xref: /openbmc/linux/security/selinux/hooks.c (revision b9df3997)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105 
106 struct selinux_state selinux_state;
107 
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110 
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot;
113 
114 static int __init enforcing_setup(char *str)
115 {
116 	unsigned long enforcing;
117 	if (!kstrtoul(str, 0, &enforcing))
118 		selinux_enforcing_boot = enforcing ? 1 : 0;
119 	return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125 
126 int selinux_enabled __lsm_ro_after_init = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 	unsigned long enabled;
131 	if (!kstrtoul(str, 0, &enabled))
132 		selinux_enabled = enabled ? 1 : 0;
133 	return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot))
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 /**
152  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153  *
154  * Description:
155  * This function checks the SECMARK reference counter to see if any SECMARK
156  * targets are currently configured, if the reference counter is greater than
157  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
158  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
159  * policy capability is enabled, SECMARK is always considered enabled.
160  *
161  */
162 static int selinux_secmark_enabled(void)
163 {
164 	return (selinux_policycap_alwaysnetwork() ||
165 		atomic_read(&selinux_secmark_refcount));
166 }
167 
168 /**
169  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170  *
171  * Description:
172  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
173  * (1) if any are enabled or false (0) if neither are enabled.  If the
174  * always_check_network policy capability is enabled, peer labeling
175  * is always considered enabled.
176  *
177  */
178 static int selinux_peerlbl_enabled(void)
179 {
180 	return (selinux_policycap_alwaysnetwork() ||
181 		netlbl_enabled() || selinux_xfrm_enabled());
182 }
183 
184 static int selinux_netcache_avc_callback(u32 event)
185 {
186 	if (event == AVC_CALLBACK_RESET) {
187 		sel_netif_flush();
188 		sel_netnode_flush();
189 		sel_netport_flush();
190 		synchronize_net();
191 	}
192 	return 0;
193 }
194 
195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197 	if (event == AVC_CALLBACK_RESET) {
198 		sel_ib_pkey_flush();
199 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 	}
201 
202 	return 0;
203 }
204 
205 /*
206  * initialise the security for the init task
207  */
208 static void cred_init_security(void)
209 {
210 	struct cred *cred = (struct cred *) current->real_cred;
211 	struct task_security_struct *tsec;
212 
213 	tsec = selinux_cred(cred);
214 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 }
216 
217 /*
218  * get the security ID of a set of credentials
219  */
220 static inline u32 cred_sid(const struct cred *cred)
221 {
222 	const struct task_security_struct *tsec;
223 
224 	tsec = selinux_cred(cred);
225 	return tsec->sid;
226 }
227 
228 /*
229  * get the objective security ID of a task
230  */
231 static inline u32 task_sid(const struct task_struct *task)
232 {
233 	u32 sid;
234 
235 	rcu_read_lock();
236 	sid = cred_sid(__task_cred(task));
237 	rcu_read_unlock();
238 	return sid;
239 }
240 
241 /* Allocate and free functions for each kind of security blob. */
242 
243 static int inode_alloc_security(struct inode *inode)
244 {
245 	struct inode_security_struct *isec = selinux_inode(inode);
246 	u32 sid = current_sid();
247 
248 	spin_lock_init(&isec->lock);
249 	INIT_LIST_HEAD(&isec->list);
250 	isec->inode = inode;
251 	isec->sid = SECINITSID_UNLABELED;
252 	isec->sclass = SECCLASS_FILE;
253 	isec->task_sid = sid;
254 	isec->initialized = LABEL_INVALID;
255 
256 	return 0;
257 }
258 
259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260 
261 /*
262  * Try reloading inode security labels that have been marked as invalid.  The
263  * @may_sleep parameter indicates when sleeping and thus reloading labels is
264  * allowed; when set to false, returns -ECHILD when the label is
265  * invalid.  The @dentry parameter should be set to a dentry of the inode.
266  */
267 static int __inode_security_revalidate(struct inode *inode,
268 				       struct dentry *dentry,
269 				       bool may_sleep)
270 {
271 	struct inode_security_struct *isec = selinux_inode(inode);
272 
273 	might_sleep_if(may_sleep);
274 
275 	if (selinux_state.initialized &&
276 	    isec->initialized != LABEL_INITIALIZED) {
277 		if (!may_sleep)
278 			return -ECHILD;
279 
280 		/*
281 		 * Try reloading the inode security label.  This will fail if
282 		 * @opt_dentry is NULL and no dentry for this inode can be
283 		 * found; in that case, continue using the old label.
284 		 */
285 		inode_doinit_with_dentry(inode, dentry);
286 	}
287 	return 0;
288 }
289 
290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291 {
292 	return selinux_inode(inode);
293 }
294 
295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 {
297 	int error;
298 
299 	error = __inode_security_revalidate(inode, NULL, !rcu);
300 	if (error)
301 		return ERR_PTR(error);
302 	return selinux_inode(inode);
303 }
304 
305 /*
306  * Get the security label of an inode.
307  */
308 static struct inode_security_struct *inode_security(struct inode *inode)
309 {
310 	__inode_security_revalidate(inode, NULL, true);
311 	return selinux_inode(inode);
312 }
313 
314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315 {
316 	struct inode *inode = d_backing_inode(dentry);
317 
318 	return selinux_inode(inode);
319 }
320 
321 /*
322  * Get the security label of a dentry's backing inode.
323  */
324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325 {
326 	struct inode *inode = d_backing_inode(dentry);
327 
328 	__inode_security_revalidate(inode, dentry, true);
329 	return selinux_inode(inode);
330 }
331 
332 static void inode_free_security(struct inode *inode)
333 {
334 	struct inode_security_struct *isec = selinux_inode(inode);
335 	struct superblock_security_struct *sbsec;
336 
337 	if (!isec)
338 		return;
339 	sbsec = inode->i_sb->s_security;
340 	/*
341 	 * As not all inode security structures are in a list, we check for
342 	 * empty list outside of the lock to make sure that we won't waste
343 	 * time taking a lock doing nothing.
344 	 *
345 	 * The list_del_init() function can be safely called more than once.
346 	 * It should not be possible for this function to be called with
347 	 * concurrent list_add(), but for better safety against future changes
348 	 * in the code, we use list_empty_careful() here.
349 	 */
350 	if (!list_empty_careful(&isec->list)) {
351 		spin_lock(&sbsec->isec_lock);
352 		list_del_init(&isec->list);
353 		spin_unlock(&sbsec->isec_lock);
354 	}
355 }
356 
357 static int file_alloc_security(struct file *file)
358 {
359 	struct file_security_struct *fsec = selinux_file(file);
360 	u32 sid = current_sid();
361 
362 	fsec->sid = sid;
363 	fsec->fown_sid = sid;
364 
365 	return 0;
366 }
367 
368 static int superblock_alloc_security(struct super_block *sb)
369 {
370 	struct superblock_security_struct *sbsec;
371 
372 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 	if (!sbsec)
374 		return -ENOMEM;
375 
376 	mutex_init(&sbsec->lock);
377 	INIT_LIST_HEAD(&sbsec->isec_head);
378 	spin_lock_init(&sbsec->isec_lock);
379 	sbsec->sb = sb;
380 	sbsec->sid = SECINITSID_UNLABELED;
381 	sbsec->def_sid = SECINITSID_FILE;
382 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383 	sb->s_security = sbsec;
384 
385 	return 0;
386 }
387 
388 static void superblock_free_security(struct super_block *sb)
389 {
390 	struct superblock_security_struct *sbsec = sb->s_security;
391 	sb->s_security = NULL;
392 	kfree(sbsec);
393 }
394 
395 struct selinux_mnt_opts {
396 	const char *fscontext, *context, *rootcontext, *defcontext;
397 };
398 
399 static void selinux_free_mnt_opts(void *mnt_opts)
400 {
401 	struct selinux_mnt_opts *opts = mnt_opts;
402 	kfree(opts->fscontext);
403 	kfree(opts->context);
404 	kfree(opts->rootcontext);
405 	kfree(opts->defcontext);
406 	kfree(opts);
407 }
408 
409 static inline int inode_doinit(struct inode *inode)
410 {
411 	return inode_doinit_with_dentry(inode, NULL);
412 }
413 
414 enum {
415 	Opt_error = -1,
416 	Opt_context = 0,
417 	Opt_defcontext = 1,
418 	Opt_fscontext = 2,
419 	Opt_rootcontext = 3,
420 	Opt_seclabel = 4,
421 };
422 
423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
424 static struct {
425 	const char *name;
426 	int len;
427 	int opt;
428 	bool has_arg;
429 } tokens[] = {
430 	A(context, true),
431 	A(fscontext, true),
432 	A(defcontext, true),
433 	A(rootcontext, true),
434 	A(seclabel, false),
435 };
436 #undef A
437 
438 static int match_opt_prefix(char *s, int l, char **arg)
439 {
440 	int i;
441 
442 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 		size_t len = tokens[i].len;
444 		if (len > l || memcmp(s, tokens[i].name, len))
445 			continue;
446 		if (tokens[i].has_arg) {
447 			if (len == l || s[len] != '=')
448 				continue;
449 			*arg = s + len + 1;
450 		} else if (len != l)
451 			continue;
452 		return tokens[i].opt;
453 	}
454 	return Opt_error;
455 }
456 
457 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
458 
459 static int may_context_mount_sb_relabel(u32 sid,
460 			struct superblock_security_struct *sbsec,
461 			const struct cred *cred)
462 {
463 	const struct task_security_struct *tsec = selinux_cred(cred);
464 	int rc;
465 
466 	rc = avc_has_perm(&selinux_state,
467 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 			  FILESYSTEM__RELABELFROM, NULL);
469 	if (rc)
470 		return rc;
471 
472 	rc = avc_has_perm(&selinux_state,
473 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
474 			  FILESYSTEM__RELABELTO, NULL);
475 	return rc;
476 }
477 
478 static int may_context_mount_inode_relabel(u32 sid,
479 			struct superblock_security_struct *sbsec,
480 			const struct cred *cred)
481 {
482 	const struct task_security_struct *tsec = selinux_cred(cred);
483 	int rc;
484 	rc = avc_has_perm(&selinux_state,
485 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 			  FILESYSTEM__RELABELFROM, NULL);
487 	if (rc)
488 		return rc;
489 
490 	rc = avc_has_perm(&selinux_state,
491 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
492 			  FILESYSTEM__ASSOCIATE, NULL);
493 	return rc;
494 }
495 
496 static int selinux_is_genfs_special_handling(struct super_block *sb)
497 {
498 	/* Special handling. Genfs but also in-core setxattr handler */
499 	return	!strcmp(sb->s_type->name, "sysfs") ||
500 		!strcmp(sb->s_type->name, "pstore") ||
501 		!strcmp(sb->s_type->name, "debugfs") ||
502 		!strcmp(sb->s_type->name, "tracefs") ||
503 		!strcmp(sb->s_type->name, "rootfs") ||
504 		(selinux_policycap_cgroupseclabel() &&
505 		 (!strcmp(sb->s_type->name, "cgroup") ||
506 		  !strcmp(sb->s_type->name, "cgroup2")));
507 }
508 
509 static int selinux_is_sblabel_mnt(struct super_block *sb)
510 {
511 	struct superblock_security_struct *sbsec = sb->s_security;
512 
513 	/*
514 	 * IMPORTANT: Double-check logic in this function when adding a new
515 	 * SECURITY_FS_USE_* definition!
516 	 */
517 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518 
519 	switch (sbsec->behavior) {
520 	case SECURITY_FS_USE_XATTR:
521 	case SECURITY_FS_USE_TRANS:
522 	case SECURITY_FS_USE_TASK:
523 	case SECURITY_FS_USE_NATIVE:
524 		return 1;
525 
526 	case SECURITY_FS_USE_GENFS:
527 		return selinux_is_genfs_special_handling(sb);
528 
529 	/* Never allow relabeling on context mounts */
530 	case SECURITY_FS_USE_MNTPOINT:
531 	case SECURITY_FS_USE_NONE:
532 	default:
533 		return 0;
534 	}
535 }
536 
537 static int sb_finish_set_opts(struct super_block *sb)
538 {
539 	struct superblock_security_struct *sbsec = sb->s_security;
540 	struct dentry *root = sb->s_root;
541 	struct inode *root_inode = d_backing_inode(root);
542 	int rc = 0;
543 
544 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 		/* Make sure that the xattr handler exists and that no
546 		   error other than -ENODATA is returned by getxattr on
547 		   the root directory.  -ENODATA is ok, as this may be
548 		   the first boot of the SELinux kernel before we have
549 		   assigned xattr values to the filesystem. */
550 		if (!(root_inode->i_opflags & IOP_XATTR)) {
551 			pr_warn("SELinux: (dev %s, type %s) has no "
552 			       "xattr support\n", sb->s_id, sb->s_type->name);
553 			rc = -EOPNOTSUPP;
554 			goto out;
555 		}
556 
557 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
558 		if (rc < 0 && rc != -ENODATA) {
559 			if (rc == -EOPNOTSUPP)
560 				pr_warn("SELinux: (dev %s, type "
561 				       "%s) has no security xattr handler\n",
562 				       sb->s_id, sb->s_type->name);
563 			else
564 				pr_warn("SELinux: (dev %s, type "
565 				       "%s) getxattr errno %d\n", sb->s_id,
566 				       sb->s_type->name, -rc);
567 			goto out;
568 		}
569 	}
570 
571 	sbsec->flags |= SE_SBINITIALIZED;
572 
573 	/*
574 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
575 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
576 	 * us a superblock that needs the flag to be cleared.
577 	 */
578 	if (selinux_is_sblabel_mnt(sb))
579 		sbsec->flags |= SBLABEL_MNT;
580 	else
581 		sbsec->flags &= ~SBLABEL_MNT;
582 
583 	/* Initialize the root inode. */
584 	rc = inode_doinit_with_dentry(root_inode, root);
585 
586 	/* Initialize any other inodes associated with the superblock, e.g.
587 	   inodes created prior to initial policy load or inodes created
588 	   during get_sb by a pseudo filesystem that directly
589 	   populates itself. */
590 	spin_lock(&sbsec->isec_lock);
591 	while (!list_empty(&sbsec->isec_head)) {
592 		struct inode_security_struct *isec =
593 				list_first_entry(&sbsec->isec_head,
594 					   struct inode_security_struct, list);
595 		struct inode *inode = isec->inode;
596 		list_del_init(&isec->list);
597 		spin_unlock(&sbsec->isec_lock);
598 		inode = igrab(inode);
599 		if (inode) {
600 			if (!IS_PRIVATE(inode))
601 				inode_doinit(inode);
602 			iput(inode);
603 		}
604 		spin_lock(&sbsec->isec_lock);
605 	}
606 	spin_unlock(&sbsec->isec_lock);
607 out:
608 	return rc;
609 }
610 
611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 		      u32 old_sid, u32 new_sid)
613 {
614 	char mnt_flags = sbsec->flags & SE_MNTMASK;
615 
616 	/* check if the old mount command had the same options */
617 	if (sbsec->flags & SE_SBINITIALIZED)
618 		if (!(sbsec->flags & flag) ||
619 		    (old_sid != new_sid))
620 			return 1;
621 
622 	/* check if we were passed the same options twice,
623 	 * aka someone passed context=a,context=b
624 	 */
625 	if (!(sbsec->flags & SE_SBINITIALIZED))
626 		if (mnt_flags & flag)
627 			return 1;
628 	return 0;
629 }
630 
631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
632 {
633 	int rc = security_context_str_to_sid(&selinux_state, s,
634 					     sid, GFP_KERNEL);
635 	if (rc)
636 		pr_warn("SELinux: security_context_str_to_sid"
637 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
638 		       s, sb->s_id, sb->s_type->name, rc);
639 	return rc;
640 }
641 
642 /*
643  * Allow filesystems with binary mount data to explicitly set mount point
644  * labeling information.
645  */
646 static int selinux_set_mnt_opts(struct super_block *sb,
647 				void *mnt_opts,
648 				unsigned long kern_flags,
649 				unsigned long *set_kern_flags)
650 {
651 	const struct cred *cred = current_cred();
652 	struct superblock_security_struct *sbsec = sb->s_security;
653 	struct dentry *root = sbsec->sb->s_root;
654 	struct selinux_mnt_opts *opts = mnt_opts;
655 	struct inode_security_struct *root_isec;
656 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657 	u32 defcontext_sid = 0;
658 	int rc = 0;
659 
660 	mutex_lock(&sbsec->lock);
661 
662 	if (!selinux_state.initialized) {
663 		if (!opts) {
664 			/* Defer initialization until selinux_complete_init,
665 			   after the initial policy is loaded and the security
666 			   server is ready to handle calls. */
667 			goto out;
668 		}
669 		rc = -EINVAL;
670 		pr_warn("SELinux: Unable to set superblock options "
671 			"before the security server is initialized\n");
672 		goto out;
673 	}
674 	if (kern_flags && !set_kern_flags) {
675 		/* Specifying internal flags without providing a place to
676 		 * place the results is not allowed */
677 		rc = -EINVAL;
678 		goto out;
679 	}
680 
681 	/*
682 	 * Binary mount data FS will come through this function twice.  Once
683 	 * from an explicit call and once from the generic calls from the vfs.
684 	 * Since the generic VFS calls will not contain any security mount data
685 	 * we need to skip the double mount verification.
686 	 *
687 	 * This does open a hole in which we will not notice if the first
688 	 * mount using this sb set explict options and a second mount using
689 	 * this sb does not set any security options.  (The first options
690 	 * will be used for both mounts)
691 	 */
692 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
693 	    && !opts)
694 		goto out;
695 
696 	root_isec = backing_inode_security_novalidate(root);
697 
698 	/*
699 	 * parse the mount options, check if they are valid sids.
700 	 * also check if someone is trying to mount the same sb more
701 	 * than once with different security options.
702 	 */
703 	if (opts) {
704 		if (opts->fscontext) {
705 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
706 			if (rc)
707 				goto out;
708 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
709 					fscontext_sid))
710 				goto out_double_mount;
711 			sbsec->flags |= FSCONTEXT_MNT;
712 		}
713 		if (opts->context) {
714 			rc = parse_sid(sb, opts->context, &context_sid);
715 			if (rc)
716 				goto out;
717 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
718 					context_sid))
719 				goto out_double_mount;
720 			sbsec->flags |= CONTEXT_MNT;
721 		}
722 		if (opts->rootcontext) {
723 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
724 			if (rc)
725 				goto out;
726 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
727 					rootcontext_sid))
728 				goto out_double_mount;
729 			sbsec->flags |= ROOTCONTEXT_MNT;
730 		}
731 		if (opts->defcontext) {
732 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
733 			if (rc)
734 				goto out;
735 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736 					defcontext_sid))
737 				goto out_double_mount;
738 			sbsec->flags |= DEFCONTEXT_MNT;
739 		}
740 	}
741 
742 	if (sbsec->flags & SE_SBINITIALIZED) {
743 		/* previously mounted with options, but not on this attempt? */
744 		if ((sbsec->flags & SE_MNTMASK) && !opts)
745 			goto out_double_mount;
746 		rc = 0;
747 		goto out;
748 	}
749 
750 	if (strcmp(sb->s_type->name, "proc") == 0)
751 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
752 
753 	if (!strcmp(sb->s_type->name, "debugfs") ||
754 	    !strcmp(sb->s_type->name, "tracefs") ||
755 	    !strcmp(sb->s_type->name, "pstore"))
756 		sbsec->flags |= SE_SBGENFS;
757 
758 	if (!strcmp(sb->s_type->name, "sysfs") ||
759 	    !strcmp(sb->s_type->name, "cgroup") ||
760 	    !strcmp(sb->s_type->name, "cgroup2"))
761 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
762 
763 	if (!sbsec->behavior) {
764 		/*
765 		 * Determine the labeling behavior to use for this
766 		 * filesystem type.
767 		 */
768 		rc = security_fs_use(&selinux_state, sb);
769 		if (rc) {
770 			pr_warn("%s: security_fs_use(%s) returned %d\n",
771 					__func__, sb->s_type->name, rc);
772 			goto out;
773 		}
774 	}
775 
776 	/*
777 	 * If this is a user namespace mount and the filesystem type is not
778 	 * explicitly whitelisted, then no contexts are allowed on the command
779 	 * line and security labels must be ignored.
780 	 */
781 	if (sb->s_user_ns != &init_user_ns &&
782 	    strcmp(sb->s_type->name, "tmpfs") &&
783 	    strcmp(sb->s_type->name, "ramfs") &&
784 	    strcmp(sb->s_type->name, "devpts")) {
785 		if (context_sid || fscontext_sid || rootcontext_sid ||
786 		    defcontext_sid) {
787 			rc = -EACCES;
788 			goto out;
789 		}
790 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 			rc = security_transition_sid(&selinux_state,
793 						     current_sid(),
794 						     current_sid(),
795 						     SECCLASS_FILE, NULL,
796 						     &sbsec->mntpoint_sid);
797 			if (rc)
798 				goto out;
799 		}
800 		goto out_set_opts;
801 	}
802 
803 	/* sets the context of the superblock for the fs being mounted. */
804 	if (fscontext_sid) {
805 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
806 		if (rc)
807 			goto out;
808 
809 		sbsec->sid = fscontext_sid;
810 	}
811 
812 	/*
813 	 * Switch to using mount point labeling behavior.
814 	 * sets the label used on all file below the mountpoint, and will set
815 	 * the superblock context if not already set.
816 	 */
817 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
819 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
820 	}
821 
822 	if (context_sid) {
823 		if (!fscontext_sid) {
824 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
825 							  cred);
826 			if (rc)
827 				goto out;
828 			sbsec->sid = context_sid;
829 		} else {
830 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
831 							     cred);
832 			if (rc)
833 				goto out;
834 		}
835 		if (!rootcontext_sid)
836 			rootcontext_sid = context_sid;
837 
838 		sbsec->mntpoint_sid = context_sid;
839 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
840 	}
841 
842 	if (rootcontext_sid) {
843 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
844 						     cred);
845 		if (rc)
846 			goto out;
847 
848 		root_isec->sid = rootcontext_sid;
849 		root_isec->initialized = LABEL_INITIALIZED;
850 	}
851 
852 	if (defcontext_sid) {
853 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
855 			rc = -EINVAL;
856 			pr_warn("SELinux: defcontext option is "
857 			       "invalid for this filesystem type\n");
858 			goto out;
859 		}
860 
861 		if (defcontext_sid != sbsec->def_sid) {
862 			rc = may_context_mount_inode_relabel(defcontext_sid,
863 							     sbsec, cred);
864 			if (rc)
865 				goto out;
866 		}
867 
868 		sbsec->def_sid = defcontext_sid;
869 	}
870 
871 out_set_opts:
872 	rc = sb_finish_set_opts(sb);
873 out:
874 	mutex_unlock(&sbsec->lock);
875 	return rc;
876 out_double_mount:
877 	rc = -EINVAL;
878 	pr_warn("SELinux: mount invalid.  Same superblock, different "
879 	       "security settings for (dev %s, type %s)\n", sb->s_id,
880 	       sb->s_type->name);
881 	goto out;
882 }
883 
884 static int selinux_cmp_sb_context(const struct super_block *oldsb,
885 				    const struct super_block *newsb)
886 {
887 	struct superblock_security_struct *old = oldsb->s_security;
888 	struct superblock_security_struct *new = newsb->s_security;
889 	char oldflags = old->flags & SE_MNTMASK;
890 	char newflags = new->flags & SE_MNTMASK;
891 
892 	if (oldflags != newflags)
893 		goto mismatch;
894 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
895 		goto mismatch;
896 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
897 		goto mismatch;
898 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
899 		goto mismatch;
900 	if (oldflags & ROOTCONTEXT_MNT) {
901 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
903 		if (oldroot->sid != newroot->sid)
904 			goto mismatch;
905 	}
906 	return 0;
907 mismatch:
908 	pr_warn("SELinux: mount invalid.  Same superblock, "
909 			    "different security settings for (dev %s, "
910 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
911 	return -EBUSY;
912 }
913 
914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
915 					struct super_block *newsb,
916 					unsigned long kern_flags,
917 					unsigned long *set_kern_flags)
918 {
919 	int rc = 0;
920 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921 	struct superblock_security_struct *newsbsec = newsb->s_security;
922 
923 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
924 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
925 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
926 
927 	/*
928 	 * if the parent was able to be mounted it clearly had no special lsm
929 	 * mount options.  thus we can safely deal with this superblock later
930 	 */
931 	if (!selinux_state.initialized)
932 		return 0;
933 
934 	/*
935 	 * Specifying internal flags without providing a place to
936 	 * place the results is not allowed.
937 	 */
938 	if (kern_flags && !set_kern_flags)
939 		return -EINVAL;
940 
941 	/* how can we clone if the old one wasn't set up?? */
942 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
943 
944 	/* if fs is reusing a sb, make sure that the contexts match */
945 	if (newsbsec->flags & SE_SBINITIALIZED) {
946 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948 		return selinux_cmp_sb_context(oldsb, newsb);
949 	}
950 
951 	mutex_lock(&newsbsec->lock);
952 
953 	newsbsec->flags = oldsbsec->flags;
954 
955 	newsbsec->sid = oldsbsec->sid;
956 	newsbsec->def_sid = oldsbsec->def_sid;
957 	newsbsec->behavior = oldsbsec->behavior;
958 
959 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
961 		rc = security_fs_use(&selinux_state, newsb);
962 		if (rc)
963 			goto out;
964 	}
965 
966 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
969 	}
970 
971 	if (set_context) {
972 		u32 sid = oldsbsec->mntpoint_sid;
973 
974 		if (!set_fscontext)
975 			newsbsec->sid = sid;
976 		if (!set_rootcontext) {
977 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978 			newisec->sid = sid;
979 		}
980 		newsbsec->mntpoint_sid = sid;
981 	}
982 	if (set_rootcontext) {
983 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
985 
986 		newisec->sid = oldisec->sid;
987 	}
988 
989 	sb_finish_set_opts(newsb);
990 out:
991 	mutex_unlock(&newsbsec->lock);
992 	return rc;
993 }
994 
995 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
996 {
997 	struct selinux_mnt_opts *opts = *mnt_opts;
998 
999 	if (token == Opt_seclabel)	/* eaten and completely ignored */
1000 		return 0;
1001 
1002 	if (!opts) {
1003 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 		if (!opts)
1005 			return -ENOMEM;
1006 		*mnt_opts = opts;
1007 	}
1008 	if (!s)
1009 		return -ENOMEM;
1010 	switch (token) {
1011 	case Opt_context:
1012 		if (opts->context || opts->defcontext)
1013 			goto Einval;
1014 		opts->context = s;
1015 		break;
1016 	case Opt_fscontext:
1017 		if (opts->fscontext)
1018 			goto Einval;
1019 		opts->fscontext = s;
1020 		break;
1021 	case Opt_rootcontext:
1022 		if (opts->rootcontext)
1023 			goto Einval;
1024 		opts->rootcontext = s;
1025 		break;
1026 	case Opt_defcontext:
1027 		if (opts->context || opts->defcontext)
1028 			goto Einval;
1029 		opts->defcontext = s;
1030 		break;
1031 	}
1032 	return 0;
1033 Einval:
1034 	pr_warn(SEL_MOUNT_FAIL_MSG);
1035 	return -EINVAL;
1036 }
1037 
1038 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039 			       void **mnt_opts)
1040 {
1041 	int token = Opt_error;
1042 	int rc, i;
1043 
1044 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045 		if (strcmp(option, tokens[i].name) == 0) {
1046 			token = tokens[i].opt;
1047 			break;
1048 		}
1049 	}
1050 
1051 	if (token == Opt_error)
1052 		return -EINVAL;
1053 
1054 	if (token != Opt_seclabel) {
1055 		val = kmemdup_nul(val, len, GFP_KERNEL);
1056 		if (!val) {
1057 			rc = -ENOMEM;
1058 			goto free_opt;
1059 		}
1060 	}
1061 	rc = selinux_add_opt(token, val, mnt_opts);
1062 	if (unlikely(rc)) {
1063 		kfree(val);
1064 		goto free_opt;
1065 	}
1066 	return rc;
1067 
1068 free_opt:
1069 	if (*mnt_opts) {
1070 		selinux_free_mnt_opts(*mnt_opts);
1071 		*mnt_opts = NULL;
1072 	}
1073 	return rc;
1074 }
1075 
1076 static int show_sid(struct seq_file *m, u32 sid)
1077 {
1078 	char *context = NULL;
1079 	u32 len;
1080 	int rc;
1081 
1082 	rc = security_sid_to_context(&selinux_state, sid,
1083 					     &context, &len);
1084 	if (!rc) {
1085 		bool has_comma = context && strchr(context, ',');
1086 
1087 		seq_putc(m, '=');
1088 		if (has_comma)
1089 			seq_putc(m, '\"');
1090 		seq_escape(m, context, "\"\n\\");
1091 		if (has_comma)
1092 			seq_putc(m, '\"');
1093 	}
1094 	kfree(context);
1095 	return rc;
1096 }
1097 
1098 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099 {
1100 	struct superblock_security_struct *sbsec = sb->s_security;
1101 	int rc;
1102 
1103 	if (!(sbsec->flags & SE_SBINITIALIZED))
1104 		return 0;
1105 
1106 	if (!selinux_state.initialized)
1107 		return 0;
1108 
1109 	if (sbsec->flags & FSCONTEXT_MNT) {
1110 		seq_putc(m, ',');
1111 		seq_puts(m, FSCONTEXT_STR);
1112 		rc = show_sid(m, sbsec->sid);
1113 		if (rc)
1114 			return rc;
1115 	}
1116 	if (sbsec->flags & CONTEXT_MNT) {
1117 		seq_putc(m, ',');
1118 		seq_puts(m, CONTEXT_STR);
1119 		rc = show_sid(m, sbsec->mntpoint_sid);
1120 		if (rc)
1121 			return rc;
1122 	}
1123 	if (sbsec->flags & DEFCONTEXT_MNT) {
1124 		seq_putc(m, ',');
1125 		seq_puts(m, DEFCONTEXT_STR);
1126 		rc = show_sid(m, sbsec->def_sid);
1127 		if (rc)
1128 			return rc;
1129 	}
1130 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1131 		struct dentry *root = sbsec->sb->s_root;
1132 		struct inode_security_struct *isec = backing_inode_security(root);
1133 		seq_putc(m, ',');
1134 		seq_puts(m, ROOTCONTEXT_STR);
1135 		rc = show_sid(m, isec->sid);
1136 		if (rc)
1137 			return rc;
1138 	}
1139 	if (sbsec->flags & SBLABEL_MNT) {
1140 		seq_putc(m, ',');
1141 		seq_puts(m, SECLABEL_STR);
1142 	}
1143 	return 0;
1144 }
1145 
1146 static inline u16 inode_mode_to_security_class(umode_t mode)
1147 {
1148 	switch (mode & S_IFMT) {
1149 	case S_IFSOCK:
1150 		return SECCLASS_SOCK_FILE;
1151 	case S_IFLNK:
1152 		return SECCLASS_LNK_FILE;
1153 	case S_IFREG:
1154 		return SECCLASS_FILE;
1155 	case S_IFBLK:
1156 		return SECCLASS_BLK_FILE;
1157 	case S_IFDIR:
1158 		return SECCLASS_DIR;
1159 	case S_IFCHR:
1160 		return SECCLASS_CHR_FILE;
1161 	case S_IFIFO:
1162 		return SECCLASS_FIFO_FILE;
1163 
1164 	}
1165 
1166 	return SECCLASS_FILE;
1167 }
1168 
1169 static inline int default_protocol_stream(int protocol)
1170 {
1171 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172 }
1173 
1174 static inline int default_protocol_dgram(int protocol)
1175 {
1176 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177 }
1178 
1179 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180 {
1181 	int extsockclass = selinux_policycap_extsockclass();
1182 
1183 	switch (family) {
1184 	case PF_UNIX:
1185 		switch (type) {
1186 		case SOCK_STREAM:
1187 		case SOCK_SEQPACKET:
1188 			return SECCLASS_UNIX_STREAM_SOCKET;
1189 		case SOCK_DGRAM:
1190 		case SOCK_RAW:
1191 			return SECCLASS_UNIX_DGRAM_SOCKET;
1192 		}
1193 		break;
1194 	case PF_INET:
1195 	case PF_INET6:
1196 		switch (type) {
1197 		case SOCK_STREAM:
1198 		case SOCK_SEQPACKET:
1199 			if (default_protocol_stream(protocol))
1200 				return SECCLASS_TCP_SOCKET;
1201 			else if (extsockclass && protocol == IPPROTO_SCTP)
1202 				return SECCLASS_SCTP_SOCKET;
1203 			else
1204 				return SECCLASS_RAWIP_SOCKET;
1205 		case SOCK_DGRAM:
1206 			if (default_protocol_dgram(protocol))
1207 				return SECCLASS_UDP_SOCKET;
1208 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209 						  protocol == IPPROTO_ICMPV6))
1210 				return SECCLASS_ICMP_SOCKET;
1211 			else
1212 				return SECCLASS_RAWIP_SOCKET;
1213 		case SOCK_DCCP:
1214 			return SECCLASS_DCCP_SOCKET;
1215 		default:
1216 			return SECCLASS_RAWIP_SOCKET;
1217 		}
1218 		break;
1219 	case PF_NETLINK:
1220 		switch (protocol) {
1221 		case NETLINK_ROUTE:
1222 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1223 		case NETLINK_SOCK_DIAG:
1224 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225 		case NETLINK_NFLOG:
1226 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1227 		case NETLINK_XFRM:
1228 			return SECCLASS_NETLINK_XFRM_SOCKET;
1229 		case NETLINK_SELINUX:
1230 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1231 		case NETLINK_ISCSI:
1232 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1233 		case NETLINK_AUDIT:
1234 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1235 		case NETLINK_FIB_LOOKUP:
1236 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237 		case NETLINK_CONNECTOR:
1238 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239 		case NETLINK_NETFILTER:
1240 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1241 		case NETLINK_DNRTMSG:
1242 			return SECCLASS_NETLINK_DNRT_SOCKET;
1243 		case NETLINK_KOBJECT_UEVENT:
1244 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1245 		case NETLINK_GENERIC:
1246 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1247 		case NETLINK_SCSITRANSPORT:
1248 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249 		case NETLINK_RDMA:
1250 			return SECCLASS_NETLINK_RDMA_SOCKET;
1251 		case NETLINK_CRYPTO:
1252 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1253 		default:
1254 			return SECCLASS_NETLINK_SOCKET;
1255 		}
1256 	case PF_PACKET:
1257 		return SECCLASS_PACKET_SOCKET;
1258 	case PF_KEY:
1259 		return SECCLASS_KEY_SOCKET;
1260 	case PF_APPLETALK:
1261 		return SECCLASS_APPLETALK_SOCKET;
1262 	}
1263 
1264 	if (extsockclass) {
1265 		switch (family) {
1266 		case PF_AX25:
1267 			return SECCLASS_AX25_SOCKET;
1268 		case PF_IPX:
1269 			return SECCLASS_IPX_SOCKET;
1270 		case PF_NETROM:
1271 			return SECCLASS_NETROM_SOCKET;
1272 		case PF_ATMPVC:
1273 			return SECCLASS_ATMPVC_SOCKET;
1274 		case PF_X25:
1275 			return SECCLASS_X25_SOCKET;
1276 		case PF_ROSE:
1277 			return SECCLASS_ROSE_SOCKET;
1278 		case PF_DECnet:
1279 			return SECCLASS_DECNET_SOCKET;
1280 		case PF_ATMSVC:
1281 			return SECCLASS_ATMSVC_SOCKET;
1282 		case PF_RDS:
1283 			return SECCLASS_RDS_SOCKET;
1284 		case PF_IRDA:
1285 			return SECCLASS_IRDA_SOCKET;
1286 		case PF_PPPOX:
1287 			return SECCLASS_PPPOX_SOCKET;
1288 		case PF_LLC:
1289 			return SECCLASS_LLC_SOCKET;
1290 		case PF_CAN:
1291 			return SECCLASS_CAN_SOCKET;
1292 		case PF_TIPC:
1293 			return SECCLASS_TIPC_SOCKET;
1294 		case PF_BLUETOOTH:
1295 			return SECCLASS_BLUETOOTH_SOCKET;
1296 		case PF_IUCV:
1297 			return SECCLASS_IUCV_SOCKET;
1298 		case PF_RXRPC:
1299 			return SECCLASS_RXRPC_SOCKET;
1300 		case PF_ISDN:
1301 			return SECCLASS_ISDN_SOCKET;
1302 		case PF_PHONET:
1303 			return SECCLASS_PHONET_SOCKET;
1304 		case PF_IEEE802154:
1305 			return SECCLASS_IEEE802154_SOCKET;
1306 		case PF_CAIF:
1307 			return SECCLASS_CAIF_SOCKET;
1308 		case PF_ALG:
1309 			return SECCLASS_ALG_SOCKET;
1310 		case PF_NFC:
1311 			return SECCLASS_NFC_SOCKET;
1312 		case PF_VSOCK:
1313 			return SECCLASS_VSOCK_SOCKET;
1314 		case PF_KCM:
1315 			return SECCLASS_KCM_SOCKET;
1316 		case PF_QIPCRTR:
1317 			return SECCLASS_QIPCRTR_SOCKET;
1318 		case PF_SMC:
1319 			return SECCLASS_SMC_SOCKET;
1320 		case PF_XDP:
1321 			return SECCLASS_XDP_SOCKET;
1322 #if PF_MAX > 45
1323 #error New address family defined, please update this function.
1324 #endif
1325 		}
1326 	}
1327 
1328 	return SECCLASS_SOCKET;
1329 }
1330 
1331 static int selinux_genfs_get_sid(struct dentry *dentry,
1332 				 u16 tclass,
1333 				 u16 flags,
1334 				 u32 *sid)
1335 {
1336 	int rc;
1337 	struct super_block *sb = dentry->d_sb;
1338 	char *buffer, *path;
1339 
1340 	buffer = (char *)__get_free_page(GFP_KERNEL);
1341 	if (!buffer)
1342 		return -ENOMEM;
1343 
1344 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345 	if (IS_ERR(path))
1346 		rc = PTR_ERR(path);
1347 	else {
1348 		if (flags & SE_SBPROC) {
1349 			/* each process gets a /proc/PID/ entry. Strip off the
1350 			 * PID part to get a valid selinux labeling.
1351 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352 			while (path[1] >= '0' && path[1] <= '9') {
1353 				path[1] = '/';
1354 				path++;
1355 			}
1356 		}
1357 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358 					path, tclass, sid);
1359 		if (rc == -ENOENT) {
1360 			/* No match in policy, mark as unlabeled. */
1361 			*sid = SECINITSID_UNLABELED;
1362 			rc = 0;
1363 		}
1364 	}
1365 	free_page((unsigned long)buffer);
1366 	return rc;
1367 }
1368 
1369 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370 				  u32 def_sid, u32 *sid)
1371 {
1372 #define INITCONTEXTLEN 255
1373 	char *context;
1374 	unsigned int len;
1375 	int rc;
1376 
1377 	len = INITCONTEXTLEN;
1378 	context = kmalloc(len + 1, GFP_NOFS);
1379 	if (!context)
1380 		return -ENOMEM;
1381 
1382 	context[len] = '\0';
1383 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384 	if (rc == -ERANGE) {
1385 		kfree(context);
1386 
1387 		/* Need a larger buffer.  Query for the right size. */
1388 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389 		if (rc < 0)
1390 			return rc;
1391 
1392 		len = rc;
1393 		context = kmalloc(len + 1, GFP_NOFS);
1394 		if (!context)
1395 			return -ENOMEM;
1396 
1397 		context[len] = '\0';
1398 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399 				    context, len);
1400 	}
1401 	if (rc < 0) {
1402 		kfree(context);
1403 		if (rc != -ENODATA) {
1404 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1405 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406 			return rc;
1407 		}
1408 		*sid = def_sid;
1409 		return 0;
1410 	}
1411 
1412 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413 					     def_sid, GFP_NOFS);
1414 	if (rc) {
1415 		char *dev = inode->i_sb->s_id;
1416 		unsigned long ino = inode->i_ino;
1417 
1418 		if (rc == -EINVAL) {
1419 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1420 					      ino, dev, context);
1421 		} else {
1422 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423 				__func__, context, -rc, dev, ino);
1424 		}
1425 	}
1426 	kfree(context);
1427 	return 0;
1428 }
1429 
1430 /* The inode's security attributes must be initialized before first use. */
1431 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432 {
1433 	struct superblock_security_struct *sbsec = NULL;
1434 	struct inode_security_struct *isec = selinux_inode(inode);
1435 	u32 task_sid, sid = 0;
1436 	u16 sclass;
1437 	struct dentry *dentry;
1438 	int rc = 0;
1439 
1440 	if (isec->initialized == LABEL_INITIALIZED)
1441 		return 0;
1442 
1443 	spin_lock(&isec->lock);
1444 	if (isec->initialized == LABEL_INITIALIZED)
1445 		goto out_unlock;
1446 
1447 	if (isec->sclass == SECCLASS_FILE)
1448 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449 
1450 	sbsec = inode->i_sb->s_security;
1451 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1452 		/* Defer initialization until selinux_complete_init,
1453 		   after the initial policy is loaded and the security
1454 		   server is ready to handle calls. */
1455 		spin_lock(&sbsec->isec_lock);
1456 		if (list_empty(&isec->list))
1457 			list_add(&isec->list, &sbsec->isec_head);
1458 		spin_unlock(&sbsec->isec_lock);
1459 		goto out_unlock;
1460 	}
1461 
1462 	sclass = isec->sclass;
1463 	task_sid = isec->task_sid;
1464 	sid = isec->sid;
1465 	isec->initialized = LABEL_PENDING;
1466 	spin_unlock(&isec->lock);
1467 
1468 	switch (sbsec->behavior) {
1469 	case SECURITY_FS_USE_NATIVE:
1470 		break;
1471 	case SECURITY_FS_USE_XATTR:
1472 		if (!(inode->i_opflags & IOP_XATTR)) {
1473 			sid = sbsec->def_sid;
1474 			break;
1475 		}
1476 		/* Need a dentry, since the xattr API requires one.
1477 		   Life would be simpler if we could just pass the inode. */
1478 		if (opt_dentry) {
1479 			/* Called from d_instantiate or d_splice_alias. */
1480 			dentry = dget(opt_dentry);
1481 		} else {
1482 			/*
1483 			 * Called from selinux_complete_init, try to find a dentry.
1484 			 * Some filesystems really want a connected one, so try
1485 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1486 			 * two, depending upon that...
1487 			 */
1488 			dentry = d_find_alias(inode);
1489 			if (!dentry)
1490 				dentry = d_find_any_alias(inode);
1491 		}
1492 		if (!dentry) {
1493 			/*
1494 			 * this is can be hit on boot when a file is accessed
1495 			 * before the policy is loaded.  When we load policy we
1496 			 * may find inodes that have no dentry on the
1497 			 * sbsec->isec_head list.  No reason to complain as these
1498 			 * will get fixed up the next time we go through
1499 			 * inode_doinit with a dentry, before these inodes could
1500 			 * be used again by userspace.
1501 			 */
1502 			goto out;
1503 		}
1504 
1505 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506 					    &sid);
1507 		dput(dentry);
1508 		if (rc)
1509 			goto out;
1510 		break;
1511 	case SECURITY_FS_USE_TASK:
1512 		sid = task_sid;
1513 		break;
1514 	case SECURITY_FS_USE_TRANS:
1515 		/* Default to the fs SID. */
1516 		sid = sbsec->sid;
1517 
1518 		/* Try to obtain a transition SID. */
1519 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 					     sclass, NULL, &sid);
1521 		if (rc)
1522 			goto out;
1523 		break;
1524 	case SECURITY_FS_USE_MNTPOINT:
1525 		sid = sbsec->mntpoint_sid;
1526 		break;
1527 	default:
1528 		/* Default to the fs superblock SID. */
1529 		sid = sbsec->sid;
1530 
1531 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1532 			/* We must have a dentry to determine the label on
1533 			 * procfs inodes */
1534 			if (opt_dentry) {
1535 				/* Called from d_instantiate or
1536 				 * d_splice_alias. */
1537 				dentry = dget(opt_dentry);
1538 			} else {
1539 				/* Called from selinux_complete_init, try to
1540 				 * find a dentry.  Some filesystems really want
1541 				 * a connected one, so try that first.
1542 				 */
1543 				dentry = d_find_alias(inode);
1544 				if (!dentry)
1545 					dentry = d_find_any_alias(inode);
1546 			}
1547 			/*
1548 			 * This can be hit on boot when a file is accessed
1549 			 * before the policy is loaded.  When we load policy we
1550 			 * may find inodes that have no dentry on the
1551 			 * sbsec->isec_head list.  No reason to complain as
1552 			 * these will get fixed up the next time we go through
1553 			 * inode_doinit() with a dentry, before these inodes
1554 			 * could be used again by userspace.
1555 			 */
1556 			if (!dentry)
1557 				goto out;
1558 			rc = selinux_genfs_get_sid(dentry, sclass,
1559 						   sbsec->flags, &sid);
1560 			if (rc) {
1561 				dput(dentry);
1562 				goto out;
1563 			}
1564 
1565 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566 			    (inode->i_opflags & IOP_XATTR)) {
1567 				rc = inode_doinit_use_xattr(inode, dentry,
1568 							    sid, &sid);
1569 				if (rc) {
1570 					dput(dentry);
1571 					goto out;
1572 				}
1573 			}
1574 			dput(dentry);
1575 		}
1576 		break;
1577 	}
1578 
1579 out:
1580 	spin_lock(&isec->lock);
1581 	if (isec->initialized == LABEL_PENDING) {
1582 		if (!sid || rc) {
1583 			isec->initialized = LABEL_INVALID;
1584 			goto out_unlock;
1585 		}
1586 
1587 		isec->initialized = LABEL_INITIALIZED;
1588 		isec->sid = sid;
1589 	}
1590 
1591 out_unlock:
1592 	spin_unlock(&isec->lock);
1593 	return rc;
1594 }
1595 
1596 /* Convert a Linux signal to an access vector. */
1597 static inline u32 signal_to_av(int sig)
1598 {
1599 	u32 perm = 0;
1600 
1601 	switch (sig) {
1602 	case SIGCHLD:
1603 		/* Commonly granted from child to parent. */
1604 		perm = PROCESS__SIGCHLD;
1605 		break;
1606 	case SIGKILL:
1607 		/* Cannot be caught or ignored */
1608 		perm = PROCESS__SIGKILL;
1609 		break;
1610 	case SIGSTOP:
1611 		/* Cannot be caught or ignored */
1612 		perm = PROCESS__SIGSTOP;
1613 		break;
1614 	default:
1615 		/* All other signals. */
1616 		perm = PROCESS__SIGNAL;
1617 		break;
1618 	}
1619 
1620 	return perm;
1621 }
1622 
1623 #if CAP_LAST_CAP > 63
1624 #error Fix SELinux to handle capabilities > 63.
1625 #endif
1626 
1627 /* Check whether a task is allowed to use a capability. */
1628 static int cred_has_capability(const struct cred *cred,
1629 			       int cap, unsigned int opts, bool initns)
1630 {
1631 	struct common_audit_data ad;
1632 	struct av_decision avd;
1633 	u16 sclass;
1634 	u32 sid = cred_sid(cred);
1635 	u32 av = CAP_TO_MASK(cap);
1636 	int rc;
1637 
1638 	ad.type = LSM_AUDIT_DATA_CAP;
1639 	ad.u.cap = cap;
1640 
1641 	switch (CAP_TO_INDEX(cap)) {
1642 	case 0:
1643 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1644 		break;
1645 	case 1:
1646 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1647 		break;
1648 	default:
1649 		pr_err("SELinux:  out of range capability %d\n", cap);
1650 		BUG();
1651 		return -EINVAL;
1652 	}
1653 
1654 	rc = avc_has_perm_noaudit(&selinux_state,
1655 				  sid, sid, sclass, av, 0, &avd);
1656 	if (!(opts & CAP_OPT_NOAUDIT)) {
1657 		int rc2 = avc_audit(&selinux_state,
1658 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1659 		if (rc2)
1660 			return rc2;
1661 	}
1662 	return rc;
1663 }
1664 
1665 /* Check whether a task has a particular permission to an inode.
1666    The 'adp' parameter is optional and allows other audit
1667    data to be passed (e.g. the dentry). */
1668 static int inode_has_perm(const struct cred *cred,
1669 			  struct inode *inode,
1670 			  u32 perms,
1671 			  struct common_audit_data *adp)
1672 {
1673 	struct inode_security_struct *isec;
1674 	u32 sid;
1675 
1676 	validate_creds(cred);
1677 
1678 	if (unlikely(IS_PRIVATE(inode)))
1679 		return 0;
1680 
1681 	sid = cred_sid(cred);
1682 	isec = selinux_inode(inode);
1683 
1684 	return avc_has_perm(&selinux_state,
1685 			    sid, isec->sid, isec->sclass, perms, adp);
1686 }
1687 
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the dentry to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int dentry_has_perm(const struct cred *cred,
1692 				  struct dentry *dentry,
1693 				  u32 av)
1694 {
1695 	struct inode *inode = d_backing_inode(dentry);
1696 	struct common_audit_data ad;
1697 
1698 	ad.type = LSM_AUDIT_DATA_DENTRY;
1699 	ad.u.dentry = dentry;
1700 	__inode_security_revalidate(inode, dentry, true);
1701 	return inode_has_perm(cred, inode, av, &ad);
1702 }
1703 
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705    the path to help the auditing code to more easily generate the
1706    pathname if needed. */
1707 static inline int path_has_perm(const struct cred *cred,
1708 				const struct path *path,
1709 				u32 av)
1710 {
1711 	struct inode *inode = d_backing_inode(path->dentry);
1712 	struct common_audit_data ad;
1713 
1714 	ad.type = LSM_AUDIT_DATA_PATH;
1715 	ad.u.path = *path;
1716 	__inode_security_revalidate(inode, path->dentry, true);
1717 	return inode_has_perm(cred, inode, av, &ad);
1718 }
1719 
1720 /* Same as path_has_perm, but uses the inode from the file struct. */
1721 static inline int file_path_has_perm(const struct cred *cred,
1722 				     struct file *file,
1723 				     u32 av)
1724 {
1725 	struct common_audit_data ad;
1726 
1727 	ad.type = LSM_AUDIT_DATA_FILE;
1728 	ad.u.file = file;
1729 	return inode_has_perm(cred, file_inode(file), av, &ad);
1730 }
1731 
1732 #ifdef CONFIG_BPF_SYSCALL
1733 static int bpf_fd_pass(struct file *file, u32 sid);
1734 #endif
1735 
1736 /* Check whether a task can use an open file descriptor to
1737    access an inode in a given way.  Check access to the
1738    descriptor itself, and then use dentry_has_perm to
1739    check a particular permission to the file.
1740    Access to the descriptor is implicitly granted if it
1741    has the same SID as the process.  If av is zero, then
1742    access to the file is not checked, e.g. for cases
1743    where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1745 			 struct file *file,
1746 			 u32 av)
1747 {
1748 	struct file_security_struct *fsec = selinux_file(file);
1749 	struct inode *inode = file_inode(file);
1750 	struct common_audit_data ad;
1751 	u32 sid = cred_sid(cred);
1752 	int rc;
1753 
1754 	ad.type = LSM_AUDIT_DATA_FILE;
1755 	ad.u.file = file;
1756 
1757 	if (sid != fsec->sid) {
1758 		rc = avc_has_perm(&selinux_state,
1759 				  sid, fsec->sid,
1760 				  SECCLASS_FD,
1761 				  FD__USE,
1762 				  &ad);
1763 		if (rc)
1764 			goto out;
1765 	}
1766 
1767 #ifdef CONFIG_BPF_SYSCALL
1768 	rc = bpf_fd_pass(file, cred_sid(cred));
1769 	if (rc)
1770 		return rc;
1771 #endif
1772 
1773 	/* av is zero if only checking access to the descriptor. */
1774 	rc = 0;
1775 	if (av)
1776 		rc = inode_has_perm(cred, inode, av, &ad);
1777 
1778 out:
1779 	return rc;
1780 }
1781 
1782 /*
1783  * Determine the label for an inode that might be unioned.
1784  */
1785 static int
1786 selinux_determine_inode_label(const struct task_security_struct *tsec,
1787 				 struct inode *dir,
1788 				 const struct qstr *name, u16 tclass,
1789 				 u32 *_new_isid)
1790 {
1791 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1792 
1793 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1794 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795 		*_new_isid = sbsec->mntpoint_sid;
1796 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1797 		   tsec->create_sid) {
1798 		*_new_isid = tsec->create_sid;
1799 	} else {
1800 		const struct inode_security_struct *dsec = inode_security(dir);
1801 		return security_transition_sid(&selinux_state, tsec->sid,
1802 					       dsec->sid, tclass,
1803 					       name, _new_isid);
1804 	}
1805 
1806 	return 0;
1807 }
1808 
1809 /* Check whether a task can create a file. */
1810 static int may_create(struct inode *dir,
1811 		      struct dentry *dentry,
1812 		      u16 tclass)
1813 {
1814 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1815 	struct inode_security_struct *dsec;
1816 	struct superblock_security_struct *sbsec;
1817 	u32 sid, newsid;
1818 	struct common_audit_data ad;
1819 	int rc;
1820 
1821 	dsec = inode_security(dir);
1822 	sbsec = dir->i_sb->s_security;
1823 
1824 	sid = tsec->sid;
1825 
1826 	ad.type = LSM_AUDIT_DATA_DENTRY;
1827 	ad.u.dentry = dentry;
1828 
1829 	rc = avc_has_perm(&selinux_state,
1830 			  sid, dsec->sid, SECCLASS_DIR,
1831 			  DIR__ADD_NAME | DIR__SEARCH,
1832 			  &ad);
1833 	if (rc)
1834 		return rc;
1835 
1836 	rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1837 					   &dentry->d_name, tclass, &newsid);
1838 	if (rc)
1839 		return rc;
1840 
1841 	rc = avc_has_perm(&selinux_state,
1842 			  sid, newsid, tclass, FILE__CREATE, &ad);
1843 	if (rc)
1844 		return rc;
1845 
1846 	return avc_has_perm(&selinux_state,
1847 			    newsid, sbsec->sid,
1848 			    SECCLASS_FILESYSTEM,
1849 			    FILESYSTEM__ASSOCIATE, &ad);
1850 }
1851 
1852 #define MAY_LINK	0
1853 #define MAY_UNLINK	1
1854 #define MAY_RMDIR	2
1855 
1856 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1857 static int may_link(struct inode *dir,
1858 		    struct dentry *dentry,
1859 		    int kind)
1860 
1861 {
1862 	struct inode_security_struct *dsec, *isec;
1863 	struct common_audit_data ad;
1864 	u32 sid = current_sid();
1865 	u32 av;
1866 	int rc;
1867 
1868 	dsec = inode_security(dir);
1869 	isec = backing_inode_security(dentry);
1870 
1871 	ad.type = LSM_AUDIT_DATA_DENTRY;
1872 	ad.u.dentry = dentry;
1873 
1874 	av = DIR__SEARCH;
1875 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1876 	rc = avc_has_perm(&selinux_state,
1877 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1878 	if (rc)
1879 		return rc;
1880 
1881 	switch (kind) {
1882 	case MAY_LINK:
1883 		av = FILE__LINK;
1884 		break;
1885 	case MAY_UNLINK:
1886 		av = FILE__UNLINK;
1887 		break;
1888 	case MAY_RMDIR:
1889 		av = DIR__RMDIR;
1890 		break;
1891 	default:
1892 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1893 			__func__, kind);
1894 		return 0;
1895 	}
1896 
1897 	rc = avc_has_perm(&selinux_state,
1898 			  sid, isec->sid, isec->sclass, av, &ad);
1899 	return rc;
1900 }
1901 
1902 static inline int may_rename(struct inode *old_dir,
1903 			     struct dentry *old_dentry,
1904 			     struct inode *new_dir,
1905 			     struct dentry *new_dentry)
1906 {
1907 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1908 	struct common_audit_data ad;
1909 	u32 sid = current_sid();
1910 	u32 av;
1911 	int old_is_dir, new_is_dir;
1912 	int rc;
1913 
1914 	old_dsec = inode_security(old_dir);
1915 	old_isec = backing_inode_security(old_dentry);
1916 	old_is_dir = d_is_dir(old_dentry);
1917 	new_dsec = inode_security(new_dir);
1918 
1919 	ad.type = LSM_AUDIT_DATA_DENTRY;
1920 
1921 	ad.u.dentry = old_dentry;
1922 	rc = avc_has_perm(&selinux_state,
1923 			  sid, old_dsec->sid, SECCLASS_DIR,
1924 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925 	if (rc)
1926 		return rc;
1927 	rc = avc_has_perm(&selinux_state,
1928 			  sid, old_isec->sid,
1929 			  old_isec->sclass, FILE__RENAME, &ad);
1930 	if (rc)
1931 		return rc;
1932 	if (old_is_dir && new_dir != old_dir) {
1933 		rc = avc_has_perm(&selinux_state,
1934 				  sid, old_isec->sid,
1935 				  old_isec->sclass, DIR__REPARENT, &ad);
1936 		if (rc)
1937 			return rc;
1938 	}
1939 
1940 	ad.u.dentry = new_dentry;
1941 	av = DIR__ADD_NAME | DIR__SEARCH;
1942 	if (d_is_positive(new_dentry))
1943 		av |= DIR__REMOVE_NAME;
1944 	rc = avc_has_perm(&selinux_state,
1945 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1946 	if (rc)
1947 		return rc;
1948 	if (d_is_positive(new_dentry)) {
1949 		new_isec = backing_inode_security(new_dentry);
1950 		new_is_dir = d_is_dir(new_dentry);
1951 		rc = avc_has_perm(&selinux_state,
1952 				  sid, new_isec->sid,
1953 				  new_isec->sclass,
1954 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 		if (rc)
1956 			return rc;
1957 	}
1958 
1959 	return 0;
1960 }
1961 
1962 /* Check whether a task can perform a filesystem operation. */
1963 static int superblock_has_perm(const struct cred *cred,
1964 			       struct super_block *sb,
1965 			       u32 perms,
1966 			       struct common_audit_data *ad)
1967 {
1968 	struct superblock_security_struct *sbsec;
1969 	u32 sid = cred_sid(cred);
1970 
1971 	sbsec = sb->s_security;
1972 	return avc_has_perm(&selinux_state,
1973 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975 
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979 	u32 av = 0;
1980 
1981 	if (!S_ISDIR(mode)) {
1982 		if (mask & MAY_EXEC)
1983 			av |= FILE__EXECUTE;
1984 		if (mask & MAY_READ)
1985 			av |= FILE__READ;
1986 
1987 		if (mask & MAY_APPEND)
1988 			av |= FILE__APPEND;
1989 		else if (mask & MAY_WRITE)
1990 			av |= FILE__WRITE;
1991 
1992 	} else {
1993 		if (mask & MAY_EXEC)
1994 			av |= DIR__SEARCH;
1995 		if (mask & MAY_WRITE)
1996 			av |= DIR__WRITE;
1997 		if (mask & MAY_READ)
1998 			av |= DIR__READ;
1999 	}
2000 
2001 	return av;
2002 }
2003 
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007 	u32 av = 0;
2008 
2009 	if (file->f_mode & FMODE_READ)
2010 		av |= FILE__READ;
2011 	if (file->f_mode & FMODE_WRITE) {
2012 		if (file->f_flags & O_APPEND)
2013 			av |= FILE__APPEND;
2014 		else
2015 			av |= FILE__WRITE;
2016 	}
2017 	if (!av) {
2018 		/*
2019 		 * Special file opened with flags 3 for ioctl-only use.
2020 		 */
2021 		av = FILE__IOCTL;
2022 	}
2023 
2024 	return av;
2025 }
2026 
2027 /*
2028  * Convert a file to an access vector and include the correct open
2029  * open permission.
2030  */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033 	u32 av = file_to_av(file);
2034 	struct inode *inode = file_inode(file);
2035 
2036 	if (selinux_policycap_openperm() &&
2037 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2038 		av |= FILE__OPEN;
2039 
2040 	return av;
2041 }
2042 
2043 /* Hook functions begin here. */
2044 
2045 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046 {
2047 	u32 mysid = current_sid();
2048 	u32 mgrsid = task_sid(mgr);
2049 
2050 	return avc_has_perm(&selinux_state,
2051 			    mysid, mgrsid, SECCLASS_BINDER,
2052 			    BINDER__SET_CONTEXT_MGR, NULL);
2053 }
2054 
2055 static int selinux_binder_transaction(struct task_struct *from,
2056 				      struct task_struct *to)
2057 {
2058 	u32 mysid = current_sid();
2059 	u32 fromsid = task_sid(from);
2060 	u32 tosid = task_sid(to);
2061 	int rc;
2062 
2063 	if (mysid != fromsid) {
2064 		rc = avc_has_perm(&selinux_state,
2065 				  mysid, fromsid, SECCLASS_BINDER,
2066 				  BINDER__IMPERSONATE, NULL);
2067 		if (rc)
2068 			return rc;
2069 	}
2070 
2071 	return avc_has_perm(&selinux_state,
2072 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2073 			    NULL);
2074 }
2075 
2076 static int selinux_binder_transfer_binder(struct task_struct *from,
2077 					  struct task_struct *to)
2078 {
2079 	u32 fromsid = task_sid(from);
2080 	u32 tosid = task_sid(to);
2081 
2082 	return avc_has_perm(&selinux_state,
2083 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2084 			    NULL);
2085 }
2086 
2087 static int selinux_binder_transfer_file(struct task_struct *from,
2088 					struct task_struct *to,
2089 					struct file *file)
2090 {
2091 	u32 sid = task_sid(to);
2092 	struct file_security_struct *fsec = selinux_file(file);
2093 	struct dentry *dentry = file->f_path.dentry;
2094 	struct inode_security_struct *isec;
2095 	struct common_audit_data ad;
2096 	int rc;
2097 
2098 	ad.type = LSM_AUDIT_DATA_PATH;
2099 	ad.u.path = file->f_path;
2100 
2101 	if (sid != fsec->sid) {
2102 		rc = avc_has_perm(&selinux_state,
2103 				  sid, fsec->sid,
2104 				  SECCLASS_FD,
2105 				  FD__USE,
2106 				  &ad);
2107 		if (rc)
2108 			return rc;
2109 	}
2110 
2111 #ifdef CONFIG_BPF_SYSCALL
2112 	rc = bpf_fd_pass(file, sid);
2113 	if (rc)
2114 		return rc;
2115 #endif
2116 
2117 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2118 		return 0;
2119 
2120 	isec = backing_inode_security(dentry);
2121 	return avc_has_perm(&selinux_state,
2122 			    sid, isec->sid, isec->sclass, file_to_av(file),
2123 			    &ad);
2124 }
2125 
2126 static int selinux_ptrace_access_check(struct task_struct *child,
2127 				     unsigned int mode)
2128 {
2129 	u32 sid = current_sid();
2130 	u32 csid = task_sid(child);
2131 
2132 	if (mode & PTRACE_MODE_READ)
2133 		return avc_has_perm(&selinux_state,
2134 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2135 
2136 	return avc_has_perm(&selinux_state,
2137 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2138 }
2139 
2140 static int selinux_ptrace_traceme(struct task_struct *parent)
2141 {
2142 	return avc_has_perm(&selinux_state,
2143 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2144 			    PROCESS__PTRACE, NULL);
2145 }
2146 
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 	return avc_has_perm(&selinux_state,
2151 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2152 			    PROCESS__GETCAP, NULL);
2153 }
2154 
2155 static int selinux_capset(struct cred *new, const struct cred *old,
2156 			  const kernel_cap_t *effective,
2157 			  const kernel_cap_t *inheritable,
2158 			  const kernel_cap_t *permitted)
2159 {
2160 	return avc_has_perm(&selinux_state,
2161 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2162 			    PROCESS__SETCAP, NULL);
2163 }
2164 
2165 /*
2166  * (This comment used to live with the selinux_task_setuid hook,
2167  * which was removed).
2168  *
2169  * Since setuid only affects the current process, and since the SELinux
2170  * controls are not based on the Linux identity attributes, SELinux does not
2171  * need to control this operation.  However, SELinux does control the use of
2172  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173  */
2174 
2175 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2176 			   int cap, unsigned int opts)
2177 {
2178 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2179 }
2180 
2181 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182 {
2183 	const struct cred *cred = current_cred();
2184 	int rc = 0;
2185 
2186 	if (!sb)
2187 		return 0;
2188 
2189 	switch (cmds) {
2190 	case Q_SYNC:
2191 	case Q_QUOTAON:
2192 	case Q_QUOTAOFF:
2193 	case Q_SETINFO:
2194 	case Q_SETQUOTA:
2195 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2196 		break;
2197 	case Q_GETFMT:
2198 	case Q_GETINFO:
2199 	case Q_GETQUOTA:
2200 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2201 		break;
2202 	default:
2203 		rc = 0;  /* let the kernel handle invalid cmds */
2204 		break;
2205 	}
2206 	return rc;
2207 }
2208 
2209 static int selinux_quota_on(struct dentry *dentry)
2210 {
2211 	const struct cred *cred = current_cred();
2212 
2213 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2214 }
2215 
2216 static int selinux_syslog(int type)
2217 {
2218 	switch (type) {
2219 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2220 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2221 		return avc_has_perm(&selinux_state,
2222 				    current_sid(), SECINITSID_KERNEL,
2223 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2224 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2225 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2226 	/* Set level of messages printed to console */
2227 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2228 		return avc_has_perm(&selinux_state,
2229 				    current_sid(), SECINITSID_KERNEL,
2230 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231 				    NULL);
2232 	}
2233 	/* All other syslog types */
2234 	return avc_has_perm(&selinux_state,
2235 			    current_sid(), SECINITSID_KERNEL,
2236 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2237 }
2238 
2239 /*
2240  * Check that a process has enough memory to allocate a new virtual
2241  * mapping. 0 means there is enough memory for the allocation to
2242  * succeed and -ENOMEM implies there is not.
2243  *
2244  * Do not audit the selinux permission check, as this is applied to all
2245  * processes that allocate mappings.
2246  */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249 	int rc, cap_sys_admin = 0;
2250 
2251 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252 				 CAP_OPT_NOAUDIT, true);
2253 	if (rc == 0)
2254 		cap_sys_admin = 1;
2255 
2256 	return cap_sys_admin;
2257 }
2258 
2259 /* binprm security operations */
2260 
2261 static u32 ptrace_parent_sid(void)
2262 {
2263 	u32 sid = 0;
2264 	struct task_struct *tracer;
2265 
2266 	rcu_read_lock();
2267 	tracer = ptrace_parent(current);
2268 	if (tracer)
2269 		sid = task_sid(tracer);
2270 	rcu_read_unlock();
2271 
2272 	return sid;
2273 }
2274 
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 			    const struct task_security_struct *old_tsec,
2277 			    const struct task_security_struct *new_tsec)
2278 {
2279 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281 	int rc;
2282 	u32 av;
2283 
2284 	if (!nnp && !nosuid)
2285 		return 0; /* neither NNP nor nosuid */
2286 
2287 	if (new_tsec->sid == old_tsec->sid)
2288 		return 0; /* No change in credentials */
2289 
2290 	/*
2291 	 * If the policy enables the nnp_nosuid_transition policy capability,
2292 	 * then we permit transitions under NNP or nosuid if the
2293 	 * policy allows the corresponding permission between
2294 	 * the old and new contexts.
2295 	 */
2296 	if (selinux_policycap_nnp_nosuid_transition()) {
2297 		av = 0;
2298 		if (nnp)
2299 			av |= PROCESS2__NNP_TRANSITION;
2300 		if (nosuid)
2301 			av |= PROCESS2__NOSUID_TRANSITION;
2302 		rc = avc_has_perm(&selinux_state,
2303 				  old_tsec->sid, new_tsec->sid,
2304 				  SECCLASS_PROCESS2, av, NULL);
2305 		if (!rc)
2306 			return 0;
2307 	}
2308 
2309 	/*
2310 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2311 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2312 	 * of the permissions of the current SID.
2313 	 */
2314 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315 					 new_tsec->sid);
2316 	if (!rc)
2317 		return 0;
2318 
2319 	/*
2320 	 * On failure, preserve the errno values for NNP vs nosuid.
2321 	 * NNP:  Operation not permitted for caller.
2322 	 * nosuid:  Permission denied to file.
2323 	 */
2324 	if (nnp)
2325 		return -EPERM;
2326 	return -EACCES;
2327 }
2328 
2329 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2330 {
2331 	const struct task_security_struct *old_tsec;
2332 	struct task_security_struct *new_tsec;
2333 	struct inode_security_struct *isec;
2334 	struct common_audit_data ad;
2335 	struct inode *inode = file_inode(bprm->file);
2336 	int rc;
2337 
2338 	/* SELinux context only depends on initial program or script and not
2339 	 * the script interpreter */
2340 	if (bprm->called_set_creds)
2341 		return 0;
2342 
2343 	old_tsec = selinux_cred(current_cred());
2344 	new_tsec = selinux_cred(bprm->cred);
2345 	isec = inode_security(inode);
2346 
2347 	/* Default to the current task SID. */
2348 	new_tsec->sid = old_tsec->sid;
2349 	new_tsec->osid = old_tsec->sid;
2350 
2351 	/* Reset fs, key, and sock SIDs on execve. */
2352 	new_tsec->create_sid = 0;
2353 	new_tsec->keycreate_sid = 0;
2354 	new_tsec->sockcreate_sid = 0;
2355 
2356 	if (old_tsec->exec_sid) {
2357 		new_tsec->sid = old_tsec->exec_sid;
2358 		/* Reset exec SID on execve. */
2359 		new_tsec->exec_sid = 0;
2360 
2361 		/* Fail on NNP or nosuid if not an allowed transition. */
2362 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 		if (rc)
2364 			return rc;
2365 	} else {
2366 		/* Check for a default transition on this program. */
2367 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368 					     isec->sid, SECCLASS_PROCESS, NULL,
2369 					     &new_tsec->sid);
2370 		if (rc)
2371 			return rc;
2372 
2373 		/*
2374 		 * Fallback to old SID on NNP or nosuid if not an allowed
2375 		 * transition.
2376 		 */
2377 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 		if (rc)
2379 			new_tsec->sid = old_tsec->sid;
2380 	}
2381 
2382 	ad.type = LSM_AUDIT_DATA_FILE;
2383 	ad.u.file = bprm->file;
2384 
2385 	if (new_tsec->sid == old_tsec->sid) {
2386 		rc = avc_has_perm(&selinux_state,
2387 				  old_tsec->sid, isec->sid,
2388 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389 		if (rc)
2390 			return rc;
2391 	} else {
2392 		/* Check permissions for the transition. */
2393 		rc = avc_has_perm(&selinux_state,
2394 				  old_tsec->sid, new_tsec->sid,
2395 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396 		if (rc)
2397 			return rc;
2398 
2399 		rc = avc_has_perm(&selinux_state,
2400 				  new_tsec->sid, isec->sid,
2401 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402 		if (rc)
2403 			return rc;
2404 
2405 		/* Check for shared state */
2406 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2407 			rc = avc_has_perm(&selinux_state,
2408 					  old_tsec->sid, new_tsec->sid,
2409 					  SECCLASS_PROCESS, PROCESS__SHARE,
2410 					  NULL);
2411 			if (rc)
2412 				return -EPERM;
2413 		}
2414 
2415 		/* Make sure that anyone attempting to ptrace over a task that
2416 		 * changes its SID has the appropriate permit */
2417 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2418 			u32 ptsid = ptrace_parent_sid();
2419 			if (ptsid != 0) {
2420 				rc = avc_has_perm(&selinux_state,
2421 						  ptsid, new_tsec->sid,
2422 						  SECCLASS_PROCESS,
2423 						  PROCESS__PTRACE, NULL);
2424 				if (rc)
2425 					return -EPERM;
2426 			}
2427 		}
2428 
2429 		/* Clear any possibly unsafe personality bits on exec: */
2430 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2431 
2432 		/* Enable secure mode for SIDs transitions unless
2433 		   the noatsecure permission is granted between
2434 		   the two SIDs, i.e. ahp returns 0. */
2435 		rc = avc_has_perm(&selinux_state,
2436 				  old_tsec->sid, new_tsec->sid,
2437 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438 				  NULL);
2439 		bprm->secureexec |= !!rc;
2440 	}
2441 
2442 	return 0;
2443 }
2444 
2445 static int match_file(const void *p, struct file *file, unsigned fd)
2446 {
2447 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448 }
2449 
2450 /* Derived from fs/exec.c:flush_old_files. */
2451 static inline void flush_unauthorized_files(const struct cred *cred,
2452 					    struct files_struct *files)
2453 {
2454 	struct file *file, *devnull = NULL;
2455 	struct tty_struct *tty;
2456 	int drop_tty = 0;
2457 	unsigned n;
2458 
2459 	tty = get_current_tty();
2460 	if (tty) {
2461 		spin_lock(&tty->files_lock);
2462 		if (!list_empty(&tty->tty_files)) {
2463 			struct tty_file_private *file_priv;
2464 
2465 			/* Revalidate access to controlling tty.
2466 			   Use file_path_has_perm on the tty path directly
2467 			   rather than using file_has_perm, as this particular
2468 			   open file may belong to another process and we are
2469 			   only interested in the inode-based check here. */
2470 			file_priv = list_first_entry(&tty->tty_files,
2471 						struct tty_file_private, list);
2472 			file = file_priv->file;
2473 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2474 				drop_tty = 1;
2475 		}
2476 		spin_unlock(&tty->files_lock);
2477 		tty_kref_put(tty);
2478 	}
2479 	/* Reset controlling tty. */
2480 	if (drop_tty)
2481 		no_tty();
2482 
2483 	/* Revalidate access to inherited open files. */
2484 	n = iterate_fd(files, 0, match_file, cred);
2485 	if (!n) /* none found? */
2486 		return;
2487 
2488 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2489 	if (IS_ERR(devnull))
2490 		devnull = NULL;
2491 	/* replace all the matching ones with this */
2492 	do {
2493 		replace_fd(n - 1, devnull, 0);
2494 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495 	if (devnull)
2496 		fput(devnull);
2497 }
2498 
2499 /*
2500  * Prepare a process for imminent new credential changes due to exec
2501  */
2502 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2503 {
2504 	struct task_security_struct *new_tsec;
2505 	struct rlimit *rlim, *initrlim;
2506 	int rc, i;
2507 
2508 	new_tsec = selinux_cred(bprm->cred);
2509 	if (new_tsec->sid == new_tsec->osid)
2510 		return;
2511 
2512 	/* Close files for which the new task SID is not authorized. */
2513 	flush_unauthorized_files(bprm->cred, current->files);
2514 
2515 	/* Always clear parent death signal on SID transitions. */
2516 	current->pdeath_signal = 0;
2517 
2518 	/* Check whether the new SID can inherit resource limits from the old
2519 	 * SID.  If not, reset all soft limits to the lower of the current
2520 	 * task's hard limit and the init task's soft limit.
2521 	 *
2522 	 * Note that the setting of hard limits (even to lower them) can be
2523 	 * controlled by the setrlimit check.  The inclusion of the init task's
2524 	 * soft limit into the computation is to avoid resetting soft limits
2525 	 * higher than the default soft limit for cases where the default is
2526 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527 	 */
2528 	rc = avc_has_perm(&selinux_state,
2529 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2530 			  PROCESS__RLIMITINH, NULL);
2531 	if (rc) {
2532 		/* protect against do_prlimit() */
2533 		task_lock(current);
2534 		for (i = 0; i < RLIM_NLIMITS; i++) {
2535 			rlim = current->signal->rlim + i;
2536 			initrlim = init_task.signal->rlim + i;
2537 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2538 		}
2539 		task_unlock(current);
2540 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2542 	}
2543 }
2544 
2545 /*
2546  * Clean up the process immediately after the installation of new credentials
2547  * due to exec
2548  */
2549 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2550 {
2551 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2552 	struct itimerval itimer;
2553 	u32 osid, sid;
2554 	int rc, i;
2555 
2556 	osid = tsec->osid;
2557 	sid = tsec->sid;
2558 
2559 	if (sid == osid)
2560 		return;
2561 
2562 	/* Check whether the new SID can inherit signal state from the old SID.
2563 	 * If not, clear itimers to avoid subsequent signal generation and
2564 	 * flush and unblock signals.
2565 	 *
2566 	 * This must occur _after_ the task SID has been updated so that any
2567 	 * kill done after the flush will be checked against the new SID.
2568 	 */
2569 	rc = avc_has_perm(&selinux_state,
2570 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2571 	if (rc) {
2572 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2573 			memset(&itimer, 0, sizeof itimer);
2574 			for (i = 0; i < 3; i++)
2575 				do_setitimer(i, &itimer, NULL);
2576 		}
2577 		spin_lock_irq(&current->sighand->siglock);
2578 		if (!fatal_signal_pending(current)) {
2579 			flush_sigqueue(&current->pending);
2580 			flush_sigqueue(&current->signal->shared_pending);
2581 			flush_signal_handlers(current, 1);
2582 			sigemptyset(&current->blocked);
2583 			recalc_sigpending();
2584 		}
2585 		spin_unlock_irq(&current->sighand->siglock);
2586 	}
2587 
2588 	/* Wake up the parent if it is waiting so that it can recheck
2589 	 * wait permission to the new task SID. */
2590 	read_lock(&tasklist_lock);
2591 	__wake_up_parent(current, current->real_parent);
2592 	read_unlock(&tasklist_lock);
2593 }
2594 
2595 /* superblock security operations */
2596 
2597 static int selinux_sb_alloc_security(struct super_block *sb)
2598 {
2599 	return superblock_alloc_security(sb);
2600 }
2601 
2602 static void selinux_sb_free_security(struct super_block *sb)
2603 {
2604 	superblock_free_security(sb);
2605 }
2606 
2607 static inline int opt_len(const char *s)
2608 {
2609 	bool open_quote = false;
2610 	int len;
2611 	char c;
2612 
2613 	for (len = 0; (c = s[len]) != '\0'; len++) {
2614 		if (c == '"')
2615 			open_quote = !open_quote;
2616 		if (c == ',' && !open_quote)
2617 			break;
2618 	}
2619 	return len;
2620 }
2621 
2622 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2623 {
2624 	char *from = options;
2625 	char *to = options;
2626 	bool first = true;
2627 	int rc;
2628 
2629 	while (1) {
2630 		int len = opt_len(from);
2631 		int token;
2632 		char *arg = NULL;
2633 
2634 		token = match_opt_prefix(from, len, &arg);
2635 
2636 		if (token != Opt_error) {
2637 			char *p, *q;
2638 
2639 			/* strip quotes */
2640 			if (arg) {
2641 				for (p = q = arg; p < from + len; p++) {
2642 					char c = *p;
2643 					if (c != '"')
2644 						*q++ = c;
2645 				}
2646 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2647 				if (!arg) {
2648 					rc = -ENOMEM;
2649 					goto free_opt;
2650 				}
2651 			}
2652 			rc = selinux_add_opt(token, arg, mnt_opts);
2653 			if (unlikely(rc)) {
2654 				kfree(arg);
2655 				goto free_opt;
2656 			}
2657 		} else {
2658 			if (!first) {	// copy with preceding comma
2659 				from--;
2660 				len++;
2661 			}
2662 			if (to != from)
2663 				memmove(to, from, len);
2664 			to += len;
2665 			first = false;
2666 		}
2667 		if (!from[len])
2668 			break;
2669 		from += len + 1;
2670 	}
2671 	*to = '\0';
2672 	return 0;
2673 
2674 free_opt:
2675 	if (*mnt_opts) {
2676 		selinux_free_mnt_opts(*mnt_opts);
2677 		*mnt_opts = NULL;
2678 	}
2679 	return rc;
2680 }
2681 
2682 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2683 {
2684 	struct selinux_mnt_opts *opts = mnt_opts;
2685 	struct superblock_security_struct *sbsec = sb->s_security;
2686 	u32 sid;
2687 	int rc;
2688 
2689 	if (!(sbsec->flags & SE_SBINITIALIZED))
2690 		return 0;
2691 
2692 	if (!opts)
2693 		return 0;
2694 
2695 	if (opts->fscontext) {
2696 		rc = parse_sid(sb, opts->fscontext, &sid);
2697 		if (rc)
2698 			return rc;
2699 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2700 			goto out_bad_option;
2701 	}
2702 	if (opts->context) {
2703 		rc = parse_sid(sb, opts->context, &sid);
2704 		if (rc)
2705 			return rc;
2706 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2707 			goto out_bad_option;
2708 	}
2709 	if (opts->rootcontext) {
2710 		struct inode_security_struct *root_isec;
2711 		root_isec = backing_inode_security(sb->s_root);
2712 		rc = parse_sid(sb, opts->rootcontext, &sid);
2713 		if (rc)
2714 			return rc;
2715 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2716 			goto out_bad_option;
2717 	}
2718 	if (opts->defcontext) {
2719 		rc = parse_sid(sb, opts->defcontext, &sid);
2720 		if (rc)
2721 			return rc;
2722 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2723 			goto out_bad_option;
2724 	}
2725 	return 0;
2726 
2727 out_bad_option:
2728 	pr_warn("SELinux: unable to change security options "
2729 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2730 	       sb->s_type->name);
2731 	return -EINVAL;
2732 }
2733 
2734 static int selinux_sb_kern_mount(struct super_block *sb)
2735 {
2736 	const struct cred *cred = current_cred();
2737 	struct common_audit_data ad;
2738 
2739 	ad.type = LSM_AUDIT_DATA_DENTRY;
2740 	ad.u.dentry = sb->s_root;
2741 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2742 }
2743 
2744 static int selinux_sb_statfs(struct dentry *dentry)
2745 {
2746 	const struct cred *cred = current_cred();
2747 	struct common_audit_data ad;
2748 
2749 	ad.type = LSM_AUDIT_DATA_DENTRY;
2750 	ad.u.dentry = dentry->d_sb->s_root;
2751 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2752 }
2753 
2754 static int selinux_mount(const char *dev_name,
2755 			 const struct path *path,
2756 			 const char *type,
2757 			 unsigned long flags,
2758 			 void *data)
2759 {
2760 	const struct cred *cred = current_cred();
2761 
2762 	if (flags & MS_REMOUNT)
2763 		return superblock_has_perm(cred, path->dentry->d_sb,
2764 					   FILESYSTEM__REMOUNT, NULL);
2765 	else
2766 		return path_has_perm(cred, path, FILE__MOUNTON);
2767 }
2768 
2769 static int selinux_umount(struct vfsmount *mnt, int flags)
2770 {
2771 	const struct cred *cred = current_cred();
2772 
2773 	return superblock_has_perm(cred, mnt->mnt_sb,
2774 				   FILESYSTEM__UNMOUNT, NULL);
2775 }
2776 
2777 static int selinux_fs_context_dup(struct fs_context *fc,
2778 				  struct fs_context *src_fc)
2779 {
2780 	const struct selinux_mnt_opts *src = src_fc->security;
2781 	struct selinux_mnt_opts *opts;
2782 
2783 	if (!src)
2784 		return 0;
2785 
2786 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2787 	if (!fc->security)
2788 		return -ENOMEM;
2789 
2790 	opts = fc->security;
2791 
2792 	if (src->fscontext) {
2793 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2794 		if (!opts->fscontext)
2795 			return -ENOMEM;
2796 	}
2797 	if (src->context) {
2798 		opts->context = kstrdup(src->context, GFP_KERNEL);
2799 		if (!opts->context)
2800 			return -ENOMEM;
2801 	}
2802 	if (src->rootcontext) {
2803 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2804 		if (!opts->rootcontext)
2805 			return -ENOMEM;
2806 	}
2807 	if (src->defcontext) {
2808 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2809 		if (!opts->defcontext)
2810 			return -ENOMEM;
2811 	}
2812 	return 0;
2813 }
2814 
2815 static const struct fs_parameter_spec selinux_param_specs[] = {
2816 	fsparam_string(CONTEXT_STR,	Opt_context),
2817 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2818 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2819 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2820 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2821 	{}
2822 };
2823 
2824 static const struct fs_parameter_description selinux_fs_parameters = {
2825 	.name		= "SELinux",
2826 	.specs		= selinux_param_specs,
2827 };
2828 
2829 static int selinux_fs_context_parse_param(struct fs_context *fc,
2830 					  struct fs_parameter *param)
2831 {
2832 	struct fs_parse_result result;
2833 	int opt, rc;
2834 
2835 	opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2836 	if (opt < 0)
2837 		return opt;
2838 
2839 	rc = selinux_add_opt(opt, param->string, &fc->security);
2840 	if (!rc) {
2841 		param->string = NULL;
2842 		rc = 1;
2843 	}
2844 	return rc;
2845 }
2846 
2847 /* inode security operations */
2848 
2849 static int selinux_inode_alloc_security(struct inode *inode)
2850 {
2851 	return inode_alloc_security(inode);
2852 }
2853 
2854 static void selinux_inode_free_security(struct inode *inode)
2855 {
2856 	inode_free_security(inode);
2857 }
2858 
2859 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2860 					const struct qstr *name, void **ctx,
2861 					u32 *ctxlen)
2862 {
2863 	u32 newsid;
2864 	int rc;
2865 
2866 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2867 					   d_inode(dentry->d_parent), name,
2868 					   inode_mode_to_security_class(mode),
2869 					   &newsid);
2870 	if (rc)
2871 		return rc;
2872 
2873 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2874 				       ctxlen);
2875 }
2876 
2877 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2878 					  struct qstr *name,
2879 					  const struct cred *old,
2880 					  struct cred *new)
2881 {
2882 	u32 newsid;
2883 	int rc;
2884 	struct task_security_struct *tsec;
2885 
2886 	rc = selinux_determine_inode_label(selinux_cred(old),
2887 					   d_inode(dentry->d_parent), name,
2888 					   inode_mode_to_security_class(mode),
2889 					   &newsid);
2890 	if (rc)
2891 		return rc;
2892 
2893 	tsec = selinux_cred(new);
2894 	tsec->create_sid = newsid;
2895 	return 0;
2896 }
2897 
2898 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2899 				       const struct qstr *qstr,
2900 				       const char **name,
2901 				       void **value, size_t *len)
2902 {
2903 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2904 	struct superblock_security_struct *sbsec;
2905 	u32 newsid, clen;
2906 	int rc;
2907 	char *context;
2908 
2909 	sbsec = dir->i_sb->s_security;
2910 
2911 	newsid = tsec->create_sid;
2912 
2913 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2914 		dir, qstr,
2915 		inode_mode_to_security_class(inode->i_mode),
2916 		&newsid);
2917 	if (rc)
2918 		return rc;
2919 
2920 	/* Possibly defer initialization to selinux_complete_init. */
2921 	if (sbsec->flags & SE_SBINITIALIZED) {
2922 		struct inode_security_struct *isec = selinux_inode(inode);
2923 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2924 		isec->sid = newsid;
2925 		isec->initialized = LABEL_INITIALIZED;
2926 	}
2927 
2928 	if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2929 		return -EOPNOTSUPP;
2930 
2931 	if (name)
2932 		*name = XATTR_SELINUX_SUFFIX;
2933 
2934 	if (value && len) {
2935 		rc = security_sid_to_context_force(&selinux_state, newsid,
2936 						   &context, &clen);
2937 		if (rc)
2938 			return rc;
2939 		*value = context;
2940 		*len = clen;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
2946 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2947 {
2948 	return may_create(dir, dentry, SECCLASS_FILE);
2949 }
2950 
2951 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2952 {
2953 	return may_link(dir, old_dentry, MAY_LINK);
2954 }
2955 
2956 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2957 {
2958 	return may_link(dir, dentry, MAY_UNLINK);
2959 }
2960 
2961 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2962 {
2963 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2964 }
2965 
2966 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2967 {
2968 	return may_create(dir, dentry, SECCLASS_DIR);
2969 }
2970 
2971 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2972 {
2973 	return may_link(dir, dentry, MAY_RMDIR);
2974 }
2975 
2976 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2977 {
2978 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2979 }
2980 
2981 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2982 				struct inode *new_inode, struct dentry *new_dentry)
2983 {
2984 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2985 }
2986 
2987 static int selinux_inode_readlink(struct dentry *dentry)
2988 {
2989 	const struct cred *cred = current_cred();
2990 
2991 	return dentry_has_perm(cred, dentry, FILE__READ);
2992 }
2993 
2994 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2995 				     bool rcu)
2996 {
2997 	const struct cred *cred = current_cred();
2998 	struct common_audit_data ad;
2999 	struct inode_security_struct *isec;
3000 	u32 sid;
3001 
3002 	validate_creds(cred);
3003 
3004 	ad.type = LSM_AUDIT_DATA_DENTRY;
3005 	ad.u.dentry = dentry;
3006 	sid = cred_sid(cred);
3007 	isec = inode_security_rcu(inode, rcu);
3008 	if (IS_ERR(isec))
3009 		return PTR_ERR(isec);
3010 
3011 	return avc_has_perm(&selinux_state,
3012 			    sid, isec->sid, isec->sclass, FILE__READ, &ad);
3013 }
3014 
3015 static noinline int audit_inode_permission(struct inode *inode,
3016 					   u32 perms, u32 audited, u32 denied,
3017 					   int result,
3018 					   unsigned flags)
3019 {
3020 	struct common_audit_data ad;
3021 	struct inode_security_struct *isec = selinux_inode(inode);
3022 	int rc;
3023 
3024 	ad.type = LSM_AUDIT_DATA_INODE;
3025 	ad.u.inode = inode;
3026 
3027 	rc = slow_avc_audit(&selinux_state,
3028 			    current_sid(), isec->sid, isec->sclass, perms,
3029 			    audited, denied, result, &ad, flags);
3030 	if (rc)
3031 		return rc;
3032 	return 0;
3033 }
3034 
3035 static int selinux_inode_permission(struct inode *inode, int mask)
3036 {
3037 	const struct cred *cred = current_cred();
3038 	u32 perms;
3039 	bool from_access;
3040 	unsigned flags = mask & MAY_NOT_BLOCK;
3041 	struct inode_security_struct *isec;
3042 	u32 sid;
3043 	struct av_decision avd;
3044 	int rc, rc2;
3045 	u32 audited, denied;
3046 
3047 	from_access = mask & MAY_ACCESS;
3048 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3049 
3050 	/* No permission to check.  Existence test. */
3051 	if (!mask)
3052 		return 0;
3053 
3054 	validate_creds(cred);
3055 
3056 	if (unlikely(IS_PRIVATE(inode)))
3057 		return 0;
3058 
3059 	perms = file_mask_to_av(inode->i_mode, mask);
3060 
3061 	sid = cred_sid(cred);
3062 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3063 	if (IS_ERR(isec))
3064 		return PTR_ERR(isec);
3065 
3066 	rc = avc_has_perm_noaudit(&selinux_state,
3067 				  sid, isec->sid, isec->sclass, perms,
3068 				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3069 				  &avd);
3070 	audited = avc_audit_required(perms, &avd, rc,
3071 				     from_access ? FILE__AUDIT_ACCESS : 0,
3072 				     &denied);
3073 	if (likely(!audited))
3074 		return rc;
3075 
3076 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3077 	if (rc2)
3078 		return rc2;
3079 	return rc;
3080 }
3081 
3082 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3083 {
3084 	const struct cred *cred = current_cred();
3085 	struct inode *inode = d_backing_inode(dentry);
3086 	unsigned int ia_valid = iattr->ia_valid;
3087 	__u32 av = FILE__WRITE;
3088 
3089 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3090 	if (ia_valid & ATTR_FORCE) {
3091 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3092 			      ATTR_FORCE);
3093 		if (!ia_valid)
3094 			return 0;
3095 	}
3096 
3097 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3098 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3099 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3100 
3101 	if (selinux_policycap_openperm() &&
3102 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3103 	    (ia_valid & ATTR_SIZE) &&
3104 	    !(ia_valid & ATTR_FILE))
3105 		av |= FILE__OPEN;
3106 
3107 	return dentry_has_perm(cred, dentry, av);
3108 }
3109 
3110 static int selinux_inode_getattr(const struct path *path)
3111 {
3112 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3113 }
3114 
3115 static bool has_cap_mac_admin(bool audit)
3116 {
3117 	const struct cred *cred = current_cred();
3118 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3119 
3120 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3121 		return false;
3122 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3123 		return false;
3124 	return true;
3125 }
3126 
3127 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3128 				  const void *value, size_t size, int flags)
3129 {
3130 	struct inode *inode = d_backing_inode(dentry);
3131 	struct inode_security_struct *isec;
3132 	struct superblock_security_struct *sbsec;
3133 	struct common_audit_data ad;
3134 	u32 newsid, sid = current_sid();
3135 	int rc = 0;
3136 
3137 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3138 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3139 		if (rc)
3140 			return rc;
3141 
3142 		/* Not an attribute we recognize, so just check the
3143 		   ordinary setattr permission. */
3144 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3145 	}
3146 
3147 	sbsec = inode->i_sb->s_security;
3148 	if (!(sbsec->flags & SBLABEL_MNT))
3149 		return -EOPNOTSUPP;
3150 
3151 	if (!inode_owner_or_capable(inode))
3152 		return -EPERM;
3153 
3154 	ad.type = LSM_AUDIT_DATA_DENTRY;
3155 	ad.u.dentry = dentry;
3156 
3157 	isec = backing_inode_security(dentry);
3158 	rc = avc_has_perm(&selinux_state,
3159 			  sid, isec->sid, isec->sclass,
3160 			  FILE__RELABELFROM, &ad);
3161 	if (rc)
3162 		return rc;
3163 
3164 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3165 				     GFP_KERNEL);
3166 	if (rc == -EINVAL) {
3167 		if (!has_cap_mac_admin(true)) {
3168 			struct audit_buffer *ab;
3169 			size_t audit_size;
3170 
3171 			/* We strip a nul only if it is at the end, otherwise the
3172 			 * context contains a nul and we should audit that */
3173 			if (value) {
3174 				const char *str = value;
3175 
3176 				if (str[size - 1] == '\0')
3177 					audit_size = size - 1;
3178 				else
3179 					audit_size = size;
3180 			} else {
3181 				audit_size = 0;
3182 			}
3183 			ab = audit_log_start(audit_context(),
3184 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3185 			audit_log_format(ab, "op=setxattr invalid_context=");
3186 			audit_log_n_untrustedstring(ab, value, audit_size);
3187 			audit_log_end(ab);
3188 
3189 			return rc;
3190 		}
3191 		rc = security_context_to_sid_force(&selinux_state, value,
3192 						   size, &newsid);
3193 	}
3194 	if (rc)
3195 		return rc;
3196 
3197 	rc = avc_has_perm(&selinux_state,
3198 			  sid, newsid, isec->sclass,
3199 			  FILE__RELABELTO, &ad);
3200 	if (rc)
3201 		return rc;
3202 
3203 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3204 					  sid, isec->sclass);
3205 	if (rc)
3206 		return rc;
3207 
3208 	return avc_has_perm(&selinux_state,
3209 			    newsid,
3210 			    sbsec->sid,
3211 			    SECCLASS_FILESYSTEM,
3212 			    FILESYSTEM__ASSOCIATE,
3213 			    &ad);
3214 }
3215 
3216 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3217 					const void *value, size_t size,
3218 					int flags)
3219 {
3220 	struct inode *inode = d_backing_inode(dentry);
3221 	struct inode_security_struct *isec;
3222 	u32 newsid;
3223 	int rc;
3224 
3225 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3226 		/* Not an attribute we recognize, so nothing to do. */
3227 		return;
3228 	}
3229 
3230 	rc = security_context_to_sid_force(&selinux_state, value, size,
3231 					   &newsid);
3232 	if (rc) {
3233 		pr_err("SELinux:  unable to map context to SID"
3234 		       "for (%s, %lu), rc=%d\n",
3235 		       inode->i_sb->s_id, inode->i_ino, -rc);
3236 		return;
3237 	}
3238 
3239 	isec = backing_inode_security(dentry);
3240 	spin_lock(&isec->lock);
3241 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3242 	isec->sid = newsid;
3243 	isec->initialized = LABEL_INITIALIZED;
3244 	spin_unlock(&isec->lock);
3245 
3246 	return;
3247 }
3248 
3249 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3250 {
3251 	const struct cred *cred = current_cred();
3252 
3253 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3254 }
3255 
3256 static int selinux_inode_listxattr(struct dentry *dentry)
3257 {
3258 	const struct cred *cred = current_cred();
3259 
3260 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3261 }
3262 
3263 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3264 {
3265 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3266 		int rc = cap_inode_removexattr(dentry, name);
3267 		if (rc)
3268 			return rc;
3269 
3270 		/* Not an attribute we recognize, so just check the
3271 		   ordinary setattr permission. */
3272 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3273 	}
3274 
3275 	/* No one is allowed to remove a SELinux security label.
3276 	   You can change the label, but all data must be labeled. */
3277 	return -EACCES;
3278 }
3279 
3280 static int selinux_path_notify(const struct path *path, u64 mask,
3281 						unsigned int obj_type)
3282 {
3283 	int ret;
3284 	u32 perm;
3285 
3286 	struct common_audit_data ad;
3287 
3288 	ad.type = LSM_AUDIT_DATA_PATH;
3289 	ad.u.path = *path;
3290 
3291 	/*
3292 	 * Set permission needed based on the type of mark being set.
3293 	 * Performs an additional check for sb watches.
3294 	 */
3295 	switch (obj_type) {
3296 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3297 		perm = FILE__WATCH_MOUNT;
3298 		break;
3299 	case FSNOTIFY_OBJ_TYPE_SB:
3300 		perm = FILE__WATCH_SB;
3301 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3302 						FILESYSTEM__WATCH, &ad);
3303 		if (ret)
3304 			return ret;
3305 		break;
3306 	case FSNOTIFY_OBJ_TYPE_INODE:
3307 		perm = FILE__WATCH;
3308 		break;
3309 	default:
3310 		return -EINVAL;
3311 	}
3312 
3313 	/* blocking watches require the file:watch_with_perm permission */
3314 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3315 		perm |= FILE__WATCH_WITH_PERM;
3316 
3317 	/* watches on read-like events need the file:watch_reads permission */
3318 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3319 		perm |= FILE__WATCH_READS;
3320 
3321 	return path_has_perm(current_cred(), path, perm);
3322 }
3323 
3324 /*
3325  * Copy the inode security context value to the user.
3326  *
3327  * Permission check is handled by selinux_inode_getxattr hook.
3328  */
3329 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3330 {
3331 	u32 size;
3332 	int error;
3333 	char *context = NULL;
3334 	struct inode_security_struct *isec;
3335 
3336 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3337 		return -EOPNOTSUPP;
3338 
3339 	/*
3340 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3341 	 * value even if it is not defined by current policy; otherwise,
3342 	 * use the in-core value under current policy.
3343 	 * Use the non-auditing forms of the permission checks since
3344 	 * getxattr may be called by unprivileged processes commonly
3345 	 * and lack of permission just means that we fall back to the
3346 	 * in-core context value, not a denial.
3347 	 */
3348 	isec = inode_security(inode);
3349 	if (has_cap_mac_admin(false))
3350 		error = security_sid_to_context_force(&selinux_state,
3351 						      isec->sid, &context,
3352 						      &size);
3353 	else
3354 		error = security_sid_to_context(&selinux_state, isec->sid,
3355 						&context, &size);
3356 	if (error)
3357 		return error;
3358 	error = size;
3359 	if (alloc) {
3360 		*buffer = context;
3361 		goto out_nofree;
3362 	}
3363 	kfree(context);
3364 out_nofree:
3365 	return error;
3366 }
3367 
3368 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3369 				     const void *value, size_t size, int flags)
3370 {
3371 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3372 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3373 	u32 newsid;
3374 	int rc;
3375 
3376 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3377 		return -EOPNOTSUPP;
3378 
3379 	if (!(sbsec->flags & SBLABEL_MNT))
3380 		return -EOPNOTSUPP;
3381 
3382 	if (!value || !size)
3383 		return -EACCES;
3384 
3385 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3386 				     GFP_KERNEL);
3387 	if (rc)
3388 		return rc;
3389 
3390 	spin_lock(&isec->lock);
3391 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3392 	isec->sid = newsid;
3393 	isec->initialized = LABEL_INITIALIZED;
3394 	spin_unlock(&isec->lock);
3395 	return 0;
3396 }
3397 
3398 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3399 {
3400 	const int len = sizeof(XATTR_NAME_SELINUX);
3401 	if (buffer && len <= buffer_size)
3402 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3403 	return len;
3404 }
3405 
3406 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3407 {
3408 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3409 	*secid = isec->sid;
3410 }
3411 
3412 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3413 {
3414 	u32 sid;
3415 	struct task_security_struct *tsec;
3416 	struct cred *new_creds = *new;
3417 
3418 	if (new_creds == NULL) {
3419 		new_creds = prepare_creds();
3420 		if (!new_creds)
3421 			return -ENOMEM;
3422 	}
3423 
3424 	tsec = selinux_cred(new_creds);
3425 	/* Get label from overlay inode and set it in create_sid */
3426 	selinux_inode_getsecid(d_inode(src), &sid);
3427 	tsec->create_sid = sid;
3428 	*new = new_creds;
3429 	return 0;
3430 }
3431 
3432 static int selinux_inode_copy_up_xattr(const char *name)
3433 {
3434 	/* The copy_up hook above sets the initial context on an inode, but we
3435 	 * don't then want to overwrite it by blindly copying all the lower
3436 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3437 	 */
3438 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3439 		return 1; /* Discard */
3440 	/*
3441 	 * Any other attribute apart from SELINUX is not claimed, supported
3442 	 * by selinux.
3443 	 */
3444 	return -EOPNOTSUPP;
3445 }
3446 
3447 /* kernfs node operations */
3448 
3449 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3450 					struct kernfs_node *kn)
3451 {
3452 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3453 	u32 parent_sid, newsid, clen;
3454 	int rc;
3455 	char *context;
3456 
3457 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3458 	if (rc == -ENODATA)
3459 		return 0;
3460 	else if (rc < 0)
3461 		return rc;
3462 
3463 	clen = (u32)rc;
3464 	context = kmalloc(clen, GFP_KERNEL);
3465 	if (!context)
3466 		return -ENOMEM;
3467 
3468 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3469 	if (rc < 0) {
3470 		kfree(context);
3471 		return rc;
3472 	}
3473 
3474 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3475 				     GFP_KERNEL);
3476 	kfree(context);
3477 	if (rc)
3478 		return rc;
3479 
3480 	if (tsec->create_sid) {
3481 		newsid = tsec->create_sid;
3482 	} else {
3483 		u16 secclass = inode_mode_to_security_class(kn->mode);
3484 		struct qstr q;
3485 
3486 		q.name = kn->name;
3487 		q.hash_len = hashlen_string(kn_dir, kn->name);
3488 
3489 		rc = security_transition_sid(&selinux_state, tsec->sid,
3490 					     parent_sid, secclass, &q,
3491 					     &newsid);
3492 		if (rc)
3493 			return rc;
3494 	}
3495 
3496 	rc = security_sid_to_context_force(&selinux_state, newsid,
3497 					   &context, &clen);
3498 	if (rc)
3499 		return rc;
3500 
3501 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3502 			      XATTR_CREATE);
3503 	kfree(context);
3504 	return rc;
3505 }
3506 
3507 
3508 /* file security operations */
3509 
3510 static int selinux_revalidate_file_permission(struct file *file, int mask)
3511 {
3512 	const struct cred *cred = current_cred();
3513 	struct inode *inode = file_inode(file);
3514 
3515 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3516 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3517 		mask |= MAY_APPEND;
3518 
3519 	return file_has_perm(cred, file,
3520 			     file_mask_to_av(inode->i_mode, mask));
3521 }
3522 
3523 static int selinux_file_permission(struct file *file, int mask)
3524 {
3525 	struct inode *inode = file_inode(file);
3526 	struct file_security_struct *fsec = selinux_file(file);
3527 	struct inode_security_struct *isec;
3528 	u32 sid = current_sid();
3529 
3530 	if (!mask)
3531 		/* No permission to check.  Existence test. */
3532 		return 0;
3533 
3534 	isec = inode_security(inode);
3535 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3536 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3537 		/* No change since file_open check. */
3538 		return 0;
3539 
3540 	return selinux_revalidate_file_permission(file, mask);
3541 }
3542 
3543 static int selinux_file_alloc_security(struct file *file)
3544 {
3545 	return file_alloc_security(file);
3546 }
3547 
3548 /*
3549  * Check whether a task has the ioctl permission and cmd
3550  * operation to an inode.
3551  */
3552 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3553 		u32 requested, u16 cmd)
3554 {
3555 	struct common_audit_data ad;
3556 	struct file_security_struct *fsec = selinux_file(file);
3557 	struct inode *inode = file_inode(file);
3558 	struct inode_security_struct *isec;
3559 	struct lsm_ioctlop_audit ioctl;
3560 	u32 ssid = cred_sid(cred);
3561 	int rc;
3562 	u8 driver = cmd >> 8;
3563 	u8 xperm = cmd & 0xff;
3564 
3565 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3566 	ad.u.op = &ioctl;
3567 	ad.u.op->cmd = cmd;
3568 	ad.u.op->path = file->f_path;
3569 
3570 	if (ssid != fsec->sid) {
3571 		rc = avc_has_perm(&selinux_state,
3572 				  ssid, fsec->sid,
3573 				SECCLASS_FD,
3574 				FD__USE,
3575 				&ad);
3576 		if (rc)
3577 			goto out;
3578 	}
3579 
3580 	if (unlikely(IS_PRIVATE(inode)))
3581 		return 0;
3582 
3583 	isec = inode_security(inode);
3584 	rc = avc_has_extended_perms(&selinux_state,
3585 				    ssid, isec->sid, isec->sclass,
3586 				    requested, driver, xperm, &ad);
3587 out:
3588 	return rc;
3589 }
3590 
3591 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3592 			      unsigned long arg)
3593 {
3594 	const struct cred *cred = current_cred();
3595 	int error = 0;
3596 
3597 	switch (cmd) {
3598 	case FIONREAD:
3599 	/* fall through */
3600 	case FIBMAP:
3601 	/* fall through */
3602 	case FIGETBSZ:
3603 	/* fall through */
3604 	case FS_IOC_GETFLAGS:
3605 	/* fall through */
3606 	case FS_IOC_GETVERSION:
3607 		error = file_has_perm(cred, file, FILE__GETATTR);
3608 		break;
3609 
3610 	case FS_IOC_SETFLAGS:
3611 	/* fall through */
3612 	case FS_IOC_SETVERSION:
3613 		error = file_has_perm(cred, file, FILE__SETATTR);
3614 		break;
3615 
3616 	/* sys_ioctl() checks */
3617 	case FIONBIO:
3618 	/* fall through */
3619 	case FIOASYNC:
3620 		error = file_has_perm(cred, file, 0);
3621 		break;
3622 
3623 	case KDSKBENT:
3624 	case KDSKBSENT:
3625 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3626 					    CAP_OPT_NONE, true);
3627 		break;
3628 
3629 	/* default case assumes that the command will go
3630 	 * to the file's ioctl() function.
3631 	 */
3632 	default:
3633 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3634 	}
3635 	return error;
3636 }
3637 
3638 static int default_noexec;
3639 
3640 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3641 {
3642 	const struct cred *cred = current_cred();
3643 	u32 sid = cred_sid(cred);
3644 	int rc = 0;
3645 
3646 	if (default_noexec &&
3647 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3648 				   (!shared && (prot & PROT_WRITE)))) {
3649 		/*
3650 		 * We are making executable an anonymous mapping or a
3651 		 * private file mapping that will also be writable.
3652 		 * This has an additional check.
3653 		 */
3654 		rc = avc_has_perm(&selinux_state,
3655 				  sid, sid, SECCLASS_PROCESS,
3656 				  PROCESS__EXECMEM, NULL);
3657 		if (rc)
3658 			goto error;
3659 	}
3660 
3661 	if (file) {
3662 		/* read access is always possible with a mapping */
3663 		u32 av = FILE__READ;
3664 
3665 		/* write access only matters if the mapping is shared */
3666 		if (shared && (prot & PROT_WRITE))
3667 			av |= FILE__WRITE;
3668 
3669 		if (prot & PROT_EXEC)
3670 			av |= FILE__EXECUTE;
3671 
3672 		return file_has_perm(cred, file, av);
3673 	}
3674 
3675 error:
3676 	return rc;
3677 }
3678 
3679 static int selinux_mmap_addr(unsigned long addr)
3680 {
3681 	int rc = 0;
3682 
3683 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3684 		u32 sid = current_sid();
3685 		rc = avc_has_perm(&selinux_state,
3686 				  sid, sid, SECCLASS_MEMPROTECT,
3687 				  MEMPROTECT__MMAP_ZERO, NULL);
3688 	}
3689 
3690 	return rc;
3691 }
3692 
3693 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3694 			     unsigned long prot, unsigned long flags)
3695 {
3696 	struct common_audit_data ad;
3697 	int rc;
3698 
3699 	if (file) {
3700 		ad.type = LSM_AUDIT_DATA_FILE;
3701 		ad.u.file = file;
3702 		rc = inode_has_perm(current_cred(), file_inode(file),
3703 				    FILE__MAP, &ad);
3704 		if (rc)
3705 			return rc;
3706 	}
3707 
3708 	if (selinux_state.checkreqprot)
3709 		prot = reqprot;
3710 
3711 	return file_map_prot_check(file, prot,
3712 				   (flags & MAP_TYPE) == MAP_SHARED);
3713 }
3714 
3715 static int selinux_file_mprotect(struct vm_area_struct *vma,
3716 				 unsigned long reqprot,
3717 				 unsigned long prot)
3718 {
3719 	const struct cred *cred = current_cred();
3720 	u32 sid = cred_sid(cred);
3721 
3722 	if (selinux_state.checkreqprot)
3723 		prot = reqprot;
3724 
3725 	if (default_noexec &&
3726 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3727 		int rc = 0;
3728 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3729 		    vma->vm_end <= vma->vm_mm->brk) {
3730 			rc = avc_has_perm(&selinux_state,
3731 					  sid, sid, SECCLASS_PROCESS,
3732 					  PROCESS__EXECHEAP, NULL);
3733 		} else if (!vma->vm_file &&
3734 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3735 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3736 			    vma_is_stack_for_current(vma))) {
3737 			rc = avc_has_perm(&selinux_state,
3738 					  sid, sid, SECCLASS_PROCESS,
3739 					  PROCESS__EXECSTACK, NULL);
3740 		} else if (vma->vm_file && vma->anon_vma) {
3741 			/*
3742 			 * We are making executable a file mapping that has
3743 			 * had some COW done. Since pages might have been
3744 			 * written, check ability to execute the possibly
3745 			 * modified content.  This typically should only
3746 			 * occur for text relocations.
3747 			 */
3748 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3749 		}
3750 		if (rc)
3751 			return rc;
3752 	}
3753 
3754 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3755 }
3756 
3757 static int selinux_file_lock(struct file *file, unsigned int cmd)
3758 {
3759 	const struct cred *cred = current_cred();
3760 
3761 	return file_has_perm(cred, file, FILE__LOCK);
3762 }
3763 
3764 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3765 			      unsigned long arg)
3766 {
3767 	const struct cred *cred = current_cred();
3768 	int err = 0;
3769 
3770 	switch (cmd) {
3771 	case F_SETFL:
3772 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3773 			err = file_has_perm(cred, file, FILE__WRITE);
3774 			break;
3775 		}
3776 		/* fall through */
3777 	case F_SETOWN:
3778 	case F_SETSIG:
3779 	case F_GETFL:
3780 	case F_GETOWN:
3781 	case F_GETSIG:
3782 	case F_GETOWNER_UIDS:
3783 		/* Just check FD__USE permission */
3784 		err = file_has_perm(cred, file, 0);
3785 		break;
3786 	case F_GETLK:
3787 	case F_SETLK:
3788 	case F_SETLKW:
3789 	case F_OFD_GETLK:
3790 	case F_OFD_SETLK:
3791 	case F_OFD_SETLKW:
3792 #if BITS_PER_LONG == 32
3793 	case F_GETLK64:
3794 	case F_SETLK64:
3795 	case F_SETLKW64:
3796 #endif
3797 		err = file_has_perm(cred, file, FILE__LOCK);
3798 		break;
3799 	}
3800 
3801 	return err;
3802 }
3803 
3804 static void selinux_file_set_fowner(struct file *file)
3805 {
3806 	struct file_security_struct *fsec;
3807 
3808 	fsec = selinux_file(file);
3809 	fsec->fown_sid = current_sid();
3810 }
3811 
3812 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3813 				       struct fown_struct *fown, int signum)
3814 {
3815 	struct file *file;
3816 	u32 sid = task_sid(tsk);
3817 	u32 perm;
3818 	struct file_security_struct *fsec;
3819 
3820 	/* struct fown_struct is never outside the context of a struct file */
3821 	file = container_of(fown, struct file, f_owner);
3822 
3823 	fsec = selinux_file(file);
3824 
3825 	if (!signum)
3826 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3827 	else
3828 		perm = signal_to_av(signum);
3829 
3830 	return avc_has_perm(&selinux_state,
3831 			    fsec->fown_sid, sid,
3832 			    SECCLASS_PROCESS, perm, NULL);
3833 }
3834 
3835 static int selinux_file_receive(struct file *file)
3836 {
3837 	const struct cred *cred = current_cred();
3838 
3839 	return file_has_perm(cred, file, file_to_av(file));
3840 }
3841 
3842 static int selinux_file_open(struct file *file)
3843 {
3844 	struct file_security_struct *fsec;
3845 	struct inode_security_struct *isec;
3846 
3847 	fsec = selinux_file(file);
3848 	isec = inode_security(file_inode(file));
3849 	/*
3850 	 * Save inode label and policy sequence number
3851 	 * at open-time so that selinux_file_permission
3852 	 * can determine whether revalidation is necessary.
3853 	 * Task label is already saved in the file security
3854 	 * struct as its SID.
3855 	 */
3856 	fsec->isid = isec->sid;
3857 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3858 	/*
3859 	 * Since the inode label or policy seqno may have changed
3860 	 * between the selinux_inode_permission check and the saving
3861 	 * of state above, recheck that access is still permitted.
3862 	 * Otherwise, access might never be revalidated against the
3863 	 * new inode label or new policy.
3864 	 * This check is not redundant - do not remove.
3865 	 */
3866 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3867 }
3868 
3869 /* task security operations */
3870 
3871 static int selinux_task_alloc(struct task_struct *task,
3872 			      unsigned long clone_flags)
3873 {
3874 	u32 sid = current_sid();
3875 
3876 	return avc_has_perm(&selinux_state,
3877 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3878 }
3879 
3880 /*
3881  * prepare a new set of credentials for modification
3882  */
3883 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3884 				gfp_t gfp)
3885 {
3886 	const struct task_security_struct *old_tsec = selinux_cred(old);
3887 	struct task_security_struct *tsec = selinux_cred(new);
3888 
3889 	*tsec = *old_tsec;
3890 	return 0;
3891 }
3892 
3893 /*
3894  * transfer the SELinux data to a blank set of creds
3895  */
3896 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3897 {
3898 	const struct task_security_struct *old_tsec = selinux_cred(old);
3899 	struct task_security_struct *tsec = selinux_cred(new);
3900 
3901 	*tsec = *old_tsec;
3902 }
3903 
3904 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3905 {
3906 	*secid = cred_sid(c);
3907 }
3908 
3909 /*
3910  * set the security data for a kernel service
3911  * - all the creation contexts are set to unlabelled
3912  */
3913 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3914 {
3915 	struct task_security_struct *tsec = selinux_cred(new);
3916 	u32 sid = current_sid();
3917 	int ret;
3918 
3919 	ret = avc_has_perm(&selinux_state,
3920 			   sid, secid,
3921 			   SECCLASS_KERNEL_SERVICE,
3922 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3923 			   NULL);
3924 	if (ret == 0) {
3925 		tsec->sid = secid;
3926 		tsec->create_sid = 0;
3927 		tsec->keycreate_sid = 0;
3928 		tsec->sockcreate_sid = 0;
3929 	}
3930 	return ret;
3931 }
3932 
3933 /*
3934  * set the file creation context in a security record to the same as the
3935  * objective context of the specified inode
3936  */
3937 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3938 {
3939 	struct inode_security_struct *isec = inode_security(inode);
3940 	struct task_security_struct *tsec = selinux_cred(new);
3941 	u32 sid = current_sid();
3942 	int ret;
3943 
3944 	ret = avc_has_perm(&selinux_state,
3945 			   sid, isec->sid,
3946 			   SECCLASS_KERNEL_SERVICE,
3947 			   KERNEL_SERVICE__CREATE_FILES_AS,
3948 			   NULL);
3949 
3950 	if (ret == 0)
3951 		tsec->create_sid = isec->sid;
3952 	return ret;
3953 }
3954 
3955 static int selinux_kernel_module_request(char *kmod_name)
3956 {
3957 	struct common_audit_data ad;
3958 
3959 	ad.type = LSM_AUDIT_DATA_KMOD;
3960 	ad.u.kmod_name = kmod_name;
3961 
3962 	return avc_has_perm(&selinux_state,
3963 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3964 			    SYSTEM__MODULE_REQUEST, &ad);
3965 }
3966 
3967 static int selinux_kernel_module_from_file(struct file *file)
3968 {
3969 	struct common_audit_data ad;
3970 	struct inode_security_struct *isec;
3971 	struct file_security_struct *fsec;
3972 	u32 sid = current_sid();
3973 	int rc;
3974 
3975 	/* init_module */
3976 	if (file == NULL)
3977 		return avc_has_perm(&selinux_state,
3978 				    sid, sid, SECCLASS_SYSTEM,
3979 					SYSTEM__MODULE_LOAD, NULL);
3980 
3981 	/* finit_module */
3982 
3983 	ad.type = LSM_AUDIT_DATA_FILE;
3984 	ad.u.file = file;
3985 
3986 	fsec = selinux_file(file);
3987 	if (sid != fsec->sid) {
3988 		rc = avc_has_perm(&selinux_state,
3989 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3990 		if (rc)
3991 			return rc;
3992 	}
3993 
3994 	isec = inode_security(file_inode(file));
3995 	return avc_has_perm(&selinux_state,
3996 			    sid, isec->sid, SECCLASS_SYSTEM,
3997 				SYSTEM__MODULE_LOAD, &ad);
3998 }
3999 
4000 static int selinux_kernel_read_file(struct file *file,
4001 				    enum kernel_read_file_id id)
4002 {
4003 	int rc = 0;
4004 
4005 	switch (id) {
4006 	case READING_MODULE:
4007 		rc = selinux_kernel_module_from_file(file);
4008 		break;
4009 	default:
4010 		break;
4011 	}
4012 
4013 	return rc;
4014 }
4015 
4016 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4017 {
4018 	int rc = 0;
4019 
4020 	switch (id) {
4021 	case LOADING_MODULE:
4022 		rc = selinux_kernel_module_from_file(NULL);
4023 	default:
4024 		break;
4025 	}
4026 
4027 	return rc;
4028 }
4029 
4030 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4031 {
4032 	return avc_has_perm(&selinux_state,
4033 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4034 			    PROCESS__SETPGID, NULL);
4035 }
4036 
4037 static int selinux_task_getpgid(struct task_struct *p)
4038 {
4039 	return avc_has_perm(&selinux_state,
4040 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4041 			    PROCESS__GETPGID, NULL);
4042 }
4043 
4044 static int selinux_task_getsid(struct task_struct *p)
4045 {
4046 	return avc_has_perm(&selinux_state,
4047 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4048 			    PROCESS__GETSESSION, NULL);
4049 }
4050 
4051 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4052 {
4053 	*secid = task_sid(p);
4054 }
4055 
4056 static int selinux_task_setnice(struct task_struct *p, int nice)
4057 {
4058 	return avc_has_perm(&selinux_state,
4059 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4060 			    PROCESS__SETSCHED, NULL);
4061 }
4062 
4063 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4064 {
4065 	return avc_has_perm(&selinux_state,
4066 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4067 			    PROCESS__SETSCHED, NULL);
4068 }
4069 
4070 static int selinux_task_getioprio(struct task_struct *p)
4071 {
4072 	return avc_has_perm(&selinux_state,
4073 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4074 			    PROCESS__GETSCHED, NULL);
4075 }
4076 
4077 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4078 				unsigned int flags)
4079 {
4080 	u32 av = 0;
4081 
4082 	if (!flags)
4083 		return 0;
4084 	if (flags & LSM_PRLIMIT_WRITE)
4085 		av |= PROCESS__SETRLIMIT;
4086 	if (flags & LSM_PRLIMIT_READ)
4087 		av |= PROCESS__GETRLIMIT;
4088 	return avc_has_perm(&selinux_state,
4089 			    cred_sid(cred), cred_sid(tcred),
4090 			    SECCLASS_PROCESS, av, NULL);
4091 }
4092 
4093 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4094 		struct rlimit *new_rlim)
4095 {
4096 	struct rlimit *old_rlim = p->signal->rlim + resource;
4097 
4098 	/* Control the ability to change the hard limit (whether
4099 	   lowering or raising it), so that the hard limit can
4100 	   later be used as a safe reset point for the soft limit
4101 	   upon context transitions.  See selinux_bprm_committing_creds. */
4102 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4103 		return avc_has_perm(&selinux_state,
4104 				    current_sid(), task_sid(p),
4105 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4106 
4107 	return 0;
4108 }
4109 
4110 static int selinux_task_setscheduler(struct task_struct *p)
4111 {
4112 	return avc_has_perm(&selinux_state,
4113 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4114 			    PROCESS__SETSCHED, NULL);
4115 }
4116 
4117 static int selinux_task_getscheduler(struct task_struct *p)
4118 {
4119 	return avc_has_perm(&selinux_state,
4120 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4121 			    PROCESS__GETSCHED, NULL);
4122 }
4123 
4124 static int selinux_task_movememory(struct task_struct *p)
4125 {
4126 	return avc_has_perm(&selinux_state,
4127 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4128 			    PROCESS__SETSCHED, NULL);
4129 }
4130 
4131 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4132 				int sig, const struct cred *cred)
4133 {
4134 	u32 secid;
4135 	u32 perm;
4136 
4137 	if (!sig)
4138 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4139 	else
4140 		perm = signal_to_av(sig);
4141 	if (!cred)
4142 		secid = current_sid();
4143 	else
4144 		secid = cred_sid(cred);
4145 	return avc_has_perm(&selinux_state,
4146 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4147 }
4148 
4149 static void selinux_task_to_inode(struct task_struct *p,
4150 				  struct inode *inode)
4151 {
4152 	struct inode_security_struct *isec = selinux_inode(inode);
4153 	u32 sid = task_sid(p);
4154 
4155 	spin_lock(&isec->lock);
4156 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4157 	isec->sid = sid;
4158 	isec->initialized = LABEL_INITIALIZED;
4159 	spin_unlock(&isec->lock);
4160 }
4161 
4162 /* Returns error only if unable to parse addresses */
4163 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4164 			struct common_audit_data *ad, u8 *proto)
4165 {
4166 	int offset, ihlen, ret = -EINVAL;
4167 	struct iphdr _iph, *ih;
4168 
4169 	offset = skb_network_offset(skb);
4170 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4171 	if (ih == NULL)
4172 		goto out;
4173 
4174 	ihlen = ih->ihl * 4;
4175 	if (ihlen < sizeof(_iph))
4176 		goto out;
4177 
4178 	ad->u.net->v4info.saddr = ih->saddr;
4179 	ad->u.net->v4info.daddr = ih->daddr;
4180 	ret = 0;
4181 
4182 	if (proto)
4183 		*proto = ih->protocol;
4184 
4185 	switch (ih->protocol) {
4186 	case IPPROTO_TCP: {
4187 		struct tcphdr _tcph, *th;
4188 
4189 		if (ntohs(ih->frag_off) & IP_OFFSET)
4190 			break;
4191 
4192 		offset += ihlen;
4193 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4194 		if (th == NULL)
4195 			break;
4196 
4197 		ad->u.net->sport = th->source;
4198 		ad->u.net->dport = th->dest;
4199 		break;
4200 	}
4201 
4202 	case IPPROTO_UDP: {
4203 		struct udphdr _udph, *uh;
4204 
4205 		if (ntohs(ih->frag_off) & IP_OFFSET)
4206 			break;
4207 
4208 		offset += ihlen;
4209 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4210 		if (uh == NULL)
4211 			break;
4212 
4213 		ad->u.net->sport = uh->source;
4214 		ad->u.net->dport = uh->dest;
4215 		break;
4216 	}
4217 
4218 	case IPPROTO_DCCP: {
4219 		struct dccp_hdr _dccph, *dh;
4220 
4221 		if (ntohs(ih->frag_off) & IP_OFFSET)
4222 			break;
4223 
4224 		offset += ihlen;
4225 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4226 		if (dh == NULL)
4227 			break;
4228 
4229 		ad->u.net->sport = dh->dccph_sport;
4230 		ad->u.net->dport = dh->dccph_dport;
4231 		break;
4232 	}
4233 
4234 #if IS_ENABLED(CONFIG_IP_SCTP)
4235 	case IPPROTO_SCTP: {
4236 		struct sctphdr _sctph, *sh;
4237 
4238 		if (ntohs(ih->frag_off) & IP_OFFSET)
4239 			break;
4240 
4241 		offset += ihlen;
4242 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4243 		if (sh == NULL)
4244 			break;
4245 
4246 		ad->u.net->sport = sh->source;
4247 		ad->u.net->dport = sh->dest;
4248 		break;
4249 	}
4250 #endif
4251 	default:
4252 		break;
4253 	}
4254 out:
4255 	return ret;
4256 }
4257 
4258 #if IS_ENABLED(CONFIG_IPV6)
4259 
4260 /* Returns error only if unable to parse addresses */
4261 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4262 			struct common_audit_data *ad, u8 *proto)
4263 {
4264 	u8 nexthdr;
4265 	int ret = -EINVAL, offset;
4266 	struct ipv6hdr _ipv6h, *ip6;
4267 	__be16 frag_off;
4268 
4269 	offset = skb_network_offset(skb);
4270 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4271 	if (ip6 == NULL)
4272 		goto out;
4273 
4274 	ad->u.net->v6info.saddr = ip6->saddr;
4275 	ad->u.net->v6info.daddr = ip6->daddr;
4276 	ret = 0;
4277 
4278 	nexthdr = ip6->nexthdr;
4279 	offset += sizeof(_ipv6h);
4280 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4281 	if (offset < 0)
4282 		goto out;
4283 
4284 	if (proto)
4285 		*proto = nexthdr;
4286 
4287 	switch (nexthdr) {
4288 	case IPPROTO_TCP: {
4289 		struct tcphdr _tcph, *th;
4290 
4291 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4292 		if (th == NULL)
4293 			break;
4294 
4295 		ad->u.net->sport = th->source;
4296 		ad->u.net->dport = th->dest;
4297 		break;
4298 	}
4299 
4300 	case IPPROTO_UDP: {
4301 		struct udphdr _udph, *uh;
4302 
4303 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4304 		if (uh == NULL)
4305 			break;
4306 
4307 		ad->u.net->sport = uh->source;
4308 		ad->u.net->dport = uh->dest;
4309 		break;
4310 	}
4311 
4312 	case IPPROTO_DCCP: {
4313 		struct dccp_hdr _dccph, *dh;
4314 
4315 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4316 		if (dh == NULL)
4317 			break;
4318 
4319 		ad->u.net->sport = dh->dccph_sport;
4320 		ad->u.net->dport = dh->dccph_dport;
4321 		break;
4322 	}
4323 
4324 #if IS_ENABLED(CONFIG_IP_SCTP)
4325 	case IPPROTO_SCTP: {
4326 		struct sctphdr _sctph, *sh;
4327 
4328 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4329 		if (sh == NULL)
4330 			break;
4331 
4332 		ad->u.net->sport = sh->source;
4333 		ad->u.net->dport = sh->dest;
4334 		break;
4335 	}
4336 #endif
4337 	/* includes fragments */
4338 	default:
4339 		break;
4340 	}
4341 out:
4342 	return ret;
4343 }
4344 
4345 #endif /* IPV6 */
4346 
4347 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4348 			     char **_addrp, int src, u8 *proto)
4349 {
4350 	char *addrp;
4351 	int ret;
4352 
4353 	switch (ad->u.net->family) {
4354 	case PF_INET:
4355 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4356 		if (ret)
4357 			goto parse_error;
4358 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4359 				       &ad->u.net->v4info.daddr);
4360 		goto okay;
4361 
4362 #if IS_ENABLED(CONFIG_IPV6)
4363 	case PF_INET6:
4364 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4365 		if (ret)
4366 			goto parse_error;
4367 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4368 				       &ad->u.net->v6info.daddr);
4369 		goto okay;
4370 #endif	/* IPV6 */
4371 	default:
4372 		addrp = NULL;
4373 		goto okay;
4374 	}
4375 
4376 parse_error:
4377 	pr_warn(
4378 	       "SELinux: failure in selinux_parse_skb(),"
4379 	       " unable to parse packet\n");
4380 	return ret;
4381 
4382 okay:
4383 	if (_addrp)
4384 		*_addrp = addrp;
4385 	return 0;
4386 }
4387 
4388 /**
4389  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4390  * @skb: the packet
4391  * @family: protocol family
4392  * @sid: the packet's peer label SID
4393  *
4394  * Description:
4395  * Check the various different forms of network peer labeling and determine
4396  * the peer label/SID for the packet; most of the magic actually occurs in
4397  * the security server function security_net_peersid_cmp().  The function
4398  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4399  * or -EACCES if @sid is invalid due to inconsistencies with the different
4400  * peer labels.
4401  *
4402  */
4403 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4404 {
4405 	int err;
4406 	u32 xfrm_sid;
4407 	u32 nlbl_sid;
4408 	u32 nlbl_type;
4409 
4410 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4411 	if (unlikely(err))
4412 		return -EACCES;
4413 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4414 	if (unlikely(err))
4415 		return -EACCES;
4416 
4417 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4418 					   nlbl_type, xfrm_sid, sid);
4419 	if (unlikely(err)) {
4420 		pr_warn(
4421 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4422 		       " unable to determine packet's peer label\n");
4423 		return -EACCES;
4424 	}
4425 
4426 	return 0;
4427 }
4428 
4429 /**
4430  * selinux_conn_sid - Determine the child socket label for a connection
4431  * @sk_sid: the parent socket's SID
4432  * @skb_sid: the packet's SID
4433  * @conn_sid: the resulting connection SID
4434  *
4435  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4436  * combined with the MLS information from @skb_sid in order to create
4437  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4438  * of @sk_sid.  Returns zero on success, negative values on failure.
4439  *
4440  */
4441 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4442 {
4443 	int err = 0;
4444 
4445 	if (skb_sid != SECSID_NULL)
4446 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4447 					    conn_sid);
4448 	else
4449 		*conn_sid = sk_sid;
4450 
4451 	return err;
4452 }
4453 
4454 /* socket security operations */
4455 
4456 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4457 				 u16 secclass, u32 *socksid)
4458 {
4459 	if (tsec->sockcreate_sid > SECSID_NULL) {
4460 		*socksid = tsec->sockcreate_sid;
4461 		return 0;
4462 	}
4463 
4464 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4465 				       secclass, NULL, socksid);
4466 }
4467 
4468 static int sock_has_perm(struct sock *sk, u32 perms)
4469 {
4470 	struct sk_security_struct *sksec = sk->sk_security;
4471 	struct common_audit_data ad;
4472 	struct lsm_network_audit net = {0,};
4473 
4474 	if (sksec->sid == SECINITSID_KERNEL)
4475 		return 0;
4476 
4477 	ad.type = LSM_AUDIT_DATA_NET;
4478 	ad.u.net = &net;
4479 	ad.u.net->sk = sk;
4480 
4481 	return avc_has_perm(&selinux_state,
4482 			    current_sid(), sksec->sid, sksec->sclass, perms,
4483 			    &ad);
4484 }
4485 
4486 static int selinux_socket_create(int family, int type,
4487 				 int protocol, int kern)
4488 {
4489 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4490 	u32 newsid;
4491 	u16 secclass;
4492 	int rc;
4493 
4494 	if (kern)
4495 		return 0;
4496 
4497 	secclass = socket_type_to_security_class(family, type, protocol);
4498 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4499 	if (rc)
4500 		return rc;
4501 
4502 	return avc_has_perm(&selinux_state,
4503 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4504 }
4505 
4506 static int selinux_socket_post_create(struct socket *sock, int family,
4507 				      int type, int protocol, int kern)
4508 {
4509 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4510 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4511 	struct sk_security_struct *sksec;
4512 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4513 	u32 sid = SECINITSID_KERNEL;
4514 	int err = 0;
4515 
4516 	if (!kern) {
4517 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4518 		if (err)
4519 			return err;
4520 	}
4521 
4522 	isec->sclass = sclass;
4523 	isec->sid = sid;
4524 	isec->initialized = LABEL_INITIALIZED;
4525 
4526 	if (sock->sk) {
4527 		sksec = sock->sk->sk_security;
4528 		sksec->sclass = sclass;
4529 		sksec->sid = sid;
4530 		/* Allows detection of the first association on this socket */
4531 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4532 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4533 
4534 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4535 	}
4536 
4537 	return err;
4538 }
4539 
4540 static int selinux_socket_socketpair(struct socket *socka,
4541 				     struct socket *sockb)
4542 {
4543 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4544 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4545 
4546 	sksec_a->peer_sid = sksec_b->sid;
4547 	sksec_b->peer_sid = sksec_a->sid;
4548 
4549 	return 0;
4550 }
4551 
4552 /* Range of port numbers used to automatically bind.
4553    Need to determine whether we should perform a name_bind
4554    permission check between the socket and the port number. */
4555 
4556 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4557 {
4558 	struct sock *sk = sock->sk;
4559 	struct sk_security_struct *sksec = sk->sk_security;
4560 	u16 family;
4561 	int err;
4562 
4563 	err = sock_has_perm(sk, SOCKET__BIND);
4564 	if (err)
4565 		goto out;
4566 
4567 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4568 	family = sk->sk_family;
4569 	if (family == PF_INET || family == PF_INET6) {
4570 		char *addrp;
4571 		struct common_audit_data ad;
4572 		struct lsm_network_audit net = {0,};
4573 		struct sockaddr_in *addr4 = NULL;
4574 		struct sockaddr_in6 *addr6 = NULL;
4575 		u16 family_sa;
4576 		unsigned short snum;
4577 		u32 sid, node_perm;
4578 
4579 		/*
4580 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4581 		 * that validates multiple binding addresses. Because of this
4582 		 * need to check address->sa_family as it is possible to have
4583 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4584 		 */
4585 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4586 			return -EINVAL;
4587 		family_sa = address->sa_family;
4588 		switch (family_sa) {
4589 		case AF_UNSPEC:
4590 		case AF_INET:
4591 			if (addrlen < sizeof(struct sockaddr_in))
4592 				return -EINVAL;
4593 			addr4 = (struct sockaddr_in *)address;
4594 			if (family_sa == AF_UNSPEC) {
4595 				/* see __inet_bind(), we only want to allow
4596 				 * AF_UNSPEC if the address is INADDR_ANY
4597 				 */
4598 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4599 					goto err_af;
4600 				family_sa = AF_INET;
4601 			}
4602 			snum = ntohs(addr4->sin_port);
4603 			addrp = (char *)&addr4->sin_addr.s_addr;
4604 			break;
4605 		case AF_INET6:
4606 			if (addrlen < SIN6_LEN_RFC2133)
4607 				return -EINVAL;
4608 			addr6 = (struct sockaddr_in6 *)address;
4609 			snum = ntohs(addr6->sin6_port);
4610 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4611 			break;
4612 		default:
4613 			goto err_af;
4614 		}
4615 
4616 		ad.type = LSM_AUDIT_DATA_NET;
4617 		ad.u.net = &net;
4618 		ad.u.net->sport = htons(snum);
4619 		ad.u.net->family = family_sa;
4620 
4621 		if (snum) {
4622 			int low, high;
4623 
4624 			inet_get_local_port_range(sock_net(sk), &low, &high);
4625 
4626 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4627 			    snum > high) {
4628 				err = sel_netport_sid(sk->sk_protocol,
4629 						      snum, &sid);
4630 				if (err)
4631 					goto out;
4632 				err = avc_has_perm(&selinux_state,
4633 						   sksec->sid, sid,
4634 						   sksec->sclass,
4635 						   SOCKET__NAME_BIND, &ad);
4636 				if (err)
4637 					goto out;
4638 			}
4639 		}
4640 
4641 		switch (sksec->sclass) {
4642 		case SECCLASS_TCP_SOCKET:
4643 			node_perm = TCP_SOCKET__NODE_BIND;
4644 			break;
4645 
4646 		case SECCLASS_UDP_SOCKET:
4647 			node_perm = UDP_SOCKET__NODE_BIND;
4648 			break;
4649 
4650 		case SECCLASS_DCCP_SOCKET:
4651 			node_perm = DCCP_SOCKET__NODE_BIND;
4652 			break;
4653 
4654 		case SECCLASS_SCTP_SOCKET:
4655 			node_perm = SCTP_SOCKET__NODE_BIND;
4656 			break;
4657 
4658 		default:
4659 			node_perm = RAWIP_SOCKET__NODE_BIND;
4660 			break;
4661 		}
4662 
4663 		err = sel_netnode_sid(addrp, family_sa, &sid);
4664 		if (err)
4665 			goto out;
4666 
4667 		if (family_sa == AF_INET)
4668 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4669 		else
4670 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4671 
4672 		err = avc_has_perm(&selinux_state,
4673 				   sksec->sid, sid,
4674 				   sksec->sclass, node_perm, &ad);
4675 		if (err)
4676 			goto out;
4677 	}
4678 out:
4679 	return err;
4680 err_af:
4681 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4682 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4683 		return -EINVAL;
4684 	return -EAFNOSUPPORT;
4685 }
4686 
4687 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4688  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4689  */
4690 static int selinux_socket_connect_helper(struct socket *sock,
4691 					 struct sockaddr *address, int addrlen)
4692 {
4693 	struct sock *sk = sock->sk;
4694 	struct sk_security_struct *sksec = sk->sk_security;
4695 	int err;
4696 
4697 	err = sock_has_perm(sk, SOCKET__CONNECT);
4698 	if (err)
4699 		return err;
4700 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4701 		return -EINVAL;
4702 
4703 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4704 	 * way to disconnect the socket
4705 	 */
4706 	if (address->sa_family == AF_UNSPEC)
4707 		return 0;
4708 
4709 	/*
4710 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4711 	 * for the port.
4712 	 */
4713 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4714 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4715 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4716 		struct common_audit_data ad;
4717 		struct lsm_network_audit net = {0,};
4718 		struct sockaddr_in *addr4 = NULL;
4719 		struct sockaddr_in6 *addr6 = NULL;
4720 		unsigned short snum;
4721 		u32 sid, perm;
4722 
4723 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4724 		 * that validates multiple connect addresses. Because of this
4725 		 * need to check address->sa_family as it is possible to have
4726 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4727 		 */
4728 		switch (address->sa_family) {
4729 		case AF_INET:
4730 			addr4 = (struct sockaddr_in *)address;
4731 			if (addrlen < sizeof(struct sockaddr_in))
4732 				return -EINVAL;
4733 			snum = ntohs(addr4->sin_port);
4734 			break;
4735 		case AF_INET6:
4736 			addr6 = (struct sockaddr_in6 *)address;
4737 			if (addrlen < SIN6_LEN_RFC2133)
4738 				return -EINVAL;
4739 			snum = ntohs(addr6->sin6_port);
4740 			break;
4741 		default:
4742 			/* Note that SCTP services expect -EINVAL, whereas
4743 			 * others expect -EAFNOSUPPORT.
4744 			 */
4745 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4746 				return -EINVAL;
4747 			else
4748 				return -EAFNOSUPPORT;
4749 		}
4750 
4751 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4752 		if (err)
4753 			return err;
4754 
4755 		switch (sksec->sclass) {
4756 		case SECCLASS_TCP_SOCKET:
4757 			perm = TCP_SOCKET__NAME_CONNECT;
4758 			break;
4759 		case SECCLASS_DCCP_SOCKET:
4760 			perm = DCCP_SOCKET__NAME_CONNECT;
4761 			break;
4762 		case SECCLASS_SCTP_SOCKET:
4763 			perm = SCTP_SOCKET__NAME_CONNECT;
4764 			break;
4765 		}
4766 
4767 		ad.type = LSM_AUDIT_DATA_NET;
4768 		ad.u.net = &net;
4769 		ad.u.net->dport = htons(snum);
4770 		ad.u.net->family = address->sa_family;
4771 		err = avc_has_perm(&selinux_state,
4772 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4773 		if (err)
4774 			return err;
4775 	}
4776 
4777 	return 0;
4778 }
4779 
4780 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4781 static int selinux_socket_connect(struct socket *sock,
4782 				  struct sockaddr *address, int addrlen)
4783 {
4784 	int err;
4785 	struct sock *sk = sock->sk;
4786 
4787 	err = selinux_socket_connect_helper(sock, address, addrlen);
4788 	if (err)
4789 		return err;
4790 
4791 	return selinux_netlbl_socket_connect(sk, address);
4792 }
4793 
4794 static int selinux_socket_listen(struct socket *sock, int backlog)
4795 {
4796 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4797 }
4798 
4799 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4800 {
4801 	int err;
4802 	struct inode_security_struct *isec;
4803 	struct inode_security_struct *newisec;
4804 	u16 sclass;
4805 	u32 sid;
4806 
4807 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4808 	if (err)
4809 		return err;
4810 
4811 	isec = inode_security_novalidate(SOCK_INODE(sock));
4812 	spin_lock(&isec->lock);
4813 	sclass = isec->sclass;
4814 	sid = isec->sid;
4815 	spin_unlock(&isec->lock);
4816 
4817 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4818 	newisec->sclass = sclass;
4819 	newisec->sid = sid;
4820 	newisec->initialized = LABEL_INITIALIZED;
4821 
4822 	return 0;
4823 }
4824 
4825 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4826 				  int size)
4827 {
4828 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4829 }
4830 
4831 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4832 				  int size, int flags)
4833 {
4834 	return sock_has_perm(sock->sk, SOCKET__READ);
4835 }
4836 
4837 static int selinux_socket_getsockname(struct socket *sock)
4838 {
4839 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4840 }
4841 
4842 static int selinux_socket_getpeername(struct socket *sock)
4843 {
4844 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4845 }
4846 
4847 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4848 {
4849 	int err;
4850 
4851 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4852 	if (err)
4853 		return err;
4854 
4855 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4856 }
4857 
4858 static int selinux_socket_getsockopt(struct socket *sock, int level,
4859 				     int optname)
4860 {
4861 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4862 }
4863 
4864 static int selinux_socket_shutdown(struct socket *sock, int how)
4865 {
4866 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4867 }
4868 
4869 static int selinux_socket_unix_stream_connect(struct sock *sock,
4870 					      struct sock *other,
4871 					      struct sock *newsk)
4872 {
4873 	struct sk_security_struct *sksec_sock = sock->sk_security;
4874 	struct sk_security_struct *sksec_other = other->sk_security;
4875 	struct sk_security_struct *sksec_new = newsk->sk_security;
4876 	struct common_audit_data ad;
4877 	struct lsm_network_audit net = {0,};
4878 	int err;
4879 
4880 	ad.type = LSM_AUDIT_DATA_NET;
4881 	ad.u.net = &net;
4882 	ad.u.net->sk = other;
4883 
4884 	err = avc_has_perm(&selinux_state,
4885 			   sksec_sock->sid, sksec_other->sid,
4886 			   sksec_other->sclass,
4887 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4888 	if (err)
4889 		return err;
4890 
4891 	/* server child socket */
4892 	sksec_new->peer_sid = sksec_sock->sid;
4893 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4894 				    sksec_sock->sid, &sksec_new->sid);
4895 	if (err)
4896 		return err;
4897 
4898 	/* connecting socket */
4899 	sksec_sock->peer_sid = sksec_new->sid;
4900 
4901 	return 0;
4902 }
4903 
4904 static int selinux_socket_unix_may_send(struct socket *sock,
4905 					struct socket *other)
4906 {
4907 	struct sk_security_struct *ssec = sock->sk->sk_security;
4908 	struct sk_security_struct *osec = other->sk->sk_security;
4909 	struct common_audit_data ad;
4910 	struct lsm_network_audit net = {0,};
4911 
4912 	ad.type = LSM_AUDIT_DATA_NET;
4913 	ad.u.net = &net;
4914 	ad.u.net->sk = other->sk;
4915 
4916 	return avc_has_perm(&selinux_state,
4917 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4918 			    &ad);
4919 }
4920 
4921 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4922 				    char *addrp, u16 family, u32 peer_sid,
4923 				    struct common_audit_data *ad)
4924 {
4925 	int err;
4926 	u32 if_sid;
4927 	u32 node_sid;
4928 
4929 	err = sel_netif_sid(ns, ifindex, &if_sid);
4930 	if (err)
4931 		return err;
4932 	err = avc_has_perm(&selinux_state,
4933 			   peer_sid, if_sid,
4934 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4935 	if (err)
4936 		return err;
4937 
4938 	err = sel_netnode_sid(addrp, family, &node_sid);
4939 	if (err)
4940 		return err;
4941 	return avc_has_perm(&selinux_state,
4942 			    peer_sid, node_sid,
4943 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4944 }
4945 
4946 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4947 				       u16 family)
4948 {
4949 	int err = 0;
4950 	struct sk_security_struct *sksec = sk->sk_security;
4951 	u32 sk_sid = sksec->sid;
4952 	struct common_audit_data ad;
4953 	struct lsm_network_audit net = {0,};
4954 	char *addrp;
4955 
4956 	ad.type = LSM_AUDIT_DATA_NET;
4957 	ad.u.net = &net;
4958 	ad.u.net->netif = skb->skb_iif;
4959 	ad.u.net->family = family;
4960 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4961 	if (err)
4962 		return err;
4963 
4964 	if (selinux_secmark_enabled()) {
4965 		err = avc_has_perm(&selinux_state,
4966 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4967 				   PACKET__RECV, &ad);
4968 		if (err)
4969 			return err;
4970 	}
4971 
4972 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4973 	if (err)
4974 		return err;
4975 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4976 
4977 	return err;
4978 }
4979 
4980 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4981 {
4982 	int err;
4983 	struct sk_security_struct *sksec = sk->sk_security;
4984 	u16 family = sk->sk_family;
4985 	u32 sk_sid = sksec->sid;
4986 	struct common_audit_data ad;
4987 	struct lsm_network_audit net = {0,};
4988 	char *addrp;
4989 	u8 secmark_active;
4990 	u8 peerlbl_active;
4991 
4992 	if (family != PF_INET && family != PF_INET6)
4993 		return 0;
4994 
4995 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4996 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4997 		family = PF_INET;
4998 
4999 	/* If any sort of compatibility mode is enabled then handoff processing
5000 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5001 	 * special handling.  We do this in an attempt to keep this function
5002 	 * as fast and as clean as possible. */
5003 	if (!selinux_policycap_netpeer())
5004 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5005 
5006 	secmark_active = selinux_secmark_enabled();
5007 	peerlbl_active = selinux_peerlbl_enabled();
5008 	if (!secmark_active && !peerlbl_active)
5009 		return 0;
5010 
5011 	ad.type = LSM_AUDIT_DATA_NET;
5012 	ad.u.net = &net;
5013 	ad.u.net->netif = skb->skb_iif;
5014 	ad.u.net->family = family;
5015 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5016 	if (err)
5017 		return err;
5018 
5019 	if (peerlbl_active) {
5020 		u32 peer_sid;
5021 
5022 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5023 		if (err)
5024 			return err;
5025 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5026 					       addrp, family, peer_sid, &ad);
5027 		if (err) {
5028 			selinux_netlbl_err(skb, family, err, 0);
5029 			return err;
5030 		}
5031 		err = avc_has_perm(&selinux_state,
5032 				   sk_sid, peer_sid, SECCLASS_PEER,
5033 				   PEER__RECV, &ad);
5034 		if (err) {
5035 			selinux_netlbl_err(skb, family, err, 0);
5036 			return err;
5037 		}
5038 	}
5039 
5040 	if (secmark_active) {
5041 		err = avc_has_perm(&selinux_state,
5042 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5043 				   PACKET__RECV, &ad);
5044 		if (err)
5045 			return err;
5046 	}
5047 
5048 	return err;
5049 }
5050 
5051 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5052 					    int __user *optlen, unsigned len)
5053 {
5054 	int err = 0;
5055 	char *scontext;
5056 	u32 scontext_len;
5057 	struct sk_security_struct *sksec = sock->sk->sk_security;
5058 	u32 peer_sid = SECSID_NULL;
5059 
5060 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5061 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5062 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5063 		peer_sid = sksec->peer_sid;
5064 	if (peer_sid == SECSID_NULL)
5065 		return -ENOPROTOOPT;
5066 
5067 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5068 				      &scontext_len);
5069 	if (err)
5070 		return err;
5071 
5072 	if (scontext_len > len) {
5073 		err = -ERANGE;
5074 		goto out_len;
5075 	}
5076 
5077 	if (copy_to_user(optval, scontext, scontext_len))
5078 		err = -EFAULT;
5079 
5080 out_len:
5081 	if (put_user(scontext_len, optlen))
5082 		err = -EFAULT;
5083 	kfree(scontext);
5084 	return err;
5085 }
5086 
5087 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5088 {
5089 	u32 peer_secid = SECSID_NULL;
5090 	u16 family;
5091 	struct inode_security_struct *isec;
5092 
5093 	if (skb && skb->protocol == htons(ETH_P_IP))
5094 		family = PF_INET;
5095 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5096 		family = PF_INET6;
5097 	else if (sock)
5098 		family = sock->sk->sk_family;
5099 	else
5100 		goto out;
5101 
5102 	if (sock && family == PF_UNIX) {
5103 		isec = inode_security_novalidate(SOCK_INODE(sock));
5104 		peer_secid = isec->sid;
5105 	} else if (skb)
5106 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5107 
5108 out:
5109 	*secid = peer_secid;
5110 	if (peer_secid == SECSID_NULL)
5111 		return -EINVAL;
5112 	return 0;
5113 }
5114 
5115 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5116 {
5117 	struct sk_security_struct *sksec;
5118 
5119 	sksec = kzalloc(sizeof(*sksec), priority);
5120 	if (!sksec)
5121 		return -ENOMEM;
5122 
5123 	sksec->peer_sid = SECINITSID_UNLABELED;
5124 	sksec->sid = SECINITSID_UNLABELED;
5125 	sksec->sclass = SECCLASS_SOCKET;
5126 	selinux_netlbl_sk_security_reset(sksec);
5127 	sk->sk_security = sksec;
5128 
5129 	return 0;
5130 }
5131 
5132 static void selinux_sk_free_security(struct sock *sk)
5133 {
5134 	struct sk_security_struct *sksec = sk->sk_security;
5135 
5136 	sk->sk_security = NULL;
5137 	selinux_netlbl_sk_security_free(sksec);
5138 	kfree(sksec);
5139 }
5140 
5141 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5142 {
5143 	struct sk_security_struct *sksec = sk->sk_security;
5144 	struct sk_security_struct *newsksec = newsk->sk_security;
5145 
5146 	newsksec->sid = sksec->sid;
5147 	newsksec->peer_sid = sksec->peer_sid;
5148 	newsksec->sclass = sksec->sclass;
5149 
5150 	selinux_netlbl_sk_security_reset(newsksec);
5151 }
5152 
5153 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5154 {
5155 	if (!sk)
5156 		*secid = SECINITSID_ANY_SOCKET;
5157 	else {
5158 		struct sk_security_struct *sksec = sk->sk_security;
5159 
5160 		*secid = sksec->sid;
5161 	}
5162 }
5163 
5164 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5165 {
5166 	struct inode_security_struct *isec =
5167 		inode_security_novalidate(SOCK_INODE(parent));
5168 	struct sk_security_struct *sksec = sk->sk_security;
5169 
5170 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5171 	    sk->sk_family == PF_UNIX)
5172 		isec->sid = sksec->sid;
5173 	sksec->sclass = isec->sclass;
5174 }
5175 
5176 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5177  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5178  * already present).
5179  */
5180 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5181 				      struct sk_buff *skb)
5182 {
5183 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5184 	struct common_audit_data ad;
5185 	struct lsm_network_audit net = {0,};
5186 	u8 peerlbl_active;
5187 	u32 peer_sid = SECINITSID_UNLABELED;
5188 	u32 conn_sid;
5189 	int err = 0;
5190 
5191 	if (!selinux_policycap_extsockclass())
5192 		return 0;
5193 
5194 	peerlbl_active = selinux_peerlbl_enabled();
5195 
5196 	if (peerlbl_active) {
5197 		/* This will return peer_sid = SECSID_NULL if there are
5198 		 * no peer labels, see security_net_peersid_resolve().
5199 		 */
5200 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5201 					      &peer_sid);
5202 		if (err)
5203 			return err;
5204 
5205 		if (peer_sid == SECSID_NULL)
5206 			peer_sid = SECINITSID_UNLABELED;
5207 	}
5208 
5209 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5210 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5211 
5212 		/* Here as first association on socket. As the peer SID
5213 		 * was allowed by peer recv (and the netif/node checks),
5214 		 * then it is approved by policy and used as the primary
5215 		 * peer SID for getpeercon(3).
5216 		 */
5217 		sksec->peer_sid = peer_sid;
5218 	} else if  (sksec->peer_sid != peer_sid) {
5219 		/* Other association peer SIDs are checked to enforce
5220 		 * consistency among the peer SIDs.
5221 		 */
5222 		ad.type = LSM_AUDIT_DATA_NET;
5223 		ad.u.net = &net;
5224 		ad.u.net->sk = ep->base.sk;
5225 		err = avc_has_perm(&selinux_state,
5226 				   sksec->peer_sid, peer_sid, sksec->sclass,
5227 				   SCTP_SOCKET__ASSOCIATION, &ad);
5228 		if (err)
5229 			return err;
5230 	}
5231 
5232 	/* Compute the MLS component for the connection and store
5233 	 * the information in ep. This will be used by SCTP TCP type
5234 	 * sockets and peeled off connections as they cause a new
5235 	 * socket to be generated. selinux_sctp_sk_clone() will then
5236 	 * plug this into the new socket.
5237 	 */
5238 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5239 	if (err)
5240 		return err;
5241 
5242 	ep->secid = conn_sid;
5243 	ep->peer_secid = peer_sid;
5244 
5245 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5246 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5247 }
5248 
5249 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5250  * based on their @optname.
5251  */
5252 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5253 				     struct sockaddr *address,
5254 				     int addrlen)
5255 {
5256 	int len, err = 0, walk_size = 0;
5257 	void *addr_buf;
5258 	struct sockaddr *addr;
5259 	struct socket *sock;
5260 
5261 	if (!selinux_policycap_extsockclass())
5262 		return 0;
5263 
5264 	/* Process one or more addresses that may be IPv4 or IPv6 */
5265 	sock = sk->sk_socket;
5266 	addr_buf = address;
5267 
5268 	while (walk_size < addrlen) {
5269 		if (walk_size + sizeof(sa_family_t) > addrlen)
5270 			return -EINVAL;
5271 
5272 		addr = addr_buf;
5273 		switch (addr->sa_family) {
5274 		case AF_UNSPEC:
5275 		case AF_INET:
5276 			len = sizeof(struct sockaddr_in);
5277 			break;
5278 		case AF_INET6:
5279 			len = sizeof(struct sockaddr_in6);
5280 			break;
5281 		default:
5282 			return -EINVAL;
5283 		}
5284 
5285 		if (walk_size + len > addrlen)
5286 			return -EINVAL;
5287 
5288 		err = -EINVAL;
5289 		switch (optname) {
5290 		/* Bind checks */
5291 		case SCTP_PRIMARY_ADDR:
5292 		case SCTP_SET_PEER_PRIMARY_ADDR:
5293 		case SCTP_SOCKOPT_BINDX_ADD:
5294 			err = selinux_socket_bind(sock, addr, len);
5295 			break;
5296 		/* Connect checks */
5297 		case SCTP_SOCKOPT_CONNECTX:
5298 		case SCTP_PARAM_SET_PRIMARY:
5299 		case SCTP_PARAM_ADD_IP:
5300 		case SCTP_SENDMSG_CONNECT:
5301 			err = selinux_socket_connect_helper(sock, addr, len);
5302 			if (err)
5303 				return err;
5304 
5305 			/* As selinux_sctp_bind_connect() is called by the
5306 			 * SCTP protocol layer, the socket is already locked,
5307 			 * therefore selinux_netlbl_socket_connect_locked() is
5308 			 * is called here. The situations handled are:
5309 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5310 			 * whenever a new IP address is added or when a new
5311 			 * primary address is selected.
5312 			 * Note that an SCTP connect(2) call happens before
5313 			 * the SCTP protocol layer and is handled via
5314 			 * selinux_socket_connect().
5315 			 */
5316 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5317 			break;
5318 		}
5319 
5320 		if (err)
5321 			return err;
5322 
5323 		addr_buf += len;
5324 		walk_size += len;
5325 	}
5326 
5327 	return 0;
5328 }
5329 
5330 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5331 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5332 				  struct sock *newsk)
5333 {
5334 	struct sk_security_struct *sksec = sk->sk_security;
5335 	struct sk_security_struct *newsksec = newsk->sk_security;
5336 
5337 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5338 	 * the non-sctp clone version.
5339 	 */
5340 	if (!selinux_policycap_extsockclass())
5341 		return selinux_sk_clone_security(sk, newsk);
5342 
5343 	newsksec->sid = ep->secid;
5344 	newsksec->peer_sid = ep->peer_secid;
5345 	newsksec->sclass = sksec->sclass;
5346 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5347 }
5348 
5349 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5350 				     struct request_sock *req)
5351 {
5352 	struct sk_security_struct *sksec = sk->sk_security;
5353 	int err;
5354 	u16 family = req->rsk_ops->family;
5355 	u32 connsid;
5356 	u32 peersid;
5357 
5358 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5359 	if (err)
5360 		return err;
5361 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5362 	if (err)
5363 		return err;
5364 	req->secid = connsid;
5365 	req->peer_secid = peersid;
5366 
5367 	return selinux_netlbl_inet_conn_request(req, family);
5368 }
5369 
5370 static void selinux_inet_csk_clone(struct sock *newsk,
5371 				   const struct request_sock *req)
5372 {
5373 	struct sk_security_struct *newsksec = newsk->sk_security;
5374 
5375 	newsksec->sid = req->secid;
5376 	newsksec->peer_sid = req->peer_secid;
5377 	/* NOTE: Ideally, we should also get the isec->sid for the
5378 	   new socket in sync, but we don't have the isec available yet.
5379 	   So we will wait until sock_graft to do it, by which
5380 	   time it will have been created and available. */
5381 
5382 	/* We don't need to take any sort of lock here as we are the only
5383 	 * thread with access to newsksec */
5384 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5385 }
5386 
5387 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5388 {
5389 	u16 family = sk->sk_family;
5390 	struct sk_security_struct *sksec = sk->sk_security;
5391 
5392 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5393 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5394 		family = PF_INET;
5395 
5396 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5397 }
5398 
5399 static int selinux_secmark_relabel_packet(u32 sid)
5400 {
5401 	const struct task_security_struct *__tsec;
5402 	u32 tsid;
5403 
5404 	__tsec = selinux_cred(current_cred());
5405 	tsid = __tsec->sid;
5406 
5407 	return avc_has_perm(&selinux_state,
5408 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5409 			    NULL);
5410 }
5411 
5412 static void selinux_secmark_refcount_inc(void)
5413 {
5414 	atomic_inc(&selinux_secmark_refcount);
5415 }
5416 
5417 static void selinux_secmark_refcount_dec(void)
5418 {
5419 	atomic_dec(&selinux_secmark_refcount);
5420 }
5421 
5422 static void selinux_req_classify_flow(const struct request_sock *req,
5423 				      struct flowi *fl)
5424 {
5425 	fl->flowi_secid = req->secid;
5426 }
5427 
5428 static int selinux_tun_dev_alloc_security(void **security)
5429 {
5430 	struct tun_security_struct *tunsec;
5431 
5432 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5433 	if (!tunsec)
5434 		return -ENOMEM;
5435 	tunsec->sid = current_sid();
5436 
5437 	*security = tunsec;
5438 	return 0;
5439 }
5440 
5441 static void selinux_tun_dev_free_security(void *security)
5442 {
5443 	kfree(security);
5444 }
5445 
5446 static int selinux_tun_dev_create(void)
5447 {
5448 	u32 sid = current_sid();
5449 
5450 	/* we aren't taking into account the "sockcreate" SID since the socket
5451 	 * that is being created here is not a socket in the traditional sense,
5452 	 * instead it is a private sock, accessible only to the kernel, and
5453 	 * representing a wide range of network traffic spanning multiple
5454 	 * connections unlike traditional sockets - check the TUN driver to
5455 	 * get a better understanding of why this socket is special */
5456 
5457 	return avc_has_perm(&selinux_state,
5458 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5459 			    NULL);
5460 }
5461 
5462 static int selinux_tun_dev_attach_queue(void *security)
5463 {
5464 	struct tun_security_struct *tunsec = security;
5465 
5466 	return avc_has_perm(&selinux_state,
5467 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5468 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5469 }
5470 
5471 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5472 {
5473 	struct tun_security_struct *tunsec = security;
5474 	struct sk_security_struct *sksec = sk->sk_security;
5475 
5476 	/* we don't currently perform any NetLabel based labeling here and it
5477 	 * isn't clear that we would want to do so anyway; while we could apply
5478 	 * labeling without the support of the TUN user the resulting labeled
5479 	 * traffic from the other end of the connection would almost certainly
5480 	 * cause confusion to the TUN user that had no idea network labeling
5481 	 * protocols were being used */
5482 
5483 	sksec->sid = tunsec->sid;
5484 	sksec->sclass = SECCLASS_TUN_SOCKET;
5485 
5486 	return 0;
5487 }
5488 
5489 static int selinux_tun_dev_open(void *security)
5490 {
5491 	struct tun_security_struct *tunsec = security;
5492 	u32 sid = current_sid();
5493 	int err;
5494 
5495 	err = avc_has_perm(&selinux_state,
5496 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5497 			   TUN_SOCKET__RELABELFROM, NULL);
5498 	if (err)
5499 		return err;
5500 	err = avc_has_perm(&selinux_state,
5501 			   sid, sid, SECCLASS_TUN_SOCKET,
5502 			   TUN_SOCKET__RELABELTO, NULL);
5503 	if (err)
5504 		return err;
5505 	tunsec->sid = sid;
5506 
5507 	return 0;
5508 }
5509 
5510 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5511 {
5512 	int err = 0;
5513 	u32 perm;
5514 	struct nlmsghdr *nlh;
5515 	struct sk_security_struct *sksec = sk->sk_security;
5516 
5517 	if (skb->len < NLMSG_HDRLEN) {
5518 		err = -EINVAL;
5519 		goto out;
5520 	}
5521 	nlh = nlmsg_hdr(skb);
5522 
5523 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5524 	if (err) {
5525 		if (err == -EINVAL) {
5526 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5527 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5528 			       " pig=%d comm=%s\n",
5529 			       sk->sk_protocol, nlh->nlmsg_type,
5530 			       secclass_map[sksec->sclass - 1].name,
5531 			       task_pid_nr(current), current->comm);
5532 			if (!enforcing_enabled(&selinux_state) ||
5533 			    security_get_allow_unknown(&selinux_state))
5534 				err = 0;
5535 		}
5536 
5537 		/* Ignore */
5538 		if (err == -ENOENT)
5539 			err = 0;
5540 		goto out;
5541 	}
5542 
5543 	err = sock_has_perm(sk, perm);
5544 out:
5545 	return err;
5546 }
5547 
5548 #ifdef CONFIG_NETFILTER
5549 
5550 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5551 				       const struct net_device *indev,
5552 				       u16 family)
5553 {
5554 	int err;
5555 	char *addrp;
5556 	u32 peer_sid;
5557 	struct common_audit_data ad;
5558 	struct lsm_network_audit net = {0,};
5559 	u8 secmark_active;
5560 	u8 netlbl_active;
5561 	u8 peerlbl_active;
5562 
5563 	if (!selinux_policycap_netpeer())
5564 		return NF_ACCEPT;
5565 
5566 	secmark_active = selinux_secmark_enabled();
5567 	netlbl_active = netlbl_enabled();
5568 	peerlbl_active = selinux_peerlbl_enabled();
5569 	if (!secmark_active && !peerlbl_active)
5570 		return NF_ACCEPT;
5571 
5572 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5573 		return NF_DROP;
5574 
5575 	ad.type = LSM_AUDIT_DATA_NET;
5576 	ad.u.net = &net;
5577 	ad.u.net->netif = indev->ifindex;
5578 	ad.u.net->family = family;
5579 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5580 		return NF_DROP;
5581 
5582 	if (peerlbl_active) {
5583 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5584 					       addrp, family, peer_sid, &ad);
5585 		if (err) {
5586 			selinux_netlbl_err(skb, family, err, 1);
5587 			return NF_DROP;
5588 		}
5589 	}
5590 
5591 	if (secmark_active)
5592 		if (avc_has_perm(&selinux_state,
5593 				 peer_sid, skb->secmark,
5594 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5595 			return NF_DROP;
5596 
5597 	if (netlbl_active)
5598 		/* we do this in the FORWARD path and not the POST_ROUTING
5599 		 * path because we want to make sure we apply the necessary
5600 		 * labeling before IPsec is applied so we can leverage AH
5601 		 * protection */
5602 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5603 			return NF_DROP;
5604 
5605 	return NF_ACCEPT;
5606 }
5607 
5608 static unsigned int selinux_ipv4_forward(void *priv,
5609 					 struct sk_buff *skb,
5610 					 const struct nf_hook_state *state)
5611 {
5612 	return selinux_ip_forward(skb, state->in, PF_INET);
5613 }
5614 
5615 #if IS_ENABLED(CONFIG_IPV6)
5616 static unsigned int selinux_ipv6_forward(void *priv,
5617 					 struct sk_buff *skb,
5618 					 const struct nf_hook_state *state)
5619 {
5620 	return selinux_ip_forward(skb, state->in, PF_INET6);
5621 }
5622 #endif	/* IPV6 */
5623 
5624 static unsigned int selinux_ip_output(struct sk_buff *skb,
5625 				      u16 family)
5626 {
5627 	struct sock *sk;
5628 	u32 sid;
5629 
5630 	if (!netlbl_enabled())
5631 		return NF_ACCEPT;
5632 
5633 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5634 	 * because we want to make sure we apply the necessary labeling
5635 	 * before IPsec is applied so we can leverage AH protection */
5636 	sk = skb->sk;
5637 	if (sk) {
5638 		struct sk_security_struct *sksec;
5639 
5640 		if (sk_listener(sk))
5641 			/* if the socket is the listening state then this
5642 			 * packet is a SYN-ACK packet which means it needs to
5643 			 * be labeled based on the connection/request_sock and
5644 			 * not the parent socket.  unfortunately, we can't
5645 			 * lookup the request_sock yet as it isn't queued on
5646 			 * the parent socket until after the SYN-ACK is sent.
5647 			 * the "solution" is to simply pass the packet as-is
5648 			 * as any IP option based labeling should be copied
5649 			 * from the initial connection request (in the IP
5650 			 * layer).  it is far from ideal, but until we get a
5651 			 * security label in the packet itself this is the
5652 			 * best we can do. */
5653 			return NF_ACCEPT;
5654 
5655 		/* standard practice, label using the parent socket */
5656 		sksec = sk->sk_security;
5657 		sid = sksec->sid;
5658 	} else
5659 		sid = SECINITSID_KERNEL;
5660 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5661 		return NF_DROP;
5662 
5663 	return NF_ACCEPT;
5664 }
5665 
5666 static unsigned int selinux_ipv4_output(void *priv,
5667 					struct sk_buff *skb,
5668 					const struct nf_hook_state *state)
5669 {
5670 	return selinux_ip_output(skb, PF_INET);
5671 }
5672 
5673 #if IS_ENABLED(CONFIG_IPV6)
5674 static unsigned int selinux_ipv6_output(void *priv,
5675 					struct sk_buff *skb,
5676 					const struct nf_hook_state *state)
5677 {
5678 	return selinux_ip_output(skb, PF_INET6);
5679 }
5680 #endif	/* IPV6 */
5681 
5682 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5683 						int ifindex,
5684 						u16 family)
5685 {
5686 	struct sock *sk = skb_to_full_sk(skb);
5687 	struct sk_security_struct *sksec;
5688 	struct common_audit_data ad;
5689 	struct lsm_network_audit net = {0,};
5690 	char *addrp;
5691 	u8 proto;
5692 
5693 	if (sk == NULL)
5694 		return NF_ACCEPT;
5695 	sksec = sk->sk_security;
5696 
5697 	ad.type = LSM_AUDIT_DATA_NET;
5698 	ad.u.net = &net;
5699 	ad.u.net->netif = ifindex;
5700 	ad.u.net->family = family;
5701 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5702 		return NF_DROP;
5703 
5704 	if (selinux_secmark_enabled())
5705 		if (avc_has_perm(&selinux_state,
5706 				 sksec->sid, skb->secmark,
5707 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5708 			return NF_DROP_ERR(-ECONNREFUSED);
5709 
5710 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5711 		return NF_DROP_ERR(-ECONNREFUSED);
5712 
5713 	return NF_ACCEPT;
5714 }
5715 
5716 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5717 					 const struct net_device *outdev,
5718 					 u16 family)
5719 {
5720 	u32 secmark_perm;
5721 	u32 peer_sid;
5722 	int ifindex = outdev->ifindex;
5723 	struct sock *sk;
5724 	struct common_audit_data ad;
5725 	struct lsm_network_audit net = {0,};
5726 	char *addrp;
5727 	u8 secmark_active;
5728 	u8 peerlbl_active;
5729 
5730 	/* If any sort of compatibility mode is enabled then handoff processing
5731 	 * to the selinux_ip_postroute_compat() function to deal with the
5732 	 * special handling.  We do this in an attempt to keep this function
5733 	 * as fast and as clean as possible. */
5734 	if (!selinux_policycap_netpeer())
5735 		return selinux_ip_postroute_compat(skb, ifindex, family);
5736 
5737 	secmark_active = selinux_secmark_enabled();
5738 	peerlbl_active = selinux_peerlbl_enabled();
5739 	if (!secmark_active && !peerlbl_active)
5740 		return NF_ACCEPT;
5741 
5742 	sk = skb_to_full_sk(skb);
5743 
5744 #ifdef CONFIG_XFRM
5745 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5746 	 * packet transformation so allow the packet to pass without any checks
5747 	 * since we'll have another chance to perform access control checks
5748 	 * when the packet is on it's final way out.
5749 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5750 	 *       is NULL, in this case go ahead and apply access control.
5751 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5752 	 *       TCP listening state we cannot wait until the XFRM processing
5753 	 *       is done as we will miss out on the SA label if we do;
5754 	 *       unfortunately, this means more work, but it is only once per
5755 	 *       connection. */
5756 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5757 	    !(sk && sk_listener(sk)))
5758 		return NF_ACCEPT;
5759 #endif
5760 
5761 	if (sk == NULL) {
5762 		/* Without an associated socket the packet is either coming
5763 		 * from the kernel or it is being forwarded; check the packet
5764 		 * to determine which and if the packet is being forwarded
5765 		 * query the packet directly to determine the security label. */
5766 		if (skb->skb_iif) {
5767 			secmark_perm = PACKET__FORWARD_OUT;
5768 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5769 				return NF_DROP;
5770 		} else {
5771 			secmark_perm = PACKET__SEND;
5772 			peer_sid = SECINITSID_KERNEL;
5773 		}
5774 	} else if (sk_listener(sk)) {
5775 		/* Locally generated packet but the associated socket is in the
5776 		 * listening state which means this is a SYN-ACK packet.  In
5777 		 * this particular case the correct security label is assigned
5778 		 * to the connection/request_sock but unfortunately we can't
5779 		 * query the request_sock as it isn't queued on the parent
5780 		 * socket until after the SYN-ACK packet is sent; the only
5781 		 * viable choice is to regenerate the label like we do in
5782 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5783 		 * for similar problems. */
5784 		u32 skb_sid;
5785 		struct sk_security_struct *sksec;
5786 
5787 		sksec = sk->sk_security;
5788 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5789 			return NF_DROP;
5790 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5791 		 * and the packet has been through at least one XFRM
5792 		 * transformation then we must be dealing with the "final"
5793 		 * form of labeled IPsec packet; since we've already applied
5794 		 * all of our access controls on this packet we can safely
5795 		 * pass the packet. */
5796 		if (skb_sid == SECSID_NULL) {
5797 			switch (family) {
5798 			case PF_INET:
5799 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5800 					return NF_ACCEPT;
5801 				break;
5802 			case PF_INET6:
5803 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5804 					return NF_ACCEPT;
5805 				break;
5806 			default:
5807 				return NF_DROP_ERR(-ECONNREFUSED);
5808 			}
5809 		}
5810 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5811 			return NF_DROP;
5812 		secmark_perm = PACKET__SEND;
5813 	} else {
5814 		/* Locally generated packet, fetch the security label from the
5815 		 * associated socket. */
5816 		struct sk_security_struct *sksec = sk->sk_security;
5817 		peer_sid = sksec->sid;
5818 		secmark_perm = PACKET__SEND;
5819 	}
5820 
5821 	ad.type = LSM_AUDIT_DATA_NET;
5822 	ad.u.net = &net;
5823 	ad.u.net->netif = ifindex;
5824 	ad.u.net->family = family;
5825 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5826 		return NF_DROP;
5827 
5828 	if (secmark_active)
5829 		if (avc_has_perm(&selinux_state,
5830 				 peer_sid, skb->secmark,
5831 				 SECCLASS_PACKET, secmark_perm, &ad))
5832 			return NF_DROP_ERR(-ECONNREFUSED);
5833 
5834 	if (peerlbl_active) {
5835 		u32 if_sid;
5836 		u32 node_sid;
5837 
5838 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5839 			return NF_DROP;
5840 		if (avc_has_perm(&selinux_state,
5841 				 peer_sid, if_sid,
5842 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5843 			return NF_DROP_ERR(-ECONNREFUSED);
5844 
5845 		if (sel_netnode_sid(addrp, family, &node_sid))
5846 			return NF_DROP;
5847 		if (avc_has_perm(&selinux_state,
5848 				 peer_sid, node_sid,
5849 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5850 			return NF_DROP_ERR(-ECONNREFUSED);
5851 	}
5852 
5853 	return NF_ACCEPT;
5854 }
5855 
5856 static unsigned int selinux_ipv4_postroute(void *priv,
5857 					   struct sk_buff *skb,
5858 					   const struct nf_hook_state *state)
5859 {
5860 	return selinux_ip_postroute(skb, state->out, PF_INET);
5861 }
5862 
5863 #if IS_ENABLED(CONFIG_IPV6)
5864 static unsigned int selinux_ipv6_postroute(void *priv,
5865 					   struct sk_buff *skb,
5866 					   const struct nf_hook_state *state)
5867 {
5868 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5869 }
5870 #endif	/* IPV6 */
5871 
5872 #endif	/* CONFIG_NETFILTER */
5873 
5874 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5875 {
5876 	return selinux_nlmsg_perm(sk, skb);
5877 }
5878 
5879 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5880 {
5881 	isec->sclass = sclass;
5882 	isec->sid = current_sid();
5883 }
5884 
5885 static int msg_msg_alloc_security(struct msg_msg *msg)
5886 {
5887 	struct msg_security_struct *msec;
5888 
5889 	msec = selinux_msg_msg(msg);
5890 	msec->sid = SECINITSID_UNLABELED;
5891 
5892 	return 0;
5893 }
5894 
5895 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5896 			u32 perms)
5897 {
5898 	struct ipc_security_struct *isec;
5899 	struct common_audit_data ad;
5900 	u32 sid = current_sid();
5901 
5902 	isec = selinux_ipc(ipc_perms);
5903 
5904 	ad.type = LSM_AUDIT_DATA_IPC;
5905 	ad.u.ipc_id = ipc_perms->key;
5906 
5907 	return avc_has_perm(&selinux_state,
5908 			    sid, isec->sid, isec->sclass, perms, &ad);
5909 }
5910 
5911 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5912 {
5913 	return msg_msg_alloc_security(msg);
5914 }
5915 
5916 /* message queue security operations */
5917 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5918 {
5919 	struct ipc_security_struct *isec;
5920 	struct common_audit_data ad;
5921 	u32 sid = current_sid();
5922 	int rc;
5923 
5924 	isec = selinux_ipc(msq);
5925 	ipc_init_security(isec, SECCLASS_MSGQ);
5926 
5927 	ad.type = LSM_AUDIT_DATA_IPC;
5928 	ad.u.ipc_id = msq->key;
5929 
5930 	rc = avc_has_perm(&selinux_state,
5931 			  sid, isec->sid, SECCLASS_MSGQ,
5932 			  MSGQ__CREATE, &ad);
5933 	return rc;
5934 }
5935 
5936 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5937 {
5938 	struct ipc_security_struct *isec;
5939 	struct common_audit_data ad;
5940 	u32 sid = current_sid();
5941 
5942 	isec = selinux_ipc(msq);
5943 
5944 	ad.type = LSM_AUDIT_DATA_IPC;
5945 	ad.u.ipc_id = msq->key;
5946 
5947 	return avc_has_perm(&selinux_state,
5948 			    sid, isec->sid, SECCLASS_MSGQ,
5949 			    MSGQ__ASSOCIATE, &ad);
5950 }
5951 
5952 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5953 {
5954 	int err;
5955 	int perms;
5956 
5957 	switch (cmd) {
5958 	case IPC_INFO:
5959 	case MSG_INFO:
5960 		/* No specific object, just general system-wide information. */
5961 		return avc_has_perm(&selinux_state,
5962 				    current_sid(), SECINITSID_KERNEL,
5963 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5964 	case IPC_STAT:
5965 	case MSG_STAT:
5966 	case MSG_STAT_ANY:
5967 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5968 		break;
5969 	case IPC_SET:
5970 		perms = MSGQ__SETATTR;
5971 		break;
5972 	case IPC_RMID:
5973 		perms = MSGQ__DESTROY;
5974 		break;
5975 	default:
5976 		return 0;
5977 	}
5978 
5979 	err = ipc_has_perm(msq, perms);
5980 	return err;
5981 }
5982 
5983 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5984 {
5985 	struct ipc_security_struct *isec;
5986 	struct msg_security_struct *msec;
5987 	struct common_audit_data ad;
5988 	u32 sid = current_sid();
5989 	int rc;
5990 
5991 	isec = selinux_ipc(msq);
5992 	msec = selinux_msg_msg(msg);
5993 
5994 	/*
5995 	 * First time through, need to assign label to the message
5996 	 */
5997 	if (msec->sid == SECINITSID_UNLABELED) {
5998 		/*
5999 		 * Compute new sid based on current process and
6000 		 * message queue this message will be stored in
6001 		 */
6002 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6003 					     SECCLASS_MSG, NULL, &msec->sid);
6004 		if (rc)
6005 			return rc;
6006 	}
6007 
6008 	ad.type = LSM_AUDIT_DATA_IPC;
6009 	ad.u.ipc_id = msq->key;
6010 
6011 	/* Can this process write to the queue? */
6012 	rc = avc_has_perm(&selinux_state,
6013 			  sid, isec->sid, SECCLASS_MSGQ,
6014 			  MSGQ__WRITE, &ad);
6015 	if (!rc)
6016 		/* Can this process send the message */
6017 		rc = avc_has_perm(&selinux_state,
6018 				  sid, msec->sid, SECCLASS_MSG,
6019 				  MSG__SEND, &ad);
6020 	if (!rc)
6021 		/* Can the message be put in the queue? */
6022 		rc = avc_has_perm(&selinux_state,
6023 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6024 				  MSGQ__ENQUEUE, &ad);
6025 
6026 	return rc;
6027 }
6028 
6029 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6030 				    struct task_struct *target,
6031 				    long type, int mode)
6032 {
6033 	struct ipc_security_struct *isec;
6034 	struct msg_security_struct *msec;
6035 	struct common_audit_data ad;
6036 	u32 sid = task_sid(target);
6037 	int rc;
6038 
6039 	isec = selinux_ipc(msq);
6040 	msec = selinux_msg_msg(msg);
6041 
6042 	ad.type = LSM_AUDIT_DATA_IPC;
6043 	ad.u.ipc_id = msq->key;
6044 
6045 	rc = avc_has_perm(&selinux_state,
6046 			  sid, isec->sid,
6047 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6048 	if (!rc)
6049 		rc = avc_has_perm(&selinux_state,
6050 				  sid, msec->sid,
6051 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6052 	return rc;
6053 }
6054 
6055 /* Shared Memory security operations */
6056 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6057 {
6058 	struct ipc_security_struct *isec;
6059 	struct common_audit_data ad;
6060 	u32 sid = current_sid();
6061 	int rc;
6062 
6063 	isec = selinux_ipc(shp);
6064 	ipc_init_security(isec, SECCLASS_SHM);
6065 
6066 	ad.type = LSM_AUDIT_DATA_IPC;
6067 	ad.u.ipc_id = shp->key;
6068 
6069 	rc = avc_has_perm(&selinux_state,
6070 			  sid, isec->sid, SECCLASS_SHM,
6071 			  SHM__CREATE, &ad);
6072 	return rc;
6073 }
6074 
6075 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6076 {
6077 	struct ipc_security_struct *isec;
6078 	struct common_audit_data ad;
6079 	u32 sid = current_sid();
6080 
6081 	isec = selinux_ipc(shp);
6082 
6083 	ad.type = LSM_AUDIT_DATA_IPC;
6084 	ad.u.ipc_id = shp->key;
6085 
6086 	return avc_has_perm(&selinux_state,
6087 			    sid, isec->sid, SECCLASS_SHM,
6088 			    SHM__ASSOCIATE, &ad);
6089 }
6090 
6091 /* Note, at this point, shp is locked down */
6092 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6093 {
6094 	int perms;
6095 	int err;
6096 
6097 	switch (cmd) {
6098 	case IPC_INFO:
6099 	case SHM_INFO:
6100 		/* No specific object, just general system-wide information. */
6101 		return avc_has_perm(&selinux_state,
6102 				    current_sid(), SECINITSID_KERNEL,
6103 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6104 	case IPC_STAT:
6105 	case SHM_STAT:
6106 	case SHM_STAT_ANY:
6107 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6108 		break;
6109 	case IPC_SET:
6110 		perms = SHM__SETATTR;
6111 		break;
6112 	case SHM_LOCK:
6113 	case SHM_UNLOCK:
6114 		perms = SHM__LOCK;
6115 		break;
6116 	case IPC_RMID:
6117 		perms = SHM__DESTROY;
6118 		break;
6119 	default:
6120 		return 0;
6121 	}
6122 
6123 	err = ipc_has_perm(shp, perms);
6124 	return err;
6125 }
6126 
6127 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6128 			     char __user *shmaddr, int shmflg)
6129 {
6130 	u32 perms;
6131 
6132 	if (shmflg & SHM_RDONLY)
6133 		perms = SHM__READ;
6134 	else
6135 		perms = SHM__READ | SHM__WRITE;
6136 
6137 	return ipc_has_perm(shp, perms);
6138 }
6139 
6140 /* Semaphore security operations */
6141 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6142 {
6143 	struct ipc_security_struct *isec;
6144 	struct common_audit_data ad;
6145 	u32 sid = current_sid();
6146 	int rc;
6147 
6148 	isec = selinux_ipc(sma);
6149 	ipc_init_security(isec, SECCLASS_SEM);
6150 
6151 	ad.type = LSM_AUDIT_DATA_IPC;
6152 	ad.u.ipc_id = sma->key;
6153 
6154 	rc = avc_has_perm(&selinux_state,
6155 			  sid, isec->sid, SECCLASS_SEM,
6156 			  SEM__CREATE, &ad);
6157 	return rc;
6158 }
6159 
6160 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6161 {
6162 	struct ipc_security_struct *isec;
6163 	struct common_audit_data ad;
6164 	u32 sid = current_sid();
6165 
6166 	isec = selinux_ipc(sma);
6167 
6168 	ad.type = LSM_AUDIT_DATA_IPC;
6169 	ad.u.ipc_id = sma->key;
6170 
6171 	return avc_has_perm(&selinux_state,
6172 			    sid, isec->sid, SECCLASS_SEM,
6173 			    SEM__ASSOCIATE, &ad);
6174 }
6175 
6176 /* Note, at this point, sma is locked down */
6177 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6178 {
6179 	int err;
6180 	u32 perms;
6181 
6182 	switch (cmd) {
6183 	case IPC_INFO:
6184 	case SEM_INFO:
6185 		/* No specific object, just general system-wide information. */
6186 		return avc_has_perm(&selinux_state,
6187 				    current_sid(), SECINITSID_KERNEL,
6188 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6189 	case GETPID:
6190 	case GETNCNT:
6191 	case GETZCNT:
6192 		perms = SEM__GETATTR;
6193 		break;
6194 	case GETVAL:
6195 	case GETALL:
6196 		perms = SEM__READ;
6197 		break;
6198 	case SETVAL:
6199 	case SETALL:
6200 		perms = SEM__WRITE;
6201 		break;
6202 	case IPC_RMID:
6203 		perms = SEM__DESTROY;
6204 		break;
6205 	case IPC_SET:
6206 		perms = SEM__SETATTR;
6207 		break;
6208 	case IPC_STAT:
6209 	case SEM_STAT:
6210 	case SEM_STAT_ANY:
6211 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6212 		break;
6213 	default:
6214 		return 0;
6215 	}
6216 
6217 	err = ipc_has_perm(sma, perms);
6218 	return err;
6219 }
6220 
6221 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6222 			     struct sembuf *sops, unsigned nsops, int alter)
6223 {
6224 	u32 perms;
6225 
6226 	if (alter)
6227 		perms = SEM__READ | SEM__WRITE;
6228 	else
6229 		perms = SEM__READ;
6230 
6231 	return ipc_has_perm(sma, perms);
6232 }
6233 
6234 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6235 {
6236 	u32 av = 0;
6237 
6238 	av = 0;
6239 	if (flag & S_IRUGO)
6240 		av |= IPC__UNIX_READ;
6241 	if (flag & S_IWUGO)
6242 		av |= IPC__UNIX_WRITE;
6243 
6244 	if (av == 0)
6245 		return 0;
6246 
6247 	return ipc_has_perm(ipcp, av);
6248 }
6249 
6250 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6251 {
6252 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6253 	*secid = isec->sid;
6254 }
6255 
6256 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6257 {
6258 	if (inode)
6259 		inode_doinit_with_dentry(inode, dentry);
6260 }
6261 
6262 static int selinux_getprocattr(struct task_struct *p,
6263 			       char *name, char **value)
6264 {
6265 	const struct task_security_struct *__tsec;
6266 	u32 sid;
6267 	int error;
6268 	unsigned len;
6269 
6270 	rcu_read_lock();
6271 	__tsec = selinux_cred(__task_cred(p));
6272 
6273 	if (current != p) {
6274 		error = avc_has_perm(&selinux_state,
6275 				     current_sid(), __tsec->sid,
6276 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6277 		if (error)
6278 			goto bad;
6279 	}
6280 
6281 	if (!strcmp(name, "current"))
6282 		sid = __tsec->sid;
6283 	else if (!strcmp(name, "prev"))
6284 		sid = __tsec->osid;
6285 	else if (!strcmp(name, "exec"))
6286 		sid = __tsec->exec_sid;
6287 	else if (!strcmp(name, "fscreate"))
6288 		sid = __tsec->create_sid;
6289 	else if (!strcmp(name, "keycreate"))
6290 		sid = __tsec->keycreate_sid;
6291 	else if (!strcmp(name, "sockcreate"))
6292 		sid = __tsec->sockcreate_sid;
6293 	else {
6294 		error = -EINVAL;
6295 		goto bad;
6296 	}
6297 	rcu_read_unlock();
6298 
6299 	if (!sid)
6300 		return 0;
6301 
6302 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6303 	if (error)
6304 		return error;
6305 	return len;
6306 
6307 bad:
6308 	rcu_read_unlock();
6309 	return error;
6310 }
6311 
6312 static int selinux_setprocattr(const char *name, void *value, size_t size)
6313 {
6314 	struct task_security_struct *tsec;
6315 	struct cred *new;
6316 	u32 mysid = current_sid(), sid = 0, ptsid;
6317 	int error;
6318 	char *str = value;
6319 
6320 	/*
6321 	 * Basic control over ability to set these attributes at all.
6322 	 */
6323 	if (!strcmp(name, "exec"))
6324 		error = avc_has_perm(&selinux_state,
6325 				     mysid, mysid, SECCLASS_PROCESS,
6326 				     PROCESS__SETEXEC, NULL);
6327 	else if (!strcmp(name, "fscreate"))
6328 		error = avc_has_perm(&selinux_state,
6329 				     mysid, mysid, SECCLASS_PROCESS,
6330 				     PROCESS__SETFSCREATE, NULL);
6331 	else if (!strcmp(name, "keycreate"))
6332 		error = avc_has_perm(&selinux_state,
6333 				     mysid, mysid, SECCLASS_PROCESS,
6334 				     PROCESS__SETKEYCREATE, NULL);
6335 	else if (!strcmp(name, "sockcreate"))
6336 		error = avc_has_perm(&selinux_state,
6337 				     mysid, mysid, SECCLASS_PROCESS,
6338 				     PROCESS__SETSOCKCREATE, NULL);
6339 	else if (!strcmp(name, "current"))
6340 		error = avc_has_perm(&selinux_state,
6341 				     mysid, mysid, SECCLASS_PROCESS,
6342 				     PROCESS__SETCURRENT, NULL);
6343 	else
6344 		error = -EINVAL;
6345 	if (error)
6346 		return error;
6347 
6348 	/* Obtain a SID for the context, if one was specified. */
6349 	if (size && str[0] && str[0] != '\n') {
6350 		if (str[size-1] == '\n') {
6351 			str[size-1] = 0;
6352 			size--;
6353 		}
6354 		error = security_context_to_sid(&selinux_state, value, size,
6355 						&sid, GFP_KERNEL);
6356 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6357 			if (!has_cap_mac_admin(true)) {
6358 				struct audit_buffer *ab;
6359 				size_t audit_size;
6360 
6361 				/* We strip a nul only if it is at the end, otherwise the
6362 				 * context contains a nul and we should audit that */
6363 				if (str[size - 1] == '\0')
6364 					audit_size = size - 1;
6365 				else
6366 					audit_size = size;
6367 				ab = audit_log_start(audit_context(),
6368 						     GFP_ATOMIC,
6369 						     AUDIT_SELINUX_ERR);
6370 				audit_log_format(ab, "op=fscreate invalid_context=");
6371 				audit_log_n_untrustedstring(ab, value, audit_size);
6372 				audit_log_end(ab);
6373 
6374 				return error;
6375 			}
6376 			error = security_context_to_sid_force(
6377 						      &selinux_state,
6378 						      value, size, &sid);
6379 		}
6380 		if (error)
6381 			return error;
6382 	}
6383 
6384 	new = prepare_creds();
6385 	if (!new)
6386 		return -ENOMEM;
6387 
6388 	/* Permission checking based on the specified context is
6389 	   performed during the actual operation (execve,
6390 	   open/mkdir/...), when we know the full context of the
6391 	   operation.  See selinux_bprm_set_creds for the execve
6392 	   checks and may_create for the file creation checks. The
6393 	   operation will then fail if the context is not permitted. */
6394 	tsec = selinux_cred(new);
6395 	if (!strcmp(name, "exec")) {
6396 		tsec->exec_sid = sid;
6397 	} else if (!strcmp(name, "fscreate")) {
6398 		tsec->create_sid = sid;
6399 	} else if (!strcmp(name, "keycreate")) {
6400 		if (sid) {
6401 			error = avc_has_perm(&selinux_state, mysid, sid,
6402 					     SECCLASS_KEY, KEY__CREATE, NULL);
6403 			if (error)
6404 				goto abort_change;
6405 		}
6406 		tsec->keycreate_sid = sid;
6407 	} else if (!strcmp(name, "sockcreate")) {
6408 		tsec->sockcreate_sid = sid;
6409 	} else if (!strcmp(name, "current")) {
6410 		error = -EINVAL;
6411 		if (sid == 0)
6412 			goto abort_change;
6413 
6414 		/* Only allow single threaded processes to change context */
6415 		error = -EPERM;
6416 		if (!current_is_single_threaded()) {
6417 			error = security_bounded_transition(&selinux_state,
6418 							    tsec->sid, sid);
6419 			if (error)
6420 				goto abort_change;
6421 		}
6422 
6423 		/* Check permissions for the transition. */
6424 		error = avc_has_perm(&selinux_state,
6425 				     tsec->sid, sid, SECCLASS_PROCESS,
6426 				     PROCESS__DYNTRANSITION, NULL);
6427 		if (error)
6428 			goto abort_change;
6429 
6430 		/* Check for ptracing, and update the task SID if ok.
6431 		   Otherwise, leave SID unchanged and fail. */
6432 		ptsid = ptrace_parent_sid();
6433 		if (ptsid != 0) {
6434 			error = avc_has_perm(&selinux_state,
6435 					     ptsid, sid, SECCLASS_PROCESS,
6436 					     PROCESS__PTRACE, NULL);
6437 			if (error)
6438 				goto abort_change;
6439 		}
6440 
6441 		tsec->sid = sid;
6442 	} else {
6443 		error = -EINVAL;
6444 		goto abort_change;
6445 	}
6446 
6447 	commit_creds(new);
6448 	return size;
6449 
6450 abort_change:
6451 	abort_creds(new);
6452 	return error;
6453 }
6454 
6455 static int selinux_ismaclabel(const char *name)
6456 {
6457 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6458 }
6459 
6460 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6461 {
6462 	return security_sid_to_context(&selinux_state, secid,
6463 				       secdata, seclen);
6464 }
6465 
6466 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6467 {
6468 	return security_context_to_sid(&selinux_state, secdata, seclen,
6469 				       secid, GFP_KERNEL);
6470 }
6471 
6472 static void selinux_release_secctx(char *secdata, u32 seclen)
6473 {
6474 	kfree(secdata);
6475 }
6476 
6477 static void selinux_inode_invalidate_secctx(struct inode *inode)
6478 {
6479 	struct inode_security_struct *isec = selinux_inode(inode);
6480 
6481 	spin_lock(&isec->lock);
6482 	isec->initialized = LABEL_INVALID;
6483 	spin_unlock(&isec->lock);
6484 }
6485 
6486 /*
6487  *	called with inode->i_mutex locked
6488  */
6489 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6490 {
6491 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6492 					   ctx, ctxlen, 0);
6493 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6494 	return rc == -EOPNOTSUPP ? 0 : rc;
6495 }
6496 
6497 /*
6498  *	called with inode->i_mutex locked
6499  */
6500 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6501 {
6502 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6503 }
6504 
6505 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6506 {
6507 	int len = 0;
6508 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6509 						ctx, true);
6510 	if (len < 0)
6511 		return len;
6512 	*ctxlen = len;
6513 	return 0;
6514 }
6515 #ifdef CONFIG_KEYS
6516 
6517 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6518 			     unsigned long flags)
6519 {
6520 	const struct task_security_struct *tsec;
6521 	struct key_security_struct *ksec;
6522 
6523 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6524 	if (!ksec)
6525 		return -ENOMEM;
6526 
6527 	tsec = selinux_cred(cred);
6528 	if (tsec->keycreate_sid)
6529 		ksec->sid = tsec->keycreate_sid;
6530 	else
6531 		ksec->sid = tsec->sid;
6532 
6533 	k->security = ksec;
6534 	return 0;
6535 }
6536 
6537 static void selinux_key_free(struct key *k)
6538 {
6539 	struct key_security_struct *ksec = k->security;
6540 
6541 	k->security = NULL;
6542 	kfree(ksec);
6543 }
6544 
6545 static int selinux_key_permission(key_ref_t key_ref,
6546 				  const struct cred *cred,
6547 				  unsigned perm)
6548 {
6549 	struct key *key;
6550 	struct key_security_struct *ksec;
6551 	u32 sid;
6552 
6553 	/* if no specific permissions are requested, we skip the
6554 	   permission check. No serious, additional covert channels
6555 	   appear to be created. */
6556 	if (perm == 0)
6557 		return 0;
6558 
6559 	sid = cred_sid(cred);
6560 
6561 	key = key_ref_to_ptr(key_ref);
6562 	ksec = key->security;
6563 
6564 	return avc_has_perm(&selinux_state,
6565 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6566 }
6567 
6568 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6569 {
6570 	struct key_security_struct *ksec = key->security;
6571 	char *context = NULL;
6572 	unsigned len;
6573 	int rc;
6574 
6575 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6576 				     &context, &len);
6577 	if (!rc)
6578 		rc = len;
6579 	*_buffer = context;
6580 	return rc;
6581 }
6582 #endif
6583 
6584 #ifdef CONFIG_SECURITY_INFINIBAND
6585 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6586 {
6587 	struct common_audit_data ad;
6588 	int err;
6589 	u32 sid = 0;
6590 	struct ib_security_struct *sec = ib_sec;
6591 	struct lsm_ibpkey_audit ibpkey;
6592 
6593 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6594 	if (err)
6595 		return err;
6596 
6597 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6598 	ibpkey.subnet_prefix = subnet_prefix;
6599 	ibpkey.pkey = pkey_val;
6600 	ad.u.ibpkey = &ibpkey;
6601 	return avc_has_perm(&selinux_state,
6602 			    sec->sid, sid,
6603 			    SECCLASS_INFINIBAND_PKEY,
6604 			    INFINIBAND_PKEY__ACCESS, &ad);
6605 }
6606 
6607 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6608 					    u8 port_num)
6609 {
6610 	struct common_audit_data ad;
6611 	int err;
6612 	u32 sid = 0;
6613 	struct ib_security_struct *sec = ib_sec;
6614 	struct lsm_ibendport_audit ibendport;
6615 
6616 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6617 				      &sid);
6618 
6619 	if (err)
6620 		return err;
6621 
6622 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6623 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6624 	ibendport.port = port_num;
6625 	ad.u.ibendport = &ibendport;
6626 	return avc_has_perm(&selinux_state,
6627 			    sec->sid, sid,
6628 			    SECCLASS_INFINIBAND_ENDPORT,
6629 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6630 }
6631 
6632 static int selinux_ib_alloc_security(void **ib_sec)
6633 {
6634 	struct ib_security_struct *sec;
6635 
6636 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6637 	if (!sec)
6638 		return -ENOMEM;
6639 	sec->sid = current_sid();
6640 
6641 	*ib_sec = sec;
6642 	return 0;
6643 }
6644 
6645 static void selinux_ib_free_security(void *ib_sec)
6646 {
6647 	kfree(ib_sec);
6648 }
6649 #endif
6650 
6651 #ifdef CONFIG_BPF_SYSCALL
6652 static int selinux_bpf(int cmd, union bpf_attr *attr,
6653 				     unsigned int size)
6654 {
6655 	u32 sid = current_sid();
6656 	int ret;
6657 
6658 	switch (cmd) {
6659 	case BPF_MAP_CREATE:
6660 		ret = avc_has_perm(&selinux_state,
6661 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6662 				   NULL);
6663 		break;
6664 	case BPF_PROG_LOAD:
6665 		ret = avc_has_perm(&selinux_state,
6666 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6667 				   NULL);
6668 		break;
6669 	default:
6670 		ret = 0;
6671 		break;
6672 	}
6673 
6674 	return ret;
6675 }
6676 
6677 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6678 {
6679 	u32 av = 0;
6680 
6681 	if (fmode & FMODE_READ)
6682 		av |= BPF__MAP_READ;
6683 	if (fmode & FMODE_WRITE)
6684 		av |= BPF__MAP_WRITE;
6685 	return av;
6686 }
6687 
6688 /* This function will check the file pass through unix socket or binder to see
6689  * if it is a bpf related object. And apply correspinding checks on the bpf
6690  * object based on the type. The bpf maps and programs, not like other files and
6691  * socket, are using a shared anonymous inode inside the kernel as their inode.
6692  * So checking that inode cannot identify if the process have privilege to
6693  * access the bpf object and that's why we have to add this additional check in
6694  * selinux_file_receive and selinux_binder_transfer_files.
6695  */
6696 static int bpf_fd_pass(struct file *file, u32 sid)
6697 {
6698 	struct bpf_security_struct *bpfsec;
6699 	struct bpf_prog *prog;
6700 	struct bpf_map *map;
6701 	int ret;
6702 
6703 	if (file->f_op == &bpf_map_fops) {
6704 		map = file->private_data;
6705 		bpfsec = map->security;
6706 		ret = avc_has_perm(&selinux_state,
6707 				   sid, bpfsec->sid, SECCLASS_BPF,
6708 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6709 		if (ret)
6710 			return ret;
6711 	} else if (file->f_op == &bpf_prog_fops) {
6712 		prog = file->private_data;
6713 		bpfsec = prog->aux->security;
6714 		ret = avc_has_perm(&selinux_state,
6715 				   sid, bpfsec->sid, SECCLASS_BPF,
6716 				   BPF__PROG_RUN, NULL);
6717 		if (ret)
6718 			return ret;
6719 	}
6720 	return 0;
6721 }
6722 
6723 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6724 {
6725 	u32 sid = current_sid();
6726 	struct bpf_security_struct *bpfsec;
6727 
6728 	bpfsec = map->security;
6729 	return avc_has_perm(&selinux_state,
6730 			    sid, bpfsec->sid, SECCLASS_BPF,
6731 			    bpf_map_fmode_to_av(fmode), NULL);
6732 }
6733 
6734 static int selinux_bpf_prog(struct bpf_prog *prog)
6735 {
6736 	u32 sid = current_sid();
6737 	struct bpf_security_struct *bpfsec;
6738 
6739 	bpfsec = prog->aux->security;
6740 	return avc_has_perm(&selinux_state,
6741 			    sid, bpfsec->sid, SECCLASS_BPF,
6742 			    BPF__PROG_RUN, NULL);
6743 }
6744 
6745 static int selinux_bpf_map_alloc(struct bpf_map *map)
6746 {
6747 	struct bpf_security_struct *bpfsec;
6748 
6749 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6750 	if (!bpfsec)
6751 		return -ENOMEM;
6752 
6753 	bpfsec->sid = current_sid();
6754 	map->security = bpfsec;
6755 
6756 	return 0;
6757 }
6758 
6759 static void selinux_bpf_map_free(struct bpf_map *map)
6760 {
6761 	struct bpf_security_struct *bpfsec = map->security;
6762 
6763 	map->security = NULL;
6764 	kfree(bpfsec);
6765 }
6766 
6767 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6768 {
6769 	struct bpf_security_struct *bpfsec;
6770 
6771 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6772 	if (!bpfsec)
6773 		return -ENOMEM;
6774 
6775 	bpfsec->sid = current_sid();
6776 	aux->security = bpfsec;
6777 
6778 	return 0;
6779 }
6780 
6781 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6782 {
6783 	struct bpf_security_struct *bpfsec = aux->security;
6784 
6785 	aux->security = NULL;
6786 	kfree(bpfsec);
6787 }
6788 #endif
6789 
6790 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6791 	.lbs_cred = sizeof(struct task_security_struct),
6792 	.lbs_file = sizeof(struct file_security_struct),
6793 	.lbs_inode = sizeof(struct inode_security_struct),
6794 	.lbs_ipc = sizeof(struct ipc_security_struct),
6795 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6796 };
6797 
6798 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6799 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6800 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6801 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6802 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6803 
6804 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6805 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6806 	LSM_HOOK_INIT(capget, selinux_capget),
6807 	LSM_HOOK_INIT(capset, selinux_capset),
6808 	LSM_HOOK_INIT(capable, selinux_capable),
6809 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6810 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6811 	LSM_HOOK_INIT(syslog, selinux_syslog),
6812 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6813 
6814 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6815 
6816 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6817 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6818 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6819 
6820 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6821 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6822 
6823 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6824 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6825 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6826 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6827 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6828 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6829 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6830 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6831 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6832 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6833 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6834 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6835 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6836 
6837 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6838 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6839 
6840 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6841 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6842 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6843 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6844 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6845 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6846 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6847 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6848 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6849 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6850 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6851 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6852 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6853 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6854 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6855 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6856 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6857 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6858 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6859 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6860 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6861 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6862 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6863 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6864 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6865 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6866 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6867 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
6868 
6869 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6870 
6871 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6872 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6873 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6874 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6875 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6876 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6877 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6878 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6879 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6880 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6881 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6882 
6883 	LSM_HOOK_INIT(file_open, selinux_file_open),
6884 
6885 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6886 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6887 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6888 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6889 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6890 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6891 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6892 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6893 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6894 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6895 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6896 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6897 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6898 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6899 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6900 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6901 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6902 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6903 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6904 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6905 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6906 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6907 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6908 
6909 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6910 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6911 
6912 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6913 
6914 	LSM_HOOK_INIT(msg_queue_alloc_security,
6915 			selinux_msg_queue_alloc_security),
6916 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6917 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6918 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6919 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6920 
6921 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6922 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6923 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6924 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6925 
6926 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6927 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6928 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6929 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6930 
6931 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6932 
6933 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6934 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6935 
6936 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6937 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6938 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6939 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6940 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6941 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6942 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6943 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6944 
6945 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6946 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6947 
6948 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
6949 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6950 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
6951 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6952 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6953 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6954 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6955 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6956 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6957 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6958 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6959 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6960 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6961 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6962 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6963 	LSM_HOOK_INIT(socket_getpeersec_stream,
6964 			selinux_socket_getpeersec_stream),
6965 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6966 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6967 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6968 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6969 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6970 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6971 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
6972 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
6973 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
6974 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6975 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6976 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6977 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6978 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6979 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6980 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6981 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6982 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6983 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6984 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6985 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6986 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6987 #ifdef CONFIG_SECURITY_INFINIBAND
6988 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6989 	LSM_HOOK_INIT(ib_endport_manage_subnet,
6990 		      selinux_ib_endport_manage_subnet),
6991 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6992 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6993 #endif
6994 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6995 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6996 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6997 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6998 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6999 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7000 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7001 			selinux_xfrm_state_alloc_acquire),
7002 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7003 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7004 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7005 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7006 			selinux_xfrm_state_pol_flow_match),
7007 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7008 #endif
7009 
7010 #ifdef CONFIG_KEYS
7011 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7012 	LSM_HOOK_INIT(key_free, selinux_key_free),
7013 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7014 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7015 #endif
7016 
7017 #ifdef CONFIG_AUDIT
7018 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7019 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7020 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7021 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7022 #endif
7023 
7024 #ifdef CONFIG_BPF_SYSCALL
7025 	LSM_HOOK_INIT(bpf, selinux_bpf),
7026 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7027 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7028 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7029 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7030 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7031 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7032 #endif
7033 };
7034 
7035 static __init int selinux_init(void)
7036 {
7037 	pr_info("SELinux:  Initializing.\n");
7038 
7039 	memset(&selinux_state, 0, sizeof(selinux_state));
7040 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7041 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7042 	selinux_ss_init(&selinux_state.ss);
7043 	selinux_avc_init(&selinux_state.avc);
7044 
7045 	/* Set the security state for the initial task. */
7046 	cred_init_security();
7047 
7048 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7049 
7050 	avc_init();
7051 
7052 	avtab_cache_init();
7053 
7054 	ebitmap_cache_init();
7055 
7056 	hashtab_cache_init();
7057 
7058 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7059 
7060 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7061 		panic("SELinux: Unable to register AVC netcache callback\n");
7062 
7063 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7064 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7065 
7066 	if (selinux_enforcing_boot)
7067 		pr_debug("SELinux:  Starting in enforcing mode\n");
7068 	else
7069 		pr_debug("SELinux:  Starting in permissive mode\n");
7070 
7071 	fs_validate_description(&selinux_fs_parameters);
7072 
7073 	return 0;
7074 }
7075 
7076 static void delayed_superblock_init(struct super_block *sb, void *unused)
7077 {
7078 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7079 }
7080 
7081 void selinux_complete_init(void)
7082 {
7083 	pr_debug("SELinux:  Completing initialization.\n");
7084 
7085 	/* Set up any superblocks initialized prior to the policy load. */
7086 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7087 	iterate_supers(delayed_superblock_init, NULL);
7088 }
7089 
7090 /* SELinux requires early initialization in order to label
7091    all processes and objects when they are created. */
7092 DEFINE_LSM(selinux) = {
7093 	.name = "selinux",
7094 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7095 	.enabled = &selinux_enabled,
7096 	.blobs = &selinux_blob_sizes,
7097 	.init = selinux_init,
7098 };
7099 
7100 #if defined(CONFIG_NETFILTER)
7101 
7102 static const struct nf_hook_ops selinux_nf_ops[] = {
7103 	{
7104 		.hook =		selinux_ipv4_postroute,
7105 		.pf =		NFPROTO_IPV4,
7106 		.hooknum =	NF_INET_POST_ROUTING,
7107 		.priority =	NF_IP_PRI_SELINUX_LAST,
7108 	},
7109 	{
7110 		.hook =		selinux_ipv4_forward,
7111 		.pf =		NFPROTO_IPV4,
7112 		.hooknum =	NF_INET_FORWARD,
7113 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7114 	},
7115 	{
7116 		.hook =		selinux_ipv4_output,
7117 		.pf =		NFPROTO_IPV4,
7118 		.hooknum =	NF_INET_LOCAL_OUT,
7119 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7120 	},
7121 #if IS_ENABLED(CONFIG_IPV6)
7122 	{
7123 		.hook =		selinux_ipv6_postroute,
7124 		.pf =		NFPROTO_IPV6,
7125 		.hooknum =	NF_INET_POST_ROUTING,
7126 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7127 	},
7128 	{
7129 		.hook =		selinux_ipv6_forward,
7130 		.pf =		NFPROTO_IPV6,
7131 		.hooknum =	NF_INET_FORWARD,
7132 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7133 	},
7134 	{
7135 		.hook =		selinux_ipv6_output,
7136 		.pf =		NFPROTO_IPV6,
7137 		.hooknum =	NF_INET_LOCAL_OUT,
7138 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7139 	},
7140 #endif	/* IPV6 */
7141 };
7142 
7143 static int __net_init selinux_nf_register(struct net *net)
7144 {
7145 	return nf_register_net_hooks(net, selinux_nf_ops,
7146 				     ARRAY_SIZE(selinux_nf_ops));
7147 }
7148 
7149 static void __net_exit selinux_nf_unregister(struct net *net)
7150 {
7151 	nf_unregister_net_hooks(net, selinux_nf_ops,
7152 				ARRAY_SIZE(selinux_nf_ops));
7153 }
7154 
7155 static struct pernet_operations selinux_net_ops = {
7156 	.init = selinux_nf_register,
7157 	.exit = selinux_nf_unregister,
7158 };
7159 
7160 static int __init selinux_nf_ip_init(void)
7161 {
7162 	int err;
7163 
7164 	if (!selinux_enabled)
7165 		return 0;
7166 
7167 	pr_debug("SELinux:  Registering netfilter hooks\n");
7168 
7169 	err = register_pernet_subsys(&selinux_net_ops);
7170 	if (err)
7171 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7172 
7173 	return 0;
7174 }
7175 __initcall(selinux_nf_ip_init);
7176 
7177 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7178 static void selinux_nf_ip_exit(void)
7179 {
7180 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7181 
7182 	unregister_pernet_subsys(&selinux_net_ops);
7183 }
7184 #endif
7185 
7186 #else /* CONFIG_NETFILTER */
7187 
7188 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7189 #define selinux_nf_ip_exit()
7190 #endif
7191 
7192 #endif /* CONFIG_NETFILTER */
7193 
7194 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7195 int selinux_disable(struct selinux_state *state)
7196 {
7197 	if (state->initialized) {
7198 		/* Not permitted after initial policy load. */
7199 		return -EINVAL;
7200 	}
7201 
7202 	if (state->disabled) {
7203 		/* Only do this once. */
7204 		return -EINVAL;
7205 	}
7206 
7207 	state->disabled = 1;
7208 
7209 	pr_info("SELinux:  Disabled at runtime.\n");
7210 
7211 	selinux_enabled = 0;
7212 
7213 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7214 
7215 	/* Try to destroy the avc node cache */
7216 	avc_disable();
7217 
7218 	/* Unregister netfilter hooks. */
7219 	selinux_nf_ip_exit();
7220 
7221 	/* Unregister selinuxfs. */
7222 	exit_sel_fs();
7223 
7224 	return 0;
7225 }
7226 #endif
7227