xref: /openbmc/linux/security/selinux/hooks.c (revision 88a6f899)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 struct selinux_state selinux_state;
108 
109 /* SECMARK reference count */
110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
111 
112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
113 static int selinux_enforcing_boot __initdata;
114 
115 static int __init enforcing_setup(char *str)
116 {
117 	unsigned long enforcing;
118 	if (!kstrtoul(str, 0, &enforcing))
119 		selinux_enforcing_boot = enforcing ? 1 : 0;
120 	return 1;
121 }
122 __setup("enforcing=", enforcing_setup);
123 #else
124 #define selinux_enforcing_boot 1
125 #endif
126 
127 int selinux_enabled_boot __initdata = 1;
128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
129 static int __init selinux_enabled_setup(char *str)
130 {
131 	unsigned long enabled;
132 	if (!kstrtoul(str, 0, &enabled))
133 		selinux_enabled_boot = enabled ? 1 : 0;
134 	return 1;
135 }
136 __setup("selinux=", selinux_enabled_setup);
137 #endif
138 
139 static int __init checkreqprot_setup(char *str)
140 {
141 	unsigned long checkreqprot;
142 
143 	if (!kstrtoul(str, 0, &checkreqprot)) {
144 		if (checkreqprot)
145 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
146 	}
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 /**
152  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153  *
154  * Description:
155  * This function checks the SECMARK reference counter to see if any SECMARK
156  * targets are currently configured, if the reference counter is greater than
157  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
158  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
159  * policy capability is enabled, SECMARK is always considered enabled.
160  *
161  */
162 static int selinux_secmark_enabled(void)
163 {
164 	return (selinux_policycap_alwaysnetwork() ||
165 		atomic_read(&selinux_secmark_refcount));
166 }
167 
168 /**
169  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170  *
171  * Description:
172  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
173  * (1) if any are enabled or false (0) if neither are enabled.  If the
174  * always_check_network policy capability is enabled, peer labeling
175  * is always considered enabled.
176  *
177  */
178 static int selinux_peerlbl_enabled(void)
179 {
180 	return (selinux_policycap_alwaysnetwork() ||
181 		netlbl_enabled() || selinux_xfrm_enabled());
182 }
183 
184 static int selinux_netcache_avc_callback(u32 event)
185 {
186 	if (event == AVC_CALLBACK_RESET) {
187 		sel_netif_flush();
188 		sel_netnode_flush();
189 		sel_netport_flush();
190 		synchronize_net();
191 	}
192 	return 0;
193 }
194 
195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197 	if (event == AVC_CALLBACK_RESET) {
198 		sel_ib_pkey_flush();
199 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 	}
201 
202 	return 0;
203 }
204 
205 /*
206  * initialise the security for the init task
207  */
208 static void cred_init_security(void)
209 {
210 	struct task_security_struct *tsec;
211 
212 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
213 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
214 }
215 
216 /*
217  * get the security ID of a set of credentials
218  */
219 static inline u32 cred_sid(const struct cred *cred)
220 {
221 	const struct task_security_struct *tsec;
222 
223 	tsec = selinux_cred(cred);
224 	return tsec->sid;
225 }
226 
227 /*
228  * get the objective security ID of a task
229  */
230 static inline u32 task_sid_obj(const struct task_struct *task)
231 {
232 	u32 sid;
233 
234 	rcu_read_lock();
235 	sid = cred_sid(__task_cred(task));
236 	rcu_read_unlock();
237 	return sid;
238 }
239 
240 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
241 
242 /*
243  * Try reloading inode security labels that have been marked as invalid.  The
244  * @may_sleep parameter indicates when sleeping and thus reloading labels is
245  * allowed; when set to false, returns -ECHILD when the label is
246  * invalid.  The @dentry parameter should be set to a dentry of the inode.
247  */
248 static int __inode_security_revalidate(struct inode *inode,
249 				       struct dentry *dentry,
250 				       bool may_sleep)
251 {
252 	struct inode_security_struct *isec = selinux_inode(inode);
253 
254 	might_sleep_if(may_sleep);
255 
256 	if (selinux_initialized() &&
257 	    isec->initialized != LABEL_INITIALIZED) {
258 		if (!may_sleep)
259 			return -ECHILD;
260 
261 		/*
262 		 * Try reloading the inode security label.  This will fail if
263 		 * @opt_dentry is NULL and no dentry for this inode can be
264 		 * found; in that case, continue using the old label.
265 		 */
266 		inode_doinit_with_dentry(inode, dentry);
267 	}
268 	return 0;
269 }
270 
271 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
272 {
273 	return selinux_inode(inode);
274 }
275 
276 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
277 {
278 	int error;
279 
280 	error = __inode_security_revalidate(inode, NULL, !rcu);
281 	if (error)
282 		return ERR_PTR(error);
283 	return selinux_inode(inode);
284 }
285 
286 /*
287  * Get the security label of an inode.
288  */
289 static struct inode_security_struct *inode_security(struct inode *inode)
290 {
291 	__inode_security_revalidate(inode, NULL, true);
292 	return selinux_inode(inode);
293 }
294 
295 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
296 {
297 	struct inode *inode = d_backing_inode(dentry);
298 
299 	return selinux_inode(inode);
300 }
301 
302 /*
303  * Get the security label of a dentry's backing inode.
304  */
305 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
306 {
307 	struct inode *inode = d_backing_inode(dentry);
308 
309 	__inode_security_revalidate(inode, dentry, true);
310 	return selinux_inode(inode);
311 }
312 
313 static void inode_free_security(struct inode *inode)
314 {
315 	struct inode_security_struct *isec = selinux_inode(inode);
316 	struct superblock_security_struct *sbsec;
317 
318 	if (!isec)
319 		return;
320 	sbsec = selinux_superblock(inode->i_sb);
321 	/*
322 	 * As not all inode security structures are in a list, we check for
323 	 * empty list outside of the lock to make sure that we won't waste
324 	 * time taking a lock doing nothing.
325 	 *
326 	 * The list_del_init() function can be safely called more than once.
327 	 * It should not be possible for this function to be called with
328 	 * concurrent list_add(), but for better safety against future changes
329 	 * in the code, we use list_empty_careful() here.
330 	 */
331 	if (!list_empty_careful(&isec->list)) {
332 		spin_lock(&sbsec->isec_lock);
333 		list_del_init(&isec->list);
334 		spin_unlock(&sbsec->isec_lock);
335 	}
336 }
337 
338 struct selinux_mnt_opts {
339 	u32 fscontext_sid;
340 	u32 context_sid;
341 	u32 rootcontext_sid;
342 	u32 defcontext_sid;
343 };
344 
345 static void selinux_free_mnt_opts(void *mnt_opts)
346 {
347 	kfree(mnt_opts);
348 }
349 
350 enum {
351 	Opt_error = -1,
352 	Opt_context = 0,
353 	Opt_defcontext = 1,
354 	Opt_fscontext = 2,
355 	Opt_rootcontext = 3,
356 	Opt_seclabel = 4,
357 };
358 
359 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
360 static const struct {
361 	const char *name;
362 	int len;
363 	int opt;
364 	bool has_arg;
365 } tokens[] = {
366 	A(context, true),
367 	A(fscontext, true),
368 	A(defcontext, true),
369 	A(rootcontext, true),
370 	A(seclabel, false),
371 };
372 #undef A
373 
374 static int match_opt_prefix(char *s, int l, char **arg)
375 {
376 	int i;
377 
378 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
379 		size_t len = tokens[i].len;
380 		if (len > l || memcmp(s, tokens[i].name, len))
381 			continue;
382 		if (tokens[i].has_arg) {
383 			if (len == l || s[len] != '=')
384 				continue;
385 			*arg = s + len + 1;
386 		} else if (len != l)
387 			continue;
388 		return tokens[i].opt;
389 	}
390 	return Opt_error;
391 }
392 
393 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
394 
395 static int may_context_mount_sb_relabel(u32 sid,
396 			struct superblock_security_struct *sbsec,
397 			const struct cred *cred)
398 {
399 	const struct task_security_struct *tsec = selinux_cred(cred);
400 	int rc;
401 
402 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
403 			  FILESYSTEM__RELABELFROM, NULL);
404 	if (rc)
405 		return rc;
406 
407 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
408 			  FILESYSTEM__RELABELTO, NULL);
409 	return rc;
410 }
411 
412 static int may_context_mount_inode_relabel(u32 sid,
413 			struct superblock_security_struct *sbsec,
414 			const struct cred *cred)
415 {
416 	const struct task_security_struct *tsec = selinux_cred(cred);
417 	int rc;
418 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
419 			  FILESYSTEM__RELABELFROM, NULL);
420 	if (rc)
421 		return rc;
422 
423 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
424 			  FILESYSTEM__ASSOCIATE, NULL);
425 	return rc;
426 }
427 
428 static int selinux_is_genfs_special_handling(struct super_block *sb)
429 {
430 	/* Special handling. Genfs but also in-core setxattr handler */
431 	return	!strcmp(sb->s_type->name, "sysfs") ||
432 		!strcmp(sb->s_type->name, "pstore") ||
433 		!strcmp(sb->s_type->name, "debugfs") ||
434 		!strcmp(sb->s_type->name, "tracefs") ||
435 		!strcmp(sb->s_type->name, "rootfs") ||
436 		(selinux_policycap_cgroupseclabel() &&
437 		 (!strcmp(sb->s_type->name, "cgroup") ||
438 		  !strcmp(sb->s_type->name, "cgroup2")));
439 }
440 
441 static int selinux_is_sblabel_mnt(struct super_block *sb)
442 {
443 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
444 
445 	/*
446 	 * IMPORTANT: Double-check logic in this function when adding a new
447 	 * SECURITY_FS_USE_* definition!
448 	 */
449 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
450 
451 	switch (sbsec->behavior) {
452 	case SECURITY_FS_USE_XATTR:
453 	case SECURITY_FS_USE_TRANS:
454 	case SECURITY_FS_USE_TASK:
455 	case SECURITY_FS_USE_NATIVE:
456 		return 1;
457 
458 	case SECURITY_FS_USE_GENFS:
459 		return selinux_is_genfs_special_handling(sb);
460 
461 	/* Never allow relabeling on context mounts */
462 	case SECURITY_FS_USE_MNTPOINT:
463 	case SECURITY_FS_USE_NONE:
464 	default:
465 		return 0;
466 	}
467 }
468 
469 static int sb_check_xattr_support(struct super_block *sb)
470 {
471 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
472 	struct dentry *root = sb->s_root;
473 	struct inode *root_inode = d_backing_inode(root);
474 	u32 sid;
475 	int rc;
476 
477 	/*
478 	 * Make sure that the xattr handler exists and that no
479 	 * error other than -ENODATA is returned by getxattr on
480 	 * the root directory.  -ENODATA is ok, as this may be
481 	 * the first boot of the SELinux kernel before we have
482 	 * assigned xattr values to the filesystem.
483 	 */
484 	if (!(root_inode->i_opflags & IOP_XATTR)) {
485 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
486 			sb->s_id, sb->s_type->name);
487 		goto fallback;
488 	}
489 
490 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
491 	if (rc < 0 && rc != -ENODATA) {
492 		if (rc == -EOPNOTSUPP) {
493 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
494 				sb->s_id, sb->s_type->name);
495 			goto fallback;
496 		} else {
497 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
498 				sb->s_id, sb->s_type->name, -rc);
499 			return rc;
500 		}
501 	}
502 	return 0;
503 
504 fallback:
505 	/* No xattr support - try to fallback to genfs if possible. */
506 	rc = security_genfs_sid(sb->s_type->name, "/",
507 				SECCLASS_DIR, &sid);
508 	if (rc)
509 		return -EOPNOTSUPP;
510 
511 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
512 		sb->s_id, sb->s_type->name);
513 	sbsec->behavior = SECURITY_FS_USE_GENFS;
514 	sbsec->sid = sid;
515 	return 0;
516 }
517 
518 static int sb_finish_set_opts(struct super_block *sb)
519 {
520 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
521 	struct dentry *root = sb->s_root;
522 	struct inode *root_inode = d_backing_inode(root);
523 	int rc = 0;
524 
525 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
526 		rc = sb_check_xattr_support(sb);
527 		if (rc)
528 			return rc;
529 	}
530 
531 	sbsec->flags |= SE_SBINITIALIZED;
532 
533 	/*
534 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
535 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
536 	 * us a superblock that needs the flag to be cleared.
537 	 */
538 	if (selinux_is_sblabel_mnt(sb))
539 		sbsec->flags |= SBLABEL_MNT;
540 	else
541 		sbsec->flags &= ~SBLABEL_MNT;
542 
543 	/* Initialize the root inode. */
544 	rc = inode_doinit_with_dentry(root_inode, root);
545 
546 	/* Initialize any other inodes associated with the superblock, e.g.
547 	   inodes created prior to initial policy load or inodes created
548 	   during get_sb by a pseudo filesystem that directly
549 	   populates itself. */
550 	spin_lock(&sbsec->isec_lock);
551 	while (!list_empty(&sbsec->isec_head)) {
552 		struct inode_security_struct *isec =
553 				list_first_entry(&sbsec->isec_head,
554 					   struct inode_security_struct, list);
555 		struct inode *inode = isec->inode;
556 		list_del_init(&isec->list);
557 		spin_unlock(&sbsec->isec_lock);
558 		inode = igrab(inode);
559 		if (inode) {
560 			if (!IS_PRIVATE(inode))
561 				inode_doinit_with_dentry(inode, NULL);
562 			iput(inode);
563 		}
564 		spin_lock(&sbsec->isec_lock);
565 	}
566 	spin_unlock(&sbsec->isec_lock);
567 	return rc;
568 }
569 
570 static int bad_option(struct superblock_security_struct *sbsec, char flag,
571 		      u32 old_sid, u32 new_sid)
572 {
573 	char mnt_flags = sbsec->flags & SE_MNTMASK;
574 
575 	/* check if the old mount command had the same options */
576 	if (sbsec->flags & SE_SBINITIALIZED)
577 		if (!(sbsec->flags & flag) ||
578 		    (old_sid != new_sid))
579 			return 1;
580 
581 	/* check if we were passed the same options twice,
582 	 * aka someone passed context=a,context=b
583 	 */
584 	if (!(sbsec->flags & SE_SBINITIALIZED))
585 		if (mnt_flags & flag)
586 			return 1;
587 	return 0;
588 }
589 
590 /*
591  * Allow filesystems with binary mount data to explicitly set mount point
592  * labeling information.
593  */
594 static int selinux_set_mnt_opts(struct super_block *sb,
595 				void *mnt_opts,
596 				unsigned long kern_flags,
597 				unsigned long *set_kern_flags)
598 {
599 	const struct cred *cred = current_cred();
600 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
601 	struct dentry *root = sb->s_root;
602 	struct selinux_mnt_opts *opts = mnt_opts;
603 	struct inode_security_struct *root_isec;
604 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
605 	u32 defcontext_sid = 0;
606 	int rc = 0;
607 
608 	/*
609 	 * Specifying internal flags without providing a place to
610 	 * place the results is not allowed
611 	 */
612 	if (kern_flags && !set_kern_flags)
613 		return -EINVAL;
614 
615 	mutex_lock(&sbsec->lock);
616 
617 	if (!selinux_initialized()) {
618 		if (!opts) {
619 			/* Defer initialization until selinux_complete_init,
620 			   after the initial policy is loaded and the security
621 			   server is ready to handle calls. */
622 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
623 				sbsec->flags |= SE_SBNATIVE;
624 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
625 			}
626 			goto out;
627 		}
628 		rc = -EINVAL;
629 		pr_warn("SELinux: Unable to set superblock options "
630 			"before the security server is initialized\n");
631 		goto out;
632 	}
633 
634 	/*
635 	 * Binary mount data FS will come through this function twice.  Once
636 	 * from an explicit call and once from the generic calls from the vfs.
637 	 * Since the generic VFS calls will not contain any security mount data
638 	 * we need to skip the double mount verification.
639 	 *
640 	 * This does open a hole in which we will not notice if the first
641 	 * mount using this sb set explicit options and a second mount using
642 	 * this sb does not set any security options.  (The first options
643 	 * will be used for both mounts)
644 	 */
645 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
646 	    && !opts)
647 		goto out;
648 
649 	root_isec = backing_inode_security_novalidate(root);
650 
651 	/*
652 	 * parse the mount options, check if they are valid sids.
653 	 * also check if someone is trying to mount the same sb more
654 	 * than once with different security options.
655 	 */
656 	if (opts) {
657 		if (opts->fscontext_sid) {
658 			fscontext_sid = opts->fscontext_sid;
659 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
660 					fscontext_sid))
661 				goto out_double_mount;
662 			sbsec->flags |= FSCONTEXT_MNT;
663 		}
664 		if (opts->context_sid) {
665 			context_sid = opts->context_sid;
666 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
667 					context_sid))
668 				goto out_double_mount;
669 			sbsec->flags |= CONTEXT_MNT;
670 		}
671 		if (opts->rootcontext_sid) {
672 			rootcontext_sid = opts->rootcontext_sid;
673 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
674 					rootcontext_sid))
675 				goto out_double_mount;
676 			sbsec->flags |= ROOTCONTEXT_MNT;
677 		}
678 		if (opts->defcontext_sid) {
679 			defcontext_sid = opts->defcontext_sid;
680 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681 					defcontext_sid))
682 				goto out_double_mount;
683 			sbsec->flags |= DEFCONTEXT_MNT;
684 		}
685 	}
686 
687 	if (sbsec->flags & SE_SBINITIALIZED) {
688 		/* previously mounted with options, but not on this attempt? */
689 		if ((sbsec->flags & SE_MNTMASK) && !opts)
690 			goto out_double_mount;
691 		rc = 0;
692 		goto out;
693 	}
694 
695 	if (strcmp(sb->s_type->name, "proc") == 0)
696 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
697 
698 	if (!strcmp(sb->s_type->name, "debugfs") ||
699 	    !strcmp(sb->s_type->name, "tracefs") ||
700 	    !strcmp(sb->s_type->name, "binder") ||
701 	    !strcmp(sb->s_type->name, "bpf") ||
702 	    !strcmp(sb->s_type->name, "pstore") ||
703 	    !strcmp(sb->s_type->name, "securityfs"))
704 		sbsec->flags |= SE_SBGENFS;
705 
706 	if (!strcmp(sb->s_type->name, "sysfs") ||
707 	    !strcmp(sb->s_type->name, "cgroup") ||
708 	    !strcmp(sb->s_type->name, "cgroup2"))
709 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
710 
711 	if (!sbsec->behavior) {
712 		/*
713 		 * Determine the labeling behavior to use for this
714 		 * filesystem type.
715 		 */
716 		rc = security_fs_use(sb);
717 		if (rc) {
718 			pr_warn("%s: security_fs_use(%s) returned %d\n",
719 					__func__, sb->s_type->name, rc);
720 			goto out;
721 		}
722 	}
723 
724 	/*
725 	 * If this is a user namespace mount and the filesystem type is not
726 	 * explicitly whitelisted, then no contexts are allowed on the command
727 	 * line and security labels must be ignored.
728 	 */
729 	if (sb->s_user_ns != &init_user_ns &&
730 	    strcmp(sb->s_type->name, "tmpfs") &&
731 	    strcmp(sb->s_type->name, "ramfs") &&
732 	    strcmp(sb->s_type->name, "devpts") &&
733 	    strcmp(sb->s_type->name, "overlay")) {
734 		if (context_sid || fscontext_sid || rootcontext_sid ||
735 		    defcontext_sid) {
736 			rc = -EACCES;
737 			goto out;
738 		}
739 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
740 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
741 			rc = security_transition_sid(current_sid(),
742 						     current_sid(),
743 						     SECCLASS_FILE, NULL,
744 						     &sbsec->mntpoint_sid);
745 			if (rc)
746 				goto out;
747 		}
748 		goto out_set_opts;
749 	}
750 
751 	/* sets the context of the superblock for the fs being mounted. */
752 	if (fscontext_sid) {
753 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
754 		if (rc)
755 			goto out;
756 
757 		sbsec->sid = fscontext_sid;
758 	}
759 
760 	/*
761 	 * Switch to using mount point labeling behavior.
762 	 * sets the label used on all file below the mountpoint, and will set
763 	 * the superblock context if not already set.
764 	 */
765 	if (sbsec->flags & SE_SBNATIVE) {
766 		/*
767 		 * This means we are initializing a superblock that has been
768 		 * mounted before the SELinux was initialized and the
769 		 * filesystem requested native labeling. We had already
770 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
771 		 * in the original mount attempt, so now we just need to set
772 		 * the SECURITY_FS_USE_NATIVE behavior.
773 		 */
774 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
775 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
776 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
777 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
778 	}
779 
780 	if (context_sid) {
781 		if (!fscontext_sid) {
782 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
783 							  cred);
784 			if (rc)
785 				goto out;
786 			sbsec->sid = context_sid;
787 		} else {
788 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
789 							     cred);
790 			if (rc)
791 				goto out;
792 		}
793 		if (!rootcontext_sid)
794 			rootcontext_sid = context_sid;
795 
796 		sbsec->mntpoint_sid = context_sid;
797 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
798 	}
799 
800 	if (rootcontext_sid) {
801 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
802 						     cred);
803 		if (rc)
804 			goto out;
805 
806 		root_isec->sid = rootcontext_sid;
807 		root_isec->initialized = LABEL_INITIALIZED;
808 	}
809 
810 	if (defcontext_sid) {
811 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
812 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
813 			rc = -EINVAL;
814 			pr_warn("SELinux: defcontext option is "
815 			       "invalid for this filesystem type\n");
816 			goto out;
817 		}
818 
819 		if (defcontext_sid != sbsec->def_sid) {
820 			rc = may_context_mount_inode_relabel(defcontext_sid,
821 							     sbsec, cred);
822 			if (rc)
823 				goto out;
824 		}
825 
826 		sbsec->def_sid = defcontext_sid;
827 	}
828 
829 out_set_opts:
830 	rc = sb_finish_set_opts(sb);
831 out:
832 	mutex_unlock(&sbsec->lock);
833 	return rc;
834 out_double_mount:
835 	rc = -EINVAL;
836 	pr_warn("SELinux: mount invalid.  Same superblock, different "
837 	       "security settings for (dev %s, type %s)\n", sb->s_id,
838 	       sb->s_type->name);
839 	goto out;
840 }
841 
842 static int selinux_cmp_sb_context(const struct super_block *oldsb,
843 				    const struct super_block *newsb)
844 {
845 	struct superblock_security_struct *old = selinux_superblock(oldsb);
846 	struct superblock_security_struct *new = selinux_superblock(newsb);
847 	char oldflags = old->flags & SE_MNTMASK;
848 	char newflags = new->flags & SE_MNTMASK;
849 
850 	if (oldflags != newflags)
851 		goto mismatch;
852 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
853 		goto mismatch;
854 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
855 		goto mismatch;
856 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
857 		goto mismatch;
858 	if (oldflags & ROOTCONTEXT_MNT) {
859 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
860 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
861 		if (oldroot->sid != newroot->sid)
862 			goto mismatch;
863 	}
864 	return 0;
865 mismatch:
866 	pr_warn("SELinux: mount invalid.  Same superblock, "
867 			    "different security settings for (dev %s, "
868 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
869 	return -EBUSY;
870 }
871 
872 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
873 					struct super_block *newsb,
874 					unsigned long kern_flags,
875 					unsigned long *set_kern_flags)
876 {
877 	int rc = 0;
878 	const struct superblock_security_struct *oldsbsec =
879 						selinux_superblock(oldsb);
880 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
881 
882 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
883 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
884 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
885 
886 	/*
887 	 * Specifying internal flags without providing a place to
888 	 * place the results is not allowed.
889 	 */
890 	if (kern_flags && !set_kern_flags)
891 		return -EINVAL;
892 
893 	mutex_lock(&newsbsec->lock);
894 
895 	/*
896 	 * if the parent was able to be mounted it clearly had no special lsm
897 	 * mount options.  thus we can safely deal with this superblock later
898 	 */
899 	if (!selinux_initialized()) {
900 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
901 			newsbsec->flags |= SE_SBNATIVE;
902 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
903 		}
904 		goto out;
905 	}
906 
907 	/* how can we clone if the old one wasn't set up?? */
908 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
909 
910 	/* if fs is reusing a sb, make sure that the contexts match */
911 	if (newsbsec->flags & SE_SBINITIALIZED) {
912 		mutex_unlock(&newsbsec->lock);
913 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
914 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
915 		return selinux_cmp_sb_context(oldsb, newsb);
916 	}
917 
918 	newsbsec->flags = oldsbsec->flags;
919 
920 	newsbsec->sid = oldsbsec->sid;
921 	newsbsec->def_sid = oldsbsec->def_sid;
922 	newsbsec->behavior = oldsbsec->behavior;
923 
924 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
925 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
926 		rc = security_fs_use(newsb);
927 		if (rc)
928 			goto out;
929 	}
930 
931 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
932 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
933 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
934 	}
935 
936 	if (set_context) {
937 		u32 sid = oldsbsec->mntpoint_sid;
938 
939 		if (!set_fscontext)
940 			newsbsec->sid = sid;
941 		if (!set_rootcontext) {
942 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
943 			newisec->sid = sid;
944 		}
945 		newsbsec->mntpoint_sid = sid;
946 	}
947 	if (set_rootcontext) {
948 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
949 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
950 
951 		newisec->sid = oldisec->sid;
952 	}
953 
954 	sb_finish_set_opts(newsb);
955 out:
956 	mutex_unlock(&newsbsec->lock);
957 	return rc;
958 }
959 
960 /*
961  * NOTE: the caller is responsible for freeing the memory even if on error.
962  */
963 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
964 {
965 	struct selinux_mnt_opts *opts = *mnt_opts;
966 	u32 *dst_sid;
967 	int rc;
968 
969 	if (token == Opt_seclabel)
970 		/* eaten and completely ignored */
971 		return 0;
972 	if (!s)
973 		return -EINVAL;
974 
975 	if (!selinux_initialized()) {
976 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
977 		return -EINVAL;
978 	}
979 
980 	if (!opts) {
981 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
982 		if (!opts)
983 			return -ENOMEM;
984 		*mnt_opts = opts;
985 	}
986 
987 	switch (token) {
988 	case Opt_context:
989 		if (opts->context_sid || opts->defcontext_sid)
990 			goto err;
991 		dst_sid = &opts->context_sid;
992 		break;
993 	case Opt_fscontext:
994 		if (opts->fscontext_sid)
995 			goto err;
996 		dst_sid = &opts->fscontext_sid;
997 		break;
998 	case Opt_rootcontext:
999 		if (opts->rootcontext_sid)
1000 			goto err;
1001 		dst_sid = &opts->rootcontext_sid;
1002 		break;
1003 	case Opt_defcontext:
1004 		if (opts->context_sid || opts->defcontext_sid)
1005 			goto err;
1006 		dst_sid = &opts->defcontext_sid;
1007 		break;
1008 	default:
1009 		WARN_ON(1);
1010 		return -EINVAL;
1011 	}
1012 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1013 	if (rc)
1014 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1015 			s, rc);
1016 	return rc;
1017 
1018 err:
1019 	pr_warn(SEL_MOUNT_FAIL_MSG);
1020 	return -EINVAL;
1021 }
1022 
1023 static int show_sid(struct seq_file *m, u32 sid)
1024 {
1025 	char *context = NULL;
1026 	u32 len;
1027 	int rc;
1028 
1029 	rc = security_sid_to_context(sid, &context, &len);
1030 	if (!rc) {
1031 		bool has_comma = strchr(context, ',');
1032 
1033 		seq_putc(m, '=');
1034 		if (has_comma)
1035 			seq_putc(m, '\"');
1036 		seq_escape(m, context, "\"\n\\");
1037 		if (has_comma)
1038 			seq_putc(m, '\"');
1039 	}
1040 	kfree(context);
1041 	return rc;
1042 }
1043 
1044 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1045 {
1046 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1047 	int rc;
1048 
1049 	if (!(sbsec->flags & SE_SBINITIALIZED))
1050 		return 0;
1051 
1052 	if (!selinux_initialized())
1053 		return 0;
1054 
1055 	if (sbsec->flags & FSCONTEXT_MNT) {
1056 		seq_putc(m, ',');
1057 		seq_puts(m, FSCONTEXT_STR);
1058 		rc = show_sid(m, sbsec->sid);
1059 		if (rc)
1060 			return rc;
1061 	}
1062 	if (sbsec->flags & CONTEXT_MNT) {
1063 		seq_putc(m, ',');
1064 		seq_puts(m, CONTEXT_STR);
1065 		rc = show_sid(m, sbsec->mntpoint_sid);
1066 		if (rc)
1067 			return rc;
1068 	}
1069 	if (sbsec->flags & DEFCONTEXT_MNT) {
1070 		seq_putc(m, ',');
1071 		seq_puts(m, DEFCONTEXT_STR);
1072 		rc = show_sid(m, sbsec->def_sid);
1073 		if (rc)
1074 			return rc;
1075 	}
1076 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1077 		struct dentry *root = sb->s_root;
1078 		struct inode_security_struct *isec = backing_inode_security(root);
1079 		seq_putc(m, ',');
1080 		seq_puts(m, ROOTCONTEXT_STR);
1081 		rc = show_sid(m, isec->sid);
1082 		if (rc)
1083 			return rc;
1084 	}
1085 	if (sbsec->flags & SBLABEL_MNT) {
1086 		seq_putc(m, ',');
1087 		seq_puts(m, SECLABEL_STR);
1088 	}
1089 	return 0;
1090 }
1091 
1092 static inline u16 inode_mode_to_security_class(umode_t mode)
1093 {
1094 	switch (mode & S_IFMT) {
1095 	case S_IFSOCK:
1096 		return SECCLASS_SOCK_FILE;
1097 	case S_IFLNK:
1098 		return SECCLASS_LNK_FILE;
1099 	case S_IFREG:
1100 		return SECCLASS_FILE;
1101 	case S_IFBLK:
1102 		return SECCLASS_BLK_FILE;
1103 	case S_IFDIR:
1104 		return SECCLASS_DIR;
1105 	case S_IFCHR:
1106 		return SECCLASS_CHR_FILE;
1107 	case S_IFIFO:
1108 		return SECCLASS_FIFO_FILE;
1109 
1110 	}
1111 
1112 	return SECCLASS_FILE;
1113 }
1114 
1115 static inline int default_protocol_stream(int protocol)
1116 {
1117 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1118 		protocol == IPPROTO_MPTCP);
1119 }
1120 
1121 static inline int default_protocol_dgram(int protocol)
1122 {
1123 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1124 }
1125 
1126 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1127 {
1128 	int extsockclass = selinux_policycap_extsockclass();
1129 
1130 	switch (family) {
1131 	case PF_UNIX:
1132 		switch (type) {
1133 		case SOCK_STREAM:
1134 		case SOCK_SEQPACKET:
1135 			return SECCLASS_UNIX_STREAM_SOCKET;
1136 		case SOCK_DGRAM:
1137 		case SOCK_RAW:
1138 			return SECCLASS_UNIX_DGRAM_SOCKET;
1139 		}
1140 		break;
1141 	case PF_INET:
1142 	case PF_INET6:
1143 		switch (type) {
1144 		case SOCK_STREAM:
1145 		case SOCK_SEQPACKET:
1146 			if (default_protocol_stream(protocol))
1147 				return SECCLASS_TCP_SOCKET;
1148 			else if (extsockclass && protocol == IPPROTO_SCTP)
1149 				return SECCLASS_SCTP_SOCKET;
1150 			else
1151 				return SECCLASS_RAWIP_SOCKET;
1152 		case SOCK_DGRAM:
1153 			if (default_protocol_dgram(protocol))
1154 				return SECCLASS_UDP_SOCKET;
1155 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1156 						  protocol == IPPROTO_ICMPV6))
1157 				return SECCLASS_ICMP_SOCKET;
1158 			else
1159 				return SECCLASS_RAWIP_SOCKET;
1160 		case SOCK_DCCP:
1161 			return SECCLASS_DCCP_SOCKET;
1162 		default:
1163 			return SECCLASS_RAWIP_SOCKET;
1164 		}
1165 		break;
1166 	case PF_NETLINK:
1167 		switch (protocol) {
1168 		case NETLINK_ROUTE:
1169 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1170 		case NETLINK_SOCK_DIAG:
1171 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1172 		case NETLINK_NFLOG:
1173 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1174 		case NETLINK_XFRM:
1175 			return SECCLASS_NETLINK_XFRM_SOCKET;
1176 		case NETLINK_SELINUX:
1177 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1178 		case NETLINK_ISCSI:
1179 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1180 		case NETLINK_AUDIT:
1181 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1182 		case NETLINK_FIB_LOOKUP:
1183 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1184 		case NETLINK_CONNECTOR:
1185 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1186 		case NETLINK_NETFILTER:
1187 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1188 		case NETLINK_DNRTMSG:
1189 			return SECCLASS_NETLINK_DNRT_SOCKET;
1190 		case NETLINK_KOBJECT_UEVENT:
1191 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1192 		case NETLINK_GENERIC:
1193 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1194 		case NETLINK_SCSITRANSPORT:
1195 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1196 		case NETLINK_RDMA:
1197 			return SECCLASS_NETLINK_RDMA_SOCKET;
1198 		case NETLINK_CRYPTO:
1199 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1200 		default:
1201 			return SECCLASS_NETLINK_SOCKET;
1202 		}
1203 	case PF_PACKET:
1204 		return SECCLASS_PACKET_SOCKET;
1205 	case PF_KEY:
1206 		return SECCLASS_KEY_SOCKET;
1207 	case PF_APPLETALK:
1208 		return SECCLASS_APPLETALK_SOCKET;
1209 	}
1210 
1211 	if (extsockclass) {
1212 		switch (family) {
1213 		case PF_AX25:
1214 			return SECCLASS_AX25_SOCKET;
1215 		case PF_IPX:
1216 			return SECCLASS_IPX_SOCKET;
1217 		case PF_NETROM:
1218 			return SECCLASS_NETROM_SOCKET;
1219 		case PF_ATMPVC:
1220 			return SECCLASS_ATMPVC_SOCKET;
1221 		case PF_X25:
1222 			return SECCLASS_X25_SOCKET;
1223 		case PF_ROSE:
1224 			return SECCLASS_ROSE_SOCKET;
1225 		case PF_DECnet:
1226 			return SECCLASS_DECNET_SOCKET;
1227 		case PF_ATMSVC:
1228 			return SECCLASS_ATMSVC_SOCKET;
1229 		case PF_RDS:
1230 			return SECCLASS_RDS_SOCKET;
1231 		case PF_IRDA:
1232 			return SECCLASS_IRDA_SOCKET;
1233 		case PF_PPPOX:
1234 			return SECCLASS_PPPOX_SOCKET;
1235 		case PF_LLC:
1236 			return SECCLASS_LLC_SOCKET;
1237 		case PF_CAN:
1238 			return SECCLASS_CAN_SOCKET;
1239 		case PF_TIPC:
1240 			return SECCLASS_TIPC_SOCKET;
1241 		case PF_BLUETOOTH:
1242 			return SECCLASS_BLUETOOTH_SOCKET;
1243 		case PF_IUCV:
1244 			return SECCLASS_IUCV_SOCKET;
1245 		case PF_RXRPC:
1246 			return SECCLASS_RXRPC_SOCKET;
1247 		case PF_ISDN:
1248 			return SECCLASS_ISDN_SOCKET;
1249 		case PF_PHONET:
1250 			return SECCLASS_PHONET_SOCKET;
1251 		case PF_IEEE802154:
1252 			return SECCLASS_IEEE802154_SOCKET;
1253 		case PF_CAIF:
1254 			return SECCLASS_CAIF_SOCKET;
1255 		case PF_ALG:
1256 			return SECCLASS_ALG_SOCKET;
1257 		case PF_NFC:
1258 			return SECCLASS_NFC_SOCKET;
1259 		case PF_VSOCK:
1260 			return SECCLASS_VSOCK_SOCKET;
1261 		case PF_KCM:
1262 			return SECCLASS_KCM_SOCKET;
1263 		case PF_QIPCRTR:
1264 			return SECCLASS_QIPCRTR_SOCKET;
1265 		case PF_SMC:
1266 			return SECCLASS_SMC_SOCKET;
1267 		case PF_XDP:
1268 			return SECCLASS_XDP_SOCKET;
1269 		case PF_MCTP:
1270 			return SECCLASS_MCTP_SOCKET;
1271 #if PF_MAX > 46
1272 #error New address family defined, please update this function.
1273 #endif
1274 		}
1275 	}
1276 
1277 	return SECCLASS_SOCKET;
1278 }
1279 
1280 static int selinux_genfs_get_sid(struct dentry *dentry,
1281 				 u16 tclass,
1282 				 u16 flags,
1283 				 u32 *sid)
1284 {
1285 	int rc;
1286 	struct super_block *sb = dentry->d_sb;
1287 	char *buffer, *path;
1288 
1289 	buffer = (char *)__get_free_page(GFP_KERNEL);
1290 	if (!buffer)
1291 		return -ENOMEM;
1292 
1293 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1294 	if (IS_ERR(path))
1295 		rc = PTR_ERR(path);
1296 	else {
1297 		if (flags & SE_SBPROC) {
1298 			/* each process gets a /proc/PID/ entry. Strip off the
1299 			 * PID part to get a valid selinux labeling.
1300 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1301 			while (path[1] >= '0' && path[1] <= '9') {
1302 				path[1] = '/';
1303 				path++;
1304 			}
1305 		}
1306 		rc = security_genfs_sid(sb->s_type->name,
1307 					path, tclass, sid);
1308 		if (rc == -ENOENT) {
1309 			/* No match in policy, mark as unlabeled. */
1310 			*sid = SECINITSID_UNLABELED;
1311 			rc = 0;
1312 		}
1313 	}
1314 	free_page((unsigned long)buffer);
1315 	return rc;
1316 }
1317 
1318 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1319 				  u32 def_sid, u32 *sid)
1320 {
1321 #define INITCONTEXTLEN 255
1322 	char *context;
1323 	unsigned int len;
1324 	int rc;
1325 
1326 	len = INITCONTEXTLEN;
1327 	context = kmalloc(len + 1, GFP_NOFS);
1328 	if (!context)
1329 		return -ENOMEM;
1330 
1331 	context[len] = '\0';
1332 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1333 	if (rc == -ERANGE) {
1334 		kfree(context);
1335 
1336 		/* Need a larger buffer.  Query for the right size. */
1337 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1338 		if (rc < 0)
1339 			return rc;
1340 
1341 		len = rc;
1342 		context = kmalloc(len + 1, GFP_NOFS);
1343 		if (!context)
1344 			return -ENOMEM;
1345 
1346 		context[len] = '\0';
1347 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1348 				    context, len);
1349 	}
1350 	if (rc < 0) {
1351 		kfree(context);
1352 		if (rc != -ENODATA) {
1353 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1354 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1355 			return rc;
1356 		}
1357 		*sid = def_sid;
1358 		return 0;
1359 	}
1360 
1361 	rc = security_context_to_sid_default(context, rc, sid,
1362 					     def_sid, GFP_NOFS);
1363 	if (rc) {
1364 		char *dev = inode->i_sb->s_id;
1365 		unsigned long ino = inode->i_ino;
1366 
1367 		if (rc == -EINVAL) {
1368 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1369 					      ino, dev, context);
1370 		} else {
1371 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1372 				__func__, context, -rc, dev, ino);
1373 		}
1374 	}
1375 	kfree(context);
1376 	return 0;
1377 }
1378 
1379 /* The inode's security attributes must be initialized before first use. */
1380 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1381 {
1382 	struct superblock_security_struct *sbsec = NULL;
1383 	struct inode_security_struct *isec = selinux_inode(inode);
1384 	u32 task_sid, sid = 0;
1385 	u16 sclass;
1386 	struct dentry *dentry;
1387 	int rc = 0;
1388 
1389 	if (isec->initialized == LABEL_INITIALIZED)
1390 		return 0;
1391 
1392 	spin_lock(&isec->lock);
1393 	if (isec->initialized == LABEL_INITIALIZED)
1394 		goto out_unlock;
1395 
1396 	if (isec->sclass == SECCLASS_FILE)
1397 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1398 
1399 	sbsec = selinux_superblock(inode->i_sb);
1400 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1401 		/* Defer initialization until selinux_complete_init,
1402 		   after the initial policy is loaded and the security
1403 		   server is ready to handle calls. */
1404 		spin_lock(&sbsec->isec_lock);
1405 		if (list_empty(&isec->list))
1406 			list_add(&isec->list, &sbsec->isec_head);
1407 		spin_unlock(&sbsec->isec_lock);
1408 		goto out_unlock;
1409 	}
1410 
1411 	sclass = isec->sclass;
1412 	task_sid = isec->task_sid;
1413 	sid = isec->sid;
1414 	isec->initialized = LABEL_PENDING;
1415 	spin_unlock(&isec->lock);
1416 
1417 	switch (sbsec->behavior) {
1418 	/*
1419 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1420 	 * via xattr when called from delayed_superblock_init().
1421 	 */
1422 	case SECURITY_FS_USE_NATIVE:
1423 	case SECURITY_FS_USE_XATTR:
1424 		if (!(inode->i_opflags & IOP_XATTR)) {
1425 			sid = sbsec->def_sid;
1426 			break;
1427 		}
1428 		/* Need a dentry, since the xattr API requires one.
1429 		   Life would be simpler if we could just pass the inode. */
1430 		if (opt_dentry) {
1431 			/* Called from d_instantiate or d_splice_alias. */
1432 			dentry = dget(opt_dentry);
1433 		} else {
1434 			/*
1435 			 * Called from selinux_complete_init, try to find a dentry.
1436 			 * Some filesystems really want a connected one, so try
1437 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1438 			 * two, depending upon that...
1439 			 */
1440 			dentry = d_find_alias(inode);
1441 			if (!dentry)
1442 				dentry = d_find_any_alias(inode);
1443 		}
1444 		if (!dentry) {
1445 			/*
1446 			 * this is can be hit on boot when a file is accessed
1447 			 * before the policy is loaded.  When we load policy we
1448 			 * may find inodes that have no dentry on the
1449 			 * sbsec->isec_head list.  No reason to complain as these
1450 			 * will get fixed up the next time we go through
1451 			 * inode_doinit with a dentry, before these inodes could
1452 			 * be used again by userspace.
1453 			 */
1454 			goto out_invalid;
1455 		}
1456 
1457 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1458 					    &sid);
1459 		dput(dentry);
1460 		if (rc)
1461 			goto out;
1462 		break;
1463 	case SECURITY_FS_USE_TASK:
1464 		sid = task_sid;
1465 		break;
1466 	case SECURITY_FS_USE_TRANS:
1467 		/* Default to the fs SID. */
1468 		sid = sbsec->sid;
1469 
1470 		/* Try to obtain a transition SID. */
1471 		rc = security_transition_sid(task_sid, sid,
1472 					     sclass, NULL, &sid);
1473 		if (rc)
1474 			goto out;
1475 		break;
1476 	case SECURITY_FS_USE_MNTPOINT:
1477 		sid = sbsec->mntpoint_sid;
1478 		break;
1479 	default:
1480 		/* Default to the fs superblock SID. */
1481 		sid = sbsec->sid;
1482 
1483 		if ((sbsec->flags & SE_SBGENFS) &&
1484 		     (!S_ISLNK(inode->i_mode) ||
1485 		      selinux_policycap_genfs_seclabel_symlinks())) {
1486 			/* We must have a dentry to determine the label on
1487 			 * procfs inodes */
1488 			if (opt_dentry) {
1489 				/* Called from d_instantiate or
1490 				 * d_splice_alias. */
1491 				dentry = dget(opt_dentry);
1492 			} else {
1493 				/* Called from selinux_complete_init, try to
1494 				 * find a dentry.  Some filesystems really want
1495 				 * a connected one, so try that first.
1496 				 */
1497 				dentry = d_find_alias(inode);
1498 				if (!dentry)
1499 					dentry = d_find_any_alias(inode);
1500 			}
1501 			/*
1502 			 * This can be hit on boot when a file is accessed
1503 			 * before the policy is loaded.  When we load policy we
1504 			 * may find inodes that have no dentry on the
1505 			 * sbsec->isec_head list.  No reason to complain as
1506 			 * these will get fixed up the next time we go through
1507 			 * inode_doinit() with a dentry, before these inodes
1508 			 * could be used again by userspace.
1509 			 */
1510 			if (!dentry)
1511 				goto out_invalid;
1512 			rc = selinux_genfs_get_sid(dentry, sclass,
1513 						   sbsec->flags, &sid);
1514 			if (rc) {
1515 				dput(dentry);
1516 				goto out;
1517 			}
1518 
1519 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1520 			    (inode->i_opflags & IOP_XATTR)) {
1521 				rc = inode_doinit_use_xattr(inode, dentry,
1522 							    sid, &sid);
1523 				if (rc) {
1524 					dput(dentry);
1525 					goto out;
1526 				}
1527 			}
1528 			dput(dentry);
1529 		}
1530 		break;
1531 	}
1532 
1533 out:
1534 	spin_lock(&isec->lock);
1535 	if (isec->initialized == LABEL_PENDING) {
1536 		if (rc) {
1537 			isec->initialized = LABEL_INVALID;
1538 			goto out_unlock;
1539 		}
1540 		isec->initialized = LABEL_INITIALIZED;
1541 		isec->sid = sid;
1542 	}
1543 
1544 out_unlock:
1545 	spin_unlock(&isec->lock);
1546 	return rc;
1547 
1548 out_invalid:
1549 	spin_lock(&isec->lock);
1550 	if (isec->initialized == LABEL_PENDING) {
1551 		isec->initialized = LABEL_INVALID;
1552 		isec->sid = sid;
1553 	}
1554 	spin_unlock(&isec->lock);
1555 	return 0;
1556 }
1557 
1558 /* Convert a Linux signal to an access vector. */
1559 static inline u32 signal_to_av(int sig)
1560 {
1561 	u32 perm = 0;
1562 
1563 	switch (sig) {
1564 	case SIGCHLD:
1565 		/* Commonly granted from child to parent. */
1566 		perm = PROCESS__SIGCHLD;
1567 		break;
1568 	case SIGKILL:
1569 		/* Cannot be caught or ignored */
1570 		perm = PROCESS__SIGKILL;
1571 		break;
1572 	case SIGSTOP:
1573 		/* Cannot be caught or ignored */
1574 		perm = PROCESS__SIGSTOP;
1575 		break;
1576 	default:
1577 		/* All other signals. */
1578 		perm = PROCESS__SIGNAL;
1579 		break;
1580 	}
1581 
1582 	return perm;
1583 }
1584 
1585 #if CAP_LAST_CAP > 63
1586 #error Fix SELinux to handle capabilities > 63.
1587 #endif
1588 
1589 /* Check whether a task is allowed to use a capability. */
1590 static int cred_has_capability(const struct cred *cred,
1591 			       int cap, unsigned int opts, bool initns)
1592 {
1593 	struct common_audit_data ad;
1594 	struct av_decision avd;
1595 	u16 sclass;
1596 	u32 sid = cred_sid(cred);
1597 	u32 av = CAP_TO_MASK(cap);
1598 	int rc;
1599 
1600 	ad.type = LSM_AUDIT_DATA_CAP;
1601 	ad.u.cap = cap;
1602 
1603 	switch (CAP_TO_INDEX(cap)) {
1604 	case 0:
1605 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1606 		break;
1607 	case 1:
1608 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1609 		break;
1610 	default:
1611 		pr_err("SELinux:  out of range capability %d\n", cap);
1612 		BUG();
1613 		return -EINVAL;
1614 	}
1615 
1616 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1617 	if (!(opts & CAP_OPT_NOAUDIT)) {
1618 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1619 		if (rc2)
1620 			return rc2;
1621 	}
1622 	return rc;
1623 }
1624 
1625 /* Check whether a task has a particular permission to an inode.
1626    The 'adp' parameter is optional and allows other audit
1627    data to be passed (e.g. the dentry). */
1628 static int inode_has_perm(const struct cred *cred,
1629 			  struct inode *inode,
1630 			  u32 perms,
1631 			  struct common_audit_data *adp)
1632 {
1633 	struct inode_security_struct *isec;
1634 	u32 sid;
1635 
1636 	validate_creds(cred);
1637 
1638 	if (unlikely(IS_PRIVATE(inode)))
1639 		return 0;
1640 
1641 	sid = cred_sid(cred);
1642 	isec = selinux_inode(inode);
1643 
1644 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1645 }
1646 
1647 /* Same as inode_has_perm, but pass explicit audit data containing
1648    the dentry to help the auditing code to more easily generate the
1649    pathname if needed. */
1650 static inline int dentry_has_perm(const struct cred *cred,
1651 				  struct dentry *dentry,
1652 				  u32 av)
1653 {
1654 	struct inode *inode = d_backing_inode(dentry);
1655 	struct common_audit_data ad;
1656 
1657 	ad.type = LSM_AUDIT_DATA_DENTRY;
1658 	ad.u.dentry = dentry;
1659 	__inode_security_revalidate(inode, dentry, true);
1660 	return inode_has_perm(cred, inode, av, &ad);
1661 }
1662 
1663 /* Same as inode_has_perm, but pass explicit audit data containing
1664    the path to help the auditing code to more easily generate the
1665    pathname if needed. */
1666 static inline int path_has_perm(const struct cred *cred,
1667 				const struct path *path,
1668 				u32 av)
1669 {
1670 	struct inode *inode = d_backing_inode(path->dentry);
1671 	struct common_audit_data ad;
1672 
1673 	ad.type = LSM_AUDIT_DATA_PATH;
1674 	ad.u.path = *path;
1675 	__inode_security_revalidate(inode, path->dentry, true);
1676 	return inode_has_perm(cred, inode, av, &ad);
1677 }
1678 
1679 /* Same as path_has_perm, but uses the inode from the file struct. */
1680 static inline int file_path_has_perm(const struct cred *cred,
1681 				     struct file *file,
1682 				     u32 av)
1683 {
1684 	struct common_audit_data ad;
1685 
1686 	ad.type = LSM_AUDIT_DATA_FILE;
1687 	ad.u.file = file;
1688 	return inode_has_perm(cred, file_inode(file), av, &ad);
1689 }
1690 
1691 #ifdef CONFIG_BPF_SYSCALL
1692 static int bpf_fd_pass(struct file *file, u32 sid);
1693 #endif
1694 
1695 /* Check whether a task can use an open file descriptor to
1696    access an inode in a given way.  Check access to the
1697    descriptor itself, and then use dentry_has_perm to
1698    check a particular permission to the file.
1699    Access to the descriptor is implicitly granted if it
1700    has the same SID as the process.  If av is zero, then
1701    access to the file is not checked, e.g. for cases
1702    where only the descriptor is affected like seek. */
1703 static int file_has_perm(const struct cred *cred,
1704 			 struct file *file,
1705 			 u32 av)
1706 {
1707 	struct file_security_struct *fsec = selinux_file(file);
1708 	struct inode *inode = file_inode(file);
1709 	struct common_audit_data ad;
1710 	u32 sid = cred_sid(cred);
1711 	int rc;
1712 
1713 	ad.type = LSM_AUDIT_DATA_FILE;
1714 	ad.u.file = file;
1715 
1716 	if (sid != fsec->sid) {
1717 		rc = avc_has_perm(sid, fsec->sid,
1718 				  SECCLASS_FD,
1719 				  FD__USE,
1720 				  &ad);
1721 		if (rc)
1722 			goto out;
1723 	}
1724 
1725 #ifdef CONFIG_BPF_SYSCALL
1726 	rc = bpf_fd_pass(file, cred_sid(cred));
1727 	if (rc)
1728 		return rc;
1729 #endif
1730 
1731 	/* av is zero if only checking access to the descriptor. */
1732 	rc = 0;
1733 	if (av)
1734 		rc = inode_has_perm(cred, inode, av, &ad);
1735 
1736 out:
1737 	return rc;
1738 }
1739 
1740 /*
1741  * Determine the label for an inode that might be unioned.
1742  */
1743 static int
1744 selinux_determine_inode_label(const struct task_security_struct *tsec,
1745 				 struct inode *dir,
1746 				 const struct qstr *name, u16 tclass,
1747 				 u32 *_new_isid)
1748 {
1749 	const struct superblock_security_struct *sbsec =
1750 						selinux_superblock(dir->i_sb);
1751 
1752 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1753 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1754 		*_new_isid = sbsec->mntpoint_sid;
1755 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1756 		   tsec->create_sid) {
1757 		*_new_isid = tsec->create_sid;
1758 	} else {
1759 		const struct inode_security_struct *dsec = inode_security(dir);
1760 		return security_transition_sid(tsec->sid,
1761 					       dsec->sid, tclass,
1762 					       name, _new_isid);
1763 	}
1764 
1765 	return 0;
1766 }
1767 
1768 /* Check whether a task can create a file. */
1769 static int may_create(struct inode *dir,
1770 		      struct dentry *dentry,
1771 		      u16 tclass)
1772 {
1773 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1774 	struct inode_security_struct *dsec;
1775 	struct superblock_security_struct *sbsec;
1776 	u32 sid, newsid;
1777 	struct common_audit_data ad;
1778 	int rc;
1779 
1780 	dsec = inode_security(dir);
1781 	sbsec = selinux_superblock(dir->i_sb);
1782 
1783 	sid = tsec->sid;
1784 
1785 	ad.type = LSM_AUDIT_DATA_DENTRY;
1786 	ad.u.dentry = dentry;
1787 
1788 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1789 			  DIR__ADD_NAME | DIR__SEARCH,
1790 			  &ad);
1791 	if (rc)
1792 		return rc;
1793 
1794 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1795 					   &newsid);
1796 	if (rc)
1797 		return rc;
1798 
1799 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1800 	if (rc)
1801 		return rc;
1802 
1803 	return avc_has_perm(newsid, sbsec->sid,
1804 			    SECCLASS_FILESYSTEM,
1805 			    FILESYSTEM__ASSOCIATE, &ad);
1806 }
1807 
1808 #define MAY_LINK	0
1809 #define MAY_UNLINK	1
1810 #define MAY_RMDIR	2
1811 
1812 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1813 static int may_link(struct inode *dir,
1814 		    struct dentry *dentry,
1815 		    int kind)
1816 
1817 {
1818 	struct inode_security_struct *dsec, *isec;
1819 	struct common_audit_data ad;
1820 	u32 sid = current_sid();
1821 	u32 av;
1822 	int rc;
1823 
1824 	dsec = inode_security(dir);
1825 	isec = backing_inode_security(dentry);
1826 
1827 	ad.type = LSM_AUDIT_DATA_DENTRY;
1828 	ad.u.dentry = dentry;
1829 
1830 	av = DIR__SEARCH;
1831 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1832 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1833 	if (rc)
1834 		return rc;
1835 
1836 	switch (kind) {
1837 	case MAY_LINK:
1838 		av = FILE__LINK;
1839 		break;
1840 	case MAY_UNLINK:
1841 		av = FILE__UNLINK;
1842 		break;
1843 	case MAY_RMDIR:
1844 		av = DIR__RMDIR;
1845 		break;
1846 	default:
1847 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1848 			__func__, kind);
1849 		return 0;
1850 	}
1851 
1852 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1853 	return rc;
1854 }
1855 
1856 static inline int may_rename(struct inode *old_dir,
1857 			     struct dentry *old_dentry,
1858 			     struct inode *new_dir,
1859 			     struct dentry *new_dentry)
1860 {
1861 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1862 	struct common_audit_data ad;
1863 	u32 sid = current_sid();
1864 	u32 av;
1865 	int old_is_dir, new_is_dir;
1866 	int rc;
1867 
1868 	old_dsec = inode_security(old_dir);
1869 	old_isec = backing_inode_security(old_dentry);
1870 	old_is_dir = d_is_dir(old_dentry);
1871 	new_dsec = inode_security(new_dir);
1872 
1873 	ad.type = LSM_AUDIT_DATA_DENTRY;
1874 
1875 	ad.u.dentry = old_dentry;
1876 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1877 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1878 	if (rc)
1879 		return rc;
1880 	rc = avc_has_perm(sid, old_isec->sid,
1881 			  old_isec->sclass, FILE__RENAME, &ad);
1882 	if (rc)
1883 		return rc;
1884 	if (old_is_dir && new_dir != old_dir) {
1885 		rc = avc_has_perm(sid, old_isec->sid,
1886 				  old_isec->sclass, DIR__REPARENT, &ad);
1887 		if (rc)
1888 			return rc;
1889 	}
1890 
1891 	ad.u.dentry = new_dentry;
1892 	av = DIR__ADD_NAME | DIR__SEARCH;
1893 	if (d_is_positive(new_dentry))
1894 		av |= DIR__REMOVE_NAME;
1895 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1896 	if (rc)
1897 		return rc;
1898 	if (d_is_positive(new_dentry)) {
1899 		new_isec = backing_inode_security(new_dentry);
1900 		new_is_dir = d_is_dir(new_dentry);
1901 		rc = avc_has_perm(sid, new_isec->sid,
1902 				  new_isec->sclass,
1903 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1904 		if (rc)
1905 			return rc;
1906 	}
1907 
1908 	return 0;
1909 }
1910 
1911 /* Check whether a task can perform a filesystem operation. */
1912 static int superblock_has_perm(const struct cred *cred,
1913 			       struct super_block *sb,
1914 			       u32 perms,
1915 			       struct common_audit_data *ad)
1916 {
1917 	struct superblock_security_struct *sbsec;
1918 	u32 sid = cred_sid(cred);
1919 
1920 	sbsec = selinux_superblock(sb);
1921 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1922 }
1923 
1924 /* Convert a Linux mode and permission mask to an access vector. */
1925 static inline u32 file_mask_to_av(int mode, int mask)
1926 {
1927 	u32 av = 0;
1928 
1929 	if (!S_ISDIR(mode)) {
1930 		if (mask & MAY_EXEC)
1931 			av |= FILE__EXECUTE;
1932 		if (mask & MAY_READ)
1933 			av |= FILE__READ;
1934 
1935 		if (mask & MAY_APPEND)
1936 			av |= FILE__APPEND;
1937 		else if (mask & MAY_WRITE)
1938 			av |= FILE__WRITE;
1939 
1940 	} else {
1941 		if (mask & MAY_EXEC)
1942 			av |= DIR__SEARCH;
1943 		if (mask & MAY_WRITE)
1944 			av |= DIR__WRITE;
1945 		if (mask & MAY_READ)
1946 			av |= DIR__READ;
1947 	}
1948 
1949 	return av;
1950 }
1951 
1952 /* Convert a Linux file to an access vector. */
1953 static inline u32 file_to_av(struct file *file)
1954 {
1955 	u32 av = 0;
1956 
1957 	if (file->f_mode & FMODE_READ)
1958 		av |= FILE__READ;
1959 	if (file->f_mode & FMODE_WRITE) {
1960 		if (file->f_flags & O_APPEND)
1961 			av |= FILE__APPEND;
1962 		else
1963 			av |= FILE__WRITE;
1964 	}
1965 	if (!av) {
1966 		/*
1967 		 * Special file opened with flags 3 for ioctl-only use.
1968 		 */
1969 		av = FILE__IOCTL;
1970 	}
1971 
1972 	return av;
1973 }
1974 
1975 /*
1976  * Convert a file to an access vector and include the correct
1977  * open permission.
1978  */
1979 static inline u32 open_file_to_av(struct file *file)
1980 {
1981 	u32 av = file_to_av(file);
1982 	struct inode *inode = file_inode(file);
1983 
1984 	if (selinux_policycap_openperm() &&
1985 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1986 		av |= FILE__OPEN;
1987 
1988 	return av;
1989 }
1990 
1991 /* Hook functions begin here. */
1992 
1993 static int selinux_binder_set_context_mgr(const struct cred *mgr)
1994 {
1995 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
1996 			    BINDER__SET_CONTEXT_MGR, NULL);
1997 }
1998 
1999 static int selinux_binder_transaction(const struct cred *from,
2000 				      const struct cred *to)
2001 {
2002 	u32 mysid = current_sid();
2003 	u32 fromsid = cred_sid(from);
2004 	u32 tosid = cred_sid(to);
2005 	int rc;
2006 
2007 	if (mysid != fromsid) {
2008 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2009 				  BINDER__IMPERSONATE, NULL);
2010 		if (rc)
2011 			return rc;
2012 	}
2013 
2014 	return avc_has_perm(fromsid, tosid,
2015 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2016 }
2017 
2018 static int selinux_binder_transfer_binder(const struct cred *from,
2019 					  const struct cred *to)
2020 {
2021 	return avc_has_perm(cred_sid(from), cred_sid(to),
2022 			    SECCLASS_BINDER, BINDER__TRANSFER,
2023 			    NULL);
2024 }
2025 
2026 static int selinux_binder_transfer_file(const struct cred *from,
2027 					const struct cred *to,
2028 					struct file *file)
2029 {
2030 	u32 sid = cred_sid(to);
2031 	struct file_security_struct *fsec = selinux_file(file);
2032 	struct dentry *dentry = file->f_path.dentry;
2033 	struct inode_security_struct *isec;
2034 	struct common_audit_data ad;
2035 	int rc;
2036 
2037 	ad.type = LSM_AUDIT_DATA_PATH;
2038 	ad.u.path = file->f_path;
2039 
2040 	if (sid != fsec->sid) {
2041 		rc = avc_has_perm(sid, fsec->sid,
2042 				  SECCLASS_FD,
2043 				  FD__USE,
2044 				  &ad);
2045 		if (rc)
2046 			return rc;
2047 	}
2048 
2049 #ifdef CONFIG_BPF_SYSCALL
2050 	rc = bpf_fd_pass(file, sid);
2051 	if (rc)
2052 		return rc;
2053 #endif
2054 
2055 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2056 		return 0;
2057 
2058 	isec = backing_inode_security(dentry);
2059 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2060 			    &ad);
2061 }
2062 
2063 static int selinux_ptrace_access_check(struct task_struct *child,
2064 				       unsigned int mode)
2065 {
2066 	u32 sid = current_sid();
2067 	u32 csid = task_sid_obj(child);
2068 
2069 	if (mode & PTRACE_MODE_READ)
2070 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2071 				NULL);
2072 
2073 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2074 			NULL);
2075 }
2076 
2077 static int selinux_ptrace_traceme(struct task_struct *parent)
2078 {
2079 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2080 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2081 }
2082 
2083 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2084 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2085 {
2086 	return avc_has_perm(current_sid(), task_sid_obj(target),
2087 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2088 }
2089 
2090 static int selinux_capset(struct cred *new, const struct cred *old,
2091 			  const kernel_cap_t *effective,
2092 			  const kernel_cap_t *inheritable,
2093 			  const kernel_cap_t *permitted)
2094 {
2095 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2096 			    PROCESS__SETCAP, NULL);
2097 }
2098 
2099 /*
2100  * (This comment used to live with the selinux_task_setuid hook,
2101  * which was removed).
2102  *
2103  * Since setuid only affects the current process, and since the SELinux
2104  * controls are not based on the Linux identity attributes, SELinux does not
2105  * need to control this operation.  However, SELinux does control the use of
2106  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2107  */
2108 
2109 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2110 			   int cap, unsigned int opts)
2111 {
2112 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2113 }
2114 
2115 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2116 {
2117 	const struct cred *cred = current_cred();
2118 	int rc = 0;
2119 
2120 	if (!sb)
2121 		return 0;
2122 
2123 	switch (cmds) {
2124 	case Q_SYNC:
2125 	case Q_QUOTAON:
2126 	case Q_QUOTAOFF:
2127 	case Q_SETINFO:
2128 	case Q_SETQUOTA:
2129 	case Q_XQUOTAOFF:
2130 	case Q_XQUOTAON:
2131 	case Q_XSETQLIM:
2132 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2133 		break;
2134 	case Q_GETFMT:
2135 	case Q_GETINFO:
2136 	case Q_GETQUOTA:
2137 	case Q_XGETQUOTA:
2138 	case Q_XGETQSTAT:
2139 	case Q_XGETQSTATV:
2140 	case Q_XGETNEXTQUOTA:
2141 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2142 		break;
2143 	default:
2144 		rc = 0;  /* let the kernel handle invalid cmds */
2145 		break;
2146 	}
2147 	return rc;
2148 }
2149 
2150 static int selinux_quota_on(struct dentry *dentry)
2151 {
2152 	const struct cred *cred = current_cred();
2153 
2154 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2155 }
2156 
2157 static int selinux_syslog(int type)
2158 {
2159 	switch (type) {
2160 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2161 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2162 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2163 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2164 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2165 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2166 	/* Set level of messages printed to console */
2167 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2168 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2169 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2170 				    NULL);
2171 	}
2172 	/* All other syslog types */
2173 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2174 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2175 }
2176 
2177 /*
2178  * Check that a process has enough memory to allocate a new virtual
2179  * mapping. 0 means there is enough memory for the allocation to
2180  * succeed and -ENOMEM implies there is not.
2181  *
2182  * Do not audit the selinux permission check, as this is applied to all
2183  * processes that allocate mappings.
2184  */
2185 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2186 {
2187 	int rc, cap_sys_admin = 0;
2188 
2189 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2190 				 CAP_OPT_NOAUDIT, true);
2191 	if (rc == 0)
2192 		cap_sys_admin = 1;
2193 
2194 	return cap_sys_admin;
2195 }
2196 
2197 /* binprm security operations */
2198 
2199 static u32 ptrace_parent_sid(void)
2200 {
2201 	u32 sid = 0;
2202 	struct task_struct *tracer;
2203 
2204 	rcu_read_lock();
2205 	tracer = ptrace_parent(current);
2206 	if (tracer)
2207 		sid = task_sid_obj(tracer);
2208 	rcu_read_unlock();
2209 
2210 	return sid;
2211 }
2212 
2213 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2214 			    const struct task_security_struct *old_tsec,
2215 			    const struct task_security_struct *new_tsec)
2216 {
2217 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2218 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2219 	int rc;
2220 	u32 av;
2221 
2222 	if (!nnp && !nosuid)
2223 		return 0; /* neither NNP nor nosuid */
2224 
2225 	if (new_tsec->sid == old_tsec->sid)
2226 		return 0; /* No change in credentials */
2227 
2228 	/*
2229 	 * If the policy enables the nnp_nosuid_transition policy capability,
2230 	 * then we permit transitions under NNP or nosuid if the
2231 	 * policy allows the corresponding permission between
2232 	 * the old and new contexts.
2233 	 */
2234 	if (selinux_policycap_nnp_nosuid_transition()) {
2235 		av = 0;
2236 		if (nnp)
2237 			av |= PROCESS2__NNP_TRANSITION;
2238 		if (nosuid)
2239 			av |= PROCESS2__NOSUID_TRANSITION;
2240 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2241 				  SECCLASS_PROCESS2, av, NULL);
2242 		if (!rc)
2243 			return 0;
2244 	}
2245 
2246 	/*
2247 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2248 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2249 	 * of the permissions of the current SID.
2250 	 */
2251 	rc = security_bounded_transition(old_tsec->sid,
2252 					 new_tsec->sid);
2253 	if (!rc)
2254 		return 0;
2255 
2256 	/*
2257 	 * On failure, preserve the errno values for NNP vs nosuid.
2258 	 * NNP:  Operation not permitted for caller.
2259 	 * nosuid:  Permission denied to file.
2260 	 */
2261 	if (nnp)
2262 		return -EPERM;
2263 	return -EACCES;
2264 }
2265 
2266 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2267 {
2268 	const struct task_security_struct *old_tsec;
2269 	struct task_security_struct *new_tsec;
2270 	struct inode_security_struct *isec;
2271 	struct common_audit_data ad;
2272 	struct inode *inode = file_inode(bprm->file);
2273 	int rc;
2274 
2275 	/* SELinux context only depends on initial program or script and not
2276 	 * the script interpreter */
2277 
2278 	old_tsec = selinux_cred(current_cred());
2279 	new_tsec = selinux_cred(bprm->cred);
2280 	isec = inode_security(inode);
2281 
2282 	/* Default to the current task SID. */
2283 	new_tsec->sid = old_tsec->sid;
2284 	new_tsec->osid = old_tsec->sid;
2285 
2286 	/* Reset fs, key, and sock SIDs on execve. */
2287 	new_tsec->create_sid = 0;
2288 	new_tsec->keycreate_sid = 0;
2289 	new_tsec->sockcreate_sid = 0;
2290 
2291 	if (old_tsec->exec_sid) {
2292 		new_tsec->sid = old_tsec->exec_sid;
2293 		/* Reset exec SID on execve. */
2294 		new_tsec->exec_sid = 0;
2295 
2296 		/* Fail on NNP or nosuid if not an allowed transition. */
2297 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2298 		if (rc)
2299 			return rc;
2300 	} else {
2301 		/* Check for a default transition on this program. */
2302 		rc = security_transition_sid(old_tsec->sid,
2303 					     isec->sid, SECCLASS_PROCESS, NULL,
2304 					     &new_tsec->sid);
2305 		if (rc)
2306 			return rc;
2307 
2308 		/*
2309 		 * Fallback to old SID on NNP or nosuid if not an allowed
2310 		 * transition.
2311 		 */
2312 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2313 		if (rc)
2314 			new_tsec->sid = old_tsec->sid;
2315 	}
2316 
2317 	ad.type = LSM_AUDIT_DATA_FILE;
2318 	ad.u.file = bprm->file;
2319 
2320 	if (new_tsec->sid == old_tsec->sid) {
2321 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2322 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2323 		if (rc)
2324 			return rc;
2325 	} else {
2326 		/* Check permissions for the transition. */
2327 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2328 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2329 		if (rc)
2330 			return rc;
2331 
2332 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2333 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2334 		if (rc)
2335 			return rc;
2336 
2337 		/* Check for shared state */
2338 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2339 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2340 					  SECCLASS_PROCESS, PROCESS__SHARE,
2341 					  NULL);
2342 			if (rc)
2343 				return -EPERM;
2344 		}
2345 
2346 		/* Make sure that anyone attempting to ptrace over a task that
2347 		 * changes its SID has the appropriate permit */
2348 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2349 			u32 ptsid = ptrace_parent_sid();
2350 			if (ptsid != 0) {
2351 				rc = avc_has_perm(ptsid, new_tsec->sid,
2352 						  SECCLASS_PROCESS,
2353 						  PROCESS__PTRACE, NULL);
2354 				if (rc)
2355 					return -EPERM;
2356 			}
2357 		}
2358 
2359 		/* Clear any possibly unsafe personality bits on exec: */
2360 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2361 
2362 		/* Enable secure mode for SIDs transitions unless
2363 		   the noatsecure permission is granted between
2364 		   the two SIDs, i.e. ahp returns 0. */
2365 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2366 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2367 				  NULL);
2368 		bprm->secureexec |= !!rc;
2369 	}
2370 
2371 	return 0;
2372 }
2373 
2374 static int match_file(const void *p, struct file *file, unsigned fd)
2375 {
2376 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2377 }
2378 
2379 /* Derived from fs/exec.c:flush_old_files. */
2380 static inline void flush_unauthorized_files(const struct cred *cred,
2381 					    struct files_struct *files)
2382 {
2383 	struct file *file, *devnull = NULL;
2384 	struct tty_struct *tty;
2385 	int drop_tty = 0;
2386 	unsigned n;
2387 
2388 	tty = get_current_tty();
2389 	if (tty) {
2390 		spin_lock(&tty->files_lock);
2391 		if (!list_empty(&tty->tty_files)) {
2392 			struct tty_file_private *file_priv;
2393 
2394 			/* Revalidate access to controlling tty.
2395 			   Use file_path_has_perm on the tty path directly
2396 			   rather than using file_has_perm, as this particular
2397 			   open file may belong to another process and we are
2398 			   only interested in the inode-based check here. */
2399 			file_priv = list_first_entry(&tty->tty_files,
2400 						struct tty_file_private, list);
2401 			file = file_priv->file;
2402 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2403 				drop_tty = 1;
2404 		}
2405 		spin_unlock(&tty->files_lock);
2406 		tty_kref_put(tty);
2407 	}
2408 	/* Reset controlling tty. */
2409 	if (drop_tty)
2410 		no_tty();
2411 
2412 	/* Revalidate access to inherited open files. */
2413 	n = iterate_fd(files, 0, match_file, cred);
2414 	if (!n) /* none found? */
2415 		return;
2416 
2417 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2418 	if (IS_ERR(devnull))
2419 		devnull = NULL;
2420 	/* replace all the matching ones with this */
2421 	do {
2422 		replace_fd(n - 1, devnull, 0);
2423 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2424 	if (devnull)
2425 		fput(devnull);
2426 }
2427 
2428 /*
2429  * Prepare a process for imminent new credential changes due to exec
2430  */
2431 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2432 {
2433 	struct task_security_struct *new_tsec;
2434 	struct rlimit *rlim, *initrlim;
2435 	int rc, i;
2436 
2437 	new_tsec = selinux_cred(bprm->cred);
2438 	if (new_tsec->sid == new_tsec->osid)
2439 		return;
2440 
2441 	/* Close files for which the new task SID is not authorized. */
2442 	flush_unauthorized_files(bprm->cred, current->files);
2443 
2444 	/* Always clear parent death signal on SID transitions. */
2445 	current->pdeath_signal = 0;
2446 
2447 	/* Check whether the new SID can inherit resource limits from the old
2448 	 * SID.  If not, reset all soft limits to the lower of the current
2449 	 * task's hard limit and the init task's soft limit.
2450 	 *
2451 	 * Note that the setting of hard limits (even to lower them) can be
2452 	 * controlled by the setrlimit check.  The inclusion of the init task's
2453 	 * soft limit into the computation is to avoid resetting soft limits
2454 	 * higher than the default soft limit for cases where the default is
2455 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2456 	 */
2457 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2458 			  PROCESS__RLIMITINH, NULL);
2459 	if (rc) {
2460 		/* protect against do_prlimit() */
2461 		task_lock(current);
2462 		for (i = 0; i < RLIM_NLIMITS; i++) {
2463 			rlim = current->signal->rlim + i;
2464 			initrlim = init_task.signal->rlim + i;
2465 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2466 		}
2467 		task_unlock(current);
2468 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2469 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2470 	}
2471 }
2472 
2473 /*
2474  * Clean up the process immediately after the installation of new credentials
2475  * due to exec
2476  */
2477 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2478 {
2479 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2480 	u32 osid, sid;
2481 	int rc;
2482 
2483 	osid = tsec->osid;
2484 	sid = tsec->sid;
2485 
2486 	if (sid == osid)
2487 		return;
2488 
2489 	/* Check whether the new SID can inherit signal state from the old SID.
2490 	 * If not, clear itimers to avoid subsequent signal generation and
2491 	 * flush and unblock signals.
2492 	 *
2493 	 * This must occur _after_ the task SID has been updated so that any
2494 	 * kill done after the flush will be checked against the new SID.
2495 	 */
2496 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2497 	if (rc) {
2498 		clear_itimer();
2499 
2500 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2501 		if (!fatal_signal_pending(current)) {
2502 			flush_sigqueue(&current->pending);
2503 			flush_sigqueue(&current->signal->shared_pending);
2504 			flush_signal_handlers(current, 1);
2505 			sigemptyset(&current->blocked);
2506 			recalc_sigpending();
2507 		}
2508 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2509 	}
2510 
2511 	/* Wake up the parent if it is waiting so that it can recheck
2512 	 * wait permission to the new task SID. */
2513 	read_lock(&tasklist_lock);
2514 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2515 	read_unlock(&tasklist_lock);
2516 }
2517 
2518 /* superblock security operations */
2519 
2520 static int selinux_sb_alloc_security(struct super_block *sb)
2521 {
2522 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2523 
2524 	mutex_init(&sbsec->lock);
2525 	INIT_LIST_HEAD(&sbsec->isec_head);
2526 	spin_lock_init(&sbsec->isec_lock);
2527 	sbsec->sid = SECINITSID_UNLABELED;
2528 	sbsec->def_sid = SECINITSID_FILE;
2529 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2530 
2531 	return 0;
2532 }
2533 
2534 static inline int opt_len(const char *s)
2535 {
2536 	bool open_quote = false;
2537 	int len;
2538 	char c;
2539 
2540 	for (len = 0; (c = s[len]) != '\0'; len++) {
2541 		if (c == '"')
2542 			open_quote = !open_quote;
2543 		if (c == ',' && !open_quote)
2544 			break;
2545 	}
2546 	return len;
2547 }
2548 
2549 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2550 {
2551 	char *from = options;
2552 	char *to = options;
2553 	bool first = true;
2554 	int rc;
2555 
2556 	while (1) {
2557 		int len = opt_len(from);
2558 		int token;
2559 		char *arg = NULL;
2560 
2561 		token = match_opt_prefix(from, len, &arg);
2562 
2563 		if (token != Opt_error) {
2564 			char *p, *q;
2565 
2566 			/* strip quotes */
2567 			if (arg) {
2568 				for (p = q = arg; p < from + len; p++) {
2569 					char c = *p;
2570 					if (c != '"')
2571 						*q++ = c;
2572 				}
2573 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2574 				if (!arg) {
2575 					rc = -ENOMEM;
2576 					goto free_opt;
2577 				}
2578 			}
2579 			rc = selinux_add_opt(token, arg, mnt_opts);
2580 			kfree(arg);
2581 			arg = NULL;
2582 			if (unlikely(rc)) {
2583 				goto free_opt;
2584 			}
2585 		} else {
2586 			if (!first) {	// copy with preceding comma
2587 				from--;
2588 				len++;
2589 			}
2590 			if (to != from)
2591 				memmove(to, from, len);
2592 			to += len;
2593 			first = false;
2594 		}
2595 		if (!from[len])
2596 			break;
2597 		from += len + 1;
2598 	}
2599 	*to = '\0';
2600 	return 0;
2601 
2602 free_opt:
2603 	if (*mnt_opts) {
2604 		selinux_free_mnt_opts(*mnt_opts);
2605 		*mnt_opts = NULL;
2606 	}
2607 	return rc;
2608 }
2609 
2610 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2611 {
2612 	struct selinux_mnt_opts *opts = mnt_opts;
2613 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2614 
2615 	/*
2616 	 * Superblock not initialized (i.e. no options) - reject if any
2617 	 * options specified, otherwise accept.
2618 	 */
2619 	if (!(sbsec->flags & SE_SBINITIALIZED))
2620 		return opts ? 1 : 0;
2621 
2622 	/*
2623 	 * Superblock initialized and no options specified - reject if
2624 	 * superblock has any options set, otherwise accept.
2625 	 */
2626 	if (!opts)
2627 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2628 
2629 	if (opts->fscontext_sid) {
2630 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2631 			       opts->fscontext_sid))
2632 			return 1;
2633 	}
2634 	if (opts->context_sid) {
2635 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2636 			       opts->context_sid))
2637 			return 1;
2638 	}
2639 	if (opts->rootcontext_sid) {
2640 		struct inode_security_struct *root_isec;
2641 
2642 		root_isec = backing_inode_security(sb->s_root);
2643 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2644 			       opts->rootcontext_sid))
2645 			return 1;
2646 	}
2647 	if (opts->defcontext_sid) {
2648 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2649 			       opts->defcontext_sid))
2650 			return 1;
2651 	}
2652 	return 0;
2653 }
2654 
2655 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2656 {
2657 	struct selinux_mnt_opts *opts = mnt_opts;
2658 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2659 
2660 	if (!(sbsec->flags & SE_SBINITIALIZED))
2661 		return 0;
2662 
2663 	if (!opts)
2664 		return 0;
2665 
2666 	if (opts->fscontext_sid) {
2667 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2668 			       opts->fscontext_sid))
2669 			goto out_bad_option;
2670 	}
2671 	if (opts->context_sid) {
2672 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2673 			       opts->context_sid))
2674 			goto out_bad_option;
2675 	}
2676 	if (opts->rootcontext_sid) {
2677 		struct inode_security_struct *root_isec;
2678 		root_isec = backing_inode_security(sb->s_root);
2679 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2680 			       opts->rootcontext_sid))
2681 			goto out_bad_option;
2682 	}
2683 	if (opts->defcontext_sid) {
2684 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2685 			       opts->defcontext_sid))
2686 			goto out_bad_option;
2687 	}
2688 	return 0;
2689 
2690 out_bad_option:
2691 	pr_warn("SELinux: unable to change security options "
2692 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2693 	       sb->s_type->name);
2694 	return -EINVAL;
2695 }
2696 
2697 static int selinux_sb_kern_mount(struct super_block *sb)
2698 {
2699 	const struct cred *cred = current_cred();
2700 	struct common_audit_data ad;
2701 
2702 	ad.type = LSM_AUDIT_DATA_DENTRY;
2703 	ad.u.dentry = sb->s_root;
2704 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2705 }
2706 
2707 static int selinux_sb_statfs(struct dentry *dentry)
2708 {
2709 	const struct cred *cred = current_cred();
2710 	struct common_audit_data ad;
2711 
2712 	ad.type = LSM_AUDIT_DATA_DENTRY;
2713 	ad.u.dentry = dentry->d_sb->s_root;
2714 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2715 }
2716 
2717 static int selinux_mount(const char *dev_name,
2718 			 const struct path *path,
2719 			 const char *type,
2720 			 unsigned long flags,
2721 			 void *data)
2722 {
2723 	const struct cred *cred = current_cred();
2724 
2725 	if (flags & MS_REMOUNT)
2726 		return superblock_has_perm(cred, path->dentry->d_sb,
2727 					   FILESYSTEM__REMOUNT, NULL);
2728 	else
2729 		return path_has_perm(cred, path, FILE__MOUNTON);
2730 }
2731 
2732 static int selinux_move_mount(const struct path *from_path,
2733 			      const struct path *to_path)
2734 {
2735 	const struct cred *cred = current_cred();
2736 
2737 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2738 }
2739 
2740 static int selinux_umount(struct vfsmount *mnt, int flags)
2741 {
2742 	const struct cred *cred = current_cred();
2743 
2744 	return superblock_has_perm(cred, mnt->mnt_sb,
2745 				   FILESYSTEM__UNMOUNT, NULL);
2746 }
2747 
2748 static int selinux_fs_context_dup(struct fs_context *fc,
2749 				  struct fs_context *src_fc)
2750 {
2751 	const struct selinux_mnt_opts *src = src_fc->security;
2752 
2753 	if (!src)
2754 		return 0;
2755 
2756 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2757 	return fc->security ? 0 : -ENOMEM;
2758 }
2759 
2760 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2761 	fsparam_string(CONTEXT_STR,	Opt_context),
2762 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2763 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2764 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2765 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2766 	{}
2767 };
2768 
2769 static int selinux_fs_context_parse_param(struct fs_context *fc,
2770 					  struct fs_parameter *param)
2771 {
2772 	struct fs_parse_result result;
2773 	int opt;
2774 
2775 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2776 	if (opt < 0)
2777 		return opt;
2778 
2779 	return selinux_add_opt(opt, param->string, &fc->security);
2780 }
2781 
2782 /* inode security operations */
2783 
2784 static int selinux_inode_alloc_security(struct inode *inode)
2785 {
2786 	struct inode_security_struct *isec = selinux_inode(inode);
2787 	u32 sid = current_sid();
2788 
2789 	spin_lock_init(&isec->lock);
2790 	INIT_LIST_HEAD(&isec->list);
2791 	isec->inode = inode;
2792 	isec->sid = SECINITSID_UNLABELED;
2793 	isec->sclass = SECCLASS_FILE;
2794 	isec->task_sid = sid;
2795 	isec->initialized = LABEL_INVALID;
2796 
2797 	return 0;
2798 }
2799 
2800 static void selinux_inode_free_security(struct inode *inode)
2801 {
2802 	inode_free_security(inode);
2803 }
2804 
2805 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2806 					const struct qstr *name,
2807 					const char **xattr_name, void **ctx,
2808 					u32 *ctxlen)
2809 {
2810 	u32 newsid;
2811 	int rc;
2812 
2813 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2814 					   d_inode(dentry->d_parent), name,
2815 					   inode_mode_to_security_class(mode),
2816 					   &newsid);
2817 	if (rc)
2818 		return rc;
2819 
2820 	if (xattr_name)
2821 		*xattr_name = XATTR_NAME_SELINUX;
2822 
2823 	return security_sid_to_context(newsid, (char **)ctx,
2824 				       ctxlen);
2825 }
2826 
2827 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2828 					  struct qstr *name,
2829 					  const struct cred *old,
2830 					  struct cred *new)
2831 {
2832 	u32 newsid;
2833 	int rc;
2834 	struct task_security_struct *tsec;
2835 
2836 	rc = selinux_determine_inode_label(selinux_cred(old),
2837 					   d_inode(dentry->d_parent), name,
2838 					   inode_mode_to_security_class(mode),
2839 					   &newsid);
2840 	if (rc)
2841 		return rc;
2842 
2843 	tsec = selinux_cred(new);
2844 	tsec->create_sid = newsid;
2845 	return 0;
2846 }
2847 
2848 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2849 				       const struct qstr *qstr,
2850 				       const char **name,
2851 				       void **value, size_t *len)
2852 {
2853 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2854 	struct superblock_security_struct *sbsec;
2855 	u32 newsid, clen;
2856 	int rc;
2857 	char *context;
2858 
2859 	sbsec = selinux_superblock(dir->i_sb);
2860 
2861 	newsid = tsec->create_sid;
2862 
2863 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2864 		inode_mode_to_security_class(inode->i_mode),
2865 		&newsid);
2866 	if (rc)
2867 		return rc;
2868 
2869 	/* Possibly defer initialization to selinux_complete_init. */
2870 	if (sbsec->flags & SE_SBINITIALIZED) {
2871 		struct inode_security_struct *isec = selinux_inode(inode);
2872 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2873 		isec->sid = newsid;
2874 		isec->initialized = LABEL_INITIALIZED;
2875 	}
2876 
2877 	if (!selinux_initialized() ||
2878 	    !(sbsec->flags & SBLABEL_MNT))
2879 		return -EOPNOTSUPP;
2880 
2881 	if (name)
2882 		*name = XATTR_SELINUX_SUFFIX;
2883 
2884 	if (value && len) {
2885 		rc = security_sid_to_context_force(newsid,
2886 						   &context, &clen);
2887 		if (rc)
2888 			return rc;
2889 		*value = context;
2890 		*len = clen;
2891 	}
2892 
2893 	return 0;
2894 }
2895 
2896 static int selinux_inode_init_security_anon(struct inode *inode,
2897 					    const struct qstr *name,
2898 					    const struct inode *context_inode)
2899 {
2900 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2901 	struct common_audit_data ad;
2902 	struct inode_security_struct *isec;
2903 	int rc;
2904 
2905 	if (unlikely(!selinux_initialized()))
2906 		return 0;
2907 
2908 	isec = selinux_inode(inode);
2909 
2910 	/*
2911 	 * We only get here once per ephemeral inode.  The inode has
2912 	 * been initialized via inode_alloc_security but is otherwise
2913 	 * untouched.
2914 	 */
2915 
2916 	if (context_inode) {
2917 		struct inode_security_struct *context_isec =
2918 			selinux_inode(context_inode);
2919 		if (context_isec->initialized != LABEL_INITIALIZED) {
2920 			pr_err("SELinux:  context_inode is not initialized");
2921 			return -EACCES;
2922 		}
2923 
2924 		isec->sclass = context_isec->sclass;
2925 		isec->sid = context_isec->sid;
2926 	} else {
2927 		isec->sclass = SECCLASS_ANON_INODE;
2928 		rc = security_transition_sid(
2929 			tsec->sid, tsec->sid,
2930 			isec->sclass, name, &isec->sid);
2931 		if (rc)
2932 			return rc;
2933 	}
2934 
2935 	isec->initialized = LABEL_INITIALIZED;
2936 	/*
2937 	 * Now that we've initialized security, check whether we're
2938 	 * allowed to actually create this type of anonymous inode.
2939 	 */
2940 
2941 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2942 	ad.u.anonclass = name ? (const char *)name->name : "?";
2943 
2944 	return avc_has_perm(tsec->sid,
2945 			    isec->sid,
2946 			    isec->sclass,
2947 			    FILE__CREATE,
2948 			    &ad);
2949 }
2950 
2951 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2952 {
2953 	return may_create(dir, dentry, SECCLASS_FILE);
2954 }
2955 
2956 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2957 {
2958 	return may_link(dir, old_dentry, MAY_LINK);
2959 }
2960 
2961 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2962 {
2963 	return may_link(dir, dentry, MAY_UNLINK);
2964 }
2965 
2966 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2967 {
2968 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2969 }
2970 
2971 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2972 {
2973 	return may_create(dir, dentry, SECCLASS_DIR);
2974 }
2975 
2976 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2977 {
2978 	return may_link(dir, dentry, MAY_RMDIR);
2979 }
2980 
2981 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2982 {
2983 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2984 }
2985 
2986 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2987 				struct inode *new_inode, struct dentry *new_dentry)
2988 {
2989 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2990 }
2991 
2992 static int selinux_inode_readlink(struct dentry *dentry)
2993 {
2994 	const struct cred *cred = current_cred();
2995 
2996 	return dentry_has_perm(cred, dentry, FILE__READ);
2997 }
2998 
2999 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3000 				     bool rcu)
3001 {
3002 	const struct cred *cred = current_cred();
3003 	struct common_audit_data ad;
3004 	struct inode_security_struct *isec;
3005 	u32 sid;
3006 
3007 	validate_creds(cred);
3008 
3009 	ad.type = LSM_AUDIT_DATA_DENTRY;
3010 	ad.u.dentry = dentry;
3011 	sid = cred_sid(cred);
3012 	isec = inode_security_rcu(inode, rcu);
3013 	if (IS_ERR(isec))
3014 		return PTR_ERR(isec);
3015 
3016 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3017 }
3018 
3019 static noinline int audit_inode_permission(struct inode *inode,
3020 					   u32 perms, u32 audited, u32 denied,
3021 					   int result)
3022 {
3023 	struct common_audit_data ad;
3024 	struct inode_security_struct *isec = selinux_inode(inode);
3025 
3026 	ad.type = LSM_AUDIT_DATA_INODE;
3027 	ad.u.inode = inode;
3028 
3029 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3030 			    audited, denied, result, &ad);
3031 }
3032 
3033 static int selinux_inode_permission(struct inode *inode, int mask)
3034 {
3035 	const struct cred *cred = current_cred();
3036 	u32 perms;
3037 	bool from_access;
3038 	bool no_block = mask & MAY_NOT_BLOCK;
3039 	struct inode_security_struct *isec;
3040 	u32 sid;
3041 	struct av_decision avd;
3042 	int rc, rc2;
3043 	u32 audited, denied;
3044 
3045 	from_access = mask & MAY_ACCESS;
3046 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3047 
3048 	/* No permission to check.  Existence test. */
3049 	if (!mask)
3050 		return 0;
3051 
3052 	validate_creds(cred);
3053 
3054 	if (unlikely(IS_PRIVATE(inode)))
3055 		return 0;
3056 
3057 	perms = file_mask_to_av(inode->i_mode, mask);
3058 
3059 	sid = cred_sid(cred);
3060 	isec = inode_security_rcu(inode, no_block);
3061 	if (IS_ERR(isec))
3062 		return PTR_ERR(isec);
3063 
3064 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3065 				  &avd);
3066 	audited = avc_audit_required(perms, &avd, rc,
3067 				     from_access ? FILE__AUDIT_ACCESS : 0,
3068 				     &denied);
3069 	if (likely(!audited))
3070 		return rc;
3071 
3072 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3073 	if (rc2)
3074 		return rc2;
3075 	return rc;
3076 }
3077 
3078 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3079 {
3080 	const struct cred *cred = current_cred();
3081 	struct inode *inode = d_backing_inode(dentry);
3082 	unsigned int ia_valid = iattr->ia_valid;
3083 	__u32 av = FILE__WRITE;
3084 
3085 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3086 	if (ia_valid & ATTR_FORCE) {
3087 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3088 			      ATTR_FORCE);
3089 		if (!ia_valid)
3090 			return 0;
3091 	}
3092 
3093 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3094 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3095 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3096 
3097 	if (selinux_policycap_openperm() &&
3098 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3099 	    (ia_valid & ATTR_SIZE) &&
3100 	    !(ia_valid & ATTR_FILE))
3101 		av |= FILE__OPEN;
3102 
3103 	return dentry_has_perm(cred, dentry, av);
3104 }
3105 
3106 static int selinux_inode_getattr(const struct path *path)
3107 {
3108 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3109 }
3110 
3111 static bool has_cap_mac_admin(bool audit)
3112 {
3113 	const struct cred *cred = current_cred();
3114 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3115 
3116 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3117 		return false;
3118 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3119 		return false;
3120 	return true;
3121 }
3122 
3123 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3124 				  struct dentry *dentry, const char *name,
3125 				  const void *value, size_t size, int flags)
3126 {
3127 	struct inode *inode = d_backing_inode(dentry);
3128 	struct inode_security_struct *isec;
3129 	struct superblock_security_struct *sbsec;
3130 	struct common_audit_data ad;
3131 	u32 newsid, sid = current_sid();
3132 	int rc = 0;
3133 
3134 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3135 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3136 		if (rc)
3137 			return rc;
3138 
3139 		/* Not an attribute we recognize, so just check the
3140 		   ordinary setattr permission. */
3141 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3142 	}
3143 
3144 	if (!selinux_initialized())
3145 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3146 
3147 	sbsec = selinux_superblock(inode->i_sb);
3148 	if (!(sbsec->flags & SBLABEL_MNT))
3149 		return -EOPNOTSUPP;
3150 
3151 	if (!inode_owner_or_capable(idmap, inode))
3152 		return -EPERM;
3153 
3154 	ad.type = LSM_AUDIT_DATA_DENTRY;
3155 	ad.u.dentry = dentry;
3156 
3157 	isec = backing_inode_security(dentry);
3158 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3159 			  FILE__RELABELFROM, &ad);
3160 	if (rc)
3161 		return rc;
3162 
3163 	rc = security_context_to_sid(value, size, &newsid,
3164 				     GFP_KERNEL);
3165 	if (rc == -EINVAL) {
3166 		if (!has_cap_mac_admin(true)) {
3167 			struct audit_buffer *ab;
3168 			size_t audit_size;
3169 
3170 			/* We strip a nul only if it is at the end, otherwise the
3171 			 * context contains a nul and we should audit that */
3172 			if (value) {
3173 				const char *str = value;
3174 
3175 				if (str[size - 1] == '\0')
3176 					audit_size = size - 1;
3177 				else
3178 					audit_size = size;
3179 			} else {
3180 				audit_size = 0;
3181 			}
3182 			ab = audit_log_start(audit_context(),
3183 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3184 			if (!ab)
3185 				return rc;
3186 			audit_log_format(ab, "op=setxattr invalid_context=");
3187 			audit_log_n_untrustedstring(ab, value, audit_size);
3188 			audit_log_end(ab);
3189 
3190 			return rc;
3191 		}
3192 		rc = security_context_to_sid_force(value,
3193 						   size, &newsid);
3194 	}
3195 	if (rc)
3196 		return rc;
3197 
3198 	rc = avc_has_perm(sid, newsid, isec->sclass,
3199 			  FILE__RELABELTO, &ad);
3200 	if (rc)
3201 		return rc;
3202 
3203 	rc = security_validate_transition(isec->sid, newsid,
3204 					  sid, isec->sclass);
3205 	if (rc)
3206 		return rc;
3207 
3208 	return avc_has_perm(newsid,
3209 			    sbsec->sid,
3210 			    SECCLASS_FILESYSTEM,
3211 			    FILESYSTEM__ASSOCIATE,
3212 			    &ad);
3213 }
3214 
3215 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3216 				 struct dentry *dentry, const char *acl_name,
3217 				 struct posix_acl *kacl)
3218 {
3219 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3220 }
3221 
3222 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3223 				 struct dentry *dentry, const char *acl_name)
3224 {
3225 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3226 }
3227 
3228 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3229 				    struct dentry *dentry, const char *acl_name)
3230 {
3231 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3232 }
3233 
3234 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3235 					const void *value, size_t size,
3236 					int flags)
3237 {
3238 	struct inode *inode = d_backing_inode(dentry);
3239 	struct inode_security_struct *isec;
3240 	u32 newsid;
3241 	int rc;
3242 
3243 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3244 		/* Not an attribute we recognize, so nothing to do. */
3245 		return;
3246 	}
3247 
3248 	if (!selinux_initialized()) {
3249 		/* If we haven't even been initialized, then we can't validate
3250 		 * against a policy, so leave the label as invalid. It may
3251 		 * resolve to a valid label on the next revalidation try if
3252 		 * we've since initialized.
3253 		 */
3254 		return;
3255 	}
3256 
3257 	rc = security_context_to_sid_force(value, size,
3258 					   &newsid);
3259 	if (rc) {
3260 		pr_err("SELinux:  unable to map context to SID"
3261 		       "for (%s, %lu), rc=%d\n",
3262 		       inode->i_sb->s_id, inode->i_ino, -rc);
3263 		return;
3264 	}
3265 
3266 	isec = backing_inode_security(dentry);
3267 	spin_lock(&isec->lock);
3268 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3269 	isec->sid = newsid;
3270 	isec->initialized = LABEL_INITIALIZED;
3271 	spin_unlock(&isec->lock);
3272 }
3273 
3274 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3275 {
3276 	const struct cred *cred = current_cred();
3277 
3278 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3279 }
3280 
3281 static int selinux_inode_listxattr(struct dentry *dentry)
3282 {
3283 	const struct cred *cred = current_cred();
3284 
3285 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3286 }
3287 
3288 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3289 				     struct dentry *dentry, const char *name)
3290 {
3291 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3292 		int rc = cap_inode_removexattr(idmap, dentry, name);
3293 		if (rc)
3294 			return rc;
3295 
3296 		/* Not an attribute we recognize, so just check the
3297 		   ordinary setattr permission. */
3298 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3299 	}
3300 
3301 	if (!selinux_initialized())
3302 		return 0;
3303 
3304 	/* No one is allowed to remove a SELinux security label.
3305 	   You can change the label, but all data must be labeled. */
3306 	return -EACCES;
3307 }
3308 
3309 static int selinux_path_notify(const struct path *path, u64 mask,
3310 						unsigned int obj_type)
3311 {
3312 	int ret;
3313 	u32 perm;
3314 
3315 	struct common_audit_data ad;
3316 
3317 	ad.type = LSM_AUDIT_DATA_PATH;
3318 	ad.u.path = *path;
3319 
3320 	/*
3321 	 * Set permission needed based on the type of mark being set.
3322 	 * Performs an additional check for sb watches.
3323 	 */
3324 	switch (obj_type) {
3325 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3326 		perm = FILE__WATCH_MOUNT;
3327 		break;
3328 	case FSNOTIFY_OBJ_TYPE_SB:
3329 		perm = FILE__WATCH_SB;
3330 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3331 						FILESYSTEM__WATCH, &ad);
3332 		if (ret)
3333 			return ret;
3334 		break;
3335 	case FSNOTIFY_OBJ_TYPE_INODE:
3336 		perm = FILE__WATCH;
3337 		break;
3338 	default:
3339 		return -EINVAL;
3340 	}
3341 
3342 	/* blocking watches require the file:watch_with_perm permission */
3343 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3344 		perm |= FILE__WATCH_WITH_PERM;
3345 
3346 	/* watches on read-like events need the file:watch_reads permission */
3347 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3348 		perm |= FILE__WATCH_READS;
3349 
3350 	return path_has_perm(current_cred(), path, perm);
3351 }
3352 
3353 /*
3354  * Copy the inode security context value to the user.
3355  *
3356  * Permission check is handled by selinux_inode_getxattr hook.
3357  */
3358 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3359 				     struct inode *inode, const char *name,
3360 				     void **buffer, bool alloc)
3361 {
3362 	u32 size;
3363 	int error;
3364 	char *context = NULL;
3365 	struct inode_security_struct *isec;
3366 
3367 	/*
3368 	 * If we're not initialized yet, then we can't validate contexts, so
3369 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3370 	 */
3371 	if (!selinux_initialized() ||
3372 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3373 		return -EOPNOTSUPP;
3374 
3375 	/*
3376 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3377 	 * value even if it is not defined by current policy; otherwise,
3378 	 * use the in-core value under current policy.
3379 	 * Use the non-auditing forms of the permission checks since
3380 	 * getxattr may be called by unprivileged processes commonly
3381 	 * and lack of permission just means that we fall back to the
3382 	 * in-core context value, not a denial.
3383 	 */
3384 	isec = inode_security(inode);
3385 	if (has_cap_mac_admin(false))
3386 		error = security_sid_to_context_force(isec->sid, &context,
3387 						      &size);
3388 	else
3389 		error = security_sid_to_context(isec->sid,
3390 						&context, &size);
3391 	if (error)
3392 		return error;
3393 	error = size;
3394 	if (alloc) {
3395 		*buffer = context;
3396 		goto out_nofree;
3397 	}
3398 	kfree(context);
3399 out_nofree:
3400 	return error;
3401 }
3402 
3403 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3404 				     const void *value, size_t size, int flags)
3405 {
3406 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3407 	struct superblock_security_struct *sbsec;
3408 	u32 newsid;
3409 	int rc;
3410 
3411 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3412 		return -EOPNOTSUPP;
3413 
3414 	sbsec = selinux_superblock(inode->i_sb);
3415 	if (!(sbsec->flags & SBLABEL_MNT))
3416 		return -EOPNOTSUPP;
3417 
3418 	if (!value || !size)
3419 		return -EACCES;
3420 
3421 	rc = security_context_to_sid(value, size, &newsid,
3422 				     GFP_KERNEL);
3423 	if (rc)
3424 		return rc;
3425 
3426 	spin_lock(&isec->lock);
3427 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3428 	isec->sid = newsid;
3429 	isec->initialized = LABEL_INITIALIZED;
3430 	spin_unlock(&isec->lock);
3431 	return 0;
3432 }
3433 
3434 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3435 {
3436 	const int len = sizeof(XATTR_NAME_SELINUX);
3437 
3438 	if (!selinux_initialized())
3439 		return 0;
3440 
3441 	if (buffer && len <= buffer_size)
3442 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3443 	return len;
3444 }
3445 
3446 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3447 {
3448 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3449 	*secid = isec->sid;
3450 }
3451 
3452 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3453 {
3454 	u32 sid;
3455 	struct task_security_struct *tsec;
3456 	struct cred *new_creds = *new;
3457 
3458 	if (new_creds == NULL) {
3459 		new_creds = prepare_creds();
3460 		if (!new_creds)
3461 			return -ENOMEM;
3462 	}
3463 
3464 	tsec = selinux_cred(new_creds);
3465 	/* Get label from overlay inode and set it in create_sid */
3466 	selinux_inode_getsecid(d_inode(src), &sid);
3467 	tsec->create_sid = sid;
3468 	*new = new_creds;
3469 	return 0;
3470 }
3471 
3472 static int selinux_inode_copy_up_xattr(const char *name)
3473 {
3474 	/* The copy_up hook above sets the initial context on an inode, but we
3475 	 * don't then want to overwrite it by blindly copying all the lower
3476 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3477 	 */
3478 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3479 		return 1; /* Discard */
3480 	/*
3481 	 * Any other attribute apart from SELINUX is not claimed, supported
3482 	 * by selinux.
3483 	 */
3484 	return -EOPNOTSUPP;
3485 }
3486 
3487 /* kernfs node operations */
3488 
3489 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3490 					struct kernfs_node *kn)
3491 {
3492 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3493 	u32 parent_sid, newsid, clen;
3494 	int rc;
3495 	char *context;
3496 
3497 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3498 	if (rc == -ENODATA)
3499 		return 0;
3500 	else if (rc < 0)
3501 		return rc;
3502 
3503 	clen = (u32)rc;
3504 	context = kmalloc(clen, GFP_KERNEL);
3505 	if (!context)
3506 		return -ENOMEM;
3507 
3508 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3509 	if (rc < 0) {
3510 		kfree(context);
3511 		return rc;
3512 	}
3513 
3514 	rc = security_context_to_sid(context, clen, &parent_sid,
3515 				     GFP_KERNEL);
3516 	kfree(context);
3517 	if (rc)
3518 		return rc;
3519 
3520 	if (tsec->create_sid) {
3521 		newsid = tsec->create_sid;
3522 	} else {
3523 		u16 secclass = inode_mode_to_security_class(kn->mode);
3524 		struct qstr q;
3525 
3526 		q.name = kn->name;
3527 		q.hash_len = hashlen_string(kn_dir, kn->name);
3528 
3529 		rc = security_transition_sid(tsec->sid,
3530 					     parent_sid, secclass, &q,
3531 					     &newsid);
3532 		if (rc)
3533 			return rc;
3534 	}
3535 
3536 	rc = security_sid_to_context_force(newsid,
3537 					   &context, &clen);
3538 	if (rc)
3539 		return rc;
3540 
3541 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3542 			      XATTR_CREATE);
3543 	kfree(context);
3544 	return rc;
3545 }
3546 
3547 
3548 /* file security operations */
3549 
3550 static int selinux_revalidate_file_permission(struct file *file, int mask)
3551 {
3552 	const struct cred *cred = current_cred();
3553 	struct inode *inode = file_inode(file);
3554 
3555 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3556 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3557 		mask |= MAY_APPEND;
3558 
3559 	return file_has_perm(cred, file,
3560 			     file_mask_to_av(inode->i_mode, mask));
3561 }
3562 
3563 static int selinux_file_permission(struct file *file, int mask)
3564 {
3565 	struct inode *inode = file_inode(file);
3566 	struct file_security_struct *fsec = selinux_file(file);
3567 	struct inode_security_struct *isec;
3568 	u32 sid = current_sid();
3569 
3570 	if (!mask)
3571 		/* No permission to check.  Existence test. */
3572 		return 0;
3573 
3574 	isec = inode_security(inode);
3575 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3576 	    fsec->pseqno == avc_policy_seqno())
3577 		/* No change since file_open check. */
3578 		return 0;
3579 
3580 	return selinux_revalidate_file_permission(file, mask);
3581 }
3582 
3583 static int selinux_file_alloc_security(struct file *file)
3584 {
3585 	struct file_security_struct *fsec = selinux_file(file);
3586 	u32 sid = current_sid();
3587 
3588 	fsec->sid = sid;
3589 	fsec->fown_sid = sid;
3590 
3591 	return 0;
3592 }
3593 
3594 /*
3595  * Check whether a task has the ioctl permission and cmd
3596  * operation to an inode.
3597  */
3598 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3599 		u32 requested, u16 cmd)
3600 {
3601 	struct common_audit_data ad;
3602 	struct file_security_struct *fsec = selinux_file(file);
3603 	struct inode *inode = file_inode(file);
3604 	struct inode_security_struct *isec;
3605 	struct lsm_ioctlop_audit ioctl;
3606 	u32 ssid = cred_sid(cred);
3607 	int rc;
3608 	u8 driver = cmd >> 8;
3609 	u8 xperm = cmd & 0xff;
3610 
3611 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3612 	ad.u.op = &ioctl;
3613 	ad.u.op->cmd = cmd;
3614 	ad.u.op->path = file->f_path;
3615 
3616 	if (ssid != fsec->sid) {
3617 		rc = avc_has_perm(ssid, fsec->sid,
3618 				SECCLASS_FD,
3619 				FD__USE,
3620 				&ad);
3621 		if (rc)
3622 			goto out;
3623 	}
3624 
3625 	if (unlikely(IS_PRIVATE(inode)))
3626 		return 0;
3627 
3628 	isec = inode_security(inode);
3629 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3630 				    requested, driver, xperm, &ad);
3631 out:
3632 	return rc;
3633 }
3634 
3635 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3636 			      unsigned long arg)
3637 {
3638 	const struct cred *cred = current_cred();
3639 	int error = 0;
3640 
3641 	switch (cmd) {
3642 	case FIONREAD:
3643 	case FIBMAP:
3644 	case FIGETBSZ:
3645 	case FS_IOC_GETFLAGS:
3646 	case FS_IOC_GETVERSION:
3647 		error = file_has_perm(cred, file, FILE__GETATTR);
3648 		break;
3649 
3650 	case FS_IOC_SETFLAGS:
3651 	case FS_IOC_SETVERSION:
3652 		error = file_has_perm(cred, file, FILE__SETATTR);
3653 		break;
3654 
3655 	/* sys_ioctl() checks */
3656 	case FIONBIO:
3657 	case FIOASYNC:
3658 		error = file_has_perm(cred, file, 0);
3659 		break;
3660 
3661 	case KDSKBENT:
3662 	case KDSKBSENT:
3663 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3664 					    CAP_OPT_NONE, true);
3665 		break;
3666 
3667 	case FIOCLEX:
3668 	case FIONCLEX:
3669 		if (!selinux_policycap_ioctl_skip_cloexec())
3670 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3671 		break;
3672 
3673 	/* default case assumes that the command will go
3674 	 * to the file's ioctl() function.
3675 	 */
3676 	default:
3677 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3678 	}
3679 	return error;
3680 }
3681 
3682 static int default_noexec __ro_after_init;
3683 
3684 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3685 {
3686 	const struct cred *cred = current_cred();
3687 	u32 sid = cred_sid(cred);
3688 	int rc = 0;
3689 
3690 	if (default_noexec &&
3691 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3692 				   (!shared && (prot & PROT_WRITE)))) {
3693 		/*
3694 		 * We are making executable an anonymous mapping or a
3695 		 * private file mapping that will also be writable.
3696 		 * This has an additional check.
3697 		 */
3698 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3699 				  PROCESS__EXECMEM, NULL);
3700 		if (rc)
3701 			goto error;
3702 	}
3703 
3704 	if (file) {
3705 		/* read access is always possible with a mapping */
3706 		u32 av = FILE__READ;
3707 
3708 		/* write access only matters if the mapping is shared */
3709 		if (shared && (prot & PROT_WRITE))
3710 			av |= FILE__WRITE;
3711 
3712 		if (prot & PROT_EXEC)
3713 			av |= FILE__EXECUTE;
3714 
3715 		return file_has_perm(cred, file, av);
3716 	}
3717 
3718 error:
3719 	return rc;
3720 }
3721 
3722 static int selinux_mmap_addr(unsigned long addr)
3723 {
3724 	int rc = 0;
3725 
3726 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3727 		u32 sid = current_sid();
3728 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3729 				  MEMPROTECT__MMAP_ZERO, NULL);
3730 	}
3731 
3732 	return rc;
3733 }
3734 
3735 static int selinux_mmap_file(struct file *file,
3736 			     unsigned long reqprot __always_unused,
3737 			     unsigned long prot, unsigned long flags)
3738 {
3739 	struct common_audit_data ad;
3740 	int rc;
3741 
3742 	if (file) {
3743 		ad.type = LSM_AUDIT_DATA_FILE;
3744 		ad.u.file = file;
3745 		rc = inode_has_perm(current_cred(), file_inode(file),
3746 				    FILE__MAP, &ad);
3747 		if (rc)
3748 			return rc;
3749 	}
3750 
3751 	return file_map_prot_check(file, prot,
3752 				   (flags & MAP_TYPE) == MAP_SHARED);
3753 }
3754 
3755 static int selinux_file_mprotect(struct vm_area_struct *vma,
3756 				 unsigned long reqprot __always_unused,
3757 				 unsigned long prot)
3758 {
3759 	const struct cred *cred = current_cred();
3760 	u32 sid = cred_sid(cred);
3761 
3762 	if (default_noexec &&
3763 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3764 		int rc = 0;
3765 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3766 		    vma->vm_end <= vma->vm_mm->brk) {
3767 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3768 					  PROCESS__EXECHEAP, NULL);
3769 		} else if (!vma->vm_file &&
3770 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3771 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3772 			    vma_is_stack_for_current(vma))) {
3773 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3774 					  PROCESS__EXECSTACK, NULL);
3775 		} else if (vma->vm_file && vma->anon_vma) {
3776 			/*
3777 			 * We are making executable a file mapping that has
3778 			 * had some COW done. Since pages might have been
3779 			 * written, check ability to execute the possibly
3780 			 * modified content.  This typically should only
3781 			 * occur for text relocations.
3782 			 */
3783 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3784 		}
3785 		if (rc)
3786 			return rc;
3787 	}
3788 
3789 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3790 }
3791 
3792 static int selinux_file_lock(struct file *file, unsigned int cmd)
3793 {
3794 	const struct cred *cred = current_cred();
3795 
3796 	return file_has_perm(cred, file, FILE__LOCK);
3797 }
3798 
3799 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3800 			      unsigned long arg)
3801 {
3802 	const struct cred *cred = current_cred();
3803 	int err = 0;
3804 
3805 	switch (cmd) {
3806 	case F_SETFL:
3807 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3808 			err = file_has_perm(cred, file, FILE__WRITE);
3809 			break;
3810 		}
3811 		fallthrough;
3812 	case F_SETOWN:
3813 	case F_SETSIG:
3814 	case F_GETFL:
3815 	case F_GETOWN:
3816 	case F_GETSIG:
3817 	case F_GETOWNER_UIDS:
3818 		/* Just check FD__USE permission */
3819 		err = file_has_perm(cred, file, 0);
3820 		break;
3821 	case F_GETLK:
3822 	case F_SETLK:
3823 	case F_SETLKW:
3824 	case F_OFD_GETLK:
3825 	case F_OFD_SETLK:
3826 	case F_OFD_SETLKW:
3827 #if BITS_PER_LONG == 32
3828 	case F_GETLK64:
3829 	case F_SETLK64:
3830 	case F_SETLKW64:
3831 #endif
3832 		err = file_has_perm(cred, file, FILE__LOCK);
3833 		break;
3834 	}
3835 
3836 	return err;
3837 }
3838 
3839 static void selinux_file_set_fowner(struct file *file)
3840 {
3841 	struct file_security_struct *fsec;
3842 
3843 	fsec = selinux_file(file);
3844 	fsec->fown_sid = current_sid();
3845 }
3846 
3847 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3848 				       struct fown_struct *fown, int signum)
3849 {
3850 	struct file *file;
3851 	u32 sid = task_sid_obj(tsk);
3852 	u32 perm;
3853 	struct file_security_struct *fsec;
3854 
3855 	/* struct fown_struct is never outside the context of a struct file */
3856 	file = container_of(fown, struct file, f_owner);
3857 
3858 	fsec = selinux_file(file);
3859 
3860 	if (!signum)
3861 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3862 	else
3863 		perm = signal_to_av(signum);
3864 
3865 	return avc_has_perm(fsec->fown_sid, sid,
3866 			    SECCLASS_PROCESS, perm, NULL);
3867 }
3868 
3869 static int selinux_file_receive(struct file *file)
3870 {
3871 	const struct cred *cred = current_cred();
3872 
3873 	return file_has_perm(cred, file, file_to_av(file));
3874 }
3875 
3876 static int selinux_file_open(struct file *file)
3877 {
3878 	struct file_security_struct *fsec;
3879 	struct inode_security_struct *isec;
3880 
3881 	fsec = selinux_file(file);
3882 	isec = inode_security(file_inode(file));
3883 	/*
3884 	 * Save inode label and policy sequence number
3885 	 * at open-time so that selinux_file_permission
3886 	 * can determine whether revalidation is necessary.
3887 	 * Task label is already saved in the file security
3888 	 * struct as its SID.
3889 	 */
3890 	fsec->isid = isec->sid;
3891 	fsec->pseqno = avc_policy_seqno();
3892 	/*
3893 	 * Since the inode label or policy seqno may have changed
3894 	 * between the selinux_inode_permission check and the saving
3895 	 * of state above, recheck that access is still permitted.
3896 	 * Otherwise, access might never be revalidated against the
3897 	 * new inode label or new policy.
3898 	 * This check is not redundant - do not remove.
3899 	 */
3900 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3901 }
3902 
3903 /* task security operations */
3904 
3905 static int selinux_task_alloc(struct task_struct *task,
3906 			      unsigned long clone_flags)
3907 {
3908 	u32 sid = current_sid();
3909 
3910 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3911 }
3912 
3913 /*
3914  * prepare a new set of credentials for modification
3915  */
3916 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3917 				gfp_t gfp)
3918 {
3919 	const struct task_security_struct *old_tsec = selinux_cred(old);
3920 	struct task_security_struct *tsec = selinux_cred(new);
3921 
3922 	*tsec = *old_tsec;
3923 	return 0;
3924 }
3925 
3926 /*
3927  * transfer the SELinux data to a blank set of creds
3928  */
3929 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3930 {
3931 	const struct task_security_struct *old_tsec = selinux_cred(old);
3932 	struct task_security_struct *tsec = selinux_cred(new);
3933 
3934 	*tsec = *old_tsec;
3935 }
3936 
3937 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3938 {
3939 	*secid = cred_sid(c);
3940 }
3941 
3942 /*
3943  * set the security data for a kernel service
3944  * - all the creation contexts are set to unlabelled
3945  */
3946 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3947 {
3948 	struct task_security_struct *tsec = selinux_cred(new);
3949 	u32 sid = current_sid();
3950 	int ret;
3951 
3952 	ret = avc_has_perm(sid, secid,
3953 			   SECCLASS_KERNEL_SERVICE,
3954 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3955 			   NULL);
3956 	if (ret == 0) {
3957 		tsec->sid = secid;
3958 		tsec->create_sid = 0;
3959 		tsec->keycreate_sid = 0;
3960 		tsec->sockcreate_sid = 0;
3961 	}
3962 	return ret;
3963 }
3964 
3965 /*
3966  * set the file creation context in a security record to the same as the
3967  * objective context of the specified inode
3968  */
3969 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3970 {
3971 	struct inode_security_struct *isec = inode_security(inode);
3972 	struct task_security_struct *tsec = selinux_cred(new);
3973 	u32 sid = current_sid();
3974 	int ret;
3975 
3976 	ret = avc_has_perm(sid, isec->sid,
3977 			   SECCLASS_KERNEL_SERVICE,
3978 			   KERNEL_SERVICE__CREATE_FILES_AS,
3979 			   NULL);
3980 
3981 	if (ret == 0)
3982 		tsec->create_sid = isec->sid;
3983 	return ret;
3984 }
3985 
3986 static int selinux_kernel_module_request(char *kmod_name)
3987 {
3988 	struct common_audit_data ad;
3989 
3990 	ad.type = LSM_AUDIT_DATA_KMOD;
3991 	ad.u.kmod_name = kmod_name;
3992 
3993 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3994 			    SYSTEM__MODULE_REQUEST, &ad);
3995 }
3996 
3997 static int selinux_kernel_module_from_file(struct file *file)
3998 {
3999 	struct common_audit_data ad;
4000 	struct inode_security_struct *isec;
4001 	struct file_security_struct *fsec;
4002 	u32 sid = current_sid();
4003 	int rc;
4004 
4005 	/* init_module */
4006 	if (file == NULL)
4007 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4008 					SYSTEM__MODULE_LOAD, NULL);
4009 
4010 	/* finit_module */
4011 
4012 	ad.type = LSM_AUDIT_DATA_FILE;
4013 	ad.u.file = file;
4014 
4015 	fsec = selinux_file(file);
4016 	if (sid != fsec->sid) {
4017 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4018 		if (rc)
4019 			return rc;
4020 	}
4021 
4022 	isec = inode_security(file_inode(file));
4023 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4024 				SYSTEM__MODULE_LOAD, &ad);
4025 }
4026 
4027 static int selinux_kernel_read_file(struct file *file,
4028 				    enum kernel_read_file_id id,
4029 				    bool contents)
4030 {
4031 	int rc = 0;
4032 
4033 	switch (id) {
4034 	case READING_MODULE:
4035 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4036 		break;
4037 	default:
4038 		break;
4039 	}
4040 
4041 	return rc;
4042 }
4043 
4044 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4045 {
4046 	int rc = 0;
4047 
4048 	switch (id) {
4049 	case LOADING_MODULE:
4050 		rc = selinux_kernel_module_from_file(NULL);
4051 		break;
4052 	default:
4053 		break;
4054 	}
4055 
4056 	return rc;
4057 }
4058 
4059 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4060 {
4061 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4062 			    PROCESS__SETPGID, NULL);
4063 }
4064 
4065 static int selinux_task_getpgid(struct task_struct *p)
4066 {
4067 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4068 			    PROCESS__GETPGID, NULL);
4069 }
4070 
4071 static int selinux_task_getsid(struct task_struct *p)
4072 {
4073 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4074 			    PROCESS__GETSESSION, NULL);
4075 }
4076 
4077 static void selinux_current_getsecid_subj(u32 *secid)
4078 {
4079 	*secid = current_sid();
4080 }
4081 
4082 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4083 {
4084 	*secid = task_sid_obj(p);
4085 }
4086 
4087 static int selinux_task_setnice(struct task_struct *p, int nice)
4088 {
4089 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4090 			    PROCESS__SETSCHED, NULL);
4091 }
4092 
4093 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4094 {
4095 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4096 			    PROCESS__SETSCHED, NULL);
4097 }
4098 
4099 static int selinux_task_getioprio(struct task_struct *p)
4100 {
4101 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4102 			    PROCESS__GETSCHED, NULL);
4103 }
4104 
4105 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4106 				unsigned int flags)
4107 {
4108 	u32 av = 0;
4109 
4110 	if (!flags)
4111 		return 0;
4112 	if (flags & LSM_PRLIMIT_WRITE)
4113 		av |= PROCESS__SETRLIMIT;
4114 	if (flags & LSM_PRLIMIT_READ)
4115 		av |= PROCESS__GETRLIMIT;
4116 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4117 			    SECCLASS_PROCESS, av, NULL);
4118 }
4119 
4120 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4121 		struct rlimit *new_rlim)
4122 {
4123 	struct rlimit *old_rlim = p->signal->rlim + resource;
4124 
4125 	/* Control the ability to change the hard limit (whether
4126 	   lowering or raising it), so that the hard limit can
4127 	   later be used as a safe reset point for the soft limit
4128 	   upon context transitions.  See selinux_bprm_committing_creds. */
4129 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4130 		return avc_has_perm(current_sid(), task_sid_obj(p),
4131 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4132 
4133 	return 0;
4134 }
4135 
4136 static int selinux_task_setscheduler(struct task_struct *p)
4137 {
4138 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4139 			    PROCESS__SETSCHED, NULL);
4140 }
4141 
4142 static int selinux_task_getscheduler(struct task_struct *p)
4143 {
4144 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4145 			    PROCESS__GETSCHED, NULL);
4146 }
4147 
4148 static int selinux_task_movememory(struct task_struct *p)
4149 {
4150 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4151 			    PROCESS__SETSCHED, NULL);
4152 }
4153 
4154 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4155 				int sig, const struct cred *cred)
4156 {
4157 	u32 secid;
4158 	u32 perm;
4159 
4160 	if (!sig)
4161 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4162 	else
4163 		perm = signal_to_av(sig);
4164 	if (!cred)
4165 		secid = current_sid();
4166 	else
4167 		secid = cred_sid(cred);
4168 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4169 }
4170 
4171 static void selinux_task_to_inode(struct task_struct *p,
4172 				  struct inode *inode)
4173 {
4174 	struct inode_security_struct *isec = selinux_inode(inode);
4175 	u32 sid = task_sid_obj(p);
4176 
4177 	spin_lock(&isec->lock);
4178 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4179 	isec->sid = sid;
4180 	isec->initialized = LABEL_INITIALIZED;
4181 	spin_unlock(&isec->lock);
4182 }
4183 
4184 static int selinux_userns_create(const struct cred *cred)
4185 {
4186 	u32 sid = current_sid();
4187 
4188 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4189 			USER_NAMESPACE__CREATE, NULL);
4190 }
4191 
4192 /* Returns error only if unable to parse addresses */
4193 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4194 			struct common_audit_data *ad, u8 *proto)
4195 {
4196 	int offset, ihlen, ret = -EINVAL;
4197 	struct iphdr _iph, *ih;
4198 
4199 	offset = skb_network_offset(skb);
4200 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4201 	if (ih == NULL)
4202 		goto out;
4203 
4204 	ihlen = ih->ihl * 4;
4205 	if (ihlen < sizeof(_iph))
4206 		goto out;
4207 
4208 	ad->u.net->v4info.saddr = ih->saddr;
4209 	ad->u.net->v4info.daddr = ih->daddr;
4210 	ret = 0;
4211 
4212 	if (proto)
4213 		*proto = ih->protocol;
4214 
4215 	switch (ih->protocol) {
4216 	case IPPROTO_TCP: {
4217 		struct tcphdr _tcph, *th;
4218 
4219 		if (ntohs(ih->frag_off) & IP_OFFSET)
4220 			break;
4221 
4222 		offset += ihlen;
4223 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4224 		if (th == NULL)
4225 			break;
4226 
4227 		ad->u.net->sport = th->source;
4228 		ad->u.net->dport = th->dest;
4229 		break;
4230 	}
4231 
4232 	case IPPROTO_UDP: {
4233 		struct udphdr _udph, *uh;
4234 
4235 		if (ntohs(ih->frag_off) & IP_OFFSET)
4236 			break;
4237 
4238 		offset += ihlen;
4239 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4240 		if (uh == NULL)
4241 			break;
4242 
4243 		ad->u.net->sport = uh->source;
4244 		ad->u.net->dport = uh->dest;
4245 		break;
4246 	}
4247 
4248 	case IPPROTO_DCCP: {
4249 		struct dccp_hdr _dccph, *dh;
4250 
4251 		if (ntohs(ih->frag_off) & IP_OFFSET)
4252 			break;
4253 
4254 		offset += ihlen;
4255 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4256 		if (dh == NULL)
4257 			break;
4258 
4259 		ad->u.net->sport = dh->dccph_sport;
4260 		ad->u.net->dport = dh->dccph_dport;
4261 		break;
4262 	}
4263 
4264 #if IS_ENABLED(CONFIG_IP_SCTP)
4265 	case IPPROTO_SCTP: {
4266 		struct sctphdr _sctph, *sh;
4267 
4268 		if (ntohs(ih->frag_off) & IP_OFFSET)
4269 			break;
4270 
4271 		offset += ihlen;
4272 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4273 		if (sh == NULL)
4274 			break;
4275 
4276 		ad->u.net->sport = sh->source;
4277 		ad->u.net->dport = sh->dest;
4278 		break;
4279 	}
4280 #endif
4281 	default:
4282 		break;
4283 	}
4284 out:
4285 	return ret;
4286 }
4287 
4288 #if IS_ENABLED(CONFIG_IPV6)
4289 
4290 /* Returns error only if unable to parse addresses */
4291 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4292 			struct common_audit_data *ad, u8 *proto)
4293 {
4294 	u8 nexthdr;
4295 	int ret = -EINVAL, offset;
4296 	struct ipv6hdr _ipv6h, *ip6;
4297 	__be16 frag_off;
4298 
4299 	offset = skb_network_offset(skb);
4300 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4301 	if (ip6 == NULL)
4302 		goto out;
4303 
4304 	ad->u.net->v6info.saddr = ip6->saddr;
4305 	ad->u.net->v6info.daddr = ip6->daddr;
4306 	ret = 0;
4307 
4308 	nexthdr = ip6->nexthdr;
4309 	offset += sizeof(_ipv6h);
4310 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4311 	if (offset < 0)
4312 		goto out;
4313 
4314 	if (proto)
4315 		*proto = nexthdr;
4316 
4317 	switch (nexthdr) {
4318 	case IPPROTO_TCP: {
4319 		struct tcphdr _tcph, *th;
4320 
4321 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4322 		if (th == NULL)
4323 			break;
4324 
4325 		ad->u.net->sport = th->source;
4326 		ad->u.net->dport = th->dest;
4327 		break;
4328 	}
4329 
4330 	case IPPROTO_UDP: {
4331 		struct udphdr _udph, *uh;
4332 
4333 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4334 		if (uh == NULL)
4335 			break;
4336 
4337 		ad->u.net->sport = uh->source;
4338 		ad->u.net->dport = uh->dest;
4339 		break;
4340 	}
4341 
4342 	case IPPROTO_DCCP: {
4343 		struct dccp_hdr _dccph, *dh;
4344 
4345 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4346 		if (dh == NULL)
4347 			break;
4348 
4349 		ad->u.net->sport = dh->dccph_sport;
4350 		ad->u.net->dport = dh->dccph_dport;
4351 		break;
4352 	}
4353 
4354 #if IS_ENABLED(CONFIG_IP_SCTP)
4355 	case IPPROTO_SCTP: {
4356 		struct sctphdr _sctph, *sh;
4357 
4358 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4359 		if (sh == NULL)
4360 			break;
4361 
4362 		ad->u.net->sport = sh->source;
4363 		ad->u.net->dport = sh->dest;
4364 		break;
4365 	}
4366 #endif
4367 	/* includes fragments */
4368 	default:
4369 		break;
4370 	}
4371 out:
4372 	return ret;
4373 }
4374 
4375 #endif /* IPV6 */
4376 
4377 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4378 			     char **_addrp, int src, u8 *proto)
4379 {
4380 	char *addrp;
4381 	int ret;
4382 
4383 	switch (ad->u.net->family) {
4384 	case PF_INET:
4385 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4386 		if (ret)
4387 			goto parse_error;
4388 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4389 				       &ad->u.net->v4info.daddr);
4390 		goto okay;
4391 
4392 #if IS_ENABLED(CONFIG_IPV6)
4393 	case PF_INET6:
4394 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4395 		if (ret)
4396 			goto parse_error;
4397 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4398 				       &ad->u.net->v6info.daddr);
4399 		goto okay;
4400 #endif	/* IPV6 */
4401 	default:
4402 		addrp = NULL;
4403 		goto okay;
4404 	}
4405 
4406 parse_error:
4407 	pr_warn(
4408 	       "SELinux: failure in selinux_parse_skb(),"
4409 	       " unable to parse packet\n");
4410 	return ret;
4411 
4412 okay:
4413 	if (_addrp)
4414 		*_addrp = addrp;
4415 	return 0;
4416 }
4417 
4418 /**
4419  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4420  * @skb: the packet
4421  * @family: protocol family
4422  * @sid: the packet's peer label SID
4423  *
4424  * Description:
4425  * Check the various different forms of network peer labeling and determine
4426  * the peer label/SID for the packet; most of the magic actually occurs in
4427  * the security server function security_net_peersid_cmp().  The function
4428  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4429  * or -EACCES if @sid is invalid due to inconsistencies with the different
4430  * peer labels.
4431  *
4432  */
4433 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4434 {
4435 	int err;
4436 	u32 xfrm_sid;
4437 	u32 nlbl_sid;
4438 	u32 nlbl_type;
4439 
4440 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4441 	if (unlikely(err))
4442 		return -EACCES;
4443 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4444 	if (unlikely(err))
4445 		return -EACCES;
4446 
4447 	err = security_net_peersid_resolve(nlbl_sid,
4448 					   nlbl_type, xfrm_sid, sid);
4449 	if (unlikely(err)) {
4450 		pr_warn(
4451 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4452 		       " unable to determine packet's peer label\n");
4453 		return -EACCES;
4454 	}
4455 
4456 	return 0;
4457 }
4458 
4459 /**
4460  * selinux_conn_sid - Determine the child socket label for a connection
4461  * @sk_sid: the parent socket's SID
4462  * @skb_sid: the packet's SID
4463  * @conn_sid: the resulting connection SID
4464  *
4465  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4466  * combined with the MLS information from @skb_sid in order to create
4467  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4468  * of @sk_sid.  Returns zero on success, negative values on failure.
4469  *
4470  */
4471 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4472 {
4473 	int err = 0;
4474 
4475 	if (skb_sid != SECSID_NULL)
4476 		err = security_sid_mls_copy(sk_sid, skb_sid,
4477 					    conn_sid);
4478 	else
4479 		*conn_sid = sk_sid;
4480 
4481 	return err;
4482 }
4483 
4484 /* socket security operations */
4485 
4486 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4487 				 u16 secclass, u32 *socksid)
4488 {
4489 	if (tsec->sockcreate_sid > SECSID_NULL) {
4490 		*socksid = tsec->sockcreate_sid;
4491 		return 0;
4492 	}
4493 
4494 	return security_transition_sid(tsec->sid, tsec->sid,
4495 				       secclass, NULL, socksid);
4496 }
4497 
4498 static int sock_has_perm(struct sock *sk, u32 perms)
4499 {
4500 	struct sk_security_struct *sksec = sk->sk_security;
4501 	struct common_audit_data ad;
4502 	struct lsm_network_audit net = {0,};
4503 
4504 	if (sksec->sid == SECINITSID_KERNEL)
4505 		return 0;
4506 
4507 	ad.type = LSM_AUDIT_DATA_NET;
4508 	ad.u.net = &net;
4509 	ad.u.net->sk = sk;
4510 
4511 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4512 			    &ad);
4513 }
4514 
4515 static int selinux_socket_create(int family, int type,
4516 				 int protocol, int kern)
4517 {
4518 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4519 	u32 newsid;
4520 	u16 secclass;
4521 	int rc;
4522 
4523 	if (kern)
4524 		return 0;
4525 
4526 	secclass = socket_type_to_security_class(family, type, protocol);
4527 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4528 	if (rc)
4529 		return rc;
4530 
4531 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4532 }
4533 
4534 static int selinux_socket_post_create(struct socket *sock, int family,
4535 				      int type, int protocol, int kern)
4536 {
4537 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4538 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4539 	struct sk_security_struct *sksec;
4540 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4541 	u32 sid = SECINITSID_KERNEL;
4542 	int err = 0;
4543 
4544 	if (!kern) {
4545 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4546 		if (err)
4547 			return err;
4548 	}
4549 
4550 	isec->sclass = sclass;
4551 	isec->sid = sid;
4552 	isec->initialized = LABEL_INITIALIZED;
4553 
4554 	if (sock->sk) {
4555 		sksec = sock->sk->sk_security;
4556 		sksec->sclass = sclass;
4557 		sksec->sid = sid;
4558 		/* Allows detection of the first association on this socket */
4559 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4560 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4561 
4562 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4563 	}
4564 
4565 	return err;
4566 }
4567 
4568 static int selinux_socket_socketpair(struct socket *socka,
4569 				     struct socket *sockb)
4570 {
4571 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4572 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4573 
4574 	sksec_a->peer_sid = sksec_b->sid;
4575 	sksec_b->peer_sid = sksec_a->sid;
4576 
4577 	return 0;
4578 }
4579 
4580 /* Range of port numbers used to automatically bind.
4581    Need to determine whether we should perform a name_bind
4582    permission check between the socket and the port number. */
4583 
4584 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4585 {
4586 	struct sock *sk = sock->sk;
4587 	struct sk_security_struct *sksec = sk->sk_security;
4588 	u16 family;
4589 	int err;
4590 
4591 	err = sock_has_perm(sk, SOCKET__BIND);
4592 	if (err)
4593 		goto out;
4594 
4595 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4596 	family = sk->sk_family;
4597 	if (family == PF_INET || family == PF_INET6) {
4598 		char *addrp;
4599 		struct common_audit_data ad;
4600 		struct lsm_network_audit net = {0,};
4601 		struct sockaddr_in *addr4 = NULL;
4602 		struct sockaddr_in6 *addr6 = NULL;
4603 		u16 family_sa;
4604 		unsigned short snum;
4605 		u32 sid, node_perm;
4606 
4607 		/*
4608 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4609 		 * that validates multiple binding addresses. Because of this
4610 		 * need to check address->sa_family as it is possible to have
4611 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4612 		 */
4613 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4614 			return -EINVAL;
4615 		family_sa = address->sa_family;
4616 		switch (family_sa) {
4617 		case AF_UNSPEC:
4618 		case AF_INET:
4619 			if (addrlen < sizeof(struct sockaddr_in))
4620 				return -EINVAL;
4621 			addr4 = (struct sockaddr_in *)address;
4622 			if (family_sa == AF_UNSPEC) {
4623 				/* see __inet_bind(), we only want to allow
4624 				 * AF_UNSPEC if the address is INADDR_ANY
4625 				 */
4626 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4627 					goto err_af;
4628 				family_sa = AF_INET;
4629 			}
4630 			snum = ntohs(addr4->sin_port);
4631 			addrp = (char *)&addr4->sin_addr.s_addr;
4632 			break;
4633 		case AF_INET6:
4634 			if (addrlen < SIN6_LEN_RFC2133)
4635 				return -EINVAL;
4636 			addr6 = (struct sockaddr_in6 *)address;
4637 			snum = ntohs(addr6->sin6_port);
4638 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4639 			break;
4640 		default:
4641 			goto err_af;
4642 		}
4643 
4644 		ad.type = LSM_AUDIT_DATA_NET;
4645 		ad.u.net = &net;
4646 		ad.u.net->sport = htons(snum);
4647 		ad.u.net->family = family_sa;
4648 
4649 		if (snum) {
4650 			int low, high;
4651 
4652 			inet_get_local_port_range(sock_net(sk), &low, &high);
4653 
4654 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4655 			    snum < low || snum > high) {
4656 				err = sel_netport_sid(sk->sk_protocol,
4657 						      snum, &sid);
4658 				if (err)
4659 					goto out;
4660 				err = avc_has_perm(sksec->sid, sid,
4661 						   sksec->sclass,
4662 						   SOCKET__NAME_BIND, &ad);
4663 				if (err)
4664 					goto out;
4665 			}
4666 		}
4667 
4668 		switch (sksec->sclass) {
4669 		case SECCLASS_TCP_SOCKET:
4670 			node_perm = TCP_SOCKET__NODE_BIND;
4671 			break;
4672 
4673 		case SECCLASS_UDP_SOCKET:
4674 			node_perm = UDP_SOCKET__NODE_BIND;
4675 			break;
4676 
4677 		case SECCLASS_DCCP_SOCKET:
4678 			node_perm = DCCP_SOCKET__NODE_BIND;
4679 			break;
4680 
4681 		case SECCLASS_SCTP_SOCKET:
4682 			node_perm = SCTP_SOCKET__NODE_BIND;
4683 			break;
4684 
4685 		default:
4686 			node_perm = RAWIP_SOCKET__NODE_BIND;
4687 			break;
4688 		}
4689 
4690 		err = sel_netnode_sid(addrp, family_sa, &sid);
4691 		if (err)
4692 			goto out;
4693 
4694 		if (family_sa == AF_INET)
4695 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4696 		else
4697 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4698 
4699 		err = avc_has_perm(sksec->sid, sid,
4700 				   sksec->sclass, node_perm, &ad);
4701 		if (err)
4702 			goto out;
4703 	}
4704 out:
4705 	return err;
4706 err_af:
4707 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4708 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4709 		return -EINVAL;
4710 	return -EAFNOSUPPORT;
4711 }
4712 
4713 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4714  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4715  */
4716 static int selinux_socket_connect_helper(struct socket *sock,
4717 					 struct sockaddr *address, int addrlen)
4718 {
4719 	struct sock *sk = sock->sk;
4720 	struct sk_security_struct *sksec = sk->sk_security;
4721 	int err;
4722 
4723 	err = sock_has_perm(sk, SOCKET__CONNECT);
4724 	if (err)
4725 		return err;
4726 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4727 		return -EINVAL;
4728 
4729 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4730 	 * way to disconnect the socket
4731 	 */
4732 	if (address->sa_family == AF_UNSPEC)
4733 		return 0;
4734 
4735 	/*
4736 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4737 	 * for the port.
4738 	 */
4739 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4740 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4741 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4742 		struct common_audit_data ad;
4743 		struct lsm_network_audit net = {0,};
4744 		struct sockaddr_in *addr4 = NULL;
4745 		struct sockaddr_in6 *addr6 = NULL;
4746 		unsigned short snum;
4747 		u32 sid, perm;
4748 
4749 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4750 		 * that validates multiple connect addresses. Because of this
4751 		 * need to check address->sa_family as it is possible to have
4752 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4753 		 */
4754 		switch (address->sa_family) {
4755 		case AF_INET:
4756 			addr4 = (struct sockaddr_in *)address;
4757 			if (addrlen < sizeof(struct sockaddr_in))
4758 				return -EINVAL;
4759 			snum = ntohs(addr4->sin_port);
4760 			break;
4761 		case AF_INET6:
4762 			addr6 = (struct sockaddr_in6 *)address;
4763 			if (addrlen < SIN6_LEN_RFC2133)
4764 				return -EINVAL;
4765 			snum = ntohs(addr6->sin6_port);
4766 			break;
4767 		default:
4768 			/* Note that SCTP services expect -EINVAL, whereas
4769 			 * others expect -EAFNOSUPPORT.
4770 			 */
4771 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4772 				return -EINVAL;
4773 			else
4774 				return -EAFNOSUPPORT;
4775 		}
4776 
4777 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4778 		if (err)
4779 			return err;
4780 
4781 		switch (sksec->sclass) {
4782 		case SECCLASS_TCP_SOCKET:
4783 			perm = TCP_SOCKET__NAME_CONNECT;
4784 			break;
4785 		case SECCLASS_DCCP_SOCKET:
4786 			perm = DCCP_SOCKET__NAME_CONNECT;
4787 			break;
4788 		case SECCLASS_SCTP_SOCKET:
4789 			perm = SCTP_SOCKET__NAME_CONNECT;
4790 			break;
4791 		}
4792 
4793 		ad.type = LSM_AUDIT_DATA_NET;
4794 		ad.u.net = &net;
4795 		ad.u.net->dport = htons(snum);
4796 		ad.u.net->family = address->sa_family;
4797 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4798 		if (err)
4799 			return err;
4800 	}
4801 
4802 	return 0;
4803 }
4804 
4805 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4806 static int selinux_socket_connect(struct socket *sock,
4807 				  struct sockaddr *address, int addrlen)
4808 {
4809 	int err;
4810 	struct sock *sk = sock->sk;
4811 
4812 	err = selinux_socket_connect_helper(sock, address, addrlen);
4813 	if (err)
4814 		return err;
4815 
4816 	return selinux_netlbl_socket_connect(sk, address);
4817 }
4818 
4819 static int selinux_socket_listen(struct socket *sock, int backlog)
4820 {
4821 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4822 }
4823 
4824 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4825 {
4826 	int err;
4827 	struct inode_security_struct *isec;
4828 	struct inode_security_struct *newisec;
4829 	u16 sclass;
4830 	u32 sid;
4831 
4832 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4833 	if (err)
4834 		return err;
4835 
4836 	isec = inode_security_novalidate(SOCK_INODE(sock));
4837 	spin_lock(&isec->lock);
4838 	sclass = isec->sclass;
4839 	sid = isec->sid;
4840 	spin_unlock(&isec->lock);
4841 
4842 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4843 	newisec->sclass = sclass;
4844 	newisec->sid = sid;
4845 	newisec->initialized = LABEL_INITIALIZED;
4846 
4847 	return 0;
4848 }
4849 
4850 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4851 				  int size)
4852 {
4853 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4854 }
4855 
4856 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4857 				  int size, int flags)
4858 {
4859 	return sock_has_perm(sock->sk, SOCKET__READ);
4860 }
4861 
4862 static int selinux_socket_getsockname(struct socket *sock)
4863 {
4864 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4865 }
4866 
4867 static int selinux_socket_getpeername(struct socket *sock)
4868 {
4869 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4870 }
4871 
4872 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4873 {
4874 	int err;
4875 
4876 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4877 	if (err)
4878 		return err;
4879 
4880 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4881 }
4882 
4883 static int selinux_socket_getsockopt(struct socket *sock, int level,
4884 				     int optname)
4885 {
4886 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4887 }
4888 
4889 static int selinux_socket_shutdown(struct socket *sock, int how)
4890 {
4891 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4892 }
4893 
4894 static int selinux_socket_unix_stream_connect(struct sock *sock,
4895 					      struct sock *other,
4896 					      struct sock *newsk)
4897 {
4898 	struct sk_security_struct *sksec_sock = sock->sk_security;
4899 	struct sk_security_struct *sksec_other = other->sk_security;
4900 	struct sk_security_struct *sksec_new = newsk->sk_security;
4901 	struct common_audit_data ad;
4902 	struct lsm_network_audit net = {0,};
4903 	int err;
4904 
4905 	ad.type = LSM_AUDIT_DATA_NET;
4906 	ad.u.net = &net;
4907 	ad.u.net->sk = other;
4908 
4909 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4910 			   sksec_other->sclass,
4911 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4912 	if (err)
4913 		return err;
4914 
4915 	/* server child socket */
4916 	sksec_new->peer_sid = sksec_sock->sid;
4917 	err = security_sid_mls_copy(sksec_other->sid,
4918 				    sksec_sock->sid, &sksec_new->sid);
4919 	if (err)
4920 		return err;
4921 
4922 	/* connecting socket */
4923 	sksec_sock->peer_sid = sksec_new->sid;
4924 
4925 	return 0;
4926 }
4927 
4928 static int selinux_socket_unix_may_send(struct socket *sock,
4929 					struct socket *other)
4930 {
4931 	struct sk_security_struct *ssec = sock->sk->sk_security;
4932 	struct sk_security_struct *osec = other->sk->sk_security;
4933 	struct common_audit_data ad;
4934 	struct lsm_network_audit net = {0,};
4935 
4936 	ad.type = LSM_AUDIT_DATA_NET;
4937 	ad.u.net = &net;
4938 	ad.u.net->sk = other->sk;
4939 
4940 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4941 			    &ad);
4942 }
4943 
4944 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4945 				    char *addrp, u16 family, u32 peer_sid,
4946 				    struct common_audit_data *ad)
4947 {
4948 	int err;
4949 	u32 if_sid;
4950 	u32 node_sid;
4951 
4952 	err = sel_netif_sid(ns, ifindex, &if_sid);
4953 	if (err)
4954 		return err;
4955 	err = avc_has_perm(peer_sid, if_sid,
4956 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4957 	if (err)
4958 		return err;
4959 
4960 	err = sel_netnode_sid(addrp, family, &node_sid);
4961 	if (err)
4962 		return err;
4963 	return avc_has_perm(peer_sid, node_sid,
4964 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4965 }
4966 
4967 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4968 				       u16 family)
4969 {
4970 	int err = 0;
4971 	struct sk_security_struct *sksec = sk->sk_security;
4972 	u32 sk_sid = sksec->sid;
4973 	struct common_audit_data ad;
4974 	struct lsm_network_audit net = {0,};
4975 	char *addrp;
4976 
4977 	ad.type = LSM_AUDIT_DATA_NET;
4978 	ad.u.net = &net;
4979 	ad.u.net->netif = skb->skb_iif;
4980 	ad.u.net->family = family;
4981 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4982 	if (err)
4983 		return err;
4984 
4985 	if (selinux_secmark_enabled()) {
4986 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4987 				   PACKET__RECV, &ad);
4988 		if (err)
4989 			return err;
4990 	}
4991 
4992 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4993 	if (err)
4994 		return err;
4995 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4996 
4997 	return err;
4998 }
4999 
5000 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5001 {
5002 	int err;
5003 	struct sk_security_struct *sksec = sk->sk_security;
5004 	u16 family = sk->sk_family;
5005 	u32 sk_sid = sksec->sid;
5006 	struct common_audit_data ad;
5007 	struct lsm_network_audit net = {0,};
5008 	char *addrp;
5009 	u8 secmark_active;
5010 	u8 peerlbl_active;
5011 
5012 	if (family != PF_INET && family != PF_INET6)
5013 		return 0;
5014 
5015 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5016 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5017 		family = PF_INET;
5018 
5019 	/* If any sort of compatibility mode is enabled then handoff processing
5020 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5021 	 * special handling.  We do this in an attempt to keep this function
5022 	 * as fast and as clean as possible. */
5023 	if (!selinux_policycap_netpeer())
5024 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5025 
5026 	secmark_active = selinux_secmark_enabled();
5027 	peerlbl_active = selinux_peerlbl_enabled();
5028 	if (!secmark_active && !peerlbl_active)
5029 		return 0;
5030 
5031 	ad.type = LSM_AUDIT_DATA_NET;
5032 	ad.u.net = &net;
5033 	ad.u.net->netif = skb->skb_iif;
5034 	ad.u.net->family = family;
5035 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5036 	if (err)
5037 		return err;
5038 
5039 	if (peerlbl_active) {
5040 		u32 peer_sid;
5041 
5042 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5043 		if (err)
5044 			return err;
5045 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5046 					       addrp, family, peer_sid, &ad);
5047 		if (err) {
5048 			selinux_netlbl_err(skb, family, err, 0);
5049 			return err;
5050 		}
5051 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5052 				   PEER__RECV, &ad);
5053 		if (err) {
5054 			selinux_netlbl_err(skb, family, err, 0);
5055 			return err;
5056 		}
5057 	}
5058 
5059 	if (secmark_active) {
5060 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5061 				   PACKET__RECV, &ad);
5062 		if (err)
5063 			return err;
5064 	}
5065 
5066 	return err;
5067 }
5068 
5069 static int selinux_socket_getpeersec_stream(struct socket *sock,
5070 					    sockptr_t optval, sockptr_t optlen,
5071 					    unsigned int len)
5072 {
5073 	int err = 0;
5074 	char *scontext = NULL;
5075 	u32 scontext_len;
5076 	struct sk_security_struct *sksec = sock->sk->sk_security;
5077 	u32 peer_sid = SECSID_NULL;
5078 
5079 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5080 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5081 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5082 		peer_sid = sksec->peer_sid;
5083 	if (peer_sid == SECSID_NULL)
5084 		return -ENOPROTOOPT;
5085 
5086 	err = security_sid_to_context(peer_sid, &scontext,
5087 				      &scontext_len);
5088 	if (err)
5089 		return err;
5090 	if (scontext_len > len) {
5091 		err = -ERANGE;
5092 		goto out_len;
5093 	}
5094 
5095 	if (copy_to_sockptr(optval, scontext, scontext_len))
5096 		err = -EFAULT;
5097 out_len:
5098 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5099 		err = -EFAULT;
5100 	kfree(scontext);
5101 	return err;
5102 }
5103 
5104 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5105 {
5106 	u32 peer_secid = SECSID_NULL;
5107 	u16 family;
5108 	struct inode_security_struct *isec;
5109 
5110 	if (skb && skb->protocol == htons(ETH_P_IP))
5111 		family = PF_INET;
5112 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5113 		family = PF_INET6;
5114 	else if (sock)
5115 		family = sock->sk->sk_family;
5116 	else
5117 		goto out;
5118 
5119 	if (sock && family == PF_UNIX) {
5120 		isec = inode_security_novalidate(SOCK_INODE(sock));
5121 		peer_secid = isec->sid;
5122 	} else if (skb)
5123 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5124 
5125 out:
5126 	*secid = peer_secid;
5127 	if (peer_secid == SECSID_NULL)
5128 		return -EINVAL;
5129 	return 0;
5130 }
5131 
5132 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5133 {
5134 	struct sk_security_struct *sksec;
5135 
5136 	sksec = kzalloc(sizeof(*sksec), priority);
5137 	if (!sksec)
5138 		return -ENOMEM;
5139 
5140 	sksec->peer_sid = SECINITSID_UNLABELED;
5141 	sksec->sid = SECINITSID_UNLABELED;
5142 	sksec->sclass = SECCLASS_SOCKET;
5143 	selinux_netlbl_sk_security_reset(sksec);
5144 	sk->sk_security = sksec;
5145 
5146 	return 0;
5147 }
5148 
5149 static void selinux_sk_free_security(struct sock *sk)
5150 {
5151 	struct sk_security_struct *sksec = sk->sk_security;
5152 
5153 	sk->sk_security = NULL;
5154 	selinux_netlbl_sk_security_free(sksec);
5155 	kfree(sksec);
5156 }
5157 
5158 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5159 {
5160 	struct sk_security_struct *sksec = sk->sk_security;
5161 	struct sk_security_struct *newsksec = newsk->sk_security;
5162 
5163 	newsksec->sid = sksec->sid;
5164 	newsksec->peer_sid = sksec->peer_sid;
5165 	newsksec->sclass = sksec->sclass;
5166 
5167 	selinux_netlbl_sk_security_reset(newsksec);
5168 }
5169 
5170 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5171 {
5172 	if (!sk)
5173 		*secid = SECINITSID_ANY_SOCKET;
5174 	else {
5175 		struct sk_security_struct *sksec = sk->sk_security;
5176 
5177 		*secid = sksec->sid;
5178 	}
5179 }
5180 
5181 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5182 {
5183 	struct inode_security_struct *isec =
5184 		inode_security_novalidate(SOCK_INODE(parent));
5185 	struct sk_security_struct *sksec = sk->sk_security;
5186 
5187 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5188 	    sk->sk_family == PF_UNIX)
5189 		isec->sid = sksec->sid;
5190 	sksec->sclass = isec->sclass;
5191 }
5192 
5193 /*
5194  * Determines peer_secid for the asoc and updates socket's peer label
5195  * if it's the first association on the socket.
5196  */
5197 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5198 					  struct sk_buff *skb)
5199 {
5200 	struct sock *sk = asoc->base.sk;
5201 	u16 family = sk->sk_family;
5202 	struct sk_security_struct *sksec = sk->sk_security;
5203 	struct common_audit_data ad;
5204 	struct lsm_network_audit net = {0,};
5205 	int err;
5206 
5207 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5208 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5209 		family = PF_INET;
5210 
5211 	if (selinux_peerlbl_enabled()) {
5212 		asoc->peer_secid = SECSID_NULL;
5213 
5214 		/* This will return peer_sid = SECSID_NULL if there are
5215 		 * no peer labels, see security_net_peersid_resolve().
5216 		 */
5217 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5218 		if (err)
5219 			return err;
5220 
5221 		if (asoc->peer_secid == SECSID_NULL)
5222 			asoc->peer_secid = SECINITSID_UNLABELED;
5223 	} else {
5224 		asoc->peer_secid = SECINITSID_UNLABELED;
5225 	}
5226 
5227 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5228 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5229 
5230 		/* Here as first association on socket. As the peer SID
5231 		 * was allowed by peer recv (and the netif/node checks),
5232 		 * then it is approved by policy and used as the primary
5233 		 * peer SID for getpeercon(3).
5234 		 */
5235 		sksec->peer_sid = asoc->peer_secid;
5236 	} else if (sksec->peer_sid != asoc->peer_secid) {
5237 		/* Other association peer SIDs are checked to enforce
5238 		 * consistency among the peer SIDs.
5239 		 */
5240 		ad.type = LSM_AUDIT_DATA_NET;
5241 		ad.u.net = &net;
5242 		ad.u.net->sk = asoc->base.sk;
5243 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5244 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5245 				   &ad);
5246 		if (err)
5247 			return err;
5248 	}
5249 	return 0;
5250 }
5251 
5252 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5253  * happens on an incoming connect(2), sctp_connectx(3) or
5254  * sctp_sendmsg(3) (with no association already present).
5255  */
5256 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5257 				      struct sk_buff *skb)
5258 {
5259 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5260 	u32 conn_sid;
5261 	int err;
5262 
5263 	if (!selinux_policycap_extsockclass())
5264 		return 0;
5265 
5266 	err = selinux_sctp_process_new_assoc(asoc, skb);
5267 	if (err)
5268 		return err;
5269 
5270 	/* Compute the MLS component for the connection and store
5271 	 * the information in asoc. This will be used by SCTP TCP type
5272 	 * sockets and peeled off connections as they cause a new
5273 	 * socket to be generated. selinux_sctp_sk_clone() will then
5274 	 * plug this into the new socket.
5275 	 */
5276 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5277 	if (err)
5278 		return err;
5279 
5280 	asoc->secid = conn_sid;
5281 
5282 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5283 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5284 }
5285 
5286 /* Called when SCTP receives a COOKIE ACK chunk as the final
5287  * response to an association request (initited by us).
5288  */
5289 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5290 					  struct sk_buff *skb)
5291 {
5292 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5293 
5294 	if (!selinux_policycap_extsockclass())
5295 		return 0;
5296 
5297 	/* Inherit secid from the parent socket - this will be picked up
5298 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5299 	 * into a new socket.
5300 	 */
5301 	asoc->secid = sksec->sid;
5302 
5303 	return selinux_sctp_process_new_assoc(asoc, skb);
5304 }
5305 
5306 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5307  * based on their @optname.
5308  */
5309 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5310 				     struct sockaddr *address,
5311 				     int addrlen)
5312 {
5313 	int len, err = 0, walk_size = 0;
5314 	void *addr_buf;
5315 	struct sockaddr *addr;
5316 	struct socket *sock;
5317 
5318 	if (!selinux_policycap_extsockclass())
5319 		return 0;
5320 
5321 	/* Process one or more addresses that may be IPv4 or IPv6 */
5322 	sock = sk->sk_socket;
5323 	addr_buf = address;
5324 
5325 	while (walk_size < addrlen) {
5326 		if (walk_size + sizeof(sa_family_t) > addrlen)
5327 			return -EINVAL;
5328 
5329 		addr = addr_buf;
5330 		switch (addr->sa_family) {
5331 		case AF_UNSPEC:
5332 		case AF_INET:
5333 			len = sizeof(struct sockaddr_in);
5334 			break;
5335 		case AF_INET6:
5336 			len = sizeof(struct sockaddr_in6);
5337 			break;
5338 		default:
5339 			return -EINVAL;
5340 		}
5341 
5342 		if (walk_size + len > addrlen)
5343 			return -EINVAL;
5344 
5345 		err = -EINVAL;
5346 		switch (optname) {
5347 		/* Bind checks */
5348 		case SCTP_PRIMARY_ADDR:
5349 		case SCTP_SET_PEER_PRIMARY_ADDR:
5350 		case SCTP_SOCKOPT_BINDX_ADD:
5351 			err = selinux_socket_bind(sock, addr, len);
5352 			break;
5353 		/* Connect checks */
5354 		case SCTP_SOCKOPT_CONNECTX:
5355 		case SCTP_PARAM_SET_PRIMARY:
5356 		case SCTP_PARAM_ADD_IP:
5357 		case SCTP_SENDMSG_CONNECT:
5358 			err = selinux_socket_connect_helper(sock, addr, len);
5359 			if (err)
5360 				return err;
5361 
5362 			/* As selinux_sctp_bind_connect() is called by the
5363 			 * SCTP protocol layer, the socket is already locked,
5364 			 * therefore selinux_netlbl_socket_connect_locked()
5365 			 * is called here. The situations handled are:
5366 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5367 			 * whenever a new IP address is added or when a new
5368 			 * primary address is selected.
5369 			 * Note that an SCTP connect(2) call happens before
5370 			 * the SCTP protocol layer and is handled via
5371 			 * selinux_socket_connect().
5372 			 */
5373 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5374 			break;
5375 		}
5376 
5377 		if (err)
5378 			return err;
5379 
5380 		addr_buf += len;
5381 		walk_size += len;
5382 	}
5383 
5384 	return 0;
5385 }
5386 
5387 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5388 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5389 				  struct sock *newsk)
5390 {
5391 	struct sk_security_struct *sksec = sk->sk_security;
5392 	struct sk_security_struct *newsksec = newsk->sk_security;
5393 
5394 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5395 	 * the non-sctp clone version.
5396 	 */
5397 	if (!selinux_policycap_extsockclass())
5398 		return selinux_sk_clone_security(sk, newsk);
5399 
5400 	newsksec->sid = asoc->secid;
5401 	newsksec->peer_sid = asoc->peer_secid;
5402 	newsksec->sclass = sksec->sclass;
5403 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5404 }
5405 
5406 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5407 {
5408 	struct sk_security_struct *ssksec = ssk->sk_security;
5409 	struct sk_security_struct *sksec = sk->sk_security;
5410 
5411 	ssksec->sclass = sksec->sclass;
5412 	ssksec->sid = sksec->sid;
5413 
5414 	/* replace the existing subflow label deleting the existing one
5415 	 * and re-recreating a new label using the updated context
5416 	 */
5417 	selinux_netlbl_sk_security_free(ssksec);
5418 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5419 }
5420 
5421 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5422 				     struct request_sock *req)
5423 {
5424 	struct sk_security_struct *sksec = sk->sk_security;
5425 	int err;
5426 	u16 family = req->rsk_ops->family;
5427 	u32 connsid;
5428 	u32 peersid;
5429 
5430 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5431 	if (err)
5432 		return err;
5433 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5434 	if (err)
5435 		return err;
5436 	req->secid = connsid;
5437 	req->peer_secid = peersid;
5438 
5439 	return selinux_netlbl_inet_conn_request(req, family);
5440 }
5441 
5442 static void selinux_inet_csk_clone(struct sock *newsk,
5443 				   const struct request_sock *req)
5444 {
5445 	struct sk_security_struct *newsksec = newsk->sk_security;
5446 
5447 	newsksec->sid = req->secid;
5448 	newsksec->peer_sid = req->peer_secid;
5449 	/* NOTE: Ideally, we should also get the isec->sid for the
5450 	   new socket in sync, but we don't have the isec available yet.
5451 	   So we will wait until sock_graft to do it, by which
5452 	   time it will have been created and available. */
5453 
5454 	/* We don't need to take any sort of lock here as we are the only
5455 	 * thread with access to newsksec */
5456 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5457 }
5458 
5459 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5460 {
5461 	u16 family = sk->sk_family;
5462 	struct sk_security_struct *sksec = sk->sk_security;
5463 
5464 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5465 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5466 		family = PF_INET;
5467 
5468 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5469 }
5470 
5471 static int selinux_secmark_relabel_packet(u32 sid)
5472 {
5473 	const struct task_security_struct *__tsec;
5474 	u32 tsid;
5475 
5476 	__tsec = selinux_cred(current_cred());
5477 	tsid = __tsec->sid;
5478 
5479 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5480 			    NULL);
5481 }
5482 
5483 static void selinux_secmark_refcount_inc(void)
5484 {
5485 	atomic_inc(&selinux_secmark_refcount);
5486 }
5487 
5488 static void selinux_secmark_refcount_dec(void)
5489 {
5490 	atomic_dec(&selinux_secmark_refcount);
5491 }
5492 
5493 static void selinux_req_classify_flow(const struct request_sock *req,
5494 				      struct flowi_common *flic)
5495 {
5496 	flic->flowic_secid = req->secid;
5497 }
5498 
5499 static int selinux_tun_dev_alloc_security(void **security)
5500 {
5501 	struct tun_security_struct *tunsec;
5502 
5503 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5504 	if (!tunsec)
5505 		return -ENOMEM;
5506 	tunsec->sid = current_sid();
5507 
5508 	*security = tunsec;
5509 	return 0;
5510 }
5511 
5512 static void selinux_tun_dev_free_security(void *security)
5513 {
5514 	kfree(security);
5515 }
5516 
5517 static int selinux_tun_dev_create(void)
5518 {
5519 	u32 sid = current_sid();
5520 
5521 	/* we aren't taking into account the "sockcreate" SID since the socket
5522 	 * that is being created here is not a socket in the traditional sense,
5523 	 * instead it is a private sock, accessible only to the kernel, and
5524 	 * representing a wide range of network traffic spanning multiple
5525 	 * connections unlike traditional sockets - check the TUN driver to
5526 	 * get a better understanding of why this socket is special */
5527 
5528 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5529 			    NULL);
5530 }
5531 
5532 static int selinux_tun_dev_attach_queue(void *security)
5533 {
5534 	struct tun_security_struct *tunsec = security;
5535 
5536 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5537 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5538 }
5539 
5540 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5541 {
5542 	struct tun_security_struct *tunsec = security;
5543 	struct sk_security_struct *sksec = sk->sk_security;
5544 
5545 	/* we don't currently perform any NetLabel based labeling here and it
5546 	 * isn't clear that we would want to do so anyway; while we could apply
5547 	 * labeling without the support of the TUN user the resulting labeled
5548 	 * traffic from the other end of the connection would almost certainly
5549 	 * cause confusion to the TUN user that had no idea network labeling
5550 	 * protocols were being used */
5551 
5552 	sksec->sid = tunsec->sid;
5553 	sksec->sclass = SECCLASS_TUN_SOCKET;
5554 
5555 	return 0;
5556 }
5557 
5558 static int selinux_tun_dev_open(void *security)
5559 {
5560 	struct tun_security_struct *tunsec = security;
5561 	u32 sid = current_sid();
5562 	int err;
5563 
5564 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5565 			   TUN_SOCKET__RELABELFROM, NULL);
5566 	if (err)
5567 		return err;
5568 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5569 			   TUN_SOCKET__RELABELTO, NULL);
5570 	if (err)
5571 		return err;
5572 	tunsec->sid = sid;
5573 
5574 	return 0;
5575 }
5576 
5577 #ifdef CONFIG_NETFILTER
5578 
5579 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5580 				       const struct nf_hook_state *state)
5581 {
5582 	int ifindex;
5583 	u16 family;
5584 	char *addrp;
5585 	u32 peer_sid;
5586 	struct common_audit_data ad;
5587 	struct lsm_network_audit net = {0,};
5588 	int secmark_active, peerlbl_active;
5589 
5590 	if (!selinux_policycap_netpeer())
5591 		return NF_ACCEPT;
5592 
5593 	secmark_active = selinux_secmark_enabled();
5594 	peerlbl_active = selinux_peerlbl_enabled();
5595 	if (!secmark_active && !peerlbl_active)
5596 		return NF_ACCEPT;
5597 
5598 	family = state->pf;
5599 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5600 		return NF_DROP;
5601 
5602 	ifindex = state->in->ifindex;
5603 	ad.type = LSM_AUDIT_DATA_NET;
5604 	ad.u.net = &net;
5605 	ad.u.net->netif = ifindex;
5606 	ad.u.net->family = family;
5607 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5608 		return NF_DROP;
5609 
5610 	if (peerlbl_active) {
5611 		int err;
5612 
5613 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5614 					       addrp, family, peer_sid, &ad);
5615 		if (err) {
5616 			selinux_netlbl_err(skb, family, err, 1);
5617 			return NF_DROP;
5618 		}
5619 	}
5620 
5621 	if (secmark_active)
5622 		if (avc_has_perm(peer_sid, skb->secmark,
5623 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5624 			return NF_DROP;
5625 
5626 	if (netlbl_enabled())
5627 		/* we do this in the FORWARD path and not the POST_ROUTING
5628 		 * path because we want to make sure we apply the necessary
5629 		 * labeling before IPsec is applied so we can leverage AH
5630 		 * protection */
5631 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5632 			return NF_DROP;
5633 
5634 	return NF_ACCEPT;
5635 }
5636 
5637 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5638 				      const struct nf_hook_state *state)
5639 {
5640 	struct sock *sk;
5641 	u32 sid;
5642 
5643 	if (!netlbl_enabled())
5644 		return NF_ACCEPT;
5645 
5646 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5647 	 * because we want to make sure we apply the necessary labeling
5648 	 * before IPsec is applied so we can leverage AH protection */
5649 	sk = skb->sk;
5650 	if (sk) {
5651 		struct sk_security_struct *sksec;
5652 
5653 		if (sk_listener(sk))
5654 			/* if the socket is the listening state then this
5655 			 * packet is a SYN-ACK packet which means it needs to
5656 			 * be labeled based on the connection/request_sock and
5657 			 * not the parent socket.  unfortunately, we can't
5658 			 * lookup the request_sock yet as it isn't queued on
5659 			 * the parent socket until after the SYN-ACK is sent.
5660 			 * the "solution" is to simply pass the packet as-is
5661 			 * as any IP option based labeling should be copied
5662 			 * from the initial connection request (in the IP
5663 			 * layer).  it is far from ideal, but until we get a
5664 			 * security label in the packet itself this is the
5665 			 * best we can do. */
5666 			return NF_ACCEPT;
5667 
5668 		/* standard practice, label using the parent socket */
5669 		sksec = sk->sk_security;
5670 		sid = sksec->sid;
5671 	} else
5672 		sid = SECINITSID_KERNEL;
5673 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5674 		return NF_DROP;
5675 
5676 	return NF_ACCEPT;
5677 }
5678 
5679 
5680 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5681 					const struct nf_hook_state *state)
5682 {
5683 	struct sock *sk;
5684 	struct sk_security_struct *sksec;
5685 	struct common_audit_data ad;
5686 	struct lsm_network_audit net = {0,};
5687 	u8 proto = 0;
5688 
5689 	sk = skb_to_full_sk(skb);
5690 	if (sk == NULL)
5691 		return NF_ACCEPT;
5692 	sksec = sk->sk_security;
5693 
5694 	ad.type = LSM_AUDIT_DATA_NET;
5695 	ad.u.net = &net;
5696 	ad.u.net->netif = state->out->ifindex;
5697 	ad.u.net->family = state->pf;
5698 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5699 		return NF_DROP;
5700 
5701 	if (selinux_secmark_enabled())
5702 		if (avc_has_perm(sksec->sid, skb->secmark,
5703 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5704 			return NF_DROP_ERR(-ECONNREFUSED);
5705 
5706 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5707 		return NF_DROP_ERR(-ECONNREFUSED);
5708 
5709 	return NF_ACCEPT;
5710 }
5711 
5712 static unsigned int selinux_ip_postroute(void *priv,
5713 					 struct sk_buff *skb,
5714 					 const struct nf_hook_state *state)
5715 {
5716 	u16 family;
5717 	u32 secmark_perm;
5718 	u32 peer_sid;
5719 	int ifindex;
5720 	struct sock *sk;
5721 	struct common_audit_data ad;
5722 	struct lsm_network_audit net = {0,};
5723 	char *addrp;
5724 	int secmark_active, peerlbl_active;
5725 
5726 	/* If any sort of compatibility mode is enabled then handoff processing
5727 	 * to the selinux_ip_postroute_compat() function to deal with the
5728 	 * special handling.  We do this in an attempt to keep this function
5729 	 * as fast and as clean as possible. */
5730 	if (!selinux_policycap_netpeer())
5731 		return selinux_ip_postroute_compat(skb, state);
5732 
5733 	secmark_active = selinux_secmark_enabled();
5734 	peerlbl_active = selinux_peerlbl_enabled();
5735 	if (!secmark_active && !peerlbl_active)
5736 		return NF_ACCEPT;
5737 
5738 	sk = skb_to_full_sk(skb);
5739 
5740 #ifdef CONFIG_XFRM
5741 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5742 	 * packet transformation so allow the packet to pass without any checks
5743 	 * since we'll have another chance to perform access control checks
5744 	 * when the packet is on it's final way out.
5745 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5746 	 *       is NULL, in this case go ahead and apply access control.
5747 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5748 	 *       TCP listening state we cannot wait until the XFRM processing
5749 	 *       is done as we will miss out on the SA label if we do;
5750 	 *       unfortunately, this means more work, but it is only once per
5751 	 *       connection. */
5752 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5753 	    !(sk && sk_listener(sk)))
5754 		return NF_ACCEPT;
5755 #endif
5756 
5757 	family = state->pf;
5758 	if (sk == NULL) {
5759 		/* Without an associated socket the packet is either coming
5760 		 * from the kernel or it is being forwarded; check the packet
5761 		 * to determine which and if the packet is being forwarded
5762 		 * query the packet directly to determine the security label. */
5763 		if (skb->skb_iif) {
5764 			secmark_perm = PACKET__FORWARD_OUT;
5765 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5766 				return NF_DROP;
5767 		} else {
5768 			secmark_perm = PACKET__SEND;
5769 			peer_sid = SECINITSID_KERNEL;
5770 		}
5771 	} else if (sk_listener(sk)) {
5772 		/* Locally generated packet but the associated socket is in the
5773 		 * listening state which means this is a SYN-ACK packet.  In
5774 		 * this particular case the correct security label is assigned
5775 		 * to the connection/request_sock but unfortunately we can't
5776 		 * query the request_sock as it isn't queued on the parent
5777 		 * socket until after the SYN-ACK packet is sent; the only
5778 		 * viable choice is to regenerate the label like we do in
5779 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5780 		 * for similar problems. */
5781 		u32 skb_sid;
5782 		struct sk_security_struct *sksec;
5783 
5784 		sksec = sk->sk_security;
5785 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5786 			return NF_DROP;
5787 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5788 		 * and the packet has been through at least one XFRM
5789 		 * transformation then we must be dealing with the "final"
5790 		 * form of labeled IPsec packet; since we've already applied
5791 		 * all of our access controls on this packet we can safely
5792 		 * pass the packet. */
5793 		if (skb_sid == SECSID_NULL) {
5794 			switch (family) {
5795 			case PF_INET:
5796 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5797 					return NF_ACCEPT;
5798 				break;
5799 			case PF_INET6:
5800 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5801 					return NF_ACCEPT;
5802 				break;
5803 			default:
5804 				return NF_DROP_ERR(-ECONNREFUSED);
5805 			}
5806 		}
5807 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5808 			return NF_DROP;
5809 		secmark_perm = PACKET__SEND;
5810 	} else {
5811 		/* Locally generated packet, fetch the security label from the
5812 		 * associated socket. */
5813 		struct sk_security_struct *sksec = sk->sk_security;
5814 		peer_sid = sksec->sid;
5815 		secmark_perm = PACKET__SEND;
5816 	}
5817 
5818 	ifindex = state->out->ifindex;
5819 	ad.type = LSM_AUDIT_DATA_NET;
5820 	ad.u.net = &net;
5821 	ad.u.net->netif = ifindex;
5822 	ad.u.net->family = family;
5823 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5824 		return NF_DROP;
5825 
5826 	if (secmark_active)
5827 		if (avc_has_perm(peer_sid, skb->secmark,
5828 				 SECCLASS_PACKET, secmark_perm, &ad))
5829 			return NF_DROP_ERR(-ECONNREFUSED);
5830 
5831 	if (peerlbl_active) {
5832 		u32 if_sid;
5833 		u32 node_sid;
5834 
5835 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5836 			return NF_DROP;
5837 		if (avc_has_perm(peer_sid, if_sid,
5838 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5839 			return NF_DROP_ERR(-ECONNREFUSED);
5840 
5841 		if (sel_netnode_sid(addrp, family, &node_sid))
5842 			return NF_DROP;
5843 		if (avc_has_perm(peer_sid, node_sid,
5844 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5845 			return NF_DROP_ERR(-ECONNREFUSED);
5846 	}
5847 
5848 	return NF_ACCEPT;
5849 }
5850 #endif	/* CONFIG_NETFILTER */
5851 
5852 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5853 {
5854 	int rc = 0;
5855 	unsigned int msg_len;
5856 	unsigned int data_len = skb->len;
5857 	unsigned char *data = skb->data;
5858 	struct nlmsghdr *nlh;
5859 	struct sk_security_struct *sksec = sk->sk_security;
5860 	u16 sclass = sksec->sclass;
5861 	u32 perm;
5862 
5863 	while (data_len >= nlmsg_total_size(0)) {
5864 		nlh = (struct nlmsghdr *)data;
5865 
5866 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5867 		 *       users which means we can't reject skb's with bogus
5868 		 *       length fields; our solution is to follow what
5869 		 *       netlink_rcv_skb() does and simply skip processing at
5870 		 *       messages with length fields that are clearly junk
5871 		 */
5872 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5873 			return 0;
5874 
5875 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5876 		if (rc == 0) {
5877 			rc = sock_has_perm(sk, perm);
5878 			if (rc)
5879 				return rc;
5880 		} else if (rc == -EINVAL) {
5881 			/* -EINVAL is a missing msg/perm mapping */
5882 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5883 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5884 				" pid=%d comm=%s\n",
5885 				sk->sk_protocol, nlh->nlmsg_type,
5886 				secclass_map[sclass - 1].name,
5887 				task_pid_nr(current), current->comm);
5888 			if (enforcing_enabled() &&
5889 			    !security_get_allow_unknown())
5890 				return rc;
5891 			rc = 0;
5892 		} else if (rc == -ENOENT) {
5893 			/* -ENOENT is a missing socket/class mapping, ignore */
5894 			rc = 0;
5895 		} else {
5896 			return rc;
5897 		}
5898 
5899 		/* move to the next message after applying netlink padding */
5900 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5901 		if (msg_len >= data_len)
5902 			return 0;
5903 		data_len -= msg_len;
5904 		data += msg_len;
5905 	}
5906 
5907 	return rc;
5908 }
5909 
5910 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5911 {
5912 	isec->sclass = sclass;
5913 	isec->sid = current_sid();
5914 }
5915 
5916 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5917 			u32 perms)
5918 {
5919 	struct ipc_security_struct *isec;
5920 	struct common_audit_data ad;
5921 	u32 sid = current_sid();
5922 
5923 	isec = selinux_ipc(ipc_perms);
5924 
5925 	ad.type = LSM_AUDIT_DATA_IPC;
5926 	ad.u.ipc_id = ipc_perms->key;
5927 
5928 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5929 }
5930 
5931 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5932 {
5933 	struct msg_security_struct *msec;
5934 
5935 	msec = selinux_msg_msg(msg);
5936 	msec->sid = SECINITSID_UNLABELED;
5937 
5938 	return 0;
5939 }
5940 
5941 /* message queue security operations */
5942 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5943 {
5944 	struct ipc_security_struct *isec;
5945 	struct common_audit_data ad;
5946 	u32 sid = current_sid();
5947 
5948 	isec = selinux_ipc(msq);
5949 	ipc_init_security(isec, SECCLASS_MSGQ);
5950 
5951 	ad.type = LSM_AUDIT_DATA_IPC;
5952 	ad.u.ipc_id = msq->key;
5953 
5954 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5955 			    MSGQ__CREATE, &ad);
5956 }
5957 
5958 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5959 {
5960 	struct ipc_security_struct *isec;
5961 	struct common_audit_data ad;
5962 	u32 sid = current_sid();
5963 
5964 	isec = selinux_ipc(msq);
5965 
5966 	ad.type = LSM_AUDIT_DATA_IPC;
5967 	ad.u.ipc_id = msq->key;
5968 
5969 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5970 			    MSGQ__ASSOCIATE, &ad);
5971 }
5972 
5973 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5974 {
5975 	int err;
5976 	int perms;
5977 
5978 	switch (cmd) {
5979 	case IPC_INFO:
5980 	case MSG_INFO:
5981 		/* No specific object, just general system-wide information. */
5982 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5983 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5984 	case IPC_STAT:
5985 	case MSG_STAT:
5986 	case MSG_STAT_ANY:
5987 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5988 		break;
5989 	case IPC_SET:
5990 		perms = MSGQ__SETATTR;
5991 		break;
5992 	case IPC_RMID:
5993 		perms = MSGQ__DESTROY;
5994 		break;
5995 	default:
5996 		return 0;
5997 	}
5998 
5999 	err = ipc_has_perm(msq, perms);
6000 	return err;
6001 }
6002 
6003 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6004 {
6005 	struct ipc_security_struct *isec;
6006 	struct msg_security_struct *msec;
6007 	struct common_audit_data ad;
6008 	u32 sid = current_sid();
6009 	int rc;
6010 
6011 	isec = selinux_ipc(msq);
6012 	msec = selinux_msg_msg(msg);
6013 
6014 	/*
6015 	 * First time through, need to assign label to the message
6016 	 */
6017 	if (msec->sid == SECINITSID_UNLABELED) {
6018 		/*
6019 		 * Compute new sid based on current process and
6020 		 * message queue this message will be stored in
6021 		 */
6022 		rc = security_transition_sid(sid, isec->sid,
6023 					     SECCLASS_MSG, NULL, &msec->sid);
6024 		if (rc)
6025 			return rc;
6026 	}
6027 
6028 	ad.type = LSM_AUDIT_DATA_IPC;
6029 	ad.u.ipc_id = msq->key;
6030 
6031 	/* Can this process write to the queue? */
6032 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6033 			  MSGQ__WRITE, &ad);
6034 	if (!rc)
6035 		/* Can this process send the message */
6036 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6037 				  MSG__SEND, &ad);
6038 	if (!rc)
6039 		/* Can the message be put in the queue? */
6040 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6041 				  MSGQ__ENQUEUE, &ad);
6042 
6043 	return rc;
6044 }
6045 
6046 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6047 				    struct task_struct *target,
6048 				    long type, int mode)
6049 {
6050 	struct ipc_security_struct *isec;
6051 	struct msg_security_struct *msec;
6052 	struct common_audit_data ad;
6053 	u32 sid = task_sid_obj(target);
6054 	int rc;
6055 
6056 	isec = selinux_ipc(msq);
6057 	msec = selinux_msg_msg(msg);
6058 
6059 	ad.type = LSM_AUDIT_DATA_IPC;
6060 	ad.u.ipc_id = msq->key;
6061 
6062 	rc = avc_has_perm(sid, isec->sid,
6063 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6064 	if (!rc)
6065 		rc = avc_has_perm(sid, msec->sid,
6066 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6067 	return rc;
6068 }
6069 
6070 /* Shared Memory security operations */
6071 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6072 {
6073 	struct ipc_security_struct *isec;
6074 	struct common_audit_data ad;
6075 	u32 sid = current_sid();
6076 
6077 	isec = selinux_ipc(shp);
6078 	ipc_init_security(isec, SECCLASS_SHM);
6079 
6080 	ad.type = LSM_AUDIT_DATA_IPC;
6081 	ad.u.ipc_id = shp->key;
6082 
6083 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6084 			    SHM__CREATE, &ad);
6085 }
6086 
6087 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6088 {
6089 	struct ipc_security_struct *isec;
6090 	struct common_audit_data ad;
6091 	u32 sid = current_sid();
6092 
6093 	isec = selinux_ipc(shp);
6094 
6095 	ad.type = LSM_AUDIT_DATA_IPC;
6096 	ad.u.ipc_id = shp->key;
6097 
6098 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6099 			    SHM__ASSOCIATE, &ad);
6100 }
6101 
6102 /* Note, at this point, shp is locked down */
6103 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6104 {
6105 	int perms;
6106 	int err;
6107 
6108 	switch (cmd) {
6109 	case IPC_INFO:
6110 	case SHM_INFO:
6111 		/* No specific object, just general system-wide information. */
6112 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6113 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6114 	case IPC_STAT:
6115 	case SHM_STAT:
6116 	case SHM_STAT_ANY:
6117 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6118 		break;
6119 	case IPC_SET:
6120 		perms = SHM__SETATTR;
6121 		break;
6122 	case SHM_LOCK:
6123 	case SHM_UNLOCK:
6124 		perms = SHM__LOCK;
6125 		break;
6126 	case IPC_RMID:
6127 		perms = SHM__DESTROY;
6128 		break;
6129 	default:
6130 		return 0;
6131 	}
6132 
6133 	err = ipc_has_perm(shp, perms);
6134 	return err;
6135 }
6136 
6137 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6138 			     char __user *shmaddr, int shmflg)
6139 {
6140 	u32 perms;
6141 
6142 	if (shmflg & SHM_RDONLY)
6143 		perms = SHM__READ;
6144 	else
6145 		perms = SHM__READ | SHM__WRITE;
6146 
6147 	return ipc_has_perm(shp, perms);
6148 }
6149 
6150 /* Semaphore security operations */
6151 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6152 {
6153 	struct ipc_security_struct *isec;
6154 	struct common_audit_data ad;
6155 	u32 sid = current_sid();
6156 
6157 	isec = selinux_ipc(sma);
6158 	ipc_init_security(isec, SECCLASS_SEM);
6159 
6160 	ad.type = LSM_AUDIT_DATA_IPC;
6161 	ad.u.ipc_id = sma->key;
6162 
6163 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6164 			    SEM__CREATE, &ad);
6165 }
6166 
6167 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6168 {
6169 	struct ipc_security_struct *isec;
6170 	struct common_audit_data ad;
6171 	u32 sid = current_sid();
6172 
6173 	isec = selinux_ipc(sma);
6174 
6175 	ad.type = LSM_AUDIT_DATA_IPC;
6176 	ad.u.ipc_id = sma->key;
6177 
6178 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6179 			    SEM__ASSOCIATE, &ad);
6180 }
6181 
6182 /* Note, at this point, sma is locked down */
6183 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6184 {
6185 	int err;
6186 	u32 perms;
6187 
6188 	switch (cmd) {
6189 	case IPC_INFO:
6190 	case SEM_INFO:
6191 		/* No specific object, just general system-wide information. */
6192 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6193 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6194 	case GETPID:
6195 	case GETNCNT:
6196 	case GETZCNT:
6197 		perms = SEM__GETATTR;
6198 		break;
6199 	case GETVAL:
6200 	case GETALL:
6201 		perms = SEM__READ;
6202 		break;
6203 	case SETVAL:
6204 	case SETALL:
6205 		perms = SEM__WRITE;
6206 		break;
6207 	case IPC_RMID:
6208 		perms = SEM__DESTROY;
6209 		break;
6210 	case IPC_SET:
6211 		perms = SEM__SETATTR;
6212 		break;
6213 	case IPC_STAT:
6214 	case SEM_STAT:
6215 	case SEM_STAT_ANY:
6216 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6217 		break;
6218 	default:
6219 		return 0;
6220 	}
6221 
6222 	err = ipc_has_perm(sma, perms);
6223 	return err;
6224 }
6225 
6226 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6227 			     struct sembuf *sops, unsigned nsops, int alter)
6228 {
6229 	u32 perms;
6230 
6231 	if (alter)
6232 		perms = SEM__READ | SEM__WRITE;
6233 	else
6234 		perms = SEM__READ;
6235 
6236 	return ipc_has_perm(sma, perms);
6237 }
6238 
6239 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6240 {
6241 	u32 av = 0;
6242 
6243 	av = 0;
6244 	if (flag & S_IRUGO)
6245 		av |= IPC__UNIX_READ;
6246 	if (flag & S_IWUGO)
6247 		av |= IPC__UNIX_WRITE;
6248 
6249 	if (av == 0)
6250 		return 0;
6251 
6252 	return ipc_has_perm(ipcp, av);
6253 }
6254 
6255 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6256 {
6257 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6258 	*secid = isec->sid;
6259 }
6260 
6261 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6262 {
6263 	if (inode)
6264 		inode_doinit_with_dentry(inode, dentry);
6265 }
6266 
6267 static int selinux_getprocattr(struct task_struct *p,
6268 			       const char *name, char **value)
6269 {
6270 	const struct task_security_struct *__tsec;
6271 	u32 sid;
6272 	int error;
6273 	unsigned len;
6274 
6275 	rcu_read_lock();
6276 	__tsec = selinux_cred(__task_cred(p));
6277 
6278 	if (current != p) {
6279 		error = avc_has_perm(current_sid(), __tsec->sid,
6280 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6281 		if (error)
6282 			goto bad;
6283 	}
6284 
6285 	if (!strcmp(name, "current"))
6286 		sid = __tsec->sid;
6287 	else if (!strcmp(name, "prev"))
6288 		sid = __tsec->osid;
6289 	else if (!strcmp(name, "exec"))
6290 		sid = __tsec->exec_sid;
6291 	else if (!strcmp(name, "fscreate"))
6292 		sid = __tsec->create_sid;
6293 	else if (!strcmp(name, "keycreate"))
6294 		sid = __tsec->keycreate_sid;
6295 	else if (!strcmp(name, "sockcreate"))
6296 		sid = __tsec->sockcreate_sid;
6297 	else {
6298 		error = -EINVAL;
6299 		goto bad;
6300 	}
6301 	rcu_read_unlock();
6302 
6303 	if (!sid)
6304 		return 0;
6305 
6306 	error = security_sid_to_context(sid, value, &len);
6307 	if (error)
6308 		return error;
6309 	return len;
6310 
6311 bad:
6312 	rcu_read_unlock();
6313 	return error;
6314 }
6315 
6316 static int selinux_setprocattr(const char *name, void *value, size_t size)
6317 {
6318 	struct task_security_struct *tsec;
6319 	struct cred *new;
6320 	u32 mysid = current_sid(), sid = 0, ptsid;
6321 	int error;
6322 	char *str = value;
6323 
6324 	/*
6325 	 * Basic control over ability to set these attributes at all.
6326 	 */
6327 	if (!strcmp(name, "exec"))
6328 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6329 				     PROCESS__SETEXEC, NULL);
6330 	else if (!strcmp(name, "fscreate"))
6331 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6332 				     PROCESS__SETFSCREATE, NULL);
6333 	else if (!strcmp(name, "keycreate"))
6334 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6335 				     PROCESS__SETKEYCREATE, NULL);
6336 	else if (!strcmp(name, "sockcreate"))
6337 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6338 				     PROCESS__SETSOCKCREATE, NULL);
6339 	else if (!strcmp(name, "current"))
6340 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6341 				     PROCESS__SETCURRENT, NULL);
6342 	else
6343 		error = -EINVAL;
6344 	if (error)
6345 		return error;
6346 
6347 	/* Obtain a SID for the context, if one was specified. */
6348 	if (size && str[0] && str[0] != '\n') {
6349 		if (str[size-1] == '\n') {
6350 			str[size-1] = 0;
6351 			size--;
6352 		}
6353 		error = security_context_to_sid(value, size,
6354 						&sid, GFP_KERNEL);
6355 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6356 			if (!has_cap_mac_admin(true)) {
6357 				struct audit_buffer *ab;
6358 				size_t audit_size;
6359 
6360 				/* We strip a nul only if it is at the end, otherwise the
6361 				 * context contains a nul and we should audit that */
6362 				if (str[size - 1] == '\0')
6363 					audit_size = size - 1;
6364 				else
6365 					audit_size = size;
6366 				ab = audit_log_start(audit_context(),
6367 						     GFP_ATOMIC,
6368 						     AUDIT_SELINUX_ERR);
6369 				if (!ab)
6370 					return error;
6371 				audit_log_format(ab, "op=fscreate invalid_context=");
6372 				audit_log_n_untrustedstring(ab, value, audit_size);
6373 				audit_log_end(ab);
6374 
6375 				return error;
6376 			}
6377 			error = security_context_to_sid_force(value, size,
6378 							&sid);
6379 		}
6380 		if (error)
6381 			return error;
6382 	}
6383 
6384 	new = prepare_creds();
6385 	if (!new)
6386 		return -ENOMEM;
6387 
6388 	/* Permission checking based on the specified context is
6389 	   performed during the actual operation (execve,
6390 	   open/mkdir/...), when we know the full context of the
6391 	   operation.  See selinux_bprm_creds_for_exec for the execve
6392 	   checks and may_create for the file creation checks. The
6393 	   operation will then fail if the context is not permitted. */
6394 	tsec = selinux_cred(new);
6395 	if (!strcmp(name, "exec")) {
6396 		tsec->exec_sid = sid;
6397 	} else if (!strcmp(name, "fscreate")) {
6398 		tsec->create_sid = sid;
6399 	} else if (!strcmp(name, "keycreate")) {
6400 		if (sid) {
6401 			error = avc_has_perm(mysid, sid,
6402 					     SECCLASS_KEY, KEY__CREATE, NULL);
6403 			if (error)
6404 				goto abort_change;
6405 		}
6406 		tsec->keycreate_sid = sid;
6407 	} else if (!strcmp(name, "sockcreate")) {
6408 		tsec->sockcreate_sid = sid;
6409 	} else if (!strcmp(name, "current")) {
6410 		error = -EINVAL;
6411 		if (sid == 0)
6412 			goto abort_change;
6413 
6414 		/* Only allow single threaded processes to change context */
6415 		if (!current_is_single_threaded()) {
6416 			error = security_bounded_transition(tsec->sid, sid);
6417 			if (error)
6418 				goto abort_change;
6419 		}
6420 
6421 		/* Check permissions for the transition. */
6422 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6423 				     PROCESS__DYNTRANSITION, NULL);
6424 		if (error)
6425 			goto abort_change;
6426 
6427 		/* Check for ptracing, and update the task SID if ok.
6428 		   Otherwise, leave SID unchanged and fail. */
6429 		ptsid = ptrace_parent_sid();
6430 		if (ptsid != 0) {
6431 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6432 					     PROCESS__PTRACE, NULL);
6433 			if (error)
6434 				goto abort_change;
6435 		}
6436 
6437 		tsec->sid = sid;
6438 	} else {
6439 		error = -EINVAL;
6440 		goto abort_change;
6441 	}
6442 
6443 	commit_creds(new);
6444 	return size;
6445 
6446 abort_change:
6447 	abort_creds(new);
6448 	return error;
6449 }
6450 
6451 static int selinux_ismaclabel(const char *name)
6452 {
6453 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6454 }
6455 
6456 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6457 {
6458 	return security_sid_to_context(secid,
6459 				       secdata, seclen);
6460 }
6461 
6462 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6463 {
6464 	return security_context_to_sid(secdata, seclen,
6465 				       secid, GFP_KERNEL);
6466 }
6467 
6468 static void selinux_release_secctx(char *secdata, u32 seclen)
6469 {
6470 	kfree(secdata);
6471 }
6472 
6473 static void selinux_inode_invalidate_secctx(struct inode *inode)
6474 {
6475 	struct inode_security_struct *isec = selinux_inode(inode);
6476 
6477 	spin_lock(&isec->lock);
6478 	isec->initialized = LABEL_INVALID;
6479 	spin_unlock(&isec->lock);
6480 }
6481 
6482 /*
6483  *	called with inode->i_mutex locked
6484  */
6485 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6486 {
6487 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6488 					   ctx, ctxlen, 0);
6489 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6490 	return rc == -EOPNOTSUPP ? 0 : rc;
6491 }
6492 
6493 /*
6494  *	called with inode->i_mutex locked
6495  */
6496 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6497 {
6498 	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6499 				     ctx, ctxlen, 0);
6500 }
6501 
6502 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6503 {
6504 	int len = 0;
6505 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6506 					XATTR_SELINUX_SUFFIX, ctx, true);
6507 	if (len < 0)
6508 		return len;
6509 	*ctxlen = len;
6510 	return 0;
6511 }
6512 #ifdef CONFIG_KEYS
6513 
6514 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6515 			     unsigned long flags)
6516 {
6517 	const struct task_security_struct *tsec;
6518 	struct key_security_struct *ksec;
6519 
6520 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6521 	if (!ksec)
6522 		return -ENOMEM;
6523 
6524 	tsec = selinux_cred(cred);
6525 	if (tsec->keycreate_sid)
6526 		ksec->sid = tsec->keycreate_sid;
6527 	else
6528 		ksec->sid = tsec->sid;
6529 
6530 	k->security = ksec;
6531 	return 0;
6532 }
6533 
6534 static void selinux_key_free(struct key *k)
6535 {
6536 	struct key_security_struct *ksec = k->security;
6537 
6538 	k->security = NULL;
6539 	kfree(ksec);
6540 }
6541 
6542 static int selinux_key_permission(key_ref_t key_ref,
6543 				  const struct cred *cred,
6544 				  enum key_need_perm need_perm)
6545 {
6546 	struct key *key;
6547 	struct key_security_struct *ksec;
6548 	u32 perm, sid;
6549 
6550 	switch (need_perm) {
6551 	case KEY_NEED_VIEW:
6552 		perm = KEY__VIEW;
6553 		break;
6554 	case KEY_NEED_READ:
6555 		perm = KEY__READ;
6556 		break;
6557 	case KEY_NEED_WRITE:
6558 		perm = KEY__WRITE;
6559 		break;
6560 	case KEY_NEED_SEARCH:
6561 		perm = KEY__SEARCH;
6562 		break;
6563 	case KEY_NEED_LINK:
6564 		perm = KEY__LINK;
6565 		break;
6566 	case KEY_NEED_SETATTR:
6567 		perm = KEY__SETATTR;
6568 		break;
6569 	case KEY_NEED_UNLINK:
6570 	case KEY_SYSADMIN_OVERRIDE:
6571 	case KEY_AUTHTOKEN_OVERRIDE:
6572 	case KEY_DEFER_PERM_CHECK:
6573 		return 0;
6574 	default:
6575 		WARN_ON(1);
6576 		return -EPERM;
6577 
6578 	}
6579 
6580 	sid = cred_sid(cred);
6581 	key = key_ref_to_ptr(key_ref);
6582 	ksec = key->security;
6583 
6584 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6585 }
6586 
6587 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6588 {
6589 	struct key_security_struct *ksec = key->security;
6590 	char *context = NULL;
6591 	unsigned len;
6592 	int rc;
6593 
6594 	rc = security_sid_to_context(ksec->sid,
6595 				     &context, &len);
6596 	if (!rc)
6597 		rc = len;
6598 	*_buffer = context;
6599 	return rc;
6600 }
6601 
6602 #ifdef CONFIG_KEY_NOTIFICATIONS
6603 static int selinux_watch_key(struct key *key)
6604 {
6605 	struct key_security_struct *ksec = key->security;
6606 	u32 sid = current_sid();
6607 
6608 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6609 }
6610 #endif
6611 #endif
6612 
6613 #ifdef CONFIG_SECURITY_INFINIBAND
6614 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6615 {
6616 	struct common_audit_data ad;
6617 	int err;
6618 	u32 sid = 0;
6619 	struct ib_security_struct *sec = ib_sec;
6620 	struct lsm_ibpkey_audit ibpkey;
6621 
6622 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6623 	if (err)
6624 		return err;
6625 
6626 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6627 	ibpkey.subnet_prefix = subnet_prefix;
6628 	ibpkey.pkey = pkey_val;
6629 	ad.u.ibpkey = &ibpkey;
6630 	return avc_has_perm(sec->sid, sid,
6631 			    SECCLASS_INFINIBAND_PKEY,
6632 			    INFINIBAND_PKEY__ACCESS, &ad);
6633 }
6634 
6635 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6636 					    u8 port_num)
6637 {
6638 	struct common_audit_data ad;
6639 	int err;
6640 	u32 sid = 0;
6641 	struct ib_security_struct *sec = ib_sec;
6642 	struct lsm_ibendport_audit ibendport;
6643 
6644 	err = security_ib_endport_sid(dev_name, port_num,
6645 				      &sid);
6646 
6647 	if (err)
6648 		return err;
6649 
6650 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6651 	ibendport.dev_name = dev_name;
6652 	ibendport.port = port_num;
6653 	ad.u.ibendport = &ibendport;
6654 	return avc_has_perm(sec->sid, sid,
6655 			    SECCLASS_INFINIBAND_ENDPORT,
6656 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6657 }
6658 
6659 static int selinux_ib_alloc_security(void **ib_sec)
6660 {
6661 	struct ib_security_struct *sec;
6662 
6663 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6664 	if (!sec)
6665 		return -ENOMEM;
6666 	sec->sid = current_sid();
6667 
6668 	*ib_sec = sec;
6669 	return 0;
6670 }
6671 
6672 static void selinux_ib_free_security(void *ib_sec)
6673 {
6674 	kfree(ib_sec);
6675 }
6676 #endif
6677 
6678 #ifdef CONFIG_BPF_SYSCALL
6679 static int selinux_bpf(int cmd, union bpf_attr *attr,
6680 				     unsigned int size)
6681 {
6682 	u32 sid = current_sid();
6683 	int ret;
6684 
6685 	switch (cmd) {
6686 	case BPF_MAP_CREATE:
6687 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6688 				   NULL);
6689 		break;
6690 	case BPF_PROG_LOAD:
6691 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6692 				   NULL);
6693 		break;
6694 	default:
6695 		ret = 0;
6696 		break;
6697 	}
6698 
6699 	return ret;
6700 }
6701 
6702 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6703 {
6704 	u32 av = 0;
6705 
6706 	if (fmode & FMODE_READ)
6707 		av |= BPF__MAP_READ;
6708 	if (fmode & FMODE_WRITE)
6709 		av |= BPF__MAP_WRITE;
6710 	return av;
6711 }
6712 
6713 /* This function will check the file pass through unix socket or binder to see
6714  * if it is a bpf related object. And apply corresponding checks on the bpf
6715  * object based on the type. The bpf maps and programs, not like other files and
6716  * socket, are using a shared anonymous inode inside the kernel as their inode.
6717  * So checking that inode cannot identify if the process have privilege to
6718  * access the bpf object and that's why we have to add this additional check in
6719  * selinux_file_receive and selinux_binder_transfer_files.
6720  */
6721 static int bpf_fd_pass(struct file *file, u32 sid)
6722 {
6723 	struct bpf_security_struct *bpfsec;
6724 	struct bpf_prog *prog;
6725 	struct bpf_map *map;
6726 	int ret;
6727 
6728 	if (file->f_op == &bpf_map_fops) {
6729 		map = file->private_data;
6730 		bpfsec = map->security;
6731 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6732 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6733 		if (ret)
6734 			return ret;
6735 	} else if (file->f_op == &bpf_prog_fops) {
6736 		prog = file->private_data;
6737 		bpfsec = prog->aux->security;
6738 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6739 				   BPF__PROG_RUN, NULL);
6740 		if (ret)
6741 			return ret;
6742 	}
6743 	return 0;
6744 }
6745 
6746 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6747 {
6748 	u32 sid = current_sid();
6749 	struct bpf_security_struct *bpfsec;
6750 
6751 	bpfsec = map->security;
6752 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6753 			    bpf_map_fmode_to_av(fmode), NULL);
6754 }
6755 
6756 static int selinux_bpf_prog(struct bpf_prog *prog)
6757 {
6758 	u32 sid = current_sid();
6759 	struct bpf_security_struct *bpfsec;
6760 
6761 	bpfsec = prog->aux->security;
6762 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6763 			    BPF__PROG_RUN, NULL);
6764 }
6765 
6766 static int selinux_bpf_map_alloc(struct bpf_map *map)
6767 {
6768 	struct bpf_security_struct *bpfsec;
6769 
6770 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6771 	if (!bpfsec)
6772 		return -ENOMEM;
6773 
6774 	bpfsec->sid = current_sid();
6775 	map->security = bpfsec;
6776 
6777 	return 0;
6778 }
6779 
6780 static void selinux_bpf_map_free(struct bpf_map *map)
6781 {
6782 	struct bpf_security_struct *bpfsec = map->security;
6783 
6784 	map->security = NULL;
6785 	kfree(bpfsec);
6786 }
6787 
6788 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6789 {
6790 	struct bpf_security_struct *bpfsec;
6791 
6792 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6793 	if (!bpfsec)
6794 		return -ENOMEM;
6795 
6796 	bpfsec->sid = current_sid();
6797 	aux->security = bpfsec;
6798 
6799 	return 0;
6800 }
6801 
6802 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6803 {
6804 	struct bpf_security_struct *bpfsec = aux->security;
6805 
6806 	aux->security = NULL;
6807 	kfree(bpfsec);
6808 }
6809 #endif
6810 
6811 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6812 	.lbs_cred = sizeof(struct task_security_struct),
6813 	.lbs_file = sizeof(struct file_security_struct),
6814 	.lbs_inode = sizeof(struct inode_security_struct),
6815 	.lbs_ipc = sizeof(struct ipc_security_struct),
6816 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6817 	.lbs_superblock = sizeof(struct superblock_security_struct),
6818 };
6819 
6820 #ifdef CONFIG_PERF_EVENTS
6821 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6822 {
6823 	u32 requested, sid = current_sid();
6824 
6825 	if (type == PERF_SECURITY_OPEN)
6826 		requested = PERF_EVENT__OPEN;
6827 	else if (type == PERF_SECURITY_CPU)
6828 		requested = PERF_EVENT__CPU;
6829 	else if (type == PERF_SECURITY_KERNEL)
6830 		requested = PERF_EVENT__KERNEL;
6831 	else if (type == PERF_SECURITY_TRACEPOINT)
6832 		requested = PERF_EVENT__TRACEPOINT;
6833 	else
6834 		return -EINVAL;
6835 
6836 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6837 			    requested, NULL);
6838 }
6839 
6840 static int selinux_perf_event_alloc(struct perf_event *event)
6841 {
6842 	struct perf_event_security_struct *perfsec;
6843 
6844 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6845 	if (!perfsec)
6846 		return -ENOMEM;
6847 
6848 	perfsec->sid = current_sid();
6849 	event->security = perfsec;
6850 
6851 	return 0;
6852 }
6853 
6854 static void selinux_perf_event_free(struct perf_event *event)
6855 {
6856 	struct perf_event_security_struct *perfsec = event->security;
6857 
6858 	event->security = NULL;
6859 	kfree(perfsec);
6860 }
6861 
6862 static int selinux_perf_event_read(struct perf_event *event)
6863 {
6864 	struct perf_event_security_struct *perfsec = event->security;
6865 	u32 sid = current_sid();
6866 
6867 	return avc_has_perm(sid, perfsec->sid,
6868 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6869 }
6870 
6871 static int selinux_perf_event_write(struct perf_event *event)
6872 {
6873 	struct perf_event_security_struct *perfsec = event->security;
6874 	u32 sid = current_sid();
6875 
6876 	return avc_has_perm(sid, perfsec->sid,
6877 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6878 }
6879 #endif
6880 
6881 #ifdef CONFIG_IO_URING
6882 /**
6883  * selinux_uring_override_creds - check the requested cred override
6884  * @new: the target creds
6885  *
6886  * Check to see if the current task is allowed to override it's credentials
6887  * to service an io_uring operation.
6888  */
6889 static int selinux_uring_override_creds(const struct cred *new)
6890 {
6891 	return avc_has_perm(current_sid(), cred_sid(new),
6892 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6893 }
6894 
6895 /**
6896  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6897  *
6898  * Check to see if the current task is allowed to create a new io_uring
6899  * kernel polling thread.
6900  */
6901 static int selinux_uring_sqpoll(void)
6902 {
6903 	int sid = current_sid();
6904 
6905 	return avc_has_perm(sid, sid,
6906 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6907 }
6908 
6909 /**
6910  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6911  * @ioucmd: the io_uring command structure
6912  *
6913  * Check to see if the current domain is allowed to execute an
6914  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6915  *
6916  */
6917 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6918 {
6919 	struct file *file = ioucmd->file;
6920 	struct inode *inode = file_inode(file);
6921 	struct inode_security_struct *isec = selinux_inode(inode);
6922 	struct common_audit_data ad;
6923 
6924 	ad.type = LSM_AUDIT_DATA_FILE;
6925 	ad.u.file = file;
6926 
6927 	return avc_has_perm(current_sid(), isec->sid,
6928 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
6929 }
6930 #endif /* CONFIG_IO_URING */
6931 
6932 /*
6933  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6934  * 1. any hooks that don't belong to (2.) or (3.) below,
6935  * 2. hooks that both access structures allocated by other hooks, and allocate
6936  *    structures that can be later accessed by other hooks (mostly "cloning"
6937  *    hooks),
6938  * 3. hooks that only allocate structures that can be later accessed by other
6939  *    hooks ("allocating" hooks).
6940  *
6941  * Please follow block comment delimiters in the list to keep this order.
6942  *
6943  * This ordering is needed for SELinux runtime disable to work at least somewhat
6944  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6945  * when disabling SELinux at runtime.
6946  */
6947 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6948 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6949 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6950 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6951 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6952 
6953 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6954 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6955 	LSM_HOOK_INIT(capget, selinux_capget),
6956 	LSM_HOOK_INIT(capset, selinux_capset),
6957 	LSM_HOOK_INIT(capable, selinux_capable),
6958 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6959 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6960 	LSM_HOOK_INIT(syslog, selinux_syslog),
6961 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6962 
6963 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6964 
6965 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6966 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6967 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6968 
6969 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6970 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
6971 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6972 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6973 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6974 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6975 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6976 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6977 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6978 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6979 
6980 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6981 
6982 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6983 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6984 
6985 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6986 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6987 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
6988 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6989 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6990 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6991 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6992 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6993 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6994 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6995 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6996 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6997 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6998 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6999 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7000 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7001 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7002 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7003 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7004 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7005 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7006 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7007 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7008 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7009 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7010 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7011 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7012 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7013 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7014 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7015 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7016 
7017 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7018 
7019 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7020 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7021 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7022 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7023 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7024 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7025 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7026 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7027 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7028 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7029 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7030 
7031 	LSM_HOOK_INIT(file_open, selinux_file_open),
7032 
7033 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7034 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7035 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7036 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7037 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7038 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7039 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7040 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7041 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7042 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7043 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7044 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7045 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7046 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7047 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7048 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7049 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7050 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7051 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7052 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7053 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7054 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7055 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7056 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7057 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7058 
7059 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7060 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7061 
7062 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7063 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7064 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7065 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7066 
7067 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7068 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7069 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7070 
7071 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7072 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7073 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7074 
7075 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7076 
7077 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7078 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7079 
7080 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7081 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7082 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7083 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7084 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7085 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7086 
7087 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7088 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7089 
7090 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7091 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7092 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7093 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7094 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7095 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7096 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7097 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7098 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7099 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7100 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7101 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7102 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7103 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7104 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7105 	LSM_HOOK_INIT(socket_getpeersec_stream,
7106 			selinux_socket_getpeersec_stream),
7107 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7108 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7109 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7110 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7111 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7112 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7113 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7114 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7115 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7116 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7117 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7118 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7119 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7120 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7121 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7122 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7123 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7124 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7125 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7126 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7127 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7128 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7129 #ifdef CONFIG_SECURITY_INFINIBAND
7130 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7131 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7132 		      selinux_ib_endport_manage_subnet),
7133 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7134 #endif
7135 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7136 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7137 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7138 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7139 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7140 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7141 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7142 			selinux_xfrm_state_pol_flow_match),
7143 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7144 #endif
7145 
7146 #ifdef CONFIG_KEYS
7147 	LSM_HOOK_INIT(key_free, selinux_key_free),
7148 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7149 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7150 #ifdef CONFIG_KEY_NOTIFICATIONS
7151 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7152 #endif
7153 #endif
7154 
7155 #ifdef CONFIG_AUDIT
7156 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7157 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7158 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7159 #endif
7160 
7161 #ifdef CONFIG_BPF_SYSCALL
7162 	LSM_HOOK_INIT(bpf, selinux_bpf),
7163 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7164 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7165 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7166 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7167 #endif
7168 
7169 #ifdef CONFIG_PERF_EVENTS
7170 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7171 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7172 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7173 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7174 #endif
7175 
7176 #ifdef CONFIG_IO_URING
7177 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7178 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7179 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7180 #endif
7181 
7182 	/*
7183 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7184 	 */
7185 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7186 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7187 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7188 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7189 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7190 #endif
7191 
7192 	/*
7193 	 * PUT "ALLOCATING" HOOKS HERE
7194 	 */
7195 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7196 	LSM_HOOK_INIT(msg_queue_alloc_security,
7197 		      selinux_msg_queue_alloc_security),
7198 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7199 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7200 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7201 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7202 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7203 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7204 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7205 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7206 #ifdef CONFIG_SECURITY_INFINIBAND
7207 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7208 #endif
7209 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7210 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7211 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7212 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7213 		      selinux_xfrm_state_alloc_acquire),
7214 #endif
7215 #ifdef CONFIG_KEYS
7216 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7217 #endif
7218 #ifdef CONFIG_AUDIT
7219 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7220 #endif
7221 #ifdef CONFIG_BPF_SYSCALL
7222 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7223 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7224 #endif
7225 #ifdef CONFIG_PERF_EVENTS
7226 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7227 #endif
7228 };
7229 
7230 static __init int selinux_init(void)
7231 {
7232 	pr_info("SELinux:  Initializing.\n");
7233 
7234 	memset(&selinux_state, 0, sizeof(selinux_state));
7235 	enforcing_set(selinux_enforcing_boot);
7236 	selinux_avc_init();
7237 	mutex_init(&selinux_state.status_lock);
7238 	mutex_init(&selinux_state.policy_mutex);
7239 
7240 	/* Set the security state for the initial task. */
7241 	cred_init_security();
7242 
7243 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7244 
7245 	avc_init();
7246 
7247 	avtab_cache_init();
7248 
7249 	ebitmap_cache_init();
7250 
7251 	hashtab_cache_init();
7252 
7253 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7254 
7255 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7256 		panic("SELinux: Unable to register AVC netcache callback\n");
7257 
7258 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7259 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7260 
7261 	if (selinux_enforcing_boot)
7262 		pr_debug("SELinux:  Starting in enforcing mode\n");
7263 	else
7264 		pr_debug("SELinux:  Starting in permissive mode\n");
7265 
7266 	fs_validate_description("selinux", selinux_fs_parameters);
7267 
7268 	return 0;
7269 }
7270 
7271 static void delayed_superblock_init(struct super_block *sb, void *unused)
7272 {
7273 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7274 }
7275 
7276 void selinux_complete_init(void)
7277 {
7278 	pr_debug("SELinux:  Completing initialization.\n");
7279 
7280 	/* Set up any superblocks initialized prior to the policy load. */
7281 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7282 	iterate_supers(delayed_superblock_init, NULL);
7283 }
7284 
7285 /* SELinux requires early initialization in order to label
7286    all processes and objects when they are created. */
7287 DEFINE_LSM(selinux) = {
7288 	.name = "selinux",
7289 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7290 	.enabled = &selinux_enabled_boot,
7291 	.blobs = &selinux_blob_sizes,
7292 	.init = selinux_init,
7293 };
7294 
7295 #if defined(CONFIG_NETFILTER)
7296 static const struct nf_hook_ops selinux_nf_ops[] = {
7297 	{
7298 		.hook =		selinux_ip_postroute,
7299 		.pf =		NFPROTO_IPV4,
7300 		.hooknum =	NF_INET_POST_ROUTING,
7301 		.priority =	NF_IP_PRI_SELINUX_LAST,
7302 	},
7303 	{
7304 		.hook =		selinux_ip_forward,
7305 		.pf =		NFPROTO_IPV4,
7306 		.hooknum =	NF_INET_FORWARD,
7307 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7308 	},
7309 	{
7310 		.hook =		selinux_ip_output,
7311 		.pf =		NFPROTO_IPV4,
7312 		.hooknum =	NF_INET_LOCAL_OUT,
7313 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7314 	},
7315 #if IS_ENABLED(CONFIG_IPV6)
7316 	{
7317 		.hook =		selinux_ip_postroute,
7318 		.pf =		NFPROTO_IPV6,
7319 		.hooknum =	NF_INET_POST_ROUTING,
7320 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7321 	},
7322 	{
7323 		.hook =		selinux_ip_forward,
7324 		.pf =		NFPROTO_IPV6,
7325 		.hooknum =	NF_INET_FORWARD,
7326 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7327 	},
7328 	{
7329 		.hook =		selinux_ip_output,
7330 		.pf =		NFPROTO_IPV6,
7331 		.hooknum =	NF_INET_LOCAL_OUT,
7332 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7333 	},
7334 #endif	/* IPV6 */
7335 };
7336 
7337 static int __net_init selinux_nf_register(struct net *net)
7338 {
7339 	return nf_register_net_hooks(net, selinux_nf_ops,
7340 				     ARRAY_SIZE(selinux_nf_ops));
7341 }
7342 
7343 static void __net_exit selinux_nf_unregister(struct net *net)
7344 {
7345 	nf_unregister_net_hooks(net, selinux_nf_ops,
7346 				ARRAY_SIZE(selinux_nf_ops));
7347 }
7348 
7349 static struct pernet_operations selinux_net_ops = {
7350 	.init = selinux_nf_register,
7351 	.exit = selinux_nf_unregister,
7352 };
7353 
7354 static int __init selinux_nf_ip_init(void)
7355 {
7356 	int err;
7357 
7358 	if (!selinux_enabled_boot)
7359 		return 0;
7360 
7361 	pr_debug("SELinux:  Registering netfilter hooks\n");
7362 
7363 	err = register_pernet_subsys(&selinux_net_ops);
7364 	if (err)
7365 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7366 
7367 	return 0;
7368 }
7369 __initcall(selinux_nf_ip_init);
7370 #endif /* CONFIG_NETFILTER */
7371