xref: /openbmc/linux/security/selinux/hooks.c (revision 4da722ca)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>		/* for Unix socket types */
72 #include <net/af_unix.h>	/* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99 
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105 
106 static int __init enforcing_setup(char *str)
107 {
108 	unsigned long enforcing;
109 	if (!kstrtoul(str, 0, &enforcing))
110 		selinux_enforcing = enforcing ? 1 : 0;
111 	return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115 
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118 
119 static int __init selinux_enabled_setup(char *str)
120 {
121 	unsigned long enabled;
122 	if (!kstrtoul(str, 0, &enabled))
123 		selinux_enabled = enabled ? 1 : 0;
124 	return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130 
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133 
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149 
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164 
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167 	if (event == AVC_CALLBACK_RESET) {
168 		sel_netif_flush();
169 		sel_netnode_flush();
170 		sel_netport_flush();
171 		synchronize_net();
172 	}
173 	return 0;
174 }
175 
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178 	if (event == AVC_CALLBACK_RESET) {
179 		sel_ib_pkey_flush();
180 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181 	}
182 
183 	return 0;
184 }
185 
186 /*
187  * initialise the security for the init task
188  */
189 static void cred_init_security(void)
190 {
191 	struct cred *cred = (struct cred *) current->real_cred;
192 	struct task_security_struct *tsec;
193 
194 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195 	if (!tsec)
196 		panic("SELinux:  Failed to initialize initial task.\n");
197 
198 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 	cred->security = tsec;
200 }
201 
202 /*
203  * get the security ID of a set of credentials
204  */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207 	const struct task_security_struct *tsec;
208 
209 	tsec = cred->security;
210 	return tsec->sid;
211 }
212 
213 /*
214  * get the objective security ID of a task
215  */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218 	u32 sid;
219 
220 	rcu_read_lock();
221 	sid = cred_sid(__task_cred(task));
222 	rcu_read_unlock();
223 	return sid;
224 }
225 
226 /* Allocate and free functions for each kind of security blob. */
227 
228 static int inode_alloc_security(struct inode *inode)
229 {
230 	struct inode_security_struct *isec;
231 	u32 sid = current_sid();
232 
233 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 	if (!isec)
235 		return -ENOMEM;
236 
237 	spin_lock_init(&isec->lock);
238 	INIT_LIST_HEAD(&isec->list);
239 	isec->inode = inode;
240 	isec->sid = SECINITSID_UNLABELED;
241 	isec->sclass = SECCLASS_FILE;
242 	isec->task_sid = sid;
243 	isec->initialized = LABEL_INVALID;
244 	inode->i_security = isec;
245 
246 	return 0;
247 }
248 
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250 
251 /*
252  * Try reloading inode security labels that have been marked as invalid.  The
253  * @may_sleep parameter indicates when sleeping and thus reloading labels is
254  * allowed; when set to false, returns -ECHILD when the label is
255  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
256  * when no dentry is available, set it to NULL instead.
257  */
258 static int __inode_security_revalidate(struct inode *inode,
259 				       struct dentry *opt_dentry,
260 				       bool may_sleep)
261 {
262 	struct inode_security_struct *isec = inode->i_security;
263 
264 	might_sleep_if(may_sleep);
265 
266 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267 		if (!may_sleep)
268 			return -ECHILD;
269 
270 		/*
271 		 * Try reloading the inode security label.  This will fail if
272 		 * @opt_dentry is NULL and no dentry for this inode can be
273 		 * found; in that case, continue using the old label.
274 		 */
275 		inode_doinit_with_dentry(inode, opt_dentry);
276 	}
277 	return 0;
278 }
279 
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282 	return inode->i_security;
283 }
284 
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287 	int error;
288 
289 	error = __inode_security_revalidate(inode, NULL, !rcu);
290 	if (error)
291 		return ERR_PTR(error);
292 	return inode->i_security;
293 }
294 
295 /*
296  * Get the security label of an inode.
297  */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300 	__inode_security_revalidate(inode, NULL, true);
301 	return inode->i_security;
302 }
303 
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306 	struct inode *inode = d_backing_inode(dentry);
307 
308 	return inode->i_security;
309 }
310 
311 /*
312  * Get the security label of a dentry's backing inode.
313  */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316 	struct inode *inode = d_backing_inode(dentry);
317 
318 	__inode_security_revalidate(inode, dentry, true);
319 	return inode->i_security;
320 }
321 
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324 	struct inode_security_struct *isec;
325 
326 	isec = container_of(head, struct inode_security_struct, rcu);
327 	kmem_cache_free(sel_inode_cache, isec);
328 }
329 
330 static void inode_free_security(struct inode *inode)
331 {
332 	struct inode_security_struct *isec = inode->i_security;
333 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334 
335 	/*
336 	 * As not all inode security structures are in a list, we check for
337 	 * empty list outside of the lock to make sure that we won't waste
338 	 * time taking a lock doing nothing.
339 	 *
340 	 * The list_del_init() function can be safely called more than once.
341 	 * It should not be possible for this function to be called with
342 	 * concurrent list_add(), but for better safety against future changes
343 	 * in the code, we use list_empty_careful() here.
344 	 */
345 	if (!list_empty_careful(&isec->list)) {
346 		spin_lock(&sbsec->isec_lock);
347 		list_del_init(&isec->list);
348 		spin_unlock(&sbsec->isec_lock);
349 	}
350 
351 	/*
352 	 * The inode may still be referenced in a path walk and
353 	 * a call to selinux_inode_permission() can be made
354 	 * after inode_free_security() is called. Ideally, the VFS
355 	 * wouldn't do this, but fixing that is a much harder
356 	 * job. For now, simply free the i_security via RCU, and
357 	 * leave the current inode->i_security pointer intact.
358 	 * The inode will be freed after the RCU grace period too.
359 	 */
360 	call_rcu(&isec->rcu, inode_free_rcu);
361 }
362 
363 static int file_alloc_security(struct file *file)
364 {
365 	struct file_security_struct *fsec;
366 	u32 sid = current_sid();
367 
368 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369 	if (!fsec)
370 		return -ENOMEM;
371 
372 	fsec->sid = sid;
373 	fsec->fown_sid = sid;
374 	file->f_security = fsec;
375 
376 	return 0;
377 }
378 
379 static void file_free_security(struct file *file)
380 {
381 	struct file_security_struct *fsec = file->f_security;
382 	file->f_security = NULL;
383 	kmem_cache_free(file_security_cache, fsec);
384 }
385 
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388 	struct superblock_security_struct *sbsec;
389 
390 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391 	if (!sbsec)
392 		return -ENOMEM;
393 
394 	mutex_init(&sbsec->lock);
395 	INIT_LIST_HEAD(&sbsec->isec_head);
396 	spin_lock_init(&sbsec->isec_lock);
397 	sbsec->sb = sb;
398 	sbsec->sid = SECINITSID_UNLABELED;
399 	sbsec->def_sid = SECINITSID_FILE;
400 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 	sb->s_security = sbsec;
402 
403 	return 0;
404 }
405 
406 static void superblock_free_security(struct super_block *sb)
407 {
408 	struct superblock_security_struct *sbsec = sb->s_security;
409 	sb->s_security = NULL;
410 	kfree(sbsec);
411 }
412 
413 static inline int inode_doinit(struct inode *inode)
414 {
415 	return inode_doinit_with_dentry(inode, NULL);
416 }
417 
418 enum {
419 	Opt_error = -1,
420 	Opt_context = 1,
421 	Opt_fscontext = 2,
422 	Opt_defcontext = 3,
423 	Opt_rootcontext = 4,
424 	Opt_labelsupport = 5,
425 	Opt_nextmntopt = 6,
426 };
427 
428 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
429 
430 static const match_table_t tokens = {
431 	{Opt_context, CONTEXT_STR "%s"},
432 	{Opt_fscontext, FSCONTEXT_STR "%s"},
433 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
434 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 	{Opt_labelsupport, LABELSUPP_STR},
436 	{Opt_error, NULL},
437 };
438 
439 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440 
441 static int may_context_mount_sb_relabel(u32 sid,
442 			struct superblock_security_struct *sbsec,
443 			const struct cred *cred)
444 {
445 	const struct task_security_struct *tsec = cred->security;
446 	int rc;
447 
448 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 			  FILESYSTEM__RELABELFROM, NULL);
450 	if (rc)
451 		return rc;
452 
453 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 			  FILESYSTEM__RELABELTO, NULL);
455 	return rc;
456 }
457 
458 static int may_context_mount_inode_relabel(u32 sid,
459 			struct superblock_security_struct *sbsec,
460 			const struct cred *cred)
461 {
462 	const struct task_security_struct *tsec = cred->security;
463 	int rc;
464 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 			  FILESYSTEM__RELABELFROM, NULL);
466 	if (rc)
467 		return rc;
468 
469 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 			  FILESYSTEM__ASSOCIATE, NULL);
471 	return rc;
472 }
473 
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476 	struct superblock_security_struct *sbsec = sb->s_security;
477 
478 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 		sbsec->behavior == SECURITY_FS_USE_TASK ||
481 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 		/* Special handling. Genfs but also in-core setxattr handler */
483 		!strcmp(sb->s_type->name, "sysfs") ||
484 		!strcmp(sb->s_type->name, "pstore") ||
485 		!strcmp(sb->s_type->name, "debugfs") ||
486 		!strcmp(sb->s_type->name, "tracefs") ||
487 		!strcmp(sb->s_type->name, "rootfs") ||
488 		(selinux_policycap_cgroupseclabel &&
489 		 (!strcmp(sb->s_type->name, "cgroup") ||
490 		  !strcmp(sb->s_type->name, "cgroup2")));
491 }
492 
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495 	struct superblock_security_struct *sbsec = sb->s_security;
496 	struct dentry *root = sb->s_root;
497 	struct inode *root_inode = d_backing_inode(root);
498 	int rc = 0;
499 
500 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 		/* Make sure that the xattr handler exists and that no
502 		   error other than -ENODATA is returned by getxattr on
503 		   the root directory.  -ENODATA is ok, as this may be
504 		   the first boot of the SELinux kernel before we have
505 		   assigned xattr values to the filesystem. */
506 		if (!(root_inode->i_opflags & IOP_XATTR)) {
507 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 			       "xattr support\n", sb->s_id, sb->s_type->name);
509 			rc = -EOPNOTSUPP;
510 			goto out;
511 		}
512 
513 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 		if (rc < 0 && rc != -ENODATA) {
515 			if (rc == -EOPNOTSUPP)
516 				printk(KERN_WARNING "SELinux: (dev %s, type "
517 				       "%s) has no security xattr handler\n",
518 				       sb->s_id, sb->s_type->name);
519 			else
520 				printk(KERN_WARNING "SELinux: (dev %s, type "
521 				       "%s) getxattr errno %d\n", sb->s_id,
522 				       sb->s_type->name, -rc);
523 			goto out;
524 		}
525 	}
526 
527 	sbsec->flags |= SE_SBINITIALIZED;
528 
529 	/*
530 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
531 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 	 * us a superblock that needs the flag to be cleared.
533 	 */
534 	if (selinux_is_sblabel_mnt(sb))
535 		sbsec->flags |= SBLABEL_MNT;
536 	else
537 		sbsec->flags &= ~SBLABEL_MNT;
538 
539 	/* Initialize the root inode. */
540 	rc = inode_doinit_with_dentry(root_inode, root);
541 
542 	/* Initialize any other inodes associated with the superblock, e.g.
543 	   inodes created prior to initial policy load or inodes created
544 	   during get_sb by a pseudo filesystem that directly
545 	   populates itself. */
546 	spin_lock(&sbsec->isec_lock);
547 next_inode:
548 	if (!list_empty(&sbsec->isec_head)) {
549 		struct inode_security_struct *isec =
550 				list_entry(sbsec->isec_head.next,
551 					   struct inode_security_struct, list);
552 		struct inode *inode = isec->inode;
553 		list_del_init(&isec->list);
554 		spin_unlock(&sbsec->isec_lock);
555 		inode = igrab(inode);
556 		if (inode) {
557 			if (!IS_PRIVATE(inode))
558 				inode_doinit(inode);
559 			iput(inode);
560 		}
561 		spin_lock(&sbsec->isec_lock);
562 		goto next_inode;
563 	}
564 	spin_unlock(&sbsec->isec_lock);
565 out:
566 	return rc;
567 }
568 
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 				struct security_mnt_opts *opts)
576 {
577 	int rc = 0, i;
578 	struct superblock_security_struct *sbsec = sb->s_security;
579 	char *context = NULL;
580 	u32 len;
581 	char tmp;
582 
583 	security_init_mnt_opts(opts);
584 
585 	if (!(sbsec->flags & SE_SBINITIALIZED))
586 		return -EINVAL;
587 
588 	if (!ss_initialized)
589 		return -EINVAL;
590 
591 	/* make sure we always check enough bits to cover the mask */
592 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593 
594 	tmp = sbsec->flags & SE_MNTMASK;
595 	/* count the number of mount options for this sb */
596 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 		if (tmp & 0x01)
598 			opts->num_mnt_opts++;
599 		tmp >>= 1;
600 	}
601 	/* Check if the Label support flag is set */
602 	if (sbsec->flags & SBLABEL_MNT)
603 		opts->num_mnt_opts++;
604 
605 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 	if (!opts->mnt_opts) {
607 		rc = -ENOMEM;
608 		goto out_free;
609 	}
610 
611 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 	if (!opts->mnt_opts_flags) {
613 		rc = -ENOMEM;
614 		goto out_free;
615 	}
616 
617 	i = 0;
618 	if (sbsec->flags & FSCONTEXT_MNT) {
619 		rc = security_sid_to_context(sbsec->sid, &context, &len);
620 		if (rc)
621 			goto out_free;
622 		opts->mnt_opts[i] = context;
623 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 	}
625 	if (sbsec->flags & CONTEXT_MNT) {
626 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 		if (rc)
628 			goto out_free;
629 		opts->mnt_opts[i] = context;
630 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 	}
632 	if (sbsec->flags & DEFCONTEXT_MNT) {
633 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 		if (rc)
635 			goto out_free;
636 		opts->mnt_opts[i] = context;
637 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 	}
639 	if (sbsec->flags & ROOTCONTEXT_MNT) {
640 		struct dentry *root = sbsec->sb->s_root;
641 		struct inode_security_struct *isec = backing_inode_security(root);
642 
643 		rc = security_sid_to_context(isec->sid, &context, &len);
644 		if (rc)
645 			goto out_free;
646 		opts->mnt_opts[i] = context;
647 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 	}
649 	if (sbsec->flags & SBLABEL_MNT) {
650 		opts->mnt_opts[i] = NULL;
651 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 	}
653 
654 	BUG_ON(i != opts->num_mnt_opts);
655 
656 	return 0;
657 
658 out_free:
659 	security_free_mnt_opts(opts);
660 	return rc;
661 }
662 
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 		      u32 old_sid, u32 new_sid)
665 {
666 	char mnt_flags = sbsec->flags & SE_MNTMASK;
667 
668 	/* check if the old mount command had the same options */
669 	if (sbsec->flags & SE_SBINITIALIZED)
670 		if (!(sbsec->flags & flag) ||
671 		    (old_sid != new_sid))
672 			return 1;
673 
674 	/* check if we were passed the same options twice,
675 	 * aka someone passed context=a,context=b
676 	 */
677 	if (!(sbsec->flags & SE_SBINITIALIZED))
678 		if (mnt_flags & flag)
679 			return 1;
680 	return 0;
681 }
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 				struct security_mnt_opts *opts,
689 				unsigned long kern_flags,
690 				unsigned long *set_kern_flags)
691 {
692 	const struct cred *cred = current_cred();
693 	int rc = 0, i;
694 	struct superblock_security_struct *sbsec = sb->s_security;
695 	const char *name = sb->s_type->name;
696 	struct dentry *root = sbsec->sb->s_root;
697 	struct inode_security_struct *root_isec;
698 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 	u32 defcontext_sid = 0;
700 	char **mount_options = opts->mnt_opts;
701 	int *flags = opts->mnt_opts_flags;
702 	int num_opts = opts->num_mnt_opts;
703 
704 	mutex_lock(&sbsec->lock);
705 
706 	if (!ss_initialized) {
707 		if (!num_opts) {
708 			/* Defer initialization until selinux_complete_init,
709 			   after the initial policy is loaded and the security
710 			   server is ready to handle calls. */
711 			goto out;
712 		}
713 		rc = -EINVAL;
714 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 			"before the security server is initialized\n");
716 		goto out;
717 	}
718 	if (kern_flags && !set_kern_flags) {
719 		/* Specifying internal flags without providing a place to
720 		 * place the results is not allowed */
721 		rc = -EINVAL;
722 		goto out;
723 	}
724 
725 	/*
726 	 * Binary mount data FS will come through this function twice.  Once
727 	 * from an explicit call and once from the generic calls from the vfs.
728 	 * Since the generic VFS calls will not contain any security mount data
729 	 * we need to skip the double mount verification.
730 	 *
731 	 * This does open a hole in which we will not notice if the first
732 	 * mount using this sb set explict options and a second mount using
733 	 * this sb does not set any security options.  (The first options
734 	 * will be used for both mounts)
735 	 */
736 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 	    && (num_opts == 0))
738 		goto out;
739 
740 	root_isec = backing_inode_security_novalidate(root);
741 
742 	/*
743 	 * parse the mount options, check if they are valid sids.
744 	 * also check if someone is trying to mount the same sb more
745 	 * than once with different security options.
746 	 */
747 	for (i = 0; i < num_opts; i++) {
748 		u32 sid;
749 
750 		if (flags[i] == SBLABEL_MNT)
751 			continue;
752 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 		if (rc) {
754 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
756 			       mount_options[i], sb->s_id, name, rc);
757 			goto out;
758 		}
759 		switch (flags[i]) {
760 		case FSCONTEXT_MNT:
761 			fscontext_sid = sid;
762 
763 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 					fscontext_sid))
765 				goto out_double_mount;
766 
767 			sbsec->flags |= FSCONTEXT_MNT;
768 			break;
769 		case CONTEXT_MNT:
770 			context_sid = sid;
771 
772 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 					context_sid))
774 				goto out_double_mount;
775 
776 			sbsec->flags |= CONTEXT_MNT;
777 			break;
778 		case ROOTCONTEXT_MNT:
779 			rootcontext_sid = sid;
780 
781 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 					rootcontext_sid))
783 				goto out_double_mount;
784 
785 			sbsec->flags |= ROOTCONTEXT_MNT;
786 
787 			break;
788 		case DEFCONTEXT_MNT:
789 			defcontext_sid = sid;
790 
791 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 					defcontext_sid))
793 				goto out_double_mount;
794 
795 			sbsec->flags |= DEFCONTEXT_MNT;
796 
797 			break;
798 		default:
799 			rc = -EINVAL;
800 			goto out;
801 		}
802 	}
803 
804 	if (sbsec->flags & SE_SBINITIALIZED) {
805 		/* previously mounted with options, but not on this attempt? */
806 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 			goto out_double_mount;
808 		rc = 0;
809 		goto out;
810 	}
811 
812 	if (strcmp(sb->s_type->name, "proc") == 0)
813 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815 	if (!strcmp(sb->s_type->name, "debugfs") ||
816 	    !strcmp(sb->s_type->name, "tracefs") ||
817 	    !strcmp(sb->s_type->name, "sysfs") ||
818 	    !strcmp(sb->s_type->name, "pstore"))
819 		sbsec->flags |= SE_SBGENFS;
820 
821 	if (!sbsec->behavior) {
822 		/*
823 		 * Determine the labeling behavior to use for this
824 		 * filesystem type.
825 		 */
826 		rc = security_fs_use(sb);
827 		if (rc) {
828 			printk(KERN_WARNING
829 				"%s: security_fs_use(%s) returned %d\n",
830 					__func__, sb->s_type->name, rc);
831 			goto out;
832 		}
833 	}
834 
835 	/*
836 	 * If this is a user namespace mount and the filesystem type is not
837 	 * explicitly whitelisted, then no contexts are allowed on the command
838 	 * line and security labels must be ignored.
839 	 */
840 	if (sb->s_user_ns != &init_user_ns &&
841 	    strcmp(sb->s_type->name, "tmpfs") &&
842 	    strcmp(sb->s_type->name, "ramfs") &&
843 	    strcmp(sb->s_type->name, "devpts")) {
844 		if (context_sid || fscontext_sid || rootcontext_sid ||
845 		    defcontext_sid) {
846 			rc = -EACCES;
847 			goto out;
848 		}
849 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 			rc = security_transition_sid(current_sid(), current_sid(),
852 						     SECCLASS_FILE, NULL,
853 						     &sbsec->mntpoint_sid);
854 			if (rc)
855 				goto out;
856 		}
857 		goto out_set_opts;
858 	}
859 
860 	/* sets the context of the superblock for the fs being mounted. */
861 	if (fscontext_sid) {
862 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863 		if (rc)
864 			goto out;
865 
866 		sbsec->sid = fscontext_sid;
867 	}
868 
869 	/*
870 	 * Switch to using mount point labeling behavior.
871 	 * sets the label used on all file below the mountpoint, and will set
872 	 * the superblock context if not already set.
873 	 */
874 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877 	}
878 
879 	if (context_sid) {
880 		if (!fscontext_sid) {
881 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
882 							  cred);
883 			if (rc)
884 				goto out;
885 			sbsec->sid = context_sid;
886 		} else {
887 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
888 							     cred);
889 			if (rc)
890 				goto out;
891 		}
892 		if (!rootcontext_sid)
893 			rootcontext_sid = context_sid;
894 
895 		sbsec->mntpoint_sid = context_sid;
896 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
897 	}
898 
899 	if (rootcontext_sid) {
900 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901 						     cred);
902 		if (rc)
903 			goto out;
904 
905 		root_isec->sid = rootcontext_sid;
906 		root_isec->initialized = LABEL_INITIALIZED;
907 	}
908 
909 	if (defcontext_sid) {
910 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
912 			rc = -EINVAL;
913 			printk(KERN_WARNING "SELinux: defcontext option is "
914 			       "invalid for this filesystem type\n");
915 			goto out;
916 		}
917 
918 		if (defcontext_sid != sbsec->def_sid) {
919 			rc = may_context_mount_inode_relabel(defcontext_sid,
920 							     sbsec, cred);
921 			if (rc)
922 				goto out;
923 		}
924 
925 		sbsec->def_sid = defcontext_sid;
926 	}
927 
928 out_set_opts:
929 	rc = sb_finish_set_opts(sb);
930 out:
931 	mutex_unlock(&sbsec->lock);
932 	return rc;
933 out_double_mount:
934 	rc = -EINVAL;
935 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
936 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
937 	goto out;
938 }
939 
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 				    const struct super_block *newsb)
942 {
943 	struct superblock_security_struct *old = oldsb->s_security;
944 	struct superblock_security_struct *new = newsb->s_security;
945 	char oldflags = old->flags & SE_MNTMASK;
946 	char newflags = new->flags & SE_MNTMASK;
947 
948 	if (oldflags != newflags)
949 		goto mismatch;
950 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951 		goto mismatch;
952 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953 		goto mismatch;
954 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955 		goto mismatch;
956 	if (oldflags & ROOTCONTEXT_MNT) {
957 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959 		if (oldroot->sid != newroot->sid)
960 			goto mismatch;
961 	}
962 	return 0;
963 mismatch:
964 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
965 			    "different security settings for (dev %s, "
966 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
967 	return -EBUSY;
968 }
969 
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971 					struct super_block *newsb,
972 					unsigned long kern_flags,
973 					unsigned long *set_kern_flags)
974 {
975 	int rc = 0;
976 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 	struct superblock_security_struct *newsbsec = newsb->s_security;
978 
979 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
980 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
981 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
982 
983 	/*
984 	 * if the parent was able to be mounted it clearly had no special lsm
985 	 * mount options.  thus we can safely deal with this superblock later
986 	 */
987 	if (!ss_initialized)
988 		return 0;
989 
990 	/*
991 	 * Specifying internal flags without providing a place to
992 	 * place the results is not allowed.
993 	 */
994 	if (kern_flags && !set_kern_flags)
995 		return -EINVAL;
996 
997 	/* how can we clone if the old one wasn't set up?? */
998 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
999 
1000 	/* if fs is reusing a sb, make sure that the contexts match */
1001 	if (newsbsec->flags & SE_SBINITIALIZED)
1002 		return selinux_cmp_sb_context(oldsb, newsb);
1003 
1004 	mutex_lock(&newsbsec->lock);
1005 
1006 	newsbsec->flags = oldsbsec->flags;
1007 
1008 	newsbsec->sid = oldsbsec->sid;
1009 	newsbsec->def_sid = oldsbsec->def_sid;
1010 	newsbsec->behavior = oldsbsec->behavior;
1011 
1012 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 		rc = security_fs_use(newsb);
1015 		if (rc)
1016 			goto out;
1017 	}
1018 
1019 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022 	}
1023 
1024 	if (set_context) {
1025 		u32 sid = oldsbsec->mntpoint_sid;
1026 
1027 		if (!set_fscontext)
1028 			newsbsec->sid = sid;
1029 		if (!set_rootcontext) {
1030 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1031 			newisec->sid = sid;
1032 		}
1033 		newsbsec->mntpoint_sid = sid;
1034 	}
1035 	if (set_rootcontext) {
1036 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1038 
1039 		newisec->sid = oldisec->sid;
1040 	}
1041 
1042 	sb_finish_set_opts(newsb);
1043 out:
1044 	mutex_unlock(&newsbsec->lock);
1045 	return rc;
1046 }
1047 
1048 static int selinux_parse_opts_str(char *options,
1049 				  struct security_mnt_opts *opts)
1050 {
1051 	char *p;
1052 	char *context = NULL, *defcontext = NULL;
1053 	char *fscontext = NULL, *rootcontext = NULL;
1054 	int rc, num_mnt_opts = 0;
1055 
1056 	opts->num_mnt_opts = 0;
1057 
1058 	/* Standard string-based options. */
1059 	while ((p = strsep(&options, "|")) != NULL) {
1060 		int token;
1061 		substring_t args[MAX_OPT_ARGS];
1062 
1063 		if (!*p)
1064 			continue;
1065 
1066 		token = match_token(p, tokens, args);
1067 
1068 		switch (token) {
1069 		case Opt_context:
1070 			if (context || defcontext) {
1071 				rc = -EINVAL;
1072 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073 				goto out_err;
1074 			}
1075 			context = match_strdup(&args[0]);
1076 			if (!context) {
1077 				rc = -ENOMEM;
1078 				goto out_err;
1079 			}
1080 			break;
1081 
1082 		case Opt_fscontext:
1083 			if (fscontext) {
1084 				rc = -EINVAL;
1085 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086 				goto out_err;
1087 			}
1088 			fscontext = match_strdup(&args[0]);
1089 			if (!fscontext) {
1090 				rc = -ENOMEM;
1091 				goto out_err;
1092 			}
1093 			break;
1094 
1095 		case Opt_rootcontext:
1096 			if (rootcontext) {
1097 				rc = -EINVAL;
1098 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099 				goto out_err;
1100 			}
1101 			rootcontext = match_strdup(&args[0]);
1102 			if (!rootcontext) {
1103 				rc = -ENOMEM;
1104 				goto out_err;
1105 			}
1106 			break;
1107 
1108 		case Opt_defcontext:
1109 			if (context || defcontext) {
1110 				rc = -EINVAL;
1111 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 				goto out_err;
1113 			}
1114 			defcontext = match_strdup(&args[0]);
1115 			if (!defcontext) {
1116 				rc = -ENOMEM;
1117 				goto out_err;
1118 			}
1119 			break;
1120 		case Opt_labelsupport:
1121 			break;
1122 		default:
1123 			rc = -EINVAL;
1124 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1125 			goto out_err;
1126 
1127 		}
1128 	}
1129 
1130 	rc = -ENOMEM;
1131 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132 	if (!opts->mnt_opts)
1133 		goto out_err;
1134 
1135 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136 				       GFP_KERNEL);
1137 	if (!opts->mnt_opts_flags)
1138 		goto out_err;
1139 
1140 	if (fscontext) {
1141 		opts->mnt_opts[num_mnt_opts] = fscontext;
1142 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1143 	}
1144 	if (context) {
1145 		opts->mnt_opts[num_mnt_opts] = context;
1146 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1147 	}
1148 	if (rootcontext) {
1149 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1151 	}
1152 	if (defcontext) {
1153 		opts->mnt_opts[num_mnt_opts] = defcontext;
1154 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1155 	}
1156 
1157 	opts->num_mnt_opts = num_mnt_opts;
1158 	return 0;
1159 
1160 out_err:
1161 	security_free_mnt_opts(opts);
1162 	kfree(context);
1163 	kfree(defcontext);
1164 	kfree(fscontext);
1165 	kfree(rootcontext);
1166 	return rc;
1167 }
1168 /*
1169  * string mount options parsing and call set the sbsec
1170  */
1171 static int superblock_doinit(struct super_block *sb, void *data)
1172 {
1173 	int rc = 0;
1174 	char *options = data;
1175 	struct security_mnt_opts opts;
1176 
1177 	security_init_mnt_opts(&opts);
1178 
1179 	if (!data)
1180 		goto out;
1181 
1182 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183 
1184 	rc = selinux_parse_opts_str(options, &opts);
1185 	if (rc)
1186 		goto out_err;
1187 
1188 out:
1189 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1190 
1191 out_err:
1192 	security_free_mnt_opts(&opts);
1193 	return rc;
1194 }
1195 
1196 static void selinux_write_opts(struct seq_file *m,
1197 			       struct security_mnt_opts *opts)
1198 {
1199 	int i;
1200 	char *prefix;
1201 
1202 	for (i = 0; i < opts->num_mnt_opts; i++) {
1203 		char *has_comma;
1204 
1205 		if (opts->mnt_opts[i])
1206 			has_comma = strchr(opts->mnt_opts[i], ',');
1207 		else
1208 			has_comma = NULL;
1209 
1210 		switch (opts->mnt_opts_flags[i]) {
1211 		case CONTEXT_MNT:
1212 			prefix = CONTEXT_STR;
1213 			break;
1214 		case FSCONTEXT_MNT:
1215 			prefix = FSCONTEXT_STR;
1216 			break;
1217 		case ROOTCONTEXT_MNT:
1218 			prefix = ROOTCONTEXT_STR;
1219 			break;
1220 		case DEFCONTEXT_MNT:
1221 			prefix = DEFCONTEXT_STR;
1222 			break;
1223 		case SBLABEL_MNT:
1224 			seq_putc(m, ',');
1225 			seq_puts(m, LABELSUPP_STR);
1226 			continue;
1227 		default:
1228 			BUG();
1229 			return;
1230 		};
1231 		/* we need a comma before each option */
1232 		seq_putc(m, ',');
1233 		seq_puts(m, prefix);
1234 		if (has_comma)
1235 			seq_putc(m, '\"');
1236 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1237 		if (has_comma)
1238 			seq_putc(m, '\"');
1239 	}
1240 }
1241 
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243 {
1244 	struct security_mnt_opts opts;
1245 	int rc;
1246 
1247 	rc = selinux_get_mnt_opts(sb, &opts);
1248 	if (rc) {
1249 		/* before policy load we may get EINVAL, don't show anything */
1250 		if (rc == -EINVAL)
1251 			rc = 0;
1252 		return rc;
1253 	}
1254 
1255 	selinux_write_opts(m, &opts);
1256 
1257 	security_free_mnt_opts(&opts);
1258 
1259 	return rc;
1260 }
1261 
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1263 {
1264 	switch (mode & S_IFMT) {
1265 	case S_IFSOCK:
1266 		return SECCLASS_SOCK_FILE;
1267 	case S_IFLNK:
1268 		return SECCLASS_LNK_FILE;
1269 	case S_IFREG:
1270 		return SECCLASS_FILE;
1271 	case S_IFBLK:
1272 		return SECCLASS_BLK_FILE;
1273 	case S_IFDIR:
1274 		return SECCLASS_DIR;
1275 	case S_IFCHR:
1276 		return SECCLASS_CHR_FILE;
1277 	case S_IFIFO:
1278 		return SECCLASS_FIFO_FILE;
1279 
1280 	}
1281 
1282 	return SECCLASS_FILE;
1283 }
1284 
1285 static inline int default_protocol_stream(int protocol)
1286 {
1287 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288 }
1289 
1290 static inline int default_protocol_dgram(int protocol)
1291 {
1292 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293 }
1294 
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296 {
1297 	int extsockclass = selinux_policycap_extsockclass;
1298 
1299 	switch (family) {
1300 	case PF_UNIX:
1301 		switch (type) {
1302 		case SOCK_STREAM:
1303 		case SOCK_SEQPACKET:
1304 			return SECCLASS_UNIX_STREAM_SOCKET;
1305 		case SOCK_DGRAM:
1306 			return SECCLASS_UNIX_DGRAM_SOCKET;
1307 		}
1308 		break;
1309 	case PF_INET:
1310 	case PF_INET6:
1311 		switch (type) {
1312 		case SOCK_STREAM:
1313 		case SOCK_SEQPACKET:
1314 			if (default_protocol_stream(protocol))
1315 				return SECCLASS_TCP_SOCKET;
1316 			else if (extsockclass && protocol == IPPROTO_SCTP)
1317 				return SECCLASS_SCTP_SOCKET;
1318 			else
1319 				return SECCLASS_RAWIP_SOCKET;
1320 		case SOCK_DGRAM:
1321 			if (default_protocol_dgram(protocol))
1322 				return SECCLASS_UDP_SOCKET;
1323 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324 						  protocol == IPPROTO_ICMPV6))
1325 				return SECCLASS_ICMP_SOCKET;
1326 			else
1327 				return SECCLASS_RAWIP_SOCKET;
1328 		case SOCK_DCCP:
1329 			return SECCLASS_DCCP_SOCKET;
1330 		default:
1331 			return SECCLASS_RAWIP_SOCKET;
1332 		}
1333 		break;
1334 	case PF_NETLINK:
1335 		switch (protocol) {
1336 		case NETLINK_ROUTE:
1337 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1338 		case NETLINK_SOCK_DIAG:
1339 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1340 		case NETLINK_NFLOG:
1341 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1342 		case NETLINK_XFRM:
1343 			return SECCLASS_NETLINK_XFRM_SOCKET;
1344 		case NETLINK_SELINUX:
1345 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1346 		case NETLINK_ISCSI:
1347 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1348 		case NETLINK_AUDIT:
1349 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1350 		case NETLINK_FIB_LOOKUP:
1351 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352 		case NETLINK_CONNECTOR:
1353 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354 		case NETLINK_NETFILTER:
1355 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1356 		case NETLINK_DNRTMSG:
1357 			return SECCLASS_NETLINK_DNRT_SOCKET;
1358 		case NETLINK_KOBJECT_UEVENT:
1359 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1360 		case NETLINK_GENERIC:
1361 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1362 		case NETLINK_SCSITRANSPORT:
1363 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1364 		case NETLINK_RDMA:
1365 			return SECCLASS_NETLINK_RDMA_SOCKET;
1366 		case NETLINK_CRYPTO:
1367 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1368 		default:
1369 			return SECCLASS_NETLINK_SOCKET;
1370 		}
1371 	case PF_PACKET:
1372 		return SECCLASS_PACKET_SOCKET;
1373 	case PF_KEY:
1374 		return SECCLASS_KEY_SOCKET;
1375 	case PF_APPLETALK:
1376 		return SECCLASS_APPLETALK_SOCKET;
1377 	}
1378 
1379 	if (extsockclass) {
1380 		switch (family) {
1381 		case PF_AX25:
1382 			return SECCLASS_AX25_SOCKET;
1383 		case PF_IPX:
1384 			return SECCLASS_IPX_SOCKET;
1385 		case PF_NETROM:
1386 			return SECCLASS_NETROM_SOCKET;
1387 		case PF_ATMPVC:
1388 			return SECCLASS_ATMPVC_SOCKET;
1389 		case PF_X25:
1390 			return SECCLASS_X25_SOCKET;
1391 		case PF_ROSE:
1392 			return SECCLASS_ROSE_SOCKET;
1393 		case PF_DECnet:
1394 			return SECCLASS_DECNET_SOCKET;
1395 		case PF_ATMSVC:
1396 			return SECCLASS_ATMSVC_SOCKET;
1397 		case PF_RDS:
1398 			return SECCLASS_RDS_SOCKET;
1399 		case PF_IRDA:
1400 			return SECCLASS_IRDA_SOCKET;
1401 		case PF_PPPOX:
1402 			return SECCLASS_PPPOX_SOCKET;
1403 		case PF_LLC:
1404 			return SECCLASS_LLC_SOCKET;
1405 		case PF_CAN:
1406 			return SECCLASS_CAN_SOCKET;
1407 		case PF_TIPC:
1408 			return SECCLASS_TIPC_SOCKET;
1409 		case PF_BLUETOOTH:
1410 			return SECCLASS_BLUETOOTH_SOCKET;
1411 		case PF_IUCV:
1412 			return SECCLASS_IUCV_SOCKET;
1413 		case PF_RXRPC:
1414 			return SECCLASS_RXRPC_SOCKET;
1415 		case PF_ISDN:
1416 			return SECCLASS_ISDN_SOCKET;
1417 		case PF_PHONET:
1418 			return SECCLASS_PHONET_SOCKET;
1419 		case PF_IEEE802154:
1420 			return SECCLASS_IEEE802154_SOCKET;
1421 		case PF_CAIF:
1422 			return SECCLASS_CAIF_SOCKET;
1423 		case PF_ALG:
1424 			return SECCLASS_ALG_SOCKET;
1425 		case PF_NFC:
1426 			return SECCLASS_NFC_SOCKET;
1427 		case PF_VSOCK:
1428 			return SECCLASS_VSOCK_SOCKET;
1429 		case PF_KCM:
1430 			return SECCLASS_KCM_SOCKET;
1431 		case PF_QIPCRTR:
1432 			return SECCLASS_QIPCRTR_SOCKET;
1433 		case PF_SMC:
1434 			return SECCLASS_SMC_SOCKET;
1435 #if PF_MAX > 44
1436 #error New address family defined, please update this function.
1437 #endif
1438 		}
1439 	}
1440 
1441 	return SECCLASS_SOCKET;
1442 }
1443 
1444 static int selinux_genfs_get_sid(struct dentry *dentry,
1445 				 u16 tclass,
1446 				 u16 flags,
1447 				 u32 *sid)
1448 {
1449 	int rc;
1450 	struct super_block *sb = dentry->d_sb;
1451 	char *buffer, *path;
1452 
1453 	buffer = (char *)__get_free_page(GFP_KERNEL);
1454 	if (!buffer)
1455 		return -ENOMEM;
1456 
1457 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1458 	if (IS_ERR(path))
1459 		rc = PTR_ERR(path);
1460 	else {
1461 		if (flags & SE_SBPROC) {
1462 			/* each process gets a /proc/PID/ entry. Strip off the
1463 			 * PID part to get a valid selinux labeling.
1464 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465 			while (path[1] >= '0' && path[1] <= '9') {
1466 				path[1] = '/';
1467 				path++;
1468 			}
1469 		}
1470 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1471 	}
1472 	free_page((unsigned long)buffer);
1473 	return rc;
1474 }
1475 
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1478 {
1479 	struct superblock_security_struct *sbsec = NULL;
1480 	struct inode_security_struct *isec = inode->i_security;
1481 	u32 task_sid, sid = 0;
1482 	u16 sclass;
1483 	struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485 	char *context = NULL;
1486 	unsigned len = 0;
1487 	int rc = 0;
1488 
1489 	if (isec->initialized == LABEL_INITIALIZED)
1490 		return 0;
1491 
1492 	spin_lock(&isec->lock);
1493 	if (isec->initialized == LABEL_INITIALIZED)
1494 		goto out_unlock;
1495 
1496 	if (isec->sclass == SECCLASS_FILE)
1497 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1498 
1499 	sbsec = inode->i_sb->s_security;
1500 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501 		/* Defer initialization until selinux_complete_init,
1502 		   after the initial policy is loaded and the security
1503 		   server is ready to handle calls. */
1504 		spin_lock(&sbsec->isec_lock);
1505 		if (list_empty(&isec->list))
1506 			list_add(&isec->list, &sbsec->isec_head);
1507 		spin_unlock(&sbsec->isec_lock);
1508 		goto out_unlock;
1509 	}
1510 
1511 	sclass = isec->sclass;
1512 	task_sid = isec->task_sid;
1513 	sid = isec->sid;
1514 	isec->initialized = LABEL_PENDING;
1515 	spin_unlock(&isec->lock);
1516 
1517 	switch (sbsec->behavior) {
1518 	case SECURITY_FS_USE_NATIVE:
1519 		break;
1520 	case SECURITY_FS_USE_XATTR:
1521 		if (!(inode->i_opflags & IOP_XATTR)) {
1522 			sid = sbsec->def_sid;
1523 			break;
1524 		}
1525 		/* Need a dentry, since the xattr API requires one.
1526 		   Life would be simpler if we could just pass the inode. */
1527 		if (opt_dentry) {
1528 			/* Called from d_instantiate or d_splice_alias. */
1529 			dentry = dget(opt_dentry);
1530 		} else {
1531 			/* Called from selinux_complete_init, try to find a dentry. */
1532 			dentry = d_find_alias(inode);
1533 		}
1534 		if (!dentry) {
1535 			/*
1536 			 * this is can be hit on boot when a file is accessed
1537 			 * before the policy is loaded.  When we load policy we
1538 			 * may find inodes that have no dentry on the
1539 			 * sbsec->isec_head list.  No reason to complain as these
1540 			 * will get fixed up the next time we go through
1541 			 * inode_doinit with a dentry, before these inodes could
1542 			 * be used again by userspace.
1543 			 */
1544 			goto out;
1545 		}
1546 
1547 		len = INITCONTEXTLEN;
1548 		context = kmalloc(len+1, GFP_NOFS);
1549 		if (!context) {
1550 			rc = -ENOMEM;
1551 			dput(dentry);
1552 			goto out;
1553 		}
1554 		context[len] = '\0';
1555 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556 		if (rc == -ERANGE) {
1557 			kfree(context);
1558 
1559 			/* Need a larger buffer.  Query for the right size. */
1560 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1561 			if (rc < 0) {
1562 				dput(dentry);
1563 				goto out;
1564 			}
1565 			len = rc;
1566 			context = kmalloc(len+1, GFP_NOFS);
1567 			if (!context) {
1568 				rc = -ENOMEM;
1569 				dput(dentry);
1570 				goto out;
1571 			}
1572 			context[len] = '\0';
1573 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1574 		}
1575 		dput(dentry);
1576 		if (rc < 0) {
1577 			if (rc != -ENODATA) {
1578 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1579 				       "%d for dev=%s ino=%ld\n", __func__,
1580 				       -rc, inode->i_sb->s_id, inode->i_ino);
1581 				kfree(context);
1582 				goto out;
1583 			}
1584 			/* Map ENODATA to the default file SID */
1585 			sid = sbsec->def_sid;
1586 			rc = 0;
1587 		} else {
1588 			rc = security_context_to_sid_default(context, rc, &sid,
1589 							     sbsec->def_sid,
1590 							     GFP_NOFS);
1591 			if (rc) {
1592 				char *dev = inode->i_sb->s_id;
1593 				unsigned long ino = inode->i_ino;
1594 
1595 				if (rc == -EINVAL) {
1596 					if (printk_ratelimit())
1597 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598 							"context=%s.  This indicates you may need to relabel the inode or the "
1599 							"filesystem in question.\n", ino, dev, context);
1600 				} else {
1601 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1602 					       "returned %d for dev=%s ino=%ld\n",
1603 					       __func__, context, -rc, dev, ino);
1604 				}
1605 				kfree(context);
1606 				/* Leave with the unlabeled SID */
1607 				rc = 0;
1608 				break;
1609 			}
1610 		}
1611 		kfree(context);
1612 		break;
1613 	case SECURITY_FS_USE_TASK:
1614 		sid = task_sid;
1615 		break;
1616 	case SECURITY_FS_USE_TRANS:
1617 		/* Default to the fs SID. */
1618 		sid = sbsec->sid;
1619 
1620 		/* Try to obtain a transition SID. */
1621 		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1622 		if (rc)
1623 			goto out;
1624 		break;
1625 	case SECURITY_FS_USE_MNTPOINT:
1626 		sid = sbsec->mntpoint_sid;
1627 		break;
1628 	default:
1629 		/* Default to the fs superblock SID. */
1630 		sid = sbsec->sid;
1631 
1632 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633 			/* We must have a dentry to determine the label on
1634 			 * procfs inodes */
1635 			if (opt_dentry)
1636 				/* Called from d_instantiate or
1637 				 * d_splice_alias. */
1638 				dentry = dget(opt_dentry);
1639 			else
1640 				/* Called from selinux_complete_init, try to
1641 				 * find a dentry. */
1642 				dentry = d_find_alias(inode);
1643 			/*
1644 			 * This can be hit on boot when a file is accessed
1645 			 * before the policy is loaded.  When we load policy we
1646 			 * may find inodes that have no dentry on the
1647 			 * sbsec->isec_head list.  No reason to complain as
1648 			 * these will get fixed up the next time we go through
1649 			 * inode_doinit() with a dentry, before these inodes
1650 			 * could be used again by userspace.
1651 			 */
1652 			if (!dentry)
1653 				goto out;
1654 			rc = selinux_genfs_get_sid(dentry, sclass,
1655 						   sbsec->flags, &sid);
1656 			dput(dentry);
1657 			if (rc)
1658 				goto out;
1659 		}
1660 		break;
1661 	}
1662 
1663 out:
1664 	spin_lock(&isec->lock);
1665 	if (isec->initialized == LABEL_PENDING) {
1666 		if (!sid || rc) {
1667 			isec->initialized = LABEL_INVALID;
1668 			goto out_unlock;
1669 		}
1670 
1671 		isec->initialized = LABEL_INITIALIZED;
1672 		isec->sid = sid;
1673 	}
1674 
1675 out_unlock:
1676 	spin_unlock(&isec->lock);
1677 	return rc;
1678 }
1679 
1680 /* Convert a Linux signal to an access vector. */
1681 static inline u32 signal_to_av(int sig)
1682 {
1683 	u32 perm = 0;
1684 
1685 	switch (sig) {
1686 	case SIGCHLD:
1687 		/* Commonly granted from child to parent. */
1688 		perm = PROCESS__SIGCHLD;
1689 		break;
1690 	case SIGKILL:
1691 		/* Cannot be caught or ignored */
1692 		perm = PROCESS__SIGKILL;
1693 		break;
1694 	case SIGSTOP:
1695 		/* Cannot be caught or ignored */
1696 		perm = PROCESS__SIGSTOP;
1697 		break;
1698 	default:
1699 		/* All other signals. */
1700 		perm = PROCESS__SIGNAL;
1701 		break;
1702 	}
1703 
1704 	return perm;
1705 }
1706 
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1709 #endif
1710 
1711 /* Check whether a task is allowed to use a capability. */
1712 static int cred_has_capability(const struct cred *cred,
1713 			       int cap, int audit, bool initns)
1714 {
1715 	struct common_audit_data ad;
1716 	struct av_decision avd;
1717 	u16 sclass;
1718 	u32 sid = cred_sid(cred);
1719 	u32 av = CAP_TO_MASK(cap);
1720 	int rc;
1721 
1722 	ad.type = LSM_AUDIT_DATA_CAP;
1723 	ad.u.cap = cap;
1724 
1725 	switch (CAP_TO_INDEX(cap)) {
1726 	case 0:
1727 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1728 		break;
1729 	case 1:
1730 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1731 		break;
1732 	default:
1733 		printk(KERN_ERR
1734 		       "SELinux:  out of range capability %d\n", cap);
1735 		BUG();
1736 		return -EINVAL;
1737 	}
1738 
1739 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1740 	if (audit == SECURITY_CAP_AUDIT) {
1741 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1742 		if (rc2)
1743 			return rc2;
1744 	}
1745 	return rc;
1746 }
1747 
1748 /* Check whether a task has a particular permission to an inode.
1749    The 'adp' parameter is optional and allows other audit
1750    data to be passed (e.g. the dentry). */
1751 static int inode_has_perm(const struct cred *cred,
1752 			  struct inode *inode,
1753 			  u32 perms,
1754 			  struct common_audit_data *adp)
1755 {
1756 	struct inode_security_struct *isec;
1757 	u32 sid;
1758 
1759 	validate_creds(cred);
1760 
1761 	if (unlikely(IS_PRIVATE(inode)))
1762 		return 0;
1763 
1764 	sid = cred_sid(cred);
1765 	isec = inode->i_security;
1766 
1767 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1768 }
1769 
1770 /* Same as inode_has_perm, but pass explicit audit data containing
1771    the dentry to help the auditing code to more easily generate the
1772    pathname if needed. */
1773 static inline int dentry_has_perm(const struct cred *cred,
1774 				  struct dentry *dentry,
1775 				  u32 av)
1776 {
1777 	struct inode *inode = d_backing_inode(dentry);
1778 	struct common_audit_data ad;
1779 
1780 	ad.type = LSM_AUDIT_DATA_DENTRY;
1781 	ad.u.dentry = dentry;
1782 	__inode_security_revalidate(inode, dentry, true);
1783 	return inode_has_perm(cred, inode, av, &ad);
1784 }
1785 
1786 /* Same as inode_has_perm, but pass explicit audit data containing
1787    the path to help the auditing code to more easily generate the
1788    pathname if needed. */
1789 static inline int path_has_perm(const struct cred *cred,
1790 				const struct path *path,
1791 				u32 av)
1792 {
1793 	struct inode *inode = d_backing_inode(path->dentry);
1794 	struct common_audit_data ad;
1795 
1796 	ad.type = LSM_AUDIT_DATA_PATH;
1797 	ad.u.path = *path;
1798 	__inode_security_revalidate(inode, path->dentry, true);
1799 	return inode_has_perm(cred, inode, av, &ad);
1800 }
1801 
1802 /* Same as path_has_perm, but uses the inode from the file struct. */
1803 static inline int file_path_has_perm(const struct cred *cred,
1804 				     struct file *file,
1805 				     u32 av)
1806 {
1807 	struct common_audit_data ad;
1808 
1809 	ad.type = LSM_AUDIT_DATA_FILE;
1810 	ad.u.file = file;
1811 	return inode_has_perm(cred, file_inode(file), av, &ad);
1812 }
1813 
1814 /* Check whether a task can use an open file descriptor to
1815    access an inode in a given way.  Check access to the
1816    descriptor itself, and then use dentry_has_perm to
1817    check a particular permission to the file.
1818    Access to the descriptor is implicitly granted if it
1819    has the same SID as the process.  If av is zero, then
1820    access to the file is not checked, e.g. for cases
1821    where only the descriptor is affected like seek. */
1822 static int file_has_perm(const struct cred *cred,
1823 			 struct file *file,
1824 			 u32 av)
1825 {
1826 	struct file_security_struct *fsec = file->f_security;
1827 	struct inode *inode = file_inode(file);
1828 	struct common_audit_data ad;
1829 	u32 sid = cred_sid(cred);
1830 	int rc;
1831 
1832 	ad.type = LSM_AUDIT_DATA_FILE;
1833 	ad.u.file = file;
1834 
1835 	if (sid != fsec->sid) {
1836 		rc = avc_has_perm(sid, fsec->sid,
1837 				  SECCLASS_FD,
1838 				  FD__USE,
1839 				  &ad);
1840 		if (rc)
1841 			goto out;
1842 	}
1843 
1844 	/* av is zero if only checking access to the descriptor. */
1845 	rc = 0;
1846 	if (av)
1847 		rc = inode_has_perm(cred, inode, av, &ad);
1848 
1849 out:
1850 	return rc;
1851 }
1852 
1853 /*
1854  * Determine the label for an inode that might be unioned.
1855  */
1856 static int
1857 selinux_determine_inode_label(const struct task_security_struct *tsec,
1858 				 struct inode *dir,
1859 				 const struct qstr *name, u16 tclass,
1860 				 u32 *_new_isid)
1861 {
1862 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1863 
1864 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1865 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866 		*_new_isid = sbsec->mntpoint_sid;
1867 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1868 		   tsec->create_sid) {
1869 		*_new_isid = tsec->create_sid;
1870 	} else {
1871 		const struct inode_security_struct *dsec = inode_security(dir);
1872 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1873 					       name, _new_isid);
1874 	}
1875 
1876 	return 0;
1877 }
1878 
1879 /* Check whether a task can create a file. */
1880 static int may_create(struct inode *dir,
1881 		      struct dentry *dentry,
1882 		      u16 tclass)
1883 {
1884 	const struct task_security_struct *tsec = current_security();
1885 	struct inode_security_struct *dsec;
1886 	struct superblock_security_struct *sbsec;
1887 	u32 sid, newsid;
1888 	struct common_audit_data ad;
1889 	int rc;
1890 
1891 	dsec = inode_security(dir);
1892 	sbsec = dir->i_sb->s_security;
1893 
1894 	sid = tsec->sid;
1895 
1896 	ad.type = LSM_AUDIT_DATA_DENTRY;
1897 	ad.u.dentry = dentry;
1898 
1899 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1900 			  DIR__ADD_NAME | DIR__SEARCH,
1901 			  &ad);
1902 	if (rc)
1903 		return rc;
1904 
1905 	rc = selinux_determine_inode_label(current_security(), dir,
1906 					   &dentry->d_name, tclass, &newsid);
1907 	if (rc)
1908 		return rc;
1909 
1910 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1911 	if (rc)
1912 		return rc;
1913 
1914 	return avc_has_perm(newsid, sbsec->sid,
1915 			    SECCLASS_FILESYSTEM,
1916 			    FILESYSTEM__ASSOCIATE, &ad);
1917 }
1918 
1919 #define MAY_LINK	0
1920 #define MAY_UNLINK	1
1921 #define MAY_RMDIR	2
1922 
1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1924 static int may_link(struct inode *dir,
1925 		    struct dentry *dentry,
1926 		    int kind)
1927 
1928 {
1929 	struct inode_security_struct *dsec, *isec;
1930 	struct common_audit_data ad;
1931 	u32 sid = current_sid();
1932 	u32 av;
1933 	int rc;
1934 
1935 	dsec = inode_security(dir);
1936 	isec = backing_inode_security(dentry);
1937 
1938 	ad.type = LSM_AUDIT_DATA_DENTRY;
1939 	ad.u.dentry = dentry;
1940 
1941 	av = DIR__SEARCH;
1942 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1943 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1944 	if (rc)
1945 		return rc;
1946 
1947 	switch (kind) {
1948 	case MAY_LINK:
1949 		av = FILE__LINK;
1950 		break;
1951 	case MAY_UNLINK:
1952 		av = FILE__UNLINK;
1953 		break;
1954 	case MAY_RMDIR:
1955 		av = DIR__RMDIR;
1956 		break;
1957 	default:
1958 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1959 			__func__, kind);
1960 		return 0;
1961 	}
1962 
1963 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1964 	return rc;
1965 }
1966 
1967 static inline int may_rename(struct inode *old_dir,
1968 			     struct dentry *old_dentry,
1969 			     struct inode *new_dir,
1970 			     struct dentry *new_dentry)
1971 {
1972 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1973 	struct common_audit_data ad;
1974 	u32 sid = current_sid();
1975 	u32 av;
1976 	int old_is_dir, new_is_dir;
1977 	int rc;
1978 
1979 	old_dsec = inode_security(old_dir);
1980 	old_isec = backing_inode_security(old_dentry);
1981 	old_is_dir = d_is_dir(old_dentry);
1982 	new_dsec = inode_security(new_dir);
1983 
1984 	ad.type = LSM_AUDIT_DATA_DENTRY;
1985 
1986 	ad.u.dentry = old_dentry;
1987 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1988 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1989 	if (rc)
1990 		return rc;
1991 	rc = avc_has_perm(sid, old_isec->sid,
1992 			  old_isec->sclass, FILE__RENAME, &ad);
1993 	if (rc)
1994 		return rc;
1995 	if (old_is_dir && new_dir != old_dir) {
1996 		rc = avc_has_perm(sid, old_isec->sid,
1997 				  old_isec->sclass, DIR__REPARENT, &ad);
1998 		if (rc)
1999 			return rc;
2000 	}
2001 
2002 	ad.u.dentry = new_dentry;
2003 	av = DIR__ADD_NAME | DIR__SEARCH;
2004 	if (d_is_positive(new_dentry))
2005 		av |= DIR__REMOVE_NAME;
2006 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2007 	if (rc)
2008 		return rc;
2009 	if (d_is_positive(new_dentry)) {
2010 		new_isec = backing_inode_security(new_dentry);
2011 		new_is_dir = d_is_dir(new_dentry);
2012 		rc = avc_has_perm(sid, new_isec->sid,
2013 				  new_isec->sclass,
2014 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2015 		if (rc)
2016 			return rc;
2017 	}
2018 
2019 	return 0;
2020 }
2021 
2022 /* Check whether a task can perform a filesystem operation. */
2023 static int superblock_has_perm(const struct cred *cred,
2024 			       struct super_block *sb,
2025 			       u32 perms,
2026 			       struct common_audit_data *ad)
2027 {
2028 	struct superblock_security_struct *sbsec;
2029 	u32 sid = cred_sid(cred);
2030 
2031 	sbsec = sb->s_security;
2032 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2033 }
2034 
2035 /* Convert a Linux mode and permission mask to an access vector. */
2036 static inline u32 file_mask_to_av(int mode, int mask)
2037 {
2038 	u32 av = 0;
2039 
2040 	if (!S_ISDIR(mode)) {
2041 		if (mask & MAY_EXEC)
2042 			av |= FILE__EXECUTE;
2043 		if (mask & MAY_READ)
2044 			av |= FILE__READ;
2045 
2046 		if (mask & MAY_APPEND)
2047 			av |= FILE__APPEND;
2048 		else if (mask & MAY_WRITE)
2049 			av |= FILE__WRITE;
2050 
2051 	} else {
2052 		if (mask & MAY_EXEC)
2053 			av |= DIR__SEARCH;
2054 		if (mask & MAY_WRITE)
2055 			av |= DIR__WRITE;
2056 		if (mask & MAY_READ)
2057 			av |= DIR__READ;
2058 	}
2059 
2060 	return av;
2061 }
2062 
2063 /* Convert a Linux file to an access vector. */
2064 static inline u32 file_to_av(struct file *file)
2065 {
2066 	u32 av = 0;
2067 
2068 	if (file->f_mode & FMODE_READ)
2069 		av |= FILE__READ;
2070 	if (file->f_mode & FMODE_WRITE) {
2071 		if (file->f_flags & O_APPEND)
2072 			av |= FILE__APPEND;
2073 		else
2074 			av |= FILE__WRITE;
2075 	}
2076 	if (!av) {
2077 		/*
2078 		 * Special file opened with flags 3 for ioctl-only use.
2079 		 */
2080 		av = FILE__IOCTL;
2081 	}
2082 
2083 	return av;
2084 }
2085 
2086 /*
2087  * Convert a file to an access vector and include the correct open
2088  * open permission.
2089  */
2090 static inline u32 open_file_to_av(struct file *file)
2091 {
2092 	u32 av = file_to_av(file);
2093 	struct inode *inode = file_inode(file);
2094 
2095 	if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2096 		av |= FILE__OPEN;
2097 
2098 	return av;
2099 }
2100 
2101 /* Hook functions begin here. */
2102 
2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2104 {
2105 	u32 mysid = current_sid();
2106 	u32 mgrsid = task_sid(mgr);
2107 
2108 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109 			    BINDER__SET_CONTEXT_MGR, NULL);
2110 }
2111 
2112 static int selinux_binder_transaction(struct task_struct *from,
2113 				      struct task_struct *to)
2114 {
2115 	u32 mysid = current_sid();
2116 	u32 fromsid = task_sid(from);
2117 	u32 tosid = task_sid(to);
2118 	int rc;
2119 
2120 	if (mysid != fromsid) {
2121 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122 				  BINDER__IMPERSONATE, NULL);
2123 		if (rc)
2124 			return rc;
2125 	}
2126 
2127 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2128 			    NULL);
2129 }
2130 
2131 static int selinux_binder_transfer_binder(struct task_struct *from,
2132 					  struct task_struct *to)
2133 {
2134 	u32 fromsid = task_sid(from);
2135 	u32 tosid = task_sid(to);
2136 
2137 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2138 			    NULL);
2139 }
2140 
2141 static int selinux_binder_transfer_file(struct task_struct *from,
2142 					struct task_struct *to,
2143 					struct file *file)
2144 {
2145 	u32 sid = task_sid(to);
2146 	struct file_security_struct *fsec = file->f_security;
2147 	struct dentry *dentry = file->f_path.dentry;
2148 	struct inode_security_struct *isec;
2149 	struct common_audit_data ad;
2150 	int rc;
2151 
2152 	ad.type = LSM_AUDIT_DATA_PATH;
2153 	ad.u.path = file->f_path;
2154 
2155 	if (sid != fsec->sid) {
2156 		rc = avc_has_perm(sid, fsec->sid,
2157 				  SECCLASS_FD,
2158 				  FD__USE,
2159 				  &ad);
2160 		if (rc)
2161 			return rc;
2162 	}
2163 
2164 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2165 		return 0;
2166 
2167 	isec = backing_inode_security(dentry);
2168 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2169 			    &ad);
2170 }
2171 
2172 static int selinux_ptrace_access_check(struct task_struct *child,
2173 				     unsigned int mode)
2174 {
2175 	u32 sid = current_sid();
2176 	u32 csid = task_sid(child);
2177 
2178 	if (mode & PTRACE_MODE_READ)
2179 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2180 
2181 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2182 }
2183 
2184 static int selinux_ptrace_traceme(struct task_struct *parent)
2185 {
2186 	return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187 			    PROCESS__PTRACE, NULL);
2188 }
2189 
2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2191 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2192 {
2193 	return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194 			    PROCESS__GETCAP, NULL);
2195 }
2196 
2197 static int selinux_capset(struct cred *new, const struct cred *old,
2198 			  const kernel_cap_t *effective,
2199 			  const kernel_cap_t *inheritable,
2200 			  const kernel_cap_t *permitted)
2201 {
2202 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203 			    PROCESS__SETCAP, NULL);
2204 }
2205 
2206 /*
2207  * (This comment used to live with the selinux_task_setuid hook,
2208  * which was removed).
2209  *
2210  * Since setuid only affects the current process, and since the SELinux
2211  * controls are not based on the Linux identity attributes, SELinux does not
2212  * need to control this operation.  However, SELinux does control the use of
2213  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2214  */
2215 
2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2217 			   int cap, int audit)
2218 {
2219 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2220 }
2221 
2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2223 {
2224 	const struct cred *cred = current_cred();
2225 	int rc = 0;
2226 
2227 	if (!sb)
2228 		return 0;
2229 
2230 	switch (cmds) {
2231 	case Q_SYNC:
2232 	case Q_QUOTAON:
2233 	case Q_QUOTAOFF:
2234 	case Q_SETINFO:
2235 	case Q_SETQUOTA:
2236 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2237 		break;
2238 	case Q_GETFMT:
2239 	case Q_GETINFO:
2240 	case Q_GETQUOTA:
2241 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2242 		break;
2243 	default:
2244 		rc = 0;  /* let the kernel handle invalid cmds */
2245 		break;
2246 	}
2247 	return rc;
2248 }
2249 
2250 static int selinux_quota_on(struct dentry *dentry)
2251 {
2252 	const struct cred *cred = current_cred();
2253 
2254 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2255 }
2256 
2257 static int selinux_syslog(int type)
2258 {
2259 	switch (type) {
2260 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2261 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2262 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2264 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2265 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2266 	/* Set level of messages printed to console */
2267 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2268 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2270 				    NULL);
2271 	}
2272 	/* All other syslog types */
2273 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2275 }
2276 
2277 /*
2278  * Check that a process has enough memory to allocate a new virtual
2279  * mapping. 0 means there is enough memory for the allocation to
2280  * succeed and -ENOMEM implies there is not.
2281  *
2282  * Do not audit the selinux permission check, as this is applied to all
2283  * processes that allocate mappings.
2284  */
2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2286 {
2287 	int rc, cap_sys_admin = 0;
2288 
2289 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2290 				 SECURITY_CAP_NOAUDIT, true);
2291 	if (rc == 0)
2292 		cap_sys_admin = 1;
2293 
2294 	return cap_sys_admin;
2295 }
2296 
2297 /* binprm security operations */
2298 
2299 static u32 ptrace_parent_sid(void)
2300 {
2301 	u32 sid = 0;
2302 	struct task_struct *tracer;
2303 
2304 	rcu_read_lock();
2305 	tracer = ptrace_parent(current);
2306 	if (tracer)
2307 		sid = task_sid(tracer);
2308 	rcu_read_unlock();
2309 
2310 	return sid;
2311 }
2312 
2313 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314 			    const struct task_security_struct *old_tsec,
2315 			    const struct task_security_struct *new_tsec)
2316 {
2317 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2318 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2319 	int rc;
2320 
2321 	if (!nnp && !nosuid)
2322 		return 0; /* neither NNP nor nosuid */
2323 
2324 	if (new_tsec->sid == old_tsec->sid)
2325 		return 0; /* No change in credentials */
2326 
2327 	/*
2328 	 * The only transitions we permit under NNP or nosuid
2329 	 * are transitions to bounded SIDs, i.e. SIDs that are
2330 	 * guaranteed to only be allowed a subset of the permissions
2331 	 * of the current SID.
2332 	 */
2333 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2334 	if (rc) {
2335 		/*
2336 		 * On failure, preserve the errno values for NNP vs nosuid.
2337 		 * NNP:  Operation not permitted for caller.
2338 		 * nosuid:  Permission denied to file.
2339 		 */
2340 		if (nnp)
2341 			return -EPERM;
2342 		else
2343 			return -EACCES;
2344 	}
2345 	return 0;
2346 }
2347 
2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2349 {
2350 	const struct task_security_struct *old_tsec;
2351 	struct task_security_struct *new_tsec;
2352 	struct inode_security_struct *isec;
2353 	struct common_audit_data ad;
2354 	struct inode *inode = file_inode(bprm->file);
2355 	int rc;
2356 
2357 	/* SELinux context only depends on initial program or script and not
2358 	 * the script interpreter */
2359 	if (bprm->cred_prepared)
2360 		return 0;
2361 
2362 	old_tsec = current_security();
2363 	new_tsec = bprm->cred->security;
2364 	isec = inode_security(inode);
2365 
2366 	/* Default to the current task SID. */
2367 	new_tsec->sid = old_tsec->sid;
2368 	new_tsec->osid = old_tsec->sid;
2369 
2370 	/* Reset fs, key, and sock SIDs on execve. */
2371 	new_tsec->create_sid = 0;
2372 	new_tsec->keycreate_sid = 0;
2373 	new_tsec->sockcreate_sid = 0;
2374 
2375 	if (old_tsec->exec_sid) {
2376 		new_tsec->sid = old_tsec->exec_sid;
2377 		/* Reset exec SID on execve. */
2378 		new_tsec->exec_sid = 0;
2379 
2380 		/* Fail on NNP or nosuid if not an allowed transition. */
2381 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2382 		if (rc)
2383 			return rc;
2384 	} else {
2385 		/* Check for a default transition on this program. */
2386 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2387 					     SECCLASS_PROCESS, NULL,
2388 					     &new_tsec->sid);
2389 		if (rc)
2390 			return rc;
2391 
2392 		/*
2393 		 * Fallback to old SID on NNP or nosuid if not an allowed
2394 		 * transition.
2395 		 */
2396 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2397 		if (rc)
2398 			new_tsec->sid = old_tsec->sid;
2399 	}
2400 
2401 	ad.type = LSM_AUDIT_DATA_FILE;
2402 	ad.u.file = bprm->file;
2403 
2404 	if (new_tsec->sid == old_tsec->sid) {
2405 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2406 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2407 		if (rc)
2408 			return rc;
2409 	} else {
2410 		/* Check permissions for the transition. */
2411 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2412 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2413 		if (rc)
2414 			return rc;
2415 
2416 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2417 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2418 		if (rc)
2419 			return rc;
2420 
2421 		/* Check for shared state */
2422 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424 					  SECCLASS_PROCESS, PROCESS__SHARE,
2425 					  NULL);
2426 			if (rc)
2427 				return -EPERM;
2428 		}
2429 
2430 		/* Make sure that anyone attempting to ptrace over a task that
2431 		 * changes its SID has the appropriate permit */
2432 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 			u32 ptsid = ptrace_parent_sid();
2434 			if (ptsid != 0) {
2435 				rc = avc_has_perm(ptsid, new_tsec->sid,
2436 						  SECCLASS_PROCESS,
2437 						  PROCESS__PTRACE, NULL);
2438 				if (rc)
2439 					return -EPERM;
2440 			}
2441 		}
2442 
2443 		/* Clear any possibly unsafe personality bits on exec: */
2444 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2445 	}
2446 
2447 	return 0;
2448 }
2449 
2450 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2451 {
2452 	const struct task_security_struct *tsec = current_security();
2453 	u32 sid, osid;
2454 	int atsecure = 0;
2455 
2456 	sid = tsec->sid;
2457 	osid = tsec->osid;
2458 
2459 	if (osid != sid) {
2460 		/* Enable secure mode for SIDs transitions unless
2461 		   the noatsecure permission is granted between
2462 		   the two SIDs, i.e. ahp returns 0. */
2463 		atsecure = avc_has_perm(osid, sid,
2464 					SECCLASS_PROCESS,
2465 					PROCESS__NOATSECURE, NULL);
2466 	}
2467 
2468 	return !!atsecure;
2469 }
2470 
2471 static int match_file(const void *p, struct file *file, unsigned fd)
2472 {
2473 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2474 }
2475 
2476 /* Derived from fs/exec.c:flush_old_files. */
2477 static inline void flush_unauthorized_files(const struct cred *cred,
2478 					    struct files_struct *files)
2479 {
2480 	struct file *file, *devnull = NULL;
2481 	struct tty_struct *tty;
2482 	int drop_tty = 0;
2483 	unsigned n;
2484 
2485 	tty = get_current_tty();
2486 	if (tty) {
2487 		spin_lock(&tty->files_lock);
2488 		if (!list_empty(&tty->tty_files)) {
2489 			struct tty_file_private *file_priv;
2490 
2491 			/* Revalidate access to controlling tty.
2492 			   Use file_path_has_perm on the tty path directly
2493 			   rather than using file_has_perm, as this particular
2494 			   open file may belong to another process and we are
2495 			   only interested in the inode-based check here. */
2496 			file_priv = list_first_entry(&tty->tty_files,
2497 						struct tty_file_private, list);
2498 			file = file_priv->file;
2499 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2500 				drop_tty = 1;
2501 		}
2502 		spin_unlock(&tty->files_lock);
2503 		tty_kref_put(tty);
2504 	}
2505 	/* Reset controlling tty. */
2506 	if (drop_tty)
2507 		no_tty();
2508 
2509 	/* Revalidate access to inherited open files. */
2510 	n = iterate_fd(files, 0, match_file, cred);
2511 	if (!n) /* none found? */
2512 		return;
2513 
2514 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2515 	if (IS_ERR(devnull))
2516 		devnull = NULL;
2517 	/* replace all the matching ones with this */
2518 	do {
2519 		replace_fd(n - 1, devnull, 0);
2520 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2521 	if (devnull)
2522 		fput(devnull);
2523 }
2524 
2525 /*
2526  * Prepare a process for imminent new credential changes due to exec
2527  */
2528 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2529 {
2530 	struct task_security_struct *new_tsec;
2531 	struct rlimit *rlim, *initrlim;
2532 	int rc, i;
2533 
2534 	new_tsec = bprm->cred->security;
2535 	if (new_tsec->sid == new_tsec->osid)
2536 		return;
2537 
2538 	/* Close files for which the new task SID is not authorized. */
2539 	flush_unauthorized_files(bprm->cred, current->files);
2540 
2541 	/* Always clear parent death signal on SID transitions. */
2542 	current->pdeath_signal = 0;
2543 
2544 	/* Check whether the new SID can inherit resource limits from the old
2545 	 * SID.  If not, reset all soft limits to the lower of the current
2546 	 * task's hard limit and the init task's soft limit.
2547 	 *
2548 	 * Note that the setting of hard limits (even to lower them) can be
2549 	 * controlled by the setrlimit check.  The inclusion of the init task's
2550 	 * soft limit into the computation is to avoid resetting soft limits
2551 	 * higher than the default soft limit for cases where the default is
2552 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2553 	 */
2554 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2555 			  PROCESS__RLIMITINH, NULL);
2556 	if (rc) {
2557 		/* protect against do_prlimit() */
2558 		task_lock(current);
2559 		for (i = 0; i < RLIM_NLIMITS; i++) {
2560 			rlim = current->signal->rlim + i;
2561 			initrlim = init_task.signal->rlim + i;
2562 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2563 		}
2564 		task_unlock(current);
2565 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2566 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2567 	}
2568 }
2569 
2570 /*
2571  * Clean up the process immediately after the installation of new credentials
2572  * due to exec
2573  */
2574 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2575 {
2576 	const struct task_security_struct *tsec = current_security();
2577 	struct itimerval itimer;
2578 	u32 osid, sid;
2579 	int rc, i;
2580 
2581 	osid = tsec->osid;
2582 	sid = tsec->sid;
2583 
2584 	if (sid == osid)
2585 		return;
2586 
2587 	/* Check whether the new SID can inherit signal state from the old SID.
2588 	 * If not, clear itimers to avoid subsequent signal generation and
2589 	 * flush and unblock signals.
2590 	 *
2591 	 * This must occur _after_ the task SID has been updated so that any
2592 	 * kill done after the flush will be checked against the new SID.
2593 	 */
2594 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2595 	if (rc) {
2596 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2597 			memset(&itimer, 0, sizeof itimer);
2598 			for (i = 0; i < 3; i++)
2599 				do_setitimer(i, &itimer, NULL);
2600 		}
2601 		spin_lock_irq(&current->sighand->siglock);
2602 		if (!fatal_signal_pending(current)) {
2603 			flush_sigqueue(&current->pending);
2604 			flush_sigqueue(&current->signal->shared_pending);
2605 			flush_signal_handlers(current, 1);
2606 			sigemptyset(&current->blocked);
2607 			recalc_sigpending();
2608 		}
2609 		spin_unlock_irq(&current->sighand->siglock);
2610 	}
2611 
2612 	/* Wake up the parent if it is waiting so that it can recheck
2613 	 * wait permission to the new task SID. */
2614 	read_lock(&tasklist_lock);
2615 	__wake_up_parent(current, current->real_parent);
2616 	read_unlock(&tasklist_lock);
2617 }
2618 
2619 /* superblock security operations */
2620 
2621 static int selinux_sb_alloc_security(struct super_block *sb)
2622 {
2623 	return superblock_alloc_security(sb);
2624 }
2625 
2626 static void selinux_sb_free_security(struct super_block *sb)
2627 {
2628 	superblock_free_security(sb);
2629 }
2630 
2631 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2632 {
2633 	if (plen > olen)
2634 		return 0;
2635 
2636 	return !memcmp(prefix, option, plen);
2637 }
2638 
2639 static inline int selinux_option(char *option, int len)
2640 {
2641 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2642 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2643 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2644 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2645 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2646 }
2647 
2648 static inline void take_option(char **to, char *from, int *first, int len)
2649 {
2650 	if (!*first) {
2651 		**to = ',';
2652 		*to += 1;
2653 	} else
2654 		*first = 0;
2655 	memcpy(*to, from, len);
2656 	*to += len;
2657 }
2658 
2659 static inline void take_selinux_option(char **to, char *from, int *first,
2660 				       int len)
2661 {
2662 	int current_size = 0;
2663 
2664 	if (!*first) {
2665 		**to = '|';
2666 		*to += 1;
2667 	} else
2668 		*first = 0;
2669 
2670 	while (current_size < len) {
2671 		if (*from != '"') {
2672 			**to = *from;
2673 			*to += 1;
2674 		}
2675 		from += 1;
2676 		current_size += 1;
2677 	}
2678 }
2679 
2680 static int selinux_sb_copy_data(char *orig, char *copy)
2681 {
2682 	int fnosec, fsec, rc = 0;
2683 	char *in_save, *in_curr, *in_end;
2684 	char *sec_curr, *nosec_save, *nosec;
2685 	int open_quote = 0;
2686 
2687 	in_curr = orig;
2688 	sec_curr = copy;
2689 
2690 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2691 	if (!nosec) {
2692 		rc = -ENOMEM;
2693 		goto out;
2694 	}
2695 
2696 	nosec_save = nosec;
2697 	fnosec = fsec = 1;
2698 	in_save = in_end = orig;
2699 
2700 	do {
2701 		if (*in_end == '"')
2702 			open_quote = !open_quote;
2703 		if ((*in_end == ',' && open_quote == 0) ||
2704 				*in_end == '\0') {
2705 			int len = in_end - in_curr;
2706 
2707 			if (selinux_option(in_curr, len))
2708 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2709 			else
2710 				take_option(&nosec, in_curr, &fnosec, len);
2711 
2712 			in_curr = in_end + 1;
2713 		}
2714 	} while (*in_end++);
2715 
2716 	strcpy(in_save, nosec_save);
2717 	free_page((unsigned long)nosec_save);
2718 out:
2719 	return rc;
2720 }
2721 
2722 static int selinux_sb_remount(struct super_block *sb, void *data)
2723 {
2724 	int rc, i, *flags;
2725 	struct security_mnt_opts opts;
2726 	char *secdata, **mount_options;
2727 	struct superblock_security_struct *sbsec = sb->s_security;
2728 
2729 	if (!(sbsec->flags & SE_SBINITIALIZED))
2730 		return 0;
2731 
2732 	if (!data)
2733 		return 0;
2734 
2735 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2736 		return 0;
2737 
2738 	security_init_mnt_opts(&opts);
2739 	secdata = alloc_secdata();
2740 	if (!secdata)
2741 		return -ENOMEM;
2742 	rc = selinux_sb_copy_data(data, secdata);
2743 	if (rc)
2744 		goto out_free_secdata;
2745 
2746 	rc = selinux_parse_opts_str(secdata, &opts);
2747 	if (rc)
2748 		goto out_free_secdata;
2749 
2750 	mount_options = opts.mnt_opts;
2751 	flags = opts.mnt_opts_flags;
2752 
2753 	for (i = 0; i < opts.num_mnt_opts; i++) {
2754 		u32 sid;
2755 
2756 		if (flags[i] == SBLABEL_MNT)
2757 			continue;
2758 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2759 		if (rc) {
2760 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2761 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2762 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2763 			goto out_free_opts;
2764 		}
2765 		rc = -EINVAL;
2766 		switch (flags[i]) {
2767 		case FSCONTEXT_MNT:
2768 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2769 				goto out_bad_option;
2770 			break;
2771 		case CONTEXT_MNT:
2772 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2773 				goto out_bad_option;
2774 			break;
2775 		case ROOTCONTEXT_MNT: {
2776 			struct inode_security_struct *root_isec;
2777 			root_isec = backing_inode_security(sb->s_root);
2778 
2779 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2780 				goto out_bad_option;
2781 			break;
2782 		}
2783 		case DEFCONTEXT_MNT:
2784 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2785 				goto out_bad_option;
2786 			break;
2787 		default:
2788 			goto out_free_opts;
2789 		}
2790 	}
2791 
2792 	rc = 0;
2793 out_free_opts:
2794 	security_free_mnt_opts(&opts);
2795 out_free_secdata:
2796 	free_secdata(secdata);
2797 	return rc;
2798 out_bad_option:
2799 	printk(KERN_WARNING "SELinux: unable to change security options "
2800 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2801 	       sb->s_type->name);
2802 	goto out_free_opts;
2803 }
2804 
2805 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2806 {
2807 	const struct cred *cred = current_cred();
2808 	struct common_audit_data ad;
2809 	int rc;
2810 
2811 	rc = superblock_doinit(sb, data);
2812 	if (rc)
2813 		return rc;
2814 
2815 	/* Allow all mounts performed by the kernel */
2816 	if (flags & MS_KERNMOUNT)
2817 		return 0;
2818 
2819 	ad.type = LSM_AUDIT_DATA_DENTRY;
2820 	ad.u.dentry = sb->s_root;
2821 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2822 }
2823 
2824 static int selinux_sb_statfs(struct dentry *dentry)
2825 {
2826 	const struct cred *cred = current_cred();
2827 	struct common_audit_data ad;
2828 
2829 	ad.type = LSM_AUDIT_DATA_DENTRY;
2830 	ad.u.dentry = dentry->d_sb->s_root;
2831 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2832 }
2833 
2834 static int selinux_mount(const char *dev_name,
2835 			 const struct path *path,
2836 			 const char *type,
2837 			 unsigned long flags,
2838 			 void *data)
2839 {
2840 	const struct cred *cred = current_cred();
2841 
2842 	if (flags & MS_REMOUNT)
2843 		return superblock_has_perm(cred, path->dentry->d_sb,
2844 					   FILESYSTEM__REMOUNT, NULL);
2845 	else
2846 		return path_has_perm(cred, path, FILE__MOUNTON);
2847 }
2848 
2849 static int selinux_umount(struct vfsmount *mnt, int flags)
2850 {
2851 	const struct cred *cred = current_cred();
2852 
2853 	return superblock_has_perm(cred, mnt->mnt_sb,
2854 				   FILESYSTEM__UNMOUNT, NULL);
2855 }
2856 
2857 /* inode security operations */
2858 
2859 static int selinux_inode_alloc_security(struct inode *inode)
2860 {
2861 	return inode_alloc_security(inode);
2862 }
2863 
2864 static void selinux_inode_free_security(struct inode *inode)
2865 {
2866 	inode_free_security(inode);
2867 }
2868 
2869 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2870 					const struct qstr *name, void **ctx,
2871 					u32 *ctxlen)
2872 {
2873 	u32 newsid;
2874 	int rc;
2875 
2876 	rc = selinux_determine_inode_label(current_security(),
2877 					   d_inode(dentry->d_parent), name,
2878 					   inode_mode_to_security_class(mode),
2879 					   &newsid);
2880 	if (rc)
2881 		return rc;
2882 
2883 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2884 }
2885 
2886 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2887 					  struct qstr *name,
2888 					  const struct cred *old,
2889 					  struct cred *new)
2890 {
2891 	u32 newsid;
2892 	int rc;
2893 	struct task_security_struct *tsec;
2894 
2895 	rc = selinux_determine_inode_label(old->security,
2896 					   d_inode(dentry->d_parent), name,
2897 					   inode_mode_to_security_class(mode),
2898 					   &newsid);
2899 	if (rc)
2900 		return rc;
2901 
2902 	tsec = new->security;
2903 	tsec->create_sid = newsid;
2904 	return 0;
2905 }
2906 
2907 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2908 				       const struct qstr *qstr,
2909 				       const char **name,
2910 				       void **value, size_t *len)
2911 {
2912 	const struct task_security_struct *tsec = current_security();
2913 	struct superblock_security_struct *sbsec;
2914 	u32 sid, newsid, clen;
2915 	int rc;
2916 	char *context;
2917 
2918 	sbsec = dir->i_sb->s_security;
2919 
2920 	sid = tsec->sid;
2921 	newsid = tsec->create_sid;
2922 
2923 	rc = selinux_determine_inode_label(current_security(),
2924 		dir, qstr,
2925 		inode_mode_to_security_class(inode->i_mode),
2926 		&newsid);
2927 	if (rc)
2928 		return rc;
2929 
2930 	/* Possibly defer initialization to selinux_complete_init. */
2931 	if (sbsec->flags & SE_SBINITIALIZED) {
2932 		struct inode_security_struct *isec = inode->i_security;
2933 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2934 		isec->sid = newsid;
2935 		isec->initialized = LABEL_INITIALIZED;
2936 	}
2937 
2938 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2939 		return -EOPNOTSUPP;
2940 
2941 	if (name)
2942 		*name = XATTR_SELINUX_SUFFIX;
2943 
2944 	if (value && len) {
2945 		rc = security_sid_to_context_force(newsid, &context, &clen);
2946 		if (rc)
2947 			return rc;
2948 		*value = context;
2949 		*len = clen;
2950 	}
2951 
2952 	return 0;
2953 }
2954 
2955 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2956 {
2957 	return may_create(dir, dentry, SECCLASS_FILE);
2958 }
2959 
2960 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2961 {
2962 	return may_link(dir, old_dentry, MAY_LINK);
2963 }
2964 
2965 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2966 {
2967 	return may_link(dir, dentry, MAY_UNLINK);
2968 }
2969 
2970 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2971 {
2972 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2973 }
2974 
2975 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2976 {
2977 	return may_create(dir, dentry, SECCLASS_DIR);
2978 }
2979 
2980 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2981 {
2982 	return may_link(dir, dentry, MAY_RMDIR);
2983 }
2984 
2985 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2986 {
2987 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2988 }
2989 
2990 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2991 				struct inode *new_inode, struct dentry *new_dentry)
2992 {
2993 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2994 }
2995 
2996 static int selinux_inode_readlink(struct dentry *dentry)
2997 {
2998 	const struct cred *cred = current_cred();
2999 
3000 	return dentry_has_perm(cred, dentry, FILE__READ);
3001 }
3002 
3003 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3004 				     bool rcu)
3005 {
3006 	const struct cred *cred = current_cred();
3007 	struct common_audit_data ad;
3008 	struct inode_security_struct *isec;
3009 	u32 sid;
3010 
3011 	validate_creds(cred);
3012 
3013 	ad.type = LSM_AUDIT_DATA_DENTRY;
3014 	ad.u.dentry = dentry;
3015 	sid = cred_sid(cred);
3016 	isec = inode_security_rcu(inode, rcu);
3017 	if (IS_ERR(isec))
3018 		return PTR_ERR(isec);
3019 
3020 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3021 				  rcu ? MAY_NOT_BLOCK : 0);
3022 }
3023 
3024 static noinline int audit_inode_permission(struct inode *inode,
3025 					   u32 perms, u32 audited, u32 denied,
3026 					   int result,
3027 					   unsigned flags)
3028 {
3029 	struct common_audit_data ad;
3030 	struct inode_security_struct *isec = inode->i_security;
3031 	int rc;
3032 
3033 	ad.type = LSM_AUDIT_DATA_INODE;
3034 	ad.u.inode = inode;
3035 
3036 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3037 			    audited, denied, result, &ad, flags);
3038 	if (rc)
3039 		return rc;
3040 	return 0;
3041 }
3042 
3043 static int selinux_inode_permission(struct inode *inode, int mask)
3044 {
3045 	const struct cred *cred = current_cred();
3046 	u32 perms;
3047 	bool from_access;
3048 	unsigned flags = mask & MAY_NOT_BLOCK;
3049 	struct inode_security_struct *isec;
3050 	u32 sid;
3051 	struct av_decision avd;
3052 	int rc, rc2;
3053 	u32 audited, denied;
3054 
3055 	from_access = mask & MAY_ACCESS;
3056 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3057 
3058 	/* No permission to check.  Existence test. */
3059 	if (!mask)
3060 		return 0;
3061 
3062 	validate_creds(cred);
3063 
3064 	if (unlikely(IS_PRIVATE(inode)))
3065 		return 0;
3066 
3067 	perms = file_mask_to_av(inode->i_mode, mask);
3068 
3069 	sid = cred_sid(cred);
3070 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3071 	if (IS_ERR(isec))
3072 		return PTR_ERR(isec);
3073 
3074 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3075 	audited = avc_audit_required(perms, &avd, rc,
3076 				     from_access ? FILE__AUDIT_ACCESS : 0,
3077 				     &denied);
3078 	if (likely(!audited))
3079 		return rc;
3080 
3081 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3082 	if (rc2)
3083 		return rc2;
3084 	return rc;
3085 }
3086 
3087 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3088 {
3089 	const struct cred *cred = current_cred();
3090 	struct inode *inode = d_backing_inode(dentry);
3091 	unsigned int ia_valid = iattr->ia_valid;
3092 	__u32 av = FILE__WRITE;
3093 
3094 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3095 	if (ia_valid & ATTR_FORCE) {
3096 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3097 			      ATTR_FORCE);
3098 		if (!ia_valid)
3099 			return 0;
3100 	}
3101 
3102 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3103 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3104 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3105 
3106 	if (selinux_policycap_openperm &&
3107 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3108 	    (ia_valid & ATTR_SIZE) &&
3109 	    !(ia_valid & ATTR_FILE))
3110 		av |= FILE__OPEN;
3111 
3112 	return dentry_has_perm(cred, dentry, av);
3113 }
3114 
3115 static int selinux_inode_getattr(const struct path *path)
3116 {
3117 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3118 }
3119 
3120 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3121 {
3122 	const struct cred *cred = current_cred();
3123 
3124 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3125 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3126 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3127 			if (!capable(CAP_SETFCAP))
3128 				return -EPERM;
3129 		} else if (!capable(CAP_SYS_ADMIN)) {
3130 			/* A different attribute in the security namespace.
3131 			   Restrict to administrator. */
3132 			return -EPERM;
3133 		}
3134 	}
3135 
3136 	/* Not an attribute we recognize, so just check the
3137 	   ordinary setattr permission. */
3138 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3139 }
3140 
3141 static bool has_cap_mac_admin(bool audit)
3142 {
3143 	const struct cred *cred = current_cred();
3144 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3145 
3146 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3147 		return false;
3148 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3149 		return false;
3150 	return true;
3151 }
3152 
3153 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3154 				  const void *value, size_t size, int flags)
3155 {
3156 	struct inode *inode = d_backing_inode(dentry);
3157 	struct inode_security_struct *isec;
3158 	struct superblock_security_struct *sbsec;
3159 	struct common_audit_data ad;
3160 	u32 newsid, sid = current_sid();
3161 	int rc = 0;
3162 
3163 	if (strcmp(name, XATTR_NAME_SELINUX))
3164 		return selinux_inode_setotherxattr(dentry, name);
3165 
3166 	sbsec = inode->i_sb->s_security;
3167 	if (!(sbsec->flags & SBLABEL_MNT))
3168 		return -EOPNOTSUPP;
3169 
3170 	if (!inode_owner_or_capable(inode))
3171 		return -EPERM;
3172 
3173 	ad.type = LSM_AUDIT_DATA_DENTRY;
3174 	ad.u.dentry = dentry;
3175 
3176 	isec = backing_inode_security(dentry);
3177 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3178 			  FILE__RELABELFROM, &ad);
3179 	if (rc)
3180 		return rc;
3181 
3182 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3183 	if (rc == -EINVAL) {
3184 		if (!has_cap_mac_admin(true)) {
3185 			struct audit_buffer *ab;
3186 			size_t audit_size;
3187 			const char *str;
3188 
3189 			/* We strip a nul only if it is at the end, otherwise the
3190 			 * context contains a nul and we should audit that */
3191 			if (value) {
3192 				str = value;
3193 				if (str[size - 1] == '\0')
3194 					audit_size = size - 1;
3195 				else
3196 					audit_size = size;
3197 			} else {
3198 				str = "";
3199 				audit_size = 0;
3200 			}
3201 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3202 			audit_log_format(ab, "op=setxattr invalid_context=");
3203 			audit_log_n_untrustedstring(ab, value, audit_size);
3204 			audit_log_end(ab);
3205 
3206 			return rc;
3207 		}
3208 		rc = security_context_to_sid_force(value, size, &newsid);
3209 	}
3210 	if (rc)
3211 		return rc;
3212 
3213 	rc = avc_has_perm(sid, newsid, isec->sclass,
3214 			  FILE__RELABELTO, &ad);
3215 	if (rc)
3216 		return rc;
3217 
3218 	rc = security_validate_transition(isec->sid, newsid, sid,
3219 					  isec->sclass);
3220 	if (rc)
3221 		return rc;
3222 
3223 	return avc_has_perm(newsid,
3224 			    sbsec->sid,
3225 			    SECCLASS_FILESYSTEM,
3226 			    FILESYSTEM__ASSOCIATE,
3227 			    &ad);
3228 }
3229 
3230 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3231 					const void *value, size_t size,
3232 					int flags)
3233 {
3234 	struct inode *inode = d_backing_inode(dentry);
3235 	struct inode_security_struct *isec;
3236 	u32 newsid;
3237 	int rc;
3238 
3239 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3240 		/* Not an attribute we recognize, so nothing to do. */
3241 		return;
3242 	}
3243 
3244 	rc = security_context_to_sid_force(value, size, &newsid);
3245 	if (rc) {
3246 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3247 		       "for (%s, %lu), rc=%d\n",
3248 		       inode->i_sb->s_id, inode->i_ino, -rc);
3249 		return;
3250 	}
3251 
3252 	isec = backing_inode_security(dentry);
3253 	spin_lock(&isec->lock);
3254 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3255 	isec->sid = newsid;
3256 	isec->initialized = LABEL_INITIALIZED;
3257 	spin_unlock(&isec->lock);
3258 
3259 	return;
3260 }
3261 
3262 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3263 {
3264 	const struct cred *cred = current_cred();
3265 
3266 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3267 }
3268 
3269 static int selinux_inode_listxattr(struct dentry *dentry)
3270 {
3271 	const struct cred *cred = current_cred();
3272 
3273 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3274 }
3275 
3276 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3277 {
3278 	if (strcmp(name, XATTR_NAME_SELINUX))
3279 		return selinux_inode_setotherxattr(dentry, name);
3280 
3281 	/* No one is allowed to remove a SELinux security label.
3282 	   You can change the label, but all data must be labeled. */
3283 	return -EACCES;
3284 }
3285 
3286 /*
3287  * Copy the inode security context value to the user.
3288  *
3289  * Permission check is handled by selinux_inode_getxattr hook.
3290  */
3291 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3292 {
3293 	u32 size;
3294 	int error;
3295 	char *context = NULL;
3296 	struct inode_security_struct *isec;
3297 
3298 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3299 		return -EOPNOTSUPP;
3300 
3301 	/*
3302 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3303 	 * value even if it is not defined by current policy; otherwise,
3304 	 * use the in-core value under current policy.
3305 	 * Use the non-auditing forms of the permission checks since
3306 	 * getxattr may be called by unprivileged processes commonly
3307 	 * and lack of permission just means that we fall back to the
3308 	 * in-core context value, not a denial.
3309 	 */
3310 	isec = inode_security(inode);
3311 	if (has_cap_mac_admin(false))
3312 		error = security_sid_to_context_force(isec->sid, &context,
3313 						      &size);
3314 	else
3315 		error = security_sid_to_context(isec->sid, &context, &size);
3316 	if (error)
3317 		return error;
3318 	error = size;
3319 	if (alloc) {
3320 		*buffer = context;
3321 		goto out_nofree;
3322 	}
3323 	kfree(context);
3324 out_nofree:
3325 	return error;
3326 }
3327 
3328 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3329 				     const void *value, size_t size, int flags)
3330 {
3331 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3332 	u32 newsid;
3333 	int rc;
3334 
3335 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3336 		return -EOPNOTSUPP;
3337 
3338 	if (!value || !size)
3339 		return -EACCES;
3340 
3341 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3342 	if (rc)
3343 		return rc;
3344 
3345 	spin_lock(&isec->lock);
3346 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3347 	isec->sid = newsid;
3348 	isec->initialized = LABEL_INITIALIZED;
3349 	spin_unlock(&isec->lock);
3350 	return 0;
3351 }
3352 
3353 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3354 {
3355 	const int len = sizeof(XATTR_NAME_SELINUX);
3356 	if (buffer && len <= buffer_size)
3357 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3358 	return len;
3359 }
3360 
3361 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3362 {
3363 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3364 	*secid = isec->sid;
3365 }
3366 
3367 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3368 {
3369 	u32 sid;
3370 	struct task_security_struct *tsec;
3371 	struct cred *new_creds = *new;
3372 
3373 	if (new_creds == NULL) {
3374 		new_creds = prepare_creds();
3375 		if (!new_creds)
3376 			return -ENOMEM;
3377 	}
3378 
3379 	tsec = new_creds->security;
3380 	/* Get label from overlay inode and set it in create_sid */
3381 	selinux_inode_getsecid(d_inode(src), &sid);
3382 	tsec->create_sid = sid;
3383 	*new = new_creds;
3384 	return 0;
3385 }
3386 
3387 static int selinux_inode_copy_up_xattr(const char *name)
3388 {
3389 	/* The copy_up hook above sets the initial context on an inode, but we
3390 	 * don't then want to overwrite it by blindly copying all the lower
3391 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3392 	 */
3393 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3394 		return 1; /* Discard */
3395 	/*
3396 	 * Any other attribute apart from SELINUX is not claimed, supported
3397 	 * by selinux.
3398 	 */
3399 	return -EOPNOTSUPP;
3400 }
3401 
3402 /* file security operations */
3403 
3404 static int selinux_revalidate_file_permission(struct file *file, int mask)
3405 {
3406 	const struct cred *cred = current_cred();
3407 	struct inode *inode = file_inode(file);
3408 
3409 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3410 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3411 		mask |= MAY_APPEND;
3412 
3413 	return file_has_perm(cred, file,
3414 			     file_mask_to_av(inode->i_mode, mask));
3415 }
3416 
3417 static int selinux_file_permission(struct file *file, int mask)
3418 {
3419 	struct inode *inode = file_inode(file);
3420 	struct file_security_struct *fsec = file->f_security;
3421 	struct inode_security_struct *isec;
3422 	u32 sid = current_sid();
3423 
3424 	if (!mask)
3425 		/* No permission to check.  Existence test. */
3426 		return 0;
3427 
3428 	isec = inode_security(inode);
3429 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3430 	    fsec->pseqno == avc_policy_seqno())
3431 		/* No change since file_open check. */
3432 		return 0;
3433 
3434 	return selinux_revalidate_file_permission(file, mask);
3435 }
3436 
3437 static int selinux_file_alloc_security(struct file *file)
3438 {
3439 	return file_alloc_security(file);
3440 }
3441 
3442 static void selinux_file_free_security(struct file *file)
3443 {
3444 	file_free_security(file);
3445 }
3446 
3447 /*
3448  * Check whether a task has the ioctl permission and cmd
3449  * operation to an inode.
3450  */
3451 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3452 		u32 requested, u16 cmd)
3453 {
3454 	struct common_audit_data ad;
3455 	struct file_security_struct *fsec = file->f_security;
3456 	struct inode *inode = file_inode(file);
3457 	struct inode_security_struct *isec;
3458 	struct lsm_ioctlop_audit ioctl;
3459 	u32 ssid = cred_sid(cred);
3460 	int rc;
3461 	u8 driver = cmd >> 8;
3462 	u8 xperm = cmd & 0xff;
3463 
3464 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3465 	ad.u.op = &ioctl;
3466 	ad.u.op->cmd = cmd;
3467 	ad.u.op->path = file->f_path;
3468 
3469 	if (ssid != fsec->sid) {
3470 		rc = avc_has_perm(ssid, fsec->sid,
3471 				SECCLASS_FD,
3472 				FD__USE,
3473 				&ad);
3474 		if (rc)
3475 			goto out;
3476 	}
3477 
3478 	if (unlikely(IS_PRIVATE(inode)))
3479 		return 0;
3480 
3481 	isec = inode_security(inode);
3482 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3483 			requested, driver, xperm, &ad);
3484 out:
3485 	return rc;
3486 }
3487 
3488 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3489 			      unsigned long arg)
3490 {
3491 	const struct cred *cred = current_cred();
3492 	int error = 0;
3493 
3494 	switch (cmd) {
3495 	case FIONREAD:
3496 	/* fall through */
3497 	case FIBMAP:
3498 	/* fall through */
3499 	case FIGETBSZ:
3500 	/* fall through */
3501 	case FS_IOC_GETFLAGS:
3502 	/* fall through */
3503 	case FS_IOC_GETVERSION:
3504 		error = file_has_perm(cred, file, FILE__GETATTR);
3505 		break;
3506 
3507 	case FS_IOC_SETFLAGS:
3508 	/* fall through */
3509 	case FS_IOC_SETVERSION:
3510 		error = file_has_perm(cred, file, FILE__SETATTR);
3511 		break;
3512 
3513 	/* sys_ioctl() checks */
3514 	case FIONBIO:
3515 	/* fall through */
3516 	case FIOASYNC:
3517 		error = file_has_perm(cred, file, 0);
3518 		break;
3519 
3520 	case KDSKBENT:
3521 	case KDSKBSENT:
3522 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3523 					    SECURITY_CAP_AUDIT, true);
3524 		break;
3525 
3526 	/* default case assumes that the command will go
3527 	 * to the file's ioctl() function.
3528 	 */
3529 	default:
3530 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3531 	}
3532 	return error;
3533 }
3534 
3535 static int default_noexec;
3536 
3537 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3538 {
3539 	const struct cred *cred = current_cred();
3540 	u32 sid = cred_sid(cred);
3541 	int rc = 0;
3542 
3543 	if (default_noexec &&
3544 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3545 				   (!shared && (prot & PROT_WRITE)))) {
3546 		/*
3547 		 * We are making executable an anonymous mapping or a
3548 		 * private file mapping that will also be writable.
3549 		 * This has an additional check.
3550 		 */
3551 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3552 				  PROCESS__EXECMEM, NULL);
3553 		if (rc)
3554 			goto error;
3555 	}
3556 
3557 	if (file) {
3558 		/* read access is always possible with a mapping */
3559 		u32 av = FILE__READ;
3560 
3561 		/* write access only matters if the mapping is shared */
3562 		if (shared && (prot & PROT_WRITE))
3563 			av |= FILE__WRITE;
3564 
3565 		if (prot & PROT_EXEC)
3566 			av |= FILE__EXECUTE;
3567 
3568 		return file_has_perm(cred, file, av);
3569 	}
3570 
3571 error:
3572 	return rc;
3573 }
3574 
3575 static int selinux_mmap_addr(unsigned long addr)
3576 {
3577 	int rc = 0;
3578 
3579 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3580 		u32 sid = current_sid();
3581 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3582 				  MEMPROTECT__MMAP_ZERO, NULL);
3583 	}
3584 
3585 	return rc;
3586 }
3587 
3588 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3589 			     unsigned long prot, unsigned long flags)
3590 {
3591 	struct common_audit_data ad;
3592 	int rc;
3593 
3594 	if (file) {
3595 		ad.type = LSM_AUDIT_DATA_FILE;
3596 		ad.u.file = file;
3597 		rc = inode_has_perm(current_cred(), file_inode(file),
3598 				    FILE__MAP, &ad);
3599 		if (rc)
3600 			return rc;
3601 	}
3602 
3603 	if (selinux_checkreqprot)
3604 		prot = reqprot;
3605 
3606 	return file_map_prot_check(file, prot,
3607 				   (flags & MAP_TYPE) == MAP_SHARED);
3608 }
3609 
3610 static int selinux_file_mprotect(struct vm_area_struct *vma,
3611 				 unsigned long reqprot,
3612 				 unsigned long prot)
3613 {
3614 	const struct cred *cred = current_cred();
3615 	u32 sid = cred_sid(cred);
3616 
3617 	if (selinux_checkreqprot)
3618 		prot = reqprot;
3619 
3620 	if (default_noexec &&
3621 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3622 		int rc = 0;
3623 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3624 		    vma->vm_end <= vma->vm_mm->brk) {
3625 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3626 					  PROCESS__EXECHEAP, NULL);
3627 		} else if (!vma->vm_file &&
3628 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3629 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3630 			    vma_is_stack_for_current(vma))) {
3631 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3632 					  PROCESS__EXECSTACK, NULL);
3633 		} else if (vma->vm_file && vma->anon_vma) {
3634 			/*
3635 			 * We are making executable a file mapping that has
3636 			 * had some COW done. Since pages might have been
3637 			 * written, check ability to execute the possibly
3638 			 * modified content.  This typically should only
3639 			 * occur for text relocations.
3640 			 */
3641 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3642 		}
3643 		if (rc)
3644 			return rc;
3645 	}
3646 
3647 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3648 }
3649 
3650 static int selinux_file_lock(struct file *file, unsigned int cmd)
3651 {
3652 	const struct cred *cred = current_cred();
3653 
3654 	return file_has_perm(cred, file, FILE__LOCK);
3655 }
3656 
3657 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3658 			      unsigned long arg)
3659 {
3660 	const struct cred *cred = current_cred();
3661 	int err = 0;
3662 
3663 	switch (cmd) {
3664 	case F_SETFL:
3665 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3666 			err = file_has_perm(cred, file, FILE__WRITE);
3667 			break;
3668 		}
3669 		/* fall through */
3670 	case F_SETOWN:
3671 	case F_SETSIG:
3672 	case F_GETFL:
3673 	case F_GETOWN:
3674 	case F_GETSIG:
3675 	case F_GETOWNER_UIDS:
3676 		/* Just check FD__USE permission */
3677 		err = file_has_perm(cred, file, 0);
3678 		break;
3679 	case F_GETLK:
3680 	case F_SETLK:
3681 	case F_SETLKW:
3682 	case F_OFD_GETLK:
3683 	case F_OFD_SETLK:
3684 	case F_OFD_SETLKW:
3685 #if BITS_PER_LONG == 32
3686 	case F_GETLK64:
3687 	case F_SETLK64:
3688 	case F_SETLKW64:
3689 #endif
3690 		err = file_has_perm(cred, file, FILE__LOCK);
3691 		break;
3692 	}
3693 
3694 	return err;
3695 }
3696 
3697 static void selinux_file_set_fowner(struct file *file)
3698 {
3699 	struct file_security_struct *fsec;
3700 
3701 	fsec = file->f_security;
3702 	fsec->fown_sid = current_sid();
3703 }
3704 
3705 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3706 				       struct fown_struct *fown, int signum)
3707 {
3708 	struct file *file;
3709 	u32 sid = task_sid(tsk);
3710 	u32 perm;
3711 	struct file_security_struct *fsec;
3712 
3713 	/* struct fown_struct is never outside the context of a struct file */
3714 	file = container_of(fown, struct file, f_owner);
3715 
3716 	fsec = file->f_security;
3717 
3718 	if (!signum)
3719 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3720 	else
3721 		perm = signal_to_av(signum);
3722 
3723 	return avc_has_perm(fsec->fown_sid, sid,
3724 			    SECCLASS_PROCESS, perm, NULL);
3725 }
3726 
3727 static int selinux_file_receive(struct file *file)
3728 {
3729 	const struct cred *cred = current_cred();
3730 
3731 	return file_has_perm(cred, file, file_to_av(file));
3732 }
3733 
3734 static int selinux_file_open(struct file *file, const struct cred *cred)
3735 {
3736 	struct file_security_struct *fsec;
3737 	struct inode_security_struct *isec;
3738 
3739 	fsec = file->f_security;
3740 	isec = inode_security(file_inode(file));
3741 	/*
3742 	 * Save inode label and policy sequence number
3743 	 * at open-time so that selinux_file_permission
3744 	 * can determine whether revalidation is necessary.
3745 	 * Task label is already saved in the file security
3746 	 * struct as its SID.
3747 	 */
3748 	fsec->isid = isec->sid;
3749 	fsec->pseqno = avc_policy_seqno();
3750 	/*
3751 	 * Since the inode label or policy seqno may have changed
3752 	 * between the selinux_inode_permission check and the saving
3753 	 * of state above, recheck that access is still permitted.
3754 	 * Otherwise, access might never be revalidated against the
3755 	 * new inode label or new policy.
3756 	 * This check is not redundant - do not remove.
3757 	 */
3758 	return file_path_has_perm(cred, file, open_file_to_av(file));
3759 }
3760 
3761 /* task security operations */
3762 
3763 static int selinux_task_alloc(struct task_struct *task,
3764 			      unsigned long clone_flags)
3765 {
3766 	u32 sid = current_sid();
3767 
3768 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3769 }
3770 
3771 /*
3772  * allocate the SELinux part of blank credentials
3773  */
3774 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3775 {
3776 	struct task_security_struct *tsec;
3777 
3778 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3779 	if (!tsec)
3780 		return -ENOMEM;
3781 
3782 	cred->security = tsec;
3783 	return 0;
3784 }
3785 
3786 /*
3787  * detach and free the LSM part of a set of credentials
3788  */
3789 static void selinux_cred_free(struct cred *cred)
3790 {
3791 	struct task_security_struct *tsec = cred->security;
3792 
3793 	/*
3794 	 * cred->security == NULL if security_cred_alloc_blank() or
3795 	 * security_prepare_creds() returned an error.
3796 	 */
3797 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3798 	cred->security = (void *) 0x7UL;
3799 	kfree(tsec);
3800 }
3801 
3802 /*
3803  * prepare a new set of credentials for modification
3804  */
3805 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3806 				gfp_t gfp)
3807 {
3808 	const struct task_security_struct *old_tsec;
3809 	struct task_security_struct *tsec;
3810 
3811 	old_tsec = old->security;
3812 
3813 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3814 	if (!tsec)
3815 		return -ENOMEM;
3816 
3817 	new->security = tsec;
3818 	return 0;
3819 }
3820 
3821 /*
3822  * transfer the SELinux data to a blank set of creds
3823  */
3824 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3825 {
3826 	const struct task_security_struct *old_tsec = old->security;
3827 	struct task_security_struct *tsec = new->security;
3828 
3829 	*tsec = *old_tsec;
3830 }
3831 
3832 /*
3833  * set the security data for a kernel service
3834  * - all the creation contexts are set to unlabelled
3835  */
3836 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3837 {
3838 	struct task_security_struct *tsec = new->security;
3839 	u32 sid = current_sid();
3840 	int ret;
3841 
3842 	ret = avc_has_perm(sid, secid,
3843 			   SECCLASS_KERNEL_SERVICE,
3844 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3845 			   NULL);
3846 	if (ret == 0) {
3847 		tsec->sid = secid;
3848 		tsec->create_sid = 0;
3849 		tsec->keycreate_sid = 0;
3850 		tsec->sockcreate_sid = 0;
3851 	}
3852 	return ret;
3853 }
3854 
3855 /*
3856  * set the file creation context in a security record to the same as the
3857  * objective context of the specified inode
3858  */
3859 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3860 {
3861 	struct inode_security_struct *isec = inode_security(inode);
3862 	struct task_security_struct *tsec = new->security;
3863 	u32 sid = current_sid();
3864 	int ret;
3865 
3866 	ret = avc_has_perm(sid, isec->sid,
3867 			   SECCLASS_KERNEL_SERVICE,
3868 			   KERNEL_SERVICE__CREATE_FILES_AS,
3869 			   NULL);
3870 
3871 	if (ret == 0)
3872 		tsec->create_sid = isec->sid;
3873 	return ret;
3874 }
3875 
3876 static int selinux_kernel_module_request(char *kmod_name)
3877 {
3878 	struct common_audit_data ad;
3879 
3880 	ad.type = LSM_AUDIT_DATA_KMOD;
3881 	ad.u.kmod_name = kmod_name;
3882 
3883 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3884 			    SYSTEM__MODULE_REQUEST, &ad);
3885 }
3886 
3887 static int selinux_kernel_module_from_file(struct file *file)
3888 {
3889 	struct common_audit_data ad;
3890 	struct inode_security_struct *isec;
3891 	struct file_security_struct *fsec;
3892 	u32 sid = current_sid();
3893 	int rc;
3894 
3895 	/* init_module */
3896 	if (file == NULL)
3897 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3898 					SYSTEM__MODULE_LOAD, NULL);
3899 
3900 	/* finit_module */
3901 
3902 	ad.type = LSM_AUDIT_DATA_FILE;
3903 	ad.u.file = file;
3904 
3905 	fsec = file->f_security;
3906 	if (sid != fsec->sid) {
3907 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3908 		if (rc)
3909 			return rc;
3910 	}
3911 
3912 	isec = inode_security(file_inode(file));
3913 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3914 				SYSTEM__MODULE_LOAD, &ad);
3915 }
3916 
3917 static int selinux_kernel_read_file(struct file *file,
3918 				    enum kernel_read_file_id id)
3919 {
3920 	int rc = 0;
3921 
3922 	switch (id) {
3923 	case READING_MODULE:
3924 		rc = selinux_kernel_module_from_file(file);
3925 		break;
3926 	default:
3927 		break;
3928 	}
3929 
3930 	return rc;
3931 }
3932 
3933 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3934 {
3935 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3936 			    PROCESS__SETPGID, NULL);
3937 }
3938 
3939 static int selinux_task_getpgid(struct task_struct *p)
3940 {
3941 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3942 			    PROCESS__GETPGID, NULL);
3943 }
3944 
3945 static int selinux_task_getsid(struct task_struct *p)
3946 {
3947 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3948 			    PROCESS__GETSESSION, NULL);
3949 }
3950 
3951 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3952 {
3953 	*secid = task_sid(p);
3954 }
3955 
3956 static int selinux_task_setnice(struct task_struct *p, int nice)
3957 {
3958 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3959 			    PROCESS__SETSCHED, NULL);
3960 }
3961 
3962 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3963 {
3964 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3965 			    PROCESS__SETSCHED, NULL);
3966 }
3967 
3968 static int selinux_task_getioprio(struct task_struct *p)
3969 {
3970 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3971 			    PROCESS__GETSCHED, NULL);
3972 }
3973 
3974 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3975 			 unsigned int flags)
3976 {
3977 	u32 av = 0;
3978 
3979 	if (!flags)
3980 		return 0;
3981 	if (flags & LSM_PRLIMIT_WRITE)
3982 		av |= PROCESS__SETRLIMIT;
3983 	if (flags & LSM_PRLIMIT_READ)
3984 		av |= PROCESS__GETRLIMIT;
3985 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3986 			    SECCLASS_PROCESS, av, NULL);
3987 }
3988 
3989 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3990 		struct rlimit *new_rlim)
3991 {
3992 	struct rlimit *old_rlim = p->signal->rlim + resource;
3993 
3994 	/* Control the ability to change the hard limit (whether
3995 	   lowering or raising it), so that the hard limit can
3996 	   later be used as a safe reset point for the soft limit
3997 	   upon context transitions.  See selinux_bprm_committing_creds. */
3998 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3999 		return avc_has_perm(current_sid(), task_sid(p),
4000 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4001 
4002 	return 0;
4003 }
4004 
4005 static int selinux_task_setscheduler(struct task_struct *p)
4006 {
4007 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4008 			    PROCESS__SETSCHED, NULL);
4009 }
4010 
4011 static int selinux_task_getscheduler(struct task_struct *p)
4012 {
4013 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4014 			    PROCESS__GETSCHED, NULL);
4015 }
4016 
4017 static int selinux_task_movememory(struct task_struct *p)
4018 {
4019 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4020 			    PROCESS__SETSCHED, NULL);
4021 }
4022 
4023 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4024 				int sig, u32 secid)
4025 {
4026 	u32 perm;
4027 
4028 	if (!sig)
4029 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4030 	else
4031 		perm = signal_to_av(sig);
4032 	if (!secid)
4033 		secid = current_sid();
4034 	return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4035 }
4036 
4037 static void selinux_task_to_inode(struct task_struct *p,
4038 				  struct inode *inode)
4039 {
4040 	struct inode_security_struct *isec = inode->i_security;
4041 	u32 sid = task_sid(p);
4042 
4043 	spin_lock(&isec->lock);
4044 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4045 	isec->sid = sid;
4046 	isec->initialized = LABEL_INITIALIZED;
4047 	spin_unlock(&isec->lock);
4048 }
4049 
4050 /* Returns error only if unable to parse addresses */
4051 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4052 			struct common_audit_data *ad, u8 *proto)
4053 {
4054 	int offset, ihlen, ret = -EINVAL;
4055 	struct iphdr _iph, *ih;
4056 
4057 	offset = skb_network_offset(skb);
4058 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4059 	if (ih == NULL)
4060 		goto out;
4061 
4062 	ihlen = ih->ihl * 4;
4063 	if (ihlen < sizeof(_iph))
4064 		goto out;
4065 
4066 	ad->u.net->v4info.saddr = ih->saddr;
4067 	ad->u.net->v4info.daddr = ih->daddr;
4068 	ret = 0;
4069 
4070 	if (proto)
4071 		*proto = ih->protocol;
4072 
4073 	switch (ih->protocol) {
4074 	case IPPROTO_TCP: {
4075 		struct tcphdr _tcph, *th;
4076 
4077 		if (ntohs(ih->frag_off) & IP_OFFSET)
4078 			break;
4079 
4080 		offset += ihlen;
4081 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4082 		if (th == NULL)
4083 			break;
4084 
4085 		ad->u.net->sport = th->source;
4086 		ad->u.net->dport = th->dest;
4087 		break;
4088 	}
4089 
4090 	case IPPROTO_UDP: {
4091 		struct udphdr _udph, *uh;
4092 
4093 		if (ntohs(ih->frag_off) & IP_OFFSET)
4094 			break;
4095 
4096 		offset += ihlen;
4097 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4098 		if (uh == NULL)
4099 			break;
4100 
4101 		ad->u.net->sport = uh->source;
4102 		ad->u.net->dport = uh->dest;
4103 		break;
4104 	}
4105 
4106 	case IPPROTO_DCCP: {
4107 		struct dccp_hdr _dccph, *dh;
4108 
4109 		if (ntohs(ih->frag_off) & IP_OFFSET)
4110 			break;
4111 
4112 		offset += ihlen;
4113 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4114 		if (dh == NULL)
4115 			break;
4116 
4117 		ad->u.net->sport = dh->dccph_sport;
4118 		ad->u.net->dport = dh->dccph_dport;
4119 		break;
4120 	}
4121 
4122 	default:
4123 		break;
4124 	}
4125 out:
4126 	return ret;
4127 }
4128 
4129 #if IS_ENABLED(CONFIG_IPV6)
4130 
4131 /* Returns error only if unable to parse addresses */
4132 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4133 			struct common_audit_data *ad, u8 *proto)
4134 {
4135 	u8 nexthdr;
4136 	int ret = -EINVAL, offset;
4137 	struct ipv6hdr _ipv6h, *ip6;
4138 	__be16 frag_off;
4139 
4140 	offset = skb_network_offset(skb);
4141 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4142 	if (ip6 == NULL)
4143 		goto out;
4144 
4145 	ad->u.net->v6info.saddr = ip6->saddr;
4146 	ad->u.net->v6info.daddr = ip6->daddr;
4147 	ret = 0;
4148 
4149 	nexthdr = ip6->nexthdr;
4150 	offset += sizeof(_ipv6h);
4151 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4152 	if (offset < 0)
4153 		goto out;
4154 
4155 	if (proto)
4156 		*proto = nexthdr;
4157 
4158 	switch (nexthdr) {
4159 	case IPPROTO_TCP: {
4160 		struct tcphdr _tcph, *th;
4161 
4162 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4163 		if (th == NULL)
4164 			break;
4165 
4166 		ad->u.net->sport = th->source;
4167 		ad->u.net->dport = th->dest;
4168 		break;
4169 	}
4170 
4171 	case IPPROTO_UDP: {
4172 		struct udphdr _udph, *uh;
4173 
4174 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4175 		if (uh == NULL)
4176 			break;
4177 
4178 		ad->u.net->sport = uh->source;
4179 		ad->u.net->dport = uh->dest;
4180 		break;
4181 	}
4182 
4183 	case IPPROTO_DCCP: {
4184 		struct dccp_hdr _dccph, *dh;
4185 
4186 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4187 		if (dh == NULL)
4188 			break;
4189 
4190 		ad->u.net->sport = dh->dccph_sport;
4191 		ad->u.net->dport = dh->dccph_dport;
4192 		break;
4193 	}
4194 
4195 	/* includes fragments */
4196 	default:
4197 		break;
4198 	}
4199 out:
4200 	return ret;
4201 }
4202 
4203 #endif /* IPV6 */
4204 
4205 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4206 			     char **_addrp, int src, u8 *proto)
4207 {
4208 	char *addrp;
4209 	int ret;
4210 
4211 	switch (ad->u.net->family) {
4212 	case PF_INET:
4213 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4214 		if (ret)
4215 			goto parse_error;
4216 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4217 				       &ad->u.net->v4info.daddr);
4218 		goto okay;
4219 
4220 #if IS_ENABLED(CONFIG_IPV6)
4221 	case PF_INET6:
4222 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4223 		if (ret)
4224 			goto parse_error;
4225 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4226 				       &ad->u.net->v6info.daddr);
4227 		goto okay;
4228 #endif	/* IPV6 */
4229 	default:
4230 		addrp = NULL;
4231 		goto okay;
4232 	}
4233 
4234 parse_error:
4235 	printk(KERN_WARNING
4236 	       "SELinux: failure in selinux_parse_skb(),"
4237 	       " unable to parse packet\n");
4238 	return ret;
4239 
4240 okay:
4241 	if (_addrp)
4242 		*_addrp = addrp;
4243 	return 0;
4244 }
4245 
4246 /**
4247  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4248  * @skb: the packet
4249  * @family: protocol family
4250  * @sid: the packet's peer label SID
4251  *
4252  * Description:
4253  * Check the various different forms of network peer labeling and determine
4254  * the peer label/SID for the packet; most of the magic actually occurs in
4255  * the security server function security_net_peersid_cmp().  The function
4256  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4257  * or -EACCES if @sid is invalid due to inconsistencies with the different
4258  * peer labels.
4259  *
4260  */
4261 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4262 {
4263 	int err;
4264 	u32 xfrm_sid;
4265 	u32 nlbl_sid;
4266 	u32 nlbl_type;
4267 
4268 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4269 	if (unlikely(err))
4270 		return -EACCES;
4271 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4272 	if (unlikely(err))
4273 		return -EACCES;
4274 
4275 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4276 	if (unlikely(err)) {
4277 		printk(KERN_WARNING
4278 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4279 		       " unable to determine packet's peer label\n");
4280 		return -EACCES;
4281 	}
4282 
4283 	return 0;
4284 }
4285 
4286 /**
4287  * selinux_conn_sid - Determine the child socket label for a connection
4288  * @sk_sid: the parent socket's SID
4289  * @skb_sid: the packet's SID
4290  * @conn_sid: the resulting connection SID
4291  *
4292  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4293  * combined with the MLS information from @skb_sid in order to create
4294  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4295  * of @sk_sid.  Returns zero on success, negative values on failure.
4296  *
4297  */
4298 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4299 {
4300 	int err = 0;
4301 
4302 	if (skb_sid != SECSID_NULL)
4303 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4304 	else
4305 		*conn_sid = sk_sid;
4306 
4307 	return err;
4308 }
4309 
4310 /* socket security operations */
4311 
4312 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4313 				 u16 secclass, u32 *socksid)
4314 {
4315 	if (tsec->sockcreate_sid > SECSID_NULL) {
4316 		*socksid = tsec->sockcreate_sid;
4317 		return 0;
4318 	}
4319 
4320 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4321 				       socksid);
4322 }
4323 
4324 static int sock_has_perm(struct sock *sk, u32 perms)
4325 {
4326 	struct sk_security_struct *sksec = sk->sk_security;
4327 	struct common_audit_data ad;
4328 	struct lsm_network_audit net = {0,};
4329 
4330 	if (sksec->sid == SECINITSID_KERNEL)
4331 		return 0;
4332 
4333 	ad.type = LSM_AUDIT_DATA_NET;
4334 	ad.u.net = &net;
4335 	ad.u.net->sk = sk;
4336 
4337 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4338 			    &ad);
4339 }
4340 
4341 static int selinux_socket_create(int family, int type,
4342 				 int protocol, int kern)
4343 {
4344 	const struct task_security_struct *tsec = current_security();
4345 	u32 newsid;
4346 	u16 secclass;
4347 	int rc;
4348 
4349 	if (kern)
4350 		return 0;
4351 
4352 	secclass = socket_type_to_security_class(family, type, protocol);
4353 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4354 	if (rc)
4355 		return rc;
4356 
4357 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4358 }
4359 
4360 static int selinux_socket_post_create(struct socket *sock, int family,
4361 				      int type, int protocol, int kern)
4362 {
4363 	const struct task_security_struct *tsec = current_security();
4364 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4365 	struct sk_security_struct *sksec;
4366 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4367 	u32 sid = SECINITSID_KERNEL;
4368 	int err = 0;
4369 
4370 	if (!kern) {
4371 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4372 		if (err)
4373 			return err;
4374 	}
4375 
4376 	isec->sclass = sclass;
4377 	isec->sid = sid;
4378 	isec->initialized = LABEL_INITIALIZED;
4379 
4380 	if (sock->sk) {
4381 		sksec = sock->sk->sk_security;
4382 		sksec->sclass = sclass;
4383 		sksec->sid = sid;
4384 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4385 	}
4386 
4387 	return err;
4388 }
4389 
4390 /* Range of port numbers used to automatically bind.
4391    Need to determine whether we should perform a name_bind
4392    permission check between the socket and the port number. */
4393 
4394 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4395 {
4396 	struct sock *sk = sock->sk;
4397 	u16 family;
4398 	int err;
4399 
4400 	err = sock_has_perm(sk, SOCKET__BIND);
4401 	if (err)
4402 		goto out;
4403 
4404 	/*
4405 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4406 	 * Multiple address binding for SCTP is not supported yet: we just
4407 	 * check the first address now.
4408 	 */
4409 	family = sk->sk_family;
4410 	if (family == PF_INET || family == PF_INET6) {
4411 		char *addrp;
4412 		struct sk_security_struct *sksec = sk->sk_security;
4413 		struct common_audit_data ad;
4414 		struct lsm_network_audit net = {0,};
4415 		struct sockaddr_in *addr4 = NULL;
4416 		struct sockaddr_in6 *addr6 = NULL;
4417 		unsigned short snum;
4418 		u32 sid, node_perm;
4419 
4420 		if (family == PF_INET) {
4421 			if (addrlen < sizeof(struct sockaddr_in)) {
4422 				err = -EINVAL;
4423 				goto out;
4424 			}
4425 			addr4 = (struct sockaddr_in *)address;
4426 			snum = ntohs(addr4->sin_port);
4427 			addrp = (char *)&addr4->sin_addr.s_addr;
4428 		} else {
4429 			if (addrlen < SIN6_LEN_RFC2133) {
4430 				err = -EINVAL;
4431 				goto out;
4432 			}
4433 			addr6 = (struct sockaddr_in6 *)address;
4434 			snum = ntohs(addr6->sin6_port);
4435 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4436 		}
4437 
4438 		if (snum) {
4439 			int low, high;
4440 
4441 			inet_get_local_port_range(sock_net(sk), &low, &high);
4442 
4443 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4444 			    snum > high) {
4445 				err = sel_netport_sid(sk->sk_protocol,
4446 						      snum, &sid);
4447 				if (err)
4448 					goto out;
4449 				ad.type = LSM_AUDIT_DATA_NET;
4450 				ad.u.net = &net;
4451 				ad.u.net->sport = htons(snum);
4452 				ad.u.net->family = family;
4453 				err = avc_has_perm(sksec->sid, sid,
4454 						   sksec->sclass,
4455 						   SOCKET__NAME_BIND, &ad);
4456 				if (err)
4457 					goto out;
4458 			}
4459 		}
4460 
4461 		switch (sksec->sclass) {
4462 		case SECCLASS_TCP_SOCKET:
4463 			node_perm = TCP_SOCKET__NODE_BIND;
4464 			break;
4465 
4466 		case SECCLASS_UDP_SOCKET:
4467 			node_perm = UDP_SOCKET__NODE_BIND;
4468 			break;
4469 
4470 		case SECCLASS_DCCP_SOCKET:
4471 			node_perm = DCCP_SOCKET__NODE_BIND;
4472 			break;
4473 
4474 		default:
4475 			node_perm = RAWIP_SOCKET__NODE_BIND;
4476 			break;
4477 		}
4478 
4479 		err = sel_netnode_sid(addrp, family, &sid);
4480 		if (err)
4481 			goto out;
4482 
4483 		ad.type = LSM_AUDIT_DATA_NET;
4484 		ad.u.net = &net;
4485 		ad.u.net->sport = htons(snum);
4486 		ad.u.net->family = family;
4487 
4488 		if (family == PF_INET)
4489 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4490 		else
4491 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4492 
4493 		err = avc_has_perm(sksec->sid, sid,
4494 				   sksec->sclass, node_perm, &ad);
4495 		if (err)
4496 			goto out;
4497 	}
4498 out:
4499 	return err;
4500 }
4501 
4502 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4503 {
4504 	struct sock *sk = sock->sk;
4505 	struct sk_security_struct *sksec = sk->sk_security;
4506 	int err;
4507 
4508 	err = sock_has_perm(sk, SOCKET__CONNECT);
4509 	if (err)
4510 		return err;
4511 
4512 	/*
4513 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4514 	 */
4515 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4516 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4517 		struct common_audit_data ad;
4518 		struct lsm_network_audit net = {0,};
4519 		struct sockaddr_in *addr4 = NULL;
4520 		struct sockaddr_in6 *addr6 = NULL;
4521 		unsigned short snum;
4522 		u32 sid, perm;
4523 
4524 		if (sk->sk_family == PF_INET) {
4525 			addr4 = (struct sockaddr_in *)address;
4526 			if (addrlen < sizeof(struct sockaddr_in))
4527 				return -EINVAL;
4528 			snum = ntohs(addr4->sin_port);
4529 		} else {
4530 			addr6 = (struct sockaddr_in6 *)address;
4531 			if (addrlen < SIN6_LEN_RFC2133)
4532 				return -EINVAL;
4533 			snum = ntohs(addr6->sin6_port);
4534 		}
4535 
4536 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4537 		if (err)
4538 			goto out;
4539 
4540 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4541 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4542 
4543 		ad.type = LSM_AUDIT_DATA_NET;
4544 		ad.u.net = &net;
4545 		ad.u.net->dport = htons(snum);
4546 		ad.u.net->family = sk->sk_family;
4547 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4548 		if (err)
4549 			goto out;
4550 	}
4551 
4552 	err = selinux_netlbl_socket_connect(sk, address);
4553 
4554 out:
4555 	return err;
4556 }
4557 
4558 static int selinux_socket_listen(struct socket *sock, int backlog)
4559 {
4560 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4561 }
4562 
4563 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4564 {
4565 	int err;
4566 	struct inode_security_struct *isec;
4567 	struct inode_security_struct *newisec;
4568 	u16 sclass;
4569 	u32 sid;
4570 
4571 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4572 	if (err)
4573 		return err;
4574 
4575 	isec = inode_security_novalidate(SOCK_INODE(sock));
4576 	spin_lock(&isec->lock);
4577 	sclass = isec->sclass;
4578 	sid = isec->sid;
4579 	spin_unlock(&isec->lock);
4580 
4581 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4582 	newisec->sclass = sclass;
4583 	newisec->sid = sid;
4584 	newisec->initialized = LABEL_INITIALIZED;
4585 
4586 	return 0;
4587 }
4588 
4589 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4590 				  int size)
4591 {
4592 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4593 }
4594 
4595 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4596 				  int size, int flags)
4597 {
4598 	return sock_has_perm(sock->sk, SOCKET__READ);
4599 }
4600 
4601 static int selinux_socket_getsockname(struct socket *sock)
4602 {
4603 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4604 }
4605 
4606 static int selinux_socket_getpeername(struct socket *sock)
4607 {
4608 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4609 }
4610 
4611 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4612 {
4613 	int err;
4614 
4615 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4616 	if (err)
4617 		return err;
4618 
4619 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4620 }
4621 
4622 static int selinux_socket_getsockopt(struct socket *sock, int level,
4623 				     int optname)
4624 {
4625 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4626 }
4627 
4628 static int selinux_socket_shutdown(struct socket *sock, int how)
4629 {
4630 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4631 }
4632 
4633 static int selinux_socket_unix_stream_connect(struct sock *sock,
4634 					      struct sock *other,
4635 					      struct sock *newsk)
4636 {
4637 	struct sk_security_struct *sksec_sock = sock->sk_security;
4638 	struct sk_security_struct *sksec_other = other->sk_security;
4639 	struct sk_security_struct *sksec_new = newsk->sk_security;
4640 	struct common_audit_data ad;
4641 	struct lsm_network_audit net = {0,};
4642 	int err;
4643 
4644 	ad.type = LSM_AUDIT_DATA_NET;
4645 	ad.u.net = &net;
4646 	ad.u.net->sk = other;
4647 
4648 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4649 			   sksec_other->sclass,
4650 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4651 	if (err)
4652 		return err;
4653 
4654 	/* server child socket */
4655 	sksec_new->peer_sid = sksec_sock->sid;
4656 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4657 				    &sksec_new->sid);
4658 	if (err)
4659 		return err;
4660 
4661 	/* connecting socket */
4662 	sksec_sock->peer_sid = sksec_new->sid;
4663 
4664 	return 0;
4665 }
4666 
4667 static int selinux_socket_unix_may_send(struct socket *sock,
4668 					struct socket *other)
4669 {
4670 	struct sk_security_struct *ssec = sock->sk->sk_security;
4671 	struct sk_security_struct *osec = other->sk->sk_security;
4672 	struct common_audit_data ad;
4673 	struct lsm_network_audit net = {0,};
4674 
4675 	ad.type = LSM_AUDIT_DATA_NET;
4676 	ad.u.net = &net;
4677 	ad.u.net->sk = other->sk;
4678 
4679 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4680 			    &ad);
4681 }
4682 
4683 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4684 				    char *addrp, u16 family, u32 peer_sid,
4685 				    struct common_audit_data *ad)
4686 {
4687 	int err;
4688 	u32 if_sid;
4689 	u32 node_sid;
4690 
4691 	err = sel_netif_sid(ns, ifindex, &if_sid);
4692 	if (err)
4693 		return err;
4694 	err = avc_has_perm(peer_sid, if_sid,
4695 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4696 	if (err)
4697 		return err;
4698 
4699 	err = sel_netnode_sid(addrp, family, &node_sid);
4700 	if (err)
4701 		return err;
4702 	return avc_has_perm(peer_sid, node_sid,
4703 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4704 }
4705 
4706 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4707 				       u16 family)
4708 {
4709 	int err = 0;
4710 	struct sk_security_struct *sksec = sk->sk_security;
4711 	u32 sk_sid = sksec->sid;
4712 	struct common_audit_data ad;
4713 	struct lsm_network_audit net = {0,};
4714 	char *addrp;
4715 
4716 	ad.type = LSM_AUDIT_DATA_NET;
4717 	ad.u.net = &net;
4718 	ad.u.net->netif = skb->skb_iif;
4719 	ad.u.net->family = family;
4720 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4721 	if (err)
4722 		return err;
4723 
4724 	if (selinux_secmark_enabled()) {
4725 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4726 				   PACKET__RECV, &ad);
4727 		if (err)
4728 			return err;
4729 	}
4730 
4731 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4732 	if (err)
4733 		return err;
4734 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4735 
4736 	return err;
4737 }
4738 
4739 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4740 {
4741 	int err;
4742 	struct sk_security_struct *sksec = sk->sk_security;
4743 	u16 family = sk->sk_family;
4744 	u32 sk_sid = sksec->sid;
4745 	struct common_audit_data ad;
4746 	struct lsm_network_audit net = {0,};
4747 	char *addrp;
4748 	u8 secmark_active;
4749 	u8 peerlbl_active;
4750 
4751 	if (family != PF_INET && family != PF_INET6)
4752 		return 0;
4753 
4754 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4755 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4756 		family = PF_INET;
4757 
4758 	/* If any sort of compatibility mode is enabled then handoff processing
4759 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4760 	 * special handling.  We do this in an attempt to keep this function
4761 	 * as fast and as clean as possible. */
4762 	if (!selinux_policycap_netpeer)
4763 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4764 
4765 	secmark_active = selinux_secmark_enabled();
4766 	peerlbl_active = selinux_peerlbl_enabled();
4767 	if (!secmark_active && !peerlbl_active)
4768 		return 0;
4769 
4770 	ad.type = LSM_AUDIT_DATA_NET;
4771 	ad.u.net = &net;
4772 	ad.u.net->netif = skb->skb_iif;
4773 	ad.u.net->family = family;
4774 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4775 	if (err)
4776 		return err;
4777 
4778 	if (peerlbl_active) {
4779 		u32 peer_sid;
4780 
4781 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4782 		if (err)
4783 			return err;
4784 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4785 					       addrp, family, peer_sid, &ad);
4786 		if (err) {
4787 			selinux_netlbl_err(skb, family, err, 0);
4788 			return err;
4789 		}
4790 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4791 				   PEER__RECV, &ad);
4792 		if (err) {
4793 			selinux_netlbl_err(skb, family, err, 0);
4794 			return err;
4795 		}
4796 	}
4797 
4798 	if (secmark_active) {
4799 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4800 				   PACKET__RECV, &ad);
4801 		if (err)
4802 			return err;
4803 	}
4804 
4805 	return err;
4806 }
4807 
4808 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4809 					    int __user *optlen, unsigned len)
4810 {
4811 	int err = 0;
4812 	char *scontext;
4813 	u32 scontext_len;
4814 	struct sk_security_struct *sksec = sock->sk->sk_security;
4815 	u32 peer_sid = SECSID_NULL;
4816 
4817 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4818 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4819 		peer_sid = sksec->peer_sid;
4820 	if (peer_sid == SECSID_NULL)
4821 		return -ENOPROTOOPT;
4822 
4823 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4824 	if (err)
4825 		return err;
4826 
4827 	if (scontext_len > len) {
4828 		err = -ERANGE;
4829 		goto out_len;
4830 	}
4831 
4832 	if (copy_to_user(optval, scontext, scontext_len))
4833 		err = -EFAULT;
4834 
4835 out_len:
4836 	if (put_user(scontext_len, optlen))
4837 		err = -EFAULT;
4838 	kfree(scontext);
4839 	return err;
4840 }
4841 
4842 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4843 {
4844 	u32 peer_secid = SECSID_NULL;
4845 	u16 family;
4846 	struct inode_security_struct *isec;
4847 
4848 	if (skb && skb->protocol == htons(ETH_P_IP))
4849 		family = PF_INET;
4850 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4851 		family = PF_INET6;
4852 	else if (sock)
4853 		family = sock->sk->sk_family;
4854 	else
4855 		goto out;
4856 
4857 	if (sock && family == PF_UNIX) {
4858 		isec = inode_security_novalidate(SOCK_INODE(sock));
4859 		peer_secid = isec->sid;
4860 	} else if (skb)
4861 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4862 
4863 out:
4864 	*secid = peer_secid;
4865 	if (peer_secid == SECSID_NULL)
4866 		return -EINVAL;
4867 	return 0;
4868 }
4869 
4870 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4871 {
4872 	struct sk_security_struct *sksec;
4873 
4874 	sksec = kzalloc(sizeof(*sksec), priority);
4875 	if (!sksec)
4876 		return -ENOMEM;
4877 
4878 	sksec->peer_sid = SECINITSID_UNLABELED;
4879 	sksec->sid = SECINITSID_UNLABELED;
4880 	sksec->sclass = SECCLASS_SOCKET;
4881 	selinux_netlbl_sk_security_reset(sksec);
4882 	sk->sk_security = sksec;
4883 
4884 	return 0;
4885 }
4886 
4887 static void selinux_sk_free_security(struct sock *sk)
4888 {
4889 	struct sk_security_struct *sksec = sk->sk_security;
4890 
4891 	sk->sk_security = NULL;
4892 	selinux_netlbl_sk_security_free(sksec);
4893 	kfree(sksec);
4894 }
4895 
4896 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4897 {
4898 	struct sk_security_struct *sksec = sk->sk_security;
4899 	struct sk_security_struct *newsksec = newsk->sk_security;
4900 
4901 	newsksec->sid = sksec->sid;
4902 	newsksec->peer_sid = sksec->peer_sid;
4903 	newsksec->sclass = sksec->sclass;
4904 
4905 	selinux_netlbl_sk_security_reset(newsksec);
4906 }
4907 
4908 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4909 {
4910 	if (!sk)
4911 		*secid = SECINITSID_ANY_SOCKET;
4912 	else {
4913 		struct sk_security_struct *sksec = sk->sk_security;
4914 
4915 		*secid = sksec->sid;
4916 	}
4917 }
4918 
4919 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4920 {
4921 	struct inode_security_struct *isec =
4922 		inode_security_novalidate(SOCK_INODE(parent));
4923 	struct sk_security_struct *sksec = sk->sk_security;
4924 
4925 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4926 	    sk->sk_family == PF_UNIX)
4927 		isec->sid = sksec->sid;
4928 	sksec->sclass = isec->sclass;
4929 }
4930 
4931 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4932 				     struct request_sock *req)
4933 {
4934 	struct sk_security_struct *sksec = sk->sk_security;
4935 	int err;
4936 	u16 family = req->rsk_ops->family;
4937 	u32 connsid;
4938 	u32 peersid;
4939 
4940 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4941 	if (err)
4942 		return err;
4943 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4944 	if (err)
4945 		return err;
4946 	req->secid = connsid;
4947 	req->peer_secid = peersid;
4948 
4949 	return selinux_netlbl_inet_conn_request(req, family);
4950 }
4951 
4952 static void selinux_inet_csk_clone(struct sock *newsk,
4953 				   const struct request_sock *req)
4954 {
4955 	struct sk_security_struct *newsksec = newsk->sk_security;
4956 
4957 	newsksec->sid = req->secid;
4958 	newsksec->peer_sid = req->peer_secid;
4959 	/* NOTE: Ideally, we should also get the isec->sid for the
4960 	   new socket in sync, but we don't have the isec available yet.
4961 	   So we will wait until sock_graft to do it, by which
4962 	   time it will have been created and available. */
4963 
4964 	/* We don't need to take any sort of lock here as we are the only
4965 	 * thread with access to newsksec */
4966 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4967 }
4968 
4969 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4970 {
4971 	u16 family = sk->sk_family;
4972 	struct sk_security_struct *sksec = sk->sk_security;
4973 
4974 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4975 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4976 		family = PF_INET;
4977 
4978 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4979 }
4980 
4981 static int selinux_secmark_relabel_packet(u32 sid)
4982 {
4983 	const struct task_security_struct *__tsec;
4984 	u32 tsid;
4985 
4986 	__tsec = current_security();
4987 	tsid = __tsec->sid;
4988 
4989 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4990 }
4991 
4992 static void selinux_secmark_refcount_inc(void)
4993 {
4994 	atomic_inc(&selinux_secmark_refcount);
4995 }
4996 
4997 static void selinux_secmark_refcount_dec(void)
4998 {
4999 	atomic_dec(&selinux_secmark_refcount);
5000 }
5001 
5002 static void selinux_req_classify_flow(const struct request_sock *req,
5003 				      struct flowi *fl)
5004 {
5005 	fl->flowi_secid = req->secid;
5006 }
5007 
5008 static int selinux_tun_dev_alloc_security(void **security)
5009 {
5010 	struct tun_security_struct *tunsec;
5011 
5012 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5013 	if (!tunsec)
5014 		return -ENOMEM;
5015 	tunsec->sid = current_sid();
5016 
5017 	*security = tunsec;
5018 	return 0;
5019 }
5020 
5021 static void selinux_tun_dev_free_security(void *security)
5022 {
5023 	kfree(security);
5024 }
5025 
5026 static int selinux_tun_dev_create(void)
5027 {
5028 	u32 sid = current_sid();
5029 
5030 	/* we aren't taking into account the "sockcreate" SID since the socket
5031 	 * that is being created here is not a socket in the traditional sense,
5032 	 * instead it is a private sock, accessible only to the kernel, and
5033 	 * representing a wide range of network traffic spanning multiple
5034 	 * connections unlike traditional sockets - check the TUN driver to
5035 	 * get a better understanding of why this socket is special */
5036 
5037 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5038 			    NULL);
5039 }
5040 
5041 static int selinux_tun_dev_attach_queue(void *security)
5042 {
5043 	struct tun_security_struct *tunsec = security;
5044 
5045 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5046 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5047 }
5048 
5049 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5050 {
5051 	struct tun_security_struct *tunsec = security;
5052 	struct sk_security_struct *sksec = sk->sk_security;
5053 
5054 	/* we don't currently perform any NetLabel based labeling here and it
5055 	 * isn't clear that we would want to do so anyway; while we could apply
5056 	 * labeling without the support of the TUN user the resulting labeled
5057 	 * traffic from the other end of the connection would almost certainly
5058 	 * cause confusion to the TUN user that had no idea network labeling
5059 	 * protocols were being used */
5060 
5061 	sksec->sid = tunsec->sid;
5062 	sksec->sclass = SECCLASS_TUN_SOCKET;
5063 
5064 	return 0;
5065 }
5066 
5067 static int selinux_tun_dev_open(void *security)
5068 {
5069 	struct tun_security_struct *tunsec = security;
5070 	u32 sid = current_sid();
5071 	int err;
5072 
5073 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5074 			   TUN_SOCKET__RELABELFROM, NULL);
5075 	if (err)
5076 		return err;
5077 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5078 			   TUN_SOCKET__RELABELTO, NULL);
5079 	if (err)
5080 		return err;
5081 	tunsec->sid = sid;
5082 
5083 	return 0;
5084 }
5085 
5086 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5087 {
5088 	int err = 0;
5089 	u32 perm;
5090 	struct nlmsghdr *nlh;
5091 	struct sk_security_struct *sksec = sk->sk_security;
5092 
5093 	if (skb->len < NLMSG_HDRLEN) {
5094 		err = -EINVAL;
5095 		goto out;
5096 	}
5097 	nlh = nlmsg_hdr(skb);
5098 
5099 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5100 	if (err) {
5101 		if (err == -EINVAL) {
5102 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5103 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5104 			       " pig=%d comm=%s\n",
5105 			       sk->sk_protocol, nlh->nlmsg_type,
5106 			       secclass_map[sksec->sclass - 1].name,
5107 			       task_pid_nr(current), current->comm);
5108 			if (!selinux_enforcing || security_get_allow_unknown())
5109 				err = 0;
5110 		}
5111 
5112 		/* Ignore */
5113 		if (err == -ENOENT)
5114 			err = 0;
5115 		goto out;
5116 	}
5117 
5118 	err = sock_has_perm(sk, perm);
5119 out:
5120 	return err;
5121 }
5122 
5123 #ifdef CONFIG_NETFILTER
5124 
5125 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5126 				       const struct net_device *indev,
5127 				       u16 family)
5128 {
5129 	int err;
5130 	char *addrp;
5131 	u32 peer_sid;
5132 	struct common_audit_data ad;
5133 	struct lsm_network_audit net = {0,};
5134 	u8 secmark_active;
5135 	u8 netlbl_active;
5136 	u8 peerlbl_active;
5137 
5138 	if (!selinux_policycap_netpeer)
5139 		return NF_ACCEPT;
5140 
5141 	secmark_active = selinux_secmark_enabled();
5142 	netlbl_active = netlbl_enabled();
5143 	peerlbl_active = selinux_peerlbl_enabled();
5144 	if (!secmark_active && !peerlbl_active)
5145 		return NF_ACCEPT;
5146 
5147 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5148 		return NF_DROP;
5149 
5150 	ad.type = LSM_AUDIT_DATA_NET;
5151 	ad.u.net = &net;
5152 	ad.u.net->netif = indev->ifindex;
5153 	ad.u.net->family = family;
5154 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5155 		return NF_DROP;
5156 
5157 	if (peerlbl_active) {
5158 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5159 					       addrp, family, peer_sid, &ad);
5160 		if (err) {
5161 			selinux_netlbl_err(skb, family, err, 1);
5162 			return NF_DROP;
5163 		}
5164 	}
5165 
5166 	if (secmark_active)
5167 		if (avc_has_perm(peer_sid, skb->secmark,
5168 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5169 			return NF_DROP;
5170 
5171 	if (netlbl_active)
5172 		/* we do this in the FORWARD path and not the POST_ROUTING
5173 		 * path because we want to make sure we apply the necessary
5174 		 * labeling before IPsec is applied so we can leverage AH
5175 		 * protection */
5176 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5177 			return NF_DROP;
5178 
5179 	return NF_ACCEPT;
5180 }
5181 
5182 static unsigned int selinux_ipv4_forward(void *priv,
5183 					 struct sk_buff *skb,
5184 					 const struct nf_hook_state *state)
5185 {
5186 	return selinux_ip_forward(skb, state->in, PF_INET);
5187 }
5188 
5189 #if IS_ENABLED(CONFIG_IPV6)
5190 static unsigned int selinux_ipv6_forward(void *priv,
5191 					 struct sk_buff *skb,
5192 					 const struct nf_hook_state *state)
5193 {
5194 	return selinux_ip_forward(skb, state->in, PF_INET6);
5195 }
5196 #endif	/* IPV6 */
5197 
5198 static unsigned int selinux_ip_output(struct sk_buff *skb,
5199 				      u16 family)
5200 {
5201 	struct sock *sk;
5202 	u32 sid;
5203 
5204 	if (!netlbl_enabled())
5205 		return NF_ACCEPT;
5206 
5207 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5208 	 * because we want to make sure we apply the necessary labeling
5209 	 * before IPsec is applied so we can leverage AH protection */
5210 	sk = skb->sk;
5211 	if (sk) {
5212 		struct sk_security_struct *sksec;
5213 
5214 		if (sk_listener(sk))
5215 			/* if the socket is the listening state then this
5216 			 * packet is a SYN-ACK packet which means it needs to
5217 			 * be labeled based on the connection/request_sock and
5218 			 * not the parent socket.  unfortunately, we can't
5219 			 * lookup the request_sock yet as it isn't queued on
5220 			 * the parent socket until after the SYN-ACK is sent.
5221 			 * the "solution" is to simply pass the packet as-is
5222 			 * as any IP option based labeling should be copied
5223 			 * from the initial connection request (in the IP
5224 			 * layer).  it is far from ideal, but until we get a
5225 			 * security label in the packet itself this is the
5226 			 * best we can do. */
5227 			return NF_ACCEPT;
5228 
5229 		/* standard practice, label using the parent socket */
5230 		sksec = sk->sk_security;
5231 		sid = sksec->sid;
5232 	} else
5233 		sid = SECINITSID_KERNEL;
5234 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5235 		return NF_DROP;
5236 
5237 	return NF_ACCEPT;
5238 }
5239 
5240 static unsigned int selinux_ipv4_output(void *priv,
5241 					struct sk_buff *skb,
5242 					const struct nf_hook_state *state)
5243 {
5244 	return selinux_ip_output(skb, PF_INET);
5245 }
5246 
5247 #if IS_ENABLED(CONFIG_IPV6)
5248 static unsigned int selinux_ipv6_output(void *priv,
5249 					struct sk_buff *skb,
5250 					const struct nf_hook_state *state)
5251 {
5252 	return selinux_ip_output(skb, PF_INET6);
5253 }
5254 #endif	/* IPV6 */
5255 
5256 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5257 						int ifindex,
5258 						u16 family)
5259 {
5260 	struct sock *sk = skb_to_full_sk(skb);
5261 	struct sk_security_struct *sksec;
5262 	struct common_audit_data ad;
5263 	struct lsm_network_audit net = {0,};
5264 	char *addrp;
5265 	u8 proto;
5266 
5267 	if (sk == NULL)
5268 		return NF_ACCEPT;
5269 	sksec = sk->sk_security;
5270 
5271 	ad.type = LSM_AUDIT_DATA_NET;
5272 	ad.u.net = &net;
5273 	ad.u.net->netif = ifindex;
5274 	ad.u.net->family = family;
5275 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5276 		return NF_DROP;
5277 
5278 	if (selinux_secmark_enabled())
5279 		if (avc_has_perm(sksec->sid, skb->secmark,
5280 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5281 			return NF_DROP_ERR(-ECONNREFUSED);
5282 
5283 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5284 		return NF_DROP_ERR(-ECONNREFUSED);
5285 
5286 	return NF_ACCEPT;
5287 }
5288 
5289 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5290 					 const struct net_device *outdev,
5291 					 u16 family)
5292 {
5293 	u32 secmark_perm;
5294 	u32 peer_sid;
5295 	int ifindex = outdev->ifindex;
5296 	struct sock *sk;
5297 	struct common_audit_data ad;
5298 	struct lsm_network_audit net = {0,};
5299 	char *addrp;
5300 	u8 secmark_active;
5301 	u8 peerlbl_active;
5302 
5303 	/* If any sort of compatibility mode is enabled then handoff processing
5304 	 * to the selinux_ip_postroute_compat() function to deal with the
5305 	 * special handling.  We do this in an attempt to keep this function
5306 	 * as fast and as clean as possible. */
5307 	if (!selinux_policycap_netpeer)
5308 		return selinux_ip_postroute_compat(skb, ifindex, family);
5309 
5310 	secmark_active = selinux_secmark_enabled();
5311 	peerlbl_active = selinux_peerlbl_enabled();
5312 	if (!secmark_active && !peerlbl_active)
5313 		return NF_ACCEPT;
5314 
5315 	sk = skb_to_full_sk(skb);
5316 
5317 #ifdef CONFIG_XFRM
5318 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5319 	 * packet transformation so allow the packet to pass without any checks
5320 	 * since we'll have another chance to perform access control checks
5321 	 * when the packet is on it's final way out.
5322 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5323 	 *       is NULL, in this case go ahead and apply access control.
5324 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5325 	 *       TCP listening state we cannot wait until the XFRM processing
5326 	 *       is done as we will miss out on the SA label if we do;
5327 	 *       unfortunately, this means more work, but it is only once per
5328 	 *       connection. */
5329 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5330 	    !(sk && sk_listener(sk)))
5331 		return NF_ACCEPT;
5332 #endif
5333 
5334 	if (sk == NULL) {
5335 		/* Without an associated socket the packet is either coming
5336 		 * from the kernel or it is being forwarded; check the packet
5337 		 * to determine which and if the packet is being forwarded
5338 		 * query the packet directly to determine the security label. */
5339 		if (skb->skb_iif) {
5340 			secmark_perm = PACKET__FORWARD_OUT;
5341 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5342 				return NF_DROP;
5343 		} else {
5344 			secmark_perm = PACKET__SEND;
5345 			peer_sid = SECINITSID_KERNEL;
5346 		}
5347 	} else if (sk_listener(sk)) {
5348 		/* Locally generated packet but the associated socket is in the
5349 		 * listening state which means this is a SYN-ACK packet.  In
5350 		 * this particular case the correct security label is assigned
5351 		 * to the connection/request_sock but unfortunately we can't
5352 		 * query the request_sock as it isn't queued on the parent
5353 		 * socket until after the SYN-ACK packet is sent; the only
5354 		 * viable choice is to regenerate the label like we do in
5355 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5356 		 * for similar problems. */
5357 		u32 skb_sid;
5358 		struct sk_security_struct *sksec;
5359 
5360 		sksec = sk->sk_security;
5361 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5362 			return NF_DROP;
5363 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5364 		 * and the packet has been through at least one XFRM
5365 		 * transformation then we must be dealing with the "final"
5366 		 * form of labeled IPsec packet; since we've already applied
5367 		 * all of our access controls on this packet we can safely
5368 		 * pass the packet. */
5369 		if (skb_sid == SECSID_NULL) {
5370 			switch (family) {
5371 			case PF_INET:
5372 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5373 					return NF_ACCEPT;
5374 				break;
5375 			case PF_INET6:
5376 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5377 					return NF_ACCEPT;
5378 				break;
5379 			default:
5380 				return NF_DROP_ERR(-ECONNREFUSED);
5381 			}
5382 		}
5383 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5384 			return NF_DROP;
5385 		secmark_perm = PACKET__SEND;
5386 	} else {
5387 		/* Locally generated packet, fetch the security label from the
5388 		 * associated socket. */
5389 		struct sk_security_struct *sksec = sk->sk_security;
5390 		peer_sid = sksec->sid;
5391 		secmark_perm = PACKET__SEND;
5392 	}
5393 
5394 	ad.type = LSM_AUDIT_DATA_NET;
5395 	ad.u.net = &net;
5396 	ad.u.net->netif = ifindex;
5397 	ad.u.net->family = family;
5398 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5399 		return NF_DROP;
5400 
5401 	if (secmark_active)
5402 		if (avc_has_perm(peer_sid, skb->secmark,
5403 				 SECCLASS_PACKET, secmark_perm, &ad))
5404 			return NF_DROP_ERR(-ECONNREFUSED);
5405 
5406 	if (peerlbl_active) {
5407 		u32 if_sid;
5408 		u32 node_sid;
5409 
5410 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5411 			return NF_DROP;
5412 		if (avc_has_perm(peer_sid, if_sid,
5413 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5414 			return NF_DROP_ERR(-ECONNREFUSED);
5415 
5416 		if (sel_netnode_sid(addrp, family, &node_sid))
5417 			return NF_DROP;
5418 		if (avc_has_perm(peer_sid, node_sid,
5419 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5420 			return NF_DROP_ERR(-ECONNREFUSED);
5421 	}
5422 
5423 	return NF_ACCEPT;
5424 }
5425 
5426 static unsigned int selinux_ipv4_postroute(void *priv,
5427 					   struct sk_buff *skb,
5428 					   const struct nf_hook_state *state)
5429 {
5430 	return selinux_ip_postroute(skb, state->out, PF_INET);
5431 }
5432 
5433 #if IS_ENABLED(CONFIG_IPV6)
5434 static unsigned int selinux_ipv6_postroute(void *priv,
5435 					   struct sk_buff *skb,
5436 					   const struct nf_hook_state *state)
5437 {
5438 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5439 }
5440 #endif	/* IPV6 */
5441 
5442 #endif	/* CONFIG_NETFILTER */
5443 
5444 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5445 {
5446 	return selinux_nlmsg_perm(sk, skb);
5447 }
5448 
5449 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5450 			      u16 sclass)
5451 {
5452 	struct ipc_security_struct *isec;
5453 
5454 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5455 	if (!isec)
5456 		return -ENOMEM;
5457 
5458 	isec->sclass = sclass;
5459 	isec->sid = current_sid();
5460 	perm->security = isec;
5461 
5462 	return 0;
5463 }
5464 
5465 static void ipc_free_security(struct kern_ipc_perm *perm)
5466 {
5467 	struct ipc_security_struct *isec = perm->security;
5468 	perm->security = NULL;
5469 	kfree(isec);
5470 }
5471 
5472 static int msg_msg_alloc_security(struct msg_msg *msg)
5473 {
5474 	struct msg_security_struct *msec;
5475 
5476 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5477 	if (!msec)
5478 		return -ENOMEM;
5479 
5480 	msec->sid = SECINITSID_UNLABELED;
5481 	msg->security = msec;
5482 
5483 	return 0;
5484 }
5485 
5486 static void msg_msg_free_security(struct msg_msg *msg)
5487 {
5488 	struct msg_security_struct *msec = msg->security;
5489 
5490 	msg->security = NULL;
5491 	kfree(msec);
5492 }
5493 
5494 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5495 			u32 perms)
5496 {
5497 	struct ipc_security_struct *isec;
5498 	struct common_audit_data ad;
5499 	u32 sid = current_sid();
5500 
5501 	isec = ipc_perms->security;
5502 
5503 	ad.type = LSM_AUDIT_DATA_IPC;
5504 	ad.u.ipc_id = ipc_perms->key;
5505 
5506 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5507 }
5508 
5509 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5510 {
5511 	return msg_msg_alloc_security(msg);
5512 }
5513 
5514 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5515 {
5516 	msg_msg_free_security(msg);
5517 }
5518 
5519 /* message queue security operations */
5520 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5521 {
5522 	struct ipc_security_struct *isec;
5523 	struct common_audit_data ad;
5524 	u32 sid = current_sid();
5525 	int rc;
5526 
5527 	rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5528 	if (rc)
5529 		return rc;
5530 
5531 	isec = msq->q_perm.security;
5532 
5533 	ad.type = LSM_AUDIT_DATA_IPC;
5534 	ad.u.ipc_id = msq->q_perm.key;
5535 
5536 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5537 			  MSGQ__CREATE, &ad);
5538 	if (rc) {
5539 		ipc_free_security(&msq->q_perm);
5540 		return rc;
5541 	}
5542 	return 0;
5543 }
5544 
5545 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5546 {
5547 	ipc_free_security(&msq->q_perm);
5548 }
5549 
5550 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5551 {
5552 	struct ipc_security_struct *isec;
5553 	struct common_audit_data ad;
5554 	u32 sid = current_sid();
5555 
5556 	isec = msq->q_perm.security;
5557 
5558 	ad.type = LSM_AUDIT_DATA_IPC;
5559 	ad.u.ipc_id = msq->q_perm.key;
5560 
5561 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5562 			    MSGQ__ASSOCIATE, &ad);
5563 }
5564 
5565 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5566 {
5567 	int err;
5568 	int perms;
5569 
5570 	switch (cmd) {
5571 	case IPC_INFO:
5572 	case MSG_INFO:
5573 		/* No specific object, just general system-wide information. */
5574 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5575 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5576 	case IPC_STAT:
5577 	case MSG_STAT:
5578 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5579 		break;
5580 	case IPC_SET:
5581 		perms = MSGQ__SETATTR;
5582 		break;
5583 	case IPC_RMID:
5584 		perms = MSGQ__DESTROY;
5585 		break;
5586 	default:
5587 		return 0;
5588 	}
5589 
5590 	err = ipc_has_perm(&msq->q_perm, perms);
5591 	return err;
5592 }
5593 
5594 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5595 {
5596 	struct ipc_security_struct *isec;
5597 	struct msg_security_struct *msec;
5598 	struct common_audit_data ad;
5599 	u32 sid = current_sid();
5600 	int rc;
5601 
5602 	isec = msq->q_perm.security;
5603 	msec = msg->security;
5604 
5605 	/*
5606 	 * First time through, need to assign label to the message
5607 	 */
5608 	if (msec->sid == SECINITSID_UNLABELED) {
5609 		/*
5610 		 * Compute new sid based on current process and
5611 		 * message queue this message will be stored in
5612 		 */
5613 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5614 					     NULL, &msec->sid);
5615 		if (rc)
5616 			return rc;
5617 	}
5618 
5619 	ad.type = LSM_AUDIT_DATA_IPC;
5620 	ad.u.ipc_id = msq->q_perm.key;
5621 
5622 	/* Can this process write to the queue? */
5623 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5624 			  MSGQ__WRITE, &ad);
5625 	if (!rc)
5626 		/* Can this process send the message */
5627 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5628 				  MSG__SEND, &ad);
5629 	if (!rc)
5630 		/* Can the message be put in the queue? */
5631 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5632 				  MSGQ__ENQUEUE, &ad);
5633 
5634 	return rc;
5635 }
5636 
5637 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5638 				    struct task_struct *target,
5639 				    long type, int mode)
5640 {
5641 	struct ipc_security_struct *isec;
5642 	struct msg_security_struct *msec;
5643 	struct common_audit_data ad;
5644 	u32 sid = task_sid(target);
5645 	int rc;
5646 
5647 	isec = msq->q_perm.security;
5648 	msec = msg->security;
5649 
5650 	ad.type = LSM_AUDIT_DATA_IPC;
5651 	ad.u.ipc_id = msq->q_perm.key;
5652 
5653 	rc = avc_has_perm(sid, isec->sid,
5654 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5655 	if (!rc)
5656 		rc = avc_has_perm(sid, msec->sid,
5657 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5658 	return rc;
5659 }
5660 
5661 /* Shared Memory security operations */
5662 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5663 {
5664 	struct ipc_security_struct *isec;
5665 	struct common_audit_data ad;
5666 	u32 sid = current_sid();
5667 	int rc;
5668 
5669 	rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5670 	if (rc)
5671 		return rc;
5672 
5673 	isec = shp->shm_perm.security;
5674 
5675 	ad.type = LSM_AUDIT_DATA_IPC;
5676 	ad.u.ipc_id = shp->shm_perm.key;
5677 
5678 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5679 			  SHM__CREATE, &ad);
5680 	if (rc) {
5681 		ipc_free_security(&shp->shm_perm);
5682 		return rc;
5683 	}
5684 	return 0;
5685 }
5686 
5687 static void selinux_shm_free_security(struct shmid_kernel *shp)
5688 {
5689 	ipc_free_security(&shp->shm_perm);
5690 }
5691 
5692 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5693 {
5694 	struct ipc_security_struct *isec;
5695 	struct common_audit_data ad;
5696 	u32 sid = current_sid();
5697 
5698 	isec = shp->shm_perm.security;
5699 
5700 	ad.type = LSM_AUDIT_DATA_IPC;
5701 	ad.u.ipc_id = shp->shm_perm.key;
5702 
5703 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5704 			    SHM__ASSOCIATE, &ad);
5705 }
5706 
5707 /* Note, at this point, shp is locked down */
5708 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5709 {
5710 	int perms;
5711 	int err;
5712 
5713 	switch (cmd) {
5714 	case IPC_INFO:
5715 	case SHM_INFO:
5716 		/* No specific object, just general system-wide information. */
5717 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5718 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5719 	case IPC_STAT:
5720 	case SHM_STAT:
5721 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5722 		break;
5723 	case IPC_SET:
5724 		perms = SHM__SETATTR;
5725 		break;
5726 	case SHM_LOCK:
5727 	case SHM_UNLOCK:
5728 		perms = SHM__LOCK;
5729 		break;
5730 	case IPC_RMID:
5731 		perms = SHM__DESTROY;
5732 		break;
5733 	default:
5734 		return 0;
5735 	}
5736 
5737 	err = ipc_has_perm(&shp->shm_perm, perms);
5738 	return err;
5739 }
5740 
5741 static int selinux_shm_shmat(struct shmid_kernel *shp,
5742 			     char __user *shmaddr, int shmflg)
5743 {
5744 	u32 perms;
5745 
5746 	if (shmflg & SHM_RDONLY)
5747 		perms = SHM__READ;
5748 	else
5749 		perms = SHM__READ | SHM__WRITE;
5750 
5751 	return ipc_has_perm(&shp->shm_perm, perms);
5752 }
5753 
5754 /* Semaphore security operations */
5755 static int selinux_sem_alloc_security(struct sem_array *sma)
5756 {
5757 	struct ipc_security_struct *isec;
5758 	struct common_audit_data ad;
5759 	u32 sid = current_sid();
5760 	int rc;
5761 
5762 	rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5763 	if (rc)
5764 		return rc;
5765 
5766 	isec = sma->sem_perm.security;
5767 
5768 	ad.type = LSM_AUDIT_DATA_IPC;
5769 	ad.u.ipc_id = sma->sem_perm.key;
5770 
5771 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5772 			  SEM__CREATE, &ad);
5773 	if (rc) {
5774 		ipc_free_security(&sma->sem_perm);
5775 		return rc;
5776 	}
5777 	return 0;
5778 }
5779 
5780 static void selinux_sem_free_security(struct sem_array *sma)
5781 {
5782 	ipc_free_security(&sma->sem_perm);
5783 }
5784 
5785 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5786 {
5787 	struct ipc_security_struct *isec;
5788 	struct common_audit_data ad;
5789 	u32 sid = current_sid();
5790 
5791 	isec = sma->sem_perm.security;
5792 
5793 	ad.type = LSM_AUDIT_DATA_IPC;
5794 	ad.u.ipc_id = sma->sem_perm.key;
5795 
5796 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5797 			    SEM__ASSOCIATE, &ad);
5798 }
5799 
5800 /* Note, at this point, sma is locked down */
5801 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5802 {
5803 	int err;
5804 	u32 perms;
5805 
5806 	switch (cmd) {
5807 	case IPC_INFO:
5808 	case SEM_INFO:
5809 		/* No specific object, just general system-wide information. */
5810 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5811 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5812 	case GETPID:
5813 	case GETNCNT:
5814 	case GETZCNT:
5815 		perms = SEM__GETATTR;
5816 		break;
5817 	case GETVAL:
5818 	case GETALL:
5819 		perms = SEM__READ;
5820 		break;
5821 	case SETVAL:
5822 	case SETALL:
5823 		perms = SEM__WRITE;
5824 		break;
5825 	case IPC_RMID:
5826 		perms = SEM__DESTROY;
5827 		break;
5828 	case IPC_SET:
5829 		perms = SEM__SETATTR;
5830 		break;
5831 	case IPC_STAT:
5832 	case SEM_STAT:
5833 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5834 		break;
5835 	default:
5836 		return 0;
5837 	}
5838 
5839 	err = ipc_has_perm(&sma->sem_perm, perms);
5840 	return err;
5841 }
5842 
5843 static int selinux_sem_semop(struct sem_array *sma,
5844 			     struct sembuf *sops, unsigned nsops, int alter)
5845 {
5846 	u32 perms;
5847 
5848 	if (alter)
5849 		perms = SEM__READ | SEM__WRITE;
5850 	else
5851 		perms = SEM__READ;
5852 
5853 	return ipc_has_perm(&sma->sem_perm, perms);
5854 }
5855 
5856 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5857 {
5858 	u32 av = 0;
5859 
5860 	av = 0;
5861 	if (flag & S_IRUGO)
5862 		av |= IPC__UNIX_READ;
5863 	if (flag & S_IWUGO)
5864 		av |= IPC__UNIX_WRITE;
5865 
5866 	if (av == 0)
5867 		return 0;
5868 
5869 	return ipc_has_perm(ipcp, av);
5870 }
5871 
5872 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5873 {
5874 	struct ipc_security_struct *isec = ipcp->security;
5875 	*secid = isec->sid;
5876 }
5877 
5878 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5879 {
5880 	if (inode)
5881 		inode_doinit_with_dentry(inode, dentry);
5882 }
5883 
5884 static int selinux_getprocattr(struct task_struct *p,
5885 			       char *name, char **value)
5886 {
5887 	const struct task_security_struct *__tsec;
5888 	u32 sid;
5889 	int error;
5890 	unsigned len;
5891 
5892 	rcu_read_lock();
5893 	__tsec = __task_cred(p)->security;
5894 
5895 	if (current != p) {
5896 		error = avc_has_perm(current_sid(), __tsec->sid,
5897 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5898 		if (error)
5899 			goto bad;
5900 	}
5901 
5902 	if (!strcmp(name, "current"))
5903 		sid = __tsec->sid;
5904 	else if (!strcmp(name, "prev"))
5905 		sid = __tsec->osid;
5906 	else if (!strcmp(name, "exec"))
5907 		sid = __tsec->exec_sid;
5908 	else if (!strcmp(name, "fscreate"))
5909 		sid = __tsec->create_sid;
5910 	else if (!strcmp(name, "keycreate"))
5911 		sid = __tsec->keycreate_sid;
5912 	else if (!strcmp(name, "sockcreate"))
5913 		sid = __tsec->sockcreate_sid;
5914 	else {
5915 		error = -EINVAL;
5916 		goto bad;
5917 	}
5918 	rcu_read_unlock();
5919 
5920 	if (!sid)
5921 		return 0;
5922 
5923 	error = security_sid_to_context(sid, value, &len);
5924 	if (error)
5925 		return error;
5926 	return len;
5927 
5928 bad:
5929 	rcu_read_unlock();
5930 	return error;
5931 }
5932 
5933 static int selinux_setprocattr(const char *name, void *value, size_t size)
5934 {
5935 	struct task_security_struct *tsec;
5936 	struct cred *new;
5937 	u32 mysid = current_sid(), sid = 0, ptsid;
5938 	int error;
5939 	char *str = value;
5940 
5941 	/*
5942 	 * Basic control over ability to set these attributes at all.
5943 	 */
5944 	if (!strcmp(name, "exec"))
5945 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5946 				     PROCESS__SETEXEC, NULL);
5947 	else if (!strcmp(name, "fscreate"))
5948 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5949 				     PROCESS__SETFSCREATE, NULL);
5950 	else if (!strcmp(name, "keycreate"))
5951 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5952 				     PROCESS__SETKEYCREATE, NULL);
5953 	else if (!strcmp(name, "sockcreate"))
5954 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5955 				     PROCESS__SETSOCKCREATE, NULL);
5956 	else if (!strcmp(name, "current"))
5957 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5958 				     PROCESS__SETCURRENT, NULL);
5959 	else
5960 		error = -EINVAL;
5961 	if (error)
5962 		return error;
5963 
5964 	/* Obtain a SID for the context, if one was specified. */
5965 	if (size && str[0] && str[0] != '\n') {
5966 		if (str[size-1] == '\n') {
5967 			str[size-1] = 0;
5968 			size--;
5969 		}
5970 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5971 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5972 			if (!has_cap_mac_admin(true)) {
5973 				struct audit_buffer *ab;
5974 				size_t audit_size;
5975 
5976 				/* We strip a nul only if it is at the end, otherwise the
5977 				 * context contains a nul and we should audit that */
5978 				if (str[size - 1] == '\0')
5979 					audit_size = size - 1;
5980 				else
5981 					audit_size = size;
5982 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5983 				audit_log_format(ab, "op=fscreate invalid_context=");
5984 				audit_log_n_untrustedstring(ab, value, audit_size);
5985 				audit_log_end(ab);
5986 
5987 				return error;
5988 			}
5989 			error = security_context_to_sid_force(value, size,
5990 							      &sid);
5991 		}
5992 		if (error)
5993 			return error;
5994 	}
5995 
5996 	new = prepare_creds();
5997 	if (!new)
5998 		return -ENOMEM;
5999 
6000 	/* Permission checking based on the specified context is
6001 	   performed during the actual operation (execve,
6002 	   open/mkdir/...), when we know the full context of the
6003 	   operation.  See selinux_bprm_set_creds for the execve
6004 	   checks and may_create for the file creation checks. The
6005 	   operation will then fail if the context is not permitted. */
6006 	tsec = new->security;
6007 	if (!strcmp(name, "exec")) {
6008 		tsec->exec_sid = sid;
6009 	} else if (!strcmp(name, "fscreate")) {
6010 		tsec->create_sid = sid;
6011 	} else if (!strcmp(name, "keycreate")) {
6012 		error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6013 				     NULL);
6014 		if (error)
6015 			goto abort_change;
6016 		tsec->keycreate_sid = sid;
6017 	} else if (!strcmp(name, "sockcreate")) {
6018 		tsec->sockcreate_sid = sid;
6019 	} else if (!strcmp(name, "current")) {
6020 		error = -EINVAL;
6021 		if (sid == 0)
6022 			goto abort_change;
6023 
6024 		/* Only allow single threaded processes to change context */
6025 		error = -EPERM;
6026 		if (!current_is_single_threaded()) {
6027 			error = security_bounded_transition(tsec->sid, sid);
6028 			if (error)
6029 				goto abort_change;
6030 		}
6031 
6032 		/* Check permissions for the transition. */
6033 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6034 				     PROCESS__DYNTRANSITION, NULL);
6035 		if (error)
6036 			goto abort_change;
6037 
6038 		/* Check for ptracing, and update the task SID if ok.
6039 		   Otherwise, leave SID unchanged and fail. */
6040 		ptsid = ptrace_parent_sid();
6041 		if (ptsid != 0) {
6042 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6043 					     PROCESS__PTRACE, NULL);
6044 			if (error)
6045 				goto abort_change;
6046 		}
6047 
6048 		tsec->sid = sid;
6049 	} else {
6050 		error = -EINVAL;
6051 		goto abort_change;
6052 	}
6053 
6054 	commit_creds(new);
6055 	return size;
6056 
6057 abort_change:
6058 	abort_creds(new);
6059 	return error;
6060 }
6061 
6062 static int selinux_ismaclabel(const char *name)
6063 {
6064 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6065 }
6066 
6067 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6068 {
6069 	return security_sid_to_context(secid, secdata, seclen);
6070 }
6071 
6072 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6073 {
6074 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6075 }
6076 
6077 static void selinux_release_secctx(char *secdata, u32 seclen)
6078 {
6079 	kfree(secdata);
6080 }
6081 
6082 static void selinux_inode_invalidate_secctx(struct inode *inode)
6083 {
6084 	struct inode_security_struct *isec = inode->i_security;
6085 
6086 	spin_lock(&isec->lock);
6087 	isec->initialized = LABEL_INVALID;
6088 	spin_unlock(&isec->lock);
6089 }
6090 
6091 /*
6092  *	called with inode->i_mutex locked
6093  */
6094 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6095 {
6096 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6097 }
6098 
6099 /*
6100  *	called with inode->i_mutex locked
6101  */
6102 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6103 {
6104 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6105 }
6106 
6107 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6108 {
6109 	int len = 0;
6110 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6111 						ctx, true);
6112 	if (len < 0)
6113 		return len;
6114 	*ctxlen = len;
6115 	return 0;
6116 }
6117 #ifdef CONFIG_KEYS
6118 
6119 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6120 			     unsigned long flags)
6121 {
6122 	const struct task_security_struct *tsec;
6123 	struct key_security_struct *ksec;
6124 
6125 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6126 	if (!ksec)
6127 		return -ENOMEM;
6128 
6129 	tsec = cred->security;
6130 	if (tsec->keycreate_sid)
6131 		ksec->sid = tsec->keycreate_sid;
6132 	else
6133 		ksec->sid = tsec->sid;
6134 
6135 	k->security = ksec;
6136 	return 0;
6137 }
6138 
6139 static void selinux_key_free(struct key *k)
6140 {
6141 	struct key_security_struct *ksec = k->security;
6142 
6143 	k->security = NULL;
6144 	kfree(ksec);
6145 }
6146 
6147 static int selinux_key_permission(key_ref_t key_ref,
6148 				  const struct cred *cred,
6149 				  unsigned perm)
6150 {
6151 	struct key *key;
6152 	struct key_security_struct *ksec;
6153 	u32 sid;
6154 
6155 	/* if no specific permissions are requested, we skip the
6156 	   permission check. No serious, additional covert channels
6157 	   appear to be created. */
6158 	if (perm == 0)
6159 		return 0;
6160 
6161 	sid = cred_sid(cred);
6162 
6163 	key = key_ref_to_ptr(key_ref);
6164 	ksec = key->security;
6165 
6166 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6167 }
6168 
6169 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6170 {
6171 	struct key_security_struct *ksec = key->security;
6172 	char *context = NULL;
6173 	unsigned len;
6174 	int rc;
6175 
6176 	rc = security_sid_to_context(ksec->sid, &context, &len);
6177 	if (!rc)
6178 		rc = len;
6179 	*_buffer = context;
6180 	return rc;
6181 }
6182 #endif
6183 
6184 #ifdef CONFIG_SECURITY_INFINIBAND
6185 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6186 {
6187 	struct common_audit_data ad;
6188 	int err;
6189 	u32 sid = 0;
6190 	struct ib_security_struct *sec = ib_sec;
6191 	struct lsm_ibpkey_audit ibpkey;
6192 
6193 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6194 	if (err)
6195 		return err;
6196 
6197 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6198 	ibpkey.subnet_prefix = subnet_prefix;
6199 	ibpkey.pkey = pkey_val;
6200 	ad.u.ibpkey = &ibpkey;
6201 	return avc_has_perm(sec->sid, sid,
6202 			    SECCLASS_INFINIBAND_PKEY,
6203 			    INFINIBAND_PKEY__ACCESS, &ad);
6204 }
6205 
6206 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6207 					    u8 port_num)
6208 {
6209 	struct common_audit_data ad;
6210 	int err;
6211 	u32 sid = 0;
6212 	struct ib_security_struct *sec = ib_sec;
6213 	struct lsm_ibendport_audit ibendport;
6214 
6215 	err = security_ib_endport_sid(dev_name, port_num, &sid);
6216 
6217 	if (err)
6218 		return err;
6219 
6220 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6221 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6222 	ibendport.port = port_num;
6223 	ad.u.ibendport = &ibendport;
6224 	return avc_has_perm(sec->sid, sid,
6225 			    SECCLASS_INFINIBAND_ENDPORT,
6226 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6227 }
6228 
6229 static int selinux_ib_alloc_security(void **ib_sec)
6230 {
6231 	struct ib_security_struct *sec;
6232 
6233 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6234 	if (!sec)
6235 		return -ENOMEM;
6236 	sec->sid = current_sid();
6237 
6238 	*ib_sec = sec;
6239 	return 0;
6240 }
6241 
6242 static void selinux_ib_free_security(void *ib_sec)
6243 {
6244 	kfree(ib_sec);
6245 }
6246 #endif
6247 
6248 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6249 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6250 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6251 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6252 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6253 
6254 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6255 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6256 	LSM_HOOK_INIT(capget, selinux_capget),
6257 	LSM_HOOK_INIT(capset, selinux_capset),
6258 	LSM_HOOK_INIT(capable, selinux_capable),
6259 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6260 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6261 	LSM_HOOK_INIT(syslog, selinux_syslog),
6262 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6263 
6264 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6265 
6266 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6267 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6268 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6269 	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6270 
6271 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6272 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6273 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6274 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6275 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6276 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6277 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6278 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6279 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6280 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6281 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6282 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6283 
6284 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6285 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6286 
6287 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6288 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6289 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6290 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6291 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6292 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6293 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6294 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6295 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6296 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6297 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6298 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6299 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6300 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6301 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6302 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6303 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6304 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6305 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6306 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6307 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6308 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6309 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6310 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6311 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6312 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6313 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6314 
6315 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6316 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6317 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6318 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6319 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6320 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6321 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6322 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6323 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6324 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6325 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6326 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6327 
6328 	LSM_HOOK_INIT(file_open, selinux_file_open),
6329 
6330 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6331 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6332 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6333 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6334 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6335 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6336 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6337 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6338 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6339 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6340 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6341 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6342 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6343 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6344 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6345 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6346 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6347 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6348 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6349 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6350 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6351 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6352 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6353 
6354 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6355 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6356 
6357 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6358 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6359 
6360 	LSM_HOOK_INIT(msg_queue_alloc_security,
6361 			selinux_msg_queue_alloc_security),
6362 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6363 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6364 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6365 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6366 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6367 
6368 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6369 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6370 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6371 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6372 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6373 
6374 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6375 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6376 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6377 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6378 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6379 
6380 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6381 
6382 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6383 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6384 
6385 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6386 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6387 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6388 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6389 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6390 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6391 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6392 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6393 
6394 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6395 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6396 
6397 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6398 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6399 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6400 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6401 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6402 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6403 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6404 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6405 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6406 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6407 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6408 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6409 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6410 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6411 	LSM_HOOK_INIT(socket_getpeersec_stream,
6412 			selinux_socket_getpeersec_stream),
6413 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6414 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6415 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6416 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6417 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6418 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6419 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6420 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6421 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6422 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6423 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6424 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6425 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6426 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6427 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6428 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6429 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6430 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6431 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6432 #ifdef CONFIG_SECURITY_INFINIBAND
6433 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6434 	LSM_HOOK_INIT(ib_endport_manage_subnet,
6435 		      selinux_ib_endport_manage_subnet),
6436 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6437 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6438 #endif
6439 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6440 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6441 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6442 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6443 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6444 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6445 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6446 			selinux_xfrm_state_alloc_acquire),
6447 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6448 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6449 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6450 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6451 			selinux_xfrm_state_pol_flow_match),
6452 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6453 #endif
6454 
6455 #ifdef CONFIG_KEYS
6456 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6457 	LSM_HOOK_INIT(key_free, selinux_key_free),
6458 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6459 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6460 #endif
6461 
6462 #ifdef CONFIG_AUDIT
6463 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6464 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6465 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6466 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6467 #endif
6468 };
6469 
6470 static __init int selinux_init(void)
6471 {
6472 	if (!security_module_enable("selinux")) {
6473 		selinux_enabled = 0;
6474 		return 0;
6475 	}
6476 
6477 	if (!selinux_enabled) {
6478 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6479 		return 0;
6480 	}
6481 
6482 	printk(KERN_INFO "SELinux:  Initializing.\n");
6483 
6484 	/* Set the security state for the initial task. */
6485 	cred_init_security();
6486 
6487 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6488 
6489 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6490 					    sizeof(struct inode_security_struct),
6491 					    0, SLAB_PANIC, NULL);
6492 	file_security_cache = kmem_cache_create("selinux_file_security",
6493 					    sizeof(struct file_security_struct),
6494 					    0, SLAB_PANIC, NULL);
6495 	avc_init();
6496 
6497 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6498 
6499 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6500 		panic("SELinux: Unable to register AVC netcache callback\n");
6501 
6502 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6503 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
6504 
6505 	if (selinux_enforcing)
6506 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6507 	else
6508 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6509 
6510 	return 0;
6511 }
6512 
6513 static void delayed_superblock_init(struct super_block *sb, void *unused)
6514 {
6515 	superblock_doinit(sb, NULL);
6516 }
6517 
6518 void selinux_complete_init(void)
6519 {
6520 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6521 
6522 	/* Set up any superblocks initialized prior to the policy load. */
6523 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6524 	iterate_supers(delayed_superblock_init, NULL);
6525 }
6526 
6527 /* SELinux requires early initialization in order to label
6528    all processes and objects when they are created. */
6529 security_initcall(selinux_init);
6530 
6531 #if defined(CONFIG_NETFILTER)
6532 
6533 static struct nf_hook_ops selinux_nf_ops[] = {
6534 	{
6535 		.hook =		selinux_ipv4_postroute,
6536 		.pf =		NFPROTO_IPV4,
6537 		.hooknum =	NF_INET_POST_ROUTING,
6538 		.priority =	NF_IP_PRI_SELINUX_LAST,
6539 	},
6540 	{
6541 		.hook =		selinux_ipv4_forward,
6542 		.pf =		NFPROTO_IPV4,
6543 		.hooknum =	NF_INET_FORWARD,
6544 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6545 	},
6546 	{
6547 		.hook =		selinux_ipv4_output,
6548 		.pf =		NFPROTO_IPV4,
6549 		.hooknum =	NF_INET_LOCAL_OUT,
6550 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6551 	},
6552 #if IS_ENABLED(CONFIG_IPV6)
6553 	{
6554 		.hook =		selinux_ipv6_postroute,
6555 		.pf =		NFPROTO_IPV6,
6556 		.hooknum =	NF_INET_POST_ROUTING,
6557 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6558 	},
6559 	{
6560 		.hook =		selinux_ipv6_forward,
6561 		.pf =		NFPROTO_IPV6,
6562 		.hooknum =	NF_INET_FORWARD,
6563 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6564 	},
6565 	{
6566 		.hook =		selinux_ipv6_output,
6567 		.pf =		NFPROTO_IPV6,
6568 		.hooknum =	NF_INET_LOCAL_OUT,
6569 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6570 	},
6571 #endif	/* IPV6 */
6572 };
6573 
6574 static int __net_init selinux_nf_register(struct net *net)
6575 {
6576 	return nf_register_net_hooks(net, selinux_nf_ops,
6577 				     ARRAY_SIZE(selinux_nf_ops));
6578 }
6579 
6580 static void __net_exit selinux_nf_unregister(struct net *net)
6581 {
6582 	nf_unregister_net_hooks(net, selinux_nf_ops,
6583 				ARRAY_SIZE(selinux_nf_ops));
6584 }
6585 
6586 static struct pernet_operations selinux_net_ops = {
6587 	.init = selinux_nf_register,
6588 	.exit = selinux_nf_unregister,
6589 };
6590 
6591 static int __init selinux_nf_ip_init(void)
6592 {
6593 	int err;
6594 
6595 	if (!selinux_enabled)
6596 		return 0;
6597 
6598 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6599 
6600 	err = register_pernet_subsys(&selinux_net_ops);
6601 	if (err)
6602 		panic("SELinux: register_pernet_subsys: error %d\n", err);
6603 
6604 	return 0;
6605 }
6606 __initcall(selinux_nf_ip_init);
6607 
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static void selinux_nf_ip_exit(void)
6610 {
6611 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6612 
6613 	unregister_pernet_subsys(&selinux_net_ops);
6614 }
6615 #endif
6616 
6617 #else /* CONFIG_NETFILTER */
6618 
6619 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6620 #define selinux_nf_ip_exit()
6621 #endif
6622 
6623 #endif /* CONFIG_NETFILTER */
6624 
6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6626 static int selinux_disabled;
6627 
6628 int selinux_disable(void)
6629 {
6630 	if (ss_initialized) {
6631 		/* Not permitted after initial policy load. */
6632 		return -EINVAL;
6633 	}
6634 
6635 	if (selinux_disabled) {
6636 		/* Only do this once. */
6637 		return -EINVAL;
6638 	}
6639 
6640 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6641 
6642 	selinux_disabled = 1;
6643 	selinux_enabled = 0;
6644 
6645 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6646 
6647 	/* Try to destroy the avc node cache */
6648 	avc_disable();
6649 
6650 	/* Unregister netfilter hooks. */
6651 	selinux_nf_ip_exit();
6652 
6653 	/* Unregister selinuxfs. */
6654 	exit_sel_fs();
6655 
6656 	return 0;
6657 }
6658 #endif
6659