xref: /openbmc/linux/security/selinux/hooks.c (revision 28efb0046512e8a13ed9f9bdf0d68d10bbfbe9cf)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>		/* for Unix socket types */
72 #include <net/af_unix.h>	/* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99 
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105 
106 static int __init enforcing_setup(char *str)
107 {
108 	unsigned long enforcing;
109 	if (!kstrtoul(str, 0, &enforcing))
110 		selinux_enforcing = enforcing ? 1 : 0;
111 	return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115 
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 
119 static int __init selinux_enabled_setup(char *str)
120 {
121 	unsigned long enabled;
122 	if (!kstrtoul(str, 0, &enabled))
123 		selinux_enabled = enabled ? 1 : 0;
124 	return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130 
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133 
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149 
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164 
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167 	if (event == AVC_CALLBACK_RESET) {
168 		sel_netif_flush();
169 		sel_netnode_flush();
170 		sel_netport_flush();
171 		synchronize_net();
172 	}
173 	return 0;
174 }
175 
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178 	if (event == AVC_CALLBACK_RESET) {
179 		sel_ib_pkey_flush();
180 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181 	}
182 
183 	return 0;
184 }
185 
186 /*
187  * initialise the security for the init task
188  */
189 static void cred_init_security(void)
190 {
191 	struct cred *cred = (struct cred *) current->real_cred;
192 	struct task_security_struct *tsec;
193 
194 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195 	if (!tsec)
196 		panic("SELinux:  Failed to initialize initial task.\n");
197 
198 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 	cred->security = tsec;
200 }
201 
202 /*
203  * get the security ID of a set of credentials
204  */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207 	const struct task_security_struct *tsec;
208 
209 	tsec = cred->security;
210 	return tsec->sid;
211 }
212 
213 /*
214  * get the objective security ID of a task
215  */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218 	u32 sid;
219 
220 	rcu_read_lock();
221 	sid = cred_sid(__task_cred(task));
222 	rcu_read_unlock();
223 	return sid;
224 }
225 
226 /* Allocate and free functions for each kind of security blob. */
227 
228 static int inode_alloc_security(struct inode *inode)
229 {
230 	struct inode_security_struct *isec;
231 	u32 sid = current_sid();
232 
233 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 	if (!isec)
235 		return -ENOMEM;
236 
237 	spin_lock_init(&isec->lock);
238 	INIT_LIST_HEAD(&isec->list);
239 	isec->inode = inode;
240 	isec->sid = SECINITSID_UNLABELED;
241 	isec->sclass = SECCLASS_FILE;
242 	isec->task_sid = sid;
243 	isec->initialized = LABEL_INVALID;
244 	inode->i_security = isec;
245 
246 	return 0;
247 }
248 
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250 
251 /*
252  * Try reloading inode security labels that have been marked as invalid.  The
253  * @may_sleep parameter indicates when sleeping and thus reloading labels is
254  * allowed; when set to false, returns -ECHILD when the label is
255  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
256  * when no dentry is available, set it to NULL instead.
257  */
258 static int __inode_security_revalidate(struct inode *inode,
259 				       struct dentry *opt_dentry,
260 				       bool may_sleep)
261 {
262 	struct inode_security_struct *isec = inode->i_security;
263 
264 	might_sleep_if(may_sleep);
265 
266 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267 		if (!may_sleep)
268 			return -ECHILD;
269 
270 		/*
271 		 * Try reloading the inode security label.  This will fail if
272 		 * @opt_dentry is NULL and no dentry for this inode can be
273 		 * found; in that case, continue using the old label.
274 		 */
275 		inode_doinit_with_dentry(inode, opt_dentry);
276 	}
277 	return 0;
278 }
279 
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282 	return inode->i_security;
283 }
284 
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287 	int error;
288 
289 	error = __inode_security_revalidate(inode, NULL, !rcu);
290 	if (error)
291 		return ERR_PTR(error);
292 	return inode->i_security;
293 }
294 
295 /*
296  * Get the security label of an inode.
297  */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300 	__inode_security_revalidate(inode, NULL, true);
301 	return inode->i_security;
302 }
303 
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306 	struct inode *inode = d_backing_inode(dentry);
307 
308 	return inode->i_security;
309 }
310 
311 /*
312  * Get the security label of a dentry's backing inode.
313  */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316 	struct inode *inode = d_backing_inode(dentry);
317 
318 	__inode_security_revalidate(inode, dentry, true);
319 	return inode->i_security;
320 }
321 
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324 	struct inode_security_struct *isec;
325 
326 	isec = container_of(head, struct inode_security_struct, rcu);
327 	kmem_cache_free(sel_inode_cache, isec);
328 }
329 
330 static void inode_free_security(struct inode *inode)
331 {
332 	struct inode_security_struct *isec = inode->i_security;
333 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334 
335 	/*
336 	 * As not all inode security structures are in a list, we check for
337 	 * empty list outside of the lock to make sure that we won't waste
338 	 * time taking a lock doing nothing.
339 	 *
340 	 * The list_del_init() function can be safely called more than once.
341 	 * It should not be possible for this function to be called with
342 	 * concurrent list_add(), but for better safety against future changes
343 	 * in the code, we use list_empty_careful() here.
344 	 */
345 	if (!list_empty_careful(&isec->list)) {
346 		spin_lock(&sbsec->isec_lock);
347 		list_del_init(&isec->list);
348 		spin_unlock(&sbsec->isec_lock);
349 	}
350 
351 	/*
352 	 * The inode may still be referenced in a path walk and
353 	 * a call to selinux_inode_permission() can be made
354 	 * after inode_free_security() is called. Ideally, the VFS
355 	 * wouldn't do this, but fixing that is a much harder
356 	 * job. For now, simply free the i_security via RCU, and
357 	 * leave the current inode->i_security pointer intact.
358 	 * The inode will be freed after the RCU grace period too.
359 	 */
360 	call_rcu(&isec->rcu, inode_free_rcu);
361 }
362 
363 static int file_alloc_security(struct file *file)
364 {
365 	struct file_security_struct *fsec;
366 	u32 sid = current_sid();
367 
368 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369 	if (!fsec)
370 		return -ENOMEM;
371 
372 	fsec->sid = sid;
373 	fsec->fown_sid = sid;
374 	file->f_security = fsec;
375 
376 	return 0;
377 }
378 
379 static void file_free_security(struct file *file)
380 {
381 	struct file_security_struct *fsec = file->f_security;
382 	file->f_security = NULL;
383 	kmem_cache_free(file_security_cache, fsec);
384 }
385 
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388 	struct superblock_security_struct *sbsec;
389 
390 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391 	if (!sbsec)
392 		return -ENOMEM;
393 
394 	mutex_init(&sbsec->lock);
395 	INIT_LIST_HEAD(&sbsec->isec_head);
396 	spin_lock_init(&sbsec->isec_lock);
397 	sbsec->sb = sb;
398 	sbsec->sid = SECINITSID_UNLABELED;
399 	sbsec->def_sid = SECINITSID_FILE;
400 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 	sb->s_security = sbsec;
402 
403 	return 0;
404 }
405 
406 static void superblock_free_security(struct super_block *sb)
407 {
408 	struct superblock_security_struct *sbsec = sb->s_security;
409 	sb->s_security = NULL;
410 	kfree(sbsec);
411 }
412 
413 static inline int inode_doinit(struct inode *inode)
414 {
415 	return inode_doinit_with_dentry(inode, NULL);
416 }
417 
418 enum {
419 	Opt_error = -1,
420 	Opt_context = 1,
421 	Opt_fscontext = 2,
422 	Opt_defcontext = 3,
423 	Opt_rootcontext = 4,
424 	Opt_labelsupport = 5,
425 	Opt_nextmntopt = 6,
426 };
427 
428 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
429 
430 static const match_table_t tokens = {
431 	{Opt_context, CONTEXT_STR "%s"},
432 	{Opt_fscontext, FSCONTEXT_STR "%s"},
433 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
434 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 	{Opt_labelsupport, LABELSUPP_STR},
436 	{Opt_error, NULL},
437 };
438 
439 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440 
441 static int may_context_mount_sb_relabel(u32 sid,
442 			struct superblock_security_struct *sbsec,
443 			const struct cred *cred)
444 {
445 	const struct task_security_struct *tsec = cred->security;
446 	int rc;
447 
448 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 			  FILESYSTEM__RELABELFROM, NULL);
450 	if (rc)
451 		return rc;
452 
453 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 			  FILESYSTEM__RELABELTO, NULL);
455 	return rc;
456 }
457 
458 static int may_context_mount_inode_relabel(u32 sid,
459 			struct superblock_security_struct *sbsec,
460 			const struct cred *cred)
461 {
462 	const struct task_security_struct *tsec = cred->security;
463 	int rc;
464 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 			  FILESYSTEM__RELABELFROM, NULL);
466 	if (rc)
467 		return rc;
468 
469 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 			  FILESYSTEM__ASSOCIATE, NULL);
471 	return rc;
472 }
473 
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476 	struct superblock_security_struct *sbsec = sb->s_security;
477 
478 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 		sbsec->behavior == SECURITY_FS_USE_TASK ||
481 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 		/* Special handling. Genfs but also in-core setxattr handler */
483 		!strcmp(sb->s_type->name, "sysfs") ||
484 		!strcmp(sb->s_type->name, "pstore") ||
485 		!strcmp(sb->s_type->name, "debugfs") ||
486 		!strcmp(sb->s_type->name, "tracefs") ||
487 		!strcmp(sb->s_type->name, "rootfs") ||
488 		(selinux_policycap_cgroupseclabel &&
489 		 (!strcmp(sb->s_type->name, "cgroup") ||
490 		  !strcmp(sb->s_type->name, "cgroup2")));
491 }
492 
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495 	struct superblock_security_struct *sbsec = sb->s_security;
496 	struct dentry *root = sb->s_root;
497 	struct inode *root_inode = d_backing_inode(root);
498 	int rc = 0;
499 
500 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 		/* Make sure that the xattr handler exists and that no
502 		   error other than -ENODATA is returned by getxattr on
503 		   the root directory.  -ENODATA is ok, as this may be
504 		   the first boot of the SELinux kernel before we have
505 		   assigned xattr values to the filesystem. */
506 		if (!(root_inode->i_opflags & IOP_XATTR)) {
507 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 			       "xattr support\n", sb->s_id, sb->s_type->name);
509 			rc = -EOPNOTSUPP;
510 			goto out;
511 		}
512 
513 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 		if (rc < 0 && rc != -ENODATA) {
515 			if (rc == -EOPNOTSUPP)
516 				printk(KERN_WARNING "SELinux: (dev %s, type "
517 				       "%s) has no security xattr handler\n",
518 				       sb->s_id, sb->s_type->name);
519 			else
520 				printk(KERN_WARNING "SELinux: (dev %s, type "
521 				       "%s) getxattr errno %d\n", sb->s_id,
522 				       sb->s_type->name, -rc);
523 			goto out;
524 		}
525 	}
526 
527 	sbsec->flags |= SE_SBINITIALIZED;
528 
529 	/*
530 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
531 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 	 * us a superblock that needs the flag to be cleared.
533 	 */
534 	if (selinux_is_sblabel_mnt(sb))
535 		sbsec->flags |= SBLABEL_MNT;
536 	else
537 		sbsec->flags &= ~SBLABEL_MNT;
538 
539 	/* Initialize the root inode. */
540 	rc = inode_doinit_with_dentry(root_inode, root);
541 
542 	/* Initialize any other inodes associated with the superblock, e.g.
543 	   inodes created prior to initial policy load or inodes created
544 	   during get_sb by a pseudo filesystem that directly
545 	   populates itself. */
546 	spin_lock(&sbsec->isec_lock);
547 next_inode:
548 	if (!list_empty(&sbsec->isec_head)) {
549 		struct inode_security_struct *isec =
550 				list_entry(sbsec->isec_head.next,
551 					   struct inode_security_struct, list);
552 		struct inode *inode = isec->inode;
553 		list_del_init(&isec->list);
554 		spin_unlock(&sbsec->isec_lock);
555 		inode = igrab(inode);
556 		if (inode) {
557 			if (!IS_PRIVATE(inode))
558 				inode_doinit(inode);
559 			iput(inode);
560 		}
561 		spin_lock(&sbsec->isec_lock);
562 		goto next_inode;
563 	}
564 	spin_unlock(&sbsec->isec_lock);
565 out:
566 	return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 				struct security_mnt_opts *opts)
576 {
577 	int rc = 0, i;
578 	struct superblock_security_struct *sbsec = sb->s_security;
579 	char *context = NULL;
580 	u32 len;
581 	char tmp;
582 
583 	security_init_mnt_opts(opts);
584 
585 	if (!(sbsec->flags & SE_SBINITIALIZED))
586 		return -EINVAL;
587 
588 	if (!ss_initialized)
589 		return -EINVAL;
590 
591 	/* make sure we always check enough bits to cover the mask */
592 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594 	tmp = sbsec->flags & SE_MNTMASK;
595 	/* count the number of mount options for this sb */
596 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 		if (tmp & 0x01)
598 			opts->num_mnt_opts++;
599 		tmp >>= 1;
600 	}
601 	/* Check if the Label support flag is set */
602 	if (sbsec->flags & SBLABEL_MNT)
603 		opts->num_mnt_opts++;
604 
605 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 	if (!opts->mnt_opts) {
607 		rc = -ENOMEM;
608 		goto out_free;
609 	}
610 
611 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 	if (!opts->mnt_opts_flags) {
613 		rc = -ENOMEM;
614 		goto out_free;
615 	}
616 
617 	i = 0;
618 	if (sbsec->flags & FSCONTEXT_MNT) {
619 		rc = security_sid_to_context(sbsec->sid, &context, &len);
620 		if (rc)
621 			goto out_free;
622 		opts->mnt_opts[i] = context;
623 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 	}
625 	if (sbsec->flags & CONTEXT_MNT) {
626 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 		if (rc)
628 			goto out_free;
629 		opts->mnt_opts[i] = context;
630 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 	}
632 	if (sbsec->flags & DEFCONTEXT_MNT) {
633 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 		if (rc)
635 			goto out_free;
636 		opts->mnt_opts[i] = context;
637 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 	}
639 	if (sbsec->flags & ROOTCONTEXT_MNT) {
640 		struct dentry *root = sbsec->sb->s_root;
641 		struct inode_security_struct *isec = backing_inode_security(root);
642 
643 		rc = security_sid_to_context(isec->sid, &context, &len);
644 		if (rc)
645 			goto out_free;
646 		opts->mnt_opts[i] = context;
647 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 	}
649 	if (sbsec->flags & SBLABEL_MNT) {
650 		opts->mnt_opts[i] = NULL;
651 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 	}
653 
654 	BUG_ON(i != opts->num_mnt_opts);
655 
656 	return 0;
657 
658 out_free:
659 	security_free_mnt_opts(opts);
660 	return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 		      u32 old_sid, u32 new_sid)
665 {
666 	char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668 	/* check if the old mount command had the same options */
669 	if (sbsec->flags & SE_SBINITIALIZED)
670 		if (!(sbsec->flags & flag) ||
671 		    (old_sid != new_sid))
672 			return 1;
673 
674 	/* check if we were passed the same options twice,
675 	 * aka someone passed context=a,context=b
676 	 */
677 	if (!(sbsec->flags & SE_SBINITIALIZED))
678 		if (mnt_flags & flag)
679 			return 1;
680 	return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 				struct security_mnt_opts *opts,
689 				unsigned long kern_flags,
690 				unsigned long *set_kern_flags)
691 {
692 	const struct cred *cred = current_cred();
693 	int rc = 0, i;
694 	struct superblock_security_struct *sbsec = sb->s_security;
695 	const char *name = sb->s_type->name;
696 	struct dentry *root = sbsec->sb->s_root;
697 	struct inode_security_struct *root_isec;
698 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 	u32 defcontext_sid = 0;
700 	char **mount_options = opts->mnt_opts;
701 	int *flags = opts->mnt_opts_flags;
702 	int num_opts = opts->num_mnt_opts;
703 
704 	mutex_lock(&sbsec->lock);
705 
706 	if (!ss_initialized) {
707 		if (!num_opts) {
708 			/* Defer initialization until selinux_complete_init,
709 			   after the initial policy is loaded and the security
710 			   server is ready to handle calls. */
711 			goto out;
712 		}
713 		rc = -EINVAL;
714 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 			"before the security server is initialized\n");
716 		goto out;
717 	}
718 	if (kern_flags && !set_kern_flags) {
719 		/* Specifying internal flags without providing a place to
720 		 * place the results is not allowed */
721 		rc = -EINVAL;
722 		goto out;
723 	}
724 
725 	/*
726 	 * Binary mount data FS will come through this function twice.  Once
727 	 * from an explicit call and once from the generic calls from the vfs.
728 	 * Since the generic VFS calls will not contain any security mount data
729 	 * we need to skip the double mount verification.
730 	 *
731 	 * This does open a hole in which we will not notice if the first
732 	 * mount using this sb set explict options and a second mount using
733 	 * this sb does not set any security options.  (The first options
734 	 * will be used for both mounts)
735 	 */
736 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 	    && (num_opts == 0))
738 		goto out;
739 
740 	root_isec = backing_inode_security_novalidate(root);
741 
742 	/*
743 	 * parse the mount options, check if they are valid sids.
744 	 * also check if someone is trying to mount the same sb more
745 	 * than once with different security options.
746 	 */
747 	for (i = 0; i < num_opts; i++) {
748 		u32 sid;
749 
750 		if (flags[i] == SBLABEL_MNT)
751 			continue;
752 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 		if (rc) {
754 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
756 			       mount_options[i], sb->s_id, name, rc);
757 			goto out;
758 		}
759 		switch (flags[i]) {
760 		case FSCONTEXT_MNT:
761 			fscontext_sid = sid;
762 
763 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 					fscontext_sid))
765 				goto out_double_mount;
766 
767 			sbsec->flags |= FSCONTEXT_MNT;
768 			break;
769 		case CONTEXT_MNT:
770 			context_sid = sid;
771 
772 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 					context_sid))
774 				goto out_double_mount;
775 
776 			sbsec->flags |= CONTEXT_MNT;
777 			break;
778 		case ROOTCONTEXT_MNT:
779 			rootcontext_sid = sid;
780 
781 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 					rootcontext_sid))
783 				goto out_double_mount;
784 
785 			sbsec->flags |= ROOTCONTEXT_MNT;
786 
787 			break;
788 		case DEFCONTEXT_MNT:
789 			defcontext_sid = sid;
790 
791 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 					defcontext_sid))
793 				goto out_double_mount;
794 
795 			sbsec->flags |= DEFCONTEXT_MNT;
796 
797 			break;
798 		default:
799 			rc = -EINVAL;
800 			goto out;
801 		}
802 	}
803 
804 	if (sbsec->flags & SE_SBINITIALIZED) {
805 		/* previously mounted with options, but not on this attempt? */
806 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 			goto out_double_mount;
808 		rc = 0;
809 		goto out;
810 	}
811 
812 	if (strcmp(sb->s_type->name, "proc") == 0)
813 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815 	if (!strcmp(sb->s_type->name, "debugfs") ||
816 	    !strcmp(sb->s_type->name, "tracefs") ||
817 	    !strcmp(sb->s_type->name, "sysfs") ||
818 	    !strcmp(sb->s_type->name, "pstore") ||
819 	    !strcmp(sb->s_type->name, "cgroup") ||
820 	    !strcmp(sb->s_type->name, "cgroup2"))
821 		sbsec->flags |= SE_SBGENFS;
822 
823 	if (!sbsec->behavior) {
824 		/*
825 		 * Determine the labeling behavior to use for this
826 		 * filesystem type.
827 		 */
828 		rc = security_fs_use(sb);
829 		if (rc) {
830 			printk(KERN_WARNING
831 				"%s: security_fs_use(%s) returned %d\n",
832 					__func__, sb->s_type->name, rc);
833 			goto out;
834 		}
835 	}
836 
837 	/*
838 	 * If this is a user namespace mount and the filesystem type is not
839 	 * explicitly whitelisted, then no contexts are allowed on the command
840 	 * line and security labels must be ignored.
841 	 */
842 	if (sb->s_user_ns != &init_user_ns &&
843 	    strcmp(sb->s_type->name, "tmpfs") &&
844 	    strcmp(sb->s_type->name, "ramfs") &&
845 	    strcmp(sb->s_type->name, "devpts")) {
846 		if (context_sid || fscontext_sid || rootcontext_sid ||
847 		    defcontext_sid) {
848 			rc = -EACCES;
849 			goto out;
850 		}
851 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
852 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
853 			rc = security_transition_sid(current_sid(), current_sid(),
854 						     SECCLASS_FILE, NULL,
855 						     &sbsec->mntpoint_sid);
856 			if (rc)
857 				goto out;
858 		}
859 		goto out_set_opts;
860 	}
861 
862 	/* sets the context of the superblock for the fs being mounted. */
863 	if (fscontext_sid) {
864 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
865 		if (rc)
866 			goto out;
867 
868 		sbsec->sid = fscontext_sid;
869 	}
870 
871 	/*
872 	 * Switch to using mount point labeling behavior.
873 	 * sets the label used on all file below the mountpoint, and will set
874 	 * the superblock context if not already set.
875 	 */
876 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
877 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
878 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
879 	}
880 
881 	if (context_sid) {
882 		if (!fscontext_sid) {
883 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
884 							  cred);
885 			if (rc)
886 				goto out;
887 			sbsec->sid = context_sid;
888 		} else {
889 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
890 							     cred);
891 			if (rc)
892 				goto out;
893 		}
894 		if (!rootcontext_sid)
895 			rootcontext_sid = context_sid;
896 
897 		sbsec->mntpoint_sid = context_sid;
898 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
899 	}
900 
901 	if (rootcontext_sid) {
902 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
903 						     cred);
904 		if (rc)
905 			goto out;
906 
907 		root_isec->sid = rootcontext_sid;
908 		root_isec->initialized = LABEL_INITIALIZED;
909 	}
910 
911 	if (defcontext_sid) {
912 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
913 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
914 			rc = -EINVAL;
915 			printk(KERN_WARNING "SELinux: defcontext option is "
916 			       "invalid for this filesystem type\n");
917 			goto out;
918 		}
919 
920 		if (defcontext_sid != sbsec->def_sid) {
921 			rc = may_context_mount_inode_relabel(defcontext_sid,
922 							     sbsec, cred);
923 			if (rc)
924 				goto out;
925 		}
926 
927 		sbsec->def_sid = defcontext_sid;
928 	}
929 
930 out_set_opts:
931 	rc = sb_finish_set_opts(sb);
932 out:
933 	mutex_unlock(&sbsec->lock);
934 	return rc;
935 out_double_mount:
936 	rc = -EINVAL;
937 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
938 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
939 	goto out;
940 }
941 
942 static int selinux_cmp_sb_context(const struct super_block *oldsb,
943 				    const struct super_block *newsb)
944 {
945 	struct superblock_security_struct *old = oldsb->s_security;
946 	struct superblock_security_struct *new = newsb->s_security;
947 	char oldflags = old->flags & SE_MNTMASK;
948 	char newflags = new->flags & SE_MNTMASK;
949 
950 	if (oldflags != newflags)
951 		goto mismatch;
952 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
953 		goto mismatch;
954 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
955 		goto mismatch;
956 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
957 		goto mismatch;
958 	if (oldflags & ROOTCONTEXT_MNT) {
959 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
960 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
961 		if (oldroot->sid != newroot->sid)
962 			goto mismatch;
963 	}
964 	return 0;
965 mismatch:
966 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
967 			    "different security settings for (dev %s, "
968 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
969 	return -EBUSY;
970 }
971 
972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
973 					struct super_block *newsb,
974 					unsigned long kern_flags,
975 					unsigned long *set_kern_flags)
976 {
977 	int rc = 0;
978 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
979 	struct superblock_security_struct *newsbsec = newsb->s_security;
980 
981 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
982 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
983 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
984 
985 	/*
986 	 * if the parent was able to be mounted it clearly had no special lsm
987 	 * mount options.  thus we can safely deal with this superblock later
988 	 */
989 	if (!ss_initialized)
990 		return 0;
991 
992 	/*
993 	 * Specifying internal flags without providing a place to
994 	 * place the results is not allowed.
995 	 */
996 	if (kern_flags && !set_kern_flags)
997 		return -EINVAL;
998 
999 	/* how can we clone if the old one wasn't set up?? */
1000 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1001 
1002 	/* if fs is reusing a sb, make sure that the contexts match */
1003 	if (newsbsec->flags & SE_SBINITIALIZED)
1004 		return selinux_cmp_sb_context(oldsb, newsb);
1005 
1006 	mutex_lock(&newsbsec->lock);
1007 
1008 	newsbsec->flags = oldsbsec->flags;
1009 
1010 	newsbsec->sid = oldsbsec->sid;
1011 	newsbsec->def_sid = oldsbsec->def_sid;
1012 	newsbsec->behavior = oldsbsec->behavior;
1013 
1014 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1015 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1016 		rc = security_fs_use(newsb);
1017 		if (rc)
1018 			goto out;
1019 	}
1020 
1021 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1022 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1023 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1024 	}
1025 
1026 	if (set_context) {
1027 		u32 sid = oldsbsec->mntpoint_sid;
1028 
1029 		if (!set_fscontext)
1030 			newsbsec->sid = sid;
1031 		if (!set_rootcontext) {
1032 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1033 			newisec->sid = sid;
1034 		}
1035 		newsbsec->mntpoint_sid = sid;
1036 	}
1037 	if (set_rootcontext) {
1038 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1039 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1040 
1041 		newisec->sid = oldisec->sid;
1042 	}
1043 
1044 	sb_finish_set_opts(newsb);
1045 out:
1046 	mutex_unlock(&newsbsec->lock);
1047 	return rc;
1048 }
1049 
1050 static int selinux_parse_opts_str(char *options,
1051 				  struct security_mnt_opts *opts)
1052 {
1053 	char *p;
1054 	char *context = NULL, *defcontext = NULL;
1055 	char *fscontext = NULL, *rootcontext = NULL;
1056 	int rc, num_mnt_opts = 0;
1057 
1058 	opts->num_mnt_opts = 0;
1059 
1060 	/* Standard string-based options. */
1061 	while ((p = strsep(&options, "|")) != NULL) {
1062 		int token;
1063 		substring_t args[MAX_OPT_ARGS];
1064 
1065 		if (!*p)
1066 			continue;
1067 
1068 		token = match_token(p, tokens, args);
1069 
1070 		switch (token) {
1071 		case Opt_context:
1072 			if (context || defcontext) {
1073 				rc = -EINVAL;
1074 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075 				goto out_err;
1076 			}
1077 			context = match_strdup(&args[0]);
1078 			if (!context) {
1079 				rc = -ENOMEM;
1080 				goto out_err;
1081 			}
1082 			break;
1083 
1084 		case Opt_fscontext:
1085 			if (fscontext) {
1086 				rc = -EINVAL;
1087 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088 				goto out_err;
1089 			}
1090 			fscontext = match_strdup(&args[0]);
1091 			if (!fscontext) {
1092 				rc = -ENOMEM;
1093 				goto out_err;
1094 			}
1095 			break;
1096 
1097 		case Opt_rootcontext:
1098 			if (rootcontext) {
1099 				rc = -EINVAL;
1100 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1101 				goto out_err;
1102 			}
1103 			rootcontext = match_strdup(&args[0]);
1104 			if (!rootcontext) {
1105 				rc = -ENOMEM;
1106 				goto out_err;
1107 			}
1108 			break;
1109 
1110 		case Opt_defcontext:
1111 			if (context || defcontext) {
1112 				rc = -EINVAL;
1113 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1114 				goto out_err;
1115 			}
1116 			defcontext = match_strdup(&args[0]);
1117 			if (!defcontext) {
1118 				rc = -ENOMEM;
1119 				goto out_err;
1120 			}
1121 			break;
1122 		case Opt_labelsupport:
1123 			break;
1124 		default:
1125 			rc = -EINVAL;
1126 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1127 			goto out_err;
1128 
1129 		}
1130 	}
1131 
1132 	rc = -ENOMEM;
1133 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1134 	if (!opts->mnt_opts)
1135 		goto out_err;
1136 
1137 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1138 				       GFP_KERNEL);
1139 	if (!opts->mnt_opts_flags)
1140 		goto out_err;
1141 
1142 	if (fscontext) {
1143 		opts->mnt_opts[num_mnt_opts] = fscontext;
1144 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1145 	}
1146 	if (context) {
1147 		opts->mnt_opts[num_mnt_opts] = context;
1148 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1149 	}
1150 	if (rootcontext) {
1151 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1152 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1153 	}
1154 	if (defcontext) {
1155 		opts->mnt_opts[num_mnt_opts] = defcontext;
1156 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1157 	}
1158 
1159 	opts->num_mnt_opts = num_mnt_opts;
1160 	return 0;
1161 
1162 out_err:
1163 	security_free_mnt_opts(opts);
1164 	kfree(context);
1165 	kfree(defcontext);
1166 	kfree(fscontext);
1167 	kfree(rootcontext);
1168 	return rc;
1169 }
1170 /*
1171  * string mount options parsing and call set the sbsec
1172  */
1173 static int superblock_doinit(struct super_block *sb, void *data)
1174 {
1175 	int rc = 0;
1176 	char *options = data;
1177 	struct security_mnt_opts opts;
1178 
1179 	security_init_mnt_opts(&opts);
1180 
1181 	if (!data)
1182 		goto out;
1183 
1184 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1185 
1186 	rc = selinux_parse_opts_str(options, &opts);
1187 	if (rc)
1188 		goto out_err;
1189 
1190 out:
1191 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1192 
1193 out_err:
1194 	security_free_mnt_opts(&opts);
1195 	return rc;
1196 }
1197 
1198 static void selinux_write_opts(struct seq_file *m,
1199 			       struct security_mnt_opts *opts)
1200 {
1201 	int i;
1202 	char *prefix;
1203 
1204 	for (i = 0; i < opts->num_mnt_opts; i++) {
1205 		char *has_comma;
1206 
1207 		if (opts->mnt_opts[i])
1208 			has_comma = strchr(opts->mnt_opts[i], ',');
1209 		else
1210 			has_comma = NULL;
1211 
1212 		switch (opts->mnt_opts_flags[i]) {
1213 		case CONTEXT_MNT:
1214 			prefix = CONTEXT_STR;
1215 			break;
1216 		case FSCONTEXT_MNT:
1217 			prefix = FSCONTEXT_STR;
1218 			break;
1219 		case ROOTCONTEXT_MNT:
1220 			prefix = ROOTCONTEXT_STR;
1221 			break;
1222 		case DEFCONTEXT_MNT:
1223 			prefix = DEFCONTEXT_STR;
1224 			break;
1225 		case SBLABEL_MNT:
1226 			seq_putc(m, ',');
1227 			seq_puts(m, LABELSUPP_STR);
1228 			continue;
1229 		default:
1230 			BUG();
1231 			return;
1232 		};
1233 		/* we need a comma before each option */
1234 		seq_putc(m, ',');
1235 		seq_puts(m, prefix);
1236 		if (has_comma)
1237 			seq_putc(m, '\"');
1238 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1239 		if (has_comma)
1240 			seq_putc(m, '\"');
1241 	}
1242 }
1243 
1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1245 {
1246 	struct security_mnt_opts opts;
1247 	int rc;
1248 
1249 	rc = selinux_get_mnt_opts(sb, &opts);
1250 	if (rc) {
1251 		/* before policy load we may get EINVAL, don't show anything */
1252 		if (rc == -EINVAL)
1253 			rc = 0;
1254 		return rc;
1255 	}
1256 
1257 	selinux_write_opts(m, &opts);
1258 
1259 	security_free_mnt_opts(&opts);
1260 
1261 	return rc;
1262 }
1263 
1264 static inline u16 inode_mode_to_security_class(umode_t mode)
1265 {
1266 	switch (mode & S_IFMT) {
1267 	case S_IFSOCK:
1268 		return SECCLASS_SOCK_FILE;
1269 	case S_IFLNK:
1270 		return SECCLASS_LNK_FILE;
1271 	case S_IFREG:
1272 		return SECCLASS_FILE;
1273 	case S_IFBLK:
1274 		return SECCLASS_BLK_FILE;
1275 	case S_IFDIR:
1276 		return SECCLASS_DIR;
1277 	case S_IFCHR:
1278 		return SECCLASS_CHR_FILE;
1279 	case S_IFIFO:
1280 		return SECCLASS_FIFO_FILE;
1281 
1282 	}
1283 
1284 	return SECCLASS_FILE;
1285 }
1286 
1287 static inline int default_protocol_stream(int protocol)
1288 {
1289 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1290 }
1291 
1292 static inline int default_protocol_dgram(int protocol)
1293 {
1294 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1295 }
1296 
1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1298 {
1299 	int extsockclass = selinux_policycap_extsockclass;
1300 
1301 	switch (family) {
1302 	case PF_UNIX:
1303 		switch (type) {
1304 		case SOCK_STREAM:
1305 		case SOCK_SEQPACKET:
1306 			return SECCLASS_UNIX_STREAM_SOCKET;
1307 		case SOCK_DGRAM:
1308 		case SOCK_RAW:
1309 			return SECCLASS_UNIX_DGRAM_SOCKET;
1310 		}
1311 		break;
1312 	case PF_INET:
1313 	case PF_INET6:
1314 		switch (type) {
1315 		case SOCK_STREAM:
1316 		case SOCK_SEQPACKET:
1317 			if (default_protocol_stream(protocol))
1318 				return SECCLASS_TCP_SOCKET;
1319 			else if (extsockclass && protocol == IPPROTO_SCTP)
1320 				return SECCLASS_SCTP_SOCKET;
1321 			else
1322 				return SECCLASS_RAWIP_SOCKET;
1323 		case SOCK_DGRAM:
1324 			if (default_protocol_dgram(protocol))
1325 				return SECCLASS_UDP_SOCKET;
1326 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1327 						  protocol == IPPROTO_ICMPV6))
1328 				return SECCLASS_ICMP_SOCKET;
1329 			else
1330 				return SECCLASS_RAWIP_SOCKET;
1331 		case SOCK_DCCP:
1332 			return SECCLASS_DCCP_SOCKET;
1333 		default:
1334 			return SECCLASS_RAWIP_SOCKET;
1335 		}
1336 		break;
1337 	case PF_NETLINK:
1338 		switch (protocol) {
1339 		case NETLINK_ROUTE:
1340 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1341 		case NETLINK_SOCK_DIAG:
1342 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1343 		case NETLINK_NFLOG:
1344 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1345 		case NETLINK_XFRM:
1346 			return SECCLASS_NETLINK_XFRM_SOCKET;
1347 		case NETLINK_SELINUX:
1348 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1349 		case NETLINK_ISCSI:
1350 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1351 		case NETLINK_AUDIT:
1352 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1353 		case NETLINK_FIB_LOOKUP:
1354 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1355 		case NETLINK_CONNECTOR:
1356 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1357 		case NETLINK_NETFILTER:
1358 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1359 		case NETLINK_DNRTMSG:
1360 			return SECCLASS_NETLINK_DNRT_SOCKET;
1361 		case NETLINK_KOBJECT_UEVENT:
1362 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1363 		case NETLINK_GENERIC:
1364 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1365 		case NETLINK_SCSITRANSPORT:
1366 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1367 		case NETLINK_RDMA:
1368 			return SECCLASS_NETLINK_RDMA_SOCKET;
1369 		case NETLINK_CRYPTO:
1370 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1371 		default:
1372 			return SECCLASS_NETLINK_SOCKET;
1373 		}
1374 	case PF_PACKET:
1375 		return SECCLASS_PACKET_SOCKET;
1376 	case PF_KEY:
1377 		return SECCLASS_KEY_SOCKET;
1378 	case PF_APPLETALK:
1379 		return SECCLASS_APPLETALK_SOCKET;
1380 	}
1381 
1382 	if (extsockclass) {
1383 		switch (family) {
1384 		case PF_AX25:
1385 			return SECCLASS_AX25_SOCKET;
1386 		case PF_IPX:
1387 			return SECCLASS_IPX_SOCKET;
1388 		case PF_NETROM:
1389 			return SECCLASS_NETROM_SOCKET;
1390 		case PF_ATMPVC:
1391 			return SECCLASS_ATMPVC_SOCKET;
1392 		case PF_X25:
1393 			return SECCLASS_X25_SOCKET;
1394 		case PF_ROSE:
1395 			return SECCLASS_ROSE_SOCKET;
1396 		case PF_DECnet:
1397 			return SECCLASS_DECNET_SOCKET;
1398 		case PF_ATMSVC:
1399 			return SECCLASS_ATMSVC_SOCKET;
1400 		case PF_RDS:
1401 			return SECCLASS_RDS_SOCKET;
1402 		case PF_IRDA:
1403 			return SECCLASS_IRDA_SOCKET;
1404 		case PF_PPPOX:
1405 			return SECCLASS_PPPOX_SOCKET;
1406 		case PF_LLC:
1407 			return SECCLASS_LLC_SOCKET;
1408 		case PF_CAN:
1409 			return SECCLASS_CAN_SOCKET;
1410 		case PF_TIPC:
1411 			return SECCLASS_TIPC_SOCKET;
1412 		case PF_BLUETOOTH:
1413 			return SECCLASS_BLUETOOTH_SOCKET;
1414 		case PF_IUCV:
1415 			return SECCLASS_IUCV_SOCKET;
1416 		case PF_RXRPC:
1417 			return SECCLASS_RXRPC_SOCKET;
1418 		case PF_ISDN:
1419 			return SECCLASS_ISDN_SOCKET;
1420 		case PF_PHONET:
1421 			return SECCLASS_PHONET_SOCKET;
1422 		case PF_IEEE802154:
1423 			return SECCLASS_IEEE802154_SOCKET;
1424 		case PF_CAIF:
1425 			return SECCLASS_CAIF_SOCKET;
1426 		case PF_ALG:
1427 			return SECCLASS_ALG_SOCKET;
1428 		case PF_NFC:
1429 			return SECCLASS_NFC_SOCKET;
1430 		case PF_VSOCK:
1431 			return SECCLASS_VSOCK_SOCKET;
1432 		case PF_KCM:
1433 			return SECCLASS_KCM_SOCKET;
1434 		case PF_QIPCRTR:
1435 			return SECCLASS_QIPCRTR_SOCKET;
1436 		case PF_SMC:
1437 			return SECCLASS_SMC_SOCKET;
1438 #if PF_MAX > 44
1439 #error New address family defined, please update this function.
1440 #endif
1441 		}
1442 	}
1443 
1444 	return SECCLASS_SOCKET;
1445 }
1446 
1447 static int selinux_genfs_get_sid(struct dentry *dentry,
1448 				 u16 tclass,
1449 				 u16 flags,
1450 				 u32 *sid)
1451 {
1452 	int rc;
1453 	struct super_block *sb = dentry->d_sb;
1454 	char *buffer, *path;
1455 
1456 	buffer = (char *)__get_free_page(GFP_KERNEL);
1457 	if (!buffer)
1458 		return -ENOMEM;
1459 
1460 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1461 	if (IS_ERR(path))
1462 		rc = PTR_ERR(path);
1463 	else {
1464 		if (flags & SE_SBPROC) {
1465 			/* each process gets a /proc/PID/ entry. Strip off the
1466 			 * PID part to get a valid selinux labeling.
1467 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1468 			while (path[1] >= '0' && path[1] <= '9') {
1469 				path[1] = '/';
1470 				path++;
1471 			}
1472 		}
1473 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1474 	}
1475 	free_page((unsigned long)buffer);
1476 	return rc;
1477 }
1478 
1479 /* The inode's security attributes must be initialized before first use. */
1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1481 {
1482 	struct superblock_security_struct *sbsec = NULL;
1483 	struct inode_security_struct *isec = inode->i_security;
1484 	u32 task_sid, sid = 0;
1485 	u16 sclass;
1486 	struct dentry *dentry;
1487 #define INITCONTEXTLEN 255
1488 	char *context = NULL;
1489 	unsigned len = 0;
1490 	int rc = 0;
1491 
1492 	if (isec->initialized == LABEL_INITIALIZED)
1493 		return 0;
1494 
1495 	spin_lock(&isec->lock);
1496 	if (isec->initialized == LABEL_INITIALIZED)
1497 		goto out_unlock;
1498 
1499 	if (isec->sclass == SECCLASS_FILE)
1500 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1501 
1502 	sbsec = inode->i_sb->s_security;
1503 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1504 		/* Defer initialization until selinux_complete_init,
1505 		   after the initial policy is loaded and the security
1506 		   server is ready to handle calls. */
1507 		spin_lock(&sbsec->isec_lock);
1508 		if (list_empty(&isec->list))
1509 			list_add(&isec->list, &sbsec->isec_head);
1510 		spin_unlock(&sbsec->isec_lock);
1511 		goto out_unlock;
1512 	}
1513 
1514 	sclass = isec->sclass;
1515 	task_sid = isec->task_sid;
1516 	sid = isec->sid;
1517 	isec->initialized = LABEL_PENDING;
1518 	spin_unlock(&isec->lock);
1519 
1520 	switch (sbsec->behavior) {
1521 	case SECURITY_FS_USE_NATIVE:
1522 		break;
1523 	case SECURITY_FS_USE_XATTR:
1524 		if (!(inode->i_opflags & IOP_XATTR)) {
1525 			sid = sbsec->def_sid;
1526 			break;
1527 		}
1528 		/* Need a dentry, since the xattr API requires one.
1529 		   Life would be simpler if we could just pass the inode. */
1530 		if (opt_dentry) {
1531 			/* Called from d_instantiate or d_splice_alias. */
1532 			dentry = dget(opt_dentry);
1533 		} else {
1534 			/* Called from selinux_complete_init, try to find a dentry. */
1535 			dentry = d_find_alias(inode);
1536 		}
1537 		if (!dentry) {
1538 			/*
1539 			 * this is can be hit on boot when a file is accessed
1540 			 * before the policy is loaded.  When we load policy we
1541 			 * may find inodes that have no dentry on the
1542 			 * sbsec->isec_head list.  No reason to complain as these
1543 			 * will get fixed up the next time we go through
1544 			 * inode_doinit with a dentry, before these inodes could
1545 			 * be used again by userspace.
1546 			 */
1547 			goto out;
1548 		}
1549 
1550 		len = INITCONTEXTLEN;
1551 		context = kmalloc(len+1, GFP_NOFS);
1552 		if (!context) {
1553 			rc = -ENOMEM;
1554 			dput(dentry);
1555 			goto out;
1556 		}
1557 		context[len] = '\0';
1558 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1559 		if (rc == -ERANGE) {
1560 			kfree(context);
1561 
1562 			/* Need a larger buffer.  Query for the right size. */
1563 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1564 			if (rc < 0) {
1565 				dput(dentry);
1566 				goto out;
1567 			}
1568 			len = rc;
1569 			context = kmalloc(len+1, GFP_NOFS);
1570 			if (!context) {
1571 				rc = -ENOMEM;
1572 				dput(dentry);
1573 				goto out;
1574 			}
1575 			context[len] = '\0';
1576 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1577 		}
1578 		dput(dentry);
1579 		if (rc < 0) {
1580 			if (rc != -ENODATA) {
1581 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1582 				       "%d for dev=%s ino=%ld\n", __func__,
1583 				       -rc, inode->i_sb->s_id, inode->i_ino);
1584 				kfree(context);
1585 				goto out;
1586 			}
1587 			/* Map ENODATA to the default file SID */
1588 			sid = sbsec->def_sid;
1589 			rc = 0;
1590 		} else {
1591 			rc = security_context_to_sid_default(context, rc, &sid,
1592 							     sbsec->def_sid,
1593 							     GFP_NOFS);
1594 			if (rc) {
1595 				char *dev = inode->i_sb->s_id;
1596 				unsigned long ino = inode->i_ino;
1597 
1598 				if (rc == -EINVAL) {
1599 					if (printk_ratelimit())
1600 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1601 							"context=%s.  This indicates you may need to relabel the inode or the "
1602 							"filesystem in question.\n", ino, dev, context);
1603 				} else {
1604 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1605 					       "returned %d for dev=%s ino=%ld\n",
1606 					       __func__, context, -rc, dev, ino);
1607 				}
1608 				kfree(context);
1609 				/* Leave with the unlabeled SID */
1610 				rc = 0;
1611 				break;
1612 			}
1613 		}
1614 		kfree(context);
1615 		break;
1616 	case SECURITY_FS_USE_TASK:
1617 		sid = task_sid;
1618 		break;
1619 	case SECURITY_FS_USE_TRANS:
1620 		/* Default to the fs SID. */
1621 		sid = sbsec->sid;
1622 
1623 		/* Try to obtain a transition SID. */
1624 		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1625 		if (rc)
1626 			goto out;
1627 		break;
1628 	case SECURITY_FS_USE_MNTPOINT:
1629 		sid = sbsec->mntpoint_sid;
1630 		break;
1631 	default:
1632 		/* Default to the fs superblock SID. */
1633 		sid = sbsec->sid;
1634 
1635 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1636 			/* We must have a dentry to determine the label on
1637 			 * procfs inodes */
1638 			if (opt_dentry)
1639 				/* Called from d_instantiate or
1640 				 * d_splice_alias. */
1641 				dentry = dget(opt_dentry);
1642 			else
1643 				/* Called from selinux_complete_init, try to
1644 				 * find a dentry. */
1645 				dentry = d_find_alias(inode);
1646 			/*
1647 			 * This can be hit on boot when a file is accessed
1648 			 * before the policy is loaded.  When we load policy we
1649 			 * may find inodes that have no dentry on the
1650 			 * sbsec->isec_head list.  No reason to complain as
1651 			 * these will get fixed up the next time we go through
1652 			 * inode_doinit() with a dentry, before these inodes
1653 			 * could be used again by userspace.
1654 			 */
1655 			if (!dentry)
1656 				goto out;
1657 			rc = selinux_genfs_get_sid(dentry, sclass,
1658 						   sbsec->flags, &sid);
1659 			dput(dentry);
1660 			if (rc)
1661 				goto out;
1662 		}
1663 		break;
1664 	}
1665 
1666 out:
1667 	spin_lock(&isec->lock);
1668 	if (isec->initialized == LABEL_PENDING) {
1669 		if (!sid || rc) {
1670 			isec->initialized = LABEL_INVALID;
1671 			goto out_unlock;
1672 		}
1673 
1674 		isec->initialized = LABEL_INITIALIZED;
1675 		isec->sid = sid;
1676 	}
1677 
1678 out_unlock:
1679 	spin_unlock(&isec->lock);
1680 	return rc;
1681 }
1682 
1683 /* Convert a Linux signal to an access vector. */
1684 static inline u32 signal_to_av(int sig)
1685 {
1686 	u32 perm = 0;
1687 
1688 	switch (sig) {
1689 	case SIGCHLD:
1690 		/* Commonly granted from child to parent. */
1691 		perm = PROCESS__SIGCHLD;
1692 		break;
1693 	case SIGKILL:
1694 		/* Cannot be caught or ignored */
1695 		perm = PROCESS__SIGKILL;
1696 		break;
1697 	case SIGSTOP:
1698 		/* Cannot be caught or ignored */
1699 		perm = PROCESS__SIGSTOP;
1700 		break;
1701 	default:
1702 		/* All other signals. */
1703 		perm = PROCESS__SIGNAL;
1704 		break;
1705 	}
1706 
1707 	return perm;
1708 }
1709 
1710 #if CAP_LAST_CAP > 63
1711 #error Fix SELinux to handle capabilities > 63.
1712 #endif
1713 
1714 /* Check whether a task is allowed to use a capability. */
1715 static int cred_has_capability(const struct cred *cred,
1716 			       int cap, int audit, bool initns)
1717 {
1718 	struct common_audit_data ad;
1719 	struct av_decision avd;
1720 	u16 sclass;
1721 	u32 sid = cred_sid(cred);
1722 	u32 av = CAP_TO_MASK(cap);
1723 	int rc;
1724 
1725 	ad.type = LSM_AUDIT_DATA_CAP;
1726 	ad.u.cap = cap;
1727 
1728 	switch (CAP_TO_INDEX(cap)) {
1729 	case 0:
1730 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1731 		break;
1732 	case 1:
1733 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1734 		break;
1735 	default:
1736 		printk(KERN_ERR
1737 		       "SELinux:  out of range capability %d\n", cap);
1738 		BUG();
1739 		return -EINVAL;
1740 	}
1741 
1742 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1743 	if (audit == SECURITY_CAP_AUDIT) {
1744 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1745 		if (rc2)
1746 			return rc2;
1747 	}
1748 	return rc;
1749 }
1750 
1751 /* Check whether a task has a particular permission to an inode.
1752    The 'adp' parameter is optional and allows other audit
1753    data to be passed (e.g. the dentry). */
1754 static int inode_has_perm(const struct cred *cred,
1755 			  struct inode *inode,
1756 			  u32 perms,
1757 			  struct common_audit_data *adp)
1758 {
1759 	struct inode_security_struct *isec;
1760 	u32 sid;
1761 
1762 	validate_creds(cred);
1763 
1764 	if (unlikely(IS_PRIVATE(inode)))
1765 		return 0;
1766 
1767 	sid = cred_sid(cred);
1768 	isec = inode->i_security;
1769 
1770 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1771 }
1772 
1773 /* Same as inode_has_perm, but pass explicit audit data containing
1774    the dentry to help the auditing code to more easily generate the
1775    pathname if needed. */
1776 static inline int dentry_has_perm(const struct cred *cred,
1777 				  struct dentry *dentry,
1778 				  u32 av)
1779 {
1780 	struct inode *inode = d_backing_inode(dentry);
1781 	struct common_audit_data ad;
1782 
1783 	ad.type = LSM_AUDIT_DATA_DENTRY;
1784 	ad.u.dentry = dentry;
1785 	__inode_security_revalidate(inode, dentry, true);
1786 	return inode_has_perm(cred, inode, av, &ad);
1787 }
1788 
1789 /* Same as inode_has_perm, but pass explicit audit data containing
1790    the path to help the auditing code to more easily generate the
1791    pathname if needed. */
1792 static inline int path_has_perm(const struct cred *cred,
1793 				const struct path *path,
1794 				u32 av)
1795 {
1796 	struct inode *inode = d_backing_inode(path->dentry);
1797 	struct common_audit_data ad;
1798 
1799 	ad.type = LSM_AUDIT_DATA_PATH;
1800 	ad.u.path = *path;
1801 	__inode_security_revalidate(inode, path->dentry, true);
1802 	return inode_has_perm(cred, inode, av, &ad);
1803 }
1804 
1805 /* Same as path_has_perm, but uses the inode from the file struct. */
1806 static inline int file_path_has_perm(const struct cred *cred,
1807 				     struct file *file,
1808 				     u32 av)
1809 {
1810 	struct common_audit_data ad;
1811 
1812 	ad.type = LSM_AUDIT_DATA_FILE;
1813 	ad.u.file = file;
1814 	return inode_has_perm(cred, file_inode(file), av, &ad);
1815 }
1816 
1817 /* Check whether a task can use an open file descriptor to
1818    access an inode in a given way.  Check access to the
1819    descriptor itself, and then use dentry_has_perm to
1820    check a particular permission to the file.
1821    Access to the descriptor is implicitly granted if it
1822    has the same SID as the process.  If av is zero, then
1823    access to the file is not checked, e.g. for cases
1824    where only the descriptor is affected like seek. */
1825 static int file_has_perm(const struct cred *cred,
1826 			 struct file *file,
1827 			 u32 av)
1828 {
1829 	struct file_security_struct *fsec = file->f_security;
1830 	struct inode *inode = file_inode(file);
1831 	struct common_audit_data ad;
1832 	u32 sid = cred_sid(cred);
1833 	int rc;
1834 
1835 	ad.type = LSM_AUDIT_DATA_FILE;
1836 	ad.u.file = file;
1837 
1838 	if (sid != fsec->sid) {
1839 		rc = avc_has_perm(sid, fsec->sid,
1840 				  SECCLASS_FD,
1841 				  FD__USE,
1842 				  &ad);
1843 		if (rc)
1844 			goto out;
1845 	}
1846 
1847 	/* av is zero if only checking access to the descriptor. */
1848 	rc = 0;
1849 	if (av)
1850 		rc = inode_has_perm(cred, inode, av, &ad);
1851 
1852 out:
1853 	return rc;
1854 }
1855 
1856 /*
1857  * Determine the label for an inode that might be unioned.
1858  */
1859 static int
1860 selinux_determine_inode_label(const struct task_security_struct *tsec,
1861 				 struct inode *dir,
1862 				 const struct qstr *name, u16 tclass,
1863 				 u32 *_new_isid)
1864 {
1865 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1866 
1867 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1868 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1869 		*_new_isid = sbsec->mntpoint_sid;
1870 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1871 		   tsec->create_sid) {
1872 		*_new_isid = tsec->create_sid;
1873 	} else {
1874 		const struct inode_security_struct *dsec = inode_security(dir);
1875 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1876 					       name, _new_isid);
1877 	}
1878 
1879 	return 0;
1880 }
1881 
1882 /* Check whether a task can create a file. */
1883 static int may_create(struct inode *dir,
1884 		      struct dentry *dentry,
1885 		      u16 tclass)
1886 {
1887 	const struct task_security_struct *tsec = current_security();
1888 	struct inode_security_struct *dsec;
1889 	struct superblock_security_struct *sbsec;
1890 	u32 sid, newsid;
1891 	struct common_audit_data ad;
1892 	int rc;
1893 
1894 	dsec = inode_security(dir);
1895 	sbsec = dir->i_sb->s_security;
1896 
1897 	sid = tsec->sid;
1898 
1899 	ad.type = LSM_AUDIT_DATA_DENTRY;
1900 	ad.u.dentry = dentry;
1901 
1902 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1903 			  DIR__ADD_NAME | DIR__SEARCH,
1904 			  &ad);
1905 	if (rc)
1906 		return rc;
1907 
1908 	rc = selinux_determine_inode_label(current_security(), dir,
1909 					   &dentry->d_name, tclass, &newsid);
1910 	if (rc)
1911 		return rc;
1912 
1913 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1914 	if (rc)
1915 		return rc;
1916 
1917 	return avc_has_perm(newsid, sbsec->sid,
1918 			    SECCLASS_FILESYSTEM,
1919 			    FILESYSTEM__ASSOCIATE, &ad);
1920 }
1921 
1922 #define MAY_LINK	0
1923 #define MAY_UNLINK	1
1924 #define MAY_RMDIR	2
1925 
1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1927 static int may_link(struct inode *dir,
1928 		    struct dentry *dentry,
1929 		    int kind)
1930 
1931 {
1932 	struct inode_security_struct *dsec, *isec;
1933 	struct common_audit_data ad;
1934 	u32 sid = current_sid();
1935 	u32 av;
1936 	int rc;
1937 
1938 	dsec = inode_security(dir);
1939 	isec = backing_inode_security(dentry);
1940 
1941 	ad.type = LSM_AUDIT_DATA_DENTRY;
1942 	ad.u.dentry = dentry;
1943 
1944 	av = DIR__SEARCH;
1945 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1946 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1947 	if (rc)
1948 		return rc;
1949 
1950 	switch (kind) {
1951 	case MAY_LINK:
1952 		av = FILE__LINK;
1953 		break;
1954 	case MAY_UNLINK:
1955 		av = FILE__UNLINK;
1956 		break;
1957 	case MAY_RMDIR:
1958 		av = DIR__RMDIR;
1959 		break;
1960 	default:
1961 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1962 			__func__, kind);
1963 		return 0;
1964 	}
1965 
1966 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1967 	return rc;
1968 }
1969 
1970 static inline int may_rename(struct inode *old_dir,
1971 			     struct dentry *old_dentry,
1972 			     struct inode *new_dir,
1973 			     struct dentry *new_dentry)
1974 {
1975 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1976 	struct common_audit_data ad;
1977 	u32 sid = current_sid();
1978 	u32 av;
1979 	int old_is_dir, new_is_dir;
1980 	int rc;
1981 
1982 	old_dsec = inode_security(old_dir);
1983 	old_isec = backing_inode_security(old_dentry);
1984 	old_is_dir = d_is_dir(old_dentry);
1985 	new_dsec = inode_security(new_dir);
1986 
1987 	ad.type = LSM_AUDIT_DATA_DENTRY;
1988 
1989 	ad.u.dentry = old_dentry;
1990 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1991 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1992 	if (rc)
1993 		return rc;
1994 	rc = avc_has_perm(sid, old_isec->sid,
1995 			  old_isec->sclass, FILE__RENAME, &ad);
1996 	if (rc)
1997 		return rc;
1998 	if (old_is_dir && new_dir != old_dir) {
1999 		rc = avc_has_perm(sid, old_isec->sid,
2000 				  old_isec->sclass, DIR__REPARENT, &ad);
2001 		if (rc)
2002 			return rc;
2003 	}
2004 
2005 	ad.u.dentry = new_dentry;
2006 	av = DIR__ADD_NAME | DIR__SEARCH;
2007 	if (d_is_positive(new_dentry))
2008 		av |= DIR__REMOVE_NAME;
2009 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2010 	if (rc)
2011 		return rc;
2012 	if (d_is_positive(new_dentry)) {
2013 		new_isec = backing_inode_security(new_dentry);
2014 		new_is_dir = d_is_dir(new_dentry);
2015 		rc = avc_has_perm(sid, new_isec->sid,
2016 				  new_isec->sclass,
2017 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2018 		if (rc)
2019 			return rc;
2020 	}
2021 
2022 	return 0;
2023 }
2024 
2025 /* Check whether a task can perform a filesystem operation. */
2026 static int superblock_has_perm(const struct cred *cred,
2027 			       struct super_block *sb,
2028 			       u32 perms,
2029 			       struct common_audit_data *ad)
2030 {
2031 	struct superblock_security_struct *sbsec;
2032 	u32 sid = cred_sid(cred);
2033 
2034 	sbsec = sb->s_security;
2035 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2036 }
2037 
2038 /* Convert a Linux mode and permission mask to an access vector. */
2039 static inline u32 file_mask_to_av(int mode, int mask)
2040 {
2041 	u32 av = 0;
2042 
2043 	if (!S_ISDIR(mode)) {
2044 		if (mask & MAY_EXEC)
2045 			av |= FILE__EXECUTE;
2046 		if (mask & MAY_READ)
2047 			av |= FILE__READ;
2048 
2049 		if (mask & MAY_APPEND)
2050 			av |= FILE__APPEND;
2051 		else if (mask & MAY_WRITE)
2052 			av |= FILE__WRITE;
2053 
2054 	} else {
2055 		if (mask & MAY_EXEC)
2056 			av |= DIR__SEARCH;
2057 		if (mask & MAY_WRITE)
2058 			av |= DIR__WRITE;
2059 		if (mask & MAY_READ)
2060 			av |= DIR__READ;
2061 	}
2062 
2063 	return av;
2064 }
2065 
2066 /* Convert a Linux file to an access vector. */
2067 static inline u32 file_to_av(struct file *file)
2068 {
2069 	u32 av = 0;
2070 
2071 	if (file->f_mode & FMODE_READ)
2072 		av |= FILE__READ;
2073 	if (file->f_mode & FMODE_WRITE) {
2074 		if (file->f_flags & O_APPEND)
2075 			av |= FILE__APPEND;
2076 		else
2077 			av |= FILE__WRITE;
2078 	}
2079 	if (!av) {
2080 		/*
2081 		 * Special file opened with flags 3 for ioctl-only use.
2082 		 */
2083 		av = FILE__IOCTL;
2084 	}
2085 
2086 	return av;
2087 }
2088 
2089 /*
2090  * Convert a file to an access vector and include the correct open
2091  * open permission.
2092  */
2093 static inline u32 open_file_to_av(struct file *file)
2094 {
2095 	u32 av = file_to_av(file);
2096 	struct inode *inode = file_inode(file);
2097 
2098 	if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2099 		av |= FILE__OPEN;
2100 
2101 	return av;
2102 }
2103 
2104 /* Hook functions begin here. */
2105 
2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2107 {
2108 	u32 mysid = current_sid();
2109 	u32 mgrsid = task_sid(mgr);
2110 
2111 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2112 			    BINDER__SET_CONTEXT_MGR, NULL);
2113 }
2114 
2115 static int selinux_binder_transaction(struct task_struct *from,
2116 				      struct task_struct *to)
2117 {
2118 	u32 mysid = current_sid();
2119 	u32 fromsid = task_sid(from);
2120 	u32 tosid = task_sid(to);
2121 	int rc;
2122 
2123 	if (mysid != fromsid) {
2124 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2125 				  BINDER__IMPERSONATE, NULL);
2126 		if (rc)
2127 			return rc;
2128 	}
2129 
2130 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2131 			    NULL);
2132 }
2133 
2134 static int selinux_binder_transfer_binder(struct task_struct *from,
2135 					  struct task_struct *to)
2136 {
2137 	u32 fromsid = task_sid(from);
2138 	u32 tosid = task_sid(to);
2139 
2140 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2141 			    NULL);
2142 }
2143 
2144 static int selinux_binder_transfer_file(struct task_struct *from,
2145 					struct task_struct *to,
2146 					struct file *file)
2147 {
2148 	u32 sid = task_sid(to);
2149 	struct file_security_struct *fsec = file->f_security;
2150 	struct dentry *dentry = file->f_path.dentry;
2151 	struct inode_security_struct *isec;
2152 	struct common_audit_data ad;
2153 	int rc;
2154 
2155 	ad.type = LSM_AUDIT_DATA_PATH;
2156 	ad.u.path = file->f_path;
2157 
2158 	if (sid != fsec->sid) {
2159 		rc = avc_has_perm(sid, fsec->sid,
2160 				  SECCLASS_FD,
2161 				  FD__USE,
2162 				  &ad);
2163 		if (rc)
2164 			return rc;
2165 	}
2166 
2167 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2168 		return 0;
2169 
2170 	isec = backing_inode_security(dentry);
2171 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2172 			    &ad);
2173 }
2174 
2175 static int selinux_ptrace_access_check(struct task_struct *child,
2176 				     unsigned int mode)
2177 {
2178 	u32 sid = current_sid();
2179 	u32 csid = task_sid(child);
2180 
2181 	if (mode & PTRACE_MODE_READ)
2182 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2183 
2184 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2185 }
2186 
2187 static int selinux_ptrace_traceme(struct task_struct *parent)
2188 {
2189 	return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2190 			    PROCESS__PTRACE, NULL);
2191 }
2192 
2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2194 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2195 {
2196 	return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2197 			    PROCESS__GETCAP, NULL);
2198 }
2199 
2200 static int selinux_capset(struct cred *new, const struct cred *old,
2201 			  const kernel_cap_t *effective,
2202 			  const kernel_cap_t *inheritable,
2203 			  const kernel_cap_t *permitted)
2204 {
2205 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2206 			    PROCESS__SETCAP, NULL);
2207 }
2208 
2209 /*
2210  * (This comment used to live with the selinux_task_setuid hook,
2211  * which was removed).
2212  *
2213  * Since setuid only affects the current process, and since the SELinux
2214  * controls are not based on the Linux identity attributes, SELinux does not
2215  * need to control this operation.  However, SELinux does control the use of
2216  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2217  */
2218 
2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2220 			   int cap, int audit)
2221 {
2222 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2223 }
2224 
2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2226 {
2227 	const struct cred *cred = current_cred();
2228 	int rc = 0;
2229 
2230 	if (!sb)
2231 		return 0;
2232 
2233 	switch (cmds) {
2234 	case Q_SYNC:
2235 	case Q_QUOTAON:
2236 	case Q_QUOTAOFF:
2237 	case Q_SETINFO:
2238 	case Q_SETQUOTA:
2239 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2240 		break;
2241 	case Q_GETFMT:
2242 	case Q_GETINFO:
2243 	case Q_GETQUOTA:
2244 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2245 		break;
2246 	default:
2247 		rc = 0;  /* let the kernel handle invalid cmds */
2248 		break;
2249 	}
2250 	return rc;
2251 }
2252 
2253 static int selinux_quota_on(struct dentry *dentry)
2254 {
2255 	const struct cred *cred = current_cred();
2256 
2257 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2258 }
2259 
2260 static int selinux_syslog(int type)
2261 {
2262 	switch (type) {
2263 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2264 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2265 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2266 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2267 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2268 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2269 	/* Set level of messages printed to console */
2270 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2271 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2272 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2273 				    NULL);
2274 	}
2275 	/* All other syslog types */
2276 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2277 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2278 }
2279 
2280 /*
2281  * Check that a process has enough memory to allocate a new virtual
2282  * mapping. 0 means there is enough memory for the allocation to
2283  * succeed and -ENOMEM implies there is not.
2284  *
2285  * Do not audit the selinux permission check, as this is applied to all
2286  * processes that allocate mappings.
2287  */
2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2289 {
2290 	int rc, cap_sys_admin = 0;
2291 
2292 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2293 				 SECURITY_CAP_NOAUDIT, true);
2294 	if (rc == 0)
2295 		cap_sys_admin = 1;
2296 
2297 	return cap_sys_admin;
2298 }
2299 
2300 /* binprm security operations */
2301 
2302 static u32 ptrace_parent_sid(void)
2303 {
2304 	u32 sid = 0;
2305 	struct task_struct *tracer;
2306 
2307 	rcu_read_lock();
2308 	tracer = ptrace_parent(current);
2309 	if (tracer)
2310 		sid = task_sid(tracer);
2311 	rcu_read_unlock();
2312 
2313 	return sid;
2314 }
2315 
2316 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2317 			    const struct task_security_struct *old_tsec,
2318 			    const struct task_security_struct *new_tsec)
2319 {
2320 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2321 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2322 	int rc;
2323 	u32 av;
2324 
2325 	if (!nnp && !nosuid)
2326 		return 0; /* neither NNP nor nosuid */
2327 
2328 	if (new_tsec->sid == old_tsec->sid)
2329 		return 0; /* No change in credentials */
2330 
2331 	/*
2332 	 * If the policy enables the nnp_nosuid_transition policy capability,
2333 	 * then we permit transitions under NNP or nosuid if the
2334 	 * policy allows the corresponding permission between
2335 	 * the old and new contexts.
2336 	 */
2337 	if (selinux_policycap_nnp_nosuid_transition) {
2338 		av = 0;
2339 		if (nnp)
2340 			av |= PROCESS2__NNP_TRANSITION;
2341 		if (nosuid)
2342 			av |= PROCESS2__NOSUID_TRANSITION;
2343 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 				  SECCLASS_PROCESS2, av, NULL);
2345 		if (!rc)
2346 			return 0;
2347 	}
2348 
2349 	/*
2350 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2351 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2352 	 * of the permissions of the current SID.
2353 	 */
2354 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2355 	if (!rc)
2356 		return 0;
2357 
2358 	/*
2359 	 * On failure, preserve the errno values for NNP vs nosuid.
2360 	 * NNP:  Operation not permitted for caller.
2361 	 * nosuid:  Permission denied to file.
2362 	 */
2363 	if (nnp)
2364 		return -EPERM;
2365 	return -EACCES;
2366 }
2367 
2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2369 {
2370 	const struct task_security_struct *old_tsec;
2371 	struct task_security_struct *new_tsec;
2372 	struct inode_security_struct *isec;
2373 	struct common_audit_data ad;
2374 	struct inode *inode = file_inode(bprm->file);
2375 	int rc;
2376 
2377 	/* SELinux context only depends on initial program or script and not
2378 	 * the script interpreter */
2379 	if (bprm->called_set_creds)
2380 		return 0;
2381 
2382 	old_tsec = current_security();
2383 	new_tsec = bprm->cred->security;
2384 	isec = inode_security(inode);
2385 
2386 	/* Default to the current task SID. */
2387 	new_tsec->sid = old_tsec->sid;
2388 	new_tsec->osid = old_tsec->sid;
2389 
2390 	/* Reset fs, key, and sock SIDs on execve. */
2391 	new_tsec->create_sid = 0;
2392 	new_tsec->keycreate_sid = 0;
2393 	new_tsec->sockcreate_sid = 0;
2394 
2395 	if (old_tsec->exec_sid) {
2396 		new_tsec->sid = old_tsec->exec_sid;
2397 		/* Reset exec SID on execve. */
2398 		new_tsec->exec_sid = 0;
2399 
2400 		/* Fail on NNP or nosuid if not an allowed transition. */
2401 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2402 		if (rc)
2403 			return rc;
2404 	} else {
2405 		/* Check for a default transition on this program. */
2406 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2407 					     SECCLASS_PROCESS, NULL,
2408 					     &new_tsec->sid);
2409 		if (rc)
2410 			return rc;
2411 
2412 		/*
2413 		 * Fallback to old SID on NNP or nosuid if not an allowed
2414 		 * transition.
2415 		 */
2416 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2417 		if (rc)
2418 			new_tsec->sid = old_tsec->sid;
2419 	}
2420 
2421 	ad.type = LSM_AUDIT_DATA_FILE;
2422 	ad.u.file = bprm->file;
2423 
2424 	if (new_tsec->sid == old_tsec->sid) {
2425 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2426 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2427 		if (rc)
2428 			return rc;
2429 	} else {
2430 		/* Check permissions for the transition. */
2431 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2432 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2433 		if (rc)
2434 			return rc;
2435 
2436 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2437 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2438 		if (rc)
2439 			return rc;
2440 
2441 		/* Check for shared state */
2442 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2443 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2444 					  SECCLASS_PROCESS, PROCESS__SHARE,
2445 					  NULL);
2446 			if (rc)
2447 				return -EPERM;
2448 		}
2449 
2450 		/* Make sure that anyone attempting to ptrace over a task that
2451 		 * changes its SID has the appropriate permit */
2452 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2453 			u32 ptsid = ptrace_parent_sid();
2454 			if (ptsid != 0) {
2455 				rc = avc_has_perm(ptsid, new_tsec->sid,
2456 						  SECCLASS_PROCESS,
2457 						  PROCESS__PTRACE, NULL);
2458 				if (rc)
2459 					return -EPERM;
2460 			}
2461 		}
2462 
2463 		/* Clear any possibly unsafe personality bits on exec: */
2464 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2465 
2466 		/* Enable secure mode for SIDs transitions unless
2467 		   the noatsecure permission is granted between
2468 		   the two SIDs, i.e. ahp returns 0. */
2469 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2470 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2471 				  NULL);
2472 		bprm->secureexec |= !!rc;
2473 	}
2474 
2475 	return 0;
2476 }
2477 
2478 static int match_file(const void *p, struct file *file, unsigned fd)
2479 {
2480 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2481 }
2482 
2483 /* Derived from fs/exec.c:flush_old_files. */
2484 static inline void flush_unauthorized_files(const struct cred *cred,
2485 					    struct files_struct *files)
2486 {
2487 	struct file *file, *devnull = NULL;
2488 	struct tty_struct *tty;
2489 	int drop_tty = 0;
2490 	unsigned n;
2491 
2492 	tty = get_current_tty();
2493 	if (tty) {
2494 		spin_lock(&tty->files_lock);
2495 		if (!list_empty(&tty->tty_files)) {
2496 			struct tty_file_private *file_priv;
2497 
2498 			/* Revalidate access to controlling tty.
2499 			   Use file_path_has_perm on the tty path directly
2500 			   rather than using file_has_perm, as this particular
2501 			   open file may belong to another process and we are
2502 			   only interested in the inode-based check here. */
2503 			file_priv = list_first_entry(&tty->tty_files,
2504 						struct tty_file_private, list);
2505 			file = file_priv->file;
2506 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2507 				drop_tty = 1;
2508 		}
2509 		spin_unlock(&tty->files_lock);
2510 		tty_kref_put(tty);
2511 	}
2512 	/* Reset controlling tty. */
2513 	if (drop_tty)
2514 		no_tty();
2515 
2516 	/* Revalidate access to inherited open files. */
2517 	n = iterate_fd(files, 0, match_file, cred);
2518 	if (!n) /* none found? */
2519 		return;
2520 
2521 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2522 	if (IS_ERR(devnull))
2523 		devnull = NULL;
2524 	/* replace all the matching ones with this */
2525 	do {
2526 		replace_fd(n - 1, devnull, 0);
2527 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2528 	if (devnull)
2529 		fput(devnull);
2530 }
2531 
2532 /*
2533  * Prepare a process for imminent new credential changes due to exec
2534  */
2535 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2536 {
2537 	struct task_security_struct *new_tsec;
2538 	struct rlimit *rlim, *initrlim;
2539 	int rc, i;
2540 
2541 	new_tsec = bprm->cred->security;
2542 	if (new_tsec->sid == new_tsec->osid)
2543 		return;
2544 
2545 	/* Close files for which the new task SID is not authorized. */
2546 	flush_unauthorized_files(bprm->cred, current->files);
2547 
2548 	/* Always clear parent death signal on SID transitions. */
2549 	current->pdeath_signal = 0;
2550 
2551 	/* Check whether the new SID can inherit resource limits from the old
2552 	 * SID.  If not, reset all soft limits to the lower of the current
2553 	 * task's hard limit and the init task's soft limit.
2554 	 *
2555 	 * Note that the setting of hard limits (even to lower them) can be
2556 	 * controlled by the setrlimit check.  The inclusion of the init task's
2557 	 * soft limit into the computation is to avoid resetting soft limits
2558 	 * higher than the default soft limit for cases where the default is
2559 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2560 	 */
2561 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2562 			  PROCESS__RLIMITINH, NULL);
2563 	if (rc) {
2564 		/* protect against do_prlimit() */
2565 		task_lock(current);
2566 		for (i = 0; i < RLIM_NLIMITS; i++) {
2567 			rlim = current->signal->rlim + i;
2568 			initrlim = init_task.signal->rlim + i;
2569 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2570 		}
2571 		task_unlock(current);
2572 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2573 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2574 	}
2575 }
2576 
2577 /*
2578  * Clean up the process immediately after the installation of new credentials
2579  * due to exec
2580  */
2581 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2582 {
2583 	const struct task_security_struct *tsec = current_security();
2584 	struct itimerval itimer;
2585 	u32 osid, sid;
2586 	int rc, i;
2587 
2588 	osid = tsec->osid;
2589 	sid = tsec->sid;
2590 
2591 	if (sid == osid)
2592 		return;
2593 
2594 	/* Check whether the new SID can inherit signal state from the old SID.
2595 	 * If not, clear itimers to avoid subsequent signal generation and
2596 	 * flush and unblock signals.
2597 	 *
2598 	 * This must occur _after_ the task SID has been updated so that any
2599 	 * kill done after the flush will be checked against the new SID.
2600 	 */
2601 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2602 	if (rc) {
2603 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2604 			memset(&itimer, 0, sizeof itimer);
2605 			for (i = 0; i < 3; i++)
2606 				do_setitimer(i, &itimer, NULL);
2607 		}
2608 		spin_lock_irq(&current->sighand->siglock);
2609 		if (!fatal_signal_pending(current)) {
2610 			flush_sigqueue(&current->pending);
2611 			flush_sigqueue(&current->signal->shared_pending);
2612 			flush_signal_handlers(current, 1);
2613 			sigemptyset(&current->blocked);
2614 			recalc_sigpending();
2615 		}
2616 		spin_unlock_irq(&current->sighand->siglock);
2617 	}
2618 
2619 	/* Wake up the parent if it is waiting so that it can recheck
2620 	 * wait permission to the new task SID. */
2621 	read_lock(&tasklist_lock);
2622 	__wake_up_parent(current, current->real_parent);
2623 	read_unlock(&tasklist_lock);
2624 }
2625 
2626 /* superblock security operations */
2627 
2628 static int selinux_sb_alloc_security(struct super_block *sb)
2629 {
2630 	return superblock_alloc_security(sb);
2631 }
2632 
2633 static void selinux_sb_free_security(struct super_block *sb)
2634 {
2635 	superblock_free_security(sb);
2636 }
2637 
2638 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2639 {
2640 	if (plen > olen)
2641 		return 0;
2642 
2643 	return !memcmp(prefix, option, plen);
2644 }
2645 
2646 static inline int selinux_option(char *option, int len)
2647 {
2648 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2649 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2650 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2651 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2652 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2653 }
2654 
2655 static inline void take_option(char **to, char *from, int *first, int len)
2656 {
2657 	if (!*first) {
2658 		**to = ',';
2659 		*to += 1;
2660 	} else
2661 		*first = 0;
2662 	memcpy(*to, from, len);
2663 	*to += len;
2664 }
2665 
2666 static inline void take_selinux_option(char **to, char *from, int *first,
2667 				       int len)
2668 {
2669 	int current_size = 0;
2670 
2671 	if (!*first) {
2672 		**to = '|';
2673 		*to += 1;
2674 	} else
2675 		*first = 0;
2676 
2677 	while (current_size < len) {
2678 		if (*from != '"') {
2679 			**to = *from;
2680 			*to += 1;
2681 		}
2682 		from += 1;
2683 		current_size += 1;
2684 	}
2685 }
2686 
2687 static int selinux_sb_copy_data(char *orig, char *copy)
2688 {
2689 	int fnosec, fsec, rc = 0;
2690 	char *in_save, *in_curr, *in_end;
2691 	char *sec_curr, *nosec_save, *nosec;
2692 	int open_quote = 0;
2693 
2694 	in_curr = orig;
2695 	sec_curr = copy;
2696 
2697 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2698 	if (!nosec) {
2699 		rc = -ENOMEM;
2700 		goto out;
2701 	}
2702 
2703 	nosec_save = nosec;
2704 	fnosec = fsec = 1;
2705 	in_save = in_end = orig;
2706 
2707 	do {
2708 		if (*in_end == '"')
2709 			open_quote = !open_quote;
2710 		if ((*in_end == ',' && open_quote == 0) ||
2711 				*in_end == '\0') {
2712 			int len = in_end - in_curr;
2713 
2714 			if (selinux_option(in_curr, len))
2715 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2716 			else
2717 				take_option(&nosec, in_curr, &fnosec, len);
2718 
2719 			in_curr = in_end + 1;
2720 		}
2721 	} while (*in_end++);
2722 
2723 	strcpy(in_save, nosec_save);
2724 	free_page((unsigned long)nosec_save);
2725 out:
2726 	return rc;
2727 }
2728 
2729 static int selinux_sb_remount(struct super_block *sb, void *data)
2730 {
2731 	int rc, i, *flags;
2732 	struct security_mnt_opts opts;
2733 	char *secdata, **mount_options;
2734 	struct superblock_security_struct *sbsec = sb->s_security;
2735 
2736 	if (!(sbsec->flags & SE_SBINITIALIZED))
2737 		return 0;
2738 
2739 	if (!data)
2740 		return 0;
2741 
2742 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2743 		return 0;
2744 
2745 	security_init_mnt_opts(&opts);
2746 	secdata = alloc_secdata();
2747 	if (!secdata)
2748 		return -ENOMEM;
2749 	rc = selinux_sb_copy_data(data, secdata);
2750 	if (rc)
2751 		goto out_free_secdata;
2752 
2753 	rc = selinux_parse_opts_str(secdata, &opts);
2754 	if (rc)
2755 		goto out_free_secdata;
2756 
2757 	mount_options = opts.mnt_opts;
2758 	flags = opts.mnt_opts_flags;
2759 
2760 	for (i = 0; i < opts.num_mnt_opts; i++) {
2761 		u32 sid;
2762 
2763 		if (flags[i] == SBLABEL_MNT)
2764 			continue;
2765 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2766 		if (rc) {
2767 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2768 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2769 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2770 			goto out_free_opts;
2771 		}
2772 		rc = -EINVAL;
2773 		switch (flags[i]) {
2774 		case FSCONTEXT_MNT:
2775 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2776 				goto out_bad_option;
2777 			break;
2778 		case CONTEXT_MNT:
2779 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2780 				goto out_bad_option;
2781 			break;
2782 		case ROOTCONTEXT_MNT: {
2783 			struct inode_security_struct *root_isec;
2784 			root_isec = backing_inode_security(sb->s_root);
2785 
2786 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2787 				goto out_bad_option;
2788 			break;
2789 		}
2790 		case DEFCONTEXT_MNT:
2791 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2792 				goto out_bad_option;
2793 			break;
2794 		default:
2795 			goto out_free_opts;
2796 		}
2797 	}
2798 
2799 	rc = 0;
2800 out_free_opts:
2801 	security_free_mnt_opts(&opts);
2802 out_free_secdata:
2803 	free_secdata(secdata);
2804 	return rc;
2805 out_bad_option:
2806 	printk(KERN_WARNING "SELinux: unable to change security options "
2807 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2808 	       sb->s_type->name);
2809 	goto out_free_opts;
2810 }
2811 
2812 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2813 {
2814 	const struct cred *cred = current_cred();
2815 	struct common_audit_data ad;
2816 	int rc;
2817 
2818 	rc = superblock_doinit(sb, data);
2819 	if (rc)
2820 		return rc;
2821 
2822 	/* Allow all mounts performed by the kernel */
2823 	if (flags & MS_KERNMOUNT)
2824 		return 0;
2825 
2826 	ad.type = LSM_AUDIT_DATA_DENTRY;
2827 	ad.u.dentry = sb->s_root;
2828 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2829 }
2830 
2831 static int selinux_sb_statfs(struct dentry *dentry)
2832 {
2833 	const struct cred *cred = current_cred();
2834 	struct common_audit_data ad;
2835 
2836 	ad.type = LSM_AUDIT_DATA_DENTRY;
2837 	ad.u.dentry = dentry->d_sb->s_root;
2838 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2839 }
2840 
2841 static int selinux_mount(const char *dev_name,
2842 			 const struct path *path,
2843 			 const char *type,
2844 			 unsigned long flags,
2845 			 void *data)
2846 {
2847 	const struct cred *cred = current_cred();
2848 
2849 	if (flags & MS_REMOUNT)
2850 		return superblock_has_perm(cred, path->dentry->d_sb,
2851 					   FILESYSTEM__REMOUNT, NULL);
2852 	else
2853 		return path_has_perm(cred, path, FILE__MOUNTON);
2854 }
2855 
2856 static int selinux_umount(struct vfsmount *mnt, int flags)
2857 {
2858 	const struct cred *cred = current_cred();
2859 
2860 	return superblock_has_perm(cred, mnt->mnt_sb,
2861 				   FILESYSTEM__UNMOUNT, NULL);
2862 }
2863 
2864 /* inode security operations */
2865 
2866 static int selinux_inode_alloc_security(struct inode *inode)
2867 {
2868 	return inode_alloc_security(inode);
2869 }
2870 
2871 static void selinux_inode_free_security(struct inode *inode)
2872 {
2873 	inode_free_security(inode);
2874 }
2875 
2876 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2877 					const struct qstr *name, void **ctx,
2878 					u32 *ctxlen)
2879 {
2880 	u32 newsid;
2881 	int rc;
2882 
2883 	rc = selinux_determine_inode_label(current_security(),
2884 					   d_inode(dentry->d_parent), name,
2885 					   inode_mode_to_security_class(mode),
2886 					   &newsid);
2887 	if (rc)
2888 		return rc;
2889 
2890 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2891 }
2892 
2893 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2894 					  struct qstr *name,
2895 					  const struct cred *old,
2896 					  struct cred *new)
2897 {
2898 	u32 newsid;
2899 	int rc;
2900 	struct task_security_struct *tsec;
2901 
2902 	rc = selinux_determine_inode_label(old->security,
2903 					   d_inode(dentry->d_parent), name,
2904 					   inode_mode_to_security_class(mode),
2905 					   &newsid);
2906 	if (rc)
2907 		return rc;
2908 
2909 	tsec = new->security;
2910 	tsec->create_sid = newsid;
2911 	return 0;
2912 }
2913 
2914 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2915 				       const struct qstr *qstr,
2916 				       const char **name,
2917 				       void **value, size_t *len)
2918 {
2919 	const struct task_security_struct *tsec = current_security();
2920 	struct superblock_security_struct *sbsec;
2921 	u32 sid, newsid, clen;
2922 	int rc;
2923 	char *context;
2924 
2925 	sbsec = dir->i_sb->s_security;
2926 
2927 	sid = tsec->sid;
2928 	newsid = tsec->create_sid;
2929 
2930 	rc = selinux_determine_inode_label(current_security(),
2931 		dir, qstr,
2932 		inode_mode_to_security_class(inode->i_mode),
2933 		&newsid);
2934 	if (rc)
2935 		return rc;
2936 
2937 	/* Possibly defer initialization to selinux_complete_init. */
2938 	if (sbsec->flags & SE_SBINITIALIZED) {
2939 		struct inode_security_struct *isec = inode->i_security;
2940 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2941 		isec->sid = newsid;
2942 		isec->initialized = LABEL_INITIALIZED;
2943 	}
2944 
2945 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2946 		return -EOPNOTSUPP;
2947 
2948 	if (name)
2949 		*name = XATTR_SELINUX_SUFFIX;
2950 
2951 	if (value && len) {
2952 		rc = security_sid_to_context_force(newsid, &context, &clen);
2953 		if (rc)
2954 			return rc;
2955 		*value = context;
2956 		*len = clen;
2957 	}
2958 
2959 	return 0;
2960 }
2961 
2962 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2963 {
2964 	return may_create(dir, dentry, SECCLASS_FILE);
2965 }
2966 
2967 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2968 {
2969 	return may_link(dir, old_dentry, MAY_LINK);
2970 }
2971 
2972 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2973 {
2974 	return may_link(dir, dentry, MAY_UNLINK);
2975 }
2976 
2977 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2978 {
2979 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2980 }
2981 
2982 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2983 {
2984 	return may_create(dir, dentry, SECCLASS_DIR);
2985 }
2986 
2987 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2988 {
2989 	return may_link(dir, dentry, MAY_RMDIR);
2990 }
2991 
2992 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2993 {
2994 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2995 }
2996 
2997 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2998 				struct inode *new_inode, struct dentry *new_dentry)
2999 {
3000 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3001 }
3002 
3003 static int selinux_inode_readlink(struct dentry *dentry)
3004 {
3005 	const struct cred *cred = current_cred();
3006 
3007 	return dentry_has_perm(cred, dentry, FILE__READ);
3008 }
3009 
3010 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3011 				     bool rcu)
3012 {
3013 	const struct cred *cred = current_cred();
3014 	struct common_audit_data ad;
3015 	struct inode_security_struct *isec;
3016 	u32 sid;
3017 
3018 	validate_creds(cred);
3019 
3020 	ad.type = LSM_AUDIT_DATA_DENTRY;
3021 	ad.u.dentry = dentry;
3022 	sid = cred_sid(cred);
3023 	isec = inode_security_rcu(inode, rcu);
3024 	if (IS_ERR(isec))
3025 		return PTR_ERR(isec);
3026 
3027 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3028 				  rcu ? MAY_NOT_BLOCK : 0);
3029 }
3030 
3031 static noinline int audit_inode_permission(struct inode *inode,
3032 					   u32 perms, u32 audited, u32 denied,
3033 					   int result,
3034 					   unsigned flags)
3035 {
3036 	struct common_audit_data ad;
3037 	struct inode_security_struct *isec = inode->i_security;
3038 	int rc;
3039 
3040 	ad.type = LSM_AUDIT_DATA_INODE;
3041 	ad.u.inode = inode;
3042 
3043 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3044 			    audited, denied, result, &ad, flags);
3045 	if (rc)
3046 		return rc;
3047 	return 0;
3048 }
3049 
3050 static int selinux_inode_permission(struct inode *inode, int mask)
3051 {
3052 	const struct cred *cred = current_cred();
3053 	u32 perms;
3054 	bool from_access;
3055 	unsigned flags = mask & MAY_NOT_BLOCK;
3056 	struct inode_security_struct *isec;
3057 	u32 sid;
3058 	struct av_decision avd;
3059 	int rc, rc2;
3060 	u32 audited, denied;
3061 
3062 	from_access = mask & MAY_ACCESS;
3063 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3064 
3065 	/* No permission to check.  Existence test. */
3066 	if (!mask)
3067 		return 0;
3068 
3069 	validate_creds(cred);
3070 
3071 	if (unlikely(IS_PRIVATE(inode)))
3072 		return 0;
3073 
3074 	perms = file_mask_to_av(inode->i_mode, mask);
3075 
3076 	sid = cred_sid(cred);
3077 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3078 	if (IS_ERR(isec))
3079 		return PTR_ERR(isec);
3080 
3081 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3082 	audited = avc_audit_required(perms, &avd, rc,
3083 				     from_access ? FILE__AUDIT_ACCESS : 0,
3084 				     &denied);
3085 	if (likely(!audited))
3086 		return rc;
3087 
3088 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3089 	if (rc2)
3090 		return rc2;
3091 	return rc;
3092 }
3093 
3094 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3095 {
3096 	const struct cred *cred = current_cred();
3097 	struct inode *inode = d_backing_inode(dentry);
3098 	unsigned int ia_valid = iattr->ia_valid;
3099 	__u32 av = FILE__WRITE;
3100 
3101 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3102 	if (ia_valid & ATTR_FORCE) {
3103 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3104 			      ATTR_FORCE);
3105 		if (!ia_valid)
3106 			return 0;
3107 	}
3108 
3109 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3110 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3111 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3112 
3113 	if (selinux_policycap_openperm &&
3114 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3115 	    (ia_valid & ATTR_SIZE) &&
3116 	    !(ia_valid & ATTR_FILE))
3117 		av |= FILE__OPEN;
3118 
3119 	return dentry_has_perm(cred, dentry, av);
3120 }
3121 
3122 static int selinux_inode_getattr(const struct path *path)
3123 {
3124 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3125 }
3126 
3127 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3128 {
3129 	const struct cred *cred = current_cred();
3130 
3131 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3132 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3133 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3134 			if (!capable(CAP_SETFCAP))
3135 				return -EPERM;
3136 		} else if (!capable(CAP_SYS_ADMIN)) {
3137 			/* A different attribute in the security namespace.
3138 			   Restrict to administrator. */
3139 			return -EPERM;
3140 		}
3141 	}
3142 
3143 	/* Not an attribute we recognize, so just check the
3144 	   ordinary setattr permission. */
3145 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3146 }
3147 
3148 static bool has_cap_mac_admin(bool audit)
3149 {
3150 	const struct cred *cred = current_cred();
3151 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3152 
3153 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3154 		return false;
3155 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3156 		return false;
3157 	return true;
3158 }
3159 
3160 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3161 				  const void *value, size_t size, int flags)
3162 {
3163 	struct inode *inode = d_backing_inode(dentry);
3164 	struct inode_security_struct *isec;
3165 	struct superblock_security_struct *sbsec;
3166 	struct common_audit_data ad;
3167 	u32 newsid, sid = current_sid();
3168 	int rc = 0;
3169 
3170 	if (strcmp(name, XATTR_NAME_SELINUX))
3171 		return selinux_inode_setotherxattr(dentry, name);
3172 
3173 	sbsec = inode->i_sb->s_security;
3174 	if (!(sbsec->flags & SBLABEL_MNT))
3175 		return -EOPNOTSUPP;
3176 
3177 	if (!inode_owner_or_capable(inode))
3178 		return -EPERM;
3179 
3180 	ad.type = LSM_AUDIT_DATA_DENTRY;
3181 	ad.u.dentry = dentry;
3182 
3183 	isec = backing_inode_security(dentry);
3184 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3185 			  FILE__RELABELFROM, &ad);
3186 	if (rc)
3187 		return rc;
3188 
3189 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3190 	if (rc == -EINVAL) {
3191 		if (!has_cap_mac_admin(true)) {
3192 			struct audit_buffer *ab;
3193 			size_t audit_size;
3194 			const char *str;
3195 
3196 			/* We strip a nul only if it is at the end, otherwise the
3197 			 * context contains a nul and we should audit that */
3198 			if (value) {
3199 				str = value;
3200 				if (str[size - 1] == '\0')
3201 					audit_size = size - 1;
3202 				else
3203 					audit_size = size;
3204 			} else {
3205 				str = "";
3206 				audit_size = 0;
3207 			}
3208 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3209 			audit_log_format(ab, "op=setxattr invalid_context=");
3210 			audit_log_n_untrustedstring(ab, value, audit_size);
3211 			audit_log_end(ab);
3212 
3213 			return rc;
3214 		}
3215 		rc = security_context_to_sid_force(value, size, &newsid);
3216 	}
3217 	if (rc)
3218 		return rc;
3219 
3220 	rc = avc_has_perm(sid, newsid, isec->sclass,
3221 			  FILE__RELABELTO, &ad);
3222 	if (rc)
3223 		return rc;
3224 
3225 	rc = security_validate_transition(isec->sid, newsid, sid,
3226 					  isec->sclass);
3227 	if (rc)
3228 		return rc;
3229 
3230 	return avc_has_perm(newsid,
3231 			    sbsec->sid,
3232 			    SECCLASS_FILESYSTEM,
3233 			    FILESYSTEM__ASSOCIATE,
3234 			    &ad);
3235 }
3236 
3237 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3238 					const void *value, size_t size,
3239 					int flags)
3240 {
3241 	struct inode *inode = d_backing_inode(dentry);
3242 	struct inode_security_struct *isec;
3243 	u32 newsid;
3244 	int rc;
3245 
3246 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3247 		/* Not an attribute we recognize, so nothing to do. */
3248 		return;
3249 	}
3250 
3251 	rc = security_context_to_sid_force(value, size, &newsid);
3252 	if (rc) {
3253 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3254 		       "for (%s, %lu), rc=%d\n",
3255 		       inode->i_sb->s_id, inode->i_ino, -rc);
3256 		return;
3257 	}
3258 
3259 	isec = backing_inode_security(dentry);
3260 	spin_lock(&isec->lock);
3261 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3262 	isec->sid = newsid;
3263 	isec->initialized = LABEL_INITIALIZED;
3264 	spin_unlock(&isec->lock);
3265 
3266 	return;
3267 }
3268 
3269 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3270 {
3271 	const struct cred *cred = current_cred();
3272 
3273 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3274 }
3275 
3276 static int selinux_inode_listxattr(struct dentry *dentry)
3277 {
3278 	const struct cred *cred = current_cred();
3279 
3280 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3281 }
3282 
3283 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3284 {
3285 	if (strcmp(name, XATTR_NAME_SELINUX))
3286 		return selinux_inode_setotherxattr(dentry, name);
3287 
3288 	/* No one is allowed to remove a SELinux security label.
3289 	   You can change the label, but all data must be labeled. */
3290 	return -EACCES;
3291 }
3292 
3293 /*
3294  * Copy the inode security context value to the user.
3295  *
3296  * Permission check is handled by selinux_inode_getxattr hook.
3297  */
3298 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3299 {
3300 	u32 size;
3301 	int error;
3302 	char *context = NULL;
3303 	struct inode_security_struct *isec;
3304 
3305 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3306 		return -EOPNOTSUPP;
3307 
3308 	/*
3309 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3310 	 * value even if it is not defined by current policy; otherwise,
3311 	 * use the in-core value under current policy.
3312 	 * Use the non-auditing forms of the permission checks since
3313 	 * getxattr may be called by unprivileged processes commonly
3314 	 * and lack of permission just means that we fall back to the
3315 	 * in-core context value, not a denial.
3316 	 */
3317 	isec = inode_security(inode);
3318 	if (has_cap_mac_admin(false))
3319 		error = security_sid_to_context_force(isec->sid, &context,
3320 						      &size);
3321 	else
3322 		error = security_sid_to_context(isec->sid, &context, &size);
3323 	if (error)
3324 		return error;
3325 	error = size;
3326 	if (alloc) {
3327 		*buffer = context;
3328 		goto out_nofree;
3329 	}
3330 	kfree(context);
3331 out_nofree:
3332 	return error;
3333 }
3334 
3335 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3336 				     const void *value, size_t size, int flags)
3337 {
3338 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3339 	u32 newsid;
3340 	int rc;
3341 
3342 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3343 		return -EOPNOTSUPP;
3344 
3345 	if (!value || !size)
3346 		return -EACCES;
3347 
3348 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3349 	if (rc)
3350 		return rc;
3351 
3352 	spin_lock(&isec->lock);
3353 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3354 	isec->sid = newsid;
3355 	isec->initialized = LABEL_INITIALIZED;
3356 	spin_unlock(&isec->lock);
3357 	return 0;
3358 }
3359 
3360 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3361 {
3362 	const int len = sizeof(XATTR_NAME_SELINUX);
3363 	if (buffer && len <= buffer_size)
3364 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3365 	return len;
3366 }
3367 
3368 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3369 {
3370 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3371 	*secid = isec->sid;
3372 }
3373 
3374 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3375 {
3376 	u32 sid;
3377 	struct task_security_struct *tsec;
3378 	struct cred *new_creds = *new;
3379 
3380 	if (new_creds == NULL) {
3381 		new_creds = prepare_creds();
3382 		if (!new_creds)
3383 			return -ENOMEM;
3384 	}
3385 
3386 	tsec = new_creds->security;
3387 	/* Get label from overlay inode and set it in create_sid */
3388 	selinux_inode_getsecid(d_inode(src), &sid);
3389 	tsec->create_sid = sid;
3390 	*new = new_creds;
3391 	return 0;
3392 }
3393 
3394 static int selinux_inode_copy_up_xattr(const char *name)
3395 {
3396 	/* The copy_up hook above sets the initial context on an inode, but we
3397 	 * don't then want to overwrite it by blindly copying all the lower
3398 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3399 	 */
3400 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3401 		return 1; /* Discard */
3402 	/*
3403 	 * Any other attribute apart from SELINUX is not claimed, supported
3404 	 * by selinux.
3405 	 */
3406 	return -EOPNOTSUPP;
3407 }
3408 
3409 /* file security operations */
3410 
3411 static int selinux_revalidate_file_permission(struct file *file, int mask)
3412 {
3413 	const struct cred *cred = current_cred();
3414 	struct inode *inode = file_inode(file);
3415 
3416 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3417 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3418 		mask |= MAY_APPEND;
3419 
3420 	return file_has_perm(cred, file,
3421 			     file_mask_to_av(inode->i_mode, mask));
3422 }
3423 
3424 static int selinux_file_permission(struct file *file, int mask)
3425 {
3426 	struct inode *inode = file_inode(file);
3427 	struct file_security_struct *fsec = file->f_security;
3428 	struct inode_security_struct *isec;
3429 	u32 sid = current_sid();
3430 
3431 	if (!mask)
3432 		/* No permission to check.  Existence test. */
3433 		return 0;
3434 
3435 	isec = inode_security(inode);
3436 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3437 	    fsec->pseqno == avc_policy_seqno())
3438 		/* No change since file_open check. */
3439 		return 0;
3440 
3441 	return selinux_revalidate_file_permission(file, mask);
3442 }
3443 
3444 static int selinux_file_alloc_security(struct file *file)
3445 {
3446 	return file_alloc_security(file);
3447 }
3448 
3449 static void selinux_file_free_security(struct file *file)
3450 {
3451 	file_free_security(file);
3452 }
3453 
3454 /*
3455  * Check whether a task has the ioctl permission and cmd
3456  * operation to an inode.
3457  */
3458 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3459 		u32 requested, u16 cmd)
3460 {
3461 	struct common_audit_data ad;
3462 	struct file_security_struct *fsec = file->f_security;
3463 	struct inode *inode = file_inode(file);
3464 	struct inode_security_struct *isec;
3465 	struct lsm_ioctlop_audit ioctl;
3466 	u32 ssid = cred_sid(cred);
3467 	int rc;
3468 	u8 driver = cmd >> 8;
3469 	u8 xperm = cmd & 0xff;
3470 
3471 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3472 	ad.u.op = &ioctl;
3473 	ad.u.op->cmd = cmd;
3474 	ad.u.op->path = file->f_path;
3475 
3476 	if (ssid != fsec->sid) {
3477 		rc = avc_has_perm(ssid, fsec->sid,
3478 				SECCLASS_FD,
3479 				FD__USE,
3480 				&ad);
3481 		if (rc)
3482 			goto out;
3483 	}
3484 
3485 	if (unlikely(IS_PRIVATE(inode)))
3486 		return 0;
3487 
3488 	isec = inode_security(inode);
3489 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3490 			requested, driver, xperm, &ad);
3491 out:
3492 	return rc;
3493 }
3494 
3495 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3496 			      unsigned long arg)
3497 {
3498 	const struct cred *cred = current_cred();
3499 	int error = 0;
3500 
3501 	switch (cmd) {
3502 	case FIONREAD:
3503 	/* fall through */
3504 	case FIBMAP:
3505 	/* fall through */
3506 	case FIGETBSZ:
3507 	/* fall through */
3508 	case FS_IOC_GETFLAGS:
3509 	/* fall through */
3510 	case FS_IOC_GETVERSION:
3511 		error = file_has_perm(cred, file, FILE__GETATTR);
3512 		break;
3513 
3514 	case FS_IOC_SETFLAGS:
3515 	/* fall through */
3516 	case FS_IOC_SETVERSION:
3517 		error = file_has_perm(cred, file, FILE__SETATTR);
3518 		break;
3519 
3520 	/* sys_ioctl() checks */
3521 	case FIONBIO:
3522 	/* fall through */
3523 	case FIOASYNC:
3524 		error = file_has_perm(cred, file, 0);
3525 		break;
3526 
3527 	case KDSKBENT:
3528 	case KDSKBSENT:
3529 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3530 					    SECURITY_CAP_AUDIT, true);
3531 		break;
3532 
3533 	/* default case assumes that the command will go
3534 	 * to the file's ioctl() function.
3535 	 */
3536 	default:
3537 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3538 	}
3539 	return error;
3540 }
3541 
3542 static int default_noexec;
3543 
3544 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3545 {
3546 	const struct cred *cred = current_cred();
3547 	u32 sid = cred_sid(cred);
3548 	int rc = 0;
3549 
3550 	if (default_noexec &&
3551 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3552 				   (!shared && (prot & PROT_WRITE)))) {
3553 		/*
3554 		 * We are making executable an anonymous mapping or a
3555 		 * private file mapping that will also be writable.
3556 		 * This has an additional check.
3557 		 */
3558 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3559 				  PROCESS__EXECMEM, NULL);
3560 		if (rc)
3561 			goto error;
3562 	}
3563 
3564 	if (file) {
3565 		/* read access is always possible with a mapping */
3566 		u32 av = FILE__READ;
3567 
3568 		/* write access only matters if the mapping is shared */
3569 		if (shared && (prot & PROT_WRITE))
3570 			av |= FILE__WRITE;
3571 
3572 		if (prot & PROT_EXEC)
3573 			av |= FILE__EXECUTE;
3574 
3575 		return file_has_perm(cred, file, av);
3576 	}
3577 
3578 error:
3579 	return rc;
3580 }
3581 
3582 static int selinux_mmap_addr(unsigned long addr)
3583 {
3584 	int rc = 0;
3585 
3586 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3587 		u32 sid = current_sid();
3588 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3589 				  MEMPROTECT__MMAP_ZERO, NULL);
3590 	}
3591 
3592 	return rc;
3593 }
3594 
3595 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3596 			     unsigned long prot, unsigned long flags)
3597 {
3598 	struct common_audit_data ad;
3599 	int rc;
3600 
3601 	if (file) {
3602 		ad.type = LSM_AUDIT_DATA_FILE;
3603 		ad.u.file = file;
3604 		rc = inode_has_perm(current_cred(), file_inode(file),
3605 				    FILE__MAP, &ad);
3606 		if (rc)
3607 			return rc;
3608 	}
3609 
3610 	if (selinux_checkreqprot)
3611 		prot = reqprot;
3612 
3613 	return file_map_prot_check(file, prot,
3614 				   (flags & MAP_TYPE) == MAP_SHARED);
3615 }
3616 
3617 static int selinux_file_mprotect(struct vm_area_struct *vma,
3618 				 unsigned long reqprot,
3619 				 unsigned long prot)
3620 {
3621 	const struct cred *cred = current_cred();
3622 	u32 sid = cred_sid(cred);
3623 
3624 	if (selinux_checkreqprot)
3625 		prot = reqprot;
3626 
3627 	if (default_noexec &&
3628 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3629 		int rc = 0;
3630 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3631 		    vma->vm_end <= vma->vm_mm->brk) {
3632 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3633 					  PROCESS__EXECHEAP, NULL);
3634 		} else if (!vma->vm_file &&
3635 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3636 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3637 			    vma_is_stack_for_current(vma))) {
3638 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3639 					  PROCESS__EXECSTACK, NULL);
3640 		} else if (vma->vm_file && vma->anon_vma) {
3641 			/*
3642 			 * We are making executable a file mapping that has
3643 			 * had some COW done. Since pages might have been
3644 			 * written, check ability to execute the possibly
3645 			 * modified content.  This typically should only
3646 			 * occur for text relocations.
3647 			 */
3648 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3649 		}
3650 		if (rc)
3651 			return rc;
3652 	}
3653 
3654 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3655 }
3656 
3657 static int selinux_file_lock(struct file *file, unsigned int cmd)
3658 {
3659 	const struct cred *cred = current_cred();
3660 
3661 	return file_has_perm(cred, file, FILE__LOCK);
3662 }
3663 
3664 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3665 			      unsigned long arg)
3666 {
3667 	const struct cred *cred = current_cred();
3668 	int err = 0;
3669 
3670 	switch (cmd) {
3671 	case F_SETFL:
3672 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3673 			err = file_has_perm(cred, file, FILE__WRITE);
3674 			break;
3675 		}
3676 		/* fall through */
3677 	case F_SETOWN:
3678 	case F_SETSIG:
3679 	case F_GETFL:
3680 	case F_GETOWN:
3681 	case F_GETSIG:
3682 	case F_GETOWNER_UIDS:
3683 		/* Just check FD__USE permission */
3684 		err = file_has_perm(cred, file, 0);
3685 		break;
3686 	case F_GETLK:
3687 	case F_SETLK:
3688 	case F_SETLKW:
3689 	case F_OFD_GETLK:
3690 	case F_OFD_SETLK:
3691 	case F_OFD_SETLKW:
3692 #if BITS_PER_LONG == 32
3693 	case F_GETLK64:
3694 	case F_SETLK64:
3695 	case F_SETLKW64:
3696 #endif
3697 		err = file_has_perm(cred, file, FILE__LOCK);
3698 		break;
3699 	}
3700 
3701 	return err;
3702 }
3703 
3704 static void selinux_file_set_fowner(struct file *file)
3705 {
3706 	struct file_security_struct *fsec;
3707 
3708 	fsec = file->f_security;
3709 	fsec->fown_sid = current_sid();
3710 }
3711 
3712 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3713 				       struct fown_struct *fown, int signum)
3714 {
3715 	struct file *file;
3716 	u32 sid = task_sid(tsk);
3717 	u32 perm;
3718 	struct file_security_struct *fsec;
3719 
3720 	/* struct fown_struct is never outside the context of a struct file */
3721 	file = container_of(fown, struct file, f_owner);
3722 
3723 	fsec = file->f_security;
3724 
3725 	if (!signum)
3726 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3727 	else
3728 		perm = signal_to_av(signum);
3729 
3730 	return avc_has_perm(fsec->fown_sid, sid,
3731 			    SECCLASS_PROCESS, perm, NULL);
3732 }
3733 
3734 static int selinux_file_receive(struct file *file)
3735 {
3736 	const struct cred *cred = current_cred();
3737 
3738 	return file_has_perm(cred, file, file_to_av(file));
3739 }
3740 
3741 static int selinux_file_open(struct file *file, const struct cred *cred)
3742 {
3743 	struct file_security_struct *fsec;
3744 	struct inode_security_struct *isec;
3745 
3746 	fsec = file->f_security;
3747 	isec = inode_security(file_inode(file));
3748 	/*
3749 	 * Save inode label and policy sequence number
3750 	 * at open-time so that selinux_file_permission
3751 	 * can determine whether revalidation is necessary.
3752 	 * Task label is already saved in the file security
3753 	 * struct as its SID.
3754 	 */
3755 	fsec->isid = isec->sid;
3756 	fsec->pseqno = avc_policy_seqno();
3757 	/*
3758 	 * Since the inode label or policy seqno may have changed
3759 	 * between the selinux_inode_permission check and the saving
3760 	 * of state above, recheck that access is still permitted.
3761 	 * Otherwise, access might never be revalidated against the
3762 	 * new inode label or new policy.
3763 	 * This check is not redundant - do not remove.
3764 	 */
3765 	return file_path_has_perm(cred, file, open_file_to_av(file));
3766 }
3767 
3768 /* task security operations */
3769 
3770 static int selinux_task_alloc(struct task_struct *task,
3771 			      unsigned long clone_flags)
3772 {
3773 	u32 sid = current_sid();
3774 
3775 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3776 }
3777 
3778 /*
3779  * allocate the SELinux part of blank credentials
3780  */
3781 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3782 {
3783 	struct task_security_struct *tsec;
3784 
3785 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3786 	if (!tsec)
3787 		return -ENOMEM;
3788 
3789 	cred->security = tsec;
3790 	return 0;
3791 }
3792 
3793 /*
3794  * detach and free the LSM part of a set of credentials
3795  */
3796 static void selinux_cred_free(struct cred *cred)
3797 {
3798 	struct task_security_struct *tsec = cred->security;
3799 
3800 	/*
3801 	 * cred->security == NULL if security_cred_alloc_blank() or
3802 	 * security_prepare_creds() returned an error.
3803 	 */
3804 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3805 	cred->security = (void *) 0x7UL;
3806 	kfree(tsec);
3807 }
3808 
3809 /*
3810  * prepare a new set of credentials for modification
3811  */
3812 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3813 				gfp_t gfp)
3814 {
3815 	const struct task_security_struct *old_tsec;
3816 	struct task_security_struct *tsec;
3817 
3818 	old_tsec = old->security;
3819 
3820 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3821 	if (!tsec)
3822 		return -ENOMEM;
3823 
3824 	new->security = tsec;
3825 	return 0;
3826 }
3827 
3828 /*
3829  * transfer the SELinux data to a blank set of creds
3830  */
3831 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3832 {
3833 	const struct task_security_struct *old_tsec = old->security;
3834 	struct task_security_struct *tsec = new->security;
3835 
3836 	*tsec = *old_tsec;
3837 }
3838 
3839 /*
3840  * set the security data for a kernel service
3841  * - all the creation contexts are set to unlabelled
3842  */
3843 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3844 {
3845 	struct task_security_struct *tsec = new->security;
3846 	u32 sid = current_sid();
3847 	int ret;
3848 
3849 	ret = avc_has_perm(sid, secid,
3850 			   SECCLASS_KERNEL_SERVICE,
3851 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3852 			   NULL);
3853 	if (ret == 0) {
3854 		tsec->sid = secid;
3855 		tsec->create_sid = 0;
3856 		tsec->keycreate_sid = 0;
3857 		tsec->sockcreate_sid = 0;
3858 	}
3859 	return ret;
3860 }
3861 
3862 /*
3863  * set the file creation context in a security record to the same as the
3864  * objective context of the specified inode
3865  */
3866 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3867 {
3868 	struct inode_security_struct *isec = inode_security(inode);
3869 	struct task_security_struct *tsec = new->security;
3870 	u32 sid = current_sid();
3871 	int ret;
3872 
3873 	ret = avc_has_perm(sid, isec->sid,
3874 			   SECCLASS_KERNEL_SERVICE,
3875 			   KERNEL_SERVICE__CREATE_FILES_AS,
3876 			   NULL);
3877 
3878 	if (ret == 0)
3879 		tsec->create_sid = isec->sid;
3880 	return ret;
3881 }
3882 
3883 static int selinux_kernel_module_request(char *kmod_name)
3884 {
3885 	struct common_audit_data ad;
3886 
3887 	ad.type = LSM_AUDIT_DATA_KMOD;
3888 	ad.u.kmod_name = kmod_name;
3889 
3890 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3891 			    SYSTEM__MODULE_REQUEST, &ad);
3892 }
3893 
3894 static int selinux_kernel_module_from_file(struct file *file)
3895 {
3896 	struct common_audit_data ad;
3897 	struct inode_security_struct *isec;
3898 	struct file_security_struct *fsec;
3899 	u32 sid = current_sid();
3900 	int rc;
3901 
3902 	/* init_module */
3903 	if (file == NULL)
3904 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3905 					SYSTEM__MODULE_LOAD, NULL);
3906 
3907 	/* finit_module */
3908 
3909 	ad.type = LSM_AUDIT_DATA_FILE;
3910 	ad.u.file = file;
3911 
3912 	fsec = file->f_security;
3913 	if (sid != fsec->sid) {
3914 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3915 		if (rc)
3916 			return rc;
3917 	}
3918 
3919 	isec = inode_security(file_inode(file));
3920 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3921 				SYSTEM__MODULE_LOAD, &ad);
3922 }
3923 
3924 static int selinux_kernel_read_file(struct file *file,
3925 				    enum kernel_read_file_id id)
3926 {
3927 	int rc = 0;
3928 
3929 	switch (id) {
3930 	case READING_MODULE:
3931 		rc = selinux_kernel_module_from_file(file);
3932 		break;
3933 	default:
3934 		break;
3935 	}
3936 
3937 	return rc;
3938 }
3939 
3940 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3941 {
3942 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3943 			    PROCESS__SETPGID, NULL);
3944 }
3945 
3946 static int selinux_task_getpgid(struct task_struct *p)
3947 {
3948 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3949 			    PROCESS__GETPGID, NULL);
3950 }
3951 
3952 static int selinux_task_getsid(struct task_struct *p)
3953 {
3954 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3955 			    PROCESS__GETSESSION, NULL);
3956 }
3957 
3958 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3959 {
3960 	*secid = task_sid(p);
3961 }
3962 
3963 static int selinux_task_setnice(struct task_struct *p, int nice)
3964 {
3965 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3966 			    PROCESS__SETSCHED, NULL);
3967 }
3968 
3969 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3970 {
3971 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3972 			    PROCESS__SETSCHED, NULL);
3973 }
3974 
3975 static int selinux_task_getioprio(struct task_struct *p)
3976 {
3977 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3978 			    PROCESS__GETSCHED, NULL);
3979 }
3980 
3981 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3982 			 unsigned int flags)
3983 {
3984 	u32 av = 0;
3985 
3986 	if (!flags)
3987 		return 0;
3988 	if (flags & LSM_PRLIMIT_WRITE)
3989 		av |= PROCESS__SETRLIMIT;
3990 	if (flags & LSM_PRLIMIT_READ)
3991 		av |= PROCESS__GETRLIMIT;
3992 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3993 			    SECCLASS_PROCESS, av, NULL);
3994 }
3995 
3996 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3997 		struct rlimit *new_rlim)
3998 {
3999 	struct rlimit *old_rlim = p->signal->rlim + resource;
4000 
4001 	/* Control the ability to change the hard limit (whether
4002 	   lowering or raising it), so that the hard limit can
4003 	   later be used as a safe reset point for the soft limit
4004 	   upon context transitions.  See selinux_bprm_committing_creds. */
4005 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4006 		return avc_has_perm(current_sid(), task_sid(p),
4007 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4008 
4009 	return 0;
4010 }
4011 
4012 static int selinux_task_setscheduler(struct task_struct *p)
4013 {
4014 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4015 			    PROCESS__SETSCHED, NULL);
4016 }
4017 
4018 static int selinux_task_getscheduler(struct task_struct *p)
4019 {
4020 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4021 			    PROCESS__GETSCHED, NULL);
4022 }
4023 
4024 static int selinux_task_movememory(struct task_struct *p)
4025 {
4026 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4027 			    PROCESS__SETSCHED, NULL);
4028 }
4029 
4030 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4031 				int sig, u32 secid)
4032 {
4033 	u32 perm;
4034 
4035 	if (!sig)
4036 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4037 	else
4038 		perm = signal_to_av(sig);
4039 	if (!secid)
4040 		secid = current_sid();
4041 	return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4042 }
4043 
4044 static void selinux_task_to_inode(struct task_struct *p,
4045 				  struct inode *inode)
4046 {
4047 	struct inode_security_struct *isec = inode->i_security;
4048 	u32 sid = task_sid(p);
4049 
4050 	spin_lock(&isec->lock);
4051 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4052 	isec->sid = sid;
4053 	isec->initialized = LABEL_INITIALIZED;
4054 	spin_unlock(&isec->lock);
4055 }
4056 
4057 /* Returns error only if unable to parse addresses */
4058 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4059 			struct common_audit_data *ad, u8 *proto)
4060 {
4061 	int offset, ihlen, ret = -EINVAL;
4062 	struct iphdr _iph, *ih;
4063 
4064 	offset = skb_network_offset(skb);
4065 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4066 	if (ih == NULL)
4067 		goto out;
4068 
4069 	ihlen = ih->ihl * 4;
4070 	if (ihlen < sizeof(_iph))
4071 		goto out;
4072 
4073 	ad->u.net->v4info.saddr = ih->saddr;
4074 	ad->u.net->v4info.daddr = ih->daddr;
4075 	ret = 0;
4076 
4077 	if (proto)
4078 		*proto = ih->protocol;
4079 
4080 	switch (ih->protocol) {
4081 	case IPPROTO_TCP: {
4082 		struct tcphdr _tcph, *th;
4083 
4084 		if (ntohs(ih->frag_off) & IP_OFFSET)
4085 			break;
4086 
4087 		offset += ihlen;
4088 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4089 		if (th == NULL)
4090 			break;
4091 
4092 		ad->u.net->sport = th->source;
4093 		ad->u.net->dport = th->dest;
4094 		break;
4095 	}
4096 
4097 	case IPPROTO_UDP: {
4098 		struct udphdr _udph, *uh;
4099 
4100 		if (ntohs(ih->frag_off) & IP_OFFSET)
4101 			break;
4102 
4103 		offset += ihlen;
4104 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4105 		if (uh == NULL)
4106 			break;
4107 
4108 		ad->u.net->sport = uh->source;
4109 		ad->u.net->dport = uh->dest;
4110 		break;
4111 	}
4112 
4113 	case IPPROTO_DCCP: {
4114 		struct dccp_hdr _dccph, *dh;
4115 
4116 		if (ntohs(ih->frag_off) & IP_OFFSET)
4117 			break;
4118 
4119 		offset += ihlen;
4120 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4121 		if (dh == NULL)
4122 			break;
4123 
4124 		ad->u.net->sport = dh->dccph_sport;
4125 		ad->u.net->dport = dh->dccph_dport;
4126 		break;
4127 	}
4128 
4129 	default:
4130 		break;
4131 	}
4132 out:
4133 	return ret;
4134 }
4135 
4136 #if IS_ENABLED(CONFIG_IPV6)
4137 
4138 /* Returns error only if unable to parse addresses */
4139 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4140 			struct common_audit_data *ad, u8 *proto)
4141 {
4142 	u8 nexthdr;
4143 	int ret = -EINVAL, offset;
4144 	struct ipv6hdr _ipv6h, *ip6;
4145 	__be16 frag_off;
4146 
4147 	offset = skb_network_offset(skb);
4148 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4149 	if (ip6 == NULL)
4150 		goto out;
4151 
4152 	ad->u.net->v6info.saddr = ip6->saddr;
4153 	ad->u.net->v6info.daddr = ip6->daddr;
4154 	ret = 0;
4155 
4156 	nexthdr = ip6->nexthdr;
4157 	offset += sizeof(_ipv6h);
4158 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4159 	if (offset < 0)
4160 		goto out;
4161 
4162 	if (proto)
4163 		*proto = nexthdr;
4164 
4165 	switch (nexthdr) {
4166 	case IPPROTO_TCP: {
4167 		struct tcphdr _tcph, *th;
4168 
4169 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4170 		if (th == NULL)
4171 			break;
4172 
4173 		ad->u.net->sport = th->source;
4174 		ad->u.net->dport = th->dest;
4175 		break;
4176 	}
4177 
4178 	case IPPROTO_UDP: {
4179 		struct udphdr _udph, *uh;
4180 
4181 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4182 		if (uh == NULL)
4183 			break;
4184 
4185 		ad->u.net->sport = uh->source;
4186 		ad->u.net->dport = uh->dest;
4187 		break;
4188 	}
4189 
4190 	case IPPROTO_DCCP: {
4191 		struct dccp_hdr _dccph, *dh;
4192 
4193 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4194 		if (dh == NULL)
4195 			break;
4196 
4197 		ad->u.net->sport = dh->dccph_sport;
4198 		ad->u.net->dport = dh->dccph_dport;
4199 		break;
4200 	}
4201 
4202 	/* includes fragments */
4203 	default:
4204 		break;
4205 	}
4206 out:
4207 	return ret;
4208 }
4209 
4210 #endif /* IPV6 */
4211 
4212 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4213 			     char **_addrp, int src, u8 *proto)
4214 {
4215 	char *addrp;
4216 	int ret;
4217 
4218 	switch (ad->u.net->family) {
4219 	case PF_INET:
4220 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4221 		if (ret)
4222 			goto parse_error;
4223 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4224 				       &ad->u.net->v4info.daddr);
4225 		goto okay;
4226 
4227 #if IS_ENABLED(CONFIG_IPV6)
4228 	case PF_INET6:
4229 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4230 		if (ret)
4231 			goto parse_error;
4232 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4233 				       &ad->u.net->v6info.daddr);
4234 		goto okay;
4235 #endif	/* IPV6 */
4236 	default:
4237 		addrp = NULL;
4238 		goto okay;
4239 	}
4240 
4241 parse_error:
4242 	printk(KERN_WARNING
4243 	       "SELinux: failure in selinux_parse_skb(),"
4244 	       " unable to parse packet\n");
4245 	return ret;
4246 
4247 okay:
4248 	if (_addrp)
4249 		*_addrp = addrp;
4250 	return 0;
4251 }
4252 
4253 /**
4254  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4255  * @skb: the packet
4256  * @family: protocol family
4257  * @sid: the packet's peer label SID
4258  *
4259  * Description:
4260  * Check the various different forms of network peer labeling and determine
4261  * the peer label/SID for the packet; most of the magic actually occurs in
4262  * the security server function security_net_peersid_cmp().  The function
4263  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4264  * or -EACCES if @sid is invalid due to inconsistencies with the different
4265  * peer labels.
4266  *
4267  */
4268 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4269 {
4270 	int err;
4271 	u32 xfrm_sid;
4272 	u32 nlbl_sid;
4273 	u32 nlbl_type;
4274 
4275 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4276 	if (unlikely(err))
4277 		return -EACCES;
4278 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4279 	if (unlikely(err))
4280 		return -EACCES;
4281 
4282 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4283 	if (unlikely(err)) {
4284 		printk(KERN_WARNING
4285 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4286 		       " unable to determine packet's peer label\n");
4287 		return -EACCES;
4288 	}
4289 
4290 	return 0;
4291 }
4292 
4293 /**
4294  * selinux_conn_sid - Determine the child socket label for a connection
4295  * @sk_sid: the parent socket's SID
4296  * @skb_sid: the packet's SID
4297  * @conn_sid: the resulting connection SID
4298  *
4299  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4300  * combined with the MLS information from @skb_sid in order to create
4301  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4302  * of @sk_sid.  Returns zero on success, negative values on failure.
4303  *
4304  */
4305 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4306 {
4307 	int err = 0;
4308 
4309 	if (skb_sid != SECSID_NULL)
4310 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4311 	else
4312 		*conn_sid = sk_sid;
4313 
4314 	return err;
4315 }
4316 
4317 /* socket security operations */
4318 
4319 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4320 				 u16 secclass, u32 *socksid)
4321 {
4322 	if (tsec->sockcreate_sid > SECSID_NULL) {
4323 		*socksid = tsec->sockcreate_sid;
4324 		return 0;
4325 	}
4326 
4327 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4328 				       socksid);
4329 }
4330 
4331 static int sock_has_perm(struct sock *sk, u32 perms)
4332 {
4333 	struct sk_security_struct *sksec = sk->sk_security;
4334 	struct common_audit_data ad;
4335 	struct lsm_network_audit net = {0,};
4336 
4337 	if (sksec->sid == SECINITSID_KERNEL)
4338 		return 0;
4339 
4340 	ad.type = LSM_AUDIT_DATA_NET;
4341 	ad.u.net = &net;
4342 	ad.u.net->sk = sk;
4343 
4344 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4345 			    &ad);
4346 }
4347 
4348 static int selinux_socket_create(int family, int type,
4349 				 int protocol, int kern)
4350 {
4351 	const struct task_security_struct *tsec = current_security();
4352 	u32 newsid;
4353 	u16 secclass;
4354 	int rc;
4355 
4356 	if (kern)
4357 		return 0;
4358 
4359 	secclass = socket_type_to_security_class(family, type, protocol);
4360 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4361 	if (rc)
4362 		return rc;
4363 
4364 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4365 }
4366 
4367 static int selinux_socket_post_create(struct socket *sock, int family,
4368 				      int type, int protocol, int kern)
4369 {
4370 	const struct task_security_struct *tsec = current_security();
4371 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4372 	struct sk_security_struct *sksec;
4373 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4374 	u32 sid = SECINITSID_KERNEL;
4375 	int err = 0;
4376 
4377 	if (!kern) {
4378 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4379 		if (err)
4380 			return err;
4381 	}
4382 
4383 	isec->sclass = sclass;
4384 	isec->sid = sid;
4385 	isec->initialized = LABEL_INITIALIZED;
4386 
4387 	if (sock->sk) {
4388 		sksec = sock->sk->sk_security;
4389 		sksec->sclass = sclass;
4390 		sksec->sid = sid;
4391 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4392 	}
4393 
4394 	return err;
4395 }
4396 
4397 /* Range of port numbers used to automatically bind.
4398    Need to determine whether we should perform a name_bind
4399    permission check between the socket and the port number. */
4400 
4401 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4402 {
4403 	struct sock *sk = sock->sk;
4404 	u16 family;
4405 	int err;
4406 
4407 	err = sock_has_perm(sk, SOCKET__BIND);
4408 	if (err)
4409 		goto out;
4410 
4411 	/*
4412 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4413 	 * Multiple address binding for SCTP is not supported yet: we just
4414 	 * check the first address now.
4415 	 */
4416 	family = sk->sk_family;
4417 	if (family == PF_INET || family == PF_INET6) {
4418 		char *addrp;
4419 		struct sk_security_struct *sksec = sk->sk_security;
4420 		struct common_audit_data ad;
4421 		struct lsm_network_audit net = {0,};
4422 		struct sockaddr_in *addr4 = NULL;
4423 		struct sockaddr_in6 *addr6 = NULL;
4424 		unsigned short snum;
4425 		u32 sid, node_perm;
4426 
4427 		if (family == PF_INET) {
4428 			if (addrlen < sizeof(struct sockaddr_in)) {
4429 				err = -EINVAL;
4430 				goto out;
4431 			}
4432 			addr4 = (struct sockaddr_in *)address;
4433 			snum = ntohs(addr4->sin_port);
4434 			addrp = (char *)&addr4->sin_addr.s_addr;
4435 		} else {
4436 			if (addrlen < SIN6_LEN_RFC2133) {
4437 				err = -EINVAL;
4438 				goto out;
4439 			}
4440 			addr6 = (struct sockaddr_in6 *)address;
4441 			snum = ntohs(addr6->sin6_port);
4442 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4443 		}
4444 
4445 		if (snum) {
4446 			int low, high;
4447 
4448 			inet_get_local_port_range(sock_net(sk), &low, &high);
4449 
4450 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4451 			    snum > high) {
4452 				err = sel_netport_sid(sk->sk_protocol,
4453 						      snum, &sid);
4454 				if (err)
4455 					goto out;
4456 				ad.type = LSM_AUDIT_DATA_NET;
4457 				ad.u.net = &net;
4458 				ad.u.net->sport = htons(snum);
4459 				ad.u.net->family = family;
4460 				err = avc_has_perm(sksec->sid, sid,
4461 						   sksec->sclass,
4462 						   SOCKET__NAME_BIND, &ad);
4463 				if (err)
4464 					goto out;
4465 			}
4466 		}
4467 
4468 		switch (sksec->sclass) {
4469 		case SECCLASS_TCP_SOCKET:
4470 			node_perm = TCP_SOCKET__NODE_BIND;
4471 			break;
4472 
4473 		case SECCLASS_UDP_SOCKET:
4474 			node_perm = UDP_SOCKET__NODE_BIND;
4475 			break;
4476 
4477 		case SECCLASS_DCCP_SOCKET:
4478 			node_perm = DCCP_SOCKET__NODE_BIND;
4479 			break;
4480 
4481 		default:
4482 			node_perm = RAWIP_SOCKET__NODE_BIND;
4483 			break;
4484 		}
4485 
4486 		err = sel_netnode_sid(addrp, family, &sid);
4487 		if (err)
4488 			goto out;
4489 
4490 		ad.type = LSM_AUDIT_DATA_NET;
4491 		ad.u.net = &net;
4492 		ad.u.net->sport = htons(snum);
4493 		ad.u.net->family = family;
4494 
4495 		if (family == PF_INET)
4496 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4497 		else
4498 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4499 
4500 		err = avc_has_perm(sksec->sid, sid,
4501 				   sksec->sclass, node_perm, &ad);
4502 		if (err)
4503 			goto out;
4504 	}
4505 out:
4506 	return err;
4507 }
4508 
4509 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4510 {
4511 	struct sock *sk = sock->sk;
4512 	struct sk_security_struct *sksec = sk->sk_security;
4513 	int err;
4514 
4515 	err = sock_has_perm(sk, SOCKET__CONNECT);
4516 	if (err)
4517 		return err;
4518 
4519 	/*
4520 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4521 	 */
4522 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4523 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4524 		struct common_audit_data ad;
4525 		struct lsm_network_audit net = {0,};
4526 		struct sockaddr_in *addr4 = NULL;
4527 		struct sockaddr_in6 *addr6 = NULL;
4528 		unsigned short snum;
4529 		u32 sid, perm;
4530 
4531 		if (sk->sk_family == PF_INET) {
4532 			addr4 = (struct sockaddr_in *)address;
4533 			if (addrlen < sizeof(struct sockaddr_in))
4534 				return -EINVAL;
4535 			snum = ntohs(addr4->sin_port);
4536 		} else {
4537 			addr6 = (struct sockaddr_in6 *)address;
4538 			if (addrlen < SIN6_LEN_RFC2133)
4539 				return -EINVAL;
4540 			snum = ntohs(addr6->sin6_port);
4541 		}
4542 
4543 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4544 		if (err)
4545 			goto out;
4546 
4547 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4548 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4549 
4550 		ad.type = LSM_AUDIT_DATA_NET;
4551 		ad.u.net = &net;
4552 		ad.u.net->dport = htons(snum);
4553 		ad.u.net->family = sk->sk_family;
4554 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4555 		if (err)
4556 			goto out;
4557 	}
4558 
4559 	err = selinux_netlbl_socket_connect(sk, address);
4560 
4561 out:
4562 	return err;
4563 }
4564 
4565 static int selinux_socket_listen(struct socket *sock, int backlog)
4566 {
4567 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4568 }
4569 
4570 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4571 {
4572 	int err;
4573 	struct inode_security_struct *isec;
4574 	struct inode_security_struct *newisec;
4575 	u16 sclass;
4576 	u32 sid;
4577 
4578 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4579 	if (err)
4580 		return err;
4581 
4582 	isec = inode_security_novalidate(SOCK_INODE(sock));
4583 	spin_lock(&isec->lock);
4584 	sclass = isec->sclass;
4585 	sid = isec->sid;
4586 	spin_unlock(&isec->lock);
4587 
4588 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4589 	newisec->sclass = sclass;
4590 	newisec->sid = sid;
4591 	newisec->initialized = LABEL_INITIALIZED;
4592 
4593 	return 0;
4594 }
4595 
4596 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4597 				  int size)
4598 {
4599 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4600 }
4601 
4602 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4603 				  int size, int flags)
4604 {
4605 	return sock_has_perm(sock->sk, SOCKET__READ);
4606 }
4607 
4608 static int selinux_socket_getsockname(struct socket *sock)
4609 {
4610 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4611 }
4612 
4613 static int selinux_socket_getpeername(struct socket *sock)
4614 {
4615 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4616 }
4617 
4618 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4619 {
4620 	int err;
4621 
4622 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4623 	if (err)
4624 		return err;
4625 
4626 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4627 }
4628 
4629 static int selinux_socket_getsockopt(struct socket *sock, int level,
4630 				     int optname)
4631 {
4632 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4633 }
4634 
4635 static int selinux_socket_shutdown(struct socket *sock, int how)
4636 {
4637 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4638 }
4639 
4640 static int selinux_socket_unix_stream_connect(struct sock *sock,
4641 					      struct sock *other,
4642 					      struct sock *newsk)
4643 {
4644 	struct sk_security_struct *sksec_sock = sock->sk_security;
4645 	struct sk_security_struct *sksec_other = other->sk_security;
4646 	struct sk_security_struct *sksec_new = newsk->sk_security;
4647 	struct common_audit_data ad;
4648 	struct lsm_network_audit net = {0,};
4649 	int err;
4650 
4651 	ad.type = LSM_AUDIT_DATA_NET;
4652 	ad.u.net = &net;
4653 	ad.u.net->sk = other;
4654 
4655 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4656 			   sksec_other->sclass,
4657 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4658 	if (err)
4659 		return err;
4660 
4661 	/* server child socket */
4662 	sksec_new->peer_sid = sksec_sock->sid;
4663 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4664 				    &sksec_new->sid);
4665 	if (err)
4666 		return err;
4667 
4668 	/* connecting socket */
4669 	sksec_sock->peer_sid = sksec_new->sid;
4670 
4671 	return 0;
4672 }
4673 
4674 static int selinux_socket_unix_may_send(struct socket *sock,
4675 					struct socket *other)
4676 {
4677 	struct sk_security_struct *ssec = sock->sk->sk_security;
4678 	struct sk_security_struct *osec = other->sk->sk_security;
4679 	struct common_audit_data ad;
4680 	struct lsm_network_audit net = {0,};
4681 
4682 	ad.type = LSM_AUDIT_DATA_NET;
4683 	ad.u.net = &net;
4684 	ad.u.net->sk = other->sk;
4685 
4686 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4687 			    &ad);
4688 }
4689 
4690 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4691 				    char *addrp, u16 family, u32 peer_sid,
4692 				    struct common_audit_data *ad)
4693 {
4694 	int err;
4695 	u32 if_sid;
4696 	u32 node_sid;
4697 
4698 	err = sel_netif_sid(ns, ifindex, &if_sid);
4699 	if (err)
4700 		return err;
4701 	err = avc_has_perm(peer_sid, if_sid,
4702 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4703 	if (err)
4704 		return err;
4705 
4706 	err = sel_netnode_sid(addrp, family, &node_sid);
4707 	if (err)
4708 		return err;
4709 	return avc_has_perm(peer_sid, node_sid,
4710 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4711 }
4712 
4713 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4714 				       u16 family)
4715 {
4716 	int err = 0;
4717 	struct sk_security_struct *sksec = sk->sk_security;
4718 	u32 sk_sid = sksec->sid;
4719 	struct common_audit_data ad;
4720 	struct lsm_network_audit net = {0,};
4721 	char *addrp;
4722 
4723 	ad.type = LSM_AUDIT_DATA_NET;
4724 	ad.u.net = &net;
4725 	ad.u.net->netif = skb->skb_iif;
4726 	ad.u.net->family = family;
4727 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4728 	if (err)
4729 		return err;
4730 
4731 	if (selinux_secmark_enabled()) {
4732 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4733 				   PACKET__RECV, &ad);
4734 		if (err)
4735 			return err;
4736 	}
4737 
4738 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4739 	if (err)
4740 		return err;
4741 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4742 
4743 	return err;
4744 }
4745 
4746 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4747 {
4748 	int err;
4749 	struct sk_security_struct *sksec = sk->sk_security;
4750 	u16 family = sk->sk_family;
4751 	u32 sk_sid = sksec->sid;
4752 	struct common_audit_data ad;
4753 	struct lsm_network_audit net = {0,};
4754 	char *addrp;
4755 	u8 secmark_active;
4756 	u8 peerlbl_active;
4757 
4758 	if (family != PF_INET && family != PF_INET6)
4759 		return 0;
4760 
4761 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4762 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4763 		family = PF_INET;
4764 
4765 	/* If any sort of compatibility mode is enabled then handoff processing
4766 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4767 	 * special handling.  We do this in an attempt to keep this function
4768 	 * as fast and as clean as possible. */
4769 	if (!selinux_policycap_netpeer)
4770 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4771 
4772 	secmark_active = selinux_secmark_enabled();
4773 	peerlbl_active = selinux_peerlbl_enabled();
4774 	if (!secmark_active && !peerlbl_active)
4775 		return 0;
4776 
4777 	ad.type = LSM_AUDIT_DATA_NET;
4778 	ad.u.net = &net;
4779 	ad.u.net->netif = skb->skb_iif;
4780 	ad.u.net->family = family;
4781 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4782 	if (err)
4783 		return err;
4784 
4785 	if (peerlbl_active) {
4786 		u32 peer_sid;
4787 
4788 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4789 		if (err)
4790 			return err;
4791 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4792 					       addrp, family, peer_sid, &ad);
4793 		if (err) {
4794 			selinux_netlbl_err(skb, family, err, 0);
4795 			return err;
4796 		}
4797 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4798 				   PEER__RECV, &ad);
4799 		if (err) {
4800 			selinux_netlbl_err(skb, family, err, 0);
4801 			return err;
4802 		}
4803 	}
4804 
4805 	if (secmark_active) {
4806 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4807 				   PACKET__RECV, &ad);
4808 		if (err)
4809 			return err;
4810 	}
4811 
4812 	return err;
4813 }
4814 
4815 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4816 					    int __user *optlen, unsigned len)
4817 {
4818 	int err = 0;
4819 	char *scontext;
4820 	u32 scontext_len;
4821 	struct sk_security_struct *sksec = sock->sk->sk_security;
4822 	u32 peer_sid = SECSID_NULL;
4823 
4824 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4825 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4826 		peer_sid = sksec->peer_sid;
4827 	if (peer_sid == SECSID_NULL)
4828 		return -ENOPROTOOPT;
4829 
4830 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4831 	if (err)
4832 		return err;
4833 
4834 	if (scontext_len > len) {
4835 		err = -ERANGE;
4836 		goto out_len;
4837 	}
4838 
4839 	if (copy_to_user(optval, scontext, scontext_len))
4840 		err = -EFAULT;
4841 
4842 out_len:
4843 	if (put_user(scontext_len, optlen))
4844 		err = -EFAULT;
4845 	kfree(scontext);
4846 	return err;
4847 }
4848 
4849 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4850 {
4851 	u32 peer_secid = SECSID_NULL;
4852 	u16 family;
4853 	struct inode_security_struct *isec;
4854 
4855 	if (skb && skb->protocol == htons(ETH_P_IP))
4856 		family = PF_INET;
4857 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4858 		family = PF_INET6;
4859 	else if (sock)
4860 		family = sock->sk->sk_family;
4861 	else
4862 		goto out;
4863 
4864 	if (sock && family == PF_UNIX) {
4865 		isec = inode_security_novalidate(SOCK_INODE(sock));
4866 		peer_secid = isec->sid;
4867 	} else if (skb)
4868 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4869 
4870 out:
4871 	*secid = peer_secid;
4872 	if (peer_secid == SECSID_NULL)
4873 		return -EINVAL;
4874 	return 0;
4875 }
4876 
4877 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4878 {
4879 	struct sk_security_struct *sksec;
4880 
4881 	sksec = kzalloc(sizeof(*sksec), priority);
4882 	if (!sksec)
4883 		return -ENOMEM;
4884 
4885 	sksec->peer_sid = SECINITSID_UNLABELED;
4886 	sksec->sid = SECINITSID_UNLABELED;
4887 	sksec->sclass = SECCLASS_SOCKET;
4888 	selinux_netlbl_sk_security_reset(sksec);
4889 	sk->sk_security = sksec;
4890 
4891 	return 0;
4892 }
4893 
4894 static void selinux_sk_free_security(struct sock *sk)
4895 {
4896 	struct sk_security_struct *sksec = sk->sk_security;
4897 
4898 	sk->sk_security = NULL;
4899 	selinux_netlbl_sk_security_free(sksec);
4900 	kfree(sksec);
4901 }
4902 
4903 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4904 {
4905 	struct sk_security_struct *sksec = sk->sk_security;
4906 	struct sk_security_struct *newsksec = newsk->sk_security;
4907 
4908 	newsksec->sid = sksec->sid;
4909 	newsksec->peer_sid = sksec->peer_sid;
4910 	newsksec->sclass = sksec->sclass;
4911 
4912 	selinux_netlbl_sk_security_reset(newsksec);
4913 }
4914 
4915 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4916 {
4917 	if (!sk)
4918 		*secid = SECINITSID_ANY_SOCKET;
4919 	else {
4920 		struct sk_security_struct *sksec = sk->sk_security;
4921 
4922 		*secid = sksec->sid;
4923 	}
4924 }
4925 
4926 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4927 {
4928 	struct inode_security_struct *isec =
4929 		inode_security_novalidate(SOCK_INODE(parent));
4930 	struct sk_security_struct *sksec = sk->sk_security;
4931 
4932 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4933 	    sk->sk_family == PF_UNIX)
4934 		isec->sid = sksec->sid;
4935 	sksec->sclass = isec->sclass;
4936 }
4937 
4938 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4939 				     struct request_sock *req)
4940 {
4941 	struct sk_security_struct *sksec = sk->sk_security;
4942 	int err;
4943 	u16 family = req->rsk_ops->family;
4944 	u32 connsid;
4945 	u32 peersid;
4946 
4947 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4948 	if (err)
4949 		return err;
4950 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4951 	if (err)
4952 		return err;
4953 	req->secid = connsid;
4954 	req->peer_secid = peersid;
4955 
4956 	return selinux_netlbl_inet_conn_request(req, family);
4957 }
4958 
4959 static void selinux_inet_csk_clone(struct sock *newsk,
4960 				   const struct request_sock *req)
4961 {
4962 	struct sk_security_struct *newsksec = newsk->sk_security;
4963 
4964 	newsksec->sid = req->secid;
4965 	newsksec->peer_sid = req->peer_secid;
4966 	/* NOTE: Ideally, we should also get the isec->sid for the
4967 	   new socket in sync, but we don't have the isec available yet.
4968 	   So we will wait until sock_graft to do it, by which
4969 	   time it will have been created and available. */
4970 
4971 	/* We don't need to take any sort of lock here as we are the only
4972 	 * thread with access to newsksec */
4973 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4974 }
4975 
4976 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4977 {
4978 	u16 family = sk->sk_family;
4979 	struct sk_security_struct *sksec = sk->sk_security;
4980 
4981 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4982 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4983 		family = PF_INET;
4984 
4985 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4986 }
4987 
4988 static int selinux_secmark_relabel_packet(u32 sid)
4989 {
4990 	const struct task_security_struct *__tsec;
4991 	u32 tsid;
4992 
4993 	__tsec = current_security();
4994 	tsid = __tsec->sid;
4995 
4996 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4997 }
4998 
4999 static void selinux_secmark_refcount_inc(void)
5000 {
5001 	atomic_inc(&selinux_secmark_refcount);
5002 }
5003 
5004 static void selinux_secmark_refcount_dec(void)
5005 {
5006 	atomic_dec(&selinux_secmark_refcount);
5007 }
5008 
5009 static void selinux_req_classify_flow(const struct request_sock *req,
5010 				      struct flowi *fl)
5011 {
5012 	fl->flowi_secid = req->secid;
5013 }
5014 
5015 static int selinux_tun_dev_alloc_security(void **security)
5016 {
5017 	struct tun_security_struct *tunsec;
5018 
5019 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5020 	if (!tunsec)
5021 		return -ENOMEM;
5022 	tunsec->sid = current_sid();
5023 
5024 	*security = tunsec;
5025 	return 0;
5026 }
5027 
5028 static void selinux_tun_dev_free_security(void *security)
5029 {
5030 	kfree(security);
5031 }
5032 
5033 static int selinux_tun_dev_create(void)
5034 {
5035 	u32 sid = current_sid();
5036 
5037 	/* we aren't taking into account the "sockcreate" SID since the socket
5038 	 * that is being created here is not a socket in the traditional sense,
5039 	 * instead it is a private sock, accessible only to the kernel, and
5040 	 * representing a wide range of network traffic spanning multiple
5041 	 * connections unlike traditional sockets - check the TUN driver to
5042 	 * get a better understanding of why this socket is special */
5043 
5044 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5045 			    NULL);
5046 }
5047 
5048 static int selinux_tun_dev_attach_queue(void *security)
5049 {
5050 	struct tun_security_struct *tunsec = security;
5051 
5052 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5053 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5054 }
5055 
5056 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5057 {
5058 	struct tun_security_struct *tunsec = security;
5059 	struct sk_security_struct *sksec = sk->sk_security;
5060 
5061 	/* we don't currently perform any NetLabel based labeling here and it
5062 	 * isn't clear that we would want to do so anyway; while we could apply
5063 	 * labeling without the support of the TUN user the resulting labeled
5064 	 * traffic from the other end of the connection would almost certainly
5065 	 * cause confusion to the TUN user that had no idea network labeling
5066 	 * protocols were being used */
5067 
5068 	sksec->sid = tunsec->sid;
5069 	sksec->sclass = SECCLASS_TUN_SOCKET;
5070 
5071 	return 0;
5072 }
5073 
5074 static int selinux_tun_dev_open(void *security)
5075 {
5076 	struct tun_security_struct *tunsec = security;
5077 	u32 sid = current_sid();
5078 	int err;
5079 
5080 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5081 			   TUN_SOCKET__RELABELFROM, NULL);
5082 	if (err)
5083 		return err;
5084 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5085 			   TUN_SOCKET__RELABELTO, NULL);
5086 	if (err)
5087 		return err;
5088 	tunsec->sid = sid;
5089 
5090 	return 0;
5091 }
5092 
5093 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5094 {
5095 	int err = 0;
5096 	u32 perm;
5097 	struct nlmsghdr *nlh;
5098 	struct sk_security_struct *sksec = sk->sk_security;
5099 
5100 	if (skb->len < NLMSG_HDRLEN) {
5101 		err = -EINVAL;
5102 		goto out;
5103 	}
5104 	nlh = nlmsg_hdr(skb);
5105 
5106 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5107 	if (err) {
5108 		if (err == -EINVAL) {
5109 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5110 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5111 			       " pig=%d comm=%s\n",
5112 			       sk->sk_protocol, nlh->nlmsg_type,
5113 			       secclass_map[sksec->sclass - 1].name,
5114 			       task_pid_nr(current), current->comm);
5115 			if (!selinux_enforcing || security_get_allow_unknown())
5116 				err = 0;
5117 		}
5118 
5119 		/* Ignore */
5120 		if (err == -ENOENT)
5121 			err = 0;
5122 		goto out;
5123 	}
5124 
5125 	err = sock_has_perm(sk, perm);
5126 out:
5127 	return err;
5128 }
5129 
5130 #ifdef CONFIG_NETFILTER
5131 
5132 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5133 				       const struct net_device *indev,
5134 				       u16 family)
5135 {
5136 	int err;
5137 	char *addrp;
5138 	u32 peer_sid;
5139 	struct common_audit_data ad;
5140 	struct lsm_network_audit net = {0,};
5141 	u8 secmark_active;
5142 	u8 netlbl_active;
5143 	u8 peerlbl_active;
5144 
5145 	if (!selinux_policycap_netpeer)
5146 		return NF_ACCEPT;
5147 
5148 	secmark_active = selinux_secmark_enabled();
5149 	netlbl_active = netlbl_enabled();
5150 	peerlbl_active = selinux_peerlbl_enabled();
5151 	if (!secmark_active && !peerlbl_active)
5152 		return NF_ACCEPT;
5153 
5154 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5155 		return NF_DROP;
5156 
5157 	ad.type = LSM_AUDIT_DATA_NET;
5158 	ad.u.net = &net;
5159 	ad.u.net->netif = indev->ifindex;
5160 	ad.u.net->family = family;
5161 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5162 		return NF_DROP;
5163 
5164 	if (peerlbl_active) {
5165 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5166 					       addrp, family, peer_sid, &ad);
5167 		if (err) {
5168 			selinux_netlbl_err(skb, family, err, 1);
5169 			return NF_DROP;
5170 		}
5171 	}
5172 
5173 	if (secmark_active)
5174 		if (avc_has_perm(peer_sid, skb->secmark,
5175 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5176 			return NF_DROP;
5177 
5178 	if (netlbl_active)
5179 		/* we do this in the FORWARD path and not the POST_ROUTING
5180 		 * path because we want to make sure we apply the necessary
5181 		 * labeling before IPsec is applied so we can leverage AH
5182 		 * protection */
5183 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5184 			return NF_DROP;
5185 
5186 	return NF_ACCEPT;
5187 }
5188 
5189 static unsigned int selinux_ipv4_forward(void *priv,
5190 					 struct sk_buff *skb,
5191 					 const struct nf_hook_state *state)
5192 {
5193 	return selinux_ip_forward(skb, state->in, PF_INET);
5194 }
5195 
5196 #if IS_ENABLED(CONFIG_IPV6)
5197 static unsigned int selinux_ipv6_forward(void *priv,
5198 					 struct sk_buff *skb,
5199 					 const struct nf_hook_state *state)
5200 {
5201 	return selinux_ip_forward(skb, state->in, PF_INET6);
5202 }
5203 #endif	/* IPV6 */
5204 
5205 static unsigned int selinux_ip_output(struct sk_buff *skb,
5206 				      u16 family)
5207 {
5208 	struct sock *sk;
5209 	u32 sid;
5210 
5211 	if (!netlbl_enabled())
5212 		return NF_ACCEPT;
5213 
5214 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5215 	 * because we want to make sure we apply the necessary labeling
5216 	 * before IPsec is applied so we can leverage AH protection */
5217 	sk = skb->sk;
5218 	if (sk) {
5219 		struct sk_security_struct *sksec;
5220 
5221 		if (sk_listener(sk))
5222 			/* if the socket is the listening state then this
5223 			 * packet is a SYN-ACK packet which means it needs to
5224 			 * be labeled based on the connection/request_sock and
5225 			 * not the parent socket.  unfortunately, we can't
5226 			 * lookup the request_sock yet as it isn't queued on
5227 			 * the parent socket until after the SYN-ACK is sent.
5228 			 * the "solution" is to simply pass the packet as-is
5229 			 * as any IP option based labeling should be copied
5230 			 * from the initial connection request (in the IP
5231 			 * layer).  it is far from ideal, but until we get a
5232 			 * security label in the packet itself this is the
5233 			 * best we can do. */
5234 			return NF_ACCEPT;
5235 
5236 		/* standard practice, label using the parent socket */
5237 		sksec = sk->sk_security;
5238 		sid = sksec->sid;
5239 	} else
5240 		sid = SECINITSID_KERNEL;
5241 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5242 		return NF_DROP;
5243 
5244 	return NF_ACCEPT;
5245 }
5246 
5247 static unsigned int selinux_ipv4_output(void *priv,
5248 					struct sk_buff *skb,
5249 					const struct nf_hook_state *state)
5250 {
5251 	return selinux_ip_output(skb, PF_INET);
5252 }
5253 
5254 #if IS_ENABLED(CONFIG_IPV6)
5255 static unsigned int selinux_ipv6_output(void *priv,
5256 					struct sk_buff *skb,
5257 					const struct nf_hook_state *state)
5258 {
5259 	return selinux_ip_output(skb, PF_INET6);
5260 }
5261 #endif	/* IPV6 */
5262 
5263 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5264 						int ifindex,
5265 						u16 family)
5266 {
5267 	struct sock *sk = skb_to_full_sk(skb);
5268 	struct sk_security_struct *sksec;
5269 	struct common_audit_data ad;
5270 	struct lsm_network_audit net = {0,};
5271 	char *addrp;
5272 	u8 proto;
5273 
5274 	if (sk == NULL)
5275 		return NF_ACCEPT;
5276 	sksec = sk->sk_security;
5277 
5278 	ad.type = LSM_AUDIT_DATA_NET;
5279 	ad.u.net = &net;
5280 	ad.u.net->netif = ifindex;
5281 	ad.u.net->family = family;
5282 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5283 		return NF_DROP;
5284 
5285 	if (selinux_secmark_enabled())
5286 		if (avc_has_perm(sksec->sid, skb->secmark,
5287 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5288 			return NF_DROP_ERR(-ECONNREFUSED);
5289 
5290 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5291 		return NF_DROP_ERR(-ECONNREFUSED);
5292 
5293 	return NF_ACCEPT;
5294 }
5295 
5296 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5297 					 const struct net_device *outdev,
5298 					 u16 family)
5299 {
5300 	u32 secmark_perm;
5301 	u32 peer_sid;
5302 	int ifindex = outdev->ifindex;
5303 	struct sock *sk;
5304 	struct common_audit_data ad;
5305 	struct lsm_network_audit net = {0,};
5306 	char *addrp;
5307 	u8 secmark_active;
5308 	u8 peerlbl_active;
5309 
5310 	/* If any sort of compatibility mode is enabled then handoff processing
5311 	 * to the selinux_ip_postroute_compat() function to deal with the
5312 	 * special handling.  We do this in an attempt to keep this function
5313 	 * as fast and as clean as possible. */
5314 	if (!selinux_policycap_netpeer)
5315 		return selinux_ip_postroute_compat(skb, ifindex, family);
5316 
5317 	secmark_active = selinux_secmark_enabled();
5318 	peerlbl_active = selinux_peerlbl_enabled();
5319 	if (!secmark_active && !peerlbl_active)
5320 		return NF_ACCEPT;
5321 
5322 	sk = skb_to_full_sk(skb);
5323 
5324 #ifdef CONFIG_XFRM
5325 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5326 	 * packet transformation so allow the packet to pass without any checks
5327 	 * since we'll have another chance to perform access control checks
5328 	 * when the packet is on it's final way out.
5329 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5330 	 *       is NULL, in this case go ahead and apply access control.
5331 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5332 	 *       TCP listening state we cannot wait until the XFRM processing
5333 	 *       is done as we will miss out on the SA label if we do;
5334 	 *       unfortunately, this means more work, but it is only once per
5335 	 *       connection. */
5336 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5337 	    !(sk && sk_listener(sk)))
5338 		return NF_ACCEPT;
5339 #endif
5340 
5341 	if (sk == NULL) {
5342 		/* Without an associated socket the packet is either coming
5343 		 * from the kernel or it is being forwarded; check the packet
5344 		 * to determine which and if the packet is being forwarded
5345 		 * query the packet directly to determine the security label. */
5346 		if (skb->skb_iif) {
5347 			secmark_perm = PACKET__FORWARD_OUT;
5348 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5349 				return NF_DROP;
5350 		} else {
5351 			secmark_perm = PACKET__SEND;
5352 			peer_sid = SECINITSID_KERNEL;
5353 		}
5354 	} else if (sk_listener(sk)) {
5355 		/* Locally generated packet but the associated socket is in the
5356 		 * listening state which means this is a SYN-ACK packet.  In
5357 		 * this particular case the correct security label is assigned
5358 		 * to the connection/request_sock but unfortunately we can't
5359 		 * query the request_sock as it isn't queued on the parent
5360 		 * socket until after the SYN-ACK packet is sent; the only
5361 		 * viable choice is to regenerate the label like we do in
5362 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5363 		 * for similar problems. */
5364 		u32 skb_sid;
5365 		struct sk_security_struct *sksec;
5366 
5367 		sksec = sk->sk_security;
5368 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5369 			return NF_DROP;
5370 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5371 		 * and the packet has been through at least one XFRM
5372 		 * transformation then we must be dealing with the "final"
5373 		 * form of labeled IPsec packet; since we've already applied
5374 		 * all of our access controls on this packet we can safely
5375 		 * pass the packet. */
5376 		if (skb_sid == SECSID_NULL) {
5377 			switch (family) {
5378 			case PF_INET:
5379 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5380 					return NF_ACCEPT;
5381 				break;
5382 			case PF_INET6:
5383 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5384 					return NF_ACCEPT;
5385 				break;
5386 			default:
5387 				return NF_DROP_ERR(-ECONNREFUSED);
5388 			}
5389 		}
5390 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5391 			return NF_DROP;
5392 		secmark_perm = PACKET__SEND;
5393 	} else {
5394 		/* Locally generated packet, fetch the security label from the
5395 		 * associated socket. */
5396 		struct sk_security_struct *sksec = sk->sk_security;
5397 		peer_sid = sksec->sid;
5398 		secmark_perm = PACKET__SEND;
5399 	}
5400 
5401 	ad.type = LSM_AUDIT_DATA_NET;
5402 	ad.u.net = &net;
5403 	ad.u.net->netif = ifindex;
5404 	ad.u.net->family = family;
5405 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5406 		return NF_DROP;
5407 
5408 	if (secmark_active)
5409 		if (avc_has_perm(peer_sid, skb->secmark,
5410 				 SECCLASS_PACKET, secmark_perm, &ad))
5411 			return NF_DROP_ERR(-ECONNREFUSED);
5412 
5413 	if (peerlbl_active) {
5414 		u32 if_sid;
5415 		u32 node_sid;
5416 
5417 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5418 			return NF_DROP;
5419 		if (avc_has_perm(peer_sid, if_sid,
5420 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5421 			return NF_DROP_ERR(-ECONNREFUSED);
5422 
5423 		if (sel_netnode_sid(addrp, family, &node_sid))
5424 			return NF_DROP;
5425 		if (avc_has_perm(peer_sid, node_sid,
5426 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5427 			return NF_DROP_ERR(-ECONNREFUSED);
5428 	}
5429 
5430 	return NF_ACCEPT;
5431 }
5432 
5433 static unsigned int selinux_ipv4_postroute(void *priv,
5434 					   struct sk_buff *skb,
5435 					   const struct nf_hook_state *state)
5436 {
5437 	return selinux_ip_postroute(skb, state->out, PF_INET);
5438 }
5439 
5440 #if IS_ENABLED(CONFIG_IPV6)
5441 static unsigned int selinux_ipv6_postroute(void *priv,
5442 					   struct sk_buff *skb,
5443 					   const struct nf_hook_state *state)
5444 {
5445 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5446 }
5447 #endif	/* IPV6 */
5448 
5449 #endif	/* CONFIG_NETFILTER */
5450 
5451 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5452 {
5453 	return selinux_nlmsg_perm(sk, skb);
5454 }
5455 
5456 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5457 			      u16 sclass)
5458 {
5459 	struct ipc_security_struct *isec;
5460 
5461 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5462 	if (!isec)
5463 		return -ENOMEM;
5464 
5465 	isec->sclass = sclass;
5466 	isec->sid = current_sid();
5467 	perm->security = isec;
5468 
5469 	return 0;
5470 }
5471 
5472 static void ipc_free_security(struct kern_ipc_perm *perm)
5473 {
5474 	struct ipc_security_struct *isec = perm->security;
5475 	perm->security = NULL;
5476 	kfree(isec);
5477 }
5478 
5479 static int msg_msg_alloc_security(struct msg_msg *msg)
5480 {
5481 	struct msg_security_struct *msec;
5482 
5483 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5484 	if (!msec)
5485 		return -ENOMEM;
5486 
5487 	msec->sid = SECINITSID_UNLABELED;
5488 	msg->security = msec;
5489 
5490 	return 0;
5491 }
5492 
5493 static void msg_msg_free_security(struct msg_msg *msg)
5494 {
5495 	struct msg_security_struct *msec = msg->security;
5496 
5497 	msg->security = NULL;
5498 	kfree(msec);
5499 }
5500 
5501 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5502 			u32 perms)
5503 {
5504 	struct ipc_security_struct *isec;
5505 	struct common_audit_data ad;
5506 	u32 sid = current_sid();
5507 
5508 	isec = ipc_perms->security;
5509 
5510 	ad.type = LSM_AUDIT_DATA_IPC;
5511 	ad.u.ipc_id = ipc_perms->key;
5512 
5513 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5514 }
5515 
5516 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5517 {
5518 	return msg_msg_alloc_security(msg);
5519 }
5520 
5521 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5522 {
5523 	msg_msg_free_security(msg);
5524 }
5525 
5526 /* message queue security operations */
5527 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5528 {
5529 	struct ipc_security_struct *isec;
5530 	struct common_audit_data ad;
5531 	u32 sid = current_sid();
5532 	int rc;
5533 
5534 	rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5535 	if (rc)
5536 		return rc;
5537 
5538 	isec = msq->q_perm.security;
5539 
5540 	ad.type = LSM_AUDIT_DATA_IPC;
5541 	ad.u.ipc_id = msq->q_perm.key;
5542 
5543 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5544 			  MSGQ__CREATE, &ad);
5545 	if (rc) {
5546 		ipc_free_security(&msq->q_perm);
5547 		return rc;
5548 	}
5549 	return 0;
5550 }
5551 
5552 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5553 {
5554 	ipc_free_security(&msq->q_perm);
5555 }
5556 
5557 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5558 {
5559 	struct ipc_security_struct *isec;
5560 	struct common_audit_data ad;
5561 	u32 sid = current_sid();
5562 
5563 	isec = msq->q_perm.security;
5564 
5565 	ad.type = LSM_AUDIT_DATA_IPC;
5566 	ad.u.ipc_id = msq->q_perm.key;
5567 
5568 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5569 			    MSGQ__ASSOCIATE, &ad);
5570 }
5571 
5572 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5573 {
5574 	int err;
5575 	int perms;
5576 
5577 	switch (cmd) {
5578 	case IPC_INFO:
5579 	case MSG_INFO:
5580 		/* No specific object, just general system-wide information. */
5581 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5582 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5583 	case IPC_STAT:
5584 	case MSG_STAT:
5585 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5586 		break;
5587 	case IPC_SET:
5588 		perms = MSGQ__SETATTR;
5589 		break;
5590 	case IPC_RMID:
5591 		perms = MSGQ__DESTROY;
5592 		break;
5593 	default:
5594 		return 0;
5595 	}
5596 
5597 	err = ipc_has_perm(&msq->q_perm, perms);
5598 	return err;
5599 }
5600 
5601 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5602 {
5603 	struct ipc_security_struct *isec;
5604 	struct msg_security_struct *msec;
5605 	struct common_audit_data ad;
5606 	u32 sid = current_sid();
5607 	int rc;
5608 
5609 	isec = msq->q_perm.security;
5610 	msec = msg->security;
5611 
5612 	/*
5613 	 * First time through, need to assign label to the message
5614 	 */
5615 	if (msec->sid == SECINITSID_UNLABELED) {
5616 		/*
5617 		 * Compute new sid based on current process and
5618 		 * message queue this message will be stored in
5619 		 */
5620 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5621 					     NULL, &msec->sid);
5622 		if (rc)
5623 			return rc;
5624 	}
5625 
5626 	ad.type = LSM_AUDIT_DATA_IPC;
5627 	ad.u.ipc_id = msq->q_perm.key;
5628 
5629 	/* Can this process write to the queue? */
5630 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5631 			  MSGQ__WRITE, &ad);
5632 	if (!rc)
5633 		/* Can this process send the message */
5634 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5635 				  MSG__SEND, &ad);
5636 	if (!rc)
5637 		/* Can the message be put in the queue? */
5638 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5639 				  MSGQ__ENQUEUE, &ad);
5640 
5641 	return rc;
5642 }
5643 
5644 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5645 				    struct task_struct *target,
5646 				    long type, int mode)
5647 {
5648 	struct ipc_security_struct *isec;
5649 	struct msg_security_struct *msec;
5650 	struct common_audit_data ad;
5651 	u32 sid = task_sid(target);
5652 	int rc;
5653 
5654 	isec = msq->q_perm.security;
5655 	msec = msg->security;
5656 
5657 	ad.type = LSM_AUDIT_DATA_IPC;
5658 	ad.u.ipc_id = msq->q_perm.key;
5659 
5660 	rc = avc_has_perm(sid, isec->sid,
5661 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5662 	if (!rc)
5663 		rc = avc_has_perm(sid, msec->sid,
5664 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5665 	return rc;
5666 }
5667 
5668 /* Shared Memory security operations */
5669 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5670 {
5671 	struct ipc_security_struct *isec;
5672 	struct common_audit_data ad;
5673 	u32 sid = current_sid();
5674 	int rc;
5675 
5676 	rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5677 	if (rc)
5678 		return rc;
5679 
5680 	isec = shp->shm_perm.security;
5681 
5682 	ad.type = LSM_AUDIT_DATA_IPC;
5683 	ad.u.ipc_id = shp->shm_perm.key;
5684 
5685 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5686 			  SHM__CREATE, &ad);
5687 	if (rc) {
5688 		ipc_free_security(&shp->shm_perm);
5689 		return rc;
5690 	}
5691 	return 0;
5692 }
5693 
5694 static void selinux_shm_free_security(struct shmid_kernel *shp)
5695 {
5696 	ipc_free_security(&shp->shm_perm);
5697 }
5698 
5699 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5700 {
5701 	struct ipc_security_struct *isec;
5702 	struct common_audit_data ad;
5703 	u32 sid = current_sid();
5704 
5705 	isec = shp->shm_perm.security;
5706 
5707 	ad.type = LSM_AUDIT_DATA_IPC;
5708 	ad.u.ipc_id = shp->shm_perm.key;
5709 
5710 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5711 			    SHM__ASSOCIATE, &ad);
5712 }
5713 
5714 /* Note, at this point, shp is locked down */
5715 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5716 {
5717 	int perms;
5718 	int err;
5719 
5720 	switch (cmd) {
5721 	case IPC_INFO:
5722 	case SHM_INFO:
5723 		/* No specific object, just general system-wide information. */
5724 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5725 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5726 	case IPC_STAT:
5727 	case SHM_STAT:
5728 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5729 		break;
5730 	case IPC_SET:
5731 		perms = SHM__SETATTR;
5732 		break;
5733 	case SHM_LOCK:
5734 	case SHM_UNLOCK:
5735 		perms = SHM__LOCK;
5736 		break;
5737 	case IPC_RMID:
5738 		perms = SHM__DESTROY;
5739 		break;
5740 	default:
5741 		return 0;
5742 	}
5743 
5744 	err = ipc_has_perm(&shp->shm_perm, perms);
5745 	return err;
5746 }
5747 
5748 static int selinux_shm_shmat(struct shmid_kernel *shp,
5749 			     char __user *shmaddr, int shmflg)
5750 {
5751 	u32 perms;
5752 
5753 	if (shmflg & SHM_RDONLY)
5754 		perms = SHM__READ;
5755 	else
5756 		perms = SHM__READ | SHM__WRITE;
5757 
5758 	return ipc_has_perm(&shp->shm_perm, perms);
5759 }
5760 
5761 /* Semaphore security operations */
5762 static int selinux_sem_alloc_security(struct sem_array *sma)
5763 {
5764 	struct ipc_security_struct *isec;
5765 	struct common_audit_data ad;
5766 	u32 sid = current_sid();
5767 	int rc;
5768 
5769 	rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5770 	if (rc)
5771 		return rc;
5772 
5773 	isec = sma->sem_perm.security;
5774 
5775 	ad.type = LSM_AUDIT_DATA_IPC;
5776 	ad.u.ipc_id = sma->sem_perm.key;
5777 
5778 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5779 			  SEM__CREATE, &ad);
5780 	if (rc) {
5781 		ipc_free_security(&sma->sem_perm);
5782 		return rc;
5783 	}
5784 	return 0;
5785 }
5786 
5787 static void selinux_sem_free_security(struct sem_array *sma)
5788 {
5789 	ipc_free_security(&sma->sem_perm);
5790 }
5791 
5792 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5793 {
5794 	struct ipc_security_struct *isec;
5795 	struct common_audit_data ad;
5796 	u32 sid = current_sid();
5797 
5798 	isec = sma->sem_perm.security;
5799 
5800 	ad.type = LSM_AUDIT_DATA_IPC;
5801 	ad.u.ipc_id = sma->sem_perm.key;
5802 
5803 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5804 			    SEM__ASSOCIATE, &ad);
5805 }
5806 
5807 /* Note, at this point, sma is locked down */
5808 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5809 {
5810 	int err;
5811 	u32 perms;
5812 
5813 	switch (cmd) {
5814 	case IPC_INFO:
5815 	case SEM_INFO:
5816 		/* No specific object, just general system-wide information. */
5817 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5818 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5819 	case GETPID:
5820 	case GETNCNT:
5821 	case GETZCNT:
5822 		perms = SEM__GETATTR;
5823 		break;
5824 	case GETVAL:
5825 	case GETALL:
5826 		perms = SEM__READ;
5827 		break;
5828 	case SETVAL:
5829 	case SETALL:
5830 		perms = SEM__WRITE;
5831 		break;
5832 	case IPC_RMID:
5833 		perms = SEM__DESTROY;
5834 		break;
5835 	case IPC_SET:
5836 		perms = SEM__SETATTR;
5837 		break;
5838 	case IPC_STAT:
5839 	case SEM_STAT:
5840 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5841 		break;
5842 	default:
5843 		return 0;
5844 	}
5845 
5846 	err = ipc_has_perm(&sma->sem_perm, perms);
5847 	return err;
5848 }
5849 
5850 static int selinux_sem_semop(struct sem_array *sma,
5851 			     struct sembuf *sops, unsigned nsops, int alter)
5852 {
5853 	u32 perms;
5854 
5855 	if (alter)
5856 		perms = SEM__READ | SEM__WRITE;
5857 	else
5858 		perms = SEM__READ;
5859 
5860 	return ipc_has_perm(&sma->sem_perm, perms);
5861 }
5862 
5863 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5864 {
5865 	u32 av = 0;
5866 
5867 	av = 0;
5868 	if (flag & S_IRUGO)
5869 		av |= IPC__UNIX_READ;
5870 	if (flag & S_IWUGO)
5871 		av |= IPC__UNIX_WRITE;
5872 
5873 	if (av == 0)
5874 		return 0;
5875 
5876 	return ipc_has_perm(ipcp, av);
5877 }
5878 
5879 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5880 {
5881 	struct ipc_security_struct *isec = ipcp->security;
5882 	*secid = isec->sid;
5883 }
5884 
5885 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5886 {
5887 	if (inode)
5888 		inode_doinit_with_dentry(inode, dentry);
5889 }
5890 
5891 static int selinux_getprocattr(struct task_struct *p,
5892 			       char *name, char **value)
5893 {
5894 	const struct task_security_struct *__tsec;
5895 	u32 sid;
5896 	int error;
5897 	unsigned len;
5898 
5899 	rcu_read_lock();
5900 	__tsec = __task_cred(p)->security;
5901 
5902 	if (current != p) {
5903 		error = avc_has_perm(current_sid(), __tsec->sid,
5904 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5905 		if (error)
5906 			goto bad;
5907 	}
5908 
5909 	if (!strcmp(name, "current"))
5910 		sid = __tsec->sid;
5911 	else if (!strcmp(name, "prev"))
5912 		sid = __tsec->osid;
5913 	else if (!strcmp(name, "exec"))
5914 		sid = __tsec->exec_sid;
5915 	else if (!strcmp(name, "fscreate"))
5916 		sid = __tsec->create_sid;
5917 	else if (!strcmp(name, "keycreate"))
5918 		sid = __tsec->keycreate_sid;
5919 	else if (!strcmp(name, "sockcreate"))
5920 		sid = __tsec->sockcreate_sid;
5921 	else {
5922 		error = -EINVAL;
5923 		goto bad;
5924 	}
5925 	rcu_read_unlock();
5926 
5927 	if (!sid)
5928 		return 0;
5929 
5930 	error = security_sid_to_context(sid, value, &len);
5931 	if (error)
5932 		return error;
5933 	return len;
5934 
5935 bad:
5936 	rcu_read_unlock();
5937 	return error;
5938 }
5939 
5940 static int selinux_setprocattr(const char *name, void *value, size_t size)
5941 {
5942 	struct task_security_struct *tsec;
5943 	struct cred *new;
5944 	u32 mysid = current_sid(), sid = 0, ptsid;
5945 	int error;
5946 	char *str = value;
5947 
5948 	/*
5949 	 * Basic control over ability to set these attributes at all.
5950 	 */
5951 	if (!strcmp(name, "exec"))
5952 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5953 				     PROCESS__SETEXEC, NULL);
5954 	else if (!strcmp(name, "fscreate"))
5955 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5956 				     PROCESS__SETFSCREATE, NULL);
5957 	else if (!strcmp(name, "keycreate"))
5958 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5959 				     PROCESS__SETKEYCREATE, NULL);
5960 	else if (!strcmp(name, "sockcreate"))
5961 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5962 				     PROCESS__SETSOCKCREATE, NULL);
5963 	else if (!strcmp(name, "current"))
5964 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5965 				     PROCESS__SETCURRENT, NULL);
5966 	else
5967 		error = -EINVAL;
5968 	if (error)
5969 		return error;
5970 
5971 	/* Obtain a SID for the context, if one was specified. */
5972 	if (size && str[0] && str[0] != '\n') {
5973 		if (str[size-1] == '\n') {
5974 			str[size-1] = 0;
5975 			size--;
5976 		}
5977 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5978 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5979 			if (!has_cap_mac_admin(true)) {
5980 				struct audit_buffer *ab;
5981 				size_t audit_size;
5982 
5983 				/* We strip a nul only if it is at the end, otherwise the
5984 				 * context contains a nul and we should audit that */
5985 				if (str[size - 1] == '\0')
5986 					audit_size = size - 1;
5987 				else
5988 					audit_size = size;
5989 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5990 				audit_log_format(ab, "op=fscreate invalid_context=");
5991 				audit_log_n_untrustedstring(ab, value, audit_size);
5992 				audit_log_end(ab);
5993 
5994 				return error;
5995 			}
5996 			error = security_context_to_sid_force(value, size,
5997 							      &sid);
5998 		}
5999 		if (error)
6000 			return error;
6001 	}
6002 
6003 	new = prepare_creds();
6004 	if (!new)
6005 		return -ENOMEM;
6006 
6007 	/* Permission checking based on the specified context is
6008 	   performed during the actual operation (execve,
6009 	   open/mkdir/...), when we know the full context of the
6010 	   operation.  See selinux_bprm_set_creds for the execve
6011 	   checks and may_create for the file creation checks. The
6012 	   operation will then fail if the context is not permitted. */
6013 	tsec = new->security;
6014 	if (!strcmp(name, "exec")) {
6015 		tsec->exec_sid = sid;
6016 	} else if (!strcmp(name, "fscreate")) {
6017 		tsec->create_sid = sid;
6018 	} else if (!strcmp(name, "keycreate")) {
6019 		error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6020 				     NULL);
6021 		if (error)
6022 			goto abort_change;
6023 		tsec->keycreate_sid = sid;
6024 	} else if (!strcmp(name, "sockcreate")) {
6025 		tsec->sockcreate_sid = sid;
6026 	} else if (!strcmp(name, "current")) {
6027 		error = -EINVAL;
6028 		if (sid == 0)
6029 			goto abort_change;
6030 
6031 		/* Only allow single threaded processes to change context */
6032 		error = -EPERM;
6033 		if (!current_is_single_threaded()) {
6034 			error = security_bounded_transition(tsec->sid, sid);
6035 			if (error)
6036 				goto abort_change;
6037 		}
6038 
6039 		/* Check permissions for the transition. */
6040 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6041 				     PROCESS__DYNTRANSITION, NULL);
6042 		if (error)
6043 			goto abort_change;
6044 
6045 		/* Check for ptracing, and update the task SID if ok.
6046 		   Otherwise, leave SID unchanged and fail. */
6047 		ptsid = ptrace_parent_sid();
6048 		if (ptsid != 0) {
6049 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6050 					     PROCESS__PTRACE, NULL);
6051 			if (error)
6052 				goto abort_change;
6053 		}
6054 
6055 		tsec->sid = sid;
6056 	} else {
6057 		error = -EINVAL;
6058 		goto abort_change;
6059 	}
6060 
6061 	commit_creds(new);
6062 	return size;
6063 
6064 abort_change:
6065 	abort_creds(new);
6066 	return error;
6067 }
6068 
6069 static int selinux_ismaclabel(const char *name)
6070 {
6071 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6072 }
6073 
6074 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6075 {
6076 	return security_sid_to_context(secid, secdata, seclen);
6077 }
6078 
6079 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6080 {
6081 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6082 }
6083 
6084 static void selinux_release_secctx(char *secdata, u32 seclen)
6085 {
6086 	kfree(secdata);
6087 }
6088 
6089 static void selinux_inode_invalidate_secctx(struct inode *inode)
6090 {
6091 	struct inode_security_struct *isec = inode->i_security;
6092 
6093 	spin_lock(&isec->lock);
6094 	isec->initialized = LABEL_INVALID;
6095 	spin_unlock(&isec->lock);
6096 }
6097 
6098 /*
6099  *	called with inode->i_mutex locked
6100  */
6101 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6102 {
6103 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6104 }
6105 
6106 /*
6107  *	called with inode->i_mutex locked
6108  */
6109 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6110 {
6111 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6112 }
6113 
6114 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6115 {
6116 	int len = 0;
6117 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6118 						ctx, true);
6119 	if (len < 0)
6120 		return len;
6121 	*ctxlen = len;
6122 	return 0;
6123 }
6124 #ifdef CONFIG_KEYS
6125 
6126 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6127 			     unsigned long flags)
6128 {
6129 	const struct task_security_struct *tsec;
6130 	struct key_security_struct *ksec;
6131 
6132 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6133 	if (!ksec)
6134 		return -ENOMEM;
6135 
6136 	tsec = cred->security;
6137 	if (tsec->keycreate_sid)
6138 		ksec->sid = tsec->keycreate_sid;
6139 	else
6140 		ksec->sid = tsec->sid;
6141 
6142 	k->security = ksec;
6143 	return 0;
6144 }
6145 
6146 static void selinux_key_free(struct key *k)
6147 {
6148 	struct key_security_struct *ksec = k->security;
6149 
6150 	k->security = NULL;
6151 	kfree(ksec);
6152 }
6153 
6154 static int selinux_key_permission(key_ref_t key_ref,
6155 				  const struct cred *cred,
6156 				  unsigned perm)
6157 {
6158 	struct key *key;
6159 	struct key_security_struct *ksec;
6160 	u32 sid;
6161 
6162 	/* if no specific permissions are requested, we skip the
6163 	   permission check. No serious, additional covert channels
6164 	   appear to be created. */
6165 	if (perm == 0)
6166 		return 0;
6167 
6168 	sid = cred_sid(cred);
6169 
6170 	key = key_ref_to_ptr(key_ref);
6171 	ksec = key->security;
6172 
6173 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6174 }
6175 
6176 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6177 {
6178 	struct key_security_struct *ksec = key->security;
6179 	char *context = NULL;
6180 	unsigned len;
6181 	int rc;
6182 
6183 	rc = security_sid_to_context(ksec->sid, &context, &len);
6184 	if (!rc)
6185 		rc = len;
6186 	*_buffer = context;
6187 	return rc;
6188 }
6189 #endif
6190 
6191 #ifdef CONFIG_SECURITY_INFINIBAND
6192 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6193 {
6194 	struct common_audit_data ad;
6195 	int err;
6196 	u32 sid = 0;
6197 	struct ib_security_struct *sec = ib_sec;
6198 	struct lsm_ibpkey_audit ibpkey;
6199 
6200 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6201 	if (err)
6202 		return err;
6203 
6204 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6205 	ibpkey.subnet_prefix = subnet_prefix;
6206 	ibpkey.pkey = pkey_val;
6207 	ad.u.ibpkey = &ibpkey;
6208 	return avc_has_perm(sec->sid, sid,
6209 			    SECCLASS_INFINIBAND_PKEY,
6210 			    INFINIBAND_PKEY__ACCESS, &ad);
6211 }
6212 
6213 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6214 					    u8 port_num)
6215 {
6216 	struct common_audit_data ad;
6217 	int err;
6218 	u32 sid = 0;
6219 	struct ib_security_struct *sec = ib_sec;
6220 	struct lsm_ibendport_audit ibendport;
6221 
6222 	err = security_ib_endport_sid(dev_name, port_num, &sid);
6223 
6224 	if (err)
6225 		return err;
6226 
6227 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6228 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6229 	ibendport.port = port_num;
6230 	ad.u.ibendport = &ibendport;
6231 	return avc_has_perm(sec->sid, sid,
6232 			    SECCLASS_INFINIBAND_ENDPORT,
6233 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6234 }
6235 
6236 static int selinux_ib_alloc_security(void **ib_sec)
6237 {
6238 	struct ib_security_struct *sec;
6239 
6240 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6241 	if (!sec)
6242 		return -ENOMEM;
6243 	sec->sid = current_sid();
6244 
6245 	*ib_sec = sec;
6246 	return 0;
6247 }
6248 
6249 static void selinux_ib_free_security(void *ib_sec)
6250 {
6251 	kfree(ib_sec);
6252 }
6253 #endif
6254 
6255 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6256 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6257 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6258 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6259 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6260 
6261 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6262 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6263 	LSM_HOOK_INIT(capget, selinux_capget),
6264 	LSM_HOOK_INIT(capset, selinux_capset),
6265 	LSM_HOOK_INIT(capable, selinux_capable),
6266 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6267 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6268 	LSM_HOOK_INIT(syslog, selinux_syslog),
6269 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6270 
6271 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6272 
6273 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6274 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6275 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6276 
6277 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6278 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6279 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6280 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6281 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6282 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6283 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6284 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6285 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6286 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6287 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6288 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6289 
6290 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6291 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6292 
6293 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6294 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6295 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6296 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6297 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6298 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6299 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6300 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6301 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6302 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6303 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6304 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6305 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6306 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6307 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6308 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6309 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6310 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6311 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6312 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6313 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6314 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6315 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6316 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6317 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6318 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6319 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6320 
6321 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6322 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6323 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6324 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6325 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6326 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6327 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6328 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6329 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6330 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6331 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6332 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6333 
6334 	LSM_HOOK_INIT(file_open, selinux_file_open),
6335 
6336 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6337 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6338 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6339 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6340 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6341 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6342 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6343 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6344 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6345 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6346 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6347 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6348 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6349 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6350 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6351 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6352 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6353 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6354 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6355 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6356 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6357 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6358 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6359 
6360 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6361 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6362 
6363 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6364 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6365 
6366 	LSM_HOOK_INIT(msg_queue_alloc_security,
6367 			selinux_msg_queue_alloc_security),
6368 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6369 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6370 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6371 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6372 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6373 
6374 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6375 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6376 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6377 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6378 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6379 
6380 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6381 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6382 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6383 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6384 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6385 
6386 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6387 
6388 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6389 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6390 
6391 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6392 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6393 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6394 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6395 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6396 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6397 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6398 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6399 
6400 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6401 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6402 
6403 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6404 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6405 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6406 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6407 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6408 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6409 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6410 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6411 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6412 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6413 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6414 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6415 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6416 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6417 	LSM_HOOK_INIT(socket_getpeersec_stream,
6418 			selinux_socket_getpeersec_stream),
6419 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6420 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6421 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6422 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6423 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6424 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6425 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6426 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6427 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6428 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6429 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6430 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6431 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6432 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6433 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6434 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6435 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6436 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6437 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6438 #ifdef CONFIG_SECURITY_INFINIBAND
6439 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6440 	LSM_HOOK_INIT(ib_endport_manage_subnet,
6441 		      selinux_ib_endport_manage_subnet),
6442 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6443 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6444 #endif
6445 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6446 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6447 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6448 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6449 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6450 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6451 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6452 			selinux_xfrm_state_alloc_acquire),
6453 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6454 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6455 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6456 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6457 			selinux_xfrm_state_pol_flow_match),
6458 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6459 #endif
6460 
6461 #ifdef CONFIG_KEYS
6462 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6463 	LSM_HOOK_INIT(key_free, selinux_key_free),
6464 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6465 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6466 #endif
6467 
6468 #ifdef CONFIG_AUDIT
6469 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6470 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6471 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6472 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6473 #endif
6474 };
6475 
6476 static __init int selinux_init(void)
6477 {
6478 	if (!security_module_enable("selinux")) {
6479 		selinux_enabled = 0;
6480 		return 0;
6481 	}
6482 
6483 	if (!selinux_enabled) {
6484 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6485 		return 0;
6486 	}
6487 
6488 	printk(KERN_INFO "SELinux:  Initializing.\n");
6489 
6490 	/* Set the security state for the initial task. */
6491 	cred_init_security();
6492 
6493 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6494 
6495 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6496 					    sizeof(struct inode_security_struct),
6497 					    0, SLAB_PANIC, NULL);
6498 	file_security_cache = kmem_cache_create("selinux_file_security",
6499 					    sizeof(struct file_security_struct),
6500 					    0, SLAB_PANIC, NULL);
6501 	avc_init();
6502 
6503 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6504 
6505 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6506 		panic("SELinux: Unable to register AVC netcache callback\n");
6507 
6508 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6509 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
6510 
6511 	if (selinux_enforcing)
6512 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6513 	else
6514 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6515 
6516 	return 0;
6517 }
6518 
6519 static void delayed_superblock_init(struct super_block *sb, void *unused)
6520 {
6521 	superblock_doinit(sb, NULL);
6522 }
6523 
6524 void selinux_complete_init(void)
6525 {
6526 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6527 
6528 	/* Set up any superblocks initialized prior to the policy load. */
6529 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6530 	iterate_supers(delayed_superblock_init, NULL);
6531 }
6532 
6533 /* SELinux requires early initialization in order to label
6534    all processes and objects when they are created. */
6535 security_initcall(selinux_init);
6536 
6537 #if defined(CONFIG_NETFILTER)
6538 
6539 static const struct nf_hook_ops selinux_nf_ops[] = {
6540 	{
6541 		.hook =		selinux_ipv4_postroute,
6542 		.pf =		NFPROTO_IPV4,
6543 		.hooknum =	NF_INET_POST_ROUTING,
6544 		.priority =	NF_IP_PRI_SELINUX_LAST,
6545 	},
6546 	{
6547 		.hook =		selinux_ipv4_forward,
6548 		.pf =		NFPROTO_IPV4,
6549 		.hooknum =	NF_INET_FORWARD,
6550 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6551 	},
6552 	{
6553 		.hook =		selinux_ipv4_output,
6554 		.pf =		NFPROTO_IPV4,
6555 		.hooknum =	NF_INET_LOCAL_OUT,
6556 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6557 	},
6558 #if IS_ENABLED(CONFIG_IPV6)
6559 	{
6560 		.hook =		selinux_ipv6_postroute,
6561 		.pf =		NFPROTO_IPV6,
6562 		.hooknum =	NF_INET_POST_ROUTING,
6563 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6564 	},
6565 	{
6566 		.hook =		selinux_ipv6_forward,
6567 		.pf =		NFPROTO_IPV6,
6568 		.hooknum =	NF_INET_FORWARD,
6569 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6570 	},
6571 	{
6572 		.hook =		selinux_ipv6_output,
6573 		.pf =		NFPROTO_IPV6,
6574 		.hooknum =	NF_INET_LOCAL_OUT,
6575 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6576 	},
6577 #endif	/* IPV6 */
6578 };
6579 
6580 static int __net_init selinux_nf_register(struct net *net)
6581 {
6582 	return nf_register_net_hooks(net, selinux_nf_ops,
6583 				     ARRAY_SIZE(selinux_nf_ops));
6584 }
6585 
6586 static void __net_exit selinux_nf_unregister(struct net *net)
6587 {
6588 	nf_unregister_net_hooks(net, selinux_nf_ops,
6589 				ARRAY_SIZE(selinux_nf_ops));
6590 }
6591 
6592 static struct pernet_operations selinux_net_ops = {
6593 	.init = selinux_nf_register,
6594 	.exit = selinux_nf_unregister,
6595 };
6596 
6597 static int __init selinux_nf_ip_init(void)
6598 {
6599 	int err;
6600 
6601 	if (!selinux_enabled)
6602 		return 0;
6603 
6604 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6605 
6606 	err = register_pernet_subsys(&selinux_net_ops);
6607 	if (err)
6608 		panic("SELinux: register_pernet_subsys: error %d\n", err);
6609 
6610 	return 0;
6611 }
6612 __initcall(selinux_nf_ip_init);
6613 
6614 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6615 static void selinux_nf_ip_exit(void)
6616 {
6617 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6618 
6619 	unregister_pernet_subsys(&selinux_net_ops);
6620 }
6621 #endif
6622 
6623 #else /* CONFIG_NETFILTER */
6624 
6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6626 #define selinux_nf_ip_exit()
6627 #endif
6628 
6629 #endif /* CONFIG_NETFILTER */
6630 
6631 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6632 static int selinux_disabled;
6633 
6634 int selinux_disable(void)
6635 {
6636 	if (ss_initialized) {
6637 		/* Not permitted after initial policy load. */
6638 		return -EINVAL;
6639 	}
6640 
6641 	if (selinux_disabled) {
6642 		/* Only do this once. */
6643 		return -EINVAL;
6644 	}
6645 
6646 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6647 
6648 	selinux_disabled = 1;
6649 	selinux_enabled = 0;
6650 
6651 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6652 
6653 	/* Try to destroy the avc node cache */
6654 	avc_disable();
6655 
6656 	/* Unregister netfilter hooks. */
6657 	selinux_nf_ip_exit();
6658 
6659 	/* Unregister selinuxfs. */
6660 	exit_sel_fs();
6661 
6662 	return 0;
6663 }
6664 #endif
6665