xref: /openbmc/linux/security/selinux/hooks.c (revision 2ae2e7cf)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 #define SELINUX_INODE_INIT_XATTRS 1
108 
109 struct selinux_state selinux_state;
110 
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113 
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116 
117 static int __init enforcing_setup(char *str)
118 {
119 	unsigned long enforcing;
120 	if (!kstrtoul(str, 0, &enforcing))
121 		selinux_enforcing_boot = enforcing ? 1 : 0;
122 	return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128 
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
131 static int __init selinux_enabled_setup(char *str)
132 {
133 	unsigned long enabled;
134 	if (!kstrtoul(str, 0, &enabled))
135 		selinux_enabled_boot = enabled ? 1 : 0;
136 	return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		if (checkreqprot)
147 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
148 	}
149 	return 1;
150 }
151 __setup("checkreqprot=", checkreqprot_setup);
152 
153 /**
154  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155  *
156  * Description:
157  * This function checks the SECMARK reference counter to see if any SECMARK
158  * targets are currently configured, if the reference counter is greater than
159  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
160  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
161  * policy capability is enabled, SECMARK is always considered enabled.
162  *
163  */
164 static int selinux_secmark_enabled(void)
165 {
166 	return (selinux_policycap_alwaysnetwork() ||
167 		atomic_read(&selinux_secmark_refcount));
168 }
169 
170 /**
171  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172  *
173  * Description:
174  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
175  * (1) if any are enabled or false (0) if neither are enabled.  If the
176  * always_check_network policy capability is enabled, peer labeling
177  * is always considered enabled.
178  *
179  */
180 static int selinux_peerlbl_enabled(void)
181 {
182 	return (selinux_policycap_alwaysnetwork() ||
183 		netlbl_enabled() || selinux_xfrm_enabled());
184 }
185 
186 static int selinux_netcache_avc_callback(u32 event)
187 {
188 	if (event == AVC_CALLBACK_RESET) {
189 		sel_netif_flush();
190 		sel_netnode_flush();
191 		sel_netport_flush();
192 		synchronize_net();
193 	}
194 	return 0;
195 }
196 
197 static int selinux_lsm_notifier_avc_callback(u32 event)
198 {
199 	if (event == AVC_CALLBACK_RESET) {
200 		sel_ib_pkey_flush();
201 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
202 	}
203 
204 	return 0;
205 }
206 
207 /*
208  * initialise the security for the init task
209  */
210 static void cred_init_security(void)
211 {
212 	struct task_security_struct *tsec;
213 
214 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
215 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217 
218 /*
219  * get the security ID of a set of credentials
220  */
221 static inline u32 cred_sid(const struct cred *cred)
222 {
223 	const struct task_security_struct *tsec;
224 
225 	tsec = selinux_cred(cred);
226 	return tsec->sid;
227 }
228 
229 static void __ad_net_init(struct common_audit_data *ad,
230 			  struct lsm_network_audit *net,
231 			  int ifindex, struct sock *sk, u16 family)
232 {
233 	ad->type = LSM_AUDIT_DATA_NET;
234 	ad->u.net = net;
235 	net->netif = ifindex;
236 	net->sk = sk;
237 	net->family = family;
238 }
239 
240 static void ad_net_init_from_sk(struct common_audit_data *ad,
241 				struct lsm_network_audit *net,
242 				struct sock *sk)
243 {
244 	__ad_net_init(ad, net, 0, sk, 0);
245 }
246 
247 static void ad_net_init_from_iif(struct common_audit_data *ad,
248 				 struct lsm_network_audit *net,
249 				 int ifindex, u16 family)
250 {
251 	__ad_net_init(ad, net, ifindex, NULL, family);
252 }
253 
254 /*
255  * get the objective security ID of a task
256  */
257 static inline u32 task_sid_obj(const struct task_struct *task)
258 {
259 	u32 sid;
260 
261 	rcu_read_lock();
262 	sid = cred_sid(__task_cred(task));
263 	rcu_read_unlock();
264 	return sid;
265 }
266 
267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268 
269 /*
270  * Try reloading inode security labels that have been marked as invalid.  The
271  * @may_sleep parameter indicates when sleeping and thus reloading labels is
272  * allowed; when set to false, returns -ECHILD when the label is
273  * invalid.  The @dentry parameter should be set to a dentry of the inode.
274  */
275 static int __inode_security_revalidate(struct inode *inode,
276 				       struct dentry *dentry,
277 				       bool may_sleep)
278 {
279 	struct inode_security_struct *isec = selinux_inode(inode);
280 
281 	might_sleep_if(may_sleep);
282 
283 	if (selinux_initialized() &&
284 	    isec->initialized != LABEL_INITIALIZED) {
285 		if (!may_sleep)
286 			return -ECHILD;
287 
288 		/*
289 		 * Try reloading the inode security label.  This will fail if
290 		 * @opt_dentry is NULL and no dentry for this inode can be
291 		 * found; in that case, continue using the old label.
292 		 */
293 		inode_doinit_with_dentry(inode, dentry);
294 	}
295 	return 0;
296 }
297 
298 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299 {
300 	return selinux_inode(inode);
301 }
302 
303 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304 {
305 	int error;
306 
307 	error = __inode_security_revalidate(inode, NULL, !rcu);
308 	if (error)
309 		return ERR_PTR(error);
310 	return selinux_inode(inode);
311 }
312 
313 /*
314  * Get the security label of an inode.
315  */
316 static struct inode_security_struct *inode_security(struct inode *inode)
317 {
318 	__inode_security_revalidate(inode, NULL, true);
319 	return selinux_inode(inode);
320 }
321 
322 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323 {
324 	struct inode *inode = d_backing_inode(dentry);
325 
326 	return selinux_inode(inode);
327 }
328 
329 /*
330  * Get the security label of a dentry's backing inode.
331  */
332 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333 {
334 	struct inode *inode = d_backing_inode(dentry);
335 
336 	__inode_security_revalidate(inode, dentry, true);
337 	return selinux_inode(inode);
338 }
339 
340 static void inode_free_security(struct inode *inode)
341 {
342 	struct inode_security_struct *isec = selinux_inode(inode);
343 	struct superblock_security_struct *sbsec;
344 
345 	if (!isec)
346 		return;
347 	sbsec = selinux_superblock(inode->i_sb);
348 	/*
349 	 * As not all inode security structures are in a list, we check for
350 	 * empty list outside of the lock to make sure that we won't waste
351 	 * time taking a lock doing nothing.
352 	 *
353 	 * The list_del_init() function can be safely called more than once.
354 	 * It should not be possible for this function to be called with
355 	 * concurrent list_add(), but for better safety against future changes
356 	 * in the code, we use list_empty_careful() here.
357 	 */
358 	if (!list_empty_careful(&isec->list)) {
359 		spin_lock(&sbsec->isec_lock);
360 		list_del_init(&isec->list);
361 		spin_unlock(&sbsec->isec_lock);
362 	}
363 }
364 
365 struct selinux_mnt_opts {
366 	u32 fscontext_sid;
367 	u32 context_sid;
368 	u32 rootcontext_sid;
369 	u32 defcontext_sid;
370 };
371 
372 static void selinux_free_mnt_opts(void *mnt_opts)
373 {
374 	kfree(mnt_opts);
375 }
376 
377 enum {
378 	Opt_error = -1,
379 	Opt_context = 0,
380 	Opt_defcontext = 1,
381 	Opt_fscontext = 2,
382 	Opt_rootcontext = 3,
383 	Opt_seclabel = 4,
384 };
385 
386 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
387 static const struct {
388 	const char *name;
389 	int len;
390 	int opt;
391 	bool has_arg;
392 } tokens[] = {
393 	A(context, true),
394 	A(fscontext, true),
395 	A(defcontext, true),
396 	A(rootcontext, true),
397 	A(seclabel, false),
398 };
399 #undef A
400 
401 static int match_opt_prefix(char *s, int l, char **arg)
402 {
403 	int i;
404 
405 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406 		size_t len = tokens[i].len;
407 		if (len > l || memcmp(s, tokens[i].name, len))
408 			continue;
409 		if (tokens[i].has_arg) {
410 			if (len == l || s[len] != '=')
411 				continue;
412 			*arg = s + len + 1;
413 		} else if (len != l)
414 			continue;
415 		return tokens[i].opt;
416 	}
417 	return Opt_error;
418 }
419 
420 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
421 
422 static int may_context_mount_sb_relabel(u32 sid,
423 			struct superblock_security_struct *sbsec,
424 			const struct cred *cred)
425 {
426 	const struct task_security_struct *tsec = selinux_cred(cred);
427 	int rc;
428 
429 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
430 			  FILESYSTEM__RELABELFROM, NULL);
431 	if (rc)
432 		return rc;
433 
434 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELTO, NULL);
436 	return rc;
437 }
438 
439 static int may_context_mount_inode_relabel(u32 sid,
440 			struct superblock_security_struct *sbsec,
441 			const struct cred *cred)
442 {
443 	const struct task_security_struct *tsec = selinux_cred(cred);
444 	int rc;
445 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 			  FILESYSTEM__RELABELFROM, NULL);
447 	if (rc)
448 		return rc;
449 
450 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
451 			  FILESYSTEM__ASSOCIATE, NULL);
452 	return rc;
453 }
454 
455 static int selinux_is_genfs_special_handling(struct super_block *sb)
456 {
457 	/* Special handling. Genfs but also in-core setxattr handler */
458 	return	!strcmp(sb->s_type->name, "sysfs") ||
459 		!strcmp(sb->s_type->name, "pstore") ||
460 		!strcmp(sb->s_type->name, "debugfs") ||
461 		!strcmp(sb->s_type->name, "tracefs") ||
462 		!strcmp(sb->s_type->name, "rootfs") ||
463 		(selinux_policycap_cgroupseclabel() &&
464 		 (!strcmp(sb->s_type->name, "cgroup") ||
465 		  !strcmp(sb->s_type->name, "cgroup2")));
466 }
467 
468 static int selinux_is_sblabel_mnt(struct super_block *sb)
469 {
470 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
471 
472 	/*
473 	 * IMPORTANT: Double-check logic in this function when adding a new
474 	 * SECURITY_FS_USE_* definition!
475 	 */
476 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477 
478 	switch (sbsec->behavior) {
479 	case SECURITY_FS_USE_XATTR:
480 	case SECURITY_FS_USE_TRANS:
481 	case SECURITY_FS_USE_TASK:
482 	case SECURITY_FS_USE_NATIVE:
483 		return 1;
484 
485 	case SECURITY_FS_USE_GENFS:
486 		return selinux_is_genfs_special_handling(sb);
487 
488 	/* Never allow relabeling on context mounts */
489 	case SECURITY_FS_USE_MNTPOINT:
490 	case SECURITY_FS_USE_NONE:
491 	default:
492 		return 0;
493 	}
494 }
495 
496 static int sb_check_xattr_support(struct super_block *sb)
497 {
498 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
499 	struct dentry *root = sb->s_root;
500 	struct inode *root_inode = d_backing_inode(root);
501 	u32 sid;
502 	int rc;
503 
504 	/*
505 	 * Make sure that the xattr handler exists and that no
506 	 * error other than -ENODATA is returned by getxattr on
507 	 * the root directory.  -ENODATA is ok, as this may be
508 	 * the first boot of the SELinux kernel before we have
509 	 * assigned xattr values to the filesystem.
510 	 */
511 	if (!(root_inode->i_opflags & IOP_XATTR)) {
512 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513 			sb->s_id, sb->s_type->name);
514 		goto fallback;
515 	}
516 
517 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 	if (rc < 0 && rc != -ENODATA) {
519 		if (rc == -EOPNOTSUPP) {
520 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521 				sb->s_id, sb->s_type->name);
522 			goto fallback;
523 		} else {
524 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525 				sb->s_id, sb->s_type->name, -rc);
526 			return rc;
527 		}
528 	}
529 	return 0;
530 
531 fallback:
532 	/* No xattr support - try to fallback to genfs if possible. */
533 	rc = security_genfs_sid(sb->s_type->name, "/",
534 				SECCLASS_DIR, &sid);
535 	if (rc)
536 		return -EOPNOTSUPP;
537 
538 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539 		sb->s_id, sb->s_type->name);
540 	sbsec->behavior = SECURITY_FS_USE_GENFS;
541 	sbsec->sid = sid;
542 	return 0;
543 }
544 
545 static int sb_finish_set_opts(struct super_block *sb)
546 {
547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
548 	struct dentry *root = sb->s_root;
549 	struct inode *root_inode = d_backing_inode(root);
550 	int rc = 0;
551 
552 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
553 		rc = sb_check_xattr_support(sb);
554 		if (rc)
555 			return rc;
556 	}
557 
558 	sbsec->flags |= SE_SBINITIALIZED;
559 
560 	/*
561 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
562 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
563 	 * us a superblock that needs the flag to be cleared.
564 	 */
565 	if (selinux_is_sblabel_mnt(sb))
566 		sbsec->flags |= SBLABEL_MNT;
567 	else
568 		sbsec->flags &= ~SBLABEL_MNT;
569 
570 	/* Initialize the root inode. */
571 	rc = inode_doinit_with_dentry(root_inode, root);
572 
573 	/* Initialize any other inodes associated with the superblock, e.g.
574 	   inodes created prior to initial policy load or inodes created
575 	   during get_sb by a pseudo filesystem that directly
576 	   populates itself. */
577 	spin_lock(&sbsec->isec_lock);
578 	while (!list_empty(&sbsec->isec_head)) {
579 		struct inode_security_struct *isec =
580 				list_first_entry(&sbsec->isec_head,
581 					   struct inode_security_struct, list);
582 		struct inode *inode = isec->inode;
583 		list_del_init(&isec->list);
584 		spin_unlock(&sbsec->isec_lock);
585 		inode = igrab(inode);
586 		if (inode) {
587 			if (!IS_PRIVATE(inode))
588 				inode_doinit_with_dentry(inode, NULL);
589 			iput(inode);
590 		}
591 		spin_lock(&sbsec->isec_lock);
592 	}
593 	spin_unlock(&sbsec->isec_lock);
594 	return rc;
595 }
596 
597 static int bad_option(struct superblock_security_struct *sbsec, char flag,
598 		      u32 old_sid, u32 new_sid)
599 {
600 	char mnt_flags = sbsec->flags & SE_MNTMASK;
601 
602 	/* check if the old mount command had the same options */
603 	if (sbsec->flags & SE_SBINITIALIZED)
604 		if (!(sbsec->flags & flag) ||
605 		    (old_sid != new_sid))
606 			return 1;
607 
608 	/* check if we were passed the same options twice,
609 	 * aka someone passed context=a,context=b
610 	 */
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		if (mnt_flags & flag)
613 			return 1;
614 	return 0;
615 }
616 
617 /*
618  * Allow filesystems with binary mount data to explicitly set mount point
619  * labeling information.
620  */
621 static int selinux_set_mnt_opts(struct super_block *sb,
622 				void *mnt_opts,
623 				unsigned long kern_flags,
624 				unsigned long *set_kern_flags)
625 {
626 	const struct cred *cred = current_cred();
627 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
628 	struct dentry *root = sb->s_root;
629 	struct selinux_mnt_opts *opts = mnt_opts;
630 	struct inode_security_struct *root_isec;
631 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632 	u32 defcontext_sid = 0;
633 	int rc = 0;
634 
635 	/*
636 	 * Specifying internal flags without providing a place to
637 	 * place the results is not allowed
638 	 */
639 	if (kern_flags && !set_kern_flags)
640 		return -EINVAL;
641 
642 	mutex_lock(&sbsec->lock);
643 
644 	if (!selinux_initialized()) {
645 		if (!opts) {
646 			/* Defer initialization until selinux_complete_init,
647 			   after the initial policy is loaded and the security
648 			   server is ready to handle calls. */
649 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650 				sbsec->flags |= SE_SBNATIVE;
651 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652 			}
653 			goto out;
654 		}
655 		rc = -EINVAL;
656 		pr_warn("SELinux: Unable to set superblock options "
657 			"before the security server is initialized\n");
658 		goto out;
659 	}
660 
661 	/*
662 	 * Binary mount data FS will come through this function twice.  Once
663 	 * from an explicit call and once from the generic calls from the vfs.
664 	 * Since the generic VFS calls will not contain any security mount data
665 	 * we need to skip the double mount verification.
666 	 *
667 	 * This does open a hole in which we will not notice if the first
668 	 * mount using this sb set explicit options and a second mount using
669 	 * this sb does not set any security options.  (The first options
670 	 * will be used for both mounts)
671 	 */
672 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
673 	    && !opts)
674 		goto out;
675 
676 	root_isec = backing_inode_security_novalidate(root);
677 
678 	/*
679 	 * parse the mount options, check if they are valid sids.
680 	 * also check if someone is trying to mount the same sb more
681 	 * than once with different security options.
682 	 */
683 	if (opts) {
684 		if (opts->fscontext_sid) {
685 			fscontext_sid = opts->fscontext_sid;
686 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 					fscontext_sid))
688 				goto out_double_mount;
689 			sbsec->flags |= FSCONTEXT_MNT;
690 		}
691 		if (opts->context_sid) {
692 			context_sid = opts->context_sid;
693 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694 					context_sid))
695 				goto out_double_mount;
696 			sbsec->flags |= CONTEXT_MNT;
697 		}
698 		if (opts->rootcontext_sid) {
699 			rootcontext_sid = opts->rootcontext_sid;
700 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 					rootcontext_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= ROOTCONTEXT_MNT;
704 		}
705 		if (opts->defcontext_sid) {
706 			defcontext_sid = opts->defcontext_sid;
707 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708 					defcontext_sid))
709 				goto out_double_mount;
710 			sbsec->flags |= DEFCONTEXT_MNT;
711 		}
712 	}
713 
714 	if (sbsec->flags & SE_SBINITIALIZED) {
715 		/* previously mounted with options, but not on this attempt? */
716 		if ((sbsec->flags & SE_MNTMASK) && !opts)
717 			goto out_double_mount;
718 		rc = 0;
719 		goto out;
720 	}
721 
722 	if (strcmp(sb->s_type->name, "proc") == 0)
723 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724 
725 	if (!strcmp(sb->s_type->name, "debugfs") ||
726 	    !strcmp(sb->s_type->name, "tracefs") ||
727 	    !strcmp(sb->s_type->name, "binder") ||
728 	    !strcmp(sb->s_type->name, "bpf") ||
729 	    !strcmp(sb->s_type->name, "pstore") ||
730 	    !strcmp(sb->s_type->name, "securityfs"))
731 		sbsec->flags |= SE_SBGENFS;
732 
733 	if (!strcmp(sb->s_type->name, "sysfs") ||
734 	    !strcmp(sb->s_type->name, "cgroup") ||
735 	    !strcmp(sb->s_type->name, "cgroup2"))
736 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
737 
738 	if (!sbsec->behavior) {
739 		/*
740 		 * Determine the labeling behavior to use for this
741 		 * filesystem type.
742 		 */
743 		rc = security_fs_use(sb);
744 		if (rc) {
745 			pr_warn("%s: security_fs_use(%s) returned %d\n",
746 					__func__, sb->s_type->name, rc);
747 			goto out;
748 		}
749 	}
750 
751 	/*
752 	 * If this is a user namespace mount and the filesystem type is not
753 	 * explicitly whitelisted, then no contexts are allowed on the command
754 	 * line and security labels must be ignored.
755 	 */
756 	if (sb->s_user_ns != &init_user_ns &&
757 	    strcmp(sb->s_type->name, "tmpfs") &&
758 	    strcmp(sb->s_type->name, "ramfs") &&
759 	    strcmp(sb->s_type->name, "devpts") &&
760 	    strcmp(sb->s_type->name, "overlay")) {
761 		if (context_sid || fscontext_sid || rootcontext_sid ||
762 		    defcontext_sid) {
763 			rc = -EACCES;
764 			goto out;
765 		}
766 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
768 			rc = security_transition_sid(current_sid(),
769 						     current_sid(),
770 						     SECCLASS_FILE, NULL,
771 						     &sbsec->mntpoint_sid);
772 			if (rc)
773 				goto out;
774 		}
775 		goto out_set_opts;
776 	}
777 
778 	/* sets the context of the superblock for the fs being mounted. */
779 	if (fscontext_sid) {
780 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
781 		if (rc)
782 			goto out;
783 
784 		sbsec->sid = fscontext_sid;
785 	}
786 
787 	/*
788 	 * Switch to using mount point labeling behavior.
789 	 * sets the label used on all file below the mountpoint, and will set
790 	 * the superblock context if not already set.
791 	 */
792 	if (sbsec->flags & SE_SBNATIVE) {
793 		/*
794 		 * This means we are initializing a superblock that has been
795 		 * mounted before the SELinux was initialized and the
796 		 * filesystem requested native labeling. We had already
797 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798 		 * in the original mount attempt, so now we just need to set
799 		 * the SECURITY_FS_USE_NATIVE behavior.
800 		 */
801 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
802 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
803 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805 	}
806 
807 	if (context_sid) {
808 		if (!fscontext_sid) {
809 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
810 							  cred);
811 			if (rc)
812 				goto out;
813 			sbsec->sid = context_sid;
814 		} else {
815 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
816 							     cred);
817 			if (rc)
818 				goto out;
819 		}
820 		if (!rootcontext_sid)
821 			rootcontext_sid = context_sid;
822 
823 		sbsec->mntpoint_sid = context_sid;
824 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
825 	}
826 
827 	if (rootcontext_sid) {
828 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829 						     cred);
830 		if (rc)
831 			goto out;
832 
833 		root_isec->sid = rootcontext_sid;
834 		root_isec->initialized = LABEL_INITIALIZED;
835 	}
836 
837 	if (defcontext_sid) {
838 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
840 			rc = -EINVAL;
841 			pr_warn("SELinux: defcontext option is "
842 			       "invalid for this filesystem type\n");
843 			goto out;
844 		}
845 
846 		if (defcontext_sid != sbsec->def_sid) {
847 			rc = may_context_mount_inode_relabel(defcontext_sid,
848 							     sbsec, cred);
849 			if (rc)
850 				goto out;
851 		}
852 
853 		sbsec->def_sid = defcontext_sid;
854 	}
855 
856 out_set_opts:
857 	rc = sb_finish_set_opts(sb);
858 out:
859 	mutex_unlock(&sbsec->lock);
860 	return rc;
861 out_double_mount:
862 	rc = -EINVAL;
863 	pr_warn("SELinux: mount invalid.  Same superblock, different "
864 	       "security settings for (dev %s, type %s)\n", sb->s_id,
865 	       sb->s_type->name);
866 	goto out;
867 }
868 
869 static int selinux_cmp_sb_context(const struct super_block *oldsb,
870 				    const struct super_block *newsb)
871 {
872 	struct superblock_security_struct *old = selinux_superblock(oldsb);
873 	struct superblock_security_struct *new = selinux_superblock(newsb);
874 	char oldflags = old->flags & SE_MNTMASK;
875 	char newflags = new->flags & SE_MNTMASK;
876 
877 	if (oldflags != newflags)
878 		goto mismatch;
879 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880 		goto mismatch;
881 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882 		goto mismatch;
883 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884 		goto mismatch;
885 	if (oldflags & ROOTCONTEXT_MNT) {
886 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
888 		if (oldroot->sid != newroot->sid)
889 			goto mismatch;
890 	}
891 	return 0;
892 mismatch:
893 	pr_warn("SELinux: mount invalid.  Same superblock, "
894 			    "different security settings for (dev %s, "
895 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
896 	return -EBUSY;
897 }
898 
899 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
900 					struct super_block *newsb,
901 					unsigned long kern_flags,
902 					unsigned long *set_kern_flags)
903 {
904 	int rc = 0;
905 	const struct superblock_security_struct *oldsbsec =
906 						selinux_superblock(oldsb);
907 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
908 
909 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
910 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
911 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
912 
913 	/*
914 	 * Specifying internal flags without providing a place to
915 	 * place the results is not allowed.
916 	 */
917 	if (kern_flags && !set_kern_flags)
918 		return -EINVAL;
919 
920 	mutex_lock(&newsbsec->lock);
921 
922 	/*
923 	 * if the parent was able to be mounted it clearly had no special lsm
924 	 * mount options.  thus we can safely deal with this superblock later
925 	 */
926 	if (!selinux_initialized()) {
927 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928 			newsbsec->flags |= SE_SBNATIVE;
929 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930 		}
931 		goto out;
932 	}
933 
934 	/* how can we clone if the old one wasn't set up?? */
935 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
936 
937 	/* if fs is reusing a sb, make sure that the contexts match */
938 	if (newsbsec->flags & SE_SBINITIALIZED) {
939 		mutex_unlock(&newsbsec->lock);
940 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
942 		return selinux_cmp_sb_context(oldsb, newsb);
943 	}
944 
945 	newsbsec->flags = oldsbsec->flags;
946 
947 	newsbsec->sid = oldsbsec->sid;
948 	newsbsec->def_sid = oldsbsec->def_sid;
949 	newsbsec->behavior = oldsbsec->behavior;
950 
951 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 		rc = security_fs_use(newsb);
954 		if (rc)
955 			goto out;
956 	}
957 
958 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 	}
962 
963 	if (set_context) {
964 		u32 sid = oldsbsec->mntpoint_sid;
965 
966 		if (!set_fscontext)
967 			newsbsec->sid = sid;
968 		if (!set_rootcontext) {
969 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970 			newisec->sid = sid;
971 		}
972 		newsbsec->mntpoint_sid = sid;
973 	}
974 	if (set_rootcontext) {
975 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977 
978 		newisec->sid = oldisec->sid;
979 	}
980 
981 	sb_finish_set_opts(newsb);
982 out:
983 	mutex_unlock(&newsbsec->lock);
984 	return rc;
985 }
986 
987 /*
988  * NOTE: the caller is responsible for freeing the memory even if on error.
989  */
990 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
991 {
992 	struct selinux_mnt_opts *opts = *mnt_opts;
993 	u32 *dst_sid;
994 	int rc;
995 
996 	if (token == Opt_seclabel)
997 		/* eaten and completely ignored */
998 		return 0;
999 	if (!s)
1000 		return -EINVAL;
1001 
1002 	if (!selinux_initialized()) {
1003 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004 		return -EINVAL;
1005 	}
1006 
1007 	if (!opts) {
1008 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1009 		if (!opts)
1010 			return -ENOMEM;
1011 		*mnt_opts = opts;
1012 	}
1013 
1014 	switch (token) {
1015 	case Opt_context:
1016 		if (opts->context_sid || opts->defcontext_sid)
1017 			goto err;
1018 		dst_sid = &opts->context_sid;
1019 		break;
1020 	case Opt_fscontext:
1021 		if (opts->fscontext_sid)
1022 			goto err;
1023 		dst_sid = &opts->fscontext_sid;
1024 		break;
1025 	case Opt_rootcontext:
1026 		if (opts->rootcontext_sid)
1027 			goto err;
1028 		dst_sid = &opts->rootcontext_sid;
1029 		break;
1030 	case Opt_defcontext:
1031 		if (opts->context_sid || opts->defcontext_sid)
1032 			goto err;
1033 		dst_sid = &opts->defcontext_sid;
1034 		break;
1035 	default:
1036 		WARN_ON(1);
1037 		return -EINVAL;
1038 	}
1039 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1040 	if (rc)
1041 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042 			s, rc);
1043 	return rc;
1044 
1045 err:
1046 	pr_warn(SEL_MOUNT_FAIL_MSG);
1047 	return -EINVAL;
1048 }
1049 
1050 static int show_sid(struct seq_file *m, u32 sid)
1051 {
1052 	char *context = NULL;
1053 	u32 len;
1054 	int rc;
1055 
1056 	rc = security_sid_to_context(sid, &context, &len);
1057 	if (!rc) {
1058 		bool has_comma = strchr(context, ',');
1059 
1060 		seq_putc(m, '=');
1061 		if (has_comma)
1062 			seq_putc(m, '\"');
1063 		seq_escape(m, context, "\"\n\\");
1064 		if (has_comma)
1065 			seq_putc(m, '\"');
1066 	}
1067 	kfree(context);
1068 	return rc;
1069 }
1070 
1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1074 	int rc;
1075 
1076 	if (!(sbsec->flags & SE_SBINITIALIZED))
1077 		return 0;
1078 
1079 	if (!selinux_initialized())
1080 		return 0;
1081 
1082 	if (sbsec->flags & FSCONTEXT_MNT) {
1083 		seq_putc(m, ',');
1084 		seq_puts(m, FSCONTEXT_STR);
1085 		rc = show_sid(m, sbsec->sid);
1086 		if (rc)
1087 			return rc;
1088 	}
1089 	if (sbsec->flags & CONTEXT_MNT) {
1090 		seq_putc(m, ',');
1091 		seq_puts(m, CONTEXT_STR);
1092 		rc = show_sid(m, sbsec->mntpoint_sid);
1093 		if (rc)
1094 			return rc;
1095 	}
1096 	if (sbsec->flags & DEFCONTEXT_MNT) {
1097 		seq_putc(m, ',');
1098 		seq_puts(m, DEFCONTEXT_STR);
1099 		rc = show_sid(m, sbsec->def_sid);
1100 		if (rc)
1101 			return rc;
1102 	}
1103 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1104 		struct dentry *root = sb->s_root;
1105 		struct inode_security_struct *isec = backing_inode_security(root);
1106 		seq_putc(m, ',');
1107 		seq_puts(m, ROOTCONTEXT_STR);
1108 		rc = show_sid(m, isec->sid);
1109 		if (rc)
1110 			return rc;
1111 	}
1112 	if (sbsec->flags & SBLABEL_MNT) {
1113 		seq_putc(m, ',');
1114 		seq_puts(m, SECLABEL_STR);
1115 	}
1116 	return 0;
1117 }
1118 
1119 static inline u16 inode_mode_to_security_class(umode_t mode)
1120 {
1121 	switch (mode & S_IFMT) {
1122 	case S_IFSOCK:
1123 		return SECCLASS_SOCK_FILE;
1124 	case S_IFLNK:
1125 		return SECCLASS_LNK_FILE;
1126 	case S_IFREG:
1127 		return SECCLASS_FILE;
1128 	case S_IFBLK:
1129 		return SECCLASS_BLK_FILE;
1130 	case S_IFDIR:
1131 		return SECCLASS_DIR;
1132 	case S_IFCHR:
1133 		return SECCLASS_CHR_FILE;
1134 	case S_IFIFO:
1135 		return SECCLASS_FIFO_FILE;
1136 
1137 	}
1138 
1139 	return SECCLASS_FILE;
1140 }
1141 
1142 static inline int default_protocol_stream(int protocol)
1143 {
1144 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145 		protocol == IPPROTO_MPTCP);
1146 }
1147 
1148 static inline int default_protocol_dgram(int protocol)
1149 {
1150 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151 }
1152 
1153 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154 {
1155 	bool extsockclass = selinux_policycap_extsockclass();
1156 
1157 	switch (family) {
1158 	case PF_UNIX:
1159 		switch (type) {
1160 		case SOCK_STREAM:
1161 		case SOCK_SEQPACKET:
1162 			return SECCLASS_UNIX_STREAM_SOCKET;
1163 		case SOCK_DGRAM:
1164 		case SOCK_RAW:
1165 			return SECCLASS_UNIX_DGRAM_SOCKET;
1166 		}
1167 		break;
1168 	case PF_INET:
1169 	case PF_INET6:
1170 		switch (type) {
1171 		case SOCK_STREAM:
1172 		case SOCK_SEQPACKET:
1173 			if (default_protocol_stream(protocol))
1174 				return SECCLASS_TCP_SOCKET;
1175 			else if (extsockclass && protocol == IPPROTO_SCTP)
1176 				return SECCLASS_SCTP_SOCKET;
1177 			else
1178 				return SECCLASS_RAWIP_SOCKET;
1179 		case SOCK_DGRAM:
1180 			if (default_protocol_dgram(protocol))
1181 				return SECCLASS_UDP_SOCKET;
1182 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183 						  protocol == IPPROTO_ICMPV6))
1184 				return SECCLASS_ICMP_SOCKET;
1185 			else
1186 				return SECCLASS_RAWIP_SOCKET;
1187 		case SOCK_DCCP:
1188 			return SECCLASS_DCCP_SOCKET;
1189 		default:
1190 			return SECCLASS_RAWIP_SOCKET;
1191 		}
1192 		break;
1193 	case PF_NETLINK:
1194 		switch (protocol) {
1195 		case NETLINK_ROUTE:
1196 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1197 		case NETLINK_SOCK_DIAG:
1198 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 		case NETLINK_NFLOG:
1200 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 		case NETLINK_XFRM:
1202 			return SECCLASS_NETLINK_XFRM_SOCKET;
1203 		case NETLINK_SELINUX:
1204 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1205 		case NETLINK_ISCSI:
1206 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1207 		case NETLINK_AUDIT:
1208 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1209 		case NETLINK_FIB_LOOKUP:
1210 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 		case NETLINK_CONNECTOR:
1212 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 		case NETLINK_NETFILTER:
1214 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215 		case NETLINK_DNRTMSG:
1216 			return SECCLASS_NETLINK_DNRT_SOCKET;
1217 		case NETLINK_KOBJECT_UEVENT:
1218 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 		case NETLINK_GENERIC:
1220 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 		case NETLINK_SCSITRANSPORT:
1222 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 		case NETLINK_RDMA:
1224 			return SECCLASS_NETLINK_RDMA_SOCKET;
1225 		case NETLINK_CRYPTO:
1226 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227 		default:
1228 			return SECCLASS_NETLINK_SOCKET;
1229 		}
1230 	case PF_PACKET:
1231 		return SECCLASS_PACKET_SOCKET;
1232 	case PF_KEY:
1233 		return SECCLASS_KEY_SOCKET;
1234 	case PF_APPLETALK:
1235 		return SECCLASS_APPLETALK_SOCKET;
1236 	}
1237 
1238 	if (extsockclass) {
1239 		switch (family) {
1240 		case PF_AX25:
1241 			return SECCLASS_AX25_SOCKET;
1242 		case PF_IPX:
1243 			return SECCLASS_IPX_SOCKET;
1244 		case PF_NETROM:
1245 			return SECCLASS_NETROM_SOCKET;
1246 		case PF_ATMPVC:
1247 			return SECCLASS_ATMPVC_SOCKET;
1248 		case PF_X25:
1249 			return SECCLASS_X25_SOCKET;
1250 		case PF_ROSE:
1251 			return SECCLASS_ROSE_SOCKET;
1252 		case PF_DECnet:
1253 			return SECCLASS_DECNET_SOCKET;
1254 		case PF_ATMSVC:
1255 			return SECCLASS_ATMSVC_SOCKET;
1256 		case PF_RDS:
1257 			return SECCLASS_RDS_SOCKET;
1258 		case PF_IRDA:
1259 			return SECCLASS_IRDA_SOCKET;
1260 		case PF_PPPOX:
1261 			return SECCLASS_PPPOX_SOCKET;
1262 		case PF_LLC:
1263 			return SECCLASS_LLC_SOCKET;
1264 		case PF_CAN:
1265 			return SECCLASS_CAN_SOCKET;
1266 		case PF_TIPC:
1267 			return SECCLASS_TIPC_SOCKET;
1268 		case PF_BLUETOOTH:
1269 			return SECCLASS_BLUETOOTH_SOCKET;
1270 		case PF_IUCV:
1271 			return SECCLASS_IUCV_SOCKET;
1272 		case PF_RXRPC:
1273 			return SECCLASS_RXRPC_SOCKET;
1274 		case PF_ISDN:
1275 			return SECCLASS_ISDN_SOCKET;
1276 		case PF_PHONET:
1277 			return SECCLASS_PHONET_SOCKET;
1278 		case PF_IEEE802154:
1279 			return SECCLASS_IEEE802154_SOCKET;
1280 		case PF_CAIF:
1281 			return SECCLASS_CAIF_SOCKET;
1282 		case PF_ALG:
1283 			return SECCLASS_ALG_SOCKET;
1284 		case PF_NFC:
1285 			return SECCLASS_NFC_SOCKET;
1286 		case PF_VSOCK:
1287 			return SECCLASS_VSOCK_SOCKET;
1288 		case PF_KCM:
1289 			return SECCLASS_KCM_SOCKET;
1290 		case PF_QIPCRTR:
1291 			return SECCLASS_QIPCRTR_SOCKET;
1292 		case PF_SMC:
1293 			return SECCLASS_SMC_SOCKET;
1294 		case PF_XDP:
1295 			return SECCLASS_XDP_SOCKET;
1296 		case PF_MCTP:
1297 			return SECCLASS_MCTP_SOCKET;
1298 #if PF_MAX > 46
1299 #error New address family defined, please update this function.
1300 #endif
1301 		}
1302 	}
1303 
1304 	return SECCLASS_SOCKET;
1305 }
1306 
1307 static int selinux_genfs_get_sid(struct dentry *dentry,
1308 				 u16 tclass,
1309 				 u16 flags,
1310 				 u32 *sid)
1311 {
1312 	int rc;
1313 	struct super_block *sb = dentry->d_sb;
1314 	char *buffer, *path;
1315 
1316 	buffer = (char *)__get_free_page(GFP_KERNEL);
1317 	if (!buffer)
1318 		return -ENOMEM;
1319 
1320 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321 	if (IS_ERR(path))
1322 		rc = PTR_ERR(path);
1323 	else {
1324 		if (flags & SE_SBPROC) {
1325 			/* each process gets a /proc/PID/ entry. Strip off the
1326 			 * PID part to get a valid selinux labeling.
1327 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328 			while (path[1] >= '0' && path[1] <= '9') {
1329 				path[1] = '/';
1330 				path++;
1331 			}
1332 		}
1333 		rc = security_genfs_sid(sb->s_type->name,
1334 					path, tclass, sid);
1335 		if (rc == -ENOENT) {
1336 			/* No match in policy, mark as unlabeled. */
1337 			*sid = SECINITSID_UNLABELED;
1338 			rc = 0;
1339 		}
1340 	}
1341 	free_page((unsigned long)buffer);
1342 	return rc;
1343 }
1344 
1345 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346 				  u32 def_sid, u32 *sid)
1347 {
1348 #define INITCONTEXTLEN 255
1349 	char *context;
1350 	unsigned int len;
1351 	int rc;
1352 
1353 	len = INITCONTEXTLEN;
1354 	context = kmalloc(len + 1, GFP_NOFS);
1355 	if (!context)
1356 		return -ENOMEM;
1357 
1358 	context[len] = '\0';
1359 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360 	if (rc == -ERANGE) {
1361 		kfree(context);
1362 
1363 		/* Need a larger buffer.  Query for the right size. */
1364 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365 		if (rc < 0)
1366 			return rc;
1367 
1368 		len = rc;
1369 		context = kmalloc(len + 1, GFP_NOFS);
1370 		if (!context)
1371 			return -ENOMEM;
1372 
1373 		context[len] = '\0';
1374 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375 				    context, len);
1376 	}
1377 	if (rc < 0) {
1378 		kfree(context);
1379 		if (rc != -ENODATA) {
1380 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1381 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382 			return rc;
1383 		}
1384 		*sid = def_sid;
1385 		return 0;
1386 	}
1387 
1388 	rc = security_context_to_sid_default(context, rc, sid,
1389 					     def_sid, GFP_NOFS);
1390 	if (rc) {
1391 		char *dev = inode->i_sb->s_id;
1392 		unsigned long ino = inode->i_ino;
1393 
1394 		if (rc == -EINVAL) {
1395 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1396 					      ino, dev, context);
1397 		} else {
1398 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399 				__func__, context, -rc, dev, ino);
1400 		}
1401 	}
1402 	kfree(context);
1403 	return 0;
1404 }
1405 
1406 /* The inode's security attributes must be initialized before first use. */
1407 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408 {
1409 	struct superblock_security_struct *sbsec = NULL;
1410 	struct inode_security_struct *isec = selinux_inode(inode);
1411 	u32 task_sid, sid = 0;
1412 	u16 sclass;
1413 	struct dentry *dentry;
1414 	int rc = 0;
1415 
1416 	if (isec->initialized == LABEL_INITIALIZED)
1417 		return 0;
1418 
1419 	spin_lock(&isec->lock);
1420 	if (isec->initialized == LABEL_INITIALIZED)
1421 		goto out_unlock;
1422 
1423 	if (isec->sclass == SECCLASS_FILE)
1424 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425 
1426 	sbsec = selinux_superblock(inode->i_sb);
1427 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1428 		/* Defer initialization until selinux_complete_init,
1429 		   after the initial policy is loaded and the security
1430 		   server is ready to handle calls. */
1431 		spin_lock(&sbsec->isec_lock);
1432 		if (list_empty(&isec->list))
1433 			list_add(&isec->list, &sbsec->isec_head);
1434 		spin_unlock(&sbsec->isec_lock);
1435 		goto out_unlock;
1436 	}
1437 
1438 	sclass = isec->sclass;
1439 	task_sid = isec->task_sid;
1440 	sid = isec->sid;
1441 	isec->initialized = LABEL_PENDING;
1442 	spin_unlock(&isec->lock);
1443 
1444 	switch (sbsec->behavior) {
1445 	/*
1446 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447 	 * via xattr when called from delayed_superblock_init().
1448 	 */
1449 	case SECURITY_FS_USE_NATIVE:
1450 	case SECURITY_FS_USE_XATTR:
1451 		if (!(inode->i_opflags & IOP_XATTR)) {
1452 			sid = sbsec->def_sid;
1453 			break;
1454 		}
1455 		/* Need a dentry, since the xattr API requires one.
1456 		   Life would be simpler if we could just pass the inode. */
1457 		if (opt_dentry) {
1458 			/* Called from d_instantiate or d_splice_alias. */
1459 			dentry = dget(opt_dentry);
1460 		} else {
1461 			/*
1462 			 * Called from selinux_complete_init, try to find a dentry.
1463 			 * Some filesystems really want a connected one, so try
1464 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1465 			 * two, depending upon that...
1466 			 */
1467 			dentry = d_find_alias(inode);
1468 			if (!dentry)
1469 				dentry = d_find_any_alias(inode);
1470 		}
1471 		if (!dentry) {
1472 			/*
1473 			 * this is can be hit on boot when a file is accessed
1474 			 * before the policy is loaded.  When we load policy we
1475 			 * may find inodes that have no dentry on the
1476 			 * sbsec->isec_head list.  No reason to complain as these
1477 			 * will get fixed up the next time we go through
1478 			 * inode_doinit with a dentry, before these inodes could
1479 			 * be used again by userspace.
1480 			 */
1481 			goto out_invalid;
1482 		}
1483 
1484 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485 					    &sid);
1486 		dput(dentry);
1487 		if (rc)
1488 			goto out;
1489 		break;
1490 	case SECURITY_FS_USE_TASK:
1491 		sid = task_sid;
1492 		break;
1493 	case SECURITY_FS_USE_TRANS:
1494 		/* Default to the fs SID. */
1495 		sid = sbsec->sid;
1496 
1497 		/* Try to obtain a transition SID. */
1498 		rc = security_transition_sid(task_sid, sid,
1499 					     sclass, NULL, &sid);
1500 		if (rc)
1501 			goto out;
1502 		break;
1503 	case SECURITY_FS_USE_MNTPOINT:
1504 		sid = sbsec->mntpoint_sid;
1505 		break;
1506 	default:
1507 		/* Default to the fs superblock SID. */
1508 		sid = sbsec->sid;
1509 
1510 		if ((sbsec->flags & SE_SBGENFS) &&
1511 		     (!S_ISLNK(inode->i_mode) ||
1512 		      selinux_policycap_genfs_seclabel_symlinks())) {
1513 			/* We must have a dentry to determine the label on
1514 			 * procfs inodes */
1515 			if (opt_dentry) {
1516 				/* Called from d_instantiate or
1517 				 * d_splice_alias. */
1518 				dentry = dget(opt_dentry);
1519 			} else {
1520 				/* Called from selinux_complete_init, try to
1521 				 * find a dentry.  Some filesystems really want
1522 				 * a connected one, so try that first.
1523 				 */
1524 				dentry = d_find_alias(inode);
1525 				if (!dentry)
1526 					dentry = d_find_any_alias(inode);
1527 			}
1528 			/*
1529 			 * This can be hit on boot when a file is accessed
1530 			 * before the policy is loaded.  When we load policy we
1531 			 * may find inodes that have no dentry on the
1532 			 * sbsec->isec_head list.  No reason to complain as
1533 			 * these will get fixed up the next time we go through
1534 			 * inode_doinit() with a dentry, before these inodes
1535 			 * could be used again by userspace.
1536 			 */
1537 			if (!dentry)
1538 				goto out_invalid;
1539 			rc = selinux_genfs_get_sid(dentry, sclass,
1540 						   sbsec->flags, &sid);
1541 			if (rc) {
1542 				dput(dentry);
1543 				goto out;
1544 			}
1545 
1546 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547 			    (inode->i_opflags & IOP_XATTR)) {
1548 				rc = inode_doinit_use_xattr(inode, dentry,
1549 							    sid, &sid);
1550 				if (rc) {
1551 					dput(dentry);
1552 					goto out;
1553 				}
1554 			}
1555 			dput(dentry);
1556 		}
1557 		break;
1558 	}
1559 
1560 out:
1561 	spin_lock(&isec->lock);
1562 	if (isec->initialized == LABEL_PENDING) {
1563 		if (rc) {
1564 			isec->initialized = LABEL_INVALID;
1565 			goto out_unlock;
1566 		}
1567 		isec->initialized = LABEL_INITIALIZED;
1568 		isec->sid = sid;
1569 	}
1570 
1571 out_unlock:
1572 	spin_unlock(&isec->lock);
1573 	return rc;
1574 
1575 out_invalid:
1576 	spin_lock(&isec->lock);
1577 	if (isec->initialized == LABEL_PENDING) {
1578 		isec->initialized = LABEL_INVALID;
1579 		isec->sid = sid;
1580 	}
1581 	spin_unlock(&isec->lock);
1582 	return 0;
1583 }
1584 
1585 /* Convert a Linux signal to an access vector. */
1586 static inline u32 signal_to_av(int sig)
1587 {
1588 	u32 perm = 0;
1589 
1590 	switch (sig) {
1591 	case SIGCHLD:
1592 		/* Commonly granted from child to parent. */
1593 		perm = PROCESS__SIGCHLD;
1594 		break;
1595 	case SIGKILL:
1596 		/* Cannot be caught or ignored */
1597 		perm = PROCESS__SIGKILL;
1598 		break;
1599 	case SIGSTOP:
1600 		/* Cannot be caught or ignored */
1601 		perm = PROCESS__SIGSTOP;
1602 		break;
1603 	default:
1604 		/* All other signals. */
1605 		perm = PROCESS__SIGNAL;
1606 		break;
1607 	}
1608 
1609 	return perm;
1610 }
1611 
1612 #if CAP_LAST_CAP > 63
1613 #error Fix SELinux to handle capabilities > 63.
1614 #endif
1615 
1616 /* Check whether a task is allowed to use a capability. */
1617 static int cred_has_capability(const struct cred *cred,
1618 			       int cap, unsigned int opts, bool initns)
1619 {
1620 	struct common_audit_data ad;
1621 	struct av_decision avd;
1622 	u16 sclass;
1623 	u32 sid = cred_sid(cred);
1624 	u32 av = CAP_TO_MASK(cap);
1625 	int rc;
1626 
1627 	ad.type = LSM_AUDIT_DATA_CAP;
1628 	ad.u.cap = cap;
1629 
1630 	switch (CAP_TO_INDEX(cap)) {
1631 	case 0:
1632 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1633 		break;
1634 	case 1:
1635 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1636 		break;
1637 	default:
1638 		pr_err("SELinux:  out of range capability %d\n", cap);
1639 		BUG();
1640 		return -EINVAL;
1641 	}
1642 
1643 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1644 	if (!(opts & CAP_OPT_NOAUDIT)) {
1645 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1646 		if (rc2)
1647 			return rc2;
1648 	}
1649 	return rc;
1650 }
1651 
1652 /* Check whether a task has a particular permission to an inode.
1653    The 'adp' parameter is optional and allows other audit
1654    data to be passed (e.g. the dentry). */
1655 static int inode_has_perm(const struct cred *cred,
1656 			  struct inode *inode,
1657 			  u32 perms,
1658 			  struct common_audit_data *adp)
1659 {
1660 	struct inode_security_struct *isec;
1661 	u32 sid;
1662 
1663 	if (unlikely(IS_PRIVATE(inode)))
1664 		return 0;
1665 
1666 	sid = cred_sid(cred);
1667 	isec = selinux_inode(inode);
1668 
1669 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1670 }
1671 
1672 /* Same as inode_has_perm, but pass explicit audit data containing
1673    the dentry to help the auditing code to more easily generate the
1674    pathname if needed. */
1675 static inline int dentry_has_perm(const struct cred *cred,
1676 				  struct dentry *dentry,
1677 				  u32 av)
1678 {
1679 	struct inode *inode = d_backing_inode(dentry);
1680 	struct common_audit_data ad;
1681 
1682 	ad.type = LSM_AUDIT_DATA_DENTRY;
1683 	ad.u.dentry = dentry;
1684 	__inode_security_revalidate(inode, dentry, true);
1685 	return inode_has_perm(cred, inode, av, &ad);
1686 }
1687 
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the path to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int path_has_perm(const struct cred *cred,
1692 				const struct path *path,
1693 				u32 av)
1694 {
1695 	struct inode *inode = d_backing_inode(path->dentry);
1696 	struct common_audit_data ad;
1697 
1698 	ad.type = LSM_AUDIT_DATA_PATH;
1699 	ad.u.path = *path;
1700 	__inode_security_revalidate(inode, path->dentry, true);
1701 	return inode_has_perm(cred, inode, av, &ad);
1702 }
1703 
1704 /* Same as path_has_perm, but uses the inode from the file struct. */
1705 static inline int file_path_has_perm(const struct cred *cred,
1706 				     struct file *file,
1707 				     u32 av)
1708 {
1709 	struct common_audit_data ad;
1710 
1711 	ad.type = LSM_AUDIT_DATA_FILE;
1712 	ad.u.file = file;
1713 	return inode_has_perm(cred, file_inode(file), av, &ad);
1714 }
1715 
1716 #ifdef CONFIG_BPF_SYSCALL
1717 static int bpf_fd_pass(const struct file *file, u32 sid);
1718 #endif
1719 
1720 /* Check whether a task can use an open file descriptor to
1721    access an inode in a given way.  Check access to the
1722    descriptor itself, and then use dentry_has_perm to
1723    check a particular permission to the file.
1724    Access to the descriptor is implicitly granted if it
1725    has the same SID as the process.  If av is zero, then
1726    access to the file is not checked, e.g. for cases
1727    where only the descriptor is affected like seek. */
1728 static int file_has_perm(const struct cred *cred,
1729 			 struct file *file,
1730 			 u32 av)
1731 {
1732 	struct file_security_struct *fsec = selinux_file(file);
1733 	struct inode *inode = file_inode(file);
1734 	struct common_audit_data ad;
1735 	u32 sid = cred_sid(cred);
1736 	int rc;
1737 
1738 	ad.type = LSM_AUDIT_DATA_FILE;
1739 	ad.u.file = file;
1740 
1741 	if (sid != fsec->sid) {
1742 		rc = avc_has_perm(sid, fsec->sid,
1743 				  SECCLASS_FD,
1744 				  FD__USE,
1745 				  &ad);
1746 		if (rc)
1747 			goto out;
1748 	}
1749 
1750 #ifdef CONFIG_BPF_SYSCALL
1751 	rc = bpf_fd_pass(file, cred_sid(cred));
1752 	if (rc)
1753 		return rc;
1754 #endif
1755 
1756 	/* av is zero if only checking access to the descriptor. */
1757 	rc = 0;
1758 	if (av)
1759 		rc = inode_has_perm(cred, inode, av, &ad);
1760 
1761 out:
1762 	return rc;
1763 }
1764 
1765 /*
1766  * Determine the label for an inode that might be unioned.
1767  */
1768 static int
1769 selinux_determine_inode_label(const struct task_security_struct *tsec,
1770 				 struct inode *dir,
1771 				 const struct qstr *name, u16 tclass,
1772 				 u32 *_new_isid)
1773 {
1774 	const struct superblock_security_struct *sbsec =
1775 						selinux_superblock(dir->i_sb);
1776 
1777 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1778 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1779 		*_new_isid = sbsec->mntpoint_sid;
1780 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1781 		   tsec->create_sid) {
1782 		*_new_isid = tsec->create_sid;
1783 	} else {
1784 		const struct inode_security_struct *dsec = inode_security(dir);
1785 		return security_transition_sid(tsec->sid,
1786 					       dsec->sid, tclass,
1787 					       name, _new_isid);
1788 	}
1789 
1790 	return 0;
1791 }
1792 
1793 /* Check whether a task can create a file. */
1794 static int may_create(struct inode *dir,
1795 		      struct dentry *dentry,
1796 		      u16 tclass)
1797 {
1798 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1799 	struct inode_security_struct *dsec;
1800 	struct superblock_security_struct *sbsec;
1801 	u32 sid, newsid;
1802 	struct common_audit_data ad;
1803 	int rc;
1804 
1805 	dsec = inode_security(dir);
1806 	sbsec = selinux_superblock(dir->i_sb);
1807 
1808 	sid = tsec->sid;
1809 
1810 	ad.type = LSM_AUDIT_DATA_DENTRY;
1811 	ad.u.dentry = dentry;
1812 
1813 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1814 			  DIR__ADD_NAME | DIR__SEARCH,
1815 			  &ad);
1816 	if (rc)
1817 		return rc;
1818 
1819 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1820 					   &newsid);
1821 	if (rc)
1822 		return rc;
1823 
1824 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1825 	if (rc)
1826 		return rc;
1827 
1828 	return avc_has_perm(newsid, sbsec->sid,
1829 			    SECCLASS_FILESYSTEM,
1830 			    FILESYSTEM__ASSOCIATE, &ad);
1831 }
1832 
1833 #define MAY_LINK	0
1834 #define MAY_UNLINK	1
1835 #define MAY_RMDIR	2
1836 
1837 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1838 static int may_link(struct inode *dir,
1839 		    struct dentry *dentry,
1840 		    int kind)
1841 
1842 {
1843 	struct inode_security_struct *dsec, *isec;
1844 	struct common_audit_data ad;
1845 	u32 sid = current_sid();
1846 	u32 av;
1847 	int rc;
1848 
1849 	dsec = inode_security(dir);
1850 	isec = backing_inode_security(dentry);
1851 
1852 	ad.type = LSM_AUDIT_DATA_DENTRY;
1853 	ad.u.dentry = dentry;
1854 
1855 	av = DIR__SEARCH;
1856 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1857 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1858 	if (rc)
1859 		return rc;
1860 
1861 	switch (kind) {
1862 	case MAY_LINK:
1863 		av = FILE__LINK;
1864 		break;
1865 	case MAY_UNLINK:
1866 		av = FILE__UNLINK;
1867 		break;
1868 	case MAY_RMDIR:
1869 		av = DIR__RMDIR;
1870 		break;
1871 	default:
1872 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1873 			__func__, kind);
1874 		return 0;
1875 	}
1876 
1877 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1878 	return rc;
1879 }
1880 
1881 static inline int may_rename(struct inode *old_dir,
1882 			     struct dentry *old_dentry,
1883 			     struct inode *new_dir,
1884 			     struct dentry *new_dentry)
1885 {
1886 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1887 	struct common_audit_data ad;
1888 	u32 sid = current_sid();
1889 	u32 av;
1890 	int old_is_dir, new_is_dir;
1891 	int rc;
1892 
1893 	old_dsec = inode_security(old_dir);
1894 	old_isec = backing_inode_security(old_dentry);
1895 	old_is_dir = d_is_dir(old_dentry);
1896 	new_dsec = inode_security(new_dir);
1897 
1898 	ad.type = LSM_AUDIT_DATA_DENTRY;
1899 
1900 	ad.u.dentry = old_dentry;
1901 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1902 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1903 	if (rc)
1904 		return rc;
1905 	rc = avc_has_perm(sid, old_isec->sid,
1906 			  old_isec->sclass, FILE__RENAME, &ad);
1907 	if (rc)
1908 		return rc;
1909 	if (old_is_dir && new_dir != old_dir) {
1910 		rc = avc_has_perm(sid, old_isec->sid,
1911 				  old_isec->sclass, DIR__REPARENT, &ad);
1912 		if (rc)
1913 			return rc;
1914 	}
1915 
1916 	ad.u.dentry = new_dentry;
1917 	av = DIR__ADD_NAME | DIR__SEARCH;
1918 	if (d_is_positive(new_dentry))
1919 		av |= DIR__REMOVE_NAME;
1920 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 	if (rc)
1922 		return rc;
1923 	if (d_is_positive(new_dentry)) {
1924 		new_isec = backing_inode_security(new_dentry);
1925 		new_is_dir = d_is_dir(new_dentry);
1926 		rc = avc_has_perm(sid, new_isec->sid,
1927 				  new_isec->sclass,
1928 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1929 		if (rc)
1930 			return rc;
1931 	}
1932 
1933 	return 0;
1934 }
1935 
1936 /* Check whether a task can perform a filesystem operation. */
1937 static int superblock_has_perm(const struct cred *cred,
1938 			       struct super_block *sb,
1939 			       u32 perms,
1940 			       struct common_audit_data *ad)
1941 {
1942 	struct superblock_security_struct *sbsec;
1943 	u32 sid = cred_sid(cred);
1944 
1945 	sbsec = selinux_superblock(sb);
1946 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1947 }
1948 
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1951 {
1952 	u32 av = 0;
1953 
1954 	if (!S_ISDIR(mode)) {
1955 		if (mask & MAY_EXEC)
1956 			av |= FILE__EXECUTE;
1957 		if (mask & MAY_READ)
1958 			av |= FILE__READ;
1959 
1960 		if (mask & MAY_APPEND)
1961 			av |= FILE__APPEND;
1962 		else if (mask & MAY_WRITE)
1963 			av |= FILE__WRITE;
1964 
1965 	} else {
1966 		if (mask & MAY_EXEC)
1967 			av |= DIR__SEARCH;
1968 		if (mask & MAY_WRITE)
1969 			av |= DIR__WRITE;
1970 		if (mask & MAY_READ)
1971 			av |= DIR__READ;
1972 	}
1973 
1974 	return av;
1975 }
1976 
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(const struct file *file)
1979 {
1980 	u32 av = 0;
1981 
1982 	if (file->f_mode & FMODE_READ)
1983 		av |= FILE__READ;
1984 	if (file->f_mode & FMODE_WRITE) {
1985 		if (file->f_flags & O_APPEND)
1986 			av |= FILE__APPEND;
1987 		else
1988 			av |= FILE__WRITE;
1989 	}
1990 	if (!av) {
1991 		/*
1992 		 * Special file opened with flags 3 for ioctl-only use.
1993 		 */
1994 		av = FILE__IOCTL;
1995 	}
1996 
1997 	return av;
1998 }
1999 
2000 /*
2001  * Convert a file to an access vector and include the correct
2002  * open permission.
2003  */
2004 static inline u32 open_file_to_av(struct file *file)
2005 {
2006 	u32 av = file_to_av(file);
2007 	struct inode *inode = file_inode(file);
2008 
2009 	if (selinux_policycap_openperm() &&
2010 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2011 		av |= FILE__OPEN;
2012 
2013 	return av;
2014 }
2015 
2016 /* Hook functions begin here. */
2017 
2018 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2019 {
2020 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2021 			    BINDER__SET_CONTEXT_MGR, NULL);
2022 }
2023 
2024 static int selinux_binder_transaction(const struct cred *from,
2025 				      const struct cred *to)
2026 {
2027 	u32 mysid = current_sid();
2028 	u32 fromsid = cred_sid(from);
2029 	u32 tosid = cred_sid(to);
2030 	int rc;
2031 
2032 	if (mysid != fromsid) {
2033 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2034 				  BINDER__IMPERSONATE, NULL);
2035 		if (rc)
2036 			return rc;
2037 	}
2038 
2039 	return avc_has_perm(fromsid, tosid,
2040 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2041 }
2042 
2043 static int selinux_binder_transfer_binder(const struct cred *from,
2044 					  const struct cred *to)
2045 {
2046 	return avc_has_perm(cred_sid(from), cred_sid(to),
2047 			    SECCLASS_BINDER, BINDER__TRANSFER,
2048 			    NULL);
2049 }
2050 
2051 static int selinux_binder_transfer_file(const struct cred *from,
2052 					const struct cred *to,
2053 					const struct file *file)
2054 {
2055 	u32 sid = cred_sid(to);
2056 	struct file_security_struct *fsec = selinux_file(file);
2057 	struct dentry *dentry = file->f_path.dentry;
2058 	struct inode_security_struct *isec;
2059 	struct common_audit_data ad;
2060 	int rc;
2061 
2062 	ad.type = LSM_AUDIT_DATA_PATH;
2063 	ad.u.path = file->f_path;
2064 
2065 	if (sid != fsec->sid) {
2066 		rc = avc_has_perm(sid, fsec->sid,
2067 				  SECCLASS_FD,
2068 				  FD__USE,
2069 				  &ad);
2070 		if (rc)
2071 			return rc;
2072 	}
2073 
2074 #ifdef CONFIG_BPF_SYSCALL
2075 	rc = bpf_fd_pass(file, sid);
2076 	if (rc)
2077 		return rc;
2078 #endif
2079 
2080 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2081 		return 0;
2082 
2083 	isec = backing_inode_security(dentry);
2084 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2085 			    &ad);
2086 }
2087 
2088 static int selinux_ptrace_access_check(struct task_struct *child,
2089 				       unsigned int mode)
2090 {
2091 	u32 sid = current_sid();
2092 	u32 csid = task_sid_obj(child);
2093 
2094 	if (mode & PTRACE_MODE_READ)
2095 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2096 				NULL);
2097 
2098 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2099 			NULL);
2100 }
2101 
2102 static int selinux_ptrace_traceme(struct task_struct *parent)
2103 {
2104 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2105 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2106 }
2107 
2108 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2109 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2110 {
2111 	return avc_has_perm(current_sid(), task_sid_obj(target),
2112 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2113 }
2114 
2115 static int selinux_capset(struct cred *new, const struct cred *old,
2116 			  const kernel_cap_t *effective,
2117 			  const kernel_cap_t *inheritable,
2118 			  const kernel_cap_t *permitted)
2119 {
2120 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2121 			    PROCESS__SETCAP, NULL);
2122 }
2123 
2124 /*
2125  * (This comment used to live with the selinux_task_setuid hook,
2126  * which was removed).
2127  *
2128  * Since setuid only affects the current process, and since the SELinux
2129  * controls are not based on the Linux identity attributes, SELinux does not
2130  * need to control this operation.  However, SELinux does control the use of
2131  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2132  */
2133 
2134 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2135 			   int cap, unsigned int opts)
2136 {
2137 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2138 }
2139 
2140 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2141 {
2142 	const struct cred *cred = current_cred();
2143 	int rc = 0;
2144 
2145 	if (!sb)
2146 		return 0;
2147 
2148 	switch (cmds) {
2149 	case Q_SYNC:
2150 	case Q_QUOTAON:
2151 	case Q_QUOTAOFF:
2152 	case Q_SETINFO:
2153 	case Q_SETQUOTA:
2154 	case Q_XQUOTAOFF:
2155 	case Q_XQUOTAON:
2156 	case Q_XSETQLIM:
2157 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2158 		break;
2159 	case Q_GETFMT:
2160 	case Q_GETINFO:
2161 	case Q_GETQUOTA:
2162 	case Q_XGETQUOTA:
2163 	case Q_XGETQSTAT:
2164 	case Q_XGETQSTATV:
2165 	case Q_XGETNEXTQUOTA:
2166 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2167 		break;
2168 	default:
2169 		rc = 0;  /* let the kernel handle invalid cmds */
2170 		break;
2171 	}
2172 	return rc;
2173 }
2174 
2175 static int selinux_quota_on(struct dentry *dentry)
2176 {
2177 	const struct cred *cred = current_cred();
2178 
2179 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2180 }
2181 
2182 static int selinux_syslog(int type)
2183 {
2184 	switch (type) {
2185 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2186 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2187 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2188 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2189 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2190 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2191 	/* Set level of messages printed to console */
2192 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2193 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2194 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2195 				    NULL);
2196 	}
2197 	/* All other syslog types */
2198 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2199 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2200 }
2201 
2202 /*
2203  * Check that a process has enough memory to allocate a new virtual
2204  * mapping. 0 means there is enough memory for the allocation to
2205  * succeed and -ENOMEM implies there is not.
2206  *
2207  * Do not audit the selinux permission check, as this is applied to all
2208  * processes that allocate mappings.
2209  */
2210 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2211 {
2212 	int rc, cap_sys_admin = 0;
2213 
2214 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2215 				 CAP_OPT_NOAUDIT, true);
2216 	if (rc == 0)
2217 		cap_sys_admin = 1;
2218 
2219 	return cap_sys_admin;
2220 }
2221 
2222 /* binprm security operations */
2223 
2224 static u32 ptrace_parent_sid(void)
2225 {
2226 	u32 sid = 0;
2227 	struct task_struct *tracer;
2228 
2229 	rcu_read_lock();
2230 	tracer = ptrace_parent(current);
2231 	if (tracer)
2232 		sid = task_sid_obj(tracer);
2233 	rcu_read_unlock();
2234 
2235 	return sid;
2236 }
2237 
2238 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239 			    const struct task_security_struct *old_tsec,
2240 			    const struct task_security_struct *new_tsec)
2241 {
2242 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2243 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2244 	int rc;
2245 	u32 av;
2246 
2247 	if (!nnp && !nosuid)
2248 		return 0; /* neither NNP nor nosuid */
2249 
2250 	if (new_tsec->sid == old_tsec->sid)
2251 		return 0; /* No change in credentials */
2252 
2253 	/*
2254 	 * If the policy enables the nnp_nosuid_transition policy capability,
2255 	 * then we permit transitions under NNP or nosuid if the
2256 	 * policy allows the corresponding permission between
2257 	 * the old and new contexts.
2258 	 */
2259 	if (selinux_policycap_nnp_nosuid_transition()) {
2260 		av = 0;
2261 		if (nnp)
2262 			av |= PROCESS2__NNP_TRANSITION;
2263 		if (nosuid)
2264 			av |= PROCESS2__NOSUID_TRANSITION;
2265 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266 				  SECCLASS_PROCESS2, av, NULL);
2267 		if (!rc)
2268 			return 0;
2269 	}
2270 
2271 	/*
2272 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2273 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2274 	 * of the permissions of the current SID.
2275 	 */
2276 	rc = security_bounded_transition(old_tsec->sid,
2277 					 new_tsec->sid);
2278 	if (!rc)
2279 		return 0;
2280 
2281 	/*
2282 	 * On failure, preserve the errno values for NNP vs nosuid.
2283 	 * NNP:  Operation not permitted for caller.
2284 	 * nosuid:  Permission denied to file.
2285 	 */
2286 	if (nnp)
2287 		return -EPERM;
2288 	return -EACCES;
2289 }
2290 
2291 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2292 {
2293 	const struct task_security_struct *old_tsec;
2294 	struct task_security_struct *new_tsec;
2295 	struct inode_security_struct *isec;
2296 	struct common_audit_data ad;
2297 	struct inode *inode = file_inode(bprm->file);
2298 	int rc;
2299 
2300 	/* SELinux context only depends on initial program or script and not
2301 	 * the script interpreter */
2302 
2303 	old_tsec = selinux_cred(current_cred());
2304 	new_tsec = selinux_cred(bprm->cred);
2305 	isec = inode_security(inode);
2306 
2307 	/* Default to the current task SID. */
2308 	new_tsec->sid = old_tsec->sid;
2309 	new_tsec->osid = old_tsec->sid;
2310 
2311 	/* Reset fs, key, and sock SIDs on execve. */
2312 	new_tsec->create_sid = 0;
2313 	new_tsec->keycreate_sid = 0;
2314 	new_tsec->sockcreate_sid = 0;
2315 
2316 	if (old_tsec->exec_sid) {
2317 		new_tsec->sid = old_tsec->exec_sid;
2318 		/* Reset exec SID on execve. */
2319 		new_tsec->exec_sid = 0;
2320 
2321 		/* Fail on NNP or nosuid if not an allowed transition. */
2322 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323 		if (rc)
2324 			return rc;
2325 	} else {
2326 		/* Check for a default transition on this program. */
2327 		rc = security_transition_sid(old_tsec->sid,
2328 					     isec->sid, SECCLASS_PROCESS, NULL,
2329 					     &new_tsec->sid);
2330 		if (rc)
2331 			return rc;
2332 
2333 		/*
2334 		 * Fallback to old SID on NNP or nosuid if not an allowed
2335 		 * transition.
2336 		 */
2337 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 		if (rc)
2339 			new_tsec->sid = old_tsec->sid;
2340 	}
2341 
2342 	ad.type = LSM_AUDIT_DATA_FILE;
2343 	ad.u.file = bprm->file;
2344 
2345 	if (new_tsec->sid == old_tsec->sid) {
2346 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2347 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 		if (rc)
2349 			return rc;
2350 	} else {
2351 		/* Check permissions for the transition. */
2352 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2353 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354 		if (rc)
2355 			return rc;
2356 
2357 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2358 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2359 		if (rc)
2360 			return rc;
2361 
2362 		/* Check for shared state */
2363 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2364 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2365 					  SECCLASS_PROCESS, PROCESS__SHARE,
2366 					  NULL);
2367 			if (rc)
2368 				return -EPERM;
2369 		}
2370 
2371 		/* Make sure that anyone attempting to ptrace over a task that
2372 		 * changes its SID has the appropriate permit */
2373 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2374 			u32 ptsid = ptrace_parent_sid();
2375 			if (ptsid != 0) {
2376 				rc = avc_has_perm(ptsid, new_tsec->sid,
2377 						  SECCLASS_PROCESS,
2378 						  PROCESS__PTRACE, NULL);
2379 				if (rc)
2380 					return -EPERM;
2381 			}
2382 		}
2383 
2384 		/* Clear any possibly unsafe personality bits on exec: */
2385 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2386 
2387 		/* Enable secure mode for SIDs transitions unless
2388 		   the noatsecure permission is granted between
2389 		   the two SIDs, i.e. ahp returns 0. */
2390 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2392 				  NULL);
2393 		bprm->secureexec |= !!rc;
2394 	}
2395 
2396 	return 0;
2397 }
2398 
2399 static int match_file(const void *p, struct file *file, unsigned fd)
2400 {
2401 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2402 }
2403 
2404 /* Derived from fs/exec.c:flush_old_files. */
2405 static inline void flush_unauthorized_files(const struct cred *cred,
2406 					    struct files_struct *files)
2407 {
2408 	struct file *file, *devnull = NULL;
2409 	struct tty_struct *tty;
2410 	int drop_tty = 0;
2411 	unsigned n;
2412 
2413 	tty = get_current_tty();
2414 	if (tty) {
2415 		spin_lock(&tty->files_lock);
2416 		if (!list_empty(&tty->tty_files)) {
2417 			struct tty_file_private *file_priv;
2418 
2419 			/* Revalidate access to controlling tty.
2420 			   Use file_path_has_perm on the tty path directly
2421 			   rather than using file_has_perm, as this particular
2422 			   open file may belong to another process and we are
2423 			   only interested in the inode-based check here. */
2424 			file_priv = list_first_entry(&tty->tty_files,
2425 						struct tty_file_private, list);
2426 			file = file_priv->file;
2427 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2428 				drop_tty = 1;
2429 		}
2430 		spin_unlock(&tty->files_lock);
2431 		tty_kref_put(tty);
2432 	}
2433 	/* Reset controlling tty. */
2434 	if (drop_tty)
2435 		no_tty();
2436 
2437 	/* Revalidate access to inherited open files. */
2438 	n = iterate_fd(files, 0, match_file, cred);
2439 	if (!n) /* none found? */
2440 		return;
2441 
2442 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2443 	if (IS_ERR(devnull))
2444 		devnull = NULL;
2445 	/* replace all the matching ones with this */
2446 	do {
2447 		replace_fd(n - 1, devnull, 0);
2448 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2449 	if (devnull)
2450 		fput(devnull);
2451 }
2452 
2453 /*
2454  * Prepare a process for imminent new credential changes due to exec
2455  */
2456 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2457 {
2458 	struct task_security_struct *new_tsec;
2459 	struct rlimit *rlim, *initrlim;
2460 	int rc, i;
2461 
2462 	new_tsec = selinux_cred(bprm->cred);
2463 	if (new_tsec->sid == new_tsec->osid)
2464 		return;
2465 
2466 	/* Close files for which the new task SID is not authorized. */
2467 	flush_unauthorized_files(bprm->cred, current->files);
2468 
2469 	/* Always clear parent death signal on SID transitions. */
2470 	current->pdeath_signal = 0;
2471 
2472 	/* Check whether the new SID can inherit resource limits from the old
2473 	 * SID.  If not, reset all soft limits to the lower of the current
2474 	 * task's hard limit and the init task's soft limit.
2475 	 *
2476 	 * Note that the setting of hard limits (even to lower them) can be
2477 	 * controlled by the setrlimit check.  The inclusion of the init task's
2478 	 * soft limit into the computation is to avoid resetting soft limits
2479 	 * higher than the default soft limit for cases where the default is
2480 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2481 	 */
2482 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2483 			  PROCESS__RLIMITINH, NULL);
2484 	if (rc) {
2485 		/* protect against do_prlimit() */
2486 		task_lock(current);
2487 		for (i = 0; i < RLIM_NLIMITS; i++) {
2488 			rlim = current->signal->rlim + i;
2489 			initrlim = init_task.signal->rlim + i;
2490 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2491 		}
2492 		task_unlock(current);
2493 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2494 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2495 	}
2496 }
2497 
2498 /*
2499  * Clean up the process immediately after the installation of new credentials
2500  * due to exec
2501  */
2502 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2503 {
2504 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2505 	u32 osid, sid;
2506 	int rc;
2507 
2508 	osid = tsec->osid;
2509 	sid = tsec->sid;
2510 
2511 	if (sid == osid)
2512 		return;
2513 
2514 	/* Check whether the new SID can inherit signal state from the old SID.
2515 	 * If not, clear itimers to avoid subsequent signal generation and
2516 	 * flush and unblock signals.
2517 	 *
2518 	 * This must occur _after_ the task SID has been updated so that any
2519 	 * kill done after the flush will be checked against the new SID.
2520 	 */
2521 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2522 	if (rc) {
2523 		clear_itimer();
2524 
2525 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2526 		if (!fatal_signal_pending(current)) {
2527 			flush_sigqueue(&current->pending);
2528 			flush_sigqueue(&current->signal->shared_pending);
2529 			flush_signal_handlers(current, 1);
2530 			sigemptyset(&current->blocked);
2531 			recalc_sigpending();
2532 		}
2533 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2534 	}
2535 
2536 	/* Wake up the parent if it is waiting so that it can recheck
2537 	 * wait permission to the new task SID. */
2538 	read_lock(&tasklist_lock);
2539 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2540 	read_unlock(&tasklist_lock);
2541 }
2542 
2543 /* superblock security operations */
2544 
2545 static int selinux_sb_alloc_security(struct super_block *sb)
2546 {
2547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2548 
2549 	mutex_init(&sbsec->lock);
2550 	INIT_LIST_HEAD(&sbsec->isec_head);
2551 	spin_lock_init(&sbsec->isec_lock);
2552 	sbsec->sid = SECINITSID_UNLABELED;
2553 	sbsec->def_sid = SECINITSID_FILE;
2554 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555 
2556 	return 0;
2557 }
2558 
2559 static inline int opt_len(const char *s)
2560 {
2561 	bool open_quote = false;
2562 	int len;
2563 	char c;
2564 
2565 	for (len = 0; (c = s[len]) != '\0'; len++) {
2566 		if (c == '"')
2567 			open_quote = !open_quote;
2568 		if (c == ',' && !open_quote)
2569 			break;
2570 	}
2571 	return len;
2572 }
2573 
2574 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2575 {
2576 	char *from = options;
2577 	char *to = options;
2578 	bool first = true;
2579 	int rc;
2580 
2581 	while (1) {
2582 		int len = opt_len(from);
2583 		int token;
2584 		char *arg = NULL;
2585 
2586 		token = match_opt_prefix(from, len, &arg);
2587 
2588 		if (token != Opt_error) {
2589 			char *p, *q;
2590 
2591 			/* strip quotes */
2592 			if (arg) {
2593 				for (p = q = arg; p < from + len; p++) {
2594 					char c = *p;
2595 					if (c != '"')
2596 						*q++ = c;
2597 				}
2598 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2599 				if (!arg) {
2600 					rc = -ENOMEM;
2601 					goto free_opt;
2602 				}
2603 			}
2604 			rc = selinux_add_opt(token, arg, mnt_opts);
2605 			kfree(arg);
2606 			arg = NULL;
2607 			if (unlikely(rc)) {
2608 				goto free_opt;
2609 			}
2610 		} else {
2611 			if (!first) {	// copy with preceding comma
2612 				from--;
2613 				len++;
2614 			}
2615 			if (to != from)
2616 				memmove(to, from, len);
2617 			to += len;
2618 			first = false;
2619 		}
2620 		if (!from[len])
2621 			break;
2622 		from += len + 1;
2623 	}
2624 	*to = '\0';
2625 	return 0;
2626 
2627 free_opt:
2628 	if (*mnt_opts) {
2629 		selinux_free_mnt_opts(*mnt_opts);
2630 		*mnt_opts = NULL;
2631 	}
2632 	return rc;
2633 }
2634 
2635 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2636 {
2637 	struct selinux_mnt_opts *opts = mnt_opts;
2638 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2639 
2640 	/*
2641 	 * Superblock not initialized (i.e. no options) - reject if any
2642 	 * options specified, otherwise accept.
2643 	 */
2644 	if (!(sbsec->flags & SE_SBINITIALIZED))
2645 		return opts ? 1 : 0;
2646 
2647 	/*
2648 	 * Superblock initialized and no options specified - reject if
2649 	 * superblock has any options set, otherwise accept.
2650 	 */
2651 	if (!opts)
2652 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2653 
2654 	if (opts->fscontext_sid) {
2655 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2656 			       opts->fscontext_sid))
2657 			return 1;
2658 	}
2659 	if (opts->context_sid) {
2660 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2661 			       opts->context_sid))
2662 			return 1;
2663 	}
2664 	if (opts->rootcontext_sid) {
2665 		struct inode_security_struct *root_isec;
2666 
2667 		root_isec = backing_inode_security(sb->s_root);
2668 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2669 			       opts->rootcontext_sid))
2670 			return 1;
2671 	}
2672 	if (opts->defcontext_sid) {
2673 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2674 			       opts->defcontext_sid))
2675 			return 1;
2676 	}
2677 	return 0;
2678 }
2679 
2680 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2681 {
2682 	struct selinux_mnt_opts *opts = mnt_opts;
2683 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2684 
2685 	if (!(sbsec->flags & SE_SBINITIALIZED))
2686 		return 0;
2687 
2688 	if (!opts)
2689 		return 0;
2690 
2691 	if (opts->fscontext_sid) {
2692 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2693 			       opts->fscontext_sid))
2694 			goto out_bad_option;
2695 	}
2696 	if (opts->context_sid) {
2697 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2698 			       opts->context_sid))
2699 			goto out_bad_option;
2700 	}
2701 	if (opts->rootcontext_sid) {
2702 		struct inode_security_struct *root_isec;
2703 		root_isec = backing_inode_security(sb->s_root);
2704 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2705 			       opts->rootcontext_sid))
2706 			goto out_bad_option;
2707 	}
2708 	if (opts->defcontext_sid) {
2709 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2710 			       opts->defcontext_sid))
2711 			goto out_bad_option;
2712 	}
2713 	return 0;
2714 
2715 out_bad_option:
2716 	pr_warn("SELinux: unable to change security options "
2717 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2718 	       sb->s_type->name);
2719 	return -EINVAL;
2720 }
2721 
2722 static int selinux_sb_kern_mount(struct super_block *sb)
2723 {
2724 	const struct cred *cred = current_cred();
2725 	struct common_audit_data ad;
2726 
2727 	ad.type = LSM_AUDIT_DATA_DENTRY;
2728 	ad.u.dentry = sb->s_root;
2729 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2730 }
2731 
2732 static int selinux_sb_statfs(struct dentry *dentry)
2733 {
2734 	const struct cred *cred = current_cred();
2735 	struct common_audit_data ad;
2736 
2737 	ad.type = LSM_AUDIT_DATA_DENTRY;
2738 	ad.u.dentry = dentry->d_sb->s_root;
2739 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2740 }
2741 
2742 static int selinux_mount(const char *dev_name,
2743 			 const struct path *path,
2744 			 const char *type,
2745 			 unsigned long flags,
2746 			 void *data)
2747 {
2748 	const struct cred *cred = current_cred();
2749 
2750 	if (flags & MS_REMOUNT)
2751 		return superblock_has_perm(cred, path->dentry->d_sb,
2752 					   FILESYSTEM__REMOUNT, NULL);
2753 	else
2754 		return path_has_perm(cred, path, FILE__MOUNTON);
2755 }
2756 
2757 static int selinux_move_mount(const struct path *from_path,
2758 			      const struct path *to_path)
2759 {
2760 	const struct cred *cred = current_cred();
2761 
2762 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2763 }
2764 
2765 static int selinux_umount(struct vfsmount *mnt, int flags)
2766 {
2767 	const struct cred *cred = current_cred();
2768 
2769 	return superblock_has_perm(cred, mnt->mnt_sb,
2770 				   FILESYSTEM__UNMOUNT, NULL);
2771 }
2772 
2773 static int selinux_fs_context_submount(struct fs_context *fc,
2774 				   struct super_block *reference)
2775 {
2776 	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2777 	struct selinux_mnt_opts *opts;
2778 
2779 	/*
2780 	 * Ensure that fc->security remains NULL when no options are set
2781 	 * as expected by selinux_set_mnt_opts().
2782 	 */
2783 	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2784 		return 0;
2785 
2786 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2787 	if (!opts)
2788 		return -ENOMEM;
2789 
2790 	if (sbsec->flags & FSCONTEXT_MNT)
2791 		opts->fscontext_sid = sbsec->sid;
2792 	if (sbsec->flags & CONTEXT_MNT)
2793 		opts->context_sid = sbsec->mntpoint_sid;
2794 	if (sbsec->flags & DEFCONTEXT_MNT)
2795 		opts->defcontext_sid = sbsec->def_sid;
2796 	fc->security = opts;
2797 	return 0;
2798 }
2799 
2800 static int selinux_fs_context_dup(struct fs_context *fc,
2801 				  struct fs_context *src_fc)
2802 {
2803 	const struct selinux_mnt_opts *src = src_fc->security;
2804 
2805 	if (!src)
2806 		return 0;
2807 
2808 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2809 	return fc->security ? 0 : -ENOMEM;
2810 }
2811 
2812 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2813 	fsparam_string(CONTEXT_STR,	Opt_context),
2814 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2815 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2816 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2817 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2818 	{}
2819 };
2820 
2821 static int selinux_fs_context_parse_param(struct fs_context *fc,
2822 					  struct fs_parameter *param)
2823 {
2824 	struct fs_parse_result result;
2825 	int opt;
2826 
2827 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2828 	if (opt < 0)
2829 		return opt;
2830 
2831 	return selinux_add_opt(opt, param->string, &fc->security);
2832 }
2833 
2834 /* inode security operations */
2835 
2836 static int selinux_inode_alloc_security(struct inode *inode)
2837 {
2838 	struct inode_security_struct *isec = selinux_inode(inode);
2839 	u32 sid = current_sid();
2840 
2841 	spin_lock_init(&isec->lock);
2842 	INIT_LIST_HEAD(&isec->list);
2843 	isec->inode = inode;
2844 	isec->sid = SECINITSID_UNLABELED;
2845 	isec->sclass = SECCLASS_FILE;
2846 	isec->task_sid = sid;
2847 	isec->initialized = LABEL_INVALID;
2848 
2849 	return 0;
2850 }
2851 
2852 static void selinux_inode_free_security(struct inode *inode)
2853 {
2854 	inode_free_security(inode);
2855 }
2856 
2857 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2858 					const struct qstr *name,
2859 					const char **xattr_name, void **ctx,
2860 					u32 *ctxlen)
2861 {
2862 	u32 newsid;
2863 	int rc;
2864 
2865 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2866 					   d_inode(dentry->d_parent), name,
2867 					   inode_mode_to_security_class(mode),
2868 					   &newsid);
2869 	if (rc)
2870 		return rc;
2871 
2872 	if (xattr_name)
2873 		*xattr_name = XATTR_NAME_SELINUX;
2874 
2875 	return security_sid_to_context(newsid, (char **)ctx,
2876 				       ctxlen);
2877 }
2878 
2879 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2880 					  struct qstr *name,
2881 					  const struct cred *old,
2882 					  struct cred *new)
2883 {
2884 	u32 newsid;
2885 	int rc;
2886 	struct task_security_struct *tsec;
2887 
2888 	rc = selinux_determine_inode_label(selinux_cred(old),
2889 					   d_inode(dentry->d_parent), name,
2890 					   inode_mode_to_security_class(mode),
2891 					   &newsid);
2892 	if (rc)
2893 		return rc;
2894 
2895 	tsec = selinux_cred(new);
2896 	tsec->create_sid = newsid;
2897 	return 0;
2898 }
2899 
2900 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2901 				       const struct qstr *qstr,
2902 				       struct xattr *xattrs, int *xattr_count)
2903 {
2904 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2905 	struct superblock_security_struct *sbsec;
2906 	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2907 	u32 newsid, clen;
2908 	int rc;
2909 	char *context;
2910 
2911 	sbsec = selinux_superblock(dir->i_sb);
2912 
2913 	newsid = tsec->create_sid;
2914 
2915 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2916 		inode_mode_to_security_class(inode->i_mode),
2917 		&newsid);
2918 	if (rc)
2919 		return rc;
2920 
2921 	/* Possibly defer initialization to selinux_complete_init. */
2922 	if (sbsec->flags & SE_SBINITIALIZED) {
2923 		struct inode_security_struct *isec = selinux_inode(inode);
2924 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 		isec->sid = newsid;
2926 		isec->initialized = LABEL_INITIALIZED;
2927 	}
2928 
2929 	if (!selinux_initialized() ||
2930 	    !(sbsec->flags & SBLABEL_MNT))
2931 		return -EOPNOTSUPP;
2932 
2933 	if (xattr) {
2934 		rc = security_sid_to_context_force(newsid,
2935 						   &context, &clen);
2936 		if (rc)
2937 			return rc;
2938 		xattr->value = context;
2939 		xattr->value_len = clen;
2940 		xattr->name = XATTR_SELINUX_SUFFIX;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
2946 static int selinux_inode_init_security_anon(struct inode *inode,
2947 					    const struct qstr *name,
2948 					    const struct inode *context_inode)
2949 {
2950 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2951 	struct common_audit_data ad;
2952 	struct inode_security_struct *isec;
2953 	int rc;
2954 
2955 	if (unlikely(!selinux_initialized()))
2956 		return 0;
2957 
2958 	isec = selinux_inode(inode);
2959 
2960 	/*
2961 	 * We only get here once per ephemeral inode.  The inode has
2962 	 * been initialized via inode_alloc_security but is otherwise
2963 	 * untouched.
2964 	 */
2965 
2966 	if (context_inode) {
2967 		struct inode_security_struct *context_isec =
2968 			selinux_inode(context_inode);
2969 		if (context_isec->initialized != LABEL_INITIALIZED) {
2970 			pr_err("SELinux:  context_inode is not initialized\n");
2971 			return -EACCES;
2972 		}
2973 
2974 		isec->sclass = context_isec->sclass;
2975 		isec->sid = context_isec->sid;
2976 	} else {
2977 		isec->sclass = SECCLASS_ANON_INODE;
2978 		rc = security_transition_sid(
2979 			tsec->sid, tsec->sid,
2980 			isec->sclass, name, &isec->sid);
2981 		if (rc)
2982 			return rc;
2983 	}
2984 
2985 	isec->initialized = LABEL_INITIALIZED;
2986 	/*
2987 	 * Now that we've initialized security, check whether we're
2988 	 * allowed to actually create this type of anonymous inode.
2989 	 */
2990 
2991 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2992 	ad.u.anonclass = name ? (const char *)name->name : "?";
2993 
2994 	return avc_has_perm(tsec->sid,
2995 			    isec->sid,
2996 			    isec->sclass,
2997 			    FILE__CREATE,
2998 			    &ad);
2999 }
3000 
3001 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3002 {
3003 	return may_create(dir, dentry, SECCLASS_FILE);
3004 }
3005 
3006 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3007 {
3008 	return may_link(dir, old_dentry, MAY_LINK);
3009 }
3010 
3011 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3012 {
3013 	return may_link(dir, dentry, MAY_UNLINK);
3014 }
3015 
3016 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3017 {
3018 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3019 }
3020 
3021 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3022 {
3023 	return may_create(dir, dentry, SECCLASS_DIR);
3024 }
3025 
3026 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3027 {
3028 	return may_link(dir, dentry, MAY_RMDIR);
3029 }
3030 
3031 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3032 {
3033 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3034 }
3035 
3036 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3037 				struct inode *new_inode, struct dentry *new_dentry)
3038 {
3039 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3040 }
3041 
3042 static int selinux_inode_readlink(struct dentry *dentry)
3043 {
3044 	const struct cred *cred = current_cred();
3045 
3046 	return dentry_has_perm(cred, dentry, FILE__READ);
3047 }
3048 
3049 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3050 				     bool rcu)
3051 {
3052 	const struct cred *cred = current_cred();
3053 	struct common_audit_data ad;
3054 	struct inode_security_struct *isec;
3055 	u32 sid;
3056 
3057 	ad.type = LSM_AUDIT_DATA_DENTRY;
3058 	ad.u.dentry = dentry;
3059 	sid = cred_sid(cred);
3060 	isec = inode_security_rcu(inode, rcu);
3061 	if (IS_ERR(isec))
3062 		return PTR_ERR(isec);
3063 
3064 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3065 }
3066 
3067 static noinline int audit_inode_permission(struct inode *inode,
3068 					   u32 perms, u32 audited, u32 denied,
3069 					   int result)
3070 {
3071 	struct common_audit_data ad;
3072 	struct inode_security_struct *isec = selinux_inode(inode);
3073 
3074 	ad.type = LSM_AUDIT_DATA_INODE;
3075 	ad.u.inode = inode;
3076 
3077 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3078 			    audited, denied, result, &ad);
3079 }
3080 
3081 static int selinux_inode_permission(struct inode *inode, int mask)
3082 {
3083 	const struct cred *cred = current_cred();
3084 	u32 perms;
3085 	bool from_access;
3086 	bool no_block = mask & MAY_NOT_BLOCK;
3087 	struct inode_security_struct *isec;
3088 	u32 sid;
3089 	struct av_decision avd;
3090 	int rc, rc2;
3091 	u32 audited, denied;
3092 
3093 	from_access = mask & MAY_ACCESS;
3094 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3095 
3096 	/* No permission to check.  Existence test. */
3097 	if (!mask)
3098 		return 0;
3099 
3100 	if (unlikely(IS_PRIVATE(inode)))
3101 		return 0;
3102 
3103 	perms = file_mask_to_av(inode->i_mode, mask);
3104 
3105 	sid = cred_sid(cred);
3106 	isec = inode_security_rcu(inode, no_block);
3107 	if (IS_ERR(isec))
3108 		return PTR_ERR(isec);
3109 
3110 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3111 				  &avd);
3112 	audited = avc_audit_required(perms, &avd, rc,
3113 				     from_access ? FILE__AUDIT_ACCESS : 0,
3114 				     &denied);
3115 	if (likely(!audited))
3116 		return rc;
3117 
3118 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3119 	if (rc2)
3120 		return rc2;
3121 	return rc;
3122 }
3123 
3124 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125 {
3126 	const struct cred *cred = current_cred();
3127 	struct inode *inode = d_backing_inode(dentry);
3128 	unsigned int ia_valid = iattr->ia_valid;
3129 	__u32 av = FILE__WRITE;
3130 
3131 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132 	if (ia_valid & ATTR_FORCE) {
3133 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134 			      ATTR_FORCE);
3135 		if (!ia_valid)
3136 			return 0;
3137 	}
3138 
3139 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3141 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3142 
3143 	if (selinux_policycap_openperm() &&
3144 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145 	    (ia_valid & ATTR_SIZE) &&
3146 	    !(ia_valid & ATTR_FILE))
3147 		av |= FILE__OPEN;
3148 
3149 	return dentry_has_perm(cred, dentry, av);
3150 }
3151 
3152 static int selinux_inode_getattr(const struct path *path)
3153 {
3154 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3155 }
3156 
3157 static bool has_cap_mac_admin(bool audit)
3158 {
3159 	const struct cred *cred = current_cred();
3160 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3161 
3162 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3163 		return false;
3164 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3165 		return false;
3166 	return true;
3167 }
3168 
3169 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3170 				  struct dentry *dentry, const char *name,
3171 				  const void *value, size_t size, int flags)
3172 {
3173 	struct inode *inode = d_backing_inode(dentry);
3174 	struct inode_security_struct *isec;
3175 	struct superblock_security_struct *sbsec;
3176 	struct common_audit_data ad;
3177 	u32 newsid, sid = current_sid();
3178 	int rc = 0;
3179 
3180 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3181 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182 		if (rc)
3183 			return rc;
3184 
3185 		/* Not an attribute we recognize, so just check the
3186 		   ordinary setattr permission. */
3187 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188 	}
3189 
3190 	if (!selinux_initialized())
3191 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3192 
3193 	sbsec = selinux_superblock(inode->i_sb);
3194 	if (!(sbsec->flags & SBLABEL_MNT))
3195 		return -EOPNOTSUPP;
3196 
3197 	if (!inode_owner_or_capable(idmap, inode))
3198 		return -EPERM;
3199 
3200 	ad.type = LSM_AUDIT_DATA_DENTRY;
3201 	ad.u.dentry = dentry;
3202 
3203 	isec = backing_inode_security(dentry);
3204 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3205 			  FILE__RELABELFROM, &ad);
3206 	if (rc)
3207 		return rc;
3208 
3209 	rc = security_context_to_sid(value, size, &newsid,
3210 				     GFP_KERNEL);
3211 	if (rc == -EINVAL) {
3212 		if (!has_cap_mac_admin(true)) {
3213 			struct audit_buffer *ab;
3214 			size_t audit_size;
3215 
3216 			/* We strip a nul only if it is at the end, otherwise the
3217 			 * context contains a nul and we should audit that */
3218 			if (value) {
3219 				const char *str = value;
3220 
3221 				if (str[size - 1] == '\0')
3222 					audit_size = size - 1;
3223 				else
3224 					audit_size = size;
3225 			} else {
3226 				audit_size = 0;
3227 			}
3228 			ab = audit_log_start(audit_context(),
3229 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3230 			if (!ab)
3231 				return rc;
3232 			audit_log_format(ab, "op=setxattr invalid_context=");
3233 			audit_log_n_untrustedstring(ab, value, audit_size);
3234 			audit_log_end(ab);
3235 
3236 			return rc;
3237 		}
3238 		rc = security_context_to_sid_force(value,
3239 						   size, &newsid);
3240 	}
3241 	if (rc)
3242 		return rc;
3243 
3244 	rc = avc_has_perm(sid, newsid, isec->sclass,
3245 			  FILE__RELABELTO, &ad);
3246 	if (rc)
3247 		return rc;
3248 
3249 	rc = security_validate_transition(isec->sid, newsid,
3250 					  sid, isec->sclass);
3251 	if (rc)
3252 		return rc;
3253 
3254 	return avc_has_perm(newsid,
3255 			    sbsec->sid,
3256 			    SECCLASS_FILESYSTEM,
3257 			    FILESYSTEM__ASSOCIATE,
3258 			    &ad);
3259 }
3260 
3261 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3262 				 struct dentry *dentry, const char *acl_name,
3263 				 struct posix_acl *kacl)
3264 {
3265 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266 }
3267 
3268 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3269 				 struct dentry *dentry, const char *acl_name)
3270 {
3271 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272 }
3273 
3274 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3275 				    struct dentry *dentry, const char *acl_name)
3276 {
3277 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278 }
3279 
3280 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3281 					const void *value, size_t size,
3282 					int flags)
3283 {
3284 	struct inode *inode = d_backing_inode(dentry);
3285 	struct inode_security_struct *isec;
3286 	u32 newsid;
3287 	int rc;
3288 
3289 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3290 		/* Not an attribute we recognize, so nothing to do. */
3291 		return;
3292 	}
3293 
3294 	if (!selinux_initialized()) {
3295 		/* If we haven't even been initialized, then we can't validate
3296 		 * against a policy, so leave the label as invalid. It may
3297 		 * resolve to a valid label on the next revalidation try if
3298 		 * we've since initialized.
3299 		 */
3300 		return;
3301 	}
3302 
3303 	rc = security_context_to_sid_force(value, size,
3304 					   &newsid);
3305 	if (rc) {
3306 		pr_err("SELinux:  unable to map context to SID"
3307 		       "for (%s, %lu), rc=%d\n",
3308 		       inode->i_sb->s_id, inode->i_ino, -rc);
3309 		return;
3310 	}
3311 
3312 	isec = backing_inode_security(dentry);
3313 	spin_lock(&isec->lock);
3314 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3315 	isec->sid = newsid;
3316 	isec->initialized = LABEL_INITIALIZED;
3317 	spin_unlock(&isec->lock);
3318 }
3319 
3320 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3321 {
3322 	const struct cred *cred = current_cred();
3323 
3324 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3325 }
3326 
3327 static int selinux_inode_listxattr(struct dentry *dentry)
3328 {
3329 	const struct cred *cred = current_cred();
3330 
3331 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3332 }
3333 
3334 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3335 				     struct dentry *dentry, const char *name)
3336 {
3337 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3338 		int rc = cap_inode_removexattr(idmap, dentry, name);
3339 		if (rc)
3340 			return rc;
3341 
3342 		/* Not an attribute we recognize, so just check the
3343 		   ordinary setattr permission. */
3344 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345 	}
3346 
3347 	if (!selinux_initialized())
3348 		return 0;
3349 
3350 	/* No one is allowed to remove a SELinux security label.
3351 	   You can change the label, but all data must be labeled. */
3352 	return -EACCES;
3353 }
3354 
3355 static int selinux_path_notify(const struct path *path, u64 mask,
3356 						unsigned int obj_type)
3357 {
3358 	int ret;
3359 	u32 perm;
3360 
3361 	struct common_audit_data ad;
3362 
3363 	ad.type = LSM_AUDIT_DATA_PATH;
3364 	ad.u.path = *path;
3365 
3366 	/*
3367 	 * Set permission needed based on the type of mark being set.
3368 	 * Performs an additional check for sb watches.
3369 	 */
3370 	switch (obj_type) {
3371 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372 		perm = FILE__WATCH_MOUNT;
3373 		break;
3374 	case FSNOTIFY_OBJ_TYPE_SB:
3375 		perm = FILE__WATCH_SB;
3376 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377 						FILESYSTEM__WATCH, &ad);
3378 		if (ret)
3379 			return ret;
3380 		break;
3381 	case FSNOTIFY_OBJ_TYPE_INODE:
3382 		perm = FILE__WATCH;
3383 		break;
3384 	default:
3385 		return -EINVAL;
3386 	}
3387 
3388 	/* blocking watches require the file:watch_with_perm permission */
3389 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390 		perm |= FILE__WATCH_WITH_PERM;
3391 
3392 	/* watches on read-like events need the file:watch_reads permission */
3393 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394 		perm |= FILE__WATCH_READS;
3395 
3396 	return path_has_perm(current_cred(), path, perm);
3397 }
3398 
3399 /*
3400  * Copy the inode security context value to the user.
3401  *
3402  * Permission check is handled by selinux_inode_getxattr hook.
3403  */
3404 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3405 				     struct inode *inode, const char *name,
3406 				     void **buffer, bool alloc)
3407 {
3408 	u32 size;
3409 	int error;
3410 	char *context = NULL;
3411 	struct inode_security_struct *isec;
3412 
3413 	/*
3414 	 * If we're not initialized yet, then we can't validate contexts, so
3415 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3416 	 */
3417 	if (!selinux_initialized() ||
3418 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3419 		return -EOPNOTSUPP;
3420 
3421 	/*
3422 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3423 	 * value even if it is not defined by current policy; otherwise,
3424 	 * use the in-core value under current policy.
3425 	 * Use the non-auditing forms of the permission checks since
3426 	 * getxattr may be called by unprivileged processes commonly
3427 	 * and lack of permission just means that we fall back to the
3428 	 * in-core context value, not a denial.
3429 	 */
3430 	isec = inode_security(inode);
3431 	if (has_cap_mac_admin(false))
3432 		error = security_sid_to_context_force(isec->sid, &context,
3433 						      &size);
3434 	else
3435 		error = security_sid_to_context(isec->sid,
3436 						&context, &size);
3437 	if (error)
3438 		return error;
3439 	error = size;
3440 	if (alloc) {
3441 		*buffer = context;
3442 		goto out_nofree;
3443 	}
3444 	kfree(context);
3445 out_nofree:
3446 	return error;
3447 }
3448 
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 				     const void *value, size_t size, int flags)
3451 {
3452 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 	struct superblock_security_struct *sbsec;
3454 	u32 newsid;
3455 	int rc;
3456 
3457 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458 		return -EOPNOTSUPP;
3459 
3460 	sbsec = selinux_superblock(inode->i_sb);
3461 	if (!(sbsec->flags & SBLABEL_MNT))
3462 		return -EOPNOTSUPP;
3463 
3464 	if (!value || !size)
3465 		return -EACCES;
3466 
3467 	rc = security_context_to_sid(value, size, &newsid,
3468 				     GFP_KERNEL);
3469 	if (rc)
3470 		return rc;
3471 
3472 	spin_lock(&isec->lock);
3473 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 	isec->sid = newsid;
3475 	isec->initialized = LABEL_INITIALIZED;
3476 	spin_unlock(&isec->lock);
3477 	return 0;
3478 }
3479 
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 	const int len = sizeof(XATTR_NAME_SELINUX);
3483 
3484 	if (!selinux_initialized())
3485 		return 0;
3486 
3487 	if (buffer && len <= buffer_size)
3488 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3489 	return len;
3490 }
3491 
3492 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3493 {
3494 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3495 	*secid = isec->sid;
3496 }
3497 
3498 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499 {
3500 	u32 sid;
3501 	struct task_security_struct *tsec;
3502 	struct cred *new_creds = *new;
3503 
3504 	if (new_creds == NULL) {
3505 		new_creds = prepare_creds();
3506 		if (!new_creds)
3507 			return -ENOMEM;
3508 	}
3509 
3510 	tsec = selinux_cred(new_creds);
3511 	/* Get label from overlay inode and set it in create_sid */
3512 	selinux_inode_getsecid(d_inode(src), &sid);
3513 	tsec->create_sid = sid;
3514 	*new = new_creds;
3515 	return 0;
3516 }
3517 
3518 static int selinux_inode_copy_up_xattr(const char *name)
3519 {
3520 	/* The copy_up hook above sets the initial context on an inode, but we
3521 	 * don't then want to overwrite it by blindly copying all the lower
3522 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3523 	 */
3524 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525 		return 1; /* Discard */
3526 	/*
3527 	 * Any other attribute apart from SELINUX is not claimed, supported
3528 	 * by selinux.
3529 	 */
3530 	return -EOPNOTSUPP;
3531 }
3532 
3533 /* kernfs node operations */
3534 
3535 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536 					struct kernfs_node *kn)
3537 {
3538 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3539 	u32 parent_sid, newsid, clen;
3540 	int rc;
3541 	char *context;
3542 
3543 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3544 	if (rc == -ENODATA)
3545 		return 0;
3546 	else if (rc < 0)
3547 		return rc;
3548 
3549 	clen = (u32)rc;
3550 	context = kmalloc(clen, GFP_KERNEL);
3551 	if (!context)
3552 		return -ENOMEM;
3553 
3554 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3555 	if (rc < 0) {
3556 		kfree(context);
3557 		return rc;
3558 	}
3559 
3560 	rc = security_context_to_sid(context, clen, &parent_sid,
3561 				     GFP_KERNEL);
3562 	kfree(context);
3563 	if (rc)
3564 		return rc;
3565 
3566 	if (tsec->create_sid) {
3567 		newsid = tsec->create_sid;
3568 	} else {
3569 		u16 secclass = inode_mode_to_security_class(kn->mode);
3570 		struct qstr q;
3571 
3572 		q.name = kn->name;
3573 		q.hash_len = hashlen_string(kn_dir, kn->name);
3574 
3575 		rc = security_transition_sid(tsec->sid,
3576 					     parent_sid, secclass, &q,
3577 					     &newsid);
3578 		if (rc)
3579 			return rc;
3580 	}
3581 
3582 	rc = security_sid_to_context_force(newsid,
3583 					   &context, &clen);
3584 	if (rc)
3585 		return rc;
3586 
3587 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588 			      XATTR_CREATE);
3589 	kfree(context);
3590 	return rc;
3591 }
3592 
3593 
3594 /* file security operations */
3595 
3596 static int selinux_revalidate_file_permission(struct file *file, int mask)
3597 {
3598 	const struct cred *cred = current_cred();
3599 	struct inode *inode = file_inode(file);
3600 
3601 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603 		mask |= MAY_APPEND;
3604 
3605 	return file_has_perm(cred, file,
3606 			     file_mask_to_av(inode->i_mode, mask));
3607 }
3608 
3609 static int selinux_file_permission(struct file *file, int mask)
3610 {
3611 	struct inode *inode = file_inode(file);
3612 	struct file_security_struct *fsec = selinux_file(file);
3613 	struct inode_security_struct *isec;
3614 	u32 sid = current_sid();
3615 
3616 	if (!mask)
3617 		/* No permission to check.  Existence test. */
3618 		return 0;
3619 
3620 	isec = inode_security(inode);
3621 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3622 	    fsec->pseqno == avc_policy_seqno())
3623 		/* No change since file_open check. */
3624 		return 0;
3625 
3626 	return selinux_revalidate_file_permission(file, mask);
3627 }
3628 
3629 static int selinux_file_alloc_security(struct file *file)
3630 {
3631 	struct file_security_struct *fsec = selinux_file(file);
3632 	u32 sid = current_sid();
3633 
3634 	fsec->sid = sid;
3635 	fsec->fown_sid = sid;
3636 
3637 	return 0;
3638 }
3639 
3640 /*
3641  * Check whether a task has the ioctl permission and cmd
3642  * operation to an inode.
3643  */
3644 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3645 		u32 requested, u16 cmd)
3646 {
3647 	struct common_audit_data ad;
3648 	struct file_security_struct *fsec = selinux_file(file);
3649 	struct inode *inode = file_inode(file);
3650 	struct inode_security_struct *isec;
3651 	struct lsm_ioctlop_audit ioctl;
3652 	u32 ssid = cred_sid(cred);
3653 	int rc;
3654 	u8 driver = cmd >> 8;
3655 	u8 xperm = cmd & 0xff;
3656 
3657 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658 	ad.u.op = &ioctl;
3659 	ad.u.op->cmd = cmd;
3660 	ad.u.op->path = file->f_path;
3661 
3662 	if (ssid != fsec->sid) {
3663 		rc = avc_has_perm(ssid, fsec->sid,
3664 				SECCLASS_FD,
3665 				FD__USE,
3666 				&ad);
3667 		if (rc)
3668 			goto out;
3669 	}
3670 
3671 	if (unlikely(IS_PRIVATE(inode)))
3672 		return 0;
3673 
3674 	isec = inode_security(inode);
3675 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3676 				    requested, driver, xperm, &ad);
3677 out:
3678 	return rc;
3679 }
3680 
3681 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 			      unsigned long arg)
3683 {
3684 	const struct cred *cred = current_cred();
3685 	int error = 0;
3686 
3687 	switch (cmd) {
3688 	case FIONREAD:
3689 	case FIBMAP:
3690 	case FIGETBSZ:
3691 	case FS_IOC_GETFLAGS:
3692 	case FS_IOC_GETVERSION:
3693 		error = file_has_perm(cred, file, FILE__GETATTR);
3694 		break;
3695 
3696 	case FS_IOC_SETFLAGS:
3697 	case FS_IOC_SETVERSION:
3698 		error = file_has_perm(cred, file, FILE__SETATTR);
3699 		break;
3700 
3701 	/* sys_ioctl() checks */
3702 	case FIONBIO:
3703 	case FIOASYNC:
3704 		error = file_has_perm(cred, file, 0);
3705 		break;
3706 
3707 	case KDSKBENT:
3708 	case KDSKBSENT:
3709 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3710 					    CAP_OPT_NONE, true);
3711 		break;
3712 
3713 	case FIOCLEX:
3714 	case FIONCLEX:
3715 		if (!selinux_policycap_ioctl_skip_cloexec())
3716 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717 		break;
3718 
3719 	/* default case assumes that the command will go
3720 	 * to the file's ioctl() function.
3721 	 */
3722 	default:
3723 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724 	}
3725 	return error;
3726 }
3727 
3728 static int default_noexec __ro_after_init;
3729 
3730 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3731 {
3732 	const struct cred *cred = current_cred();
3733 	u32 sid = cred_sid(cred);
3734 	int rc = 0;
3735 
3736 	if (default_noexec &&
3737 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3738 				   (!shared && (prot & PROT_WRITE)))) {
3739 		/*
3740 		 * We are making executable an anonymous mapping or a
3741 		 * private file mapping that will also be writable.
3742 		 * This has an additional check.
3743 		 */
3744 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3745 				  PROCESS__EXECMEM, NULL);
3746 		if (rc)
3747 			goto error;
3748 	}
3749 
3750 	if (file) {
3751 		/* read access is always possible with a mapping */
3752 		u32 av = FILE__READ;
3753 
3754 		/* write access only matters if the mapping is shared */
3755 		if (shared && (prot & PROT_WRITE))
3756 			av |= FILE__WRITE;
3757 
3758 		if (prot & PROT_EXEC)
3759 			av |= FILE__EXECUTE;
3760 
3761 		return file_has_perm(cred, file, av);
3762 	}
3763 
3764 error:
3765 	return rc;
3766 }
3767 
3768 static int selinux_mmap_addr(unsigned long addr)
3769 {
3770 	int rc = 0;
3771 
3772 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3773 		u32 sid = current_sid();
3774 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3775 				  MEMPROTECT__MMAP_ZERO, NULL);
3776 	}
3777 
3778 	return rc;
3779 }
3780 
3781 static int selinux_mmap_file(struct file *file,
3782 			     unsigned long reqprot __always_unused,
3783 			     unsigned long prot, unsigned long flags)
3784 {
3785 	struct common_audit_data ad;
3786 	int rc;
3787 
3788 	if (file) {
3789 		ad.type = LSM_AUDIT_DATA_FILE;
3790 		ad.u.file = file;
3791 		rc = inode_has_perm(current_cred(), file_inode(file),
3792 				    FILE__MAP, &ad);
3793 		if (rc)
3794 			return rc;
3795 	}
3796 
3797 	return file_map_prot_check(file, prot,
3798 				   (flags & MAP_TYPE) == MAP_SHARED);
3799 }
3800 
3801 static int selinux_file_mprotect(struct vm_area_struct *vma,
3802 				 unsigned long reqprot __always_unused,
3803 				 unsigned long prot)
3804 {
3805 	const struct cred *cred = current_cred();
3806 	u32 sid = cred_sid(cred);
3807 
3808 	if (default_noexec &&
3809 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3810 		int rc = 0;
3811 		if (vma_is_initial_heap(vma)) {
3812 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3813 					  PROCESS__EXECHEAP, NULL);
3814 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3815 			    vma_is_stack_for_current(vma))) {
3816 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3817 					  PROCESS__EXECSTACK, NULL);
3818 		} else if (vma->vm_file && vma->anon_vma) {
3819 			/*
3820 			 * We are making executable a file mapping that has
3821 			 * had some COW done. Since pages might have been
3822 			 * written, check ability to execute the possibly
3823 			 * modified content.  This typically should only
3824 			 * occur for text relocations.
3825 			 */
3826 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3827 		}
3828 		if (rc)
3829 			return rc;
3830 	}
3831 
3832 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3833 }
3834 
3835 static int selinux_file_lock(struct file *file, unsigned int cmd)
3836 {
3837 	const struct cred *cred = current_cred();
3838 
3839 	return file_has_perm(cred, file, FILE__LOCK);
3840 }
3841 
3842 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3843 			      unsigned long arg)
3844 {
3845 	const struct cred *cred = current_cred();
3846 	int err = 0;
3847 
3848 	switch (cmd) {
3849 	case F_SETFL:
3850 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3851 			err = file_has_perm(cred, file, FILE__WRITE);
3852 			break;
3853 		}
3854 		fallthrough;
3855 	case F_SETOWN:
3856 	case F_SETSIG:
3857 	case F_GETFL:
3858 	case F_GETOWN:
3859 	case F_GETSIG:
3860 	case F_GETOWNER_UIDS:
3861 		/* Just check FD__USE permission */
3862 		err = file_has_perm(cred, file, 0);
3863 		break;
3864 	case F_GETLK:
3865 	case F_SETLK:
3866 	case F_SETLKW:
3867 	case F_OFD_GETLK:
3868 	case F_OFD_SETLK:
3869 	case F_OFD_SETLKW:
3870 #if BITS_PER_LONG == 32
3871 	case F_GETLK64:
3872 	case F_SETLK64:
3873 	case F_SETLKW64:
3874 #endif
3875 		err = file_has_perm(cred, file, FILE__LOCK);
3876 		break;
3877 	}
3878 
3879 	return err;
3880 }
3881 
3882 static void selinux_file_set_fowner(struct file *file)
3883 {
3884 	struct file_security_struct *fsec;
3885 
3886 	fsec = selinux_file(file);
3887 	fsec->fown_sid = current_sid();
3888 }
3889 
3890 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3891 				       struct fown_struct *fown, int signum)
3892 {
3893 	struct file *file;
3894 	u32 sid = task_sid_obj(tsk);
3895 	u32 perm;
3896 	struct file_security_struct *fsec;
3897 
3898 	/* struct fown_struct is never outside the context of a struct file */
3899 	file = container_of(fown, struct file, f_owner);
3900 
3901 	fsec = selinux_file(file);
3902 
3903 	if (!signum)
3904 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3905 	else
3906 		perm = signal_to_av(signum);
3907 
3908 	return avc_has_perm(fsec->fown_sid, sid,
3909 			    SECCLASS_PROCESS, perm, NULL);
3910 }
3911 
3912 static int selinux_file_receive(struct file *file)
3913 {
3914 	const struct cred *cred = current_cred();
3915 
3916 	return file_has_perm(cred, file, file_to_av(file));
3917 }
3918 
3919 static int selinux_file_open(struct file *file)
3920 {
3921 	struct file_security_struct *fsec;
3922 	struct inode_security_struct *isec;
3923 
3924 	fsec = selinux_file(file);
3925 	isec = inode_security(file_inode(file));
3926 	/*
3927 	 * Save inode label and policy sequence number
3928 	 * at open-time so that selinux_file_permission
3929 	 * can determine whether revalidation is necessary.
3930 	 * Task label is already saved in the file security
3931 	 * struct as its SID.
3932 	 */
3933 	fsec->isid = isec->sid;
3934 	fsec->pseqno = avc_policy_seqno();
3935 	/*
3936 	 * Since the inode label or policy seqno may have changed
3937 	 * between the selinux_inode_permission check and the saving
3938 	 * of state above, recheck that access is still permitted.
3939 	 * Otherwise, access might never be revalidated against the
3940 	 * new inode label or new policy.
3941 	 * This check is not redundant - do not remove.
3942 	 */
3943 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3944 }
3945 
3946 /* task security operations */
3947 
3948 static int selinux_task_alloc(struct task_struct *task,
3949 			      unsigned long clone_flags)
3950 {
3951 	u32 sid = current_sid();
3952 
3953 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3954 }
3955 
3956 /*
3957  * prepare a new set of credentials for modification
3958  */
3959 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3960 				gfp_t gfp)
3961 {
3962 	const struct task_security_struct *old_tsec = selinux_cred(old);
3963 	struct task_security_struct *tsec = selinux_cred(new);
3964 
3965 	*tsec = *old_tsec;
3966 	return 0;
3967 }
3968 
3969 /*
3970  * transfer the SELinux data to a blank set of creds
3971  */
3972 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3973 {
3974 	const struct task_security_struct *old_tsec = selinux_cred(old);
3975 	struct task_security_struct *tsec = selinux_cred(new);
3976 
3977 	*tsec = *old_tsec;
3978 }
3979 
3980 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3981 {
3982 	*secid = cred_sid(c);
3983 }
3984 
3985 /*
3986  * set the security data for a kernel service
3987  * - all the creation contexts are set to unlabelled
3988  */
3989 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3990 {
3991 	struct task_security_struct *tsec = selinux_cred(new);
3992 	u32 sid = current_sid();
3993 	int ret;
3994 
3995 	ret = avc_has_perm(sid, secid,
3996 			   SECCLASS_KERNEL_SERVICE,
3997 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3998 			   NULL);
3999 	if (ret == 0) {
4000 		tsec->sid = secid;
4001 		tsec->create_sid = 0;
4002 		tsec->keycreate_sid = 0;
4003 		tsec->sockcreate_sid = 0;
4004 	}
4005 	return ret;
4006 }
4007 
4008 /*
4009  * set the file creation context in a security record to the same as the
4010  * objective context of the specified inode
4011  */
4012 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4013 {
4014 	struct inode_security_struct *isec = inode_security(inode);
4015 	struct task_security_struct *tsec = selinux_cred(new);
4016 	u32 sid = current_sid();
4017 	int ret;
4018 
4019 	ret = avc_has_perm(sid, isec->sid,
4020 			   SECCLASS_KERNEL_SERVICE,
4021 			   KERNEL_SERVICE__CREATE_FILES_AS,
4022 			   NULL);
4023 
4024 	if (ret == 0)
4025 		tsec->create_sid = isec->sid;
4026 	return ret;
4027 }
4028 
4029 static int selinux_kernel_module_request(char *kmod_name)
4030 {
4031 	struct common_audit_data ad;
4032 
4033 	ad.type = LSM_AUDIT_DATA_KMOD;
4034 	ad.u.kmod_name = kmod_name;
4035 
4036 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4037 			    SYSTEM__MODULE_REQUEST, &ad);
4038 }
4039 
4040 static int selinux_kernel_module_from_file(struct file *file)
4041 {
4042 	struct common_audit_data ad;
4043 	struct inode_security_struct *isec;
4044 	struct file_security_struct *fsec;
4045 	u32 sid = current_sid();
4046 	int rc;
4047 
4048 	/* init_module */
4049 	if (file == NULL)
4050 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4051 					SYSTEM__MODULE_LOAD, NULL);
4052 
4053 	/* finit_module */
4054 
4055 	ad.type = LSM_AUDIT_DATA_FILE;
4056 	ad.u.file = file;
4057 
4058 	fsec = selinux_file(file);
4059 	if (sid != fsec->sid) {
4060 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4061 		if (rc)
4062 			return rc;
4063 	}
4064 
4065 	isec = inode_security(file_inode(file));
4066 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4067 				SYSTEM__MODULE_LOAD, &ad);
4068 }
4069 
4070 static int selinux_kernel_read_file(struct file *file,
4071 				    enum kernel_read_file_id id,
4072 				    bool contents)
4073 {
4074 	int rc = 0;
4075 
4076 	switch (id) {
4077 	case READING_MODULE:
4078 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4079 		break;
4080 	default:
4081 		break;
4082 	}
4083 
4084 	return rc;
4085 }
4086 
4087 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4088 {
4089 	int rc = 0;
4090 
4091 	switch (id) {
4092 	case LOADING_MODULE:
4093 		rc = selinux_kernel_module_from_file(NULL);
4094 		break;
4095 	default:
4096 		break;
4097 	}
4098 
4099 	return rc;
4100 }
4101 
4102 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4103 {
4104 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4105 			    PROCESS__SETPGID, NULL);
4106 }
4107 
4108 static int selinux_task_getpgid(struct task_struct *p)
4109 {
4110 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4111 			    PROCESS__GETPGID, NULL);
4112 }
4113 
4114 static int selinux_task_getsid(struct task_struct *p)
4115 {
4116 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4117 			    PROCESS__GETSESSION, NULL);
4118 }
4119 
4120 static void selinux_current_getsecid_subj(u32 *secid)
4121 {
4122 	*secid = current_sid();
4123 }
4124 
4125 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4126 {
4127 	*secid = task_sid_obj(p);
4128 }
4129 
4130 static int selinux_task_setnice(struct task_struct *p, int nice)
4131 {
4132 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4133 			    PROCESS__SETSCHED, NULL);
4134 }
4135 
4136 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4137 {
4138 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4139 			    PROCESS__SETSCHED, NULL);
4140 }
4141 
4142 static int selinux_task_getioprio(struct task_struct *p)
4143 {
4144 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4145 			    PROCESS__GETSCHED, NULL);
4146 }
4147 
4148 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4149 				unsigned int flags)
4150 {
4151 	u32 av = 0;
4152 
4153 	if (!flags)
4154 		return 0;
4155 	if (flags & LSM_PRLIMIT_WRITE)
4156 		av |= PROCESS__SETRLIMIT;
4157 	if (flags & LSM_PRLIMIT_READ)
4158 		av |= PROCESS__GETRLIMIT;
4159 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4160 			    SECCLASS_PROCESS, av, NULL);
4161 }
4162 
4163 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4164 		struct rlimit *new_rlim)
4165 {
4166 	struct rlimit *old_rlim = p->signal->rlim + resource;
4167 
4168 	/* Control the ability to change the hard limit (whether
4169 	   lowering or raising it), so that the hard limit can
4170 	   later be used as a safe reset point for the soft limit
4171 	   upon context transitions.  See selinux_bprm_committing_creds. */
4172 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4173 		return avc_has_perm(current_sid(), task_sid_obj(p),
4174 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4175 
4176 	return 0;
4177 }
4178 
4179 static int selinux_task_setscheduler(struct task_struct *p)
4180 {
4181 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4182 			    PROCESS__SETSCHED, NULL);
4183 }
4184 
4185 static int selinux_task_getscheduler(struct task_struct *p)
4186 {
4187 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4188 			    PROCESS__GETSCHED, NULL);
4189 }
4190 
4191 static int selinux_task_movememory(struct task_struct *p)
4192 {
4193 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4194 			    PROCESS__SETSCHED, NULL);
4195 }
4196 
4197 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4198 				int sig, const struct cred *cred)
4199 {
4200 	u32 secid;
4201 	u32 perm;
4202 
4203 	if (!sig)
4204 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4205 	else
4206 		perm = signal_to_av(sig);
4207 	if (!cred)
4208 		secid = current_sid();
4209 	else
4210 		secid = cred_sid(cred);
4211 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4212 }
4213 
4214 static void selinux_task_to_inode(struct task_struct *p,
4215 				  struct inode *inode)
4216 {
4217 	struct inode_security_struct *isec = selinux_inode(inode);
4218 	u32 sid = task_sid_obj(p);
4219 
4220 	spin_lock(&isec->lock);
4221 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4222 	isec->sid = sid;
4223 	isec->initialized = LABEL_INITIALIZED;
4224 	spin_unlock(&isec->lock);
4225 }
4226 
4227 static int selinux_userns_create(const struct cred *cred)
4228 {
4229 	u32 sid = current_sid();
4230 
4231 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4232 			USER_NAMESPACE__CREATE, NULL);
4233 }
4234 
4235 /* Returns error only if unable to parse addresses */
4236 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4237 			struct common_audit_data *ad, u8 *proto)
4238 {
4239 	int offset, ihlen, ret = -EINVAL;
4240 	struct iphdr _iph, *ih;
4241 
4242 	offset = skb_network_offset(skb);
4243 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4244 	if (ih == NULL)
4245 		goto out;
4246 
4247 	ihlen = ih->ihl * 4;
4248 	if (ihlen < sizeof(_iph))
4249 		goto out;
4250 
4251 	ad->u.net->v4info.saddr = ih->saddr;
4252 	ad->u.net->v4info.daddr = ih->daddr;
4253 	ret = 0;
4254 
4255 	if (proto)
4256 		*proto = ih->protocol;
4257 
4258 	switch (ih->protocol) {
4259 	case IPPROTO_TCP: {
4260 		struct tcphdr _tcph, *th;
4261 
4262 		if (ntohs(ih->frag_off) & IP_OFFSET)
4263 			break;
4264 
4265 		offset += ihlen;
4266 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4267 		if (th == NULL)
4268 			break;
4269 
4270 		ad->u.net->sport = th->source;
4271 		ad->u.net->dport = th->dest;
4272 		break;
4273 	}
4274 
4275 	case IPPROTO_UDP: {
4276 		struct udphdr _udph, *uh;
4277 
4278 		if (ntohs(ih->frag_off) & IP_OFFSET)
4279 			break;
4280 
4281 		offset += ihlen;
4282 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4283 		if (uh == NULL)
4284 			break;
4285 
4286 		ad->u.net->sport = uh->source;
4287 		ad->u.net->dport = uh->dest;
4288 		break;
4289 	}
4290 
4291 	case IPPROTO_DCCP: {
4292 		struct dccp_hdr _dccph, *dh;
4293 
4294 		if (ntohs(ih->frag_off) & IP_OFFSET)
4295 			break;
4296 
4297 		offset += ihlen;
4298 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4299 		if (dh == NULL)
4300 			break;
4301 
4302 		ad->u.net->sport = dh->dccph_sport;
4303 		ad->u.net->dport = dh->dccph_dport;
4304 		break;
4305 	}
4306 
4307 #if IS_ENABLED(CONFIG_IP_SCTP)
4308 	case IPPROTO_SCTP: {
4309 		struct sctphdr _sctph, *sh;
4310 
4311 		if (ntohs(ih->frag_off) & IP_OFFSET)
4312 			break;
4313 
4314 		offset += ihlen;
4315 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4316 		if (sh == NULL)
4317 			break;
4318 
4319 		ad->u.net->sport = sh->source;
4320 		ad->u.net->dport = sh->dest;
4321 		break;
4322 	}
4323 #endif
4324 	default:
4325 		break;
4326 	}
4327 out:
4328 	return ret;
4329 }
4330 
4331 #if IS_ENABLED(CONFIG_IPV6)
4332 
4333 /* Returns error only if unable to parse addresses */
4334 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4335 			struct common_audit_data *ad, u8 *proto)
4336 {
4337 	u8 nexthdr;
4338 	int ret = -EINVAL, offset;
4339 	struct ipv6hdr _ipv6h, *ip6;
4340 	__be16 frag_off;
4341 
4342 	offset = skb_network_offset(skb);
4343 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4344 	if (ip6 == NULL)
4345 		goto out;
4346 
4347 	ad->u.net->v6info.saddr = ip6->saddr;
4348 	ad->u.net->v6info.daddr = ip6->daddr;
4349 	ret = 0;
4350 
4351 	nexthdr = ip6->nexthdr;
4352 	offset += sizeof(_ipv6h);
4353 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4354 	if (offset < 0)
4355 		goto out;
4356 
4357 	if (proto)
4358 		*proto = nexthdr;
4359 
4360 	switch (nexthdr) {
4361 	case IPPROTO_TCP: {
4362 		struct tcphdr _tcph, *th;
4363 
4364 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4365 		if (th == NULL)
4366 			break;
4367 
4368 		ad->u.net->sport = th->source;
4369 		ad->u.net->dport = th->dest;
4370 		break;
4371 	}
4372 
4373 	case IPPROTO_UDP: {
4374 		struct udphdr _udph, *uh;
4375 
4376 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4377 		if (uh == NULL)
4378 			break;
4379 
4380 		ad->u.net->sport = uh->source;
4381 		ad->u.net->dport = uh->dest;
4382 		break;
4383 	}
4384 
4385 	case IPPROTO_DCCP: {
4386 		struct dccp_hdr _dccph, *dh;
4387 
4388 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4389 		if (dh == NULL)
4390 			break;
4391 
4392 		ad->u.net->sport = dh->dccph_sport;
4393 		ad->u.net->dport = dh->dccph_dport;
4394 		break;
4395 	}
4396 
4397 #if IS_ENABLED(CONFIG_IP_SCTP)
4398 	case IPPROTO_SCTP: {
4399 		struct sctphdr _sctph, *sh;
4400 
4401 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4402 		if (sh == NULL)
4403 			break;
4404 
4405 		ad->u.net->sport = sh->source;
4406 		ad->u.net->dport = sh->dest;
4407 		break;
4408 	}
4409 #endif
4410 	/* includes fragments */
4411 	default:
4412 		break;
4413 	}
4414 out:
4415 	return ret;
4416 }
4417 
4418 #endif /* IPV6 */
4419 
4420 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4421 			     char **_addrp, int src, u8 *proto)
4422 {
4423 	char *addrp;
4424 	int ret;
4425 
4426 	switch (ad->u.net->family) {
4427 	case PF_INET:
4428 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4429 		if (ret)
4430 			goto parse_error;
4431 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4432 				       &ad->u.net->v4info.daddr);
4433 		goto okay;
4434 
4435 #if IS_ENABLED(CONFIG_IPV6)
4436 	case PF_INET6:
4437 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4438 		if (ret)
4439 			goto parse_error;
4440 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4441 				       &ad->u.net->v6info.daddr);
4442 		goto okay;
4443 #endif	/* IPV6 */
4444 	default:
4445 		addrp = NULL;
4446 		goto okay;
4447 	}
4448 
4449 parse_error:
4450 	pr_warn(
4451 	       "SELinux: failure in selinux_parse_skb(),"
4452 	       " unable to parse packet\n");
4453 	return ret;
4454 
4455 okay:
4456 	if (_addrp)
4457 		*_addrp = addrp;
4458 	return 0;
4459 }
4460 
4461 /**
4462  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4463  * @skb: the packet
4464  * @family: protocol family
4465  * @sid: the packet's peer label SID
4466  *
4467  * Description:
4468  * Check the various different forms of network peer labeling and determine
4469  * the peer label/SID for the packet; most of the magic actually occurs in
4470  * the security server function security_net_peersid_cmp().  The function
4471  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4472  * or -EACCES if @sid is invalid due to inconsistencies with the different
4473  * peer labels.
4474  *
4475  */
4476 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4477 {
4478 	int err;
4479 	u32 xfrm_sid;
4480 	u32 nlbl_sid;
4481 	u32 nlbl_type;
4482 
4483 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4484 	if (unlikely(err))
4485 		return -EACCES;
4486 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4487 	if (unlikely(err))
4488 		return -EACCES;
4489 
4490 	err = security_net_peersid_resolve(nlbl_sid,
4491 					   nlbl_type, xfrm_sid, sid);
4492 	if (unlikely(err)) {
4493 		pr_warn(
4494 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4495 		       " unable to determine packet's peer label\n");
4496 		return -EACCES;
4497 	}
4498 
4499 	return 0;
4500 }
4501 
4502 /**
4503  * selinux_conn_sid - Determine the child socket label for a connection
4504  * @sk_sid: the parent socket's SID
4505  * @skb_sid: the packet's SID
4506  * @conn_sid: the resulting connection SID
4507  *
4508  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4509  * combined with the MLS information from @skb_sid in order to create
4510  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4511  * of @sk_sid.  Returns zero on success, negative values on failure.
4512  *
4513  */
4514 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4515 {
4516 	int err = 0;
4517 
4518 	if (skb_sid != SECSID_NULL)
4519 		err = security_sid_mls_copy(sk_sid, skb_sid,
4520 					    conn_sid);
4521 	else
4522 		*conn_sid = sk_sid;
4523 
4524 	return err;
4525 }
4526 
4527 /* socket security operations */
4528 
4529 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4530 				 u16 secclass, u32 *socksid)
4531 {
4532 	if (tsec->sockcreate_sid > SECSID_NULL) {
4533 		*socksid = tsec->sockcreate_sid;
4534 		return 0;
4535 	}
4536 
4537 	return security_transition_sid(tsec->sid, tsec->sid,
4538 				       secclass, NULL, socksid);
4539 }
4540 
4541 static int sock_has_perm(struct sock *sk, u32 perms)
4542 {
4543 	struct sk_security_struct *sksec = sk->sk_security;
4544 	struct common_audit_data ad;
4545 	struct lsm_network_audit net;
4546 
4547 	if (sksec->sid == SECINITSID_KERNEL)
4548 		return 0;
4549 
4550 	ad_net_init_from_sk(&ad, &net, sk);
4551 
4552 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4553 			    &ad);
4554 }
4555 
4556 static int selinux_socket_create(int family, int type,
4557 				 int protocol, int kern)
4558 {
4559 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4560 	u32 newsid;
4561 	u16 secclass;
4562 	int rc;
4563 
4564 	if (kern)
4565 		return 0;
4566 
4567 	secclass = socket_type_to_security_class(family, type, protocol);
4568 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4569 	if (rc)
4570 		return rc;
4571 
4572 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4573 }
4574 
4575 static int selinux_socket_post_create(struct socket *sock, int family,
4576 				      int type, int protocol, int kern)
4577 {
4578 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4579 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4580 	struct sk_security_struct *sksec;
4581 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4582 	u32 sid = SECINITSID_KERNEL;
4583 	int err = 0;
4584 
4585 	if (!kern) {
4586 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4587 		if (err)
4588 			return err;
4589 	}
4590 
4591 	isec->sclass = sclass;
4592 	isec->sid = sid;
4593 	isec->initialized = LABEL_INITIALIZED;
4594 
4595 	if (sock->sk) {
4596 		sksec = sock->sk->sk_security;
4597 		sksec->sclass = sclass;
4598 		sksec->sid = sid;
4599 		/* Allows detection of the first association on this socket */
4600 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4601 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4602 
4603 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4604 	}
4605 
4606 	return err;
4607 }
4608 
4609 static int selinux_socket_socketpair(struct socket *socka,
4610 				     struct socket *sockb)
4611 {
4612 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4613 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4614 
4615 	sksec_a->peer_sid = sksec_b->sid;
4616 	sksec_b->peer_sid = sksec_a->sid;
4617 
4618 	return 0;
4619 }
4620 
4621 /* Range of port numbers used to automatically bind.
4622    Need to determine whether we should perform a name_bind
4623    permission check between the socket and the port number. */
4624 
4625 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4626 {
4627 	struct sock *sk = sock->sk;
4628 	struct sk_security_struct *sksec = sk->sk_security;
4629 	u16 family;
4630 	int err;
4631 
4632 	err = sock_has_perm(sk, SOCKET__BIND);
4633 	if (err)
4634 		goto out;
4635 
4636 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4637 	family = sk->sk_family;
4638 	if (family == PF_INET || family == PF_INET6) {
4639 		char *addrp;
4640 		struct common_audit_data ad;
4641 		struct lsm_network_audit net = {0,};
4642 		struct sockaddr_in *addr4 = NULL;
4643 		struct sockaddr_in6 *addr6 = NULL;
4644 		u16 family_sa;
4645 		unsigned short snum;
4646 		u32 sid, node_perm;
4647 
4648 		/*
4649 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4650 		 * that validates multiple binding addresses. Because of this
4651 		 * need to check address->sa_family as it is possible to have
4652 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4653 		 */
4654 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4655 			return -EINVAL;
4656 		family_sa = address->sa_family;
4657 		switch (family_sa) {
4658 		case AF_UNSPEC:
4659 		case AF_INET:
4660 			if (addrlen < sizeof(struct sockaddr_in))
4661 				return -EINVAL;
4662 			addr4 = (struct sockaddr_in *)address;
4663 			if (family_sa == AF_UNSPEC) {
4664 				if (family == PF_INET6) {
4665 					/* Length check from inet6_bind_sk() */
4666 					if (addrlen < SIN6_LEN_RFC2133)
4667 						return -EINVAL;
4668 					/* Family check from __inet6_bind() */
4669 					goto err_af;
4670 				}
4671 				/* see __inet_bind(), we only want to allow
4672 				 * AF_UNSPEC if the address is INADDR_ANY
4673 				 */
4674 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4675 					goto err_af;
4676 				family_sa = AF_INET;
4677 			}
4678 			snum = ntohs(addr4->sin_port);
4679 			addrp = (char *)&addr4->sin_addr.s_addr;
4680 			break;
4681 		case AF_INET6:
4682 			if (addrlen < SIN6_LEN_RFC2133)
4683 				return -EINVAL;
4684 			addr6 = (struct sockaddr_in6 *)address;
4685 			snum = ntohs(addr6->sin6_port);
4686 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4687 			break;
4688 		default:
4689 			goto err_af;
4690 		}
4691 
4692 		ad.type = LSM_AUDIT_DATA_NET;
4693 		ad.u.net = &net;
4694 		ad.u.net->sport = htons(snum);
4695 		ad.u.net->family = family_sa;
4696 
4697 		if (snum) {
4698 			int low, high;
4699 
4700 			inet_get_local_port_range(sock_net(sk), &low, &high);
4701 
4702 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4703 			    snum < low || snum > high) {
4704 				err = sel_netport_sid(sk->sk_protocol,
4705 						      snum, &sid);
4706 				if (err)
4707 					goto out;
4708 				err = avc_has_perm(sksec->sid, sid,
4709 						   sksec->sclass,
4710 						   SOCKET__NAME_BIND, &ad);
4711 				if (err)
4712 					goto out;
4713 			}
4714 		}
4715 
4716 		switch (sksec->sclass) {
4717 		case SECCLASS_TCP_SOCKET:
4718 			node_perm = TCP_SOCKET__NODE_BIND;
4719 			break;
4720 
4721 		case SECCLASS_UDP_SOCKET:
4722 			node_perm = UDP_SOCKET__NODE_BIND;
4723 			break;
4724 
4725 		case SECCLASS_DCCP_SOCKET:
4726 			node_perm = DCCP_SOCKET__NODE_BIND;
4727 			break;
4728 
4729 		case SECCLASS_SCTP_SOCKET:
4730 			node_perm = SCTP_SOCKET__NODE_BIND;
4731 			break;
4732 
4733 		default:
4734 			node_perm = RAWIP_SOCKET__NODE_BIND;
4735 			break;
4736 		}
4737 
4738 		err = sel_netnode_sid(addrp, family_sa, &sid);
4739 		if (err)
4740 			goto out;
4741 
4742 		if (family_sa == AF_INET)
4743 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4744 		else
4745 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4746 
4747 		err = avc_has_perm(sksec->sid, sid,
4748 				   sksec->sclass, node_perm, &ad);
4749 		if (err)
4750 			goto out;
4751 	}
4752 out:
4753 	return err;
4754 err_af:
4755 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4756 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4757 		return -EINVAL;
4758 	return -EAFNOSUPPORT;
4759 }
4760 
4761 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4762  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4763  */
4764 static int selinux_socket_connect_helper(struct socket *sock,
4765 					 struct sockaddr *address, int addrlen)
4766 {
4767 	struct sock *sk = sock->sk;
4768 	struct sk_security_struct *sksec = sk->sk_security;
4769 	int err;
4770 
4771 	err = sock_has_perm(sk, SOCKET__CONNECT);
4772 	if (err)
4773 		return err;
4774 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4775 		return -EINVAL;
4776 
4777 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4778 	 * way to disconnect the socket
4779 	 */
4780 	if (address->sa_family == AF_UNSPEC)
4781 		return 0;
4782 
4783 	/*
4784 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4785 	 * for the port.
4786 	 */
4787 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4788 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4789 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4790 		struct common_audit_data ad;
4791 		struct lsm_network_audit net = {0,};
4792 		struct sockaddr_in *addr4 = NULL;
4793 		struct sockaddr_in6 *addr6 = NULL;
4794 		unsigned short snum;
4795 		u32 sid, perm;
4796 
4797 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4798 		 * that validates multiple connect addresses. Because of this
4799 		 * need to check address->sa_family as it is possible to have
4800 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4801 		 */
4802 		switch (address->sa_family) {
4803 		case AF_INET:
4804 			addr4 = (struct sockaddr_in *)address;
4805 			if (addrlen < sizeof(struct sockaddr_in))
4806 				return -EINVAL;
4807 			snum = ntohs(addr4->sin_port);
4808 			break;
4809 		case AF_INET6:
4810 			addr6 = (struct sockaddr_in6 *)address;
4811 			if (addrlen < SIN6_LEN_RFC2133)
4812 				return -EINVAL;
4813 			snum = ntohs(addr6->sin6_port);
4814 			break;
4815 		default:
4816 			/* Note that SCTP services expect -EINVAL, whereas
4817 			 * others expect -EAFNOSUPPORT.
4818 			 */
4819 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4820 				return -EINVAL;
4821 			else
4822 				return -EAFNOSUPPORT;
4823 		}
4824 
4825 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4826 		if (err)
4827 			return err;
4828 
4829 		switch (sksec->sclass) {
4830 		case SECCLASS_TCP_SOCKET:
4831 			perm = TCP_SOCKET__NAME_CONNECT;
4832 			break;
4833 		case SECCLASS_DCCP_SOCKET:
4834 			perm = DCCP_SOCKET__NAME_CONNECT;
4835 			break;
4836 		case SECCLASS_SCTP_SOCKET:
4837 			perm = SCTP_SOCKET__NAME_CONNECT;
4838 			break;
4839 		}
4840 
4841 		ad.type = LSM_AUDIT_DATA_NET;
4842 		ad.u.net = &net;
4843 		ad.u.net->dport = htons(snum);
4844 		ad.u.net->family = address->sa_family;
4845 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4846 		if (err)
4847 			return err;
4848 	}
4849 
4850 	return 0;
4851 }
4852 
4853 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4854 static int selinux_socket_connect(struct socket *sock,
4855 				  struct sockaddr *address, int addrlen)
4856 {
4857 	int err;
4858 	struct sock *sk = sock->sk;
4859 
4860 	err = selinux_socket_connect_helper(sock, address, addrlen);
4861 	if (err)
4862 		return err;
4863 
4864 	return selinux_netlbl_socket_connect(sk, address);
4865 }
4866 
4867 static int selinux_socket_listen(struct socket *sock, int backlog)
4868 {
4869 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4870 }
4871 
4872 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4873 {
4874 	int err;
4875 	struct inode_security_struct *isec;
4876 	struct inode_security_struct *newisec;
4877 	u16 sclass;
4878 	u32 sid;
4879 
4880 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4881 	if (err)
4882 		return err;
4883 
4884 	isec = inode_security_novalidate(SOCK_INODE(sock));
4885 	spin_lock(&isec->lock);
4886 	sclass = isec->sclass;
4887 	sid = isec->sid;
4888 	spin_unlock(&isec->lock);
4889 
4890 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4891 	newisec->sclass = sclass;
4892 	newisec->sid = sid;
4893 	newisec->initialized = LABEL_INITIALIZED;
4894 
4895 	return 0;
4896 }
4897 
4898 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4899 				  int size)
4900 {
4901 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4902 }
4903 
4904 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4905 				  int size, int flags)
4906 {
4907 	return sock_has_perm(sock->sk, SOCKET__READ);
4908 }
4909 
4910 static int selinux_socket_getsockname(struct socket *sock)
4911 {
4912 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4913 }
4914 
4915 static int selinux_socket_getpeername(struct socket *sock)
4916 {
4917 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4918 }
4919 
4920 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4921 {
4922 	int err;
4923 
4924 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4925 	if (err)
4926 		return err;
4927 
4928 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4929 }
4930 
4931 static int selinux_socket_getsockopt(struct socket *sock, int level,
4932 				     int optname)
4933 {
4934 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4935 }
4936 
4937 static int selinux_socket_shutdown(struct socket *sock, int how)
4938 {
4939 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4940 }
4941 
4942 static int selinux_socket_unix_stream_connect(struct sock *sock,
4943 					      struct sock *other,
4944 					      struct sock *newsk)
4945 {
4946 	struct sk_security_struct *sksec_sock = sock->sk_security;
4947 	struct sk_security_struct *sksec_other = other->sk_security;
4948 	struct sk_security_struct *sksec_new = newsk->sk_security;
4949 	struct common_audit_data ad;
4950 	struct lsm_network_audit net;
4951 	int err;
4952 
4953 	ad_net_init_from_sk(&ad, &net, other);
4954 
4955 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4956 			   sksec_other->sclass,
4957 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4958 	if (err)
4959 		return err;
4960 
4961 	/* server child socket */
4962 	sksec_new->peer_sid = sksec_sock->sid;
4963 	err = security_sid_mls_copy(sksec_other->sid,
4964 				    sksec_sock->sid, &sksec_new->sid);
4965 	if (err)
4966 		return err;
4967 
4968 	/* connecting socket */
4969 	sksec_sock->peer_sid = sksec_new->sid;
4970 
4971 	return 0;
4972 }
4973 
4974 static int selinux_socket_unix_may_send(struct socket *sock,
4975 					struct socket *other)
4976 {
4977 	struct sk_security_struct *ssec = sock->sk->sk_security;
4978 	struct sk_security_struct *osec = other->sk->sk_security;
4979 	struct common_audit_data ad;
4980 	struct lsm_network_audit net;
4981 
4982 	ad_net_init_from_sk(&ad, &net, other->sk);
4983 
4984 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4985 			    &ad);
4986 }
4987 
4988 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4989 				    char *addrp, u16 family, u32 peer_sid,
4990 				    struct common_audit_data *ad)
4991 {
4992 	int err;
4993 	u32 if_sid;
4994 	u32 node_sid;
4995 
4996 	err = sel_netif_sid(ns, ifindex, &if_sid);
4997 	if (err)
4998 		return err;
4999 	err = avc_has_perm(peer_sid, if_sid,
5000 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5001 	if (err)
5002 		return err;
5003 
5004 	err = sel_netnode_sid(addrp, family, &node_sid);
5005 	if (err)
5006 		return err;
5007 	return avc_has_perm(peer_sid, node_sid,
5008 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5009 }
5010 
5011 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5012 				       u16 family)
5013 {
5014 	int err = 0;
5015 	struct sk_security_struct *sksec = sk->sk_security;
5016 	u32 sk_sid = sksec->sid;
5017 	struct common_audit_data ad;
5018 	struct lsm_network_audit net;
5019 	char *addrp;
5020 
5021 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5022 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5023 	if (err)
5024 		return err;
5025 
5026 	if (selinux_secmark_enabled()) {
5027 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5028 				   PACKET__RECV, &ad);
5029 		if (err)
5030 			return err;
5031 	}
5032 
5033 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5034 	if (err)
5035 		return err;
5036 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5037 
5038 	return err;
5039 }
5040 
5041 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5042 {
5043 	int err, peerlbl_active, secmark_active;
5044 	struct sk_security_struct *sksec = sk->sk_security;
5045 	u16 family = sk->sk_family;
5046 	u32 sk_sid = sksec->sid;
5047 	struct common_audit_data ad;
5048 	struct lsm_network_audit net;
5049 	char *addrp;
5050 
5051 	if (family != PF_INET && family != PF_INET6)
5052 		return 0;
5053 
5054 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5055 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5056 		family = PF_INET;
5057 
5058 	/* If any sort of compatibility mode is enabled then handoff processing
5059 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5060 	 * special handling.  We do this in an attempt to keep this function
5061 	 * as fast and as clean as possible. */
5062 	if (!selinux_policycap_netpeer())
5063 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5064 
5065 	secmark_active = selinux_secmark_enabled();
5066 	peerlbl_active = selinux_peerlbl_enabled();
5067 	if (!secmark_active && !peerlbl_active)
5068 		return 0;
5069 
5070 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5071 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5072 	if (err)
5073 		return err;
5074 
5075 	if (peerlbl_active) {
5076 		u32 peer_sid;
5077 
5078 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5079 		if (err)
5080 			return err;
5081 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5082 					       addrp, family, peer_sid, &ad);
5083 		if (err) {
5084 			selinux_netlbl_err(skb, family, err, 0);
5085 			return err;
5086 		}
5087 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5088 				   PEER__RECV, &ad);
5089 		if (err) {
5090 			selinux_netlbl_err(skb, family, err, 0);
5091 			return err;
5092 		}
5093 	}
5094 
5095 	if (secmark_active) {
5096 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5097 				   PACKET__RECV, &ad);
5098 		if (err)
5099 			return err;
5100 	}
5101 
5102 	return err;
5103 }
5104 
5105 static int selinux_socket_getpeersec_stream(struct socket *sock,
5106 					    sockptr_t optval, sockptr_t optlen,
5107 					    unsigned int len)
5108 {
5109 	int err = 0;
5110 	char *scontext = NULL;
5111 	u32 scontext_len;
5112 	struct sk_security_struct *sksec = sock->sk->sk_security;
5113 	u32 peer_sid = SECSID_NULL;
5114 
5115 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5116 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5117 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5118 		peer_sid = sksec->peer_sid;
5119 	if (peer_sid == SECSID_NULL)
5120 		return -ENOPROTOOPT;
5121 
5122 	err = security_sid_to_context(peer_sid, &scontext,
5123 				      &scontext_len);
5124 	if (err)
5125 		return err;
5126 	if (scontext_len > len) {
5127 		err = -ERANGE;
5128 		goto out_len;
5129 	}
5130 
5131 	if (copy_to_sockptr(optval, scontext, scontext_len))
5132 		err = -EFAULT;
5133 out_len:
5134 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5135 		err = -EFAULT;
5136 	kfree(scontext);
5137 	return err;
5138 }
5139 
5140 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5141 {
5142 	u32 peer_secid = SECSID_NULL;
5143 	u16 family;
5144 	struct inode_security_struct *isec;
5145 
5146 	if (skb && skb->protocol == htons(ETH_P_IP))
5147 		family = PF_INET;
5148 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5149 		family = PF_INET6;
5150 	else if (sock)
5151 		family = sock->sk->sk_family;
5152 	else
5153 		goto out;
5154 
5155 	if (sock && family == PF_UNIX) {
5156 		isec = inode_security_novalidate(SOCK_INODE(sock));
5157 		peer_secid = isec->sid;
5158 	} else if (skb)
5159 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5160 
5161 out:
5162 	*secid = peer_secid;
5163 	if (peer_secid == SECSID_NULL)
5164 		return -EINVAL;
5165 	return 0;
5166 }
5167 
5168 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5169 {
5170 	struct sk_security_struct *sksec;
5171 
5172 	sksec = kzalloc(sizeof(*sksec), priority);
5173 	if (!sksec)
5174 		return -ENOMEM;
5175 
5176 	sksec->peer_sid = SECINITSID_UNLABELED;
5177 	sksec->sid = SECINITSID_UNLABELED;
5178 	sksec->sclass = SECCLASS_SOCKET;
5179 	selinux_netlbl_sk_security_reset(sksec);
5180 	sk->sk_security = sksec;
5181 
5182 	return 0;
5183 }
5184 
5185 static void selinux_sk_free_security(struct sock *sk)
5186 {
5187 	struct sk_security_struct *sksec = sk->sk_security;
5188 
5189 	sk->sk_security = NULL;
5190 	selinux_netlbl_sk_security_free(sksec);
5191 	kfree(sksec);
5192 }
5193 
5194 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5195 {
5196 	struct sk_security_struct *sksec = sk->sk_security;
5197 	struct sk_security_struct *newsksec = newsk->sk_security;
5198 
5199 	newsksec->sid = sksec->sid;
5200 	newsksec->peer_sid = sksec->peer_sid;
5201 	newsksec->sclass = sksec->sclass;
5202 
5203 	selinux_netlbl_sk_security_reset(newsksec);
5204 }
5205 
5206 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5207 {
5208 	if (!sk)
5209 		*secid = SECINITSID_ANY_SOCKET;
5210 	else {
5211 		const struct sk_security_struct *sksec = sk->sk_security;
5212 
5213 		*secid = sksec->sid;
5214 	}
5215 }
5216 
5217 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5218 {
5219 	struct inode_security_struct *isec =
5220 		inode_security_novalidate(SOCK_INODE(parent));
5221 	struct sk_security_struct *sksec = sk->sk_security;
5222 
5223 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5224 	    sk->sk_family == PF_UNIX)
5225 		isec->sid = sksec->sid;
5226 	sksec->sclass = isec->sclass;
5227 }
5228 
5229 /*
5230  * Determines peer_secid for the asoc and updates socket's peer label
5231  * if it's the first association on the socket.
5232  */
5233 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5234 					  struct sk_buff *skb)
5235 {
5236 	struct sock *sk = asoc->base.sk;
5237 	u16 family = sk->sk_family;
5238 	struct sk_security_struct *sksec = sk->sk_security;
5239 	struct common_audit_data ad;
5240 	struct lsm_network_audit net;
5241 	int err;
5242 
5243 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5244 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5245 		family = PF_INET;
5246 
5247 	if (selinux_peerlbl_enabled()) {
5248 		asoc->peer_secid = SECSID_NULL;
5249 
5250 		/* This will return peer_sid = SECSID_NULL if there are
5251 		 * no peer labels, see security_net_peersid_resolve().
5252 		 */
5253 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5254 		if (err)
5255 			return err;
5256 
5257 		if (asoc->peer_secid == SECSID_NULL)
5258 			asoc->peer_secid = SECINITSID_UNLABELED;
5259 	} else {
5260 		asoc->peer_secid = SECINITSID_UNLABELED;
5261 	}
5262 
5263 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5264 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5265 
5266 		/* Here as first association on socket. As the peer SID
5267 		 * was allowed by peer recv (and the netif/node checks),
5268 		 * then it is approved by policy and used as the primary
5269 		 * peer SID for getpeercon(3).
5270 		 */
5271 		sksec->peer_sid = asoc->peer_secid;
5272 	} else if (sksec->peer_sid != asoc->peer_secid) {
5273 		/* Other association peer SIDs are checked to enforce
5274 		 * consistency among the peer SIDs.
5275 		 */
5276 		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5277 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5278 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5279 				   &ad);
5280 		if (err)
5281 			return err;
5282 	}
5283 	return 0;
5284 }
5285 
5286 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5287  * happens on an incoming connect(2), sctp_connectx(3) or
5288  * sctp_sendmsg(3) (with no association already present).
5289  */
5290 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5291 				      struct sk_buff *skb)
5292 {
5293 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5294 	u32 conn_sid;
5295 	int err;
5296 
5297 	if (!selinux_policycap_extsockclass())
5298 		return 0;
5299 
5300 	err = selinux_sctp_process_new_assoc(asoc, skb);
5301 	if (err)
5302 		return err;
5303 
5304 	/* Compute the MLS component for the connection and store
5305 	 * the information in asoc. This will be used by SCTP TCP type
5306 	 * sockets and peeled off connections as they cause a new
5307 	 * socket to be generated. selinux_sctp_sk_clone() will then
5308 	 * plug this into the new socket.
5309 	 */
5310 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5311 	if (err)
5312 		return err;
5313 
5314 	asoc->secid = conn_sid;
5315 
5316 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5317 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5318 }
5319 
5320 /* Called when SCTP receives a COOKIE ACK chunk as the final
5321  * response to an association request (initited by us).
5322  */
5323 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5324 					  struct sk_buff *skb)
5325 {
5326 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5327 
5328 	if (!selinux_policycap_extsockclass())
5329 		return 0;
5330 
5331 	/* Inherit secid from the parent socket - this will be picked up
5332 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5333 	 * into a new socket.
5334 	 */
5335 	asoc->secid = sksec->sid;
5336 
5337 	return selinux_sctp_process_new_assoc(asoc, skb);
5338 }
5339 
5340 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5341  * based on their @optname.
5342  */
5343 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5344 				     struct sockaddr *address,
5345 				     int addrlen)
5346 {
5347 	int len, err = 0, walk_size = 0;
5348 	void *addr_buf;
5349 	struct sockaddr *addr;
5350 	struct socket *sock;
5351 
5352 	if (!selinux_policycap_extsockclass())
5353 		return 0;
5354 
5355 	/* Process one or more addresses that may be IPv4 or IPv6 */
5356 	sock = sk->sk_socket;
5357 	addr_buf = address;
5358 
5359 	while (walk_size < addrlen) {
5360 		if (walk_size + sizeof(sa_family_t) > addrlen)
5361 			return -EINVAL;
5362 
5363 		addr = addr_buf;
5364 		switch (addr->sa_family) {
5365 		case AF_UNSPEC:
5366 		case AF_INET:
5367 			len = sizeof(struct sockaddr_in);
5368 			break;
5369 		case AF_INET6:
5370 			len = sizeof(struct sockaddr_in6);
5371 			break;
5372 		default:
5373 			return -EINVAL;
5374 		}
5375 
5376 		if (walk_size + len > addrlen)
5377 			return -EINVAL;
5378 
5379 		err = -EINVAL;
5380 		switch (optname) {
5381 		/* Bind checks */
5382 		case SCTP_PRIMARY_ADDR:
5383 		case SCTP_SET_PEER_PRIMARY_ADDR:
5384 		case SCTP_SOCKOPT_BINDX_ADD:
5385 			err = selinux_socket_bind(sock, addr, len);
5386 			break;
5387 		/* Connect checks */
5388 		case SCTP_SOCKOPT_CONNECTX:
5389 		case SCTP_PARAM_SET_PRIMARY:
5390 		case SCTP_PARAM_ADD_IP:
5391 		case SCTP_SENDMSG_CONNECT:
5392 			err = selinux_socket_connect_helper(sock, addr, len);
5393 			if (err)
5394 				return err;
5395 
5396 			/* As selinux_sctp_bind_connect() is called by the
5397 			 * SCTP protocol layer, the socket is already locked,
5398 			 * therefore selinux_netlbl_socket_connect_locked()
5399 			 * is called here. The situations handled are:
5400 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5401 			 * whenever a new IP address is added or when a new
5402 			 * primary address is selected.
5403 			 * Note that an SCTP connect(2) call happens before
5404 			 * the SCTP protocol layer and is handled via
5405 			 * selinux_socket_connect().
5406 			 */
5407 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5408 			break;
5409 		}
5410 
5411 		if (err)
5412 			return err;
5413 
5414 		addr_buf += len;
5415 		walk_size += len;
5416 	}
5417 
5418 	return 0;
5419 }
5420 
5421 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5422 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5423 				  struct sock *newsk)
5424 {
5425 	struct sk_security_struct *sksec = sk->sk_security;
5426 	struct sk_security_struct *newsksec = newsk->sk_security;
5427 
5428 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5429 	 * the non-sctp clone version.
5430 	 */
5431 	if (!selinux_policycap_extsockclass())
5432 		return selinux_sk_clone_security(sk, newsk);
5433 
5434 	newsksec->sid = asoc->secid;
5435 	newsksec->peer_sid = asoc->peer_secid;
5436 	newsksec->sclass = sksec->sclass;
5437 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5438 }
5439 
5440 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5441 {
5442 	struct sk_security_struct *ssksec = ssk->sk_security;
5443 	struct sk_security_struct *sksec = sk->sk_security;
5444 
5445 	ssksec->sclass = sksec->sclass;
5446 	ssksec->sid = sksec->sid;
5447 
5448 	/* replace the existing subflow label deleting the existing one
5449 	 * and re-recreating a new label using the updated context
5450 	 */
5451 	selinux_netlbl_sk_security_free(ssksec);
5452 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5453 }
5454 
5455 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5456 				     struct request_sock *req)
5457 {
5458 	struct sk_security_struct *sksec = sk->sk_security;
5459 	int err;
5460 	u16 family = req->rsk_ops->family;
5461 	u32 connsid;
5462 	u32 peersid;
5463 
5464 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5465 	if (err)
5466 		return err;
5467 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5468 	if (err)
5469 		return err;
5470 	req->secid = connsid;
5471 	req->peer_secid = peersid;
5472 
5473 	return selinux_netlbl_inet_conn_request(req, family);
5474 }
5475 
5476 static void selinux_inet_csk_clone(struct sock *newsk,
5477 				   const struct request_sock *req)
5478 {
5479 	struct sk_security_struct *newsksec = newsk->sk_security;
5480 
5481 	newsksec->sid = req->secid;
5482 	newsksec->peer_sid = req->peer_secid;
5483 	/* NOTE: Ideally, we should also get the isec->sid for the
5484 	   new socket in sync, but we don't have the isec available yet.
5485 	   So we will wait until sock_graft to do it, by which
5486 	   time it will have been created and available. */
5487 
5488 	/* We don't need to take any sort of lock here as we are the only
5489 	 * thread with access to newsksec */
5490 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5491 }
5492 
5493 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5494 {
5495 	u16 family = sk->sk_family;
5496 	struct sk_security_struct *sksec = sk->sk_security;
5497 
5498 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5499 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5500 		family = PF_INET;
5501 
5502 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5503 }
5504 
5505 static int selinux_secmark_relabel_packet(u32 sid)
5506 {
5507 	const struct task_security_struct *tsec;
5508 	u32 tsid;
5509 
5510 	tsec = selinux_cred(current_cred());
5511 	tsid = tsec->sid;
5512 
5513 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5514 			    NULL);
5515 }
5516 
5517 static void selinux_secmark_refcount_inc(void)
5518 {
5519 	atomic_inc(&selinux_secmark_refcount);
5520 }
5521 
5522 static void selinux_secmark_refcount_dec(void)
5523 {
5524 	atomic_dec(&selinux_secmark_refcount);
5525 }
5526 
5527 static void selinux_req_classify_flow(const struct request_sock *req,
5528 				      struct flowi_common *flic)
5529 {
5530 	flic->flowic_secid = req->secid;
5531 }
5532 
5533 static int selinux_tun_dev_alloc_security(void **security)
5534 {
5535 	struct tun_security_struct *tunsec;
5536 
5537 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5538 	if (!tunsec)
5539 		return -ENOMEM;
5540 	tunsec->sid = current_sid();
5541 
5542 	*security = tunsec;
5543 	return 0;
5544 }
5545 
5546 static void selinux_tun_dev_free_security(void *security)
5547 {
5548 	kfree(security);
5549 }
5550 
5551 static int selinux_tun_dev_create(void)
5552 {
5553 	u32 sid = current_sid();
5554 
5555 	/* we aren't taking into account the "sockcreate" SID since the socket
5556 	 * that is being created here is not a socket in the traditional sense,
5557 	 * instead it is a private sock, accessible only to the kernel, and
5558 	 * representing a wide range of network traffic spanning multiple
5559 	 * connections unlike traditional sockets - check the TUN driver to
5560 	 * get a better understanding of why this socket is special */
5561 
5562 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5563 			    NULL);
5564 }
5565 
5566 static int selinux_tun_dev_attach_queue(void *security)
5567 {
5568 	struct tun_security_struct *tunsec = security;
5569 
5570 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5571 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5572 }
5573 
5574 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5575 {
5576 	struct tun_security_struct *tunsec = security;
5577 	struct sk_security_struct *sksec = sk->sk_security;
5578 
5579 	/* we don't currently perform any NetLabel based labeling here and it
5580 	 * isn't clear that we would want to do so anyway; while we could apply
5581 	 * labeling without the support of the TUN user the resulting labeled
5582 	 * traffic from the other end of the connection would almost certainly
5583 	 * cause confusion to the TUN user that had no idea network labeling
5584 	 * protocols were being used */
5585 
5586 	sksec->sid = tunsec->sid;
5587 	sksec->sclass = SECCLASS_TUN_SOCKET;
5588 
5589 	return 0;
5590 }
5591 
5592 static int selinux_tun_dev_open(void *security)
5593 {
5594 	struct tun_security_struct *tunsec = security;
5595 	u32 sid = current_sid();
5596 	int err;
5597 
5598 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5599 			   TUN_SOCKET__RELABELFROM, NULL);
5600 	if (err)
5601 		return err;
5602 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5603 			   TUN_SOCKET__RELABELTO, NULL);
5604 	if (err)
5605 		return err;
5606 	tunsec->sid = sid;
5607 
5608 	return 0;
5609 }
5610 
5611 #ifdef CONFIG_NETFILTER
5612 
5613 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5614 				       const struct nf_hook_state *state)
5615 {
5616 	int ifindex;
5617 	u16 family;
5618 	char *addrp;
5619 	u32 peer_sid;
5620 	struct common_audit_data ad;
5621 	struct lsm_network_audit net;
5622 	int secmark_active, peerlbl_active;
5623 
5624 	if (!selinux_policycap_netpeer())
5625 		return NF_ACCEPT;
5626 
5627 	secmark_active = selinux_secmark_enabled();
5628 	peerlbl_active = selinux_peerlbl_enabled();
5629 	if (!secmark_active && !peerlbl_active)
5630 		return NF_ACCEPT;
5631 
5632 	family = state->pf;
5633 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5634 		return NF_DROP;
5635 
5636 	ifindex = state->in->ifindex;
5637 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5638 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5639 		return NF_DROP;
5640 
5641 	if (peerlbl_active) {
5642 		int err;
5643 
5644 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5645 					       addrp, family, peer_sid, &ad);
5646 		if (err) {
5647 			selinux_netlbl_err(skb, family, err, 1);
5648 			return NF_DROP;
5649 		}
5650 	}
5651 
5652 	if (secmark_active)
5653 		if (avc_has_perm(peer_sid, skb->secmark,
5654 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5655 			return NF_DROP;
5656 
5657 	if (netlbl_enabled())
5658 		/* we do this in the FORWARD path and not the POST_ROUTING
5659 		 * path because we want to make sure we apply the necessary
5660 		 * labeling before IPsec is applied so we can leverage AH
5661 		 * protection */
5662 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5663 			return NF_DROP;
5664 
5665 	return NF_ACCEPT;
5666 }
5667 
5668 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5669 				      const struct nf_hook_state *state)
5670 {
5671 	struct sock *sk;
5672 	u32 sid;
5673 
5674 	if (!netlbl_enabled())
5675 		return NF_ACCEPT;
5676 
5677 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5678 	 * because we want to make sure we apply the necessary labeling
5679 	 * before IPsec is applied so we can leverage AH protection */
5680 	sk = skb->sk;
5681 	if (sk) {
5682 		struct sk_security_struct *sksec;
5683 
5684 		if (sk_listener(sk))
5685 			/* if the socket is the listening state then this
5686 			 * packet is a SYN-ACK packet which means it needs to
5687 			 * be labeled based on the connection/request_sock and
5688 			 * not the parent socket.  unfortunately, we can't
5689 			 * lookup the request_sock yet as it isn't queued on
5690 			 * the parent socket until after the SYN-ACK is sent.
5691 			 * the "solution" is to simply pass the packet as-is
5692 			 * as any IP option based labeling should be copied
5693 			 * from the initial connection request (in the IP
5694 			 * layer).  it is far from ideal, but until we get a
5695 			 * security label in the packet itself this is the
5696 			 * best we can do. */
5697 			return NF_ACCEPT;
5698 
5699 		/* standard practice, label using the parent socket */
5700 		sksec = sk->sk_security;
5701 		sid = sksec->sid;
5702 	} else
5703 		sid = SECINITSID_KERNEL;
5704 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5705 		return NF_DROP;
5706 
5707 	return NF_ACCEPT;
5708 }
5709 
5710 
5711 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5712 					const struct nf_hook_state *state)
5713 {
5714 	struct sock *sk;
5715 	struct sk_security_struct *sksec;
5716 	struct common_audit_data ad;
5717 	struct lsm_network_audit net;
5718 	u8 proto = 0;
5719 
5720 	sk = skb_to_full_sk(skb);
5721 	if (sk == NULL)
5722 		return NF_ACCEPT;
5723 	sksec = sk->sk_security;
5724 
5725 	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5726 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5727 		return NF_DROP;
5728 
5729 	if (selinux_secmark_enabled())
5730 		if (avc_has_perm(sksec->sid, skb->secmark,
5731 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5732 			return NF_DROP_ERR(-ECONNREFUSED);
5733 
5734 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5735 		return NF_DROP_ERR(-ECONNREFUSED);
5736 
5737 	return NF_ACCEPT;
5738 }
5739 
5740 static unsigned int selinux_ip_postroute(void *priv,
5741 					 struct sk_buff *skb,
5742 					 const struct nf_hook_state *state)
5743 {
5744 	u16 family;
5745 	u32 secmark_perm;
5746 	u32 peer_sid;
5747 	int ifindex;
5748 	struct sock *sk;
5749 	struct common_audit_data ad;
5750 	struct lsm_network_audit net;
5751 	char *addrp;
5752 	int secmark_active, peerlbl_active;
5753 
5754 	/* If any sort of compatibility mode is enabled then handoff processing
5755 	 * to the selinux_ip_postroute_compat() function to deal with the
5756 	 * special handling.  We do this in an attempt to keep this function
5757 	 * as fast and as clean as possible. */
5758 	if (!selinux_policycap_netpeer())
5759 		return selinux_ip_postroute_compat(skb, state);
5760 
5761 	secmark_active = selinux_secmark_enabled();
5762 	peerlbl_active = selinux_peerlbl_enabled();
5763 	if (!secmark_active && !peerlbl_active)
5764 		return NF_ACCEPT;
5765 
5766 	sk = skb_to_full_sk(skb);
5767 
5768 #ifdef CONFIG_XFRM
5769 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5770 	 * packet transformation so allow the packet to pass without any checks
5771 	 * since we'll have another chance to perform access control checks
5772 	 * when the packet is on it's final way out.
5773 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5774 	 *       is NULL, in this case go ahead and apply access control.
5775 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5776 	 *       TCP listening state we cannot wait until the XFRM processing
5777 	 *       is done as we will miss out on the SA label if we do;
5778 	 *       unfortunately, this means more work, but it is only once per
5779 	 *       connection. */
5780 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5781 	    !(sk && sk_listener(sk)))
5782 		return NF_ACCEPT;
5783 #endif
5784 
5785 	family = state->pf;
5786 	if (sk == NULL) {
5787 		/* Without an associated socket the packet is either coming
5788 		 * from the kernel or it is being forwarded; check the packet
5789 		 * to determine which and if the packet is being forwarded
5790 		 * query the packet directly to determine the security label. */
5791 		if (skb->skb_iif) {
5792 			secmark_perm = PACKET__FORWARD_OUT;
5793 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5794 				return NF_DROP;
5795 		} else {
5796 			secmark_perm = PACKET__SEND;
5797 			peer_sid = SECINITSID_KERNEL;
5798 		}
5799 	} else if (sk_listener(sk)) {
5800 		/* Locally generated packet but the associated socket is in the
5801 		 * listening state which means this is a SYN-ACK packet.  In
5802 		 * this particular case the correct security label is assigned
5803 		 * to the connection/request_sock but unfortunately we can't
5804 		 * query the request_sock as it isn't queued on the parent
5805 		 * socket until after the SYN-ACK packet is sent; the only
5806 		 * viable choice is to regenerate the label like we do in
5807 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5808 		 * for similar problems. */
5809 		u32 skb_sid;
5810 		struct sk_security_struct *sksec;
5811 
5812 		sksec = sk->sk_security;
5813 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5814 			return NF_DROP;
5815 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5816 		 * and the packet has been through at least one XFRM
5817 		 * transformation then we must be dealing with the "final"
5818 		 * form of labeled IPsec packet; since we've already applied
5819 		 * all of our access controls on this packet we can safely
5820 		 * pass the packet. */
5821 		if (skb_sid == SECSID_NULL) {
5822 			switch (family) {
5823 			case PF_INET:
5824 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5825 					return NF_ACCEPT;
5826 				break;
5827 			case PF_INET6:
5828 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5829 					return NF_ACCEPT;
5830 				break;
5831 			default:
5832 				return NF_DROP_ERR(-ECONNREFUSED);
5833 			}
5834 		}
5835 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5836 			return NF_DROP;
5837 		secmark_perm = PACKET__SEND;
5838 	} else {
5839 		/* Locally generated packet, fetch the security label from the
5840 		 * associated socket. */
5841 		struct sk_security_struct *sksec = sk->sk_security;
5842 		peer_sid = sksec->sid;
5843 		secmark_perm = PACKET__SEND;
5844 	}
5845 
5846 	ifindex = state->out->ifindex;
5847 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5848 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5849 		return NF_DROP;
5850 
5851 	if (secmark_active)
5852 		if (avc_has_perm(peer_sid, skb->secmark,
5853 				 SECCLASS_PACKET, secmark_perm, &ad))
5854 			return NF_DROP_ERR(-ECONNREFUSED);
5855 
5856 	if (peerlbl_active) {
5857 		u32 if_sid;
5858 		u32 node_sid;
5859 
5860 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5861 			return NF_DROP;
5862 		if (avc_has_perm(peer_sid, if_sid,
5863 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5864 			return NF_DROP_ERR(-ECONNREFUSED);
5865 
5866 		if (sel_netnode_sid(addrp, family, &node_sid))
5867 			return NF_DROP;
5868 		if (avc_has_perm(peer_sid, node_sid,
5869 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5870 			return NF_DROP_ERR(-ECONNREFUSED);
5871 	}
5872 
5873 	return NF_ACCEPT;
5874 }
5875 #endif	/* CONFIG_NETFILTER */
5876 
5877 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5878 {
5879 	int rc = 0;
5880 	unsigned int msg_len;
5881 	unsigned int data_len = skb->len;
5882 	unsigned char *data = skb->data;
5883 	struct nlmsghdr *nlh;
5884 	struct sk_security_struct *sksec = sk->sk_security;
5885 	u16 sclass = sksec->sclass;
5886 	u32 perm;
5887 
5888 	while (data_len >= nlmsg_total_size(0)) {
5889 		nlh = (struct nlmsghdr *)data;
5890 
5891 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5892 		 *       users which means we can't reject skb's with bogus
5893 		 *       length fields; our solution is to follow what
5894 		 *       netlink_rcv_skb() does and simply skip processing at
5895 		 *       messages with length fields that are clearly junk
5896 		 */
5897 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5898 			return 0;
5899 
5900 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5901 		if (rc == 0) {
5902 			rc = sock_has_perm(sk, perm);
5903 			if (rc)
5904 				return rc;
5905 		} else if (rc == -EINVAL) {
5906 			/* -EINVAL is a missing msg/perm mapping */
5907 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5908 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5909 				" pid=%d comm=%s\n",
5910 				sk->sk_protocol, nlh->nlmsg_type,
5911 				secclass_map[sclass - 1].name,
5912 				task_pid_nr(current), current->comm);
5913 			if (enforcing_enabled() &&
5914 			    !security_get_allow_unknown())
5915 				return rc;
5916 			rc = 0;
5917 		} else if (rc == -ENOENT) {
5918 			/* -ENOENT is a missing socket/class mapping, ignore */
5919 			rc = 0;
5920 		} else {
5921 			return rc;
5922 		}
5923 
5924 		/* move to the next message after applying netlink padding */
5925 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5926 		if (msg_len >= data_len)
5927 			return 0;
5928 		data_len -= msg_len;
5929 		data += msg_len;
5930 	}
5931 
5932 	return rc;
5933 }
5934 
5935 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5936 {
5937 	isec->sclass = sclass;
5938 	isec->sid = current_sid();
5939 }
5940 
5941 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5942 			u32 perms)
5943 {
5944 	struct ipc_security_struct *isec;
5945 	struct common_audit_data ad;
5946 	u32 sid = current_sid();
5947 
5948 	isec = selinux_ipc(ipc_perms);
5949 
5950 	ad.type = LSM_AUDIT_DATA_IPC;
5951 	ad.u.ipc_id = ipc_perms->key;
5952 
5953 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5954 }
5955 
5956 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5957 {
5958 	struct msg_security_struct *msec;
5959 
5960 	msec = selinux_msg_msg(msg);
5961 	msec->sid = SECINITSID_UNLABELED;
5962 
5963 	return 0;
5964 }
5965 
5966 /* message queue security operations */
5967 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5968 {
5969 	struct ipc_security_struct *isec;
5970 	struct common_audit_data ad;
5971 	u32 sid = current_sid();
5972 
5973 	isec = selinux_ipc(msq);
5974 	ipc_init_security(isec, SECCLASS_MSGQ);
5975 
5976 	ad.type = LSM_AUDIT_DATA_IPC;
5977 	ad.u.ipc_id = msq->key;
5978 
5979 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5980 			    MSGQ__CREATE, &ad);
5981 }
5982 
5983 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5984 {
5985 	struct ipc_security_struct *isec;
5986 	struct common_audit_data ad;
5987 	u32 sid = current_sid();
5988 
5989 	isec = selinux_ipc(msq);
5990 
5991 	ad.type = LSM_AUDIT_DATA_IPC;
5992 	ad.u.ipc_id = msq->key;
5993 
5994 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5995 			    MSGQ__ASSOCIATE, &ad);
5996 }
5997 
5998 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5999 {
6000 	u32 perms;
6001 
6002 	switch (cmd) {
6003 	case IPC_INFO:
6004 	case MSG_INFO:
6005 		/* No specific object, just general system-wide information. */
6006 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6007 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6008 	case IPC_STAT:
6009 	case MSG_STAT:
6010 	case MSG_STAT_ANY:
6011 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6012 		break;
6013 	case IPC_SET:
6014 		perms = MSGQ__SETATTR;
6015 		break;
6016 	case IPC_RMID:
6017 		perms = MSGQ__DESTROY;
6018 		break;
6019 	default:
6020 		return 0;
6021 	}
6022 
6023 	return ipc_has_perm(msq, perms);
6024 }
6025 
6026 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6027 {
6028 	struct ipc_security_struct *isec;
6029 	struct msg_security_struct *msec;
6030 	struct common_audit_data ad;
6031 	u32 sid = current_sid();
6032 	int rc;
6033 
6034 	isec = selinux_ipc(msq);
6035 	msec = selinux_msg_msg(msg);
6036 
6037 	/*
6038 	 * First time through, need to assign label to the message
6039 	 */
6040 	if (msec->sid == SECINITSID_UNLABELED) {
6041 		/*
6042 		 * Compute new sid based on current process and
6043 		 * message queue this message will be stored in
6044 		 */
6045 		rc = security_transition_sid(sid, isec->sid,
6046 					     SECCLASS_MSG, NULL, &msec->sid);
6047 		if (rc)
6048 			return rc;
6049 	}
6050 
6051 	ad.type = LSM_AUDIT_DATA_IPC;
6052 	ad.u.ipc_id = msq->key;
6053 
6054 	/* Can this process write to the queue? */
6055 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6056 			  MSGQ__WRITE, &ad);
6057 	if (!rc)
6058 		/* Can this process send the message */
6059 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6060 				  MSG__SEND, &ad);
6061 	if (!rc)
6062 		/* Can the message be put in the queue? */
6063 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6064 				  MSGQ__ENQUEUE, &ad);
6065 
6066 	return rc;
6067 }
6068 
6069 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6070 				    struct task_struct *target,
6071 				    long type, int mode)
6072 {
6073 	struct ipc_security_struct *isec;
6074 	struct msg_security_struct *msec;
6075 	struct common_audit_data ad;
6076 	u32 sid = task_sid_obj(target);
6077 	int rc;
6078 
6079 	isec = selinux_ipc(msq);
6080 	msec = selinux_msg_msg(msg);
6081 
6082 	ad.type = LSM_AUDIT_DATA_IPC;
6083 	ad.u.ipc_id = msq->key;
6084 
6085 	rc = avc_has_perm(sid, isec->sid,
6086 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6087 	if (!rc)
6088 		rc = avc_has_perm(sid, msec->sid,
6089 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6090 	return rc;
6091 }
6092 
6093 /* Shared Memory security operations */
6094 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6095 {
6096 	struct ipc_security_struct *isec;
6097 	struct common_audit_data ad;
6098 	u32 sid = current_sid();
6099 
6100 	isec = selinux_ipc(shp);
6101 	ipc_init_security(isec, SECCLASS_SHM);
6102 
6103 	ad.type = LSM_AUDIT_DATA_IPC;
6104 	ad.u.ipc_id = shp->key;
6105 
6106 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6107 			    SHM__CREATE, &ad);
6108 }
6109 
6110 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6111 {
6112 	struct ipc_security_struct *isec;
6113 	struct common_audit_data ad;
6114 	u32 sid = current_sid();
6115 
6116 	isec = selinux_ipc(shp);
6117 
6118 	ad.type = LSM_AUDIT_DATA_IPC;
6119 	ad.u.ipc_id = shp->key;
6120 
6121 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6122 			    SHM__ASSOCIATE, &ad);
6123 }
6124 
6125 /* Note, at this point, shp is locked down */
6126 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6127 {
6128 	u32 perms;
6129 
6130 	switch (cmd) {
6131 	case IPC_INFO:
6132 	case SHM_INFO:
6133 		/* No specific object, just general system-wide information. */
6134 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6135 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6136 	case IPC_STAT:
6137 	case SHM_STAT:
6138 	case SHM_STAT_ANY:
6139 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6140 		break;
6141 	case IPC_SET:
6142 		perms = SHM__SETATTR;
6143 		break;
6144 	case SHM_LOCK:
6145 	case SHM_UNLOCK:
6146 		perms = SHM__LOCK;
6147 		break;
6148 	case IPC_RMID:
6149 		perms = SHM__DESTROY;
6150 		break;
6151 	default:
6152 		return 0;
6153 	}
6154 
6155 	return ipc_has_perm(shp, perms);
6156 }
6157 
6158 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6159 			     char __user *shmaddr, int shmflg)
6160 {
6161 	u32 perms;
6162 
6163 	if (shmflg & SHM_RDONLY)
6164 		perms = SHM__READ;
6165 	else
6166 		perms = SHM__READ | SHM__WRITE;
6167 
6168 	return ipc_has_perm(shp, perms);
6169 }
6170 
6171 /* Semaphore security operations */
6172 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6173 {
6174 	struct ipc_security_struct *isec;
6175 	struct common_audit_data ad;
6176 	u32 sid = current_sid();
6177 
6178 	isec = selinux_ipc(sma);
6179 	ipc_init_security(isec, SECCLASS_SEM);
6180 
6181 	ad.type = LSM_AUDIT_DATA_IPC;
6182 	ad.u.ipc_id = sma->key;
6183 
6184 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6185 			    SEM__CREATE, &ad);
6186 }
6187 
6188 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6189 {
6190 	struct ipc_security_struct *isec;
6191 	struct common_audit_data ad;
6192 	u32 sid = current_sid();
6193 
6194 	isec = selinux_ipc(sma);
6195 
6196 	ad.type = LSM_AUDIT_DATA_IPC;
6197 	ad.u.ipc_id = sma->key;
6198 
6199 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6200 			    SEM__ASSOCIATE, &ad);
6201 }
6202 
6203 /* Note, at this point, sma is locked down */
6204 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6205 {
6206 	int err;
6207 	u32 perms;
6208 
6209 	switch (cmd) {
6210 	case IPC_INFO:
6211 	case SEM_INFO:
6212 		/* No specific object, just general system-wide information. */
6213 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6214 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6215 	case GETPID:
6216 	case GETNCNT:
6217 	case GETZCNT:
6218 		perms = SEM__GETATTR;
6219 		break;
6220 	case GETVAL:
6221 	case GETALL:
6222 		perms = SEM__READ;
6223 		break;
6224 	case SETVAL:
6225 	case SETALL:
6226 		perms = SEM__WRITE;
6227 		break;
6228 	case IPC_RMID:
6229 		perms = SEM__DESTROY;
6230 		break;
6231 	case IPC_SET:
6232 		perms = SEM__SETATTR;
6233 		break;
6234 	case IPC_STAT:
6235 	case SEM_STAT:
6236 	case SEM_STAT_ANY:
6237 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6238 		break;
6239 	default:
6240 		return 0;
6241 	}
6242 
6243 	err = ipc_has_perm(sma, perms);
6244 	return err;
6245 }
6246 
6247 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6248 			     struct sembuf *sops, unsigned nsops, int alter)
6249 {
6250 	u32 perms;
6251 
6252 	if (alter)
6253 		perms = SEM__READ | SEM__WRITE;
6254 	else
6255 		perms = SEM__READ;
6256 
6257 	return ipc_has_perm(sma, perms);
6258 }
6259 
6260 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6261 {
6262 	u32 av = 0;
6263 
6264 	av = 0;
6265 	if (flag & S_IRUGO)
6266 		av |= IPC__UNIX_READ;
6267 	if (flag & S_IWUGO)
6268 		av |= IPC__UNIX_WRITE;
6269 
6270 	if (av == 0)
6271 		return 0;
6272 
6273 	return ipc_has_perm(ipcp, av);
6274 }
6275 
6276 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6277 {
6278 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6279 	*secid = isec->sid;
6280 }
6281 
6282 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6283 {
6284 	if (inode)
6285 		inode_doinit_with_dentry(inode, dentry);
6286 }
6287 
6288 static int selinux_getprocattr(struct task_struct *p,
6289 			       const char *name, char **value)
6290 {
6291 	const struct task_security_struct *__tsec;
6292 	u32 sid;
6293 	int error;
6294 	unsigned len;
6295 
6296 	rcu_read_lock();
6297 	__tsec = selinux_cred(__task_cred(p));
6298 
6299 	if (current != p) {
6300 		error = avc_has_perm(current_sid(), __tsec->sid,
6301 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6302 		if (error)
6303 			goto bad;
6304 	}
6305 
6306 	if (!strcmp(name, "current"))
6307 		sid = __tsec->sid;
6308 	else if (!strcmp(name, "prev"))
6309 		sid = __tsec->osid;
6310 	else if (!strcmp(name, "exec"))
6311 		sid = __tsec->exec_sid;
6312 	else if (!strcmp(name, "fscreate"))
6313 		sid = __tsec->create_sid;
6314 	else if (!strcmp(name, "keycreate"))
6315 		sid = __tsec->keycreate_sid;
6316 	else if (!strcmp(name, "sockcreate"))
6317 		sid = __tsec->sockcreate_sid;
6318 	else {
6319 		error = -EINVAL;
6320 		goto bad;
6321 	}
6322 	rcu_read_unlock();
6323 
6324 	if (!sid)
6325 		return 0;
6326 
6327 	error = security_sid_to_context(sid, value, &len);
6328 	if (error)
6329 		return error;
6330 	return len;
6331 
6332 bad:
6333 	rcu_read_unlock();
6334 	return error;
6335 }
6336 
6337 static int selinux_setprocattr(const char *name, void *value, size_t size)
6338 {
6339 	struct task_security_struct *tsec;
6340 	struct cred *new;
6341 	u32 mysid = current_sid(), sid = 0, ptsid;
6342 	int error;
6343 	char *str = value;
6344 
6345 	/*
6346 	 * Basic control over ability to set these attributes at all.
6347 	 */
6348 	if (!strcmp(name, "exec"))
6349 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6350 				     PROCESS__SETEXEC, NULL);
6351 	else if (!strcmp(name, "fscreate"))
6352 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6353 				     PROCESS__SETFSCREATE, NULL);
6354 	else if (!strcmp(name, "keycreate"))
6355 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6356 				     PROCESS__SETKEYCREATE, NULL);
6357 	else if (!strcmp(name, "sockcreate"))
6358 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6359 				     PROCESS__SETSOCKCREATE, NULL);
6360 	else if (!strcmp(name, "current"))
6361 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6362 				     PROCESS__SETCURRENT, NULL);
6363 	else
6364 		error = -EINVAL;
6365 	if (error)
6366 		return error;
6367 
6368 	/* Obtain a SID for the context, if one was specified. */
6369 	if (size && str[0] && str[0] != '\n') {
6370 		if (str[size-1] == '\n') {
6371 			str[size-1] = 0;
6372 			size--;
6373 		}
6374 		error = security_context_to_sid(value, size,
6375 						&sid, GFP_KERNEL);
6376 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6377 			if (!has_cap_mac_admin(true)) {
6378 				struct audit_buffer *ab;
6379 				size_t audit_size;
6380 
6381 				/* We strip a nul only if it is at the end, otherwise the
6382 				 * context contains a nul and we should audit that */
6383 				if (str[size - 1] == '\0')
6384 					audit_size = size - 1;
6385 				else
6386 					audit_size = size;
6387 				ab = audit_log_start(audit_context(),
6388 						     GFP_ATOMIC,
6389 						     AUDIT_SELINUX_ERR);
6390 				if (!ab)
6391 					return error;
6392 				audit_log_format(ab, "op=fscreate invalid_context=");
6393 				audit_log_n_untrustedstring(ab, value, audit_size);
6394 				audit_log_end(ab);
6395 
6396 				return error;
6397 			}
6398 			error = security_context_to_sid_force(value, size,
6399 							&sid);
6400 		}
6401 		if (error)
6402 			return error;
6403 	}
6404 
6405 	new = prepare_creds();
6406 	if (!new)
6407 		return -ENOMEM;
6408 
6409 	/* Permission checking based on the specified context is
6410 	   performed during the actual operation (execve,
6411 	   open/mkdir/...), when we know the full context of the
6412 	   operation.  See selinux_bprm_creds_for_exec for the execve
6413 	   checks and may_create for the file creation checks. The
6414 	   operation will then fail if the context is not permitted. */
6415 	tsec = selinux_cred(new);
6416 	if (!strcmp(name, "exec")) {
6417 		tsec->exec_sid = sid;
6418 	} else if (!strcmp(name, "fscreate")) {
6419 		tsec->create_sid = sid;
6420 	} else if (!strcmp(name, "keycreate")) {
6421 		if (sid) {
6422 			error = avc_has_perm(mysid, sid,
6423 					     SECCLASS_KEY, KEY__CREATE, NULL);
6424 			if (error)
6425 				goto abort_change;
6426 		}
6427 		tsec->keycreate_sid = sid;
6428 	} else if (!strcmp(name, "sockcreate")) {
6429 		tsec->sockcreate_sid = sid;
6430 	} else if (!strcmp(name, "current")) {
6431 		error = -EINVAL;
6432 		if (sid == 0)
6433 			goto abort_change;
6434 
6435 		/* Only allow single threaded processes to change context */
6436 		if (!current_is_single_threaded()) {
6437 			error = security_bounded_transition(tsec->sid, sid);
6438 			if (error)
6439 				goto abort_change;
6440 		}
6441 
6442 		/* Check permissions for the transition. */
6443 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6444 				     PROCESS__DYNTRANSITION, NULL);
6445 		if (error)
6446 			goto abort_change;
6447 
6448 		/* Check for ptracing, and update the task SID if ok.
6449 		   Otherwise, leave SID unchanged and fail. */
6450 		ptsid = ptrace_parent_sid();
6451 		if (ptsid != 0) {
6452 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6453 					     PROCESS__PTRACE, NULL);
6454 			if (error)
6455 				goto abort_change;
6456 		}
6457 
6458 		tsec->sid = sid;
6459 	} else {
6460 		error = -EINVAL;
6461 		goto abort_change;
6462 	}
6463 
6464 	commit_creds(new);
6465 	return size;
6466 
6467 abort_change:
6468 	abort_creds(new);
6469 	return error;
6470 }
6471 
6472 static int selinux_ismaclabel(const char *name)
6473 {
6474 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6475 }
6476 
6477 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6478 {
6479 	return security_sid_to_context(secid,
6480 				       secdata, seclen);
6481 }
6482 
6483 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6484 {
6485 	return security_context_to_sid(secdata, seclen,
6486 				       secid, GFP_KERNEL);
6487 }
6488 
6489 static void selinux_release_secctx(char *secdata, u32 seclen)
6490 {
6491 	kfree(secdata);
6492 }
6493 
6494 static void selinux_inode_invalidate_secctx(struct inode *inode)
6495 {
6496 	struct inode_security_struct *isec = selinux_inode(inode);
6497 
6498 	spin_lock(&isec->lock);
6499 	isec->initialized = LABEL_INVALID;
6500 	spin_unlock(&isec->lock);
6501 }
6502 
6503 /*
6504  *	called with inode->i_mutex locked
6505  */
6506 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6507 {
6508 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6509 					   ctx, ctxlen, 0);
6510 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6511 	return rc == -EOPNOTSUPP ? 0 : rc;
6512 }
6513 
6514 /*
6515  *	called with inode->i_mutex locked
6516  */
6517 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6518 {
6519 	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6520 				     ctx, ctxlen, 0);
6521 }
6522 
6523 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6524 {
6525 	int len = 0;
6526 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6527 					XATTR_SELINUX_SUFFIX, ctx, true);
6528 	if (len < 0)
6529 		return len;
6530 	*ctxlen = len;
6531 	return 0;
6532 }
6533 #ifdef CONFIG_KEYS
6534 
6535 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6536 			     unsigned long flags)
6537 {
6538 	const struct task_security_struct *tsec;
6539 	struct key_security_struct *ksec;
6540 
6541 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6542 	if (!ksec)
6543 		return -ENOMEM;
6544 
6545 	tsec = selinux_cred(cred);
6546 	if (tsec->keycreate_sid)
6547 		ksec->sid = tsec->keycreate_sid;
6548 	else
6549 		ksec->sid = tsec->sid;
6550 
6551 	k->security = ksec;
6552 	return 0;
6553 }
6554 
6555 static void selinux_key_free(struct key *k)
6556 {
6557 	struct key_security_struct *ksec = k->security;
6558 
6559 	k->security = NULL;
6560 	kfree(ksec);
6561 }
6562 
6563 static int selinux_key_permission(key_ref_t key_ref,
6564 				  const struct cred *cred,
6565 				  enum key_need_perm need_perm)
6566 {
6567 	struct key *key;
6568 	struct key_security_struct *ksec;
6569 	u32 perm, sid;
6570 
6571 	switch (need_perm) {
6572 	case KEY_NEED_VIEW:
6573 		perm = KEY__VIEW;
6574 		break;
6575 	case KEY_NEED_READ:
6576 		perm = KEY__READ;
6577 		break;
6578 	case KEY_NEED_WRITE:
6579 		perm = KEY__WRITE;
6580 		break;
6581 	case KEY_NEED_SEARCH:
6582 		perm = KEY__SEARCH;
6583 		break;
6584 	case KEY_NEED_LINK:
6585 		perm = KEY__LINK;
6586 		break;
6587 	case KEY_NEED_SETATTR:
6588 		perm = KEY__SETATTR;
6589 		break;
6590 	case KEY_NEED_UNLINK:
6591 	case KEY_SYSADMIN_OVERRIDE:
6592 	case KEY_AUTHTOKEN_OVERRIDE:
6593 	case KEY_DEFER_PERM_CHECK:
6594 		return 0;
6595 	default:
6596 		WARN_ON(1);
6597 		return -EPERM;
6598 
6599 	}
6600 
6601 	sid = cred_sid(cred);
6602 	key = key_ref_to_ptr(key_ref);
6603 	ksec = key->security;
6604 
6605 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6606 }
6607 
6608 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6609 {
6610 	struct key_security_struct *ksec = key->security;
6611 	char *context = NULL;
6612 	unsigned len;
6613 	int rc;
6614 
6615 	rc = security_sid_to_context(ksec->sid,
6616 				     &context, &len);
6617 	if (!rc)
6618 		rc = len;
6619 	*_buffer = context;
6620 	return rc;
6621 }
6622 
6623 #ifdef CONFIG_KEY_NOTIFICATIONS
6624 static int selinux_watch_key(struct key *key)
6625 {
6626 	struct key_security_struct *ksec = key->security;
6627 	u32 sid = current_sid();
6628 
6629 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6630 }
6631 #endif
6632 #endif
6633 
6634 #ifdef CONFIG_SECURITY_INFINIBAND
6635 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6636 {
6637 	struct common_audit_data ad;
6638 	int err;
6639 	u32 sid = 0;
6640 	struct ib_security_struct *sec = ib_sec;
6641 	struct lsm_ibpkey_audit ibpkey;
6642 
6643 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6644 	if (err)
6645 		return err;
6646 
6647 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6648 	ibpkey.subnet_prefix = subnet_prefix;
6649 	ibpkey.pkey = pkey_val;
6650 	ad.u.ibpkey = &ibpkey;
6651 	return avc_has_perm(sec->sid, sid,
6652 			    SECCLASS_INFINIBAND_PKEY,
6653 			    INFINIBAND_PKEY__ACCESS, &ad);
6654 }
6655 
6656 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6657 					    u8 port_num)
6658 {
6659 	struct common_audit_data ad;
6660 	int err;
6661 	u32 sid = 0;
6662 	struct ib_security_struct *sec = ib_sec;
6663 	struct lsm_ibendport_audit ibendport;
6664 
6665 	err = security_ib_endport_sid(dev_name, port_num,
6666 				      &sid);
6667 
6668 	if (err)
6669 		return err;
6670 
6671 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6672 	ibendport.dev_name = dev_name;
6673 	ibendport.port = port_num;
6674 	ad.u.ibendport = &ibendport;
6675 	return avc_has_perm(sec->sid, sid,
6676 			    SECCLASS_INFINIBAND_ENDPORT,
6677 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6678 }
6679 
6680 static int selinux_ib_alloc_security(void **ib_sec)
6681 {
6682 	struct ib_security_struct *sec;
6683 
6684 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6685 	if (!sec)
6686 		return -ENOMEM;
6687 	sec->sid = current_sid();
6688 
6689 	*ib_sec = sec;
6690 	return 0;
6691 }
6692 
6693 static void selinux_ib_free_security(void *ib_sec)
6694 {
6695 	kfree(ib_sec);
6696 }
6697 #endif
6698 
6699 #ifdef CONFIG_BPF_SYSCALL
6700 static int selinux_bpf(int cmd, union bpf_attr *attr,
6701 				     unsigned int size)
6702 {
6703 	u32 sid = current_sid();
6704 	int ret;
6705 
6706 	switch (cmd) {
6707 	case BPF_MAP_CREATE:
6708 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6709 				   NULL);
6710 		break;
6711 	case BPF_PROG_LOAD:
6712 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6713 				   NULL);
6714 		break;
6715 	default:
6716 		ret = 0;
6717 		break;
6718 	}
6719 
6720 	return ret;
6721 }
6722 
6723 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6724 {
6725 	u32 av = 0;
6726 
6727 	if (fmode & FMODE_READ)
6728 		av |= BPF__MAP_READ;
6729 	if (fmode & FMODE_WRITE)
6730 		av |= BPF__MAP_WRITE;
6731 	return av;
6732 }
6733 
6734 /* This function will check the file pass through unix socket or binder to see
6735  * if it is a bpf related object. And apply corresponding checks on the bpf
6736  * object based on the type. The bpf maps and programs, not like other files and
6737  * socket, are using a shared anonymous inode inside the kernel as their inode.
6738  * So checking that inode cannot identify if the process have privilege to
6739  * access the bpf object and that's why we have to add this additional check in
6740  * selinux_file_receive and selinux_binder_transfer_files.
6741  */
6742 static int bpf_fd_pass(const struct file *file, u32 sid)
6743 {
6744 	struct bpf_security_struct *bpfsec;
6745 	struct bpf_prog *prog;
6746 	struct bpf_map *map;
6747 	int ret;
6748 
6749 	if (file->f_op == &bpf_map_fops) {
6750 		map = file->private_data;
6751 		bpfsec = map->security;
6752 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6753 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6754 		if (ret)
6755 			return ret;
6756 	} else if (file->f_op == &bpf_prog_fops) {
6757 		prog = file->private_data;
6758 		bpfsec = prog->aux->security;
6759 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6760 				   BPF__PROG_RUN, NULL);
6761 		if (ret)
6762 			return ret;
6763 	}
6764 	return 0;
6765 }
6766 
6767 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6768 {
6769 	u32 sid = current_sid();
6770 	struct bpf_security_struct *bpfsec;
6771 
6772 	bpfsec = map->security;
6773 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6774 			    bpf_map_fmode_to_av(fmode), NULL);
6775 }
6776 
6777 static int selinux_bpf_prog(struct bpf_prog *prog)
6778 {
6779 	u32 sid = current_sid();
6780 	struct bpf_security_struct *bpfsec;
6781 
6782 	bpfsec = prog->aux->security;
6783 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6784 			    BPF__PROG_RUN, NULL);
6785 }
6786 
6787 static int selinux_bpf_map_alloc(struct bpf_map *map)
6788 {
6789 	struct bpf_security_struct *bpfsec;
6790 
6791 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6792 	if (!bpfsec)
6793 		return -ENOMEM;
6794 
6795 	bpfsec->sid = current_sid();
6796 	map->security = bpfsec;
6797 
6798 	return 0;
6799 }
6800 
6801 static void selinux_bpf_map_free(struct bpf_map *map)
6802 {
6803 	struct bpf_security_struct *bpfsec = map->security;
6804 
6805 	map->security = NULL;
6806 	kfree(bpfsec);
6807 }
6808 
6809 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6810 {
6811 	struct bpf_security_struct *bpfsec;
6812 
6813 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6814 	if (!bpfsec)
6815 		return -ENOMEM;
6816 
6817 	bpfsec->sid = current_sid();
6818 	aux->security = bpfsec;
6819 
6820 	return 0;
6821 }
6822 
6823 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6824 {
6825 	struct bpf_security_struct *bpfsec = aux->security;
6826 
6827 	aux->security = NULL;
6828 	kfree(bpfsec);
6829 }
6830 #endif
6831 
6832 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6833 	.lbs_cred = sizeof(struct task_security_struct),
6834 	.lbs_file = sizeof(struct file_security_struct),
6835 	.lbs_inode = sizeof(struct inode_security_struct),
6836 	.lbs_ipc = sizeof(struct ipc_security_struct),
6837 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6838 	.lbs_superblock = sizeof(struct superblock_security_struct),
6839 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6840 };
6841 
6842 #ifdef CONFIG_PERF_EVENTS
6843 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6844 {
6845 	u32 requested, sid = current_sid();
6846 
6847 	if (type == PERF_SECURITY_OPEN)
6848 		requested = PERF_EVENT__OPEN;
6849 	else if (type == PERF_SECURITY_CPU)
6850 		requested = PERF_EVENT__CPU;
6851 	else if (type == PERF_SECURITY_KERNEL)
6852 		requested = PERF_EVENT__KERNEL;
6853 	else if (type == PERF_SECURITY_TRACEPOINT)
6854 		requested = PERF_EVENT__TRACEPOINT;
6855 	else
6856 		return -EINVAL;
6857 
6858 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6859 			    requested, NULL);
6860 }
6861 
6862 static int selinux_perf_event_alloc(struct perf_event *event)
6863 {
6864 	struct perf_event_security_struct *perfsec;
6865 
6866 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6867 	if (!perfsec)
6868 		return -ENOMEM;
6869 
6870 	perfsec->sid = current_sid();
6871 	event->security = perfsec;
6872 
6873 	return 0;
6874 }
6875 
6876 static void selinux_perf_event_free(struct perf_event *event)
6877 {
6878 	struct perf_event_security_struct *perfsec = event->security;
6879 
6880 	event->security = NULL;
6881 	kfree(perfsec);
6882 }
6883 
6884 static int selinux_perf_event_read(struct perf_event *event)
6885 {
6886 	struct perf_event_security_struct *perfsec = event->security;
6887 	u32 sid = current_sid();
6888 
6889 	return avc_has_perm(sid, perfsec->sid,
6890 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6891 }
6892 
6893 static int selinux_perf_event_write(struct perf_event *event)
6894 {
6895 	struct perf_event_security_struct *perfsec = event->security;
6896 	u32 sid = current_sid();
6897 
6898 	return avc_has_perm(sid, perfsec->sid,
6899 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6900 }
6901 #endif
6902 
6903 #ifdef CONFIG_IO_URING
6904 /**
6905  * selinux_uring_override_creds - check the requested cred override
6906  * @new: the target creds
6907  *
6908  * Check to see if the current task is allowed to override it's credentials
6909  * to service an io_uring operation.
6910  */
6911 static int selinux_uring_override_creds(const struct cred *new)
6912 {
6913 	return avc_has_perm(current_sid(), cred_sid(new),
6914 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6915 }
6916 
6917 /**
6918  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6919  *
6920  * Check to see if the current task is allowed to create a new io_uring
6921  * kernel polling thread.
6922  */
6923 static int selinux_uring_sqpoll(void)
6924 {
6925 	u32 sid = current_sid();
6926 
6927 	return avc_has_perm(sid, sid,
6928 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6929 }
6930 
6931 /**
6932  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6933  * @ioucmd: the io_uring command structure
6934  *
6935  * Check to see if the current domain is allowed to execute an
6936  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6937  *
6938  */
6939 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6940 {
6941 	struct file *file = ioucmd->file;
6942 	struct inode *inode = file_inode(file);
6943 	struct inode_security_struct *isec = selinux_inode(inode);
6944 	struct common_audit_data ad;
6945 
6946 	ad.type = LSM_AUDIT_DATA_FILE;
6947 	ad.u.file = file;
6948 
6949 	return avc_has_perm(current_sid(), isec->sid,
6950 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
6951 }
6952 #endif /* CONFIG_IO_URING */
6953 
6954 /*
6955  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6956  * 1. any hooks that don't belong to (2.) or (3.) below,
6957  * 2. hooks that both access structures allocated by other hooks, and allocate
6958  *    structures that can be later accessed by other hooks (mostly "cloning"
6959  *    hooks),
6960  * 3. hooks that only allocate structures that can be later accessed by other
6961  *    hooks ("allocating" hooks).
6962  *
6963  * Please follow block comment delimiters in the list to keep this order.
6964  */
6965 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6966 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6967 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6968 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6969 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6970 
6971 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6972 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6973 	LSM_HOOK_INIT(capget, selinux_capget),
6974 	LSM_HOOK_INIT(capset, selinux_capset),
6975 	LSM_HOOK_INIT(capable, selinux_capable),
6976 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6977 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6978 	LSM_HOOK_INIT(syslog, selinux_syslog),
6979 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6980 
6981 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6982 
6983 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6984 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6985 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6986 
6987 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6988 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
6989 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6990 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6991 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6992 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6993 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6994 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6995 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6996 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6997 
6998 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6999 
7000 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7001 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7002 
7003 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7004 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7005 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7006 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7007 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7008 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7009 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7010 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7011 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7012 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7013 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7014 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7015 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7016 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7017 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7018 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7019 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7020 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7021 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7022 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7023 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7024 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7025 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7026 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7027 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7028 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7029 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7030 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7031 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7032 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7033 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7034 
7035 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7036 
7037 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7038 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7039 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7040 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7041 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7042 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7043 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7044 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7045 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7046 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7047 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7048 
7049 	LSM_HOOK_INIT(file_open, selinux_file_open),
7050 
7051 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7052 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7053 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7054 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7055 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7056 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7057 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7058 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7059 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7060 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7061 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7062 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7063 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7064 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7065 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7066 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7067 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7068 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7069 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7070 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7071 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7072 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7073 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7074 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7075 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7076 
7077 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7078 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7079 
7080 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7081 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7082 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7083 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7084 
7085 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7086 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7087 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7088 
7089 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7090 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7091 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7092 
7093 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7094 
7095 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7096 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7097 
7098 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7099 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7100 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7101 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7102 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7103 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7104 
7105 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7106 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7107 
7108 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7109 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7110 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7111 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7112 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7113 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7114 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7115 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7116 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7117 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7118 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7119 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7120 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7121 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7122 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7123 	LSM_HOOK_INIT(socket_getpeersec_stream,
7124 			selinux_socket_getpeersec_stream),
7125 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7126 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7127 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7128 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7129 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7130 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7131 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7132 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7133 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7134 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7135 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7136 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7137 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7138 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7139 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7140 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7141 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7142 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7143 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7144 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7145 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7146 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7147 #ifdef CONFIG_SECURITY_INFINIBAND
7148 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7149 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7150 		      selinux_ib_endport_manage_subnet),
7151 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7152 #endif
7153 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7154 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7155 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7156 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7157 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7158 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7159 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7160 			selinux_xfrm_state_pol_flow_match),
7161 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7162 #endif
7163 
7164 #ifdef CONFIG_KEYS
7165 	LSM_HOOK_INIT(key_free, selinux_key_free),
7166 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7167 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7168 #ifdef CONFIG_KEY_NOTIFICATIONS
7169 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7170 #endif
7171 #endif
7172 
7173 #ifdef CONFIG_AUDIT
7174 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7175 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7176 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7177 #endif
7178 
7179 #ifdef CONFIG_BPF_SYSCALL
7180 	LSM_HOOK_INIT(bpf, selinux_bpf),
7181 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7182 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7183 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7184 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7185 #endif
7186 
7187 #ifdef CONFIG_PERF_EVENTS
7188 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7189 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7190 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7191 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7192 #endif
7193 
7194 #ifdef CONFIG_IO_URING
7195 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7196 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7197 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7198 #endif
7199 
7200 	/*
7201 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7202 	 */
7203 	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7204 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7205 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7206 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7207 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7208 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7209 #endif
7210 
7211 	/*
7212 	 * PUT "ALLOCATING" HOOKS HERE
7213 	 */
7214 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7215 	LSM_HOOK_INIT(msg_queue_alloc_security,
7216 		      selinux_msg_queue_alloc_security),
7217 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7218 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7219 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7220 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7221 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7222 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7223 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7224 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7225 #ifdef CONFIG_SECURITY_INFINIBAND
7226 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7227 #endif
7228 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7229 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7230 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7231 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7232 		      selinux_xfrm_state_alloc_acquire),
7233 #endif
7234 #ifdef CONFIG_KEYS
7235 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7236 #endif
7237 #ifdef CONFIG_AUDIT
7238 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7239 #endif
7240 #ifdef CONFIG_BPF_SYSCALL
7241 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7242 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7243 #endif
7244 #ifdef CONFIG_PERF_EVENTS
7245 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7246 #endif
7247 };
7248 
7249 static __init int selinux_init(void)
7250 {
7251 	pr_info("SELinux:  Initializing.\n");
7252 
7253 	memset(&selinux_state, 0, sizeof(selinux_state));
7254 	enforcing_set(selinux_enforcing_boot);
7255 	selinux_avc_init();
7256 	mutex_init(&selinux_state.status_lock);
7257 	mutex_init(&selinux_state.policy_mutex);
7258 
7259 	/* Set the security state for the initial task. */
7260 	cred_init_security();
7261 
7262 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7263 	if (!default_noexec)
7264 		pr_notice("SELinux:  virtual memory is executable by default\n");
7265 
7266 	avc_init();
7267 
7268 	avtab_cache_init();
7269 
7270 	ebitmap_cache_init();
7271 
7272 	hashtab_cache_init();
7273 
7274 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7275 
7276 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7277 		panic("SELinux: Unable to register AVC netcache callback\n");
7278 
7279 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7280 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7281 
7282 	if (selinux_enforcing_boot)
7283 		pr_debug("SELinux:  Starting in enforcing mode\n");
7284 	else
7285 		pr_debug("SELinux:  Starting in permissive mode\n");
7286 
7287 	fs_validate_description("selinux", selinux_fs_parameters);
7288 
7289 	return 0;
7290 }
7291 
7292 static void delayed_superblock_init(struct super_block *sb, void *unused)
7293 {
7294 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7295 }
7296 
7297 void selinux_complete_init(void)
7298 {
7299 	pr_debug("SELinux:  Completing initialization.\n");
7300 
7301 	/* Set up any superblocks initialized prior to the policy load. */
7302 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7303 	iterate_supers(delayed_superblock_init, NULL);
7304 }
7305 
7306 /* SELinux requires early initialization in order to label
7307    all processes and objects when they are created. */
7308 DEFINE_LSM(selinux) = {
7309 	.name = "selinux",
7310 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7311 	.enabled = &selinux_enabled_boot,
7312 	.blobs = &selinux_blob_sizes,
7313 	.init = selinux_init,
7314 };
7315 
7316 #if defined(CONFIG_NETFILTER)
7317 static const struct nf_hook_ops selinux_nf_ops[] = {
7318 	{
7319 		.hook =		selinux_ip_postroute,
7320 		.pf =		NFPROTO_IPV4,
7321 		.hooknum =	NF_INET_POST_ROUTING,
7322 		.priority =	NF_IP_PRI_SELINUX_LAST,
7323 	},
7324 	{
7325 		.hook =		selinux_ip_forward,
7326 		.pf =		NFPROTO_IPV4,
7327 		.hooknum =	NF_INET_FORWARD,
7328 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7329 	},
7330 	{
7331 		.hook =		selinux_ip_output,
7332 		.pf =		NFPROTO_IPV4,
7333 		.hooknum =	NF_INET_LOCAL_OUT,
7334 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7335 	},
7336 #if IS_ENABLED(CONFIG_IPV6)
7337 	{
7338 		.hook =		selinux_ip_postroute,
7339 		.pf =		NFPROTO_IPV6,
7340 		.hooknum =	NF_INET_POST_ROUTING,
7341 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7342 	},
7343 	{
7344 		.hook =		selinux_ip_forward,
7345 		.pf =		NFPROTO_IPV6,
7346 		.hooknum =	NF_INET_FORWARD,
7347 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7348 	},
7349 	{
7350 		.hook =		selinux_ip_output,
7351 		.pf =		NFPROTO_IPV6,
7352 		.hooknum =	NF_INET_LOCAL_OUT,
7353 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7354 	},
7355 #endif	/* IPV6 */
7356 };
7357 
7358 static int __net_init selinux_nf_register(struct net *net)
7359 {
7360 	return nf_register_net_hooks(net, selinux_nf_ops,
7361 				     ARRAY_SIZE(selinux_nf_ops));
7362 }
7363 
7364 static void __net_exit selinux_nf_unregister(struct net *net)
7365 {
7366 	nf_unregister_net_hooks(net, selinux_nf_ops,
7367 				ARRAY_SIZE(selinux_nf_ops));
7368 }
7369 
7370 static struct pernet_operations selinux_net_ops = {
7371 	.init = selinux_nf_register,
7372 	.exit = selinux_nf_unregister,
7373 };
7374 
7375 static int __init selinux_nf_ip_init(void)
7376 {
7377 	int err;
7378 
7379 	if (!selinux_enabled_boot)
7380 		return 0;
7381 
7382 	pr_debug("SELinux:  Registering netfilter hooks\n");
7383 
7384 	err = register_pernet_subsys(&selinux_net_ops);
7385 	if (err)
7386 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7387 
7388 	return 0;
7389 }
7390 __initcall(selinux_nf_ip_init);
7391 #endif /* CONFIG_NETFILTER */
7392