xref: /openbmc/linux/security/selinux/hooks.c (revision 8730046c)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *	This program is free software; you can redistribute it and/or modify
22  *	it under the terms of the GNU General Public License version 2,
23  *	as published by the Free Software Foundation.
24  */
25 
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h>		/* for local_port_range[] */
54 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h>	/* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h>		/* for Unix socket types */
70 #include <net/af_unix.h>	/* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86 
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96 
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102 
103 static int __init enforcing_setup(char *str)
104 {
105 	unsigned long enforcing;
106 	if (!kstrtoul(str, 0, &enforcing))
107 		selinux_enforcing = enforcing ? 1 : 0;
108 	return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112 
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115 
116 static int __init selinux_enabled_setup(char *str)
117 {
118 	unsigned long enabled;
119 	if (!kstrtoul(str, 0, &enabled))
120 		selinux_enabled = enabled ? 1 : 0;
121 	return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127 
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130 
131 /**
132  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133  *
134  * Description:
135  * This function checks the SECMARK reference counter to see if any SECMARK
136  * targets are currently configured, if the reference counter is greater than
137  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
138  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
139  * policy capability is enabled, SECMARK is always considered enabled.
140  *
141  */
142 static int selinux_secmark_enabled(void)
143 {
144 	return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146 
147 /**
148  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149  *
150  * Description:
151  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
152  * (1) if any are enabled or false (0) if neither are enabled.  If the
153  * always_check_network policy capability is enabled, peer labeling
154  * is always considered enabled.
155  *
156  */
157 static int selinux_peerlbl_enabled(void)
158 {
159 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161 
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 	if (event == AVC_CALLBACK_RESET) {
165 		sel_netif_flush();
166 		sel_netnode_flush();
167 		sel_netport_flush();
168 		synchronize_net();
169 	}
170 	return 0;
171 }
172 
173 /*
174  * initialise the security for the init task
175  */
176 static void cred_init_security(void)
177 {
178 	struct cred *cred = (struct cred *) current->real_cred;
179 	struct task_security_struct *tsec;
180 
181 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 	if (!tsec)
183 		panic("SELinux:  Failed to initialize initial task.\n");
184 
185 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 	cred->security = tsec;
187 }
188 
189 /*
190  * get the security ID of a set of credentials
191  */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 	const struct task_security_struct *tsec;
195 
196 	tsec = cred->security;
197 	return tsec->sid;
198 }
199 
200 /*
201  * get the objective security ID of a task
202  */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 	u32 sid;
206 
207 	rcu_read_lock();
208 	sid = cred_sid(__task_cred(task));
209 	rcu_read_unlock();
210 	return sid;
211 }
212 
213 /*
214  * get the subjective security ID of the current task
215  */
216 static inline u32 current_sid(void)
217 {
218 	const struct task_security_struct *tsec = current_security();
219 
220 	return tsec->sid;
221 }
222 
223 /* Allocate and free functions for each kind of security blob. */
224 
225 static int inode_alloc_security(struct inode *inode)
226 {
227 	struct inode_security_struct *isec;
228 	u32 sid = current_sid();
229 
230 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 	if (!isec)
232 		return -ENOMEM;
233 
234 	spin_lock_init(&isec->lock);
235 	INIT_LIST_HEAD(&isec->list);
236 	isec->inode = inode;
237 	isec->sid = SECINITSID_UNLABELED;
238 	isec->sclass = SECCLASS_FILE;
239 	isec->task_sid = sid;
240 	isec->initialized = LABEL_INVALID;
241 	inode->i_security = isec;
242 
243 	return 0;
244 }
245 
246 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247 
248 /*
249  * Try reloading inode security labels that have been marked as invalid.  The
250  * @may_sleep parameter indicates when sleeping and thus reloading labels is
251  * allowed; when set to false, returns -ECHILD when the label is
252  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
253  * when no dentry is available, set it to NULL instead.
254  */
255 static int __inode_security_revalidate(struct inode *inode,
256 				       struct dentry *opt_dentry,
257 				       bool may_sleep)
258 {
259 	struct inode_security_struct *isec = inode->i_security;
260 
261 	might_sleep_if(may_sleep);
262 
263 	if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
264 		if (!may_sleep)
265 			return -ECHILD;
266 
267 		/*
268 		 * Try reloading the inode security label.  This will fail if
269 		 * @opt_dentry is NULL and no dentry for this inode can be
270 		 * found; in that case, continue using the old label.
271 		 */
272 		inode_doinit_with_dentry(inode, opt_dentry);
273 	}
274 	return 0;
275 }
276 
277 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 {
279 	return inode->i_security;
280 }
281 
282 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283 {
284 	int error;
285 
286 	error = __inode_security_revalidate(inode, NULL, !rcu);
287 	if (error)
288 		return ERR_PTR(error);
289 	return inode->i_security;
290 }
291 
292 /*
293  * Get the security label of an inode.
294  */
295 static struct inode_security_struct *inode_security(struct inode *inode)
296 {
297 	__inode_security_revalidate(inode, NULL, true);
298 	return inode->i_security;
299 }
300 
301 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302 {
303 	struct inode *inode = d_backing_inode(dentry);
304 
305 	return inode->i_security;
306 }
307 
308 /*
309  * Get the security label of a dentry's backing inode.
310  */
311 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312 {
313 	struct inode *inode = d_backing_inode(dentry);
314 
315 	__inode_security_revalidate(inode, dentry, true);
316 	return inode->i_security;
317 }
318 
319 static void inode_free_rcu(struct rcu_head *head)
320 {
321 	struct inode_security_struct *isec;
322 
323 	isec = container_of(head, struct inode_security_struct, rcu);
324 	kmem_cache_free(sel_inode_cache, isec);
325 }
326 
327 static void inode_free_security(struct inode *inode)
328 {
329 	struct inode_security_struct *isec = inode->i_security;
330 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331 
332 	/*
333 	 * As not all inode security structures are in a list, we check for
334 	 * empty list outside of the lock to make sure that we won't waste
335 	 * time taking a lock doing nothing.
336 	 *
337 	 * The list_del_init() function can be safely called more than once.
338 	 * It should not be possible for this function to be called with
339 	 * concurrent list_add(), but for better safety against future changes
340 	 * in the code, we use list_empty_careful() here.
341 	 */
342 	if (!list_empty_careful(&isec->list)) {
343 		spin_lock(&sbsec->isec_lock);
344 		list_del_init(&isec->list);
345 		spin_unlock(&sbsec->isec_lock);
346 	}
347 
348 	/*
349 	 * The inode may still be referenced in a path walk and
350 	 * a call to selinux_inode_permission() can be made
351 	 * after inode_free_security() is called. Ideally, the VFS
352 	 * wouldn't do this, but fixing that is a much harder
353 	 * job. For now, simply free the i_security via RCU, and
354 	 * leave the current inode->i_security pointer intact.
355 	 * The inode will be freed after the RCU grace period too.
356 	 */
357 	call_rcu(&isec->rcu, inode_free_rcu);
358 }
359 
360 static int file_alloc_security(struct file *file)
361 {
362 	struct file_security_struct *fsec;
363 	u32 sid = current_sid();
364 
365 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
366 	if (!fsec)
367 		return -ENOMEM;
368 
369 	fsec->sid = sid;
370 	fsec->fown_sid = sid;
371 	file->f_security = fsec;
372 
373 	return 0;
374 }
375 
376 static void file_free_security(struct file *file)
377 {
378 	struct file_security_struct *fsec = file->f_security;
379 	file->f_security = NULL;
380 	kmem_cache_free(file_security_cache, fsec);
381 }
382 
383 static int superblock_alloc_security(struct super_block *sb)
384 {
385 	struct superblock_security_struct *sbsec;
386 
387 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
388 	if (!sbsec)
389 		return -ENOMEM;
390 
391 	mutex_init(&sbsec->lock);
392 	INIT_LIST_HEAD(&sbsec->isec_head);
393 	spin_lock_init(&sbsec->isec_lock);
394 	sbsec->sb = sb;
395 	sbsec->sid = SECINITSID_UNLABELED;
396 	sbsec->def_sid = SECINITSID_FILE;
397 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
398 	sb->s_security = sbsec;
399 
400 	return 0;
401 }
402 
403 static void superblock_free_security(struct super_block *sb)
404 {
405 	struct superblock_security_struct *sbsec = sb->s_security;
406 	sb->s_security = NULL;
407 	kfree(sbsec);
408 }
409 
410 /* The file system's label must be initialized prior to use. */
411 
412 static const char *labeling_behaviors[7] = {
413 	"uses xattr",
414 	"uses transition SIDs",
415 	"uses task SIDs",
416 	"uses genfs_contexts",
417 	"not configured for labeling",
418 	"uses mountpoint labeling",
419 	"uses native labeling",
420 };
421 
422 static inline int inode_doinit(struct inode *inode)
423 {
424 	return inode_doinit_with_dentry(inode, NULL);
425 }
426 
427 enum {
428 	Opt_error = -1,
429 	Opt_context = 1,
430 	Opt_fscontext = 2,
431 	Opt_defcontext = 3,
432 	Opt_rootcontext = 4,
433 	Opt_labelsupport = 5,
434 	Opt_nextmntopt = 6,
435 };
436 
437 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
438 
439 static const match_table_t tokens = {
440 	{Opt_context, CONTEXT_STR "%s"},
441 	{Opt_fscontext, FSCONTEXT_STR "%s"},
442 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
443 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
444 	{Opt_labelsupport, LABELSUPP_STR},
445 	{Opt_error, NULL},
446 };
447 
448 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
449 
450 static int may_context_mount_sb_relabel(u32 sid,
451 			struct superblock_security_struct *sbsec,
452 			const struct cred *cred)
453 {
454 	const struct task_security_struct *tsec = cred->security;
455 	int rc;
456 
457 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 			  FILESYSTEM__RELABELFROM, NULL);
459 	if (rc)
460 		return rc;
461 
462 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
463 			  FILESYSTEM__RELABELTO, NULL);
464 	return rc;
465 }
466 
467 static int may_context_mount_inode_relabel(u32 sid,
468 			struct superblock_security_struct *sbsec,
469 			const struct cred *cred)
470 {
471 	const struct task_security_struct *tsec = cred->security;
472 	int rc;
473 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
474 			  FILESYSTEM__RELABELFROM, NULL);
475 	if (rc)
476 		return rc;
477 
478 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
479 			  FILESYSTEM__ASSOCIATE, NULL);
480 	return rc;
481 }
482 
483 static int selinux_is_sblabel_mnt(struct super_block *sb)
484 {
485 	struct superblock_security_struct *sbsec = sb->s_security;
486 
487 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
488 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
489 		sbsec->behavior == SECURITY_FS_USE_TASK ||
490 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
491 		/* Special handling. Genfs but also in-core setxattr handler */
492 		!strcmp(sb->s_type->name, "sysfs") ||
493 		!strcmp(sb->s_type->name, "pstore") ||
494 		!strcmp(sb->s_type->name, "debugfs") ||
495 		!strcmp(sb->s_type->name, "rootfs");
496 }
497 
498 static int sb_finish_set_opts(struct super_block *sb)
499 {
500 	struct superblock_security_struct *sbsec = sb->s_security;
501 	struct dentry *root = sb->s_root;
502 	struct inode *root_inode = d_backing_inode(root);
503 	int rc = 0;
504 
505 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 		/* Make sure that the xattr handler exists and that no
507 		   error other than -ENODATA is returned by getxattr on
508 		   the root directory.  -ENODATA is ok, as this may be
509 		   the first boot of the SELinux kernel before we have
510 		   assigned xattr values to the filesystem. */
511 		if (!(root_inode->i_opflags & IOP_XATTR)) {
512 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 			       "xattr support\n", sb->s_id, sb->s_type->name);
514 			rc = -EOPNOTSUPP;
515 			goto out;
516 		}
517 
518 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
519 		if (rc < 0 && rc != -ENODATA) {
520 			if (rc == -EOPNOTSUPP)
521 				printk(KERN_WARNING "SELinux: (dev %s, type "
522 				       "%s) has no security xattr handler\n",
523 				       sb->s_id, sb->s_type->name);
524 			else
525 				printk(KERN_WARNING "SELinux: (dev %s, type "
526 				       "%s) getxattr errno %d\n", sb->s_id,
527 				       sb->s_type->name, -rc);
528 			goto out;
529 		}
530 	}
531 
532 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
533 		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
534 		       sb->s_id, sb->s_type->name);
535 
536 	sbsec->flags |= SE_SBINITIALIZED;
537 	if (selinux_is_sblabel_mnt(sb))
538 		sbsec->flags |= SBLABEL_MNT;
539 
540 	/* Initialize the root inode. */
541 	rc = inode_doinit_with_dentry(root_inode, root);
542 
543 	/* Initialize any other inodes associated with the superblock, e.g.
544 	   inodes created prior to initial policy load or inodes created
545 	   during get_sb by a pseudo filesystem that directly
546 	   populates itself. */
547 	spin_lock(&sbsec->isec_lock);
548 next_inode:
549 	if (!list_empty(&sbsec->isec_head)) {
550 		struct inode_security_struct *isec =
551 				list_entry(sbsec->isec_head.next,
552 					   struct inode_security_struct, list);
553 		struct inode *inode = isec->inode;
554 		list_del_init(&isec->list);
555 		spin_unlock(&sbsec->isec_lock);
556 		inode = igrab(inode);
557 		if (inode) {
558 			if (!IS_PRIVATE(inode))
559 				inode_doinit(inode);
560 			iput(inode);
561 		}
562 		spin_lock(&sbsec->isec_lock);
563 		goto next_inode;
564 	}
565 	spin_unlock(&sbsec->isec_lock);
566 out:
567 	return rc;
568 }
569 
570 /*
571  * This function should allow an FS to ask what it's mount security
572  * options were so it can use those later for submounts, displaying
573  * mount options, or whatever.
574  */
575 static int selinux_get_mnt_opts(const struct super_block *sb,
576 				struct security_mnt_opts *opts)
577 {
578 	int rc = 0, i;
579 	struct superblock_security_struct *sbsec = sb->s_security;
580 	char *context = NULL;
581 	u32 len;
582 	char tmp;
583 
584 	security_init_mnt_opts(opts);
585 
586 	if (!(sbsec->flags & SE_SBINITIALIZED))
587 		return -EINVAL;
588 
589 	if (!ss_initialized)
590 		return -EINVAL;
591 
592 	/* make sure we always check enough bits to cover the mask */
593 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 
595 	tmp = sbsec->flags & SE_MNTMASK;
596 	/* count the number of mount options for this sb */
597 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 		if (tmp & 0x01)
599 			opts->num_mnt_opts++;
600 		tmp >>= 1;
601 	}
602 	/* Check if the Label support flag is set */
603 	if (sbsec->flags & SBLABEL_MNT)
604 		opts->num_mnt_opts++;
605 
606 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607 	if (!opts->mnt_opts) {
608 		rc = -ENOMEM;
609 		goto out_free;
610 	}
611 
612 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613 	if (!opts->mnt_opts_flags) {
614 		rc = -ENOMEM;
615 		goto out_free;
616 	}
617 
618 	i = 0;
619 	if (sbsec->flags & FSCONTEXT_MNT) {
620 		rc = security_sid_to_context(sbsec->sid, &context, &len);
621 		if (rc)
622 			goto out_free;
623 		opts->mnt_opts[i] = context;
624 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 	}
626 	if (sbsec->flags & CONTEXT_MNT) {
627 		rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628 		if (rc)
629 			goto out_free;
630 		opts->mnt_opts[i] = context;
631 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 	}
633 	if (sbsec->flags & DEFCONTEXT_MNT) {
634 		rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635 		if (rc)
636 			goto out_free;
637 		opts->mnt_opts[i] = context;
638 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 	}
640 	if (sbsec->flags & ROOTCONTEXT_MNT) {
641 		struct dentry *root = sbsec->sb->s_root;
642 		struct inode_security_struct *isec = backing_inode_security(root);
643 
644 		rc = security_sid_to_context(isec->sid, &context, &len);
645 		if (rc)
646 			goto out_free;
647 		opts->mnt_opts[i] = context;
648 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 	}
650 	if (sbsec->flags & SBLABEL_MNT) {
651 		opts->mnt_opts[i] = NULL;
652 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
653 	}
654 
655 	BUG_ON(i != opts->num_mnt_opts);
656 
657 	return 0;
658 
659 out_free:
660 	security_free_mnt_opts(opts);
661 	return rc;
662 }
663 
664 static int bad_option(struct superblock_security_struct *sbsec, char flag,
665 		      u32 old_sid, u32 new_sid)
666 {
667 	char mnt_flags = sbsec->flags & SE_MNTMASK;
668 
669 	/* check if the old mount command had the same options */
670 	if (sbsec->flags & SE_SBINITIALIZED)
671 		if (!(sbsec->flags & flag) ||
672 		    (old_sid != new_sid))
673 			return 1;
674 
675 	/* check if we were passed the same options twice,
676 	 * aka someone passed context=a,context=b
677 	 */
678 	if (!(sbsec->flags & SE_SBINITIALIZED))
679 		if (mnt_flags & flag)
680 			return 1;
681 	return 0;
682 }
683 
684 /*
685  * Allow filesystems with binary mount data to explicitly set mount point
686  * labeling information.
687  */
688 static int selinux_set_mnt_opts(struct super_block *sb,
689 				struct security_mnt_opts *opts,
690 				unsigned long kern_flags,
691 				unsigned long *set_kern_flags)
692 {
693 	const struct cred *cred = current_cred();
694 	int rc = 0, i;
695 	struct superblock_security_struct *sbsec = sb->s_security;
696 	const char *name = sb->s_type->name;
697 	struct dentry *root = sbsec->sb->s_root;
698 	struct inode_security_struct *root_isec;
699 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700 	u32 defcontext_sid = 0;
701 	char **mount_options = opts->mnt_opts;
702 	int *flags = opts->mnt_opts_flags;
703 	int num_opts = opts->num_mnt_opts;
704 
705 	mutex_lock(&sbsec->lock);
706 
707 	if (!ss_initialized) {
708 		if (!num_opts) {
709 			/* Defer initialization until selinux_complete_init,
710 			   after the initial policy is loaded and the security
711 			   server is ready to handle calls. */
712 			goto out;
713 		}
714 		rc = -EINVAL;
715 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
716 			"before the security server is initialized\n");
717 		goto out;
718 	}
719 	if (kern_flags && !set_kern_flags) {
720 		/* Specifying internal flags without providing a place to
721 		 * place the results is not allowed */
722 		rc = -EINVAL;
723 		goto out;
724 	}
725 
726 	/*
727 	 * Binary mount data FS will come through this function twice.  Once
728 	 * from an explicit call and once from the generic calls from the vfs.
729 	 * Since the generic VFS calls will not contain any security mount data
730 	 * we need to skip the double mount verification.
731 	 *
732 	 * This does open a hole in which we will not notice if the first
733 	 * mount using this sb set explict options and a second mount using
734 	 * this sb does not set any security options.  (The first options
735 	 * will be used for both mounts)
736 	 */
737 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
738 	    && (num_opts == 0))
739 		goto out;
740 
741 	root_isec = backing_inode_security_novalidate(root);
742 
743 	/*
744 	 * parse the mount options, check if they are valid sids.
745 	 * also check if someone is trying to mount the same sb more
746 	 * than once with different security options.
747 	 */
748 	for (i = 0; i < num_opts; i++) {
749 		u32 sid;
750 
751 		if (flags[i] == SBLABEL_MNT)
752 			continue;
753 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 		if (rc) {
755 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
757 			       mount_options[i], sb->s_id, name, rc);
758 			goto out;
759 		}
760 		switch (flags[i]) {
761 		case FSCONTEXT_MNT:
762 			fscontext_sid = sid;
763 
764 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 					fscontext_sid))
766 				goto out_double_mount;
767 
768 			sbsec->flags |= FSCONTEXT_MNT;
769 			break;
770 		case CONTEXT_MNT:
771 			context_sid = sid;
772 
773 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 					context_sid))
775 				goto out_double_mount;
776 
777 			sbsec->flags |= CONTEXT_MNT;
778 			break;
779 		case ROOTCONTEXT_MNT:
780 			rootcontext_sid = sid;
781 
782 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 					rootcontext_sid))
784 				goto out_double_mount;
785 
786 			sbsec->flags |= ROOTCONTEXT_MNT;
787 
788 			break;
789 		case DEFCONTEXT_MNT:
790 			defcontext_sid = sid;
791 
792 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 					defcontext_sid))
794 				goto out_double_mount;
795 
796 			sbsec->flags |= DEFCONTEXT_MNT;
797 
798 			break;
799 		default:
800 			rc = -EINVAL;
801 			goto out;
802 		}
803 	}
804 
805 	if (sbsec->flags & SE_SBINITIALIZED) {
806 		/* previously mounted with options, but not on this attempt? */
807 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
808 			goto out_double_mount;
809 		rc = 0;
810 		goto out;
811 	}
812 
813 	if (strcmp(sb->s_type->name, "proc") == 0)
814 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 
816 	if (!strcmp(sb->s_type->name, "debugfs") ||
817 	    !strcmp(sb->s_type->name, "sysfs") ||
818 	    !strcmp(sb->s_type->name, "pstore"))
819 		sbsec->flags |= SE_SBGENFS;
820 
821 	if (!sbsec->behavior) {
822 		/*
823 		 * Determine the labeling behavior to use for this
824 		 * filesystem type.
825 		 */
826 		rc = security_fs_use(sb);
827 		if (rc) {
828 			printk(KERN_WARNING
829 				"%s: security_fs_use(%s) returned %d\n",
830 					__func__, sb->s_type->name, rc);
831 			goto out;
832 		}
833 	}
834 
835 	/*
836 	 * If this is a user namespace mount, no contexts are allowed
837 	 * on the command line and security labels must be ignored.
838 	 */
839 	if (sb->s_user_ns != &init_user_ns) {
840 		if (context_sid || fscontext_sid || rootcontext_sid ||
841 		    defcontext_sid) {
842 			rc = -EACCES;
843 			goto out;
844 		}
845 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
846 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
847 			rc = security_transition_sid(current_sid(), current_sid(),
848 						     SECCLASS_FILE, NULL,
849 						     &sbsec->mntpoint_sid);
850 			if (rc)
851 				goto out;
852 		}
853 		goto out_set_opts;
854 	}
855 
856 	/* sets the context of the superblock for the fs being mounted. */
857 	if (fscontext_sid) {
858 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
859 		if (rc)
860 			goto out;
861 
862 		sbsec->sid = fscontext_sid;
863 	}
864 
865 	/*
866 	 * Switch to using mount point labeling behavior.
867 	 * sets the label used on all file below the mountpoint, and will set
868 	 * the superblock context if not already set.
869 	 */
870 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
871 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
872 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
873 	}
874 
875 	if (context_sid) {
876 		if (!fscontext_sid) {
877 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
878 							  cred);
879 			if (rc)
880 				goto out;
881 			sbsec->sid = context_sid;
882 		} else {
883 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
884 							     cred);
885 			if (rc)
886 				goto out;
887 		}
888 		if (!rootcontext_sid)
889 			rootcontext_sid = context_sid;
890 
891 		sbsec->mntpoint_sid = context_sid;
892 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
893 	}
894 
895 	if (rootcontext_sid) {
896 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
897 						     cred);
898 		if (rc)
899 			goto out;
900 
901 		root_isec->sid = rootcontext_sid;
902 		root_isec->initialized = LABEL_INITIALIZED;
903 	}
904 
905 	if (defcontext_sid) {
906 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
907 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
908 			rc = -EINVAL;
909 			printk(KERN_WARNING "SELinux: defcontext option is "
910 			       "invalid for this filesystem type\n");
911 			goto out;
912 		}
913 
914 		if (defcontext_sid != sbsec->def_sid) {
915 			rc = may_context_mount_inode_relabel(defcontext_sid,
916 							     sbsec, cred);
917 			if (rc)
918 				goto out;
919 		}
920 
921 		sbsec->def_sid = defcontext_sid;
922 	}
923 
924 out_set_opts:
925 	rc = sb_finish_set_opts(sb);
926 out:
927 	mutex_unlock(&sbsec->lock);
928 	return rc;
929 out_double_mount:
930 	rc = -EINVAL;
931 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
932 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
933 	goto out;
934 }
935 
936 static int selinux_cmp_sb_context(const struct super_block *oldsb,
937 				    const struct super_block *newsb)
938 {
939 	struct superblock_security_struct *old = oldsb->s_security;
940 	struct superblock_security_struct *new = newsb->s_security;
941 	char oldflags = old->flags & SE_MNTMASK;
942 	char newflags = new->flags & SE_MNTMASK;
943 
944 	if (oldflags != newflags)
945 		goto mismatch;
946 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
947 		goto mismatch;
948 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
949 		goto mismatch;
950 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
951 		goto mismatch;
952 	if (oldflags & ROOTCONTEXT_MNT) {
953 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
954 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
955 		if (oldroot->sid != newroot->sid)
956 			goto mismatch;
957 	}
958 	return 0;
959 mismatch:
960 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
961 			    "different security settings for (dev %s, "
962 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
963 	return -EBUSY;
964 }
965 
966 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
967 					struct super_block *newsb)
968 {
969 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
970 	struct superblock_security_struct *newsbsec = newsb->s_security;
971 
972 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
973 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
974 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
975 
976 	/*
977 	 * if the parent was able to be mounted it clearly had no special lsm
978 	 * mount options.  thus we can safely deal with this superblock later
979 	 */
980 	if (!ss_initialized)
981 		return 0;
982 
983 	/* how can we clone if the old one wasn't set up?? */
984 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
985 
986 	/* if fs is reusing a sb, make sure that the contexts match */
987 	if (newsbsec->flags & SE_SBINITIALIZED)
988 		return selinux_cmp_sb_context(oldsb, newsb);
989 
990 	mutex_lock(&newsbsec->lock);
991 
992 	newsbsec->flags = oldsbsec->flags;
993 
994 	newsbsec->sid = oldsbsec->sid;
995 	newsbsec->def_sid = oldsbsec->def_sid;
996 	newsbsec->behavior = oldsbsec->behavior;
997 
998 	if (set_context) {
999 		u32 sid = oldsbsec->mntpoint_sid;
1000 
1001 		if (!set_fscontext)
1002 			newsbsec->sid = sid;
1003 		if (!set_rootcontext) {
1004 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1005 			newisec->sid = sid;
1006 		}
1007 		newsbsec->mntpoint_sid = sid;
1008 	}
1009 	if (set_rootcontext) {
1010 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1011 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1012 
1013 		newisec->sid = oldisec->sid;
1014 	}
1015 
1016 	sb_finish_set_opts(newsb);
1017 	mutex_unlock(&newsbsec->lock);
1018 	return 0;
1019 }
1020 
1021 static int selinux_parse_opts_str(char *options,
1022 				  struct security_mnt_opts *opts)
1023 {
1024 	char *p;
1025 	char *context = NULL, *defcontext = NULL;
1026 	char *fscontext = NULL, *rootcontext = NULL;
1027 	int rc, num_mnt_opts = 0;
1028 
1029 	opts->num_mnt_opts = 0;
1030 
1031 	/* Standard string-based options. */
1032 	while ((p = strsep(&options, "|")) != NULL) {
1033 		int token;
1034 		substring_t args[MAX_OPT_ARGS];
1035 
1036 		if (!*p)
1037 			continue;
1038 
1039 		token = match_token(p, tokens, args);
1040 
1041 		switch (token) {
1042 		case Opt_context:
1043 			if (context || defcontext) {
1044 				rc = -EINVAL;
1045 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1046 				goto out_err;
1047 			}
1048 			context = match_strdup(&args[0]);
1049 			if (!context) {
1050 				rc = -ENOMEM;
1051 				goto out_err;
1052 			}
1053 			break;
1054 
1055 		case Opt_fscontext:
1056 			if (fscontext) {
1057 				rc = -EINVAL;
1058 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1059 				goto out_err;
1060 			}
1061 			fscontext = match_strdup(&args[0]);
1062 			if (!fscontext) {
1063 				rc = -ENOMEM;
1064 				goto out_err;
1065 			}
1066 			break;
1067 
1068 		case Opt_rootcontext:
1069 			if (rootcontext) {
1070 				rc = -EINVAL;
1071 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1072 				goto out_err;
1073 			}
1074 			rootcontext = match_strdup(&args[0]);
1075 			if (!rootcontext) {
1076 				rc = -ENOMEM;
1077 				goto out_err;
1078 			}
1079 			break;
1080 
1081 		case Opt_defcontext:
1082 			if (context || defcontext) {
1083 				rc = -EINVAL;
1084 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1085 				goto out_err;
1086 			}
1087 			defcontext = match_strdup(&args[0]);
1088 			if (!defcontext) {
1089 				rc = -ENOMEM;
1090 				goto out_err;
1091 			}
1092 			break;
1093 		case Opt_labelsupport:
1094 			break;
1095 		default:
1096 			rc = -EINVAL;
1097 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1098 			goto out_err;
1099 
1100 		}
1101 	}
1102 
1103 	rc = -ENOMEM;
1104 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1105 	if (!opts->mnt_opts)
1106 		goto out_err;
1107 
1108 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1109 				       GFP_KERNEL);
1110 	if (!opts->mnt_opts_flags) {
1111 		kfree(opts->mnt_opts);
1112 		goto out_err;
1113 	}
1114 
1115 	if (fscontext) {
1116 		opts->mnt_opts[num_mnt_opts] = fscontext;
1117 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1118 	}
1119 	if (context) {
1120 		opts->mnt_opts[num_mnt_opts] = context;
1121 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1122 	}
1123 	if (rootcontext) {
1124 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1125 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1126 	}
1127 	if (defcontext) {
1128 		opts->mnt_opts[num_mnt_opts] = defcontext;
1129 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1130 	}
1131 
1132 	opts->num_mnt_opts = num_mnt_opts;
1133 	return 0;
1134 
1135 out_err:
1136 	kfree(context);
1137 	kfree(defcontext);
1138 	kfree(fscontext);
1139 	kfree(rootcontext);
1140 	return rc;
1141 }
1142 /*
1143  * string mount options parsing and call set the sbsec
1144  */
1145 static int superblock_doinit(struct super_block *sb, void *data)
1146 {
1147 	int rc = 0;
1148 	char *options = data;
1149 	struct security_mnt_opts opts;
1150 
1151 	security_init_mnt_opts(&opts);
1152 
1153 	if (!data)
1154 		goto out;
1155 
1156 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1157 
1158 	rc = selinux_parse_opts_str(options, &opts);
1159 	if (rc)
1160 		goto out_err;
1161 
1162 out:
1163 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1164 
1165 out_err:
1166 	security_free_mnt_opts(&opts);
1167 	return rc;
1168 }
1169 
1170 static void selinux_write_opts(struct seq_file *m,
1171 			       struct security_mnt_opts *opts)
1172 {
1173 	int i;
1174 	char *prefix;
1175 
1176 	for (i = 0; i < opts->num_mnt_opts; i++) {
1177 		char *has_comma;
1178 
1179 		if (opts->mnt_opts[i])
1180 			has_comma = strchr(opts->mnt_opts[i], ',');
1181 		else
1182 			has_comma = NULL;
1183 
1184 		switch (opts->mnt_opts_flags[i]) {
1185 		case CONTEXT_MNT:
1186 			prefix = CONTEXT_STR;
1187 			break;
1188 		case FSCONTEXT_MNT:
1189 			prefix = FSCONTEXT_STR;
1190 			break;
1191 		case ROOTCONTEXT_MNT:
1192 			prefix = ROOTCONTEXT_STR;
1193 			break;
1194 		case DEFCONTEXT_MNT:
1195 			prefix = DEFCONTEXT_STR;
1196 			break;
1197 		case SBLABEL_MNT:
1198 			seq_putc(m, ',');
1199 			seq_puts(m, LABELSUPP_STR);
1200 			continue;
1201 		default:
1202 			BUG();
1203 			return;
1204 		};
1205 		/* we need a comma before each option */
1206 		seq_putc(m, ',');
1207 		seq_puts(m, prefix);
1208 		if (has_comma)
1209 			seq_putc(m, '\"');
1210 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1211 		if (has_comma)
1212 			seq_putc(m, '\"');
1213 	}
1214 }
1215 
1216 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1217 {
1218 	struct security_mnt_opts opts;
1219 	int rc;
1220 
1221 	rc = selinux_get_mnt_opts(sb, &opts);
1222 	if (rc) {
1223 		/* before policy load we may get EINVAL, don't show anything */
1224 		if (rc == -EINVAL)
1225 			rc = 0;
1226 		return rc;
1227 	}
1228 
1229 	selinux_write_opts(m, &opts);
1230 
1231 	security_free_mnt_opts(&opts);
1232 
1233 	return rc;
1234 }
1235 
1236 static inline u16 inode_mode_to_security_class(umode_t mode)
1237 {
1238 	switch (mode & S_IFMT) {
1239 	case S_IFSOCK:
1240 		return SECCLASS_SOCK_FILE;
1241 	case S_IFLNK:
1242 		return SECCLASS_LNK_FILE;
1243 	case S_IFREG:
1244 		return SECCLASS_FILE;
1245 	case S_IFBLK:
1246 		return SECCLASS_BLK_FILE;
1247 	case S_IFDIR:
1248 		return SECCLASS_DIR;
1249 	case S_IFCHR:
1250 		return SECCLASS_CHR_FILE;
1251 	case S_IFIFO:
1252 		return SECCLASS_FIFO_FILE;
1253 
1254 	}
1255 
1256 	return SECCLASS_FILE;
1257 }
1258 
1259 static inline int default_protocol_stream(int protocol)
1260 {
1261 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1262 }
1263 
1264 static inline int default_protocol_dgram(int protocol)
1265 {
1266 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1267 }
1268 
1269 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1270 {
1271 	switch (family) {
1272 	case PF_UNIX:
1273 		switch (type) {
1274 		case SOCK_STREAM:
1275 		case SOCK_SEQPACKET:
1276 			return SECCLASS_UNIX_STREAM_SOCKET;
1277 		case SOCK_DGRAM:
1278 			return SECCLASS_UNIX_DGRAM_SOCKET;
1279 		}
1280 		break;
1281 	case PF_INET:
1282 	case PF_INET6:
1283 		switch (type) {
1284 		case SOCK_STREAM:
1285 			if (default_protocol_stream(protocol))
1286 				return SECCLASS_TCP_SOCKET;
1287 			else
1288 				return SECCLASS_RAWIP_SOCKET;
1289 		case SOCK_DGRAM:
1290 			if (default_protocol_dgram(protocol))
1291 				return SECCLASS_UDP_SOCKET;
1292 			else
1293 				return SECCLASS_RAWIP_SOCKET;
1294 		case SOCK_DCCP:
1295 			return SECCLASS_DCCP_SOCKET;
1296 		default:
1297 			return SECCLASS_RAWIP_SOCKET;
1298 		}
1299 		break;
1300 	case PF_NETLINK:
1301 		switch (protocol) {
1302 		case NETLINK_ROUTE:
1303 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1304 		case NETLINK_SOCK_DIAG:
1305 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1306 		case NETLINK_NFLOG:
1307 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1308 		case NETLINK_XFRM:
1309 			return SECCLASS_NETLINK_XFRM_SOCKET;
1310 		case NETLINK_SELINUX:
1311 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1312 		case NETLINK_ISCSI:
1313 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1314 		case NETLINK_AUDIT:
1315 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1316 		case NETLINK_FIB_LOOKUP:
1317 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1318 		case NETLINK_CONNECTOR:
1319 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1320 		case NETLINK_NETFILTER:
1321 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1322 		case NETLINK_DNRTMSG:
1323 			return SECCLASS_NETLINK_DNRT_SOCKET;
1324 		case NETLINK_KOBJECT_UEVENT:
1325 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1326 		case NETLINK_GENERIC:
1327 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1328 		case NETLINK_SCSITRANSPORT:
1329 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1330 		case NETLINK_RDMA:
1331 			return SECCLASS_NETLINK_RDMA_SOCKET;
1332 		case NETLINK_CRYPTO:
1333 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1334 		default:
1335 			return SECCLASS_NETLINK_SOCKET;
1336 		}
1337 	case PF_PACKET:
1338 		return SECCLASS_PACKET_SOCKET;
1339 	case PF_KEY:
1340 		return SECCLASS_KEY_SOCKET;
1341 	case PF_APPLETALK:
1342 		return SECCLASS_APPLETALK_SOCKET;
1343 	}
1344 
1345 	return SECCLASS_SOCKET;
1346 }
1347 
1348 static int selinux_genfs_get_sid(struct dentry *dentry,
1349 				 u16 tclass,
1350 				 u16 flags,
1351 				 u32 *sid)
1352 {
1353 	int rc;
1354 	struct super_block *sb = dentry->d_sb;
1355 	char *buffer, *path;
1356 
1357 	buffer = (char *)__get_free_page(GFP_KERNEL);
1358 	if (!buffer)
1359 		return -ENOMEM;
1360 
1361 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1362 	if (IS_ERR(path))
1363 		rc = PTR_ERR(path);
1364 	else {
1365 		if (flags & SE_SBPROC) {
1366 			/* each process gets a /proc/PID/ entry. Strip off the
1367 			 * PID part to get a valid selinux labeling.
1368 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1369 			while (path[1] >= '0' && path[1] <= '9') {
1370 				path[1] = '/';
1371 				path++;
1372 			}
1373 		}
1374 		rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1375 	}
1376 	free_page((unsigned long)buffer);
1377 	return rc;
1378 }
1379 
1380 /* The inode's security attributes must be initialized before first use. */
1381 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1382 {
1383 	struct superblock_security_struct *sbsec = NULL;
1384 	struct inode_security_struct *isec = inode->i_security;
1385 	u32 task_sid, sid = 0;
1386 	u16 sclass;
1387 	struct dentry *dentry;
1388 #define INITCONTEXTLEN 255
1389 	char *context = NULL;
1390 	unsigned len = 0;
1391 	int rc = 0;
1392 
1393 	if (isec->initialized == LABEL_INITIALIZED)
1394 		return 0;
1395 
1396 	spin_lock(&isec->lock);
1397 	if (isec->initialized == LABEL_INITIALIZED)
1398 		goto out_unlock;
1399 
1400 	if (isec->sclass == SECCLASS_FILE)
1401 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1402 
1403 	sbsec = inode->i_sb->s_security;
1404 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1405 		/* Defer initialization until selinux_complete_init,
1406 		   after the initial policy is loaded and the security
1407 		   server is ready to handle calls. */
1408 		spin_lock(&sbsec->isec_lock);
1409 		if (list_empty(&isec->list))
1410 			list_add(&isec->list, &sbsec->isec_head);
1411 		spin_unlock(&sbsec->isec_lock);
1412 		goto out_unlock;
1413 	}
1414 
1415 	sclass = isec->sclass;
1416 	task_sid = isec->task_sid;
1417 	sid = isec->sid;
1418 	isec->initialized = LABEL_PENDING;
1419 	spin_unlock(&isec->lock);
1420 
1421 	switch (sbsec->behavior) {
1422 	case SECURITY_FS_USE_NATIVE:
1423 		break;
1424 	case SECURITY_FS_USE_XATTR:
1425 		if (!(inode->i_opflags & IOP_XATTR)) {
1426 			sid = sbsec->def_sid;
1427 			break;
1428 		}
1429 		/* Need a dentry, since the xattr API requires one.
1430 		   Life would be simpler if we could just pass the inode. */
1431 		if (opt_dentry) {
1432 			/* Called from d_instantiate or d_splice_alias. */
1433 			dentry = dget(opt_dentry);
1434 		} else {
1435 			/* Called from selinux_complete_init, try to find a dentry. */
1436 			dentry = d_find_alias(inode);
1437 		}
1438 		if (!dentry) {
1439 			/*
1440 			 * this is can be hit on boot when a file is accessed
1441 			 * before the policy is loaded.  When we load policy we
1442 			 * may find inodes that have no dentry on the
1443 			 * sbsec->isec_head list.  No reason to complain as these
1444 			 * will get fixed up the next time we go through
1445 			 * inode_doinit with a dentry, before these inodes could
1446 			 * be used again by userspace.
1447 			 */
1448 			goto out;
1449 		}
1450 
1451 		len = INITCONTEXTLEN;
1452 		context = kmalloc(len+1, GFP_NOFS);
1453 		if (!context) {
1454 			rc = -ENOMEM;
1455 			dput(dentry);
1456 			goto out;
1457 		}
1458 		context[len] = '\0';
1459 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1460 		if (rc == -ERANGE) {
1461 			kfree(context);
1462 
1463 			/* Need a larger buffer.  Query for the right size. */
1464 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1465 			if (rc < 0) {
1466 				dput(dentry);
1467 				goto out;
1468 			}
1469 			len = rc;
1470 			context = kmalloc(len+1, GFP_NOFS);
1471 			if (!context) {
1472 				rc = -ENOMEM;
1473 				dput(dentry);
1474 				goto out;
1475 			}
1476 			context[len] = '\0';
1477 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1478 		}
1479 		dput(dentry);
1480 		if (rc < 0) {
1481 			if (rc != -ENODATA) {
1482 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1483 				       "%d for dev=%s ino=%ld\n", __func__,
1484 				       -rc, inode->i_sb->s_id, inode->i_ino);
1485 				kfree(context);
1486 				goto out;
1487 			}
1488 			/* Map ENODATA to the default file SID */
1489 			sid = sbsec->def_sid;
1490 			rc = 0;
1491 		} else {
1492 			rc = security_context_to_sid_default(context, rc, &sid,
1493 							     sbsec->def_sid,
1494 							     GFP_NOFS);
1495 			if (rc) {
1496 				char *dev = inode->i_sb->s_id;
1497 				unsigned long ino = inode->i_ino;
1498 
1499 				if (rc == -EINVAL) {
1500 					if (printk_ratelimit())
1501 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1502 							"context=%s.  This indicates you may need to relabel the inode or the "
1503 							"filesystem in question.\n", ino, dev, context);
1504 				} else {
1505 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1506 					       "returned %d for dev=%s ino=%ld\n",
1507 					       __func__, context, -rc, dev, ino);
1508 				}
1509 				kfree(context);
1510 				/* Leave with the unlabeled SID */
1511 				rc = 0;
1512 				break;
1513 			}
1514 		}
1515 		kfree(context);
1516 		break;
1517 	case SECURITY_FS_USE_TASK:
1518 		sid = task_sid;
1519 		break;
1520 	case SECURITY_FS_USE_TRANS:
1521 		/* Default to the fs SID. */
1522 		sid = sbsec->sid;
1523 
1524 		/* Try to obtain a transition SID. */
1525 		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1526 		if (rc)
1527 			goto out;
1528 		break;
1529 	case SECURITY_FS_USE_MNTPOINT:
1530 		sid = sbsec->mntpoint_sid;
1531 		break;
1532 	default:
1533 		/* Default to the fs superblock SID. */
1534 		sid = sbsec->sid;
1535 
1536 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1537 			/* We must have a dentry to determine the label on
1538 			 * procfs inodes */
1539 			if (opt_dentry)
1540 				/* Called from d_instantiate or
1541 				 * d_splice_alias. */
1542 				dentry = dget(opt_dentry);
1543 			else
1544 				/* Called from selinux_complete_init, try to
1545 				 * find a dentry. */
1546 				dentry = d_find_alias(inode);
1547 			/*
1548 			 * This can be hit on boot when a file is accessed
1549 			 * before the policy is loaded.  When we load policy we
1550 			 * may find inodes that have no dentry on the
1551 			 * sbsec->isec_head list.  No reason to complain as
1552 			 * these will get fixed up the next time we go through
1553 			 * inode_doinit() with a dentry, before these inodes
1554 			 * could be used again by userspace.
1555 			 */
1556 			if (!dentry)
1557 				goto out;
1558 			rc = selinux_genfs_get_sid(dentry, sclass,
1559 						   sbsec->flags, &sid);
1560 			dput(dentry);
1561 			if (rc)
1562 				goto out;
1563 		}
1564 		break;
1565 	}
1566 
1567 out:
1568 	spin_lock(&isec->lock);
1569 	if (isec->initialized == LABEL_PENDING) {
1570 		if (!sid || rc) {
1571 			isec->initialized = LABEL_INVALID;
1572 			goto out_unlock;
1573 		}
1574 
1575 		isec->initialized = LABEL_INITIALIZED;
1576 		isec->sid = sid;
1577 	}
1578 
1579 out_unlock:
1580 	spin_unlock(&isec->lock);
1581 	return rc;
1582 }
1583 
1584 /* Convert a Linux signal to an access vector. */
1585 static inline u32 signal_to_av(int sig)
1586 {
1587 	u32 perm = 0;
1588 
1589 	switch (sig) {
1590 	case SIGCHLD:
1591 		/* Commonly granted from child to parent. */
1592 		perm = PROCESS__SIGCHLD;
1593 		break;
1594 	case SIGKILL:
1595 		/* Cannot be caught or ignored */
1596 		perm = PROCESS__SIGKILL;
1597 		break;
1598 	case SIGSTOP:
1599 		/* Cannot be caught or ignored */
1600 		perm = PROCESS__SIGSTOP;
1601 		break;
1602 	default:
1603 		/* All other signals. */
1604 		perm = PROCESS__SIGNAL;
1605 		break;
1606 	}
1607 
1608 	return perm;
1609 }
1610 
1611 /*
1612  * Check permission between a pair of credentials
1613  * fork check, ptrace check, etc.
1614  */
1615 static int cred_has_perm(const struct cred *actor,
1616 			 const struct cred *target,
1617 			 u32 perms)
1618 {
1619 	u32 asid = cred_sid(actor), tsid = cred_sid(target);
1620 
1621 	return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1622 }
1623 
1624 /*
1625  * Check permission between a pair of tasks, e.g. signal checks,
1626  * fork check, ptrace check, etc.
1627  * tsk1 is the actor and tsk2 is the target
1628  * - this uses the default subjective creds of tsk1
1629  */
1630 static int task_has_perm(const struct task_struct *tsk1,
1631 			 const struct task_struct *tsk2,
1632 			 u32 perms)
1633 {
1634 	const struct task_security_struct *__tsec1, *__tsec2;
1635 	u32 sid1, sid2;
1636 
1637 	rcu_read_lock();
1638 	__tsec1 = __task_cred(tsk1)->security;	sid1 = __tsec1->sid;
1639 	__tsec2 = __task_cred(tsk2)->security;	sid2 = __tsec2->sid;
1640 	rcu_read_unlock();
1641 	return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1642 }
1643 
1644 /*
1645  * Check permission between current and another task, e.g. signal checks,
1646  * fork check, ptrace check, etc.
1647  * current is the actor and tsk2 is the target
1648  * - this uses current's subjective creds
1649  */
1650 static int current_has_perm(const struct task_struct *tsk,
1651 			    u32 perms)
1652 {
1653 	u32 sid, tsid;
1654 
1655 	sid = current_sid();
1656 	tsid = task_sid(tsk);
1657 	return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1658 }
1659 
1660 #if CAP_LAST_CAP > 63
1661 #error Fix SELinux to handle capabilities > 63.
1662 #endif
1663 
1664 /* Check whether a task is allowed to use a capability. */
1665 static int cred_has_capability(const struct cred *cred,
1666 			       int cap, int audit, bool initns)
1667 {
1668 	struct common_audit_data ad;
1669 	struct av_decision avd;
1670 	u16 sclass;
1671 	u32 sid = cred_sid(cred);
1672 	u32 av = CAP_TO_MASK(cap);
1673 	int rc;
1674 
1675 	ad.type = LSM_AUDIT_DATA_CAP;
1676 	ad.u.cap = cap;
1677 
1678 	switch (CAP_TO_INDEX(cap)) {
1679 	case 0:
1680 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1681 		break;
1682 	case 1:
1683 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1684 		break;
1685 	default:
1686 		printk(KERN_ERR
1687 		       "SELinux:  out of range capability %d\n", cap);
1688 		BUG();
1689 		return -EINVAL;
1690 	}
1691 
1692 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1693 	if (audit == SECURITY_CAP_AUDIT) {
1694 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1695 		if (rc2)
1696 			return rc2;
1697 	}
1698 	return rc;
1699 }
1700 
1701 /* Check whether a task is allowed to use a system operation. */
1702 static int task_has_system(struct task_struct *tsk,
1703 			   u32 perms)
1704 {
1705 	u32 sid = task_sid(tsk);
1706 
1707 	return avc_has_perm(sid, SECINITSID_KERNEL,
1708 			    SECCLASS_SYSTEM, perms, NULL);
1709 }
1710 
1711 /* Check whether a task has a particular permission to an inode.
1712    The 'adp' parameter is optional and allows other audit
1713    data to be passed (e.g. the dentry). */
1714 static int inode_has_perm(const struct cred *cred,
1715 			  struct inode *inode,
1716 			  u32 perms,
1717 			  struct common_audit_data *adp)
1718 {
1719 	struct inode_security_struct *isec;
1720 	u32 sid;
1721 
1722 	validate_creds(cred);
1723 
1724 	if (unlikely(IS_PRIVATE(inode)))
1725 		return 0;
1726 
1727 	sid = cred_sid(cred);
1728 	isec = inode->i_security;
1729 
1730 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1731 }
1732 
1733 /* Same as inode_has_perm, but pass explicit audit data containing
1734    the dentry to help the auditing code to more easily generate the
1735    pathname if needed. */
1736 static inline int dentry_has_perm(const struct cred *cred,
1737 				  struct dentry *dentry,
1738 				  u32 av)
1739 {
1740 	struct inode *inode = d_backing_inode(dentry);
1741 	struct common_audit_data ad;
1742 
1743 	ad.type = LSM_AUDIT_DATA_DENTRY;
1744 	ad.u.dentry = dentry;
1745 	__inode_security_revalidate(inode, dentry, true);
1746 	return inode_has_perm(cred, inode, av, &ad);
1747 }
1748 
1749 /* Same as inode_has_perm, but pass explicit audit data containing
1750    the path to help the auditing code to more easily generate the
1751    pathname if needed. */
1752 static inline int path_has_perm(const struct cred *cred,
1753 				const struct path *path,
1754 				u32 av)
1755 {
1756 	struct inode *inode = d_backing_inode(path->dentry);
1757 	struct common_audit_data ad;
1758 
1759 	ad.type = LSM_AUDIT_DATA_PATH;
1760 	ad.u.path = *path;
1761 	__inode_security_revalidate(inode, path->dentry, true);
1762 	return inode_has_perm(cred, inode, av, &ad);
1763 }
1764 
1765 /* Same as path_has_perm, but uses the inode from the file struct. */
1766 static inline int file_path_has_perm(const struct cred *cred,
1767 				     struct file *file,
1768 				     u32 av)
1769 {
1770 	struct common_audit_data ad;
1771 
1772 	ad.type = LSM_AUDIT_DATA_FILE;
1773 	ad.u.file = file;
1774 	return inode_has_perm(cred, file_inode(file), av, &ad);
1775 }
1776 
1777 /* Check whether a task can use an open file descriptor to
1778    access an inode in a given way.  Check access to the
1779    descriptor itself, and then use dentry_has_perm to
1780    check a particular permission to the file.
1781    Access to the descriptor is implicitly granted if it
1782    has the same SID as the process.  If av is zero, then
1783    access to the file is not checked, e.g. for cases
1784    where only the descriptor is affected like seek. */
1785 static int file_has_perm(const struct cred *cred,
1786 			 struct file *file,
1787 			 u32 av)
1788 {
1789 	struct file_security_struct *fsec = file->f_security;
1790 	struct inode *inode = file_inode(file);
1791 	struct common_audit_data ad;
1792 	u32 sid = cred_sid(cred);
1793 	int rc;
1794 
1795 	ad.type = LSM_AUDIT_DATA_FILE;
1796 	ad.u.file = file;
1797 
1798 	if (sid != fsec->sid) {
1799 		rc = avc_has_perm(sid, fsec->sid,
1800 				  SECCLASS_FD,
1801 				  FD__USE,
1802 				  &ad);
1803 		if (rc)
1804 			goto out;
1805 	}
1806 
1807 	/* av is zero if only checking access to the descriptor. */
1808 	rc = 0;
1809 	if (av)
1810 		rc = inode_has_perm(cred, inode, av, &ad);
1811 
1812 out:
1813 	return rc;
1814 }
1815 
1816 /*
1817  * Determine the label for an inode that might be unioned.
1818  */
1819 static int
1820 selinux_determine_inode_label(const struct task_security_struct *tsec,
1821 				 struct inode *dir,
1822 				 const struct qstr *name, u16 tclass,
1823 				 u32 *_new_isid)
1824 {
1825 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1826 
1827 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1828 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1829 		*_new_isid = sbsec->mntpoint_sid;
1830 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1831 		   tsec->create_sid) {
1832 		*_new_isid = tsec->create_sid;
1833 	} else {
1834 		const struct inode_security_struct *dsec = inode_security(dir);
1835 		return security_transition_sid(tsec->sid, dsec->sid, tclass,
1836 					       name, _new_isid);
1837 	}
1838 
1839 	return 0;
1840 }
1841 
1842 /* Check whether a task can create a file. */
1843 static int may_create(struct inode *dir,
1844 		      struct dentry *dentry,
1845 		      u16 tclass)
1846 {
1847 	const struct task_security_struct *tsec = current_security();
1848 	struct inode_security_struct *dsec;
1849 	struct superblock_security_struct *sbsec;
1850 	u32 sid, newsid;
1851 	struct common_audit_data ad;
1852 	int rc;
1853 
1854 	dsec = inode_security(dir);
1855 	sbsec = dir->i_sb->s_security;
1856 
1857 	sid = tsec->sid;
1858 
1859 	ad.type = LSM_AUDIT_DATA_DENTRY;
1860 	ad.u.dentry = dentry;
1861 
1862 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1863 			  DIR__ADD_NAME | DIR__SEARCH,
1864 			  &ad);
1865 	if (rc)
1866 		return rc;
1867 
1868 	rc = selinux_determine_inode_label(current_security(), dir,
1869 					   &dentry->d_name, tclass, &newsid);
1870 	if (rc)
1871 		return rc;
1872 
1873 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1874 	if (rc)
1875 		return rc;
1876 
1877 	return avc_has_perm(newsid, sbsec->sid,
1878 			    SECCLASS_FILESYSTEM,
1879 			    FILESYSTEM__ASSOCIATE, &ad);
1880 }
1881 
1882 /* Check whether a task can create a key. */
1883 static int may_create_key(u32 ksid,
1884 			  struct task_struct *ctx)
1885 {
1886 	u32 sid = task_sid(ctx);
1887 
1888 	return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1889 }
1890 
1891 #define MAY_LINK	0
1892 #define MAY_UNLINK	1
1893 #define MAY_RMDIR	2
1894 
1895 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1896 static int may_link(struct inode *dir,
1897 		    struct dentry *dentry,
1898 		    int kind)
1899 
1900 {
1901 	struct inode_security_struct *dsec, *isec;
1902 	struct common_audit_data ad;
1903 	u32 sid = current_sid();
1904 	u32 av;
1905 	int rc;
1906 
1907 	dsec = inode_security(dir);
1908 	isec = backing_inode_security(dentry);
1909 
1910 	ad.type = LSM_AUDIT_DATA_DENTRY;
1911 	ad.u.dentry = dentry;
1912 
1913 	av = DIR__SEARCH;
1914 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1915 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1916 	if (rc)
1917 		return rc;
1918 
1919 	switch (kind) {
1920 	case MAY_LINK:
1921 		av = FILE__LINK;
1922 		break;
1923 	case MAY_UNLINK:
1924 		av = FILE__UNLINK;
1925 		break;
1926 	case MAY_RMDIR:
1927 		av = DIR__RMDIR;
1928 		break;
1929 	default:
1930 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1931 			__func__, kind);
1932 		return 0;
1933 	}
1934 
1935 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1936 	return rc;
1937 }
1938 
1939 static inline int may_rename(struct inode *old_dir,
1940 			     struct dentry *old_dentry,
1941 			     struct inode *new_dir,
1942 			     struct dentry *new_dentry)
1943 {
1944 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1945 	struct common_audit_data ad;
1946 	u32 sid = current_sid();
1947 	u32 av;
1948 	int old_is_dir, new_is_dir;
1949 	int rc;
1950 
1951 	old_dsec = inode_security(old_dir);
1952 	old_isec = backing_inode_security(old_dentry);
1953 	old_is_dir = d_is_dir(old_dentry);
1954 	new_dsec = inode_security(new_dir);
1955 
1956 	ad.type = LSM_AUDIT_DATA_DENTRY;
1957 
1958 	ad.u.dentry = old_dentry;
1959 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1960 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1961 	if (rc)
1962 		return rc;
1963 	rc = avc_has_perm(sid, old_isec->sid,
1964 			  old_isec->sclass, FILE__RENAME, &ad);
1965 	if (rc)
1966 		return rc;
1967 	if (old_is_dir && new_dir != old_dir) {
1968 		rc = avc_has_perm(sid, old_isec->sid,
1969 				  old_isec->sclass, DIR__REPARENT, &ad);
1970 		if (rc)
1971 			return rc;
1972 	}
1973 
1974 	ad.u.dentry = new_dentry;
1975 	av = DIR__ADD_NAME | DIR__SEARCH;
1976 	if (d_is_positive(new_dentry))
1977 		av |= DIR__REMOVE_NAME;
1978 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1979 	if (rc)
1980 		return rc;
1981 	if (d_is_positive(new_dentry)) {
1982 		new_isec = backing_inode_security(new_dentry);
1983 		new_is_dir = d_is_dir(new_dentry);
1984 		rc = avc_has_perm(sid, new_isec->sid,
1985 				  new_isec->sclass,
1986 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1987 		if (rc)
1988 			return rc;
1989 	}
1990 
1991 	return 0;
1992 }
1993 
1994 /* Check whether a task can perform a filesystem operation. */
1995 static int superblock_has_perm(const struct cred *cred,
1996 			       struct super_block *sb,
1997 			       u32 perms,
1998 			       struct common_audit_data *ad)
1999 {
2000 	struct superblock_security_struct *sbsec;
2001 	u32 sid = cred_sid(cred);
2002 
2003 	sbsec = sb->s_security;
2004 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2005 }
2006 
2007 /* Convert a Linux mode and permission mask to an access vector. */
2008 static inline u32 file_mask_to_av(int mode, int mask)
2009 {
2010 	u32 av = 0;
2011 
2012 	if (!S_ISDIR(mode)) {
2013 		if (mask & MAY_EXEC)
2014 			av |= FILE__EXECUTE;
2015 		if (mask & MAY_READ)
2016 			av |= FILE__READ;
2017 
2018 		if (mask & MAY_APPEND)
2019 			av |= FILE__APPEND;
2020 		else if (mask & MAY_WRITE)
2021 			av |= FILE__WRITE;
2022 
2023 	} else {
2024 		if (mask & MAY_EXEC)
2025 			av |= DIR__SEARCH;
2026 		if (mask & MAY_WRITE)
2027 			av |= DIR__WRITE;
2028 		if (mask & MAY_READ)
2029 			av |= DIR__READ;
2030 	}
2031 
2032 	return av;
2033 }
2034 
2035 /* Convert a Linux file to an access vector. */
2036 static inline u32 file_to_av(struct file *file)
2037 {
2038 	u32 av = 0;
2039 
2040 	if (file->f_mode & FMODE_READ)
2041 		av |= FILE__READ;
2042 	if (file->f_mode & FMODE_WRITE) {
2043 		if (file->f_flags & O_APPEND)
2044 			av |= FILE__APPEND;
2045 		else
2046 			av |= FILE__WRITE;
2047 	}
2048 	if (!av) {
2049 		/*
2050 		 * Special file opened with flags 3 for ioctl-only use.
2051 		 */
2052 		av = FILE__IOCTL;
2053 	}
2054 
2055 	return av;
2056 }
2057 
2058 /*
2059  * Convert a file to an access vector and include the correct open
2060  * open permission.
2061  */
2062 static inline u32 open_file_to_av(struct file *file)
2063 {
2064 	u32 av = file_to_av(file);
2065 
2066 	if (selinux_policycap_openperm)
2067 		av |= FILE__OPEN;
2068 
2069 	return av;
2070 }
2071 
2072 /* Hook functions begin here. */
2073 
2074 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2075 {
2076 	u32 mysid = current_sid();
2077 	u32 mgrsid = task_sid(mgr);
2078 
2079 	return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2080 			    BINDER__SET_CONTEXT_MGR, NULL);
2081 }
2082 
2083 static int selinux_binder_transaction(struct task_struct *from,
2084 				      struct task_struct *to)
2085 {
2086 	u32 mysid = current_sid();
2087 	u32 fromsid = task_sid(from);
2088 	u32 tosid = task_sid(to);
2089 	int rc;
2090 
2091 	if (mysid != fromsid) {
2092 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2093 				  BINDER__IMPERSONATE, NULL);
2094 		if (rc)
2095 			return rc;
2096 	}
2097 
2098 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2099 			    NULL);
2100 }
2101 
2102 static int selinux_binder_transfer_binder(struct task_struct *from,
2103 					  struct task_struct *to)
2104 {
2105 	u32 fromsid = task_sid(from);
2106 	u32 tosid = task_sid(to);
2107 
2108 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2109 			    NULL);
2110 }
2111 
2112 static int selinux_binder_transfer_file(struct task_struct *from,
2113 					struct task_struct *to,
2114 					struct file *file)
2115 {
2116 	u32 sid = task_sid(to);
2117 	struct file_security_struct *fsec = file->f_security;
2118 	struct dentry *dentry = file->f_path.dentry;
2119 	struct inode_security_struct *isec;
2120 	struct common_audit_data ad;
2121 	int rc;
2122 
2123 	ad.type = LSM_AUDIT_DATA_PATH;
2124 	ad.u.path = file->f_path;
2125 
2126 	if (sid != fsec->sid) {
2127 		rc = avc_has_perm(sid, fsec->sid,
2128 				  SECCLASS_FD,
2129 				  FD__USE,
2130 				  &ad);
2131 		if (rc)
2132 			return rc;
2133 	}
2134 
2135 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2136 		return 0;
2137 
2138 	isec = backing_inode_security(dentry);
2139 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2140 			    &ad);
2141 }
2142 
2143 static int selinux_ptrace_access_check(struct task_struct *child,
2144 				     unsigned int mode)
2145 {
2146 	if (mode & PTRACE_MODE_READ) {
2147 		u32 sid = current_sid();
2148 		u32 csid = task_sid(child);
2149 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2150 	}
2151 
2152 	return current_has_perm(child, PROCESS__PTRACE);
2153 }
2154 
2155 static int selinux_ptrace_traceme(struct task_struct *parent)
2156 {
2157 	return task_has_perm(parent, current, PROCESS__PTRACE);
2158 }
2159 
2160 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2161 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2162 {
2163 	return current_has_perm(target, PROCESS__GETCAP);
2164 }
2165 
2166 static int selinux_capset(struct cred *new, const struct cred *old,
2167 			  const kernel_cap_t *effective,
2168 			  const kernel_cap_t *inheritable,
2169 			  const kernel_cap_t *permitted)
2170 {
2171 	return cred_has_perm(old, new, PROCESS__SETCAP);
2172 }
2173 
2174 /*
2175  * (This comment used to live with the selinux_task_setuid hook,
2176  * which was removed).
2177  *
2178  * Since setuid only affects the current process, and since the SELinux
2179  * controls are not based on the Linux identity attributes, SELinux does not
2180  * need to control this operation.  However, SELinux does control the use of
2181  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2182  */
2183 
2184 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2185 			   int cap, int audit)
2186 {
2187 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2188 }
2189 
2190 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2191 {
2192 	const struct cred *cred = current_cred();
2193 	int rc = 0;
2194 
2195 	if (!sb)
2196 		return 0;
2197 
2198 	switch (cmds) {
2199 	case Q_SYNC:
2200 	case Q_QUOTAON:
2201 	case Q_QUOTAOFF:
2202 	case Q_SETINFO:
2203 	case Q_SETQUOTA:
2204 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2205 		break;
2206 	case Q_GETFMT:
2207 	case Q_GETINFO:
2208 	case Q_GETQUOTA:
2209 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2210 		break;
2211 	default:
2212 		rc = 0;  /* let the kernel handle invalid cmds */
2213 		break;
2214 	}
2215 	return rc;
2216 }
2217 
2218 static int selinux_quota_on(struct dentry *dentry)
2219 {
2220 	const struct cred *cred = current_cred();
2221 
2222 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2223 }
2224 
2225 static int selinux_syslog(int type)
2226 {
2227 	int rc;
2228 
2229 	switch (type) {
2230 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2231 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2232 		rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2233 		break;
2234 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2235 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2236 	/* Set level of messages printed to console */
2237 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2238 		rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2239 		break;
2240 	case SYSLOG_ACTION_CLOSE:	/* Close log */
2241 	case SYSLOG_ACTION_OPEN:	/* Open log */
2242 	case SYSLOG_ACTION_READ:	/* Read from log */
2243 	case SYSLOG_ACTION_READ_CLEAR:	/* Read/clear last kernel messages */
2244 	case SYSLOG_ACTION_CLEAR:	/* Clear ring buffer */
2245 	default:
2246 		rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2247 		break;
2248 	}
2249 	return rc;
2250 }
2251 
2252 /*
2253  * Check that a process has enough memory to allocate a new virtual
2254  * mapping. 0 means there is enough memory for the allocation to
2255  * succeed and -ENOMEM implies there is not.
2256  *
2257  * Do not audit the selinux permission check, as this is applied to all
2258  * processes that allocate mappings.
2259  */
2260 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2261 {
2262 	int rc, cap_sys_admin = 0;
2263 
2264 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2265 				 SECURITY_CAP_NOAUDIT, true);
2266 	if (rc == 0)
2267 		cap_sys_admin = 1;
2268 
2269 	return cap_sys_admin;
2270 }
2271 
2272 /* binprm security operations */
2273 
2274 static u32 ptrace_parent_sid(struct task_struct *task)
2275 {
2276 	u32 sid = 0;
2277 	struct task_struct *tracer;
2278 
2279 	rcu_read_lock();
2280 	tracer = ptrace_parent(task);
2281 	if (tracer)
2282 		sid = task_sid(tracer);
2283 	rcu_read_unlock();
2284 
2285 	return sid;
2286 }
2287 
2288 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2289 			    const struct task_security_struct *old_tsec,
2290 			    const struct task_security_struct *new_tsec)
2291 {
2292 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2293 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2294 	int rc;
2295 
2296 	if (!nnp && !nosuid)
2297 		return 0; /* neither NNP nor nosuid */
2298 
2299 	if (new_tsec->sid == old_tsec->sid)
2300 		return 0; /* No change in credentials */
2301 
2302 	/*
2303 	 * The only transitions we permit under NNP or nosuid
2304 	 * are transitions to bounded SIDs, i.e. SIDs that are
2305 	 * guaranteed to only be allowed a subset of the permissions
2306 	 * of the current SID.
2307 	 */
2308 	rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2309 	if (rc) {
2310 		/*
2311 		 * On failure, preserve the errno values for NNP vs nosuid.
2312 		 * NNP:  Operation not permitted for caller.
2313 		 * nosuid:  Permission denied to file.
2314 		 */
2315 		if (nnp)
2316 			return -EPERM;
2317 		else
2318 			return -EACCES;
2319 	}
2320 	return 0;
2321 }
2322 
2323 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2324 {
2325 	const struct task_security_struct *old_tsec;
2326 	struct task_security_struct *new_tsec;
2327 	struct inode_security_struct *isec;
2328 	struct common_audit_data ad;
2329 	struct inode *inode = file_inode(bprm->file);
2330 	int rc;
2331 
2332 	/* SELinux context only depends on initial program or script and not
2333 	 * the script interpreter */
2334 	if (bprm->cred_prepared)
2335 		return 0;
2336 
2337 	old_tsec = current_security();
2338 	new_tsec = bprm->cred->security;
2339 	isec = inode_security(inode);
2340 
2341 	/* Default to the current task SID. */
2342 	new_tsec->sid = old_tsec->sid;
2343 	new_tsec->osid = old_tsec->sid;
2344 
2345 	/* Reset fs, key, and sock SIDs on execve. */
2346 	new_tsec->create_sid = 0;
2347 	new_tsec->keycreate_sid = 0;
2348 	new_tsec->sockcreate_sid = 0;
2349 
2350 	if (old_tsec->exec_sid) {
2351 		new_tsec->sid = old_tsec->exec_sid;
2352 		/* Reset exec SID on execve. */
2353 		new_tsec->exec_sid = 0;
2354 
2355 		/* Fail on NNP or nosuid if not an allowed transition. */
2356 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2357 		if (rc)
2358 			return rc;
2359 	} else {
2360 		/* Check for a default transition on this program. */
2361 		rc = security_transition_sid(old_tsec->sid, isec->sid,
2362 					     SECCLASS_PROCESS, NULL,
2363 					     &new_tsec->sid);
2364 		if (rc)
2365 			return rc;
2366 
2367 		/*
2368 		 * Fallback to old SID on NNP or nosuid if not an allowed
2369 		 * transition.
2370 		 */
2371 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2372 		if (rc)
2373 			new_tsec->sid = old_tsec->sid;
2374 	}
2375 
2376 	ad.type = LSM_AUDIT_DATA_FILE;
2377 	ad.u.file = bprm->file;
2378 
2379 	if (new_tsec->sid == old_tsec->sid) {
2380 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2381 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2382 		if (rc)
2383 			return rc;
2384 	} else {
2385 		/* Check permissions for the transition. */
2386 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2387 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2388 		if (rc)
2389 			return rc;
2390 
2391 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2392 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2393 		if (rc)
2394 			return rc;
2395 
2396 		/* Check for shared state */
2397 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2398 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2399 					  SECCLASS_PROCESS, PROCESS__SHARE,
2400 					  NULL);
2401 			if (rc)
2402 				return -EPERM;
2403 		}
2404 
2405 		/* Make sure that anyone attempting to ptrace over a task that
2406 		 * changes its SID has the appropriate permit */
2407 		if (bprm->unsafe &
2408 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2409 			u32 ptsid = ptrace_parent_sid(current);
2410 			if (ptsid != 0) {
2411 				rc = avc_has_perm(ptsid, new_tsec->sid,
2412 						  SECCLASS_PROCESS,
2413 						  PROCESS__PTRACE, NULL);
2414 				if (rc)
2415 					return -EPERM;
2416 			}
2417 		}
2418 
2419 		/* Clear any possibly unsafe personality bits on exec: */
2420 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2421 	}
2422 
2423 	return 0;
2424 }
2425 
2426 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2427 {
2428 	const struct task_security_struct *tsec = current_security();
2429 	u32 sid, osid;
2430 	int atsecure = 0;
2431 
2432 	sid = tsec->sid;
2433 	osid = tsec->osid;
2434 
2435 	if (osid != sid) {
2436 		/* Enable secure mode for SIDs transitions unless
2437 		   the noatsecure permission is granted between
2438 		   the two SIDs, i.e. ahp returns 0. */
2439 		atsecure = avc_has_perm(osid, sid,
2440 					SECCLASS_PROCESS,
2441 					PROCESS__NOATSECURE, NULL);
2442 	}
2443 
2444 	return !!atsecure;
2445 }
2446 
2447 static int match_file(const void *p, struct file *file, unsigned fd)
2448 {
2449 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2450 }
2451 
2452 /* Derived from fs/exec.c:flush_old_files. */
2453 static inline void flush_unauthorized_files(const struct cred *cred,
2454 					    struct files_struct *files)
2455 {
2456 	struct file *file, *devnull = NULL;
2457 	struct tty_struct *tty;
2458 	int drop_tty = 0;
2459 	unsigned n;
2460 
2461 	tty = get_current_tty();
2462 	if (tty) {
2463 		spin_lock(&tty->files_lock);
2464 		if (!list_empty(&tty->tty_files)) {
2465 			struct tty_file_private *file_priv;
2466 
2467 			/* Revalidate access to controlling tty.
2468 			   Use file_path_has_perm on the tty path directly
2469 			   rather than using file_has_perm, as this particular
2470 			   open file may belong to another process and we are
2471 			   only interested in the inode-based check here. */
2472 			file_priv = list_first_entry(&tty->tty_files,
2473 						struct tty_file_private, list);
2474 			file = file_priv->file;
2475 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2476 				drop_tty = 1;
2477 		}
2478 		spin_unlock(&tty->files_lock);
2479 		tty_kref_put(tty);
2480 	}
2481 	/* Reset controlling tty. */
2482 	if (drop_tty)
2483 		no_tty();
2484 
2485 	/* Revalidate access to inherited open files. */
2486 	n = iterate_fd(files, 0, match_file, cred);
2487 	if (!n) /* none found? */
2488 		return;
2489 
2490 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2491 	if (IS_ERR(devnull))
2492 		devnull = NULL;
2493 	/* replace all the matching ones with this */
2494 	do {
2495 		replace_fd(n - 1, devnull, 0);
2496 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2497 	if (devnull)
2498 		fput(devnull);
2499 }
2500 
2501 /*
2502  * Prepare a process for imminent new credential changes due to exec
2503  */
2504 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2505 {
2506 	struct task_security_struct *new_tsec;
2507 	struct rlimit *rlim, *initrlim;
2508 	int rc, i;
2509 
2510 	new_tsec = bprm->cred->security;
2511 	if (new_tsec->sid == new_tsec->osid)
2512 		return;
2513 
2514 	/* Close files for which the new task SID is not authorized. */
2515 	flush_unauthorized_files(bprm->cred, current->files);
2516 
2517 	/* Always clear parent death signal on SID transitions. */
2518 	current->pdeath_signal = 0;
2519 
2520 	/* Check whether the new SID can inherit resource limits from the old
2521 	 * SID.  If not, reset all soft limits to the lower of the current
2522 	 * task's hard limit and the init task's soft limit.
2523 	 *
2524 	 * Note that the setting of hard limits (even to lower them) can be
2525 	 * controlled by the setrlimit check.  The inclusion of the init task's
2526 	 * soft limit into the computation is to avoid resetting soft limits
2527 	 * higher than the default soft limit for cases where the default is
2528 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2529 	 */
2530 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2531 			  PROCESS__RLIMITINH, NULL);
2532 	if (rc) {
2533 		/* protect against do_prlimit() */
2534 		task_lock(current);
2535 		for (i = 0; i < RLIM_NLIMITS; i++) {
2536 			rlim = current->signal->rlim + i;
2537 			initrlim = init_task.signal->rlim + i;
2538 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2539 		}
2540 		task_unlock(current);
2541 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2542 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2543 	}
2544 }
2545 
2546 /*
2547  * Clean up the process immediately after the installation of new credentials
2548  * due to exec
2549  */
2550 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2551 {
2552 	const struct task_security_struct *tsec = current_security();
2553 	struct itimerval itimer;
2554 	u32 osid, sid;
2555 	int rc, i;
2556 
2557 	osid = tsec->osid;
2558 	sid = tsec->sid;
2559 
2560 	if (sid == osid)
2561 		return;
2562 
2563 	/* Check whether the new SID can inherit signal state from the old SID.
2564 	 * If not, clear itimers to avoid subsequent signal generation and
2565 	 * flush and unblock signals.
2566 	 *
2567 	 * This must occur _after_ the task SID has been updated so that any
2568 	 * kill done after the flush will be checked against the new SID.
2569 	 */
2570 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2571 	if (rc) {
2572 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2573 			memset(&itimer, 0, sizeof itimer);
2574 			for (i = 0; i < 3; i++)
2575 				do_setitimer(i, &itimer, NULL);
2576 		}
2577 		spin_lock_irq(&current->sighand->siglock);
2578 		if (!fatal_signal_pending(current)) {
2579 			flush_sigqueue(&current->pending);
2580 			flush_sigqueue(&current->signal->shared_pending);
2581 			flush_signal_handlers(current, 1);
2582 			sigemptyset(&current->blocked);
2583 			recalc_sigpending();
2584 		}
2585 		spin_unlock_irq(&current->sighand->siglock);
2586 	}
2587 
2588 	/* Wake up the parent if it is waiting so that it can recheck
2589 	 * wait permission to the new task SID. */
2590 	read_lock(&tasklist_lock);
2591 	__wake_up_parent(current, current->real_parent);
2592 	read_unlock(&tasklist_lock);
2593 }
2594 
2595 /* superblock security operations */
2596 
2597 static int selinux_sb_alloc_security(struct super_block *sb)
2598 {
2599 	return superblock_alloc_security(sb);
2600 }
2601 
2602 static void selinux_sb_free_security(struct super_block *sb)
2603 {
2604 	superblock_free_security(sb);
2605 }
2606 
2607 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2608 {
2609 	if (plen > olen)
2610 		return 0;
2611 
2612 	return !memcmp(prefix, option, plen);
2613 }
2614 
2615 static inline int selinux_option(char *option, int len)
2616 {
2617 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2618 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2619 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2620 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2621 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2622 }
2623 
2624 static inline void take_option(char **to, char *from, int *first, int len)
2625 {
2626 	if (!*first) {
2627 		**to = ',';
2628 		*to += 1;
2629 	} else
2630 		*first = 0;
2631 	memcpy(*to, from, len);
2632 	*to += len;
2633 }
2634 
2635 static inline void take_selinux_option(char **to, char *from, int *first,
2636 				       int len)
2637 {
2638 	int current_size = 0;
2639 
2640 	if (!*first) {
2641 		**to = '|';
2642 		*to += 1;
2643 	} else
2644 		*first = 0;
2645 
2646 	while (current_size < len) {
2647 		if (*from != '"') {
2648 			**to = *from;
2649 			*to += 1;
2650 		}
2651 		from += 1;
2652 		current_size += 1;
2653 	}
2654 }
2655 
2656 static int selinux_sb_copy_data(char *orig, char *copy)
2657 {
2658 	int fnosec, fsec, rc = 0;
2659 	char *in_save, *in_curr, *in_end;
2660 	char *sec_curr, *nosec_save, *nosec;
2661 	int open_quote = 0;
2662 
2663 	in_curr = orig;
2664 	sec_curr = copy;
2665 
2666 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2667 	if (!nosec) {
2668 		rc = -ENOMEM;
2669 		goto out;
2670 	}
2671 
2672 	nosec_save = nosec;
2673 	fnosec = fsec = 1;
2674 	in_save = in_end = orig;
2675 
2676 	do {
2677 		if (*in_end == '"')
2678 			open_quote = !open_quote;
2679 		if ((*in_end == ',' && open_quote == 0) ||
2680 				*in_end == '\0') {
2681 			int len = in_end - in_curr;
2682 
2683 			if (selinux_option(in_curr, len))
2684 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2685 			else
2686 				take_option(&nosec, in_curr, &fnosec, len);
2687 
2688 			in_curr = in_end + 1;
2689 		}
2690 	} while (*in_end++);
2691 
2692 	strcpy(in_save, nosec_save);
2693 	free_page((unsigned long)nosec_save);
2694 out:
2695 	return rc;
2696 }
2697 
2698 static int selinux_sb_remount(struct super_block *sb, void *data)
2699 {
2700 	int rc, i, *flags;
2701 	struct security_mnt_opts opts;
2702 	char *secdata, **mount_options;
2703 	struct superblock_security_struct *sbsec = sb->s_security;
2704 
2705 	if (!(sbsec->flags & SE_SBINITIALIZED))
2706 		return 0;
2707 
2708 	if (!data)
2709 		return 0;
2710 
2711 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2712 		return 0;
2713 
2714 	security_init_mnt_opts(&opts);
2715 	secdata = alloc_secdata();
2716 	if (!secdata)
2717 		return -ENOMEM;
2718 	rc = selinux_sb_copy_data(data, secdata);
2719 	if (rc)
2720 		goto out_free_secdata;
2721 
2722 	rc = selinux_parse_opts_str(secdata, &opts);
2723 	if (rc)
2724 		goto out_free_secdata;
2725 
2726 	mount_options = opts.mnt_opts;
2727 	flags = opts.mnt_opts_flags;
2728 
2729 	for (i = 0; i < opts.num_mnt_opts; i++) {
2730 		u32 sid;
2731 
2732 		if (flags[i] == SBLABEL_MNT)
2733 			continue;
2734 		rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2735 		if (rc) {
2736 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2737 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2738 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2739 			goto out_free_opts;
2740 		}
2741 		rc = -EINVAL;
2742 		switch (flags[i]) {
2743 		case FSCONTEXT_MNT:
2744 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2745 				goto out_bad_option;
2746 			break;
2747 		case CONTEXT_MNT:
2748 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2749 				goto out_bad_option;
2750 			break;
2751 		case ROOTCONTEXT_MNT: {
2752 			struct inode_security_struct *root_isec;
2753 			root_isec = backing_inode_security(sb->s_root);
2754 
2755 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2756 				goto out_bad_option;
2757 			break;
2758 		}
2759 		case DEFCONTEXT_MNT:
2760 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2761 				goto out_bad_option;
2762 			break;
2763 		default:
2764 			goto out_free_opts;
2765 		}
2766 	}
2767 
2768 	rc = 0;
2769 out_free_opts:
2770 	security_free_mnt_opts(&opts);
2771 out_free_secdata:
2772 	free_secdata(secdata);
2773 	return rc;
2774 out_bad_option:
2775 	printk(KERN_WARNING "SELinux: unable to change security options "
2776 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2777 	       sb->s_type->name);
2778 	goto out_free_opts;
2779 }
2780 
2781 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2782 {
2783 	const struct cred *cred = current_cred();
2784 	struct common_audit_data ad;
2785 	int rc;
2786 
2787 	rc = superblock_doinit(sb, data);
2788 	if (rc)
2789 		return rc;
2790 
2791 	/* Allow all mounts performed by the kernel */
2792 	if (flags & MS_KERNMOUNT)
2793 		return 0;
2794 
2795 	ad.type = LSM_AUDIT_DATA_DENTRY;
2796 	ad.u.dentry = sb->s_root;
2797 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2798 }
2799 
2800 static int selinux_sb_statfs(struct dentry *dentry)
2801 {
2802 	const struct cred *cred = current_cred();
2803 	struct common_audit_data ad;
2804 
2805 	ad.type = LSM_AUDIT_DATA_DENTRY;
2806 	ad.u.dentry = dentry->d_sb->s_root;
2807 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2808 }
2809 
2810 static int selinux_mount(const char *dev_name,
2811 			 const struct path *path,
2812 			 const char *type,
2813 			 unsigned long flags,
2814 			 void *data)
2815 {
2816 	const struct cred *cred = current_cred();
2817 
2818 	if (flags & MS_REMOUNT)
2819 		return superblock_has_perm(cred, path->dentry->d_sb,
2820 					   FILESYSTEM__REMOUNT, NULL);
2821 	else
2822 		return path_has_perm(cred, path, FILE__MOUNTON);
2823 }
2824 
2825 static int selinux_umount(struct vfsmount *mnt, int flags)
2826 {
2827 	const struct cred *cred = current_cred();
2828 
2829 	return superblock_has_perm(cred, mnt->mnt_sb,
2830 				   FILESYSTEM__UNMOUNT, NULL);
2831 }
2832 
2833 /* inode security operations */
2834 
2835 static int selinux_inode_alloc_security(struct inode *inode)
2836 {
2837 	return inode_alloc_security(inode);
2838 }
2839 
2840 static void selinux_inode_free_security(struct inode *inode)
2841 {
2842 	inode_free_security(inode);
2843 }
2844 
2845 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2846 					const struct qstr *name, void **ctx,
2847 					u32 *ctxlen)
2848 {
2849 	u32 newsid;
2850 	int rc;
2851 
2852 	rc = selinux_determine_inode_label(current_security(),
2853 					   d_inode(dentry->d_parent), name,
2854 					   inode_mode_to_security_class(mode),
2855 					   &newsid);
2856 	if (rc)
2857 		return rc;
2858 
2859 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2860 }
2861 
2862 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2863 					  struct qstr *name,
2864 					  const struct cred *old,
2865 					  struct cred *new)
2866 {
2867 	u32 newsid;
2868 	int rc;
2869 	struct task_security_struct *tsec;
2870 
2871 	rc = selinux_determine_inode_label(old->security,
2872 					   d_inode(dentry->d_parent), name,
2873 					   inode_mode_to_security_class(mode),
2874 					   &newsid);
2875 	if (rc)
2876 		return rc;
2877 
2878 	tsec = new->security;
2879 	tsec->create_sid = newsid;
2880 	return 0;
2881 }
2882 
2883 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2884 				       const struct qstr *qstr,
2885 				       const char **name,
2886 				       void **value, size_t *len)
2887 {
2888 	const struct task_security_struct *tsec = current_security();
2889 	struct superblock_security_struct *sbsec;
2890 	u32 sid, newsid, clen;
2891 	int rc;
2892 	char *context;
2893 
2894 	sbsec = dir->i_sb->s_security;
2895 
2896 	sid = tsec->sid;
2897 	newsid = tsec->create_sid;
2898 
2899 	rc = selinux_determine_inode_label(current_security(),
2900 		dir, qstr,
2901 		inode_mode_to_security_class(inode->i_mode),
2902 		&newsid);
2903 	if (rc)
2904 		return rc;
2905 
2906 	/* Possibly defer initialization to selinux_complete_init. */
2907 	if (sbsec->flags & SE_SBINITIALIZED) {
2908 		struct inode_security_struct *isec = inode->i_security;
2909 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2910 		isec->sid = newsid;
2911 		isec->initialized = LABEL_INITIALIZED;
2912 	}
2913 
2914 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2915 		return -EOPNOTSUPP;
2916 
2917 	if (name)
2918 		*name = XATTR_SELINUX_SUFFIX;
2919 
2920 	if (value && len) {
2921 		rc = security_sid_to_context_force(newsid, &context, &clen);
2922 		if (rc)
2923 			return rc;
2924 		*value = context;
2925 		*len = clen;
2926 	}
2927 
2928 	return 0;
2929 }
2930 
2931 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2932 {
2933 	return may_create(dir, dentry, SECCLASS_FILE);
2934 }
2935 
2936 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2937 {
2938 	return may_link(dir, old_dentry, MAY_LINK);
2939 }
2940 
2941 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2942 {
2943 	return may_link(dir, dentry, MAY_UNLINK);
2944 }
2945 
2946 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2947 {
2948 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2949 }
2950 
2951 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2952 {
2953 	return may_create(dir, dentry, SECCLASS_DIR);
2954 }
2955 
2956 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2957 {
2958 	return may_link(dir, dentry, MAY_RMDIR);
2959 }
2960 
2961 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2962 {
2963 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2964 }
2965 
2966 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2967 				struct inode *new_inode, struct dentry *new_dentry)
2968 {
2969 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2970 }
2971 
2972 static int selinux_inode_readlink(struct dentry *dentry)
2973 {
2974 	const struct cred *cred = current_cred();
2975 
2976 	return dentry_has_perm(cred, dentry, FILE__READ);
2977 }
2978 
2979 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2980 				     bool rcu)
2981 {
2982 	const struct cred *cred = current_cred();
2983 	struct common_audit_data ad;
2984 	struct inode_security_struct *isec;
2985 	u32 sid;
2986 
2987 	validate_creds(cred);
2988 
2989 	ad.type = LSM_AUDIT_DATA_DENTRY;
2990 	ad.u.dentry = dentry;
2991 	sid = cred_sid(cred);
2992 	isec = inode_security_rcu(inode, rcu);
2993 	if (IS_ERR(isec))
2994 		return PTR_ERR(isec);
2995 
2996 	return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2997 				  rcu ? MAY_NOT_BLOCK : 0);
2998 }
2999 
3000 static noinline int audit_inode_permission(struct inode *inode,
3001 					   u32 perms, u32 audited, u32 denied,
3002 					   int result,
3003 					   unsigned flags)
3004 {
3005 	struct common_audit_data ad;
3006 	struct inode_security_struct *isec = inode->i_security;
3007 	int rc;
3008 
3009 	ad.type = LSM_AUDIT_DATA_INODE;
3010 	ad.u.inode = inode;
3011 
3012 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3013 			    audited, denied, result, &ad, flags);
3014 	if (rc)
3015 		return rc;
3016 	return 0;
3017 }
3018 
3019 static int selinux_inode_permission(struct inode *inode, int mask)
3020 {
3021 	const struct cred *cred = current_cred();
3022 	u32 perms;
3023 	bool from_access;
3024 	unsigned flags = mask & MAY_NOT_BLOCK;
3025 	struct inode_security_struct *isec;
3026 	u32 sid;
3027 	struct av_decision avd;
3028 	int rc, rc2;
3029 	u32 audited, denied;
3030 
3031 	from_access = mask & MAY_ACCESS;
3032 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3033 
3034 	/* No permission to check.  Existence test. */
3035 	if (!mask)
3036 		return 0;
3037 
3038 	validate_creds(cred);
3039 
3040 	if (unlikely(IS_PRIVATE(inode)))
3041 		return 0;
3042 
3043 	perms = file_mask_to_av(inode->i_mode, mask);
3044 
3045 	sid = cred_sid(cred);
3046 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3047 	if (IS_ERR(isec))
3048 		return PTR_ERR(isec);
3049 
3050 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3051 	audited = avc_audit_required(perms, &avd, rc,
3052 				     from_access ? FILE__AUDIT_ACCESS : 0,
3053 				     &denied);
3054 	if (likely(!audited))
3055 		return rc;
3056 
3057 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3058 	if (rc2)
3059 		return rc2;
3060 	return rc;
3061 }
3062 
3063 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3064 {
3065 	const struct cred *cred = current_cred();
3066 	unsigned int ia_valid = iattr->ia_valid;
3067 	__u32 av = FILE__WRITE;
3068 
3069 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3070 	if (ia_valid & ATTR_FORCE) {
3071 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3072 			      ATTR_FORCE);
3073 		if (!ia_valid)
3074 			return 0;
3075 	}
3076 
3077 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3078 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3079 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3080 
3081 	if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3082 			&& !(ia_valid & ATTR_FILE))
3083 		av |= FILE__OPEN;
3084 
3085 	return dentry_has_perm(cred, dentry, av);
3086 }
3087 
3088 static int selinux_inode_getattr(const struct path *path)
3089 {
3090 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3091 }
3092 
3093 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3094 {
3095 	const struct cred *cred = current_cred();
3096 
3097 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
3098 		     sizeof XATTR_SECURITY_PREFIX - 1)) {
3099 		if (!strcmp(name, XATTR_NAME_CAPS)) {
3100 			if (!capable(CAP_SETFCAP))
3101 				return -EPERM;
3102 		} else if (!capable(CAP_SYS_ADMIN)) {
3103 			/* A different attribute in the security namespace.
3104 			   Restrict to administrator. */
3105 			return -EPERM;
3106 		}
3107 	}
3108 
3109 	/* Not an attribute we recognize, so just check the
3110 	   ordinary setattr permission. */
3111 	return dentry_has_perm(cred, dentry, FILE__SETATTR);
3112 }
3113 
3114 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3115 				  const void *value, size_t size, int flags)
3116 {
3117 	struct inode *inode = d_backing_inode(dentry);
3118 	struct inode_security_struct *isec;
3119 	struct superblock_security_struct *sbsec;
3120 	struct common_audit_data ad;
3121 	u32 newsid, sid = current_sid();
3122 	int rc = 0;
3123 
3124 	if (strcmp(name, XATTR_NAME_SELINUX))
3125 		return selinux_inode_setotherxattr(dentry, name);
3126 
3127 	sbsec = inode->i_sb->s_security;
3128 	if (!(sbsec->flags & SBLABEL_MNT))
3129 		return -EOPNOTSUPP;
3130 
3131 	if (!inode_owner_or_capable(inode))
3132 		return -EPERM;
3133 
3134 	ad.type = LSM_AUDIT_DATA_DENTRY;
3135 	ad.u.dentry = dentry;
3136 
3137 	isec = backing_inode_security(dentry);
3138 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3139 			  FILE__RELABELFROM, &ad);
3140 	if (rc)
3141 		return rc;
3142 
3143 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3144 	if (rc == -EINVAL) {
3145 		if (!capable(CAP_MAC_ADMIN)) {
3146 			struct audit_buffer *ab;
3147 			size_t audit_size;
3148 			const char *str;
3149 
3150 			/* We strip a nul only if it is at the end, otherwise the
3151 			 * context contains a nul and we should audit that */
3152 			if (value) {
3153 				str = value;
3154 				if (str[size - 1] == '\0')
3155 					audit_size = size - 1;
3156 				else
3157 					audit_size = size;
3158 			} else {
3159 				str = "";
3160 				audit_size = 0;
3161 			}
3162 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3163 			audit_log_format(ab, "op=setxattr invalid_context=");
3164 			audit_log_n_untrustedstring(ab, value, audit_size);
3165 			audit_log_end(ab);
3166 
3167 			return rc;
3168 		}
3169 		rc = security_context_to_sid_force(value, size, &newsid);
3170 	}
3171 	if (rc)
3172 		return rc;
3173 
3174 	rc = avc_has_perm(sid, newsid, isec->sclass,
3175 			  FILE__RELABELTO, &ad);
3176 	if (rc)
3177 		return rc;
3178 
3179 	rc = security_validate_transition(isec->sid, newsid, sid,
3180 					  isec->sclass);
3181 	if (rc)
3182 		return rc;
3183 
3184 	return avc_has_perm(newsid,
3185 			    sbsec->sid,
3186 			    SECCLASS_FILESYSTEM,
3187 			    FILESYSTEM__ASSOCIATE,
3188 			    &ad);
3189 }
3190 
3191 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3192 					const void *value, size_t size,
3193 					int flags)
3194 {
3195 	struct inode *inode = d_backing_inode(dentry);
3196 	struct inode_security_struct *isec;
3197 	u32 newsid;
3198 	int rc;
3199 
3200 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3201 		/* Not an attribute we recognize, so nothing to do. */
3202 		return;
3203 	}
3204 
3205 	rc = security_context_to_sid_force(value, size, &newsid);
3206 	if (rc) {
3207 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3208 		       "for (%s, %lu), rc=%d\n",
3209 		       inode->i_sb->s_id, inode->i_ino, -rc);
3210 		return;
3211 	}
3212 
3213 	isec = backing_inode_security(dentry);
3214 	spin_lock(&isec->lock);
3215 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3216 	isec->sid = newsid;
3217 	isec->initialized = LABEL_INITIALIZED;
3218 	spin_unlock(&isec->lock);
3219 
3220 	return;
3221 }
3222 
3223 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3224 {
3225 	const struct cred *cred = current_cred();
3226 
3227 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3228 }
3229 
3230 static int selinux_inode_listxattr(struct dentry *dentry)
3231 {
3232 	const struct cred *cred = current_cred();
3233 
3234 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3235 }
3236 
3237 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3238 {
3239 	if (strcmp(name, XATTR_NAME_SELINUX))
3240 		return selinux_inode_setotherxattr(dentry, name);
3241 
3242 	/* No one is allowed to remove a SELinux security label.
3243 	   You can change the label, but all data must be labeled. */
3244 	return -EACCES;
3245 }
3246 
3247 /*
3248  * Copy the inode security context value to the user.
3249  *
3250  * Permission check is handled by selinux_inode_getxattr hook.
3251  */
3252 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3253 {
3254 	u32 size;
3255 	int error;
3256 	char *context = NULL;
3257 	struct inode_security_struct *isec;
3258 
3259 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3260 		return -EOPNOTSUPP;
3261 
3262 	/*
3263 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3264 	 * value even if it is not defined by current policy; otherwise,
3265 	 * use the in-core value under current policy.
3266 	 * Use the non-auditing forms of the permission checks since
3267 	 * getxattr may be called by unprivileged processes commonly
3268 	 * and lack of permission just means that we fall back to the
3269 	 * in-core context value, not a denial.
3270 	 */
3271 	error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3272 			    SECURITY_CAP_NOAUDIT);
3273 	if (!error)
3274 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3275 					    SECURITY_CAP_NOAUDIT, true);
3276 	isec = inode_security(inode);
3277 	if (!error)
3278 		error = security_sid_to_context_force(isec->sid, &context,
3279 						      &size);
3280 	else
3281 		error = security_sid_to_context(isec->sid, &context, &size);
3282 	if (error)
3283 		return error;
3284 	error = size;
3285 	if (alloc) {
3286 		*buffer = context;
3287 		goto out_nofree;
3288 	}
3289 	kfree(context);
3290 out_nofree:
3291 	return error;
3292 }
3293 
3294 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3295 				     const void *value, size_t size, int flags)
3296 {
3297 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3298 	u32 newsid;
3299 	int rc;
3300 
3301 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3302 		return -EOPNOTSUPP;
3303 
3304 	if (!value || !size)
3305 		return -EACCES;
3306 
3307 	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3308 	if (rc)
3309 		return rc;
3310 
3311 	spin_lock(&isec->lock);
3312 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3313 	isec->sid = newsid;
3314 	isec->initialized = LABEL_INITIALIZED;
3315 	spin_unlock(&isec->lock);
3316 	return 0;
3317 }
3318 
3319 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3320 {
3321 	const int len = sizeof(XATTR_NAME_SELINUX);
3322 	if (buffer && len <= buffer_size)
3323 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3324 	return len;
3325 }
3326 
3327 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3328 {
3329 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3330 	*secid = isec->sid;
3331 }
3332 
3333 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3334 {
3335 	u32 sid;
3336 	struct task_security_struct *tsec;
3337 	struct cred *new_creds = *new;
3338 
3339 	if (new_creds == NULL) {
3340 		new_creds = prepare_creds();
3341 		if (!new_creds)
3342 			return -ENOMEM;
3343 	}
3344 
3345 	tsec = new_creds->security;
3346 	/* Get label from overlay inode and set it in create_sid */
3347 	selinux_inode_getsecid(d_inode(src), &sid);
3348 	tsec->create_sid = sid;
3349 	*new = new_creds;
3350 	return 0;
3351 }
3352 
3353 static int selinux_inode_copy_up_xattr(const char *name)
3354 {
3355 	/* The copy_up hook above sets the initial context on an inode, but we
3356 	 * don't then want to overwrite it by blindly copying all the lower
3357 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3358 	 */
3359 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3360 		return 1; /* Discard */
3361 	/*
3362 	 * Any other attribute apart from SELINUX is not claimed, supported
3363 	 * by selinux.
3364 	 */
3365 	return -EOPNOTSUPP;
3366 }
3367 
3368 /* file security operations */
3369 
3370 static int selinux_revalidate_file_permission(struct file *file, int mask)
3371 {
3372 	const struct cred *cred = current_cred();
3373 	struct inode *inode = file_inode(file);
3374 
3375 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3376 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3377 		mask |= MAY_APPEND;
3378 
3379 	return file_has_perm(cred, file,
3380 			     file_mask_to_av(inode->i_mode, mask));
3381 }
3382 
3383 static int selinux_file_permission(struct file *file, int mask)
3384 {
3385 	struct inode *inode = file_inode(file);
3386 	struct file_security_struct *fsec = file->f_security;
3387 	struct inode_security_struct *isec;
3388 	u32 sid = current_sid();
3389 
3390 	if (!mask)
3391 		/* No permission to check.  Existence test. */
3392 		return 0;
3393 
3394 	isec = inode_security(inode);
3395 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3396 	    fsec->pseqno == avc_policy_seqno())
3397 		/* No change since file_open check. */
3398 		return 0;
3399 
3400 	return selinux_revalidate_file_permission(file, mask);
3401 }
3402 
3403 static int selinux_file_alloc_security(struct file *file)
3404 {
3405 	return file_alloc_security(file);
3406 }
3407 
3408 static void selinux_file_free_security(struct file *file)
3409 {
3410 	file_free_security(file);
3411 }
3412 
3413 /*
3414  * Check whether a task has the ioctl permission and cmd
3415  * operation to an inode.
3416  */
3417 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3418 		u32 requested, u16 cmd)
3419 {
3420 	struct common_audit_data ad;
3421 	struct file_security_struct *fsec = file->f_security;
3422 	struct inode *inode = file_inode(file);
3423 	struct inode_security_struct *isec;
3424 	struct lsm_ioctlop_audit ioctl;
3425 	u32 ssid = cred_sid(cred);
3426 	int rc;
3427 	u8 driver = cmd >> 8;
3428 	u8 xperm = cmd & 0xff;
3429 
3430 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3431 	ad.u.op = &ioctl;
3432 	ad.u.op->cmd = cmd;
3433 	ad.u.op->path = file->f_path;
3434 
3435 	if (ssid != fsec->sid) {
3436 		rc = avc_has_perm(ssid, fsec->sid,
3437 				SECCLASS_FD,
3438 				FD__USE,
3439 				&ad);
3440 		if (rc)
3441 			goto out;
3442 	}
3443 
3444 	if (unlikely(IS_PRIVATE(inode)))
3445 		return 0;
3446 
3447 	isec = inode_security(inode);
3448 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3449 			requested, driver, xperm, &ad);
3450 out:
3451 	return rc;
3452 }
3453 
3454 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3455 			      unsigned long arg)
3456 {
3457 	const struct cred *cred = current_cred();
3458 	int error = 0;
3459 
3460 	switch (cmd) {
3461 	case FIONREAD:
3462 	/* fall through */
3463 	case FIBMAP:
3464 	/* fall through */
3465 	case FIGETBSZ:
3466 	/* fall through */
3467 	case FS_IOC_GETFLAGS:
3468 	/* fall through */
3469 	case FS_IOC_GETVERSION:
3470 		error = file_has_perm(cred, file, FILE__GETATTR);
3471 		break;
3472 
3473 	case FS_IOC_SETFLAGS:
3474 	/* fall through */
3475 	case FS_IOC_SETVERSION:
3476 		error = file_has_perm(cred, file, FILE__SETATTR);
3477 		break;
3478 
3479 	/* sys_ioctl() checks */
3480 	case FIONBIO:
3481 	/* fall through */
3482 	case FIOASYNC:
3483 		error = file_has_perm(cred, file, 0);
3484 		break;
3485 
3486 	case KDSKBENT:
3487 	case KDSKBSENT:
3488 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3489 					    SECURITY_CAP_AUDIT, true);
3490 		break;
3491 
3492 	/* default case assumes that the command will go
3493 	 * to the file's ioctl() function.
3494 	 */
3495 	default:
3496 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3497 	}
3498 	return error;
3499 }
3500 
3501 static int default_noexec;
3502 
3503 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3504 {
3505 	const struct cred *cred = current_cred();
3506 	int rc = 0;
3507 
3508 	if (default_noexec &&
3509 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3510 				   (!shared && (prot & PROT_WRITE)))) {
3511 		/*
3512 		 * We are making executable an anonymous mapping or a
3513 		 * private file mapping that will also be writable.
3514 		 * This has an additional check.
3515 		 */
3516 		rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3517 		if (rc)
3518 			goto error;
3519 	}
3520 
3521 	if (file) {
3522 		/* read access is always possible with a mapping */
3523 		u32 av = FILE__READ;
3524 
3525 		/* write access only matters if the mapping is shared */
3526 		if (shared && (prot & PROT_WRITE))
3527 			av |= FILE__WRITE;
3528 
3529 		if (prot & PROT_EXEC)
3530 			av |= FILE__EXECUTE;
3531 
3532 		return file_has_perm(cred, file, av);
3533 	}
3534 
3535 error:
3536 	return rc;
3537 }
3538 
3539 static int selinux_mmap_addr(unsigned long addr)
3540 {
3541 	int rc = 0;
3542 
3543 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3544 		u32 sid = current_sid();
3545 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3546 				  MEMPROTECT__MMAP_ZERO, NULL);
3547 	}
3548 
3549 	return rc;
3550 }
3551 
3552 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3553 			     unsigned long prot, unsigned long flags)
3554 {
3555 	if (selinux_checkreqprot)
3556 		prot = reqprot;
3557 
3558 	return file_map_prot_check(file, prot,
3559 				   (flags & MAP_TYPE) == MAP_SHARED);
3560 }
3561 
3562 static int selinux_file_mprotect(struct vm_area_struct *vma,
3563 				 unsigned long reqprot,
3564 				 unsigned long prot)
3565 {
3566 	const struct cred *cred = current_cred();
3567 
3568 	if (selinux_checkreqprot)
3569 		prot = reqprot;
3570 
3571 	if (default_noexec &&
3572 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3573 		int rc = 0;
3574 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3575 		    vma->vm_end <= vma->vm_mm->brk) {
3576 			rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3577 		} else if (!vma->vm_file &&
3578 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3579 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3580 			    vma_is_stack_for_current(vma))) {
3581 			rc = current_has_perm(current, PROCESS__EXECSTACK);
3582 		} else if (vma->vm_file && vma->anon_vma) {
3583 			/*
3584 			 * We are making executable a file mapping that has
3585 			 * had some COW done. Since pages might have been
3586 			 * written, check ability to execute the possibly
3587 			 * modified content.  This typically should only
3588 			 * occur for text relocations.
3589 			 */
3590 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3591 		}
3592 		if (rc)
3593 			return rc;
3594 	}
3595 
3596 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3597 }
3598 
3599 static int selinux_file_lock(struct file *file, unsigned int cmd)
3600 {
3601 	const struct cred *cred = current_cred();
3602 
3603 	return file_has_perm(cred, file, FILE__LOCK);
3604 }
3605 
3606 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3607 			      unsigned long arg)
3608 {
3609 	const struct cred *cred = current_cred();
3610 	int err = 0;
3611 
3612 	switch (cmd) {
3613 	case F_SETFL:
3614 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3615 			err = file_has_perm(cred, file, FILE__WRITE);
3616 			break;
3617 		}
3618 		/* fall through */
3619 	case F_SETOWN:
3620 	case F_SETSIG:
3621 	case F_GETFL:
3622 	case F_GETOWN:
3623 	case F_GETSIG:
3624 	case F_GETOWNER_UIDS:
3625 		/* Just check FD__USE permission */
3626 		err = file_has_perm(cred, file, 0);
3627 		break;
3628 	case F_GETLK:
3629 	case F_SETLK:
3630 	case F_SETLKW:
3631 	case F_OFD_GETLK:
3632 	case F_OFD_SETLK:
3633 	case F_OFD_SETLKW:
3634 #if BITS_PER_LONG == 32
3635 	case F_GETLK64:
3636 	case F_SETLK64:
3637 	case F_SETLKW64:
3638 #endif
3639 		err = file_has_perm(cred, file, FILE__LOCK);
3640 		break;
3641 	}
3642 
3643 	return err;
3644 }
3645 
3646 static void selinux_file_set_fowner(struct file *file)
3647 {
3648 	struct file_security_struct *fsec;
3649 
3650 	fsec = file->f_security;
3651 	fsec->fown_sid = current_sid();
3652 }
3653 
3654 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3655 				       struct fown_struct *fown, int signum)
3656 {
3657 	struct file *file;
3658 	u32 sid = task_sid(tsk);
3659 	u32 perm;
3660 	struct file_security_struct *fsec;
3661 
3662 	/* struct fown_struct is never outside the context of a struct file */
3663 	file = container_of(fown, struct file, f_owner);
3664 
3665 	fsec = file->f_security;
3666 
3667 	if (!signum)
3668 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3669 	else
3670 		perm = signal_to_av(signum);
3671 
3672 	return avc_has_perm(fsec->fown_sid, sid,
3673 			    SECCLASS_PROCESS, perm, NULL);
3674 }
3675 
3676 static int selinux_file_receive(struct file *file)
3677 {
3678 	const struct cred *cred = current_cred();
3679 
3680 	return file_has_perm(cred, file, file_to_av(file));
3681 }
3682 
3683 static int selinux_file_open(struct file *file, const struct cred *cred)
3684 {
3685 	struct file_security_struct *fsec;
3686 	struct inode_security_struct *isec;
3687 
3688 	fsec = file->f_security;
3689 	isec = inode_security(file_inode(file));
3690 	/*
3691 	 * Save inode label and policy sequence number
3692 	 * at open-time so that selinux_file_permission
3693 	 * can determine whether revalidation is necessary.
3694 	 * Task label is already saved in the file security
3695 	 * struct as its SID.
3696 	 */
3697 	fsec->isid = isec->sid;
3698 	fsec->pseqno = avc_policy_seqno();
3699 	/*
3700 	 * Since the inode label or policy seqno may have changed
3701 	 * between the selinux_inode_permission check and the saving
3702 	 * of state above, recheck that access is still permitted.
3703 	 * Otherwise, access might never be revalidated against the
3704 	 * new inode label or new policy.
3705 	 * This check is not redundant - do not remove.
3706 	 */
3707 	return file_path_has_perm(cred, file, open_file_to_av(file));
3708 }
3709 
3710 /* task security operations */
3711 
3712 static int selinux_task_create(unsigned long clone_flags)
3713 {
3714 	return current_has_perm(current, PROCESS__FORK);
3715 }
3716 
3717 /*
3718  * allocate the SELinux part of blank credentials
3719  */
3720 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3721 {
3722 	struct task_security_struct *tsec;
3723 
3724 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3725 	if (!tsec)
3726 		return -ENOMEM;
3727 
3728 	cred->security = tsec;
3729 	return 0;
3730 }
3731 
3732 /*
3733  * detach and free the LSM part of a set of credentials
3734  */
3735 static void selinux_cred_free(struct cred *cred)
3736 {
3737 	struct task_security_struct *tsec = cred->security;
3738 
3739 	/*
3740 	 * cred->security == NULL if security_cred_alloc_blank() or
3741 	 * security_prepare_creds() returned an error.
3742 	 */
3743 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3744 	cred->security = (void *) 0x7UL;
3745 	kfree(tsec);
3746 }
3747 
3748 /*
3749  * prepare a new set of credentials for modification
3750  */
3751 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3752 				gfp_t gfp)
3753 {
3754 	const struct task_security_struct *old_tsec;
3755 	struct task_security_struct *tsec;
3756 
3757 	old_tsec = old->security;
3758 
3759 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3760 	if (!tsec)
3761 		return -ENOMEM;
3762 
3763 	new->security = tsec;
3764 	return 0;
3765 }
3766 
3767 /*
3768  * transfer the SELinux data to a blank set of creds
3769  */
3770 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3771 {
3772 	const struct task_security_struct *old_tsec = old->security;
3773 	struct task_security_struct *tsec = new->security;
3774 
3775 	*tsec = *old_tsec;
3776 }
3777 
3778 /*
3779  * set the security data for a kernel service
3780  * - all the creation contexts are set to unlabelled
3781  */
3782 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3783 {
3784 	struct task_security_struct *tsec = new->security;
3785 	u32 sid = current_sid();
3786 	int ret;
3787 
3788 	ret = avc_has_perm(sid, secid,
3789 			   SECCLASS_KERNEL_SERVICE,
3790 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3791 			   NULL);
3792 	if (ret == 0) {
3793 		tsec->sid = secid;
3794 		tsec->create_sid = 0;
3795 		tsec->keycreate_sid = 0;
3796 		tsec->sockcreate_sid = 0;
3797 	}
3798 	return ret;
3799 }
3800 
3801 /*
3802  * set the file creation context in a security record to the same as the
3803  * objective context of the specified inode
3804  */
3805 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3806 {
3807 	struct inode_security_struct *isec = inode_security(inode);
3808 	struct task_security_struct *tsec = new->security;
3809 	u32 sid = current_sid();
3810 	int ret;
3811 
3812 	ret = avc_has_perm(sid, isec->sid,
3813 			   SECCLASS_KERNEL_SERVICE,
3814 			   KERNEL_SERVICE__CREATE_FILES_AS,
3815 			   NULL);
3816 
3817 	if (ret == 0)
3818 		tsec->create_sid = isec->sid;
3819 	return ret;
3820 }
3821 
3822 static int selinux_kernel_module_request(char *kmod_name)
3823 {
3824 	u32 sid;
3825 	struct common_audit_data ad;
3826 
3827 	sid = task_sid(current);
3828 
3829 	ad.type = LSM_AUDIT_DATA_KMOD;
3830 	ad.u.kmod_name = kmod_name;
3831 
3832 	return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3833 			    SYSTEM__MODULE_REQUEST, &ad);
3834 }
3835 
3836 static int selinux_kernel_module_from_file(struct file *file)
3837 {
3838 	struct common_audit_data ad;
3839 	struct inode_security_struct *isec;
3840 	struct file_security_struct *fsec;
3841 	u32 sid = current_sid();
3842 	int rc;
3843 
3844 	/* init_module */
3845 	if (file == NULL)
3846 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3847 					SYSTEM__MODULE_LOAD, NULL);
3848 
3849 	/* finit_module */
3850 
3851 	ad.type = LSM_AUDIT_DATA_FILE;
3852 	ad.u.file = file;
3853 
3854 	fsec = file->f_security;
3855 	if (sid != fsec->sid) {
3856 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3857 		if (rc)
3858 			return rc;
3859 	}
3860 
3861 	isec = inode_security(file_inode(file));
3862 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3863 				SYSTEM__MODULE_LOAD, &ad);
3864 }
3865 
3866 static int selinux_kernel_read_file(struct file *file,
3867 				    enum kernel_read_file_id id)
3868 {
3869 	int rc = 0;
3870 
3871 	switch (id) {
3872 	case READING_MODULE:
3873 		rc = selinux_kernel_module_from_file(file);
3874 		break;
3875 	default:
3876 		break;
3877 	}
3878 
3879 	return rc;
3880 }
3881 
3882 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3883 {
3884 	return current_has_perm(p, PROCESS__SETPGID);
3885 }
3886 
3887 static int selinux_task_getpgid(struct task_struct *p)
3888 {
3889 	return current_has_perm(p, PROCESS__GETPGID);
3890 }
3891 
3892 static int selinux_task_getsid(struct task_struct *p)
3893 {
3894 	return current_has_perm(p, PROCESS__GETSESSION);
3895 }
3896 
3897 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3898 {
3899 	*secid = task_sid(p);
3900 }
3901 
3902 static int selinux_task_setnice(struct task_struct *p, int nice)
3903 {
3904 	return current_has_perm(p, PROCESS__SETSCHED);
3905 }
3906 
3907 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3908 {
3909 	return current_has_perm(p, PROCESS__SETSCHED);
3910 }
3911 
3912 static int selinux_task_getioprio(struct task_struct *p)
3913 {
3914 	return current_has_perm(p, PROCESS__GETSCHED);
3915 }
3916 
3917 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3918 		struct rlimit *new_rlim)
3919 {
3920 	struct rlimit *old_rlim = p->signal->rlim + resource;
3921 
3922 	/* Control the ability to change the hard limit (whether
3923 	   lowering or raising it), so that the hard limit can
3924 	   later be used as a safe reset point for the soft limit
3925 	   upon context transitions.  See selinux_bprm_committing_creds. */
3926 	if (old_rlim->rlim_max != new_rlim->rlim_max)
3927 		return current_has_perm(p, PROCESS__SETRLIMIT);
3928 
3929 	return 0;
3930 }
3931 
3932 static int selinux_task_setscheduler(struct task_struct *p)
3933 {
3934 	return current_has_perm(p, PROCESS__SETSCHED);
3935 }
3936 
3937 static int selinux_task_getscheduler(struct task_struct *p)
3938 {
3939 	return current_has_perm(p, PROCESS__GETSCHED);
3940 }
3941 
3942 static int selinux_task_movememory(struct task_struct *p)
3943 {
3944 	return current_has_perm(p, PROCESS__SETSCHED);
3945 }
3946 
3947 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3948 				int sig, u32 secid)
3949 {
3950 	u32 perm;
3951 	int rc;
3952 
3953 	if (!sig)
3954 		perm = PROCESS__SIGNULL; /* null signal; existence test */
3955 	else
3956 		perm = signal_to_av(sig);
3957 	if (secid)
3958 		rc = avc_has_perm(secid, task_sid(p),
3959 				  SECCLASS_PROCESS, perm, NULL);
3960 	else
3961 		rc = current_has_perm(p, perm);
3962 	return rc;
3963 }
3964 
3965 static int selinux_task_wait(struct task_struct *p)
3966 {
3967 	return task_has_perm(p, current, PROCESS__SIGCHLD);
3968 }
3969 
3970 static void selinux_task_to_inode(struct task_struct *p,
3971 				  struct inode *inode)
3972 {
3973 	struct inode_security_struct *isec = inode->i_security;
3974 	u32 sid = task_sid(p);
3975 
3976 	spin_lock(&isec->lock);
3977 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3978 	isec->sid = sid;
3979 	isec->initialized = LABEL_INITIALIZED;
3980 	spin_unlock(&isec->lock);
3981 }
3982 
3983 /* Returns error only if unable to parse addresses */
3984 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3985 			struct common_audit_data *ad, u8 *proto)
3986 {
3987 	int offset, ihlen, ret = -EINVAL;
3988 	struct iphdr _iph, *ih;
3989 
3990 	offset = skb_network_offset(skb);
3991 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3992 	if (ih == NULL)
3993 		goto out;
3994 
3995 	ihlen = ih->ihl * 4;
3996 	if (ihlen < sizeof(_iph))
3997 		goto out;
3998 
3999 	ad->u.net->v4info.saddr = ih->saddr;
4000 	ad->u.net->v4info.daddr = ih->daddr;
4001 	ret = 0;
4002 
4003 	if (proto)
4004 		*proto = ih->protocol;
4005 
4006 	switch (ih->protocol) {
4007 	case IPPROTO_TCP: {
4008 		struct tcphdr _tcph, *th;
4009 
4010 		if (ntohs(ih->frag_off) & IP_OFFSET)
4011 			break;
4012 
4013 		offset += ihlen;
4014 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4015 		if (th == NULL)
4016 			break;
4017 
4018 		ad->u.net->sport = th->source;
4019 		ad->u.net->dport = th->dest;
4020 		break;
4021 	}
4022 
4023 	case IPPROTO_UDP: {
4024 		struct udphdr _udph, *uh;
4025 
4026 		if (ntohs(ih->frag_off) & IP_OFFSET)
4027 			break;
4028 
4029 		offset += ihlen;
4030 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4031 		if (uh == NULL)
4032 			break;
4033 
4034 		ad->u.net->sport = uh->source;
4035 		ad->u.net->dport = uh->dest;
4036 		break;
4037 	}
4038 
4039 	case IPPROTO_DCCP: {
4040 		struct dccp_hdr _dccph, *dh;
4041 
4042 		if (ntohs(ih->frag_off) & IP_OFFSET)
4043 			break;
4044 
4045 		offset += ihlen;
4046 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4047 		if (dh == NULL)
4048 			break;
4049 
4050 		ad->u.net->sport = dh->dccph_sport;
4051 		ad->u.net->dport = dh->dccph_dport;
4052 		break;
4053 	}
4054 
4055 	default:
4056 		break;
4057 	}
4058 out:
4059 	return ret;
4060 }
4061 
4062 #if IS_ENABLED(CONFIG_IPV6)
4063 
4064 /* Returns error only if unable to parse addresses */
4065 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4066 			struct common_audit_data *ad, u8 *proto)
4067 {
4068 	u8 nexthdr;
4069 	int ret = -EINVAL, offset;
4070 	struct ipv6hdr _ipv6h, *ip6;
4071 	__be16 frag_off;
4072 
4073 	offset = skb_network_offset(skb);
4074 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4075 	if (ip6 == NULL)
4076 		goto out;
4077 
4078 	ad->u.net->v6info.saddr = ip6->saddr;
4079 	ad->u.net->v6info.daddr = ip6->daddr;
4080 	ret = 0;
4081 
4082 	nexthdr = ip6->nexthdr;
4083 	offset += sizeof(_ipv6h);
4084 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4085 	if (offset < 0)
4086 		goto out;
4087 
4088 	if (proto)
4089 		*proto = nexthdr;
4090 
4091 	switch (nexthdr) {
4092 	case IPPROTO_TCP: {
4093 		struct tcphdr _tcph, *th;
4094 
4095 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4096 		if (th == NULL)
4097 			break;
4098 
4099 		ad->u.net->sport = th->source;
4100 		ad->u.net->dport = th->dest;
4101 		break;
4102 	}
4103 
4104 	case IPPROTO_UDP: {
4105 		struct udphdr _udph, *uh;
4106 
4107 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4108 		if (uh == NULL)
4109 			break;
4110 
4111 		ad->u.net->sport = uh->source;
4112 		ad->u.net->dport = uh->dest;
4113 		break;
4114 	}
4115 
4116 	case IPPROTO_DCCP: {
4117 		struct dccp_hdr _dccph, *dh;
4118 
4119 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4120 		if (dh == NULL)
4121 			break;
4122 
4123 		ad->u.net->sport = dh->dccph_sport;
4124 		ad->u.net->dport = dh->dccph_dport;
4125 		break;
4126 	}
4127 
4128 	/* includes fragments */
4129 	default:
4130 		break;
4131 	}
4132 out:
4133 	return ret;
4134 }
4135 
4136 #endif /* IPV6 */
4137 
4138 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4139 			     char **_addrp, int src, u8 *proto)
4140 {
4141 	char *addrp;
4142 	int ret;
4143 
4144 	switch (ad->u.net->family) {
4145 	case PF_INET:
4146 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4147 		if (ret)
4148 			goto parse_error;
4149 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4150 				       &ad->u.net->v4info.daddr);
4151 		goto okay;
4152 
4153 #if IS_ENABLED(CONFIG_IPV6)
4154 	case PF_INET6:
4155 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4156 		if (ret)
4157 			goto parse_error;
4158 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4159 				       &ad->u.net->v6info.daddr);
4160 		goto okay;
4161 #endif	/* IPV6 */
4162 	default:
4163 		addrp = NULL;
4164 		goto okay;
4165 	}
4166 
4167 parse_error:
4168 	printk(KERN_WARNING
4169 	       "SELinux: failure in selinux_parse_skb(),"
4170 	       " unable to parse packet\n");
4171 	return ret;
4172 
4173 okay:
4174 	if (_addrp)
4175 		*_addrp = addrp;
4176 	return 0;
4177 }
4178 
4179 /**
4180  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4181  * @skb: the packet
4182  * @family: protocol family
4183  * @sid: the packet's peer label SID
4184  *
4185  * Description:
4186  * Check the various different forms of network peer labeling and determine
4187  * the peer label/SID for the packet; most of the magic actually occurs in
4188  * the security server function security_net_peersid_cmp().  The function
4189  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4190  * or -EACCES if @sid is invalid due to inconsistencies with the different
4191  * peer labels.
4192  *
4193  */
4194 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4195 {
4196 	int err;
4197 	u32 xfrm_sid;
4198 	u32 nlbl_sid;
4199 	u32 nlbl_type;
4200 
4201 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4202 	if (unlikely(err))
4203 		return -EACCES;
4204 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4205 	if (unlikely(err))
4206 		return -EACCES;
4207 
4208 	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4209 	if (unlikely(err)) {
4210 		printk(KERN_WARNING
4211 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4212 		       " unable to determine packet's peer label\n");
4213 		return -EACCES;
4214 	}
4215 
4216 	return 0;
4217 }
4218 
4219 /**
4220  * selinux_conn_sid - Determine the child socket label for a connection
4221  * @sk_sid: the parent socket's SID
4222  * @skb_sid: the packet's SID
4223  * @conn_sid: the resulting connection SID
4224  *
4225  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4226  * combined with the MLS information from @skb_sid in order to create
4227  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4228  * of @sk_sid.  Returns zero on success, negative values on failure.
4229  *
4230  */
4231 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4232 {
4233 	int err = 0;
4234 
4235 	if (skb_sid != SECSID_NULL)
4236 		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4237 	else
4238 		*conn_sid = sk_sid;
4239 
4240 	return err;
4241 }
4242 
4243 /* socket security operations */
4244 
4245 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4246 				 u16 secclass, u32 *socksid)
4247 {
4248 	if (tsec->sockcreate_sid > SECSID_NULL) {
4249 		*socksid = tsec->sockcreate_sid;
4250 		return 0;
4251 	}
4252 
4253 	return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4254 				       socksid);
4255 }
4256 
4257 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4258 {
4259 	struct sk_security_struct *sksec = sk->sk_security;
4260 	struct common_audit_data ad;
4261 	struct lsm_network_audit net = {0,};
4262 	u32 tsid = task_sid(task);
4263 
4264 	if (sksec->sid == SECINITSID_KERNEL)
4265 		return 0;
4266 
4267 	ad.type = LSM_AUDIT_DATA_NET;
4268 	ad.u.net = &net;
4269 	ad.u.net->sk = sk;
4270 
4271 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4272 }
4273 
4274 static int selinux_socket_create(int family, int type,
4275 				 int protocol, int kern)
4276 {
4277 	const struct task_security_struct *tsec = current_security();
4278 	u32 newsid;
4279 	u16 secclass;
4280 	int rc;
4281 
4282 	if (kern)
4283 		return 0;
4284 
4285 	secclass = socket_type_to_security_class(family, type, protocol);
4286 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4287 	if (rc)
4288 		return rc;
4289 
4290 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4291 }
4292 
4293 static int selinux_socket_post_create(struct socket *sock, int family,
4294 				      int type, int protocol, int kern)
4295 {
4296 	const struct task_security_struct *tsec = current_security();
4297 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4298 	struct sk_security_struct *sksec;
4299 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4300 	u32 sid = SECINITSID_KERNEL;
4301 	int err = 0;
4302 
4303 	if (!kern) {
4304 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4305 		if (err)
4306 			return err;
4307 	}
4308 
4309 	isec->sclass = sclass;
4310 	isec->sid = sid;
4311 	isec->initialized = LABEL_INITIALIZED;
4312 
4313 	if (sock->sk) {
4314 		sksec = sock->sk->sk_security;
4315 		sksec->sclass = sclass;
4316 		sksec->sid = sid;
4317 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4318 	}
4319 
4320 	return err;
4321 }
4322 
4323 /* Range of port numbers used to automatically bind.
4324    Need to determine whether we should perform a name_bind
4325    permission check between the socket and the port number. */
4326 
4327 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4328 {
4329 	struct sock *sk = sock->sk;
4330 	u16 family;
4331 	int err;
4332 
4333 	err = sock_has_perm(current, sk, SOCKET__BIND);
4334 	if (err)
4335 		goto out;
4336 
4337 	/*
4338 	 * If PF_INET or PF_INET6, check name_bind permission for the port.
4339 	 * Multiple address binding for SCTP is not supported yet: we just
4340 	 * check the first address now.
4341 	 */
4342 	family = sk->sk_family;
4343 	if (family == PF_INET || family == PF_INET6) {
4344 		char *addrp;
4345 		struct sk_security_struct *sksec = sk->sk_security;
4346 		struct common_audit_data ad;
4347 		struct lsm_network_audit net = {0,};
4348 		struct sockaddr_in *addr4 = NULL;
4349 		struct sockaddr_in6 *addr6 = NULL;
4350 		unsigned short snum;
4351 		u32 sid, node_perm;
4352 
4353 		if (family == PF_INET) {
4354 			addr4 = (struct sockaddr_in *)address;
4355 			snum = ntohs(addr4->sin_port);
4356 			addrp = (char *)&addr4->sin_addr.s_addr;
4357 		} else {
4358 			addr6 = (struct sockaddr_in6 *)address;
4359 			snum = ntohs(addr6->sin6_port);
4360 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4361 		}
4362 
4363 		if (snum) {
4364 			int low, high;
4365 
4366 			inet_get_local_port_range(sock_net(sk), &low, &high);
4367 
4368 			if (snum < max(PROT_SOCK, low) || snum > high) {
4369 				err = sel_netport_sid(sk->sk_protocol,
4370 						      snum, &sid);
4371 				if (err)
4372 					goto out;
4373 				ad.type = LSM_AUDIT_DATA_NET;
4374 				ad.u.net = &net;
4375 				ad.u.net->sport = htons(snum);
4376 				ad.u.net->family = family;
4377 				err = avc_has_perm(sksec->sid, sid,
4378 						   sksec->sclass,
4379 						   SOCKET__NAME_BIND, &ad);
4380 				if (err)
4381 					goto out;
4382 			}
4383 		}
4384 
4385 		switch (sksec->sclass) {
4386 		case SECCLASS_TCP_SOCKET:
4387 			node_perm = TCP_SOCKET__NODE_BIND;
4388 			break;
4389 
4390 		case SECCLASS_UDP_SOCKET:
4391 			node_perm = UDP_SOCKET__NODE_BIND;
4392 			break;
4393 
4394 		case SECCLASS_DCCP_SOCKET:
4395 			node_perm = DCCP_SOCKET__NODE_BIND;
4396 			break;
4397 
4398 		default:
4399 			node_perm = RAWIP_SOCKET__NODE_BIND;
4400 			break;
4401 		}
4402 
4403 		err = sel_netnode_sid(addrp, family, &sid);
4404 		if (err)
4405 			goto out;
4406 
4407 		ad.type = LSM_AUDIT_DATA_NET;
4408 		ad.u.net = &net;
4409 		ad.u.net->sport = htons(snum);
4410 		ad.u.net->family = family;
4411 
4412 		if (family == PF_INET)
4413 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4414 		else
4415 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4416 
4417 		err = avc_has_perm(sksec->sid, sid,
4418 				   sksec->sclass, node_perm, &ad);
4419 		if (err)
4420 			goto out;
4421 	}
4422 out:
4423 	return err;
4424 }
4425 
4426 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4427 {
4428 	struct sock *sk = sock->sk;
4429 	struct sk_security_struct *sksec = sk->sk_security;
4430 	int err;
4431 
4432 	err = sock_has_perm(current, sk, SOCKET__CONNECT);
4433 	if (err)
4434 		return err;
4435 
4436 	/*
4437 	 * If a TCP or DCCP socket, check name_connect permission for the port.
4438 	 */
4439 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4440 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
4441 		struct common_audit_data ad;
4442 		struct lsm_network_audit net = {0,};
4443 		struct sockaddr_in *addr4 = NULL;
4444 		struct sockaddr_in6 *addr6 = NULL;
4445 		unsigned short snum;
4446 		u32 sid, perm;
4447 
4448 		if (sk->sk_family == PF_INET) {
4449 			addr4 = (struct sockaddr_in *)address;
4450 			if (addrlen < sizeof(struct sockaddr_in))
4451 				return -EINVAL;
4452 			snum = ntohs(addr4->sin_port);
4453 		} else {
4454 			addr6 = (struct sockaddr_in6 *)address;
4455 			if (addrlen < SIN6_LEN_RFC2133)
4456 				return -EINVAL;
4457 			snum = ntohs(addr6->sin6_port);
4458 		}
4459 
4460 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4461 		if (err)
4462 			goto out;
4463 
4464 		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4465 		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4466 
4467 		ad.type = LSM_AUDIT_DATA_NET;
4468 		ad.u.net = &net;
4469 		ad.u.net->dport = htons(snum);
4470 		ad.u.net->family = sk->sk_family;
4471 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4472 		if (err)
4473 			goto out;
4474 	}
4475 
4476 	err = selinux_netlbl_socket_connect(sk, address);
4477 
4478 out:
4479 	return err;
4480 }
4481 
4482 static int selinux_socket_listen(struct socket *sock, int backlog)
4483 {
4484 	return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4485 }
4486 
4487 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4488 {
4489 	int err;
4490 	struct inode_security_struct *isec;
4491 	struct inode_security_struct *newisec;
4492 	u16 sclass;
4493 	u32 sid;
4494 
4495 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4496 	if (err)
4497 		return err;
4498 
4499 	isec = inode_security_novalidate(SOCK_INODE(sock));
4500 	spin_lock(&isec->lock);
4501 	sclass = isec->sclass;
4502 	sid = isec->sid;
4503 	spin_unlock(&isec->lock);
4504 
4505 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4506 	newisec->sclass = sclass;
4507 	newisec->sid = sid;
4508 	newisec->initialized = LABEL_INITIALIZED;
4509 
4510 	return 0;
4511 }
4512 
4513 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4514 				  int size)
4515 {
4516 	return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4517 }
4518 
4519 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4520 				  int size, int flags)
4521 {
4522 	return sock_has_perm(current, sock->sk, SOCKET__READ);
4523 }
4524 
4525 static int selinux_socket_getsockname(struct socket *sock)
4526 {
4527 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4528 }
4529 
4530 static int selinux_socket_getpeername(struct socket *sock)
4531 {
4532 	return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4533 }
4534 
4535 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4536 {
4537 	int err;
4538 
4539 	err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4540 	if (err)
4541 		return err;
4542 
4543 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4544 }
4545 
4546 static int selinux_socket_getsockopt(struct socket *sock, int level,
4547 				     int optname)
4548 {
4549 	return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4550 }
4551 
4552 static int selinux_socket_shutdown(struct socket *sock, int how)
4553 {
4554 	return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4555 }
4556 
4557 static int selinux_socket_unix_stream_connect(struct sock *sock,
4558 					      struct sock *other,
4559 					      struct sock *newsk)
4560 {
4561 	struct sk_security_struct *sksec_sock = sock->sk_security;
4562 	struct sk_security_struct *sksec_other = other->sk_security;
4563 	struct sk_security_struct *sksec_new = newsk->sk_security;
4564 	struct common_audit_data ad;
4565 	struct lsm_network_audit net = {0,};
4566 	int err;
4567 
4568 	ad.type = LSM_AUDIT_DATA_NET;
4569 	ad.u.net = &net;
4570 	ad.u.net->sk = other;
4571 
4572 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4573 			   sksec_other->sclass,
4574 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4575 	if (err)
4576 		return err;
4577 
4578 	/* server child socket */
4579 	sksec_new->peer_sid = sksec_sock->sid;
4580 	err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4581 				    &sksec_new->sid);
4582 	if (err)
4583 		return err;
4584 
4585 	/* connecting socket */
4586 	sksec_sock->peer_sid = sksec_new->sid;
4587 
4588 	return 0;
4589 }
4590 
4591 static int selinux_socket_unix_may_send(struct socket *sock,
4592 					struct socket *other)
4593 {
4594 	struct sk_security_struct *ssec = sock->sk->sk_security;
4595 	struct sk_security_struct *osec = other->sk->sk_security;
4596 	struct common_audit_data ad;
4597 	struct lsm_network_audit net = {0,};
4598 
4599 	ad.type = LSM_AUDIT_DATA_NET;
4600 	ad.u.net = &net;
4601 	ad.u.net->sk = other->sk;
4602 
4603 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4604 			    &ad);
4605 }
4606 
4607 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4608 				    char *addrp, u16 family, u32 peer_sid,
4609 				    struct common_audit_data *ad)
4610 {
4611 	int err;
4612 	u32 if_sid;
4613 	u32 node_sid;
4614 
4615 	err = sel_netif_sid(ns, ifindex, &if_sid);
4616 	if (err)
4617 		return err;
4618 	err = avc_has_perm(peer_sid, if_sid,
4619 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4620 	if (err)
4621 		return err;
4622 
4623 	err = sel_netnode_sid(addrp, family, &node_sid);
4624 	if (err)
4625 		return err;
4626 	return avc_has_perm(peer_sid, node_sid,
4627 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4628 }
4629 
4630 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4631 				       u16 family)
4632 {
4633 	int err = 0;
4634 	struct sk_security_struct *sksec = sk->sk_security;
4635 	u32 sk_sid = sksec->sid;
4636 	struct common_audit_data ad;
4637 	struct lsm_network_audit net = {0,};
4638 	char *addrp;
4639 
4640 	ad.type = LSM_AUDIT_DATA_NET;
4641 	ad.u.net = &net;
4642 	ad.u.net->netif = skb->skb_iif;
4643 	ad.u.net->family = family;
4644 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4645 	if (err)
4646 		return err;
4647 
4648 	if (selinux_secmark_enabled()) {
4649 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4650 				   PACKET__RECV, &ad);
4651 		if (err)
4652 			return err;
4653 	}
4654 
4655 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4656 	if (err)
4657 		return err;
4658 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4659 
4660 	return err;
4661 }
4662 
4663 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4664 {
4665 	int err;
4666 	struct sk_security_struct *sksec = sk->sk_security;
4667 	u16 family = sk->sk_family;
4668 	u32 sk_sid = sksec->sid;
4669 	struct common_audit_data ad;
4670 	struct lsm_network_audit net = {0,};
4671 	char *addrp;
4672 	u8 secmark_active;
4673 	u8 peerlbl_active;
4674 
4675 	if (family != PF_INET && family != PF_INET6)
4676 		return 0;
4677 
4678 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4679 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4680 		family = PF_INET;
4681 
4682 	/* If any sort of compatibility mode is enabled then handoff processing
4683 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4684 	 * special handling.  We do this in an attempt to keep this function
4685 	 * as fast and as clean as possible. */
4686 	if (!selinux_policycap_netpeer)
4687 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4688 
4689 	secmark_active = selinux_secmark_enabled();
4690 	peerlbl_active = selinux_peerlbl_enabled();
4691 	if (!secmark_active && !peerlbl_active)
4692 		return 0;
4693 
4694 	ad.type = LSM_AUDIT_DATA_NET;
4695 	ad.u.net = &net;
4696 	ad.u.net->netif = skb->skb_iif;
4697 	ad.u.net->family = family;
4698 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4699 	if (err)
4700 		return err;
4701 
4702 	if (peerlbl_active) {
4703 		u32 peer_sid;
4704 
4705 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4706 		if (err)
4707 			return err;
4708 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4709 					       addrp, family, peer_sid, &ad);
4710 		if (err) {
4711 			selinux_netlbl_err(skb, family, err, 0);
4712 			return err;
4713 		}
4714 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4715 				   PEER__RECV, &ad);
4716 		if (err) {
4717 			selinux_netlbl_err(skb, family, err, 0);
4718 			return err;
4719 		}
4720 	}
4721 
4722 	if (secmark_active) {
4723 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4724 				   PACKET__RECV, &ad);
4725 		if (err)
4726 			return err;
4727 	}
4728 
4729 	return err;
4730 }
4731 
4732 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4733 					    int __user *optlen, unsigned len)
4734 {
4735 	int err = 0;
4736 	char *scontext;
4737 	u32 scontext_len;
4738 	struct sk_security_struct *sksec = sock->sk->sk_security;
4739 	u32 peer_sid = SECSID_NULL;
4740 
4741 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4742 	    sksec->sclass == SECCLASS_TCP_SOCKET)
4743 		peer_sid = sksec->peer_sid;
4744 	if (peer_sid == SECSID_NULL)
4745 		return -ENOPROTOOPT;
4746 
4747 	err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4748 	if (err)
4749 		return err;
4750 
4751 	if (scontext_len > len) {
4752 		err = -ERANGE;
4753 		goto out_len;
4754 	}
4755 
4756 	if (copy_to_user(optval, scontext, scontext_len))
4757 		err = -EFAULT;
4758 
4759 out_len:
4760 	if (put_user(scontext_len, optlen))
4761 		err = -EFAULT;
4762 	kfree(scontext);
4763 	return err;
4764 }
4765 
4766 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4767 {
4768 	u32 peer_secid = SECSID_NULL;
4769 	u16 family;
4770 	struct inode_security_struct *isec;
4771 
4772 	if (skb && skb->protocol == htons(ETH_P_IP))
4773 		family = PF_INET;
4774 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
4775 		family = PF_INET6;
4776 	else if (sock)
4777 		family = sock->sk->sk_family;
4778 	else
4779 		goto out;
4780 
4781 	if (sock && family == PF_UNIX) {
4782 		isec = inode_security_novalidate(SOCK_INODE(sock));
4783 		peer_secid = isec->sid;
4784 	} else if (skb)
4785 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4786 
4787 out:
4788 	*secid = peer_secid;
4789 	if (peer_secid == SECSID_NULL)
4790 		return -EINVAL;
4791 	return 0;
4792 }
4793 
4794 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4795 {
4796 	struct sk_security_struct *sksec;
4797 
4798 	sksec = kzalloc(sizeof(*sksec), priority);
4799 	if (!sksec)
4800 		return -ENOMEM;
4801 
4802 	sksec->peer_sid = SECINITSID_UNLABELED;
4803 	sksec->sid = SECINITSID_UNLABELED;
4804 	sksec->sclass = SECCLASS_SOCKET;
4805 	selinux_netlbl_sk_security_reset(sksec);
4806 	sk->sk_security = sksec;
4807 
4808 	return 0;
4809 }
4810 
4811 static void selinux_sk_free_security(struct sock *sk)
4812 {
4813 	struct sk_security_struct *sksec = sk->sk_security;
4814 
4815 	sk->sk_security = NULL;
4816 	selinux_netlbl_sk_security_free(sksec);
4817 	kfree(sksec);
4818 }
4819 
4820 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4821 {
4822 	struct sk_security_struct *sksec = sk->sk_security;
4823 	struct sk_security_struct *newsksec = newsk->sk_security;
4824 
4825 	newsksec->sid = sksec->sid;
4826 	newsksec->peer_sid = sksec->peer_sid;
4827 	newsksec->sclass = sksec->sclass;
4828 
4829 	selinux_netlbl_sk_security_reset(newsksec);
4830 }
4831 
4832 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4833 {
4834 	if (!sk)
4835 		*secid = SECINITSID_ANY_SOCKET;
4836 	else {
4837 		struct sk_security_struct *sksec = sk->sk_security;
4838 
4839 		*secid = sksec->sid;
4840 	}
4841 }
4842 
4843 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4844 {
4845 	struct inode_security_struct *isec =
4846 		inode_security_novalidate(SOCK_INODE(parent));
4847 	struct sk_security_struct *sksec = sk->sk_security;
4848 
4849 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4850 	    sk->sk_family == PF_UNIX)
4851 		isec->sid = sksec->sid;
4852 	sksec->sclass = isec->sclass;
4853 }
4854 
4855 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4856 				     struct request_sock *req)
4857 {
4858 	struct sk_security_struct *sksec = sk->sk_security;
4859 	int err;
4860 	u16 family = req->rsk_ops->family;
4861 	u32 connsid;
4862 	u32 peersid;
4863 
4864 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4865 	if (err)
4866 		return err;
4867 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4868 	if (err)
4869 		return err;
4870 	req->secid = connsid;
4871 	req->peer_secid = peersid;
4872 
4873 	return selinux_netlbl_inet_conn_request(req, family);
4874 }
4875 
4876 static void selinux_inet_csk_clone(struct sock *newsk,
4877 				   const struct request_sock *req)
4878 {
4879 	struct sk_security_struct *newsksec = newsk->sk_security;
4880 
4881 	newsksec->sid = req->secid;
4882 	newsksec->peer_sid = req->peer_secid;
4883 	/* NOTE: Ideally, we should also get the isec->sid for the
4884 	   new socket in sync, but we don't have the isec available yet.
4885 	   So we will wait until sock_graft to do it, by which
4886 	   time it will have been created and available. */
4887 
4888 	/* We don't need to take any sort of lock here as we are the only
4889 	 * thread with access to newsksec */
4890 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4891 }
4892 
4893 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4894 {
4895 	u16 family = sk->sk_family;
4896 	struct sk_security_struct *sksec = sk->sk_security;
4897 
4898 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
4899 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4900 		family = PF_INET;
4901 
4902 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4903 }
4904 
4905 static int selinux_secmark_relabel_packet(u32 sid)
4906 {
4907 	const struct task_security_struct *__tsec;
4908 	u32 tsid;
4909 
4910 	__tsec = current_security();
4911 	tsid = __tsec->sid;
4912 
4913 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4914 }
4915 
4916 static void selinux_secmark_refcount_inc(void)
4917 {
4918 	atomic_inc(&selinux_secmark_refcount);
4919 }
4920 
4921 static void selinux_secmark_refcount_dec(void)
4922 {
4923 	atomic_dec(&selinux_secmark_refcount);
4924 }
4925 
4926 static void selinux_req_classify_flow(const struct request_sock *req,
4927 				      struct flowi *fl)
4928 {
4929 	fl->flowi_secid = req->secid;
4930 }
4931 
4932 static int selinux_tun_dev_alloc_security(void **security)
4933 {
4934 	struct tun_security_struct *tunsec;
4935 
4936 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4937 	if (!tunsec)
4938 		return -ENOMEM;
4939 	tunsec->sid = current_sid();
4940 
4941 	*security = tunsec;
4942 	return 0;
4943 }
4944 
4945 static void selinux_tun_dev_free_security(void *security)
4946 {
4947 	kfree(security);
4948 }
4949 
4950 static int selinux_tun_dev_create(void)
4951 {
4952 	u32 sid = current_sid();
4953 
4954 	/* we aren't taking into account the "sockcreate" SID since the socket
4955 	 * that is being created here is not a socket in the traditional sense,
4956 	 * instead it is a private sock, accessible only to the kernel, and
4957 	 * representing a wide range of network traffic spanning multiple
4958 	 * connections unlike traditional sockets - check the TUN driver to
4959 	 * get a better understanding of why this socket is special */
4960 
4961 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4962 			    NULL);
4963 }
4964 
4965 static int selinux_tun_dev_attach_queue(void *security)
4966 {
4967 	struct tun_security_struct *tunsec = security;
4968 
4969 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4970 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
4971 }
4972 
4973 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4974 {
4975 	struct tun_security_struct *tunsec = security;
4976 	struct sk_security_struct *sksec = sk->sk_security;
4977 
4978 	/* we don't currently perform any NetLabel based labeling here and it
4979 	 * isn't clear that we would want to do so anyway; while we could apply
4980 	 * labeling without the support of the TUN user the resulting labeled
4981 	 * traffic from the other end of the connection would almost certainly
4982 	 * cause confusion to the TUN user that had no idea network labeling
4983 	 * protocols were being used */
4984 
4985 	sksec->sid = tunsec->sid;
4986 	sksec->sclass = SECCLASS_TUN_SOCKET;
4987 
4988 	return 0;
4989 }
4990 
4991 static int selinux_tun_dev_open(void *security)
4992 {
4993 	struct tun_security_struct *tunsec = security;
4994 	u32 sid = current_sid();
4995 	int err;
4996 
4997 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4998 			   TUN_SOCKET__RELABELFROM, NULL);
4999 	if (err)
5000 		return err;
5001 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5002 			   TUN_SOCKET__RELABELTO, NULL);
5003 	if (err)
5004 		return err;
5005 	tunsec->sid = sid;
5006 
5007 	return 0;
5008 }
5009 
5010 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5011 {
5012 	int err = 0;
5013 	u32 perm;
5014 	struct nlmsghdr *nlh;
5015 	struct sk_security_struct *sksec = sk->sk_security;
5016 
5017 	if (skb->len < NLMSG_HDRLEN) {
5018 		err = -EINVAL;
5019 		goto out;
5020 	}
5021 	nlh = nlmsg_hdr(skb);
5022 
5023 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5024 	if (err) {
5025 		if (err == -EINVAL) {
5026 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5027 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5028 			       " pig=%d comm=%s\n",
5029 			       sk->sk_protocol, nlh->nlmsg_type,
5030 			       secclass_map[sksec->sclass - 1].name,
5031 			       task_pid_nr(current), current->comm);
5032 			if (!selinux_enforcing || security_get_allow_unknown())
5033 				err = 0;
5034 		}
5035 
5036 		/* Ignore */
5037 		if (err == -ENOENT)
5038 			err = 0;
5039 		goto out;
5040 	}
5041 
5042 	err = sock_has_perm(current, sk, perm);
5043 out:
5044 	return err;
5045 }
5046 
5047 #ifdef CONFIG_NETFILTER
5048 
5049 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5050 				       const struct net_device *indev,
5051 				       u16 family)
5052 {
5053 	int err;
5054 	char *addrp;
5055 	u32 peer_sid;
5056 	struct common_audit_data ad;
5057 	struct lsm_network_audit net = {0,};
5058 	u8 secmark_active;
5059 	u8 netlbl_active;
5060 	u8 peerlbl_active;
5061 
5062 	if (!selinux_policycap_netpeer)
5063 		return NF_ACCEPT;
5064 
5065 	secmark_active = selinux_secmark_enabled();
5066 	netlbl_active = netlbl_enabled();
5067 	peerlbl_active = selinux_peerlbl_enabled();
5068 	if (!secmark_active && !peerlbl_active)
5069 		return NF_ACCEPT;
5070 
5071 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5072 		return NF_DROP;
5073 
5074 	ad.type = LSM_AUDIT_DATA_NET;
5075 	ad.u.net = &net;
5076 	ad.u.net->netif = indev->ifindex;
5077 	ad.u.net->family = family;
5078 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5079 		return NF_DROP;
5080 
5081 	if (peerlbl_active) {
5082 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5083 					       addrp, family, peer_sid, &ad);
5084 		if (err) {
5085 			selinux_netlbl_err(skb, family, err, 1);
5086 			return NF_DROP;
5087 		}
5088 	}
5089 
5090 	if (secmark_active)
5091 		if (avc_has_perm(peer_sid, skb->secmark,
5092 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5093 			return NF_DROP;
5094 
5095 	if (netlbl_active)
5096 		/* we do this in the FORWARD path and not the POST_ROUTING
5097 		 * path because we want to make sure we apply the necessary
5098 		 * labeling before IPsec is applied so we can leverage AH
5099 		 * protection */
5100 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5101 			return NF_DROP;
5102 
5103 	return NF_ACCEPT;
5104 }
5105 
5106 static unsigned int selinux_ipv4_forward(void *priv,
5107 					 struct sk_buff *skb,
5108 					 const struct nf_hook_state *state)
5109 {
5110 	return selinux_ip_forward(skb, state->in, PF_INET);
5111 }
5112 
5113 #if IS_ENABLED(CONFIG_IPV6)
5114 static unsigned int selinux_ipv6_forward(void *priv,
5115 					 struct sk_buff *skb,
5116 					 const struct nf_hook_state *state)
5117 {
5118 	return selinux_ip_forward(skb, state->in, PF_INET6);
5119 }
5120 #endif	/* IPV6 */
5121 
5122 static unsigned int selinux_ip_output(struct sk_buff *skb,
5123 				      u16 family)
5124 {
5125 	struct sock *sk;
5126 	u32 sid;
5127 
5128 	if (!netlbl_enabled())
5129 		return NF_ACCEPT;
5130 
5131 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5132 	 * because we want to make sure we apply the necessary labeling
5133 	 * before IPsec is applied so we can leverage AH protection */
5134 	sk = skb->sk;
5135 	if (sk) {
5136 		struct sk_security_struct *sksec;
5137 
5138 		if (sk_listener(sk))
5139 			/* if the socket is the listening state then this
5140 			 * packet is a SYN-ACK packet which means it needs to
5141 			 * be labeled based on the connection/request_sock and
5142 			 * not the parent socket.  unfortunately, we can't
5143 			 * lookup the request_sock yet as it isn't queued on
5144 			 * the parent socket until after the SYN-ACK is sent.
5145 			 * the "solution" is to simply pass the packet as-is
5146 			 * as any IP option based labeling should be copied
5147 			 * from the initial connection request (in the IP
5148 			 * layer).  it is far from ideal, but until we get a
5149 			 * security label in the packet itself this is the
5150 			 * best we can do. */
5151 			return NF_ACCEPT;
5152 
5153 		/* standard practice, label using the parent socket */
5154 		sksec = sk->sk_security;
5155 		sid = sksec->sid;
5156 	} else
5157 		sid = SECINITSID_KERNEL;
5158 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5159 		return NF_DROP;
5160 
5161 	return NF_ACCEPT;
5162 }
5163 
5164 static unsigned int selinux_ipv4_output(void *priv,
5165 					struct sk_buff *skb,
5166 					const struct nf_hook_state *state)
5167 {
5168 	return selinux_ip_output(skb, PF_INET);
5169 }
5170 
5171 #if IS_ENABLED(CONFIG_IPV6)
5172 static unsigned int selinux_ipv6_output(void *priv,
5173 					struct sk_buff *skb,
5174 					const struct nf_hook_state *state)
5175 {
5176 	return selinux_ip_output(skb, PF_INET6);
5177 }
5178 #endif	/* IPV6 */
5179 
5180 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5181 						int ifindex,
5182 						u16 family)
5183 {
5184 	struct sock *sk = skb_to_full_sk(skb);
5185 	struct sk_security_struct *sksec;
5186 	struct common_audit_data ad;
5187 	struct lsm_network_audit net = {0,};
5188 	char *addrp;
5189 	u8 proto;
5190 
5191 	if (sk == NULL)
5192 		return NF_ACCEPT;
5193 	sksec = sk->sk_security;
5194 
5195 	ad.type = LSM_AUDIT_DATA_NET;
5196 	ad.u.net = &net;
5197 	ad.u.net->netif = ifindex;
5198 	ad.u.net->family = family;
5199 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5200 		return NF_DROP;
5201 
5202 	if (selinux_secmark_enabled())
5203 		if (avc_has_perm(sksec->sid, skb->secmark,
5204 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5205 			return NF_DROP_ERR(-ECONNREFUSED);
5206 
5207 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5208 		return NF_DROP_ERR(-ECONNREFUSED);
5209 
5210 	return NF_ACCEPT;
5211 }
5212 
5213 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5214 					 const struct net_device *outdev,
5215 					 u16 family)
5216 {
5217 	u32 secmark_perm;
5218 	u32 peer_sid;
5219 	int ifindex = outdev->ifindex;
5220 	struct sock *sk;
5221 	struct common_audit_data ad;
5222 	struct lsm_network_audit net = {0,};
5223 	char *addrp;
5224 	u8 secmark_active;
5225 	u8 peerlbl_active;
5226 
5227 	/* If any sort of compatibility mode is enabled then handoff processing
5228 	 * to the selinux_ip_postroute_compat() function to deal with the
5229 	 * special handling.  We do this in an attempt to keep this function
5230 	 * as fast and as clean as possible. */
5231 	if (!selinux_policycap_netpeer)
5232 		return selinux_ip_postroute_compat(skb, ifindex, family);
5233 
5234 	secmark_active = selinux_secmark_enabled();
5235 	peerlbl_active = selinux_peerlbl_enabled();
5236 	if (!secmark_active && !peerlbl_active)
5237 		return NF_ACCEPT;
5238 
5239 	sk = skb_to_full_sk(skb);
5240 
5241 #ifdef CONFIG_XFRM
5242 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5243 	 * packet transformation so allow the packet to pass without any checks
5244 	 * since we'll have another chance to perform access control checks
5245 	 * when the packet is on it's final way out.
5246 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5247 	 *       is NULL, in this case go ahead and apply access control.
5248 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5249 	 *       TCP listening state we cannot wait until the XFRM processing
5250 	 *       is done as we will miss out on the SA label if we do;
5251 	 *       unfortunately, this means more work, but it is only once per
5252 	 *       connection. */
5253 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5254 	    !(sk && sk_listener(sk)))
5255 		return NF_ACCEPT;
5256 #endif
5257 
5258 	if (sk == NULL) {
5259 		/* Without an associated socket the packet is either coming
5260 		 * from the kernel or it is being forwarded; check the packet
5261 		 * to determine which and if the packet is being forwarded
5262 		 * query the packet directly to determine the security label. */
5263 		if (skb->skb_iif) {
5264 			secmark_perm = PACKET__FORWARD_OUT;
5265 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5266 				return NF_DROP;
5267 		} else {
5268 			secmark_perm = PACKET__SEND;
5269 			peer_sid = SECINITSID_KERNEL;
5270 		}
5271 	} else if (sk_listener(sk)) {
5272 		/* Locally generated packet but the associated socket is in the
5273 		 * listening state which means this is a SYN-ACK packet.  In
5274 		 * this particular case the correct security label is assigned
5275 		 * to the connection/request_sock but unfortunately we can't
5276 		 * query the request_sock as it isn't queued on the parent
5277 		 * socket until after the SYN-ACK packet is sent; the only
5278 		 * viable choice is to regenerate the label like we do in
5279 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5280 		 * for similar problems. */
5281 		u32 skb_sid;
5282 		struct sk_security_struct *sksec;
5283 
5284 		sksec = sk->sk_security;
5285 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5286 			return NF_DROP;
5287 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5288 		 * and the packet has been through at least one XFRM
5289 		 * transformation then we must be dealing with the "final"
5290 		 * form of labeled IPsec packet; since we've already applied
5291 		 * all of our access controls on this packet we can safely
5292 		 * pass the packet. */
5293 		if (skb_sid == SECSID_NULL) {
5294 			switch (family) {
5295 			case PF_INET:
5296 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5297 					return NF_ACCEPT;
5298 				break;
5299 			case PF_INET6:
5300 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5301 					return NF_ACCEPT;
5302 				break;
5303 			default:
5304 				return NF_DROP_ERR(-ECONNREFUSED);
5305 			}
5306 		}
5307 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5308 			return NF_DROP;
5309 		secmark_perm = PACKET__SEND;
5310 	} else {
5311 		/* Locally generated packet, fetch the security label from the
5312 		 * associated socket. */
5313 		struct sk_security_struct *sksec = sk->sk_security;
5314 		peer_sid = sksec->sid;
5315 		secmark_perm = PACKET__SEND;
5316 	}
5317 
5318 	ad.type = LSM_AUDIT_DATA_NET;
5319 	ad.u.net = &net;
5320 	ad.u.net->netif = ifindex;
5321 	ad.u.net->family = family;
5322 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5323 		return NF_DROP;
5324 
5325 	if (secmark_active)
5326 		if (avc_has_perm(peer_sid, skb->secmark,
5327 				 SECCLASS_PACKET, secmark_perm, &ad))
5328 			return NF_DROP_ERR(-ECONNREFUSED);
5329 
5330 	if (peerlbl_active) {
5331 		u32 if_sid;
5332 		u32 node_sid;
5333 
5334 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5335 			return NF_DROP;
5336 		if (avc_has_perm(peer_sid, if_sid,
5337 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5338 			return NF_DROP_ERR(-ECONNREFUSED);
5339 
5340 		if (sel_netnode_sid(addrp, family, &node_sid))
5341 			return NF_DROP;
5342 		if (avc_has_perm(peer_sid, node_sid,
5343 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5344 			return NF_DROP_ERR(-ECONNREFUSED);
5345 	}
5346 
5347 	return NF_ACCEPT;
5348 }
5349 
5350 static unsigned int selinux_ipv4_postroute(void *priv,
5351 					   struct sk_buff *skb,
5352 					   const struct nf_hook_state *state)
5353 {
5354 	return selinux_ip_postroute(skb, state->out, PF_INET);
5355 }
5356 
5357 #if IS_ENABLED(CONFIG_IPV6)
5358 static unsigned int selinux_ipv6_postroute(void *priv,
5359 					   struct sk_buff *skb,
5360 					   const struct nf_hook_state *state)
5361 {
5362 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5363 }
5364 #endif	/* IPV6 */
5365 
5366 #endif	/* CONFIG_NETFILTER */
5367 
5368 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5369 {
5370 	return selinux_nlmsg_perm(sk, skb);
5371 }
5372 
5373 static int ipc_alloc_security(struct task_struct *task,
5374 			      struct kern_ipc_perm *perm,
5375 			      u16 sclass)
5376 {
5377 	struct ipc_security_struct *isec;
5378 	u32 sid;
5379 
5380 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5381 	if (!isec)
5382 		return -ENOMEM;
5383 
5384 	sid = task_sid(task);
5385 	isec->sclass = sclass;
5386 	isec->sid = sid;
5387 	perm->security = isec;
5388 
5389 	return 0;
5390 }
5391 
5392 static void ipc_free_security(struct kern_ipc_perm *perm)
5393 {
5394 	struct ipc_security_struct *isec = perm->security;
5395 	perm->security = NULL;
5396 	kfree(isec);
5397 }
5398 
5399 static int msg_msg_alloc_security(struct msg_msg *msg)
5400 {
5401 	struct msg_security_struct *msec;
5402 
5403 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5404 	if (!msec)
5405 		return -ENOMEM;
5406 
5407 	msec->sid = SECINITSID_UNLABELED;
5408 	msg->security = msec;
5409 
5410 	return 0;
5411 }
5412 
5413 static void msg_msg_free_security(struct msg_msg *msg)
5414 {
5415 	struct msg_security_struct *msec = msg->security;
5416 
5417 	msg->security = NULL;
5418 	kfree(msec);
5419 }
5420 
5421 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5422 			u32 perms)
5423 {
5424 	struct ipc_security_struct *isec;
5425 	struct common_audit_data ad;
5426 	u32 sid = current_sid();
5427 
5428 	isec = ipc_perms->security;
5429 
5430 	ad.type = LSM_AUDIT_DATA_IPC;
5431 	ad.u.ipc_id = ipc_perms->key;
5432 
5433 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5434 }
5435 
5436 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5437 {
5438 	return msg_msg_alloc_security(msg);
5439 }
5440 
5441 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5442 {
5443 	msg_msg_free_security(msg);
5444 }
5445 
5446 /* message queue security operations */
5447 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5448 {
5449 	struct ipc_security_struct *isec;
5450 	struct common_audit_data ad;
5451 	u32 sid = current_sid();
5452 	int rc;
5453 
5454 	rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5455 	if (rc)
5456 		return rc;
5457 
5458 	isec = msq->q_perm.security;
5459 
5460 	ad.type = LSM_AUDIT_DATA_IPC;
5461 	ad.u.ipc_id = msq->q_perm.key;
5462 
5463 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5464 			  MSGQ__CREATE, &ad);
5465 	if (rc) {
5466 		ipc_free_security(&msq->q_perm);
5467 		return rc;
5468 	}
5469 	return 0;
5470 }
5471 
5472 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5473 {
5474 	ipc_free_security(&msq->q_perm);
5475 }
5476 
5477 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5478 {
5479 	struct ipc_security_struct *isec;
5480 	struct common_audit_data ad;
5481 	u32 sid = current_sid();
5482 
5483 	isec = msq->q_perm.security;
5484 
5485 	ad.type = LSM_AUDIT_DATA_IPC;
5486 	ad.u.ipc_id = msq->q_perm.key;
5487 
5488 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5489 			    MSGQ__ASSOCIATE, &ad);
5490 }
5491 
5492 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5493 {
5494 	int err;
5495 	int perms;
5496 
5497 	switch (cmd) {
5498 	case IPC_INFO:
5499 	case MSG_INFO:
5500 		/* No specific object, just general system-wide information. */
5501 		return task_has_system(current, SYSTEM__IPC_INFO);
5502 	case IPC_STAT:
5503 	case MSG_STAT:
5504 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5505 		break;
5506 	case IPC_SET:
5507 		perms = MSGQ__SETATTR;
5508 		break;
5509 	case IPC_RMID:
5510 		perms = MSGQ__DESTROY;
5511 		break;
5512 	default:
5513 		return 0;
5514 	}
5515 
5516 	err = ipc_has_perm(&msq->q_perm, perms);
5517 	return err;
5518 }
5519 
5520 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5521 {
5522 	struct ipc_security_struct *isec;
5523 	struct msg_security_struct *msec;
5524 	struct common_audit_data ad;
5525 	u32 sid = current_sid();
5526 	int rc;
5527 
5528 	isec = msq->q_perm.security;
5529 	msec = msg->security;
5530 
5531 	/*
5532 	 * First time through, need to assign label to the message
5533 	 */
5534 	if (msec->sid == SECINITSID_UNLABELED) {
5535 		/*
5536 		 * Compute new sid based on current process and
5537 		 * message queue this message will be stored in
5538 		 */
5539 		rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5540 					     NULL, &msec->sid);
5541 		if (rc)
5542 			return rc;
5543 	}
5544 
5545 	ad.type = LSM_AUDIT_DATA_IPC;
5546 	ad.u.ipc_id = msq->q_perm.key;
5547 
5548 	/* Can this process write to the queue? */
5549 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5550 			  MSGQ__WRITE, &ad);
5551 	if (!rc)
5552 		/* Can this process send the message */
5553 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5554 				  MSG__SEND, &ad);
5555 	if (!rc)
5556 		/* Can the message be put in the queue? */
5557 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5558 				  MSGQ__ENQUEUE, &ad);
5559 
5560 	return rc;
5561 }
5562 
5563 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5564 				    struct task_struct *target,
5565 				    long type, int mode)
5566 {
5567 	struct ipc_security_struct *isec;
5568 	struct msg_security_struct *msec;
5569 	struct common_audit_data ad;
5570 	u32 sid = task_sid(target);
5571 	int rc;
5572 
5573 	isec = msq->q_perm.security;
5574 	msec = msg->security;
5575 
5576 	ad.type = LSM_AUDIT_DATA_IPC;
5577 	ad.u.ipc_id = msq->q_perm.key;
5578 
5579 	rc = avc_has_perm(sid, isec->sid,
5580 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
5581 	if (!rc)
5582 		rc = avc_has_perm(sid, msec->sid,
5583 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
5584 	return rc;
5585 }
5586 
5587 /* Shared Memory security operations */
5588 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5589 {
5590 	struct ipc_security_struct *isec;
5591 	struct common_audit_data ad;
5592 	u32 sid = current_sid();
5593 	int rc;
5594 
5595 	rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5596 	if (rc)
5597 		return rc;
5598 
5599 	isec = shp->shm_perm.security;
5600 
5601 	ad.type = LSM_AUDIT_DATA_IPC;
5602 	ad.u.ipc_id = shp->shm_perm.key;
5603 
5604 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5605 			  SHM__CREATE, &ad);
5606 	if (rc) {
5607 		ipc_free_security(&shp->shm_perm);
5608 		return rc;
5609 	}
5610 	return 0;
5611 }
5612 
5613 static void selinux_shm_free_security(struct shmid_kernel *shp)
5614 {
5615 	ipc_free_security(&shp->shm_perm);
5616 }
5617 
5618 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5619 {
5620 	struct ipc_security_struct *isec;
5621 	struct common_audit_data ad;
5622 	u32 sid = current_sid();
5623 
5624 	isec = shp->shm_perm.security;
5625 
5626 	ad.type = LSM_AUDIT_DATA_IPC;
5627 	ad.u.ipc_id = shp->shm_perm.key;
5628 
5629 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5630 			    SHM__ASSOCIATE, &ad);
5631 }
5632 
5633 /* Note, at this point, shp is locked down */
5634 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5635 {
5636 	int perms;
5637 	int err;
5638 
5639 	switch (cmd) {
5640 	case IPC_INFO:
5641 	case SHM_INFO:
5642 		/* No specific object, just general system-wide information. */
5643 		return task_has_system(current, SYSTEM__IPC_INFO);
5644 	case IPC_STAT:
5645 	case SHM_STAT:
5646 		perms = SHM__GETATTR | SHM__ASSOCIATE;
5647 		break;
5648 	case IPC_SET:
5649 		perms = SHM__SETATTR;
5650 		break;
5651 	case SHM_LOCK:
5652 	case SHM_UNLOCK:
5653 		perms = SHM__LOCK;
5654 		break;
5655 	case IPC_RMID:
5656 		perms = SHM__DESTROY;
5657 		break;
5658 	default:
5659 		return 0;
5660 	}
5661 
5662 	err = ipc_has_perm(&shp->shm_perm, perms);
5663 	return err;
5664 }
5665 
5666 static int selinux_shm_shmat(struct shmid_kernel *shp,
5667 			     char __user *shmaddr, int shmflg)
5668 {
5669 	u32 perms;
5670 
5671 	if (shmflg & SHM_RDONLY)
5672 		perms = SHM__READ;
5673 	else
5674 		perms = SHM__READ | SHM__WRITE;
5675 
5676 	return ipc_has_perm(&shp->shm_perm, perms);
5677 }
5678 
5679 /* Semaphore security operations */
5680 static int selinux_sem_alloc_security(struct sem_array *sma)
5681 {
5682 	struct ipc_security_struct *isec;
5683 	struct common_audit_data ad;
5684 	u32 sid = current_sid();
5685 	int rc;
5686 
5687 	rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5688 	if (rc)
5689 		return rc;
5690 
5691 	isec = sma->sem_perm.security;
5692 
5693 	ad.type = LSM_AUDIT_DATA_IPC;
5694 	ad.u.ipc_id = sma->sem_perm.key;
5695 
5696 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5697 			  SEM__CREATE, &ad);
5698 	if (rc) {
5699 		ipc_free_security(&sma->sem_perm);
5700 		return rc;
5701 	}
5702 	return 0;
5703 }
5704 
5705 static void selinux_sem_free_security(struct sem_array *sma)
5706 {
5707 	ipc_free_security(&sma->sem_perm);
5708 }
5709 
5710 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5711 {
5712 	struct ipc_security_struct *isec;
5713 	struct common_audit_data ad;
5714 	u32 sid = current_sid();
5715 
5716 	isec = sma->sem_perm.security;
5717 
5718 	ad.type = LSM_AUDIT_DATA_IPC;
5719 	ad.u.ipc_id = sma->sem_perm.key;
5720 
5721 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5722 			    SEM__ASSOCIATE, &ad);
5723 }
5724 
5725 /* Note, at this point, sma is locked down */
5726 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5727 {
5728 	int err;
5729 	u32 perms;
5730 
5731 	switch (cmd) {
5732 	case IPC_INFO:
5733 	case SEM_INFO:
5734 		/* No specific object, just general system-wide information. */
5735 		return task_has_system(current, SYSTEM__IPC_INFO);
5736 	case GETPID:
5737 	case GETNCNT:
5738 	case GETZCNT:
5739 		perms = SEM__GETATTR;
5740 		break;
5741 	case GETVAL:
5742 	case GETALL:
5743 		perms = SEM__READ;
5744 		break;
5745 	case SETVAL:
5746 	case SETALL:
5747 		perms = SEM__WRITE;
5748 		break;
5749 	case IPC_RMID:
5750 		perms = SEM__DESTROY;
5751 		break;
5752 	case IPC_SET:
5753 		perms = SEM__SETATTR;
5754 		break;
5755 	case IPC_STAT:
5756 	case SEM_STAT:
5757 		perms = SEM__GETATTR | SEM__ASSOCIATE;
5758 		break;
5759 	default:
5760 		return 0;
5761 	}
5762 
5763 	err = ipc_has_perm(&sma->sem_perm, perms);
5764 	return err;
5765 }
5766 
5767 static int selinux_sem_semop(struct sem_array *sma,
5768 			     struct sembuf *sops, unsigned nsops, int alter)
5769 {
5770 	u32 perms;
5771 
5772 	if (alter)
5773 		perms = SEM__READ | SEM__WRITE;
5774 	else
5775 		perms = SEM__READ;
5776 
5777 	return ipc_has_perm(&sma->sem_perm, perms);
5778 }
5779 
5780 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5781 {
5782 	u32 av = 0;
5783 
5784 	av = 0;
5785 	if (flag & S_IRUGO)
5786 		av |= IPC__UNIX_READ;
5787 	if (flag & S_IWUGO)
5788 		av |= IPC__UNIX_WRITE;
5789 
5790 	if (av == 0)
5791 		return 0;
5792 
5793 	return ipc_has_perm(ipcp, av);
5794 }
5795 
5796 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5797 {
5798 	struct ipc_security_struct *isec = ipcp->security;
5799 	*secid = isec->sid;
5800 }
5801 
5802 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5803 {
5804 	if (inode)
5805 		inode_doinit_with_dentry(inode, dentry);
5806 }
5807 
5808 static int selinux_getprocattr(struct task_struct *p,
5809 			       char *name, char **value)
5810 {
5811 	const struct task_security_struct *__tsec;
5812 	u32 sid;
5813 	int error;
5814 	unsigned len;
5815 
5816 	if (current != p) {
5817 		error = current_has_perm(p, PROCESS__GETATTR);
5818 		if (error)
5819 			return error;
5820 	}
5821 
5822 	rcu_read_lock();
5823 	__tsec = __task_cred(p)->security;
5824 
5825 	if (!strcmp(name, "current"))
5826 		sid = __tsec->sid;
5827 	else if (!strcmp(name, "prev"))
5828 		sid = __tsec->osid;
5829 	else if (!strcmp(name, "exec"))
5830 		sid = __tsec->exec_sid;
5831 	else if (!strcmp(name, "fscreate"))
5832 		sid = __tsec->create_sid;
5833 	else if (!strcmp(name, "keycreate"))
5834 		sid = __tsec->keycreate_sid;
5835 	else if (!strcmp(name, "sockcreate"))
5836 		sid = __tsec->sockcreate_sid;
5837 	else
5838 		goto invalid;
5839 	rcu_read_unlock();
5840 
5841 	if (!sid)
5842 		return 0;
5843 
5844 	error = security_sid_to_context(sid, value, &len);
5845 	if (error)
5846 		return error;
5847 	return len;
5848 
5849 invalid:
5850 	rcu_read_unlock();
5851 	return -EINVAL;
5852 }
5853 
5854 static int selinux_setprocattr(struct task_struct *p,
5855 			       char *name, void *value, size_t size)
5856 {
5857 	struct task_security_struct *tsec;
5858 	struct cred *new;
5859 	u32 sid = 0, ptsid;
5860 	int error;
5861 	char *str = value;
5862 
5863 	if (current != p) {
5864 		/* SELinux only allows a process to change its own
5865 		   security attributes. */
5866 		return -EACCES;
5867 	}
5868 
5869 	/*
5870 	 * Basic control over ability to set these attributes at all.
5871 	 * current == p, but we'll pass them separately in case the
5872 	 * above restriction is ever removed.
5873 	 */
5874 	if (!strcmp(name, "exec"))
5875 		error = current_has_perm(p, PROCESS__SETEXEC);
5876 	else if (!strcmp(name, "fscreate"))
5877 		error = current_has_perm(p, PROCESS__SETFSCREATE);
5878 	else if (!strcmp(name, "keycreate"))
5879 		error = current_has_perm(p, PROCESS__SETKEYCREATE);
5880 	else if (!strcmp(name, "sockcreate"))
5881 		error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5882 	else if (!strcmp(name, "current"))
5883 		error = current_has_perm(p, PROCESS__SETCURRENT);
5884 	else
5885 		error = -EINVAL;
5886 	if (error)
5887 		return error;
5888 
5889 	/* Obtain a SID for the context, if one was specified. */
5890 	if (size && str[1] && str[1] != '\n') {
5891 		if (str[size-1] == '\n') {
5892 			str[size-1] = 0;
5893 			size--;
5894 		}
5895 		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5896 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
5897 			if (!capable(CAP_MAC_ADMIN)) {
5898 				struct audit_buffer *ab;
5899 				size_t audit_size;
5900 
5901 				/* We strip a nul only if it is at the end, otherwise the
5902 				 * context contains a nul and we should audit that */
5903 				if (str[size - 1] == '\0')
5904 					audit_size = size - 1;
5905 				else
5906 					audit_size = size;
5907 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5908 				audit_log_format(ab, "op=fscreate invalid_context=");
5909 				audit_log_n_untrustedstring(ab, value, audit_size);
5910 				audit_log_end(ab);
5911 
5912 				return error;
5913 			}
5914 			error = security_context_to_sid_force(value, size,
5915 							      &sid);
5916 		}
5917 		if (error)
5918 			return error;
5919 	}
5920 
5921 	new = prepare_creds();
5922 	if (!new)
5923 		return -ENOMEM;
5924 
5925 	/* Permission checking based on the specified context is
5926 	   performed during the actual operation (execve,
5927 	   open/mkdir/...), when we know the full context of the
5928 	   operation.  See selinux_bprm_set_creds for the execve
5929 	   checks and may_create for the file creation checks. The
5930 	   operation will then fail if the context is not permitted. */
5931 	tsec = new->security;
5932 	if (!strcmp(name, "exec")) {
5933 		tsec->exec_sid = sid;
5934 	} else if (!strcmp(name, "fscreate")) {
5935 		tsec->create_sid = sid;
5936 	} else if (!strcmp(name, "keycreate")) {
5937 		error = may_create_key(sid, p);
5938 		if (error)
5939 			goto abort_change;
5940 		tsec->keycreate_sid = sid;
5941 	} else if (!strcmp(name, "sockcreate")) {
5942 		tsec->sockcreate_sid = sid;
5943 	} else if (!strcmp(name, "current")) {
5944 		error = -EINVAL;
5945 		if (sid == 0)
5946 			goto abort_change;
5947 
5948 		/* Only allow single threaded processes to change context */
5949 		error = -EPERM;
5950 		if (!current_is_single_threaded()) {
5951 			error = security_bounded_transition(tsec->sid, sid);
5952 			if (error)
5953 				goto abort_change;
5954 		}
5955 
5956 		/* Check permissions for the transition. */
5957 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5958 				     PROCESS__DYNTRANSITION, NULL);
5959 		if (error)
5960 			goto abort_change;
5961 
5962 		/* Check for ptracing, and update the task SID if ok.
5963 		   Otherwise, leave SID unchanged and fail. */
5964 		ptsid = ptrace_parent_sid(p);
5965 		if (ptsid != 0) {
5966 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5967 					     PROCESS__PTRACE, NULL);
5968 			if (error)
5969 				goto abort_change;
5970 		}
5971 
5972 		tsec->sid = sid;
5973 	} else {
5974 		error = -EINVAL;
5975 		goto abort_change;
5976 	}
5977 
5978 	commit_creds(new);
5979 	return size;
5980 
5981 abort_change:
5982 	abort_creds(new);
5983 	return error;
5984 }
5985 
5986 static int selinux_ismaclabel(const char *name)
5987 {
5988 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5989 }
5990 
5991 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5992 {
5993 	return security_sid_to_context(secid, secdata, seclen);
5994 }
5995 
5996 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5997 {
5998 	return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5999 }
6000 
6001 static void selinux_release_secctx(char *secdata, u32 seclen)
6002 {
6003 	kfree(secdata);
6004 }
6005 
6006 static void selinux_inode_invalidate_secctx(struct inode *inode)
6007 {
6008 	struct inode_security_struct *isec = inode->i_security;
6009 
6010 	spin_lock(&isec->lock);
6011 	isec->initialized = LABEL_INVALID;
6012 	spin_unlock(&isec->lock);
6013 }
6014 
6015 /*
6016  *	called with inode->i_mutex locked
6017  */
6018 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6019 {
6020 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6021 }
6022 
6023 /*
6024  *	called with inode->i_mutex locked
6025  */
6026 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6027 {
6028 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6029 }
6030 
6031 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6032 {
6033 	int len = 0;
6034 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6035 						ctx, true);
6036 	if (len < 0)
6037 		return len;
6038 	*ctxlen = len;
6039 	return 0;
6040 }
6041 #ifdef CONFIG_KEYS
6042 
6043 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6044 			     unsigned long flags)
6045 {
6046 	const struct task_security_struct *tsec;
6047 	struct key_security_struct *ksec;
6048 
6049 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6050 	if (!ksec)
6051 		return -ENOMEM;
6052 
6053 	tsec = cred->security;
6054 	if (tsec->keycreate_sid)
6055 		ksec->sid = tsec->keycreate_sid;
6056 	else
6057 		ksec->sid = tsec->sid;
6058 
6059 	k->security = ksec;
6060 	return 0;
6061 }
6062 
6063 static void selinux_key_free(struct key *k)
6064 {
6065 	struct key_security_struct *ksec = k->security;
6066 
6067 	k->security = NULL;
6068 	kfree(ksec);
6069 }
6070 
6071 static int selinux_key_permission(key_ref_t key_ref,
6072 				  const struct cred *cred,
6073 				  unsigned perm)
6074 {
6075 	struct key *key;
6076 	struct key_security_struct *ksec;
6077 	u32 sid;
6078 
6079 	/* if no specific permissions are requested, we skip the
6080 	   permission check. No serious, additional covert channels
6081 	   appear to be created. */
6082 	if (perm == 0)
6083 		return 0;
6084 
6085 	sid = cred_sid(cred);
6086 
6087 	key = key_ref_to_ptr(key_ref);
6088 	ksec = key->security;
6089 
6090 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6091 }
6092 
6093 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6094 {
6095 	struct key_security_struct *ksec = key->security;
6096 	char *context = NULL;
6097 	unsigned len;
6098 	int rc;
6099 
6100 	rc = security_sid_to_context(ksec->sid, &context, &len);
6101 	if (!rc)
6102 		rc = len;
6103 	*_buffer = context;
6104 	return rc;
6105 }
6106 
6107 #endif
6108 
6109 static struct security_hook_list selinux_hooks[] = {
6110 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6111 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6112 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6113 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6114 
6115 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6116 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6117 	LSM_HOOK_INIT(capget, selinux_capget),
6118 	LSM_HOOK_INIT(capset, selinux_capset),
6119 	LSM_HOOK_INIT(capable, selinux_capable),
6120 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6121 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6122 	LSM_HOOK_INIT(syslog, selinux_syslog),
6123 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6124 
6125 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6126 
6127 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6128 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6129 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6130 	LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6131 
6132 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6133 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6134 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6135 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6136 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6137 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6138 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6139 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6140 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6141 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6142 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6143 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6144 
6145 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6146 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6147 
6148 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6149 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6150 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6151 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6152 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6153 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6154 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6155 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6156 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6157 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6158 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6159 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6160 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6161 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6162 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6163 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6164 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6165 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6166 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6167 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6168 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6169 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6170 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6171 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6172 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6173 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6174 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6175 
6176 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6177 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6178 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6179 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6180 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6181 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6182 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6183 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6184 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6185 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6186 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6187 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6188 
6189 	LSM_HOOK_INIT(file_open, selinux_file_open),
6190 
6191 	LSM_HOOK_INIT(task_create, selinux_task_create),
6192 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6193 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6194 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6195 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6196 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6197 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6198 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6199 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6200 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6201 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6202 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6203 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6204 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6205 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6206 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6207 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6208 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6209 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6210 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6211 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6212 	LSM_HOOK_INIT(task_wait, selinux_task_wait),
6213 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6214 
6215 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6216 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6217 
6218 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6219 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6220 
6221 	LSM_HOOK_INIT(msg_queue_alloc_security,
6222 			selinux_msg_queue_alloc_security),
6223 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6224 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6225 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6226 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6227 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6228 
6229 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6230 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6231 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6232 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6233 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6234 
6235 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6236 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6237 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6238 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6239 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6240 
6241 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6242 
6243 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6244 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6245 
6246 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6247 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6248 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6249 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6250 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6251 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6252 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6253 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6254 
6255 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6256 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6257 
6258 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6259 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6260 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6261 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6262 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6263 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6264 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6265 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6266 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6267 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6268 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6269 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6270 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6271 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6272 	LSM_HOOK_INIT(socket_getpeersec_stream,
6273 			selinux_socket_getpeersec_stream),
6274 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6275 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6276 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6277 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6278 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6279 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6280 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6281 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6282 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6283 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6284 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6285 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6286 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6287 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6288 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6289 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6290 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6291 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6292 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6293 
6294 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6295 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6296 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6297 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6298 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6299 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6300 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6301 			selinux_xfrm_state_alloc_acquire),
6302 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6303 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6304 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6305 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6306 			selinux_xfrm_state_pol_flow_match),
6307 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6308 #endif
6309 
6310 #ifdef CONFIG_KEYS
6311 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6312 	LSM_HOOK_INIT(key_free, selinux_key_free),
6313 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
6314 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6315 #endif
6316 
6317 #ifdef CONFIG_AUDIT
6318 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6319 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6320 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6321 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6322 #endif
6323 };
6324 
6325 static __init int selinux_init(void)
6326 {
6327 	if (!security_module_enable("selinux")) {
6328 		selinux_enabled = 0;
6329 		return 0;
6330 	}
6331 
6332 	if (!selinux_enabled) {
6333 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
6334 		return 0;
6335 	}
6336 
6337 	printk(KERN_INFO "SELinux:  Initializing.\n");
6338 
6339 	/* Set the security state for the initial task. */
6340 	cred_init_security();
6341 
6342 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6343 
6344 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
6345 					    sizeof(struct inode_security_struct),
6346 					    0, SLAB_PANIC, NULL);
6347 	file_security_cache = kmem_cache_create("selinux_file_security",
6348 					    sizeof(struct file_security_struct),
6349 					    0, SLAB_PANIC, NULL);
6350 	avc_init();
6351 
6352 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6353 
6354 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6355 		panic("SELinux: Unable to register AVC netcache callback\n");
6356 
6357 	if (selinux_enforcing)
6358 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
6359 	else
6360 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
6361 
6362 	return 0;
6363 }
6364 
6365 static void delayed_superblock_init(struct super_block *sb, void *unused)
6366 {
6367 	superblock_doinit(sb, NULL);
6368 }
6369 
6370 void selinux_complete_init(void)
6371 {
6372 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
6373 
6374 	/* Set up any superblocks initialized prior to the policy load. */
6375 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
6376 	iterate_supers(delayed_superblock_init, NULL);
6377 }
6378 
6379 /* SELinux requires early initialization in order to label
6380    all processes and objects when they are created. */
6381 security_initcall(selinux_init);
6382 
6383 #if defined(CONFIG_NETFILTER)
6384 
6385 static struct nf_hook_ops selinux_nf_ops[] = {
6386 	{
6387 		.hook =		selinux_ipv4_postroute,
6388 		.pf =		NFPROTO_IPV4,
6389 		.hooknum =	NF_INET_POST_ROUTING,
6390 		.priority =	NF_IP_PRI_SELINUX_LAST,
6391 	},
6392 	{
6393 		.hook =		selinux_ipv4_forward,
6394 		.pf =		NFPROTO_IPV4,
6395 		.hooknum =	NF_INET_FORWARD,
6396 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6397 	},
6398 	{
6399 		.hook =		selinux_ipv4_output,
6400 		.pf =		NFPROTO_IPV4,
6401 		.hooknum =	NF_INET_LOCAL_OUT,
6402 		.priority =	NF_IP_PRI_SELINUX_FIRST,
6403 	},
6404 #if IS_ENABLED(CONFIG_IPV6)
6405 	{
6406 		.hook =		selinux_ipv6_postroute,
6407 		.pf =		NFPROTO_IPV6,
6408 		.hooknum =	NF_INET_POST_ROUTING,
6409 		.priority =	NF_IP6_PRI_SELINUX_LAST,
6410 	},
6411 	{
6412 		.hook =		selinux_ipv6_forward,
6413 		.pf =		NFPROTO_IPV6,
6414 		.hooknum =	NF_INET_FORWARD,
6415 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6416 	},
6417 	{
6418 		.hook =		selinux_ipv6_output,
6419 		.pf =		NFPROTO_IPV6,
6420 		.hooknum =	NF_INET_LOCAL_OUT,
6421 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
6422 	},
6423 #endif	/* IPV6 */
6424 };
6425 
6426 static int __init selinux_nf_ip_init(void)
6427 {
6428 	int err;
6429 
6430 	if (!selinux_enabled)
6431 		return 0;
6432 
6433 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
6434 
6435 	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6436 	if (err)
6437 		panic("SELinux: nf_register_hooks: error %d\n", err);
6438 
6439 	return 0;
6440 }
6441 
6442 __initcall(selinux_nf_ip_init);
6443 
6444 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6445 static void selinux_nf_ip_exit(void)
6446 {
6447 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
6448 
6449 	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6450 }
6451 #endif
6452 
6453 #else /* CONFIG_NETFILTER */
6454 
6455 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6456 #define selinux_nf_ip_exit()
6457 #endif
6458 
6459 #endif /* CONFIG_NETFILTER */
6460 
6461 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6462 static int selinux_disabled;
6463 
6464 int selinux_disable(void)
6465 {
6466 	if (ss_initialized) {
6467 		/* Not permitted after initial policy load. */
6468 		return -EINVAL;
6469 	}
6470 
6471 	if (selinux_disabled) {
6472 		/* Only do this once. */
6473 		return -EINVAL;
6474 	}
6475 
6476 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
6477 
6478 	selinux_disabled = 1;
6479 	selinux_enabled = 0;
6480 
6481 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6482 
6483 	/* Try to destroy the avc node cache */
6484 	avc_disable();
6485 
6486 	/* Unregister netfilter hooks. */
6487 	selinux_nf_ip_exit();
6488 
6489 	/* Unregister selinuxfs. */
6490 	exit_sel_fs();
6491 
6492 	return 0;
6493 }
6494 #endif
6495