xref: /openbmc/linux/security/selinux/hooks.c (revision 54618888)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114 
115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled_boot = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static unsigned int selinux_checkreqprot_boot =
140 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 
142 static int __init checkreqprot_setup(char *str)
143 {
144 	unsigned long checkreqprot;
145 
146 	if (!kstrtoul(str, 0, &checkreqprot)) {
147 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 		if (checkreqprot)
149 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
150 	}
151 	return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154 
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
166 static int selinux_secmark_enabled(void)
167 {
168 	return (selinux_policycap_alwaysnetwork() ||
169 		atomic_read(&selinux_secmark_refcount));
170 }
171 
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
182 static int selinux_peerlbl_enabled(void)
183 {
184 	return (selinux_policycap_alwaysnetwork() ||
185 		netlbl_enabled() || selinux_xfrm_enabled());
186 }
187 
188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 	if (event == AVC_CALLBACK_RESET) {
191 		sel_netif_flush();
192 		sel_netnode_flush();
193 		sel_netport_flush();
194 		synchronize_net();
195 	}
196 	return 0;
197 }
198 
199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 	if (event == AVC_CALLBACK_RESET) {
202 		sel_ib_pkey_flush();
203 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 	}
205 
206 	return 0;
207 }
208 
209 /*
210  * initialise the security for the init task
211  */
212 static void cred_init_security(void)
213 {
214 	struct task_security_struct *tsec;
215 
216 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
217 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 }
219 
220 /*
221  * get the security ID of a set of credentials
222  */
223 static inline u32 cred_sid(const struct cred *cred)
224 {
225 	const struct task_security_struct *tsec;
226 
227 	tsec = selinux_cred(cred);
228 	return tsec->sid;
229 }
230 
231 /*
232  * get the objective security ID of a task
233  */
234 static inline u32 task_sid_obj(const struct task_struct *task)
235 {
236 	u32 sid;
237 
238 	rcu_read_lock();
239 	sid = cred_sid(__task_cred(task));
240 	rcu_read_unlock();
241 	return sid;
242 }
243 
244 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
245 
246 /*
247  * Try reloading inode security labels that have been marked as invalid.  The
248  * @may_sleep parameter indicates when sleeping and thus reloading labels is
249  * allowed; when set to false, returns -ECHILD when the label is
250  * invalid.  The @dentry parameter should be set to a dentry of the inode.
251  */
252 static int __inode_security_revalidate(struct inode *inode,
253 				       struct dentry *dentry,
254 				       bool may_sleep)
255 {
256 	struct inode_security_struct *isec = selinux_inode(inode);
257 
258 	might_sleep_if(may_sleep);
259 
260 	if (selinux_initialized(&selinux_state) &&
261 	    isec->initialized != LABEL_INITIALIZED) {
262 		if (!may_sleep)
263 			return -ECHILD;
264 
265 		/*
266 		 * Try reloading the inode security label.  This will fail if
267 		 * @opt_dentry is NULL and no dentry for this inode can be
268 		 * found; in that case, continue using the old label.
269 		 */
270 		inode_doinit_with_dentry(inode, dentry);
271 	}
272 	return 0;
273 }
274 
275 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276 {
277 	return selinux_inode(inode);
278 }
279 
280 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
281 {
282 	int error;
283 
284 	error = __inode_security_revalidate(inode, NULL, !rcu);
285 	if (error)
286 		return ERR_PTR(error);
287 	return selinux_inode(inode);
288 }
289 
290 /*
291  * Get the security label of an inode.
292  */
293 static struct inode_security_struct *inode_security(struct inode *inode)
294 {
295 	__inode_security_revalidate(inode, NULL, true);
296 	return selinux_inode(inode);
297 }
298 
299 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300 {
301 	struct inode *inode = d_backing_inode(dentry);
302 
303 	return selinux_inode(inode);
304 }
305 
306 /*
307  * Get the security label of a dentry's backing inode.
308  */
309 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310 {
311 	struct inode *inode = d_backing_inode(dentry);
312 
313 	__inode_security_revalidate(inode, dentry, true);
314 	return selinux_inode(inode);
315 }
316 
317 static void inode_free_security(struct inode *inode)
318 {
319 	struct inode_security_struct *isec = selinux_inode(inode);
320 	struct superblock_security_struct *sbsec;
321 
322 	if (!isec)
323 		return;
324 	sbsec = selinux_superblock(inode->i_sb);
325 	/*
326 	 * As not all inode security structures are in a list, we check for
327 	 * empty list outside of the lock to make sure that we won't waste
328 	 * time taking a lock doing nothing.
329 	 *
330 	 * The list_del_init() function can be safely called more than once.
331 	 * It should not be possible for this function to be called with
332 	 * concurrent list_add(), but for better safety against future changes
333 	 * in the code, we use list_empty_careful() here.
334 	 */
335 	if (!list_empty_careful(&isec->list)) {
336 		spin_lock(&sbsec->isec_lock);
337 		list_del_init(&isec->list);
338 		spin_unlock(&sbsec->isec_lock);
339 	}
340 }
341 
342 struct selinux_mnt_opts {
343 	u32 fscontext_sid;
344 	u32 context_sid;
345 	u32 rootcontext_sid;
346 	u32 defcontext_sid;
347 };
348 
349 static void selinux_free_mnt_opts(void *mnt_opts)
350 {
351 	kfree(mnt_opts);
352 }
353 
354 enum {
355 	Opt_error = -1,
356 	Opt_context = 0,
357 	Opt_defcontext = 1,
358 	Opt_fscontext = 2,
359 	Opt_rootcontext = 3,
360 	Opt_seclabel = 4,
361 };
362 
363 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
364 static struct {
365 	const char *name;
366 	int len;
367 	int opt;
368 	bool has_arg;
369 } tokens[] = {
370 	A(context, true),
371 	A(fscontext, true),
372 	A(defcontext, true),
373 	A(rootcontext, true),
374 	A(seclabel, false),
375 };
376 #undef A
377 
378 static int match_opt_prefix(char *s, int l, char **arg)
379 {
380 	int i;
381 
382 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
383 		size_t len = tokens[i].len;
384 		if (len > l || memcmp(s, tokens[i].name, len))
385 			continue;
386 		if (tokens[i].has_arg) {
387 			if (len == l || s[len] != '=')
388 				continue;
389 			*arg = s + len + 1;
390 		} else if (len != l)
391 			continue;
392 		return tokens[i].opt;
393 	}
394 	return Opt_error;
395 }
396 
397 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
398 
399 static int may_context_mount_sb_relabel(u32 sid,
400 			struct superblock_security_struct *sbsec,
401 			const struct cred *cred)
402 {
403 	const struct task_security_struct *tsec = selinux_cred(cred);
404 	int rc;
405 
406 	rc = avc_has_perm(&selinux_state,
407 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
408 			  FILESYSTEM__RELABELFROM, NULL);
409 	if (rc)
410 		return rc;
411 
412 	rc = avc_has_perm(&selinux_state,
413 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
414 			  FILESYSTEM__RELABELTO, NULL);
415 	return rc;
416 }
417 
418 static int may_context_mount_inode_relabel(u32 sid,
419 			struct superblock_security_struct *sbsec,
420 			const struct cred *cred)
421 {
422 	const struct task_security_struct *tsec = selinux_cred(cred);
423 	int rc;
424 	rc = avc_has_perm(&selinux_state,
425 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
426 			  FILESYSTEM__RELABELFROM, NULL);
427 	if (rc)
428 		return rc;
429 
430 	rc = avc_has_perm(&selinux_state,
431 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
432 			  FILESYSTEM__ASSOCIATE, NULL);
433 	return rc;
434 }
435 
436 static int selinux_is_genfs_special_handling(struct super_block *sb)
437 {
438 	/* Special handling. Genfs but also in-core setxattr handler */
439 	return	!strcmp(sb->s_type->name, "sysfs") ||
440 		!strcmp(sb->s_type->name, "pstore") ||
441 		!strcmp(sb->s_type->name, "debugfs") ||
442 		!strcmp(sb->s_type->name, "tracefs") ||
443 		!strcmp(sb->s_type->name, "rootfs") ||
444 		(selinux_policycap_cgroupseclabel() &&
445 		 (!strcmp(sb->s_type->name, "cgroup") ||
446 		  !strcmp(sb->s_type->name, "cgroup2")));
447 }
448 
449 static int selinux_is_sblabel_mnt(struct super_block *sb)
450 {
451 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
452 
453 	/*
454 	 * IMPORTANT: Double-check logic in this function when adding a new
455 	 * SECURITY_FS_USE_* definition!
456 	 */
457 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
458 
459 	switch (sbsec->behavior) {
460 	case SECURITY_FS_USE_XATTR:
461 	case SECURITY_FS_USE_TRANS:
462 	case SECURITY_FS_USE_TASK:
463 	case SECURITY_FS_USE_NATIVE:
464 		return 1;
465 
466 	case SECURITY_FS_USE_GENFS:
467 		return selinux_is_genfs_special_handling(sb);
468 
469 	/* Never allow relabeling on context mounts */
470 	case SECURITY_FS_USE_MNTPOINT:
471 	case SECURITY_FS_USE_NONE:
472 	default:
473 		return 0;
474 	}
475 }
476 
477 static int sb_check_xattr_support(struct super_block *sb)
478 {
479 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
480 	struct dentry *root = sb->s_root;
481 	struct inode *root_inode = d_backing_inode(root);
482 	u32 sid;
483 	int rc;
484 
485 	/*
486 	 * Make sure that the xattr handler exists and that no
487 	 * error other than -ENODATA is returned by getxattr on
488 	 * the root directory.  -ENODATA is ok, as this may be
489 	 * the first boot of the SELinux kernel before we have
490 	 * assigned xattr values to the filesystem.
491 	 */
492 	if (!(root_inode->i_opflags & IOP_XATTR)) {
493 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
494 			sb->s_id, sb->s_type->name);
495 		goto fallback;
496 	}
497 
498 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
499 	if (rc < 0 && rc != -ENODATA) {
500 		if (rc == -EOPNOTSUPP) {
501 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
502 				sb->s_id, sb->s_type->name);
503 			goto fallback;
504 		} else {
505 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
506 				sb->s_id, sb->s_type->name, -rc);
507 			return rc;
508 		}
509 	}
510 	return 0;
511 
512 fallback:
513 	/* No xattr support - try to fallback to genfs if possible. */
514 	rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
515 				SECCLASS_DIR, &sid);
516 	if (rc)
517 		return -EOPNOTSUPP;
518 
519 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
520 		sb->s_id, sb->s_type->name);
521 	sbsec->behavior = SECURITY_FS_USE_GENFS;
522 	sbsec->sid = sid;
523 	return 0;
524 }
525 
526 static int sb_finish_set_opts(struct super_block *sb)
527 {
528 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
529 	struct dentry *root = sb->s_root;
530 	struct inode *root_inode = d_backing_inode(root);
531 	int rc = 0;
532 
533 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534 		rc = sb_check_xattr_support(sb);
535 		if (rc)
536 			return rc;
537 	}
538 
539 	sbsec->flags |= SE_SBINITIALIZED;
540 
541 	/*
542 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
543 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
544 	 * us a superblock that needs the flag to be cleared.
545 	 */
546 	if (selinux_is_sblabel_mnt(sb))
547 		sbsec->flags |= SBLABEL_MNT;
548 	else
549 		sbsec->flags &= ~SBLABEL_MNT;
550 
551 	/* Initialize the root inode. */
552 	rc = inode_doinit_with_dentry(root_inode, root);
553 
554 	/* Initialize any other inodes associated with the superblock, e.g.
555 	   inodes created prior to initial policy load or inodes created
556 	   during get_sb by a pseudo filesystem that directly
557 	   populates itself. */
558 	spin_lock(&sbsec->isec_lock);
559 	while (!list_empty(&sbsec->isec_head)) {
560 		struct inode_security_struct *isec =
561 				list_first_entry(&sbsec->isec_head,
562 					   struct inode_security_struct, list);
563 		struct inode *inode = isec->inode;
564 		list_del_init(&isec->list);
565 		spin_unlock(&sbsec->isec_lock);
566 		inode = igrab(inode);
567 		if (inode) {
568 			if (!IS_PRIVATE(inode))
569 				inode_doinit_with_dentry(inode, NULL);
570 			iput(inode);
571 		}
572 		spin_lock(&sbsec->isec_lock);
573 	}
574 	spin_unlock(&sbsec->isec_lock);
575 	return rc;
576 }
577 
578 static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 		      u32 old_sid, u32 new_sid)
580 {
581 	char mnt_flags = sbsec->flags & SE_MNTMASK;
582 
583 	/* check if the old mount command had the same options */
584 	if (sbsec->flags & SE_SBINITIALIZED)
585 		if (!(sbsec->flags & flag) ||
586 		    (old_sid != new_sid))
587 			return 1;
588 
589 	/* check if we were passed the same options twice,
590 	 * aka someone passed context=a,context=b
591 	 */
592 	if (!(sbsec->flags & SE_SBINITIALIZED))
593 		if (mnt_flags & flag)
594 			return 1;
595 	return 0;
596 }
597 
598 /*
599  * Allow filesystems with binary mount data to explicitly set mount point
600  * labeling information.
601  */
602 static int selinux_set_mnt_opts(struct super_block *sb,
603 				void *mnt_opts,
604 				unsigned long kern_flags,
605 				unsigned long *set_kern_flags)
606 {
607 	const struct cred *cred = current_cred();
608 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
609 	struct dentry *root = sb->s_root;
610 	struct selinux_mnt_opts *opts = mnt_opts;
611 	struct inode_security_struct *root_isec;
612 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
613 	u32 defcontext_sid = 0;
614 	int rc = 0;
615 
616 	mutex_lock(&sbsec->lock);
617 
618 	if (!selinux_initialized(&selinux_state)) {
619 		if (!opts) {
620 			/* Defer initialization until selinux_complete_init,
621 			   after the initial policy is loaded and the security
622 			   server is ready to handle calls. */
623 			goto out;
624 		}
625 		rc = -EINVAL;
626 		pr_warn("SELinux: Unable to set superblock options "
627 			"before the security server is initialized\n");
628 		goto out;
629 	}
630 	if (kern_flags && !set_kern_flags) {
631 		/* Specifying internal flags without providing a place to
632 		 * place the results is not allowed */
633 		rc = -EINVAL;
634 		goto out;
635 	}
636 
637 	/*
638 	 * Binary mount data FS will come through this function twice.  Once
639 	 * from an explicit call and once from the generic calls from the vfs.
640 	 * Since the generic VFS calls will not contain any security mount data
641 	 * we need to skip the double mount verification.
642 	 *
643 	 * This does open a hole in which we will not notice if the first
644 	 * mount using this sb set explicit options and a second mount using
645 	 * this sb does not set any security options.  (The first options
646 	 * will be used for both mounts)
647 	 */
648 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
649 	    && !opts)
650 		goto out;
651 
652 	root_isec = backing_inode_security_novalidate(root);
653 
654 	/*
655 	 * parse the mount options, check if they are valid sids.
656 	 * also check if someone is trying to mount the same sb more
657 	 * than once with different security options.
658 	 */
659 	if (opts) {
660 		if (opts->fscontext_sid) {
661 			fscontext_sid = opts->fscontext_sid;
662 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
663 					fscontext_sid))
664 				goto out_double_mount;
665 			sbsec->flags |= FSCONTEXT_MNT;
666 		}
667 		if (opts->context_sid) {
668 			context_sid = opts->context_sid;
669 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
670 					context_sid))
671 				goto out_double_mount;
672 			sbsec->flags |= CONTEXT_MNT;
673 		}
674 		if (opts->rootcontext_sid) {
675 			rootcontext_sid = opts->rootcontext_sid;
676 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 					rootcontext_sid))
678 				goto out_double_mount;
679 			sbsec->flags |= ROOTCONTEXT_MNT;
680 		}
681 		if (opts->defcontext_sid) {
682 			defcontext_sid = opts->defcontext_sid;
683 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
684 					defcontext_sid))
685 				goto out_double_mount;
686 			sbsec->flags |= DEFCONTEXT_MNT;
687 		}
688 	}
689 
690 	if (sbsec->flags & SE_SBINITIALIZED) {
691 		/* previously mounted with options, but not on this attempt? */
692 		if ((sbsec->flags & SE_MNTMASK) && !opts)
693 			goto out_double_mount;
694 		rc = 0;
695 		goto out;
696 	}
697 
698 	if (strcmp(sb->s_type->name, "proc") == 0)
699 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
700 
701 	if (!strcmp(sb->s_type->name, "debugfs") ||
702 	    !strcmp(sb->s_type->name, "tracefs") ||
703 	    !strcmp(sb->s_type->name, "binder") ||
704 	    !strcmp(sb->s_type->name, "bpf") ||
705 	    !strcmp(sb->s_type->name, "pstore") ||
706 	    !strcmp(sb->s_type->name, "securityfs"))
707 		sbsec->flags |= SE_SBGENFS;
708 
709 	if (!strcmp(sb->s_type->name, "sysfs") ||
710 	    !strcmp(sb->s_type->name, "cgroup") ||
711 	    !strcmp(sb->s_type->name, "cgroup2"))
712 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
713 
714 	if (!sbsec->behavior) {
715 		/*
716 		 * Determine the labeling behavior to use for this
717 		 * filesystem type.
718 		 */
719 		rc = security_fs_use(&selinux_state, sb);
720 		if (rc) {
721 			pr_warn("%s: security_fs_use(%s) returned %d\n",
722 					__func__, sb->s_type->name, rc);
723 			goto out;
724 		}
725 	}
726 
727 	/*
728 	 * If this is a user namespace mount and the filesystem type is not
729 	 * explicitly whitelisted, then no contexts are allowed on the command
730 	 * line and security labels must be ignored.
731 	 */
732 	if (sb->s_user_ns != &init_user_ns &&
733 	    strcmp(sb->s_type->name, "tmpfs") &&
734 	    strcmp(sb->s_type->name, "ramfs") &&
735 	    strcmp(sb->s_type->name, "devpts") &&
736 	    strcmp(sb->s_type->name, "overlay")) {
737 		if (context_sid || fscontext_sid || rootcontext_sid ||
738 		    defcontext_sid) {
739 			rc = -EACCES;
740 			goto out;
741 		}
742 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 			rc = security_transition_sid(&selinux_state,
745 						     current_sid(),
746 						     current_sid(),
747 						     SECCLASS_FILE, NULL,
748 						     &sbsec->mntpoint_sid);
749 			if (rc)
750 				goto out;
751 		}
752 		goto out_set_opts;
753 	}
754 
755 	/* sets the context of the superblock for the fs being mounted. */
756 	if (fscontext_sid) {
757 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
758 		if (rc)
759 			goto out;
760 
761 		sbsec->sid = fscontext_sid;
762 	}
763 
764 	/*
765 	 * Switch to using mount point labeling behavior.
766 	 * sets the label used on all file below the mountpoint, and will set
767 	 * the superblock context if not already set.
768 	 */
769 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 	}
773 
774 	if (context_sid) {
775 		if (!fscontext_sid) {
776 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 							  cred);
778 			if (rc)
779 				goto out;
780 			sbsec->sid = context_sid;
781 		} else {
782 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 							     cred);
784 			if (rc)
785 				goto out;
786 		}
787 		if (!rootcontext_sid)
788 			rootcontext_sid = context_sid;
789 
790 		sbsec->mntpoint_sid = context_sid;
791 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 	}
793 
794 	if (rootcontext_sid) {
795 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 						     cred);
797 		if (rc)
798 			goto out;
799 
800 		root_isec->sid = rootcontext_sid;
801 		root_isec->initialized = LABEL_INITIALIZED;
802 	}
803 
804 	if (defcontext_sid) {
805 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
807 			rc = -EINVAL;
808 			pr_warn("SELinux: defcontext option is "
809 			       "invalid for this filesystem type\n");
810 			goto out;
811 		}
812 
813 		if (defcontext_sid != sbsec->def_sid) {
814 			rc = may_context_mount_inode_relabel(defcontext_sid,
815 							     sbsec, cred);
816 			if (rc)
817 				goto out;
818 		}
819 
820 		sbsec->def_sid = defcontext_sid;
821 	}
822 
823 out_set_opts:
824 	rc = sb_finish_set_opts(sb);
825 out:
826 	mutex_unlock(&sbsec->lock);
827 	return rc;
828 out_double_mount:
829 	rc = -EINVAL;
830 	pr_warn("SELinux: mount invalid.  Same superblock, different "
831 	       "security settings for (dev %s, type %s)\n", sb->s_id,
832 	       sb->s_type->name);
833 	goto out;
834 }
835 
836 static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 				    const struct super_block *newsb)
838 {
839 	struct superblock_security_struct *old = selinux_superblock(oldsb);
840 	struct superblock_security_struct *new = selinux_superblock(newsb);
841 	char oldflags = old->flags & SE_MNTMASK;
842 	char newflags = new->flags & SE_MNTMASK;
843 
844 	if (oldflags != newflags)
845 		goto mismatch;
846 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 		goto mismatch;
848 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 		goto mismatch;
850 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 		goto mismatch;
852 	if (oldflags & ROOTCONTEXT_MNT) {
853 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
855 		if (oldroot->sid != newroot->sid)
856 			goto mismatch;
857 	}
858 	return 0;
859 mismatch:
860 	pr_warn("SELinux: mount invalid.  Same superblock, "
861 			    "different security settings for (dev %s, "
862 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
863 	return -EBUSY;
864 }
865 
866 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
867 					struct super_block *newsb,
868 					unsigned long kern_flags,
869 					unsigned long *set_kern_flags)
870 {
871 	int rc = 0;
872 	const struct superblock_security_struct *oldsbsec =
873 						selinux_superblock(oldsb);
874 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
875 
876 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
877 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
878 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
879 
880 	/*
881 	 * if the parent was able to be mounted it clearly had no special lsm
882 	 * mount options.  thus we can safely deal with this superblock later
883 	 */
884 	if (!selinux_initialized(&selinux_state))
885 		return 0;
886 
887 	/*
888 	 * Specifying internal flags without providing a place to
889 	 * place the results is not allowed.
890 	 */
891 	if (kern_flags && !set_kern_flags)
892 		return -EINVAL;
893 
894 	/* how can we clone if the old one wasn't set up?? */
895 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
896 
897 	/* if fs is reusing a sb, make sure that the contexts match */
898 	if (newsbsec->flags & SE_SBINITIALIZED) {
899 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
900 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
901 		return selinux_cmp_sb_context(oldsb, newsb);
902 	}
903 
904 	mutex_lock(&newsbsec->lock);
905 
906 	newsbsec->flags = oldsbsec->flags;
907 
908 	newsbsec->sid = oldsbsec->sid;
909 	newsbsec->def_sid = oldsbsec->def_sid;
910 	newsbsec->behavior = oldsbsec->behavior;
911 
912 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
913 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
914 		rc = security_fs_use(&selinux_state, newsb);
915 		if (rc)
916 			goto out;
917 	}
918 
919 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
920 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
921 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
922 	}
923 
924 	if (set_context) {
925 		u32 sid = oldsbsec->mntpoint_sid;
926 
927 		if (!set_fscontext)
928 			newsbsec->sid = sid;
929 		if (!set_rootcontext) {
930 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
931 			newisec->sid = sid;
932 		}
933 		newsbsec->mntpoint_sid = sid;
934 	}
935 	if (set_rootcontext) {
936 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
937 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
938 
939 		newisec->sid = oldisec->sid;
940 	}
941 
942 	sb_finish_set_opts(newsb);
943 out:
944 	mutex_unlock(&newsbsec->lock);
945 	return rc;
946 }
947 
948 /*
949  * NOTE: the caller is resposible for freeing the memory even if on error.
950  */
951 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
952 {
953 	struct selinux_mnt_opts *opts = *mnt_opts;
954 	u32 *dst_sid;
955 	int rc;
956 
957 	if (token == Opt_seclabel)
958 		/* eaten and completely ignored */
959 		return 0;
960 	if (!s)
961 		return -EINVAL;
962 
963 	if (!selinux_initialized(&selinux_state)) {
964 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
965 		return -EINVAL;
966 	}
967 
968 	if (!opts) {
969 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
970 		if (!opts)
971 			return -ENOMEM;
972 		*mnt_opts = opts;
973 	}
974 
975 	switch (token) {
976 	case Opt_context:
977 		if (opts->context_sid || opts->defcontext_sid)
978 			goto err;
979 		dst_sid = &opts->context_sid;
980 		break;
981 	case Opt_fscontext:
982 		if (opts->fscontext_sid)
983 			goto err;
984 		dst_sid = &opts->fscontext_sid;
985 		break;
986 	case Opt_rootcontext:
987 		if (opts->rootcontext_sid)
988 			goto err;
989 		dst_sid = &opts->rootcontext_sid;
990 		break;
991 	case Opt_defcontext:
992 		if (opts->context_sid || opts->defcontext_sid)
993 			goto err;
994 		dst_sid = &opts->defcontext_sid;
995 		break;
996 	default:
997 		WARN_ON(1);
998 		return -EINVAL;
999 	}
1000 	rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
1001 	if (rc)
1002 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1003 			s, rc);
1004 	return rc;
1005 
1006 err:
1007 	pr_warn(SEL_MOUNT_FAIL_MSG);
1008 	return -EINVAL;
1009 }
1010 
1011 static int show_sid(struct seq_file *m, u32 sid)
1012 {
1013 	char *context = NULL;
1014 	u32 len;
1015 	int rc;
1016 
1017 	rc = security_sid_to_context(&selinux_state, sid,
1018 					     &context, &len);
1019 	if (!rc) {
1020 		bool has_comma = strchr(context, ',');
1021 
1022 		seq_putc(m, '=');
1023 		if (has_comma)
1024 			seq_putc(m, '\"');
1025 		seq_escape(m, context, "\"\n\\");
1026 		if (has_comma)
1027 			seq_putc(m, '\"');
1028 	}
1029 	kfree(context);
1030 	return rc;
1031 }
1032 
1033 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1034 {
1035 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1036 	int rc;
1037 
1038 	if (!(sbsec->flags & SE_SBINITIALIZED))
1039 		return 0;
1040 
1041 	if (!selinux_initialized(&selinux_state))
1042 		return 0;
1043 
1044 	if (sbsec->flags & FSCONTEXT_MNT) {
1045 		seq_putc(m, ',');
1046 		seq_puts(m, FSCONTEXT_STR);
1047 		rc = show_sid(m, sbsec->sid);
1048 		if (rc)
1049 			return rc;
1050 	}
1051 	if (sbsec->flags & CONTEXT_MNT) {
1052 		seq_putc(m, ',');
1053 		seq_puts(m, CONTEXT_STR);
1054 		rc = show_sid(m, sbsec->mntpoint_sid);
1055 		if (rc)
1056 			return rc;
1057 	}
1058 	if (sbsec->flags & DEFCONTEXT_MNT) {
1059 		seq_putc(m, ',');
1060 		seq_puts(m, DEFCONTEXT_STR);
1061 		rc = show_sid(m, sbsec->def_sid);
1062 		if (rc)
1063 			return rc;
1064 	}
1065 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1066 		struct dentry *root = sb->s_root;
1067 		struct inode_security_struct *isec = backing_inode_security(root);
1068 		seq_putc(m, ',');
1069 		seq_puts(m, ROOTCONTEXT_STR);
1070 		rc = show_sid(m, isec->sid);
1071 		if (rc)
1072 			return rc;
1073 	}
1074 	if (sbsec->flags & SBLABEL_MNT) {
1075 		seq_putc(m, ',');
1076 		seq_puts(m, SECLABEL_STR);
1077 	}
1078 	return 0;
1079 }
1080 
1081 static inline u16 inode_mode_to_security_class(umode_t mode)
1082 {
1083 	switch (mode & S_IFMT) {
1084 	case S_IFSOCK:
1085 		return SECCLASS_SOCK_FILE;
1086 	case S_IFLNK:
1087 		return SECCLASS_LNK_FILE;
1088 	case S_IFREG:
1089 		return SECCLASS_FILE;
1090 	case S_IFBLK:
1091 		return SECCLASS_BLK_FILE;
1092 	case S_IFDIR:
1093 		return SECCLASS_DIR;
1094 	case S_IFCHR:
1095 		return SECCLASS_CHR_FILE;
1096 	case S_IFIFO:
1097 		return SECCLASS_FIFO_FILE;
1098 
1099 	}
1100 
1101 	return SECCLASS_FILE;
1102 }
1103 
1104 static inline int default_protocol_stream(int protocol)
1105 {
1106 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1107 		protocol == IPPROTO_MPTCP);
1108 }
1109 
1110 static inline int default_protocol_dgram(int protocol)
1111 {
1112 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1113 }
1114 
1115 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1116 {
1117 	int extsockclass = selinux_policycap_extsockclass();
1118 
1119 	switch (family) {
1120 	case PF_UNIX:
1121 		switch (type) {
1122 		case SOCK_STREAM:
1123 		case SOCK_SEQPACKET:
1124 			return SECCLASS_UNIX_STREAM_SOCKET;
1125 		case SOCK_DGRAM:
1126 		case SOCK_RAW:
1127 			return SECCLASS_UNIX_DGRAM_SOCKET;
1128 		}
1129 		break;
1130 	case PF_INET:
1131 	case PF_INET6:
1132 		switch (type) {
1133 		case SOCK_STREAM:
1134 		case SOCK_SEQPACKET:
1135 			if (default_protocol_stream(protocol))
1136 				return SECCLASS_TCP_SOCKET;
1137 			else if (extsockclass && protocol == IPPROTO_SCTP)
1138 				return SECCLASS_SCTP_SOCKET;
1139 			else
1140 				return SECCLASS_RAWIP_SOCKET;
1141 		case SOCK_DGRAM:
1142 			if (default_protocol_dgram(protocol))
1143 				return SECCLASS_UDP_SOCKET;
1144 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1145 						  protocol == IPPROTO_ICMPV6))
1146 				return SECCLASS_ICMP_SOCKET;
1147 			else
1148 				return SECCLASS_RAWIP_SOCKET;
1149 		case SOCK_DCCP:
1150 			return SECCLASS_DCCP_SOCKET;
1151 		default:
1152 			return SECCLASS_RAWIP_SOCKET;
1153 		}
1154 		break;
1155 	case PF_NETLINK:
1156 		switch (protocol) {
1157 		case NETLINK_ROUTE:
1158 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1159 		case NETLINK_SOCK_DIAG:
1160 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1161 		case NETLINK_NFLOG:
1162 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1163 		case NETLINK_XFRM:
1164 			return SECCLASS_NETLINK_XFRM_SOCKET;
1165 		case NETLINK_SELINUX:
1166 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1167 		case NETLINK_ISCSI:
1168 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1169 		case NETLINK_AUDIT:
1170 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1171 		case NETLINK_FIB_LOOKUP:
1172 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1173 		case NETLINK_CONNECTOR:
1174 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1175 		case NETLINK_NETFILTER:
1176 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1177 		case NETLINK_DNRTMSG:
1178 			return SECCLASS_NETLINK_DNRT_SOCKET;
1179 		case NETLINK_KOBJECT_UEVENT:
1180 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1181 		case NETLINK_GENERIC:
1182 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1183 		case NETLINK_SCSITRANSPORT:
1184 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1185 		case NETLINK_RDMA:
1186 			return SECCLASS_NETLINK_RDMA_SOCKET;
1187 		case NETLINK_CRYPTO:
1188 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1189 		default:
1190 			return SECCLASS_NETLINK_SOCKET;
1191 		}
1192 	case PF_PACKET:
1193 		return SECCLASS_PACKET_SOCKET;
1194 	case PF_KEY:
1195 		return SECCLASS_KEY_SOCKET;
1196 	case PF_APPLETALK:
1197 		return SECCLASS_APPLETALK_SOCKET;
1198 	}
1199 
1200 	if (extsockclass) {
1201 		switch (family) {
1202 		case PF_AX25:
1203 			return SECCLASS_AX25_SOCKET;
1204 		case PF_IPX:
1205 			return SECCLASS_IPX_SOCKET;
1206 		case PF_NETROM:
1207 			return SECCLASS_NETROM_SOCKET;
1208 		case PF_ATMPVC:
1209 			return SECCLASS_ATMPVC_SOCKET;
1210 		case PF_X25:
1211 			return SECCLASS_X25_SOCKET;
1212 		case PF_ROSE:
1213 			return SECCLASS_ROSE_SOCKET;
1214 		case PF_DECnet:
1215 			return SECCLASS_DECNET_SOCKET;
1216 		case PF_ATMSVC:
1217 			return SECCLASS_ATMSVC_SOCKET;
1218 		case PF_RDS:
1219 			return SECCLASS_RDS_SOCKET;
1220 		case PF_IRDA:
1221 			return SECCLASS_IRDA_SOCKET;
1222 		case PF_PPPOX:
1223 			return SECCLASS_PPPOX_SOCKET;
1224 		case PF_LLC:
1225 			return SECCLASS_LLC_SOCKET;
1226 		case PF_CAN:
1227 			return SECCLASS_CAN_SOCKET;
1228 		case PF_TIPC:
1229 			return SECCLASS_TIPC_SOCKET;
1230 		case PF_BLUETOOTH:
1231 			return SECCLASS_BLUETOOTH_SOCKET;
1232 		case PF_IUCV:
1233 			return SECCLASS_IUCV_SOCKET;
1234 		case PF_RXRPC:
1235 			return SECCLASS_RXRPC_SOCKET;
1236 		case PF_ISDN:
1237 			return SECCLASS_ISDN_SOCKET;
1238 		case PF_PHONET:
1239 			return SECCLASS_PHONET_SOCKET;
1240 		case PF_IEEE802154:
1241 			return SECCLASS_IEEE802154_SOCKET;
1242 		case PF_CAIF:
1243 			return SECCLASS_CAIF_SOCKET;
1244 		case PF_ALG:
1245 			return SECCLASS_ALG_SOCKET;
1246 		case PF_NFC:
1247 			return SECCLASS_NFC_SOCKET;
1248 		case PF_VSOCK:
1249 			return SECCLASS_VSOCK_SOCKET;
1250 		case PF_KCM:
1251 			return SECCLASS_KCM_SOCKET;
1252 		case PF_QIPCRTR:
1253 			return SECCLASS_QIPCRTR_SOCKET;
1254 		case PF_SMC:
1255 			return SECCLASS_SMC_SOCKET;
1256 		case PF_XDP:
1257 			return SECCLASS_XDP_SOCKET;
1258 		case PF_MCTP:
1259 			return SECCLASS_MCTP_SOCKET;
1260 #if PF_MAX > 46
1261 #error New address family defined, please update this function.
1262 #endif
1263 		}
1264 	}
1265 
1266 	return SECCLASS_SOCKET;
1267 }
1268 
1269 static int selinux_genfs_get_sid(struct dentry *dentry,
1270 				 u16 tclass,
1271 				 u16 flags,
1272 				 u32 *sid)
1273 {
1274 	int rc;
1275 	struct super_block *sb = dentry->d_sb;
1276 	char *buffer, *path;
1277 
1278 	buffer = (char *)__get_free_page(GFP_KERNEL);
1279 	if (!buffer)
1280 		return -ENOMEM;
1281 
1282 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1283 	if (IS_ERR(path))
1284 		rc = PTR_ERR(path);
1285 	else {
1286 		if (flags & SE_SBPROC) {
1287 			/* each process gets a /proc/PID/ entry. Strip off the
1288 			 * PID part to get a valid selinux labeling.
1289 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1290 			while (path[1] >= '0' && path[1] <= '9') {
1291 				path[1] = '/';
1292 				path++;
1293 			}
1294 		}
1295 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1296 					path, tclass, sid);
1297 		if (rc == -ENOENT) {
1298 			/* No match in policy, mark as unlabeled. */
1299 			*sid = SECINITSID_UNLABELED;
1300 			rc = 0;
1301 		}
1302 	}
1303 	free_page((unsigned long)buffer);
1304 	return rc;
1305 }
1306 
1307 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1308 				  u32 def_sid, u32 *sid)
1309 {
1310 #define INITCONTEXTLEN 255
1311 	char *context;
1312 	unsigned int len;
1313 	int rc;
1314 
1315 	len = INITCONTEXTLEN;
1316 	context = kmalloc(len + 1, GFP_NOFS);
1317 	if (!context)
1318 		return -ENOMEM;
1319 
1320 	context[len] = '\0';
1321 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1322 	if (rc == -ERANGE) {
1323 		kfree(context);
1324 
1325 		/* Need a larger buffer.  Query for the right size. */
1326 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1327 		if (rc < 0)
1328 			return rc;
1329 
1330 		len = rc;
1331 		context = kmalloc(len + 1, GFP_NOFS);
1332 		if (!context)
1333 			return -ENOMEM;
1334 
1335 		context[len] = '\0';
1336 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1337 				    context, len);
1338 	}
1339 	if (rc < 0) {
1340 		kfree(context);
1341 		if (rc != -ENODATA) {
1342 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1343 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1344 			return rc;
1345 		}
1346 		*sid = def_sid;
1347 		return 0;
1348 	}
1349 
1350 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1351 					     def_sid, GFP_NOFS);
1352 	if (rc) {
1353 		char *dev = inode->i_sb->s_id;
1354 		unsigned long ino = inode->i_ino;
1355 
1356 		if (rc == -EINVAL) {
1357 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1358 					      ino, dev, context);
1359 		} else {
1360 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1361 				__func__, context, -rc, dev, ino);
1362 		}
1363 	}
1364 	kfree(context);
1365 	return 0;
1366 }
1367 
1368 /* The inode's security attributes must be initialized before first use. */
1369 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1370 {
1371 	struct superblock_security_struct *sbsec = NULL;
1372 	struct inode_security_struct *isec = selinux_inode(inode);
1373 	u32 task_sid, sid = 0;
1374 	u16 sclass;
1375 	struct dentry *dentry;
1376 	int rc = 0;
1377 
1378 	if (isec->initialized == LABEL_INITIALIZED)
1379 		return 0;
1380 
1381 	spin_lock(&isec->lock);
1382 	if (isec->initialized == LABEL_INITIALIZED)
1383 		goto out_unlock;
1384 
1385 	if (isec->sclass == SECCLASS_FILE)
1386 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1387 
1388 	sbsec = selinux_superblock(inode->i_sb);
1389 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1390 		/* Defer initialization until selinux_complete_init,
1391 		   after the initial policy is loaded and the security
1392 		   server is ready to handle calls. */
1393 		spin_lock(&sbsec->isec_lock);
1394 		if (list_empty(&isec->list))
1395 			list_add(&isec->list, &sbsec->isec_head);
1396 		spin_unlock(&sbsec->isec_lock);
1397 		goto out_unlock;
1398 	}
1399 
1400 	sclass = isec->sclass;
1401 	task_sid = isec->task_sid;
1402 	sid = isec->sid;
1403 	isec->initialized = LABEL_PENDING;
1404 	spin_unlock(&isec->lock);
1405 
1406 	switch (sbsec->behavior) {
1407 	case SECURITY_FS_USE_NATIVE:
1408 		break;
1409 	case SECURITY_FS_USE_XATTR:
1410 		if (!(inode->i_opflags & IOP_XATTR)) {
1411 			sid = sbsec->def_sid;
1412 			break;
1413 		}
1414 		/* Need a dentry, since the xattr API requires one.
1415 		   Life would be simpler if we could just pass the inode. */
1416 		if (opt_dentry) {
1417 			/* Called from d_instantiate or d_splice_alias. */
1418 			dentry = dget(opt_dentry);
1419 		} else {
1420 			/*
1421 			 * Called from selinux_complete_init, try to find a dentry.
1422 			 * Some filesystems really want a connected one, so try
1423 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1424 			 * two, depending upon that...
1425 			 */
1426 			dentry = d_find_alias(inode);
1427 			if (!dentry)
1428 				dentry = d_find_any_alias(inode);
1429 		}
1430 		if (!dentry) {
1431 			/*
1432 			 * this is can be hit on boot when a file is accessed
1433 			 * before the policy is loaded.  When we load policy we
1434 			 * may find inodes that have no dentry on the
1435 			 * sbsec->isec_head list.  No reason to complain as these
1436 			 * will get fixed up the next time we go through
1437 			 * inode_doinit with a dentry, before these inodes could
1438 			 * be used again by userspace.
1439 			 */
1440 			goto out_invalid;
1441 		}
1442 
1443 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1444 					    &sid);
1445 		dput(dentry);
1446 		if (rc)
1447 			goto out;
1448 		break;
1449 	case SECURITY_FS_USE_TASK:
1450 		sid = task_sid;
1451 		break;
1452 	case SECURITY_FS_USE_TRANS:
1453 		/* Default to the fs SID. */
1454 		sid = sbsec->sid;
1455 
1456 		/* Try to obtain a transition SID. */
1457 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1458 					     sclass, NULL, &sid);
1459 		if (rc)
1460 			goto out;
1461 		break;
1462 	case SECURITY_FS_USE_MNTPOINT:
1463 		sid = sbsec->mntpoint_sid;
1464 		break;
1465 	default:
1466 		/* Default to the fs superblock SID. */
1467 		sid = sbsec->sid;
1468 
1469 		if ((sbsec->flags & SE_SBGENFS) &&
1470 		     (!S_ISLNK(inode->i_mode) ||
1471 		      selinux_policycap_genfs_seclabel_symlinks())) {
1472 			/* We must have a dentry to determine the label on
1473 			 * procfs inodes */
1474 			if (opt_dentry) {
1475 				/* Called from d_instantiate or
1476 				 * d_splice_alias. */
1477 				dentry = dget(opt_dentry);
1478 			} else {
1479 				/* Called from selinux_complete_init, try to
1480 				 * find a dentry.  Some filesystems really want
1481 				 * a connected one, so try that first.
1482 				 */
1483 				dentry = d_find_alias(inode);
1484 				if (!dentry)
1485 					dentry = d_find_any_alias(inode);
1486 			}
1487 			/*
1488 			 * This can be hit on boot when a file is accessed
1489 			 * before the policy is loaded.  When we load policy we
1490 			 * may find inodes that have no dentry on the
1491 			 * sbsec->isec_head list.  No reason to complain as
1492 			 * these will get fixed up the next time we go through
1493 			 * inode_doinit() with a dentry, before these inodes
1494 			 * could be used again by userspace.
1495 			 */
1496 			if (!dentry)
1497 				goto out_invalid;
1498 			rc = selinux_genfs_get_sid(dentry, sclass,
1499 						   sbsec->flags, &sid);
1500 			if (rc) {
1501 				dput(dentry);
1502 				goto out;
1503 			}
1504 
1505 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1506 			    (inode->i_opflags & IOP_XATTR)) {
1507 				rc = inode_doinit_use_xattr(inode, dentry,
1508 							    sid, &sid);
1509 				if (rc) {
1510 					dput(dentry);
1511 					goto out;
1512 				}
1513 			}
1514 			dput(dentry);
1515 		}
1516 		break;
1517 	}
1518 
1519 out:
1520 	spin_lock(&isec->lock);
1521 	if (isec->initialized == LABEL_PENDING) {
1522 		if (rc) {
1523 			isec->initialized = LABEL_INVALID;
1524 			goto out_unlock;
1525 		}
1526 		isec->initialized = LABEL_INITIALIZED;
1527 		isec->sid = sid;
1528 	}
1529 
1530 out_unlock:
1531 	spin_unlock(&isec->lock);
1532 	return rc;
1533 
1534 out_invalid:
1535 	spin_lock(&isec->lock);
1536 	if (isec->initialized == LABEL_PENDING) {
1537 		isec->initialized = LABEL_INVALID;
1538 		isec->sid = sid;
1539 	}
1540 	spin_unlock(&isec->lock);
1541 	return 0;
1542 }
1543 
1544 /* Convert a Linux signal to an access vector. */
1545 static inline u32 signal_to_av(int sig)
1546 {
1547 	u32 perm = 0;
1548 
1549 	switch (sig) {
1550 	case SIGCHLD:
1551 		/* Commonly granted from child to parent. */
1552 		perm = PROCESS__SIGCHLD;
1553 		break;
1554 	case SIGKILL:
1555 		/* Cannot be caught or ignored */
1556 		perm = PROCESS__SIGKILL;
1557 		break;
1558 	case SIGSTOP:
1559 		/* Cannot be caught or ignored */
1560 		perm = PROCESS__SIGSTOP;
1561 		break;
1562 	default:
1563 		/* All other signals. */
1564 		perm = PROCESS__SIGNAL;
1565 		break;
1566 	}
1567 
1568 	return perm;
1569 }
1570 
1571 #if CAP_LAST_CAP > 63
1572 #error Fix SELinux to handle capabilities > 63.
1573 #endif
1574 
1575 /* Check whether a task is allowed to use a capability. */
1576 static int cred_has_capability(const struct cred *cred,
1577 			       int cap, unsigned int opts, bool initns)
1578 {
1579 	struct common_audit_data ad;
1580 	struct av_decision avd;
1581 	u16 sclass;
1582 	u32 sid = cred_sid(cred);
1583 	u32 av = CAP_TO_MASK(cap);
1584 	int rc;
1585 
1586 	ad.type = LSM_AUDIT_DATA_CAP;
1587 	ad.u.cap = cap;
1588 
1589 	switch (CAP_TO_INDEX(cap)) {
1590 	case 0:
1591 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1592 		break;
1593 	case 1:
1594 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1595 		break;
1596 	default:
1597 		pr_err("SELinux:  out of range capability %d\n", cap);
1598 		BUG();
1599 		return -EINVAL;
1600 	}
1601 
1602 	rc = avc_has_perm_noaudit(&selinux_state,
1603 				  sid, sid, sclass, av, 0, &avd);
1604 	if (!(opts & CAP_OPT_NOAUDIT)) {
1605 		int rc2 = avc_audit(&selinux_state,
1606 				    sid, sid, sclass, av, &avd, rc, &ad);
1607 		if (rc2)
1608 			return rc2;
1609 	}
1610 	return rc;
1611 }
1612 
1613 /* Check whether a task has a particular permission to an inode.
1614    The 'adp' parameter is optional and allows other audit
1615    data to be passed (e.g. the dentry). */
1616 static int inode_has_perm(const struct cred *cred,
1617 			  struct inode *inode,
1618 			  u32 perms,
1619 			  struct common_audit_data *adp)
1620 {
1621 	struct inode_security_struct *isec;
1622 	u32 sid;
1623 
1624 	validate_creds(cred);
1625 
1626 	if (unlikely(IS_PRIVATE(inode)))
1627 		return 0;
1628 
1629 	sid = cred_sid(cred);
1630 	isec = selinux_inode(inode);
1631 
1632 	return avc_has_perm(&selinux_state,
1633 			    sid, isec->sid, isec->sclass, perms, adp);
1634 }
1635 
1636 /* Same as inode_has_perm, but pass explicit audit data containing
1637    the dentry to help the auditing code to more easily generate the
1638    pathname if needed. */
1639 static inline int dentry_has_perm(const struct cred *cred,
1640 				  struct dentry *dentry,
1641 				  u32 av)
1642 {
1643 	struct inode *inode = d_backing_inode(dentry);
1644 	struct common_audit_data ad;
1645 
1646 	ad.type = LSM_AUDIT_DATA_DENTRY;
1647 	ad.u.dentry = dentry;
1648 	__inode_security_revalidate(inode, dentry, true);
1649 	return inode_has_perm(cred, inode, av, &ad);
1650 }
1651 
1652 /* Same as inode_has_perm, but pass explicit audit data containing
1653    the path to help the auditing code to more easily generate the
1654    pathname if needed. */
1655 static inline int path_has_perm(const struct cred *cred,
1656 				const struct path *path,
1657 				u32 av)
1658 {
1659 	struct inode *inode = d_backing_inode(path->dentry);
1660 	struct common_audit_data ad;
1661 
1662 	ad.type = LSM_AUDIT_DATA_PATH;
1663 	ad.u.path = *path;
1664 	__inode_security_revalidate(inode, path->dentry, true);
1665 	return inode_has_perm(cred, inode, av, &ad);
1666 }
1667 
1668 /* Same as path_has_perm, but uses the inode from the file struct. */
1669 static inline int file_path_has_perm(const struct cred *cred,
1670 				     struct file *file,
1671 				     u32 av)
1672 {
1673 	struct common_audit_data ad;
1674 
1675 	ad.type = LSM_AUDIT_DATA_FILE;
1676 	ad.u.file = file;
1677 	return inode_has_perm(cred, file_inode(file), av, &ad);
1678 }
1679 
1680 #ifdef CONFIG_BPF_SYSCALL
1681 static int bpf_fd_pass(struct file *file, u32 sid);
1682 #endif
1683 
1684 /* Check whether a task can use an open file descriptor to
1685    access an inode in a given way.  Check access to the
1686    descriptor itself, and then use dentry_has_perm to
1687    check a particular permission to the file.
1688    Access to the descriptor is implicitly granted if it
1689    has the same SID as the process.  If av is zero, then
1690    access to the file is not checked, e.g. for cases
1691    where only the descriptor is affected like seek. */
1692 static int file_has_perm(const struct cred *cred,
1693 			 struct file *file,
1694 			 u32 av)
1695 {
1696 	struct file_security_struct *fsec = selinux_file(file);
1697 	struct inode *inode = file_inode(file);
1698 	struct common_audit_data ad;
1699 	u32 sid = cred_sid(cred);
1700 	int rc;
1701 
1702 	ad.type = LSM_AUDIT_DATA_FILE;
1703 	ad.u.file = file;
1704 
1705 	if (sid != fsec->sid) {
1706 		rc = avc_has_perm(&selinux_state,
1707 				  sid, fsec->sid,
1708 				  SECCLASS_FD,
1709 				  FD__USE,
1710 				  &ad);
1711 		if (rc)
1712 			goto out;
1713 	}
1714 
1715 #ifdef CONFIG_BPF_SYSCALL
1716 	rc = bpf_fd_pass(file, cred_sid(cred));
1717 	if (rc)
1718 		return rc;
1719 #endif
1720 
1721 	/* av is zero if only checking access to the descriptor. */
1722 	rc = 0;
1723 	if (av)
1724 		rc = inode_has_perm(cred, inode, av, &ad);
1725 
1726 out:
1727 	return rc;
1728 }
1729 
1730 /*
1731  * Determine the label for an inode that might be unioned.
1732  */
1733 static int
1734 selinux_determine_inode_label(const struct task_security_struct *tsec,
1735 				 struct inode *dir,
1736 				 const struct qstr *name, u16 tclass,
1737 				 u32 *_new_isid)
1738 {
1739 	const struct superblock_security_struct *sbsec =
1740 						selinux_superblock(dir->i_sb);
1741 
1742 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1743 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1744 		*_new_isid = sbsec->mntpoint_sid;
1745 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1746 		   tsec->create_sid) {
1747 		*_new_isid = tsec->create_sid;
1748 	} else {
1749 		const struct inode_security_struct *dsec = inode_security(dir);
1750 		return security_transition_sid(&selinux_state, tsec->sid,
1751 					       dsec->sid, tclass,
1752 					       name, _new_isid);
1753 	}
1754 
1755 	return 0;
1756 }
1757 
1758 /* Check whether a task can create a file. */
1759 static int may_create(struct inode *dir,
1760 		      struct dentry *dentry,
1761 		      u16 tclass)
1762 {
1763 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1764 	struct inode_security_struct *dsec;
1765 	struct superblock_security_struct *sbsec;
1766 	u32 sid, newsid;
1767 	struct common_audit_data ad;
1768 	int rc;
1769 
1770 	dsec = inode_security(dir);
1771 	sbsec = selinux_superblock(dir->i_sb);
1772 
1773 	sid = tsec->sid;
1774 
1775 	ad.type = LSM_AUDIT_DATA_DENTRY;
1776 	ad.u.dentry = dentry;
1777 
1778 	rc = avc_has_perm(&selinux_state,
1779 			  sid, dsec->sid, SECCLASS_DIR,
1780 			  DIR__ADD_NAME | DIR__SEARCH,
1781 			  &ad);
1782 	if (rc)
1783 		return rc;
1784 
1785 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1786 					   &newsid);
1787 	if (rc)
1788 		return rc;
1789 
1790 	rc = avc_has_perm(&selinux_state,
1791 			  sid, newsid, tclass, FILE__CREATE, &ad);
1792 	if (rc)
1793 		return rc;
1794 
1795 	return avc_has_perm(&selinux_state,
1796 			    newsid, sbsec->sid,
1797 			    SECCLASS_FILESYSTEM,
1798 			    FILESYSTEM__ASSOCIATE, &ad);
1799 }
1800 
1801 #define MAY_LINK	0
1802 #define MAY_UNLINK	1
1803 #define MAY_RMDIR	2
1804 
1805 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1806 static int may_link(struct inode *dir,
1807 		    struct dentry *dentry,
1808 		    int kind)
1809 
1810 {
1811 	struct inode_security_struct *dsec, *isec;
1812 	struct common_audit_data ad;
1813 	u32 sid = current_sid();
1814 	u32 av;
1815 	int rc;
1816 
1817 	dsec = inode_security(dir);
1818 	isec = backing_inode_security(dentry);
1819 
1820 	ad.type = LSM_AUDIT_DATA_DENTRY;
1821 	ad.u.dentry = dentry;
1822 
1823 	av = DIR__SEARCH;
1824 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1825 	rc = avc_has_perm(&selinux_state,
1826 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1827 	if (rc)
1828 		return rc;
1829 
1830 	switch (kind) {
1831 	case MAY_LINK:
1832 		av = FILE__LINK;
1833 		break;
1834 	case MAY_UNLINK:
1835 		av = FILE__UNLINK;
1836 		break;
1837 	case MAY_RMDIR:
1838 		av = DIR__RMDIR;
1839 		break;
1840 	default:
1841 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1842 			__func__, kind);
1843 		return 0;
1844 	}
1845 
1846 	rc = avc_has_perm(&selinux_state,
1847 			  sid, isec->sid, isec->sclass, av, &ad);
1848 	return rc;
1849 }
1850 
1851 static inline int may_rename(struct inode *old_dir,
1852 			     struct dentry *old_dentry,
1853 			     struct inode *new_dir,
1854 			     struct dentry *new_dentry)
1855 {
1856 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1857 	struct common_audit_data ad;
1858 	u32 sid = current_sid();
1859 	u32 av;
1860 	int old_is_dir, new_is_dir;
1861 	int rc;
1862 
1863 	old_dsec = inode_security(old_dir);
1864 	old_isec = backing_inode_security(old_dentry);
1865 	old_is_dir = d_is_dir(old_dentry);
1866 	new_dsec = inode_security(new_dir);
1867 
1868 	ad.type = LSM_AUDIT_DATA_DENTRY;
1869 
1870 	ad.u.dentry = old_dentry;
1871 	rc = avc_has_perm(&selinux_state,
1872 			  sid, old_dsec->sid, SECCLASS_DIR,
1873 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1874 	if (rc)
1875 		return rc;
1876 	rc = avc_has_perm(&selinux_state,
1877 			  sid, old_isec->sid,
1878 			  old_isec->sclass, FILE__RENAME, &ad);
1879 	if (rc)
1880 		return rc;
1881 	if (old_is_dir && new_dir != old_dir) {
1882 		rc = avc_has_perm(&selinux_state,
1883 				  sid, old_isec->sid,
1884 				  old_isec->sclass, DIR__REPARENT, &ad);
1885 		if (rc)
1886 			return rc;
1887 	}
1888 
1889 	ad.u.dentry = new_dentry;
1890 	av = DIR__ADD_NAME | DIR__SEARCH;
1891 	if (d_is_positive(new_dentry))
1892 		av |= DIR__REMOVE_NAME;
1893 	rc = avc_has_perm(&selinux_state,
1894 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1895 	if (rc)
1896 		return rc;
1897 	if (d_is_positive(new_dentry)) {
1898 		new_isec = backing_inode_security(new_dentry);
1899 		new_is_dir = d_is_dir(new_dentry);
1900 		rc = avc_has_perm(&selinux_state,
1901 				  sid, new_isec->sid,
1902 				  new_isec->sclass,
1903 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1904 		if (rc)
1905 			return rc;
1906 	}
1907 
1908 	return 0;
1909 }
1910 
1911 /* Check whether a task can perform a filesystem operation. */
1912 static int superblock_has_perm(const struct cred *cred,
1913 			       struct super_block *sb,
1914 			       u32 perms,
1915 			       struct common_audit_data *ad)
1916 {
1917 	struct superblock_security_struct *sbsec;
1918 	u32 sid = cred_sid(cred);
1919 
1920 	sbsec = selinux_superblock(sb);
1921 	return avc_has_perm(&selinux_state,
1922 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1923 }
1924 
1925 /* Convert a Linux mode and permission mask to an access vector. */
1926 static inline u32 file_mask_to_av(int mode, int mask)
1927 {
1928 	u32 av = 0;
1929 
1930 	if (!S_ISDIR(mode)) {
1931 		if (mask & MAY_EXEC)
1932 			av |= FILE__EXECUTE;
1933 		if (mask & MAY_READ)
1934 			av |= FILE__READ;
1935 
1936 		if (mask & MAY_APPEND)
1937 			av |= FILE__APPEND;
1938 		else if (mask & MAY_WRITE)
1939 			av |= FILE__WRITE;
1940 
1941 	} else {
1942 		if (mask & MAY_EXEC)
1943 			av |= DIR__SEARCH;
1944 		if (mask & MAY_WRITE)
1945 			av |= DIR__WRITE;
1946 		if (mask & MAY_READ)
1947 			av |= DIR__READ;
1948 	}
1949 
1950 	return av;
1951 }
1952 
1953 /* Convert a Linux file to an access vector. */
1954 static inline u32 file_to_av(struct file *file)
1955 {
1956 	u32 av = 0;
1957 
1958 	if (file->f_mode & FMODE_READ)
1959 		av |= FILE__READ;
1960 	if (file->f_mode & FMODE_WRITE) {
1961 		if (file->f_flags & O_APPEND)
1962 			av |= FILE__APPEND;
1963 		else
1964 			av |= FILE__WRITE;
1965 	}
1966 	if (!av) {
1967 		/*
1968 		 * Special file opened with flags 3 for ioctl-only use.
1969 		 */
1970 		av = FILE__IOCTL;
1971 	}
1972 
1973 	return av;
1974 }
1975 
1976 /*
1977  * Convert a file to an access vector and include the correct
1978  * open permission.
1979  */
1980 static inline u32 open_file_to_av(struct file *file)
1981 {
1982 	u32 av = file_to_av(file);
1983 	struct inode *inode = file_inode(file);
1984 
1985 	if (selinux_policycap_openperm() &&
1986 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1987 		av |= FILE__OPEN;
1988 
1989 	return av;
1990 }
1991 
1992 /* Hook functions begin here. */
1993 
1994 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1995 {
1996 	return avc_has_perm(&selinux_state,
1997 			    current_sid(), cred_sid(mgr), SECCLASS_BINDER,
1998 			    BINDER__SET_CONTEXT_MGR, NULL);
1999 }
2000 
2001 static int selinux_binder_transaction(const struct cred *from,
2002 				      const struct cred *to)
2003 {
2004 	u32 mysid = current_sid();
2005 	u32 fromsid = cred_sid(from);
2006 	u32 tosid = cred_sid(to);
2007 	int rc;
2008 
2009 	if (mysid != fromsid) {
2010 		rc = avc_has_perm(&selinux_state,
2011 				  mysid, fromsid, SECCLASS_BINDER,
2012 				  BINDER__IMPERSONATE, NULL);
2013 		if (rc)
2014 			return rc;
2015 	}
2016 
2017 	return avc_has_perm(&selinux_state, fromsid, tosid,
2018 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2019 }
2020 
2021 static int selinux_binder_transfer_binder(const struct cred *from,
2022 					  const struct cred *to)
2023 {
2024 	return avc_has_perm(&selinux_state,
2025 			    cred_sid(from), cred_sid(to),
2026 			    SECCLASS_BINDER, BINDER__TRANSFER,
2027 			    NULL);
2028 }
2029 
2030 static int selinux_binder_transfer_file(const struct cred *from,
2031 					const struct cred *to,
2032 					struct file *file)
2033 {
2034 	u32 sid = cred_sid(to);
2035 	struct file_security_struct *fsec = selinux_file(file);
2036 	struct dentry *dentry = file->f_path.dentry;
2037 	struct inode_security_struct *isec;
2038 	struct common_audit_data ad;
2039 	int rc;
2040 
2041 	ad.type = LSM_AUDIT_DATA_PATH;
2042 	ad.u.path = file->f_path;
2043 
2044 	if (sid != fsec->sid) {
2045 		rc = avc_has_perm(&selinux_state,
2046 				  sid, fsec->sid,
2047 				  SECCLASS_FD,
2048 				  FD__USE,
2049 				  &ad);
2050 		if (rc)
2051 			return rc;
2052 	}
2053 
2054 #ifdef CONFIG_BPF_SYSCALL
2055 	rc = bpf_fd_pass(file, sid);
2056 	if (rc)
2057 		return rc;
2058 #endif
2059 
2060 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2061 		return 0;
2062 
2063 	isec = backing_inode_security(dentry);
2064 	return avc_has_perm(&selinux_state,
2065 			    sid, isec->sid, isec->sclass, file_to_av(file),
2066 			    &ad);
2067 }
2068 
2069 static int selinux_ptrace_access_check(struct task_struct *child,
2070 				       unsigned int mode)
2071 {
2072 	u32 sid = current_sid();
2073 	u32 csid = task_sid_obj(child);
2074 
2075 	if (mode & PTRACE_MODE_READ)
2076 		return avc_has_perm(&selinux_state,
2077 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2078 
2079 	return avc_has_perm(&selinux_state,
2080 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2081 }
2082 
2083 static int selinux_ptrace_traceme(struct task_struct *parent)
2084 {
2085 	return avc_has_perm(&selinux_state,
2086 			    task_sid_obj(parent), task_sid_obj(current),
2087 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2088 }
2089 
2090 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2091 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2092 {
2093 	return avc_has_perm(&selinux_state,
2094 			    current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
2095 			    PROCESS__GETCAP, NULL);
2096 }
2097 
2098 static int selinux_capset(struct cred *new, const struct cred *old,
2099 			  const kernel_cap_t *effective,
2100 			  const kernel_cap_t *inheritable,
2101 			  const kernel_cap_t *permitted)
2102 {
2103 	return avc_has_perm(&selinux_state,
2104 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2105 			    PROCESS__SETCAP, NULL);
2106 }
2107 
2108 /*
2109  * (This comment used to live with the selinux_task_setuid hook,
2110  * which was removed).
2111  *
2112  * Since setuid only affects the current process, and since the SELinux
2113  * controls are not based on the Linux identity attributes, SELinux does not
2114  * need to control this operation.  However, SELinux does control the use of
2115  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2116  */
2117 
2118 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2119 			   int cap, unsigned int opts)
2120 {
2121 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2122 }
2123 
2124 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2125 {
2126 	const struct cred *cred = current_cred();
2127 	int rc = 0;
2128 
2129 	if (!sb)
2130 		return 0;
2131 
2132 	switch (cmds) {
2133 	case Q_SYNC:
2134 	case Q_QUOTAON:
2135 	case Q_QUOTAOFF:
2136 	case Q_SETINFO:
2137 	case Q_SETQUOTA:
2138 	case Q_XQUOTAOFF:
2139 	case Q_XQUOTAON:
2140 	case Q_XSETQLIM:
2141 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2142 		break;
2143 	case Q_GETFMT:
2144 	case Q_GETINFO:
2145 	case Q_GETQUOTA:
2146 	case Q_XGETQUOTA:
2147 	case Q_XGETQSTAT:
2148 	case Q_XGETQSTATV:
2149 	case Q_XGETNEXTQUOTA:
2150 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2151 		break;
2152 	default:
2153 		rc = 0;  /* let the kernel handle invalid cmds */
2154 		break;
2155 	}
2156 	return rc;
2157 }
2158 
2159 static int selinux_quota_on(struct dentry *dentry)
2160 {
2161 	const struct cred *cred = current_cred();
2162 
2163 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2164 }
2165 
2166 static int selinux_syslog(int type)
2167 {
2168 	switch (type) {
2169 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2170 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2171 		return avc_has_perm(&selinux_state,
2172 				    current_sid(), SECINITSID_KERNEL,
2173 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2174 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2175 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2176 	/* Set level of messages printed to console */
2177 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2178 		return avc_has_perm(&selinux_state,
2179 				    current_sid(), SECINITSID_KERNEL,
2180 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2181 				    NULL);
2182 	}
2183 	/* All other syslog types */
2184 	return avc_has_perm(&selinux_state,
2185 			    current_sid(), SECINITSID_KERNEL,
2186 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2187 }
2188 
2189 /*
2190  * Check that a process has enough memory to allocate a new virtual
2191  * mapping. 0 means there is enough memory for the allocation to
2192  * succeed and -ENOMEM implies there is not.
2193  *
2194  * Do not audit the selinux permission check, as this is applied to all
2195  * processes that allocate mappings.
2196  */
2197 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2198 {
2199 	int rc, cap_sys_admin = 0;
2200 
2201 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2202 				 CAP_OPT_NOAUDIT, true);
2203 	if (rc == 0)
2204 		cap_sys_admin = 1;
2205 
2206 	return cap_sys_admin;
2207 }
2208 
2209 /* binprm security operations */
2210 
2211 static u32 ptrace_parent_sid(void)
2212 {
2213 	u32 sid = 0;
2214 	struct task_struct *tracer;
2215 
2216 	rcu_read_lock();
2217 	tracer = ptrace_parent(current);
2218 	if (tracer)
2219 		sid = task_sid_obj(tracer);
2220 	rcu_read_unlock();
2221 
2222 	return sid;
2223 }
2224 
2225 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2226 			    const struct task_security_struct *old_tsec,
2227 			    const struct task_security_struct *new_tsec)
2228 {
2229 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2230 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2231 	int rc;
2232 	u32 av;
2233 
2234 	if (!nnp && !nosuid)
2235 		return 0; /* neither NNP nor nosuid */
2236 
2237 	if (new_tsec->sid == old_tsec->sid)
2238 		return 0; /* No change in credentials */
2239 
2240 	/*
2241 	 * If the policy enables the nnp_nosuid_transition policy capability,
2242 	 * then we permit transitions under NNP or nosuid if the
2243 	 * policy allows the corresponding permission between
2244 	 * the old and new contexts.
2245 	 */
2246 	if (selinux_policycap_nnp_nosuid_transition()) {
2247 		av = 0;
2248 		if (nnp)
2249 			av |= PROCESS2__NNP_TRANSITION;
2250 		if (nosuid)
2251 			av |= PROCESS2__NOSUID_TRANSITION;
2252 		rc = avc_has_perm(&selinux_state,
2253 				  old_tsec->sid, new_tsec->sid,
2254 				  SECCLASS_PROCESS2, av, NULL);
2255 		if (!rc)
2256 			return 0;
2257 	}
2258 
2259 	/*
2260 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2261 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2262 	 * of the permissions of the current SID.
2263 	 */
2264 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2265 					 new_tsec->sid);
2266 	if (!rc)
2267 		return 0;
2268 
2269 	/*
2270 	 * On failure, preserve the errno values for NNP vs nosuid.
2271 	 * NNP:  Operation not permitted for caller.
2272 	 * nosuid:  Permission denied to file.
2273 	 */
2274 	if (nnp)
2275 		return -EPERM;
2276 	return -EACCES;
2277 }
2278 
2279 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2280 {
2281 	const struct task_security_struct *old_tsec;
2282 	struct task_security_struct *new_tsec;
2283 	struct inode_security_struct *isec;
2284 	struct common_audit_data ad;
2285 	struct inode *inode = file_inode(bprm->file);
2286 	int rc;
2287 
2288 	/* SELinux context only depends on initial program or script and not
2289 	 * the script interpreter */
2290 
2291 	old_tsec = selinux_cred(current_cred());
2292 	new_tsec = selinux_cred(bprm->cred);
2293 	isec = inode_security(inode);
2294 
2295 	/* Default to the current task SID. */
2296 	new_tsec->sid = old_tsec->sid;
2297 	new_tsec->osid = old_tsec->sid;
2298 
2299 	/* Reset fs, key, and sock SIDs on execve. */
2300 	new_tsec->create_sid = 0;
2301 	new_tsec->keycreate_sid = 0;
2302 	new_tsec->sockcreate_sid = 0;
2303 
2304 	if (old_tsec->exec_sid) {
2305 		new_tsec->sid = old_tsec->exec_sid;
2306 		/* Reset exec SID on execve. */
2307 		new_tsec->exec_sid = 0;
2308 
2309 		/* Fail on NNP or nosuid if not an allowed transition. */
2310 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2311 		if (rc)
2312 			return rc;
2313 	} else {
2314 		/* Check for a default transition on this program. */
2315 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2316 					     isec->sid, SECCLASS_PROCESS, NULL,
2317 					     &new_tsec->sid);
2318 		if (rc)
2319 			return rc;
2320 
2321 		/*
2322 		 * Fallback to old SID on NNP or nosuid if not an allowed
2323 		 * transition.
2324 		 */
2325 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326 		if (rc)
2327 			new_tsec->sid = old_tsec->sid;
2328 	}
2329 
2330 	ad.type = LSM_AUDIT_DATA_FILE;
2331 	ad.u.file = bprm->file;
2332 
2333 	if (new_tsec->sid == old_tsec->sid) {
2334 		rc = avc_has_perm(&selinux_state,
2335 				  old_tsec->sid, isec->sid,
2336 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2337 		if (rc)
2338 			return rc;
2339 	} else {
2340 		/* Check permissions for the transition. */
2341 		rc = avc_has_perm(&selinux_state,
2342 				  old_tsec->sid, new_tsec->sid,
2343 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2344 		if (rc)
2345 			return rc;
2346 
2347 		rc = avc_has_perm(&selinux_state,
2348 				  new_tsec->sid, isec->sid,
2349 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2350 		if (rc)
2351 			return rc;
2352 
2353 		/* Check for shared state */
2354 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2355 			rc = avc_has_perm(&selinux_state,
2356 					  old_tsec->sid, new_tsec->sid,
2357 					  SECCLASS_PROCESS, PROCESS__SHARE,
2358 					  NULL);
2359 			if (rc)
2360 				return -EPERM;
2361 		}
2362 
2363 		/* Make sure that anyone attempting to ptrace over a task that
2364 		 * changes its SID has the appropriate permit */
2365 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2366 			u32 ptsid = ptrace_parent_sid();
2367 			if (ptsid != 0) {
2368 				rc = avc_has_perm(&selinux_state,
2369 						  ptsid, new_tsec->sid,
2370 						  SECCLASS_PROCESS,
2371 						  PROCESS__PTRACE, NULL);
2372 				if (rc)
2373 					return -EPERM;
2374 			}
2375 		}
2376 
2377 		/* Clear any possibly unsafe personality bits on exec: */
2378 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2379 
2380 		/* Enable secure mode for SIDs transitions unless
2381 		   the noatsecure permission is granted between
2382 		   the two SIDs, i.e. ahp returns 0. */
2383 		rc = avc_has_perm(&selinux_state,
2384 				  old_tsec->sid, new_tsec->sid,
2385 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2386 				  NULL);
2387 		bprm->secureexec |= !!rc;
2388 	}
2389 
2390 	return 0;
2391 }
2392 
2393 static int match_file(const void *p, struct file *file, unsigned fd)
2394 {
2395 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2396 }
2397 
2398 /* Derived from fs/exec.c:flush_old_files. */
2399 static inline void flush_unauthorized_files(const struct cred *cred,
2400 					    struct files_struct *files)
2401 {
2402 	struct file *file, *devnull = NULL;
2403 	struct tty_struct *tty;
2404 	int drop_tty = 0;
2405 	unsigned n;
2406 
2407 	tty = get_current_tty();
2408 	if (tty) {
2409 		spin_lock(&tty->files_lock);
2410 		if (!list_empty(&tty->tty_files)) {
2411 			struct tty_file_private *file_priv;
2412 
2413 			/* Revalidate access to controlling tty.
2414 			   Use file_path_has_perm on the tty path directly
2415 			   rather than using file_has_perm, as this particular
2416 			   open file may belong to another process and we are
2417 			   only interested in the inode-based check here. */
2418 			file_priv = list_first_entry(&tty->tty_files,
2419 						struct tty_file_private, list);
2420 			file = file_priv->file;
2421 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2422 				drop_tty = 1;
2423 		}
2424 		spin_unlock(&tty->files_lock);
2425 		tty_kref_put(tty);
2426 	}
2427 	/* Reset controlling tty. */
2428 	if (drop_tty)
2429 		no_tty();
2430 
2431 	/* Revalidate access to inherited open files. */
2432 	n = iterate_fd(files, 0, match_file, cred);
2433 	if (!n) /* none found? */
2434 		return;
2435 
2436 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2437 	if (IS_ERR(devnull))
2438 		devnull = NULL;
2439 	/* replace all the matching ones with this */
2440 	do {
2441 		replace_fd(n - 1, devnull, 0);
2442 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2443 	if (devnull)
2444 		fput(devnull);
2445 }
2446 
2447 /*
2448  * Prepare a process for imminent new credential changes due to exec
2449  */
2450 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2451 {
2452 	struct task_security_struct *new_tsec;
2453 	struct rlimit *rlim, *initrlim;
2454 	int rc, i;
2455 
2456 	new_tsec = selinux_cred(bprm->cred);
2457 	if (new_tsec->sid == new_tsec->osid)
2458 		return;
2459 
2460 	/* Close files for which the new task SID is not authorized. */
2461 	flush_unauthorized_files(bprm->cred, current->files);
2462 
2463 	/* Always clear parent death signal on SID transitions. */
2464 	current->pdeath_signal = 0;
2465 
2466 	/* Check whether the new SID can inherit resource limits from the old
2467 	 * SID.  If not, reset all soft limits to the lower of the current
2468 	 * task's hard limit and the init task's soft limit.
2469 	 *
2470 	 * Note that the setting of hard limits (even to lower them) can be
2471 	 * controlled by the setrlimit check.  The inclusion of the init task's
2472 	 * soft limit into the computation is to avoid resetting soft limits
2473 	 * higher than the default soft limit for cases where the default is
2474 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2475 	 */
2476 	rc = avc_has_perm(&selinux_state,
2477 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2478 			  PROCESS__RLIMITINH, NULL);
2479 	if (rc) {
2480 		/* protect against do_prlimit() */
2481 		task_lock(current);
2482 		for (i = 0; i < RLIM_NLIMITS; i++) {
2483 			rlim = current->signal->rlim + i;
2484 			initrlim = init_task.signal->rlim + i;
2485 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2486 		}
2487 		task_unlock(current);
2488 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2489 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2490 	}
2491 }
2492 
2493 /*
2494  * Clean up the process immediately after the installation of new credentials
2495  * due to exec
2496  */
2497 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2498 {
2499 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2500 	u32 osid, sid;
2501 	int rc;
2502 
2503 	osid = tsec->osid;
2504 	sid = tsec->sid;
2505 
2506 	if (sid == osid)
2507 		return;
2508 
2509 	/* Check whether the new SID can inherit signal state from the old SID.
2510 	 * If not, clear itimers to avoid subsequent signal generation and
2511 	 * flush and unblock signals.
2512 	 *
2513 	 * This must occur _after_ the task SID has been updated so that any
2514 	 * kill done after the flush will be checked against the new SID.
2515 	 */
2516 	rc = avc_has_perm(&selinux_state,
2517 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2518 	if (rc) {
2519 		clear_itimer();
2520 
2521 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2522 		if (!fatal_signal_pending(current)) {
2523 			flush_sigqueue(&current->pending);
2524 			flush_sigqueue(&current->signal->shared_pending);
2525 			flush_signal_handlers(current, 1);
2526 			sigemptyset(&current->blocked);
2527 			recalc_sigpending();
2528 		}
2529 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2530 	}
2531 
2532 	/* Wake up the parent if it is waiting so that it can recheck
2533 	 * wait permission to the new task SID. */
2534 	read_lock(&tasklist_lock);
2535 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2536 	read_unlock(&tasklist_lock);
2537 }
2538 
2539 /* superblock security operations */
2540 
2541 static int selinux_sb_alloc_security(struct super_block *sb)
2542 {
2543 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2544 
2545 	mutex_init(&sbsec->lock);
2546 	INIT_LIST_HEAD(&sbsec->isec_head);
2547 	spin_lock_init(&sbsec->isec_lock);
2548 	sbsec->sid = SECINITSID_UNLABELED;
2549 	sbsec->def_sid = SECINITSID_FILE;
2550 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2551 
2552 	return 0;
2553 }
2554 
2555 static inline int opt_len(const char *s)
2556 {
2557 	bool open_quote = false;
2558 	int len;
2559 	char c;
2560 
2561 	for (len = 0; (c = s[len]) != '\0'; len++) {
2562 		if (c == '"')
2563 			open_quote = !open_quote;
2564 		if (c == ',' && !open_quote)
2565 			break;
2566 	}
2567 	return len;
2568 }
2569 
2570 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2571 {
2572 	char *from = options;
2573 	char *to = options;
2574 	bool first = true;
2575 	int rc;
2576 
2577 	while (1) {
2578 		int len = opt_len(from);
2579 		int token;
2580 		char *arg = NULL;
2581 
2582 		token = match_opt_prefix(from, len, &arg);
2583 
2584 		if (token != Opt_error) {
2585 			char *p, *q;
2586 
2587 			/* strip quotes */
2588 			if (arg) {
2589 				for (p = q = arg; p < from + len; p++) {
2590 					char c = *p;
2591 					if (c != '"')
2592 						*q++ = c;
2593 				}
2594 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2595 				if (!arg) {
2596 					rc = -ENOMEM;
2597 					goto free_opt;
2598 				}
2599 			}
2600 			rc = selinux_add_opt(token, arg, mnt_opts);
2601 			kfree(arg);
2602 			arg = NULL;
2603 			if (unlikely(rc)) {
2604 				goto free_opt;
2605 			}
2606 		} else {
2607 			if (!first) {	// copy with preceding comma
2608 				from--;
2609 				len++;
2610 			}
2611 			if (to != from)
2612 				memmove(to, from, len);
2613 			to += len;
2614 			first = false;
2615 		}
2616 		if (!from[len])
2617 			break;
2618 		from += len + 1;
2619 	}
2620 	*to = '\0';
2621 	return 0;
2622 
2623 free_opt:
2624 	if (*mnt_opts) {
2625 		selinux_free_mnt_opts(*mnt_opts);
2626 		*mnt_opts = NULL;
2627 	}
2628 	return rc;
2629 }
2630 
2631 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2632 {
2633 	struct selinux_mnt_opts *opts = mnt_opts;
2634 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2635 
2636 	/*
2637 	 * Superblock not initialized (i.e. no options) - reject if any
2638 	 * options specified, otherwise accept.
2639 	 */
2640 	if (!(sbsec->flags & SE_SBINITIALIZED))
2641 		return opts ? 1 : 0;
2642 
2643 	/*
2644 	 * Superblock initialized and no options specified - reject if
2645 	 * superblock has any options set, otherwise accept.
2646 	 */
2647 	if (!opts)
2648 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2649 
2650 	if (opts->fscontext_sid) {
2651 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2652 			       opts->fscontext_sid))
2653 			return 1;
2654 	}
2655 	if (opts->context_sid) {
2656 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2657 			       opts->context_sid))
2658 			return 1;
2659 	}
2660 	if (opts->rootcontext_sid) {
2661 		struct inode_security_struct *root_isec;
2662 
2663 		root_isec = backing_inode_security(sb->s_root);
2664 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2665 			       opts->rootcontext_sid))
2666 			return 1;
2667 	}
2668 	if (opts->defcontext_sid) {
2669 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2670 			       opts->defcontext_sid))
2671 			return 1;
2672 	}
2673 	return 0;
2674 }
2675 
2676 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2677 {
2678 	struct selinux_mnt_opts *opts = mnt_opts;
2679 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2680 
2681 	if (!(sbsec->flags & SE_SBINITIALIZED))
2682 		return 0;
2683 
2684 	if (!opts)
2685 		return 0;
2686 
2687 	if (opts->fscontext_sid) {
2688 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2689 			       opts->fscontext_sid))
2690 			goto out_bad_option;
2691 	}
2692 	if (opts->context_sid) {
2693 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2694 			       opts->context_sid))
2695 			goto out_bad_option;
2696 	}
2697 	if (opts->rootcontext_sid) {
2698 		struct inode_security_struct *root_isec;
2699 		root_isec = backing_inode_security(sb->s_root);
2700 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2701 			       opts->rootcontext_sid))
2702 			goto out_bad_option;
2703 	}
2704 	if (opts->defcontext_sid) {
2705 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2706 			       opts->defcontext_sid))
2707 			goto out_bad_option;
2708 	}
2709 	return 0;
2710 
2711 out_bad_option:
2712 	pr_warn("SELinux: unable to change security options "
2713 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2714 	       sb->s_type->name);
2715 	return -EINVAL;
2716 }
2717 
2718 static int selinux_sb_kern_mount(struct super_block *sb)
2719 {
2720 	const struct cred *cred = current_cred();
2721 	struct common_audit_data ad;
2722 
2723 	ad.type = LSM_AUDIT_DATA_DENTRY;
2724 	ad.u.dentry = sb->s_root;
2725 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2726 }
2727 
2728 static int selinux_sb_statfs(struct dentry *dentry)
2729 {
2730 	const struct cred *cred = current_cred();
2731 	struct common_audit_data ad;
2732 
2733 	ad.type = LSM_AUDIT_DATA_DENTRY;
2734 	ad.u.dentry = dentry->d_sb->s_root;
2735 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2736 }
2737 
2738 static int selinux_mount(const char *dev_name,
2739 			 const struct path *path,
2740 			 const char *type,
2741 			 unsigned long flags,
2742 			 void *data)
2743 {
2744 	const struct cred *cred = current_cred();
2745 
2746 	if (flags & MS_REMOUNT)
2747 		return superblock_has_perm(cred, path->dentry->d_sb,
2748 					   FILESYSTEM__REMOUNT, NULL);
2749 	else
2750 		return path_has_perm(cred, path, FILE__MOUNTON);
2751 }
2752 
2753 static int selinux_move_mount(const struct path *from_path,
2754 			      const struct path *to_path)
2755 {
2756 	const struct cred *cred = current_cred();
2757 
2758 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2759 }
2760 
2761 static int selinux_umount(struct vfsmount *mnt, int flags)
2762 {
2763 	const struct cred *cred = current_cred();
2764 
2765 	return superblock_has_perm(cred, mnt->mnt_sb,
2766 				   FILESYSTEM__UNMOUNT, NULL);
2767 }
2768 
2769 static int selinux_fs_context_dup(struct fs_context *fc,
2770 				  struct fs_context *src_fc)
2771 {
2772 	const struct selinux_mnt_opts *src = src_fc->security;
2773 
2774 	if (!src)
2775 		return 0;
2776 
2777 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2778 	return fc->security ? 0 : -ENOMEM;
2779 }
2780 
2781 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2782 	fsparam_string(CONTEXT_STR,	Opt_context),
2783 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2784 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2785 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2786 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2787 	{}
2788 };
2789 
2790 static int selinux_fs_context_parse_param(struct fs_context *fc,
2791 					  struct fs_parameter *param)
2792 {
2793 	struct fs_parse_result result;
2794 	int opt;
2795 
2796 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2797 	if (opt < 0)
2798 		return opt;
2799 
2800 	return selinux_add_opt(opt, param->string, &fc->security);
2801 }
2802 
2803 /* inode security operations */
2804 
2805 static int selinux_inode_alloc_security(struct inode *inode)
2806 {
2807 	struct inode_security_struct *isec = selinux_inode(inode);
2808 	u32 sid = current_sid();
2809 
2810 	spin_lock_init(&isec->lock);
2811 	INIT_LIST_HEAD(&isec->list);
2812 	isec->inode = inode;
2813 	isec->sid = SECINITSID_UNLABELED;
2814 	isec->sclass = SECCLASS_FILE;
2815 	isec->task_sid = sid;
2816 	isec->initialized = LABEL_INVALID;
2817 
2818 	return 0;
2819 }
2820 
2821 static void selinux_inode_free_security(struct inode *inode)
2822 {
2823 	inode_free_security(inode);
2824 }
2825 
2826 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2827 					const struct qstr *name,
2828 					const char **xattr_name, void **ctx,
2829 					u32 *ctxlen)
2830 {
2831 	u32 newsid;
2832 	int rc;
2833 
2834 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2835 					   d_inode(dentry->d_parent), name,
2836 					   inode_mode_to_security_class(mode),
2837 					   &newsid);
2838 	if (rc)
2839 		return rc;
2840 
2841 	if (xattr_name)
2842 		*xattr_name = XATTR_NAME_SELINUX;
2843 
2844 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2845 				       ctxlen);
2846 }
2847 
2848 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2849 					  struct qstr *name,
2850 					  const struct cred *old,
2851 					  struct cred *new)
2852 {
2853 	u32 newsid;
2854 	int rc;
2855 	struct task_security_struct *tsec;
2856 
2857 	rc = selinux_determine_inode_label(selinux_cred(old),
2858 					   d_inode(dentry->d_parent), name,
2859 					   inode_mode_to_security_class(mode),
2860 					   &newsid);
2861 	if (rc)
2862 		return rc;
2863 
2864 	tsec = selinux_cred(new);
2865 	tsec->create_sid = newsid;
2866 	return 0;
2867 }
2868 
2869 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2870 				       const struct qstr *qstr,
2871 				       const char **name,
2872 				       void **value, size_t *len)
2873 {
2874 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2875 	struct superblock_security_struct *sbsec;
2876 	u32 newsid, clen;
2877 	int rc;
2878 	char *context;
2879 
2880 	sbsec = selinux_superblock(dir->i_sb);
2881 
2882 	newsid = tsec->create_sid;
2883 
2884 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2885 		inode_mode_to_security_class(inode->i_mode),
2886 		&newsid);
2887 	if (rc)
2888 		return rc;
2889 
2890 	/* Possibly defer initialization to selinux_complete_init. */
2891 	if (sbsec->flags & SE_SBINITIALIZED) {
2892 		struct inode_security_struct *isec = selinux_inode(inode);
2893 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2894 		isec->sid = newsid;
2895 		isec->initialized = LABEL_INITIALIZED;
2896 	}
2897 
2898 	if (!selinux_initialized(&selinux_state) ||
2899 	    !(sbsec->flags & SBLABEL_MNT))
2900 		return -EOPNOTSUPP;
2901 
2902 	if (name)
2903 		*name = XATTR_SELINUX_SUFFIX;
2904 
2905 	if (value && len) {
2906 		rc = security_sid_to_context_force(&selinux_state, newsid,
2907 						   &context, &clen);
2908 		if (rc)
2909 			return rc;
2910 		*value = context;
2911 		*len = clen;
2912 	}
2913 
2914 	return 0;
2915 }
2916 
2917 static int selinux_inode_init_security_anon(struct inode *inode,
2918 					    const struct qstr *name,
2919 					    const struct inode *context_inode)
2920 {
2921 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2922 	struct common_audit_data ad;
2923 	struct inode_security_struct *isec;
2924 	int rc;
2925 
2926 	if (unlikely(!selinux_initialized(&selinux_state)))
2927 		return 0;
2928 
2929 	isec = selinux_inode(inode);
2930 
2931 	/*
2932 	 * We only get here once per ephemeral inode.  The inode has
2933 	 * been initialized via inode_alloc_security but is otherwise
2934 	 * untouched.
2935 	 */
2936 
2937 	if (context_inode) {
2938 		struct inode_security_struct *context_isec =
2939 			selinux_inode(context_inode);
2940 		if (context_isec->initialized != LABEL_INITIALIZED) {
2941 			pr_err("SELinux:  context_inode is not initialized");
2942 			return -EACCES;
2943 		}
2944 
2945 		isec->sclass = context_isec->sclass;
2946 		isec->sid = context_isec->sid;
2947 	} else {
2948 		isec->sclass = SECCLASS_ANON_INODE;
2949 		rc = security_transition_sid(
2950 			&selinux_state, tsec->sid, tsec->sid,
2951 			isec->sclass, name, &isec->sid);
2952 		if (rc)
2953 			return rc;
2954 	}
2955 
2956 	isec->initialized = LABEL_INITIALIZED;
2957 	/*
2958 	 * Now that we've initialized security, check whether we're
2959 	 * allowed to actually create this type of anonymous inode.
2960 	 */
2961 
2962 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2963 	ad.u.anonclass = name ? (const char *)name->name : "?";
2964 
2965 	return avc_has_perm(&selinux_state,
2966 			    tsec->sid,
2967 			    isec->sid,
2968 			    isec->sclass,
2969 			    FILE__CREATE,
2970 			    &ad);
2971 }
2972 
2973 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2974 {
2975 	return may_create(dir, dentry, SECCLASS_FILE);
2976 }
2977 
2978 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2979 {
2980 	return may_link(dir, old_dentry, MAY_LINK);
2981 }
2982 
2983 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2984 {
2985 	return may_link(dir, dentry, MAY_UNLINK);
2986 }
2987 
2988 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2989 {
2990 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2991 }
2992 
2993 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2994 {
2995 	return may_create(dir, dentry, SECCLASS_DIR);
2996 }
2997 
2998 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2999 {
3000 	return may_link(dir, dentry, MAY_RMDIR);
3001 }
3002 
3003 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3004 {
3005 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3006 }
3007 
3008 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3009 				struct inode *new_inode, struct dentry *new_dentry)
3010 {
3011 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3012 }
3013 
3014 static int selinux_inode_readlink(struct dentry *dentry)
3015 {
3016 	const struct cred *cred = current_cred();
3017 
3018 	return dentry_has_perm(cred, dentry, FILE__READ);
3019 }
3020 
3021 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3022 				     bool rcu)
3023 {
3024 	const struct cred *cred = current_cred();
3025 	struct common_audit_data ad;
3026 	struct inode_security_struct *isec;
3027 	u32 sid;
3028 
3029 	validate_creds(cred);
3030 
3031 	ad.type = LSM_AUDIT_DATA_DENTRY;
3032 	ad.u.dentry = dentry;
3033 	sid = cred_sid(cred);
3034 	isec = inode_security_rcu(inode, rcu);
3035 	if (IS_ERR(isec))
3036 		return PTR_ERR(isec);
3037 
3038 	return avc_has_perm(&selinux_state,
3039 				  sid, isec->sid, isec->sclass, FILE__READ, &ad);
3040 }
3041 
3042 static noinline int audit_inode_permission(struct inode *inode,
3043 					   u32 perms, u32 audited, u32 denied,
3044 					   int result)
3045 {
3046 	struct common_audit_data ad;
3047 	struct inode_security_struct *isec = selinux_inode(inode);
3048 
3049 	ad.type = LSM_AUDIT_DATA_INODE;
3050 	ad.u.inode = inode;
3051 
3052 	return slow_avc_audit(&selinux_state,
3053 			    current_sid(), isec->sid, isec->sclass, perms,
3054 			    audited, denied, result, &ad);
3055 }
3056 
3057 static int selinux_inode_permission(struct inode *inode, int mask)
3058 {
3059 	const struct cred *cred = current_cred();
3060 	u32 perms;
3061 	bool from_access;
3062 	bool no_block = mask & MAY_NOT_BLOCK;
3063 	struct inode_security_struct *isec;
3064 	u32 sid;
3065 	struct av_decision avd;
3066 	int rc, rc2;
3067 	u32 audited, denied;
3068 
3069 	from_access = mask & MAY_ACCESS;
3070 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3071 
3072 	/* No permission to check.  Existence test. */
3073 	if (!mask)
3074 		return 0;
3075 
3076 	validate_creds(cred);
3077 
3078 	if (unlikely(IS_PRIVATE(inode)))
3079 		return 0;
3080 
3081 	perms = file_mask_to_av(inode->i_mode, mask);
3082 
3083 	sid = cred_sid(cred);
3084 	isec = inode_security_rcu(inode, no_block);
3085 	if (IS_ERR(isec))
3086 		return PTR_ERR(isec);
3087 
3088 	rc = avc_has_perm_noaudit(&selinux_state,
3089 				  sid, isec->sid, isec->sclass, perms, 0,
3090 				  &avd);
3091 	audited = avc_audit_required(perms, &avd, rc,
3092 				     from_access ? FILE__AUDIT_ACCESS : 0,
3093 				     &denied);
3094 	if (likely(!audited))
3095 		return rc;
3096 
3097 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3098 	if (rc2)
3099 		return rc2;
3100 	return rc;
3101 }
3102 
3103 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3104 {
3105 	const struct cred *cred = current_cred();
3106 	struct inode *inode = d_backing_inode(dentry);
3107 	unsigned int ia_valid = iattr->ia_valid;
3108 	__u32 av = FILE__WRITE;
3109 
3110 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3111 	if (ia_valid & ATTR_FORCE) {
3112 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3113 			      ATTR_FORCE);
3114 		if (!ia_valid)
3115 			return 0;
3116 	}
3117 
3118 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3119 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3120 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3121 
3122 	if (selinux_policycap_openperm() &&
3123 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3124 	    (ia_valid & ATTR_SIZE) &&
3125 	    !(ia_valid & ATTR_FILE))
3126 		av |= FILE__OPEN;
3127 
3128 	return dentry_has_perm(cred, dentry, av);
3129 }
3130 
3131 static int selinux_inode_getattr(const struct path *path)
3132 {
3133 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3134 }
3135 
3136 static bool has_cap_mac_admin(bool audit)
3137 {
3138 	const struct cred *cred = current_cred();
3139 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3140 
3141 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3142 		return false;
3143 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3144 		return false;
3145 	return true;
3146 }
3147 
3148 static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
3149 				  struct dentry *dentry, const char *name,
3150 				  const void *value, size_t size, int flags)
3151 {
3152 	struct inode *inode = d_backing_inode(dentry);
3153 	struct inode_security_struct *isec;
3154 	struct superblock_security_struct *sbsec;
3155 	struct common_audit_data ad;
3156 	u32 newsid, sid = current_sid();
3157 	int rc = 0;
3158 
3159 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3160 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3161 		if (rc)
3162 			return rc;
3163 
3164 		/* Not an attribute we recognize, so just check the
3165 		   ordinary setattr permission. */
3166 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3167 	}
3168 
3169 	if (!selinux_initialized(&selinux_state))
3170 		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3171 
3172 	sbsec = selinux_superblock(inode->i_sb);
3173 	if (!(sbsec->flags & SBLABEL_MNT))
3174 		return -EOPNOTSUPP;
3175 
3176 	if (!inode_owner_or_capable(mnt_userns, inode))
3177 		return -EPERM;
3178 
3179 	ad.type = LSM_AUDIT_DATA_DENTRY;
3180 	ad.u.dentry = dentry;
3181 
3182 	isec = backing_inode_security(dentry);
3183 	rc = avc_has_perm(&selinux_state,
3184 			  sid, isec->sid, isec->sclass,
3185 			  FILE__RELABELFROM, &ad);
3186 	if (rc)
3187 		return rc;
3188 
3189 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3190 				     GFP_KERNEL);
3191 	if (rc == -EINVAL) {
3192 		if (!has_cap_mac_admin(true)) {
3193 			struct audit_buffer *ab;
3194 			size_t audit_size;
3195 
3196 			/* We strip a nul only if it is at the end, otherwise the
3197 			 * context contains a nul and we should audit that */
3198 			if (value) {
3199 				const char *str = value;
3200 
3201 				if (str[size - 1] == '\0')
3202 					audit_size = size - 1;
3203 				else
3204 					audit_size = size;
3205 			} else {
3206 				audit_size = 0;
3207 			}
3208 			ab = audit_log_start(audit_context(),
3209 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210 			if (!ab)
3211 				return rc;
3212 			audit_log_format(ab, "op=setxattr invalid_context=");
3213 			audit_log_n_untrustedstring(ab, value, audit_size);
3214 			audit_log_end(ab);
3215 
3216 			return rc;
3217 		}
3218 		rc = security_context_to_sid_force(&selinux_state, value,
3219 						   size, &newsid);
3220 	}
3221 	if (rc)
3222 		return rc;
3223 
3224 	rc = avc_has_perm(&selinux_state,
3225 			  sid, newsid, isec->sclass,
3226 			  FILE__RELABELTO, &ad);
3227 	if (rc)
3228 		return rc;
3229 
3230 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3231 					  sid, isec->sclass);
3232 	if (rc)
3233 		return rc;
3234 
3235 	return avc_has_perm(&selinux_state,
3236 			    newsid,
3237 			    sbsec->sid,
3238 			    SECCLASS_FILESYSTEM,
3239 			    FILESYSTEM__ASSOCIATE,
3240 			    &ad);
3241 }
3242 
3243 static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
3244 				 struct dentry *dentry, const char *acl_name,
3245 				 struct posix_acl *kacl)
3246 {
3247 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3248 }
3249 
3250 static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
3251 				 struct dentry *dentry, const char *acl_name)
3252 {
3253 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3254 }
3255 
3256 static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
3257 				    struct dentry *dentry, const char *acl_name)
3258 {
3259 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3260 }
3261 
3262 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3263 					const void *value, size_t size,
3264 					int flags)
3265 {
3266 	struct inode *inode = d_backing_inode(dentry);
3267 	struct inode_security_struct *isec;
3268 	u32 newsid;
3269 	int rc;
3270 
3271 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3272 		/* Not an attribute we recognize, so nothing to do. */
3273 		return;
3274 	}
3275 
3276 	if (!selinux_initialized(&selinux_state)) {
3277 		/* If we haven't even been initialized, then we can't validate
3278 		 * against a policy, so leave the label as invalid. It may
3279 		 * resolve to a valid label on the next revalidation try if
3280 		 * we've since initialized.
3281 		 */
3282 		return;
3283 	}
3284 
3285 	rc = security_context_to_sid_force(&selinux_state, value, size,
3286 					   &newsid);
3287 	if (rc) {
3288 		pr_err("SELinux:  unable to map context to SID"
3289 		       "for (%s, %lu), rc=%d\n",
3290 		       inode->i_sb->s_id, inode->i_ino, -rc);
3291 		return;
3292 	}
3293 
3294 	isec = backing_inode_security(dentry);
3295 	spin_lock(&isec->lock);
3296 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3297 	isec->sid = newsid;
3298 	isec->initialized = LABEL_INITIALIZED;
3299 	spin_unlock(&isec->lock);
3300 }
3301 
3302 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3303 {
3304 	const struct cred *cred = current_cred();
3305 
3306 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3307 }
3308 
3309 static int selinux_inode_listxattr(struct dentry *dentry)
3310 {
3311 	const struct cred *cred = current_cred();
3312 
3313 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3314 }
3315 
3316 static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
3317 				     struct dentry *dentry, const char *name)
3318 {
3319 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3320 		int rc = cap_inode_removexattr(mnt_userns, dentry, name);
3321 		if (rc)
3322 			return rc;
3323 
3324 		/* Not an attribute we recognize, so just check the
3325 		   ordinary setattr permission. */
3326 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3327 	}
3328 
3329 	if (!selinux_initialized(&selinux_state))
3330 		return 0;
3331 
3332 	/* No one is allowed to remove a SELinux security label.
3333 	   You can change the label, but all data must be labeled. */
3334 	return -EACCES;
3335 }
3336 
3337 static int selinux_path_notify(const struct path *path, u64 mask,
3338 						unsigned int obj_type)
3339 {
3340 	int ret;
3341 	u32 perm;
3342 
3343 	struct common_audit_data ad;
3344 
3345 	ad.type = LSM_AUDIT_DATA_PATH;
3346 	ad.u.path = *path;
3347 
3348 	/*
3349 	 * Set permission needed based on the type of mark being set.
3350 	 * Performs an additional check for sb watches.
3351 	 */
3352 	switch (obj_type) {
3353 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3354 		perm = FILE__WATCH_MOUNT;
3355 		break;
3356 	case FSNOTIFY_OBJ_TYPE_SB:
3357 		perm = FILE__WATCH_SB;
3358 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3359 						FILESYSTEM__WATCH, &ad);
3360 		if (ret)
3361 			return ret;
3362 		break;
3363 	case FSNOTIFY_OBJ_TYPE_INODE:
3364 		perm = FILE__WATCH;
3365 		break;
3366 	default:
3367 		return -EINVAL;
3368 	}
3369 
3370 	/* blocking watches require the file:watch_with_perm permission */
3371 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3372 		perm |= FILE__WATCH_WITH_PERM;
3373 
3374 	/* watches on read-like events need the file:watch_reads permission */
3375 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3376 		perm |= FILE__WATCH_READS;
3377 
3378 	return path_has_perm(current_cred(), path, perm);
3379 }
3380 
3381 /*
3382  * Copy the inode security context value to the user.
3383  *
3384  * Permission check is handled by selinux_inode_getxattr hook.
3385  */
3386 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3387 				     struct inode *inode, const char *name,
3388 				     void **buffer, bool alloc)
3389 {
3390 	u32 size;
3391 	int error;
3392 	char *context = NULL;
3393 	struct inode_security_struct *isec;
3394 
3395 	/*
3396 	 * If we're not initialized yet, then we can't validate contexts, so
3397 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3398 	 */
3399 	if (!selinux_initialized(&selinux_state) ||
3400 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3401 		return -EOPNOTSUPP;
3402 
3403 	/*
3404 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3405 	 * value even if it is not defined by current policy; otherwise,
3406 	 * use the in-core value under current policy.
3407 	 * Use the non-auditing forms of the permission checks since
3408 	 * getxattr may be called by unprivileged processes commonly
3409 	 * and lack of permission just means that we fall back to the
3410 	 * in-core context value, not a denial.
3411 	 */
3412 	isec = inode_security(inode);
3413 	if (has_cap_mac_admin(false))
3414 		error = security_sid_to_context_force(&selinux_state,
3415 						      isec->sid, &context,
3416 						      &size);
3417 	else
3418 		error = security_sid_to_context(&selinux_state, isec->sid,
3419 						&context, &size);
3420 	if (error)
3421 		return error;
3422 	error = size;
3423 	if (alloc) {
3424 		*buffer = context;
3425 		goto out_nofree;
3426 	}
3427 	kfree(context);
3428 out_nofree:
3429 	return error;
3430 }
3431 
3432 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3433 				     const void *value, size_t size, int flags)
3434 {
3435 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3436 	struct superblock_security_struct *sbsec;
3437 	u32 newsid;
3438 	int rc;
3439 
3440 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3441 		return -EOPNOTSUPP;
3442 
3443 	sbsec = selinux_superblock(inode->i_sb);
3444 	if (!(sbsec->flags & SBLABEL_MNT))
3445 		return -EOPNOTSUPP;
3446 
3447 	if (!value || !size)
3448 		return -EACCES;
3449 
3450 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 				     GFP_KERNEL);
3452 	if (rc)
3453 		return rc;
3454 
3455 	spin_lock(&isec->lock);
3456 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3457 	isec->sid = newsid;
3458 	isec->initialized = LABEL_INITIALIZED;
3459 	spin_unlock(&isec->lock);
3460 	return 0;
3461 }
3462 
3463 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3464 {
3465 	const int len = sizeof(XATTR_NAME_SELINUX);
3466 
3467 	if (!selinux_initialized(&selinux_state))
3468 		return 0;
3469 
3470 	if (buffer && len <= buffer_size)
3471 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3472 	return len;
3473 }
3474 
3475 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3476 {
3477 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3478 	*secid = isec->sid;
3479 }
3480 
3481 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3482 {
3483 	u32 sid;
3484 	struct task_security_struct *tsec;
3485 	struct cred *new_creds = *new;
3486 
3487 	if (new_creds == NULL) {
3488 		new_creds = prepare_creds();
3489 		if (!new_creds)
3490 			return -ENOMEM;
3491 	}
3492 
3493 	tsec = selinux_cred(new_creds);
3494 	/* Get label from overlay inode and set it in create_sid */
3495 	selinux_inode_getsecid(d_inode(src), &sid);
3496 	tsec->create_sid = sid;
3497 	*new = new_creds;
3498 	return 0;
3499 }
3500 
3501 static int selinux_inode_copy_up_xattr(const char *name)
3502 {
3503 	/* The copy_up hook above sets the initial context on an inode, but we
3504 	 * don't then want to overwrite it by blindly copying all the lower
3505 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3506 	 */
3507 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3508 		return 1; /* Discard */
3509 	/*
3510 	 * Any other attribute apart from SELINUX is not claimed, supported
3511 	 * by selinux.
3512 	 */
3513 	return -EOPNOTSUPP;
3514 }
3515 
3516 /* kernfs node operations */
3517 
3518 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3519 					struct kernfs_node *kn)
3520 {
3521 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3522 	u32 parent_sid, newsid, clen;
3523 	int rc;
3524 	char *context;
3525 
3526 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3527 	if (rc == -ENODATA)
3528 		return 0;
3529 	else if (rc < 0)
3530 		return rc;
3531 
3532 	clen = (u32)rc;
3533 	context = kmalloc(clen, GFP_KERNEL);
3534 	if (!context)
3535 		return -ENOMEM;
3536 
3537 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3538 	if (rc < 0) {
3539 		kfree(context);
3540 		return rc;
3541 	}
3542 
3543 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3544 				     GFP_KERNEL);
3545 	kfree(context);
3546 	if (rc)
3547 		return rc;
3548 
3549 	if (tsec->create_sid) {
3550 		newsid = tsec->create_sid;
3551 	} else {
3552 		u16 secclass = inode_mode_to_security_class(kn->mode);
3553 		struct qstr q;
3554 
3555 		q.name = kn->name;
3556 		q.hash_len = hashlen_string(kn_dir, kn->name);
3557 
3558 		rc = security_transition_sid(&selinux_state, tsec->sid,
3559 					     parent_sid, secclass, &q,
3560 					     &newsid);
3561 		if (rc)
3562 			return rc;
3563 	}
3564 
3565 	rc = security_sid_to_context_force(&selinux_state, newsid,
3566 					   &context, &clen);
3567 	if (rc)
3568 		return rc;
3569 
3570 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3571 			      XATTR_CREATE);
3572 	kfree(context);
3573 	return rc;
3574 }
3575 
3576 
3577 /* file security operations */
3578 
3579 static int selinux_revalidate_file_permission(struct file *file, int mask)
3580 {
3581 	const struct cred *cred = current_cred();
3582 	struct inode *inode = file_inode(file);
3583 
3584 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3585 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3586 		mask |= MAY_APPEND;
3587 
3588 	return file_has_perm(cred, file,
3589 			     file_mask_to_av(inode->i_mode, mask));
3590 }
3591 
3592 static int selinux_file_permission(struct file *file, int mask)
3593 {
3594 	struct inode *inode = file_inode(file);
3595 	struct file_security_struct *fsec = selinux_file(file);
3596 	struct inode_security_struct *isec;
3597 	u32 sid = current_sid();
3598 
3599 	if (!mask)
3600 		/* No permission to check.  Existence test. */
3601 		return 0;
3602 
3603 	isec = inode_security(inode);
3604 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3605 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3606 		/* No change since file_open check. */
3607 		return 0;
3608 
3609 	return selinux_revalidate_file_permission(file, mask);
3610 }
3611 
3612 static int selinux_file_alloc_security(struct file *file)
3613 {
3614 	struct file_security_struct *fsec = selinux_file(file);
3615 	u32 sid = current_sid();
3616 
3617 	fsec->sid = sid;
3618 	fsec->fown_sid = sid;
3619 
3620 	return 0;
3621 }
3622 
3623 /*
3624  * Check whether a task has the ioctl permission and cmd
3625  * operation to an inode.
3626  */
3627 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3628 		u32 requested, u16 cmd)
3629 {
3630 	struct common_audit_data ad;
3631 	struct file_security_struct *fsec = selinux_file(file);
3632 	struct inode *inode = file_inode(file);
3633 	struct inode_security_struct *isec;
3634 	struct lsm_ioctlop_audit ioctl;
3635 	u32 ssid = cred_sid(cred);
3636 	int rc;
3637 	u8 driver = cmd >> 8;
3638 	u8 xperm = cmd & 0xff;
3639 
3640 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3641 	ad.u.op = &ioctl;
3642 	ad.u.op->cmd = cmd;
3643 	ad.u.op->path = file->f_path;
3644 
3645 	if (ssid != fsec->sid) {
3646 		rc = avc_has_perm(&selinux_state,
3647 				  ssid, fsec->sid,
3648 				SECCLASS_FD,
3649 				FD__USE,
3650 				&ad);
3651 		if (rc)
3652 			goto out;
3653 	}
3654 
3655 	if (unlikely(IS_PRIVATE(inode)))
3656 		return 0;
3657 
3658 	isec = inode_security(inode);
3659 	rc = avc_has_extended_perms(&selinux_state,
3660 				    ssid, isec->sid, isec->sclass,
3661 				    requested, driver, xperm, &ad);
3662 out:
3663 	return rc;
3664 }
3665 
3666 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3667 			      unsigned long arg)
3668 {
3669 	const struct cred *cred = current_cred();
3670 	int error = 0;
3671 
3672 	switch (cmd) {
3673 	case FIONREAD:
3674 	case FIBMAP:
3675 	case FIGETBSZ:
3676 	case FS_IOC_GETFLAGS:
3677 	case FS_IOC_GETVERSION:
3678 		error = file_has_perm(cred, file, FILE__GETATTR);
3679 		break;
3680 
3681 	case FS_IOC_SETFLAGS:
3682 	case FS_IOC_SETVERSION:
3683 		error = file_has_perm(cred, file, FILE__SETATTR);
3684 		break;
3685 
3686 	/* sys_ioctl() checks */
3687 	case FIONBIO:
3688 	case FIOASYNC:
3689 		error = file_has_perm(cred, file, 0);
3690 		break;
3691 
3692 	case KDSKBENT:
3693 	case KDSKBSENT:
3694 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3695 					    CAP_OPT_NONE, true);
3696 		break;
3697 
3698 	case FIOCLEX:
3699 	case FIONCLEX:
3700 		if (!selinux_policycap_ioctl_skip_cloexec())
3701 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3702 		break;
3703 
3704 	/* default case assumes that the command will go
3705 	 * to the file's ioctl() function.
3706 	 */
3707 	default:
3708 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3709 	}
3710 	return error;
3711 }
3712 
3713 static int default_noexec __ro_after_init;
3714 
3715 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3716 {
3717 	const struct cred *cred = current_cred();
3718 	u32 sid = cred_sid(cred);
3719 	int rc = 0;
3720 
3721 	if (default_noexec &&
3722 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3723 				   (!shared && (prot & PROT_WRITE)))) {
3724 		/*
3725 		 * We are making executable an anonymous mapping or a
3726 		 * private file mapping that will also be writable.
3727 		 * This has an additional check.
3728 		 */
3729 		rc = avc_has_perm(&selinux_state,
3730 				  sid, sid, SECCLASS_PROCESS,
3731 				  PROCESS__EXECMEM, NULL);
3732 		if (rc)
3733 			goto error;
3734 	}
3735 
3736 	if (file) {
3737 		/* read access is always possible with a mapping */
3738 		u32 av = FILE__READ;
3739 
3740 		/* write access only matters if the mapping is shared */
3741 		if (shared && (prot & PROT_WRITE))
3742 			av |= FILE__WRITE;
3743 
3744 		if (prot & PROT_EXEC)
3745 			av |= FILE__EXECUTE;
3746 
3747 		return file_has_perm(cred, file, av);
3748 	}
3749 
3750 error:
3751 	return rc;
3752 }
3753 
3754 static int selinux_mmap_addr(unsigned long addr)
3755 {
3756 	int rc = 0;
3757 
3758 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3759 		u32 sid = current_sid();
3760 		rc = avc_has_perm(&selinux_state,
3761 				  sid, sid, SECCLASS_MEMPROTECT,
3762 				  MEMPROTECT__MMAP_ZERO, NULL);
3763 	}
3764 
3765 	return rc;
3766 }
3767 
3768 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3769 			     unsigned long prot, unsigned long flags)
3770 {
3771 	struct common_audit_data ad;
3772 	int rc;
3773 
3774 	if (file) {
3775 		ad.type = LSM_AUDIT_DATA_FILE;
3776 		ad.u.file = file;
3777 		rc = inode_has_perm(current_cred(), file_inode(file),
3778 				    FILE__MAP, &ad);
3779 		if (rc)
3780 			return rc;
3781 	}
3782 
3783 	if (checkreqprot_get(&selinux_state))
3784 		prot = reqprot;
3785 
3786 	return file_map_prot_check(file, prot,
3787 				   (flags & MAP_TYPE) == MAP_SHARED);
3788 }
3789 
3790 static int selinux_file_mprotect(struct vm_area_struct *vma,
3791 				 unsigned long reqprot,
3792 				 unsigned long prot)
3793 {
3794 	const struct cred *cred = current_cred();
3795 	u32 sid = cred_sid(cred);
3796 
3797 	if (checkreqprot_get(&selinux_state))
3798 		prot = reqprot;
3799 
3800 	if (default_noexec &&
3801 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3802 		int rc = 0;
3803 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3804 		    vma->vm_end <= vma->vm_mm->brk) {
3805 			rc = avc_has_perm(&selinux_state,
3806 					  sid, sid, SECCLASS_PROCESS,
3807 					  PROCESS__EXECHEAP, NULL);
3808 		} else if (!vma->vm_file &&
3809 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3810 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3811 			    vma_is_stack_for_current(vma))) {
3812 			rc = avc_has_perm(&selinux_state,
3813 					  sid, sid, SECCLASS_PROCESS,
3814 					  PROCESS__EXECSTACK, NULL);
3815 		} else if (vma->vm_file && vma->anon_vma) {
3816 			/*
3817 			 * We are making executable a file mapping that has
3818 			 * had some COW done. Since pages might have been
3819 			 * written, check ability to execute the possibly
3820 			 * modified content.  This typically should only
3821 			 * occur for text relocations.
3822 			 */
3823 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3824 		}
3825 		if (rc)
3826 			return rc;
3827 	}
3828 
3829 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3830 }
3831 
3832 static int selinux_file_lock(struct file *file, unsigned int cmd)
3833 {
3834 	const struct cred *cred = current_cred();
3835 
3836 	return file_has_perm(cred, file, FILE__LOCK);
3837 }
3838 
3839 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3840 			      unsigned long arg)
3841 {
3842 	const struct cred *cred = current_cred();
3843 	int err = 0;
3844 
3845 	switch (cmd) {
3846 	case F_SETFL:
3847 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3848 			err = file_has_perm(cred, file, FILE__WRITE);
3849 			break;
3850 		}
3851 		fallthrough;
3852 	case F_SETOWN:
3853 	case F_SETSIG:
3854 	case F_GETFL:
3855 	case F_GETOWN:
3856 	case F_GETSIG:
3857 	case F_GETOWNER_UIDS:
3858 		/* Just check FD__USE permission */
3859 		err = file_has_perm(cred, file, 0);
3860 		break;
3861 	case F_GETLK:
3862 	case F_SETLK:
3863 	case F_SETLKW:
3864 	case F_OFD_GETLK:
3865 	case F_OFD_SETLK:
3866 	case F_OFD_SETLKW:
3867 #if BITS_PER_LONG == 32
3868 	case F_GETLK64:
3869 	case F_SETLK64:
3870 	case F_SETLKW64:
3871 #endif
3872 		err = file_has_perm(cred, file, FILE__LOCK);
3873 		break;
3874 	}
3875 
3876 	return err;
3877 }
3878 
3879 static void selinux_file_set_fowner(struct file *file)
3880 {
3881 	struct file_security_struct *fsec;
3882 
3883 	fsec = selinux_file(file);
3884 	fsec->fown_sid = current_sid();
3885 }
3886 
3887 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3888 				       struct fown_struct *fown, int signum)
3889 {
3890 	struct file *file;
3891 	u32 sid = task_sid_obj(tsk);
3892 	u32 perm;
3893 	struct file_security_struct *fsec;
3894 
3895 	/* struct fown_struct is never outside the context of a struct file */
3896 	file = container_of(fown, struct file, f_owner);
3897 
3898 	fsec = selinux_file(file);
3899 
3900 	if (!signum)
3901 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3902 	else
3903 		perm = signal_to_av(signum);
3904 
3905 	return avc_has_perm(&selinux_state,
3906 			    fsec->fown_sid, sid,
3907 			    SECCLASS_PROCESS, perm, NULL);
3908 }
3909 
3910 static int selinux_file_receive(struct file *file)
3911 {
3912 	const struct cred *cred = current_cred();
3913 
3914 	return file_has_perm(cred, file, file_to_av(file));
3915 }
3916 
3917 static int selinux_file_open(struct file *file)
3918 {
3919 	struct file_security_struct *fsec;
3920 	struct inode_security_struct *isec;
3921 
3922 	fsec = selinux_file(file);
3923 	isec = inode_security(file_inode(file));
3924 	/*
3925 	 * Save inode label and policy sequence number
3926 	 * at open-time so that selinux_file_permission
3927 	 * can determine whether revalidation is necessary.
3928 	 * Task label is already saved in the file security
3929 	 * struct as its SID.
3930 	 */
3931 	fsec->isid = isec->sid;
3932 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3933 	/*
3934 	 * Since the inode label or policy seqno may have changed
3935 	 * between the selinux_inode_permission check and the saving
3936 	 * of state above, recheck that access is still permitted.
3937 	 * Otherwise, access might never be revalidated against the
3938 	 * new inode label or new policy.
3939 	 * This check is not redundant - do not remove.
3940 	 */
3941 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3942 }
3943 
3944 /* task security operations */
3945 
3946 static int selinux_task_alloc(struct task_struct *task,
3947 			      unsigned long clone_flags)
3948 {
3949 	u32 sid = current_sid();
3950 
3951 	return avc_has_perm(&selinux_state,
3952 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3953 }
3954 
3955 /*
3956  * prepare a new set of credentials for modification
3957  */
3958 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3959 				gfp_t gfp)
3960 {
3961 	const struct task_security_struct *old_tsec = selinux_cred(old);
3962 	struct task_security_struct *tsec = selinux_cred(new);
3963 
3964 	*tsec = *old_tsec;
3965 	return 0;
3966 }
3967 
3968 /*
3969  * transfer the SELinux data to a blank set of creds
3970  */
3971 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3972 {
3973 	const struct task_security_struct *old_tsec = selinux_cred(old);
3974 	struct task_security_struct *tsec = selinux_cred(new);
3975 
3976 	*tsec = *old_tsec;
3977 }
3978 
3979 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3980 {
3981 	*secid = cred_sid(c);
3982 }
3983 
3984 /*
3985  * set the security data for a kernel service
3986  * - all the creation contexts are set to unlabelled
3987  */
3988 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3989 {
3990 	struct task_security_struct *tsec = selinux_cred(new);
3991 	u32 sid = current_sid();
3992 	int ret;
3993 
3994 	ret = avc_has_perm(&selinux_state,
3995 			   sid, secid,
3996 			   SECCLASS_KERNEL_SERVICE,
3997 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3998 			   NULL);
3999 	if (ret == 0) {
4000 		tsec->sid = secid;
4001 		tsec->create_sid = 0;
4002 		tsec->keycreate_sid = 0;
4003 		tsec->sockcreate_sid = 0;
4004 	}
4005 	return ret;
4006 }
4007 
4008 /*
4009  * set the file creation context in a security record to the same as the
4010  * objective context of the specified inode
4011  */
4012 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4013 {
4014 	struct inode_security_struct *isec = inode_security(inode);
4015 	struct task_security_struct *tsec = selinux_cred(new);
4016 	u32 sid = current_sid();
4017 	int ret;
4018 
4019 	ret = avc_has_perm(&selinux_state,
4020 			   sid, isec->sid,
4021 			   SECCLASS_KERNEL_SERVICE,
4022 			   KERNEL_SERVICE__CREATE_FILES_AS,
4023 			   NULL);
4024 
4025 	if (ret == 0)
4026 		tsec->create_sid = isec->sid;
4027 	return ret;
4028 }
4029 
4030 static int selinux_kernel_module_request(char *kmod_name)
4031 {
4032 	struct common_audit_data ad;
4033 
4034 	ad.type = LSM_AUDIT_DATA_KMOD;
4035 	ad.u.kmod_name = kmod_name;
4036 
4037 	return avc_has_perm(&selinux_state,
4038 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4039 			    SYSTEM__MODULE_REQUEST, &ad);
4040 }
4041 
4042 static int selinux_kernel_module_from_file(struct file *file)
4043 {
4044 	struct common_audit_data ad;
4045 	struct inode_security_struct *isec;
4046 	struct file_security_struct *fsec;
4047 	u32 sid = current_sid();
4048 	int rc;
4049 
4050 	/* init_module */
4051 	if (file == NULL)
4052 		return avc_has_perm(&selinux_state,
4053 				    sid, sid, SECCLASS_SYSTEM,
4054 					SYSTEM__MODULE_LOAD, NULL);
4055 
4056 	/* finit_module */
4057 
4058 	ad.type = LSM_AUDIT_DATA_FILE;
4059 	ad.u.file = file;
4060 
4061 	fsec = selinux_file(file);
4062 	if (sid != fsec->sid) {
4063 		rc = avc_has_perm(&selinux_state,
4064 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4065 		if (rc)
4066 			return rc;
4067 	}
4068 
4069 	isec = inode_security(file_inode(file));
4070 	return avc_has_perm(&selinux_state,
4071 			    sid, isec->sid, SECCLASS_SYSTEM,
4072 				SYSTEM__MODULE_LOAD, &ad);
4073 }
4074 
4075 static int selinux_kernel_read_file(struct file *file,
4076 				    enum kernel_read_file_id id,
4077 				    bool contents)
4078 {
4079 	int rc = 0;
4080 
4081 	switch (id) {
4082 	case READING_MODULE:
4083 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4084 		break;
4085 	default:
4086 		break;
4087 	}
4088 
4089 	return rc;
4090 }
4091 
4092 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4093 {
4094 	int rc = 0;
4095 
4096 	switch (id) {
4097 	case LOADING_MODULE:
4098 		rc = selinux_kernel_module_from_file(NULL);
4099 		break;
4100 	default:
4101 		break;
4102 	}
4103 
4104 	return rc;
4105 }
4106 
4107 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4108 {
4109 	return avc_has_perm(&selinux_state,
4110 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4111 			    PROCESS__SETPGID, NULL);
4112 }
4113 
4114 static int selinux_task_getpgid(struct task_struct *p)
4115 {
4116 	return avc_has_perm(&selinux_state,
4117 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4118 			    PROCESS__GETPGID, NULL);
4119 }
4120 
4121 static int selinux_task_getsid(struct task_struct *p)
4122 {
4123 	return avc_has_perm(&selinux_state,
4124 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4125 			    PROCESS__GETSESSION, NULL);
4126 }
4127 
4128 static void selinux_current_getsecid_subj(u32 *secid)
4129 {
4130 	*secid = current_sid();
4131 }
4132 
4133 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4134 {
4135 	*secid = task_sid_obj(p);
4136 }
4137 
4138 static int selinux_task_setnice(struct task_struct *p, int nice)
4139 {
4140 	return avc_has_perm(&selinux_state,
4141 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4142 			    PROCESS__SETSCHED, NULL);
4143 }
4144 
4145 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4146 {
4147 	return avc_has_perm(&selinux_state,
4148 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4149 			    PROCESS__SETSCHED, NULL);
4150 }
4151 
4152 static int selinux_task_getioprio(struct task_struct *p)
4153 {
4154 	return avc_has_perm(&selinux_state,
4155 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4156 			    PROCESS__GETSCHED, NULL);
4157 }
4158 
4159 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4160 				unsigned int flags)
4161 {
4162 	u32 av = 0;
4163 
4164 	if (!flags)
4165 		return 0;
4166 	if (flags & LSM_PRLIMIT_WRITE)
4167 		av |= PROCESS__SETRLIMIT;
4168 	if (flags & LSM_PRLIMIT_READ)
4169 		av |= PROCESS__GETRLIMIT;
4170 	return avc_has_perm(&selinux_state,
4171 			    cred_sid(cred), cred_sid(tcred),
4172 			    SECCLASS_PROCESS, av, NULL);
4173 }
4174 
4175 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4176 		struct rlimit *new_rlim)
4177 {
4178 	struct rlimit *old_rlim = p->signal->rlim + resource;
4179 
4180 	/* Control the ability to change the hard limit (whether
4181 	   lowering or raising it), so that the hard limit can
4182 	   later be used as a safe reset point for the soft limit
4183 	   upon context transitions.  See selinux_bprm_committing_creds. */
4184 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4185 		return avc_has_perm(&selinux_state,
4186 				    current_sid(), task_sid_obj(p),
4187 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4188 
4189 	return 0;
4190 }
4191 
4192 static int selinux_task_setscheduler(struct task_struct *p)
4193 {
4194 	return avc_has_perm(&selinux_state,
4195 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4196 			    PROCESS__SETSCHED, NULL);
4197 }
4198 
4199 static int selinux_task_getscheduler(struct task_struct *p)
4200 {
4201 	return avc_has_perm(&selinux_state,
4202 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4203 			    PROCESS__GETSCHED, NULL);
4204 }
4205 
4206 static int selinux_task_movememory(struct task_struct *p)
4207 {
4208 	return avc_has_perm(&selinux_state,
4209 			    current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4210 			    PROCESS__SETSCHED, NULL);
4211 }
4212 
4213 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4214 				int sig, const struct cred *cred)
4215 {
4216 	u32 secid;
4217 	u32 perm;
4218 
4219 	if (!sig)
4220 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4221 	else
4222 		perm = signal_to_av(sig);
4223 	if (!cred)
4224 		secid = current_sid();
4225 	else
4226 		secid = cred_sid(cred);
4227 	return avc_has_perm(&selinux_state,
4228 			    secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4229 }
4230 
4231 static void selinux_task_to_inode(struct task_struct *p,
4232 				  struct inode *inode)
4233 {
4234 	struct inode_security_struct *isec = selinux_inode(inode);
4235 	u32 sid = task_sid_obj(p);
4236 
4237 	spin_lock(&isec->lock);
4238 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4239 	isec->sid = sid;
4240 	isec->initialized = LABEL_INITIALIZED;
4241 	spin_unlock(&isec->lock);
4242 }
4243 
4244 static int selinux_userns_create(const struct cred *cred)
4245 {
4246 	u32 sid = current_sid();
4247 
4248 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_USER_NAMESPACE,
4249 						USER_NAMESPACE__CREATE, NULL);
4250 }
4251 
4252 /* Returns error only if unable to parse addresses */
4253 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4254 			struct common_audit_data *ad, u8 *proto)
4255 {
4256 	int offset, ihlen, ret = -EINVAL;
4257 	struct iphdr _iph, *ih;
4258 
4259 	offset = skb_network_offset(skb);
4260 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4261 	if (ih == NULL)
4262 		goto out;
4263 
4264 	ihlen = ih->ihl * 4;
4265 	if (ihlen < sizeof(_iph))
4266 		goto out;
4267 
4268 	ad->u.net->v4info.saddr = ih->saddr;
4269 	ad->u.net->v4info.daddr = ih->daddr;
4270 	ret = 0;
4271 
4272 	if (proto)
4273 		*proto = ih->protocol;
4274 
4275 	switch (ih->protocol) {
4276 	case IPPROTO_TCP: {
4277 		struct tcphdr _tcph, *th;
4278 
4279 		if (ntohs(ih->frag_off) & IP_OFFSET)
4280 			break;
4281 
4282 		offset += ihlen;
4283 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4284 		if (th == NULL)
4285 			break;
4286 
4287 		ad->u.net->sport = th->source;
4288 		ad->u.net->dport = th->dest;
4289 		break;
4290 	}
4291 
4292 	case IPPROTO_UDP: {
4293 		struct udphdr _udph, *uh;
4294 
4295 		if (ntohs(ih->frag_off) & IP_OFFSET)
4296 			break;
4297 
4298 		offset += ihlen;
4299 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4300 		if (uh == NULL)
4301 			break;
4302 
4303 		ad->u.net->sport = uh->source;
4304 		ad->u.net->dport = uh->dest;
4305 		break;
4306 	}
4307 
4308 	case IPPROTO_DCCP: {
4309 		struct dccp_hdr _dccph, *dh;
4310 
4311 		if (ntohs(ih->frag_off) & IP_OFFSET)
4312 			break;
4313 
4314 		offset += ihlen;
4315 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4316 		if (dh == NULL)
4317 			break;
4318 
4319 		ad->u.net->sport = dh->dccph_sport;
4320 		ad->u.net->dport = dh->dccph_dport;
4321 		break;
4322 	}
4323 
4324 #if IS_ENABLED(CONFIG_IP_SCTP)
4325 	case IPPROTO_SCTP: {
4326 		struct sctphdr _sctph, *sh;
4327 
4328 		if (ntohs(ih->frag_off) & IP_OFFSET)
4329 			break;
4330 
4331 		offset += ihlen;
4332 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4333 		if (sh == NULL)
4334 			break;
4335 
4336 		ad->u.net->sport = sh->source;
4337 		ad->u.net->dport = sh->dest;
4338 		break;
4339 	}
4340 #endif
4341 	default:
4342 		break;
4343 	}
4344 out:
4345 	return ret;
4346 }
4347 
4348 #if IS_ENABLED(CONFIG_IPV6)
4349 
4350 /* Returns error only if unable to parse addresses */
4351 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4352 			struct common_audit_data *ad, u8 *proto)
4353 {
4354 	u8 nexthdr;
4355 	int ret = -EINVAL, offset;
4356 	struct ipv6hdr _ipv6h, *ip6;
4357 	__be16 frag_off;
4358 
4359 	offset = skb_network_offset(skb);
4360 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4361 	if (ip6 == NULL)
4362 		goto out;
4363 
4364 	ad->u.net->v6info.saddr = ip6->saddr;
4365 	ad->u.net->v6info.daddr = ip6->daddr;
4366 	ret = 0;
4367 
4368 	nexthdr = ip6->nexthdr;
4369 	offset += sizeof(_ipv6h);
4370 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4371 	if (offset < 0)
4372 		goto out;
4373 
4374 	if (proto)
4375 		*proto = nexthdr;
4376 
4377 	switch (nexthdr) {
4378 	case IPPROTO_TCP: {
4379 		struct tcphdr _tcph, *th;
4380 
4381 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4382 		if (th == NULL)
4383 			break;
4384 
4385 		ad->u.net->sport = th->source;
4386 		ad->u.net->dport = th->dest;
4387 		break;
4388 	}
4389 
4390 	case IPPROTO_UDP: {
4391 		struct udphdr _udph, *uh;
4392 
4393 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4394 		if (uh == NULL)
4395 			break;
4396 
4397 		ad->u.net->sport = uh->source;
4398 		ad->u.net->dport = uh->dest;
4399 		break;
4400 	}
4401 
4402 	case IPPROTO_DCCP: {
4403 		struct dccp_hdr _dccph, *dh;
4404 
4405 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4406 		if (dh == NULL)
4407 			break;
4408 
4409 		ad->u.net->sport = dh->dccph_sport;
4410 		ad->u.net->dport = dh->dccph_dport;
4411 		break;
4412 	}
4413 
4414 #if IS_ENABLED(CONFIG_IP_SCTP)
4415 	case IPPROTO_SCTP: {
4416 		struct sctphdr _sctph, *sh;
4417 
4418 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4419 		if (sh == NULL)
4420 			break;
4421 
4422 		ad->u.net->sport = sh->source;
4423 		ad->u.net->dport = sh->dest;
4424 		break;
4425 	}
4426 #endif
4427 	/* includes fragments */
4428 	default:
4429 		break;
4430 	}
4431 out:
4432 	return ret;
4433 }
4434 
4435 #endif /* IPV6 */
4436 
4437 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4438 			     char **_addrp, int src, u8 *proto)
4439 {
4440 	char *addrp;
4441 	int ret;
4442 
4443 	switch (ad->u.net->family) {
4444 	case PF_INET:
4445 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4446 		if (ret)
4447 			goto parse_error;
4448 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4449 				       &ad->u.net->v4info.daddr);
4450 		goto okay;
4451 
4452 #if IS_ENABLED(CONFIG_IPV6)
4453 	case PF_INET6:
4454 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4455 		if (ret)
4456 			goto parse_error;
4457 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4458 				       &ad->u.net->v6info.daddr);
4459 		goto okay;
4460 #endif	/* IPV6 */
4461 	default:
4462 		addrp = NULL;
4463 		goto okay;
4464 	}
4465 
4466 parse_error:
4467 	pr_warn(
4468 	       "SELinux: failure in selinux_parse_skb(),"
4469 	       " unable to parse packet\n");
4470 	return ret;
4471 
4472 okay:
4473 	if (_addrp)
4474 		*_addrp = addrp;
4475 	return 0;
4476 }
4477 
4478 /**
4479  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4480  * @skb: the packet
4481  * @family: protocol family
4482  * @sid: the packet's peer label SID
4483  *
4484  * Description:
4485  * Check the various different forms of network peer labeling and determine
4486  * the peer label/SID for the packet; most of the magic actually occurs in
4487  * the security server function security_net_peersid_cmp().  The function
4488  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4489  * or -EACCES if @sid is invalid due to inconsistencies with the different
4490  * peer labels.
4491  *
4492  */
4493 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4494 {
4495 	int err;
4496 	u32 xfrm_sid;
4497 	u32 nlbl_sid;
4498 	u32 nlbl_type;
4499 
4500 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4501 	if (unlikely(err))
4502 		return -EACCES;
4503 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4504 	if (unlikely(err))
4505 		return -EACCES;
4506 
4507 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4508 					   nlbl_type, xfrm_sid, sid);
4509 	if (unlikely(err)) {
4510 		pr_warn(
4511 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4512 		       " unable to determine packet's peer label\n");
4513 		return -EACCES;
4514 	}
4515 
4516 	return 0;
4517 }
4518 
4519 /**
4520  * selinux_conn_sid - Determine the child socket label for a connection
4521  * @sk_sid: the parent socket's SID
4522  * @skb_sid: the packet's SID
4523  * @conn_sid: the resulting connection SID
4524  *
4525  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4526  * combined with the MLS information from @skb_sid in order to create
4527  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4528  * of @sk_sid.  Returns zero on success, negative values on failure.
4529  *
4530  */
4531 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4532 {
4533 	int err = 0;
4534 
4535 	if (skb_sid != SECSID_NULL)
4536 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4537 					    conn_sid);
4538 	else
4539 		*conn_sid = sk_sid;
4540 
4541 	return err;
4542 }
4543 
4544 /* socket security operations */
4545 
4546 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4547 				 u16 secclass, u32 *socksid)
4548 {
4549 	if (tsec->sockcreate_sid > SECSID_NULL) {
4550 		*socksid = tsec->sockcreate_sid;
4551 		return 0;
4552 	}
4553 
4554 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4555 				       secclass, NULL, socksid);
4556 }
4557 
4558 static int sock_has_perm(struct sock *sk, u32 perms)
4559 {
4560 	struct sk_security_struct *sksec = sk->sk_security;
4561 	struct common_audit_data ad;
4562 	struct lsm_network_audit net = {0,};
4563 
4564 	if (sksec->sid == SECINITSID_KERNEL)
4565 		return 0;
4566 
4567 	ad.type = LSM_AUDIT_DATA_NET;
4568 	ad.u.net = &net;
4569 	ad.u.net->sk = sk;
4570 
4571 	return avc_has_perm(&selinux_state,
4572 			    current_sid(), sksec->sid, sksec->sclass, perms,
4573 			    &ad);
4574 }
4575 
4576 static int selinux_socket_create(int family, int type,
4577 				 int protocol, int kern)
4578 {
4579 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4580 	u32 newsid;
4581 	u16 secclass;
4582 	int rc;
4583 
4584 	if (kern)
4585 		return 0;
4586 
4587 	secclass = socket_type_to_security_class(family, type, protocol);
4588 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4589 	if (rc)
4590 		return rc;
4591 
4592 	return avc_has_perm(&selinux_state,
4593 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4594 }
4595 
4596 static int selinux_socket_post_create(struct socket *sock, int family,
4597 				      int type, int protocol, int kern)
4598 {
4599 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4600 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4601 	struct sk_security_struct *sksec;
4602 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4603 	u32 sid = SECINITSID_KERNEL;
4604 	int err = 0;
4605 
4606 	if (!kern) {
4607 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4608 		if (err)
4609 			return err;
4610 	}
4611 
4612 	isec->sclass = sclass;
4613 	isec->sid = sid;
4614 	isec->initialized = LABEL_INITIALIZED;
4615 
4616 	if (sock->sk) {
4617 		sksec = sock->sk->sk_security;
4618 		sksec->sclass = sclass;
4619 		sksec->sid = sid;
4620 		/* Allows detection of the first association on this socket */
4621 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4622 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4623 
4624 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4625 	}
4626 
4627 	return err;
4628 }
4629 
4630 static int selinux_socket_socketpair(struct socket *socka,
4631 				     struct socket *sockb)
4632 {
4633 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4634 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4635 
4636 	sksec_a->peer_sid = sksec_b->sid;
4637 	sksec_b->peer_sid = sksec_a->sid;
4638 
4639 	return 0;
4640 }
4641 
4642 /* Range of port numbers used to automatically bind.
4643    Need to determine whether we should perform a name_bind
4644    permission check between the socket and the port number. */
4645 
4646 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4647 {
4648 	struct sock *sk = sock->sk;
4649 	struct sk_security_struct *sksec = sk->sk_security;
4650 	u16 family;
4651 	int err;
4652 
4653 	err = sock_has_perm(sk, SOCKET__BIND);
4654 	if (err)
4655 		goto out;
4656 
4657 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4658 	family = sk->sk_family;
4659 	if (family == PF_INET || family == PF_INET6) {
4660 		char *addrp;
4661 		struct common_audit_data ad;
4662 		struct lsm_network_audit net = {0,};
4663 		struct sockaddr_in *addr4 = NULL;
4664 		struct sockaddr_in6 *addr6 = NULL;
4665 		u16 family_sa;
4666 		unsigned short snum;
4667 		u32 sid, node_perm;
4668 
4669 		/*
4670 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4671 		 * that validates multiple binding addresses. Because of this
4672 		 * need to check address->sa_family as it is possible to have
4673 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4674 		 */
4675 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4676 			return -EINVAL;
4677 		family_sa = address->sa_family;
4678 		switch (family_sa) {
4679 		case AF_UNSPEC:
4680 		case AF_INET:
4681 			if (addrlen < sizeof(struct sockaddr_in))
4682 				return -EINVAL;
4683 			addr4 = (struct sockaddr_in *)address;
4684 			if (family_sa == AF_UNSPEC) {
4685 				/* see __inet_bind(), we only want to allow
4686 				 * AF_UNSPEC if the address is INADDR_ANY
4687 				 */
4688 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4689 					goto err_af;
4690 				family_sa = AF_INET;
4691 			}
4692 			snum = ntohs(addr4->sin_port);
4693 			addrp = (char *)&addr4->sin_addr.s_addr;
4694 			break;
4695 		case AF_INET6:
4696 			if (addrlen < SIN6_LEN_RFC2133)
4697 				return -EINVAL;
4698 			addr6 = (struct sockaddr_in6 *)address;
4699 			snum = ntohs(addr6->sin6_port);
4700 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4701 			break;
4702 		default:
4703 			goto err_af;
4704 		}
4705 
4706 		ad.type = LSM_AUDIT_DATA_NET;
4707 		ad.u.net = &net;
4708 		ad.u.net->sport = htons(snum);
4709 		ad.u.net->family = family_sa;
4710 
4711 		if (snum) {
4712 			int low, high;
4713 
4714 			inet_get_local_port_range(sock_net(sk), &low, &high);
4715 
4716 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4717 			    snum < low || snum > high) {
4718 				err = sel_netport_sid(sk->sk_protocol,
4719 						      snum, &sid);
4720 				if (err)
4721 					goto out;
4722 				err = avc_has_perm(&selinux_state,
4723 						   sksec->sid, sid,
4724 						   sksec->sclass,
4725 						   SOCKET__NAME_BIND, &ad);
4726 				if (err)
4727 					goto out;
4728 			}
4729 		}
4730 
4731 		switch (sksec->sclass) {
4732 		case SECCLASS_TCP_SOCKET:
4733 			node_perm = TCP_SOCKET__NODE_BIND;
4734 			break;
4735 
4736 		case SECCLASS_UDP_SOCKET:
4737 			node_perm = UDP_SOCKET__NODE_BIND;
4738 			break;
4739 
4740 		case SECCLASS_DCCP_SOCKET:
4741 			node_perm = DCCP_SOCKET__NODE_BIND;
4742 			break;
4743 
4744 		case SECCLASS_SCTP_SOCKET:
4745 			node_perm = SCTP_SOCKET__NODE_BIND;
4746 			break;
4747 
4748 		default:
4749 			node_perm = RAWIP_SOCKET__NODE_BIND;
4750 			break;
4751 		}
4752 
4753 		err = sel_netnode_sid(addrp, family_sa, &sid);
4754 		if (err)
4755 			goto out;
4756 
4757 		if (family_sa == AF_INET)
4758 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4759 		else
4760 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4761 
4762 		err = avc_has_perm(&selinux_state,
4763 				   sksec->sid, sid,
4764 				   sksec->sclass, node_perm, &ad);
4765 		if (err)
4766 			goto out;
4767 	}
4768 out:
4769 	return err;
4770 err_af:
4771 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4772 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4773 		return -EINVAL;
4774 	return -EAFNOSUPPORT;
4775 }
4776 
4777 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4778  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4779  */
4780 static int selinux_socket_connect_helper(struct socket *sock,
4781 					 struct sockaddr *address, int addrlen)
4782 {
4783 	struct sock *sk = sock->sk;
4784 	struct sk_security_struct *sksec = sk->sk_security;
4785 	int err;
4786 
4787 	err = sock_has_perm(sk, SOCKET__CONNECT);
4788 	if (err)
4789 		return err;
4790 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4791 		return -EINVAL;
4792 
4793 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4794 	 * way to disconnect the socket
4795 	 */
4796 	if (address->sa_family == AF_UNSPEC)
4797 		return 0;
4798 
4799 	/*
4800 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4801 	 * for the port.
4802 	 */
4803 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4804 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4805 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4806 		struct common_audit_data ad;
4807 		struct lsm_network_audit net = {0,};
4808 		struct sockaddr_in *addr4 = NULL;
4809 		struct sockaddr_in6 *addr6 = NULL;
4810 		unsigned short snum;
4811 		u32 sid, perm;
4812 
4813 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4814 		 * that validates multiple connect addresses. Because of this
4815 		 * need to check address->sa_family as it is possible to have
4816 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4817 		 */
4818 		switch (address->sa_family) {
4819 		case AF_INET:
4820 			addr4 = (struct sockaddr_in *)address;
4821 			if (addrlen < sizeof(struct sockaddr_in))
4822 				return -EINVAL;
4823 			snum = ntohs(addr4->sin_port);
4824 			break;
4825 		case AF_INET6:
4826 			addr6 = (struct sockaddr_in6 *)address;
4827 			if (addrlen < SIN6_LEN_RFC2133)
4828 				return -EINVAL;
4829 			snum = ntohs(addr6->sin6_port);
4830 			break;
4831 		default:
4832 			/* Note that SCTP services expect -EINVAL, whereas
4833 			 * others expect -EAFNOSUPPORT.
4834 			 */
4835 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4836 				return -EINVAL;
4837 			else
4838 				return -EAFNOSUPPORT;
4839 		}
4840 
4841 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4842 		if (err)
4843 			return err;
4844 
4845 		switch (sksec->sclass) {
4846 		case SECCLASS_TCP_SOCKET:
4847 			perm = TCP_SOCKET__NAME_CONNECT;
4848 			break;
4849 		case SECCLASS_DCCP_SOCKET:
4850 			perm = DCCP_SOCKET__NAME_CONNECT;
4851 			break;
4852 		case SECCLASS_SCTP_SOCKET:
4853 			perm = SCTP_SOCKET__NAME_CONNECT;
4854 			break;
4855 		}
4856 
4857 		ad.type = LSM_AUDIT_DATA_NET;
4858 		ad.u.net = &net;
4859 		ad.u.net->dport = htons(snum);
4860 		ad.u.net->family = address->sa_family;
4861 		err = avc_has_perm(&selinux_state,
4862 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4863 		if (err)
4864 			return err;
4865 	}
4866 
4867 	return 0;
4868 }
4869 
4870 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4871 static int selinux_socket_connect(struct socket *sock,
4872 				  struct sockaddr *address, int addrlen)
4873 {
4874 	int err;
4875 	struct sock *sk = sock->sk;
4876 
4877 	err = selinux_socket_connect_helper(sock, address, addrlen);
4878 	if (err)
4879 		return err;
4880 
4881 	return selinux_netlbl_socket_connect(sk, address);
4882 }
4883 
4884 static int selinux_socket_listen(struct socket *sock, int backlog)
4885 {
4886 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4887 }
4888 
4889 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4890 {
4891 	int err;
4892 	struct inode_security_struct *isec;
4893 	struct inode_security_struct *newisec;
4894 	u16 sclass;
4895 	u32 sid;
4896 
4897 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4898 	if (err)
4899 		return err;
4900 
4901 	isec = inode_security_novalidate(SOCK_INODE(sock));
4902 	spin_lock(&isec->lock);
4903 	sclass = isec->sclass;
4904 	sid = isec->sid;
4905 	spin_unlock(&isec->lock);
4906 
4907 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4908 	newisec->sclass = sclass;
4909 	newisec->sid = sid;
4910 	newisec->initialized = LABEL_INITIALIZED;
4911 
4912 	return 0;
4913 }
4914 
4915 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4916 				  int size)
4917 {
4918 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4919 }
4920 
4921 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4922 				  int size, int flags)
4923 {
4924 	return sock_has_perm(sock->sk, SOCKET__READ);
4925 }
4926 
4927 static int selinux_socket_getsockname(struct socket *sock)
4928 {
4929 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4930 }
4931 
4932 static int selinux_socket_getpeername(struct socket *sock)
4933 {
4934 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4935 }
4936 
4937 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4938 {
4939 	int err;
4940 
4941 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4942 	if (err)
4943 		return err;
4944 
4945 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4946 }
4947 
4948 static int selinux_socket_getsockopt(struct socket *sock, int level,
4949 				     int optname)
4950 {
4951 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4952 }
4953 
4954 static int selinux_socket_shutdown(struct socket *sock, int how)
4955 {
4956 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4957 }
4958 
4959 static int selinux_socket_unix_stream_connect(struct sock *sock,
4960 					      struct sock *other,
4961 					      struct sock *newsk)
4962 {
4963 	struct sk_security_struct *sksec_sock = sock->sk_security;
4964 	struct sk_security_struct *sksec_other = other->sk_security;
4965 	struct sk_security_struct *sksec_new = newsk->sk_security;
4966 	struct common_audit_data ad;
4967 	struct lsm_network_audit net = {0,};
4968 	int err;
4969 
4970 	ad.type = LSM_AUDIT_DATA_NET;
4971 	ad.u.net = &net;
4972 	ad.u.net->sk = other;
4973 
4974 	err = avc_has_perm(&selinux_state,
4975 			   sksec_sock->sid, sksec_other->sid,
4976 			   sksec_other->sclass,
4977 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4978 	if (err)
4979 		return err;
4980 
4981 	/* server child socket */
4982 	sksec_new->peer_sid = sksec_sock->sid;
4983 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4984 				    sksec_sock->sid, &sksec_new->sid);
4985 	if (err)
4986 		return err;
4987 
4988 	/* connecting socket */
4989 	sksec_sock->peer_sid = sksec_new->sid;
4990 
4991 	return 0;
4992 }
4993 
4994 static int selinux_socket_unix_may_send(struct socket *sock,
4995 					struct socket *other)
4996 {
4997 	struct sk_security_struct *ssec = sock->sk->sk_security;
4998 	struct sk_security_struct *osec = other->sk->sk_security;
4999 	struct common_audit_data ad;
5000 	struct lsm_network_audit net = {0,};
5001 
5002 	ad.type = LSM_AUDIT_DATA_NET;
5003 	ad.u.net = &net;
5004 	ad.u.net->sk = other->sk;
5005 
5006 	return avc_has_perm(&selinux_state,
5007 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5008 			    &ad);
5009 }
5010 
5011 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5012 				    char *addrp, u16 family, u32 peer_sid,
5013 				    struct common_audit_data *ad)
5014 {
5015 	int err;
5016 	u32 if_sid;
5017 	u32 node_sid;
5018 
5019 	err = sel_netif_sid(ns, ifindex, &if_sid);
5020 	if (err)
5021 		return err;
5022 	err = avc_has_perm(&selinux_state,
5023 			   peer_sid, if_sid,
5024 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5025 	if (err)
5026 		return err;
5027 
5028 	err = sel_netnode_sid(addrp, family, &node_sid);
5029 	if (err)
5030 		return err;
5031 	return avc_has_perm(&selinux_state,
5032 			    peer_sid, node_sid,
5033 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5034 }
5035 
5036 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5037 				       u16 family)
5038 {
5039 	int err = 0;
5040 	struct sk_security_struct *sksec = sk->sk_security;
5041 	u32 sk_sid = sksec->sid;
5042 	struct common_audit_data ad;
5043 	struct lsm_network_audit net = {0,};
5044 	char *addrp;
5045 
5046 	ad.type = LSM_AUDIT_DATA_NET;
5047 	ad.u.net = &net;
5048 	ad.u.net->netif = skb->skb_iif;
5049 	ad.u.net->family = family;
5050 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5051 	if (err)
5052 		return err;
5053 
5054 	if (selinux_secmark_enabled()) {
5055 		err = avc_has_perm(&selinux_state,
5056 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5057 				   PACKET__RECV, &ad);
5058 		if (err)
5059 			return err;
5060 	}
5061 
5062 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5063 	if (err)
5064 		return err;
5065 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5066 
5067 	return err;
5068 }
5069 
5070 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5071 {
5072 	int err;
5073 	struct sk_security_struct *sksec = sk->sk_security;
5074 	u16 family = sk->sk_family;
5075 	u32 sk_sid = sksec->sid;
5076 	struct common_audit_data ad;
5077 	struct lsm_network_audit net = {0,};
5078 	char *addrp;
5079 	u8 secmark_active;
5080 	u8 peerlbl_active;
5081 
5082 	if (family != PF_INET && family != PF_INET6)
5083 		return 0;
5084 
5085 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5086 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5087 		family = PF_INET;
5088 
5089 	/* If any sort of compatibility mode is enabled then handoff processing
5090 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5091 	 * special handling.  We do this in an attempt to keep this function
5092 	 * as fast and as clean as possible. */
5093 	if (!selinux_policycap_netpeer())
5094 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5095 
5096 	secmark_active = selinux_secmark_enabled();
5097 	peerlbl_active = selinux_peerlbl_enabled();
5098 	if (!secmark_active && !peerlbl_active)
5099 		return 0;
5100 
5101 	ad.type = LSM_AUDIT_DATA_NET;
5102 	ad.u.net = &net;
5103 	ad.u.net->netif = skb->skb_iif;
5104 	ad.u.net->family = family;
5105 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5106 	if (err)
5107 		return err;
5108 
5109 	if (peerlbl_active) {
5110 		u32 peer_sid;
5111 
5112 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5113 		if (err)
5114 			return err;
5115 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5116 					       addrp, family, peer_sid, &ad);
5117 		if (err) {
5118 			selinux_netlbl_err(skb, family, err, 0);
5119 			return err;
5120 		}
5121 		err = avc_has_perm(&selinux_state,
5122 				   sk_sid, peer_sid, SECCLASS_PEER,
5123 				   PEER__RECV, &ad);
5124 		if (err) {
5125 			selinux_netlbl_err(skb, family, err, 0);
5126 			return err;
5127 		}
5128 	}
5129 
5130 	if (secmark_active) {
5131 		err = avc_has_perm(&selinux_state,
5132 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5133 				   PACKET__RECV, &ad);
5134 		if (err)
5135 			return err;
5136 	}
5137 
5138 	return err;
5139 }
5140 
5141 static int selinux_socket_getpeersec_stream(struct socket *sock,
5142 					    sockptr_t optval, sockptr_t optlen,
5143 					    unsigned int len)
5144 {
5145 	int err = 0;
5146 	char *scontext = NULL;
5147 	u32 scontext_len;
5148 	struct sk_security_struct *sksec = sock->sk->sk_security;
5149 	u32 peer_sid = SECSID_NULL;
5150 
5151 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5152 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5153 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5154 		peer_sid = sksec->peer_sid;
5155 	if (peer_sid == SECSID_NULL)
5156 		return -ENOPROTOOPT;
5157 
5158 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5159 				      &scontext_len);
5160 	if (err)
5161 		return err;
5162 	if (scontext_len > len) {
5163 		err = -ERANGE;
5164 		goto out_len;
5165 	}
5166 
5167 	if (copy_to_sockptr(optval, scontext, scontext_len))
5168 		err = -EFAULT;
5169 out_len:
5170 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5171 		err = -EFAULT;
5172 	kfree(scontext);
5173 	return err;
5174 }
5175 
5176 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5177 {
5178 	u32 peer_secid = SECSID_NULL;
5179 	u16 family;
5180 	struct inode_security_struct *isec;
5181 
5182 	if (skb && skb->protocol == htons(ETH_P_IP))
5183 		family = PF_INET;
5184 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5185 		family = PF_INET6;
5186 	else if (sock)
5187 		family = sock->sk->sk_family;
5188 	else
5189 		goto out;
5190 
5191 	if (sock && family == PF_UNIX) {
5192 		isec = inode_security_novalidate(SOCK_INODE(sock));
5193 		peer_secid = isec->sid;
5194 	} else if (skb)
5195 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5196 
5197 out:
5198 	*secid = peer_secid;
5199 	if (peer_secid == SECSID_NULL)
5200 		return -EINVAL;
5201 	return 0;
5202 }
5203 
5204 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5205 {
5206 	struct sk_security_struct *sksec;
5207 
5208 	sksec = kzalloc(sizeof(*sksec), priority);
5209 	if (!sksec)
5210 		return -ENOMEM;
5211 
5212 	sksec->peer_sid = SECINITSID_UNLABELED;
5213 	sksec->sid = SECINITSID_UNLABELED;
5214 	sksec->sclass = SECCLASS_SOCKET;
5215 	selinux_netlbl_sk_security_reset(sksec);
5216 	sk->sk_security = sksec;
5217 
5218 	return 0;
5219 }
5220 
5221 static void selinux_sk_free_security(struct sock *sk)
5222 {
5223 	struct sk_security_struct *sksec = sk->sk_security;
5224 
5225 	sk->sk_security = NULL;
5226 	selinux_netlbl_sk_security_free(sksec);
5227 	kfree(sksec);
5228 }
5229 
5230 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5231 {
5232 	struct sk_security_struct *sksec = sk->sk_security;
5233 	struct sk_security_struct *newsksec = newsk->sk_security;
5234 
5235 	newsksec->sid = sksec->sid;
5236 	newsksec->peer_sid = sksec->peer_sid;
5237 	newsksec->sclass = sksec->sclass;
5238 
5239 	selinux_netlbl_sk_security_reset(newsksec);
5240 }
5241 
5242 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5243 {
5244 	if (!sk)
5245 		*secid = SECINITSID_ANY_SOCKET;
5246 	else {
5247 		struct sk_security_struct *sksec = sk->sk_security;
5248 
5249 		*secid = sksec->sid;
5250 	}
5251 }
5252 
5253 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5254 {
5255 	struct inode_security_struct *isec =
5256 		inode_security_novalidate(SOCK_INODE(parent));
5257 	struct sk_security_struct *sksec = sk->sk_security;
5258 
5259 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5260 	    sk->sk_family == PF_UNIX)
5261 		isec->sid = sksec->sid;
5262 	sksec->sclass = isec->sclass;
5263 }
5264 
5265 /*
5266  * Determines peer_secid for the asoc and updates socket's peer label
5267  * if it's the first association on the socket.
5268  */
5269 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5270 					  struct sk_buff *skb)
5271 {
5272 	struct sock *sk = asoc->base.sk;
5273 	u16 family = sk->sk_family;
5274 	struct sk_security_struct *sksec = sk->sk_security;
5275 	struct common_audit_data ad;
5276 	struct lsm_network_audit net = {0,};
5277 	int err;
5278 
5279 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5280 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5281 		family = PF_INET;
5282 
5283 	if (selinux_peerlbl_enabled()) {
5284 		asoc->peer_secid = SECSID_NULL;
5285 
5286 		/* This will return peer_sid = SECSID_NULL if there are
5287 		 * no peer labels, see security_net_peersid_resolve().
5288 		 */
5289 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5290 		if (err)
5291 			return err;
5292 
5293 		if (asoc->peer_secid == SECSID_NULL)
5294 			asoc->peer_secid = SECINITSID_UNLABELED;
5295 	} else {
5296 		asoc->peer_secid = SECINITSID_UNLABELED;
5297 	}
5298 
5299 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5300 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5301 
5302 		/* Here as first association on socket. As the peer SID
5303 		 * was allowed by peer recv (and the netif/node checks),
5304 		 * then it is approved by policy and used as the primary
5305 		 * peer SID for getpeercon(3).
5306 		 */
5307 		sksec->peer_sid = asoc->peer_secid;
5308 	} else if (sksec->peer_sid != asoc->peer_secid) {
5309 		/* Other association peer SIDs are checked to enforce
5310 		 * consistency among the peer SIDs.
5311 		 */
5312 		ad.type = LSM_AUDIT_DATA_NET;
5313 		ad.u.net = &net;
5314 		ad.u.net->sk = asoc->base.sk;
5315 		err = avc_has_perm(&selinux_state,
5316 				   sksec->peer_sid, asoc->peer_secid,
5317 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5318 				   &ad);
5319 		if (err)
5320 			return err;
5321 	}
5322 	return 0;
5323 }
5324 
5325 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5326  * happens on an incoming connect(2), sctp_connectx(3) or
5327  * sctp_sendmsg(3) (with no association already present).
5328  */
5329 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5330 				      struct sk_buff *skb)
5331 {
5332 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5333 	u32 conn_sid;
5334 	int err;
5335 
5336 	if (!selinux_policycap_extsockclass())
5337 		return 0;
5338 
5339 	err = selinux_sctp_process_new_assoc(asoc, skb);
5340 	if (err)
5341 		return err;
5342 
5343 	/* Compute the MLS component for the connection and store
5344 	 * the information in asoc. This will be used by SCTP TCP type
5345 	 * sockets and peeled off connections as they cause a new
5346 	 * socket to be generated. selinux_sctp_sk_clone() will then
5347 	 * plug this into the new socket.
5348 	 */
5349 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5350 	if (err)
5351 		return err;
5352 
5353 	asoc->secid = conn_sid;
5354 
5355 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5356 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5357 }
5358 
5359 /* Called when SCTP receives a COOKIE ACK chunk as the final
5360  * response to an association request (initited by us).
5361  */
5362 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5363 					  struct sk_buff *skb)
5364 {
5365 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5366 
5367 	if (!selinux_policycap_extsockclass())
5368 		return 0;
5369 
5370 	/* Inherit secid from the parent socket - this will be picked up
5371 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5372 	 * into a new socket.
5373 	 */
5374 	asoc->secid = sksec->sid;
5375 
5376 	return selinux_sctp_process_new_assoc(asoc, skb);
5377 }
5378 
5379 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5380  * based on their @optname.
5381  */
5382 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5383 				     struct sockaddr *address,
5384 				     int addrlen)
5385 {
5386 	int len, err = 0, walk_size = 0;
5387 	void *addr_buf;
5388 	struct sockaddr *addr;
5389 	struct socket *sock;
5390 
5391 	if (!selinux_policycap_extsockclass())
5392 		return 0;
5393 
5394 	/* Process one or more addresses that may be IPv4 or IPv6 */
5395 	sock = sk->sk_socket;
5396 	addr_buf = address;
5397 
5398 	while (walk_size < addrlen) {
5399 		if (walk_size + sizeof(sa_family_t) > addrlen)
5400 			return -EINVAL;
5401 
5402 		addr = addr_buf;
5403 		switch (addr->sa_family) {
5404 		case AF_UNSPEC:
5405 		case AF_INET:
5406 			len = sizeof(struct sockaddr_in);
5407 			break;
5408 		case AF_INET6:
5409 			len = sizeof(struct sockaddr_in6);
5410 			break;
5411 		default:
5412 			return -EINVAL;
5413 		}
5414 
5415 		if (walk_size + len > addrlen)
5416 			return -EINVAL;
5417 
5418 		err = -EINVAL;
5419 		switch (optname) {
5420 		/* Bind checks */
5421 		case SCTP_PRIMARY_ADDR:
5422 		case SCTP_SET_PEER_PRIMARY_ADDR:
5423 		case SCTP_SOCKOPT_BINDX_ADD:
5424 			err = selinux_socket_bind(sock, addr, len);
5425 			break;
5426 		/* Connect checks */
5427 		case SCTP_SOCKOPT_CONNECTX:
5428 		case SCTP_PARAM_SET_PRIMARY:
5429 		case SCTP_PARAM_ADD_IP:
5430 		case SCTP_SENDMSG_CONNECT:
5431 			err = selinux_socket_connect_helper(sock, addr, len);
5432 			if (err)
5433 				return err;
5434 
5435 			/* As selinux_sctp_bind_connect() is called by the
5436 			 * SCTP protocol layer, the socket is already locked,
5437 			 * therefore selinux_netlbl_socket_connect_locked()
5438 			 * is called here. The situations handled are:
5439 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5440 			 * whenever a new IP address is added or when a new
5441 			 * primary address is selected.
5442 			 * Note that an SCTP connect(2) call happens before
5443 			 * the SCTP protocol layer and is handled via
5444 			 * selinux_socket_connect().
5445 			 */
5446 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5447 			break;
5448 		}
5449 
5450 		if (err)
5451 			return err;
5452 
5453 		addr_buf += len;
5454 		walk_size += len;
5455 	}
5456 
5457 	return 0;
5458 }
5459 
5460 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5461 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5462 				  struct sock *newsk)
5463 {
5464 	struct sk_security_struct *sksec = sk->sk_security;
5465 	struct sk_security_struct *newsksec = newsk->sk_security;
5466 
5467 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5468 	 * the non-sctp clone version.
5469 	 */
5470 	if (!selinux_policycap_extsockclass())
5471 		return selinux_sk_clone_security(sk, newsk);
5472 
5473 	newsksec->sid = asoc->secid;
5474 	newsksec->peer_sid = asoc->peer_secid;
5475 	newsksec->sclass = sksec->sclass;
5476 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5477 }
5478 
5479 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5480 				     struct request_sock *req)
5481 {
5482 	struct sk_security_struct *sksec = sk->sk_security;
5483 	int err;
5484 	u16 family = req->rsk_ops->family;
5485 	u32 connsid;
5486 	u32 peersid;
5487 
5488 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5489 	if (err)
5490 		return err;
5491 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5492 	if (err)
5493 		return err;
5494 	req->secid = connsid;
5495 	req->peer_secid = peersid;
5496 
5497 	return selinux_netlbl_inet_conn_request(req, family);
5498 }
5499 
5500 static void selinux_inet_csk_clone(struct sock *newsk,
5501 				   const struct request_sock *req)
5502 {
5503 	struct sk_security_struct *newsksec = newsk->sk_security;
5504 
5505 	newsksec->sid = req->secid;
5506 	newsksec->peer_sid = req->peer_secid;
5507 	/* NOTE: Ideally, we should also get the isec->sid for the
5508 	   new socket in sync, but we don't have the isec available yet.
5509 	   So we will wait until sock_graft to do it, by which
5510 	   time it will have been created and available. */
5511 
5512 	/* We don't need to take any sort of lock here as we are the only
5513 	 * thread with access to newsksec */
5514 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5515 }
5516 
5517 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5518 {
5519 	u16 family = sk->sk_family;
5520 	struct sk_security_struct *sksec = sk->sk_security;
5521 
5522 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5523 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5524 		family = PF_INET;
5525 
5526 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5527 }
5528 
5529 static int selinux_secmark_relabel_packet(u32 sid)
5530 {
5531 	const struct task_security_struct *__tsec;
5532 	u32 tsid;
5533 
5534 	__tsec = selinux_cred(current_cred());
5535 	tsid = __tsec->sid;
5536 
5537 	return avc_has_perm(&selinux_state,
5538 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5539 			    NULL);
5540 }
5541 
5542 static void selinux_secmark_refcount_inc(void)
5543 {
5544 	atomic_inc(&selinux_secmark_refcount);
5545 }
5546 
5547 static void selinux_secmark_refcount_dec(void)
5548 {
5549 	atomic_dec(&selinux_secmark_refcount);
5550 }
5551 
5552 static void selinux_req_classify_flow(const struct request_sock *req,
5553 				      struct flowi_common *flic)
5554 {
5555 	flic->flowic_secid = req->secid;
5556 }
5557 
5558 static int selinux_tun_dev_alloc_security(void **security)
5559 {
5560 	struct tun_security_struct *tunsec;
5561 
5562 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5563 	if (!tunsec)
5564 		return -ENOMEM;
5565 	tunsec->sid = current_sid();
5566 
5567 	*security = tunsec;
5568 	return 0;
5569 }
5570 
5571 static void selinux_tun_dev_free_security(void *security)
5572 {
5573 	kfree(security);
5574 }
5575 
5576 static int selinux_tun_dev_create(void)
5577 {
5578 	u32 sid = current_sid();
5579 
5580 	/* we aren't taking into account the "sockcreate" SID since the socket
5581 	 * that is being created here is not a socket in the traditional sense,
5582 	 * instead it is a private sock, accessible only to the kernel, and
5583 	 * representing a wide range of network traffic spanning multiple
5584 	 * connections unlike traditional sockets - check the TUN driver to
5585 	 * get a better understanding of why this socket is special */
5586 
5587 	return avc_has_perm(&selinux_state,
5588 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5589 			    NULL);
5590 }
5591 
5592 static int selinux_tun_dev_attach_queue(void *security)
5593 {
5594 	struct tun_security_struct *tunsec = security;
5595 
5596 	return avc_has_perm(&selinux_state,
5597 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5598 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5599 }
5600 
5601 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5602 {
5603 	struct tun_security_struct *tunsec = security;
5604 	struct sk_security_struct *sksec = sk->sk_security;
5605 
5606 	/* we don't currently perform any NetLabel based labeling here and it
5607 	 * isn't clear that we would want to do so anyway; while we could apply
5608 	 * labeling without the support of the TUN user the resulting labeled
5609 	 * traffic from the other end of the connection would almost certainly
5610 	 * cause confusion to the TUN user that had no idea network labeling
5611 	 * protocols were being used */
5612 
5613 	sksec->sid = tunsec->sid;
5614 	sksec->sclass = SECCLASS_TUN_SOCKET;
5615 
5616 	return 0;
5617 }
5618 
5619 static int selinux_tun_dev_open(void *security)
5620 {
5621 	struct tun_security_struct *tunsec = security;
5622 	u32 sid = current_sid();
5623 	int err;
5624 
5625 	err = avc_has_perm(&selinux_state,
5626 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5627 			   TUN_SOCKET__RELABELFROM, NULL);
5628 	if (err)
5629 		return err;
5630 	err = avc_has_perm(&selinux_state,
5631 			   sid, sid, SECCLASS_TUN_SOCKET,
5632 			   TUN_SOCKET__RELABELTO, NULL);
5633 	if (err)
5634 		return err;
5635 	tunsec->sid = sid;
5636 
5637 	return 0;
5638 }
5639 
5640 #ifdef CONFIG_NETFILTER
5641 
5642 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5643 				       const struct nf_hook_state *state)
5644 {
5645 	int ifindex;
5646 	u16 family;
5647 	char *addrp;
5648 	u32 peer_sid;
5649 	struct common_audit_data ad;
5650 	struct lsm_network_audit net = {0,};
5651 	int secmark_active, peerlbl_active;
5652 
5653 	if (!selinux_policycap_netpeer())
5654 		return NF_ACCEPT;
5655 
5656 	secmark_active = selinux_secmark_enabled();
5657 	peerlbl_active = selinux_peerlbl_enabled();
5658 	if (!secmark_active && !peerlbl_active)
5659 		return NF_ACCEPT;
5660 
5661 	family = state->pf;
5662 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5663 		return NF_DROP;
5664 
5665 	ifindex = state->in->ifindex;
5666 	ad.type = LSM_AUDIT_DATA_NET;
5667 	ad.u.net = &net;
5668 	ad.u.net->netif = ifindex;
5669 	ad.u.net->family = family;
5670 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5671 		return NF_DROP;
5672 
5673 	if (peerlbl_active) {
5674 		int err;
5675 
5676 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5677 					       addrp, family, peer_sid, &ad);
5678 		if (err) {
5679 			selinux_netlbl_err(skb, family, err, 1);
5680 			return NF_DROP;
5681 		}
5682 	}
5683 
5684 	if (secmark_active)
5685 		if (avc_has_perm(&selinux_state,
5686 				 peer_sid, skb->secmark,
5687 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5688 			return NF_DROP;
5689 
5690 	if (netlbl_enabled())
5691 		/* we do this in the FORWARD path and not the POST_ROUTING
5692 		 * path because we want to make sure we apply the necessary
5693 		 * labeling before IPsec is applied so we can leverage AH
5694 		 * protection */
5695 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5696 			return NF_DROP;
5697 
5698 	return NF_ACCEPT;
5699 }
5700 
5701 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5702 				      const struct nf_hook_state *state)
5703 {
5704 	struct sock *sk;
5705 	u32 sid;
5706 
5707 	if (!netlbl_enabled())
5708 		return NF_ACCEPT;
5709 
5710 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5711 	 * because we want to make sure we apply the necessary labeling
5712 	 * before IPsec is applied so we can leverage AH protection */
5713 	sk = skb->sk;
5714 	if (sk) {
5715 		struct sk_security_struct *sksec;
5716 
5717 		if (sk_listener(sk))
5718 			/* if the socket is the listening state then this
5719 			 * packet is a SYN-ACK packet which means it needs to
5720 			 * be labeled based on the connection/request_sock and
5721 			 * not the parent socket.  unfortunately, we can't
5722 			 * lookup the request_sock yet as it isn't queued on
5723 			 * the parent socket until after the SYN-ACK is sent.
5724 			 * the "solution" is to simply pass the packet as-is
5725 			 * as any IP option based labeling should be copied
5726 			 * from the initial connection request (in the IP
5727 			 * layer).  it is far from ideal, but until we get a
5728 			 * security label in the packet itself this is the
5729 			 * best we can do. */
5730 			return NF_ACCEPT;
5731 
5732 		/* standard practice, label using the parent socket */
5733 		sksec = sk->sk_security;
5734 		sid = sksec->sid;
5735 	} else
5736 		sid = SECINITSID_KERNEL;
5737 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5738 		return NF_DROP;
5739 
5740 	return NF_ACCEPT;
5741 }
5742 
5743 
5744 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5745 					const struct nf_hook_state *state)
5746 {
5747 	struct sock *sk;
5748 	struct sk_security_struct *sksec;
5749 	struct common_audit_data ad;
5750 	struct lsm_network_audit net = {0,};
5751 	u8 proto = 0;
5752 
5753 	sk = skb_to_full_sk(skb);
5754 	if (sk == NULL)
5755 		return NF_ACCEPT;
5756 	sksec = sk->sk_security;
5757 
5758 	ad.type = LSM_AUDIT_DATA_NET;
5759 	ad.u.net = &net;
5760 	ad.u.net->netif = state->out->ifindex;
5761 	ad.u.net->family = state->pf;
5762 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5763 		return NF_DROP;
5764 
5765 	if (selinux_secmark_enabled())
5766 		if (avc_has_perm(&selinux_state,
5767 				 sksec->sid, skb->secmark,
5768 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5769 			return NF_DROP_ERR(-ECONNREFUSED);
5770 
5771 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5772 		return NF_DROP_ERR(-ECONNREFUSED);
5773 
5774 	return NF_ACCEPT;
5775 }
5776 
5777 static unsigned int selinux_ip_postroute(void *priv,
5778 					 struct sk_buff *skb,
5779 					 const struct nf_hook_state *state)
5780 {
5781 	u16 family;
5782 	u32 secmark_perm;
5783 	u32 peer_sid;
5784 	int ifindex;
5785 	struct sock *sk;
5786 	struct common_audit_data ad;
5787 	struct lsm_network_audit net = {0,};
5788 	char *addrp;
5789 	int secmark_active, peerlbl_active;
5790 
5791 	/* If any sort of compatibility mode is enabled then handoff processing
5792 	 * to the selinux_ip_postroute_compat() function to deal with the
5793 	 * special handling.  We do this in an attempt to keep this function
5794 	 * as fast and as clean as possible. */
5795 	if (!selinux_policycap_netpeer())
5796 		return selinux_ip_postroute_compat(skb, state);
5797 
5798 	secmark_active = selinux_secmark_enabled();
5799 	peerlbl_active = selinux_peerlbl_enabled();
5800 	if (!secmark_active && !peerlbl_active)
5801 		return NF_ACCEPT;
5802 
5803 	sk = skb_to_full_sk(skb);
5804 
5805 #ifdef CONFIG_XFRM
5806 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5807 	 * packet transformation so allow the packet to pass without any checks
5808 	 * since we'll have another chance to perform access control checks
5809 	 * when the packet is on it's final way out.
5810 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5811 	 *       is NULL, in this case go ahead and apply access control.
5812 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5813 	 *       TCP listening state we cannot wait until the XFRM processing
5814 	 *       is done as we will miss out on the SA label if we do;
5815 	 *       unfortunately, this means more work, but it is only once per
5816 	 *       connection. */
5817 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5818 	    !(sk && sk_listener(sk)))
5819 		return NF_ACCEPT;
5820 #endif
5821 
5822 	family = state->pf;
5823 	if (sk == NULL) {
5824 		/* Without an associated socket the packet is either coming
5825 		 * from the kernel or it is being forwarded; check the packet
5826 		 * to determine which and if the packet is being forwarded
5827 		 * query the packet directly to determine the security label. */
5828 		if (skb->skb_iif) {
5829 			secmark_perm = PACKET__FORWARD_OUT;
5830 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5831 				return NF_DROP;
5832 		} else {
5833 			secmark_perm = PACKET__SEND;
5834 			peer_sid = SECINITSID_KERNEL;
5835 		}
5836 	} else if (sk_listener(sk)) {
5837 		/* Locally generated packet but the associated socket is in the
5838 		 * listening state which means this is a SYN-ACK packet.  In
5839 		 * this particular case the correct security label is assigned
5840 		 * to the connection/request_sock but unfortunately we can't
5841 		 * query the request_sock as it isn't queued on the parent
5842 		 * socket until after the SYN-ACK packet is sent; the only
5843 		 * viable choice is to regenerate the label like we do in
5844 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5845 		 * for similar problems. */
5846 		u32 skb_sid;
5847 		struct sk_security_struct *sksec;
5848 
5849 		sksec = sk->sk_security;
5850 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5851 			return NF_DROP;
5852 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5853 		 * and the packet has been through at least one XFRM
5854 		 * transformation then we must be dealing with the "final"
5855 		 * form of labeled IPsec packet; since we've already applied
5856 		 * all of our access controls on this packet we can safely
5857 		 * pass the packet. */
5858 		if (skb_sid == SECSID_NULL) {
5859 			switch (family) {
5860 			case PF_INET:
5861 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5862 					return NF_ACCEPT;
5863 				break;
5864 			case PF_INET6:
5865 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5866 					return NF_ACCEPT;
5867 				break;
5868 			default:
5869 				return NF_DROP_ERR(-ECONNREFUSED);
5870 			}
5871 		}
5872 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5873 			return NF_DROP;
5874 		secmark_perm = PACKET__SEND;
5875 	} else {
5876 		/* Locally generated packet, fetch the security label from the
5877 		 * associated socket. */
5878 		struct sk_security_struct *sksec = sk->sk_security;
5879 		peer_sid = sksec->sid;
5880 		secmark_perm = PACKET__SEND;
5881 	}
5882 
5883 	ifindex = state->out->ifindex;
5884 	ad.type = LSM_AUDIT_DATA_NET;
5885 	ad.u.net = &net;
5886 	ad.u.net->netif = ifindex;
5887 	ad.u.net->family = family;
5888 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5889 		return NF_DROP;
5890 
5891 	if (secmark_active)
5892 		if (avc_has_perm(&selinux_state,
5893 				 peer_sid, skb->secmark,
5894 				 SECCLASS_PACKET, secmark_perm, &ad))
5895 			return NF_DROP_ERR(-ECONNREFUSED);
5896 
5897 	if (peerlbl_active) {
5898 		u32 if_sid;
5899 		u32 node_sid;
5900 
5901 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5902 			return NF_DROP;
5903 		if (avc_has_perm(&selinux_state,
5904 				 peer_sid, if_sid,
5905 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5906 			return NF_DROP_ERR(-ECONNREFUSED);
5907 
5908 		if (sel_netnode_sid(addrp, family, &node_sid))
5909 			return NF_DROP;
5910 		if (avc_has_perm(&selinux_state,
5911 				 peer_sid, node_sid,
5912 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5913 			return NF_DROP_ERR(-ECONNREFUSED);
5914 	}
5915 
5916 	return NF_ACCEPT;
5917 }
5918 #endif	/* CONFIG_NETFILTER */
5919 
5920 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5921 {
5922 	int rc = 0;
5923 	unsigned int msg_len;
5924 	unsigned int data_len = skb->len;
5925 	unsigned char *data = skb->data;
5926 	struct nlmsghdr *nlh;
5927 	struct sk_security_struct *sksec = sk->sk_security;
5928 	u16 sclass = sksec->sclass;
5929 	u32 perm;
5930 
5931 	while (data_len >= nlmsg_total_size(0)) {
5932 		nlh = (struct nlmsghdr *)data;
5933 
5934 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5935 		 *       users which means we can't reject skb's with bogus
5936 		 *       length fields; our solution is to follow what
5937 		 *       netlink_rcv_skb() does and simply skip processing at
5938 		 *       messages with length fields that are clearly junk
5939 		 */
5940 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5941 			return 0;
5942 
5943 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5944 		if (rc == 0) {
5945 			rc = sock_has_perm(sk, perm);
5946 			if (rc)
5947 				return rc;
5948 		} else if (rc == -EINVAL) {
5949 			/* -EINVAL is a missing msg/perm mapping */
5950 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5951 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5952 				" pid=%d comm=%s\n",
5953 				sk->sk_protocol, nlh->nlmsg_type,
5954 				secclass_map[sclass - 1].name,
5955 				task_pid_nr(current), current->comm);
5956 			if (enforcing_enabled(&selinux_state) &&
5957 			    !security_get_allow_unknown(&selinux_state))
5958 				return rc;
5959 			rc = 0;
5960 		} else if (rc == -ENOENT) {
5961 			/* -ENOENT is a missing socket/class mapping, ignore */
5962 			rc = 0;
5963 		} else {
5964 			return rc;
5965 		}
5966 
5967 		/* move to the next message after applying netlink padding */
5968 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5969 		if (msg_len >= data_len)
5970 			return 0;
5971 		data_len -= msg_len;
5972 		data += msg_len;
5973 	}
5974 
5975 	return rc;
5976 }
5977 
5978 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5979 {
5980 	isec->sclass = sclass;
5981 	isec->sid = current_sid();
5982 }
5983 
5984 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5985 			u32 perms)
5986 {
5987 	struct ipc_security_struct *isec;
5988 	struct common_audit_data ad;
5989 	u32 sid = current_sid();
5990 
5991 	isec = selinux_ipc(ipc_perms);
5992 
5993 	ad.type = LSM_AUDIT_DATA_IPC;
5994 	ad.u.ipc_id = ipc_perms->key;
5995 
5996 	return avc_has_perm(&selinux_state,
5997 			    sid, isec->sid, isec->sclass, perms, &ad);
5998 }
5999 
6000 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6001 {
6002 	struct msg_security_struct *msec;
6003 
6004 	msec = selinux_msg_msg(msg);
6005 	msec->sid = SECINITSID_UNLABELED;
6006 
6007 	return 0;
6008 }
6009 
6010 /* message queue security operations */
6011 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6012 {
6013 	struct ipc_security_struct *isec;
6014 	struct common_audit_data ad;
6015 	u32 sid = current_sid();
6016 
6017 	isec = selinux_ipc(msq);
6018 	ipc_init_security(isec, SECCLASS_MSGQ);
6019 
6020 	ad.type = LSM_AUDIT_DATA_IPC;
6021 	ad.u.ipc_id = msq->key;
6022 
6023 	return avc_has_perm(&selinux_state,
6024 			    sid, isec->sid, SECCLASS_MSGQ,
6025 			    MSGQ__CREATE, &ad);
6026 }
6027 
6028 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6029 {
6030 	struct ipc_security_struct *isec;
6031 	struct common_audit_data ad;
6032 	u32 sid = current_sid();
6033 
6034 	isec = selinux_ipc(msq);
6035 
6036 	ad.type = LSM_AUDIT_DATA_IPC;
6037 	ad.u.ipc_id = msq->key;
6038 
6039 	return avc_has_perm(&selinux_state,
6040 			    sid, isec->sid, SECCLASS_MSGQ,
6041 			    MSGQ__ASSOCIATE, &ad);
6042 }
6043 
6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6045 {
6046 	int err;
6047 	int perms;
6048 
6049 	switch (cmd) {
6050 	case IPC_INFO:
6051 	case MSG_INFO:
6052 		/* No specific object, just general system-wide information. */
6053 		return avc_has_perm(&selinux_state,
6054 				    current_sid(), SECINITSID_KERNEL,
6055 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6056 	case IPC_STAT:
6057 	case MSG_STAT:
6058 	case MSG_STAT_ANY:
6059 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6060 		break;
6061 	case IPC_SET:
6062 		perms = MSGQ__SETATTR;
6063 		break;
6064 	case IPC_RMID:
6065 		perms = MSGQ__DESTROY;
6066 		break;
6067 	default:
6068 		return 0;
6069 	}
6070 
6071 	err = ipc_has_perm(msq, perms);
6072 	return err;
6073 }
6074 
6075 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6076 {
6077 	struct ipc_security_struct *isec;
6078 	struct msg_security_struct *msec;
6079 	struct common_audit_data ad;
6080 	u32 sid = current_sid();
6081 	int rc;
6082 
6083 	isec = selinux_ipc(msq);
6084 	msec = selinux_msg_msg(msg);
6085 
6086 	/*
6087 	 * First time through, need to assign label to the message
6088 	 */
6089 	if (msec->sid == SECINITSID_UNLABELED) {
6090 		/*
6091 		 * Compute new sid based on current process and
6092 		 * message queue this message will be stored in
6093 		 */
6094 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6095 					     SECCLASS_MSG, NULL, &msec->sid);
6096 		if (rc)
6097 			return rc;
6098 	}
6099 
6100 	ad.type = LSM_AUDIT_DATA_IPC;
6101 	ad.u.ipc_id = msq->key;
6102 
6103 	/* Can this process write to the queue? */
6104 	rc = avc_has_perm(&selinux_state,
6105 			  sid, isec->sid, SECCLASS_MSGQ,
6106 			  MSGQ__WRITE, &ad);
6107 	if (!rc)
6108 		/* Can this process send the message */
6109 		rc = avc_has_perm(&selinux_state,
6110 				  sid, msec->sid, SECCLASS_MSG,
6111 				  MSG__SEND, &ad);
6112 	if (!rc)
6113 		/* Can the message be put in the queue? */
6114 		rc = avc_has_perm(&selinux_state,
6115 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6116 				  MSGQ__ENQUEUE, &ad);
6117 
6118 	return rc;
6119 }
6120 
6121 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6122 				    struct task_struct *target,
6123 				    long type, int mode)
6124 {
6125 	struct ipc_security_struct *isec;
6126 	struct msg_security_struct *msec;
6127 	struct common_audit_data ad;
6128 	u32 sid = task_sid_obj(target);
6129 	int rc;
6130 
6131 	isec = selinux_ipc(msq);
6132 	msec = selinux_msg_msg(msg);
6133 
6134 	ad.type = LSM_AUDIT_DATA_IPC;
6135 	ad.u.ipc_id = msq->key;
6136 
6137 	rc = avc_has_perm(&selinux_state,
6138 			  sid, isec->sid,
6139 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6140 	if (!rc)
6141 		rc = avc_has_perm(&selinux_state,
6142 				  sid, msec->sid,
6143 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6144 	return rc;
6145 }
6146 
6147 /* Shared Memory security operations */
6148 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6149 {
6150 	struct ipc_security_struct *isec;
6151 	struct common_audit_data ad;
6152 	u32 sid = current_sid();
6153 
6154 	isec = selinux_ipc(shp);
6155 	ipc_init_security(isec, SECCLASS_SHM);
6156 
6157 	ad.type = LSM_AUDIT_DATA_IPC;
6158 	ad.u.ipc_id = shp->key;
6159 
6160 	return avc_has_perm(&selinux_state,
6161 			    sid, isec->sid, SECCLASS_SHM,
6162 			    SHM__CREATE, &ad);
6163 }
6164 
6165 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6166 {
6167 	struct ipc_security_struct *isec;
6168 	struct common_audit_data ad;
6169 	u32 sid = current_sid();
6170 
6171 	isec = selinux_ipc(shp);
6172 
6173 	ad.type = LSM_AUDIT_DATA_IPC;
6174 	ad.u.ipc_id = shp->key;
6175 
6176 	return avc_has_perm(&selinux_state,
6177 			    sid, isec->sid, SECCLASS_SHM,
6178 			    SHM__ASSOCIATE, &ad);
6179 }
6180 
6181 /* Note, at this point, shp is locked down */
6182 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6183 {
6184 	int perms;
6185 	int err;
6186 
6187 	switch (cmd) {
6188 	case IPC_INFO:
6189 	case SHM_INFO:
6190 		/* No specific object, just general system-wide information. */
6191 		return avc_has_perm(&selinux_state,
6192 				    current_sid(), SECINITSID_KERNEL,
6193 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6194 	case IPC_STAT:
6195 	case SHM_STAT:
6196 	case SHM_STAT_ANY:
6197 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6198 		break;
6199 	case IPC_SET:
6200 		perms = SHM__SETATTR;
6201 		break;
6202 	case SHM_LOCK:
6203 	case SHM_UNLOCK:
6204 		perms = SHM__LOCK;
6205 		break;
6206 	case IPC_RMID:
6207 		perms = SHM__DESTROY;
6208 		break;
6209 	default:
6210 		return 0;
6211 	}
6212 
6213 	err = ipc_has_perm(shp, perms);
6214 	return err;
6215 }
6216 
6217 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6218 			     char __user *shmaddr, int shmflg)
6219 {
6220 	u32 perms;
6221 
6222 	if (shmflg & SHM_RDONLY)
6223 		perms = SHM__READ;
6224 	else
6225 		perms = SHM__READ | SHM__WRITE;
6226 
6227 	return ipc_has_perm(shp, perms);
6228 }
6229 
6230 /* Semaphore security operations */
6231 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6232 {
6233 	struct ipc_security_struct *isec;
6234 	struct common_audit_data ad;
6235 	u32 sid = current_sid();
6236 
6237 	isec = selinux_ipc(sma);
6238 	ipc_init_security(isec, SECCLASS_SEM);
6239 
6240 	ad.type = LSM_AUDIT_DATA_IPC;
6241 	ad.u.ipc_id = sma->key;
6242 
6243 	return avc_has_perm(&selinux_state,
6244 			    sid, isec->sid, SECCLASS_SEM,
6245 			    SEM__CREATE, &ad);
6246 }
6247 
6248 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6249 {
6250 	struct ipc_security_struct *isec;
6251 	struct common_audit_data ad;
6252 	u32 sid = current_sid();
6253 
6254 	isec = selinux_ipc(sma);
6255 
6256 	ad.type = LSM_AUDIT_DATA_IPC;
6257 	ad.u.ipc_id = sma->key;
6258 
6259 	return avc_has_perm(&selinux_state,
6260 			    sid, isec->sid, SECCLASS_SEM,
6261 			    SEM__ASSOCIATE, &ad);
6262 }
6263 
6264 /* Note, at this point, sma is locked down */
6265 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6266 {
6267 	int err;
6268 	u32 perms;
6269 
6270 	switch (cmd) {
6271 	case IPC_INFO:
6272 	case SEM_INFO:
6273 		/* No specific object, just general system-wide information. */
6274 		return avc_has_perm(&selinux_state,
6275 				    current_sid(), SECINITSID_KERNEL,
6276 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6277 	case GETPID:
6278 	case GETNCNT:
6279 	case GETZCNT:
6280 		perms = SEM__GETATTR;
6281 		break;
6282 	case GETVAL:
6283 	case GETALL:
6284 		perms = SEM__READ;
6285 		break;
6286 	case SETVAL:
6287 	case SETALL:
6288 		perms = SEM__WRITE;
6289 		break;
6290 	case IPC_RMID:
6291 		perms = SEM__DESTROY;
6292 		break;
6293 	case IPC_SET:
6294 		perms = SEM__SETATTR;
6295 		break;
6296 	case IPC_STAT:
6297 	case SEM_STAT:
6298 	case SEM_STAT_ANY:
6299 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6300 		break;
6301 	default:
6302 		return 0;
6303 	}
6304 
6305 	err = ipc_has_perm(sma, perms);
6306 	return err;
6307 }
6308 
6309 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6310 			     struct sembuf *sops, unsigned nsops, int alter)
6311 {
6312 	u32 perms;
6313 
6314 	if (alter)
6315 		perms = SEM__READ | SEM__WRITE;
6316 	else
6317 		perms = SEM__READ;
6318 
6319 	return ipc_has_perm(sma, perms);
6320 }
6321 
6322 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6323 {
6324 	u32 av = 0;
6325 
6326 	av = 0;
6327 	if (flag & S_IRUGO)
6328 		av |= IPC__UNIX_READ;
6329 	if (flag & S_IWUGO)
6330 		av |= IPC__UNIX_WRITE;
6331 
6332 	if (av == 0)
6333 		return 0;
6334 
6335 	return ipc_has_perm(ipcp, av);
6336 }
6337 
6338 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6339 {
6340 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6341 	*secid = isec->sid;
6342 }
6343 
6344 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6345 {
6346 	if (inode)
6347 		inode_doinit_with_dentry(inode, dentry);
6348 }
6349 
6350 static int selinux_getprocattr(struct task_struct *p,
6351 			       const char *name, char **value)
6352 {
6353 	const struct task_security_struct *__tsec;
6354 	u32 sid;
6355 	int error;
6356 	unsigned len;
6357 
6358 	rcu_read_lock();
6359 	__tsec = selinux_cred(__task_cred(p));
6360 
6361 	if (current != p) {
6362 		error = avc_has_perm(&selinux_state,
6363 				     current_sid(), __tsec->sid,
6364 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6365 		if (error)
6366 			goto bad;
6367 	}
6368 
6369 	if (!strcmp(name, "current"))
6370 		sid = __tsec->sid;
6371 	else if (!strcmp(name, "prev"))
6372 		sid = __tsec->osid;
6373 	else if (!strcmp(name, "exec"))
6374 		sid = __tsec->exec_sid;
6375 	else if (!strcmp(name, "fscreate"))
6376 		sid = __tsec->create_sid;
6377 	else if (!strcmp(name, "keycreate"))
6378 		sid = __tsec->keycreate_sid;
6379 	else if (!strcmp(name, "sockcreate"))
6380 		sid = __tsec->sockcreate_sid;
6381 	else {
6382 		error = -EINVAL;
6383 		goto bad;
6384 	}
6385 	rcu_read_unlock();
6386 
6387 	if (!sid)
6388 		return 0;
6389 
6390 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6391 	if (error)
6392 		return error;
6393 	return len;
6394 
6395 bad:
6396 	rcu_read_unlock();
6397 	return error;
6398 }
6399 
6400 static int selinux_setprocattr(const char *name, void *value, size_t size)
6401 {
6402 	struct task_security_struct *tsec;
6403 	struct cred *new;
6404 	u32 mysid = current_sid(), sid = 0, ptsid;
6405 	int error;
6406 	char *str = value;
6407 
6408 	/*
6409 	 * Basic control over ability to set these attributes at all.
6410 	 */
6411 	if (!strcmp(name, "exec"))
6412 		error = avc_has_perm(&selinux_state,
6413 				     mysid, mysid, SECCLASS_PROCESS,
6414 				     PROCESS__SETEXEC, NULL);
6415 	else if (!strcmp(name, "fscreate"))
6416 		error = avc_has_perm(&selinux_state,
6417 				     mysid, mysid, SECCLASS_PROCESS,
6418 				     PROCESS__SETFSCREATE, NULL);
6419 	else if (!strcmp(name, "keycreate"))
6420 		error = avc_has_perm(&selinux_state,
6421 				     mysid, mysid, SECCLASS_PROCESS,
6422 				     PROCESS__SETKEYCREATE, NULL);
6423 	else if (!strcmp(name, "sockcreate"))
6424 		error = avc_has_perm(&selinux_state,
6425 				     mysid, mysid, SECCLASS_PROCESS,
6426 				     PROCESS__SETSOCKCREATE, NULL);
6427 	else if (!strcmp(name, "current"))
6428 		error = avc_has_perm(&selinux_state,
6429 				     mysid, mysid, SECCLASS_PROCESS,
6430 				     PROCESS__SETCURRENT, NULL);
6431 	else
6432 		error = -EINVAL;
6433 	if (error)
6434 		return error;
6435 
6436 	/* Obtain a SID for the context, if one was specified. */
6437 	if (size && str[0] && str[0] != '\n') {
6438 		if (str[size-1] == '\n') {
6439 			str[size-1] = 0;
6440 			size--;
6441 		}
6442 		error = security_context_to_sid(&selinux_state, value, size,
6443 						&sid, GFP_KERNEL);
6444 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6445 			if (!has_cap_mac_admin(true)) {
6446 				struct audit_buffer *ab;
6447 				size_t audit_size;
6448 
6449 				/* We strip a nul only if it is at the end, otherwise the
6450 				 * context contains a nul and we should audit that */
6451 				if (str[size - 1] == '\0')
6452 					audit_size = size - 1;
6453 				else
6454 					audit_size = size;
6455 				ab = audit_log_start(audit_context(),
6456 						     GFP_ATOMIC,
6457 						     AUDIT_SELINUX_ERR);
6458 				if (!ab)
6459 					return error;
6460 				audit_log_format(ab, "op=fscreate invalid_context=");
6461 				audit_log_n_untrustedstring(ab, value, audit_size);
6462 				audit_log_end(ab);
6463 
6464 				return error;
6465 			}
6466 			error = security_context_to_sid_force(
6467 						      &selinux_state,
6468 						      value, size, &sid);
6469 		}
6470 		if (error)
6471 			return error;
6472 	}
6473 
6474 	new = prepare_creds();
6475 	if (!new)
6476 		return -ENOMEM;
6477 
6478 	/* Permission checking based on the specified context is
6479 	   performed during the actual operation (execve,
6480 	   open/mkdir/...), when we know the full context of the
6481 	   operation.  See selinux_bprm_creds_for_exec for the execve
6482 	   checks and may_create for the file creation checks. The
6483 	   operation will then fail if the context is not permitted. */
6484 	tsec = selinux_cred(new);
6485 	if (!strcmp(name, "exec")) {
6486 		tsec->exec_sid = sid;
6487 	} else if (!strcmp(name, "fscreate")) {
6488 		tsec->create_sid = sid;
6489 	} else if (!strcmp(name, "keycreate")) {
6490 		if (sid) {
6491 			error = avc_has_perm(&selinux_state, mysid, sid,
6492 					     SECCLASS_KEY, KEY__CREATE, NULL);
6493 			if (error)
6494 				goto abort_change;
6495 		}
6496 		tsec->keycreate_sid = sid;
6497 	} else if (!strcmp(name, "sockcreate")) {
6498 		tsec->sockcreate_sid = sid;
6499 	} else if (!strcmp(name, "current")) {
6500 		error = -EINVAL;
6501 		if (sid == 0)
6502 			goto abort_change;
6503 
6504 		/* Only allow single threaded processes to change context */
6505 		if (!current_is_single_threaded()) {
6506 			error = security_bounded_transition(&selinux_state,
6507 							    tsec->sid, sid);
6508 			if (error)
6509 				goto abort_change;
6510 		}
6511 
6512 		/* Check permissions for the transition. */
6513 		error = avc_has_perm(&selinux_state,
6514 				     tsec->sid, sid, SECCLASS_PROCESS,
6515 				     PROCESS__DYNTRANSITION, NULL);
6516 		if (error)
6517 			goto abort_change;
6518 
6519 		/* Check for ptracing, and update the task SID if ok.
6520 		   Otherwise, leave SID unchanged and fail. */
6521 		ptsid = ptrace_parent_sid();
6522 		if (ptsid != 0) {
6523 			error = avc_has_perm(&selinux_state,
6524 					     ptsid, sid, SECCLASS_PROCESS,
6525 					     PROCESS__PTRACE, NULL);
6526 			if (error)
6527 				goto abort_change;
6528 		}
6529 
6530 		tsec->sid = sid;
6531 	} else {
6532 		error = -EINVAL;
6533 		goto abort_change;
6534 	}
6535 
6536 	commit_creds(new);
6537 	return size;
6538 
6539 abort_change:
6540 	abort_creds(new);
6541 	return error;
6542 }
6543 
6544 static int selinux_ismaclabel(const char *name)
6545 {
6546 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6547 }
6548 
6549 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6550 {
6551 	return security_sid_to_context(&selinux_state, secid,
6552 				       secdata, seclen);
6553 }
6554 
6555 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6556 {
6557 	return security_context_to_sid(&selinux_state, secdata, seclen,
6558 				       secid, GFP_KERNEL);
6559 }
6560 
6561 static void selinux_release_secctx(char *secdata, u32 seclen)
6562 {
6563 	kfree(secdata);
6564 }
6565 
6566 static void selinux_inode_invalidate_secctx(struct inode *inode)
6567 {
6568 	struct inode_security_struct *isec = selinux_inode(inode);
6569 
6570 	spin_lock(&isec->lock);
6571 	isec->initialized = LABEL_INVALID;
6572 	spin_unlock(&isec->lock);
6573 }
6574 
6575 /*
6576  *	called with inode->i_mutex locked
6577  */
6578 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6579 {
6580 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6581 					   ctx, ctxlen, 0);
6582 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6583 	return rc == -EOPNOTSUPP ? 0 : rc;
6584 }
6585 
6586 /*
6587  *	called with inode->i_mutex locked
6588  */
6589 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6590 {
6591 	return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX,
6592 				     ctx, ctxlen, 0);
6593 }
6594 
6595 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6596 {
6597 	int len = 0;
6598 	len = selinux_inode_getsecurity(&init_user_ns, inode,
6599 					XATTR_SELINUX_SUFFIX, ctx, true);
6600 	if (len < 0)
6601 		return len;
6602 	*ctxlen = len;
6603 	return 0;
6604 }
6605 #ifdef CONFIG_KEYS
6606 
6607 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6608 			     unsigned long flags)
6609 {
6610 	const struct task_security_struct *tsec;
6611 	struct key_security_struct *ksec;
6612 
6613 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6614 	if (!ksec)
6615 		return -ENOMEM;
6616 
6617 	tsec = selinux_cred(cred);
6618 	if (tsec->keycreate_sid)
6619 		ksec->sid = tsec->keycreate_sid;
6620 	else
6621 		ksec->sid = tsec->sid;
6622 
6623 	k->security = ksec;
6624 	return 0;
6625 }
6626 
6627 static void selinux_key_free(struct key *k)
6628 {
6629 	struct key_security_struct *ksec = k->security;
6630 
6631 	k->security = NULL;
6632 	kfree(ksec);
6633 }
6634 
6635 static int selinux_key_permission(key_ref_t key_ref,
6636 				  const struct cred *cred,
6637 				  enum key_need_perm need_perm)
6638 {
6639 	struct key *key;
6640 	struct key_security_struct *ksec;
6641 	u32 perm, sid;
6642 
6643 	switch (need_perm) {
6644 	case KEY_NEED_VIEW:
6645 		perm = KEY__VIEW;
6646 		break;
6647 	case KEY_NEED_READ:
6648 		perm = KEY__READ;
6649 		break;
6650 	case KEY_NEED_WRITE:
6651 		perm = KEY__WRITE;
6652 		break;
6653 	case KEY_NEED_SEARCH:
6654 		perm = KEY__SEARCH;
6655 		break;
6656 	case KEY_NEED_LINK:
6657 		perm = KEY__LINK;
6658 		break;
6659 	case KEY_NEED_SETATTR:
6660 		perm = KEY__SETATTR;
6661 		break;
6662 	case KEY_NEED_UNLINK:
6663 	case KEY_SYSADMIN_OVERRIDE:
6664 	case KEY_AUTHTOKEN_OVERRIDE:
6665 	case KEY_DEFER_PERM_CHECK:
6666 		return 0;
6667 	default:
6668 		WARN_ON(1);
6669 		return -EPERM;
6670 
6671 	}
6672 
6673 	sid = cred_sid(cred);
6674 	key = key_ref_to_ptr(key_ref);
6675 	ksec = key->security;
6676 
6677 	return avc_has_perm(&selinux_state,
6678 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6679 }
6680 
6681 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6682 {
6683 	struct key_security_struct *ksec = key->security;
6684 	char *context = NULL;
6685 	unsigned len;
6686 	int rc;
6687 
6688 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6689 				     &context, &len);
6690 	if (!rc)
6691 		rc = len;
6692 	*_buffer = context;
6693 	return rc;
6694 }
6695 
6696 #ifdef CONFIG_KEY_NOTIFICATIONS
6697 static int selinux_watch_key(struct key *key)
6698 {
6699 	struct key_security_struct *ksec = key->security;
6700 	u32 sid = current_sid();
6701 
6702 	return avc_has_perm(&selinux_state,
6703 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6704 }
6705 #endif
6706 #endif
6707 
6708 #ifdef CONFIG_SECURITY_INFINIBAND
6709 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6710 {
6711 	struct common_audit_data ad;
6712 	int err;
6713 	u32 sid = 0;
6714 	struct ib_security_struct *sec = ib_sec;
6715 	struct lsm_ibpkey_audit ibpkey;
6716 
6717 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6718 	if (err)
6719 		return err;
6720 
6721 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6722 	ibpkey.subnet_prefix = subnet_prefix;
6723 	ibpkey.pkey = pkey_val;
6724 	ad.u.ibpkey = &ibpkey;
6725 	return avc_has_perm(&selinux_state,
6726 			    sec->sid, sid,
6727 			    SECCLASS_INFINIBAND_PKEY,
6728 			    INFINIBAND_PKEY__ACCESS, &ad);
6729 }
6730 
6731 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6732 					    u8 port_num)
6733 {
6734 	struct common_audit_data ad;
6735 	int err;
6736 	u32 sid = 0;
6737 	struct ib_security_struct *sec = ib_sec;
6738 	struct lsm_ibendport_audit ibendport;
6739 
6740 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6741 				      &sid);
6742 
6743 	if (err)
6744 		return err;
6745 
6746 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6747 	ibendport.dev_name = dev_name;
6748 	ibendport.port = port_num;
6749 	ad.u.ibendport = &ibendport;
6750 	return avc_has_perm(&selinux_state,
6751 			    sec->sid, sid,
6752 			    SECCLASS_INFINIBAND_ENDPORT,
6753 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6754 }
6755 
6756 static int selinux_ib_alloc_security(void **ib_sec)
6757 {
6758 	struct ib_security_struct *sec;
6759 
6760 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6761 	if (!sec)
6762 		return -ENOMEM;
6763 	sec->sid = current_sid();
6764 
6765 	*ib_sec = sec;
6766 	return 0;
6767 }
6768 
6769 static void selinux_ib_free_security(void *ib_sec)
6770 {
6771 	kfree(ib_sec);
6772 }
6773 #endif
6774 
6775 #ifdef CONFIG_BPF_SYSCALL
6776 static int selinux_bpf(int cmd, union bpf_attr *attr,
6777 				     unsigned int size)
6778 {
6779 	u32 sid = current_sid();
6780 	int ret;
6781 
6782 	switch (cmd) {
6783 	case BPF_MAP_CREATE:
6784 		ret = avc_has_perm(&selinux_state,
6785 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6786 				   NULL);
6787 		break;
6788 	case BPF_PROG_LOAD:
6789 		ret = avc_has_perm(&selinux_state,
6790 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6791 				   NULL);
6792 		break;
6793 	default:
6794 		ret = 0;
6795 		break;
6796 	}
6797 
6798 	return ret;
6799 }
6800 
6801 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6802 {
6803 	u32 av = 0;
6804 
6805 	if (fmode & FMODE_READ)
6806 		av |= BPF__MAP_READ;
6807 	if (fmode & FMODE_WRITE)
6808 		av |= BPF__MAP_WRITE;
6809 	return av;
6810 }
6811 
6812 /* This function will check the file pass through unix socket or binder to see
6813  * if it is a bpf related object. And apply corresponding checks on the bpf
6814  * object based on the type. The bpf maps and programs, not like other files and
6815  * socket, are using a shared anonymous inode inside the kernel as their inode.
6816  * So checking that inode cannot identify if the process have privilege to
6817  * access the bpf object and that's why we have to add this additional check in
6818  * selinux_file_receive and selinux_binder_transfer_files.
6819  */
6820 static int bpf_fd_pass(struct file *file, u32 sid)
6821 {
6822 	struct bpf_security_struct *bpfsec;
6823 	struct bpf_prog *prog;
6824 	struct bpf_map *map;
6825 	int ret;
6826 
6827 	if (file->f_op == &bpf_map_fops) {
6828 		map = file->private_data;
6829 		bpfsec = map->security;
6830 		ret = avc_has_perm(&selinux_state,
6831 				   sid, bpfsec->sid, SECCLASS_BPF,
6832 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6833 		if (ret)
6834 			return ret;
6835 	} else if (file->f_op == &bpf_prog_fops) {
6836 		prog = file->private_data;
6837 		bpfsec = prog->aux->security;
6838 		ret = avc_has_perm(&selinux_state,
6839 				   sid, bpfsec->sid, SECCLASS_BPF,
6840 				   BPF__PROG_RUN, NULL);
6841 		if (ret)
6842 			return ret;
6843 	}
6844 	return 0;
6845 }
6846 
6847 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6848 {
6849 	u32 sid = current_sid();
6850 	struct bpf_security_struct *bpfsec;
6851 
6852 	bpfsec = map->security;
6853 	return avc_has_perm(&selinux_state,
6854 			    sid, bpfsec->sid, SECCLASS_BPF,
6855 			    bpf_map_fmode_to_av(fmode), NULL);
6856 }
6857 
6858 static int selinux_bpf_prog(struct bpf_prog *prog)
6859 {
6860 	u32 sid = current_sid();
6861 	struct bpf_security_struct *bpfsec;
6862 
6863 	bpfsec = prog->aux->security;
6864 	return avc_has_perm(&selinux_state,
6865 			    sid, bpfsec->sid, SECCLASS_BPF,
6866 			    BPF__PROG_RUN, NULL);
6867 }
6868 
6869 static int selinux_bpf_map_alloc(struct bpf_map *map)
6870 {
6871 	struct bpf_security_struct *bpfsec;
6872 
6873 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6874 	if (!bpfsec)
6875 		return -ENOMEM;
6876 
6877 	bpfsec->sid = current_sid();
6878 	map->security = bpfsec;
6879 
6880 	return 0;
6881 }
6882 
6883 static void selinux_bpf_map_free(struct bpf_map *map)
6884 {
6885 	struct bpf_security_struct *bpfsec = map->security;
6886 
6887 	map->security = NULL;
6888 	kfree(bpfsec);
6889 }
6890 
6891 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6892 {
6893 	struct bpf_security_struct *bpfsec;
6894 
6895 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6896 	if (!bpfsec)
6897 		return -ENOMEM;
6898 
6899 	bpfsec->sid = current_sid();
6900 	aux->security = bpfsec;
6901 
6902 	return 0;
6903 }
6904 
6905 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6906 {
6907 	struct bpf_security_struct *bpfsec = aux->security;
6908 
6909 	aux->security = NULL;
6910 	kfree(bpfsec);
6911 }
6912 #endif
6913 
6914 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6915 	.lbs_cred = sizeof(struct task_security_struct),
6916 	.lbs_file = sizeof(struct file_security_struct),
6917 	.lbs_inode = sizeof(struct inode_security_struct),
6918 	.lbs_ipc = sizeof(struct ipc_security_struct),
6919 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6920 	.lbs_superblock = sizeof(struct superblock_security_struct),
6921 };
6922 
6923 #ifdef CONFIG_PERF_EVENTS
6924 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6925 {
6926 	u32 requested, sid = current_sid();
6927 
6928 	if (type == PERF_SECURITY_OPEN)
6929 		requested = PERF_EVENT__OPEN;
6930 	else if (type == PERF_SECURITY_CPU)
6931 		requested = PERF_EVENT__CPU;
6932 	else if (type == PERF_SECURITY_KERNEL)
6933 		requested = PERF_EVENT__KERNEL;
6934 	else if (type == PERF_SECURITY_TRACEPOINT)
6935 		requested = PERF_EVENT__TRACEPOINT;
6936 	else
6937 		return -EINVAL;
6938 
6939 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6940 			    requested, NULL);
6941 }
6942 
6943 static int selinux_perf_event_alloc(struct perf_event *event)
6944 {
6945 	struct perf_event_security_struct *perfsec;
6946 
6947 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6948 	if (!perfsec)
6949 		return -ENOMEM;
6950 
6951 	perfsec->sid = current_sid();
6952 	event->security = perfsec;
6953 
6954 	return 0;
6955 }
6956 
6957 static void selinux_perf_event_free(struct perf_event *event)
6958 {
6959 	struct perf_event_security_struct *perfsec = event->security;
6960 
6961 	event->security = NULL;
6962 	kfree(perfsec);
6963 }
6964 
6965 static int selinux_perf_event_read(struct perf_event *event)
6966 {
6967 	struct perf_event_security_struct *perfsec = event->security;
6968 	u32 sid = current_sid();
6969 
6970 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6971 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6972 }
6973 
6974 static int selinux_perf_event_write(struct perf_event *event)
6975 {
6976 	struct perf_event_security_struct *perfsec = event->security;
6977 	u32 sid = current_sid();
6978 
6979 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6980 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6981 }
6982 #endif
6983 
6984 #ifdef CONFIG_IO_URING
6985 /**
6986  * selinux_uring_override_creds - check the requested cred override
6987  * @new: the target creds
6988  *
6989  * Check to see if the current task is allowed to override it's credentials
6990  * to service an io_uring operation.
6991  */
6992 static int selinux_uring_override_creds(const struct cred *new)
6993 {
6994 	return avc_has_perm(&selinux_state, current_sid(), cred_sid(new),
6995 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6996 }
6997 
6998 /**
6999  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7000  *
7001  * Check to see if the current task is allowed to create a new io_uring
7002  * kernel polling thread.
7003  */
7004 static int selinux_uring_sqpoll(void)
7005 {
7006 	int sid = current_sid();
7007 
7008 	return avc_has_perm(&selinux_state, sid, sid,
7009 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7010 }
7011 
7012 /**
7013  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7014  * @ioucmd: the io_uring command structure
7015  *
7016  * Check to see if the current domain is allowed to execute an
7017  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7018  *
7019  */
7020 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7021 {
7022 	struct file *file = ioucmd->file;
7023 	struct inode *inode = file_inode(file);
7024 	struct inode_security_struct *isec = selinux_inode(inode);
7025 	struct common_audit_data ad;
7026 
7027 	ad.type = LSM_AUDIT_DATA_FILE;
7028 	ad.u.file = file;
7029 
7030 	return avc_has_perm(&selinux_state, current_sid(), isec->sid,
7031 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
7032 }
7033 #endif /* CONFIG_IO_URING */
7034 
7035 /*
7036  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7037  * 1. any hooks that don't belong to (2.) or (3.) below,
7038  * 2. hooks that both access structures allocated by other hooks, and allocate
7039  *    structures that can be later accessed by other hooks (mostly "cloning"
7040  *    hooks),
7041  * 3. hooks that only allocate structures that can be later accessed by other
7042  *    hooks ("allocating" hooks).
7043  *
7044  * Please follow block comment delimiters in the list to keep this order.
7045  *
7046  * This ordering is needed for SELinux runtime disable to work at least somewhat
7047  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
7048  * when disabling SELinux at runtime.
7049  */
7050 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7051 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7052 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7053 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7054 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7055 
7056 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7057 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7058 	LSM_HOOK_INIT(capget, selinux_capget),
7059 	LSM_HOOK_INIT(capset, selinux_capset),
7060 	LSM_HOOK_INIT(capable, selinux_capable),
7061 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7062 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7063 	LSM_HOOK_INIT(syslog, selinux_syslog),
7064 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7065 
7066 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7067 
7068 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7069 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7070 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7071 
7072 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7073 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7074 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7075 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7076 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7077 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7078 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7079 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7080 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7081 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7082 
7083 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7084 
7085 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7086 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7087 
7088 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7089 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7090 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7091 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7092 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7093 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7094 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7095 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7096 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7097 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7098 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7099 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7100 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7101 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7102 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7103 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7104 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7105 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7106 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7107 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7108 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7109 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7110 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7111 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7112 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7113 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7114 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7115 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7116 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7117 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7118 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7119 
7120 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7121 
7122 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7123 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7124 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7125 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7126 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7127 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7128 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7129 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7130 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7131 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7132 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7133 
7134 	LSM_HOOK_INIT(file_open, selinux_file_open),
7135 
7136 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7137 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7138 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7139 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7140 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7141 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7142 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7143 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7144 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7145 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7146 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7147 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7148 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7149 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7150 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7151 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7152 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7153 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7154 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7155 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7156 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7157 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7158 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7159 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7160 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7161 
7162 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7163 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7164 
7165 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7166 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7167 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7168 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7169 
7170 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7171 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7172 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7173 
7174 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7175 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7176 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7177 
7178 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7179 
7180 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7181 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7182 
7183 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7184 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7185 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7186 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7187 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7188 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7189 
7190 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7191 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7192 
7193 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7194 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7195 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7196 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7197 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7198 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7199 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7200 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7201 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7202 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7203 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7204 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7205 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7206 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7207 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7208 	LSM_HOOK_INIT(socket_getpeersec_stream,
7209 			selinux_socket_getpeersec_stream),
7210 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7211 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7212 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7213 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7214 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7215 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7216 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7217 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7218 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7219 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7220 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7221 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7222 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7223 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7224 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7225 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7226 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7227 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7228 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7229 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7230 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7231 #ifdef CONFIG_SECURITY_INFINIBAND
7232 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7233 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7234 		      selinux_ib_endport_manage_subnet),
7235 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7236 #endif
7237 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7238 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7239 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7240 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7241 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7242 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7243 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7244 			selinux_xfrm_state_pol_flow_match),
7245 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7246 #endif
7247 
7248 #ifdef CONFIG_KEYS
7249 	LSM_HOOK_INIT(key_free, selinux_key_free),
7250 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7251 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7252 #ifdef CONFIG_KEY_NOTIFICATIONS
7253 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7254 #endif
7255 #endif
7256 
7257 #ifdef CONFIG_AUDIT
7258 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7259 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7260 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7261 #endif
7262 
7263 #ifdef CONFIG_BPF_SYSCALL
7264 	LSM_HOOK_INIT(bpf, selinux_bpf),
7265 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7266 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7267 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7268 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7269 #endif
7270 
7271 #ifdef CONFIG_PERF_EVENTS
7272 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7273 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7274 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7275 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7276 #endif
7277 
7278 #ifdef CONFIG_IO_URING
7279 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7280 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7281 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7282 #endif
7283 
7284 	/*
7285 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7286 	 */
7287 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7288 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7289 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7290 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7291 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7292 #endif
7293 
7294 	/*
7295 	 * PUT "ALLOCATING" HOOKS HERE
7296 	 */
7297 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7298 	LSM_HOOK_INIT(msg_queue_alloc_security,
7299 		      selinux_msg_queue_alloc_security),
7300 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7301 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7302 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7303 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7304 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7305 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7306 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7307 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7308 #ifdef CONFIG_SECURITY_INFINIBAND
7309 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7310 #endif
7311 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7312 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7313 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7314 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7315 		      selinux_xfrm_state_alloc_acquire),
7316 #endif
7317 #ifdef CONFIG_KEYS
7318 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7319 #endif
7320 #ifdef CONFIG_AUDIT
7321 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7322 #endif
7323 #ifdef CONFIG_BPF_SYSCALL
7324 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7325 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7326 #endif
7327 #ifdef CONFIG_PERF_EVENTS
7328 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7329 #endif
7330 };
7331 
7332 static __init int selinux_init(void)
7333 {
7334 	pr_info("SELinux:  Initializing.\n");
7335 
7336 	memset(&selinux_state, 0, sizeof(selinux_state));
7337 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7338 	if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
7339 		pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero.  This is deprecated and will be rejected in a future kernel release.\n");
7340 	checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7341 	selinux_avc_init(&selinux_state.avc);
7342 	mutex_init(&selinux_state.status_lock);
7343 	mutex_init(&selinux_state.policy_mutex);
7344 
7345 	/* Set the security state for the initial task. */
7346 	cred_init_security();
7347 
7348 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7349 
7350 	avc_init();
7351 
7352 	avtab_cache_init();
7353 
7354 	ebitmap_cache_init();
7355 
7356 	hashtab_cache_init();
7357 
7358 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7359 
7360 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7361 		panic("SELinux: Unable to register AVC netcache callback\n");
7362 
7363 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7364 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7365 
7366 	if (selinux_enforcing_boot)
7367 		pr_debug("SELinux:  Starting in enforcing mode\n");
7368 	else
7369 		pr_debug("SELinux:  Starting in permissive mode\n");
7370 
7371 	fs_validate_description("selinux", selinux_fs_parameters);
7372 
7373 	return 0;
7374 }
7375 
7376 static void delayed_superblock_init(struct super_block *sb, void *unused)
7377 {
7378 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7379 }
7380 
7381 void selinux_complete_init(void)
7382 {
7383 	pr_debug("SELinux:  Completing initialization.\n");
7384 
7385 	/* Set up any superblocks initialized prior to the policy load. */
7386 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7387 	iterate_supers(delayed_superblock_init, NULL);
7388 }
7389 
7390 /* SELinux requires early initialization in order to label
7391    all processes and objects when they are created. */
7392 DEFINE_LSM(selinux) = {
7393 	.name = "selinux",
7394 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7395 	.enabled = &selinux_enabled_boot,
7396 	.blobs = &selinux_blob_sizes,
7397 	.init = selinux_init,
7398 };
7399 
7400 #if defined(CONFIG_NETFILTER)
7401 
7402 static const struct nf_hook_ops selinux_nf_ops[] = {
7403 	{
7404 		.hook =		selinux_ip_postroute,
7405 		.pf =		NFPROTO_IPV4,
7406 		.hooknum =	NF_INET_POST_ROUTING,
7407 		.priority =	NF_IP_PRI_SELINUX_LAST,
7408 	},
7409 	{
7410 		.hook =		selinux_ip_forward,
7411 		.pf =		NFPROTO_IPV4,
7412 		.hooknum =	NF_INET_FORWARD,
7413 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7414 	},
7415 	{
7416 		.hook =		selinux_ip_output,
7417 		.pf =		NFPROTO_IPV4,
7418 		.hooknum =	NF_INET_LOCAL_OUT,
7419 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7420 	},
7421 #if IS_ENABLED(CONFIG_IPV6)
7422 	{
7423 		.hook =		selinux_ip_postroute,
7424 		.pf =		NFPROTO_IPV6,
7425 		.hooknum =	NF_INET_POST_ROUTING,
7426 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7427 	},
7428 	{
7429 		.hook =		selinux_ip_forward,
7430 		.pf =		NFPROTO_IPV6,
7431 		.hooknum =	NF_INET_FORWARD,
7432 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7433 	},
7434 	{
7435 		.hook =		selinux_ip_output,
7436 		.pf =		NFPROTO_IPV6,
7437 		.hooknum =	NF_INET_LOCAL_OUT,
7438 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7439 	},
7440 #endif	/* IPV6 */
7441 };
7442 
7443 static int __net_init selinux_nf_register(struct net *net)
7444 {
7445 	return nf_register_net_hooks(net, selinux_nf_ops,
7446 				     ARRAY_SIZE(selinux_nf_ops));
7447 }
7448 
7449 static void __net_exit selinux_nf_unregister(struct net *net)
7450 {
7451 	nf_unregister_net_hooks(net, selinux_nf_ops,
7452 				ARRAY_SIZE(selinux_nf_ops));
7453 }
7454 
7455 static struct pernet_operations selinux_net_ops = {
7456 	.init = selinux_nf_register,
7457 	.exit = selinux_nf_unregister,
7458 };
7459 
7460 static int __init selinux_nf_ip_init(void)
7461 {
7462 	int err;
7463 
7464 	if (!selinux_enabled_boot)
7465 		return 0;
7466 
7467 	pr_debug("SELinux:  Registering netfilter hooks\n");
7468 
7469 	err = register_pernet_subsys(&selinux_net_ops);
7470 	if (err)
7471 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7472 
7473 	return 0;
7474 }
7475 __initcall(selinux_nf_ip_init);
7476 
7477 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7478 static void selinux_nf_ip_exit(void)
7479 {
7480 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7481 
7482 	unregister_pernet_subsys(&selinux_net_ops);
7483 }
7484 #endif
7485 
7486 #else /* CONFIG_NETFILTER */
7487 
7488 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7489 #define selinux_nf_ip_exit()
7490 #endif
7491 
7492 #endif /* CONFIG_NETFILTER */
7493 
7494 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7495 int selinux_disable(struct selinux_state *state)
7496 {
7497 	if (selinux_initialized(state)) {
7498 		/* Not permitted after initial policy load. */
7499 		return -EINVAL;
7500 	}
7501 
7502 	if (selinux_disabled(state)) {
7503 		/* Only do this once. */
7504 		return -EINVAL;
7505 	}
7506 
7507 	selinux_mark_disabled(state);
7508 
7509 	pr_info("SELinux:  Disabled at runtime.\n");
7510 
7511 	/*
7512 	 * Unregister netfilter hooks.
7513 	 * Must be done before security_delete_hooks() to avoid breaking
7514 	 * runtime disable.
7515 	 */
7516 	selinux_nf_ip_exit();
7517 
7518 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7519 
7520 	/* Try to destroy the avc node cache */
7521 	avc_disable();
7522 
7523 	/* Unregister selinuxfs. */
7524 	exit_sel_fs();
7525 
7526 	return 0;
7527 }
7528 #endif
7529