xref: /openbmc/linux/security/selinux/hooks.c (revision f220d3eb)
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *	      Chris Vance, <cvance@nai.com>
8  *	      Wayne Salamon, <wsalamon@nai.com>
9  *	      James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *					   Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *			    <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *	Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *	This program is free software; you can redistribute it and/or modify
23  *	it under the terms of the GNU General Public License version 2,
24  *	as published by the Free Software Foundation.
25  */
26 
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>		/* for local_port_range[] */
56 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>	/* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>		/* for Unix socket types */
74 #include <net/af_unix.h>	/* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91 
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102 
103 struct selinux_state selinux_state;
104 
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107 
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110 
111 static int __init enforcing_setup(char *str)
112 {
113 	unsigned long enforcing;
114 	if (!kstrtoul(str, 0, &enforcing))
115 		selinux_enforcing_boot = enforcing ? 1 : 0;
116 	return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122 
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125 
126 static int __init selinux_enabled_setup(char *str)
127 {
128 	unsigned long enabled;
129 	if (!kstrtoul(str, 0, &enabled))
130 		selinux_enabled = enabled ? 1 : 0;
131 	return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot))
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 	return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150 
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct cred *cred = (struct cred *) current->real_cred;
214 	struct task_security_struct *tsec;
215 
216 	tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 	if (!tsec)
218 		panic("SELinux:  Failed to initialize initial task.\n");
219 
220 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 	cred->security = tsec;
222 }
223 
224 /*
225  * get the security ID of a set of credentials
226  */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 	const struct task_security_struct *tsec;
230 
231 	tsec = cred->security;
232 	return tsec->sid;
233 }
234 
235 /*
236  * get the objective security ID of a task
237  */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 	u32 sid;
241 
242 	rcu_read_lock();
243 	sid = cred_sid(__task_cred(task));
244 	rcu_read_unlock();
245 	return sid;
246 }
247 
248 /* Allocate and free functions for each kind of security blob. */
249 
250 static int inode_alloc_security(struct inode *inode)
251 {
252 	struct inode_security_struct *isec;
253 	u32 sid = current_sid();
254 
255 	isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 	if (!isec)
257 		return -ENOMEM;
258 
259 	spin_lock_init(&isec->lock);
260 	INIT_LIST_HEAD(&isec->list);
261 	isec->inode = inode;
262 	isec->sid = SECINITSID_UNLABELED;
263 	isec->sclass = SECCLASS_FILE;
264 	isec->task_sid = sid;
265 	isec->initialized = LABEL_INVALID;
266 	inode->i_security = isec;
267 
268 	return 0;
269 }
270 
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272 
273 /*
274  * Try reloading inode security labels that have been marked as invalid.  The
275  * @may_sleep parameter indicates when sleeping and thus reloading labels is
276  * allowed; when set to false, returns -ECHILD when the label is
277  * invalid.  The @dentry parameter should be set to a dentry of the inode.
278  */
279 static int __inode_security_revalidate(struct inode *inode,
280 				       struct dentry *dentry,
281 				       bool may_sleep)
282 {
283 	struct inode_security_struct *isec = inode->i_security;
284 
285 	might_sleep_if(may_sleep);
286 
287 	if (selinux_state.initialized &&
288 	    isec->initialized != LABEL_INITIALIZED) {
289 		if (!may_sleep)
290 			return -ECHILD;
291 
292 		/*
293 		 * Try reloading the inode security label.  This will fail if
294 		 * @opt_dentry is NULL and no dentry for this inode can be
295 		 * found; in that case, continue using the old label.
296 		 */
297 		inode_doinit_with_dentry(inode, dentry);
298 	}
299 	return 0;
300 }
301 
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 	return inode->i_security;
305 }
306 
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 	int error;
310 
311 	error = __inode_security_revalidate(inode, NULL, !rcu);
312 	if (error)
313 		return ERR_PTR(error);
314 	return inode->i_security;
315 }
316 
317 /*
318  * Get the security label of an inode.
319  */
320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 	__inode_security_revalidate(inode, NULL, true);
323 	return inode->i_security;
324 }
325 
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 	struct inode *inode = d_backing_inode(dentry);
329 
330 	return inode->i_security;
331 }
332 
333 /*
334  * Get the security label of a dentry's backing inode.
335  */
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 	struct inode *inode = d_backing_inode(dentry);
339 
340 	__inode_security_revalidate(inode, dentry, true);
341 	return inode->i_security;
342 }
343 
344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 	struct inode_security_struct *isec;
347 
348 	isec = container_of(head, struct inode_security_struct, rcu);
349 	kmem_cache_free(sel_inode_cache, isec);
350 }
351 
352 static void inode_free_security(struct inode *inode)
353 {
354 	struct inode_security_struct *isec = inode->i_security;
355 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356 
357 	/*
358 	 * As not all inode security structures are in a list, we check for
359 	 * empty list outside of the lock to make sure that we won't waste
360 	 * time taking a lock doing nothing.
361 	 *
362 	 * The list_del_init() function can be safely called more than once.
363 	 * It should not be possible for this function to be called with
364 	 * concurrent list_add(), but for better safety against future changes
365 	 * in the code, we use list_empty_careful() here.
366 	 */
367 	if (!list_empty_careful(&isec->list)) {
368 		spin_lock(&sbsec->isec_lock);
369 		list_del_init(&isec->list);
370 		spin_unlock(&sbsec->isec_lock);
371 	}
372 
373 	/*
374 	 * The inode may still be referenced in a path walk and
375 	 * a call to selinux_inode_permission() can be made
376 	 * after inode_free_security() is called. Ideally, the VFS
377 	 * wouldn't do this, but fixing that is a much harder
378 	 * job. For now, simply free the i_security via RCU, and
379 	 * leave the current inode->i_security pointer intact.
380 	 * The inode will be freed after the RCU grace period too.
381 	 */
382 	call_rcu(&isec->rcu, inode_free_rcu);
383 }
384 
385 static int file_alloc_security(struct file *file)
386 {
387 	struct file_security_struct *fsec;
388 	u32 sid = current_sid();
389 
390 	fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 	if (!fsec)
392 		return -ENOMEM;
393 
394 	fsec->sid = sid;
395 	fsec->fown_sid = sid;
396 	file->f_security = fsec;
397 
398 	return 0;
399 }
400 
401 static void file_free_security(struct file *file)
402 {
403 	struct file_security_struct *fsec = file->f_security;
404 	file->f_security = NULL;
405 	kmem_cache_free(file_security_cache, fsec);
406 }
407 
408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 	struct superblock_security_struct *sbsec;
411 
412 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 	if (!sbsec)
414 		return -ENOMEM;
415 
416 	mutex_init(&sbsec->lock);
417 	INIT_LIST_HEAD(&sbsec->isec_head);
418 	spin_lock_init(&sbsec->isec_lock);
419 	sbsec->sb = sb;
420 	sbsec->sid = SECINITSID_UNLABELED;
421 	sbsec->def_sid = SECINITSID_FILE;
422 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 	sb->s_security = sbsec;
424 
425 	return 0;
426 }
427 
428 static void superblock_free_security(struct super_block *sb)
429 {
430 	struct superblock_security_struct *sbsec = sb->s_security;
431 	sb->s_security = NULL;
432 	kfree(sbsec);
433 }
434 
435 static inline int inode_doinit(struct inode *inode)
436 {
437 	return inode_doinit_with_dentry(inode, NULL);
438 }
439 
440 enum {
441 	Opt_error = -1,
442 	Opt_context = 1,
443 	Opt_fscontext = 2,
444 	Opt_defcontext = 3,
445 	Opt_rootcontext = 4,
446 	Opt_labelsupport = 5,
447 	Opt_nextmntopt = 6,
448 };
449 
450 #define NUM_SEL_MNT_OPTS	(Opt_nextmntopt - 1)
451 
452 static const match_table_t tokens = {
453 	{Opt_context, CONTEXT_STR "%s"},
454 	{Opt_fscontext, FSCONTEXT_STR "%s"},
455 	{Opt_defcontext, DEFCONTEXT_STR "%s"},
456 	{Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 	{Opt_labelsupport, LABELSUPP_STR},
458 	{Opt_error, NULL},
459 };
460 
461 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
462 
463 static int may_context_mount_sb_relabel(u32 sid,
464 			struct superblock_security_struct *sbsec,
465 			const struct cred *cred)
466 {
467 	const struct task_security_struct *tsec = cred->security;
468 	int rc;
469 
470 	rc = avc_has_perm(&selinux_state,
471 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 			  FILESYSTEM__RELABELFROM, NULL);
473 	if (rc)
474 		return rc;
475 
476 	rc = avc_has_perm(&selinux_state,
477 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
478 			  FILESYSTEM__RELABELTO, NULL);
479 	return rc;
480 }
481 
482 static int may_context_mount_inode_relabel(u32 sid,
483 			struct superblock_security_struct *sbsec,
484 			const struct cred *cred)
485 {
486 	const struct task_security_struct *tsec = cred->security;
487 	int rc;
488 	rc = avc_has_perm(&selinux_state,
489 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 			  FILESYSTEM__RELABELFROM, NULL);
491 	if (rc)
492 		return rc;
493 
494 	rc = avc_has_perm(&selinux_state,
495 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 			  FILESYSTEM__ASSOCIATE, NULL);
497 	return rc;
498 }
499 
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 	struct superblock_security_struct *sbsec = sb->s_security;
503 
504 	return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 		sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 		sbsec->behavior == SECURITY_FS_USE_TASK ||
507 		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 		/* Special handling. Genfs but also in-core setxattr handler */
509 		!strcmp(sb->s_type->name, "sysfs") ||
510 		!strcmp(sb->s_type->name, "pstore") ||
511 		!strcmp(sb->s_type->name, "debugfs") ||
512 		!strcmp(sb->s_type->name, "tracefs") ||
513 		!strcmp(sb->s_type->name, "rootfs") ||
514 		(selinux_policycap_cgroupseclabel() &&
515 		 (!strcmp(sb->s_type->name, "cgroup") ||
516 		  !strcmp(sb->s_type->name, "cgroup2")));
517 }
518 
519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 	struct superblock_security_struct *sbsec = sb->s_security;
522 	struct dentry *root = sb->s_root;
523 	struct inode *root_inode = d_backing_inode(root);
524 	int rc = 0;
525 
526 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 		/* Make sure that the xattr handler exists and that no
528 		   error other than -ENODATA is returned by getxattr on
529 		   the root directory.  -ENODATA is ok, as this may be
530 		   the first boot of the SELinux kernel before we have
531 		   assigned xattr values to the filesystem. */
532 		if (!(root_inode->i_opflags & IOP_XATTR)) {
533 			pr_warn("SELinux: (dev %s, type %s) has no "
534 			       "xattr support\n", sb->s_id, sb->s_type->name);
535 			rc = -EOPNOTSUPP;
536 			goto out;
537 		}
538 
539 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 		if (rc < 0 && rc != -ENODATA) {
541 			if (rc == -EOPNOTSUPP)
542 				pr_warn("SELinux: (dev %s, type "
543 				       "%s) has no security xattr handler\n",
544 				       sb->s_id, sb->s_type->name);
545 			else
546 				pr_warn("SELinux: (dev %s, type "
547 				       "%s) getxattr errno %d\n", sb->s_id,
548 				       sb->s_type->name, -rc);
549 			goto out;
550 		}
551 	}
552 
553 	sbsec->flags |= SE_SBINITIALIZED;
554 
555 	/*
556 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
557 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 	 * us a superblock that needs the flag to be cleared.
559 	 */
560 	if (selinux_is_sblabel_mnt(sb))
561 		sbsec->flags |= SBLABEL_MNT;
562 	else
563 		sbsec->flags &= ~SBLABEL_MNT;
564 
565 	/* Initialize the root inode. */
566 	rc = inode_doinit_with_dentry(root_inode, root);
567 
568 	/* Initialize any other inodes associated with the superblock, e.g.
569 	   inodes created prior to initial policy load or inodes created
570 	   during get_sb by a pseudo filesystem that directly
571 	   populates itself. */
572 	spin_lock(&sbsec->isec_lock);
573 next_inode:
574 	if (!list_empty(&sbsec->isec_head)) {
575 		struct inode_security_struct *isec =
576 				list_entry(sbsec->isec_head.next,
577 					   struct inode_security_struct, list);
578 		struct inode *inode = isec->inode;
579 		list_del_init(&isec->list);
580 		spin_unlock(&sbsec->isec_lock);
581 		inode = igrab(inode);
582 		if (inode) {
583 			if (!IS_PRIVATE(inode))
584 				inode_doinit(inode);
585 			iput(inode);
586 		}
587 		spin_lock(&sbsec->isec_lock);
588 		goto next_inode;
589 	}
590 	spin_unlock(&sbsec->isec_lock);
591 out:
592 	return rc;
593 }
594 
595 /*
596  * This function should allow an FS to ask what it's mount security
597  * options were so it can use those later for submounts, displaying
598  * mount options, or whatever.
599  */
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 				struct security_mnt_opts *opts)
602 {
603 	int rc = 0, i;
604 	struct superblock_security_struct *sbsec = sb->s_security;
605 	char *context = NULL;
606 	u32 len;
607 	char tmp;
608 
609 	security_init_mnt_opts(opts);
610 
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		return -EINVAL;
613 
614 	if (!selinux_state.initialized)
615 		return -EINVAL;
616 
617 	/* make sure we always check enough bits to cover the mask */
618 	BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619 
620 	tmp = sbsec->flags & SE_MNTMASK;
621 	/* count the number of mount options for this sb */
622 	for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 		if (tmp & 0x01)
624 			opts->num_mnt_opts++;
625 		tmp >>= 1;
626 	}
627 	/* Check if the Label support flag is set */
628 	if (sbsec->flags & SBLABEL_MNT)
629 		opts->num_mnt_opts++;
630 
631 	opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 	if (!opts->mnt_opts) {
633 		rc = -ENOMEM;
634 		goto out_free;
635 	}
636 
637 	opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 	if (!opts->mnt_opts_flags) {
639 		rc = -ENOMEM;
640 		goto out_free;
641 	}
642 
643 	i = 0;
644 	if (sbsec->flags & FSCONTEXT_MNT) {
645 		rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 					     &context, &len);
647 		if (rc)
648 			goto out_free;
649 		opts->mnt_opts[i] = context;
650 		opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 	}
652 	if (sbsec->flags & CONTEXT_MNT) {
653 		rc = security_sid_to_context(&selinux_state,
654 					     sbsec->mntpoint_sid,
655 					     &context, &len);
656 		if (rc)
657 			goto out_free;
658 		opts->mnt_opts[i] = context;
659 		opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 	}
661 	if (sbsec->flags & DEFCONTEXT_MNT) {
662 		rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 					     &context, &len);
664 		if (rc)
665 			goto out_free;
666 		opts->mnt_opts[i] = context;
667 		opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 	}
669 	if (sbsec->flags & ROOTCONTEXT_MNT) {
670 		struct dentry *root = sbsec->sb->s_root;
671 		struct inode_security_struct *isec = backing_inode_security(root);
672 
673 		rc = security_sid_to_context(&selinux_state, isec->sid,
674 					     &context, &len);
675 		if (rc)
676 			goto out_free;
677 		opts->mnt_opts[i] = context;
678 		opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 	}
680 	if (sbsec->flags & SBLABEL_MNT) {
681 		opts->mnt_opts[i] = NULL;
682 		opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 	}
684 
685 	BUG_ON(i != opts->num_mnt_opts);
686 
687 	return 0;
688 
689 out_free:
690 	security_free_mnt_opts(opts);
691 	return rc;
692 }
693 
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 		      u32 old_sid, u32 new_sid)
696 {
697 	char mnt_flags = sbsec->flags & SE_MNTMASK;
698 
699 	/* check if the old mount command had the same options */
700 	if (sbsec->flags & SE_SBINITIALIZED)
701 		if (!(sbsec->flags & flag) ||
702 		    (old_sid != new_sid))
703 			return 1;
704 
705 	/* check if we were passed the same options twice,
706 	 * aka someone passed context=a,context=b
707 	 */
708 	if (!(sbsec->flags & SE_SBINITIALIZED))
709 		if (mnt_flags & flag)
710 			return 1;
711 	return 0;
712 }
713 
714 /*
715  * Allow filesystems with binary mount data to explicitly set mount point
716  * labeling information.
717  */
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 				struct security_mnt_opts *opts,
720 				unsigned long kern_flags,
721 				unsigned long *set_kern_flags)
722 {
723 	const struct cred *cred = current_cred();
724 	int rc = 0, i;
725 	struct superblock_security_struct *sbsec = sb->s_security;
726 	const char *name = sb->s_type->name;
727 	struct dentry *root = sbsec->sb->s_root;
728 	struct inode_security_struct *root_isec;
729 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 	u32 defcontext_sid = 0;
731 	char **mount_options = opts->mnt_opts;
732 	int *flags = opts->mnt_opts_flags;
733 	int num_opts = opts->num_mnt_opts;
734 
735 	mutex_lock(&sbsec->lock);
736 
737 	if (!selinux_state.initialized) {
738 		if (!num_opts) {
739 			/* Defer initialization until selinux_complete_init,
740 			   after the initial policy is loaded and the security
741 			   server is ready to handle calls. */
742 			goto out;
743 		}
744 		rc = -EINVAL;
745 		pr_warn("SELinux: Unable to set superblock options "
746 			"before the security server is initialized\n");
747 		goto out;
748 	}
749 	if (kern_flags && !set_kern_flags) {
750 		/* Specifying internal flags without providing a place to
751 		 * place the results is not allowed */
752 		rc = -EINVAL;
753 		goto out;
754 	}
755 
756 	/*
757 	 * Binary mount data FS will come through this function twice.  Once
758 	 * from an explicit call and once from the generic calls from the vfs.
759 	 * Since the generic VFS calls will not contain any security mount data
760 	 * we need to skip the double mount verification.
761 	 *
762 	 * This does open a hole in which we will not notice if the first
763 	 * mount using this sb set explict options and a second mount using
764 	 * this sb does not set any security options.  (The first options
765 	 * will be used for both mounts)
766 	 */
767 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 	    && (num_opts == 0))
769 		goto out;
770 
771 	root_isec = backing_inode_security_novalidate(root);
772 
773 	/*
774 	 * parse the mount options, check if they are valid sids.
775 	 * also check if someone is trying to mount the same sb more
776 	 * than once with different security options.
777 	 */
778 	for (i = 0; i < num_opts; i++) {
779 		u32 sid;
780 
781 		if (flags[i] == SBLABEL_MNT)
782 			continue;
783 		rc = security_context_str_to_sid(&selinux_state,
784 						 mount_options[i], &sid,
785 						 GFP_KERNEL);
786 		if (rc) {
787 			pr_warn("SELinux: security_context_str_to_sid"
788 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
789 			       mount_options[i], sb->s_id, name, rc);
790 			goto out;
791 		}
792 		switch (flags[i]) {
793 		case FSCONTEXT_MNT:
794 			fscontext_sid = sid;
795 
796 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 					fscontext_sid))
798 				goto out_double_mount;
799 
800 			sbsec->flags |= FSCONTEXT_MNT;
801 			break;
802 		case CONTEXT_MNT:
803 			context_sid = sid;
804 
805 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 					context_sid))
807 				goto out_double_mount;
808 
809 			sbsec->flags |= CONTEXT_MNT;
810 			break;
811 		case ROOTCONTEXT_MNT:
812 			rootcontext_sid = sid;
813 
814 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 					rootcontext_sid))
816 				goto out_double_mount;
817 
818 			sbsec->flags |= ROOTCONTEXT_MNT;
819 
820 			break;
821 		case DEFCONTEXT_MNT:
822 			defcontext_sid = sid;
823 
824 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 					defcontext_sid))
826 				goto out_double_mount;
827 
828 			sbsec->flags |= DEFCONTEXT_MNT;
829 
830 			break;
831 		default:
832 			rc = -EINVAL;
833 			goto out;
834 		}
835 	}
836 
837 	if (sbsec->flags & SE_SBINITIALIZED) {
838 		/* previously mounted with options, but not on this attempt? */
839 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 			goto out_double_mount;
841 		rc = 0;
842 		goto out;
843 	}
844 
845 	if (strcmp(sb->s_type->name, "proc") == 0)
846 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847 
848 	if (!strcmp(sb->s_type->name, "debugfs") ||
849 	    !strcmp(sb->s_type->name, "tracefs") ||
850 	    !strcmp(sb->s_type->name, "sysfs") ||
851 	    !strcmp(sb->s_type->name, "pstore") ||
852 	    !strcmp(sb->s_type->name, "cgroup") ||
853 	    !strcmp(sb->s_type->name, "cgroup2"))
854 		sbsec->flags |= SE_SBGENFS;
855 
856 	if (!sbsec->behavior) {
857 		/*
858 		 * Determine the labeling behavior to use for this
859 		 * filesystem type.
860 		 */
861 		rc = security_fs_use(&selinux_state, sb);
862 		if (rc) {
863 			pr_warn("%s: security_fs_use(%s) returned %d\n",
864 					__func__, sb->s_type->name, rc);
865 			goto out;
866 		}
867 	}
868 
869 	/*
870 	 * If this is a user namespace mount and the filesystem type is not
871 	 * explicitly whitelisted, then no contexts are allowed on the command
872 	 * line and security labels must be ignored.
873 	 */
874 	if (sb->s_user_ns != &init_user_ns &&
875 	    strcmp(sb->s_type->name, "tmpfs") &&
876 	    strcmp(sb->s_type->name, "ramfs") &&
877 	    strcmp(sb->s_type->name, "devpts")) {
878 		if (context_sid || fscontext_sid || rootcontext_sid ||
879 		    defcontext_sid) {
880 			rc = -EACCES;
881 			goto out;
882 		}
883 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 			rc = security_transition_sid(&selinux_state,
886 						     current_sid(),
887 						     current_sid(),
888 						     SECCLASS_FILE, NULL,
889 						     &sbsec->mntpoint_sid);
890 			if (rc)
891 				goto out;
892 		}
893 		goto out_set_opts;
894 	}
895 
896 	/* sets the context of the superblock for the fs being mounted. */
897 	if (fscontext_sid) {
898 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
899 		if (rc)
900 			goto out;
901 
902 		sbsec->sid = fscontext_sid;
903 	}
904 
905 	/*
906 	 * Switch to using mount point labeling behavior.
907 	 * sets the label used on all file below the mountpoint, and will set
908 	 * the superblock context if not already set.
909 	 */
910 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 	}
914 
915 	if (context_sid) {
916 		if (!fscontext_sid) {
917 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 							  cred);
919 			if (rc)
920 				goto out;
921 			sbsec->sid = context_sid;
922 		} else {
923 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 							     cred);
925 			if (rc)
926 				goto out;
927 		}
928 		if (!rootcontext_sid)
929 			rootcontext_sid = context_sid;
930 
931 		sbsec->mntpoint_sid = context_sid;
932 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
933 	}
934 
935 	if (rootcontext_sid) {
936 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 						     cred);
938 		if (rc)
939 			goto out;
940 
941 		root_isec->sid = rootcontext_sid;
942 		root_isec->initialized = LABEL_INITIALIZED;
943 	}
944 
945 	if (defcontext_sid) {
946 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
948 			rc = -EINVAL;
949 			pr_warn("SELinux: defcontext option is "
950 			       "invalid for this filesystem type\n");
951 			goto out;
952 		}
953 
954 		if (defcontext_sid != sbsec->def_sid) {
955 			rc = may_context_mount_inode_relabel(defcontext_sid,
956 							     sbsec, cred);
957 			if (rc)
958 				goto out;
959 		}
960 
961 		sbsec->def_sid = defcontext_sid;
962 	}
963 
964 out_set_opts:
965 	rc = sb_finish_set_opts(sb);
966 out:
967 	mutex_unlock(&sbsec->lock);
968 	return rc;
969 out_double_mount:
970 	rc = -EINVAL;
971 	pr_warn("SELinux: mount invalid.  Same superblock, different "
972 	       "security settings for (dev %s, type %s)\n", sb->s_id, name);
973 	goto out;
974 }
975 
976 static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 				    const struct super_block *newsb)
978 {
979 	struct superblock_security_struct *old = oldsb->s_security;
980 	struct superblock_security_struct *new = newsb->s_security;
981 	char oldflags = old->flags & SE_MNTMASK;
982 	char newflags = new->flags & SE_MNTMASK;
983 
984 	if (oldflags != newflags)
985 		goto mismatch;
986 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 		goto mismatch;
988 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 		goto mismatch;
990 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 		goto mismatch;
992 	if (oldflags & ROOTCONTEXT_MNT) {
993 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 		if (oldroot->sid != newroot->sid)
996 			goto mismatch;
997 	}
998 	return 0;
999 mismatch:
1000 	pr_warn("SELinux: mount invalid.  Same superblock, "
1001 			    "different security settings for (dev %s, "
1002 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 	return -EBUSY;
1004 }
1005 
1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 					struct super_block *newsb,
1008 					unsigned long kern_flags,
1009 					unsigned long *set_kern_flags)
1010 {
1011 	int rc = 0;
1012 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 	struct superblock_security_struct *newsbsec = newsb->s_security;
1014 
1015 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
1016 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
1017 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
1018 
1019 	/*
1020 	 * if the parent was able to be mounted it clearly had no special lsm
1021 	 * mount options.  thus we can safely deal with this superblock later
1022 	 */
1023 	if (!selinux_state.initialized)
1024 		return 0;
1025 
1026 	/*
1027 	 * Specifying internal flags without providing a place to
1028 	 * place the results is not allowed.
1029 	 */
1030 	if (kern_flags && !set_kern_flags)
1031 		return -EINVAL;
1032 
1033 	/* how can we clone if the old one wasn't set up?? */
1034 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1035 
1036 	/* if fs is reusing a sb, make sure that the contexts match */
1037 	if (newsbsec->flags & SE_SBINITIALIZED)
1038 		return selinux_cmp_sb_context(oldsb, newsb);
1039 
1040 	mutex_lock(&newsbsec->lock);
1041 
1042 	newsbsec->flags = oldsbsec->flags;
1043 
1044 	newsbsec->sid = oldsbsec->sid;
1045 	newsbsec->def_sid = oldsbsec->def_sid;
1046 	newsbsec->behavior = oldsbsec->behavior;
1047 
1048 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 		rc = security_fs_use(&selinux_state, newsb);
1051 		if (rc)
1052 			goto out;
1053 	}
1054 
1055 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 	}
1059 
1060 	if (set_context) {
1061 		u32 sid = oldsbsec->mntpoint_sid;
1062 
1063 		if (!set_fscontext)
1064 			newsbsec->sid = sid;
1065 		if (!set_rootcontext) {
1066 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1067 			newisec->sid = sid;
1068 		}
1069 		newsbsec->mntpoint_sid = sid;
1070 	}
1071 	if (set_rootcontext) {
1072 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1074 
1075 		newisec->sid = oldisec->sid;
1076 	}
1077 
1078 	sb_finish_set_opts(newsb);
1079 out:
1080 	mutex_unlock(&newsbsec->lock);
1081 	return rc;
1082 }
1083 
1084 static int selinux_parse_opts_str(char *options,
1085 				  struct security_mnt_opts *opts)
1086 {
1087 	char *p;
1088 	char *context = NULL, *defcontext = NULL;
1089 	char *fscontext = NULL, *rootcontext = NULL;
1090 	int rc, num_mnt_opts = 0;
1091 
1092 	opts->num_mnt_opts = 0;
1093 
1094 	/* Standard string-based options. */
1095 	while ((p = strsep(&options, "|")) != NULL) {
1096 		int token;
1097 		substring_t args[MAX_OPT_ARGS];
1098 
1099 		if (!*p)
1100 			continue;
1101 
1102 		token = match_token(p, tokens, args);
1103 
1104 		switch (token) {
1105 		case Opt_context:
1106 			if (context || defcontext) {
1107 				rc = -EINVAL;
1108 				pr_warn(SEL_MOUNT_FAIL_MSG);
1109 				goto out_err;
1110 			}
1111 			context = match_strdup(&args[0]);
1112 			if (!context) {
1113 				rc = -ENOMEM;
1114 				goto out_err;
1115 			}
1116 			break;
1117 
1118 		case Opt_fscontext:
1119 			if (fscontext) {
1120 				rc = -EINVAL;
1121 				pr_warn(SEL_MOUNT_FAIL_MSG);
1122 				goto out_err;
1123 			}
1124 			fscontext = match_strdup(&args[0]);
1125 			if (!fscontext) {
1126 				rc = -ENOMEM;
1127 				goto out_err;
1128 			}
1129 			break;
1130 
1131 		case Opt_rootcontext:
1132 			if (rootcontext) {
1133 				rc = -EINVAL;
1134 				pr_warn(SEL_MOUNT_FAIL_MSG);
1135 				goto out_err;
1136 			}
1137 			rootcontext = match_strdup(&args[0]);
1138 			if (!rootcontext) {
1139 				rc = -ENOMEM;
1140 				goto out_err;
1141 			}
1142 			break;
1143 
1144 		case Opt_defcontext:
1145 			if (context || defcontext) {
1146 				rc = -EINVAL;
1147 				pr_warn(SEL_MOUNT_FAIL_MSG);
1148 				goto out_err;
1149 			}
1150 			defcontext = match_strdup(&args[0]);
1151 			if (!defcontext) {
1152 				rc = -ENOMEM;
1153 				goto out_err;
1154 			}
1155 			break;
1156 		case Opt_labelsupport:
1157 			break;
1158 		default:
1159 			rc = -EINVAL;
1160 			pr_warn("SELinux:  unknown mount option\n");
1161 			goto out_err;
1162 
1163 		}
1164 	}
1165 
1166 	rc = -ENOMEM;
1167 	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 	if (!opts->mnt_opts)
1169 		goto out_err;
1170 
1171 	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 				       GFP_KERNEL);
1173 	if (!opts->mnt_opts_flags)
1174 		goto out_err;
1175 
1176 	if (fscontext) {
1177 		opts->mnt_opts[num_mnt_opts] = fscontext;
1178 		opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1179 	}
1180 	if (context) {
1181 		opts->mnt_opts[num_mnt_opts] = context;
1182 		opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1183 	}
1184 	if (rootcontext) {
1185 		opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 		opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1187 	}
1188 	if (defcontext) {
1189 		opts->mnt_opts[num_mnt_opts] = defcontext;
1190 		opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1191 	}
1192 
1193 	opts->num_mnt_opts = num_mnt_opts;
1194 	return 0;
1195 
1196 out_err:
1197 	security_free_mnt_opts(opts);
1198 	kfree(context);
1199 	kfree(defcontext);
1200 	kfree(fscontext);
1201 	kfree(rootcontext);
1202 	return rc;
1203 }
1204 /*
1205  * string mount options parsing and call set the sbsec
1206  */
1207 static int superblock_doinit(struct super_block *sb, void *data)
1208 {
1209 	int rc = 0;
1210 	char *options = data;
1211 	struct security_mnt_opts opts;
1212 
1213 	security_init_mnt_opts(&opts);
1214 
1215 	if (!data)
1216 		goto out;
1217 
1218 	BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219 
1220 	rc = selinux_parse_opts_str(options, &opts);
1221 	if (rc)
1222 		goto out_err;
1223 
1224 out:
1225 	rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1226 
1227 out_err:
1228 	security_free_mnt_opts(&opts);
1229 	return rc;
1230 }
1231 
1232 static void selinux_write_opts(struct seq_file *m,
1233 			       struct security_mnt_opts *opts)
1234 {
1235 	int i;
1236 	char *prefix;
1237 
1238 	for (i = 0; i < opts->num_mnt_opts; i++) {
1239 		char *has_comma;
1240 
1241 		if (opts->mnt_opts[i])
1242 			has_comma = strchr(opts->mnt_opts[i], ',');
1243 		else
1244 			has_comma = NULL;
1245 
1246 		switch (opts->mnt_opts_flags[i]) {
1247 		case CONTEXT_MNT:
1248 			prefix = CONTEXT_STR;
1249 			break;
1250 		case FSCONTEXT_MNT:
1251 			prefix = FSCONTEXT_STR;
1252 			break;
1253 		case ROOTCONTEXT_MNT:
1254 			prefix = ROOTCONTEXT_STR;
1255 			break;
1256 		case DEFCONTEXT_MNT:
1257 			prefix = DEFCONTEXT_STR;
1258 			break;
1259 		case SBLABEL_MNT:
1260 			seq_putc(m, ',');
1261 			seq_puts(m, LABELSUPP_STR);
1262 			continue;
1263 		default:
1264 			BUG();
1265 			return;
1266 		};
1267 		/* we need a comma before each option */
1268 		seq_putc(m, ',');
1269 		seq_puts(m, prefix);
1270 		if (has_comma)
1271 			seq_putc(m, '\"');
1272 		seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1273 		if (has_comma)
1274 			seq_putc(m, '\"');
1275 	}
1276 }
1277 
1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279 {
1280 	struct security_mnt_opts opts;
1281 	int rc;
1282 
1283 	rc = selinux_get_mnt_opts(sb, &opts);
1284 	if (rc) {
1285 		/* before policy load we may get EINVAL, don't show anything */
1286 		if (rc == -EINVAL)
1287 			rc = 0;
1288 		return rc;
1289 	}
1290 
1291 	selinux_write_opts(m, &opts);
1292 
1293 	security_free_mnt_opts(&opts);
1294 
1295 	return rc;
1296 }
1297 
1298 static inline u16 inode_mode_to_security_class(umode_t mode)
1299 {
1300 	switch (mode & S_IFMT) {
1301 	case S_IFSOCK:
1302 		return SECCLASS_SOCK_FILE;
1303 	case S_IFLNK:
1304 		return SECCLASS_LNK_FILE;
1305 	case S_IFREG:
1306 		return SECCLASS_FILE;
1307 	case S_IFBLK:
1308 		return SECCLASS_BLK_FILE;
1309 	case S_IFDIR:
1310 		return SECCLASS_DIR;
1311 	case S_IFCHR:
1312 		return SECCLASS_CHR_FILE;
1313 	case S_IFIFO:
1314 		return SECCLASS_FIFO_FILE;
1315 
1316 	}
1317 
1318 	return SECCLASS_FILE;
1319 }
1320 
1321 static inline int default_protocol_stream(int protocol)
1322 {
1323 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324 }
1325 
1326 static inline int default_protocol_dgram(int protocol)
1327 {
1328 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329 }
1330 
1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332 {
1333 	int extsockclass = selinux_policycap_extsockclass();
1334 
1335 	switch (family) {
1336 	case PF_UNIX:
1337 		switch (type) {
1338 		case SOCK_STREAM:
1339 		case SOCK_SEQPACKET:
1340 			return SECCLASS_UNIX_STREAM_SOCKET;
1341 		case SOCK_DGRAM:
1342 		case SOCK_RAW:
1343 			return SECCLASS_UNIX_DGRAM_SOCKET;
1344 		}
1345 		break;
1346 	case PF_INET:
1347 	case PF_INET6:
1348 		switch (type) {
1349 		case SOCK_STREAM:
1350 		case SOCK_SEQPACKET:
1351 			if (default_protocol_stream(protocol))
1352 				return SECCLASS_TCP_SOCKET;
1353 			else if (extsockclass && protocol == IPPROTO_SCTP)
1354 				return SECCLASS_SCTP_SOCKET;
1355 			else
1356 				return SECCLASS_RAWIP_SOCKET;
1357 		case SOCK_DGRAM:
1358 			if (default_protocol_dgram(protocol))
1359 				return SECCLASS_UDP_SOCKET;
1360 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 						  protocol == IPPROTO_ICMPV6))
1362 				return SECCLASS_ICMP_SOCKET;
1363 			else
1364 				return SECCLASS_RAWIP_SOCKET;
1365 		case SOCK_DCCP:
1366 			return SECCLASS_DCCP_SOCKET;
1367 		default:
1368 			return SECCLASS_RAWIP_SOCKET;
1369 		}
1370 		break;
1371 	case PF_NETLINK:
1372 		switch (protocol) {
1373 		case NETLINK_ROUTE:
1374 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 		case NETLINK_SOCK_DIAG:
1376 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 		case NETLINK_NFLOG:
1378 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 		case NETLINK_XFRM:
1380 			return SECCLASS_NETLINK_XFRM_SOCKET;
1381 		case NETLINK_SELINUX:
1382 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1383 		case NETLINK_ISCSI:
1384 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1385 		case NETLINK_AUDIT:
1386 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 		case NETLINK_FIB_LOOKUP:
1388 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 		case NETLINK_CONNECTOR:
1390 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 		case NETLINK_NETFILTER:
1392 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 		case NETLINK_DNRTMSG:
1394 			return SECCLASS_NETLINK_DNRT_SOCKET;
1395 		case NETLINK_KOBJECT_UEVENT:
1396 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 		case NETLINK_GENERIC:
1398 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 		case NETLINK_SCSITRANSPORT:
1400 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 		case NETLINK_RDMA:
1402 			return SECCLASS_NETLINK_RDMA_SOCKET;
1403 		case NETLINK_CRYPTO:
1404 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1405 		default:
1406 			return SECCLASS_NETLINK_SOCKET;
1407 		}
1408 	case PF_PACKET:
1409 		return SECCLASS_PACKET_SOCKET;
1410 	case PF_KEY:
1411 		return SECCLASS_KEY_SOCKET;
1412 	case PF_APPLETALK:
1413 		return SECCLASS_APPLETALK_SOCKET;
1414 	}
1415 
1416 	if (extsockclass) {
1417 		switch (family) {
1418 		case PF_AX25:
1419 			return SECCLASS_AX25_SOCKET;
1420 		case PF_IPX:
1421 			return SECCLASS_IPX_SOCKET;
1422 		case PF_NETROM:
1423 			return SECCLASS_NETROM_SOCKET;
1424 		case PF_ATMPVC:
1425 			return SECCLASS_ATMPVC_SOCKET;
1426 		case PF_X25:
1427 			return SECCLASS_X25_SOCKET;
1428 		case PF_ROSE:
1429 			return SECCLASS_ROSE_SOCKET;
1430 		case PF_DECnet:
1431 			return SECCLASS_DECNET_SOCKET;
1432 		case PF_ATMSVC:
1433 			return SECCLASS_ATMSVC_SOCKET;
1434 		case PF_RDS:
1435 			return SECCLASS_RDS_SOCKET;
1436 		case PF_IRDA:
1437 			return SECCLASS_IRDA_SOCKET;
1438 		case PF_PPPOX:
1439 			return SECCLASS_PPPOX_SOCKET;
1440 		case PF_LLC:
1441 			return SECCLASS_LLC_SOCKET;
1442 		case PF_CAN:
1443 			return SECCLASS_CAN_SOCKET;
1444 		case PF_TIPC:
1445 			return SECCLASS_TIPC_SOCKET;
1446 		case PF_BLUETOOTH:
1447 			return SECCLASS_BLUETOOTH_SOCKET;
1448 		case PF_IUCV:
1449 			return SECCLASS_IUCV_SOCKET;
1450 		case PF_RXRPC:
1451 			return SECCLASS_RXRPC_SOCKET;
1452 		case PF_ISDN:
1453 			return SECCLASS_ISDN_SOCKET;
1454 		case PF_PHONET:
1455 			return SECCLASS_PHONET_SOCKET;
1456 		case PF_IEEE802154:
1457 			return SECCLASS_IEEE802154_SOCKET;
1458 		case PF_CAIF:
1459 			return SECCLASS_CAIF_SOCKET;
1460 		case PF_ALG:
1461 			return SECCLASS_ALG_SOCKET;
1462 		case PF_NFC:
1463 			return SECCLASS_NFC_SOCKET;
1464 		case PF_VSOCK:
1465 			return SECCLASS_VSOCK_SOCKET;
1466 		case PF_KCM:
1467 			return SECCLASS_KCM_SOCKET;
1468 		case PF_QIPCRTR:
1469 			return SECCLASS_QIPCRTR_SOCKET;
1470 		case PF_SMC:
1471 			return SECCLASS_SMC_SOCKET;
1472 		case PF_XDP:
1473 			return SECCLASS_XDP_SOCKET;
1474 #if PF_MAX > 45
1475 #error New address family defined, please update this function.
1476 #endif
1477 		}
1478 	}
1479 
1480 	return SECCLASS_SOCKET;
1481 }
1482 
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484 				 u16 tclass,
1485 				 u16 flags,
1486 				 u32 *sid)
1487 {
1488 	int rc;
1489 	struct super_block *sb = dentry->d_sb;
1490 	char *buffer, *path;
1491 
1492 	buffer = (char *)__get_free_page(GFP_KERNEL);
1493 	if (!buffer)
1494 		return -ENOMEM;
1495 
1496 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 	if (IS_ERR(path))
1498 		rc = PTR_ERR(path);
1499 	else {
1500 		if (flags & SE_SBPROC) {
1501 			/* each process gets a /proc/PID/ entry. Strip off the
1502 			 * PID part to get a valid selinux labeling.
1503 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 			while (path[1] >= '0' && path[1] <= '9') {
1505 				path[1] = '/';
1506 				path++;
1507 			}
1508 		}
1509 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 					path, tclass, sid);
1511 	}
1512 	free_page((unsigned long)buffer);
1513 	return rc;
1514 }
1515 
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518 {
1519 	struct superblock_security_struct *sbsec = NULL;
1520 	struct inode_security_struct *isec = inode->i_security;
1521 	u32 task_sid, sid = 0;
1522 	u16 sclass;
1523 	struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525 	char *context = NULL;
1526 	unsigned len = 0;
1527 	int rc = 0;
1528 
1529 	if (isec->initialized == LABEL_INITIALIZED)
1530 		return 0;
1531 
1532 	spin_lock(&isec->lock);
1533 	if (isec->initialized == LABEL_INITIALIZED)
1534 		goto out_unlock;
1535 
1536 	if (isec->sclass == SECCLASS_FILE)
1537 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538 
1539 	sbsec = inode->i_sb->s_security;
1540 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541 		/* Defer initialization until selinux_complete_init,
1542 		   after the initial policy is loaded and the security
1543 		   server is ready to handle calls. */
1544 		spin_lock(&sbsec->isec_lock);
1545 		if (list_empty(&isec->list))
1546 			list_add(&isec->list, &sbsec->isec_head);
1547 		spin_unlock(&sbsec->isec_lock);
1548 		goto out_unlock;
1549 	}
1550 
1551 	sclass = isec->sclass;
1552 	task_sid = isec->task_sid;
1553 	sid = isec->sid;
1554 	isec->initialized = LABEL_PENDING;
1555 	spin_unlock(&isec->lock);
1556 
1557 	switch (sbsec->behavior) {
1558 	case SECURITY_FS_USE_NATIVE:
1559 		break;
1560 	case SECURITY_FS_USE_XATTR:
1561 		if (!(inode->i_opflags & IOP_XATTR)) {
1562 			sid = sbsec->def_sid;
1563 			break;
1564 		}
1565 		/* Need a dentry, since the xattr API requires one.
1566 		   Life would be simpler if we could just pass the inode. */
1567 		if (opt_dentry) {
1568 			/* Called from d_instantiate or d_splice_alias. */
1569 			dentry = dget(opt_dentry);
1570 		} else {
1571 			/*
1572 			 * Called from selinux_complete_init, try to find a dentry.
1573 			 * Some filesystems really want a connected one, so try
1574 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1575 			 * two, depending upon that...
1576 			 */
1577 			dentry = d_find_alias(inode);
1578 			if (!dentry)
1579 				dentry = d_find_any_alias(inode);
1580 		}
1581 		if (!dentry) {
1582 			/*
1583 			 * this is can be hit on boot when a file is accessed
1584 			 * before the policy is loaded.  When we load policy we
1585 			 * may find inodes that have no dentry on the
1586 			 * sbsec->isec_head list.  No reason to complain as these
1587 			 * will get fixed up the next time we go through
1588 			 * inode_doinit with a dentry, before these inodes could
1589 			 * be used again by userspace.
1590 			 */
1591 			goto out;
1592 		}
1593 
1594 		len = INITCONTEXTLEN;
1595 		context = kmalloc(len+1, GFP_NOFS);
1596 		if (!context) {
1597 			rc = -ENOMEM;
1598 			dput(dentry);
1599 			goto out;
1600 		}
1601 		context[len] = '\0';
1602 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1603 		if (rc == -ERANGE) {
1604 			kfree(context);
1605 
1606 			/* Need a larger buffer.  Query for the right size. */
1607 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1608 			if (rc < 0) {
1609 				dput(dentry);
1610 				goto out;
1611 			}
1612 			len = rc;
1613 			context = kmalloc(len+1, GFP_NOFS);
1614 			if (!context) {
1615 				rc = -ENOMEM;
1616 				dput(dentry);
1617 				goto out;
1618 			}
1619 			context[len] = '\0';
1620 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1621 		}
1622 		dput(dentry);
1623 		if (rc < 0) {
1624 			if (rc != -ENODATA) {
1625 				pr_warn("SELinux: %s:  getxattr returned "
1626 				       "%d for dev=%s ino=%ld\n", __func__,
1627 				       -rc, inode->i_sb->s_id, inode->i_ino);
1628 				kfree(context);
1629 				goto out;
1630 			}
1631 			/* Map ENODATA to the default file SID */
1632 			sid = sbsec->def_sid;
1633 			rc = 0;
1634 		} else {
1635 			rc = security_context_to_sid_default(&selinux_state,
1636 							     context, rc, &sid,
1637 							     sbsec->def_sid,
1638 							     GFP_NOFS);
1639 			if (rc) {
1640 				char *dev = inode->i_sb->s_id;
1641 				unsigned long ino = inode->i_ino;
1642 
1643 				if (rc == -EINVAL) {
1644 					if (printk_ratelimit())
1645 						pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1646 							"context=%s.  This indicates you may need to relabel the inode or the "
1647 							"filesystem in question.\n", ino, dev, context);
1648 				} else {
1649 					pr_warn("SELinux: %s:  context_to_sid(%s) "
1650 					       "returned %d for dev=%s ino=%ld\n",
1651 					       __func__, context, -rc, dev, ino);
1652 				}
1653 				kfree(context);
1654 				/* Leave with the unlabeled SID */
1655 				rc = 0;
1656 				break;
1657 			}
1658 		}
1659 		kfree(context);
1660 		break;
1661 	case SECURITY_FS_USE_TASK:
1662 		sid = task_sid;
1663 		break;
1664 	case SECURITY_FS_USE_TRANS:
1665 		/* Default to the fs SID. */
1666 		sid = sbsec->sid;
1667 
1668 		/* Try to obtain a transition SID. */
1669 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1670 					     sclass, NULL, &sid);
1671 		if (rc)
1672 			goto out;
1673 		break;
1674 	case SECURITY_FS_USE_MNTPOINT:
1675 		sid = sbsec->mntpoint_sid;
1676 		break;
1677 	default:
1678 		/* Default to the fs superblock SID. */
1679 		sid = sbsec->sid;
1680 
1681 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1682 			/* We must have a dentry to determine the label on
1683 			 * procfs inodes */
1684 			if (opt_dentry) {
1685 				/* Called from d_instantiate or
1686 				 * d_splice_alias. */
1687 				dentry = dget(opt_dentry);
1688 			} else {
1689 				/* Called from selinux_complete_init, try to
1690 				 * find a dentry.  Some filesystems really want
1691 				 * a connected one, so try that first.
1692 				 */
1693 				dentry = d_find_alias(inode);
1694 				if (!dentry)
1695 					dentry = d_find_any_alias(inode);
1696 			}
1697 			/*
1698 			 * This can be hit on boot when a file is accessed
1699 			 * before the policy is loaded.  When we load policy we
1700 			 * may find inodes that have no dentry on the
1701 			 * sbsec->isec_head list.  No reason to complain as
1702 			 * these will get fixed up the next time we go through
1703 			 * inode_doinit() with a dentry, before these inodes
1704 			 * could be used again by userspace.
1705 			 */
1706 			if (!dentry)
1707 				goto out;
1708 			rc = selinux_genfs_get_sid(dentry, sclass,
1709 						   sbsec->flags, &sid);
1710 			dput(dentry);
1711 			if (rc)
1712 				goto out;
1713 		}
1714 		break;
1715 	}
1716 
1717 out:
1718 	spin_lock(&isec->lock);
1719 	if (isec->initialized == LABEL_PENDING) {
1720 		if (!sid || rc) {
1721 			isec->initialized = LABEL_INVALID;
1722 			goto out_unlock;
1723 		}
1724 
1725 		isec->initialized = LABEL_INITIALIZED;
1726 		isec->sid = sid;
1727 	}
1728 
1729 out_unlock:
1730 	spin_unlock(&isec->lock);
1731 	return rc;
1732 }
1733 
1734 /* Convert a Linux signal to an access vector. */
1735 static inline u32 signal_to_av(int sig)
1736 {
1737 	u32 perm = 0;
1738 
1739 	switch (sig) {
1740 	case SIGCHLD:
1741 		/* Commonly granted from child to parent. */
1742 		perm = PROCESS__SIGCHLD;
1743 		break;
1744 	case SIGKILL:
1745 		/* Cannot be caught or ignored */
1746 		perm = PROCESS__SIGKILL;
1747 		break;
1748 	case SIGSTOP:
1749 		/* Cannot be caught or ignored */
1750 		perm = PROCESS__SIGSTOP;
1751 		break;
1752 	default:
1753 		/* All other signals. */
1754 		perm = PROCESS__SIGNAL;
1755 		break;
1756 	}
1757 
1758 	return perm;
1759 }
1760 
1761 #if CAP_LAST_CAP > 63
1762 #error Fix SELinux to handle capabilities > 63.
1763 #endif
1764 
1765 /* Check whether a task is allowed to use a capability. */
1766 static int cred_has_capability(const struct cred *cred,
1767 			       int cap, int audit, bool initns)
1768 {
1769 	struct common_audit_data ad;
1770 	struct av_decision avd;
1771 	u16 sclass;
1772 	u32 sid = cred_sid(cred);
1773 	u32 av = CAP_TO_MASK(cap);
1774 	int rc;
1775 
1776 	ad.type = LSM_AUDIT_DATA_CAP;
1777 	ad.u.cap = cap;
1778 
1779 	switch (CAP_TO_INDEX(cap)) {
1780 	case 0:
1781 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1782 		break;
1783 	case 1:
1784 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1785 		break;
1786 	default:
1787 		pr_err("SELinux:  out of range capability %d\n", cap);
1788 		BUG();
1789 		return -EINVAL;
1790 	}
1791 
1792 	rc = avc_has_perm_noaudit(&selinux_state,
1793 				  sid, sid, sclass, av, 0, &avd);
1794 	if (audit == SECURITY_CAP_AUDIT) {
1795 		int rc2 = avc_audit(&selinux_state,
1796 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1797 		if (rc2)
1798 			return rc2;
1799 	}
1800 	return rc;
1801 }
1802 
1803 /* Check whether a task has a particular permission to an inode.
1804    The 'adp' parameter is optional and allows other audit
1805    data to be passed (e.g. the dentry). */
1806 static int inode_has_perm(const struct cred *cred,
1807 			  struct inode *inode,
1808 			  u32 perms,
1809 			  struct common_audit_data *adp)
1810 {
1811 	struct inode_security_struct *isec;
1812 	u32 sid;
1813 
1814 	validate_creds(cred);
1815 
1816 	if (unlikely(IS_PRIVATE(inode)))
1817 		return 0;
1818 
1819 	sid = cred_sid(cred);
1820 	isec = inode->i_security;
1821 
1822 	return avc_has_perm(&selinux_state,
1823 			    sid, isec->sid, isec->sclass, perms, adp);
1824 }
1825 
1826 /* Same as inode_has_perm, but pass explicit audit data containing
1827    the dentry to help the auditing code to more easily generate the
1828    pathname if needed. */
1829 static inline int dentry_has_perm(const struct cred *cred,
1830 				  struct dentry *dentry,
1831 				  u32 av)
1832 {
1833 	struct inode *inode = d_backing_inode(dentry);
1834 	struct common_audit_data ad;
1835 
1836 	ad.type = LSM_AUDIT_DATA_DENTRY;
1837 	ad.u.dentry = dentry;
1838 	__inode_security_revalidate(inode, dentry, true);
1839 	return inode_has_perm(cred, inode, av, &ad);
1840 }
1841 
1842 /* Same as inode_has_perm, but pass explicit audit data containing
1843    the path to help the auditing code to more easily generate the
1844    pathname if needed. */
1845 static inline int path_has_perm(const struct cred *cred,
1846 				const struct path *path,
1847 				u32 av)
1848 {
1849 	struct inode *inode = d_backing_inode(path->dentry);
1850 	struct common_audit_data ad;
1851 
1852 	ad.type = LSM_AUDIT_DATA_PATH;
1853 	ad.u.path = *path;
1854 	__inode_security_revalidate(inode, path->dentry, true);
1855 	return inode_has_perm(cred, inode, av, &ad);
1856 }
1857 
1858 /* Same as path_has_perm, but uses the inode from the file struct. */
1859 static inline int file_path_has_perm(const struct cred *cred,
1860 				     struct file *file,
1861 				     u32 av)
1862 {
1863 	struct common_audit_data ad;
1864 
1865 	ad.type = LSM_AUDIT_DATA_FILE;
1866 	ad.u.file = file;
1867 	return inode_has_perm(cred, file_inode(file), av, &ad);
1868 }
1869 
1870 #ifdef CONFIG_BPF_SYSCALL
1871 static int bpf_fd_pass(struct file *file, u32 sid);
1872 #endif
1873 
1874 /* Check whether a task can use an open file descriptor to
1875    access an inode in a given way.  Check access to the
1876    descriptor itself, and then use dentry_has_perm to
1877    check a particular permission to the file.
1878    Access to the descriptor is implicitly granted if it
1879    has the same SID as the process.  If av is zero, then
1880    access to the file is not checked, e.g. for cases
1881    where only the descriptor is affected like seek. */
1882 static int file_has_perm(const struct cred *cred,
1883 			 struct file *file,
1884 			 u32 av)
1885 {
1886 	struct file_security_struct *fsec = file->f_security;
1887 	struct inode *inode = file_inode(file);
1888 	struct common_audit_data ad;
1889 	u32 sid = cred_sid(cred);
1890 	int rc;
1891 
1892 	ad.type = LSM_AUDIT_DATA_FILE;
1893 	ad.u.file = file;
1894 
1895 	if (sid != fsec->sid) {
1896 		rc = avc_has_perm(&selinux_state,
1897 				  sid, fsec->sid,
1898 				  SECCLASS_FD,
1899 				  FD__USE,
1900 				  &ad);
1901 		if (rc)
1902 			goto out;
1903 	}
1904 
1905 #ifdef CONFIG_BPF_SYSCALL
1906 	rc = bpf_fd_pass(file, cred_sid(cred));
1907 	if (rc)
1908 		return rc;
1909 #endif
1910 
1911 	/* av is zero if only checking access to the descriptor. */
1912 	rc = 0;
1913 	if (av)
1914 		rc = inode_has_perm(cred, inode, av, &ad);
1915 
1916 out:
1917 	return rc;
1918 }
1919 
1920 /*
1921  * Determine the label for an inode that might be unioned.
1922  */
1923 static int
1924 selinux_determine_inode_label(const struct task_security_struct *tsec,
1925 				 struct inode *dir,
1926 				 const struct qstr *name, u16 tclass,
1927 				 u32 *_new_isid)
1928 {
1929 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1930 
1931 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1932 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1933 		*_new_isid = sbsec->mntpoint_sid;
1934 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1935 		   tsec->create_sid) {
1936 		*_new_isid = tsec->create_sid;
1937 	} else {
1938 		const struct inode_security_struct *dsec = inode_security(dir);
1939 		return security_transition_sid(&selinux_state, tsec->sid,
1940 					       dsec->sid, tclass,
1941 					       name, _new_isid);
1942 	}
1943 
1944 	return 0;
1945 }
1946 
1947 /* Check whether a task can create a file. */
1948 static int may_create(struct inode *dir,
1949 		      struct dentry *dentry,
1950 		      u16 tclass)
1951 {
1952 	const struct task_security_struct *tsec = current_security();
1953 	struct inode_security_struct *dsec;
1954 	struct superblock_security_struct *sbsec;
1955 	u32 sid, newsid;
1956 	struct common_audit_data ad;
1957 	int rc;
1958 
1959 	dsec = inode_security(dir);
1960 	sbsec = dir->i_sb->s_security;
1961 
1962 	sid = tsec->sid;
1963 
1964 	ad.type = LSM_AUDIT_DATA_DENTRY;
1965 	ad.u.dentry = dentry;
1966 
1967 	rc = avc_has_perm(&selinux_state,
1968 			  sid, dsec->sid, SECCLASS_DIR,
1969 			  DIR__ADD_NAME | DIR__SEARCH,
1970 			  &ad);
1971 	if (rc)
1972 		return rc;
1973 
1974 	rc = selinux_determine_inode_label(current_security(), dir,
1975 					   &dentry->d_name, tclass, &newsid);
1976 	if (rc)
1977 		return rc;
1978 
1979 	rc = avc_has_perm(&selinux_state,
1980 			  sid, newsid, tclass, FILE__CREATE, &ad);
1981 	if (rc)
1982 		return rc;
1983 
1984 	return avc_has_perm(&selinux_state,
1985 			    newsid, sbsec->sid,
1986 			    SECCLASS_FILESYSTEM,
1987 			    FILESYSTEM__ASSOCIATE, &ad);
1988 }
1989 
1990 #define MAY_LINK	0
1991 #define MAY_UNLINK	1
1992 #define MAY_RMDIR	2
1993 
1994 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1995 static int may_link(struct inode *dir,
1996 		    struct dentry *dentry,
1997 		    int kind)
1998 
1999 {
2000 	struct inode_security_struct *dsec, *isec;
2001 	struct common_audit_data ad;
2002 	u32 sid = current_sid();
2003 	u32 av;
2004 	int rc;
2005 
2006 	dsec = inode_security(dir);
2007 	isec = backing_inode_security(dentry);
2008 
2009 	ad.type = LSM_AUDIT_DATA_DENTRY;
2010 	ad.u.dentry = dentry;
2011 
2012 	av = DIR__SEARCH;
2013 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2014 	rc = avc_has_perm(&selinux_state,
2015 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
2016 	if (rc)
2017 		return rc;
2018 
2019 	switch (kind) {
2020 	case MAY_LINK:
2021 		av = FILE__LINK;
2022 		break;
2023 	case MAY_UNLINK:
2024 		av = FILE__UNLINK;
2025 		break;
2026 	case MAY_RMDIR:
2027 		av = DIR__RMDIR;
2028 		break;
2029 	default:
2030 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
2031 			__func__, kind);
2032 		return 0;
2033 	}
2034 
2035 	rc = avc_has_perm(&selinux_state,
2036 			  sid, isec->sid, isec->sclass, av, &ad);
2037 	return rc;
2038 }
2039 
2040 static inline int may_rename(struct inode *old_dir,
2041 			     struct dentry *old_dentry,
2042 			     struct inode *new_dir,
2043 			     struct dentry *new_dentry)
2044 {
2045 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2046 	struct common_audit_data ad;
2047 	u32 sid = current_sid();
2048 	u32 av;
2049 	int old_is_dir, new_is_dir;
2050 	int rc;
2051 
2052 	old_dsec = inode_security(old_dir);
2053 	old_isec = backing_inode_security(old_dentry);
2054 	old_is_dir = d_is_dir(old_dentry);
2055 	new_dsec = inode_security(new_dir);
2056 
2057 	ad.type = LSM_AUDIT_DATA_DENTRY;
2058 
2059 	ad.u.dentry = old_dentry;
2060 	rc = avc_has_perm(&selinux_state,
2061 			  sid, old_dsec->sid, SECCLASS_DIR,
2062 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2063 	if (rc)
2064 		return rc;
2065 	rc = avc_has_perm(&selinux_state,
2066 			  sid, old_isec->sid,
2067 			  old_isec->sclass, FILE__RENAME, &ad);
2068 	if (rc)
2069 		return rc;
2070 	if (old_is_dir && new_dir != old_dir) {
2071 		rc = avc_has_perm(&selinux_state,
2072 				  sid, old_isec->sid,
2073 				  old_isec->sclass, DIR__REPARENT, &ad);
2074 		if (rc)
2075 			return rc;
2076 	}
2077 
2078 	ad.u.dentry = new_dentry;
2079 	av = DIR__ADD_NAME | DIR__SEARCH;
2080 	if (d_is_positive(new_dentry))
2081 		av |= DIR__REMOVE_NAME;
2082 	rc = avc_has_perm(&selinux_state,
2083 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2084 	if (rc)
2085 		return rc;
2086 	if (d_is_positive(new_dentry)) {
2087 		new_isec = backing_inode_security(new_dentry);
2088 		new_is_dir = d_is_dir(new_dentry);
2089 		rc = avc_has_perm(&selinux_state,
2090 				  sid, new_isec->sid,
2091 				  new_isec->sclass,
2092 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2093 		if (rc)
2094 			return rc;
2095 	}
2096 
2097 	return 0;
2098 }
2099 
2100 /* Check whether a task can perform a filesystem operation. */
2101 static int superblock_has_perm(const struct cred *cred,
2102 			       struct super_block *sb,
2103 			       u32 perms,
2104 			       struct common_audit_data *ad)
2105 {
2106 	struct superblock_security_struct *sbsec;
2107 	u32 sid = cred_sid(cred);
2108 
2109 	sbsec = sb->s_security;
2110 	return avc_has_perm(&selinux_state,
2111 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2112 }
2113 
2114 /* Convert a Linux mode and permission mask to an access vector. */
2115 static inline u32 file_mask_to_av(int mode, int mask)
2116 {
2117 	u32 av = 0;
2118 
2119 	if (!S_ISDIR(mode)) {
2120 		if (mask & MAY_EXEC)
2121 			av |= FILE__EXECUTE;
2122 		if (mask & MAY_READ)
2123 			av |= FILE__READ;
2124 
2125 		if (mask & MAY_APPEND)
2126 			av |= FILE__APPEND;
2127 		else if (mask & MAY_WRITE)
2128 			av |= FILE__WRITE;
2129 
2130 	} else {
2131 		if (mask & MAY_EXEC)
2132 			av |= DIR__SEARCH;
2133 		if (mask & MAY_WRITE)
2134 			av |= DIR__WRITE;
2135 		if (mask & MAY_READ)
2136 			av |= DIR__READ;
2137 	}
2138 
2139 	return av;
2140 }
2141 
2142 /* Convert a Linux file to an access vector. */
2143 static inline u32 file_to_av(struct file *file)
2144 {
2145 	u32 av = 0;
2146 
2147 	if (file->f_mode & FMODE_READ)
2148 		av |= FILE__READ;
2149 	if (file->f_mode & FMODE_WRITE) {
2150 		if (file->f_flags & O_APPEND)
2151 			av |= FILE__APPEND;
2152 		else
2153 			av |= FILE__WRITE;
2154 	}
2155 	if (!av) {
2156 		/*
2157 		 * Special file opened with flags 3 for ioctl-only use.
2158 		 */
2159 		av = FILE__IOCTL;
2160 	}
2161 
2162 	return av;
2163 }
2164 
2165 /*
2166  * Convert a file to an access vector and include the correct open
2167  * open permission.
2168  */
2169 static inline u32 open_file_to_av(struct file *file)
2170 {
2171 	u32 av = file_to_av(file);
2172 	struct inode *inode = file_inode(file);
2173 
2174 	if (selinux_policycap_openperm() &&
2175 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2176 		av |= FILE__OPEN;
2177 
2178 	return av;
2179 }
2180 
2181 /* Hook functions begin here. */
2182 
2183 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2184 {
2185 	u32 mysid = current_sid();
2186 	u32 mgrsid = task_sid(mgr);
2187 
2188 	return avc_has_perm(&selinux_state,
2189 			    mysid, mgrsid, SECCLASS_BINDER,
2190 			    BINDER__SET_CONTEXT_MGR, NULL);
2191 }
2192 
2193 static int selinux_binder_transaction(struct task_struct *from,
2194 				      struct task_struct *to)
2195 {
2196 	u32 mysid = current_sid();
2197 	u32 fromsid = task_sid(from);
2198 	u32 tosid = task_sid(to);
2199 	int rc;
2200 
2201 	if (mysid != fromsid) {
2202 		rc = avc_has_perm(&selinux_state,
2203 				  mysid, fromsid, SECCLASS_BINDER,
2204 				  BINDER__IMPERSONATE, NULL);
2205 		if (rc)
2206 			return rc;
2207 	}
2208 
2209 	return avc_has_perm(&selinux_state,
2210 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2211 			    NULL);
2212 }
2213 
2214 static int selinux_binder_transfer_binder(struct task_struct *from,
2215 					  struct task_struct *to)
2216 {
2217 	u32 fromsid = task_sid(from);
2218 	u32 tosid = task_sid(to);
2219 
2220 	return avc_has_perm(&selinux_state,
2221 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2222 			    NULL);
2223 }
2224 
2225 static int selinux_binder_transfer_file(struct task_struct *from,
2226 					struct task_struct *to,
2227 					struct file *file)
2228 {
2229 	u32 sid = task_sid(to);
2230 	struct file_security_struct *fsec = file->f_security;
2231 	struct dentry *dentry = file->f_path.dentry;
2232 	struct inode_security_struct *isec;
2233 	struct common_audit_data ad;
2234 	int rc;
2235 
2236 	ad.type = LSM_AUDIT_DATA_PATH;
2237 	ad.u.path = file->f_path;
2238 
2239 	if (sid != fsec->sid) {
2240 		rc = avc_has_perm(&selinux_state,
2241 				  sid, fsec->sid,
2242 				  SECCLASS_FD,
2243 				  FD__USE,
2244 				  &ad);
2245 		if (rc)
2246 			return rc;
2247 	}
2248 
2249 #ifdef CONFIG_BPF_SYSCALL
2250 	rc = bpf_fd_pass(file, sid);
2251 	if (rc)
2252 		return rc;
2253 #endif
2254 
2255 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2256 		return 0;
2257 
2258 	isec = backing_inode_security(dentry);
2259 	return avc_has_perm(&selinux_state,
2260 			    sid, isec->sid, isec->sclass, file_to_av(file),
2261 			    &ad);
2262 }
2263 
2264 static int selinux_ptrace_access_check(struct task_struct *child,
2265 				     unsigned int mode)
2266 {
2267 	u32 sid = current_sid();
2268 	u32 csid = task_sid(child);
2269 
2270 	if (mode & PTRACE_MODE_READ)
2271 		return avc_has_perm(&selinux_state,
2272 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2273 
2274 	return avc_has_perm(&selinux_state,
2275 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2276 }
2277 
2278 static int selinux_ptrace_traceme(struct task_struct *parent)
2279 {
2280 	return avc_has_perm(&selinux_state,
2281 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2282 			    PROCESS__PTRACE, NULL);
2283 }
2284 
2285 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2286 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2287 {
2288 	return avc_has_perm(&selinux_state,
2289 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2290 			    PROCESS__GETCAP, NULL);
2291 }
2292 
2293 static int selinux_capset(struct cred *new, const struct cred *old,
2294 			  const kernel_cap_t *effective,
2295 			  const kernel_cap_t *inheritable,
2296 			  const kernel_cap_t *permitted)
2297 {
2298 	return avc_has_perm(&selinux_state,
2299 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2300 			    PROCESS__SETCAP, NULL);
2301 }
2302 
2303 /*
2304  * (This comment used to live with the selinux_task_setuid hook,
2305  * which was removed).
2306  *
2307  * Since setuid only affects the current process, and since the SELinux
2308  * controls are not based on the Linux identity attributes, SELinux does not
2309  * need to control this operation.  However, SELinux does control the use of
2310  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2311  */
2312 
2313 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2314 			   int cap, int audit)
2315 {
2316 	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2317 }
2318 
2319 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2320 {
2321 	const struct cred *cred = current_cred();
2322 	int rc = 0;
2323 
2324 	if (!sb)
2325 		return 0;
2326 
2327 	switch (cmds) {
2328 	case Q_SYNC:
2329 	case Q_QUOTAON:
2330 	case Q_QUOTAOFF:
2331 	case Q_SETINFO:
2332 	case Q_SETQUOTA:
2333 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2334 		break;
2335 	case Q_GETFMT:
2336 	case Q_GETINFO:
2337 	case Q_GETQUOTA:
2338 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2339 		break;
2340 	default:
2341 		rc = 0;  /* let the kernel handle invalid cmds */
2342 		break;
2343 	}
2344 	return rc;
2345 }
2346 
2347 static int selinux_quota_on(struct dentry *dentry)
2348 {
2349 	const struct cred *cred = current_cred();
2350 
2351 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2352 }
2353 
2354 static int selinux_syslog(int type)
2355 {
2356 	switch (type) {
2357 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2358 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2359 		return avc_has_perm(&selinux_state,
2360 				    current_sid(), SECINITSID_KERNEL,
2361 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2362 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2363 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2364 	/* Set level of messages printed to console */
2365 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2366 		return avc_has_perm(&selinux_state,
2367 				    current_sid(), SECINITSID_KERNEL,
2368 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2369 				    NULL);
2370 	}
2371 	/* All other syslog types */
2372 	return avc_has_perm(&selinux_state,
2373 			    current_sid(), SECINITSID_KERNEL,
2374 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2375 }
2376 
2377 /*
2378  * Check that a process has enough memory to allocate a new virtual
2379  * mapping. 0 means there is enough memory for the allocation to
2380  * succeed and -ENOMEM implies there is not.
2381  *
2382  * Do not audit the selinux permission check, as this is applied to all
2383  * processes that allocate mappings.
2384  */
2385 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2386 {
2387 	int rc, cap_sys_admin = 0;
2388 
2389 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2390 				 SECURITY_CAP_NOAUDIT, true);
2391 	if (rc == 0)
2392 		cap_sys_admin = 1;
2393 
2394 	return cap_sys_admin;
2395 }
2396 
2397 /* binprm security operations */
2398 
2399 static u32 ptrace_parent_sid(void)
2400 {
2401 	u32 sid = 0;
2402 	struct task_struct *tracer;
2403 
2404 	rcu_read_lock();
2405 	tracer = ptrace_parent(current);
2406 	if (tracer)
2407 		sid = task_sid(tracer);
2408 	rcu_read_unlock();
2409 
2410 	return sid;
2411 }
2412 
2413 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2414 			    const struct task_security_struct *old_tsec,
2415 			    const struct task_security_struct *new_tsec)
2416 {
2417 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2418 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2419 	int rc;
2420 	u32 av;
2421 
2422 	if (!nnp && !nosuid)
2423 		return 0; /* neither NNP nor nosuid */
2424 
2425 	if (new_tsec->sid == old_tsec->sid)
2426 		return 0; /* No change in credentials */
2427 
2428 	/*
2429 	 * If the policy enables the nnp_nosuid_transition policy capability,
2430 	 * then we permit transitions under NNP or nosuid if the
2431 	 * policy allows the corresponding permission between
2432 	 * the old and new contexts.
2433 	 */
2434 	if (selinux_policycap_nnp_nosuid_transition()) {
2435 		av = 0;
2436 		if (nnp)
2437 			av |= PROCESS2__NNP_TRANSITION;
2438 		if (nosuid)
2439 			av |= PROCESS2__NOSUID_TRANSITION;
2440 		rc = avc_has_perm(&selinux_state,
2441 				  old_tsec->sid, new_tsec->sid,
2442 				  SECCLASS_PROCESS2, av, NULL);
2443 		if (!rc)
2444 			return 0;
2445 	}
2446 
2447 	/*
2448 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2449 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2450 	 * of the permissions of the current SID.
2451 	 */
2452 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2453 					 new_tsec->sid);
2454 	if (!rc)
2455 		return 0;
2456 
2457 	/*
2458 	 * On failure, preserve the errno values for NNP vs nosuid.
2459 	 * NNP:  Operation not permitted for caller.
2460 	 * nosuid:  Permission denied to file.
2461 	 */
2462 	if (nnp)
2463 		return -EPERM;
2464 	return -EACCES;
2465 }
2466 
2467 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2468 {
2469 	const struct task_security_struct *old_tsec;
2470 	struct task_security_struct *new_tsec;
2471 	struct inode_security_struct *isec;
2472 	struct common_audit_data ad;
2473 	struct inode *inode = file_inode(bprm->file);
2474 	int rc;
2475 
2476 	/* SELinux context only depends on initial program or script and not
2477 	 * the script interpreter */
2478 	if (bprm->called_set_creds)
2479 		return 0;
2480 
2481 	old_tsec = current_security();
2482 	new_tsec = bprm->cred->security;
2483 	isec = inode_security(inode);
2484 
2485 	/* Default to the current task SID. */
2486 	new_tsec->sid = old_tsec->sid;
2487 	new_tsec->osid = old_tsec->sid;
2488 
2489 	/* Reset fs, key, and sock SIDs on execve. */
2490 	new_tsec->create_sid = 0;
2491 	new_tsec->keycreate_sid = 0;
2492 	new_tsec->sockcreate_sid = 0;
2493 
2494 	if (old_tsec->exec_sid) {
2495 		new_tsec->sid = old_tsec->exec_sid;
2496 		/* Reset exec SID on execve. */
2497 		new_tsec->exec_sid = 0;
2498 
2499 		/* Fail on NNP or nosuid if not an allowed transition. */
2500 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2501 		if (rc)
2502 			return rc;
2503 	} else {
2504 		/* Check for a default transition on this program. */
2505 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2506 					     isec->sid, SECCLASS_PROCESS, NULL,
2507 					     &new_tsec->sid);
2508 		if (rc)
2509 			return rc;
2510 
2511 		/*
2512 		 * Fallback to old SID on NNP or nosuid if not an allowed
2513 		 * transition.
2514 		 */
2515 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2516 		if (rc)
2517 			new_tsec->sid = old_tsec->sid;
2518 	}
2519 
2520 	ad.type = LSM_AUDIT_DATA_FILE;
2521 	ad.u.file = bprm->file;
2522 
2523 	if (new_tsec->sid == old_tsec->sid) {
2524 		rc = avc_has_perm(&selinux_state,
2525 				  old_tsec->sid, isec->sid,
2526 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2527 		if (rc)
2528 			return rc;
2529 	} else {
2530 		/* Check permissions for the transition. */
2531 		rc = avc_has_perm(&selinux_state,
2532 				  old_tsec->sid, new_tsec->sid,
2533 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2534 		if (rc)
2535 			return rc;
2536 
2537 		rc = avc_has_perm(&selinux_state,
2538 				  new_tsec->sid, isec->sid,
2539 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2540 		if (rc)
2541 			return rc;
2542 
2543 		/* Check for shared state */
2544 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2545 			rc = avc_has_perm(&selinux_state,
2546 					  old_tsec->sid, new_tsec->sid,
2547 					  SECCLASS_PROCESS, PROCESS__SHARE,
2548 					  NULL);
2549 			if (rc)
2550 				return -EPERM;
2551 		}
2552 
2553 		/* Make sure that anyone attempting to ptrace over a task that
2554 		 * changes its SID has the appropriate permit */
2555 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2556 			u32 ptsid = ptrace_parent_sid();
2557 			if (ptsid != 0) {
2558 				rc = avc_has_perm(&selinux_state,
2559 						  ptsid, new_tsec->sid,
2560 						  SECCLASS_PROCESS,
2561 						  PROCESS__PTRACE, NULL);
2562 				if (rc)
2563 					return -EPERM;
2564 			}
2565 		}
2566 
2567 		/* Clear any possibly unsafe personality bits on exec: */
2568 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2569 
2570 		/* Enable secure mode for SIDs transitions unless
2571 		   the noatsecure permission is granted between
2572 		   the two SIDs, i.e. ahp returns 0. */
2573 		rc = avc_has_perm(&selinux_state,
2574 				  old_tsec->sid, new_tsec->sid,
2575 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2576 				  NULL);
2577 		bprm->secureexec |= !!rc;
2578 	}
2579 
2580 	return 0;
2581 }
2582 
2583 static int match_file(const void *p, struct file *file, unsigned fd)
2584 {
2585 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2586 }
2587 
2588 /* Derived from fs/exec.c:flush_old_files. */
2589 static inline void flush_unauthorized_files(const struct cred *cred,
2590 					    struct files_struct *files)
2591 {
2592 	struct file *file, *devnull = NULL;
2593 	struct tty_struct *tty;
2594 	int drop_tty = 0;
2595 	unsigned n;
2596 
2597 	tty = get_current_tty();
2598 	if (tty) {
2599 		spin_lock(&tty->files_lock);
2600 		if (!list_empty(&tty->tty_files)) {
2601 			struct tty_file_private *file_priv;
2602 
2603 			/* Revalidate access to controlling tty.
2604 			   Use file_path_has_perm on the tty path directly
2605 			   rather than using file_has_perm, as this particular
2606 			   open file may belong to another process and we are
2607 			   only interested in the inode-based check here. */
2608 			file_priv = list_first_entry(&tty->tty_files,
2609 						struct tty_file_private, list);
2610 			file = file_priv->file;
2611 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2612 				drop_tty = 1;
2613 		}
2614 		spin_unlock(&tty->files_lock);
2615 		tty_kref_put(tty);
2616 	}
2617 	/* Reset controlling tty. */
2618 	if (drop_tty)
2619 		no_tty();
2620 
2621 	/* Revalidate access to inherited open files. */
2622 	n = iterate_fd(files, 0, match_file, cred);
2623 	if (!n) /* none found? */
2624 		return;
2625 
2626 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2627 	if (IS_ERR(devnull))
2628 		devnull = NULL;
2629 	/* replace all the matching ones with this */
2630 	do {
2631 		replace_fd(n - 1, devnull, 0);
2632 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2633 	if (devnull)
2634 		fput(devnull);
2635 }
2636 
2637 /*
2638  * Prepare a process for imminent new credential changes due to exec
2639  */
2640 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2641 {
2642 	struct task_security_struct *new_tsec;
2643 	struct rlimit *rlim, *initrlim;
2644 	int rc, i;
2645 
2646 	new_tsec = bprm->cred->security;
2647 	if (new_tsec->sid == new_tsec->osid)
2648 		return;
2649 
2650 	/* Close files for which the new task SID is not authorized. */
2651 	flush_unauthorized_files(bprm->cred, current->files);
2652 
2653 	/* Always clear parent death signal on SID transitions. */
2654 	current->pdeath_signal = 0;
2655 
2656 	/* Check whether the new SID can inherit resource limits from the old
2657 	 * SID.  If not, reset all soft limits to the lower of the current
2658 	 * task's hard limit and the init task's soft limit.
2659 	 *
2660 	 * Note that the setting of hard limits (even to lower them) can be
2661 	 * controlled by the setrlimit check.  The inclusion of the init task's
2662 	 * soft limit into the computation is to avoid resetting soft limits
2663 	 * higher than the default soft limit for cases where the default is
2664 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2665 	 */
2666 	rc = avc_has_perm(&selinux_state,
2667 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2668 			  PROCESS__RLIMITINH, NULL);
2669 	if (rc) {
2670 		/* protect against do_prlimit() */
2671 		task_lock(current);
2672 		for (i = 0; i < RLIM_NLIMITS; i++) {
2673 			rlim = current->signal->rlim + i;
2674 			initrlim = init_task.signal->rlim + i;
2675 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2676 		}
2677 		task_unlock(current);
2678 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2679 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2680 	}
2681 }
2682 
2683 /*
2684  * Clean up the process immediately after the installation of new credentials
2685  * due to exec
2686  */
2687 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2688 {
2689 	const struct task_security_struct *tsec = current_security();
2690 	struct itimerval itimer;
2691 	u32 osid, sid;
2692 	int rc, i;
2693 
2694 	osid = tsec->osid;
2695 	sid = tsec->sid;
2696 
2697 	if (sid == osid)
2698 		return;
2699 
2700 	/* Check whether the new SID can inherit signal state from the old SID.
2701 	 * If not, clear itimers to avoid subsequent signal generation and
2702 	 * flush and unblock signals.
2703 	 *
2704 	 * This must occur _after_ the task SID has been updated so that any
2705 	 * kill done after the flush will be checked against the new SID.
2706 	 */
2707 	rc = avc_has_perm(&selinux_state,
2708 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2709 	if (rc) {
2710 		if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2711 			memset(&itimer, 0, sizeof itimer);
2712 			for (i = 0; i < 3; i++)
2713 				do_setitimer(i, &itimer, NULL);
2714 		}
2715 		spin_lock_irq(&current->sighand->siglock);
2716 		if (!fatal_signal_pending(current)) {
2717 			flush_sigqueue(&current->pending);
2718 			flush_sigqueue(&current->signal->shared_pending);
2719 			flush_signal_handlers(current, 1);
2720 			sigemptyset(&current->blocked);
2721 			recalc_sigpending();
2722 		}
2723 		spin_unlock_irq(&current->sighand->siglock);
2724 	}
2725 
2726 	/* Wake up the parent if it is waiting so that it can recheck
2727 	 * wait permission to the new task SID. */
2728 	read_lock(&tasklist_lock);
2729 	__wake_up_parent(current, current->real_parent);
2730 	read_unlock(&tasklist_lock);
2731 }
2732 
2733 /* superblock security operations */
2734 
2735 static int selinux_sb_alloc_security(struct super_block *sb)
2736 {
2737 	return superblock_alloc_security(sb);
2738 }
2739 
2740 static void selinux_sb_free_security(struct super_block *sb)
2741 {
2742 	superblock_free_security(sb);
2743 }
2744 
2745 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2746 {
2747 	if (plen > olen)
2748 		return 0;
2749 
2750 	return !memcmp(prefix, option, plen);
2751 }
2752 
2753 static inline int selinux_option(char *option, int len)
2754 {
2755 	return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2756 		match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2757 		match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2758 		match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2759 		match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2760 }
2761 
2762 static inline void take_option(char **to, char *from, int *first, int len)
2763 {
2764 	if (!*first) {
2765 		**to = ',';
2766 		*to += 1;
2767 	} else
2768 		*first = 0;
2769 	memcpy(*to, from, len);
2770 	*to += len;
2771 }
2772 
2773 static inline void take_selinux_option(char **to, char *from, int *first,
2774 				       int len)
2775 {
2776 	int current_size = 0;
2777 
2778 	if (!*first) {
2779 		**to = '|';
2780 		*to += 1;
2781 	} else
2782 		*first = 0;
2783 
2784 	while (current_size < len) {
2785 		if (*from != '"') {
2786 			**to = *from;
2787 			*to += 1;
2788 		}
2789 		from += 1;
2790 		current_size += 1;
2791 	}
2792 }
2793 
2794 static int selinux_sb_copy_data(char *orig, char *copy)
2795 {
2796 	int fnosec, fsec, rc = 0;
2797 	char *in_save, *in_curr, *in_end;
2798 	char *sec_curr, *nosec_save, *nosec;
2799 	int open_quote = 0;
2800 
2801 	in_curr = orig;
2802 	sec_curr = copy;
2803 
2804 	nosec = (char *)get_zeroed_page(GFP_KERNEL);
2805 	if (!nosec) {
2806 		rc = -ENOMEM;
2807 		goto out;
2808 	}
2809 
2810 	nosec_save = nosec;
2811 	fnosec = fsec = 1;
2812 	in_save = in_end = orig;
2813 
2814 	do {
2815 		if (*in_end == '"')
2816 			open_quote = !open_quote;
2817 		if ((*in_end == ',' && open_quote == 0) ||
2818 				*in_end == '\0') {
2819 			int len = in_end - in_curr;
2820 
2821 			if (selinux_option(in_curr, len))
2822 				take_selinux_option(&sec_curr, in_curr, &fsec, len);
2823 			else
2824 				take_option(&nosec, in_curr, &fnosec, len);
2825 
2826 			in_curr = in_end + 1;
2827 		}
2828 	} while (*in_end++);
2829 
2830 	strcpy(in_save, nosec_save);
2831 	free_page((unsigned long)nosec_save);
2832 out:
2833 	return rc;
2834 }
2835 
2836 static int selinux_sb_remount(struct super_block *sb, void *data)
2837 {
2838 	int rc, i, *flags;
2839 	struct security_mnt_opts opts;
2840 	char *secdata, **mount_options;
2841 	struct superblock_security_struct *sbsec = sb->s_security;
2842 
2843 	if (!(sbsec->flags & SE_SBINITIALIZED))
2844 		return 0;
2845 
2846 	if (!data)
2847 		return 0;
2848 
2849 	if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2850 		return 0;
2851 
2852 	security_init_mnt_opts(&opts);
2853 	secdata = alloc_secdata();
2854 	if (!secdata)
2855 		return -ENOMEM;
2856 	rc = selinux_sb_copy_data(data, secdata);
2857 	if (rc)
2858 		goto out_free_secdata;
2859 
2860 	rc = selinux_parse_opts_str(secdata, &opts);
2861 	if (rc)
2862 		goto out_free_secdata;
2863 
2864 	mount_options = opts.mnt_opts;
2865 	flags = opts.mnt_opts_flags;
2866 
2867 	for (i = 0; i < opts.num_mnt_opts; i++) {
2868 		u32 sid;
2869 
2870 		if (flags[i] == SBLABEL_MNT)
2871 			continue;
2872 		rc = security_context_str_to_sid(&selinux_state,
2873 						 mount_options[i], &sid,
2874 						 GFP_KERNEL);
2875 		if (rc) {
2876 			pr_warn("SELinux: security_context_str_to_sid"
2877 			       "(%s) failed for (dev %s, type %s) errno=%d\n",
2878 			       mount_options[i], sb->s_id, sb->s_type->name, rc);
2879 			goto out_free_opts;
2880 		}
2881 		rc = -EINVAL;
2882 		switch (flags[i]) {
2883 		case FSCONTEXT_MNT:
2884 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2885 				goto out_bad_option;
2886 			break;
2887 		case CONTEXT_MNT:
2888 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2889 				goto out_bad_option;
2890 			break;
2891 		case ROOTCONTEXT_MNT: {
2892 			struct inode_security_struct *root_isec;
2893 			root_isec = backing_inode_security(sb->s_root);
2894 
2895 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2896 				goto out_bad_option;
2897 			break;
2898 		}
2899 		case DEFCONTEXT_MNT:
2900 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2901 				goto out_bad_option;
2902 			break;
2903 		default:
2904 			goto out_free_opts;
2905 		}
2906 	}
2907 
2908 	rc = 0;
2909 out_free_opts:
2910 	security_free_mnt_opts(&opts);
2911 out_free_secdata:
2912 	free_secdata(secdata);
2913 	return rc;
2914 out_bad_option:
2915 	pr_warn("SELinux: unable to change security options "
2916 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2917 	       sb->s_type->name);
2918 	goto out_free_opts;
2919 }
2920 
2921 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2922 {
2923 	const struct cred *cred = current_cred();
2924 	struct common_audit_data ad;
2925 	int rc;
2926 
2927 	rc = superblock_doinit(sb, data);
2928 	if (rc)
2929 		return rc;
2930 
2931 	/* Allow all mounts performed by the kernel */
2932 	if (flags & MS_KERNMOUNT)
2933 		return 0;
2934 
2935 	ad.type = LSM_AUDIT_DATA_DENTRY;
2936 	ad.u.dentry = sb->s_root;
2937 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2938 }
2939 
2940 static int selinux_sb_statfs(struct dentry *dentry)
2941 {
2942 	const struct cred *cred = current_cred();
2943 	struct common_audit_data ad;
2944 
2945 	ad.type = LSM_AUDIT_DATA_DENTRY;
2946 	ad.u.dentry = dentry->d_sb->s_root;
2947 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2948 }
2949 
2950 static int selinux_mount(const char *dev_name,
2951 			 const struct path *path,
2952 			 const char *type,
2953 			 unsigned long flags,
2954 			 void *data)
2955 {
2956 	const struct cred *cred = current_cred();
2957 
2958 	if (flags & MS_REMOUNT)
2959 		return superblock_has_perm(cred, path->dentry->d_sb,
2960 					   FILESYSTEM__REMOUNT, NULL);
2961 	else
2962 		return path_has_perm(cred, path, FILE__MOUNTON);
2963 }
2964 
2965 static int selinux_umount(struct vfsmount *mnt, int flags)
2966 {
2967 	const struct cred *cred = current_cred();
2968 
2969 	return superblock_has_perm(cred, mnt->mnt_sb,
2970 				   FILESYSTEM__UNMOUNT, NULL);
2971 }
2972 
2973 /* inode security operations */
2974 
2975 static int selinux_inode_alloc_security(struct inode *inode)
2976 {
2977 	return inode_alloc_security(inode);
2978 }
2979 
2980 static void selinux_inode_free_security(struct inode *inode)
2981 {
2982 	inode_free_security(inode);
2983 }
2984 
2985 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2986 					const struct qstr *name, void **ctx,
2987 					u32 *ctxlen)
2988 {
2989 	u32 newsid;
2990 	int rc;
2991 
2992 	rc = selinux_determine_inode_label(current_security(),
2993 					   d_inode(dentry->d_parent), name,
2994 					   inode_mode_to_security_class(mode),
2995 					   &newsid);
2996 	if (rc)
2997 		return rc;
2998 
2999 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3000 				       ctxlen);
3001 }
3002 
3003 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3004 					  struct qstr *name,
3005 					  const struct cred *old,
3006 					  struct cred *new)
3007 {
3008 	u32 newsid;
3009 	int rc;
3010 	struct task_security_struct *tsec;
3011 
3012 	rc = selinux_determine_inode_label(old->security,
3013 					   d_inode(dentry->d_parent), name,
3014 					   inode_mode_to_security_class(mode),
3015 					   &newsid);
3016 	if (rc)
3017 		return rc;
3018 
3019 	tsec = new->security;
3020 	tsec->create_sid = newsid;
3021 	return 0;
3022 }
3023 
3024 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3025 				       const struct qstr *qstr,
3026 				       const char **name,
3027 				       void **value, size_t *len)
3028 {
3029 	const struct task_security_struct *tsec = current_security();
3030 	struct superblock_security_struct *sbsec;
3031 	u32 newsid, clen;
3032 	int rc;
3033 	char *context;
3034 
3035 	sbsec = dir->i_sb->s_security;
3036 
3037 	newsid = tsec->create_sid;
3038 
3039 	rc = selinux_determine_inode_label(current_security(),
3040 		dir, qstr,
3041 		inode_mode_to_security_class(inode->i_mode),
3042 		&newsid);
3043 	if (rc)
3044 		return rc;
3045 
3046 	/* Possibly defer initialization to selinux_complete_init. */
3047 	if (sbsec->flags & SE_SBINITIALIZED) {
3048 		struct inode_security_struct *isec = inode->i_security;
3049 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
3050 		isec->sid = newsid;
3051 		isec->initialized = LABEL_INITIALIZED;
3052 	}
3053 
3054 	if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3055 		return -EOPNOTSUPP;
3056 
3057 	if (name)
3058 		*name = XATTR_SELINUX_SUFFIX;
3059 
3060 	if (value && len) {
3061 		rc = security_sid_to_context_force(&selinux_state, newsid,
3062 						   &context, &clen);
3063 		if (rc)
3064 			return rc;
3065 		*value = context;
3066 		*len = clen;
3067 	}
3068 
3069 	return 0;
3070 }
3071 
3072 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3073 {
3074 	return may_create(dir, dentry, SECCLASS_FILE);
3075 }
3076 
3077 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3078 {
3079 	return may_link(dir, old_dentry, MAY_LINK);
3080 }
3081 
3082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3083 {
3084 	return may_link(dir, dentry, MAY_UNLINK);
3085 }
3086 
3087 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3088 {
3089 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3090 }
3091 
3092 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3093 {
3094 	return may_create(dir, dentry, SECCLASS_DIR);
3095 }
3096 
3097 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3098 {
3099 	return may_link(dir, dentry, MAY_RMDIR);
3100 }
3101 
3102 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3103 {
3104 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3105 }
3106 
3107 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3108 				struct inode *new_inode, struct dentry *new_dentry)
3109 {
3110 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3111 }
3112 
3113 static int selinux_inode_readlink(struct dentry *dentry)
3114 {
3115 	const struct cred *cred = current_cred();
3116 
3117 	return dentry_has_perm(cred, dentry, FILE__READ);
3118 }
3119 
3120 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3121 				     bool rcu)
3122 {
3123 	const struct cred *cred = current_cred();
3124 	struct common_audit_data ad;
3125 	struct inode_security_struct *isec;
3126 	u32 sid;
3127 
3128 	validate_creds(cred);
3129 
3130 	ad.type = LSM_AUDIT_DATA_DENTRY;
3131 	ad.u.dentry = dentry;
3132 	sid = cred_sid(cred);
3133 	isec = inode_security_rcu(inode, rcu);
3134 	if (IS_ERR(isec))
3135 		return PTR_ERR(isec);
3136 
3137 	return avc_has_perm_flags(&selinux_state,
3138 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
3139 				  rcu ? MAY_NOT_BLOCK : 0);
3140 }
3141 
3142 static noinline int audit_inode_permission(struct inode *inode,
3143 					   u32 perms, u32 audited, u32 denied,
3144 					   int result,
3145 					   unsigned flags)
3146 {
3147 	struct common_audit_data ad;
3148 	struct inode_security_struct *isec = inode->i_security;
3149 	int rc;
3150 
3151 	ad.type = LSM_AUDIT_DATA_INODE;
3152 	ad.u.inode = inode;
3153 
3154 	rc = slow_avc_audit(&selinux_state,
3155 			    current_sid(), isec->sid, isec->sclass, perms,
3156 			    audited, denied, result, &ad, flags);
3157 	if (rc)
3158 		return rc;
3159 	return 0;
3160 }
3161 
3162 static int selinux_inode_permission(struct inode *inode, int mask)
3163 {
3164 	const struct cred *cred = current_cred();
3165 	u32 perms;
3166 	bool from_access;
3167 	unsigned flags = mask & MAY_NOT_BLOCK;
3168 	struct inode_security_struct *isec;
3169 	u32 sid;
3170 	struct av_decision avd;
3171 	int rc, rc2;
3172 	u32 audited, denied;
3173 
3174 	from_access = mask & MAY_ACCESS;
3175 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3176 
3177 	/* No permission to check.  Existence test. */
3178 	if (!mask)
3179 		return 0;
3180 
3181 	validate_creds(cred);
3182 
3183 	if (unlikely(IS_PRIVATE(inode)))
3184 		return 0;
3185 
3186 	perms = file_mask_to_av(inode->i_mode, mask);
3187 
3188 	sid = cred_sid(cred);
3189 	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3190 	if (IS_ERR(isec))
3191 		return PTR_ERR(isec);
3192 
3193 	rc = avc_has_perm_noaudit(&selinux_state,
3194 				  sid, isec->sid, isec->sclass, perms, 0, &avd);
3195 	audited = avc_audit_required(perms, &avd, rc,
3196 				     from_access ? FILE__AUDIT_ACCESS : 0,
3197 				     &denied);
3198 	if (likely(!audited))
3199 		return rc;
3200 
3201 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3202 	if (rc2)
3203 		return rc2;
3204 	return rc;
3205 }
3206 
3207 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3208 {
3209 	const struct cred *cred = current_cred();
3210 	struct inode *inode = d_backing_inode(dentry);
3211 	unsigned int ia_valid = iattr->ia_valid;
3212 	__u32 av = FILE__WRITE;
3213 
3214 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3215 	if (ia_valid & ATTR_FORCE) {
3216 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3217 			      ATTR_FORCE);
3218 		if (!ia_valid)
3219 			return 0;
3220 	}
3221 
3222 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3223 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3224 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3225 
3226 	if (selinux_policycap_openperm() &&
3227 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3228 	    (ia_valid & ATTR_SIZE) &&
3229 	    !(ia_valid & ATTR_FILE))
3230 		av |= FILE__OPEN;
3231 
3232 	return dentry_has_perm(cred, dentry, av);
3233 }
3234 
3235 static int selinux_inode_getattr(const struct path *path)
3236 {
3237 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3238 }
3239 
3240 static bool has_cap_mac_admin(bool audit)
3241 {
3242 	const struct cred *cred = current_cred();
3243 	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3244 
3245 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3246 		return false;
3247 	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3248 		return false;
3249 	return true;
3250 }
3251 
3252 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3253 				  const void *value, size_t size, int flags)
3254 {
3255 	struct inode *inode = d_backing_inode(dentry);
3256 	struct inode_security_struct *isec;
3257 	struct superblock_security_struct *sbsec;
3258 	struct common_audit_data ad;
3259 	u32 newsid, sid = current_sid();
3260 	int rc = 0;
3261 
3262 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3263 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3264 		if (rc)
3265 			return rc;
3266 
3267 		/* Not an attribute we recognize, so just check the
3268 		   ordinary setattr permission. */
3269 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3270 	}
3271 
3272 	sbsec = inode->i_sb->s_security;
3273 	if (!(sbsec->flags & SBLABEL_MNT))
3274 		return -EOPNOTSUPP;
3275 
3276 	if (!inode_owner_or_capable(inode))
3277 		return -EPERM;
3278 
3279 	ad.type = LSM_AUDIT_DATA_DENTRY;
3280 	ad.u.dentry = dentry;
3281 
3282 	isec = backing_inode_security(dentry);
3283 	rc = avc_has_perm(&selinux_state,
3284 			  sid, isec->sid, isec->sclass,
3285 			  FILE__RELABELFROM, &ad);
3286 	if (rc)
3287 		return rc;
3288 
3289 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3290 				     GFP_KERNEL);
3291 	if (rc == -EINVAL) {
3292 		if (!has_cap_mac_admin(true)) {
3293 			struct audit_buffer *ab;
3294 			size_t audit_size;
3295 
3296 			/* We strip a nul only if it is at the end, otherwise the
3297 			 * context contains a nul and we should audit that */
3298 			if (value) {
3299 				const char *str = value;
3300 
3301 				if (str[size - 1] == '\0')
3302 					audit_size = size - 1;
3303 				else
3304 					audit_size = size;
3305 			} else {
3306 				audit_size = 0;
3307 			}
3308 			ab = audit_log_start(audit_context(),
3309 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3310 			audit_log_format(ab, "op=setxattr invalid_context=");
3311 			audit_log_n_untrustedstring(ab, value, audit_size);
3312 			audit_log_end(ab);
3313 
3314 			return rc;
3315 		}
3316 		rc = security_context_to_sid_force(&selinux_state, value,
3317 						   size, &newsid);
3318 	}
3319 	if (rc)
3320 		return rc;
3321 
3322 	rc = avc_has_perm(&selinux_state,
3323 			  sid, newsid, isec->sclass,
3324 			  FILE__RELABELTO, &ad);
3325 	if (rc)
3326 		return rc;
3327 
3328 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3329 					  sid, isec->sclass);
3330 	if (rc)
3331 		return rc;
3332 
3333 	return avc_has_perm(&selinux_state,
3334 			    newsid,
3335 			    sbsec->sid,
3336 			    SECCLASS_FILESYSTEM,
3337 			    FILESYSTEM__ASSOCIATE,
3338 			    &ad);
3339 }
3340 
3341 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3342 					const void *value, size_t size,
3343 					int flags)
3344 {
3345 	struct inode *inode = d_backing_inode(dentry);
3346 	struct inode_security_struct *isec;
3347 	u32 newsid;
3348 	int rc;
3349 
3350 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3351 		/* Not an attribute we recognize, so nothing to do. */
3352 		return;
3353 	}
3354 
3355 	rc = security_context_to_sid_force(&selinux_state, value, size,
3356 					   &newsid);
3357 	if (rc) {
3358 		pr_err("SELinux:  unable to map context to SID"
3359 		       "for (%s, %lu), rc=%d\n",
3360 		       inode->i_sb->s_id, inode->i_ino, -rc);
3361 		return;
3362 	}
3363 
3364 	isec = backing_inode_security(dentry);
3365 	spin_lock(&isec->lock);
3366 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3367 	isec->sid = newsid;
3368 	isec->initialized = LABEL_INITIALIZED;
3369 	spin_unlock(&isec->lock);
3370 
3371 	return;
3372 }
3373 
3374 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3375 {
3376 	const struct cred *cred = current_cred();
3377 
3378 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3379 }
3380 
3381 static int selinux_inode_listxattr(struct dentry *dentry)
3382 {
3383 	const struct cred *cred = current_cred();
3384 
3385 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3386 }
3387 
3388 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3389 {
3390 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3391 		int rc = cap_inode_removexattr(dentry, name);
3392 		if (rc)
3393 			return rc;
3394 
3395 		/* Not an attribute we recognize, so just check the
3396 		   ordinary setattr permission. */
3397 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3398 	}
3399 
3400 	/* No one is allowed to remove a SELinux security label.
3401 	   You can change the label, but all data must be labeled. */
3402 	return -EACCES;
3403 }
3404 
3405 /*
3406  * Copy the inode security context value to the user.
3407  *
3408  * Permission check is handled by selinux_inode_getxattr hook.
3409  */
3410 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3411 {
3412 	u32 size;
3413 	int error;
3414 	char *context = NULL;
3415 	struct inode_security_struct *isec;
3416 
3417 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3418 		return -EOPNOTSUPP;
3419 
3420 	/*
3421 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3422 	 * value even if it is not defined by current policy; otherwise,
3423 	 * use the in-core value under current policy.
3424 	 * Use the non-auditing forms of the permission checks since
3425 	 * getxattr may be called by unprivileged processes commonly
3426 	 * and lack of permission just means that we fall back to the
3427 	 * in-core context value, not a denial.
3428 	 */
3429 	isec = inode_security(inode);
3430 	if (has_cap_mac_admin(false))
3431 		error = security_sid_to_context_force(&selinux_state,
3432 						      isec->sid, &context,
3433 						      &size);
3434 	else
3435 		error = security_sid_to_context(&selinux_state, isec->sid,
3436 						&context, &size);
3437 	if (error)
3438 		return error;
3439 	error = size;
3440 	if (alloc) {
3441 		*buffer = context;
3442 		goto out_nofree;
3443 	}
3444 	kfree(context);
3445 out_nofree:
3446 	return error;
3447 }
3448 
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 				     const void *value, size_t size, int flags)
3451 {
3452 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 	u32 newsid;
3454 	int rc;
3455 
3456 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3457 		return -EOPNOTSUPP;
3458 
3459 	if (!value || !size)
3460 		return -EACCES;
3461 
3462 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3463 				     GFP_KERNEL);
3464 	if (rc)
3465 		return rc;
3466 
3467 	spin_lock(&isec->lock);
3468 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3469 	isec->sid = newsid;
3470 	isec->initialized = LABEL_INITIALIZED;
3471 	spin_unlock(&isec->lock);
3472 	return 0;
3473 }
3474 
3475 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3476 {
3477 	const int len = sizeof(XATTR_NAME_SELINUX);
3478 	if (buffer && len <= buffer_size)
3479 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3480 	return len;
3481 }
3482 
3483 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3484 {
3485 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3486 	*secid = isec->sid;
3487 }
3488 
3489 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3490 {
3491 	u32 sid;
3492 	struct task_security_struct *tsec;
3493 	struct cred *new_creds = *new;
3494 
3495 	if (new_creds == NULL) {
3496 		new_creds = prepare_creds();
3497 		if (!new_creds)
3498 			return -ENOMEM;
3499 	}
3500 
3501 	tsec = new_creds->security;
3502 	/* Get label from overlay inode and set it in create_sid */
3503 	selinux_inode_getsecid(d_inode(src), &sid);
3504 	tsec->create_sid = sid;
3505 	*new = new_creds;
3506 	return 0;
3507 }
3508 
3509 static int selinux_inode_copy_up_xattr(const char *name)
3510 {
3511 	/* The copy_up hook above sets the initial context on an inode, but we
3512 	 * don't then want to overwrite it by blindly copying all the lower
3513 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3514 	 */
3515 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3516 		return 1; /* Discard */
3517 	/*
3518 	 * Any other attribute apart from SELINUX is not claimed, supported
3519 	 * by selinux.
3520 	 */
3521 	return -EOPNOTSUPP;
3522 }
3523 
3524 /* file security operations */
3525 
3526 static int selinux_revalidate_file_permission(struct file *file, int mask)
3527 {
3528 	const struct cred *cred = current_cred();
3529 	struct inode *inode = file_inode(file);
3530 
3531 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3532 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3533 		mask |= MAY_APPEND;
3534 
3535 	return file_has_perm(cred, file,
3536 			     file_mask_to_av(inode->i_mode, mask));
3537 }
3538 
3539 static int selinux_file_permission(struct file *file, int mask)
3540 {
3541 	struct inode *inode = file_inode(file);
3542 	struct file_security_struct *fsec = file->f_security;
3543 	struct inode_security_struct *isec;
3544 	u32 sid = current_sid();
3545 
3546 	if (!mask)
3547 		/* No permission to check.  Existence test. */
3548 		return 0;
3549 
3550 	isec = inode_security(inode);
3551 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3552 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3553 		/* No change since file_open check. */
3554 		return 0;
3555 
3556 	return selinux_revalidate_file_permission(file, mask);
3557 }
3558 
3559 static int selinux_file_alloc_security(struct file *file)
3560 {
3561 	return file_alloc_security(file);
3562 }
3563 
3564 static void selinux_file_free_security(struct file *file)
3565 {
3566 	file_free_security(file);
3567 }
3568 
3569 /*
3570  * Check whether a task has the ioctl permission and cmd
3571  * operation to an inode.
3572  */
3573 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3574 		u32 requested, u16 cmd)
3575 {
3576 	struct common_audit_data ad;
3577 	struct file_security_struct *fsec = file->f_security;
3578 	struct inode *inode = file_inode(file);
3579 	struct inode_security_struct *isec;
3580 	struct lsm_ioctlop_audit ioctl;
3581 	u32 ssid = cred_sid(cred);
3582 	int rc;
3583 	u8 driver = cmd >> 8;
3584 	u8 xperm = cmd & 0xff;
3585 
3586 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3587 	ad.u.op = &ioctl;
3588 	ad.u.op->cmd = cmd;
3589 	ad.u.op->path = file->f_path;
3590 
3591 	if (ssid != fsec->sid) {
3592 		rc = avc_has_perm(&selinux_state,
3593 				  ssid, fsec->sid,
3594 				SECCLASS_FD,
3595 				FD__USE,
3596 				&ad);
3597 		if (rc)
3598 			goto out;
3599 	}
3600 
3601 	if (unlikely(IS_PRIVATE(inode)))
3602 		return 0;
3603 
3604 	isec = inode_security(inode);
3605 	rc = avc_has_extended_perms(&selinux_state,
3606 				    ssid, isec->sid, isec->sclass,
3607 				    requested, driver, xperm, &ad);
3608 out:
3609 	return rc;
3610 }
3611 
3612 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3613 			      unsigned long arg)
3614 {
3615 	const struct cred *cred = current_cred();
3616 	int error = 0;
3617 
3618 	switch (cmd) {
3619 	case FIONREAD:
3620 	/* fall through */
3621 	case FIBMAP:
3622 	/* fall through */
3623 	case FIGETBSZ:
3624 	/* fall through */
3625 	case FS_IOC_GETFLAGS:
3626 	/* fall through */
3627 	case FS_IOC_GETVERSION:
3628 		error = file_has_perm(cred, file, FILE__GETATTR);
3629 		break;
3630 
3631 	case FS_IOC_SETFLAGS:
3632 	/* fall through */
3633 	case FS_IOC_SETVERSION:
3634 		error = file_has_perm(cred, file, FILE__SETATTR);
3635 		break;
3636 
3637 	/* sys_ioctl() checks */
3638 	case FIONBIO:
3639 	/* fall through */
3640 	case FIOASYNC:
3641 		error = file_has_perm(cred, file, 0);
3642 		break;
3643 
3644 	case KDSKBENT:
3645 	case KDSKBSENT:
3646 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3647 					    SECURITY_CAP_AUDIT, true);
3648 		break;
3649 
3650 	/* default case assumes that the command will go
3651 	 * to the file's ioctl() function.
3652 	 */
3653 	default:
3654 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3655 	}
3656 	return error;
3657 }
3658 
3659 static int default_noexec;
3660 
3661 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3662 {
3663 	const struct cred *cred = current_cred();
3664 	u32 sid = cred_sid(cred);
3665 	int rc = 0;
3666 
3667 	if (default_noexec &&
3668 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3669 				   (!shared && (prot & PROT_WRITE)))) {
3670 		/*
3671 		 * We are making executable an anonymous mapping or a
3672 		 * private file mapping that will also be writable.
3673 		 * This has an additional check.
3674 		 */
3675 		rc = avc_has_perm(&selinux_state,
3676 				  sid, sid, SECCLASS_PROCESS,
3677 				  PROCESS__EXECMEM, NULL);
3678 		if (rc)
3679 			goto error;
3680 	}
3681 
3682 	if (file) {
3683 		/* read access is always possible with a mapping */
3684 		u32 av = FILE__READ;
3685 
3686 		/* write access only matters if the mapping is shared */
3687 		if (shared && (prot & PROT_WRITE))
3688 			av |= FILE__WRITE;
3689 
3690 		if (prot & PROT_EXEC)
3691 			av |= FILE__EXECUTE;
3692 
3693 		return file_has_perm(cred, file, av);
3694 	}
3695 
3696 error:
3697 	return rc;
3698 }
3699 
3700 static int selinux_mmap_addr(unsigned long addr)
3701 {
3702 	int rc = 0;
3703 
3704 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3705 		u32 sid = current_sid();
3706 		rc = avc_has_perm(&selinux_state,
3707 				  sid, sid, SECCLASS_MEMPROTECT,
3708 				  MEMPROTECT__MMAP_ZERO, NULL);
3709 	}
3710 
3711 	return rc;
3712 }
3713 
3714 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3715 			     unsigned long prot, unsigned long flags)
3716 {
3717 	struct common_audit_data ad;
3718 	int rc;
3719 
3720 	if (file) {
3721 		ad.type = LSM_AUDIT_DATA_FILE;
3722 		ad.u.file = file;
3723 		rc = inode_has_perm(current_cred(), file_inode(file),
3724 				    FILE__MAP, &ad);
3725 		if (rc)
3726 			return rc;
3727 	}
3728 
3729 	if (selinux_state.checkreqprot)
3730 		prot = reqprot;
3731 
3732 	return file_map_prot_check(file, prot,
3733 				   (flags & MAP_TYPE) == MAP_SHARED);
3734 }
3735 
3736 static int selinux_file_mprotect(struct vm_area_struct *vma,
3737 				 unsigned long reqprot,
3738 				 unsigned long prot)
3739 {
3740 	const struct cred *cred = current_cred();
3741 	u32 sid = cred_sid(cred);
3742 
3743 	if (selinux_state.checkreqprot)
3744 		prot = reqprot;
3745 
3746 	if (default_noexec &&
3747 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3748 		int rc = 0;
3749 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3750 		    vma->vm_end <= vma->vm_mm->brk) {
3751 			rc = avc_has_perm(&selinux_state,
3752 					  sid, sid, SECCLASS_PROCESS,
3753 					  PROCESS__EXECHEAP, NULL);
3754 		} else if (!vma->vm_file &&
3755 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3756 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3757 			    vma_is_stack_for_current(vma))) {
3758 			rc = avc_has_perm(&selinux_state,
3759 					  sid, sid, SECCLASS_PROCESS,
3760 					  PROCESS__EXECSTACK, NULL);
3761 		} else if (vma->vm_file && vma->anon_vma) {
3762 			/*
3763 			 * We are making executable a file mapping that has
3764 			 * had some COW done. Since pages might have been
3765 			 * written, check ability to execute the possibly
3766 			 * modified content.  This typically should only
3767 			 * occur for text relocations.
3768 			 */
3769 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3770 		}
3771 		if (rc)
3772 			return rc;
3773 	}
3774 
3775 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3776 }
3777 
3778 static int selinux_file_lock(struct file *file, unsigned int cmd)
3779 {
3780 	const struct cred *cred = current_cred();
3781 
3782 	return file_has_perm(cred, file, FILE__LOCK);
3783 }
3784 
3785 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3786 			      unsigned long arg)
3787 {
3788 	const struct cred *cred = current_cred();
3789 	int err = 0;
3790 
3791 	switch (cmd) {
3792 	case F_SETFL:
3793 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3794 			err = file_has_perm(cred, file, FILE__WRITE);
3795 			break;
3796 		}
3797 		/* fall through */
3798 	case F_SETOWN:
3799 	case F_SETSIG:
3800 	case F_GETFL:
3801 	case F_GETOWN:
3802 	case F_GETSIG:
3803 	case F_GETOWNER_UIDS:
3804 		/* Just check FD__USE permission */
3805 		err = file_has_perm(cred, file, 0);
3806 		break;
3807 	case F_GETLK:
3808 	case F_SETLK:
3809 	case F_SETLKW:
3810 	case F_OFD_GETLK:
3811 	case F_OFD_SETLK:
3812 	case F_OFD_SETLKW:
3813 #if BITS_PER_LONG == 32
3814 	case F_GETLK64:
3815 	case F_SETLK64:
3816 	case F_SETLKW64:
3817 #endif
3818 		err = file_has_perm(cred, file, FILE__LOCK);
3819 		break;
3820 	}
3821 
3822 	return err;
3823 }
3824 
3825 static void selinux_file_set_fowner(struct file *file)
3826 {
3827 	struct file_security_struct *fsec;
3828 
3829 	fsec = file->f_security;
3830 	fsec->fown_sid = current_sid();
3831 }
3832 
3833 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3834 				       struct fown_struct *fown, int signum)
3835 {
3836 	struct file *file;
3837 	u32 sid = task_sid(tsk);
3838 	u32 perm;
3839 	struct file_security_struct *fsec;
3840 
3841 	/* struct fown_struct is never outside the context of a struct file */
3842 	file = container_of(fown, struct file, f_owner);
3843 
3844 	fsec = file->f_security;
3845 
3846 	if (!signum)
3847 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3848 	else
3849 		perm = signal_to_av(signum);
3850 
3851 	return avc_has_perm(&selinux_state,
3852 			    fsec->fown_sid, sid,
3853 			    SECCLASS_PROCESS, perm, NULL);
3854 }
3855 
3856 static int selinux_file_receive(struct file *file)
3857 {
3858 	const struct cred *cred = current_cred();
3859 
3860 	return file_has_perm(cred, file, file_to_av(file));
3861 }
3862 
3863 static int selinux_file_open(struct file *file)
3864 {
3865 	struct file_security_struct *fsec;
3866 	struct inode_security_struct *isec;
3867 
3868 	fsec = file->f_security;
3869 	isec = inode_security(file_inode(file));
3870 	/*
3871 	 * Save inode label and policy sequence number
3872 	 * at open-time so that selinux_file_permission
3873 	 * can determine whether revalidation is necessary.
3874 	 * Task label is already saved in the file security
3875 	 * struct as its SID.
3876 	 */
3877 	fsec->isid = isec->sid;
3878 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3879 	/*
3880 	 * Since the inode label or policy seqno may have changed
3881 	 * between the selinux_inode_permission check and the saving
3882 	 * of state above, recheck that access is still permitted.
3883 	 * Otherwise, access might never be revalidated against the
3884 	 * new inode label or new policy.
3885 	 * This check is not redundant - do not remove.
3886 	 */
3887 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3888 }
3889 
3890 /* task security operations */
3891 
3892 static int selinux_task_alloc(struct task_struct *task,
3893 			      unsigned long clone_flags)
3894 {
3895 	u32 sid = current_sid();
3896 
3897 	return avc_has_perm(&selinux_state,
3898 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3899 }
3900 
3901 /*
3902  * allocate the SELinux part of blank credentials
3903  */
3904 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3905 {
3906 	struct task_security_struct *tsec;
3907 
3908 	tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3909 	if (!tsec)
3910 		return -ENOMEM;
3911 
3912 	cred->security = tsec;
3913 	return 0;
3914 }
3915 
3916 /*
3917  * detach and free the LSM part of a set of credentials
3918  */
3919 static void selinux_cred_free(struct cred *cred)
3920 {
3921 	struct task_security_struct *tsec = cred->security;
3922 
3923 	/*
3924 	 * cred->security == NULL if security_cred_alloc_blank() or
3925 	 * security_prepare_creds() returned an error.
3926 	 */
3927 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3928 	cred->security = (void *) 0x7UL;
3929 	kfree(tsec);
3930 }
3931 
3932 /*
3933  * prepare a new set of credentials for modification
3934  */
3935 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3936 				gfp_t gfp)
3937 {
3938 	const struct task_security_struct *old_tsec;
3939 	struct task_security_struct *tsec;
3940 
3941 	old_tsec = old->security;
3942 
3943 	tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3944 	if (!tsec)
3945 		return -ENOMEM;
3946 
3947 	new->security = tsec;
3948 	return 0;
3949 }
3950 
3951 /*
3952  * transfer the SELinux data to a blank set of creds
3953  */
3954 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3955 {
3956 	const struct task_security_struct *old_tsec = old->security;
3957 	struct task_security_struct *tsec = new->security;
3958 
3959 	*tsec = *old_tsec;
3960 }
3961 
3962 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3963 {
3964 	*secid = cred_sid(c);
3965 }
3966 
3967 /*
3968  * set the security data for a kernel service
3969  * - all the creation contexts are set to unlabelled
3970  */
3971 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3972 {
3973 	struct task_security_struct *tsec = new->security;
3974 	u32 sid = current_sid();
3975 	int ret;
3976 
3977 	ret = avc_has_perm(&selinux_state,
3978 			   sid, secid,
3979 			   SECCLASS_KERNEL_SERVICE,
3980 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3981 			   NULL);
3982 	if (ret == 0) {
3983 		tsec->sid = secid;
3984 		tsec->create_sid = 0;
3985 		tsec->keycreate_sid = 0;
3986 		tsec->sockcreate_sid = 0;
3987 	}
3988 	return ret;
3989 }
3990 
3991 /*
3992  * set the file creation context in a security record to the same as the
3993  * objective context of the specified inode
3994  */
3995 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3996 {
3997 	struct inode_security_struct *isec = inode_security(inode);
3998 	struct task_security_struct *tsec = new->security;
3999 	u32 sid = current_sid();
4000 	int ret;
4001 
4002 	ret = avc_has_perm(&selinux_state,
4003 			   sid, isec->sid,
4004 			   SECCLASS_KERNEL_SERVICE,
4005 			   KERNEL_SERVICE__CREATE_FILES_AS,
4006 			   NULL);
4007 
4008 	if (ret == 0)
4009 		tsec->create_sid = isec->sid;
4010 	return ret;
4011 }
4012 
4013 static int selinux_kernel_module_request(char *kmod_name)
4014 {
4015 	struct common_audit_data ad;
4016 
4017 	ad.type = LSM_AUDIT_DATA_KMOD;
4018 	ad.u.kmod_name = kmod_name;
4019 
4020 	return avc_has_perm(&selinux_state,
4021 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4022 			    SYSTEM__MODULE_REQUEST, &ad);
4023 }
4024 
4025 static int selinux_kernel_module_from_file(struct file *file)
4026 {
4027 	struct common_audit_data ad;
4028 	struct inode_security_struct *isec;
4029 	struct file_security_struct *fsec;
4030 	u32 sid = current_sid();
4031 	int rc;
4032 
4033 	/* init_module */
4034 	if (file == NULL)
4035 		return avc_has_perm(&selinux_state,
4036 				    sid, sid, SECCLASS_SYSTEM,
4037 					SYSTEM__MODULE_LOAD, NULL);
4038 
4039 	/* finit_module */
4040 
4041 	ad.type = LSM_AUDIT_DATA_FILE;
4042 	ad.u.file = file;
4043 
4044 	fsec = file->f_security;
4045 	if (sid != fsec->sid) {
4046 		rc = avc_has_perm(&selinux_state,
4047 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4048 		if (rc)
4049 			return rc;
4050 	}
4051 
4052 	isec = inode_security(file_inode(file));
4053 	return avc_has_perm(&selinux_state,
4054 			    sid, isec->sid, SECCLASS_SYSTEM,
4055 				SYSTEM__MODULE_LOAD, &ad);
4056 }
4057 
4058 static int selinux_kernel_read_file(struct file *file,
4059 				    enum kernel_read_file_id id)
4060 {
4061 	int rc = 0;
4062 
4063 	switch (id) {
4064 	case READING_MODULE:
4065 		rc = selinux_kernel_module_from_file(file);
4066 		break;
4067 	default:
4068 		break;
4069 	}
4070 
4071 	return rc;
4072 }
4073 
4074 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4075 {
4076 	int rc = 0;
4077 
4078 	switch (id) {
4079 	case LOADING_MODULE:
4080 		rc = selinux_kernel_module_from_file(NULL);
4081 	default:
4082 		break;
4083 	}
4084 
4085 	return rc;
4086 }
4087 
4088 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4089 {
4090 	return avc_has_perm(&selinux_state,
4091 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4092 			    PROCESS__SETPGID, NULL);
4093 }
4094 
4095 static int selinux_task_getpgid(struct task_struct *p)
4096 {
4097 	return avc_has_perm(&selinux_state,
4098 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4099 			    PROCESS__GETPGID, NULL);
4100 }
4101 
4102 static int selinux_task_getsid(struct task_struct *p)
4103 {
4104 	return avc_has_perm(&selinux_state,
4105 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 			    PROCESS__GETSESSION, NULL);
4107 }
4108 
4109 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4110 {
4111 	*secid = task_sid(p);
4112 }
4113 
4114 static int selinux_task_setnice(struct task_struct *p, int nice)
4115 {
4116 	return avc_has_perm(&selinux_state,
4117 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4118 			    PROCESS__SETSCHED, NULL);
4119 }
4120 
4121 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4122 {
4123 	return avc_has_perm(&selinux_state,
4124 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4125 			    PROCESS__SETSCHED, NULL);
4126 }
4127 
4128 static int selinux_task_getioprio(struct task_struct *p)
4129 {
4130 	return avc_has_perm(&selinux_state,
4131 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4132 			    PROCESS__GETSCHED, NULL);
4133 }
4134 
4135 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4136 				unsigned int flags)
4137 {
4138 	u32 av = 0;
4139 
4140 	if (!flags)
4141 		return 0;
4142 	if (flags & LSM_PRLIMIT_WRITE)
4143 		av |= PROCESS__SETRLIMIT;
4144 	if (flags & LSM_PRLIMIT_READ)
4145 		av |= PROCESS__GETRLIMIT;
4146 	return avc_has_perm(&selinux_state,
4147 			    cred_sid(cred), cred_sid(tcred),
4148 			    SECCLASS_PROCESS, av, NULL);
4149 }
4150 
4151 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4152 		struct rlimit *new_rlim)
4153 {
4154 	struct rlimit *old_rlim = p->signal->rlim + resource;
4155 
4156 	/* Control the ability to change the hard limit (whether
4157 	   lowering or raising it), so that the hard limit can
4158 	   later be used as a safe reset point for the soft limit
4159 	   upon context transitions.  See selinux_bprm_committing_creds. */
4160 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4161 		return avc_has_perm(&selinux_state,
4162 				    current_sid(), task_sid(p),
4163 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4164 
4165 	return 0;
4166 }
4167 
4168 static int selinux_task_setscheduler(struct task_struct *p)
4169 {
4170 	return avc_has_perm(&selinux_state,
4171 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4172 			    PROCESS__SETSCHED, NULL);
4173 }
4174 
4175 static int selinux_task_getscheduler(struct task_struct *p)
4176 {
4177 	return avc_has_perm(&selinux_state,
4178 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4179 			    PROCESS__GETSCHED, NULL);
4180 }
4181 
4182 static int selinux_task_movememory(struct task_struct *p)
4183 {
4184 	return avc_has_perm(&selinux_state,
4185 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4186 			    PROCESS__SETSCHED, NULL);
4187 }
4188 
4189 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4190 				int sig, const struct cred *cred)
4191 {
4192 	u32 secid;
4193 	u32 perm;
4194 
4195 	if (!sig)
4196 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4197 	else
4198 		perm = signal_to_av(sig);
4199 	if (!cred)
4200 		secid = current_sid();
4201 	else
4202 		secid = cred_sid(cred);
4203 	return avc_has_perm(&selinux_state,
4204 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4205 }
4206 
4207 static void selinux_task_to_inode(struct task_struct *p,
4208 				  struct inode *inode)
4209 {
4210 	struct inode_security_struct *isec = inode->i_security;
4211 	u32 sid = task_sid(p);
4212 
4213 	spin_lock(&isec->lock);
4214 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4215 	isec->sid = sid;
4216 	isec->initialized = LABEL_INITIALIZED;
4217 	spin_unlock(&isec->lock);
4218 }
4219 
4220 /* Returns error only if unable to parse addresses */
4221 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4222 			struct common_audit_data *ad, u8 *proto)
4223 {
4224 	int offset, ihlen, ret = -EINVAL;
4225 	struct iphdr _iph, *ih;
4226 
4227 	offset = skb_network_offset(skb);
4228 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4229 	if (ih == NULL)
4230 		goto out;
4231 
4232 	ihlen = ih->ihl * 4;
4233 	if (ihlen < sizeof(_iph))
4234 		goto out;
4235 
4236 	ad->u.net->v4info.saddr = ih->saddr;
4237 	ad->u.net->v4info.daddr = ih->daddr;
4238 	ret = 0;
4239 
4240 	if (proto)
4241 		*proto = ih->protocol;
4242 
4243 	switch (ih->protocol) {
4244 	case IPPROTO_TCP: {
4245 		struct tcphdr _tcph, *th;
4246 
4247 		if (ntohs(ih->frag_off) & IP_OFFSET)
4248 			break;
4249 
4250 		offset += ihlen;
4251 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4252 		if (th == NULL)
4253 			break;
4254 
4255 		ad->u.net->sport = th->source;
4256 		ad->u.net->dport = th->dest;
4257 		break;
4258 	}
4259 
4260 	case IPPROTO_UDP: {
4261 		struct udphdr _udph, *uh;
4262 
4263 		if (ntohs(ih->frag_off) & IP_OFFSET)
4264 			break;
4265 
4266 		offset += ihlen;
4267 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4268 		if (uh == NULL)
4269 			break;
4270 
4271 		ad->u.net->sport = uh->source;
4272 		ad->u.net->dport = uh->dest;
4273 		break;
4274 	}
4275 
4276 	case IPPROTO_DCCP: {
4277 		struct dccp_hdr _dccph, *dh;
4278 
4279 		if (ntohs(ih->frag_off) & IP_OFFSET)
4280 			break;
4281 
4282 		offset += ihlen;
4283 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4284 		if (dh == NULL)
4285 			break;
4286 
4287 		ad->u.net->sport = dh->dccph_sport;
4288 		ad->u.net->dport = dh->dccph_dport;
4289 		break;
4290 	}
4291 
4292 #if IS_ENABLED(CONFIG_IP_SCTP)
4293 	case IPPROTO_SCTP: {
4294 		struct sctphdr _sctph, *sh;
4295 
4296 		if (ntohs(ih->frag_off) & IP_OFFSET)
4297 			break;
4298 
4299 		offset += ihlen;
4300 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4301 		if (sh == NULL)
4302 			break;
4303 
4304 		ad->u.net->sport = sh->source;
4305 		ad->u.net->dport = sh->dest;
4306 		break;
4307 	}
4308 #endif
4309 	default:
4310 		break;
4311 	}
4312 out:
4313 	return ret;
4314 }
4315 
4316 #if IS_ENABLED(CONFIG_IPV6)
4317 
4318 /* Returns error only if unable to parse addresses */
4319 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4320 			struct common_audit_data *ad, u8 *proto)
4321 {
4322 	u8 nexthdr;
4323 	int ret = -EINVAL, offset;
4324 	struct ipv6hdr _ipv6h, *ip6;
4325 	__be16 frag_off;
4326 
4327 	offset = skb_network_offset(skb);
4328 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4329 	if (ip6 == NULL)
4330 		goto out;
4331 
4332 	ad->u.net->v6info.saddr = ip6->saddr;
4333 	ad->u.net->v6info.daddr = ip6->daddr;
4334 	ret = 0;
4335 
4336 	nexthdr = ip6->nexthdr;
4337 	offset += sizeof(_ipv6h);
4338 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4339 	if (offset < 0)
4340 		goto out;
4341 
4342 	if (proto)
4343 		*proto = nexthdr;
4344 
4345 	switch (nexthdr) {
4346 	case IPPROTO_TCP: {
4347 		struct tcphdr _tcph, *th;
4348 
4349 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4350 		if (th == NULL)
4351 			break;
4352 
4353 		ad->u.net->sport = th->source;
4354 		ad->u.net->dport = th->dest;
4355 		break;
4356 	}
4357 
4358 	case IPPROTO_UDP: {
4359 		struct udphdr _udph, *uh;
4360 
4361 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4362 		if (uh == NULL)
4363 			break;
4364 
4365 		ad->u.net->sport = uh->source;
4366 		ad->u.net->dport = uh->dest;
4367 		break;
4368 	}
4369 
4370 	case IPPROTO_DCCP: {
4371 		struct dccp_hdr _dccph, *dh;
4372 
4373 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4374 		if (dh == NULL)
4375 			break;
4376 
4377 		ad->u.net->sport = dh->dccph_sport;
4378 		ad->u.net->dport = dh->dccph_dport;
4379 		break;
4380 	}
4381 
4382 #if IS_ENABLED(CONFIG_IP_SCTP)
4383 	case IPPROTO_SCTP: {
4384 		struct sctphdr _sctph, *sh;
4385 
4386 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4387 		if (sh == NULL)
4388 			break;
4389 
4390 		ad->u.net->sport = sh->source;
4391 		ad->u.net->dport = sh->dest;
4392 		break;
4393 	}
4394 #endif
4395 	/* includes fragments */
4396 	default:
4397 		break;
4398 	}
4399 out:
4400 	return ret;
4401 }
4402 
4403 #endif /* IPV6 */
4404 
4405 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4406 			     char **_addrp, int src, u8 *proto)
4407 {
4408 	char *addrp;
4409 	int ret;
4410 
4411 	switch (ad->u.net->family) {
4412 	case PF_INET:
4413 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4414 		if (ret)
4415 			goto parse_error;
4416 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4417 				       &ad->u.net->v4info.daddr);
4418 		goto okay;
4419 
4420 #if IS_ENABLED(CONFIG_IPV6)
4421 	case PF_INET6:
4422 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4423 		if (ret)
4424 			goto parse_error;
4425 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4426 				       &ad->u.net->v6info.daddr);
4427 		goto okay;
4428 #endif	/* IPV6 */
4429 	default:
4430 		addrp = NULL;
4431 		goto okay;
4432 	}
4433 
4434 parse_error:
4435 	pr_warn(
4436 	       "SELinux: failure in selinux_parse_skb(),"
4437 	       " unable to parse packet\n");
4438 	return ret;
4439 
4440 okay:
4441 	if (_addrp)
4442 		*_addrp = addrp;
4443 	return 0;
4444 }
4445 
4446 /**
4447  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4448  * @skb: the packet
4449  * @family: protocol family
4450  * @sid: the packet's peer label SID
4451  *
4452  * Description:
4453  * Check the various different forms of network peer labeling and determine
4454  * the peer label/SID for the packet; most of the magic actually occurs in
4455  * the security server function security_net_peersid_cmp().  The function
4456  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4457  * or -EACCES if @sid is invalid due to inconsistencies with the different
4458  * peer labels.
4459  *
4460  */
4461 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4462 {
4463 	int err;
4464 	u32 xfrm_sid;
4465 	u32 nlbl_sid;
4466 	u32 nlbl_type;
4467 
4468 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4469 	if (unlikely(err))
4470 		return -EACCES;
4471 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4472 	if (unlikely(err))
4473 		return -EACCES;
4474 
4475 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4476 					   nlbl_type, xfrm_sid, sid);
4477 	if (unlikely(err)) {
4478 		pr_warn(
4479 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4480 		       " unable to determine packet's peer label\n");
4481 		return -EACCES;
4482 	}
4483 
4484 	return 0;
4485 }
4486 
4487 /**
4488  * selinux_conn_sid - Determine the child socket label for a connection
4489  * @sk_sid: the parent socket's SID
4490  * @skb_sid: the packet's SID
4491  * @conn_sid: the resulting connection SID
4492  *
4493  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4494  * combined with the MLS information from @skb_sid in order to create
4495  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4496  * of @sk_sid.  Returns zero on success, negative values on failure.
4497  *
4498  */
4499 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4500 {
4501 	int err = 0;
4502 
4503 	if (skb_sid != SECSID_NULL)
4504 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4505 					    conn_sid);
4506 	else
4507 		*conn_sid = sk_sid;
4508 
4509 	return err;
4510 }
4511 
4512 /* socket security operations */
4513 
4514 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4515 				 u16 secclass, u32 *socksid)
4516 {
4517 	if (tsec->sockcreate_sid > SECSID_NULL) {
4518 		*socksid = tsec->sockcreate_sid;
4519 		return 0;
4520 	}
4521 
4522 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4523 				       secclass, NULL, socksid);
4524 }
4525 
4526 static int sock_has_perm(struct sock *sk, u32 perms)
4527 {
4528 	struct sk_security_struct *sksec = sk->sk_security;
4529 	struct common_audit_data ad;
4530 	struct lsm_network_audit net = {0,};
4531 
4532 	if (sksec->sid == SECINITSID_KERNEL)
4533 		return 0;
4534 
4535 	ad.type = LSM_AUDIT_DATA_NET;
4536 	ad.u.net = &net;
4537 	ad.u.net->sk = sk;
4538 
4539 	return avc_has_perm(&selinux_state,
4540 			    current_sid(), sksec->sid, sksec->sclass, perms,
4541 			    &ad);
4542 }
4543 
4544 static int selinux_socket_create(int family, int type,
4545 				 int protocol, int kern)
4546 {
4547 	const struct task_security_struct *tsec = current_security();
4548 	u32 newsid;
4549 	u16 secclass;
4550 	int rc;
4551 
4552 	if (kern)
4553 		return 0;
4554 
4555 	secclass = socket_type_to_security_class(family, type, protocol);
4556 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4557 	if (rc)
4558 		return rc;
4559 
4560 	return avc_has_perm(&selinux_state,
4561 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4562 }
4563 
4564 static int selinux_socket_post_create(struct socket *sock, int family,
4565 				      int type, int protocol, int kern)
4566 {
4567 	const struct task_security_struct *tsec = current_security();
4568 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4569 	struct sk_security_struct *sksec;
4570 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4571 	u32 sid = SECINITSID_KERNEL;
4572 	int err = 0;
4573 
4574 	if (!kern) {
4575 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4576 		if (err)
4577 			return err;
4578 	}
4579 
4580 	isec->sclass = sclass;
4581 	isec->sid = sid;
4582 	isec->initialized = LABEL_INITIALIZED;
4583 
4584 	if (sock->sk) {
4585 		sksec = sock->sk->sk_security;
4586 		sksec->sclass = sclass;
4587 		sksec->sid = sid;
4588 		/* Allows detection of the first association on this socket */
4589 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4590 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4591 
4592 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4593 	}
4594 
4595 	return err;
4596 }
4597 
4598 static int selinux_socket_socketpair(struct socket *socka,
4599 				     struct socket *sockb)
4600 {
4601 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4602 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4603 
4604 	sksec_a->peer_sid = sksec_b->sid;
4605 	sksec_b->peer_sid = sksec_a->sid;
4606 
4607 	return 0;
4608 }
4609 
4610 /* Range of port numbers used to automatically bind.
4611    Need to determine whether we should perform a name_bind
4612    permission check between the socket and the port number. */
4613 
4614 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4615 {
4616 	struct sock *sk = sock->sk;
4617 	struct sk_security_struct *sksec = sk->sk_security;
4618 	u16 family;
4619 	int err;
4620 
4621 	err = sock_has_perm(sk, SOCKET__BIND);
4622 	if (err)
4623 		goto out;
4624 
4625 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4626 	family = sk->sk_family;
4627 	if (family == PF_INET || family == PF_INET6) {
4628 		char *addrp;
4629 		struct common_audit_data ad;
4630 		struct lsm_network_audit net = {0,};
4631 		struct sockaddr_in *addr4 = NULL;
4632 		struct sockaddr_in6 *addr6 = NULL;
4633 		u16 family_sa = address->sa_family;
4634 		unsigned short snum;
4635 		u32 sid, node_perm;
4636 
4637 		/*
4638 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4639 		 * that validates multiple binding addresses. Because of this
4640 		 * need to check address->sa_family as it is possible to have
4641 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4642 		 */
4643 		switch (family_sa) {
4644 		case AF_UNSPEC:
4645 		case AF_INET:
4646 			if (addrlen < sizeof(struct sockaddr_in))
4647 				return -EINVAL;
4648 			addr4 = (struct sockaddr_in *)address;
4649 			if (family_sa == AF_UNSPEC) {
4650 				/* see __inet_bind(), we only want to allow
4651 				 * AF_UNSPEC if the address is INADDR_ANY
4652 				 */
4653 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4654 					goto err_af;
4655 				family_sa = AF_INET;
4656 			}
4657 			snum = ntohs(addr4->sin_port);
4658 			addrp = (char *)&addr4->sin_addr.s_addr;
4659 			break;
4660 		case AF_INET6:
4661 			if (addrlen < SIN6_LEN_RFC2133)
4662 				return -EINVAL;
4663 			addr6 = (struct sockaddr_in6 *)address;
4664 			snum = ntohs(addr6->sin6_port);
4665 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4666 			break;
4667 		default:
4668 			goto err_af;
4669 		}
4670 
4671 		ad.type = LSM_AUDIT_DATA_NET;
4672 		ad.u.net = &net;
4673 		ad.u.net->sport = htons(snum);
4674 		ad.u.net->family = family_sa;
4675 
4676 		if (snum) {
4677 			int low, high;
4678 
4679 			inet_get_local_port_range(sock_net(sk), &low, &high);
4680 
4681 			if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4682 			    snum > high) {
4683 				err = sel_netport_sid(sk->sk_protocol,
4684 						      snum, &sid);
4685 				if (err)
4686 					goto out;
4687 				err = avc_has_perm(&selinux_state,
4688 						   sksec->sid, sid,
4689 						   sksec->sclass,
4690 						   SOCKET__NAME_BIND, &ad);
4691 				if (err)
4692 					goto out;
4693 			}
4694 		}
4695 
4696 		switch (sksec->sclass) {
4697 		case SECCLASS_TCP_SOCKET:
4698 			node_perm = TCP_SOCKET__NODE_BIND;
4699 			break;
4700 
4701 		case SECCLASS_UDP_SOCKET:
4702 			node_perm = UDP_SOCKET__NODE_BIND;
4703 			break;
4704 
4705 		case SECCLASS_DCCP_SOCKET:
4706 			node_perm = DCCP_SOCKET__NODE_BIND;
4707 			break;
4708 
4709 		case SECCLASS_SCTP_SOCKET:
4710 			node_perm = SCTP_SOCKET__NODE_BIND;
4711 			break;
4712 
4713 		default:
4714 			node_perm = RAWIP_SOCKET__NODE_BIND;
4715 			break;
4716 		}
4717 
4718 		err = sel_netnode_sid(addrp, family_sa, &sid);
4719 		if (err)
4720 			goto out;
4721 
4722 		if (family_sa == AF_INET)
4723 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4724 		else
4725 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4726 
4727 		err = avc_has_perm(&selinux_state,
4728 				   sksec->sid, sid,
4729 				   sksec->sclass, node_perm, &ad);
4730 		if (err)
4731 			goto out;
4732 	}
4733 out:
4734 	return err;
4735 err_af:
4736 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4737 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4738 		return -EINVAL;
4739 	return -EAFNOSUPPORT;
4740 }
4741 
4742 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4743  * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4744  */
4745 static int selinux_socket_connect_helper(struct socket *sock,
4746 					 struct sockaddr *address, int addrlen)
4747 {
4748 	struct sock *sk = sock->sk;
4749 	struct sk_security_struct *sksec = sk->sk_security;
4750 	int err;
4751 
4752 	err = sock_has_perm(sk, SOCKET__CONNECT);
4753 	if (err)
4754 		return err;
4755 
4756 	/*
4757 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4758 	 * for the port.
4759 	 */
4760 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4761 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4762 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4763 		struct common_audit_data ad;
4764 		struct lsm_network_audit net = {0,};
4765 		struct sockaddr_in *addr4 = NULL;
4766 		struct sockaddr_in6 *addr6 = NULL;
4767 		unsigned short snum;
4768 		u32 sid, perm;
4769 
4770 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4771 		 * that validates multiple connect addresses. Because of this
4772 		 * need to check address->sa_family as it is possible to have
4773 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4774 		 */
4775 		switch (address->sa_family) {
4776 		case AF_INET:
4777 			addr4 = (struct sockaddr_in *)address;
4778 			if (addrlen < sizeof(struct sockaddr_in))
4779 				return -EINVAL;
4780 			snum = ntohs(addr4->sin_port);
4781 			break;
4782 		case AF_INET6:
4783 			addr6 = (struct sockaddr_in6 *)address;
4784 			if (addrlen < SIN6_LEN_RFC2133)
4785 				return -EINVAL;
4786 			snum = ntohs(addr6->sin6_port);
4787 			break;
4788 		default:
4789 			/* Note that SCTP services expect -EINVAL, whereas
4790 			 * others expect -EAFNOSUPPORT.
4791 			 */
4792 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4793 				return -EINVAL;
4794 			else
4795 				return -EAFNOSUPPORT;
4796 		}
4797 
4798 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4799 		if (err)
4800 			return err;
4801 
4802 		switch (sksec->sclass) {
4803 		case SECCLASS_TCP_SOCKET:
4804 			perm = TCP_SOCKET__NAME_CONNECT;
4805 			break;
4806 		case SECCLASS_DCCP_SOCKET:
4807 			perm = DCCP_SOCKET__NAME_CONNECT;
4808 			break;
4809 		case SECCLASS_SCTP_SOCKET:
4810 			perm = SCTP_SOCKET__NAME_CONNECT;
4811 			break;
4812 		}
4813 
4814 		ad.type = LSM_AUDIT_DATA_NET;
4815 		ad.u.net = &net;
4816 		ad.u.net->dport = htons(snum);
4817 		ad.u.net->family = address->sa_family;
4818 		err = avc_has_perm(&selinux_state,
4819 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4820 		if (err)
4821 			return err;
4822 	}
4823 
4824 	return 0;
4825 }
4826 
4827 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4828 static int selinux_socket_connect(struct socket *sock,
4829 				  struct sockaddr *address, int addrlen)
4830 {
4831 	int err;
4832 	struct sock *sk = sock->sk;
4833 
4834 	err = selinux_socket_connect_helper(sock, address, addrlen);
4835 	if (err)
4836 		return err;
4837 
4838 	return selinux_netlbl_socket_connect(sk, address);
4839 }
4840 
4841 static int selinux_socket_listen(struct socket *sock, int backlog)
4842 {
4843 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4844 }
4845 
4846 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4847 {
4848 	int err;
4849 	struct inode_security_struct *isec;
4850 	struct inode_security_struct *newisec;
4851 	u16 sclass;
4852 	u32 sid;
4853 
4854 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4855 	if (err)
4856 		return err;
4857 
4858 	isec = inode_security_novalidate(SOCK_INODE(sock));
4859 	spin_lock(&isec->lock);
4860 	sclass = isec->sclass;
4861 	sid = isec->sid;
4862 	spin_unlock(&isec->lock);
4863 
4864 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4865 	newisec->sclass = sclass;
4866 	newisec->sid = sid;
4867 	newisec->initialized = LABEL_INITIALIZED;
4868 
4869 	return 0;
4870 }
4871 
4872 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4873 				  int size)
4874 {
4875 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4876 }
4877 
4878 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4879 				  int size, int flags)
4880 {
4881 	return sock_has_perm(sock->sk, SOCKET__READ);
4882 }
4883 
4884 static int selinux_socket_getsockname(struct socket *sock)
4885 {
4886 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4887 }
4888 
4889 static int selinux_socket_getpeername(struct socket *sock)
4890 {
4891 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4892 }
4893 
4894 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4895 {
4896 	int err;
4897 
4898 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4899 	if (err)
4900 		return err;
4901 
4902 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4903 }
4904 
4905 static int selinux_socket_getsockopt(struct socket *sock, int level,
4906 				     int optname)
4907 {
4908 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4909 }
4910 
4911 static int selinux_socket_shutdown(struct socket *sock, int how)
4912 {
4913 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4914 }
4915 
4916 static int selinux_socket_unix_stream_connect(struct sock *sock,
4917 					      struct sock *other,
4918 					      struct sock *newsk)
4919 {
4920 	struct sk_security_struct *sksec_sock = sock->sk_security;
4921 	struct sk_security_struct *sksec_other = other->sk_security;
4922 	struct sk_security_struct *sksec_new = newsk->sk_security;
4923 	struct common_audit_data ad;
4924 	struct lsm_network_audit net = {0,};
4925 	int err;
4926 
4927 	ad.type = LSM_AUDIT_DATA_NET;
4928 	ad.u.net = &net;
4929 	ad.u.net->sk = other;
4930 
4931 	err = avc_has_perm(&selinux_state,
4932 			   sksec_sock->sid, sksec_other->sid,
4933 			   sksec_other->sclass,
4934 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4935 	if (err)
4936 		return err;
4937 
4938 	/* server child socket */
4939 	sksec_new->peer_sid = sksec_sock->sid;
4940 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4941 				    sksec_sock->sid, &sksec_new->sid);
4942 	if (err)
4943 		return err;
4944 
4945 	/* connecting socket */
4946 	sksec_sock->peer_sid = sksec_new->sid;
4947 
4948 	return 0;
4949 }
4950 
4951 static int selinux_socket_unix_may_send(struct socket *sock,
4952 					struct socket *other)
4953 {
4954 	struct sk_security_struct *ssec = sock->sk->sk_security;
4955 	struct sk_security_struct *osec = other->sk->sk_security;
4956 	struct common_audit_data ad;
4957 	struct lsm_network_audit net = {0,};
4958 
4959 	ad.type = LSM_AUDIT_DATA_NET;
4960 	ad.u.net = &net;
4961 	ad.u.net->sk = other->sk;
4962 
4963 	return avc_has_perm(&selinux_state,
4964 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4965 			    &ad);
4966 }
4967 
4968 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4969 				    char *addrp, u16 family, u32 peer_sid,
4970 				    struct common_audit_data *ad)
4971 {
4972 	int err;
4973 	u32 if_sid;
4974 	u32 node_sid;
4975 
4976 	err = sel_netif_sid(ns, ifindex, &if_sid);
4977 	if (err)
4978 		return err;
4979 	err = avc_has_perm(&selinux_state,
4980 			   peer_sid, if_sid,
4981 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4982 	if (err)
4983 		return err;
4984 
4985 	err = sel_netnode_sid(addrp, family, &node_sid);
4986 	if (err)
4987 		return err;
4988 	return avc_has_perm(&selinux_state,
4989 			    peer_sid, node_sid,
4990 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4991 }
4992 
4993 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4994 				       u16 family)
4995 {
4996 	int err = 0;
4997 	struct sk_security_struct *sksec = sk->sk_security;
4998 	u32 sk_sid = sksec->sid;
4999 	struct common_audit_data ad;
5000 	struct lsm_network_audit net = {0,};
5001 	char *addrp;
5002 
5003 	ad.type = LSM_AUDIT_DATA_NET;
5004 	ad.u.net = &net;
5005 	ad.u.net->netif = skb->skb_iif;
5006 	ad.u.net->family = family;
5007 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5008 	if (err)
5009 		return err;
5010 
5011 	if (selinux_secmark_enabled()) {
5012 		err = avc_has_perm(&selinux_state,
5013 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5014 				   PACKET__RECV, &ad);
5015 		if (err)
5016 			return err;
5017 	}
5018 
5019 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5020 	if (err)
5021 		return err;
5022 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5023 
5024 	return err;
5025 }
5026 
5027 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5028 {
5029 	int err;
5030 	struct sk_security_struct *sksec = sk->sk_security;
5031 	u16 family = sk->sk_family;
5032 	u32 sk_sid = sksec->sid;
5033 	struct common_audit_data ad;
5034 	struct lsm_network_audit net = {0,};
5035 	char *addrp;
5036 	u8 secmark_active;
5037 	u8 peerlbl_active;
5038 
5039 	if (family != PF_INET && family != PF_INET6)
5040 		return 0;
5041 
5042 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5043 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5044 		family = PF_INET;
5045 
5046 	/* If any sort of compatibility mode is enabled then handoff processing
5047 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5048 	 * special handling.  We do this in an attempt to keep this function
5049 	 * as fast and as clean as possible. */
5050 	if (!selinux_policycap_netpeer())
5051 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5052 
5053 	secmark_active = selinux_secmark_enabled();
5054 	peerlbl_active = selinux_peerlbl_enabled();
5055 	if (!secmark_active && !peerlbl_active)
5056 		return 0;
5057 
5058 	ad.type = LSM_AUDIT_DATA_NET;
5059 	ad.u.net = &net;
5060 	ad.u.net->netif = skb->skb_iif;
5061 	ad.u.net->family = family;
5062 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5063 	if (err)
5064 		return err;
5065 
5066 	if (peerlbl_active) {
5067 		u32 peer_sid;
5068 
5069 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5070 		if (err)
5071 			return err;
5072 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5073 					       addrp, family, peer_sid, &ad);
5074 		if (err) {
5075 			selinux_netlbl_err(skb, family, err, 0);
5076 			return err;
5077 		}
5078 		err = avc_has_perm(&selinux_state,
5079 				   sk_sid, peer_sid, SECCLASS_PEER,
5080 				   PEER__RECV, &ad);
5081 		if (err) {
5082 			selinux_netlbl_err(skb, family, err, 0);
5083 			return err;
5084 		}
5085 	}
5086 
5087 	if (secmark_active) {
5088 		err = avc_has_perm(&selinux_state,
5089 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5090 				   PACKET__RECV, &ad);
5091 		if (err)
5092 			return err;
5093 	}
5094 
5095 	return err;
5096 }
5097 
5098 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5099 					    int __user *optlen, unsigned len)
5100 {
5101 	int err = 0;
5102 	char *scontext;
5103 	u32 scontext_len;
5104 	struct sk_security_struct *sksec = sock->sk->sk_security;
5105 	u32 peer_sid = SECSID_NULL;
5106 
5107 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5108 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5109 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5110 		peer_sid = sksec->peer_sid;
5111 	if (peer_sid == SECSID_NULL)
5112 		return -ENOPROTOOPT;
5113 
5114 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5115 				      &scontext_len);
5116 	if (err)
5117 		return err;
5118 
5119 	if (scontext_len > len) {
5120 		err = -ERANGE;
5121 		goto out_len;
5122 	}
5123 
5124 	if (copy_to_user(optval, scontext, scontext_len))
5125 		err = -EFAULT;
5126 
5127 out_len:
5128 	if (put_user(scontext_len, optlen))
5129 		err = -EFAULT;
5130 	kfree(scontext);
5131 	return err;
5132 }
5133 
5134 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5135 {
5136 	u32 peer_secid = SECSID_NULL;
5137 	u16 family;
5138 	struct inode_security_struct *isec;
5139 
5140 	if (skb && skb->protocol == htons(ETH_P_IP))
5141 		family = PF_INET;
5142 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5143 		family = PF_INET6;
5144 	else if (sock)
5145 		family = sock->sk->sk_family;
5146 	else
5147 		goto out;
5148 
5149 	if (sock && family == PF_UNIX) {
5150 		isec = inode_security_novalidate(SOCK_INODE(sock));
5151 		peer_secid = isec->sid;
5152 	} else if (skb)
5153 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5154 
5155 out:
5156 	*secid = peer_secid;
5157 	if (peer_secid == SECSID_NULL)
5158 		return -EINVAL;
5159 	return 0;
5160 }
5161 
5162 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5163 {
5164 	struct sk_security_struct *sksec;
5165 
5166 	sksec = kzalloc(sizeof(*sksec), priority);
5167 	if (!sksec)
5168 		return -ENOMEM;
5169 
5170 	sksec->peer_sid = SECINITSID_UNLABELED;
5171 	sksec->sid = SECINITSID_UNLABELED;
5172 	sksec->sclass = SECCLASS_SOCKET;
5173 	selinux_netlbl_sk_security_reset(sksec);
5174 	sk->sk_security = sksec;
5175 
5176 	return 0;
5177 }
5178 
5179 static void selinux_sk_free_security(struct sock *sk)
5180 {
5181 	struct sk_security_struct *sksec = sk->sk_security;
5182 
5183 	sk->sk_security = NULL;
5184 	selinux_netlbl_sk_security_free(sksec);
5185 	kfree(sksec);
5186 }
5187 
5188 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5189 {
5190 	struct sk_security_struct *sksec = sk->sk_security;
5191 	struct sk_security_struct *newsksec = newsk->sk_security;
5192 
5193 	newsksec->sid = sksec->sid;
5194 	newsksec->peer_sid = sksec->peer_sid;
5195 	newsksec->sclass = sksec->sclass;
5196 
5197 	selinux_netlbl_sk_security_reset(newsksec);
5198 }
5199 
5200 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5201 {
5202 	if (!sk)
5203 		*secid = SECINITSID_ANY_SOCKET;
5204 	else {
5205 		struct sk_security_struct *sksec = sk->sk_security;
5206 
5207 		*secid = sksec->sid;
5208 	}
5209 }
5210 
5211 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5212 {
5213 	struct inode_security_struct *isec =
5214 		inode_security_novalidate(SOCK_INODE(parent));
5215 	struct sk_security_struct *sksec = sk->sk_security;
5216 
5217 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5218 	    sk->sk_family == PF_UNIX)
5219 		isec->sid = sksec->sid;
5220 	sksec->sclass = isec->sclass;
5221 }
5222 
5223 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5224  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5225  * already present).
5226  */
5227 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5228 				      struct sk_buff *skb)
5229 {
5230 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5231 	struct common_audit_data ad;
5232 	struct lsm_network_audit net = {0,};
5233 	u8 peerlbl_active;
5234 	u32 peer_sid = SECINITSID_UNLABELED;
5235 	u32 conn_sid;
5236 	int err = 0;
5237 
5238 	if (!selinux_policycap_extsockclass())
5239 		return 0;
5240 
5241 	peerlbl_active = selinux_peerlbl_enabled();
5242 
5243 	if (peerlbl_active) {
5244 		/* This will return peer_sid = SECSID_NULL if there are
5245 		 * no peer labels, see security_net_peersid_resolve().
5246 		 */
5247 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5248 					      &peer_sid);
5249 		if (err)
5250 			return err;
5251 
5252 		if (peer_sid == SECSID_NULL)
5253 			peer_sid = SECINITSID_UNLABELED;
5254 	}
5255 
5256 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5257 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5258 
5259 		/* Here as first association on socket. As the peer SID
5260 		 * was allowed by peer recv (and the netif/node checks),
5261 		 * then it is approved by policy and used as the primary
5262 		 * peer SID for getpeercon(3).
5263 		 */
5264 		sksec->peer_sid = peer_sid;
5265 	} else if  (sksec->peer_sid != peer_sid) {
5266 		/* Other association peer SIDs are checked to enforce
5267 		 * consistency among the peer SIDs.
5268 		 */
5269 		ad.type = LSM_AUDIT_DATA_NET;
5270 		ad.u.net = &net;
5271 		ad.u.net->sk = ep->base.sk;
5272 		err = avc_has_perm(&selinux_state,
5273 				   sksec->peer_sid, peer_sid, sksec->sclass,
5274 				   SCTP_SOCKET__ASSOCIATION, &ad);
5275 		if (err)
5276 			return err;
5277 	}
5278 
5279 	/* Compute the MLS component for the connection and store
5280 	 * the information in ep. This will be used by SCTP TCP type
5281 	 * sockets and peeled off connections as they cause a new
5282 	 * socket to be generated. selinux_sctp_sk_clone() will then
5283 	 * plug this into the new socket.
5284 	 */
5285 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5286 	if (err)
5287 		return err;
5288 
5289 	ep->secid = conn_sid;
5290 	ep->peer_secid = peer_sid;
5291 
5292 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5293 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5294 }
5295 
5296 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5297  * based on their @optname.
5298  */
5299 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5300 				     struct sockaddr *address,
5301 				     int addrlen)
5302 {
5303 	int len, err = 0, walk_size = 0;
5304 	void *addr_buf;
5305 	struct sockaddr *addr;
5306 	struct socket *sock;
5307 
5308 	if (!selinux_policycap_extsockclass())
5309 		return 0;
5310 
5311 	/* Process one or more addresses that may be IPv4 or IPv6 */
5312 	sock = sk->sk_socket;
5313 	addr_buf = address;
5314 
5315 	while (walk_size < addrlen) {
5316 		addr = addr_buf;
5317 		switch (addr->sa_family) {
5318 		case AF_UNSPEC:
5319 		case AF_INET:
5320 			len = sizeof(struct sockaddr_in);
5321 			break;
5322 		case AF_INET6:
5323 			len = sizeof(struct sockaddr_in6);
5324 			break;
5325 		default:
5326 			return -EINVAL;
5327 		}
5328 
5329 		err = -EINVAL;
5330 		switch (optname) {
5331 		/* Bind checks */
5332 		case SCTP_PRIMARY_ADDR:
5333 		case SCTP_SET_PEER_PRIMARY_ADDR:
5334 		case SCTP_SOCKOPT_BINDX_ADD:
5335 			err = selinux_socket_bind(sock, addr, len);
5336 			break;
5337 		/* Connect checks */
5338 		case SCTP_SOCKOPT_CONNECTX:
5339 		case SCTP_PARAM_SET_PRIMARY:
5340 		case SCTP_PARAM_ADD_IP:
5341 		case SCTP_SENDMSG_CONNECT:
5342 			err = selinux_socket_connect_helper(sock, addr, len);
5343 			if (err)
5344 				return err;
5345 
5346 			/* As selinux_sctp_bind_connect() is called by the
5347 			 * SCTP protocol layer, the socket is already locked,
5348 			 * therefore selinux_netlbl_socket_connect_locked() is
5349 			 * is called here. The situations handled are:
5350 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5351 			 * whenever a new IP address is added or when a new
5352 			 * primary address is selected.
5353 			 * Note that an SCTP connect(2) call happens before
5354 			 * the SCTP protocol layer and is handled via
5355 			 * selinux_socket_connect().
5356 			 */
5357 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5358 			break;
5359 		}
5360 
5361 		if (err)
5362 			return err;
5363 
5364 		addr_buf += len;
5365 		walk_size += len;
5366 	}
5367 
5368 	return 0;
5369 }
5370 
5371 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5372 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5373 				  struct sock *newsk)
5374 {
5375 	struct sk_security_struct *sksec = sk->sk_security;
5376 	struct sk_security_struct *newsksec = newsk->sk_security;
5377 
5378 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5379 	 * the non-sctp clone version.
5380 	 */
5381 	if (!selinux_policycap_extsockclass())
5382 		return selinux_sk_clone_security(sk, newsk);
5383 
5384 	newsksec->sid = ep->secid;
5385 	newsksec->peer_sid = ep->peer_secid;
5386 	newsksec->sclass = sksec->sclass;
5387 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5388 }
5389 
5390 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5391 				     struct request_sock *req)
5392 {
5393 	struct sk_security_struct *sksec = sk->sk_security;
5394 	int err;
5395 	u16 family = req->rsk_ops->family;
5396 	u32 connsid;
5397 	u32 peersid;
5398 
5399 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5400 	if (err)
5401 		return err;
5402 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5403 	if (err)
5404 		return err;
5405 	req->secid = connsid;
5406 	req->peer_secid = peersid;
5407 
5408 	return selinux_netlbl_inet_conn_request(req, family);
5409 }
5410 
5411 static void selinux_inet_csk_clone(struct sock *newsk,
5412 				   const struct request_sock *req)
5413 {
5414 	struct sk_security_struct *newsksec = newsk->sk_security;
5415 
5416 	newsksec->sid = req->secid;
5417 	newsksec->peer_sid = req->peer_secid;
5418 	/* NOTE: Ideally, we should also get the isec->sid for the
5419 	   new socket in sync, but we don't have the isec available yet.
5420 	   So we will wait until sock_graft to do it, by which
5421 	   time it will have been created and available. */
5422 
5423 	/* We don't need to take any sort of lock here as we are the only
5424 	 * thread with access to newsksec */
5425 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5426 }
5427 
5428 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5429 {
5430 	u16 family = sk->sk_family;
5431 	struct sk_security_struct *sksec = sk->sk_security;
5432 
5433 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5434 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5435 		family = PF_INET;
5436 
5437 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5438 }
5439 
5440 static int selinux_secmark_relabel_packet(u32 sid)
5441 {
5442 	const struct task_security_struct *__tsec;
5443 	u32 tsid;
5444 
5445 	__tsec = current_security();
5446 	tsid = __tsec->sid;
5447 
5448 	return avc_has_perm(&selinux_state,
5449 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5450 			    NULL);
5451 }
5452 
5453 static void selinux_secmark_refcount_inc(void)
5454 {
5455 	atomic_inc(&selinux_secmark_refcount);
5456 }
5457 
5458 static void selinux_secmark_refcount_dec(void)
5459 {
5460 	atomic_dec(&selinux_secmark_refcount);
5461 }
5462 
5463 static void selinux_req_classify_flow(const struct request_sock *req,
5464 				      struct flowi *fl)
5465 {
5466 	fl->flowi_secid = req->secid;
5467 }
5468 
5469 static int selinux_tun_dev_alloc_security(void **security)
5470 {
5471 	struct tun_security_struct *tunsec;
5472 
5473 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5474 	if (!tunsec)
5475 		return -ENOMEM;
5476 	tunsec->sid = current_sid();
5477 
5478 	*security = tunsec;
5479 	return 0;
5480 }
5481 
5482 static void selinux_tun_dev_free_security(void *security)
5483 {
5484 	kfree(security);
5485 }
5486 
5487 static int selinux_tun_dev_create(void)
5488 {
5489 	u32 sid = current_sid();
5490 
5491 	/* we aren't taking into account the "sockcreate" SID since the socket
5492 	 * that is being created here is not a socket in the traditional sense,
5493 	 * instead it is a private sock, accessible only to the kernel, and
5494 	 * representing a wide range of network traffic spanning multiple
5495 	 * connections unlike traditional sockets - check the TUN driver to
5496 	 * get a better understanding of why this socket is special */
5497 
5498 	return avc_has_perm(&selinux_state,
5499 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5500 			    NULL);
5501 }
5502 
5503 static int selinux_tun_dev_attach_queue(void *security)
5504 {
5505 	struct tun_security_struct *tunsec = security;
5506 
5507 	return avc_has_perm(&selinux_state,
5508 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5509 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5510 }
5511 
5512 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5513 {
5514 	struct tun_security_struct *tunsec = security;
5515 	struct sk_security_struct *sksec = sk->sk_security;
5516 
5517 	/* we don't currently perform any NetLabel based labeling here and it
5518 	 * isn't clear that we would want to do so anyway; while we could apply
5519 	 * labeling without the support of the TUN user the resulting labeled
5520 	 * traffic from the other end of the connection would almost certainly
5521 	 * cause confusion to the TUN user that had no idea network labeling
5522 	 * protocols were being used */
5523 
5524 	sksec->sid = tunsec->sid;
5525 	sksec->sclass = SECCLASS_TUN_SOCKET;
5526 
5527 	return 0;
5528 }
5529 
5530 static int selinux_tun_dev_open(void *security)
5531 {
5532 	struct tun_security_struct *tunsec = security;
5533 	u32 sid = current_sid();
5534 	int err;
5535 
5536 	err = avc_has_perm(&selinux_state,
5537 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5538 			   TUN_SOCKET__RELABELFROM, NULL);
5539 	if (err)
5540 		return err;
5541 	err = avc_has_perm(&selinux_state,
5542 			   sid, sid, SECCLASS_TUN_SOCKET,
5543 			   TUN_SOCKET__RELABELTO, NULL);
5544 	if (err)
5545 		return err;
5546 	tunsec->sid = sid;
5547 
5548 	return 0;
5549 }
5550 
5551 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5552 {
5553 	int err = 0;
5554 	u32 perm;
5555 	struct nlmsghdr *nlh;
5556 	struct sk_security_struct *sksec = sk->sk_security;
5557 
5558 	if (skb->len < NLMSG_HDRLEN) {
5559 		err = -EINVAL;
5560 		goto out;
5561 	}
5562 	nlh = nlmsg_hdr(skb);
5563 
5564 	err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5565 	if (err) {
5566 		if (err == -EINVAL) {
5567 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5568 			       " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5569 			       " pig=%d comm=%s\n",
5570 			       sk->sk_protocol, nlh->nlmsg_type,
5571 			       secclass_map[sksec->sclass - 1].name,
5572 			       task_pid_nr(current), current->comm);
5573 			if (!enforcing_enabled(&selinux_state) ||
5574 			    security_get_allow_unknown(&selinux_state))
5575 				err = 0;
5576 		}
5577 
5578 		/* Ignore */
5579 		if (err == -ENOENT)
5580 			err = 0;
5581 		goto out;
5582 	}
5583 
5584 	err = sock_has_perm(sk, perm);
5585 out:
5586 	return err;
5587 }
5588 
5589 #ifdef CONFIG_NETFILTER
5590 
5591 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5592 				       const struct net_device *indev,
5593 				       u16 family)
5594 {
5595 	int err;
5596 	char *addrp;
5597 	u32 peer_sid;
5598 	struct common_audit_data ad;
5599 	struct lsm_network_audit net = {0,};
5600 	u8 secmark_active;
5601 	u8 netlbl_active;
5602 	u8 peerlbl_active;
5603 
5604 	if (!selinux_policycap_netpeer())
5605 		return NF_ACCEPT;
5606 
5607 	secmark_active = selinux_secmark_enabled();
5608 	netlbl_active = netlbl_enabled();
5609 	peerlbl_active = selinux_peerlbl_enabled();
5610 	if (!secmark_active && !peerlbl_active)
5611 		return NF_ACCEPT;
5612 
5613 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5614 		return NF_DROP;
5615 
5616 	ad.type = LSM_AUDIT_DATA_NET;
5617 	ad.u.net = &net;
5618 	ad.u.net->netif = indev->ifindex;
5619 	ad.u.net->family = family;
5620 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5621 		return NF_DROP;
5622 
5623 	if (peerlbl_active) {
5624 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5625 					       addrp, family, peer_sid, &ad);
5626 		if (err) {
5627 			selinux_netlbl_err(skb, family, err, 1);
5628 			return NF_DROP;
5629 		}
5630 	}
5631 
5632 	if (secmark_active)
5633 		if (avc_has_perm(&selinux_state,
5634 				 peer_sid, skb->secmark,
5635 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5636 			return NF_DROP;
5637 
5638 	if (netlbl_active)
5639 		/* we do this in the FORWARD path and not the POST_ROUTING
5640 		 * path because we want to make sure we apply the necessary
5641 		 * labeling before IPsec is applied so we can leverage AH
5642 		 * protection */
5643 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5644 			return NF_DROP;
5645 
5646 	return NF_ACCEPT;
5647 }
5648 
5649 static unsigned int selinux_ipv4_forward(void *priv,
5650 					 struct sk_buff *skb,
5651 					 const struct nf_hook_state *state)
5652 {
5653 	return selinux_ip_forward(skb, state->in, PF_INET);
5654 }
5655 
5656 #if IS_ENABLED(CONFIG_IPV6)
5657 static unsigned int selinux_ipv6_forward(void *priv,
5658 					 struct sk_buff *skb,
5659 					 const struct nf_hook_state *state)
5660 {
5661 	return selinux_ip_forward(skb, state->in, PF_INET6);
5662 }
5663 #endif	/* IPV6 */
5664 
5665 static unsigned int selinux_ip_output(struct sk_buff *skb,
5666 				      u16 family)
5667 {
5668 	struct sock *sk;
5669 	u32 sid;
5670 
5671 	if (!netlbl_enabled())
5672 		return NF_ACCEPT;
5673 
5674 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5675 	 * because we want to make sure we apply the necessary labeling
5676 	 * before IPsec is applied so we can leverage AH protection */
5677 	sk = skb->sk;
5678 	if (sk) {
5679 		struct sk_security_struct *sksec;
5680 
5681 		if (sk_listener(sk))
5682 			/* if the socket is the listening state then this
5683 			 * packet is a SYN-ACK packet which means it needs to
5684 			 * be labeled based on the connection/request_sock and
5685 			 * not the parent socket.  unfortunately, we can't
5686 			 * lookup the request_sock yet as it isn't queued on
5687 			 * the parent socket until after the SYN-ACK is sent.
5688 			 * the "solution" is to simply pass the packet as-is
5689 			 * as any IP option based labeling should be copied
5690 			 * from the initial connection request (in the IP
5691 			 * layer).  it is far from ideal, but until we get a
5692 			 * security label in the packet itself this is the
5693 			 * best we can do. */
5694 			return NF_ACCEPT;
5695 
5696 		/* standard practice, label using the parent socket */
5697 		sksec = sk->sk_security;
5698 		sid = sksec->sid;
5699 	} else
5700 		sid = SECINITSID_KERNEL;
5701 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5702 		return NF_DROP;
5703 
5704 	return NF_ACCEPT;
5705 }
5706 
5707 static unsigned int selinux_ipv4_output(void *priv,
5708 					struct sk_buff *skb,
5709 					const struct nf_hook_state *state)
5710 {
5711 	return selinux_ip_output(skb, PF_INET);
5712 }
5713 
5714 #if IS_ENABLED(CONFIG_IPV6)
5715 static unsigned int selinux_ipv6_output(void *priv,
5716 					struct sk_buff *skb,
5717 					const struct nf_hook_state *state)
5718 {
5719 	return selinux_ip_output(skb, PF_INET6);
5720 }
5721 #endif	/* IPV6 */
5722 
5723 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5724 						int ifindex,
5725 						u16 family)
5726 {
5727 	struct sock *sk = skb_to_full_sk(skb);
5728 	struct sk_security_struct *sksec;
5729 	struct common_audit_data ad;
5730 	struct lsm_network_audit net = {0,};
5731 	char *addrp;
5732 	u8 proto;
5733 
5734 	if (sk == NULL)
5735 		return NF_ACCEPT;
5736 	sksec = sk->sk_security;
5737 
5738 	ad.type = LSM_AUDIT_DATA_NET;
5739 	ad.u.net = &net;
5740 	ad.u.net->netif = ifindex;
5741 	ad.u.net->family = family;
5742 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5743 		return NF_DROP;
5744 
5745 	if (selinux_secmark_enabled())
5746 		if (avc_has_perm(&selinux_state,
5747 				 sksec->sid, skb->secmark,
5748 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5749 			return NF_DROP_ERR(-ECONNREFUSED);
5750 
5751 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5752 		return NF_DROP_ERR(-ECONNREFUSED);
5753 
5754 	return NF_ACCEPT;
5755 }
5756 
5757 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5758 					 const struct net_device *outdev,
5759 					 u16 family)
5760 {
5761 	u32 secmark_perm;
5762 	u32 peer_sid;
5763 	int ifindex = outdev->ifindex;
5764 	struct sock *sk;
5765 	struct common_audit_data ad;
5766 	struct lsm_network_audit net = {0,};
5767 	char *addrp;
5768 	u8 secmark_active;
5769 	u8 peerlbl_active;
5770 
5771 	/* If any sort of compatibility mode is enabled then handoff processing
5772 	 * to the selinux_ip_postroute_compat() function to deal with the
5773 	 * special handling.  We do this in an attempt to keep this function
5774 	 * as fast and as clean as possible. */
5775 	if (!selinux_policycap_netpeer())
5776 		return selinux_ip_postroute_compat(skb, ifindex, family);
5777 
5778 	secmark_active = selinux_secmark_enabled();
5779 	peerlbl_active = selinux_peerlbl_enabled();
5780 	if (!secmark_active && !peerlbl_active)
5781 		return NF_ACCEPT;
5782 
5783 	sk = skb_to_full_sk(skb);
5784 
5785 #ifdef CONFIG_XFRM
5786 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5787 	 * packet transformation so allow the packet to pass without any checks
5788 	 * since we'll have another chance to perform access control checks
5789 	 * when the packet is on it's final way out.
5790 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5791 	 *       is NULL, in this case go ahead and apply access control.
5792 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5793 	 *       TCP listening state we cannot wait until the XFRM processing
5794 	 *       is done as we will miss out on the SA label if we do;
5795 	 *       unfortunately, this means more work, but it is only once per
5796 	 *       connection. */
5797 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5798 	    !(sk && sk_listener(sk)))
5799 		return NF_ACCEPT;
5800 #endif
5801 
5802 	if (sk == NULL) {
5803 		/* Without an associated socket the packet is either coming
5804 		 * from the kernel or it is being forwarded; check the packet
5805 		 * to determine which and if the packet is being forwarded
5806 		 * query the packet directly to determine the security label. */
5807 		if (skb->skb_iif) {
5808 			secmark_perm = PACKET__FORWARD_OUT;
5809 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5810 				return NF_DROP;
5811 		} else {
5812 			secmark_perm = PACKET__SEND;
5813 			peer_sid = SECINITSID_KERNEL;
5814 		}
5815 	} else if (sk_listener(sk)) {
5816 		/* Locally generated packet but the associated socket is in the
5817 		 * listening state which means this is a SYN-ACK packet.  In
5818 		 * this particular case the correct security label is assigned
5819 		 * to the connection/request_sock but unfortunately we can't
5820 		 * query the request_sock as it isn't queued on the parent
5821 		 * socket until after the SYN-ACK packet is sent; the only
5822 		 * viable choice is to regenerate the label like we do in
5823 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5824 		 * for similar problems. */
5825 		u32 skb_sid;
5826 		struct sk_security_struct *sksec;
5827 
5828 		sksec = sk->sk_security;
5829 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5830 			return NF_DROP;
5831 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5832 		 * and the packet has been through at least one XFRM
5833 		 * transformation then we must be dealing with the "final"
5834 		 * form of labeled IPsec packet; since we've already applied
5835 		 * all of our access controls on this packet we can safely
5836 		 * pass the packet. */
5837 		if (skb_sid == SECSID_NULL) {
5838 			switch (family) {
5839 			case PF_INET:
5840 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5841 					return NF_ACCEPT;
5842 				break;
5843 			case PF_INET6:
5844 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5845 					return NF_ACCEPT;
5846 				break;
5847 			default:
5848 				return NF_DROP_ERR(-ECONNREFUSED);
5849 			}
5850 		}
5851 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5852 			return NF_DROP;
5853 		secmark_perm = PACKET__SEND;
5854 	} else {
5855 		/* Locally generated packet, fetch the security label from the
5856 		 * associated socket. */
5857 		struct sk_security_struct *sksec = sk->sk_security;
5858 		peer_sid = sksec->sid;
5859 		secmark_perm = PACKET__SEND;
5860 	}
5861 
5862 	ad.type = LSM_AUDIT_DATA_NET;
5863 	ad.u.net = &net;
5864 	ad.u.net->netif = ifindex;
5865 	ad.u.net->family = family;
5866 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5867 		return NF_DROP;
5868 
5869 	if (secmark_active)
5870 		if (avc_has_perm(&selinux_state,
5871 				 peer_sid, skb->secmark,
5872 				 SECCLASS_PACKET, secmark_perm, &ad))
5873 			return NF_DROP_ERR(-ECONNREFUSED);
5874 
5875 	if (peerlbl_active) {
5876 		u32 if_sid;
5877 		u32 node_sid;
5878 
5879 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5880 			return NF_DROP;
5881 		if (avc_has_perm(&selinux_state,
5882 				 peer_sid, if_sid,
5883 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5884 			return NF_DROP_ERR(-ECONNREFUSED);
5885 
5886 		if (sel_netnode_sid(addrp, family, &node_sid))
5887 			return NF_DROP;
5888 		if (avc_has_perm(&selinux_state,
5889 				 peer_sid, node_sid,
5890 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5891 			return NF_DROP_ERR(-ECONNREFUSED);
5892 	}
5893 
5894 	return NF_ACCEPT;
5895 }
5896 
5897 static unsigned int selinux_ipv4_postroute(void *priv,
5898 					   struct sk_buff *skb,
5899 					   const struct nf_hook_state *state)
5900 {
5901 	return selinux_ip_postroute(skb, state->out, PF_INET);
5902 }
5903 
5904 #if IS_ENABLED(CONFIG_IPV6)
5905 static unsigned int selinux_ipv6_postroute(void *priv,
5906 					   struct sk_buff *skb,
5907 					   const struct nf_hook_state *state)
5908 {
5909 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5910 }
5911 #endif	/* IPV6 */
5912 
5913 #endif	/* CONFIG_NETFILTER */
5914 
5915 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5916 {
5917 	return selinux_nlmsg_perm(sk, skb);
5918 }
5919 
5920 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5921 			      u16 sclass)
5922 {
5923 	struct ipc_security_struct *isec;
5924 
5925 	isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5926 	if (!isec)
5927 		return -ENOMEM;
5928 
5929 	isec->sclass = sclass;
5930 	isec->sid = current_sid();
5931 	perm->security = isec;
5932 
5933 	return 0;
5934 }
5935 
5936 static void ipc_free_security(struct kern_ipc_perm *perm)
5937 {
5938 	struct ipc_security_struct *isec = perm->security;
5939 	perm->security = NULL;
5940 	kfree(isec);
5941 }
5942 
5943 static int msg_msg_alloc_security(struct msg_msg *msg)
5944 {
5945 	struct msg_security_struct *msec;
5946 
5947 	msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5948 	if (!msec)
5949 		return -ENOMEM;
5950 
5951 	msec->sid = SECINITSID_UNLABELED;
5952 	msg->security = msec;
5953 
5954 	return 0;
5955 }
5956 
5957 static void msg_msg_free_security(struct msg_msg *msg)
5958 {
5959 	struct msg_security_struct *msec = msg->security;
5960 
5961 	msg->security = NULL;
5962 	kfree(msec);
5963 }
5964 
5965 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5966 			u32 perms)
5967 {
5968 	struct ipc_security_struct *isec;
5969 	struct common_audit_data ad;
5970 	u32 sid = current_sid();
5971 
5972 	isec = ipc_perms->security;
5973 
5974 	ad.type = LSM_AUDIT_DATA_IPC;
5975 	ad.u.ipc_id = ipc_perms->key;
5976 
5977 	return avc_has_perm(&selinux_state,
5978 			    sid, isec->sid, isec->sclass, perms, &ad);
5979 }
5980 
5981 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5982 {
5983 	return msg_msg_alloc_security(msg);
5984 }
5985 
5986 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5987 {
5988 	msg_msg_free_security(msg);
5989 }
5990 
5991 /* message queue security operations */
5992 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5993 {
5994 	struct ipc_security_struct *isec;
5995 	struct common_audit_data ad;
5996 	u32 sid = current_sid();
5997 	int rc;
5998 
5999 	rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6000 	if (rc)
6001 		return rc;
6002 
6003 	isec = msq->security;
6004 
6005 	ad.type = LSM_AUDIT_DATA_IPC;
6006 	ad.u.ipc_id = msq->key;
6007 
6008 	rc = avc_has_perm(&selinux_state,
6009 			  sid, isec->sid, SECCLASS_MSGQ,
6010 			  MSGQ__CREATE, &ad);
6011 	if (rc) {
6012 		ipc_free_security(msq);
6013 		return rc;
6014 	}
6015 	return 0;
6016 }
6017 
6018 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6019 {
6020 	ipc_free_security(msq);
6021 }
6022 
6023 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6024 {
6025 	struct ipc_security_struct *isec;
6026 	struct common_audit_data ad;
6027 	u32 sid = current_sid();
6028 
6029 	isec = msq->security;
6030 
6031 	ad.type = LSM_AUDIT_DATA_IPC;
6032 	ad.u.ipc_id = msq->key;
6033 
6034 	return avc_has_perm(&selinux_state,
6035 			    sid, isec->sid, SECCLASS_MSGQ,
6036 			    MSGQ__ASSOCIATE, &ad);
6037 }
6038 
6039 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6040 {
6041 	int err;
6042 	int perms;
6043 
6044 	switch (cmd) {
6045 	case IPC_INFO:
6046 	case MSG_INFO:
6047 		/* No specific object, just general system-wide information. */
6048 		return avc_has_perm(&selinux_state,
6049 				    current_sid(), SECINITSID_KERNEL,
6050 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6051 	case IPC_STAT:
6052 	case MSG_STAT:
6053 	case MSG_STAT_ANY:
6054 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6055 		break;
6056 	case IPC_SET:
6057 		perms = MSGQ__SETATTR;
6058 		break;
6059 	case IPC_RMID:
6060 		perms = MSGQ__DESTROY;
6061 		break;
6062 	default:
6063 		return 0;
6064 	}
6065 
6066 	err = ipc_has_perm(msq, perms);
6067 	return err;
6068 }
6069 
6070 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6071 {
6072 	struct ipc_security_struct *isec;
6073 	struct msg_security_struct *msec;
6074 	struct common_audit_data ad;
6075 	u32 sid = current_sid();
6076 	int rc;
6077 
6078 	isec = msq->security;
6079 	msec = msg->security;
6080 
6081 	/*
6082 	 * First time through, need to assign label to the message
6083 	 */
6084 	if (msec->sid == SECINITSID_UNLABELED) {
6085 		/*
6086 		 * Compute new sid based on current process and
6087 		 * message queue this message will be stored in
6088 		 */
6089 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6090 					     SECCLASS_MSG, NULL, &msec->sid);
6091 		if (rc)
6092 			return rc;
6093 	}
6094 
6095 	ad.type = LSM_AUDIT_DATA_IPC;
6096 	ad.u.ipc_id = msq->key;
6097 
6098 	/* Can this process write to the queue? */
6099 	rc = avc_has_perm(&selinux_state,
6100 			  sid, isec->sid, SECCLASS_MSGQ,
6101 			  MSGQ__WRITE, &ad);
6102 	if (!rc)
6103 		/* Can this process send the message */
6104 		rc = avc_has_perm(&selinux_state,
6105 				  sid, msec->sid, SECCLASS_MSG,
6106 				  MSG__SEND, &ad);
6107 	if (!rc)
6108 		/* Can the message be put in the queue? */
6109 		rc = avc_has_perm(&selinux_state,
6110 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6111 				  MSGQ__ENQUEUE, &ad);
6112 
6113 	return rc;
6114 }
6115 
6116 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6117 				    struct task_struct *target,
6118 				    long type, int mode)
6119 {
6120 	struct ipc_security_struct *isec;
6121 	struct msg_security_struct *msec;
6122 	struct common_audit_data ad;
6123 	u32 sid = task_sid(target);
6124 	int rc;
6125 
6126 	isec = msq->security;
6127 	msec = msg->security;
6128 
6129 	ad.type = LSM_AUDIT_DATA_IPC;
6130 	ad.u.ipc_id = msq->key;
6131 
6132 	rc = avc_has_perm(&selinux_state,
6133 			  sid, isec->sid,
6134 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6135 	if (!rc)
6136 		rc = avc_has_perm(&selinux_state,
6137 				  sid, msec->sid,
6138 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6139 	return rc;
6140 }
6141 
6142 /* Shared Memory security operations */
6143 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6144 {
6145 	struct ipc_security_struct *isec;
6146 	struct common_audit_data ad;
6147 	u32 sid = current_sid();
6148 	int rc;
6149 
6150 	rc = ipc_alloc_security(shp, SECCLASS_SHM);
6151 	if (rc)
6152 		return rc;
6153 
6154 	isec = shp->security;
6155 
6156 	ad.type = LSM_AUDIT_DATA_IPC;
6157 	ad.u.ipc_id = shp->key;
6158 
6159 	rc = avc_has_perm(&selinux_state,
6160 			  sid, isec->sid, SECCLASS_SHM,
6161 			  SHM__CREATE, &ad);
6162 	if (rc) {
6163 		ipc_free_security(shp);
6164 		return rc;
6165 	}
6166 	return 0;
6167 }
6168 
6169 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6170 {
6171 	ipc_free_security(shp);
6172 }
6173 
6174 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6175 {
6176 	struct ipc_security_struct *isec;
6177 	struct common_audit_data ad;
6178 	u32 sid = current_sid();
6179 
6180 	isec = shp->security;
6181 
6182 	ad.type = LSM_AUDIT_DATA_IPC;
6183 	ad.u.ipc_id = shp->key;
6184 
6185 	return avc_has_perm(&selinux_state,
6186 			    sid, isec->sid, SECCLASS_SHM,
6187 			    SHM__ASSOCIATE, &ad);
6188 }
6189 
6190 /* Note, at this point, shp is locked down */
6191 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6192 {
6193 	int perms;
6194 	int err;
6195 
6196 	switch (cmd) {
6197 	case IPC_INFO:
6198 	case SHM_INFO:
6199 		/* No specific object, just general system-wide information. */
6200 		return avc_has_perm(&selinux_state,
6201 				    current_sid(), SECINITSID_KERNEL,
6202 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6203 	case IPC_STAT:
6204 	case SHM_STAT:
6205 	case SHM_STAT_ANY:
6206 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6207 		break;
6208 	case IPC_SET:
6209 		perms = SHM__SETATTR;
6210 		break;
6211 	case SHM_LOCK:
6212 	case SHM_UNLOCK:
6213 		perms = SHM__LOCK;
6214 		break;
6215 	case IPC_RMID:
6216 		perms = SHM__DESTROY;
6217 		break;
6218 	default:
6219 		return 0;
6220 	}
6221 
6222 	err = ipc_has_perm(shp, perms);
6223 	return err;
6224 }
6225 
6226 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6227 			     char __user *shmaddr, int shmflg)
6228 {
6229 	u32 perms;
6230 
6231 	if (shmflg & SHM_RDONLY)
6232 		perms = SHM__READ;
6233 	else
6234 		perms = SHM__READ | SHM__WRITE;
6235 
6236 	return ipc_has_perm(shp, perms);
6237 }
6238 
6239 /* Semaphore security operations */
6240 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6241 {
6242 	struct ipc_security_struct *isec;
6243 	struct common_audit_data ad;
6244 	u32 sid = current_sid();
6245 	int rc;
6246 
6247 	rc = ipc_alloc_security(sma, SECCLASS_SEM);
6248 	if (rc)
6249 		return rc;
6250 
6251 	isec = sma->security;
6252 
6253 	ad.type = LSM_AUDIT_DATA_IPC;
6254 	ad.u.ipc_id = sma->key;
6255 
6256 	rc = avc_has_perm(&selinux_state,
6257 			  sid, isec->sid, SECCLASS_SEM,
6258 			  SEM__CREATE, &ad);
6259 	if (rc) {
6260 		ipc_free_security(sma);
6261 		return rc;
6262 	}
6263 	return 0;
6264 }
6265 
6266 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6267 {
6268 	ipc_free_security(sma);
6269 }
6270 
6271 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6272 {
6273 	struct ipc_security_struct *isec;
6274 	struct common_audit_data ad;
6275 	u32 sid = current_sid();
6276 
6277 	isec = sma->security;
6278 
6279 	ad.type = LSM_AUDIT_DATA_IPC;
6280 	ad.u.ipc_id = sma->key;
6281 
6282 	return avc_has_perm(&selinux_state,
6283 			    sid, isec->sid, SECCLASS_SEM,
6284 			    SEM__ASSOCIATE, &ad);
6285 }
6286 
6287 /* Note, at this point, sma is locked down */
6288 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6289 {
6290 	int err;
6291 	u32 perms;
6292 
6293 	switch (cmd) {
6294 	case IPC_INFO:
6295 	case SEM_INFO:
6296 		/* No specific object, just general system-wide information. */
6297 		return avc_has_perm(&selinux_state,
6298 				    current_sid(), SECINITSID_KERNEL,
6299 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6300 	case GETPID:
6301 	case GETNCNT:
6302 	case GETZCNT:
6303 		perms = SEM__GETATTR;
6304 		break;
6305 	case GETVAL:
6306 	case GETALL:
6307 		perms = SEM__READ;
6308 		break;
6309 	case SETVAL:
6310 	case SETALL:
6311 		perms = SEM__WRITE;
6312 		break;
6313 	case IPC_RMID:
6314 		perms = SEM__DESTROY;
6315 		break;
6316 	case IPC_SET:
6317 		perms = SEM__SETATTR;
6318 		break;
6319 	case IPC_STAT:
6320 	case SEM_STAT:
6321 	case SEM_STAT_ANY:
6322 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6323 		break;
6324 	default:
6325 		return 0;
6326 	}
6327 
6328 	err = ipc_has_perm(sma, perms);
6329 	return err;
6330 }
6331 
6332 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6333 			     struct sembuf *sops, unsigned nsops, int alter)
6334 {
6335 	u32 perms;
6336 
6337 	if (alter)
6338 		perms = SEM__READ | SEM__WRITE;
6339 	else
6340 		perms = SEM__READ;
6341 
6342 	return ipc_has_perm(sma, perms);
6343 }
6344 
6345 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6346 {
6347 	u32 av = 0;
6348 
6349 	av = 0;
6350 	if (flag & S_IRUGO)
6351 		av |= IPC__UNIX_READ;
6352 	if (flag & S_IWUGO)
6353 		av |= IPC__UNIX_WRITE;
6354 
6355 	if (av == 0)
6356 		return 0;
6357 
6358 	return ipc_has_perm(ipcp, av);
6359 }
6360 
6361 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6362 {
6363 	struct ipc_security_struct *isec = ipcp->security;
6364 	*secid = isec->sid;
6365 }
6366 
6367 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6368 {
6369 	if (inode)
6370 		inode_doinit_with_dentry(inode, dentry);
6371 }
6372 
6373 static int selinux_getprocattr(struct task_struct *p,
6374 			       char *name, char **value)
6375 {
6376 	const struct task_security_struct *__tsec;
6377 	u32 sid;
6378 	int error;
6379 	unsigned len;
6380 
6381 	rcu_read_lock();
6382 	__tsec = __task_cred(p)->security;
6383 
6384 	if (current != p) {
6385 		error = avc_has_perm(&selinux_state,
6386 				     current_sid(), __tsec->sid,
6387 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6388 		if (error)
6389 			goto bad;
6390 	}
6391 
6392 	if (!strcmp(name, "current"))
6393 		sid = __tsec->sid;
6394 	else if (!strcmp(name, "prev"))
6395 		sid = __tsec->osid;
6396 	else if (!strcmp(name, "exec"))
6397 		sid = __tsec->exec_sid;
6398 	else if (!strcmp(name, "fscreate"))
6399 		sid = __tsec->create_sid;
6400 	else if (!strcmp(name, "keycreate"))
6401 		sid = __tsec->keycreate_sid;
6402 	else if (!strcmp(name, "sockcreate"))
6403 		sid = __tsec->sockcreate_sid;
6404 	else {
6405 		error = -EINVAL;
6406 		goto bad;
6407 	}
6408 	rcu_read_unlock();
6409 
6410 	if (!sid)
6411 		return 0;
6412 
6413 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6414 	if (error)
6415 		return error;
6416 	return len;
6417 
6418 bad:
6419 	rcu_read_unlock();
6420 	return error;
6421 }
6422 
6423 static int selinux_setprocattr(const char *name, void *value, size_t size)
6424 {
6425 	struct task_security_struct *tsec;
6426 	struct cred *new;
6427 	u32 mysid = current_sid(), sid = 0, ptsid;
6428 	int error;
6429 	char *str = value;
6430 
6431 	/*
6432 	 * Basic control over ability to set these attributes at all.
6433 	 */
6434 	if (!strcmp(name, "exec"))
6435 		error = avc_has_perm(&selinux_state,
6436 				     mysid, mysid, SECCLASS_PROCESS,
6437 				     PROCESS__SETEXEC, NULL);
6438 	else if (!strcmp(name, "fscreate"))
6439 		error = avc_has_perm(&selinux_state,
6440 				     mysid, mysid, SECCLASS_PROCESS,
6441 				     PROCESS__SETFSCREATE, NULL);
6442 	else if (!strcmp(name, "keycreate"))
6443 		error = avc_has_perm(&selinux_state,
6444 				     mysid, mysid, SECCLASS_PROCESS,
6445 				     PROCESS__SETKEYCREATE, NULL);
6446 	else if (!strcmp(name, "sockcreate"))
6447 		error = avc_has_perm(&selinux_state,
6448 				     mysid, mysid, SECCLASS_PROCESS,
6449 				     PROCESS__SETSOCKCREATE, NULL);
6450 	else if (!strcmp(name, "current"))
6451 		error = avc_has_perm(&selinux_state,
6452 				     mysid, mysid, SECCLASS_PROCESS,
6453 				     PROCESS__SETCURRENT, NULL);
6454 	else
6455 		error = -EINVAL;
6456 	if (error)
6457 		return error;
6458 
6459 	/* Obtain a SID for the context, if one was specified. */
6460 	if (size && str[0] && str[0] != '\n') {
6461 		if (str[size-1] == '\n') {
6462 			str[size-1] = 0;
6463 			size--;
6464 		}
6465 		error = security_context_to_sid(&selinux_state, value, size,
6466 						&sid, GFP_KERNEL);
6467 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6468 			if (!has_cap_mac_admin(true)) {
6469 				struct audit_buffer *ab;
6470 				size_t audit_size;
6471 
6472 				/* We strip a nul only if it is at the end, otherwise the
6473 				 * context contains a nul and we should audit that */
6474 				if (str[size - 1] == '\0')
6475 					audit_size = size - 1;
6476 				else
6477 					audit_size = size;
6478 				ab = audit_log_start(audit_context(),
6479 						     GFP_ATOMIC,
6480 						     AUDIT_SELINUX_ERR);
6481 				audit_log_format(ab, "op=fscreate invalid_context=");
6482 				audit_log_n_untrustedstring(ab, value, audit_size);
6483 				audit_log_end(ab);
6484 
6485 				return error;
6486 			}
6487 			error = security_context_to_sid_force(
6488 						      &selinux_state,
6489 						      value, size, &sid);
6490 		}
6491 		if (error)
6492 			return error;
6493 	}
6494 
6495 	new = prepare_creds();
6496 	if (!new)
6497 		return -ENOMEM;
6498 
6499 	/* Permission checking based on the specified context is
6500 	   performed during the actual operation (execve,
6501 	   open/mkdir/...), when we know the full context of the
6502 	   operation.  See selinux_bprm_set_creds for the execve
6503 	   checks and may_create for the file creation checks. The
6504 	   operation will then fail if the context is not permitted. */
6505 	tsec = new->security;
6506 	if (!strcmp(name, "exec")) {
6507 		tsec->exec_sid = sid;
6508 	} else if (!strcmp(name, "fscreate")) {
6509 		tsec->create_sid = sid;
6510 	} else if (!strcmp(name, "keycreate")) {
6511 		error = avc_has_perm(&selinux_state,
6512 				     mysid, sid, SECCLASS_KEY, KEY__CREATE,
6513 				     NULL);
6514 		if (error)
6515 			goto abort_change;
6516 		tsec->keycreate_sid = sid;
6517 	} else if (!strcmp(name, "sockcreate")) {
6518 		tsec->sockcreate_sid = sid;
6519 	} else if (!strcmp(name, "current")) {
6520 		error = -EINVAL;
6521 		if (sid == 0)
6522 			goto abort_change;
6523 
6524 		/* Only allow single threaded processes to change context */
6525 		error = -EPERM;
6526 		if (!current_is_single_threaded()) {
6527 			error = security_bounded_transition(&selinux_state,
6528 							    tsec->sid, sid);
6529 			if (error)
6530 				goto abort_change;
6531 		}
6532 
6533 		/* Check permissions for the transition. */
6534 		error = avc_has_perm(&selinux_state,
6535 				     tsec->sid, sid, SECCLASS_PROCESS,
6536 				     PROCESS__DYNTRANSITION, NULL);
6537 		if (error)
6538 			goto abort_change;
6539 
6540 		/* Check for ptracing, and update the task SID if ok.
6541 		   Otherwise, leave SID unchanged and fail. */
6542 		ptsid = ptrace_parent_sid();
6543 		if (ptsid != 0) {
6544 			error = avc_has_perm(&selinux_state,
6545 					     ptsid, sid, SECCLASS_PROCESS,
6546 					     PROCESS__PTRACE, NULL);
6547 			if (error)
6548 				goto abort_change;
6549 		}
6550 
6551 		tsec->sid = sid;
6552 	} else {
6553 		error = -EINVAL;
6554 		goto abort_change;
6555 	}
6556 
6557 	commit_creds(new);
6558 	return size;
6559 
6560 abort_change:
6561 	abort_creds(new);
6562 	return error;
6563 }
6564 
6565 static int selinux_ismaclabel(const char *name)
6566 {
6567 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6568 }
6569 
6570 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6571 {
6572 	return security_sid_to_context(&selinux_state, secid,
6573 				       secdata, seclen);
6574 }
6575 
6576 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6577 {
6578 	return security_context_to_sid(&selinux_state, secdata, seclen,
6579 				       secid, GFP_KERNEL);
6580 }
6581 
6582 static void selinux_release_secctx(char *secdata, u32 seclen)
6583 {
6584 	kfree(secdata);
6585 }
6586 
6587 static void selinux_inode_invalidate_secctx(struct inode *inode)
6588 {
6589 	struct inode_security_struct *isec = inode->i_security;
6590 
6591 	spin_lock(&isec->lock);
6592 	isec->initialized = LABEL_INVALID;
6593 	spin_unlock(&isec->lock);
6594 }
6595 
6596 /*
6597  *	called with inode->i_mutex locked
6598  */
6599 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6600 {
6601 	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6602 }
6603 
6604 /*
6605  *	called with inode->i_mutex locked
6606  */
6607 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6608 {
6609 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6610 }
6611 
6612 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6613 {
6614 	int len = 0;
6615 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6616 						ctx, true);
6617 	if (len < 0)
6618 		return len;
6619 	*ctxlen = len;
6620 	return 0;
6621 }
6622 #ifdef CONFIG_KEYS
6623 
6624 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6625 			     unsigned long flags)
6626 {
6627 	const struct task_security_struct *tsec;
6628 	struct key_security_struct *ksec;
6629 
6630 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6631 	if (!ksec)
6632 		return -ENOMEM;
6633 
6634 	tsec = cred->security;
6635 	if (tsec->keycreate_sid)
6636 		ksec->sid = tsec->keycreate_sid;
6637 	else
6638 		ksec->sid = tsec->sid;
6639 
6640 	k->security = ksec;
6641 	return 0;
6642 }
6643 
6644 static void selinux_key_free(struct key *k)
6645 {
6646 	struct key_security_struct *ksec = k->security;
6647 
6648 	k->security = NULL;
6649 	kfree(ksec);
6650 }
6651 
6652 static int selinux_key_permission(key_ref_t key_ref,
6653 				  const struct cred *cred,
6654 				  unsigned perm)
6655 {
6656 	struct key *key;
6657 	struct key_security_struct *ksec;
6658 	u32 sid;
6659 
6660 	/* if no specific permissions are requested, we skip the
6661 	   permission check. No serious, additional covert channels
6662 	   appear to be created. */
6663 	if (perm == 0)
6664 		return 0;
6665 
6666 	sid = cred_sid(cred);
6667 
6668 	key = key_ref_to_ptr(key_ref);
6669 	ksec = key->security;
6670 
6671 	return avc_has_perm(&selinux_state,
6672 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6673 }
6674 
6675 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6676 {
6677 	struct key_security_struct *ksec = key->security;
6678 	char *context = NULL;
6679 	unsigned len;
6680 	int rc;
6681 
6682 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6683 				     &context, &len);
6684 	if (!rc)
6685 		rc = len;
6686 	*_buffer = context;
6687 	return rc;
6688 }
6689 #endif
6690 
6691 #ifdef CONFIG_SECURITY_INFINIBAND
6692 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6693 {
6694 	struct common_audit_data ad;
6695 	int err;
6696 	u32 sid = 0;
6697 	struct ib_security_struct *sec = ib_sec;
6698 	struct lsm_ibpkey_audit ibpkey;
6699 
6700 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6701 	if (err)
6702 		return err;
6703 
6704 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6705 	ibpkey.subnet_prefix = subnet_prefix;
6706 	ibpkey.pkey = pkey_val;
6707 	ad.u.ibpkey = &ibpkey;
6708 	return avc_has_perm(&selinux_state,
6709 			    sec->sid, sid,
6710 			    SECCLASS_INFINIBAND_PKEY,
6711 			    INFINIBAND_PKEY__ACCESS, &ad);
6712 }
6713 
6714 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6715 					    u8 port_num)
6716 {
6717 	struct common_audit_data ad;
6718 	int err;
6719 	u32 sid = 0;
6720 	struct ib_security_struct *sec = ib_sec;
6721 	struct lsm_ibendport_audit ibendport;
6722 
6723 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6724 				      &sid);
6725 
6726 	if (err)
6727 		return err;
6728 
6729 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6730 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6731 	ibendport.port = port_num;
6732 	ad.u.ibendport = &ibendport;
6733 	return avc_has_perm(&selinux_state,
6734 			    sec->sid, sid,
6735 			    SECCLASS_INFINIBAND_ENDPORT,
6736 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6737 }
6738 
6739 static int selinux_ib_alloc_security(void **ib_sec)
6740 {
6741 	struct ib_security_struct *sec;
6742 
6743 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6744 	if (!sec)
6745 		return -ENOMEM;
6746 	sec->sid = current_sid();
6747 
6748 	*ib_sec = sec;
6749 	return 0;
6750 }
6751 
6752 static void selinux_ib_free_security(void *ib_sec)
6753 {
6754 	kfree(ib_sec);
6755 }
6756 #endif
6757 
6758 #ifdef CONFIG_BPF_SYSCALL
6759 static int selinux_bpf(int cmd, union bpf_attr *attr,
6760 				     unsigned int size)
6761 {
6762 	u32 sid = current_sid();
6763 	int ret;
6764 
6765 	switch (cmd) {
6766 	case BPF_MAP_CREATE:
6767 		ret = avc_has_perm(&selinux_state,
6768 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6769 				   NULL);
6770 		break;
6771 	case BPF_PROG_LOAD:
6772 		ret = avc_has_perm(&selinux_state,
6773 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6774 				   NULL);
6775 		break;
6776 	default:
6777 		ret = 0;
6778 		break;
6779 	}
6780 
6781 	return ret;
6782 }
6783 
6784 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6785 {
6786 	u32 av = 0;
6787 
6788 	if (fmode & FMODE_READ)
6789 		av |= BPF__MAP_READ;
6790 	if (fmode & FMODE_WRITE)
6791 		av |= BPF__MAP_WRITE;
6792 	return av;
6793 }
6794 
6795 /* This function will check the file pass through unix socket or binder to see
6796  * if it is a bpf related object. And apply correspinding checks on the bpf
6797  * object based on the type. The bpf maps and programs, not like other files and
6798  * socket, are using a shared anonymous inode inside the kernel as their inode.
6799  * So checking that inode cannot identify if the process have privilege to
6800  * access the bpf object and that's why we have to add this additional check in
6801  * selinux_file_receive and selinux_binder_transfer_files.
6802  */
6803 static int bpf_fd_pass(struct file *file, u32 sid)
6804 {
6805 	struct bpf_security_struct *bpfsec;
6806 	struct bpf_prog *prog;
6807 	struct bpf_map *map;
6808 	int ret;
6809 
6810 	if (file->f_op == &bpf_map_fops) {
6811 		map = file->private_data;
6812 		bpfsec = map->security;
6813 		ret = avc_has_perm(&selinux_state,
6814 				   sid, bpfsec->sid, SECCLASS_BPF,
6815 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6816 		if (ret)
6817 			return ret;
6818 	} else if (file->f_op == &bpf_prog_fops) {
6819 		prog = file->private_data;
6820 		bpfsec = prog->aux->security;
6821 		ret = avc_has_perm(&selinux_state,
6822 				   sid, bpfsec->sid, SECCLASS_BPF,
6823 				   BPF__PROG_RUN, NULL);
6824 		if (ret)
6825 			return ret;
6826 	}
6827 	return 0;
6828 }
6829 
6830 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6831 {
6832 	u32 sid = current_sid();
6833 	struct bpf_security_struct *bpfsec;
6834 
6835 	bpfsec = map->security;
6836 	return avc_has_perm(&selinux_state,
6837 			    sid, bpfsec->sid, SECCLASS_BPF,
6838 			    bpf_map_fmode_to_av(fmode), NULL);
6839 }
6840 
6841 static int selinux_bpf_prog(struct bpf_prog *prog)
6842 {
6843 	u32 sid = current_sid();
6844 	struct bpf_security_struct *bpfsec;
6845 
6846 	bpfsec = prog->aux->security;
6847 	return avc_has_perm(&selinux_state,
6848 			    sid, bpfsec->sid, SECCLASS_BPF,
6849 			    BPF__PROG_RUN, NULL);
6850 }
6851 
6852 static int selinux_bpf_map_alloc(struct bpf_map *map)
6853 {
6854 	struct bpf_security_struct *bpfsec;
6855 
6856 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6857 	if (!bpfsec)
6858 		return -ENOMEM;
6859 
6860 	bpfsec->sid = current_sid();
6861 	map->security = bpfsec;
6862 
6863 	return 0;
6864 }
6865 
6866 static void selinux_bpf_map_free(struct bpf_map *map)
6867 {
6868 	struct bpf_security_struct *bpfsec = map->security;
6869 
6870 	map->security = NULL;
6871 	kfree(bpfsec);
6872 }
6873 
6874 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6875 {
6876 	struct bpf_security_struct *bpfsec;
6877 
6878 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6879 	if (!bpfsec)
6880 		return -ENOMEM;
6881 
6882 	bpfsec->sid = current_sid();
6883 	aux->security = bpfsec;
6884 
6885 	return 0;
6886 }
6887 
6888 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6889 {
6890 	struct bpf_security_struct *bpfsec = aux->security;
6891 
6892 	aux->security = NULL;
6893 	kfree(bpfsec);
6894 }
6895 #endif
6896 
6897 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6898 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6899 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6900 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6901 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6902 
6903 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6904 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6905 	LSM_HOOK_INIT(capget, selinux_capget),
6906 	LSM_HOOK_INIT(capset, selinux_capset),
6907 	LSM_HOOK_INIT(capable, selinux_capable),
6908 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6909 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6910 	LSM_HOOK_INIT(syslog, selinux_syslog),
6911 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6912 
6913 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6914 
6915 	LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6916 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6917 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6918 
6919 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6920 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6921 	LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6922 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6923 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6924 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6925 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6926 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6927 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6928 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6929 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6930 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6931 
6932 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6933 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6934 
6935 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6936 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6937 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6938 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6939 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6940 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6941 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6942 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6943 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6944 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6945 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6946 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6947 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6948 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6949 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6950 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6951 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6952 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6953 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6954 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6955 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6956 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6957 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6958 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6959 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6960 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6961 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6962 
6963 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
6964 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6965 	LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6966 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6967 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6968 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6969 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6970 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
6971 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6972 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6973 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6974 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
6975 
6976 	LSM_HOOK_INIT(file_open, selinux_file_open),
6977 
6978 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6979 	LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6980 	LSM_HOOK_INIT(cred_free, selinux_cred_free),
6981 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6982 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6983 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6984 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6985 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6986 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6987 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6988 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6989 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6990 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6991 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6992 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6993 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6994 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6995 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6996 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6997 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6998 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6999 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7000 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7001 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7002 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7003 
7004 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7005 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7006 
7007 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7008 	LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7009 
7010 	LSM_HOOK_INIT(msg_queue_alloc_security,
7011 			selinux_msg_queue_alloc_security),
7012 	LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7013 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7014 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7015 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7016 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7017 
7018 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7019 	LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7020 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7021 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7022 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7023 
7024 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7025 	LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7026 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7027 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7028 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7029 
7030 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7031 
7032 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7033 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7034 
7035 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7036 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7037 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7038 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7039 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7040 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7041 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7042 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7043 
7044 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7045 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7046 
7047 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7048 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7049 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7050 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7051 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7052 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7053 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7054 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7055 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7056 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7057 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7058 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7059 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7060 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7061 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7062 	LSM_HOOK_INIT(socket_getpeersec_stream,
7063 			selinux_socket_getpeersec_stream),
7064 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7065 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7066 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7067 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7068 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7069 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7070 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7071 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7072 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7073 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7074 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7075 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7076 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7077 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7078 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7079 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7080 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7081 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7082 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7083 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7084 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7085 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7086 #ifdef CONFIG_SECURITY_INFINIBAND
7087 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7088 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7089 		      selinux_ib_endport_manage_subnet),
7090 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7091 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7092 #endif
7093 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7094 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7095 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7096 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7097 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7098 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7099 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7100 			selinux_xfrm_state_alloc_acquire),
7101 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7102 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7103 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7104 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7105 			selinux_xfrm_state_pol_flow_match),
7106 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7107 #endif
7108 
7109 #ifdef CONFIG_KEYS
7110 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7111 	LSM_HOOK_INIT(key_free, selinux_key_free),
7112 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7113 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7114 #endif
7115 
7116 #ifdef CONFIG_AUDIT
7117 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7118 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7119 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7120 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7121 #endif
7122 
7123 #ifdef CONFIG_BPF_SYSCALL
7124 	LSM_HOOK_INIT(bpf, selinux_bpf),
7125 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7126 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7127 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7128 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7129 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7130 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7131 #endif
7132 };
7133 
7134 static __init int selinux_init(void)
7135 {
7136 	if (!security_module_enable("selinux")) {
7137 		selinux_enabled = 0;
7138 		return 0;
7139 	}
7140 
7141 	if (!selinux_enabled) {
7142 		pr_info("SELinux:  Disabled at boot.\n");
7143 		return 0;
7144 	}
7145 
7146 	pr_info("SELinux:  Initializing.\n");
7147 
7148 	memset(&selinux_state, 0, sizeof(selinux_state));
7149 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7150 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7151 	selinux_ss_init(&selinux_state.ss);
7152 	selinux_avc_init(&selinux_state.avc);
7153 
7154 	/* Set the security state for the initial task. */
7155 	cred_init_security();
7156 
7157 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7158 
7159 	sel_inode_cache = kmem_cache_create("selinux_inode_security",
7160 					    sizeof(struct inode_security_struct),
7161 					    0, SLAB_PANIC, NULL);
7162 	file_security_cache = kmem_cache_create("selinux_file_security",
7163 					    sizeof(struct file_security_struct),
7164 					    0, SLAB_PANIC, NULL);
7165 	avc_init();
7166 
7167 	avtab_cache_init();
7168 
7169 	ebitmap_cache_init();
7170 
7171 	hashtab_cache_init();
7172 
7173 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7174 
7175 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7176 		panic("SELinux: Unable to register AVC netcache callback\n");
7177 
7178 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7179 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7180 
7181 	if (selinux_enforcing_boot)
7182 		pr_debug("SELinux:  Starting in enforcing mode\n");
7183 	else
7184 		pr_debug("SELinux:  Starting in permissive mode\n");
7185 
7186 	return 0;
7187 }
7188 
7189 static void delayed_superblock_init(struct super_block *sb, void *unused)
7190 {
7191 	superblock_doinit(sb, NULL);
7192 }
7193 
7194 void selinux_complete_init(void)
7195 {
7196 	pr_debug("SELinux:  Completing initialization.\n");
7197 
7198 	/* Set up any superblocks initialized prior to the policy load. */
7199 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7200 	iterate_supers(delayed_superblock_init, NULL);
7201 }
7202 
7203 /* SELinux requires early initialization in order to label
7204    all processes and objects when they are created. */
7205 security_initcall(selinux_init);
7206 
7207 #if defined(CONFIG_NETFILTER)
7208 
7209 static const struct nf_hook_ops selinux_nf_ops[] = {
7210 	{
7211 		.hook =		selinux_ipv4_postroute,
7212 		.pf =		NFPROTO_IPV4,
7213 		.hooknum =	NF_INET_POST_ROUTING,
7214 		.priority =	NF_IP_PRI_SELINUX_LAST,
7215 	},
7216 	{
7217 		.hook =		selinux_ipv4_forward,
7218 		.pf =		NFPROTO_IPV4,
7219 		.hooknum =	NF_INET_FORWARD,
7220 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7221 	},
7222 	{
7223 		.hook =		selinux_ipv4_output,
7224 		.pf =		NFPROTO_IPV4,
7225 		.hooknum =	NF_INET_LOCAL_OUT,
7226 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7227 	},
7228 #if IS_ENABLED(CONFIG_IPV6)
7229 	{
7230 		.hook =		selinux_ipv6_postroute,
7231 		.pf =		NFPROTO_IPV6,
7232 		.hooknum =	NF_INET_POST_ROUTING,
7233 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7234 	},
7235 	{
7236 		.hook =		selinux_ipv6_forward,
7237 		.pf =		NFPROTO_IPV6,
7238 		.hooknum =	NF_INET_FORWARD,
7239 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7240 	},
7241 	{
7242 		.hook =		selinux_ipv6_output,
7243 		.pf =		NFPROTO_IPV6,
7244 		.hooknum =	NF_INET_LOCAL_OUT,
7245 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7246 	},
7247 #endif	/* IPV6 */
7248 };
7249 
7250 static int __net_init selinux_nf_register(struct net *net)
7251 {
7252 	return nf_register_net_hooks(net, selinux_nf_ops,
7253 				     ARRAY_SIZE(selinux_nf_ops));
7254 }
7255 
7256 static void __net_exit selinux_nf_unregister(struct net *net)
7257 {
7258 	nf_unregister_net_hooks(net, selinux_nf_ops,
7259 				ARRAY_SIZE(selinux_nf_ops));
7260 }
7261 
7262 static struct pernet_operations selinux_net_ops = {
7263 	.init = selinux_nf_register,
7264 	.exit = selinux_nf_unregister,
7265 };
7266 
7267 static int __init selinux_nf_ip_init(void)
7268 {
7269 	int err;
7270 
7271 	if (!selinux_enabled)
7272 		return 0;
7273 
7274 	pr_debug("SELinux:  Registering netfilter hooks\n");
7275 
7276 	err = register_pernet_subsys(&selinux_net_ops);
7277 	if (err)
7278 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7279 
7280 	return 0;
7281 }
7282 __initcall(selinux_nf_ip_init);
7283 
7284 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7285 static void selinux_nf_ip_exit(void)
7286 {
7287 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7288 
7289 	unregister_pernet_subsys(&selinux_net_ops);
7290 }
7291 #endif
7292 
7293 #else /* CONFIG_NETFILTER */
7294 
7295 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7296 #define selinux_nf_ip_exit()
7297 #endif
7298 
7299 #endif /* CONFIG_NETFILTER */
7300 
7301 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7302 int selinux_disable(struct selinux_state *state)
7303 {
7304 	if (state->initialized) {
7305 		/* Not permitted after initial policy load. */
7306 		return -EINVAL;
7307 	}
7308 
7309 	if (state->disabled) {
7310 		/* Only do this once. */
7311 		return -EINVAL;
7312 	}
7313 
7314 	state->disabled = 1;
7315 
7316 	pr_info("SELinux:  Disabled at runtime.\n");
7317 
7318 	selinux_enabled = 0;
7319 
7320 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7321 
7322 	/* Try to destroy the avc node cache */
7323 	avc_disable();
7324 
7325 	/* Unregister netfilter hooks. */
7326 	selinux_nf_ip_exit();
7327 
7328 	/* Unregister selinuxfs. */
7329 	exit_sel_fs();
7330 
7331 	return 0;
7332 }
7333 #endif
7334