xref: /openbmc/linux/security/selinux/hooks.c (revision f17f06a0)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105 
106 struct selinux_state selinux_state;
107 
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110 
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot __initdata;
113 
114 static int __init enforcing_setup(char *str)
115 {
116 	unsigned long enforcing;
117 	if (!kstrtoul(str, 0, &enforcing))
118 		selinux_enforcing_boot = enforcing ? 1 : 0;
119 	return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125 
126 int selinux_enabled_boot __initdata = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 	unsigned long enabled;
131 	if (!kstrtoul(str, 0, &enabled))
132 		selinux_enabled_boot = enabled ? 1 : 0;
133 	return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot))
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 /**
152  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153  *
154  * Description:
155  * This function checks the SECMARK reference counter to see if any SECMARK
156  * targets are currently configured, if the reference counter is greater than
157  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
158  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
159  * policy capability is enabled, SECMARK is always considered enabled.
160  *
161  */
162 static int selinux_secmark_enabled(void)
163 {
164 	return (selinux_policycap_alwaysnetwork() ||
165 		atomic_read(&selinux_secmark_refcount));
166 }
167 
168 /**
169  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170  *
171  * Description:
172  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
173  * (1) if any are enabled or false (0) if neither are enabled.  If the
174  * always_check_network policy capability is enabled, peer labeling
175  * is always considered enabled.
176  *
177  */
178 static int selinux_peerlbl_enabled(void)
179 {
180 	return (selinux_policycap_alwaysnetwork() ||
181 		netlbl_enabled() || selinux_xfrm_enabled());
182 }
183 
184 static int selinux_netcache_avc_callback(u32 event)
185 {
186 	if (event == AVC_CALLBACK_RESET) {
187 		sel_netif_flush();
188 		sel_netnode_flush();
189 		sel_netport_flush();
190 		synchronize_net();
191 	}
192 	return 0;
193 }
194 
195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197 	if (event == AVC_CALLBACK_RESET) {
198 		sel_ib_pkey_flush();
199 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 	}
201 
202 	return 0;
203 }
204 
205 /*
206  * initialise the security for the init task
207  */
208 static void cred_init_security(void)
209 {
210 	struct cred *cred = (struct cred *) current->real_cred;
211 	struct task_security_struct *tsec;
212 
213 	tsec = selinux_cred(cred);
214 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 }
216 
217 /*
218  * get the security ID of a set of credentials
219  */
220 static inline u32 cred_sid(const struct cred *cred)
221 {
222 	const struct task_security_struct *tsec;
223 
224 	tsec = selinux_cred(cred);
225 	return tsec->sid;
226 }
227 
228 /*
229  * get the objective security ID of a task
230  */
231 static inline u32 task_sid(const struct task_struct *task)
232 {
233 	u32 sid;
234 
235 	rcu_read_lock();
236 	sid = cred_sid(__task_cred(task));
237 	rcu_read_unlock();
238 	return sid;
239 }
240 
241 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
242 
243 /*
244  * Try reloading inode security labels that have been marked as invalid.  The
245  * @may_sleep parameter indicates when sleeping and thus reloading labels is
246  * allowed; when set to false, returns -ECHILD when the label is
247  * invalid.  The @dentry parameter should be set to a dentry of the inode.
248  */
249 static int __inode_security_revalidate(struct inode *inode,
250 				       struct dentry *dentry,
251 				       bool may_sleep)
252 {
253 	struct inode_security_struct *isec = selinux_inode(inode);
254 
255 	might_sleep_if(may_sleep);
256 
257 	if (selinux_initialized(&selinux_state) &&
258 	    isec->initialized != LABEL_INITIALIZED) {
259 		if (!may_sleep)
260 			return -ECHILD;
261 
262 		/*
263 		 * Try reloading the inode security label.  This will fail if
264 		 * @opt_dentry is NULL and no dentry for this inode can be
265 		 * found; in that case, continue using the old label.
266 		 */
267 		inode_doinit_with_dentry(inode, dentry);
268 	}
269 	return 0;
270 }
271 
272 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
273 {
274 	return selinux_inode(inode);
275 }
276 
277 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
278 {
279 	int error;
280 
281 	error = __inode_security_revalidate(inode, NULL, !rcu);
282 	if (error)
283 		return ERR_PTR(error);
284 	return selinux_inode(inode);
285 }
286 
287 /*
288  * Get the security label of an inode.
289  */
290 static struct inode_security_struct *inode_security(struct inode *inode)
291 {
292 	__inode_security_revalidate(inode, NULL, true);
293 	return selinux_inode(inode);
294 }
295 
296 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
297 {
298 	struct inode *inode = d_backing_inode(dentry);
299 
300 	return selinux_inode(inode);
301 }
302 
303 /*
304  * Get the security label of a dentry's backing inode.
305  */
306 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
307 {
308 	struct inode *inode = d_backing_inode(dentry);
309 
310 	__inode_security_revalidate(inode, dentry, true);
311 	return selinux_inode(inode);
312 }
313 
314 static void inode_free_security(struct inode *inode)
315 {
316 	struct inode_security_struct *isec = selinux_inode(inode);
317 	struct superblock_security_struct *sbsec;
318 
319 	if (!isec)
320 		return;
321 	sbsec = inode->i_sb->s_security;
322 	/*
323 	 * As not all inode security structures are in a list, we check for
324 	 * empty list outside of the lock to make sure that we won't waste
325 	 * time taking a lock doing nothing.
326 	 *
327 	 * The list_del_init() function can be safely called more than once.
328 	 * It should not be possible for this function to be called with
329 	 * concurrent list_add(), but for better safety against future changes
330 	 * in the code, we use list_empty_careful() here.
331 	 */
332 	if (!list_empty_careful(&isec->list)) {
333 		spin_lock(&sbsec->isec_lock);
334 		list_del_init(&isec->list);
335 		spin_unlock(&sbsec->isec_lock);
336 	}
337 }
338 
339 static void superblock_free_security(struct super_block *sb)
340 {
341 	struct superblock_security_struct *sbsec = sb->s_security;
342 	sb->s_security = NULL;
343 	kfree(sbsec);
344 }
345 
346 struct selinux_mnt_opts {
347 	const char *fscontext, *context, *rootcontext, *defcontext;
348 };
349 
350 static void selinux_free_mnt_opts(void *mnt_opts)
351 {
352 	struct selinux_mnt_opts *opts = mnt_opts;
353 	kfree(opts->fscontext);
354 	kfree(opts->context);
355 	kfree(opts->rootcontext);
356 	kfree(opts->defcontext);
357 	kfree(opts);
358 }
359 
360 enum {
361 	Opt_error = -1,
362 	Opt_context = 0,
363 	Opt_defcontext = 1,
364 	Opt_fscontext = 2,
365 	Opt_rootcontext = 3,
366 	Opt_seclabel = 4,
367 };
368 
369 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
370 static struct {
371 	const char *name;
372 	int len;
373 	int opt;
374 	bool has_arg;
375 } tokens[] = {
376 	A(context, true),
377 	A(fscontext, true),
378 	A(defcontext, true),
379 	A(rootcontext, true),
380 	A(seclabel, false),
381 };
382 #undef A
383 
384 static int match_opt_prefix(char *s, int l, char **arg)
385 {
386 	int i;
387 
388 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
389 		size_t len = tokens[i].len;
390 		if (len > l || memcmp(s, tokens[i].name, len))
391 			continue;
392 		if (tokens[i].has_arg) {
393 			if (len == l || s[len] != '=')
394 				continue;
395 			*arg = s + len + 1;
396 		} else if (len != l)
397 			continue;
398 		return tokens[i].opt;
399 	}
400 	return Opt_error;
401 }
402 
403 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
404 
405 static int may_context_mount_sb_relabel(u32 sid,
406 			struct superblock_security_struct *sbsec,
407 			const struct cred *cred)
408 {
409 	const struct task_security_struct *tsec = selinux_cred(cred);
410 	int rc;
411 
412 	rc = avc_has_perm(&selinux_state,
413 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
414 			  FILESYSTEM__RELABELFROM, NULL);
415 	if (rc)
416 		return rc;
417 
418 	rc = avc_has_perm(&selinux_state,
419 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
420 			  FILESYSTEM__RELABELTO, NULL);
421 	return rc;
422 }
423 
424 static int may_context_mount_inode_relabel(u32 sid,
425 			struct superblock_security_struct *sbsec,
426 			const struct cred *cred)
427 {
428 	const struct task_security_struct *tsec = selinux_cred(cred);
429 	int rc;
430 	rc = avc_has_perm(&selinux_state,
431 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
432 			  FILESYSTEM__RELABELFROM, NULL);
433 	if (rc)
434 		return rc;
435 
436 	rc = avc_has_perm(&selinux_state,
437 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
438 			  FILESYSTEM__ASSOCIATE, NULL);
439 	return rc;
440 }
441 
442 static int selinux_is_genfs_special_handling(struct super_block *sb)
443 {
444 	/* Special handling. Genfs but also in-core setxattr handler */
445 	return	!strcmp(sb->s_type->name, "sysfs") ||
446 		!strcmp(sb->s_type->name, "pstore") ||
447 		!strcmp(sb->s_type->name, "debugfs") ||
448 		!strcmp(sb->s_type->name, "tracefs") ||
449 		!strcmp(sb->s_type->name, "rootfs") ||
450 		(selinux_policycap_cgroupseclabel() &&
451 		 (!strcmp(sb->s_type->name, "cgroup") ||
452 		  !strcmp(sb->s_type->name, "cgroup2")));
453 }
454 
455 static int selinux_is_sblabel_mnt(struct super_block *sb)
456 {
457 	struct superblock_security_struct *sbsec = sb->s_security;
458 
459 	/*
460 	 * IMPORTANT: Double-check logic in this function when adding a new
461 	 * SECURITY_FS_USE_* definition!
462 	 */
463 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
464 
465 	switch (sbsec->behavior) {
466 	case SECURITY_FS_USE_XATTR:
467 	case SECURITY_FS_USE_TRANS:
468 	case SECURITY_FS_USE_TASK:
469 	case SECURITY_FS_USE_NATIVE:
470 		return 1;
471 
472 	case SECURITY_FS_USE_GENFS:
473 		return selinux_is_genfs_special_handling(sb);
474 
475 	/* Never allow relabeling on context mounts */
476 	case SECURITY_FS_USE_MNTPOINT:
477 	case SECURITY_FS_USE_NONE:
478 	default:
479 		return 0;
480 	}
481 }
482 
483 static int sb_finish_set_opts(struct super_block *sb)
484 {
485 	struct superblock_security_struct *sbsec = sb->s_security;
486 	struct dentry *root = sb->s_root;
487 	struct inode *root_inode = d_backing_inode(root);
488 	int rc = 0;
489 
490 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
491 		/* Make sure that the xattr handler exists and that no
492 		   error other than -ENODATA is returned by getxattr on
493 		   the root directory.  -ENODATA is ok, as this may be
494 		   the first boot of the SELinux kernel before we have
495 		   assigned xattr values to the filesystem. */
496 		if (!(root_inode->i_opflags & IOP_XATTR)) {
497 			pr_warn("SELinux: (dev %s, type %s) has no "
498 			       "xattr support\n", sb->s_id, sb->s_type->name);
499 			rc = -EOPNOTSUPP;
500 			goto out;
501 		}
502 
503 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
504 		if (rc < 0 && rc != -ENODATA) {
505 			if (rc == -EOPNOTSUPP)
506 				pr_warn("SELinux: (dev %s, type "
507 				       "%s) has no security xattr handler\n",
508 				       sb->s_id, sb->s_type->name);
509 			else
510 				pr_warn("SELinux: (dev %s, type "
511 				       "%s) getxattr errno %d\n", sb->s_id,
512 				       sb->s_type->name, -rc);
513 			goto out;
514 		}
515 	}
516 
517 	sbsec->flags |= SE_SBINITIALIZED;
518 
519 	/*
520 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
521 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
522 	 * us a superblock that needs the flag to be cleared.
523 	 */
524 	if (selinux_is_sblabel_mnt(sb))
525 		sbsec->flags |= SBLABEL_MNT;
526 	else
527 		sbsec->flags &= ~SBLABEL_MNT;
528 
529 	/* Initialize the root inode. */
530 	rc = inode_doinit_with_dentry(root_inode, root);
531 
532 	/* Initialize any other inodes associated with the superblock, e.g.
533 	   inodes created prior to initial policy load or inodes created
534 	   during get_sb by a pseudo filesystem that directly
535 	   populates itself. */
536 	spin_lock(&sbsec->isec_lock);
537 	while (!list_empty(&sbsec->isec_head)) {
538 		struct inode_security_struct *isec =
539 				list_first_entry(&sbsec->isec_head,
540 					   struct inode_security_struct, list);
541 		struct inode *inode = isec->inode;
542 		list_del_init(&isec->list);
543 		spin_unlock(&sbsec->isec_lock);
544 		inode = igrab(inode);
545 		if (inode) {
546 			if (!IS_PRIVATE(inode))
547 				inode_doinit_with_dentry(inode, NULL);
548 			iput(inode);
549 		}
550 		spin_lock(&sbsec->isec_lock);
551 	}
552 	spin_unlock(&sbsec->isec_lock);
553 out:
554 	return rc;
555 }
556 
557 static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 		      u32 old_sid, u32 new_sid)
559 {
560 	char mnt_flags = sbsec->flags & SE_MNTMASK;
561 
562 	/* check if the old mount command had the same options */
563 	if (sbsec->flags & SE_SBINITIALIZED)
564 		if (!(sbsec->flags & flag) ||
565 		    (old_sid != new_sid))
566 			return 1;
567 
568 	/* check if we were passed the same options twice,
569 	 * aka someone passed context=a,context=b
570 	 */
571 	if (!(sbsec->flags & SE_SBINITIALIZED))
572 		if (mnt_flags & flag)
573 			return 1;
574 	return 0;
575 }
576 
577 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
578 {
579 	int rc = security_context_str_to_sid(&selinux_state, s,
580 					     sid, GFP_KERNEL);
581 	if (rc)
582 		pr_warn("SELinux: security_context_str_to_sid"
583 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
584 		       s, sb->s_id, sb->s_type->name, rc);
585 	return rc;
586 }
587 
588 /*
589  * Allow filesystems with binary mount data to explicitly set mount point
590  * labeling information.
591  */
592 static int selinux_set_mnt_opts(struct super_block *sb,
593 				void *mnt_opts,
594 				unsigned long kern_flags,
595 				unsigned long *set_kern_flags)
596 {
597 	const struct cred *cred = current_cred();
598 	struct superblock_security_struct *sbsec = sb->s_security;
599 	struct dentry *root = sbsec->sb->s_root;
600 	struct selinux_mnt_opts *opts = mnt_opts;
601 	struct inode_security_struct *root_isec;
602 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
603 	u32 defcontext_sid = 0;
604 	int rc = 0;
605 
606 	mutex_lock(&sbsec->lock);
607 
608 	if (!selinux_initialized(&selinux_state)) {
609 		if (!opts) {
610 			/* Defer initialization until selinux_complete_init,
611 			   after the initial policy is loaded and the security
612 			   server is ready to handle calls. */
613 			goto out;
614 		}
615 		rc = -EINVAL;
616 		pr_warn("SELinux: Unable to set superblock options "
617 			"before the security server is initialized\n");
618 		goto out;
619 	}
620 	if (kern_flags && !set_kern_flags) {
621 		/* Specifying internal flags without providing a place to
622 		 * place the results is not allowed */
623 		rc = -EINVAL;
624 		goto out;
625 	}
626 
627 	/*
628 	 * Binary mount data FS will come through this function twice.  Once
629 	 * from an explicit call and once from the generic calls from the vfs.
630 	 * Since the generic VFS calls will not contain any security mount data
631 	 * we need to skip the double mount verification.
632 	 *
633 	 * This does open a hole in which we will not notice if the first
634 	 * mount using this sb set explict options and a second mount using
635 	 * this sb does not set any security options.  (The first options
636 	 * will be used for both mounts)
637 	 */
638 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
639 	    && !opts)
640 		goto out;
641 
642 	root_isec = backing_inode_security_novalidate(root);
643 
644 	/*
645 	 * parse the mount options, check if they are valid sids.
646 	 * also check if someone is trying to mount the same sb more
647 	 * than once with different security options.
648 	 */
649 	if (opts) {
650 		if (opts->fscontext) {
651 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
652 			if (rc)
653 				goto out;
654 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
655 					fscontext_sid))
656 				goto out_double_mount;
657 			sbsec->flags |= FSCONTEXT_MNT;
658 		}
659 		if (opts->context) {
660 			rc = parse_sid(sb, opts->context, &context_sid);
661 			if (rc)
662 				goto out;
663 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
664 					context_sid))
665 				goto out_double_mount;
666 			sbsec->flags |= CONTEXT_MNT;
667 		}
668 		if (opts->rootcontext) {
669 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
670 			if (rc)
671 				goto out;
672 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
673 					rootcontext_sid))
674 				goto out_double_mount;
675 			sbsec->flags |= ROOTCONTEXT_MNT;
676 		}
677 		if (opts->defcontext) {
678 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
679 			if (rc)
680 				goto out;
681 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
682 					defcontext_sid))
683 				goto out_double_mount;
684 			sbsec->flags |= DEFCONTEXT_MNT;
685 		}
686 	}
687 
688 	if (sbsec->flags & SE_SBINITIALIZED) {
689 		/* previously mounted with options, but not on this attempt? */
690 		if ((sbsec->flags & SE_MNTMASK) && !opts)
691 			goto out_double_mount;
692 		rc = 0;
693 		goto out;
694 	}
695 
696 	if (strcmp(sb->s_type->name, "proc") == 0)
697 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
698 
699 	if (!strcmp(sb->s_type->name, "debugfs") ||
700 	    !strcmp(sb->s_type->name, "tracefs") ||
701 	    !strcmp(sb->s_type->name, "binder") ||
702 	    !strcmp(sb->s_type->name, "pstore"))
703 		sbsec->flags |= SE_SBGENFS;
704 
705 	if (!strcmp(sb->s_type->name, "sysfs") ||
706 	    !strcmp(sb->s_type->name, "cgroup") ||
707 	    !strcmp(sb->s_type->name, "cgroup2"))
708 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
709 
710 	if (!sbsec->behavior) {
711 		/*
712 		 * Determine the labeling behavior to use for this
713 		 * filesystem type.
714 		 */
715 		rc = security_fs_use(&selinux_state, sb);
716 		if (rc) {
717 			pr_warn("%s: security_fs_use(%s) returned %d\n",
718 					__func__, sb->s_type->name, rc);
719 			goto out;
720 		}
721 	}
722 
723 	/*
724 	 * If this is a user namespace mount and the filesystem type is not
725 	 * explicitly whitelisted, then no contexts are allowed on the command
726 	 * line and security labels must be ignored.
727 	 */
728 	if (sb->s_user_ns != &init_user_ns &&
729 	    strcmp(sb->s_type->name, "tmpfs") &&
730 	    strcmp(sb->s_type->name, "ramfs") &&
731 	    strcmp(sb->s_type->name, "devpts")) {
732 		if (context_sid || fscontext_sid || rootcontext_sid ||
733 		    defcontext_sid) {
734 			rc = -EACCES;
735 			goto out;
736 		}
737 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
738 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
739 			rc = security_transition_sid(&selinux_state,
740 						     current_sid(),
741 						     current_sid(),
742 						     SECCLASS_FILE, NULL,
743 						     &sbsec->mntpoint_sid);
744 			if (rc)
745 				goto out;
746 		}
747 		goto out_set_opts;
748 	}
749 
750 	/* sets the context of the superblock for the fs being mounted. */
751 	if (fscontext_sid) {
752 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
753 		if (rc)
754 			goto out;
755 
756 		sbsec->sid = fscontext_sid;
757 	}
758 
759 	/*
760 	 * Switch to using mount point labeling behavior.
761 	 * sets the label used on all file below the mountpoint, and will set
762 	 * the superblock context if not already set.
763 	 */
764 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
765 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
766 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
767 	}
768 
769 	if (context_sid) {
770 		if (!fscontext_sid) {
771 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
772 							  cred);
773 			if (rc)
774 				goto out;
775 			sbsec->sid = context_sid;
776 		} else {
777 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
778 							     cred);
779 			if (rc)
780 				goto out;
781 		}
782 		if (!rootcontext_sid)
783 			rootcontext_sid = context_sid;
784 
785 		sbsec->mntpoint_sid = context_sid;
786 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
787 	}
788 
789 	if (rootcontext_sid) {
790 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
791 						     cred);
792 		if (rc)
793 			goto out;
794 
795 		root_isec->sid = rootcontext_sid;
796 		root_isec->initialized = LABEL_INITIALIZED;
797 	}
798 
799 	if (defcontext_sid) {
800 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
801 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
802 			rc = -EINVAL;
803 			pr_warn("SELinux: defcontext option is "
804 			       "invalid for this filesystem type\n");
805 			goto out;
806 		}
807 
808 		if (defcontext_sid != sbsec->def_sid) {
809 			rc = may_context_mount_inode_relabel(defcontext_sid,
810 							     sbsec, cred);
811 			if (rc)
812 				goto out;
813 		}
814 
815 		sbsec->def_sid = defcontext_sid;
816 	}
817 
818 out_set_opts:
819 	rc = sb_finish_set_opts(sb);
820 out:
821 	mutex_unlock(&sbsec->lock);
822 	return rc;
823 out_double_mount:
824 	rc = -EINVAL;
825 	pr_warn("SELinux: mount invalid.  Same superblock, different "
826 	       "security settings for (dev %s, type %s)\n", sb->s_id,
827 	       sb->s_type->name);
828 	goto out;
829 }
830 
831 static int selinux_cmp_sb_context(const struct super_block *oldsb,
832 				    const struct super_block *newsb)
833 {
834 	struct superblock_security_struct *old = oldsb->s_security;
835 	struct superblock_security_struct *new = newsb->s_security;
836 	char oldflags = old->flags & SE_MNTMASK;
837 	char newflags = new->flags & SE_MNTMASK;
838 
839 	if (oldflags != newflags)
840 		goto mismatch;
841 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
842 		goto mismatch;
843 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
844 		goto mismatch;
845 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
846 		goto mismatch;
847 	if (oldflags & ROOTCONTEXT_MNT) {
848 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
849 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
850 		if (oldroot->sid != newroot->sid)
851 			goto mismatch;
852 	}
853 	return 0;
854 mismatch:
855 	pr_warn("SELinux: mount invalid.  Same superblock, "
856 			    "different security settings for (dev %s, "
857 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
858 	return -EBUSY;
859 }
860 
861 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
862 					struct super_block *newsb,
863 					unsigned long kern_flags,
864 					unsigned long *set_kern_flags)
865 {
866 	int rc = 0;
867 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
868 	struct superblock_security_struct *newsbsec = newsb->s_security;
869 
870 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
871 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
872 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
873 
874 	/*
875 	 * if the parent was able to be mounted it clearly had no special lsm
876 	 * mount options.  thus we can safely deal with this superblock later
877 	 */
878 	if (!selinux_initialized(&selinux_state))
879 		return 0;
880 
881 	/*
882 	 * Specifying internal flags without providing a place to
883 	 * place the results is not allowed.
884 	 */
885 	if (kern_flags && !set_kern_flags)
886 		return -EINVAL;
887 
888 	/* how can we clone if the old one wasn't set up?? */
889 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
890 
891 	/* if fs is reusing a sb, make sure that the contexts match */
892 	if (newsbsec->flags & SE_SBINITIALIZED) {
893 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
894 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
895 		return selinux_cmp_sb_context(oldsb, newsb);
896 	}
897 
898 	mutex_lock(&newsbsec->lock);
899 
900 	newsbsec->flags = oldsbsec->flags;
901 
902 	newsbsec->sid = oldsbsec->sid;
903 	newsbsec->def_sid = oldsbsec->def_sid;
904 	newsbsec->behavior = oldsbsec->behavior;
905 
906 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
907 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
908 		rc = security_fs_use(&selinux_state, newsb);
909 		if (rc)
910 			goto out;
911 	}
912 
913 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
914 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
915 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
916 	}
917 
918 	if (set_context) {
919 		u32 sid = oldsbsec->mntpoint_sid;
920 
921 		if (!set_fscontext)
922 			newsbsec->sid = sid;
923 		if (!set_rootcontext) {
924 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
925 			newisec->sid = sid;
926 		}
927 		newsbsec->mntpoint_sid = sid;
928 	}
929 	if (set_rootcontext) {
930 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
931 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
932 
933 		newisec->sid = oldisec->sid;
934 	}
935 
936 	sb_finish_set_opts(newsb);
937 out:
938 	mutex_unlock(&newsbsec->lock);
939 	return rc;
940 }
941 
942 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
943 {
944 	struct selinux_mnt_opts *opts = *mnt_opts;
945 
946 	if (token == Opt_seclabel)	/* eaten and completely ignored */
947 		return 0;
948 
949 	if (!opts) {
950 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
951 		if (!opts)
952 			return -ENOMEM;
953 		*mnt_opts = opts;
954 	}
955 	if (!s)
956 		return -ENOMEM;
957 	switch (token) {
958 	case Opt_context:
959 		if (opts->context || opts->defcontext)
960 			goto Einval;
961 		opts->context = s;
962 		break;
963 	case Opt_fscontext:
964 		if (opts->fscontext)
965 			goto Einval;
966 		opts->fscontext = s;
967 		break;
968 	case Opt_rootcontext:
969 		if (opts->rootcontext)
970 			goto Einval;
971 		opts->rootcontext = s;
972 		break;
973 	case Opt_defcontext:
974 		if (opts->context || opts->defcontext)
975 			goto Einval;
976 		opts->defcontext = s;
977 		break;
978 	}
979 	return 0;
980 Einval:
981 	pr_warn(SEL_MOUNT_FAIL_MSG);
982 	return -EINVAL;
983 }
984 
985 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
986 			       void **mnt_opts)
987 {
988 	int token = Opt_error;
989 	int rc, i;
990 
991 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
992 		if (strcmp(option, tokens[i].name) == 0) {
993 			token = tokens[i].opt;
994 			break;
995 		}
996 	}
997 
998 	if (token == Opt_error)
999 		return -EINVAL;
1000 
1001 	if (token != Opt_seclabel) {
1002 		val = kmemdup_nul(val, len, GFP_KERNEL);
1003 		if (!val) {
1004 			rc = -ENOMEM;
1005 			goto free_opt;
1006 		}
1007 	}
1008 	rc = selinux_add_opt(token, val, mnt_opts);
1009 	if (unlikely(rc)) {
1010 		kfree(val);
1011 		goto free_opt;
1012 	}
1013 	return rc;
1014 
1015 free_opt:
1016 	if (*mnt_opts) {
1017 		selinux_free_mnt_opts(*mnt_opts);
1018 		*mnt_opts = NULL;
1019 	}
1020 	return rc;
1021 }
1022 
1023 static int show_sid(struct seq_file *m, u32 sid)
1024 {
1025 	char *context = NULL;
1026 	u32 len;
1027 	int rc;
1028 
1029 	rc = security_sid_to_context(&selinux_state, sid,
1030 					     &context, &len);
1031 	if (!rc) {
1032 		bool has_comma = context && strchr(context, ',');
1033 
1034 		seq_putc(m, '=');
1035 		if (has_comma)
1036 			seq_putc(m, '\"');
1037 		seq_escape(m, context, "\"\n\\");
1038 		if (has_comma)
1039 			seq_putc(m, '\"');
1040 	}
1041 	kfree(context);
1042 	return rc;
1043 }
1044 
1045 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1046 {
1047 	struct superblock_security_struct *sbsec = sb->s_security;
1048 	int rc;
1049 
1050 	if (!(sbsec->flags & SE_SBINITIALIZED))
1051 		return 0;
1052 
1053 	if (!selinux_initialized(&selinux_state))
1054 		return 0;
1055 
1056 	if (sbsec->flags & FSCONTEXT_MNT) {
1057 		seq_putc(m, ',');
1058 		seq_puts(m, FSCONTEXT_STR);
1059 		rc = show_sid(m, sbsec->sid);
1060 		if (rc)
1061 			return rc;
1062 	}
1063 	if (sbsec->flags & CONTEXT_MNT) {
1064 		seq_putc(m, ',');
1065 		seq_puts(m, CONTEXT_STR);
1066 		rc = show_sid(m, sbsec->mntpoint_sid);
1067 		if (rc)
1068 			return rc;
1069 	}
1070 	if (sbsec->flags & DEFCONTEXT_MNT) {
1071 		seq_putc(m, ',');
1072 		seq_puts(m, DEFCONTEXT_STR);
1073 		rc = show_sid(m, sbsec->def_sid);
1074 		if (rc)
1075 			return rc;
1076 	}
1077 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1078 		struct dentry *root = sbsec->sb->s_root;
1079 		struct inode_security_struct *isec = backing_inode_security(root);
1080 		seq_putc(m, ',');
1081 		seq_puts(m, ROOTCONTEXT_STR);
1082 		rc = show_sid(m, isec->sid);
1083 		if (rc)
1084 			return rc;
1085 	}
1086 	if (sbsec->flags & SBLABEL_MNT) {
1087 		seq_putc(m, ',');
1088 		seq_puts(m, SECLABEL_STR);
1089 	}
1090 	return 0;
1091 }
1092 
1093 static inline u16 inode_mode_to_security_class(umode_t mode)
1094 {
1095 	switch (mode & S_IFMT) {
1096 	case S_IFSOCK:
1097 		return SECCLASS_SOCK_FILE;
1098 	case S_IFLNK:
1099 		return SECCLASS_LNK_FILE;
1100 	case S_IFREG:
1101 		return SECCLASS_FILE;
1102 	case S_IFBLK:
1103 		return SECCLASS_BLK_FILE;
1104 	case S_IFDIR:
1105 		return SECCLASS_DIR;
1106 	case S_IFCHR:
1107 		return SECCLASS_CHR_FILE;
1108 	case S_IFIFO:
1109 		return SECCLASS_FIFO_FILE;
1110 
1111 	}
1112 
1113 	return SECCLASS_FILE;
1114 }
1115 
1116 static inline int default_protocol_stream(int protocol)
1117 {
1118 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1119 }
1120 
1121 static inline int default_protocol_dgram(int protocol)
1122 {
1123 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1124 }
1125 
1126 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1127 {
1128 	int extsockclass = selinux_policycap_extsockclass();
1129 
1130 	switch (family) {
1131 	case PF_UNIX:
1132 		switch (type) {
1133 		case SOCK_STREAM:
1134 		case SOCK_SEQPACKET:
1135 			return SECCLASS_UNIX_STREAM_SOCKET;
1136 		case SOCK_DGRAM:
1137 		case SOCK_RAW:
1138 			return SECCLASS_UNIX_DGRAM_SOCKET;
1139 		}
1140 		break;
1141 	case PF_INET:
1142 	case PF_INET6:
1143 		switch (type) {
1144 		case SOCK_STREAM:
1145 		case SOCK_SEQPACKET:
1146 			if (default_protocol_stream(protocol))
1147 				return SECCLASS_TCP_SOCKET;
1148 			else if (extsockclass && protocol == IPPROTO_SCTP)
1149 				return SECCLASS_SCTP_SOCKET;
1150 			else
1151 				return SECCLASS_RAWIP_SOCKET;
1152 		case SOCK_DGRAM:
1153 			if (default_protocol_dgram(protocol))
1154 				return SECCLASS_UDP_SOCKET;
1155 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1156 						  protocol == IPPROTO_ICMPV6))
1157 				return SECCLASS_ICMP_SOCKET;
1158 			else
1159 				return SECCLASS_RAWIP_SOCKET;
1160 		case SOCK_DCCP:
1161 			return SECCLASS_DCCP_SOCKET;
1162 		default:
1163 			return SECCLASS_RAWIP_SOCKET;
1164 		}
1165 		break;
1166 	case PF_NETLINK:
1167 		switch (protocol) {
1168 		case NETLINK_ROUTE:
1169 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1170 		case NETLINK_SOCK_DIAG:
1171 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1172 		case NETLINK_NFLOG:
1173 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1174 		case NETLINK_XFRM:
1175 			return SECCLASS_NETLINK_XFRM_SOCKET;
1176 		case NETLINK_SELINUX:
1177 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1178 		case NETLINK_ISCSI:
1179 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1180 		case NETLINK_AUDIT:
1181 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1182 		case NETLINK_FIB_LOOKUP:
1183 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1184 		case NETLINK_CONNECTOR:
1185 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1186 		case NETLINK_NETFILTER:
1187 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1188 		case NETLINK_DNRTMSG:
1189 			return SECCLASS_NETLINK_DNRT_SOCKET;
1190 		case NETLINK_KOBJECT_UEVENT:
1191 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1192 		case NETLINK_GENERIC:
1193 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1194 		case NETLINK_SCSITRANSPORT:
1195 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1196 		case NETLINK_RDMA:
1197 			return SECCLASS_NETLINK_RDMA_SOCKET;
1198 		case NETLINK_CRYPTO:
1199 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1200 		default:
1201 			return SECCLASS_NETLINK_SOCKET;
1202 		}
1203 	case PF_PACKET:
1204 		return SECCLASS_PACKET_SOCKET;
1205 	case PF_KEY:
1206 		return SECCLASS_KEY_SOCKET;
1207 	case PF_APPLETALK:
1208 		return SECCLASS_APPLETALK_SOCKET;
1209 	}
1210 
1211 	if (extsockclass) {
1212 		switch (family) {
1213 		case PF_AX25:
1214 			return SECCLASS_AX25_SOCKET;
1215 		case PF_IPX:
1216 			return SECCLASS_IPX_SOCKET;
1217 		case PF_NETROM:
1218 			return SECCLASS_NETROM_SOCKET;
1219 		case PF_ATMPVC:
1220 			return SECCLASS_ATMPVC_SOCKET;
1221 		case PF_X25:
1222 			return SECCLASS_X25_SOCKET;
1223 		case PF_ROSE:
1224 			return SECCLASS_ROSE_SOCKET;
1225 		case PF_DECnet:
1226 			return SECCLASS_DECNET_SOCKET;
1227 		case PF_ATMSVC:
1228 			return SECCLASS_ATMSVC_SOCKET;
1229 		case PF_RDS:
1230 			return SECCLASS_RDS_SOCKET;
1231 		case PF_IRDA:
1232 			return SECCLASS_IRDA_SOCKET;
1233 		case PF_PPPOX:
1234 			return SECCLASS_PPPOX_SOCKET;
1235 		case PF_LLC:
1236 			return SECCLASS_LLC_SOCKET;
1237 		case PF_CAN:
1238 			return SECCLASS_CAN_SOCKET;
1239 		case PF_TIPC:
1240 			return SECCLASS_TIPC_SOCKET;
1241 		case PF_BLUETOOTH:
1242 			return SECCLASS_BLUETOOTH_SOCKET;
1243 		case PF_IUCV:
1244 			return SECCLASS_IUCV_SOCKET;
1245 		case PF_RXRPC:
1246 			return SECCLASS_RXRPC_SOCKET;
1247 		case PF_ISDN:
1248 			return SECCLASS_ISDN_SOCKET;
1249 		case PF_PHONET:
1250 			return SECCLASS_PHONET_SOCKET;
1251 		case PF_IEEE802154:
1252 			return SECCLASS_IEEE802154_SOCKET;
1253 		case PF_CAIF:
1254 			return SECCLASS_CAIF_SOCKET;
1255 		case PF_ALG:
1256 			return SECCLASS_ALG_SOCKET;
1257 		case PF_NFC:
1258 			return SECCLASS_NFC_SOCKET;
1259 		case PF_VSOCK:
1260 			return SECCLASS_VSOCK_SOCKET;
1261 		case PF_KCM:
1262 			return SECCLASS_KCM_SOCKET;
1263 		case PF_QIPCRTR:
1264 			return SECCLASS_QIPCRTR_SOCKET;
1265 		case PF_SMC:
1266 			return SECCLASS_SMC_SOCKET;
1267 		case PF_XDP:
1268 			return SECCLASS_XDP_SOCKET;
1269 #if PF_MAX > 45
1270 #error New address family defined, please update this function.
1271 #endif
1272 		}
1273 	}
1274 
1275 	return SECCLASS_SOCKET;
1276 }
1277 
1278 static int selinux_genfs_get_sid(struct dentry *dentry,
1279 				 u16 tclass,
1280 				 u16 flags,
1281 				 u32 *sid)
1282 {
1283 	int rc;
1284 	struct super_block *sb = dentry->d_sb;
1285 	char *buffer, *path;
1286 
1287 	buffer = (char *)__get_free_page(GFP_KERNEL);
1288 	if (!buffer)
1289 		return -ENOMEM;
1290 
1291 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1292 	if (IS_ERR(path))
1293 		rc = PTR_ERR(path);
1294 	else {
1295 		if (flags & SE_SBPROC) {
1296 			/* each process gets a /proc/PID/ entry. Strip off the
1297 			 * PID part to get a valid selinux labeling.
1298 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1299 			while (path[1] >= '0' && path[1] <= '9') {
1300 				path[1] = '/';
1301 				path++;
1302 			}
1303 		}
1304 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1305 					path, tclass, sid);
1306 		if (rc == -ENOENT) {
1307 			/* No match in policy, mark as unlabeled. */
1308 			*sid = SECINITSID_UNLABELED;
1309 			rc = 0;
1310 		}
1311 	}
1312 	free_page((unsigned long)buffer);
1313 	return rc;
1314 }
1315 
1316 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1317 				  u32 def_sid, u32 *sid)
1318 {
1319 #define INITCONTEXTLEN 255
1320 	char *context;
1321 	unsigned int len;
1322 	int rc;
1323 
1324 	len = INITCONTEXTLEN;
1325 	context = kmalloc(len + 1, GFP_NOFS);
1326 	if (!context)
1327 		return -ENOMEM;
1328 
1329 	context[len] = '\0';
1330 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1331 	if (rc == -ERANGE) {
1332 		kfree(context);
1333 
1334 		/* Need a larger buffer.  Query for the right size. */
1335 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1336 		if (rc < 0)
1337 			return rc;
1338 
1339 		len = rc;
1340 		context = kmalloc(len + 1, GFP_NOFS);
1341 		if (!context)
1342 			return -ENOMEM;
1343 
1344 		context[len] = '\0';
1345 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1346 				    context, len);
1347 	}
1348 	if (rc < 0) {
1349 		kfree(context);
1350 		if (rc != -ENODATA) {
1351 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1352 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1353 			return rc;
1354 		}
1355 		*sid = def_sid;
1356 		return 0;
1357 	}
1358 
1359 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1360 					     def_sid, GFP_NOFS);
1361 	if (rc) {
1362 		char *dev = inode->i_sb->s_id;
1363 		unsigned long ino = inode->i_ino;
1364 
1365 		if (rc == -EINVAL) {
1366 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1367 					      ino, dev, context);
1368 		} else {
1369 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1370 				__func__, context, -rc, dev, ino);
1371 		}
1372 	}
1373 	kfree(context);
1374 	return 0;
1375 }
1376 
1377 /* The inode's security attributes must be initialized before first use. */
1378 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1379 {
1380 	struct superblock_security_struct *sbsec = NULL;
1381 	struct inode_security_struct *isec = selinux_inode(inode);
1382 	u32 task_sid, sid = 0;
1383 	u16 sclass;
1384 	struct dentry *dentry;
1385 	int rc = 0;
1386 
1387 	if (isec->initialized == LABEL_INITIALIZED)
1388 		return 0;
1389 
1390 	spin_lock(&isec->lock);
1391 	if (isec->initialized == LABEL_INITIALIZED)
1392 		goto out_unlock;
1393 
1394 	if (isec->sclass == SECCLASS_FILE)
1395 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1396 
1397 	sbsec = inode->i_sb->s_security;
1398 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1399 		/* Defer initialization until selinux_complete_init,
1400 		   after the initial policy is loaded and the security
1401 		   server is ready to handle calls. */
1402 		spin_lock(&sbsec->isec_lock);
1403 		if (list_empty(&isec->list))
1404 			list_add(&isec->list, &sbsec->isec_head);
1405 		spin_unlock(&sbsec->isec_lock);
1406 		goto out_unlock;
1407 	}
1408 
1409 	sclass = isec->sclass;
1410 	task_sid = isec->task_sid;
1411 	sid = isec->sid;
1412 	isec->initialized = LABEL_PENDING;
1413 	spin_unlock(&isec->lock);
1414 
1415 	switch (sbsec->behavior) {
1416 	case SECURITY_FS_USE_NATIVE:
1417 		break;
1418 	case SECURITY_FS_USE_XATTR:
1419 		if (!(inode->i_opflags & IOP_XATTR)) {
1420 			sid = sbsec->def_sid;
1421 			break;
1422 		}
1423 		/* Need a dentry, since the xattr API requires one.
1424 		   Life would be simpler if we could just pass the inode. */
1425 		if (opt_dentry) {
1426 			/* Called from d_instantiate or d_splice_alias. */
1427 			dentry = dget(opt_dentry);
1428 		} else {
1429 			/*
1430 			 * Called from selinux_complete_init, try to find a dentry.
1431 			 * Some filesystems really want a connected one, so try
1432 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1433 			 * two, depending upon that...
1434 			 */
1435 			dentry = d_find_alias(inode);
1436 			if (!dentry)
1437 				dentry = d_find_any_alias(inode);
1438 		}
1439 		if (!dentry) {
1440 			/*
1441 			 * this is can be hit on boot when a file is accessed
1442 			 * before the policy is loaded.  When we load policy we
1443 			 * may find inodes that have no dentry on the
1444 			 * sbsec->isec_head list.  No reason to complain as these
1445 			 * will get fixed up the next time we go through
1446 			 * inode_doinit with a dentry, before these inodes could
1447 			 * be used again by userspace.
1448 			 */
1449 			goto out;
1450 		}
1451 
1452 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1453 					    &sid);
1454 		dput(dentry);
1455 		if (rc)
1456 			goto out;
1457 		break;
1458 	case SECURITY_FS_USE_TASK:
1459 		sid = task_sid;
1460 		break;
1461 	case SECURITY_FS_USE_TRANS:
1462 		/* Default to the fs SID. */
1463 		sid = sbsec->sid;
1464 
1465 		/* Try to obtain a transition SID. */
1466 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1467 					     sclass, NULL, &sid);
1468 		if (rc)
1469 			goto out;
1470 		break;
1471 	case SECURITY_FS_USE_MNTPOINT:
1472 		sid = sbsec->mntpoint_sid;
1473 		break;
1474 	default:
1475 		/* Default to the fs superblock SID. */
1476 		sid = sbsec->sid;
1477 
1478 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1479 			/* We must have a dentry to determine the label on
1480 			 * procfs inodes */
1481 			if (opt_dentry) {
1482 				/* Called from d_instantiate or
1483 				 * d_splice_alias. */
1484 				dentry = dget(opt_dentry);
1485 			} else {
1486 				/* Called from selinux_complete_init, try to
1487 				 * find a dentry.  Some filesystems really want
1488 				 * a connected one, so try that first.
1489 				 */
1490 				dentry = d_find_alias(inode);
1491 				if (!dentry)
1492 					dentry = d_find_any_alias(inode);
1493 			}
1494 			/*
1495 			 * This can be hit on boot when a file is accessed
1496 			 * before the policy is loaded.  When we load policy we
1497 			 * may find inodes that have no dentry on the
1498 			 * sbsec->isec_head list.  No reason to complain as
1499 			 * these will get fixed up the next time we go through
1500 			 * inode_doinit() with a dentry, before these inodes
1501 			 * could be used again by userspace.
1502 			 */
1503 			if (!dentry)
1504 				goto out;
1505 			rc = selinux_genfs_get_sid(dentry, sclass,
1506 						   sbsec->flags, &sid);
1507 			if (rc) {
1508 				dput(dentry);
1509 				goto out;
1510 			}
1511 
1512 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1513 			    (inode->i_opflags & IOP_XATTR)) {
1514 				rc = inode_doinit_use_xattr(inode, dentry,
1515 							    sid, &sid);
1516 				if (rc) {
1517 					dput(dentry);
1518 					goto out;
1519 				}
1520 			}
1521 			dput(dentry);
1522 		}
1523 		break;
1524 	}
1525 
1526 out:
1527 	spin_lock(&isec->lock);
1528 	if (isec->initialized == LABEL_PENDING) {
1529 		if (!sid || rc) {
1530 			isec->initialized = LABEL_INVALID;
1531 			goto out_unlock;
1532 		}
1533 
1534 		isec->initialized = LABEL_INITIALIZED;
1535 		isec->sid = sid;
1536 	}
1537 
1538 out_unlock:
1539 	spin_unlock(&isec->lock);
1540 	return rc;
1541 }
1542 
1543 /* Convert a Linux signal to an access vector. */
1544 static inline u32 signal_to_av(int sig)
1545 {
1546 	u32 perm = 0;
1547 
1548 	switch (sig) {
1549 	case SIGCHLD:
1550 		/* Commonly granted from child to parent. */
1551 		perm = PROCESS__SIGCHLD;
1552 		break;
1553 	case SIGKILL:
1554 		/* Cannot be caught or ignored */
1555 		perm = PROCESS__SIGKILL;
1556 		break;
1557 	case SIGSTOP:
1558 		/* Cannot be caught or ignored */
1559 		perm = PROCESS__SIGSTOP;
1560 		break;
1561 	default:
1562 		/* All other signals. */
1563 		perm = PROCESS__SIGNAL;
1564 		break;
1565 	}
1566 
1567 	return perm;
1568 }
1569 
1570 #if CAP_LAST_CAP > 63
1571 #error Fix SELinux to handle capabilities > 63.
1572 #endif
1573 
1574 /* Check whether a task is allowed to use a capability. */
1575 static int cred_has_capability(const struct cred *cred,
1576 			       int cap, unsigned int opts, bool initns)
1577 {
1578 	struct common_audit_data ad;
1579 	struct av_decision avd;
1580 	u16 sclass;
1581 	u32 sid = cred_sid(cred);
1582 	u32 av = CAP_TO_MASK(cap);
1583 	int rc;
1584 
1585 	ad.type = LSM_AUDIT_DATA_CAP;
1586 	ad.u.cap = cap;
1587 
1588 	switch (CAP_TO_INDEX(cap)) {
1589 	case 0:
1590 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1591 		break;
1592 	case 1:
1593 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1594 		break;
1595 	default:
1596 		pr_err("SELinux:  out of range capability %d\n", cap);
1597 		BUG();
1598 		return -EINVAL;
1599 	}
1600 
1601 	rc = avc_has_perm_noaudit(&selinux_state,
1602 				  sid, sid, sclass, av, 0, &avd);
1603 	if (!(opts & CAP_OPT_NOAUDIT)) {
1604 		int rc2 = avc_audit(&selinux_state,
1605 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1606 		if (rc2)
1607 			return rc2;
1608 	}
1609 	return rc;
1610 }
1611 
1612 /* Check whether a task has a particular permission to an inode.
1613    The 'adp' parameter is optional and allows other audit
1614    data to be passed (e.g. the dentry). */
1615 static int inode_has_perm(const struct cred *cred,
1616 			  struct inode *inode,
1617 			  u32 perms,
1618 			  struct common_audit_data *adp)
1619 {
1620 	struct inode_security_struct *isec;
1621 	u32 sid;
1622 
1623 	validate_creds(cred);
1624 
1625 	if (unlikely(IS_PRIVATE(inode)))
1626 		return 0;
1627 
1628 	sid = cred_sid(cred);
1629 	isec = selinux_inode(inode);
1630 
1631 	return avc_has_perm(&selinux_state,
1632 			    sid, isec->sid, isec->sclass, perms, adp);
1633 }
1634 
1635 /* Same as inode_has_perm, but pass explicit audit data containing
1636    the dentry to help the auditing code to more easily generate the
1637    pathname if needed. */
1638 static inline int dentry_has_perm(const struct cred *cred,
1639 				  struct dentry *dentry,
1640 				  u32 av)
1641 {
1642 	struct inode *inode = d_backing_inode(dentry);
1643 	struct common_audit_data ad;
1644 
1645 	ad.type = LSM_AUDIT_DATA_DENTRY;
1646 	ad.u.dentry = dentry;
1647 	__inode_security_revalidate(inode, dentry, true);
1648 	return inode_has_perm(cred, inode, av, &ad);
1649 }
1650 
1651 /* Same as inode_has_perm, but pass explicit audit data containing
1652    the path to help the auditing code to more easily generate the
1653    pathname if needed. */
1654 static inline int path_has_perm(const struct cred *cred,
1655 				const struct path *path,
1656 				u32 av)
1657 {
1658 	struct inode *inode = d_backing_inode(path->dentry);
1659 	struct common_audit_data ad;
1660 
1661 	ad.type = LSM_AUDIT_DATA_PATH;
1662 	ad.u.path = *path;
1663 	__inode_security_revalidate(inode, path->dentry, true);
1664 	return inode_has_perm(cred, inode, av, &ad);
1665 }
1666 
1667 /* Same as path_has_perm, but uses the inode from the file struct. */
1668 static inline int file_path_has_perm(const struct cred *cred,
1669 				     struct file *file,
1670 				     u32 av)
1671 {
1672 	struct common_audit_data ad;
1673 
1674 	ad.type = LSM_AUDIT_DATA_FILE;
1675 	ad.u.file = file;
1676 	return inode_has_perm(cred, file_inode(file), av, &ad);
1677 }
1678 
1679 #ifdef CONFIG_BPF_SYSCALL
1680 static int bpf_fd_pass(struct file *file, u32 sid);
1681 #endif
1682 
1683 /* Check whether a task can use an open file descriptor to
1684    access an inode in a given way.  Check access to the
1685    descriptor itself, and then use dentry_has_perm to
1686    check a particular permission to the file.
1687    Access to the descriptor is implicitly granted if it
1688    has the same SID as the process.  If av is zero, then
1689    access to the file is not checked, e.g. for cases
1690    where only the descriptor is affected like seek. */
1691 static int file_has_perm(const struct cred *cred,
1692 			 struct file *file,
1693 			 u32 av)
1694 {
1695 	struct file_security_struct *fsec = selinux_file(file);
1696 	struct inode *inode = file_inode(file);
1697 	struct common_audit_data ad;
1698 	u32 sid = cred_sid(cred);
1699 	int rc;
1700 
1701 	ad.type = LSM_AUDIT_DATA_FILE;
1702 	ad.u.file = file;
1703 
1704 	if (sid != fsec->sid) {
1705 		rc = avc_has_perm(&selinux_state,
1706 				  sid, fsec->sid,
1707 				  SECCLASS_FD,
1708 				  FD__USE,
1709 				  &ad);
1710 		if (rc)
1711 			goto out;
1712 	}
1713 
1714 #ifdef CONFIG_BPF_SYSCALL
1715 	rc = bpf_fd_pass(file, cred_sid(cred));
1716 	if (rc)
1717 		return rc;
1718 #endif
1719 
1720 	/* av is zero if only checking access to the descriptor. */
1721 	rc = 0;
1722 	if (av)
1723 		rc = inode_has_perm(cred, inode, av, &ad);
1724 
1725 out:
1726 	return rc;
1727 }
1728 
1729 /*
1730  * Determine the label for an inode that might be unioned.
1731  */
1732 static int
1733 selinux_determine_inode_label(const struct task_security_struct *tsec,
1734 				 struct inode *dir,
1735 				 const struct qstr *name, u16 tclass,
1736 				 u32 *_new_isid)
1737 {
1738 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1739 
1740 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1741 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1742 		*_new_isid = sbsec->mntpoint_sid;
1743 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1744 		   tsec->create_sid) {
1745 		*_new_isid = tsec->create_sid;
1746 	} else {
1747 		const struct inode_security_struct *dsec = inode_security(dir);
1748 		return security_transition_sid(&selinux_state, tsec->sid,
1749 					       dsec->sid, tclass,
1750 					       name, _new_isid);
1751 	}
1752 
1753 	return 0;
1754 }
1755 
1756 /* Check whether a task can create a file. */
1757 static int may_create(struct inode *dir,
1758 		      struct dentry *dentry,
1759 		      u16 tclass)
1760 {
1761 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1762 	struct inode_security_struct *dsec;
1763 	struct superblock_security_struct *sbsec;
1764 	u32 sid, newsid;
1765 	struct common_audit_data ad;
1766 	int rc;
1767 
1768 	dsec = inode_security(dir);
1769 	sbsec = dir->i_sb->s_security;
1770 
1771 	sid = tsec->sid;
1772 
1773 	ad.type = LSM_AUDIT_DATA_DENTRY;
1774 	ad.u.dentry = dentry;
1775 
1776 	rc = avc_has_perm(&selinux_state,
1777 			  sid, dsec->sid, SECCLASS_DIR,
1778 			  DIR__ADD_NAME | DIR__SEARCH,
1779 			  &ad);
1780 	if (rc)
1781 		return rc;
1782 
1783 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1784 					   &newsid);
1785 	if (rc)
1786 		return rc;
1787 
1788 	rc = avc_has_perm(&selinux_state,
1789 			  sid, newsid, tclass, FILE__CREATE, &ad);
1790 	if (rc)
1791 		return rc;
1792 
1793 	return avc_has_perm(&selinux_state,
1794 			    newsid, sbsec->sid,
1795 			    SECCLASS_FILESYSTEM,
1796 			    FILESYSTEM__ASSOCIATE, &ad);
1797 }
1798 
1799 #define MAY_LINK	0
1800 #define MAY_UNLINK	1
1801 #define MAY_RMDIR	2
1802 
1803 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1804 static int may_link(struct inode *dir,
1805 		    struct dentry *dentry,
1806 		    int kind)
1807 
1808 {
1809 	struct inode_security_struct *dsec, *isec;
1810 	struct common_audit_data ad;
1811 	u32 sid = current_sid();
1812 	u32 av;
1813 	int rc;
1814 
1815 	dsec = inode_security(dir);
1816 	isec = backing_inode_security(dentry);
1817 
1818 	ad.type = LSM_AUDIT_DATA_DENTRY;
1819 	ad.u.dentry = dentry;
1820 
1821 	av = DIR__SEARCH;
1822 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1823 	rc = avc_has_perm(&selinux_state,
1824 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1825 	if (rc)
1826 		return rc;
1827 
1828 	switch (kind) {
1829 	case MAY_LINK:
1830 		av = FILE__LINK;
1831 		break;
1832 	case MAY_UNLINK:
1833 		av = FILE__UNLINK;
1834 		break;
1835 	case MAY_RMDIR:
1836 		av = DIR__RMDIR;
1837 		break;
1838 	default:
1839 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1840 			__func__, kind);
1841 		return 0;
1842 	}
1843 
1844 	rc = avc_has_perm(&selinux_state,
1845 			  sid, isec->sid, isec->sclass, av, &ad);
1846 	return rc;
1847 }
1848 
1849 static inline int may_rename(struct inode *old_dir,
1850 			     struct dentry *old_dentry,
1851 			     struct inode *new_dir,
1852 			     struct dentry *new_dentry)
1853 {
1854 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1855 	struct common_audit_data ad;
1856 	u32 sid = current_sid();
1857 	u32 av;
1858 	int old_is_dir, new_is_dir;
1859 	int rc;
1860 
1861 	old_dsec = inode_security(old_dir);
1862 	old_isec = backing_inode_security(old_dentry);
1863 	old_is_dir = d_is_dir(old_dentry);
1864 	new_dsec = inode_security(new_dir);
1865 
1866 	ad.type = LSM_AUDIT_DATA_DENTRY;
1867 
1868 	ad.u.dentry = old_dentry;
1869 	rc = avc_has_perm(&selinux_state,
1870 			  sid, old_dsec->sid, SECCLASS_DIR,
1871 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1872 	if (rc)
1873 		return rc;
1874 	rc = avc_has_perm(&selinux_state,
1875 			  sid, old_isec->sid,
1876 			  old_isec->sclass, FILE__RENAME, &ad);
1877 	if (rc)
1878 		return rc;
1879 	if (old_is_dir && new_dir != old_dir) {
1880 		rc = avc_has_perm(&selinux_state,
1881 				  sid, old_isec->sid,
1882 				  old_isec->sclass, DIR__REPARENT, &ad);
1883 		if (rc)
1884 			return rc;
1885 	}
1886 
1887 	ad.u.dentry = new_dentry;
1888 	av = DIR__ADD_NAME | DIR__SEARCH;
1889 	if (d_is_positive(new_dentry))
1890 		av |= DIR__REMOVE_NAME;
1891 	rc = avc_has_perm(&selinux_state,
1892 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1893 	if (rc)
1894 		return rc;
1895 	if (d_is_positive(new_dentry)) {
1896 		new_isec = backing_inode_security(new_dentry);
1897 		new_is_dir = d_is_dir(new_dentry);
1898 		rc = avc_has_perm(&selinux_state,
1899 				  sid, new_isec->sid,
1900 				  new_isec->sclass,
1901 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1902 		if (rc)
1903 			return rc;
1904 	}
1905 
1906 	return 0;
1907 }
1908 
1909 /* Check whether a task can perform a filesystem operation. */
1910 static int superblock_has_perm(const struct cred *cred,
1911 			       struct super_block *sb,
1912 			       u32 perms,
1913 			       struct common_audit_data *ad)
1914 {
1915 	struct superblock_security_struct *sbsec;
1916 	u32 sid = cred_sid(cred);
1917 
1918 	sbsec = sb->s_security;
1919 	return avc_has_perm(&selinux_state,
1920 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1921 }
1922 
1923 /* Convert a Linux mode and permission mask to an access vector. */
1924 static inline u32 file_mask_to_av(int mode, int mask)
1925 {
1926 	u32 av = 0;
1927 
1928 	if (!S_ISDIR(mode)) {
1929 		if (mask & MAY_EXEC)
1930 			av |= FILE__EXECUTE;
1931 		if (mask & MAY_READ)
1932 			av |= FILE__READ;
1933 
1934 		if (mask & MAY_APPEND)
1935 			av |= FILE__APPEND;
1936 		else if (mask & MAY_WRITE)
1937 			av |= FILE__WRITE;
1938 
1939 	} else {
1940 		if (mask & MAY_EXEC)
1941 			av |= DIR__SEARCH;
1942 		if (mask & MAY_WRITE)
1943 			av |= DIR__WRITE;
1944 		if (mask & MAY_READ)
1945 			av |= DIR__READ;
1946 	}
1947 
1948 	return av;
1949 }
1950 
1951 /* Convert a Linux file to an access vector. */
1952 static inline u32 file_to_av(struct file *file)
1953 {
1954 	u32 av = 0;
1955 
1956 	if (file->f_mode & FMODE_READ)
1957 		av |= FILE__READ;
1958 	if (file->f_mode & FMODE_WRITE) {
1959 		if (file->f_flags & O_APPEND)
1960 			av |= FILE__APPEND;
1961 		else
1962 			av |= FILE__WRITE;
1963 	}
1964 	if (!av) {
1965 		/*
1966 		 * Special file opened with flags 3 for ioctl-only use.
1967 		 */
1968 		av = FILE__IOCTL;
1969 	}
1970 
1971 	return av;
1972 }
1973 
1974 /*
1975  * Convert a file to an access vector and include the correct open
1976  * open permission.
1977  */
1978 static inline u32 open_file_to_av(struct file *file)
1979 {
1980 	u32 av = file_to_av(file);
1981 	struct inode *inode = file_inode(file);
1982 
1983 	if (selinux_policycap_openperm() &&
1984 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1985 		av |= FILE__OPEN;
1986 
1987 	return av;
1988 }
1989 
1990 /* Hook functions begin here. */
1991 
1992 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1993 {
1994 	u32 mysid = current_sid();
1995 	u32 mgrsid = task_sid(mgr);
1996 
1997 	return avc_has_perm(&selinux_state,
1998 			    mysid, mgrsid, SECCLASS_BINDER,
1999 			    BINDER__SET_CONTEXT_MGR, NULL);
2000 }
2001 
2002 static int selinux_binder_transaction(struct task_struct *from,
2003 				      struct task_struct *to)
2004 {
2005 	u32 mysid = current_sid();
2006 	u32 fromsid = task_sid(from);
2007 	u32 tosid = task_sid(to);
2008 	int rc;
2009 
2010 	if (mysid != fromsid) {
2011 		rc = avc_has_perm(&selinux_state,
2012 				  mysid, fromsid, SECCLASS_BINDER,
2013 				  BINDER__IMPERSONATE, NULL);
2014 		if (rc)
2015 			return rc;
2016 	}
2017 
2018 	return avc_has_perm(&selinux_state,
2019 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2020 			    NULL);
2021 }
2022 
2023 static int selinux_binder_transfer_binder(struct task_struct *from,
2024 					  struct task_struct *to)
2025 {
2026 	u32 fromsid = task_sid(from);
2027 	u32 tosid = task_sid(to);
2028 
2029 	return avc_has_perm(&selinux_state,
2030 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2031 			    NULL);
2032 }
2033 
2034 static int selinux_binder_transfer_file(struct task_struct *from,
2035 					struct task_struct *to,
2036 					struct file *file)
2037 {
2038 	u32 sid = task_sid(to);
2039 	struct file_security_struct *fsec = selinux_file(file);
2040 	struct dentry *dentry = file->f_path.dentry;
2041 	struct inode_security_struct *isec;
2042 	struct common_audit_data ad;
2043 	int rc;
2044 
2045 	ad.type = LSM_AUDIT_DATA_PATH;
2046 	ad.u.path = file->f_path;
2047 
2048 	if (sid != fsec->sid) {
2049 		rc = avc_has_perm(&selinux_state,
2050 				  sid, fsec->sid,
2051 				  SECCLASS_FD,
2052 				  FD__USE,
2053 				  &ad);
2054 		if (rc)
2055 			return rc;
2056 	}
2057 
2058 #ifdef CONFIG_BPF_SYSCALL
2059 	rc = bpf_fd_pass(file, sid);
2060 	if (rc)
2061 		return rc;
2062 #endif
2063 
2064 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2065 		return 0;
2066 
2067 	isec = backing_inode_security(dentry);
2068 	return avc_has_perm(&selinux_state,
2069 			    sid, isec->sid, isec->sclass, file_to_av(file),
2070 			    &ad);
2071 }
2072 
2073 static int selinux_ptrace_access_check(struct task_struct *child,
2074 				     unsigned int mode)
2075 {
2076 	u32 sid = current_sid();
2077 	u32 csid = task_sid(child);
2078 
2079 	if (mode & PTRACE_MODE_READ)
2080 		return avc_has_perm(&selinux_state,
2081 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2082 
2083 	return avc_has_perm(&selinux_state,
2084 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2085 }
2086 
2087 static int selinux_ptrace_traceme(struct task_struct *parent)
2088 {
2089 	return avc_has_perm(&selinux_state,
2090 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2091 			    PROCESS__PTRACE, NULL);
2092 }
2093 
2094 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2095 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2096 {
2097 	return avc_has_perm(&selinux_state,
2098 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2099 			    PROCESS__GETCAP, NULL);
2100 }
2101 
2102 static int selinux_capset(struct cred *new, const struct cred *old,
2103 			  const kernel_cap_t *effective,
2104 			  const kernel_cap_t *inheritable,
2105 			  const kernel_cap_t *permitted)
2106 {
2107 	return avc_has_perm(&selinux_state,
2108 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2109 			    PROCESS__SETCAP, NULL);
2110 }
2111 
2112 /*
2113  * (This comment used to live with the selinux_task_setuid hook,
2114  * which was removed).
2115  *
2116  * Since setuid only affects the current process, and since the SELinux
2117  * controls are not based on the Linux identity attributes, SELinux does not
2118  * need to control this operation.  However, SELinux does control the use of
2119  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2120  */
2121 
2122 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2123 			   int cap, unsigned int opts)
2124 {
2125 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2126 }
2127 
2128 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2129 {
2130 	const struct cred *cred = current_cred();
2131 	int rc = 0;
2132 
2133 	if (!sb)
2134 		return 0;
2135 
2136 	switch (cmds) {
2137 	case Q_SYNC:
2138 	case Q_QUOTAON:
2139 	case Q_QUOTAOFF:
2140 	case Q_SETINFO:
2141 	case Q_SETQUOTA:
2142 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2143 		break;
2144 	case Q_GETFMT:
2145 	case Q_GETINFO:
2146 	case Q_GETQUOTA:
2147 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2148 		break;
2149 	default:
2150 		rc = 0;  /* let the kernel handle invalid cmds */
2151 		break;
2152 	}
2153 	return rc;
2154 }
2155 
2156 static int selinux_quota_on(struct dentry *dentry)
2157 {
2158 	const struct cred *cred = current_cred();
2159 
2160 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2161 }
2162 
2163 static int selinux_syslog(int type)
2164 {
2165 	switch (type) {
2166 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2167 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2168 		return avc_has_perm(&selinux_state,
2169 				    current_sid(), SECINITSID_KERNEL,
2170 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2171 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2172 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2173 	/* Set level of messages printed to console */
2174 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2175 		return avc_has_perm(&selinux_state,
2176 				    current_sid(), SECINITSID_KERNEL,
2177 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2178 				    NULL);
2179 	}
2180 	/* All other syslog types */
2181 	return avc_has_perm(&selinux_state,
2182 			    current_sid(), SECINITSID_KERNEL,
2183 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2184 }
2185 
2186 /*
2187  * Check that a process has enough memory to allocate a new virtual
2188  * mapping. 0 means there is enough memory for the allocation to
2189  * succeed and -ENOMEM implies there is not.
2190  *
2191  * Do not audit the selinux permission check, as this is applied to all
2192  * processes that allocate mappings.
2193  */
2194 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2195 {
2196 	int rc, cap_sys_admin = 0;
2197 
2198 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2199 				 CAP_OPT_NOAUDIT, true);
2200 	if (rc == 0)
2201 		cap_sys_admin = 1;
2202 
2203 	return cap_sys_admin;
2204 }
2205 
2206 /* binprm security operations */
2207 
2208 static u32 ptrace_parent_sid(void)
2209 {
2210 	u32 sid = 0;
2211 	struct task_struct *tracer;
2212 
2213 	rcu_read_lock();
2214 	tracer = ptrace_parent(current);
2215 	if (tracer)
2216 		sid = task_sid(tracer);
2217 	rcu_read_unlock();
2218 
2219 	return sid;
2220 }
2221 
2222 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2223 			    const struct task_security_struct *old_tsec,
2224 			    const struct task_security_struct *new_tsec)
2225 {
2226 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2227 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2228 	int rc;
2229 	u32 av;
2230 
2231 	if (!nnp && !nosuid)
2232 		return 0; /* neither NNP nor nosuid */
2233 
2234 	if (new_tsec->sid == old_tsec->sid)
2235 		return 0; /* No change in credentials */
2236 
2237 	/*
2238 	 * If the policy enables the nnp_nosuid_transition policy capability,
2239 	 * then we permit transitions under NNP or nosuid if the
2240 	 * policy allows the corresponding permission between
2241 	 * the old and new contexts.
2242 	 */
2243 	if (selinux_policycap_nnp_nosuid_transition()) {
2244 		av = 0;
2245 		if (nnp)
2246 			av |= PROCESS2__NNP_TRANSITION;
2247 		if (nosuid)
2248 			av |= PROCESS2__NOSUID_TRANSITION;
2249 		rc = avc_has_perm(&selinux_state,
2250 				  old_tsec->sid, new_tsec->sid,
2251 				  SECCLASS_PROCESS2, av, NULL);
2252 		if (!rc)
2253 			return 0;
2254 	}
2255 
2256 	/*
2257 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2258 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2259 	 * of the permissions of the current SID.
2260 	 */
2261 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2262 					 new_tsec->sid);
2263 	if (!rc)
2264 		return 0;
2265 
2266 	/*
2267 	 * On failure, preserve the errno values for NNP vs nosuid.
2268 	 * NNP:  Operation not permitted for caller.
2269 	 * nosuid:  Permission denied to file.
2270 	 */
2271 	if (nnp)
2272 		return -EPERM;
2273 	return -EACCES;
2274 }
2275 
2276 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2277 {
2278 	const struct task_security_struct *old_tsec;
2279 	struct task_security_struct *new_tsec;
2280 	struct inode_security_struct *isec;
2281 	struct common_audit_data ad;
2282 	struct inode *inode = file_inode(bprm->file);
2283 	int rc;
2284 
2285 	/* SELinux context only depends on initial program or script and not
2286 	 * the script interpreter */
2287 	if (bprm->called_set_creds)
2288 		return 0;
2289 
2290 	old_tsec = selinux_cred(current_cred());
2291 	new_tsec = selinux_cred(bprm->cred);
2292 	isec = inode_security(inode);
2293 
2294 	/* Default to the current task SID. */
2295 	new_tsec->sid = old_tsec->sid;
2296 	new_tsec->osid = old_tsec->sid;
2297 
2298 	/* Reset fs, key, and sock SIDs on execve. */
2299 	new_tsec->create_sid = 0;
2300 	new_tsec->keycreate_sid = 0;
2301 	new_tsec->sockcreate_sid = 0;
2302 
2303 	if (old_tsec->exec_sid) {
2304 		new_tsec->sid = old_tsec->exec_sid;
2305 		/* Reset exec SID on execve. */
2306 		new_tsec->exec_sid = 0;
2307 
2308 		/* Fail on NNP or nosuid if not an allowed transition. */
2309 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2310 		if (rc)
2311 			return rc;
2312 	} else {
2313 		/* Check for a default transition on this program. */
2314 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2315 					     isec->sid, SECCLASS_PROCESS, NULL,
2316 					     &new_tsec->sid);
2317 		if (rc)
2318 			return rc;
2319 
2320 		/*
2321 		 * Fallback to old SID on NNP or nosuid if not an allowed
2322 		 * transition.
2323 		 */
2324 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2325 		if (rc)
2326 			new_tsec->sid = old_tsec->sid;
2327 	}
2328 
2329 	ad.type = LSM_AUDIT_DATA_FILE;
2330 	ad.u.file = bprm->file;
2331 
2332 	if (new_tsec->sid == old_tsec->sid) {
2333 		rc = avc_has_perm(&selinux_state,
2334 				  old_tsec->sid, isec->sid,
2335 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2336 		if (rc)
2337 			return rc;
2338 	} else {
2339 		/* Check permissions for the transition. */
2340 		rc = avc_has_perm(&selinux_state,
2341 				  old_tsec->sid, new_tsec->sid,
2342 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2343 		if (rc)
2344 			return rc;
2345 
2346 		rc = avc_has_perm(&selinux_state,
2347 				  new_tsec->sid, isec->sid,
2348 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2349 		if (rc)
2350 			return rc;
2351 
2352 		/* Check for shared state */
2353 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2354 			rc = avc_has_perm(&selinux_state,
2355 					  old_tsec->sid, new_tsec->sid,
2356 					  SECCLASS_PROCESS, PROCESS__SHARE,
2357 					  NULL);
2358 			if (rc)
2359 				return -EPERM;
2360 		}
2361 
2362 		/* Make sure that anyone attempting to ptrace over a task that
2363 		 * changes its SID has the appropriate permit */
2364 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2365 			u32 ptsid = ptrace_parent_sid();
2366 			if (ptsid != 0) {
2367 				rc = avc_has_perm(&selinux_state,
2368 						  ptsid, new_tsec->sid,
2369 						  SECCLASS_PROCESS,
2370 						  PROCESS__PTRACE, NULL);
2371 				if (rc)
2372 					return -EPERM;
2373 			}
2374 		}
2375 
2376 		/* Clear any possibly unsafe personality bits on exec: */
2377 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2378 
2379 		/* Enable secure mode for SIDs transitions unless
2380 		   the noatsecure permission is granted between
2381 		   the two SIDs, i.e. ahp returns 0. */
2382 		rc = avc_has_perm(&selinux_state,
2383 				  old_tsec->sid, new_tsec->sid,
2384 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2385 				  NULL);
2386 		bprm->secureexec |= !!rc;
2387 	}
2388 
2389 	return 0;
2390 }
2391 
2392 static int match_file(const void *p, struct file *file, unsigned fd)
2393 {
2394 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2395 }
2396 
2397 /* Derived from fs/exec.c:flush_old_files. */
2398 static inline void flush_unauthorized_files(const struct cred *cred,
2399 					    struct files_struct *files)
2400 {
2401 	struct file *file, *devnull = NULL;
2402 	struct tty_struct *tty;
2403 	int drop_tty = 0;
2404 	unsigned n;
2405 
2406 	tty = get_current_tty();
2407 	if (tty) {
2408 		spin_lock(&tty->files_lock);
2409 		if (!list_empty(&tty->tty_files)) {
2410 			struct tty_file_private *file_priv;
2411 
2412 			/* Revalidate access to controlling tty.
2413 			   Use file_path_has_perm on the tty path directly
2414 			   rather than using file_has_perm, as this particular
2415 			   open file may belong to another process and we are
2416 			   only interested in the inode-based check here. */
2417 			file_priv = list_first_entry(&tty->tty_files,
2418 						struct tty_file_private, list);
2419 			file = file_priv->file;
2420 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2421 				drop_tty = 1;
2422 		}
2423 		spin_unlock(&tty->files_lock);
2424 		tty_kref_put(tty);
2425 	}
2426 	/* Reset controlling tty. */
2427 	if (drop_tty)
2428 		no_tty();
2429 
2430 	/* Revalidate access to inherited open files. */
2431 	n = iterate_fd(files, 0, match_file, cred);
2432 	if (!n) /* none found? */
2433 		return;
2434 
2435 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2436 	if (IS_ERR(devnull))
2437 		devnull = NULL;
2438 	/* replace all the matching ones with this */
2439 	do {
2440 		replace_fd(n - 1, devnull, 0);
2441 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2442 	if (devnull)
2443 		fput(devnull);
2444 }
2445 
2446 /*
2447  * Prepare a process for imminent new credential changes due to exec
2448  */
2449 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2450 {
2451 	struct task_security_struct *new_tsec;
2452 	struct rlimit *rlim, *initrlim;
2453 	int rc, i;
2454 
2455 	new_tsec = selinux_cred(bprm->cred);
2456 	if (new_tsec->sid == new_tsec->osid)
2457 		return;
2458 
2459 	/* Close files for which the new task SID is not authorized. */
2460 	flush_unauthorized_files(bprm->cred, current->files);
2461 
2462 	/* Always clear parent death signal on SID transitions. */
2463 	current->pdeath_signal = 0;
2464 
2465 	/* Check whether the new SID can inherit resource limits from the old
2466 	 * SID.  If not, reset all soft limits to the lower of the current
2467 	 * task's hard limit and the init task's soft limit.
2468 	 *
2469 	 * Note that the setting of hard limits (even to lower them) can be
2470 	 * controlled by the setrlimit check.  The inclusion of the init task's
2471 	 * soft limit into the computation is to avoid resetting soft limits
2472 	 * higher than the default soft limit for cases where the default is
2473 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2474 	 */
2475 	rc = avc_has_perm(&selinux_state,
2476 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2477 			  PROCESS__RLIMITINH, NULL);
2478 	if (rc) {
2479 		/* protect against do_prlimit() */
2480 		task_lock(current);
2481 		for (i = 0; i < RLIM_NLIMITS; i++) {
2482 			rlim = current->signal->rlim + i;
2483 			initrlim = init_task.signal->rlim + i;
2484 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2485 		}
2486 		task_unlock(current);
2487 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2488 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2489 	}
2490 }
2491 
2492 /*
2493  * Clean up the process immediately after the installation of new credentials
2494  * due to exec
2495  */
2496 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2497 {
2498 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2499 	u32 osid, sid;
2500 	int rc;
2501 
2502 	osid = tsec->osid;
2503 	sid = tsec->sid;
2504 
2505 	if (sid == osid)
2506 		return;
2507 
2508 	/* Check whether the new SID can inherit signal state from the old SID.
2509 	 * If not, clear itimers to avoid subsequent signal generation and
2510 	 * flush and unblock signals.
2511 	 *
2512 	 * This must occur _after_ the task SID has been updated so that any
2513 	 * kill done after the flush will be checked against the new SID.
2514 	 */
2515 	rc = avc_has_perm(&selinux_state,
2516 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2517 	if (rc) {
2518 		clear_itimer();
2519 
2520 		spin_lock_irq(&current->sighand->siglock);
2521 		if (!fatal_signal_pending(current)) {
2522 			flush_sigqueue(&current->pending);
2523 			flush_sigqueue(&current->signal->shared_pending);
2524 			flush_signal_handlers(current, 1);
2525 			sigemptyset(&current->blocked);
2526 			recalc_sigpending();
2527 		}
2528 		spin_unlock_irq(&current->sighand->siglock);
2529 	}
2530 
2531 	/* Wake up the parent if it is waiting so that it can recheck
2532 	 * wait permission to the new task SID. */
2533 	read_lock(&tasklist_lock);
2534 	__wake_up_parent(current, current->real_parent);
2535 	read_unlock(&tasklist_lock);
2536 }
2537 
2538 /* superblock security operations */
2539 
2540 static int selinux_sb_alloc_security(struct super_block *sb)
2541 {
2542 	struct superblock_security_struct *sbsec;
2543 
2544 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2545 	if (!sbsec)
2546 		return -ENOMEM;
2547 
2548 	mutex_init(&sbsec->lock);
2549 	INIT_LIST_HEAD(&sbsec->isec_head);
2550 	spin_lock_init(&sbsec->isec_lock);
2551 	sbsec->sb = sb;
2552 	sbsec->sid = SECINITSID_UNLABELED;
2553 	sbsec->def_sid = SECINITSID_FILE;
2554 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555 	sb->s_security = sbsec;
2556 
2557 	return 0;
2558 }
2559 
2560 static void selinux_sb_free_security(struct super_block *sb)
2561 {
2562 	superblock_free_security(sb);
2563 }
2564 
2565 static inline int opt_len(const char *s)
2566 {
2567 	bool open_quote = false;
2568 	int len;
2569 	char c;
2570 
2571 	for (len = 0; (c = s[len]) != '\0'; len++) {
2572 		if (c == '"')
2573 			open_quote = !open_quote;
2574 		if (c == ',' && !open_quote)
2575 			break;
2576 	}
2577 	return len;
2578 }
2579 
2580 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2581 {
2582 	char *from = options;
2583 	char *to = options;
2584 	bool first = true;
2585 	int rc;
2586 
2587 	while (1) {
2588 		int len = opt_len(from);
2589 		int token;
2590 		char *arg = NULL;
2591 
2592 		token = match_opt_prefix(from, len, &arg);
2593 
2594 		if (token != Opt_error) {
2595 			char *p, *q;
2596 
2597 			/* strip quotes */
2598 			if (arg) {
2599 				for (p = q = arg; p < from + len; p++) {
2600 					char c = *p;
2601 					if (c != '"')
2602 						*q++ = c;
2603 				}
2604 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2605 				if (!arg) {
2606 					rc = -ENOMEM;
2607 					goto free_opt;
2608 				}
2609 			}
2610 			rc = selinux_add_opt(token, arg, mnt_opts);
2611 			if (unlikely(rc)) {
2612 				kfree(arg);
2613 				goto free_opt;
2614 			}
2615 		} else {
2616 			if (!first) {	// copy with preceding comma
2617 				from--;
2618 				len++;
2619 			}
2620 			if (to != from)
2621 				memmove(to, from, len);
2622 			to += len;
2623 			first = false;
2624 		}
2625 		if (!from[len])
2626 			break;
2627 		from += len + 1;
2628 	}
2629 	*to = '\0';
2630 	return 0;
2631 
2632 free_opt:
2633 	if (*mnt_opts) {
2634 		selinux_free_mnt_opts(*mnt_opts);
2635 		*mnt_opts = NULL;
2636 	}
2637 	return rc;
2638 }
2639 
2640 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2641 {
2642 	struct selinux_mnt_opts *opts = mnt_opts;
2643 	struct superblock_security_struct *sbsec = sb->s_security;
2644 	u32 sid;
2645 	int rc;
2646 
2647 	if (!(sbsec->flags & SE_SBINITIALIZED))
2648 		return 0;
2649 
2650 	if (!opts)
2651 		return 0;
2652 
2653 	if (opts->fscontext) {
2654 		rc = parse_sid(sb, opts->fscontext, &sid);
2655 		if (rc)
2656 			return rc;
2657 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2658 			goto out_bad_option;
2659 	}
2660 	if (opts->context) {
2661 		rc = parse_sid(sb, opts->context, &sid);
2662 		if (rc)
2663 			return rc;
2664 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2665 			goto out_bad_option;
2666 	}
2667 	if (opts->rootcontext) {
2668 		struct inode_security_struct *root_isec;
2669 		root_isec = backing_inode_security(sb->s_root);
2670 		rc = parse_sid(sb, opts->rootcontext, &sid);
2671 		if (rc)
2672 			return rc;
2673 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2674 			goto out_bad_option;
2675 	}
2676 	if (opts->defcontext) {
2677 		rc = parse_sid(sb, opts->defcontext, &sid);
2678 		if (rc)
2679 			return rc;
2680 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2681 			goto out_bad_option;
2682 	}
2683 	return 0;
2684 
2685 out_bad_option:
2686 	pr_warn("SELinux: unable to change security options "
2687 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2688 	       sb->s_type->name);
2689 	return -EINVAL;
2690 }
2691 
2692 static int selinux_sb_kern_mount(struct super_block *sb)
2693 {
2694 	const struct cred *cred = current_cred();
2695 	struct common_audit_data ad;
2696 
2697 	ad.type = LSM_AUDIT_DATA_DENTRY;
2698 	ad.u.dentry = sb->s_root;
2699 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2700 }
2701 
2702 static int selinux_sb_statfs(struct dentry *dentry)
2703 {
2704 	const struct cred *cred = current_cred();
2705 	struct common_audit_data ad;
2706 
2707 	ad.type = LSM_AUDIT_DATA_DENTRY;
2708 	ad.u.dentry = dentry->d_sb->s_root;
2709 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2710 }
2711 
2712 static int selinux_mount(const char *dev_name,
2713 			 const struct path *path,
2714 			 const char *type,
2715 			 unsigned long flags,
2716 			 void *data)
2717 {
2718 	const struct cred *cred = current_cred();
2719 
2720 	if (flags & MS_REMOUNT)
2721 		return superblock_has_perm(cred, path->dentry->d_sb,
2722 					   FILESYSTEM__REMOUNT, NULL);
2723 	else
2724 		return path_has_perm(cred, path, FILE__MOUNTON);
2725 }
2726 
2727 static int selinux_move_mount(const struct path *from_path,
2728 			      const struct path *to_path)
2729 {
2730 	const struct cred *cred = current_cred();
2731 
2732 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2733 }
2734 
2735 static int selinux_umount(struct vfsmount *mnt, int flags)
2736 {
2737 	const struct cred *cred = current_cred();
2738 
2739 	return superblock_has_perm(cred, mnt->mnt_sb,
2740 				   FILESYSTEM__UNMOUNT, NULL);
2741 }
2742 
2743 static int selinux_fs_context_dup(struct fs_context *fc,
2744 				  struct fs_context *src_fc)
2745 {
2746 	const struct selinux_mnt_opts *src = src_fc->security;
2747 	struct selinux_mnt_opts *opts;
2748 
2749 	if (!src)
2750 		return 0;
2751 
2752 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2753 	if (!fc->security)
2754 		return -ENOMEM;
2755 
2756 	opts = fc->security;
2757 
2758 	if (src->fscontext) {
2759 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2760 		if (!opts->fscontext)
2761 			return -ENOMEM;
2762 	}
2763 	if (src->context) {
2764 		opts->context = kstrdup(src->context, GFP_KERNEL);
2765 		if (!opts->context)
2766 			return -ENOMEM;
2767 	}
2768 	if (src->rootcontext) {
2769 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2770 		if (!opts->rootcontext)
2771 			return -ENOMEM;
2772 	}
2773 	if (src->defcontext) {
2774 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2775 		if (!opts->defcontext)
2776 			return -ENOMEM;
2777 	}
2778 	return 0;
2779 }
2780 
2781 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2782 	fsparam_string(CONTEXT_STR,	Opt_context),
2783 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2784 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2785 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2786 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2787 	{}
2788 };
2789 
2790 static int selinux_fs_context_parse_param(struct fs_context *fc,
2791 					  struct fs_parameter *param)
2792 {
2793 	struct fs_parse_result result;
2794 	int opt, rc;
2795 
2796 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2797 	if (opt < 0)
2798 		return opt;
2799 
2800 	rc = selinux_add_opt(opt, param->string, &fc->security);
2801 	if (!rc) {
2802 		param->string = NULL;
2803 		rc = 1;
2804 	}
2805 	return rc;
2806 }
2807 
2808 /* inode security operations */
2809 
2810 static int selinux_inode_alloc_security(struct inode *inode)
2811 {
2812 	struct inode_security_struct *isec = selinux_inode(inode);
2813 	u32 sid = current_sid();
2814 
2815 	spin_lock_init(&isec->lock);
2816 	INIT_LIST_HEAD(&isec->list);
2817 	isec->inode = inode;
2818 	isec->sid = SECINITSID_UNLABELED;
2819 	isec->sclass = SECCLASS_FILE;
2820 	isec->task_sid = sid;
2821 	isec->initialized = LABEL_INVALID;
2822 
2823 	return 0;
2824 }
2825 
2826 static void selinux_inode_free_security(struct inode *inode)
2827 {
2828 	inode_free_security(inode);
2829 }
2830 
2831 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2832 					const struct qstr *name, void **ctx,
2833 					u32 *ctxlen)
2834 {
2835 	u32 newsid;
2836 	int rc;
2837 
2838 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2839 					   d_inode(dentry->d_parent), name,
2840 					   inode_mode_to_security_class(mode),
2841 					   &newsid);
2842 	if (rc)
2843 		return rc;
2844 
2845 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2846 				       ctxlen);
2847 }
2848 
2849 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2850 					  struct qstr *name,
2851 					  const struct cred *old,
2852 					  struct cred *new)
2853 {
2854 	u32 newsid;
2855 	int rc;
2856 	struct task_security_struct *tsec;
2857 
2858 	rc = selinux_determine_inode_label(selinux_cred(old),
2859 					   d_inode(dentry->d_parent), name,
2860 					   inode_mode_to_security_class(mode),
2861 					   &newsid);
2862 	if (rc)
2863 		return rc;
2864 
2865 	tsec = selinux_cred(new);
2866 	tsec->create_sid = newsid;
2867 	return 0;
2868 }
2869 
2870 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2871 				       const struct qstr *qstr,
2872 				       const char **name,
2873 				       void **value, size_t *len)
2874 {
2875 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2876 	struct superblock_security_struct *sbsec;
2877 	u32 newsid, clen;
2878 	int rc;
2879 	char *context;
2880 
2881 	sbsec = dir->i_sb->s_security;
2882 
2883 	newsid = tsec->create_sid;
2884 
2885 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2886 		inode_mode_to_security_class(inode->i_mode),
2887 		&newsid);
2888 	if (rc)
2889 		return rc;
2890 
2891 	/* Possibly defer initialization to selinux_complete_init. */
2892 	if (sbsec->flags & SE_SBINITIALIZED) {
2893 		struct inode_security_struct *isec = selinux_inode(inode);
2894 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2895 		isec->sid = newsid;
2896 		isec->initialized = LABEL_INITIALIZED;
2897 	}
2898 
2899 	if (!selinux_initialized(&selinux_state) ||
2900 	    !(sbsec->flags & SBLABEL_MNT))
2901 		return -EOPNOTSUPP;
2902 
2903 	if (name)
2904 		*name = XATTR_SELINUX_SUFFIX;
2905 
2906 	if (value && len) {
2907 		rc = security_sid_to_context_force(&selinux_state, newsid,
2908 						   &context, &clen);
2909 		if (rc)
2910 			return rc;
2911 		*value = context;
2912 		*len = clen;
2913 	}
2914 
2915 	return 0;
2916 }
2917 
2918 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2919 {
2920 	return may_create(dir, dentry, SECCLASS_FILE);
2921 }
2922 
2923 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2924 {
2925 	return may_link(dir, old_dentry, MAY_LINK);
2926 }
2927 
2928 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2929 {
2930 	return may_link(dir, dentry, MAY_UNLINK);
2931 }
2932 
2933 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2934 {
2935 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2936 }
2937 
2938 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2939 {
2940 	return may_create(dir, dentry, SECCLASS_DIR);
2941 }
2942 
2943 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2944 {
2945 	return may_link(dir, dentry, MAY_RMDIR);
2946 }
2947 
2948 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2949 {
2950 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2951 }
2952 
2953 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2954 				struct inode *new_inode, struct dentry *new_dentry)
2955 {
2956 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2957 }
2958 
2959 static int selinux_inode_readlink(struct dentry *dentry)
2960 {
2961 	const struct cred *cred = current_cred();
2962 
2963 	return dentry_has_perm(cred, dentry, FILE__READ);
2964 }
2965 
2966 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2967 				     bool rcu)
2968 {
2969 	const struct cred *cred = current_cred();
2970 	struct common_audit_data ad;
2971 	struct inode_security_struct *isec;
2972 	u32 sid;
2973 
2974 	validate_creds(cred);
2975 
2976 	ad.type = LSM_AUDIT_DATA_DENTRY;
2977 	ad.u.dentry = dentry;
2978 	sid = cred_sid(cred);
2979 	isec = inode_security_rcu(inode, rcu);
2980 	if (IS_ERR(isec))
2981 		return PTR_ERR(isec);
2982 
2983 	return avc_has_perm_flags(&selinux_state,
2984 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
2985 				  rcu ? MAY_NOT_BLOCK : 0);
2986 }
2987 
2988 static noinline int audit_inode_permission(struct inode *inode,
2989 					   u32 perms, u32 audited, u32 denied,
2990 					   int result)
2991 {
2992 	struct common_audit_data ad;
2993 	struct inode_security_struct *isec = selinux_inode(inode);
2994 	int rc;
2995 
2996 	ad.type = LSM_AUDIT_DATA_INODE;
2997 	ad.u.inode = inode;
2998 
2999 	rc = slow_avc_audit(&selinux_state,
3000 			    current_sid(), isec->sid, isec->sclass, perms,
3001 			    audited, denied, result, &ad);
3002 	if (rc)
3003 		return rc;
3004 	return 0;
3005 }
3006 
3007 static int selinux_inode_permission(struct inode *inode, int mask)
3008 {
3009 	const struct cred *cred = current_cred();
3010 	u32 perms;
3011 	bool from_access;
3012 	bool no_block = mask & MAY_NOT_BLOCK;
3013 	struct inode_security_struct *isec;
3014 	u32 sid;
3015 	struct av_decision avd;
3016 	int rc, rc2;
3017 	u32 audited, denied;
3018 
3019 	from_access = mask & MAY_ACCESS;
3020 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3021 
3022 	/* No permission to check.  Existence test. */
3023 	if (!mask)
3024 		return 0;
3025 
3026 	validate_creds(cred);
3027 
3028 	if (unlikely(IS_PRIVATE(inode)))
3029 		return 0;
3030 
3031 	perms = file_mask_to_av(inode->i_mode, mask);
3032 
3033 	sid = cred_sid(cred);
3034 	isec = inode_security_rcu(inode, no_block);
3035 	if (IS_ERR(isec))
3036 		return PTR_ERR(isec);
3037 
3038 	rc = avc_has_perm_noaudit(&selinux_state,
3039 				  sid, isec->sid, isec->sclass, perms,
3040 				  no_block ? AVC_NONBLOCKING : 0,
3041 				  &avd);
3042 	audited = avc_audit_required(perms, &avd, rc,
3043 				     from_access ? FILE__AUDIT_ACCESS : 0,
3044 				     &denied);
3045 	if (likely(!audited))
3046 		return rc;
3047 
3048 	/* fall back to ref-walk if we have to generate audit */
3049 	if (no_block)
3050 		return -ECHILD;
3051 
3052 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3053 	if (rc2)
3054 		return rc2;
3055 	return rc;
3056 }
3057 
3058 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3059 {
3060 	const struct cred *cred = current_cred();
3061 	struct inode *inode = d_backing_inode(dentry);
3062 	unsigned int ia_valid = iattr->ia_valid;
3063 	__u32 av = FILE__WRITE;
3064 
3065 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3066 	if (ia_valid & ATTR_FORCE) {
3067 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3068 			      ATTR_FORCE);
3069 		if (!ia_valid)
3070 			return 0;
3071 	}
3072 
3073 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3074 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3075 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3076 
3077 	if (selinux_policycap_openperm() &&
3078 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3079 	    (ia_valid & ATTR_SIZE) &&
3080 	    !(ia_valid & ATTR_FILE))
3081 		av |= FILE__OPEN;
3082 
3083 	return dentry_has_perm(cred, dentry, av);
3084 }
3085 
3086 static int selinux_inode_getattr(const struct path *path)
3087 {
3088 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3089 }
3090 
3091 static bool has_cap_mac_admin(bool audit)
3092 {
3093 	const struct cred *cred = current_cred();
3094 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3095 
3096 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3097 		return false;
3098 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3099 		return false;
3100 	return true;
3101 }
3102 
3103 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3104 				  const void *value, size_t size, int flags)
3105 {
3106 	struct inode *inode = d_backing_inode(dentry);
3107 	struct inode_security_struct *isec;
3108 	struct superblock_security_struct *sbsec;
3109 	struct common_audit_data ad;
3110 	u32 newsid, sid = current_sid();
3111 	int rc = 0;
3112 
3113 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3114 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3115 		if (rc)
3116 			return rc;
3117 
3118 		/* Not an attribute we recognize, so just check the
3119 		   ordinary setattr permission. */
3120 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3121 	}
3122 
3123 	if (!selinux_initialized(&selinux_state))
3124 		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3125 
3126 	sbsec = inode->i_sb->s_security;
3127 	if (!(sbsec->flags & SBLABEL_MNT))
3128 		return -EOPNOTSUPP;
3129 
3130 	if (!inode_owner_or_capable(inode))
3131 		return -EPERM;
3132 
3133 	ad.type = LSM_AUDIT_DATA_DENTRY;
3134 	ad.u.dentry = dentry;
3135 
3136 	isec = backing_inode_security(dentry);
3137 	rc = avc_has_perm(&selinux_state,
3138 			  sid, isec->sid, isec->sclass,
3139 			  FILE__RELABELFROM, &ad);
3140 	if (rc)
3141 		return rc;
3142 
3143 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3144 				     GFP_KERNEL);
3145 	if (rc == -EINVAL) {
3146 		if (!has_cap_mac_admin(true)) {
3147 			struct audit_buffer *ab;
3148 			size_t audit_size;
3149 
3150 			/* We strip a nul only if it is at the end, otherwise the
3151 			 * context contains a nul and we should audit that */
3152 			if (value) {
3153 				const char *str = value;
3154 
3155 				if (str[size - 1] == '\0')
3156 					audit_size = size - 1;
3157 				else
3158 					audit_size = size;
3159 			} else {
3160 				audit_size = 0;
3161 			}
3162 			ab = audit_log_start(audit_context(),
3163 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3164 			audit_log_format(ab, "op=setxattr invalid_context=");
3165 			audit_log_n_untrustedstring(ab, value, audit_size);
3166 			audit_log_end(ab);
3167 
3168 			return rc;
3169 		}
3170 		rc = security_context_to_sid_force(&selinux_state, value,
3171 						   size, &newsid);
3172 	}
3173 	if (rc)
3174 		return rc;
3175 
3176 	rc = avc_has_perm(&selinux_state,
3177 			  sid, newsid, isec->sclass,
3178 			  FILE__RELABELTO, &ad);
3179 	if (rc)
3180 		return rc;
3181 
3182 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3183 					  sid, isec->sclass);
3184 	if (rc)
3185 		return rc;
3186 
3187 	return avc_has_perm(&selinux_state,
3188 			    newsid,
3189 			    sbsec->sid,
3190 			    SECCLASS_FILESYSTEM,
3191 			    FILESYSTEM__ASSOCIATE,
3192 			    &ad);
3193 }
3194 
3195 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3196 					const void *value, size_t size,
3197 					int flags)
3198 {
3199 	struct inode *inode = d_backing_inode(dentry);
3200 	struct inode_security_struct *isec;
3201 	u32 newsid;
3202 	int rc;
3203 
3204 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3205 		/* Not an attribute we recognize, so nothing to do. */
3206 		return;
3207 	}
3208 
3209 	if (!selinux_initialized(&selinux_state)) {
3210 		/* If we haven't even been initialized, then we can't validate
3211 		 * against a policy, so leave the label as invalid. It may
3212 		 * resolve to a valid label on the next revalidation try if
3213 		 * we've since initialized.
3214 		 */
3215 		return;
3216 	}
3217 
3218 	rc = security_context_to_sid_force(&selinux_state, value, size,
3219 					   &newsid);
3220 	if (rc) {
3221 		pr_err("SELinux:  unable to map context to SID"
3222 		       "for (%s, %lu), rc=%d\n",
3223 		       inode->i_sb->s_id, inode->i_ino, -rc);
3224 		return;
3225 	}
3226 
3227 	isec = backing_inode_security(dentry);
3228 	spin_lock(&isec->lock);
3229 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3230 	isec->sid = newsid;
3231 	isec->initialized = LABEL_INITIALIZED;
3232 	spin_unlock(&isec->lock);
3233 
3234 	return;
3235 }
3236 
3237 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3238 {
3239 	const struct cred *cred = current_cred();
3240 
3241 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3242 }
3243 
3244 static int selinux_inode_listxattr(struct dentry *dentry)
3245 {
3246 	const struct cred *cred = current_cred();
3247 
3248 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3249 }
3250 
3251 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3252 {
3253 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3254 		int rc = cap_inode_removexattr(dentry, name);
3255 		if (rc)
3256 			return rc;
3257 
3258 		/* Not an attribute we recognize, so just check the
3259 		   ordinary setattr permission. */
3260 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3261 	}
3262 
3263 	/* No one is allowed to remove a SELinux security label.
3264 	   You can change the label, but all data must be labeled. */
3265 	return -EACCES;
3266 }
3267 
3268 static int selinux_path_notify(const struct path *path, u64 mask,
3269 						unsigned int obj_type)
3270 {
3271 	int ret;
3272 	u32 perm;
3273 
3274 	struct common_audit_data ad;
3275 
3276 	ad.type = LSM_AUDIT_DATA_PATH;
3277 	ad.u.path = *path;
3278 
3279 	/*
3280 	 * Set permission needed based on the type of mark being set.
3281 	 * Performs an additional check for sb watches.
3282 	 */
3283 	switch (obj_type) {
3284 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3285 		perm = FILE__WATCH_MOUNT;
3286 		break;
3287 	case FSNOTIFY_OBJ_TYPE_SB:
3288 		perm = FILE__WATCH_SB;
3289 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3290 						FILESYSTEM__WATCH, &ad);
3291 		if (ret)
3292 			return ret;
3293 		break;
3294 	case FSNOTIFY_OBJ_TYPE_INODE:
3295 		perm = FILE__WATCH;
3296 		break;
3297 	default:
3298 		return -EINVAL;
3299 	}
3300 
3301 	/* blocking watches require the file:watch_with_perm permission */
3302 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3303 		perm |= FILE__WATCH_WITH_PERM;
3304 
3305 	/* watches on read-like events need the file:watch_reads permission */
3306 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3307 		perm |= FILE__WATCH_READS;
3308 
3309 	return path_has_perm(current_cred(), path, perm);
3310 }
3311 
3312 /*
3313  * Copy the inode security context value to the user.
3314  *
3315  * Permission check is handled by selinux_inode_getxattr hook.
3316  */
3317 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3318 {
3319 	u32 size;
3320 	int error;
3321 	char *context = NULL;
3322 	struct inode_security_struct *isec;
3323 
3324 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3325 		return -EOPNOTSUPP;
3326 
3327 	/*
3328 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3329 	 * value even if it is not defined by current policy; otherwise,
3330 	 * use the in-core value under current policy.
3331 	 * Use the non-auditing forms of the permission checks since
3332 	 * getxattr may be called by unprivileged processes commonly
3333 	 * and lack of permission just means that we fall back to the
3334 	 * in-core context value, not a denial.
3335 	 */
3336 	isec = inode_security(inode);
3337 	if (has_cap_mac_admin(false))
3338 		error = security_sid_to_context_force(&selinux_state,
3339 						      isec->sid, &context,
3340 						      &size);
3341 	else
3342 		error = security_sid_to_context(&selinux_state, isec->sid,
3343 						&context, &size);
3344 	if (error)
3345 		return error;
3346 	error = size;
3347 	if (alloc) {
3348 		*buffer = context;
3349 		goto out_nofree;
3350 	}
3351 	kfree(context);
3352 out_nofree:
3353 	return error;
3354 }
3355 
3356 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3357 				     const void *value, size_t size, int flags)
3358 {
3359 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3360 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3361 	u32 newsid;
3362 	int rc;
3363 
3364 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3365 		return -EOPNOTSUPP;
3366 
3367 	if (!(sbsec->flags & SBLABEL_MNT))
3368 		return -EOPNOTSUPP;
3369 
3370 	if (!value || !size)
3371 		return -EACCES;
3372 
3373 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3374 				     GFP_KERNEL);
3375 	if (rc)
3376 		return rc;
3377 
3378 	spin_lock(&isec->lock);
3379 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3380 	isec->sid = newsid;
3381 	isec->initialized = LABEL_INITIALIZED;
3382 	spin_unlock(&isec->lock);
3383 	return 0;
3384 }
3385 
3386 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3387 {
3388 	const int len = sizeof(XATTR_NAME_SELINUX);
3389 	if (buffer && len <= buffer_size)
3390 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3391 	return len;
3392 }
3393 
3394 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3395 {
3396 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3397 	*secid = isec->sid;
3398 }
3399 
3400 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3401 {
3402 	u32 sid;
3403 	struct task_security_struct *tsec;
3404 	struct cred *new_creds = *new;
3405 
3406 	if (new_creds == NULL) {
3407 		new_creds = prepare_creds();
3408 		if (!new_creds)
3409 			return -ENOMEM;
3410 	}
3411 
3412 	tsec = selinux_cred(new_creds);
3413 	/* Get label from overlay inode and set it in create_sid */
3414 	selinux_inode_getsecid(d_inode(src), &sid);
3415 	tsec->create_sid = sid;
3416 	*new = new_creds;
3417 	return 0;
3418 }
3419 
3420 static int selinux_inode_copy_up_xattr(const char *name)
3421 {
3422 	/* The copy_up hook above sets the initial context on an inode, but we
3423 	 * don't then want to overwrite it by blindly copying all the lower
3424 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3425 	 */
3426 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3427 		return 1; /* Discard */
3428 	/*
3429 	 * Any other attribute apart from SELINUX is not claimed, supported
3430 	 * by selinux.
3431 	 */
3432 	return -EOPNOTSUPP;
3433 }
3434 
3435 /* kernfs node operations */
3436 
3437 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3438 					struct kernfs_node *kn)
3439 {
3440 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3441 	u32 parent_sid, newsid, clen;
3442 	int rc;
3443 	char *context;
3444 
3445 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3446 	if (rc == -ENODATA)
3447 		return 0;
3448 	else if (rc < 0)
3449 		return rc;
3450 
3451 	clen = (u32)rc;
3452 	context = kmalloc(clen, GFP_KERNEL);
3453 	if (!context)
3454 		return -ENOMEM;
3455 
3456 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3457 	if (rc < 0) {
3458 		kfree(context);
3459 		return rc;
3460 	}
3461 
3462 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3463 				     GFP_KERNEL);
3464 	kfree(context);
3465 	if (rc)
3466 		return rc;
3467 
3468 	if (tsec->create_sid) {
3469 		newsid = tsec->create_sid;
3470 	} else {
3471 		u16 secclass = inode_mode_to_security_class(kn->mode);
3472 		struct qstr q;
3473 
3474 		q.name = kn->name;
3475 		q.hash_len = hashlen_string(kn_dir, kn->name);
3476 
3477 		rc = security_transition_sid(&selinux_state, tsec->sid,
3478 					     parent_sid, secclass, &q,
3479 					     &newsid);
3480 		if (rc)
3481 			return rc;
3482 	}
3483 
3484 	rc = security_sid_to_context_force(&selinux_state, newsid,
3485 					   &context, &clen);
3486 	if (rc)
3487 		return rc;
3488 
3489 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3490 			      XATTR_CREATE);
3491 	kfree(context);
3492 	return rc;
3493 }
3494 
3495 
3496 /* file security operations */
3497 
3498 static int selinux_revalidate_file_permission(struct file *file, int mask)
3499 {
3500 	const struct cred *cred = current_cred();
3501 	struct inode *inode = file_inode(file);
3502 
3503 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3504 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3505 		mask |= MAY_APPEND;
3506 
3507 	return file_has_perm(cred, file,
3508 			     file_mask_to_av(inode->i_mode, mask));
3509 }
3510 
3511 static int selinux_file_permission(struct file *file, int mask)
3512 {
3513 	struct inode *inode = file_inode(file);
3514 	struct file_security_struct *fsec = selinux_file(file);
3515 	struct inode_security_struct *isec;
3516 	u32 sid = current_sid();
3517 
3518 	if (!mask)
3519 		/* No permission to check.  Existence test. */
3520 		return 0;
3521 
3522 	isec = inode_security(inode);
3523 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3524 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3525 		/* No change since file_open check. */
3526 		return 0;
3527 
3528 	return selinux_revalidate_file_permission(file, mask);
3529 }
3530 
3531 static int selinux_file_alloc_security(struct file *file)
3532 {
3533 	struct file_security_struct *fsec = selinux_file(file);
3534 	u32 sid = current_sid();
3535 
3536 	fsec->sid = sid;
3537 	fsec->fown_sid = sid;
3538 
3539 	return 0;
3540 }
3541 
3542 /*
3543  * Check whether a task has the ioctl permission and cmd
3544  * operation to an inode.
3545  */
3546 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3547 		u32 requested, u16 cmd)
3548 {
3549 	struct common_audit_data ad;
3550 	struct file_security_struct *fsec = selinux_file(file);
3551 	struct inode *inode = file_inode(file);
3552 	struct inode_security_struct *isec;
3553 	struct lsm_ioctlop_audit ioctl;
3554 	u32 ssid = cred_sid(cred);
3555 	int rc;
3556 	u8 driver = cmd >> 8;
3557 	u8 xperm = cmd & 0xff;
3558 
3559 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3560 	ad.u.op = &ioctl;
3561 	ad.u.op->cmd = cmd;
3562 	ad.u.op->path = file->f_path;
3563 
3564 	if (ssid != fsec->sid) {
3565 		rc = avc_has_perm(&selinux_state,
3566 				  ssid, fsec->sid,
3567 				SECCLASS_FD,
3568 				FD__USE,
3569 				&ad);
3570 		if (rc)
3571 			goto out;
3572 	}
3573 
3574 	if (unlikely(IS_PRIVATE(inode)))
3575 		return 0;
3576 
3577 	isec = inode_security(inode);
3578 	rc = avc_has_extended_perms(&selinux_state,
3579 				    ssid, isec->sid, isec->sclass,
3580 				    requested, driver, xperm, &ad);
3581 out:
3582 	return rc;
3583 }
3584 
3585 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3586 			      unsigned long arg)
3587 {
3588 	const struct cred *cred = current_cred();
3589 	int error = 0;
3590 
3591 	switch (cmd) {
3592 	case FIONREAD:
3593 	/* fall through */
3594 	case FIBMAP:
3595 	/* fall through */
3596 	case FIGETBSZ:
3597 	/* fall through */
3598 	case FS_IOC_GETFLAGS:
3599 	/* fall through */
3600 	case FS_IOC_GETVERSION:
3601 		error = file_has_perm(cred, file, FILE__GETATTR);
3602 		break;
3603 
3604 	case FS_IOC_SETFLAGS:
3605 	/* fall through */
3606 	case FS_IOC_SETVERSION:
3607 		error = file_has_perm(cred, file, FILE__SETATTR);
3608 		break;
3609 
3610 	/* sys_ioctl() checks */
3611 	case FIONBIO:
3612 	/* fall through */
3613 	case FIOASYNC:
3614 		error = file_has_perm(cred, file, 0);
3615 		break;
3616 
3617 	case KDSKBENT:
3618 	case KDSKBSENT:
3619 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3620 					    CAP_OPT_NONE, true);
3621 		break;
3622 
3623 	/* default case assumes that the command will go
3624 	 * to the file's ioctl() function.
3625 	 */
3626 	default:
3627 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3628 	}
3629 	return error;
3630 }
3631 
3632 static int default_noexec __ro_after_init;
3633 
3634 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3635 {
3636 	const struct cred *cred = current_cred();
3637 	u32 sid = cred_sid(cred);
3638 	int rc = 0;
3639 
3640 	if (default_noexec &&
3641 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3642 				   (!shared && (prot & PROT_WRITE)))) {
3643 		/*
3644 		 * We are making executable an anonymous mapping or a
3645 		 * private file mapping that will also be writable.
3646 		 * This has an additional check.
3647 		 */
3648 		rc = avc_has_perm(&selinux_state,
3649 				  sid, sid, SECCLASS_PROCESS,
3650 				  PROCESS__EXECMEM, NULL);
3651 		if (rc)
3652 			goto error;
3653 	}
3654 
3655 	if (file) {
3656 		/* read access is always possible with a mapping */
3657 		u32 av = FILE__READ;
3658 
3659 		/* write access only matters if the mapping is shared */
3660 		if (shared && (prot & PROT_WRITE))
3661 			av |= FILE__WRITE;
3662 
3663 		if (prot & PROT_EXEC)
3664 			av |= FILE__EXECUTE;
3665 
3666 		return file_has_perm(cred, file, av);
3667 	}
3668 
3669 error:
3670 	return rc;
3671 }
3672 
3673 static int selinux_mmap_addr(unsigned long addr)
3674 {
3675 	int rc = 0;
3676 
3677 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3678 		u32 sid = current_sid();
3679 		rc = avc_has_perm(&selinux_state,
3680 				  sid, sid, SECCLASS_MEMPROTECT,
3681 				  MEMPROTECT__MMAP_ZERO, NULL);
3682 	}
3683 
3684 	return rc;
3685 }
3686 
3687 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3688 			     unsigned long prot, unsigned long flags)
3689 {
3690 	struct common_audit_data ad;
3691 	int rc;
3692 
3693 	if (file) {
3694 		ad.type = LSM_AUDIT_DATA_FILE;
3695 		ad.u.file = file;
3696 		rc = inode_has_perm(current_cred(), file_inode(file),
3697 				    FILE__MAP, &ad);
3698 		if (rc)
3699 			return rc;
3700 	}
3701 
3702 	if (selinux_state.checkreqprot)
3703 		prot = reqprot;
3704 
3705 	return file_map_prot_check(file, prot,
3706 				   (flags & MAP_TYPE) == MAP_SHARED);
3707 }
3708 
3709 static int selinux_file_mprotect(struct vm_area_struct *vma,
3710 				 unsigned long reqprot,
3711 				 unsigned long prot)
3712 {
3713 	const struct cred *cred = current_cred();
3714 	u32 sid = cred_sid(cred);
3715 
3716 	if (selinux_state.checkreqprot)
3717 		prot = reqprot;
3718 
3719 	if (default_noexec &&
3720 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3721 		int rc = 0;
3722 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3723 		    vma->vm_end <= vma->vm_mm->brk) {
3724 			rc = avc_has_perm(&selinux_state,
3725 					  sid, sid, SECCLASS_PROCESS,
3726 					  PROCESS__EXECHEAP, NULL);
3727 		} else if (!vma->vm_file &&
3728 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3729 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3730 			    vma_is_stack_for_current(vma))) {
3731 			rc = avc_has_perm(&selinux_state,
3732 					  sid, sid, SECCLASS_PROCESS,
3733 					  PROCESS__EXECSTACK, NULL);
3734 		} else if (vma->vm_file && vma->anon_vma) {
3735 			/*
3736 			 * We are making executable a file mapping that has
3737 			 * had some COW done. Since pages might have been
3738 			 * written, check ability to execute the possibly
3739 			 * modified content.  This typically should only
3740 			 * occur for text relocations.
3741 			 */
3742 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3743 		}
3744 		if (rc)
3745 			return rc;
3746 	}
3747 
3748 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3749 }
3750 
3751 static int selinux_file_lock(struct file *file, unsigned int cmd)
3752 {
3753 	const struct cred *cred = current_cred();
3754 
3755 	return file_has_perm(cred, file, FILE__LOCK);
3756 }
3757 
3758 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3759 			      unsigned long arg)
3760 {
3761 	const struct cred *cred = current_cred();
3762 	int err = 0;
3763 
3764 	switch (cmd) {
3765 	case F_SETFL:
3766 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3767 			err = file_has_perm(cred, file, FILE__WRITE);
3768 			break;
3769 		}
3770 		/* fall through */
3771 	case F_SETOWN:
3772 	case F_SETSIG:
3773 	case F_GETFL:
3774 	case F_GETOWN:
3775 	case F_GETSIG:
3776 	case F_GETOWNER_UIDS:
3777 		/* Just check FD__USE permission */
3778 		err = file_has_perm(cred, file, 0);
3779 		break;
3780 	case F_GETLK:
3781 	case F_SETLK:
3782 	case F_SETLKW:
3783 	case F_OFD_GETLK:
3784 	case F_OFD_SETLK:
3785 	case F_OFD_SETLKW:
3786 #if BITS_PER_LONG == 32
3787 	case F_GETLK64:
3788 	case F_SETLK64:
3789 	case F_SETLKW64:
3790 #endif
3791 		err = file_has_perm(cred, file, FILE__LOCK);
3792 		break;
3793 	}
3794 
3795 	return err;
3796 }
3797 
3798 static void selinux_file_set_fowner(struct file *file)
3799 {
3800 	struct file_security_struct *fsec;
3801 
3802 	fsec = selinux_file(file);
3803 	fsec->fown_sid = current_sid();
3804 }
3805 
3806 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3807 				       struct fown_struct *fown, int signum)
3808 {
3809 	struct file *file;
3810 	u32 sid = task_sid(tsk);
3811 	u32 perm;
3812 	struct file_security_struct *fsec;
3813 
3814 	/* struct fown_struct is never outside the context of a struct file */
3815 	file = container_of(fown, struct file, f_owner);
3816 
3817 	fsec = selinux_file(file);
3818 
3819 	if (!signum)
3820 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3821 	else
3822 		perm = signal_to_av(signum);
3823 
3824 	return avc_has_perm(&selinux_state,
3825 			    fsec->fown_sid, sid,
3826 			    SECCLASS_PROCESS, perm, NULL);
3827 }
3828 
3829 static int selinux_file_receive(struct file *file)
3830 {
3831 	const struct cred *cred = current_cred();
3832 
3833 	return file_has_perm(cred, file, file_to_av(file));
3834 }
3835 
3836 static int selinux_file_open(struct file *file)
3837 {
3838 	struct file_security_struct *fsec;
3839 	struct inode_security_struct *isec;
3840 
3841 	fsec = selinux_file(file);
3842 	isec = inode_security(file_inode(file));
3843 	/*
3844 	 * Save inode label and policy sequence number
3845 	 * at open-time so that selinux_file_permission
3846 	 * can determine whether revalidation is necessary.
3847 	 * Task label is already saved in the file security
3848 	 * struct as its SID.
3849 	 */
3850 	fsec->isid = isec->sid;
3851 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3852 	/*
3853 	 * Since the inode label or policy seqno may have changed
3854 	 * between the selinux_inode_permission check and the saving
3855 	 * of state above, recheck that access is still permitted.
3856 	 * Otherwise, access might never be revalidated against the
3857 	 * new inode label or new policy.
3858 	 * This check is not redundant - do not remove.
3859 	 */
3860 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3861 }
3862 
3863 /* task security operations */
3864 
3865 static int selinux_task_alloc(struct task_struct *task,
3866 			      unsigned long clone_flags)
3867 {
3868 	u32 sid = current_sid();
3869 
3870 	return avc_has_perm(&selinux_state,
3871 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3872 }
3873 
3874 /*
3875  * prepare a new set of credentials for modification
3876  */
3877 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3878 				gfp_t gfp)
3879 {
3880 	const struct task_security_struct *old_tsec = selinux_cred(old);
3881 	struct task_security_struct *tsec = selinux_cred(new);
3882 
3883 	*tsec = *old_tsec;
3884 	return 0;
3885 }
3886 
3887 /*
3888  * transfer the SELinux data to a blank set of creds
3889  */
3890 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3891 {
3892 	const struct task_security_struct *old_tsec = selinux_cred(old);
3893 	struct task_security_struct *tsec = selinux_cred(new);
3894 
3895 	*tsec = *old_tsec;
3896 }
3897 
3898 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3899 {
3900 	*secid = cred_sid(c);
3901 }
3902 
3903 /*
3904  * set the security data for a kernel service
3905  * - all the creation contexts are set to unlabelled
3906  */
3907 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3908 {
3909 	struct task_security_struct *tsec = selinux_cred(new);
3910 	u32 sid = current_sid();
3911 	int ret;
3912 
3913 	ret = avc_has_perm(&selinux_state,
3914 			   sid, secid,
3915 			   SECCLASS_KERNEL_SERVICE,
3916 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3917 			   NULL);
3918 	if (ret == 0) {
3919 		tsec->sid = secid;
3920 		tsec->create_sid = 0;
3921 		tsec->keycreate_sid = 0;
3922 		tsec->sockcreate_sid = 0;
3923 	}
3924 	return ret;
3925 }
3926 
3927 /*
3928  * set the file creation context in a security record to the same as the
3929  * objective context of the specified inode
3930  */
3931 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3932 {
3933 	struct inode_security_struct *isec = inode_security(inode);
3934 	struct task_security_struct *tsec = selinux_cred(new);
3935 	u32 sid = current_sid();
3936 	int ret;
3937 
3938 	ret = avc_has_perm(&selinux_state,
3939 			   sid, isec->sid,
3940 			   SECCLASS_KERNEL_SERVICE,
3941 			   KERNEL_SERVICE__CREATE_FILES_AS,
3942 			   NULL);
3943 
3944 	if (ret == 0)
3945 		tsec->create_sid = isec->sid;
3946 	return ret;
3947 }
3948 
3949 static int selinux_kernel_module_request(char *kmod_name)
3950 {
3951 	struct common_audit_data ad;
3952 
3953 	ad.type = LSM_AUDIT_DATA_KMOD;
3954 	ad.u.kmod_name = kmod_name;
3955 
3956 	return avc_has_perm(&selinux_state,
3957 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3958 			    SYSTEM__MODULE_REQUEST, &ad);
3959 }
3960 
3961 static int selinux_kernel_module_from_file(struct file *file)
3962 {
3963 	struct common_audit_data ad;
3964 	struct inode_security_struct *isec;
3965 	struct file_security_struct *fsec;
3966 	u32 sid = current_sid();
3967 	int rc;
3968 
3969 	/* init_module */
3970 	if (file == NULL)
3971 		return avc_has_perm(&selinux_state,
3972 				    sid, sid, SECCLASS_SYSTEM,
3973 					SYSTEM__MODULE_LOAD, NULL);
3974 
3975 	/* finit_module */
3976 
3977 	ad.type = LSM_AUDIT_DATA_FILE;
3978 	ad.u.file = file;
3979 
3980 	fsec = selinux_file(file);
3981 	if (sid != fsec->sid) {
3982 		rc = avc_has_perm(&selinux_state,
3983 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3984 		if (rc)
3985 			return rc;
3986 	}
3987 
3988 	isec = inode_security(file_inode(file));
3989 	return avc_has_perm(&selinux_state,
3990 			    sid, isec->sid, SECCLASS_SYSTEM,
3991 				SYSTEM__MODULE_LOAD, &ad);
3992 }
3993 
3994 static int selinux_kernel_read_file(struct file *file,
3995 				    enum kernel_read_file_id id)
3996 {
3997 	int rc = 0;
3998 
3999 	switch (id) {
4000 	case READING_MODULE:
4001 		rc = selinux_kernel_module_from_file(file);
4002 		break;
4003 	default:
4004 		break;
4005 	}
4006 
4007 	return rc;
4008 }
4009 
4010 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4011 {
4012 	int rc = 0;
4013 
4014 	switch (id) {
4015 	case LOADING_MODULE:
4016 		rc = selinux_kernel_module_from_file(NULL);
4017 	default:
4018 		break;
4019 	}
4020 
4021 	return rc;
4022 }
4023 
4024 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4025 {
4026 	return avc_has_perm(&selinux_state,
4027 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4028 			    PROCESS__SETPGID, NULL);
4029 }
4030 
4031 static int selinux_task_getpgid(struct task_struct *p)
4032 {
4033 	return avc_has_perm(&selinux_state,
4034 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 			    PROCESS__GETPGID, NULL);
4036 }
4037 
4038 static int selinux_task_getsid(struct task_struct *p)
4039 {
4040 	return avc_has_perm(&selinux_state,
4041 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4042 			    PROCESS__GETSESSION, NULL);
4043 }
4044 
4045 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4046 {
4047 	*secid = task_sid(p);
4048 }
4049 
4050 static int selinux_task_setnice(struct task_struct *p, int nice)
4051 {
4052 	return avc_has_perm(&selinux_state,
4053 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4054 			    PROCESS__SETSCHED, NULL);
4055 }
4056 
4057 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4058 {
4059 	return avc_has_perm(&selinux_state,
4060 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4061 			    PROCESS__SETSCHED, NULL);
4062 }
4063 
4064 static int selinux_task_getioprio(struct task_struct *p)
4065 {
4066 	return avc_has_perm(&selinux_state,
4067 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4068 			    PROCESS__GETSCHED, NULL);
4069 }
4070 
4071 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4072 				unsigned int flags)
4073 {
4074 	u32 av = 0;
4075 
4076 	if (!flags)
4077 		return 0;
4078 	if (flags & LSM_PRLIMIT_WRITE)
4079 		av |= PROCESS__SETRLIMIT;
4080 	if (flags & LSM_PRLIMIT_READ)
4081 		av |= PROCESS__GETRLIMIT;
4082 	return avc_has_perm(&selinux_state,
4083 			    cred_sid(cred), cred_sid(tcred),
4084 			    SECCLASS_PROCESS, av, NULL);
4085 }
4086 
4087 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4088 		struct rlimit *new_rlim)
4089 {
4090 	struct rlimit *old_rlim = p->signal->rlim + resource;
4091 
4092 	/* Control the ability to change the hard limit (whether
4093 	   lowering or raising it), so that the hard limit can
4094 	   later be used as a safe reset point for the soft limit
4095 	   upon context transitions.  See selinux_bprm_committing_creds. */
4096 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4097 		return avc_has_perm(&selinux_state,
4098 				    current_sid(), task_sid(p),
4099 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4100 
4101 	return 0;
4102 }
4103 
4104 static int selinux_task_setscheduler(struct task_struct *p)
4105 {
4106 	return avc_has_perm(&selinux_state,
4107 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4108 			    PROCESS__SETSCHED, NULL);
4109 }
4110 
4111 static int selinux_task_getscheduler(struct task_struct *p)
4112 {
4113 	return avc_has_perm(&selinux_state,
4114 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4115 			    PROCESS__GETSCHED, NULL);
4116 }
4117 
4118 static int selinux_task_movememory(struct task_struct *p)
4119 {
4120 	return avc_has_perm(&selinux_state,
4121 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4122 			    PROCESS__SETSCHED, NULL);
4123 }
4124 
4125 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4126 				int sig, const struct cred *cred)
4127 {
4128 	u32 secid;
4129 	u32 perm;
4130 
4131 	if (!sig)
4132 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4133 	else
4134 		perm = signal_to_av(sig);
4135 	if (!cred)
4136 		secid = current_sid();
4137 	else
4138 		secid = cred_sid(cred);
4139 	return avc_has_perm(&selinux_state,
4140 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4141 }
4142 
4143 static void selinux_task_to_inode(struct task_struct *p,
4144 				  struct inode *inode)
4145 {
4146 	struct inode_security_struct *isec = selinux_inode(inode);
4147 	u32 sid = task_sid(p);
4148 
4149 	spin_lock(&isec->lock);
4150 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4151 	isec->sid = sid;
4152 	isec->initialized = LABEL_INITIALIZED;
4153 	spin_unlock(&isec->lock);
4154 }
4155 
4156 /* Returns error only if unable to parse addresses */
4157 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4158 			struct common_audit_data *ad, u8 *proto)
4159 {
4160 	int offset, ihlen, ret = -EINVAL;
4161 	struct iphdr _iph, *ih;
4162 
4163 	offset = skb_network_offset(skb);
4164 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4165 	if (ih == NULL)
4166 		goto out;
4167 
4168 	ihlen = ih->ihl * 4;
4169 	if (ihlen < sizeof(_iph))
4170 		goto out;
4171 
4172 	ad->u.net->v4info.saddr = ih->saddr;
4173 	ad->u.net->v4info.daddr = ih->daddr;
4174 	ret = 0;
4175 
4176 	if (proto)
4177 		*proto = ih->protocol;
4178 
4179 	switch (ih->protocol) {
4180 	case IPPROTO_TCP: {
4181 		struct tcphdr _tcph, *th;
4182 
4183 		if (ntohs(ih->frag_off) & IP_OFFSET)
4184 			break;
4185 
4186 		offset += ihlen;
4187 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4188 		if (th == NULL)
4189 			break;
4190 
4191 		ad->u.net->sport = th->source;
4192 		ad->u.net->dport = th->dest;
4193 		break;
4194 	}
4195 
4196 	case IPPROTO_UDP: {
4197 		struct udphdr _udph, *uh;
4198 
4199 		if (ntohs(ih->frag_off) & IP_OFFSET)
4200 			break;
4201 
4202 		offset += ihlen;
4203 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4204 		if (uh == NULL)
4205 			break;
4206 
4207 		ad->u.net->sport = uh->source;
4208 		ad->u.net->dport = uh->dest;
4209 		break;
4210 	}
4211 
4212 	case IPPROTO_DCCP: {
4213 		struct dccp_hdr _dccph, *dh;
4214 
4215 		if (ntohs(ih->frag_off) & IP_OFFSET)
4216 			break;
4217 
4218 		offset += ihlen;
4219 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4220 		if (dh == NULL)
4221 			break;
4222 
4223 		ad->u.net->sport = dh->dccph_sport;
4224 		ad->u.net->dport = dh->dccph_dport;
4225 		break;
4226 	}
4227 
4228 #if IS_ENABLED(CONFIG_IP_SCTP)
4229 	case IPPROTO_SCTP: {
4230 		struct sctphdr _sctph, *sh;
4231 
4232 		if (ntohs(ih->frag_off) & IP_OFFSET)
4233 			break;
4234 
4235 		offset += ihlen;
4236 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4237 		if (sh == NULL)
4238 			break;
4239 
4240 		ad->u.net->sport = sh->source;
4241 		ad->u.net->dport = sh->dest;
4242 		break;
4243 	}
4244 #endif
4245 	default:
4246 		break;
4247 	}
4248 out:
4249 	return ret;
4250 }
4251 
4252 #if IS_ENABLED(CONFIG_IPV6)
4253 
4254 /* Returns error only if unable to parse addresses */
4255 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4256 			struct common_audit_data *ad, u8 *proto)
4257 {
4258 	u8 nexthdr;
4259 	int ret = -EINVAL, offset;
4260 	struct ipv6hdr _ipv6h, *ip6;
4261 	__be16 frag_off;
4262 
4263 	offset = skb_network_offset(skb);
4264 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4265 	if (ip6 == NULL)
4266 		goto out;
4267 
4268 	ad->u.net->v6info.saddr = ip6->saddr;
4269 	ad->u.net->v6info.daddr = ip6->daddr;
4270 	ret = 0;
4271 
4272 	nexthdr = ip6->nexthdr;
4273 	offset += sizeof(_ipv6h);
4274 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4275 	if (offset < 0)
4276 		goto out;
4277 
4278 	if (proto)
4279 		*proto = nexthdr;
4280 
4281 	switch (nexthdr) {
4282 	case IPPROTO_TCP: {
4283 		struct tcphdr _tcph, *th;
4284 
4285 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4286 		if (th == NULL)
4287 			break;
4288 
4289 		ad->u.net->sport = th->source;
4290 		ad->u.net->dport = th->dest;
4291 		break;
4292 	}
4293 
4294 	case IPPROTO_UDP: {
4295 		struct udphdr _udph, *uh;
4296 
4297 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4298 		if (uh == NULL)
4299 			break;
4300 
4301 		ad->u.net->sport = uh->source;
4302 		ad->u.net->dport = uh->dest;
4303 		break;
4304 	}
4305 
4306 	case IPPROTO_DCCP: {
4307 		struct dccp_hdr _dccph, *dh;
4308 
4309 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4310 		if (dh == NULL)
4311 			break;
4312 
4313 		ad->u.net->sport = dh->dccph_sport;
4314 		ad->u.net->dport = dh->dccph_dport;
4315 		break;
4316 	}
4317 
4318 #if IS_ENABLED(CONFIG_IP_SCTP)
4319 	case IPPROTO_SCTP: {
4320 		struct sctphdr _sctph, *sh;
4321 
4322 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4323 		if (sh == NULL)
4324 			break;
4325 
4326 		ad->u.net->sport = sh->source;
4327 		ad->u.net->dport = sh->dest;
4328 		break;
4329 	}
4330 #endif
4331 	/* includes fragments */
4332 	default:
4333 		break;
4334 	}
4335 out:
4336 	return ret;
4337 }
4338 
4339 #endif /* IPV6 */
4340 
4341 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4342 			     char **_addrp, int src, u8 *proto)
4343 {
4344 	char *addrp;
4345 	int ret;
4346 
4347 	switch (ad->u.net->family) {
4348 	case PF_INET:
4349 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4350 		if (ret)
4351 			goto parse_error;
4352 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4353 				       &ad->u.net->v4info.daddr);
4354 		goto okay;
4355 
4356 #if IS_ENABLED(CONFIG_IPV6)
4357 	case PF_INET6:
4358 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4359 		if (ret)
4360 			goto parse_error;
4361 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4362 				       &ad->u.net->v6info.daddr);
4363 		goto okay;
4364 #endif	/* IPV6 */
4365 	default:
4366 		addrp = NULL;
4367 		goto okay;
4368 	}
4369 
4370 parse_error:
4371 	pr_warn(
4372 	       "SELinux: failure in selinux_parse_skb(),"
4373 	       " unable to parse packet\n");
4374 	return ret;
4375 
4376 okay:
4377 	if (_addrp)
4378 		*_addrp = addrp;
4379 	return 0;
4380 }
4381 
4382 /**
4383  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4384  * @skb: the packet
4385  * @family: protocol family
4386  * @sid: the packet's peer label SID
4387  *
4388  * Description:
4389  * Check the various different forms of network peer labeling and determine
4390  * the peer label/SID for the packet; most of the magic actually occurs in
4391  * the security server function security_net_peersid_cmp().  The function
4392  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4393  * or -EACCES if @sid is invalid due to inconsistencies with the different
4394  * peer labels.
4395  *
4396  */
4397 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4398 {
4399 	int err;
4400 	u32 xfrm_sid;
4401 	u32 nlbl_sid;
4402 	u32 nlbl_type;
4403 
4404 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4405 	if (unlikely(err))
4406 		return -EACCES;
4407 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4408 	if (unlikely(err))
4409 		return -EACCES;
4410 
4411 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4412 					   nlbl_type, xfrm_sid, sid);
4413 	if (unlikely(err)) {
4414 		pr_warn(
4415 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4416 		       " unable to determine packet's peer label\n");
4417 		return -EACCES;
4418 	}
4419 
4420 	return 0;
4421 }
4422 
4423 /**
4424  * selinux_conn_sid - Determine the child socket label for a connection
4425  * @sk_sid: the parent socket's SID
4426  * @skb_sid: the packet's SID
4427  * @conn_sid: the resulting connection SID
4428  *
4429  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4430  * combined with the MLS information from @skb_sid in order to create
4431  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4432  * of @sk_sid.  Returns zero on success, negative values on failure.
4433  *
4434  */
4435 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4436 {
4437 	int err = 0;
4438 
4439 	if (skb_sid != SECSID_NULL)
4440 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4441 					    conn_sid);
4442 	else
4443 		*conn_sid = sk_sid;
4444 
4445 	return err;
4446 }
4447 
4448 /* socket security operations */
4449 
4450 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4451 				 u16 secclass, u32 *socksid)
4452 {
4453 	if (tsec->sockcreate_sid > SECSID_NULL) {
4454 		*socksid = tsec->sockcreate_sid;
4455 		return 0;
4456 	}
4457 
4458 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4459 				       secclass, NULL, socksid);
4460 }
4461 
4462 static int sock_has_perm(struct sock *sk, u32 perms)
4463 {
4464 	struct sk_security_struct *sksec = sk->sk_security;
4465 	struct common_audit_data ad;
4466 	struct lsm_network_audit net = {0,};
4467 
4468 	if (sksec->sid == SECINITSID_KERNEL)
4469 		return 0;
4470 
4471 	ad.type = LSM_AUDIT_DATA_NET;
4472 	ad.u.net = &net;
4473 	ad.u.net->sk = sk;
4474 
4475 	return avc_has_perm(&selinux_state,
4476 			    current_sid(), sksec->sid, sksec->sclass, perms,
4477 			    &ad);
4478 }
4479 
4480 static int selinux_socket_create(int family, int type,
4481 				 int protocol, int kern)
4482 {
4483 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4484 	u32 newsid;
4485 	u16 secclass;
4486 	int rc;
4487 
4488 	if (kern)
4489 		return 0;
4490 
4491 	secclass = socket_type_to_security_class(family, type, protocol);
4492 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4493 	if (rc)
4494 		return rc;
4495 
4496 	return avc_has_perm(&selinux_state,
4497 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4498 }
4499 
4500 static int selinux_socket_post_create(struct socket *sock, int family,
4501 				      int type, int protocol, int kern)
4502 {
4503 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4504 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4505 	struct sk_security_struct *sksec;
4506 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4507 	u32 sid = SECINITSID_KERNEL;
4508 	int err = 0;
4509 
4510 	if (!kern) {
4511 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4512 		if (err)
4513 			return err;
4514 	}
4515 
4516 	isec->sclass = sclass;
4517 	isec->sid = sid;
4518 	isec->initialized = LABEL_INITIALIZED;
4519 
4520 	if (sock->sk) {
4521 		sksec = sock->sk->sk_security;
4522 		sksec->sclass = sclass;
4523 		sksec->sid = sid;
4524 		/* Allows detection of the first association on this socket */
4525 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4526 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4527 
4528 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4529 	}
4530 
4531 	return err;
4532 }
4533 
4534 static int selinux_socket_socketpair(struct socket *socka,
4535 				     struct socket *sockb)
4536 {
4537 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4538 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4539 
4540 	sksec_a->peer_sid = sksec_b->sid;
4541 	sksec_b->peer_sid = sksec_a->sid;
4542 
4543 	return 0;
4544 }
4545 
4546 /* Range of port numbers used to automatically bind.
4547    Need to determine whether we should perform a name_bind
4548    permission check between the socket and the port number. */
4549 
4550 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4551 {
4552 	struct sock *sk = sock->sk;
4553 	struct sk_security_struct *sksec = sk->sk_security;
4554 	u16 family;
4555 	int err;
4556 
4557 	err = sock_has_perm(sk, SOCKET__BIND);
4558 	if (err)
4559 		goto out;
4560 
4561 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4562 	family = sk->sk_family;
4563 	if (family == PF_INET || family == PF_INET6) {
4564 		char *addrp;
4565 		struct common_audit_data ad;
4566 		struct lsm_network_audit net = {0,};
4567 		struct sockaddr_in *addr4 = NULL;
4568 		struct sockaddr_in6 *addr6 = NULL;
4569 		u16 family_sa;
4570 		unsigned short snum;
4571 		u32 sid, node_perm;
4572 
4573 		/*
4574 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4575 		 * that validates multiple binding addresses. Because of this
4576 		 * need to check address->sa_family as it is possible to have
4577 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4578 		 */
4579 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4580 			return -EINVAL;
4581 		family_sa = address->sa_family;
4582 		switch (family_sa) {
4583 		case AF_UNSPEC:
4584 		case AF_INET:
4585 			if (addrlen < sizeof(struct sockaddr_in))
4586 				return -EINVAL;
4587 			addr4 = (struct sockaddr_in *)address;
4588 			if (family_sa == AF_UNSPEC) {
4589 				/* see __inet_bind(), we only want to allow
4590 				 * AF_UNSPEC if the address is INADDR_ANY
4591 				 */
4592 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4593 					goto err_af;
4594 				family_sa = AF_INET;
4595 			}
4596 			snum = ntohs(addr4->sin_port);
4597 			addrp = (char *)&addr4->sin_addr.s_addr;
4598 			break;
4599 		case AF_INET6:
4600 			if (addrlen < SIN6_LEN_RFC2133)
4601 				return -EINVAL;
4602 			addr6 = (struct sockaddr_in6 *)address;
4603 			snum = ntohs(addr6->sin6_port);
4604 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4605 			break;
4606 		default:
4607 			goto err_af;
4608 		}
4609 
4610 		ad.type = LSM_AUDIT_DATA_NET;
4611 		ad.u.net = &net;
4612 		ad.u.net->sport = htons(snum);
4613 		ad.u.net->family = family_sa;
4614 
4615 		if (snum) {
4616 			int low, high;
4617 
4618 			inet_get_local_port_range(sock_net(sk), &low, &high);
4619 
4620 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4621 			    snum < low || snum > high) {
4622 				err = sel_netport_sid(sk->sk_protocol,
4623 						      snum, &sid);
4624 				if (err)
4625 					goto out;
4626 				err = avc_has_perm(&selinux_state,
4627 						   sksec->sid, sid,
4628 						   sksec->sclass,
4629 						   SOCKET__NAME_BIND, &ad);
4630 				if (err)
4631 					goto out;
4632 			}
4633 		}
4634 
4635 		switch (sksec->sclass) {
4636 		case SECCLASS_TCP_SOCKET:
4637 			node_perm = TCP_SOCKET__NODE_BIND;
4638 			break;
4639 
4640 		case SECCLASS_UDP_SOCKET:
4641 			node_perm = UDP_SOCKET__NODE_BIND;
4642 			break;
4643 
4644 		case SECCLASS_DCCP_SOCKET:
4645 			node_perm = DCCP_SOCKET__NODE_BIND;
4646 			break;
4647 
4648 		case SECCLASS_SCTP_SOCKET:
4649 			node_perm = SCTP_SOCKET__NODE_BIND;
4650 			break;
4651 
4652 		default:
4653 			node_perm = RAWIP_SOCKET__NODE_BIND;
4654 			break;
4655 		}
4656 
4657 		err = sel_netnode_sid(addrp, family_sa, &sid);
4658 		if (err)
4659 			goto out;
4660 
4661 		if (family_sa == AF_INET)
4662 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4663 		else
4664 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4665 
4666 		err = avc_has_perm(&selinux_state,
4667 				   sksec->sid, sid,
4668 				   sksec->sclass, node_perm, &ad);
4669 		if (err)
4670 			goto out;
4671 	}
4672 out:
4673 	return err;
4674 err_af:
4675 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4676 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4677 		return -EINVAL;
4678 	return -EAFNOSUPPORT;
4679 }
4680 
4681 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4682  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4683  */
4684 static int selinux_socket_connect_helper(struct socket *sock,
4685 					 struct sockaddr *address, int addrlen)
4686 {
4687 	struct sock *sk = sock->sk;
4688 	struct sk_security_struct *sksec = sk->sk_security;
4689 	int err;
4690 
4691 	err = sock_has_perm(sk, SOCKET__CONNECT);
4692 	if (err)
4693 		return err;
4694 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4695 		return -EINVAL;
4696 
4697 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4698 	 * way to disconnect the socket
4699 	 */
4700 	if (address->sa_family == AF_UNSPEC)
4701 		return 0;
4702 
4703 	/*
4704 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4705 	 * for the port.
4706 	 */
4707 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4708 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4709 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4710 		struct common_audit_data ad;
4711 		struct lsm_network_audit net = {0,};
4712 		struct sockaddr_in *addr4 = NULL;
4713 		struct sockaddr_in6 *addr6 = NULL;
4714 		unsigned short snum;
4715 		u32 sid, perm;
4716 
4717 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4718 		 * that validates multiple connect addresses. Because of this
4719 		 * need to check address->sa_family as it is possible to have
4720 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4721 		 */
4722 		switch (address->sa_family) {
4723 		case AF_INET:
4724 			addr4 = (struct sockaddr_in *)address;
4725 			if (addrlen < sizeof(struct sockaddr_in))
4726 				return -EINVAL;
4727 			snum = ntohs(addr4->sin_port);
4728 			break;
4729 		case AF_INET6:
4730 			addr6 = (struct sockaddr_in6 *)address;
4731 			if (addrlen < SIN6_LEN_RFC2133)
4732 				return -EINVAL;
4733 			snum = ntohs(addr6->sin6_port);
4734 			break;
4735 		default:
4736 			/* Note that SCTP services expect -EINVAL, whereas
4737 			 * others expect -EAFNOSUPPORT.
4738 			 */
4739 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4740 				return -EINVAL;
4741 			else
4742 				return -EAFNOSUPPORT;
4743 		}
4744 
4745 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4746 		if (err)
4747 			return err;
4748 
4749 		switch (sksec->sclass) {
4750 		case SECCLASS_TCP_SOCKET:
4751 			perm = TCP_SOCKET__NAME_CONNECT;
4752 			break;
4753 		case SECCLASS_DCCP_SOCKET:
4754 			perm = DCCP_SOCKET__NAME_CONNECT;
4755 			break;
4756 		case SECCLASS_SCTP_SOCKET:
4757 			perm = SCTP_SOCKET__NAME_CONNECT;
4758 			break;
4759 		}
4760 
4761 		ad.type = LSM_AUDIT_DATA_NET;
4762 		ad.u.net = &net;
4763 		ad.u.net->dport = htons(snum);
4764 		ad.u.net->family = address->sa_family;
4765 		err = avc_has_perm(&selinux_state,
4766 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4767 		if (err)
4768 			return err;
4769 	}
4770 
4771 	return 0;
4772 }
4773 
4774 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4775 static int selinux_socket_connect(struct socket *sock,
4776 				  struct sockaddr *address, int addrlen)
4777 {
4778 	int err;
4779 	struct sock *sk = sock->sk;
4780 
4781 	err = selinux_socket_connect_helper(sock, address, addrlen);
4782 	if (err)
4783 		return err;
4784 
4785 	return selinux_netlbl_socket_connect(sk, address);
4786 }
4787 
4788 static int selinux_socket_listen(struct socket *sock, int backlog)
4789 {
4790 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4791 }
4792 
4793 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4794 {
4795 	int err;
4796 	struct inode_security_struct *isec;
4797 	struct inode_security_struct *newisec;
4798 	u16 sclass;
4799 	u32 sid;
4800 
4801 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4802 	if (err)
4803 		return err;
4804 
4805 	isec = inode_security_novalidate(SOCK_INODE(sock));
4806 	spin_lock(&isec->lock);
4807 	sclass = isec->sclass;
4808 	sid = isec->sid;
4809 	spin_unlock(&isec->lock);
4810 
4811 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4812 	newisec->sclass = sclass;
4813 	newisec->sid = sid;
4814 	newisec->initialized = LABEL_INITIALIZED;
4815 
4816 	return 0;
4817 }
4818 
4819 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4820 				  int size)
4821 {
4822 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4823 }
4824 
4825 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4826 				  int size, int flags)
4827 {
4828 	return sock_has_perm(sock->sk, SOCKET__READ);
4829 }
4830 
4831 static int selinux_socket_getsockname(struct socket *sock)
4832 {
4833 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4834 }
4835 
4836 static int selinux_socket_getpeername(struct socket *sock)
4837 {
4838 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4839 }
4840 
4841 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4842 {
4843 	int err;
4844 
4845 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4846 	if (err)
4847 		return err;
4848 
4849 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4850 }
4851 
4852 static int selinux_socket_getsockopt(struct socket *sock, int level,
4853 				     int optname)
4854 {
4855 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4856 }
4857 
4858 static int selinux_socket_shutdown(struct socket *sock, int how)
4859 {
4860 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4861 }
4862 
4863 static int selinux_socket_unix_stream_connect(struct sock *sock,
4864 					      struct sock *other,
4865 					      struct sock *newsk)
4866 {
4867 	struct sk_security_struct *sksec_sock = sock->sk_security;
4868 	struct sk_security_struct *sksec_other = other->sk_security;
4869 	struct sk_security_struct *sksec_new = newsk->sk_security;
4870 	struct common_audit_data ad;
4871 	struct lsm_network_audit net = {0,};
4872 	int err;
4873 
4874 	ad.type = LSM_AUDIT_DATA_NET;
4875 	ad.u.net = &net;
4876 	ad.u.net->sk = other;
4877 
4878 	err = avc_has_perm(&selinux_state,
4879 			   sksec_sock->sid, sksec_other->sid,
4880 			   sksec_other->sclass,
4881 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4882 	if (err)
4883 		return err;
4884 
4885 	/* server child socket */
4886 	sksec_new->peer_sid = sksec_sock->sid;
4887 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4888 				    sksec_sock->sid, &sksec_new->sid);
4889 	if (err)
4890 		return err;
4891 
4892 	/* connecting socket */
4893 	sksec_sock->peer_sid = sksec_new->sid;
4894 
4895 	return 0;
4896 }
4897 
4898 static int selinux_socket_unix_may_send(struct socket *sock,
4899 					struct socket *other)
4900 {
4901 	struct sk_security_struct *ssec = sock->sk->sk_security;
4902 	struct sk_security_struct *osec = other->sk->sk_security;
4903 	struct common_audit_data ad;
4904 	struct lsm_network_audit net = {0,};
4905 
4906 	ad.type = LSM_AUDIT_DATA_NET;
4907 	ad.u.net = &net;
4908 	ad.u.net->sk = other->sk;
4909 
4910 	return avc_has_perm(&selinux_state,
4911 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4912 			    &ad);
4913 }
4914 
4915 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4916 				    char *addrp, u16 family, u32 peer_sid,
4917 				    struct common_audit_data *ad)
4918 {
4919 	int err;
4920 	u32 if_sid;
4921 	u32 node_sid;
4922 
4923 	err = sel_netif_sid(ns, ifindex, &if_sid);
4924 	if (err)
4925 		return err;
4926 	err = avc_has_perm(&selinux_state,
4927 			   peer_sid, if_sid,
4928 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4929 	if (err)
4930 		return err;
4931 
4932 	err = sel_netnode_sid(addrp, family, &node_sid);
4933 	if (err)
4934 		return err;
4935 	return avc_has_perm(&selinux_state,
4936 			    peer_sid, node_sid,
4937 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4938 }
4939 
4940 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4941 				       u16 family)
4942 {
4943 	int err = 0;
4944 	struct sk_security_struct *sksec = sk->sk_security;
4945 	u32 sk_sid = sksec->sid;
4946 	struct common_audit_data ad;
4947 	struct lsm_network_audit net = {0,};
4948 	char *addrp;
4949 
4950 	ad.type = LSM_AUDIT_DATA_NET;
4951 	ad.u.net = &net;
4952 	ad.u.net->netif = skb->skb_iif;
4953 	ad.u.net->family = family;
4954 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4955 	if (err)
4956 		return err;
4957 
4958 	if (selinux_secmark_enabled()) {
4959 		err = avc_has_perm(&selinux_state,
4960 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4961 				   PACKET__RECV, &ad);
4962 		if (err)
4963 			return err;
4964 	}
4965 
4966 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4967 	if (err)
4968 		return err;
4969 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4970 
4971 	return err;
4972 }
4973 
4974 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4975 {
4976 	int err;
4977 	struct sk_security_struct *sksec = sk->sk_security;
4978 	u16 family = sk->sk_family;
4979 	u32 sk_sid = sksec->sid;
4980 	struct common_audit_data ad;
4981 	struct lsm_network_audit net = {0,};
4982 	char *addrp;
4983 	u8 secmark_active;
4984 	u8 peerlbl_active;
4985 
4986 	if (family != PF_INET && family != PF_INET6)
4987 		return 0;
4988 
4989 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
4990 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4991 		family = PF_INET;
4992 
4993 	/* If any sort of compatibility mode is enabled then handoff processing
4994 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
4995 	 * special handling.  We do this in an attempt to keep this function
4996 	 * as fast and as clean as possible. */
4997 	if (!selinux_policycap_netpeer())
4998 		return selinux_sock_rcv_skb_compat(sk, skb, family);
4999 
5000 	secmark_active = selinux_secmark_enabled();
5001 	peerlbl_active = selinux_peerlbl_enabled();
5002 	if (!secmark_active && !peerlbl_active)
5003 		return 0;
5004 
5005 	ad.type = LSM_AUDIT_DATA_NET;
5006 	ad.u.net = &net;
5007 	ad.u.net->netif = skb->skb_iif;
5008 	ad.u.net->family = family;
5009 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5010 	if (err)
5011 		return err;
5012 
5013 	if (peerlbl_active) {
5014 		u32 peer_sid;
5015 
5016 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5017 		if (err)
5018 			return err;
5019 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5020 					       addrp, family, peer_sid, &ad);
5021 		if (err) {
5022 			selinux_netlbl_err(skb, family, err, 0);
5023 			return err;
5024 		}
5025 		err = avc_has_perm(&selinux_state,
5026 				   sk_sid, peer_sid, SECCLASS_PEER,
5027 				   PEER__RECV, &ad);
5028 		if (err) {
5029 			selinux_netlbl_err(skb, family, err, 0);
5030 			return err;
5031 		}
5032 	}
5033 
5034 	if (secmark_active) {
5035 		err = avc_has_perm(&selinux_state,
5036 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5037 				   PACKET__RECV, &ad);
5038 		if (err)
5039 			return err;
5040 	}
5041 
5042 	return err;
5043 }
5044 
5045 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5046 					    int __user *optlen, unsigned len)
5047 {
5048 	int err = 0;
5049 	char *scontext;
5050 	u32 scontext_len;
5051 	struct sk_security_struct *sksec = sock->sk->sk_security;
5052 	u32 peer_sid = SECSID_NULL;
5053 
5054 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5055 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5056 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5057 		peer_sid = sksec->peer_sid;
5058 	if (peer_sid == SECSID_NULL)
5059 		return -ENOPROTOOPT;
5060 
5061 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5062 				      &scontext_len);
5063 	if (err)
5064 		return err;
5065 
5066 	if (scontext_len > len) {
5067 		err = -ERANGE;
5068 		goto out_len;
5069 	}
5070 
5071 	if (copy_to_user(optval, scontext, scontext_len))
5072 		err = -EFAULT;
5073 
5074 out_len:
5075 	if (put_user(scontext_len, optlen))
5076 		err = -EFAULT;
5077 	kfree(scontext);
5078 	return err;
5079 }
5080 
5081 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5082 {
5083 	u32 peer_secid = SECSID_NULL;
5084 	u16 family;
5085 	struct inode_security_struct *isec;
5086 
5087 	if (skb && skb->protocol == htons(ETH_P_IP))
5088 		family = PF_INET;
5089 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5090 		family = PF_INET6;
5091 	else if (sock)
5092 		family = sock->sk->sk_family;
5093 	else
5094 		goto out;
5095 
5096 	if (sock && family == PF_UNIX) {
5097 		isec = inode_security_novalidate(SOCK_INODE(sock));
5098 		peer_secid = isec->sid;
5099 	} else if (skb)
5100 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5101 
5102 out:
5103 	*secid = peer_secid;
5104 	if (peer_secid == SECSID_NULL)
5105 		return -EINVAL;
5106 	return 0;
5107 }
5108 
5109 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5110 {
5111 	struct sk_security_struct *sksec;
5112 
5113 	sksec = kzalloc(sizeof(*sksec), priority);
5114 	if (!sksec)
5115 		return -ENOMEM;
5116 
5117 	sksec->peer_sid = SECINITSID_UNLABELED;
5118 	sksec->sid = SECINITSID_UNLABELED;
5119 	sksec->sclass = SECCLASS_SOCKET;
5120 	selinux_netlbl_sk_security_reset(sksec);
5121 	sk->sk_security = sksec;
5122 
5123 	return 0;
5124 }
5125 
5126 static void selinux_sk_free_security(struct sock *sk)
5127 {
5128 	struct sk_security_struct *sksec = sk->sk_security;
5129 
5130 	sk->sk_security = NULL;
5131 	selinux_netlbl_sk_security_free(sksec);
5132 	kfree(sksec);
5133 }
5134 
5135 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5136 {
5137 	struct sk_security_struct *sksec = sk->sk_security;
5138 	struct sk_security_struct *newsksec = newsk->sk_security;
5139 
5140 	newsksec->sid = sksec->sid;
5141 	newsksec->peer_sid = sksec->peer_sid;
5142 	newsksec->sclass = sksec->sclass;
5143 
5144 	selinux_netlbl_sk_security_reset(newsksec);
5145 }
5146 
5147 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5148 {
5149 	if (!sk)
5150 		*secid = SECINITSID_ANY_SOCKET;
5151 	else {
5152 		struct sk_security_struct *sksec = sk->sk_security;
5153 
5154 		*secid = sksec->sid;
5155 	}
5156 }
5157 
5158 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5159 {
5160 	struct inode_security_struct *isec =
5161 		inode_security_novalidate(SOCK_INODE(parent));
5162 	struct sk_security_struct *sksec = sk->sk_security;
5163 
5164 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5165 	    sk->sk_family == PF_UNIX)
5166 		isec->sid = sksec->sid;
5167 	sksec->sclass = isec->sclass;
5168 }
5169 
5170 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5171  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5172  * already present).
5173  */
5174 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5175 				      struct sk_buff *skb)
5176 {
5177 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5178 	struct common_audit_data ad;
5179 	struct lsm_network_audit net = {0,};
5180 	u8 peerlbl_active;
5181 	u32 peer_sid = SECINITSID_UNLABELED;
5182 	u32 conn_sid;
5183 	int err = 0;
5184 
5185 	if (!selinux_policycap_extsockclass())
5186 		return 0;
5187 
5188 	peerlbl_active = selinux_peerlbl_enabled();
5189 
5190 	if (peerlbl_active) {
5191 		/* This will return peer_sid = SECSID_NULL if there are
5192 		 * no peer labels, see security_net_peersid_resolve().
5193 		 */
5194 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5195 					      &peer_sid);
5196 		if (err)
5197 			return err;
5198 
5199 		if (peer_sid == SECSID_NULL)
5200 			peer_sid = SECINITSID_UNLABELED;
5201 	}
5202 
5203 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5204 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5205 
5206 		/* Here as first association on socket. As the peer SID
5207 		 * was allowed by peer recv (and the netif/node checks),
5208 		 * then it is approved by policy and used as the primary
5209 		 * peer SID for getpeercon(3).
5210 		 */
5211 		sksec->peer_sid = peer_sid;
5212 	} else if  (sksec->peer_sid != peer_sid) {
5213 		/* Other association peer SIDs are checked to enforce
5214 		 * consistency among the peer SIDs.
5215 		 */
5216 		ad.type = LSM_AUDIT_DATA_NET;
5217 		ad.u.net = &net;
5218 		ad.u.net->sk = ep->base.sk;
5219 		err = avc_has_perm(&selinux_state,
5220 				   sksec->peer_sid, peer_sid, sksec->sclass,
5221 				   SCTP_SOCKET__ASSOCIATION, &ad);
5222 		if (err)
5223 			return err;
5224 	}
5225 
5226 	/* Compute the MLS component for the connection and store
5227 	 * the information in ep. This will be used by SCTP TCP type
5228 	 * sockets and peeled off connections as they cause a new
5229 	 * socket to be generated. selinux_sctp_sk_clone() will then
5230 	 * plug this into the new socket.
5231 	 */
5232 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5233 	if (err)
5234 		return err;
5235 
5236 	ep->secid = conn_sid;
5237 	ep->peer_secid = peer_sid;
5238 
5239 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5240 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5241 }
5242 
5243 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5244  * based on their @optname.
5245  */
5246 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5247 				     struct sockaddr *address,
5248 				     int addrlen)
5249 {
5250 	int len, err = 0, walk_size = 0;
5251 	void *addr_buf;
5252 	struct sockaddr *addr;
5253 	struct socket *sock;
5254 
5255 	if (!selinux_policycap_extsockclass())
5256 		return 0;
5257 
5258 	/* Process one or more addresses that may be IPv4 or IPv6 */
5259 	sock = sk->sk_socket;
5260 	addr_buf = address;
5261 
5262 	while (walk_size < addrlen) {
5263 		if (walk_size + sizeof(sa_family_t) > addrlen)
5264 			return -EINVAL;
5265 
5266 		addr = addr_buf;
5267 		switch (addr->sa_family) {
5268 		case AF_UNSPEC:
5269 		case AF_INET:
5270 			len = sizeof(struct sockaddr_in);
5271 			break;
5272 		case AF_INET6:
5273 			len = sizeof(struct sockaddr_in6);
5274 			break;
5275 		default:
5276 			return -EINVAL;
5277 		}
5278 
5279 		if (walk_size + len > addrlen)
5280 			return -EINVAL;
5281 
5282 		err = -EINVAL;
5283 		switch (optname) {
5284 		/* Bind checks */
5285 		case SCTP_PRIMARY_ADDR:
5286 		case SCTP_SET_PEER_PRIMARY_ADDR:
5287 		case SCTP_SOCKOPT_BINDX_ADD:
5288 			err = selinux_socket_bind(sock, addr, len);
5289 			break;
5290 		/* Connect checks */
5291 		case SCTP_SOCKOPT_CONNECTX:
5292 		case SCTP_PARAM_SET_PRIMARY:
5293 		case SCTP_PARAM_ADD_IP:
5294 		case SCTP_SENDMSG_CONNECT:
5295 			err = selinux_socket_connect_helper(sock, addr, len);
5296 			if (err)
5297 				return err;
5298 
5299 			/* As selinux_sctp_bind_connect() is called by the
5300 			 * SCTP protocol layer, the socket is already locked,
5301 			 * therefore selinux_netlbl_socket_connect_locked() is
5302 			 * is called here. The situations handled are:
5303 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5304 			 * whenever a new IP address is added or when a new
5305 			 * primary address is selected.
5306 			 * Note that an SCTP connect(2) call happens before
5307 			 * the SCTP protocol layer and is handled via
5308 			 * selinux_socket_connect().
5309 			 */
5310 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5311 			break;
5312 		}
5313 
5314 		if (err)
5315 			return err;
5316 
5317 		addr_buf += len;
5318 		walk_size += len;
5319 	}
5320 
5321 	return 0;
5322 }
5323 
5324 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5325 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5326 				  struct sock *newsk)
5327 {
5328 	struct sk_security_struct *sksec = sk->sk_security;
5329 	struct sk_security_struct *newsksec = newsk->sk_security;
5330 
5331 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5332 	 * the non-sctp clone version.
5333 	 */
5334 	if (!selinux_policycap_extsockclass())
5335 		return selinux_sk_clone_security(sk, newsk);
5336 
5337 	newsksec->sid = ep->secid;
5338 	newsksec->peer_sid = ep->peer_secid;
5339 	newsksec->sclass = sksec->sclass;
5340 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5341 }
5342 
5343 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5344 				     struct request_sock *req)
5345 {
5346 	struct sk_security_struct *sksec = sk->sk_security;
5347 	int err;
5348 	u16 family = req->rsk_ops->family;
5349 	u32 connsid;
5350 	u32 peersid;
5351 
5352 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5353 	if (err)
5354 		return err;
5355 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5356 	if (err)
5357 		return err;
5358 	req->secid = connsid;
5359 	req->peer_secid = peersid;
5360 
5361 	return selinux_netlbl_inet_conn_request(req, family);
5362 }
5363 
5364 static void selinux_inet_csk_clone(struct sock *newsk,
5365 				   const struct request_sock *req)
5366 {
5367 	struct sk_security_struct *newsksec = newsk->sk_security;
5368 
5369 	newsksec->sid = req->secid;
5370 	newsksec->peer_sid = req->peer_secid;
5371 	/* NOTE: Ideally, we should also get the isec->sid for the
5372 	   new socket in sync, but we don't have the isec available yet.
5373 	   So we will wait until sock_graft to do it, by which
5374 	   time it will have been created and available. */
5375 
5376 	/* We don't need to take any sort of lock here as we are the only
5377 	 * thread with access to newsksec */
5378 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5379 }
5380 
5381 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5382 {
5383 	u16 family = sk->sk_family;
5384 	struct sk_security_struct *sksec = sk->sk_security;
5385 
5386 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5387 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5388 		family = PF_INET;
5389 
5390 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5391 }
5392 
5393 static int selinux_secmark_relabel_packet(u32 sid)
5394 {
5395 	const struct task_security_struct *__tsec;
5396 	u32 tsid;
5397 
5398 	__tsec = selinux_cred(current_cred());
5399 	tsid = __tsec->sid;
5400 
5401 	return avc_has_perm(&selinux_state,
5402 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5403 			    NULL);
5404 }
5405 
5406 static void selinux_secmark_refcount_inc(void)
5407 {
5408 	atomic_inc(&selinux_secmark_refcount);
5409 }
5410 
5411 static void selinux_secmark_refcount_dec(void)
5412 {
5413 	atomic_dec(&selinux_secmark_refcount);
5414 }
5415 
5416 static void selinux_req_classify_flow(const struct request_sock *req,
5417 				      struct flowi *fl)
5418 {
5419 	fl->flowi_secid = req->secid;
5420 }
5421 
5422 static int selinux_tun_dev_alloc_security(void **security)
5423 {
5424 	struct tun_security_struct *tunsec;
5425 
5426 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5427 	if (!tunsec)
5428 		return -ENOMEM;
5429 	tunsec->sid = current_sid();
5430 
5431 	*security = tunsec;
5432 	return 0;
5433 }
5434 
5435 static void selinux_tun_dev_free_security(void *security)
5436 {
5437 	kfree(security);
5438 }
5439 
5440 static int selinux_tun_dev_create(void)
5441 {
5442 	u32 sid = current_sid();
5443 
5444 	/* we aren't taking into account the "sockcreate" SID since the socket
5445 	 * that is being created here is not a socket in the traditional sense,
5446 	 * instead it is a private sock, accessible only to the kernel, and
5447 	 * representing a wide range of network traffic spanning multiple
5448 	 * connections unlike traditional sockets - check the TUN driver to
5449 	 * get a better understanding of why this socket is special */
5450 
5451 	return avc_has_perm(&selinux_state,
5452 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5453 			    NULL);
5454 }
5455 
5456 static int selinux_tun_dev_attach_queue(void *security)
5457 {
5458 	struct tun_security_struct *tunsec = security;
5459 
5460 	return avc_has_perm(&selinux_state,
5461 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5462 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5463 }
5464 
5465 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5466 {
5467 	struct tun_security_struct *tunsec = security;
5468 	struct sk_security_struct *sksec = sk->sk_security;
5469 
5470 	/* we don't currently perform any NetLabel based labeling here and it
5471 	 * isn't clear that we would want to do so anyway; while we could apply
5472 	 * labeling without the support of the TUN user the resulting labeled
5473 	 * traffic from the other end of the connection would almost certainly
5474 	 * cause confusion to the TUN user that had no idea network labeling
5475 	 * protocols were being used */
5476 
5477 	sksec->sid = tunsec->sid;
5478 	sksec->sclass = SECCLASS_TUN_SOCKET;
5479 
5480 	return 0;
5481 }
5482 
5483 static int selinux_tun_dev_open(void *security)
5484 {
5485 	struct tun_security_struct *tunsec = security;
5486 	u32 sid = current_sid();
5487 	int err;
5488 
5489 	err = avc_has_perm(&selinux_state,
5490 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5491 			   TUN_SOCKET__RELABELFROM, NULL);
5492 	if (err)
5493 		return err;
5494 	err = avc_has_perm(&selinux_state,
5495 			   sid, sid, SECCLASS_TUN_SOCKET,
5496 			   TUN_SOCKET__RELABELTO, NULL);
5497 	if (err)
5498 		return err;
5499 	tunsec->sid = sid;
5500 
5501 	return 0;
5502 }
5503 
5504 #ifdef CONFIG_NETFILTER
5505 
5506 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5507 				       const struct net_device *indev,
5508 				       u16 family)
5509 {
5510 	int err;
5511 	char *addrp;
5512 	u32 peer_sid;
5513 	struct common_audit_data ad;
5514 	struct lsm_network_audit net = {0,};
5515 	u8 secmark_active;
5516 	u8 netlbl_active;
5517 	u8 peerlbl_active;
5518 
5519 	if (!selinux_policycap_netpeer())
5520 		return NF_ACCEPT;
5521 
5522 	secmark_active = selinux_secmark_enabled();
5523 	netlbl_active = netlbl_enabled();
5524 	peerlbl_active = selinux_peerlbl_enabled();
5525 	if (!secmark_active && !peerlbl_active)
5526 		return NF_ACCEPT;
5527 
5528 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5529 		return NF_DROP;
5530 
5531 	ad.type = LSM_AUDIT_DATA_NET;
5532 	ad.u.net = &net;
5533 	ad.u.net->netif = indev->ifindex;
5534 	ad.u.net->family = family;
5535 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5536 		return NF_DROP;
5537 
5538 	if (peerlbl_active) {
5539 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5540 					       addrp, family, peer_sid, &ad);
5541 		if (err) {
5542 			selinux_netlbl_err(skb, family, err, 1);
5543 			return NF_DROP;
5544 		}
5545 	}
5546 
5547 	if (secmark_active)
5548 		if (avc_has_perm(&selinux_state,
5549 				 peer_sid, skb->secmark,
5550 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5551 			return NF_DROP;
5552 
5553 	if (netlbl_active)
5554 		/* we do this in the FORWARD path and not the POST_ROUTING
5555 		 * path because we want to make sure we apply the necessary
5556 		 * labeling before IPsec is applied so we can leverage AH
5557 		 * protection */
5558 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5559 			return NF_DROP;
5560 
5561 	return NF_ACCEPT;
5562 }
5563 
5564 static unsigned int selinux_ipv4_forward(void *priv,
5565 					 struct sk_buff *skb,
5566 					 const struct nf_hook_state *state)
5567 {
5568 	return selinux_ip_forward(skb, state->in, PF_INET);
5569 }
5570 
5571 #if IS_ENABLED(CONFIG_IPV6)
5572 static unsigned int selinux_ipv6_forward(void *priv,
5573 					 struct sk_buff *skb,
5574 					 const struct nf_hook_state *state)
5575 {
5576 	return selinux_ip_forward(skb, state->in, PF_INET6);
5577 }
5578 #endif	/* IPV6 */
5579 
5580 static unsigned int selinux_ip_output(struct sk_buff *skb,
5581 				      u16 family)
5582 {
5583 	struct sock *sk;
5584 	u32 sid;
5585 
5586 	if (!netlbl_enabled())
5587 		return NF_ACCEPT;
5588 
5589 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5590 	 * because we want to make sure we apply the necessary labeling
5591 	 * before IPsec is applied so we can leverage AH protection */
5592 	sk = skb->sk;
5593 	if (sk) {
5594 		struct sk_security_struct *sksec;
5595 
5596 		if (sk_listener(sk))
5597 			/* if the socket is the listening state then this
5598 			 * packet is a SYN-ACK packet which means it needs to
5599 			 * be labeled based on the connection/request_sock and
5600 			 * not the parent socket.  unfortunately, we can't
5601 			 * lookup the request_sock yet as it isn't queued on
5602 			 * the parent socket until after the SYN-ACK is sent.
5603 			 * the "solution" is to simply pass the packet as-is
5604 			 * as any IP option based labeling should be copied
5605 			 * from the initial connection request (in the IP
5606 			 * layer).  it is far from ideal, but until we get a
5607 			 * security label in the packet itself this is the
5608 			 * best we can do. */
5609 			return NF_ACCEPT;
5610 
5611 		/* standard practice, label using the parent socket */
5612 		sksec = sk->sk_security;
5613 		sid = sksec->sid;
5614 	} else
5615 		sid = SECINITSID_KERNEL;
5616 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5617 		return NF_DROP;
5618 
5619 	return NF_ACCEPT;
5620 }
5621 
5622 static unsigned int selinux_ipv4_output(void *priv,
5623 					struct sk_buff *skb,
5624 					const struct nf_hook_state *state)
5625 {
5626 	return selinux_ip_output(skb, PF_INET);
5627 }
5628 
5629 #if IS_ENABLED(CONFIG_IPV6)
5630 static unsigned int selinux_ipv6_output(void *priv,
5631 					struct sk_buff *skb,
5632 					const struct nf_hook_state *state)
5633 {
5634 	return selinux_ip_output(skb, PF_INET6);
5635 }
5636 #endif	/* IPV6 */
5637 
5638 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5639 						int ifindex,
5640 						u16 family)
5641 {
5642 	struct sock *sk = skb_to_full_sk(skb);
5643 	struct sk_security_struct *sksec;
5644 	struct common_audit_data ad;
5645 	struct lsm_network_audit net = {0,};
5646 	char *addrp;
5647 	u8 proto;
5648 
5649 	if (sk == NULL)
5650 		return NF_ACCEPT;
5651 	sksec = sk->sk_security;
5652 
5653 	ad.type = LSM_AUDIT_DATA_NET;
5654 	ad.u.net = &net;
5655 	ad.u.net->netif = ifindex;
5656 	ad.u.net->family = family;
5657 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5658 		return NF_DROP;
5659 
5660 	if (selinux_secmark_enabled())
5661 		if (avc_has_perm(&selinux_state,
5662 				 sksec->sid, skb->secmark,
5663 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5664 			return NF_DROP_ERR(-ECONNREFUSED);
5665 
5666 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5667 		return NF_DROP_ERR(-ECONNREFUSED);
5668 
5669 	return NF_ACCEPT;
5670 }
5671 
5672 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5673 					 const struct net_device *outdev,
5674 					 u16 family)
5675 {
5676 	u32 secmark_perm;
5677 	u32 peer_sid;
5678 	int ifindex = outdev->ifindex;
5679 	struct sock *sk;
5680 	struct common_audit_data ad;
5681 	struct lsm_network_audit net = {0,};
5682 	char *addrp;
5683 	u8 secmark_active;
5684 	u8 peerlbl_active;
5685 
5686 	/* If any sort of compatibility mode is enabled then handoff processing
5687 	 * to the selinux_ip_postroute_compat() function to deal with the
5688 	 * special handling.  We do this in an attempt to keep this function
5689 	 * as fast and as clean as possible. */
5690 	if (!selinux_policycap_netpeer())
5691 		return selinux_ip_postroute_compat(skb, ifindex, family);
5692 
5693 	secmark_active = selinux_secmark_enabled();
5694 	peerlbl_active = selinux_peerlbl_enabled();
5695 	if (!secmark_active && !peerlbl_active)
5696 		return NF_ACCEPT;
5697 
5698 	sk = skb_to_full_sk(skb);
5699 
5700 #ifdef CONFIG_XFRM
5701 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5702 	 * packet transformation so allow the packet to pass without any checks
5703 	 * since we'll have another chance to perform access control checks
5704 	 * when the packet is on it's final way out.
5705 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5706 	 *       is NULL, in this case go ahead and apply access control.
5707 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5708 	 *       TCP listening state we cannot wait until the XFRM processing
5709 	 *       is done as we will miss out on the SA label if we do;
5710 	 *       unfortunately, this means more work, but it is only once per
5711 	 *       connection. */
5712 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5713 	    !(sk && sk_listener(sk)))
5714 		return NF_ACCEPT;
5715 #endif
5716 
5717 	if (sk == NULL) {
5718 		/* Without an associated socket the packet is either coming
5719 		 * from the kernel or it is being forwarded; check the packet
5720 		 * to determine which and if the packet is being forwarded
5721 		 * query the packet directly to determine the security label. */
5722 		if (skb->skb_iif) {
5723 			secmark_perm = PACKET__FORWARD_OUT;
5724 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5725 				return NF_DROP;
5726 		} else {
5727 			secmark_perm = PACKET__SEND;
5728 			peer_sid = SECINITSID_KERNEL;
5729 		}
5730 	} else if (sk_listener(sk)) {
5731 		/* Locally generated packet but the associated socket is in the
5732 		 * listening state which means this is a SYN-ACK packet.  In
5733 		 * this particular case the correct security label is assigned
5734 		 * to the connection/request_sock but unfortunately we can't
5735 		 * query the request_sock as it isn't queued on the parent
5736 		 * socket until after the SYN-ACK packet is sent; the only
5737 		 * viable choice is to regenerate the label like we do in
5738 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5739 		 * for similar problems. */
5740 		u32 skb_sid;
5741 		struct sk_security_struct *sksec;
5742 
5743 		sksec = sk->sk_security;
5744 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5745 			return NF_DROP;
5746 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5747 		 * and the packet has been through at least one XFRM
5748 		 * transformation then we must be dealing with the "final"
5749 		 * form of labeled IPsec packet; since we've already applied
5750 		 * all of our access controls on this packet we can safely
5751 		 * pass the packet. */
5752 		if (skb_sid == SECSID_NULL) {
5753 			switch (family) {
5754 			case PF_INET:
5755 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5756 					return NF_ACCEPT;
5757 				break;
5758 			case PF_INET6:
5759 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5760 					return NF_ACCEPT;
5761 				break;
5762 			default:
5763 				return NF_DROP_ERR(-ECONNREFUSED);
5764 			}
5765 		}
5766 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5767 			return NF_DROP;
5768 		secmark_perm = PACKET__SEND;
5769 	} else {
5770 		/* Locally generated packet, fetch the security label from the
5771 		 * associated socket. */
5772 		struct sk_security_struct *sksec = sk->sk_security;
5773 		peer_sid = sksec->sid;
5774 		secmark_perm = PACKET__SEND;
5775 	}
5776 
5777 	ad.type = LSM_AUDIT_DATA_NET;
5778 	ad.u.net = &net;
5779 	ad.u.net->netif = ifindex;
5780 	ad.u.net->family = family;
5781 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5782 		return NF_DROP;
5783 
5784 	if (secmark_active)
5785 		if (avc_has_perm(&selinux_state,
5786 				 peer_sid, skb->secmark,
5787 				 SECCLASS_PACKET, secmark_perm, &ad))
5788 			return NF_DROP_ERR(-ECONNREFUSED);
5789 
5790 	if (peerlbl_active) {
5791 		u32 if_sid;
5792 		u32 node_sid;
5793 
5794 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5795 			return NF_DROP;
5796 		if (avc_has_perm(&selinux_state,
5797 				 peer_sid, if_sid,
5798 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5799 			return NF_DROP_ERR(-ECONNREFUSED);
5800 
5801 		if (sel_netnode_sid(addrp, family, &node_sid))
5802 			return NF_DROP;
5803 		if (avc_has_perm(&selinux_state,
5804 				 peer_sid, node_sid,
5805 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5806 			return NF_DROP_ERR(-ECONNREFUSED);
5807 	}
5808 
5809 	return NF_ACCEPT;
5810 }
5811 
5812 static unsigned int selinux_ipv4_postroute(void *priv,
5813 					   struct sk_buff *skb,
5814 					   const struct nf_hook_state *state)
5815 {
5816 	return selinux_ip_postroute(skb, state->out, PF_INET);
5817 }
5818 
5819 #if IS_ENABLED(CONFIG_IPV6)
5820 static unsigned int selinux_ipv6_postroute(void *priv,
5821 					   struct sk_buff *skb,
5822 					   const struct nf_hook_state *state)
5823 {
5824 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5825 }
5826 #endif	/* IPV6 */
5827 
5828 #endif	/* CONFIG_NETFILTER */
5829 
5830 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5831 {
5832 	int err = 0;
5833 	u32 perm;
5834 	struct nlmsghdr *nlh;
5835 	struct sk_security_struct *sksec = sk->sk_security;
5836 
5837 	if (skb->len < NLMSG_HDRLEN) {
5838 		err = -EINVAL;
5839 		goto out;
5840 	}
5841 	nlh = nlmsg_hdr(skb);
5842 
5843 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5844 	if (err) {
5845 		if (err == -EINVAL) {
5846 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5847 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5848 			       " pid=%d comm=%s\n",
5849 			       sk->sk_protocol, nlh->nlmsg_type,
5850 			       secclass_map[sksec->sclass - 1].name,
5851 			       task_pid_nr(current), current->comm);
5852 			if (!enforcing_enabled(&selinux_state) ||
5853 			    security_get_allow_unknown(&selinux_state))
5854 				err = 0;
5855 		}
5856 
5857 		/* Ignore */
5858 		if (err == -ENOENT)
5859 			err = 0;
5860 		goto out;
5861 	}
5862 
5863 	err = sock_has_perm(sk, perm);
5864 out:
5865 	return err;
5866 }
5867 
5868 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5869 {
5870 	isec->sclass = sclass;
5871 	isec->sid = current_sid();
5872 }
5873 
5874 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5875 			u32 perms)
5876 {
5877 	struct ipc_security_struct *isec;
5878 	struct common_audit_data ad;
5879 	u32 sid = current_sid();
5880 
5881 	isec = selinux_ipc(ipc_perms);
5882 
5883 	ad.type = LSM_AUDIT_DATA_IPC;
5884 	ad.u.ipc_id = ipc_perms->key;
5885 
5886 	return avc_has_perm(&selinux_state,
5887 			    sid, isec->sid, isec->sclass, perms, &ad);
5888 }
5889 
5890 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5891 {
5892 	struct msg_security_struct *msec;
5893 
5894 	msec = selinux_msg_msg(msg);
5895 	msec->sid = SECINITSID_UNLABELED;
5896 
5897 	return 0;
5898 }
5899 
5900 /* message queue security operations */
5901 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5902 {
5903 	struct ipc_security_struct *isec;
5904 	struct common_audit_data ad;
5905 	u32 sid = current_sid();
5906 	int rc;
5907 
5908 	isec = selinux_ipc(msq);
5909 	ipc_init_security(isec, SECCLASS_MSGQ);
5910 
5911 	ad.type = LSM_AUDIT_DATA_IPC;
5912 	ad.u.ipc_id = msq->key;
5913 
5914 	rc = avc_has_perm(&selinux_state,
5915 			  sid, isec->sid, SECCLASS_MSGQ,
5916 			  MSGQ__CREATE, &ad);
5917 	return rc;
5918 }
5919 
5920 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5921 {
5922 	struct ipc_security_struct *isec;
5923 	struct common_audit_data ad;
5924 	u32 sid = current_sid();
5925 
5926 	isec = selinux_ipc(msq);
5927 
5928 	ad.type = LSM_AUDIT_DATA_IPC;
5929 	ad.u.ipc_id = msq->key;
5930 
5931 	return avc_has_perm(&selinux_state,
5932 			    sid, isec->sid, SECCLASS_MSGQ,
5933 			    MSGQ__ASSOCIATE, &ad);
5934 }
5935 
5936 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5937 {
5938 	int err;
5939 	int perms;
5940 
5941 	switch (cmd) {
5942 	case IPC_INFO:
5943 	case MSG_INFO:
5944 		/* No specific object, just general system-wide information. */
5945 		return avc_has_perm(&selinux_state,
5946 				    current_sid(), SECINITSID_KERNEL,
5947 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5948 	case IPC_STAT:
5949 	case MSG_STAT:
5950 	case MSG_STAT_ANY:
5951 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5952 		break;
5953 	case IPC_SET:
5954 		perms = MSGQ__SETATTR;
5955 		break;
5956 	case IPC_RMID:
5957 		perms = MSGQ__DESTROY;
5958 		break;
5959 	default:
5960 		return 0;
5961 	}
5962 
5963 	err = ipc_has_perm(msq, perms);
5964 	return err;
5965 }
5966 
5967 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5968 {
5969 	struct ipc_security_struct *isec;
5970 	struct msg_security_struct *msec;
5971 	struct common_audit_data ad;
5972 	u32 sid = current_sid();
5973 	int rc;
5974 
5975 	isec = selinux_ipc(msq);
5976 	msec = selinux_msg_msg(msg);
5977 
5978 	/*
5979 	 * First time through, need to assign label to the message
5980 	 */
5981 	if (msec->sid == SECINITSID_UNLABELED) {
5982 		/*
5983 		 * Compute new sid based on current process and
5984 		 * message queue this message will be stored in
5985 		 */
5986 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
5987 					     SECCLASS_MSG, NULL, &msec->sid);
5988 		if (rc)
5989 			return rc;
5990 	}
5991 
5992 	ad.type = LSM_AUDIT_DATA_IPC;
5993 	ad.u.ipc_id = msq->key;
5994 
5995 	/* Can this process write to the queue? */
5996 	rc = avc_has_perm(&selinux_state,
5997 			  sid, isec->sid, SECCLASS_MSGQ,
5998 			  MSGQ__WRITE, &ad);
5999 	if (!rc)
6000 		/* Can this process send the message */
6001 		rc = avc_has_perm(&selinux_state,
6002 				  sid, msec->sid, SECCLASS_MSG,
6003 				  MSG__SEND, &ad);
6004 	if (!rc)
6005 		/* Can the message be put in the queue? */
6006 		rc = avc_has_perm(&selinux_state,
6007 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6008 				  MSGQ__ENQUEUE, &ad);
6009 
6010 	return rc;
6011 }
6012 
6013 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6014 				    struct task_struct *target,
6015 				    long type, int mode)
6016 {
6017 	struct ipc_security_struct *isec;
6018 	struct msg_security_struct *msec;
6019 	struct common_audit_data ad;
6020 	u32 sid = task_sid(target);
6021 	int rc;
6022 
6023 	isec = selinux_ipc(msq);
6024 	msec = selinux_msg_msg(msg);
6025 
6026 	ad.type = LSM_AUDIT_DATA_IPC;
6027 	ad.u.ipc_id = msq->key;
6028 
6029 	rc = avc_has_perm(&selinux_state,
6030 			  sid, isec->sid,
6031 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6032 	if (!rc)
6033 		rc = avc_has_perm(&selinux_state,
6034 				  sid, msec->sid,
6035 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6036 	return rc;
6037 }
6038 
6039 /* Shared Memory security operations */
6040 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6041 {
6042 	struct ipc_security_struct *isec;
6043 	struct common_audit_data ad;
6044 	u32 sid = current_sid();
6045 	int rc;
6046 
6047 	isec = selinux_ipc(shp);
6048 	ipc_init_security(isec, SECCLASS_SHM);
6049 
6050 	ad.type = LSM_AUDIT_DATA_IPC;
6051 	ad.u.ipc_id = shp->key;
6052 
6053 	rc = avc_has_perm(&selinux_state,
6054 			  sid, isec->sid, SECCLASS_SHM,
6055 			  SHM__CREATE, &ad);
6056 	return rc;
6057 }
6058 
6059 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6060 {
6061 	struct ipc_security_struct *isec;
6062 	struct common_audit_data ad;
6063 	u32 sid = current_sid();
6064 
6065 	isec = selinux_ipc(shp);
6066 
6067 	ad.type = LSM_AUDIT_DATA_IPC;
6068 	ad.u.ipc_id = shp->key;
6069 
6070 	return avc_has_perm(&selinux_state,
6071 			    sid, isec->sid, SECCLASS_SHM,
6072 			    SHM__ASSOCIATE, &ad);
6073 }
6074 
6075 /* Note, at this point, shp is locked down */
6076 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6077 {
6078 	int perms;
6079 	int err;
6080 
6081 	switch (cmd) {
6082 	case IPC_INFO:
6083 	case SHM_INFO:
6084 		/* No specific object, just general system-wide information. */
6085 		return avc_has_perm(&selinux_state,
6086 				    current_sid(), SECINITSID_KERNEL,
6087 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6088 	case IPC_STAT:
6089 	case SHM_STAT:
6090 	case SHM_STAT_ANY:
6091 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6092 		break;
6093 	case IPC_SET:
6094 		perms = SHM__SETATTR;
6095 		break;
6096 	case SHM_LOCK:
6097 	case SHM_UNLOCK:
6098 		perms = SHM__LOCK;
6099 		break;
6100 	case IPC_RMID:
6101 		perms = SHM__DESTROY;
6102 		break;
6103 	default:
6104 		return 0;
6105 	}
6106 
6107 	err = ipc_has_perm(shp, perms);
6108 	return err;
6109 }
6110 
6111 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6112 			     char __user *shmaddr, int shmflg)
6113 {
6114 	u32 perms;
6115 
6116 	if (shmflg & SHM_RDONLY)
6117 		perms = SHM__READ;
6118 	else
6119 		perms = SHM__READ | SHM__WRITE;
6120 
6121 	return ipc_has_perm(shp, perms);
6122 }
6123 
6124 /* Semaphore security operations */
6125 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6126 {
6127 	struct ipc_security_struct *isec;
6128 	struct common_audit_data ad;
6129 	u32 sid = current_sid();
6130 	int rc;
6131 
6132 	isec = selinux_ipc(sma);
6133 	ipc_init_security(isec, SECCLASS_SEM);
6134 
6135 	ad.type = LSM_AUDIT_DATA_IPC;
6136 	ad.u.ipc_id = sma->key;
6137 
6138 	rc = avc_has_perm(&selinux_state,
6139 			  sid, isec->sid, SECCLASS_SEM,
6140 			  SEM__CREATE, &ad);
6141 	return rc;
6142 }
6143 
6144 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6145 {
6146 	struct ipc_security_struct *isec;
6147 	struct common_audit_data ad;
6148 	u32 sid = current_sid();
6149 
6150 	isec = selinux_ipc(sma);
6151 
6152 	ad.type = LSM_AUDIT_DATA_IPC;
6153 	ad.u.ipc_id = sma->key;
6154 
6155 	return avc_has_perm(&selinux_state,
6156 			    sid, isec->sid, SECCLASS_SEM,
6157 			    SEM__ASSOCIATE, &ad);
6158 }
6159 
6160 /* Note, at this point, sma is locked down */
6161 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6162 {
6163 	int err;
6164 	u32 perms;
6165 
6166 	switch (cmd) {
6167 	case IPC_INFO:
6168 	case SEM_INFO:
6169 		/* No specific object, just general system-wide information. */
6170 		return avc_has_perm(&selinux_state,
6171 				    current_sid(), SECINITSID_KERNEL,
6172 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6173 	case GETPID:
6174 	case GETNCNT:
6175 	case GETZCNT:
6176 		perms = SEM__GETATTR;
6177 		break;
6178 	case GETVAL:
6179 	case GETALL:
6180 		perms = SEM__READ;
6181 		break;
6182 	case SETVAL:
6183 	case SETALL:
6184 		perms = SEM__WRITE;
6185 		break;
6186 	case IPC_RMID:
6187 		perms = SEM__DESTROY;
6188 		break;
6189 	case IPC_SET:
6190 		perms = SEM__SETATTR;
6191 		break;
6192 	case IPC_STAT:
6193 	case SEM_STAT:
6194 	case SEM_STAT_ANY:
6195 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6196 		break;
6197 	default:
6198 		return 0;
6199 	}
6200 
6201 	err = ipc_has_perm(sma, perms);
6202 	return err;
6203 }
6204 
6205 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6206 			     struct sembuf *sops, unsigned nsops, int alter)
6207 {
6208 	u32 perms;
6209 
6210 	if (alter)
6211 		perms = SEM__READ | SEM__WRITE;
6212 	else
6213 		perms = SEM__READ;
6214 
6215 	return ipc_has_perm(sma, perms);
6216 }
6217 
6218 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6219 {
6220 	u32 av = 0;
6221 
6222 	av = 0;
6223 	if (flag & S_IRUGO)
6224 		av |= IPC__UNIX_READ;
6225 	if (flag & S_IWUGO)
6226 		av |= IPC__UNIX_WRITE;
6227 
6228 	if (av == 0)
6229 		return 0;
6230 
6231 	return ipc_has_perm(ipcp, av);
6232 }
6233 
6234 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6235 {
6236 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6237 	*secid = isec->sid;
6238 }
6239 
6240 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6241 {
6242 	if (inode)
6243 		inode_doinit_with_dentry(inode, dentry);
6244 }
6245 
6246 static int selinux_getprocattr(struct task_struct *p,
6247 			       char *name, char **value)
6248 {
6249 	const struct task_security_struct *__tsec;
6250 	u32 sid;
6251 	int error;
6252 	unsigned len;
6253 
6254 	rcu_read_lock();
6255 	__tsec = selinux_cred(__task_cred(p));
6256 
6257 	if (current != p) {
6258 		error = avc_has_perm(&selinux_state,
6259 				     current_sid(), __tsec->sid,
6260 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6261 		if (error)
6262 			goto bad;
6263 	}
6264 
6265 	if (!strcmp(name, "current"))
6266 		sid = __tsec->sid;
6267 	else if (!strcmp(name, "prev"))
6268 		sid = __tsec->osid;
6269 	else if (!strcmp(name, "exec"))
6270 		sid = __tsec->exec_sid;
6271 	else if (!strcmp(name, "fscreate"))
6272 		sid = __tsec->create_sid;
6273 	else if (!strcmp(name, "keycreate"))
6274 		sid = __tsec->keycreate_sid;
6275 	else if (!strcmp(name, "sockcreate"))
6276 		sid = __tsec->sockcreate_sid;
6277 	else {
6278 		error = -EINVAL;
6279 		goto bad;
6280 	}
6281 	rcu_read_unlock();
6282 
6283 	if (!sid)
6284 		return 0;
6285 
6286 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6287 	if (error)
6288 		return error;
6289 	return len;
6290 
6291 bad:
6292 	rcu_read_unlock();
6293 	return error;
6294 }
6295 
6296 static int selinux_setprocattr(const char *name, void *value, size_t size)
6297 {
6298 	struct task_security_struct *tsec;
6299 	struct cred *new;
6300 	u32 mysid = current_sid(), sid = 0, ptsid;
6301 	int error;
6302 	char *str = value;
6303 
6304 	/*
6305 	 * Basic control over ability to set these attributes at all.
6306 	 */
6307 	if (!strcmp(name, "exec"))
6308 		error = avc_has_perm(&selinux_state,
6309 				     mysid, mysid, SECCLASS_PROCESS,
6310 				     PROCESS__SETEXEC, NULL);
6311 	else if (!strcmp(name, "fscreate"))
6312 		error = avc_has_perm(&selinux_state,
6313 				     mysid, mysid, SECCLASS_PROCESS,
6314 				     PROCESS__SETFSCREATE, NULL);
6315 	else if (!strcmp(name, "keycreate"))
6316 		error = avc_has_perm(&selinux_state,
6317 				     mysid, mysid, SECCLASS_PROCESS,
6318 				     PROCESS__SETKEYCREATE, NULL);
6319 	else if (!strcmp(name, "sockcreate"))
6320 		error = avc_has_perm(&selinux_state,
6321 				     mysid, mysid, SECCLASS_PROCESS,
6322 				     PROCESS__SETSOCKCREATE, NULL);
6323 	else if (!strcmp(name, "current"))
6324 		error = avc_has_perm(&selinux_state,
6325 				     mysid, mysid, SECCLASS_PROCESS,
6326 				     PROCESS__SETCURRENT, NULL);
6327 	else
6328 		error = -EINVAL;
6329 	if (error)
6330 		return error;
6331 
6332 	/* Obtain a SID for the context, if one was specified. */
6333 	if (size && str[0] && str[0] != '\n') {
6334 		if (str[size-1] == '\n') {
6335 			str[size-1] = 0;
6336 			size--;
6337 		}
6338 		error = security_context_to_sid(&selinux_state, value, size,
6339 						&sid, GFP_KERNEL);
6340 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6341 			if (!has_cap_mac_admin(true)) {
6342 				struct audit_buffer *ab;
6343 				size_t audit_size;
6344 
6345 				/* We strip a nul only if it is at the end, otherwise the
6346 				 * context contains a nul and we should audit that */
6347 				if (str[size - 1] == '\0')
6348 					audit_size = size - 1;
6349 				else
6350 					audit_size = size;
6351 				ab = audit_log_start(audit_context(),
6352 						     GFP_ATOMIC,
6353 						     AUDIT_SELINUX_ERR);
6354 				audit_log_format(ab, "op=fscreate invalid_context=");
6355 				audit_log_n_untrustedstring(ab, value, audit_size);
6356 				audit_log_end(ab);
6357 
6358 				return error;
6359 			}
6360 			error = security_context_to_sid_force(
6361 						      &selinux_state,
6362 						      value, size, &sid);
6363 		}
6364 		if (error)
6365 			return error;
6366 	}
6367 
6368 	new = prepare_creds();
6369 	if (!new)
6370 		return -ENOMEM;
6371 
6372 	/* Permission checking based on the specified context is
6373 	   performed during the actual operation (execve,
6374 	   open/mkdir/...), when we know the full context of the
6375 	   operation.  See selinux_bprm_set_creds for the execve
6376 	   checks and may_create for the file creation checks. The
6377 	   operation will then fail if the context is not permitted. */
6378 	tsec = selinux_cred(new);
6379 	if (!strcmp(name, "exec")) {
6380 		tsec->exec_sid = sid;
6381 	} else if (!strcmp(name, "fscreate")) {
6382 		tsec->create_sid = sid;
6383 	} else if (!strcmp(name, "keycreate")) {
6384 		if (sid) {
6385 			error = avc_has_perm(&selinux_state, mysid, sid,
6386 					     SECCLASS_KEY, KEY__CREATE, NULL);
6387 			if (error)
6388 				goto abort_change;
6389 		}
6390 		tsec->keycreate_sid = sid;
6391 	} else if (!strcmp(name, "sockcreate")) {
6392 		tsec->sockcreate_sid = sid;
6393 	} else if (!strcmp(name, "current")) {
6394 		error = -EINVAL;
6395 		if (sid == 0)
6396 			goto abort_change;
6397 
6398 		/* Only allow single threaded processes to change context */
6399 		error = -EPERM;
6400 		if (!current_is_single_threaded()) {
6401 			error = security_bounded_transition(&selinux_state,
6402 							    tsec->sid, sid);
6403 			if (error)
6404 				goto abort_change;
6405 		}
6406 
6407 		/* Check permissions for the transition. */
6408 		error = avc_has_perm(&selinux_state,
6409 				     tsec->sid, sid, SECCLASS_PROCESS,
6410 				     PROCESS__DYNTRANSITION, NULL);
6411 		if (error)
6412 			goto abort_change;
6413 
6414 		/* Check for ptracing, and update the task SID if ok.
6415 		   Otherwise, leave SID unchanged and fail. */
6416 		ptsid = ptrace_parent_sid();
6417 		if (ptsid != 0) {
6418 			error = avc_has_perm(&selinux_state,
6419 					     ptsid, sid, SECCLASS_PROCESS,
6420 					     PROCESS__PTRACE, NULL);
6421 			if (error)
6422 				goto abort_change;
6423 		}
6424 
6425 		tsec->sid = sid;
6426 	} else {
6427 		error = -EINVAL;
6428 		goto abort_change;
6429 	}
6430 
6431 	commit_creds(new);
6432 	return size;
6433 
6434 abort_change:
6435 	abort_creds(new);
6436 	return error;
6437 }
6438 
6439 static int selinux_ismaclabel(const char *name)
6440 {
6441 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6442 }
6443 
6444 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6445 {
6446 	return security_sid_to_context(&selinux_state, secid,
6447 				       secdata, seclen);
6448 }
6449 
6450 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6451 {
6452 	return security_context_to_sid(&selinux_state, secdata, seclen,
6453 				       secid, GFP_KERNEL);
6454 }
6455 
6456 static void selinux_release_secctx(char *secdata, u32 seclen)
6457 {
6458 	kfree(secdata);
6459 }
6460 
6461 static void selinux_inode_invalidate_secctx(struct inode *inode)
6462 {
6463 	struct inode_security_struct *isec = selinux_inode(inode);
6464 
6465 	spin_lock(&isec->lock);
6466 	isec->initialized = LABEL_INVALID;
6467 	spin_unlock(&isec->lock);
6468 }
6469 
6470 /*
6471  *	called with inode->i_mutex locked
6472  */
6473 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6474 {
6475 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6476 					   ctx, ctxlen, 0);
6477 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6478 	return rc == -EOPNOTSUPP ? 0 : rc;
6479 }
6480 
6481 /*
6482  *	called with inode->i_mutex locked
6483  */
6484 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6485 {
6486 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6487 }
6488 
6489 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6490 {
6491 	int len = 0;
6492 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6493 						ctx, true);
6494 	if (len < 0)
6495 		return len;
6496 	*ctxlen = len;
6497 	return 0;
6498 }
6499 #ifdef CONFIG_KEYS
6500 
6501 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6502 			     unsigned long flags)
6503 {
6504 	const struct task_security_struct *tsec;
6505 	struct key_security_struct *ksec;
6506 
6507 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6508 	if (!ksec)
6509 		return -ENOMEM;
6510 
6511 	tsec = selinux_cred(cred);
6512 	if (tsec->keycreate_sid)
6513 		ksec->sid = tsec->keycreate_sid;
6514 	else
6515 		ksec->sid = tsec->sid;
6516 
6517 	k->security = ksec;
6518 	return 0;
6519 }
6520 
6521 static void selinux_key_free(struct key *k)
6522 {
6523 	struct key_security_struct *ksec = k->security;
6524 
6525 	k->security = NULL;
6526 	kfree(ksec);
6527 }
6528 
6529 static int selinux_key_permission(key_ref_t key_ref,
6530 				  const struct cred *cred,
6531 				  unsigned perm)
6532 {
6533 	struct key *key;
6534 	struct key_security_struct *ksec;
6535 	u32 sid;
6536 
6537 	/* if no specific permissions are requested, we skip the
6538 	   permission check. No serious, additional covert channels
6539 	   appear to be created. */
6540 	if (perm == 0)
6541 		return 0;
6542 
6543 	sid = cred_sid(cred);
6544 
6545 	key = key_ref_to_ptr(key_ref);
6546 	ksec = key->security;
6547 
6548 	return avc_has_perm(&selinux_state,
6549 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6550 }
6551 
6552 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6553 {
6554 	struct key_security_struct *ksec = key->security;
6555 	char *context = NULL;
6556 	unsigned len;
6557 	int rc;
6558 
6559 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6560 				     &context, &len);
6561 	if (!rc)
6562 		rc = len;
6563 	*_buffer = context;
6564 	return rc;
6565 }
6566 #endif
6567 
6568 #ifdef CONFIG_SECURITY_INFINIBAND
6569 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6570 {
6571 	struct common_audit_data ad;
6572 	int err;
6573 	u32 sid = 0;
6574 	struct ib_security_struct *sec = ib_sec;
6575 	struct lsm_ibpkey_audit ibpkey;
6576 
6577 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6578 	if (err)
6579 		return err;
6580 
6581 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6582 	ibpkey.subnet_prefix = subnet_prefix;
6583 	ibpkey.pkey = pkey_val;
6584 	ad.u.ibpkey = &ibpkey;
6585 	return avc_has_perm(&selinux_state,
6586 			    sec->sid, sid,
6587 			    SECCLASS_INFINIBAND_PKEY,
6588 			    INFINIBAND_PKEY__ACCESS, &ad);
6589 }
6590 
6591 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6592 					    u8 port_num)
6593 {
6594 	struct common_audit_data ad;
6595 	int err;
6596 	u32 sid = 0;
6597 	struct ib_security_struct *sec = ib_sec;
6598 	struct lsm_ibendport_audit ibendport;
6599 
6600 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6601 				      &sid);
6602 
6603 	if (err)
6604 		return err;
6605 
6606 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6607 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6608 	ibendport.port = port_num;
6609 	ad.u.ibendport = &ibendport;
6610 	return avc_has_perm(&selinux_state,
6611 			    sec->sid, sid,
6612 			    SECCLASS_INFINIBAND_ENDPORT,
6613 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6614 }
6615 
6616 static int selinux_ib_alloc_security(void **ib_sec)
6617 {
6618 	struct ib_security_struct *sec;
6619 
6620 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6621 	if (!sec)
6622 		return -ENOMEM;
6623 	sec->sid = current_sid();
6624 
6625 	*ib_sec = sec;
6626 	return 0;
6627 }
6628 
6629 static void selinux_ib_free_security(void *ib_sec)
6630 {
6631 	kfree(ib_sec);
6632 }
6633 #endif
6634 
6635 #ifdef CONFIG_BPF_SYSCALL
6636 static int selinux_bpf(int cmd, union bpf_attr *attr,
6637 				     unsigned int size)
6638 {
6639 	u32 sid = current_sid();
6640 	int ret;
6641 
6642 	switch (cmd) {
6643 	case BPF_MAP_CREATE:
6644 		ret = avc_has_perm(&selinux_state,
6645 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6646 				   NULL);
6647 		break;
6648 	case BPF_PROG_LOAD:
6649 		ret = avc_has_perm(&selinux_state,
6650 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6651 				   NULL);
6652 		break;
6653 	default:
6654 		ret = 0;
6655 		break;
6656 	}
6657 
6658 	return ret;
6659 }
6660 
6661 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6662 {
6663 	u32 av = 0;
6664 
6665 	if (fmode & FMODE_READ)
6666 		av |= BPF__MAP_READ;
6667 	if (fmode & FMODE_WRITE)
6668 		av |= BPF__MAP_WRITE;
6669 	return av;
6670 }
6671 
6672 /* This function will check the file pass through unix socket or binder to see
6673  * if it is a bpf related object. And apply correspinding checks on the bpf
6674  * object based on the type. The bpf maps and programs, not like other files and
6675  * socket, are using a shared anonymous inode inside the kernel as their inode.
6676  * So checking that inode cannot identify if the process have privilege to
6677  * access the bpf object and that's why we have to add this additional check in
6678  * selinux_file_receive and selinux_binder_transfer_files.
6679  */
6680 static int bpf_fd_pass(struct file *file, u32 sid)
6681 {
6682 	struct bpf_security_struct *bpfsec;
6683 	struct bpf_prog *prog;
6684 	struct bpf_map *map;
6685 	int ret;
6686 
6687 	if (file->f_op == &bpf_map_fops) {
6688 		map = file->private_data;
6689 		bpfsec = map->security;
6690 		ret = avc_has_perm(&selinux_state,
6691 				   sid, bpfsec->sid, SECCLASS_BPF,
6692 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6693 		if (ret)
6694 			return ret;
6695 	} else if (file->f_op == &bpf_prog_fops) {
6696 		prog = file->private_data;
6697 		bpfsec = prog->aux->security;
6698 		ret = avc_has_perm(&selinux_state,
6699 				   sid, bpfsec->sid, SECCLASS_BPF,
6700 				   BPF__PROG_RUN, NULL);
6701 		if (ret)
6702 			return ret;
6703 	}
6704 	return 0;
6705 }
6706 
6707 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6708 {
6709 	u32 sid = current_sid();
6710 	struct bpf_security_struct *bpfsec;
6711 
6712 	bpfsec = map->security;
6713 	return avc_has_perm(&selinux_state,
6714 			    sid, bpfsec->sid, SECCLASS_BPF,
6715 			    bpf_map_fmode_to_av(fmode), NULL);
6716 }
6717 
6718 static int selinux_bpf_prog(struct bpf_prog *prog)
6719 {
6720 	u32 sid = current_sid();
6721 	struct bpf_security_struct *bpfsec;
6722 
6723 	bpfsec = prog->aux->security;
6724 	return avc_has_perm(&selinux_state,
6725 			    sid, bpfsec->sid, SECCLASS_BPF,
6726 			    BPF__PROG_RUN, NULL);
6727 }
6728 
6729 static int selinux_bpf_map_alloc(struct bpf_map *map)
6730 {
6731 	struct bpf_security_struct *bpfsec;
6732 
6733 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6734 	if (!bpfsec)
6735 		return -ENOMEM;
6736 
6737 	bpfsec->sid = current_sid();
6738 	map->security = bpfsec;
6739 
6740 	return 0;
6741 }
6742 
6743 static void selinux_bpf_map_free(struct bpf_map *map)
6744 {
6745 	struct bpf_security_struct *bpfsec = map->security;
6746 
6747 	map->security = NULL;
6748 	kfree(bpfsec);
6749 }
6750 
6751 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6752 {
6753 	struct bpf_security_struct *bpfsec;
6754 
6755 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6756 	if (!bpfsec)
6757 		return -ENOMEM;
6758 
6759 	bpfsec->sid = current_sid();
6760 	aux->security = bpfsec;
6761 
6762 	return 0;
6763 }
6764 
6765 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6766 {
6767 	struct bpf_security_struct *bpfsec = aux->security;
6768 
6769 	aux->security = NULL;
6770 	kfree(bpfsec);
6771 }
6772 #endif
6773 
6774 static int selinux_lockdown(enum lockdown_reason what)
6775 {
6776 	struct common_audit_data ad;
6777 	u32 sid = current_sid();
6778 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
6779 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
6780 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6781 
6782 	if (WARN(invalid_reason, "Invalid lockdown reason")) {
6783 		audit_log(audit_context(),
6784 			  GFP_ATOMIC, AUDIT_SELINUX_ERR,
6785 			  "lockdown_reason=invalid");
6786 		return -EINVAL;
6787 	}
6788 
6789 	ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6790 	ad.u.reason = what;
6791 
6792 	if (what <= LOCKDOWN_INTEGRITY_MAX)
6793 		return avc_has_perm(&selinux_state,
6794 				    sid, sid, SECCLASS_LOCKDOWN,
6795 				    LOCKDOWN__INTEGRITY, &ad);
6796 	else
6797 		return avc_has_perm(&selinux_state,
6798 				    sid, sid, SECCLASS_LOCKDOWN,
6799 				    LOCKDOWN__CONFIDENTIALITY, &ad);
6800 }
6801 
6802 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6803 	.lbs_cred = sizeof(struct task_security_struct),
6804 	.lbs_file = sizeof(struct file_security_struct),
6805 	.lbs_inode = sizeof(struct inode_security_struct),
6806 	.lbs_ipc = sizeof(struct ipc_security_struct),
6807 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6808 };
6809 
6810 #ifdef CONFIG_PERF_EVENTS
6811 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6812 {
6813 	u32 requested, sid = current_sid();
6814 
6815 	if (type == PERF_SECURITY_OPEN)
6816 		requested = PERF_EVENT__OPEN;
6817 	else if (type == PERF_SECURITY_CPU)
6818 		requested = PERF_EVENT__CPU;
6819 	else if (type == PERF_SECURITY_KERNEL)
6820 		requested = PERF_EVENT__KERNEL;
6821 	else if (type == PERF_SECURITY_TRACEPOINT)
6822 		requested = PERF_EVENT__TRACEPOINT;
6823 	else
6824 		return -EINVAL;
6825 
6826 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6827 			    requested, NULL);
6828 }
6829 
6830 static int selinux_perf_event_alloc(struct perf_event *event)
6831 {
6832 	struct perf_event_security_struct *perfsec;
6833 
6834 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6835 	if (!perfsec)
6836 		return -ENOMEM;
6837 
6838 	perfsec->sid = current_sid();
6839 	event->security = perfsec;
6840 
6841 	return 0;
6842 }
6843 
6844 static void selinux_perf_event_free(struct perf_event *event)
6845 {
6846 	struct perf_event_security_struct *perfsec = event->security;
6847 
6848 	event->security = NULL;
6849 	kfree(perfsec);
6850 }
6851 
6852 static int selinux_perf_event_read(struct perf_event *event)
6853 {
6854 	struct perf_event_security_struct *perfsec = event->security;
6855 	u32 sid = current_sid();
6856 
6857 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6858 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6859 }
6860 
6861 static int selinux_perf_event_write(struct perf_event *event)
6862 {
6863 	struct perf_event_security_struct *perfsec = event->security;
6864 	u32 sid = current_sid();
6865 
6866 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6867 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6868 }
6869 #endif
6870 
6871 /*
6872  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6873  * 1. any hooks that don't belong to (2.) or (3.) below,
6874  * 2. hooks that both access structures allocated by other hooks, and allocate
6875  *    structures that can be later accessed by other hooks (mostly "cloning"
6876  *    hooks),
6877  * 3. hooks that only allocate structures that can be later accessed by other
6878  *    hooks ("allocating" hooks).
6879  *
6880  * Please follow block comment delimiters in the list to keep this order.
6881  *
6882  * This ordering is needed for SELinux runtime disable to work at least somewhat
6883  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6884  * when disabling SELinux at runtime.
6885  */
6886 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6887 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6888 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6889 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6890 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6891 
6892 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6893 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6894 	LSM_HOOK_INIT(capget, selinux_capget),
6895 	LSM_HOOK_INIT(capset, selinux_capset),
6896 	LSM_HOOK_INIT(capable, selinux_capable),
6897 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6898 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6899 	LSM_HOOK_INIT(syslog, selinux_syslog),
6900 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6901 
6902 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6903 
6904 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6905 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6906 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6907 
6908 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6909 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6910 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6911 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6912 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6913 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6914 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6915 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6916 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6917 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6918 
6919 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6920 
6921 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6922 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6923 
6924 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6925 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6926 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6927 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6928 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6929 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6930 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6931 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6932 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6933 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6934 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6935 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6936 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6937 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6938 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6939 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6940 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6941 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6942 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6943 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6944 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6945 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6946 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6947 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6948 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6949 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6950 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
6951 
6952 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6953 
6954 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6955 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6956 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6957 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6958 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6959 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6960 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6961 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6962 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6963 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6964 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6965 
6966 	LSM_HOOK_INIT(file_open, selinux_file_open),
6967 
6968 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6969 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6970 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6971 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6972 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6973 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6974 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6975 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6976 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6977 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6978 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6979 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6980 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6981 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6982 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6983 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6984 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6985 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6986 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6987 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6988 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6989 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
6990 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6991 
6992 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6993 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6994 
6995 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6996 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6997 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6998 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6999 
7000 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7001 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7002 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7003 
7004 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7005 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7006 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7007 
7008 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7009 
7010 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7011 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7012 
7013 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7014 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7015 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7016 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7017 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7018 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7019 
7020 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7021 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7022 
7023 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7024 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7025 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7026 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7027 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7028 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7029 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7030 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7031 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7032 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7033 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7034 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7035 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7036 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7037 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7038 	LSM_HOOK_INIT(socket_getpeersec_stream,
7039 			selinux_socket_getpeersec_stream),
7040 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7041 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7042 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7043 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7044 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7045 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7046 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7047 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7048 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7049 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7050 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7051 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7052 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7053 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7054 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7055 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7056 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7057 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7058 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7059 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7060 #ifdef CONFIG_SECURITY_INFINIBAND
7061 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7062 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7063 		      selinux_ib_endport_manage_subnet),
7064 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7065 #endif
7066 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7067 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7068 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7069 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7070 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7071 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7072 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7073 			selinux_xfrm_state_pol_flow_match),
7074 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7075 #endif
7076 
7077 #ifdef CONFIG_KEYS
7078 	LSM_HOOK_INIT(key_free, selinux_key_free),
7079 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7080 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7081 #endif
7082 
7083 #ifdef CONFIG_AUDIT
7084 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7085 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7086 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7087 #endif
7088 
7089 #ifdef CONFIG_BPF_SYSCALL
7090 	LSM_HOOK_INIT(bpf, selinux_bpf),
7091 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7092 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7093 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7094 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7095 #endif
7096 
7097 #ifdef CONFIG_PERF_EVENTS
7098 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7099 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7100 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7101 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7102 #endif
7103 
7104 	LSM_HOOK_INIT(locked_down, selinux_lockdown),
7105 
7106 	/*
7107 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7108 	 */
7109 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7110 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7111 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7112 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7113 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7114 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7115 #endif
7116 
7117 	/*
7118 	 * PUT "ALLOCATING" HOOKS HERE
7119 	 */
7120 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7121 	LSM_HOOK_INIT(msg_queue_alloc_security,
7122 		      selinux_msg_queue_alloc_security),
7123 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7124 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7125 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7126 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7127 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7128 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7129 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7130 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7131 #ifdef CONFIG_SECURITY_INFINIBAND
7132 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7133 #endif
7134 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7135 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7136 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7137 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7138 		      selinux_xfrm_state_alloc_acquire),
7139 #endif
7140 #ifdef CONFIG_KEYS
7141 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7142 #endif
7143 #ifdef CONFIG_AUDIT
7144 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7145 #endif
7146 #ifdef CONFIG_BPF_SYSCALL
7147 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7148 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7149 #endif
7150 #ifdef CONFIG_PERF_EVENTS
7151 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7152 #endif
7153 };
7154 
7155 static __init int selinux_init(void)
7156 {
7157 	pr_info("SELinux:  Initializing.\n");
7158 
7159 	memset(&selinux_state, 0, sizeof(selinux_state));
7160 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7161 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7162 	selinux_ss_init(&selinux_state.ss);
7163 	selinux_avc_init(&selinux_state.avc);
7164 
7165 	/* Set the security state for the initial task. */
7166 	cred_init_security();
7167 
7168 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7169 
7170 	avc_init();
7171 
7172 	avtab_cache_init();
7173 
7174 	ebitmap_cache_init();
7175 
7176 	hashtab_cache_init();
7177 
7178 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7179 
7180 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7181 		panic("SELinux: Unable to register AVC netcache callback\n");
7182 
7183 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7184 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7185 
7186 	if (selinux_enforcing_boot)
7187 		pr_debug("SELinux:  Starting in enforcing mode\n");
7188 	else
7189 		pr_debug("SELinux:  Starting in permissive mode\n");
7190 
7191 	fs_validate_description("selinux", selinux_fs_parameters);
7192 
7193 	return 0;
7194 }
7195 
7196 static void delayed_superblock_init(struct super_block *sb, void *unused)
7197 {
7198 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7199 }
7200 
7201 void selinux_complete_init(void)
7202 {
7203 	pr_debug("SELinux:  Completing initialization.\n");
7204 
7205 	/* Set up any superblocks initialized prior to the policy load. */
7206 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7207 	iterate_supers(delayed_superblock_init, NULL);
7208 }
7209 
7210 /* SELinux requires early initialization in order to label
7211    all processes and objects when they are created. */
7212 DEFINE_LSM(selinux) = {
7213 	.name = "selinux",
7214 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7215 	.enabled = &selinux_enabled_boot,
7216 	.blobs = &selinux_blob_sizes,
7217 	.init = selinux_init,
7218 };
7219 
7220 #if defined(CONFIG_NETFILTER)
7221 
7222 static const struct nf_hook_ops selinux_nf_ops[] = {
7223 	{
7224 		.hook =		selinux_ipv4_postroute,
7225 		.pf =		NFPROTO_IPV4,
7226 		.hooknum =	NF_INET_POST_ROUTING,
7227 		.priority =	NF_IP_PRI_SELINUX_LAST,
7228 	},
7229 	{
7230 		.hook =		selinux_ipv4_forward,
7231 		.pf =		NFPROTO_IPV4,
7232 		.hooknum =	NF_INET_FORWARD,
7233 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7234 	},
7235 	{
7236 		.hook =		selinux_ipv4_output,
7237 		.pf =		NFPROTO_IPV4,
7238 		.hooknum =	NF_INET_LOCAL_OUT,
7239 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7240 	},
7241 #if IS_ENABLED(CONFIG_IPV6)
7242 	{
7243 		.hook =		selinux_ipv6_postroute,
7244 		.pf =		NFPROTO_IPV6,
7245 		.hooknum =	NF_INET_POST_ROUTING,
7246 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7247 	},
7248 	{
7249 		.hook =		selinux_ipv6_forward,
7250 		.pf =		NFPROTO_IPV6,
7251 		.hooknum =	NF_INET_FORWARD,
7252 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7253 	},
7254 	{
7255 		.hook =		selinux_ipv6_output,
7256 		.pf =		NFPROTO_IPV6,
7257 		.hooknum =	NF_INET_LOCAL_OUT,
7258 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7259 	},
7260 #endif	/* IPV6 */
7261 };
7262 
7263 static int __net_init selinux_nf_register(struct net *net)
7264 {
7265 	return nf_register_net_hooks(net, selinux_nf_ops,
7266 				     ARRAY_SIZE(selinux_nf_ops));
7267 }
7268 
7269 static void __net_exit selinux_nf_unregister(struct net *net)
7270 {
7271 	nf_unregister_net_hooks(net, selinux_nf_ops,
7272 				ARRAY_SIZE(selinux_nf_ops));
7273 }
7274 
7275 static struct pernet_operations selinux_net_ops = {
7276 	.init = selinux_nf_register,
7277 	.exit = selinux_nf_unregister,
7278 };
7279 
7280 static int __init selinux_nf_ip_init(void)
7281 {
7282 	int err;
7283 
7284 	if (!selinux_enabled_boot)
7285 		return 0;
7286 
7287 	pr_debug("SELinux:  Registering netfilter hooks\n");
7288 
7289 	err = register_pernet_subsys(&selinux_net_ops);
7290 	if (err)
7291 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7292 
7293 	return 0;
7294 }
7295 __initcall(selinux_nf_ip_init);
7296 
7297 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7298 static void selinux_nf_ip_exit(void)
7299 {
7300 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7301 
7302 	unregister_pernet_subsys(&selinux_net_ops);
7303 }
7304 #endif
7305 
7306 #else /* CONFIG_NETFILTER */
7307 
7308 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7309 #define selinux_nf_ip_exit()
7310 #endif
7311 
7312 #endif /* CONFIG_NETFILTER */
7313 
7314 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7315 int selinux_disable(struct selinux_state *state)
7316 {
7317 	if (selinux_initialized(state)) {
7318 		/* Not permitted after initial policy load. */
7319 		return -EINVAL;
7320 	}
7321 
7322 	if (selinux_disabled(state)) {
7323 		/* Only do this once. */
7324 		return -EINVAL;
7325 	}
7326 
7327 	selinux_mark_disabled(state);
7328 
7329 	pr_info("SELinux:  Disabled at runtime.\n");
7330 
7331 	/*
7332 	 * Unregister netfilter hooks.
7333 	 * Must be done before security_delete_hooks() to avoid breaking
7334 	 * runtime disable.
7335 	 */
7336 	selinux_nf_ip_exit();
7337 
7338 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7339 
7340 	/* Try to destroy the avc node cache */
7341 	avc_disable();
7342 
7343 	/* Unregister selinuxfs. */
7344 	exit_sel_fs();
7345 
7346 	return 0;
7347 }
7348 #endif
7349