto out;
848 
849 		root_isec->sid = rootcontext_sid;
850 		root_isec->initialized = LABEL_INITIALIZED;
851 	}
852 
853 	if (defcontext_sid) {
854 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
855 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
856 			rc = -EINVAL;
857 			pr_warn("SELinux: defcontext option is "
858 			       "invalid for this filesystem type\n");
859 			goto out;
860 		}
861 
862 		if (defcontext_sid != sbsec->def_sid) {
863 			rc = may_context_mount_inode_relabel(defcontext_sid,
864 							     sbsec, cred);
865 			if (rc)
866 				goto out;
867 		}
868 
869 		sbsec->def_sid = defcontext_sid;
870 	}
871 
872 out_set_opts:
873 	rc = sb_finish_set_opts(sb);
874 out:
875 	mutex_unlock(&sbsec->lock);
876 	return rc;
877 out_double_mount:
878 	rc = -EINVAL;
879 	pr_warn("SELinux: mount invalid.  Same superblock, different "
880 	       "security settings for (dev %s, type %s)\n", sb->s_id,
881 	       sb->s_type->name);
882 	goto out;
883 }
884 
885 static int selinux_cmp_sb_context(const struct super_block *oldsb,
886 				    const struct super_block *newsb)
887 {
888 	struct superblock_security_struct *old = oldsb->s_security;
889 	struct superblock_security_struct *new = newsb->s_security;
890 	char oldflags = old->flags & SE_MNTMASK;
891 	char newflags = new->flags & SE_MNTMASK;
892 
893 	if (oldflags != newflags)
894 		goto mismatch;
895 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
896 		goto mismatch;
897 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
898 		goto mismatch;
899 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
900 		goto mismatch;
901 	if (oldflags & ROOTCONTEXT_MNT) {
902 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
903 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
904 		if (oldroot->sid != newroot->sid)
905 			goto mismatch;
906 	}
907 	return 0;
908 mismatch:
909 	pr_warn("SELinux: mount invalid.  Same superblock, "
910 			    "different security settings for (dev %s, "
911 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
912 	return -EBUSY;
913 }
914 
915 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
916 					struct super_block *newsb,
917 					unsigned long kern_flags,
918 					unsigned long *set_kern_flags)
919 {
920 	int rc = 0;
921 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
922 	struct superblock_security_struct *newsbsec = newsb->s_security;
923 
924 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
925 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
926 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
927 
928 	/*
929 	 * if the parent was able to be mounted it clearly had no special lsm
930 	 * mount options.  thus we can safely deal with this superblock later
931 	 */
932 	if (!selinux_state.initialized)
933 		return 0;
934 
935 	/*
936 	 * Specifying internal flags without providing a place to
937 	 * place the results is not allowed.
938 	 */
939 	if (kern_flags && !set_kern_flags)
940 		return -EINVAL;
941 
942 	/* how can we clone if the old one wasn't set up?? */
943 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
944 
945 	/* if fs is reusing a sb, make sure that the contexts match */
946 	if (newsbsec->flags & SE_SBINITIALIZED) {
947 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
948 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
949 		return selinux_cmp_sb_context(oldsb, newsb);
950 	}
951 
952 	mutex_lock(&newsbsec->lock);
953 
954 	newsbsec->flags = oldsbsec->flags;
955 
956 	newsbsec->sid = oldsbsec->sid;
957 	newsbsec->def_sid = oldsbsec->def_sid;
958 	newsbsec->behavior = oldsbsec->behavior;
959 
960 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
961 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
962 		rc = security_fs_use(&selinux_state, newsb);
963 		if (rc)
964 			goto out;
965 	}
966 
967 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
968 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
969 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
970 	}
971 
972 	if (set_context) {
973 		u32 sid = oldsbsec->mntpoint_sid;
974 
975 		if (!set_fscontext)
976 			newsbsec->sid = sid;
977 		if (!set_rootcontext) {
978 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
979 			newisec->sid = sid;
980 		}
981 		newsbsec->mntpoint_sid = sid;
982 	}
983 	if (set_rootcontext) {
984 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
985 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
986 
987 		newisec->sid = oldisec->sid;
988 	}
989 
990 	sb_finish_set_opts(newsb);
991 out:
992 	mutex_unlock(&newsbsec->lock);
993 	return rc;
994 }
995 
996 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
997 {
998 	struct selinux_mnt_opts *opts = *mnt_opts;
999 
1000 	if (token == Opt_seclabel)	/* eaten and completely ignored */
1001 		return 0;
1002 
1003 	if (!opts) {
1004 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1005 		if (!opts)
1006 			return -ENOMEM;
1007 		*mnt_opts = opts;
1008 	}
1009 	if (!s)
1010 		return -ENOMEM;
1011 	switch (token) {
1012 	case Opt_context:
1013 		if (opts->context || opts->defcontext)
1014 			goto Einval;
1015 		opts->context = s;
1016 		break;
1017 	case Opt_fscontext:
1018 		if (opts->fscontext)
1019 			goto Einval;
1020 		opts->fscontext = s;
1021 		break;
1022 	case Opt_rootcontext:
1023 		if (opts->rootcontext)
1024 			goto Einval;
1025 		opts->rootcontext = s;
1026 		break;
1027 	case Opt_defcontext:
1028 		if (opts->context || opts->defcontext)
1029 			goto Einval;
1030 		opts->defcontext = s;
1031 		break;
1032 	}
1033 	return 0;
1034 Einval:
1035 	pr_warn(SEL_MOUNT_FAIL_MSG);
1036 	return -EINVAL;
1037 }
1038 
1039 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1040 			       void **mnt_opts)
1041 {
1042 	int token = Opt_error;
1043 	int rc, i;
1044 
1045 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1046 		if (strcmp(option, tokens[i].name) == 0) {
1047 			token = tokens[i].opt;
1048 			break;
1049 		}
1050 	}
1051 
1052 	if (token == Opt_error)
1053 		return -EINVAL;
1054 
1055 	if (token != Opt_seclabel) {
1056 		val = kmemdup_nul(val, len, GFP_KERNEL);
1057 		if (!val) {
1058 			rc = -ENOMEM;
1059 			goto free_opt;
1060 		}
1061 	}
1062 	rc = selinux_add_opt(token, val, mnt_opts);
1063 	if (unlikely(rc)) {
1064 		kfree(val);
1065 		goto free_opt;
1066 	}
1067 	return rc;
1068 
1069 free_opt:
1070 	if (*mnt_opts) {
1071 		selinux_free_mnt_opts(*mnt_opts);
1072 		*mnt_opts = NULL;
1073 	}
1074 	return rc;
1075 }
1076 
1077 static int show_sid(struct seq_file *m, u32 sid)
1078 {
1079 	char *context = NULL;
1080 	u32 len;
1081 	int rc;
1082 
1083 	rc = security_sid_to_context(&selinux_state, sid,
1084 					     &context, &len);
1085 	if (!rc) {
1086 		bool has_comma = context && strchr(context, ',');
1087 
1088 		seq_putc(m, '=');
1089 		if (has_comma)
1090 			seq_putc(m, '\"');
1091 		seq_escape(m, context, "\"\n\\");
1092 		if (has_comma)
1093 			seq_putc(m, '\"');
1094 	}
1095 	kfree(context);
1096 	return rc;
1097 }
1098 
1099 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1100 {
1101 	struct superblock_security_struct *sbsec = sb->s_security;
1102 	int rc;
1103 
1104 	if (!(sbsec->flags & SE_SBINITIALIZED))
1105 		return 0;
1106 
1107 	if (!selinux_state.initialized)
1108 		return 0;
1109 
1110 	if (sbsec->flags & FSCONTEXT_MNT) {
1111 		seq_putc(m, ',');
1112 		seq_puts(m, FSCONTEXT_STR);
1113 		rc = show_sid(m, sbsec->sid);
1114 		if (rc)
1115 			return rc;
1116 	}
1117 	if (sbsec->flags & CONTEXT_MNT) {
1118 		seq_putc(m, ',');
1119 		seq_puts(m, CONTEXT_STR);
1120 		rc = show_sid(m, sbsec->mntpoint_sid);
1121 		if (rc)
1122 			return rc;
1123 	}
1124 	if (sbsec->flags & DEFCONTEXT_MNT) {
1125 		seq_putc(m, ',');
1126 		seq_puts(m, DEFCONTEXT_STR);
1127 		rc = show_sid(m, sbsec->def_sid);
1128 		if (rc)
1129 			return rc;
1130 	}
1131 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1132 		struct dentry *root = sbsec->sb->s_root;
1133 		struct inode_security_struct *isec = backing_inode_security(root);
1134 		seq_putc(m, ',');
1135 		seq_puts(m, ROOTCONTEXT_STR);
1136 		rc = show_sid(m, isec->sid);
1137 		if (rc)
1138 			return rc;
1139 	}
1140 	if (sbsec->flags & SBLABEL_MNT) {
1141 		seq_putc(m, ',');
1142 		seq_puts(m, SECLABEL_STR);
1143 	}
1144 	return 0;
1145 }
1146 
1147 static inline u16 inode_mode_to_security_class(umode_t mode)
1148 {
1149 	switch (mode & S_IFMT) {
1150 	case S_IFSOCK:
1151 		return SECCLASS_SOCK_FILE;
1152 	case S_IFLNK:
1153 		return SECCLASS_LNK_FILE;
1154 	case S_IFREG:
1155 		return SECCLASS_FILE;
1156 	case S_IFBLK:
1157 		return SECCLASS_BLK_FILE;
1158 	case S_IFDIR:
1159 		return SECCLASS_DIR;
1160 	case S_IFCHR:
1161 		return SECCLASS_CHR_FILE;
1162 	case S_IFIFO:
1163 		return SECCLASS_FIFO_FILE;
1164 
1165 	}
1166 
1167 	return SECCLASS_FILE;
1168 }
1169 
1170 static inline int default_protocol_stream(int protocol)
1171 {
1172 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1173 }
1174 
1175 static inline int default_protocol_dgram(int protocol)
1176 {
1177 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1178 }
1179 
1180 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1181 {
1182 	int extsockclass = selinux_policycap_extsockclass();
1183 
1184 	switch (family) {
1185 	case PF_UNIX:
1186 		switch (type) {
1187 		case SOCK_STREAM:
1188 		case SOCK_SEQPACKET:
1189 			return SECCLASS_UNIX_STREAM_SOCKET;
1190 		case SOCK_DGRAM:
1191 		case SOCK_RAW:
1192 			return SECCLASS_UNIX_DGRAM_SOCKET;
1193 		}
1194 		break;
1195 	case PF_INET:
1196 	case PF_INET6:
1197 		switch (type) {
1198 		case SOCK_STREAM:
1199 		case SOCK_SEQPACKET:
1200 			if (default_protocol_stream(protocol))
1201 				return SECCLASS_TCP_SOCKET;
1202 			else if (extsockclass && protocol == IPPROTO_SCTP)
1203 				return SECCLASS_SCTP_SOCKET;
1204 			else
1205 				return SECCLASS_RAWIP_SOCKET;
1206 		case SOCK_DGRAM:
1207 			if (default_protocol_dgram(protocol))
1208 				return SECCLASS_UDP_SOCKET;
1209 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1210 						  protocol == IPPROTO_ICMPV6))
1211 				return SECCLASS_ICMP_SOCKET;
1212 			else
1213 				return SECCLASS_RAWIP_SOCKET;
1214 		case SOCK_DCCP:
1215 			return SECCLASS_DCCP_SOCKET;
1216 		default:
1217 			return SECCLASS_RAWIP_SOCKET;
1218 		}
1219 		break;
1220 	case PF_NETLINK:
1221 		switch (protocol) {
1222 		case NETLINK_ROUTE:
1223 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1224 		case NETLINK_SOCK_DIAG:
1225 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1226 		case NETLINK_NFLOG:
1227 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1228 		case NETLINK_XFRM:
1229 			return SECCLASS_NETLINK_XFRM_SOCKET;
1230 		case NETLINK_SELINUX:
1231 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1232 		case NETLINK_ISCSI:
1233 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1234 		case NETLINK_AUDIT:
1235 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1236 		case NETLINK_FIB_LOOKUP:
1237 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1238 		case NETLINK_CONNECTOR:
1239 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1240 		case NETLINK_NETFILTER:
1241 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1242 		case NETLINK_DNRTMSG:
1243 			return SECCLASS_NETLINK_DNRT_SOCKET;
1244 		case NETLINK_KOBJECT_UEVENT:
1245 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1246 		case NETLINK_GENERIC:
1247 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1248 		case NETLINK_SCSITRANSPORT:
1249 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1250 		case NETLINK_RDMA:
1251 			return SECCLASS_NETLINK_RDMA_SOCKET;
1252 		case NETLINK_CRYPTO:
1253 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1254 		default:
1255 			return SECCLASS_NETLINK_SOCKET;
1256 		}
1257 	case PF_PACKET:
1258 		return SECCLASS_PACKET_SOCKET;
1259 	case PF_KEY:
1260 		return SECCLASS_KEY_SOCKET;
1261 	case PF_APPLETALK:
1262 		return SECCLASS_APPLETALK_SOCKET;
1263 	}
1264 
1265 	if (extsockclass) {
1266 		switch (family) {
1267 		case PF_AX25:
1268 			return SECCLASS_AX25_SOCKET;
1269 		case PF_IPX:
1270 			return SECCLASS_IPX_SOCKET;
1271 		case PF_NETROM:
1272 			return SECCLASS_NETROM_SOCKET;
1273 		case PF_ATMPVC:
1274 			return SECCLASS_ATMPVC_SOCKET;
1275 		case PF_X25:
1276 			return SECCLASS_X25_SOCKET;
1277 		case PF_ROSE:
1278 			return SECCLASS_ROSE_SOCKET;
1279 		case PF_DECnet:
1280 			return SECCLASS_DECNET_SOCKET;
1281 		case PF_ATMSVC:
1282 			return SECCLASS_ATMSVC_SOCKET;
1283 		case PF_RDS:
1284 			return SECCLASS_RDS_SOCKET;
1285 		case PF_IRDA:
1286 			return SECCLASS_IRDA_SOCKET;
1287 		case PF_PPPOX:
1288 			return SECCLASS_PPPOX_SOCKET;
1289 		case PF_LLC:
1290 			return SECCLASS_LLC_SOCKET;
1291 		case PF_CAN:
1292 			return SECCLASS_CAN_SOCKET;
1293 		case PF_TIPC:
1294 			return SECCLASS_TIPC_SOCKET;
1295 		case PF_BLUETOOTH:
1296 			return SECCLASS_BLUETOOTH_SOCKET;
1297 		case PF_IUCV:
1298 			return SECCLASS_IUCV_SOCKET;
1299 		case PF_RXRPC:
1300 			return SECCLASS_RXRPC_SOCKET;
1301 		case PF_ISDN:
1302 			return SECCLASS_ISDN_SOCKET;
1303 		case PF_PHONET:
1304 			return SECCLASS_PHONET_SOCKET;
1305 		case PF_IEEE802154:
1306 			return SECCLASS_IEEE802154_SOCKET;
1307 		case PF_CAIF:
1308 			return SECCLASS_CAIF_SOCKET;
1309 		case PF_ALG:
1310 			return SECCLASS_ALG_SOCKET;
1311 		case PF_NFC:
1312 			return SECCLASS_NFC_SOCKET;
1313 		case PF_VSOCK:
1314 			return SECCLASS_VSOCK_SOCKET;
1315 		case PF_KCM:
1316 			return SECCLASS_KCM_SOCKET;
1317 		case PF_QIPCRTR:
1318 			return SECCLASS_QIPCRTR_SOCKET;
1319 		case PF_SMC:
1320 			return SECCLASS_SMC_SOCKET;
1321 		case PF_XDP:
1322 			return SECCLASS_XDP_SOCKET;
1323 #if PF_MAX > 45
1324 #error New address family defined, please update this function.
1325 #endif
1326 		}
1327 	}
1328 
1329 	return SECCLASS_SOCKET;
1330 }
1331 
1332 static int selinux_genfs_get_sid(struct dentry *dentry,
1333 				 u16 tclass,
1334 				 u16 flags,
1335 				 u32 *sid)
1336 {
1337 	int rc;
1338 	struct super_block *sb = dentry->d_sb;
1339 	char *buffer, *path;
1340 
1341 	buffer = (char *)__get_free_page(GFP_KERNEL);
1342 	if (!buffer)
1343 		return -ENOMEM;
1344 
1345 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1346 	if (IS_ERR(path))
1347 		rc = PTR_ERR(path);
1348 	else {
1349 		if (flags & SE_SBPROC) {
1350 			/* each process gets a /proc/PID/ entry. Strip off the
1351 			 * PID part to get a valid selinux labeling.
1352 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1353 			while (path[1] >= '0' && path[1] <= '9') {
1354 				path[1] = '/';
1355 				path++;
1356 			}
1357 		}
1358 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1359 					path, tclass, sid);
1360 		if (rc == -ENOENT) {
1361 			/* No match in policy, mark as unlabeled. */
1362 			*sid = SECINITSID_UNLABELED;
1363 			rc = 0;
1364 		}
1365 	}
1366 	free_page((unsigned long)buffer);
1367 	return rc;
1368 }
1369 
1370 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1371 				  u32 def_sid, u32 *sid)
1372 {
1373 #define INITCONTEXTLEN 255
1374 	char *context;
1375 	unsigned int len;
1376 	int rc;
1377 
1378 	len = INITCONTEXTLEN;
1379 	context = kmalloc(len + 1, GFP_NOFS);
1380 	if (!context)
1381 		return -ENOMEM;
1382 
1383 	context[len] = '\0';
1384 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1385 	if (rc == -ERANGE) {
1386 		kfree(context);
1387 
1388 		/* Need a larger buffer.  Query for the right size. */
1389 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1390 		if (rc < 0)
1391 			return rc;
1392 
1393 		len = rc;
1394 		context = kmalloc(len + 1, GFP_NOFS);
1395 		if (!context)
1396 			return -ENOMEM;
1397 
1398 		context[len] = '\0';
1399 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1400 				    context, len);
1401 	}
1402 	if (rc < 0) {
1403 		kfree(context);
1404 		if (rc != -ENODATA) {
1405 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1406 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1407 			return rc;
1408 		}
1409 		*sid = def_sid;
1410 		return 0;
1411 	}
1412 
1413 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1414 					     def_sid, GFP_NOFS);
1415 	if (rc) {
1416 		char *dev = inode->i_sb->s_id;
1417 		unsigned long ino = inode->i_ino;
1418 
1419 		if (rc == -EINVAL) {
1420 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1421 					      ino, dev, context);
1422 		} else {
1423 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1424 				__func__, context, -rc, dev, ino);
1425 		}
1426 	}
1427 	kfree(context);
1428 	return 0;
1429 }
1430 
1431 /* The inode's security attributes must be initialized before first use. */
1432 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1433 {
1434 	struct superblock_security_struct *sbsec = NULL;
1435 	struct inode_security_struct *isec = selinux_inode(inode);
1436 	u32 task_sid, sid = 0;
1437 	u16 sclass;
1438 	struct dentry *dentry;
1439 	int rc = 0;
1440 
1441 	if (isec->initialized == LABEL_INITIALIZED)
1442 		return 0;
1443 
1444 	spin_lock(&isec->lock);
1445 	if (isec->initialized == LABEL_INITIALIZED)
1446 		goto out_unlock;
1447 
1448 	if (isec->sclass == SECCLASS_FILE)
1449 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1450 
1451 	sbsec = inode->i_sb->s_security;
1452 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1453 		/* Defer initialization until selinux_complete_init,
1454 		   after the initial policy is loaded and the security
1455 		   server is ready to handle calls. */
1456 		spin_lock(&sbsec->isec_lock);
1457 		if (list_empty(&isec->list))
1458 			list_add(&isec->list, &sbsec->isec_head);
1459 		spin_unlock(&sbsec->isec_lock);
1460 		goto out_unlock;
1461 	}
1462 
1463 	sclass = isec->sclass;
1464 	task_sid = isec->task_sid;
1465 	sid = isec->sid;
1466 	isec->initialized = LABEL_PENDING;
1467 	spin_unlock(&isec->lock);
1468 
1469 	switch (sbsec->behavior) {
1470 	case SECURITY_FS_USE_NATIVE:
1471 		break;
1472 	case SECURITY_FS_USE_XATTR:
1473 		if (!(inode->i_opflags & IOP_XATTR)) {
1474 			sid = sbsec->def_sid;
1475 			break;
1476 		}
1477 		/* Need a dentry, since the xattr API requires one.
1478 		   Life would be simpler if we could just pass the inode. */
1479 		if (opt_dentry) {
1480 			/* Called from d_instantiate or d_splice_alias. */
1481 			dentry = dget(opt_dentry);
1482 		} else {
1483 			/*
1484 			 * Called from selinux_complete_init, try to find a dentry.
1485 			 * Some filesystems really want a connected one, so try
1486 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1487 			 * two, depending upon that...
1488 			 */
1489 			dentry = d_find_alias(inode);
1490 			if (!dentry)
1491 				dentry = d_find_any_alias(inode);
1492 		}
1493 		if (!dentry) {
1494 			/*
1495 			 * this is can be hit on boot when a file is accessed
1496 			 * before the policy is loaded.  When we load policy we
1497 			 * may find inodes that have no dentry on the
1498 			 * sbsec->isec_head list.  No reason to complain as these
1499 			 * will get fixed up the next time we go through
1500 			 * inode_doinit with a dentry, before these inodes could
1501 			 * be used again by userspace.
1502 			 */
1503 			goto out;
1504 		}
1505 
1506 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1507 					    &sid);
1508 		dput(dentry);
1509 		if (rc)
1510 			goto out;
1511 		break;
1512 	case SECURITY_FS_USE_TASK:
1513 		sid = task_sid;
1514 		break;
1515 	case SECURITY_FS_USE_TRANS:
1516 		/* Default to the fs SID. */
1517 		sid = sbsec->sid;
1518 
1519 		/* Try to obtain a transition SID. */
1520 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1521 					     sclass, NULL, &sid);
1522 		if (rc)
1523 			goto out;
1524 		break;
1525 	case SECURITY_FS_USE_MNTPOINT:
1526 		sid = sbsec->mntpoint_sid;
1527 		break;
1528 	default:
1529 		/* Default to the fs superblock SID. */
1530 		sid = sbsec->sid;
1531 
1532 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1533 			/* We must have a dentry to determine the label on
1534 			 * procfs inodes */
1535 			if (opt_dentry) {
1536 				/* Called from d_instantiate or
1537 				 * d_splice_alias. */
1538 				dentry = dget(opt_dentry);
1539 			} else {
1540 				/* Called from selinux_complete_init, try to
1541 				 * find a dentry.  Some filesystems really want
1542 				 * a connected one, so try that first.
1543 				 */
1544 				dentry = d_find_alias(inode);
1545 				if (!dentry)
1546 					dentry = d_find_any_alias(inode);
1547 			}
1548 			/*
1549 			 * This can be hit on boot when a file is accessed
1550 			 * before the policy is loaded.  When we load policy we
1551 			 * may find inodes that have no dentry on the
1552 			 * sbsec->isec_head list.  No reason to complain as
1553 			 * these will get fixed up the next time we go through
1554 			 * inode_doinit() with a dentry, before these inodes
1555 			 * could be used again by userspace.
1556 			 */
1557 			if (!dentry)
1558 				goto out;
1559 			rc = selinux_genfs_get_sid(dentry, sclass,
1560 						   sbsec->flags, &sid);
1561 			if (rc) {
1562 				dput(dentry);
1563 				goto out;
1564 			}
1565 
1566 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1567 			    (inode->i_opflags & IOP_XATTR)) {
1568 				rc = inode_doinit_use_xattr(inode, dentry,
1569 							    sid, &sid);
1570 				if (rc) {
1571 					dput(dentry);
1572 					goto out;
1573 				}
1574 			}
1575 			dput(dentry);
1576 		}
1577 		break;
1578 	}
1579 
1580 out:
1581 	spin_lock(&isec->lock);
1582 	if (isec->initialized == LABEL_PENDING) {
1583 		if (!sid || rc) {
1584 			isec->initialized = LABEL_INVALID;
1585 			goto out_unlock;
1586 		}
1587 
1588 		isec->initialized = LABEL_INITIALIZED;
1589 		isec->sid = sid;
1590 	}
1591 
1592 out_unlock:
1593 	spin_unlock(&isec->lock);
1594 	return rc;
1595 }
1596 
1597 /* Convert a Linux signal to an access vector. */
1598 static inline u32 signal_to_av(int sig)
1599 {
1600 	u32 perm = 0;
1601 
1602 	switch (sig) {
1603 	case SIGCHLD:
1604 		/* Commonly granted from child to parent. */
1605 		perm = PROCESS__SIGCHLD;
1606 		break;
1607 	case SIGKILL:
1608 		/* Cannot be caught or ignored */
1609 		perm = PROCESS__SIGKILL;
1610 		break;
1611 	case SIGSTOP:
1612 		/* Cannot be caught or ignored */
1613 		perm = PROCESS__SIGSTOP;
1614 		break;
1615 	default:
1616 		/* All other signals. */
1617 		perm = PROCESS__SIGNAL;
1618 		break;
1619 	}
1620 
1621 	return perm;
1622 }
1623 
1624 #if CAP_LAST_CAP > 63
1625 #error Fix SELinux to handle capabilities > 63.
1626 #endif
1627 
1628 /* Check whether a task is allowed to use a capability. */
1629 static int cred_has_capability(const struct cred *cred,
1630 			       int cap, unsigned int opts, bool initns)
1631 {
1632 	struct common_audit_data ad;
1633 	struct av_decision avd;
1634 	u16 sclass;
1635 	u32 sid = cred_sid(cred);
1636 	u32 av = CAP_TO_MASK(cap);
1637 	int rc;
1638 
1639 	ad.type = LSM_AUDIT_DATA_CAP;
1640 	ad.u.cap = cap;
1641 
1642 	switch (CAP_TO_INDEX(cap)) {
1643 	case 0:
1644 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1645 		break;
1646 	case 1:
1647 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1648 		break;
1649 	default:
1650 		pr_err("SELinux:  out of range capability %d\n", cap);
1651 		BUG();
1652 		return -EINVAL;
1653 	}
1654 
1655 	rc = avc_has_perm_noaudit(&selinux_state,
1656 				  sid, sid, sclass, av, 0, &avd);
1657 	if (!(opts & CAP_OPT_NOAUDIT)) {
1658 		int rc2 = avc_audit(&selinux_state,
1659 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1660 		if (rc2)
1661 			return rc2;
1662 	}
1663 	return rc;
1664 }
1665 
1666 /* Check whether a task has a particular permission to an inode.
1667    The 'adp' parameter is optional and allows other audit
1668    data to be passed (e.g. the dentry). */
1669 static int inode_has_perm(const struct cred *cred,
1670 			  struct inode *inode,
1671 			  u32 perms,
1672 			  struct common_audit_data *adp)
1673 {
1674 	struct inode_security_struct *isec;
1675 	u32 sid;
1676 
1677 	validate_creds(cred);
1678 
1679 	if (unlikely(IS_PRIVATE(inode)))
1680 		return 0;
1681 
1682 	sid = cred_sid(cred);
1683 	isec = selinux_inode(inode);
1684 
1685 	return avc_has_perm(&selinux_state,
1686 			    sid, isec->sid, isec->sclass, perms, adp);
1687 }
1688 
1689 /* Same as inode_has_perm, but pass explicit audit data containing
1690    the dentry to help the auditing code to more easily generate the
1691    pathname if needed. */
1692 static inline int dentry_has_perm(const struct cred *cred,
1693 				  struct dentry *dentry,
1694 				  u32 av)
1695 {
1696 	struct inode *inode = d_backing_inode(dentry);
1697 	struct common_audit_data ad;
1698 
1699 	ad.type = LSM_AUDIT_DATA_DENTRY;
1700 	ad.u.dentry = dentry;
1701 	__inode_security_revalidate(inode, dentry, true);
1702 	return inode_has_perm(cred, inode, av, &ad);
1703 }
1704 
1705 /* Same as inode_has_perm, but pass explicit audit data containing
1706    the path to help the auditing code to more easily generate the
1707    pathname if needed. */
1708 static inline int path_has_perm(const struct cred *cred,
1709 				const struct path *path,
1710 				u32 av)
1711 {
1712 	struct inode *inode = d_backing_inode(path->dentry);
1713 	struct common_audit_data ad;
1714 
1715 	ad.type = LSM_AUDIT_DATA_PATH;
1716 	ad.u.path = *path;
1717 	__inode_security_revalidate(inode, path->dentry, true);
1718 	return inode_has_perm(cred, inode, av, &ad);
1719 }
1720 
1721 /* Same as path_has_perm, but uses the inode from the file struct. */
1722 static inline int file_path_has_perm(const struct cred *cred,
1723 				     struct file *file,
1724 				     u32 av)
1725 {
1726 	struct common_audit_data ad;
1727 
1728 	ad.type = LSM_AUDIT_DATA_FILE;
1729 	ad.u.file = file;
1730 	return inode_has_perm(cred, file_inode(file), av, &ad);
1731 }
1732 
1733 #ifdef CONFIG_BPF_SYSCALL
1734 static int bpf_fd_pass(struct file *file, u32 sid);
1735 #endif
1736 
1737 /* Check whether a task can use an open file descriptor to
1738    access an inode in a given way.  Check access to the
1739    descriptor itself, and then use dentry_has_perm to
1740    check a particular permission to the file.
1741    Access to the descriptor is implicitly granted if it
1742    has the same SID as the process.  If av is zero, then
1743    access to the file is not checked, e.g. for cases
1744    where only the descriptor is affected like seek. */
1745 static int file_has_perm(const struct cred *cred,
1746 			 struct file *file,
1747 			 u32 av)
1748 {
1749 	struct file_security_struct *fsec = selinux_file(file);
1750 	struct inode *inode = file_inode(file);
1751 	struct common_audit_data ad;
1752 	u32 sid = cred_sid(cred);
1753 	int rc;
1754 
1755 	ad.type = LSM_AUDIT_DATA_FILE;
1756 	ad.u.file = file;
1757 
1758 	if (sid != fsec->sid) {
1759 		rc = avc_has_perm(&selinux_state,
1760 				  sid, fsec->sid,
1761 				  SECCLASS_FD,
1762 				  FD__USE,
1763 				  &ad);
1764 		if (rc)
1765 			goto out;
1766 	}
1767 
1768 #ifdef CONFIG_BPF_SYSCALL
1769 	rc = bpf_fd_pass(file, cred_sid(cred));
1770 	if (rc)
1771 		return rc;
1772 #endif
1773 
1774 	/* av is zero if only checking access to the descriptor. */
1775 	rc = 0;
1776 	if (av)
1777 		rc = inode_has_perm(cred, inode, av, &ad);
1778 
1779 out:
1780 	return rc;
1781 }
1782 
1783 /*
1784  * Determine the label for an inode that might be unioned.
1785  */
1786 static int
1787 selinux_determine_inode_label(const struct task_security_struct *tsec,
1788 				 struct inode *dir,
1789 				 const struct qstr *name, u16 tclass,
1790 				 u32 *_new_isid)
1791 {
1792 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1793 
1794 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1795 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1796 		*_new_isid = sbsec->mntpoint_sid;
1797 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1798 		   tsec->create_sid) {
1799 		*_new_isid = tsec->create_sid;
1800 	} else {
1801 		const struct inode_security_struct *dsec = inode_security(dir);
1802 		return security_transition_sid(&selinux_state, tsec->sid,
1803 					       dsec->sid, tclass,
1804 					       name, _new_isid);
1805 	}
1806 
1807 	return 0;
1808 }
1809 
1810 /* Check whether a task can create a file. */
1811 static int may_create(struct inode *dir,
1812 		      struct dentry *dentry,
1813 		      u16 tclass)
1814 {
1815 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1816 	struct inode_security_struct *dsec;
1817 	struct superblock_security_struct *sbsec;
1818 	u32 sid, newsid;
1819 	struct common_audit_data ad;
1820 	int rc;
1821 
1822 	dsec = inode_security(dir);
1823 	sbsec = dir->i_sb->s_security;
1824 
1825 	sid = tsec->sid;
1826 
1827 	ad.type = LSM_AUDIT_DATA_DENTRY;
1828 	ad.u.dentry = dentry;
1829 
1830 	rc = avc_has_perm(&selinux_state,
1831 			  sid, dsec->sid, SECCLASS_DIR,
1832 			  DIR__ADD_NAME | DIR__SEARCH,
1833 			  &ad);
1834 	if (rc)
1835 		return rc;
1836 
1837 	rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1838 					   &dentry->d_name, tclass, &newsid);
1839 	if (rc)
1840 		return rc;
1841 
1842 	rc = avc_has_perm(&selinux_state,
1843 			  sid, newsid, tclass, FILE__CREATE, &ad);
1844 	if (rc)
1845 		return rc;
1846 
1847 	return avc_has_perm(&selinux_state,
1848 			    newsid, sbsec->sid,
1849 			    SECCLASS_FILESYSTEM,
1850 			    FILESYSTEM__ASSOCIATE, &ad);
1851 }
1852 
1853 #define MAY_LINK	0
1854 #define MAY_UNLINK	1
1855 #define MAY_RMDIR	2
1856 
1857 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1858 static int may_link(struct inode *dir,
1859 		    struct dentry *dentry,
1860 		    int kind)
1861 
1862 {
1863 	struct inode_security_struct *dsec, *isec;
1864 	struct common_audit_data ad;
1865 	u32 sid = current_sid();
1866 	u32 av;
1867 	int rc;
1868 
1869 	dsec = inode_security(dir);
1870 	isec = backing_inode_security(dentry);
1871 
1872 	ad.type = LSM_AUDIT_DATA_DENTRY;
1873 	ad.u.dentry = dentry;
1874 
1875 	av = DIR__SEARCH;
1876 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1877 	rc = avc_has_perm(&selinux_state,
1878 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1879 	if (rc)
1880 		return rc;
1881 
1882 	switch (kind) {
1883 	case MAY_LINK:
1884 		av = FILE__LINK;
1885 		break;
1886 	case MAY_UNLINK:
1887 		av = FILE__UNLINK;
1888 		break;
1889 	case MAY_RMDIR:
1890 		av = DIR__RMDIR;
1891 		break;
1892 	default:
1893 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1894 			__func__, kind);
1895 		return 0;
1896 	}
1897 
1898 	rc = avc_has_perm(&selinux_state,
1899 			  sid, isec->sid, isec->sclass, av, &ad);
1900 	return rc;
1901 }
1902 
1903 static inline int may_rename(struct inode *old_dir,
1904 			     struct dentry *old_dentry,
1905 			     struct inode *new_dir,
1906 			     struct dentry *new_dentry)
1907 {
1908 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1909 	struct common_audit_data ad;
1910 	u32 sid = current_sid();
1911 	u32 av;
1912 	int old_is_dir, new_is_dir;
1913 	int rc;
1914 
1915 	old_dsec = inode_security(old_dir);
1916 	old_isec = backing_inode_security(old_dentry);
1917 	old_is_dir = d_is_dir(old_dentry);
1918 	new_dsec = inode_security(new_dir);
1919 
1920 	ad.type = LSM_AUDIT_DATA_DENTRY;
1921 
1922 	ad.u.dentry = old_dentry;
1923 	rc = avc_has_perm(&selinux_state,
1924 			  sid, old_dsec->sid, SECCLASS_DIR,
1925 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1926 	if (rc)
1927 		return rc;
1928 	rc = avc_has_perm(&selinux_state,
1929 			  sid, old_isec->sid,
1930 			  old_isec->sclass, FILE__RENAME, &ad);
1931 	if (rc)
1932 		return rc;
1933 	if (old_is_dir && new_dir != old_dir) {
1934 		rc = avc_has_perm(&selinux_state,
1935 				  sid, old_isec->sid,
1936 				  old_isec->sclass, DIR__REPARENT, &ad);
1937 		if (rc)
1938 			return rc;
1939 	}
1940 
1941 	ad.u.dentry = new_dentry;
1942 	av = DIR__ADD_NAME | DIR__SEARCH;
1943 	if (d_is_positive(new_dentry))
1944 		av |= DIR__REMOVE_NAME;
1945 	rc = avc_has_perm(&selinux_state,
1946 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1947 	if (rc)
1948 		return rc;
1949 	if (d_is_positive(new_dentry)) {
1950 		new_isec = backing_inode_security(new_dentry);
1951 		new_is_dir = d_is_dir(new_dentry);
1952 		rc = avc_has_perm(&selinux_state,
1953 				  sid, new_isec->sid,
1954 				  new_isec->sclass,
1955 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1956 		if (rc)
1957 			return rc;
1958 	}
1959 
1960 	return 0;
1961 }
1962 
1963 /* Check whether a task can perform a filesystem operation. */
1964 static int superblock_has_perm(const struct cred *cred,
1965 			       struct super_block *sb,
1966 			       u32 perms,
1967 			       struct common_audit_data *ad)
1968 {
1969 	struct superblock_security_struct *sbsec;
1970 	u32 sid = cred_sid(cred);
1971 
1972 	sbsec = sb->s_security;
1973 	return avc_has_perm(&selinux_state,
1974 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1975 }
1976 
1977 /* Convert a Linux mode and permission mask to an access vector. */
1978 static inline u32 file_mask_to_av(int mode, int mask)
1979 {
1980 	u32 av = 0;
1981 
1982 	if (!S_ISDIR(mode)) {
1983 		if (mask & MAY_EXEC)
1984 			av |= FILE__EXECUTE;
1985 		if (mask & MAY_READ)
1986 			av |= FILE__READ;
1987 
1988 		if (mask & MAY_APPEND)
1989 			av |= FILE__APPEND;
1990 		else if (mask & MAY_WRITE)
1991 			av |= FILE__WRITE;
1992 
1993 	} else {
1994 		if (mask & MAY_EXEC)
1995 			av |= DIR__SEARCH;
1996 		if (mask & MAY_WRITE)
1997 			av |= DIR__WRITE;
1998 		if (mask & MAY_READ)
1999 			av |= DIR__READ;
2000 	}
2001 
2002 	return av;
2003 }
2004 
2005 /* Convert a Linux file to an access vector. */
2006 static inline u32 file_to_av(struct file *file)
2007 {
2008 	u32 av = 0;
2009 
2010 	if (file->f_mode & FMODE_READ)
2011 		av |= FILE__READ;
2012 	if (file->f_mode & FMODE_WRITE) {
2013 		if (file->f_flags & O_APPEND)
2014 			av |= FILE__APPEND;
2015 		else
2016 			av |= FILE__WRITE;
2017 	}
2018 	if (!av) {
2019 		/*
2020 		 * Special file opened with flags 3 for ioctl-only use.
2021 		 */
2022 		av = FILE__IOCTL;
2023 	}
2024 
2025 	return av;
2026 }
2027 
2028 /*
2029  * Convert a file to an access vector and include the correct open
2030  * open permission.
2031  */
2032 static inline u32 open_file_to_av(struct file *file)
2033 {
2034 	u32 av = file_to_av(file);
2035 	struct inode *inode = file_inode(file);
2036 
2037 	if (selinux_policycap_openperm() &&
2038 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2039 		av |= FILE__OPEN;
2040 
2041 	return av;
2042 }
2043 
2044 /* Hook functions begin here. */
2045 
2046 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2047 {
2048 	u32 mysid = current_sid();
2049 	u32 mgrsid = task_sid(mgr);
2050 
2051 	return avc_has_perm(&selinux_state,
2052 			    mysid, mgrsid, SECCLASS_BINDER,
2053 			    BINDER__SET_CONTEXT_MGR, NULL);
2054 }
2055 
2056 static int selinux_binder_transaction(struct task_struct *from,
2057 				      struct task_struct *to)
2058 {
2059 	u32 mysid = current_sid();
2060 	u32 fromsid = task_sid(from);
2061 	u32 tosid = task_sid(to);
2062 	int rc;
2063 
2064 	if (mysid != fromsid) {
2065 		rc = avc_has_perm(&selinux_state,
2066 				  mysid, fromsid, SECCLASS_BINDER,
2067 				  BINDER__IMPERSONATE, NULL);
2068 		if (rc)
2069 			return rc;
2070 	}
2071 
2072 	return avc_has_perm(&selinux_state,
2073 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2074 			    NULL);
2075 }
2076 
2077 static int selinux_binder_transfer_binder(struct task_struct *from,
2078 					  struct task_struct *to)
2079 {
2080 	u32 fromsid = task_sid(from);
2081 	u32 tosid = task_sid(to);
2082 
2083 	return avc_has_perm(&selinux_state,
2084 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2085 			    NULL);
2086 }
2087 
2088 static int selinux_binder_transfer_file(struct task_struct *from,
2089 					struct task_struct *to,
2090 					struct file *file)
2091 {
2092 	u32 sid = task_sid(to);
2093 	struct file_security_struct *fsec = selinux_file(file);
2094 	struct dentry *dentry = file->f_path.dentry;
2095 	struct inode_security_struct *isec;
2096 	struct common_audit_data ad;
2097 	int rc;
2098 
2099 	ad.type = LSM_AUDIT_DATA_PATH;
2100 	ad.u.path = file->f_path;
2101 
2102 	if (sid != fsec->sid) {
2103 		rc = avc_has_perm(&selinux_state,
2104 				  sid, fsec->sid,
2105 				  SECCLASS_FD,
2106 				  FD__USE,
2107 				  &ad);
2108 		if (rc)
2109 			return rc;
2110 	}
2111 
2112 #ifdef CONFIG_BPF_SYSCALL
2113 	rc = bpf_fd_pass(file, sid);
2114 	if (rc)
2115 		return rc;
2116 #endif
2117 
2118 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2119 		return 0;
2120 
2121 	isec = backing_inode_security(dentry);
2122 	return avc_has_perm(&selinux_state,
2123 			    sid, isec->sid, isec->sclass, file_to_av(file),
2124 			    &ad);
2125 }
2126 
2127 static int selinux_ptrace_access_check(struct task_struct *child,
2128 				     unsigned int mode)
2129 {
2130 	u32 sid = current_sid();
2131 	u32 csid = task_sid(child);
2132 
2133 	if (mode & PTRACE_MODE_READ)
2134 		return avc_has_perm(&selinux_state,
2135 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2136 
2137 	return avc_has_perm(&selinux_state,
2138 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2139 }
2140 
2141 static int selinux_ptrace_traceme(struct task_struct *parent)
2142 {
2143 	return avc_has_perm(&selinux_state,
2144 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2145 			    PROCESS__PTRACE, NULL);
2146 }
2147 
2148 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2149 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2150 {
2151 	return avc_has_perm(&selinux_state,
2152 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2153 			    PROCESS__GETCAP, NULL);
2154 }
2155 
2156 static int selinux_capset(struct cred *new, const struct cred *old,
2157 			  const kernel_cap_t *effective,
2158 			  const kernel_cap_t *inheritable,
2159 			  const kernel_cap_t *permitted)
2160 {
2161 	return avc_has_perm(&selinux_state,
2162 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2163 			    PROCESS__SETCAP, NULL);
2164 }
2165 
2166 /*
2167  * (This comment used to live with the selinux_task_setuid hook,
2168  * which was removed).
2169  *
2170  * Since setuid only affects the current process, and since the SELinux
2171  * controls are not based on the Linux identity attributes, SELinux does not
2172  * need to control this operation.  However, SELinux does control the use of
2173  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2174  */
2175 
2176 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2177 			   int cap, unsigned int opts)
2178 {
2179 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2180 }
2181 
2182 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2183 {
2184 	const struct cred *cred = current_cred();
2185 	int rc = 0;
2186 
2187 	if (!sb)
2188 		return 0;
2189 
2190 	switch (cmds) {
2191 	case Q_SYNC:
2192 	case Q_QUOTAON:
2193 	case Q_QUOTAOFF:
2194 	case Q_SETINFO:
2195 	case Q_SETQUOTA:
2196 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2197 		break;
2198 	case Q_GETFMT:
2199 	case Q_GETINFO:
2200 	case Q_GETQUOTA:
2201 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2202 		break;
2203 	default:
2204 		rc = 0;  /* let the kernel handle invalid cmds */
2205 		break;
2206 	}
2207 	return rc;
2208 }
2209 
2210 static int selinux_quota_on(struct dentry *dentry)
2211 {
2212 	const struct cred *cred = current_cred();
2213 
2214 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2215 }
2216 
2217 static int selinux_syslog(int type)
2218 {
2219 	switch (type) {
2220 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2221 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2222 		return avc_has_perm(&selinux_state,
2223 				    current_sid(), SECINITSID_KERNEL,
2224 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2225 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2226 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2227 	/* Set level of messages printed to console */
2228 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2229 		return avc_has_perm(&selinux_state,
2230 				    current_sid(), SECINITSID_KERNEL,
2231 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2232 				    NULL);
2233 	}
2234 	/* All other syslog types */
2235 	return avc_has_perm(&selinux_state,
2236 			    current_sid(), SECINITSID_KERNEL,
2237 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2238 }
2239 
2240 /*
2241  * Check that a process has enough memory to allocate a new virtual
2242  * mapping. 0 means there is enough memory for the allocation to
2243  * succeed and -ENOMEM implies there is not.
2244  *
2245  * Do not audit the selinux permission check, as this is applied to all
2246  * processes that allocate mappings.
2247  */
2248 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2249 {
2250 	int rc, cap_sys_admin = 0;
2251 
2252 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2253 				 CAP_OPT_NOAUDIT, true);
2254 	if (rc == 0)
2255 		cap_sys_admin = 1;
2256 
2257 	return cap_sys_admin;
2258 }
2259 
2260 /* binprm security operations */
2261 
2262 static u32 ptrace_parent_sid(void)
2263 {
2264 	u32 sid = 0;
2265 	struct task_struct *tracer;
2266 
2267 	rcu_read_lock();
2268 	tracer = ptrace_parent(current);
2269 	if (tracer)
2270 		sid = task_sid(tracer);
2271 	rcu_read_unlock();
2272 
2273 	return sid;
2274 }
2275 
2276 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2277 			    const struct task_security_struct *old_tsec,
2278 			    const struct task_security_struct *new_tsec)
2279 {
2280 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2281 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2282 	int rc;
2283 	u32 av;
2284 
2285 	if (!nnp && !nosuid)
2286 		return 0; /* neither NNP nor nosuid */
2287 
2288 	if (new_tsec->sid == old_tsec->sid)
2289 		return 0; /* No change in credentials */
2290 
2291 	/*
2292 	 * If the policy enables the nnp_nosuid_transition policy capability,
2293 	 * then we permit transitions under NNP or nosuid if the
2294 	 * policy allows the corresponding permission between
2295 	 * the old and new contexts.
2296 	 */
2297 	if (selinux_policycap_nnp_nosuid_transition()) {
2298 		av = 0;
2299 		if (nnp)
2300 			av |= PROCESS2__NNP_TRANSITION;
2301 		if (nosuid)
2302 			av |= PROCESS2__NOSUID_TRANSITION;
2303 		rc = avc_has_perm(&selinux_state,
2304 				  old_tsec->sid, new_tsec->sid,
2305 				  SECCLASS_PROCESS2, av, NULL);
2306 		if (!rc)
2307 			return 0;
2308 	}
2309 
2310 	/*
2311 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2312 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2313 	 * of the permissions of the current SID.
2314 	 */
2315 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2316 					 new_tsec->sid);
2317 	if (!rc)
2318 		return 0;
2319 
2320 	/*
2321 	 * On failure, preserve the errno values for NNP vs nosuid.
2322 	 * NNP:  Operation not permitted for caller.
2323 	 * nosuid:  Permission denied to file.
2324 	 */
2325 	if (nnp)
2326 		return -EPERM;
2327 	return -EACCES;
2328 }
2329 
2330 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2331 {
2332 	const struct task_security_struct *old_tsec;
2333 	struct task_security_struct *new_tsec;
2334 	struct inode_security_struct *isec;
2335 	struct common_audit_data ad;
2336 	struct inode *inode = file_inode(bprm->file);
2337 	int rc;
2338 
2339 	/* SELinux context only depends on initial program or script and not
2340 	 * the script interpreter */
2341 	if (bprm->called_set_creds)
2342 		return 0;
2343 
2344 	old_tsec = selinux_cred(current_cred());
2345 	new_tsec = selinux_cred(bprm->cred);
2346 	isec = inode_security(inode);
2347 
2348 	/* Default to the current task SID. */
2349 	new_tsec->sid = old_tsec->sid;
2350 	new_tsec->osid = old_tsec->sid;
2351 
2352 	/* Reset fs, key, and sock SIDs on execve. */
2353 	new_tsec->create_sid = 0;
2354 	new_tsec->keycreate_sid = 0;
2355 	new_tsec->sockcreate_sid = 0;
2356 
2357 	if (old_tsec->exec_sid) {
2358 		new_tsec->sid = old_tsec->exec_sid;
2359 		/* Reset exec SID on execve. */
2360 		new_tsec->exec_sid = 0;
2361 
2362 		/* Fail on NNP or nosuid if not an allowed transition. */
2363 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2364 		if (rc)
2365 			return rc;
2366 	} else {
2367 		/* Check for a default transition on this program. */
2368 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2369 					     isec->sid, SECCLASS_PROCESS, NULL,
2370 					     &new_tsec->sid);
2371 		if (rc)
2372 			return rc;
2373 
2374 		/*
2375 		 * Fallback to old SID on NNP or nosuid if not an allowed
2376 		 * transition.
2377 		 */
2378 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2379 		if (rc)
2380 			new_tsec->sid = old_tsec->sid;
2381 	}
2382 
2383 	ad.type = LSM_AUDIT_DATA_FILE;
2384 	ad.u.file = bprm->file;
2385 
2386 	if (new_tsec->sid == old_tsec->sid) {
2387 		rc = avc_has_perm(&selinux_state,
2388 				  old_tsec->sid, isec->sid,
2389 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2390 		if (rc)
2391 			return rc;
2392 	} else {
2393 		/* Check permissions for the transition. */
2394 		rc = avc_has_perm(&selinux_state,
2395 				  old_tsec->sid, new_tsec->sid,
2396 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2397 		if (rc)
2398 			return rc;
2399 
2400 		rc = avc_has_perm(&selinux_state,
2401 				  new_tsec->sid, isec->sid,
2402 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2403 		if (rc)
2404 			return rc;
2405 
2406 		/* Check for shared state */
2407 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2408 			rc = avc_has_perm(&selinux_state,
2409 					  old_tsec->sid, new_tsec->sid,
2410 					  SECCLASS_PROCESS, PROCESS__SHARE,
2411 					  NULL);
2412 			if (rc)
2413 				return -EPERM;
2414 		}
2415 
2416 		/* Make sure that anyone attempting to ptrace over a task that
2417 		 * changes its SID has the appropriate permit */
2418 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2419 			u32 ptsid = ptrace_parent_sid();
2420 			if (ptsid != 0) {
2421 				rc = avc_has_perm(&selinux_state,
2422 						  ptsid, new_tsec->sid,
2423 						  SECCLASS_PROCESS,
2424 						  PROCESS__PTRACE, NULL);
2425 				if (rc)
2426 					return -EPERM;
2427 			}
2428 		}
2429 
2430 		/* Clear any possibly unsafe personality bits on exec: */
2431 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2432 
2433 		/* Enable secure mode for SIDs transitions unless
2434 		   the noatsecure permission is granted between
2435 		   the two SIDs, i.e. ahp returns 0. */
2436 		rc = avc_has_perm(&selinux_state,
2437 				  old_tsec->sid, new_tsec->sid,
2438 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2439 				  NULL);
2440 		bprm->secureexec |= !!rc;
2441 	}
2442 
2443 	return 0;
2444 }
2445 
2446 static int match_file(const void *p, struct file *file, unsigned fd)
2447 {
2448 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2449 }
2450 
2451 /* Derived from fs/exec.c:flush_old_files. */
2452 static inline void flush_unauthorized_files(const struct cred *cred,
2453 					    struct files_struct *files)
2454 {
2455 	struct file *file, *devnull = NULL;
2456 	struct tty_struct *tty;
2457 	int drop_tty = 0;
2458 	unsigned n;
2459 
2460 	tty = get_current_tty();
2461 	if (tty) {
2462 		spin_lock(&tty->files_lock);
2463 		if (!list_empty(&tty->tty_files)) {
2464 			struct tty_file_private *file_priv;
2465 
2466 			/* Revalidate access to controlling tty.
2467 			   Use file_path_has_perm on the tty path directly
2468 			   rather than using file_has_perm, as this particular
2469 			   open file may belong to another process and we are
2470 			   only interested in the inode-based check here. */
2471 			file_priv = list_first_entry(&tty->tty_files,
2472 						struct tty_file_private, list);
2473 			file = file_priv->file;
2474 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2475 				drop_tty = 1;
2476 		}
2477 		spin_unlock(&tty->files_lock);
2478 		tty_kref_put(tty);
2479 	}
2480 	/* Reset controlling tty. */
2481 	if (drop_tty)
2482 		no_tty();
2483 
2484 	/* Revalidate access to inherited open files. */
2485 	n = iterate_fd(files, 0, match_file, cred);
2486 	if (!n) /* none found? */
2487 		return;
2488 
2489 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2490 	if (IS_ERR(devnull))
2491 		devnull = NULL;
2492 	/* replace all the matching ones with this */
2493 	do {
2494 		replace_fd(n - 1, devnull, 0);
2495 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2496 	if (devnull)
2497 		fput(devnull);
2498 }
2499 
2500 /*
2501  * Prepare a process for imminent new credential changes due to exec
2502  */
2503 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2504 {
2505 	struct task_security_struct *new_tsec;
2506 	struct rlimit *rlim, *initrlim;
2507 	int rc, i;
2508 
2509 	new_tsec = selinux_cred(bprm->cred);
2510 	if (new_tsec->sid == new_tsec->osid)
2511 		return;
2512 
2513 	/* Close files for which the new task SID is not authorized. */
2514 	flush_unauthorized_files(bprm->cred, current->files);
2515 
2516 	/* Always clear parent death signal on SID transitions. */
2517 	current->pdeath_signal = 0;
2518 
2519 	/* Check whether the new SID can inherit resource limits from the old
2520 	 * SID.  If not, reset all soft limits to the lower of the current
2521 	 * task's hard limit and the init task's soft limit.
2522 	 *
2523 	 * Note that the setting of hard limits (even to lower them) can be
2524 	 * controlled by the setrlimit check.  The inclusion of the init task's
2525 	 * soft limit into the computation is to avoid resetting soft limits
2526 	 * higher than the default soft limit for cases where the default is
2527 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2528 	 */
2529 	rc = avc_has_perm(&selinux_state,
2530 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2531 			  PROCESS__RLIMITINH, NULL);
2532 	if (rc) {
2533 		/* protect against do_prlimit() */
2534 		task_lock(current);
2535 		for (i = 0; i < RLIM_NLIMITS; i++) {
2536 			rlim = current->signal->rlim + i;
2537 			initrlim = init_task.signal->rlim + i;
2538 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2539 		}
2540 		task_unlock(current);
2541 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2542 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2543 	}
2544 }
2545 
2546 /*
2547  * Clean up the process immediately after the installation of new credentials
2548  * due to exec
2549  */
2550 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2551 {
2552 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2553 	struct itimerval itimer;
2554 	u32 osid, sid;
2555 	int rc, i;
2556 
2557 	osid = tsec->osid;
2558 	sid = tsec->sid;
2559 
2560 	if (sid == osid)
2561 		return;
2562 
2563 	/* Check whether the new SID can inherit signal state from the old SID.
2564 	 * If not, clear itimers to avoid subsequent signal generation and
2565 	 * flush and unblock signals.
2566 	 *
2567 	 * This must occur _after_ the task SID has been updated so that any
2568 	 * kill done after the flush will be checked against the new SID.
2569 	 */
2570 	rc = avc_has_perm(&selinux_state,
2571 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2572 	if (rc) {
2573 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2574 			memset(&itimer, 0, sizeof itimer);
2575 			for (i = 0; i < 3; i++)
2576 				do_setitimer(i, &itimer, NULL);
2577 		}
2578 		spin_lock_irq(&current->sighand->siglock);
2579 		if (!fatal_signal_pending(current)) {
2580 			flush_sigqueue(&current->pending);
2581 			flush_sigqueue(&current->signal->shared_pending);
2582 			flush_signal_handlers(current, 1);
2583 			sigemptyset(&current->blocked);
2584 			recalc_sigpending();
2585 		}
2586 		spin_unlock_irq(&current->sighand->siglock);
2587 	}
2588 
2589 	/* Wake up the parent if it is waiting so that it can recheck
2590 	 * wait permission to the new task SID. */
2591 	read_lock(&tasklist_lock);
2592 	__wake_up_parent(current, current->real_parent);
2593 	read_unlock(&tasklist_lock);
2594 }
2595 
2596 /* superblock security operations */
2597 
2598 static int selinux_sb_alloc_security(struct super_block *sb)
2599 {
2600 	return superblock_alloc_security(sb);
2601 }
2602 
2603 static void selinux_sb_free_security(struct super_block *sb)
2604 {
2605 	superblock_free_security(sb);
2606 }
2607 
2608 static inline int opt_len(const char *s)
2609 {
2610 	bool open_quote = false;
2611 	int len;
2612 	char c;
2613 
2614 	for (len = 0; (c = s[len]) != '\0'; len++) {
2615 		if (c == '"')
2616 			open_quote = !open_quote;
2617 		if (c == ',' && !open_quote)
2618 			break;
2619 	}
2620 	return len;
2621 }
2622 
2623 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2624 {
2625 	char *from = options;
2626 	char *to = options;
2627 	bool first = true;
2628 	int rc;
2629 
2630 	while (1) {
2631 		int len = opt_len(from);
2632 		int token;
2633 		char *arg = NULL;
2634 
2635 		token = match_opt_prefix(from, len, &arg);
2636 
2637 		if (token != Opt_error) {
2638 			char *p, *q;
2639 
2640 			/* strip quotes */
2641 			if (arg) {
2642 				for (p = q = arg; p < from + len; p++) {
2643 					char c = *p;
2644 					if (c != '"')
2645 						*q++ = c;
2646 				}
2647 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2648 				if (!arg) {
2649 					rc = -ENOMEM;
2650 					goto free_opt;
2651 				}
2652 			}
2653 			rc = selinux_add_opt(token, arg, mnt_opts);
2654 			if (unlikely(rc)) {
2655 				kfree(arg);
2656 				goto free_opt;
2657 			}
2658 		} else {
2659 			if (!first) {	// copy with preceding comma
2660 				from--;
2661 				len++;
2662 			}
2663 			if (to != from)
2664 				memmove(to, from, len);
2665 			to += len;
2666 			first = false;
2667 		}
2668 		if (!from[len])
2669 			break;
2670 		from += len + 1;
2671 	}
2672 	*to = '\0';
2673 	return 0;
2674 
2675 free_opt:
2676 	if (*mnt_opts) {
2677 		selinux_free_mnt_opts(*mnt_opts);
2678 		*mnt_opts = NULL;
2679 	}
2680 	return rc;
2681 }
2682 
2683 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2684 {
2685 	struct selinux_mnt_opts *opts = mnt_opts;
2686 	struct superblock_security_struct *sbsec = sb->s_security;
2687 	u32 sid;
2688 	int rc;
2689 
2690 	if (!(sbsec->flags & SE_SBINITIALIZED))
2691 		return 0;
2692 
2693 	if (!opts)
2694 		return 0;
2695 
2696 	if (opts->fscontext) {
2697 		rc = parse_sid(sb, opts->fscontext, &sid);
2698 		if (rc)
2699 			return rc;
2700 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2701 			goto out_bad_option;
2702 	}
2703 	if (opts->context) {
2704 		rc = parse_sid(sb, opts->context, &sid);
2705 		if (rc)
2706 			return rc;
2707 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2708 			goto out_bad_option;
2709 	}
2710 	if (opts->rootcontext) {
2711 		struct inode_security_struct *root_isec;
2712 		root_isec = backing_inode_security(sb->s_root);
2713 		rc = parse_sid(sb, opts->rootcontext, &sid);
2714 		if (rc)
2715 			return rc;
2716 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2717 			goto out_bad_option;
2718 	}
2719 	if (opts->defcontext) {
2720 		rc = parse_sid(sb, opts->defcontext, &sid);
2721 		if (rc)
2722 			return rc;
2723 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2724 			goto out_bad_option;
2725 	}
2726 	return 0;
2727 
2728 out_bad_option:
2729 	pr_warn("SELinux: unable to change security options "
2730 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2731 	       sb->s_type->name);
2732 	return -EINVAL;
2733 }
2734 
2735 static int selinux_sb_kern_mount(struct super_block *sb)
2736 {
2737 	const struct cred *cred = current_cred();
2738 	struct common_audit_data ad;
2739 
2740 	ad.type = LSM_AUDIT_DATA_DENTRY;
2741 	ad.u.dentry = sb->s_root;
2742 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2743 }
2744 
2745 static int selinux_sb_statfs(struct dentry *dentry)
2746 {
2747 	const struct cred *cred = current_cred();
2748 	struct common_audit_data ad;
2749 
2750 	ad.type = LSM_AUDIT_DATA_DENTRY;
2751 	ad.u.dentry = dentry->d_sb->s_root;
2752 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2753 }
2754 
2755 static int selinux_mount(const char *dev_name,
2756 			 const struct path *path,
2757 			 const char *type,
2758 			 unsigned long flags,
2759 			 void *data)
2760 {
2761 	const struct cred *cred = current_cred();
2762 
2763 	if (flags & MS_REMOUNT)
2764 		return superblock_has_perm(cred, path->dentry->d_sb,
2765 					   FILESYSTEM__REMOUNT, NULL);
2766 	else
2767 		return path_has_perm(cred, path, FILE__MOUNTON);
2768 }
2769 
2770 static int selinux_umount(struct vfsmount *mnt, int flags)
2771 {
2772 	const struct cred *cred = current_cred();
2773 
2774 	return superblock_has_perm(cred, mnt->mnt_sb,
2775 				   FILESYSTEM__UNMOUNT, NULL);
2776 }
2777 
2778 static int selinux_fs_context_dup(struct fs_context *fc,
2779 				  struct fs_context *src_fc)
2780 {
2781 	const struct selinux_mnt_opts *src = src_fc->security;
2782 	struct selinux_mnt_opts *opts;
2783 
2784 	if (!src)
2785 		return 0;
2786 
2787 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2788 	if (!fc->security)
2789 		return -ENOMEM;
2790 
2791 	opts = fc->security;
2792 
2793 	if (src->fscontext) {
2794 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2795 		if (!opts->fscontext)
2796 			return -ENOMEM;
2797 	}
2798 	if (src->context) {
2799 		opts->context = kstrdup(src->context, GFP_KERNEL);
2800 		if (!opts->context)
2801 			return -ENOMEM;
2802 	}
2803 	if (src->rootcontext) {
2804 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2805 		if (!opts->rootcontext)
2806 			return -ENOMEM;
2807 	}
2808 	if (src->defcontext) {
2809 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2810 		if (!opts->defcontext)
2811 			return -ENOMEM;
2812 	}
2813 	return 0;
2814 }
2815 
2816 static const struct fs_parameter_spec selinux_param_specs[] = {
2817 	fsparam_string(CONTEXT_STR,	Opt_context),
2818 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2819 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2820 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2821 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2822 	{}
2823 };
2824 
2825 static const struct fs_parameter_description selinux_fs_parameters = {
2826 	.name		= "SELinux",
2827 	.specs		= selinux_param_specs,
2828 };
2829 
2830 static int selinux_fs_context_parse_param(struct fs_context *fc,
2831 					  struct fs_parameter *param)
2832 {
2833 	struct fs_parse_result result;
2834 	int opt, rc;
2835 
2836 	opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2837 	if (opt < 0)
2838 		return opt;
2839 
2840 	rc = selinux_add_opt(opt, param->string, &fc->security);
2841 	if (!rc) {
2842 		param->string = NULL;
2843 		rc = 1;
2844 	}
2845 	return rc;
2846 }
2847 
2848 /* inode security operations */
2849 
2850 static int selinux_inode_alloc_security(struct inode *inode)
2851 {
2852 	return inode_alloc_security(inode);
2853 }
2854 
2855 static void selinux_inode_free_security(struct inode *inode)
2856 {
2857 	inode_free_security(inode);
2858 }
2859 
2860 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2861 					const struct qstr *name, void **ctx,
2862 					u32 *ctxlen)
2863 {
2864 	u32 newsid;
2865 	int rc;
2866 
2867 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2868 					   d_inode(dentry->d_parent), name,
2869 					   inode_mode_to_security_class(mode),
2870 					   &newsid);
2871 	if (rc)
2872 		return rc;
2873 
2874 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2875 				       ctxlen);
2876 }
2877 
2878 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2879 					  struct qstr *name,
2880 					  const struct cred *old,
2881 					  struct cred *new)
2882 {
2883 	u32 newsid;
2884 	int rc;
2885 	struct task_security_struct *tsec;
2886 
2887 	rc = selinux_determine_inode_label(selinux_cred(old),
2888 					   d_inode(dentry->d_parent), name,
2889 					   inode_mode_to_security_class(mode),
2890 					   &newsid);
2891 	if (rc)
2892 		return rc;
2893 
2894 	tsec = selinux_cred(new);
2895 	tsec->create_sid = newsid;
2896 	return 0;
2897 }
2898 
2899 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2900 				       const struct qstr *qstr,
2901 				       const char **name,
2902 				       void **value, size_t *len)
2903 {
2904 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2905 	struct superblock_security_struct *sbsec;
2906 	u32 newsid, clen;
2907 	int rc;
2908 	char *context;
2909 
2910 	sbsec = dir->i_sb->s_security;
2911 
2912 	newsid = tsec->create_sid;
2913 
2914 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2915 		dir, qstr,
2916 		inode_mode_to_security_class(inode->i_mode),
2917 		&newsid);
2918 	if (rc)
2919 		return rc;
2920 
2921 	/* Possibly defer initialization to selinux_complete_init. */
2922 	if (sbsec->flags & SE_SBINITIALIZED) {
2923 		struct inode_security_struct *isec = selinux_inode(inode);
2924 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 		isec->sid = newsid;
2926 		isec->initialized = LABEL_INITIALIZED;
2927 	}
2928 
2929 	if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2930 		return -EOPNOTSUPP;
2931 
2932 	if (name)
2933 		*name = XATTR_SELINUX_SUFFIX;
2934 
2935 	if (value && len) {
2936 		rc = security_sid_to_context_force(&selinux_state, newsid,
2937 						   &context, &clen);
2938 		if (rc)
2939 			return rc;
2940 		*value = context;
2941 		*len = clen;
2942 	}
2943 
2944 	return 0;
2945 }
2946 
2947 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2948 {
2949 	return may_create(dir, dentry, SECCLASS_FILE);
2950 }
2951 
2952 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2953 {
2954 	return may_link(dir, old_dentry, MAY_LINK);
2955 }
2956 
2957 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2958 {
2959 	return may_link(dir, dentry, MAY_UNLINK);
2960 }
2961 
2962 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2963 {
2964 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2965 }
2966 
2967 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2968 {
2969 	return may_create(dir, dentry, SECCLASS_DIR);
2970 }
2971 
2972 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2973 {
2974 	return may_link(dir, dentry, MAY_RMDIR);
2975 }
2976 
2977 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2978 {
2979 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2980 }
2981 
2982 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2983 				struct inode *new_inode, struct dentry *new_dentry)
2984 {
2985 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2986 }
2987 
2988 static int selinux_inode_readlink(struct dentry *dentry)
2989 {
2990 	const struct cred *cred = current_cred();
2991 
2992 	return dentry_has_perm(cred, dentry, FILE__READ);
2993 }
2994 
2995 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2996 				     bool rcu)
2997 {
2998 	const struct cred *cred = current_cred();
2999 	struct common_audit_data ad;
3000 	struct inode_security_struct *isec;
3001 	u32 sid;
3002 
3003 	validate_creds(cred);
3004 
3005 	ad.type = LSM_AUDIT_DATA_DENTRY;
3006 	ad.u.dentry = dentry;
3007 	sid = cred_sid(cred);
3008 	isec = inode_security_rcu(inode, rcu);
3009 	if (IS_ERR(isec))
3010 		return PTR_ERR(isec);
3011 
3012 	return avc_has_perm(&selinux_state,
3013 			    sid, isec->sid, isec->sclass, FILE__READ, &ad);
3014 }
3015 
3016 static noinline int audit_inode_permission(struct inode *inode,
3017 					   u32 perms, u32 audited, u32 denied,
3018 					   int result,
3019 					   unsigned flags)
3020 {
3021 	struct common_audit_data ad;
3022 	struct inode_security_struct *isec = selinux_inode(inode);
3023 	int rc;
3024 
3025 	ad.type = LSM_AUDIT_DATA_INODE;
3026 	ad.u.inode = inode;
3027 
3028 	rc = slow_avc_audit(&selinux_state,
3029 			    current_sid(), isec->sid, isec->sclass, perms,
3030 			    audited, denied, result, &ad, flags);
3031 	if (rc)
3032 		return rc;
3033 	return 0;
3034 }
3035 
3036 static int selinux_inode_permission(struct inode *inode, int mask)
3037 {
3038 	const struct cred *cred = current_cred();
3039 	u32 perms;
3040 	bool from_access;
3041 	unsigned flags = mask & MAY_NOT_BLOCK;
3042 	struct inode_security_struct *isec;
3043 	u32 sid;
3044 	struct av_decision avd;
3045 	int rc, rc2;
3046 	u32 audited, denied;
3047 
3048 	from_access = mask & MAY_ACCESS;
3049 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3050 
3051 	/* No permission to check.  Existence test. */
3052 	if (!mask)
3053 		return 0;
3054 
3055 	validate_creds(cred);
3056 
3057 	if (unlikely(IS_PRIVATE(inode)))
3058 		return 0;
3059 
3060 	perms = file_mask_to_av(inode->i_mode, mask);
3061 
3062 	sid = cred_sid(cred);
3063 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3064 	if (IS_ERR(isec))
3065 		return PTR_ERR(isec);
3066 
3067 	rc = avc_has_perm_noaudit(&selinux_state,
3068 				  sid, isec->sid, isec->sclass, perms,
3069 				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3070 				  &avd);
3071 	audited = avc_audit_required(perms, &avd, rc,
3072 				     from_access ? FILE__AUDIT_ACCESS : 0,
3073 				     &denied);
3074 	if (likely(!audited))
3075 		return rc;
3076 
3077 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3078 	if (rc2)
3079 		return rc2;
3080 	return rc;
3081 }
3082 
3083 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3084 {
3085 	const struct cred *cred = current_cred();
3086 	struct inode *inode = d_backing_inode(dentry);
3087 	unsigned int ia_valid = iattr->ia_valid;
3088 	__u32 av = FILE__WRITE;
3089 
3090 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3091 	if (ia_valid & ATTR_FORCE) {
3092 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3093 			      ATTR_FORCE);
3094 		if (!ia_valid)
3095 			return 0;
3096 	}
3097 
3098 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3099 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3100 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3101 
3102 	if (selinux_policycap_openperm() &&
3103 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3104 	    (ia_valid & ATTR_SIZE) &&
3105 	    !(ia_valid & ATTR_FILE))
3106 		av |= FILE__OPEN;
3107 
3108 	return dentry_has_perm(cred, dentry, av);
3109 }
3110 
3111 static int selinux_inode_getattr(const struct path *path)
3112 {
3113 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3114 }
3115 
3116 static bool has_cap_mac_admin(bool audit)
3117 {
3118 	const struct cred *cred = current_cred();
3119 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3120 
3121 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3122 		return false;
3123 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3124 		return false;
3125 	return true;
3126 }
3127 
3128 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3129 				  const void *value, size_t size, int flags)
3130 {
3131 	struct inode *inode = d_backing_inode(dentry);
3132 	struct inode_security_struct *isec;
3133 	struct superblock_security_struct *sbsec;
3134 	struct common_audit_data ad;
3135 	u32 newsid, sid = current_sid();
3136 	int rc = 0;
3137 
3138 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3139 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3140 		if (rc)
3141 			return rc;
3142 
3143 		/* Not an attribute we recognize, so just check the
3144 		   ordinary setattr permission. */
3145 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3146 	}
3147 
3148 	sbsec = inode->i_sb->s_security;
3149 	if (!(sbsec->flags & SBLABEL_MNT))
3150 		return -EOPNOTSUPP;
3151 
3152 	if (!inode_owner_or_capable(inode))
3153 		return -EPERM;
3154 
3155 	ad.type = LSM_AUDIT_DATA_DENTRY;
3156 	ad.u.dentry = dentry;
3157 
3158 	isec = backing_inode_security(dentry);
3159 	rc = avc_has_perm(&selinux_state,
3160 			  sid, isec->sid, isec->sclass,
3161 			  FILE__RELABELFROM, &ad);
3162 	if (rc)
3163 		return rc;
3164 
3165 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3166 				     GFP_KERNEL);
3167 	if (rc == -EINVAL) {
3168 		if (!has_cap_mac_admin(true)) {
3169 			struct audit_buffer *ab;
3170 			size_t audit_size;
3171 
3172 			/* We strip a nul only if it is at the end, otherwise the
3173 			 * context contains a nul and we should audit that */
3174 			if (value) {
3175 				const char *str = value;
3176 
3177 				if (str[size - 1] == '\0')
3178 					audit_size = size - 1;
3179 				else
3180 					audit_size = size;
3181 			} else {
3182 				audit_size = 0;
3183 			}
3184 			ab = audit_log_start(audit_context(),
3185 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3186 			audit_log_format(ab, "op=setxattr invalid_context=");
3187 			audit_log_n_untrustedstring(ab, value, audit_size);
3188 			audit_log_end(ab);
3189 
3190 			return rc;
3191 		}
3192 		rc = security_context_to_sid_force(&selinux_state, value,
3193 						   size, &newsid);
3194 	}
3195 	if (rc)
3196 		return rc;
3197 
3198 	rc = avc_has_perm(&selinux_state,
3199 			  sid, newsid, isec->sclass,
3200 			  FILE__RELABELTO, &ad);
3201 	if (rc)
3202 		return rc;
3203 
3204 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3205 					  sid, isec->sclass);
3206 	if (rc)
3207 		return rc;
3208 
3209 	return avc_has_perm(&selinux_state,
3210 			    newsid,
3211 			    sbsec->sid,
3212 			    SECCLASS_FILESYSTEM,
3213 			    FILESYSTEM__ASSOCIATE,
3214 			    &ad);
3215 }
3216 
3217 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3218 					const void *value, size_t size,
3219 					int flags)
3220 {
3221 	struct inode *inode = d_backing_inode(dentry);
3222 	struct inode_security_struct *isec;
3223 	u32 newsid;
3224 	int rc;
3225 
3226 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 		/* Not an attribute we recognize, so nothing to do. */
3228 		return;
3229 	}
3230 
3231 	rc = security_context_to_sid_force(&selinux_state, value, size,
3232 					   &newsid);
3233 	if (rc) {
3234 		pr_err("SELinux:  unable to map context to SID"
3235 		       "for (%s, %lu), rc=%d\n",
3236 		       inode->i_sb->s_id, inode->i_ino, -rc);
3237 		return;
3238 	}
3239 
3240 	isec = backing_inode_security(dentry);
3241 	spin_lock(&isec->lock);
3242 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3243 	isec->sid = newsid;
3244 	isec->initialized = LABEL_INITIALIZED;
3245 	spin_unlock(&isec->lock);
3246 
3247 	return;
3248 }
3249 
3250 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3251 {
3252 	const struct cred *cred = current_cred();
3253 
3254 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3255 }
3256 
3257 static int selinux_inode_listxattr(struct dentry *dentry)
3258 {
3259 	const struct cred *cred = current_cred();
3260 
3261 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3262 }
3263 
3264 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3265 {
3266 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3267 		int rc = cap_inode_removexattr(dentry, name);
3268 		if (rc)
3269 			return rc;
3270 
3271 		/* Not an attribute we recognize, so just check the
3272 		   ordinary setattr permission. */
3273 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3274 	}
3275 
3276 	/* No one is allowed to remove a SELinux security label.
3277 	   You can change the label, but all data must be labeled. */
3278 	return -EACCES;
3279 }
3280 
3281 /*
3282  * Copy the inode security context value to the user.
3283  *
3284  * Permission check is handled by selinux_inode_getxattr hook.
3285  */
3286 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3287 {
3288 	u32 size;
3289 	int error;
3290 	char *context = NULL;
3291 	struct inode_security_struct *isec;
3292 
3293 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3294 		return -EOPNOTSUPP;
3295 
3296 	/*
3297 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3298 	 * value even if it is not defined by current policy; otherwise,
3299 	 * use the in-core value under current policy.
3300 	 * Use the non-auditing forms of the permission checks since
3301 	 * getxattr may be called by unprivileged processes commonly
3302 	 * and lack of permission just means that we fall back to the
3303 	 * in-core context value, not a denial.
3304 	 */
3305 	isec = inode_security(inode);
3306 	if (has_cap_mac_admin(false))
3307 		error = security_sid_to_context_force(&selinux_state,
3308 						      isec->sid, &context,
3309 						      &size);
3310 	else
3311 		error = security_sid_to_context(&selinux_state, isec->sid,
3312 						&context, &size);
3313 	if (error)
3314 		return error;
3315 	error = size;
3316 	if (alloc) {
3317 		*buffer = context;
3318 		goto out_nofree;
3319 	}
3320 	kfree(context);
3321 out_nofree:
3322 	return error;
3323 }
3324 
3325 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3326 				     const void *value, size_t size, int flags)
3327 {
3328 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3329 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3330 	u32 newsid;
3331 	int rc;
3332 
3333 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3334 		return -EOPNOTSUPP;
3335 
3336 	if (!(sbsec->flags & SBLABEL_MNT))
3337 		return -EOPNOTSUPP;
3338 
3339 	if (!value || !size)
3340 		return -EACCES;
3341 
3342 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3343 				     GFP_KERNEL);
3344 	if (rc)
3345 		return rc;
3346 
3347 	spin_lock(&isec->lock);
3348 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3349 	isec->sid = newsid;
3350 	isec->initialized = LABEL_INITIALIZED;
3351 	spin_unlock(&isec->lock);
3352 	return 0;
3353 }
3354 
3355 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3356 {
3357 	const int len = sizeof(XATTR_NAME_SELINUX);
3358 	if (buffer && len <= buffer_size)
3359 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3360 	return len;
3361 }
3362 
3363 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3364 {
3365 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3366 	*secid = isec->sid;
3367 }
3368 
3369 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3370 {
3371 	u32 sid;
3372 	struct task_security_struct *tsec;
3373 	struct cred *new_creds = *new;
3374 
3375 	if (new_creds == NULL) {
3376 		new_creds = prepare_creds();
3377 		if (!new_creds)
3378 			return -ENOMEM;
3379 	}
3380 
3381 	tsec = selinux_cred(new_creds);
3382 	/* Get label from overlay inode and set it in create_sid */
3383 	selinux_inode_getsecid(d_inode(src), &sid);
3384 	tsec->create_sid = sid;
3385 	*new = new_creds;
3386 	return 0;
3387 }
3388 
3389 static int selinux_inode_copy_up_xattr(const char *name)
3390 {
3391 	/* The copy_up hook above sets the initial context on an inode, but we
3392 	 * don't then want to overwrite it by blindly copying all the lower
3393 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3394 	 */
3395 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3396 		return 1; /* Discard */
3397 	/*
3398 	 * Any other attribute apart from SELINUX is not claimed, supported
3399 	 * by selinux.
3400 	 */
3401 	return -EOPNOTSUPP;
3402 }
3403 
3404 /* kernfs node operations */
3405 
3406 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3407 					struct kernfs_node *kn)
3408 {
3409 	const struct task_security_struct *tsec = current_security();
3410 	u32 parent_sid, newsid, clen;
3411 	int rc;
3412 	char *context;
3413 
3414 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3415 	if (rc == -ENODATA)
3416 		return 0;
3417 	else if (rc < 0)
3418 		return rc;
3419 
3420 	clen = (u32)rc;
3421 	context = kmalloc(clen, GFP_KERNEL);
3422 	if (!context)
3423 		return -ENOMEM;
3424 
3425 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3426 	if (rc < 0) {
3427 		kfree(context);
3428 		return rc;
3429 	}
3430 
3431 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3432 				     GFP_KERNEL);
3433 	kfree(context);
3434 	if (rc)
3435 		return rc;
3436 
3437 	if (tsec->create_sid) {
3438 		newsid = tsec->create_sid;
3439 	} else {
3440 		u16 secclass = inode_mode_to_security_class(kn->mode);
3441 		struct qstr q;
3442 
3443 		q.name = kn->name;
3444 		q.hash_len = hashlen_string(kn_dir, kn->name);
3445 
3446 		rc = security_transition_sid(&selinux_state, tsec->sid,
3447 					     parent_sid, secclass, &q,
3448 					     &newsid);
3449 		if (rc)
3450 			return rc;
3451 	}
3452 
3453 	rc = security_sid_to_context_force(&selinux_state, newsid,
3454 					   &context, &clen);
3455 	if (rc)
3456 		return rc;
3457 
3458 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3459 			      XATTR_CREATE);
3460 	kfree(context);
3461 	return rc;
3462 }
3463 
3464 
3465 /* file security operations */
3466 
3467 static int selinux_revalidate_file_permission(struct file *file, int mask)
3468 {
3469 	const struct cred *cred = current_cred();
3470 	struct inode *inode = file_inode(file);
3471 
3472 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3473 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3474 		mask |= MAY_APPEND;
3475 
3476 	return file_has_perm(cred, file,
3477 			     file_mask_to_av(inode->i_mode, mask));
3478 }
3479 
3480 static int selinux_file_permission(struct file *file, int mask)
3481 {
3482 	struct inode *inode = file_inode(file);
3483 	struct file_security_struct *fsec = selinux_file(file);
3484 	struct inode_security_struct *isec;
3485 	u32 sid = current_sid();
3486 
3487 	if (!mask)
3488 		/* No permission to check.  Existence test. */
3489 		return 0;
3490 
3491 	isec = inode_security(inode);
3492 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3493 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3494 		/* No change since file_open check. */
3495 		return 0;
3496 
3497 	return selinux_revalidate_file_permission(file, mask);
3498 }
3499 
3500 static int selinux_file_alloc_security(struct file *file)
3501 {
3502 	return file_alloc_security(file);
3503 }
3504 
3505 /*
3506  * Check whether a task has the ioctl permission and cmd
3507  * operation to an inode.
3508  */
3509 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3510 		u32 requested, u16 cmd)
3511 {
3512 	struct common_audit_data ad;
3513 	struct file_security_struct *fsec = selinux_file(file);
3514 	struct inode *inode = file_inode(file);
3515 	struct inode_security_struct *isec;
3516 	struct lsm_ioctlop_audit ioctl;
3517 	u32 ssid = cred_sid(cred);
3518 	int rc;
3519 	u8 driver = cmd >> 8;
3520 	u8 xperm = cmd & 0xff;
3521 
3522 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3523 	ad.u.op = &ioctl;
3524 	ad.u.op->cmd = cmd;
3525 	ad.u.op->path = file->f_path;
3526 
3527 	if (ssid != fsec->sid) {
3528 		rc = avc_has_perm(&selinux_state,
3529 				  ssid, fsec->sid,
3530 				SECCLASS_FD,
3531 				FD__USE,
3532 				&ad);
3533 		if (rc)
3534 			goto out;
3535 	}
3536 
3537 	if (unlikely(IS_PRIVATE(inode)))
3538 		return 0;
3539 
3540 	isec = inode_security(inode);
3541 	rc = avc_has_extended_perms(&selinux_state,
3542 				    ssid, isec->sid, isec->sclass,
3543 				    requested, driver, xperm, &ad);
3544 out:
3545 	return rc;
3546 }
3547 
3548 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3549 			      unsigned long arg)
3550 {
3551 	const struct cred *cred = current_cred();
3552 	int error = 0;
3553 
3554 	switch (cmd) {
3555 	case FIONREAD:
3556 	/* fall through */
3557 	case FIBMAP:
3558 	/* fall through */
3559 	case FIGETBSZ:
3560 	/* fall through */
3561 	case FS_IOC_GETFLAGS:
3562 	/* fall through */
3563 	case FS_IOC_GETVERSION:
3564 		error = file_has_perm(cred, file, FILE__GETATTR);
3565 		break;
3566 
3567 	case FS_IOC_SETFLAGS:
3568 	/* fall through */
3569 	case FS_IOC_SETVERSION:
3570 		error = file_has_perm(cred, file, FILE__SETATTR);
3571 		break;
3572 
3573 	/* sys_ioctl() checks */
3574 	case FIONBIO:
3575 	/* fall through */
3576 	case FIOASYNC:
3577 		error = file_has_perm(cred, file, 0);
3578 		break;
3579 
3580 	case KDSKBENT:
3581 	case KDSKBSENT:
3582 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3583 					    CAP_OPT_NONE, true);
3584 		break;
3585 
3586 	/* default case assumes that the command will go
3587 	 * to the file's ioctl() function.
3588 	 */
3589 	default:
3590 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3591 	}
3592 	return error;
3593 }
3594 
3595 static int default_noexec;
3596 
3597 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3598 {
3599 	const struct cred *cred = current_cred();
3600 	u32 sid = cred_sid(cred);
3601 	int rc = 0;
3602 
3603 	if (default_noexec &&
3604 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3605 				   (!shared && (prot & PROT_WRITE)))) {
3606 		/*
3607 		 * We are making executable an anonymous mapping or a
3608 		 * private file mapping that will also be writable.
3609 		 * This has an additional check.
3610 		 */
3611 		rc = avc_has_perm(&selinux_state,
3612 				  sid, sid, SECCLASS_PROCESS,
3613 				  PROCESS__EXECMEM, NULL);
3614 		if (rc)
3615 			goto error;
3616 	}
3617 
3618 	if (file) {
3619 		/* read access is always possible with a mapping */
3620 		u32 av = FILE__READ;
3621 
3622 		/* write access only matters if the mapping is shared */
3623 		if (shared && (prot & PROT_WRITE))
3624 			av |= FILE__WRITE;
3625 
3626 		if (prot & PROT_EXEC)
3627 			av |= FILE__EXECUTE;
3628 
3629 		return file_has_perm(cred, file, av);
3630 	}
3631 
3632 error:
3633 	return rc;
3634 }
3635 
3636 static int selinux_mmap_addr(unsigned long addr)
3637 {
3638 	int rc = 0;
3639 
3640 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3641 		u32 sid = current_sid();
3642 		rc = avc_has_perm(&selinux_state,
3643 				  sid, sid, SECCLASS_MEMPROTECT,
3644 				  MEMPROTECT__MMAP_ZERO, NULL);
3645 	}
3646 
3647 	return rc;
3648 }
3649 
3650 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3651 			     unsigned long prot, unsigned long flags)
3652 {
3653 	struct common_audit_data ad;
3654 	int rc;
3655 
3656 	if (file) {
3657 		ad.type = LSM_AUDIT_DATA_FILE;
3658 		ad.u.file = file;
3659 		rc = inode_has_perm(current_cred(), file_inode(file),
3660 				    FILE__MAP, &ad);
3661 		if (rc)
3662 			return rc;
3663 	}
3664 
3665 	if (selinux_state.checkreqprot)
3666 		prot = reqprot;
3667 
3668 	return file_map_prot_check(file, prot,
3669 				   (flags & MAP_TYPE) == MAP_SHARED);
3670 }
3671 
3672 static int selinux_file_mprotect(struct vm_area_struct *vma,
3673 				 unsigned long reqprot,
3674 				 unsigned long prot)
3675 {
3676 	const struct cred *cred = current_cred();
3677 	u32 sid = cred_sid(cred);
3678 
3679 	if (selinux_state.checkreqprot)
3680 		prot = reqprot;
3681 
3682 	if (default_noexec &&
3683 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3684 		int rc = 0;
3685 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3686 		    vma->vm_end <= vma->vm_mm->brk) {
3687 			rc = avc_has_perm(&selinux_state,
3688 					  sid, sid, SECCLASS_PROCESS,
3689 					  PROCESS__EXECHEAP, NULL);
3690 		} else if (!vma->vm_file &&
3691 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3692 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3693 			    vma_is_stack_for_current(vma))) {
3694 			rc = avc_has_perm(&selinux_state,
3695 					  sid, sid, SECCLASS_PROCESS,
3696 					  PROCESS__EXECSTACK, NULL);
3697 		} else if (vma->vm_file && vma->anon_vma) {
3698 			/*
3699 			 * We are making executable a file mapping that has
3700 			 * had some COW done. Since pages might have been
3701 			 * written, check ability to execute the possibly
3702 			 * modified content.  This typically should only
3703 			 * occur for text relocations.
3704 			 */
3705 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3706 		}
3707 		if (rc)
3708 			return rc;
3709 	}
3710 
3711 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3712 }
3713 
3714 static int selinux_file_lock(struct file *file, unsigned int cmd)
3715 {
3716 	const struct cred *cred = current_cred();
3717 
3718 	return file_has_perm(cred, file, FILE__LOCK);
3719 }
3720 
3721 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3722 			      unsigned long arg)
3723 {
3724 	const struct cred *cred = current_cred();
3725 	int err = 0;
3726 
3727 	switch (cmd) {
3728 	case F_SETFL:
3729 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3730 			err = file_has_perm(cred, file, FILE__WRITE);
3731 			break;
3732 		}
3733 		/* fall through */
3734 	case F_SETOWN:
3735 	case F_SETSIG:
3736 	case F_GETFL:
3737 	case F_GETOWN:
3738 	case F_GETSIG:
3739 	case F_GETOWNER_UIDS:
3740 		/* Just check FD__USE permission */
3741 		err = file_has_perm(cred, file, 0);
3742 		break;
3743 	case F_GETLK:
3744 	case F_SETLK:
3745 	case F_SETLKW:
3746 	case F_OFD_GETLK:
3747 	case F_OFD_SETLK:
3748 	case F_OFD_SETLKW:
3749 #if BITS_PER_LONG == 32
3750 	case F_GETLK64:
3751 	case F_SETLK64:
3752 	case F_SETLKW64:
3753 #endif
3754 		err = file_has_perm(cred, file, FILE__LOCK);
3755 		break;
3756 	}
3757 
3758 	return err;
3759 }
3760 
3761 static void selinux_file_set_fowner(struct file *file)
3762 {
3763 	struct file_security_struct *fsec;
3764 
3765 	fsec = selinux_file(file);
3766 	fsec->fown_sid = current_sid();
3767 }
3768 
3769 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3770 				       struct fown_struct *fown, int signum)
3771 {
3772 	struct file *file;
3773 	u32 sid = task_sid(tsk);
3774 	u32 perm;
3775 	struct file_security_struct *fsec;
3776 
3777 	/* struct fown_struct is never outside the context of a struct file */
3778 	file = container_of(fown, struct file, f_owner);
3779 
3780 	fsec = selinux_file(file);
3781 
3782 	if (!signum)
3783 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3784 	else
3785 		perm = signal_to_av(signum);
3786 
3787 	return avc_has_perm(&selinux_state,
3788 			    fsec->fown_sid, sid,
3789 			    SECCLASS_PROCESS, perm, NULL);
3790 }
3791 
3792 static int selinux_file_receive(struct file *file)
3793 {
3794 	const struct cred *cred = current_cred();
3795 
3796 	return file_has_perm(cred, file, file_to_av(file));
3797 }
3798 
3799 static int selinux_file_open(struct file *file)
3800 {
3801 	struct file_security_struct *fsec;
3802 	struct inode_security_struct *isec;
3803 
3804 	fsec = selinux_file(file);
3805 	isec = inode_security(file_inode(file));
3806 	/*
3807 	 * Save inode label and policy sequence number
3808 	 * at open-time so that selinux_file_permission
3809 	 * can determine whether revalidation is necessary.
3810 	 * Task label is already saved in the file security
3811 	 * struct as its SID.
3812 	 */
3813 	fsec->isid = isec->sid;
3814 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3815 	/*
3816 	 * Since the inode label or policy seqno may have changed
3817 	 * between the selinux_inode_permission check and the saving
3818 	 * of state above, recheck that access is still permitted.
3819 	 * Otherwise, access might never be revalidated against the
3820 	 * new inode label or new policy.
3821 	 * This check is not redundant - do not remove.
3822 	 */
3823 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3824 }
3825 
3826 /* task security operations */
3827 
3828 static int selinux_task_alloc(struct task_struct *task,
3829 			      unsigned long clone_flags)
3830 {
3831 	u32 sid = current_sid();
3832 
3833 	return avc_has_perm(&selinux_state,
3834 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3835 }
3836 
3837 /*
3838  * prepare a new set of credentials for modification
3839  */
3840 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3841 				gfp_t gfp)
3842 {
3843 	const struct task_security_struct *old_tsec = selinux_cred(old);
3844 	struct task_security_struct *tsec = selinux_cred(new);
3845 
3846 	*tsec = *old_tsec;
3847 	return 0;
3848 }
3849 
3850 /*
3851  * transfer the SELinux data to a blank set of creds
3852  */
3853 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3854 {
3855 	const struct task_security_struct *old_tsec = selinux_cred(old);
3856 	struct task_security_struct *tsec = selinux_cred(new);
3857 
3858 	*tsec = *old_tsec;
3859 }
3860 
3861 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3862 {
3863 	*secid = cred_sid(c);
3864 }
3865 
3866 /*
3867  * set the security data for a kernel service
3868  * - all the creation contexts are set to unlabelled
3869  */
3870 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3871 {
3872 	struct task_security_struct *tsec = selinux_cred(new);
3873 	u32 sid = current_sid();
3874 	int ret;
3875 
3876 	ret = avc_has_perm(&selinux_state,
3877 			   sid, secid,
3878 			   SECCLASS_KERNEL_SERVICE,
3879 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3880 			   NULL);
3881 	if (ret == 0) {
3882 		tsec->sid = secid;
3883 		tsec->create_sid = 0;
3884 		tsec->keycreate_sid = 0;
3885 		tsec->sockcreate_sid = 0;
3886 	}
3887 	return ret;
3888 }
3889 
3890 /*
3891  * set the file creation context in a security record to the same as the
3892  * objective context of the specified inode
3893  */
3894 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3895 {
3896 	struct inode_security_struct *isec = inode_security(inode);
3897 	struct task_security_struct *tsec = selinux_cred(new);
3898 	u32 sid = current_sid();
3899 	int ret;
3900 
3901 	ret = avc_has_perm(&selinux_state,
3902 			   sid, isec->sid,
3903 			   SECCLASS_KERNEL_SERVICE,
3904 			   KERNEL_SERVICE__CREATE_FILES_AS,
3905 			   NULL);
3906 
3907 	if (ret == 0)
3908 		tsec->create_sid = isec->sid;
3909 	return ret;
3910 }
3911 
3912 static int selinux_kernel_module_request(char *kmod_name)
3913 {
3914 	struct common_audit_data ad;
3915 
3916 	ad.type = LSM_AUDIT_DATA_KMOD;
3917 	ad.u.kmod_name = kmod_name;
3918 
3919 	return avc_has_perm(&selinux_state,
3920 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3921 			    SYSTEM__MODULE_REQUEST, &ad);
3922 }
3923 
3924 static int selinux_kernel_module_from_file(struct file *file)
3925 {
3926 	struct common_audit_data ad;
3927 	struct inode_security_struct *isec;
3928 	struct file_security_struct *fsec;
3929 	u32 sid = current_sid();
3930 	int rc;
3931 
3932 	/* init_module */
3933 	if (file == NULL)
3934 		return avc_has_perm(&selinux_state,
3935 				    sid, sid, SECCLASS_SYSTEM,
3936 					SYSTEM__MODULE_LOAD, NULL);
3937 
3938 	/* finit_module */
3939 
3940 	ad.type = LSM_AUDIT_DATA_FILE;
3941 	ad.u.file = file;
3942 
3943 	fsec = selinux_file(file);
3944 	if (sid != fsec->sid) {
3945 		rc = avc_has_perm(&selinux_state,
3946 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3947 		if (rc)
3948 			return rc;
3949 	}
3950 
3951 	isec = inode_security(file_inode(file));
3952 	return avc_has_perm(&selinux_state,
3953 			    sid, isec->sid, SECCLASS_SYSTEM,
3954 				SYSTEM__MODULE_LOAD, &ad);
3955 }
3956 
3957 static int selinux_kernel_read_file(struct file *file,
3958 				    enum kernel_read_file_id id)
3959 {
3960 	int rc = 0;
3961 
3962 	switch (id) {
3963 	case READING_MODULE:
3964 		rc = selinux_kernel_module_from_file(file);
3965 		break;
3966 	default:
3967 		break;
3968 	}
3969 
3970 	return rc;
3971 }
3972 
3973 static int selinux_kernel_load_data(enum kernel_load_data_id id)
3974 {
3975 	int rc = 0;
3976 
3977 	switch (id) {
3978 	case LOADING_MODULE:
3979 		rc = selinux_kernel_module_from_file(NULL);
3980 	default:
3981 		break;
3982 	}
3983 
3984 	return rc;
3985 }
3986 
3987 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3988 {
3989 	return avc_has_perm(&selinux_state,
3990 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
3991 			    PROCESS__SETPGID, NULL);
3992 }
3993 
3994 static int selinux_task_getpgid(struct task_struct *p)
3995 {
3996 	return avc_has_perm(&selinux_state,
3997 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
3998 			    PROCESS__GETPGID, NULL);
3999 }
4000 
4001 static int selinux_task_getsid(struct task_struct *p)
4002 {
4003 	return avc_has_perm(&selinux_state,
4004 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4005 			    PROCESS__GETSESSION, NULL);
4006 }
4007 
4008 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4009 {
4010 	*secid = task_sid(p);
4011 }
4012 
4013 static int selinux_task_setnice(struct task_struct *p, int nice)
4014 {
4015 	return avc_has_perm(&selinux_state,
4016 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4017 			    PROCESS__SETSCHED, NULL);
4018 }
4019 
4020 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4021 {
4022 	return avc_has_perm(&selinux_state,
4023 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4024 			    PROCESS__SETSCHED, NULL);
4025 }
4026 
4027 static int selinux_task_getioprio(struct task_struct *p)
4028 {
4029 	return avc_has_perm(&selinux_state,
4030 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4031 			    PROCESS__GETSCHED, NULL);
4032 }
4033 
4034 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4035 				unsigned int flags)
4036 {
4037 	u32 av = 0;
4038 
4039 	if (!flags)
4040 		return 0;
4041 	if (flags & LSM_PRLIMIT_WRITE)
4042 		av |= PROCESS__SETRLIMIT;
4043 	if (flags & LSM_PRLIMIT_READ)
4044 		av |= PROCESS__GETRLIMIT;
4045 	return avc_has_perm(&selinux_state,
4046 			    cred_sid(cred), cred_sid(tcred),
4047 			    SECCLASS_PROCESS, av, NULL);
4048 }
4049 
4050 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4051 		struct rlimit *new_rlim)
4052 {
4053 	struct rlimit *old_rlim = p->signal->rlim + resource;
4054 
4055 	/* Control the ability to change the hard limit (whether
4056 	   lowering or raising it), so that the hard limit can
4057 	   later be used as a safe reset point for the soft limit
4058 	   upon context transitions.  See selinux_bprm_committing_creds. */
4059 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4060 		return avc_has_perm(&selinux_state,
4061 				    current_sid(), task_sid(p),
4062 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4063 
4064 	return 0;
4065 }
4066 
4067 static int selinux_task_setscheduler(struct task_struct *p)
4068 {
4069 	return avc_has_perm(&selinux_state,
4070 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4071 			    PROCESS__SETSCHED, NULL);
4072 }
4073 
4074 static int selinux_task_getscheduler(struct task_struct *p)
4075 {
4076 	return avc_has_perm(&selinux_state,
4077 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4078 			    PROCESS__GETSCHED, NULL);
4079 }
4080 
4081 static int selinux_task_movememory(struct task_struct *p)
4082 {
4083 	return avc_has_perm(&selinux_state,
4084 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4085 			    PROCESS__SETSCHED, NULL);
4086 }
4087 
4088 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4089 				int sig, const struct cred *cred)
4090 {
4091 	u32 secid;
4092 	u32 perm;
4093 
4094 	if (!sig)
4095 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4096 	else
4097 		perm = signal_to_av(sig);
4098 	if (!cred)
4099 		secid = current_sid();
4100 	else
4101 		secid = cred_sid(cred);
4102 	return avc_has_perm(&selinux_state,
4103 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4104 }
4105 
4106 static void selinux_task_to_inode(struct task_struct *p,
4107 				  struct inode *inode)
4108 {
4109 	struct inode_security_struct *isec = selinux_inode(inode);
4110 	u32 sid = task_sid(p);
4111 
4112 	spin_lock(&isec->lock);
4113 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4114 	isec->sid = sid;
4115 	isec->initialized = LABEL_INITIALIZED;
4116 	spin_unlock(&isec->lock);
4117 }
4118 
4119 /* Returns error only if unable to parse addresses */
4120 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4121 			struct common_audit_data *ad, u8 *proto)
4122 {
4123 	int offset, ihlen, ret = -EINVAL;
4124 	struct iphdr _iph, *ih;
4125 
4126 	offset = skb_network_offset(skb);
4127 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4128 	if (ih == NULL)
4129 		goto out;
4130 
4131 	ihlen = ih->ihl * 4;
4132 	if (ihlen < sizeof(_iph))
4133 		goto out;
4134 
4135 	ad->u.net->v4info.saddr = ih->saddr;
4136 	ad->u.net->v4info.daddr = ih->daddr;
4137 	ret = 0;
4138 
4139 	if (proto)
4140 		*proto = ih->protocol;
4141 
4142 	switch (ih->protocol) {
4143 	case IPPROTO_TCP: {
4144 		struct tcphdr _tcph, *th;
4145 
4146 		if (ntohs(ih->frag_off) & IP_OFFSET)
4147 			break;
4148 
4149 		offset += ihlen;
4150 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4151 		if (th == NULL)
4152 			break;
4153 
4154 		ad->u.net->sport = th->source;
4155 		ad->u.net->dport = th->dest;
4156 		break;
4157 	}
4158 
4159 	case IPPROTO_UDP: {
4160 		struct udphdr _udph, *uh;
4161 
4162 		if (ntohs(ih->frag_off) & IP_OFFSET)
4163 			break;
4164 
4165 		offset += ihlen;
4166 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4167 		if (uh == NULL)
4168 			break;
4169 
4170 		ad->u.net->sport = uh->source;
4171 		ad->u.net->dport = uh->dest;
4172 		break;
4173 	}
4174 
4175 	case IPPROTO_DCCP: {
4176 		struct dccp_hdr _dccph, *dh;
4177 
4178 		if (ntohs(ih->frag_off) & IP_OFFSET)
4179 			break;
4180 
4181 		offset += ihlen;
4182 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4183 		if (dh == NULL)
4184 			break;
4185 
4186 		ad->u.net->sport = dh->dccph_sport;
4187 		ad->u.net->dport = dh->dccph_dport;
4188 		break;
4189 	}
4190 
4191 #if IS_ENABLED(CONFIG_IP_SCTP)
4192 	case IPPROTO_SCTP: {
4193 		struct sctphdr _sctph, *sh;
4194 
4195 		if (ntohs(ih->frag_off) & IP_OFFSET)
4196 			break;
4197 
4198 		offset += ihlen;
4199 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4200 		if (sh == NULL)
4201 			break;
4202 
4203 		ad->u.net->sport = sh->source;
4204 		ad->u.net->dport = sh->dest;
4205 		break;
4206 	}
4207 #endif
4208 	default:
4209 		break;
4210 	}
4211 out:
4212 	return ret;
4213 }
4214 
4215 #if IS_ENABLED(CONFIG_IPV6)
4216 
4217 /* Returns error only if unable to parse addresses */
4218 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4219 			struct common_audit_data *ad, u8 *proto)
4220 {
4221 	u8 nexthdr;
4222 	int ret = -EINVAL, offset;
4223 	struct ipv6hdr _ipv6h, *ip6;
4224 	__be16 frag_off;
4225 
4226 	offset = skb_network_offset(skb);
4227 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4228 	if (ip6 == NULL)
4229 		goto out;
4230 
4231 	ad->u.net->v6info.saddr = ip6->saddr;
4232 	ad->u.net->v6info.daddr = ip6->daddr;
4233 	ret = 0;
4234 
4235 	nexthdr = ip6->nexthdr;
4236 	offset += sizeof(_ipv6h);
4237 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4238 	if (offset < 0)
4239 		goto out;
4240 
4241 	if (proto)
4242 		*proto = nexthdr;
4243 
4244 	switch (nexthdr) {
4245 	case IPPROTO_TCP: {
4246 		struct tcphdr _tcph, *th;
4247 
4248 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4249 		if (th == NULL)
4250 			break;
4251 
4252 		ad->u.net->sport = th->source;
4253 		ad->u.net->dport = th->dest;
4254 		break;
4255 	}
4256 
4257 	case IPPROTO_UDP: {
4258 		struct udphdr _udph, *uh;
4259 
4260 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4261 		if (uh == NULL)
4262 			break;
4263 
4264 		ad->u.net->sport = uh->source;
4265 		ad->u.net->dport = uh->dest;
4266 		break;
4267 	}
4268 
4269 	case IPPROTO_DCCP: {
4270 		struct dccp_hdr _dccph, *dh;
4271 
4272 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4273 		if (dh == NULL)
4274 			break;
4275 
4276 		ad->u.net->sport = dh->dccph_sport;
4277 		ad->u.net->dport = dh->dccph_dport;
4278 		break;
4279 	}
4280 
4281 #if IS_ENABLED(CONFIG_IP_SCTP)
4282 	case IPPROTO_SCTP: {
4283 		struct sctphdr _sctph, *sh;
4284 
4285 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4286 		if (sh == NULL)
4287 			break;
4288 
4289 		ad->u.net->sport = sh->source;
4290 		ad->u.net->dport = sh->dest;
4291 		break;
4292 	}
4293 #endif
4294 	/* includes fragments */
4295 	default:
4296 		break;
4297 	}
4298 out:
4299 	return ret;
4300 }
4301 
4302 #endif /* IPV6 */
4303 
4304 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4305 			     char **_addrp, int src, u8 *proto)
4306 {
4307 	char *addrp;
4308 	int ret;
4309 
4310 	switch (ad->u.net->family) {
4311 	case PF_INET:
4312 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4313 		if (ret)
4314 			goto parse_error;
4315 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4316 				       &ad->u.net->v4info.daddr);
4317 		goto okay;
4318 
4319 #if IS_ENABLED(CONFIG_IPV6)
4320 	case PF_INET6:
4321 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4322 		if (ret)
4323 			goto parse_error;
4324 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4325 				       &ad->u.net->v6info.daddr);
4326 		goto okay;
4327 #endif	/* IPV6 */
4328 	default:
4329 		addrp = NULL;
4330 		goto okay;
4331 	}
4332 
4333 parse_error:
4334 	pr_warn(
4335 	       "SELinux: failure in selinux_parse_skb(),"
4336 	       " unable to parse packet\n");
4337 	return ret;
4338 
4339 okay:
4340 	if (_addrp)
4341 		*_addrp = addrp;
4342 	return 0;
4343 }
4344 
4345 /**
4346  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4347  * @skb: the packet
4348  * @family: protocol family
4349  * @sid: the packet's peer label SID
4350  *
4351  * Description:
4352  * Check the various different forms of network peer labeling and determine
4353  * the peer label/SID for the packet; most of the magic actually occurs in
4354  * the security server function security_net_peersid_cmp().  The function
4355  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4356  * or -EACCES if @sid is invalid due to inconsistencies with the different
4357  * peer labels.
4358  *
4359  */
4360 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4361 {
4362 	int err;
4363 	u32 xfrm_sid;
4364 	u32 nlbl_sid;
4365 	u32 nlbl_type;
4366 
4367 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4368 	if (unlikely(err))
4369 		return -EACCES;
4370 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4371 	if (unlikely(err))
4372 		return -EACCES;
4373 
4374 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4375 					   nlbl_type, xfrm_sid, sid);
4376 	if (unlikely(err)) {
4377 		pr_warn(
4378 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4379 		       " unable to determine packet's peer label\n");
4380 		return -EACCES;
4381 	}
4382 
4383 	return 0;
4384 }
4385 
4386 /**
4387  * selinux_conn_sid - Determine the child socket label for a connection
4388  * @sk_sid: the parent socket's SID
4389  * @skb_sid: the packet's SID
4390  * @conn_sid: the resulting connection SID
4391  *
4392  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4393  * combined with the MLS information from @skb_sid in order to create
4394  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4395  * of @sk_sid.  Returns zero on success, negative values on failure.
4396  *
4397  */
4398 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4399 {
4400 	int err = 0;
4401 
4402 	if (skb_sid != SECSID_NULL)
4403 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4404 					    conn_sid);
4405 	else
4406 		*conn_sid = sk_sid;
4407 
4408 	return err;
4409 }
4410 
4411 /* socket security operations */
4412 
4413 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4414 				 u16 secclass, u32 *socksid)
4415 {
4416 	if (tsec->sockcreate_sid > SECSID_NULL) {
4417 		*socksid = tsec->sockcreate_sid;
4418 		return 0;
4419 	}
4420 
4421 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4422 				       secclass, NULL, socksid);
4423 }
4424 
4425 static int sock_has_perm(struct sock *sk, u32 perms)
4426 {
4427 	struct sk_security_struct *sksec = sk->sk_security;
4428 	struct common_audit_data ad;
4429 	struct lsm_network_audit net = {0,};
4430 
4431 	if (sksec->sid == SECINITSID_KERNEL)
4432 		return 0;
4433 
4434 	ad.type = LSM_AUDIT_DATA_NET;
4435 	ad.u.net = &net;
4436 	ad.u.net->sk = sk;
4437 
4438 	return avc_has_perm(&selinux_state,
4439 			    current_sid(), sksec->sid, sksec->sclass, perms,
4440 			    &ad);
4441 }
4442 
4443 static int selinux_socket_create(int family, int type,
4444 				 int protocol, int kern)
4445 {
4446 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4447 	u32 newsid;
4448 	u16 secclass;
4449 	int rc;
4450 
4451 	if (kern)
4452 		return 0;
4453 
4454 	secclass = socket_type_to_security_class(family, type, protocol);
4455 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4456 	if (rc)
4457 		return rc;
4458 
4459 	return avc_has_perm(&selinux_state,
4460 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4461 }
4462 
4463 static int selinux_socket_post_create(struct socket *sock, int family,
4464 				      int type, int protocol, int kern)
4465 {
4466 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4467 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4468 	struct sk_security_struct *sksec;
4469 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4470 	u32 sid = SECINITSID_KERNEL;
4471 	int err = 0;
4472 
4473 	if (!kern) {
4474 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4475 		if (err)
4476 			return err;
4477 	}
4478 
4479 	isec->sclass = sclass;
4480 	isec->sid = sid;
4481 	isec->initialized = LABEL_INITIALIZED;
4482 
4483 	if (sock->sk) {
4484 		sksec = sock->sk->sk_security;
4485 		sksec->sclass = sclass;
4486 		sksec->sid = sid;
4487 		/* Allows detection of the first association on this socket */
4488 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4489 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4490 
4491 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4492 	}
4493 
4494 	return err;
4495 }
4496 
4497 static int selinux_socket_socketpair(struct socket *socka,
4498 				     struct socket *sockb)
4499 {
4500 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4501 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4502 
4503 	sksec_a->peer_sid = sksec_b->sid;
4504 	sksec_b->peer_sid = sksec_a->sid;
4505 
4506 	return 0;
4507 }
4508 
4509 /* Range of port numbers used to automatically bind.
4510    Need to determine whether we should perform a name_bind
4511    permission check between the socket and the port number. */
4512 
4513 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4514 {
4515 	struct sock *sk = sock->sk;
4516 	struct sk_security_struct *sksec = sk->sk_security;
4517 	u16 family;
4518 	int err;
4519 
4520 	err = sock_has_perm(sk, SOCKET__BIND);
4521 	if (err)
4522 		goto out;
4523 
4524 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4525 	family = sk->sk_family;
4526 	if (family == PF_INET || family == PF_INET6) {
4527 		char *addrp;
4528 		struct common_audit_data ad;
4529 		struct lsm_network_audit net = {0,};
4530 		struct sockaddr_in *addr4 = NULL;
4531 		struct sockaddr_in6 *addr6 = NULL;
4532 		u16 family_sa;
4533 		unsigned short snum;
4534 		u32 sid, node_perm;
4535 
4536 		/*
4537 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4538 		 * that validates multiple binding addresses. Because of this
4539 		 * need to check address->sa_family as it is possible to have
4540 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4541 		 */
4542 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4543 			return -EINVAL;
4544 		family_sa = address->sa_family;
4545 		switch (family_sa) {
4546 		case AF_UNSPEC:
4547 		case AF_INET:
4548 			if (addrlen < sizeof(struct sockaddr_in))
4549 				return -EINVAL;
4550 			addr4 = (struct sockaddr_in *)address;
4551 			if (family_sa == AF_UNSPEC) {
4552 				/* see __inet_bind(), we only want to allow
4553 				 * AF_UNSPEC if the address is INADDR_ANY
4554 				 */
4555 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4556 					goto err_af;
4557 				family_sa = AF_INET;
4558 			}
4559 			snum = ntohs(addr4->sin_port);
4560 			addrp = (char *)&addr4->sin_addr.s_addr;
4561 			break;
4562 		case AF_INET6:
4563 			if (addrlen < SIN6_LEN_RFC2133)
4564 				return -EINVAL;
4565 			addr6 = (struct sockaddr_in6 *)address;
4566 			snum = ntohs(addr6->sin6_port);
4567 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4568 			break;
4569 		default:
4570 			goto err_af;
4571 		}
4572 
4573 		ad.type = LSM_AUDIT_DATA_NET;
4574 		ad.u.net = &net;
4575 		ad.u.net->sport = htons(snum);
4576 		ad.u.net->family = family_sa;
4577 
4578 		if (snum) {
4579 			int low, high;
4580 
4581 			inet_get_local_port_range(sock_net(sk), &low, &high);
4582 
4583 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4584 			    snum > high) {
4585 				err = sel_netport_sid(sk->sk_protocol,
4586 						      snum, &sid);
4587 				if (err)
4588 					goto out;
4589 				err = avc_has_perm(&selinux_state,
4590 						   sksec->sid, sid,
4591 						   sksec->sclass,
4592 						   SOCKET__NAME_BIND, &ad);
4593 				if (err)
4594 					goto out;
4595 			}
4596 		}
4597 
4598 		switch (sksec->sclass) {
4599 		case SECCLASS_TCP_SOCKET:
4600 			node_perm = TCP_SOCKET__NODE_BIND;
4601 			break;
4602 
4603 		case SECCLASS_UDP_SOCKET:
4604 			node_perm = UDP_SOCKET__NODE_BIND;
4605 			break;
4606 
4607 		case SECCLASS_DCCP_SOCKET:
4608 			node_perm = DCCP_SOCKET__NODE_BIND;
4609 			break;
4610 
4611 		case SECCLASS_SCTP_SOCKET:
4612 			node_perm = SCTP_SOCKET__NODE_BIND;
4613 			break;
4614 
4615 		default:
4616 			node_perm = RAWIP_SOCKET__NODE_BIND;
4617 			break;
4618 		}
4619 
4620 		err = sel_netnode_sid(addrp, family_sa, &sid);
4621 		if (err)
4622 			goto out;
4623 
4624 		if (family_sa == AF_INET)
4625 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4626 		else
4627 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4628 
4629 		err = avc_has_perm(&selinux_state,
4630 				   sksec->sid, sid,
4631 				   sksec->sclass, node_perm, &ad);
4632 		if (err)
4633 			goto out;
4634 	}
4635 out:
4636 	return err;
4637 err_af:
4638 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4639 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4640 		return -EINVAL;
4641 	return -EAFNOSUPPORT;
4642 }
4643 
4644 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4645  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4646  */
4647 static int selinux_socket_connect_helper(struct socket *sock,
4648 					 struct sockaddr *address, int addrlen)
4649 {
4650 	struct sock *sk = sock->sk;
4651 	struct sk_security_struct *sksec = sk->sk_security;
4652 	int err;
4653 
4654 	err = sock_has_perm(sk, SOCKET__CONNECT);
4655 	if (err)
4656 		return err;
4657 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4658 		return -EINVAL;
4659 
4660 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4661 	 * way to disconnect the socket
4662 	 */
4663 	if (address->sa_family == AF_UNSPEC)
4664 		return 0;
4665 
4666 	/*
4667 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4668 	 * for the port.
4669 	 */
4670 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4671 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4672 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4673 		struct common_audit_data ad;
4674 		struct lsm_network_audit net = {0,};
4675 		struct sockaddr_in *addr4 = NULL;
4676 		struct sockaddr_in6 *addr6 = NULL;
4677 		unsigned short snum;
4678 		u32 sid, perm;
4679 
4680 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4681 		 * that validates multiple connect addresses. Because of this
4682 		 * need to check address->sa_family as it is possible to have
4683 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4684 		 */
4685 		switch (address->sa_family) {
4686 		case AF_INET:
4687 			addr4 = (struct sockaddr_in *)address;
4688 			if (addrlen < sizeof(struct sockaddr_in))
4689 				return -EINVAL;
4690 			snum = ntohs(addr4->sin_port);
4691 			break;
4692 		case AF_INET6:
4693 			addr6 = (struct sockaddr_in6 *)address;
4694 			if (addrlen < SIN6_LEN_RFC2133)
4695 				return -EINVAL;
4696 			snum = ntohs(addr6->sin6_port);
4697 			break;
4698 		default:
4699 			/* Note that SCTP services expect -EINVAL, whereas
4700 			 * others expect -EAFNOSUPPORT.
4701 			 */
4702 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4703 				return -EINVAL;
4704 			else
4705 				return -EAFNOSUPPORT;
4706 		}
4707 
4708 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4709 		if (err)
4710 			return err;
4711 
4712 		switch (sksec->sclass) {
4713 		case SECCLASS_TCP_SOCKET:
4714 			perm = TCP_SOCKET__NAME_CONNECT;
4715 			break;
4716 		case SECCLASS_DCCP_SOCKET:
4717 			perm = DCCP_SOCKET__NAME_CONNECT;
4718 			break;
4719 		case SECCLASS_SCTP_SOCKET:
4720 			perm = SCTP_SOCKET__NAME_CONNECT;
4721 			break;
4722 		}
4723 
4724 		ad.type = LSM_AUDIT_DATA_NET;
4725 		ad.u.net = &net;
4726 		ad.u.net->dport = htons(snum);
4727 		ad.u.net->family = address->sa_family;
4728 		err = avc_has_perm(&selinux_state,
4729 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4730 		if (err)
4731 			return err;
4732 	}
4733 
4734 	return 0;
4735 }
4736 
4737 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4738 static int selinux_socket_connect(struct socket *sock,
4739 				  struct sockaddr *address, int addrlen)
4740 {
4741 	int err;
4742 	struct sock *sk = sock->sk;
4743 
4744 	err = selinux_socket_connect_helper(sock, address, addrlen);
4745 	if (err)
4746 		return err;
4747 
4748 	return selinux_netlbl_socket_connect(sk, address);
4749 }
4750 
4751 static int selinux_socket_listen(struct socket *sock, int backlog)
4752 {
4753 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4754 }
4755 
4756 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4757 {
4758 	int err;
4759 	struct inode_security_struct *isec;
4760 	struct inode_security_struct *newisec;
4761 	u16 sclass;
4762 	u32 sid;
4763 
4764 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4765 	if (err)
4766 		return err;
4767 
4768 	isec = inode_security_novalidate(SOCK_INODE(sock));
4769 	spin_lock(&isec->lock);
4770 	sclass = isec->sclass;
4771 	sid = isec->sid;
4772 	spin_unlock(&isec->lock);
4773 
4774 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4775 	newisec->sclass = sclass;
4776 	newisec->sid = sid;
4777 	newisec->initialized = LABEL_INITIALIZED;
4778 
4779 	return 0;
4780 }
4781 
4782 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4783 				  int size)
4784 {
4785 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4786 }
4787 
4788 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4789 				  int size, int flags)
4790 {
4791 	return sock_has_perm(sock->sk, SOCKET__READ);
4792 }
4793 
4794 static int selinux_socket_getsockname(struct socket *sock)
4795 {
4796 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4797 }
4798 
4799 static int selinux_socket_getpeername(struct socket *sock)
4800 {
4801 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4802 }
4803 
4804 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4805 {
4806 	int err;
4807 
4808 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4809 	if (err)
4810 		return err;
4811 
4812 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4813 }
4814 
4815 static int selinux_socket_getsockopt(struct socket *sock, int level,
4816 				     int optname)
4817 {
4818 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4819 }
4820 
4821 static int selinux_socket_shutdown(struct socket *sock, int how)
4822 {
4823 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4824 }
4825 
4826 static int selinux_socket_unix_stream_connect(struct sock *sock,
4827 					      struct sock *other,
4828 					      struct sock *newsk)
4829 {
4830 	struct sk_security_struct *sksec_sock = sock->sk_security;
4831 	struct sk_security_struct *sksec_other = other->sk_security;
4832 	struct sk_security_struct *sksec_new = newsk->sk_security;
4833 	struct common_audit_data ad;
4834 	struct lsm_network_audit net = {0,};
4835 	int err;
4836 
4837 	ad.type = LSM_AUDIT_DATA_NET;
4838 	ad.u.net = &net;
4839 	ad.u.net->sk = other;
4840 
4841 	err = avc_has_perm(&selinux_state,
4842 			   sksec_sock->sid, sksec_other->sid,
4843 			   sksec_other->sclass,
4844 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4845 	if (err)
4846 		return err;
4847 
4848 	/* server child socket */
4849 	sksec_new->peer_sid = sksec_sock->sid;
4850 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4851 				    sksec_sock->sid, &sksec_new->sid);
4852 	if (err)
4853 		return err;
4854 
4855 	/* connecting socket */
4856 	sksec_sock->peer_sid = sksec_new->sid;
4857 
4858 	return 0;
4859 }
4860 
4861 static int selinux_socket_unix_may_send(struct socket *sock,
4862 					struct socket *other)
4863 {
4864 	struct sk_security_struct *ssec = sock->sk->sk_security;
4865 	struct sk_security_struct *osec = other->sk->sk_security;
4866 	struct common_audit_data ad;
4867 	struct lsm_network_audit net = {0,};
4868 
4869 	ad.type = LSM_AUDIT_DATA_NET;
4870 	ad.u.net = &net;
4871 	ad.u.net->sk = other->sk;
4872 
4873 	return avc_has_perm(&selinux_state,
4874 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4875 			    &ad);
4876 }
4877 
4878 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4879 				    char *addrp, u16 family, u32 peer_sid,
4880 				    struct common_audit_data *ad)
4881 {
4882 	int err;
4883 	u32 if_sid;
4884 	u32 node_sid;
4885 
4886 	err = sel_netif_sid(ns, ifindex, &if_sid);
4887 	if (err)
4888 		return err;
4889 	err = avc_has_perm(&selinux_state,
4890 			   peer_sid, if_sid,
4891 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4892 	if (err)
4893 		return err;
4894 
4895 	err = sel_netnode_sid(addrp, family, &node_sid);
4896 	if (err)
4897 		return err;
4898 	return avc_has_perm(&selinux_state,
4899 			    peer_sid, node_sid,
4900 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4901 }
4902 
4903 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4904 				       u16 family)
4905 {
4906 	int err = 0;
4907 	struct sk_security_struct *sksec = sk->sk_security;
4908 	u32 sk_sid = sksec->sid;
4909 	struct common_audit_data ad;
4910 	struct lsm_network_audit net = {0,};
4911 	char *addrp;
4912 
4913 	ad.type = LSM_AUDIT_DATA_NET;
4914 	ad.u.net = &net;
4915 	ad.u.net->netif = skb->skb_iif;
4916 	ad.u.net->family = family;
4917 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4918 	if (err)
4919 		return err;
4920 
4921 	if (selinux_secmark_enabled()) {
4922 		err = avc_has_perm(&selinux_state,
4923 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4924 				   PACKET__RECV, &ad);
4925 		if (err)
4926 			return err;
4927 	}
4928 
4929 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4930 	if (err)
4931 		return err;
4932 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4933 
4934 	return err;
4935 }
4936 
4937 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4938 {
4939 	int err;
4940 	struct sk_security_struct *sksec = sk->sk_security;
4941 	u16 family = sk->sk_family;
4942 	u32 sk_sid = sksec->sid;
4943 	struct common_audit_data ad;
4944 	struct lsm_network_audit net = {0,};
4945 	char *addrp;
4946 	u8 secmark_active;
4947 	u8 peerlbl_active;
4948 
4949 	if (family != PF_INET && family != PF_INET6)
4950 		return 0;
4951 
4952 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4953 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4954 		family = PF_INET;
4955 
4956 	/* If any sort of compatibility mode is enabled then handoff processing
4957 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4958 	 * special handling.  We do this in an attempt to keep this function
4959 	 * as fast and as clean as possible. */
4960 	if (!selinux_policycap_netpeer())
4961 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4962 
4963 	secmark_active = selinux_secmark_enabled();
4964 	peerlbl_active = selinux_peerlbl_enabled();
4965 	if (!secmark_active && !peerlbl_active)
4966 		return 0;
4967 
4968 	ad.type = LSM_AUDIT_DATA_NET;
4969 	ad.u.net = &net;
4970 	ad.u.net->netif = skb->skb_iif;
4971 	ad.u.net->family = family;
4972 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4973 	if (err)
4974 		return err;
4975 
4976 	if (peerlbl_active) {
4977 		u32 peer_sid;
4978 
4979 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4980 		if (err)
4981 			return err;
4982 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4983 					       addrp, family, peer_sid, &ad);
4984 		if (err) {
4985 			selinux_netlbl_err(skb, family, err, 0);
4986 			return err;
4987 		}
4988 		err = avc_has_perm(&selinux_state,
4989 				   sk_sid, peer_sid, SECCLASS_PEER,
4990 				   PEER__RECV, &ad);
4991 		if (err) {
4992 			selinux_netlbl_err(skb, family, err, 0);
4993 			return err;
4994 		}
4995 	}
4996 
4997 	if (secmark_active) {
4998 		err = avc_has_perm(&selinux_state,
4999 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5000 				   PACKET__RECV, &ad);
5001 		if (err)
5002 			return err;
5003 	}
5004 
5005 	return err;
5006 }
5007 
5008 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5009 					    int __user *optlen, unsigned len)
5010 {
5011 	int err = 0;
5012 	char *scontext;
5013 	u32 scontext_len;
5014 	struct sk_security_struct *sksec = sock->sk->sk_security;
5015 	u32 peer_sid = SECSID_NULL;
5016 
5017 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5018 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5019 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5020 		peer_sid = sksec->peer_sid;
5021 	if (peer_sid == SECSID_NULL)
5022 		return -ENOPROTOOPT;
5023 
5024 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5025 				      &scontext_len);
5026 	if (err)
5027 		return err;
5028 
5029 	if (scontext_len > len) {
5030 		err = -ERANGE;
5031 		goto out_len;
5032 	}
5033 
5034 	if (copy_to_user(optval, scontext, scontext_len))
5035 		err = -EFAULT;
5036 
5037 out_len:
5038 	if (put_user(scontext_len, optlen))
5039 		err = -EFAULT;
5040 	kfree(scontext);
5041 	return err;
5042 }
5043 
5044 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5045 {
5046 	u32 peer_secid = SECSID_NULL;
5047 	u16 family;
5048 	struct inode_security_struct *isec;
5049 
5050 	if (skb && skb->protocol == htons(ETH_P_IP))
5051 		family = PF_INET;
5052 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5053 		family = PF_INET6;
5054 	else if (sock)
5055 		family = sock->sk->sk_family;
5056 	else
5057 		goto out;
5058 
5059 	if (sock && family == PF_UNIX) {
5060 		isec = inode_security_novalidate(SOCK_INODE(sock));
5061 		peer_secid = isec->sid;
5062 	} else if (skb)
5063 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5064 
5065 out:
5066 	*secid = peer_secid;
5067 	if (peer_secid == SECSID_NULL)
5068 		return -EINVAL;
5069 	return 0;
5070 }
5071 
5072 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5073 {
5074 	struct sk_security_struct *sksec;
5075 
5076 	sksec = kzalloc(sizeof(*sksec), priority);
5077 	if (!sksec)
5078 		return -ENOMEM;
5079 
5080 	sksec->peer_sid = SECINITSID_UNLABELED;
5081 	sksec->sid = SECINITSID_UNLABELED;
5082 	sksec->sclass = SECCLASS_SOCKET;
5083 	selinux_netlbl_sk_security_reset(sksec);
5084 	sk->sk_security = sksec;
5085 
5086 	return 0;
5087 }
5088 
5089 static void selinux_sk_free_security(struct sock *sk)
5090 {
5091 	struct sk_security_struct *sksec = sk->sk_security;
5092 
5093 	sk->sk_security = NULL;
5094 	selinux_netlbl_sk_security_free(sksec);
5095 	kfree(sksec);
5096 }
5097 
5098 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5099 {
5100 	struct sk_security_struct *sksec = sk->sk_security;
5101 	struct sk_security_struct *newsksec = newsk->sk_security;
5102 
5103 	newsksec->sid = sksec->sid;
5104 	newsksec->peer_sid = sksec->peer_sid;
5105 	newsksec->sclass = sksec->sclass;
5106 
5107 	selinux_netlbl_sk_security_reset(newsksec);
5108 }
5109 
5110 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5111 {
5112 	if (!sk)
5113 		*secid = SECINITSID_ANY_SOCKET;
5114 	else {
5115 		struct sk_security_struct *sksec = sk->sk_security;
5116 
5117 		*secid = sksec->sid;
5118 	}
5119 }
5120 
5121 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5122 {
5123 	struct inode_security_struct *isec =
5124 		inode_security_novalidate(SOCK_INODE(parent));
5125 	struct sk_security_struct *sksec = sk->sk_security;
5126 
5127 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5128 	    sk->sk_family == PF_UNIX)
5129 		isec->sid = sksec->sid;
5130 	sksec->sclass = isec->sclass;
5131 }
5132 
5133 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5134  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5135  * already present).
5136  */
5137 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5138 				      struct sk_buff *skb)
5139 {
5140 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5141 	struct common_audit_data ad;
5142 	struct lsm_network_audit net = {0,};
5143 	u8 peerlbl_active;
5144 	u32 peer_sid = SECINITSID_UNLABELED;
5145 	u32 conn_sid;
5146 	int err = 0;
5147 
5148 	if (!selinux_policycap_extsockclass())
5149 		return 0;
5150 
5151 	peerlbl_active = selinux_peerlbl_enabled();
5152 
5153 	if (peerlbl_active) {
5154 		/* This will return peer_sid = SECSID_NULL if there are
5155 		 * no peer labels, see security_net_peersid_resolve().
5156 		 */
5157 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5158 					      &peer_sid);
5159 		if (err)
5160 			return err;
5161 
5162 		if (peer_sid == SECSID_NULL)
5163 			peer_sid = SECINITSID_UNLABELED;
5164 	}
5165 
5166 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5167 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5168 
5169 		/* Here as first association on socket. As the peer SID
5170 		 * was allowed by peer recv (and the netif/node checks),
5171 		 * then it is approved by policy and used as the primary
5172 		 * peer SID for getpeercon(3).
5173 		 */
5174 		sksec->peer_sid = peer_sid;
5175 	} else if  (sksec->peer_sid != peer_sid) {
5176 		/* Other association peer SIDs are checked to enforce
5177 		 * consistency among the peer SIDs.
5178 		 */
5179 		ad.type = LSM_AUDIT_DATA_NET;
5180 		ad.u.net = &net;
5181 		ad.u.net->sk = ep->base.sk;
5182 		err = avc_has_perm(&selinux_state,
5183 				   sksec->peer_sid, peer_sid, sksec->sclass,
5184 				   SCTP_SOCKET__ASSOCIATION, &ad);
5185 		if (err)
5186 			return err;
5187 	}
5188 
5189 	/* Compute the MLS component for the connection and store
5190 	 * the information in ep. This will be used by SCTP TCP type
5191 	 * sockets and peeled off connections as they cause a new
5192 	 * socket to be generated. selinux_sctp_sk_clone() will then
5193 	 * plug this into the new socket.
5194 	 */
5195 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5196 	if (err)
5197 		return err;
5198 
5199 	ep->secid = conn_sid;
5200 	ep->peer_secid = peer_sid;
5201 
5202 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5203 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5204 }
5205 
5206 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5207  * based on their @optname.
5208  */
5209 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5210 				     struct sockaddr *address,
5211 				     int addrlen)
5212 {
5213 	int len, err = 0, walk_size = 0;
5214 	void *addr_buf;
5215 	struct sockaddr *addr;
5216 	struct socket *sock;
5217 
5218 	if (!selinux_policycap_extsockclass())
5219 		return 0;
5220 
5221 	/* Process one or more addresses that may be IPv4 or IPv6 */
5222 	sock = sk->sk_socket;
5223 	addr_buf = address;
5224 
5225 	while (walk_size < addrlen) {
5226 		if (walk_size + sizeof(sa_family_t) > addrlen)
5227 			return -EINVAL;
5228 
5229 		addr = addr_buf;
5230 		switch (addr->sa_family) {
5231 		case AF_UNSPEC:
5232 		case AF_INET:
5233 			len = sizeof(struct sockaddr_in);
5234 			break;
5235 		case AF_INET6:
5236 			len = sizeof(struct sockaddr_in6);
5237 			break;
5238 		default:
5239 			return -EINVAL;
5240 		}
5241 
5242 		if (walk_size + len > addrlen)
5243 			return -EINVAL;
5244 
5245 		err = -EINVAL;
5246 		switch (optname) {
5247 		/* Bind checks */
5248 		case SCTP_PRIMARY_ADDR:
5249 		case SCTP_SET_PEER_PRIMARY_ADDR:
5250 		case SCTP_SOCKOPT_BINDX_ADD:
5251 			err = selinux_socket_bind(sock, addr, len);
5252 			break;
5253 		/* Connect checks */
5254 		case SCTP_SOCKOPT_CONNECTX:
5255 		case SCTP_PARAM_SET_PRIMARY:
5256 		case SCTP_PARAM_ADD_IP:
5257 		case SCTP_SENDMSG_CONNECT:
5258 			err = selinux_socket_connect_helper(sock, addr, len);
5259 			if (err)
5260 				return err;
5261 
5262 			/* As selinux_sctp_bind_connect() is called by the
5263 			 * SCTP protocol layer, the socket is already locked,
5264 			 * therefore selinux_netlbl_socket_connect_locked() is
5265 			 * is called here. The situations handled are:
5266 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5267 			 * whenever a new IP address is added or when a new
5268 			 * primary address is selected.
5269 			 * Note that an SCTP connect(2) call happens before
5270 			 * the SCTP protocol layer and is handled via
5271 			 * selinux_socket_connect().
5272 			 */
5273 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5274 			break;
5275 		}
5276 
5277 		if (err)
5278 			return err;
5279 
5280 		addr_buf += len;
5281 		walk_size += len;
5282 	}
5283 
5284 	return 0;
5285 }
5286 
5287 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5288 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5289 				  struct sock *newsk)
5290 {
5291 	struct sk_security_struct *sksec = sk->sk_security;
5292 	struct sk_security_struct *newsksec = newsk->sk_security;
5293 
5294 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5295 	 * the non-sctp clone version.
5296 	 */
5297 	if (!selinux_policycap_extsockclass())
5298 		return selinux_sk_clone_security(sk, newsk);
5299 
5300 	newsksec->sid = ep->secid;
5301 	newsksec->peer_sid = ep->peer_secid;
5302 	newsksec->sclass = sksec->sclass;
5303 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5304 }
5305 
5306 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5307 				     struct request_sock *req)
5308 {
5309 	struct sk_security_struct *sksec = sk->sk_security;
5310 	int err;
5311 	u16 family = req->rsk_ops->family;
5312 	u32 connsid;
5313 	u32 peersid;
5314 
5315 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5316 	if (err)
5317 		return err;
5318 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5319 	if (err)
5320 		return err;
5321 	req->secid = connsid;
5322 	req->peer_secid = peersid;
5323 
5324 	return selinux_netlbl_inet_conn_request(req, family);
5325 }
5326 
5327 static void selinux_inet_csk_clone(struct sock *newsk,
5328 				   const struct request_sock *req)
5329 {
5330 	struct sk_security_struct *newsksec = newsk->sk_security;
5331 
5332 	newsksec->sid = req->secid;
5333 	newsksec->peer_sid = req->peer_secid;
5334 	/* NOTE: Ideally, we should also get the isec->sid for the
5335 	   new socket in sync, but we don't have the isec available yet.
5336 	   So we will wait until sock_graft to do it, by which
5337 	   time it will have been created and available. */
5338 
5339 	/* We don't need to take any sort of lock here as we are the only
5340 	 * thread with access to newsksec */
5341 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5342 }
5343 
5344 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5345 {
5346 	u16 family = sk->sk_family;
5347 	struct sk_security_struct *sksec = sk->sk_security;
5348 
5349 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5350 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5351 		family = PF_INET;
5352 
5353 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5354 }
5355 
5356 static int selinux_secmark_relabel_packet(u32 sid)
5357 {
5358 	const struct task_security_struct *__tsec;
5359 	u32 tsid;
5360 
5361 	__tsec = selinux_cred(current_cred());
5362 	tsid = __tsec->sid;
5363 
5364 	return avc_has_perm(&selinux_state,
5365 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5366 			    NULL);
5367 }
5368 
5369 static void selinux_secmark_refcount_inc(void)
5370 {
5371 	atomic_inc(&selinux_secmark_refcount);
5372 }
5373 
5374 static void selinux_secmark_refcount_dec(void)
5375 {
5376 	atomic_dec(&selinux_secmark_refcount);
5377 }
5378 
5379 static void selinux_req_classify_flow(const struct request_sock *req,
5380 				      struct flowi *fl)
5381 {
5382 	fl->flowi_secid = req->secid;
5383 }
5384 
5385 static int selinux_tun_dev_alloc_security(void **security)
5386 {
5387 	struct tun_security_struct *tunsec;
5388 
5389 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5390 	if (!tunsec)
5391 		return -ENOMEM;
5392 	tunsec->sid = current_sid();
5393 
5394 	*security = tunsec;
5395 	return 0;
5396 }
5397 
5398 static void selinux_tun_dev_free_security(void *security)
5399 {
5400 	kfree(security);
5401 }
5402 
5403 static int selinux_tun_dev_create(void)
5404 {
5405 	u32 sid = current_sid();
5406 
5407 	/* we aren't taking into account the "sockcreate" SID since the socket
5408 	 * that is being created here is not a socket in the traditional sense,
5409 	 * instead it is a private sock, accessible only to the kernel, and
5410 	 * representing a wide range of network traffic spanning multiple
5411 	 * connections unlike traditional sockets - check the TUN driver to
5412 	 * get a better understanding of why this socket is special */
5413 
5414 	return avc_has_perm(&selinux_state,
5415 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5416 			    NULL);
5417 }
5418 
5419 static int selinux_tun_dev_attach_queue(void *security)
5420 {
5421 	struct tun_security_struct *tunsec = security;
5422 
5423 	return avc_has_perm(&selinux_state,
5424 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5425 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5426 }
5427 
5428 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5429 {
5430 	struct tun_security_struct *tunsec = security;
5431 	struct sk_security_struct *sksec = sk->sk_security;
5432 
5433 	/* we don't currently perform any NetLabel based labeling here and it
5434 	 * isn't clear that we would want to do so anyway; while we could apply
5435 	 * labeling without the support of the TUN user the resulting labeled
5436 	 * traffic from the other end of the connection would almost certainly
5437 	 * cause confusion to the TUN user that had no idea network labeling
5438 	 * protocols were being used */
5439 
5440 	sksec->sid = tunsec->sid;
5441 	sksec->sclass = SECCLASS_TUN_SOCKET;
5442 
5443 	return 0;
5444 }
5445 
5446 static int selinux_tun_dev_open(void *security)
5447 {
5448 	struct tun_security_struct *tunsec = security;
5449 	u32 sid = current_sid();
5450 	int err;
5451 
5452 	err = avc_has_perm(&selinux_state,
5453 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5454 			   TUN_SOCKET__RELABELFROM, NULL);
5455 	if (err)
5456 		return err;
5457 	err = avc_has_perm(&selinux_state,
5458 			   sid, sid, SECCLASS_TUN_SOCKET,
5459 			   TUN_SOCKET__RELABELTO, NULL);
5460 	if (err)
5461 		return err;
5462 	tunsec->sid = sid;
5463 
5464 	return 0;
5465 }
5466 
5467 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5468 {
5469 	int err = 0;
5470 	u32 perm;
5471 	struct nlmsghdr *nlh;
5472 	struct sk_security_struct *sksec = sk->sk_security;
5473 
5474 	if (skb->len < NLMSG_HDRLEN) {
5475 		err = -EINVAL;
5476 		goto out;
5477 	}
5478 	nlh = nlmsg_hdr(skb);
5479 
5480 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5481 	if (err) {
5482 		if (err == -EINVAL) {
5483 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5484 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5485 			       " pig=%d comm=%s\n",
5486 			       sk->sk_protocol, nlh->nlmsg_type,
5487 			       secclass_map[sksec->sclass - 1].name,
5488 			       task_pid_nr(current), current->comm);
5489 			if (!enforcing_enabled(&selinux_state) ||
5490 			    security_get_allow_unknown(&selinux_state))
5491 				err = 0;
5492 		}
5493 
5494 		/* Ignore */
5495 		if (err == -ENOENT)
5496 			err = 0;
5497 		goto out;
5498 	}
5499 
5500 	err = sock_has_perm(sk, perm);
5501 out:
5502 	return err;
5503 }
5504 
5505 #ifdef CONFIG_NETFILTER
5506 
5507 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5508 				       const struct net_device *indev,
5509 				       u16 family)
5510 {
5511 	int err;
5512 	char *addrp;
5513 	u32 peer_sid;
5514 	struct common_audit_data ad;
5515 	struct lsm_network_audit net = {0,};
5516 	u8 secmark_active;
5517 	u8 netlbl_active;
5518 	u8 peerlbl_active;
5519 
5520 	if (!selinux_policycap_netpeer())
5521 		return NF_ACCEPT;
5522 
5523 	secmark_active = selinux_secmark_enabled();
5524 	netlbl_active = netlbl_enabled();
5525 	peerlbl_active = selinux_peerlbl_enabled();
5526 	if (!secmark_active && !peerlbl_active)
5527 		return NF_ACCEPT;
5528 
5529 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5530 		return NF_DROP;
5531 
5532 	ad.type = LSM_AUDIT_DATA_NET;
5533 	ad.u.net = &net;
5534 	ad.u.net->netif = indev->ifindex;
5535 	ad.u.net->family = family;
5536 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5537 		return NF_DROP;
5538 
5539 	if (peerlbl_active) {
5540 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5541 					       addrp, family, peer_sid, &ad);
5542 		if (err) {
5543 			selinux_netlbl_err(skb, family, err, 1);
5544 			return NF_DROP;
5545 		}
5546 	}
5547 
5548 	if (secmark_active)
5549 		if (avc_has_perm(&selinux_state,
5550 				 peer_sid, skb->secmark,
5551 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5552 			return NF_DROP;
5553 
5554 	if (netlbl_active)
5555 		/* we do this in the FORWARD path and not the POST_ROUTING
5556 		 * path because we want to make sure we apply the necessary
5557 		 * labeling before IPsec is applied so we can leverage AH
5558 		 * protection */
5559 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5560 			return NF_DROP;
5561 
5562 	return NF_ACCEPT;
5563 }
5564 
5565 static unsigned int selinux_ipv4_forward(void *priv,
5566 					 struct sk_buff *skb,
5567 					 const struct nf_hook_state *state)
5568 {
5569 	return selinux_ip_forward(skb, state->in, PF_INET);
5570 }
5571 
5572 #if IS_ENABLED(CONFIG_IPV6)
5573 static unsigned int selinux_ipv6_forward(void *priv,
5574 					 struct sk_buff *skb,
5575 					 const struct nf_hook_state *state)
5576 {
5577 	return selinux_ip_forward(skb, state->in, PF_INET6);
5578 }
5579 #endif	/* IPV6 */
5580 
5581 static unsigned int selinux_ip_output(struct sk_buff *skb,
5582 				      u16 family)
5583 {
5584 	struct sock *sk;
5585 	u32 sid;
5586 
5587 	if (!netlbl_enabled())
5588 		return NF_ACCEPT;
5589 
5590 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5591 	 * because we want to make sure we apply the necessary labeling
5592 	 * before IPsec is applied so we can leverage AH protection */
5593 	sk = skb->sk;
5594 	if (sk) {
5595 		struct sk_security_struct *sksec;
5596 
5597 		if (sk_listener(sk))
5598 			/* if the socket is the listening state then this
5599 			 * packet is a SYN-ACK packet which means it needs to
5600 			 * be labeled based on the connection/request_sock and
5601 			 * not the parent socket.  unfortunately, we can't
5602 			 * lookup the request_sock yet as it isn't queued on
5603 			 * the parent socket until after the SYN-ACK is sent.
5604 			 * the "solution" is to simply pass the packet as-is
5605 			 * as any IP option based labeling should be copied
5606 			 * from the initial connection request (in the IP
5607 			 * layer).  it is far from ideal, but until we get a
5608 			 * security label in the packet itself this is the
5609 			 * best we can do. */
5610 			return NF_ACCEPT;
5611 
5612 		/* standard practice, label using the parent socket */
5613 		sksec = sk->sk_security;
5614 		sid = sksec->sid;
5615 	} else
5616 		sid = SECINITSID_KERNEL;
5617 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5618 		return NF_DROP;
5619 
5620 	return NF_ACCEPT;
5621 }
5622 
5623 static unsigned int selinux_ipv4_output(void *priv,
5624 					struct sk_buff *skb,
5625 					const struct nf_hook_state *state)
5626 {
5627 	return selinux_ip_output(skb, PF_INET);
5628 }
5629 
5630 #if IS_ENABLED(CONFIG_IPV6)
5631 static unsigned int selinux_ipv6_output(void *priv,
5632 					struct sk_buff *skb,
5633 					const struct nf_hook_state *state)
5634 {
5635 	return selinux_ip_output(skb, PF_INET6);
5636 }
5637 #endif	/* IPV6 */
5638 
5639 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5640 						int ifindex,
5641 						u16 family)
5642 {
5643 	struct sock *sk = skb_to_full_sk(skb);
5644 	struct sk_security_struct *sksec;
5645 	struct common_audit_data ad;
5646 	struct lsm_network_audit net = {0,};
5647 	char *addrp;
5648 	u8 proto;
5649 
5650 	if (sk == NULL)
5651 		return NF_ACCEPT;
5652 	sksec = sk->sk_security;
5653 
5654 	ad.type = LSM_AUDIT_DATA_NET;
5655 	ad.u.net = &net;
5656 	ad.u.net->netif = ifindex;
5657 	ad.u.net->family = family;
5658 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5659 		return NF_DROP;
5660 
5661 	if (selinux_secmark_enabled())
5662 		if (avc_has_perm(&selinux_state,
5663 				 sksec->sid, skb->secmark,
5664 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5665 			return NF_DROP_ERR(-ECONNREFUSED);
5666 
5667 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5668 		return NF_DROP_ERR(-ECONNREFUSED);
5669 
5670 	return NF_ACCEPT;
5671 }
5672 
5673 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5674 					 const struct net_device *outdev,
5675 					 u16 family)
5676 {
5677 	u32 secmark_perm;
5678 	u32 peer_sid;
5679 	int ifindex = outdev->ifindex;
5680 	struct sock *sk;
5681 	struct common_audit_data ad;
5682 	struct lsm_network_audit net = {0,};
5683 	char *addrp;
5684 	u8 secmark_active;
5685 	u8 peerlbl_active;
5686 
5687 	/* If any sort of compatibility mode is enabled then handoff processing
5688 	 * to the selinux_ip_postroute_compat() function to deal with the
5689 	 * special handling.  We do this in an attempt to keep this function
5690 	 * as fast and as clean as possible. */
5691 	if (!selinux_policycap_netpeer())
5692 		return selinux_ip_postroute_compat(skb, ifindex, family);
5693 
5694 	secmark_active = selinux_secmark_enabled();
5695 	peerlbl_active = selinux_peerlbl_enabled();
5696 	if (!secmark_active && !peerlbl_active)
5697 		return NF_ACCEPT;
5698 
5699 	sk = skb_to_full_sk(skb);
5700 
5701 #ifdef CONFIG_XFRM
5702 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5703 	 * packet transformation so allow the packet to pass without any checks
5704 	 * since we'll have another chance to perform access control checks
5705 	 * when the packet is on it's final way out.
5706 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5707 	 *       is NULL, in this case go ahead and apply access control.
5708 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5709 	 *       TCP listening state we cannot wait until the XFRM processing
5710 	 *       is done as we will miss out on the SA label if we do;
5711 	 *       unfortunately, this means more work, but it is only once per
5712 	 *       connection. */
5713 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5714 	    !(sk && sk_listener(sk)))
5715 		return NF_ACCEPT;
5716 #endif
5717 
5718 	if (sk == NULL) {
5719 		/* Without an associated socket the packet is either coming
5720 		 * from the kernel or it is being forwarded; check the packet
5721 		 * to determine which and if the packet is being forwarded
5722 		 * query the packet directly to determine the security label. */
5723 		if (skb->skb_iif) {
5724 			secmark_perm = PACKET__FORWARD_OUT;
5725 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5726 				return NF_DROP;
5727 		} else {
5728 			secmark_perm = PACKET__SEND;
5729 			peer_sid = SECINITSID_KERNEL;
5730 		}
5731 	} else if (sk_listener(sk)) {
5732 		/* Locally generated packet but the associated socket is in the
5733 		 * listening state which means this is a SYN-ACK packet.  In
5734 		 * this particular case the correct security label is assigned
5735 		 * to the connection/request_sock but unfortunately we can't
5736 		 * query the request_sock as it isn't queued on the parent
5737 		 * socket until after the SYN-ACK packet is sent; the only
5738 		 * viable choice is to regenerate the label like we do in
5739 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5740 		 * for similar problems. */
5741 		u32 skb_sid;
5742 		struct sk_security_struct *sksec;
5743 
5744 		sksec = sk->sk_security;
5745 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5746 			return NF_DROP;
5747 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5748 		 * and the packet has been through at least one XFRM
5749 		 * transformation then we must be dealing with the "final"
5750 		 * form of labeled IPsec packet; since we've already applied
5751 		 * all of our access controls on this packet we can safely
5752 		 * pass the packet. */
5753 		if (skb_sid == SECSID_NULL) {
5754 			switch (family) {
5755 			case PF_INET:
5756 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5757 					return NF_ACCEPT;
5758 				break;
5759 			case PF_INET6:
5760 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5761 					return NF_ACCEPT;
5762 				break;
5763 			default:
5764 				return NF_DROP_ERR(-ECONNREFUSED);
5765 			}
5766 		}
5767 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5768 			return NF_DROP;
5769 		secmark_perm = PACKET__SEND;
5770 	} else {
5771 		/* Locally generated packet, fetch the security label from the
5772 		 * associated socket. */
5773 		struct sk_security_struct *sksec = sk->sk_security;
5774 		peer_sid = sksec->sid;
5775 		secmark_perm = PACKET__SEND;
5776 	}
5777 
5778 	ad.type = LSM_AUDIT_DATA_NET;
5779 	ad.u.net = &net;
5780 	ad.u.net->netif = ifindex;
5781 	ad.u.net->family = family;
5782 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5783 		return NF_DROP;
5784 
5785 	if (secmark_active)
5786 		if (avc_has_perm(&selinux_state,
5787 				 peer_sid, skb->secmark,
5788 				 SECCLASS_PACKET, secmark_perm, &ad))
5789 			return NF_DROP_ERR(-ECONNREFUSED);
5790 
5791 	if (peerlbl_active) {
5792 		u32 if_sid;
5793 		u32 node_sid;
5794 
5795 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5796 			return NF_DROP;
5797 		if (avc_has_perm(&selinux_state,
5798 				 peer_sid, if_sid,
5799 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5800 			return NF_DROP_ERR(-ECONNREFUSED);
5801 
5802 		if (sel_netnode_sid(addrp, family, &node_sid))
5803 			return NF_DROP;
5804 		if (avc_has_perm(&selinux_state,
5805 				 peer_sid, node_sid,
5806 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5807 			return NF_DROP_ERR(-ECONNREFUSED);
5808 	}
5809 
5810 	return NF_ACCEPT;
5811 }
5812 
5813 static unsigned int selinux_ipv4_postroute(void *priv,
5814 					   struct sk_buff *skb,
5815 					   const struct nf_hook_state *state)
5816 {
5817 	return selinux_ip_postroute(skb, state->out, PF_INET);
5818 }
5819 
5820 #if IS_ENABLED(CONFIG_IPV6)
5821 static unsigned int selinux_ipv6_postroute(void *priv,
5822 					   struct sk_buff *skb,
5823 					   const struct nf_hook_state *state)
5824 {
5825 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5826 }
5827 #endif	/* IPV6 */
5828 
5829 #endif	/* CONFIG_NETFILTER */
5830 
5831 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5832 {
5833 	return selinux_nlmsg_perm(sk, skb);
5834 }
5835 
5836 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5837 {
5838 	isec->sclass = sclass;
5839 	isec->sid = current_sid();
5840 }
5841 
5842 static int msg_msg_alloc_security(struct msg_msg *msg)
5843 {
5844 	struct msg_security_struct *msec;
5845 
5846 	msec = selinux_msg_msg(msg);
5847 	msec->sid = SECINITSID_UNLABELED;
5848 
5849 	return 0;
5850 }
5851 
5852 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5853 			u32 perms)
5854 {
5855 	struct ipc_security_struct *isec;
5856 	struct common_audit_data ad;
5857 	u32 sid = current_sid();
5858 
5859 	isec = selinux_ipc(ipc_perms);
5860 
5861 	ad.type = LSM_AUDIT_DATA_IPC;
5862 	ad.u.ipc_id = ipc_perms->key;
5863 
5864 	return avc_has_perm(&selinux_state,
5865 			    sid, isec->sid, isec->sclass, perms, &ad);
5866 }
5867 
5868 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5869 {
5870 	return msg_msg_alloc_security(msg);
5871 }
5872 
5873 /* message queue security operations */
5874 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5875 {
5876 	struct ipc_security_struct *isec;
5877 	struct common_audit_data ad;
5878 	u32 sid = current_sid();
5879 	int rc;
5880 
5881 	isec = selinux_ipc(msq);
5882 	ipc_init_security(isec, SECCLASS_MSGQ);
5883 
5884 	ad.type = LSM_AUDIT_DATA_IPC;
5885 	ad.u.ipc_id = msq->key;
5886 
5887 	rc = avc_has_perm(&selinux_state,
5888 			  sid, isec->sid, SECCLASS_MSGQ,
5889 			  MSGQ__CREATE, &ad);
5890 	return rc;
5891 }
5892 
5893 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5894 {
5895 	struct ipc_security_struct *isec;
5896 	struct common_audit_data ad;
5897 	u32 sid = current_sid();
5898 
5899 	isec = selinux_ipc(msq);
5900 
5901 	ad.type = LSM_AUDIT_DATA_IPC;
5902 	ad.u.ipc_id = msq->key;
5903 
5904 	return avc_has_perm(&selinux_state,
5905 			    sid, isec->sid, SECCLASS_MSGQ,
5906 			    MSGQ__ASSOCIATE, &ad);
5907 }
5908 
5909 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5910 {
5911 	int err;
5912 	int perms;
5913 
5914 	switch (cmd) {
5915 	case IPC_INFO:
5916 	case MSG_INFO:
5917 		/* No specific object, just general system-wide information. */
5918 		return avc_has_perm(&selinux_state,
5919 				    current_sid(), SECINITSID_KERNEL,
5920 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5921 	case IPC_STAT:
5922 	case MSG_STAT:
5923 	case MSG_STAT_ANY:
5924 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5925 		break;
5926 	case IPC_SET:
5927 		perms = MSGQ__SETATTR;
5928 		break;
5929 	case IPC_RMID:
5930 		perms = MSGQ__DESTROY;
5931 		break;
5932 	default:
5933 		return 0;
5934 	}
5935 
5936 	err = ipc_has_perm(msq, perms);
5937 	return err;
5938 }
5939 
5940 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5941 {
5942 	struct ipc_security_struct *isec;
5943 	struct msg_security_struct *msec;
5944 	struct common_audit_data ad;
5945 	u32 sid = current_sid();
5946 	int rc;
5947 
5948 	isec = selinux_ipc(msq);
5949 	msec = selinux_msg_msg(msg);
5950 
5951 	/*
5952 	 * First time through, need to assign label to the message
5953 	 */
5954 	if (msec->sid == SECINITSID_UNLABELED) {
5955 		/*
5956 		 * Compute new sid based on current process and
5957 		 * message queue this message will be stored in
5958 		 */
5959 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
5960 					     SECCLASS_MSG, NULL, &msec->sid);
5961 		if (rc)
5962 			return rc;
5963 	}
5964 
5965 	ad.type = LSM_AUDIT_DATA_IPC;
5966 	ad.u.ipc_id = msq->key;
5967 
5968 	/* Can this process write to the queue? */
5969 	rc = avc_has_perm(&selinux_state,
5970 			  sid, isec->sid, SECCLASS_MSGQ,
5971 			  MSGQ__WRITE, &ad);
5972 	if (!rc)
5973 		/* Can this process send the message */
5974 		rc = avc_has_perm(&selinux_state,
5975 				  sid, msec->sid, SECCLASS_MSG,
5976 				  MSG__SEND, &ad);
5977 	if (!rc)
5978 		/* Can the message be put in the queue? */
5979 		rc = avc_has_perm(&selinux_state,
5980 				  msec->sid, isec->sid, SECCLASS_MSGQ,
5981 				  MSGQ__ENQUEUE, &ad);
5982 
5983 	return rc;
5984 }
5985 
5986 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
5987 				    struct task_struct *target,
5988 				    long type, int mode)
5989 {
5990 	struct ipc_security_struct *isec;
5991 	struct msg_security_struct *msec;
5992 	struct common_audit_data ad;
5993 	u32 sid = task_sid(target);
5994 	int rc;
5995 
5996 	isec = selinux_ipc(msq);
5997 	msec = selinux_msg_msg(msg);
5998 
5999 	ad.type = LSM_AUDIT_DATA_IPC;
6000 	ad.u.ipc_id = msq->key;
6001 
6002 	rc = avc_has_perm(&selinux_state,
6003 			  sid, isec->sid,
6004 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6005 	if (!rc)
6006 		rc = avc_has_perm(&selinux_state,
6007 				  sid, msec->sid,
6008 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6009 	return rc;
6010 }
6011 
6012 /* Shared Memory security operations */
6013 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6014 {
6015 	struct ipc_security_struct *isec;
6016 	struct common_audit_data ad;
6017 	u32 sid = current_sid();
6018 	int rc;
6019 
6020 	isec = selinux_ipc(shp);
6021 	ipc_init_security(isec, SECCLASS_SHM);
6022 
6023 	ad.type = LSM_AUDIT_DATA_IPC;
6024 	ad.u.ipc_id = shp->key;
6025 
6026 	rc = avc_has_perm(&selinux_state,
6027 			  sid, isec->sid, SECCLASS_SHM,
6028 			  SHM__CREATE, &ad);
6029 	return rc;
6030 }
6031 
6032 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6033 {
6034 	struct ipc_security_struct *isec;
6035 	struct common_audit_data ad;
6036 	u32 sid = current_sid();
6037 
6038 	isec = selinux_ipc(shp);
6039 
6040 	ad.type = LSM_AUDIT_DATA_IPC;
6041 	ad.u.ipc_id = shp->key;
6042 
6043 	return avc_has_perm(&selinux_state,
6044 			    sid, isec->sid, SECCLASS_SHM,
6045 			    SHM__ASSOCIATE, &ad);
6046 }
6047 
6048 /* Note, at this point, shp is locked down */
6049 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6050 {
6051 	int perms;
6052 	int err;
6053 
6054 	switch (cmd) {
6055 	case IPC_INFO:
6056 	case SHM_INFO:
6057 		/* No specific object, just general system-wide information. */
6058 		return avc_has_perm(&selinux_state,
6059 				    current_sid(), SECINITSID_KERNEL,
6060 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6061 	case IPC_STAT:
6062 	case SHM_STAT:
6063 	case SHM_STAT_ANY:
6064 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6065 		break;
6066 	case IPC_SET:
6067 		perms = SHM__SETATTR;
6068 		break;
6069 	case SHM_LOCK:
6070 	case SHM_UNLOCK:
6071 		perms = SHM__LOCK;
6072 		break;
6073 	case IPC_RMID:
6074 		perms = SHM__DESTROY;
6075 		break;
6076 	default:
6077 		return 0;
6078 	}
6079 
6080 	err = ipc_has_perm(shp, perms);
6081 	return err;
6082 }
6083 
6084 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6085 			     char __user *shmaddr, int shmflg)
6086 {
6087 	u32 perms;
6088 
6089 	if (shmflg & SHM_RDONLY)
6090 		perms = SHM__READ;
6091 	else
6092 		perms = SHM__READ | SHM__WRITE;
6093 
6094 	return ipc_has_perm(shp, perms);
6095 }
6096 
6097 /* Semaphore security operations */
6098 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6099 {
6100 	struct ipc_security_struct *isec;
6101 	struct common_audit_data ad;
6102 	u32 sid = current_sid();
6103 	int rc;
6104 
6105 	isec = selinux_ipc(sma);
6106 	ipc_init_security(isec, SECCLASS_SEM);
6107 
6108 	ad.type = LSM_AUDIT_DATA_IPC;
6109 	ad.u.ipc_id = sma->key;
6110 
6111 	rc = avc_has_perm(&selinux_state,
6112 			  sid, isec->sid, SECCLASS_SEM,
6113 			  SEM__CREATE, &ad);
6114 	return rc;
6115 }
6116 
6117 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6118 {
6119 	struct ipc_security_struct *isec;
6120 	struct common_audit_data ad;
6121 	u32 sid = current_sid();
6122 
6123 	isec = selinux_ipc(sma);
6124 
6125 	ad.type = LSM_AUDIT_DATA_IPC;
6126 	ad.u.ipc_id = sma->key;
6127 
6128 	return avc_has_perm(&selinux_state,
6129 			    sid, isec->sid, SECCLASS_SEM,
6130 			    SEM__ASSOCIATE, &ad);
6131 }
6132 
6133 /* Note, at this point, sma is locked down */
6134 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6135 {
6136 	int err;
6137 	u32 perms;
6138 
6139 	switch (cmd) {
6140 	case IPC_INFO:
6141 	case SEM_INFO:
6142 		/* No specific object, just general system-wide information. */
6143 		return avc_has_perm(&selinux_state,
6144 				    current_sid(), SECINITSID_KERNEL,
6145 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6146 	case GETPID:
6147 	case GETNCNT:
6148 	case GETZCNT:
6149 		perms = SEM__GETATTR;
6150 		break;
6151 	case GETVAL:
6152 	case GETALL:
6153 		perms = SEM__READ;
6154 		break;
6155 	case SETVAL:
6156 	case SETALL:
6157 		perms = SEM__WRITE;
6158 		break;
6159 	case IPC_RMID:
6160 		perms = SEM__DESTROY;
6161 		break;
6162 	case IPC_SET:
6163 		perms = SEM__SETATTR;
6164 		break;
6165 	case IPC_STAT:
6166 	case SEM_STAT:
6167 	case SEM_STAT_ANY:
6168 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6169 		break;
6170 	default:
6171 		return 0;
6172 	}
6173 
6174 	err = ipc_has_perm(sma, perms);
6175 	return err;
6176 }
6177 
6178 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6179 			     struct sembuf *sops, unsigned nsops, int alter)
6180 {
6181 	u32 perms;
6182 
6183 	if (alter)
6184 		perms = SEM__READ | SEM__WRITE;
6185 	else
6186 		perms = SEM__READ;
6187 
6188 	return ipc_has_perm(sma, perms);
6189 }
6190 
6191 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6192 {
6193 	u32 av = 0;
6194 
6195 	av = 0;
6196 	if (flag & S_IRUGO)
6197 		av |= IPC__UNIX_READ;
6198 	if (flag & S_IWUGO)
6199 		av |= IPC__UNIX_WRITE;
6200 
6201 	if (av == 0)
6202 		return 0;
6203 
6204 	return ipc_has_perm(ipcp, av);
6205 }
6206 
6207 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6208 {
6209 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6210 	*secid = isec->sid;
6211 }
6212 
6213 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6214 {
6215 	if (inode)
6216 		inode_doinit_with_dentry(inode, dentry);
6217 }
6218 
6219 static int selinux_getprocattr(struct task_struct *p,
6220 			       char *name, char **value)
6221 {
6222 	const struct task_security_struct *__tsec;
6223 	u32 sid;
6224 	int error;
6225 	unsigned len;
6226 
6227 	rcu_read_lock();
6228 	__tsec = selinux_cred(__task_cred(p));
6229 
6230 	if (current != p) {
6231 		error = avc_has_perm(&selinux_state,
6232 				     current_sid(), __tsec->sid,
6233 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6234 		if (error)
6235 			goto bad;
6236 	}
6237 
6238 	if (!strcmp(name, "current"))
6239 		sid = __tsec->sid;
6240 	else if (!strcmp(name, "prev"))
6241 		sid = __tsec->osid;
6242 	else if (!strcmp(name, "exec"))
6243 		sid = __tsec->exec_sid;
6244 	else if (!strcmp(name, "fscreate"))
6245 		sid = __tsec->create_sid;
6246 	else if (!strcmp(name, "keycreate"))
6247 		sid = __tsec->keycreate_sid;
6248 	else if (!strcmp(name, "sockcreate"))
6249 		sid = __tsec->sockcreate_sid;
6250 	else {
6251 		error = -EINVAL;
6252 		goto bad;
6253 	}
6254 	rcu_read_unlock();
6255 
6256 	if (!sid)
6257 		return 0;
6258 
6259 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6260 	if (error)
6261 		return error;
6262 	return len;
6263 
6264 bad:
6265 	rcu_read_unlock();
6266 	return error;
6267 }
6268 
6269 static int selinux_setprocattr(const char *name, void *value, size_t size)
6270 {
6271 	struct task_security_struct *tsec;
6272 	struct cred *new;
6273 	u32 mysid = current_sid(), sid = 0, ptsid;
6274 	int error;
6275 	char *str = value;
6276 
6277 	/*
6278 	 * Basic control over ability to set these attributes at all.
6279 	 */
6280 	if (!strcmp(name, "exec"))
6281 		error = avc_has_perm(&selinux_state,
6282 				     mysid, mysid, SECCLASS_PROCESS,
6283 				     PROCESS__SETEXEC, NULL);
6284 	else if (!strcmp(name, "fscreate"))
6285 		error = avc_has_perm(&selinux_state,
6286 				     mysid, mysid, SECCLASS_PROCESS,
6287 				     PROCESS__SETFSCREATE, NULL);
6288 	else if (!strcmp(name, "keycreate"))
6289 		error = avc_has_perm(&selinux_state,
6290 				     mysid, mysid, SECCLASS_PROCESS,
6291 				     PROCESS__SETKEYCREATE, NULL);
6292 	else if (!strcmp(name, "sockcreate"))
6293 		error = avc_has_perm(&selinux_state,
6294 				     mysid, mysid, SECCLASS_PROCESS,
6295 				     PROCESS__SETSOCKCREATE, NULL);
6296 	else if (!strcmp(name, "current"))
6297 		error = avc_has_perm(&selinux_state,
6298 				     mysid, mysid, SECCLASS_PROCESS,
6299 				     PROCESS__SETCURRENT, NULL);
6300 	else
6301 		error = -EINVAL;
6302 	if (error)
6303 		return error;
6304 
6305 	/* Obtain a SID for the context, if one was specified. */
6306 	if (size && str[0] && str[0] != '\n') {
6307 		if (str[size-1] == '\n') {
6308 			str[size-1] = 0;
6309 			size--;
6310 		}
6311 		error = security_context_to_sid(&selinux_state, value, size,
6312 						&sid, GFP_KERNEL);
6313 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6314 			if (!has_cap_mac_admin(true)) {
6315 				struct audit_buffer *ab;
6316 				size_t audit_size;
6317 
6318 				/* We strip a nul only if it is at the end, otherwise the
6319 				 * context contains a nul and we should audit that */
6320 				if (str[size - 1] == '\0')
6321 					audit_size = size - 1;
6322 				else
6323 					audit_size = size;
6324 				ab = audit_log_start(audit_context(),
6325 						     GFP_ATOMIC,
6326 						     AUDIT_SELINUX_ERR);
6327 				audit_log_format(ab, "op=fscreate invalid_context=");
6328 				audit_log_n_untrustedstring(ab, value, audit_size);
6329 				audit_log_end(ab);
6330 
6331 				return error;
6332 			}
6333 			error = security_context_to_sid_force(
6334 						      &selinux_state,
6335 						      value, size, &sid);
6336 		}
6337 		if (error)
6338 			return error;
6339 	}
6340 
6341 	new = prepare_creds();
6342 	if (!new)
6343 		return -ENOMEM;
6344 
6345 	/* Permission checking based on the specified context is
6346 	   performed during the actual operation (execve,
6347 	   open/mkdir/...), when we know the full context of the
6348 	   operation.  See selinux_bprm_set_creds for the execve
6349 	   checks and may_create for the file creation checks. The
6350 	   operation will then fail if the context is not permitted. */
6351 	tsec = selinux_cred(new);
6352 	if (!strcmp(name, "exec")) {
6353 		tsec->exec_sid = sid;
6354 	} else if (!strcmp(name, "fscreate")) {
6355 		tsec->create_sid = sid;
6356 	} else if (!strcmp(name, "keycreate")) {
6357 		error = avc_has_perm(&selinux_state,
6358 				     mysid, sid, SECCLASS_KEY, KEY__CREATE,
6359 				     NULL);
6360 		if (error)
6361 			goto abort_change;
6362 		tsec->keycreate_sid = sid;
6363 	} else if (!strcmp(name, "sockcreate")) {
6364 		tsec->sockcreate_sid = sid;
6365 	} else if (!strcmp(name, "current")) {
6366 		error = -EINVAL;
6367 		if (sid == 0)
6368 			goto abort_change;
6369 
6370 		/* Only allow single threaded processes to change context */
6371 		error = -EPERM;
6372 		if (!current_is_single_threaded()) {
6373 			error = security_bounded_transition(&selinux_state,
6374 							    tsec->sid, sid);
6375 			if (error)
6376 				goto abort_change;
6377 		}
6378 
6379 		/* Check permissions for the transition. */
6380 		error = avc_has_perm(&selinux_state,
6381 				     tsec->sid, sid, SECCLASS_PROCESS,
6382 				     PROCESS__DYNTRANSITION, NULL);
6383 		if (error)
6384 			goto abort_change;
6385 
6386 		/* Check for ptracing, and update the task SID if ok.
6387 		   Otherwise, leave SID unchanged and fail. */
6388 		ptsid = ptrace_parent_sid();
6389 		if (ptsid != 0) {
6390 			error = avc_has_perm(&selinux_state,
6391 					     ptsid, sid, SECCLASS_PROCESS,
6392 					     PROCESS__PTRACE, NULL);
6393 			if (error)
6394 				goto abort_change;
6395 		}
6396 
6397 		tsec->sid = sid;
6398 	} else {
6399 		error = -EINVAL;
6400 		goto abort_change;
6401 	}
6402 
6403 	commit_creds(new);
6404 	return size;
6405 
6406 abort_change:
6407 	abort_creds(new);
6408 	return error;
6409 }
6410 
6411 static int selinux_ismaclabel(const char *name)
6412 {
6413 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6414 }
6415 
6416 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6417 {
6418 	return security_sid_to_context(&selinux_state, secid,
6419 				       secdata, seclen);
6420 }
6421 
6422 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6423 {
6424 	return security_context_to_sid(&selinux_state, secdata, seclen,
6425 				       secid, GFP_KERNEL);
6426 }
6427 
6428 static void selinux_release_secctx(char *secdata, u32 seclen)
6429 {
6430 	kfree(secdata);
6431 }
6432 
6433 static void selinux_inode_invalidate_secctx(struct inode *inode)
6434 {
6435 	struct inode_security_struct *isec = selinux_inode(inode);
6436 
6437 	spin_lock(&isec->lock);
6438 	isec->initialized = LABEL_INVALID;
6439 	spin_unlock(&isec->lock);
6440 }
6441 
6442 /*
6443  *	called with inode->i_mutex locked
6444  */
6445 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6446 {
6447 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6448 					   ctx, ctxlen, 0);
6449 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6450 	return rc == -EOPNOTSUPP ? 0 : rc;
6451 }
6452 
6453 /*
6454  *	called with inode->i_mutex locked
6455  */
6456 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6457 {
6458 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6459 }
6460 
6461 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6462 {
6463 	int len = 0;
6464 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6465 						ctx, true);
6466 	if (len < 0)
6467 		return len;
6468 	*ctxlen = len;
6469 	return 0;
6470 }
6471 #ifdef CONFIG_KEYS
6472 
6473 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6474 			     unsigned long flags)
6475 {
6476 	const struct task_security_struct *tsec;
6477 	struct key_security_struct *ksec;
6478 
6479 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6480 	if (!ksec)
6481 		return -ENOMEM;
6482 
6483 	tsec = selinux_cred(cred);
6484 	if (tsec->keycreate_sid)
6485 		ksec->sid = tsec->keycreate_sid;
6486 	else
6487 		ksec->sid = tsec->sid;
6488 
6489 	k->security = ksec;
6490 	return 0;
6491 }
6492 
6493 static void selinux_key_free(struct key *k)
6494 {
6495 	struct key_security_struct *ksec = k->security;
6496 
6497 	k->security = NULL;
6498 	kfree(ksec);
6499 }
6500 
6501 static int selinux_key_permission(key_ref_t key_ref,
6502 				  const struct cred *cred,
6503 				  unsigned perm)
6504 {
6505 	struct key *key;
6506 	struct key_security_struct *ksec;
6507 	u32 sid;
6508 
6509 	/* if no specific permissions are requested, we skip the
6510 	   permission check. No serious, additional covert channels
6511 	   appear to be created. */
6512 	if (perm == 0)
6513 		return 0;
6514 
6515 	sid = cred_sid(cred);
6516 
6517 	key = key_ref_to_ptr(key_ref);
6518 	ksec = key->security;
6519 
6520 	return avc_has_perm(&selinux_state,
6521 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6522 }
6523 
6524 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6525 {
6526 	struct key_security_struct *ksec = key->security;
6527 	char *context = NULL;
6528 	unsigned len;
6529 	int rc;
6530 
6531 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6532 				     &context, &len);
6533 	if (!rc)
6534 		rc = len;
6535 	*_buffer = context;
6536 	return rc;
6537 }
6538 #endif
6539 
6540 #ifdef CONFIG_SECURITY_INFINIBAND
6541 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6542 {
6543 	struct common_audit_data ad;
6544 	int err;
6545 	u32 sid = 0;
6546 	struct ib_security_struct *sec = ib_sec;
6547 	struct lsm_ibpkey_audit ibpkey;
6548 
6549 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6550 	if (err)
6551 		return err;
6552 
6553 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6554 	ibpkey.subnet_prefix = subnet_prefix;
6555 	ibpkey.pkey = pkey_val;
6556 	ad.u.ibpkey = &ibpkey;
6557 	return avc_has_perm(&selinux_state,
6558 			    sec->sid, sid,
6559 			    SECCLASS_INFINIBAND_PKEY,
6560 			    INFINIBAND_PKEY__ACCESS, &ad);
6561 }
6562 
6563 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6564 					    u8 port_num)
6565 {
6566 	struct common_audit_data ad;
6567 	int err;
6568 	u32 sid = 0;
6569 	struct ib_security_struct *sec = ib_sec;
6570 	struct lsm_ibendport_audit ibendport;
6571 
6572 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6573 				      &sid);
6574 
6575 	if (err)
6576 		return err;
6577 
6578 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6579 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6580 	ibendport.port = port_num;
6581 	ad.u.ibendport = &ibendport;
6582 	return avc_has_perm(&selinux_state,
6583 			    sec->sid, sid,
6584 			    SECCLASS_INFINIBAND_ENDPORT,
6585 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6586 }
6587 
6588 static int selinux_ib_alloc_security(void **ib_sec)
6589 {
6590 	struct ib_security_struct *sec;
6591 
6592 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6593 	if (!sec)
6594 		return -ENOMEM;
6595 	sec->sid = current_sid();
6596 
6597 	*ib_sec = sec;
6598 	return 0;
6599 }
6600 
6601 static void selinux_ib_free_security(void *ib_sec)
6602 {
6603 	kfree(ib_sec);
6604 }
6605 #endif
6606 
6607 #ifdef CONFIG_BPF_SYSCALL
6608 static int selinux_bpf(int cmd, union bpf_attr *attr,
6609 				     unsigned int size)
6610 {
6611 	u32 sid = current_sid();
6612 	int ret;
6613 
6614 	switch (cmd) {
6615 	case BPF_MAP_CREATE:
6616 		ret = avc_has_perm(&selinux_state,
6617 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6618 				   NULL);
6619 		break;
6620 	case BPF_PROG_LOAD:
6621 		ret = avc_has_perm(&selinux_state,
6622 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6623 				   NULL);
6624 		break;
6625 	default:
6626 		ret = 0;
6627 		break;
6628 	}
6629 
6630 	return ret;
6631 }
6632 
6633 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6634 {
6635 	u32 av = 0;
6636 
6637 	if (fmode & FMODE_READ)
6638 		av |= BPF__MAP_READ;
6639 	if (fmode & FMODE_WRITE)
6640 		av |= BPF__MAP_WRITE;
6641 	return av;
6642 }
6643 
6644 /* This function will check the file pass through unix socket or binder to see
6645  * if it is a bpf related object. And apply correspinding checks on the bpf
6646  * object based on the type. The bpf maps and programs, not like other files and
6647  * socket, are using a shared anonymous inode inside the kernel as their inode.
6648  * So checking that inode cannot identify if the process have privilege to
6649  * access the bpf object and that's why we have to add this additional check in
6650  * selinux_file_receive and selinux_binder_transfer_files.
6651  */
6652 static int bpf_fd_pass(struct file *file, u32 sid)
6653 {
6654 	struct bpf_security_struct *bpfsec;
6655 	struct bpf_prog *prog;
6656 	struct bpf_map *map;
6657 	int ret;
6658 
6659 	if (file->f_op == &bpf_map_fops) {
6660 		map = file->private_data;
6661 		bpfsec = map->security;
6662 		ret = avc_has_perm(&selinux_state,
6663 				   sid, bpfsec->sid, SECCLASS_BPF,
6664 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6665 		if (ret)
6666 			return ret;
6667 	} else if (file->f_op == &bpf_prog_fops) {
6668 		prog = file->private_data;
6669 		bpfsec = prog->aux->security;
6670 		ret = avc_has_perm(&selinux_state,
6671 				   sid, bpfsec->sid, SECCLASS_BPF,
6672 				   BPF__PROG_RUN, NULL);
6673 		if (ret)
6674 			return ret;
6675 	}
6676 	return 0;
6677 }
6678 
6679 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6680 {
6681 	u32 sid = current_sid();
6682 	struct bpf_security_struct *bpfsec;
6683 
6684 	bpfsec = map->security;
6685 	return avc_has_perm(&selinux_state,
6686 			    sid, bpfsec->sid, SECCLASS_BPF,
6687 			    bpf_map_fmode_to_av(fmode), NULL);
6688 }
6689 
6690 static int selinux_bpf_prog(struct bpf_prog *prog)
6691 {
6692 	u32 sid = current_sid();
6693 	struct bpf_security_struct *bpfsec;
6694 
6695 	bpfsec = prog->aux->security;
6696 	return avc_has_perm(&selinux_state,
6697 			    sid, bpfsec->sid, SECCLASS_BPF,
6698 			    BPF__PROG_RUN, NULL);
6699 }
6700 
6701 static int selinux_bpf_map_alloc(struct bpf_map *map)
6702 {
6703 	struct bpf_security_struct *bpfsec;
6704 
6705 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6706 	if (!bpfsec)
6707 		return -ENOMEM;
6708 
6709 	bpfsec->sid = current_sid();
6710 	map->security = bpfsec;
6711 
6712 	return 0;
6713 }
6714 
6715 static void selinux_bpf_map_free(struct bpf_map *map)
6716 {
6717 	struct bpf_security_struct *bpfsec = map->security;
6718 
6719 	map->security = NULL;
6720 	kfree(bpfsec);
6721 }
6722 
6723 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6724 {
6725 	struct bpf_security_struct *bpfsec;
6726 
6727 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6728 	if (!bpfsec)
6729 		return -ENOMEM;
6730 
6731 	bpfsec->sid = current_sid();
6732 	aux->security = bpfsec;
6733 
6734 	return 0;
6735 }
6736 
6737 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6738 {
6739 	struct bpf_security_struct *bpfsec = aux->security;
6740 
6741 	aux->security = NULL;
6742 	kfree(bpfsec);
6743 }
6744 #endif
6745 
6746 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6747 	.lbs_cred = sizeof(struct task_security_struct),
6748 	.lbs_file = sizeof(struct file_security_struct),
6749 	.lbs_inode = sizeof(struct inode_security_struct),
6750 	.lbs_ipc = sizeof(struct ipc_security_struct),
6751 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6752 };
6753 
6754 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6755 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6756 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6757 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6758 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6759 
6760 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6761 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6762 	LSM_HOOK_INIT(capget, selinux_capget),
6763 	LSM_HOOK_INIT(capset, selinux_capset),
6764 	LSM_HOOK_INIT(capable, selinux_capable),
6765 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6766 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6767 	LSM_HOOK_INIT(syslog, selinux_syslog),
6768 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6769 
6770 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6771 
6772 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6773 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6774 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6775 
6776 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6777 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6778 
6779 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6780 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6781 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6782 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6783 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6784 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6785 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6786 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6787 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6788 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6789 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6790 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6791 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6792 
6793 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6794 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6795 
6796 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6797 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6798 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6799 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6800 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6801 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6802 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6803 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6804 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6805 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6806 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6807 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6808 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6809 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6810 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6811 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6812 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6813 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6814 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6815 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6816 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6817 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6818 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6819 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6820 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6821 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6822 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6823 
6824 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6825 
6826 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6827 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6828 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6829 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6830 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6831 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6832 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6833 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6834 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6835 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6836 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6837 
6838 	LSM_HOOK_INIT(file_open, selinux_file_open),
6839 
6840 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6841 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6842 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6843 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6844 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6845 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6846 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6847 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6848 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6849 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6850 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6851 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6852 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6853 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6854 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6855 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6856 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6857 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6858 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6859 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6860 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6861 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6862 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6863 
6864 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6865 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6866 
6867 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6868 
6869 	LSM_HOOK_INIT(msg_queue_alloc_security,
6870 			selinux_msg_queue_alloc_security),
6871 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6872 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6873 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6874 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6875 
6876 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6877 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6878 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6879 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6880 
6881 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6882 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6883 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6884 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6885 
6886 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6887 
6888 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6889 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6890 
6891 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6892 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6893 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6894 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6895 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6896 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6897 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6898 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6899 
6900 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6901 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6902 
6903 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6904 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6905 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
6906 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6907 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6908 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6909 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6910 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6911 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6912 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6913 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6914 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6915 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6916 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6917 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6918 	LSM_HOOK_INIT(socket_getpeersec_stream,
6919 			selinux_socket_getpeersec_stream),
6920 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6921 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6922 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6923 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6924 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6925 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6926 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
6927 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
6928 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6929 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6930 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6931 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6932 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6933 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6934 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6935 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6936 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6937 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6938 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6939 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6940 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6941 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6942 #ifdef CONFIG_SECURITY_INFINIBAND
6943 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6944 	LSM_HOOK_INIT(ib_endport_manage_subnet,
6945 		      selinux_ib_endport_manage_subnet),
6946 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6947 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6948 #endif
6949 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6950 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6951 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6952 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6953 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6954 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6955 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6956 			selinux_xfrm_state_alloc_acquire),
6957 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6958 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6959 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6960 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6961 			selinux_xfrm_state_pol_flow_match),
6962 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6963 #endif
6964 
6965 #ifdef CONFIG_KEYS
6966 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6967 	LSM_HOOK_INIT(key_free, selinux_key_free),
6968 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6969 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6970 #endif
6971 
6972 #ifdef CONFIG_AUDIT
6973 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6974 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6975 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6976 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6977 #endif
6978 
6979 #ifdef CONFIG_BPF_SYSCALL
6980 	LSM_HOOK_INIT(bpf, selinux_bpf),
6981 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6982 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6983 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6984 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6985 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6986 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6987 #endif
6988 };
6989 
6990 static __init int selinux_init(void)
6991 {
6992 	pr_info("SELinux:  Initializing.\n");
6993 
6994 	memset(&selinux_state, 0, sizeof(selinux_state));
6995 	enforcing_set(&selinux_state, selinux_enforcing_boot);
6996 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
6997 	selinux_ss_init(&selinux_state.ss);
6998 	selinux_avc_init(&selinux_state.avc);
6999 
7000 	/* Set the security state for the initial task. */
7001 	cred_init_security();
7002 
7003 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7004 
7005 	avc_init();
7006 
7007 	avtab_cache_init();
7008 
7009 	ebitmap_cache_init();
7010 
7011 	hashtab_cache_init();
7012 
7013 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7014 
7015 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7016 		panic("SELinux: Unable to register AVC netcache callback\n");
7017 
7018 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7019 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7020 
7021 	if (selinux_enforcing_boot)
7022 		pr_debug("SELinux:  Starting in enforcing mode\n");
7023 	else
7024 		pr_debug("SELinux:  Starting in permissive mode\n");
7025 
7026 	fs_validate_description(&selinux_fs_parameters);
7027 
7028 	return 0;
7029 }
7030 
7031 static void delayed_superblock_init(struct super_block *sb, void *unused)
7032 {
7033 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7034 }
7035 
7036 void selinux_complete_init(void)
7037 {
7038 	pr_debug("SELinux:  Completing initialization.\n");
7039 
7040 	/* Set up any superblocks initialized prior to the policy load. */
7041 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7042 	iterate_supers(delayed_superblock_init, NULL);
7043 }
7044 
7045 /* SELinux requires early initialization in order to label
7046    all processes and objects when they are created. */
7047 DEFINE_LSM(selinux) = {
7048 	.name = "selinux",
7049 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7050 	.enabled = &selinux_enabled,
7051 	.blobs = &selinux_blob_sizes,
7052 	.init = selinux_init,
7053 };
7054 
7055 #if defined(CONFIG_NETFILTER)
7056 
7057 static const struct nf_hook_ops selinux_nf_ops[] = {
7058 	{
7059 		.hook =		selinux_ipv4_postroute,
7060 		.pf =		NFPROTO_IPV4,
7061 		.hooknum =	NF_INET_POST_ROUTING,
7062 		.priority =	NF_IP_PRI_SELINUX_LAST,
7063 	},
7064 	{
7065 		.hook =		selinux_ipv4_forward,
7066 		.pf =		NFPROTO_IPV4,
7067 		.hooknum =	NF_INET_FORWARD,
7068 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7069 	},
7070 	{
7071 		.hook =		selinux_ipv4_output,
7072 		.pf =		NFPROTO_IPV4,
7073 		.hooknum =	NF_INET_LOCAL_OUT,
7074 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7075 	},
7076 #if IS_ENABLED(CONFIG_IPV6)
7077 	{
7078 		.hook =		selinux_ipv6_postroute,
7079 		.pf =		NFPROTO_IPV6,
7080 		.hooknum =	NF_INET_POST_ROUTING,
7081 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7082 	},
7083 	{
7084 		.hook =		selinux_ipv6_forward,
7085 		.pf =		NFPROTO_IPV6,
7086 		.hooknum =	NF_INET_FORWARD,
7087 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7088 	},
7089 	{
7090 		.hook =		selinux_ipv6_output,
7091 		.pf =		NFPROTO_IPV6,
7092 		.hooknum =	NF_INET_LOCAL_OUT,
7093 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7094 	},
7095 #endif	/* IPV6 */
7096 };
7097 
7098 static int __net_init selinux_nf_register(struct net *net)
7099 {
7100 	return nf_register_net_hooks(net, selinux_nf_ops,
7101 				     ARRAY_SIZE(selinux_nf_ops));
7102 }
7103 
7104 static void __net_exit selinux_nf_unregister(struct net *net)
7105 {
7106 	nf_unregister_net_hooks(net, selinux_nf_ops,
7107 				ARRAY_SIZE(selinux_nf_ops));
7108 }
7109 
7110 static struct pernet_operations selinux_net_ops = {
7111 	.init = selinux_nf_register,
7112 	.exit = selinux_nf_unregister,
7113 };
7114 
7115 static int __init selinux_nf_ip_init(void)
7116 {
7117 	int err;
7118 
7119 	if (!selinux_enabled)
7120 		return 0;
7121 
7122 	pr_debug("SELinux:  Registering netfilter hooks\n");
7123 
7124 	err = register_pernet_subsys(&selinux_net_ops);
7125 	if (err)
7126 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7127 
7128 	return 0;
7129 }
7130 __initcall(selinux_nf_ip_init);
7131 
7132 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7133 static void selinux_nf_ip_exit(void)
7134 {
7135 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7136 
7137 	unregister_pernet_subsys(&selinux_net_ops);
7138 }
7139 #endif
7140 
7141 #else /* CONFIG_NETFILTER */
7142 
7143 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7144 #define selinux_nf_ip_exit()
7145 #endif
7146 
7147 #endif /* CONFIG_NETFILTER */
7148 
7149 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7150 int selinux_disable(struct selinux_state *state)
7151 {
7152 	if (state->initialized) {
7153 		/* Not permitted after initial policy load. */
7154 		return -EINVAL;
7155 	}
7156 
7157 	if (state->disabled) {
7158 		/* Only do this once. */
7159 		return -EINVAL;
7160 	}
7161 
7162 	state->disabled = 1;
7163 
7164 	pr_info("SELinux:  Disabled at runtime.\n");
7165 
7166 	selinux_enabled = 0;
7167 
7168 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7169 
7170 	/* Try to destroy the avc node cache */
7171 	avc_disable();
7172 
7173 	/* Unregister netfilter hooks. */
7174 	selinux_nf_ip_exit();
7175 
7176 	/* Unregister selinuxfs. */
7177 	exit_sel_fs();
7178 
7179 	return 0;
7180 }
7181 #endif
7182