xref: /openbmc/linux/security/selinux/hooks.c (revision 5ed132db5ad4f58156ae9d28219396b6f764a9cb)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched/signal.h>
31 #include <linux/sched/task.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/fs_context.h>
50 #include <linux/fs_parser.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <linux/kernfs.h>
91 #include <linux/stringhash.h>	/* for hashlen_string() */
92 #include <uapi/linux/mount.h>
93 #include <linux/fsnotify.h>
94 #include <linux/fanotify.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114 
115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled_boot = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static unsigned int selinux_checkreqprot_boot =
140 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141 
142 static int __init checkreqprot_setup(char *str)
143 {
144 	unsigned long checkreqprot;
145 
146 	if (!kstrtoul(str, 0, &checkreqprot)) {
147 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 		if (checkreqprot)
149 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
150 	}
151 	return 1;
152 }
153 __setup("checkreqprot=", checkreqprot_setup);
154 
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
166 static int selinux_secmark_enabled(void)
167 {
168 	return (selinux_policycap_alwaysnetwork() ||
169 		atomic_read(&selinux_secmark_refcount));
170 }
171 
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
182 static int selinux_peerlbl_enabled(void)
183 {
184 	return (selinux_policycap_alwaysnetwork() ||
185 		netlbl_enabled() || selinux_xfrm_enabled());
186 }
187 
188 static int selinux_netcache_avc_callback(u32 event)
189 {
190 	if (event == AVC_CALLBACK_RESET) {
191 		sel_netif_flush();
192 		sel_netnode_flush();
193 		sel_netport_flush();
194 		synchronize_net();
195 	}
196 	return 0;
197 }
198 
199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201 	if (event == AVC_CALLBACK_RESET) {
202 		sel_ib_pkey_flush();
203 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204 	}
205 
206 	return 0;
207 }
208 
209 /*
210  * initialise the security for the init task
211  */
212 static void cred_init_security(void)
213 {
214 	struct cred *cred = (struct cred *) current->real_cred;
215 	struct task_security_struct *tsec;
216 
217 	tsec = selinux_cred(cred);
218 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
219 }
220 
221 /*
222  * get the security ID of a set of credentials
223  */
224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 	const struct task_security_struct *tsec;
227 
228 	tsec = selinux_cred(cred);
229 	return tsec->sid;
230 }
231 
232 /*
233  * get the objective security ID of a task
234  */
235 static inline u32 task_sid(const struct task_struct *task)
236 {
237 	u32 sid;
238 
239 	rcu_read_lock();
240 	sid = cred_sid(__task_cred(task));
241 	rcu_read_unlock();
242 	return sid;
243 }
244 
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246 
247 /*
248  * Try reloading inode security labels that have been marked as invalid.  The
249  * @may_sleep parameter indicates when sleeping and thus reloading labels is
250  * allowed; when set to false, returns -ECHILD when the label is
251  * invalid.  The @dentry parameter should be set to a dentry of the inode.
252  */
253 static int __inode_security_revalidate(struct inode *inode,
254 				       struct dentry *dentry,
255 				       bool may_sleep)
256 {
257 	struct inode_security_struct *isec = selinux_inode(inode);
258 
259 	might_sleep_if(may_sleep);
260 
261 	if (selinux_initialized(&selinux_state) &&
262 	    isec->initialized != LABEL_INITIALIZED) {
263 		if (!may_sleep)
264 			return -ECHILD;
265 
266 		/*
267 		 * Try reloading the inode security label.  This will fail if
268 		 * @opt_dentry is NULL and no dentry for this inode can be
269 		 * found; in that case, continue using the old label.
270 		 */
271 		inode_doinit_with_dentry(inode, dentry);
272 	}
273 	return 0;
274 }
275 
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 	return selinux_inode(inode);
279 }
280 
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 	int error;
284 
285 	error = __inode_security_revalidate(inode, NULL, !rcu);
286 	if (error)
287 		return ERR_PTR(error);
288 	return selinux_inode(inode);
289 }
290 
291 /*
292  * Get the security label of an inode.
293  */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 	__inode_security_revalidate(inode, NULL, true);
297 	return selinux_inode(inode);
298 }
299 
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 	struct inode *inode = d_backing_inode(dentry);
303 
304 	return selinux_inode(inode);
305 }
306 
307 /*
308  * Get the security label of a dentry's backing inode.
309  */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 	struct inode *inode = d_backing_inode(dentry);
313 
314 	__inode_security_revalidate(inode, dentry, true);
315 	return selinux_inode(inode);
316 }
317 
318 static void inode_free_security(struct inode *inode)
319 {
320 	struct inode_security_struct *isec = selinux_inode(inode);
321 	struct superblock_security_struct *sbsec;
322 
323 	if (!isec)
324 		return;
325 	sbsec = inode->i_sb->s_security;
326 	/*
327 	 * As not all inode security structures are in a list, we check for
328 	 * empty list outside of the lock to make sure that we won't waste
329 	 * time taking a lock doing nothing.
330 	 *
331 	 * The list_del_init() function can be safely called more than once.
332 	 * It should not be possible for this function to be called with
333 	 * concurrent list_add(), but for better safety against future changes
334 	 * in the code, we use list_empty_careful() here.
335 	 */
336 	if (!list_empty_careful(&isec->list)) {
337 		spin_lock(&sbsec->isec_lock);
338 		list_del_init(&isec->list);
339 		spin_unlock(&sbsec->isec_lock);
340 	}
341 }
342 
343 static void superblock_free_security(struct super_block *sb)
344 {
345 	struct superblock_security_struct *sbsec = sb->s_security;
346 	sb->s_security = NULL;
347 	kfree(sbsec);
348 }
349 
350 struct selinux_mnt_opts {
351 	const char *fscontext, *context, *rootcontext, *defcontext;
352 };
353 
354 static void selinux_free_mnt_opts(void *mnt_opts)
355 {
356 	struct selinux_mnt_opts *opts = mnt_opts;
357 	kfree(opts->fscontext);
358 	kfree(opts->context);
359 	kfree(opts->rootcontext);
360 	kfree(opts->defcontext);
361 	kfree(opts);
362 }
363 
364 enum {
365 	Opt_error = -1,
366 	Opt_context = 0,
367 	Opt_defcontext = 1,
368 	Opt_fscontext = 2,
369 	Opt_rootcontext = 3,
370 	Opt_seclabel = 4,
371 };
372 
373 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
374 static struct {
375 	const char *name;
376 	int len;
377 	int opt;
378 	bool has_arg;
379 } tokens[] = {
380 	A(context, true),
381 	A(fscontext, true),
382 	A(defcontext, true),
383 	A(rootcontext, true),
384 	A(seclabel, false),
385 };
386 #undef A
387 
388 static int match_opt_prefix(char *s, int l, char **arg)
389 {
390 	int i;
391 
392 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
393 		size_t len = tokens[i].len;
394 		if (len > l || memcmp(s, tokens[i].name, len))
395 			continue;
396 		if (tokens[i].has_arg) {
397 			if (len == l || s[len] != '=')
398 				continue;
399 			*arg = s + len + 1;
400 		} else if (len != l)
401 			continue;
402 		return tokens[i].opt;
403 	}
404 	return Opt_error;
405 }
406 
407 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
408 
409 static int may_context_mount_sb_relabel(u32 sid,
410 			struct superblock_security_struct *sbsec,
411 			const struct cred *cred)
412 {
413 	const struct task_security_struct *tsec = selinux_cred(cred);
414 	int rc;
415 
416 	rc = avc_has_perm(&selinux_state,
417 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 			  FILESYSTEM__RELABELFROM, NULL);
419 	if (rc)
420 		return rc;
421 
422 	rc = avc_has_perm(&selinux_state,
423 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
424 			  FILESYSTEM__RELABELTO, NULL);
425 	return rc;
426 }
427 
428 static int may_context_mount_inode_relabel(u32 sid,
429 			struct superblock_security_struct *sbsec,
430 			const struct cred *cred)
431 {
432 	const struct task_security_struct *tsec = selinux_cred(cred);
433 	int rc;
434 	rc = avc_has_perm(&selinux_state,
435 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
436 			  FILESYSTEM__RELABELFROM, NULL);
437 	if (rc)
438 		return rc;
439 
440 	rc = avc_has_perm(&selinux_state,
441 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
442 			  FILESYSTEM__ASSOCIATE, NULL);
443 	return rc;
444 }
445 
446 static int selinux_is_genfs_special_handling(struct super_block *sb)
447 {
448 	/* Special handling. Genfs but also in-core setxattr handler */
449 	return	!strcmp(sb->s_type->name, "sysfs") ||
450 		!strcmp(sb->s_type->name, "pstore") ||
451 		!strcmp(sb->s_type->name, "debugfs") ||
452 		!strcmp(sb->s_type->name, "tracefs") ||
453 		!strcmp(sb->s_type->name, "rootfs") ||
454 		(selinux_policycap_cgroupseclabel() &&
455 		 (!strcmp(sb->s_type->name, "cgroup") ||
456 		  !strcmp(sb->s_type->name, "cgroup2")));
457 }
458 
459 static int selinux_is_sblabel_mnt(struct super_block *sb)
460 {
461 	struct superblock_security_struct *sbsec = sb->s_security;
462 
463 	/*
464 	 * IMPORTANT: Double-check logic in this function when adding a new
465 	 * SECURITY_FS_USE_* definition!
466 	 */
467 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
468 
469 	switch (sbsec->behavior) {
470 	case SECURITY_FS_USE_XATTR:
471 	case SECURITY_FS_USE_TRANS:
472 	case SECURITY_FS_USE_TASK:
473 	case SECURITY_FS_USE_NATIVE:
474 		return 1;
475 
476 	case SECURITY_FS_USE_GENFS:
477 		return selinux_is_genfs_special_handling(sb);
478 
479 	/* Never allow relabeling on context mounts */
480 	case SECURITY_FS_USE_MNTPOINT:
481 	case SECURITY_FS_USE_NONE:
482 	default:
483 		return 0;
484 	}
485 }
486 
487 static int sb_finish_set_opts(struct super_block *sb)
488 {
489 	struct superblock_security_struct *sbsec = sb->s_security;
490 	struct dentry *root = sb->s_root;
491 	struct inode *root_inode = d_backing_inode(root);
492 	int rc = 0;
493 
494 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
495 		/* Make sure that the xattr handler exists and that no
496 		   error other than -ENODATA is returned by getxattr on
497 		   the root directory.  -ENODATA is ok, as this may be
498 		   the first boot of the SELinux kernel before we have
499 		   assigned xattr values to the filesystem. */
500 		if (!(root_inode->i_opflags & IOP_XATTR)) {
501 			pr_warn("SELinux: (dev %s, type %s) has no "
502 			       "xattr support\n", sb->s_id, sb->s_type->name);
503 			rc = -EOPNOTSUPP;
504 			goto out;
505 		}
506 
507 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
508 		if (rc < 0 && rc != -ENODATA) {
509 			if (rc == -EOPNOTSUPP)
510 				pr_warn("SELinux: (dev %s, type "
511 				       "%s) has no security xattr handler\n",
512 				       sb->s_id, sb->s_type->name);
513 			else
514 				pr_warn("SELinux: (dev %s, type "
515 				       "%s) getxattr errno %d\n", sb->s_id,
516 				       sb->s_type->name, -rc);
517 			goto out;
518 		}
519 	}
520 
521 	sbsec->flags |= SE_SBINITIALIZED;
522 
523 	/*
524 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
525 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
526 	 * us a superblock that needs the flag to be cleared.
527 	 */
528 	if (selinux_is_sblabel_mnt(sb))
529 		sbsec->flags |= SBLABEL_MNT;
530 	else
531 		sbsec->flags &= ~SBLABEL_MNT;
532 
533 	/* Initialize the root inode. */
534 	rc = inode_doinit_with_dentry(root_inode, root);
535 
536 	/* Initialize any other inodes associated with the superblock, e.g.
537 	   inodes created prior to initial policy load or inodes created
538 	   during get_sb by a pseudo filesystem that directly
539 	   populates itself. */
540 	spin_lock(&sbsec->isec_lock);
541 	while (!list_empty(&sbsec->isec_head)) {
542 		struct inode_security_struct *isec =
543 				list_first_entry(&sbsec->isec_head,
544 					   struct inode_security_struct, list);
545 		struct inode *inode = isec->inode;
546 		list_del_init(&isec->list);
547 		spin_unlock(&sbsec->isec_lock);
548 		inode = igrab(inode);
549 		if (inode) {
550 			if (!IS_PRIVATE(inode))
551 				inode_doinit_with_dentry(inode, NULL);
552 			iput(inode);
553 		}
554 		spin_lock(&sbsec->isec_lock);
555 	}
556 	spin_unlock(&sbsec->isec_lock);
557 out:
558 	return rc;
559 }
560 
561 static int bad_option(struct superblock_security_struct *sbsec, char flag,
562 		      u32 old_sid, u32 new_sid)
563 {
564 	char mnt_flags = sbsec->flags & SE_MNTMASK;
565 
566 	/* check if the old mount command had the same options */
567 	if (sbsec->flags & SE_SBINITIALIZED)
568 		if (!(sbsec->flags & flag) ||
569 		    (old_sid != new_sid))
570 			return 1;
571 
572 	/* check if we were passed the same options twice,
573 	 * aka someone passed context=a,context=b
574 	 */
575 	if (!(sbsec->flags & SE_SBINITIALIZED))
576 		if (mnt_flags & flag)
577 			return 1;
578 	return 0;
579 }
580 
581 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
582 {
583 	int rc = security_context_str_to_sid(&selinux_state, s,
584 					     sid, GFP_KERNEL);
585 	if (rc)
586 		pr_warn("SELinux: security_context_str_to_sid"
587 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
588 		       s, sb->s_id, sb->s_type->name, rc);
589 	return rc;
590 }
591 
592 /*
593  * Allow filesystems with binary mount data to explicitly set mount point
594  * labeling information.
595  */
596 static int selinux_set_mnt_opts(struct super_block *sb,
597 				void *mnt_opts,
598 				unsigned long kern_flags,
599 				unsigned long *set_kern_flags)
600 {
601 	const struct cred *cred = current_cred();
602 	struct superblock_security_struct *sbsec = sb->s_security;
603 	struct dentry *root = sbsec->sb->s_root;
604 	struct selinux_mnt_opts *opts = mnt_opts;
605 	struct inode_security_struct *root_isec;
606 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
607 	u32 defcontext_sid = 0;
608 	int rc = 0;
609 
610 	mutex_lock(&sbsec->lock);
611 
612 	if (!selinux_initialized(&selinux_state)) {
613 		if (!opts) {
614 			/* Defer initialization until selinux_complete_init,
615 			   after the initial policy is loaded and the security
616 			   server is ready to handle calls. */
617 			goto out;
618 		}
619 		rc = -EINVAL;
620 		pr_warn("SELinux: Unable to set superblock options "
621 			"before the security server is initialized\n");
622 		goto out;
623 	}
624 	if (kern_flags && !set_kern_flags) {
625 		/* Specifying internal flags without providing a place to
626 		 * place the results is not allowed */
627 		rc = -EINVAL;
628 		goto out;
629 	}
630 
631 	/*
632 	 * Binary mount data FS will come through this function twice.  Once
633 	 * from an explicit call and once from the generic calls from the vfs.
634 	 * Since the generic VFS calls will not contain any security mount data
635 	 * we need to skip the double mount verification.
636 	 *
637 	 * This does open a hole in which we will not notice if the first
638 	 * mount using this sb set explict options and a second mount using
639 	 * this sb does not set any security options.  (The first options
640 	 * will be used for both mounts)
641 	 */
642 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
643 	    && !opts)
644 		goto out;
645 
646 	root_isec = backing_inode_security_novalidate(root);
647 
648 	/*
649 	 * parse the mount options, check if they are valid sids.
650 	 * also check if someone is trying to mount the same sb more
651 	 * than once with different security options.
652 	 */
653 	if (opts) {
654 		if (opts->fscontext) {
655 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
656 			if (rc)
657 				goto out;
658 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
659 					fscontext_sid))
660 				goto out_double_mount;
661 			sbsec->flags |= FSCONTEXT_MNT;
662 		}
663 		if (opts->context) {
664 			rc = parse_sid(sb, opts->context, &context_sid);
665 			if (rc)
666 				goto out;
667 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
668 					context_sid))
669 				goto out_double_mount;
670 			sbsec->flags |= CONTEXT_MNT;
671 		}
672 		if (opts->rootcontext) {
673 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
674 			if (rc)
675 				goto out;
676 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 					rootcontext_sid))
678 				goto out_double_mount;
679 			sbsec->flags |= ROOTCONTEXT_MNT;
680 		}
681 		if (opts->defcontext) {
682 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
683 			if (rc)
684 				goto out;
685 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
686 					defcontext_sid))
687 				goto out_double_mount;
688 			sbsec->flags |= DEFCONTEXT_MNT;
689 		}
690 	}
691 
692 	if (sbsec->flags & SE_SBINITIALIZED) {
693 		/* previously mounted with options, but not on this attempt? */
694 		if ((sbsec->flags & SE_MNTMASK) && !opts)
695 			goto out_double_mount;
696 		rc = 0;
697 		goto out;
698 	}
699 
700 	if (strcmp(sb->s_type->name, "proc") == 0)
701 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
702 
703 	if (!strcmp(sb->s_type->name, "debugfs") ||
704 	    !strcmp(sb->s_type->name, "tracefs") ||
705 	    !strcmp(sb->s_type->name, "binder") ||
706 	    !strcmp(sb->s_type->name, "bpf") ||
707 	    !strcmp(sb->s_type->name, "pstore"))
708 		sbsec->flags |= SE_SBGENFS;
709 
710 	if (!strcmp(sb->s_type->name, "sysfs") ||
711 	    !strcmp(sb->s_type->name, "cgroup") ||
712 	    !strcmp(sb->s_type->name, "cgroup2"))
713 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
714 
715 	if (!sbsec->behavior) {
716 		/*
717 		 * Determine the labeling behavior to use for this
718 		 * filesystem type.
719 		 */
720 		rc = security_fs_use(&selinux_state, sb);
721 		if (rc) {
722 			pr_warn("%s: security_fs_use(%s) returned %d\n",
723 					__func__, sb->s_type->name, rc);
724 			goto out;
725 		}
726 	}
727 
728 	/*
729 	 * If this is a user namespace mount and the filesystem type is not
730 	 * explicitly whitelisted, then no contexts are allowed on the command
731 	 * line and security labels must be ignored.
732 	 */
733 	if (sb->s_user_ns != &init_user_ns &&
734 	    strcmp(sb->s_type->name, "tmpfs") &&
735 	    strcmp(sb->s_type->name, "ramfs") &&
736 	    strcmp(sb->s_type->name, "devpts")) {
737 		if (context_sid || fscontext_sid || rootcontext_sid ||
738 		    defcontext_sid) {
739 			rc = -EACCES;
740 			goto out;
741 		}
742 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744 			rc = security_transition_sid(&selinux_state,
745 						     current_sid(),
746 						     current_sid(),
747 						     SECCLASS_FILE, NULL,
748 						     &sbsec->mntpoint_sid);
749 			if (rc)
750 				goto out;
751 		}
752 		goto out_set_opts;
753 	}
754 
755 	/* sets the context of the superblock for the fs being mounted. */
756 	if (fscontext_sid) {
757 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
758 		if (rc)
759 			goto out;
760 
761 		sbsec->sid = fscontext_sid;
762 	}
763 
764 	/*
765 	 * Switch to using mount point labeling behavior.
766 	 * sets the label used on all file below the mountpoint, and will set
767 	 * the superblock context if not already set.
768 	 */
769 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 	}
773 
774 	if (context_sid) {
775 		if (!fscontext_sid) {
776 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 							  cred);
778 			if (rc)
779 				goto out;
780 			sbsec->sid = context_sid;
781 		} else {
782 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 							     cred);
784 			if (rc)
785 				goto out;
786 		}
787 		if (!rootcontext_sid)
788 			rootcontext_sid = context_sid;
789 
790 		sbsec->mntpoint_sid = context_sid;
791 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 	}
793 
794 	if (rootcontext_sid) {
795 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 						     cred);
797 		if (rc)
798 			goto out;
799 
800 		root_isec->sid = rootcontext_sid;
801 		root_isec->initialized = LABEL_INITIALIZED;
802 	}
803 
804 	if (defcontext_sid) {
805 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
807 			rc = -EINVAL;
808 			pr_warn("SELinux: defcontext option is "
809 			       "invalid for this filesystem type\n");
810 			goto out;
811 		}
812 
813 		if (defcontext_sid != sbsec->def_sid) {
814 			rc = may_context_mount_inode_relabel(defcontext_sid,
815 							     sbsec, cred);
816 			if (rc)
817 				goto out;
818 		}
819 
820 		sbsec->def_sid = defcontext_sid;
821 	}
822 
823 out_set_opts:
824 	rc = sb_finish_set_opts(sb);
825 out:
826 	mutex_unlock(&sbsec->lock);
827 	return rc;
828 out_double_mount:
829 	rc = -EINVAL;
830 	pr_warn("SELinux: mount invalid.  Same superblock, different "
831 	       "security settings for (dev %s, type %s)\n", sb->s_id,
832 	       sb->s_type->name);
833 	goto out;
834 }
835 
836 static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 				    const struct super_block *newsb)
838 {
839 	struct superblock_security_struct *old = oldsb->s_security;
840 	struct superblock_security_struct *new = newsb->s_security;
841 	char oldflags = old->flags & SE_MNTMASK;
842 	char newflags = new->flags & SE_MNTMASK;
843 
844 	if (oldflags != newflags)
845 		goto mismatch;
846 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 		goto mismatch;
848 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 		goto mismatch;
850 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 		goto mismatch;
852 	if (oldflags & ROOTCONTEXT_MNT) {
853 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
855 		if (oldroot->sid != newroot->sid)
856 			goto mismatch;
857 	}
858 	return 0;
859 mismatch:
860 	pr_warn("SELinux: mount invalid.  Same superblock, "
861 			    "different security settings for (dev %s, "
862 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
863 	return -EBUSY;
864 }
865 
866 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
867 					struct super_block *newsb,
868 					unsigned long kern_flags,
869 					unsigned long *set_kern_flags)
870 {
871 	int rc = 0;
872 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
873 	struct superblock_security_struct *newsbsec = newsb->s_security;
874 
875 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
876 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
877 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
878 
879 	/*
880 	 * if the parent was able to be mounted it clearly had no special lsm
881 	 * mount options.  thus we can safely deal with this superblock later
882 	 */
883 	if (!selinux_initialized(&selinux_state))
884 		return 0;
885 
886 	/*
887 	 * Specifying internal flags without providing a place to
888 	 * place the results is not allowed.
889 	 */
890 	if (kern_flags && !set_kern_flags)
891 		return -EINVAL;
892 
893 	/* how can we clone if the old one wasn't set up?? */
894 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
895 
896 	/* if fs is reusing a sb, make sure that the contexts match */
897 	if (newsbsec->flags & SE_SBINITIALIZED) {
898 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
900 		return selinux_cmp_sb_context(oldsb, newsb);
901 	}
902 
903 	mutex_lock(&newsbsec->lock);
904 
905 	newsbsec->flags = oldsbsec->flags;
906 
907 	newsbsec->sid = oldsbsec->sid;
908 	newsbsec->def_sid = oldsbsec->def_sid;
909 	newsbsec->behavior = oldsbsec->behavior;
910 
911 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
913 		rc = security_fs_use(&selinux_state, newsb);
914 		if (rc)
915 			goto out;
916 	}
917 
918 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
921 	}
922 
923 	if (set_context) {
924 		u32 sid = oldsbsec->mntpoint_sid;
925 
926 		if (!set_fscontext)
927 			newsbsec->sid = sid;
928 		if (!set_rootcontext) {
929 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
930 			newisec->sid = sid;
931 		}
932 		newsbsec->mntpoint_sid = sid;
933 	}
934 	if (set_rootcontext) {
935 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
937 
938 		newisec->sid = oldisec->sid;
939 	}
940 
941 	sb_finish_set_opts(newsb);
942 out:
943 	mutex_unlock(&newsbsec->lock);
944 	return rc;
945 }
946 
947 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
948 {
949 	struct selinux_mnt_opts *opts = *mnt_opts;
950 
951 	if (token == Opt_seclabel)	/* eaten and completely ignored */
952 		return 0;
953 
954 	if (!opts) {
955 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
956 		if (!opts)
957 			return -ENOMEM;
958 		*mnt_opts = opts;
959 	}
960 	if (!s)
961 		return -ENOMEM;
962 	switch (token) {
963 	case Opt_context:
964 		if (opts->context || opts->defcontext)
965 			goto Einval;
966 		opts->context = s;
967 		break;
968 	case Opt_fscontext:
969 		if (opts->fscontext)
970 			goto Einval;
971 		opts->fscontext = s;
972 		break;
973 	case Opt_rootcontext:
974 		if (opts->rootcontext)
975 			goto Einval;
976 		opts->rootcontext = s;
977 		break;
978 	case Opt_defcontext:
979 		if (opts->context || opts->defcontext)
980 			goto Einval;
981 		opts->defcontext = s;
982 		break;
983 	}
984 	return 0;
985 Einval:
986 	pr_warn(SEL_MOUNT_FAIL_MSG);
987 	return -EINVAL;
988 }
989 
990 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
991 			       void **mnt_opts)
992 {
993 	int token = Opt_error;
994 	int rc, i;
995 
996 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
997 		if (strcmp(option, tokens[i].name) == 0) {
998 			token = tokens[i].opt;
999 			break;
1000 		}
1001 	}
1002 
1003 	if (token == Opt_error)
1004 		return -EINVAL;
1005 
1006 	if (token != Opt_seclabel) {
1007 		val = kmemdup_nul(val, len, GFP_KERNEL);
1008 		if (!val) {
1009 			rc = -ENOMEM;
1010 			goto free_opt;
1011 		}
1012 	}
1013 	rc = selinux_add_opt(token, val, mnt_opts);
1014 	if (unlikely(rc)) {
1015 		kfree(val);
1016 		goto free_opt;
1017 	}
1018 	return rc;
1019 
1020 free_opt:
1021 	if (*mnt_opts) {
1022 		selinux_free_mnt_opts(*mnt_opts);
1023 		*mnt_opts = NULL;
1024 	}
1025 	return rc;
1026 }
1027 
1028 static int show_sid(struct seq_file *m, u32 sid)
1029 {
1030 	char *context = NULL;
1031 	u32 len;
1032 	int rc;
1033 
1034 	rc = security_sid_to_context(&selinux_state, sid,
1035 					     &context, &len);
1036 	if (!rc) {
1037 		bool has_comma = context && strchr(context, ',');
1038 
1039 		seq_putc(m, '=');
1040 		if (has_comma)
1041 			seq_putc(m, '\"');
1042 		seq_escape(m, context, "\"\n\\");
1043 		if (has_comma)
1044 			seq_putc(m, '\"');
1045 	}
1046 	kfree(context);
1047 	return rc;
1048 }
1049 
1050 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1051 {
1052 	struct superblock_security_struct *sbsec = sb->s_security;
1053 	int rc;
1054 
1055 	if (!(sbsec->flags & SE_SBINITIALIZED))
1056 		return 0;
1057 
1058 	if (!selinux_initialized(&selinux_state))
1059 		return 0;
1060 
1061 	if (sbsec->flags & FSCONTEXT_MNT) {
1062 		seq_putc(m, ',');
1063 		seq_puts(m, FSCONTEXT_STR);
1064 		rc = show_sid(m, sbsec->sid);
1065 		if (rc)
1066 			return rc;
1067 	}
1068 	if (sbsec->flags & CONTEXT_MNT) {
1069 		seq_putc(m, ',');
1070 		seq_puts(m, CONTEXT_STR);
1071 		rc = show_sid(m, sbsec->mntpoint_sid);
1072 		if (rc)
1073 			return rc;
1074 	}
1075 	if (sbsec->flags & DEFCONTEXT_MNT) {
1076 		seq_putc(m, ',');
1077 		seq_puts(m, DEFCONTEXT_STR);
1078 		rc = show_sid(m, sbsec->def_sid);
1079 		if (rc)
1080 			return rc;
1081 	}
1082 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1083 		struct dentry *root = sbsec->sb->s_root;
1084 		struct inode_security_struct *isec = backing_inode_security(root);
1085 		seq_putc(m, ',');
1086 		seq_puts(m, ROOTCONTEXT_STR);
1087 		rc = show_sid(m, isec->sid);
1088 		if (rc)
1089 			return rc;
1090 	}
1091 	if (sbsec->flags & SBLABEL_MNT) {
1092 		seq_putc(m, ',');
1093 		seq_puts(m, SECLABEL_STR);
1094 	}
1095 	return 0;
1096 }
1097 
1098 static inline u16 inode_mode_to_security_class(umode_t mode)
1099 {
1100 	switch (mode & S_IFMT) {
1101 	case S_IFSOCK:
1102 		return SECCLASS_SOCK_FILE;
1103 	case S_IFLNK:
1104 		return SECCLASS_LNK_FILE;
1105 	case S_IFREG:
1106 		return SECCLASS_FILE;
1107 	case S_IFBLK:
1108 		return SECCLASS_BLK_FILE;
1109 	case S_IFDIR:
1110 		return SECCLASS_DIR;
1111 	case S_IFCHR:
1112 		return SECCLASS_CHR_FILE;
1113 	case S_IFIFO:
1114 		return SECCLASS_FIFO_FILE;
1115 
1116 	}
1117 
1118 	return SECCLASS_FILE;
1119 }
1120 
1121 static inline int default_protocol_stream(int protocol)
1122 {
1123 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1124 }
1125 
1126 static inline int default_protocol_dgram(int protocol)
1127 {
1128 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1129 }
1130 
1131 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1132 {
1133 	int extsockclass = selinux_policycap_extsockclass();
1134 
1135 	switch (family) {
1136 	case PF_UNIX:
1137 		switch (type) {
1138 		case SOCK_STREAM:
1139 		case SOCK_SEQPACKET:
1140 			return SECCLASS_UNIX_STREAM_SOCKET;
1141 		case SOCK_DGRAM:
1142 		case SOCK_RAW:
1143 			return SECCLASS_UNIX_DGRAM_SOCKET;
1144 		}
1145 		break;
1146 	case PF_INET:
1147 	case PF_INET6:
1148 		switch (type) {
1149 		case SOCK_STREAM:
1150 		case SOCK_SEQPACKET:
1151 			if (default_protocol_stream(protocol))
1152 				return SECCLASS_TCP_SOCKET;
1153 			else if (extsockclass && protocol == IPPROTO_SCTP)
1154 				return SECCLASS_SCTP_SOCKET;
1155 			else
1156 				return SECCLASS_RAWIP_SOCKET;
1157 		case SOCK_DGRAM:
1158 			if (default_protocol_dgram(protocol))
1159 				return SECCLASS_UDP_SOCKET;
1160 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1161 						  protocol == IPPROTO_ICMPV6))
1162 				return SECCLASS_ICMP_SOCKET;
1163 			else
1164 				return SECCLASS_RAWIP_SOCKET;
1165 		case SOCK_DCCP:
1166 			return SECCLASS_DCCP_SOCKET;
1167 		default:
1168 			return SECCLASS_RAWIP_SOCKET;
1169 		}
1170 		break;
1171 	case PF_NETLINK:
1172 		switch (protocol) {
1173 		case NETLINK_ROUTE:
1174 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1175 		case NETLINK_SOCK_DIAG:
1176 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1177 		case NETLINK_NFLOG:
1178 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1179 		case NETLINK_XFRM:
1180 			return SECCLASS_NETLINK_XFRM_SOCKET;
1181 		case NETLINK_SELINUX:
1182 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1183 		case NETLINK_ISCSI:
1184 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1185 		case NETLINK_AUDIT:
1186 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1187 		case NETLINK_FIB_LOOKUP:
1188 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1189 		case NETLINK_CONNECTOR:
1190 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1191 		case NETLINK_NETFILTER:
1192 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1193 		case NETLINK_DNRTMSG:
1194 			return SECCLASS_NETLINK_DNRT_SOCKET;
1195 		case NETLINK_KOBJECT_UEVENT:
1196 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1197 		case NETLINK_GENERIC:
1198 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1199 		case NETLINK_SCSITRANSPORT:
1200 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1201 		case NETLINK_RDMA:
1202 			return SECCLASS_NETLINK_RDMA_SOCKET;
1203 		case NETLINK_CRYPTO:
1204 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1205 		default:
1206 			return SECCLASS_NETLINK_SOCKET;
1207 		}
1208 	case PF_PACKET:
1209 		return SECCLASS_PACKET_SOCKET;
1210 	case PF_KEY:
1211 		return SECCLASS_KEY_SOCKET;
1212 	case PF_APPLETALK:
1213 		return SECCLASS_APPLETALK_SOCKET;
1214 	}
1215 
1216 	if (extsockclass) {
1217 		switch (family) {
1218 		case PF_AX25:
1219 			return SECCLASS_AX25_SOCKET;
1220 		case PF_IPX:
1221 			return SECCLASS_IPX_SOCKET;
1222 		case PF_NETROM:
1223 			return SECCLASS_NETROM_SOCKET;
1224 		case PF_ATMPVC:
1225 			return SECCLASS_ATMPVC_SOCKET;
1226 		case PF_X25:
1227 			return SECCLASS_X25_SOCKET;
1228 		case PF_ROSE:
1229 			return SECCLASS_ROSE_SOCKET;
1230 		case PF_DECnet:
1231 			return SECCLASS_DECNET_SOCKET;
1232 		case PF_ATMSVC:
1233 			return SECCLASS_ATMSVC_SOCKET;
1234 		case PF_RDS:
1235 			return SECCLASS_RDS_SOCKET;
1236 		case PF_IRDA:
1237 			return SECCLASS_IRDA_SOCKET;
1238 		case PF_PPPOX:
1239 			return SECCLASS_PPPOX_SOCKET;
1240 		case PF_LLC:
1241 			return SECCLASS_LLC_SOCKET;
1242 		case PF_CAN:
1243 			return SECCLASS_CAN_SOCKET;
1244 		case PF_TIPC:
1245 			return SECCLASS_TIPC_SOCKET;
1246 		case PF_BLUETOOTH:
1247 			return SECCLASS_BLUETOOTH_SOCKET;
1248 		case PF_IUCV:
1249 			return SECCLASS_IUCV_SOCKET;
1250 		case PF_RXRPC:
1251 			return SECCLASS_RXRPC_SOCKET;
1252 		case PF_ISDN:
1253 			return SECCLASS_ISDN_SOCKET;
1254 		case PF_PHONET:
1255 			return SECCLASS_PHONET_SOCKET;
1256 		case PF_IEEE802154:
1257 			return SECCLASS_IEEE802154_SOCKET;
1258 		case PF_CAIF:
1259 			return SECCLASS_CAIF_SOCKET;
1260 		case PF_ALG:
1261 			return SECCLASS_ALG_SOCKET;
1262 		case PF_NFC:
1263 			return SECCLASS_NFC_SOCKET;
1264 		case PF_VSOCK:
1265 			return SECCLASS_VSOCK_SOCKET;
1266 		case PF_KCM:
1267 			return SECCLASS_KCM_SOCKET;
1268 		case PF_QIPCRTR:
1269 			return SECCLASS_QIPCRTR_SOCKET;
1270 		case PF_SMC:
1271 			return SECCLASS_SMC_SOCKET;
1272 		case PF_XDP:
1273 			return SECCLASS_XDP_SOCKET;
1274 #if PF_MAX > 45
1275 #error New address family defined, please update this function.
1276 #endif
1277 		}
1278 	}
1279 
1280 	return SECCLASS_SOCKET;
1281 }
1282 
1283 static int selinux_genfs_get_sid(struct dentry *dentry,
1284 				 u16 tclass,
1285 				 u16 flags,
1286 				 u32 *sid)
1287 {
1288 	int rc;
1289 	struct super_block *sb = dentry->d_sb;
1290 	char *buffer, *path;
1291 
1292 	buffer = (char *)__get_free_page(GFP_KERNEL);
1293 	if (!buffer)
1294 		return -ENOMEM;
1295 
1296 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1297 	if (IS_ERR(path))
1298 		rc = PTR_ERR(path);
1299 	else {
1300 		if (flags & SE_SBPROC) {
1301 			/* each process gets a /proc/PID/ entry. Strip off the
1302 			 * PID part to get a valid selinux labeling.
1303 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1304 			while (path[1] >= '0' && path[1] <= '9') {
1305 				path[1] = '/';
1306 				path++;
1307 			}
1308 		}
1309 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1310 					path, tclass, sid);
1311 		if (rc == -ENOENT) {
1312 			/* No match in policy, mark as unlabeled. */
1313 			*sid = SECINITSID_UNLABELED;
1314 			rc = 0;
1315 		}
1316 	}
1317 	free_page((unsigned long)buffer);
1318 	return rc;
1319 }
1320 
1321 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1322 				  u32 def_sid, u32 *sid)
1323 {
1324 #define INITCONTEXTLEN 255
1325 	char *context;
1326 	unsigned int len;
1327 	int rc;
1328 
1329 	len = INITCONTEXTLEN;
1330 	context = kmalloc(len + 1, GFP_NOFS);
1331 	if (!context)
1332 		return -ENOMEM;
1333 
1334 	context[len] = '\0';
1335 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1336 	if (rc == -ERANGE) {
1337 		kfree(context);
1338 
1339 		/* Need a larger buffer.  Query for the right size. */
1340 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1341 		if (rc < 0)
1342 			return rc;
1343 
1344 		len = rc;
1345 		context = kmalloc(len + 1, GFP_NOFS);
1346 		if (!context)
1347 			return -ENOMEM;
1348 
1349 		context[len] = '\0';
1350 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1351 				    context, len);
1352 	}
1353 	if (rc < 0) {
1354 		kfree(context);
1355 		if (rc != -ENODATA) {
1356 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1357 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1358 			return rc;
1359 		}
1360 		*sid = def_sid;
1361 		return 0;
1362 	}
1363 
1364 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1365 					     def_sid, GFP_NOFS);
1366 	if (rc) {
1367 		char *dev = inode->i_sb->s_id;
1368 		unsigned long ino = inode->i_ino;
1369 
1370 		if (rc == -EINVAL) {
1371 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1372 					      ino, dev, context);
1373 		} else {
1374 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1375 				__func__, context, -rc, dev, ino);
1376 		}
1377 	}
1378 	kfree(context);
1379 	return 0;
1380 }
1381 
1382 /* The inode's security attributes must be initialized before first use. */
1383 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1384 {
1385 	struct superblock_security_struct *sbsec = NULL;
1386 	struct inode_security_struct *isec = selinux_inode(inode);
1387 	u32 task_sid, sid = 0;
1388 	u16 sclass;
1389 	struct dentry *dentry;
1390 	int rc = 0;
1391 
1392 	if (isec->initialized == LABEL_INITIALIZED)
1393 		return 0;
1394 
1395 	spin_lock(&isec->lock);
1396 	if (isec->initialized == LABEL_INITIALIZED)
1397 		goto out_unlock;
1398 
1399 	if (isec->sclass == SECCLASS_FILE)
1400 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1401 
1402 	sbsec = inode->i_sb->s_security;
1403 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1404 		/* Defer initialization until selinux_complete_init,
1405 		   after the initial policy is loaded and the security
1406 		   server is ready to handle calls. */
1407 		spin_lock(&sbsec->isec_lock);
1408 		if (list_empty(&isec->list))
1409 			list_add(&isec->list, &sbsec->isec_head);
1410 		spin_unlock(&sbsec->isec_lock);
1411 		goto out_unlock;
1412 	}
1413 
1414 	sclass = isec->sclass;
1415 	task_sid = isec->task_sid;
1416 	sid = isec->sid;
1417 	isec->initialized = LABEL_PENDING;
1418 	spin_unlock(&isec->lock);
1419 
1420 	switch (sbsec->behavior) {
1421 	case SECURITY_FS_USE_NATIVE:
1422 		break;
1423 	case SECURITY_FS_USE_XATTR:
1424 		if (!(inode->i_opflags & IOP_XATTR)) {
1425 			sid = sbsec->def_sid;
1426 			break;
1427 		}
1428 		/* Need a dentry, since the xattr API requires one.
1429 		   Life would be simpler if we could just pass the inode. */
1430 		if (opt_dentry) {
1431 			/* Called from d_instantiate or d_splice_alias. */
1432 			dentry = dget(opt_dentry);
1433 		} else {
1434 			/*
1435 			 * Called from selinux_complete_init, try to find a dentry.
1436 			 * Some filesystems really want a connected one, so try
1437 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1438 			 * two, depending upon that...
1439 			 */
1440 			dentry = d_find_alias(inode);
1441 			if (!dentry)
1442 				dentry = d_find_any_alias(inode);
1443 		}
1444 		if (!dentry) {
1445 			/*
1446 			 * this is can be hit on boot when a file is accessed
1447 			 * before the policy is loaded.  When we load policy we
1448 			 * may find inodes that have no dentry on the
1449 			 * sbsec->isec_head list.  No reason to complain as these
1450 			 * will get fixed up the next time we go through
1451 			 * inode_doinit with a dentry, before these inodes could
1452 			 * be used again by userspace.
1453 			 */
1454 			goto out;
1455 		}
1456 
1457 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1458 					    &sid);
1459 		dput(dentry);
1460 		if (rc)
1461 			goto out;
1462 		break;
1463 	case SECURITY_FS_USE_TASK:
1464 		sid = task_sid;
1465 		break;
1466 	case SECURITY_FS_USE_TRANS:
1467 		/* Default to the fs SID. */
1468 		sid = sbsec->sid;
1469 
1470 		/* Try to obtain a transition SID. */
1471 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1472 					     sclass, NULL, &sid);
1473 		if (rc)
1474 			goto out;
1475 		break;
1476 	case SECURITY_FS_USE_MNTPOINT:
1477 		sid = sbsec->mntpoint_sid;
1478 		break;
1479 	default:
1480 		/* Default to the fs superblock SID. */
1481 		sid = sbsec->sid;
1482 
1483 		if ((sbsec->flags & SE_SBGENFS) &&
1484 		     (!S_ISLNK(inode->i_mode) ||
1485 		      selinux_policycap_genfs_seclabel_symlinks())) {
1486 			/* We must have a dentry to determine the label on
1487 			 * procfs inodes */
1488 			if (opt_dentry) {
1489 				/* Called from d_instantiate or
1490 				 * d_splice_alias. */
1491 				dentry = dget(opt_dentry);
1492 			} else {
1493 				/* Called from selinux_complete_init, try to
1494 				 * find a dentry.  Some filesystems really want
1495 				 * a connected one, so try that first.
1496 				 */
1497 				dentry = d_find_alias(inode);
1498 				if (!dentry)
1499 					dentry = d_find_any_alias(inode);
1500 			}
1501 			/*
1502 			 * This can be hit on boot when a file is accessed
1503 			 * before the policy is loaded.  When we load policy we
1504 			 * may find inodes that have no dentry on the
1505 			 * sbsec->isec_head list.  No reason to complain as
1506 			 * these will get fixed up the next time we go through
1507 			 * inode_doinit() with a dentry, before these inodes
1508 			 * could be used again by userspace.
1509 			 */
1510 			if (!dentry)
1511 				goto out;
1512 			rc = selinux_genfs_get_sid(dentry, sclass,
1513 						   sbsec->flags, &sid);
1514 			if (rc) {
1515 				dput(dentry);
1516 				goto out;
1517 			}
1518 
1519 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1520 			    (inode->i_opflags & IOP_XATTR)) {
1521 				rc = inode_doinit_use_xattr(inode, dentry,
1522 							    sid, &sid);
1523 				if (rc) {
1524 					dput(dentry);
1525 					goto out;
1526 				}
1527 			}
1528 			dput(dentry);
1529 		}
1530 		break;
1531 	}
1532 
1533 out:
1534 	spin_lock(&isec->lock);
1535 	if (isec->initialized == LABEL_PENDING) {
1536 		if (!sid || rc) {
1537 			isec->initialized = LABEL_INVALID;
1538 			goto out_unlock;
1539 		}
1540 
1541 		isec->initialized = LABEL_INITIALIZED;
1542 		isec->sid = sid;
1543 	}
1544 
1545 out_unlock:
1546 	spin_unlock(&isec->lock);
1547 	return rc;
1548 }
1549 
1550 /* Convert a Linux signal to an access vector. */
1551 static inline u32 signal_to_av(int sig)
1552 {
1553 	u32 perm = 0;
1554 
1555 	switch (sig) {
1556 	case SIGCHLD:
1557 		/* Commonly granted from child to parent. */
1558 		perm = PROCESS__SIGCHLD;
1559 		break;
1560 	case SIGKILL:
1561 		/* Cannot be caught or ignored */
1562 		perm = PROCESS__SIGKILL;
1563 		break;
1564 	case SIGSTOP:
1565 		/* Cannot be caught or ignored */
1566 		perm = PROCESS__SIGSTOP;
1567 		break;
1568 	default:
1569 		/* All other signals. */
1570 		perm = PROCESS__SIGNAL;
1571 		break;
1572 	}
1573 
1574 	return perm;
1575 }
1576 
1577 #if CAP_LAST_CAP > 63
1578 #error Fix SELinux to handle capabilities > 63.
1579 #endif
1580 
1581 /* Check whether a task is allowed to use a capability. */
1582 static int cred_has_capability(const struct cred *cred,
1583 			       int cap, unsigned int opts, bool initns)
1584 {
1585 	struct common_audit_data ad;
1586 	struct av_decision avd;
1587 	u16 sclass;
1588 	u32 sid = cred_sid(cred);
1589 	u32 av = CAP_TO_MASK(cap);
1590 	int rc;
1591 
1592 	ad.type = LSM_AUDIT_DATA_CAP;
1593 	ad.u.cap = cap;
1594 
1595 	switch (CAP_TO_INDEX(cap)) {
1596 	case 0:
1597 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1598 		break;
1599 	case 1:
1600 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1601 		break;
1602 	default:
1603 		pr_err("SELinux:  out of range capability %d\n", cap);
1604 		BUG();
1605 		return -EINVAL;
1606 	}
1607 
1608 	rc = avc_has_perm_noaudit(&selinux_state,
1609 				  sid, sid, sclass, av, 0, &avd);
1610 	if (!(opts & CAP_OPT_NOAUDIT)) {
1611 		int rc2 = avc_audit(&selinux_state,
1612 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1613 		if (rc2)
1614 			return rc2;
1615 	}
1616 	return rc;
1617 }
1618 
1619 /* Check whether a task has a particular permission to an inode.
1620    The 'adp' parameter is optional and allows other audit
1621    data to be passed (e.g. the dentry). */
1622 static int inode_has_perm(const struct cred *cred,
1623 			  struct inode *inode,
1624 			  u32 perms,
1625 			  struct common_audit_data *adp)
1626 {
1627 	struct inode_security_struct *isec;
1628 	u32 sid;
1629 
1630 	validate_creds(cred);
1631 
1632 	if (unlikely(IS_PRIVATE(inode)))
1633 		return 0;
1634 
1635 	sid = cred_sid(cred);
1636 	isec = selinux_inode(inode);
1637 
1638 	return avc_has_perm(&selinux_state,
1639 			    sid, isec->sid, isec->sclass, perms, adp);
1640 }
1641 
1642 /* Same as inode_has_perm, but pass explicit audit data containing
1643    the dentry to help the auditing code to more easily generate the
1644    pathname if needed. */
1645 static inline int dentry_has_perm(const struct cred *cred,
1646 				  struct dentry *dentry,
1647 				  u32 av)
1648 {
1649 	struct inode *inode = d_backing_inode(dentry);
1650 	struct common_audit_data ad;
1651 
1652 	ad.type = LSM_AUDIT_DATA_DENTRY;
1653 	ad.u.dentry = dentry;
1654 	__inode_security_revalidate(inode, dentry, true);
1655 	return inode_has_perm(cred, inode, av, &ad);
1656 }
1657 
1658 /* Same as inode_has_perm, but pass explicit audit data containing
1659    the path to help the auditing code to more easily generate the
1660    pathname if needed. */
1661 static inline int path_has_perm(const struct cred *cred,
1662 				const struct path *path,
1663 				u32 av)
1664 {
1665 	struct inode *inode = d_backing_inode(path->dentry);
1666 	struct common_audit_data ad;
1667 
1668 	ad.type = LSM_AUDIT_DATA_PATH;
1669 	ad.u.path = *path;
1670 	__inode_security_revalidate(inode, path->dentry, true);
1671 	return inode_has_perm(cred, inode, av, &ad);
1672 }
1673 
1674 /* Same as path_has_perm, but uses the inode from the file struct. */
1675 static inline int file_path_has_perm(const struct cred *cred,
1676 				     struct file *file,
1677 				     u32 av)
1678 {
1679 	struct common_audit_data ad;
1680 
1681 	ad.type = LSM_AUDIT_DATA_FILE;
1682 	ad.u.file = file;
1683 	return inode_has_perm(cred, file_inode(file), av, &ad);
1684 }
1685 
1686 #ifdef CONFIG_BPF_SYSCALL
1687 static int bpf_fd_pass(struct file *file, u32 sid);
1688 #endif
1689 
1690 /* Check whether a task can use an open file descriptor to
1691    access an inode in a given way.  Check access to the
1692    descriptor itself, and then use dentry_has_perm to
1693    check a particular permission to the file.
1694    Access to the descriptor is implicitly granted if it
1695    has the same SID as the process.  If av is zero, then
1696    access to the file is not checked, e.g. for cases
1697    where only the descriptor is affected like seek. */
1698 static int file_has_perm(const struct cred *cred,
1699 			 struct file *file,
1700 			 u32 av)
1701 {
1702 	struct file_security_struct *fsec = selinux_file(file);
1703 	struct inode *inode = file_inode(file);
1704 	struct common_audit_data ad;
1705 	u32 sid = cred_sid(cred);
1706 	int rc;
1707 
1708 	ad.type = LSM_AUDIT_DATA_FILE;
1709 	ad.u.file = file;
1710 
1711 	if (sid != fsec->sid) {
1712 		rc = avc_has_perm(&selinux_state,
1713 				  sid, fsec->sid,
1714 				  SECCLASS_FD,
1715 				  FD__USE,
1716 				  &ad);
1717 		if (rc)
1718 			goto out;
1719 	}
1720 
1721 #ifdef CONFIG_BPF_SYSCALL
1722 	rc = bpf_fd_pass(file, cred_sid(cred));
1723 	if (rc)
1724 		return rc;
1725 #endif
1726 
1727 	/* av is zero if only checking access to the descriptor. */
1728 	rc = 0;
1729 	if (av)
1730 		rc = inode_has_perm(cred, inode, av, &ad);
1731 
1732 out:
1733 	return rc;
1734 }
1735 
1736 /*
1737  * Determine the label for an inode that might be unioned.
1738  */
1739 static int
1740 selinux_determine_inode_label(const struct task_security_struct *tsec,
1741 				 struct inode *dir,
1742 				 const struct qstr *name, u16 tclass,
1743 				 u32 *_new_isid)
1744 {
1745 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1746 
1747 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1748 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1749 		*_new_isid = sbsec->mntpoint_sid;
1750 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1751 		   tsec->create_sid) {
1752 		*_new_isid = tsec->create_sid;
1753 	} else {
1754 		const struct inode_security_struct *dsec = inode_security(dir);
1755 		return security_transition_sid(&selinux_state, tsec->sid,
1756 					       dsec->sid, tclass,
1757 					       name, _new_isid);
1758 	}
1759 
1760 	return 0;
1761 }
1762 
1763 /* Check whether a task can create a file. */
1764 static int may_create(struct inode *dir,
1765 		      struct dentry *dentry,
1766 		      u16 tclass)
1767 {
1768 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1769 	struct inode_security_struct *dsec;
1770 	struct superblock_security_struct *sbsec;
1771 	u32 sid, newsid;
1772 	struct common_audit_data ad;
1773 	int rc;
1774 
1775 	dsec = inode_security(dir);
1776 	sbsec = dir->i_sb->s_security;
1777 
1778 	sid = tsec->sid;
1779 
1780 	ad.type = LSM_AUDIT_DATA_DENTRY;
1781 	ad.u.dentry = dentry;
1782 
1783 	rc = avc_has_perm(&selinux_state,
1784 			  sid, dsec->sid, SECCLASS_DIR,
1785 			  DIR__ADD_NAME | DIR__SEARCH,
1786 			  &ad);
1787 	if (rc)
1788 		return rc;
1789 
1790 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1791 					   &newsid);
1792 	if (rc)
1793 		return rc;
1794 
1795 	rc = avc_has_perm(&selinux_state,
1796 			  sid, newsid, tclass, FILE__CREATE, &ad);
1797 	if (rc)
1798 		return rc;
1799 
1800 	return avc_has_perm(&selinux_state,
1801 			    newsid, sbsec->sid,
1802 			    SECCLASS_FILESYSTEM,
1803 			    FILESYSTEM__ASSOCIATE, &ad);
1804 }
1805 
1806 #define MAY_LINK	0
1807 #define MAY_UNLINK	1
1808 #define MAY_RMDIR	2
1809 
1810 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1811 static int may_link(struct inode *dir,
1812 		    struct dentry *dentry,
1813 		    int kind)
1814 
1815 {
1816 	struct inode_security_struct *dsec, *isec;
1817 	struct common_audit_data ad;
1818 	u32 sid = current_sid();
1819 	u32 av;
1820 	int rc;
1821 
1822 	dsec = inode_security(dir);
1823 	isec = backing_inode_security(dentry);
1824 
1825 	ad.type = LSM_AUDIT_DATA_DENTRY;
1826 	ad.u.dentry = dentry;
1827 
1828 	av = DIR__SEARCH;
1829 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1830 	rc = avc_has_perm(&selinux_state,
1831 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1832 	if (rc)
1833 		return rc;
1834 
1835 	switch (kind) {
1836 	case MAY_LINK:
1837 		av = FILE__LINK;
1838 		break;
1839 	case MAY_UNLINK:
1840 		av = FILE__UNLINK;
1841 		break;
1842 	case MAY_RMDIR:
1843 		av = DIR__RMDIR;
1844 		break;
1845 	default:
1846 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1847 			__func__, kind);
1848 		return 0;
1849 	}
1850 
1851 	rc = avc_has_perm(&selinux_state,
1852 			  sid, isec->sid, isec->sclass, av, &ad);
1853 	return rc;
1854 }
1855 
1856 static inline int may_rename(struct inode *old_dir,
1857 			     struct dentry *old_dentry,
1858 			     struct inode *new_dir,
1859 			     struct dentry *new_dentry)
1860 {
1861 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1862 	struct common_audit_data ad;
1863 	u32 sid = current_sid();
1864 	u32 av;
1865 	int old_is_dir, new_is_dir;
1866 	int rc;
1867 
1868 	old_dsec = inode_security(old_dir);
1869 	old_isec = backing_inode_security(old_dentry);
1870 	old_is_dir = d_is_dir(old_dentry);
1871 	new_dsec = inode_security(new_dir);
1872 
1873 	ad.type = LSM_AUDIT_DATA_DENTRY;
1874 
1875 	ad.u.dentry = old_dentry;
1876 	rc = avc_has_perm(&selinux_state,
1877 			  sid, old_dsec->sid, SECCLASS_DIR,
1878 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1879 	if (rc)
1880 		return rc;
1881 	rc = avc_has_perm(&selinux_state,
1882 			  sid, old_isec->sid,
1883 			  old_isec->sclass, FILE__RENAME, &ad);
1884 	if (rc)
1885 		return rc;
1886 	if (old_is_dir && new_dir != old_dir) {
1887 		rc = avc_has_perm(&selinux_state,
1888 				  sid, old_isec->sid,
1889 				  old_isec->sclass, DIR__REPARENT, &ad);
1890 		if (rc)
1891 			return rc;
1892 	}
1893 
1894 	ad.u.dentry = new_dentry;
1895 	av = DIR__ADD_NAME | DIR__SEARCH;
1896 	if (d_is_positive(new_dentry))
1897 		av |= DIR__REMOVE_NAME;
1898 	rc = avc_has_perm(&selinux_state,
1899 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1900 	if (rc)
1901 		return rc;
1902 	if (d_is_positive(new_dentry)) {
1903 		new_isec = backing_inode_security(new_dentry);
1904 		new_is_dir = d_is_dir(new_dentry);
1905 		rc = avc_has_perm(&selinux_state,
1906 				  sid, new_isec->sid,
1907 				  new_isec->sclass,
1908 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1909 		if (rc)
1910 			return rc;
1911 	}
1912 
1913 	return 0;
1914 }
1915 
1916 /* Check whether a task can perform a filesystem operation. */
1917 static int superblock_has_perm(const struct cred *cred,
1918 			       struct super_block *sb,
1919 			       u32 perms,
1920 			       struct common_audit_data *ad)
1921 {
1922 	struct superblock_security_struct *sbsec;
1923 	u32 sid = cred_sid(cred);
1924 
1925 	sbsec = sb->s_security;
1926 	return avc_has_perm(&selinux_state,
1927 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1928 }
1929 
1930 /* Convert a Linux mode and permission mask to an access vector. */
1931 static inline u32 file_mask_to_av(int mode, int mask)
1932 {
1933 	u32 av = 0;
1934 
1935 	if (!S_ISDIR(mode)) {
1936 		if (mask & MAY_EXEC)
1937 			av |= FILE__EXECUTE;
1938 		if (mask & MAY_READ)
1939 			av |= FILE__READ;
1940 
1941 		if (mask & MAY_APPEND)
1942 			av |= FILE__APPEND;
1943 		else if (mask & MAY_WRITE)
1944 			av |= FILE__WRITE;
1945 
1946 	} else {
1947 		if (mask & MAY_EXEC)
1948 			av |= DIR__SEARCH;
1949 		if (mask & MAY_WRITE)
1950 			av |= DIR__WRITE;
1951 		if (mask & MAY_READ)
1952 			av |= DIR__READ;
1953 	}
1954 
1955 	return av;
1956 }
1957 
1958 /* Convert a Linux file to an access vector. */
1959 static inline u32 file_to_av(struct file *file)
1960 {
1961 	u32 av = 0;
1962 
1963 	if (file->f_mode & FMODE_READ)
1964 		av |= FILE__READ;
1965 	if (file->f_mode & FMODE_WRITE) {
1966 		if (file->f_flags & O_APPEND)
1967 			av |= FILE__APPEND;
1968 		else
1969 			av |= FILE__WRITE;
1970 	}
1971 	if (!av) {
1972 		/*
1973 		 * Special file opened with flags 3 for ioctl-only use.
1974 		 */
1975 		av = FILE__IOCTL;
1976 	}
1977 
1978 	return av;
1979 }
1980 
1981 /*
1982  * Convert a file to an access vector and include the correct
1983  * open permission.
1984  */
1985 static inline u32 open_file_to_av(struct file *file)
1986 {
1987 	u32 av = file_to_av(file);
1988 	struct inode *inode = file_inode(file);
1989 
1990 	if (selinux_policycap_openperm() &&
1991 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1992 		av |= FILE__OPEN;
1993 
1994 	return av;
1995 }
1996 
1997 /* Hook functions begin here. */
1998 
1999 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2000 {
2001 	u32 mysid = current_sid();
2002 	u32 mgrsid = task_sid(mgr);
2003 
2004 	return avc_has_perm(&selinux_state,
2005 			    mysid, mgrsid, SECCLASS_BINDER,
2006 			    BINDER__SET_CONTEXT_MGR, NULL);
2007 }
2008 
2009 static int selinux_binder_transaction(struct task_struct *from,
2010 				      struct task_struct *to)
2011 {
2012 	u32 mysid = current_sid();
2013 	u32 fromsid = task_sid(from);
2014 	u32 tosid = task_sid(to);
2015 	int rc;
2016 
2017 	if (mysid != fromsid) {
2018 		rc = avc_has_perm(&selinux_state,
2019 				  mysid, fromsid, SECCLASS_BINDER,
2020 				  BINDER__IMPERSONATE, NULL);
2021 		if (rc)
2022 			return rc;
2023 	}
2024 
2025 	return avc_has_perm(&selinux_state,
2026 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2027 			    NULL);
2028 }
2029 
2030 static int selinux_binder_transfer_binder(struct task_struct *from,
2031 					  struct task_struct *to)
2032 {
2033 	u32 fromsid = task_sid(from);
2034 	u32 tosid = task_sid(to);
2035 
2036 	return avc_has_perm(&selinux_state,
2037 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2038 			    NULL);
2039 }
2040 
2041 static int selinux_binder_transfer_file(struct task_struct *from,
2042 					struct task_struct *to,
2043 					struct file *file)
2044 {
2045 	u32 sid = task_sid(to);
2046 	struct file_security_struct *fsec = selinux_file(file);
2047 	struct dentry *dentry = file->f_path.dentry;
2048 	struct inode_security_struct *isec;
2049 	struct common_audit_data ad;
2050 	int rc;
2051 
2052 	ad.type = LSM_AUDIT_DATA_PATH;
2053 	ad.u.path = file->f_path;
2054 
2055 	if (sid != fsec->sid) {
2056 		rc = avc_has_perm(&selinux_state,
2057 				  sid, fsec->sid,
2058 				  SECCLASS_FD,
2059 				  FD__USE,
2060 				  &ad);
2061 		if (rc)
2062 			return rc;
2063 	}
2064 
2065 #ifdef CONFIG_BPF_SYSCALL
2066 	rc = bpf_fd_pass(file, sid);
2067 	if (rc)
2068 		return rc;
2069 #endif
2070 
2071 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2072 		return 0;
2073 
2074 	isec = backing_inode_security(dentry);
2075 	return avc_has_perm(&selinux_state,
2076 			    sid, isec->sid, isec->sclass, file_to_av(file),
2077 			    &ad);
2078 }
2079 
2080 static int selinux_ptrace_access_check(struct task_struct *child,
2081 				     unsigned int mode)
2082 {
2083 	u32 sid = current_sid();
2084 	u32 csid = task_sid(child);
2085 
2086 	if (mode & PTRACE_MODE_READ)
2087 		return avc_has_perm(&selinux_state,
2088 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2089 
2090 	return avc_has_perm(&selinux_state,
2091 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2092 }
2093 
2094 static int selinux_ptrace_traceme(struct task_struct *parent)
2095 {
2096 	return avc_has_perm(&selinux_state,
2097 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2098 			    PROCESS__PTRACE, NULL);
2099 }
2100 
2101 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2102 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2103 {
2104 	return avc_has_perm(&selinux_state,
2105 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2106 			    PROCESS__GETCAP, NULL);
2107 }
2108 
2109 static int selinux_capset(struct cred *new, const struct cred *old,
2110 			  const kernel_cap_t *effective,
2111 			  const kernel_cap_t *inheritable,
2112 			  const kernel_cap_t *permitted)
2113 {
2114 	return avc_has_perm(&selinux_state,
2115 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2116 			    PROCESS__SETCAP, NULL);
2117 }
2118 
2119 /*
2120  * (This comment used to live with the selinux_task_setuid hook,
2121  * which was removed).
2122  *
2123  * Since setuid only affects the current process, and since the SELinux
2124  * controls are not based on the Linux identity attributes, SELinux does not
2125  * need to control this operation.  However, SELinux does control the use of
2126  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2127  */
2128 
2129 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2130 			   int cap, unsigned int opts)
2131 {
2132 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2133 }
2134 
2135 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2136 {
2137 	const struct cred *cred = current_cred();
2138 	int rc = 0;
2139 
2140 	if (!sb)
2141 		return 0;
2142 
2143 	switch (cmds) {
2144 	case Q_SYNC:
2145 	case Q_QUOTAON:
2146 	case Q_QUOTAOFF:
2147 	case Q_SETINFO:
2148 	case Q_SETQUOTA:
2149 	case Q_XQUOTAOFF:
2150 	case Q_XQUOTAON:
2151 	case Q_XSETQLIM:
2152 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2153 		break;
2154 	case Q_GETFMT:
2155 	case Q_GETINFO:
2156 	case Q_GETQUOTA:
2157 	case Q_XGETQUOTA:
2158 	case Q_XGETQSTAT:
2159 	case Q_XGETQSTATV:
2160 	case Q_XGETNEXTQUOTA:
2161 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2162 		break;
2163 	default:
2164 		rc = 0;  /* let the kernel handle invalid cmds */
2165 		break;
2166 	}
2167 	return rc;
2168 }
2169 
2170 static int selinux_quota_on(struct dentry *dentry)
2171 {
2172 	const struct cred *cred = current_cred();
2173 
2174 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2175 }
2176 
2177 static int selinux_syslog(int type)
2178 {
2179 	switch (type) {
2180 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2181 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2182 		return avc_has_perm(&selinux_state,
2183 				    current_sid(), SECINITSID_KERNEL,
2184 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2185 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2186 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2187 	/* Set level of messages printed to console */
2188 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2189 		return avc_has_perm(&selinux_state,
2190 				    current_sid(), SECINITSID_KERNEL,
2191 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2192 				    NULL);
2193 	}
2194 	/* All other syslog types */
2195 	return avc_has_perm(&selinux_state,
2196 			    current_sid(), SECINITSID_KERNEL,
2197 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2198 }
2199 
2200 /*
2201  * Check that a process has enough memory to allocate a new virtual
2202  * mapping. 0 means there is enough memory for the allocation to
2203  * succeed and -ENOMEM implies there is not.
2204  *
2205  * Do not audit the selinux permission check, as this is applied to all
2206  * processes that allocate mappings.
2207  */
2208 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2209 {
2210 	int rc, cap_sys_admin = 0;
2211 
2212 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2213 				 CAP_OPT_NOAUDIT, true);
2214 	if (rc == 0)
2215 		cap_sys_admin = 1;
2216 
2217 	return cap_sys_admin;
2218 }
2219 
2220 /* binprm security operations */
2221 
2222 static u32 ptrace_parent_sid(void)
2223 {
2224 	u32 sid = 0;
2225 	struct task_struct *tracer;
2226 
2227 	rcu_read_lock();
2228 	tracer = ptrace_parent(current);
2229 	if (tracer)
2230 		sid = task_sid(tracer);
2231 	rcu_read_unlock();
2232 
2233 	return sid;
2234 }
2235 
2236 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2237 			    const struct task_security_struct *old_tsec,
2238 			    const struct task_security_struct *new_tsec)
2239 {
2240 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2241 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2242 	int rc;
2243 	u32 av;
2244 
2245 	if (!nnp && !nosuid)
2246 		return 0; /* neither NNP nor nosuid */
2247 
2248 	if (new_tsec->sid == old_tsec->sid)
2249 		return 0; /* No change in credentials */
2250 
2251 	/*
2252 	 * If the policy enables the nnp_nosuid_transition policy capability,
2253 	 * then we permit transitions under NNP or nosuid if the
2254 	 * policy allows the corresponding permission between
2255 	 * the old and new contexts.
2256 	 */
2257 	if (selinux_policycap_nnp_nosuid_transition()) {
2258 		av = 0;
2259 		if (nnp)
2260 			av |= PROCESS2__NNP_TRANSITION;
2261 		if (nosuid)
2262 			av |= PROCESS2__NOSUID_TRANSITION;
2263 		rc = avc_has_perm(&selinux_state,
2264 				  old_tsec->sid, new_tsec->sid,
2265 				  SECCLASS_PROCESS2, av, NULL);
2266 		if (!rc)
2267 			return 0;
2268 	}
2269 
2270 	/*
2271 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2272 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2273 	 * of the permissions of the current SID.
2274 	 */
2275 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2276 					 new_tsec->sid);
2277 	if (!rc)
2278 		return 0;
2279 
2280 	/*
2281 	 * On failure, preserve the errno values for NNP vs nosuid.
2282 	 * NNP:  Operation not permitted for caller.
2283 	 * nosuid:  Permission denied to file.
2284 	 */
2285 	if (nnp)
2286 		return -EPERM;
2287 	return -EACCES;
2288 }
2289 
2290 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2291 {
2292 	const struct task_security_struct *old_tsec;
2293 	struct task_security_struct *new_tsec;
2294 	struct inode_security_struct *isec;
2295 	struct common_audit_data ad;
2296 	struct inode *inode = file_inode(bprm->file);
2297 	int rc;
2298 
2299 	/* SELinux context only depends on initial program or script and not
2300 	 * the script interpreter */
2301 
2302 	old_tsec = selinux_cred(current_cred());
2303 	new_tsec = selinux_cred(bprm->cred);
2304 	isec = inode_security(inode);
2305 
2306 	/* Default to the current task SID. */
2307 	new_tsec->sid = old_tsec->sid;
2308 	new_tsec->osid = old_tsec->sid;
2309 
2310 	/* Reset fs, key, and sock SIDs on execve. */
2311 	new_tsec->create_sid = 0;
2312 	new_tsec->keycreate_sid = 0;
2313 	new_tsec->sockcreate_sid = 0;
2314 
2315 	if (old_tsec->exec_sid) {
2316 		new_tsec->sid = old_tsec->exec_sid;
2317 		/* Reset exec SID on execve. */
2318 		new_tsec->exec_sid = 0;
2319 
2320 		/* Fail on NNP or nosuid if not an allowed transition. */
2321 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2322 		if (rc)
2323 			return rc;
2324 	} else {
2325 		/* Check for a default transition on this program. */
2326 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2327 					     isec->sid, SECCLASS_PROCESS, NULL,
2328 					     &new_tsec->sid);
2329 		if (rc)
2330 			return rc;
2331 
2332 		/*
2333 		 * Fallback to old SID on NNP or nosuid if not an allowed
2334 		 * transition.
2335 		 */
2336 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2337 		if (rc)
2338 			new_tsec->sid = old_tsec->sid;
2339 	}
2340 
2341 	ad.type = LSM_AUDIT_DATA_FILE;
2342 	ad.u.file = bprm->file;
2343 
2344 	if (new_tsec->sid == old_tsec->sid) {
2345 		rc = avc_has_perm(&selinux_state,
2346 				  old_tsec->sid, isec->sid,
2347 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 		if (rc)
2349 			return rc;
2350 	} else {
2351 		/* Check permissions for the transition. */
2352 		rc = avc_has_perm(&selinux_state,
2353 				  old_tsec->sid, new_tsec->sid,
2354 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2355 		if (rc)
2356 			return rc;
2357 
2358 		rc = avc_has_perm(&selinux_state,
2359 				  new_tsec->sid, isec->sid,
2360 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2361 		if (rc)
2362 			return rc;
2363 
2364 		/* Check for shared state */
2365 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2366 			rc = avc_has_perm(&selinux_state,
2367 					  old_tsec->sid, new_tsec->sid,
2368 					  SECCLASS_PROCESS, PROCESS__SHARE,
2369 					  NULL);
2370 			if (rc)
2371 				return -EPERM;
2372 		}
2373 
2374 		/* Make sure that anyone attempting to ptrace over a task that
2375 		 * changes its SID has the appropriate permit */
2376 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2377 			u32 ptsid = ptrace_parent_sid();
2378 			if (ptsid != 0) {
2379 				rc = avc_has_perm(&selinux_state,
2380 						  ptsid, new_tsec->sid,
2381 						  SECCLASS_PROCESS,
2382 						  PROCESS__PTRACE, NULL);
2383 				if (rc)
2384 					return -EPERM;
2385 			}
2386 		}
2387 
2388 		/* Clear any possibly unsafe personality bits on exec: */
2389 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2390 
2391 		/* Enable secure mode for SIDs transitions unless
2392 		   the noatsecure permission is granted between
2393 		   the two SIDs, i.e. ahp returns 0. */
2394 		rc = avc_has_perm(&selinux_state,
2395 				  old_tsec->sid, new_tsec->sid,
2396 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2397 				  NULL);
2398 		bprm->secureexec |= !!rc;
2399 	}
2400 
2401 	return 0;
2402 }
2403 
2404 static int match_file(const void *p, struct file *file, unsigned fd)
2405 {
2406 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2407 }
2408 
2409 /* Derived from fs/exec.c:flush_old_files. */
2410 static inline void flush_unauthorized_files(const struct cred *cred,
2411 					    struct files_struct *files)
2412 {
2413 	struct file *file, *devnull = NULL;
2414 	struct tty_struct *tty;
2415 	int drop_tty = 0;
2416 	unsigned n;
2417 
2418 	tty = get_current_tty();
2419 	if (tty) {
2420 		spin_lock(&tty->files_lock);
2421 		if (!list_empty(&tty->tty_files)) {
2422 			struct tty_file_private *file_priv;
2423 
2424 			/* Revalidate access to controlling tty.
2425 			   Use file_path_has_perm on the tty path directly
2426 			   rather than using file_has_perm, as this particular
2427 			   open file may belong to another process and we are
2428 			   only interested in the inode-based check here. */
2429 			file_priv = list_first_entry(&tty->tty_files,
2430 						struct tty_file_private, list);
2431 			file = file_priv->file;
2432 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2433 				drop_tty = 1;
2434 		}
2435 		spin_unlock(&tty->files_lock);
2436 		tty_kref_put(tty);
2437 	}
2438 	/* Reset controlling tty. */
2439 	if (drop_tty)
2440 		no_tty();
2441 
2442 	/* Revalidate access to inherited open files. */
2443 	n = iterate_fd(files, 0, match_file, cred);
2444 	if (!n) /* none found? */
2445 		return;
2446 
2447 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2448 	if (IS_ERR(devnull))
2449 		devnull = NULL;
2450 	/* replace all the matching ones with this */
2451 	do {
2452 		replace_fd(n - 1, devnull, 0);
2453 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2454 	if (devnull)
2455 		fput(devnull);
2456 }
2457 
2458 /*
2459  * Prepare a process for imminent new credential changes due to exec
2460  */
2461 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2462 {
2463 	struct task_security_struct *new_tsec;
2464 	struct rlimit *rlim, *initrlim;
2465 	int rc, i;
2466 
2467 	new_tsec = selinux_cred(bprm->cred);
2468 	if (new_tsec->sid == new_tsec->osid)
2469 		return;
2470 
2471 	/* Close files for which the new task SID is not authorized. */
2472 	flush_unauthorized_files(bprm->cred, current->files);
2473 
2474 	/* Always clear parent death signal on SID transitions. */
2475 	current->pdeath_signal = 0;
2476 
2477 	/* Check whether the new SID can inherit resource limits from the old
2478 	 * SID.  If not, reset all soft limits to the lower of the current
2479 	 * task's hard limit and the init task's soft limit.
2480 	 *
2481 	 * Note that the setting of hard limits (even to lower them) can be
2482 	 * controlled by the setrlimit check.  The inclusion of the init task's
2483 	 * soft limit into the computation is to avoid resetting soft limits
2484 	 * higher than the default soft limit for cases where the default is
2485 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2486 	 */
2487 	rc = avc_has_perm(&selinux_state,
2488 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2489 			  PROCESS__RLIMITINH, NULL);
2490 	if (rc) {
2491 		/* protect against do_prlimit() */
2492 		task_lock(current);
2493 		for (i = 0; i < RLIM_NLIMITS; i++) {
2494 			rlim = current->signal->rlim + i;
2495 			initrlim = init_task.signal->rlim + i;
2496 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2497 		}
2498 		task_unlock(current);
2499 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2500 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2501 	}
2502 }
2503 
2504 /*
2505  * Clean up the process immediately after the installation of new credentials
2506  * due to exec
2507  */
2508 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2509 {
2510 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2511 	u32 osid, sid;
2512 	int rc;
2513 
2514 	osid = tsec->osid;
2515 	sid = tsec->sid;
2516 
2517 	if (sid == osid)
2518 		return;
2519 
2520 	/* Check whether the new SID can inherit signal state from the old SID.
2521 	 * If not, clear itimers to avoid subsequent signal generation and
2522 	 * flush and unblock signals.
2523 	 *
2524 	 * This must occur _after_ the task SID has been updated so that any
2525 	 * kill done after the flush will be checked against the new SID.
2526 	 */
2527 	rc = avc_has_perm(&selinux_state,
2528 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2529 	if (rc) {
2530 		clear_itimer();
2531 
2532 		spin_lock_irq(&current->sighand->siglock);
2533 		if (!fatal_signal_pending(current)) {
2534 			flush_sigqueue(&current->pending);
2535 			flush_sigqueue(&current->signal->shared_pending);
2536 			flush_signal_handlers(current, 1);
2537 			sigemptyset(&current->blocked);
2538 			recalc_sigpending();
2539 		}
2540 		spin_unlock_irq(&current->sighand->siglock);
2541 	}
2542 
2543 	/* Wake up the parent if it is waiting so that it can recheck
2544 	 * wait permission to the new task SID. */
2545 	read_lock(&tasklist_lock);
2546 	__wake_up_parent(current, current->real_parent);
2547 	read_unlock(&tasklist_lock);
2548 }
2549 
2550 /* superblock security operations */
2551 
2552 static int selinux_sb_alloc_security(struct super_block *sb)
2553 {
2554 	struct superblock_security_struct *sbsec;
2555 
2556 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2557 	if (!sbsec)
2558 		return -ENOMEM;
2559 
2560 	mutex_init(&sbsec->lock);
2561 	INIT_LIST_HEAD(&sbsec->isec_head);
2562 	spin_lock_init(&sbsec->isec_lock);
2563 	sbsec->sb = sb;
2564 	sbsec->sid = SECINITSID_UNLABELED;
2565 	sbsec->def_sid = SECINITSID_FILE;
2566 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2567 	sb->s_security = sbsec;
2568 
2569 	return 0;
2570 }
2571 
2572 static void selinux_sb_free_security(struct super_block *sb)
2573 {
2574 	superblock_free_security(sb);
2575 }
2576 
2577 static inline int opt_len(const char *s)
2578 {
2579 	bool open_quote = false;
2580 	int len;
2581 	char c;
2582 
2583 	for (len = 0; (c = s[len]) != '\0'; len++) {
2584 		if (c == '"')
2585 			open_quote = !open_quote;
2586 		if (c == ',' && !open_quote)
2587 			break;
2588 	}
2589 	return len;
2590 }
2591 
2592 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2593 {
2594 	char *from = options;
2595 	char *to = options;
2596 	bool first = true;
2597 	int rc;
2598 
2599 	while (1) {
2600 		int len = opt_len(from);
2601 		int token;
2602 		char *arg = NULL;
2603 
2604 		token = match_opt_prefix(from, len, &arg);
2605 
2606 		if (token != Opt_error) {
2607 			char *p, *q;
2608 
2609 			/* strip quotes */
2610 			if (arg) {
2611 				for (p = q = arg; p < from + len; p++) {
2612 					char c = *p;
2613 					if (c != '"')
2614 						*q++ = c;
2615 				}
2616 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2617 				if (!arg) {
2618 					rc = -ENOMEM;
2619 					goto free_opt;
2620 				}
2621 			}
2622 			rc = selinux_add_opt(token, arg, mnt_opts);
2623 			if (unlikely(rc)) {
2624 				kfree(arg);
2625 				goto free_opt;
2626 			}
2627 		} else {
2628 			if (!first) {	// copy with preceding comma
2629 				from--;
2630 				len++;
2631 			}
2632 			if (to != from)
2633 				memmove(to, from, len);
2634 			to += len;
2635 			first = false;
2636 		}
2637 		if (!from[len])
2638 			break;
2639 		from += len + 1;
2640 	}
2641 	*to = '\0';
2642 	return 0;
2643 
2644 free_opt:
2645 	if (*mnt_opts) {
2646 		selinux_free_mnt_opts(*mnt_opts);
2647 		*mnt_opts = NULL;
2648 	}
2649 	return rc;
2650 }
2651 
2652 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2653 {
2654 	struct selinux_mnt_opts *opts = mnt_opts;
2655 	struct superblock_security_struct *sbsec = sb->s_security;
2656 	u32 sid;
2657 	int rc;
2658 
2659 	if (!(sbsec->flags & SE_SBINITIALIZED))
2660 		return 0;
2661 
2662 	if (!opts)
2663 		return 0;
2664 
2665 	if (opts->fscontext) {
2666 		rc = parse_sid(sb, opts->fscontext, &sid);
2667 		if (rc)
2668 			return rc;
2669 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2670 			goto out_bad_option;
2671 	}
2672 	if (opts->context) {
2673 		rc = parse_sid(sb, opts->context, &sid);
2674 		if (rc)
2675 			return rc;
2676 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2677 			goto out_bad_option;
2678 	}
2679 	if (opts->rootcontext) {
2680 		struct inode_security_struct *root_isec;
2681 		root_isec = backing_inode_security(sb->s_root);
2682 		rc = parse_sid(sb, opts->rootcontext, &sid);
2683 		if (rc)
2684 			return rc;
2685 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2686 			goto out_bad_option;
2687 	}
2688 	if (opts->defcontext) {
2689 		rc = parse_sid(sb, opts->defcontext, &sid);
2690 		if (rc)
2691 			return rc;
2692 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2693 			goto out_bad_option;
2694 	}
2695 	return 0;
2696 
2697 out_bad_option:
2698 	pr_warn("SELinux: unable to change security options "
2699 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2700 	       sb->s_type->name);
2701 	return -EINVAL;
2702 }
2703 
2704 static int selinux_sb_kern_mount(struct super_block *sb)
2705 {
2706 	const struct cred *cred = current_cred();
2707 	struct common_audit_data ad;
2708 
2709 	ad.type = LSM_AUDIT_DATA_DENTRY;
2710 	ad.u.dentry = sb->s_root;
2711 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2712 }
2713 
2714 static int selinux_sb_statfs(struct dentry *dentry)
2715 {
2716 	const struct cred *cred = current_cred();
2717 	struct common_audit_data ad;
2718 
2719 	ad.type = LSM_AUDIT_DATA_DENTRY;
2720 	ad.u.dentry = dentry->d_sb->s_root;
2721 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2722 }
2723 
2724 static int selinux_mount(const char *dev_name,
2725 			 const struct path *path,
2726 			 const char *type,
2727 			 unsigned long flags,
2728 			 void *data)
2729 {
2730 	const struct cred *cred = current_cred();
2731 
2732 	if (flags & MS_REMOUNT)
2733 		return superblock_has_perm(cred, path->dentry->d_sb,
2734 					   FILESYSTEM__REMOUNT, NULL);
2735 	else
2736 		return path_has_perm(cred, path, FILE__MOUNTON);
2737 }
2738 
2739 static int selinux_move_mount(const struct path *from_path,
2740 			      const struct path *to_path)
2741 {
2742 	const struct cred *cred = current_cred();
2743 
2744 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2745 }
2746 
2747 static int selinux_umount(struct vfsmount *mnt, int flags)
2748 {
2749 	const struct cred *cred = current_cred();
2750 
2751 	return superblock_has_perm(cred, mnt->mnt_sb,
2752 				   FILESYSTEM__UNMOUNT, NULL);
2753 }
2754 
2755 static int selinux_fs_context_dup(struct fs_context *fc,
2756 				  struct fs_context *src_fc)
2757 {
2758 	const struct selinux_mnt_opts *src = src_fc->security;
2759 	struct selinux_mnt_opts *opts;
2760 
2761 	if (!src)
2762 		return 0;
2763 
2764 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2765 	if (!fc->security)
2766 		return -ENOMEM;
2767 
2768 	opts = fc->security;
2769 
2770 	if (src->fscontext) {
2771 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2772 		if (!opts->fscontext)
2773 			return -ENOMEM;
2774 	}
2775 	if (src->context) {
2776 		opts->context = kstrdup(src->context, GFP_KERNEL);
2777 		if (!opts->context)
2778 			return -ENOMEM;
2779 	}
2780 	if (src->rootcontext) {
2781 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2782 		if (!opts->rootcontext)
2783 			return -ENOMEM;
2784 	}
2785 	if (src->defcontext) {
2786 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2787 		if (!opts->defcontext)
2788 			return -ENOMEM;
2789 	}
2790 	return 0;
2791 }
2792 
2793 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2794 	fsparam_string(CONTEXT_STR,	Opt_context),
2795 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2796 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2797 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2798 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2799 	{}
2800 };
2801 
2802 static int selinux_fs_context_parse_param(struct fs_context *fc,
2803 					  struct fs_parameter *param)
2804 {
2805 	struct fs_parse_result result;
2806 	int opt, rc;
2807 
2808 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2809 	if (opt < 0)
2810 		return opt;
2811 
2812 	rc = selinux_add_opt(opt, param->string, &fc->security);
2813 	if (!rc) {
2814 		param->string = NULL;
2815 		rc = 1;
2816 	}
2817 	return rc;
2818 }
2819 
2820 /* inode security operations */
2821 
2822 static int selinux_inode_alloc_security(struct inode *inode)
2823 {
2824 	struct inode_security_struct *isec = selinux_inode(inode);
2825 	u32 sid = current_sid();
2826 
2827 	spin_lock_init(&isec->lock);
2828 	INIT_LIST_HEAD(&isec->list);
2829 	isec->inode = inode;
2830 	isec->sid = SECINITSID_UNLABELED;
2831 	isec->sclass = SECCLASS_FILE;
2832 	isec->task_sid = sid;
2833 	isec->initialized = LABEL_INVALID;
2834 
2835 	return 0;
2836 }
2837 
2838 static void selinux_inode_free_security(struct inode *inode)
2839 {
2840 	inode_free_security(inode);
2841 }
2842 
2843 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2844 					const struct qstr *name, void **ctx,
2845 					u32 *ctxlen)
2846 {
2847 	u32 newsid;
2848 	int rc;
2849 
2850 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2851 					   d_inode(dentry->d_parent), name,
2852 					   inode_mode_to_security_class(mode),
2853 					   &newsid);
2854 	if (rc)
2855 		return rc;
2856 
2857 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2858 				       ctxlen);
2859 }
2860 
2861 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2862 					  struct qstr *name,
2863 					  const struct cred *old,
2864 					  struct cred *new)
2865 {
2866 	u32 newsid;
2867 	int rc;
2868 	struct task_security_struct *tsec;
2869 
2870 	rc = selinux_determine_inode_label(selinux_cred(old),
2871 					   d_inode(dentry->d_parent), name,
2872 					   inode_mode_to_security_class(mode),
2873 					   &newsid);
2874 	if (rc)
2875 		return rc;
2876 
2877 	tsec = selinux_cred(new);
2878 	tsec->create_sid = newsid;
2879 	return 0;
2880 }
2881 
2882 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2883 				       const struct qstr *qstr,
2884 				       const char **name,
2885 				       void **value, size_t *len)
2886 {
2887 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2888 	struct superblock_security_struct *sbsec;
2889 	u32 newsid, clen;
2890 	int rc;
2891 	char *context;
2892 
2893 	sbsec = dir->i_sb->s_security;
2894 
2895 	newsid = tsec->create_sid;
2896 
2897 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2898 		inode_mode_to_security_class(inode->i_mode),
2899 		&newsid);
2900 	if (rc)
2901 		return rc;
2902 
2903 	/* Possibly defer initialization to selinux_complete_init. */
2904 	if (sbsec->flags & SE_SBINITIALIZED) {
2905 		struct inode_security_struct *isec = selinux_inode(inode);
2906 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2907 		isec->sid = newsid;
2908 		isec->initialized = LABEL_INITIALIZED;
2909 	}
2910 
2911 	if (!selinux_initialized(&selinux_state) ||
2912 	    !(sbsec->flags & SBLABEL_MNT))
2913 		return -EOPNOTSUPP;
2914 
2915 	if (name)
2916 		*name = XATTR_SELINUX_SUFFIX;
2917 
2918 	if (value && len) {
2919 		rc = security_sid_to_context_force(&selinux_state, newsid,
2920 						   &context, &clen);
2921 		if (rc)
2922 			return rc;
2923 		*value = context;
2924 		*len = clen;
2925 	}
2926 
2927 	return 0;
2928 }
2929 
2930 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2931 {
2932 	return may_create(dir, dentry, SECCLASS_FILE);
2933 }
2934 
2935 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2936 {
2937 	return may_link(dir, old_dentry, MAY_LINK);
2938 }
2939 
2940 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2941 {
2942 	return may_link(dir, dentry, MAY_UNLINK);
2943 }
2944 
2945 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2946 {
2947 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2948 }
2949 
2950 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2951 {
2952 	return may_create(dir, dentry, SECCLASS_DIR);
2953 }
2954 
2955 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2956 {
2957 	return may_link(dir, dentry, MAY_RMDIR);
2958 }
2959 
2960 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2961 {
2962 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2963 }
2964 
2965 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2966 				struct inode *new_inode, struct dentry *new_dentry)
2967 {
2968 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2969 }
2970 
2971 static int selinux_inode_readlink(struct dentry *dentry)
2972 {
2973 	const struct cred *cred = current_cred();
2974 
2975 	return dentry_has_perm(cred, dentry, FILE__READ);
2976 }
2977 
2978 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2979 				     bool rcu)
2980 {
2981 	const struct cred *cred = current_cred();
2982 	struct common_audit_data ad;
2983 	struct inode_security_struct *isec;
2984 	u32 sid;
2985 
2986 	validate_creds(cred);
2987 
2988 	ad.type = LSM_AUDIT_DATA_DENTRY;
2989 	ad.u.dentry = dentry;
2990 	sid = cred_sid(cred);
2991 	isec = inode_security_rcu(inode, rcu);
2992 	if (IS_ERR(isec))
2993 		return PTR_ERR(isec);
2994 
2995 	return avc_has_perm_flags(&selinux_state,
2996 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
2997 				  rcu ? MAY_NOT_BLOCK : 0);
2998 }
2999 
3000 static noinline int audit_inode_permission(struct inode *inode,
3001 					   u32 perms, u32 audited, u32 denied,
3002 					   int result)
3003 {
3004 	struct common_audit_data ad;
3005 	struct inode_security_struct *isec = selinux_inode(inode);
3006 	int rc;
3007 
3008 	ad.type = LSM_AUDIT_DATA_INODE;
3009 	ad.u.inode = inode;
3010 
3011 	rc = slow_avc_audit(&selinux_state,
3012 			    current_sid(), isec->sid, isec->sclass, perms,
3013 			    audited, denied, result, &ad);
3014 	if (rc)
3015 		return rc;
3016 	return 0;
3017 }
3018 
3019 static int selinux_inode_permission(struct inode *inode, int mask)
3020 {
3021 	const struct cred *cred = current_cred();
3022 	u32 perms;
3023 	bool from_access;
3024 	bool no_block = mask & MAY_NOT_BLOCK;
3025 	struct inode_security_struct *isec;
3026 	u32 sid;
3027 	struct av_decision avd;
3028 	int rc, rc2;
3029 	u32 audited, denied;
3030 
3031 	from_access = mask & MAY_ACCESS;
3032 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3033 
3034 	/* No permission to check.  Existence test. */
3035 	if (!mask)
3036 		return 0;
3037 
3038 	validate_creds(cred);
3039 
3040 	if (unlikely(IS_PRIVATE(inode)))
3041 		return 0;
3042 
3043 	perms = file_mask_to_av(inode->i_mode, mask);
3044 
3045 	sid = cred_sid(cred);
3046 	isec = inode_security_rcu(inode, no_block);
3047 	if (IS_ERR(isec))
3048 		return PTR_ERR(isec);
3049 
3050 	rc = avc_has_perm_noaudit(&selinux_state,
3051 				  sid, isec->sid, isec->sclass, perms,
3052 				  no_block ? AVC_NONBLOCKING : 0,
3053 				  &avd);
3054 	audited = avc_audit_required(perms, &avd, rc,
3055 				     from_access ? FILE__AUDIT_ACCESS : 0,
3056 				     &denied);
3057 	if (likely(!audited))
3058 		return rc;
3059 
3060 	/* fall back to ref-walk if we have to generate audit */
3061 	if (no_block)
3062 		return -ECHILD;
3063 
3064 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3065 	if (rc2)
3066 		return rc2;
3067 	return rc;
3068 }
3069 
3070 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3071 {
3072 	const struct cred *cred = current_cred();
3073 	struct inode *inode = d_backing_inode(dentry);
3074 	unsigned int ia_valid = iattr->ia_valid;
3075 	__u32 av = FILE__WRITE;
3076 
3077 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3078 	if (ia_valid & ATTR_FORCE) {
3079 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3080 			      ATTR_FORCE);
3081 		if (!ia_valid)
3082 			return 0;
3083 	}
3084 
3085 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3086 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3087 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3088 
3089 	if (selinux_policycap_openperm() &&
3090 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3091 	    (ia_valid & ATTR_SIZE) &&
3092 	    !(ia_valid & ATTR_FILE))
3093 		av |= FILE__OPEN;
3094 
3095 	return dentry_has_perm(cred, dentry, av);
3096 }
3097 
3098 static int selinux_inode_getattr(const struct path *path)
3099 {
3100 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3101 }
3102 
3103 static bool has_cap_mac_admin(bool audit)
3104 {
3105 	const struct cred *cred = current_cred();
3106 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3107 
3108 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3109 		return false;
3110 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3111 		return false;
3112 	return true;
3113 }
3114 
3115 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3116 				  const void *value, size_t size, int flags)
3117 {
3118 	struct inode *inode = d_backing_inode(dentry);
3119 	struct inode_security_struct *isec;
3120 	struct superblock_security_struct *sbsec;
3121 	struct common_audit_data ad;
3122 	u32 newsid, sid = current_sid();
3123 	int rc = 0;
3124 
3125 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3126 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3127 		if (rc)
3128 			return rc;
3129 
3130 		/* Not an attribute we recognize, so just check the
3131 		   ordinary setattr permission. */
3132 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3133 	}
3134 
3135 	if (!selinux_initialized(&selinux_state))
3136 		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3137 
3138 	sbsec = inode->i_sb->s_security;
3139 	if (!(sbsec->flags & SBLABEL_MNT))
3140 		return -EOPNOTSUPP;
3141 
3142 	if (!inode_owner_or_capable(inode))
3143 		return -EPERM;
3144 
3145 	ad.type = LSM_AUDIT_DATA_DENTRY;
3146 	ad.u.dentry = dentry;
3147 
3148 	isec = backing_inode_security(dentry);
3149 	rc = avc_has_perm(&selinux_state,
3150 			  sid, isec->sid, isec->sclass,
3151 			  FILE__RELABELFROM, &ad);
3152 	if (rc)
3153 		return rc;
3154 
3155 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3156 				     GFP_KERNEL);
3157 	if (rc == -EINVAL) {
3158 		if (!has_cap_mac_admin(true)) {
3159 			struct audit_buffer *ab;
3160 			size_t audit_size;
3161 
3162 			/* We strip a nul only if it is at the end, otherwise the
3163 			 * context contains a nul and we should audit that */
3164 			if (value) {
3165 				const char *str = value;
3166 
3167 				if (str[size - 1] == '\0')
3168 					audit_size = size - 1;
3169 				else
3170 					audit_size = size;
3171 			} else {
3172 				audit_size = 0;
3173 			}
3174 			ab = audit_log_start(audit_context(),
3175 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3176 			audit_log_format(ab, "op=setxattr invalid_context=");
3177 			audit_log_n_untrustedstring(ab, value, audit_size);
3178 			audit_log_end(ab);
3179 
3180 			return rc;
3181 		}
3182 		rc = security_context_to_sid_force(&selinux_state, value,
3183 						   size, &newsid);
3184 	}
3185 	if (rc)
3186 		return rc;
3187 
3188 	rc = avc_has_perm(&selinux_state,
3189 			  sid, newsid, isec->sclass,
3190 			  FILE__RELABELTO, &ad);
3191 	if (rc)
3192 		return rc;
3193 
3194 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3195 					  sid, isec->sclass);
3196 	if (rc)
3197 		return rc;
3198 
3199 	return avc_has_perm(&selinux_state,
3200 			    newsid,
3201 			    sbsec->sid,
3202 			    SECCLASS_FILESYSTEM,
3203 			    FILESYSTEM__ASSOCIATE,
3204 			    &ad);
3205 }
3206 
3207 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3208 					const void *value, size_t size,
3209 					int flags)
3210 {
3211 	struct inode *inode = d_backing_inode(dentry);
3212 	struct inode_security_struct *isec;
3213 	u32 newsid;
3214 	int rc;
3215 
3216 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3217 		/* Not an attribute we recognize, so nothing to do. */
3218 		return;
3219 	}
3220 
3221 	if (!selinux_initialized(&selinux_state)) {
3222 		/* If we haven't even been initialized, then we can't validate
3223 		 * against a policy, so leave the label as invalid. It may
3224 		 * resolve to a valid label on the next revalidation try if
3225 		 * we've since initialized.
3226 		 */
3227 		return;
3228 	}
3229 
3230 	rc = security_context_to_sid_force(&selinux_state, value, size,
3231 					   &newsid);
3232 	if (rc) {
3233 		pr_err("SELinux:  unable to map context to SID"
3234 		       "for (%s, %lu), rc=%d\n",
3235 		       inode->i_sb->s_id, inode->i_ino, -rc);
3236 		return;
3237 	}
3238 
3239 	isec = backing_inode_security(dentry);
3240 	spin_lock(&isec->lock);
3241 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3242 	isec->sid = newsid;
3243 	isec->initialized = LABEL_INITIALIZED;
3244 	spin_unlock(&isec->lock);
3245 
3246 	return;
3247 }
3248 
3249 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3250 {
3251 	const struct cred *cred = current_cred();
3252 
3253 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3254 }
3255 
3256 static int selinux_inode_listxattr(struct dentry *dentry)
3257 {
3258 	const struct cred *cred = current_cred();
3259 
3260 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3261 }
3262 
3263 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3264 {
3265 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3266 		int rc = cap_inode_removexattr(dentry, name);
3267 		if (rc)
3268 			return rc;
3269 
3270 		/* Not an attribute we recognize, so just check the
3271 		   ordinary setattr permission. */
3272 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3273 	}
3274 
3275 	if (!selinux_initialized(&selinux_state))
3276 		return 0;
3277 
3278 	/* No one is allowed to remove a SELinux security label.
3279 	   You can change the label, but all data must be labeled. */
3280 	return -EACCES;
3281 }
3282 
3283 static int selinux_path_notify(const struct path *path, u64 mask,
3284 						unsigned int obj_type)
3285 {
3286 	int ret;
3287 	u32 perm;
3288 
3289 	struct common_audit_data ad;
3290 
3291 	ad.type = LSM_AUDIT_DATA_PATH;
3292 	ad.u.path = *path;
3293 
3294 	/*
3295 	 * Set permission needed based on the type of mark being set.
3296 	 * Performs an additional check for sb watches.
3297 	 */
3298 	switch (obj_type) {
3299 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3300 		perm = FILE__WATCH_MOUNT;
3301 		break;
3302 	case FSNOTIFY_OBJ_TYPE_SB:
3303 		perm = FILE__WATCH_SB;
3304 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3305 						FILESYSTEM__WATCH, &ad);
3306 		if (ret)
3307 			return ret;
3308 		break;
3309 	case FSNOTIFY_OBJ_TYPE_INODE:
3310 		perm = FILE__WATCH;
3311 		break;
3312 	default:
3313 		return -EINVAL;
3314 	}
3315 
3316 	/* blocking watches require the file:watch_with_perm permission */
3317 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3318 		perm |= FILE__WATCH_WITH_PERM;
3319 
3320 	/* watches on read-like events need the file:watch_reads permission */
3321 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3322 		perm |= FILE__WATCH_READS;
3323 
3324 	return path_has_perm(current_cred(), path, perm);
3325 }
3326 
3327 /*
3328  * Copy the inode security context value to the user.
3329  *
3330  * Permission check is handled by selinux_inode_getxattr hook.
3331  */
3332 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3333 {
3334 	u32 size;
3335 	int error;
3336 	char *context = NULL;
3337 	struct inode_security_struct *isec;
3338 
3339 	/*
3340 	 * If we're not initialized yet, then we can't validate contexts, so
3341 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3342 	 */
3343 	if (!selinux_initialized(&selinux_state) ||
3344 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3345 		return -EOPNOTSUPP;
3346 
3347 	/*
3348 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3349 	 * value even if it is not defined by current policy; otherwise,
3350 	 * use the in-core value under current policy.
3351 	 * Use the non-auditing forms of the permission checks since
3352 	 * getxattr may be called by unprivileged processes commonly
3353 	 * and lack of permission just means that we fall back to the
3354 	 * in-core context value, not a denial.
3355 	 */
3356 	isec = inode_security(inode);
3357 	if (has_cap_mac_admin(false))
3358 		error = security_sid_to_context_force(&selinux_state,
3359 						      isec->sid, &context,
3360 						      &size);
3361 	else
3362 		error = security_sid_to_context(&selinux_state, isec->sid,
3363 						&context, &size);
3364 	if (error)
3365 		return error;
3366 	error = size;
3367 	if (alloc) {
3368 		*buffer = context;
3369 		goto out_nofree;
3370 	}
3371 	kfree(context);
3372 out_nofree:
3373 	return error;
3374 }
3375 
3376 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3377 				     const void *value, size_t size, int flags)
3378 {
3379 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3380 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3381 	u32 newsid;
3382 	int rc;
3383 
3384 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3385 		return -EOPNOTSUPP;
3386 
3387 	if (!(sbsec->flags & SBLABEL_MNT))
3388 		return -EOPNOTSUPP;
3389 
3390 	if (!value || !size)
3391 		return -EACCES;
3392 
3393 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3394 				     GFP_KERNEL);
3395 	if (rc)
3396 		return rc;
3397 
3398 	spin_lock(&isec->lock);
3399 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3400 	isec->sid = newsid;
3401 	isec->initialized = LABEL_INITIALIZED;
3402 	spin_unlock(&isec->lock);
3403 	return 0;
3404 }
3405 
3406 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3407 {
3408 	const int len = sizeof(XATTR_NAME_SELINUX);
3409 	if (buffer && len <= buffer_size)
3410 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3411 	return len;
3412 }
3413 
3414 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3415 {
3416 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3417 	*secid = isec->sid;
3418 }
3419 
3420 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3421 {
3422 	u32 sid;
3423 	struct task_security_struct *tsec;
3424 	struct cred *new_creds = *new;
3425 
3426 	if (new_creds == NULL) {
3427 		new_creds = prepare_creds();
3428 		if (!new_creds)
3429 			return -ENOMEM;
3430 	}
3431 
3432 	tsec = selinux_cred(new_creds);
3433 	/* Get label from overlay inode and set it in create_sid */
3434 	selinux_inode_getsecid(d_inode(src), &sid);
3435 	tsec->create_sid = sid;
3436 	*new = new_creds;
3437 	return 0;
3438 }
3439 
3440 static int selinux_inode_copy_up_xattr(const char *name)
3441 {
3442 	/* The copy_up hook above sets the initial context on an inode, but we
3443 	 * don't then want to overwrite it by blindly copying all the lower
3444 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3445 	 */
3446 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3447 		return 1; /* Discard */
3448 	/*
3449 	 * Any other attribute apart from SELINUX is not claimed, supported
3450 	 * by selinux.
3451 	 */
3452 	return -EOPNOTSUPP;
3453 }
3454 
3455 /* kernfs node operations */
3456 
3457 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3458 					struct kernfs_node *kn)
3459 {
3460 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3461 	u32 parent_sid, newsid, clen;
3462 	int rc;
3463 	char *context;
3464 
3465 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3466 	if (rc == -ENODATA)
3467 		return 0;
3468 	else if (rc < 0)
3469 		return rc;
3470 
3471 	clen = (u32)rc;
3472 	context = kmalloc(clen, GFP_KERNEL);
3473 	if (!context)
3474 		return -ENOMEM;
3475 
3476 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3477 	if (rc < 0) {
3478 		kfree(context);
3479 		return rc;
3480 	}
3481 
3482 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3483 				     GFP_KERNEL);
3484 	kfree(context);
3485 	if (rc)
3486 		return rc;
3487 
3488 	if (tsec->create_sid) {
3489 		newsid = tsec->create_sid;
3490 	} else {
3491 		u16 secclass = inode_mode_to_security_class(kn->mode);
3492 		struct qstr q;
3493 
3494 		q.name = kn->name;
3495 		q.hash_len = hashlen_string(kn_dir, kn->name);
3496 
3497 		rc = security_transition_sid(&selinux_state, tsec->sid,
3498 					     parent_sid, secclass, &q,
3499 					     &newsid);
3500 		if (rc)
3501 			return rc;
3502 	}
3503 
3504 	rc = security_sid_to_context_force(&selinux_state, newsid,
3505 					   &context, &clen);
3506 	if (rc)
3507 		return rc;
3508 
3509 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3510 			      XATTR_CREATE);
3511 	kfree(context);
3512 	return rc;
3513 }
3514 
3515 
3516 /* file security operations */
3517 
3518 static int selinux_revalidate_file_permission(struct file *file, int mask)
3519 {
3520 	const struct cred *cred = current_cred();
3521 	struct inode *inode = file_inode(file);
3522 
3523 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3524 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3525 		mask |= MAY_APPEND;
3526 
3527 	return file_has_perm(cred, file,
3528 			     file_mask_to_av(inode->i_mode, mask));
3529 }
3530 
3531 static int selinux_file_permission(struct file *file, int mask)
3532 {
3533 	struct inode *inode = file_inode(file);
3534 	struct file_security_struct *fsec = selinux_file(file);
3535 	struct inode_security_struct *isec;
3536 	u32 sid = current_sid();
3537 
3538 	if (!mask)
3539 		/* No permission to check.  Existence test. */
3540 		return 0;
3541 
3542 	isec = inode_security(inode);
3543 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3544 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3545 		/* No change since file_open check. */
3546 		return 0;
3547 
3548 	return selinux_revalidate_file_permission(file, mask);
3549 }
3550 
3551 static int selinux_file_alloc_security(struct file *file)
3552 {
3553 	struct file_security_struct *fsec = selinux_file(file);
3554 	u32 sid = current_sid();
3555 
3556 	fsec->sid = sid;
3557 	fsec->fown_sid = sid;
3558 
3559 	return 0;
3560 }
3561 
3562 /*
3563  * Check whether a task has the ioctl permission and cmd
3564  * operation to an inode.
3565  */
3566 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3567 		u32 requested, u16 cmd)
3568 {
3569 	struct common_audit_data ad;
3570 	struct file_security_struct *fsec = selinux_file(file);
3571 	struct inode *inode = file_inode(file);
3572 	struct inode_security_struct *isec;
3573 	struct lsm_ioctlop_audit ioctl;
3574 	u32 ssid = cred_sid(cred);
3575 	int rc;
3576 	u8 driver = cmd >> 8;
3577 	u8 xperm = cmd & 0xff;
3578 
3579 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3580 	ad.u.op = &ioctl;
3581 	ad.u.op->cmd = cmd;
3582 	ad.u.op->path = file->f_path;
3583 
3584 	if (ssid != fsec->sid) {
3585 		rc = avc_has_perm(&selinux_state,
3586 				  ssid, fsec->sid,
3587 				SECCLASS_FD,
3588 				FD__USE,
3589 				&ad);
3590 		if (rc)
3591 			goto out;
3592 	}
3593 
3594 	if (unlikely(IS_PRIVATE(inode)))
3595 		return 0;
3596 
3597 	isec = inode_security(inode);
3598 	rc = avc_has_extended_perms(&selinux_state,
3599 				    ssid, isec->sid, isec->sclass,
3600 				    requested, driver, xperm, &ad);
3601 out:
3602 	return rc;
3603 }
3604 
3605 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3606 			      unsigned long arg)
3607 {
3608 	const struct cred *cred = current_cred();
3609 	int error = 0;
3610 
3611 	switch (cmd) {
3612 	case FIONREAD:
3613 	case FIBMAP:
3614 	case FIGETBSZ:
3615 	case FS_IOC_GETFLAGS:
3616 	case FS_IOC_GETVERSION:
3617 		error = file_has_perm(cred, file, FILE__GETATTR);
3618 		break;
3619 
3620 	case FS_IOC_SETFLAGS:
3621 	case FS_IOC_SETVERSION:
3622 		error = file_has_perm(cred, file, FILE__SETATTR);
3623 		break;
3624 
3625 	/* sys_ioctl() checks */
3626 	case FIONBIO:
3627 	case FIOASYNC:
3628 		error = file_has_perm(cred, file, 0);
3629 		break;
3630 
3631 	case KDSKBENT:
3632 	case KDSKBSENT:
3633 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3634 					    CAP_OPT_NONE, true);
3635 		break;
3636 
3637 	/* default case assumes that the command will go
3638 	 * to the file's ioctl() function.
3639 	 */
3640 	default:
3641 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3642 	}
3643 	return error;
3644 }
3645 
3646 static int default_noexec __ro_after_init;
3647 
3648 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3649 {
3650 	const struct cred *cred = current_cred();
3651 	u32 sid = cred_sid(cred);
3652 	int rc = 0;
3653 
3654 	if (default_noexec &&
3655 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3656 				   (!shared && (prot & PROT_WRITE)))) {
3657 		/*
3658 		 * We are making executable an anonymous mapping or a
3659 		 * private file mapping that will also be writable.
3660 		 * This has an additional check.
3661 		 */
3662 		rc = avc_has_perm(&selinux_state,
3663 				  sid, sid, SECCLASS_PROCESS,
3664 				  PROCESS__EXECMEM, NULL);
3665 		if (rc)
3666 			goto error;
3667 	}
3668 
3669 	if (file) {
3670 		/* read access is always possible with a mapping */
3671 		u32 av = FILE__READ;
3672 
3673 		/* write access only matters if the mapping is shared */
3674 		if (shared && (prot & PROT_WRITE))
3675 			av |= FILE__WRITE;
3676 
3677 		if (prot & PROT_EXEC)
3678 			av |= FILE__EXECUTE;
3679 
3680 		return file_has_perm(cred, file, av);
3681 	}
3682 
3683 error:
3684 	return rc;
3685 }
3686 
3687 static int selinux_mmap_addr(unsigned long addr)
3688 {
3689 	int rc = 0;
3690 
3691 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3692 		u32 sid = current_sid();
3693 		rc = avc_has_perm(&selinux_state,
3694 				  sid, sid, SECCLASS_MEMPROTECT,
3695 				  MEMPROTECT__MMAP_ZERO, NULL);
3696 	}
3697 
3698 	return rc;
3699 }
3700 
3701 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3702 			     unsigned long prot, unsigned long flags)
3703 {
3704 	struct common_audit_data ad;
3705 	int rc;
3706 
3707 	if (file) {
3708 		ad.type = LSM_AUDIT_DATA_FILE;
3709 		ad.u.file = file;
3710 		rc = inode_has_perm(current_cred(), file_inode(file),
3711 				    FILE__MAP, &ad);
3712 		if (rc)
3713 			return rc;
3714 	}
3715 
3716 	if (checkreqprot_get(&selinux_state))
3717 		prot = reqprot;
3718 
3719 	return file_map_prot_check(file, prot,
3720 				   (flags & MAP_TYPE) == MAP_SHARED);
3721 }
3722 
3723 static int selinux_file_mprotect(struct vm_area_struct *vma,
3724 				 unsigned long reqprot,
3725 				 unsigned long prot)
3726 {
3727 	const struct cred *cred = current_cred();
3728 	u32 sid = cred_sid(cred);
3729 
3730 	if (checkreqprot_get(&selinux_state))
3731 		prot = reqprot;
3732 
3733 	if (default_noexec &&
3734 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3735 		int rc = 0;
3736 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3737 		    vma->vm_end <= vma->vm_mm->brk) {
3738 			rc = avc_has_perm(&selinux_state,
3739 					  sid, sid, SECCLASS_PROCESS,
3740 					  PROCESS__EXECHEAP, NULL);
3741 		} else if (!vma->vm_file &&
3742 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3743 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3744 			    vma_is_stack_for_current(vma))) {
3745 			rc = avc_has_perm(&selinux_state,
3746 					  sid, sid, SECCLASS_PROCESS,
3747 					  PROCESS__EXECSTACK, NULL);
3748 		} else if (vma->vm_file && vma->anon_vma) {
3749 			/*
3750 			 * We are making executable a file mapping that has
3751 			 * had some COW done. Since pages might have been
3752 			 * written, check ability to execute the possibly
3753 			 * modified content.  This typically should only
3754 			 * occur for text relocations.
3755 			 */
3756 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3757 		}
3758 		if (rc)
3759 			return rc;
3760 	}
3761 
3762 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3763 }
3764 
3765 static int selinux_file_lock(struct file *file, unsigned int cmd)
3766 {
3767 	const struct cred *cred = current_cred();
3768 
3769 	return file_has_perm(cred, file, FILE__LOCK);
3770 }
3771 
3772 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3773 			      unsigned long arg)
3774 {
3775 	const struct cred *cred = current_cred();
3776 	int err = 0;
3777 
3778 	switch (cmd) {
3779 	case F_SETFL:
3780 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3781 			err = file_has_perm(cred, file, FILE__WRITE);
3782 			break;
3783 		}
3784 		fallthrough;
3785 	case F_SETOWN:
3786 	case F_SETSIG:
3787 	case F_GETFL:
3788 	case F_GETOWN:
3789 	case F_GETSIG:
3790 	case F_GETOWNER_UIDS:
3791 		/* Just check FD__USE permission */
3792 		err = file_has_perm(cred, file, 0);
3793 		break;
3794 	case F_GETLK:
3795 	case F_SETLK:
3796 	case F_SETLKW:
3797 	case F_OFD_GETLK:
3798 	case F_OFD_SETLK:
3799 	case F_OFD_SETLKW:
3800 #if BITS_PER_LONG == 32
3801 	case F_GETLK64:
3802 	case F_SETLK64:
3803 	case F_SETLKW64:
3804 #endif
3805 		err = file_has_perm(cred, file, FILE__LOCK);
3806 		break;
3807 	}
3808 
3809 	return err;
3810 }
3811 
3812 static void selinux_file_set_fowner(struct file *file)
3813 {
3814 	struct file_security_struct *fsec;
3815 
3816 	fsec = selinux_file(file);
3817 	fsec->fown_sid = current_sid();
3818 }
3819 
3820 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3821 				       struct fown_struct *fown, int signum)
3822 {
3823 	struct file *file;
3824 	u32 sid = task_sid(tsk);
3825 	u32 perm;
3826 	struct file_security_struct *fsec;
3827 
3828 	/* struct fown_struct is never outside the context of a struct file */
3829 	file = container_of(fown, struct file, f_owner);
3830 
3831 	fsec = selinux_file(file);
3832 
3833 	if (!signum)
3834 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3835 	else
3836 		perm = signal_to_av(signum);
3837 
3838 	return avc_has_perm(&selinux_state,
3839 			    fsec->fown_sid, sid,
3840 			    SECCLASS_PROCESS, perm, NULL);
3841 }
3842 
3843 static int selinux_file_receive(struct file *file)
3844 {
3845 	const struct cred *cred = current_cred();
3846 
3847 	return file_has_perm(cred, file, file_to_av(file));
3848 }
3849 
3850 static int selinux_file_open(struct file *file)
3851 {
3852 	struct file_security_struct *fsec;
3853 	struct inode_security_struct *isec;
3854 
3855 	fsec = selinux_file(file);
3856 	isec = inode_security(file_inode(file));
3857 	/*
3858 	 * Save inode label and policy sequence number
3859 	 * at open-time so that selinux_file_permission
3860 	 * can determine whether revalidation is necessary.
3861 	 * Task label is already saved in the file security
3862 	 * struct as its SID.
3863 	 */
3864 	fsec->isid = isec->sid;
3865 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3866 	/*
3867 	 * Since the inode label or policy seqno may have changed
3868 	 * between the selinux_inode_permission check and the saving
3869 	 * of state above, recheck that access is still permitted.
3870 	 * Otherwise, access might never be revalidated against the
3871 	 * new inode label or new policy.
3872 	 * This check is not redundant - do not remove.
3873 	 */
3874 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3875 }
3876 
3877 /* task security operations */
3878 
3879 static int selinux_task_alloc(struct task_struct *task,
3880 			      unsigned long clone_flags)
3881 {
3882 	u32 sid = current_sid();
3883 
3884 	return avc_has_perm(&selinux_state,
3885 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3886 }
3887 
3888 /*
3889  * prepare a new set of credentials for modification
3890  */
3891 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3892 				gfp_t gfp)
3893 {
3894 	const struct task_security_struct *old_tsec = selinux_cred(old);
3895 	struct task_security_struct *tsec = selinux_cred(new);
3896 
3897 	*tsec = *old_tsec;
3898 	return 0;
3899 }
3900 
3901 /*
3902  * transfer the SELinux data to a blank set of creds
3903  */
3904 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3905 {
3906 	const struct task_security_struct *old_tsec = selinux_cred(old);
3907 	struct task_security_struct *tsec = selinux_cred(new);
3908 
3909 	*tsec = *old_tsec;
3910 }
3911 
3912 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3913 {
3914 	*secid = cred_sid(c);
3915 }
3916 
3917 /*
3918  * set the security data for a kernel service
3919  * - all the creation contexts are set to unlabelled
3920  */
3921 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3922 {
3923 	struct task_security_struct *tsec = selinux_cred(new);
3924 	u32 sid = current_sid();
3925 	int ret;
3926 
3927 	ret = avc_has_perm(&selinux_state,
3928 			   sid, secid,
3929 			   SECCLASS_KERNEL_SERVICE,
3930 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3931 			   NULL);
3932 	if (ret == 0) {
3933 		tsec->sid = secid;
3934 		tsec->create_sid = 0;
3935 		tsec->keycreate_sid = 0;
3936 		tsec->sockcreate_sid = 0;
3937 	}
3938 	return ret;
3939 }
3940 
3941 /*
3942  * set the file creation context in a security record to the same as the
3943  * objective context of the specified inode
3944  */
3945 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3946 {
3947 	struct inode_security_struct *isec = inode_security(inode);
3948 	struct task_security_struct *tsec = selinux_cred(new);
3949 	u32 sid = current_sid();
3950 	int ret;
3951 
3952 	ret = avc_has_perm(&selinux_state,
3953 			   sid, isec->sid,
3954 			   SECCLASS_KERNEL_SERVICE,
3955 			   KERNEL_SERVICE__CREATE_FILES_AS,
3956 			   NULL);
3957 
3958 	if (ret == 0)
3959 		tsec->create_sid = isec->sid;
3960 	return ret;
3961 }
3962 
3963 static int selinux_kernel_module_request(char *kmod_name)
3964 {
3965 	struct common_audit_data ad;
3966 
3967 	ad.type = LSM_AUDIT_DATA_KMOD;
3968 	ad.u.kmod_name = kmod_name;
3969 
3970 	return avc_has_perm(&selinux_state,
3971 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3972 			    SYSTEM__MODULE_REQUEST, &ad);
3973 }
3974 
3975 static int selinux_kernel_module_from_file(struct file *file)
3976 {
3977 	struct common_audit_data ad;
3978 	struct inode_security_struct *isec;
3979 	struct file_security_struct *fsec;
3980 	u32 sid = current_sid();
3981 	int rc;
3982 
3983 	/* init_module */
3984 	if (file == NULL)
3985 		return avc_has_perm(&selinux_state,
3986 				    sid, sid, SECCLASS_SYSTEM,
3987 					SYSTEM__MODULE_LOAD, NULL);
3988 
3989 	/* finit_module */
3990 
3991 	ad.type = LSM_AUDIT_DATA_FILE;
3992 	ad.u.file = file;
3993 
3994 	fsec = selinux_file(file);
3995 	if (sid != fsec->sid) {
3996 		rc = avc_has_perm(&selinux_state,
3997 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3998 		if (rc)
3999 			return rc;
4000 	}
4001 
4002 	isec = inode_security(file_inode(file));
4003 	return avc_has_perm(&selinux_state,
4004 			    sid, isec->sid, SECCLASS_SYSTEM,
4005 				SYSTEM__MODULE_LOAD, &ad);
4006 }
4007 
4008 static int selinux_kernel_read_file(struct file *file,
4009 				    enum kernel_read_file_id id,
4010 				    bool contents)
4011 {
4012 	int rc = 0;
4013 
4014 	switch (id) {
4015 	case READING_MODULE:
4016 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4017 		break;
4018 	default:
4019 		break;
4020 	}
4021 
4022 	return rc;
4023 }
4024 
4025 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4026 {
4027 	int rc = 0;
4028 
4029 	switch (id) {
4030 	case LOADING_MODULE:
4031 		rc = selinux_kernel_module_from_file(NULL);
4032 	default:
4033 		break;
4034 	}
4035 
4036 	return rc;
4037 }
4038 
4039 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4040 {
4041 	return avc_has_perm(&selinux_state,
4042 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4043 			    PROCESS__SETPGID, NULL);
4044 }
4045 
4046 static int selinux_task_getpgid(struct task_struct *p)
4047 {
4048 	return avc_has_perm(&selinux_state,
4049 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4050 			    PROCESS__GETPGID, NULL);
4051 }
4052 
4053 static int selinux_task_getsid(struct task_struct *p)
4054 {
4055 	return avc_has_perm(&selinux_state,
4056 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4057 			    PROCESS__GETSESSION, NULL);
4058 }
4059 
4060 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4061 {
4062 	*secid = task_sid(p);
4063 }
4064 
4065 static int selinux_task_setnice(struct task_struct *p, int nice)
4066 {
4067 	return avc_has_perm(&selinux_state,
4068 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4069 			    PROCESS__SETSCHED, NULL);
4070 }
4071 
4072 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4073 {
4074 	return avc_has_perm(&selinux_state,
4075 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4076 			    PROCESS__SETSCHED, NULL);
4077 }
4078 
4079 static int selinux_task_getioprio(struct task_struct *p)
4080 {
4081 	return avc_has_perm(&selinux_state,
4082 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4083 			    PROCESS__GETSCHED, NULL);
4084 }
4085 
4086 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4087 				unsigned int flags)
4088 {
4089 	u32 av = 0;
4090 
4091 	if (!flags)
4092 		return 0;
4093 	if (flags & LSM_PRLIMIT_WRITE)
4094 		av |= PROCESS__SETRLIMIT;
4095 	if (flags & LSM_PRLIMIT_READ)
4096 		av |= PROCESS__GETRLIMIT;
4097 	return avc_has_perm(&selinux_state,
4098 			    cred_sid(cred), cred_sid(tcred),
4099 			    SECCLASS_PROCESS, av, NULL);
4100 }
4101 
4102 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4103 		struct rlimit *new_rlim)
4104 {
4105 	struct rlimit *old_rlim = p->signal->rlim + resource;
4106 
4107 	/* Control the ability to change the hard limit (whether
4108 	   lowering or raising it), so that the hard limit can
4109 	   later be used as a safe reset point for the soft limit
4110 	   upon context transitions.  See selinux_bprm_committing_creds. */
4111 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4112 		return avc_has_perm(&selinux_state,
4113 				    current_sid(), task_sid(p),
4114 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4115 
4116 	return 0;
4117 }
4118 
4119 static int selinux_task_setscheduler(struct task_struct *p)
4120 {
4121 	return avc_has_perm(&selinux_state,
4122 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4123 			    PROCESS__SETSCHED, NULL);
4124 }
4125 
4126 static int selinux_task_getscheduler(struct task_struct *p)
4127 {
4128 	return avc_has_perm(&selinux_state,
4129 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4130 			    PROCESS__GETSCHED, NULL);
4131 }
4132 
4133 static int selinux_task_movememory(struct task_struct *p)
4134 {
4135 	return avc_has_perm(&selinux_state,
4136 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4137 			    PROCESS__SETSCHED, NULL);
4138 }
4139 
4140 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4141 				int sig, const struct cred *cred)
4142 {
4143 	u32 secid;
4144 	u32 perm;
4145 
4146 	if (!sig)
4147 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4148 	else
4149 		perm = signal_to_av(sig);
4150 	if (!cred)
4151 		secid = current_sid();
4152 	else
4153 		secid = cred_sid(cred);
4154 	return avc_has_perm(&selinux_state,
4155 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4156 }
4157 
4158 static void selinux_task_to_inode(struct task_struct *p,
4159 				  struct inode *inode)
4160 {
4161 	struct inode_security_struct *isec = selinux_inode(inode);
4162 	u32 sid = task_sid(p);
4163 
4164 	spin_lock(&isec->lock);
4165 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4166 	isec->sid = sid;
4167 	isec->initialized = LABEL_INITIALIZED;
4168 	spin_unlock(&isec->lock);
4169 }
4170 
4171 /* Returns error only if unable to parse addresses */
4172 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4173 			struct common_audit_data *ad, u8 *proto)
4174 {
4175 	int offset, ihlen, ret = -EINVAL;
4176 	struct iphdr _iph, *ih;
4177 
4178 	offset = skb_network_offset(skb);
4179 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4180 	if (ih == NULL)
4181 		goto out;
4182 
4183 	ihlen = ih->ihl * 4;
4184 	if (ihlen < sizeof(_iph))
4185 		goto out;
4186 
4187 	ad->u.net->v4info.saddr = ih->saddr;
4188 	ad->u.net->v4info.daddr = ih->daddr;
4189 	ret = 0;
4190 
4191 	if (proto)
4192 		*proto = ih->protocol;
4193 
4194 	switch (ih->protocol) {
4195 	case IPPROTO_TCP: {
4196 		struct tcphdr _tcph, *th;
4197 
4198 		if (ntohs(ih->frag_off) & IP_OFFSET)
4199 			break;
4200 
4201 		offset += ihlen;
4202 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4203 		if (th == NULL)
4204 			break;
4205 
4206 		ad->u.net->sport = th->source;
4207 		ad->u.net->dport = th->dest;
4208 		break;
4209 	}
4210 
4211 	case IPPROTO_UDP: {
4212 		struct udphdr _udph, *uh;
4213 
4214 		if (ntohs(ih->frag_off) & IP_OFFSET)
4215 			break;
4216 
4217 		offset += ihlen;
4218 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4219 		if (uh == NULL)
4220 			break;
4221 
4222 		ad->u.net->sport = uh->source;
4223 		ad->u.net->dport = uh->dest;
4224 		break;
4225 	}
4226 
4227 	case IPPROTO_DCCP: {
4228 		struct dccp_hdr _dccph, *dh;
4229 
4230 		if (ntohs(ih->frag_off) & IP_OFFSET)
4231 			break;
4232 
4233 		offset += ihlen;
4234 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4235 		if (dh == NULL)
4236 			break;
4237 
4238 		ad->u.net->sport = dh->dccph_sport;
4239 		ad->u.net->dport = dh->dccph_dport;
4240 		break;
4241 	}
4242 
4243 #if IS_ENABLED(CONFIG_IP_SCTP)
4244 	case IPPROTO_SCTP: {
4245 		struct sctphdr _sctph, *sh;
4246 
4247 		if (ntohs(ih->frag_off) & IP_OFFSET)
4248 			break;
4249 
4250 		offset += ihlen;
4251 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4252 		if (sh == NULL)
4253 			break;
4254 
4255 		ad->u.net->sport = sh->source;
4256 		ad->u.net->dport = sh->dest;
4257 		break;
4258 	}
4259 #endif
4260 	default:
4261 		break;
4262 	}
4263 out:
4264 	return ret;
4265 }
4266 
4267 #if IS_ENABLED(CONFIG_IPV6)
4268 
4269 /* Returns error only if unable to parse addresses */
4270 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4271 			struct common_audit_data *ad, u8 *proto)
4272 {
4273 	u8 nexthdr;
4274 	int ret = -EINVAL, offset;
4275 	struct ipv6hdr _ipv6h, *ip6;
4276 	__be16 frag_off;
4277 
4278 	offset = skb_network_offset(skb);
4279 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4280 	if (ip6 == NULL)
4281 		goto out;
4282 
4283 	ad->u.net->v6info.saddr = ip6->saddr;
4284 	ad->u.net->v6info.daddr = ip6->daddr;
4285 	ret = 0;
4286 
4287 	nexthdr = ip6->nexthdr;
4288 	offset += sizeof(_ipv6h);
4289 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4290 	if (offset < 0)
4291 		goto out;
4292 
4293 	if (proto)
4294 		*proto = nexthdr;
4295 
4296 	switch (nexthdr) {
4297 	case IPPROTO_TCP: {
4298 		struct tcphdr _tcph, *th;
4299 
4300 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4301 		if (th == NULL)
4302 			break;
4303 
4304 		ad->u.net->sport = th->source;
4305 		ad->u.net->dport = th->dest;
4306 		break;
4307 	}
4308 
4309 	case IPPROTO_UDP: {
4310 		struct udphdr _udph, *uh;
4311 
4312 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4313 		if (uh == NULL)
4314 			break;
4315 
4316 		ad->u.net->sport = uh->source;
4317 		ad->u.net->dport = uh->dest;
4318 		break;
4319 	}
4320 
4321 	case IPPROTO_DCCP: {
4322 		struct dccp_hdr _dccph, *dh;
4323 
4324 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4325 		if (dh == NULL)
4326 			break;
4327 
4328 		ad->u.net->sport = dh->dccph_sport;
4329 		ad->u.net->dport = dh->dccph_dport;
4330 		break;
4331 	}
4332 
4333 #if IS_ENABLED(CONFIG_IP_SCTP)
4334 	case IPPROTO_SCTP: {
4335 		struct sctphdr _sctph, *sh;
4336 
4337 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4338 		if (sh == NULL)
4339 			break;
4340 
4341 		ad->u.net->sport = sh->source;
4342 		ad->u.net->dport = sh->dest;
4343 		break;
4344 	}
4345 #endif
4346 	/* includes fragments */
4347 	default:
4348 		break;
4349 	}
4350 out:
4351 	return ret;
4352 }
4353 
4354 #endif /* IPV6 */
4355 
4356 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4357 			     char **_addrp, int src, u8 *proto)
4358 {
4359 	char *addrp;
4360 	int ret;
4361 
4362 	switch (ad->u.net->family) {
4363 	case PF_INET:
4364 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4365 		if (ret)
4366 			goto parse_error;
4367 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4368 				       &ad->u.net->v4info.daddr);
4369 		goto okay;
4370 
4371 #if IS_ENABLED(CONFIG_IPV6)
4372 	case PF_INET6:
4373 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4374 		if (ret)
4375 			goto parse_error;
4376 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4377 				       &ad->u.net->v6info.daddr);
4378 		goto okay;
4379 #endif	/* IPV6 */
4380 	default:
4381 		addrp = NULL;
4382 		goto okay;
4383 	}
4384 
4385 parse_error:
4386 	pr_warn(
4387 	       "SELinux: failure in selinux_parse_skb(),"
4388 	       " unable to parse packet\n");
4389 	return ret;
4390 
4391 okay:
4392 	if (_addrp)
4393 		*_addrp = addrp;
4394 	return 0;
4395 }
4396 
4397 /**
4398  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4399  * @skb: the packet
4400  * @family: protocol family
4401  * @sid: the packet's peer label SID
4402  *
4403  * Description:
4404  * Check the various different forms of network peer labeling and determine
4405  * the peer label/SID for the packet; most of the magic actually occurs in
4406  * the security server function security_net_peersid_cmp().  The function
4407  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4408  * or -EACCES if @sid is invalid due to inconsistencies with the different
4409  * peer labels.
4410  *
4411  */
4412 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4413 {
4414 	int err;
4415 	u32 xfrm_sid;
4416 	u32 nlbl_sid;
4417 	u32 nlbl_type;
4418 
4419 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4420 	if (unlikely(err))
4421 		return -EACCES;
4422 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4423 	if (unlikely(err))
4424 		return -EACCES;
4425 
4426 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4427 					   nlbl_type, xfrm_sid, sid);
4428 	if (unlikely(err)) {
4429 		pr_warn(
4430 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4431 		       " unable to determine packet's peer label\n");
4432 		return -EACCES;
4433 	}
4434 
4435 	return 0;
4436 }
4437 
4438 /**
4439  * selinux_conn_sid - Determine the child socket label for a connection
4440  * @sk_sid: the parent socket's SID
4441  * @skb_sid: the packet's SID
4442  * @conn_sid: the resulting connection SID
4443  *
4444  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4445  * combined with the MLS information from @skb_sid in order to create
4446  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4447  * of @sk_sid.  Returns zero on success, negative values on failure.
4448  *
4449  */
4450 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4451 {
4452 	int err = 0;
4453 
4454 	if (skb_sid != SECSID_NULL)
4455 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4456 					    conn_sid);
4457 	else
4458 		*conn_sid = sk_sid;
4459 
4460 	return err;
4461 }
4462 
4463 /* socket security operations */
4464 
4465 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4466 				 u16 secclass, u32 *socksid)
4467 {
4468 	if (tsec->sockcreate_sid > SECSID_NULL) {
4469 		*socksid = tsec->sockcreate_sid;
4470 		return 0;
4471 	}
4472 
4473 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4474 				       secclass, NULL, socksid);
4475 }
4476 
4477 static int sock_has_perm(struct sock *sk, u32 perms)
4478 {
4479 	struct sk_security_struct *sksec = sk->sk_security;
4480 	struct common_audit_data ad;
4481 	struct lsm_network_audit net = {0,};
4482 
4483 	if (sksec->sid == SECINITSID_KERNEL)
4484 		return 0;
4485 
4486 	ad.type = LSM_AUDIT_DATA_NET;
4487 	ad.u.net = &net;
4488 	ad.u.net->sk = sk;
4489 
4490 	return avc_has_perm(&selinux_state,
4491 			    current_sid(), sksec->sid, sksec->sclass, perms,
4492 			    &ad);
4493 }
4494 
4495 static int selinux_socket_create(int family, int type,
4496 				 int protocol, int kern)
4497 {
4498 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4499 	u32 newsid;
4500 	u16 secclass;
4501 	int rc;
4502 
4503 	if (kern)
4504 		return 0;
4505 
4506 	secclass = socket_type_to_security_class(family, type, protocol);
4507 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4508 	if (rc)
4509 		return rc;
4510 
4511 	return avc_has_perm(&selinux_state,
4512 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4513 }
4514 
4515 static int selinux_socket_post_create(struct socket *sock, int family,
4516 				      int type, int protocol, int kern)
4517 {
4518 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4519 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4520 	struct sk_security_struct *sksec;
4521 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4522 	u32 sid = SECINITSID_KERNEL;
4523 	int err = 0;
4524 
4525 	if (!kern) {
4526 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4527 		if (err)
4528 			return err;
4529 	}
4530 
4531 	isec->sclass = sclass;
4532 	isec->sid = sid;
4533 	isec->initialized = LABEL_INITIALIZED;
4534 
4535 	if (sock->sk) {
4536 		sksec = sock->sk->sk_security;
4537 		sksec->sclass = sclass;
4538 		sksec->sid = sid;
4539 		/* Allows detection of the first association on this socket */
4540 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4541 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4542 
4543 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4544 	}
4545 
4546 	return err;
4547 }
4548 
4549 static int selinux_socket_socketpair(struct socket *socka,
4550 				     struct socket *sockb)
4551 {
4552 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4553 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4554 
4555 	sksec_a->peer_sid = sksec_b->sid;
4556 	sksec_b->peer_sid = sksec_a->sid;
4557 
4558 	return 0;
4559 }
4560 
4561 /* Range of port numbers used to automatically bind.
4562    Need to determine whether we should perform a name_bind
4563    permission check between the socket and the port number. */
4564 
4565 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4566 {
4567 	struct sock *sk = sock->sk;
4568 	struct sk_security_struct *sksec = sk->sk_security;
4569 	u16 family;
4570 	int err;
4571 
4572 	err = sock_has_perm(sk, SOCKET__BIND);
4573 	if (err)
4574 		goto out;
4575 
4576 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4577 	family = sk->sk_family;
4578 	if (family == PF_INET || family == PF_INET6) {
4579 		char *addrp;
4580 		struct common_audit_data ad;
4581 		struct lsm_network_audit net = {0,};
4582 		struct sockaddr_in *addr4 = NULL;
4583 		struct sockaddr_in6 *addr6 = NULL;
4584 		u16 family_sa;
4585 		unsigned short snum;
4586 		u32 sid, node_perm;
4587 
4588 		/*
4589 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4590 		 * that validates multiple binding addresses. Because of this
4591 		 * need to check address->sa_family as it is possible to have
4592 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4593 		 */
4594 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4595 			return -EINVAL;
4596 		family_sa = address->sa_family;
4597 		switch (family_sa) {
4598 		case AF_UNSPEC:
4599 		case AF_INET:
4600 			if (addrlen < sizeof(struct sockaddr_in))
4601 				return -EINVAL;
4602 			addr4 = (struct sockaddr_in *)address;
4603 			if (family_sa == AF_UNSPEC) {
4604 				/* see __inet_bind(), we only want to allow
4605 				 * AF_UNSPEC if the address is INADDR_ANY
4606 				 */
4607 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4608 					goto err_af;
4609 				family_sa = AF_INET;
4610 			}
4611 			snum = ntohs(addr4->sin_port);
4612 			addrp = (char *)&addr4->sin_addr.s_addr;
4613 			break;
4614 		case AF_INET6:
4615 			if (addrlen < SIN6_LEN_RFC2133)
4616 				return -EINVAL;
4617 			addr6 = (struct sockaddr_in6 *)address;
4618 			snum = ntohs(addr6->sin6_port);
4619 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4620 			break;
4621 		default:
4622 			goto err_af;
4623 		}
4624 
4625 		ad.type = LSM_AUDIT_DATA_NET;
4626 		ad.u.net = &net;
4627 		ad.u.net->sport = htons(snum);
4628 		ad.u.net->family = family_sa;
4629 
4630 		if (snum) {
4631 			int low, high;
4632 
4633 			inet_get_local_port_range(sock_net(sk), &low, &high);
4634 
4635 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4636 			    snum < low || snum > high) {
4637 				err = sel_netport_sid(sk->sk_protocol,
4638 						      snum, &sid);
4639 				if (err)
4640 					goto out;
4641 				err = avc_has_perm(&selinux_state,
4642 						   sksec->sid, sid,
4643 						   sksec->sclass,
4644 						   SOCKET__NAME_BIND, &ad);
4645 				if (err)
4646 					goto out;
4647 			}
4648 		}
4649 
4650 		switch (sksec->sclass) {
4651 		case SECCLASS_TCP_SOCKET:
4652 			node_perm = TCP_SOCKET__NODE_BIND;
4653 			break;
4654 
4655 		case SECCLASS_UDP_SOCKET:
4656 			node_perm = UDP_SOCKET__NODE_BIND;
4657 			break;
4658 
4659 		case SECCLASS_DCCP_SOCKET:
4660 			node_perm = DCCP_SOCKET__NODE_BIND;
4661 			break;
4662 
4663 		case SECCLASS_SCTP_SOCKET:
4664 			node_perm = SCTP_SOCKET__NODE_BIND;
4665 			break;
4666 
4667 		default:
4668 			node_perm = RAWIP_SOCKET__NODE_BIND;
4669 			break;
4670 		}
4671 
4672 		err = sel_netnode_sid(addrp, family_sa, &sid);
4673 		if (err)
4674 			goto out;
4675 
4676 		if (family_sa == AF_INET)
4677 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4678 		else
4679 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4680 
4681 		err = avc_has_perm(&selinux_state,
4682 				   sksec->sid, sid,
4683 				   sksec->sclass, node_perm, &ad);
4684 		if (err)
4685 			goto out;
4686 	}
4687 out:
4688 	return err;
4689 err_af:
4690 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4691 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4692 		return -EINVAL;
4693 	return -EAFNOSUPPORT;
4694 }
4695 
4696 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4697  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4698  */
4699 static int selinux_socket_connect_helper(struct socket *sock,
4700 					 struct sockaddr *address, int addrlen)
4701 {
4702 	struct sock *sk = sock->sk;
4703 	struct sk_security_struct *sksec = sk->sk_security;
4704 	int err;
4705 
4706 	err = sock_has_perm(sk, SOCKET__CONNECT);
4707 	if (err)
4708 		return err;
4709 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4710 		return -EINVAL;
4711 
4712 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4713 	 * way to disconnect the socket
4714 	 */
4715 	if (address->sa_family == AF_UNSPEC)
4716 		return 0;
4717 
4718 	/*
4719 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4720 	 * for the port.
4721 	 */
4722 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4723 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4724 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4725 		struct common_audit_data ad;
4726 		struct lsm_network_audit net = {0,};
4727 		struct sockaddr_in *addr4 = NULL;
4728 		struct sockaddr_in6 *addr6 = NULL;
4729 		unsigned short snum;
4730 		u32 sid, perm;
4731 
4732 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4733 		 * that validates multiple connect addresses. Because of this
4734 		 * need to check address->sa_family as it is possible to have
4735 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4736 		 */
4737 		switch (address->sa_family) {
4738 		case AF_INET:
4739 			addr4 = (struct sockaddr_in *)address;
4740 			if (addrlen < sizeof(struct sockaddr_in))
4741 				return -EINVAL;
4742 			snum = ntohs(addr4->sin_port);
4743 			break;
4744 		case AF_INET6:
4745 			addr6 = (struct sockaddr_in6 *)address;
4746 			if (addrlen < SIN6_LEN_RFC2133)
4747 				return -EINVAL;
4748 			snum = ntohs(addr6->sin6_port);
4749 			break;
4750 		default:
4751 			/* Note that SCTP services expect -EINVAL, whereas
4752 			 * others expect -EAFNOSUPPORT.
4753 			 */
4754 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4755 				return -EINVAL;
4756 			else
4757 				return -EAFNOSUPPORT;
4758 		}
4759 
4760 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4761 		if (err)
4762 			return err;
4763 
4764 		switch (sksec->sclass) {
4765 		case SECCLASS_TCP_SOCKET:
4766 			perm = TCP_SOCKET__NAME_CONNECT;
4767 			break;
4768 		case SECCLASS_DCCP_SOCKET:
4769 			perm = DCCP_SOCKET__NAME_CONNECT;
4770 			break;
4771 		case SECCLASS_SCTP_SOCKET:
4772 			perm = SCTP_SOCKET__NAME_CONNECT;
4773 			break;
4774 		}
4775 
4776 		ad.type = LSM_AUDIT_DATA_NET;
4777 		ad.u.net = &net;
4778 		ad.u.net->dport = htons(snum);
4779 		ad.u.net->family = address->sa_family;
4780 		err = avc_has_perm(&selinux_state,
4781 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4782 		if (err)
4783 			return err;
4784 	}
4785 
4786 	return 0;
4787 }
4788 
4789 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4790 static int selinux_socket_connect(struct socket *sock,
4791 				  struct sockaddr *address, int addrlen)
4792 {
4793 	int err;
4794 	struct sock *sk = sock->sk;
4795 
4796 	err = selinux_socket_connect_helper(sock, address, addrlen);
4797 	if (err)
4798 		return err;
4799 
4800 	return selinux_netlbl_socket_connect(sk, address);
4801 }
4802 
4803 static int selinux_socket_listen(struct socket *sock, int backlog)
4804 {
4805 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4806 }
4807 
4808 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4809 {
4810 	int err;
4811 	struct inode_security_struct *isec;
4812 	struct inode_security_struct *newisec;
4813 	u16 sclass;
4814 	u32 sid;
4815 
4816 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4817 	if (err)
4818 		return err;
4819 
4820 	isec = inode_security_novalidate(SOCK_INODE(sock));
4821 	spin_lock(&isec->lock);
4822 	sclass = isec->sclass;
4823 	sid = isec->sid;
4824 	spin_unlock(&isec->lock);
4825 
4826 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4827 	newisec->sclass = sclass;
4828 	newisec->sid = sid;
4829 	newisec->initialized = LABEL_INITIALIZED;
4830 
4831 	return 0;
4832 }
4833 
4834 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4835 				  int size)
4836 {
4837 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4838 }
4839 
4840 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4841 				  int size, int flags)
4842 {
4843 	return sock_has_perm(sock->sk, SOCKET__READ);
4844 }
4845 
4846 static int selinux_socket_getsockname(struct socket *sock)
4847 {
4848 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4849 }
4850 
4851 static int selinux_socket_getpeername(struct socket *sock)
4852 {
4853 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4854 }
4855 
4856 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4857 {
4858 	int err;
4859 
4860 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4861 	if (err)
4862 		return err;
4863 
4864 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4865 }
4866 
4867 static int selinux_socket_getsockopt(struct socket *sock, int level,
4868 				     int optname)
4869 {
4870 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4871 }
4872 
4873 static int selinux_socket_shutdown(struct socket *sock, int how)
4874 {
4875 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4876 }
4877 
4878 static int selinux_socket_unix_stream_connect(struct sock *sock,
4879 					      struct sock *other,
4880 					      struct sock *newsk)
4881 {
4882 	struct sk_security_struct *sksec_sock = sock->sk_security;
4883 	struct sk_security_struct *sksec_other = other->sk_security;
4884 	struct sk_security_struct *sksec_new = newsk->sk_security;
4885 	struct common_audit_data ad;
4886 	struct lsm_network_audit net = {0,};
4887 	int err;
4888 
4889 	ad.type = LSM_AUDIT_DATA_NET;
4890 	ad.u.net = &net;
4891 	ad.u.net->sk = other;
4892 
4893 	err = avc_has_perm(&selinux_state,
4894 			   sksec_sock->sid, sksec_other->sid,
4895 			   sksec_other->sclass,
4896 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4897 	if (err)
4898 		return err;
4899 
4900 	/* server child socket */
4901 	sksec_new->peer_sid = sksec_sock->sid;
4902 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4903 				    sksec_sock->sid, &sksec_new->sid);
4904 	if (err)
4905 		return err;
4906 
4907 	/* connecting socket */
4908 	sksec_sock->peer_sid = sksec_new->sid;
4909 
4910 	return 0;
4911 }
4912 
4913 static int selinux_socket_unix_may_send(struct socket *sock,
4914 					struct socket *other)
4915 {
4916 	struct sk_security_struct *ssec = sock->sk->sk_security;
4917 	struct sk_security_struct *osec = other->sk->sk_security;
4918 	struct common_audit_data ad;
4919 	struct lsm_network_audit net = {0,};
4920 
4921 	ad.type = LSM_AUDIT_DATA_NET;
4922 	ad.u.net = &net;
4923 	ad.u.net->sk = other->sk;
4924 
4925 	return avc_has_perm(&selinux_state,
4926 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4927 			    &ad);
4928 }
4929 
4930 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4931 				    char *addrp, u16 family, u32 peer_sid,
4932 				    struct common_audit_data *ad)
4933 {
4934 	int err;
4935 	u32 if_sid;
4936 	u32 node_sid;
4937 
4938 	err = sel_netif_sid(ns, ifindex, &if_sid);
4939 	if (err)
4940 		return err;
4941 	err = avc_has_perm(&selinux_state,
4942 			   peer_sid, if_sid,
4943 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4944 	if (err)
4945 		return err;
4946 
4947 	err = sel_netnode_sid(addrp, family, &node_sid);
4948 	if (err)
4949 		return err;
4950 	return avc_has_perm(&selinux_state,
4951 			    peer_sid, node_sid,
4952 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4953 }
4954 
4955 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4956 				       u16 family)
4957 {
4958 	int err = 0;
4959 	struct sk_security_struct *sksec = sk->sk_security;
4960 	u32 sk_sid = sksec->sid;
4961 	struct common_audit_data ad;
4962 	struct lsm_network_audit net = {0,};
4963 	char *addrp;
4964 
4965 	ad.type = LSM_AUDIT_DATA_NET;
4966 	ad.u.net = &net;
4967 	ad.u.net->netif = skb->skb_iif;
4968 	ad.u.net->family = family;
4969 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4970 	if (err)
4971 		return err;
4972 
4973 	if (selinux_secmark_enabled()) {
4974 		err = avc_has_perm(&selinux_state,
4975 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4976 				   PACKET__RECV, &ad);
4977 		if (err)
4978 			return err;
4979 	}
4980 
4981 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4982 	if (err)
4983 		return err;
4984 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4985 
4986 	return err;
4987 }
4988 
4989 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4990 {
4991 	int err;
4992 	struct sk_security_struct *sksec = sk->sk_security;
4993 	u16 family = sk->sk_family;
4994 	u32 sk_sid = sksec->sid;
4995 	struct common_audit_data ad;
4996 	struct lsm_network_audit net = {0,};
4997 	char *addrp;
4998 	u8 secmark_active;
4999 	u8 peerlbl_active;
5000 
5001 	if (family != PF_INET && family != PF_INET6)
5002 		return 0;
5003 
5004 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5005 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5006 		family = PF_INET;
5007 
5008 	/* If any sort of compatibility mode is enabled then handoff processing
5009 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5010 	 * special handling.  We do this in an attempt to keep this function
5011 	 * as fast and as clean as possible. */
5012 	if (!selinux_policycap_netpeer())
5013 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5014 
5015 	secmark_active = selinux_secmark_enabled();
5016 	peerlbl_active = selinux_peerlbl_enabled();
5017 	if (!secmark_active && !peerlbl_active)
5018 		return 0;
5019 
5020 	ad.type = LSM_AUDIT_DATA_NET;
5021 	ad.u.net = &net;
5022 	ad.u.net->netif = skb->skb_iif;
5023 	ad.u.net->family = family;
5024 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5025 	if (err)
5026 		return err;
5027 
5028 	if (peerlbl_active) {
5029 		u32 peer_sid;
5030 
5031 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5032 		if (err)
5033 			return err;
5034 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5035 					       addrp, family, peer_sid, &ad);
5036 		if (err) {
5037 			selinux_netlbl_err(skb, family, err, 0);
5038 			return err;
5039 		}
5040 		err = avc_has_perm(&selinux_state,
5041 				   sk_sid, peer_sid, SECCLASS_PEER,
5042 				   PEER__RECV, &ad);
5043 		if (err) {
5044 			selinux_netlbl_err(skb, family, err, 0);
5045 			return err;
5046 		}
5047 	}
5048 
5049 	if (secmark_active) {
5050 		err = avc_has_perm(&selinux_state,
5051 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5052 				   PACKET__RECV, &ad);
5053 		if (err)
5054 			return err;
5055 	}
5056 
5057 	return err;
5058 }
5059 
5060 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5061 					    int __user *optlen, unsigned len)
5062 {
5063 	int err = 0;
5064 	char *scontext;
5065 	u32 scontext_len;
5066 	struct sk_security_struct *sksec = sock->sk->sk_security;
5067 	u32 peer_sid = SECSID_NULL;
5068 
5069 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5070 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5071 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5072 		peer_sid = sksec->peer_sid;
5073 	if (peer_sid == SECSID_NULL)
5074 		return -ENOPROTOOPT;
5075 
5076 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5077 				      &scontext_len);
5078 	if (err)
5079 		return err;
5080 
5081 	if (scontext_len > len) {
5082 		err = -ERANGE;
5083 		goto out_len;
5084 	}
5085 
5086 	if (copy_to_user(optval, scontext, scontext_len))
5087 		err = -EFAULT;
5088 
5089 out_len:
5090 	if (put_user(scontext_len, optlen))
5091 		err = -EFAULT;
5092 	kfree(scontext);
5093 	return err;
5094 }
5095 
5096 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5097 {
5098 	u32 peer_secid = SECSID_NULL;
5099 	u16 family;
5100 	struct inode_security_struct *isec;
5101 
5102 	if (skb && skb->protocol == htons(ETH_P_IP))
5103 		family = PF_INET;
5104 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5105 		family = PF_INET6;
5106 	else if (sock)
5107 		family = sock->sk->sk_family;
5108 	else
5109 		goto out;
5110 
5111 	if (sock && family == PF_UNIX) {
5112 		isec = inode_security_novalidate(SOCK_INODE(sock));
5113 		peer_secid = isec->sid;
5114 	} else if (skb)
5115 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5116 
5117 out:
5118 	*secid = peer_secid;
5119 	if (peer_secid == SECSID_NULL)
5120 		return -EINVAL;
5121 	return 0;
5122 }
5123 
5124 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5125 {
5126 	struct sk_security_struct *sksec;
5127 
5128 	sksec = kzalloc(sizeof(*sksec), priority);
5129 	if (!sksec)
5130 		return -ENOMEM;
5131 
5132 	sksec->peer_sid = SECINITSID_UNLABELED;
5133 	sksec->sid = SECINITSID_UNLABELED;
5134 	sksec->sclass = SECCLASS_SOCKET;
5135 	selinux_netlbl_sk_security_reset(sksec);
5136 	sk->sk_security = sksec;
5137 
5138 	return 0;
5139 }
5140 
5141 static void selinux_sk_free_security(struct sock *sk)
5142 {
5143 	struct sk_security_struct *sksec = sk->sk_security;
5144 
5145 	sk->sk_security = NULL;
5146 	selinux_netlbl_sk_security_free(sksec);
5147 	kfree(sksec);
5148 }
5149 
5150 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5151 {
5152 	struct sk_security_struct *sksec = sk->sk_security;
5153 	struct sk_security_struct *newsksec = newsk->sk_security;
5154 
5155 	newsksec->sid = sksec->sid;
5156 	newsksec->peer_sid = sksec->peer_sid;
5157 	newsksec->sclass = sksec->sclass;
5158 
5159 	selinux_netlbl_sk_security_reset(newsksec);
5160 }
5161 
5162 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5163 {
5164 	if (!sk)
5165 		*secid = SECINITSID_ANY_SOCKET;
5166 	else {
5167 		struct sk_security_struct *sksec = sk->sk_security;
5168 
5169 		*secid = sksec->sid;
5170 	}
5171 }
5172 
5173 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5174 {
5175 	struct inode_security_struct *isec =
5176 		inode_security_novalidate(SOCK_INODE(parent));
5177 	struct sk_security_struct *sksec = sk->sk_security;
5178 
5179 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5180 	    sk->sk_family == PF_UNIX)
5181 		isec->sid = sksec->sid;
5182 	sksec->sclass = isec->sclass;
5183 }
5184 
5185 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5186  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5187  * already present).
5188  */
5189 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5190 				      struct sk_buff *skb)
5191 {
5192 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5193 	struct common_audit_data ad;
5194 	struct lsm_network_audit net = {0,};
5195 	u8 peerlbl_active;
5196 	u32 peer_sid = SECINITSID_UNLABELED;
5197 	u32 conn_sid;
5198 	int err = 0;
5199 
5200 	if (!selinux_policycap_extsockclass())
5201 		return 0;
5202 
5203 	peerlbl_active = selinux_peerlbl_enabled();
5204 
5205 	if (peerlbl_active) {
5206 		/* This will return peer_sid = SECSID_NULL if there are
5207 		 * no peer labels, see security_net_peersid_resolve().
5208 		 */
5209 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5210 					      &peer_sid);
5211 		if (err)
5212 			return err;
5213 
5214 		if (peer_sid == SECSID_NULL)
5215 			peer_sid = SECINITSID_UNLABELED;
5216 	}
5217 
5218 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5219 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5220 
5221 		/* Here as first association on socket. As the peer SID
5222 		 * was allowed by peer recv (and the netif/node checks),
5223 		 * then it is approved by policy and used as the primary
5224 		 * peer SID for getpeercon(3).
5225 		 */
5226 		sksec->peer_sid = peer_sid;
5227 	} else if  (sksec->peer_sid != peer_sid) {
5228 		/* Other association peer SIDs are checked to enforce
5229 		 * consistency among the peer SIDs.
5230 		 */
5231 		ad.type = LSM_AUDIT_DATA_NET;
5232 		ad.u.net = &net;
5233 		ad.u.net->sk = ep->base.sk;
5234 		err = avc_has_perm(&selinux_state,
5235 				   sksec->peer_sid, peer_sid, sksec->sclass,
5236 				   SCTP_SOCKET__ASSOCIATION, &ad);
5237 		if (err)
5238 			return err;
5239 	}
5240 
5241 	/* Compute the MLS component for the connection and store
5242 	 * the information in ep. This will be used by SCTP TCP type
5243 	 * sockets and peeled off connections as they cause a new
5244 	 * socket to be generated. selinux_sctp_sk_clone() will then
5245 	 * plug this into the new socket.
5246 	 */
5247 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5248 	if (err)
5249 		return err;
5250 
5251 	ep->secid = conn_sid;
5252 	ep->peer_secid = peer_sid;
5253 
5254 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5255 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5256 }
5257 
5258 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5259  * based on their @optname.
5260  */
5261 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5262 				     struct sockaddr *address,
5263 				     int addrlen)
5264 {
5265 	int len, err = 0, walk_size = 0;
5266 	void *addr_buf;
5267 	struct sockaddr *addr;
5268 	struct socket *sock;
5269 
5270 	if (!selinux_policycap_extsockclass())
5271 		return 0;
5272 
5273 	/* Process one or more addresses that may be IPv4 or IPv6 */
5274 	sock = sk->sk_socket;
5275 	addr_buf = address;
5276 
5277 	while (walk_size < addrlen) {
5278 		if (walk_size + sizeof(sa_family_t) > addrlen)
5279 			return -EINVAL;
5280 
5281 		addr = addr_buf;
5282 		switch (addr->sa_family) {
5283 		case AF_UNSPEC:
5284 		case AF_INET:
5285 			len = sizeof(struct sockaddr_in);
5286 			break;
5287 		case AF_INET6:
5288 			len = sizeof(struct sockaddr_in6);
5289 			break;
5290 		default:
5291 			return -EINVAL;
5292 		}
5293 
5294 		if (walk_size + len > addrlen)
5295 			return -EINVAL;
5296 
5297 		err = -EINVAL;
5298 		switch (optname) {
5299 		/* Bind checks */
5300 		case SCTP_PRIMARY_ADDR:
5301 		case SCTP_SET_PEER_PRIMARY_ADDR:
5302 		case SCTP_SOCKOPT_BINDX_ADD:
5303 			err = selinux_socket_bind(sock, addr, len);
5304 			break;
5305 		/* Connect checks */
5306 		case SCTP_SOCKOPT_CONNECTX:
5307 		case SCTP_PARAM_SET_PRIMARY:
5308 		case SCTP_PARAM_ADD_IP:
5309 		case SCTP_SENDMSG_CONNECT:
5310 			err = selinux_socket_connect_helper(sock, addr, len);
5311 			if (err)
5312 				return err;
5313 
5314 			/* As selinux_sctp_bind_connect() is called by the
5315 			 * SCTP protocol layer, the socket is already locked,
5316 			 * therefore selinux_netlbl_socket_connect_locked()
5317 			 * is called here. The situations handled are:
5318 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5319 			 * whenever a new IP address is added or when a new
5320 			 * primary address is selected.
5321 			 * Note that an SCTP connect(2) call happens before
5322 			 * the SCTP protocol layer and is handled via
5323 			 * selinux_socket_connect().
5324 			 */
5325 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5326 			break;
5327 		}
5328 
5329 		if (err)
5330 			return err;
5331 
5332 		addr_buf += len;
5333 		walk_size += len;
5334 	}
5335 
5336 	return 0;
5337 }
5338 
5339 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5340 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5341 				  struct sock *newsk)
5342 {
5343 	struct sk_security_struct *sksec = sk->sk_security;
5344 	struct sk_security_struct *newsksec = newsk->sk_security;
5345 
5346 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5347 	 * the non-sctp clone version.
5348 	 */
5349 	if (!selinux_policycap_extsockclass())
5350 		return selinux_sk_clone_security(sk, newsk);
5351 
5352 	newsksec->sid = ep->secid;
5353 	newsksec->peer_sid = ep->peer_secid;
5354 	newsksec->sclass = sksec->sclass;
5355 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5356 }
5357 
5358 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5359 				     struct request_sock *req)
5360 {
5361 	struct sk_security_struct *sksec = sk->sk_security;
5362 	int err;
5363 	u16 family = req->rsk_ops->family;
5364 	u32 connsid;
5365 	u32 peersid;
5366 
5367 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5368 	if (err)
5369 		return err;
5370 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5371 	if (err)
5372 		return err;
5373 	req->secid = connsid;
5374 	req->peer_secid = peersid;
5375 
5376 	return selinux_netlbl_inet_conn_request(req, family);
5377 }
5378 
5379 static void selinux_inet_csk_clone(struct sock *newsk,
5380 				   const struct request_sock *req)
5381 {
5382 	struct sk_security_struct *newsksec = newsk->sk_security;
5383 
5384 	newsksec->sid = req->secid;
5385 	newsksec->peer_sid = req->peer_secid;
5386 	/* NOTE: Ideally, we should also get the isec->sid for the
5387 	   new socket in sync, but we don't have the isec available yet.
5388 	   So we will wait until sock_graft to do it, by which
5389 	   time it will have been created and available. */
5390 
5391 	/* We don't need to take any sort of lock here as we are the only
5392 	 * thread with access to newsksec */
5393 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5394 }
5395 
5396 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5397 {
5398 	u16 family = sk->sk_family;
5399 	struct sk_security_struct *sksec = sk->sk_security;
5400 
5401 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5402 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5403 		family = PF_INET;
5404 
5405 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5406 }
5407 
5408 static int selinux_secmark_relabel_packet(u32 sid)
5409 {
5410 	const struct task_security_struct *__tsec;
5411 	u32 tsid;
5412 
5413 	__tsec = selinux_cred(current_cred());
5414 	tsid = __tsec->sid;
5415 
5416 	return avc_has_perm(&selinux_state,
5417 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5418 			    NULL);
5419 }
5420 
5421 static void selinux_secmark_refcount_inc(void)
5422 {
5423 	atomic_inc(&selinux_secmark_refcount);
5424 }
5425 
5426 static void selinux_secmark_refcount_dec(void)
5427 {
5428 	atomic_dec(&selinux_secmark_refcount);
5429 }
5430 
5431 static void selinux_req_classify_flow(const struct request_sock *req,
5432 				      struct flowi *fl)
5433 {
5434 	fl->flowi_secid = req->secid;
5435 }
5436 
5437 static int selinux_tun_dev_alloc_security(void **security)
5438 {
5439 	struct tun_security_struct *tunsec;
5440 
5441 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5442 	if (!tunsec)
5443 		return -ENOMEM;
5444 	tunsec->sid = current_sid();
5445 
5446 	*security = tunsec;
5447 	return 0;
5448 }
5449 
5450 static void selinux_tun_dev_free_security(void *security)
5451 {
5452 	kfree(security);
5453 }
5454 
5455 static int selinux_tun_dev_create(void)
5456 {
5457 	u32 sid = current_sid();
5458 
5459 	/* we aren't taking into account the "sockcreate" SID since the socket
5460 	 * that is being created here is not a socket in the traditional sense,
5461 	 * instead it is a private sock, accessible only to the kernel, and
5462 	 * representing a wide range of network traffic spanning multiple
5463 	 * connections unlike traditional sockets - check the TUN driver to
5464 	 * get a better understanding of why this socket is special */
5465 
5466 	return avc_has_perm(&selinux_state,
5467 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5468 			    NULL);
5469 }
5470 
5471 static int selinux_tun_dev_attach_queue(void *security)
5472 {
5473 	struct tun_security_struct *tunsec = security;
5474 
5475 	return avc_has_perm(&selinux_state,
5476 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5477 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5478 }
5479 
5480 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5481 {
5482 	struct tun_security_struct *tunsec = security;
5483 	struct sk_security_struct *sksec = sk->sk_security;
5484 
5485 	/* we don't currently perform any NetLabel based labeling here and it
5486 	 * isn't clear that we would want to do so anyway; while we could apply
5487 	 * labeling without the support of the TUN user the resulting labeled
5488 	 * traffic from the other end of the connection would almost certainly
5489 	 * cause confusion to the TUN user that had no idea network labeling
5490 	 * protocols were being used */
5491 
5492 	sksec->sid = tunsec->sid;
5493 	sksec->sclass = SECCLASS_TUN_SOCKET;
5494 
5495 	return 0;
5496 }
5497 
5498 static int selinux_tun_dev_open(void *security)
5499 {
5500 	struct tun_security_struct *tunsec = security;
5501 	u32 sid = current_sid();
5502 	int err;
5503 
5504 	err = avc_has_perm(&selinux_state,
5505 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5506 			   TUN_SOCKET__RELABELFROM, NULL);
5507 	if (err)
5508 		return err;
5509 	err = avc_has_perm(&selinux_state,
5510 			   sid, sid, SECCLASS_TUN_SOCKET,
5511 			   TUN_SOCKET__RELABELTO, NULL);
5512 	if (err)
5513 		return err;
5514 	tunsec->sid = sid;
5515 
5516 	return 0;
5517 }
5518 
5519 #ifdef CONFIG_NETFILTER
5520 
5521 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5522 				       const struct net_device *indev,
5523 				       u16 family)
5524 {
5525 	int err;
5526 	char *addrp;
5527 	u32 peer_sid;
5528 	struct common_audit_data ad;
5529 	struct lsm_network_audit net = {0,};
5530 	u8 secmark_active;
5531 	u8 netlbl_active;
5532 	u8 peerlbl_active;
5533 
5534 	if (!selinux_policycap_netpeer())
5535 		return NF_ACCEPT;
5536 
5537 	secmark_active = selinux_secmark_enabled();
5538 	netlbl_active = netlbl_enabled();
5539 	peerlbl_active = selinux_peerlbl_enabled();
5540 	if (!secmark_active && !peerlbl_active)
5541 		return NF_ACCEPT;
5542 
5543 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5544 		return NF_DROP;
5545 
5546 	ad.type = LSM_AUDIT_DATA_NET;
5547 	ad.u.net = &net;
5548 	ad.u.net->netif = indev->ifindex;
5549 	ad.u.net->family = family;
5550 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5551 		return NF_DROP;
5552 
5553 	if (peerlbl_active) {
5554 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5555 					       addrp, family, peer_sid, &ad);
5556 		if (err) {
5557 			selinux_netlbl_err(skb, family, err, 1);
5558 			return NF_DROP;
5559 		}
5560 	}
5561 
5562 	if (secmark_active)
5563 		if (avc_has_perm(&selinux_state,
5564 				 peer_sid, skb->secmark,
5565 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5566 			return NF_DROP;
5567 
5568 	if (netlbl_active)
5569 		/* we do this in the FORWARD path and not the POST_ROUTING
5570 		 * path because we want to make sure we apply the necessary
5571 		 * labeling before IPsec is applied so we can leverage AH
5572 		 * protection */
5573 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5574 			return NF_DROP;
5575 
5576 	return NF_ACCEPT;
5577 }
5578 
5579 static unsigned int selinux_ipv4_forward(void *priv,
5580 					 struct sk_buff *skb,
5581 					 const struct nf_hook_state *state)
5582 {
5583 	return selinux_ip_forward(skb, state->in, PF_INET);
5584 }
5585 
5586 #if IS_ENABLED(CONFIG_IPV6)
5587 static unsigned int selinux_ipv6_forward(void *priv,
5588 					 struct sk_buff *skb,
5589 					 const struct nf_hook_state *state)
5590 {
5591 	return selinux_ip_forward(skb, state->in, PF_INET6);
5592 }
5593 #endif	/* IPV6 */
5594 
5595 static unsigned int selinux_ip_output(struct sk_buff *skb,
5596 				      u16 family)
5597 {
5598 	struct sock *sk;
5599 	u32 sid;
5600 
5601 	if (!netlbl_enabled())
5602 		return NF_ACCEPT;
5603 
5604 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5605 	 * because we want to make sure we apply the necessary labeling
5606 	 * before IPsec is applied so we can leverage AH protection */
5607 	sk = skb->sk;
5608 	if (sk) {
5609 		struct sk_security_struct *sksec;
5610 
5611 		if (sk_listener(sk))
5612 			/* if the socket is the listening state then this
5613 			 * packet is a SYN-ACK packet which means it needs to
5614 			 * be labeled based on the connection/request_sock and
5615 			 * not the parent socket.  unfortunately, we can't
5616 			 * lookup the request_sock yet as it isn't queued on
5617 			 * the parent socket until after the SYN-ACK is sent.
5618 			 * the "solution" is to simply pass the packet as-is
5619 			 * as any IP option based labeling should be copied
5620 			 * from the initial connection request (in the IP
5621 			 * layer).  it is far from ideal, but until we get a
5622 			 * security label in the packet itself this is the
5623 			 * best we can do. */
5624 			return NF_ACCEPT;
5625 
5626 		/* standard practice, label using the parent socket */
5627 		sksec = sk->sk_security;
5628 		sid = sksec->sid;
5629 	} else
5630 		sid = SECINITSID_KERNEL;
5631 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5632 		return NF_DROP;
5633 
5634 	return NF_ACCEPT;
5635 }
5636 
5637 static unsigned int selinux_ipv4_output(void *priv,
5638 					struct sk_buff *skb,
5639 					const struct nf_hook_state *state)
5640 {
5641 	return selinux_ip_output(skb, PF_INET);
5642 }
5643 
5644 #if IS_ENABLED(CONFIG_IPV6)
5645 static unsigned int selinux_ipv6_output(void *priv,
5646 					struct sk_buff *skb,
5647 					const struct nf_hook_state *state)
5648 {
5649 	return selinux_ip_output(skb, PF_INET6);
5650 }
5651 #endif	/* IPV6 */
5652 
5653 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5654 						int ifindex,
5655 						u16 family)
5656 {
5657 	struct sock *sk = skb_to_full_sk(skb);
5658 	struct sk_security_struct *sksec;
5659 	struct common_audit_data ad;
5660 	struct lsm_network_audit net = {0,};
5661 	char *addrp;
5662 	u8 proto;
5663 
5664 	if (sk == NULL)
5665 		return NF_ACCEPT;
5666 	sksec = sk->sk_security;
5667 
5668 	ad.type = LSM_AUDIT_DATA_NET;
5669 	ad.u.net = &net;
5670 	ad.u.net->netif = ifindex;
5671 	ad.u.net->family = family;
5672 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5673 		return NF_DROP;
5674 
5675 	if (selinux_secmark_enabled())
5676 		if (avc_has_perm(&selinux_state,
5677 				 sksec->sid, skb->secmark,
5678 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5679 			return NF_DROP_ERR(-ECONNREFUSED);
5680 
5681 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5682 		return NF_DROP_ERR(-ECONNREFUSED);
5683 
5684 	return NF_ACCEPT;
5685 }
5686 
5687 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5688 					 const struct net_device *outdev,
5689 					 u16 family)
5690 {
5691 	u32 secmark_perm;
5692 	u32 peer_sid;
5693 	int ifindex = outdev->ifindex;
5694 	struct sock *sk;
5695 	struct common_audit_data ad;
5696 	struct lsm_network_audit net = {0,};
5697 	char *addrp;
5698 	u8 secmark_active;
5699 	u8 peerlbl_active;
5700 
5701 	/* If any sort of compatibility mode is enabled then handoff processing
5702 	 * to the selinux_ip_postroute_compat() function to deal with the
5703 	 * special handling.  We do this in an attempt to keep this function
5704 	 * as fast and as clean as possible. */
5705 	if (!selinux_policycap_netpeer())
5706 		return selinux_ip_postroute_compat(skb, ifindex, family);
5707 
5708 	secmark_active = selinux_secmark_enabled();
5709 	peerlbl_active = selinux_peerlbl_enabled();
5710 	if (!secmark_active && !peerlbl_active)
5711 		return NF_ACCEPT;
5712 
5713 	sk = skb_to_full_sk(skb);
5714 
5715 #ifdef CONFIG_XFRM
5716 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5717 	 * packet transformation so allow the packet to pass without any checks
5718 	 * since we'll have another chance to perform access control checks
5719 	 * when the packet is on it's final way out.
5720 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5721 	 *       is NULL, in this case go ahead and apply access control.
5722 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5723 	 *       TCP listening state we cannot wait until the XFRM processing
5724 	 *       is done as we will miss out on the SA label if we do;
5725 	 *       unfortunately, this means more work, but it is only once per
5726 	 *       connection. */
5727 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5728 	    !(sk && sk_listener(sk)))
5729 		return NF_ACCEPT;
5730 #endif
5731 
5732 	if (sk == NULL) {
5733 		/* Without an associated socket the packet is either coming
5734 		 * from the kernel or it is being forwarded; check the packet
5735 		 * to determine which and if the packet is being forwarded
5736 		 * query the packet directly to determine the security label. */
5737 		if (skb->skb_iif) {
5738 			secmark_perm = PACKET__FORWARD_OUT;
5739 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5740 				return NF_DROP;
5741 		} else {
5742 			secmark_perm = PACKET__SEND;
5743 			peer_sid = SECINITSID_KERNEL;
5744 		}
5745 	} else if (sk_listener(sk)) {
5746 		/* Locally generated packet but the associated socket is in the
5747 		 * listening state which means this is a SYN-ACK packet.  In
5748 		 * this particular case the correct security label is assigned
5749 		 * to the connection/request_sock but unfortunately we can't
5750 		 * query the request_sock as it isn't queued on the parent
5751 		 * socket until after the SYN-ACK packet is sent; the only
5752 		 * viable choice is to regenerate the label like we do in
5753 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5754 		 * for similar problems. */
5755 		u32 skb_sid;
5756 		struct sk_security_struct *sksec;
5757 
5758 		sksec = sk->sk_security;
5759 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5760 			return NF_DROP;
5761 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5762 		 * and the packet has been through at least one XFRM
5763 		 * transformation then we must be dealing with the "final"
5764 		 * form of labeled IPsec packet; since we've already applied
5765 		 * all of our access controls on this packet we can safely
5766 		 * pass the packet. */
5767 		if (skb_sid == SECSID_NULL) {
5768 			switch (family) {
5769 			case PF_INET:
5770 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5771 					return NF_ACCEPT;
5772 				break;
5773 			case PF_INET6:
5774 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5775 					return NF_ACCEPT;
5776 				break;
5777 			default:
5778 				return NF_DROP_ERR(-ECONNREFUSED);
5779 			}
5780 		}
5781 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5782 			return NF_DROP;
5783 		secmark_perm = PACKET__SEND;
5784 	} else {
5785 		/* Locally generated packet, fetch the security label from the
5786 		 * associated socket. */
5787 		struct sk_security_struct *sksec = sk->sk_security;
5788 		peer_sid = sksec->sid;
5789 		secmark_perm = PACKET__SEND;
5790 	}
5791 
5792 	ad.type = LSM_AUDIT_DATA_NET;
5793 	ad.u.net = &net;
5794 	ad.u.net->netif = ifindex;
5795 	ad.u.net->family = family;
5796 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5797 		return NF_DROP;
5798 
5799 	if (secmark_active)
5800 		if (avc_has_perm(&selinux_state,
5801 				 peer_sid, skb->secmark,
5802 				 SECCLASS_PACKET, secmark_perm, &ad))
5803 			return NF_DROP_ERR(-ECONNREFUSED);
5804 
5805 	if (peerlbl_active) {
5806 		u32 if_sid;
5807 		u32 node_sid;
5808 
5809 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5810 			return NF_DROP;
5811 		if (avc_has_perm(&selinux_state,
5812 				 peer_sid, if_sid,
5813 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5814 			return NF_DROP_ERR(-ECONNREFUSED);
5815 
5816 		if (sel_netnode_sid(addrp, family, &node_sid))
5817 			return NF_DROP;
5818 		if (avc_has_perm(&selinux_state,
5819 				 peer_sid, node_sid,
5820 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5821 			return NF_DROP_ERR(-ECONNREFUSED);
5822 	}
5823 
5824 	return NF_ACCEPT;
5825 }
5826 
5827 static unsigned int selinux_ipv4_postroute(void *priv,
5828 					   struct sk_buff *skb,
5829 					   const struct nf_hook_state *state)
5830 {
5831 	return selinux_ip_postroute(skb, state->out, PF_INET);
5832 }
5833 
5834 #if IS_ENABLED(CONFIG_IPV6)
5835 static unsigned int selinux_ipv6_postroute(void *priv,
5836 					   struct sk_buff *skb,
5837 					   const struct nf_hook_state *state)
5838 {
5839 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5840 }
5841 #endif	/* IPV6 */
5842 
5843 #endif	/* CONFIG_NETFILTER */
5844 
5845 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5846 {
5847 	int rc = 0;
5848 	unsigned int msg_len;
5849 	unsigned int data_len = skb->len;
5850 	unsigned char *data = skb->data;
5851 	struct nlmsghdr *nlh;
5852 	struct sk_security_struct *sksec = sk->sk_security;
5853 	u16 sclass = sksec->sclass;
5854 	u32 perm;
5855 
5856 	while (data_len >= nlmsg_total_size(0)) {
5857 		nlh = (struct nlmsghdr *)data;
5858 
5859 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5860 		 *       users which means we can't reject skb's with bogus
5861 		 *       length fields; our solution is to follow what
5862 		 *       netlink_rcv_skb() does and simply skip processing at
5863 		 *       messages with length fields that are clearly junk
5864 		 */
5865 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5866 			return 0;
5867 
5868 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5869 		if (rc == 0) {
5870 			rc = sock_has_perm(sk, perm);
5871 			if (rc)
5872 				return rc;
5873 		} else if (rc == -EINVAL) {
5874 			/* -EINVAL is a missing msg/perm mapping */
5875 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5876 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5877 				" pid=%d comm=%s\n",
5878 				sk->sk_protocol, nlh->nlmsg_type,
5879 				secclass_map[sclass - 1].name,
5880 				task_pid_nr(current), current->comm);
5881 			if (enforcing_enabled(&selinux_state) &&
5882 			    !security_get_allow_unknown(&selinux_state))
5883 				return rc;
5884 			rc = 0;
5885 		} else if (rc == -ENOENT) {
5886 			/* -ENOENT is a missing socket/class mapping, ignore */
5887 			rc = 0;
5888 		} else {
5889 			return rc;
5890 		}
5891 
5892 		/* move to the next message after applying netlink padding */
5893 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5894 		if (msg_len >= data_len)
5895 			return 0;
5896 		data_len -= msg_len;
5897 		data += msg_len;
5898 	}
5899 
5900 	return rc;
5901 }
5902 
5903 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5904 {
5905 	isec->sclass = sclass;
5906 	isec->sid = current_sid();
5907 }
5908 
5909 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5910 			u32 perms)
5911 {
5912 	struct ipc_security_struct *isec;
5913 	struct common_audit_data ad;
5914 	u32 sid = current_sid();
5915 
5916 	isec = selinux_ipc(ipc_perms);
5917 
5918 	ad.type = LSM_AUDIT_DATA_IPC;
5919 	ad.u.ipc_id = ipc_perms->key;
5920 
5921 	return avc_has_perm(&selinux_state,
5922 			    sid, isec->sid, isec->sclass, perms, &ad);
5923 }
5924 
5925 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5926 {
5927 	struct msg_security_struct *msec;
5928 
5929 	msec = selinux_msg_msg(msg);
5930 	msec->sid = SECINITSID_UNLABELED;
5931 
5932 	return 0;
5933 }
5934 
5935 /* message queue security operations */
5936 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5937 {
5938 	struct ipc_security_struct *isec;
5939 	struct common_audit_data ad;
5940 	u32 sid = current_sid();
5941 	int rc;
5942 
5943 	isec = selinux_ipc(msq);
5944 	ipc_init_security(isec, SECCLASS_MSGQ);
5945 
5946 	ad.type = LSM_AUDIT_DATA_IPC;
5947 	ad.u.ipc_id = msq->key;
5948 
5949 	rc = avc_has_perm(&selinux_state,
5950 			  sid, isec->sid, SECCLASS_MSGQ,
5951 			  MSGQ__CREATE, &ad);
5952 	return rc;
5953 }
5954 
5955 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5956 {
5957 	struct ipc_security_struct *isec;
5958 	struct common_audit_data ad;
5959 	u32 sid = current_sid();
5960 
5961 	isec = selinux_ipc(msq);
5962 
5963 	ad.type = LSM_AUDIT_DATA_IPC;
5964 	ad.u.ipc_id = msq->key;
5965 
5966 	return avc_has_perm(&selinux_state,
5967 			    sid, isec->sid, SECCLASS_MSGQ,
5968 			    MSGQ__ASSOCIATE, &ad);
5969 }
5970 
5971 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5972 {
5973 	int err;
5974 	int perms;
5975 
5976 	switch (cmd) {
5977 	case IPC_INFO:
5978 	case MSG_INFO:
5979 		/* No specific object, just general system-wide information. */
5980 		return avc_has_perm(&selinux_state,
5981 				    current_sid(), SECINITSID_KERNEL,
5982 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5983 	case IPC_STAT:
5984 	case MSG_STAT:
5985 	case MSG_STAT_ANY:
5986 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5987 		break;
5988 	case IPC_SET:
5989 		perms = MSGQ__SETATTR;
5990 		break;
5991 	case IPC_RMID:
5992 		perms = MSGQ__DESTROY;
5993 		break;
5994 	default:
5995 		return 0;
5996 	}
5997 
5998 	err = ipc_has_perm(msq, perms);
5999 	return err;
6000 }
6001 
6002 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6003 {
6004 	struct ipc_security_struct *isec;
6005 	struct msg_security_struct *msec;
6006 	struct common_audit_data ad;
6007 	u32 sid = current_sid();
6008 	int rc;
6009 
6010 	isec = selinux_ipc(msq);
6011 	msec = selinux_msg_msg(msg);
6012 
6013 	/*
6014 	 * First time through, need to assign label to the message
6015 	 */
6016 	if (msec->sid == SECINITSID_UNLABELED) {
6017 		/*
6018 		 * Compute new sid based on current process and
6019 		 * message queue this message will be stored in
6020 		 */
6021 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6022 					     SECCLASS_MSG, NULL, &msec->sid);
6023 		if (rc)
6024 			return rc;
6025 	}
6026 
6027 	ad.type = LSM_AUDIT_DATA_IPC;
6028 	ad.u.ipc_id = msq->key;
6029 
6030 	/* Can this process write to the queue? */
6031 	rc = avc_has_perm(&selinux_state,
6032 			  sid, isec->sid, SECCLASS_MSGQ,
6033 			  MSGQ__WRITE, &ad);
6034 	if (!rc)
6035 		/* Can this process send the message */
6036 		rc = avc_has_perm(&selinux_state,
6037 				  sid, msec->sid, SECCLASS_MSG,
6038 				  MSG__SEND, &ad);
6039 	if (!rc)
6040 		/* Can the message be put in the queue? */
6041 		rc = avc_has_perm(&selinux_state,
6042 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6043 				  MSGQ__ENQUEUE, &ad);
6044 
6045 	return rc;
6046 }
6047 
6048 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6049 				    struct task_struct *target,
6050 				    long type, int mode)
6051 {
6052 	struct ipc_security_struct *isec;
6053 	struct msg_security_struct *msec;
6054 	struct common_audit_data ad;
6055 	u32 sid = task_sid(target);
6056 	int rc;
6057 
6058 	isec = selinux_ipc(msq);
6059 	msec = selinux_msg_msg(msg);
6060 
6061 	ad.type = LSM_AUDIT_DATA_IPC;
6062 	ad.u.ipc_id = msq->key;
6063 
6064 	rc = avc_has_perm(&selinux_state,
6065 			  sid, isec->sid,
6066 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6067 	if (!rc)
6068 		rc = avc_has_perm(&selinux_state,
6069 				  sid, msec->sid,
6070 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6071 	return rc;
6072 }
6073 
6074 /* Shared Memory security operations */
6075 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6076 {
6077 	struct ipc_security_struct *isec;
6078 	struct common_audit_data ad;
6079 	u32 sid = current_sid();
6080 	int rc;
6081 
6082 	isec = selinux_ipc(shp);
6083 	ipc_init_security(isec, SECCLASS_SHM);
6084 
6085 	ad.type = LSM_AUDIT_DATA_IPC;
6086 	ad.u.ipc_id = shp->key;
6087 
6088 	rc = avc_has_perm(&selinux_state,
6089 			  sid, isec->sid, SECCLASS_SHM,
6090 			  SHM__CREATE, &ad);
6091 	return rc;
6092 }
6093 
6094 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6095 {
6096 	struct ipc_security_struct *isec;
6097 	struct common_audit_data ad;
6098 	u32 sid = current_sid();
6099 
6100 	isec = selinux_ipc(shp);
6101 
6102 	ad.type = LSM_AUDIT_DATA_IPC;
6103 	ad.u.ipc_id = shp->key;
6104 
6105 	return avc_has_perm(&selinux_state,
6106 			    sid, isec->sid, SECCLASS_SHM,
6107 			    SHM__ASSOCIATE, &ad);
6108 }
6109 
6110 /* Note, at this point, shp is locked down */
6111 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6112 {
6113 	int perms;
6114 	int err;
6115 
6116 	switch (cmd) {
6117 	case IPC_INFO:
6118 	case SHM_INFO:
6119 		/* No specific object, just general system-wide information. */
6120 		return avc_has_perm(&selinux_state,
6121 				    current_sid(), SECINITSID_KERNEL,
6122 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6123 	case IPC_STAT:
6124 	case SHM_STAT:
6125 	case SHM_STAT_ANY:
6126 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6127 		break;
6128 	case IPC_SET:
6129 		perms = SHM__SETATTR;
6130 		break;
6131 	case SHM_LOCK:
6132 	case SHM_UNLOCK:
6133 		perms = SHM__LOCK;
6134 		break;
6135 	case IPC_RMID:
6136 		perms = SHM__DESTROY;
6137 		break;
6138 	default:
6139 		return 0;
6140 	}
6141 
6142 	err = ipc_has_perm(shp, perms);
6143 	return err;
6144 }
6145 
6146 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6147 			     char __user *shmaddr, int shmflg)
6148 {
6149 	u32 perms;
6150 
6151 	if (shmflg & SHM_RDONLY)
6152 		perms = SHM__READ;
6153 	else
6154 		perms = SHM__READ | SHM__WRITE;
6155 
6156 	return ipc_has_perm(shp, perms);
6157 }
6158 
6159 /* Semaphore security operations */
6160 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6161 {
6162 	struct ipc_security_struct *isec;
6163 	struct common_audit_data ad;
6164 	u32 sid = current_sid();
6165 	int rc;
6166 
6167 	isec = selinux_ipc(sma);
6168 	ipc_init_security(isec, SECCLASS_SEM);
6169 
6170 	ad.type = LSM_AUDIT_DATA_IPC;
6171 	ad.u.ipc_id = sma->key;
6172 
6173 	rc = avc_has_perm(&selinux_state,
6174 			  sid, isec->sid, SECCLASS_SEM,
6175 			  SEM__CREATE, &ad);
6176 	return rc;
6177 }
6178 
6179 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6180 {
6181 	struct ipc_security_struct *isec;
6182 	struct common_audit_data ad;
6183 	u32 sid = current_sid();
6184 
6185 	isec = selinux_ipc(sma);
6186 
6187 	ad.type = LSM_AUDIT_DATA_IPC;
6188 	ad.u.ipc_id = sma->key;
6189 
6190 	return avc_has_perm(&selinux_state,
6191 			    sid, isec->sid, SECCLASS_SEM,
6192 			    SEM__ASSOCIATE, &ad);
6193 }
6194 
6195 /* Note, at this point, sma is locked down */
6196 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6197 {
6198 	int err;
6199 	u32 perms;
6200 
6201 	switch (cmd) {
6202 	case IPC_INFO:
6203 	case SEM_INFO:
6204 		/* No specific object, just general system-wide information. */
6205 		return avc_has_perm(&selinux_state,
6206 				    current_sid(), SECINITSID_KERNEL,
6207 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6208 	case GETPID:
6209 	case GETNCNT:
6210 	case GETZCNT:
6211 		perms = SEM__GETATTR;
6212 		break;
6213 	case GETVAL:
6214 	case GETALL:
6215 		perms = SEM__READ;
6216 		break;
6217 	case SETVAL:
6218 	case SETALL:
6219 		perms = SEM__WRITE;
6220 		break;
6221 	case IPC_RMID:
6222 		perms = SEM__DESTROY;
6223 		break;
6224 	case IPC_SET:
6225 		perms = SEM__SETATTR;
6226 		break;
6227 	case IPC_STAT:
6228 	case SEM_STAT:
6229 	case SEM_STAT_ANY:
6230 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6231 		break;
6232 	default:
6233 		return 0;
6234 	}
6235 
6236 	err = ipc_has_perm(sma, perms);
6237 	return err;
6238 }
6239 
6240 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6241 			     struct sembuf *sops, unsigned nsops, int alter)
6242 {
6243 	u32 perms;
6244 
6245 	if (alter)
6246 		perms = SEM__READ | SEM__WRITE;
6247 	else
6248 		perms = SEM__READ;
6249 
6250 	return ipc_has_perm(sma, perms);
6251 }
6252 
6253 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6254 {
6255 	u32 av = 0;
6256 
6257 	av = 0;
6258 	if (flag & S_IRUGO)
6259 		av |= IPC__UNIX_READ;
6260 	if (flag & S_IWUGO)
6261 		av |= IPC__UNIX_WRITE;
6262 
6263 	if (av == 0)
6264 		return 0;
6265 
6266 	return ipc_has_perm(ipcp, av);
6267 }
6268 
6269 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6270 {
6271 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6272 	*secid = isec->sid;
6273 }
6274 
6275 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6276 {
6277 	if (inode)
6278 		inode_doinit_with_dentry(inode, dentry);
6279 }
6280 
6281 static int selinux_getprocattr(struct task_struct *p,
6282 			       char *name, char **value)
6283 {
6284 	const struct task_security_struct *__tsec;
6285 	u32 sid;
6286 	int error;
6287 	unsigned len;
6288 
6289 	rcu_read_lock();
6290 	__tsec = selinux_cred(__task_cred(p));
6291 
6292 	if (current != p) {
6293 		error = avc_has_perm(&selinux_state,
6294 				     current_sid(), __tsec->sid,
6295 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6296 		if (error)
6297 			goto bad;
6298 	}
6299 
6300 	if (!strcmp(name, "current"))
6301 		sid = __tsec->sid;
6302 	else if (!strcmp(name, "prev"))
6303 		sid = __tsec->osid;
6304 	else if (!strcmp(name, "exec"))
6305 		sid = __tsec->exec_sid;
6306 	else if (!strcmp(name, "fscreate"))
6307 		sid = __tsec->create_sid;
6308 	else if (!strcmp(name, "keycreate"))
6309 		sid = __tsec->keycreate_sid;
6310 	else if (!strcmp(name, "sockcreate"))
6311 		sid = __tsec->sockcreate_sid;
6312 	else {
6313 		error = -EINVAL;
6314 		goto bad;
6315 	}
6316 	rcu_read_unlock();
6317 
6318 	if (!sid)
6319 		return 0;
6320 
6321 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6322 	if (error)
6323 		return error;
6324 	return len;
6325 
6326 bad:
6327 	rcu_read_unlock();
6328 	return error;
6329 }
6330 
6331 static int selinux_setprocattr(const char *name, void *value, size_t size)
6332 {
6333 	struct task_security_struct *tsec;
6334 	struct cred *new;
6335 	u32 mysid = current_sid(), sid = 0, ptsid;
6336 	int error;
6337 	char *str = value;
6338 
6339 	/*
6340 	 * Basic control over ability to set these attributes at all.
6341 	 */
6342 	if (!strcmp(name, "exec"))
6343 		error = avc_has_perm(&selinux_state,
6344 				     mysid, mysid, SECCLASS_PROCESS,
6345 				     PROCESS__SETEXEC, NULL);
6346 	else if (!strcmp(name, "fscreate"))
6347 		error = avc_has_perm(&selinux_state,
6348 				     mysid, mysid, SECCLASS_PROCESS,
6349 				     PROCESS__SETFSCREATE, NULL);
6350 	else if (!strcmp(name, "keycreate"))
6351 		error = avc_has_perm(&selinux_state,
6352 				     mysid, mysid, SECCLASS_PROCESS,
6353 				     PROCESS__SETKEYCREATE, NULL);
6354 	else if (!strcmp(name, "sockcreate"))
6355 		error = avc_has_perm(&selinux_state,
6356 				     mysid, mysid, SECCLASS_PROCESS,
6357 				     PROCESS__SETSOCKCREATE, NULL);
6358 	else if (!strcmp(name, "current"))
6359 		error = avc_has_perm(&selinux_state,
6360 				     mysid, mysid, SECCLASS_PROCESS,
6361 				     PROCESS__SETCURRENT, NULL);
6362 	else
6363 		error = -EINVAL;
6364 	if (error)
6365 		return error;
6366 
6367 	/* Obtain a SID for the context, if one was specified. */
6368 	if (size && str[0] && str[0] != '\n') {
6369 		if (str[size-1] == '\n') {
6370 			str[size-1] = 0;
6371 			size--;
6372 		}
6373 		error = security_context_to_sid(&selinux_state, value, size,
6374 						&sid, GFP_KERNEL);
6375 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6376 			if (!has_cap_mac_admin(true)) {
6377 				struct audit_buffer *ab;
6378 				size_t audit_size;
6379 
6380 				/* We strip a nul only if it is at the end, otherwise the
6381 				 * context contains a nul and we should audit that */
6382 				if (str[size - 1] == '\0')
6383 					audit_size = size - 1;
6384 				else
6385 					audit_size = size;
6386 				ab = audit_log_start(audit_context(),
6387 						     GFP_ATOMIC,
6388 						     AUDIT_SELINUX_ERR);
6389 				audit_log_format(ab, "op=fscreate invalid_context=");
6390 				audit_log_n_untrustedstring(ab, value, audit_size);
6391 				audit_log_end(ab);
6392 
6393 				return error;
6394 			}
6395 			error = security_context_to_sid_force(
6396 						      &selinux_state,
6397 						      value, size, &sid);
6398 		}
6399 		if (error)
6400 			return error;
6401 	}
6402 
6403 	new = prepare_creds();
6404 	if (!new)
6405 		return -ENOMEM;
6406 
6407 	/* Permission checking based on the specified context is
6408 	   performed during the actual operation (execve,
6409 	   open/mkdir/...), when we know the full context of the
6410 	   operation.  See selinux_bprm_creds_for_exec for the execve
6411 	   checks and may_create for the file creation checks. The
6412 	   operation will then fail if the context is not permitted. */
6413 	tsec = selinux_cred(new);
6414 	if (!strcmp(name, "exec")) {
6415 		tsec->exec_sid = sid;
6416 	} else if (!strcmp(name, "fscreate")) {
6417 		tsec->create_sid = sid;
6418 	} else if (!strcmp(name, "keycreate")) {
6419 		if (sid) {
6420 			error = avc_has_perm(&selinux_state, mysid, sid,
6421 					     SECCLASS_KEY, KEY__CREATE, NULL);
6422 			if (error)
6423 				goto abort_change;
6424 		}
6425 		tsec->keycreate_sid = sid;
6426 	} else if (!strcmp(name, "sockcreate")) {
6427 		tsec->sockcreate_sid = sid;
6428 	} else if (!strcmp(name, "current")) {
6429 		error = -EINVAL;
6430 		if (sid == 0)
6431 			goto abort_change;
6432 
6433 		/* Only allow single threaded processes to change context */
6434 		error = -EPERM;
6435 		if (!current_is_single_threaded()) {
6436 			error = security_bounded_transition(&selinux_state,
6437 							    tsec->sid, sid);
6438 			if (error)
6439 				goto abort_change;
6440 		}
6441 
6442 		/* Check permissions for the transition. */
6443 		error = avc_has_perm(&selinux_state,
6444 				     tsec->sid, sid, SECCLASS_PROCESS,
6445 				     PROCESS__DYNTRANSITION, NULL);
6446 		if (error)
6447 			goto abort_change;
6448 
6449 		/* Check for ptracing, and update the task SID if ok.
6450 		   Otherwise, leave SID unchanged and fail. */
6451 		ptsid = ptrace_parent_sid();
6452 		if (ptsid != 0) {
6453 			error = avc_has_perm(&selinux_state,
6454 					     ptsid, sid, SECCLASS_PROCESS,
6455 					     PROCESS__PTRACE, NULL);
6456 			if (error)
6457 				goto abort_change;
6458 		}
6459 
6460 		tsec->sid = sid;
6461 	} else {
6462 		error = -EINVAL;
6463 		goto abort_change;
6464 	}
6465 
6466 	commit_creds(new);
6467 	return size;
6468 
6469 abort_change:
6470 	abort_creds(new);
6471 	return error;
6472 }
6473 
6474 static int selinux_ismaclabel(const char *name)
6475 {
6476 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6477 }
6478 
6479 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6480 {
6481 	return security_sid_to_context(&selinux_state, secid,
6482 				       secdata, seclen);
6483 }
6484 
6485 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6486 {
6487 	return security_context_to_sid(&selinux_state, secdata, seclen,
6488 				       secid, GFP_KERNEL);
6489 }
6490 
6491 static void selinux_release_secctx(char *secdata, u32 seclen)
6492 {
6493 	kfree(secdata);
6494 }
6495 
6496 static void selinux_inode_invalidate_secctx(struct inode *inode)
6497 {
6498 	struct inode_security_struct *isec = selinux_inode(inode);
6499 
6500 	spin_lock(&isec->lock);
6501 	isec->initialized = LABEL_INVALID;
6502 	spin_unlock(&isec->lock);
6503 }
6504 
6505 /*
6506  *	called with inode->i_mutex locked
6507  */
6508 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6509 {
6510 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6511 					   ctx, ctxlen, 0);
6512 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6513 	return rc == -EOPNOTSUPP ? 0 : rc;
6514 }
6515 
6516 /*
6517  *	called with inode->i_mutex locked
6518  */
6519 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6520 {
6521 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6522 }
6523 
6524 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6525 {
6526 	int len = 0;
6527 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6528 						ctx, true);
6529 	if (len < 0)
6530 		return len;
6531 	*ctxlen = len;
6532 	return 0;
6533 }
6534 #ifdef CONFIG_KEYS
6535 
6536 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6537 			     unsigned long flags)
6538 {
6539 	const struct task_security_struct *tsec;
6540 	struct key_security_struct *ksec;
6541 
6542 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6543 	if (!ksec)
6544 		return -ENOMEM;
6545 
6546 	tsec = selinux_cred(cred);
6547 	if (tsec->keycreate_sid)
6548 		ksec->sid = tsec->keycreate_sid;
6549 	else
6550 		ksec->sid = tsec->sid;
6551 
6552 	k->security = ksec;
6553 	return 0;
6554 }
6555 
6556 static void selinux_key_free(struct key *k)
6557 {
6558 	struct key_security_struct *ksec = k->security;
6559 
6560 	k->security = NULL;
6561 	kfree(ksec);
6562 }
6563 
6564 static int selinux_key_permission(key_ref_t key_ref,
6565 				  const struct cred *cred,
6566 				  enum key_need_perm need_perm)
6567 {
6568 	struct key *key;
6569 	struct key_security_struct *ksec;
6570 	u32 perm, sid;
6571 
6572 	switch (need_perm) {
6573 	case KEY_NEED_VIEW:
6574 		perm = KEY__VIEW;
6575 		break;
6576 	case KEY_NEED_READ:
6577 		perm = KEY__READ;
6578 		break;
6579 	case KEY_NEED_WRITE:
6580 		perm = KEY__WRITE;
6581 		break;
6582 	case KEY_NEED_SEARCH:
6583 		perm = KEY__SEARCH;
6584 		break;
6585 	case KEY_NEED_LINK:
6586 		perm = KEY__LINK;
6587 		break;
6588 	case KEY_NEED_SETATTR:
6589 		perm = KEY__SETATTR;
6590 		break;
6591 	case KEY_NEED_UNLINK:
6592 	case KEY_SYSADMIN_OVERRIDE:
6593 	case KEY_AUTHTOKEN_OVERRIDE:
6594 	case KEY_DEFER_PERM_CHECK:
6595 		return 0;
6596 	default:
6597 		WARN_ON(1);
6598 		return -EPERM;
6599 
6600 	}
6601 
6602 	sid = cred_sid(cred);
6603 	key = key_ref_to_ptr(key_ref);
6604 	ksec = key->security;
6605 
6606 	return avc_has_perm(&selinux_state,
6607 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6608 }
6609 
6610 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6611 {
6612 	struct key_security_struct *ksec = key->security;
6613 	char *context = NULL;
6614 	unsigned len;
6615 	int rc;
6616 
6617 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6618 				     &context, &len);
6619 	if (!rc)
6620 		rc = len;
6621 	*_buffer = context;
6622 	return rc;
6623 }
6624 
6625 #ifdef CONFIG_KEY_NOTIFICATIONS
6626 static int selinux_watch_key(struct key *key)
6627 {
6628 	struct key_security_struct *ksec = key->security;
6629 	u32 sid = current_sid();
6630 
6631 	return avc_has_perm(&selinux_state,
6632 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6633 }
6634 #endif
6635 #endif
6636 
6637 #ifdef CONFIG_SECURITY_INFINIBAND
6638 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6639 {
6640 	struct common_audit_data ad;
6641 	int err;
6642 	u32 sid = 0;
6643 	struct ib_security_struct *sec = ib_sec;
6644 	struct lsm_ibpkey_audit ibpkey;
6645 
6646 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6647 	if (err)
6648 		return err;
6649 
6650 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6651 	ibpkey.subnet_prefix = subnet_prefix;
6652 	ibpkey.pkey = pkey_val;
6653 	ad.u.ibpkey = &ibpkey;
6654 	return avc_has_perm(&selinux_state,
6655 			    sec->sid, sid,
6656 			    SECCLASS_INFINIBAND_PKEY,
6657 			    INFINIBAND_PKEY__ACCESS, &ad);
6658 }
6659 
6660 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6661 					    u8 port_num)
6662 {
6663 	struct common_audit_data ad;
6664 	int err;
6665 	u32 sid = 0;
6666 	struct ib_security_struct *sec = ib_sec;
6667 	struct lsm_ibendport_audit ibendport;
6668 
6669 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6670 				      &sid);
6671 
6672 	if (err)
6673 		return err;
6674 
6675 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6676 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6677 	ibendport.port = port_num;
6678 	ad.u.ibendport = &ibendport;
6679 	return avc_has_perm(&selinux_state,
6680 			    sec->sid, sid,
6681 			    SECCLASS_INFINIBAND_ENDPORT,
6682 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6683 }
6684 
6685 static int selinux_ib_alloc_security(void **ib_sec)
6686 {
6687 	struct ib_security_struct *sec;
6688 
6689 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6690 	if (!sec)
6691 		return -ENOMEM;
6692 	sec->sid = current_sid();
6693 
6694 	*ib_sec = sec;
6695 	return 0;
6696 }
6697 
6698 static void selinux_ib_free_security(void *ib_sec)
6699 {
6700 	kfree(ib_sec);
6701 }
6702 #endif
6703 
6704 #ifdef CONFIG_BPF_SYSCALL
6705 static int selinux_bpf(int cmd, union bpf_attr *attr,
6706 				     unsigned int size)
6707 {
6708 	u32 sid = current_sid();
6709 	int ret;
6710 
6711 	switch (cmd) {
6712 	case BPF_MAP_CREATE:
6713 		ret = avc_has_perm(&selinux_state,
6714 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6715 				   NULL);
6716 		break;
6717 	case BPF_PROG_LOAD:
6718 		ret = avc_has_perm(&selinux_state,
6719 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6720 				   NULL);
6721 		break;
6722 	default:
6723 		ret = 0;
6724 		break;
6725 	}
6726 
6727 	return ret;
6728 }
6729 
6730 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6731 {
6732 	u32 av = 0;
6733 
6734 	if (fmode & FMODE_READ)
6735 		av |= BPF__MAP_READ;
6736 	if (fmode & FMODE_WRITE)
6737 		av |= BPF__MAP_WRITE;
6738 	return av;
6739 }
6740 
6741 /* This function will check the file pass through unix socket or binder to see
6742  * if it is a bpf related object. And apply correspinding checks on the bpf
6743  * object based on the type. The bpf maps and programs, not like other files and
6744  * socket, are using a shared anonymous inode inside the kernel as their inode.
6745  * So checking that inode cannot identify if the process have privilege to
6746  * access the bpf object and that's why we have to add this additional check in
6747  * selinux_file_receive and selinux_binder_transfer_files.
6748  */
6749 static int bpf_fd_pass(struct file *file, u32 sid)
6750 {
6751 	struct bpf_security_struct *bpfsec;
6752 	struct bpf_prog *prog;
6753 	struct bpf_map *map;
6754 	int ret;
6755 
6756 	if (file->f_op == &bpf_map_fops) {
6757 		map = file->private_data;
6758 		bpfsec = map->security;
6759 		ret = avc_has_perm(&selinux_state,
6760 				   sid, bpfsec->sid, SECCLASS_BPF,
6761 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6762 		if (ret)
6763 			return ret;
6764 	} else if (file->f_op == &bpf_prog_fops) {
6765 		prog = file->private_data;
6766 		bpfsec = prog->aux->security;
6767 		ret = avc_has_perm(&selinux_state,
6768 				   sid, bpfsec->sid, SECCLASS_BPF,
6769 				   BPF__PROG_RUN, NULL);
6770 		if (ret)
6771 			return ret;
6772 	}
6773 	return 0;
6774 }
6775 
6776 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6777 {
6778 	u32 sid = current_sid();
6779 	struct bpf_security_struct *bpfsec;
6780 
6781 	bpfsec = map->security;
6782 	return avc_has_perm(&selinux_state,
6783 			    sid, bpfsec->sid, SECCLASS_BPF,
6784 			    bpf_map_fmode_to_av(fmode), NULL);
6785 }
6786 
6787 static int selinux_bpf_prog(struct bpf_prog *prog)
6788 {
6789 	u32 sid = current_sid();
6790 	struct bpf_security_struct *bpfsec;
6791 
6792 	bpfsec = prog->aux->security;
6793 	return avc_has_perm(&selinux_state,
6794 			    sid, bpfsec->sid, SECCLASS_BPF,
6795 			    BPF__PROG_RUN, NULL);
6796 }
6797 
6798 static int selinux_bpf_map_alloc(struct bpf_map *map)
6799 {
6800 	struct bpf_security_struct *bpfsec;
6801 
6802 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6803 	if (!bpfsec)
6804 		return -ENOMEM;
6805 
6806 	bpfsec->sid = current_sid();
6807 	map->security = bpfsec;
6808 
6809 	return 0;
6810 }
6811 
6812 static void selinux_bpf_map_free(struct bpf_map *map)
6813 {
6814 	struct bpf_security_struct *bpfsec = map->security;
6815 
6816 	map->security = NULL;
6817 	kfree(bpfsec);
6818 }
6819 
6820 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6821 {
6822 	struct bpf_security_struct *bpfsec;
6823 
6824 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6825 	if (!bpfsec)
6826 		return -ENOMEM;
6827 
6828 	bpfsec->sid = current_sid();
6829 	aux->security = bpfsec;
6830 
6831 	return 0;
6832 }
6833 
6834 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6835 {
6836 	struct bpf_security_struct *bpfsec = aux->security;
6837 
6838 	aux->security = NULL;
6839 	kfree(bpfsec);
6840 }
6841 #endif
6842 
6843 static int selinux_lockdown(enum lockdown_reason what)
6844 {
6845 	struct common_audit_data ad;
6846 	u32 sid = current_sid();
6847 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
6848 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
6849 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6850 
6851 	if (WARN(invalid_reason, "Invalid lockdown reason")) {
6852 		audit_log(audit_context(),
6853 			  GFP_ATOMIC, AUDIT_SELINUX_ERR,
6854 			  "lockdown_reason=invalid");
6855 		return -EINVAL;
6856 	}
6857 
6858 	ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6859 	ad.u.reason = what;
6860 
6861 	if (what <= LOCKDOWN_INTEGRITY_MAX)
6862 		return avc_has_perm(&selinux_state,
6863 				    sid, sid, SECCLASS_LOCKDOWN,
6864 				    LOCKDOWN__INTEGRITY, &ad);
6865 	else
6866 		return avc_has_perm(&selinux_state,
6867 				    sid, sid, SECCLASS_LOCKDOWN,
6868 				    LOCKDOWN__CONFIDENTIALITY, &ad);
6869 }
6870 
6871 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6872 	.lbs_cred = sizeof(struct task_security_struct),
6873 	.lbs_file = sizeof(struct file_security_struct),
6874 	.lbs_inode = sizeof(struct inode_security_struct),
6875 	.lbs_ipc = sizeof(struct ipc_security_struct),
6876 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6877 };
6878 
6879 #ifdef CONFIG_PERF_EVENTS
6880 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6881 {
6882 	u32 requested, sid = current_sid();
6883 
6884 	if (type == PERF_SECURITY_OPEN)
6885 		requested = PERF_EVENT__OPEN;
6886 	else if (type == PERF_SECURITY_CPU)
6887 		requested = PERF_EVENT__CPU;
6888 	else if (type == PERF_SECURITY_KERNEL)
6889 		requested = PERF_EVENT__KERNEL;
6890 	else if (type == PERF_SECURITY_TRACEPOINT)
6891 		requested = PERF_EVENT__TRACEPOINT;
6892 	else
6893 		return -EINVAL;
6894 
6895 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6896 			    requested, NULL);
6897 }
6898 
6899 static int selinux_perf_event_alloc(struct perf_event *event)
6900 {
6901 	struct perf_event_security_struct *perfsec;
6902 
6903 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6904 	if (!perfsec)
6905 		return -ENOMEM;
6906 
6907 	perfsec->sid = current_sid();
6908 	event->security = perfsec;
6909 
6910 	return 0;
6911 }
6912 
6913 static void selinux_perf_event_free(struct perf_event *event)
6914 {
6915 	struct perf_event_security_struct *perfsec = event->security;
6916 
6917 	event->security = NULL;
6918 	kfree(perfsec);
6919 }
6920 
6921 static int selinux_perf_event_read(struct perf_event *event)
6922 {
6923 	struct perf_event_security_struct *perfsec = event->security;
6924 	u32 sid = current_sid();
6925 
6926 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6927 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6928 }
6929 
6930 static int selinux_perf_event_write(struct perf_event *event)
6931 {
6932 	struct perf_event_security_struct *perfsec = event->security;
6933 	u32 sid = current_sid();
6934 
6935 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6936 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6937 }
6938 #endif
6939 
6940 /*
6941  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6942  * 1. any hooks that don't belong to (2.) or (3.) below,
6943  * 2. hooks that both access structures allocated by other hooks, and allocate
6944  *    structures that can be later accessed by other hooks (mostly "cloning"
6945  *    hooks),
6946  * 3. hooks that only allocate structures that can be later accessed by other
6947  *    hooks ("allocating" hooks).
6948  *
6949  * Please follow block comment delimiters in the list to keep this order.
6950  *
6951  * This ordering is needed for SELinux runtime disable to work at least somewhat
6952  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6953  * when disabling SELinux at runtime.
6954  */
6955 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6956 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6957 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6958 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6959 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6960 
6961 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6962 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6963 	LSM_HOOK_INIT(capget, selinux_capget),
6964 	LSM_HOOK_INIT(capset, selinux_capset),
6965 	LSM_HOOK_INIT(capable, selinux_capable),
6966 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6967 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6968 	LSM_HOOK_INIT(syslog, selinux_syslog),
6969 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6970 
6971 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6972 
6973 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6974 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6975 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6976 
6977 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6978 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6979 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6980 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6981 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6982 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6983 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6984 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6985 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6986 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6987 
6988 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6989 
6990 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6991 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6992 
6993 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6994 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6995 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6996 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6997 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6998 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6999 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7000 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7001 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7002 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7003 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7004 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7005 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7006 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7007 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7008 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7009 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7010 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7011 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7012 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7013 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7014 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7015 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7016 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7017 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7018 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7019 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7020 
7021 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7022 
7023 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7024 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7025 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7026 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7027 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7028 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7029 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7030 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7031 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7032 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7033 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7034 
7035 	LSM_HOOK_INIT(file_open, selinux_file_open),
7036 
7037 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7038 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7039 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7040 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7041 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7042 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7043 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7044 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7045 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7046 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7047 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7048 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7049 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7050 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7051 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7052 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7053 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7054 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7055 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7056 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7057 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7058 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7059 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7060 
7061 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7062 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7063 
7064 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7065 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7066 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7067 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7068 
7069 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7070 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7071 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7072 
7073 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7074 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7075 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7076 
7077 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7078 
7079 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7080 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7081 
7082 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7083 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7084 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7085 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7086 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7087 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7088 
7089 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7090 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7091 
7092 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7093 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7094 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7095 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7096 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7097 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7098 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7099 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7100 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7101 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7102 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7103 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7104 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7105 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7106 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7107 	LSM_HOOK_INIT(socket_getpeersec_stream,
7108 			selinux_socket_getpeersec_stream),
7109 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7110 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7111 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7112 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7113 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7114 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7115 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7116 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7117 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7118 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7119 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7120 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7121 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7122 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7123 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7124 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7125 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7126 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7127 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7128 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7129 #ifdef CONFIG_SECURITY_INFINIBAND
7130 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7131 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7132 		      selinux_ib_endport_manage_subnet),
7133 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7134 #endif
7135 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7136 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7137 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7138 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7139 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7140 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7141 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7142 			selinux_xfrm_state_pol_flow_match),
7143 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7144 #endif
7145 
7146 #ifdef CONFIG_KEYS
7147 	LSM_HOOK_INIT(key_free, selinux_key_free),
7148 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7149 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7150 #ifdef CONFIG_KEY_NOTIFICATIONS
7151 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7152 #endif
7153 #endif
7154 
7155 #ifdef CONFIG_AUDIT
7156 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7157 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7158 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7159 #endif
7160 
7161 #ifdef CONFIG_BPF_SYSCALL
7162 	LSM_HOOK_INIT(bpf, selinux_bpf),
7163 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7164 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7165 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7166 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7167 #endif
7168 
7169 #ifdef CONFIG_PERF_EVENTS
7170 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7171 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7172 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7173 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7174 #endif
7175 
7176 	LSM_HOOK_INIT(locked_down, selinux_lockdown),
7177 
7178 	/*
7179 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7180 	 */
7181 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7182 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7183 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7184 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7185 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7186 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7187 #endif
7188 
7189 	/*
7190 	 * PUT "ALLOCATING" HOOKS HERE
7191 	 */
7192 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7193 	LSM_HOOK_INIT(msg_queue_alloc_security,
7194 		      selinux_msg_queue_alloc_security),
7195 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7196 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7197 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7198 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7199 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7200 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7201 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7202 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7203 #ifdef CONFIG_SECURITY_INFINIBAND
7204 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7205 #endif
7206 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7207 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7208 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7209 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7210 		      selinux_xfrm_state_alloc_acquire),
7211 #endif
7212 #ifdef CONFIG_KEYS
7213 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7214 #endif
7215 #ifdef CONFIG_AUDIT
7216 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7217 #endif
7218 #ifdef CONFIG_BPF_SYSCALL
7219 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7220 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7221 #endif
7222 #ifdef CONFIG_PERF_EVENTS
7223 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7224 #endif
7225 };
7226 
7227 static __init int selinux_init(void)
7228 {
7229 	pr_info("SELinux:  Initializing.\n");
7230 
7231 	memset(&selinux_state, 0, sizeof(selinux_state));
7232 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7233 	checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7234 	selinux_avc_init(&selinux_state.avc);
7235 	mutex_init(&selinux_state.status_lock);
7236 	mutex_init(&selinux_state.policy_mutex);
7237 
7238 	/* Set the security state for the initial task. */
7239 	cred_init_security();
7240 
7241 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7242 
7243 	avc_init();
7244 
7245 	avtab_cache_init();
7246 
7247 	ebitmap_cache_init();
7248 
7249 	hashtab_cache_init();
7250 
7251 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7252 
7253 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7254 		panic("SELinux: Unable to register AVC netcache callback\n");
7255 
7256 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7257 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7258 
7259 	if (selinux_enforcing_boot)
7260 		pr_debug("SELinux:  Starting in enforcing mode\n");
7261 	else
7262 		pr_debug("SELinux:  Starting in permissive mode\n");
7263 
7264 	fs_validate_description("selinux", selinux_fs_parameters);
7265 
7266 	return 0;
7267 }
7268 
7269 static void delayed_superblock_init(struct super_block *sb, void *unused)
7270 {
7271 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7272 }
7273 
7274 void selinux_complete_init(void)
7275 {
7276 	pr_debug("SELinux:  Completing initialization.\n");
7277 
7278 	/* Set up any superblocks initialized prior to the policy load. */
7279 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7280 	iterate_supers(delayed_superblock_init, NULL);
7281 }
7282 
7283 /* SELinux requires early initialization in order to label
7284    all processes and objects when they are created. */
7285 DEFINE_LSM(selinux) = {
7286 	.name = "selinux",
7287 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7288 	.enabled = &selinux_enabled_boot,
7289 	.blobs = &selinux_blob_sizes,
7290 	.init = selinux_init,
7291 };
7292 
7293 #if defined(CONFIG_NETFILTER)
7294 
7295 static const struct nf_hook_ops selinux_nf_ops[] = {
7296 	{
7297 		.hook =		selinux_ipv4_postroute,
7298 		.pf =		NFPROTO_IPV4,
7299 		.hooknum =	NF_INET_POST_ROUTING,
7300 		.priority =	NF_IP_PRI_SELINUX_LAST,
7301 	},
7302 	{
7303 		.hook =		selinux_ipv4_forward,
7304 		.pf =		NFPROTO_IPV4,
7305 		.hooknum =	NF_INET_FORWARD,
7306 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7307 	},
7308 	{
7309 		.hook =		selinux_ipv4_output,
7310 		.pf =		NFPROTO_IPV4,
7311 		.hooknum =	NF_INET_LOCAL_OUT,
7312 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7313 	},
7314 #if IS_ENABLED(CONFIG_IPV6)
7315 	{
7316 		.hook =		selinux_ipv6_postroute,
7317 		.pf =		NFPROTO_IPV6,
7318 		.hooknum =	NF_INET_POST_ROUTING,
7319 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7320 	},
7321 	{
7322 		.hook =		selinux_ipv6_forward,
7323 		.pf =		NFPROTO_IPV6,
7324 		.hooknum =	NF_INET_FORWARD,
7325 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7326 	},
7327 	{
7328 		.hook =		selinux_ipv6_output,
7329 		.pf =		NFPROTO_IPV6,
7330 		.hooknum =	NF_INET_LOCAL_OUT,
7331 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7332 	},
7333 #endif	/* IPV6 */
7334 };
7335 
7336 static int __net_init selinux_nf_register(struct net *net)
7337 {
7338 	return nf_register_net_hooks(net, selinux_nf_ops,
7339 				     ARRAY_SIZE(selinux_nf_ops));
7340 }
7341 
7342 static void __net_exit selinux_nf_unregister(struct net *net)
7343 {
7344 	nf_unregister_net_hooks(net, selinux_nf_ops,
7345 				ARRAY_SIZE(selinux_nf_ops));
7346 }
7347 
7348 static struct pernet_operations selinux_net_ops = {
7349 	.init = selinux_nf_register,
7350 	.exit = selinux_nf_unregister,
7351 };
7352 
7353 static int __init selinux_nf_ip_init(void)
7354 {
7355 	int err;
7356 
7357 	if (!selinux_enabled_boot)
7358 		return 0;
7359 
7360 	pr_debug("SELinux:  Registering netfilter hooks\n");
7361 
7362 	err = register_pernet_subsys(&selinux_net_ops);
7363 	if (err)
7364 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7365 
7366 	return 0;
7367 }
7368 __initcall(selinux_nf_ip_init);
7369 
7370 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7371 static void selinux_nf_ip_exit(void)
7372 {
7373 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7374 
7375 	unregister_pernet_subsys(&selinux_net_ops);
7376 }
7377 #endif
7378 
7379 #else /* CONFIG_NETFILTER */
7380 
7381 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7382 #define selinux_nf_ip_exit()
7383 #endif
7384 
7385 #endif /* CONFIG_NETFILTER */
7386 
7387 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7388 int selinux_disable(struct selinux_state *state)
7389 {
7390 	if (selinux_initialized(state)) {
7391 		/* Not permitted after initial policy load. */
7392 		return -EINVAL;
7393 	}
7394 
7395 	if (selinux_disabled(state)) {
7396 		/* Only do this once. */
7397 		return -EINVAL;
7398 	}
7399 
7400 	selinux_mark_disabled(state);
7401 
7402 	pr_info("SELinux:  Disabled at runtime.\n");
7403 
7404 	/*
7405 	 * Unregister netfilter hooks.
7406 	 * Must be done before security_delete_hooks() to avoid breaking
7407 	 * runtime disable.
7408 	 */
7409 	selinux_nf_ip_exit();
7410 
7411 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7412 
7413 	/* Try to destroy the avc node cache */
7414 	avc_disable();
7415 
7416 	/* Unregister selinuxfs. */
7417 	exit_sel_fs();
7418 
7419 	return 0;
7420 }
7421 #endif
7422