xref: /openbmc/linux/security/selinux/hooks.c (revision 9c6d26df1fae6ad4718d51c48e6517913304ed27)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91 
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102 
103 struct selinux_state selinux_state;
104 
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107 
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110 
111 static int __init enforcing_setup(char *str)
112 {
113 	unsigned long enforcing;
114 	if (!kstrtoul(str, 0, &enforcing))
115 		selinux_enforcing_boot = enforcing ? 1 : 0;
116 	return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122 
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125 
126 static int __init selinux_enabled_setup(char *str)
127 {
128 	unsigned long enabled;
129 	if (!kstrtoul(str, 0, &enabled))
130 		selinux_enabled = enabled ? 1 : 0;
131 	return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot))
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct cred *cred = (struct cred *) current->real_cred;
214 	struct task_security_struct *tsec;
215 
216 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 	if (!tsec)
218 		panic("SELinux:  Failed to initialize initial task.\n");
219 
220 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 	cred->security = tsec;
222 }
223 
224 /*
225  * get the security ID of a set of credentials
226  */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 	const struct task_security_struct *tsec;
230 
231 	tsec = cred->security;
232 	return tsec->sid;
233 }
234 
235 /*
236  * get the objective security ID of a task
237  */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 	u32 sid;
241 
242 	rcu_read_lock();
243 	sid = cred_sid(__task_cred(task));
244 	rcu_read_unlock();
245 	return sid;
246 }
247 
248 /* Allocate and free functions for each kind of security blob. */
249 
250 static int inode_alloc_security(struct inode *inode)
251 {
252 	struct inode_security_struct *isec;
253 	u32 sid = current_sid();
254 
255 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 	if (!isec)
257 		return -ENOMEM;
258 
259 	spin_lock_init(&isec->lock);
260 	INIT_LIST_HEAD(&isec->list);
261 	isec->inode = inode;
262 	isec->sid = SECINITSID_UNLABELED;
263 	isec->sclass = SECCLASS_FILE;
264 	isec->task_sid = sid;
265 	isec->initialized = LABEL_INVALID;
266 	inode->i_security = isec;
267 
268 	return 0;
269 }
270 
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272 
273 /*
274  * Try reloading inode security labels that have been marked as invalid.  The
275  * @may_sleep parameter indicates when sleeping and thus reloading labels is
276  * allowed; when set to false, returns -ECHILD when the label is
277  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
278  * when no dentry is available, set it to NULL instead.
279  */
280 static int __inode_security_revalidate(struct inode *inode,
281 				       struct dentry *opt_dentry,
282 				       bool may_sleep)
283 {
284 	struct inode_security_struct *isec = inode->i_security;
285 
286 	might_sleep_if(may_sleep);
287 
288 	if (selinux_state.initialized &&
289 	    isec->initialized != LABEL_INITIALIZED) {
290 		if (!may_sleep)
291 			return -ECHILD;
292 
293 		/*
294 		 * Try reloading the inode security label.  This will fail if
295 		 * @opt_dentry is NULL and no dentry for this inode can be
296 		 * found; in that case, continue using the old label.
297 		 */
298 		inode_doinit_with_dentry(inode, opt_dentry);
299 	}
300 	return 0;
301 }
302 
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 {
305 	return inode->i_security;
306 }
307 
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309 {
310 	int error;
311 
312 	error = __inode_security_revalidate(inode, NULL, !rcu);
313 	if (error)
314 		return ERR_PTR(error);
315 	return inode->i_security;
316 }
317 
318 /*
319  * Get the security label of an inode.
320  */
321 static struct inode_security_struct *inode_security(struct inode *inode)
322 {
323 	__inode_security_revalidate(inode, NULL, true);
324 	return inode->i_security;
325 }
326 
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 {
329 	struct inode *inode = d_backing_inode(dentry);
330 
331 	return inode->i_security;
332 }
333 
334 /*
335  * Get the security label of a dentry's backing inode.
336  */
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 {
339 	struct inode *inode = d_backing_inode(dentry);
340 
341 	__inode_security_revalidate(inode, dentry, true);
342 	return inode->i_security;
343 }
344 
345 static void inode_free_rcu(struct rcu_head *head)
346 {
347 	struct inode_security_struct *isec;
348 
349 	isec = container_of(head, struct inode_security_struct, rcu);
350 	kmem_cache_free(sel_inode_cache, isec);
351 }
352 
353 static void inode_free_security(struct inode *inode)
354 {
355 	struct inode_security_struct *isec = inode->i_security;
356 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357 
358 	/*
359 	 * As not all inode security structures are in a list, we check for
360 	 * empty list outside of the lock to make sure that we won't waste
361 	 * time taking a lock doing nothing.
362 	 *
363 	 * The list_del_init() function can be safely called more than once.
364 	 * It should not be possible for this function to be called with
365 	 * concurrent list_add(), but for better safety against future changes
366 	 * in the code, we use list_empty_careful() here.
367 	 */
368 	if (!list_empty_careful(&isec->list)) {
369 		spin_lock(&sbsec->isec_lock);
370 		list_del_init(&isec->list);
371 		spin_unlock(&sbsec->isec_lock);
372 	}
373 
374 	/*
375 	 * The inode may still be referenced in a path walk and
376 	 * a call to selinux_inode_permission() can be made
377 	 * after inode_free_security() is called. Ideally, the VFS
378 	 * wouldn't do this, but fixing that is a much harder
379 	 * job. For now, simply free the i_security via RCU, and
380 	 * leave the current inode->i_security pointer intact.
381 	 * The inode will be freed after the RCU grace period too.
382 	 */
383 	call_rcu(&isec->rcu, inode_free_rcu);
384 }
385 
386 static int file_alloc_security(struct file *file)
387 {
388 	struct file_security_struct *fsec;
389 	u32 sid = current_sid();
390 
391 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
392 	if (!fsec)
393 		return -ENOMEM;
394 
395 	fsec->sid = sid;
396 	fsec->fown_sid = sid;
397 	file->f_security = fsec;
398 
399 	return 0;
400 }
401 
402 static void file_free_security(struct file *file)
403 {
404 	struct file_security_struct *fsec = file->f_security;
405 	file->f_security = NULL;
406 	kmem_cache_free(file_security_cache, fsec);
407 }
408 
409 static int superblock_alloc_security(struct super_block *sb)
410 {
411 	struct superblock_security_struct *sbsec;
412 
413 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
414 	if (!sbsec)
415 		return -ENOMEM;
416 
417 	mutex_init(&sbsec->lock);
418 	INIT_LIST_HEAD(&sbsec->isec_head);
419 	spin_lock_init(&sbsec->isec_lock);
420 	sbsec->sb = sb;
421 	sbsec->sid = SECINITSID_UNLABELED;
422 	sbsec->def_sid = SECINITSID_FILE;
423 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424 	sb->s_security = sbsec;
425 
426 	return 0;
427 }
428 
429 static void superblock_free_security(struct super_block *sb)
430 {
431 	struct superblock_security_struct *sbsec = sb->s_security;
432 	sb->s_security = NULL;
433 	kfree(sbsec);
434 }
435 
436 static inline int inode_doinit(struct inode *inode)
437 {
438 	return inode_doinit_with_dentry(inode, NULL);
439 }
440 
441 enum {
442 	Opt_error = -1,
443 	Opt_context = 1,
444 	Opt_fscontext = 2,
445 	Opt_defcontext = 3,
446 	Opt_rootcontext = 4,
447 	Opt_labelsupport = 5,
448 	Opt_nextmntopt = 6,
449 };
450 
451 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
452 
453 static const match_table_t tokens = {
454 	{Opt_context, CONTEXT_STR "%s"},
455 	{Opt_fscontext, FSCONTEXT_STR "%s"},
456 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
457 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458 	{Opt_labelsupport, LABELSUPP_STR},
459 	{Opt_error, NULL},
460 };
461 
462 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
463 
464 static int may_context_mount_sb_relabel(u32 sid,
465 			struct superblock_security_struct *sbsec,
466 			const struct cred *cred)
467 {
468 	const struct task_security_struct *tsec = cred->security;
469 	int rc;
470 
471 	rc = avc_has_perm(&selinux_state,
472 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 			  FILESYSTEM__RELABELFROM, NULL);
474 	if (rc)
475 		return rc;
476 
477 	rc = avc_has_perm(&selinux_state,
478 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
479 			  FILESYSTEM__RELABELTO, NULL);
480 	return rc;
481 }
482 
483 static int may_context_mount_inode_relabel(u32 sid,
484 			struct superblock_security_struct *sbsec,
485 			const struct cred *cred)
486 {
487 	const struct task_security_struct *tsec = cred->security;
488 	int rc;
489 	rc = avc_has_perm(&selinux_state,
490 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491 			  FILESYSTEM__RELABELFROM, NULL);
492 	if (rc)
493 		return rc;
494 
495 	rc = avc_has_perm(&selinux_state,
496 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
497 			  FILESYSTEM__ASSOCIATE, NULL);
498 	return rc;
499 }
500 
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 {
503 	struct superblock_security_struct *sbsec = sb->s_security;
504 
505 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 		sbsec->behavior == SECURITY_FS_USE_TASK ||
508 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509 		/* Special handling. Genfs but also in-core setxattr handler */
510 		!strcmp(sb->s_type->name, "sysfs") ||
511 		!strcmp(sb->s_type->name, "pstore") ||
512 		!strcmp(sb->s_type->name, "debugfs") ||
513 		!strcmp(sb->s_type->name, "tracefs") ||
514 		!strcmp(sb->s_type->name, "rootfs") ||
515 		(selinux_policycap_cgroupseclabel() &&
516 		 (!strcmp(sb->s_type->name, "cgroup") ||
517 		  !strcmp(sb->s_type->name, "cgroup2")));
518 }
519 
520 static int sb_finish_set_opts(struct super_block *sb)
521 {
522 	struct superblock_security_struct *sbsec = sb->s_security;
523 	struct dentry *root = sb->s_root;
524 	struct inode *root_inode = d_backing_inode(root);
525 	int rc = 0;
526 
527 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 		/* Make sure that the xattr handler exists and that no
529 		   error other than -ENODATA is returned by getxattr on
530 		   the root directory.  -ENODATA is ok, as this may be
531 		   the first boot of the SELinux kernel before we have
532 		   assigned xattr values to the filesystem. */
533 		if (!(root_inode->i_opflags & IOP_XATTR)) {
534 			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535 			       "xattr support\n", sb->s_id, sb->s_type->name);
536 			rc = -EOPNOTSUPP;
537 			goto out;
538 		}
539 
540 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541 		if (rc < 0 && rc != -ENODATA) {
542 			if (rc == -EOPNOTSUPP)
543 				printk(KERN_WARNING "SELinux: (dev %s, type "
544 				       "%s) has no security xattr handler\n",
545 				       sb->s_id, sb->s_type->name);
546 			else
547 				printk(KERN_WARNING "SELinux: (dev %s, type "
548 				       "%s) getxattr errno %d\n", sb->s_id,
549 				       sb->s_type->name, -rc);
550 			goto out;
551 		}
552 	}
553 
554 	sbsec->flags |= SE_SBINITIALIZED;
555 
556 	/*
557 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
558 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 	 * us a superblock that needs the flag to be cleared.
560 	 */
561 	if (selinux_is_sblabel_mnt(sb))
562 		sbsec->flags |= SBLABEL_MNT;
563 	else
564 		sbsec->flags &= ~SBLABEL_MNT;
565 
566 	/* Initialize the root inode. */
567 	rc = inode_doinit_with_dentry(root_inode, root);
568 
569 	/* Initialize any other inodes associated with the superblock, e.g.
570 	   inodes created prior to initial policy load or inodes created
571 	   during get_sb by a pseudo filesystem that directly
572 	   populates itself. */
573 	spin_lock(&sbsec->isec_lock);
574 next_inode:
575 	if (!list_empty(&sbsec->isec_head)) {
576 		struct inode_security_struct *isec =
577 				list_entry(sbsec->isec_head.next,
578 					   struct inode_security_struct, list);
579 		struct inode *inode = isec->inode;
580 		list_del_init(&isec->list);
581 		spin_unlock(&sbsec->isec_lock);
582 		inode = igrab(inode);
583 		if (inode) {
584 			if (!IS_PRIVATE(inode))
585 				inode_doinit(inode);
586 			iput(inode);
587 		}
588 		spin_lock(&sbsec->isec_lock);
589 		goto next_inode;
590 	}
591 	spin_unlock(&sbsec->isec_lock);
592 out:
593 	return rc;
594 }
595 
596 /*
597  * This function should allow an FS to ask what it's mount security
598  * options were so it can use those later for submounts, displaying
599  * mount options, or whatever.
600  */
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602 				struct security_mnt_opts *opts)
603 {
604 	int rc = 0, i;
605 	struct superblock_security_struct *sbsec = sb->s_security;
606 	char *context = NULL;
607 	u32 len;
608 	char tmp;
609 
610 	security_init_mnt_opts(opts);
611 
612 	if (!(sbsec->flags & SE_SBINITIALIZED))
613 		return -EINVAL;
614 
615 	if (!selinux_state.initialized)
616 		return -EINVAL;
617 
618 	/* make sure we always check enough bits to cover the mask */
619 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620 
621 	tmp = sbsec->flags & SE_MNTMASK;
622 	/* count the number of mount options for this sb */
623 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624 		if (tmp & 0x01)
625 			opts->num_mnt_opts++;
626 		tmp >>= 1;
627 	}
628 	/* Check if the Label support flag is set */
629 	if (sbsec->flags & SBLABEL_MNT)
630 		opts->num_mnt_opts++;
631 
632 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 	if (!opts->mnt_opts) {
634 		rc = -ENOMEM;
635 		goto out_free;
636 	}
637 
638 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 	if (!opts->mnt_opts_flags) {
640 		rc = -ENOMEM;
641 		goto out_free;
642 	}
643 
644 	i = 0;
645 	if (sbsec->flags & FSCONTEXT_MNT) {
646 		rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 					     &context, &len);
648 		if (rc)
649 			goto out_free;
650 		opts->mnt_opts[i] = context;
651 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652 	}
653 	if (sbsec->flags & CONTEXT_MNT) {
654 		rc = security_sid_to_context(&selinux_state,
655 					     sbsec->mntpoint_sid,
656 					     &context, &len);
657 		if (rc)
658 			goto out_free;
659 		opts->mnt_opts[i] = context;
660 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661 	}
662 	if (sbsec->flags & DEFCONTEXT_MNT) {
663 		rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 					     &context, &len);
665 		if (rc)
666 			goto out_free;
667 		opts->mnt_opts[i] = context;
668 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669 	}
670 	if (sbsec->flags & ROOTCONTEXT_MNT) {
671 		struct dentry *root = sbsec->sb->s_root;
672 		struct inode_security_struct *isec = backing_inode_security(root);
673 
674 		rc = security_sid_to_context(&selinux_state, isec->sid,
675 					     &context, &len);
676 		if (rc)
677 			goto out_free;
678 		opts->mnt_opts[i] = context;
679 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680 	}
681 	if (sbsec->flags & SBLABEL_MNT) {
682 		opts->mnt_opts[i] = NULL;
683 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
684 	}
685 
686 	BUG_ON(i != opts->num_mnt_opts);
687 
688 	return 0;
689 
690 out_free:
691 	security_free_mnt_opts(opts);
692 	return rc;
693 }
694 
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 		      u32 old_sid, u32 new_sid)
697 {
698 	char mnt_flags = sbsec->flags & SE_MNTMASK;
699 
700 	/* check if the old mount command had the same options */
701 	if (sbsec->flags & SE_SBINITIALIZED)
702 		if (!(sbsec->flags & flag) ||
703 		    (old_sid != new_sid))
704 			return 1;
705 
706 	/* check if we were passed the same options twice,
707 	 * aka someone passed context=a,context=b
708 	 */
709 	if (!(sbsec->flags & SE_SBINITIALIZED))
710 		if (mnt_flags & flag)
711 			return 1;
712 	return 0;
713 }
714 
715 /*
716  * Allow filesystems with binary mount data to explicitly set mount point
717  * labeling information.
718  */
719 static int selinux_set_mnt_opts(struct super_block *sb,
720 				struct security_mnt_opts *opts,
721 				unsigned long kern_flags,
722 				unsigned long *set_kern_flags)
723 {
724 	const struct cred *cred = current_cred();
725 	int rc = 0, i;
726 	struct superblock_security_struct *sbsec = sb->s_security;
727 	const char *name = sb->s_type->name;
728 	struct dentry *root = sbsec->sb->s_root;
729 	struct inode_security_struct *root_isec;
730 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 	u32 defcontext_sid = 0;
732 	char **mount_options = opts->mnt_opts;
733 	int *flags = opts->mnt_opts_flags;
734 	int num_opts = opts->num_mnt_opts;
735 
736 	mutex_lock(&sbsec->lock);
737 
738 	if (!selinux_state.initialized) {
739 		if (!num_opts) {
740 			/* Defer initialization until selinux_complete_init,
741 			   after the initial policy is loaded and the security
742 			   server is ready to handle calls. */
743 			goto out;
744 		}
745 		rc = -EINVAL;
746 		printk(KERN_WARNING "SELinux: Unable to set superblock options "
747 			"before the security server is initialized\n");
748 		goto out;
749 	}
750 	if (kern_flags && !set_kern_flags) {
751 		/* Specifying internal flags without providing a place to
752 		 * place the results is not allowed */
753 		rc = -EINVAL;
754 		goto out;
755 	}
756 
757 	/*
758 	 * Binary mount data FS will come through this function twice.  Once
759 	 * from an explicit call and once from the generic calls from the vfs.
760 	 * Since the generic VFS calls will not contain any security mount data
761 	 * we need to skip the double mount verification.
762 	 *
763 	 * This does open a hole in which we will not notice if the first
764 	 * mount using this sb set explict options and a second mount using
765 	 * this sb does not set any security options.  (The first options
766 	 * will be used for both mounts)
767 	 */
768 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
769 	    && (num_opts == 0))
770 		goto out;
771 
772 	root_isec = backing_inode_security_novalidate(root);
773 
774 	/*
775 	 * parse the mount options, check if they are valid sids.
776 	 * also check if someone is trying to mount the same sb more
777 	 * than once with different security options.
778 	 */
779 	for (i = 0; i < num_opts; i++) {
780 		u32 sid;
781 
782 		if (flags[i] == SBLABEL_MNT)
783 			continue;
784 		rc = security_context_str_to_sid(&selinux_state,
785 						 mount_options[i], &sid,
786 						 GFP_KERNEL);
787 		if (rc) {
788 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
790 			       mount_options[i], sb->s_id, name, rc);
791 			goto out;
792 		}
793 		switch (flags[i]) {
794 		case FSCONTEXT_MNT:
795 			fscontext_sid = sid;
796 
797 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 					fscontext_sid))
799 				goto out_double_mount;
800 
801 			sbsec->flags |= FSCONTEXT_MNT;
802 			break;
803 		case CONTEXT_MNT:
804 			context_sid = sid;
805 
806 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 					context_sid))
808 				goto out_double_mount;
809 
810 			sbsec->flags |= CONTEXT_MNT;
811 			break;
812 		case ROOTCONTEXT_MNT:
813 			rootcontext_sid = sid;
814 
815 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 					rootcontext_sid))
817 				goto out_double_mount;
818 
819 			sbsec->flags |= ROOTCONTEXT_MNT;
820 
821 			break;
822 		case DEFCONTEXT_MNT:
823 			defcontext_sid = sid;
824 
825 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 					defcontext_sid))
827 				goto out_double_mount;
828 
829 			sbsec->flags |= DEFCONTEXT_MNT;
830 
831 			break;
832 		default:
833 			rc = -EINVAL;
834 			goto out;
835 		}
836 	}
837 
838 	if (sbsec->flags & SE_SBINITIALIZED) {
839 		/* previously mounted with options, but not on this attempt? */
840 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841 			goto out_double_mount;
842 		rc = 0;
843 		goto out;
844 	}
845 
846 	if (strcmp(sb->s_type->name, "proc") == 0)
847 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848 
849 	if (!strcmp(sb->s_type->name, "debugfs") ||
850 	    !strcmp(sb->s_type->name, "tracefs") ||
851 	    !strcmp(sb->s_type->name, "sysfs") ||
852 	    !strcmp(sb->s_type->name, "pstore") ||
853 	    !strcmp(sb->s_type->name, "cgroup") ||
854 	    !strcmp(sb->s_type->name, "cgroup2"))
855 		sbsec->flags |= SE_SBGENFS;
856 
857 	if (!sbsec->behavior) {
858 		/*
859 		 * Determine the labeling behavior to use for this
860 		 * filesystem type.
861 		 */
862 		rc = security_fs_use(&selinux_state, sb);
863 		if (rc) {
864 			printk(KERN_WARNING
865 				"%s: security_fs_use(%s) returned %d\n",
866 					__func__, sb->s_type->name, rc);
867 			goto out;
868 		}
869 	}
870 
871 	/*
872 	 * If this is a user namespace mount and the filesystem type is not
873 	 * explicitly whitelisted, then no contexts are allowed on the command
874 	 * line and security labels must be ignored.
875 	 */
876 	if (sb->s_user_ns != &init_user_ns &&
877 	    strcmp(sb->s_type->name, "tmpfs") &&
878 	    strcmp(sb->s_type->name, "ramfs") &&
879 	    strcmp(sb->s_type->name, "devpts")) {
880 		if (context_sid || fscontext_sid || rootcontext_sid ||
881 		    defcontext_sid) {
882 			rc = -EACCES;
883 			goto out;
884 		}
885 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887 			rc = security_transition_sid(&selinux_state,
888 						     current_sid(),
889 						     current_sid(),
890 						     SECCLASS_FILE, NULL,
891 						     &sbsec->mntpoint_sid);
892 			if (rc)
893 				goto out;
894 		}
895 		goto out_set_opts;
896 	}
897 
898 	/* sets the context of the superblock for the fs being mounted. */
899 	if (fscontext_sid) {
900 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
901 		if (rc)
902 			goto out;
903 
904 		sbsec->sid = fscontext_sid;
905 	}
906 
907 	/*
908 	 * Switch to using mount point labeling behavior.
909 	 * sets the label used on all file below the mountpoint, and will set
910 	 * the superblock context if not already set.
911 	 */
912 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
914 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
915 	}
916 
917 	if (context_sid) {
918 		if (!fscontext_sid) {
919 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
920 							  cred);
921 			if (rc)
922 				goto out;
923 			sbsec->sid = context_sid;
924 		} else {
925 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
926 							     cred);
927 			if (rc)
928 				goto out;
929 		}
930 		if (!rootcontext_sid)
931 			rootcontext_sid = context_sid;
932 
933 		sbsec->mntpoint_sid = context_sid;
934 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
935 	}
936 
937 	if (rootcontext_sid) {
938 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
939 						     cred);
940 		if (rc)
941 			goto out;
942 
943 		root_isec->sid = rootcontext_sid;
944 		root_isec->initialized = LABEL_INITIALIZED;
945 	}
946 
947 	if (defcontext_sid) {
948 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
950 			rc = -EINVAL;
951 			printk(KERN_WARNING "SELinux: defcontext option is "
952 			       "invalid for this filesystem type\n");
953 			goto out;
954 		}
955 
956 		if (defcontext_sid != sbsec->def_sid) {
957 			rc = may_context_mount_inode_relabel(defcontext_sid,
958 							     sbsec, cred);
959 			if (rc)
960 				goto out;
961 		}
962 
963 		sbsec->def_sid = defcontext_sid;
964 	}
965 
966 out_set_opts:
967 	rc = sb_finish_set_opts(sb);
968 out:
969 	mutex_unlock(&sbsec->lock);
970 	return rc;
971 out_double_mount:
972 	rc = -EINVAL;
973 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
974 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
975 	goto out;
976 }
977 
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979 				    const struct super_block *newsb)
980 {
981 	struct superblock_security_struct *old = oldsb->s_security;
982 	struct superblock_security_struct *new = newsb->s_security;
983 	char oldflags = old->flags & SE_MNTMASK;
984 	char newflags = new->flags & SE_MNTMASK;
985 
986 	if (oldflags != newflags)
987 		goto mismatch;
988 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989 		goto mismatch;
990 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991 		goto mismatch;
992 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993 		goto mismatch;
994 	if (oldflags & ROOTCONTEXT_MNT) {
995 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997 		if (oldroot->sid != newroot->sid)
998 			goto mismatch;
999 	}
1000 	return 0;
1001 mismatch:
1002 	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
1003 			    "different security settings for (dev %s, "
1004 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
1005 	return -EBUSY;
1006 }
1007 
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009 					struct super_block *newsb,
1010 					unsigned long kern_flags,
1011 					unsigned long *set_kern_flags)
1012 {
1013 	int rc = 0;
1014 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015 	struct superblock_security_struct *newsbsec = newsb->s_security;
1016 
1017 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
1018 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
1019 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
1020 
1021 	/*
1022 	 * if the parent was able to be mounted it clearly had no special lsm
1023 	 * mount options.  thus we can safely deal with this superblock later
1024 	 */
1025 	if (!selinux_state.initialized)
1026 		return 0;
1027 
1028 	/*
1029 	 * Specifying internal flags without providing a place to
1030 	 * place the results is not allowed.
1031 	 */
1032 	if (kern_flags && !set_kern_flags)
1033 		return -EINVAL;
1034 
1035 	/* how can we clone if the old one wasn't set up?? */
1036 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1037 
1038 	/* if fs is reusing a sb, make sure that the contexts match */
1039 	if (newsbsec->flags & SE_SBINITIALIZED)
1040 		return selinux_cmp_sb_context(oldsb, newsb);
1041 
1042 	mutex_lock(&newsbsec->lock);
1043 
1044 	newsbsec->flags = oldsbsec->flags;
1045 
1046 	newsbsec->sid = oldsbsec->sid;
1047 	newsbsec->def_sid = oldsbsec->def_sid;
1048 	newsbsec->behavior = oldsbsec->behavior;
1049 
1050 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052 		rc = security_fs_use(&selinux_state, newsb);
1053 		if (rc)
1054 			goto out;
1055 	}
1056 
1057 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1060 	}
1061 
1062 	if (set_context) {
1063 		u32 sid = oldsbsec->mntpoint_sid;
1064 
1065 		if (!set_fscontext)
1066 			newsbsec->sid = sid;
1067 		if (!set_rootcontext) {
1068 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1069 			newisec->sid = sid;
1070 		}
1071 		newsbsec->mntpoint_sid = sid;
1072 	}
1073 	if (set_rootcontext) {
1074 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1076 
1077 		newisec->sid = oldisec->sid;
1078 	}
1079 
1080 	sb_finish_set_opts(newsb);
1081 out:
1082 	mutex_unlock(&newsbsec->lock);
1083 	return rc;
1084 }
1085 
1086 static int selinux_parse_opts_str(char *options,
1087 				  struct security_mnt_opts *opts)
1088 {
1089 	char *p;
1090 	char *context = NULL, *defcontext = NULL;
1091 	char *fscontext = NULL, *rootcontext = NULL;
1092 	int rc, num_mnt_opts = 0;
1093 
1094 	opts->num_mnt_opts = 0;
1095 
1096 	/* Standard string-based options. */
1097 	while ((p = strsep(&options, "|")) != NULL) {
1098 		int token;
1099 		substring_t args[MAX_OPT_ARGS];
1100 
1101 		if (!*p)
1102 			continue;
1103 
1104 		token = match_token(p, tokens, args);
1105 
1106 		switch (token) {
1107 		case Opt_context:
1108 			if (context || defcontext) {
1109 				rc = -EINVAL;
1110 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1111 				goto out_err;
1112 			}
1113 			context = match_strdup(&args[0]);
1114 			if (!context) {
1115 				rc = -ENOMEM;
1116 				goto out_err;
1117 			}
1118 			break;
1119 
1120 		case Opt_fscontext:
1121 			if (fscontext) {
1122 				rc = -EINVAL;
1123 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1124 				goto out_err;
1125 			}
1126 			fscontext = match_strdup(&args[0]);
1127 			if (!fscontext) {
1128 				rc = -ENOMEM;
1129 				goto out_err;
1130 			}
1131 			break;
1132 
1133 		case Opt_rootcontext:
1134 			if (rootcontext) {
1135 				rc = -EINVAL;
1136 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1137 				goto out_err;
1138 			}
1139 			rootcontext = match_strdup(&args[0]);
1140 			if (!rootcontext) {
1141 				rc = -ENOMEM;
1142 				goto out_err;
1143 			}
1144 			break;
1145 
1146 		case Opt_defcontext:
1147 			if (context || defcontext) {
1148 				rc = -EINVAL;
1149 				printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1150 				goto out_err;
1151 			}
1152 			defcontext = match_strdup(&args[0]);
1153 			if (!defcontext) {
1154 				rc = -ENOMEM;
1155 				goto out_err;
1156 			}
1157 			break;
1158 		case Opt_labelsupport:
1159 			break;
1160 		default:
1161 			rc = -EINVAL;
1162 			printk(KERN_WARNING "SELinux:  unknown mount option\n");
1163 			goto out_err;
1164 
1165 		}
1166 	}
1167 
1168 	rc = -ENOMEM;
1169 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170 	if (!opts->mnt_opts)
1171 		goto out_err;
1172 
1173 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174 				       GFP_KERNEL);
1175 	if (!opts->mnt_opts_flags)
1176 		goto out_err;
1177 
1178 	if (fscontext) {
1179 		opts->mnt_opts[num_mnt_opts] = fscontext;
1180 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1181 	}
1182 	if (context) {
1183 		opts->mnt_opts[num_mnt_opts] = context;
1184 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1185 	}
1186 	if (rootcontext) {
1187 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1188 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1189 	}
1190 	if (defcontext) {
1191 		opts->mnt_opts[num_mnt_opts] = defcontext;
1192 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1193 	}
1194 
1195 	opts->num_mnt_opts = num_mnt_opts;
1196 	return 0;
1197 
1198 out_err:
1199 	security_free_mnt_opts(opts);
1200 	kfree(context);
1201 	kfree(defcontext);
1202 	kfree(fscontext);
1203 	kfree(rootcontext);
1204 	return rc;
1205 }
1206 /*
1207  * string mount options parsing and call set the sbsec
1208  */
1209 static int superblock_doinit(struct super_block *sb, void *data)
1210 {
1211 	int rc = 0;
1212 	char *options = data;
1213 	struct security_mnt_opts opts;
1214 
1215 	security_init_mnt_opts(&opts);
1216 
1217 	if (!data)
1218 		goto out;
1219 
1220 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221 
1222 	rc = selinux_parse_opts_str(options, &opts);
1223 	if (rc)
1224 		goto out_err;
1225 
1226 out:
1227 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1228 
1229 out_err:
1230 	security_free_mnt_opts(&opts);
1231 	return rc;
1232 }
1233 
1234 static void selinux_write_opts(struct seq_file *m,
1235 			       struct security_mnt_opts *opts)
1236 {
1237 	int i;
1238 	char *prefix;
1239 
1240 	for (i = 0; i < opts->num_mnt_opts; i++) {
1241 		char *has_comma;
1242 
1243 		if (opts->mnt_opts[i])
1244 			has_comma = strchr(opts->mnt_opts[i], ',');
1245 		else
1246 			has_comma = NULL;
1247 
1248 		switch (opts->mnt_opts_flags[i]) {
1249 		case CONTEXT_MNT:
1250 			prefix = CONTEXT_STR;
1251 			break;
1252 		case FSCONTEXT_MNT:
1253 			prefix = FSCONTEXT_STR;
1254 			break;
1255 		case ROOTCONTEXT_MNT:
1256 			prefix = ROOTCONTEXT_STR;
1257 			break;
1258 		case DEFCONTEXT_MNT:
1259 			prefix = DEFCONTEXT_STR;
1260 			break;
1261 		case SBLABEL_MNT:
1262 			seq_putc(m, ',');
1263 			seq_puts(m, LABELSUPP_STR);
1264 			continue;
1265 		default:
1266 			BUG();
1267 			return;
1268 		};
1269 		/* we need a comma before each option */
1270 		seq_putc(m, ',');
1271 		seq_puts(m, prefix);
1272 		if (has_comma)
1273 			seq_putc(m, '\"');
1274 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1275 		if (has_comma)
1276 			seq_putc(m, '\"');
1277 	}
1278 }
1279 
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281 {
1282 	struct security_mnt_opts opts;
1283 	int rc;
1284 
1285 	rc = selinux_get_mnt_opts(sb, &opts);
1286 	if (rc) {
1287 		/* before policy load we may get EINVAL, don't show anything */
1288 		if (rc == -EINVAL)
1289 			rc = 0;
1290 		return rc;
1291 	}
1292 
1293 	selinux_write_opts(m, &opts);
1294 
1295 	security_free_mnt_opts(&opts);
1296 
1297 	return rc;
1298 }
1299 
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1301 {
1302 	switch (mode & S_IFMT) {
1303 	case S_IFSOCK:
1304 		return SECCLASS_SOCK_FILE;
1305 	case S_IFLNK:
1306 		return SECCLASS_LNK_FILE;
1307 	case S_IFREG:
1308 		return SECCLASS_FILE;
1309 	case S_IFBLK:
1310 		return SECCLASS_BLK_FILE;
1311 	case S_IFDIR:
1312 		return SECCLASS_DIR;
1313 	case S_IFCHR:
1314 		return SECCLASS_CHR_FILE;
1315 	case S_IFIFO:
1316 		return SECCLASS_FIFO_FILE;
1317 
1318 	}
1319 
1320 	return SECCLASS_FILE;
1321 }
1322 
1323 static inline int default_protocol_stream(int protocol)
1324 {
1325 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1326 }
1327 
1328 static inline int default_protocol_dgram(int protocol)
1329 {
1330 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1331 }
1332 
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334 {
1335 	int extsockclass = selinux_policycap_extsockclass();
1336 
1337 	switch (family) {
1338 	case PF_UNIX:
1339 		switch (type) {
1340 		case SOCK_STREAM:
1341 		case SOCK_SEQPACKET:
1342 			return SECCLASS_UNIX_STREAM_SOCKET;
1343 		case SOCK_DGRAM:
1344 		case SOCK_RAW:
1345 			return SECCLASS_UNIX_DGRAM_SOCKET;
1346 		}
1347 		break;
1348 	case PF_INET:
1349 	case PF_INET6:
1350 		switch (type) {
1351 		case SOCK_STREAM:
1352 		case SOCK_SEQPACKET:
1353 			if (default_protocol_stream(protocol))
1354 				return SECCLASS_TCP_SOCKET;
1355 			else if (extsockclass && protocol == IPPROTO_SCTP)
1356 				return SECCLASS_SCTP_SOCKET;
1357 			else
1358 				return SECCLASS_RAWIP_SOCKET;
1359 		case SOCK_DGRAM:
1360 			if (default_protocol_dgram(protocol))
1361 				return SECCLASS_UDP_SOCKET;
1362 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363 						  protocol == IPPROTO_ICMPV6))
1364 				return SECCLASS_ICMP_SOCKET;
1365 			else
1366 				return SECCLASS_RAWIP_SOCKET;
1367 		case SOCK_DCCP:
1368 			return SECCLASS_DCCP_SOCKET;
1369 		default:
1370 			return SECCLASS_RAWIP_SOCKET;
1371 		}
1372 		break;
1373 	case PF_NETLINK:
1374 		switch (protocol) {
1375 		case NETLINK_ROUTE:
1376 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1377 		case NETLINK_SOCK_DIAG:
1378 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379 		case NETLINK_NFLOG:
1380 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1381 		case NETLINK_XFRM:
1382 			return SECCLASS_NETLINK_XFRM_SOCKET;
1383 		case NETLINK_SELINUX:
1384 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1385 		case NETLINK_ISCSI:
1386 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1387 		case NETLINK_AUDIT:
1388 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1389 		case NETLINK_FIB_LOOKUP:
1390 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391 		case NETLINK_CONNECTOR:
1392 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393 		case NETLINK_NETFILTER:
1394 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395 		case NETLINK_DNRTMSG:
1396 			return SECCLASS_NETLINK_DNRT_SOCKET;
1397 		case NETLINK_KOBJECT_UEVENT:
1398 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399 		case NETLINK_GENERIC:
1400 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1401 		case NETLINK_SCSITRANSPORT:
1402 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403 		case NETLINK_RDMA:
1404 			return SECCLASS_NETLINK_RDMA_SOCKET;
1405 		case NETLINK_CRYPTO:
1406 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1407 		default:
1408 			return SECCLASS_NETLINK_SOCKET;
1409 		}
1410 	case PF_PACKET:
1411 		return SECCLASS_PACKET_SOCKET;
1412 	case PF_KEY:
1413 		return SECCLASS_KEY_SOCKET;
1414 	case PF_APPLETALK:
1415 		return SECCLASS_APPLETALK_SOCKET;
1416 	}
1417 
1418 	if (extsockclass) {
1419 		switch (family) {
1420 		case PF_AX25:
1421 			return SECCLASS_AX25_SOCKET;
1422 		case PF_IPX:
1423 			return SECCLASS_IPX_SOCKET;
1424 		case PF_NETROM:
1425 			return SECCLASS_NETROM_SOCKET;
1426 		case PF_ATMPVC:
1427 			return SECCLASS_ATMPVC_SOCKET;
1428 		case PF_X25:
1429 			return SECCLASS_X25_SOCKET;
1430 		case PF_ROSE:
1431 			return SECCLASS_ROSE_SOCKET;
1432 		case PF_DECnet:
1433 			return SECCLASS_DECNET_SOCKET;
1434 		case PF_ATMSVC:
1435 			return SECCLASS_ATMSVC_SOCKET;
1436 		case PF_RDS:
1437 			return SECCLASS_RDS_SOCKET;
1438 		case PF_IRDA:
1439 			return SECCLASS_IRDA_SOCKET;
1440 		case PF_PPPOX:
1441 			return SECCLASS_PPPOX_SOCKET;
1442 		case PF_LLC:
1443 			return SECCLASS_LLC_SOCKET;
1444 		case PF_CAN:
1445 			return SECCLASS_CAN_SOCKET;
1446 		case PF_TIPC:
1447 			return SECCLASS_TIPC_SOCKET;
1448 		case PF_BLUETOOTH:
1449 			return SECCLASS_BLUETOOTH_SOCKET;
1450 		case PF_IUCV:
1451 			return SECCLASS_IUCV_SOCKET;
1452 		case PF_RXRPC:
1453 			return SECCLASS_RXRPC_SOCKET;
1454 		case PF_ISDN:
1455 			return SECCLASS_ISDN_SOCKET;
1456 		case PF_PHONET:
1457 			return SECCLASS_PHONET_SOCKET;
1458 		case PF_IEEE802154:
1459 			return SECCLASS_IEEE802154_SOCKET;
1460 		case PF_CAIF:
1461 			return SECCLASS_CAIF_SOCKET;
1462 		case PF_ALG:
1463 			return SECCLASS_ALG_SOCKET;
1464 		case PF_NFC:
1465 			return SECCLASS_NFC_SOCKET;
1466 		case PF_VSOCK:
1467 			return SECCLASS_VSOCK_SOCKET;
1468 		case PF_KCM:
1469 			return SECCLASS_KCM_SOCKET;
1470 		case PF_QIPCRTR:
1471 			return SECCLASS_QIPCRTR_SOCKET;
1472 		case PF_SMC:
1473 			return SECCLASS_SMC_SOCKET;
1474 #if PF_MAX > 44
1475 #error New address family defined, please update this function.
1476 #endif
1477 		}
1478 	}
1479 
1480 	return SECCLASS_SOCKET;
1481 }
1482 
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484 				 u16 tclass,
1485 				 u16 flags,
1486 				 u32 *sid)
1487 {
1488 	int rc;
1489 	struct super_block *sb = dentry->d_sb;
1490 	char *buffer, *path;
1491 
1492 	buffer = (char *)__get_free_page(GFP_KERNEL);
1493 	if (!buffer)
1494 		return -ENOMEM;
1495 
1496 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 	if (IS_ERR(path))
1498 		rc = PTR_ERR(path);
1499 	else {
1500 		if (flags & SE_SBPROC) {
1501 			/* each process gets a /proc/PID/ entry. Strip off the
1502 			 * PID part to get a valid selinux labeling.
1503 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 			while (path[1] >= '0' && path[1] <= '9') {
1505 				path[1] = '/';
1506 				path++;
1507 			}
1508 		}
1509 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 					path, tclass, sid);
1511 	}
1512 	free_page((unsigned long)buffer);
1513 	return rc;
1514 }
1515 
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518 {
1519 	struct superblock_security_struct *sbsec = NULL;
1520 	struct inode_security_struct *isec = inode->i_security;
1521 	u32 task_sid, sid = 0;
1522 	u16 sclass;
1523 	struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525 	char *context = NULL;
1526 	unsigned len = 0;
1527 	int rc = 0;
1528 
1529 	if (isec->initialized == LABEL_INITIALIZED)
1530 		return 0;
1531 
1532 	spin_lock(&isec->lock);
1533 	if (isec->initialized == LABEL_INITIALIZED)
1534 		goto out_unlock;
1535 
1536 	if (isec->sclass == SECCLASS_FILE)
1537 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538 
1539 	sbsec = inode->i_sb->s_security;
1540 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541 		/* Defer initialization until selinux_complete_init,
1542 		   after the initial policy is loaded and the security
1543 		   server is ready to handle calls. */
1544 		spin_lock(&sbsec->isec_lock);
1545 		if (list_empty(&isec->list))
1546 			list_add(&isec->list, &sbsec->isec_head);
1547 		spin_unlock(&sbsec->isec_lock);
1548 		goto out_unlock;
1549 	}
1550 
1551 	sclass = isec->sclass;
1552 	task_sid = isec->task_sid;
1553 	sid = isec->sid;
1554 	isec->initialized = LABEL_PENDING;
1555 	spin_unlock(&isec->lock);
1556 
1557 	switch (sbsec->behavior) {
1558 	case SECURITY_FS_USE_NATIVE:
1559 		break;
1560 	case SECURITY_FS_USE_XATTR:
1561 		if (!(inode->i_opflags & IOP_XATTR)) {
1562 			sid = sbsec->def_sid;
1563 			break;
1564 		}
1565 		/* Need a dentry, since the xattr API requires one.
1566 		   Life would be simpler if we could just pass the inode. */
1567 		if (opt_dentry) {
1568 			/* Called from d_instantiate or d_splice_alias. */
1569 			dentry = dget(opt_dentry);
1570 		} else {
1571 			/* Called from selinux_complete_init, try to find a dentry. */
1572 			dentry = d_find_alias(inode);
1573 		}
1574 		if (!dentry) {
1575 			/*
1576 			 * this is can be hit on boot when a file is accessed
1577 			 * before the policy is loaded.  When we load policy we
1578 			 * may find inodes that have no dentry on the
1579 			 * sbsec->isec_head list.  No reason to complain as these
1580 			 * will get fixed up the next time we go through
1581 			 * inode_doinit with a dentry, before these inodes could
1582 			 * be used again by userspace.
1583 			 */
1584 			goto out;
1585 		}
1586 
1587 		len = INITCONTEXTLEN;
1588 		context = kmalloc(len+1, GFP_NOFS);
1589 		if (!context) {
1590 			rc = -ENOMEM;
1591 			dput(dentry);
1592 			goto out;
1593 		}
1594 		context[len] = '\0';
1595 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1596 		if (rc == -ERANGE) {
1597 			kfree(context);
1598 
1599 			/* Need a larger buffer.  Query for the right size. */
1600 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1601 			if (rc < 0) {
1602 				dput(dentry);
1603 				goto out;
1604 			}
1605 			len = rc;
1606 			context = kmalloc(len+1, GFP_NOFS);
1607 			if (!context) {
1608 				rc = -ENOMEM;
1609 				dput(dentry);
1610 				goto out;
1611 			}
1612 			context[len] = '\0';
1613 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1614 		}
1615 		dput(dentry);
1616 		if (rc < 0) {
1617 			if (rc != -ENODATA) {
1618 				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1619 				       "%d for dev=%s ino=%ld\n", __func__,
1620 				       -rc, inode->i_sb->s_id, inode->i_ino);
1621 				kfree(context);
1622 				goto out;
1623 			}
1624 			/* Map ENODATA to the default file SID */
1625 			sid = sbsec->def_sid;
1626 			rc = 0;
1627 		} else {
1628 			rc = security_context_to_sid_default(&selinux_state,
1629 							     context, rc, &sid,
1630 							     sbsec->def_sid,
1631 							     GFP_NOFS);
1632 			if (rc) {
1633 				char *dev = inode->i_sb->s_id;
1634 				unsigned long ino = inode->i_ino;
1635 
1636 				if (rc == -EINVAL) {
1637 					if (printk_ratelimit())
1638 						printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1639 							"context=%s.  This indicates you may need to relabel the inode or the "
1640 							"filesystem in question.\n", ino, dev, context);
1641 				} else {
1642 					printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1643 					       "returned %d for dev=%s ino=%ld\n",
1644 					       __func__, context, -rc, dev, ino);
1645 				}
1646 				kfree(context);
1647 				/* Leave with the unlabeled SID */
1648 				rc = 0;
1649 				break;
1650 			}
1651 		}
1652 		kfree(context);
1653 		break;
1654 	case SECURITY_FS_USE_TASK:
1655 		sid = task_sid;
1656 		break;
1657 	case SECURITY_FS_USE_TRANS:
1658 		/* Default to the fs SID. */
1659 		sid = sbsec->sid;
1660 
1661 		/* Try to obtain a transition SID. */
1662 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 					     sclass, NULL, &sid);
1664 		if (rc)
1665 			goto out;
1666 		break;
1667 	case SECURITY_FS_USE_MNTPOINT:
1668 		sid = sbsec->mntpoint_sid;
1669 		break;
1670 	default:
1671 		/* Default to the fs superblock SID. */
1672 		sid = sbsec->sid;
1673 
1674 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1675 			/* We must have a dentry to determine the label on
1676 			 * procfs inodes */
1677 			if (opt_dentry)
1678 				/* Called from d_instantiate or
1679 				 * d_splice_alias. */
1680 				dentry = dget(opt_dentry);
1681 			else
1682 				/* Called from selinux_complete_init, try to
1683 				 * find a dentry. */
1684 				dentry = d_find_alias(inode);
1685 			/*
1686 			 * This can be hit on boot when a file is accessed
1687 			 * before the policy is loaded.  When we load policy we
1688 			 * may find inodes that have no dentry on the
1689 			 * sbsec->isec_head list.  No reason to complain as
1690 			 * these will get fixed up the next time we go through
1691 			 * inode_doinit() with a dentry, before these inodes
1692 			 * could be used again by userspace.
1693 			 */
1694 			if (!dentry)
1695 				goto out;
1696 			rc = selinux_genfs_get_sid(dentry, sclass,
1697 						   sbsec->flags, &sid);
1698 			dput(dentry);
1699 			if (rc)
1700 				goto out;
1701 		}
1702 		break;
1703 	}
1704 
1705 out:
1706 	spin_lock(&isec->lock);
1707 	if (isec->initialized == LABEL_PENDING) {
1708 		if (!sid || rc) {
1709 			isec->initialized = LABEL_INVALID;
1710 			goto out_unlock;
1711 		}
1712 
1713 		isec->initialized = LABEL_INITIALIZED;
1714 		isec->sid = sid;
1715 	}
1716 
1717 out_unlock:
1718 	spin_unlock(&isec->lock);
1719 	return rc;
1720 }
1721 
1722 /* Convert a Linux signal to an access vector. */
1723 static inline u32 signal_to_av(int sig)
1724 {
1725 	u32 perm = 0;
1726 
1727 	switch (sig) {
1728 	case SIGCHLD:
1729 		/* Commonly granted from child to parent. */
1730 		perm = PROCESS__SIGCHLD;
1731 		break;
1732 	case SIGKILL:
1733 		/* Cannot be caught or ignored */
1734 		perm = PROCESS__SIGKILL;
1735 		break;
1736 	case SIGSTOP:
1737 		/* Cannot be caught or ignored */
1738 		perm = PROCESS__SIGSTOP;
1739 		break;
1740 	default:
1741 		/* All other signals. */
1742 		perm = PROCESS__SIGNAL;
1743 		break;
1744 	}
1745 
1746 	return perm;
1747 }
1748 
1749 #if CAP_LAST_CAP > 63
1750 #error Fix SELinux to handle capabilities > 63.
1751 #endif
1752 
1753 /* Check whether a task is allowed to use a capability. */
1754 static int cred_has_capability(const struct cred *cred,
1755 			       int cap, int audit, bool initns)
1756 {
1757 	struct common_audit_data ad;
1758 	struct av_decision avd;
1759 	u16 sclass;
1760 	u32 sid = cred_sid(cred);
1761 	u32 av = CAP_TO_MASK(cap);
1762 	int rc;
1763 
1764 	ad.type = LSM_AUDIT_DATA_CAP;
1765 	ad.u.cap = cap;
1766 
1767 	switch (CAP_TO_INDEX(cap)) {
1768 	case 0:
1769 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1770 		break;
1771 	case 1:
1772 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1773 		break;
1774 	default:
1775 		printk(KERN_ERR
1776 		       "SELinux:  out of range capability %d\n", cap);
1777 		BUG();
1778 		return -EINVAL;
1779 	}
1780 
1781 	rc = avc_has_perm_noaudit(&selinux_state,
1782 				  sid, sid, sclass, av, 0, &avd);
1783 	if (audit == SECURITY_CAP_AUDIT) {
1784 		int rc2 = avc_audit(&selinux_state,
1785 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1786 		if (rc2)
1787 			return rc2;
1788 	}
1789 	return rc;
1790 }
1791 
1792 /* Check whether a task has a particular permission to an inode.
1793    The 'adp' parameter is optional and allows other audit
1794    data to be passed (e.g. the dentry). */
1795 static int inode_has_perm(const struct cred *cred,
1796 			  struct inode *inode,
1797 			  u32 perms,
1798 			  struct common_audit_data *adp)
1799 {
1800 	struct inode_security_struct *isec;
1801 	u32 sid;
1802 
1803 	validate_creds(cred);
1804 
1805 	if (unlikely(IS_PRIVATE(inode)))
1806 		return 0;
1807 
1808 	sid = cred_sid(cred);
1809 	isec = inode->i_security;
1810 
1811 	return avc_has_perm(&selinux_state,
1812 			    sid, isec->sid, isec->sclass, perms, adp);
1813 }
1814 
1815 /* Same as inode_has_perm, but pass explicit audit data containing
1816    the dentry to help the auditing code to more easily generate the
1817    pathname if needed. */
1818 static inline int dentry_has_perm(const struct cred *cred,
1819 				  struct dentry *dentry,
1820 				  u32 av)
1821 {
1822 	struct inode *inode = d_backing_inode(dentry);
1823 	struct common_audit_data ad;
1824 
1825 	ad.type = LSM_AUDIT_DATA_DENTRY;
1826 	ad.u.dentry = dentry;
1827 	__inode_security_revalidate(inode, dentry, true);
1828 	return inode_has_perm(cred, inode, av, &ad);
1829 }
1830 
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832    the path to help the auditing code to more easily generate the
1833    pathname if needed. */
1834 static inline int path_has_perm(const struct cred *cred,
1835 				const struct path *path,
1836 				u32 av)
1837 {
1838 	struct inode *inode = d_backing_inode(path->dentry);
1839 	struct common_audit_data ad;
1840 
1841 	ad.type = LSM_AUDIT_DATA_PATH;
1842 	ad.u.path = *path;
1843 	__inode_security_revalidate(inode, path->dentry, true);
1844 	return inode_has_perm(cred, inode, av, &ad);
1845 }
1846 
1847 /* Same as path_has_perm, but uses the inode from the file struct. */
1848 static inline int file_path_has_perm(const struct cred *cred,
1849 				     struct file *file,
1850 				     u32 av)
1851 {
1852 	struct common_audit_data ad;
1853 
1854 	ad.type = LSM_AUDIT_DATA_FILE;
1855 	ad.u.file = file;
1856 	return inode_has_perm(cred, file_inode(file), av, &ad);
1857 }
1858 
1859 #ifdef CONFIG_BPF_SYSCALL
1860 static int bpf_fd_pass(struct file *file, u32 sid);
1861 #endif
1862 
1863 /* Check whether a task can use an open file descriptor to
1864    access an inode in a given way.  Check access to the
1865    descriptor itself, and then use dentry_has_perm to
1866    check a particular permission to the file.
1867    Access to the descriptor is implicitly granted if it
1868    has the same SID as the process.  If av is zero, then
1869    access to the file is not checked, e.g. for cases
1870    where only the descriptor is affected like seek. */
1871 static int file_has_perm(const struct cred *cred,
1872 			 struct file *file,
1873 			 u32 av)
1874 {
1875 	struct file_security_struct *fsec = file->f_security;
1876 	struct inode *inode = file_inode(file);
1877 	struct common_audit_data ad;
1878 	u32 sid = cred_sid(cred);
1879 	int rc;
1880 
1881 	ad.type = LSM_AUDIT_DATA_FILE;
1882 	ad.u.file = file;
1883 
1884 	if (sid != fsec->sid) {
1885 		rc = avc_has_perm(&selinux_state,
1886 				  sid, fsec->sid,
1887 				  SECCLASS_FD,
1888 				  FD__USE,
1889 				  &ad);
1890 		if (rc)
1891 			goto out;
1892 	}
1893 
1894 #ifdef CONFIG_BPF_SYSCALL
1895 	rc = bpf_fd_pass(file, cred_sid(cred));
1896 	if (rc)
1897 		return rc;
1898 #endif
1899 
1900 	/* av is zero if only checking access to the descriptor. */
1901 	rc = 0;
1902 	if (av)
1903 		rc = inode_has_perm(cred, inode, av, &ad);
1904 
1905 out:
1906 	return rc;
1907 }
1908 
1909 /*
1910  * Determine the label for an inode that might be unioned.
1911  */
1912 static int
1913 selinux_determine_inode_label(const struct task_security_struct *tsec,
1914 				 struct inode *dir,
1915 				 const struct qstr *name, u16 tclass,
1916 				 u32 *_new_isid)
1917 {
1918 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1919 
1920 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1921 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1922 		*_new_isid = sbsec->mntpoint_sid;
1923 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1924 		   tsec->create_sid) {
1925 		*_new_isid = tsec->create_sid;
1926 	} else {
1927 		const struct inode_security_struct *dsec = inode_security(dir);
1928 		return security_transition_sid(&selinux_state, tsec->sid,
1929 					       dsec->sid, tclass,
1930 					       name, _new_isid);
1931 	}
1932 
1933 	return 0;
1934 }
1935 
1936 /* Check whether a task can create a file. */
1937 static int may_create(struct inode *dir,
1938 		      struct dentry *dentry,
1939 		      u16 tclass)
1940 {
1941 	const struct task_security_struct *tsec = current_security();
1942 	struct inode_security_struct *dsec;
1943 	struct superblock_security_struct *sbsec;
1944 	u32 sid, newsid;
1945 	struct common_audit_data ad;
1946 	int rc;
1947 
1948 	dsec = inode_security(dir);
1949 	sbsec = dir->i_sb->s_security;
1950 
1951 	sid = tsec->sid;
1952 
1953 	ad.type = LSM_AUDIT_DATA_DENTRY;
1954 	ad.u.dentry = dentry;
1955 
1956 	rc = avc_has_perm(&selinux_state,
1957 			  sid, dsec->sid, SECCLASS_DIR,
1958 			  DIR__ADD_NAME | DIR__SEARCH,
1959 			  &ad);
1960 	if (rc)
1961 		return rc;
1962 
1963 	rc = selinux_determine_inode_label(current_security(), dir,
1964 					   &dentry->d_name, tclass, &newsid);
1965 	if (rc)
1966 		return rc;
1967 
1968 	rc = avc_has_perm(&selinux_state,
1969 			  sid, newsid, tclass, FILE__CREATE, &ad);
1970 	if (rc)
1971 		return rc;
1972 
1973 	return avc_has_perm(&selinux_state,
1974 			    newsid, sbsec->sid,
1975 			    SECCLASS_FILESYSTEM,
1976 			    FILESYSTEM__ASSOCIATE, &ad);
1977 }
1978 
1979 #define MAY_LINK	0
1980 #define MAY_UNLINK	1
1981 #define MAY_RMDIR	2
1982 
1983 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1984 static int may_link(struct inode *dir,
1985 		    struct dentry *dentry,
1986 		    int kind)
1987 
1988 {
1989 	struct inode_security_struct *dsec, *isec;
1990 	struct common_audit_data ad;
1991 	u32 sid = current_sid();
1992 	u32 av;
1993 	int rc;
1994 
1995 	dsec = inode_security(dir);
1996 	isec = backing_inode_security(dentry);
1997 
1998 	ad.type = LSM_AUDIT_DATA_DENTRY;
1999 	ad.u.dentry = dentry;
2000 
2001 	av = DIR__SEARCH;
2002 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2003 	rc = avc_has_perm(&selinux_state,
2004 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
2005 	if (rc)
2006 		return rc;
2007 
2008 	switch (kind) {
2009 	case MAY_LINK:
2010 		av = FILE__LINK;
2011 		break;
2012 	case MAY_UNLINK:
2013 		av = FILE__UNLINK;
2014 		break;
2015 	case MAY_RMDIR:
2016 		av = DIR__RMDIR;
2017 		break;
2018 	default:
2019 		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
2020 			__func__, kind);
2021 		return 0;
2022 	}
2023 
2024 	rc = avc_has_perm(&selinux_state,
2025 			  sid, isec->sid, isec->sclass, av, &ad);
2026 	return rc;
2027 }
2028 
2029 static inline int may_rename(struct inode *old_dir,
2030 			     struct dentry *old_dentry,
2031 			     struct inode *new_dir,
2032 			     struct dentry *new_dentry)
2033 {
2034 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2035 	struct common_audit_data ad;
2036 	u32 sid = current_sid();
2037 	u32 av;
2038 	int old_is_dir, new_is_dir;
2039 	int rc;
2040 
2041 	old_dsec = inode_security(old_dir);
2042 	old_isec = backing_inode_security(old_dentry);
2043 	old_is_dir = d_is_dir(old_dentry);
2044 	new_dsec = inode_security(new_dir);
2045 
2046 	ad.type = LSM_AUDIT_DATA_DENTRY;
2047 
2048 	ad.u.dentry = old_dentry;
2049 	rc = avc_has_perm(&selinux_state,
2050 			  sid, old_dsec->sid, SECCLASS_DIR,
2051 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2052 	if (rc)
2053 		return rc;
2054 	rc = avc_has_perm(&selinux_state,
2055 			  sid, old_isec->sid,
2056 			  old_isec->sclass, FILE__RENAME, &ad);
2057 	if (rc)
2058 		return rc;
2059 	if (old_is_dir && new_dir != old_dir) {
2060 		rc = avc_has_perm(&selinux_state,
2061 				  sid, old_isec->sid,
2062 				  old_isec->sclass, DIR__REPARENT, &ad);
2063 		if (rc)
2064 			return rc;
2065 	}
2066 
2067 	ad.u.dentry = new_dentry;
2068 	av = DIR__ADD_NAME | DIR__SEARCH;
2069 	if (d_is_positive(new_dentry))
2070 		av |= DIR__REMOVE_NAME;
2071 	rc = avc_has_perm(&selinux_state,
2072 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2073 	if (rc)
2074 		return rc;
2075 	if (d_is_positive(new_dentry)) {
2076 		new_isec = backing_inode_security(new_dentry);
2077 		new_is_dir = d_is_dir(new_dentry);
2078 		rc = avc_has_perm(&selinux_state,
2079 				  sid, new_isec->sid,
2080 				  new_isec->sclass,
2081 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2082 		if (rc)
2083 			return rc;
2084 	}
2085 
2086 	return 0;
2087 }
2088 
2089 /* Check whether a task can perform a filesystem operation. */
2090 static int superblock_has_perm(const struct cred *cred,
2091 			       struct super_block *sb,
2092 			       u32 perms,
2093 			       struct common_audit_data *ad)
2094 {
2095 	struct superblock_security_struct *sbsec;
2096 	u32 sid = cred_sid(cred);
2097 
2098 	sbsec = sb->s_security;
2099 	return avc_has_perm(&selinux_state,
2100 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2101 }
2102 
2103 /* Convert a Linux mode and permission mask to an access vector. */
2104 static inline u32 file_mask_to_av(int mode, int mask)
2105 {
2106 	u32 av = 0;
2107 
2108 	if (!S_ISDIR(mode)) {
2109 		if (mask & MAY_EXEC)
2110 			av |= FILE__EXECUTE;
2111 		if (mask & MAY_READ)
2112 			av |= FILE__READ;
2113 
2114 		if (mask & MAY_APPEND)
2115 			av |= FILE__APPEND;
2116 		else if (mask & MAY_WRITE)
2117 			av |= FILE__WRITE;
2118 
2119 	} else {
2120 		if (mask & MAY_EXEC)
2121 			av |= DIR__SEARCH;
2122 		if (mask & MAY_WRITE)
2123 			av |= DIR__WRITE;
2124 		if (mask & MAY_READ)
2125 			av |= DIR__READ;
2126 	}
2127 
2128 	return av;
2129 }
2130 
2131 /* Convert a Linux file to an access vector. */
2132 static inline u32 file_to_av(struct file *file)
2133 {
2134 	u32 av = 0;
2135 
2136 	if (file->f_mode & FMODE_READ)
2137 		av |= FILE__READ;
2138 	if (file->f_mode & FMODE_WRITE) {
2139 		if (file->f_flags & O_APPEND)
2140 			av |= FILE__APPEND;
2141 		else
2142 			av |= FILE__WRITE;
2143 	}
2144 	if (!av) {
2145 		/*
2146 		 * Special file opened with flags 3 for ioctl-only use.
2147 		 */
2148 		av = FILE__IOCTL;
2149 	}
2150 
2151 	return av;
2152 }
2153 
2154 /*
2155  * Convert a file to an access vector and include the correct open
2156  * open permission.
2157  */
2158 static inline u32 open_file_to_av(struct file *file)
2159 {
2160 	u32 av = file_to_av(file);
2161 	struct inode *inode = file_inode(file);
2162 
2163 	if (selinux_policycap_openperm() &&
2164 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2165 		av |= FILE__OPEN;
2166 
2167 	return av;
2168 }
2169 
2170 /* Hook functions begin here. */
2171 
2172 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2173 {
2174 	u32 mysid = current_sid();
2175 	u32 mgrsid = task_sid(mgr);
2176 
2177 	return avc_has_perm(&selinux_state,
2178 			    mysid, mgrsid, SECCLASS_BINDER,
2179 			    BINDER__SET_CONTEXT_MGR, NULL);
2180 }
2181 
2182 static int selinux_binder_transaction(struct task_struct *from,
2183 				      struct task_struct *to)
2184 {
2185 	u32 mysid = current_sid();
2186 	u32 fromsid = task_sid(from);
2187 	u32 tosid = task_sid(to);
2188 	int rc;
2189 
2190 	if (mysid != fromsid) {
2191 		rc = avc_has_perm(&selinux_state,
2192 				  mysid, fromsid, SECCLASS_BINDER,
2193 				  BINDER__IMPERSONATE, NULL);
2194 		if (rc)
2195 			return rc;
2196 	}
2197 
2198 	return avc_has_perm(&selinux_state,
2199 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2200 			    NULL);
2201 }
2202 
2203 static int selinux_binder_transfer_binder(struct task_struct *from,
2204 					  struct task_struct *to)
2205 {
2206 	u32 fromsid = task_sid(from);
2207 	u32 tosid = task_sid(to);
2208 
2209 	return avc_has_perm(&selinux_state,
2210 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2211 			    NULL);
2212 }
2213 
2214 static int selinux_binder_transfer_file(struct task_struct *from,
2215 					struct task_struct *to,
2216 					struct file *file)
2217 {
2218 	u32 sid = task_sid(to);
2219 	struct file_security_struct *fsec = file->f_security;
2220 	struct dentry *dentry = file->f_path.dentry;
2221 	struct inode_security_struct *isec;
2222 	struct common_audit_data ad;
2223 	int rc;
2224 
2225 	ad.type = LSM_AUDIT_DATA_PATH;
2226 	ad.u.path = file->f_path;
2227 
2228 	if (sid != fsec->sid) {
2229 		rc = avc_has_perm(&selinux_state,
2230 				  sid, fsec->sid,
2231 				  SECCLASS_FD,
2232 				  FD__USE,
2233 				  &ad);
2234 		if (rc)
2235 			return rc;
2236 	}
2237 
2238 #ifdef CONFIG_BPF_SYSCALL
2239 	rc = bpf_fd_pass(file, sid);
2240 	if (rc)
2241 		return rc;
2242 #endif
2243 
2244 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2245 		return 0;
2246 
2247 	isec = backing_inode_security(dentry);
2248 	return avc_has_perm(&selinux_state,
2249 			    sid, isec->sid, isec->sclass, file_to_av(file),
2250 			    &ad);
2251 }
2252 
2253 static int selinux_ptrace_access_check(struct task_struct *child,
2254 				     unsigned int mode)
2255 {
2256 	u32 sid = current_sid();
2257 	u32 csid = task_sid(child);
2258 
2259 	if (mode & PTRACE_MODE_READ)
2260 		return avc_has_perm(&selinux_state,
2261 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2262 
2263 	return avc_has_perm(&selinux_state,
2264 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2265 }
2266 
2267 static int selinux_ptrace_traceme(struct task_struct *parent)
2268 {
2269 	return avc_has_perm(&selinux_state,
2270 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2271 			    PROCESS__PTRACE, NULL);
2272 }
2273 
2274 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2275 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2276 {
2277 	return avc_has_perm(&selinux_state,
2278 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2279 			    PROCESS__GETCAP, NULL);
2280 }
2281 
2282 static int selinux_capset(struct cred *new, const struct cred *old,
2283 			  const kernel_cap_t *effective,
2284 			  const kernel_cap_t *inheritable,
2285 			  const kernel_cap_t *permitted)
2286 {
2287 	return avc_has_perm(&selinux_state,
2288 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2289 			    PROCESS__SETCAP, NULL);
2290 }
2291 
2292 /*
2293  * (This comment used to live with the selinux_task_setuid hook,
2294  * which was removed).
2295  *
2296  * Since setuid only affects the current process, and since the SELinux
2297  * controls are not based on the Linux identity attributes, SELinux does not
2298  * need to control this operation.  However, SELinux does control the use of
2299  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2300  */
2301 
2302 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2303 			   int cap, int audit)
2304 {
2305 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2306 }
2307 
2308 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2309 {
2310 	const struct cred *cred = current_cred();
2311 	int rc = 0;
2312 
2313 	if (!sb)
2314 		return 0;
2315 
2316 	switch (cmds) {
2317 	case Q_SYNC:
2318 	case Q_QUOTAON:
2319 	case Q_QUOTAOFF:
2320 	case Q_SETINFO:
2321 	case Q_SETQUOTA:
2322 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2323 		break;
2324 	case Q_GETFMT:
2325 	case Q_GETINFO:
2326 	case Q_GETQUOTA:
2327 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2328 		break;
2329 	default:
2330 		rc = 0;  /* let the kernel handle invalid cmds */
2331 		break;
2332 	}
2333 	return rc;
2334 }
2335 
2336 static int selinux_quota_on(struct dentry *dentry)
2337 {
2338 	const struct cred *cred = current_cred();
2339 
2340 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2341 }
2342 
2343 static int selinux_syslog(int type)
2344 {
2345 	switch (type) {
2346 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2347 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2348 		return avc_has_perm(&selinux_state,
2349 				    current_sid(), SECINITSID_KERNEL,
2350 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2351 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2352 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2353 	/* Set level of messages printed to console */
2354 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2355 		return avc_has_perm(&selinux_state,
2356 				    current_sid(), SECINITSID_KERNEL,
2357 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2358 				    NULL);
2359 	}
2360 	/* All other syslog types */
2361 	return avc_has_perm(&selinux_state,
2362 			    current_sid(), SECINITSID_KERNEL,
2363 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2364 }
2365 
2366 /*
2367  * Check that a process has enough memory to allocate a new virtual
2368  * mapping. 0 means there is enough memory for the allocation to
2369  * succeed and -ENOMEM implies there is not.
2370  *
2371  * Do not audit the selinux permission check, as this is applied to all
2372  * processes that allocate mappings.
2373  */
2374 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2375 {
2376 	int rc, cap_sys_admin = 0;
2377 
2378 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2379 				 SECURITY_CAP_NOAUDIT, true);
2380 	if (rc == 0)
2381 		cap_sys_admin = 1;
2382 
2383 	return cap_sys_admin;
2384 }
2385 
2386 /* binprm security operations */
2387 
2388 static u32 ptrace_parent_sid(void)
2389 {
2390 	u32 sid = 0;
2391 	struct task_struct *tracer;
2392 
2393 	rcu_read_lock();
2394 	tracer = ptrace_parent(current);
2395 	if (tracer)
2396 		sid = task_sid(tracer);
2397 	rcu_read_unlock();
2398 
2399 	return sid;
2400 }
2401 
2402 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2403 			    const struct task_security_struct *old_tsec,
2404 			    const struct task_security_struct *new_tsec)
2405 {
2406 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2407 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2408 	int rc;
2409 	u32 av;
2410 
2411 	if (!nnp && !nosuid)
2412 		return 0; /* neither NNP nor nosuid */
2413 
2414 	if (new_tsec->sid == old_tsec->sid)
2415 		return 0; /* No change in credentials */
2416 
2417 	/*
2418 	 * If the policy enables the nnp_nosuid_transition policy capability,
2419 	 * then we permit transitions under NNP or nosuid if the
2420 	 * policy allows the corresponding permission between
2421 	 * the old and new contexts.
2422 	 */
2423 	if (selinux_policycap_nnp_nosuid_transition()) {
2424 		av = 0;
2425 		if (nnp)
2426 			av |= PROCESS2__NNP_TRANSITION;
2427 		if (nosuid)
2428 			av |= PROCESS2__NOSUID_TRANSITION;
2429 		rc = avc_has_perm(&selinux_state,
2430 				  old_tsec->sid, new_tsec->sid,
2431 				  SECCLASS_PROCESS2, av, NULL);
2432 		if (!rc)
2433 			return 0;
2434 	}
2435 
2436 	/*
2437 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2438 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2439 	 * of the permissions of the current SID.
2440 	 */
2441 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 					 new_tsec->sid);
2443 	if (!rc)
2444 		return 0;
2445 
2446 	/*
2447 	 * On failure, preserve the errno values for NNP vs nosuid.
2448 	 * NNP:  Operation not permitted for caller.
2449 	 * nosuid:  Permission denied to file.
2450 	 */
2451 	if (nnp)
2452 		return -EPERM;
2453 	return -EACCES;
2454 }
2455 
2456 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2457 {
2458 	const struct task_security_struct *old_tsec;
2459 	struct task_security_struct *new_tsec;
2460 	struct inode_security_struct *isec;
2461 	struct common_audit_data ad;
2462 	struct inode *inode = file_inode(bprm->file);
2463 	int rc;
2464 
2465 	/* SELinux context only depends on initial program or script and not
2466 	 * the script interpreter */
2467 	if (bprm->called_set_creds)
2468 		return 0;
2469 
2470 	old_tsec = current_security();
2471 	new_tsec = bprm->cred->security;
2472 	isec = inode_security(inode);
2473 
2474 	/* Default to the current task SID. */
2475 	new_tsec->sid = old_tsec->sid;
2476 	new_tsec->osid = old_tsec->sid;
2477 
2478 	/* Reset fs, key, and sock SIDs on execve. */
2479 	new_tsec->create_sid = 0;
2480 	new_tsec->keycreate_sid = 0;
2481 	new_tsec->sockcreate_sid = 0;
2482 
2483 	if (old_tsec->exec_sid) {
2484 		new_tsec->sid = old_tsec->exec_sid;
2485 		/* Reset exec SID on execve. */
2486 		new_tsec->exec_sid = 0;
2487 
2488 		/* Fail on NNP or nosuid if not an allowed transition. */
2489 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2490 		if (rc)
2491 			return rc;
2492 	} else {
2493 		/* Check for a default transition on this program. */
2494 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2495 					     isec->sid, SECCLASS_PROCESS, NULL,
2496 					     &new_tsec->sid);
2497 		if (rc)
2498 			return rc;
2499 
2500 		/*
2501 		 * Fallback to old SID on NNP or nosuid if not an allowed
2502 		 * transition.
2503 		 */
2504 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2505 		if (rc)
2506 			new_tsec->sid = old_tsec->sid;
2507 	}
2508 
2509 	ad.type = LSM_AUDIT_DATA_FILE;
2510 	ad.u.file = bprm->file;
2511 
2512 	if (new_tsec->sid == old_tsec->sid) {
2513 		rc = avc_has_perm(&selinux_state,
2514 				  old_tsec->sid, isec->sid,
2515 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2516 		if (rc)
2517 			return rc;
2518 	} else {
2519 		/* Check permissions for the transition. */
2520 		rc = avc_has_perm(&selinux_state,
2521 				  old_tsec->sid, new_tsec->sid,
2522 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2523 		if (rc)
2524 			return rc;
2525 
2526 		rc = avc_has_perm(&selinux_state,
2527 				  new_tsec->sid, isec->sid,
2528 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2529 		if (rc)
2530 			return rc;
2531 
2532 		/* Check for shared state */
2533 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2534 			rc = avc_has_perm(&selinux_state,
2535 					  old_tsec->sid, new_tsec->sid,
2536 					  SECCLASS_PROCESS, PROCESS__SHARE,
2537 					  NULL);
2538 			if (rc)
2539 				return -EPERM;
2540 		}
2541 
2542 		/* Make sure that anyone attempting to ptrace over a task that
2543 		 * changes its SID has the appropriate permit */
2544 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2545 			u32 ptsid = ptrace_parent_sid();
2546 			if (ptsid != 0) {
2547 				rc = avc_has_perm(&selinux_state,
2548 						  ptsid, new_tsec->sid,
2549 						  SECCLASS_PROCESS,
2550 						  PROCESS__PTRACE, NULL);
2551 				if (rc)
2552 					return -EPERM;
2553 			}
2554 		}
2555 
2556 		/* Clear any possibly unsafe personality bits on exec: */
2557 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2558 
2559 		/* Enable secure mode for SIDs transitions unless
2560 		   the noatsecure permission is granted between
2561 		   the two SIDs, i.e. ahp returns 0. */
2562 		rc = avc_has_perm(&selinux_state,
2563 				  old_tsec->sid, new_tsec->sid,
2564 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2565 				  NULL);
2566 		bprm->secureexec |= !!rc;
2567 	}
2568 
2569 	return 0;
2570 }
2571 
2572 static int match_file(const void *p, struct file *file, unsigned fd)
2573 {
2574 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2575 }
2576 
2577 /* Derived from fs/exec.c:flush_old_files. */
2578 static inline void flush_unauthorized_files(const struct cred *cred,
2579 					    struct files_struct *files)
2580 {
2581 	struct file *file, *devnull = NULL;
2582 	struct tty_struct *tty;
2583 	int drop_tty = 0;
2584 	unsigned n;
2585 
2586 	tty = get_current_tty();
2587 	if (tty) {
2588 		spin_lock(&tty->files_lock);
2589 		if (!list_empty(&tty->tty_files)) {
2590 			struct tty_file_private *file_priv;
2591 
2592 			/* Revalidate access to controlling tty.
2593 			   Use file_path_has_perm on the tty path directly
2594 			   rather than using file_has_perm, as this particular
2595 			   open file may belong to another process and we are
2596 			   only interested in the inode-based check here. */
2597 			file_priv = list_first_entry(&tty->tty_files,
2598 						struct tty_file_private, list);
2599 			file = file_priv->file;
2600 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2601 				drop_tty = 1;
2602 		}
2603 		spin_unlock(&tty->files_lock);
2604 		tty_kref_put(tty);
2605 	}
2606 	/* Reset controlling tty. */
2607 	if (drop_tty)
2608 		no_tty();
2609 
2610 	/* Revalidate access to inherited open files. */
2611 	n = iterate_fd(files, 0, match_file, cred);
2612 	if (!n) /* none found? */
2613 		return;
2614 
2615 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2616 	if (IS_ERR(devnull))
2617 		devnull = NULL;
2618 	/* replace all the matching ones with this */
2619 	do {
2620 		replace_fd(n - 1, devnull, 0);
2621 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2622 	if (devnull)
2623 		fput(devnull);
2624 }
2625 
2626 /*
2627  * Prepare a process for imminent new credential changes due to exec
2628  */
2629 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2630 {
2631 	struct task_security_struct *new_tsec;
2632 	struct rlimit *rlim, *initrlim;
2633 	int rc, i;
2634 
2635 	new_tsec = bprm->cred->security;
2636 	if (new_tsec->sid == new_tsec->osid)
2637 		return;
2638 
2639 	/* Close files for which the new task SID is not authorized. */
2640 	flush_unauthorized_files(bprm->cred, current->files);
2641 
2642 	/* Always clear parent death signal on SID transitions. */
2643 	current->pdeath_signal = 0;
2644 
2645 	/* Check whether the new SID can inherit resource limits from the old
2646 	 * SID.  If not, reset all soft limits to the lower of the current
2647 	 * task's hard limit and the init task's soft limit.
2648 	 *
2649 	 * Note that the setting of hard limits (even to lower them) can be
2650 	 * controlled by the setrlimit check.  The inclusion of the init task's
2651 	 * soft limit into the computation is to avoid resetting soft limits
2652 	 * higher than the default soft limit for cases where the default is
2653 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2654 	 */
2655 	rc = avc_has_perm(&selinux_state,
2656 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2657 			  PROCESS__RLIMITINH, NULL);
2658 	if (rc) {
2659 		/* protect against do_prlimit() */
2660 		task_lock(current);
2661 		for (i = 0; i < RLIM_NLIMITS; i++) {
2662 			rlim = current->signal->rlim + i;
2663 			initrlim = init_task.signal->rlim + i;
2664 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2665 		}
2666 		task_unlock(current);
2667 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2668 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2669 	}
2670 }
2671 
2672 /*
2673  * Clean up the process immediately after the installation of new credentials
2674  * due to exec
2675  */
2676 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2677 {
2678 	const struct task_security_struct *tsec = current_security();
2679 	struct itimerval itimer;
2680 	u32 osid, sid;
2681 	int rc, i;
2682 
2683 	osid = tsec->osid;
2684 	sid = tsec->sid;
2685 
2686 	if (sid == osid)
2687 		return;
2688 
2689 	/* Check whether the new SID can inherit signal state from the old SID.
2690 	 * If not, clear itimers to avoid subsequent signal generation and
2691 	 * flush and unblock signals.
2692 	 *
2693 	 * This must occur _after_ the task SID has been updated so that any
2694 	 * kill done after the flush will be checked against the new SID.
2695 	 */
2696 	rc = avc_has_perm(&selinux_state,
2697 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2698 	if (rc) {
2699 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2700 			memset(&itimer, 0, sizeof itimer);
2701 			for (i = 0; i < 3; i++)
2702 				do_setitimer(i, &itimer, NULL);
2703 		}
2704 		spin_lock_irq(&current->sighand->siglock);
2705 		if (!fatal_signal_pending(current)) {
2706 			flush_sigqueue(&current->pending);
2707 			flush_sigqueue(&current->signal->shared_pending);
2708 			flush_signal_handlers(current, 1);
2709 			sigemptyset(&current->blocked);
2710 			recalc_sigpending();
2711 		}
2712 		spin_unlock_irq(&current->sighand->siglock);
2713 	}
2714 
2715 	/* Wake up the parent if it is waiting so that it can recheck
2716 	 * wait permission to the new task SID. */
2717 	read_lock(&tasklist_lock);
2718 	__wake_up_parent(current, current->real_parent);
2719 	read_unlock(&tasklist_lock);
2720 }
2721 
2722 /* superblock security operations */
2723 
2724 static int selinux_sb_alloc_security(struct super_block *sb)
2725 {
2726 	return superblock_alloc_security(sb);
2727 }
2728 
2729 static void selinux_sb_free_security(struct super_block *sb)
2730 {
2731 	superblock_free_security(sb);
2732 }
2733 
2734 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2735 {
2736 	if (plen > olen)
2737 		return 0;
2738 
2739 	return !memcmp(prefix, option, plen);
2740 }
2741 
2742 static inline int selinux_option(char *option, int len)
2743 {
2744 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2745 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2746 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2747 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2748 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2749 }
2750 
2751 static inline void take_option(char **to, char *from, int *first, int len)
2752 {
2753 	if (!*first) {
2754 		**to = ',';
2755 		*to += 1;
2756 	} else
2757 		*first = 0;
2758 	memcpy(*to, from, len);
2759 	*to += len;
2760 }
2761 
2762 static inline void take_selinux_option(char **to, char *from, int *first,
2763 				       int len)
2764 {
2765 	int current_size = 0;
2766 
2767 	if (!*first) {
2768 		**to = '|';
2769 		*to += 1;
2770 	} else
2771 		*first = 0;
2772 
2773 	while (current_size < len) {
2774 		if (*from != '"') {
2775 			**to = *from;
2776 			*to += 1;
2777 		}
2778 		from += 1;
2779 		current_size += 1;
2780 	}
2781 }
2782 
2783 static int selinux_sb_copy_data(char *orig, char *copy)
2784 {
2785 	int fnosec, fsec, rc = 0;
2786 	char *in_save, *in_curr, *in_end;
2787 	char *sec_curr, *nosec_save, *nosec;
2788 	int open_quote = 0;
2789 
2790 	in_curr = orig;
2791 	sec_curr = copy;
2792 
2793 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2794 	if (!nosec) {
2795 		rc = -ENOMEM;
2796 		goto out;
2797 	}
2798 
2799 	nosec_save = nosec;
2800 	fnosec = fsec = 1;
2801 	in_save = in_end = orig;
2802 
2803 	do {
2804 		if (*in_end == '"')
2805 			open_quote = !open_quote;
2806 		if ((*in_end == ',' && open_quote == 0) ||
2807 				*in_end == '\0') {
2808 			int len = in_end - in_curr;
2809 
2810 			if (selinux_option(in_curr, len))
2811 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2812 			else
2813 				take_option(&nosec, in_curr, &fnosec, len);
2814 
2815 			in_curr = in_end + 1;
2816 		}
2817 	} while (*in_end++);
2818 
2819 	strcpy(in_save, nosec_save);
2820 	free_page((unsigned long)nosec_save);
2821 out:
2822 	return rc;
2823 }
2824 
2825 static int selinux_sb_remount(struct super_block *sb, void *data)
2826 {
2827 	int rc, i, *flags;
2828 	struct security_mnt_opts opts;
2829 	char *secdata, **mount_options;
2830 	struct superblock_security_struct *sbsec = sb->s_security;
2831 
2832 	if (!(sbsec->flags & SE_SBINITIALIZED))
2833 		return 0;
2834 
2835 	if (!data)
2836 		return 0;
2837 
2838 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2839 		return 0;
2840 
2841 	security_init_mnt_opts(&opts);
2842 	secdata = alloc_secdata();
2843 	if (!secdata)
2844 		return -ENOMEM;
2845 	rc = selinux_sb_copy_data(data, secdata);
2846 	if (rc)
2847 		goto out_free_secdata;
2848 
2849 	rc = selinux_parse_opts_str(secdata, &opts);
2850 	if (rc)
2851 		goto out_free_secdata;
2852 
2853 	mount_options = opts.mnt_opts;
2854 	flags = opts.mnt_opts_flags;
2855 
2856 	for (i = 0; i < opts.num_mnt_opts; i++) {
2857 		u32 sid;
2858 
2859 		if (flags[i] == SBLABEL_MNT)
2860 			continue;
2861 		rc = security_context_str_to_sid(&selinux_state,
2862 						 mount_options[i], &sid,
2863 						 GFP_KERNEL);
2864 		if (rc) {
2865 			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2866 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2867 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2868 			goto out_free_opts;
2869 		}
2870 		rc = -EINVAL;
2871 		switch (flags[i]) {
2872 		case FSCONTEXT_MNT:
2873 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2874 				goto out_bad_option;
2875 			break;
2876 		case CONTEXT_MNT:
2877 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2878 				goto out_bad_option;
2879 			break;
2880 		case ROOTCONTEXT_MNT: {
2881 			struct inode_security_struct *root_isec;
2882 			root_isec = backing_inode_security(sb->s_root);
2883 
2884 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2885 				goto out_bad_option;
2886 			break;
2887 		}
2888 		case DEFCONTEXT_MNT:
2889 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2890 				goto out_bad_option;
2891 			break;
2892 		default:
2893 			goto out_free_opts;
2894 		}
2895 	}
2896 
2897 	rc = 0;
2898 out_free_opts:
2899 	security_free_mnt_opts(&opts);
2900 out_free_secdata:
2901 	free_secdata(secdata);
2902 	return rc;
2903 out_bad_option:
2904 	printk(KERN_WARNING "SELinux: unable to change security options "
2905 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2906 	       sb->s_type->name);
2907 	goto out_free_opts;
2908 }
2909 
2910 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2911 {
2912 	const struct cred *cred = current_cred();
2913 	struct common_audit_data ad;
2914 	int rc;
2915 
2916 	rc = superblock_doinit(sb, data);
2917 	if (rc)
2918 		return rc;
2919 
2920 	/* Allow all mounts performed by the kernel */
2921 	if (flags & MS_KERNMOUNT)
2922 		return 0;
2923 
2924 	ad.type = LSM_AUDIT_DATA_DENTRY;
2925 	ad.u.dentry = sb->s_root;
2926 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2927 }
2928 
2929 static int selinux_sb_statfs(struct dentry *dentry)
2930 {
2931 	const struct cred *cred = current_cred();
2932 	struct common_audit_data ad;
2933 
2934 	ad.type = LSM_AUDIT_DATA_DENTRY;
2935 	ad.u.dentry = dentry->d_sb->s_root;
2936 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2937 }
2938 
2939 static int selinux_mount(const char *dev_name,
2940 			 const struct path *path,
2941 			 const char *type,
2942 			 unsigned long flags,
2943 			 void *data)
2944 {
2945 	const struct cred *cred = current_cred();
2946 
2947 	if (flags & MS_REMOUNT)
2948 		return superblock_has_perm(cred, path->dentry->d_sb,
2949 					   FILESYSTEM__REMOUNT, NULL);
2950 	else
2951 		return path_has_perm(cred, path, FILE__MOUNTON);
2952 }
2953 
2954 static int selinux_umount(struct vfsmount *mnt, int flags)
2955 {
2956 	const struct cred *cred = current_cred();
2957 
2958 	return superblock_has_perm(cred, mnt->mnt_sb,
2959 				   FILESYSTEM__UNMOUNT, NULL);
2960 }
2961 
2962 /* inode security operations */
2963 
2964 static int selinux_inode_alloc_security(struct inode *inode)
2965 {
2966 	return inode_alloc_security(inode);
2967 }
2968 
2969 static void selinux_inode_free_security(struct inode *inode)
2970 {
2971 	inode_free_security(inode);
2972 }
2973 
2974 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2975 					const struct qstr *name, void **ctx,
2976 					u32 *ctxlen)
2977 {
2978 	u32 newsid;
2979 	int rc;
2980 
2981 	rc = selinux_determine_inode_label(current_security(),
2982 					   d_inode(dentry->d_parent), name,
2983 					   inode_mode_to_security_class(mode),
2984 					   &newsid);
2985 	if (rc)
2986 		return rc;
2987 
2988 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 				       ctxlen);
2990 }
2991 
2992 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2993 					  struct qstr *name,
2994 					  const struct cred *old,
2995 					  struct cred *new)
2996 {
2997 	u32 newsid;
2998 	int rc;
2999 	struct task_security_struct *tsec;
3000 
3001 	rc = selinux_determine_inode_label(old->security,
3002 					   d_inode(dentry->d_parent), name,
3003 					   inode_mode_to_security_class(mode),
3004 					   &newsid);
3005 	if (rc)
3006 		return rc;
3007 
3008 	tsec = new->security;
3009 	tsec->create_sid = newsid;
3010 	return 0;
3011 }
3012 
3013 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3014 				       const struct qstr *qstr,
3015 				       const char **name,
3016 				       void **value, size_t *len)
3017 {
3018 	const struct task_security_struct *tsec = current_security();
3019 	struct superblock_security_struct *sbsec;
3020 	u32 newsid, clen;
3021 	int rc;
3022 	char *context;
3023 
3024 	sbsec = dir->i_sb->s_security;
3025 
3026 	newsid = tsec->create_sid;
3027 
3028 	rc = selinux_determine_inode_label(current_security(),
3029 		dir, qstr,
3030 		inode_mode_to_security_class(inode->i_mode),
3031 		&newsid);
3032 	if (rc)
3033 		return rc;
3034 
3035 	/* Possibly defer initialization to selinux_complete_init. */
3036 	if (sbsec->flags & SE_SBINITIALIZED) {
3037 		struct inode_security_struct *isec = inode->i_security;
3038 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
3039 		isec->sid = newsid;
3040 		isec->initialized = LABEL_INITIALIZED;
3041 	}
3042 
3043 	if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3044 		return -EOPNOTSUPP;
3045 
3046 	if (name)
3047 		*name = XATTR_SELINUX_SUFFIX;
3048 
3049 	if (value && len) {
3050 		rc = security_sid_to_context_force(&selinux_state, newsid,
3051 						   &context, &clen);
3052 		if (rc)
3053 			return rc;
3054 		*value = context;
3055 		*len = clen;
3056 	}
3057 
3058 	return 0;
3059 }
3060 
3061 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3062 {
3063 	return may_create(dir, dentry, SECCLASS_FILE);
3064 }
3065 
3066 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3067 {
3068 	return may_link(dir, old_dentry, MAY_LINK);
3069 }
3070 
3071 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3072 {
3073 	return may_link(dir, dentry, MAY_UNLINK);
3074 }
3075 
3076 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3077 {
3078 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3079 }
3080 
3081 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3082 {
3083 	return may_create(dir, dentry, SECCLASS_DIR);
3084 }
3085 
3086 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3087 {
3088 	return may_link(dir, dentry, MAY_RMDIR);
3089 }
3090 
3091 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3092 {
3093 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3094 }
3095 
3096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3097 				struct inode *new_inode, struct dentry *new_dentry)
3098 {
3099 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3100 }
3101 
3102 static int selinux_inode_readlink(struct dentry *dentry)
3103 {
3104 	const struct cred *cred = current_cred();
3105 
3106 	return dentry_has_perm(cred, dentry, FILE__READ);
3107 }
3108 
3109 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3110 				     bool rcu)
3111 {
3112 	const struct cred *cred = current_cred();
3113 	struct common_audit_data ad;
3114 	struct inode_security_struct *isec;
3115 	u32 sid;
3116 
3117 	validate_creds(cred);
3118 
3119 	ad.type = LSM_AUDIT_DATA_DENTRY;
3120 	ad.u.dentry = dentry;
3121 	sid = cred_sid(cred);
3122 	isec = inode_security_rcu(inode, rcu);
3123 	if (IS_ERR(isec))
3124 		return PTR_ERR(isec);
3125 
3126 	return avc_has_perm_flags(&selinux_state,
3127 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
3128 				  rcu ? MAY_NOT_BLOCK : 0);
3129 }
3130 
3131 static noinline int audit_inode_permission(struct inode *inode,
3132 					   u32 perms, u32 audited, u32 denied,
3133 					   int result,
3134 					   unsigned flags)
3135 {
3136 	struct common_audit_data ad;
3137 	struct inode_security_struct *isec = inode->i_security;
3138 	int rc;
3139 
3140 	ad.type = LSM_AUDIT_DATA_INODE;
3141 	ad.u.inode = inode;
3142 
3143 	rc = slow_avc_audit(&selinux_state,
3144 			    current_sid(), isec->sid, isec->sclass, perms,
3145 			    audited, denied, result, &ad, flags);
3146 	if (rc)
3147 		return rc;
3148 	return 0;
3149 }
3150 
3151 static int selinux_inode_permission(struct inode *inode, int mask)
3152 {
3153 	const struct cred *cred = current_cred();
3154 	u32 perms;
3155 	bool from_access;
3156 	unsigned flags = mask & MAY_NOT_BLOCK;
3157 	struct inode_security_struct *isec;
3158 	u32 sid;
3159 	struct av_decision avd;
3160 	int rc, rc2;
3161 	u32 audited, denied;
3162 
3163 	from_access = mask & MAY_ACCESS;
3164 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3165 
3166 	/* No permission to check.  Existence test. */
3167 	if (!mask)
3168 		return 0;
3169 
3170 	validate_creds(cred);
3171 
3172 	if (unlikely(IS_PRIVATE(inode)))
3173 		return 0;
3174 
3175 	perms = file_mask_to_av(inode->i_mode, mask);
3176 
3177 	sid = cred_sid(cred);
3178 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3179 	if (IS_ERR(isec))
3180 		return PTR_ERR(isec);
3181 
3182 	rc = avc_has_perm_noaudit(&selinux_state,
3183 				  sid, isec->sid, isec->sclass, perms, 0, &avd);
3184 	audited = avc_audit_required(perms, &avd, rc,
3185 				     from_access ? FILE__AUDIT_ACCESS : 0,
3186 				     &denied);
3187 	if (likely(!audited))
3188 		return rc;
3189 
3190 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3191 	if (rc2)
3192 		return rc2;
3193 	return rc;
3194 }
3195 
3196 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3197 {
3198 	const struct cred *cred = current_cred();
3199 	struct inode *inode = d_backing_inode(dentry);
3200 	unsigned int ia_valid = iattr->ia_valid;
3201 	__u32 av = FILE__WRITE;
3202 
3203 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3204 	if (ia_valid & ATTR_FORCE) {
3205 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3206 			      ATTR_FORCE);
3207 		if (!ia_valid)
3208 			return 0;
3209 	}
3210 
3211 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3212 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3213 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3214 
3215 	if (selinux_policycap_openperm() &&
3216 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3217 	    (ia_valid & ATTR_SIZE) &&
3218 	    !(ia_valid & ATTR_FILE))
3219 		av |= FILE__OPEN;
3220 
3221 	return dentry_has_perm(cred, dentry, av);
3222 }
3223 
3224 static int selinux_inode_getattr(const struct path *path)
3225 {
3226 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3227 }
3228 
3229 static bool has_cap_mac_admin(bool audit)
3230 {
3231 	const struct cred *cred = current_cred();
3232 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3233 
3234 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3235 		return false;
3236 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3237 		return false;
3238 	return true;
3239 }
3240 
3241 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3242 				  const void *value, size_t size, int flags)
3243 {
3244 	struct inode *inode = d_backing_inode(dentry);
3245 	struct inode_security_struct *isec;
3246 	struct superblock_security_struct *sbsec;
3247 	struct common_audit_data ad;
3248 	u32 newsid, sid = current_sid();
3249 	int rc = 0;
3250 
3251 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3252 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3253 		if (rc)
3254 			return rc;
3255 
3256 		/* Not an attribute we recognize, so just check the
3257 		   ordinary setattr permission. */
3258 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3259 	}
3260 
3261 	sbsec = inode->i_sb->s_security;
3262 	if (!(sbsec->flags & SBLABEL_MNT))
3263 		return -EOPNOTSUPP;
3264 
3265 	if (!inode_owner_or_capable(inode))
3266 		return -EPERM;
3267 
3268 	ad.type = LSM_AUDIT_DATA_DENTRY;
3269 	ad.u.dentry = dentry;
3270 
3271 	isec = backing_inode_security(dentry);
3272 	rc = avc_has_perm(&selinux_state,
3273 			  sid, isec->sid, isec->sclass,
3274 			  FILE__RELABELFROM, &ad);
3275 	if (rc)
3276 		return rc;
3277 
3278 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 				     GFP_KERNEL);
3280 	if (rc == -EINVAL) {
3281 		if (!has_cap_mac_admin(true)) {
3282 			struct audit_buffer *ab;
3283 			size_t audit_size;
3284 
3285 			/* We strip a nul only if it is at the end, otherwise the
3286 			 * context contains a nul and we should audit that */
3287 			if (value) {
3288 				const char *str = value;
3289 
3290 				if (str[size - 1] == '\0')
3291 					audit_size = size - 1;
3292 				else
3293 					audit_size = size;
3294 			} else {
3295 				audit_size = 0;
3296 			}
3297 			ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3298 			audit_log_format(ab, "op=setxattr invalid_context=");
3299 			audit_log_n_untrustedstring(ab, value, audit_size);
3300 			audit_log_end(ab);
3301 
3302 			return rc;
3303 		}
3304 		rc = security_context_to_sid_force(&selinux_state, value,
3305 						   size, &newsid);
3306 	}
3307 	if (rc)
3308 		return rc;
3309 
3310 	rc = avc_has_perm(&selinux_state,
3311 			  sid, newsid, isec->sclass,
3312 			  FILE__RELABELTO, &ad);
3313 	if (rc)
3314 		return rc;
3315 
3316 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3317 					  sid, isec->sclass);
3318 	if (rc)
3319 		return rc;
3320 
3321 	return avc_has_perm(&selinux_state,
3322 			    newsid,
3323 			    sbsec->sid,
3324 			    SECCLASS_FILESYSTEM,
3325 			    FILESYSTEM__ASSOCIATE,
3326 			    &ad);
3327 }
3328 
3329 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3330 					const void *value, size_t size,
3331 					int flags)
3332 {
3333 	struct inode *inode = d_backing_inode(dentry);
3334 	struct inode_security_struct *isec;
3335 	u32 newsid;
3336 	int rc;
3337 
3338 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3339 		/* Not an attribute we recognize, so nothing to do. */
3340 		return;
3341 	}
3342 
3343 	rc = security_context_to_sid_force(&selinux_state, value, size,
3344 					   &newsid);
3345 	if (rc) {
3346 		printk(KERN_ERR "SELinux:  unable to map context to SID"
3347 		       "for (%s, %lu), rc=%d\n",
3348 		       inode->i_sb->s_id, inode->i_ino, -rc);
3349 		return;
3350 	}
3351 
3352 	isec = backing_inode_security(dentry);
3353 	spin_lock(&isec->lock);
3354 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3355 	isec->sid = newsid;
3356 	isec->initialized = LABEL_INITIALIZED;
3357 	spin_unlock(&isec->lock);
3358 
3359 	return;
3360 }
3361 
3362 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3363 {
3364 	const struct cred *cred = current_cred();
3365 
3366 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3367 }
3368 
3369 static int selinux_inode_listxattr(struct dentry *dentry)
3370 {
3371 	const struct cred *cred = current_cred();
3372 
3373 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3374 }
3375 
3376 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3377 {
3378 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3379 		int rc = cap_inode_removexattr(dentry, name);
3380 		if (rc)
3381 			return rc;
3382 
3383 		/* Not an attribute we recognize, so just check the
3384 		   ordinary setattr permission. */
3385 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3386 	}
3387 
3388 	/* No one is allowed to remove a SELinux security label.
3389 	   You can change the label, but all data must be labeled. */
3390 	return -EACCES;
3391 }
3392 
3393 /*
3394  * Copy the inode security context value to the user.
3395  *
3396  * Permission check is handled by selinux_inode_getxattr hook.
3397  */
3398 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3399 {
3400 	u32 size;
3401 	int error;
3402 	char *context = NULL;
3403 	struct inode_security_struct *isec;
3404 
3405 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3406 		return -EOPNOTSUPP;
3407 
3408 	/*
3409 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3410 	 * value even if it is not defined by current policy; otherwise,
3411 	 * use the in-core value under current policy.
3412 	 * Use the non-auditing forms of the permission checks since
3413 	 * getxattr may be called by unprivileged processes commonly
3414 	 * and lack of permission just means that we fall back to the
3415 	 * in-core context value, not a denial.
3416 	 */
3417 	isec = inode_security(inode);
3418 	if (has_cap_mac_admin(false))
3419 		error = security_sid_to_context_force(&selinux_state,
3420 						      isec->sid, &context,
3421 						      &size);
3422 	else
3423 		error = security_sid_to_context(&selinux_state, isec->sid,
3424 						&context, &size);
3425 	if (error)
3426 		return error;
3427 	error = size;
3428 	if (alloc) {
3429 		*buffer = context;
3430 		goto out_nofree;
3431 	}
3432 	kfree(context);
3433 out_nofree:
3434 	return error;
3435 }
3436 
3437 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3438 				     const void *value, size_t size, int flags)
3439 {
3440 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3441 	u32 newsid;
3442 	int rc;
3443 
3444 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3445 		return -EOPNOTSUPP;
3446 
3447 	if (!value || !size)
3448 		return -EACCES;
3449 
3450 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 				     GFP_KERNEL);
3452 	if (rc)
3453 		return rc;
3454 
3455 	spin_lock(&isec->lock);
3456 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3457 	isec->sid = newsid;
3458 	isec->initialized = LABEL_INITIALIZED;
3459 	spin_unlock(&isec->lock);
3460 	return 0;
3461 }
3462 
3463 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3464 {
3465 	const int len = sizeof(XATTR_NAME_SELINUX);
3466 	if (buffer && len <= buffer_size)
3467 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3468 	return len;
3469 }
3470 
3471 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3472 {
3473 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3474 	*secid = isec->sid;
3475 }
3476 
3477 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3478 {
3479 	u32 sid;
3480 	struct task_security_struct *tsec;
3481 	struct cred *new_creds = *new;
3482 
3483 	if (new_creds == NULL) {
3484 		new_creds = prepare_creds();
3485 		if (!new_creds)
3486 			return -ENOMEM;
3487 	}
3488 
3489 	tsec = new_creds->security;
3490 	/* Get label from overlay inode and set it in create_sid */
3491 	selinux_inode_getsecid(d_inode(src), &sid);
3492 	tsec->create_sid = sid;
3493 	*new = new_creds;
3494 	return 0;
3495 }
3496 
3497 static int selinux_inode_copy_up_xattr(const char *name)
3498 {
3499 	/* The copy_up hook above sets the initial context on an inode, but we
3500 	 * don't then want to overwrite it by blindly copying all the lower
3501 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3502 	 */
3503 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3504 		return 1; /* Discard */
3505 	/*
3506 	 * Any other attribute apart from SELINUX is not claimed, supported
3507 	 * by selinux.
3508 	 */
3509 	return -EOPNOTSUPP;
3510 }
3511 
3512 /* file security operations */
3513 
3514 static int selinux_revalidate_file_permission(struct file *file, int mask)
3515 {
3516 	const struct cred *cred = current_cred();
3517 	struct inode *inode = file_inode(file);
3518 
3519 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3520 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3521 		mask |= MAY_APPEND;
3522 
3523 	return file_has_perm(cred, file,
3524 			     file_mask_to_av(inode->i_mode, mask));
3525 }
3526 
3527 static int selinux_file_permission(struct file *file, int mask)
3528 {
3529 	struct inode *inode = file_inode(file);
3530 	struct file_security_struct *fsec = file->f_security;
3531 	struct inode_security_struct *isec;
3532 	u32 sid = current_sid();
3533 
3534 	if (!mask)
3535 		/* No permission to check.  Existence test. */
3536 		return 0;
3537 
3538 	isec = inode_security(inode);
3539 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3540 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3541 		/* No change since file_open check. */
3542 		return 0;
3543 
3544 	return selinux_revalidate_file_permission(file, mask);
3545 }
3546 
3547 static int selinux_file_alloc_security(struct file *file)
3548 {
3549 	return file_alloc_security(file);
3550 }
3551 
3552 static void selinux_file_free_security(struct file *file)
3553 {
3554 	file_free_security(file);
3555 }
3556 
3557 /*
3558  * Check whether a task has the ioctl permission and cmd
3559  * operation to an inode.
3560  */
3561 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3562 		u32 requested, u16 cmd)
3563 {
3564 	struct common_audit_data ad;
3565 	struct file_security_struct *fsec = file->f_security;
3566 	struct inode *inode = file_inode(file);
3567 	struct inode_security_struct *isec;
3568 	struct lsm_ioctlop_audit ioctl;
3569 	u32 ssid = cred_sid(cred);
3570 	int rc;
3571 	u8 driver = cmd >> 8;
3572 	u8 xperm = cmd & 0xff;
3573 
3574 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3575 	ad.u.op = &ioctl;
3576 	ad.u.op->cmd = cmd;
3577 	ad.u.op->path = file->f_path;
3578 
3579 	if (ssid != fsec->sid) {
3580 		rc = avc_has_perm(&selinux_state,
3581 				  ssid, fsec->sid,
3582 				SECCLASS_FD,
3583 				FD__USE,
3584 				&ad);
3585 		if (rc)
3586 			goto out;
3587 	}
3588 
3589 	if (unlikely(IS_PRIVATE(inode)))
3590 		return 0;
3591 
3592 	isec = inode_security(inode);
3593 	rc = avc_has_extended_perms(&selinux_state,
3594 				    ssid, isec->sid, isec->sclass,
3595 				    requested, driver, xperm, &ad);
3596 out:
3597 	return rc;
3598 }
3599 
3600 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3601 			      unsigned long arg)
3602 {
3603 	const struct cred *cred = current_cred();
3604 	int error = 0;
3605 
3606 	switch (cmd) {
3607 	case FIONREAD:
3608 	/* fall through */
3609 	case FIBMAP:
3610 	/* fall through */
3611 	case FIGETBSZ:
3612 	/* fall through */
3613 	case FS_IOC_GETFLAGS:
3614 	/* fall through */
3615 	case FS_IOC_GETVERSION:
3616 		error = file_has_perm(cred, file, FILE__GETATTR);
3617 		break;
3618 
3619 	case FS_IOC_SETFLAGS:
3620 	/* fall through */
3621 	case FS_IOC_SETVERSION:
3622 		error = file_has_perm(cred, file, FILE__SETATTR);
3623 		break;
3624 
3625 	/* sys_ioctl() checks */
3626 	case FIONBIO:
3627 	/* fall through */
3628 	case FIOASYNC:
3629 		error = file_has_perm(cred, file, 0);
3630 		break;
3631 
3632 	case KDSKBENT:
3633 	case KDSKBSENT:
3634 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3635 					    SECURITY_CAP_AUDIT, true);
3636 		break;
3637 
3638 	/* default case assumes that the command will go
3639 	 * to the file's ioctl() function.
3640 	 */
3641 	default:
3642 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3643 	}
3644 	return error;
3645 }
3646 
3647 static int default_noexec;
3648 
3649 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3650 {
3651 	const struct cred *cred = current_cred();
3652 	u32 sid = cred_sid(cred);
3653 	int rc = 0;
3654 
3655 	if (default_noexec &&
3656 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3657 				   (!shared && (prot & PROT_WRITE)))) {
3658 		/*
3659 		 * We are making executable an anonymous mapping or a
3660 		 * private file mapping that will also be writable.
3661 		 * This has an additional check.
3662 		 */
3663 		rc = avc_has_perm(&selinux_state,
3664 				  sid, sid, SECCLASS_PROCESS,
3665 				  PROCESS__EXECMEM, NULL);
3666 		if (rc)
3667 			goto error;
3668 	}
3669 
3670 	if (file) {
3671 		/* read access is always possible with a mapping */
3672 		u32 av = FILE__READ;
3673 
3674 		/* write access only matters if the mapping is shared */
3675 		if (shared && (prot & PROT_WRITE))
3676 			av |= FILE__WRITE;
3677 
3678 		if (prot & PROT_EXEC)
3679 			av |= FILE__EXECUTE;
3680 
3681 		return file_has_perm(cred, file, av);
3682 	}
3683 
3684 error:
3685 	return rc;
3686 }
3687 
3688 static int selinux_mmap_addr(unsigned long addr)
3689 {
3690 	int rc = 0;
3691 
3692 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3693 		u32 sid = current_sid();
3694 		rc = avc_has_perm(&selinux_state,
3695 				  sid, sid, SECCLASS_MEMPROTECT,
3696 				  MEMPROTECT__MMAP_ZERO, NULL);
3697 	}
3698 
3699 	return rc;
3700 }
3701 
3702 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3703 			     unsigned long prot, unsigned long flags)
3704 {
3705 	struct common_audit_data ad;
3706 	int rc;
3707 
3708 	if (file) {
3709 		ad.type = LSM_AUDIT_DATA_FILE;
3710 		ad.u.file = file;
3711 		rc = inode_has_perm(current_cred(), file_inode(file),
3712 				    FILE__MAP, &ad);
3713 		if (rc)
3714 			return rc;
3715 	}
3716 
3717 	if (selinux_state.checkreqprot)
3718 		prot = reqprot;
3719 
3720 	return file_map_prot_check(file, prot,
3721 				   (flags & MAP_TYPE) == MAP_SHARED);
3722 }
3723 
3724 static int selinux_file_mprotect(struct vm_area_struct *vma,
3725 				 unsigned long reqprot,
3726 				 unsigned long prot)
3727 {
3728 	const struct cred *cred = current_cred();
3729 	u32 sid = cred_sid(cred);
3730 
3731 	if (selinux_state.checkreqprot)
3732 		prot = reqprot;
3733 
3734 	if (default_noexec &&
3735 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3736 		int rc = 0;
3737 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3738 		    vma->vm_end <= vma->vm_mm->brk) {
3739 			rc = avc_has_perm(&selinux_state,
3740 					  sid, sid, SECCLASS_PROCESS,
3741 					  PROCESS__EXECHEAP, NULL);
3742 		} else if (!vma->vm_file &&
3743 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3744 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3745 			    vma_is_stack_for_current(vma))) {
3746 			rc = avc_has_perm(&selinux_state,
3747 					  sid, sid, SECCLASS_PROCESS,
3748 					  PROCESS__EXECSTACK, NULL);
3749 		} else if (vma->vm_file && vma->anon_vma) {
3750 			/*
3751 			 * We are making executable a file mapping that has
3752 			 * had some COW done. Since pages might have been
3753 			 * written, check ability to execute the possibly
3754 			 * modified content.  This typically should only
3755 			 * occur for text relocations.
3756 			 */
3757 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3758 		}
3759 		if (rc)
3760 			return rc;
3761 	}
3762 
3763 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3764 }
3765 
3766 static int selinux_file_lock(struct file *file, unsigned int cmd)
3767 {
3768 	const struct cred *cred = current_cred();
3769 
3770 	return file_has_perm(cred, file, FILE__LOCK);
3771 }
3772 
3773 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3774 			      unsigned long arg)
3775 {
3776 	const struct cred *cred = current_cred();
3777 	int err = 0;
3778 
3779 	switch (cmd) {
3780 	case F_SETFL:
3781 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3782 			err = file_has_perm(cred, file, FILE__WRITE);
3783 			break;
3784 		}
3785 		/* fall through */
3786 	case F_SETOWN:
3787 	case F_SETSIG:
3788 	case F_GETFL:
3789 	case F_GETOWN:
3790 	case F_GETSIG:
3791 	case F_GETOWNER_UIDS:
3792 		/* Just check FD__USE permission */
3793 		err = file_has_perm(cred, file, 0);
3794 		break;
3795 	case F_GETLK:
3796 	case F_SETLK:
3797 	case F_SETLKW:
3798 	case F_OFD_GETLK:
3799 	case F_OFD_SETLK:
3800 	case F_OFD_SETLKW:
3801 #if BITS_PER_LONG == 32
3802 	case F_GETLK64:
3803 	case F_SETLK64:
3804 	case F_SETLKW64:
3805 #endif
3806 		err = file_has_perm(cred, file, FILE__LOCK);
3807 		break;
3808 	}
3809 
3810 	return err;
3811 }
3812 
3813 static void selinux_file_set_fowner(struct file *file)
3814 {
3815 	struct file_security_struct *fsec;
3816 
3817 	fsec = file->f_security;
3818 	fsec->fown_sid = current_sid();
3819 }
3820 
3821 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3822 				       struct fown_struct *fown, int signum)
3823 {
3824 	struct file *file;
3825 	u32 sid = task_sid(tsk);
3826 	u32 perm;
3827 	struct file_security_struct *fsec;
3828 
3829 	/* struct fown_struct is never outside the context of a struct file */
3830 	file = container_of(fown, struct file, f_owner);
3831 
3832 	fsec = file->f_security;
3833 
3834 	if (!signum)
3835 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3836 	else
3837 		perm = signal_to_av(signum);
3838 
3839 	return avc_has_perm(&selinux_state,
3840 			    fsec->fown_sid, sid,
3841 			    SECCLASS_PROCESS, perm, NULL);
3842 }
3843 
3844 static int selinux_file_receive(struct file *file)
3845 {
3846 	const struct cred *cred = current_cred();
3847 
3848 	return file_has_perm(cred, file, file_to_av(file));
3849 }
3850 
3851 static int selinux_file_open(struct file *file, const struct cred *cred)
3852 {
3853 	struct file_security_struct *fsec;
3854 	struct inode_security_struct *isec;
3855 
3856 	fsec = file->f_security;
3857 	isec = inode_security(file_inode(file));
3858 	/*
3859 	 * Save inode label and policy sequence number
3860 	 * at open-time so that selinux_file_permission
3861 	 * can determine whether revalidation is necessary.
3862 	 * Task label is already saved in the file security
3863 	 * struct as its SID.
3864 	 */
3865 	fsec->isid = isec->sid;
3866 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3867 	/*
3868 	 * Since the inode label or policy seqno may have changed
3869 	 * between the selinux_inode_permission check and the saving
3870 	 * of state above, recheck that access is still permitted.
3871 	 * Otherwise, access might never be revalidated against the
3872 	 * new inode label or new policy.
3873 	 * This check is not redundant - do not remove.
3874 	 */
3875 	return file_path_has_perm(cred, file, open_file_to_av(file));
3876 }
3877 
3878 /* task security operations */
3879 
3880 static int selinux_task_alloc(struct task_struct *task,
3881 			      unsigned long clone_flags)
3882 {
3883 	u32 sid = current_sid();
3884 
3885 	return avc_has_perm(&selinux_state,
3886 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3887 }
3888 
3889 /*
3890  * allocate the SELinux part of blank credentials
3891  */
3892 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3893 {
3894 	struct task_security_struct *tsec;
3895 
3896 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3897 	if (!tsec)
3898 		return -ENOMEM;
3899 
3900 	cred->security = tsec;
3901 	return 0;
3902 }
3903 
3904 /*
3905  * detach and free the LSM part of a set of credentials
3906  */
3907 static void selinux_cred_free(struct cred *cred)
3908 {
3909 	struct task_security_struct *tsec = cred->security;
3910 
3911 	/*
3912 	 * cred->security == NULL if security_cred_alloc_blank() or
3913 	 * security_prepare_creds() returned an error.
3914 	 */
3915 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3916 	cred->security = (void *) 0x7UL;
3917 	kfree(tsec);
3918 }
3919 
3920 /*
3921  * prepare a new set of credentials for modification
3922  */
3923 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3924 				gfp_t gfp)
3925 {
3926 	const struct task_security_struct *old_tsec;
3927 	struct task_security_struct *tsec;
3928 
3929 	old_tsec = old->security;
3930 
3931 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3932 	if (!tsec)
3933 		return -ENOMEM;
3934 
3935 	new->security = tsec;
3936 	return 0;
3937 }
3938 
3939 /*
3940  * transfer the SELinux data to a blank set of creds
3941  */
3942 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3943 {
3944 	const struct task_security_struct *old_tsec = old->security;
3945 	struct task_security_struct *tsec = new->security;
3946 
3947 	*tsec = *old_tsec;
3948 }
3949 
3950 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3951 {
3952 	*secid = cred_sid(c);
3953 }
3954 
3955 /*
3956  * set the security data for a kernel service
3957  * - all the creation contexts are set to unlabelled
3958  */
3959 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3960 {
3961 	struct task_security_struct *tsec = new->security;
3962 	u32 sid = current_sid();
3963 	int ret;
3964 
3965 	ret = avc_has_perm(&selinux_state,
3966 			   sid, secid,
3967 			   SECCLASS_KERNEL_SERVICE,
3968 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3969 			   NULL);
3970 	if (ret == 0) {
3971 		tsec->sid = secid;
3972 		tsec->create_sid = 0;
3973 		tsec->keycreate_sid = 0;
3974 		tsec->sockcreate_sid = 0;
3975 	}
3976 	return ret;
3977 }
3978 
3979 /*
3980  * set the file creation context in a security record to the same as the
3981  * objective context of the specified inode
3982  */
3983 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3984 {
3985 	struct inode_security_struct *isec = inode_security(inode);
3986 	struct task_security_struct *tsec = new->security;
3987 	u32 sid = current_sid();
3988 	int ret;
3989 
3990 	ret = avc_has_perm(&selinux_state,
3991 			   sid, isec->sid,
3992 			   SECCLASS_KERNEL_SERVICE,
3993 			   KERNEL_SERVICE__CREATE_FILES_AS,
3994 			   NULL);
3995 
3996 	if (ret == 0)
3997 		tsec->create_sid = isec->sid;
3998 	return ret;
3999 }
4000 
4001 static int selinux_kernel_module_request(char *kmod_name)
4002 {
4003 	struct common_audit_data ad;
4004 
4005 	ad.type = LSM_AUDIT_DATA_KMOD;
4006 	ad.u.kmod_name = kmod_name;
4007 
4008 	return avc_has_perm(&selinux_state,
4009 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4010 			    SYSTEM__MODULE_REQUEST, &ad);
4011 }
4012 
4013 static int selinux_kernel_module_from_file(struct file *file)
4014 {
4015 	struct common_audit_data ad;
4016 	struct inode_security_struct *isec;
4017 	struct file_security_struct *fsec;
4018 	u32 sid = current_sid();
4019 	int rc;
4020 
4021 	/* init_module */
4022 	if (file == NULL)
4023 		return avc_has_perm(&selinux_state,
4024 				    sid, sid, SECCLASS_SYSTEM,
4025 					SYSTEM__MODULE_LOAD, NULL);
4026 
4027 	/* finit_module */
4028 
4029 	ad.type = LSM_AUDIT_DATA_FILE;
4030 	ad.u.file = file;
4031 
4032 	fsec = file->f_security;
4033 	if (sid != fsec->sid) {
4034 		rc = avc_has_perm(&selinux_state,
4035 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4036 		if (rc)
4037 			return rc;
4038 	}
4039 
4040 	isec = inode_security(file_inode(file));
4041 	return avc_has_perm(&selinux_state,
4042 			    sid, isec->sid, SECCLASS_SYSTEM,
4043 				SYSTEM__MODULE_LOAD, &ad);
4044 }
4045 
4046 static int selinux_kernel_read_file(struct file *file,
4047 				    enum kernel_read_file_id id)
4048 {
4049 	int rc = 0;
4050 
4051 	switch (id) {
4052 	case READING_MODULE:
4053 		rc = selinux_kernel_module_from_file(file);
4054 		break;
4055 	default:
4056 		break;
4057 	}
4058 
4059 	return rc;
4060 }
4061 
4062 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4063 {
4064 	return avc_has_perm(&selinux_state,
4065 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4066 			    PROCESS__SETPGID, NULL);
4067 }
4068 
4069 static int selinux_task_getpgid(struct task_struct *p)
4070 {
4071 	return avc_has_perm(&selinux_state,
4072 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4073 			    PROCESS__GETPGID, NULL);
4074 }
4075 
4076 static int selinux_task_getsid(struct task_struct *p)
4077 {
4078 	return avc_has_perm(&selinux_state,
4079 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4080 			    PROCESS__GETSESSION, NULL);
4081 }
4082 
4083 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4084 {
4085 	*secid = task_sid(p);
4086 }
4087 
4088 static int selinux_task_setnice(struct task_struct *p, int nice)
4089 {
4090 	return avc_has_perm(&selinux_state,
4091 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4092 			    PROCESS__SETSCHED, NULL);
4093 }
4094 
4095 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4096 {
4097 	return avc_has_perm(&selinux_state,
4098 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4099 			    PROCESS__SETSCHED, NULL);
4100 }
4101 
4102 static int selinux_task_getioprio(struct task_struct *p)
4103 {
4104 	return avc_has_perm(&selinux_state,
4105 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 			    PROCESS__GETSCHED, NULL);
4107 }
4108 
4109 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4110 				unsigned int flags)
4111 {
4112 	u32 av = 0;
4113 
4114 	if (!flags)
4115 		return 0;
4116 	if (flags & LSM_PRLIMIT_WRITE)
4117 		av |= PROCESS__SETRLIMIT;
4118 	if (flags & LSM_PRLIMIT_READ)
4119 		av |= PROCESS__GETRLIMIT;
4120 	return avc_has_perm(&selinux_state,
4121 			    cred_sid(cred), cred_sid(tcred),
4122 			    SECCLASS_PROCESS, av, NULL);
4123 }
4124 
4125 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4126 		struct rlimit *new_rlim)
4127 {
4128 	struct rlimit *old_rlim = p->signal->rlim + resource;
4129 
4130 	/* Control the ability to change the hard limit (whether
4131 	   lowering or raising it), so that the hard limit can
4132 	   later be used as a safe reset point for the soft limit
4133 	   upon context transitions.  See selinux_bprm_committing_creds. */
4134 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4135 		return avc_has_perm(&selinux_state,
4136 				    current_sid(), task_sid(p),
4137 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4138 
4139 	return 0;
4140 }
4141 
4142 static int selinux_task_setscheduler(struct task_struct *p)
4143 {
4144 	return avc_has_perm(&selinux_state,
4145 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4146 			    PROCESS__SETSCHED, NULL);
4147 }
4148 
4149 static int selinux_task_getscheduler(struct task_struct *p)
4150 {
4151 	return avc_has_perm(&selinux_state,
4152 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4153 			    PROCESS__GETSCHED, NULL);
4154 }
4155 
4156 static int selinux_task_movememory(struct task_struct *p)
4157 {
4158 	return avc_has_perm(&selinux_state,
4159 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4160 			    PROCESS__SETSCHED, NULL);
4161 }
4162 
4163 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4164 				int sig, const struct cred *cred)
4165 {
4166 	u32 secid;
4167 	u32 perm;
4168 
4169 	if (!sig)
4170 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4171 	else
4172 		perm = signal_to_av(sig);
4173 	if (!cred)
4174 		secid = current_sid();
4175 	else
4176 		secid = cred_sid(cred);
4177 	return avc_has_perm(&selinux_state,
4178 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4179 }
4180 
4181 static void selinux_task_to_inode(struct task_struct *p,
4182 				  struct inode *inode)
4183 {
4184 	struct inode_security_struct *isec = inode->i_security;
4185 	u32 sid = task_sid(p);
4186 
4187 	spin_lock(&isec->lock);
4188 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4189 	isec->sid = sid;
4190 	isec->initialized = LABEL_INITIALIZED;
4191 	spin_unlock(&isec->lock);
4192 }
4193 
4194 /* Returns error only if unable to parse addresses */
4195 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4196 			struct common_audit_data *ad, u8 *proto)
4197 {
4198 	int offset, ihlen, ret = -EINVAL;
4199 	struct iphdr _iph, *ih;
4200 
4201 	offset = skb_network_offset(skb);
4202 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4203 	if (ih == NULL)
4204 		goto out;
4205 
4206 	ihlen = ih->ihl * 4;
4207 	if (ihlen < sizeof(_iph))
4208 		goto out;
4209 
4210 	ad->u.net->v4info.saddr = ih->saddr;
4211 	ad->u.net->v4info.daddr = ih->daddr;
4212 	ret = 0;
4213 
4214 	if (proto)
4215 		*proto = ih->protocol;
4216 
4217 	switch (ih->protocol) {
4218 	case IPPROTO_TCP: {
4219 		struct tcphdr _tcph, *th;
4220 
4221 		if (ntohs(ih->frag_off) & IP_OFFSET)
4222 			break;
4223 
4224 		offset += ihlen;
4225 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4226 		if (th == NULL)
4227 			break;
4228 
4229 		ad->u.net->sport = th->source;
4230 		ad->u.net->dport = th->dest;
4231 		break;
4232 	}
4233 
4234 	case IPPROTO_UDP: {
4235 		struct udphdr _udph, *uh;
4236 
4237 		if (ntohs(ih->frag_off) & IP_OFFSET)
4238 			break;
4239 
4240 		offset += ihlen;
4241 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4242 		if (uh == NULL)
4243 			break;
4244 
4245 		ad->u.net->sport = uh->source;
4246 		ad->u.net->dport = uh->dest;
4247 		break;
4248 	}
4249 
4250 	case IPPROTO_DCCP: {
4251 		struct dccp_hdr _dccph, *dh;
4252 
4253 		if (ntohs(ih->frag_off) & IP_OFFSET)
4254 			break;
4255 
4256 		offset += ihlen;
4257 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4258 		if (dh == NULL)
4259 			break;
4260 
4261 		ad->u.net->sport = dh->dccph_sport;
4262 		ad->u.net->dport = dh->dccph_dport;
4263 		break;
4264 	}
4265 
4266 #if IS_ENABLED(CONFIG_IP_SCTP)
4267 	case IPPROTO_SCTP: {
4268 		struct sctphdr _sctph, *sh;
4269 
4270 		if (ntohs(ih->frag_off) & IP_OFFSET)
4271 			break;
4272 
4273 		offset += ihlen;
4274 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4275 		if (sh == NULL)
4276 			break;
4277 
4278 		ad->u.net->sport = sh->source;
4279 		ad->u.net->dport = sh->dest;
4280 		break;
4281 	}
4282 #endif
4283 	default:
4284 		break;
4285 	}
4286 out:
4287 	return ret;
4288 }
4289 
4290 #if IS_ENABLED(CONFIG_IPV6)
4291 
4292 /* Returns error only if unable to parse addresses */
4293 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4294 			struct common_audit_data *ad, u8 *proto)
4295 {
4296 	u8 nexthdr;
4297 	int ret = -EINVAL, offset;
4298 	struct ipv6hdr _ipv6h, *ip6;
4299 	__be16 frag_off;
4300 
4301 	offset = skb_network_offset(skb);
4302 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4303 	if (ip6 == NULL)
4304 		goto out;
4305 
4306 	ad->u.net->v6info.saddr = ip6->saddr;
4307 	ad->u.net->v6info.daddr = ip6->daddr;
4308 	ret = 0;
4309 
4310 	nexthdr = ip6->nexthdr;
4311 	offset += sizeof(_ipv6h);
4312 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4313 	if (offset < 0)
4314 		goto out;
4315 
4316 	if (proto)
4317 		*proto = nexthdr;
4318 
4319 	switch (nexthdr) {
4320 	case IPPROTO_TCP: {
4321 		struct tcphdr _tcph, *th;
4322 
4323 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4324 		if (th == NULL)
4325 			break;
4326 
4327 		ad->u.net->sport = th->source;
4328 		ad->u.net->dport = th->dest;
4329 		break;
4330 	}
4331 
4332 	case IPPROTO_UDP: {
4333 		struct udphdr _udph, *uh;
4334 
4335 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4336 		if (uh == NULL)
4337 			break;
4338 
4339 		ad->u.net->sport = uh->source;
4340 		ad->u.net->dport = uh->dest;
4341 		break;
4342 	}
4343 
4344 	case IPPROTO_DCCP: {
4345 		struct dccp_hdr _dccph, *dh;
4346 
4347 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4348 		if (dh == NULL)
4349 			break;
4350 
4351 		ad->u.net->sport = dh->dccph_sport;
4352 		ad->u.net->dport = dh->dccph_dport;
4353 		break;
4354 	}
4355 
4356 #if IS_ENABLED(CONFIG_IP_SCTP)
4357 	case IPPROTO_SCTP: {
4358 		struct sctphdr _sctph, *sh;
4359 
4360 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4361 		if (sh == NULL)
4362 			break;
4363 
4364 		ad->u.net->sport = sh->source;
4365 		ad->u.net->dport = sh->dest;
4366 		break;
4367 	}
4368 #endif
4369 	/* includes fragments */
4370 	default:
4371 		break;
4372 	}
4373 out:
4374 	return ret;
4375 }
4376 
4377 #endif /* IPV6 */
4378 
4379 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4380 			     char **_addrp, int src, u8 *proto)
4381 {
4382 	char *addrp;
4383 	int ret;
4384 
4385 	switch (ad->u.net->family) {
4386 	case PF_INET:
4387 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4388 		if (ret)
4389 			goto parse_error;
4390 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4391 				       &ad->u.net->v4info.daddr);
4392 		goto okay;
4393 
4394 #if IS_ENABLED(CONFIG_IPV6)
4395 	case PF_INET6:
4396 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4397 		if (ret)
4398 			goto parse_error;
4399 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4400 				       &ad->u.net->v6info.daddr);
4401 		goto okay;
4402 #endif	/* IPV6 */
4403 	default:
4404 		addrp = NULL;
4405 		goto okay;
4406 	}
4407 
4408 parse_error:
4409 	printk(KERN_WARNING
4410 	       "SELinux: failure in selinux_parse_skb(),"
4411 	       " unable to parse packet\n");
4412 	return ret;
4413 
4414 okay:
4415 	if (_addrp)
4416 		*_addrp = addrp;
4417 	return 0;
4418 }
4419 
4420 /**
4421  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4422  * @skb: the packet
4423  * @family: protocol family
4424  * @sid: the packet's peer label SID
4425  *
4426  * Description:
4427  * Check the various different forms of network peer labeling and determine
4428  * the peer label/SID for the packet; most of the magic actually occurs in
4429  * the security server function security_net_peersid_cmp().  The function
4430  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4431  * or -EACCES if @sid is invalid due to inconsistencies with the different
4432  * peer labels.
4433  *
4434  */
4435 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4436 {
4437 	int err;
4438 	u32 xfrm_sid;
4439 	u32 nlbl_sid;
4440 	u32 nlbl_type;
4441 
4442 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4443 	if (unlikely(err))
4444 		return -EACCES;
4445 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4446 	if (unlikely(err))
4447 		return -EACCES;
4448 
4449 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4450 					   nlbl_type, xfrm_sid, sid);
4451 	if (unlikely(err)) {
4452 		printk(KERN_WARNING
4453 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4454 		       " unable to determine packet's peer label\n");
4455 		return -EACCES;
4456 	}
4457 
4458 	return 0;
4459 }
4460 
4461 /**
4462  * selinux_conn_sid - Determine the child socket label for a connection
4463  * @sk_sid: the parent socket's SID
4464  * @skb_sid: the packet's SID
4465  * @conn_sid: the resulting connection SID
4466  *
4467  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4468  * combined with the MLS information from @skb_sid in order to create
4469  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4470  * of @sk_sid.  Returns zero on success, negative values on failure.
4471  *
4472  */
4473 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4474 {
4475 	int err = 0;
4476 
4477 	if (skb_sid != SECSID_NULL)
4478 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4479 					    conn_sid);
4480 	else
4481 		*conn_sid = sk_sid;
4482 
4483 	return err;
4484 }
4485 
4486 /* socket security operations */
4487 
4488 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4489 				 u16 secclass, u32 *socksid)
4490 {
4491 	if (tsec->sockcreate_sid > SECSID_NULL) {
4492 		*socksid = tsec->sockcreate_sid;
4493 		return 0;
4494 	}
4495 
4496 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4497 				       secclass, NULL, socksid);
4498 }
4499 
4500 static int sock_has_perm(struct sock *sk, u32 perms)
4501 {
4502 	struct sk_security_struct *sksec = sk->sk_security;
4503 	struct common_audit_data ad;
4504 	struct lsm_network_audit net = {0,};
4505 
4506 	if (sksec->sid == SECINITSID_KERNEL)
4507 		return 0;
4508 
4509 	ad.type = LSM_AUDIT_DATA_NET;
4510 	ad.u.net = &net;
4511 	ad.u.net->sk = sk;
4512 
4513 	return avc_has_perm(&selinux_state,
4514 			    current_sid(), sksec->sid, sksec->sclass, perms,
4515 			    &ad);
4516 }
4517 
4518 static int selinux_socket_create(int family, int type,
4519 				 int protocol, int kern)
4520 {
4521 	const struct task_security_struct *tsec = current_security();
4522 	u32 newsid;
4523 	u16 secclass;
4524 	int rc;
4525 
4526 	if (kern)
4527 		return 0;
4528 
4529 	secclass = socket_type_to_security_class(family, type, protocol);
4530 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4531 	if (rc)
4532 		return rc;
4533 
4534 	return avc_has_perm(&selinux_state,
4535 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4536 }
4537 
4538 static int selinux_socket_post_create(struct socket *sock, int family,
4539 				      int type, int protocol, int kern)
4540 {
4541 	const struct task_security_struct *tsec = current_security();
4542 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4543 	struct sk_security_struct *sksec;
4544 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4545 	u32 sid = SECINITSID_KERNEL;
4546 	int err = 0;
4547 
4548 	if (!kern) {
4549 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4550 		if (err)
4551 			return err;
4552 	}
4553 
4554 	isec->sclass = sclass;
4555 	isec->sid = sid;
4556 	isec->initialized = LABEL_INITIALIZED;
4557 
4558 	if (sock->sk) {
4559 		sksec = sock->sk->sk_security;
4560 		sksec->sclass = sclass;
4561 		sksec->sid = sid;
4562 		/* Allows detection of the first association on this socket */
4563 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4564 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4565 
4566 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4567 	}
4568 
4569 	return err;
4570 }
4571 
4572 /* Range of port numbers used to automatically bind.
4573    Need to determine whether we should perform a name_bind
4574    permission check between the socket and the port number. */
4575 
4576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4577 {
4578 	struct sock *sk = sock->sk;
4579 	u16 family;
4580 	int err;
4581 
4582 	err = sock_has_perm(sk, SOCKET__BIND);
4583 	if (err)
4584 		goto out;
4585 
4586 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4587 	family = sk->sk_family;
4588 	if (family == PF_INET || family == PF_INET6) {
4589 		char *addrp;
4590 		struct sk_security_struct *sksec = sk->sk_security;
4591 		struct common_audit_data ad;
4592 		struct lsm_network_audit net = {0,};
4593 		struct sockaddr_in *addr4 = NULL;
4594 		struct sockaddr_in6 *addr6 = NULL;
4595 		unsigned short snum;
4596 		u32 sid, node_perm;
4597 
4598 		/*
4599 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4600 		 * that validates multiple binding addresses. Because of this
4601 		 * need to check address->sa_family as it is possible to have
4602 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4603 		 */
4604 		switch (address->sa_family) {
4605 		case AF_INET:
4606 			if (addrlen < sizeof(struct sockaddr_in))
4607 				return -EINVAL;
4608 			addr4 = (struct sockaddr_in *)address;
4609 			snum = ntohs(addr4->sin_port);
4610 			addrp = (char *)&addr4->sin_addr.s_addr;
4611 			break;
4612 		case AF_INET6:
4613 			if (addrlen < SIN6_LEN_RFC2133)
4614 				return -EINVAL;
4615 			addr6 = (struct sockaddr_in6 *)address;
4616 			snum = ntohs(addr6->sin6_port);
4617 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4618 			break;
4619 		default:
4620 			/* Note that SCTP services expect -EINVAL, whereas
4621 			 * others expect -EAFNOSUPPORT.
4622 			 */
4623 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4624 				return -EINVAL;
4625 			else
4626 				return -EAFNOSUPPORT;
4627 		}
4628 
4629 		if (snum) {
4630 			int low, high;
4631 
4632 			inet_get_local_port_range(sock_net(sk), &low, &high);
4633 
4634 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4635 			    snum > high) {
4636 				err = sel_netport_sid(sk->sk_protocol,
4637 						      snum, &sid);
4638 				if (err)
4639 					goto out;
4640 				ad.type = LSM_AUDIT_DATA_NET;
4641 				ad.u.net = &net;
4642 				ad.u.net->sport = htons(snum);
4643 				ad.u.net->family = family;
4644 				err = avc_has_perm(&selinux_state,
4645 						   sksec->sid, sid,
4646 						   sksec->sclass,
4647 						   SOCKET__NAME_BIND, &ad);
4648 				if (err)
4649 					goto out;
4650 			}
4651 		}
4652 
4653 		switch (sksec->sclass) {
4654 		case SECCLASS_TCP_SOCKET:
4655 			node_perm = TCP_SOCKET__NODE_BIND;
4656 			break;
4657 
4658 		case SECCLASS_UDP_SOCKET:
4659 			node_perm = UDP_SOCKET__NODE_BIND;
4660 			break;
4661 
4662 		case SECCLASS_DCCP_SOCKET:
4663 			node_perm = DCCP_SOCKET__NODE_BIND;
4664 			break;
4665 
4666 		case SECCLASS_SCTP_SOCKET:
4667 			node_perm = SCTP_SOCKET__NODE_BIND;
4668 			break;
4669 
4670 		default:
4671 			node_perm = RAWIP_SOCKET__NODE_BIND;
4672 			break;
4673 		}
4674 
4675 		err = sel_netnode_sid(addrp, family, &sid);
4676 		if (err)
4677 			goto out;
4678 
4679 		ad.type = LSM_AUDIT_DATA_NET;
4680 		ad.u.net = &net;
4681 		ad.u.net->sport = htons(snum);
4682 		ad.u.net->family = family;
4683 
4684 		if (address->sa_family == AF_INET)
4685 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4686 		else
4687 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4688 
4689 		err = avc_has_perm(&selinux_state,
4690 				   sksec->sid, sid,
4691 				   sksec->sclass, node_perm, &ad);
4692 		if (err)
4693 			goto out;
4694 	}
4695 out:
4696 	return err;
4697 }
4698 
4699 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4700  * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4701  */
4702 static int selinux_socket_connect_helper(struct socket *sock,
4703 					 struct sockaddr *address, int addrlen)
4704 {
4705 	struct sock *sk = sock->sk;
4706 	struct sk_security_struct *sksec = sk->sk_security;
4707 	int err;
4708 
4709 	err = sock_has_perm(sk, SOCKET__CONNECT);
4710 	if (err)
4711 		return err;
4712 
4713 	/*
4714 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4715 	 * for the port.
4716 	 */
4717 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4718 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4719 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4720 		struct common_audit_data ad;
4721 		struct lsm_network_audit net = {0,};
4722 		struct sockaddr_in *addr4 = NULL;
4723 		struct sockaddr_in6 *addr6 = NULL;
4724 		unsigned short snum;
4725 		u32 sid, perm;
4726 
4727 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4728 		 * that validates multiple connect addresses. Because of this
4729 		 * need to check address->sa_family as it is possible to have
4730 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4731 		 */
4732 		switch (address->sa_family) {
4733 		case AF_INET:
4734 			addr4 = (struct sockaddr_in *)address;
4735 			if (addrlen < sizeof(struct sockaddr_in))
4736 				return -EINVAL;
4737 			snum = ntohs(addr4->sin_port);
4738 			break;
4739 		case AF_INET6:
4740 			addr6 = (struct sockaddr_in6 *)address;
4741 			if (addrlen < SIN6_LEN_RFC2133)
4742 				return -EINVAL;
4743 			snum = ntohs(addr6->sin6_port);
4744 			break;
4745 		default:
4746 			/* Note that SCTP services expect -EINVAL, whereas
4747 			 * others expect -EAFNOSUPPORT.
4748 			 */
4749 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 				return -EINVAL;
4751 			else
4752 				return -EAFNOSUPPORT;
4753 		}
4754 
4755 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4756 		if (err)
4757 			return err;
4758 
4759 		switch (sksec->sclass) {
4760 		case SECCLASS_TCP_SOCKET:
4761 			perm = TCP_SOCKET__NAME_CONNECT;
4762 			break;
4763 		case SECCLASS_DCCP_SOCKET:
4764 			perm = DCCP_SOCKET__NAME_CONNECT;
4765 			break;
4766 		case SECCLASS_SCTP_SOCKET:
4767 			perm = SCTP_SOCKET__NAME_CONNECT;
4768 			break;
4769 		}
4770 
4771 		ad.type = LSM_AUDIT_DATA_NET;
4772 		ad.u.net = &net;
4773 		ad.u.net->dport = htons(snum);
4774 		ad.u.net->family = sk->sk_family;
4775 		err = avc_has_perm(&selinux_state,
4776 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4777 		if (err)
4778 			return err;
4779 	}
4780 
4781 	return 0;
4782 }
4783 
4784 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4785 static int selinux_socket_connect(struct socket *sock,
4786 				  struct sockaddr *address, int addrlen)
4787 {
4788 	int err;
4789 	struct sock *sk = sock->sk;
4790 
4791 	err = selinux_socket_connect_helper(sock, address, addrlen);
4792 	if (err)
4793 		return err;
4794 
4795 	return selinux_netlbl_socket_connect(sk, address);
4796 }
4797 
4798 static int selinux_socket_listen(struct socket *sock, int backlog)
4799 {
4800 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4801 }
4802 
4803 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4804 {
4805 	int err;
4806 	struct inode_security_struct *isec;
4807 	struct inode_security_struct *newisec;
4808 	u16 sclass;
4809 	u32 sid;
4810 
4811 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4812 	if (err)
4813 		return err;
4814 
4815 	isec = inode_security_novalidate(SOCK_INODE(sock));
4816 	spin_lock(&isec->lock);
4817 	sclass = isec->sclass;
4818 	sid = isec->sid;
4819 	spin_unlock(&isec->lock);
4820 
4821 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4822 	newisec->sclass = sclass;
4823 	newisec->sid = sid;
4824 	newisec->initialized = LABEL_INITIALIZED;
4825 
4826 	return 0;
4827 }
4828 
4829 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4830 				  int size)
4831 {
4832 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4833 }
4834 
4835 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4836 				  int size, int flags)
4837 {
4838 	return sock_has_perm(sock->sk, SOCKET__READ);
4839 }
4840 
4841 static int selinux_socket_getsockname(struct socket *sock)
4842 {
4843 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4844 }
4845 
4846 static int selinux_socket_getpeername(struct socket *sock)
4847 {
4848 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4849 }
4850 
4851 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4852 {
4853 	int err;
4854 
4855 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4856 	if (err)
4857 		return err;
4858 
4859 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4860 }
4861 
4862 static int selinux_socket_getsockopt(struct socket *sock, int level,
4863 				     int optname)
4864 {
4865 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4866 }
4867 
4868 static int selinux_socket_shutdown(struct socket *sock, int how)
4869 {
4870 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4871 }
4872 
4873 static int selinux_socket_unix_stream_connect(struct sock *sock,
4874 					      struct sock *other,
4875 					      struct sock *newsk)
4876 {
4877 	struct sk_security_struct *sksec_sock = sock->sk_security;
4878 	struct sk_security_struct *sksec_other = other->sk_security;
4879 	struct sk_security_struct *sksec_new = newsk->sk_security;
4880 	struct common_audit_data ad;
4881 	struct lsm_network_audit net = {0,};
4882 	int err;
4883 
4884 	ad.type = LSM_AUDIT_DATA_NET;
4885 	ad.u.net = &net;
4886 	ad.u.net->sk = other;
4887 
4888 	err = avc_has_perm(&selinux_state,
4889 			   sksec_sock->sid, sksec_other->sid,
4890 			   sksec_other->sclass,
4891 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4892 	if (err)
4893 		return err;
4894 
4895 	/* server child socket */
4896 	sksec_new->peer_sid = sksec_sock->sid;
4897 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4898 				    sksec_sock->sid, &sksec_new->sid);
4899 	if (err)
4900 		return err;
4901 
4902 	/* connecting socket */
4903 	sksec_sock->peer_sid = sksec_new->sid;
4904 
4905 	return 0;
4906 }
4907 
4908 static int selinux_socket_unix_may_send(struct socket *sock,
4909 					struct socket *other)
4910 {
4911 	struct sk_security_struct *ssec = sock->sk->sk_security;
4912 	struct sk_security_struct *osec = other->sk->sk_security;
4913 	struct common_audit_data ad;
4914 	struct lsm_network_audit net = {0,};
4915 
4916 	ad.type = LSM_AUDIT_DATA_NET;
4917 	ad.u.net = &net;
4918 	ad.u.net->sk = other->sk;
4919 
4920 	return avc_has_perm(&selinux_state,
4921 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4922 			    &ad);
4923 }
4924 
4925 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4926 				    char *addrp, u16 family, u32 peer_sid,
4927 				    struct common_audit_data *ad)
4928 {
4929 	int err;
4930 	u32 if_sid;
4931 	u32 node_sid;
4932 
4933 	err = sel_netif_sid(ns, ifindex, &if_sid);
4934 	if (err)
4935 		return err;
4936 	err = avc_has_perm(&selinux_state,
4937 			   peer_sid, if_sid,
4938 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4939 	if (err)
4940 		return err;
4941 
4942 	err = sel_netnode_sid(addrp, family, &node_sid);
4943 	if (err)
4944 		return err;
4945 	return avc_has_perm(&selinux_state,
4946 			    peer_sid, node_sid,
4947 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4948 }
4949 
4950 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4951 				       u16 family)
4952 {
4953 	int err = 0;
4954 	struct sk_security_struct *sksec = sk->sk_security;
4955 	u32 sk_sid = sksec->sid;
4956 	struct common_audit_data ad;
4957 	struct lsm_network_audit net = {0,};
4958 	char *addrp;
4959 
4960 	ad.type = LSM_AUDIT_DATA_NET;
4961 	ad.u.net = &net;
4962 	ad.u.net->netif = skb->skb_iif;
4963 	ad.u.net->family = family;
4964 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4965 	if (err)
4966 		return err;
4967 
4968 	if (selinux_secmark_enabled()) {
4969 		err = avc_has_perm(&selinux_state,
4970 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4971 				   PACKET__RECV, &ad);
4972 		if (err)
4973 			return err;
4974 	}
4975 
4976 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4977 	if (err)
4978 		return err;
4979 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4980 
4981 	return err;
4982 }
4983 
4984 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4985 {
4986 	int err;
4987 	struct sk_security_struct *sksec = sk->sk_security;
4988 	u16 family = sk->sk_family;
4989 	u32 sk_sid = sksec->sid;
4990 	struct common_audit_data ad;
4991 	struct lsm_network_audit net = {0,};
4992 	char *addrp;
4993 	u8 secmark_active;
4994 	u8 peerlbl_active;
4995 
4996 	if (family != PF_INET && family != PF_INET6)
4997 		return 0;
4998 
4999 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5000 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5001 		family = PF_INET;
5002 
5003 	/* If any sort of compatibility mode is enabled then handoff processing
5004 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5005 	 * special handling.  We do this in an attempt to keep this function
5006 	 * as fast and as clean as possible. */
5007 	if (!selinux_policycap_netpeer())
5008 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5009 
5010 	secmark_active = selinux_secmark_enabled();
5011 	peerlbl_active = selinux_peerlbl_enabled();
5012 	if (!secmark_active && !peerlbl_active)
5013 		return 0;
5014 
5015 	ad.type = LSM_AUDIT_DATA_NET;
5016 	ad.u.net = &net;
5017 	ad.u.net->netif = skb->skb_iif;
5018 	ad.u.net->family = family;
5019 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5020 	if (err)
5021 		return err;
5022 
5023 	if (peerlbl_active) {
5024 		u32 peer_sid;
5025 
5026 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5027 		if (err)
5028 			return err;
5029 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5030 					       addrp, family, peer_sid, &ad);
5031 		if (err) {
5032 			selinux_netlbl_err(skb, family, err, 0);
5033 			return err;
5034 		}
5035 		err = avc_has_perm(&selinux_state,
5036 				   sk_sid, peer_sid, SECCLASS_PEER,
5037 				   PEER__RECV, &ad);
5038 		if (err) {
5039 			selinux_netlbl_err(skb, family, err, 0);
5040 			return err;
5041 		}
5042 	}
5043 
5044 	if (secmark_active) {
5045 		err = avc_has_perm(&selinux_state,
5046 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5047 				   PACKET__RECV, &ad);
5048 		if (err)
5049 			return err;
5050 	}
5051 
5052 	return err;
5053 }
5054 
5055 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5056 					    int __user *optlen, unsigned len)
5057 {
5058 	int err = 0;
5059 	char *scontext;
5060 	u32 scontext_len;
5061 	struct sk_security_struct *sksec = sock->sk->sk_security;
5062 	u32 peer_sid = SECSID_NULL;
5063 
5064 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5065 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5066 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5067 		peer_sid = sksec->peer_sid;
5068 	if (peer_sid == SECSID_NULL)
5069 		return -ENOPROTOOPT;
5070 
5071 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5072 				      &scontext_len);
5073 	if (err)
5074 		return err;
5075 
5076 	if (scontext_len > len) {
5077 		err = -ERANGE;
5078 		goto out_len;
5079 	}
5080 
5081 	if (copy_to_user(optval, scontext, scontext_len))
5082 		err = -EFAULT;
5083 
5084 out_len:
5085 	if (put_user(scontext_len, optlen))
5086 		err = -EFAULT;
5087 	kfree(scontext);
5088 	return err;
5089 }
5090 
5091 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5092 {
5093 	u32 peer_secid = SECSID_NULL;
5094 	u16 family;
5095 	struct inode_security_struct *isec;
5096 
5097 	if (skb && skb->protocol == htons(ETH_P_IP))
5098 		family = PF_INET;
5099 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5100 		family = PF_INET6;
5101 	else if (sock)
5102 		family = sock->sk->sk_family;
5103 	else
5104 		goto out;
5105 
5106 	if (sock && family == PF_UNIX) {
5107 		isec = inode_security_novalidate(SOCK_INODE(sock));
5108 		peer_secid = isec->sid;
5109 	} else if (skb)
5110 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5111 
5112 out:
5113 	*secid = peer_secid;
5114 	if (peer_secid == SECSID_NULL)
5115 		return -EINVAL;
5116 	return 0;
5117 }
5118 
5119 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5120 {
5121 	struct sk_security_struct *sksec;
5122 
5123 	sksec = kzalloc(sizeof(*sksec), priority);
5124 	if (!sksec)
5125 		return -ENOMEM;
5126 
5127 	sksec->peer_sid = SECINITSID_UNLABELED;
5128 	sksec->sid = SECINITSID_UNLABELED;
5129 	sksec->sclass = SECCLASS_SOCKET;
5130 	selinux_netlbl_sk_security_reset(sksec);
5131 	sk->sk_security = sksec;
5132 
5133 	return 0;
5134 }
5135 
5136 static void selinux_sk_free_security(struct sock *sk)
5137 {
5138 	struct sk_security_struct *sksec = sk->sk_security;
5139 
5140 	sk->sk_security = NULL;
5141 	selinux_netlbl_sk_security_free(sksec);
5142 	kfree(sksec);
5143 }
5144 
5145 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5146 {
5147 	struct sk_security_struct *sksec = sk->sk_security;
5148 	struct sk_security_struct *newsksec = newsk->sk_security;
5149 
5150 	newsksec->sid = sksec->sid;
5151 	newsksec->peer_sid = sksec->peer_sid;
5152 	newsksec->sclass = sksec->sclass;
5153 
5154 	selinux_netlbl_sk_security_reset(newsksec);
5155 }
5156 
5157 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5158 {
5159 	if (!sk)
5160 		*secid = SECINITSID_ANY_SOCKET;
5161 	else {
5162 		struct sk_security_struct *sksec = sk->sk_security;
5163 
5164 		*secid = sksec->sid;
5165 	}
5166 }
5167 
5168 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5169 {
5170 	struct inode_security_struct *isec =
5171 		inode_security_novalidate(SOCK_INODE(parent));
5172 	struct sk_security_struct *sksec = sk->sk_security;
5173 
5174 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5175 	    sk->sk_family == PF_UNIX)
5176 		isec->sid = sksec->sid;
5177 	sksec->sclass = isec->sclass;
5178 }
5179 
5180 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5181  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5182  * already present).
5183  */
5184 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5185 				      struct sk_buff *skb)
5186 {
5187 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5188 	struct common_audit_data ad;
5189 	struct lsm_network_audit net = {0,};
5190 	u8 peerlbl_active;
5191 	u32 peer_sid = SECINITSID_UNLABELED;
5192 	u32 conn_sid;
5193 	int err = 0;
5194 
5195 	if (!selinux_policycap_extsockclass())
5196 		return 0;
5197 
5198 	peerlbl_active = selinux_peerlbl_enabled();
5199 
5200 	if (peerlbl_active) {
5201 		/* This will return peer_sid = SECSID_NULL if there are
5202 		 * no peer labels, see security_net_peersid_resolve().
5203 		 */
5204 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5205 					      &peer_sid);
5206 		if (err)
5207 			return err;
5208 
5209 		if (peer_sid == SECSID_NULL)
5210 			peer_sid = SECINITSID_UNLABELED;
5211 	}
5212 
5213 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5214 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5215 
5216 		/* Here as first association on socket. As the peer SID
5217 		 * was allowed by peer recv (and the netif/node checks),
5218 		 * then it is approved by policy and used as the primary
5219 		 * peer SID for getpeercon(3).
5220 		 */
5221 		sksec->peer_sid = peer_sid;
5222 	} else if  (sksec->peer_sid != peer_sid) {
5223 		/* Other association peer SIDs are checked to enforce
5224 		 * consistency among the peer SIDs.
5225 		 */
5226 		ad.type = LSM_AUDIT_DATA_NET;
5227 		ad.u.net = &net;
5228 		ad.u.net->sk = ep->base.sk;
5229 		err = avc_has_perm(&selinux_state,
5230 				   sksec->peer_sid, peer_sid, sksec->sclass,
5231 				   SCTP_SOCKET__ASSOCIATION, &ad);
5232 		if (err)
5233 			return err;
5234 	}
5235 
5236 	/* Compute the MLS component for the connection and store
5237 	 * the information in ep. This will be used by SCTP TCP type
5238 	 * sockets and peeled off connections as they cause a new
5239 	 * socket to be generated. selinux_sctp_sk_clone() will then
5240 	 * plug this into the new socket.
5241 	 */
5242 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5243 	if (err)
5244 		return err;
5245 
5246 	ep->secid = conn_sid;
5247 	ep->peer_secid = peer_sid;
5248 
5249 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5250 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5251 }
5252 
5253 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5254  * based on their @optname.
5255  */
5256 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5257 				     struct sockaddr *address,
5258 				     int addrlen)
5259 {
5260 	int len, err = 0, walk_size = 0;
5261 	void *addr_buf;
5262 	struct sockaddr *addr;
5263 	struct socket *sock;
5264 
5265 	if (!selinux_policycap_extsockclass())
5266 		return 0;
5267 
5268 	/* Process one or more addresses that may be IPv4 or IPv6 */
5269 	sock = sk->sk_socket;
5270 	addr_buf = address;
5271 
5272 	while (walk_size < addrlen) {
5273 		addr = addr_buf;
5274 		switch (addr->sa_family) {
5275 		case AF_INET:
5276 			len = sizeof(struct sockaddr_in);
5277 			break;
5278 		case AF_INET6:
5279 			len = sizeof(struct sockaddr_in6);
5280 			break;
5281 		default:
5282 			return -EAFNOSUPPORT;
5283 		}
5284 
5285 		err = -EINVAL;
5286 		switch (optname) {
5287 		/* Bind checks */
5288 		case SCTP_PRIMARY_ADDR:
5289 		case SCTP_SET_PEER_PRIMARY_ADDR:
5290 		case SCTP_SOCKOPT_BINDX_ADD:
5291 			err = selinux_socket_bind(sock, addr, len);
5292 			break;
5293 		/* Connect checks */
5294 		case SCTP_SOCKOPT_CONNECTX:
5295 		case SCTP_PARAM_SET_PRIMARY:
5296 		case SCTP_PARAM_ADD_IP:
5297 		case SCTP_SENDMSG_CONNECT:
5298 			err = selinux_socket_connect_helper(sock, addr, len);
5299 			if (err)
5300 				return err;
5301 
5302 			/* As selinux_sctp_bind_connect() is called by the
5303 			 * SCTP protocol layer, the socket is already locked,
5304 			 * therefore selinux_netlbl_socket_connect_locked() is
5305 			 * is called here. The situations handled are:
5306 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5307 			 * whenever a new IP address is added or when a new
5308 			 * primary address is selected.
5309 			 * Note that an SCTP connect(2) call happens before
5310 			 * the SCTP protocol layer and is handled via
5311 			 * selinux_socket_connect().
5312 			 */
5313 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5314 			break;
5315 		}
5316 
5317 		if (err)
5318 			return err;
5319 
5320 		addr_buf += len;
5321 		walk_size += len;
5322 	}
5323 
5324 	return 0;
5325 }
5326 
5327 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5328 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5329 				  struct sock *newsk)
5330 {
5331 	struct sk_security_struct *sksec = sk->sk_security;
5332 	struct sk_security_struct *newsksec = newsk->sk_security;
5333 
5334 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5335 	 * the non-sctp clone version.
5336 	 */
5337 	if (!selinux_policycap_extsockclass())
5338 		return selinux_sk_clone_security(sk, newsk);
5339 
5340 	newsksec->sid = ep->secid;
5341 	newsksec->peer_sid = ep->peer_secid;
5342 	newsksec->sclass = sksec->sclass;
5343 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5344 }
5345 
5346 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5347 				     struct request_sock *req)
5348 {
5349 	struct sk_security_struct *sksec = sk->sk_security;
5350 	int err;
5351 	u16 family = req->rsk_ops->family;
5352 	u32 connsid;
5353 	u32 peersid;
5354 
5355 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5356 	if (err)
5357 		return err;
5358 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5359 	if (err)
5360 		return err;
5361 	req->secid = connsid;
5362 	req->peer_secid = peersid;
5363 
5364 	return selinux_netlbl_inet_conn_request(req, family);
5365 }
5366 
5367 static void selinux_inet_csk_clone(struct sock *newsk,
5368 				   const struct request_sock *req)
5369 {
5370 	struct sk_security_struct *newsksec = newsk->sk_security;
5371 
5372 	newsksec->sid = req->secid;
5373 	newsksec->peer_sid = req->peer_secid;
5374 	/* NOTE: Ideally, we should also get the isec->sid for the
5375 	   new socket in sync, but we don't have the isec available yet.
5376 	   So we will wait until sock_graft to do it, by which
5377 	   time it will have been created and available. */
5378 
5379 	/* We don't need to take any sort of lock here as we are the only
5380 	 * thread with access to newsksec */
5381 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5382 }
5383 
5384 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5385 {
5386 	u16 family = sk->sk_family;
5387 	struct sk_security_struct *sksec = sk->sk_security;
5388 
5389 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5390 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5391 		family = PF_INET;
5392 
5393 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5394 }
5395 
5396 static int selinux_secmark_relabel_packet(u32 sid)
5397 {
5398 	const struct task_security_struct *__tsec;
5399 	u32 tsid;
5400 
5401 	__tsec = current_security();
5402 	tsid = __tsec->sid;
5403 
5404 	return avc_has_perm(&selinux_state,
5405 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5406 			    NULL);
5407 }
5408 
5409 static void selinux_secmark_refcount_inc(void)
5410 {
5411 	atomic_inc(&selinux_secmark_refcount);
5412 }
5413 
5414 static void selinux_secmark_refcount_dec(void)
5415 {
5416 	atomic_dec(&selinux_secmark_refcount);
5417 }
5418 
5419 static void selinux_req_classify_flow(const struct request_sock *req,
5420 				      struct flowi *fl)
5421 {
5422 	fl->flowi_secid = req->secid;
5423 }
5424 
5425 static int selinux_tun_dev_alloc_security(void **security)
5426 {
5427 	struct tun_security_struct *tunsec;
5428 
5429 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5430 	if (!tunsec)
5431 		return -ENOMEM;
5432 	tunsec->sid = current_sid();
5433 
5434 	*security = tunsec;
5435 	return 0;
5436 }
5437 
5438 static void selinux_tun_dev_free_security(void *security)
5439 {
5440 	kfree(security);
5441 }
5442 
5443 static int selinux_tun_dev_create(void)
5444 {
5445 	u32 sid = current_sid();
5446 
5447 	/* we aren't taking into account the "sockcreate" SID since the socket
5448 	 * that is being created here is not a socket in the traditional sense,
5449 	 * instead it is a private sock, accessible only to the kernel, and
5450 	 * representing a wide range of network traffic spanning multiple
5451 	 * connections unlike traditional sockets - check the TUN driver to
5452 	 * get a better understanding of why this socket is special */
5453 
5454 	return avc_has_perm(&selinux_state,
5455 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5456 			    NULL);
5457 }
5458 
5459 static int selinux_tun_dev_attach_queue(void *security)
5460 {
5461 	struct tun_security_struct *tunsec = security;
5462 
5463 	return avc_has_perm(&selinux_state,
5464 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5465 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5466 }
5467 
5468 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5469 {
5470 	struct tun_security_struct *tunsec = security;
5471 	struct sk_security_struct *sksec = sk->sk_security;
5472 
5473 	/* we don't currently perform any NetLabel based labeling here and it
5474 	 * isn't clear that we would want to do so anyway; while we could apply
5475 	 * labeling without the support of the TUN user the resulting labeled
5476 	 * traffic from the other end of the connection would almost certainly
5477 	 * cause confusion to the TUN user that had no idea network labeling
5478 	 * protocols were being used */
5479 
5480 	sksec->sid = tunsec->sid;
5481 	sksec->sclass = SECCLASS_TUN_SOCKET;
5482 
5483 	return 0;
5484 }
5485 
5486 static int selinux_tun_dev_open(void *security)
5487 {
5488 	struct tun_security_struct *tunsec = security;
5489 	u32 sid = current_sid();
5490 	int err;
5491 
5492 	err = avc_has_perm(&selinux_state,
5493 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5494 			   TUN_SOCKET__RELABELFROM, NULL);
5495 	if (err)
5496 		return err;
5497 	err = avc_has_perm(&selinux_state,
5498 			   sid, sid, SECCLASS_TUN_SOCKET,
5499 			   TUN_SOCKET__RELABELTO, NULL);
5500 	if (err)
5501 		return err;
5502 	tunsec->sid = sid;
5503 
5504 	return 0;
5505 }
5506 
5507 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5508 {
5509 	int err = 0;
5510 	u32 perm;
5511 	struct nlmsghdr *nlh;
5512 	struct sk_security_struct *sksec = sk->sk_security;
5513 
5514 	if (skb->len < NLMSG_HDRLEN) {
5515 		err = -EINVAL;
5516 		goto out;
5517 	}
5518 	nlh = nlmsg_hdr(skb);
5519 
5520 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5521 	if (err) {
5522 		if (err == -EINVAL) {
5523 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5524 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5525 			       " pig=%d comm=%s\n",
5526 			       sk->sk_protocol, nlh->nlmsg_type,
5527 			       secclass_map[sksec->sclass - 1].name,
5528 			       task_pid_nr(current), current->comm);
5529 			if (!enforcing_enabled(&selinux_state) ||
5530 			    security_get_allow_unknown(&selinux_state))
5531 				err = 0;
5532 		}
5533 
5534 		/* Ignore */
5535 		if (err == -ENOENT)
5536 			err = 0;
5537 		goto out;
5538 	}
5539 
5540 	err = sock_has_perm(sk, perm);
5541 out:
5542 	return err;
5543 }
5544 
5545 #ifdef CONFIG_NETFILTER
5546 
5547 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5548 				       const struct net_device *indev,
5549 				       u16 family)
5550 {
5551 	int err;
5552 	char *addrp;
5553 	u32 peer_sid;
5554 	struct common_audit_data ad;
5555 	struct lsm_network_audit net = {0,};
5556 	u8 secmark_active;
5557 	u8 netlbl_active;
5558 	u8 peerlbl_active;
5559 
5560 	if (!selinux_policycap_netpeer())
5561 		return NF_ACCEPT;
5562 
5563 	secmark_active = selinux_secmark_enabled();
5564 	netlbl_active = netlbl_enabled();
5565 	peerlbl_active = selinux_peerlbl_enabled();
5566 	if (!secmark_active && !peerlbl_active)
5567 		return NF_ACCEPT;
5568 
5569 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5570 		return NF_DROP;
5571 
5572 	ad.type = LSM_AUDIT_DATA_NET;
5573 	ad.u.net = &net;
5574 	ad.u.net->netif = indev->ifindex;
5575 	ad.u.net->family = family;
5576 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5577 		return NF_DROP;
5578 
5579 	if (peerlbl_active) {
5580 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5581 					       addrp, family, peer_sid, &ad);
5582 		if (err) {
5583 			selinux_netlbl_err(skb, family, err, 1);
5584 			return NF_DROP;
5585 		}
5586 	}
5587 
5588 	if (secmark_active)
5589 		if (avc_has_perm(&selinux_state,
5590 				 peer_sid, skb->secmark,
5591 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5592 			return NF_DROP;
5593 
5594 	if (netlbl_active)
5595 		/* we do this in the FORWARD path and not the POST_ROUTING
5596 		 * path because we want to make sure we apply the necessary
5597 		 * labeling before IPsec is applied so we can leverage AH
5598 		 * protection */
5599 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5600 			return NF_DROP;
5601 
5602 	return NF_ACCEPT;
5603 }
5604 
5605 static unsigned int selinux_ipv4_forward(void *priv,
5606 					 struct sk_buff *skb,
5607 					 const struct nf_hook_state *state)
5608 {
5609 	return selinux_ip_forward(skb, state->in, PF_INET);
5610 }
5611 
5612 #if IS_ENABLED(CONFIG_IPV6)
5613 static unsigned int selinux_ipv6_forward(void *priv,
5614 					 struct sk_buff *skb,
5615 					 const struct nf_hook_state *state)
5616 {
5617 	return selinux_ip_forward(skb, state->in, PF_INET6);
5618 }
5619 #endif	/* IPV6 */
5620 
5621 static unsigned int selinux_ip_output(struct sk_buff *skb,
5622 				      u16 family)
5623 {
5624 	struct sock *sk;
5625 	u32 sid;
5626 
5627 	if (!netlbl_enabled())
5628 		return NF_ACCEPT;
5629 
5630 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5631 	 * because we want to make sure we apply the necessary labeling
5632 	 * before IPsec is applied so we can leverage AH protection */
5633 	sk = skb->sk;
5634 	if (sk) {
5635 		struct sk_security_struct *sksec;
5636 
5637 		if (sk_listener(sk))
5638 			/* if the socket is the listening state then this
5639 			 * packet is a SYN-ACK packet which means it needs to
5640 			 * be labeled based on the connection/request_sock and
5641 			 * not the parent socket.  unfortunately, we can't
5642 			 * lookup the request_sock yet as it isn't queued on
5643 			 * the parent socket until after the SYN-ACK is sent.
5644 			 * the "solution" is to simply pass the packet as-is
5645 			 * as any IP option based labeling should be copied
5646 			 * from the initial connection request (in the IP
5647 			 * layer).  it is far from ideal, but until we get a
5648 			 * security label in the packet itself this is the
5649 			 * best we can do. */
5650 			return NF_ACCEPT;
5651 
5652 		/* standard practice, label using the parent socket */
5653 		sksec = sk->sk_security;
5654 		sid = sksec->sid;
5655 	} else
5656 		sid = SECINITSID_KERNEL;
5657 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5658 		return NF_DROP;
5659 
5660 	return NF_ACCEPT;
5661 }
5662 
5663 static unsigned int selinux_ipv4_output(void *priv,
5664 					struct sk_buff *skb,
5665 					const struct nf_hook_state *state)
5666 {
5667 	return selinux_ip_output(skb, PF_INET);
5668 }
5669 
5670 #if IS_ENABLED(CONFIG_IPV6)
5671 static unsigned int selinux_ipv6_output(void *priv,
5672 					struct sk_buff *skb,
5673 					const struct nf_hook_state *state)
5674 {
5675 	return selinux_ip_output(skb, PF_INET6);
5676 }
5677 #endif	/* IPV6 */
5678 
5679 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5680 						int ifindex,
5681 						u16 family)
5682 {
5683 	struct sock *sk = skb_to_full_sk(skb);
5684 	struct sk_security_struct *sksec;
5685 	struct common_audit_data ad;
5686 	struct lsm_network_audit net = {0,};
5687 	char *addrp;
5688 	u8 proto;
5689 
5690 	if (sk == NULL)
5691 		return NF_ACCEPT;
5692 	sksec = sk->sk_security;
5693 
5694 	ad.type = LSM_AUDIT_DATA_NET;
5695 	ad.u.net = &net;
5696 	ad.u.net->netif = ifindex;
5697 	ad.u.net->family = family;
5698 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5699 		return NF_DROP;
5700 
5701 	if (selinux_secmark_enabled())
5702 		if (avc_has_perm(&selinux_state,
5703 				 sksec->sid, skb->secmark,
5704 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5705 			return NF_DROP_ERR(-ECONNREFUSED);
5706 
5707 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5708 		return NF_DROP_ERR(-ECONNREFUSED);
5709 
5710 	return NF_ACCEPT;
5711 }
5712 
5713 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5714 					 const struct net_device *outdev,
5715 					 u16 family)
5716 {
5717 	u32 secmark_perm;
5718 	u32 peer_sid;
5719 	int ifindex = outdev->ifindex;
5720 	struct sock *sk;
5721 	struct common_audit_data ad;
5722 	struct lsm_network_audit net = {0,};
5723 	char *addrp;
5724 	u8 secmark_active;
5725 	u8 peerlbl_active;
5726 
5727 	/* If any sort of compatibility mode is enabled then handoff processing
5728 	 * to the selinux_ip_postroute_compat() function to deal with the
5729 	 * special handling.  We do this in an attempt to keep this function
5730 	 * as fast and as clean as possible. */
5731 	if (!selinux_policycap_netpeer())
5732 		return selinux_ip_postroute_compat(skb, ifindex, family);
5733 
5734 	secmark_active = selinux_secmark_enabled();
5735 	peerlbl_active = selinux_peerlbl_enabled();
5736 	if (!secmark_active && !peerlbl_active)
5737 		return NF_ACCEPT;
5738 
5739 	sk = skb_to_full_sk(skb);
5740 
5741 #ifdef CONFIG_XFRM
5742 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5743 	 * packet transformation so allow the packet to pass without any checks
5744 	 * since we'll have another chance to perform access control checks
5745 	 * when the packet is on it's final way out.
5746 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5747 	 *       is NULL, in this case go ahead and apply access control.
5748 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5749 	 *       TCP listening state we cannot wait until the XFRM processing
5750 	 *       is done as we will miss out on the SA label if we do;
5751 	 *       unfortunately, this means more work, but it is only once per
5752 	 *       connection. */
5753 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5754 	    !(sk && sk_listener(sk)))
5755 		return NF_ACCEPT;
5756 #endif
5757 
5758 	if (sk == NULL) {
5759 		/* Without an associated socket the packet is either coming
5760 		 * from the kernel or it is being forwarded; check the packet
5761 		 * to determine which and if the packet is being forwarded
5762 		 * query the packet directly to determine the security label. */
5763 		if (skb->skb_iif) {
5764 			secmark_perm = PACKET__FORWARD_OUT;
5765 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5766 				return NF_DROP;
5767 		} else {
5768 			secmark_perm = PACKET__SEND;
5769 			peer_sid = SECINITSID_KERNEL;
5770 		}
5771 	} else if (sk_listener(sk)) {
5772 		/* Locally generated packet but the associated socket is in the
5773 		 * listening state which means this is a SYN-ACK packet.  In
5774 		 * this particular case the correct security label is assigned
5775 		 * to the connection/request_sock but unfortunately we can't
5776 		 * query the request_sock as it isn't queued on the parent
5777 		 * socket until after the SYN-ACK packet is sent; the only
5778 		 * viable choice is to regenerate the label like we do in
5779 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5780 		 * for similar problems. */
5781 		u32 skb_sid;
5782 		struct sk_security_struct *sksec;
5783 
5784 		sksec = sk->sk_security;
5785 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5786 			return NF_DROP;
5787 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5788 		 * and the packet has been through at least one XFRM
5789 		 * transformation then we must be dealing with the "final"
5790 		 * form of labeled IPsec packet; since we've already applied
5791 		 * all of our access controls on this packet we can safely
5792 		 * pass the packet. */
5793 		if (skb_sid == SECSID_NULL) {
5794 			switch (family) {
5795 			case PF_INET:
5796 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5797 					return NF_ACCEPT;
5798 				break;
5799 			case PF_INET6:
5800 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5801 					return NF_ACCEPT;
5802 				break;
5803 			default:
5804 				return NF_DROP_ERR(-ECONNREFUSED);
5805 			}
5806 		}
5807 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5808 			return NF_DROP;
5809 		secmark_perm = PACKET__SEND;
5810 	} else {
5811 		/* Locally generated packet, fetch the security label from the
5812 		 * associated socket. */
5813 		struct sk_security_struct *sksec = sk->sk_security;
5814 		peer_sid = sksec->sid;
5815 		secmark_perm = PACKET__SEND;
5816 	}
5817 
5818 	ad.type = LSM_AUDIT_DATA_NET;
5819 	ad.u.net = &net;
5820 	ad.u.net->netif = ifindex;
5821 	ad.u.net->family = family;
5822 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5823 		return NF_DROP;
5824 
5825 	if (secmark_active)
5826 		if (avc_has_perm(&selinux_state,
5827 				 peer_sid, skb->secmark,
5828 				 SECCLASS_PACKET, secmark_perm, &ad))
5829 			return NF_DROP_ERR(-ECONNREFUSED);
5830 
5831 	if (peerlbl_active) {
5832 		u32 if_sid;
5833 		u32 node_sid;
5834 
5835 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5836 			return NF_DROP;
5837 		if (avc_has_perm(&selinux_state,
5838 				 peer_sid, if_sid,
5839 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5840 			return NF_DROP_ERR(-ECONNREFUSED);
5841 
5842 		if (sel_netnode_sid(addrp, family, &node_sid))
5843 			return NF_DROP;
5844 		if (avc_has_perm(&selinux_state,
5845 				 peer_sid, node_sid,
5846 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5847 			return NF_DROP_ERR(-ECONNREFUSED);
5848 	}
5849 
5850 	return NF_ACCEPT;
5851 }
5852 
5853 static unsigned int selinux_ipv4_postroute(void *priv,
5854 					   struct sk_buff *skb,
5855 					   const struct nf_hook_state *state)
5856 {
5857 	return selinux_ip_postroute(skb, state->out, PF_INET);
5858 }
5859 
5860 #if IS_ENABLED(CONFIG_IPV6)
5861 static unsigned int selinux_ipv6_postroute(void *priv,
5862 					   struct sk_buff *skb,
5863 					   const struct nf_hook_state *state)
5864 {
5865 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5866 }
5867 #endif	/* IPV6 */
5868 
5869 #endif	/* CONFIG_NETFILTER */
5870 
5871 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5872 {
5873 	return selinux_nlmsg_perm(sk, skb);
5874 }
5875 
5876 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5877 			      u16 sclass)
5878 {
5879 	struct ipc_security_struct *isec;
5880 
5881 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5882 	if (!isec)
5883 		return -ENOMEM;
5884 
5885 	isec->sclass = sclass;
5886 	isec->sid = current_sid();
5887 	perm->security = isec;
5888 
5889 	return 0;
5890 }
5891 
5892 static void ipc_free_security(struct kern_ipc_perm *perm)
5893 {
5894 	struct ipc_security_struct *isec = perm->security;
5895 	perm->security = NULL;
5896 	kfree(isec);
5897 }
5898 
5899 static int msg_msg_alloc_security(struct msg_msg *msg)
5900 {
5901 	struct msg_security_struct *msec;
5902 
5903 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5904 	if (!msec)
5905 		return -ENOMEM;
5906 
5907 	msec->sid = SECINITSID_UNLABELED;
5908 	msg->security = msec;
5909 
5910 	return 0;
5911 }
5912 
5913 static void msg_msg_free_security(struct msg_msg *msg)
5914 {
5915 	struct msg_security_struct *msec = msg->security;
5916 
5917 	msg->security = NULL;
5918 	kfree(msec);
5919 }
5920 
5921 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5922 			u32 perms)
5923 {
5924 	struct ipc_security_struct *isec;
5925 	struct common_audit_data ad;
5926 	u32 sid = current_sid();
5927 
5928 	isec = ipc_perms->security;
5929 
5930 	ad.type = LSM_AUDIT_DATA_IPC;
5931 	ad.u.ipc_id = ipc_perms->key;
5932 
5933 	return avc_has_perm(&selinux_state,
5934 			    sid, isec->sid, isec->sclass, perms, &ad);
5935 }
5936 
5937 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5938 {
5939 	return msg_msg_alloc_security(msg);
5940 }
5941 
5942 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5943 {
5944 	msg_msg_free_security(msg);
5945 }
5946 
5947 /* message queue security operations */
5948 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5949 {
5950 	struct ipc_security_struct *isec;
5951 	struct common_audit_data ad;
5952 	u32 sid = current_sid();
5953 	int rc;
5954 
5955 	rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5956 	if (rc)
5957 		return rc;
5958 
5959 	isec = msq->security;
5960 
5961 	ad.type = LSM_AUDIT_DATA_IPC;
5962 	ad.u.ipc_id = msq->key;
5963 
5964 	rc = avc_has_perm(&selinux_state,
5965 			  sid, isec->sid, SECCLASS_MSGQ,
5966 			  MSGQ__CREATE, &ad);
5967 	if (rc) {
5968 		ipc_free_security(msq);
5969 		return rc;
5970 	}
5971 	return 0;
5972 }
5973 
5974 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
5975 {
5976 	ipc_free_security(msq);
5977 }
5978 
5979 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5980 {
5981 	struct ipc_security_struct *isec;
5982 	struct common_audit_data ad;
5983 	u32 sid = current_sid();
5984 
5985 	isec = msq->security;
5986 
5987 	ad.type = LSM_AUDIT_DATA_IPC;
5988 	ad.u.ipc_id = msq->key;
5989 
5990 	return avc_has_perm(&selinux_state,
5991 			    sid, isec->sid, SECCLASS_MSGQ,
5992 			    MSGQ__ASSOCIATE, &ad);
5993 }
5994 
5995 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5996 {
5997 	int err;
5998 	int perms;
5999 
6000 	switch (cmd) {
6001 	case IPC_INFO:
6002 	case MSG_INFO:
6003 		/* No specific object, just general system-wide information. */
6004 		return avc_has_perm(&selinux_state,
6005 				    current_sid(), SECINITSID_KERNEL,
6006 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6007 	case IPC_STAT:
6008 	case MSG_STAT:
6009 	case MSG_STAT_ANY:
6010 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6011 		break;
6012 	case IPC_SET:
6013 		perms = MSGQ__SETATTR;
6014 		break;
6015 	case IPC_RMID:
6016 		perms = MSGQ__DESTROY;
6017 		break;
6018 	default:
6019 		return 0;
6020 	}
6021 
6022 	err = ipc_has_perm(msq, perms);
6023 	return err;
6024 }
6025 
6026 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6027 {
6028 	struct ipc_security_struct *isec;
6029 	struct msg_security_struct *msec;
6030 	struct common_audit_data ad;
6031 	u32 sid = current_sid();
6032 	int rc;
6033 
6034 	isec = msq->security;
6035 	msec = msg->security;
6036 
6037 	/*
6038 	 * First time through, need to assign label to the message
6039 	 */
6040 	if (msec->sid == SECINITSID_UNLABELED) {
6041 		/*
6042 		 * Compute new sid based on current process and
6043 		 * message queue this message will be stored in
6044 		 */
6045 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6046 					     SECCLASS_MSG, NULL, &msec->sid);
6047 		if (rc)
6048 			return rc;
6049 	}
6050 
6051 	ad.type = LSM_AUDIT_DATA_IPC;
6052 	ad.u.ipc_id = msq->key;
6053 
6054 	/* Can this process write to the queue? */
6055 	rc = avc_has_perm(&selinux_state,
6056 			  sid, isec->sid, SECCLASS_MSGQ,
6057 			  MSGQ__WRITE, &ad);
6058 	if (!rc)
6059 		/* Can this process send the message */
6060 		rc = avc_has_perm(&selinux_state,
6061 				  sid, msec->sid, SECCLASS_MSG,
6062 				  MSG__SEND, &ad);
6063 	if (!rc)
6064 		/* Can the message be put in the queue? */
6065 		rc = avc_has_perm(&selinux_state,
6066 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6067 				  MSGQ__ENQUEUE, &ad);
6068 
6069 	return rc;
6070 }
6071 
6072 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6073 				    struct task_struct *target,
6074 				    long type, int mode)
6075 {
6076 	struct ipc_security_struct *isec;
6077 	struct msg_security_struct *msec;
6078 	struct common_audit_data ad;
6079 	u32 sid = task_sid(target);
6080 	int rc;
6081 
6082 	isec = msq->security;
6083 	msec = msg->security;
6084 
6085 	ad.type = LSM_AUDIT_DATA_IPC;
6086 	ad.u.ipc_id = msq->key;
6087 
6088 	rc = avc_has_perm(&selinux_state,
6089 			  sid, isec->sid,
6090 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6091 	if (!rc)
6092 		rc = avc_has_perm(&selinux_state,
6093 				  sid, msec->sid,
6094 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6095 	return rc;
6096 }
6097 
6098 /* Shared Memory security operations */
6099 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6100 {
6101 	struct ipc_security_struct *isec;
6102 	struct common_audit_data ad;
6103 	u32 sid = current_sid();
6104 	int rc;
6105 
6106 	rc = ipc_alloc_security(shp, SECCLASS_SHM);
6107 	if (rc)
6108 		return rc;
6109 
6110 	isec = shp->security;
6111 
6112 	ad.type = LSM_AUDIT_DATA_IPC;
6113 	ad.u.ipc_id = shp->key;
6114 
6115 	rc = avc_has_perm(&selinux_state,
6116 			  sid, isec->sid, SECCLASS_SHM,
6117 			  SHM__CREATE, &ad);
6118 	if (rc) {
6119 		ipc_free_security(shp);
6120 		return rc;
6121 	}
6122 	return 0;
6123 }
6124 
6125 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6126 {
6127 	ipc_free_security(shp);
6128 }
6129 
6130 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6131 {
6132 	struct ipc_security_struct *isec;
6133 	struct common_audit_data ad;
6134 	u32 sid = current_sid();
6135 
6136 	isec = shp->security;
6137 
6138 	ad.type = LSM_AUDIT_DATA_IPC;
6139 	ad.u.ipc_id = shp->key;
6140 
6141 	return avc_has_perm(&selinux_state,
6142 			    sid, isec->sid, SECCLASS_SHM,
6143 			    SHM__ASSOCIATE, &ad);
6144 }
6145 
6146 /* Note, at this point, shp is locked down */
6147 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6148 {
6149 	int perms;
6150 	int err;
6151 
6152 	switch (cmd) {
6153 	case IPC_INFO:
6154 	case SHM_INFO:
6155 		/* No specific object, just general system-wide information. */
6156 		return avc_has_perm(&selinux_state,
6157 				    current_sid(), SECINITSID_KERNEL,
6158 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6159 	case IPC_STAT:
6160 	case SHM_STAT:
6161 	case SHM_STAT_ANY:
6162 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6163 		break;
6164 	case IPC_SET:
6165 		perms = SHM__SETATTR;
6166 		break;
6167 	case SHM_LOCK:
6168 	case SHM_UNLOCK:
6169 		perms = SHM__LOCK;
6170 		break;
6171 	case IPC_RMID:
6172 		perms = SHM__DESTROY;
6173 		break;
6174 	default:
6175 		return 0;
6176 	}
6177 
6178 	err = ipc_has_perm(shp, perms);
6179 	return err;
6180 }
6181 
6182 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6183 			     char __user *shmaddr, int shmflg)
6184 {
6185 	u32 perms;
6186 
6187 	if (shmflg & SHM_RDONLY)
6188 		perms = SHM__READ;
6189 	else
6190 		perms = SHM__READ | SHM__WRITE;
6191 
6192 	return ipc_has_perm(shp, perms);
6193 }
6194 
6195 /* Semaphore security operations */
6196 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6197 {
6198 	struct ipc_security_struct *isec;
6199 	struct common_audit_data ad;
6200 	u32 sid = current_sid();
6201 	int rc;
6202 
6203 	rc = ipc_alloc_security(sma, SECCLASS_SEM);
6204 	if (rc)
6205 		return rc;
6206 
6207 	isec = sma->security;
6208 
6209 	ad.type = LSM_AUDIT_DATA_IPC;
6210 	ad.u.ipc_id = sma->key;
6211 
6212 	rc = avc_has_perm(&selinux_state,
6213 			  sid, isec->sid, SECCLASS_SEM,
6214 			  SEM__CREATE, &ad);
6215 	if (rc) {
6216 		ipc_free_security(sma);
6217 		return rc;
6218 	}
6219 	return 0;
6220 }
6221 
6222 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6223 {
6224 	ipc_free_security(sma);
6225 }
6226 
6227 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6228 {
6229 	struct ipc_security_struct *isec;
6230 	struct common_audit_data ad;
6231 	u32 sid = current_sid();
6232 
6233 	isec = sma->security;
6234 
6235 	ad.type = LSM_AUDIT_DATA_IPC;
6236 	ad.u.ipc_id = sma->key;
6237 
6238 	return avc_has_perm(&selinux_state,
6239 			    sid, isec->sid, SECCLASS_SEM,
6240 			    SEM__ASSOCIATE, &ad);
6241 }
6242 
6243 /* Note, at this point, sma is locked down */
6244 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6245 {
6246 	int err;
6247 	u32 perms;
6248 
6249 	switch (cmd) {
6250 	case IPC_INFO:
6251 	case SEM_INFO:
6252 		/* No specific object, just general system-wide information. */
6253 		return avc_has_perm(&selinux_state,
6254 				    current_sid(), SECINITSID_KERNEL,
6255 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6256 	case GETPID:
6257 	case GETNCNT:
6258 	case GETZCNT:
6259 		perms = SEM__GETATTR;
6260 		break;
6261 	case GETVAL:
6262 	case GETALL:
6263 		perms = SEM__READ;
6264 		break;
6265 	case SETVAL:
6266 	case SETALL:
6267 		perms = SEM__WRITE;
6268 		break;
6269 	case IPC_RMID:
6270 		perms = SEM__DESTROY;
6271 		break;
6272 	case IPC_SET:
6273 		perms = SEM__SETATTR;
6274 		break;
6275 	case IPC_STAT:
6276 	case SEM_STAT:
6277 	case SEM_STAT_ANY:
6278 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6279 		break;
6280 	default:
6281 		return 0;
6282 	}
6283 
6284 	err = ipc_has_perm(sma, perms);
6285 	return err;
6286 }
6287 
6288 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6289 			     struct sembuf *sops, unsigned nsops, int alter)
6290 {
6291 	u32 perms;
6292 
6293 	if (alter)
6294 		perms = SEM__READ | SEM__WRITE;
6295 	else
6296 		perms = SEM__READ;
6297 
6298 	return ipc_has_perm(sma, perms);
6299 }
6300 
6301 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6302 {
6303 	u32 av = 0;
6304 
6305 	av = 0;
6306 	if (flag & S_IRUGO)
6307 		av |= IPC__UNIX_READ;
6308 	if (flag & S_IWUGO)
6309 		av |= IPC__UNIX_WRITE;
6310 
6311 	if (av == 0)
6312 		return 0;
6313 
6314 	return ipc_has_perm(ipcp, av);
6315 }
6316 
6317 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6318 {
6319 	struct ipc_security_struct *isec = ipcp->security;
6320 	*secid = isec->sid;
6321 }
6322 
6323 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6324 {
6325 	if (inode)
6326 		inode_doinit_with_dentry(inode, dentry);
6327 }
6328 
6329 static int selinux_getprocattr(struct task_struct *p,
6330 			       char *name, char **value)
6331 {
6332 	const struct task_security_struct *__tsec;
6333 	u32 sid;
6334 	int error;
6335 	unsigned len;
6336 
6337 	rcu_read_lock();
6338 	__tsec = __task_cred(p)->security;
6339 
6340 	if (current != p) {
6341 		error = avc_has_perm(&selinux_state,
6342 				     current_sid(), __tsec->sid,
6343 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6344 		if (error)
6345 			goto bad;
6346 	}
6347 
6348 	if (!strcmp(name, "current"))
6349 		sid = __tsec->sid;
6350 	else if (!strcmp(name, "prev"))
6351 		sid = __tsec->osid;
6352 	else if (!strcmp(name, "exec"))
6353 		sid = __tsec->exec_sid;
6354 	else if (!strcmp(name, "fscreate"))
6355 		sid = __tsec->create_sid;
6356 	else if (!strcmp(name, "keycreate"))
6357 		sid = __tsec->keycreate_sid;
6358 	else if (!strcmp(name, "sockcreate"))
6359 		sid = __tsec->sockcreate_sid;
6360 	else {
6361 		error = -EINVAL;
6362 		goto bad;
6363 	}
6364 	rcu_read_unlock();
6365 
6366 	if (!sid)
6367 		return 0;
6368 
6369 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6370 	if (error)
6371 		return error;
6372 	return len;
6373 
6374 bad:
6375 	rcu_read_unlock();
6376 	return error;
6377 }
6378 
6379 static int selinux_setprocattr(const char *name, void *value, size_t size)
6380 {
6381 	struct task_security_struct *tsec;
6382 	struct cred *new;
6383 	u32 mysid = current_sid(), sid = 0, ptsid;
6384 	int error;
6385 	char *str = value;
6386 
6387 	/*
6388 	 * Basic control over ability to set these attributes at all.
6389 	 */
6390 	if (!strcmp(name, "exec"))
6391 		error = avc_has_perm(&selinux_state,
6392 				     mysid, mysid, SECCLASS_PROCESS,
6393 				     PROCESS__SETEXEC, NULL);
6394 	else if (!strcmp(name, "fscreate"))
6395 		error = avc_has_perm(&selinux_state,
6396 				     mysid, mysid, SECCLASS_PROCESS,
6397 				     PROCESS__SETFSCREATE, NULL);
6398 	else if (!strcmp(name, "keycreate"))
6399 		error = avc_has_perm(&selinux_state,
6400 				     mysid, mysid, SECCLASS_PROCESS,
6401 				     PROCESS__SETKEYCREATE, NULL);
6402 	else if (!strcmp(name, "sockcreate"))
6403 		error = avc_has_perm(&selinux_state,
6404 				     mysid, mysid, SECCLASS_PROCESS,
6405 				     PROCESS__SETSOCKCREATE, NULL);
6406 	else if (!strcmp(name, "current"))
6407 		error = avc_has_perm(&selinux_state,
6408 				     mysid, mysid, SECCLASS_PROCESS,
6409 				     PROCESS__SETCURRENT, NULL);
6410 	else
6411 		error = -EINVAL;
6412 	if (error)
6413 		return error;
6414 
6415 	/* Obtain a SID for the context, if one was specified. */
6416 	if (size && str[0] && str[0] != '\n') {
6417 		if (str[size-1] == '\n') {
6418 			str[size-1] = 0;
6419 			size--;
6420 		}
6421 		error = security_context_to_sid(&selinux_state, value, size,
6422 						&sid, GFP_KERNEL);
6423 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6424 			if (!has_cap_mac_admin(true)) {
6425 				struct audit_buffer *ab;
6426 				size_t audit_size;
6427 
6428 				/* We strip a nul only if it is at the end, otherwise the
6429 				 * context contains a nul and we should audit that */
6430 				if (str[size - 1] == '\0')
6431 					audit_size = size - 1;
6432 				else
6433 					audit_size = size;
6434 				ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
6435 				audit_log_format(ab, "op=fscreate invalid_context=");
6436 				audit_log_n_untrustedstring(ab, value, audit_size);
6437 				audit_log_end(ab);
6438 
6439 				return error;
6440 			}
6441 			error = security_context_to_sid_force(
6442 						      &selinux_state,
6443 						      value, size, &sid);
6444 		}
6445 		if (error)
6446 			return error;
6447 	}
6448 
6449 	new = prepare_creds();
6450 	if (!new)
6451 		return -ENOMEM;
6452 
6453 	/* Permission checking based on the specified context is
6454 	   performed during the actual operation (execve,
6455 	   open/mkdir/...), when we know the full context of the
6456 	   operation.  See selinux_bprm_set_creds for the execve
6457 	   checks and may_create for the file creation checks. The
6458 	   operation will then fail if the context is not permitted. */
6459 	tsec = new->security;
6460 	if (!strcmp(name, "exec")) {
6461 		tsec->exec_sid = sid;
6462 	} else if (!strcmp(name, "fscreate")) {
6463 		tsec->create_sid = sid;
6464 	} else if (!strcmp(name, "keycreate")) {
6465 		error = avc_has_perm(&selinux_state,
6466 				     mysid, sid, SECCLASS_KEY, KEY__CREATE,
6467 				     NULL);
6468 		if (error)
6469 			goto abort_change;
6470 		tsec->keycreate_sid = sid;
6471 	} else if (!strcmp(name, "sockcreate")) {
6472 		tsec->sockcreate_sid = sid;
6473 	} else if (!strcmp(name, "current")) {
6474 		error = -EINVAL;
6475 		if (sid == 0)
6476 			goto abort_change;
6477 
6478 		/* Only allow single threaded processes to change context */
6479 		error = -EPERM;
6480 		if (!current_is_single_threaded()) {
6481 			error = security_bounded_transition(&selinux_state,
6482 							    tsec->sid, sid);
6483 			if (error)
6484 				goto abort_change;
6485 		}
6486 
6487 		/* Check permissions for the transition. */
6488 		error = avc_has_perm(&selinux_state,
6489 				     tsec->sid, sid, SECCLASS_PROCESS,
6490 				     PROCESS__DYNTRANSITION, NULL);
6491 		if (error)
6492 			goto abort_change;
6493 
6494 		/* Check for ptracing, and update the task SID if ok.
6495 		   Otherwise, leave SID unchanged and fail. */
6496 		ptsid = ptrace_parent_sid();
6497 		if (ptsid != 0) {
6498 			error = avc_has_perm(&selinux_state,
6499 					     ptsid, sid, SECCLASS_PROCESS,
6500 					     PROCESS__PTRACE, NULL);
6501 			if (error)
6502 				goto abort_change;
6503 		}
6504 
6505 		tsec->sid = sid;
6506 	} else {
6507 		error = -EINVAL;
6508 		goto abort_change;
6509 	}
6510 
6511 	commit_creds(new);
6512 	return size;
6513 
6514 abort_change:
6515 	abort_creds(new);
6516 	return error;
6517 }
6518 
6519 static int selinux_ismaclabel(const char *name)
6520 {
6521 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6522 }
6523 
6524 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6525 {
6526 	return security_sid_to_context(&selinux_state, secid,
6527 				       secdata, seclen);
6528 }
6529 
6530 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6531 {
6532 	return security_context_to_sid(&selinux_state, secdata, seclen,
6533 				       secid, GFP_KERNEL);
6534 }
6535 
6536 static void selinux_release_secctx(char *secdata, u32 seclen)
6537 {
6538 	kfree(secdata);
6539 }
6540 
6541 static void selinux_inode_invalidate_secctx(struct inode *inode)
6542 {
6543 	struct inode_security_struct *isec = inode->i_security;
6544 
6545 	spin_lock(&isec->lock);
6546 	isec->initialized = LABEL_INVALID;
6547 	spin_unlock(&isec->lock);
6548 }
6549 
6550 /*
6551  *	called with inode->i_mutex locked
6552  */
6553 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6554 {
6555 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6556 }
6557 
6558 /*
6559  *	called with inode->i_mutex locked
6560  */
6561 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6562 {
6563 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6564 }
6565 
6566 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6567 {
6568 	int len = 0;
6569 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6570 						ctx, true);
6571 	if (len < 0)
6572 		return len;
6573 	*ctxlen = len;
6574 	return 0;
6575 }
6576 #ifdef CONFIG_KEYS
6577 
6578 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6579 			     unsigned long flags)
6580 {
6581 	const struct task_security_struct *tsec;
6582 	struct key_security_struct *ksec;
6583 
6584 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6585 	if (!ksec)
6586 		return -ENOMEM;
6587 
6588 	tsec = cred->security;
6589 	if (tsec->keycreate_sid)
6590 		ksec->sid = tsec->keycreate_sid;
6591 	else
6592 		ksec->sid = tsec->sid;
6593 
6594 	k->security = ksec;
6595 	return 0;
6596 }
6597 
6598 static void selinux_key_free(struct key *k)
6599 {
6600 	struct key_security_struct *ksec = k->security;
6601 
6602 	k->security = NULL;
6603 	kfree(ksec);
6604 }
6605 
6606 static int selinux_key_permission(key_ref_t key_ref,
6607 				  const struct cred *cred,
6608 				  unsigned perm)
6609 {
6610 	struct key *key;
6611 	struct key_security_struct *ksec;
6612 	u32 sid;
6613 
6614 	/* if no specific permissions are requested, we skip the
6615 	   permission check. No serious, additional covert channels
6616 	   appear to be created. */
6617 	if (perm == 0)
6618 		return 0;
6619 
6620 	sid = cred_sid(cred);
6621 
6622 	key = key_ref_to_ptr(key_ref);
6623 	ksec = key->security;
6624 
6625 	return avc_has_perm(&selinux_state,
6626 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6627 }
6628 
6629 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6630 {
6631 	struct key_security_struct *ksec = key->security;
6632 	char *context = NULL;
6633 	unsigned len;
6634 	int rc;
6635 
6636 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6637 				     &context, &len);
6638 	if (!rc)
6639 		rc = len;
6640 	*_buffer = context;
6641 	return rc;
6642 }
6643 #endif
6644 
6645 #ifdef CONFIG_SECURITY_INFINIBAND
6646 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6647 {
6648 	struct common_audit_data ad;
6649 	int err;
6650 	u32 sid = 0;
6651 	struct ib_security_struct *sec = ib_sec;
6652 	struct lsm_ibpkey_audit ibpkey;
6653 
6654 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6655 	if (err)
6656 		return err;
6657 
6658 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6659 	ibpkey.subnet_prefix = subnet_prefix;
6660 	ibpkey.pkey = pkey_val;
6661 	ad.u.ibpkey = &ibpkey;
6662 	return avc_has_perm(&selinux_state,
6663 			    sec->sid, sid,
6664 			    SECCLASS_INFINIBAND_PKEY,
6665 			    INFINIBAND_PKEY__ACCESS, &ad);
6666 }
6667 
6668 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6669 					    u8 port_num)
6670 {
6671 	struct common_audit_data ad;
6672 	int err;
6673 	u32 sid = 0;
6674 	struct ib_security_struct *sec = ib_sec;
6675 	struct lsm_ibendport_audit ibendport;
6676 
6677 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6678 				      &sid);
6679 
6680 	if (err)
6681 		return err;
6682 
6683 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6684 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6685 	ibendport.port = port_num;
6686 	ad.u.ibendport = &ibendport;
6687 	return avc_has_perm(&selinux_state,
6688 			    sec->sid, sid,
6689 			    SECCLASS_INFINIBAND_ENDPORT,
6690 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6691 }
6692 
6693 static int selinux_ib_alloc_security(void **ib_sec)
6694 {
6695 	struct ib_security_struct *sec;
6696 
6697 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6698 	if (!sec)
6699 		return -ENOMEM;
6700 	sec->sid = current_sid();
6701 
6702 	*ib_sec = sec;
6703 	return 0;
6704 }
6705 
6706 static void selinux_ib_free_security(void *ib_sec)
6707 {
6708 	kfree(ib_sec);
6709 }
6710 #endif
6711 
6712 #ifdef CONFIG_BPF_SYSCALL
6713 static int selinux_bpf(int cmd, union bpf_attr *attr,
6714 				     unsigned int size)
6715 {
6716 	u32 sid = current_sid();
6717 	int ret;
6718 
6719 	switch (cmd) {
6720 	case BPF_MAP_CREATE:
6721 		ret = avc_has_perm(&selinux_state,
6722 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6723 				   NULL);
6724 		break;
6725 	case BPF_PROG_LOAD:
6726 		ret = avc_has_perm(&selinux_state,
6727 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6728 				   NULL);
6729 		break;
6730 	default:
6731 		ret = 0;
6732 		break;
6733 	}
6734 
6735 	return ret;
6736 }
6737 
6738 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6739 {
6740 	u32 av = 0;
6741 
6742 	if (fmode & FMODE_READ)
6743 		av |= BPF__MAP_READ;
6744 	if (fmode & FMODE_WRITE)
6745 		av |= BPF__MAP_WRITE;
6746 	return av;
6747 }
6748 
6749 /* This function will check the file pass through unix socket or binder to see
6750  * if it is a bpf related object. And apply correspinding checks on the bpf
6751  * object based on the type. The bpf maps and programs, not like other files and
6752  * socket, are using a shared anonymous inode inside the kernel as their inode.
6753  * So checking that inode cannot identify if the process have privilege to
6754  * access the bpf object and that's why we have to add this additional check in
6755  * selinux_file_receive and selinux_binder_transfer_files.
6756  */
6757 static int bpf_fd_pass(struct file *file, u32 sid)
6758 {
6759 	struct bpf_security_struct *bpfsec;
6760 	struct bpf_prog *prog;
6761 	struct bpf_map *map;
6762 	int ret;
6763 
6764 	if (file->f_op == &bpf_map_fops) {
6765 		map = file->private_data;
6766 		bpfsec = map->security;
6767 		ret = avc_has_perm(&selinux_state,
6768 				   sid, bpfsec->sid, SECCLASS_BPF,
6769 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6770 		if (ret)
6771 			return ret;
6772 	} else if (file->f_op == &bpf_prog_fops) {
6773 		prog = file->private_data;
6774 		bpfsec = prog->aux->security;
6775 		ret = avc_has_perm(&selinux_state,
6776 				   sid, bpfsec->sid, SECCLASS_BPF,
6777 				   BPF__PROG_RUN, NULL);
6778 		if (ret)
6779 			return ret;
6780 	}
6781 	return 0;
6782 }
6783 
6784 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6785 {
6786 	u32 sid = current_sid();
6787 	struct bpf_security_struct *bpfsec;
6788 
6789 	bpfsec = map->security;
6790 	return avc_has_perm(&selinux_state,
6791 			    sid, bpfsec->sid, SECCLASS_BPF,
6792 			    bpf_map_fmode_to_av(fmode), NULL);
6793 }
6794 
6795 static int selinux_bpf_prog(struct bpf_prog *prog)
6796 {
6797 	u32 sid = current_sid();
6798 	struct bpf_security_struct *bpfsec;
6799 
6800 	bpfsec = prog->aux->security;
6801 	return avc_has_perm(&selinux_state,
6802 			    sid, bpfsec->sid, SECCLASS_BPF,
6803 			    BPF__PROG_RUN, NULL);
6804 }
6805 
6806 static int selinux_bpf_map_alloc(struct bpf_map *map)
6807 {
6808 	struct bpf_security_struct *bpfsec;
6809 
6810 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6811 	if (!bpfsec)
6812 		return -ENOMEM;
6813 
6814 	bpfsec->sid = current_sid();
6815 	map->security = bpfsec;
6816 
6817 	return 0;
6818 }
6819 
6820 static void selinux_bpf_map_free(struct bpf_map *map)
6821 {
6822 	struct bpf_security_struct *bpfsec = map->security;
6823 
6824 	map->security = NULL;
6825 	kfree(bpfsec);
6826 }
6827 
6828 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6829 {
6830 	struct bpf_security_struct *bpfsec;
6831 
6832 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6833 	if (!bpfsec)
6834 		return -ENOMEM;
6835 
6836 	bpfsec->sid = current_sid();
6837 	aux->security = bpfsec;
6838 
6839 	return 0;
6840 }
6841 
6842 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6843 {
6844 	struct bpf_security_struct *bpfsec = aux->security;
6845 
6846 	aux->security = NULL;
6847 	kfree(bpfsec);
6848 }
6849 #endif
6850 
6851 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6852 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6853 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6854 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6855 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6856 
6857 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6858 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6859 	LSM_HOOK_INIT(capget, selinux_capget),
6860 	LSM_HOOK_INIT(capset, selinux_capset),
6861 	LSM_HOOK_INIT(capable, selinux_capable),
6862 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6863 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6864 	LSM_HOOK_INIT(syslog, selinux_syslog),
6865 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6866 
6867 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6868 
6869 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6870 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6871 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6872 
6873 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6874 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6875 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6876 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6877 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6878 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6879 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6880 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6881 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6882 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6883 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6884 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6885 
6886 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6887 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6888 
6889 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6890 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6891 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6892 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6893 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6894 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6895 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6896 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6897 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6898 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6899 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6900 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6901 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6902 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6903 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6904 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6905 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6906 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6907 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6908 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6909 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6910 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6911 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6912 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6913 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6914 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6915 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6916 
6917 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6918 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6919 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6920 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6921 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6922 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6923 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6924 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6925 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6926 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6927 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6928 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6929 
6930 	LSM_HOOK_INIT(file_open, selinux_file_open),
6931 
6932 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6933 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6934 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6935 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6936 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6937 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6938 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6939 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6940 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6941 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6942 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6943 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6944 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6945 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6946 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6947 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6948 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6949 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6950 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6951 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6952 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6953 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6954 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6955 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6956 
6957 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6958 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6959 
6960 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6961 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6962 
6963 	LSM_HOOK_INIT(msg_queue_alloc_security,
6964 			selinux_msg_queue_alloc_security),
6965 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6966 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6967 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6968 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6969 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6970 
6971 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6972 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6973 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6974 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6975 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6976 
6977 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6978 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6979 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6980 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6981 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6982 
6983 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6984 
6985 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6986 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6987 
6988 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6989 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6990 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6991 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6992 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6993 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6994 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6995 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6996 
6997 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6998 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6999 
7000 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7001 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7002 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7003 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7004 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7005 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7006 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7007 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7008 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7009 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7010 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7011 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7012 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7013 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7014 	LSM_HOOK_INIT(socket_getpeersec_stream,
7015 			selinux_socket_getpeersec_stream),
7016 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7017 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7018 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7019 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7020 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7021 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7022 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7023 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7024 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7025 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7026 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7027 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7028 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7029 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7030 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7031 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7032 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7033 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7034 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7035 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7036 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7037 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7038 #ifdef CONFIG_SECURITY_INFINIBAND
7039 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7040 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7041 		      selinux_ib_endport_manage_subnet),
7042 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7043 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7044 #endif
7045 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7046 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7047 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7048 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7049 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7050 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7051 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7052 			selinux_xfrm_state_alloc_acquire),
7053 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7054 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7055 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7056 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7057 			selinux_xfrm_state_pol_flow_match),
7058 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7059 #endif
7060 
7061 #ifdef CONFIG_KEYS
7062 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7063 	LSM_HOOK_INIT(key_free, selinux_key_free),
7064 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7065 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7066 #endif
7067 
7068 #ifdef CONFIG_AUDIT
7069 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7070 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7071 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7072 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7073 #endif
7074 
7075 #ifdef CONFIG_BPF_SYSCALL
7076 	LSM_HOOK_INIT(bpf, selinux_bpf),
7077 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7078 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7079 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7080 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7081 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7082 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7083 #endif
7084 };
7085 
7086 static __init int selinux_init(void)
7087 {
7088 	if (!security_module_enable("selinux")) {
7089 		selinux_enabled = 0;
7090 		return 0;
7091 	}
7092 
7093 	if (!selinux_enabled) {
7094 		printk(KERN_INFO "SELinux:  Disabled at boot.\n");
7095 		return 0;
7096 	}
7097 
7098 	printk(KERN_INFO "SELinux:  Initializing.\n");
7099 
7100 	memset(&selinux_state, 0, sizeof(selinux_state));
7101 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7102 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7103 	selinux_ss_init(&selinux_state.ss);
7104 	selinux_avc_init(&selinux_state.avc);
7105 
7106 	/* Set the security state for the initial task. */
7107 	cred_init_security();
7108 
7109 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7110 
7111 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
7112 					    sizeof(struct inode_security_struct),
7113 					    0, SLAB_PANIC, NULL);
7114 	file_security_cache = kmem_cache_create("selinux_file_security",
7115 					    sizeof(struct file_security_struct),
7116 					    0, SLAB_PANIC, NULL);
7117 	avc_init();
7118 
7119 	avtab_cache_init();
7120 
7121 	ebitmap_cache_init();
7122 
7123 	hashtab_cache_init();
7124 
7125 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7126 
7127 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7128 		panic("SELinux: Unable to register AVC netcache callback\n");
7129 
7130 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7131 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7132 
7133 	if (selinux_enforcing_boot)
7134 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
7135 	else
7136 		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
7137 
7138 	return 0;
7139 }
7140 
7141 static void delayed_superblock_init(struct super_block *sb, void *unused)
7142 {
7143 	superblock_doinit(sb, NULL);
7144 }
7145 
7146 void selinux_complete_init(void)
7147 {
7148 	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
7149 
7150 	/* Set up any superblocks initialized prior to the policy load. */
7151 	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
7152 	iterate_supers(delayed_superblock_init, NULL);
7153 }
7154 
7155 /* SELinux requires early initialization in order to label
7156    all processes and objects when they are created. */
7157 security_initcall(selinux_init);
7158 
7159 #if defined(CONFIG_NETFILTER)
7160 
7161 static const struct nf_hook_ops selinux_nf_ops[] = {
7162 	{
7163 		.hook =		selinux_ipv4_postroute,
7164 		.pf =		NFPROTO_IPV4,
7165 		.hooknum =	NF_INET_POST_ROUTING,
7166 		.priority =	NF_IP_PRI_SELINUX_LAST,
7167 	},
7168 	{
7169 		.hook =		selinux_ipv4_forward,
7170 		.pf =		NFPROTO_IPV4,
7171 		.hooknum =	NF_INET_FORWARD,
7172 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7173 	},
7174 	{
7175 		.hook =		selinux_ipv4_output,
7176 		.pf =		NFPROTO_IPV4,
7177 		.hooknum =	NF_INET_LOCAL_OUT,
7178 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7179 	},
7180 #if IS_ENABLED(CONFIG_IPV6)
7181 	{
7182 		.hook =		selinux_ipv6_postroute,
7183 		.pf =		NFPROTO_IPV6,
7184 		.hooknum =	NF_INET_POST_ROUTING,
7185 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7186 	},
7187 	{
7188 		.hook =		selinux_ipv6_forward,
7189 		.pf =		NFPROTO_IPV6,
7190 		.hooknum =	NF_INET_FORWARD,
7191 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7192 	},
7193 	{
7194 		.hook =		selinux_ipv6_output,
7195 		.pf =		NFPROTO_IPV6,
7196 		.hooknum =	NF_INET_LOCAL_OUT,
7197 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7198 	},
7199 #endif	/* IPV6 */
7200 };
7201 
7202 static int __net_init selinux_nf_register(struct net *net)
7203 {
7204 	return nf_register_net_hooks(net, selinux_nf_ops,
7205 				     ARRAY_SIZE(selinux_nf_ops));
7206 }
7207 
7208 static void __net_exit selinux_nf_unregister(struct net *net)
7209 {
7210 	nf_unregister_net_hooks(net, selinux_nf_ops,
7211 				ARRAY_SIZE(selinux_nf_ops));
7212 }
7213 
7214 static struct pernet_operations selinux_net_ops = {
7215 	.init = selinux_nf_register,
7216 	.exit = selinux_nf_unregister,
7217 };
7218 
7219 static int __init selinux_nf_ip_init(void)
7220 {
7221 	int err;
7222 
7223 	if (!selinux_enabled)
7224 		return 0;
7225 
7226 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
7227 
7228 	err = register_pernet_subsys(&selinux_net_ops);
7229 	if (err)
7230 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7231 
7232 	return 0;
7233 }
7234 __initcall(selinux_nf_ip_init);
7235 
7236 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7237 static void selinux_nf_ip_exit(void)
7238 {
7239 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
7240 
7241 	unregister_pernet_subsys(&selinux_net_ops);
7242 }
7243 #endif
7244 
7245 #else /* CONFIG_NETFILTER */
7246 
7247 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7248 #define selinux_nf_ip_exit()
7249 #endif
7250 
7251 #endif /* CONFIG_NETFILTER */
7252 
7253 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7254 int selinux_disable(struct selinux_state *state)
7255 {
7256 	if (state->initialized) {
7257 		/* Not permitted after initial policy load. */
7258 		return -EINVAL;
7259 	}
7260 
7261 	if (state->disabled) {
7262 		/* Only do this once. */
7263 		return -EINVAL;
7264 	}
7265 
7266 	state->disabled = 1;
7267 
7268 	printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
7269 
7270 	selinux_enabled = 0;
7271 
7272 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7273 
7274 	/* Try to destroy the avc node cache */
7275 	avc_disable();
7276 
7277 	/* Unregister netfilter hooks. */
7278 	selinux_nf_ip_exit();
7279 
7280 	/* Unregister selinuxfs. */
7281 	exit_sel_fs();
7282 
7283 	return 0;
7284 }
7285 #endif
7286