xref: /openbmc/linux/security/selinux/hooks.c (revision 584eab291c67894cb17cc87544b9d086228ea70f)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91 
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102 
103 struct selinux_state selinux_state;
104 
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107 
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110 
111 static int __init enforcing_setup(char *str)
112 {
113 	unsigned long enforcing;
114 	if (!kstrtoul(str, 0, &enforcing))
115 		selinux_enforcing_boot = enforcing ? 1 : 0;
116 	return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122 
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125 
126 static int __init selinux_enabled_setup(char *str)
127 {
128 	unsigned long enabled;
129 	if (!kstrtoul(str, 0, &enabled))
130 		selinux_enabled = enabled ? 1 : 0;
131 	return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot))
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct cred *cred = (struct cred *) current->real_cred;
214 	struct task_security_struct *tsec;
215 
216 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 	if (!tsec)
218 		panic("SELinux:  Failed to initialize initial task.\n");
219 
220 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 	cred->security = tsec;
222 }
223 
224 /*
225  * get the security ID of a set of credentials
226  */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 	const struct task_security_struct *tsec;
230 
231 	tsec = cred->security;
232 	return tsec->sid;
233 }
234 
235 /*
236  * get the objective security ID of a task
237  */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 	u32 sid;
241 
242 	rcu_read_lock();
243 	sid = cred_sid(__task_cred(task));
244 	rcu_read_unlock();
245 	return sid;
246 }
247 
248 /* Allocate and free functions for each kind of security blob. */
249 
250 static int inode_alloc_security(struct inode *inode)
251 {
252 	struct inode_security_struct *isec;
253 	u32 sid = current_sid();
254 
255 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 	if (!isec)
257 		return -ENOMEM;
258 
259 	spin_lock_init(&isec->lock);
260 	INIT_LIST_HEAD(&isec->list);
261 	isec->inode = inode;
262 	isec->sid = SECINITSID_UNLABELED;
263 	isec->sclass = SECCLASS_FILE;
264 	isec->task_sid = sid;
265 	isec->initialized = LABEL_INVALID;
266 	inode->i_security = isec;
267 
268 	return 0;
269 }
270 
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272 
273 /*
274  * Try reloading inode security labels that have been marked as invalid.  The
275  * @may_sleep parameter indicates when sleeping and thus reloading labels is
276  * allowed; when set to false, returns -ECHILD when the label is
277  * invalid.  The @dentry parameter should be set to a dentry of the inode.
278  */
279 static int __inode_security_revalidate(struct inode *inode,
280 				       struct dentry *dentry,
281 				       bool may_sleep)
282 {
283 	struct inode_security_struct *isec = inode->i_security;
284 
285 	might_sleep_if(may_sleep);
286 
287 	if (selinux_state.initialized &&
288 	    isec->initialized != LABEL_INITIALIZED) {
289 		if (!may_sleep)
290 			return -ECHILD;
291 
292 		/*
293 		 * Try reloading the inode security label.  This will fail if
294 		 * @opt_dentry is NULL and no dentry for this inode can be
295 		 * found; in that case, continue using the old label.
296 		 */
297 		inode_doinit_with_dentry(inode, dentry);
298 	}
299 	return 0;
300 }
301 
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 	return inode->i_security;
305 }
306 
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 	int error;
310 
311 	error = __inode_security_revalidate(inode, NULL, !rcu);
312 	if (error)
313 		return ERR_PTR(error);
314 	return inode->i_security;
315 }
316 
317 /*
318  * Get the security label of an inode.
319  */
320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 	__inode_security_revalidate(inode, NULL, true);
323 	return inode->i_security;
324 }
325 
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 	struct inode *inode = d_backing_inode(dentry);
329 
330 	return inode->i_security;
331 }
332 
333 /*
334  * Get the security label of a dentry's backing inode.
335  */
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 	struct inode *inode = d_backing_inode(dentry);
339 
340 	__inode_security_revalidate(inode, dentry, true);
341 	return inode->i_security;
342 }
343 
344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 	struct inode_security_struct *isec;
347 
348 	isec = container_of(head, struct inode_security_struct, rcu);
349 	kmem_cache_free(sel_inode_cache, isec);
350 }
351 
352 static void inode_free_security(struct inode *inode)
353 {
354 	struct inode_security_struct *isec = inode->i_security;
355 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356 
357 	/*
358 	 * As not all inode security structures are in a list, we check for
359 	 * empty list outside of the lock to make sure that we won't waste
360 	 * time taking a lock doing nothing.
361 	 *
362 	 * The list_del_init() function can be safely called more than once.
363 	 * It should not be possible for this function to be called with
364 	 * concurrent list_add(), but for better safety against future changes
365 	 * in the code, we use list_empty_careful() here.
366 	 */
367 	if (!list_empty_careful(&isec->list)) {
368 		spin_lock(&sbsec->isec_lock);
369 		list_del_init(&isec->list);
370 		spin_unlock(&sbsec->isec_lock);
371 	}
372 
373 	/*
374 	 * The inode may still be referenced in a path walk and
375 	 * a call to selinux_inode_permission() can be made
376 	 * after inode_free_security() is called. Ideally, the VFS
377 	 * wouldn't do this, but fixing that is a much harder
378 	 * job. For now, simply free the i_security via RCU, and
379 	 * leave the current inode->i_security pointer intact.
380 	 * The inode will be freed after the RCU grace period too.
381 	 */
382 	call_rcu(&isec->rcu, inode_free_rcu);
383 }
384 
385 static int file_alloc_security(struct file *file)
386 {
387 	struct file_security_struct *fsec;
388 	u32 sid = current_sid();
389 
390 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 	if (!fsec)
392 		return -ENOMEM;
393 
394 	fsec->sid = sid;
395 	fsec->fown_sid = sid;
396 	file->f_security = fsec;
397 
398 	return 0;
399 }
400 
401 static void file_free_security(struct file *file)
402 {
403 	struct file_security_struct *fsec = file->f_security;
404 	file->f_security = NULL;
405 	kmem_cache_free(file_security_cache, fsec);
406 }
407 
408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 	struct superblock_security_struct *sbsec;
411 
412 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 	if (!sbsec)
414 		return -ENOMEM;
415 
416 	mutex_init(&sbsec->lock);
417 	INIT_LIST_HEAD(&sbsec->isec_head);
418 	spin_lock_init(&sbsec->isec_lock);
419 	sbsec->sb = sb;
420 	sbsec->sid = SECINITSID_UNLABELED;
421 	sbsec->def_sid = SECINITSID_FILE;
422 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 	sb->s_security = sbsec;
424 
425 	return 0;
426 }
427 
428 static void superblock_free_security(struct super_block *sb)
429 {
430 	struct superblock_security_struct *sbsec = sb->s_security;
431 	sb->s_security = NULL;
432 	kfree(sbsec);
433 }
434 
435 static inline int inode_doinit(struct inode *inode)
436 {
437 	return inode_doinit_with_dentry(inode, NULL);
438 }
439 
440 enum {
441 	Opt_error = -1,
442 	Opt_context = 1,
443 	Opt_fscontext = 2,
444 	Opt_defcontext = 3,
445 	Opt_rootcontext = 4,
446 	Opt_labelsupport = 5,
447 	Opt_nextmntopt = 6,
448 };
449 
450 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
451 
452 static const match_table_t tokens = {
453 	{Opt_context, CONTEXT_STR "%s"},
454 	{Opt_fscontext, FSCONTEXT_STR "%s"},
455 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
456 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 	{Opt_labelsupport, LABELSUPP_STR},
458 	{Opt_error, NULL},
459 };
460 
461 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
462 
463 static int may_context_mount_sb_relabel(u32 sid,
464 			struct superblock_security_struct *sbsec,
465 			const struct cred *cred)
466 {
467 	const struct task_security_struct *tsec = cred->security;
468 	int rc;
469 
470 	rc = avc_has_perm(&selinux_state,
471 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 			  FILESYSTEM__RELABELFROM, NULL);
473 	if (rc)
474 		return rc;
475 
476 	rc = avc_has_perm(&selinux_state,
477 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
478 			  FILESYSTEM__RELABELTO, NULL);
479 	return rc;
480 }
481 
482 static int may_context_mount_inode_relabel(u32 sid,
483 			struct superblock_security_struct *sbsec,
484 			const struct cred *cred)
485 {
486 	const struct task_security_struct *tsec = cred->security;
487 	int rc;
488 	rc = avc_has_perm(&selinux_state,
489 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 			  FILESYSTEM__RELABELFROM, NULL);
491 	if (rc)
492 		return rc;
493 
494 	rc = avc_has_perm(&selinux_state,
495 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 			  FILESYSTEM__ASSOCIATE, NULL);
497 	return rc;
498 }
499 
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 	struct superblock_security_struct *sbsec = sb->s_security;
503 
504 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 		sbsec->behavior == SECURITY_FS_USE_TASK ||
507 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 		/* Special handling. Genfs but also in-core setxattr handler */
509 		!strcmp(sb->s_type->name, "sysfs") ||
510 		!strcmp(sb->s_type->name, "pstore") ||
511 		!strcmp(sb->s_type->name, "debugfs") ||
512 		!strcmp(sb->s_type->name, "tracefs") ||
513 		!strcmp(sb->s_type->name, "rootfs") ||
514 		(selinux_policycap_cgroupseclabel() &&
515 		 (!strcmp(sb->s_type->name, "cgroup") ||
516 		  !strcmp(sb->s_type->name, "cgroup2")));
517 }
518 
519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 	struct superblock_security_struct *sbsec = sb->s_security;
522 	struct dentry *root = sb->s_root;
523 	struct inode *root_inode = d_backing_inode(root);
524 	int rc = 0;
525 
526 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 		/* Make sure that the xattr handler exists and that no
528 		   error other than -ENODATA is returned by getxattr on
529 		   the root directory.  -ENODATA is ok, as this may be
530 		   the first boot of the SELinux kernel before we have
531 		   assigned xattr values to the filesystem. */
532 		if (!(root_inode->i_opflags & IOP_XATTR)) {
533 			pr_warn("SELinux: (dev %s, type %s) has no "
534 			       "xattr support\n", sb->s_id, sb->s_type->name);
535 			rc = -EOPNOTSUPP;
536 			goto out;
537 		}
538 
539 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 		if (rc < 0 && rc != -ENODATA) {
541 			if (rc == -EOPNOTSUPP)
542 				pr_warn("SELinux: (dev %s, type "
543 				       "%s) has no security xattr handler\n",
544 				       sb->s_id, sb->s_type->name);
545 			else
546 				pr_warn("SELinux: (dev %s, type "
547 				       "%s) getxattr errno %d\n", sb->s_id,
548 				       sb->s_type->name, -rc);
549 			goto out;
550 		}
551 	}
552 
553 	sbsec->flags |= SE_SBINITIALIZED;
554 
555 	/*
556 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
557 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 	 * us a superblock that needs the flag to be cleared.
559 	 */
560 	if (selinux_is_sblabel_mnt(sb))
561 		sbsec->flags |= SBLABEL_MNT;
562 	else
563 		sbsec->flags &= ~SBLABEL_MNT;
564 
565 	/* Initialize the root inode. */
566 	rc = inode_doinit_with_dentry(root_inode, root);
567 
568 	/* Initialize any other inodes associated with the superblock, e.g.
569 	   inodes created prior to initial policy load or inodes created
570 	   during get_sb by a pseudo filesystem that directly
571 	   populates itself. */
572 	spin_lock(&sbsec->isec_lock);
573 next_inode:
574 	if (!list_empty(&sbsec->isec_head)) {
575 		struct inode_security_struct *isec =
576 				list_entry(sbsec->isec_head.next,
577 					   struct inode_security_struct, list);
578 		struct inode *inode = isec->inode;
579 		list_del_init(&isec->list);
580 		spin_unlock(&sbsec->isec_lock);
581 		inode = igrab(inode);
582 		if (inode) {
583 			if (!IS_PRIVATE(inode))
584 				inode_doinit(inode);
585 			iput(inode);
586 		}
587 		spin_lock(&sbsec->isec_lock);
588 		goto next_inode;
589 	}
590 	spin_unlock(&sbsec->isec_lock);
591 out:
592 	return rc;
593 }
594 
595 /*
596  * This function should allow an FS to ask what it's mount security
597  * options were so it can use those later for submounts, displaying
598  * mount options, or whatever.
599  */
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 				struct security_mnt_opts *opts)
602 {
603 	int rc = 0, i;
604 	struct superblock_security_struct *sbsec = sb->s_security;
605 	char *context = NULL;
606 	u32 len;
607 	char tmp;
608 
609 	security_init_mnt_opts(opts);
610 
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		return -EINVAL;
613 
614 	if (!selinux_state.initialized)
615 		return -EINVAL;
616 
617 	/* make sure we always check enough bits to cover the mask */
618 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619 
620 	tmp = sbsec->flags & SE_MNTMASK;
621 	/* count the number of mount options for this sb */
622 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 		if (tmp & 0x01)
624 			opts->num_mnt_opts++;
625 		tmp >>= 1;
626 	}
627 	/* Check if the Label support flag is set */
628 	if (sbsec->flags & SBLABEL_MNT)
629 		opts->num_mnt_opts++;
630 
631 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 	if (!opts->mnt_opts) {
633 		rc = -ENOMEM;
634 		goto out_free;
635 	}
636 
637 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 	if (!opts->mnt_opts_flags) {
639 		rc = -ENOMEM;
640 		goto out_free;
641 	}
642 
643 	i = 0;
644 	if (sbsec->flags & FSCONTEXT_MNT) {
645 		rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 					     &context, &len);
647 		if (rc)
648 			goto out_free;
649 		opts->mnt_opts[i] = context;
650 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 	}
652 	if (sbsec->flags & CONTEXT_MNT) {
653 		rc = security_sid_to_context(&selinux_state,
654 					     sbsec->mntpoint_sid,
655 					     &context, &len);
656 		if (rc)
657 			goto out_free;
658 		opts->mnt_opts[i] = context;
659 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 	}
661 	if (sbsec->flags & DEFCONTEXT_MNT) {
662 		rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 					     &context, &len);
664 		if (rc)
665 			goto out_free;
666 		opts->mnt_opts[i] = context;
667 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 	}
669 	if (sbsec->flags & ROOTCONTEXT_MNT) {
670 		struct dentry *root = sbsec->sb->s_root;
671 		struct inode_security_struct *isec = backing_inode_security(root);
672 
673 		rc = security_sid_to_context(&selinux_state, isec->sid,
674 					     &context, &len);
675 		if (rc)
676 			goto out_free;
677 		opts->mnt_opts[i] = context;
678 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 	}
680 	if (sbsec->flags & SBLABEL_MNT) {
681 		opts->mnt_opts[i] = NULL;
682 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 	}
684 
685 	BUG_ON(i != opts->num_mnt_opts);
686 
687 	return 0;
688 
689 out_free:
690 	security_free_mnt_opts(opts);
691 	return rc;
692 }
693 
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 		      u32 old_sid, u32 new_sid)
696 {
697 	char mnt_flags = sbsec->flags & SE_MNTMASK;
698 
699 	/* check if the old mount command had the same options */
700 	if (sbsec->flags & SE_SBINITIALIZED)
701 		if (!(sbsec->flags & flag) ||
702 		    (old_sid != new_sid))
703 			return 1;
704 
705 	/* check if we were passed the same options twice,
706 	 * aka someone passed context=a,context=b
707 	 */
708 	if (!(sbsec->flags & SE_SBINITIALIZED))
709 		if (mnt_flags & flag)
710 			return 1;
711 	return 0;
712 }
713 
714 /*
715  * Allow filesystems with binary mount data to explicitly set mount point
716  * labeling information.
717  */
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 				struct security_mnt_opts *opts,
720 				unsigned long kern_flags,
721 				unsigned long *set_kern_flags)
722 {
723 	const struct cred *cred = current_cred();
724 	int rc = 0, i;
725 	struct superblock_security_struct *sbsec = sb->s_security;
726 	const char *name = sb->s_type->name;
727 	struct dentry *root = sbsec->sb->s_root;
728 	struct inode_security_struct *root_isec;
729 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 	u32 defcontext_sid = 0;
731 	char **mount_options = opts->mnt_opts;
732 	int *flags = opts->mnt_opts_flags;
733 	int num_opts = opts->num_mnt_opts;
734 
735 	mutex_lock(&sbsec->lock);
736 
737 	if (!selinux_state.initialized) {
738 		if (!num_opts) {
739 			/* Defer initialization until selinux_complete_init,
740 			   after the initial policy is loaded and the security
741 			   server is ready to handle calls. */
742 			goto out;
743 		}
744 		rc = -EINVAL;
745 		pr_warn("SELinux: Unable to set superblock options "
746 			"before the security server is initialized\n");
747 		goto out;
748 	}
749 	if (kern_flags && !set_kern_flags) {
750 		/* Specifying internal flags without providing a place to
751 		 * place the results is not allowed */
752 		rc = -EINVAL;
753 		goto out;
754 	}
755 
756 	/*
757 	 * Binary mount data FS will come through this function twice.  Once
758 	 * from an explicit call and once from the generic calls from the vfs.
759 	 * Since the generic VFS calls will not contain any security mount data
760 	 * we need to skip the double mount verification.
761 	 *
762 	 * This does open a hole in which we will not notice if the first
763 	 * mount using this sb set explict options and a second mount using
764 	 * this sb does not set any security options.  (The first options
765 	 * will be used for both mounts)
766 	 */
767 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 	    && (num_opts == 0))
769 		goto out;
770 
771 	root_isec = backing_inode_security_novalidate(root);
772 
773 	/*
774 	 * parse the mount options, check if they are valid sids.
775 	 * also check if someone is trying to mount the same sb more
776 	 * than once with different security options.
777 	 */
778 	for (i = 0; i < num_opts; i++) {
779 		u32 sid;
780 
781 		if (flags[i] == SBLABEL_MNT)
782 			continue;
783 		rc = security_context_str_to_sid(&selinux_state,
784 						 mount_options[i], &sid,
785 						 GFP_KERNEL);
786 		if (rc) {
787 			pr_warn("SELinux: security_context_str_to_sid"
788 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
789 			       mount_options[i], sb->s_id, name, rc);
790 			goto out;
791 		}
792 		switch (flags[i]) {
793 		case FSCONTEXT_MNT:
794 			fscontext_sid = sid;
795 
796 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 					fscontext_sid))
798 				goto out_double_mount;
799 
800 			sbsec->flags |= FSCONTEXT_MNT;
801 			break;
802 		case CONTEXT_MNT:
803 			context_sid = sid;
804 
805 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 					context_sid))
807 				goto out_double_mount;
808 
809 			sbsec->flags |= CONTEXT_MNT;
810 			break;
811 		case ROOTCONTEXT_MNT:
812 			rootcontext_sid = sid;
813 
814 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 					rootcontext_sid))
816 				goto out_double_mount;
817 
818 			sbsec->flags |= ROOTCONTEXT_MNT;
819 
820 			break;
821 		case DEFCONTEXT_MNT:
822 			defcontext_sid = sid;
823 
824 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 					defcontext_sid))
826 				goto out_double_mount;
827 
828 			sbsec->flags |= DEFCONTEXT_MNT;
829 
830 			break;
831 		default:
832 			rc = -EINVAL;
833 			goto out;
834 		}
835 	}
836 
837 	if (sbsec->flags & SE_SBINITIALIZED) {
838 		/* previously mounted with options, but not on this attempt? */
839 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 			goto out_double_mount;
841 		rc = 0;
842 		goto out;
843 	}
844 
845 	if (strcmp(sb->s_type->name, "proc") == 0)
846 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847 
848 	if (!strcmp(sb->s_type->name, "debugfs") ||
849 	    !strcmp(sb->s_type->name, "tracefs") ||
850 	    !strcmp(sb->s_type->name, "sysfs") ||
851 	    !strcmp(sb->s_type->name, "pstore") ||
852 	    !strcmp(sb->s_type->name, "cgroup") ||
853 	    !strcmp(sb->s_type->name, "cgroup2"))
854 		sbsec->flags |= SE_SBGENFS;
855 
856 	if (!sbsec->behavior) {
857 		/*
858 		 * Determine the labeling behavior to use for this
859 		 * filesystem type.
860 		 */
861 		rc = security_fs_use(&selinux_state, sb);
862 		if (rc) {
863 			pr_warn("%s: security_fs_use(%s) returned %d\n",
864 					__func__, sb->s_type->name, rc);
865 			goto out;
866 		}
867 	}
868 
869 	/*
870 	 * If this is a user namespace mount and the filesystem type is not
871 	 * explicitly whitelisted, then no contexts are allowed on the command
872 	 * line and security labels must be ignored.
873 	 */
874 	if (sb->s_user_ns != &init_user_ns &&
875 	    strcmp(sb->s_type->name, "tmpfs") &&
876 	    strcmp(sb->s_type->name, "ramfs") &&
877 	    strcmp(sb->s_type->name, "devpts")) {
878 		if (context_sid || fscontext_sid || rootcontext_sid ||
879 		    defcontext_sid) {
880 			rc = -EACCES;
881 			goto out;
882 		}
883 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 			rc = security_transition_sid(&selinux_state,
886 						     current_sid(),
887 						     current_sid(),
888 						     SECCLASS_FILE, NULL,
889 						     &sbsec->mntpoint_sid);
890 			if (rc)
891 				goto out;
892 		}
893 		goto out_set_opts;
894 	}
895 
896 	/* sets the context of the superblock for the fs being mounted. */
897 	if (fscontext_sid) {
898 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
899 		if (rc)
900 			goto out;
901 
902 		sbsec->sid = fscontext_sid;
903 	}
904 
905 	/*
906 	 * Switch to using mount point labeling behavior.
907 	 * sets the label used on all file below the mountpoint, and will set
908 	 * the superblock context if not already set.
909 	 */
910 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 	}
914 
915 	if (context_sid) {
916 		if (!fscontext_sid) {
917 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 							  cred);
919 			if (rc)
920 				goto out;
921 			sbsec->sid = context_sid;
922 		} else {
923 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 							     cred);
925 			if (rc)
926 				goto out;
927 		}
928 		if (!rootcontext_sid)
929 			rootcontext_sid = context_sid;
930 
931 		sbsec->mntpoint_sid = context_sid;
932 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
933 	}
934 
935 	if (rootcontext_sid) {
936 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 						     cred);
938 		if (rc)
939 			goto out;
940 
941 		root_isec->sid = rootcontext_sid;
942 		root_isec->initialized = LABEL_INITIALIZED;
943 	}
944 
945 	if (defcontext_sid) {
946 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
948 			rc = -EINVAL;
949 			pr_warn("SELinux: defcontext option is "
950 			       "invalid for this filesystem type\n");
951 			goto out;
952 		}
953 
954 		if (defcontext_sid != sbsec->def_sid) {
955 			rc = may_context_mount_inode_relabel(defcontext_sid,
956 							     sbsec, cred);
957 			if (rc)
958 				goto out;
959 		}
960 
961 		sbsec->def_sid = defcontext_sid;
962 	}
963 
964 out_set_opts:
965 	rc = sb_finish_set_opts(sb);
966 out:
967 	mutex_unlock(&sbsec->lock);
968 	return rc;
969 out_double_mount:
970 	rc = -EINVAL;
971 	pr_warn("SELinux: mount invalid.  Same superblock, different "
972 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
973 	goto out;
974 }
975 
976 static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 				    const struct super_block *newsb)
978 {
979 	struct superblock_security_struct *old = oldsb->s_security;
980 	struct superblock_security_struct *new = newsb->s_security;
981 	char oldflags = old->flags & SE_MNTMASK;
982 	char newflags = new->flags & SE_MNTMASK;
983 
984 	if (oldflags != newflags)
985 		goto mismatch;
986 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 		goto mismatch;
988 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 		goto mismatch;
990 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 		goto mismatch;
992 	if (oldflags & ROOTCONTEXT_MNT) {
993 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 		if (oldroot->sid != newroot->sid)
996 			goto mismatch;
997 	}
998 	return 0;
999 mismatch:
1000 	pr_warn("SELinux: mount invalid.  Same superblock, "
1001 			    "different security settings for (dev %s, "
1002 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 	return -EBUSY;
1004 }
1005 
1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 					struct super_block *newsb,
1008 					unsigned long kern_flags,
1009 					unsigned long *set_kern_flags)
1010 {
1011 	int rc = 0;
1012 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 	struct superblock_security_struct *newsbsec = newsb->s_security;
1014 
1015 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
1016 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
1017 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
1018 
1019 	/*
1020 	 * if the parent was able to be mounted it clearly had no special lsm
1021 	 * mount options.  thus we can safely deal with this superblock later
1022 	 */
1023 	if (!selinux_state.initialized)
1024 		return 0;
1025 
1026 	/*
1027 	 * Specifying internal flags without providing a place to
1028 	 * place the results is not allowed.
1029 	 */
1030 	if (kern_flags && !set_kern_flags)
1031 		return -EINVAL;
1032 
1033 	/* how can we clone if the old one wasn't set up?? */
1034 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1035 
1036 	/* if fs is reusing a sb, make sure that the contexts match */
1037 	if (newsbsec->flags & SE_SBINITIALIZED)
1038 		return selinux_cmp_sb_context(oldsb, newsb);
1039 
1040 	mutex_lock(&newsbsec->lock);
1041 
1042 	newsbsec->flags = oldsbsec->flags;
1043 
1044 	newsbsec->sid = oldsbsec->sid;
1045 	newsbsec->def_sid = oldsbsec->def_sid;
1046 	newsbsec->behavior = oldsbsec->behavior;
1047 
1048 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 		rc = security_fs_use(&selinux_state, newsb);
1051 		if (rc)
1052 			goto out;
1053 	}
1054 
1055 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 	}
1059 
1060 	if (set_context) {
1061 		u32 sid = oldsbsec->mntpoint_sid;
1062 
1063 		if (!set_fscontext)
1064 			newsbsec->sid = sid;
1065 		if (!set_rootcontext) {
1066 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1067 			newisec->sid = sid;
1068 		}
1069 		newsbsec->mntpoint_sid = sid;
1070 	}
1071 	if (set_rootcontext) {
1072 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1074 
1075 		newisec->sid = oldisec->sid;
1076 	}
1077 
1078 	sb_finish_set_opts(newsb);
1079 out:
1080 	mutex_unlock(&newsbsec->lock);
1081 	return rc;
1082 }
1083 
1084 static int selinux_parse_opts_str(char *options,
1085 				  struct security_mnt_opts *opts)
1086 {
1087 	char *p;
1088 	char *context = NULL, *defcontext = NULL;
1089 	char *fscontext = NULL, *rootcontext = NULL;
1090 	int rc, num_mnt_opts = 0;
1091 
1092 	opts->num_mnt_opts = 0;
1093 
1094 	/* Standard string-based options. */
1095 	while ((p = strsep(&options, "|")) != NULL) {
1096 		int token;
1097 		substring_t args[MAX_OPT_ARGS];
1098 
1099 		if (!*p)
1100 			continue;
1101 
1102 		token = match_token(p, tokens, args);
1103 
1104 		switch (token) {
1105 		case Opt_context:
1106 			if (context || defcontext) {
1107 				rc = -EINVAL;
1108 				pr_warn(SEL_MOUNT_FAIL_MSG);
1109 				goto out_err;
1110 			}
1111 			context = match_strdup(&args[0]);
1112 			if (!context) {
1113 				rc = -ENOMEM;
1114 				goto out_err;
1115 			}
1116 			break;
1117 
1118 		case Opt_fscontext:
1119 			if (fscontext) {
1120 				rc = -EINVAL;
1121 				pr_warn(SEL_MOUNT_FAIL_MSG);
1122 				goto out_err;
1123 			}
1124 			fscontext = match_strdup(&args[0]);
1125 			if (!fscontext) {
1126 				rc = -ENOMEM;
1127 				goto out_err;
1128 			}
1129 			break;
1130 
1131 		case Opt_rootcontext:
1132 			if (rootcontext) {
1133 				rc = -EINVAL;
1134 				pr_warn(SEL_MOUNT_FAIL_MSG);
1135 				goto out_err;
1136 			}
1137 			rootcontext = match_strdup(&args[0]);
1138 			if (!rootcontext) {
1139 				rc = -ENOMEM;
1140 				goto out_err;
1141 			}
1142 			break;
1143 
1144 		case Opt_defcontext:
1145 			if (context || defcontext) {
1146 				rc = -EINVAL;
1147 				pr_warn(SEL_MOUNT_FAIL_MSG);
1148 				goto out_err;
1149 			}
1150 			defcontext = match_strdup(&args[0]);
1151 			if (!defcontext) {
1152 				rc = -ENOMEM;
1153 				goto out_err;
1154 			}
1155 			break;
1156 		case Opt_labelsupport:
1157 			break;
1158 		default:
1159 			rc = -EINVAL;
1160 			pr_warn("SELinux:  unknown mount option\n");
1161 			goto out_err;
1162 
1163 		}
1164 	}
1165 
1166 	rc = -ENOMEM;
1167 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 	if (!opts->mnt_opts)
1169 		goto out_err;
1170 
1171 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 				       GFP_KERNEL);
1173 	if (!opts->mnt_opts_flags)
1174 		goto out_err;
1175 
1176 	if (fscontext) {
1177 		opts->mnt_opts[num_mnt_opts] = fscontext;
1178 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1179 	}
1180 	if (context) {
1181 		opts->mnt_opts[num_mnt_opts] = context;
1182 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1183 	}
1184 	if (rootcontext) {
1185 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1187 	}
1188 	if (defcontext) {
1189 		opts->mnt_opts[num_mnt_opts] = defcontext;
1190 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1191 	}
1192 
1193 	opts->num_mnt_opts = num_mnt_opts;
1194 	return 0;
1195 
1196 out_err:
1197 	security_free_mnt_opts(opts);
1198 	kfree(context);
1199 	kfree(defcontext);
1200 	kfree(fscontext);
1201 	kfree(rootcontext);
1202 	return rc;
1203 }
1204 /*
1205  * string mount options parsing and call set the sbsec
1206  */
1207 static int superblock_doinit(struct super_block *sb, void *data)
1208 {
1209 	int rc = 0;
1210 	char *options = data;
1211 	struct security_mnt_opts opts;
1212 
1213 	security_init_mnt_opts(&opts);
1214 
1215 	if (!data)
1216 		goto out;
1217 
1218 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219 
1220 	rc = selinux_parse_opts_str(options, &opts);
1221 	if (rc)
1222 		goto out_err;
1223 
1224 out:
1225 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1226 
1227 out_err:
1228 	security_free_mnt_opts(&opts);
1229 	return rc;
1230 }
1231 
1232 static void selinux_write_opts(struct seq_file *m,
1233 			       struct security_mnt_opts *opts)
1234 {
1235 	int i;
1236 	char *prefix;
1237 
1238 	for (i = 0; i < opts->num_mnt_opts; i++) {
1239 		char *has_comma;
1240 
1241 		if (opts->mnt_opts[i])
1242 			has_comma = strchr(opts->mnt_opts[i], ',');
1243 		else
1244 			has_comma = NULL;
1245 
1246 		switch (opts->mnt_opts_flags[i]) {
1247 		case CONTEXT_MNT:
1248 			prefix = CONTEXT_STR;
1249 			break;
1250 		case FSCONTEXT_MNT:
1251 			prefix = FSCONTEXT_STR;
1252 			break;
1253 		case ROOTCONTEXT_MNT:
1254 			prefix = ROOTCONTEXT_STR;
1255 			break;
1256 		case DEFCONTEXT_MNT:
1257 			prefix = DEFCONTEXT_STR;
1258 			break;
1259 		case SBLABEL_MNT:
1260 			seq_putc(m, ',');
1261 			seq_puts(m, LABELSUPP_STR);
1262 			continue;
1263 		default:
1264 			BUG();
1265 			return;
1266 		};
1267 		/* we need a comma before each option */
1268 		seq_putc(m, ',');
1269 		seq_puts(m, prefix);
1270 		if (has_comma)
1271 			seq_putc(m, '\"');
1272 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1273 		if (has_comma)
1274 			seq_putc(m, '\"');
1275 	}
1276 }
1277 
1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279 {
1280 	struct security_mnt_opts opts;
1281 	int rc;
1282 
1283 	rc = selinux_get_mnt_opts(sb, &opts);
1284 	if (rc) {
1285 		/* before policy load we may get EINVAL, don't show anything */
1286 		if (rc == -EINVAL)
1287 			rc = 0;
1288 		return rc;
1289 	}
1290 
1291 	selinux_write_opts(m, &opts);
1292 
1293 	security_free_mnt_opts(&opts);
1294 
1295 	return rc;
1296 }
1297 
1298 static inline u16 inode_mode_to_security_class(umode_t mode)
1299 {
1300 	switch (mode & S_IFMT) {
1301 	case S_IFSOCK:
1302 		return SECCLASS_SOCK_FILE;
1303 	case S_IFLNK:
1304 		return SECCLASS_LNK_FILE;
1305 	case S_IFREG:
1306 		return SECCLASS_FILE;
1307 	case S_IFBLK:
1308 		return SECCLASS_BLK_FILE;
1309 	case S_IFDIR:
1310 		return SECCLASS_DIR;
1311 	case S_IFCHR:
1312 		return SECCLASS_CHR_FILE;
1313 	case S_IFIFO:
1314 		return SECCLASS_FIFO_FILE;
1315 
1316 	}
1317 
1318 	return SECCLASS_FILE;
1319 }
1320 
1321 static inline int default_protocol_stream(int protocol)
1322 {
1323 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324 }
1325 
1326 static inline int default_protocol_dgram(int protocol)
1327 {
1328 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329 }
1330 
1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332 {
1333 	int extsockclass = selinux_policycap_extsockclass();
1334 
1335 	switch (family) {
1336 	case PF_UNIX:
1337 		switch (type) {
1338 		case SOCK_STREAM:
1339 		case SOCK_SEQPACKET:
1340 			return SECCLASS_UNIX_STREAM_SOCKET;
1341 		case SOCK_DGRAM:
1342 		case SOCK_RAW:
1343 			return SECCLASS_UNIX_DGRAM_SOCKET;
1344 		}
1345 		break;
1346 	case PF_INET:
1347 	case PF_INET6:
1348 		switch (type) {
1349 		case SOCK_STREAM:
1350 		case SOCK_SEQPACKET:
1351 			if (default_protocol_stream(protocol))
1352 				return SECCLASS_TCP_SOCKET;
1353 			else if (extsockclass && protocol == IPPROTO_SCTP)
1354 				return SECCLASS_SCTP_SOCKET;
1355 			else
1356 				return SECCLASS_RAWIP_SOCKET;
1357 		case SOCK_DGRAM:
1358 			if (default_protocol_dgram(protocol))
1359 				return SECCLASS_UDP_SOCKET;
1360 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 						  protocol == IPPROTO_ICMPV6))
1362 				return SECCLASS_ICMP_SOCKET;
1363 			else
1364 				return SECCLASS_RAWIP_SOCKET;
1365 		case SOCK_DCCP:
1366 			return SECCLASS_DCCP_SOCKET;
1367 		default:
1368 			return SECCLASS_RAWIP_SOCKET;
1369 		}
1370 		break;
1371 	case PF_NETLINK:
1372 		switch (protocol) {
1373 		case NETLINK_ROUTE:
1374 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 		case NETLINK_SOCK_DIAG:
1376 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 		case NETLINK_NFLOG:
1378 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 		case NETLINK_XFRM:
1380 			return SECCLASS_NETLINK_XFRM_SOCKET;
1381 		case NETLINK_SELINUX:
1382 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1383 		case NETLINK_ISCSI:
1384 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1385 		case NETLINK_AUDIT:
1386 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 		case NETLINK_FIB_LOOKUP:
1388 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 		case NETLINK_CONNECTOR:
1390 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 		case NETLINK_NETFILTER:
1392 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 		case NETLINK_DNRTMSG:
1394 			return SECCLASS_NETLINK_DNRT_SOCKET;
1395 		case NETLINK_KOBJECT_UEVENT:
1396 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 		case NETLINK_GENERIC:
1398 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 		case NETLINK_SCSITRANSPORT:
1400 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 		case NETLINK_RDMA:
1402 			return SECCLASS_NETLINK_RDMA_SOCKET;
1403 		case NETLINK_CRYPTO:
1404 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1405 		default:
1406 			return SECCLASS_NETLINK_SOCKET;
1407 		}
1408 	case PF_PACKET:
1409 		return SECCLASS_PACKET_SOCKET;
1410 	case PF_KEY:
1411 		return SECCLASS_KEY_SOCKET;
1412 	case PF_APPLETALK:
1413 		return SECCLASS_APPLETALK_SOCKET;
1414 	}
1415 
1416 	if (extsockclass) {
1417 		switch (family) {
1418 		case PF_AX25:
1419 			return SECCLASS_AX25_SOCKET;
1420 		case PF_IPX:
1421 			return SECCLASS_IPX_SOCKET;
1422 		case PF_NETROM:
1423 			return SECCLASS_NETROM_SOCKET;
1424 		case PF_ATMPVC:
1425 			return SECCLASS_ATMPVC_SOCKET;
1426 		case PF_X25:
1427 			return SECCLASS_X25_SOCKET;
1428 		case PF_ROSE:
1429 			return SECCLASS_ROSE_SOCKET;
1430 		case PF_DECnet:
1431 			return SECCLASS_DECNET_SOCKET;
1432 		case PF_ATMSVC:
1433 			return SECCLASS_ATMSVC_SOCKET;
1434 		case PF_RDS:
1435 			return SECCLASS_RDS_SOCKET;
1436 		case PF_IRDA:
1437 			return SECCLASS_IRDA_SOCKET;
1438 		case PF_PPPOX:
1439 			return SECCLASS_PPPOX_SOCKET;
1440 		case PF_LLC:
1441 			return SECCLASS_LLC_SOCKET;
1442 		case PF_CAN:
1443 			return SECCLASS_CAN_SOCKET;
1444 		case PF_TIPC:
1445 			return SECCLASS_TIPC_SOCKET;
1446 		case PF_BLUETOOTH:
1447 			return SECCLASS_BLUETOOTH_SOCKET;
1448 		case PF_IUCV:
1449 			return SECCLASS_IUCV_SOCKET;
1450 		case PF_RXRPC:
1451 			return SECCLASS_RXRPC_SOCKET;
1452 		case PF_ISDN:
1453 			return SECCLASS_ISDN_SOCKET;
1454 		case PF_PHONET:
1455 			return SECCLASS_PHONET_SOCKET;
1456 		case PF_IEEE802154:
1457 			return SECCLASS_IEEE802154_SOCKET;
1458 		case PF_CAIF:
1459 			return SECCLASS_CAIF_SOCKET;
1460 		case PF_ALG:
1461 			return SECCLASS_ALG_SOCKET;
1462 		case PF_NFC:
1463 			return SECCLASS_NFC_SOCKET;
1464 		case PF_VSOCK:
1465 			return SECCLASS_VSOCK_SOCKET;
1466 		case PF_KCM:
1467 			return SECCLASS_KCM_SOCKET;
1468 		case PF_QIPCRTR:
1469 			return SECCLASS_QIPCRTR_SOCKET;
1470 		case PF_SMC:
1471 			return SECCLASS_SMC_SOCKET;
1472 		case PF_XDP:
1473 			return SECCLASS_XDP_SOCKET;
1474 #if PF_MAX > 45
1475 #error New address family defined, please update this function.
1476 #endif
1477 		}
1478 	}
1479 
1480 	return SECCLASS_SOCKET;
1481 }
1482 
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484 				 u16 tclass,
1485 				 u16 flags,
1486 				 u32 *sid)
1487 {
1488 	int rc;
1489 	struct super_block *sb = dentry->d_sb;
1490 	char *buffer, *path;
1491 
1492 	buffer = (char *)__get_free_page(GFP_KERNEL);
1493 	if (!buffer)
1494 		return -ENOMEM;
1495 
1496 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 	if (IS_ERR(path))
1498 		rc = PTR_ERR(path);
1499 	else {
1500 		if (flags & SE_SBPROC) {
1501 			/* each process gets a /proc/PID/ entry. Strip off the
1502 			 * PID part to get a valid selinux labeling.
1503 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 			while (path[1] >= '0' && path[1] <= '9') {
1505 				path[1] = '/';
1506 				path++;
1507 			}
1508 		}
1509 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 					path, tclass, sid);
1511 		if (rc == -ENOENT) {
1512 			/* No match in policy, mark as unlabeled. */
1513 			*sid = SECINITSID_UNLABELED;
1514 			rc = 0;
1515 		}
1516 	}
1517 	free_page((unsigned long)buffer);
1518 	return rc;
1519 }
1520 
1521 /* The inode's security attributes must be initialized before first use. */
1522 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1523 {
1524 	struct superblock_security_struct *sbsec = NULL;
1525 	struct inode_security_struct *isec = inode->i_security;
1526 	u32 task_sid, sid = 0;
1527 	u16 sclass;
1528 	struct dentry *dentry;
1529 #define INITCONTEXTLEN 255
1530 	char *context = NULL;
1531 	unsigned len = 0;
1532 	int rc = 0;
1533 
1534 	if (isec->initialized == LABEL_INITIALIZED)
1535 		return 0;
1536 
1537 	spin_lock(&isec->lock);
1538 	if (isec->initialized == LABEL_INITIALIZED)
1539 		goto out_unlock;
1540 
1541 	if (isec->sclass == SECCLASS_FILE)
1542 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1543 
1544 	sbsec = inode->i_sb->s_security;
1545 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1546 		/* Defer initialization until selinux_complete_init,
1547 		   after the initial policy is loaded and the security
1548 		   server is ready to handle calls. */
1549 		spin_lock(&sbsec->isec_lock);
1550 		if (list_empty(&isec->list))
1551 			list_add(&isec->list, &sbsec->isec_head);
1552 		spin_unlock(&sbsec->isec_lock);
1553 		goto out_unlock;
1554 	}
1555 
1556 	sclass = isec->sclass;
1557 	task_sid = isec->task_sid;
1558 	sid = isec->sid;
1559 	isec->initialized = LABEL_PENDING;
1560 	spin_unlock(&isec->lock);
1561 
1562 	switch (sbsec->behavior) {
1563 	case SECURITY_FS_USE_NATIVE:
1564 		break;
1565 	case SECURITY_FS_USE_XATTR:
1566 		if (!(inode->i_opflags & IOP_XATTR)) {
1567 			sid = sbsec->def_sid;
1568 			break;
1569 		}
1570 		/* Need a dentry, since the xattr API requires one.
1571 		   Life would be simpler if we could just pass the inode. */
1572 		if (opt_dentry) {
1573 			/* Called from d_instantiate or d_splice_alias. */
1574 			dentry = dget(opt_dentry);
1575 		} else {
1576 			/*
1577 			 * Called from selinux_complete_init, try to find a dentry.
1578 			 * Some filesystems really want a connected one, so try
1579 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1580 			 * two, depending upon that...
1581 			 */
1582 			dentry = d_find_alias(inode);
1583 			if (!dentry)
1584 				dentry = d_find_any_alias(inode);
1585 		}
1586 		if (!dentry) {
1587 			/*
1588 			 * this is can be hit on boot when a file is accessed
1589 			 * before the policy is loaded.  When we load policy we
1590 			 * may find inodes that have no dentry on the
1591 			 * sbsec->isec_head list.  No reason to complain as these
1592 			 * will get fixed up the next time we go through
1593 			 * inode_doinit with a dentry, before these inodes could
1594 			 * be used again by userspace.
1595 			 */
1596 			goto out;
1597 		}
1598 
1599 		len = INITCONTEXTLEN;
1600 		context = kmalloc(len+1, GFP_NOFS);
1601 		if (!context) {
1602 			rc = -ENOMEM;
1603 			dput(dentry);
1604 			goto out;
1605 		}
1606 		context[len] = '\0';
1607 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1608 		if (rc == -ERANGE) {
1609 			kfree(context);
1610 
1611 			/* Need a larger buffer.  Query for the right size. */
1612 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1613 			if (rc < 0) {
1614 				dput(dentry);
1615 				goto out;
1616 			}
1617 			len = rc;
1618 			context = kmalloc(len+1, GFP_NOFS);
1619 			if (!context) {
1620 				rc = -ENOMEM;
1621 				dput(dentry);
1622 				goto out;
1623 			}
1624 			context[len] = '\0';
1625 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1626 		}
1627 		dput(dentry);
1628 		if (rc < 0) {
1629 			if (rc != -ENODATA) {
1630 				pr_warn("SELinux: %s:  getxattr returned "
1631 				       "%d for dev=%s ino=%ld\n", __func__,
1632 				       -rc, inode->i_sb->s_id, inode->i_ino);
1633 				kfree(context);
1634 				goto out;
1635 			}
1636 			/* Map ENODATA to the default file SID */
1637 			sid = sbsec->def_sid;
1638 			rc = 0;
1639 		} else {
1640 			rc = security_context_to_sid_default(&selinux_state,
1641 							     context, rc, &sid,
1642 							     sbsec->def_sid,
1643 							     GFP_NOFS);
1644 			if (rc) {
1645 				char *dev = inode->i_sb->s_id;
1646 				unsigned long ino = inode->i_ino;
1647 
1648 				if (rc == -EINVAL) {
1649 					if (printk_ratelimit())
1650 						pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1651 							"context=%s.  This indicates you may need to relabel the inode or the "
1652 							"filesystem in question.\n", ino, dev, context);
1653 				} else {
1654 					pr_warn("SELinux: %s:  context_to_sid(%s) "
1655 					       "returned %d for dev=%s ino=%ld\n",
1656 					       __func__, context, -rc, dev, ino);
1657 				}
1658 				kfree(context);
1659 				/* Leave with the unlabeled SID */
1660 				rc = 0;
1661 				break;
1662 			}
1663 		}
1664 		kfree(context);
1665 		break;
1666 	case SECURITY_FS_USE_TASK:
1667 		sid = task_sid;
1668 		break;
1669 	case SECURITY_FS_USE_TRANS:
1670 		/* Default to the fs SID. */
1671 		sid = sbsec->sid;
1672 
1673 		/* Try to obtain a transition SID. */
1674 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1675 					     sclass, NULL, &sid);
1676 		if (rc)
1677 			goto out;
1678 		break;
1679 	case SECURITY_FS_USE_MNTPOINT:
1680 		sid = sbsec->mntpoint_sid;
1681 		break;
1682 	default:
1683 		/* Default to the fs superblock SID. */
1684 		sid = sbsec->sid;
1685 
1686 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1687 			/* We must have a dentry to determine the label on
1688 			 * procfs inodes */
1689 			if (opt_dentry) {
1690 				/* Called from d_instantiate or
1691 				 * d_splice_alias. */
1692 				dentry = dget(opt_dentry);
1693 			} else {
1694 				/* Called from selinux_complete_init, try to
1695 				 * find a dentry.  Some filesystems really want
1696 				 * a connected one, so try that first.
1697 				 */
1698 				dentry = d_find_alias(inode);
1699 				if (!dentry)
1700 					dentry = d_find_any_alias(inode);
1701 			}
1702 			/*
1703 			 * This can be hit on boot when a file is accessed
1704 			 * before the policy is loaded.  When we load policy we
1705 			 * may find inodes that have no dentry on the
1706 			 * sbsec->isec_head list.  No reason to complain as
1707 			 * these will get fixed up the next time we go through
1708 			 * inode_doinit() with a dentry, before these inodes
1709 			 * could be used again by userspace.
1710 			 */
1711 			if (!dentry)
1712 				goto out;
1713 			rc = selinux_genfs_get_sid(dentry, sclass,
1714 						   sbsec->flags, &sid);
1715 			dput(dentry);
1716 			if (rc)
1717 				goto out;
1718 		}
1719 		break;
1720 	}
1721 
1722 out:
1723 	spin_lock(&isec->lock);
1724 	if (isec->initialized == LABEL_PENDING) {
1725 		if (!sid || rc) {
1726 			isec->initialized = LABEL_INVALID;
1727 			goto out_unlock;
1728 		}
1729 
1730 		isec->initialized = LABEL_INITIALIZED;
1731 		isec->sid = sid;
1732 	}
1733 
1734 out_unlock:
1735 	spin_unlock(&isec->lock);
1736 	return rc;
1737 }
1738 
1739 /* Convert a Linux signal to an access vector. */
1740 static inline u32 signal_to_av(int sig)
1741 {
1742 	u32 perm = 0;
1743 
1744 	switch (sig) {
1745 	case SIGCHLD:
1746 		/* Commonly granted from child to parent. */
1747 		perm = PROCESS__SIGCHLD;
1748 		break;
1749 	case SIGKILL:
1750 		/* Cannot be caught or ignored */
1751 		perm = PROCESS__SIGKILL;
1752 		break;
1753 	case SIGSTOP:
1754 		/* Cannot be caught or ignored */
1755 		perm = PROCESS__SIGSTOP;
1756 		break;
1757 	default:
1758 		/* All other signals. */
1759 		perm = PROCESS__SIGNAL;
1760 		break;
1761 	}
1762 
1763 	return perm;
1764 }
1765 
1766 #if CAP_LAST_CAP > 63
1767 #error Fix SELinux to handle capabilities > 63.
1768 #endif
1769 
1770 /* Check whether a task is allowed to use a capability. */
1771 static int cred_has_capability(const struct cred *cred,
1772 			       int cap, int audit, bool initns)
1773 {
1774 	struct common_audit_data ad;
1775 	struct av_decision avd;
1776 	u16 sclass;
1777 	u32 sid = cred_sid(cred);
1778 	u32 av = CAP_TO_MASK(cap);
1779 	int rc;
1780 
1781 	ad.type = LSM_AUDIT_DATA_CAP;
1782 	ad.u.cap = cap;
1783 
1784 	switch (CAP_TO_INDEX(cap)) {
1785 	case 0:
1786 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1787 		break;
1788 	case 1:
1789 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1790 		break;
1791 	default:
1792 		pr_err("SELinux:  out of range capability %d\n", cap);
1793 		BUG();
1794 		return -EINVAL;
1795 	}
1796 
1797 	rc = avc_has_perm_noaudit(&selinux_state,
1798 				  sid, sid, sclass, av, 0, &avd);
1799 	if (audit == SECURITY_CAP_AUDIT) {
1800 		int rc2 = avc_audit(&selinux_state,
1801 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1802 		if (rc2)
1803 			return rc2;
1804 	}
1805 	return rc;
1806 }
1807 
1808 /* Check whether a task has a particular permission to an inode.
1809    The 'adp' parameter is optional and allows other audit
1810    data to be passed (e.g. the dentry). */
1811 static int inode_has_perm(const struct cred *cred,
1812 			  struct inode *inode,
1813 			  u32 perms,
1814 			  struct common_audit_data *adp)
1815 {
1816 	struct inode_security_struct *isec;
1817 	u32 sid;
1818 
1819 	validate_creds(cred);
1820 
1821 	if (unlikely(IS_PRIVATE(inode)))
1822 		return 0;
1823 
1824 	sid = cred_sid(cred);
1825 	isec = inode->i_security;
1826 
1827 	return avc_has_perm(&selinux_state,
1828 			    sid, isec->sid, isec->sclass, perms, adp);
1829 }
1830 
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832    the dentry to help the auditing code to more easily generate the
1833    pathname if needed. */
1834 static inline int dentry_has_perm(const struct cred *cred,
1835 				  struct dentry *dentry,
1836 				  u32 av)
1837 {
1838 	struct inode *inode = d_backing_inode(dentry);
1839 	struct common_audit_data ad;
1840 
1841 	ad.type = LSM_AUDIT_DATA_DENTRY;
1842 	ad.u.dentry = dentry;
1843 	__inode_security_revalidate(inode, dentry, true);
1844 	return inode_has_perm(cred, inode, av, &ad);
1845 }
1846 
1847 /* Same as inode_has_perm, but pass explicit audit data containing
1848    the path to help the auditing code to more easily generate the
1849    pathname if needed. */
1850 static inline int path_has_perm(const struct cred *cred,
1851 				const struct path *path,
1852 				u32 av)
1853 {
1854 	struct inode *inode = d_backing_inode(path->dentry);
1855 	struct common_audit_data ad;
1856 
1857 	ad.type = LSM_AUDIT_DATA_PATH;
1858 	ad.u.path = *path;
1859 	__inode_security_revalidate(inode, path->dentry, true);
1860 	return inode_has_perm(cred, inode, av, &ad);
1861 }
1862 
1863 /* Same as path_has_perm, but uses the inode from the file struct. */
1864 static inline int file_path_has_perm(const struct cred *cred,
1865 				     struct file *file,
1866 				     u32 av)
1867 {
1868 	struct common_audit_data ad;
1869 
1870 	ad.type = LSM_AUDIT_DATA_FILE;
1871 	ad.u.file = file;
1872 	return inode_has_perm(cred, file_inode(file), av, &ad);
1873 }
1874 
1875 #ifdef CONFIG_BPF_SYSCALL
1876 static int bpf_fd_pass(struct file *file, u32 sid);
1877 #endif
1878 
1879 /* Check whether a task can use an open file descriptor to
1880    access an inode in a given way.  Check access to the
1881    descriptor itself, and then use dentry_has_perm to
1882    check a particular permission to the file.
1883    Access to the descriptor is implicitly granted if it
1884    has the same SID as the process.  If av is zero, then
1885    access to the file is not checked, e.g. for cases
1886    where only the descriptor is affected like seek. */
1887 static int file_has_perm(const struct cred *cred,
1888 			 struct file *file,
1889 			 u32 av)
1890 {
1891 	struct file_security_struct *fsec = file->f_security;
1892 	struct inode *inode = file_inode(file);
1893 	struct common_audit_data ad;
1894 	u32 sid = cred_sid(cred);
1895 	int rc;
1896 
1897 	ad.type = LSM_AUDIT_DATA_FILE;
1898 	ad.u.file = file;
1899 
1900 	if (sid != fsec->sid) {
1901 		rc = avc_has_perm(&selinux_state,
1902 				  sid, fsec->sid,
1903 				  SECCLASS_FD,
1904 				  FD__USE,
1905 				  &ad);
1906 		if (rc)
1907 			goto out;
1908 	}
1909 
1910 #ifdef CONFIG_BPF_SYSCALL
1911 	rc = bpf_fd_pass(file, cred_sid(cred));
1912 	if (rc)
1913 		return rc;
1914 #endif
1915 
1916 	/* av is zero if only checking access to the descriptor. */
1917 	rc = 0;
1918 	if (av)
1919 		rc = inode_has_perm(cred, inode, av, &ad);
1920 
1921 out:
1922 	return rc;
1923 }
1924 
1925 /*
1926  * Determine the label for an inode that might be unioned.
1927  */
1928 static int
1929 selinux_determine_inode_label(const struct task_security_struct *tsec,
1930 				 struct inode *dir,
1931 				 const struct qstr *name, u16 tclass,
1932 				 u32 *_new_isid)
1933 {
1934 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1935 
1936 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1937 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1938 		*_new_isid = sbsec->mntpoint_sid;
1939 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1940 		   tsec->create_sid) {
1941 		*_new_isid = tsec->create_sid;
1942 	} else {
1943 		const struct inode_security_struct *dsec = inode_security(dir);
1944 		return security_transition_sid(&selinux_state, tsec->sid,
1945 					       dsec->sid, tclass,
1946 					       name, _new_isid);
1947 	}
1948 
1949 	return 0;
1950 }
1951 
1952 /* Check whether a task can create a file. */
1953 static int may_create(struct inode *dir,
1954 		      struct dentry *dentry,
1955 		      u16 tclass)
1956 {
1957 	const struct task_security_struct *tsec = current_security();
1958 	struct inode_security_struct *dsec;
1959 	struct superblock_security_struct *sbsec;
1960 	u32 sid, newsid;
1961 	struct common_audit_data ad;
1962 	int rc;
1963 
1964 	dsec = inode_security(dir);
1965 	sbsec = dir->i_sb->s_security;
1966 
1967 	sid = tsec->sid;
1968 
1969 	ad.type = LSM_AUDIT_DATA_DENTRY;
1970 	ad.u.dentry = dentry;
1971 
1972 	rc = avc_has_perm(&selinux_state,
1973 			  sid, dsec->sid, SECCLASS_DIR,
1974 			  DIR__ADD_NAME | DIR__SEARCH,
1975 			  &ad);
1976 	if (rc)
1977 		return rc;
1978 
1979 	rc = selinux_determine_inode_label(current_security(), dir,
1980 					   &dentry->d_name, tclass, &newsid);
1981 	if (rc)
1982 		return rc;
1983 
1984 	rc = avc_has_perm(&selinux_state,
1985 			  sid, newsid, tclass, FILE__CREATE, &ad);
1986 	if (rc)
1987 		return rc;
1988 
1989 	return avc_has_perm(&selinux_state,
1990 			    newsid, sbsec->sid,
1991 			    SECCLASS_FILESYSTEM,
1992 			    FILESYSTEM__ASSOCIATE, &ad);
1993 }
1994 
1995 #define MAY_LINK	0
1996 #define MAY_UNLINK	1
1997 #define MAY_RMDIR	2
1998 
1999 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2000 static int may_link(struct inode *dir,
2001 		    struct dentry *dentry,
2002 		    int kind)
2003 
2004 {
2005 	struct inode_security_struct *dsec, *isec;
2006 	struct common_audit_data ad;
2007 	u32 sid = current_sid();
2008 	u32 av;
2009 	int rc;
2010 
2011 	dsec = inode_security(dir);
2012 	isec = backing_inode_security(dentry);
2013 
2014 	ad.type = LSM_AUDIT_DATA_DENTRY;
2015 	ad.u.dentry = dentry;
2016 
2017 	av = DIR__SEARCH;
2018 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2019 	rc = avc_has_perm(&selinux_state,
2020 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
2021 	if (rc)
2022 		return rc;
2023 
2024 	switch (kind) {
2025 	case MAY_LINK:
2026 		av = FILE__LINK;
2027 		break;
2028 	case MAY_UNLINK:
2029 		av = FILE__UNLINK;
2030 		break;
2031 	case MAY_RMDIR:
2032 		av = DIR__RMDIR;
2033 		break;
2034 	default:
2035 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
2036 			__func__, kind);
2037 		return 0;
2038 	}
2039 
2040 	rc = avc_has_perm(&selinux_state,
2041 			  sid, isec->sid, isec->sclass, av, &ad);
2042 	return rc;
2043 }
2044 
2045 static inline int may_rename(struct inode *old_dir,
2046 			     struct dentry *old_dentry,
2047 			     struct inode *new_dir,
2048 			     struct dentry *new_dentry)
2049 {
2050 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2051 	struct common_audit_data ad;
2052 	u32 sid = current_sid();
2053 	u32 av;
2054 	int old_is_dir, new_is_dir;
2055 	int rc;
2056 
2057 	old_dsec = inode_security(old_dir);
2058 	old_isec = backing_inode_security(old_dentry);
2059 	old_is_dir = d_is_dir(old_dentry);
2060 	new_dsec = inode_security(new_dir);
2061 
2062 	ad.type = LSM_AUDIT_DATA_DENTRY;
2063 
2064 	ad.u.dentry = old_dentry;
2065 	rc = avc_has_perm(&selinux_state,
2066 			  sid, old_dsec->sid, SECCLASS_DIR,
2067 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2068 	if (rc)
2069 		return rc;
2070 	rc = avc_has_perm(&selinux_state,
2071 			  sid, old_isec->sid,
2072 			  old_isec->sclass, FILE__RENAME, &ad);
2073 	if (rc)
2074 		return rc;
2075 	if (old_is_dir && new_dir != old_dir) {
2076 		rc = avc_has_perm(&selinux_state,
2077 				  sid, old_isec->sid,
2078 				  old_isec->sclass, DIR__REPARENT, &ad);
2079 		if (rc)
2080 			return rc;
2081 	}
2082 
2083 	ad.u.dentry = new_dentry;
2084 	av = DIR__ADD_NAME | DIR__SEARCH;
2085 	if (d_is_positive(new_dentry))
2086 		av |= DIR__REMOVE_NAME;
2087 	rc = avc_has_perm(&selinux_state,
2088 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2089 	if (rc)
2090 		return rc;
2091 	if (d_is_positive(new_dentry)) {
2092 		new_isec = backing_inode_security(new_dentry);
2093 		new_is_dir = d_is_dir(new_dentry);
2094 		rc = avc_has_perm(&selinux_state,
2095 				  sid, new_isec->sid,
2096 				  new_isec->sclass,
2097 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2098 		if (rc)
2099 			return rc;
2100 	}
2101 
2102 	return 0;
2103 }
2104 
2105 /* Check whether a task can perform a filesystem operation. */
2106 static int superblock_has_perm(const struct cred *cred,
2107 			       struct super_block *sb,
2108 			       u32 perms,
2109 			       struct common_audit_data *ad)
2110 {
2111 	struct superblock_security_struct *sbsec;
2112 	u32 sid = cred_sid(cred);
2113 
2114 	sbsec = sb->s_security;
2115 	return avc_has_perm(&selinux_state,
2116 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2117 }
2118 
2119 /* Convert a Linux mode and permission mask to an access vector. */
2120 static inline u32 file_mask_to_av(int mode, int mask)
2121 {
2122 	u32 av = 0;
2123 
2124 	if (!S_ISDIR(mode)) {
2125 		if (mask & MAY_EXEC)
2126 			av |= FILE__EXECUTE;
2127 		if (mask & MAY_READ)
2128 			av |= FILE__READ;
2129 
2130 		if (mask & MAY_APPEND)
2131 			av |= FILE__APPEND;
2132 		else if (mask & MAY_WRITE)
2133 			av |= FILE__WRITE;
2134 
2135 	} else {
2136 		if (mask & MAY_EXEC)
2137 			av |= DIR__SEARCH;
2138 		if (mask & MAY_WRITE)
2139 			av |= DIR__WRITE;
2140 		if (mask & MAY_READ)
2141 			av |= DIR__READ;
2142 	}
2143 
2144 	return av;
2145 }
2146 
2147 /* Convert a Linux file to an access vector. */
2148 static inline u32 file_to_av(struct file *file)
2149 {
2150 	u32 av = 0;
2151 
2152 	if (file->f_mode & FMODE_READ)
2153 		av |= FILE__READ;
2154 	if (file->f_mode & FMODE_WRITE) {
2155 		if (file->f_flags & O_APPEND)
2156 			av |= FILE__APPEND;
2157 		else
2158 			av |= FILE__WRITE;
2159 	}
2160 	if (!av) {
2161 		/*
2162 		 * Special file opened with flags 3 for ioctl-only use.
2163 		 */
2164 		av = FILE__IOCTL;
2165 	}
2166 
2167 	return av;
2168 }
2169 
2170 /*
2171  * Convert a file to an access vector and include the correct open
2172  * open permission.
2173  */
2174 static inline u32 open_file_to_av(struct file *file)
2175 {
2176 	u32 av = file_to_av(file);
2177 	struct inode *inode = file_inode(file);
2178 
2179 	if (selinux_policycap_openperm() &&
2180 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2181 		av |= FILE__OPEN;
2182 
2183 	return av;
2184 }
2185 
2186 /* Hook functions begin here. */
2187 
2188 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2189 {
2190 	u32 mysid = current_sid();
2191 	u32 mgrsid = task_sid(mgr);
2192 
2193 	return avc_has_perm(&selinux_state,
2194 			    mysid, mgrsid, SECCLASS_BINDER,
2195 			    BINDER__SET_CONTEXT_MGR, NULL);
2196 }
2197 
2198 static int selinux_binder_transaction(struct task_struct *from,
2199 				      struct task_struct *to)
2200 {
2201 	u32 mysid = current_sid();
2202 	u32 fromsid = task_sid(from);
2203 	u32 tosid = task_sid(to);
2204 	int rc;
2205 
2206 	if (mysid != fromsid) {
2207 		rc = avc_has_perm(&selinux_state,
2208 				  mysid, fromsid, SECCLASS_BINDER,
2209 				  BINDER__IMPERSONATE, NULL);
2210 		if (rc)
2211 			return rc;
2212 	}
2213 
2214 	return avc_has_perm(&selinux_state,
2215 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2216 			    NULL);
2217 }
2218 
2219 static int selinux_binder_transfer_binder(struct task_struct *from,
2220 					  struct task_struct *to)
2221 {
2222 	u32 fromsid = task_sid(from);
2223 	u32 tosid = task_sid(to);
2224 
2225 	return avc_has_perm(&selinux_state,
2226 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2227 			    NULL);
2228 }
2229 
2230 static int selinux_binder_transfer_file(struct task_struct *from,
2231 					struct task_struct *to,
2232 					struct file *file)
2233 {
2234 	u32 sid = task_sid(to);
2235 	struct file_security_struct *fsec = file->f_security;
2236 	struct dentry *dentry = file->f_path.dentry;
2237 	struct inode_security_struct *isec;
2238 	struct common_audit_data ad;
2239 	int rc;
2240 
2241 	ad.type = LSM_AUDIT_DATA_PATH;
2242 	ad.u.path = file->f_path;
2243 
2244 	if (sid != fsec->sid) {
2245 		rc = avc_has_perm(&selinux_state,
2246 				  sid, fsec->sid,
2247 				  SECCLASS_FD,
2248 				  FD__USE,
2249 				  &ad);
2250 		if (rc)
2251 			return rc;
2252 	}
2253 
2254 #ifdef CONFIG_BPF_SYSCALL
2255 	rc = bpf_fd_pass(file, sid);
2256 	if (rc)
2257 		return rc;
2258 #endif
2259 
2260 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2261 		return 0;
2262 
2263 	isec = backing_inode_security(dentry);
2264 	return avc_has_perm(&selinux_state,
2265 			    sid, isec->sid, isec->sclass, file_to_av(file),
2266 			    &ad);
2267 }
2268 
2269 static int selinux_ptrace_access_check(struct task_struct *child,
2270 				     unsigned int mode)
2271 {
2272 	u32 sid = current_sid();
2273 	u32 csid = task_sid(child);
2274 
2275 	if (mode & PTRACE_MODE_READ)
2276 		return avc_has_perm(&selinux_state,
2277 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2278 
2279 	return avc_has_perm(&selinux_state,
2280 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2281 }
2282 
2283 static int selinux_ptrace_traceme(struct task_struct *parent)
2284 {
2285 	return avc_has_perm(&selinux_state,
2286 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2287 			    PROCESS__PTRACE, NULL);
2288 }
2289 
2290 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2291 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2292 {
2293 	return avc_has_perm(&selinux_state,
2294 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2295 			    PROCESS__GETCAP, NULL);
2296 }
2297 
2298 static int selinux_capset(struct cred *new, const struct cred *old,
2299 			  const kernel_cap_t *effective,
2300 			  const kernel_cap_t *inheritable,
2301 			  const kernel_cap_t *permitted)
2302 {
2303 	return avc_has_perm(&selinux_state,
2304 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2305 			    PROCESS__SETCAP, NULL);
2306 }
2307 
2308 /*
2309  * (This comment used to live with the selinux_task_setuid hook,
2310  * which was removed).
2311  *
2312  * Since setuid only affects the current process, and since the SELinux
2313  * controls are not based on the Linux identity attributes, SELinux does not
2314  * need to control this operation.  However, SELinux does control the use of
2315  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2316  */
2317 
2318 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2319 			   int cap, int audit)
2320 {
2321 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2322 }
2323 
2324 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2325 {
2326 	const struct cred *cred = current_cred();
2327 	int rc = 0;
2328 
2329 	if (!sb)
2330 		return 0;
2331 
2332 	switch (cmds) {
2333 	case Q_SYNC:
2334 	case Q_QUOTAON:
2335 	case Q_QUOTAOFF:
2336 	case Q_SETINFO:
2337 	case Q_SETQUOTA:
2338 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2339 		break;
2340 	case Q_GETFMT:
2341 	case Q_GETINFO:
2342 	case Q_GETQUOTA:
2343 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2344 		break;
2345 	default:
2346 		rc = 0;  /* let the kernel handle invalid cmds */
2347 		break;
2348 	}
2349 	return rc;
2350 }
2351 
2352 static int selinux_quota_on(struct dentry *dentry)
2353 {
2354 	const struct cred *cred = current_cred();
2355 
2356 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2357 }
2358 
2359 static int selinux_syslog(int type)
2360 {
2361 	switch (type) {
2362 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2363 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2364 		return avc_has_perm(&selinux_state,
2365 				    current_sid(), SECINITSID_KERNEL,
2366 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2367 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2368 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2369 	/* Set level of messages printed to console */
2370 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2371 		return avc_has_perm(&selinux_state,
2372 				    current_sid(), SECINITSID_KERNEL,
2373 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2374 				    NULL);
2375 	}
2376 	/* All other syslog types */
2377 	return avc_has_perm(&selinux_state,
2378 			    current_sid(), SECINITSID_KERNEL,
2379 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2380 }
2381 
2382 /*
2383  * Check that a process has enough memory to allocate a new virtual
2384  * mapping. 0 means there is enough memory for the allocation to
2385  * succeed and -ENOMEM implies there is not.
2386  *
2387  * Do not audit the selinux permission check, as this is applied to all
2388  * processes that allocate mappings.
2389  */
2390 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2391 {
2392 	int rc, cap_sys_admin = 0;
2393 
2394 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2395 				 SECURITY_CAP_NOAUDIT, true);
2396 	if (rc == 0)
2397 		cap_sys_admin = 1;
2398 
2399 	return cap_sys_admin;
2400 }
2401 
2402 /* binprm security operations */
2403 
2404 static u32 ptrace_parent_sid(void)
2405 {
2406 	u32 sid = 0;
2407 	struct task_struct *tracer;
2408 
2409 	rcu_read_lock();
2410 	tracer = ptrace_parent(current);
2411 	if (tracer)
2412 		sid = task_sid(tracer);
2413 	rcu_read_unlock();
2414 
2415 	return sid;
2416 }
2417 
2418 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2419 			    const struct task_security_struct *old_tsec,
2420 			    const struct task_security_struct *new_tsec)
2421 {
2422 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2423 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2424 	int rc;
2425 	u32 av;
2426 
2427 	if (!nnp && !nosuid)
2428 		return 0; /* neither NNP nor nosuid */
2429 
2430 	if (new_tsec->sid == old_tsec->sid)
2431 		return 0; /* No change in credentials */
2432 
2433 	/*
2434 	 * If the policy enables the nnp_nosuid_transition policy capability,
2435 	 * then we permit transitions under NNP or nosuid if the
2436 	 * policy allows the corresponding permission between
2437 	 * the old and new contexts.
2438 	 */
2439 	if (selinux_policycap_nnp_nosuid_transition()) {
2440 		av = 0;
2441 		if (nnp)
2442 			av |= PROCESS2__NNP_TRANSITION;
2443 		if (nosuid)
2444 			av |= PROCESS2__NOSUID_TRANSITION;
2445 		rc = avc_has_perm(&selinux_state,
2446 				  old_tsec->sid, new_tsec->sid,
2447 				  SECCLASS_PROCESS2, av, NULL);
2448 		if (!rc)
2449 			return 0;
2450 	}
2451 
2452 	/*
2453 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2454 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2455 	 * of the permissions of the current SID.
2456 	 */
2457 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2458 					 new_tsec->sid);
2459 	if (!rc)
2460 		return 0;
2461 
2462 	/*
2463 	 * On failure, preserve the errno values for NNP vs nosuid.
2464 	 * NNP:  Operation not permitted for caller.
2465 	 * nosuid:  Permission denied to file.
2466 	 */
2467 	if (nnp)
2468 		return -EPERM;
2469 	return -EACCES;
2470 }
2471 
2472 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2473 {
2474 	const struct task_security_struct *old_tsec;
2475 	struct task_security_struct *new_tsec;
2476 	struct inode_security_struct *isec;
2477 	struct common_audit_data ad;
2478 	struct inode *inode = file_inode(bprm->file);
2479 	int rc;
2480 
2481 	/* SELinux context only depends on initial program or script and not
2482 	 * the script interpreter */
2483 	if (bprm->called_set_creds)
2484 		return 0;
2485 
2486 	old_tsec = current_security();
2487 	new_tsec = bprm->cred->security;
2488 	isec = inode_security(inode);
2489 
2490 	/* Default to the current task SID. */
2491 	new_tsec->sid = old_tsec->sid;
2492 	new_tsec->osid = old_tsec->sid;
2493 
2494 	/* Reset fs, key, and sock SIDs on execve. */
2495 	new_tsec->create_sid = 0;
2496 	new_tsec->keycreate_sid = 0;
2497 	new_tsec->sockcreate_sid = 0;
2498 
2499 	if (old_tsec->exec_sid) {
2500 		new_tsec->sid = old_tsec->exec_sid;
2501 		/* Reset exec SID on execve. */
2502 		new_tsec->exec_sid = 0;
2503 
2504 		/* Fail on NNP or nosuid if not an allowed transition. */
2505 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 		if (rc)
2507 			return rc;
2508 	} else {
2509 		/* Check for a default transition on this program. */
2510 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2511 					     isec->sid, SECCLASS_PROCESS, NULL,
2512 					     &new_tsec->sid);
2513 		if (rc)
2514 			return rc;
2515 
2516 		/*
2517 		 * Fallback to old SID on NNP or nosuid if not an allowed
2518 		 * transition.
2519 		 */
2520 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2521 		if (rc)
2522 			new_tsec->sid = old_tsec->sid;
2523 	}
2524 
2525 	ad.type = LSM_AUDIT_DATA_FILE;
2526 	ad.u.file = bprm->file;
2527 
2528 	if (new_tsec->sid == old_tsec->sid) {
2529 		rc = avc_has_perm(&selinux_state,
2530 				  old_tsec->sid, isec->sid,
2531 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 		if (rc)
2533 			return rc;
2534 	} else {
2535 		/* Check permissions for the transition. */
2536 		rc = avc_has_perm(&selinux_state,
2537 				  old_tsec->sid, new_tsec->sid,
2538 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 		if (rc)
2540 			return rc;
2541 
2542 		rc = avc_has_perm(&selinux_state,
2543 				  new_tsec->sid, isec->sid,
2544 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 		if (rc)
2546 			return rc;
2547 
2548 		/* Check for shared state */
2549 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2550 			rc = avc_has_perm(&selinux_state,
2551 					  old_tsec->sid, new_tsec->sid,
2552 					  SECCLASS_PROCESS, PROCESS__SHARE,
2553 					  NULL);
2554 			if (rc)
2555 				return -EPERM;
2556 		}
2557 
2558 		/* Make sure that anyone attempting to ptrace over a task that
2559 		 * changes its SID has the appropriate permit */
2560 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2561 			u32 ptsid = ptrace_parent_sid();
2562 			if (ptsid != 0) {
2563 				rc = avc_has_perm(&selinux_state,
2564 						  ptsid, new_tsec->sid,
2565 						  SECCLASS_PROCESS,
2566 						  PROCESS__PTRACE, NULL);
2567 				if (rc)
2568 					return -EPERM;
2569 			}
2570 		}
2571 
2572 		/* Clear any possibly unsafe personality bits on exec: */
2573 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2574 
2575 		/* Enable secure mode for SIDs transitions unless
2576 		   the noatsecure permission is granted between
2577 		   the two SIDs, i.e. ahp returns 0. */
2578 		rc = avc_has_perm(&selinux_state,
2579 				  old_tsec->sid, new_tsec->sid,
2580 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2581 				  NULL);
2582 		bprm->secureexec |= !!rc;
2583 	}
2584 
2585 	return 0;
2586 }
2587 
2588 static int match_file(const void *p, struct file *file, unsigned fd)
2589 {
2590 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2591 }
2592 
2593 /* Derived from fs/exec.c:flush_old_files. */
2594 static inline void flush_unauthorized_files(const struct cred *cred,
2595 					    struct files_struct *files)
2596 {
2597 	struct file *file, *devnull = NULL;
2598 	struct tty_struct *tty;
2599 	int drop_tty = 0;
2600 	unsigned n;
2601 
2602 	tty = get_current_tty();
2603 	if (tty) {
2604 		spin_lock(&tty->files_lock);
2605 		if (!list_empty(&tty->tty_files)) {
2606 			struct tty_file_private *file_priv;
2607 
2608 			/* Revalidate access to controlling tty.
2609 			   Use file_path_has_perm on the tty path directly
2610 			   rather than using file_has_perm, as this particular
2611 			   open file may belong to another process and we are
2612 			   only interested in the inode-based check here. */
2613 			file_priv = list_first_entry(&tty->tty_files,
2614 						struct tty_file_private, list);
2615 			file = file_priv->file;
2616 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2617 				drop_tty = 1;
2618 		}
2619 		spin_unlock(&tty->files_lock);
2620 		tty_kref_put(tty);
2621 	}
2622 	/* Reset controlling tty. */
2623 	if (drop_tty)
2624 		no_tty();
2625 
2626 	/* Revalidate access to inherited open files. */
2627 	n = iterate_fd(files, 0, match_file, cred);
2628 	if (!n) /* none found? */
2629 		return;
2630 
2631 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2632 	if (IS_ERR(devnull))
2633 		devnull = NULL;
2634 	/* replace all the matching ones with this */
2635 	do {
2636 		replace_fd(n - 1, devnull, 0);
2637 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2638 	if (devnull)
2639 		fput(devnull);
2640 }
2641 
2642 /*
2643  * Prepare a process for imminent new credential changes due to exec
2644  */
2645 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2646 {
2647 	struct task_security_struct *new_tsec;
2648 	struct rlimit *rlim, *initrlim;
2649 	int rc, i;
2650 
2651 	new_tsec = bprm->cred->security;
2652 	if (new_tsec->sid == new_tsec->osid)
2653 		return;
2654 
2655 	/* Close files for which the new task SID is not authorized. */
2656 	flush_unauthorized_files(bprm->cred, current->files);
2657 
2658 	/* Always clear parent death signal on SID transitions. */
2659 	current->pdeath_signal = 0;
2660 
2661 	/* Check whether the new SID can inherit resource limits from the old
2662 	 * SID.  If not, reset all soft limits to the lower of the current
2663 	 * task's hard limit and the init task's soft limit.
2664 	 *
2665 	 * Note that the setting of hard limits (even to lower them) can be
2666 	 * controlled by the setrlimit check.  The inclusion of the init task's
2667 	 * soft limit into the computation is to avoid resetting soft limits
2668 	 * higher than the default soft limit for cases where the default is
2669 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2670 	 */
2671 	rc = avc_has_perm(&selinux_state,
2672 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2673 			  PROCESS__RLIMITINH, NULL);
2674 	if (rc) {
2675 		/* protect against do_prlimit() */
2676 		task_lock(current);
2677 		for (i = 0; i < RLIM_NLIMITS; i++) {
2678 			rlim = current->signal->rlim + i;
2679 			initrlim = init_task.signal->rlim + i;
2680 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2681 		}
2682 		task_unlock(current);
2683 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2684 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2685 	}
2686 }
2687 
2688 /*
2689  * Clean up the process immediately after the installation of new credentials
2690  * due to exec
2691  */
2692 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2693 {
2694 	const struct task_security_struct *tsec = current_security();
2695 	struct itimerval itimer;
2696 	u32 osid, sid;
2697 	int rc, i;
2698 
2699 	osid = tsec->osid;
2700 	sid = tsec->sid;
2701 
2702 	if (sid == osid)
2703 		return;
2704 
2705 	/* Check whether the new SID can inherit signal state from the old SID.
2706 	 * If not, clear itimers to avoid subsequent signal generation and
2707 	 * flush and unblock signals.
2708 	 *
2709 	 * This must occur _after_ the task SID has been updated so that any
2710 	 * kill done after the flush will be checked against the new SID.
2711 	 */
2712 	rc = avc_has_perm(&selinux_state,
2713 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2714 	if (rc) {
2715 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2716 			memset(&itimer, 0, sizeof itimer);
2717 			for (i = 0; i < 3; i++)
2718 				do_setitimer(i, &itimer, NULL);
2719 		}
2720 		spin_lock_irq(&current->sighand->siglock);
2721 		if (!fatal_signal_pending(current)) {
2722 			flush_sigqueue(&current->pending);
2723 			flush_sigqueue(&current->signal->shared_pending);
2724 			flush_signal_handlers(current, 1);
2725 			sigemptyset(&current->blocked);
2726 			recalc_sigpending();
2727 		}
2728 		spin_unlock_irq(&current->sighand->siglock);
2729 	}
2730 
2731 	/* Wake up the parent if it is waiting so that it can recheck
2732 	 * wait permission to the new task SID. */
2733 	read_lock(&tasklist_lock);
2734 	__wake_up_parent(current, current->real_parent);
2735 	read_unlock(&tasklist_lock);
2736 }
2737 
2738 /* superblock security operations */
2739 
2740 static int selinux_sb_alloc_security(struct super_block *sb)
2741 {
2742 	return superblock_alloc_security(sb);
2743 }
2744 
2745 static void selinux_sb_free_security(struct super_block *sb)
2746 {
2747 	superblock_free_security(sb);
2748 }
2749 
2750 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2751 {
2752 	if (plen > olen)
2753 		return 0;
2754 
2755 	return !memcmp(prefix, option, plen);
2756 }
2757 
2758 static inline int selinux_option(char *option, int len)
2759 {
2760 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2761 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2762 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2763 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2764 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2765 }
2766 
2767 static inline void take_option(char **to, char *from, int *first, int len)
2768 {
2769 	if (!*first) {
2770 		**to = ',';
2771 		*to += 1;
2772 	} else
2773 		*first = 0;
2774 	memcpy(*to, from, len);
2775 	*to += len;
2776 }
2777 
2778 static inline void take_selinux_option(char **to, char *from, int *first,
2779 				       int len)
2780 {
2781 	int current_size = 0;
2782 
2783 	if (!*first) {
2784 		**to = '|';
2785 		*to += 1;
2786 	} else
2787 		*first = 0;
2788 
2789 	while (current_size < len) {
2790 		if (*from != '"') {
2791 			**to = *from;
2792 			*to += 1;
2793 		}
2794 		from += 1;
2795 		current_size += 1;
2796 	}
2797 }
2798 
2799 static int selinux_sb_copy_data(char *orig, char *copy)
2800 {
2801 	int fnosec, fsec, rc = 0;
2802 	char *in_save, *in_curr, *in_end;
2803 	char *sec_curr, *nosec_save, *nosec;
2804 	int open_quote = 0;
2805 
2806 	in_curr = orig;
2807 	sec_curr = copy;
2808 
2809 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2810 	if (!nosec) {
2811 		rc = -ENOMEM;
2812 		goto out;
2813 	}
2814 
2815 	nosec_save = nosec;
2816 	fnosec = fsec = 1;
2817 	in_save = in_end = orig;
2818 
2819 	do {
2820 		if (*in_end == '"')
2821 			open_quote = !open_quote;
2822 		if ((*in_end == ',' && open_quote == 0) ||
2823 				*in_end == '\0') {
2824 			int len = in_end - in_curr;
2825 
2826 			if (selinux_option(in_curr, len))
2827 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2828 			else
2829 				take_option(&nosec, in_curr, &fnosec, len);
2830 
2831 			in_curr = in_end + 1;
2832 		}
2833 	} while (*in_end++);
2834 
2835 	strcpy(in_save, nosec_save);
2836 	free_page((unsigned long)nosec_save);
2837 out:
2838 	return rc;
2839 }
2840 
2841 static int selinux_sb_remount(struct super_block *sb, void *data)
2842 {
2843 	int rc, i, *flags;
2844 	struct security_mnt_opts opts;
2845 	char *secdata, **mount_options;
2846 	struct superblock_security_struct *sbsec = sb->s_security;
2847 
2848 	if (!(sbsec->flags & SE_SBINITIALIZED))
2849 		return 0;
2850 
2851 	if (!data)
2852 		return 0;
2853 
2854 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2855 		return 0;
2856 
2857 	security_init_mnt_opts(&opts);
2858 	secdata = alloc_secdata();
2859 	if (!secdata)
2860 		return -ENOMEM;
2861 	rc = selinux_sb_copy_data(data, secdata);
2862 	if (rc)
2863 		goto out_free_secdata;
2864 
2865 	rc = selinux_parse_opts_str(secdata, &opts);
2866 	if (rc)
2867 		goto out_free_secdata;
2868 
2869 	mount_options = opts.mnt_opts;
2870 	flags = opts.mnt_opts_flags;
2871 
2872 	for (i = 0; i < opts.num_mnt_opts; i++) {
2873 		u32 sid;
2874 
2875 		if (flags[i] == SBLABEL_MNT)
2876 			continue;
2877 		rc = security_context_str_to_sid(&selinux_state,
2878 						 mount_options[i], &sid,
2879 						 GFP_KERNEL);
2880 		if (rc) {
2881 			pr_warn("SELinux: security_context_str_to_sid"
2882 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2883 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2884 			goto out_free_opts;
2885 		}
2886 		rc = -EINVAL;
2887 		switch (flags[i]) {
2888 		case FSCONTEXT_MNT:
2889 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2890 				goto out_bad_option;
2891 			break;
2892 		case CONTEXT_MNT:
2893 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2894 				goto out_bad_option;
2895 			break;
2896 		case ROOTCONTEXT_MNT: {
2897 			struct inode_security_struct *root_isec;
2898 			root_isec = backing_inode_security(sb->s_root);
2899 
2900 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2901 				goto out_bad_option;
2902 			break;
2903 		}
2904 		case DEFCONTEXT_MNT:
2905 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2906 				goto out_bad_option;
2907 			break;
2908 		default:
2909 			goto out_free_opts;
2910 		}
2911 	}
2912 
2913 	rc = 0;
2914 out_free_opts:
2915 	security_free_mnt_opts(&opts);
2916 out_free_secdata:
2917 	free_secdata(secdata);
2918 	return rc;
2919 out_bad_option:
2920 	pr_warn("SELinux: unable to change security options "
2921 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2922 	       sb->s_type->name);
2923 	goto out_free_opts;
2924 }
2925 
2926 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2927 {
2928 	const struct cred *cred = current_cred();
2929 	struct common_audit_data ad;
2930 	int rc;
2931 
2932 	rc = superblock_doinit(sb, data);
2933 	if (rc)
2934 		return rc;
2935 
2936 	/* Allow all mounts performed by the kernel */
2937 	if (flags & MS_KERNMOUNT)
2938 		return 0;
2939 
2940 	ad.type = LSM_AUDIT_DATA_DENTRY;
2941 	ad.u.dentry = sb->s_root;
2942 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2943 }
2944 
2945 static int selinux_sb_statfs(struct dentry *dentry)
2946 {
2947 	const struct cred *cred = current_cred();
2948 	struct common_audit_data ad;
2949 
2950 	ad.type = LSM_AUDIT_DATA_DENTRY;
2951 	ad.u.dentry = dentry->d_sb->s_root;
2952 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2953 }
2954 
2955 static int selinux_mount(const char *dev_name,
2956 			 const struct path *path,
2957 			 const char *type,
2958 			 unsigned long flags,
2959 			 void *data)
2960 {
2961 	const struct cred *cred = current_cred();
2962 
2963 	if (flags & MS_REMOUNT)
2964 		return superblock_has_perm(cred, path->dentry->d_sb,
2965 					   FILESYSTEM__REMOUNT, NULL);
2966 	else
2967 		return path_has_perm(cred, path, FILE__MOUNTON);
2968 }
2969 
2970 static int selinux_umount(struct vfsmount *mnt, int flags)
2971 {
2972 	const struct cred *cred = current_cred();
2973 
2974 	return superblock_has_perm(cred, mnt->mnt_sb,
2975 				   FILESYSTEM__UNMOUNT, NULL);
2976 }
2977 
2978 /* inode security operations */
2979 
2980 static int selinux_inode_alloc_security(struct inode *inode)
2981 {
2982 	return inode_alloc_security(inode);
2983 }
2984 
2985 static void selinux_inode_free_security(struct inode *inode)
2986 {
2987 	inode_free_security(inode);
2988 }
2989 
2990 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2991 					const struct qstr *name, void **ctx,
2992 					u32 *ctxlen)
2993 {
2994 	u32 newsid;
2995 	int rc;
2996 
2997 	rc = selinux_determine_inode_label(current_security(),
2998 					   d_inode(dentry->d_parent), name,
2999 					   inode_mode_to_security_class(mode),
3000 					   &newsid);
3001 	if (rc)
3002 		return rc;
3003 
3004 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 				       ctxlen);
3006 }
3007 
3008 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3009 					  struct qstr *name,
3010 					  const struct cred *old,
3011 					  struct cred *new)
3012 {
3013 	u32 newsid;
3014 	int rc;
3015 	struct task_security_struct *tsec;
3016 
3017 	rc = selinux_determine_inode_label(old->security,
3018 					   d_inode(dentry->d_parent), name,
3019 					   inode_mode_to_security_class(mode),
3020 					   &newsid);
3021 	if (rc)
3022 		return rc;
3023 
3024 	tsec = new->security;
3025 	tsec->create_sid = newsid;
3026 	return 0;
3027 }
3028 
3029 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3030 				       const struct qstr *qstr,
3031 				       const char **name,
3032 				       void **value, size_t *len)
3033 {
3034 	const struct task_security_struct *tsec = current_security();
3035 	struct superblock_security_struct *sbsec;
3036 	u32 newsid, clen;
3037 	int rc;
3038 	char *context;
3039 
3040 	sbsec = dir->i_sb->s_security;
3041 
3042 	newsid = tsec->create_sid;
3043 
3044 	rc = selinux_determine_inode_label(current_security(),
3045 		dir, qstr,
3046 		inode_mode_to_security_class(inode->i_mode),
3047 		&newsid);
3048 	if (rc)
3049 		return rc;
3050 
3051 	/* Possibly defer initialization to selinux_complete_init. */
3052 	if (sbsec->flags & SE_SBINITIALIZED) {
3053 		struct inode_security_struct *isec = inode->i_security;
3054 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
3055 		isec->sid = newsid;
3056 		isec->initialized = LABEL_INITIALIZED;
3057 	}
3058 
3059 	if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3060 		return -EOPNOTSUPP;
3061 
3062 	if (name)
3063 		*name = XATTR_SELINUX_SUFFIX;
3064 
3065 	if (value && len) {
3066 		rc = security_sid_to_context_force(&selinux_state, newsid,
3067 						   &context, &clen);
3068 		if (rc)
3069 			return rc;
3070 		*value = context;
3071 		*len = clen;
3072 	}
3073 
3074 	return 0;
3075 }
3076 
3077 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3078 {
3079 	return may_create(dir, dentry, SECCLASS_FILE);
3080 }
3081 
3082 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3083 {
3084 	return may_link(dir, old_dentry, MAY_LINK);
3085 }
3086 
3087 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3088 {
3089 	return may_link(dir, dentry, MAY_UNLINK);
3090 }
3091 
3092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3093 {
3094 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3095 }
3096 
3097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3098 {
3099 	return may_create(dir, dentry, SECCLASS_DIR);
3100 }
3101 
3102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3103 {
3104 	return may_link(dir, dentry, MAY_RMDIR);
3105 }
3106 
3107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3108 {
3109 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3110 }
3111 
3112 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3113 				struct inode *new_inode, struct dentry *new_dentry)
3114 {
3115 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3116 }
3117 
3118 static int selinux_inode_readlink(struct dentry *dentry)
3119 {
3120 	const struct cred *cred = current_cred();
3121 
3122 	return dentry_has_perm(cred, dentry, FILE__READ);
3123 }
3124 
3125 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3126 				     bool rcu)
3127 {
3128 	const struct cred *cred = current_cred();
3129 	struct common_audit_data ad;
3130 	struct inode_security_struct *isec;
3131 	u32 sid;
3132 
3133 	validate_creds(cred);
3134 
3135 	ad.type = LSM_AUDIT_DATA_DENTRY;
3136 	ad.u.dentry = dentry;
3137 	sid = cred_sid(cred);
3138 	isec = inode_security_rcu(inode, rcu);
3139 	if (IS_ERR(isec))
3140 		return PTR_ERR(isec);
3141 
3142 	return avc_has_perm_flags(&selinux_state,
3143 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
3144 				  rcu ? MAY_NOT_BLOCK : 0);
3145 }
3146 
3147 static noinline int audit_inode_permission(struct inode *inode,
3148 					   u32 perms, u32 audited, u32 denied,
3149 					   int result,
3150 					   unsigned flags)
3151 {
3152 	struct common_audit_data ad;
3153 	struct inode_security_struct *isec = inode->i_security;
3154 	int rc;
3155 
3156 	ad.type = LSM_AUDIT_DATA_INODE;
3157 	ad.u.inode = inode;
3158 
3159 	rc = slow_avc_audit(&selinux_state,
3160 			    current_sid(), isec->sid, isec->sclass, perms,
3161 			    audited, denied, result, &ad, flags);
3162 	if (rc)
3163 		return rc;
3164 	return 0;
3165 }
3166 
3167 static int selinux_inode_permission(struct inode *inode, int mask)
3168 {
3169 	const struct cred *cred = current_cred();
3170 	u32 perms;
3171 	bool from_access;
3172 	unsigned flags = mask & MAY_NOT_BLOCK;
3173 	struct inode_security_struct *isec;
3174 	u32 sid;
3175 	struct av_decision avd;
3176 	int rc, rc2;
3177 	u32 audited, denied;
3178 
3179 	from_access = mask & MAY_ACCESS;
3180 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3181 
3182 	/* No permission to check.  Existence test. */
3183 	if (!mask)
3184 		return 0;
3185 
3186 	validate_creds(cred);
3187 
3188 	if (unlikely(IS_PRIVATE(inode)))
3189 		return 0;
3190 
3191 	perms = file_mask_to_av(inode->i_mode, mask);
3192 
3193 	sid = cred_sid(cred);
3194 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3195 	if (IS_ERR(isec))
3196 		return PTR_ERR(isec);
3197 
3198 	rc = avc_has_perm_noaudit(&selinux_state,
3199 				  sid, isec->sid, isec->sclass, perms, 0, &avd);
3200 	audited = avc_audit_required(perms, &avd, rc,
3201 				     from_access ? FILE__AUDIT_ACCESS : 0,
3202 				     &denied);
3203 	if (likely(!audited))
3204 		return rc;
3205 
3206 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3207 	if (rc2)
3208 		return rc2;
3209 	return rc;
3210 }
3211 
3212 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3213 {
3214 	const struct cred *cred = current_cred();
3215 	struct inode *inode = d_backing_inode(dentry);
3216 	unsigned int ia_valid = iattr->ia_valid;
3217 	__u32 av = FILE__WRITE;
3218 
3219 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3220 	if (ia_valid & ATTR_FORCE) {
3221 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3222 			      ATTR_FORCE);
3223 		if (!ia_valid)
3224 			return 0;
3225 	}
3226 
3227 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3228 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3229 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3230 
3231 	if (selinux_policycap_openperm() &&
3232 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3233 	    (ia_valid & ATTR_SIZE) &&
3234 	    !(ia_valid & ATTR_FILE))
3235 		av |= FILE__OPEN;
3236 
3237 	return dentry_has_perm(cred, dentry, av);
3238 }
3239 
3240 static int selinux_inode_getattr(const struct path *path)
3241 {
3242 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3243 }
3244 
3245 static bool has_cap_mac_admin(bool audit)
3246 {
3247 	const struct cred *cred = current_cred();
3248 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3249 
3250 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3251 		return false;
3252 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3253 		return false;
3254 	return true;
3255 }
3256 
3257 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3258 				  const void *value, size_t size, int flags)
3259 {
3260 	struct inode *inode = d_backing_inode(dentry);
3261 	struct inode_security_struct *isec;
3262 	struct superblock_security_struct *sbsec;
3263 	struct common_audit_data ad;
3264 	u32 newsid, sid = current_sid();
3265 	int rc = 0;
3266 
3267 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 		if (rc)
3270 			return rc;
3271 
3272 		/* Not an attribute we recognize, so just check the
3273 		   ordinary setattr permission. */
3274 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3275 	}
3276 
3277 	sbsec = inode->i_sb->s_security;
3278 	if (!(sbsec->flags & SBLABEL_MNT))
3279 		return -EOPNOTSUPP;
3280 
3281 	if (!inode_owner_or_capable(inode))
3282 		return -EPERM;
3283 
3284 	ad.type = LSM_AUDIT_DATA_DENTRY;
3285 	ad.u.dentry = dentry;
3286 
3287 	isec = backing_inode_security(dentry);
3288 	rc = avc_has_perm(&selinux_state,
3289 			  sid, isec->sid, isec->sclass,
3290 			  FILE__RELABELFROM, &ad);
3291 	if (rc)
3292 		return rc;
3293 
3294 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3295 				     GFP_KERNEL);
3296 	if (rc == -EINVAL) {
3297 		if (!has_cap_mac_admin(true)) {
3298 			struct audit_buffer *ab;
3299 			size_t audit_size;
3300 
3301 			/* We strip a nul only if it is at the end, otherwise the
3302 			 * context contains a nul and we should audit that */
3303 			if (value) {
3304 				const char *str = value;
3305 
3306 				if (str[size - 1] == '\0')
3307 					audit_size = size - 1;
3308 				else
3309 					audit_size = size;
3310 			} else {
3311 				audit_size = 0;
3312 			}
3313 			ab = audit_log_start(audit_context(),
3314 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3315 			audit_log_format(ab, "op=setxattr invalid_context=");
3316 			audit_log_n_untrustedstring(ab, value, audit_size);
3317 			audit_log_end(ab);
3318 
3319 			return rc;
3320 		}
3321 		rc = security_context_to_sid_force(&selinux_state, value,
3322 						   size, &newsid);
3323 	}
3324 	if (rc)
3325 		return rc;
3326 
3327 	rc = avc_has_perm(&selinux_state,
3328 			  sid, newsid, isec->sclass,
3329 			  FILE__RELABELTO, &ad);
3330 	if (rc)
3331 		return rc;
3332 
3333 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3334 					  sid, isec->sclass);
3335 	if (rc)
3336 		return rc;
3337 
3338 	return avc_has_perm(&selinux_state,
3339 			    newsid,
3340 			    sbsec->sid,
3341 			    SECCLASS_FILESYSTEM,
3342 			    FILESYSTEM__ASSOCIATE,
3343 			    &ad);
3344 }
3345 
3346 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3347 					const void *value, size_t size,
3348 					int flags)
3349 {
3350 	struct inode *inode = d_backing_inode(dentry);
3351 	struct inode_security_struct *isec;
3352 	u32 newsid;
3353 	int rc;
3354 
3355 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 		/* Not an attribute we recognize, so nothing to do. */
3357 		return;
3358 	}
3359 
3360 	rc = security_context_to_sid_force(&selinux_state, value, size,
3361 					   &newsid);
3362 	if (rc) {
3363 		pr_err("SELinux:  unable to map context to SID"
3364 		       "for (%s, %lu), rc=%d\n",
3365 		       inode->i_sb->s_id, inode->i_ino, -rc);
3366 		return;
3367 	}
3368 
3369 	isec = backing_inode_security(dentry);
3370 	spin_lock(&isec->lock);
3371 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3372 	isec->sid = newsid;
3373 	isec->initialized = LABEL_INITIALIZED;
3374 	spin_unlock(&isec->lock);
3375 
3376 	return;
3377 }
3378 
3379 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3380 {
3381 	const struct cred *cred = current_cred();
3382 
3383 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3384 }
3385 
3386 static int selinux_inode_listxattr(struct dentry *dentry)
3387 {
3388 	const struct cred *cred = current_cred();
3389 
3390 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3391 }
3392 
3393 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3394 {
3395 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3396 		int rc = cap_inode_removexattr(dentry, name);
3397 		if (rc)
3398 			return rc;
3399 
3400 		/* Not an attribute we recognize, so just check the
3401 		   ordinary setattr permission. */
3402 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3403 	}
3404 
3405 	/* No one is allowed to remove a SELinux security label.
3406 	   You can change the label, but all data must be labeled. */
3407 	return -EACCES;
3408 }
3409 
3410 /*
3411  * Copy the inode security context value to the user.
3412  *
3413  * Permission check is handled by selinux_inode_getxattr hook.
3414  */
3415 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3416 {
3417 	u32 size;
3418 	int error;
3419 	char *context = NULL;
3420 	struct inode_security_struct *isec;
3421 
3422 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 		return -EOPNOTSUPP;
3424 
3425 	/*
3426 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3427 	 * value even if it is not defined by current policy; otherwise,
3428 	 * use the in-core value under current policy.
3429 	 * Use the non-auditing forms of the permission checks since
3430 	 * getxattr may be called by unprivileged processes commonly
3431 	 * and lack of permission just means that we fall back to the
3432 	 * in-core context value, not a denial.
3433 	 */
3434 	isec = inode_security(inode);
3435 	if (has_cap_mac_admin(false))
3436 		error = security_sid_to_context_force(&selinux_state,
3437 						      isec->sid, &context,
3438 						      &size);
3439 	else
3440 		error = security_sid_to_context(&selinux_state, isec->sid,
3441 						&context, &size);
3442 	if (error)
3443 		return error;
3444 	error = size;
3445 	if (alloc) {
3446 		*buffer = context;
3447 		goto out_nofree;
3448 	}
3449 	kfree(context);
3450 out_nofree:
3451 	return error;
3452 }
3453 
3454 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3455 				     const void *value, size_t size, int flags)
3456 {
3457 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3458 	u32 newsid;
3459 	int rc;
3460 
3461 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3462 		return -EOPNOTSUPP;
3463 
3464 	if (!value || !size)
3465 		return -EACCES;
3466 
3467 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3468 				     GFP_KERNEL);
3469 	if (rc)
3470 		return rc;
3471 
3472 	spin_lock(&isec->lock);
3473 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 	isec->sid = newsid;
3475 	isec->initialized = LABEL_INITIALIZED;
3476 	spin_unlock(&isec->lock);
3477 	return 0;
3478 }
3479 
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 	const int len = sizeof(XATTR_NAME_SELINUX);
3483 	if (buffer && len <= buffer_size)
3484 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 	return len;
3486 }
3487 
3488 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3489 {
3490 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3491 	*secid = isec->sid;
3492 }
3493 
3494 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3495 {
3496 	u32 sid;
3497 	struct task_security_struct *tsec;
3498 	struct cred *new_creds = *new;
3499 
3500 	if (new_creds == NULL) {
3501 		new_creds = prepare_creds();
3502 		if (!new_creds)
3503 			return -ENOMEM;
3504 	}
3505 
3506 	tsec = new_creds->security;
3507 	/* Get label from overlay inode and set it in create_sid */
3508 	selinux_inode_getsecid(d_inode(src), &sid);
3509 	tsec->create_sid = sid;
3510 	*new = new_creds;
3511 	return 0;
3512 }
3513 
3514 static int selinux_inode_copy_up_xattr(const char *name)
3515 {
3516 	/* The copy_up hook above sets the initial context on an inode, but we
3517 	 * don't then want to overwrite it by blindly copying all the lower
3518 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3519 	 */
3520 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3521 		return 1; /* Discard */
3522 	/*
3523 	 * Any other attribute apart from SELINUX is not claimed, supported
3524 	 * by selinux.
3525 	 */
3526 	return -EOPNOTSUPP;
3527 }
3528 
3529 /* file security operations */
3530 
3531 static int selinux_revalidate_file_permission(struct file *file, int mask)
3532 {
3533 	const struct cred *cred = current_cred();
3534 	struct inode *inode = file_inode(file);
3535 
3536 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3538 		mask |= MAY_APPEND;
3539 
3540 	return file_has_perm(cred, file,
3541 			     file_mask_to_av(inode->i_mode, mask));
3542 }
3543 
3544 static int selinux_file_permission(struct file *file, int mask)
3545 {
3546 	struct inode *inode = file_inode(file);
3547 	struct file_security_struct *fsec = file->f_security;
3548 	struct inode_security_struct *isec;
3549 	u32 sid = current_sid();
3550 
3551 	if (!mask)
3552 		/* No permission to check.  Existence test. */
3553 		return 0;
3554 
3555 	isec = inode_security(inode);
3556 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3557 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3558 		/* No change since file_open check. */
3559 		return 0;
3560 
3561 	return selinux_revalidate_file_permission(file, mask);
3562 }
3563 
3564 static int selinux_file_alloc_security(struct file *file)
3565 {
3566 	return file_alloc_security(file);
3567 }
3568 
3569 static void selinux_file_free_security(struct file *file)
3570 {
3571 	file_free_security(file);
3572 }
3573 
3574 /*
3575  * Check whether a task has the ioctl permission and cmd
3576  * operation to an inode.
3577  */
3578 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3579 		u32 requested, u16 cmd)
3580 {
3581 	struct common_audit_data ad;
3582 	struct file_security_struct *fsec = file->f_security;
3583 	struct inode *inode = file_inode(file);
3584 	struct inode_security_struct *isec;
3585 	struct lsm_ioctlop_audit ioctl;
3586 	u32 ssid = cred_sid(cred);
3587 	int rc;
3588 	u8 driver = cmd >> 8;
3589 	u8 xperm = cmd & 0xff;
3590 
3591 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3592 	ad.u.op = &ioctl;
3593 	ad.u.op->cmd = cmd;
3594 	ad.u.op->path = file->f_path;
3595 
3596 	if (ssid != fsec->sid) {
3597 		rc = avc_has_perm(&selinux_state,
3598 				  ssid, fsec->sid,
3599 				SECCLASS_FD,
3600 				FD__USE,
3601 				&ad);
3602 		if (rc)
3603 			goto out;
3604 	}
3605 
3606 	if (unlikely(IS_PRIVATE(inode)))
3607 		return 0;
3608 
3609 	isec = inode_security(inode);
3610 	rc = avc_has_extended_perms(&selinux_state,
3611 				    ssid, isec->sid, isec->sclass,
3612 				    requested, driver, xperm, &ad);
3613 out:
3614 	return rc;
3615 }
3616 
3617 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3618 			      unsigned long arg)
3619 {
3620 	const struct cred *cred = current_cred();
3621 	int error = 0;
3622 
3623 	switch (cmd) {
3624 	case FIONREAD:
3625 	/* fall through */
3626 	case FIBMAP:
3627 	/* fall through */
3628 	case FIGETBSZ:
3629 	/* fall through */
3630 	case FS_IOC_GETFLAGS:
3631 	/* fall through */
3632 	case FS_IOC_GETVERSION:
3633 		error = file_has_perm(cred, file, FILE__GETATTR);
3634 		break;
3635 
3636 	case FS_IOC_SETFLAGS:
3637 	/* fall through */
3638 	case FS_IOC_SETVERSION:
3639 		error = file_has_perm(cred, file, FILE__SETATTR);
3640 		break;
3641 
3642 	/* sys_ioctl() checks */
3643 	case FIONBIO:
3644 	/* fall through */
3645 	case FIOASYNC:
3646 		error = file_has_perm(cred, file, 0);
3647 		break;
3648 
3649 	case KDSKBENT:
3650 	case KDSKBSENT:
3651 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3652 					    SECURITY_CAP_AUDIT, true);
3653 		break;
3654 
3655 	/* default case assumes that the command will go
3656 	 * to the file's ioctl() function.
3657 	 */
3658 	default:
3659 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3660 	}
3661 	return error;
3662 }
3663 
3664 static int default_noexec;
3665 
3666 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3667 {
3668 	const struct cred *cred = current_cred();
3669 	u32 sid = cred_sid(cred);
3670 	int rc = 0;
3671 
3672 	if (default_noexec &&
3673 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3674 				   (!shared && (prot & PROT_WRITE)))) {
3675 		/*
3676 		 * We are making executable an anonymous mapping or a
3677 		 * private file mapping that will also be writable.
3678 		 * This has an additional check.
3679 		 */
3680 		rc = avc_has_perm(&selinux_state,
3681 				  sid, sid, SECCLASS_PROCESS,
3682 				  PROCESS__EXECMEM, NULL);
3683 		if (rc)
3684 			goto error;
3685 	}
3686 
3687 	if (file) {
3688 		/* read access is always possible with a mapping */
3689 		u32 av = FILE__READ;
3690 
3691 		/* write access only matters if the mapping is shared */
3692 		if (shared && (prot & PROT_WRITE))
3693 			av |= FILE__WRITE;
3694 
3695 		if (prot & PROT_EXEC)
3696 			av |= FILE__EXECUTE;
3697 
3698 		return file_has_perm(cred, file, av);
3699 	}
3700 
3701 error:
3702 	return rc;
3703 }
3704 
3705 static int selinux_mmap_addr(unsigned long addr)
3706 {
3707 	int rc = 0;
3708 
3709 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3710 		u32 sid = current_sid();
3711 		rc = avc_has_perm(&selinux_state,
3712 				  sid, sid, SECCLASS_MEMPROTECT,
3713 				  MEMPROTECT__MMAP_ZERO, NULL);
3714 	}
3715 
3716 	return rc;
3717 }
3718 
3719 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3720 			     unsigned long prot, unsigned long flags)
3721 {
3722 	struct common_audit_data ad;
3723 	int rc;
3724 
3725 	if (file) {
3726 		ad.type = LSM_AUDIT_DATA_FILE;
3727 		ad.u.file = file;
3728 		rc = inode_has_perm(current_cred(), file_inode(file),
3729 				    FILE__MAP, &ad);
3730 		if (rc)
3731 			return rc;
3732 	}
3733 
3734 	if (selinux_state.checkreqprot)
3735 		prot = reqprot;
3736 
3737 	return file_map_prot_check(file, prot,
3738 				   (flags & MAP_TYPE) == MAP_SHARED);
3739 }
3740 
3741 static int selinux_file_mprotect(struct vm_area_struct *vma,
3742 				 unsigned long reqprot,
3743 				 unsigned long prot)
3744 {
3745 	const struct cred *cred = current_cred();
3746 	u32 sid = cred_sid(cred);
3747 
3748 	if (selinux_state.checkreqprot)
3749 		prot = reqprot;
3750 
3751 	if (default_noexec &&
3752 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3753 		int rc = 0;
3754 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3755 		    vma->vm_end <= vma->vm_mm->brk) {
3756 			rc = avc_has_perm(&selinux_state,
3757 					  sid, sid, SECCLASS_PROCESS,
3758 					  PROCESS__EXECHEAP, NULL);
3759 		} else if (!vma->vm_file &&
3760 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3761 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3762 			    vma_is_stack_for_current(vma))) {
3763 			rc = avc_has_perm(&selinux_state,
3764 					  sid, sid, SECCLASS_PROCESS,
3765 					  PROCESS__EXECSTACK, NULL);
3766 		} else if (vma->vm_file && vma->anon_vma) {
3767 			/*
3768 			 * We are making executable a file mapping that has
3769 			 * had some COW done. Since pages might have been
3770 			 * written, check ability to execute the possibly
3771 			 * modified content.  This typically should only
3772 			 * occur for text relocations.
3773 			 */
3774 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3775 		}
3776 		if (rc)
3777 			return rc;
3778 	}
3779 
3780 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3781 }
3782 
3783 static int selinux_file_lock(struct file *file, unsigned int cmd)
3784 {
3785 	const struct cred *cred = current_cred();
3786 
3787 	return file_has_perm(cred, file, FILE__LOCK);
3788 }
3789 
3790 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3791 			      unsigned long arg)
3792 {
3793 	const struct cred *cred = current_cred();
3794 	int err = 0;
3795 
3796 	switch (cmd) {
3797 	case F_SETFL:
3798 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3799 			err = file_has_perm(cred, file, FILE__WRITE);
3800 			break;
3801 		}
3802 		/* fall through */
3803 	case F_SETOWN:
3804 	case F_SETSIG:
3805 	case F_GETFL:
3806 	case F_GETOWN:
3807 	case F_GETSIG:
3808 	case F_GETOWNER_UIDS:
3809 		/* Just check FD__USE permission */
3810 		err = file_has_perm(cred, file, 0);
3811 		break;
3812 	case F_GETLK:
3813 	case F_SETLK:
3814 	case F_SETLKW:
3815 	case F_OFD_GETLK:
3816 	case F_OFD_SETLK:
3817 	case F_OFD_SETLKW:
3818 #if BITS_PER_LONG == 32
3819 	case F_GETLK64:
3820 	case F_SETLK64:
3821 	case F_SETLKW64:
3822 #endif
3823 		err = file_has_perm(cred, file, FILE__LOCK);
3824 		break;
3825 	}
3826 
3827 	return err;
3828 }
3829 
3830 static void selinux_file_set_fowner(struct file *file)
3831 {
3832 	struct file_security_struct *fsec;
3833 
3834 	fsec = file->f_security;
3835 	fsec->fown_sid = current_sid();
3836 }
3837 
3838 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3839 				       struct fown_struct *fown, int signum)
3840 {
3841 	struct file *file;
3842 	u32 sid = task_sid(tsk);
3843 	u32 perm;
3844 	struct file_security_struct *fsec;
3845 
3846 	/* struct fown_struct is never outside the context of a struct file */
3847 	file = container_of(fown, struct file, f_owner);
3848 
3849 	fsec = file->f_security;
3850 
3851 	if (!signum)
3852 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3853 	else
3854 		perm = signal_to_av(signum);
3855 
3856 	return avc_has_perm(&selinux_state,
3857 			    fsec->fown_sid, sid,
3858 			    SECCLASS_PROCESS, perm, NULL);
3859 }
3860 
3861 static int selinux_file_receive(struct file *file)
3862 {
3863 	const struct cred *cred = current_cred();
3864 
3865 	return file_has_perm(cred, file, file_to_av(file));
3866 }
3867 
3868 static int selinux_file_open(struct file *file)
3869 {
3870 	struct file_security_struct *fsec;
3871 	struct inode_security_struct *isec;
3872 
3873 	fsec = file->f_security;
3874 	isec = inode_security(file_inode(file));
3875 	/*
3876 	 * Save inode label and policy sequence number
3877 	 * at open-time so that selinux_file_permission
3878 	 * can determine whether revalidation is necessary.
3879 	 * Task label is already saved in the file security
3880 	 * struct as its SID.
3881 	 */
3882 	fsec->isid = isec->sid;
3883 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3884 	/*
3885 	 * Since the inode label or policy seqno may have changed
3886 	 * between the selinux_inode_permission check and the saving
3887 	 * of state above, recheck that access is still permitted.
3888 	 * Otherwise, access might never be revalidated against the
3889 	 * new inode label or new policy.
3890 	 * This check is not redundant - do not remove.
3891 	 */
3892 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3893 }
3894 
3895 /* task security operations */
3896 
3897 static int selinux_task_alloc(struct task_struct *task,
3898 			      unsigned long clone_flags)
3899 {
3900 	u32 sid = current_sid();
3901 
3902 	return avc_has_perm(&selinux_state,
3903 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3904 }
3905 
3906 /*
3907  * allocate the SELinux part of blank credentials
3908  */
3909 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3910 {
3911 	struct task_security_struct *tsec;
3912 
3913 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3914 	if (!tsec)
3915 		return -ENOMEM;
3916 
3917 	cred->security = tsec;
3918 	return 0;
3919 }
3920 
3921 /*
3922  * detach and free the LSM part of a set of credentials
3923  */
3924 static void selinux_cred_free(struct cred *cred)
3925 {
3926 	struct task_security_struct *tsec = cred->security;
3927 
3928 	/*
3929 	 * cred->security == NULL if security_cred_alloc_blank() or
3930 	 * security_prepare_creds() returned an error.
3931 	 */
3932 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3933 	cred->security = (void *) 0x7UL;
3934 	kfree(tsec);
3935 }
3936 
3937 /*
3938  * prepare a new set of credentials for modification
3939  */
3940 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3941 				gfp_t gfp)
3942 {
3943 	const struct task_security_struct *old_tsec;
3944 	struct task_security_struct *tsec;
3945 
3946 	old_tsec = old->security;
3947 
3948 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3949 	if (!tsec)
3950 		return -ENOMEM;
3951 
3952 	new->security = tsec;
3953 	return 0;
3954 }
3955 
3956 /*
3957  * transfer the SELinux data to a blank set of creds
3958  */
3959 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3960 {
3961 	const struct task_security_struct *old_tsec = old->security;
3962 	struct task_security_struct *tsec = new->security;
3963 
3964 	*tsec = *old_tsec;
3965 }
3966 
3967 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3968 {
3969 	*secid = cred_sid(c);
3970 }
3971 
3972 /*
3973  * set the security data for a kernel service
3974  * - all the creation contexts are set to unlabelled
3975  */
3976 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3977 {
3978 	struct task_security_struct *tsec = new->security;
3979 	u32 sid = current_sid();
3980 	int ret;
3981 
3982 	ret = avc_has_perm(&selinux_state,
3983 			   sid, secid,
3984 			   SECCLASS_KERNEL_SERVICE,
3985 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3986 			   NULL);
3987 	if (ret == 0) {
3988 		tsec->sid = secid;
3989 		tsec->create_sid = 0;
3990 		tsec->keycreate_sid = 0;
3991 		tsec->sockcreate_sid = 0;
3992 	}
3993 	return ret;
3994 }
3995 
3996 /*
3997  * set the file creation context in a security record to the same as the
3998  * objective context of the specified inode
3999  */
4000 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4001 {
4002 	struct inode_security_struct *isec = inode_security(inode);
4003 	struct task_security_struct *tsec = new->security;
4004 	u32 sid = current_sid();
4005 	int ret;
4006 
4007 	ret = avc_has_perm(&selinux_state,
4008 			   sid, isec->sid,
4009 			   SECCLASS_KERNEL_SERVICE,
4010 			   KERNEL_SERVICE__CREATE_FILES_AS,
4011 			   NULL);
4012 
4013 	if (ret == 0)
4014 		tsec->create_sid = isec->sid;
4015 	return ret;
4016 }
4017 
4018 static int selinux_kernel_module_request(char *kmod_name)
4019 {
4020 	struct common_audit_data ad;
4021 
4022 	ad.type = LSM_AUDIT_DATA_KMOD;
4023 	ad.u.kmod_name = kmod_name;
4024 
4025 	return avc_has_perm(&selinux_state,
4026 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4027 			    SYSTEM__MODULE_REQUEST, &ad);
4028 }
4029 
4030 static int selinux_kernel_module_from_file(struct file *file)
4031 {
4032 	struct common_audit_data ad;
4033 	struct inode_security_struct *isec;
4034 	struct file_security_struct *fsec;
4035 	u32 sid = current_sid();
4036 	int rc;
4037 
4038 	/* init_module */
4039 	if (file == NULL)
4040 		return avc_has_perm(&selinux_state,
4041 				    sid, sid, SECCLASS_SYSTEM,
4042 					SYSTEM__MODULE_LOAD, NULL);
4043 
4044 	/* finit_module */
4045 
4046 	ad.type = LSM_AUDIT_DATA_FILE;
4047 	ad.u.file = file;
4048 
4049 	fsec = file->f_security;
4050 	if (sid != fsec->sid) {
4051 		rc = avc_has_perm(&selinux_state,
4052 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4053 		if (rc)
4054 			return rc;
4055 	}
4056 
4057 	isec = inode_security(file_inode(file));
4058 	return avc_has_perm(&selinux_state,
4059 			    sid, isec->sid, SECCLASS_SYSTEM,
4060 				SYSTEM__MODULE_LOAD, &ad);
4061 }
4062 
4063 static int selinux_kernel_read_file(struct file *file,
4064 				    enum kernel_read_file_id id)
4065 {
4066 	int rc = 0;
4067 
4068 	switch (id) {
4069 	case READING_MODULE:
4070 		rc = selinux_kernel_module_from_file(file);
4071 		break;
4072 	default:
4073 		break;
4074 	}
4075 
4076 	return rc;
4077 }
4078 
4079 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4080 {
4081 	int rc = 0;
4082 
4083 	switch (id) {
4084 	case LOADING_MODULE:
4085 		rc = selinux_kernel_module_from_file(NULL);
4086 	default:
4087 		break;
4088 	}
4089 
4090 	return rc;
4091 }
4092 
4093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4094 {
4095 	return avc_has_perm(&selinux_state,
4096 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4097 			    PROCESS__SETPGID, NULL);
4098 }
4099 
4100 static int selinux_task_getpgid(struct task_struct *p)
4101 {
4102 	return avc_has_perm(&selinux_state,
4103 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 			    PROCESS__GETPGID, NULL);
4105 }
4106 
4107 static int selinux_task_getsid(struct task_struct *p)
4108 {
4109 	return avc_has_perm(&selinux_state,
4110 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 			    PROCESS__GETSESSION, NULL);
4112 }
4113 
4114 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4115 {
4116 	*secid = task_sid(p);
4117 }
4118 
4119 static int selinux_task_setnice(struct task_struct *p, int nice)
4120 {
4121 	return avc_has_perm(&selinux_state,
4122 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4123 			    PROCESS__SETSCHED, NULL);
4124 }
4125 
4126 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4127 {
4128 	return avc_has_perm(&selinux_state,
4129 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4130 			    PROCESS__SETSCHED, NULL);
4131 }
4132 
4133 static int selinux_task_getioprio(struct task_struct *p)
4134 {
4135 	return avc_has_perm(&selinux_state,
4136 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4137 			    PROCESS__GETSCHED, NULL);
4138 }
4139 
4140 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4141 				unsigned int flags)
4142 {
4143 	u32 av = 0;
4144 
4145 	if (!flags)
4146 		return 0;
4147 	if (flags & LSM_PRLIMIT_WRITE)
4148 		av |= PROCESS__SETRLIMIT;
4149 	if (flags & LSM_PRLIMIT_READ)
4150 		av |= PROCESS__GETRLIMIT;
4151 	return avc_has_perm(&selinux_state,
4152 			    cred_sid(cred), cred_sid(tcred),
4153 			    SECCLASS_PROCESS, av, NULL);
4154 }
4155 
4156 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4157 		struct rlimit *new_rlim)
4158 {
4159 	struct rlimit *old_rlim = p->signal->rlim + resource;
4160 
4161 	/* Control the ability to change the hard limit (whether
4162 	   lowering or raising it), so that the hard limit can
4163 	   later be used as a safe reset point for the soft limit
4164 	   upon context transitions.  See selinux_bprm_committing_creds. */
4165 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4166 		return avc_has_perm(&selinux_state,
4167 				    current_sid(), task_sid(p),
4168 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4169 
4170 	return 0;
4171 }
4172 
4173 static int selinux_task_setscheduler(struct task_struct *p)
4174 {
4175 	return avc_has_perm(&selinux_state,
4176 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 			    PROCESS__SETSCHED, NULL);
4178 }
4179 
4180 static int selinux_task_getscheduler(struct task_struct *p)
4181 {
4182 	return avc_has_perm(&selinux_state,
4183 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 			    PROCESS__GETSCHED, NULL);
4185 }
4186 
4187 static int selinux_task_movememory(struct task_struct *p)
4188 {
4189 	return avc_has_perm(&selinux_state,
4190 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 			    PROCESS__SETSCHED, NULL);
4192 }
4193 
4194 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4195 				int sig, const struct cred *cred)
4196 {
4197 	u32 secid;
4198 	u32 perm;
4199 
4200 	if (!sig)
4201 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4202 	else
4203 		perm = signal_to_av(sig);
4204 	if (!cred)
4205 		secid = current_sid();
4206 	else
4207 		secid = cred_sid(cred);
4208 	return avc_has_perm(&selinux_state,
4209 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4210 }
4211 
4212 static void selinux_task_to_inode(struct task_struct *p,
4213 				  struct inode *inode)
4214 {
4215 	struct inode_security_struct *isec = inode->i_security;
4216 	u32 sid = task_sid(p);
4217 
4218 	spin_lock(&isec->lock);
4219 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4220 	isec->sid = sid;
4221 	isec->initialized = LABEL_INITIALIZED;
4222 	spin_unlock(&isec->lock);
4223 }
4224 
4225 /* Returns error only if unable to parse addresses */
4226 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4227 			struct common_audit_data *ad, u8 *proto)
4228 {
4229 	int offset, ihlen, ret = -EINVAL;
4230 	struct iphdr _iph, *ih;
4231 
4232 	offset = skb_network_offset(skb);
4233 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4234 	if (ih == NULL)
4235 		goto out;
4236 
4237 	ihlen = ih->ihl * 4;
4238 	if (ihlen < sizeof(_iph))
4239 		goto out;
4240 
4241 	ad->u.net->v4info.saddr = ih->saddr;
4242 	ad->u.net->v4info.daddr = ih->daddr;
4243 	ret = 0;
4244 
4245 	if (proto)
4246 		*proto = ih->protocol;
4247 
4248 	switch (ih->protocol) {
4249 	case IPPROTO_TCP: {
4250 		struct tcphdr _tcph, *th;
4251 
4252 		if (ntohs(ih->frag_off) & IP_OFFSET)
4253 			break;
4254 
4255 		offset += ihlen;
4256 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4257 		if (th == NULL)
4258 			break;
4259 
4260 		ad->u.net->sport = th->source;
4261 		ad->u.net->dport = th->dest;
4262 		break;
4263 	}
4264 
4265 	case IPPROTO_UDP: {
4266 		struct udphdr _udph, *uh;
4267 
4268 		if (ntohs(ih->frag_off) & IP_OFFSET)
4269 			break;
4270 
4271 		offset += ihlen;
4272 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4273 		if (uh == NULL)
4274 			break;
4275 
4276 		ad->u.net->sport = uh->source;
4277 		ad->u.net->dport = uh->dest;
4278 		break;
4279 	}
4280 
4281 	case IPPROTO_DCCP: {
4282 		struct dccp_hdr _dccph, *dh;
4283 
4284 		if (ntohs(ih->frag_off) & IP_OFFSET)
4285 			break;
4286 
4287 		offset += ihlen;
4288 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4289 		if (dh == NULL)
4290 			break;
4291 
4292 		ad->u.net->sport = dh->dccph_sport;
4293 		ad->u.net->dport = dh->dccph_dport;
4294 		break;
4295 	}
4296 
4297 #if IS_ENABLED(CONFIG_IP_SCTP)
4298 	case IPPROTO_SCTP: {
4299 		struct sctphdr _sctph, *sh;
4300 
4301 		if (ntohs(ih->frag_off) & IP_OFFSET)
4302 			break;
4303 
4304 		offset += ihlen;
4305 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4306 		if (sh == NULL)
4307 			break;
4308 
4309 		ad->u.net->sport = sh->source;
4310 		ad->u.net->dport = sh->dest;
4311 		break;
4312 	}
4313 #endif
4314 	default:
4315 		break;
4316 	}
4317 out:
4318 	return ret;
4319 }
4320 
4321 #if IS_ENABLED(CONFIG_IPV6)
4322 
4323 /* Returns error only if unable to parse addresses */
4324 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4325 			struct common_audit_data *ad, u8 *proto)
4326 {
4327 	u8 nexthdr;
4328 	int ret = -EINVAL, offset;
4329 	struct ipv6hdr _ipv6h, *ip6;
4330 	__be16 frag_off;
4331 
4332 	offset = skb_network_offset(skb);
4333 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4334 	if (ip6 == NULL)
4335 		goto out;
4336 
4337 	ad->u.net->v6info.saddr = ip6->saddr;
4338 	ad->u.net->v6info.daddr = ip6->daddr;
4339 	ret = 0;
4340 
4341 	nexthdr = ip6->nexthdr;
4342 	offset += sizeof(_ipv6h);
4343 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4344 	if (offset < 0)
4345 		goto out;
4346 
4347 	if (proto)
4348 		*proto = nexthdr;
4349 
4350 	switch (nexthdr) {
4351 	case IPPROTO_TCP: {
4352 		struct tcphdr _tcph, *th;
4353 
4354 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4355 		if (th == NULL)
4356 			break;
4357 
4358 		ad->u.net->sport = th->source;
4359 		ad->u.net->dport = th->dest;
4360 		break;
4361 	}
4362 
4363 	case IPPROTO_UDP: {
4364 		struct udphdr _udph, *uh;
4365 
4366 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4367 		if (uh == NULL)
4368 			break;
4369 
4370 		ad->u.net->sport = uh->source;
4371 		ad->u.net->dport = uh->dest;
4372 		break;
4373 	}
4374 
4375 	case IPPROTO_DCCP: {
4376 		struct dccp_hdr _dccph, *dh;
4377 
4378 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4379 		if (dh == NULL)
4380 			break;
4381 
4382 		ad->u.net->sport = dh->dccph_sport;
4383 		ad->u.net->dport = dh->dccph_dport;
4384 		break;
4385 	}
4386 
4387 #if IS_ENABLED(CONFIG_IP_SCTP)
4388 	case IPPROTO_SCTP: {
4389 		struct sctphdr _sctph, *sh;
4390 
4391 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4392 		if (sh == NULL)
4393 			break;
4394 
4395 		ad->u.net->sport = sh->source;
4396 		ad->u.net->dport = sh->dest;
4397 		break;
4398 	}
4399 #endif
4400 	/* includes fragments */
4401 	default:
4402 		break;
4403 	}
4404 out:
4405 	return ret;
4406 }
4407 
4408 #endif /* IPV6 */
4409 
4410 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4411 			     char **_addrp, int src, u8 *proto)
4412 {
4413 	char *addrp;
4414 	int ret;
4415 
4416 	switch (ad->u.net->family) {
4417 	case PF_INET:
4418 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4419 		if (ret)
4420 			goto parse_error;
4421 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4422 				       &ad->u.net->v4info.daddr);
4423 		goto okay;
4424 
4425 #if IS_ENABLED(CONFIG_IPV6)
4426 	case PF_INET6:
4427 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4428 		if (ret)
4429 			goto parse_error;
4430 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4431 				       &ad->u.net->v6info.daddr);
4432 		goto okay;
4433 #endif	/* IPV6 */
4434 	default:
4435 		addrp = NULL;
4436 		goto okay;
4437 	}
4438 
4439 parse_error:
4440 	pr_warn(
4441 	       "SELinux: failure in selinux_parse_skb(),"
4442 	       " unable to parse packet\n");
4443 	return ret;
4444 
4445 okay:
4446 	if (_addrp)
4447 		*_addrp = addrp;
4448 	return 0;
4449 }
4450 
4451 /**
4452  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4453  * @skb: the packet
4454  * @family: protocol family
4455  * @sid: the packet's peer label SID
4456  *
4457  * Description:
4458  * Check the various different forms of network peer labeling and determine
4459  * the peer label/SID for the packet; most of the magic actually occurs in
4460  * the security server function security_net_peersid_cmp().  The function
4461  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4462  * or -EACCES if @sid is invalid due to inconsistencies with the different
4463  * peer labels.
4464  *
4465  */
4466 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4467 {
4468 	int err;
4469 	u32 xfrm_sid;
4470 	u32 nlbl_sid;
4471 	u32 nlbl_type;
4472 
4473 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4474 	if (unlikely(err))
4475 		return -EACCES;
4476 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4477 	if (unlikely(err))
4478 		return -EACCES;
4479 
4480 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4481 					   nlbl_type, xfrm_sid, sid);
4482 	if (unlikely(err)) {
4483 		pr_warn(
4484 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4485 		       " unable to determine packet's peer label\n");
4486 		return -EACCES;
4487 	}
4488 
4489 	return 0;
4490 }
4491 
4492 /**
4493  * selinux_conn_sid - Determine the child socket label for a connection
4494  * @sk_sid: the parent socket's SID
4495  * @skb_sid: the packet's SID
4496  * @conn_sid: the resulting connection SID
4497  *
4498  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4499  * combined with the MLS information from @skb_sid in order to create
4500  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4501  * of @sk_sid.  Returns zero on success, negative values on failure.
4502  *
4503  */
4504 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4505 {
4506 	int err = 0;
4507 
4508 	if (skb_sid != SECSID_NULL)
4509 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4510 					    conn_sid);
4511 	else
4512 		*conn_sid = sk_sid;
4513 
4514 	return err;
4515 }
4516 
4517 /* socket security operations */
4518 
4519 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4520 				 u16 secclass, u32 *socksid)
4521 {
4522 	if (tsec->sockcreate_sid > SECSID_NULL) {
4523 		*socksid = tsec->sockcreate_sid;
4524 		return 0;
4525 	}
4526 
4527 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4528 				       secclass, NULL, socksid);
4529 }
4530 
4531 static int sock_has_perm(struct sock *sk, u32 perms)
4532 {
4533 	struct sk_security_struct *sksec = sk->sk_security;
4534 	struct common_audit_data ad;
4535 	struct lsm_network_audit net = {0,};
4536 
4537 	if (sksec->sid == SECINITSID_KERNEL)
4538 		return 0;
4539 
4540 	ad.type = LSM_AUDIT_DATA_NET;
4541 	ad.u.net = &net;
4542 	ad.u.net->sk = sk;
4543 
4544 	return avc_has_perm(&selinux_state,
4545 			    current_sid(), sksec->sid, sksec->sclass, perms,
4546 			    &ad);
4547 }
4548 
4549 static int selinux_socket_create(int family, int type,
4550 				 int protocol, int kern)
4551 {
4552 	const struct task_security_struct *tsec = current_security();
4553 	u32 newsid;
4554 	u16 secclass;
4555 	int rc;
4556 
4557 	if (kern)
4558 		return 0;
4559 
4560 	secclass = socket_type_to_security_class(family, type, protocol);
4561 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4562 	if (rc)
4563 		return rc;
4564 
4565 	return avc_has_perm(&selinux_state,
4566 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4567 }
4568 
4569 static int selinux_socket_post_create(struct socket *sock, int family,
4570 				      int type, int protocol, int kern)
4571 {
4572 	const struct task_security_struct *tsec = current_security();
4573 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4574 	struct sk_security_struct *sksec;
4575 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4576 	u32 sid = SECINITSID_KERNEL;
4577 	int err = 0;
4578 
4579 	if (!kern) {
4580 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4581 		if (err)
4582 			return err;
4583 	}
4584 
4585 	isec->sclass = sclass;
4586 	isec->sid = sid;
4587 	isec->initialized = LABEL_INITIALIZED;
4588 
4589 	if (sock->sk) {
4590 		sksec = sock->sk->sk_security;
4591 		sksec->sclass = sclass;
4592 		sksec->sid = sid;
4593 		/* Allows detection of the first association on this socket */
4594 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4595 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4596 
4597 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4598 	}
4599 
4600 	return err;
4601 }
4602 
4603 static int selinux_socket_socketpair(struct socket *socka,
4604 				     struct socket *sockb)
4605 {
4606 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4607 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4608 
4609 	sksec_a->peer_sid = sksec_b->sid;
4610 	sksec_b->peer_sid = sksec_a->sid;
4611 
4612 	return 0;
4613 }
4614 
4615 /* Range of port numbers used to automatically bind.
4616    Need to determine whether we should perform a name_bind
4617    permission check between the socket and the port number. */
4618 
4619 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4620 {
4621 	struct sock *sk = sock->sk;
4622 	struct sk_security_struct *sksec = sk->sk_security;
4623 	u16 family;
4624 	int err;
4625 
4626 	err = sock_has_perm(sk, SOCKET__BIND);
4627 	if (err)
4628 		goto out;
4629 
4630 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4631 	family = sk->sk_family;
4632 	if (family == PF_INET || family == PF_INET6) {
4633 		char *addrp;
4634 		struct common_audit_data ad;
4635 		struct lsm_network_audit net = {0,};
4636 		struct sockaddr_in *addr4 = NULL;
4637 		struct sockaddr_in6 *addr6 = NULL;
4638 		u16 family_sa = address->sa_family;
4639 		unsigned short snum;
4640 		u32 sid, node_perm;
4641 
4642 		/*
4643 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4644 		 * that validates multiple binding addresses. Because of this
4645 		 * need to check address->sa_family as it is possible to have
4646 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4647 		 */
4648 		switch (family_sa) {
4649 		case AF_UNSPEC:
4650 		case AF_INET:
4651 			if (addrlen < sizeof(struct sockaddr_in))
4652 				return -EINVAL;
4653 			addr4 = (struct sockaddr_in *)address;
4654 			if (family_sa == AF_UNSPEC) {
4655 				/* see __inet_bind(), we only want to allow
4656 				 * AF_UNSPEC if the address is INADDR_ANY
4657 				 */
4658 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4659 					goto err_af;
4660 				family_sa = AF_INET;
4661 			}
4662 			snum = ntohs(addr4->sin_port);
4663 			addrp = (char *)&addr4->sin_addr.s_addr;
4664 			break;
4665 		case AF_INET6:
4666 			if (addrlen < SIN6_LEN_RFC2133)
4667 				return -EINVAL;
4668 			addr6 = (struct sockaddr_in6 *)address;
4669 			snum = ntohs(addr6->sin6_port);
4670 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4671 			break;
4672 		default:
4673 			goto err_af;
4674 		}
4675 
4676 		ad.type = LSM_AUDIT_DATA_NET;
4677 		ad.u.net = &net;
4678 		ad.u.net->sport = htons(snum);
4679 		ad.u.net->family = family_sa;
4680 
4681 		if (snum) {
4682 			int low, high;
4683 
4684 			inet_get_local_port_range(sock_net(sk), &low, &high);
4685 
4686 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4687 			    snum > high) {
4688 				err = sel_netport_sid(sk->sk_protocol,
4689 						      snum, &sid);
4690 				if (err)
4691 					goto out;
4692 				err = avc_has_perm(&selinux_state,
4693 						   sksec->sid, sid,
4694 						   sksec->sclass,
4695 						   SOCKET__NAME_BIND, &ad);
4696 				if (err)
4697 					goto out;
4698 			}
4699 		}
4700 
4701 		switch (sksec->sclass) {
4702 		case SECCLASS_TCP_SOCKET:
4703 			node_perm = TCP_SOCKET__NODE_BIND;
4704 			break;
4705 
4706 		case SECCLASS_UDP_SOCKET:
4707 			node_perm = UDP_SOCKET__NODE_BIND;
4708 			break;
4709 
4710 		case SECCLASS_DCCP_SOCKET:
4711 			node_perm = DCCP_SOCKET__NODE_BIND;
4712 			break;
4713 
4714 		case SECCLASS_SCTP_SOCKET:
4715 			node_perm = SCTP_SOCKET__NODE_BIND;
4716 			break;
4717 
4718 		default:
4719 			node_perm = RAWIP_SOCKET__NODE_BIND;
4720 			break;
4721 		}
4722 
4723 		err = sel_netnode_sid(addrp, family_sa, &sid);
4724 		if (err)
4725 			goto out;
4726 
4727 		if (family_sa == AF_INET)
4728 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4729 		else
4730 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4731 
4732 		err = avc_has_perm(&selinux_state,
4733 				   sksec->sid, sid,
4734 				   sksec->sclass, node_perm, &ad);
4735 		if (err)
4736 			goto out;
4737 	}
4738 out:
4739 	return err;
4740 err_af:
4741 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4742 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4743 		return -EINVAL;
4744 	return -EAFNOSUPPORT;
4745 }
4746 
4747 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4748  * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4749  */
4750 static int selinux_socket_connect_helper(struct socket *sock,
4751 					 struct sockaddr *address, int addrlen)
4752 {
4753 	struct sock *sk = sock->sk;
4754 	struct sk_security_struct *sksec = sk->sk_security;
4755 	int err;
4756 
4757 	err = sock_has_perm(sk, SOCKET__CONNECT);
4758 	if (err)
4759 		return err;
4760 
4761 	/*
4762 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4763 	 * for the port.
4764 	 */
4765 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4766 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4767 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4768 		struct common_audit_data ad;
4769 		struct lsm_network_audit net = {0,};
4770 		struct sockaddr_in *addr4 = NULL;
4771 		struct sockaddr_in6 *addr6 = NULL;
4772 		unsigned short snum;
4773 		u32 sid, perm;
4774 
4775 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4776 		 * that validates multiple connect addresses. Because of this
4777 		 * need to check address->sa_family as it is possible to have
4778 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4779 		 */
4780 		switch (address->sa_family) {
4781 		case AF_INET:
4782 			addr4 = (struct sockaddr_in *)address;
4783 			if (addrlen < sizeof(struct sockaddr_in))
4784 				return -EINVAL;
4785 			snum = ntohs(addr4->sin_port);
4786 			break;
4787 		case AF_INET6:
4788 			addr6 = (struct sockaddr_in6 *)address;
4789 			if (addrlen < SIN6_LEN_RFC2133)
4790 				return -EINVAL;
4791 			snum = ntohs(addr6->sin6_port);
4792 			break;
4793 		default:
4794 			/* Note that SCTP services expect -EINVAL, whereas
4795 			 * others expect -EAFNOSUPPORT.
4796 			 */
4797 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4798 				return -EINVAL;
4799 			else
4800 				return -EAFNOSUPPORT;
4801 		}
4802 
4803 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4804 		if (err)
4805 			return err;
4806 
4807 		switch (sksec->sclass) {
4808 		case SECCLASS_TCP_SOCKET:
4809 			perm = TCP_SOCKET__NAME_CONNECT;
4810 			break;
4811 		case SECCLASS_DCCP_SOCKET:
4812 			perm = DCCP_SOCKET__NAME_CONNECT;
4813 			break;
4814 		case SECCLASS_SCTP_SOCKET:
4815 			perm = SCTP_SOCKET__NAME_CONNECT;
4816 			break;
4817 		}
4818 
4819 		ad.type = LSM_AUDIT_DATA_NET;
4820 		ad.u.net = &net;
4821 		ad.u.net->dport = htons(snum);
4822 		ad.u.net->family = address->sa_family;
4823 		err = avc_has_perm(&selinux_state,
4824 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4825 		if (err)
4826 			return err;
4827 	}
4828 
4829 	return 0;
4830 }
4831 
4832 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4833 static int selinux_socket_connect(struct socket *sock,
4834 				  struct sockaddr *address, int addrlen)
4835 {
4836 	int err;
4837 	struct sock *sk = sock->sk;
4838 
4839 	err = selinux_socket_connect_helper(sock, address, addrlen);
4840 	if (err)
4841 		return err;
4842 
4843 	return selinux_netlbl_socket_connect(sk, address);
4844 }
4845 
4846 static int selinux_socket_listen(struct socket *sock, int backlog)
4847 {
4848 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4849 }
4850 
4851 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4852 {
4853 	int err;
4854 	struct inode_security_struct *isec;
4855 	struct inode_security_struct *newisec;
4856 	u16 sclass;
4857 	u32 sid;
4858 
4859 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4860 	if (err)
4861 		return err;
4862 
4863 	isec = inode_security_novalidate(SOCK_INODE(sock));
4864 	spin_lock(&isec->lock);
4865 	sclass = isec->sclass;
4866 	sid = isec->sid;
4867 	spin_unlock(&isec->lock);
4868 
4869 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4870 	newisec->sclass = sclass;
4871 	newisec->sid = sid;
4872 	newisec->initialized = LABEL_INITIALIZED;
4873 
4874 	return 0;
4875 }
4876 
4877 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4878 				  int size)
4879 {
4880 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4881 }
4882 
4883 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4884 				  int size, int flags)
4885 {
4886 	return sock_has_perm(sock->sk, SOCKET__READ);
4887 }
4888 
4889 static int selinux_socket_getsockname(struct socket *sock)
4890 {
4891 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4892 }
4893 
4894 static int selinux_socket_getpeername(struct socket *sock)
4895 {
4896 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4897 }
4898 
4899 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4900 {
4901 	int err;
4902 
4903 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4904 	if (err)
4905 		return err;
4906 
4907 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4908 }
4909 
4910 static int selinux_socket_getsockopt(struct socket *sock, int level,
4911 				     int optname)
4912 {
4913 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4914 }
4915 
4916 static int selinux_socket_shutdown(struct socket *sock, int how)
4917 {
4918 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4919 }
4920 
4921 static int selinux_socket_unix_stream_connect(struct sock *sock,
4922 					      struct sock *other,
4923 					      struct sock *newsk)
4924 {
4925 	struct sk_security_struct *sksec_sock = sock->sk_security;
4926 	struct sk_security_struct *sksec_other = other->sk_security;
4927 	struct sk_security_struct *sksec_new = newsk->sk_security;
4928 	struct common_audit_data ad;
4929 	struct lsm_network_audit net = {0,};
4930 	int err;
4931 
4932 	ad.type = LSM_AUDIT_DATA_NET;
4933 	ad.u.net = &net;
4934 	ad.u.net->sk = other;
4935 
4936 	err = avc_has_perm(&selinux_state,
4937 			   sksec_sock->sid, sksec_other->sid,
4938 			   sksec_other->sclass,
4939 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4940 	if (err)
4941 		return err;
4942 
4943 	/* server child socket */
4944 	sksec_new->peer_sid = sksec_sock->sid;
4945 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4946 				    sksec_sock->sid, &sksec_new->sid);
4947 	if (err)
4948 		return err;
4949 
4950 	/* connecting socket */
4951 	sksec_sock->peer_sid = sksec_new->sid;
4952 
4953 	return 0;
4954 }
4955 
4956 static int selinux_socket_unix_may_send(struct socket *sock,
4957 					struct socket *other)
4958 {
4959 	struct sk_security_struct *ssec = sock->sk->sk_security;
4960 	struct sk_security_struct *osec = other->sk->sk_security;
4961 	struct common_audit_data ad;
4962 	struct lsm_network_audit net = {0,};
4963 
4964 	ad.type = LSM_AUDIT_DATA_NET;
4965 	ad.u.net = &net;
4966 	ad.u.net->sk = other->sk;
4967 
4968 	return avc_has_perm(&selinux_state,
4969 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4970 			    &ad);
4971 }
4972 
4973 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4974 				    char *addrp, u16 family, u32 peer_sid,
4975 				    struct common_audit_data *ad)
4976 {
4977 	int err;
4978 	u32 if_sid;
4979 	u32 node_sid;
4980 
4981 	err = sel_netif_sid(ns, ifindex, &if_sid);
4982 	if (err)
4983 		return err;
4984 	err = avc_has_perm(&selinux_state,
4985 			   peer_sid, if_sid,
4986 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4987 	if (err)
4988 		return err;
4989 
4990 	err = sel_netnode_sid(addrp, family, &node_sid);
4991 	if (err)
4992 		return err;
4993 	return avc_has_perm(&selinux_state,
4994 			    peer_sid, node_sid,
4995 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4996 }
4997 
4998 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4999 				       u16 family)
5000 {
5001 	int err = 0;
5002 	struct sk_security_struct *sksec = sk->sk_security;
5003 	u32 sk_sid = sksec->sid;
5004 	struct common_audit_data ad;
5005 	struct lsm_network_audit net = {0,};
5006 	char *addrp;
5007 
5008 	ad.type = LSM_AUDIT_DATA_NET;
5009 	ad.u.net = &net;
5010 	ad.u.net->netif = skb->skb_iif;
5011 	ad.u.net->family = family;
5012 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5013 	if (err)
5014 		return err;
5015 
5016 	if (selinux_secmark_enabled()) {
5017 		err = avc_has_perm(&selinux_state,
5018 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5019 				   PACKET__RECV, &ad);
5020 		if (err)
5021 			return err;
5022 	}
5023 
5024 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5025 	if (err)
5026 		return err;
5027 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5028 
5029 	return err;
5030 }
5031 
5032 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5033 {
5034 	int err;
5035 	struct sk_security_struct *sksec = sk->sk_security;
5036 	u16 family = sk->sk_family;
5037 	u32 sk_sid = sksec->sid;
5038 	struct common_audit_data ad;
5039 	struct lsm_network_audit net = {0,};
5040 	char *addrp;
5041 	u8 secmark_active;
5042 	u8 peerlbl_active;
5043 
5044 	if (family != PF_INET && family != PF_INET6)
5045 		return 0;
5046 
5047 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5048 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5049 		family = PF_INET;
5050 
5051 	/* If any sort of compatibility mode is enabled then handoff processing
5052 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5053 	 * special handling.  We do this in an attempt to keep this function
5054 	 * as fast and as clean as possible. */
5055 	if (!selinux_policycap_netpeer())
5056 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5057 
5058 	secmark_active = selinux_secmark_enabled();
5059 	peerlbl_active = selinux_peerlbl_enabled();
5060 	if (!secmark_active && !peerlbl_active)
5061 		return 0;
5062 
5063 	ad.type = LSM_AUDIT_DATA_NET;
5064 	ad.u.net = &net;
5065 	ad.u.net->netif = skb->skb_iif;
5066 	ad.u.net->family = family;
5067 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5068 	if (err)
5069 		return err;
5070 
5071 	if (peerlbl_active) {
5072 		u32 peer_sid;
5073 
5074 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5075 		if (err)
5076 			return err;
5077 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5078 					       addrp, family, peer_sid, &ad);
5079 		if (err) {
5080 			selinux_netlbl_err(skb, family, err, 0);
5081 			return err;
5082 		}
5083 		err = avc_has_perm(&selinux_state,
5084 				   sk_sid, peer_sid, SECCLASS_PEER,
5085 				   PEER__RECV, &ad);
5086 		if (err) {
5087 			selinux_netlbl_err(skb, family, err, 0);
5088 			return err;
5089 		}
5090 	}
5091 
5092 	if (secmark_active) {
5093 		err = avc_has_perm(&selinux_state,
5094 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5095 				   PACKET__RECV, &ad);
5096 		if (err)
5097 			return err;
5098 	}
5099 
5100 	return err;
5101 }
5102 
5103 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5104 					    int __user *optlen, unsigned len)
5105 {
5106 	int err = 0;
5107 	char *scontext;
5108 	u32 scontext_len;
5109 	struct sk_security_struct *sksec = sock->sk->sk_security;
5110 	u32 peer_sid = SECSID_NULL;
5111 
5112 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5113 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5114 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5115 		peer_sid = sksec->peer_sid;
5116 	if (peer_sid == SECSID_NULL)
5117 		return -ENOPROTOOPT;
5118 
5119 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5120 				      &scontext_len);
5121 	if (err)
5122 		return err;
5123 
5124 	if (scontext_len > len) {
5125 		err = -ERANGE;
5126 		goto out_len;
5127 	}
5128 
5129 	if (copy_to_user(optval, scontext, scontext_len))
5130 		err = -EFAULT;
5131 
5132 out_len:
5133 	if (put_user(scontext_len, optlen))
5134 		err = -EFAULT;
5135 	kfree(scontext);
5136 	return err;
5137 }
5138 
5139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5140 {
5141 	u32 peer_secid = SECSID_NULL;
5142 	u16 family;
5143 	struct inode_security_struct *isec;
5144 
5145 	if (skb && skb->protocol == htons(ETH_P_IP))
5146 		family = PF_INET;
5147 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5148 		family = PF_INET6;
5149 	else if (sock)
5150 		family = sock->sk->sk_family;
5151 	else
5152 		goto out;
5153 
5154 	if (sock && family == PF_UNIX) {
5155 		isec = inode_security_novalidate(SOCK_INODE(sock));
5156 		peer_secid = isec->sid;
5157 	} else if (skb)
5158 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5159 
5160 out:
5161 	*secid = peer_secid;
5162 	if (peer_secid == SECSID_NULL)
5163 		return -EINVAL;
5164 	return 0;
5165 }
5166 
5167 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5168 {
5169 	struct sk_security_struct *sksec;
5170 
5171 	sksec = kzalloc(sizeof(*sksec), priority);
5172 	if (!sksec)
5173 		return -ENOMEM;
5174 
5175 	sksec->peer_sid = SECINITSID_UNLABELED;
5176 	sksec->sid = SECINITSID_UNLABELED;
5177 	sksec->sclass = SECCLASS_SOCKET;
5178 	selinux_netlbl_sk_security_reset(sksec);
5179 	sk->sk_security = sksec;
5180 
5181 	return 0;
5182 }
5183 
5184 static void selinux_sk_free_security(struct sock *sk)
5185 {
5186 	struct sk_security_struct *sksec = sk->sk_security;
5187 
5188 	sk->sk_security = NULL;
5189 	selinux_netlbl_sk_security_free(sksec);
5190 	kfree(sksec);
5191 }
5192 
5193 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5194 {
5195 	struct sk_security_struct *sksec = sk->sk_security;
5196 	struct sk_security_struct *newsksec = newsk->sk_security;
5197 
5198 	newsksec->sid = sksec->sid;
5199 	newsksec->peer_sid = sksec->peer_sid;
5200 	newsksec->sclass = sksec->sclass;
5201 
5202 	selinux_netlbl_sk_security_reset(newsksec);
5203 }
5204 
5205 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5206 {
5207 	if (!sk)
5208 		*secid = SECINITSID_ANY_SOCKET;
5209 	else {
5210 		struct sk_security_struct *sksec = sk->sk_security;
5211 
5212 		*secid = sksec->sid;
5213 	}
5214 }
5215 
5216 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5217 {
5218 	struct inode_security_struct *isec =
5219 		inode_security_novalidate(SOCK_INODE(parent));
5220 	struct sk_security_struct *sksec = sk->sk_security;
5221 
5222 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5223 	    sk->sk_family == PF_UNIX)
5224 		isec->sid = sksec->sid;
5225 	sksec->sclass = isec->sclass;
5226 }
5227 
5228 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5229  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5230  * already present).
5231  */
5232 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5233 				      struct sk_buff *skb)
5234 {
5235 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5236 	struct common_audit_data ad;
5237 	struct lsm_network_audit net = {0,};
5238 	u8 peerlbl_active;
5239 	u32 peer_sid = SECINITSID_UNLABELED;
5240 	u32 conn_sid;
5241 	int err = 0;
5242 
5243 	if (!selinux_policycap_extsockclass())
5244 		return 0;
5245 
5246 	peerlbl_active = selinux_peerlbl_enabled();
5247 
5248 	if (peerlbl_active) {
5249 		/* This will return peer_sid = SECSID_NULL if there are
5250 		 * no peer labels, see security_net_peersid_resolve().
5251 		 */
5252 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5253 					      &peer_sid);
5254 		if (err)
5255 			return err;
5256 
5257 		if (peer_sid == SECSID_NULL)
5258 			peer_sid = SECINITSID_UNLABELED;
5259 	}
5260 
5261 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5262 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5263 
5264 		/* Here as first association on socket. As the peer SID
5265 		 * was allowed by peer recv (and the netif/node checks),
5266 		 * then it is approved by policy and used as the primary
5267 		 * peer SID for getpeercon(3).
5268 		 */
5269 		sksec->peer_sid = peer_sid;
5270 	} else if  (sksec->peer_sid != peer_sid) {
5271 		/* Other association peer SIDs are checked to enforce
5272 		 * consistency among the peer SIDs.
5273 		 */
5274 		ad.type = LSM_AUDIT_DATA_NET;
5275 		ad.u.net = &net;
5276 		ad.u.net->sk = ep->base.sk;
5277 		err = avc_has_perm(&selinux_state,
5278 				   sksec->peer_sid, peer_sid, sksec->sclass,
5279 				   SCTP_SOCKET__ASSOCIATION, &ad);
5280 		if (err)
5281 			return err;
5282 	}
5283 
5284 	/* Compute the MLS component for the connection and store
5285 	 * the information in ep. This will be used by SCTP TCP type
5286 	 * sockets and peeled off connections as they cause a new
5287 	 * socket to be generated. selinux_sctp_sk_clone() will then
5288 	 * plug this into the new socket.
5289 	 */
5290 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5291 	if (err)
5292 		return err;
5293 
5294 	ep->secid = conn_sid;
5295 	ep->peer_secid = peer_sid;
5296 
5297 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5298 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5299 }
5300 
5301 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5302  * based on their @optname.
5303  */
5304 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5305 				     struct sockaddr *address,
5306 				     int addrlen)
5307 {
5308 	int len, err = 0, walk_size = 0;
5309 	void *addr_buf;
5310 	struct sockaddr *addr;
5311 	struct socket *sock;
5312 
5313 	if (!selinux_policycap_extsockclass())
5314 		return 0;
5315 
5316 	/* Process one or more addresses that may be IPv4 or IPv6 */
5317 	sock = sk->sk_socket;
5318 	addr_buf = address;
5319 
5320 	while (walk_size < addrlen) {
5321 		addr = addr_buf;
5322 		switch (addr->sa_family) {
5323 		case AF_UNSPEC:
5324 		case AF_INET:
5325 			len = sizeof(struct sockaddr_in);
5326 			break;
5327 		case AF_INET6:
5328 			len = sizeof(struct sockaddr_in6);
5329 			break;
5330 		default:
5331 			return -EINVAL;
5332 		}
5333 
5334 		err = -EINVAL;
5335 		switch (optname) {
5336 		/* Bind checks */
5337 		case SCTP_PRIMARY_ADDR:
5338 		case SCTP_SET_PEER_PRIMARY_ADDR:
5339 		case SCTP_SOCKOPT_BINDX_ADD:
5340 			err = selinux_socket_bind(sock, addr, len);
5341 			break;
5342 		/* Connect checks */
5343 		case SCTP_SOCKOPT_CONNECTX:
5344 		case SCTP_PARAM_SET_PRIMARY:
5345 		case SCTP_PARAM_ADD_IP:
5346 		case SCTP_SENDMSG_CONNECT:
5347 			err = selinux_socket_connect_helper(sock, addr, len);
5348 			if (err)
5349 				return err;
5350 
5351 			/* As selinux_sctp_bind_connect() is called by the
5352 			 * SCTP protocol layer, the socket is already locked,
5353 			 * therefore selinux_netlbl_socket_connect_locked() is
5354 			 * is called here. The situations handled are:
5355 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5356 			 * whenever a new IP address is added or when a new
5357 			 * primary address is selected.
5358 			 * Note that an SCTP connect(2) call happens before
5359 			 * the SCTP protocol layer and is handled via
5360 			 * selinux_socket_connect().
5361 			 */
5362 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5363 			break;
5364 		}
5365 
5366 		if (err)
5367 			return err;
5368 
5369 		addr_buf += len;
5370 		walk_size += len;
5371 	}
5372 
5373 	return 0;
5374 }
5375 
5376 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5377 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5378 				  struct sock *newsk)
5379 {
5380 	struct sk_security_struct *sksec = sk->sk_security;
5381 	struct sk_security_struct *newsksec = newsk->sk_security;
5382 
5383 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5384 	 * the non-sctp clone version.
5385 	 */
5386 	if (!selinux_policycap_extsockclass())
5387 		return selinux_sk_clone_security(sk, newsk);
5388 
5389 	newsksec->sid = ep->secid;
5390 	newsksec->peer_sid = ep->peer_secid;
5391 	newsksec->sclass = sksec->sclass;
5392 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5393 }
5394 
5395 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5396 				     struct request_sock *req)
5397 {
5398 	struct sk_security_struct *sksec = sk->sk_security;
5399 	int err;
5400 	u16 family = req->rsk_ops->family;
5401 	u32 connsid;
5402 	u32 peersid;
5403 
5404 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5405 	if (err)
5406 		return err;
5407 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5408 	if (err)
5409 		return err;
5410 	req->secid = connsid;
5411 	req->peer_secid = peersid;
5412 
5413 	return selinux_netlbl_inet_conn_request(req, family);
5414 }
5415 
5416 static void selinux_inet_csk_clone(struct sock *newsk,
5417 				   const struct request_sock *req)
5418 {
5419 	struct sk_security_struct *newsksec = newsk->sk_security;
5420 
5421 	newsksec->sid = req->secid;
5422 	newsksec->peer_sid = req->peer_secid;
5423 	/* NOTE: Ideally, we should also get the isec->sid for the
5424 	   new socket in sync, but we don't have the isec available yet.
5425 	   So we will wait until sock_graft to do it, by which
5426 	   time it will have been created and available. */
5427 
5428 	/* We don't need to take any sort of lock here as we are the only
5429 	 * thread with access to newsksec */
5430 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5431 }
5432 
5433 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5434 {
5435 	u16 family = sk->sk_family;
5436 	struct sk_security_struct *sksec = sk->sk_security;
5437 
5438 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5439 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5440 		family = PF_INET;
5441 
5442 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5443 }
5444 
5445 static int selinux_secmark_relabel_packet(u32 sid)
5446 {
5447 	const struct task_security_struct *__tsec;
5448 	u32 tsid;
5449 
5450 	__tsec = current_security();
5451 	tsid = __tsec->sid;
5452 
5453 	return avc_has_perm(&selinux_state,
5454 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5455 			    NULL);
5456 }
5457 
5458 static void selinux_secmark_refcount_inc(void)
5459 {
5460 	atomic_inc(&selinux_secmark_refcount);
5461 }
5462 
5463 static void selinux_secmark_refcount_dec(void)
5464 {
5465 	atomic_dec(&selinux_secmark_refcount);
5466 }
5467 
5468 static void selinux_req_classify_flow(const struct request_sock *req,
5469 				      struct flowi *fl)
5470 {
5471 	fl->flowi_secid = req->secid;
5472 }
5473 
5474 static int selinux_tun_dev_alloc_security(void **security)
5475 {
5476 	struct tun_security_struct *tunsec;
5477 
5478 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5479 	if (!tunsec)
5480 		return -ENOMEM;
5481 	tunsec->sid = current_sid();
5482 
5483 	*security = tunsec;
5484 	return 0;
5485 }
5486 
5487 static void selinux_tun_dev_free_security(void *security)
5488 {
5489 	kfree(security);
5490 }
5491 
5492 static int selinux_tun_dev_create(void)
5493 {
5494 	u32 sid = current_sid();
5495 
5496 	/* we aren't taking into account the "sockcreate" SID since the socket
5497 	 * that is being created here is not a socket in the traditional sense,
5498 	 * instead it is a private sock, accessible only to the kernel, and
5499 	 * representing a wide range of network traffic spanning multiple
5500 	 * connections unlike traditional sockets - check the TUN driver to
5501 	 * get a better understanding of why this socket is special */
5502 
5503 	return avc_has_perm(&selinux_state,
5504 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5505 			    NULL);
5506 }
5507 
5508 static int selinux_tun_dev_attach_queue(void *security)
5509 {
5510 	struct tun_security_struct *tunsec = security;
5511 
5512 	return avc_has_perm(&selinux_state,
5513 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5514 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5515 }
5516 
5517 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5518 {
5519 	struct tun_security_struct *tunsec = security;
5520 	struct sk_security_struct *sksec = sk->sk_security;
5521 
5522 	/* we don't currently perform any NetLabel based labeling here and it
5523 	 * isn't clear that we would want to do so anyway; while we could apply
5524 	 * labeling without the support of the TUN user the resulting labeled
5525 	 * traffic from the other end of the connection would almost certainly
5526 	 * cause confusion to the TUN user that had no idea network labeling
5527 	 * protocols were being used */
5528 
5529 	sksec->sid = tunsec->sid;
5530 	sksec->sclass = SECCLASS_TUN_SOCKET;
5531 
5532 	return 0;
5533 }
5534 
5535 static int selinux_tun_dev_open(void *security)
5536 {
5537 	struct tun_security_struct *tunsec = security;
5538 	u32 sid = current_sid();
5539 	int err;
5540 
5541 	err = avc_has_perm(&selinux_state,
5542 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5543 			   TUN_SOCKET__RELABELFROM, NULL);
5544 	if (err)
5545 		return err;
5546 	err = avc_has_perm(&selinux_state,
5547 			   sid, sid, SECCLASS_TUN_SOCKET,
5548 			   TUN_SOCKET__RELABELTO, NULL);
5549 	if (err)
5550 		return err;
5551 	tunsec->sid = sid;
5552 
5553 	return 0;
5554 }
5555 
5556 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5557 {
5558 	int err = 0;
5559 	u32 perm;
5560 	struct nlmsghdr *nlh;
5561 	struct sk_security_struct *sksec = sk->sk_security;
5562 
5563 	if (skb->len < NLMSG_HDRLEN) {
5564 		err = -EINVAL;
5565 		goto out;
5566 	}
5567 	nlh = nlmsg_hdr(skb);
5568 
5569 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5570 	if (err) {
5571 		if (err == -EINVAL) {
5572 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5573 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5574 			       " pig=%d comm=%s\n",
5575 			       sk->sk_protocol, nlh->nlmsg_type,
5576 			       secclass_map[sksec->sclass - 1].name,
5577 			       task_pid_nr(current), current->comm);
5578 			if (!enforcing_enabled(&selinux_state) ||
5579 			    security_get_allow_unknown(&selinux_state))
5580 				err = 0;
5581 		}
5582 
5583 		/* Ignore */
5584 		if (err == -ENOENT)
5585 			err = 0;
5586 		goto out;
5587 	}
5588 
5589 	err = sock_has_perm(sk, perm);
5590 out:
5591 	return err;
5592 }
5593 
5594 #ifdef CONFIG_NETFILTER
5595 
5596 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5597 				       const struct net_device *indev,
5598 				       u16 family)
5599 {
5600 	int err;
5601 	char *addrp;
5602 	u32 peer_sid;
5603 	struct common_audit_data ad;
5604 	struct lsm_network_audit net = {0,};
5605 	u8 secmark_active;
5606 	u8 netlbl_active;
5607 	u8 peerlbl_active;
5608 
5609 	if (!selinux_policycap_netpeer())
5610 		return NF_ACCEPT;
5611 
5612 	secmark_active = selinux_secmark_enabled();
5613 	netlbl_active = netlbl_enabled();
5614 	peerlbl_active = selinux_peerlbl_enabled();
5615 	if (!secmark_active && !peerlbl_active)
5616 		return NF_ACCEPT;
5617 
5618 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5619 		return NF_DROP;
5620 
5621 	ad.type = LSM_AUDIT_DATA_NET;
5622 	ad.u.net = &net;
5623 	ad.u.net->netif = indev->ifindex;
5624 	ad.u.net->family = family;
5625 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5626 		return NF_DROP;
5627 
5628 	if (peerlbl_active) {
5629 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5630 					       addrp, family, peer_sid, &ad);
5631 		if (err) {
5632 			selinux_netlbl_err(skb, family, err, 1);
5633 			return NF_DROP;
5634 		}
5635 	}
5636 
5637 	if (secmark_active)
5638 		if (avc_has_perm(&selinux_state,
5639 				 peer_sid, skb->secmark,
5640 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5641 			return NF_DROP;
5642 
5643 	if (netlbl_active)
5644 		/* we do this in the FORWARD path and not the POST_ROUTING
5645 		 * path because we want to make sure we apply the necessary
5646 		 * labeling before IPsec is applied so we can leverage AH
5647 		 * protection */
5648 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5649 			return NF_DROP;
5650 
5651 	return NF_ACCEPT;
5652 }
5653 
5654 static unsigned int selinux_ipv4_forward(void *priv,
5655 					 struct sk_buff *skb,
5656 					 const struct nf_hook_state *state)
5657 {
5658 	return selinux_ip_forward(skb, state->in, PF_INET);
5659 }
5660 
5661 #if IS_ENABLED(CONFIG_IPV6)
5662 static unsigned int selinux_ipv6_forward(void *priv,
5663 					 struct sk_buff *skb,
5664 					 const struct nf_hook_state *state)
5665 {
5666 	return selinux_ip_forward(skb, state->in, PF_INET6);
5667 }
5668 #endif	/* IPV6 */
5669 
5670 static unsigned int selinux_ip_output(struct sk_buff *skb,
5671 				      u16 family)
5672 {
5673 	struct sock *sk;
5674 	u32 sid;
5675 
5676 	if (!netlbl_enabled())
5677 		return NF_ACCEPT;
5678 
5679 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5680 	 * because we want to make sure we apply the necessary labeling
5681 	 * before IPsec is applied so we can leverage AH protection */
5682 	sk = skb->sk;
5683 	if (sk) {
5684 		struct sk_security_struct *sksec;
5685 
5686 		if (sk_listener(sk))
5687 			/* if the socket is the listening state then this
5688 			 * packet is a SYN-ACK packet which means it needs to
5689 			 * be labeled based on the connection/request_sock and
5690 			 * not the parent socket.  unfortunately, we can't
5691 			 * lookup the request_sock yet as it isn't queued on
5692 			 * the parent socket until after the SYN-ACK is sent.
5693 			 * the "solution" is to simply pass the packet as-is
5694 			 * as any IP option based labeling should be copied
5695 			 * from the initial connection request (in the IP
5696 			 * layer).  it is far from ideal, but until we get a
5697 			 * security label in the packet itself this is the
5698 			 * best we can do. */
5699 			return NF_ACCEPT;
5700 
5701 		/* standard practice, label using the parent socket */
5702 		sksec = sk->sk_security;
5703 		sid = sksec->sid;
5704 	} else
5705 		sid = SECINITSID_KERNEL;
5706 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5707 		return NF_DROP;
5708 
5709 	return NF_ACCEPT;
5710 }
5711 
5712 static unsigned int selinux_ipv4_output(void *priv,
5713 					struct sk_buff *skb,
5714 					const struct nf_hook_state *state)
5715 {
5716 	return selinux_ip_output(skb, PF_INET);
5717 }
5718 
5719 #if IS_ENABLED(CONFIG_IPV6)
5720 static unsigned int selinux_ipv6_output(void *priv,
5721 					struct sk_buff *skb,
5722 					const struct nf_hook_state *state)
5723 {
5724 	return selinux_ip_output(skb, PF_INET6);
5725 }
5726 #endif	/* IPV6 */
5727 
5728 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5729 						int ifindex,
5730 						u16 family)
5731 {
5732 	struct sock *sk = skb_to_full_sk(skb);
5733 	struct sk_security_struct *sksec;
5734 	struct common_audit_data ad;
5735 	struct lsm_network_audit net = {0,};
5736 	char *addrp;
5737 	u8 proto;
5738 
5739 	if (sk == NULL)
5740 		return NF_ACCEPT;
5741 	sksec = sk->sk_security;
5742 
5743 	ad.type = LSM_AUDIT_DATA_NET;
5744 	ad.u.net = &net;
5745 	ad.u.net->netif = ifindex;
5746 	ad.u.net->family = family;
5747 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5748 		return NF_DROP;
5749 
5750 	if (selinux_secmark_enabled())
5751 		if (avc_has_perm(&selinux_state,
5752 				 sksec->sid, skb->secmark,
5753 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5754 			return NF_DROP_ERR(-ECONNREFUSED);
5755 
5756 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5757 		return NF_DROP_ERR(-ECONNREFUSED);
5758 
5759 	return NF_ACCEPT;
5760 }
5761 
5762 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5763 					 const struct net_device *outdev,
5764 					 u16 family)
5765 {
5766 	u32 secmark_perm;
5767 	u32 peer_sid;
5768 	int ifindex = outdev->ifindex;
5769 	struct sock *sk;
5770 	struct common_audit_data ad;
5771 	struct lsm_network_audit net = {0,};
5772 	char *addrp;
5773 	u8 secmark_active;
5774 	u8 peerlbl_active;
5775 
5776 	/* If any sort of compatibility mode is enabled then handoff processing
5777 	 * to the selinux_ip_postroute_compat() function to deal with the
5778 	 * special handling.  We do this in an attempt to keep this function
5779 	 * as fast and as clean as possible. */
5780 	if (!selinux_policycap_netpeer())
5781 		return selinux_ip_postroute_compat(skb, ifindex, family);
5782 
5783 	secmark_active = selinux_secmark_enabled();
5784 	peerlbl_active = selinux_peerlbl_enabled();
5785 	if (!secmark_active && !peerlbl_active)
5786 		return NF_ACCEPT;
5787 
5788 	sk = skb_to_full_sk(skb);
5789 
5790 #ifdef CONFIG_XFRM
5791 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5792 	 * packet transformation so allow the packet to pass without any checks
5793 	 * since we'll have another chance to perform access control checks
5794 	 * when the packet is on it's final way out.
5795 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5796 	 *       is NULL, in this case go ahead and apply access control.
5797 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5798 	 *       TCP listening state we cannot wait until the XFRM processing
5799 	 *       is done as we will miss out on the SA label if we do;
5800 	 *       unfortunately, this means more work, but it is only once per
5801 	 *       connection. */
5802 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5803 	    !(sk && sk_listener(sk)))
5804 		return NF_ACCEPT;
5805 #endif
5806 
5807 	if (sk == NULL) {
5808 		/* Without an associated socket the packet is either coming
5809 		 * from the kernel or it is being forwarded; check the packet
5810 		 * to determine which and if the packet is being forwarded
5811 		 * query the packet directly to determine the security label. */
5812 		if (skb->skb_iif) {
5813 			secmark_perm = PACKET__FORWARD_OUT;
5814 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5815 				return NF_DROP;
5816 		} else {
5817 			secmark_perm = PACKET__SEND;
5818 			peer_sid = SECINITSID_KERNEL;
5819 		}
5820 	} else if (sk_listener(sk)) {
5821 		/* Locally generated packet but the associated socket is in the
5822 		 * listening state which means this is a SYN-ACK packet.  In
5823 		 * this particular case the correct security label is assigned
5824 		 * to the connection/request_sock but unfortunately we can't
5825 		 * query the request_sock as it isn't queued on the parent
5826 		 * socket until after the SYN-ACK packet is sent; the only
5827 		 * viable choice is to regenerate the label like we do in
5828 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5829 		 * for similar problems. */
5830 		u32 skb_sid;
5831 		struct sk_security_struct *sksec;
5832 
5833 		sksec = sk->sk_security;
5834 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5835 			return NF_DROP;
5836 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5837 		 * and the packet has been through at least one XFRM
5838 		 * transformation then we must be dealing with the "final"
5839 		 * form of labeled IPsec packet; since we've already applied
5840 		 * all of our access controls on this packet we can safely
5841 		 * pass the packet. */
5842 		if (skb_sid == SECSID_NULL) {
5843 			switch (family) {
5844 			case PF_INET:
5845 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5846 					return NF_ACCEPT;
5847 				break;
5848 			case PF_INET6:
5849 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5850 					return NF_ACCEPT;
5851 				break;
5852 			default:
5853 				return NF_DROP_ERR(-ECONNREFUSED);
5854 			}
5855 		}
5856 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5857 			return NF_DROP;
5858 		secmark_perm = PACKET__SEND;
5859 	} else {
5860 		/* Locally generated packet, fetch the security label from the
5861 		 * associated socket. */
5862 		struct sk_security_struct *sksec = sk->sk_security;
5863 		peer_sid = sksec->sid;
5864 		secmark_perm = PACKET__SEND;
5865 	}
5866 
5867 	ad.type = LSM_AUDIT_DATA_NET;
5868 	ad.u.net = &net;
5869 	ad.u.net->netif = ifindex;
5870 	ad.u.net->family = family;
5871 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5872 		return NF_DROP;
5873 
5874 	if (secmark_active)
5875 		if (avc_has_perm(&selinux_state,
5876 				 peer_sid, skb->secmark,
5877 				 SECCLASS_PACKET, secmark_perm, &ad))
5878 			return NF_DROP_ERR(-ECONNREFUSED);
5879 
5880 	if (peerlbl_active) {
5881 		u32 if_sid;
5882 		u32 node_sid;
5883 
5884 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5885 			return NF_DROP;
5886 		if (avc_has_perm(&selinux_state,
5887 				 peer_sid, if_sid,
5888 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5889 			return NF_DROP_ERR(-ECONNREFUSED);
5890 
5891 		if (sel_netnode_sid(addrp, family, &node_sid))
5892 			return NF_DROP;
5893 		if (avc_has_perm(&selinux_state,
5894 				 peer_sid, node_sid,
5895 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5896 			return NF_DROP_ERR(-ECONNREFUSED);
5897 	}
5898 
5899 	return NF_ACCEPT;
5900 }
5901 
5902 static unsigned int selinux_ipv4_postroute(void *priv,
5903 					   struct sk_buff *skb,
5904 					   const struct nf_hook_state *state)
5905 {
5906 	return selinux_ip_postroute(skb, state->out, PF_INET);
5907 }
5908 
5909 #if IS_ENABLED(CONFIG_IPV6)
5910 static unsigned int selinux_ipv6_postroute(void *priv,
5911 					   struct sk_buff *skb,
5912 					   const struct nf_hook_state *state)
5913 {
5914 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5915 }
5916 #endif	/* IPV6 */
5917 
5918 #endif	/* CONFIG_NETFILTER */
5919 
5920 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5921 {
5922 	return selinux_nlmsg_perm(sk, skb);
5923 }
5924 
5925 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5926 			      u16 sclass)
5927 {
5928 	struct ipc_security_struct *isec;
5929 
5930 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5931 	if (!isec)
5932 		return -ENOMEM;
5933 
5934 	isec->sclass = sclass;
5935 	isec->sid = current_sid();
5936 	perm->security = isec;
5937 
5938 	return 0;
5939 }
5940 
5941 static void ipc_free_security(struct kern_ipc_perm *perm)
5942 {
5943 	struct ipc_security_struct *isec = perm->security;
5944 	perm->security = NULL;
5945 	kfree(isec);
5946 }
5947 
5948 static int msg_msg_alloc_security(struct msg_msg *msg)
5949 {
5950 	struct msg_security_struct *msec;
5951 
5952 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5953 	if (!msec)
5954 		return -ENOMEM;
5955 
5956 	msec->sid = SECINITSID_UNLABELED;
5957 	msg->security = msec;
5958 
5959 	return 0;
5960 }
5961 
5962 static void msg_msg_free_security(struct msg_msg *msg)
5963 {
5964 	struct msg_security_struct *msec = msg->security;
5965 
5966 	msg->security = NULL;
5967 	kfree(msec);
5968 }
5969 
5970 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5971 			u32 perms)
5972 {
5973 	struct ipc_security_struct *isec;
5974 	struct common_audit_data ad;
5975 	u32 sid = current_sid();
5976 
5977 	isec = ipc_perms->security;
5978 
5979 	ad.type = LSM_AUDIT_DATA_IPC;
5980 	ad.u.ipc_id = ipc_perms->key;
5981 
5982 	return avc_has_perm(&selinux_state,
5983 			    sid, isec->sid, isec->sclass, perms, &ad);
5984 }
5985 
5986 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5987 {
5988 	return msg_msg_alloc_security(msg);
5989 }
5990 
5991 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5992 {
5993 	msg_msg_free_security(msg);
5994 }
5995 
5996 /* message queue security operations */
5997 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5998 {
5999 	struct ipc_security_struct *isec;
6000 	struct common_audit_data ad;
6001 	u32 sid = current_sid();
6002 	int rc;
6003 
6004 	rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6005 	if (rc)
6006 		return rc;
6007 
6008 	isec = msq->security;
6009 
6010 	ad.type = LSM_AUDIT_DATA_IPC;
6011 	ad.u.ipc_id = msq->key;
6012 
6013 	rc = avc_has_perm(&selinux_state,
6014 			  sid, isec->sid, SECCLASS_MSGQ,
6015 			  MSGQ__CREATE, &ad);
6016 	if (rc) {
6017 		ipc_free_security(msq);
6018 		return rc;
6019 	}
6020 	return 0;
6021 }
6022 
6023 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6024 {
6025 	ipc_free_security(msq);
6026 }
6027 
6028 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6029 {
6030 	struct ipc_security_struct *isec;
6031 	struct common_audit_data ad;
6032 	u32 sid = current_sid();
6033 
6034 	isec = msq->security;
6035 
6036 	ad.type = LSM_AUDIT_DATA_IPC;
6037 	ad.u.ipc_id = msq->key;
6038 
6039 	return avc_has_perm(&selinux_state,
6040 			    sid, isec->sid, SECCLASS_MSGQ,
6041 			    MSGQ__ASSOCIATE, &ad);
6042 }
6043 
6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6045 {
6046 	int err;
6047 	int perms;
6048 
6049 	switch (cmd) {
6050 	case IPC_INFO:
6051 	case MSG_INFO:
6052 		/* No specific object, just general system-wide information. */
6053 		return avc_has_perm(&selinux_state,
6054 				    current_sid(), SECINITSID_KERNEL,
6055 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6056 	case IPC_STAT:
6057 	case MSG_STAT:
6058 	case MSG_STAT_ANY:
6059 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6060 		break;
6061 	case IPC_SET:
6062 		perms = MSGQ__SETATTR;
6063 		break;
6064 	case IPC_RMID:
6065 		perms = MSGQ__DESTROY;
6066 		break;
6067 	default:
6068 		return 0;
6069 	}
6070 
6071 	err = ipc_has_perm(msq, perms);
6072 	return err;
6073 }
6074 
6075 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6076 {
6077 	struct ipc_security_struct *isec;
6078 	struct msg_security_struct *msec;
6079 	struct common_audit_data ad;
6080 	u32 sid = current_sid();
6081 	int rc;
6082 
6083 	isec = msq->security;
6084 	msec = msg->security;
6085 
6086 	/*
6087 	 * First time through, need to assign label to the message
6088 	 */
6089 	if (msec->sid == SECINITSID_UNLABELED) {
6090 		/*
6091 		 * Compute new sid based on current process and
6092 		 * message queue this message will be stored in
6093 		 */
6094 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6095 					     SECCLASS_MSG, NULL, &msec->sid);
6096 		if (rc)
6097 			return rc;
6098 	}
6099 
6100 	ad.type = LSM_AUDIT_DATA_IPC;
6101 	ad.u.ipc_id = msq->key;
6102 
6103 	/* Can this process write to the queue? */
6104 	rc = avc_has_perm(&selinux_state,
6105 			  sid, isec->sid, SECCLASS_MSGQ,
6106 			  MSGQ__WRITE, &ad);
6107 	if (!rc)
6108 		/* Can this process send the message */
6109 		rc = avc_has_perm(&selinux_state,
6110 				  sid, msec->sid, SECCLASS_MSG,
6111 				  MSG__SEND, &ad);
6112 	if (!rc)
6113 		/* Can the message be put in the queue? */
6114 		rc = avc_has_perm(&selinux_state,
6115 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6116 				  MSGQ__ENQUEUE, &ad);
6117 
6118 	return rc;
6119 }
6120 
6121 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6122 				    struct task_struct *target,
6123 				    long type, int mode)
6124 {
6125 	struct ipc_security_struct *isec;
6126 	struct msg_security_struct *msec;
6127 	struct common_audit_data ad;
6128 	u32 sid = task_sid(target);
6129 	int rc;
6130 
6131 	isec = msq->security;
6132 	msec = msg->security;
6133 
6134 	ad.type = LSM_AUDIT_DATA_IPC;
6135 	ad.u.ipc_id = msq->key;
6136 
6137 	rc = avc_has_perm(&selinux_state,
6138 			  sid, isec->sid,
6139 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6140 	if (!rc)
6141 		rc = avc_has_perm(&selinux_state,
6142 				  sid, msec->sid,
6143 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6144 	return rc;
6145 }
6146 
6147 /* Shared Memory security operations */
6148 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6149 {
6150 	struct ipc_security_struct *isec;
6151 	struct common_audit_data ad;
6152 	u32 sid = current_sid();
6153 	int rc;
6154 
6155 	rc = ipc_alloc_security(shp, SECCLASS_SHM);
6156 	if (rc)
6157 		return rc;
6158 
6159 	isec = shp->security;
6160 
6161 	ad.type = LSM_AUDIT_DATA_IPC;
6162 	ad.u.ipc_id = shp->key;
6163 
6164 	rc = avc_has_perm(&selinux_state,
6165 			  sid, isec->sid, SECCLASS_SHM,
6166 			  SHM__CREATE, &ad);
6167 	if (rc) {
6168 		ipc_free_security(shp);
6169 		return rc;
6170 	}
6171 	return 0;
6172 }
6173 
6174 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6175 {
6176 	ipc_free_security(shp);
6177 }
6178 
6179 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6180 {
6181 	struct ipc_security_struct *isec;
6182 	struct common_audit_data ad;
6183 	u32 sid = current_sid();
6184 
6185 	isec = shp->security;
6186 
6187 	ad.type = LSM_AUDIT_DATA_IPC;
6188 	ad.u.ipc_id = shp->key;
6189 
6190 	return avc_has_perm(&selinux_state,
6191 			    sid, isec->sid, SECCLASS_SHM,
6192 			    SHM__ASSOCIATE, &ad);
6193 }
6194 
6195 /* Note, at this point, shp is locked down */
6196 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6197 {
6198 	int perms;
6199 	int err;
6200 
6201 	switch (cmd) {
6202 	case IPC_INFO:
6203 	case SHM_INFO:
6204 		/* No specific object, just general system-wide information. */
6205 		return avc_has_perm(&selinux_state,
6206 				    current_sid(), SECINITSID_KERNEL,
6207 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6208 	case IPC_STAT:
6209 	case SHM_STAT:
6210 	case SHM_STAT_ANY:
6211 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6212 		break;
6213 	case IPC_SET:
6214 		perms = SHM__SETATTR;
6215 		break;
6216 	case SHM_LOCK:
6217 	case SHM_UNLOCK:
6218 		perms = SHM__LOCK;
6219 		break;
6220 	case IPC_RMID:
6221 		perms = SHM__DESTROY;
6222 		break;
6223 	default:
6224 		return 0;
6225 	}
6226 
6227 	err = ipc_has_perm(shp, perms);
6228 	return err;
6229 }
6230 
6231 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6232 			     char __user *shmaddr, int shmflg)
6233 {
6234 	u32 perms;
6235 
6236 	if (shmflg & SHM_RDONLY)
6237 		perms = SHM__READ;
6238 	else
6239 		perms = SHM__READ | SHM__WRITE;
6240 
6241 	return ipc_has_perm(shp, perms);
6242 }
6243 
6244 /* Semaphore security operations */
6245 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6246 {
6247 	struct ipc_security_struct *isec;
6248 	struct common_audit_data ad;
6249 	u32 sid = current_sid();
6250 	int rc;
6251 
6252 	rc = ipc_alloc_security(sma, SECCLASS_SEM);
6253 	if (rc)
6254 		return rc;
6255 
6256 	isec = sma->security;
6257 
6258 	ad.type = LSM_AUDIT_DATA_IPC;
6259 	ad.u.ipc_id = sma->key;
6260 
6261 	rc = avc_has_perm(&selinux_state,
6262 			  sid, isec->sid, SECCLASS_SEM,
6263 			  SEM__CREATE, &ad);
6264 	if (rc) {
6265 		ipc_free_security(sma);
6266 		return rc;
6267 	}
6268 	return 0;
6269 }
6270 
6271 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6272 {
6273 	ipc_free_security(sma);
6274 }
6275 
6276 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6277 {
6278 	struct ipc_security_struct *isec;
6279 	struct common_audit_data ad;
6280 	u32 sid = current_sid();
6281 
6282 	isec = sma->security;
6283 
6284 	ad.type = LSM_AUDIT_DATA_IPC;
6285 	ad.u.ipc_id = sma->key;
6286 
6287 	return avc_has_perm(&selinux_state,
6288 			    sid, isec->sid, SECCLASS_SEM,
6289 			    SEM__ASSOCIATE, &ad);
6290 }
6291 
6292 /* Note, at this point, sma is locked down */
6293 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6294 {
6295 	int err;
6296 	u32 perms;
6297 
6298 	switch (cmd) {
6299 	case IPC_INFO:
6300 	case SEM_INFO:
6301 		/* No specific object, just general system-wide information. */
6302 		return avc_has_perm(&selinux_state,
6303 				    current_sid(), SECINITSID_KERNEL,
6304 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6305 	case GETPID:
6306 	case GETNCNT:
6307 	case GETZCNT:
6308 		perms = SEM__GETATTR;
6309 		break;
6310 	case GETVAL:
6311 	case GETALL:
6312 		perms = SEM__READ;
6313 		break;
6314 	case SETVAL:
6315 	case SETALL:
6316 		perms = SEM__WRITE;
6317 		break;
6318 	case IPC_RMID:
6319 		perms = SEM__DESTROY;
6320 		break;
6321 	case IPC_SET:
6322 		perms = SEM__SETATTR;
6323 		break;
6324 	case IPC_STAT:
6325 	case SEM_STAT:
6326 	case SEM_STAT_ANY:
6327 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6328 		break;
6329 	default:
6330 		return 0;
6331 	}
6332 
6333 	err = ipc_has_perm(sma, perms);
6334 	return err;
6335 }
6336 
6337 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6338 			     struct sembuf *sops, unsigned nsops, int alter)
6339 {
6340 	u32 perms;
6341 
6342 	if (alter)
6343 		perms = SEM__READ | SEM__WRITE;
6344 	else
6345 		perms = SEM__READ;
6346 
6347 	return ipc_has_perm(sma, perms);
6348 }
6349 
6350 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6351 {
6352 	u32 av = 0;
6353 
6354 	av = 0;
6355 	if (flag & S_IRUGO)
6356 		av |= IPC__UNIX_READ;
6357 	if (flag & S_IWUGO)
6358 		av |= IPC__UNIX_WRITE;
6359 
6360 	if (av == 0)
6361 		return 0;
6362 
6363 	return ipc_has_perm(ipcp, av);
6364 }
6365 
6366 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6367 {
6368 	struct ipc_security_struct *isec = ipcp->security;
6369 	*secid = isec->sid;
6370 }
6371 
6372 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6373 {
6374 	if (inode)
6375 		inode_doinit_with_dentry(inode, dentry);
6376 }
6377 
6378 static int selinux_getprocattr(struct task_struct *p,
6379 			       char *name, char **value)
6380 {
6381 	const struct task_security_struct *__tsec;
6382 	u32 sid;
6383 	int error;
6384 	unsigned len;
6385 
6386 	rcu_read_lock();
6387 	__tsec = __task_cred(p)->security;
6388 
6389 	if (current != p) {
6390 		error = avc_has_perm(&selinux_state,
6391 				     current_sid(), __tsec->sid,
6392 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6393 		if (error)
6394 			goto bad;
6395 	}
6396 
6397 	if (!strcmp(name, "current"))
6398 		sid = __tsec->sid;
6399 	else if (!strcmp(name, "prev"))
6400 		sid = __tsec->osid;
6401 	else if (!strcmp(name, "exec"))
6402 		sid = __tsec->exec_sid;
6403 	else if (!strcmp(name, "fscreate"))
6404 		sid = __tsec->create_sid;
6405 	else if (!strcmp(name, "keycreate"))
6406 		sid = __tsec->keycreate_sid;
6407 	else if (!strcmp(name, "sockcreate"))
6408 		sid = __tsec->sockcreate_sid;
6409 	else {
6410 		error = -EINVAL;
6411 		goto bad;
6412 	}
6413 	rcu_read_unlock();
6414 
6415 	if (!sid)
6416 		return 0;
6417 
6418 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6419 	if (error)
6420 		return error;
6421 	return len;
6422 
6423 bad:
6424 	rcu_read_unlock();
6425 	return error;
6426 }
6427 
6428 static int selinux_setprocattr(const char *name, void *value, size_t size)
6429 {
6430 	struct task_security_struct *tsec;
6431 	struct cred *new;
6432 	u32 mysid = current_sid(), sid = 0, ptsid;
6433 	int error;
6434 	char *str = value;
6435 
6436 	/*
6437 	 * Basic control over ability to set these attributes at all.
6438 	 */
6439 	if (!strcmp(name, "exec"))
6440 		error = avc_has_perm(&selinux_state,
6441 				     mysid, mysid, SECCLASS_PROCESS,
6442 				     PROCESS__SETEXEC, NULL);
6443 	else if (!strcmp(name, "fscreate"))
6444 		error = avc_has_perm(&selinux_state,
6445 				     mysid, mysid, SECCLASS_PROCESS,
6446 				     PROCESS__SETFSCREATE, NULL);
6447 	else if (!strcmp(name, "keycreate"))
6448 		error = avc_has_perm(&selinux_state,
6449 				     mysid, mysid, SECCLASS_PROCESS,
6450 				     PROCESS__SETKEYCREATE, NULL);
6451 	else if (!strcmp(name, "sockcreate"))
6452 		error = avc_has_perm(&selinux_state,
6453 				     mysid, mysid, SECCLASS_PROCESS,
6454 				     PROCESS__SETSOCKCREATE, NULL);
6455 	else if (!strcmp(name, "current"))
6456 		error = avc_has_perm(&selinux_state,
6457 				     mysid, mysid, SECCLASS_PROCESS,
6458 				     PROCESS__SETCURRENT, NULL);
6459 	else
6460 		error = -EINVAL;
6461 	if (error)
6462 		return error;
6463 
6464 	/* Obtain a SID for the context, if one was specified. */
6465 	if (size && str[0] && str[0] != '\n') {
6466 		if (str[size-1] == '\n') {
6467 			str[size-1] = 0;
6468 			size--;
6469 		}
6470 		error = security_context_to_sid(&selinux_state, value, size,
6471 						&sid, GFP_KERNEL);
6472 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6473 			if (!has_cap_mac_admin(true)) {
6474 				struct audit_buffer *ab;
6475 				size_t audit_size;
6476 
6477 				/* We strip a nul only if it is at the end, otherwise the
6478 				 * context contains a nul and we should audit that */
6479 				if (str[size - 1] == '\0')
6480 					audit_size = size - 1;
6481 				else
6482 					audit_size = size;
6483 				ab = audit_log_start(audit_context(),
6484 						     GFP_ATOMIC,
6485 						     AUDIT_SELINUX_ERR);
6486 				audit_log_format(ab, "op=fscreate invalid_context=");
6487 				audit_log_n_untrustedstring(ab, value, audit_size);
6488 				audit_log_end(ab);
6489 
6490 				return error;
6491 			}
6492 			error = security_context_to_sid_force(
6493 						      &selinux_state,
6494 						      value, size, &sid);
6495 		}
6496 		if (error)
6497 			return error;
6498 	}
6499 
6500 	new = prepare_creds();
6501 	if (!new)
6502 		return -ENOMEM;
6503 
6504 	/* Permission checking based on the specified context is
6505 	   performed during the actual operation (execve,
6506 	   open/mkdir/...), when we know the full context of the
6507 	   operation.  See selinux_bprm_set_creds for the execve
6508 	   checks and may_create for the file creation checks. The
6509 	   operation will then fail if the context is not permitted. */
6510 	tsec = new->security;
6511 	if (!strcmp(name, "exec")) {
6512 		tsec->exec_sid = sid;
6513 	} else if (!strcmp(name, "fscreate")) {
6514 		tsec->create_sid = sid;
6515 	} else if (!strcmp(name, "keycreate")) {
6516 		error = avc_has_perm(&selinux_state,
6517 				     mysid, sid, SECCLASS_KEY, KEY__CREATE,
6518 				     NULL);
6519 		if (error)
6520 			goto abort_change;
6521 		tsec->keycreate_sid = sid;
6522 	} else if (!strcmp(name, "sockcreate")) {
6523 		tsec->sockcreate_sid = sid;
6524 	} else if (!strcmp(name, "current")) {
6525 		error = -EINVAL;
6526 		if (sid == 0)
6527 			goto abort_change;
6528 
6529 		/* Only allow single threaded processes to change context */
6530 		error = -EPERM;
6531 		if (!current_is_single_threaded()) {
6532 			error = security_bounded_transition(&selinux_state,
6533 							    tsec->sid, sid);
6534 			if (error)
6535 				goto abort_change;
6536 		}
6537 
6538 		/* Check permissions for the transition. */
6539 		error = avc_has_perm(&selinux_state,
6540 				     tsec->sid, sid, SECCLASS_PROCESS,
6541 				     PROCESS__DYNTRANSITION, NULL);
6542 		if (error)
6543 			goto abort_change;
6544 
6545 		/* Check for ptracing, and update the task SID if ok.
6546 		   Otherwise, leave SID unchanged and fail. */
6547 		ptsid = ptrace_parent_sid();
6548 		if (ptsid != 0) {
6549 			error = avc_has_perm(&selinux_state,
6550 					     ptsid, sid, SECCLASS_PROCESS,
6551 					     PROCESS__PTRACE, NULL);
6552 			if (error)
6553 				goto abort_change;
6554 		}
6555 
6556 		tsec->sid = sid;
6557 	} else {
6558 		error = -EINVAL;
6559 		goto abort_change;
6560 	}
6561 
6562 	commit_creds(new);
6563 	return size;
6564 
6565 abort_change:
6566 	abort_creds(new);
6567 	return error;
6568 }
6569 
6570 static int selinux_ismaclabel(const char *name)
6571 {
6572 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6573 }
6574 
6575 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6576 {
6577 	return security_sid_to_context(&selinux_state, secid,
6578 				       secdata, seclen);
6579 }
6580 
6581 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6582 {
6583 	return security_context_to_sid(&selinux_state, secdata, seclen,
6584 				       secid, GFP_KERNEL);
6585 }
6586 
6587 static void selinux_release_secctx(char *secdata, u32 seclen)
6588 {
6589 	kfree(secdata);
6590 }
6591 
6592 static void selinux_inode_invalidate_secctx(struct inode *inode)
6593 {
6594 	struct inode_security_struct *isec = inode->i_security;
6595 
6596 	spin_lock(&isec->lock);
6597 	isec->initialized = LABEL_INVALID;
6598 	spin_unlock(&isec->lock);
6599 }
6600 
6601 /*
6602  *	called with inode->i_mutex locked
6603  */
6604 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6605 {
6606 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6607 }
6608 
6609 /*
6610  *	called with inode->i_mutex locked
6611  */
6612 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6613 {
6614 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6615 }
6616 
6617 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6618 {
6619 	int len = 0;
6620 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6621 						ctx, true);
6622 	if (len < 0)
6623 		return len;
6624 	*ctxlen = len;
6625 	return 0;
6626 }
6627 #ifdef CONFIG_KEYS
6628 
6629 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6630 			     unsigned long flags)
6631 {
6632 	const struct task_security_struct *tsec;
6633 	struct key_security_struct *ksec;
6634 
6635 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6636 	if (!ksec)
6637 		return -ENOMEM;
6638 
6639 	tsec = cred->security;
6640 	if (tsec->keycreate_sid)
6641 		ksec->sid = tsec->keycreate_sid;
6642 	else
6643 		ksec->sid = tsec->sid;
6644 
6645 	k->security = ksec;
6646 	return 0;
6647 }
6648 
6649 static void selinux_key_free(struct key *k)
6650 {
6651 	struct key_security_struct *ksec = k->security;
6652 
6653 	k->security = NULL;
6654 	kfree(ksec);
6655 }
6656 
6657 static int selinux_key_permission(key_ref_t key_ref,
6658 				  const struct cred *cred,
6659 				  unsigned perm)
6660 {
6661 	struct key *key;
6662 	struct key_security_struct *ksec;
6663 	u32 sid;
6664 
6665 	/* if no specific permissions are requested, we skip the
6666 	   permission check. No serious, additional covert channels
6667 	   appear to be created. */
6668 	if (perm == 0)
6669 		return 0;
6670 
6671 	sid = cred_sid(cred);
6672 
6673 	key = key_ref_to_ptr(key_ref);
6674 	ksec = key->security;
6675 
6676 	return avc_has_perm(&selinux_state,
6677 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6678 }
6679 
6680 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6681 {
6682 	struct key_security_struct *ksec = key->security;
6683 	char *context = NULL;
6684 	unsigned len;
6685 	int rc;
6686 
6687 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6688 				     &context, &len);
6689 	if (!rc)
6690 		rc = len;
6691 	*_buffer = context;
6692 	return rc;
6693 }
6694 #endif
6695 
6696 #ifdef CONFIG_SECURITY_INFINIBAND
6697 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6698 {
6699 	struct common_audit_data ad;
6700 	int err;
6701 	u32 sid = 0;
6702 	struct ib_security_struct *sec = ib_sec;
6703 	struct lsm_ibpkey_audit ibpkey;
6704 
6705 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6706 	if (err)
6707 		return err;
6708 
6709 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6710 	ibpkey.subnet_prefix = subnet_prefix;
6711 	ibpkey.pkey = pkey_val;
6712 	ad.u.ibpkey = &ibpkey;
6713 	return avc_has_perm(&selinux_state,
6714 			    sec->sid, sid,
6715 			    SECCLASS_INFINIBAND_PKEY,
6716 			    INFINIBAND_PKEY__ACCESS, &ad);
6717 }
6718 
6719 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6720 					    u8 port_num)
6721 {
6722 	struct common_audit_data ad;
6723 	int err;
6724 	u32 sid = 0;
6725 	struct ib_security_struct *sec = ib_sec;
6726 	struct lsm_ibendport_audit ibendport;
6727 
6728 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6729 				      &sid);
6730 
6731 	if (err)
6732 		return err;
6733 
6734 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6735 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6736 	ibendport.port = port_num;
6737 	ad.u.ibendport = &ibendport;
6738 	return avc_has_perm(&selinux_state,
6739 			    sec->sid, sid,
6740 			    SECCLASS_INFINIBAND_ENDPORT,
6741 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6742 }
6743 
6744 static int selinux_ib_alloc_security(void **ib_sec)
6745 {
6746 	struct ib_security_struct *sec;
6747 
6748 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6749 	if (!sec)
6750 		return -ENOMEM;
6751 	sec->sid = current_sid();
6752 
6753 	*ib_sec = sec;
6754 	return 0;
6755 }
6756 
6757 static void selinux_ib_free_security(void *ib_sec)
6758 {
6759 	kfree(ib_sec);
6760 }
6761 #endif
6762 
6763 #ifdef CONFIG_BPF_SYSCALL
6764 static int selinux_bpf(int cmd, union bpf_attr *attr,
6765 				     unsigned int size)
6766 {
6767 	u32 sid = current_sid();
6768 	int ret;
6769 
6770 	switch (cmd) {
6771 	case BPF_MAP_CREATE:
6772 		ret = avc_has_perm(&selinux_state,
6773 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6774 				   NULL);
6775 		break;
6776 	case BPF_PROG_LOAD:
6777 		ret = avc_has_perm(&selinux_state,
6778 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6779 				   NULL);
6780 		break;
6781 	default:
6782 		ret = 0;
6783 		break;
6784 	}
6785 
6786 	return ret;
6787 }
6788 
6789 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6790 {
6791 	u32 av = 0;
6792 
6793 	if (fmode & FMODE_READ)
6794 		av |= BPF__MAP_READ;
6795 	if (fmode & FMODE_WRITE)
6796 		av |= BPF__MAP_WRITE;
6797 	return av;
6798 }
6799 
6800 /* This function will check the file pass through unix socket or binder to see
6801  * if it is a bpf related object. And apply correspinding checks on the bpf
6802  * object based on the type. The bpf maps and programs, not like other files and
6803  * socket, are using a shared anonymous inode inside the kernel as their inode.
6804  * So checking that inode cannot identify if the process have privilege to
6805  * access the bpf object and that's why we have to add this additional check in
6806  * selinux_file_receive and selinux_binder_transfer_files.
6807  */
6808 static int bpf_fd_pass(struct file *file, u32 sid)
6809 {
6810 	struct bpf_security_struct *bpfsec;
6811 	struct bpf_prog *prog;
6812 	struct bpf_map *map;
6813 	int ret;
6814 
6815 	if (file->f_op == &bpf_map_fops) {
6816 		map = file->private_data;
6817 		bpfsec = map->security;
6818 		ret = avc_has_perm(&selinux_state,
6819 				   sid, bpfsec->sid, SECCLASS_BPF,
6820 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6821 		if (ret)
6822 			return ret;
6823 	} else if (file->f_op == &bpf_prog_fops) {
6824 		prog = file->private_data;
6825 		bpfsec = prog->aux->security;
6826 		ret = avc_has_perm(&selinux_state,
6827 				   sid, bpfsec->sid, SECCLASS_BPF,
6828 				   BPF__PROG_RUN, NULL);
6829 		if (ret)
6830 			return ret;
6831 	}
6832 	return 0;
6833 }
6834 
6835 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6836 {
6837 	u32 sid = current_sid();
6838 	struct bpf_security_struct *bpfsec;
6839 
6840 	bpfsec = map->security;
6841 	return avc_has_perm(&selinux_state,
6842 			    sid, bpfsec->sid, SECCLASS_BPF,
6843 			    bpf_map_fmode_to_av(fmode), NULL);
6844 }
6845 
6846 static int selinux_bpf_prog(struct bpf_prog *prog)
6847 {
6848 	u32 sid = current_sid();
6849 	struct bpf_security_struct *bpfsec;
6850 
6851 	bpfsec = prog->aux->security;
6852 	return avc_has_perm(&selinux_state,
6853 			    sid, bpfsec->sid, SECCLASS_BPF,
6854 			    BPF__PROG_RUN, NULL);
6855 }
6856 
6857 static int selinux_bpf_map_alloc(struct bpf_map *map)
6858 {
6859 	struct bpf_security_struct *bpfsec;
6860 
6861 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6862 	if (!bpfsec)
6863 		return -ENOMEM;
6864 
6865 	bpfsec->sid = current_sid();
6866 	map->security = bpfsec;
6867 
6868 	return 0;
6869 }
6870 
6871 static void selinux_bpf_map_free(struct bpf_map *map)
6872 {
6873 	struct bpf_security_struct *bpfsec = map->security;
6874 
6875 	map->security = NULL;
6876 	kfree(bpfsec);
6877 }
6878 
6879 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6880 {
6881 	struct bpf_security_struct *bpfsec;
6882 
6883 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6884 	if (!bpfsec)
6885 		return -ENOMEM;
6886 
6887 	bpfsec->sid = current_sid();
6888 	aux->security = bpfsec;
6889 
6890 	return 0;
6891 }
6892 
6893 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6894 {
6895 	struct bpf_security_struct *bpfsec = aux->security;
6896 
6897 	aux->security = NULL;
6898 	kfree(bpfsec);
6899 }
6900 #endif
6901 
6902 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6903 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6904 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6905 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6906 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6907 
6908 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6909 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6910 	LSM_HOOK_INIT(capget, selinux_capget),
6911 	LSM_HOOK_INIT(capset, selinux_capset),
6912 	LSM_HOOK_INIT(capable, selinux_capable),
6913 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6914 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6915 	LSM_HOOK_INIT(syslog, selinux_syslog),
6916 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6917 
6918 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6919 
6920 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6921 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6922 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6923 
6924 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6925 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6926 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6927 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6928 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6929 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6930 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6931 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6932 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6933 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6934 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6935 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6936 
6937 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6938 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6939 
6940 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6941 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6942 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6943 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6944 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6945 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6946 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6947 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6948 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6949 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6950 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6951 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6952 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6953 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6954 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6955 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6956 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6957 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6958 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6959 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6960 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6961 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6962 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6963 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6964 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6965 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6966 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6967 
6968 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6969 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6970 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6971 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6972 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6973 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6974 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6975 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6976 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6977 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6978 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6979 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6980 
6981 	LSM_HOOK_INIT(file_open, selinux_file_open),
6982 
6983 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6984 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6985 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6986 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6987 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6988 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6989 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6990 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6991 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6992 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6993 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6994 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6995 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6996 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6997 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6998 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6999 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7000 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7001 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7002 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7003 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7004 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7005 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7006 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7007 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7008 
7009 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7010 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7011 
7012 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7013 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7014 
7015 	LSM_HOOK_INIT(msg_queue_alloc_security,
7016 			selinux_msg_queue_alloc_security),
7017 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7018 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7019 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7020 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7021 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7022 
7023 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7024 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7025 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7026 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7027 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7028 
7029 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7030 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7031 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7032 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7033 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7034 
7035 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7036 
7037 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7038 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7039 
7040 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7041 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7042 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7043 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7044 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7045 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7046 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7047 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7048 
7049 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7050 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7051 
7052 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7053 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7054 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7055 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7056 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7057 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7058 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7059 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7060 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7061 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7062 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7063 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7064 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7065 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7066 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7067 	LSM_HOOK_INIT(socket_getpeersec_stream,
7068 			selinux_socket_getpeersec_stream),
7069 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7070 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7071 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7072 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7073 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7074 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7075 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7076 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7077 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7078 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7079 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7080 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7081 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7082 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7083 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7084 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7085 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7086 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7087 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7088 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7089 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7090 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7091 #ifdef CONFIG_SECURITY_INFINIBAND
7092 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7093 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7094 		      selinux_ib_endport_manage_subnet),
7095 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7096 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7097 #endif
7098 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7099 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7100 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7101 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7102 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7103 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7104 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7105 			selinux_xfrm_state_alloc_acquire),
7106 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7107 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7108 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7109 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7110 			selinux_xfrm_state_pol_flow_match),
7111 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7112 #endif
7113 
7114 #ifdef CONFIG_KEYS
7115 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7116 	LSM_HOOK_INIT(key_free, selinux_key_free),
7117 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7118 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7119 #endif
7120 
7121 #ifdef CONFIG_AUDIT
7122 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7123 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7124 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7125 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7126 #endif
7127 
7128 #ifdef CONFIG_BPF_SYSCALL
7129 	LSM_HOOK_INIT(bpf, selinux_bpf),
7130 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7131 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7132 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7133 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7134 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7135 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7136 #endif
7137 };
7138 
7139 static __init int selinux_init(void)
7140 {
7141 	if (!security_module_enable("selinux")) {
7142 		selinux_enabled = 0;
7143 		return 0;
7144 	}
7145 
7146 	if (!selinux_enabled) {
7147 		pr_info("SELinux:  Disabled at boot.\n");
7148 		return 0;
7149 	}
7150 
7151 	pr_info("SELinux:  Initializing.\n");
7152 
7153 	memset(&selinux_state, 0, sizeof(selinux_state));
7154 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7155 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7156 	selinux_ss_init(&selinux_state.ss);
7157 	selinux_avc_init(&selinux_state.avc);
7158 
7159 	/* Set the security state for the initial task. */
7160 	cred_init_security();
7161 
7162 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7163 
7164 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
7165 					    sizeof(struct inode_security_struct),
7166 					    0, SLAB_PANIC, NULL);
7167 	file_security_cache = kmem_cache_create("selinux_file_security",
7168 					    sizeof(struct file_security_struct),
7169 					    0, SLAB_PANIC, NULL);
7170 	avc_init();
7171 
7172 	avtab_cache_init();
7173 
7174 	ebitmap_cache_init();
7175 
7176 	hashtab_cache_init();
7177 
7178 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7179 
7180 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7181 		panic("SELinux: Unable to register AVC netcache callback\n");
7182 
7183 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7184 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7185 
7186 	if (selinux_enforcing_boot)
7187 		pr_debug("SELinux:  Starting in enforcing mode\n");
7188 	else
7189 		pr_debug("SELinux:  Starting in permissive mode\n");
7190 
7191 	return 0;
7192 }
7193 
7194 static void delayed_superblock_init(struct super_block *sb, void *unused)
7195 {
7196 	superblock_doinit(sb, NULL);
7197 }
7198 
7199 void selinux_complete_init(void)
7200 {
7201 	pr_debug("SELinux:  Completing initialization.\n");
7202 
7203 	/* Set up any superblocks initialized prior to the policy load. */
7204 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7205 	iterate_supers(delayed_superblock_init, NULL);
7206 }
7207 
7208 /* SELinux requires early initialization in order to label
7209    all processes and objects when they are created. */
7210 DEFINE_LSM(selinux) = {
7211 	.name = "selinux",
7212 	.init = selinux_init,
7213 };
7214 
7215 #if defined(CONFIG_NETFILTER)
7216 
7217 static const struct nf_hook_ops selinux_nf_ops[] = {
7218 	{
7219 		.hook =		selinux_ipv4_postroute,
7220 		.pf =		NFPROTO_IPV4,
7221 		.hooknum =	NF_INET_POST_ROUTING,
7222 		.priority =	NF_IP_PRI_SELINUX_LAST,
7223 	},
7224 	{
7225 		.hook =		selinux_ipv4_forward,
7226 		.pf =		NFPROTO_IPV4,
7227 		.hooknum =	NF_INET_FORWARD,
7228 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7229 	},
7230 	{
7231 		.hook =		selinux_ipv4_output,
7232 		.pf =		NFPROTO_IPV4,
7233 		.hooknum =	NF_INET_LOCAL_OUT,
7234 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7235 	},
7236 #if IS_ENABLED(CONFIG_IPV6)
7237 	{
7238 		.hook =		selinux_ipv6_postroute,
7239 		.pf =		NFPROTO_IPV6,
7240 		.hooknum =	NF_INET_POST_ROUTING,
7241 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7242 	},
7243 	{
7244 		.hook =		selinux_ipv6_forward,
7245 		.pf =		NFPROTO_IPV6,
7246 		.hooknum =	NF_INET_FORWARD,
7247 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7248 	},
7249 	{
7250 		.hook =		selinux_ipv6_output,
7251 		.pf =		NFPROTO_IPV6,
7252 		.hooknum =	NF_INET_LOCAL_OUT,
7253 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7254 	},
7255 #endif	/* IPV6 */
7256 };
7257 
7258 static int __net_init selinux_nf_register(struct net *net)
7259 {
7260 	return nf_register_net_hooks(net, selinux_nf_ops,
7261 				     ARRAY_SIZE(selinux_nf_ops));
7262 }
7263 
7264 static void __net_exit selinux_nf_unregister(struct net *net)
7265 {
7266 	nf_unregister_net_hooks(net, selinux_nf_ops,
7267 				ARRAY_SIZE(selinux_nf_ops));
7268 }
7269 
7270 static struct pernet_operations selinux_net_ops = {
7271 	.init = selinux_nf_register,
7272 	.exit = selinux_nf_unregister,
7273 };
7274 
7275 static int __init selinux_nf_ip_init(void)
7276 {
7277 	int err;
7278 
7279 	if (!selinux_enabled)
7280 		return 0;
7281 
7282 	pr_debug("SELinux:  Registering netfilter hooks\n");
7283 
7284 	err = register_pernet_subsys(&selinux_net_ops);
7285 	if (err)
7286 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7287 
7288 	return 0;
7289 }
7290 __initcall(selinux_nf_ip_init);
7291 
7292 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7293 static void selinux_nf_ip_exit(void)
7294 {
7295 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7296 
7297 	unregister_pernet_subsys(&selinux_net_ops);
7298 }
7299 #endif
7300 
7301 #else /* CONFIG_NETFILTER */
7302 
7303 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7304 #define selinux_nf_ip_exit()
7305 #endif
7306 
7307 #endif /* CONFIG_NETFILTER */
7308 
7309 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7310 int selinux_disable(struct selinux_state *state)
7311 {
7312 	if (state->initialized) {
7313 		/* Not permitted after initial policy load. */
7314 		return -EINVAL;
7315 	}
7316 
7317 	if (state->disabled) {
7318 		/* Only do this once. */
7319 		return -EINVAL;
7320 	}
7321 
7322 	state->disabled = 1;
7323 
7324 	pr_info("SELinux:  Disabled at runtime.\n");
7325 
7326 	selinux_enabled = 0;
7327 
7328 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7329 
7330 	/* Try to destroy the avc node cache */
7331 	avc_disable();
7332 
7333 	/* Unregister netfilter hooks. */
7334 	selinux_nf_ip_exit();
7335 
7336 	/* Unregister selinuxfs. */
7337 	exit_sel_fs();
7338 
7339 	return 0;
7340 }
7341 #endif
7342