xref: /openbmc/linux/security/selinux/hooks.c (revision 68198dca)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>		/* for Unix socket types */
72 #include <net/af_unix.h>	/* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100 
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106 
107 static int __init enforcing_setup(char *str)
108 {
109 	unsigned long enforcing;
110 	if (!kstrtoul(str, 0, &enforcing))
111 		selinux_enforcing = enforcing ? 1 : 0;
112 	return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116 
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 
120 static int __init selinux_enabled_setup(char *str)
121 {
122 	unsigned long enabled;
123 	if (!kstrtoul(str, 0, &enabled))
124 		selinux_enabled = enabled ? 1 : 0;
125 	return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131 
132 static struct kmem_cache *sel_inode_cache;
133 static struct kmem_cache *file_security_cache;
134 
135 /**
136  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137  *
138  * Description:
139  * This function checks the SECMARK reference counter to see if any SECMARK
140  * targets are currently configured, if the reference counter is greater than
141  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
142  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
143  * policy capability is enabled, SECMARK is always considered enabled.
144  *
145  */
146 static int selinux_secmark_enabled(void)
147 {
148 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149 }
150 
151 /**
152  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153  *
154  * Description:
155  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
156  * (1) if any are enabled or false (0) if neither are enabled.  If the
157  * always_check_network policy capability is enabled, peer labeling
158  * is always considered enabled.
159  *
160  */
161 static int selinux_peerlbl_enabled(void)
162 {
163 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
164 }
165 
166 static int selinux_netcache_avc_callback(u32 event)
167 {
168 	if (event == AVC_CALLBACK_RESET) {
169 		sel_netif_flush();
170 		sel_netnode_flush();
171 		sel_netport_flush();
172 		synchronize_net();
173 	}
174 	return 0;
175 }
176 
177 static int selinux_lsm_notifier_avc_callback(u32 event)
178 {
179 	if (event == AVC_CALLBACK_RESET) {
180 		sel_ib_pkey_flush();
181 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
182 	}
183 
184 	return 0;
185 }
186 
187 /*
188  * initialise the security for the init task
189  */
190 static void cred_init_security(void)
191 {
192 	struct cred *cred = (struct cred *) current->real_cred;
193 	struct task_security_struct *tsec;
194 
195 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 	if (!tsec)
197 		panic("SELinux:  Failed to initialize initial task.\n");
198 
199 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
200 	cred->security = tsec;
201 }
202 
203 /*
204  * get the security ID of a set of credentials
205  */
206 static inline u32 cred_sid(const struct cred *cred)
207 {
208 	const struct task_security_struct *tsec;
209 
210 	tsec = cred->security;
211 	return tsec->sid;
212 }
213 
214 /*
215  * get the objective security ID of a task
216  */
217 static inline u32 task_sid(const struct task_struct *task)
218 {
219 	u32 sid;
220 
221 	rcu_read_lock();
222 	sid = cred_sid(__task_cred(task));
223 	rcu_read_unlock();
224 	return sid;
225 }
226 
227 /* Allocate and free functions for each kind of security blob. */
228 
229 static int inode_alloc_security(struct inode *inode)
230 {
231 	struct inode_security_struct *isec;
232 	u32 sid = current_sid();
233 
234 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
235 	if (!isec)
236 		return -ENOMEM;
237 
238 	spin_lock_init(&isec->lock);
239 	INIT_LIST_HEAD(&isec->list);
240 	isec->inode = inode;
241 	isec->sid = SECINITSID_UNLABELED;
242 	isec->sclass = SECCLASS_FILE;
243 	isec->task_sid = sid;
244 	isec->initialized = LABEL_INVALID;
245 	inode->i_security = isec;
246 
247 	return 0;
248 }
249 
250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
251 
252 /*
253  * Try reloading inode security labels that have been marked as invalid.  The
254  * @may_sleep parameter indicates when sleeping and thus reloading labels is
255  * allowed; when set to false, returns -ECHILD when the label is
256  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
257  * when no dentry is available, set it to NULL instead.
258  */
259 static int __inode_security_revalidate(struct inode *inode,
260 				       struct dentry *opt_dentry,
261 				       bool may_sleep)
262 {
263 	struct inode_security_struct *isec = inode->i_security;
264 
265 	might_sleep_if(may_sleep);
266 
267 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
268 		if (!may_sleep)
269 			return -ECHILD;
270 
271 		/*
272 		 * Try reloading the inode security label.  This will fail if
273 		 * @opt_dentry is NULL and no dentry for this inode can be
274 		 * found; in that case, continue using the old label.
275 		 */
276 		inode_doinit_with_dentry(inode, opt_dentry);
277 	}
278 	return 0;
279 }
280 
281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 {
283 	return inode->i_security;
284 }
285 
286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
287 {
288 	int error;
289 
290 	error = __inode_security_revalidate(inode, NULL, !rcu);
291 	if (error)
292 		return ERR_PTR(error);
293 	return inode->i_security;
294 }
295 
296 /*
297  * Get the security label of an inode.
298  */
299 static struct inode_security_struct *inode_security(struct inode *inode)
300 {
301 	__inode_security_revalidate(inode, NULL, true);
302 	return inode->i_security;
303 }
304 
305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 {
307 	struct inode *inode = d_backing_inode(dentry);
308 
309 	return inode->i_security;
310 }
311 
312 /*
313  * Get the security label of a dentry's backing inode.
314  */
315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 {
317 	struct inode *inode = d_backing_inode(dentry);
318 
319 	__inode_security_revalidate(inode, dentry, true);
320 	return inode->i_security;
321 }
322 
323 static void inode_free_rcu(struct rcu_head *head)
324 {
325 	struct inode_security_struct *isec;
326 
327 	isec = container_of(head, struct inode_security_struct, rcu);
328 	kmem_cache_free(sel_inode_cache, isec);
329 }
330 
331 static void inode_free_security(struct inode *inode)
332 {
333 	struct inode_security_struct *isec = inode->i_security;
334 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
335 
336 	/*
337 	 * As not all inode security structures are in a list, we check for
338 	 * empty list outside of the lock to make sure that we won't waste
339 	 * time taking a lock doing nothing.
340 	 *
341 	 * The list_del_init() function can be safely called more than once.
342 	 * It should not be possible for this function to be called with
343 	 * concurrent list_add(), but for better safety against future changes
344 	 * in the code, we use list_empty_careful() here.
345 	 */
346 	if (!list_empty_careful(&isec->list)) {
347 		spin_lock(&sbsec->isec_lock);
348 		list_del_init(&isec->list);
349 		spin_unlock(&sbsec->isec_lock);
350 	}
351 
352 	/*
353 	 * The inode may still be referenced in a path walk and
354 	 * a call to selinux_inode_permission() can be made
355 	 * after inode_free_security() is called. Ideally, the VFS
356 	 * wouldn't do this, but fixing that is a much harder
357 	 * job. For now, simply free the i_security via RCU, and
358 	 * leave the current inode->i_security pointer intact.
359 	 * The inode will be freed after the RCU grace period too.
360 	 */
361 	call_rcu(&isec->rcu, inode_free_rcu);
362 }
363 
364 static int file_alloc_security(struct file *file)
365 {
366 	struct file_security_struct *fsec;
367 	u32 sid = current_sid();
368 
369 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
370 	if (!fsec)
371 		return -ENOMEM;
372 
373 	fsec->sid = sid;
374 	fsec->fown_sid = sid;
375 	file->f_security = fsec;
376 
377 	return 0;
378 }
379 
380 static void file_free_security(struct file *file)
381 {
382 	struct file_security_struct *fsec = file->f_security;
383 	file->f_security = NULL;
384 	kmem_cache_free(file_security_cache, fsec);
385 }
386 
387 static int superblock_alloc_security(struct super_block *sb)
388 {
389 	struct superblock_security_struct *sbsec;
390 
391 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
392 	if (!sbsec)
393 		return -ENOMEM;
394 
395 	mutex_init(&sbsec->lock);
396 	INIT_LIST_HEAD(&sbsec->isec_head);
397 	spin_lock_init(&sbsec->isec_lock);
398 	sbsec->sb = sb;
399 	sbsec->sid = SECINITSID_UNLABELED;
400 	sbsec->def_sid = SECINITSID_FILE;
401 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
402 	sb->s_security = sbsec;
403 
404 	return 0;
405 }
406 
407 static void superblock_free_security(struct super_block *sb)
408 {
409 	struct superblock_security_struct *sbsec = sb->s_security;
410 	sb->s_security = NULL;
411 	kfree(sbsec);
412 }
413 
414 static inline int inode_doinit(struct inode *inode)
415 {
416 	return inode_doinit_with_dentry(inode, NULL);
417 }
418 
419 enum {
420 	Opt_error = -1,
421 	Opt_context = 1,
422 	Opt_fscontext = 2,
423 	Opt_defcontext = 3,
424 	Opt_rootcontext = 4,
425 	Opt_labelsupport = 5,
426 	Opt_nextmntopt = 6,
427 };
428 
429 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
430 
431 static const match_table_t tokens = {
432 	{Opt_context, CONTEXT_STR "%s"},
433 	{Opt_fscontext, FSCONTEXT_STR "%s"},
434 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
435 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 	{Opt_labelsupport, LABELSUPP_STR},
437 	{Opt_error, NULL},
438 };
439 
440 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
441 
442 static int may_context_mount_sb_relabel(u32 sid,
443 			struct superblock_security_struct *sbsec,
444 			const struct cred *cred)
445 {
446 	const struct task_security_struct *tsec = cred->security;
447 	int rc;
448 
449 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 			  FILESYSTEM__RELABELFROM, NULL);
451 	if (rc)
452 		return rc;
453 
454 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 			  FILESYSTEM__RELABELTO, NULL);
456 	return rc;
457 }
458 
459 static int may_context_mount_inode_relabel(u32 sid,
460 			struct superblock_security_struct *sbsec,
461 			const struct cred *cred)
462 {
463 	const struct task_security_struct *tsec = cred->security;
464 	int rc;
465 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 			  FILESYSTEM__RELABELFROM, NULL);
467 	if (rc)
468 		return rc;
469 
470 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 			  FILESYSTEM__ASSOCIATE, NULL);
472 	return rc;
473 }
474 
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477 	struct superblock_security_struct *sbsec = sb->s_security;
478 
479 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 		sbsec->behavior == SECURITY_FS_USE_TASK ||
482 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 		/* Special handling. Genfs but also in-core setxattr handler */
484 		!strcmp(sb->s_type->name, "sysfs") ||
485 		!strcmp(sb->s_type->name, "pstore") ||
486 		!strcmp(sb->s_type->name, "debugfs") ||
487 		!strcmp(sb->s_type->name, "tracefs") ||
488 		!strcmp(sb->s_type->name, "rootfs") ||
489 		(selinux_policycap_cgroupseclabel &&
490 		 (!strcmp(sb->s_type->name, "cgroup") ||
491 		  !strcmp(sb->s_type->name, "cgroup2")));
492 }
493 
494 static int sb_finish_set_opts(struct super_block *sb)
495 {
496 	struct superblock_security_struct *sbsec = sb->s_security;
497 	struct dentry *root = sb->s_root;
498 	struct inode *root_inode = d_backing_inode(root);
499 	int rc = 0;
500 
501 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
502 		/* Make sure that the xattr handler exists and that no
503 		   error other than -ENODATA is returned by getxattr on
504 		   the root directory.  -ENODATA is ok, as this may be
505 		   the first boot of the SELinux kernel before we have
506 		   assigned xattr values to the filesystem. */
507 		if (!(root_inode->i_opflags & IOP_XATTR)) {
508 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
509 			       "xattr support\n", sb->s_id, sb->s_type->name);
510 			rc = -EOPNOTSUPP;
511 			goto out;
512 		}
513 
514 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
515 		if (rc < 0 && rc != -ENODATA) {
516 			if (rc == -EOPNOTSUPP)
517 				printk(KERN_WARNING "SELinux: (dev %s, type "
518 				       "%s) has no security xattr handler\n",
519 				       sb->s_id, sb->s_type->name);
520 			else
521 				printk(KERN_WARNING "SELinux: (dev %s, type "
522 				       "%s) getxattr errno %d\n", sb->s_id,
523 				       sb->s_type->name, -rc);
524 			goto out;
525 		}
526 	}
527 
528 	sbsec->flags |= SE_SBINITIALIZED;
529 
530 	/*
531 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
532 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
533 	 * us a superblock that needs the flag to be cleared.
534 	 */
535 	if (selinux_is_sblabel_mnt(sb))
536 		sbsec->flags |= SBLABEL_MNT;
537 	else
538 		sbsec->flags &= ~SBLABEL_MNT;
539 
540 	/* Initialize the root inode. */
541 	rc = inode_doinit_with_dentry(root_inode, root);
542 
543 	/* Initialize any other inodes associated with the superblock, e.g.
544 	   inodes created prior to initial policy load or inodes created
545 	   during get_sb by a pseudo filesystem that directly
546 	   populates itself. */
547 	spin_lock(&sbsec->isec_lock);
548 next_inode:
549 	if (!list_empty(&sbsec->isec_head)) {
550 		struct inode_security_struct *isec =
551 				list_entry(sbsec->isec_head.next,
552 					   struct inode_security_struct, list);
553 		struct inode *inode = isec->inode;
554 		list_del_init(&isec->list);
555 		spin_unlock(&sbsec->isec_lock);
556 		inode = igrab(inode);
557 		if (inode) {
558 			if (!IS_PRIVATE(inode))
559 				inode_doinit(inode);
560 			iput(inode);
561 		}
562 		spin_lock(&sbsec->isec_lock);
563 		goto next_inode;
564 	}
565 	spin_unlock(&sbsec->isec_lock);
566 out:
567 	return rc;
568 }
569 
570 /*
571  * This function should allow an FS to ask what it's mount security
572  * options were so it can use those later for submounts, displaying
573  * mount options, or whatever.
574  */
575 static int selinux_get_mnt_opts(const struct super_block *sb,
576 				struct security_mnt_opts *opts)
577 {
578 	int rc = 0, i;
579 	struct superblock_security_struct *sbsec = sb->s_security;
580 	char *context = NULL;
581 	u32 len;
582 	char tmp;
583 
584 	security_init_mnt_opts(opts);
585 
586 	if (!(sbsec->flags & SE_SBINITIALIZED))
587 		return -EINVAL;
588 
589 	if (!ss_initialized)
590 		return -EINVAL;
591 
592 	/* make sure we always check enough bits to cover the mask */
593 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 
595 	tmp = sbsec->flags & SE_MNTMASK;
596 	/* count the number of mount options for this sb */
597 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 		if (tmp & 0x01)
599 			opts->num_mnt_opts++;
600 		tmp >>= 1;
601 	}
602 	/* Check if the Label support flag is set */
603 	if (sbsec->flags & SBLABEL_MNT)
604 		opts->num_mnt_opts++;
605 
606 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607 	if (!opts->mnt_opts) {
608 		rc = -ENOMEM;
609 		goto out_free;
610 	}
611 
612 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613 	if (!opts->mnt_opts_flags) {
614 		rc = -ENOMEM;
615 		goto out_free;
616 	}
617 
618 	i = 0;
619 	if (sbsec->flags & FSCONTEXT_MNT) {
620 		rc = security_sid_to_context(sbsec->sid, &context, &len);
621 		if (rc)
622 			goto out_free;
623 		opts->mnt_opts[i] = context;
624 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 	}
626 	if (sbsec->flags & CONTEXT_MNT) {
627 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628 		if (rc)
629 			goto out_free;
630 		opts->mnt_opts[i] = context;
631 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 	}
633 	if (sbsec->flags & DEFCONTEXT_MNT) {
634 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635 		if (rc)
636 			goto out_free;
637 		opts->mnt_opts[i] = context;
638 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 	}
640 	if (sbsec->flags & ROOTCONTEXT_MNT) {
641 		struct dentry *root = sbsec->sb->s_root;
642 		struct inode_security_struct *isec = backing_inode_security(root);
643 
644 		rc = security_sid_to_context(isec->sid, &context, &len);
645 		if (rc)
646 			goto out_free;
647 		opts->mnt_opts[i] = context;
648 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 	}
650 	if (sbsec->flags & SBLABEL_MNT) {
651 		opts->mnt_opts[i] = NULL;
652 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
653 	}
654 
655 	BUG_ON(i != opts->num_mnt_opts);
656 
657 	return 0;
658 
659 out_free:
660 	security_free_mnt_opts(opts);
661 	return rc;
662 }
663 
664 static int bad_option(struct superblock_security_struct *sbsec, char flag,
665 		      u32 old_sid, u32 new_sid)
666 {
667 	char mnt_flags = sbsec->flags & SE_MNTMASK;
668 
669 	/* check if the old mount command had the same options */
670 	if (sbsec->flags & SE_SBINITIALIZED)
671 		if (!(sbsec->flags & flag) ||
672 		    (old_sid != new_sid))
673 			return 1;
674 
675 	/* check if we were passed the same options twice,
676 	 * aka someone passed context=a,context=b
677 	 */
678 	if (!(sbsec->flags & SE_SBINITIALIZED))
679 		if (mnt_flags & flag)
680 			return 1;
681 	return 0;
682 }
683 
684 /*
685  * Allow filesystems with binary mount data to explicitly set mount point
686  * labeling information.
687  */
688 static int selinux_set_mnt_opts(struct super_block *sb,
689 				struct security_mnt_opts *opts,
690 				unsigned long kern_flags,
691 				unsigned long *set_kern_flags)
692 {
693 	const struct cred *cred = current_cred();
694 	int rc = 0, i;
695 	struct superblock_security_struct *sbsec = sb->s_security;
696 	const char *name = sb->s_type->name;
697 	struct dentry *root = sbsec->sb->s_root;
698 	struct inode_security_struct *root_isec;
699 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700 	u32 defcontext_sid = 0;
701 	char **mount_options = opts->mnt_opts;
702 	int *flags = opts->mnt_opts_flags;
703 	int num_opts = opts->num_mnt_opts;
704 
705 	mutex_lock(&sbsec->lock);
706 
707 	if (!ss_initialized) {
708 		if (!num_opts) {
709 			/* Defer initialization until selinux_complete_init,
710 			   after the initial policy is loaded and the security
711 			   server is ready to handle calls. */
712 			goto out;
713 		}
714 		rc = -EINVAL;
715 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
716 			"before the security server is initialized\n");
717 		goto out;
718 	}
719 	if (kern_flags && !set_kern_flags) {
720 		/* Specifying internal flags without providing a place to
721 		 * place the results is not allowed */
722 		rc = -EINVAL;
723 		goto out;
724 	}
725 
726 	/*
727 	 * Binary mount data FS will come through this function twice.  Once
728 	 * from an explicit call and once from the generic calls from the vfs.
729 	 * Since the generic VFS calls will not contain any security mount data
730 	 * we need to skip the double mount verification.
731 	 *
732 	 * This does open a hole in which we will not notice if the first
733 	 * mount using this sb set explict options and a second mount using
734 	 * this sb does not set any security options.  (The first options
735 	 * will be used for both mounts)
736 	 */
737 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
738 	    && (num_opts == 0))
739 		goto out;
740 
741 	root_isec = backing_inode_security_novalidate(root);
742 
743 	/*
744 	 * parse the mount options, check if they are valid sids.
745 	 * also check if someone is trying to mount the same sb more
746 	 * than once with different security options.
747 	 */
748 	for (i = 0; i < num_opts; i++) {
749 		u32 sid;
750 
751 		if (flags[i] == SBLABEL_MNT)
752 			continue;
753 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 		if (rc) {
755 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
757 			       mount_options[i], sb->s_id, name, rc);
758 			goto out;
759 		}
760 		switch (flags[i]) {
761 		case FSCONTEXT_MNT:
762 			fscontext_sid = sid;
763 
764 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 					fscontext_sid))
766 				goto out_double_mount;
767 
768 			sbsec->flags |= FSCONTEXT_MNT;
769 			break;
770 		case CONTEXT_MNT:
771 			context_sid = sid;
772 
773 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 					context_sid))
775 				goto out_double_mount;
776 
777 			sbsec->flags |= CONTEXT_MNT;
778 			break;
779 		case ROOTCONTEXT_MNT:
780 			rootcontext_sid = sid;
781 
782 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 					rootcontext_sid))
784 				goto out_double_mount;
785 
786 			sbsec->flags |= ROOTCONTEXT_MNT;
787 
788 			break;
789 		case DEFCONTEXT_MNT:
790 			defcontext_sid = sid;
791 
792 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 					defcontext_sid))
794 				goto out_double_mount;
795 
796 			sbsec->flags |= DEFCONTEXT_MNT;
797 
798 			break;
799 		default:
800 			rc = -EINVAL;
801 			goto out;
802 		}
803 	}
804 
805 	if (sbsec->flags & SE_SBINITIALIZED) {
806 		/* previously mounted with options, but not on this attempt? */
807 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
808 			goto out_double_mount;
809 		rc = 0;
810 		goto out;
811 	}
812 
813 	if (strcmp(sb->s_type->name, "proc") == 0)
814 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 
816 	if (!strcmp(sb->s_type->name, "debugfs") ||
817 	    !strcmp(sb->s_type->name, "tracefs") ||
818 	    !strcmp(sb->s_type->name, "sysfs") ||
819 	    !strcmp(sb->s_type->name, "pstore") ||
820 	    !strcmp(sb->s_type->name, "cgroup") ||
821 	    !strcmp(sb->s_type->name, "cgroup2"))
822 		sbsec->flags |= SE_SBGENFS;
823 
824 	if (!sbsec->behavior) {
825 		/*
826 		 * Determine the labeling behavior to use for this
827 		 * filesystem type.
828 		 */
829 		rc = security_fs_use(sb);
830 		if (rc) {
831 			printk(KERN_WARNING
832 				"%s: security_fs_use(%s) returned %d\n",
833 					__func__, sb->s_type->name, rc);
834 			goto out;
835 		}
836 	}
837 
838 	/*
839 	 * If this is a user namespace mount and the filesystem type is not
840 	 * explicitly whitelisted, then no contexts are allowed on the command
841 	 * line and security labels must be ignored.
842 	 */
843 	if (sb->s_user_ns != &init_user_ns &&
844 	    strcmp(sb->s_type->name, "tmpfs") &&
845 	    strcmp(sb->s_type->name, "ramfs") &&
846 	    strcmp(sb->s_type->name, "devpts")) {
847 		if (context_sid || fscontext_sid || rootcontext_sid ||
848 		    defcontext_sid) {
849 			rc = -EACCES;
850 			goto out;
851 		}
852 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 			rc = security_transition_sid(current_sid(), current_sid(),
855 						     SECCLASS_FILE, NULL,
856 						     &sbsec->mntpoint_sid);
857 			if (rc)
858 				goto out;
859 		}
860 		goto out_set_opts;
861 	}
862 
863 	/* sets the context of the superblock for the fs being mounted. */
864 	if (fscontext_sid) {
865 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866 		if (rc)
867 			goto out;
868 
869 		sbsec->sid = fscontext_sid;
870 	}
871 
872 	/*
873 	 * Switch to using mount point labeling behavior.
874 	 * sets the label used on all file below the mountpoint, and will set
875 	 * the superblock context if not already set.
876 	 */
877 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
878 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
879 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880 	}
881 
882 	if (context_sid) {
883 		if (!fscontext_sid) {
884 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
885 							  cred);
886 			if (rc)
887 				goto out;
888 			sbsec->sid = context_sid;
889 		} else {
890 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
891 							     cred);
892 			if (rc)
893 				goto out;
894 		}
895 		if (!rootcontext_sid)
896 			rootcontext_sid = context_sid;
897 
898 		sbsec->mntpoint_sid = context_sid;
899 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
900 	}
901 
902 	if (rootcontext_sid) {
903 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
904 						     cred);
905 		if (rc)
906 			goto out;
907 
908 		root_isec->sid = rootcontext_sid;
909 		root_isec->initialized = LABEL_INITIALIZED;
910 	}
911 
912 	if (defcontext_sid) {
913 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
914 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915 			rc = -EINVAL;
916 			printk(KERN_WARNING "SELinux: defcontext option is "
917 			       "invalid for this filesystem type\n");
918 			goto out;
919 		}
920 
921 		if (defcontext_sid != sbsec->def_sid) {
922 			rc = may_context_mount_inode_relabel(defcontext_sid,
923 							     sbsec, cred);
924 			if (rc)
925 				goto out;
926 		}
927 
928 		sbsec->def_sid = defcontext_sid;
929 	}
930 
931 out_set_opts:
932 	rc = sb_finish_set_opts(sb);
933 out:
934 	mutex_unlock(&sbsec->lock);
935 	return rc;
936 out_double_mount:
937 	rc = -EINVAL;
938 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
939 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
940 	goto out;
941 }
942 
943 static int selinux_cmp_sb_context(const struct super_block *oldsb,
944 				    const struct super_block *newsb)
945 {
946 	struct superblock_security_struct *old = oldsb->s_security;
947 	struct superblock_security_struct *new = newsb->s_security;
948 	char oldflags = old->flags & SE_MNTMASK;
949 	char newflags = new->flags & SE_MNTMASK;
950 
951 	if (oldflags != newflags)
952 		goto mismatch;
953 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954 		goto mismatch;
955 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956 		goto mismatch;
957 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958 		goto mismatch;
959 	if (oldflags & ROOTCONTEXT_MNT) {
960 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
961 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
962 		if (oldroot->sid != newroot->sid)
963 			goto mismatch;
964 	}
965 	return 0;
966 mismatch:
967 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
968 			    "different security settings for (dev %s, "
969 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
970 	return -EBUSY;
971 }
972 
973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
974 					struct super_block *newsb,
975 					unsigned long kern_flags,
976 					unsigned long *set_kern_flags)
977 {
978 	int rc = 0;
979 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
980 	struct superblock_security_struct *newsbsec = newsb->s_security;
981 
982 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
983 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
984 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
985 
986 	/*
987 	 * if the parent was able to be mounted it clearly had no special lsm
988 	 * mount options.  thus we can safely deal with this superblock later
989 	 */
990 	if (!ss_initialized)
991 		return 0;
992 
993 	/*
994 	 * Specifying internal flags without providing a place to
995 	 * place the results is not allowed.
996 	 */
997 	if (kern_flags && !set_kern_flags)
998 		return -EINVAL;
999 
1000 	/* how can we clone if the old one wasn't set up?? */
1001 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002 
1003 	/* if fs is reusing a sb, make sure that the contexts match */
1004 	if (newsbsec->flags & SE_SBINITIALIZED)
1005 		return selinux_cmp_sb_context(oldsb, newsb);
1006 
1007 	mutex_lock(&newsbsec->lock);
1008 
1009 	newsbsec->flags = oldsbsec->flags;
1010 
1011 	newsbsec->sid = oldsbsec->sid;
1012 	newsbsec->def_sid = oldsbsec->def_sid;
1013 	newsbsec->behavior = oldsbsec->behavior;
1014 
1015 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 		rc = security_fs_use(newsb);
1018 		if (rc)
1019 			goto out;
1020 	}
1021 
1022 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025 	}
1026 
1027 	if (set_context) {
1028 		u32 sid = oldsbsec->mntpoint_sid;
1029 
1030 		if (!set_fscontext)
1031 			newsbsec->sid = sid;
1032 		if (!set_rootcontext) {
1033 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1034 			newisec->sid = sid;
1035 		}
1036 		newsbsec->mntpoint_sid = sid;
1037 	}
1038 	if (set_rootcontext) {
1039 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041 
1042 		newisec->sid = oldisec->sid;
1043 	}
1044 
1045 	sb_finish_set_opts(newsb);
1046 out:
1047 	mutex_unlock(&newsbsec->lock);
1048 	return rc;
1049 }
1050 
1051 static int selinux_parse_opts_str(char *options,
1052 				  struct security_mnt_opts *opts)
1053 {
1054 	char *p;
1055 	char *context = NULL, *defcontext = NULL;
1056 	char *fscontext = NULL, *rootcontext = NULL;
1057 	int rc, num_mnt_opts = 0;
1058 
1059 	opts->num_mnt_opts = 0;
1060 
1061 	/* Standard string-based options. */
1062 	while ((p = strsep(&options, "|")) != NULL) {
1063 		int token;
1064 		substring_t args[MAX_OPT_ARGS];
1065 
1066 		if (!*p)
1067 			continue;
1068 
1069 		token = match_token(p, tokens, args);
1070 
1071 		switch (token) {
1072 		case Opt_context:
1073 			if (context || defcontext) {
1074 				rc = -EINVAL;
1075 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076 				goto out_err;
1077 			}
1078 			context = match_strdup(&args[0]);
1079 			if (!context) {
1080 				rc = -ENOMEM;
1081 				goto out_err;
1082 			}
1083 			break;
1084 
1085 		case Opt_fscontext:
1086 			if (fscontext) {
1087 				rc = -EINVAL;
1088 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089 				goto out_err;
1090 			}
1091 			fscontext = match_strdup(&args[0]);
1092 			if (!fscontext) {
1093 				rc = -ENOMEM;
1094 				goto out_err;
1095 			}
1096 			break;
1097 
1098 		case Opt_rootcontext:
1099 			if (rootcontext) {
1100 				rc = -EINVAL;
1101 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102 				goto out_err;
1103 			}
1104 			rootcontext = match_strdup(&args[0]);
1105 			if (!rootcontext) {
1106 				rc = -ENOMEM;
1107 				goto out_err;
1108 			}
1109 			break;
1110 
1111 		case Opt_defcontext:
1112 			if (context || defcontext) {
1113 				rc = -EINVAL;
1114 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115 				goto out_err;
1116 			}
1117 			defcontext = match_strdup(&args[0]);
1118 			if (!defcontext) {
1119 				rc = -ENOMEM;
1120 				goto out_err;
1121 			}
1122 			break;
1123 		case Opt_labelsupport:
1124 			break;
1125 		default:
1126 			rc = -EINVAL;
1127 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1128 			goto out_err;
1129 
1130 		}
1131 	}
1132 
1133 	rc = -ENOMEM;
1134 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1135 	if (!opts->mnt_opts)
1136 		goto out_err;
1137 
1138 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139 				       GFP_KERNEL);
1140 	if (!opts->mnt_opts_flags)
1141 		goto out_err;
1142 
1143 	if (fscontext) {
1144 		opts->mnt_opts[num_mnt_opts] = fscontext;
1145 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1146 	}
1147 	if (context) {
1148 		opts->mnt_opts[num_mnt_opts] = context;
1149 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1150 	}
1151 	if (rootcontext) {
1152 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1153 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1154 	}
1155 	if (defcontext) {
1156 		opts->mnt_opts[num_mnt_opts] = defcontext;
1157 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1158 	}
1159 
1160 	opts->num_mnt_opts = num_mnt_opts;
1161 	return 0;
1162 
1163 out_err:
1164 	security_free_mnt_opts(opts);
1165 	kfree(context);
1166 	kfree(defcontext);
1167 	kfree(fscontext);
1168 	kfree(rootcontext);
1169 	return rc;
1170 }
1171 /*
1172  * string mount options parsing and call set the sbsec
1173  */
1174 static int superblock_doinit(struct super_block *sb, void *data)
1175 {
1176 	int rc = 0;
1177 	char *options = data;
1178 	struct security_mnt_opts opts;
1179 
1180 	security_init_mnt_opts(&opts);
1181 
1182 	if (!data)
1183 		goto out;
1184 
1185 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186 
1187 	rc = selinux_parse_opts_str(options, &opts);
1188 	if (rc)
1189 		goto out_err;
1190 
1191 out:
1192 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1193 
1194 out_err:
1195 	security_free_mnt_opts(&opts);
1196 	return rc;
1197 }
1198 
1199 static void selinux_write_opts(struct seq_file *m,
1200 			       struct security_mnt_opts *opts)
1201 {
1202 	int i;
1203 	char *prefix;
1204 
1205 	for (i = 0; i < opts->num_mnt_opts; i++) {
1206 		char *has_comma;
1207 
1208 		if (opts->mnt_opts[i])
1209 			has_comma = strchr(opts->mnt_opts[i], ',');
1210 		else
1211 			has_comma = NULL;
1212 
1213 		switch (opts->mnt_opts_flags[i]) {
1214 		case CONTEXT_MNT:
1215 			prefix = CONTEXT_STR;
1216 			break;
1217 		case FSCONTEXT_MNT:
1218 			prefix = FSCONTEXT_STR;
1219 			break;
1220 		case ROOTCONTEXT_MNT:
1221 			prefix = ROOTCONTEXT_STR;
1222 			break;
1223 		case DEFCONTEXT_MNT:
1224 			prefix = DEFCONTEXT_STR;
1225 			break;
1226 		case SBLABEL_MNT:
1227 			seq_putc(m, ',');
1228 			seq_puts(m, LABELSUPP_STR);
1229 			continue;
1230 		default:
1231 			BUG();
1232 			return;
1233 		};
1234 		/* we need a comma before each option */
1235 		seq_putc(m, ',');
1236 		seq_puts(m, prefix);
1237 		if (has_comma)
1238 			seq_putc(m, '\"');
1239 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1240 		if (has_comma)
1241 			seq_putc(m, '\"');
1242 	}
1243 }
1244 
1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 {
1247 	struct security_mnt_opts opts;
1248 	int rc;
1249 
1250 	rc = selinux_get_mnt_opts(sb, &opts);
1251 	if (rc) {
1252 		/* before policy load we may get EINVAL, don't show anything */
1253 		if (rc == -EINVAL)
1254 			rc = 0;
1255 		return rc;
1256 	}
1257 
1258 	selinux_write_opts(m, &opts);
1259 
1260 	security_free_mnt_opts(&opts);
1261 
1262 	return rc;
1263 }
1264 
1265 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 {
1267 	switch (mode & S_IFMT) {
1268 	case S_IFSOCK:
1269 		return SECCLASS_SOCK_FILE;
1270 	case S_IFLNK:
1271 		return SECCLASS_LNK_FILE;
1272 	case S_IFREG:
1273 		return SECCLASS_FILE;
1274 	case S_IFBLK:
1275 		return SECCLASS_BLK_FILE;
1276 	case S_IFDIR:
1277 		return SECCLASS_DIR;
1278 	case S_IFCHR:
1279 		return SECCLASS_CHR_FILE;
1280 	case S_IFIFO:
1281 		return SECCLASS_FIFO_FILE;
1282 
1283 	}
1284 
1285 	return SECCLASS_FILE;
1286 }
1287 
1288 static inline int default_protocol_stream(int protocol)
1289 {
1290 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291 }
1292 
1293 static inline int default_protocol_dgram(int protocol)
1294 {
1295 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296 }
1297 
1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 {
1300 	int extsockclass = selinux_policycap_extsockclass;
1301 
1302 	switch (family) {
1303 	case PF_UNIX:
1304 		switch (type) {
1305 		case SOCK_STREAM:
1306 		case SOCK_SEQPACKET:
1307 			return SECCLASS_UNIX_STREAM_SOCKET;
1308 		case SOCK_DGRAM:
1309 		case SOCK_RAW:
1310 			return SECCLASS_UNIX_DGRAM_SOCKET;
1311 		}
1312 		break;
1313 	case PF_INET:
1314 	case PF_INET6:
1315 		switch (type) {
1316 		case SOCK_STREAM:
1317 		case SOCK_SEQPACKET:
1318 			if (default_protocol_stream(protocol))
1319 				return SECCLASS_TCP_SOCKET;
1320 			else if (extsockclass && protocol == IPPROTO_SCTP)
1321 				return SECCLASS_SCTP_SOCKET;
1322 			else
1323 				return SECCLASS_RAWIP_SOCKET;
1324 		case SOCK_DGRAM:
1325 			if (default_protocol_dgram(protocol))
1326 				return SECCLASS_UDP_SOCKET;
1327 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328 						  protocol == IPPROTO_ICMPV6))
1329 				return SECCLASS_ICMP_SOCKET;
1330 			else
1331 				return SECCLASS_RAWIP_SOCKET;
1332 		case SOCK_DCCP:
1333 			return SECCLASS_DCCP_SOCKET;
1334 		default:
1335 			return SECCLASS_RAWIP_SOCKET;
1336 		}
1337 		break;
1338 	case PF_NETLINK:
1339 		switch (protocol) {
1340 		case NETLINK_ROUTE:
1341 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1342 		case NETLINK_SOCK_DIAG:
1343 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344 		case NETLINK_NFLOG:
1345 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1346 		case NETLINK_XFRM:
1347 			return SECCLASS_NETLINK_XFRM_SOCKET;
1348 		case NETLINK_SELINUX:
1349 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1350 		case NETLINK_ISCSI:
1351 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1352 		case NETLINK_AUDIT:
1353 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1354 		case NETLINK_FIB_LOOKUP:
1355 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356 		case NETLINK_CONNECTOR:
1357 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358 		case NETLINK_NETFILTER:
1359 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1360 		case NETLINK_DNRTMSG:
1361 			return SECCLASS_NETLINK_DNRT_SOCKET;
1362 		case NETLINK_KOBJECT_UEVENT:
1363 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1364 		case NETLINK_GENERIC:
1365 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1366 		case NETLINK_SCSITRANSPORT:
1367 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368 		case NETLINK_RDMA:
1369 			return SECCLASS_NETLINK_RDMA_SOCKET;
1370 		case NETLINK_CRYPTO:
1371 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372 		default:
1373 			return SECCLASS_NETLINK_SOCKET;
1374 		}
1375 	case PF_PACKET:
1376 		return SECCLASS_PACKET_SOCKET;
1377 	case PF_KEY:
1378 		return SECCLASS_KEY_SOCKET;
1379 	case PF_APPLETALK:
1380 		return SECCLASS_APPLETALK_SOCKET;
1381 	}
1382 
1383 	if (extsockclass) {
1384 		switch (family) {
1385 		case PF_AX25:
1386 			return SECCLASS_AX25_SOCKET;
1387 		case PF_IPX:
1388 			return SECCLASS_IPX_SOCKET;
1389 		case PF_NETROM:
1390 			return SECCLASS_NETROM_SOCKET;
1391 		case PF_ATMPVC:
1392 			return SECCLASS_ATMPVC_SOCKET;
1393 		case PF_X25:
1394 			return SECCLASS_X25_SOCKET;
1395 		case PF_ROSE:
1396 			return SECCLASS_ROSE_SOCKET;
1397 		case PF_DECnet:
1398 			return SECCLASS_DECNET_SOCKET;
1399 		case PF_ATMSVC:
1400 			return SECCLASS_ATMSVC_SOCKET;
1401 		case PF_RDS:
1402 			return SECCLASS_RDS_SOCKET;
1403 		case PF_IRDA:
1404 			return SECCLASS_IRDA_SOCKET;
1405 		case PF_PPPOX:
1406 			return SECCLASS_PPPOX_SOCKET;
1407 		case PF_LLC:
1408 			return SECCLASS_LLC_SOCKET;
1409 		case PF_CAN:
1410 			return SECCLASS_CAN_SOCKET;
1411 		case PF_TIPC:
1412 			return SECCLASS_TIPC_SOCKET;
1413 		case PF_BLUETOOTH:
1414 			return SECCLASS_BLUETOOTH_SOCKET;
1415 		case PF_IUCV:
1416 			return SECCLASS_IUCV_SOCKET;
1417 		case PF_RXRPC:
1418 			return SECCLASS_RXRPC_SOCKET;
1419 		case PF_ISDN:
1420 			return SECCLASS_ISDN_SOCKET;
1421 		case PF_PHONET:
1422 			return SECCLASS_PHONET_SOCKET;
1423 		case PF_IEEE802154:
1424 			return SECCLASS_IEEE802154_SOCKET;
1425 		case PF_CAIF:
1426 			return SECCLASS_CAIF_SOCKET;
1427 		case PF_ALG:
1428 			return SECCLASS_ALG_SOCKET;
1429 		case PF_NFC:
1430 			return SECCLASS_NFC_SOCKET;
1431 		case PF_VSOCK:
1432 			return SECCLASS_VSOCK_SOCKET;
1433 		case PF_KCM:
1434 			return SECCLASS_KCM_SOCKET;
1435 		case PF_QIPCRTR:
1436 			return SECCLASS_QIPCRTR_SOCKET;
1437 		case PF_SMC:
1438 			return SECCLASS_SMC_SOCKET;
1439 #if PF_MAX > 44
1440 #error New address family defined, please update this function.
1441 #endif
1442 		}
1443 	}
1444 
1445 	return SECCLASS_SOCKET;
1446 }
1447 
1448 static int selinux_genfs_get_sid(struct dentry *dentry,
1449 				 u16 tclass,
1450 				 u16 flags,
1451 				 u32 *sid)
1452 {
1453 	int rc;
1454 	struct super_block *sb = dentry->d_sb;
1455 	char *buffer, *path;
1456 
1457 	buffer = (char *)__get_free_page(GFP_KERNEL);
1458 	if (!buffer)
1459 		return -ENOMEM;
1460 
1461 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462 	if (IS_ERR(path))
1463 		rc = PTR_ERR(path);
1464 	else {
1465 		if (flags & SE_SBPROC) {
1466 			/* each process gets a /proc/PID/ entry. Strip off the
1467 			 * PID part to get a valid selinux labeling.
1468 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469 			while (path[1] >= '0' && path[1] <= '9') {
1470 				path[1] = '/';
1471 				path++;
1472 			}
1473 		}
1474 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475 	}
1476 	free_page((unsigned long)buffer);
1477 	return rc;
1478 }
1479 
1480 /* The inode's security attributes must be initialized before first use. */
1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 {
1483 	struct superblock_security_struct *sbsec = NULL;
1484 	struct inode_security_struct *isec = inode->i_security;
1485 	u32 task_sid, sid = 0;
1486 	u16 sclass;
1487 	struct dentry *dentry;
1488 #define INITCONTEXTLEN 255
1489 	char *context = NULL;
1490 	unsigned len = 0;
1491 	int rc = 0;
1492 
1493 	if (isec->initialized == LABEL_INITIALIZED)
1494 		return 0;
1495 
1496 	spin_lock(&isec->lock);
1497 	if (isec->initialized == LABEL_INITIALIZED)
1498 		goto out_unlock;
1499 
1500 	if (isec->sclass == SECCLASS_FILE)
1501 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502 
1503 	sbsec = inode->i_sb->s_security;
1504 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1505 		/* Defer initialization until selinux_complete_init,
1506 		   after the initial policy is loaded and the security
1507 		   server is ready to handle calls. */
1508 		spin_lock(&sbsec->isec_lock);
1509 		if (list_empty(&isec->list))
1510 			list_add(&isec->list, &sbsec->isec_head);
1511 		spin_unlock(&sbsec->isec_lock);
1512 		goto out_unlock;
1513 	}
1514 
1515 	sclass = isec->sclass;
1516 	task_sid = isec->task_sid;
1517 	sid = isec->sid;
1518 	isec->initialized = LABEL_PENDING;
1519 	spin_unlock(&isec->lock);
1520 
1521 	switch (sbsec->behavior) {
1522 	case SECURITY_FS_USE_NATIVE:
1523 		break;
1524 	case SECURITY_FS_USE_XATTR:
1525 		if (!(inode->i_opflags & IOP_XATTR)) {
1526 			sid = sbsec->def_sid;
1527 			break;
1528 		}
1529 		/* Need a dentry, since the xattr API requires one.
1530 		   Life would be simpler if we could just pass the inode. */
1531 		if (opt_dentry) {
1532 			/* Called from d_instantiate or d_splice_alias. */
1533 			dentry = dget(opt_dentry);
1534 		} else {
1535 			/* Called from selinux_complete_init, try to find a dentry. */
1536 			dentry = d_find_alias(inode);
1537 		}
1538 		if (!dentry) {
1539 			/*
1540 			 * this is can be hit on boot when a file is accessed
1541 			 * before the policy is loaded.  When we load policy we
1542 			 * may find inodes that have no dentry on the
1543 			 * sbsec->isec_head list.  No reason to complain as these
1544 			 * will get fixed up the next time we go through
1545 			 * inode_doinit with a dentry, before these inodes could
1546 			 * be used again by userspace.
1547 			 */
1548 			goto out;
1549 		}
1550 
1551 		len = INITCONTEXTLEN;
1552 		context = kmalloc(len+1, GFP_NOFS);
1553 		if (!context) {
1554 			rc = -ENOMEM;
1555 			dput(dentry);
1556 			goto out;
1557 		}
1558 		context[len] = '\0';
1559 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1560 		if (rc == -ERANGE) {
1561 			kfree(context);
1562 
1563 			/* Need a larger buffer.  Query for the right size. */
1564 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1565 			if (rc < 0) {
1566 				dput(dentry);
1567 				goto out;
1568 			}
1569 			len = rc;
1570 			context = kmalloc(len+1, GFP_NOFS);
1571 			if (!context) {
1572 				rc = -ENOMEM;
1573 				dput(dentry);
1574 				goto out;
1575 			}
1576 			context[len] = '\0';
1577 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1578 		}
1579 		dput(dentry);
1580 		if (rc < 0) {
1581 			if (rc != -ENODATA) {
1582 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1583 				       "%d for dev=%s ino=%ld\n", __func__,
1584 				       -rc, inode->i_sb->s_id, inode->i_ino);
1585 				kfree(context);
1586 				goto out;
1587 			}
1588 			/* Map ENODATA to the default file SID */
1589 			sid = sbsec->def_sid;
1590 			rc = 0;
1591 		} else {
1592 			rc = security_context_to_sid_default(context, rc, &sid,
1593 							     sbsec->def_sid,
1594 							     GFP_NOFS);
1595 			if (rc) {
1596 				char *dev = inode->i_sb->s_id;
1597 				unsigned long ino = inode->i_ino;
1598 
1599 				if (rc == -EINVAL) {
1600 					if (printk_ratelimit())
1601 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602 							"context=%s.  This indicates you may need to relabel the inode or the "
1603 							"filesystem in question.\n", ino, dev, context);
1604 				} else {
1605 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1606 					       "returned %d for dev=%s ino=%ld\n",
1607 					       __func__, context, -rc, dev, ino);
1608 				}
1609 				kfree(context);
1610 				/* Leave with the unlabeled SID */
1611 				rc = 0;
1612 				break;
1613 			}
1614 		}
1615 		kfree(context);
1616 		break;
1617 	case SECURITY_FS_USE_TASK:
1618 		sid = task_sid;
1619 		break;
1620 	case SECURITY_FS_USE_TRANS:
1621 		/* Default to the fs SID. */
1622 		sid = sbsec->sid;
1623 
1624 		/* Try to obtain a transition SID. */
1625 		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1626 		if (rc)
1627 			goto out;
1628 		break;
1629 	case SECURITY_FS_USE_MNTPOINT:
1630 		sid = sbsec->mntpoint_sid;
1631 		break;
1632 	default:
1633 		/* Default to the fs superblock SID. */
1634 		sid = sbsec->sid;
1635 
1636 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1637 			/* We must have a dentry to determine the label on
1638 			 * procfs inodes */
1639 			if (opt_dentry)
1640 				/* Called from d_instantiate or
1641 				 * d_splice_alias. */
1642 				dentry = dget(opt_dentry);
1643 			else
1644 				/* Called from selinux_complete_init, try to
1645 				 * find a dentry. */
1646 				dentry = d_find_alias(inode);
1647 			/*
1648 			 * This can be hit on boot when a file is accessed
1649 			 * before the policy is loaded.  When we load policy we
1650 			 * may find inodes that have no dentry on the
1651 			 * sbsec->isec_head list.  No reason to complain as
1652 			 * these will get fixed up the next time we go through
1653 			 * inode_doinit() with a dentry, before these inodes
1654 			 * could be used again by userspace.
1655 			 */
1656 			if (!dentry)
1657 				goto out;
1658 			rc = selinux_genfs_get_sid(dentry, sclass,
1659 						   sbsec->flags, &sid);
1660 			dput(dentry);
1661 			if (rc)
1662 				goto out;
1663 		}
1664 		break;
1665 	}
1666 
1667 out:
1668 	spin_lock(&isec->lock);
1669 	if (isec->initialized == LABEL_PENDING) {
1670 		if (!sid || rc) {
1671 			isec->initialized = LABEL_INVALID;
1672 			goto out_unlock;
1673 		}
1674 
1675 		isec->initialized = LABEL_INITIALIZED;
1676 		isec->sid = sid;
1677 	}
1678 
1679 out_unlock:
1680 	spin_unlock(&isec->lock);
1681 	return rc;
1682 }
1683 
1684 /* Convert a Linux signal to an access vector. */
1685 static inline u32 signal_to_av(int sig)
1686 {
1687 	u32 perm = 0;
1688 
1689 	switch (sig) {
1690 	case SIGCHLD:
1691 		/* Commonly granted from child to parent. */
1692 		perm = PROCESS__SIGCHLD;
1693 		break;
1694 	case SIGKILL:
1695 		/* Cannot be caught or ignored */
1696 		perm = PROCESS__SIGKILL;
1697 		break;
1698 	case SIGSTOP:
1699 		/* Cannot be caught or ignored */
1700 		perm = PROCESS__SIGSTOP;
1701 		break;
1702 	default:
1703 		/* All other signals. */
1704 		perm = PROCESS__SIGNAL;
1705 		break;
1706 	}
1707 
1708 	return perm;
1709 }
1710 
1711 #if CAP_LAST_CAP > 63
1712 #error Fix SELinux to handle capabilities > 63.
1713 #endif
1714 
1715 /* Check whether a task is allowed to use a capability. */
1716 static int cred_has_capability(const struct cred *cred,
1717 			       int cap, int audit, bool initns)
1718 {
1719 	struct common_audit_data ad;
1720 	struct av_decision avd;
1721 	u16 sclass;
1722 	u32 sid = cred_sid(cred);
1723 	u32 av = CAP_TO_MASK(cap);
1724 	int rc;
1725 
1726 	ad.type = LSM_AUDIT_DATA_CAP;
1727 	ad.u.cap = cap;
1728 
1729 	switch (CAP_TO_INDEX(cap)) {
1730 	case 0:
1731 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1732 		break;
1733 	case 1:
1734 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1735 		break;
1736 	default:
1737 		printk(KERN_ERR
1738 		       "SELinux:  out of range capability %d\n", cap);
1739 		BUG();
1740 		return -EINVAL;
1741 	}
1742 
1743 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1744 	if (audit == SECURITY_CAP_AUDIT) {
1745 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 		if (rc2)
1747 			return rc2;
1748 	}
1749 	return rc;
1750 }
1751 
1752 /* Check whether a task has a particular permission to an inode.
1753    The 'adp' parameter is optional and allows other audit
1754    data to be passed (e.g. the dentry). */
1755 static int inode_has_perm(const struct cred *cred,
1756 			  struct inode *inode,
1757 			  u32 perms,
1758 			  struct common_audit_data *adp)
1759 {
1760 	struct inode_security_struct *isec;
1761 	u32 sid;
1762 
1763 	validate_creds(cred);
1764 
1765 	if (unlikely(IS_PRIVATE(inode)))
1766 		return 0;
1767 
1768 	sid = cred_sid(cred);
1769 	isec = inode->i_security;
1770 
1771 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1772 }
1773 
1774 /* Same as inode_has_perm, but pass explicit audit data containing
1775    the dentry to help the auditing code to more easily generate the
1776    pathname if needed. */
1777 static inline int dentry_has_perm(const struct cred *cred,
1778 				  struct dentry *dentry,
1779 				  u32 av)
1780 {
1781 	struct inode *inode = d_backing_inode(dentry);
1782 	struct common_audit_data ad;
1783 
1784 	ad.type = LSM_AUDIT_DATA_DENTRY;
1785 	ad.u.dentry = dentry;
1786 	__inode_security_revalidate(inode, dentry, true);
1787 	return inode_has_perm(cred, inode, av, &ad);
1788 }
1789 
1790 /* Same as inode_has_perm, but pass explicit audit data containing
1791    the path to help the auditing code to more easily generate the
1792    pathname if needed. */
1793 static inline int path_has_perm(const struct cred *cred,
1794 				const struct path *path,
1795 				u32 av)
1796 {
1797 	struct inode *inode = d_backing_inode(path->dentry);
1798 	struct common_audit_data ad;
1799 
1800 	ad.type = LSM_AUDIT_DATA_PATH;
1801 	ad.u.path = *path;
1802 	__inode_security_revalidate(inode, path->dentry, true);
1803 	return inode_has_perm(cred, inode, av, &ad);
1804 }
1805 
1806 /* Same as path_has_perm, but uses the inode from the file struct. */
1807 static inline int file_path_has_perm(const struct cred *cred,
1808 				     struct file *file,
1809 				     u32 av)
1810 {
1811 	struct common_audit_data ad;
1812 
1813 	ad.type = LSM_AUDIT_DATA_FILE;
1814 	ad.u.file = file;
1815 	return inode_has_perm(cred, file_inode(file), av, &ad);
1816 }
1817 
1818 #ifdef CONFIG_BPF_SYSCALL
1819 static int bpf_fd_pass(struct file *file, u32 sid);
1820 #endif
1821 
1822 /* Check whether a task can use an open file descriptor to
1823    access an inode in a given way.  Check access to the
1824    descriptor itself, and then use dentry_has_perm to
1825    check a particular permission to the file.
1826    Access to the descriptor is implicitly granted if it
1827    has the same SID as the process.  If av is zero, then
1828    access to the file is not checked, e.g. for cases
1829    where only the descriptor is affected like seek. */
1830 static int file_has_perm(const struct cred *cred,
1831 			 struct file *file,
1832 			 u32 av)
1833 {
1834 	struct file_security_struct *fsec = file->f_security;
1835 	struct inode *inode = file_inode(file);
1836 	struct common_audit_data ad;
1837 	u32 sid = cred_sid(cred);
1838 	int rc;
1839 
1840 	ad.type = LSM_AUDIT_DATA_FILE;
1841 	ad.u.file = file;
1842 
1843 	if (sid != fsec->sid) {
1844 		rc = avc_has_perm(sid, fsec->sid,
1845 				  SECCLASS_FD,
1846 				  FD__USE,
1847 				  &ad);
1848 		if (rc)
1849 			goto out;
1850 	}
1851 
1852 #ifdef CONFIG_BPF_SYSCALL
1853 	rc = bpf_fd_pass(file, cred_sid(cred));
1854 	if (rc)
1855 		return rc;
1856 #endif
1857 
1858 	/* av is zero if only checking access to the descriptor. */
1859 	rc = 0;
1860 	if (av)
1861 		rc = inode_has_perm(cred, inode, av, &ad);
1862 
1863 out:
1864 	return rc;
1865 }
1866 
1867 /*
1868  * Determine the label for an inode that might be unioned.
1869  */
1870 static int
1871 selinux_determine_inode_label(const struct task_security_struct *tsec,
1872 				 struct inode *dir,
1873 				 const struct qstr *name, u16 tclass,
1874 				 u32 *_new_isid)
1875 {
1876 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1877 
1878 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1879 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880 		*_new_isid = sbsec->mntpoint_sid;
1881 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1882 		   tsec->create_sid) {
1883 		*_new_isid = tsec->create_sid;
1884 	} else {
1885 		const struct inode_security_struct *dsec = inode_security(dir);
1886 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887 					       name, _new_isid);
1888 	}
1889 
1890 	return 0;
1891 }
1892 
1893 /* Check whether a task can create a file. */
1894 static int may_create(struct inode *dir,
1895 		      struct dentry *dentry,
1896 		      u16 tclass)
1897 {
1898 	const struct task_security_struct *tsec = current_security();
1899 	struct inode_security_struct *dsec;
1900 	struct superblock_security_struct *sbsec;
1901 	u32 sid, newsid;
1902 	struct common_audit_data ad;
1903 	int rc;
1904 
1905 	dsec = inode_security(dir);
1906 	sbsec = dir->i_sb->s_security;
1907 
1908 	sid = tsec->sid;
1909 
1910 	ad.type = LSM_AUDIT_DATA_DENTRY;
1911 	ad.u.dentry = dentry;
1912 
1913 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1914 			  DIR__ADD_NAME | DIR__SEARCH,
1915 			  &ad);
1916 	if (rc)
1917 		return rc;
1918 
1919 	rc = selinux_determine_inode_label(current_security(), dir,
1920 					   &dentry->d_name, tclass, &newsid);
1921 	if (rc)
1922 		return rc;
1923 
1924 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1925 	if (rc)
1926 		return rc;
1927 
1928 	return avc_has_perm(newsid, sbsec->sid,
1929 			    SECCLASS_FILESYSTEM,
1930 			    FILESYSTEM__ASSOCIATE, &ad);
1931 }
1932 
1933 #define MAY_LINK	0
1934 #define MAY_UNLINK	1
1935 #define MAY_RMDIR	2
1936 
1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1938 static int may_link(struct inode *dir,
1939 		    struct dentry *dentry,
1940 		    int kind)
1941 
1942 {
1943 	struct inode_security_struct *dsec, *isec;
1944 	struct common_audit_data ad;
1945 	u32 sid = current_sid();
1946 	u32 av;
1947 	int rc;
1948 
1949 	dsec = inode_security(dir);
1950 	isec = backing_inode_security(dentry);
1951 
1952 	ad.type = LSM_AUDIT_DATA_DENTRY;
1953 	ad.u.dentry = dentry;
1954 
1955 	av = DIR__SEARCH;
1956 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 	if (rc)
1959 		return rc;
1960 
1961 	switch (kind) {
1962 	case MAY_LINK:
1963 		av = FILE__LINK;
1964 		break;
1965 	case MAY_UNLINK:
1966 		av = FILE__UNLINK;
1967 		break;
1968 	case MAY_RMDIR:
1969 		av = DIR__RMDIR;
1970 		break;
1971 	default:
1972 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1973 			__func__, kind);
1974 		return 0;
1975 	}
1976 
1977 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1978 	return rc;
1979 }
1980 
1981 static inline int may_rename(struct inode *old_dir,
1982 			     struct dentry *old_dentry,
1983 			     struct inode *new_dir,
1984 			     struct dentry *new_dentry)
1985 {
1986 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1987 	struct common_audit_data ad;
1988 	u32 sid = current_sid();
1989 	u32 av;
1990 	int old_is_dir, new_is_dir;
1991 	int rc;
1992 
1993 	old_dsec = inode_security(old_dir);
1994 	old_isec = backing_inode_security(old_dentry);
1995 	old_is_dir = d_is_dir(old_dentry);
1996 	new_dsec = inode_security(new_dir);
1997 
1998 	ad.type = LSM_AUDIT_DATA_DENTRY;
1999 
2000 	ad.u.dentry = old_dentry;
2001 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2002 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 	if (rc)
2004 		return rc;
2005 	rc = avc_has_perm(sid, old_isec->sid,
2006 			  old_isec->sclass, FILE__RENAME, &ad);
2007 	if (rc)
2008 		return rc;
2009 	if (old_is_dir && new_dir != old_dir) {
2010 		rc = avc_has_perm(sid, old_isec->sid,
2011 				  old_isec->sclass, DIR__REPARENT, &ad);
2012 		if (rc)
2013 			return rc;
2014 	}
2015 
2016 	ad.u.dentry = new_dentry;
2017 	av = DIR__ADD_NAME | DIR__SEARCH;
2018 	if (d_is_positive(new_dentry))
2019 		av |= DIR__REMOVE_NAME;
2020 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 	if (rc)
2022 		return rc;
2023 	if (d_is_positive(new_dentry)) {
2024 		new_isec = backing_inode_security(new_dentry);
2025 		new_is_dir = d_is_dir(new_dentry);
2026 		rc = avc_has_perm(sid, new_isec->sid,
2027 				  new_isec->sclass,
2028 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 		if (rc)
2030 			return rc;
2031 	}
2032 
2033 	return 0;
2034 }
2035 
2036 /* Check whether a task can perform a filesystem operation. */
2037 static int superblock_has_perm(const struct cred *cred,
2038 			       struct super_block *sb,
2039 			       u32 perms,
2040 			       struct common_audit_data *ad)
2041 {
2042 	struct superblock_security_struct *sbsec;
2043 	u32 sid = cred_sid(cred);
2044 
2045 	sbsec = sb->s_security;
2046 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047 }
2048 
2049 /* Convert a Linux mode and permission mask to an access vector. */
2050 static inline u32 file_mask_to_av(int mode, int mask)
2051 {
2052 	u32 av = 0;
2053 
2054 	if (!S_ISDIR(mode)) {
2055 		if (mask & MAY_EXEC)
2056 			av |= FILE__EXECUTE;
2057 		if (mask & MAY_READ)
2058 			av |= FILE__READ;
2059 
2060 		if (mask & MAY_APPEND)
2061 			av |= FILE__APPEND;
2062 		else if (mask & MAY_WRITE)
2063 			av |= FILE__WRITE;
2064 
2065 	} else {
2066 		if (mask & MAY_EXEC)
2067 			av |= DIR__SEARCH;
2068 		if (mask & MAY_WRITE)
2069 			av |= DIR__WRITE;
2070 		if (mask & MAY_READ)
2071 			av |= DIR__READ;
2072 	}
2073 
2074 	return av;
2075 }
2076 
2077 /* Convert a Linux file to an access vector. */
2078 static inline u32 file_to_av(struct file *file)
2079 {
2080 	u32 av = 0;
2081 
2082 	if (file->f_mode & FMODE_READ)
2083 		av |= FILE__READ;
2084 	if (file->f_mode & FMODE_WRITE) {
2085 		if (file->f_flags & O_APPEND)
2086 			av |= FILE__APPEND;
2087 		else
2088 			av |= FILE__WRITE;
2089 	}
2090 	if (!av) {
2091 		/*
2092 		 * Special file opened with flags 3 for ioctl-only use.
2093 		 */
2094 		av = FILE__IOCTL;
2095 	}
2096 
2097 	return av;
2098 }
2099 
2100 /*
2101  * Convert a file to an access vector and include the correct open
2102  * open permission.
2103  */
2104 static inline u32 open_file_to_av(struct file *file)
2105 {
2106 	u32 av = file_to_av(file);
2107 	struct inode *inode = file_inode(file);
2108 
2109 	if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 		av |= FILE__OPEN;
2111 
2112 	return av;
2113 }
2114 
2115 /* Hook functions begin here. */
2116 
2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118 {
2119 	u32 mysid = current_sid();
2120 	u32 mgrsid = task_sid(mgr);
2121 
2122 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123 			    BINDER__SET_CONTEXT_MGR, NULL);
2124 }
2125 
2126 static int selinux_binder_transaction(struct task_struct *from,
2127 				      struct task_struct *to)
2128 {
2129 	u32 mysid = current_sid();
2130 	u32 fromsid = task_sid(from);
2131 	u32 tosid = task_sid(to);
2132 	int rc;
2133 
2134 	if (mysid != fromsid) {
2135 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136 				  BINDER__IMPERSONATE, NULL);
2137 		if (rc)
2138 			return rc;
2139 	}
2140 
2141 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 			    NULL);
2143 }
2144 
2145 static int selinux_binder_transfer_binder(struct task_struct *from,
2146 					  struct task_struct *to)
2147 {
2148 	u32 fromsid = task_sid(from);
2149 	u32 tosid = task_sid(to);
2150 
2151 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 			    NULL);
2153 }
2154 
2155 static int selinux_binder_transfer_file(struct task_struct *from,
2156 					struct task_struct *to,
2157 					struct file *file)
2158 {
2159 	u32 sid = task_sid(to);
2160 	struct file_security_struct *fsec = file->f_security;
2161 	struct dentry *dentry = file->f_path.dentry;
2162 	struct inode_security_struct *isec;
2163 	struct common_audit_data ad;
2164 	int rc;
2165 
2166 	ad.type = LSM_AUDIT_DATA_PATH;
2167 	ad.u.path = file->f_path;
2168 
2169 	if (sid != fsec->sid) {
2170 		rc = avc_has_perm(sid, fsec->sid,
2171 				  SECCLASS_FD,
2172 				  FD__USE,
2173 				  &ad);
2174 		if (rc)
2175 			return rc;
2176 	}
2177 
2178 #ifdef CONFIG_BPF_SYSCALL
2179 	rc = bpf_fd_pass(file, sid);
2180 	if (rc)
2181 		return rc;
2182 #endif
2183 
2184 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2185 		return 0;
2186 
2187 	isec = backing_inode_security(dentry);
2188 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189 			    &ad);
2190 }
2191 
2192 static int selinux_ptrace_access_check(struct task_struct *child,
2193 				     unsigned int mode)
2194 {
2195 	u32 sid = current_sid();
2196 	u32 csid = task_sid(child);
2197 
2198 	if (mode & PTRACE_MODE_READ)
2199 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 
2201 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202 }
2203 
2204 static int selinux_ptrace_traceme(struct task_struct *parent)
2205 {
2206 	return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 			    PROCESS__PTRACE, NULL);
2208 }
2209 
2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212 {
2213 	return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 			    PROCESS__GETCAP, NULL);
2215 }
2216 
2217 static int selinux_capset(struct cred *new, const struct cred *old,
2218 			  const kernel_cap_t *effective,
2219 			  const kernel_cap_t *inheritable,
2220 			  const kernel_cap_t *permitted)
2221 {
2222 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 			    PROCESS__SETCAP, NULL);
2224 }
2225 
2226 /*
2227  * (This comment used to live with the selinux_task_setuid hook,
2228  * which was removed).
2229  *
2230  * Since setuid only affects the current process, and since the SELinux
2231  * controls are not based on the Linux identity attributes, SELinux does not
2232  * need to control this operation.  However, SELinux does control the use of
2233  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234  */
2235 
2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237 			   int cap, int audit)
2238 {
2239 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2240 }
2241 
2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243 {
2244 	const struct cred *cred = current_cred();
2245 	int rc = 0;
2246 
2247 	if (!sb)
2248 		return 0;
2249 
2250 	switch (cmds) {
2251 	case Q_SYNC:
2252 	case Q_QUOTAON:
2253 	case Q_QUOTAOFF:
2254 	case Q_SETINFO:
2255 	case Q_SETQUOTA:
2256 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2257 		break;
2258 	case Q_GETFMT:
2259 	case Q_GETINFO:
2260 	case Q_GETQUOTA:
2261 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2262 		break;
2263 	default:
2264 		rc = 0;  /* let the kernel handle invalid cmds */
2265 		break;
2266 	}
2267 	return rc;
2268 }
2269 
2270 static int selinux_quota_on(struct dentry *dentry)
2271 {
2272 	const struct cred *cred = current_cred();
2273 
2274 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2275 }
2276 
2277 static int selinux_syslog(int type)
2278 {
2279 	switch (type) {
2280 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2281 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2282 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2285 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2286 	/* Set level of messages printed to console */
2287 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 				    NULL);
2291 	}
2292 	/* All other syslog types */
2293 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295 }
2296 
2297 /*
2298  * Check that a process has enough memory to allocate a new virtual
2299  * mapping. 0 means there is enough memory for the allocation to
2300  * succeed and -ENOMEM implies there is not.
2301  *
2302  * Do not audit the selinux permission check, as this is applied to all
2303  * processes that allocate mappings.
2304  */
2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2306 {
2307 	int rc, cap_sys_admin = 0;
2308 
2309 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2310 				 SECURITY_CAP_NOAUDIT, true);
2311 	if (rc == 0)
2312 		cap_sys_admin = 1;
2313 
2314 	return cap_sys_admin;
2315 }
2316 
2317 /* binprm security operations */
2318 
2319 static u32 ptrace_parent_sid(void)
2320 {
2321 	u32 sid = 0;
2322 	struct task_struct *tracer;
2323 
2324 	rcu_read_lock();
2325 	tracer = ptrace_parent(current);
2326 	if (tracer)
2327 		sid = task_sid(tracer);
2328 	rcu_read_unlock();
2329 
2330 	return sid;
2331 }
2332 
2333 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334 			    const struct task_security_struct *old_tsec,
2335 			    const struct task_security_struct *new_tsec)
2336 {
2337 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2338 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2339 	int rc;
2340 	u32 av;
2341 
2342 	if (!nnp && !nosuid)
2343 		return 0; /* neither NNP nor nosuid */
2344 
2345 	if (new_tsec->sid == old_tsec->sid)
2346 		return 0; /* No change in credentials */
2347 
2348 	/*
2349 	 * If the policy enables the nnp_nosuid_transition policy capability,
2350 	 * then we permit transitions under NNP or nosuid if the
2351 	 * policy allows the corresponding permission between
2352 	 * the old and new contexts.
2353 	 */
2354 	if (selinux_policycap_nnp_nosuid_transition) {
2355 		av = 0;
2356 		if (nnp)
2357 			av |= PROCESS2__NNP_TRANSITION;
2358 		if (nosuid)
2359 			av |= PROCESS2__NOSUID_TRANSITION;
2360 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361 				  SECCLASS_PROCESS2, av, NULL);
2362 		if (!rc)
2363 			return 0;
2364 	}
2365 
2366 	/*
2367 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2368 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 	 * of the permissions of the current SID.
2370 	 */
2371 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372 	if (!rc)
2373 		return 0;
2374 
2375 	/*
2376 	 * On failure, preserve the errno values for NNP vs nosuid.
2377 	 * NNP:  Operation not permitted for caller.
2378 	 * nosuid:  Permission denied to file.
2379 	 */
2380 	if (nnp)
2381 		return -EPERM;
2382 	return -EACCES;
2383 }
2384 
2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2386 {
2387 	const struct task_security_struct *old_tsec;
2388 	struct task_security_struct *new_tsec;
2389 	struct inode_security_struct *isec;
2390 	struct common_audit_data ad;
2391 	struct inode *inode = file_inode(bprm->file);
2392 	int rc;
2393 
2394 	/* SELinux context only depends on initial program or script and not
2395 	 * the script interpreter */
2396 	if (bprm->called_set_creds)
2397 		return 0;
2398 
2399 	old_tsec = current_security();
2400 	new_tsec = bprm->cred->security;
2401 	isec = inode_security(inode);
2402 
2403 	/* Default to the current task SID. */
2404 	new_tsec->sid = old_tsec->sid;
2405 	new_tsec->osid = old_tsec->sid;
2406 
2407 	/* Reset fs, key, and sock SIDs on execve. */
2408 	new_tsec->create_sid = 0;
2409 	new_tsec->keycreate_sid = 0;
2410 	new_tsec->sockcreate_sid = 0;
2411 
2412 	if (old_tsec->exec_sid) {
2413 		new_tsec->sid = old_tsec->exec_sid;
2414 		/* Reset exec SID on execve. */
2415 		new_tsec->exec_sid = 0;
2416 
2417 		/* Fail on NNP or nosuid if not an allowed transition. */
2418 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419 		if (rc)
2420 			return rc;
2421 	} else {
2422 		/* Check for a default transition on this program. */
2423 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2424 					     SECCLASS_PROCESS, NULL,
2425 					     &new_tsec->sid);
2426 		if (rc)
2427 			return rc;
2428 
2429 		/*
2430 		 * Fallback to old SID on NNP or nosuid if not an allowed
2431 		 * transition.
2432 		 */
2433 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434 		if (rc)
2435 			new_tsec->sid = old_tsec->sid;
2436 	}
2437 
2438 	ad.type = LSM_AUDIT_DATA_FILE;
2439 	ad.u.file = bprm->file;
2440 
2441 	if (new_tsec->sid == old_tsec->sid) {
2442 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2443 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 		if (rc)
2445 			return rc;
2446 	} else {
2447 		/* Check permissions for the transition. */
2448 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2449 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 		if (rc)
2451 			return rc;
2452 
2453 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2454 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 		if (rc)
2456 			return rc;
2457 
2458 		/* Check for shared state */
2459 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461 					  SECCLASS_PROCESS, PROCESS__SHARE,
2462 					  NULL);
2463 			if (rc)
2464 				return -EPERM;
2465 		}
2466 
2467 		/* Make sure that anyone attempting to ptrace over a task that
2468 		 * changes its SID has the appropriate permit */
2469 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 			u32 ptsid = ptrace_parent_sid();
2471 			if (ptsid != 0) {
2472 				rc = avc_has_perm(ptsid, new_tsec->sid,
2473 						  SECCLASS_PROCESS,
2474 						  PROCESS__PTRACE, NULL);
2475 				if (rc)
2476 					return -EPERM;
2477 			}
2478 		}
2479 
2480 		/* Clear any possibly unsafe personality bits on exec: */
2481 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2482 
2483 		/* Enable secure mode for SIDs transitions unless
2484 		   the noatsecure permission is granted between
2485 		   the two SIDs, i.e. ahp returns 0. */
2486 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 				  NULL);
2489 		bprm->secureexec |= !!rc;
2490 	}
2491 
2492 	return 0;
2493 }
2494 
2495 static int match_file(const void *p, struct file *file, unsigned fd)
2496 {
2497 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498 }
2499 
2500 /* Derived from fs/exec.c:flush_old_files. */
2501 static inline void flush_unauthorized_files(const struct cred *cred,
2502 					    struct files_struct *files)
2503 {
2504 	struct file *file, *devnull = NULL;
2505 	struct tty_struct *tty;
2506 	int drop_tty = 0;
2507 	unsigned n;
2508 
2509 	tty = get_current_tty();
2510 	if (tty) {
2511 		spin_lock(&tty->files_lock);
2512 		if (!list_empty(&tty->tty_files)) {
2513 			struct tty_file_private *file_priv;
2514 
2515 			/* Revalidate access to controlling tty.
2516 			   Use file_path_has_perm on the tty path directly
2517 			   rather than using file_has_perm, as this particular
2518 			   open file may belong to another process and we are
2519 			   only interested in the inode-based check here. */
2520 			file_priv = list_first_entry(&tty->tty_files,
2521 						struct tty_file_private, list);
2522 			file = file_priv->file;
2523 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2524 				drop_tty = 1;
2525 		}
2526 		spin_unlock(&tty->files_lock);
2527 		tty_kref_put(tty);
2528 	}
2529 	/* Reset controlling tty. */
2530 	if (drop_tty)
2531 		no_tty();
2532 
2533 	/* Revalidate access to inherited open files. */
2534 	n = iterate_fd(files, 0, match_file, cred);
2535 	if (!n) /* none found? */
2536 		return;
2537 
2538 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2539 	if (IS_ERR(devnull))
2540 		devnull = NULL;
2541 	/* replace all the matching ones with this */
2542 	do {
2543 		replace_fd(n - 1, devnull, 0);
2544 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545 	if (devnull)
2546 		fput(devnull);
2547 }
2548 
2549 /*
2550  * Prepare a process for imminent new credential changes due to exec
2551  */
2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2553 {
2554 	struct task_security_struct *new_tsec;
2555 	struct rlimit *rlim, *initrlim;
2556 	int rc, i;
2557 
2558 	new_tsec = bprm->cred->security;
2559 	if (new_tsec->sid == new_tsec->osid)
2560 		return;
2561 
2562 	/* Close files for which the new task SID is not authorized. */
2563 	flush_unauthorized_files(bprm->cred, current->files);
2564 
2565 	/* Always clear parent death signal on SID transitions. */
2566 	current->pdeath_signal = 0;
2567 
2568 	/* Check whether the new SID can inherit resource limits from the old
2569 	 * SID.  If not, reset all soft limits to the lower of the current
2570 	 * task's hard limit and the init task's soft limit.
2571 	 *
2572 	 * Note that the setting of hard limits (even to lower them) can be
2573 	 * controlled by the setrlimit check.  The inclusion of the init task's
2574 	 * soft limit into the computation is to avoid resetting soft limits
2575 	 * higher than the default soft limit for cases where the default is
2576 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 	 */
2578 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 			  PROCESS__RLIMITINH, NULL);
2580 	if (rc) {
2581 		/* protect against do_prlimit() */
2582 		task_lock(current);
2583 		for (i = 0; i < RLIM_NLIMITS; i++) {
2584 			rlim = current->signal->rlim + i;
2585 			initrlim = init_task.signal->rlim + i;
2586 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2587 		}
2588 		task_unlock(current);
2589 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591 	}
2592 }
2593 
2594 /*
2595  * Clean up the process immediately after the installation of new credentials
2596  * due to exec
2597  */
2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2599 {
2600 	const struct task_security_struct *tsec = current_security();
2601 	struct itimerval itimer;
2602 	u32 osid, sid;
2603 	int rc, i;
2604 
2605 	osid = tsec->osid;
2606 	sid = tsec->sid;
2607 
2608 	if (sid == osid)
2609 		return;
2610 
2611 	/* Check whether the new SID can inherit signal state from the old SID.
2612 	 * If not, clear itimers to avoid subsequent signal generation and
2613 	 * flush and unblock signals.
2614 	 *
2615 	 * This must occur _after_ the task SID has been updated so that any
2616 	 * kill done after the flush will be checked against the new SID.
2617 	 */
2618 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 	if (rc) {
2620 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 			memset(&itimer, 0, sizeof itimer);
2622 			for (i = 0; i < 3; i++)
2623 				do_setitimer(i, &itimer, NULL);
2624 		}
2625 		spin_lock_irq(&current->sighand->siglock);
2626 		if (!fatal_signal_pending(current)) {
2627 			flush_sigqueue(&current->pending);
2628 			flush_sigqueue(&current->signal->shared_pending);
2629 			flush_signal_handlers(current, 1);
2630 			sigemptyset(&current->blocked);
2631 			recalc_sigpending();
2632 		}
2633 		spin_unlock_irq(&current->sighand->siglock);
2634 	}
2635 
2636 	/* Wake up the parent if it is waiting so that it can recheck
2637 	 * wait permission to the new task SID. */
2638 	read_lock(&tasklist_lock);
2639 	__wake_up_parent(current, current->real_parent);
2640 	read_unlock(&tasklist_lock);
2641 }
2642 
2643 /* superblock security operations */
2644 
2645 static int selinux_sb_alloc_security(struct super_block *sb)
2646 {
2647 	return superblock_alloc_security(sb);
2648 }
2649 
2650 static void selinux_sb_free_security(struct super_block *sb)
2651 {
2652 	superblock_free_security(sb);
2653 }
2654 
2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656 {
2657 	if (plen > olen)
2658 		return 0;
2659 
2660 	return !memcmp(prefix, option, plen);
2661 }
2662 
2663 static inline int selinux_option(char *option, int len)
2664 {
2665 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2668 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2670 }
2671 
2672 static inline void take_option(char **to, char *from, int *first, int len)
2673 {
2674 	if (!*first) {
2675 		**to = ',';
2676 		*to += 1;
2677 	} else
2678 		*first = 0;
2679 	memcpy(*to, from, len);
2680 	*to += len;
2681 }
2682 
2683 static inline void take_selinux_option(char **to, char *from, int *first,
2684 				       int len)
2685 {
2686 	int current_size = 0;
2687 
2688 	if (!*first) {
2689 		**to = '|';
2690 		*to += 1;
2691 	} else
2692 		*first = 0;
2693 
2694 	while (current_size < len) {
2695 		if (*from != '"') {
2696 			**to = *from;
2697 			*to += 1;
2698 		}
2699 		from += 1;
2700 		current_size += 1;
2701 	}
2702 }
2703 
2704 static int selinux_sb_copy_data(char *orig, char *copy)
2705 {
2706 	int fnosec, fsec, rc = 0;
2707 	char *in_save, *in_curr, *in_end;
2708 	char *sec_curr, *nosec_save, *nosec;
2709 	int open_quote = 0;
2710 
2711 	in_curr = orig;
2712 	sec_curr = copy;
2713 
2714 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715 	if (!nosec) {
2716 		rc = -ENOMEM;
2717 		goto out;
2718 	}
2719 
2720 	nosec_save = nosec;
2721 	fnosec = fsec = 1;
2722 	in_save = in_end = orig;
2723 
2724 	do {
2725 		if (*in_end == '"')
2726 			open_quote = !open_quote;
2727 		if ((*in_end == ',' && open_quote == 0) ||
2728 				*in_end == '\0') {
2729 			int len = in_end - in_curr;
2730 
2731 			if (selinux_option(in_curr, len))
2732 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2733 			else
2734 				take_option(&nosec, in_curr, &fnosec, len);
2735 
2736 			in_curr = in_end + 1;
2737 		}
2738 	} while (*in_end++);
2739 
2740 	strcpy(in_save, nosec_save);
2741 	free_page((unsigned long)nosec_save);
2742 out:
2743 	return rc;
2744 }
2745 
2746 static int selinux_sb_remount(struct super_block *sb, void *data)
2747 {
2748 	int rc, i, *flags;
2749 	struct security_mnt_opts opts;
2750 	char *secdata, **mount_options;
2751 	struct superblock_security_struct *sbsec = sb->s_security;
2752 
2753 	if (!(sbsec->flags & SE_SBINITIALIZED))
2754 		return 0;
2755 
2756 	if (!data)
2757 		return 0;
2758 
2759 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760 		return 0;
2761 
2762 	security_init_mnt_opts(&opts);
2763 	secdata = alloc_secdata();
2764 	if (!secdata)
2765 		return -ENOMEM;
2766 	rc = selinux_sb_copy_data(data, secdata);
2767 	if (rc)
2768 		goto out_free_secdata;
2769 
2770 	rc = selinux_parse_opts_str(secdata, &opts);
2771 	if (rc)
2772 		goto out_free_secdata;
2773 
2774 	mount_options = opts.mnt_opts;
2775 	flags = opts.mnt_opts_flags;
2776 
2777 	for (i = 0; i < opts.num_mnt_opts; i++) {
2778 		u32 sid;
2779 
2780 		if (flags[i] == SBLABEL_MNT)
2781 			continue;
2782 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2783 		if (rc) {
2784 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2786 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2787 			goto out_free_opts;
2788 		}
2789 		rc = -EINVAL;
2790 		switch (flags[i]) {
2791 		case FSCONTEXT_MNT:
2792 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793 				goto out_bad_option;
2794 			break;
2795 		case CONTEXT_MNT:
2796 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797 				goto out_bad_option;
2798 			break;
2799 		case ROOTCONTEXT_MNT: {
2800 			struct inode_security_struct *root_isec;
2801 			root_isec = backing_inode_security(sb->s_root);
2802 
2803 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804 				goto out_bad_option;
2805 			break;
2806 		}
2807 		case DEFCONTEXT_MNT:
2808 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809 				goto out_bad_option;
2810 			break;
2811 		default:
2812 			goto out_free_opts;
2813 		}
2814 	}
2815 
2816 	rc = 0;
2817 out_free_opts:
2818 	security_free_mnt_opts(&opts);
2819 out_free_secdata:
2820 	free_secdata(secdata);
2821 	return rc;
2822 out_bad_option:
2823 	printk(KERN_WARNING "SELinux: unable to change security options "
2824 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2825 	       sb->s_type->name);
2826 	goto out_free_opts;
2827 }
2828 
2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2830 {
2831 	const struct cred *cred = current_cred();
2832 	struct common_audit_data ad;
2833 	int rc;
2834 
2835 	rc = superblock_doinit(sb, data);
2836 	if (rc)
2837 		return rc;
2838 
2839 	/* Allow all mounts performed by the kernel */
2840 	if (flags & MS_KERNMOUNT)
2841 		return 0;
2842 
2843 	ad.type = LSM_AUDIT_DATA_DENTRY;
2844 	ad.u.dentry = sb->s_root;
2845 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2846 }
2847 
2848 static int selinux_sb_statfs(struct dentry *dentry)
2849 {
2850 	const struct cred *cred = current_cred();
2851 	struct common_audit_data ad;
2852 
2853 	ad.type = LSM_AUDIT_DATA_DENTRY;
2854 	ad.u.dentry = dentry->d_sb->s_root;
2855 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2856 }
2857 
2858 static int selinux_mount(const char *dev_name,
2859 			 const struct path *path,
2860 			 const char *type,
2861 			 unsigned long flags,
2862 			 void *data)
2863 {
2864 	const struct cred *cred = current_cred();
2865 
2866 	if (flags & MS_REMOUNT)
2867 		return superblock_has_perm(cred, path->dentry->d_sb,
2868 					   FILESYSTEM__REMOUNT, NULL);
2869 	else
2870 		return path_has_perm(cred, path, FILE__MOUNTON);
2871 }
2872 
2873 static int selinux_umount(struct vfsmount *mnt, int flags)
2874 {
2875 	const struct cred *cred = current_cred();
2876 
2877 	return superblock_has_perm(cred, mnt->mnt_sb,
2878 				   FILESYSTEM__UNMOUNT, NULL);
2879 }
2880 
2881 /* inode security operations */
2882 
2883 static int selinux_inode_alloc_security(struct inode *inode)
2884 {
2885 	return inode_alloc_security(inode);
2886 }
2887 
2888 static void selinux_inode_free_security(struct inode *inode)
2889 {
2890 	inode_free_security(inode);
2891 }
2892 
2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894 					const struct qstr *name, void **ctx,
2895 					u32 *ctxlen)
2896 {
2897 	u32 newsid;
2898 	int rc;
2899 
2900 	rc = selinux_determine_inode_label(current_security(),
2901 					   d_inode(dentry->d_parent), name,
2902 					   inode_mode_to_security_class(mode),
2903 					   &newsid);
2904 	if (rc)
2905 		return rc;
2906 
2907 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908 }
2909 
2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911 					  struct qstr *name,
2912 					  const struct cred *old,
2913 					  struct cred *new)
2914 {
2915 	u32 newsid;
2916 	int rc;
2917 	struct task_security_struct *tsec;
2918 
2919 	rc = selinux_determine_inode_label(old->security,
2920 					   d_inode(dentry->d_parent), name,
2921 					   inode_mode_to_security_class(mode),
2922 					   &newsid);
2923 	if (rc)
2924 		return rc;
2925 
2926 	tsec = new->security;
2927 	tsec->create_sid = newsid;
2928 	return 0;
2929 }
2930 
2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2932 				       const struct qstr *qstr,
2933 				       const char **name,
2934 				       void **value, size_t *len)
2935 {
2936 	const struct task_security_struct *tsec = current_security();
2937 	struct superblock_security_struct *sbsec;
2938 	u32 newsid, clen;
2939 	int rc;
2940 	char *context;
2941 
2942 	sbsec = dir->i_sb->s_security;
2943 
2944 	newsid = tsec->create_sid;
2945 
2946 	rc = selinux_determine_inode_label(current_security(),
2947 		dir, qstr,
2948 		inode_mode_to_security_class(inode->i_mode),
2949 		&newsid);
2950 	if (rc)
2951 		return rc;
2952 
2953 	/* Possibly defer initialization to selinux_complete_init. */
2954 	if (sbsec->flags & SE_SBINITIALIZED) {
2955 		struct inode_security_struct *isec = inode->i_security;
2956 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957 		isec->sid = newsid;
2958 		isec->initialized = LABEL_INITIALIZED;
2959 	}
2960 
2961 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962 		return -EOPNOTSUPP;
2963 
2964 	if (name)
2965 		*name = XATTR_SELINUX_SUFFIX;
2966 
2967 	if (value && len) {
2968 		rc = security_sid_to_context_force(newsid, &context, &clen);
2969 		if (rc)
2970 			return rc;
2971 		*value = context;
2972 		*len = clen;
2973 	}
2974 
2975 	return 0;
2976 }
2977 
2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979 {
2980 	return may_create(dir, dentry, SECCLASS_FILE);
2981 }
2982 
2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984 {
2985 	return may_link(dir, old_dentry, MAY_LINK);
2986 }
2987 
2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989 {
2990 	return may_link(dir, dentry, MAY_UNLINK);
2991 }
2992 
2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994 {
2995 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996 }
2997 
2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999 {
3000 	return may_create(dir, dentry, SECCLASS_DIR);
3001 }
3002 
3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004 {
3005 	return may_link(dir, dentry, MAY_RMDIR);
3006 }
3007 
3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009 {
3010 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011 }
3012 
3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014 				struct inode *new_inode, struct dentry *new_dentry)
3015 {
3016 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017 }
3018 
3019 static int selinux_inode_readlink(struct dentry *dentry)
3020 {
3021 	const struct cred *cred = current_cred();
3022 
3023 	return dentry_has_perm(cred, dentry, FILE__READ);
3024 }
3025 
3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027 				     bool rcu)
3028 {
3029 	const struct cred *cred = current_cred();
3030 	struct common_audit_data ad;
3031 	struct inode_security_struct *isec;
3032 	u32 sid;
3033 
3034 	validate_creds(cred);
3035 
3036 	ad.type = LSM_AUDIT_DATA_DENTRY;
3037 	ad.u.dentry = dentry;
3038 	sid = cred_sid(cred);
3039 	isec = inode_security_rcu(inode, rcu);
3040 	if (IS_ERR(isec))
3041 		return PTR_ERR(isec);
3042 
3043 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 				  rcu ? MAY_NOT_BLOCK : 0);
3045 }
3046 
3047 static noinline int audit_inode_permission(struct inode *inode,
3048 					   u32 perms, u32 audited, u32 denied,
3049 					   int result,
3050 					   unsigned flags)
3051 {
3052 	struct common_audit_data ad;
3053 	struct inode_security_struct *isec = inode->i_security;
3054 	int rc;
3055 
3056 	ad.type = LSM_AUDIT_DATA_INODE;
3057 	ad.u.inode = inode;
3058 
3059 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3060 			    audited, denied, result, &ad, flags);
3061 	if (rc)
3062 		return rc;
3063 	return 0;
3064 }
3065 
3066 static int selinux_inode_permission(struct inode *inode, int mask)
3067 {
3068 	const struct cred *cred = current_cred();
3069 	u32 perms;
3070 	bool from_access;
3071 	unsigned flags = mask & MAY_NOT_BLOCK;
3072 	struct inode_security_struct *isec;
3073 	u32 sid;
3074 	struct av_decision avd;
3075 	int rc, rc2;
3076 	u32 audited, denied;
3077 
3078 	from_access = mask & MAY_ACCESS;
3079 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080 
3081 	/* No permission to check.  Existence test. */
3082 	if (!mask)
3083 		return 0;
3084 
3085 	validate_creds(cred);
3086 
3087 	if (unlikely(IS_PRIVATE(inode)))
3088 		return 0;
3089 
3090 	perms = file_mask_to_av(inode->i_mode, mask);
3091 
3092 	sid = cred_sid(cred);
3093 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094 	if (IS_ERR(isec))
3095 		return PTR_ERR(isec);
3096 
3097 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 	audited = avc_audit_required(perms, &avd, rc,
3099 				     from_access ? FILE__AUDIT_ACCESS : 0,
3100 				     &denied);
3101 	if (likely(!audited))
3102 		return rc;
3103 
3104 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3105 	if (rc2)
3106 		return rc2;
3107 	return rc;
3108 }
3109 
3110 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111 {
3112 	const struct cred *cred = current_cred();
3113 	struct inode *inode = d_backing_inode(dentry);
3114 	unsigned int ia_valid = iattr->ia_valid;
3115 	__u32 av = FILE__WRITE;
3116 
3117 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118 	if (ia_valid & ATTR_FORCE) {
3119 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120 			      ATTR_FORCE);
3121 		if (!ia_valid)
3122 			return 0;
3123 	}
3124 
3125 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 
3129 	if (selinux_policycap_openperm &&
3130 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 	    (ia_valid & ATTR_SIZE) &&
3132 	    !(ia_valid & ATTR_FILE))
3133 		av |= FILE__OPEN;
3134 
3135 	return dentry_has_perm(cred, dentry, av);
3136 }
3137 
3138 static int selinux_inode_getattr(const struct path *path)
3139 {
3140 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3141 }
3142 
3143 static bool has_cap_mac_admin(bool audit)
3144 {
3145 	const struct cred *cred = current_cred();
3146 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147 
3148 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149 		return false;
3150 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151 		return false;
3152 	return true;
3153 }
3154 
3155 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156 				  const void *value, size_t size, int flags)
3157 {
3158 	struct inode *inode = d_backing_inode(dentry);
3159 	struct inode_security_struct *isec;
3160 	struct superblock_security_struct *sbsec;
3161 	struct common_audit_data ad;
3162 	u32 newsid, sid = current_sid();
3163 	int rc = 0;
3164 
3165 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3166 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167 		if (rc)
3168 			return rc;
3169 
3170 		/* Not an attribute we recognize, so just check the
3171 		   ordinary setattr permission. */
3172 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173 	}
3174 
3175 	sbsec = inode->i_sb->s_security;
3176 	if (!(sbsec->flags & SBLABEL_MNT))
3177 		return -EOPNOTSUPP;
3178 
3179 	if (!inode_owner_or_capable(inode))
3180 		return -EPERM;
3181 
3182 	ad.type = LSM_AUDIT_DATA_DENTRY;
3183 	ad.u.dentry = dentry;
3184 
3185 	isec = backing_inode_security(dentry);
3186 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3187 			  FILE__RELABELFROM, &ad);
3188 	if (rc)
3189 		return rc;
3190 
3191 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3192 	if (rc == -EINVAL) {
3193 		if (!has_cap_mac_admin(true)) {
3194 			struct audit_buffer *ab;
3195 			size_t audit_size;
3196 
3197 			/* We strip a nul only if it is at the end, otherwise the
3198 			 * context contains a nul and we should audit that */
3199 			if (value) {
3200 				const char *str = value;
3201 
3202 				if (str[size - 1] == '\0')
3203 					audit_size = size - 1;
3204 				else
3205 					audit_size = size;
3206 			} else {
3207 				audit_size = 0;
3208 			}
3209 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210 			audit_log_format(ab, "op=setxattr invalid_context=");
3211 			audit_log_n_untrustedstring(ab, value, audit_size);
3212 			audit_log_end(ab);
3213 
3214 			return rc;
3215 		}
3216 		rc = security_context_to_sid_force(value, size, &newsid);
3217 	}
3218 	if (rc)
3219 		return rc;
3220 
3221 	rc = avc_has_perm(sid, newsid, isec->sclass,
3222 			  FILE__RELABELTO, &ad);
3223 	if (rc)
3224 		return rc;
3225 
3226 	rc = security_validate_transition(isec->sid, newsid, sid,
3227 					  isec->sclass);
3228 	if (rc)
3229 		return rc;
3230 
3231 	return avc_has_perm(newsid,
3232 			    sbsec->sid,
3233 			    SECCLASS_FILESYSTEM,
3234 			    FILESYSTEM__ASSOCIATE,
3235 			    &ad);
3236 }
3237 
3238 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3239 					const void *value, size_t size,
3240 					int flags)
3241 {
3242 	struct inode *inode = d_backing_inode(dentry);
3243 	struct inode_security_struct *isec;
3244 	u32 newsid;
3245 	int rc;
3246 
3247 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3248 		/* Not an attribute we recognize, so nothing to do. */
3249 		return;
3250 	}
3251 
3252 	rc = security_context_to_sid_force(value, size, &newsid);
3253 	if (rc) {
3254 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3255 		       "for (%s, %lu), rc=%d\n",
3256 		       inode->i_sb->s_id, inode->i_ino, -rc);
3257 		return;
3258 	}
3259 
3260 	isec = backing_inode_security(dentry);
3261 	spin_lock(&isec->lock);
3262 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3263 	isec->sid = newsid;
3264 	isec->initialized = LABEL_INITIALIZED;
3265 	spin_unlock(&isec->lock);
3266 
3267 	return;
3268 }
3269 
3270 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3271 {
3272 	const struct cred *cred = current_cred();
3273 
3274 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3275 }
3276 
3277 static int selinux_inode_listxattr(struct dentry *dentry)
3278 {
3279 	const struct cred *cred = current_cred();
3280 
3281 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3282 }
3283 
3284 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3285 {
3286 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3287 		int rc = cap_inode_removexattr(dentry, name);
3288 		if (rc)
3289 			return rc;
3290 
3291 		/* Not an attribute we recognize, so just check the
3292 		   ordinary setattr permission. */
3293 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294 	}
3295 
3296 	/* No one is allowed to remove a SELinux security label.
3297 	   You can change the label, but all data must be labeled. */
3298 	return -EACCES;
3299 }
3300 
3301 /*
3302  * Copy the inode security context value to the user.
3303  *
3304  * Permission check is handled by selinux_inode_getxattr hook.
3305  */
3306 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3307 {
3308 	u32 size;
3309 	int error;
3310 	char *context = NULL;
3311 	struct inode_security_struct *isec;
3312 
3313 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314 		return -EOPNOTSUPP;
3315 
3316 	/*
3317 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3318 	 * value even if it is not defined by current policy; otherwise,
3319 	 * use the in-core value under current policy.
3320 	 * Use the non-auditing forms of the permission checks since
3321 	 * getxattr may be called by unprivileged processes commonly
3322 	 * and lack of permission just means that we fall back to the
3323 	 * in-core context value, not a denial.
3324 	 */
3325 	isec = inode_security(inode);
3326 	if (has_cap_mac_admin(false))
3327 		error = security_sid_to_context_force(isec->sid, &context,
3328 						      &size);
3329 	else
3330 		error = security_sid_to_context(isec->sid, &context, &size);
3331 	if (error)
3332 		return error;
3333 	error = size;
3334 	if (alloc) {
3335 		*buffer = context;
3336 		goto out_nofree;
3337 	}
3338 	kfree(context);
3339 out_nofree:
3340 	return error;
3341 }
3342 
3343 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3344 				     const void *value, size_t size, int flags)
3345 {
3346 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3347 	u32 newsid;
3348 	int rc;
3349 
3350 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3351 		return -EOPNOTSUPP;
3352 
3353 	if (!value || !size)
3354 		return -EACCES;
3355 
3356 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3357 	if (rc)
3358 		return rc;
3359 
3360 	spin_lock(&isec->lock);
3361 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3362 	isec->sid = newsid;
3363 	isec->initialized = LABEL_INITIALIZED;
3364 	spin_unlock(&isec->lock);
3365 	return 0;
3366 }
3367 
3368 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3369 {
3370 	const int len = sizeof(XATTR_NAME_SELINUX);
3371 	if (buffer && len <= buffer_size)
3372 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3373 	return len;
3374 }
3375 
3376 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3377 {
3378 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3379 	*secid = isec->sid;
3380 }
3381 
3382 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3383 {
3384 	u32 sid;
3385 	struct task_security_struct *tsec;
3386 	struct cred *new_creds = *new;
3387 
3388 	if (new_creds == NULL) {
3389 		new_creds = prepare_creds();
3390 		if (!new_creds)
3391 			return -ENOMEM;
3392 	}
3393 
3394 	tsec = new_creds->security;
3395 	/* Get label from overlay inode and set it in create_sid */
3396 	selinux_inode_getsecid(d_inode(src), &sid);
3397 	tsec->create_sid = sid;
3398 	*new = new_creds;
3399 	return 0;
3400 }
3401 
3402 static int selinux_inode_copy_up_xattr(const char *name)
3403 {
3404 	/* The copy_up hook above sets the initial context on an inode, but we
3405 	 * don't then want to overwrite it by blindly copying all the lower
3406 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3407 	 */
3408 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3409 		return 1; /* Discard */
3410 	/*
3411 	 * Any other attribute apart from SELINUX is not claimed, supported
3412 	 * by selinux.
3413 	 */
3414 	return -EOPNOTSUPP;
3415 }
3416 
3417 /* file security operations */
3418 
3419 static int selinux_revalidate_file_permission(struct file *file, int mask)
3420 {
3421 	const struct cred *cred = current_cred();
3422 	struct inode *inode = file_inode(file);
3423 
3424 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3426 		mask |= MAY_APPEND;
3427 
3428 	return file_has_perm(cred, file,
3429 			     file_mask_to_av(inode->i_mode, mask));
3430 }
3431 
3432 static int selinux_file_permission(struct file *file, int mask)
3433 {
3434 	struct inode *inode = file_inode(file);
3435 	struct file_security_struct *fsec = file->f_security;
3436 	struct inode_security_struct *isec;
3437 	u32 sid = current_sid();
3438 
3439 	if (!mask)
3440 		/* No permission to check.  Existence test. */
3441 		return 0;
3442 
3443 	isec = inode_security(inode);
3444 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 	    fsec->pseqno == avc_policy_seqno())
3446 		/* No change since file_open check. */
3447 		return 0;
3448 
3449 	return selinux_revalidate_file_permission(file, mask);
3450 }
3451 
3452 static int selinux_file_alloc_security(struct file *file)
3453 {
3454 	return file_alloc_security(file);
3455 }
3456 
3457 static void selinux_file_free_security(struct file *file)
3458 {
3459 	file_free_security(file);
3460 }
3461 
3462 /*
3463  * Check whether a task has the ioctl permission and cmd
3464  * operation to an inode.
3465  */
3466 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3467 		u32 requested, u16 cmd)
3468 {
3469 	struct common_audit_data ad;
3470 	struct file_security_struct *fsec = file->f_security;
3471 	struct inode *inode = file_inode(file);
3472 	struct inode_security_struct *isec;
3473 	struct lsm_ioctlop_audit ioctl;
3474 	u32 ssid = cred_sid(cred);
3475 	int rc;
3476 	u8 driver = cmd >> 8;
3477 	u8 xperm = cmd & 0xff;
3478 
3479 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3480 	ad.u.op = &ioctl;
3481 	ad.u.op->cmd = cmd;
3482 	ad.u.op->path = file->f_path;
3483 
3484 	if (ssid != fsec->sid) {
3485 		rc = avc_has_perm(ssid, fsec->sid,
3486 				SECCLASS_FD,
3487 				FD__USE,
3488 				&ad);
3489 		if (rc)
3490 			goto out;
3491 	}
3492 
3493 	if (unlikely(IS_PRIVATE(inode)))
3494 		return 0;
3495 
3496 	isec = inode_security(inode);
3497 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3498 			requested, driver, xperm, &ad);
3499 out:
3500 	return rc;
3501 }
3502 
3503 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3504 			      unsigned long arg)
3505 {
3506 	const struct cred *cred = current_cred();
3507 	int error = 0;
3508 
3509 	switch (cmd) {
3510 	case FIONREAD:
3511 	/* fall through */
3512 	case FIBMAP:
3513 	/* fall through */
3514 	case FIGETBSZ:
3515 	/* fall through */
3516 	case FS_IOC_GETFLAGS:
3517 	/* fall through */
3518 	case FS_IOC_GETVERSION:
3519 		error = file_has_perm(cred, file, FILE__GETATTR);
3520 		break;
3521 
3522 	case FS_IOC_SETFLAGS:
3523 	/* fall through */
3524 	case FS_IOC_SETVERSION:
3525 		error = file_has_perm(cred, file, FILE__SETATTR);
3526 		break;
3527 
3528 	/* sys_ioctl() checks */
3529 	case FIONBIO:
3530 	/* fall through */
3531 	case FIOASYNC:
3532 		error = file_has_perm(cred, file, 0);
3533 		break;
3534 
3535 	case KDSKBENT:
3536 	case KDSKBSENT:
3537 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3538 					    SECURITY_CAP_AUDIT, true);
3539 		break;
3540 
3541 	/* default case assumes that the command will go
3542 	 * to the file's ioctl() function.
3543 	 */
3544 	default:
3545 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3546 	}
3547 	return error;
3548 }
3549 
3550 static int default_noexec;
3551 
3552 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3553 {
3554 	const struct cred *cred = current_cred();
3555 	u32 sid = cred_sid(cred);
3556 	int rc = 0;
3557 
3558 	if (default_noexec &&
3559 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3560 				   (!shared && (prot & PROT_WRITE)))) {
3561 		/*
3562 		 * We are making executable an anonymous mapping or a
3563 		 * private file mapping that will also be writable.
3564 		 * This has an additional check.
3565 		 */
3566 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3567 				  PROCESS__EXECMEM, NULL);
3568 		if (rc)
3569 			goto error;
3570 	}
3571 
3572 	if (file) {
3573 		/* read access is always possible with a mapping */
3574 		u32 av = FILE__READ;
3575 
3576 		/* write access only matters if the mapping is shared */
3577 		if (shared && (prot & PROT_WRITE))
3578 			av |= FILE__WRITE;
3579 
3580 		if (prot & PROT_EXEC)
3581 			av |= FILE__EXECUTE;
3582 
3583 		return file_has_perm(cred, file, av);
3584 	}
3585 
3586 error:
3587 	return rc;
3588 }
3589 
3590 static int selinux_mmap_addr(unsigned long addr)
3591 {
3592 	int rc = 0;
3593 
3594 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 		u32 sid = current_sid();
3596 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3597 				  MEMPROTECT__MMAP_ZERO, NULL);
3598 	}
3599 
3600 	return rc;
3601 }
3602 
3603 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3604 			     unsigned long prot, unsigned long flags)
3605 {
3606 	struct common_audit_data ad;
3607 	int rc;
3608 
3609 	if (file) {
3610 		ad.type = LSM_AUDIT_DATA_FILE;
3611 		ad.u.file = file;
3612 		rc = inode_has_perm(current_cred(), file_inode(file),
3613 				    FILE__MAP, &ad);
3614 		if (rc)
3615 			return rc;
3616 	}
3617 
3618 	if (selinux_checkreqprot)
3619 		prot = reqprot;
3620 
3621 	return file_map_prot_check(file, prot,
3622 				   (flags & MAP_TYPE) == MAP_SHARED);
3623 }
3624 
3625 static int selinux_file_mprotect(struct vm_area_struct *vma,
3626 				 unsigned long reqprot,
3627 				 unsigned long prot)
3628 {
3629 	const struct cred *cred = current_cred();
3630 	u32 sid = cred_sid(cred);
3631 
3632 	if (selinux_checkreqprot)
3633 		prot = reqprot;
3634 
3635 	if (default_noexec &&
3636 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3637 		int rc = 0;
3638 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 		    vma->vm_end <= vma->vm_mm->brk) {
3640 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3641 					  PROCESS__EXECHEAP, NULL);
3642 		} else if (!vma->vm_file &&
3643 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3645 			    vma_is_stack_for_current(vma))) {
3646 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3647 					  PROCESS__EXECSTACK, NULL);
3648 		} else if (vma->vm_file && vma->anon_vma) {
3649 			/*
3650 			 * We are making executable a file mapping that has
3651 			 * had some COW done. Since pages might have been
3652 			 * written, check ability to execute the possibly
3653 			 * modified content.  This typically should only
3654 			 * occur for text relocations.
3655 			 */
3656 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3657 		}
3658 		if (rc)
3659 			return rc;
3660 	}
3661 
3662 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3663 }
3664 
3665 static int selinux_file_lock(struct file *file, unsigned int cmd)
3666 {
3667 	const struct cred *cred = current_cred();
3668 
3669 	return file_has_perm(cred, file, FILE__LOCK);
3670 }
3671 
3672 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3673 			      unsigned long arg)
3674 {
3675 	const struct cred *cred = current_cred();
3676 	int err = 0;
3677 
3678 	switch (cmd) {
3679 	case F_SETFL:
3680 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3681 			err = file_has_perm(cred, file, FILE__WRITE);
3682 			break;
3683 		}
3684 		/* fall through */
3685 	case F_SETOWN:
3686 	case F_SETSIG:
3687 	case F_GETFL:
3688 	case F_GETOWN:
3689 	case F_GETSIG:
3690 	case F_GETOWNER_UIDS:
3691 		/* Just check FD__USE permission */
3692 		err = file_has_perm(cred, file, 0);
3693 		break;
3694 	case F_GETLK:
3695 	case F_SETLK:
3696 	case F_SETLKW:
3697 	case F_OFD_GETLK:
3698 	case F_OFD_SETLK:
3699 	case F_OFD_SETLKW:
3700 #if BITS_PER_LONG == 32
3701 	case F_GETLK64:
3702 	case F_SETLK64:
3703 	case F_SETLKW64:
3704 #endif
3705 		err = file_has_perm(cred, file, FILE__LOCK);
3706 		break;
3707 	}
3708 
3709 	return err;
3710 }
3711 
3712 static void selinux_file_set_fowner(struct file *file)
3713 {
3714 	struct file_security_struct *fsec;
3715 
3716 	fsec = file->f_security;
3717 	fsec->fown_sid = current_sid();
3718 }
3719 
3720 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3721 				       struct fown_struct *fown, int signum)
3722 {
3723 	struct file *file;
3724 	u32 sid = task_sid(tsk);
3725 	u32 perm;
3726 	struct file_security_struct *fsec;
3727 
3728 	/* struct fown_struct is never outside the context of a struct file */
3729 	file = container_of(fown, struct file, f_owner);
3730 
3731 	fsec = file->f_security;
3732 
3733 	if (!signum)
3734 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3735 	else
3736 		perm = signal_to_av(signum);
3737 
3738 	return avc_has_perm(fsec->fown_sid, sid,
3739 			    SECCLASS_PROCESS, perm, NULL);
3740 }
3741 
3742 static int selinux_file_receive(struct file *file)
3743 {
3744 	const struct cred *cred = current_cred();
3745 
3746 	return file_has_perm(cred, file, file_to_av(file));
3747 }
3748 
3749 static int selinux_file_open(struct file *file, const struct cred *cred)
3750 {
3751 	struct file_security_struct *fsec;
3752 	struct inode_security_struct *isec;
3753 
3754 	fsec = file->f_security;
3755 	isec = inode_security(file_inode(file));
3756 	/*
3757 	 * Save inode label and policy sequence number
3758 	 * at open-time so that selinux_file_permission
3759 	 * can determine whether revalidation is necessary.
3760 	 * Task label is already saved in the file security
3761 	 * struct as its SID.
3762 	 */
3763 	fsec->isid = isec->sid;
3764 	fsec->pseqno = avc_policy_seqno();
3765 	/*
3766 	 * Since the inode label or policy seqno may have changed
3767 	 * between the selinux_inode_permission check and the saving
3768 	 * of state above, recheck that access is still permitted.
3769 	 * Otherwise, access might never be revalidated against the
3770 	 * new inode label or new policy.
3771 	 * This check is not redundant - do not remove.
3772 	 */
3773 	return file_path_has_perm(cred, file, open_file_to_av(file));
3774 }
3775 
3776 /* task security operations */
3777 
3778 static int selinux_task_alloc(struct task_struct *task,
3779 			      unsigned long clone_flags)
3780 {
3781 	u32 sid = current_sid();
3782 
3783 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784 }
3785 
3786 /*
3787  * allocate the SELinux part of blank credentials
3788  */
3789 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3790 {
3791 	struct task_security_struct *tsec;
3792 
3793 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3794 	if (!tsec)
3795 		return -ENOMEM;
3796 
3797 	cred->security = tsec;
3798 	return 0;
3799 }
3800 
3801 /*
3802  * detach and free the LSM part of a set of credentials
3803  */
3804 static void selinux_cred_free(struct cred *cred)
3805 {
3806 	struct task_security_struct *tsec = cred->security;
3807 
3808 	/*
3809 	 * cred->security == NULL if security_cred_alloc_blank() or
3810 	 * security_prepare_creds() returned an error.
3811 	 */
3812 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3813 	cred->security = (void *) 0x7UL;
3814 	kfree(tsec);
3815 }
3816 
3817 /*
3818  * prepare a new set of credentials for modification
3819  */
3820 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3821 				gfp_t gfp)
3822 {
3823 	const struct task_security_struct *old_tsec;
3824 	struct task_security_struct *tsec;
3825 
3826 	old_tsec = old->security;
3827 
3828 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3829 	if (!tsec)
3830 		return -ENOMEM;
3831 
3832 	new->security = tsec;
3833 	return 0;
3834 }
3835 
3836 /*
3837  * transfer the SELinux data to a blank set of creds
3838  */
3839 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3840 {
3841 	const struct task_security_struct *old_tsec = old->security;
3842 	struct task_security_struct *tsec = new->security;
3843 
3844 	*tsec = *old_tsec;
3845 }
3846 
3847 /*
3848  * set the security data for a kernel service
3849  * - all the creation contexts are set to unlabelled
3850  */
3851 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3852 {
3853 	struct task_security_struct *tsec = new->security;
3854 	u32 sid = current_sid();
3855 	int ret;
3856 
3857 	ret = avc_has_perm(sid, secid,
3858 			   SECCLASS_KERNEL_SERVICE,
3859 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 			   NULL);
3861 	if (ret == 0) {
3862 		tsec->sid = secid;
3863 		tsec->create_sid = 0;
3864 		tsec->keycreate_sid = 0;
3865 		tsec->sockcreate_sid = 0;
3866 	}
3867 	return ret;
3868 }
3869 
3870 /*
3871  * set the file creation context in a security record to the same as the
3872  * objective context of the specified inode
3873  */
3874 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3875 {
3876 	struct inode_security_struct *isec = inode_security(inode);
3877 	struct task_security_struct *tsec = new->security;
3878 	u32 sid = current_sid();
3879 	int ret;
3880 
3881 	ret = avc_has_perm(sid, isec->sid,
3882 			   SECCLASS_KERNEL_SERVICE,
3883 			   KERNEL_SERVICE__CREATE_FILES_AS,
3884 			   NULL);
3885 
3886 	if (ret == 0)
3887 		tsec->create_sid = isec->sid;
3888 	return ret;
3889 }
3890 
3891 static int selinux_kernel_module_request(char *kmod_name)
3892 {
3893 	struct common_audit_data ad;
3894 
3895 	ad.type = LSM_AUDIT_DATA_KMOD;
3896 	ad.u.kmod_name = kmod_name;
3897 
3898 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 			    SYSTEM__MODULE_REQUEST, &ad);
3900 }
3901 
3902 static int selinux_kernel_module_from_file(struct file *file)
3903 {
3904 	struct common_audit_data ad;
3905 	struct inode_security_struct *isec;
3906 	struct file_security_struct *fsec;
3907 	u32 sid = current_sid();
3908 	int rc;
3909 
3910 	/* init_module */
3911 	if (file == NULL)
3912 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3913 					SYSTEM__MODULE_LOAD, NULL);
3914 
3915 	/* finit_module */
3916 
3917 	ad.type = LSM_AUDIT_DATA_FILE;
3918 	ad.u.file = file;
3919 
3920 	fsec = file->f_security;
3921 	if (sid != fsec->sid) {
3922 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 		if (rc)
3924 			return rc;
3925 	}
3926 
3927 	isec = inode_security(file_inode(file));
3928 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3929 				SYSTEM__MODULE_LOAD, &ad);
3930 }
3931 
3932 static int selinux_kernel_read_file(struct file *file,
3933 				    enum kernel_read_file_id id)
3934 {
3935 	int rc = 0;
3936 
3937 	switch (id) {
3938 	case READING_MODULE:
3939 		rc = selinux_kernel_module_from_file(file);
3940 		break;
3941 	default:
3942 		break;
3943 	}
3944 
3945 	return rc;
3946 }
3947 
3948 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949 {
3950 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 			    PROCESS__SETPGID, NULL);
3952 }
3953 
3954 static int selinux_task_getpgid(struct task_struct *p)
3955 {
3956 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 			    PROCESS__GETPGID, NULL);
3958 }
3959 
3960 static int selinux_task_getsid(struct task_struct *p)
3961 {
3962 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 			    PROCESS__GETSESSION, NULL);
3964 }
3965 
3966 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3967 {
3968 	*secid = task_sid(p);
3969 }
3970 
3971 static int selinux_task_setnice(struct task_struct *p, int nice)
3972 {
3973 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 			    PROCESS__SETSCHED, NULL);
3975 }
3976 
3977 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978 {
3979 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 			    PROCESS__SETSCHED, NULL);
3981 }
3982 
3983 static int selinux_task_getioprio(struct task_struct *p)
3984 {
3985 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 			    PROCESS__GETSCHED, NULL);
3987 }
3988 
3989 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3990 				unsigned int flags)
3991 {
3992 	u32 av = 0;
3993 
3994 	if (!flags)
3995 		return 0;
3996 	if (flags & LSM_PRLIMIT_WRITE)
3997 		av |= PROCESS__SETRLIMIT;
3998 	if (flags & LSM_PRLIMIT_READ)
3999 		av |= PROCESS__GETRLIMIT;
4000 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4001 			    SECCLASS_PROCESS, av, NULL);
4002 }
4003 
4004 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4005 		struct rlimit *new_rlim)
4006 {
4007 	struct rlimit *old_rlim = p->signal->rlim + resource;
4008 
4009 	/* Control the ability to change the hard limit (whether
4010 	   lowering or raising it), so that the hard limit can
4011 	   later be used as a safe reset point for the soft limit
4012 	   upon context transitions.  See selinux_bprm_committing_creds. */
4013 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 		return avc_has_perm(current_sid(), task_sid(p),
4015 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 
4017 	return 0;
4018 }
4019 
4020 static int selinux_task_setscheduler(struct task_struct *p)
4021 {
4022 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 			    PROCESS__SETSCHED, NULL);
4024 }
4025 
4026 static int selinux_task_getscheduler(struct task_struct *p)
4027 {
4028 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 			    PROCESS__GETSCHED, NULL);
4030 }
4031 
4032 static int selinux_task_movememory(struct task_struct *p)
4033 {
4034 	return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 			    PROCESS__SETSCHED, NULL);
4036 }
4037 
4038 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4039 				int sig, u32 secid)
4040 {
4041 	u32 perm;
4042 
4043 	if (!sig)
4044 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4045 	else
4046 		perm = signal_to_av(sig);
4047 	if (!secid)
4048 		secid = current_sid();
4049 	return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050 }
4051 
4052 static void selinux_task_to_inode(struct task_struct *p,
4053 				  struct inode *inode)
4054 {
4055 	struct inode_security_struct *isec = inode->i_security;
4056 	u32 sid = task_sid(p);
4057 
4058 	spin_lock(&isec->lock);
4059 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4060 	isec->sid = sid;
4061 	isec->initialized = LABEL_INITIALIZED;
4062 	spin_unlock(&isec->lock);
4063 }
4064 
4065 /* Returns error only if unable to parse addresses */
4066 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4067 			struct common_audit_data *ad, u8 *proto)
4068 {
4069 	int offset, ihlen, ret = -EINVAL;
4070 	struct iphdr _iph, *ih;
4071 
4072 	offset = skb_network_offset(skb);
4073 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4074 	if (ih == NULL)
4075 		goto out;
4076 
4077 	ihlen = ih->ihl * 4;
4078 	if (ihlen < sizeof(_iph))
4079 		goto out;
4080 
4081 	ad->u.net->v4info.saddr = ih->saddr;
4082 	ad->u.net->v4info.daddr = ih->daddr;
4083 	ret = 0;
4084 
4085 	if (proto)
4086 		*proto = ih->protocol;
4087 
4088 	switch (ih->protocol) {
4089 	case IPPROTO_TCP: {
4090 		struct tcphdr _tcph, *th;
4091 
4092 		if (ntohs(ih->frag_off) & IP_OFFSET)
4093 			break;
4094 
4095 		offset += ihlen;
4096 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097 		if (th == NULL)
4098 			break;
4099 
4100 		ad->u.net->sport = th->source;
4101 		ad->u.net->dport = th->dest;
4102 		break;
4103 	}
4104 
4105 	case IPPROTO_UDP: {
4106 		struct udphdr _udph, *uh;
4107 
4108 		if (ntohs(ih->frag_off) & IP_OFFSET)
4109 			break;
4110 
4111 		offset += ihlen;
4112 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4113 		if (uh == NULL)
4114 			break;
4115 
4116 		ad->u.net->sport = uh->source;
4117 		ad->u.net->dport = uh->dest;
4118 		break;
4119 	}
4120 
4121 	case IPPROTO_DCCP: {
4122 		struct dccp_hdr _dccph, *dh;
4123 
4124 		if (ntohs(ih->frag_off) & IP_OFFSET)
4125 			break;
4126 
4127 		offset += ihlen;
4128 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4129 		if (dh == NULL)
4130 			break;
4131 
4132 		ad->u.net->sport = dh->dccph_sport;
4133 		ad->u.net->dport = dh->dccph_dport;
4134 		break;
4135 	}
4136 
4137 	default:
4138 		break;
4139 	}
4140 out:
4141 	return ret;
4142 }
4143 
4144 #if IS_ENABLED(CONFIG_IPV6)
4145 
4146 /* Returns error only if unable to parse addresses */
4147 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4148 			struct common_audit_data *ad, u8 *proto)
4149 {
4150 	u8 nexthdr;
4151 	int ret = -EINVAL, offset;
4152 	struct ipv6hdr _ipv6h, *ip6;
4153 	__be16 frag_off;
4154 
4155 	offset = skb_network_offset(skb);
4156 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4157 	if (ip6 == NULL)
4158 		goto out;
4159 
4160 	ad->u.net->v6info.saddr = ip6->saddr;
4161 	ad->u.net->v6info.daddr = ip6->daddr;
4162 	ret = 0;
4163 
4164 	nexthdr = ip6->nexthdr;
4165 	offset += sizeof(_ipv6h);
4166 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4167 	if (offset < 0)
4168 		goto out;
4169 
4170 	if (proto)
4171 		*proto = nexthdr;
4172 
4173 	switch (nexthdr) {
4174 	case IPPROTO_TCP: {
4175 		struct tcphdr _tcph, *th;
4176 
4177 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4178 		if (th == NULL)
4179 			break;
4180 
4181 		ad->u.net->sport = th->source;
4182 		ad->u.net->dport = th->dest;
4183 		break;
4184 	}
4185 
4186 	case IPPROTO_UDP: {
4187 		struct udphdr _udph, *uh;
4188 
4189 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4190 		if (uh == NULL)
4191 			break;
4192 
4193 		ad->u.net->sport = uh->source;
4194 		ad->u.net->dport = uh->dest;
4195 		break;
4196 	}
4197 
4198 	case IPPROTO_DCCP: {
4199 		struct dccp_hdr _dccph, *dh;
4200 
4201 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4202 		if (dh == NULL)
4203 			break;
4204 
4205 		ad->u.net->sport = dh->dccph_sport;
4206 		ad->u.net->dport = dh->dccph_dport;
4207 		break;
4208 	}
4209 
4210 	/* includes fragments */
4211 	default:
4212 		break;
4213 	}
4214 out:
4215 	return ret;
4216 }
4217 
4218 #endif /* IPV6 */
4219 
4220 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4221 			     char **_addrp, int src, u8 *proto)
4222 {
4223 	char *addrp;
4224 	int ret;
4225 
4226 	switch (ad->u.net->family) {
4227 	case PF_INET:
4228 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4229 		if (ret)
4230 			goto parse_error;
4231 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4232 				       &ad->u.net->v4info.daddr);
4233 		goto okay;
4234 
4235 #if IS_ENABLED(CONFIG_IPV6)
4236 	case PF_INET6:
4237 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4238 		if (ret)
4239 			goto parse_error;
4240 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4241 				       &ad->u.net->v6info.daddr);
4242 		goto okay;
4243 #endif	/* IPV6 */
4244 	default:
4245 		addrp = NULL;
4246 		goto okay;
4247 	}
4248 
4249 parse_error:
4250 	printk(KERN_WARNING
4251 	       "SELinux: failure in selinux_parse_skb(),"
4252 	       " unable to parse packet\n");
4253 	return ret;
4254 
4255 okay:
4256 	if (_addrp)
4257 		*_addrp = addrp;
4258 	return 0;
4259 }
4260 
4261 /**
4262  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4263  * @skb: the packet
4264  * @family: protocol family
4265  * @sid: the packet's peer label SID
4266  *
4267  * Description:
4268  * Check the various different forms of network peer labeling and determine
4269  * the peer label/SID for the packet; most of the magic actually occurs in
4270  * the security server function security_net_peersid_cmp().  The function
4271  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4272  * or -EACCES if @sid is invalid due to inconsistencies with the different
4273  * peer labels.
4274  *
4275  */
4276 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4277 {
4278 	int err;
4279 	u32 xfrm_sid;
4280 	u32 nlbl_sid;
4281 	u32 nlbl_type;
4282 
4283 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4284 	if (unlikely(err))
4285 		return -EACCES;
4286 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4287 	if (unlikely(err))
4288 		return -EACCES;
4289 
4290 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4291 	if (unlikely(err)) {
4292 		printk(KERN_WARNING
4293 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4294 		       " unable to determine packet's peer label\n");
4295 		return -EACCES;
4296 	}
4297 
4298 	return 0;
4299 }
4300 
4301 /**
4302  * selinux_conn_sid - Determine the child socket label for a connection
4303  * @sk_sid: the parent socket's SID
4304  * @skb_sid: the packet's SID
4305  * @conn_sid: the resulting connection SID
4306  *
4307  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4308  * combined with the MLS information from @skb_sid in order to create
4309  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4310  * of @sk_sid.  Returns zero on success, negative values on failure.
4311  *
4312  */
4313 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4314 {
4315 	int err = 0;
4316 
4317 	if (skb_sid != SECSID_NULL)
4318 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4319 	else
4320 		*conn_sid = sk_sid;
4321 
4322 	return err;
4323 }
4324 
4325 /* socket security operations */
4326 
4327 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4328 				 u16 secclass, u32 *socksid)
4329 {
4330 	if (tsec->sockcreate_sid > SECSID_NULL) {
4331 		*socksid = tsec->sockcreate_sid;
4332 		return 0;
4333 	}
4334 
4335 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4336 				       socksid);
4337 }
4338 
4339 static int sock_has_perm(struct sock *sk, u32 perms)
4340 {
4341 	struct sk_security_struct *sksec = sk->sk_security;
4342 	struct common_audit_data ad;
4343 	struct lsm_network_audit net = {0,};
4344 
4345 	if (sksec->sid == SECINITSID_KERNEL)
4346 		return 0;
4347 
4348 	ad.type = LSM_AUDIT_DATA_NET;
4349 	ad.u.net = &net;
4350 	ad.u.net->sk = sk;
4351 
4352 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4353 			    &ad);
4354 }
4355 
4356 static int selinux_socket_create(int family, int type,
4357 				 int protocol, int kern)
4358 {
4359 	const struct task_security_struct *tsec = current_security();
4360 	u32 newsid;
4361 	u16 secclass;
4362 	int rc;
4363 
4364 	if (kern)
4365 		return 0;
4366 
4367 	secclass = socket_type_to_security_class(family, type, protocol);
4368 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4369 	if (rc)
4370 		return rc;
4371 
4372 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373 }
4374 
4375 static int selinux_socket_post_create(struct socket *sock, int family,
4376 				      int type, int protocol, int kern)
4377 {
4378 	const struct task_security_struct *tsec = current_security();
4379 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4380 	struct sk_security_struct *sksec;
4381 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4382 	u32 sid = SECINITSID_KERNEL;
4383 	int err = 0;
4384 
4385 	if (!kern) {
4386 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4387 		if (err)
4388 			return err;
4389 	}
4390 
4391 	isec->sclass = sclass;
4392 	isec->sid = sid;
4393 	isec->initialized = LABEL_INITIALIZED;
4394 
4395 	if (sock->sk) {
4396 		sksec = sock->sk->sk_security;
4397 		sksec->sclass = sclass;
4398 		sksec->sid = sid;
4399 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4400 	}
4401 
4402 	return err;
4403 }
4404 
4405 /* Range of port numbers used to automatically bind.
4406    Need to determine whether we should perform a name_bind
4407    permission check between the socket and the port number. */
4408 
4409 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4410 {
4411 	struct sock *sk = sock->sk;
4412 	u16 family;
4413 	int err;
4414 
4415 	err = sock_has_perm(sk, SOCKET__BIND);
4416 	if (err)
4417 		goto out;
4418 
4419 	/*
4420 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4421 	 * Multiple address binding for SCTP is not supported yet: we just
4422 	 * check the first address now.
4423 	 */
4424 	family = sk->sk_family;
4425 	if (family == PF_INET || family == PF_INET6) {
4426 		char *addrp;
4427 		struct sk_security_struct *sksec = sk->sk_security;
4428 		struct common_audit_data ad;
4429 		struct lsm_network_audit net = {0,};
4430 		struct sockaddr_in *addr4 = NULL;
4431 		struct sockaddr_in6 *addr6 = NULL;
4432 		unsigned short snum;
4433 		u32 sid, node_perm;
4434 
4435 		if (family == PF_INET) {
4436 			if (addrlen < sizeof(struct sockaddr_in)) {
4437 				err = -EINVAL;
4438 				goto out;
4439 			}
4440 			addr4 = (struct sockaddr_in *)address;
4441 			snum = ntohs(addr4->sin_port);
4442 			addrp = (char *)&addr4->sin_addr.s_addr;
4443 		} else {
4444 			if (addrlen < SIN6_LEN_RFC2133) {
4445 				err = -EINVAL;
4446 				goto out;
4447 			}
4448 			addr6 = (struct sockaddr_in6 *)address;
4449 			snum = ntohs(addr6->sin6_port);
4450 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4451 		}
4452 
4453 		if (snum) {
4454 			int low, high;
4455 
4456 			inet_get_local_port_range(sock_net(sk), &low, &high);
4457 
4458 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4459 			    snum > high) {
4460 				err = sel_netport_sid(sk->sk_protocol,
4461 						      snum, &sid);
4462 				if (err)
4463 					goto out;
4464 				ad.type = LSM_AUDIT_DATA_NET;
4465 				ad.u.net = &net;
4466 				ad.u.net->sport = htons(snum);
4467 				ad.u.net->family = family;
4468 				err = avc_has_perm(sksec->sid, sid,
4469 						   sksec->sclass,
4470 						   SOCKET__NAME_BIND, &ad);
4471 				if (err)
4472 					goto out;
4473 			}
4474 		}
4475 
4476 		switch (sksec->sclass) {
4477 		case SECCLASS_TCP_SOCKET:
4478 			node_perm = TCP_SOCKET__NODE_BIND;
4479 			break;
4480 
4481 		case SECCLASS_UDP_SOCKET:
4482 			node_perm = UDP_SOCKET__NODE_BIND;
4483 			break;
4484 
4485 		case SECCLASS_DCCP_SOCKET:
4486 			node_perm = DCCP_SOCKET__NODE_BIND;
4487 			break;
4488 
4489 		default:
4490 			node_perm = RAWIP_SOCKET__NODE_BIND;
4491 			break;
4492 		}
4493 
4494 		err = sel_netnode_sid(addrp, family, &sid);
4495 		if (err)
4496 			goto out;
4497 
4498 		ad.type = LSM_AUDIT_DATA_NET;
4499 		ad.u.net = &net;
4500 		ad.u.net->sport = htons(snum);
4501 		ad.u.net->family = family;
4502 
4503 		if (family == PF_INET)
4504 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505 		else
4506 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4507 
4508 		err = avc_has_perm(sksec->sid, sid,
4509 				   sksec->sclass, node_perm, &ad);
4510 		if (err)
4511 			goto out;
4512 	}
4513 out:
4514 	return err;
4515 }
4516 
4517 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4518 {
4519 	struct sock *sk = sock->sk;
4520 	struct sk_security_struct *sksec = sk->sk_security;
4521 	int err;
4522 
4523 	err = sock_has_perm(sk, SOCKET__CONNECT);
4524 	if (err)
4525 		return err;
4526 
4527 	/*
4528 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4529 	 */
4530 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4532 		struct common_audit_data ad;
4533 		struct lsm_network_audit net = {0,};
4534 		struct sockaddr_in *addr4 = NULL;
4535 		struct sockaddr_in6 *addr6 = NULL;
4536 		unsigned short snum;
4537 		u32 sid, perm;
4538 
4539 		if (sk->sk_family == PF_INET) {
4540 			addr4 = (struct sockaddr_in *)address;
4541 			if (addrlen < sizeof(struct sockaddr_in))
4542 				return -EINVAL;
4543 			snum = ntohs(addr4->sin_port);
4544 		} else {
4545 			addr6 = (struct sockaddr_in6 *)address;
4546 			if (addrlen < SIN6_LEN_RFC2133)
4547 				return -EINVAL;
4548 			snum = ntohs(addr6->sin6_port);
4549 		}
4550 
4551 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552 		if (err)
4553 			goto out;
4554 
4555 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4556 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4557 
4558 		ad.type = LSM_AUDIT_DATA_NET;
4559 		ad.u.net = &net;
4560 		ad.u.net->dport = htons(snum);
4561 		ad.u.net->family = sk->sk_family;
4562 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4563 		if (err)
4564 			goto out;
4565 	}
4566 
4567 	err = selinux_netlbl_socket_connect(sk, address);
4568 
4569 out:
4570 	return err;
4571 }
4572 
4573 static int selinux_socket_listen(struct socket *sock, int backlog)
4574 {
4575 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4576 }
4577 
4578 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4579 {
4580 	int err;
4581 	struct inode_security_struct *isec;
4582 	struct inode_security_struct *newisec;
4583 	u16 sclass;
4584 	u32 sid;
4585 
4586 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4587 	if (err)
4588 		return err;
4589 
4590 	isec = inode_security_novalidate(SOCK_INODE(sock));
4591 	spin_lock(&isec->lock);
4592 	sclass = isec->sclass;
4593 	sid = isec->sid;
4594 	spin_unlock(&isec->lock);
4595 
4596 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4597 	newisec->sclass = sclass;
4598 	newisec->sid = sid;
4599 	newisec->initialized = LABEL_INITIALIZED;
4600 
4601 	return 0;
4602 }
4603 
4604 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4605 				  int size)
4606 {
4607 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4608 }
4609 
4610 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4611 				  int size, int flags)
4612 {
4613 	return sock_has_perm(sock->sk, SOCKET__READ);
4614 }
4615 
4616 static int selinux_socket_getsockname(struct socket *sock)
4617 {
4618 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4619 }
4620 
4621 static int selinux_socket_getpeername(struct socket *sock)
4622 {
4623 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4624 }
4625 
4626 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4627 {
4628 	int err;
4629 
4630 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4631 	if (err)
4632 		return err;
4633 
4634 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4635 }
4636 
4637 static int selinux_socket_getsockopt(struct socket *sock, int level,
4638 				     int optname)
4639 {
4640 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4641 }
4642 
4643 static int selinux_socket_shutdown(struct socket *sock, int how)
4644 {
4645 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4646 }
4647 
4648 static int selinux_socket_unix_stream_connect(struct sock *sock,
4649 					      struct sock *other,
4650 					      struct sock *newsk)
4651 {
4652 	struct sk_security_struct *sksec_sock = sock->sk_security;
4653 	struct sk_security_struct *sksec_other = other->sk_security;
4654 	struct sk_security_struct *sksec_new = newsk->sk_security;
4655 	struct common_audit_data ad;
4656 	struct lsm_network_audit net = {0,};
4657 	int err;
4658 
4659 	ad.type = LSM_AUDIT_DATA_NET;
4660 	ad.u.net = &net;
4661 	ad.u.net->sk = other;
4662 
4663 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4664 			   sksec_other->sclass,
4665 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666 	if (err)
4667 		return err;
4668 
4669 	/* server child socket */
4670 	sksec_new->peer_sid = sksec_sock->sid;
4671 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4672 				    &sksec_new->sid);
4673 	if (err)
4674 		return err;
4675 
4676 	/* connecting socket */
4677 	sksec_sock->peer_sid = sksec_new->sid;
4678 
4679 	return 0;
4680 }
4681 
4682 static int selinux_socket_unix_may_send(struct socket *sock,
4683 					struct socket *other)
4684 {
4685 	struct sk_security_struct *ssec = sock->sk->sk_security;
4686 	struct sk_security_struct *osec = other->sk->sk_security;
4687 	struct common_audit_data ad;
4688 	struct lsm_network_audit net = {0,};
4689 
4690 	ad.type = LSM_AUDIT_DATA_NET;
4691 	ad.u.net = &net;
4692 	ad.u.net->sk = other->sk;
4693 
4694 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695 			    &ad);
4696 }
4697 
4698 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4699 				    char *addrp, u16 family, u32 peer_sid,
4700 				    struct common_audit_data *ad)
4701 {
4702 	int err;
4703 	u32 if_sid;
4704 	u32 node_sid;
4705 
4706 	err = sel_netif_sid(ns, ifindex, &if_sid);
4707 	if (err)
4708 		return err;
4709 	err = avc_has_perm(peer_sid, if_sid,
4710 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4711 	if (err)
4712 		return err;
4713 
4714 	err = sel_netnode_sid(addrp, family, &node_sid);
4715 	if (err)
4716 		return err;
4717 	return avc_has_perm(peer_sid, node_sid,
4718 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4719 }
4720 
4721 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4722 				       u16 family)
4723 {
4724 	int err = 0;
4725 	struct sk_security_struct *sksec = sk->sk_security;
4726 	u32 sk_sid = sksec->sid;
4727 	struct common_audit_data ad;
4728 	struct lsm_network_audit net = {0,};
4729 	char *addrp;
4730 
4731 	ad.type = LSM_AUDIT_DATA_NET;
4732 	ad.u.net = &net;
4733 	ad.u.net->netif = skb->skb_iif;
4734 	ad.u.net->family = family;
4735 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4736 	if (err)
4737 		return err;
4738 
4739 	if (selinux_secmark_enabled()) {
4740 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4741 				   PACKET__RECV, &ad);
4742 		if (err)
4743 			return err;
4744 	}
4745 
4746 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4747 	if (err)
4748 		return err;
4749 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4750 
4751 	return err;
4752 }
4753 
4754 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4755 {
4756 	int err;
4757 	struct sk_security_struct *sksec = sk->sk_security;
4758 	u16 family = sk->sk_family;
4759 	u32 sk_sid = sksec->sid;
4760 	struct common_audit_data ad;
4761 	struct lsm_network_audit net = {0,};
4762 	char *addrp;
4763 	u8 secmark_active;
4764 	u8 peerlbl_active;
4765 
4766 	if (family != PF_INET && family != PF_INET6)
4767 		return 0;
4768 
4769 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4770 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4771 		family = PF_INET;
4772 
4773 	/* If any sort of compatibility mode is enabled then handoff processing
4774 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4775 	 * special handling.  We do this in an attempt to keep this function
4776 	 * as fast and as clean as possible. */
4777 	if (!selinux_policycap_netpeer)
4778 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4779 
4780 	secmark_active = selinux_secmark_enabled();
4781 	peerlbl_active = selinux_peerlbl_enabled();
4782 	if (!secmark_active && !peerlbl_active)
4783 		return 0;
4784 
4785 	ad.type = LSM_AUDIT_DATA_NET;
4786 	ad.u.net = &net;
4787 	ad.u.net->netif = skb->skb_iif;
4788 	ad.u.net->family = family;
4789 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4790 	if (err)
4791 		return err;
4792 
4793 	if (peerlbl_active) {
4794 		u32 peer_sid;
4795 
4796 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4797 		if (err)
4798 			return err;
4799 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4800 					       addrp, family, peer_sid, &ad);
4801 		if (err) {
4802 			selinux_netlbl_err(skb, family, err, 0);
4803 			return err;
4804 		}
4805 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4806 				   PEER__RECV, &ad);
4807 		if (err) {
4808 			selinux_netlbl_err(skb, family, err, 0);
4809 			return err;
4810 		}
4811 	}
4812 
4813 	if (secmark_active) {
4814 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4815 				   PACKET__RECV, &ad);
4816 		if (err)
4817 			return err;
4818 	}
4819 
4820 	return err;
4821 }
4822 
4823 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4824 					    int __user *optlen, unsigned len)
4825 {
4826 	int err = 0;
4827 	char *scontext;
4828 	u32 scontext_len;
4829 	struct sk_security_struct *sksec = sock->sk->sk_security;
4830 	u32 peer_sid = SECSID_NULL;
4831 
4832 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4834 		peer_sid = sksec->peer_sid;
4835 	if (peer_sid == SECSID_NULL)
4836 		return -ENOPROTOOPT;
4837 
4838 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4839 	if (err)
4840 		return err;
4841 
4842 	if (scontext_len > len) {
4843 		err = -ERANGE;
4844 		goto out_len;
4845 	}
4846 
4847 	if (copy_to_user(optval, scontext, scontext_len))
4848 		err = -EFAULT;
4849 
4850 out_len:
4851 	if (put_user(scontext_len, optlen))
4852 		err = -EFAULT;
4853 	kfree(scontext);
4854 	return err;
4855 }
4856 
4857 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4858 {
4859 	u32 peer_secid = SECSID_NULL;
4860 	u16 family;
4861 	struct inode_security_struct *isec;
4862 
4863 	if (skb && skb->protocol == htons(ETH_P_IP))
4864 		family = PF_INET;
4865 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4866 		family = PF_INET6;
4867 	else if (sock)
4868 		family = sock->sk->sk_family;
4869 	else
4870 		goto out;
4871 
4872 	if (sock && family == PF_UNIX) {
4873 		isec = inode_security_novalidate(SOCK_INODE(sock));
4874 		peer_secid = isec->sid;
4875 	} else if (skb)
4876 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4877 
4878 out:
4879 	*secid = peer_secid;
4880 	if (peer_secid == SECSID_NULL)
4881 		return -EINVAL;
4882 	return 0;
4883 }
4884 
4885 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4886 {
4887 	struct sk_security_struct *sksec;
4888 
4889 	sksec = kzalloc(sizeof(*sksec), priority);
4890 	if (!sksec)
4891 		return -ENOMEM;
4892 
4893 	sksec->peer_sid = SECINITSID_UNLABELED;
4894 	sksec->sid = SECINITSID_UNLABELED;
4895 	sksec->sclass = SECCLASS_SOCKET;
4896 	selinux_netlbl_sk_security_reset(sksec);
4897 	sk->sk_security = sksec;
4898 
4899 	return 0;
4900 }
4901 
4902 static void selinux_sk_free_security(struct sock *sk)
4903 {
4904 	struct sk_security_struct *sksec = sk->sk_security;
4905 
4906 	sk->sk_security = NULL;
4907 	selinux_netlbl_sk_security_free(sksec);
4908 	kfree(sksec);
4909 }
4910 
4911 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4912 {
4913 	struct sk_security_struct *sksec = sk->sk_security;
4914 	struct sk_security_struct *newsksec = newsk->sk_security;
4915 
4916 	newsksec->sid = sksec->sid;
4917 	newsksec->peer_sid = sksec->peer_sid;
4918 	newsksec->sclass = sksec->sclass;
4919 
4920 	selinux_netlbl_sk_security_reset(newsksec);
4921 }
4922 
4923 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4924 {
4925 	if (!sk)
4926 		*secid = SECINITSID_ANY_SOCKET;
4927 	else {
4928 		struct sk_security_struct *sksec = sk->sk_security;
4929 
4930 		*secid = sksec->sid;
4931 	}
4932 }
4933 
4934 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4935 {
4936 	struct inode_security_struct *isec =
4937 		inode_security_novalidate(SOCK_INODE(parent));
4938 	struct sk_security_struct *sksec = sk->sk_security;
4939 
4940 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4941 	    sk->sk_family == PF_UNIX)
4942 		isec->sid = sksec->sid;
4943 	sksec->sclass = isec->sclass;
4944 }
4945 
4946 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947 				     struct request_sock *req)
4948 {
4949 	struct sk_security_struct *sksec = sk->sk_security;
4950 	int err;
4951 	u16 family = req->rsk_ops->family;
4952 	u32 connsid;
4953 	u32 peersid;
4954 
4955 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4956 	if (err)
4957 		return err;
4958 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4959 	if (err)
4960 		return err;
4961 	req->secid = connsid;
4962 	req->peer_secid = peersid;
4963 
4964 	return selinux_netlbl_inet_conn_request(req, family);
4965 }
4966 
4967 static void selinux_inet_csk_clone(struct sock *newsk,
4968 				   const struct request_sock *req)
4969 {
4970 	struct sk_security_struct *newsksec = newsk->sk_security;
4971 
4972 	newsksec->sid = req->secid;
4973 	newsksec->peer_sid = req->peer_secid;
4974 	/* NOTE: Ideally, we should also get the isec->sid for the
4975 	   new socket in sync, but we don't have the isec available yet.
4976 	   So we will wait until sock_graft to do it, by which
4977 	   time it will have been created and available. */
4978 
4979 	/* We don't need to take any sort of lock here as we are the only
4980 	 * thread with access to newsksec */
4981 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4982 }
4983 
4984 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4985 {
4986 	u16 family = sk->sk_family;
4987 	struct sk_security_struct *sksec = sk->sk_security;
4988 
4989 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4990 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4991 		family = PF_INET;
4992 
4993 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4994 }
4995 
4996 static int selinux_secmark_relabel_packet(u32 sid)
4997 {
4998 	const struct task_security_struct *__tsec;
4999 	u32 tsid;
5000 
5001 	__tsec = current_security();
5002 	tsid = __tsec->sid;
5003 
5004 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5005 }
5006 
5007 static void selinux_secmark_refcount_inc(void)
5008 {
5009 	atomic_inc(&selinux_secmark_refcount);
5010 }
5011 
5012 static void selinux_secmark_refcount_dec(void)
5013 {
5014 	atomic_dec(&selinux_secmark_refcount);
5015 }
5016 
5017 static void selinux_req_classify_flow(const struct request_sock *req,
5018 				      struct flowi *fl)
5019 {
5020 	fl->flowi_secid = req->secid;
5021 }
5022 
5023 static int selinux_tun_dev_alloc_security(void **security)
5024 {
5025 	struct tun_security_struct *tunsec;
5026 
5027 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5028 	if (!tunsec)
5029 		return -ENOMEM;
5030 	tunsec->sid = current_sid();
5031 
5032 	*security = tunsec;
5033 	return 0;
5034 }
5035 
5036 static void selinux_tun_dev_free_security(void *security)
5037 {
5038 	kfree(security);
5039 }
5040 
5041 static int selinux_tun_dev_create(void)
5042 {
5043 	u32 sid = current_sid();
5044 
5045 	/* we aren't taking into account the "sockcreate" SID since the socket
5046 	 * that is being created here is not a socket in the traditional sense,
5047 	 * instead it is a private sock, accessible only to the kernel, and
5048 	 * representing a wide range of network traffic spanning multiple
5049 	 * connections unlike traditional sockets - check the TUN driver to
5050 	 * get a better understanding of why this socket is special */
5051 
5052 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5053 			    NULL);
5054 }
5055 
5056 static int selinux_tun_dev_attach_queue(void *security)
5057 {
5058 	struct tun_security_struct *tunsec = security;
5059 
5060 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5061 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5062 }
5063 
5064 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5065 {
5066 	struct tun_security_struct *tunsec = security;
5067 	struct sk_security_struct *sksec = sk->sk_security;
5068 
5069 	/* we don't currently perform any NetLabel based labeling here and it
5070 	 * isn't clear that we would want to do so anyway; while we could apply
5071 	 * labeling without the support of the TUN user the resulting labeled
5072 	 * traffic from the other end of the connection would almost certainly
5073 	 * cause confusion to the TUN user that had no idea network labeling
5074 	 * protocols were being used */
5075 
5076 	sksec->sid = tunsec->sid;
5077 	sksec->sclass = SECCLASS_TUN_SOCKET;
5078 
5079 	return 0;
5080 }
5081 
5082 static int selinux_tun_dev_open(void *security)
5083 {
5084 	struct tun_security_struct *tunsec = security;
5085 	u32 sid = current_sid();
5086 	int err;
5087 
5088 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5089 			   TUN_SOCKET__RELABELFROM, NULL);
5090 	if (err)
5091 		return err;
5092 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5093 			   TUN_SOCKET__RELABELTO, NULL);
5094 	if (err)
5095 		return err;
5096 	tunsec->sid = sid;
5097 
5098 	return 0;
5099 }
5100 
5101 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5102 {
5103 	int err = 0;
5104 	u32 perm;
5105 	struct nlmsghdr *nlh;
5106 	struct sk_security_struct *sksec = sk->sk_security;
5107 
5108 	if (skb->len < NLMSG_HDRLEN) {
5109 		err = -EINVAL;
5110 		goto out;
5111 	}
5112 	nlh = nlmsg_hdr(skb);
5113 
5114 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5115 	if (err) {
5116 		if (err == -EINVAL) {
5117 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5118 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5119 			       " pig=%d comm=%s\n",
5120 			       sk->sk_protocol, nlh->nlmsg_type,
5121 			       secclass_map[sksec->sclass - 1].name,
5122 			       task_pid_nr(current), current->comm);
5123 			if (!selinux_enforcing || security_get_allow_unknown())
5124 				err = 0;
5125 		}
5126 
5127 		/* Ignore */
5128 		if (err == -ENOENT)
5129 			err = 0;
5130 		goto out;
5131 	}
5132 
5133 	err = sock_has_perm(sk, perm);
5134 out:
5135 	return err;
5136 }
5137 
5138 #ifdef CONFIG_NETFILTER
5139 
5140 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5141 				       const struct net_device *indev,
5142 				       u16 family)
5143 {
5144 	int err;
5145 	char *addrp;
5146 	u32 peer_sid;
5147 	struct common_audit_data ad;
5148 	struct lsm_network_audit net = {0,};
5149 	u8 secmark_active;
5150 	u8 netlbl_active;
5151 	u8 peerlbl_active;
5152 
5153 	if (!selinux_policycap_netpeer)
5154 		return NF_ACCEPT;
5155 
5156 	secmark_active = selinux_secmark_enabled();
5157 	netlbl_active = netlbl_enabled();
5158 	peerlbl_active = selinux_peerlbl_enabled();
5159 	if (!secmark_active && !peerlbl_active)
5160 		return NF_ACCEPT;
5161 
5162 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5163 		return NF_DROP;
5164 
5165 	ad.type = LSM_AUDIT_DATA_NET;
5166 	ad.u.net = &net;
5167 	ad.u.net->netif = indev->ifindex;
5168 	ad.u.net->family = family;
5169 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5170 		return NF_DROP;
5171 
5172 	if (peerlbl_active) {
5173 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5174 					       addrp, family, peer_sid, &ad);
5175 		if (err) {
5176 			selinux_netlbl_err(skb, family, err, 1);
5177 			return NF_DROP;
5178 		}
5179 	}
5180 
5181 	if (secmark_active)
5182 		if (avc_has_perm(peer_sid, skb->secmark,
5183 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5184 			return NF_DROP;
5185 
5186 	if (netlbl_active)
5187 		/* we do this in the FORWARD path and not the POST_ROUTING
5188 		 * path because we want to make sure we apply the necessary
5189 		 * labeling before IPsec is applied so we can leverage AH
5190 		 * protection */
5191 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5192 			return NF_DROP;
5193 
5194 	return NF_ACCEPT;
5195 }
5196 
5197 static unsigned int selinux_ipv4_forward(void *priv,
5198 					 struct sk_buff *skb,
5199 					 const struct nf_hook_state *state)
5200 {
5201 	return selinux_ip_forward(skb, state->in, PF_INET);
5202 }
5203 
5204 #if IS_ENABLED(CONFIG_IPV6)
5205 static unsigned int selinux_ipv6_forward(void *priv,
5206 					 struct sk_buff *skb,
5207 					 const struct nf_hook_state *state)
5208 {
5209 	return selinux_ip_forward(skb, state->in, PF_INET6);
5210 }
5211 #endif	/* IPV6 */
5212 
5213 static unsigned int selinux_ip_output(struct sk_buff *skb,
5214 				      u16 family)
5215 {
5216 	struct sock *sk;
5217 	u32 sid;
5218 
5219 	if (!netlbl_enabled())
5220 		return NF_ACCEPT;
5221 
5222 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5223 	 * because we want to make sure we apply the necessary labeling
5224 	 * before IPsec is applied so we can leverage AH protection */
5225 	sk = skb->sk;
5226 	if (sk) {
5227 		struct sk_security_struct *sksec;
5228 
5229 		if (sk_listener(sk))
5230 			/* if the socket is the listening state then this
5231 			 * packet is a SYN-ACK packet which means it needs to
5232 			 * be labeled based on the connection/request_sock and
5233 			 * not the parent socket.  unfortunately, we can't
5234 			 * lookup the request_sock yet as it isn't queued on
5235 			 * the parent socket until after the SYN-ACK is sent.
5236 			 * the "solution" is to simply pass the packet as-is
5237 			 * as any IP option based labeling should be copied
5238 			 * from the initial connection request (in the IP
5239 			 * layer).  it is far from ideal, but until we get a
5240 			 * security label in the packet itself this is the
5241 			 * best we can do. */
5242 			return NF_ACCEPT;
5243 
5244 		/* standard practice, label using the parent socket */
5245 		sksec = sk->sk_security;
5246 		sid = sksec->sid;
5247 	} else
5248 		sid = SECINITSID_KERNEL;
5249 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5250 		return NF_DROP;
5251 
5252 	return NF_ACCEPT;
5253 }
5254 
5255 static unsigned int selinux_ipv4_output(void *priv,
5256 					struct sk_buff *skb,
5257 					const struct nf_hook_state *state)
5258 {
5259 	return selinux_ip_output(skb, PF_INET);
5260 }
5261 
5262 #if IS_ENABLED(CONFIG_IPV6)
5263 static unsigned int selinux_ipv6_output(void *priv,
5264 					struct sk_buff *skb,
5265 					const struct nf_hook_state *state)
5266 {
5267 	return selinux_ip_output(skb, PF_INET6);
5268 }
5269 #endif	/* IPV6 */
5270 
5271 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5272 						int ifindex,
5273 						u16 family)
5274 {
5275 	struct sock *sk = skb_to_full_sk(skb);
5276 	struct sk_security_struct *sksec;
5277 	struct common_audit_data ad;
5278 	struct lsm_network_audit net = {0,};
5279 	char *addrp;
5280 	u8 proto;
5281 
5282 	if (sk == NULL)
5283 		return NF_ACCEPT;
5284 	sksec = sk->sk_security;
5285 
5286 	ad.type = LSM_AUDIT_DATA_NET;
5287 	ad.u.net = &net;
5288 	ad.u.net->netif = ifindex;
5289 	ad.u.net->family = family;
5290 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5291 		return NF_DROP;
5292 
5293 	if (selinux_secmark_enabled())
5294 		if (avc_has_perm(sksec->sid, skb->secmark,
5295 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5296 			return NF_DROP_ERR(-ECONNREFUSED);
5297 
5298 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5299 		return NF_DROP_ERR(-ECONNREFUSED);
5300 
5301 	return NF_ACCEPT;
5302 }
5303 
5304 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5305 					 const struct net_device *outdev,
5306 					 u16 family)
5307 {
5308 	u32 secmark_perm;
5309 	u32 peer_sid;
5310 	int ifindex = outdev->ifindex;
5311 	struct sock *sk;
5312 	struct common_audit_data ad;
5313 	struct lsm_network_audit net = {0,};
5314 	char *addrp;
5315 	u8 secmark_active;
5316 	u8 peerlbl_active;
5317 
5318 	/* If any sort of compatibility mode is enabled then handoff processing
5319 	 * to the selinux_ip_postroute_compat() function to deal with the
5320 	 * special handling.  We do this in an attempt to keep this function
5321 	 * as fast and as clean as possible. */
5322 	if (!selinux_policycap_netpeer)
5323 		return selinux_ip_postroute_compat(skb, ifindex, family);
5324 
5325 	secmark_active = selinux_secmark_enabled();
5326 	peerlbl_active = selinux_peerlbl_enabled();
5327 	if (!secmark_active && !peerlbl_active)
5328 		return NF_ACCEPT;
5329 
5330 	sk = skb_to_full_sk(skb);
5331 
5332 #ifdef CONFIG_XFRM
5333 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5334 	 * packet transformation so allow the packet to pass without any checks
5335 	 * since we'll have another chance to perform access control checks
5336 	 * when the packet is on it's final way out.
5337 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5338 	 *       is NULL, in this case go ahead and apply access control.
5339 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5340 	 *       TCP listening state we cannot wait until the XFRM processing
5341 	 *       is done as we will miss out on the SA label if we do;
5342 	 *       unfortunately, this means more work, but it is only once per
5343 	 *       connection. */
5344 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5345 	    !(sk && sk_listener(sk)))
5346 		return NF_ACCEPT;
5347 #endif
5348 
5349 	if (sk == NULL) {
5350 		/* Without an associated socket the packet is either coming
5351 		 * from the kernel or it is being forwarded; check the packet
5352 		 * to determine which and if the packet is being forwarded
5353 		 * query the packet directly to determine the security label. */
5354 		if (skb->skb_iif) {
5355 			secmark_perm = PACKET__FORWARD_OUT;
5356 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5357 				return NF_DROP;
5358 		} else {
5359 			secmark_perm = PACKET__SEND;
5360 			peer_sid = SECINITSID_KERNEL;
5361 		}
5362 	} else if (sk_listener(sk)) {
5363 		/* Locally generated packet but the associated socket is in the
5364 		 * listening state which means this is a SYN-ACK packet.  In
5365 		 * this particular case the correct security label is assigned
5366 		 * to the connection/request_sock but unfortunately we can't
5367 		 * query the request_sock as it isn't queued on the parent
5368 		 * socket until after the SYN-ACK packet is sent; the only
5369 		 * viable choice is to regenerate the label like we do in
5370 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5371 		 * for similar problems. */
5372 		u32 skb_sid;
5373 		struct sk_security_struct *sksec;
5374 
5375 		sksec = sk->sk_security;
5376 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5377 			return NF_DROP;
5378 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5379 		 * and the packet has been through at least one XFRM
5380 		 * transformation then we must be dealing with the "final"
5381 		 * form of labeled IPsec packet; since we've already applied
5382 		 * all of our access controls on this packet we can safely
5383 		 * pass the packet. */
5384 		if (skb_sid == SECSID_NULL) {
5385 			switch (family) {
5386 			case PF_INET:
5387 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5388 					return NF_ACCEPT;
5389 				break;
5390 			case PF_INET6:
5391 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5392 					return NF_ACCEPT;
5393 				break;
5394 			default:
5395 				return NF_DROP_ERR(-ECONNREFUSED);
5396 			}
5397 		}
5398 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5399 			return NF_DROP;
5400 		secmark_perm = PACKET__SEND;
5401 	} else {
5402 		/* Locally generated packet, fetch the security label from the
5403 		 * associated socket. */
5404 		struct sk_security_struct *sksec = sk->sk_security;
5405 		peer_sid = sksec->sid;
5406 		secmark_perm = PACKET__SEND;
5407 	}
5408 
5409 	ad.type = LSM_AUDIT_DATA_NET;
5410 	ad.u.net = &net;
5411 	ad.u.net->netif = ifindex;
5412 	ad.u.net->family = family;
5413 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5414 		return NF_DROP;
5415 
5416 	if (secmark_active)
5417 		if (avc_has_perm(peer_sid, skb->secmark,
5418 				 SECCLASS_PACKET, secmark_perm, &ad))
5419 			return NF_DROP_ERR(-ECONNREFUSED);
5420 
5421 	if (peerlbl_active) {
5422 		u32 if_sid;
5423 		u32 node_sid;
5424 
5425 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5426 			return NF_DROP;
5427 		if (avc_has_perm(peer_sid, if_sid,
5428 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5429 			return NF_DROP_ERR(-ECONNREFUSED);
5430 
5431 		if (sel_netnode_sid(addrp, family, &node_sid))
5432 			return NF_DROP;
5433 		if (avc_has_perm(peer_sid, node_sid,
5434 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5435 			return NF_DROP_ERR(-ECONNREFUSED);
5436 	}
5437 
5438 	return NF_ACCEPT;
5439 }
5440 
5441 static unsigned int selinux_ipv4_postroute(void *priv,
5442 					   struct sk_buff *skb,
5443 					   const struct nf_hook_state *state)
5444 {
5445 	return selinux_ip_postroute(skb, state->out, PF_INET);
5446 }
5447 
5448 #if IS_ENABLED(CONFIG_IPV6)
5449 static unsigned int selinux_ipv6_postroute(void *priv,
5450 					   struct sk_buff *skb,
5451 					   const struct nf_hook_state *state)
5452 {
5453 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5454 }
5455 #endif	/* IPV6 */
5456 
5457 #endif	/* CONFIG_NETFILTER */
5458 
5459 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5460 {
5461 	return selinux_nlmsg_perm(sk, skb);
5462 }
5463 
5464 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5465 			      u16 sclass)
5466 {
5467 	struct ipc_security_struct *isec;
5468 
5469 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5470 	if (!isec)
5471 		return -ENOMEM;
5472 
5473 	isec->sclass = sclass;
5474 	isec->sid = current_sid();
5475 	perm->security = isec;
5476 
5477 	return 0;
5478 }
5479 
5480 static void ipc_free_security(struct kern_ipc_perm *perm)
5481 {
5482 	struct ipc_security_struct *isec = perm->security;
5483 	perm->security = NULL;
5484 	kfree(isec);
5485 }
5486 
5487 static int msg_msg_alloc_security(struct msg_msg *msg)
5488 {
5489 	struct msg_security_struct *msec;
5490 
5491 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5492 	if (!msec)
5493 		return -ENOMEM;
5494 
5495 	msec->sid = SECINITSID_UNLABELED;
5496 	msg->security = msec;
5497 
5498 	return 0;
5499 }
5500 
5501 static void msg_msg_free_security(struct msg_msg *msg)
5502 {
5503 	struct msg_security_struct *msec = msg->security;
5504 
5505 	msg->security = NULL;
5506 	kfree(msec);
5507 }
5508 
5509 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5510 			u32 perms)
5511 {
5512 	struct ipc_security_struct *isec;
5513 	struct common_audit_data ad;
5514 	u32 sid = current_sid();
5515 
5516 	isec = ipc_perms->security;
5517 
5518 	ad.type = LSM_AUDIT_DATA_IPC;
5519 	ad.u.ipc_id = ipc_perms->key;
5520 
5521 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5522 }
5523 
5524 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5525 {
5526 	return msg_msg_alloc_security(msg);
5527 }
5528 
5529 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5530 {
5531 	msg_msg_free_security(msg);
5532 }
5533 
5534 /* message queue security operations */
5535 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5536 {
5537 	struct ipc_security_struct *isec;
5538 	struct common_audit_data ad;
5539 	u32 sid = current_sid();
5540 	int rc;
5541 
5542 	rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5543 	if (rc)
5544 		return rc;
5545 
5546 	isec = msq->q_perm.security;
5547 
5548 	ad.type = LSM_AUDIT_DATA_IPC;
5549 	ad.u.ipc_id = msq->q_perm.key;
5550 
5551 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5552 			  MSGQ__CREATE, &ad);
5553 	if (rc) {
5554 		ipc_free_security(&msq->q_perm);
5555 		return rc;
5556 	}
5557 	return 0;
5558 }
5559 
5560 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5561 {
5562 	ipc_free_security(&msq->q_perm);
5563 }
5564 
5565 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5566 {
5567 	struct ipc_security_struct *isec;
5568 	struct common_audit_data ad;
5569 	u32 sid = current_sid();
5570 
5571 	isec = msq->q_perm.security;
5572 
5573 	ad.type = LSM_AUDIT_DATA_IPC;
5574 	ad.u.ipc_id = msq->q_perm.key;
5575 
5576 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5577 			    MSGQ__ASSOCIATE, &ad);
5578 }
5579 
5580 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5581 {
5582 	int err;
5583 	int perms;
5584 
5585 	switch (cmd) {
5586 	case IPC_INFO:
5587 	case MSG_INFO:
5588 		/* No specific object, just general system-wide information. */
5589 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5590 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5591 	case IPC_STAT:
5592 	case MSG_STAT:
5593 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5594 		break;
5595 	case IPC_SET:
5596 		perms = MSGQ__SETATTR;
5597 		break;
5598 	case IPC_RMID:
5599 		perms = MSGQ__DESTROY;
5600 		break;
5601 	default:
5602 		return 0;
5603 	}
5604 
5605 	err = ipc_has_perm(&msq->q_perm, perms);
5606 	return err;
5607 }
5608 
5609 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5610 {
5611 	struct ipc_security_struct *isec;
5612 	struct msg_security_struct *msec;
5613 	struct common_audit_data ad;
5614 	u32 sid = current_sid();
5615 	int rc;
5616 
5617 	isec = msq->q_perm.security;
5618 	msec = msg->security;
5619 
5620 	/*
5621 	 * First time through, need to assign label to the message
5622 	 */
5623 	if (msec->sid == SECINITSID_UNLABELED) {
5624 		/*
5625 		 * Compute new sid based on current process and
5626 		 * message queue this message will be stored in
5627 		 */
5628 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5629 					     NULL, &msec->sid);
5630 		if (rc)
5631 			return rc;
5632 	}
5633 
5634 	ad.type = LSM_AUDIT_DATA_IPC;
5635 	ad.u.ipc_id = msq->q_perm.key;
5636 
5637 	/* Can this process write to the queue? */
5638 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5639 			  MSGQ__WRITE, &ad);
5640 	if (!rc)
5641 		/* Can this process send the message */
5642 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5643 				  MSG__SEND, &ad);
5644 	if (!rc)
5645 		/* Can the message be put in the queue? */
5646 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5647 				  MSGQ__ENQUEUE, &ad);
5648 
5649 	return rc;
5650 }
5651 
5652 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5653 				    struct task_struct *target,
5654 				    long type, int mode)
5655 {
5656 	struct ipc_security_struct *isec;
5657 	struct msg_security_struct *msec;
5658 	struct common_audit_data ad;
5659 	u32 sid = task_sid(target);
5660 	int rc;
5661 
5662 	isec = msq->q_perm.security;
5663 	msec = msg->security;
5664 
5665 	ad.type = LSM_AUDIT_DATA_IPC;
5666 	ad.u.ipc_id = msq->q_perm.key;
5667 
5668 	rc = avc_has_perm(sid, isec->sid,
5669 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5670 	if (!rc)
5671 		rc = avc_has_perm(sid, msec->sid,
5672 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5673 	return rc;
5674 }
5675 
5676 /* Shared Memory security operations */
5677 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5678 {
5679 	struct ipc_security_struct *isec;
5680 	struct common_audit_data ad;
5681 	u32 sid = current_sid();
5682 	int rc;
5683 
5684 	rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5685 	if (rc)
5686 		return rc;
5687 
5688 	isec = shp->shm_perm.security;
5689 
5690 	ad.type = LSM_AUDIT_DATA_IPC;
5691 	ad.u.ipc_id = shp->shm_perm.key;
5692 
5693 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5694 			  SHM__CREATE, &ad);
5695 	if (rc) {
5696 		ipc_free_security(&shp->shm_perm);
5697 		return rc;
5698 	}
5699 	return 0;
5700 }
5701 
5702 static void selinux_shm_free_security(struct shmid_kernel *shp)
5703 {
5704 	ipc_free_security(&shp->shm_perm);
5705 }
5706 
5707 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5708 {
5709 	struct ipc_security_struct *isec;
5710 	struct common_audit_data ad;
5711 	u32 sid = current_sid();
5712 
5713 	isec = shp->shm_perm.security;
5714 
5715 	ad.type = LSM_AUDIT_DATA_IPC;
5716 	ad.u.ipc_id = shp->shm_perm.key;
5717 
5718 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5719 			    SHM__ASSOCIATE, &ad);
5720 }
5721 
5722 /* Note, at this point, shp is locked down */
5723 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5724 {
5725 	int perms;
5726 	int err;
5727 
5728 	switch (cmd) {
5729 	case IPC_INFO:
5730 	case SHM_INFO:
5731 		/* No specific object, just general system-wide information. */
5732 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5733 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5734 	case IPC_STAT:
5735 	case SHM_STAT:
5736 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5737 		break;
5738 	case IPC_SET:
5739 		perms = SHM__SETATTR;
5740 		break;
5741 	case SHM_LOCK:
5742 	case SHM_UNLOCK:
5743 		perms = SHM__LOCK;
5744 		break;
5745 	case IPC_RMID:
5746 		perms = SHM__DESTROY;
5747 		break;
5748 	default:
5749 		return 0;
5750 	}
5751 
5752 	err = ipc_has_perm(&shp->shm_perm, perms);
5753 	return err;
5754 }
5755 
5756 static int selinux_shm_shmat(struct shmid_kernel *shp,
5757 			     char __user *shmaddr, int shmflg)
5758 {
5759 	u32 perms;
5760 
5761 	if (shmflg & SHM_RDONLY)
5762 		perms = SHM__READ;
5763 	else
5764 		perms = SHM__READ | SHM__WRITE;
5765 
5766 	return ipc_has_perm(&shp->shm_perm, perms);
5767 }
5768 
5769 /* Semaphore security operations */
5770 static int selinux_sem_alloc_security(struct sem_array *sma)
5771 {
5772 	struct ipc_security_struct *isec;
5773 	struct common_audit_data ad;
5774 	u32 sid = current_sid();
5775 	int rc;
5776 
5777 	rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5778 	if (rc)
5779 		return rc;
5780 
5781 	isec = sma->sem_perm.security;
5782 
5783 	ad.type = LSM_AUDIT_DATA_IPC;
5784 	ad.u.ipc_id = sma->sem_perm.key;
5785 
5786 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5787 			  SEM__CREATE, &ad);
5788 	if (rc) {
5789 		ipc_free_security(&sma->sem_perm);
5790 		return rc;
5791 	}
5792 	return 0;
5793 }
5794 
5795 static void selinux_sem_free_security(struct sem_array *sma)
5796 {
5797 	ipc_free_security(&sma->sem_perm);
5798 }
5799 
5800 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5801 {
5802 	struct ipc_security_struct *isec;
5803 	struct common_audit_data ad;
5804 	u32 sid = current_sid();
5805 
5806 	isec = sma->sem_perm.security;
5807 
5808 	ad.type = LSM_AUDIT_DATA_IPC;
5809 	ad.u.ipc_id = sma->sem_perm.key;
5810 
5811 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5812 			    SEM__ASSOCIATE, &ad);
5813 }
5814 
5815 /* Note, at this point, sma is locked down */
5816 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5817 {
5818 	int err;
5819 	u32 perms;
5820 
5821 	switch (cmd) {
5822 	case IPC_INFO:
5823 	case SEM_INFO:
5824 		/* No specific object, just general system-wide information. */
5825 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5826 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5827 	case GETPID:
5828 	case GETNCNT:
5829 	case GETZCNT:
5830 		perms = SEM__GETATTR;
5831 		break;
5832 	case GETVAL:
5833 	case GETALL:
5834 		perms = SEM__READ;
5835 		break;
5836 	case SETVAL:
5837 	case SETALL:
5838 		perms = SEM__WRITE;
5839 		break;
5840 	case IPC_RMID:
5841 		perms = SEM__DESTROY;
5842 		break;
5843 	case IPC_SET:
5844 		perms = SEM__SETATTR;
5845 		break;
5846 	case IPC_STAT:
5847 	case SEM_STAT:
5848 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5849 		break;
5850 	default:
5851 		return 0;
5852 	}
5853 
5854 	err = ipc_has_perm(&sma->sem_perm, perms);
5855 	return err;
5856 }
5857 
5858 static int selinux_sem_semop(struct sem_array *sma,
5859 			     struct sembuf *sops, unsigned nsops, int alter)
5860 {
5861 	u32 perms;
5862 
5863 	if (alter)
5864 		perms = SEM__READ | SEM__WRITE;
5865 	else
5866 		perms = SEM__READ;
5867 
5868 	return ipc_has_perm(&sma->sem_perm, perms);
5869 }
5870 
5871 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5872 {
5873 	u32 av = 0;
5874 
5875 	av = 0;
5876 	if (flag & S_IRUGO)
5877 		av |= IPC__UNIX_READ;
5878 	if (flag & S_IWUGO)
5879 		av |= IPC__UNIX_WRITE;
5880 
5881 	if (av == 0)
5882 		return 0;
5883 
5884 	return ipc_has_perm(ipcp, av);
5885 }
5886 
5887 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5888 {
5889 	struct ipc_security_struct *isec = ipcp->security;
5890 	*secid = isec->sid;
5891 }
5892 
5893 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5894 {
5895 	if (inode)
5896 		inode_doinit_with_dentry(inode, dentry);
5897 }
5898 
5899 static int selinux_getprocattr(struct task_struct *p,
5900 			       char *name, char **value)
5901 {
5902 	const struct task_security_struct *__tsec;
5903 	u32 sid;
5904 	int error;
5905 	unsigned len;
5906 
5907 	rcu_read_lock();
5908 	__tsec = __task_cred(p)->security;
5909 
5910 	if (current != p) {
5911 		error = avc_has_perm(current_sid(), __tsec->sid,
5912 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5913 		if (error)
5914 			goto bad;
5915 	}
5916 
5917 	if (!strcmp(name, "current"))
5918 		sid = __tsec->sid;
5919 	else if (!strcmp(name, "prev"))
5920 		sid = __tsec->osid;
5921 	else if (!strcmp(name, "exec"))
5922 		sid = __tsec->exec_sid;
5923 	else if (!strcmp(name, "fscreate"))
5924 		sid = __tsec->create_sid;
5925 	else if (!strcmp(name, "keycreate"))
5926 		sid = __tsec->keycreate_sid;
5927 	else if (!strcmp(name, "sockcreate"))
5928 		sid = __tsec->sockcreate_sid;
5929 	else {
5930 		error = -EINVAL;
5931 		goto bad;
5932 	}
5933 	rcu_read_unlock();
5934 
5935 	if (!sid)
5936 		return 0;
5937 
5938 	error = security_sid_to_context(sid, value, &len);
5939 	if (error)
5940 		return error;
5941 	return len;
5942 
5943 bad:
5944 	rcu_read_unlock();
5945 	return error;
5946 }
5947 
5948 static int selinux_setprocattr(const char *name, void *value, size_t size)
5949 {
5950 	struct task_security_struct *tsec;
5951 	struct cred *new;
5952 	u32 mysid = current_sid(), sid = 0, ptsid;
5953 	int error;
5954 	char *str = value;
5955 
5956 	/*
5957 	 * Basic control over ability to set these attributes at all.
5958 	 */
5959 	if (!strcmp(name, "exec"))
5960 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5961 				     PROCESS__SETEXEC, NULL);
5962 	else if (!strcmp(name, "fscreate"))
5963 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5964 				     PROCESS__SETFSCREATE, NULL);
5965 	else if (!strcmp(name, "keycreate"))
5966 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5967 				     PROCESS__SETKEYCREATE, NULL);
5968 	else if (!strcmp(name, "sockcreate"))
5969 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5970 				     PROCESS__SETSOCKCREATE, NULL);
5971 	else if (!strcmp(name, "current"))
5972 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5973 				     PROCESS__SETCURRENT, NULL);
5974 	else
5975 		error = -EINVAL;
5976 	if (error)
5977 		return error;
5978 
5979 	/* Obtain a SID for the context, if one was specified. */
5980 	if (size && str[0] && str[0] != '\n') {
5981 		if (str[size-1] == '\n') {
5982 			str[size-1] = 0;
5983 			size--;
5984 		}
5985 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5986 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5987 			if (!has_cap_mac_admin(true)) {
5988 				struct audit_buffer *ab;
5989 				size_t audit_size;
5990 
5991 				/* We strip a nul only if it is at the end, otherwise the
5992 				 * context contains a nul and we should audit that */
5993 				if (str[size - 1] == '\0')
5994 					audit_size = size - 1;
5995 				else
5996 					audit_size = size;
5997 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5998 				audit_log_format(ab, "op=fscreate invalid_context=");
5999 				audit_log_n_untrustedstring(ab, value, audit_size);
6000 				audit_log_end(ab);
6001 
6002 				return error;
6003 			}
6004 			error = security_context_to_sid_force(value, size,
6005 							      &sid);
6006 		}
6007 		if (error)
6008 			return error;
6009 	}
6010 
6011 	new = prepare_creds();
6012 	if (!new)
6013 		return -ENOMEM;
6014 
6015 	/* Permission checking based on the specified context is
6016 	   performed during the actual operation (execve,
6017 	   open/mkdir/...), when we know the full context of the
6018 	   operation.  See selinux_bprm_set_creds for the execve
6019 	   checks and may_create for the file creation checks. The
6020 	   operation will then fail if the context is not permitted. */
6021 	tsec = new->security;
6022 	if (!strcmp(name, "exec")) {
6023 		tsec->exec_sid = sid;
6024 	} else if (!strcmp(name, "fscreate")) {
6025 		tsec->create_sid = sid;
6026 	} else if (!strcmp(name, "keycreate")) {
6027 		error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6028 				     NULL);
6029 		if (error)
6030 			goto abort_change;
6031 		tsec->keycreate_sid = sid;
6032 	} else if (!strcmp(name, "sockcreate")) {
6033 		tsec->sockcreate_sid = sid;
6034 	} else if (!strcmp(name, "current")) {
6035 		error = -EINVAL;
6036 		if (sid == 0)
6037 			goto abort_change;
6038 
6039 		/* Only allow single threaded processes to change context */
6040 		error = -EPERM;
6041 		if (!current_is_single_threaded()) {
6042 			error = security_bounded_transition(tsec->sid, sid);
6043 			if (error)
6044 				goto abort_change;
6045 		}
6046 
6047 		/* Check permissions for the transition. */
6048 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6049 				     PROCESS__DYNTRANSITION, NULL);
6050 		if (error)
6051 			goto abort_change;
6052 
6053 		/* Check for ptracing, and update the task SID if ok.
6054 		   Otherwise, leave SID unchanged and fail. */
6055 		ptsid = ptrace_parent_sid();
6056 		if (ptsid != 0) {
6057 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6058 					     PROCESS__PTRACE, NULL);
6059 			if (error)
6060 				goto abort_change;
6061 		}
6062 
6063 		tsec->sid = sid;
6064 	} else {
6065 		error = -EINVAL;
6066 		goto abort_change;
6067 	}
6068 
6069 	commit_creds(new);
6070 	return size;
6071 
6072 abort_change:
6073 	abort_creds(new);
6074 	return error;
6075 }
6076 
6077 static int selinux_ismaclabel(const char *name)
6078 {
6079 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6080 }
6081 
6082 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6083 {
6084 	return security_sid_to_context(secid, secdata, seclen);
6085 }
6086 
6087 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6088 {
6089 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6090 }
6091 
6092 static void selinux_release_secctx(char *secdata, u32 seclen)
6093 {
6094 	kfree(secdata);
6095 }
6096 
6097 static void selinux_inode_invalidate_secctx(struct inode *inode)
6098 {
6099 	struct inode_security_struct *isec = inode->i_security;
6100 
6101 	spin_lock(&isec->lock);
6102 	isec->initialized = LABEL_INVALID;
6103 	spin_unlock(&isec->lock);
6104 }
6105 
6106 /*
6107  *	called with inode->i_mutex locked
6108  */
6109 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6110 {
6111 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6112 }
6113 
6114 /*
6115  *	called with inode->i_mutex locked
6116  */
6117 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6118 {
6119 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6120 }
6121 
6122 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6123 {
6124 	int len = 0;
6125 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6126 						ctx, true);
6127 	if (len < 0)
6128 		return len;
6129 	*ctxlen = len;
6130 	return 0;
6131 }
6132 #ifdef CONFIG_KEYS
6133 
6134 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6135 			     unsigned long flags)
6136 {
6137 	const struct task_security_struct *tsec;
6138 	struct key_security_struct *ksec;
6139 
6140 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6141 	if (!ksec)
6142 		return -ENOMEM;
6143 
6144 	tsec = cred->security;
6145 	if (tsec->keycreate_sid)
6146 		ksec->sid = tsec->keycreate_sid;
6147 	else
6148 		ksec->sid = tsec->sid;
6149 
6150 	k->security = ksec;
6151 	return 0;
6152 }
6153 
6154 static void selinux_key_free(struct key *k)
6155 {
6156 	struct key_security_struct *ksec = k->security;
6157 
6158 	k->security = NULL;
6159 	kfree(ksec);
6160 }
6161 
6162 static int selinux_key_permission(key_ref_t key_ref,
6163 				  const struct cred *cred,
6164 				  unsigned perm)
6165 {
6166 	struct key *key;
6167 	struct key_security_struct *ksec;
6168 	u32 sid;
6169 
6170 	/* if no specific permissions are requested, we skip the
6171 	   permission check. No serious, additional covert channels
6172 	   appear to be created. */
6173 	if (perm == 0)
6174 		return 0;
6175 
6176 	sid = cred_sid(cred);
6177 
6178 	key = key_ref_to_ptr(key_ref);
6179 	ksec = key->security;
6180 
6181 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6182 }
6183 
6184 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6185 {
6186 	struct key_security_struct *ksec = key->security;
6187 	char *context = NULL;
6188 	unsigned len;
6189 	int rc;
6190 
6191 	rc = security_sid_to_context(ksec->sid, &context, &len);
6192 	if (!rc)
6193 		rc = len;
6194 	*_buffer = context;
6195 	return rc;
6196 }
6197 #endif
6198 
6199 #ifdef CONFIG_SECURITY_INFINIBAND
6200 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6201 {
6202 	struct common_audit_data ad;
6203 	int err;
6204 	u32 sid = 0;
6205 	struct ib_security_struct *sec = ib_sec;
6206 	struct lsm_ibpkey_audit ibpkey;
6207 
6208 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6209 	if (err)
6210 		return err;
6211 
6212 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6213 	ibpkey.subnet_prefix = subnet_prefix;
6214 	ibpkey.pkey = pkey_val;
6215 	ad.u.ibpkey = &ibpkey;
6216 	return avc_has_perm(sec->sid, sid,
6217 			    SECCLASS_INFINIBAND_PKEY,
6218 			    INFINIBAND_PKEY__ACCESS, &ad);
6219 }
6220 
6221 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6222 					    u8 port_num)
6223 {
6224 	struct common_audit_data ad;
6225 	int err;
6226 	u32 sid = 0;
6227 	struct ib_security_struct *sec = ib_sec;
6228 	struct lsm_ibendport_audit ibendport;
6229 
6230 	err = security_ib_endport_sid(dev_name, port_num, &sid);
6231 
6232 	if (err)
6233 		return err;
6234 
6235 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6236 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6237 	ibendport.port = port_num;
6238 	ad.u.ibendport = &ibendport;
6239 	return avc_has_perm(sec->sid, sid,
6240 			    SECCLASS_INFINIBAND_ENDPORT,
6241 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6242 }
6243 
6244 static int selinux_ib_alloc_security(void **ib_sec)
6245 {
6246 	struct ib_security_struct *sec;
6247 
6248 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6249 	if (!sec)
6250 		return -ENOMEM;
6251 	sec->sid = current_sid();
6252 
6253 	*ib_sec = sec;
6254 	return 0;
6255 }
6256 
6257 static void selinux_ib_free_security(void *ib_sec)
6258 {
6259 	kfree(ib_sec);
6260 }
6261 #endif
6262 
6263 #ifdef CONFIG_BPF_SYSCALL
6264 static int selinux_bpf(int cmd, union bpf_attr *attr,
6265 				     unsigned int size)
6266 {
6267 	u32 sid = current_sid();
6268 	int ret;
6269 
6270 	switch (cmd) {
6271 	case BPF_MAP_CREATE:
6272 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6273 				   NULL);
6274 		break;
6275 	case BPF_PROG_LOAD:
6276 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6277 				   NULL);
6278 		break;
6279 	default:
6280 		ret = 0;
6281 		break;
6282 	}
6283 
6284 	return ret;
6285 }
6286 
6287 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6288 {
6289 	u32 av = 0;
6290 
6291 	if (fmode & FMODE_READ)
6292 		av |= BPF__MAP_READ;
6293 	if (fmode & FMODE_WRITE)
6294 		av |= BPF__MAP_WRITE;
6295 	return av;
6296 }
6297 
6298 /* This function will check the file pass through unix socket or binder to see
6299  * if it is a bpf related object. And apply correspinding checks on the bpf
6300  * object based on the type. The bpf maps and programs, not like other files and
6301  * socket, are using a shared anonymous inode inside the kernel as their inode.
6302  * So checking that inode cannot identify if the process have privilege to
6303  * access the bpf object and that's why we have to add this additional check in
6304  * selinux_file_receive and selinux_binder_transfer_files.
6305  */
6306 static int bpf_fd_pass(struct file *file, u32 sid)
6307 {
6308 	struct bpf_security_struct *bpfsec;
6309 	struct bpf_prog *prog;
6310 	struct bpf_map *map;
6311 	int ret;
6312 
6313 	if (file->f_op == &bpf_map_fops) {
6314 		map = file->private_data;
6315 		bpfsec = map->security;
6316 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6317 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6318 		if (ret)
6319 			return ret;
6320 	} else if (file->f_op == &bpf_prog_fops) {
6321 		prog = file->private_data;
6322 		bpfsec = prog->aux->security;
6323 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6324 				   BPF__PROG_RUN, NULL);
6325 		if (ret)
6326 			return ret;
6327 	}
6328 	return 0;
6329 }
6330 
6331 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6332 {
6333 	u32 sid = current_sid();
6334 	struct bpf_security_struct *bpfsec;
6335 
6336 	bpfsec = map->security;
6337 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6338 			    bpf_map_fmode_to_av(fmode), NULL);
6339 }
6340 
6341 static int selinux_bpf_prog(struct bpf_prog *prog)
6342 {
6343 	u32 sid = current_sid();
6344 	struct bpf_security_struct *bpfsec;
6345 
6346 	bpfsec = prog->aux->security;
6347 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6348 			    BPF__PROG_RUN, NULL);
6349 }
6350 
6351 static int selinux_bpf_map_alloc(struct bpf_map *map)
6352 {
6353 	struct bpf_security_struct *bpfsec;
6354 
6355 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6356 	if (!bpfsec)
6357 		return -ENOMEM;
6358 
6359 	bpfsec->sid = current_sid();
6360 	map->security = bpfsec;
6361 
6362 	return 0;
6363 }
6364 
6365 static void selinux_bpf_map_free(struct bpf_map *map)
6366 {
6367 	struct bpf_security_struct *bpfsec = map->security;
6368 
6369 	map->security = NULL;
6370 	kfree(bpfsec);
6371 }
6372 
6373 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6374 {
6375 	struct bpf_security_struct *bpfsec;
6376 
6377 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6378 	if (!bpfsec)
6379 		return -ENOMEM;
6380 
6381 	bpfsec->sid = current_sid();
6382 	aux->security = bpfsec;
6383 
6384 	return 0;
6385 }
6386 
6387 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6388 {
6389 	struct bpf_security_struct *bpfsec = aux->security;
6390 
6391 	aux->security = NULL;
6392 	kfree(bpfsec);
6393 }
6394 #endif
6395 
6396 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6397 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6398 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6399 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6400 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6401 
6402 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6403 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6404 	LSM_HOOK_INIT(capget, selinux_capget),
6405 	LSM_HOOK_INIT(capset, selinux_capset),
6406 	LSM_HOOK_INIT(capable, selinux_capable),
6407 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6408 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6409 	LSM_HOOK_INIT(syslog, selinux_syslog),
6410 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6411 
6412 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6413 
6414 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6415 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6416 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6417 
6418 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6419 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6420 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6421 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6422 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6423 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6424 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6425 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6426 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6427 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6428 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6429 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6430 
6431 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6432 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6433 
6434 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6435 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6436 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6437 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6438 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6439 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6440 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6441 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6442 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6443 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6444 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6445 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6446 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6447 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6448 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6449 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6450 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6451 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6452 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6453 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6454 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6455 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6456 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6457 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6458 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6459 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6460 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6461 
6462 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6463 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6464 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6465 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6466 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6467 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6468 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6469 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6470 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6471 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6472 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6473 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6474 
6475 	LSM_HOOK_INIT(file_open, selinux_file_open),
6476 
6477 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6478 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6479 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6480 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6481 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6482 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6483 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6484 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6485 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6486 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6487 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6488 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6489 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6490 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6491 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6492 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6493 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6494 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6495 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6496 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6497 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6498 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6499 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6500 
6501 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6502 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6503 
6504 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6505 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6506 
6507 	LSM_HOOK_INIT(msg_queue_alloc_security,
6508 			selinux_msg_queue_alloc_security),
6509 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6510 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6511 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6512 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6513 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6514 
6515 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6516 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6517 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6518 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6519 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6520 
6521 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6522 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6523 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6524 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6525 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6526 
6527 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6528 
6529 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6530 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6531 
6532 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6533 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6534 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6535 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6536 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6537 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6538 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6539 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6540 
6541 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6542 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6543 
6544 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6545 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6546 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6547 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6548 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6549 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6550 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6551 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6552 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6553 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6554 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6555 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6556 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6557 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6558 	LSM_HOOK_INIT(socket_getpeersec_stream,
6559 			selinux_socket_getpeersec_stream),
6560 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6561 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6562 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6563 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6564 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6565 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6566 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6567 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6568 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6569 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6570 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6571 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6572 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6573 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6574 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6575 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6576 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6577 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6578 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6579 #ifdef CONFIG_SECURITY_INFINIBAND
6580 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6581 	LSM_HOOK_INIT(ib_endport_manage_subnet,
6582 		      selinux_ib_endport_manage_subnet),
6583 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6584 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6585 #endif
6586 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6587 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6588 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6589 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6590 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6591 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6592 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6593 			selinux_xfrm_state_alloc_acquire),
6594 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6595 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6596 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6597 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6598 			selinux_xfrm_state_pol_flow_match),
6599 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6600 #endif
6601 
6602 #ifdef CONFIG_KEYS
6603 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6604 	LSM_HOOK_INIT(key_free, selinux_key_free),
6605 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6606 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6607 #endif
6608 
6609 #ifdef CONFIG_AUDIT
6610 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6611 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6612 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6613 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6614 #endif
6615 
6616 #ifdef CONFIG_BPF_SYSCALL
6617 	LSM_HOOK_INIT(bpf, selinux_bpf),
6618 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6619 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6620 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6621 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6622 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6623 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6624 #endif
6625 };
6626 
6627 static __init int selinux_init(void)
6628 {
6629 	if (!security_module_enable("selinux")) {
6630 		selinux_enabled = 0;
6631 		return 0;
6632 	}
6633 
6634 	if (!selinux_enabled) {
6635 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6636 		return 0;
6637 	}
6638 
6639 	printk(KERN_INFO "SELinux:  Initializing.\n");
6640 
6641 	/* Set the security state for the initial task. */
6642 	cred_init_security();
6643 
6644 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6645 
6646 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6647 					    sizeof(struct inode_security_struct),
6648 					    0, SLAB_PANIC, NULL);
6649 	file_security_cache = kmem_cache_create("selinux_file_security",
6650 					    sizeof(struct file_security_struct),
6651 					    0, SLAB_PANIC, NULL);
6652 	avc_init();
6653 
6654 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6655 
6656 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6657 		panic("SELinux: Unable to register AVC netcache callback\n");
6658 
6659 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6660 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
6661 
6662 	if (selinux_enforcing)
6663 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6664 	else
6665 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6666 
6667 	return 0;
6668 }
6669 
6670 static void delayed_superblock_init(struct super_block *sb, void *unused)
6671 {
6672 	superblock_doinit(sb, NULL);
6673 }
6674 
6675 void selinux_complete_init(void)
6676 {
6677 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6678 
6679 	/* Set up any superblocks initialized prior to the policy load. */
6680 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6681 	iterate_supers(delayed_superblock_init, NULL);
6682 }
6683 
6684 /* SELinux requires early initialization in order to label
6685    all processes and objects when they are created. */
6686 security_initcall(selinux_init);
6687 
6688 #if defined(CONFIG_NETFILTER)
6689 
6690 static const struct nf_hook_ops selinux_nf_ops[] = {
6691 	{
6692 		.hook =		selinux_ipv4_postroute,
6693 		.pf =		NFPROTO_IPV4,
6694 		.hooknum =	NF_INET_POST_ROUTING,
6695 		.priority =	NF_IP_PRI_SELINUX_LAST,
6696 	},
6697 	{
6698 		.hook =		selinux_ipv4_forward,
6699 		.pf =		NFPROTO_IPV4,
6700 		.hooknum =	NF_INET_FORWARD,
6701 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6702 	},
6703 	{
6704 		.hook =		selinux_ipv4_output,
6705 		.pf =		NFPROTO_IPV4,
6706 		.hooknum =	NF_INET_LOCAL_OUT,
6707 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6708 	},
6709 #if IS_ENABLED(CONFIG_IPV6)
6710 	{
6711 		.hook =		selinux_ipv6_postroute,
6712 		.pf =		NFPROTO_IPV6,
6713 		.hooknum =	NF_INET_POST_ROUTING,
6714 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6715 	},
6716 	{
6717 		.hook =		selinux_ipv6_forward,
6718 		.pf =		NFPROTO_IPV6,
6719 		.hooknum =	NF_INET_FORWARD,
6720 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6721 	},
6722 	{
6723 		.hook =		selinux_ipv6_output,
6724 		.pf =		NFPROTO_IPV6,
6725 		.hooknum =	NF_INET_LOCAL_OUT,
6726 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6727 	},
6728 #endif	/* IPV6 */
6729 };
6730 
6731 static int __net_init selinux_nf_register(struct net *net)
6732 {
6733 	return nf_register_net_hooks(net, selinux_nf_ops,
6734 				     ARRAY_SIZE(selinux_nf_ops));
6735 }
6736 
6737 static void __net_exit selinux_nf_unregister(struct net *net)
6738 {
6739 	nf_unregister_net_hooks(net, selinux_nf_ops,
6740 				ARRAY_SIZE(selinux_nf_ops));
6741 }
6742 
6743 static struct pernet_operations selinux_net_ops = {
6744 	.init = selinux_nf_register,
6745 	.exit = selinux_nf_unregister,
6746 };
6747 
6748 static int __init selinux_nf_ip_init(void)
6749 {
6750 	int err;
6751 
6752 	if (!selinux_enabled)
6753 		return 0;
6754 
6755 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6756 
6757 	err = register_pernet_subsys(&selinux_net_ops);
6758 	if (err)
6759 		panic("SELinux: register_pernet_subsys: error %d\n", err);
6760 
6761 	return 0;
6762 }
6763 __initcall(selinux_nf_ip_init);
6764 
6765 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6766 static void selinux_nf_ip_exit(void)
6767 {
6768 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6769 
6770 	unregister_pernet_subsys(&selinux_net_ops);
6771 }
6772 #endif
6773 
6774 #else /* CONFIG_NETFILTER */
6775 
6776 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6777 #define selinux_nf_ip_exit()
6778 #endif
6779 
6780 #endif /* CONFIG_NETFILTER */
6781 
6782 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6783 static int selinux_disabled;
6784 
6785 int selinux_disable(void)
6786 {
6787 	if (ss_initialized) {
6788 		/* Not permitted after initial policy load. */
6789 		return -EINVAL;
6790 	}
6791 
6792 	if (selinux_disabled) {
6793 		/* Only do this once. */
6794 		return -EINVAL;
6795 	}
6796 
6797 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6798 
6799 	selinux_disabled = 1;
6800 	selinux_enabled = 0;
6801 
6802 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6803 
6804 	/* Try to destroy the avc node cache */
6805 	avc_disable();
6806 
6807 	/* Unregister netfilter hooks. */
6808 	selinux_nf_ip_exit();
6809 
6810 	/* Unregister selinuxfs. */
6811 	exit_sel_fs();
6812 
6813 	return 0;
6814 }
6815 #endif
6816