xref: /openbmc/linux/security/selinux/hooks.c (revision e2ad626f)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 #define SELINUX_INODE_INIT_XATTRS 1
108 
109 struct selinux_state selinux_state;
110 
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113 
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116 
117 static int __init enforcing_setup(char *str)
118 {
119 	unsigned long enforcing;
120 	if (!kstrtoul(str, 0, &enforcing))
121 		selinux_enforcing_boot = enforcing ? 1 : 0;
122 	return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128 
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
131 static int __init selinux_enabled_setup(char *str)
132 {
133 	unsigned long enabled;
134 	if (!kstrtoul(str, 0, &enabled))
135 		selinux_enabled_boot = enabled ? 1 : 0;
136 	return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		if (checkreqprot)
147 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
148 	}
149 	return 1;
150 }
151 __setup("checkreqprot=", checkreqprot_setup);
152 
153 /**
154  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155  *
156  * Description:
157  * This function checks the SECMARK reference counter to see if any SECMARK
158  * targets are currently configured, if the reference counter is greater than
159  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
160  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
161  * policy capability is enabled, SECMARK is always considered enabled.
162  *
163  */
164 static int selinux_secmark_enabled(void)
165 {
166 	return (selinux_policycap_alwaysnetwork() ||
167 		atomic_read(&selinux_secmark_refcount));
168 }
169 
170 /**
171  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172  *
173  * Description:
174  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
175  * (1) if any are enabled or false (0) if neither are enabled.  If the
176  * always_check_network policy capability is enabled, peer labeling
177  * is always considered enabled.
178  *
179  */
180 static int selinux_peerlbl_enabled(void)
181 {
182 	return (selinux_policycap_alwaysnetwork() ||
183 		netlbl_enabled() || selinux_xfrm_enabled());
184 }
185 
186 static int selinux_netcache_avc_callback(u32 event)
187 {
188 	if (event == AVC_CALLBACK_RESET) {
189 		sel_netif_flush();
190 		sel_netnode_flush();
191 		sel_netport_flush();
192 		synchronize_net();
193 	}
194 	return 0;
195 }
196 
197 static int selinux_lsm_notifier_avc_callback(u32 event)
198 {
199 	if (event == AVC_CALLBACK_RESET) {
200 		sel_ib_pkey_flush();
201 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
202 	}
203 
204 	return 0;
205 }
206 
207 /*
208  * initialise the security for the init task
209  */
210 static void cred_init_security(void)
211 {
212 	struct task_security_struct *tsec;
213 
214 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
215 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217 
218 /*
219  * get the security ID of a set of credentials
220  */
221 static inline u32 cred_sid(const struct cred *cred)
222 {
223 	const struct task_security_struct *tsec;
224 
225 	tsec = selinux_cred(cred);
226 	return tsec->sid;
227 }
228 
229 static void __ad_net_init(struct common_audit_data *ad,
230 			  struct lsm_network_audit *net,
231 			  int ifindex, struct sock *sk, u16 family)
232 {
233 	ad->type = LSM_AUDIT_DATA_NET;
234 	ad->u.net = net;
235 	net->netif = ifindex;
236 	net->sk = sk;
237 	net->family = family;
238 }
239 
240 static void ad_net_init_from_sk(struct common_audit_data *ad,
241 				struct lsm_network_audit *net,
242 				struct sock *sk)
243 {
244 	__ad_net_init(ad, net, 0, sk, 0);
245 }
246 
247 static void ad_net_init_from_iif(struct common_audit_data *ad,
248 				 struct lsm_network_audit *net,
249 				 int ifindex, u16 family)
250 {
251 	__ad_net_init(ad, net, ifindex, NULL, family);
252 }
253 
254 /*
255  * get the objective security ID of a task
256  */
257 static inline u32 task_sid_obj(const struct task_struct *task)
258 {
259 	u32 sid;
260 
261 	rcu_read_lock();
262 	sid = cred_sid(__task_cred(task));
263 	rcu_read_unlock();
264 	return sid;
265 }
266 
267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268 
269 /*
270  * Try reloading inode security labels that have been marked as invalid.  The
271  * @may_sleep parameter indicates when sleeping and thus reloading labels is
272  * allowed; when set to false, returns -ECHILD when the label is
273  * invalid.  The @dentry parameter should be set to a dentry of the inode.
274  */
275 static int __inode_security_revalidate(struct inode *inode,
276 				       struct dentry *dentry,
277 				       bool may_sleep)
278 {
279 	struct inode_security_struct *isec = selinux_inode(inode);
280 
281 	might_sleep_if(may_sleep);
282 
283 	if (selinux_initialized() &&
284 	    isec->initialized != LABEL_INITIALIZED) {
285 		if (!may_sleep)
286 			return -ECHILD;
287 
288 		/*
289 		 * Try reloading the inode security label.  This will fail if
290 		 * @opt_dentry is NULL and no dentry for this inode can be
291 		 * found; in that case, continue using the old label.
292 		 */
293 		inode_doinit_with_dentry(inode, dentry);
294 	}
295 	return 0;
296 }
297 
298 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299 {
300 	return selinux_inode(inode);
301 }
302 
303 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304 {
305 	int error;
306 
307 	error = __inode_security_revalidate(inode, NULL, !rcu);
308 	if (error)
309 		return ERR_PTR(error);
310 	return selinux_inode(inode);
311 }
312 
313 /*
314  * Get the security label of an inode.
315  */
316 static struct inode_security_struct *inode_security(struct inode *inode)
317 {
318 	__inode_security_revalidate(inode, NULL, true);
319 	return selinux_inode(inode);
320 }
321 
322 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323 {
324 	struct inode *inode = d_backing_inode(dentry);
325 
326 	return selinux_inode(inode);
327 }
328 
329 /*
330  * Get the security label of a dentry's backing inode.
331  */
332 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333 {
334 	struct inode *inode = d_backing_inode(dentry);
335 
336 	__inode_security_revalidate(inode, dentry, true);
337 	return selinux_inode(inode);
338 }
339 
340 static void inode_free_security(struct inode *inode)
341 {
342 	struct inode_security_struct *isec = selinux_inode(inode);
343 	struct superblock_security_struct *sbsec;
344 
345 	if (!isec)
346 		return;
347 	sbsec = selinux_superblock(inode->i_sb);
348 	/*
349 	 * As not all inode security structures are in a list, we check for
350 	 * empty list outside of the lock to make sure that we won't waste
351 	 * time taking a lock doing nothing.
352 	 *
353 	 * The list_del_init() function can be safely called more than once.
354 	 * It should not be possible for this function to be called with
355 	 * concurrent list_add(), but for better safety against future changes
356 	 * in the code, we use list_empty_careful() here.
357 	 */
358 	if (!list_empty_careful(&isec->list)) {
359 		spin_lock(&sbsec->isec_lock);
360 		list_del_init(&isec->list);
361 		spin_unlock(&sbsec->isec_lock);
362 	}
363 }
364 
365 struct selinux_mnt_opts {
366 	u32 fscontext_sid;
367 	u32 context_sid;
368 	u32 rootcontext_sid;
369 	u32 defcontext_sid;
370 };
371 
372 static void selinux_free_mnt_opts(void *mnt_opts)
373 {
374 	kfree(mnt_opts);
375 }
376 
377 enum {
378 	Opt_error = -1,
379 	Opt_context = 0,
380 	Opt_defcontext = 1,
381 	Opt_fscontext = 2,
382 	Opt_rootcontext = 3,
383 	Opt_seclabel = 4,
384 };
385 
386 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
387 static const struct {
388 	const char *name;
389 	int len;
390 	int opt;
391 	bool has_arg;
392 } tokens[] = {
393 	A(context, true),
394 	A(fscontext, true),
395 	A(defcontext, true),
396 	A(rootcontext, true),
397 	A(seclabel, false),
398 };
399 #undef A
400 
401 static int match_opt_prefix(char *s, int l, char **arg)
402 {
403 	int i;
404 
405 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406 		size_t len = tokens[i].len;
407 		if (len > l || memcmp(s, tokens[i].name, len))
408 			continue;
409 		if (tokens[i].has_arg) {
410 			if (len == l || s[len] != '=')
411 				continue;
412 			*arg = s + len + 1;
413 		} else if (len != l)
414 			continue;
415 		return tokens[i].opt;
416 	}
417 	return Opt_error;
418 }
419 
420 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
421 
422 static int may_context_mount_sb_relabel(u32 sid,
423 			struct superblock_security_struct *sbsec,
424 			const struct cred *cred)
425 {
426 	const struct task_security_struct *tsec = selinux_cred(cred);
427 	int rc;
428 
429 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
430 			  FILESYSTEM__RELABELFROM, NULL);
431 	if (rc)
432 		return rc;
433 
434 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELTO, NULL);
436 	return rc;
437 }
438 
439 static int may_context_mount_inode_relabel(u32 sid,
440 			struct superblock_security_struct *sbsec,
441 			const struct cred *cred)
442 {
443 	const struct task_security_struct *tsec = selinux_cred(cred);
444 	int rc;
445 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 			  FILESYSTEM__RELABELFROM, NULL);
447 	if (rc)
448 		return rc;
449 
450 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
451 			  FILESYSTEM__ASSOCIATE, NULL);
452 	return rc;
453 }
454 
455 static int selinux_is_genfs_special_handling(struct super_block *sb)
456 {
457 	/* Special handling. Genfs but also in-core setxattr handler */
458 	return	!strcmp(sb->s_type->name, "sysfs") ||
459 		!strcmp(sb->s_type->name, "pstore") ||
460 		!strcmp(sb->s_type->name, "debugfs") ||
461 		!strcmp(sb->s_type->name, "tracefs") ||
462 		!strcmp(sb->s_type->name, "rootfs") ||
463 		(selinux_policycap_cgroupseclabel() &&
464 		 (!strcmp(sb->s_type->name, "cgroup") ||
465 		  !strcmp(sb->s_type->name, "cgroup2")));
466 }
467 
468 static int selinux_is_sblabel_mnt(struct super_block *sb)
469 {
470 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
471 
472 	/*
473 	 * IMPORTANT: Double-check logic in this function when adding a new
474 	 * SECURITY_FS_USE_* definition!
475 	 */
476 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477 
478 	switch (sbsec->behavior) {
479 	case SECURITY_FS_USE_XATTR:
480 	case SECURITY_FS_USE_TRANS:
481 	case SECURITY_FS_USE_TASK:
482 	case SECURITY_FS_USE_NATIVE:
483 		return 1;
484 
485 	case SECURITY_FS_USE_GENFS:
486 		return selinux_is_genfs_special_handling(sb);
487 
488 	/* Never allow relabeling on context mounts */
489 	case SECURITY_FS_USE_MNTPOINT:
490 	case SECURITY_FS_USE_NONE:
491 	default:
492 		return 0;
493 	}
494 }
495 
496 static int sb_check_xattr_support(struct super_block *sb)
497 {
498 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
499 	struct dentry *root = sb->s_root;
500 	struct inode *root_inode = d_backing_inode(root);
501 	u32 sid;
502 	int rc;
503 
504 	/*
505 	 * Make sure that the xattr handler exists and that no
506 	 * error other than -ENODATA is returned by getxattr on
507 	 * the root directory.  -ENODATA is ok, as this may be
508 	 * the first boot of the SELinux kernel before we have
509 	 * assigned xattr values to the filesystem.
510 	 */
511 	if (!(root_inode->i_opflags & IOP_XATTR)) {
512 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513 			sb->s_id, sb->s_type->name);
514 		goto fallback;
515 	}
516 
517 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 	if (rc < 0 && rc != -ENODATA) {
519 		if (rc == -EOPNOTSUPP) {
520 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521 				sb->s_id, sb->s_type->name);
522 			goto fallback;
523 		} else {
524 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525 				sb->s_id, sb->s_type->name, -rc);
526 			return rc;
527 		}
528 	}
529 	return 0;
530 
531 fallback:
532 	/* No xattr support - try to fallback to genfs if possible. */
533 	rc = security_genfs_sid(sb->s_type->name, "/",
534 				SECCLASS_DIR, &sid);
535 	if (rc)
536 		return -EOPNOTSUPP;
537 
538 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539 		sb->s_id, sb->s_type->name);
540 	sbsec->behavior = SECURITY_FS_USE_GENFS;
541 	sbsec->sid = sid;
542 	return 0;
543 }
544 
545 static int sb_finish_set_opts(struct super_block *sb)
546 {
547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
548 	struct dentry *root = sb->s_root;
549 	struct inode *root_inode = d_backing_inode(root);
550 	int rc = 0;
551 
552 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
553 		rc = sb_check_xattr_support(sb);
554 		if (rc)
555 			return rc;
556 	}
557 
558 	sbsec->flags |= SE_SBINITIALIZED;
559 
560 	/*
561 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
562 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
563 	 * us a superblock that needs the flag to be cleared.
564 	 */
565 	if (selinux_is_sblabel_mnt(sb))
566 		sbsec->flags |= SBLABEL_MNT;
567 	else
568 		sbsec->flags &= ~SBLABEL_MNT;
569 
570 	/* Initialize the root inode. */
571 	rc = inode_doinit_with_dentry(root_inode, root);
572 
573 	/* Initialize any other inodes associated with the superblock, e.g.
574 	   inodes created prior to initial policy load or inodes created
575 	   during get_sb by a pseudo filesystem that directly
576 	   populates itself. */
577 	spin_lock(&sbsec->isec_lock);
578 	while (!list_empty(&sbsec->isec_head)) {
579 		struct inode_security_struct *isec =
580 				list_first_entry(&sbsec->isec_head,
581 					   struct inode_security_struct, list);
582 		struct inode *inode = isec->inode;
583 		list_del_init(&isec->list);
584 		spin_unlock(&sbsec->isec_lock);
585 		inode = igrab(inode);
586 		if (inode) {
587 			if (!IS_PRIVATE(inode))
588 				inode_doinit_with_dentry(inode, NULL);
589 			iput(inode);
590 		}
591 		spin_lock(&sbsec->isec_lock);
592 	}
593 	spin_unlock(&sbsec->isec_lock);
594 	return rc;
595 }
596 
597 static int bad_option(struct superblock_security_struct *sbsec, char flag,
598 		      u32 old_sid, u32 new_sid)
599 {
600 	char mnt_flags = sbsec->flags & SE_MNTMASK;
601 
602 	/* check if the old mount command had the same options */
603 	if (sbsec->flags & SE_SBINITIALIZED)
604 		if (!(sbsec->flags & flag) ||
605 		    (old_sid != new_sid))
606 			return 1;
607 
608 	/* check if we were passed the same options twice,
609 	 * aka someone passed context=a,context=b
610 	 */
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		if (mnt_flags & flag)
613 			return 1;
614 	return 0;
615 }
616 
617 /*
618  * Allow filesystems with binary mount data to explicitly set mount point
619  * labeling information.
620  */
621 static int selinux_set_mnt_opts(struct super_block *sb,
622 				void *mnt_opts,
623 				unsigned long kern_flags,
624 				unsigned long *set_kern_flags)
625 {
626 	const struct cred *cred = current_cred();
627 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
628 	struct dentry *root = sb->s_root;
629 	struct selinux_mnt_opts *opts = mnt_opts;
630 	struct inode_security_struct *root_isec;
631 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632 	u32 defcontext_sid = 0;
633 	int rc = 0;
634 
635 	/*
636 	 * Specifying internal flags without providing a place to
637 	 * place the results is not allowed
638 	 */
639 	if (kern_flags && !set_kern_flags)
640 		return -EINVAL;
641 
642 	mutex_lock(&sbsec->lock);
643 
644 	if (!selinux_initialized()) {
645 		if (!opts) {
646 			/* Defer initialization until selinux_complete_init,
647 			   after the initial policy is loaded and the security
648 			   server is ready to handle calls. */
649 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650 				sbsec->flags |= SE_SBNATIVE;
651 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652 			}
653 			goto out;
654 		}
655 		rc = -EINVAL;
656 		pr_warn("SELinux: Unable to set superblock options "
657 			"before the security server is initialized\n");
658 		goto out;
659 	}
660 
661 	/*
662 	 * Binary mount data FS will come through this function twice.  Once
663 	 * from an explicit call and once from the generic calls from the vfs.
664 	 * Since the generic VFS calls will not contain any security mount data
665 	 * we need to skip the double mount verification.
666 	 *
667 	 * This does open a hole in which we will not notice if the first
668 	 * mount using this sb set explicit options and a second mount using
669 	 * this sb does not set any security options.  (The first options
670 	 * will be used for both mounts)
671 	 */
672 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
673 	    && !opts)
674 		goto out;
675 
676 	root_isec = backing_inode_security_novalidate(root);
677 
678 	/*
679 	 * parse the mount options, check if they are valid sids.
680 	 * also check if someone is trying to mount the same sb more
681 	 * than once with different security options.
682 	 */
683 	if (opts) {
684 		if (opts->fscontext_sid) {
685 			fscontext_sid = opts->fscontext_sid;
686 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 					fscontext_sid))
688 				goto out_double_mount;
689 			sbsec->flags |= FSCONTEXT_MNT;
690 		}
691 		if (opts->context_sid) {
692 			context_sid = opts->context_sid;
693 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694 					context_sid))
695 				goto out_double_mount;
696 			sbsec->flags |= CONTEXT_MNT;
697 		}
698 		if (opts->rootcontext_sid) {
699 			rootcontext_sid = opts->rootcontext_sid;
700 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 					rootcontext_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= ROOTCONTEXT_MNT;
704 		}
705 		if (opts->defcontext_sid) {
706 			defcontext_sid = opts->defcontext_sid;
707 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708 					defcontext_sid))
709 				goto out_double_mount;
710 			sbsec->flags |= DEFCONTEXT_MNT;
711 		}
712 	}
713 
714 	if (sbsec->flags & SE_SBINITIALIZED) {
715 		/* previously mounted with options, but not on this attempt? */
716 		if ((sbsec->flags & SE_MNTMASK) && !opts)
717 			goto out_double_mount;
718 		rc = 0;
719 		goto out;
720 	}
721 
722 	if (strcmp(sb->s_type->name, "proc") == 0)
723 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724 
725 	if (!strcmp(sb->s_type->name, "debugfs") ||
726 	    !strcmp(sb->s_type->name, "tracefs") ||
727 	    !strcmp(sb->s_type->name, "binder") ||
728 	    !strcmp(sb->s_type->name, "bpf") ||
729 	    !strcmp(sb->s_type->name, "pstore") ||
730 	    !strcmp(sb->s_type->name, "securityfs"))
731 		sbsec->flags |= SE_SBGENFS;
732 
733 	if (!strcmp(sb->s_type->name, "sysfs") ||
734 	    !strcmp(sb->s_type->name, "cgroup") ||
735 	    !strcmp(sb->s_type->name, "cgroup2"))
736 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
737 
738 	if (!sbsec->behavior) {
739 		/*
740 		 * Determine the labeling behavior to use for this
741 		 * filesystem type.
742 		 */
743 		rc = security_fs_use(sb);
744 		if (rc) {
745 			pr_warn("%s: security_fs_use(%s) returned %d\n",
746 					__func__, sb->s_type->name, rc);
747 			goto out;
748 		}
749 	}
750 
751 	/*
752 	 * If this is a user namespace mount and the filesystem type is not
753 	 * explicitly whitelisted, then no contexts are allowed on the command
754 	 * line and security labels must be ignored.
755 	 */
756 	if (sb->s_user_ns != &init_user_ns &&
757 	    strcmp(sb->s_type->name, "tmpfs") &&
758 	    strcmp(sb->s_type->name, "ramfs") &&
759 	    strcmp(sb->s_type->name, "devpts") &&
760 	    strcmp(sb->s_type->name, "overlay")) {
761 		if (context_sid || fscontext_sid || rootcontext_sid ||
762 		    defcontext_sid) {
763 			rc = -EACCES;
764 			goto out;
765 		}
766 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
768 			rc = security_transition_sid(current_sid(),
769 						     current_sid(),
770 						     SECCLASS_FILE, NULL,
771 						     &sbsec->mntpoint_sid);
772 			if (rc)
773 				goto out;
774 		}
775 		goto out_set_opts;
776 	}
777 
778 	/* sets the context of the superblock for the fs being mounted. */
779 	if (fscontext_sid) {
780 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
781 		if (rc)
782 			goto out;
783 
784 		sbsec->sid = fscontext_sid;
785 	}
786 
787 	/*
788 	 * Switch to using mount point labeling behavior.
789 	 * sets the label used on all file below the mountpoint, and will set
790 	 * the superblock context if not already set.
791 	 */
792 	if (sbsec->flags & SE_SBNATIVE) {
793 		/*
794 		 * This means we are initializing a superblock that has been
795 		 * mounted before the SELinux was initialized and the
796 		 * filesystem requested native labeling. We had already
797 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798 		 * in the original mount attempt, so now we just need to set
799 		 * the SECURITY_FS_USE_NATIVE behavior.
800 		 */
801 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
802 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
803 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805 	}
806 
807 	if (context_sid) {
808 		if (!fscontext_sid) {
809 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
810 							  cred);
811 			if (rc)
812 				goto out;
813 			sbsec->sid = context_sid;
814 		} else {
815 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
816 							     cred);
817 			if (rc)
818 				goto out;
819 		}
820 		if (!rootcontext_sid)
821 			rootcontext_sid = context_sid;
822 
823 		sbsec->mntpoint_sid = context_sid;
824 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
825 	}
826 
827 	if (rootcontext_sid) {
828 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829 						     cred);
830 		if (rc)
831 			goto out;
832 
833 		root_isec->sid = rootcontext_sid;
834 		root_isec->initialized = LABEL_INITIALIZED;
835 	}
836 
837 	if (defcontext_sid) {
838 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
840 			rc = -EINVAL;
841 			pr_warn("SELinux: defcontext option is "
842 			       "invalid for this filesystem type\n");
843 			goto out;
844 		}
845 
846 		if (defcontext_sid != sbsec->def_sid) {
847 			rc = may_context_mount_inode_relabel(defcontext_sid,
848 							     sbsec, cred);
849 			if (rc)
850 				goto out;
851 		}
852 
853 		sbsec->def_sid = defcontext_sid;
854 	}
855 
856 out_set_opts:
857 	rc = sb_finish_set_opts(sb);
858 out:
859 	mutex_unlock(&sbsec->lock);
860 	return rc;
861 out_double_mount:
862 	rc = -EINVAL;
863 	pr_warn("SELinux: mount invalid.  Same superblock, different "
864 	       "security settings for (dev %s, type %s)\n", sb->s_id,
865 	       sb->s_type->name);
866 	goto out;
867 }
868 
869 static int selinux_cmp_sb_context(const struct super_block *oldsb,
870 				    const struct super_block *newsb)
871 {
872 	struct superblock_security_struct *old = selinux_superblock(oldsb);
873 	struct superblock_security_struct *new = selinux_superblock(newsb);
874 	char oldflags = old->flags & SE_MNTMASK;
875 	char newflags = new->flags & SE_MNTMASK;
876 
877 	if (oldflags != newflags)
878 		goto mismatch;
879 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880 		goto mismatch;
881 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882 		goto mismatch;
883 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884 		goto mismatch;
885 	if (oldflags & ROOTCONTEXT_MNT) {
886 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
888 		if (oldroot->sid != newroot->sid)
889 			goto mismatch;
890 	}
891 	return 0;
892 mismatch:
893 	pr_warn("SELinux: mount invalid.  Same superblock, "
894 			    "different security settings for (dev %s, "
895 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
896 	return -EBUSY;
897 }
898 
899 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
900 					struct super_block *newsb,
901 					unsigned long kern_flags,
902 					unsigned long *set_kern_flags)
903 {
904 	int rc = 0;
905 	const struct superblock_security_struct *oldsbsec =
906 						selinux_superblock(oldsb);
907 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
908 
909 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
910 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
911 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
912 
913 	/*
914 	 * Specifying internal flags without providing a place to
915 	 * place the results is not allowed.
916 	 */
917 	if (kern_flags && !set_kern_flags)
918 		return -EINVAL;
919 
920 	mutex_lock(&newsbsec->lock);
921 
922 	/*
923 	 * if the parent was able to be mounted it clearly had no special lsm
924 	 * mount options.  thus we can safely deal with this superblock later
925 	 */
926 	if (!selinux_initialized()) {
927 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928 			newsbsec->flags |= SE_SBNATIVE;
929 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930 		}
931 		goto out;
932 	}
933 
934 	/* how can we clone if the old one wasn't set up?? */
935 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
936 
937 	/* if fs is reusing a sb, make sure that the contexts match */
938 	if (newsbsec->flags & SE_SBINITIALIZED) {
939 		mutex_unlock(&newsbsec->lock);
940 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
942 		return selinux_cmp_sb_context(oldsb, newsb);
943 	}
944 
945 	newsbsec->flags = oldsbsec->flags;
946 
947 	newsbsec->sid = oldsbsec->sid;
948 	newsbsec->def_sid = oldsbsec->def_sid;
949 	newsbsec->behavior = oldsbsec->behavior;
950 
951 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 		rc = security_fs_use(newsb);
954 		if (rc)
955 			goto out;
956 	}
957 
958 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 	}
962 
963 	if (set_context) {
964 		u32 sid = oldsbsec->mntpoint_sid;
965 
966 		if (!set_fscontext)
967 			newsbsec->sid = sid;
968 		if (!set_rootcontext) {
969 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970 			newisec->sid = sid;
971 		}
972 		newsbsec->mntpoint_sid = sid;
973 	}
974 	if (set_rootcontext) {
975 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977 
978 		newisec->sid = oldisec->sid;
979 	}
980 
981 	sb_finish_set_opts(newsb);
982 out:
983 	mutex_unlock(&newsbsec->lock);
984 	return rc;
985 }
986 
987 /*
988  * NOTE: the caller is responsible for freeing the memory even if on error.
989  */
990 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
991 {
992 	struct selinux_mnt_opts *opts = *mnt_opts;
993 	u32 *dst_sid;
994 	int rc;
995 
996 	if (token == Opt_seclabel)
997 		/* eaten and completely ignored */
998 		return 0;
999 	if (!s)
1000 		return -EINVAL;
1001 
1002 	if (!selinux_initialized()) {
1003 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004 		return -EINVAL;
1005 	}
1006 
1007 	if (!opts) {
1008 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1009 		if (!opts)
1010 			return -ENOMEM;
1011 		*mnt_opts = opts;
1012 	}
1013 
1014 	switch (token) {
1015 	case Opt_context:
1016 		if (opts->context_sid || opts->defcontext_sid)
1017 			goto err;
1018 		dst_sid = &opts->context_sid;
1019 		break;
1020 	case Opt_fscontext:
1021 		if (opts->fscontext_sid)
1022 			goto err;
1023 		dst_sid = &opts->fscontext_sid;
1024 		break;
1025 	case Opt_rootcontext:
1026 		if (opts->rootcontext_sid)
1027 			goto err;
1028 		dst_sid = &opts->rootcontext_sid;
1029 		break;
1030 	case Opt_defcontext:
1031 		if (opts->context_sid || opts->defcontext_sid)
1032 			goto err;
1033 		dst_sid = &opts->defcontext_sid;
1034 		break;
1035 	default:
1036 		WARN_ON(1);
1037 		return -EINVAL;
1038 	}
1039 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1040 	if (rc)
1041 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042 			s, rc);
1043 	return rc;
1044 
1045 err:
1046 	pr_warn(SEL_MOUNT_FAIL_MSG);
1047 	return -EINVAL;
1048 }
1049 
1050 static int show_sid(struct seq_file *m, u32 sid)
1051 {
1052 	char *context = NULL;
1053 	u32 len;
1054 	int rc;
1055 
1056 	rc = security_sid_to_context(sid, &context, &len);
1057 	if (!rc) {
1058 		bool has_comma = strchr(context, ',');
1059 
1060 		seq_putc(m, '=');
1061 		if (has_comma)
1062 			seq_putc(m, '\"');
1063 		seq_escape(m, context, "\"\n\\");
1064 		if (has_comma)
1065 			seq_putc(m, '\"');
1066 	}
1067 	kfree(context);
1068 	return rc;
1069 }
1070 
1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1074 	int rc;
1075 
1076 	if (!(sbsec->flags & SE_SBINITIALIZED))
1077 		return 0;
1078 
1079 	if (!selinux_initialized())
1080 		return 0;
1081 
1082 	if (sbsec->flags & FSCONTEXT_MNT) {
1083 		seq_putc(m, ',');
1084 		seq_puts(m, FSCONTEXT_STR);
1085 		rc = show_sid(m, sbsec->sid);
1086 		if (rc)
1087 			return rc;
1088 	}
1089 	if (sbsec->flags & CONTEXT_MNT) {
1090 		seq_putc(m, ',');
1091 		seq_puts(m, CONTEXT_STR);
1092 		rc = show_sid(m, sbsec->mntpoint_sid);
1093 		if (rc)
1094 			return rc;
1095 	}
1096 	if (sbsec->flags & DEFCONTEXT_MNT) {
1097 		seq_putc(m, ',');
1098 		seq_puts(m, DEFCONTEXT_STR);
1099 		rc = show_sid(m, sbsec->def_sid);
1100 		if (rc)
1101 			return rc;
1102 	}
1103 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1104 		struct dentry *root = sb->s_root;
1105 		struct inode_security_struct *isec = backing_inode_security(root);
1106 		seq_putc(m, ',');
1107 		seq_puts(m, ROOTCONTEXT_STR);
1108 		rc = show_sid(m, isec->sid);
1109 		if (rc)
1110 			return rc;
1111 	}
1112 	if (sbsec->flags & SBLABEL_MNT) {
1113 		seq_putc(m, ',');
1114 		seq_puts(m, SECLABEL_STR);
1115 	}
1116 	return 0;
1117 }
1118 
1119 static inline u16 inode_mode_to_security_class(umode_t mode)
1120 {
1121 	switch (mode & S_IFMT) {
1122 	case S_IFSOCK:
1123 		return SECCLASS_SOCK_FILE;
1124 	case S_IFLNK:
1125 		return SECCLASS_LNK_FILE;
1126 	case S_IFREG:
1127 		return SECCLASS_FILE;
1128 	case S_IFBLK:
1129 		return SECCLASS_BLK_FILE;
1130 	case S_IFDIR:
1131 		return SECCLASS_DIR;
1132 	case S_IFCHR:
1133 		return SECCLASS_CHR_FILE;
1134 	case S_IFIFO:
1135 		return SECCLASS_FIFO_FILE;
1136 
1137 	}
1138 
1139 	return SECCLASS_FILE;
1140 }
1141 
1142 static inline int default_protocol_stream(int protocol)
1143 {
1144 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145 		protocol == IPPROTO_MPTCP);
1146 }
1147 
1148 static inline int default_protocol_dgram(int protocol)
1149 {
1150 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151 }
1152 
1153 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154 {
1155 	bool extsockclass = selinux_policycap_extsockclass();
1156 
1157 	switch (family) {
1158 	case PF_UNIX:
1159 		switch (type) {
1160 		case SOCK_STREAM:
1161 		case SOCK_SEQPACKET:
1162 			return SECCLASS_UNIX_STREAM_SOCKET;
1163 		case SOCK_DGRAM:
1164 		case SOCK_RAW:
1165 			return SECCLASS_UNIX_DGRAM_SOCKET;
1166 		}
1167 		break;
1168 	case PF_INET:
1169 	case PF_INET6:
1170 		switch (type) {
1171 		case SOCK_STREAM:
1172 		case SOCK_SEQPACKET:
1173 			if (default_protocol_stream(protocol))
1174 				return SECCLASS_TCP_SOCKET;
1175 			else if (extsockclass && protocol == IPPROTO_SCTP)
1176 				return SECCLASS_SCTP_SOCKET;
1177 			else
1178 				return SECCLASS_RAWIP_SOCKET;
1179 		case SOCK_DGRAM:
1180 			if (default_protocol_dgram(protocol))
1181 				return SECCLASS_UDP_SOCKET;
1182 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183 						  protocol == IPPROTO_ICMPV6))
1184 				return SECCLASS_ICMP_SOCKET;
1185 			else
1186 				return SECCLASS_RAWIP_SOCKET;
1187 		case SOCK_DCCP:
1188 			return SECCLASS_DCCP_SOCKET;
1189 		default:
1190 			return SECCLASS_RAWIP_SOCKET;
1191 		}
1192 		break;
1193 	case PF_NETLINK:
1194 		switch (protocol) {
1195 		case NETLINK_ROUTE:
1196 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1197 		case NETLINK_SOCK_DIAG:
1198 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 		case NETLINK_NFLOG:
1200 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 		case NETLINK_XFRM:
1202 			return SECCLASS_NETLINK_XFRM_SOCKET;
1203 		case NETLINK_SELINUX:
1204 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1205 		case NETLINK_ISCSI:
1206 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1207 		case NETLINK_AUDIT:
1208 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1209 		case NETLINK_FIB_LOOKUP:
1210 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 		case NETLINK_CONNECTOR:
1212 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 		case NETLINK_NETFILTER:
1214 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215 		case NETLINK_DNRTMSG:
1216 			return SECCLASS_NETLINK_DNRT_SOCKET;
1217 		case NETLINK_KOBJECT_UEVENT:
1218 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 		case NETLINK_GENERIC:
1220 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 		case NETLINK_SCSITRANSPORT:
1222 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 		case NETLINK_RDMA:
1224 			return SECCLASS_NETLINK_RDMA_SOCKET;
1225 		case NETLINK_CRYPTO:
1226 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227 		default:
1228 			return SECCLASS_NETLINK_SOCKET;
1229 		}
1230 	case PF_PACKET:
1231 		return SECCLASS_PACKET_SOCKET;
1232 	case PF_KEY:
1233 		return SECCLASS_KEY_SOCKET;
1234 	case PF_APPLETALK:
1235 		return SECCLASS_APPLETALK_SOCKET;
1236 	}
1237 
1238 	if (extsockclass) {
1239 		switch (family) {
1240 		case PF_AX25:
1241 			return SECCLASS_AX25_SOCKET;
1242 		case PF_IPX:
1243 			return SECCLASS_IPX_SOCKET;
1244 		case PF_NETROM:
1245 			return SECCLASS_NETROM_SOCKET;
1246 		case PF_ATMPVC:
1247 			return SECCLASS_ATMPVC_SOCKET;
1248 		case PF_X25:
1249 			return SECCLASS_X25_SOCKET;
1250 		case PF_ROSE:
1251 			return SECCLASS_ROSE_SOCKET;
1252 		case PF_DECnet:
1253 			return SECCLASS_DECNET_SOCKET;
1254 		case PF_ATMSVC:
1255 			return SECCLASS_ATMSVC_SOCKET;
1256 		case PF_RDS:
1257 			return SECCLASS_RDS_SOCKET;
1258 		case PF_IRDA:
1259 			return SECCLASS_IRDA_SOCKET;
1260 		case PF_PPPOX:
1261 			return SECCLASS_PPPOX_SOCKET;
1262 		case PF_LLC:
1263 			return SECCLASS_LLC_SOCKET;
1264 		case PF_CAN:
1265 			return SECCLASS_CAN_SOCKET;
1266 		case PF_TIPC:
1267 			return SECCLASS_TIPC_SOCKET;
1268 		case PF_BLUETOOTH:
1269 			return SECCLASS_BLUETOOTH_SOCKET;
1270 		case PF_IUCV:
1271 			return SECCLASS_IUCV_SOCKET;
1272 		case PF_RXRPC:
1273 			return SECCLASS_RXRPC_SOCKET;
1274 		case PF_ISDN:
1275 			return SECCLASS_ISDN_SOCKET;
1276 		case PF_PHONET:
1277 			return SECCLASS_PHONET_SOCKET;
1278 		case PF_IEEE802154:
1279 			return SECCLASS_IEEE802154_SOCKET;
1280 		case PF_CAIF:
1281 			return SECCLASS_CAIF_SOCKET;
1282 		case PF_ALG:
1283 			return SECCLASS_ALG_SOCKET;
1284 		case PF_NFC:
1285 			return SECCLASS_NFC_SOCKET;
1286 		case PF_VSOCK:
1287 			return SECCLASS_VSOCK_SOCKET;
1288 		case PF_KCM:
1289 			return SECCLASS_KCM_SOCKET;
1290 		case PF_QIPCRTR:
1291 			return SECCLASS_QIPCRTR_SOCKET;
1292 		case PF_SMC:
1293 			return SECCLASS_SMC_SOCKET;
1294 		case PF_XDP:
1295 			return SECCLASS_XDP_SOCKET;
1296 		case PF_MCTP:
1297 			return SECCLASS_MCTP_SOCKET;
1298 #if PF_MAX > 46
1299 #error New address family defined, please update this function.
1300 #endif
1301 		}
1302 	}
1303 
1304 	return SECCLASS_SOCKET;
1305 }
1306 
1307 static int selinux_genfs_get_sid(struct dentry *dentry,
1308 				 u16 tclass,
1309 				 u16 flags,
1310 				 u32 *sid)
1311 {
1312 	int rc;
1313 	struct super_block *sb = dentry->d_sb;
1314 	char *buffer, *path;
1315 
1316 	buffer = (char *)__get_free_page(GFP_KERNEL);
1317 	if (!buffer)
1318 		return -ENOMEM;
1319 
1320 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321 	if (IS_ERR(path))
1322 		rc = PTR_ERR(path);
1323 	else {
1324 		if (flags & SE_SBPROC) {
1325 			/* each process gets a /proc/PID/ entry. Strip off the
1326 			 * PID part to get a valid selinux labeling.
1327 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328 			while (path[1] >= '0' && path[1] <= '9') {
1329 				path[1] = '/';
1330 				path++;
1331 			}
1332 		}
1333 		rc = security_genfs_sid(sb->s_type->name,
1334 					path, tclass, sid);
1335 		if (rc == -ENOENT) {
1336 			/* No match in policy, mark as unlabeled. */
1337 			*sid = SECINITSID_UNLABELED;
1338 			rc = 0;
1339 		}
1340 	}
1341 	free_page((unsigned long)buffer);
1342 	return rc;
1343 }
1344 
1345 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346 				  u32 def_sid, u32 *sid)
1347 {
1348 #define INITCONTEXTLEN 255
1349 	char *context;
1350 	unsigned int len;
1351 	int rc;
1352 
1353 	len = INITCONTEXTLEN;
1354 	context = kmalloc(len + 1, GFP_NOFS);
1355 	if (!context)
1356 		return -ENOMEM;
1357 
1358 	context[len] = '\0';
1359 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360 	if (rc == -ERANGE) {
1361 		kfree(context);
1362 
1363 		/* Need a larger buffer.  Query for the right size. */
1364 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365 		if (rc < 0)
1366 			return rc;
1367 
1368 		len = rc;
1369 		context = kmalloc(len + 1, GFP_NOFS);
1370 		if (!context)
1371 			return -ENOMEM;
1372 
1373 		context[len] = '\0';
1374 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375 				    context, len);
1376 	}
1377 	if (rc < 0) {
1378 		kfree(context);
1379 		if (rc != -ENODATA) {
1380 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1381 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382 			return rc;
1383 		}
1384 		*sid = def_sid;
1385 		return 0;
1386 	}
1387 
1388 	rc = security_context_to_sid_default(context, rc, sid,
1389 					     def_sid, GFP_NOFS);
1390 	if (rc) {
1391 		char *dev = inode->i_sb->s_id;
1392 		unsigned long ino = inode->i_ino;
1393 
1394 		if (rc == -EINVAL) {
1395 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1396 					      ino, dev, context);
1397 		} else {
1398 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399 				__func__, context, -rc, dev, ino);
1400 		}
1401 	}
1402 	kfree(context);
1403 	return 0;
1404 }
1405 
1406 /* The inode's security attributes must be initialized before first use. */
1407 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408 {
1409 	struct superblock_security_struct *sbsec = NULL;
1410 	struct inode_security_struct *isec = selinux_inode(inode);
1411 	u32 task_sid, sid = 0;
1412 	u16 sclass;
1413 	struct dentry *dentry;
1414 	int rc = 0;
1415 
1416 	if (isec->initialized == LABEL_INITIALIZED)
1417 		return 0;
1418 
1419 	spin_lock(&isec->lock);
1420 	if (isec->initialized == LABEL_INITIALIZED)
1421 		goto out_unlock;
1422 
1423 	if (isec->sclass == SECCLASS_FILE)
1424 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425 
1426 	sbsec = selinux_superblock(inode->i_sb);
1427 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1428 		/* Defer initialization until selinux_complete_init,
1429 		   after the initial policy is loaded and the security
1430 		   server is ready to handle calls. */
1431 		spin_lock(&sbsec->isec_lock);
1432 		if (list_empty(&isec->list))
1433 			list_add(&isec->list, &sbsec->isec_head);
1434 		spin_unlock(&sbsec->isec_lock);
1435 		goto out_unlock;
1436 	}
1437 
1438 	sclass = isec->sclass;
1439 	task_sid = isec->task_sid;
1440 	sid = isec->sid;
1441 	isec->initialized = LABEL_PENDING;
1442 	spin_unlock(&isec->lock);
1443 
1444 	switch (sbsec->behavior) {
1445 	/*
1446 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447 	 * via xattr when called from delayed_superblock_init().
1448 	 */
1449 	case SECURITY_FS_USE_NATIVE:
1450 	case SECURITY_FS_USE_XATTR:
1451 		if (!(inode->i_opflags & IOP_XATTR)) {
1452 			sid = sbsec->def_sid;
1453 			break;
1454 		}
1455 		/* Need a dentry, since the xattr API requires one.
1456 		   Life would be simpler if we could just pass the inode. */
1457 		if (opt_dentry) {
1458 			/* Called from d_instantiate or d_splice_alias. */
1459 			dentry = dget(opt_dentry);
1460 		} else {
1461 			/*
1462 			 * Called from selinux_complete_init, try to find a dentry.
1463 			 * Some filesystems really want a connected one, so try
1464 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1465 			 * two, depending upon that...
1466 			 */
1467 			dentry = d_find_alias(inode);
1468 			if (!dentry)
1469 				dentry = d_find_any_alias(inode);
1470 		}
1471 		if (!dentry) {
1472 			/*
1473 			 * this is can be hit on boot when a file is accessed
1474 			 * before the policy is loaded.  When we load policy we
1475 			 * may find inodes that have no dentry on the
1476 			 * sbsec->isec_head list.  No reason to complain as these
1477 			 * will get fixed up the next time we go through
1478 			 * inode_doinit with a dentry, before these inodes could
1479 			 * be used again by userspace.
1480 			 */
1481 			goto out_invalid;
1482 		}
1483 
1484 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485 					    &sid);
1486 		dput(dentry);
1487 		if (rc)
1488 			goto out;
1489 		break;
1490 	case SECURITY_FS_USE_TASK:
1491 		sid = task_sid;
1492 		break;
1493 	case SECURITY_FS_USE_TRANS:
1494 		/* Default to the fs SID. */
1495 		sid = sbsec->sid;
1496 
1497 		/* Try to obtain a transition SID. */
1498 		rc = security_transition_sid(task_sid, sid,
1499 					     sclass, NULL, &sid);
1500 		if (rc)
1501 			goto out;
1502 		break;
1503 	case SECURITY_FS_USE_MNTPOINT:
1504 		sid = sbsec->mntpoint_sid;
1505 		break;
1506 	default:
1507 		/* Default to the fs superblock SID. */
1508 		sid = sbsec->sid;
1509 
1510 		if ((sbsec->flags & SE_SBGENFS) &&
1511 		     (!S_ISLNK(inode->i_mode) ||
1512 		      selinux_policycap_genfs_seclabel_symlinks())) {
1513 			/* We must have a dentry to determine the label on
1514 			 * procfs inodes */
1515 			if (opt_dentry) {
1516 				/* Called from d_instantiate or
1517 				 * d_splice_alias. */
1518 				dentry = dget(opt_dentry);
1519 			} else {
1520 				/* Called from selinux_complete_init, try to
1521 				 * find a dentry.  Some filesystems really want
1522 				 * a connected one, so try that first.
1523 				 */
1524 				dentry = d_find_alias(inode);
1525 				if (!dentry)
1526 					dentry = d_find_any_alias(inode);
1527 			}
1528 			/*
1529 			 * This can be hit on boot when a file is accessed
1530 			 * before the policy is loaded.  When we load policy we
1531 			 * may find inodes that have no dentry on the
1532 			 * sbsec->isec_head list.  No reason to complain as
1533 			 * these will get fixed up the next time we go through
1534 			 * inode_doinit() with a dentry, before these inodes
1535 			 * could be used again by userspace.
1536 			 */
1537 			if (!dentry)
1538 				goto out_invalid;
1539 			rc = selinux_genfs_get_sid(dentry, sclass,
1540 						   sbsec->flags, &sid);
1541 			if (rc) {
1542 				dput(dentry);
1543 				goto out;
1544 			}
1545 
1546 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547 			    (inode->i_opflags & IOP_XATTR)) {
1548 				rc = inode_doinit_use_xattr(inode, dentry,
1549 							    sid, &sid);
1550 				if (rc) {
1551 					dput(dentry);
1552 					goto out;
1553 				}
1554 			}
1555 			dput(dentry);
1556 		}
1557 		break;
1558 	}
1559 
1560 out:
1561 	spin_lock(&isec->lock);
1562 	if (isec->initialized == LABEL_PENDING) {
1563 		if (rc) {
1564 			isec->initialized = LABEL_INVALID;
1565 			goto out_unlock;
1566 		}
1567 		isec->initialized = LABEL_INITIALIZED;
1568 		isec->sid = sid;
1569 	}
1570 
1571 out_unlock:
1572 	spin_unlock(&isec->lock);
1573 	return rc;
1574 
1575 out_invalid:
1576 	spin_lock(&isec->lock);
1577 	if (isec->initialized == LABEL_PENDING) {
1578 		isec->initialized = LABEL_INVALID;
1579 		isec->sid = sid;
1580 	}
1581 	spin_unlock(&isec->lock);
1582 	return 0;
1583 }
1584 
1585 /* Convert a Linux signal to an access vector. */
1586 static inline u32 signal_to_av(int sig)
1587 {
1588 	u32 perm = 0;
1589 
1590 	switch (sig) {
1591 	case SIGCHLD:
1592 		/* Commonly granted from child to parent. */
1593 		perm = PROCESS__SIGCHLD;
1594 		break;
1595 	case SIGKILL:
1596 		/* Cannot be caught or ignored */
1597 		perm = PROCESS__SIGKILL;
1598 		break;
1599 	case SIGSTOP:
1600 		/* Cannot be caught or ignored */
1601 		perm = PROCESS__SIGSTOP;
1602 		break;
1603 	default:
1604 		/* All other signals. */
1605 		perm = PROCESS__SIGNAL;
1606 		break;
1607 	}
1608 
1609 	return perm;
1610 }
1611 
1612 #if CAP_LAST_CAP > 63
1613 #error Fix SELinux to handle capabilities > 63.
1614 #endif
1615 
1616 /* Check whether a task is allowed to use a capability. */
1617 static int cred_has_capability(const struct cred *cred,
1618 			       int cap, unsigned int opts, bool initns)
1619 {
1620 	struct common_audit_data ad;
1621 	struct av_decision avd;
1622 	u16 sclass;
1623 	u32 sid = cred_sid(cred);
1624 	u32 av = CAP_TO_MASK(cap);
1625 	int rc;
1626 
1627 	ad.type = LSM_AUDIT_DATA_CAP;
1628 	ad.u.cap = cap;
1629 
1630 	switch (CAP_TO_INDEX(cap)) {
1631 	case 0:
1632 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1633 		break;
1634 	case 1:
1635 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1636 		break;
1637 	default:
1638 		pr_err("SELinux:  out of range capability %d\n", cap);
1639 		BUG();
1640 		return -EINVAL;
1641 	}
1642 
1643 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1644 	if (!(opts & CAP_OPT_NOAUDIT)) {
1645 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1646 		if (rc2)
1647 			return rc2;
1648 	}
1649 	return rc;
1650 }
1651 
1652 /* Check whether a task has a particular permission to an inode.
1653    The 'adp' parameter is optional and allows other audit
1654    data to be passed (e.g. the dentry). */
1655 static int inode_has_perm(const struct cred *cred,
1656 			  struct inode *inode,
1657 			  u32 perms,
1658 			  struct common_audit_data *adp)
1659 {
1660 	struct inode_security_struct *isec;
1661 	u32 sid;
1662 
1663 	validate_creds(cred);
1664 
1665 	if (unlikely(IS_PRIVATE(inode)))
1666 		return 0;
1667 
1668 	sid = cred_sid(cred);
1669 	isec = selinux_inode(inode);
1670 
1671 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1672 }
1673 
1674 /* Same as inode_has_perm, but pass explicit audit data containing
1675    the dentry to help the auditing code to more easily generate the
1676    pathname if needed. */
1677 static inline int dentry_has_perm(const struct cred *cred,
1678 				  struct dentry *dentry,
1679 				  u32 av)
1680 {
1681 	struct inode *inode = d_backing_inode(dentry);
1682 	struct common_audit_data ad;
1683 
1684 	ad.type = LSM_AUDIT_DATA_DENTRY;
1685 	ad.u.dentry = dentry;
1686 	__inode_security_revalidate(inode, dentry, true);
1687 	return inode_has_perm(cred, inode, av, &ad);
1688 }
1689 
1690 /* Same as inode_has_perm, but pass explicit audit data containing
1691    the path to help the auditing code to more easily generate the
1692    pathname if needed. */
1693 static inline int path_has_perm(const struct cred *cred,
1694 				const struct path *path,
1695 				u32 av)
1696 {
1697 	struct inode *inode = d_backing_inode(path->dentry);
1698 	struct common_audit_data ad;
1699 
1700 	ad.type = LSM_AUDIT_DATA_PATH;
1701 	ad.u.path = *path;
1702 	__inode_security_revalidate(inode, path->dentry, true);
1703 	return inode_has_perm(cred, inode, av, &ad);
1704 }
1705 
1706 /* Same as path_has_perm, but uses the inode from the file struct. */
1707 static inline int file_path_has_perm(const struct cred *cred,
1708 				     struct file *file,
1709 				     u32 av)
1710 {
1711 	struct common_audit_data ad;
1712 
1713 	ad.type = LSM_AUDIT_DATA_FILE;
1714 	ad.u.file = file;
1715 	return inode_has_perm(cred, file_inode(file), av, &ad);
1716 }
1717 
1718 #ifdef CONFIG_BPF_SYSCALL
1719 static int bpf_fd_pass(const struct file *file, u32 sid);
1720 #endif
1721 
1722 /* Check whether a task can use an open file descriptor to
1723    access an inode in a given way.  Check access to the
1724    descriptor itself, and then use dentry_has_perm to
1725    check a particular permission to the file.
1726    Access to the descriptor is implicitly granted if it
1727    has the same SID as the process.  If av is zero, then
1728    access to the file is not checked, e.g. for cases
1729    where only the descriptor is affected like seek. */
1730 static int file_has_perm(const struct cred *cred,
1731 			 struct file *file,
1732 			 u32 av)
1733 {
1734 	struct file_security_struct *fsec = selinux_file(file);
1735 	struct inode *inode = file_inode(file);
1736 	struct common_audit_data ad;
1737 	u32 sid = cred_sid(cred);
1738 	int rc;
1739 
1740 	ad.type = LSM_AUDIT_DATA_FILE;
1741 	ad.u.file = file;
1742 
1743 	if (sid != fsec->sid) {
1744 		rc = avc_has_perm(sid, fsec->sid,
1745 				  SECCLASS_FD,
1746 				  FD__USE,
1747 				  &ad);
1748 		if (rc)
1749 			goto out;
1750 	}
1751 
1752 #ifdef CONFIG_BPF_SYSCALL
1753 	rc = bpf_fd_pass(file, cred_sid(cred));
1754 	if (rc)
1755 		return rc;
1756 #endif
1757 
1758 	/* av is zero if only checking access to the descriptor. */
1759 	rc = 0;
1760 	if (av)
1761 		rc = inode_has_perm(cred, inode, av, &ad);
1762 
1763 out:
1764 	return rc;
1765 }
1766 
1767 /*
1768  * Determine the label for an inode that might be unioned.
1769  */
1770 static int
1771 selinux_determine_inode_label(const struct task_security_struct *tsec,
1772 				 struct inode *dir,
1773 				 const struct qstr *name, u16 tclass,
1774 				 u32 *_new_isid)
1775 {
1776 	const struct superblock_security_struct *sbsec =
1777 						selinux_superblock(dir->i_sb);
1778 
1779 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1780 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1781 		*_new_isid = sbsec->mntpoint_sid;
1782 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1783 		   tsec->create_sid) {
1784 		*_new_isid = tsec->create_sid;
1785 	} else {
1786 		const struct inode_security_struct *dsec = inode_security(dir);
1787 		return security_transition_sid(tsec->sid,
1788 					       dsec->sid, tclass,
1789 					       name, _new_isid);
1790 	}
1791 
1792 	return 0;
1793 }
1794 
1795 /* Check whether a task can create a file. */
1796 static int may_create(struct inode *dir,
1797 		      struct dentry *dentry,
1798 		      u16 tclass)
1799 {
1800 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1801 	struct inode_security_struct *dsec;
1802 	struct superblock_security_struct *sbsec;
1803 	u32 sid, newsid;
1804 	struct common_audit_data ad;
1805 	int rc;
1806 
1807 	dsec = inode_security(dir);
1808 	sbsec = selinux_superblock(dir->i_sb);
1809 
1810 	sid = tsec->sid;
1811 
1812 	ad.type = LSM_AUDIT_DATA_DENTRY;
1813 	ad.u.dentry = dentry;
1814 
1815 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1816 			  DIR__ADD_NAME | DIR__SEARCH,
1817 			  &ad);
1818 	if (rc)
1819 		return rc;
1820 
1821 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1822 					   &newsid);
1823 	if (rc)
1824 		return rc;
1825 
1826 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1827 	if (rc)
1828 		return rc;
1829 
1830 	return avc_has_perm(newsid, sbsec->sid,
1831 			    SECCLASS_FILESYSTEM,
1832 			    FILESYSTEM__ASSOCIATE, &ad);
1833 }
1834 
1835 #define MAY_LINK	0
1836 #define MAY_UNLINK	1
1837 #define MAY_RMDIR	2
1838 
1839 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1840 static int may_link(struct inode *dir,
1841 		    struct dentry *dentry,
1842 		    int kind)
1843 
1844 {
1845 	struct inode_security_struct *dsec, *isec;
1846 	struct common_audit_data ad;
1847 	u32 sid = current_sid();
1848 	u32 av;
1849 	int rc;
1850 
1851 	dsec = inode_security(dir);
1852 	isec = backing_inode_security(dentry);
1853 
1854 	ad.type = LSM_AUDIT_DATA_DENTRY;
1855 	ad.u.dentry = dentry;
1856 
1857 	av = DIR__SEARCH;
1858 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1859 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1860 	if (rc)
1861 		return rc;
1862 
1863 	switch (kind) {
1864 	case MAY_LINK:
1865 		av = FILE__LINK;
1866 		break;
1867 	case MAY_UNLINK:
1868 		av = FILE__UNLINK;
1869 		break;
1870 	case MAY_RMDIR:
1871 		av = DIR__RMDIR;
1872 		break;
1873 	default:
1874 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1875 			__func__, kind);
1876 		return 0;
1877 	}
1878 
1879 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1880 	return rc;
1881 }
1882 
1883 static inline int may_rename(struct inode *old_dir,
1884 			     struct dentry *old_dentry,
1885 			     struct inode *new_dir,
1886 			     struct dentry *new_dentry)
1887 {
1888 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1889 	struct common_audit_data ad;
1890 	u32 sid = current_sid();
1891 	u32 av;
1892 	int old_is_dir, new_is_dir;
1893 	int rc;
1894 
1895 	old_dsec = inode_security(old_dir);
1896 	old_isec = backing_inode_security(old_dentry);
1897 	old_is_dir = d_is_dir(old_dentry);
1898 	new_dsec = inode_security(new_dir);
1899 
1900 	ad.type = LSM_AUDIT_DATA_DENTRY;
1901 
1902 	ad.u.dentry = old_dentry;
1903 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1904 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1905 	if (rc)
1906 		return rc;
1907 	rc = avc_has_perm(sid, old_isec->sid,
1908 			  old_isec->sclass, FILE__RENAME, &ad);
1909 	if (rc)
1910 		return rc;
1911 	if (old_is_dir && new_dir != old_dir) {
1912 		rc = avc_has_perm(sid, old_isec->sid,
1913 				  old_isec->sclass, DIR__REPARENT, &ad);
1914 		if (rc)
1915 			return rc;
1916 	}
1917 
1918 	ad.u.dentry = new_dentry;
1919 	av = DIR__ADD_NAME | DIR__SEARCH;
1920 	if (d_is_positive(new_dentry))
1921 		av |= DIR__REMOVE_NAME;
1922 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1923 	if (rc)
1924 		return rc;
1925 	if (d_is_positive(new_dentry)) {
1926 		new_isec = backing_inode_security(new_dentry);
1927 		new_is_dir = d_is_dir(new_dentry);
1928 		rc = avc_has_perm(sid, new_isec->sid,
1929 				  new_isec->sclass,
1930 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1931 		if (rc)
1932 			return rc;
1933 	}
1934 
1935 	return 0;
1936 }
1937 
1938 /* Check whether a task can perform a filesystem operation. */
1939 static int superblock_has_perm(const struct cred *cred,
1940 			       struct super_block *sb,
1941 			       u32 perms,
1942 			       struct common_audit_data *ad)
1943 {
1944 	struct superblock_security_struct *sbsec;
1945 	u32 sid = cred_sid(cred);
1946 
1947 	sbsec = selinux_superblock(sb);
1948 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1949 }
1950 
1951 /* Convert a Linux mode and permission mask to an access vector. */
1952 static inline u32 file_mask_to_av(int mode, int mask)
1953 {
1954 	u32 av = 0;
1955 
1956 	if (!S_ISDIR(mode)) {
1957 		if (mask & MAY_EXEC)
1958 			av |= FILE__EXECUTE;
1959 		if (mask & MAY_READ)
1960 			av |= FILE__READ;
1961 
1962 		if (mask & MAY_APPEND)
1963 			av |= FILE__APPEND;
1964 		else if (mask & MAY_WRITE)
1965 			av |= FILE__WRITE;
1966 
1967 	} else {
1968 		if (mask & MAY_EXEC)
1969 			av |= DIR__SEARCH;
1970 		if (mask & MAY_WRITE)
1971 			av |= DIR__WRITE;
1972 		if (mask & MAY_READ)
1973 			av |= DIR__READ;
1974 	}
1975 
1976 	return av;
1977 }
1978 
1979 /* Convert a Linux file to an access vector. */
1980 static inline u32 file_to_av(const struct file *file)
1981 {
1982 	u32 av = 0;
1983 
1984 	if (file->f_mode & FMODE_READ)
1985 		av |= FILE__READ;
1986 	if (file->f_mode & FMODE_WRITE) {
1987 		if (file->f_flags & O_APPEND)
1988 			av |= FILE__APPEND;
1989 		else
1990 			av |= FILE__WRITE;
1991 	}
1992 	if (!av) {
1993 		/*
1994 		 * Special file opened with flags 3 for ioctl-only use.
1995 		 */
1996 		av = FILE__IOCTL;
1997 	}
1998 
1999 	return av;
2000 }
2001 
2002 /*
2003  * Convert a file to an access vector and include the correct
2004  * open permission.
2005  */
2006 static inline u32 open_file_to_av(struct file *file)
2007 {
2008 	u32 av = file_to_av(file);
2009 	struct inode *inode = file_inode(file);
2010 
2011 	if (selinux_policycap_openperm() &&
2012 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2013 		av |= FILE__OPEN;
2014 
2015 	return av;
2016 }
2017 
2018 /* Hook functions begin here. */
2019 
2020 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2021 {
2022 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2023 			    BINDER__SET_CONTEXT_MGR, NULL);
2024 }
2025 
2026 static int selinux_binder_transaction(const struct cred *from,
2027 				      const struct cred *to)
2028 {
2029 	u32 mysid = current_sid();
2030 	u32 fromsid = cred_sid(from);
2031 	u32 tosid = cred_sid(to);
2032 	int rc;
2033 
2034 	if (mysid != fromsid) {
2035 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2036 				  BINDER__IMPERSONATE, NULL);
2037 		if (rc)
2038 			return rc;
2039 	}
2040 
2041 	return avc_has_perm(fromsid, tosid,
2042 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2043 }
2044 
2045 static int selinux_binder_transfer_binder(const struct cred *from,
2046 					  const struct cred *to)
2047 {
2048 	return avc_has_perm(cred_sid(from), cred_sid(to),
2049 			    SECCLASS_BINDER, BINDER__TRANSFER,
2050 			    NULL);
2051 }
2052 
2053 static int selinux_binder_transfer_file(const struct cred *from,
2054 					const struct cred *to,
2055 					const struct file *file)
2056 {
2057 	u32 sid = cred_sid(to);
2058 	struct file_security_struct *fsec = selinux_file(file);
2059 	struct dentry *dentry = file->f_path.dentry;
2060 	struct inode_security_struct *isec;
2061 	struct common_audit_data ad;
2062 	int rc;
2063 
2064 	ad.type = LSM_AUDIT_DATA_PATH;
2065 	ad.u.path = file->f_path;
2066 
2067 	if (sid != fsec->sid) {
2068 		rc = avc_has_perm(sid, fsec->sid,
2069 				  SECCLASS_FD,
2070 				  FD__USE,
2071 				  &ad);
2072 		if (rc)
2073 			return rc;
2074 	}
2075 
2076 #ifdef CONFIG_BPF_SYSCALL
2077 	rc = bpf_fd_pass(file, sid);
2078 	if (rc)
2079 		return rc;
2080 #endif
2081 
2082 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2083 		return 0;
2084 
2085 	isec = backing_inode_security(dentry);
2086 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2087 			    &ad);
2088 }
2089 
2090 static int selinux_ptrace_access_check(struct task_struct *child,
2091 				       unsigned int mode)
2092 {
2093 	u32 sid = current_sid();
2094 	u32 csid = task_sid_obj(child);
2095 
2096 	if (mode & PTRACE_MODE_READ)
2097 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2098 				NULL);
2099 
2100 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2101 			NULL);
2102 }
2103 
2104 static int selinux_ptrace_traceme(struct task_struct *parent)
2105 {
2106 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2107 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2108 }
2109 
2110 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2111 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2112 {
2113 	return avc_has_perm(current_sid(), task_sid_obj(target),
2114 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2115 }
2116 
2117 static int selinux_capset(struct cred *new, const struct cred *old,
2118 			  const kernel_cap_t *effective,
2119 			  const kernel_cap_t *inheritable,
2120 			  const kernel_cap_t *permitted)
2121 {
2122 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2123 			    PROCESS__SETCAP, NULL);
2124 }
2125 
2126 /*
2127  * (This comment used to live with the selinux_task_setuid hook,
2128  * which was removed).
2129  *
2130  * Since setuid only affects the current process, and since the SELinux
2131  * controls are not based on the Linux identity attributes, SELinux does not
2132  * need to control this operation.  However, SELinux does control the use of
2133  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2134  */
2135 
2136 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2137 			   int cap, unsigned int opts)
2138 {
2139 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2140 }
2141 
2142 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2143 {
2144 	const struct cred *cred = current_cred();
2145 	int rc = 0;
2146 
2147 	if (!sb)
2148 		return 0;
2149 
2150 	switch (cmds) {
2151 	case Q_SYNC:
2152 	case Q_QUOTAON:
2153 	case Q_QUOTAOFF:
2154 	case Q_SETINFO:
2155 	case Q_SETQUOTA:
2156 	case Q_XQUOTAOFF:
2157 	case Q_XQUOTAON:
2158 	case Q_XSETQLIM:
2159 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2160 		break;
2161 	case Q_GETFMT:
2162 	case Q_GETINFO:
2163 	case Q_GETQUOTA:
2164 	case Q_XGETQUOTA:
2165 	case Q_XGETQSTAT:
2166 	case Q_XGETQSTATV:
2167 	case Q_XGETNEXTQUOTA:
2168 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2169 		break;
2170 	default:
2171 		rc = 0;  /* let the kernel handle invalid cmds */
2172 		break;
2173 	}
2174 	return rc;
2175 }
2176 
2177 static int selinux_quota_on(struct dentry *dentry)
2178 {
2179 	const struct cred *cred = current_cred();
2180 
2181 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2182 }
2183 
2184 static int selinux_syslog(int type)
2185 {
2186 	switch (type) {
2187 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2188 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2189 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2190 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2191 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2192 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2193 	/* Set level of messages printed to console */
2194 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2195 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2196 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2197 				    NULL);
2198 	}
2199 	/* All other syslog types */
2200 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2201 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2202 }
2203 
2204 /*
2205  * Check that a process has enough memory to allocate a new virtual
2206  * mapping. 0 means there is enough memory for the allocation to
2207  * succeed and -ENOMEM implies there is not.
2208  *
2209  * Do not audit the selinux permission check, as this is applied to all
2210  * processes that allocate mappings.
2211  */
2212 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2213 {
2214 	int rc, cap_sys_admin = 0;
2215 
2216 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2217 				 CAP_OPT_NOAUDIT, true);
2218 	if (rc == 0)
2219 		cap_sys_admin = 1;
2220 
2221 	return cap_sys_admin;
2222 }
2223 
2224 /* binprm security operations */
2225 
2226 static u32 ptrace_parent_sid(void)
2227 {
2228 	u32 sid = 0;
2229 	struct task_struct *tracer;
2230 
2231 	rcu_read_lock();
2232 	tracer = ptrace_parent(current);
2233 	if (tracer)
2234 		sid = task_sid_obj(tracer);
2235 	rcu_read_unlock();
2236 
2237 	return sid;
2238 }
2239 
2240 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2241 			    const struct task_security_struct *old_tsec,
2242 			    const struct task_security_struct *new_tsec)
2243 {
2244 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2245 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2246 	int rc;
2247 	u32 av;
2248 
2249 	if (!nnp && !nosuid)
2250 		return 0; /* neither NNP nor nosuid */
2251 
2252 	if (new_tsec->sid == old_tsec->sid)
2253 		return 0; /* No change in credentials */
2254 
2255 	/*
2256 	 * If the policy enables the nnp_nosuid_transition policy capability,
2257 	 * then we permit transitions under NNP or nosuid if the
2258 	 * policy allows the corresponding permission between
2259 	 * the old and new contexts.
2260 	 */
2261 	if (selinux_policycap_nnp_nosuid_transition()) {
2262 		av = 0;
2263 		if (nnp)
2264 			av |= PROCESS2__NNP_TRANSITION;
2265 		if (nosuid)
2266 			av |= PROCESS2__NOSUID_TRANSITION;
2267 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2268 				  SECCLASS_PROCESS2, av, NULL);
2269 		if (!rc)
2270 			return 0;
2271 	}
2272 
2273 	/*
2274 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2275 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2276 	 * of the permissions of the current SID.
2277 	 */
2278 	rc = security_bounded_transition(old_tsec->sid,
2279 					 new_tsec->sid);
2280 	if (!rc)
2281 		return 0;
2282 
2283 	/*
2284 	 * On failure, preserve the errno values for NNP vs nosuid.
2285 	 * NNP:  Operation not permitted for caller.
2286 	 * nosuid:  Permission denied to file.
2287 	 */
2288 	if (nnp)
2289 		return -EPERM;
2290 	return -EACCES;
2291 }
2292 
2293 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2294 {
2295 	const struct task_security_struct *old_tsec;
2296 	struct task_security_struct *new_tsec;
2297 	struct inode_security_struct *isec;
2298 	struct common_audit_data ad;
2299 	struct inode *inode = file_inode(bprm->file);
2300 	int rc;
2301 
2302 	/* SELinux context only depends on initial program or script and not
2303 	 * the script interpreter */
2304 
2305 	old_tsec = selinux_cred(current_cred());
2306 	new_tsec = selinux_cred(bprm->cred);
2307 	isec = inode_security(inode);
2308 
2309 	/* Default to the current task SID. */
2310 	new_tsec->sid = old_tsec->sid;
2311 	new_tsec->osid = old_tsec->sid;
2312 
2313 	/* Reset fs, key, and sock SIDs on execve. */
2314 	new_tsec->create_sid = 0;
2315 	new_tsec->keycreate_sid = 0;
2316 	new_tsec->sockcreate_sid = 0;
2317 
2318 	if (old_tsec->exec_sid) {
2319 		new_tsec->sid = old_tsec->exec_sid;
2320 		/* Reset exec SID on execve. */
2321 		new_tsec->exec_sid = 0;
2322 
2323 		/* Fail on NNP or nosuid if not an allowed transition. */
2324 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2325 		if (rc)
2326 			return rc;
2327 	} else {
2328 		/* Check for a default transition on this program. */
2329 		rc = security_transition_sid(old_tsec->sid,
2330 					     isec->sid, SECCLASS_PROCESS, NULL,
2331 					     &new_tsec->sid);
2332 		if (rc)
2333 			return rc;
2334 
2335 		/*
2336 		 * Fallback to old SID on NNP or nosuid if not an allowed
2337 		 * transition.
2338 		 */
2339 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2340 		if (rc)
2341 			new_tsec->sid = old_tsec->sid;
2342 	}
2343 
2344 	ad.type = LSM_AUDIT_DATA_FILE;
2345 	ad.u.file = bprm->file;
2346 
2347 	if (new_tsec->sid == old_tsec->sid) {
2348 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2349 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2350 		if (rc)
2351 			return rc;
2352 	} else {
2353 		/* Check permissions for the transition. */
2354 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2355 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2356 		if (rc)
2357 			return rc;
2358 
2359 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2360 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2361 		if (rc)
2362 			return rc;
2363 
2364 		/* Check for shared state */
2365 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2366 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2367 					  SECCLASS_PROCESS, PROCESS__SHARE,
2368 					  NULL);
2369 			if (rc)
2370 				return -EPERM;
2371 		}
2372 
2373 		/* Make sure that anyone attempting to ptrace over a task that
2374 		 * changes its SID has the appropriate permit */
2375 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2376 			u32 ptsid = ptrace_parent_sid();
2377 			if (ptsid != 0) {
2378 				rc = avc_has_perm(ptsid, new_tsec->sid,
2379 						  SECCLASS_PROCESS,
2380 						  PROCESS__PTRACE, NULL);
2381 				if (rc)
2382 					return -EPERM;
2383 			}
2384 		}
2385 
2386 		/* Clear any possibly unsafe personality bits on exec: */
2387 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2388 
2389 		/* Enable secure mode for SIDs transitions unless
2390 		   the noatsecure permission is granted between
2391 		   the two SIDs, i.e. ahp returns 0. */
2392 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2393 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2394 				  NULL);
2395 		bprm->secureexec |= !!rc;
2396 	}
2397 
2398 	return 0;
2399 }
2400 
2401 static int match_file(const void *p, struct file *file, unsigned fd)
2402 {
2403 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2404 }
2405 
2406 /* Derived from fs/exec.c:flush_old_files. */
2407 static inline void flush_unauthorized_files(const struct cred *cred,
2408 					    struct files_struct *files)
2409 {
2410 	struct file *file, *devnull = NULL;
2411 	struct tty_struct *tty;
2412 	int drop_tty = 0;
2413 	unsigned n;
2414 
2415 	tty = get_current_tty();
2416 	if (tty) {
2417 		spin_lock(&tty->files_lock);
2418 		if (!list_empty(&tty->tty_files)) {
2419 			struct tty_file_private *file_priv;
2420 
2421 			/* Revalidate access to controlling tty.
2422 			   Use file_path_has_perm on the tty path directly
2423 			   rather than using file_has_perm, as this particular
2424 			   open file may belong to another process and we are
2425 			   only interested in the inode-based check here. */
2426 			file_priv = list_first_entry(&tty->tty_files,
2427 						struct tty_file_private, list);
2428 			file = file_priv->file;
2429 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2430 				drop_tty = 1;
2431 		}
2432 		spin_unlock(&tty->files_lock);
2433 		tty_kref_put(tty);
2434 	}
2435 	/* Reset controlling tty. */
2436 	if (drop_tty)
2437 		no_tty();
2438 
2439 	/* Revalidate access to inherited open files. */
2440 	n = iterate_fd(files, 0, match_file, cred);
2441 	if (!n) /* none found? */
2442 		return;
2443 
2444 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2445 	if (IS_ERR(devnull))
2446 		devnull = NULL;
2447 	/* replace all the matching ones with this */
2448 	do {
2449 		replace_fd(n - 1, devnull, 0);
2450 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2451 	if (devnull)
2452 		fput(devnull);
2453 }
2454 
2455 /*
2456  * Prepare a process for imminent new credential changes due to exec
2457  */
2458 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2459 {
2460 	struct task_security_struct *new_tsec;
2461 	struct rlimit *rlim, *initrlim;
2462 	int rc, i;
2463 
2464 	new_tsec = selinux_cred(bprm->cred);
2465 	if (new_tsec->sid == new_tsec->osid)
2466 		return;
2467 
2468 	/* Close files for which the new task SID is not authorized. */
2469 	flush_unauthorized_files(bprm->cred, current->files);
2470 
2471 	/* Always clear parent death signal on SID transitions. */
2472 	current->pdeath_signal = 0;
2473 
2474 	/* Check whether the new SID can inherit resource limits from the old
2475 	 * SID.  If not, reset all soft limits to the lower of the current
2476 	 * task's hard limit and the init task's soft limit.
2477 	 *
2478 	 * Note that the setting of hard limits (even to lower them) can be
2479 	 * controlled by the setrlimit check.  The inclusion of the init task's
2480 	 * soft limit into the computation is to avoid resetting soft limits
2481 	 * higher than the default soft limit for cases where the default is
2482 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2483 	 */
2484 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2485 			  PROCESS__RLIMITINH, NULL);
2486 	if (rc) {
2487 		/* protect against do_prlimit() */
2488 		task_lock(current);
2489 		for (i = 0; i < RLIM_NLIMITS; i++) {
2490 			rlim = current->signal->rlim + i;
2491 			initrlim = init_task.signal->rlim + i;
2492 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2493 		}
2494 		task_unlock(current);
2495 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2496 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2497 	}
2498 }
2499 
2500 /*
2501  * Clean up the process immediately after the installation of new credentials
2502  * due to exec
2503  */
2504 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2505 {
2506 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2507 	u32 osid, sid;
2508 	int rc;
2509 
2510 	osid = tsec->osid;
2511 	sid = tsec->sid;
2512 
2513 	if (sid == osid)
2514 		return;
2515 
2516 	/* Check whether the new SID can inherit signal state from the old SID.
2517 	 * If not, clear itimers to avoid subsequent signal generation and
2518 	 * flush and unblock signals.
2519 	 *
2520 	 * This must occur _after_ the task SID has been updated so that any
2521 	 * kill done after the flush will be checked against the new SID.
2522 	 */
2523 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2524 	if (rc) {
2525 		clear_itimer();
2526 
2527 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2528 		if (!fatal_signal_pending(current)) {
2529 			flush_sigqueue(&current->pending);
2530 			flush_sigqueue(&current->signal->shared_pending);
2531 			flush_signal_handlers(current, 1);
2532 			sigemptyset(&current->blocked);
2533 			recalc_sigpending();
2534 		}
2535 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2536 	}
2537 
2538 	/* Wake up the parent if it is waiting so that it can recheck
2539 	 * wait permission to the new task SID. */
2540 	read_lock(&tasklist_lock);
2541 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2542 	read_unlock(&tasklist_lock);
2543 }
2544 
2545 /* superblock security operations */
2546 
2547 static int selinux_sb_alloc_security(struct super_block *sb)
2548 {
2549 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2550 
2551 	mutex_init(&sbsec->lock);
2552 	INIT_LIST_HEAD(&sbsec->isec_head);
2553 	spin_lock_init(&sbsec->isec_lock);
2554 	sbsec->sid = SECINITSID_UNLABELED;
2555 	sbsec->def_sid = SECINITSID_FILE;
2556 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2557 
2558 	return 0;
2559 }
2560 
2561 static inline int opt_len(const char *s)
2562 {
2563 	bool open_quote = false;
2564 	int len;
2565 	char c;
2566 
2567 	for (len = 0; (c = s[len]) != '\0'; len++) {
2568 		if (c == '"')
2569 			open_quote = !open_quote;
2570 		if (c == ',' && !open_quote)
2571 			break;
2572 	}
2573 	return len;
2574 }
2575 
2576 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2577 {
2578 	char *from = options;
2579 	char *to = options;
2580 	bool first = true;
2581 	int rc;
2582 
2583 	while (1) {
2584 		int len = opt_len(from);
2585 		int token;
2586 		char *arg = NULL;
2587 
2588 		token = match_opt_prefix(from, len, &arg);
2589 
2590 		if (token != Opt_error) {
2591 			char *p, *q;
2592 
2593 			/* strip quotes */
2594 			if (arg) {
2595 				for (p = q = arg; p < from + len; p++) {
2596 					char c = *p;
2597 					if (c != '"')
2598 						*q++ = c;
2599 				}
2600 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2601 				if (!arg) {
2602 					rc = -ENOMEM;
2603 					goto free_opt;
2604 				}
2605 			}
2606 			rc = selinux_add_opt(token, arg, mnt_opts);
2607 			kfree(arg);
2608 			arg = NULL;
2609 			if (unlikely(rc)) {
2610 				goto free_opt;
2611 			}
2612 		} else {
2613 			if (!first) {	// copy with preceding comma
2614 				from--;
2615 				len++;
2616 			}
2617 			if (to != from)
2618 				memmove(to, from, len);
2619 			to += len;
2620 			first = false;
2621 		}
2622 		if (!from[len])
2623 			break;
2624 		from += len + 1;
2625 	}
2626 	*to = '\0';
2627 	return 0;
2628 
2629 free_opt:
2630 	if (*mnt_opts) {
2631 		selinux_free_mnt_opts(*mnt_opts);
2632 		*mnt_opts = NULL;
2633 	}
2634 	return rc;
2635 }
2636 
2637 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2638 {
2639 	struct selinux_mnt_opts *opts = mnt_opts;
2640 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2641 
2642 	/*
2643 	 * Superblock not initialized (i.e. no options) - reject if any
2644 	 * options specified, otherwise accept.
2645 	 */
2646 	if (!(sbsec->flags & SE_SBINITIALIZED))
2647 		return opts ? 1 : 0;
2648 
2649 	/*
2650 	 * Superblock initialized and no options specified - reject if
2651 	 * superblock has any options set, otherwise accept.
2652 	 */
2653 	if (!opts)
2654 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2655 
2656 	if (opts->fscontext_sid) {
2657 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2658 			       opts->fscontext_sid))
2659 			return 1;
2660 	}
2661 	if (opts->context_sid) {
2662 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2663 			       opts->context_sid))
2664 			return 1;
2665 	}
2666 	if (opts->rootcontext_sid) {
2667 		struct inode_security_struct *root_isec;
2668 
2669 		root_isec = backing_inode_security(sb->s_root);
2670 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2671 			       opts->rootcontext_sid))
2672 			return 1;
2673 	}
2674 	if (opts->defcontext_sid) {
2675 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2676 			       opts->defcontext_sid))
2677 			return 1;
2678 	}
2679 	return 0;
2680 }
2681 
2682 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2683 {
2684 	struct selinux_mnt_opts *opts = mnt_opts;
2685 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2686 
2687 	if (!(sbsec->flags & SE_SBINITIALIZED))
2688 		return 0;
2689 
2690 	if (!opts)
2691 		return 0;
2692 
2693 	if (opts->fscontext_sid) {
2694 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2695 			       opts->fscontext_sid))
2696 			goto out_bad_option;
2697 	}
2698 	if (opts->context_sid) {
2699 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2700 			       opts->context_sid))
2701 			goto out_bad_option;
2702 	}
2703 	if (opts->rootcontext_sid) {
2704 		struct inode_security_struct *root_isec;
2705 		root_isec = backing_inode_security(sb->s_root);
2706 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2707 			       opts->rootcontext_sid))
2708 			goto out_bad_option;
2709 	}
2710 	if (opts->defcontext_sid) {
2711 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2712 			       opts->defcontext_sid))
2713 			goto out_bad_option;
2714 	}
2715 	return 0;
2716 
2717 out_bad_option:
2718 	pr_warn("SELinux: unable to change security options "
2719 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2720 	       sb->s_type->name);
2721 	return -EINVAL;
2722 }
2723 
2724 static int selinux_sb_kern_mount(struct super_block *sb)
2725 {
2726 	const struct cred *cred = current_cred();
2727 	struct common_audit_data ad;
2728 
2729 	ad.type = LSM_AUDIT_DATA_DENTRY;
2730 	ad.u.dentry = sb->s_root;
2731 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2732 }
2733 
2734 static int selinux_sb_statfs(struct dentry *dentry)
2735 {
2736 	const struct cred *cred = current_cred();
2737 	struct common_audit_data ad;
2738 
2739 	ad.type = LSM_AUDIT_DATA_DENTRY;
2740 	ad.u.dentry = dentry->d_sb->s_root;
2741 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2742 }
2743 
2744 static int selinux_mount(const char *dev_name,
2745 			 const struct path *path,
2746 			 const char *type,
2747 			 unsigned long flags,
2748 			 void *data)
2749 {
2750 	const struct cred *cred = current_cred();
2751 
2752 	if (flags & MS_REMOUNT)
2753 		return superblock_has_perm(cred, path->dentry->d_sb,
2754 					   FILESYSTEM__REMOUNT, NULL);
2755 	else
2756 		return path_has_perm(cred, path, FILE__MOUNTON);
2757 }
2758 
2759 static int selinux_move_mount(const struct path *from_path,
2760 			      const struct path *to_path)
2761 {
2762 	const struct cred *cred = current_cred();
2763 
2764 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2765 }
2766 
2767 static int selinux_umount(struct vfsmount *mnt, int flags)
2768 {
2769 	const struct cred *cred = current_cred();
2770 
2771 	return superblock_has_perm(cred, mnt->mnt_sb,
2772 				   FILESYSTEM__UNMOUNT, NULL);
2773 }
2774 
2775 static int selinux_fs_context_submount(struct fs_context *fc,
2776 				   struct super_block *reference)
2777 {
2778 	const struct superblock_security_struct *sbsec;
2779 	struct selinux_mnt_opts *opts;
2780 
2781 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2782 	if (!opts)
2783 		return -ENOMEM;
2784 
2785 	sbsec = selinux_superblock(reference);
2786 	if (sbsec->flags & FSCONTEXT_MNT)
2787 		opts->fscontext_sid = sbsec->sid;
2788 	if (sbsec->flags & CONTEXT_MNT)
2789 		opts->context_sid = sbsec->mntpoint_sid;
2790 	if (sbsec->flags & DEFCONTEXT_MNT)
2791 		opts->defcontext_sid = sbsec->def_sid;
2792 	fc->security = opts;
2793 	return 0;
2794 }
2795 
2796 static int selinux_fs_context_dup(struct fs_context *fc,
2797 				  struct fs_context *src_fc)
2798 {
2799 	const struct selinux_mnt_opts *src = src_fc->security;
2800 
2801 	if (!src)
2802 		return 0;
2803 
2804 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2805 	return fc->security ? 0 : -ENOMEM;
2806 }
2807 
2808 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2809 	fsparam_string(CONTEXT_STR,	Opt_context),
2810 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2811 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2812 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2813 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2814 	{}
2815 };
2816 
2817 static int selinux_fs_context_parse_param(struct fs_context *fc,
2818 					  struct fs_parameter *param)
2819 {
2820 	struct fs_parse_result result;
2821 	int opt;
2822 
2823 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2824 	if (opt < 0)
2825 		return opt;
2826 
2827 	return selinux_add_opt(opt, param->string, &fc->security);
2828 }
2829 
2830 /* inode security operations */
2831 
2832 static int selinux_inode_alloc_security(struct inode *inode)
2833 {
2834 	struct inode_security_struct *isec = selinux_inode(inode);
2835 	u32 sid = current_sid();
2836 
2837 	spin_lock_init(&isec->lock);
2838 	INIT_LIST_HEAD(&isec->list);
2839 	isec->inode = inode;
2840 	isec->sid = SECINITSID_UNLABELED;
2841 	isec->sclass = SECCLASS_FILE;
2842 	isec->task_sid = sid;
2843 	isec->initialized = LABEL_INVALID;
2844 
2845 	return 0;
2846 }
2847 
2848 static void selinux_inode_free_security(struct inode *inode)
2849 {
2850 	inode_free_security(inode);
2851 }
2852 
2853 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2854 					const struct qstr *name,
2855 					const char **xattr_name, void **ctx,
2856 					u32 *ctxlen)
2857 {
2858 	u32 newsid;
2859 	int rc;
2860 
2861 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2862 					   d_inode(dentry->d_parent), name,
2863 					   inode_mode_to_security_class(mode),
2864 					   &newsid);
2865 	if (rc)
2866 		return rc;
2867 
2868 	if (xattr_name)
2869 		*xattr_name = XATTR_NAME_SELINUX;
2870 
2871 	return security_sid_to_context(newsid, (char **)ctx,
2872 				       ctxlen);
2873 }
2874 
2875 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2876 					  struct qstr *name,
2877 					  const struct cred *old,
2878 					  struct cred *new)
2879 {
2880 	u32 newsid;
2881 	int rc;
2882 	struct task_security_struct *tsec;
2883 
2884 	rc = selinux_determine_inode_label(selinux_cred(old),
2885 					   d_inode(dentry->d_parent), name,
2886 					   inode_mode_to_security_class(mode),
2887 					   &newsid);
2888 	if (rc)
2889 		return rc;
2890 
2891 	tsec = selinux_cred(new);
2892 	tsec->create_sid = newsid;
2893 	return 0;
2894 }
2895 
2896 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2897 				       const struct qstr *qstr,
2898 				       struct xattr *xattrs, int *xattr_count)
2899 {
2900 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2901 	struct superblock_security_struct *sbsec;
2902 	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2903 	u32 newsid, clen;
2904 	int rc;
2905 	char *context;
2906 
2907 	sbsec = selinux_superblock(dir->i_sb);
2908 
2909 	newsid = tsec->create_sid;
2910 
2911 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2912 		inode_mode_to_security_class(inode->i_mode),
2913 		&newsid);
2914 	if (rc)
2915 		return rc;
2916 
2917 	/* Possibly defer initialization to selinux_complete_init. */
2918 	if (sbsec->flags & SE_SBINITIALIZED) {
2919 		struct inode_security_struct *isec = selinux_inode(inode);
2920 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2921 		isec->sid = newsid;
2922 		isec->initialized = LABEL_INITIALIZED;
2923 	}
2924 
2925 	if (!selinux_initialized() ||
2926 	    !(sbsec->flags & SBLABEL_MNT))
2927 		return -EOPNOTSUPP;
2928 
2929 	if (xattr) {
2930 		rc = security_sid_to_context_force(newsid,
2931 						   &context, &clen);
2932 		if (rc)
2933 			return rc;
2934 		xattr->value = context;
2935 		xattr->value_len = clen;
2936 		xattr->name = XATTR_SELINUX_SUFFIX;
2937 	}
2938 
2939 	return 0;
2940 }
2941 
2942 static int selinux_inode_init_security_anon(struct inode *inode,
2943 					    const struct qstr *name,
2944 					    const struct inode *context_inode)
2945 {
2946 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2947 	struct common_audit_data ad;
2948 	struct inode_security_struct *isec;
2949 	int rc;
2950 
2951 	if (unlikely(!selinux_initialized()))
2952 		return 0;
2953 
2954 	isec = selinux_inode(inode);
2955 
2956 	/*
2957 	 * We only get here once per ephemeral inode.  The inode has
2958 	 * been initialized via inode_alloc_security but is otherwise
2959 	 * untouched.
2960 	 */
2961 
2962 	if (context_inode) {
2963 		struct inode_security_struct *context_isec =
2964 			selinux_inode(context_inode);
2965 		if (context_isec->initialized != LABEL_INITIALIZED) {
2966 			pr_err("SELinux:  context_inode is not initialized\n");
2967 			return -EACCES;
2968 		}
2969 
2970 		isec->sclass = context_isec->sclass;
2971 		isec->sid = context_isec->sid;
2972 	} else {
2973 		isec->sclass = SECCLASS_ANON_INODE;
2974 		rc = security_transition_sid(
2975 			tsec->sid, tsec->sid,
2976 			isec->sclass, name, &isec->sid);
2977 		if (rc)
2978 			return rc;
2979 	}
2980 
2981 	isec->initialized = LABEL_INITIALIZED;
2982 	/*
2983 	 * Now that we've initialized security, check whether we're
2984 	 * allowed to actually create this type of anonymous inode.
2985 	 */
2986 
2987 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2988 	ad.u.anonclass = name ? (const char *)name->name : "?";
2989 
2990 	return avc_has_perm(tsec->sid,
2991 			    isec->sid,
2992 			    isec->sclass,
2993 			    FILE__CREATE,
2994 			    &ad);
2995 }
2996 
2997 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2998 {
2999 	return may_create(dir, dentry, SECCLASS_FILE);
3000 }
3001 
3002 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3003 {
3004 	return may_link(dir, old_dentry, MAY_LINK);
3005 }
3006 
3007 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3008 {
3009 	return may_link(dir, dentry, MAY_UNLINK);
3010 }
3011 
3012 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3013 {
3014 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3015 }
3016 
3017 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3018 {
3019 	return may_create(dir, dentry, SECCLASS_DIR);
3020 }
3021 
3022 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3023 {
3024 	return may_link(dir, dentry, MAY_RMDIR);
3025 }
3026 
3027 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3028 {
3029 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3030 }
3031 
3032 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3033 				struct inode *new_inode, struct dentry *new_dentry)
3034 {
3035 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3036 }
3037 
3038 static int selinux_inode_readlink(struct dentry *dentry)
3039 {
3040 	const struct cred *cred = current_cred();
3041 
3042 	return dentry_has_perm(cred, dentry, FILE__READ);
3043 }
3044 
3045 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3046 				     bool rcu)
3047 {
3048 	const struct cred *cred = current_cred();
3049 	struct common_audit_data ad;
3050 	struct inode_security_struct *isec;
3051 	u32 sid;
3052 
3053 	validate_creds(cred);
3054 
3055 	ad.type = LSM_AUDIT_DATA_DENTRY;
3056 	ad.u.dentry = dentry;
3057 	sid = cred_sid(cred);
3058 	isec = inode_security_rcu(inode, rcu);
3059 	if (IS_ERR(isec))
3060 		return PTR_ERR(isec);
3061 
3062 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3063 }
3064 
3065 static noinline int audit_inode_permission(struct inode *inode,
3066 					   u32 perms, u32 audited, u32 denied,
3067 					   int result)
3068 {
3069 	struct common_audit_data ad;
3070 	struct inode_security_struct *isec = selinux_inode(inode);
3071 
3072 	ad.type = LSM_AUDIT_DATA_INODE;
3073 	ad.u.inode = inode;
3074 
3075 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3076 			    audited, denied, result, &ad);
3077 }
3078 
3079 static int selinux_inode_permission(struct inode *inode, int mask)
3080 {
3081 	const struct cred *cred = current_cred();
3082 	u32 perms;
3083 	bool from_access;
3084 	bool no_block = mask & MAY_NOT_BLOCK;
3085 	struct inode_security_struct *isec;
3086 	u32 sid;
3087 	struct av_decision avd;
3088 	int rc, rc2;
3089 	u32 audited, denied;
3090 
3091 	from_access = mask & MAY_ACCESS;
3092 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3093 
3094 	/* No permission to check.  Existence test. */
3095 	if (!mask)
3096 		return 0;
3097 
3098 	validate_creds(cred);
3099 
3100 	if (unlikely(IS_PRIVATE(inode)))
3101 		return 0;
3102 
3103 	perms = file_mask_to_av(inode->i_mode, mask);
3104 
3105 	sid = cred_sid(cred);
3106 	isec = inode_security_rcu(inode, no_block);
3107 	if (IS_ERR(isec))
3108 		return PTR_ERR(isec);
3109 
3110 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3111 				  &avd);
3112 	audited = avc_audit_required(perms, &avd, rc,
3113 				     from_access ? FILE__AUDIT_ACCESS : 0,
3114 				     &denied);
3115 	if (likely(!audited))
3116 		return rc;
3117 
3118 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3119 	if (rc2)
3120 		return rc2;
3121 	return rc;
3122 }
3123 
3124 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125 {
3126 	const struct cred *cred = current_cred();
3127 	struct inode *inode = d_backing_inode(dentry);
3128 	unsigned int ia_valid = iattr->ia_valid;
3129 	__u32 av = FILE__WRITE;
3130 
3131 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132 	if (ia_valid & ATTR_FORCE) {
3133 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134 			      ATTR_FORCE);
3135 		if (!ia_valid)
3136 			return 0;
3137 	}
3138 
3139 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3141 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3142 
3143 	if (selinux_policycap_openperm() &&
3144 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145 	    (ia_valid & ATTR_SIZE) &&
3146 	    !(ia_valid & ATTR_FILE))
3147 		av |= FILE__OPEN;
3148 
3149 	return dentry_has_perm(cred, dentry, av);
3150 }
3151 
3152 static int selinux_inode_getattr(const struct path *path)
3153 {
3154 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3155 }
3156 
3157 static bool has_cap_mac_admin(bool audit)
3158 {
3159 	const struct cred *cred = current_cred();
3160 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3161 
3162 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3163 		return false;
3164 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3165 		return false;
3166 	return true;
3167 }
3168 
3169 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3170 				  struct dentry *dentry, const char *name,
3171 				  const void *value, size_t size, int flags)
3172 {
3173 	struct inode *inode = d_backing_inode(dentry);
3174 	struct inode_security_struct *isec;
3175 	struct superblock_security_struct *sbsec;
3176 	struct common_audit_data ad;
3177 	u32 newsid, sid = current_sid();
3178 	int rc = 0;
3179 
3180 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3181 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182 		if (rc)
3183 			return rc;
3184 
3185 		/* Not an attribute we recognize, so just check the
3186 		   ordinary setattr permission. */
3187 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188 	}
3189 
3190 	if (!selinux_initialized())
3191 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3192 
3193 	sbsec = selinux_superblock(inode->i_sb);
3194 	if (!(sbsec->flags & SBLABEL_MNT))
3195 		return -EOPNOTSUPP;
3196 
3197 	if (!inode_owner_or_capable(idmap, inode))
3198 		return -EPERM;
3199 
3200 	ad.type = LSM_AUDIT_DATA_DENTRY;
3201 	ad.u.dentry = dentry;
3202 
3203 	isec = backing_inode_security(dentry);
3204 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3205 			  FILE__RELABELFROM, &ad);
3206 	if (rc)
3207 		return rc;
3208 
3209 	rc = security_context_to_sid(value, size, &newsid,
3210 				     GFP_KERNEL);
3211 	if (rc == -EINVAL) {
3212 		if (!has_cap_mac_admin(true)) {
3213 			struct audit_buffer *ab;
3214 			size_t audit_size;
3215 
3216 			/* We strip a nul only if it is at the end, otherwise the
3217 			 * context contains a nul and we should audit that */
3218 			if (value) {
3219 				const char *str = value;
3220 
3221 				if (str[size - 1] == '\0')
3222 					audit_size = size - 1;
3223 				else
3224 					audit_size = size;
3225 			} else {
3226 				audit_size = 0;
3227 			}
3228 			ab = audit_log_start(audit_context(),
3229 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3230 			if (!ab)
3231 				return rc;
3232 			audit_log_format(ab, "op=setxattr invalid_context=");
3233 			audit_log_n_untrustedstring(ab, value, audit_size);
3234 			audit_log_end(ab);
3235 
3236 			return rc;
3237 		}
3238 		rc = security_context_to_sid_force(value,
3239 						   size, &newsid);
3240 	}
3241 	if (rc)
3242 		return rc;
3243 
3244 	rc = avc_has_perm(sid, newsid, isec->sclass,
3245 			  FILE__RELABELTO, &ad);
3246 	if (rc)
3247 		return rc;
3248 
3249 	rc = security_validate_transition(isec->sid, newsid,
3250 					  sid, isec->sclass);
3251 	if (rc)
3252 		return rc;
3253 
3254 	return avc_has_perm(newsid,
3255 			    sbsec->sid,
3256 			    SECCLASS_FILESYSTEM,
3257 			    FILESYSTEM__ASSOCIATE,
3258 			    &ad);
3259 }
3260 
3261 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3262 				 struct dentry *dentry, const char *acl_name,
3263 				 struct posix_acl *kacl)
3264 {
3265 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266 }
3267 
3268 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3269 				 struct dentry *dentry, const char *acl_name)
3270 {
3271 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272 }
3273 
3274 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3275 				    struct dentry *dentry, const char *acl_name)
3276 {
3277 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278 }
3279 
3280 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3281 					const void *value, size_t size,
3282 					int flags)
3283 {
3284 	struct inode *inode = d_backing_inode(dentry);
3285 	struct inode_security_struct *isec;
3286 	u32 newsid;
3287 	int rc;
3288 
3289 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3290 		/* Not an attribute we recognize, so nothing to do. */
3291 		return;
3292 	}
3293 
3294 	if (!selinux_initialized()) {
3295 		/* If we haven't even been initialized, then we can't validate
3296 		 * against a policy, so leave the label as invalid. It may
3297 		 * resolve to a valid label on the next revalidation try if
3298 		 * we've since initialized.
3299 		 */
3300 		return;
3301 	}
3302 
3303 	rc = security_context_to_sid_force(value, size,
3304 					   &newsid);
3305 	if (rc) {
3306 		pr_err("SELinux:  unable to map context to SID"
3307 		       "for (%s, %lu), rc=%d\n",
3308 		       inode->i_sb->s_id, inode->i_ino, -rc);
3309 		return;
3310 	}
3311 
3312 	isec = backing_inode_security(dentry);
3313 	spin_lock(&isec->lock);
3314 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3315 	isec->sid = newsid;
3316 	isec->initialized = LABEL_INITIALIZED;
3317 	spin_unlock(&isec->lock);
3318 }
3319 
3320 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3321 {
3322 	const struct cred *cred = current_cred();
3323 
3324 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3325 }
3326 
3327 static int selinux_inode_listxattr(struct dentry *dentry)
3328 {
3329 	const struct cred *cred = current_cred();
3330 
3331 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3332 }
3333 
3334 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3335 				     struct dentry *dentry, const char *name)
3336 {
3337 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3338 		int rc = cap_inode_removexattr(idmap, dentry, name);
3339 		if (rc)
3340 			return rc;
3341 
3342 		/* Not an attribute we recognize, so just check the
3343 		   ordinary setattr permission. */
3344 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345 	}
3346 
3347 	if (!selinux_initialized())
3348 		return 0;
3349 
3350 	/* No one is allowed to remove a SELinux security label.
3351 	   You can change the label, but all data must be labeled. */
3352 	return -EACCES;
3353 }
3354 
3355 static int selinux_path_notify(const struct path *path, u64 mask,
3356 						unsigned int obj_type)
3357 {
3358 	int ret;
3359 	u32 perm;
3360 
3361 	struct common_audit_data ad;
3362 
3363 	ad.type = LSM_AUDIT_DATA_PATH;
3364 	ad.u.path = *path;
3365 
3366 	/*
3367 	 * Set permission needed based on the type of mark being set.
3368 	 * Performs an additional check for sb watches.
3369 	 */
3370 	switch (obj_type) {
3371 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372 		perm = FILE__WATCH_MOUNT;
3373 		break;
3374 	case FSNOTIFY_OBJ_TYPE_SB:
3375 		perm = FILE__WATCH_SB;
3376 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377 						FILESYSTEM__WATCH, &ad);
3378 		if (ret)
3379 			return ret;
3380 		break;
3381 	case FSNOTIFY_OBJ_TYPE_INODE:
3382 		perm = FILE__WATCH;
3383 		break;
3384 	default:
3385 		return -EINVAL;
3386 	}
3387 
3388 	/* blocking watches require the file:watch_with_perm permission */
3389 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390 		perm |= FILE__WATCH_WITH_PERM;
3391 
3392 	/* watches on read-like events need the file:watch_reads permission */
3393 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394 		perm |= FILE__WATCH_READS;
3395 
3396 	return path_has_perm(current_cred(), path, perm);
3397 }
3398 
3399 /*
3400  * Copy the inode security context value to the user.
3401  *
3402  * Permission check is handled by selinux_inode_getxattr hook.
3403  */
3404 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3405 				     struct inode *inode, const char *name,
3406 				     void **buffer, bool alloc)
3407 {
3408 	u32 size;
3409 	int error;
3410 	char *context = NULL;
3411 	struct inode_security_struct *isec;
3412 
3413 	/*
3414 	 * If we're not initialized yet, then we can't validate contexts, so
3415 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3416 	 */
3417 	if (!selinux_initialized() ||
3418 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3419 		return -EOPNOTSUPP;
3420 
3421 	/*
3422 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3423 	 * value even if it is not defined by current policy; otherwise,
3424 	 * use the in-core value under current policy.
3425 	 * Use the non-auditing forms of the permission checks since
3426 	 * getxattr may be called by unprivileged processes commonly
3427 	 * and lack of permission just means that we fall back to the
3428 	 * in-core context value, not a denial.
3429 	 */
3430 	isec = inode_security(inode);
3431 	if (has_cap_mac_admin(false))
3432 		error = security_sid_to_context_force(isec->sid, &context,
3433 						      &size);
3434 	else
3435 		error = security_sid_to_context(isec->sid,
3436 						&context, &size);
3437 	if (error)
3438 		return error;
3439 	error = size;
3440 	if (alloc) {
3441 		*buffer = context;
3442 		goto out_nofree;
3443 	}
3444 	kfree(context);
3445 out_nofree:
3446 	return error;
3447 }
3448 
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 				     const void *value, size_t size, int flags)
3451 {
3452 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 	struct superblock_security_struct *sbsec;
3454 	u32 newsid;
3455 	int rc;
3456 
3457 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458 		return -EOPNOTSUPP;
3459 
3460 	sbsec = selinux_superblock(inode->i_sb);
3461 	if (!(sbsec->flags & SBLABEL_MNT))
3462 		return -EOPNOTSUPP;
3463 
3464 	if (!value || !size)
3465 		return -EACCES;
3466 
3467 	rc = security_context_to_sid(value, size, &newsid,
3468 				     GFP_KERNEL);
3469 	if (rc)
3470 		return rc;
3471 
3472 	spin_lock(&isec->lock);
3473 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 	isec->sid = newsid;
3475 	isec->initialized = LABEL_INITIALIZED;
3476 	spin_unlock(&isec->lock);
3477 	return 0;
3478 }
3479 
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 	const int len = sizeof(XATTR_NAME_SELINUX);
3483 
3484 	if (!selinux_initialized())
3485 		return 0;
3486 
3487 	if (buffer && len <= buffer_size)
3488 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3489 	return len;
3490 }
3491 
3492 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3493 {
3494 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3495 	*secid = isec->sid;
3496 }
3497 
3498 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499 {
3500 	u32 sid;
3501 	struct task_security_struct *tsec;
3502 	struct cred *new_creds = *new;
3503 
3504 	if (new_creds == NULL) {
3505 		new_creds = prepare_creds();
3506 		if (!new_creds)
3507 			return -ENOMEM;
3508 	}
3509 
3510 	tsec = selinux_cred(new_creds);
3511 	/* Get label from overlay inode and set it in create_sid */
3512 	selinux_inode_getsecid(d_inode(src), &sid);
3513 	tsec->create_sid = sid;
3514 	*new = new_creds;
3515 	return 0;
3516 }
3517 
3518 static int selinux_inode_copy_up_xattr(const char *name)
3519 {
3520 	/* The copy_up hook above sets the initial context on an inode, but we
3521 	 * don't then want to overwrite it by blindly copying all the lower
3522 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3523 	 */
3524 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525 		return 1; /* Discard */
3526 	/*
3527 	 * Any other attribute apart from SELINUX is not claimed, supported
3528 	 * by selinux.
3529 	 */
3530 	return -EOPNOTSUPP;
3531 }
3532 
3533 /* kernfs node operations */
3534 
3535 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536 					struct kernfs_node *kn)
3537 {
3538 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3539 	u32 parent_sid, newsid, clen;
3540 	int rc;
3541 	char *context;
3542 
3543 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3544 	if (rc == -ENODATA)
3545 		return 0;
3546 	else if (rc < 0)
3547 		return rc;
3548 
3549 	clen = (u32)rc;
3550 	context = kmalloc(clen, GFP_KERNEL);
3551 	if (!context)
3552 		return -ENOMEM;
3553 
3554 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3555 	if (rc < 0) {
3556 		kfree(context);
3557 		return rc;
3558 	}
3559 
3560 	rc = security_context_to_sid(context, clen, &parent_sid,
3561 				     GFP_KERNEL);
3562 	kfree(context);
3563 	if (rc)
3564 		return rc;
3565 
3566 	if (tsec->create_sid) {
3567 		newsid = tsec->create_sid;
3568 	} else {
3569 		u16 secclass = inode_mode_to_security_class(kn->mode);
3570 		struct qstr q;
3571 
3572 		q.name = kn->name;
3573 		q.hash_len = hashlen_string(kn_dir, kn->name);
3574 
3575 		rc = security_transition_sid(tsec->sid,
3576 					     parent_sid, secclass, &q,
3577 					     &newsid);
3578 		if (rc)
3579 			return rc;
3580 	}
3581 
3582 	rc = security_sid_to_context_force(newsid,
3583 					   &context, &clen);
3584 	if (rc)
3585 		return rc;
3586 
3587 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588 			      XATTR_CREATE);
3589 	kfree(context);
3590 	return rc;
3591 }
3592 
3593 
3594 /* file security operations */
3595 
3596 static int selinux_revalidate_file_permission(struct file *file, int mask)
3597 {
3598 	const struct cred *cred = current_cred();
3599 	struct inode *inode = file_inode(file);
3600 
3601 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603 		mask |= MAY_APPEND;
3604 
3605 	return file_has_perm(cred, file,
3606 			     file_mask_to_av(inode->i_mode, mask));
3607 }
3608 
3609 static int selinux_file_permission(struct file *file, int mask)
3610 {
3611 	struct inode *inode = file_inode(file);
3612 	struct file_security_struct *fsec = selinux_file(file);
3613 	struct inode_security_struct *isec;
3614 	u32 sid = current_sid();
3615 
3616 	if (!mask)
3617 		/* No permission to check.  Existence test. */
3618 		return 0;
3619 
3620 	isec = inode_security(inode);
3621 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3622 	    fsec->pseqno == avc_policy_seqno())
3623 		/* No change since file_open check. */
3624 		return 0;
3625 
3626 	return selinux_revalidate_file_permission(file, mask);
3627 }
3628 
3629 static int selinux_file_alloc_security(struct file *file)
3630 {
3631 	struct file_security_struct *fsec = selinux_file(file);
3632 	u32 sid = current_sid();
3633 
3634 	fsec->sid = sid;
3635 	fsec->fown_sid = sid;
3636 
3637 	return 0;
3638 }
3639 
3640 /*
3641  * Check whether a task has the ioctl permission and cmd
3642  * operation to an inode.
3643  */
3644 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3645 		u32 requested, u16 cmd)
3646 {
3647 	struct common_audit_data ad;
3648 	struct file_security_struct *fsec = selinux_file(file);
3649 	struct inode *inode = file_inode(file);
3650 	struct inode_security_struct *isec;
3651 	struct lsm_ioctlop_audit ioctl;
3652 	u32 ssid = cred_sid(cred);
3653 	int rc;
3654 	u8 driver = cmd >> 8;
3655 	u8 xperm = cmd & 0xff;
3656 
3657 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658 	ad.u.op = &ioctl;
3659 	ad.u.op->cmd = cmd;
3660 	ad.u.op->path = file->f_path;
3661 
3662 	if (ssid != fsec->sid) {
3663 		rc = avc_has_perm(ssid, fsec->sid,
3664 				SECCLASS_FD,
3665 				FD__USE,
3666 				&ad);
3667 		if (rc)
3668 			goto out;
3669 	}
3670 
3671 	if (unlikely(IS_PRIVATE(inode)))
3672 		return 0;
3673 
3674 	isec = inode_security(inode);
3675 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3676 				    requested, driver, xperm, &ad);
3677 out:
3678 	return rc;
3679 }
3680 
3681 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 			      unsigned long arg)
3683 {
3684 	const struct cred *cred = current_cred();
3685 	int error = 0;
3686 
3687 	switch (cmd) {
3688 	case FIONREAD:
3689 	case FIBMAP:
3690 	case FIGETBSZ:
3691 	case FS_IOC_GETFLAGS:
3692 	case FS_IOC_GETVERSION:
3693 		error = file_has_perm(cred, file, FILE__GETATTR);
3694 		break;
3695 
3696 	case FS_IOC_SETFLAGS:
3697 	case FS_IOC_SETVERSION:
3698 		error = file_has_perm(cred, file, FILE__SETATTR);
3699 		break;
3700 
3701 	/* sys_ioctl() checks */
3702 	case FIONBIO:
3703 	case FIOASYNC:
3704 		error = file_has_perm(cred, file, 0);
3705 		break;
3706 
3707 	case KDSKBENT:
3708 	case KDSKBSENT:
3709 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3710 					    CAP_OPT_NONE, true);
3711 		break;
3712 
3713 	case FIOCLEX:
3714 	case FIONCLEX:
3715 		if (!selinux_policycap_ioctl_skip_cloexec())
3716 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717 		break;
3718 
3719 	/* default case assumes that the command will go
3720 	 * to the file's ioctl() function.
3721 	 */
3722 	default:
3723 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724 	}
3725 	return error;
3726 }
3727 
3728 static int default_noexec __ro_after_init;
3729 
3730 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3731 {
3732 	const struct cred *cred = current_cred();
3733 	u32 sid = cred_sid(cred);
3734 	int rc = 0;
3735 
3736 	if (default_noexec &&
3737 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3738 				   (!shared && (prot & PROT_WRITE)))) {
3739 		/*
3740 		 * We are making executable an anonymous mapping or a
3741 		 * private file mapping that will also be writable.
3742 		 * This has an additional check.
3743 		 */
3744 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3745 				  PROCESS__EXECMEM, NULL);
3746 		if (rc)
3747 			goto error;
3748 	}
3749 
3750 	if (file) {
3751 		/* read access is always possible with a mapping */
3752 		u32 av = FILE__READ;
3753 
3754 		/* write access only matters if the mapping is shared */
3755 		if (shared && (prot & PROT_WRITE))
3756 			av |= FILE__WRITE;
3757 
3758 		if (prot & PROT_EXEC)
3759 			av |= FILE__EXECUTE;
3760 
3761 		return file_has_perm(cred, file, av);
3762 	}
3763 
3764 error:
3765 	return rc;
3766 }
3767 
3768 static int selinux_mmap_addr(unsigned long addr)
3769 {
3770 	int rc = 0;
3771 
3772 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3773 		u32 sid = current_sid();
3774 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3775 				  MEMPROTECT__MMAP_ZERO, NULL);
3776 	}
3777 
3778 	return rc;
3779 }
3780 
3781 static int selinux_mmap_file(struct file *file,
3782 			     unsigned long reqprot __always_unused,
3783 			     unsigned long prot, unsigned long flags)
3784 {
3785 	struct common_audit_data ad;
3786 	int rc;
3787 
3788 	if (file) {
3789 		ad.type = LSM_AUDIT_DATA_FILE;
3790 		ad.u.file = file;
3791 		rc = inode_has_perm(current_cred(), file_inode(file),
3792 				    FILE__MAP, &ad);
3793 		if (rc)
3794 			return rc;
3795 	}
3796 
3797 	return file_map_prot_check(file, prot,
3798 				   (flags & MAP_TYPE) == MAP_SHARED);
3799 }
3800 
3801 static int selinux_file_mprotect(struct vm_area_struct *vma,
3802 				 unsigned long reqprot __always_unused,
3803 				 unsigned long prot)
3804 {
3805 	const struct cred *cred = current_cred();
3806 	u32 sid = cred_sid(cred);
3807 
3808 	if (default_noexec &&
3809 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3810 		int rc = 0;
3811 		if (vma_is_initial_heap(vma)) {
3812 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3813 					  PROCESS__EXECHEAP, NULL);
3814 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3815 			    vma_is_stack_for_current(vma))) {
3816 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3817 					  PROCESS__EXECSTACK, NULL);
3818 		} else if (vma->vm_file && vma->anon_vma) {
3819 			/*
3820 			 * We are making executable a file mapping that has
3821 			 * had some COW done. Since pages might have been
3822 			 * written, check ability to execute the possibly
3823 			 * modified content.  This typically should only
3824 			 * occur for text relocations.
3825 			 */
3826 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3827 		}
3828 		if (rc)
3829 			return rc;
3830 	}
3831 
3832 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3833 }
3834 
3835 static int selinux_file_lock(struct file *file, unsigned int cmd)
3836 {
3837 	const struct cred *cred = current_cred();
3838 
3839 	return file_has_perm(cred, file, FILE__LOCK);
3840 }
3841 
3842 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3843 			      unsigned long arg)
3844 {
3845 	const struct cred *cred = current_cred();
3846 	int err = 0;
3847 
3848 	switch (cmd) {
3849 	case F_SETFL:
3850 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3851 			err = file_has_perm(cred, file, FILE__WRITE);
3852 			break;
3853 		}
3854 		fallthrough;
3855 	case F_SETOWN:
3856 	case F_SETSIG:
3857 	case F_GETFL:
3858 	case F_GETOWN:
3859 	case F_GETSIG:
3860 	case F_GETOWNER_UIDS:
3861 		/* Just check FD__USE permission */
3862 		err = file_has_perm(cred, file, 0);
3863 		break;
3864 	case F_GETLK:
3865 	case F_SETLK:
3866 	case F_SETLKW:
3867 	case F_OFD_GETLK:
3868 	case F_OFD_SETLK:
3869 	case F_OFD_SETLKW:
3870 #if BITS_PER_LONG == 32
3871 	case F_GETLK64:
3872 	case F_SETLK64:
3873 	case F_SETLKW64:
3874 #endif
3875 		err = file_has_perm(cred, file, FILE__LOCK);
3876 		break;
3877 	}
3878 
3879 	return err;
3880 }
3881 
3882 static void selinux_file_set_fowner(struct file *file)
3883 {
3884 	struct file_security_struct *fsec;
3885 
3886 	fsec = selinux_file(file);
3887 	fsec->fown_sid = current_sid();
3888 }
3889 
3890 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3891 				       struct fown_struct *fown, int signum)
3892 {
3893 	struct file *file;
3894 	u32 sid = task_sid_obj(tsk);
3895 	u32 perm;
3896 	struct file_security_struct *fsec;
3897 
3898 	/* struct fown_struct is never outside the context of a struct file */
3899 	file = container_of(fown, struct file, f_owner);
3900 
3901 	fsec = selinux_file(file);
3902 
3903 	if (!signum)
3904 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3905 	else
3906 		perm = signal_to_av(signum);
3907 
3908 	return avc_has_perm(fsec->fown_sid, sid,
3909 			    SECCLASS_PROCESS, perm, NULL);
3910 }
3911 
3912 static int selinux_file_receive(struct file *file)
3913 {
3914 	const struct cred *cred = current_cred();
3915 
3916 	return file_has_perm(cred, file, file_to_av(file));
3917 }
3918 
3919 static int selinux_file_open(struct file *file)
3920 {
3921 	struct file_security_struct *fsec;
3922 	struct inode_security_struct *isec;
3923 
3924 	fsec = selinux_file(file);
3925 	isec = inode_security(file_inode(file));
3926 	/*
3927 	 * Save inode label and policy sequence number
3928 	 * at open-time so that selinux_file_permission
3929 	 * can determine whether revalidation is necessary.
3930 	 * Task label is already saved in the file security
3931 	 * struct as its SID.
3932 	 */
3933 	fsec->isid = isec->sid;
3934 	fsec->pseqno = avc_policy_seqno();
3935 	/*
3936 	 * Since the inode label or policy seqno may have changed
3937 	 * between the selinux_inode_permission check and the saving
3938 	 * of state above, recheck that access is still permitted.
3939 	 * Otherwise, access might never be revalidated against the
3940 	 * new inode label or new policy.
3941 	 * This check is not redundant - do not remove.
3942 	 */
3943 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3944 }
3945 
3946 /* task security operations */
3947 
3948 static int selinux_task_alloc(struct task_struct *task,
3949 			      unsigned long clone_flags)
3950 {
3951 	u32 sid = current_sid();
3952 
3953 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3954 }
3955 
3956 /*
3957  * prepare a new set of credentials for modification
3958  */
3959 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3960 				gfp_t gfp)
3961 {
3962 	const struct task_security_struct *old_tsec = selinux_cred(old);
3963 	struct task_security_struct *tsec = selinux_cred(new);
3964 
3965 	*tsec = *old_tsec;
3966 	return 0;
3967 }
3968 
3969 /*
3970  * transfer the SELinux data to a blank set of creds
3971  */
3972 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3973 {
3974 	const struct task_security_struct *old_tsec = selinux_cred(old);
3975 	struct task_security_struct *tsec = selinux_cred(new);
3976 
3977 	*tsec = *old_tsec;
3978 }
3979 
3980 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3981 {
3982 	*secid = cred_sid(c);
3983 }
3984 
3985 /*
3986  * set the security data for a kernel service
3987  * - all the creation contexts are set to unlabelled
3988  */
3989 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3990 {
3991 	struct task_security_struct *tsec = selinux_cred(new);
3992 	u32 sid = current_sid();
3993 	int ret;
3994 
3995 	ret = avc_has_perm(sid, secid,
3996 			   SECCLASS_KERNEL_SERVICE,
3997 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3998 			   NULL);
3999 	if (ret == 0) {
4000 		tsec->sid = secid;
4001 		tsec->create_sid = 0;
4002 		tsec->keycreate_sid = 0;
4003 		tsec->sockcreate_sid = 0;
4004 	}
4005 	return ret;
4006 }
4007 
4008 /*
4009  * set the file creation context in a security record to the same as the
4010  * objective context of the specified inode
4011  */
4012 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4013 {
4014 	struct inode_security_struct *isec = inode_security(inode);
4015 	struct task_security_struct *tsec = selinux_cred(new);
4016 	u32 sid = current_sid();
4017 	int ret;
4018 
4019 	ret = avc_has_perm(sid, isec->sid,
4020 			   SECCLASS_KERNEL_SERVICE,
4021 			   KERNEL_SERVICE__CREATE_FILES_AS,
4022 			   NULL);
4023 
4024 	if (ret == 0)
4025 		tsec->create_sid = isec->sid;
4026 	return ret;
4027 }
4028 
4029 static int selinux_kernel_module_request(char *kmod_name)
4030 {
4031 	struct common_audit_data ad;
4032 
4033 	ad.type = LSM_AUDIT_DATA_KMOD;
4034 	ad.u.kmod_name = kmod_name;
4035 
4036 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4037 			    SYSTEM__MODULE_REQUEST, &ad);
4038 }
4039 
4040 static int selinux_kernel_module_from_file(struct file *file)
4041 {
4042 	struct common_audit_data ad;
4043 	struct inode_security_struct *isec;
4044 	struct file_security_struct *fsec;
4045 	u32 sid = current_sid();
4046 	int rc;
4047 
4048 	/* init_module */
4049 	if (file == NULL)
4050 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4051 					SYSTEM__MODULE_LOAD, NULL);
4052 
4053 	/* finit_module */
4054 
4055 	ad.type = LSM_AUDIT_DATA_FILE;
4056 	ad.u.file = file;
4057 
4058 	fsec = selinux_file(file);
4059 	if (sid != fsec->sid) {
4060 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4061 		if (rc)
4062 			return rc;
4063 	}
4064 
4065 	isec = inode_security(file_inode(file));
4066 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4067 				SYSTEM__MODULE_LOAD, &ad);
4068 }
4069 
4070 static int selinux_kernel_read_file(struct file *file,
4071 				    enum kernel_read_file_id id,
4072 				    bool contents)
4073 {
4074 	int rc = 0;
4075 
4076 	switch (id) {
4077 	case READING_MODULE:
4078 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4079 		break;
4080 	default:
4081 		break;
4082 	}
4083 
4084 	return rc;
4085 }
4086 
4087 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4088 {
4089 	int rc = 0;
4090 
4091 	switch (id) {
4092 	case LOADING_MODULE:
4093 		rc = selinux_kernel_module_from_file(NULL);
4094 		break;
4095 	default:
4096 		break;
4097 	}
4098 
4099 	return rc;
4100 }
4101 
4102 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4103 {
4104 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4105 			    PROCESS__SETPGID, NULL);
4106 }
4107 
4108 static int selinux_task_getpgid(struct task_struct *p)
4109 {
4110 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4111 			    PROCESS__GETPGID, NULL);
4112 }
4113 
4114 static int selinux_task_getsid(struct task_struct *p)
4115 {
4116 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4117 			    PROCESS__GETSESSION, NULL);
4118 }
4119 
4120 static void selinux_current_getsecid_subj(u32 *secid)
4121 {
4122 	*secid = current_sid();
4123 }
4124 
4125 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4126 {
4127 	*secid = task_sid_obj(p);
4128 }
4129 
4130 static int selinux_task_setnice(struct task_struct *p, int nice)
4131 {
4132 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4133 			    PROCESS__SETSCHED, NULL);
4134 }
4135 
4136 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4137 {
4138 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4139 			    PROCESS__SETSCHED, NULL);
4140 }
4141 
4142 static int selinux_task_getioprio(struct task_struct *p)
4143 {
4144 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4145 			    PROCESS__GETSCHED, NULL);
4146 }
4147 
4148 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4149 				unsigned int flags)
4150 {
4151 	u32 av = 0;
4152 
4153 	if (!flags)
4154 		return 0;
4155 	if (flags & LSM_PRLIMIT_WRITE)
4156 		av |= PROCESS__SETRLIMIT;
4157 	if (flags & LSM_PRLIMIT_READ)
4158 		av |= PROCESS__GETRLIMIT;
4159 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4160 			    SECCLASS_PROCESS, av, NULL);
4161 }
4162 
4163 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4164 		struct rlimit *new_rlim)
4165 {
4166 	struct rlimit *old_rlim = p->signal->rlim + resource;
4167 
4168 	/* Control the ability to change the hard limit (whether
4169 	   lowering or raising it), so that the hard limit can
4170 	   later be used as a safe reset point for the soft limit
4171 	   upon context transitions.  See selinux_bprm_committing_creds. */
4172 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4173 		return avc_has_perm(current_sid(), task_sid_obj(p),
4174 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4175 
4176 	return 0;
4177 }
4178 
4179 static int selinux_task_setscheduler(struct task_struct *p)
4180 {
4181 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4182 			    PROCESS__SETSCHED, NULL);
4183 }
4184 
4185 static int selinux_task_getscheduler(struct task_struct *p)
4186 {
4187 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4188 			    PROCESS__GETSCHED, NULL);
4189 }
4190 
4191 static int selinux_task_movememory(struct task_struct *p)
4192 {
4193 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4194 			    PROCESS__SETSCHED, NULL);
4195 }
4196 
4197 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4198 				int sig, const struct cred *cred)
4199 {
4200 	u32 secid;
4201 	u32 perm;
4202 
4203 	if (!sig)
4204 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4205 	else
4206 		perm = signal_to_av(sig);
4207 	if (!cred)
4208 		secid = current_sid();
4209 	else
4210 		secid = cred_sid(cred);
4211 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4212 }
4213 
4214 static void selinux_task_to_inode(struct task_struct *p,
4215 				  struct inode *inode)
4216 {
4217 	struct inode_security_struct *isec = selinux_inode(inode);
4218 	u32 sid = task_sid_obj(p);
4219 
4220 	spin_lock(&isec->lock);
4221 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4222 	isec->sid = sid;
4223 	isec->initialized = LABEL_INITIALIZED;
4224 	spin_unlock(&isec->lock);
4225 }
4226 
4227 static int selinux_userns_create(const struct cred *cred)
4228 {
4229 	u32 sid = current_sid();
4230 
4231 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4232 			USER_NAMESPACE__CREATE, NULL);
4233 }
4234 
4235 /* Returns error only if unable to parse addresses */
4236 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4237 			struct common_audit_data *ad, u8 *proto)
4238 {
4239 	int offset, ihlen, ret = -EINVAL;
4240 	struct iphdr _iph, *ih;
4241 
4242 	offset = skb_network_offset(skb);
4243 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4244 	if (ih == NULL)
4245 		goto out;
4246 
4247 	ihlen = ih->ihl * 4;
4248 	if (ihlen < sizeof(_iph))
4249 		goto out;
4250 
4251 	ad->u.net->v4info.saddr = ih->saddr;
4252 	ad->u.net->v4info.daddr = ih->daddr;
4253 	ret = 0;
4254 
4255 	if (proto)
4256 		*proto = ih->protocol;
4257 
4258 	switch (ih->protocol) {
4259 	case IPPROTO_TCP: {
4260 		struct tcphdr _tcph, *th;
4261 
4262 		if (ntohs(ih->frag_off) & IP_OFFSET)
4263 			break;
4264 
4265 		offset += ihlen;
4266 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4267 		if (th == NULL)
4268 			break;
4269 
4270 		ad->u.net->sport = th->source;
4271 		ad->u.net->dport = th->dest;
4272 		break;
4273 	}
4274 
4275 	case IPPROTO_UDP: {
4276 		struct udphdr _udph, *uh;
4277 
4278 		if (ntohs(ih->frag_off) & IP_OFFSET)
4279 			break;
4280 
4281 		offset += ihlen;
4282 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4283 		if (uh == NULL)
4284 			break;
4285 
4286 		ad->u.net->sport = uh->source;
4287 		ad->u.net->dport = uh->dest;
4288 		break;
4289 	}
4290 
4291 	case IPPROTO_DCCP: {
4292 		struct dccp_hdr _dccph, *dh;
4293 
4294 		if (ntohs(ih->frag_off) & IP_OFFSET)
4295 			break;
4296 
4297 		offset += ihlen;
4298 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4299 		if (dh == NULL)
4300 			break;
4301 
4302 		ad->u.net->sport = dh->dccph_sport;
4303 		ad->u.net->dport = dh->dccph_dport;
4304 		break;
4305 	}
4306 
4307 #if IS_ENABLED(CONFIG_IP_SCTP)
4308 	case IPPROTO_SCTP: {
4309 		struct sctphdr _sctph, *sh;
4310 
4311 		if (ntohs(ih->frag_off) & IP_OFFSET)
4312 			break;
4313 
4314 		offset += ihlen;
4315 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4316 		if (sh == NULL)
4317 			break;
4318 
4319 		ad->u.net->sport = sh->source;
4320 		ad->u.net->dport = sh->dest;
4321 		break;
4322 	}
4323 #endif
4324 	default:
4325 		break;
4326 	}
4327 out:
4328 	return ret;
4329 }
4330 
4331 #if IS_ENABLED(CONFIG_IPV6)
4332 
4333 /* Returns error only if unable to parse addresses */
4334 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4335 			struct common_audit_data *ad, u8 *proto)
4336 {
4337 	u8 nexthdr;
4338 	int ret = -EINVAL, offset;
4339 	struct ipv6hdr _ipv6h, *ip6;
4340 	__be16 frag_off;
4341 
4342 	offset = skb_network_offset(skb);
4343 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4344 	if (ip6 == NULL)
4345 		goto out;
4346 
4347 	ad->u.net->v6info.saddr = ip6->saddr;
4348 	ad->u.net->v6info.daddr = ip6->daddr;
4349 	ret = 0;
4350 
4351 	nexthdr = ip6->nexthdr;
4352 	offset += sizeof(_ipv6h);
4353 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4354 	if (offset < 0)
4355 		goto out;
4356 
4357 	if (proto)
4358 		*proto = nexthdr;
4359 
4360 	switch (nexthdr) {
4361 	case IPPROTO_TCP: {
4362 		struct tcphdr _tcph, *th;
4363 
4364 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4365 		if (th == NULL)
4366 			break;
4367 
4368 		ad->u.net->sport = th->source;
4369 		ad->u.net->dport = th->dest;
4370 		break;
4371 	}
4372 
4373 	case IPPROTO_UDP: {
4374 		struct udphdr _udph, *uh;
4375 
4376 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4377 		if (uh == NULL)
4378 			break;
4379 
4380 		ad->u.net->sport = uh->source;
4381 		ad->u.net->dport = uh->dest;
4382 		break;
4383 	}
4384 
4385 	case IPPROTO_DCCP: {
4386 		struct dccp_hdr _dccph, *dh;
4387 
4388 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4389 		if (dh == NULL)
4390 			break;
4391 
4392 		ad->u.net->sport = dh->dccph_sport;
4393 		ad->u.net->dport = dh->dccph_dport;
4394 		break;
4395 	}
4396 
4397 #if IS_ENABLED(CONFIG_IP_SCTP)
4398 	case IPPROTO_SCTP: {
4399 		struct sctphdr _sctph, *sh;
4400 
4401 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4402 		if (sh == NULL)
4403 			break;
4404 
4405 		ad->u.net->sport = sh->source;
4406 		ad->u.net->dport = sh->dest;
4407 		break;
4408 	}
4409 #endif
4410 	/* includes fragments */
4411 	default:
4412 		break;
4413 	}
4414 out:
4415 	return ret;
4416 }
4417 
4418 #endif /* IPV6 */
4419 
4420 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4421 			     char **_addrp, int src, u8 *proto)
4422 {
4423 	char *addrp;
4424 	int ret;
4425 
4426 	switch (ad->u.net->family) {
4427 	case PF_INET:
4428 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4429 		if (ret)
4430 			goto parse_error;
4431 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4432 				       &ad->u.net->v4info.daddr);
4433 		goto okay;
4434 
4435 #if IS_ENABLED(CONFIG_IPV6)
4436 	case PF_INET6:
4437 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4438 		if (ret)
4439 			goto parse_error;
4440 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4441 				       &ad->u.net->v6info.daddr);
4442 		goto okay;
4443 #endif	/* IPV6 */
4444 	default:
4445 		addrp = NULL;
4446 		goto okay;
4447 	}
4448 
4449 parse_error:
4450 	pr_warn(
4451 	       "SELinux: failure in selinux_parse_skb(),"
4452 	       " unable to parse packet\n");
4453 	return ret;
4454 
4455 okay:
4456 	if (_addrp)
4457 		*_addrp = addrp;
4458 	return 0;
4459 }
4460 
4461 /**
4462  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4463  * @skb: the packet
4464  * @family: protocol family
4465  * @sid: the packet's peer label SID
4466  *
4467  * Description:
4468  * Check the various different forms of network peer labeling and determine
4469  * the peer label/SID for the packet; most of the magic actually occurs in
4470  * the security server function security_net_peersid_cmp().  The function
4471  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4472  * or -EACCES if @sid is invalid due to inconsistencies with the different
4473  * peer labels.
4474  *
4475  */
4476 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4477 {
4478 	int err;
4479 	u32 xfrm_sid;
4480 	u32 nlbl_sid;
4481 	u32 nlbl_type;
4482 
4483 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4484 	if (unlikely(err))
4485 		return -EACCES;
4486 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4487 	if (unlikely(err))
4488 		return -EACCES;
4489 
4490 	err = security_net_peersid_resolve(nlbl_sid,
4491 					   nlbl_type, xfrm_sid, sid);
4492 	if (unlikely(err)) {
4493 		pr_warn(
4494 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4495 		       " unable to determine packet's peer label\n");
4496 		return -EACCES;
4497 	}
4498 
4499 	return 0;
4500 }
4501 
4502 /**
4503  * selinux_conn_sid - Determine the child socket label for a connection
4504  * @sk_sid: the parent socket's SID
4505  * @skb_sid: the packet's SID
4506  * @conn_sid: the resulting connection SID
4507  *
4508  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4509  * combined with the MLS information from @skb_sid in order to create
4510  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4511  * of @sk_sid.  Returns zero on success, negative values on failure.
4512  *
4513  */
4514 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4515 {
4516 	int err = 0;
4517 
4518 	if (skb_sid != SECSID_NULL)
4519 		err = security_sid_mls_copy(sk_sid, skb_sid,
4520 					    conn_sid);
4521 	else
4522 		*conn_sid = sk_sid;
4523 
4524 	return err;
4525 }
4526 
4527 /* socket security operations */
4528 
4529 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4530 				 u16 secclass, u32 *socksid)
4531 {
4532 	if (tsec->sockcreate_sid > SECSID_NULL) {
4533 		*socksid = tsec->sockcreate_sid;
4534 		return 0;
4535 	}
4536 
4537 	return security_transition_sid(tsec->sid, tsec->sid,
4538 				       secclass, NULL, socksid);
4539 }
4540 
4541 static int sock_has_perm(struct sock *sk, u32 perms)
4542 {
4543 	struct sk_security_struct *sksec = sk->sk_security;
4544 	struct common_audit_data ad;
4545 	struct lsm_network_audit net;
4546 
4547 	if (sksec->sid == SECINITSID_KERNEL)
4548 		return 0;
4549 
4550 	ad_net_init_from_sk(&ad, &net, sk);
4551 
4552 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4553 			    &ad);
4554 }
4555 
4556 static int selinux_socket_create(int family, int type,
4557 				 int protocol, int kern)
4558 {
4559 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4560 	u32 newsid;
4561 	u16 secclass;
4562 	int rc;
4563 
4564 	if (kern)
4565 		return 0;
4566 
4567 	secclass = socket_type_to_security_class(family, type, protocol);
4568 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4569 	if (rc)
4570 		return rc;
4571 
4572 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4573 }
4574 
4575 static int selinux_socket_post_create(struct socket *sock, int family,
4576 				      int type, int protocol, int kern)
4577 {
4578 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4579 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4580 	struct sk_security_struct *sksec;
4581 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4582 	u32 sid = SECINITSID_KERNEL;
4583 	int err = 0;
4584 
4585 	if (!kern) {
4586 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4587 		if (err)
4588 			return err;
4589 	}
4590 
4591 	isec->sclass = sclass;
4592 	isec->sid = sid;
4593 	isec->initialized = LABEL_INITIALIZED;
4594 
4595 	if (sock->sk) {
4596 		sksec = sock->sk->sk_security;
4597 		sksec->sclass = sclass;
4598 		sksec->sid = sid;
4599 		/* Allows detection of the first association on this socket */
4600 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4601 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4602 
4603 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4604 	}
4605 
4606 	return err;
4607 }
4608 
4609 static int selinux_socket_socketpair(struct socket *socka,
4610 				     struct socket *sockb)
4611 {
4612 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4613 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4614 
4615 	sksec_a->peer_sid = sksec_b->sid;
4616 	sksec_b->peer_sid = sksec_a->sid;
4617 
4618 	return 0;
4619 }
4620 
4621 /* Range of port numbers used to automatically bind.
4622    Need to determine whether we should perform a name_bind
4623    permission check between the socket and the port number. */
4624 
4625 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4626 {
4627 	struct sock *sk = sock->sk;
4628 	struct sk_security_struct *sksec = sk->sk_security;
4629 	u16 family;
4630 	int err;
4631 
4632 	err = sock_has_perm(sk, SOCKET__BIND);
4633 	if (err)
4634 		goto out;
4635 
4636 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4637 	family = sk->sk_family;
4638 	if (family == PF_INET || family == PF_INET6) {
4639 		char *addrp;
4640 		struct common_audit_data ad;
4641 		struct lsm_network_audit net = {0,};
4642 		struct sockaddr_in *addr4 = NULL;
4643 		struct sockaddr_in6 *addr6 = NULL;
4644 		u16 family_sa;
4645 		unsigned short snum;
4646 		u32 sid, node_perm;
4647 
4648 		/*
4649 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4650 		 * that validates multiple binding addresses. Because of this
4651 		 * need to check address->sa_family as it is possible to have
4652 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4653 		 */
4654 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4655 			return -EINVAL;
4656 		family_sa = address->sa_family;
4657 		switch (family_sa) {
4658 		case AF_UNSPEC:
4659 		case AF_INET:
4660 			if (addrlen < sizeof(struct sockaddr_in))
4661 				return -EINVAL;
4662 			addr4 = (struct sockaddr_in *)address;
4663 			if (family_sa == AF_UNSPEC) {
4664 				/* see __inet_bind(), we only want to allow
4665 				 * AF_UNSPEC if the address is INADDR_ANY
4666 				 */
4667 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4668 					goto err_af;
4669 				family_sa = AF_INET;
4670 			}
4671 			snum = ntohs(addr4->sin_port);
4672 			addrp = (char *)&addr4->sin_addr.s_addr;
4673 			break;
4674 		case AF_INET6:
4675 			if (addrlen < SIN6_LEN_RFC2133)
4676 				return -EINVAL;
4677 			addr6 = (struct sockaddr_in6 *)address;
4678 			snum = ntohs(addr6->sin6_port);
4679 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4680 			break;
4681 		default:
4682 			goto err_af;
4683 		}
4684 
4685 		ad.type = LSM_AUDIT_DATA_NET;
4686 		ad.u.net = &net;
4687 		ad.u.net->sport = htons(snum);
4688 		ad.u.net->family = family_sa;
4689 
4690 		if (snum) {
4691 			int low, high;
4692 
4693 			inet_get_local_port_range(sock_net(sk), &low, &high);
4694 
4695 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4696 			    snum < low || snum > high) {
4697 				err = sel_netport_sid(sk->sk_protocol,
4698 						      snum, &sid);
4699 				if (err)
4700 					goto out;
4701 				err = avc_has_perm(sksec->sid, sid,
4702 						   sksec->sclass,
4703 						   SOCKET__NAME_BIND, &ad);
4704 				if (err)
4705 					goto out;
4706 			}
4707 		}
4708 
4709 		switch (sksec->sclass) {
4710 		case SECCLASS_TCP_SOCKET:
4711 			node_perm = TCP_SOCKET__NODE_BIND;
4712 			break;
4713 
4714 		case SECCLASS_UDP_SOCKET:
4715 			node_perm = UDP_SOCKET__NODE_BIND;
4716 			break;
4717 
4718 		case SECCLASS_DCCP_SOCKET:
4719 			node_perm = DCCP_SOCKET__NODE_BIND;
4720 			break;
4721 
4722 		case SECCLASS_SCTP_SOCKET:
4723 			node_perm = SCTP_SOCKET__NODE_BIND;
4724 			break;
4725 
4726 		default:
4727 			node_perm = RAWIP_SOCKET__NODE_BIND;
4728 			break;
4729 		}
4730 
4731 		err = sel_netnode_sid(addrp, family_sa, &sid);
4732 		if (err)
4733 			goto out;
4734 
4735 		if (family_sa == AF_INET)
4736 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4737 		else
4738 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4739 
4740 		err = avc_has_perm(sksec->sid, sid,
4741 				   sksec->sclass, node_perm, &ad);
4742 		if (err)
4743 			goto out;
4744 	}
4745 out:
4746 	return err;
4747 err_af:
4748 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4749 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 		return -EINVAL;
4751 	return -EAFNOSUPPORT;
4752 }
4753 
4754 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4755  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4756  */
4757 static int selinux_socket_connect_helper(struct socket *sock,
4758 					 struct sockaddr *address, int addrlen)
4759 {
4760 	struct sock *sk = sock->sk;
4761 	struct sk_security_struct *sksec = sk->sk_security;
4762 	int err;
4763 
4764 	err = sock_has_perm(sk, SOCKET__CONNECT);
4765 	if (err)
4766 		return err;
4767 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4768 		return -EINVAL;
4769 
4770 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4771 	 * way to disconnect the socket
4772 	 */
4773 	if (address->sa_family == AF_UNSPEC)
4774 		return 0;
4775 
4776 	/*
4777 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4778 	 * for the port.
4779 	 */
4780 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4781 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4782 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4783 		struct common_audit_data ad;
4784 		struct lsm_network_audit net = {0,};
4785 		struct sockaddr_in *addr4 = NULL;
4786 		struct sockaddr_in6 *addr6 = NULL;
4787 		unsigned short snum;
4788 		u32 sid, perm;
4789 
4790 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4791 		 * that validates multiple connect addresses. Because of this
4792 		 * need to check address->sa_family as it is possible to have
4793 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4794 		 */
4795 		switch (address->sa_family) {
4796 		case AF_INET:
4797 			addr4 = (struct sockaddr_in *)address;
4798 			if (addrlen < sizeof(struct sockaddr_in))
4799 				return -EINVAL;
4800 			snum = ntohs(addr4->sin_port);
4801 			break;
4802 		case AF_INET6:
4803 			addr6 = (struct sockaddr_in6 *)address;
4804 			if (addrlen < SIN6_LEN_RFC2133)
4805 				return -EINVAL;
4806 			snum = ntohs(addr6->sin6_port);
4807 			break;
4808 		default:
4809 			/* Note that SCTP services expect -EINVAL, whereas
4810 			 * others expect -EAFNOSUPPORT.
4811 			 */
4812 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4813 				return -EINVAL;
4814 			else
4815 				return -EAFNOSUPPORT;
4816 		}
4817 
4818 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4819 		if (err)
4820 			return err;
4821 
4822 		switch (sksec->sclass) {
4823 		case SECCLASS_TCP_SOCKET:
4824 			perm = TCP_SOCKET__NAME_CONNECT;
4825 			break;
4826 		case SECCLASS_DCCP_SOCKET:
4827 			perm = DCCP_SOCKET__NAME_CONNECT;
4828 			break;
4829 		case SECCLASS_SCTP_SOCKET:
4830 			perm = SCTP_SOCKET__NAME_CONNECT;
4831 			break;
4832 		}
4833 
4834 		ad.type = LSM_AUDIT_DATA_NET;
4835 		ad.u.net = &net;
4836 		ad.u.net->dport = htons(snum);
4837 		ad.u.net->family = address->sa_family;
4838 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4839 		if (err)
4840 			return err;
4841 	}
4842 
4843 	return 0;
4844 }
4845 
4846 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4847 static int selinux_socket_connect(struct socket *sock,
4848 				  struct sockaddr *address, int addrlen)
4849 {
4850 	int err;
4851 	struct sock *sk = sock->sk;
4852 
4853 	err = selinux_socket_connect_helper(sock, address, addrlen);
4854 	if (err)
4855 		return err;
4856 
4857 	return selinux_netlbl_socket_connect(sk, address);
4858 }
4859 
4860 static int selinux_socket_listen(struct socket *sock, int backlog)
4861 {
4862 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4863 }
4864 
4865 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4866 {
4867 	int err;
4868 	struct inode_security_struct *isec;
4869 	struct inode_security_struct *newisec;
4870 	u16 sclass;
4871 	u32 sid;
4872 
4873 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4874 	if (err)
4875 		return err;
4876 
4877 	isec = inode_security_novalidate(SOCK_INODE(sock));
4878 	spin_lock(&isec->lock);
4879 	sclass = isec->sclass;
4880 	sid = isec->sid;
4881 	spin_unlock(&isec->lock);
4882 
4883 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4884 	newisec->sclass = sclass;
4885 	newisec->sid = sid;
4886 	newisec->initialized = LABEL_INITIALIZED;
4887 
4888 	return 0;
4889 }
4890 
4891 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4892 				  int size)
4893 {
4894 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4895 }
4896 
4897 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4898 				  int size, int flags)
4899 {
4900 	return sock_has_perm(sock->sk, SOCKET__READ);
4901 }
4902 
4903 static int selinux_socket_getsockname(struct socket *sock)
4904 {
4905 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4906 }
4907 
4908 static int selinux_socket_getpeername(struct socket *sock)
4909 {
4910 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4911 }
4912 
4913 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4914 {
4915 	int err;
4916 
4917 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4918 	if (err)
4919 		return err;
4920 
4921 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4922 }
4923 
4924 static int selinux_socket_getsockopt(struct socket *sock, int level,
4925 				     int optname)
4926 {
4927 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4928 }
4929 
4930 static int selinux_socket_shutdown(struct socket *sock, int how)
4931 {
4932 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4933 }
4934 
4935 static int selinux_socket_unix_stream_connect(struct sock *sock,
4936 					      struct sock *other,
4937 					      struct sock *newsk)
4938 {
4939 	struct sk_security_struct *sksec_sock = sock->sk_security;
4940 	struct sk_security_struct *sksec_other = other->sk_security;
4941 	struct sk_security_struct *sksec_new = newsk->sk_security;
4942 	struct common_audit_data ad;
4943 	struct lsm_network_audit net;
4944 	int err;
4945 
4946 	ad_net_init_from_sk(&ad, &net, other);
4947 
4948 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4949 			   sksec_other->sclass,
4950 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4951 	if (err)
4952 		return err;
4953 
4954 	/* server child socket */
4955 	sksec_new->peer_sid = sksec_sock->sid;
4956 	err = security_sid_mls_copy(sksec_other->sid,
4957 				    sksec_sock->sid, &sksec_new->sid);
4958 	if (err)
4959 		return err;
4960 
4961 	/* connecting socket */
4962 	sksec_sock->peer_sid = sksec_new->sid;
4963 
4964 	return 0;
4965 }
4966 
4967 static int selinux_socket_unix_may_send(struct socket *sock,
4968 					struct socket *other)
4969 {
4970 	struct sk_security_struct *ssec = sock->sk->sk_security;
4971 	struct sk_security_struct *osec = other->sk->sk_security;
4972 	struct common_audit_data ad;
4973 	struct lsm_network_audit net;
4974 
4975 	ad_net_init_from_sk(&ad, &net, other->sk);
4976 
4977 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4978 			    &ad);
4979 }
4980 
4981 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4982 				    char *addrp, u16 family, u32 peer_sid,
4983 				    struct common_audit_data *ad)
4984 {
4985 	int err;
4986 	u32 if_sid;
4987 	u32 node_sid;
4988 
4989 	err = sel_netif_sid(ns, ifindex, &if_sid);
4990 	if (err)
4991 		return err;
4992 	err = avc_has_perm(peer_sid, if_sid,
4993 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4994 	if (err)
4995 		return err;
4996 
4997 	err = sel_netnode_sid(addrp, family, &node_sid);
4998 	if (err)
4999 		return err;
5000 	return avc_has_perm(peer_sid, node_sid,
5001 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5002 }
5003 
5004 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5005 				       u16 family)
5006 {
5007 	int err = 0;
5008 	struct sk_security_struct *sksec = sk->sk_security;
5009 	u32 sk_sid = sksec->sid;
5010 	struct common_audit_data ad;
5011 	struct lsm_network_audit net;
5012 	char *addrp;
5013 
5014 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5015 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5016 	if (err)
5017 		return err;
5018 
5019 	if (selinux_secmark_enabled()) {
5020 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5021 				   PACKET__RECV, &ad);
5022 		if (err)
5023 			return err;
5024 	}
5025 
5026 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5027 	if (err)
5028 		return err;
5029 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5030 
5031 	return err;
5032 }
5033 
5034 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5035 {
5036 	int err, peerlbl_active, secmark_active;
5037 	struct sk_security_struct *sksec = sk->sk_security;
5038 	u16 family = sk->sk_family;
5039 	u32 sk_sid = sksec->sid;
5040 	struct common_audit_data ad;
5041 	struct lsm_network_audit net;
5042 	char *addrp;
5043 
5044 	if (family != PF_INET && family != PF_INET6)
5045 		return 0;
5046 
5047 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5048 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5049 		family = PF_INET;
5050 
5051 	/* If any sort of compatibility mode is enabled then handoff processing
5052 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5053 	 * special handling.  We do this in an attempt to keep this function
5054 	 * as fast and as clean as possible. */
5055 	if (!selinux_policycap_netpeer())
5056 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5057 
5058 	secmark_active = selinux_secmark_enabled();
5059 	peerlbl_active = selinux_peerlbl_enabled();
5060 	if (!secmark_active && !peerlbl_active)
5061 		return 0;
5062 
5063 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5064 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5065 	if (err)
5066 		return err;
5067 
5068 	if (peerlbl_active) {
5069 		u32 peer_sid;
5070 
5071 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5072 		if (err)
5073 			return err;
5074 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5075 					       addrp, family, peer_sid, &ad);
5076 		if (err) {
5077 			selinux_netlbl_err(skb, family, err, 0);
5078 			return err;
5079 		}
5080 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5081 				   PEER__RECV, &ad);
5082 		if (err) {
5083 			selinux_netlbl_err(skb, family, err, 0);
5084 			return err;
5085 		}
5086 	}
5087 
5088 	if (secmark_active) {
5089 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5090 				   PACKET__RECV, &ad);
5091 		if (err)
5092 			return err;
5093 	}
5094 
5095 	return err;
5096 }
5097 
5098 static int selinux_socket_getpeersec_stream(struct socket *sock,
5099 					    sockptr_t optval, sockptr_t optlen,
5100 					    unsigned int len)
5101 {
5102 	int err = 0;
5103 	char *scontext = NULL;
5104 	u32 scontext_len;
5105 	struct sk_security_struct *sksec = sock->sk->sk_security;
5106 	u32 peer_sid = SECSID_NULL;
5107 
5108 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5109 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5110 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5111 		peer_sid = sksec->peer_sid;
5112 	if (peer_sid == SECSID_NULL)
5113 		return -ENOPROTOOPT;
5114 
5115 	err = security_sid_to_context(peer_sid, &scontext,
5116 				      &scontext_len);
5117 	if (err)
5118 		return err;
5119 	if (scontext_len > len) {
5120 		err = -ERANGE;
5121 		goto out_len;
5122 	}
5123 
5124 	if (copy_to_sockptr(optval, scontext, scontext_len))
5125 		err = -EFAULT;
5126 out_len:
5127 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5128 		err = -EFAULT;
5129 	kfree(scontext);
5130 	return err;
5131 }
5132 
5133 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5134 {
5135 	u32 peer_secid = SECSID_NULL;
5136 	u16 family;
5137 	struct inode_security_struct *isec;
5138 
5139 	if (skb && skb->protocol == htons(ETH_P_IP))
5140 		family = PF_INET;
5141 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5142 		family = PF_INET6;
5143 	else if (sock)
5144 		family = sock->sk->sk_family;
5145 	else
5146 		goto out;
5147 
5148 	if (sock && family == PF_UNIX) {
5149 		isec = inode_security_novalidate(SOCK_INODE(sock));
5150 		peer_secid = isec->sid;
5151 	} else if (skb)
5152 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5153 
5154 out:
5155 	*secid = peer_secid;
5156 	if (peer_secid == SECSID_NULL)
5157 		return -EINVAL;
5158 	return 0;
5159 }
5160 
5161 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5162 {
5163 	struct sk_security_struct *sksec;
5164 
5165 	sksec = kzalloc(sizeof(*sksec), priority);
5166 	if (!sksec)
5167 		return -ENOMEM;
5168 
5169 	sksec->peer_sid = SECINITSID_UNLABELED;
5170 	sksec->sid = SECINITSID_UNLABELED;
5171 	sksec->sclass = SECCLASS_SOCKET;
5172 	selinux_netlbl_sk_security_reset(sksec);
5173 	sk->sk_security = sksec;
5174 
5175 	return 0;
5176 }
5177 
5178 static void selinux_sk_free_security(struct sock *sk)
5179 {
5180 	struct sk_security_struct *sksec = sk->sk_security;
5181 
5182 	sk->sk_security = NULL;
5183 	selinux_netlbl_sk_security_free(sksec);
5184 	kfree(sksec);
5185 }
5186 
5187 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5188 {
5189 	struct sk_security_struct *sksec = sk->sk_security;
5190 	struct sk_security_struct *newsksec = newsk->sk_security;
5191 
5192 	newsksec->sid = sksec->sid;
5193 	newsksec->peer_sid = sksec->peer_sid;
5194 	newsksec->sclass = sksec->sclass;
5195 
5196 	selinux_netlbl_sk_security_reset(newsksec);
5197 }
5198 
5199 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5200 {
5201 	if (!sk)
5202 		*secid = SECINITSID_ANY_SOCKET;
5203 	else {
5204 		const struct sk_security_struct *sksec = sk->sk_security;
5205 
5206 		*secid = sksec->sid;
5207 	}
5208 }
5209 
5210 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5211 {
5212 	struct inode_security_struct *isec =
5213 		inode_security_novalidate(SOCK_INODE(parent));
5214 	struct sk_security_struct *sksec = sk->sk_security;
5215 
5216 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5217 	    sk->sk_family == PF_UNIX)
5218 		isec->sid = sksec->sid;
5219 	sksec->sclass = isec->sclass;
5220 }
5221 
5222 /*
5223  * Determines peer_secid for the asoc and updates socket's peer label
5224  * if it's the first association on the socket.
5225  */
5226 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5227 					  struct sk_buff *skb)
5228 {
5229 	struct sock *sk = asoc->base.sk;
5230 	u16 family = sk->sk_family;
5231 	struct sk_security_struct *sksec = sk->sk_security;
5232 	struct common_audit_data ad;
5233 	struct lsm_network_audit net;
5234 	int err;
5235 
5236 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5237 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5238 		family = PF_INET;
5239 
5240 	if (selinux_peerlbl_enabled()) {
5241 		asoc->peer_secid = SECSID_NULL;
5242 
5243 		/* This will return peer_sid = SECSID_NULL if there are
5244 		 * no peer labels, see security_net_peersid_resolve().
5245 		 */
5246 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5247 		if (err)
5248 			return err;
5249 
5250 		if (asoc->peer_secid == SECSID_NULL)
5251 			asoc->peer_secid = SECINITSID_UNLABELED;
5252 	} else {
5253 		asoc->peer_secid = SECINITSID_UNLABELED;
5254 	}
5255 
5256 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5257 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5258 
5259 		/* Here as first association on socket. As the peer SID
5260 		 * was allowed by peer recv (and the netif/node checks),
5261 		 * then it is approved by policy and used as the primary
5262 		 * peer SID for getpeercon(3).
5263 		 */
5264 		sksec->peer_sid = asoc->peer_secid;
5265 	} else if (sksec->peer_sid != asoc->peer_secid) {
5266 		/* Other association peer SIDs are checked to enforce
5267 		 * consistency among the peer SIDs.
5268 		 */
5269 		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5270 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5271 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5272 				   &ad);
5273 		if (err)
5274 			return err;
5275 	}
5276 	return 0;
5277 }
5278 
5279 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5280  * happens on an incoming connect(2), sctp_connectx(3) or
5281  * sctp_sendmsg(3) (with no association already present).
5282  */
5283 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5284 				      struct sk_buff *skb)
5285 {
5286 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5287 	u32 conn_sid;
5288 	int err;
5289 
5290 	if (!selinux_policycap_extsockclass())
5291 		return 0;
5292 
5293 	err = selinux_sctp_process_new_assoc(asoc, skb);
5294 	if (err)
5295 		return err;
5296 
5297 	/* Compute the MLS component for the connection and store
5298 	 * the information in asoc. This will be used by SCTP TCP type
5299 	 * sockets and peeled off connections as they cause a new
5300 	 * socket to be generated. selinux_sctp_sk_clone() will then
5301 	 * plug this into the new socket.
5302 	 */
5303 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5304 	if (err)
5305 		return err;
5306 
5307 	asoc->secid = conn_sid;
5308 
5309 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5310 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5311 }
5312 
5313 /* Called when SCTP receives a COOKIE ACK chunk as the final
5314  * response to an association request (initited by us).
5315  */
5316 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5317 					  struct sk_buff *skb)
5318 {
5319 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5320 
5321 	if (!selinux_policycap_extsockclass())
5322 		return 0;
5323 
5324 	/* Inherit secid from the parent socket - this will be picked up
5325 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5326 	 * into a new socket.
5327 	 */
5328 	asoc->secid = sksec->sid;
5329 
5330 	return selinux_sctp_process_new_assoc(asoc, skb);
5331 }
5332 
5333 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5334  * based on their @optname.
5335  */
5336 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5337 				     struct sockaddr *address,
5338 				     int addrlen)
5339 {
5340 	int len, err = 0, walk_size = 0;
5341 	void *addr_buf;
5342 	struct sockaddr *addr;
5343 	struct socket *sock;
5344 
5345 	if (!selinux_policycap_extsockclass())
5346 		return 0;
5347 
5348 	/* Process one or more addresses that may be IPv4 or IPv6 */
5349 	sock = sk->sk_socket;
5350 	addr_buf = address;
5351 
5352 	while (walk_size < addrlen) {
5353 		if (walk_size + sizeof(sa_family_t) > addrlen)
5354 			return -EINVAL;
5355 
5356 		addr = addr_buf;
5357 		switch (addr->sa_family) {
5358 		case AF_UNSPEC:
5359 		case AF_INET:
5360 			len = sizeof(struct sockaddr_in);
5361 			break;
5362 		case AF_INET6:
5363 			len = sizeof(struct sockaddr_in6);
5364 			break;
5365 		default:
5366 			return -EINVAL;
5367 		}
5368 
5369 		if (walk_size + len > addrlen)
5370 			return -EINVAL;
5371 
5372 		err = -EINVAL;
5373 		switch (optname) {
5374 		/* Bind checks */
5375 		case SCTP_PRIMARY_ADDR:
5376 		case SCTP_SET_PEER_PRIMARY_ADDR:
5377 		case SCTP_SOCKOPT_BINDX_ADD:
5378 			err = selinux_socket_bind(sock, addr, len);
5379 			break;
5380 		/* Connect checks */
5381 		case SCTP_SOCKOPT_CONNECTX:
5382 		case SCTP_PARAM_SET_PRIMARY:
5383 		case SCTP_PARAM_ADD_IP:
5384 		case SCTP_SENDMSG_CONNECT:
5385 			err = selinux_socket_connect_helper(sock, addr, len);
5386 			if (err)
5387 				return err;
5388 
5389 			/* As selinux_sctp_bind_connect() is called by the
5390 			 * SCTP protocol layer, the socket is already locked,
5391 			 * therefore selinux_netlbl_socket_connect_locked()
5392 			 * is called here. The situations handled are:
5393 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5394 			 * whenever a new IP address is added or when a new
5395 			 * primary address is selected.
5396 			 * Note that an SCTP connect(2) call happens before
5397 			 * the SCTP protocol layer and is handled via
5398 			 * selinux_socket_connect().
5399 			 */
5400 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5401 			break;
5402 		}
5403 
5404 		if (err)
5405 			return err;
5406 
5407 		addr_buf += len;
5408 		walk_size += len;
5409 	}
5410 
5411 	return 0;
5412 }
5413 
5414 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5415 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5416 				  struct sock *newsk)
5417 {
5418 	struct sk_security_struct *sksec = sk->sk_security;
5419 	struct sk_security_struct *newsksec = newsk->sk_security;
5420 
5421 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5422 	 * the non-sctp clone version.
5423 	 */
5424 	if (!selinux_policycap_extsockclass())
5425 		return selinux_sk_clone_security(sk, newsk);
5426 
5427 	newsksec->sid = asoc->secid;
5428 	newsksec->peer_sid = asoc->peer_secid;
5429 	newsksec->sclass = sksec->sclass;
5430 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5431 }
5432 
5433 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5434 {
5435 	struct sk_security_struct *ssksec = ssk->sk_security;
5436 	struct sk_security_struct *sksec = sk->sk_security;
5437 
5438 	ssksec->sclass = sksec->sclass;
5439 	ssksec->sid = sksec->sid;
5440 
5441 	/* replace the existing subflow label deleting the existing one
5442 	 * and re-recreating a new label using the updated context
5443 	 */
5444 	selinux_netlbl_sk_security_free(ssksec);
5445 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5446 }
5447 
5448 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5449 				     struct request_sock *req)
5450 {
5451 	struct sk_security_struct *sksec = sk->sk_security;
5452 	int err;
5453 	u16 family = req->rsk_ops->family;
5454 	u32 connsid;
5455 	u32 peersid;
5456 
5457 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5458 	if (err)
5459 		return err;
5460 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5461 	if (err)
5462 		return err;
5463 	req->secid = connsid;
5464 	req->peer_secid = peersid;
5465 
5466 	return selinux_netlbl_inet_conn_request(req, family);
5467 }
5468 
5469 static void selinux_inet_csk_clone(struct sock *newsk,
5470 				   const struct request_sock *req)
5471 {
5472 	struct sk_security_struct *newsksec = newsk->sk_security;
5473 
5474 	newsksec->sid = req->secid;
5475 	newsksec->peer_sid = req->peer_secid;
5476 	/* NOTE: Ideally, we should also get the isec->sid for the
5477 	   new socket in sync, but we don't have the isec available yet.
5478 	   So we will wait until sock_graft to do it, by which
5479 	   time it will have been created and available. */
5480 
5481 	/* We don't need to take any sort of lock here as we are the only
5482 	 * thread with access to newsksec */
5483 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5484 }
5485 
5486 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5487 {
5488 	u16 family = sk->sk_family;
5489 	struct sk_security_struct *sksec = sk->sk_security;
5490 
5491 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5492 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5493 		family = PF_INET;
5494 
5495 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5496 }
5497 
5498 static int selinux_secmark_relabel_packet(u32 sid)
5499 {
5500 	const struct task_security_struct *tsec;
5501 	u32 tsid;
5502 
5503 	tsec = selinux_cred(current_cred());
5504 	tsid = tsec->sid;
5505 
5506 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5507 			    NULL);
5508 }
5509 
5510 static void selinux_secmark_refcount_inc(void)
5511 {
5512 	atomic_inc(&selinux_secmark_refcount);
5513 }
5514 
5515 static void selinux_secmark_refcount_dec(void)
5516 {
5517 	atomic_dec(&selinux_secmark_refcount);
5518 }
5519 
5520 static void selinux_req_classify_flow(const struct request_sock *req,
5521 				      struct flowi_common *flic)
5522 {
5523 	flic->flowic_secid = req->secid;
5524 }
5525 
5526 static int selinux_tun_dev_alloc_security(void **security)
5527 {
5528 	struct tun_security_struct *tunsec;
5529 
5530 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5531 	if (!tunsec)
5532 		return -ENOMEM;
5533 	tunsec->sid = current_sid();
5534 
5535 	*security = tunsec;
5536 	return 0;
5537 }
5538 
5539 static void selinux_tun_dev_free_security(void *security)
5540 {
5541 	kfree(security);
5542 }
5543 
5544 static int selinux_tun_dev_create(void)
5545 {
5546 	u32 sid = current_sid();
5547 
5548 	/* we aren't taking into account the "sockcreate" SID since the socket
5549 	 * that is being created here is not a socket in the traditional sense,
5550 	 * instead it is a private sock, accessible only to the kernel, and
5551 	 * representing a wide range of network traffic spanning multiple
5552 	 * connections unlike traditional sockets - check the TUN driver to
5553 	 * get a better understanding of why this socket is special */
5554 
5555 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5556 			    NULL);
5557 }
5558 
5559 static int selinux_tun_dev_attach_queue(void *security)
5560 {
5561 	struct tun_security_struct *tunsec = security;
5562 
5563 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5564 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5565 }
5566 
5567 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5568 {
5569 	struct tun_security_struct *tunsec = security;
5570 	struct sk_security_struct *sksec = sk->sk_security;
5571 
5572 	/* we don't currently perform any NetLabel based labeling here and it
5573 	 * isn't clear that we would want to do so anyway; while we could apply
5574 	 * labeling without the support of the TUN user the resulting labeled
5575 	 * traffic from the other end of the connection would almost certainly
5576 	 * cause confusion to the TUN user that had no idea network labeling
5577 	 * protocols were being used */
5578 
5579 	sksec->sid = tunsec->sid;
5580 	sksec->sclass = SECCLASS_TUN_SOCKET;
5581 
5582 	return 0;
5583 }
5584 
5585 static int selinux_tun_dev_open(void *security)
5586 {
5587 	struct tun_security_struct *tunsec = security;
5588 	u32 sid = current_sid();
5589 	int err;
5590 
5591 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5592 			   TUN_SOCKET__RELABELFROM, NULL);
5593 	if (err)
5594 		return err;
5595 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5596 			   TUN_SOCKET__RELABELTO, NULL);
5597 	if (err)
5598 		return err;
5599 	tunsec->sid = sid;
5600 
5601 	return 0;
5602 }
5603 
5604 #ifdef CONFIG_NETFILTER
5605 
5606 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5607 				       const struct nf_hook_state *state)
5608 {
5609 	int ifindex;
5610 	u16 family;
5611 	char *addrp;
5612 	u32 peer_sid;
5613 	struct common_audit_data ad;
5614 	struct lsm_network_audit net;
5615 	int secmark_active, peerlbl_active;
5616 
5617 	if (!selinux_policycap_netpeer())
5618 		return NF_ACCEPT;
5619 
5620 	secmark_active = selinux_secmark_enabled();
5621 	peerlbl_active = selinux_peerlbl_enabled();
5622 	if (!secmark_active && !peerlbl_active)
5623 		return NF_ACCEPT;
5624 
5625 	family = state->pf;
5626 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5627 		return NF_DROP;
5628 
5629 	ifindex = state->in->ifindex;
5630 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5631 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5632 		return NF_DROP;
5633 
5634 	if (peerlbl_active) {
5635 		int err;
5636 
5637 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5638 					       addrp, family, peer_sid, &ad);
5639 		if (err) {
5640 			selinux_netlbl_err(skb, family, err, 1);
5641 			return NF_DROP;
5642 		}
5643 	}
5644 
5645 	if (secmark_active)
5646 		if (avc_has_perm(peer_sid, skb->secmark,
5647 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5648 			return NF_DROP;
5649 
5650 	if (netlbl_enabled())
5651 		/* we do this in the FORWARD path and not the POST_ROUTING
5652 		 * path because we want to make sure we apply the necessary
5653 		 * labeling before IPsec is applied so we can leverage AH
5654 		 * protection */
5655 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5656 			return NF_DROP;
5657 
5658 	return NF_ACCEPT;
5659 }
5660 
5661 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5662 				      const struct nf_hook_state *state)
5663 {
5664 	struct sock *sk;
5665 	u32 sid;
5666 
5667 	if (!netlbl_enabled())
5668 		return NF_ACCEPT;
5669 
5670 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5671 	 * because we want to make sure we apply the necessary labeling
5672 	 * before IPsec is applied so we can leverage AH protection */
5673 	sk = skb->sk;
5674 	if (sk) {
5675 		struct sk_security_struct *sksec;
5676 
5677 		if (sk_listener(sk))
5678 			/* if the socket is the listening state then this
5679 			 * packet is a SYN-ACK packet which means it needs to
5680 			 * be labeled based on the connection/request_sock and
5681 			 * not the parent socket.  unfortunately, we can't
5682 			 * lookup the request_sock yet as it isn't queued on
5683 			 * the parent socket until after the SYN-ACK is sent.
5684 			 * the "solution" is to simply pass the packet as-is
5685 			 * as any IP option based labeling should be copied
5686 			 * from the initial connection request (in the IP
5687 			 * layer).  it is far from ideal, but until we get a
5688 			 * security label in the packet itself this is the
5689 			 * best we can do. */
5690 			return NF_ACCEPT;
5691 
5692 		/* standard practice, label using the parent socket */
5693 		sksec = sk->sk_security;
5694 		sid = sksec->sid;
5695 	} else
5696 		sid = SECINITSID_KERNEL;
5697 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5698 		return NF_DROP;
5699 
5700 	return NF_ACCEPT;
5701 }
5702 
5703 
5704 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5705 					const struct nf_hook_state *state)
5706 {
5707 	struct sock *sk;
5708 	struct sk_security_struct *sksec;
5709 	struct common_audit_data ad;
5710 	struct lsm_network_audit net;
5711 	u8 proto = 0;
5712 
5713 	sk = skb_to_full_sk(skb);
5714 	if (sk == NULL)
5715 		return NF_ACCEPT;
5716 	sksec = sk->sk_security;
5717 
5718 	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5719 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5720 		return NF_DROP;
5721 
5722 	if (selinux_secmark_enabled())
5723 		if (avc_has_perm(sksec->sid, skb->secmark,
5724 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5725 			return NF_DROP_ERR(-ECONNREFUSED);
5726 
5727 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5728 		return NF_DROP_ERR(-ECONNREFUSED);
5729 
5730 	return NF_ACCEPT;
5731 }
5732 
5733 static unsigned int selinux_ip_postroute(void *priv,
5734 					 struct sk_buff *skb,
5735 					 const struct nf_hook_state *state)
5736 {
5737 	u16 family;
5738 	u32 secmark_perm;
5739 	u32 peer_sid;
5740 	int ifindex;
5741 	struct sock *sk;
5742 	struct common_audit_data ad;
5743 	struct lsm_network_audit net;
5744 	char *addrp;
5745 	int secmark_active, peerlbl_active;
5746 
5747 	/* If any sort of compatibility mode is enabled then handoff processing
5748 	 * to the selinux_ip_postroute_compat() function to deal with the
5749 	 * special handling.  We do this in an attempt to keep this function
5750 	 * as fast and as clean as possible. */
5751 	if (!selinux_policycap_netpeer())
5752 		return selinux_ip_postroute_compat(skb, state);
5753 
5754 	secmark_active = selinux_secmark_enabled();
5755 	peerlbl_active = selinux_peerlbl_enabled();
5756 	if (!secmark_active && !peerlbl_active)
5757 		return NF_ACCEPT;
5758 
5759 	sk = skb_to_full_sk(skb);
5760 
5761 #ifdef CONFIG_XFRM
5762 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5763 	 * packet transformation so allow the packet to pass without any checks
5764 	 * since we'll have another chance to perform access control checks
5765 	 * when the packet is on it's final way out.
5766 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5767 	 *       is NULL, in this case go ahead and apply access control.
5768 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5769 	 *       TCP listening state we cannot wait until the XFRM processing
5770 	 *       is done as we will miss out on the SA label if we do;
5771 	 *       unfortunately, this means more work, but it is only once per
5772 	 *       connection. */
5773 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5774 	    !(sk && sk_listener(sk)))
5775 		return NF_ACCEPT;
5776 #endif
5777 
5778 	family = state->pf;
5779 	if (sk == NULL) {
5780 		/* Without an associated socket the packet is either coming
5781 		 * from the kernel or it is being forwarded; check the packet
5782 		 * to determine which and if the packet is being forwarded
5783 		 * query the packet directly to determine the security label. */
5784 		if (skb->skb_iif) {
5785 			secmark_perm = PACKET__FORWARD_OUT;
5786 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5787 				return NF_DROP;
5788 		} else {
5789 			secmark_perm = PACKET__SEND;
5790 			peer_sid = SECINITSID_KERNEL;
5791 		}
5792 	} else if (sk_listener(sk)) {
5793 		/* Locally generated packet but the associated socket is in the
5794 		 * listening state which means this is a SYN-ACK packet.  In
5795 		 * this particular case the correct security label is assigned
5796 		 * to the connection/request_sock but unfortunately we can't
5797 		 * query the request_sock as it isn't queued on the parent
5798 		 * socket until after the SYN-ACK packet is sent; the only
5799 		 * viable choice is to regenerate the label like we do in
5800 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5801 		 * for similar problems. */
5802 		u32 skb_sid;
5803 		struct sk_security_struct *sksec;
5804 
5805 		sksec = sk->sk_security;
5806 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5807 			return NF_DROP;
5808 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5809 		 * and the packet has been through at least one XFRM
5810 		 * transformation then we must be dealing with the "final"
5811 		 * form of labeled IPsec packet; since we've already applied
5812 		 * all of our access controls on this packet we can safely
5813 		 * pass the packet. */
5814 		if (skb_sid == SECSID_NULL) {
5815 			switch (family) {
5816 			case PF_INET:
5817 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5818 					return NF_ACCEPT;
5819 				break;
5820 			case PF_INET6:
5821 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5822 					return NF_ACCEPT;
5823 				break;
5824 			default:
5825 				return NF_DROP_ERR(-ECONNREFUSED);
5826 			}
5827 		}
5828 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5829 			return NF_DROP;
5830 		secmark_perm = PACKET__SEND;
5831 	} else {
5832 		/* Locally generated packet, fetch the security label from the
5833 		 * associated socket. */
5834 		struct sk_security_struct *sksec = sk->sk_security;
5835 		peer_sid = sksec->sid;
5836 		secmark_perm = PACKET__SEND;
5837 	}
5838 
5839 	ifindex = state->out->ifindex;
5840 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5841 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5842 		return NF_DROP;
5843 
5844 	if (secmark_active)
5845 		if (avc_has_perm(peer_sid, skb->secmark,
5846 				 SECCLASS_PACKET, secmark_perm, &ad))
5847 			return NF_DROP_ERR(-ECONNREFUSED);
5848 
5849 	if (peerlbl_active) {
5850 		u32 if_sid;
5851 		u32 node_sid;
5852 
5853 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5854 			return NF_DROP;
5855 		if (avc_has_perm(peer_sid, if_sid,
5856 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5857 			return NF_DROP_ERR(-ECONNREFUSED);
5858 
5859 		if (sel_netnode_sid(addrp, family, &node_sid))
5860 			return NF_DROP;
5861 		if (avc_has_perm(peer_sid, node_sid,
5862 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5863 			return NF_DROP_ERR(-ECONNREFUSED);
5864 	}
5865 
5866 	return NF_ACCEPT;
5867 }
5868 #endif	/* CONFIG_NETFILTER */
5869 
5870 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5871 {
5872 	int rc = 0;
5873 	unsigned int msg_len;
5874 	unsigned int data_len = skb->len;
5875 	unsigned char *data = skb->data;
5876 	struct nlmsghdr *nlh;
5877 	struct sk_security_struct *sksec = sk->sk_security;
5878 	u16 sclass = sksec->sclass;
5879 	u32 perm;
5880 
5881 	while (data_len >= nlmsg_total_size(0)) {
5882 		nlh = (struct nlmsghdr *)data;
5883 
5884 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5885 		 *       users which means we can't reject skb's with bogus
5886 		 *       length fields; our solution is to follow what
5887 		 *       netlink_rcv_skb() does and simply skip processing at
5888 		 *       messages with length fields that are clearly junk
5889 		 */
5890 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5891 			return 0;
5892 
5893 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5894 		if (rc == 0) {
5895 			rc = sock_has_perm(sk, perm);
5896 			if (rc)
5897 				return rc;
5898 		} else if (rc == -EINVAL) {
5899 			/* -EINVAL is a missing msg/perm mapping */
5900 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5901 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5902 				" pid=%d comm=%s\n",
5903 				sk->sk_protocol, nlh->nlmsg_type,
5904 				secclass_map[sclass - 1].name,
5905 				task_pid_nr(current), current->comm);
5906 			if (enforcing_enabled() &&
5907 			    !security_get_allow_unknown())
5908 				return rc;
5909 			rc = 0;
5910 		} else if (rc == -ENOENT) {
5911 			/* -ENOENT is a missing socket/class mapping, ignore */
5912 			rc = 0;
5913 		} else {
5914 			return rc;
5915 		}
5916 
5917 		/* move to the next message after applying netlink padding */
5918 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5919 		if (msg_len >= data_len)
5920 			return 0;
5921 		data_len -= msg_len;
5922 		data += msg_len;
5923 	}
5924 
5925 	return rc;
5926 }
5927 
5928 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5929 {
5930 	isec->sclass = sclass;
5931 	isec->sid = current_sid();
5932 }
5933 
5934 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5935 			u32 perms)
5936 {
5937 	struct ipc_security_struct *isec;
5938 	struct common_audit_data ad;
5939 	u32 sid = current_sid();
5940 
5941 	isec = selinux_ipc(ipc_perms);
5942 
5943 	ad.type = LSM_AUDIT_DATA_IPC;
5944 	ad.u.ipc_id = ipc_perms->key;
5945 
5946 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5947 }
5948 
5949 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5950 {
5951 	struct msg_security_struct *msec;
5952 
5953 	msec = selinux_msg_msg(msg);
5954 	msec->sid = SECINITSID_UNLABELED;
5955 
5956 	return 0;
5957 }
5958 
5959 /* message queue security operations */
5960 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5961 {
5962 	struct ipc_security_struct *isec;
5963 	struct common_audit_data ad;
5964 	u32 sid = current_sid();
5965 
5966 	isec = selinux_ipc(msq);
5967 	ipc_init_security(isec, SECCLASS_MSGQ);
5968 
5969 	ad.type = LSM_AUDIT_DATA_IPC;
5970 	ad.u.ipc_id = msq->key;
5971 
5972 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5973 			    MSGQ__CREATE, &ad);
5974 }
5975 
5976 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5977 {
5978 	struct ipc_security_struct *isec;
5979 	struct common_audit_data ad;
5980 	u32 sid = current_sid();
5981 
5982 	isec = selinux_ipc(msq);
5983 
5984 	ad.type = LSM_AUDIT_DATA_IPC;
5985 	ad.u.ipc_id = msq->key;
5986 
5987 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5988 			    MSGQ__ASSOCIATE, &ad);
5989 }
5990 
5991 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5992 {
5993 	u32 perms;
5994 
5995 	switch (cmd) {
5996 	case IPC_INFO:
5997 	case MSG_INFO:
5998 		/* No specific object, just general system-wide information. */
5999 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6000 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6001 	case IPC_STAT:
6002 	case MSG_STAT:
6003 	case MSG_STAT_ANY:
6004 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6005 		break;
6006 	case IPC_SET:
6007 		perms = MSGQ__SETATTR;
6008 		break;
6009 	case IPC_RMID:
6010 		perms = MSGQ__DESTROY;
6011 		break;
6012 	default:
6013 		return 0;
6014 	}
6015 
6016 	return ipc_has_perm(msq, perms);
6017 }
6018 
6019 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6020 {
6021 	struct ipc_security_struct *isec;
6022 	struct msg_security_struct *msec;
6023 	struct common_audit_data ad;
6024 	u32 sid = current_sid();
6025 	int rc;
6026 
6027 	isec = selinux_ipc(msq);
6028 	msec = selinux_msg_msg(msg);
6029 
6030 	/*
6031 	 * First time through, need to assign label to the message
6032 	 */
6033 	if (msec->sid == SECINITSID_UNLABELED) {
6034 		/*
6035 		 * Compute new sid based on current process and
6036 		 * message queue this message will be stored in
6037 		 */
6038 		rc = security_transition_sid(sid, isec->sid,
6039 					     SECCLASS_MSG, NULL, &msec->sid);
6040 		if (rc)
6041 			return rc;
6042 	}
6043 
6044 	ad.type = LSM_AUDIT_DATA_IPC;
6045 	ad.u.ipc_id = msq->key;
6046 
6047 	/* Can this process write to the queue? */
6048 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6049 			  MSGQ__WRITE, &ad);
6050 	if (!rc)
6051 		/* Can this process send the message */
6052 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6053 				  MSG__SEND, &ad);
6054 	if (!rc)
6055 		/* Can the message be put in the queue? */
6056 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6057 				  MSGQ__ENQUEUE, &ad);
6058 
6059 	return rc;
6060 }
6061 
6062 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6063 				    struct task_struct *target,
6064 				    long type, int mode)
6065 {
6066 	struct ipc_security_struct *isec;
6067 	struct msg_security_struct *msec;
6068 	struct common_audit_data ad;
6069 	u32 sid = task_sid_obj(target);
6070 	int rc;
6071 
6072 	isec = selinux_ipc(msq);
6073 	msec = selinux_msg_msg(msg);
6074 
6075 	ad.type = LSM_AUDIT_DATA_IPC;
6076 	ad.u.ipc_id = msq->key;
6077 
6078 	rc = avc_has_perm(sid, isec->sid,
6079 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6080 	if (!rc)
6081 		rc = avc_has_perm(sid, msec->sid,
6082 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6083 	return rc;
6084 }
6085 
6086 /* Shared Memory security operations */
6087 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6088 {
6089 	struct ipc_security_struct *isec;
6090 	struct common_audit_data ad;
6091 	u32 sid = current_sid();
6092 
6093 	isec = selinux_ipc(shp);
6094 	ipc_init_security(isec, SECCLASS_SHM);
6095 
6096 	ad.type = LSM_AUDIT_DATA_IPC;
6097 	ad.u.ipc_id = shp->key;
6098 
6099 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6100 			    SHM__CREATE, &ad);
6101 }
6102 
6103 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6104 {
6105 	struct ipc_security_struct *isec;
6106 	struct common_audit_data ad;
6107 	u32 sid = current_sid();
6108 
6109 	isec = selinux_ipc(shp);
6110 
6111 	ad.type = LSM_AUDIT_DATA_IPC;
6112 	ad.u.ipc_id = shp->key;
6113 
6114 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6115 			    SHM__ASSOCIATE, &ad);
6116 }
6117 
6118 /* Note, at this point, shp is locked down */
6119 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6120 {
6121 	u32 perms;
6122 
6123 	switch (cmd) {
6124 	case IPC_INFO:
6125 	case SHM_INFO:
6126 		/* No specific object, just general system-wide information. */
6127 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6128 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6129 	case IPC_STAT:
6130 	case SHM_STAT:
6131 	case SHM_STAT_ANY:
6132 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6133 		break;
6134 	case IPC_SET:
6135 		perms = SHM__SETATTR;
6136 		break;
6137 	case SHM_LOCK:
6138 	case SHM_UNLOCK:
6139 		perms = SHM__LOCK;
6140 		break;
6141 	case IPC_RMID:
6142 		perms = SHM__DESTROY;
6143 		break;
6144 	default:
6145 		return 0;
6146 	}
6147 
6148 	return ipc_has_perm(shp, perms);
6149 }
6150 
6151 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6152 			     char __user *shmaddr, int shmflg)
6153 {
6154 	u32 perms;
6155 
6156 	if (shmflg & SHM_RDONLY)
6157 		perms = SHM__READ;
6158 	else
6159 		perms = SHM__READ | SHM__WRITE;
6160 
6161 	return ipc_has_perm(shp, perms);
6162 }
6163 
6164 /* Semaphore security operations */
6165 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6166 {
6167 	struct ipc_security_struct *isec;
6168 	struct common_audit_data ad;
6169 	u32 sid = current_sid();
6170 
6171 	isec = selinux_ipc(sma);
6172 	ipc_init_security(isec, SECCLASS_SEM);
6173 
6174 	ad.type = LSM_AUDIT_DATA_IPC;
6175 	ad.u.ipc_id = sma->key;
6176 
6177 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6178 			    SEM__CREATE, &ad);
6179 }
6180 
6181 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6182 {
6183 	struct ipc_security_struct *isec;
6184 	struct common_audit_data ad;
6185 	u32 sid = current_sid();
6186 
6187 	isec = selinux_ipc(sma);
6188 
6189 	ad.type = LSM_AUDIT_DATA_IPC;
6190 	ad.u.ipc_id = sma->key;
6191 
6192 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6193 			    SEM__ASSOCIATE, &ad);
6194 }
6195 
6196 /* Note, at this point, sma is locked down */
6197 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6198 {
6199 	int err;
6200 	u32 perms;
6201 
6202 	switch (cmd) {
6203 	case IPC_INFO:
6204 	case SEM_INFO:
6205 		/* No specific object, just general system-wide information. */
6206 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6207 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6208 	case GETPID:
6209 	case GETNCNT:
6210 	case GETZCNT:
6211 		perms = SEM__GETATTR;
6212 		break;
6213 	case GETVAL:
6214 	case GETALL:
6215 		perms = SEM__READ;
6216 		break;
6217 	case SETVAL:
6218 	case SETALL:
6219 		perms = SEM__WRITE;
6220 		break;
6221 	case IPC_RMID:
6222 		perms = SEM__DESTROY;
6223 		break;
6224 	case IPC_SET:
6225 		perms = SEM__SETATTR;
6226 		break;
6227 	case IPC_STAT:
6228 	case SEM_STAT:
6229 	case SEM_STAT_ANY:
6230 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6231 		break;
6232 	default:
6233 		return 0;
6234 	}
6235 
6236 	err = ipc_has_perm(sma, perms);
6237 	return err;
6238 }
6239 
6240 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6241 			     struct sembuf *sops, unsigned nsops, int alter)
6242 {
6243 	u32 perms;
6244 
6245 	if (alter)
6246 		perms = SEM__READ | SEM__WRITE;
6247 	else
6248 		perms = SEM__READ;
6249 
6250 	return ipc_has_perm(sma, perms);
6251 }
6252 
6253 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6254 {
6255 	u32 av = 0;
6256 
6257 	av = 0;
6258 	if (flag & S_IRUGO)
6259 		av |= IPC__UNIX_READ;
6260 	if (flag & S_IWUGO)
6261 		av |= IPC__UNIX_WRITE;
6262 
6263 	if (av == 0)
6264 		return 0;
6265 
6266 	return ipc_has_perm(ipcp, av);
6267 }
6268 
6269 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6270 {
6271 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6272 	*secid = isec->sid;
6273 }
6274 
6275 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6276 {
6277 	if (inode)
6278 		inode_doinit_with_dentry(inode, dentry);
6279 }
6280 
6281 static int selinux_getprocattr(struct task_struct *p,
6282 			       const char *name, char **value)
6283 {
6284 	const struct task_security_struct *__tsec;
6285 	u32 sid;
6286 	int error;
6287 	unsigned len;
6288 
6289 	rcu_read_lock();
6290 	__tsec = selinux_cred(__task_cred(p));
6291 
6292 	if (current != p) {
6293 		error = avc_has_perm(current_sid(), __tsec->sid,
6294 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6295 		if (error)
6296 			goto bad;
6297 	}
6298 
6299 	if (!strcmp(name, "current"))
6300 		sid = __tsec->sid;
6301 	else if (!strcmp(name, "prev"))
6302 		sid = __tsec->osid;
6303 	else if (!strcmp(name, "exec"))
6304 		sid = __tsec->exec_sid;
6305 	else if (!strcmp(name, "fscreate"))
6306 		sid = __tsec->create_sid;
6307 	else if (!strcmp(name, "keycreate"))
6308 		sid = __tsec->keycreate_sid;
6309 	else if (!strcmp(name, "sockcreate"))
6310 		sid = __tsec->sockcreate_sid;
6311 	else {
6312 		error = -EINVAL;
6313 		goto bad;
6314 	}
6315 	rcu_read_unlock();
6316 
6317 	if (!sid)
6318 		return 0;
6319 
6320 	error = security_sid_to_context(sid, value, &len);
6321 	if (error)
6322 		return error;
6323 	return len;
6324 
6325 bad:
6326 	rcu_read_unlock();
6327 	return error;
6328 }
6329 
6330 static int selinux_setprocattr(const char *name, void *value, size_t size)
6331 {
6332 	struct task_security_struct *tsec;
6333 	struct cred *new;
6334 	u32 mysid = current_sid(), sid = 0, ptsid;
6335 	int error;
6336 	char *str = value;
6337 
6338 	/*
6339 	 * Basic control over ability to set these attributes at all.
6340 	 */
6341 	if (!strcmp(name, "exec"))
6342 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6343 				     PROCESS__SETEXEC, NULL);
6344 	else if (!strcmp(name, "fscreate"))
6345 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6346 				     PROCESS__SETFSCREATE, NULL);
6347 	else if (!strcmp(name, "keycreate"))
6348 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6349 				     PROCESS__SETKEYCREATE, NULL);
6350 	else if (!strcmp(name, "sockcreate"))
6351 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6352 				     PROCESS__SETSOCKCREATE, NULL);
6353 	else if (!strcmp(name, "current"))
6354 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6355 				     PROCESS__SETCURRENT, NULL);
6356 	else
6357 		error = -EINVAL;
6358 	if (error)
6359 		return error;
6360 
6361 	/* Obtain a SID for the context, if one was specified. */
6362 	if (size && str[0] && str[0] != '\n') {
6363 		if (str[size-1] == '\n') {
6364 			str[size-1] = 0;
6365 			size--;
6366 		}
6367 		error = security_context_to_sid(value, size,
6368 						&sid, GFP_KERNEL);
6369 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6370 			if (!has_cap_mac_admin(true)) {
6371 				struct audit_buffer *ab;
6372 				size_t audit_size;
6373 
6374 				/* We strip a nul only if it is at the end, otherwise the
6375 				 * context contains a nul and we should audit that */
6376 				if (str[size - 1] == '\0')
6377 					audit_size = size - 1;
6378 				else
6379 					audit_size = size;
6380 				ab = audit_log_start(audit_context(),
6381 						     GFP_ATOMIC,
6382 						     AUDIT_SELINUX_ERR);
6383 				if (!ab)
6384 					return error;
6385 				audit_log_format(ab, "op=fscreate invalid_context=");
6386 				audit_log_n_untrustedstring(ab, value, audit_size);
6387 				audit_log_end(ab);
6388 
6389 				return error;
6390 			}
6391 			error = security_context_to_sid_force(value, size,
6392 							&sid);
6393 		}
6394 		if (error)
6395 			return error;
6396 	}
6397 
6398 	new = prepare_creds();
6399 	if (!new)
6400 		return -ENOMEM;
6401 
6402 	/* Permission checking based on the specified context is
6403 	   performed during the actual operation (execve,
6404 	   open/mkdir/...), when we know the full context of the
6405 	   operation.  See selinux_bprm_creds_for_exec for the execve
6406 	   checks and may_create for the file creation checks. The
6407 	   operation will then fail if the context is not permitted. */
6408 	tsec = selinux_cred(new);
6409 	if (!strcmp(name, "exec")) {
6410 		tsec->exec_sid = sid;
6411 	} else if (!strcmp(name, "fscreate")) {
6412 		tsec->create_sid = sid;
6413 	} else if (!strcmp(name, "keycreate")) {
6414 		if (sid) {
6415 			error = avc_has_perm(mysid, sid,
6416 					     SECCLASS_KEY, KEY__CREATE, NULL);
6417 			if (error)
6418 				goto abort_change;
6419 		}
6420 		tsec->keycreate_sid = sid;
6421 	} else if (!strcmp(name, "sockcreate")) {
6422 		tsec->sockcreate_sid = sid;
6423 	} else if (!strcmp(name, "current")) {
6424 		error = -EINVAL;
6425 		if (sid == 0)
6426 			goto abort_change;
6427 
6428 		/* Only allow single threaded processes to change context */
6429 		if (!current_is_single_threaded()) {
6430 			error = security_bounded_transition(tsec->sid, sid);
6431 			if (error)
6432 				goto abort_change;
6433 		}
6434 
6435 		/* Check permissions for the transition. */
6436 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6437 				     PROCESS__DYNTRANSITION, NULL);
6438 		if (error)
6439 			goto abort_change;
6440 
6441 		/* Check for ptracing, and update the task SID if ok.
6442 		   Otherwise, leave SID unchanged and fail. */
6443 		ptsid = ptrace_parent_sid();
6444 		if (ptsid != 0) {
6445 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6446 					     PROCESS__PTRACE, NULL);
6447 			if (error)
6448 				goto abort_change;
6449 		}
6450 
6451 		tsec->sid = sid;
6452 	} else {
6453 		error = -EINVAL;
6454 		goto abort_change;
6455 	}
6456 
6457 	commit_creds(new);
6458 	return size;
6459 
6460 abort_change:
6461 	abort_creds(new);
6462 	return error;
6463 }
6464 
6465 static int selinux_ismaclabel(const char *name)
6466 {
6467 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6468 }
6469 
6470 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6471 {
6472 	return security_sid_to_context(secid,
6473 				       secdata, seclen);
6474 }
6475 
6476 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6477 {
6478 	return security_context_to_sid(secdata, seclen,
6479 				       secid, GFP_KERNEL);
6480 }
6481 
6482 static void selinux_release_secctx(char *secdata, u32 seclen)
6483 {
6484 	kfree(secdata);
6485 }
6486 
6487 static void selinux_inode_invalidate_secctx(struct inode *inode)
6488 {
6489 	struct inode_security_struct *isec = selinux_inode(inode);
6490 
6491 	spin_lock(&isec->lock);
6492 	isec->initialized = LABEL_INVALID;
6493 	spin_unlock(&isec->lock);
6494 }
6495 
6496 /*
6497  *	called with inode->i_mutex locked
6498  */
6499 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6500 {
6501 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6502 					   ctx, ctxlen, 0);
6503 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6504 	return rc == -EOPNOTSUPP ? 0 : rc;
6505 }
6506 
6507 /*
6508  *	called with inode->i_mutex locked
6509  */
6510 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6511 {
6512 	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6513 				     ctx, ctxlen, 0);
6514 }
6515 
6516 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6517 {
6518 	int len = 0;
6519 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6520 					XATTR_SELINUX_SUFFIX, ctx, true);
6521 	if (len < 0)
6522 		return len;
6523 	*ctxlen = len;
6524 	return 0;
6525 }
6526 #ifdef CONFIG_KEYS
6527 
6528 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6529 			     unsigned long flags)
6530 {
6531 	const struct task_security_struct *tsec;
6532 	struct key_security_struct *ksec;
6533 
6534 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6535 	if (!ksec)
6536 		return -ENOMEM;
6537 
6538 	tsec = selinux_cred(cred);
6539 	if (tsec->keycreate_sid)
6540 		ksec->sid = tsec->keycreate_sid;
6541 	else
6542 		ksec->sid = tsec->sid;
6543 
6544 	k->security = ksec;
6545 	return 0;
6546 }
6547 
6548 static void selinux_key_free(struct key *k)
6549 {
6550 	struct key_security_struct *ksec = k->security;
6551 
6552 	k->security = NULL;
6553 	kfree(ksec);
6554 }
6555 
6556 static int selinux_key_permission(key_ref_t key_ref,
6557 				  const struct cred *cred,
6558 				  enum key_need_perm need_perm)
6559 {
6560 	struct key *key;
6561 	struct key_security_struct *ksec;
6562 	u32 perm, sid;
6563 
6564 	switch (need_perm) {
6565 	case KEY_NEED_VIEW:
6566 		perm = KEY__VIEW;
6567 		break;
6568 	case KEY_NEED_READ:
6569 		perm = KEY__READ;
6570 		break;
6571 	case KEY_NEED_WRITE:
6572 		perm = KEY__WRITE;
6573 		break;
6574 	case KEY_NEED_SEARCH:
6575 		perm = KEY__SEARCH;
6576 		break;
6577 	case KEY_NEED_LINK:
6578 		perm = KEY__LINK;
6579 		break;
6580 	case KEY_NEED_SETATTR:
6581 		perm = KEY__SETATTR;
6582 		break;
6583 	case KEY_NEED_UNLINK:
6584 	case KEY_SYSADMIN_OVERRIDE:
6585 	case KEY_AUTHTOKEN_OVERRIDE:
6586 	case KEY_DEFER_PERM_CHECK:
6587 		return 0;
6588 	default:
6589 		WARN_ON(1);
6590 		return -EPERM;
6591 
6592 	}
6593 
6594 	sid = cred_sid(cred);
6595 	key = key_ref_to_ptr(key_ref);
6596 	ksec = key->security;
6597 
6598 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6599 }
6600 
6601 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6602 {
6603 	struct key_security_struct *ksec = key->security;
6604 	char *context = NULL;
6605 	unsigned len;
6606 	int rc;
6607 
6608 	rc = security_sid_to_context(ksec->sid,
6609 				     &context, &len);
6610 	if (!rc)
6611 		rc = len;
6612 	*_buffer = context;
6613 	return rc;
6614 }
6615 
6616 #ifdef CONFIG_KEY_NOTIFICATIONS
6617 static int selinux_watch_key(struct key *key)
6618 {
6619 	struct key_security_struct *ksec = key->security;
6620 	u32 sid = current_sid();
6621 
6622 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6623 }
6624 #endif
6625 #endif
6626 
6627 #ifdef CONFIG_SECURITY_INFINIBAND
6628 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6629 {
6630 	struct common_audit_data ad;
6631 	int err;
6632 	u32 sid = 0;
6633 	struct ib_security_struct *sec = ib_sec;
6634 	struct lsm_ibpkey_audit ibpkey;
6635 
6636 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6637 	if (err)
6638 		return err;
6639 
6640 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6641 	ibpkey.subnet_prefix = subnet_prefix;
6642 	ibpkey.pkey = pkey_val;
6643 	ad.u.ibpkey = &ibpkey;
6644 	return avc_has_perm(sec->sid, sid,
6645 			    SECCLASS_INFINIBAND_PKEY,
6646 			    INFINIBAND_PKEY__ACCESS, &ad);
6647 }
6648 
6649 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6650 					    u8 port_num)
6651 {
6652 	struct common_audit_data ad;
6653 	int err;
6654 	u32 sid = 0;
6655 	struct ib_security_struct *sec = ib_sec;
6656 	struct lsm_ibendport_audit ibendport;
6657 
6658 	err = security_ib_endport_sid(dev_name, port_num,
6659 				      &sid);
6660 
6661 	if (err)
6662 		return err;
6663 
6664 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6665 	ibendport.dev_name = dev_name;
6666 	ibendport.port = port_num;
6667 	ad.u.ibendport = &ibendport;
6668 	return avc_has_perm(sec->sid, sid,
6669 			    SECCLASS_INFINIBAND_ENDPORT,
6670 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6671 }
6672 
6673 static int selinux_ib_alloc_security(void **ib_sec)
6674 {
6675 	struct ib_security_struct *sec;
6676 
6677 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6678 	if (!sec)
6679 		return -ENOMEM;
6680 	sec->sid = current_sid();
6681 
6682 	*ib_sec = sec;
6683 	return 0;
6684 }
6685 
6686 static void selinux_ib_free_security(void *ib_sec)
6687 {
6688 	kfree(ib_sec);
6689 }
6690 #endif
6691 
6692 #ifdef CONFIG_BPF_SYSCALL
6693 static int selinux_bpf(int cmd, union bpf_attr *attr,
6694 				     unsigned int size)
6695 {
6696 	u32 sid = current_sid();
6697 	int ret;
6698 
6699 	switch (cmd) {
6700 	case BPF_MAP_CREATE:
6701 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6702 				   NULL);
6703 		break;
6704 	case BPF_PROG_LOAD:
6705 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6706 				   NULL);
6707 		break;
6708 	default:
6709 		ret = 0;
6710 		break;
6711 	}
6712 
6713 	return ret;
6714 }
6715 
6716 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6717 {
6718 	u32 av = 0;
6719 
6720 	if (fmode & FMODE_READ)
6721 		av |= BPF__MAP_READ;
6722 	if (fmode & FMODE_WRITE)
6723 		av |= BPF__MAP_WRITE;
6724 	return av;
6725 }
6726 
6727 /* This function will check the file pass through unix socket or binder to see
6728  * if it is a bpf related object. And apply corresponding checks on the bpf
6729  * object based on the type. The bpf maps and programs, not like other files and
6730  * socket, are using a shared anonymous inode inside the kernel as their inode.
6731  * So checking that inode cannot identify if the process have privilege to
6732  * access the bpf object and that's why we have to add this additional check in
6733  * selinux_file_receive and selinux_binder_transfer_files.
6734  */
6735 static int bpf_fd_pass(const struct file *file, u32 sid)
6736 {
6737 	struct bpf_security_struct *bpfsec;
6738 	struct bpf_prog *prog;
6739 	struct bpf_map *map;
6740 	int ret;
6741 
6742 	if (file->f_op == &bpf_map_fops) {
6743 		map = file->private_data;
6744 		bpfsec = map->security;
6745 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6746 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6747 		if (ret)
6748 			return ret;
6749 	} else if (file->f_op == &bpf_prog_fops) {
6750 		prog = file->private_data;
6751 		bpfsec = prog->aux->security;
6752 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6753 				   BPF__PROG_RUN, NULL);
6754 		if (ret)
6755 			return ret;
6756 	}
6757 	return 0;
6758 }
6759 
6760 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6761 {
6762 	u32 sid = current_sid();
6763 	struct bpf_security_struct *bpfsec;
6764 
6765 	bpfsec = map->security;
6766 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6767 			    bpf_map_fmode_to_av(fmode), NULL);
6768 }
6769 
6770 static int selinux_bpf_prog(struct bpf_prog *prog)
6771 {
6772 	u32 sid = current_sid();
6773 	struct bpf_security_struct *bpfsec;
6774 
6775 	bpfsec = prog->aux->security;
6776 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6777 			    BPF__PROG_RUN, NULL);
6778 }
6779 
6780 static int selinux_bpf_map_alloc(struct bpf_map *map)
6781 {
6782 	struct bpf_security_struct *bpfsec;
6783 
6784 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6785 	if (!bpfsec)
6786 		return -ENOMEM;
6787 
6788 	bpfsec->sid = current_sid();
6789 	map->security = bpfsec;
6790 
6791 	return 0;
6792 }
6793 
6794 static void selinux_bpf_map_free(struct bpf_map *map)
6795 {
6796 	struct bpf_security_struct *bpfsec = map->security;
6797 
6798 	map->security = NULL;
6799 	kfree(bpfsec);
6800 }
6801 
6802 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6803 {
6804 	struct bpf_security_struct *bpfsec;
6805 
6806 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6807 	if (!bpfsec)
6808 		return -ENOMEM;
6809 
6810 	bpfsec->sid = current_sid();
6811 	aux->security = bpfsec;
6812 
6813 	return 0;
6814 }
6815 
6816 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6817 {
6818 	struct bpf_security_struct *bpfsec = aux->security;
6819 
6820 	aux->security = NULL;
6821 	kfree(bpfsec);
6822 }
6823 #endif
6824 
6825 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6826 	.lbs_cred = sizeof(struct task_security_struct),
6827 	.lbs_file = sizeof(struct file_security_struct),
6828 	.lbs_inode = sizeof(struct inode_security_struct),
6829 	.lbs_ipc = sizeof(struct ipc_security_struct),
6830 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6831 	.lbs_superblock = sizeof(struct superblock_security_struct),
6832 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6833 };
6834 
6835 #ifdef CONFIG_PERF_EVENTS
6836 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6837 {
6838 	u32 requested, sid = current_sid();
6839 
6840 	if (type == PERF_SECURITY_OPEN)
6841 		requested = PERF_EVENT__OPEN;
6842 	else if (type == PERF_SECURITY_CPU)
6843 		requested = PERF_EVENT__CPU;
6844 	else if (type == PERF_SECURITY_KERNEL)
6845 		requested = PERF_EVENT__KERNEL;
6846 	else if (type == PERF_SECURITY_TRACEPOINT)
6847 		requested = PERF_EVENT__TRACEPOINT;
6848 	else
6849 		return -EINVAL;
6850 
6851 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6852 			    requested, NULL);
6853 }
6854 
6855 static int selinux_perf_event_alloc(struct perf_event *event)
6856 {
6857 	struct perf_event_security_struct *perfsec;
6858 
6859 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6860 	if (!perfsec)
6861 		return -ENOMEM;
6862 
6863 	perfsec->sid = current_sid();
6864 	event->security = perfsec;
6865 
6866 	return 0;
6867 }
6868 
6869 static void selinux_perf_event_free(struct perf_event *event)
6870 {
6871 	struct perf_event_security_struct *perfsec = event->security;
6872 
6873 	event->security = NULL;
6874 	kfree(perfsec);
6875 }
6876 
6877 static int selinux_perf_event_read(struct perf_event *event)
6878 {
6879 	struct perf_event_security_struct *perfsec = event->security;
6880 	u32 sid = current_sid();
6881 
6882 	return avc_has_perm(sid, perfsec->sid,
6883 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6884 }
6885 
6886 static int selinux_perf_event_write(struct perf_event *event)
6887 {
6888 	struct perf_event_security_struct *perfsec = event->security;
6889 	u32 sid = current_sid();
6890 
6891 	return avc_has_perm(sid, perfsec->sid,
6892 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6893 }
6894 #endif
6895 
6896 #ifdef CONFIG_IO_URING
6897 /**
6898  * selinux_uring_override_creds - check the requested cred override
6899  * @new: the target creds
6900  *
6901  * Check to see if the current task is allowed to override it's credentials
6902  * to service an io_uring operation.
6903  */
6904 static int selinux_uring_override_creds(const struct cred *new)
6905 {
6906 	return avc_has_perm(current_sid(), cred_sid(new),
6907 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6908 }
6909 
6910 /**
6911  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6912  *
6913  * Check to see if the current task is allowed to create a new io_uring
6914  * kernel polling thread.
6915  */
6916 static int selinux_uring_sqpoll(void)
6917 {
6918 	u32 sid = current_sid();
6919 
6920 	return avc_has_perm(sid, sid,
6921 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6922 }
6923 
6924 /**
6925  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6926  * @ioucmd: the io_uring command structure
6927  *
6928  * Check to see if the current domain is allowed to execute an
6929  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6930  *
6931  */
6932 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6933 {
6934 	struct file *file = ioucmd->file;
6935 	struct inode *inode = file_inode(file);
6936 	struct inode_security_struct *isec = selinux_inode(inode);
6937 	struct common_audit_data ad;
6938 
6939 	ad.type = LSM_AUDIT_DATA_FILE;
6940 	ad.u.file = file;
6941 
6942 	return avc_has_perm(current_sid(), isec->sid,
6943 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
6944 }
6945 #endif /* CONFIG_IO_URING */
6946 
6947 /*
6948  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6949  * 1. any hooks that don't belong to (2.) or (3.) below,
6950  * 2. hooks that both access structures allocated by other hooks, and allocate
6951  *    structures that can be later accessed by other hooks (mostly "cloning"
6952  *    hooks),
6953  * 3. hooks that only allocate structures that can be later accessed by other
6954  *    hooks ("allocating" hooks).
6955  *
6956  * Please follow block comment delimiters in the list to keep this order.
6957  */
6958 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6959 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6960 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6961 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6962 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6963 
6964 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6965 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6966 	LSM_HOOK_INIT(capget, selinux_capget),
6967 	LSM_HOOK_INIT(capset, selinux_capset),
6968 	LSM_HOOK_INIT(capable, selinux_capable),
6969 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6970 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6971 	LSM_HOOK_INIT(syslog, selinux_syslog),
6972 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6973 
6974 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6975 
6976 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6977 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6978 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6979 
6980 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6981 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
6982 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6983 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6984 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6985 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6986 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6987 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6988 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6989 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6990 
6991 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6992 
6993 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6994 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6995 
6996 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6997 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6998 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
6999 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7000 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7001 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7002 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7003 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7004 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7005 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7006 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7007 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7008 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7009 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7010 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7011 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7012 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7013 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7014 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7015 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7016 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7017 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7018 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7019 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7020 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7021 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7022 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7023 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7024 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7025 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7026 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7027 
7028 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7029 
7030 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7031 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7032 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7033 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7034 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7035 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7036 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7037 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7038 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7039 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7040 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7041 
7042 	LSM_HOOK_INIT(file_open, selinux_file_open),
7043 
7044 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7045 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7046 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7047 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7048 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7049 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7050 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7051 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7052 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7053 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7054 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7055 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7056 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7057 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7058 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7059 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7060 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7061 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7062 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7063 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7064 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7065 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7066 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7067 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7068 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7069 
7070 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7071 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7072 
7073 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7074 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7075 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7076 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7077 
7078 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7079 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7080 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7081 
7082 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7083 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7084 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7085 
7086 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7087 
7088 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7089 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7090 
7091 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7092 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7093 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7094 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7095 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7096 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7097 
7098 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7099 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7100 
7101 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7102 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7103 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7104 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7105 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7106 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7107 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7108 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7109 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7110 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7111 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7112 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7113 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7114 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7115 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7116 	LSM_HOOK_INIT(socket_getpeersec_stream,
7117 			selinux_socket_getpeersec_stream),
7118 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7119 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7120 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7121 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7122 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7123 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7124 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7125 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7126 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7127 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7128 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7129 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7130 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7131 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7132 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7133 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7134 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7135 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7136 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7137 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7138 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7139 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7140 #ifdef CONFIG_SECURITY_INFINIBAND
7141 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7142 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7143 		      selinux_ib_endport_manage_subnet),
7144 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7145 #endif
7146 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7147 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7148 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7149 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7150 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7151 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7152 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7153 			selinux_xfrm_state_pol_flow_match),
7154 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7155 #endif
7156 
7157 #ifdef CONFIG_KEYS
7158 	LSM_HOOK_INIT(key_free, selinux_key_free),
7159 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7160 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7161 #ifdef CONFIG_KEY_NOTIFICATIONS
7162 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7163 #endif
7164 #endif
7165 
7166 #ifdef CONFIG_AUDIT
7167 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7168 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7169 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7170 #endif
7171 
7172 #ifdef CONFIG_BPF_SYSCALL
7173 	LSM_HOOK_INIT(bpf, selinux_bpf),
7174 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7175 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7176 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7177 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7178 #endif
7179 
7180 #ifdef CONFIG_PERF_EVENTS
7181 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7182 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7183 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7184 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7185 #endif
7186 
7187 #ifdef CONFIG_IO_URING
7188 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7189 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7190 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7191 #endif
7192 
7193 	/*
7194 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7195 	 */
7196 	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7197 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7198 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7199 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7200 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7201 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7202 #endif
7203 
7204 	/*
7205 	 * PUT "ALLOCATING" HOOKS HERE
7206 	 */
7207 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7208 	LSM_HOOK_INIT(msg_queue_alloc_security,
7209 		      selinux_msg_queue_alloc_security),
7210 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7211 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7212 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7213 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7214 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7215 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7216 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7217 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7218 #ifdef CONFIG_SECURITY_INFINIBAND
7219 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7220 #endif
7221 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7222 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7223 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7224 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7225 		      selinux_xfrm_state_alloc_acquire),
7226 #endif
7227 #ifdef CONFIG_KEYS
7228 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7229 #endif
7230 #ifdef CONFIG_AUDIT
7231 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7232 #endif
7233 #ifdef CONFIG_BPF_SYSCALL
7234 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7235 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7236 #endif
7237 #ifdef CONFIG_PERF_EVENTS
7238 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7239 #endif
7240 };
7241 
7242 static __init int selinux_init(void)
7243 {
7244 	pr_info("SELinux:  Initializing.\n");
7245 
7246 	memset(&selinux_state, 0, sizeof(selinux_state));
7247 	enforcing_set(selinux_enforcing_boot);
7248 	selinux_avc_init();
7249 	mutex_init(&selinux_state.status_lock);
7250 	mutex_init(&selinux_state.policy_mutex);
7251 
7252 	/* Set the security state for the initial task. */
7253 	cred_init_security();
7254 
7255 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7256 	if (!default_noexec)
7257 		pr_notice("SELinux:  virtual memory is executable by default\n");
7258 
7259 	avc_init();
7260 
7261 	avtab_cache_init();
7262 
7263 	ebitmap_cache_init();
7264 
7265 	hashtab_cache_init();
7266 
7267 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7268 
7269 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7270 		panic("SELinux: Unable to register AVC netcache callback\n");
7271 
7272 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7273 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7274 
7275 	if (selinux_enforcing_boot)
7276 		pr_debug("SELinux:  Starting in enforcing mode\n");
7277 	else
7278 		pr_debug("SELinux:  Starting in permissive mode\n");
7279 
7280 	fs_validate_description("selinux", selinux_fs_parameters);
7281 
7282 	return 0;
7283 }
7284 
7285 static void delayed_superblock_init(struct super_block *sb, void *unused)
7286 {
7287 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7288 }
7289 
7290 void selinux_complete_init(void)
7291 {
7292 	pr_debug("SELinux:  Completing initialization.\n");
7293 
7294 	/* Set up any superblocks initialized prior to the policy load. */
7295 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7296 	iterate_supers(delayed_superblock_init, NULL);
7297 }
7298 
7299 /* SELinux requires early initialization in order to label
7300    all processes and objects when they are created. */
7301 DEFINE_LSM(selinux) = {
7302 	.name = "selinux",
7303 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7304 	.enabled = &selinux_enabled_boot,
7305 	.blobs = &selinux_blob_sizes,
7306 	.init = selinux_init,
7307 };
7308 
7309 #if defined(CONFIG_NETFILTER)
7310 static const struct nf_hook_ops selinux_nf_ops[] = {
7311 	{
7312 		.hook =		selinux_ip_postroute,
7313 		.pf =		NFPROTO_IPV4,
7314 		.hooknum =	NF_INET_POST_ROUTING,
7315 		.priority =	NF_IP_PRI_SELINUX_LAST,
7316 	},
7317 	{
7318 		.hook =		selinux_ip_forward,
7319 		.pf =		NFPROTO_IPV4,
7320 		.hooknum =	NF_INET_FORWARD,
7321 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7322 	},
7323 	{
7324 		.hook =		selinux_ip_output,
7325 		.pf =		NFPROTO_IPV4,
7326 		.hooknum =	NF_INET_LOCAL_OUT,
7327 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7328 	},
7329 #if IS_ENABLED(CONFIG_IPV6)
7330 	{
7331 		.hook =		selinux_ip_postroute,
7332 		.pf =		NFPROTO_IPV6,
7333 		.hooknum =	NF_INET_POST_ROUTING,
7334 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7335 	},
7336 	{
7337 		.hook =		selinux_ip_forward,
7338 		.pf =		NFPROTO_IPV6,
7339 		.hooknum =	NF_INET_FORWARD,
7340 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7341 	},
7342 	{
7343 		.hook =		selinux_ip_output,
7344 		.pf =		NFPROTO_IPV6,
7345 		.hooknum =	NF_INET_LOCAL_OUT,
7346 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7347 	},
7348 #endif	/* IPV6 */
7349 };
7350 
7351 static int __net_init selinux_nf_register(struct net *net)
7352 {
7353 	return nf_register_net_hooks(net, selinux_nf_ops,
7354 				     ARRAY_SIZE(selinux_nf_ops));
7355 }
7356 
7357 static void __net_exit selinux_nf_unregister(struct net *net)
7358 {
7359 	nf_unregister_net_hooks(net, selinux_nf_ops,
7360 				ARRAY_SIZE(selinux_nf_ops));
7361 }
7362 
7363 static struct pernet_operations selinux_net_ops = {
7364 	.init = selinux_nf_register,
7365 	.exit = selinux_nf_unregister,
7366 };
7367 
7368 static int __init selinux_nf_ip_init(void)
7369 {
7370 	int err;
7371 
7372 	if (!selinux_enabled_boot)
7373 		return 0;
7374 
7375 	pr_debug("SELinux:  Registering netfilter hooks\n");
7376 
7377 	err = register_pernet_subsys(&selinux_net_ops);
7378 	if (err)
7379 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7380 
7381 	return 0;
7382 }
7383 __initcall(selinux_nf_ip_init);
7384 #endif /* CONFIG_NETFILTER */
7385