xref: /openbmc/linux/security/selinux/hooks.c (revision f5da59f2)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95 
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106 
107 #define SELINUX_INODE_INIT_XATTRS 1
108 
109 struct selinux_state selinux_state;
110 
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113 
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116 
117 static int __init enforcing_setup(char *str)
118 {
119 	unsigned long enforcing;
120 	if (!kstrtoul(str, 0, &enforcing))
121 		selinux_enforcing_boot = enforcing ? 1 : 0;
122 	return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128 
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
131 static int __init selinux_enabled_setup(char *str)
132 {
133 	unsigned long enabled;
134 	if (!kstrtoul(str, 0, &enabled))
135 		selinux_enabled_boot = enabled ? 1 : 0;
136 	return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		if (checkreqprot)
147 			pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
148 	}
149 	return 1;
150 }
151 __setup("checkreqprot=", checkreqprot_setup);
152 
153 /**
154  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155  *
156  * Description:
157  * This function checks the SECMARK reference counter to see if any SECMARK
158  * targets are currently configured, if the reference counter is greater than
159  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
160  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
161  * policy capability is enabled, SECMARK is always considered enabled.
162  *
163  */
164 static int selinux_secmark_enabled(void)
165 {
166 	return (selinux_policycap_alwaysnetwork() ||
167 		atomic_read(&selinux_secmark_refcount));
168 }
169 
170 /**
171  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172  *
173  * Description:
174  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
175  * (1) if any are enabled or false (0) if neither are enabled.  If the
176  * always_check_network policy capability is enabled, peer labeling
177  * is always considered enabled.
178  *
179  */
180 static int selinux_peerlbl_enabled(void)
181 {
182 	return (selinux_policycap_alwaysnetwork() ||
183 		netlbl_enabled() || selinux_xfrm_enabled());
184 }
185 
186 static int selinux_netcache_avc_callback(u32 event)
187 {
188 	if (event == AVC_CALLBACK_RESET) {
189 		sel_netif_flush();
190 		sel_netnode_flush();
191 		sel_netport_flush();
192 		synchronize_net();
193 	}
194 	return 0;
195 }
196 
197 static int selinux_lsm_notifier_avc_callback(u32 event)
198 {
199 	if (event == AVC_CALLBACK_RESET) {
200 		sel_ib_pkey_flush();
201 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
202 	}
203 
204 	return 0;
205 }
206 
207 /*
208  * initialise the security for the init task
209  */
210 static void cred_init_security(void)
211 {
212 	struct task_security_struct *tsec;
213 
214 	tsec = selinux_cred(unrcu_pointer(current->real_cred));
215 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217 
218 /*
219  * get the security ID of a set of credentials
220  */
221 static inline u32 cred_sid(const struct cred *cred)
222 {
223 	const struct task_security_struct *tsec;
224 
225 	tsec = selinux_cred(cred);
226 	return tsec->sid;
227 }
228 
229 static void __ad_net_init(struct common_audit_data *ad,
230 			  struct lsm_network_audit *net,
231 			  int ifindex, struct sock *sk, u16 family)
232 {
233 	ad->type = LSM_AUDIT_DATA_NET;
234 	ad->u.net = net;
235 	net->netif = ifindex;
236 	net->sk = sk;
237 	net->family = family;
238 }
239 
240 static void ad_net_init_from_sk(struct common_audit_data *ad,
241 				struct lsm_network_audit *net,
242 				struct sock *sk)
243 {
244 	__ad_net_init(ad, net, 0, sk, 0);
245 }
246 
247 static void ad_net_init_from_iif(struct common_audit_data *ad,
248 				 struct lsm_network_audit *net,
249 				 int ifindex, u16 family)
250 {
251 	__ad_net_init(ad, net, ifindex, NULL, family);
252 }
253 
254 /*
255  * get the objective security ID of a task
256  */
257 static inline u32 task_sid_obj(const struct task_struct *task)
258 {
259 	u32 sid;
260 
261 	rcu_read_lock();
262 	sid = cred_sid(__task_cred(task));
263 	rcu_read_unlock();
264 	return sid;
265 }
266 
267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268 
269 /*
270  * Try reloading inode security labels that have been marked as invalid.  The
271  * @may_sleep parameter indicates when sleeping and thus reloading labels is
272  * allowed; when set to false, returns -ECHILD when the label is
273  * invalid.  The @dentry parameter should be set to a dentry of the inode.
274  */
275 static int __inode_security_revalidate(struct inode *inode,
276 				       struct dentry *dentry,
277 				       bool may_sleep)
278 {
279 	struct inode_security_struct *isec = selinux_inode(inode);
280 
281 	might_sleep_if(may_sleep);
282 
283 	if (selinux_initialized() &&
284 	    isec->initialized != LABEL_INITIALIZED) {
285 		if (!may_sleep)
286 			return -ECHILD;
287 
288 		/*
289 		 * Try reloading the inode security label.  This will fail if
290 		 * @opt_dentry is NULL and no dentry for this inode can be
291 		 * found; in that case, continue using the old label.
292 		 */
293 		inode_doinit_with_dentry(inode, dentry);
294 	}
295 	return 0;
296 }
297 
298 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299 {
300 	return selinux_inode(inode);
301 }
302 
303 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304 {
305 	int error;
306 
307 	error = __inode_security_revalidate(inode, NULL, !rcu);
308 	if (error)
309 		return ERR_PTR(error);
310 	return selinux_inode(inode);
311 }
312 
313 /*
314  * Get the security label of an inode.
315  */
316 static struct inode_security_struct *inode_security(struct inode *inode)
317 {
318 	__inode_security_revalidate(inode, NULL, true);
319 	return selinux_inode(inode);
320 }
321 
322 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323 {
324 	struct inode *inode = d_backing_inode(dentry);
325 
326 	return selinux_inode(inode);
327 }
328 
329 /*
330  * Get the security label of a dentry's backing inode.
331  */
332 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333 {
334 	struct inode *inode = d_backing_inode(dentry);
335 
336 	__inode_security_revalidate(inode, dentry, true);
337 	return selinux_inode(inode);
338 }
339 
340 static void inode_free_security(struct inode *inode)
341 {
342 	struct inode_security_struct *isec = selinux_inode(inode);
343 	struct superblock_security_struct *sbsec;
344 
345 	if (!isec)
346 		return;
347 	sbsec = selinux_superblock(inode->i_sb);
348 	/*
349 	 * As not all inode security structures are in a list, we check for
350 	 * empty list outside of the lock to make sure that we won't waste
351 	 * time taking a lock doing nothing.
352 	 *
353 	 * The list_del_init() function can be safely called more than once.
354 	 * It should not be possible for this function to be called with
355 	 * concurrent list_add(), but for better safety against future changes
356 	 * in the code, we use list_empty_careful() here.
357 	 */
358 	if (!list_empty_careful(&isec->list)) {
359 		spin_lock(&sbsec->isec_lock);
360 		list_del_init(&isec->list);
361 		spin_unlock(&sbsec->isec_lock);
362 	}
363 }
364 
365 struct selinux_mnt_opts {
366 	u32 fscontext_sid;
367 	u32 context_sid;
368 	u32 rootcontext_sid;
369 	u32 defcontext_sid;
370 };
371 
372 static void selinux_free_mnt_opts(void *mnt_opts)
373 {
374 	kfree(mnt_opts);
375 }
376 
377 enum {
378 	Opt_error = -1,
379 	Opt_context = 0,
380 	Opt_defcontext = 1,
381 	Opt_fscontext = 2,
382 	Opt_rootcontext = 3,
383 	Opt_seclabel = 4,
384 };
385 
386 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
387 static const struct {
388 	const char *name;
389 	int len;
390 	int opt;
391 	bool has_arg;
392 } tokens[] = {
393 	A(context, true),
394 	A(fscontext, true),
395 	A(defcontext, true),
396 	A(rootcontext, true),
397 	A(seclabel, false),
398 };
399 #undef A
400 
401 static int match_opt_prefix(char *s, int l, char **arg)
402 {
403 	int i;
404 
405 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406 		size_t len = tokens[i].len;
407 		if (len > l || memcmp(s, tokens[i].name, len))
408 			continue;
409 		if (tokens[i].has_arg) {
410 			if (len == l || s[len] != '=')
411 				continue;
412 			*arg = s + len + 1;
413 		} else if (len != l)
414 			continue;
415 		return tokens[i].opt;
416 	}
417 	return Opt_error;
418 }
419 
420 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
421 
422 static int may_context_mount_sb_relabel(u32 sid,
423 			struct superblock_security_struct *sbsec,
424 			const struct cred *cred)
425 {
426 	const struct task_security_struct *tsec = selinux_cred(cred);
427 	int rc;
428 
429 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
430 			  FILESYSTEM__RELABELFROM, NULL);
431 	if (rc)
432 		return rc;
433 
434 	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELTO, NULL);
436 	return rc;
437 }
438 
439 static int may_context_mount_inode_relabel(u32 sid,
440 			struct superblock_security_struct *sbsec,
441 			const struct cred *cred)
442 {
443 	const struct task_security_struct *tsec = selinux_cred(cred);
444 	int rc;
445 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 			  FILESYSTEM__RELABELFROM, NULL);
447 	if (rc)
448 		return rc;
449 
450 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
451 			  FILESYSTEM__ASSOCIATE, NULL);
452 	return rc;
453 }
454 
455 static int selinux_is_genfs_special_handling(struct super_block *sb)
456 {
457 	/* Special handling. Genfs but also in-core setxattr handler */
458 	return	!strcmp(sb->s_type->name, "sysfs") ||
459 		!strcmp(sb->s_type->name, "pstore") ||
460 		!strcmp(sb->s_type->name, "debugfs") ||
461 		!strcmp(sb->s_type->name, "tracefs") ||
462 		!strcmp(sb->s_type->name, "rootfs") ||
463 		(selinux_policycap_cgroupseclabel() &&
464 		 (!strcmp(sb->s_type->name, "cgroup") ||
465 		  !strcmp(sb->s_type->name, "cgroup2")));
466 }
467 
468 static int selinux_is_sblabel_mnt(struct super_block *sb)
469 {
470 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
471 
472 	/*
473 	 * IMPORTANT: Double-check logic in this function when adding a new
474 	 * SECURITY_FS_USE_* definition!
475 	 */
476 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477 
478 	switch (sbsec->behavior) {
479 	case SECURITY_FS_USE_XATTR:
480 	case SECURITY_FS_USE_TRANS:
481 	case SECURITY_FS_USE_TASK:
482 	case SECURITY_FS_USE_NATIVE:
483 		return 1;
484 
485 	case SECURITY_FS_USE_GENFS:
486 		return selinux_is_genfs_special_handling(sb);
487 
488 	/* Never allow relabeling on context mounts */
489 	case SECURITY_FS_USE_MNTPOINT:
490 	case SECURITY_FS_USE_NONE:
491 	default:
492 		return 0;
493 	}
494 }
495 
496 static int sb_check_xattr_support(struct super_block *sb)
497 {
498 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
499 	struct dentry *root = sb->s_root;
500 	struct inode *root_inode = d_backing_inode(root);
501 	u32 sid;
502 	int rc;
503 
504 	/*
505 	 * Make sure that the xattr handler exists and that no
506 	 * error other than -ENODATA is returned by getxattr on
507 	 * the root directory.  -ENODATA is ok, as this may be
508 	 * the first boot of the SELinux kernel before we have
509 	 * assigned xattr values to the filesystem.
510 	 */
511 	if (!(root_inode->i_opflags & IOP_XATTR)) {
512 		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513 			sb->s_id, sb->s_type->name);
514 		goto fallback;
515 	}
516 
517 	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 	if (rc < 0 && rc != -ENODATA) {
519 		if (rc == -EOPNOTSUPP) {
520 			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521 				sb->s_id, sb->s_type->name);
522 			goto fallback;
523 		} else {
524 			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525 				sb->s_id, sb->s_type->name, -rc);
526 			return rc;
527 		}
528 	}
529 	return 0;
530 
531 fallback:
532 	/* No xattr support - try to fallback to genfs if possible. */
533 	rc = security_genfs_sid(sb->s_type->name, "/",
534 				SECCLASS_DIR, &sid);
535 	if (rc)
536 		return -EOPNOTSUPP;
537 
538 	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539 		sb->s_id, sb->s_type->name);
540 	sbsec->behavior = SECURITY_FS_USE_GENFS;
541 	sbsec->sid = sid;
542 	return 0;
543 }
544 
545 static int sb_finish_set_opts(struct super_block *sb)
546 {
547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
548 	struct dentry *root = sb->s_root;
549 	struct inode *root_inode = d_backing_inode(root);
550 	int rc = 0;
551 
552 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
553 		rc = sb_check_xattr_support(sb);
554 		if (rc)
555 			return rc;
556 	}
557 
558 	sbsec->flags |= SE_SBINITIALIZED;
559 
560 	/*
561 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
562 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
563 	 * us a superblock that needs the flag to be cleared.
564 	 */
565 	if (selinux_is_sblabel_mnt(sb))
566 		sbsec->flags |= SBLABEL_MNT;
567 	else
568 		sbsec->flags &= ~SBLABEL_MNT;
569 
570 	/* Initialize the root inode. */
571 	rc = inode_doinit_with_dentry(root_inode, root);
572 
573 	/* Initialize any other inodes associated with the superblock, e.g.
574 	   inodes created prior to initial policy load or inodes created
575 	   during get_sb by a pseudo filesystem that directly
576 	   populates itself. */
577 	spin_lock(&sbsec->isec_lock);
578 	while (!list_empty(&sbsec->isec_head)) {
579 		struct inode_security_struct *isec =
580 				list_first_entry(&sbsec->isec_head,
581 					   struct inode_security_struct, list);
582 		struct inode *inode = isec->inode;
583 		list_del_init(&isec->list);
584 		spin_unlock(&sbsec->isec_lock);
585 		inode = igrab(inode);
586 		if (inode) {
587 			if (!IS_PRIVATE(inode))
588 				inode_doinit_with_dentry(inode, NULL);
589 			iput(inode);
590 		}
591 		spin_lock(&sbsec->isec_lock);
592 	}
593 	spin_unlock(&sbsec->isec_lock);
594 	return rc;
595 }
596 
597 static int bad_option(struct superblock_security_struct *sbsec, char flag,
598 		      u32 old_sid, u32 new_sid)
599 {
600 	char mnt_flags = sbsec->flags & SE_MNTMASK;
601 
602 	/* check if the old mount command had the same options */
603 	if (sbsec->flags & SE_SBINITIALIZED)
604 		if (!(sbsec->flags & flag) ||
605 		    (old_sid != new_sid))
606 			return 1;
607 
608 	/* check if we were passed the same options twice,
609 	 * aka someone passed context=a,context=b
610 	 */
611 	if (!(sbsec->flags & SE_SBINITIALIZED))
612 		if (mnt_flags & flag)
613 			return 1;
614 	return 0;
615 }
616 
617 /*
618  * Allow filesystems with binary mount data to explicitly set mount point
619  * labeling information.
620  */
621 static int selinux_set_mnt_opts(struct super_block *sb,
622 				void *mnt_opts,
623 				unsigned long kern_flags,
624 				unsigned long *set_kern_flags)
625 {
626 	const struct cred *cred = current_cred();
627 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
628 	struct dentry *root = sb->s_root;
629 	struct selinux_mnt_opts *opts = mnt_opts;
630 	struct inode_security_struct *root_isec;
631 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632 	u32 defcontext_sid = 0;
633 	int rc = 0;
634 
635 	/*
636 	 * Specifying internal flags without providing a place to
637 	 * place the results is not allowed
638 	 */
639 	if (kern_flags && !set_kern_flags)
640 		return -EINVAL;
641 
642 	mutex_lock(&sbsec->lock);
643 
644 	if (!selinux_initialized()) {
645 		if (!opts) {
646 			/* Defer initialization until selinux_complete_init,
647 			   after the initial policy is loaded and the security
648 			   server is ready to handle calls. */
649 			if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650 				sbsec->flags |= SE_SBNATIVE;
651 				*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652 			}
653 			goto out;
654 		}
655 		rc = -EINVAL;
656 		pr_warn("SELinux: Unable to set superblock options "
657 			"before the security server is initialized\n");
658 		goto out;
659 	}
660 
661 	/*
662 	 * Binary mount data FS will come through this function twice.  Once
663 	 * from an explicit call and once from the generic calls from the vfs.
664 	 * Since the generic VFS calls will not contain any security mount data
665 	 * we need to skip the double mount verification.
666 	 *
667 	 * This does open a hole in which we will not notice if the first
668 	 * mount using this sb set explicit options and a second mount using
669 	 * this sb does not set any security options.  (The first options
670 	 * will be used for both mounts)
671 	 */
672 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
673 	    && !opts)
674 		goto out;
675 
676 	root_isec = backing_inode_security_novalidate(root);
677 
678 	/*
679 	 * parse the mount options, check if they are valid sids.
680 	 * also check if someone is trying to mount the same sb more
681 	 * than once with different security options.
682 	 */
683 	if (opts) {
684 		if (opts->fscontext_sid) {
685 			fscontext_sid = opts->fscontext_sid;
686 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 					fscontext_sid))
688 				goto out_double_mount;
689 			sbsec->flags |= FSCONTEXT_MNT;
690 		}
691 		if (opts->context_sid) {
692 			context_sid = opts->context_sid;
693 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694 					context_sid))
695 				goto out_double_mount;
696 			sbsec->flags |= CONTEXT_MNT;
697 		}
698 		if (opts->rootcontext_sid) {
699 			rootcontext_sid = opts->rootcontext_sid;
700 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 					rootcontext_sid))
702 				goto out_double_mount;
703 			sbsec->flags |= ROOTCONTEXT_MNT;
704 		}
705 		if (opts->defcontext_sid) {
706 			defcontext_sid = opts->defcontext_sid;
707 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708 					defcontext_sid))
709 				goto out_double_mount;
710 			sbsec->flags |= DEFCONTEXT_MNT;
711 		}
712 	}
713 
714 	if (sbsec->flags & SE_SBINITIALIZED) {
715 		/* previously mounted with options, but not on this attempt? */
716 		if ((sbsec->flags & SE_MNTMASK) && !opts)
717 			goto out_double_mount;
718 		rc = 0;
719 		goto out;
720 	}
721 
722 	if (strcmp(sb->s_type->name, "proc") == 0)
723 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724 
725 	if (!strcmp(sb->s_type->name, "debugfs") ||
726 	    !strcmp(sb->s_type->name, "tracefs") ||
727 	    !strcmp(sb->s_type->name, "binder") ||
728 	    !strcmp(sb->s_type->name, "bpf") ||
729 	    !strcmp(sb->s_type->name, "pstore") ||
730 	    !strcmp(sb->s_type->name, "securityfs"))
731 		sbsec->flags |= SE_SBGENFS;
732 
733 	if (!strcmp(sb->s_type->name, "sysfs") ||
734 	    !strcmp(sb->s_type->name, "cgroup") ||
735 	    !strcmp(sb->s_type->name, "cgroup2"))
736 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
737 
738 	if (!sbsec->behavior) {
739 		/*
740 		 * Determine the labeling behavior to use for this
741 		 * filesystem type.
742 		 */
743 		rc = security_fs_use(sb);
744 		if (rc) {
745 			pr_warn("%s: security_fs_use(%s) returned %d\n",
746 					__func__, sb->s_type->name, rc);
747 			goto out;
748 		}
749 	}
750 
751 	/*
752 	 * If this is a user namespace mount and the filesystem type is not
753 	 * explicitly whitelisted, then no contexts are allowed on the command
754 	 * line and security labels must be ignored.
755 	 */
756 	if (sb->s_user_ns != &init_user_ns &&
757 	    strcmp(sb->s_type->name, "tmpfs") &&
758 	    strcmp(sb->s_type->name, "ramfs") &&
759 	    strcmp(sb->s_type->name, "devpts") &&
760 	    strcmp(sb->s_type->name, "overlay")) {
761 		if (context_sid || fscontext_sid || rootcontext_sid ||
762 		    defcontext_sid) {
763 			rc = -EACCES;
764 			goto out;
765 		}
766 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
768 			rc = security_transition_sid(current_sid(),
769 						     current_sid(),
770 						     SECCLASS_FILE, NULL,
771 						     &sbsec->mntpoint_sid);
772 			if (rc)
773 				goto out;
774 		}
775 		goto out_set_opts;
776 	}
777 
778 	/* sets the context of the superblock for the fs being mounted. */
779 	if (fscontext_sid) {
780 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
781 		if (rc)
782 			goto out;
783 
784 		sbsec->sid = fscontext_sid;
785 	}
786 
787 	/*
788 	 * Switch to using mount point labeling behavior.
789 	 * sets the label used on all file below the mountpoint, and will set
790 	 * the superblock context if not already set.
791 	 */
792 	if (sbsec->flags & SE_SBNATIVE) {
793 		/*
794 		 * This means we are initializing a superblock that has been
795 		 * mounted before the SELinux was initialized and the
796 		 * filesystem requested native labeling. We had already
797 		 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798 		 * in the original mount attempt, so now we just need to set
799 		 * the SECURITY_FS_USE_NATIVE behavior.
800 		 */
801 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
802 	} else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
803 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805 	}
806 
807 	if (context_sid) {
808 		if (!fscontext_sid) {
809 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
810 							  cred);
811 			if (rc)
812 				goto out;
813 			sbsec->sid = context_sid;
814 		} else {
815 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
816 							     cred);
817 			if (rc)
818 				goto out;
819 		}
820 		if (!rootcontext_sid)
821 			rootcontext_sid = context_sid;
822 
823 		sbsec->mntpoint_sid = context_sid;
824 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
825 	}
826 
827 	if (rootcontext_sid) {
828 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829 						     cred);
830 		if (rc)
831 			goto out;
832 
833 		root_isec->sid = rootcontext_sid;
834 		root_isec->initialized = LABEL_INITIALIZED;
835 	}
836 
837 	if (defcontext_sid) {
838 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
840 			rc = -EINVAL;
841 			pr_warn("SELinux: defcontext option is "
842 			       "invalid for this filesystem type\n");
843 			goto out;
844 		}
845 
846 		if (defcontext_sid != sbsec->def_sid) {
847 			rc = may_context_mount_inode_relabel(defcontext_sid,
848 							     sbsec, cred);
849 			if (rc)
850 				goto out;
851 		}
852 
853 		sbsec->def_sid = defcontext_sid;
854 	}
855 
856 out_set_opts:
857 	rc = sb_finish_set_opts(sb);
858 out:
859 	mutex_unlock(&sbsec->lock);
860 	return rc;
861 out_double_mount:
862 	rc = -EINVAL;
863 	pr_warn("SELinux: mount invalid.  Same superblock, different "
864 	       "security settings for (dev %s, type %s)\n", sb->s_id,
865 	       sb->s_type->name);
866 	goto out;
867 }
868 
869 static int selinux_cmp_sb_context(const struct super_block *oldsb,
870 				    const struct super_block *newsb)
871 {
872 	struct superblock_security_struct *old = selinux_superblock(oldsb);
873 	struct superblock_security_struct *new = selinux_superblock(newsb);
874 	char oldflags = old->flags & SE_MNTMASK;
875 	char newflags = new->flags & SE_MNTMASK;
876 
877 	if (oldflags != newflags)
878 		goto mismatch;
879 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880 		goto mismatch;
881 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882 		goto mismatch;
883 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884 		goto mismatch;
885 	if (oldflags & ROOTCONTEXT_MNT) {
886 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
888 		if (oldroot->sid != newroot->sid)
889 			goto mismatch;
890 	}
891 	return 0;
892 mismatch:
893 	pr_warn("SELinux: mount invalid.  Same superblock, "
894 			    "different security settings for (dev %s, "
895 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
896 	return -EBUSY;
897 }
898 
899 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
900 					struct super_block *newsb,
901 					unsigned long kern_flags,
902 					unsigned long *set_kern_flags)
903 {
904 	int rc = 0;
905 	const struct superblock_security_struct *oldsbsec =
906 						selinux_superblock(oldsb);
907 	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
908 
909 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
910 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
911 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
912 
913 	/*
914 	 * Specifying internal flags without providing a place to
915 	 * place the results is not allowed.
916 	 */
917 	if (kern_flags && !set_kern_flags)
918 		return -EINVAL;
919 
920 	mutex_lock(&newsbsec->lock);
921 
922 	/*
923 	 * if the parent was able to be mounted it clearly had no special lsm
924 	 * mount options.  thus we can safely deal with this superblock later
925 	 */
926 	if (!selinux_initialized()) {
927 		if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928 			newsbsec->flags |= SE_SBNATIVE;
929 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930 		}
931 		goto out;
932 	}
933 
934 	/* how can we clone if the old one wasn't set up?? */
935 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
936 
937 	/* if fs is reusing a sb, make sure that the contexts match */
938 	if (newsbsec->flags & SE_SBINITIALIZED) {
939 		mutex_unlock(&newsbsec->lock);
940 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
942 		return selinux_cmp_sb_context(oldsb, newsb);
943 	}
944 
945 	newsbsec->flags = oldsbsec->flags;
946 
947 	newsbsec->sid = oldsbsec->sid;
948 	newsbsec->def_sid = oldsbsec->def_sid;
949 	newsbsec->behavior = oldsbsec->behavior;
950 
951 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953 		rc = security_fs_use(newsb);
954 		if (rc)
955 			goto out;
956 	}
957 
958 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 	}
962 
963 	if (set_context) {
964 		u32 sid = oldsbsec->mntpoint_sid;
965 
966 		if (!set_fscontext)
967 			newsbsec->sid = sid;
968 		if (!set_rootcontext) {
969 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970 			newisec->sid = sid;
971 		}
972 		newsbsec->mntpoint_sid = sid;
973 	}
974 	if (set_rootcontext) {
975 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977 
978 		newisec->sid = oldisec->sid;
979 	}
980 
981 	sb_finish_set_opts(newsb);
982 out:
983 	mutex_unlock(&newsbsec->lock);
984 	return rc;
985 }
986 
987 /*
988  * NOTE: the caller is responsible for freeing the memory even if on error.
989  */
990 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
991 {
992 	struct selinux_mnt_opts *opts = *mnt_opts;
993 	u32 *dst_sid;
994 	int rc;
995 
996 	if (token == Opt_seclabel)
997 		/* eaten and completely ignored */
998 		return 0;
999 	if (!s)
1000 		return -EINVAL;
1001 
1002 	if (!selinux_initialized()) {
1003 		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004 		return -EINVAL;
1005 	}
1006 
1007 	if (!opts) {
1008 		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1009 		if (!opts)
1010 			return -ENOMEM;
1011 		*mnt_opts = opts;
1012 	}
1013 
1014 	switch (token) {
1015 	case Opt_context:
1016 		if (opts->context_sid || opts->defcontext_sid)
1017 			goto err;
1018 		dst_sid = &opts->context_sid;
1019 		break;
1020 	case Opt_fscontext:
1021 		if (opts->fscontext_sid)
1022 			goto err;
1023 		dst_sid = &opts->fscontext_sid;
1024 		break;
1025 	case Opt_rootcontext:
1026 		if (opts->rootcontext_sid)
1027 			goto err;
1028 		dst_sid = &opts->rootcontext_sid;
1029 		break;
1030 	case Opt_defcontext:
1031 		if (opts->context_sid || opts->defcontext_sid)
1032 			goto err;
1033 		dst_sid = &opts->defcontext_sid;
1034 		break;
1035 	default:
1036 		WARN_ON(1);
1037 		return -EINVAL;
1038 	}
1039 	rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1040 	if (rc)
1041 		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042 			s, rc);
1043 	return rc;
1044 
1045 err:
1046 	pr_warn(SEL_MOUNT_FAIL_MSG);
1047 	return -EINVAL;
1048 }
1049 
1050 static int show_sid(struct seq_file *m, u32 sid)
1051 {
1052 	char *context = NULL;
1053 	u32 len;
1054 	int rc;
1055 
1056 	rc = security_sid_to_context(sid, &context, &len);
1057 	if (!rc) {
1058 		bool has_comma = strchr(context, ',');
1059 
1060 		seq_putc(m, '=');
1061 		if (has_comma)
1062 			seq_putc(m, '\"');
1063 		seq_escape(m, context, "\"\n\\");
1064 		if (has_comma)
1065 			seq_putc(m, '\"');
1066 	}
1067 	kfree(context);
1068 	return rc;
1069 }
1070 
1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1074 	int rc;
1075 
1076 	if (!(sbsec->flags & SE_SBINITIALIZED))
1077 		return 0;
1078 
1079 	if (!selinux_initialized())
1080 		return 0;
1081 
1082 	if (sbsec->flags & FSCONTEXT_MNT) {
1083 		seq_putc(m, ',');
1084 		seq_puts(m, FSCONTEXT_STR);
1085 		rc = show_sid(m, sbsec->sid);
1086 		if (rc)
1087 			return rc;
1088 	}
1089 	if (sbsec->flags & CONTEXT_MNT) {
1090 		seq_putc(m, ',');
1091 		seq_puts(m, CONTEXT_STR);
1092 		rc = show_sid(m, sbsec->mntpoint_sid);
1093 		if (rc)
1094 			return rc;
1095 	}
1096 	if (sbsec->flags & DEFCONTEXT_MNT) {
1097 		seq_putc(m, ',');
1098 		seq_puts(m, DEFCONTEXT_STR);
1099 		rc = show_sid(m, sbsec->def_sid);
1100 		if (rc)
1101 			return rc;
1102 	}
1103 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1104 		struct dentry *root = sb->s_root;
1105 		struct inode_security_struct *isec = backing_inode_security(root);
1106 		seq_putc(m, ',');
1107 		seq_puts(m, ROOTCONTEXT_STR);
1108 		rc = show_sid(m, isec->sid);
1109 		if (rc)
1110 			return rc;
1111 	}
1112 	if (sbsec->flags & SBLABEL_MNT) {
1113 		seq_putc(m, ',');
1114 		seq_puts(m, SECLABEL_STR);
1115 	}
1116 	return 0;
1117 }
1118 
1119 static inline u16 inode_mode_to_security_class(umode_t mode)
1120 {
1121 	switch (mode & S_IFMT) {
1122 	case S_IFSOCK:
1123 		return SECCLASS_SOCK_FILE;
1124 	case S_IFLNK:
1125 		return SECCLASS_LNK_FILE;
1126 	case S_IFREG:
1127 		return SECCLASS_FILE;
1128 	case S_IFBLK:
1129 		return SECCLASS_BLK_FILE;
1130 	case S_IFDIR:
1131 		return SECCLASS_DIR;
1132 	case S_IFCHR:
1133 		return SECCLASS_CHR_FILE;
1134 	case S_IFIFO:
1135 		return SECCLASS_FIFO_FILE;
1136 
1137 	}
1138 
1139 	return SECCLASS_FILE;
1140 }
1141 
1142 static inline int default_protocol_stream(int protocol)
1143 {
1144 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145 		protocol == IPPROTO_MPTCP);
1146 }
1147 
1148 static inline int default_protocol_dgram(int protocol)
1149 {
1150 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151 }
1152 
1153 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154 {
1155 	bool extsockclass = selinux_policycap_extsockclass();
1156 
1157 	switch (family) {
1158 	case PF_UNIX:
1159 		switch (type) {
1160 		case SOCK_STREAM:
1161 		case SOCK_SEQPACKET:
1162 			return SECCLASS_UNIX_STREAM_SOCKET;
1163 		case SOCK_DGRAM:
1164 		case SOCK_RAW:
1165 			return SECCLASS_UNIX_DGRAM_SOCKET;
1166 		}
1167 		break;
1168 	case PF_INET:
1169 	case PF_INET6:
1170 		switch (type) {
1171 		case SOCK_STREAM:
1172 		case SOCK_SEQPACKET:
1173 			if (default_protocol_stream(protocol))
1174 				return SECCLASS_TCP_SOCKET;
1175 			else if (extsockclass && protocol == IPPROTO_SCTP)
1176 				return SECCLASS_SCTP_SOCKET;
1177 			else
1178 				return SECCLASS_RAWIP_SOCKET;
1179 		case SOCK_DGRAM:
1180 			if (default_protocol_dgram(protocol))
1181 				return SECCLASS_UDP_SOCKET;
1182 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183 						  protocol == IPPROTO_ICMPV6))
1184 				return SECCLASS_ICMP_SOCKET;
1185 			else
1186 				return SECCLASS_RAWIP_SOCKET;
1187 		case SOCK_DCCP:
1188 			return SECCLASS_DCCP_SOCKET;
1189 		default:
1190 			return SECCLASS_RAWIP_SOCKET;
1191 		}
1192 		break;
1193 	case PF_NETLINK:
1194 		switch (protocol) {
1195 		case NETLINK_ROUTE:
1196 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1197 		case NETLINK_SOCK_DIAG:
1198 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 		case NETLINK_NFLOG:
1200 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 		case NETLINK_XFRM:
1202 			return SECCLASS_NETLINK_XFRM_SOCKET;
1203 		case NETLINK_SELINUX:
1204 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1205 		case NETLINK_ISCSI:
1206 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1207 		case NETLINK_AUDIT:
1208 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1209 		case NETLINK_FIB_LOOKUP:
1210 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 		case NETLINK_CONNECTOR:
1212 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 		case NETLINK_NETFILTER:
1214 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215 		case NETLINK_DNRTMSG:
1216 			return SECCLASS_NETLINK_DNRT_SOCKET;
1217 		case NETLINK_KOBJECT_UEVENT:
1218 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219 		case NETLINK_GENERIC:
1220 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 		case NETLINK_SCSITRANSPORT:
1222 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 		case NETLINK_RDMA:
1224 			return SECCLASS_NETLINK_RDMA_SOCKET;
1225 		case NETLINK_CRYPTO:
1226 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227 		default:
1228 			return SECCLASS_NETLINK_SOCKET;
1229 		}
1230 	case PF_PACKET:
1231 		return SECCLASS_PACKET_SOCKET;
1232 	case PF_KEY:
1233 		return SECCLASS_KEY_SOCKET;
1234 	case PF_APPLETALK:
1235 		return SECCLASS_APPLETALK_SOCKET;
1236 	}
1237 
1238 	if (extsockclass) {
1239 		switch (family) {
1240 		case PF_AX25:
1241 			return SECCLASS_AX25_SOCKET;
1242 		case PF_IPX:
1243 			return SECCLASS_IPX_SOCKET;
1244 		case PF_NETROM:
1245 			return SECCLASS_NETROM_SOCKET;
1246 		case PF_ATMPVC:
1247 			return SECCLASS_ATMPVC_SOCKET;
1248 		case PF_X25:
1249 			return SECCLASS_X25_SOCKET;
1250 		case PF_ROSE:
1251 			return SECCLASS_ROSE_SOCKET;
1252 		case PF_DECnet:
1253 			return SECCLASS_DECNET_SOCKET;
1254 		case PF_ATMSVC:
1255 			return SECCLASS_ATMSVC_SOCKET;
1256 		case PF_RDS:
1257 			return SECCLASS_RDS_SOCKET;
1258 		case PF_IRDA:
1259 			return SECCLASS_IRDA_SOCKET;
1260 		case PF_PPPOX:
1261 			return SECCLASS_PPPOX_SOCKET;
1262 		case PF_LLC:
1263 			return SECCLASS_LLC_SOCKET;
1264 		case PF_CAN:
1265 			return SECCLASS_CAN_SOCKET;
1266 		case PF_TIPC:
1267 			return SECCLASS_TIPC_SOCKET;
1268 		case PF_BLUETOOTH:
1269 			return SECCLASS_BLUETOOTH_SOCKET;
1270 		case PF_IUCV:
1271 			return SECCLASS_IUCV_SOCKET;
1272 		case PF_RXRPC:
1273 			return SECCLASS_RXRPC_SOCKET;
1274 		case PF_ISDN:
1275 			return SECCLASS_ISDN_SOCKET;
1276 		case PF_PHONET:
1277 			return SECCLASS_PHONET_SOCKET;
1278 		case PF_IEEE802154:
1279 			return SECCLASS_IEEE802154_SOCKET;
1280 		case PF_CAIF:
1281 			return SECCLASS_CAIF_SOCKET;
1282 		case PF_ALG:
1283 			return SECCLASS_ALG_SOCKET;
1284 		case PF_NFC:
1285 			return SECCLASS_NFC_SOCKET;
1286 		case PF_VSOCK:
1287 			return SECCLASS_VSOCK_SOCKET;
1288 		case PF_KCM:
1289 			return SECCLASS_KCM_SOCKET;
1290 		case PF_QIPCRTR:
1291 			return SECCLASS_QIPCRTR_SOCKET;
1292 		case PF_SMC:
1293 			return SECCLASS_SMC_SOCKET;
1294 		case PF_XDP:
1295 			return SECCLASS_XDP_SOCKET;
1296 		case PF_MCTP:
1297 			return SECCLASS_MCTP_SOCKET;
1298 #if PF_MAX > 46
1299 #error New address family defined, please update this function.
1300 #endif
1301 		}
1302 	}
1303 
1304 	return SECCLASS_SOCKET;
1305 }
1306 
1307 static int selinux_genfs_get_sid(struct dentry *dentry,
1308 				 u16 tclass,
1309 				 u16 flags,
1310 				 u32 *sid)
1311 {
1312 	int rc;
1313 	struct super_block *sb = dentry->d_sb;
1314 	char *buffer, *path;
1315 
1316 	buffer = (char *)__get_free_page(GFP_KERNEL);
1317 	if (!buffer)
1318 		return -ENOMEM;
1319 
1320 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321 	if (IS_ERR(path))
1322 		rc = PTR_ERR(path);
1323 	else {
1324 		if (flags & SE_SBPROC) {
1325 			/* each process gets a /proc/PID/ entry. Strip off the
1326 			 * PID part to get a valid selinux labeling.
1327 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328 			while (path[1] >= '0' && path[1] <= '9') {
1329 				path[1] = '/';
1330 				path++;
1331 			}
1332 		}
1333 		rc = security_genfs_sid(sb->s_type->name,
1334 					path, tclass, sid);
1335 		if (rc == -ENOENT) {
1336 			/* No match in policy, mark as unlabeled. */
1337 			*sid = SECINITSID_UNLABELED;
1338 			rc = 0;
1339 		}
1340 	}
1341 	free_page((unsigned long)buffer);
1342 	return rc;
1343 }
1344 
1345 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346 				  u32 def_sid, u32 *sid)
1347 {
1348 #define INITCONTEXTLEN 255
1349 	char *context;
1350 	unsigned int len;
1351 	int rc;
1352 
1353 	len = INITCONTEXTLEN;
1354 	context = kmalloc(len + 1, GFP_NOFS);
1355 	if (!context)
1356 		return -ENOMEM;
1357 
1358 	context[len] = '\0';
1359 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360 	if (rc == -ERANGE) {
1361 		kfree(context);
1362 
1363 		/* Need a larger buffer.  Query for the right size. */
1364 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365 		if (rc < 0)
1366 			return rc;
1367 
1368 		len = rc;
1369 		context = kmalloc(len + 1, GFP_NOFS);
1370 		if (!context)
1371 			return -ENOMEM;
1372 
1373 		context[len] = '\0';
1374 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375 				    context, len);
1376 	}
1377 	if (rc < 0) {
1378 		kfree(context);
1379 		if (rc != -ENODATA) {
1380 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1381 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382 			return rc;
1383 		}
1384 		*sid = def_sid;
1385 		return 0;
1386 	}
1387 
1388 	rc = security_context_to_sid_default(context, rc, sid,
1389 					     def_sid, GFP_NOFS);
1390 	if (rc) {
1391 		char *dev = inode->i_sb->s_id;
1392 		unsigned long ino = inode->i_ino;
1393 
1394 		if (rc == -EINVAL) {
1395 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1396 					      ino, dev, context);
1397 		} else {
1398 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399 				__func__, context, -rc, dev, ino);
1400 		}
1401 	}
1402 	kfree(context);
1403 	return 0;
1404 }
1405 
1406 /* The inode's security attributes must be initialized before first use. */
1407 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408 {
1409 	struct superblock_security_struct *sbsec = NULL;
1410 	struct inode_security_struct *isec = selinux_inode(inode);
1411 	u32 task_sid, sid = 0;
1412 	u16 sclass;
1413 	struct dentry *dentry;
1414 	int rc = 0;
1415 
1416 	if (isec->initialized == LABEL_INITIALIZED)
1417 		return 0;
1418 
1419 	spin_lock(&isec->lock);
1420 	if (isec->initialized == LABEL_INITIALIZED)
1421 		goto out_unlock;
1422 
1423 	if (isec->sclass == SECCLASS_FILE)
1424 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425 
1426 	sbsec = selinux_superblock(inode->i_sb);
1427 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1428 		/* Defer initialization until selinux_complete_init,
1429 		   after the initial policy is loaded and the security
1430 		   server is ready to handle calls. */
1431 		spin_lock(&sbsec->isec_lock);
1432 		if (list_empty(&isec->list))
1433 			list_add(&isec->list, &sbsec->isec_head);
1434 		spin_unlock(&sbsec->isec_lock);
1435 		goto out_unlock;
1436 	}
1437 
1438 	sclass = isec->sclass;
1439 	task_sid = isec->task_sid;
1440 	sid = isec->sid;
1441 	isec->initialized = LABEL_PENDING;
1442 	spin_unlock(&isec->lock);
1443 
1444 	switch (sbsec->behavior) {
1445 	/*
1446 	 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447 	 * via xattr when called from delayed_superblock_init().
1448 	 */
1449 	case SECURITY_FS_USE_NATIVE:
1450 	case SECURITY_FS_USE_XATTR:
1451 		if (!(inode->i_opflags & IOP_XATTR)) {
1452 			sid = sbsec->def_sid;
1453 			break;
1454 		}
1455 		/* Need a dentry, since the xattr API requires one.
1456 		   Life would be simpler if we could just pass the inode. */
1457 		if (opt_dentry) {
1458 			/* Called from d_instantiate or d_splice_alias. */
1459 			dentry = dget(opt_dentry);
1460 		} else {
1461 			/*
1462 			 * Called from selinux_complete_init, try to find a dentry.
1463 			 * Some filesystems really want a connected one, so try
1464 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1465 			 * two, depending upon that...
1466 			 */
1467 			dentry = d_find_alias(inode);
1468 			if (!dentry)
1469 				dentry = d_find_any_alias(inode);
1470 		}
1471 		if (!dentry) {
1472 			/*
1473 			 * this is can be hit on boot when a file is accessed
1474 			 * before the policy is loaded.  When we load policy we
1475 			 * may find inodes that have no dentry on the
1476 			 * sbsec->isec_head list.  No reason to complain as these
1477 			 * will get fixed up the next time we go through
1478 			 * inode_doinit with a dentry, before these inodes could
1479 			 * be used again by userspace.
1480 			 */
1481 			goto out_invalid;
1482 		}
1483 
1484 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485 					    &sid);
1486 		dput(dentry);
1487 		if (rc)
1488 			goto out;
1489 		break;
1490 	case SECURITY_FS_USE_TASK:
1491 		sid = task_sid;
1492 		break;
1493 	case SECURITY_FS_USE_TRANS:
1494 		/* Default to the fs SID. */
1495 		sid = sbsec->sid;
1496 
1497 		/* Try to obtain a transition SID. */
1498 		rc = security_transition_sid(task_sid, sid,
1499 					     sclass, NULL, &sid);
1500 		if (rc)
1501 			goto out;
1502 		break;
1503 	case SECURITY_FS_USE_MNTPOINT:
1504 		sid = sbsec->mntpoint_sid;
1505 		break;
1506 	default:
1507 		/* Default to the fs superblock SID. */
1508 		sid = sbsec->sid;
1509 
1510 		if ((sbsec->flags & SE_SBGENFS) &&
1511 		     (!S_ISLNK(inode->i_mode) ||
1512 		      selinux_policycap_genfs_seclabel_symlinks())) {
1513 			/* We must have a dentry to determine the label on
1514 			 * procfs inodes */
1515 			if (opt_dentry) {
1516 				/* Called from d_instantiate or
1517 				 * d_splice_alias. */
1518 				dentry = dget(opt_dentry);
1519 			} else {
1520 				/* Called from selinux_complete_init, try to
1521 				 * find a dentry.  Some filesystems really want
1522 				 * a connected one, so try that first.
1523 				 */
1524 				dentry = d_find_alias(inode);
1525 				if (!dentry)
1526 					dentry = d_find_any_alias(inode);
1527 			}
1528 			/*
1529 			 * This can be hit on boot when a file is accessed
1530 			 * before the policy is loaded.  When we load policy we
1531 			 * may find inodes that have no dentry on the
1532 			 * sbsec->isec_head list.  No reason to complain as
1533 			 * these will get fixed up the next time we go through
1534 			 * inode_doinit() with a dentry, before these inodes
1535 			 * could be used again by userspace.
1536 			 */
1537 			if (!dentry)
1538 				goto out_invalid;
1539 			rc = selinux_genfs_get_sid(dentry, sclass,
1540 						   sbsec->flags, &sid);
1541 			if (rc) {
1542 				dput(dentry);
1543 				goto out;
1544 			}
1545 
1546 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547 			    (inode->i_opflags & IOP_XATTR)) {
1548 				rc = inode_doinit_use_xattr(inode, dentry,
1549 							    sid, &sid);
1550 				if (rc) {
1551 					dput(dentry);
1552 					goto out;
1553 				}
1554 			}
1555 			dput(dentry);
1556 		}
1557 		break;
1558 	}
1559 
1560 out:
1561 	spin_lock(&isec->lock);
1562 	if (isec->initialized == LABEL_PENDING) {
1563 		if (rc) {
1564 			isec->initialized = LABEL_INVALID;
1565 			goto out_unlock;
1566 		}
1567 		isec->initialized = LABEL_INITIALIZED;
1568 		isec->sid = sid;
1569 	}
1570 
1571 out_unlock:
1572 	spin_unlock(&isec->lock);
1573 	return rc;
1574 
1575 out_invalid:
1576 	spin_lock(&isec->lock);
1577 	if (isec->initialized == LABEL_PENDING) {
1578 		isec->initialized = LABEL_INVALID;
1579 		isec->sid = sid;
1580 	}
1581 	spin_unlock(&isec->lock);
1582 	return 0;
1583 }
1584 
1585 /* Convert a Linux signal to an access vector. */
1586 static inline u32 signal_to_av(int sig)
1587 {
1588 	u32 perm = 0;
1589 
1590 	switch (sig) {
1591 	case SIGCHLD:
1592 		/* Commonly granted from child to parent. */
1593 		perm = PROCESS__SIGCHLD;
1594 		break;
1595 	case SIGKILL:
1596 		/* Cannot be caught or ignored */
1597 		perm = PROCESS__SIGKILL;
1598 		break;
1599 	case SIGSTOP:
1600 		/* Cannot be caught or ignored */
1601 		perm = PROCESS__SIGSTOP;
1602 		break;
1603 	default:
1604 		/* All other signals. */
1605 		perm = PROCESS__SIGNAL;
1606 		break;
1607 	}
1608 
1609 	return perm;
1610 }
1611 
1612 #if CAP_LAST_CAP > 63
1613 #error Fix SELinux to handle capabilities > 63.
1614 #endif
1615 
1616 /* Check whether a task is allowed to use a capability. */
1617 static int cred_has_capability(const struct cred *cred,
1618 			       int cap, unsigned int opts, bool initns)
1619 {
1620 	struct common_audit_data ad;
1621 	struct av_decision avd;
1622 	u16 sclass;
1623 	u32 sid = cred_sid(cred);
1624 	u32 av = CAP_TO_MASK(cap);
1625 	int rc;
1626 
1627 	ad.type = LSM_AUDIT_DATA_CAP;
1628 	ad.u.cap = cap;
1629 
1630 	switch (CAP_TO_INDEX(cap)) {
1631 	case 0:
1632 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1633 		break;
1634 	case 1:
1635 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1636 		break;
1637 	default:
1638 		pr_err("SELinux:  out of range capability %d\n", cap);
1639 		BUG();
1640 		return -EINVAL;
1641 	}
1642 
1643 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1644 	if (!(opts & CAP_OPT_NOAUDIT)) {
1645 		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1646 		if (rc2)
1647 			return rc2;
1648 	}
1649 	return rc;
1650 }
1651 
1652 /* Check whether a task has a particular permission to an inode.
1653    The 'adp' parameter is optional and allows other audit
1654    data to be passed (e.g. the dentry). */
1655 static int inode_has_perm(const struct cred *cred,
1656 			  struct inode *inode,
1657 			  u32 perms,
1658 			  struct common_audit_data *adp)
1659 {
1660 	struct inode_security_struct *isec;
1661 	u32 sid;
1662 
1663 	if (unlikely(IS_PRIVATE(inode)))
1664 		return 0;
1665 
1666 	sid = cred_sid(cred);
1667 	isec = selinux_inode(inode);
1668 
1669 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1670 }
1671 
1672 /* Same as inode_has_perm, but pass explicit audit data containing
1673    the dentry to help the auditing code to more easily generate the
1674    pathname if needed. */
1675 static inline int dentry_has_perm(const struct cred *cred,
1676 				  struct dentry *dentry,
1677 				  u32 av)
1678 {
1679 	struct inode *inode = d_backing_inode(dentry);
1680 	struct common_audit_data ad;
1681 
1682 	ad.type = LSM_AUDIT_DATA_DENTRY;
1683 	ad.u.dentry = dentry;
1684 	__inode_security_revalidate(inode, dentry, true);
1685 	return inode_has_perm(cred, inode, av, &ad);
1686 }
1687 
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the path to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int path_has_perm(const struct cred *cred,
1692 				const struct path *path,
1693 				u32 av)
1694 {
1695 	struct inode *inode = d_backing_inode(path->dentry);
1696 	struct common_audit_data ad;
1697 
1698 	ad.type = LSM_AUDIT_DATA_PATH;
1699 	ad.u.path = *path;
1700 	__inode_security_revalidate(inode, path->dentry, true);
1701 	return inode_has_perm(cred, inode, av, &ad);
1702 }
1703 
1704 /* Same as path_has_perm, but uses the inode from the file struct. */
1705 static inline int file_path_has_perm(const struct cred *cred,
1706 				     struct file *file,
1707 				     u32 av)
1708 {
1709 	struct common_audit_data ad;
1710 
1711 	ad.type = LSM_AUDIT_DATA_FILE;
1712 	ad.u.file = file;
1713 	return inode_has_perm(cred, file_inode(file), av, &ad);
1714 }
1715 
1716 #ifdef CONFIG_BPF_SYSCALL
1717 static int bpf_fd_pass(const struct file *file, u32 sid);
1718 #endif
1719 
1720 /* Check whether a task can use an open file descriptor to
1721    access an inode in a given way.  Check access to the
1722    descriptor itself, and then use dentry_has_perm to
1723    check a particular permission to the file.
1724    Access to the descriptor is implicitly granted if it
1725    has the same SID as the process.  If av is zero, then
1726    access to the file is not checked, e.g. for cases
1727    where only the descriptor is affected like seek. */
1728 static int file_has_perm(const struct cred *cred,
1729 			 struct file *file,
1730 			 u32 av)
1731 {
1732 	struct file_security_struct *fsec = selinux_file(file);
1733 	struct inode *inode = file_inode(file);
1734 	struct common_audit_data ad;
1735 	u32 sid = cred_sid(cred);
1736 	int rc;
1737 
1738 	ad.type = LSM_AUDIT_DATA_FILE;
1739 	ad.u.file = file;
1740 
1741 	if (sid != fsec->sid) {
1742 		rc = avc_has_perm(sid, fsec->sid,
1743 				  SECCLASS_FD,
1744 				  FD__USE,
1745 				  &ad);
1746 		if (rc)
1747 			goto out;
1748 	}
1749 
1750 #ifdef CONFIG_BPF_SYSCALL
1751 	rc = bpf_fd_pass(file, cred_sid(cred));
1752 	if (rc)
1753 		return rc;
1754 #endif
1755 
1756 	/* av is zero if only checking access to the descriptor. */
1757 	rc = 0;
1758 	if (av)
1759 		rc = inode_has_perm(cred, inode, av, &ad);
1760 
1761 out:
1762 	return rc;
1763 }
1764 
1765 /*
1766  * Determine the label for an inode that might be unioned.
1767  */
1768 static int
1769 selinux_determine_inode_label(const struct task_security_struct *tsec,
1770 				 struct inode *dir,
1771 				 const struct qstr *name, u16 tclass,
1772 				 u32 *_new_isid)
1773 {
1774 	const struct superblock_security_struct *sbsec =
1775 						selinux_superblock(dir->i_sb);
1776 
1777 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1778 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1779 		*_new_isid = sbsec->mntpoint_sid;
1780 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1781 		   tsec->create_sid) {
1782 		*_new_isid = tsec->create_sid;
1783 	} else {
1784 		const struct inode_security_struct *dsec = inode_security(dir);
1785 		return security_transition_sid(tsec->sid,
1786 					       dsec->sid, tclass,
1787 					       name, _new_isid);
1788 	}
1789 
1790 	return 0;
1791 }
1792 
1793 /* Check whether a task can create a file. */
1794 static int may_create(struct inode *dir,
1795 		      struct dentry *dentry,
1796 		      u16 tclass)
1797 {
1798 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1799 	struct inode_security_struct *dsec;
1800 	struct superblock_security_struct *sbsec;
1801 	u32 sid, newsid;
1802 	struct common_audit_data ad;
1803 	int rc;
1804 
1805 	dsec = inode_security(dir);
1806 	sbsec = selinux_superblock(dir->i_sb);
1807 
1808 	sid = tsec->sid;
1809 
1810 	ad.type = LSM_AUDIT_DATA_DENTRY;
1811 	ad.u.dentry = dentry;
1812 
1813 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1814 			  DIR__ADD_NAME | DIR__SEARCH,
1815 			  &ad);
1816 	if (rc)
1817 		return rc;
1818 
1819 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1820 					   &newsid);
1821 	if (rc)
1822 		return rc;
1823 
1824 	rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1825 	if (rc)
1826 		return rc;
1827 
1828 	return avc_has_perm(newsid, sbsec->sid,
1829 			    SECCLASS_FILESYSTEM,
1830 			    FILESYSTEM__ASSOCIATE, &ad);
1831 }
1832 
1833 #define MAY_LINK	0
1834 #define MAY_UNLINK	1
1835 #define MAY_RMDIR	2
1836 
1837 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1838 static int may_link(struct inode *dir,
1839 		    struct dentry *dentry,
1840 		    int kind)
1841 
1842 {
1843 	struct inode_security_struct *dsec, *isec;
1844 	struct common_audit_data ad;
1845 	u32 sid = current_sid();
1846 	u32 av;
1847 	int rc;
1848 
1849 	dsec = inode_security(dir);
1850 	isec = backing_inode_security(dentry);
1851 
1852 	ad.type = LSM_AUDIT_DATA_DENTRY;
1853 	ad.u.dentry = dentry;
1854 
1855 	av = DIR__SEARCH;
1856 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1857 	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1858 	if (rc)
1859 		return rc;
1860 
1861 	switch (kind) {
1862 	case MAY_LINK:
1863 		av = FILE__LINK;
1864 		break;
1865 	case MAY_UNLINK:
1866 		av = FILE__UNLINK;
1867 		break;
1868 	case MAY_RMDIR:
1869 		av = DIR__RMDIR;
1870 		break;
1871 	default:
1872 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1873 			__func__, kind);
1874 		return 0;
1875 	}
1876 
1877 	rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1878 	return rc;
1879 }
1880 
1881 static inline int may_rename(struct inode *old_dir,
1882 			     struct dentry *old_dentry,
1883 			     struct inode *new_dir,
1884 			     struct dentry *new_dentry)
1885 {
1886 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1887 	struct common_audit_data ad;
1888 	u32 sid = current_sid();
1889 	u32 av;
1890 	int old_is_dir, new_is_dir;
1891 	int rc;
1892 
1893 	old_dsec = inode_security(old_dir);
1894 	old_isec = backing_inode_security(old_dentry);
1895 	old_is_dir = d_is_dir(old_dentry);
1896 	new_dsec = inode_security(new_dir);
1897 
1898 	ad.type = LSM_AUDIT_DATA_DENTRY;
1899 
1900 	ad.u.dentry = old_dentry;
1901 	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1902 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1903 	if (rc)
1904 		return rc;
1905 	rc = avc_has_perm(sid, old_isec->sid,
1906 			  old_isec->sclass, FILE__RENAME, &ad);
1907 	if (rc)
1908 		return rc;
1909 	if (old_is_dir && new_dir != old_dir) {
1910 		rc = avc_has_perm(sid, old_isec->sid,
1911 				  old_isec->sclass, DIR__REPARENT, &ad);
1912 		if (rc)
1913 			return rc;
1914 	}
1915 
1916 	ad.u.dentry = new_dentry;
1917 	av = DIR__ADD_NAME | DIR__SEARCH;
1918 	if (d_is_positive(new_dentry))
1919 		av |= DIR__REMOVE_NAME;
1920 	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921 	if (rc)
1922 		return rc;
1923 	if (d_is_positive(new_dentry)) {
1924 		new_isec = backing_inode_security(new_dentry);
1925 		new_is_dir = d_is_dir(new_dentry);
1926 		rc = avc_has_perm(sid, new_isec->sid,
1927 				  new_isec->sclass,
1928 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1929 		if (rc)
1930 			return rc;
1931 	}
1932 
1933 	return 0;
1934 }
1935 
1936 /* Check whether a task can perform a filesystem operation. */
1937 static int superblock_has_perm(const struct cred *cred,
1938 			       struct super_block *sb,
1939 			       u32 perms,
1940 			       struct common_audit_data *ad)
1941 {
1942 	struct superblock_security_struct *sbsec;
1943 	u32 sid = cred_sid(cred);
1944 
1945 	sbsec = selinux_superblock(sb);
1946 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1947 }
1948 
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1951 {
1952 	u32 av = 0;
1953 
1954 	if (!S_ISDIR(mode)) {
1955 		if (mask & MAY_EXEC)
1956 			av |= FILE__EXECUTE;
1957 		if (mask & MAY_READ)
1958 			av |= FILE__READ;
1959 
1960 		if (mask & MAY_APPEND)
1961 			av |= FILE__APPEND;
1962 		else if (mask & MAY_WRITE)
1963 			av |= FILE__WRITE;
1964 
1965 	} else {
1966 		if (mask & MAY_EXEC)
1967 			av |= DIR__SEARCH;
1968 		if (mask & MAY_WRITE)
1969 			av |= DIR__WRITE;
1970 		if (mask & MAY_READ)
1971 			av |= DIR__READ;
1972 	}
1973 
1974 	return av;
1975 }
1976 
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(const struct file *file)
1979 {
1980 	u32 av = 0;
1981 
1982 	if (file->f_mode & FMODE_READ)
1983 		av |= FILE__READ;
1984 	if (file->f_mode & FMODE_WRITE) {
1985 		if (file->f_flags & O_APPEND)
1986 			av |= FILE__APPEND;
1987 		else
1988 			av |= FILE__WRITE;
1989 	}
1990 	if (!av) {
1991 		/*
1992 		 * Special file opened with flags 3 for ioctl-only use.
1993 		 */
1994 		av = FILE__IOCTL;
1995 	}
1996 
1997 	return av;
1998 }
1999 
2000 /*
2001  * Convert a file to an access vector and include the correct
2002  * open permission.
2003  */
2004 static inline u32 open_file_to_av(struct file *file)
2005 {
2006 	u32 av = file_to_av(file);
2007 	struct inode *inode = file_inode(file);
2008 
2009 	if (selinux_policycap_openperm() &&
2010 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
2011 		av |= FILE__OPEN;
2012 
2013 	return av;
2014 }
2015 
2016 /* Hook functions begin here. */
2017 
2018 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2019 {
2020 	return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2021 			    BINDER__SET_CONTEXT_MGR, NULL);
2022 }
2023 
2024 static int selinux_binder_transaction(const struct cred *from,
2025 				      const struct cred *to)
2026 {
2027 	u32 mysid = current_sid();
2028 	u32 fromsid = cred_sid(from);
2029 	u32 tosid = cred_sid(to);
2030 	int rc;
2031 
2032 	if (mysid != fromsid) {
2033 		rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2034 				  BINDER__IMPERSONATE, NULL);
2035 		if (rc)
2036 			return rc;
2037 	}
2038 
2039 	return avc_has_perm(fromsid, tosid,
2040 			    SECCLASS_BINDER, BINDER__CALL, NULL);
2041 }
2042 
2043 static int selinux_binder_transfer_binder(const struct cred *from,
2044 					  const struct cred *to)
2045 {
2046 	return avc_has_perm(cred_sid(from), cred_sid(to),
2047 			    SECCLASS_BINDER, BINDER__TRANSFER,
2048 			    NULL);
2049 }
2050 
2051 static int selinux_binder_transfer_file(const struct cred *from,
2052 					const struct cred *to,
2053 					const struct file *file)
2054 {
2055 	u32 sid = cred_sid(to);
2056 	struct file_security_struct *fsec = selinux_file(file);
2057 	struct dentry *dentry = file->f_path.dentry;
2058 	struct inode_security_struct *isec;
2059 	struct common_audit_data ad;
2060 	int rc;
2061 
2062 	ad.type = LSM_AUDIT_DATA_PATH;
2063 	ad.u.path = file->f_path;
2064 
2065 	if (sid != fsec->sid) {
2066 		rc = avc_has_perm(sid, fsec->sid,
2067 				  SECCLASS_FD,
2068 				  FD__USE,
2069 				  &ad);
2070 		if (rc)
2071 			return rc;
2072 	}
2073 
2074 #ifdef CONFIG_BPF_SYSCALL
2075 	rc = bpf_fd_pass(file, sid);
2076 	if (rc)
2077 		return rc;
2078 #endif
2079 
2080 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2081 		return 0;
2082 
2083 	isec = backing_inode_security(dentry);
2084 	return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2085 			    &ad);
2086 }
2087 
2088 static int selinux_ptrace_access_check(struct task_struct *child,
2089 				       unsigned int mode)
2090 {
2091 	u32 sid = current_sid();
2092 	u32 csid = task_sid_obj(child);
2093 
2094 	if (mode & PTRACE_MODE_READ)
2095 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2096 				NULL);
2097 
2098 	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2099 			NULL);
2100 }
2101 
2102 static int selinux_ptrace_traceme(struct task_struct *parent)
2103 {
2104 	return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2105 			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2106 }
2107 
2108 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2109 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2110 {
2111 	return avc_has_perm(current_sid(), task_sid_obj(target),
2112 			SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2113 }
2114 
2115 static int selinux_capset(struct cred *new, const struct cred *old,
2116 			  const kernel_cap_t *effective,
2117 			  const kernel_cap_t *inheritable,
2118 			  const kernel_cap_t *permitted)
2119 {
2120 	return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2121 			    PROCESS__SETCAP, NULL);
2122 }
2123 
2124 /*
2125  * (This comment used to live with the selinux_task_setuid hook,
2126  * which was removed).
2127  *
2128  * Since setuid only affects the current process, and since the SELinux
2129  * controls are not based on the Linux identity attributes, SELinux does not
2130  * need to control this operation.  However, SELinux does control the use of
2131  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2132  */
2133 
2134 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2135 			   int cap, unsigned int opts)
2136 {
2137 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2138 }
2139 
2140 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2141 {
2142 	const struct cred *cred = current_cred();
2143 	int rc = 0;
2144 
2145 	if (!sb)
2146 		return 0;
2147 
2148 	switch (cmds) {
2149 	case Q_SYNC:
2150 	case Q_QUOTAON:
2151 	case Q_QUOTAOFF:
2152 	case Q_SETINFO:
2153 	case Q_SETQUOTA:
2154 	case Q_XQUOTAOFF:
2155 	case Q_XQUOTAON:
2156 	case Q_XSETQLIM:
2157 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2158 		break;
2159 	case Q_GETFMT:
2160 	case Q_GETINFO:
2161 	case Q_GETQUOTA:
2162 	case Q_XGETQUOTA:
2163 	case Q_XGETQSTAT:
2164 	case Q_XGETQSTATV:
2165 	case Q_XGETNEXTQUOTA:
2166 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2167 		break;
2168 	default:
2169 		rc = 0;  /* let the kernel handle invalid cmds */
2170 		break;
2171 	}
2172 	return rc;
2173 }
2174 
2175 static int selinux_quota_on(struct dentry *dentry)
2176 {
2177 	const struct cred *cred = current_cred();
2178 
2179 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2180 }
2181 
2182 static int selinux_syslog(int type)
2183 {
2184 	switch (type) {
2185 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2186 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2187 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2188 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2189 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2190 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2191 	/* Set level of messages printed to console */
2192 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2193 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2194 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2195 				    NULL);
2196 	}
2197 	/* All other syslog types */
2198 	return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2199 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2200 }
2201 
2202 /*
2203  * Check that a process has enough memory to allocate a new virtual
2204  * mapping. 0 means there is enough memory for the allocation to
2205  * succeed and -ENOMEM implies there is not.
2206  *
2207  * Do not audit the selinux permission check, as this is applied to all
2208  * processes that allocate mappings.
2209  */
2210 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2211 {
2212 	int rc, cap_sys_admin = 0;
2213 
2214 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2215 				 CAP_OPT_NOAUDIT, true);
2216 	if (rc == 0)
2217 		cap_sys_admin = 1;
2218 
2219 	return cap_sys_admin;
2220 }
2221 
2222 /* binprm security operations */
2223 
2224 static u32 ptrace_parent_sid(void)
2225 {
2226 	u32 sid = 0;
2227 	struct task_struct *tracer;
2228 
2229 	rcu_read_lock();
2230 	tracer = ptrace_parent(current);
2231 	if (tracer)
2232 		sid = task_sid_obj(tracer);
2233 	rcu_read_unlock();
2234 
2235 	return sid;
2236 }
2237 
2238 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239 			    const struct task_security_struct *old_tsec,
2240 			    const struct task_security_struct *new_tsec)
2241 {
2242 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2243 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2244 	int rc;
2245 	u32 av;
2246 
2247 	if (!nnp && !nosuid)
2248 		return 0; /* neither NNP nor nosuid */
2249 
2250 	if (new_tsec->sid == old_tsec->sid)
2251 		return 0; /* No change in credentials */
2252 
2253 	/*
2254 	 * If the policy enables the nnp_nosuid_transition policy capability,
2255 	 * then we permit transitions under NNP or nosuid if the
2256 	 * policy allows the corresponding permission between
2257 	 * the old and new contexts.
2258 	 */
2259 	if (selinux_policycap_nnp_nosuid_transition()) {
2260 		av = 0;
2261 		if (nnp)
2262 			av |= PROCESS2__NNP_TRANSITION;
2263 		if (nosuid)
2264 			av |= PROCESS2__NOSUID_TRANSITION;
2265 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266 				  SECCLASS_PROCESS2, av, NULL);
2267 		if (!rc)
2268 			return 0;
2269 	}
2270 
2271 	/*
2272 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2273 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2274 	 * of the permissions of the current SID.
2275 	 */
2276 	rc = security_bounded_transition(old_tsec->sid,
2277 					 new_tsec->sid);
2278 	if (!rc)
2279 		return 0;
2280 
2281 	/*
2282 	 * On failure, preserve the errno values for NNP vs nosuid.
2283 	 * NNP:  Operation not permitted for caller.
2284 	 * nosuid:  Permission denied to file.
2285 	 */
2286 	if (nnp)
2287 		return -EPERM;
2288 	return -EACCES;
2289 }
2290 
2291 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2292 {
2293 	const struct task_security_struct *old_tsec;
2294 	struct task_security_struct *new_tsec;
2295 	struct inode_security_struct *isec;
2296 	struct common_audit_data ad;
2297 	struct inode *inode = file_inode(bprm->file);
2298 	int rc;
2299 
2300 	/* SELinux context only depends on initial program or script and not
2301 	 * the script interpreter */
2302 
2303 	old_tsec = selinux_cred(current_cred());
2304 	new_tsec = selinux_cred(bprm->cred);
2305 	isec = inode_security(inode);
2306 
2307 	/* Default to the current task SID. */
2308 	new_tsec->sid = old_tsec->sid;
2309 	new_tsec->osid = old_tsec->sid;
2310 
2311 	/* Reset fs, key, and sock SIDs on execve. */
2312 	new_tsec->create_sid = 0;
2313 	new_tsec->keycreate_sid = 0;
2314 	new_tsec->sockcreate_sid = 0;
2315 
2316 	if (old_tsec->exec_sid) {
2317 		new_tsec->sid = old_tsec->exec_sid;
2318 		/* Reset exec SID on execve. */
2319 		new_tsec->exec_sid = 0;
2320 
2321 		/* Fail on NNP or nosuid if not an allowed transition. */
2322 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323 		if (rc)
2324 			return rc;
2325 	} else {
2326 		/* Check for a default transition on this program. */
2327 		rc = security_transition_sid(old_tsec->sid,
2328 					     isec->sid, SECCLASS_PROCESS, NULL,
2329 					     &new_tsec->sid);
2330 		if (rc)
2331 			return rc;
2332 
2333 		/*
2334 		 * Fallback to old SID on NNP or nosuid if not an allowed
2335 		 * transition.
2336 		 */
2337 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 		if (rc)
2339 			new_tsec->sid = old_tsec->sid;
2340 	}
2341 
2342 	ad.type = LSM_AUDIT_DATA_FILE;
2343 	ad.u.file = bprm->file;
2344 
2345 	if (new_tsec->sid == old_tsec->sid) {
2346 		rc = avc_has_perm(old_tsec->sid, isec->sid,
2347 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 		if (rc)
2349 			return rc;
2350 	} else {
2351 		/* Check permissions for the transition. */
2352 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2353 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354 		if (rc)
2355 			return rc;
2356 
2357 		rc = avc_has_perm(new_tsec->sid, isec->sid,
2358 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2359 		if (rc)
2360 			return rc;
2361 
2362 		/* Check for shared state */
2363 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2364 			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2365 					  SECCLASS_PROCESS, PROCESS__SHARE,
2366 					  NULL);
2367 			if (rc)
2368 				return -EPERM;
2369 		}
2370 
2371 		/* Make sure that anyone attempting to ptrace over a task that
2372 		 * changes its SID has the appropriate permit */
2373 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2374 			u32 ptsid = ptrace_parent_sid();
2375 			if (ptsid != 0) {
2376 				rc = avc_has_perm(ptsid, new_tsec->sid,
2377 						  SECCLASS_PROCESS,
2378 						  PROCESS__PTRACE, NULL);
2379 				if (rc)
2380 					return -EPERM;
2381 			}
2382 		}
2383 
2384 		/* Clear any possibly unsafe personality bits on exec: */
2385 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2386 
2387 		/* Enable secure mode for SIDs transitions unless
2388 		   the noatsecure permission is granted between
2389 		   the two SIDs, i.e. ahp returns 0. */
2390 		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2392 				  NULL);
2393 		bprm->secureexec |= !!rc;
2394 	}
2395 
2396 	return 0;
2397 }
2398 
2399 static int match_file(const void *p, struct file *file, unsigned fd)
2400 {
2401 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2402 }
2403 
2404 /* Derived from fs/exec.c:flush_old_files. */
2405 static inline void flush_unauthorized_files(const struct cred *cred,
2406 					    struct files_struct *files)
2407 {
2408 	struct file *file, *devnull = NULL;
2409 	struct tty_struct *tty;
2410 	int drop_tty = 0;
2411 	unsigned n;
2412 
2413 	tty = get_current_tty();
2414 	if (tty) {
2415 		spin_lock(&tty->files_lock);
2416 		if (!list_empty(&tty->tty_files)) {
2417 			struct tty_file_private *file_priv;
2418 
2419 			/* Revalidate access to controlling tty.
2420 			   Use file_path_has_perm on the tty path directly
2421 			   rather than using file_has_perm, as this particular
2422 			   open file may belong to another process and we are
2423 			   only interested in the inode-based check here. */
2424 			file_priv = list_first_entry(&tty->tty_files,
2425 						struct tty_file_private, list);
2426 			file = file_priv->file;
2427 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2428 				drop_tty = 1;
2429 		}
2430 		spin_unlock(&tty->files_lock);
2431 		tty_kref_put(tty);
2432 	}
2433 	/* Reset controlling tty. */
2434 	if (drop_tty)
2435 		no_tty();
2436 
2437 	/* Revalidate access to inherited open files. */
2438 	n = iterate_fd(files, 0, match_file, cred);
2439 	if (!n) /* none found? */
2440 		return;
2441 
2442 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2443 	if (IS_ERR(devnull))
2444 		devnull = NULL;
2445 	/* replace all the matching ones with this */
2446 	do {
2447 		replace_fd(n - 1, devnull, 0);
2448 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2449 	if (devnull)
2450 		fput(devnull);
2451 }
2452 
2453 /*
2454  * Prepare a process for imminent new credential changes due to exec
2455  */
2456 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2457 {
2458 	struct task_security_struct *new_tsec;
2459 	struct rlimit *rlim, *initrlim;
2460 	int rc, i;
2461 
2462 	new_tsec = selinux_cred(bprm->cred);
2463 	if (new_tsec->sid == new_tsec->osid)
2464 		return;
2465 
2466 	/* Close files for which the new task SID is not authorized. */
2467 	flush_unauthorized_files(bprm->cred, current->files);
2468 
2469 	/* Always clear parent death signal on SID transitions. */
2470 	current->pdeath_signal = 0;
2471 
2472 	/* Check whether the new SID can inherit resource limits from the old
2473 	 * SID.  If not, reset all soft limits to the lower of the current
2474 	 * task's hard limit and the init task's soft limit.
2475 	 *
2476 	 * Note that the setting of hard limits (even to lower them) can be
2477 	 * controlled by the setrlimit check.  The inclusion of the init task's
2478 	 * soft limit into the computation is to avoid resetting soft limits
2479 	 * higher than the default soft limit for cases where the default is
2480 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2481 	 */
2482 	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2483 			  PROCESS__RLIMITINH, NULL);
2484 	if (rc) {
2485 		/* protect against do_prlimit() */
2486 		task_lock(current);
2487 		for (i = 0; i < RLIM_NLIMITS; i++) {
2488 			rlim = current->signal->rlim + i;
2489 			initrlim = init_task.signal->rlim + i;
2490 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2491 		}
2492 		task_unlock(current);
2493 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2494 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2495 	}
2496 }
2497 
2498 /*
2499  * Clean up the process immediately after the installation of new credentials
2500  * due to exec
2501  */
2502 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2503 {
2504 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2505 	u32 osid, sid;
2506 	int rc;
2507 
2508 	osid = tsec->osid;
2509 	sid = tsec->sid;
2510 
2511 	if (sid == osid)
2512 		return;
2513 
2514 	/* Check whether the new SID can inherit signal state from the old SID.
2515 	 * If not, clear itimers to avoid subsequent signal generation and
2516 	 * flush and unblock signals.
2517 	 *
2518 	 * This must occur _after_ the task SID has been updated so that any
2519 	 * kill done after the flush will be checked against the new SID.
2520 	 */
2521 	rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2522 	if (rc) {
2523 		clear_itimer();
2524 
2525 		spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2526 		if (!fatal_signal_pending(current)) {
2527 			flush_sigqueue(&current->pending);
2528 			flush_sigqueue(&current->signal->shared_pending);
2529 			flush_signal_handlers(current, 1);
2530 			sigemptyset(&current->blocked);
2531 			recalc_sigpending();
2532 		}
2533 		spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2534 	}
2535 
2536 	/* Wake up the parent if it is waiting so that it can recheck
2537 	 * wait permission to the new task SID. */
2538 	read_lock(&tasklist_lock);
2539 	__wake_up_parent(current, unrcu_pointer(current->real_parent));
2540 	read_unlock(&tasklist_lock);
2541 }
2542 
2543 /* superblock security operations */
2544 
2545 static int selinux_sb_alloc_security(struct super_block *sb)
2546 {
2547 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2548 
2549 	mutex_init(&sbsec->lock);
2550 	INIT_LIST_HEAD(&sbsec->isec_head);
2551 	spin_lock_init(&sbsec->isec_lock);
2552 	sbsec->sid = SECINITSID_UNLABELED;
2553 	sbsec->def_sid = SECINITSID_FILE;
2554 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555 
2556 	return 0;
2557 }
2558 
2559 static inline int opt_len(const char *s)
2560 {
2561 	bool open_quote = false;
2562 	int len;
2563 	char c;
2564 
2565 	for (len = 0; (c = s[len]) != '\0'; len++) {
2566 		if (c == '"')
2567 			open_quote = !open_quote;
2568 		if (c == ',' && !open_quote)
2569 			break;
2570 	}
2571 	return len;
2572 }
2573 
2574 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2575 {
2576 	char *from = options;
2577 	char *to = options;
2578 	bool first = true;
2579 	int rc;
2580 
2581 	while (1) {
2582 		int len = opt_len(from);
2583 		int token;
2584 		char *arg = NULL;
2585 
2586 		token = match_opt_prefix(from, len, &arg);
2587 
2588 		if (token != Opt_error) {
2589 			char *p, *q;
2590 
2591 			/* strip quotes */
2592 			if (arg) {
2593 				for (p = q = arg; p < from + len; p++) {
2594 					char c = *p;
2595 					if (c != '"')
2596 						*q++ = c;
2597 				}
2598 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2599 				if (!arg) {
2600 					rc = -ENOMEM;
2601 					goto free_opt;
2602 				}
2603 			}
2604 			rc = selinux_add_opt(token, arg, mnt_opts);
2605 			kfree(arg);
2606 			arg = NULL;
2607 			if (unlikely(rc)) {
2608 				goto free_opt;
2609 			}
2610 		} else {
2611 			if (!first) {	// copy with preceding comma
2612 				from--;
2613 				len++;
2614 			}
2615 			if (to != from)
2616 				memmove(to, from, len);
2617 			to += len;
2618 			first = false;
2619 		}
2620 		if (!from[len])
2621 			break;
2622 		from += len + 1;
2623 	}
2624 	*to = '\0';
2625 	return 0;
2626 
2627 free_opt:
2628 	if (*mnt_opts) {
2629 		selinux_free_mnt_opts(*mnt_opts);
2630 		*mnt_opts = NULL;
2631 	}
2632 	return rc;
2633 }
2634 
2635 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2636 {
2637 	struct selinux_mnt_opts *opts = mnt_opts;
2638 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2639 
2640 	/*
2641 	 * Superblock not initialized (i.e. no options) - reject if any
2642 	 * options specified, otherwise accept.
2643 	 */
2644 	if (!(sbsec->flags & SE_SBINITIALIZED))
2645 		return opts ? 1 : 0;
2646 
2647 	/*
2648 	 * Superblock initialized and no options specified - reject if
2649 	 * superblock has any options set, otherwise accept.
2650 	 */
2651 	if (!opts)
2652 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2653 
2654 	if (opts->fscontext_sid) {
2655 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2656 			       opts->fscontext_sid))
2657 			return 1;
2658 	}
2659 	if (opts->context_sid) {
2660 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2661 			       opts->context_sid))
2662 			return 1;
2663 	}
2664 	if (opts->rootcontext_sid) {
2665 		struct inode_security_struct *root_isec;
2666 
2667 		root_isec = backing_inode_security(sb->s_root);
2668 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2669 			       opts->rootcontext_sid))
2670 			return 1;
2671 	}
2672 	if (opts->defcontext_sid) {
2673 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2674 			       opts->defcontext_sid))
2675 			return 1;
2676 	}
2677 	return 0;
2678 }
2679 
2680 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2681 {
2682 	struct selinux_mnt_opts *opts = mnt_opts;
2683 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2684 
2685 	if (!(sbsec->flags & SE_SBINITIALIZED))
2686 		return 0;
2687 
2688 	if (!opts)
2689 		return 0;
2690 
2691 	if (opts->fscontext_sid) {
2692 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2693 			       opts->fscontext_sid))
2694 			goto out_bad_option;
2695 	}
2696 	if (opts->context_sid) {
2697 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2698 			       opts->context_sid))
2699 			goto out_bad_option;
2700 	}
2701 	if (opts->rootcontext_sid) {
2702 		struct inode_security_struct *root_isec;
2703 		root_isec = backing_inode_security(sb->s_root);
2704 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2705 			       opts->rootcontext_sid))
2706 			goto out_bad_option;
2707 	}
2708 	if (opts->defcontext_sid) {
2709 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2710 			       opts->defcontext_sid))
2711 			goto out_bad_option;
2712 	}
2713 	return 0;
2714 
2715 out_bad_option:
2716 	pr_warn("SELinux: unable to change security options "
2717 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2718 	       sb->s_type->name);
2719 	return -EINVAL;
2720 }
2721 
2722 static int selinux_sb_kern_mount(struct super_block *sb)
2723 {
2724 	const struct cred *cred = current_cred();
2725 	struct common_audit_data ad;
2726 
2727 	ad.type = LSM_AUDIT_DATA_DENTRY;
2728 	ad.u.dentry = sb->s_root;
2729 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2730 }
2731 
2732 static int selinux_sb_statfs(struct dentry *dentry)
2733 {
2734 	const struct cred *cred = current_cred();
2735 	struct common_audit_data ad;
2736 
2737 	ad.type = LSM_AUDIT_DATA_DENTRY;
2738 	ad.u.dentry = dentry->d_sb->s_root;
2739 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2740 }
2741 
2742 static int selinux_mount(const char *dev_name,
2743 			 const struct path *path,
2744 			 const char *type,
2745 			 unsigned long flags,
2746 			 void *data)
2747 {
2748 	const struct cred *cred = current_cred();
2749 
2750 	if (flags & MS_REMOUNT)
2751 		return superblock_has_perm(cred, path->dentry->d_sb,
2752 					   FILESYSTEM__REMOUNT, NULL);
2753 	else
2754 		return path_has_perm(cred, path, FILE__MOUNTON);
2755 }
2756 
2757 static int selinux_move_mount(const struct path *from_path,
2758 			      const struct path *to_path)
2759 {
2760 	const struct cred *cred = current_cred();
2761 
2762 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2763 }
2764 
2765 static int selinux_umount(struct vfsmount *mnt, int flags)
2766 {
2767 	const struct cred *cred = current_cred();
2768 
2769 	return superblock_has_perm(cred, mnt->mnt_sb,
2770 				   FILESYSTEM__UNMOUNT, NULL);
2771 }
2772 
2773 static int selinux_fs_context_submount(struct fs_context *fc,
2774 				   struct super_block *reference)
2775 {
2776 	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2777 	struct selinux_mnt_opts *opts;
2778 
2779 	/*
2780 	 * Ensure that fc->security remains NULL when no options are set
2781 	 * as expected by selinux_set_mnt_opts().
2782 	 */
2783 	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2784 		return 0;
2785 
2786 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2787 	if (!opts)
2788 		return -ENOMEM;
2789 
2790 	if (sbsec->flags & FSCONTEXT_MNT)
2791 		opts->fscontext_sid = sbsec->sid;
2792 	if (sbsec->flags & CONTEXT_MNT)
2793 		opts->context_sid = sbsec->mntpoint_sid;
2794 	if (sbsec->flags & DEFCONTEXT_MNT)
2795 		opts->defcontext_sid = sbsec->def_sid;
2796 	fc->security = opts;
2797 	return 0;
2798 }
2799 
2800 static int selinux_fs_context_dup(struct fs_context *fc,
2801 				  struct fs_context *src_fc)
2802 {
2803 	const struct selinux_mnt_opts *src = src_fc->security;
2804 
2805 	if (!src)
2806 		return 0;
2807 
2808 	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2809 	return fc->security ? 0 : -ENOMEM;
2810 }
2811 
2812 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2813 	fsparam_string(CONTEXT_STR,	Opt_context),
2814 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2815 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2816 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2817 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2818 	{}
2819 };
2820 
2821 static int selinux_fs_context_parse_param(struct fs_context *fc,
2822 					  struct fs_parameter *param)
2823 {
2824 	struct fs_parse_result result;
2825 	int opt;
2826 
2827 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2828 	if (opt < 0)
2829 		return opt;
2830 
2831 	return selinux_add_opt(opt, param->string, &fc->security);
2832 }
2833 
2834 /* inode security operations */
2835 
2836 static int selinux_inode_alloc_security(struct inode *inode)
2837 {
2838 	struct inode_security_struct *isec = selinux_inode(inode);
2839 	u32 sid = current_sid();
2840 
2841 	spin_lock_init(&isec->lock);
2842 	INIT_LIST_HEAD(&isec->list);
2843 	isec->inode = inode;
2844 	isec->sid = SECINITSID_UNLABELED;
2845 	isec->sclass = SECCLASS_FILE;
2846 	isec->task_sid = sid;
2847 	isec->initialized = LABEL_INVALID;
2848 
2849 	return 0;
2850 }
2851 
2852 static void selinux_inode_free_security(struct inode *inode)
2853 {
2854 	inode_free_security(inode);
2855 }
2856 
2857 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2858 					const struct qstr *name,
2859 					const char **xattr_name, void **ctx,
2860 					u32 *ctxlen)
2861 {
2862 	u32 newsid;
2863 	int rc;
2864 
2865 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2866 					   d_inode(dentry->d_parent), name,
2867 					   inode_mode_to_security_class(mode),
2868 					   &newsid);
2869 	if (rc)
2870 		return rc;
2871 
2872 	if (xattr_name)
2873 		*xattr_name = XATTR_NAME_SELINUX;
2874 
2875 	return security_sid_to_context(newsid, (char **)ctx,
2876 				       ctxlen);
2877 }
2878 
2879 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2880 					  struct qstr *name,
2881 					  const struct cred *old,
2882 					  struct cred *new)
2883 {
2884 	u32 newsid;
2885 	int rc;
2886 	struct task_security_struct *tsec;
2887 
2888 	rc = selinux_determine_inode_label(selinux_cred(old),
2889 					   d_inode(dentry->d_parent), name,
2890 					   inode_mode_to_security_class(mode),
2891 					   &newsid);
2892 	if (rc)
2893 		return rc;
2894 
2895 	tsec = selinux_cred(new);
2896 	tsec->create_sid = newsid;
2897 	return 0;
2898 }
2899 
2900 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2901 				       const struct qstr *qstr,
2902 				       struct xattr *xattrs, int *xattr_count)
2903 {
2904 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2905 	struct superblock_security_struct *sbsec;
2906 	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2907 	u32 newsid, clen;
2908 	int rc;
2909 	char *context;
2910 
2911 	sbsec = selinux_superblock(dir->i_sb);
2912 
2913 	newsid = tsec->create_sid;
2914 
2915 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2916 		inode_mode_to_security_class(inode->i_mode),
2917 		&newsid);
2918 	if (rc)
2919 		return rc;
2920 
2921 	/* Possibly defer initialization to selinux_complete_init. */
2922 	if (sbsec->flags & SE_SBINITIALIZED) {
2923 		struct inode_security_struct *isec = selinux_inode(inode);
2924 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 		isec->sid = newsid;
2926 		isec->initialized = LABEL_INITIALIZED;
2927 	}
2928 
2929 	if (!selinux_initialized() ||
2930 	    !(sbsec->flags & SBLABEL_MNT))
2931 		return -EOPNOTSUPP;
2932 
2933 	if (xattr) {
2934 		rc = security_sid_to_context_force(newsid,
2935 						   &context, &clen);
2936 		if (rc)
2937 			return rc;
2938 		xattr->value = context;
2939 		xattr->value_len = clen;
2940 		xattr->name = XATTR_SELINUX_SUFFIX;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
2946 static int selinux_inode_init_security_anon(struct inode *inode,
2947 					    const struct qstr *name,
2948 					    const struct inode *context_inode)
2949 {
2950 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2951 	struct common_audit_data ad;
2952 	struct inode_security_struct *isec;
2953 	int rc;
2954 
2955 	if (unlikely(!selinux_initialized()))
2956 		return 0;
2957 
2958 	isec = selinux_inode(inode);
2959 
2960 	/*
2961 	 * We only get here once per ephemeral inode.  The inode has
2962 	 * been initialized via inode_alloc_security but is otherwise
2963 	 * untouched.
2964 	 */
2965 
2966 	if (context_inode) {
2967 		struct inode_security_struct *context_isec =
2968 			selinux_inode(context_inode);
2969 		if (context_isec->initialized != LABEL_INITIALIZED) {
2970 			pr_err("SELinux:  context_inode is not initialized\n");
2971 			return -EACCES;
2972 		}
2973 
2974 		isec->sclass = context_isec->sclass;
2975 		isec->sid = context_isec->sid;
2976 	} else {
2977 		isec->sclass = SECCLASS_ANON_INODE;
2978 		rc = security_transition_sid(
2979 			tsec->sid, tsec->sid,
2980 			isec->sclass, name, &isec->sid);
2981 		if (rc)
2982 			return rc;
2983 	}
2984 
2985 	isec->initialized = LABEL_INITIALIZED;
2986 	/*
2987 	 * Now that we've initialized security, check whether we're
2988 	 * allowed to actually create this type of anonymous inode.
2989 	 */
2990 
2991 	ad.type = LSM_AUDIT_DATA_ANONINODE;
2992 	ad.u.anonclass = name ? (const char *)name->name : "?";
2993 
2994 	return avc_has_perm(tsec->sid,
2995 			    isec->sid,
2996 			    isec->sclass,
2997 			    FILE__CREATE,
2998 			    &ad);
2999 }
3000 
3001 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3002 {
3003 	return may_create(dir, dentry, SECCLASS_FILE);
3004 }
3005 
3006 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3007 {
3008 	return may_link(dir, old_dentry, MAY_LINK);
3009 }
3010 
3011 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3012 {
3013 	return may_link(dir, dentry, MAY_UNLINK);
3014 }
3015 
3016 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3017 {
3018 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
3019 }
3020 
3021 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3022 {
3023 	return may_create(dir, dentry, SECCLASS_DIR);
3024 }
3025 
3026 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3027 {
3028 	return may_link(dir, dentry, MAY_RMDIR);
3029 }
3030 
3031 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3032 {
3033 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
3034 }
3035 
3036 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3037 				struct inode *new_inode, struct dentry *new_dentry)
3038 {
3039 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3040 }
3041 
3042 static int selinux_inode_readlink(struct dentry *dentry)
3043 {
3044 	const struct cred *cred = current_cred();
3045 
3046 	return dentry_has_perm(cred, dentry, FILE__READ);
3047 }
3048 
3049 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3050 				     bool rcu)
3051 {
3052 	const struct cred *cred = current_cred();
3053 	struct common_audit_data ad;
3054 	struct inode_security_struct *isec;
3055 	u32 sid;
3056 
3057 	ad.type = LSM_AUDIT_DATA_DENTRY;
3058 	ad.u.dentry = dentry;
3059 	sid = cred_sid(cred);
3060 	isec = inode_security_rcu(inode, rcu);
3061 	if (IS_ERR(isec))
3062 		return PTR_ERR(isec);
3063 
3064 	return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3065 }
3066 
3067 static noinline int audit_inode_permission(struct inode *inode,
3068 					   u32 perms, u32 audited, u32 denied,
3069 					   int result)
3070 {
3071 	struct common_audit_data ad;
3072 	struct inode_security_struct *isec = selinux_inode(inode);
3073 
3074 	ad.type = LSM_AUDIT_DATA_INODE;
3075 	ad.u.inode = inode;
3076 
3077 	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3078 			    audited, denied, result, &ad);
3079 }
3080 
3081 static int selinux_inode_permission(struct inode *inode, int mask)
3082 {
3083 	const struct cred *cred = current_cred();
3084 	u32 perms;
3085 	bool from_access;
3086 	bool no_block = mask & MAY_NOT_BLOCK;
3087 	struct inode_security_struct *isec;
3088 	u32 sid;
3089 	struct av_decision avd;
3090 	int rc, rc2;
3091 	u32 audited, denied;
3092 
3093 	from_access = mask & MAY_ACCESS;
3094 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3095 
3096 	/* No permission to check.  Existence test. */
3097 	if (!mask)
3098 		return 0;
3099 
3100 	if (unlikely(IS_PRIVATE(inode)))
3101 		return 0;
3102 
3103 	perms = file_mask_to_av(inode->i_mode, mask);
3104 
3105 	sid = cred_sid(cred);
3106 	isec = inode_security_rcu(inode, no_block);
3107 	if (IS_ERR(isec))
3108 		return PTR_ERR(isec);
3109 
3110 	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3111 				  &avd);
3112 	audited = avc_audit_required(perms, &avd, rc,
3113 				     from_access ? FILE__AUDIT_ACCESS : 0,
3114 				     &denied);
3115 	if (likely(!audited))
3116 		return rc;
3117 
3118 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3119 	if (rc2)
3120 		return rc2;
3121 	return rc;
3122 }
3123 
3124 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125 {
3126 	const struct cred *cred = current_cred();
3127 	struct inode *inode = d_backing_inode(dentry);
3128 	unsigned int ia_valid = iattr->ia_valid;
3129 	__u32 av = FILE__WRITE;
3130 
3131 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132 	if (ia_valid & ATTR_FORCE) {
3133 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134 			      ATTR_FORCE);
3135 		if (!ia_valid)
3136 			return 0;
3137 	}
3138 
3139 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3141 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3142 
3143 	if (selinux_policycap_openperm() &&
3144 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145 	    (ia_valid & ATTR_SIZE) &&
3146 	    !(ia_valid & ATTR_FILE))
3147 		av |= FILE__OPEN;
3148 
3149 	return dentry_has_perm(cred, dentry, av);
3150 }
3151 
3152 static int selinux_inode_getattr(const struct path *path)
3153 {
3154 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3155 }
3156 
3157 static bool has_cap_mac_admin(bool audit)
3158 {
3159 	const struct cred *cred = current_cred();
3160 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3161 
3162 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3163 		return false;
3164 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3165 		return false;
3166 	return true;
3167 }
3168 
3169 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3170 				  struct dentry *dentry, const char *name,
3171 				  const void *value, size_t size, int flags)
3172 {
3173 	struct inode *inode = d_backing_inode(dentry);
3174 	struct inode_security_struct *isec;
3175 	struct superblock_security_struct *sbsec;
3176 	struct common_audit_data ad;
3177 	u32 newsid, sid = current_sid();
3178 	int rc = 0;
3179 
3180 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3181 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182 		if (rc)
3183 			return rc;
3184 
3185 		/* Not an attribute we recognize, so just check the
3186 		   ordinary setattr permission. */
3187 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188 	}
3189 
3190 	if (!selinux_initialized())
3191 		return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3192 
3193 	sbsec = selinux_superblock(inode->i_sb);
3194 	if (!(sbsec->flags & SBLABEL_MNT))
3195 		return -EOPNOTSUPP;
3196 
3197 	if (!inode_owner_or_capable(idmap, inode))
3198 		return -EPERM;
3199 
3200 	ad.type = LSM_AUDIT_DATA_DENTRY;
3201 	ad.u.dentry = dentry;
3202 
3203 	isec = backing_inode_security(dentry);
3204 	rc = avc_has_perm(sid, isec->sid, isec->sclass,
3205 			  FILE__RELABELFROM, &ad);
3206 	if (rc)
3207 		return rc;
3208 
3209 	rc = security_context_to_sid(value, size, &newsid,
3210 				     GFP_KERNEL);
3211 	if (rc == -EINVAL) {
3212 		if (!has_cap_mac_admin(true)) {
3213 			struct audit_buffer *ab;
3214 			size_t audit_size;
3215 
3216 			/* We strip a nul only if it is at the end, otherwise the
3217 			 * context contains a nul and we should audit that */
3218 			if (value) {
3219 				const char *str = value;
3220 
3221 				if (str[size - 1] == '\0')
3222 					audit_size = size - 1;
3223 				else
3224 					audit_size = size;
3225 			} else {
3226 				audit_size = 0;
3227 			}
3228 			ab = audit_log_start(audit_context(),
3229 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3230 			if (!ab)
3231 				return rc;
3232 			audit_log_format(ab, "op=setxattr invalid_context=");
3233 			audit_log_n_untrustedstring(ab, value, audit_size);
3234 			audit_log_end(ab);
3235 
3236 			return rc;
3237 		}
3238 		rc = security_context_to_sid_force(value,
3239 						   size, &newsid);
3240 	}
3241 	if (rc)
3242 		return rc;
3243 
3244 	rc = avc_has_perm(sid, newsid, isec->sclass,
3245 			  FILE__RELABELTO, &ad);
3246 	if (rc)
3247 		return rc;
3248 
3249 	rc = security_validate_transition(isec->sid, newsid,
3250 					  sid, isec->sclass);
3251 	if (rc)
3252 		return rc;
3253 
3254 	return avc_has_perm(newsid,
3255 			    sbsec->sid,
3256 			    SECCLASS_FILESYSTEM,
3257 			    FILESYSTEM__ASSOCIATE,
3258 			    &ad);
3259 }
3260 
3261 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3262 				 struct dentry *dentry, const char *acl_name,
3263 				 struct posix_acl *kacl)
3264 {
3265 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266 }
3267 
3268 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3269 				 struct dentry *dentry, const char *acl_name)
3270 {
3271 	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272 }
3273 
3274 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3275 				    struct dentry *dentry, const char *acl_name)
3276 {
3277 	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278 }
3279 
3280 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3281 					const void *value, size_t size,
3282 					int flags)
3283 {
3284 	struct inode *inode = d_backing_inode(dentry);
3285 	struct inode_security_struct *isec;
3286 	u32 newsid;
3287 	int rc;
3288 
3289 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3290 		/* Not an attribute we recognize, so nothing to do. */
3291 		return;
3292 	}
3293 
3294 	if (!selinux_initialized()) {
3295 		/* If we haven't even been initialized, then we can't validate
3296 		 * against a policy, so leave the label as invalid. It may
3297 		 * resolve to a valid label on the next revalidation try if
3298 		 * we've since initialized.
3299 		 */
3300 		return;
3301 	}
3302 
3303 	rc = security_context_to_sid_force(value, size,
3304 					   &newsid);
3305 	if (rc) {
3306 		pr_err("SELinux:  unable to map context to SID"
3307 		       "for (%s, %lu), rc=%d\n",
3308 		       inode->i_sb->s_id, inode->i_ino, -rc);
3309 		return;
3310 	}
3311 
3312 	isec = backing_inode_security(dentry);
3313 	spin_lock(&isec->lock);
3314 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3315 	isec->sid = newsid;
3316 	isec->initialized = LABEL_INITIALIZED;
3317 	spin_unlock(&isec->lock);
3318 }
3319 
3320 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3321 {
3322 	const struct cred *cred = current_cred();
3323 
3324 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3325 }
3326 
3327 static int selinux_inode_listxattr(struct dentry *dentry)
3328 {
3329 	const struct cred *cred = current_cred();
3330 
3331 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3332 }
3333 
3334 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3335 				     struct dentry *dentry, const char *name)
3336 {
3337 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3338 		int rc = cap_inode_removexattr(idmap, dentry, name);
3339 		if (rc)
3340 			return rc;
3341 
3342 		/* Not an attribute we recognize, so just check the
3343 		   ordinary setattr permission. */
3344 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345 	}
3346 
3347 	if (!selinux_initialized())
3348 		return 0;
3349 
3350 	/* No one is allowed to remove a SELinux security label.
3351 	   You can change the label, but all data must be labeled. */
3352 	return -EACCES;
3353 }
3354 
3355 static int selinux_path_notify(const struct path *path, u64 mask,
3356 						unsigned int obj_type)
3357 {
3358 	int ret;
3359 	u32 perm;
3360 
3361 	struct common_audit_data ad;
3362 
3363 	ad.type = LSM_AUDIT_DATA_PATH;
3364 	ad.u.path = *path;
3365 
3366 	/*
3367 	 * Set permission needed based on the type of mark being set.
3368 	 * Performs an additional check for sb watches.
3369 	 */
3370 	switch (obj_type) {
3371 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372 		perm = FILE__WATCH_MOUNT;
3373 		break;
3374 	case FSNOTIFY_OBJ_TYPE_SB:
3375 		perm = FILE__WATCH_SB;
3376 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377 						FILESYSTEM__WATCH, &ad);
3378 		if (ret)
3379 			return ret;
3380 		break;
3381 	case FSNOTIFY_OBJ_TYPE_INODE:
3382 		perm = FILE__WATCH;
3383 		break;
3384 	default:
3385 		return -EINVAL;
3386 	}
3387 
3388 	/* blocking watches require the file:watch_with_perm permission */
3389 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390 		perm |= FILE__WATCH_WITH_PERM;
3391 
3392 	/* watches on read-like events need the file:watch_reads permission */
3393 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394 		perm |= FILE__WATCH_READS;
3395 
3396 	return path_has_perm(current_cred(), path, perm);
3397 }
3398 
3399 /*
3400  * Copy the inode security context value to the user.
3401  *
3402  * Permission check is handled by selinux_inode_getxattr hook.
3403  */
3404 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3405 				     struct inode *inode, const char *name,
3406 				     void **buffer, bool alloc)
3407 {
3408 	u32 size;
3409 	int error;
3410 	char *context = NULL;
3411 	struct inode_security_struct *isec;
3412 
3413 	/*
3414 	 * If we're not initialized yet, then we can't validate contexts, so
3415 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3416 	 */
3417 	if (!selinux_initialized() ||
3418 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3419 		return -EOPNOTSUPP;
3420 
3421 	/*
3422 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3423 	 * value even if it is not defined by current policy; otherwise,
3424 	 * use the in-core value under current policy.
3425 	 * Use the non-auditing forms of the permission checks since
3426 	 * getxattr may be called by unprivileged processes commonly
3427 	 * and lack of permission just means that we fall back to the
3428 	 * in-core context value, not a denial.
3429 	 */
3430 	isec = inode_security(inode);
3431 	if (has_cap_mac_admin(false))
3432 		error = security_sid_to_context_force(isec->sid, &context,
3433 						      &size);
3434 	else
3435 		error = security_sid_to_context(isec->sid,
3436 						&context, &size);
3437 	if (error)
3438 		return error;
3439 	error = size;
3440 	if (alloc) {
3441 		*buffer = context;
3442 		goto out_nofree;
3443 	}
3444 	kfree(context);
3445 out_nofree:
3446 	return error;
3447 }
3448 
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 				     const void *value, size_t size, int flags)
3451 {
3452 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 	struct superblock_security_struct *sbsec;
3454 	u32 newsid;
3455 	int rc;
3456 
3457 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458 		return -EOPNOTSUPP;
3459 
3460 	sbsec = selinux_superblock(inode->i_sb);
3461 	if (!(sbsec->flags & SBLABEL_MNT))
3462 		return -EOPNOTSUPP;
3463 
3464 	if (!value || !size)
3465 		return -EACCES;
3466 
3467 	rc = security_context_to_sid(value, size, &newsid,
3468 				     GFP_KERNEL);
3469 	if (rc)
3470 		return rc;
3471 
3472 	spin_lock(&isec->lock);
3473 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 	isec->sid = newsid;
3475 	isec->initialized = LABEL_INITIALIZED;
3476 	spin_unlock(&isec->lock);
3477 	return 0;
3478 }
3479 
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 	const int len = sizeof(XATTR_NAME_SELINUX);
3483 
3484 	if (!selinux_initialized())
3485 		return 0;
3486 
3487 	if (buffer && len <= buffer_size)
3488 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3489 	return len;
3490 }
3491 
3492 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3493 {
3494 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3495 	*secid = isec->sid;
3496 }
3497 
3498 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499 {
3500 	u32 sid;
3501 	struct task_security_struct *tsec;
3502 	struct cred *new_creds = *new;
3503 
3504 	if (new_creds == NULL) {
3505 		new_creds = prepare_creds();
3506 		if (!new_creds)
3507 			return -ENOMEM;
3508 	}
3509 
3510 	tsec = selinux_cred(new_creds);
3511 	/* Get label from overlay inode and set it in create_sid */
3512 	selinux_inode_getsecid(d_inode(src), &sid);
3513 	tsec->create_sid = sid;
3514 	*new = new_creds;
3515 	return 0;
3516 }
3517 
3518 static int selinux_inode_copy_up_xattr(const char *name)
3519 {
3520 	/* The copy_up hook above sets the initial context on an inode, but we
3521 	 * don't then want to overwrite it by blindly copying all the lower
3522 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3523 	 */
3524 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525 		return 1; /* Discard */
3526 	/*
3527 	 * Any other attribute apart from SELINUX is not claimed, supported
3528 	 * by selinux.
3529 	 */
3530 	return -EOPNOTSUPP;
3531 }
3532 
3533 /* kernfs node operations */
3534 
3535 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536 					struct kernfs_node *kn)
3537 {
3538 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3539 	u32 parent_sid, newsid, clen;
3540 	int rc;
3541 	char *context;
3542 
3543 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3544 	if (rc == -ENODATA)
3545 		return 0;
3546 	else if (rc < 0)
3547 		return rc;
3548 
3549 	clen = (u32)rc;
3550 	context = kmalloc(clen, GFP_KERNEL);
3551 	if (!context)
3552 		return -ENOMEM;
3553 
3554 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3555 	if (rc < 0) {
3556 		kfree(context);
3557 		return rc;
3558 	}
3559 
3560 	rc = security_context_to_sid(context, clen, &parent_sid,
3561 				     GFP_KERNEL);
3562 	kfree(context);
3563 	if (rc)
3564 		return rc;
3565 
3566 	if (tsec->create_sid) {
3567 		newsid = tsec->create_sid;
3568 	} else {
3569 		u16 secclass = inode_mode_to_security_class(kn->mode);
3570 		struct qstr q;
3571 
3572 		q.name = kn->name;
3573 		q.hash_len = hashlen_string(kn_dir, kn->name);
3574 
3575 		rc = security_transition_sid(tsec->sid,
3576 					     parent_sid, secclass, &q,
3577 					     &newsid);
3578 		if (rc)
3579 			return rc;
3580 	}
3581 
3582 	rc = security_sid_to_context_force(newsid,
3583 					   &context, &clen);
3584 	if (rc)
3585 		return rc;
3586 
3587 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588 			      XATTR_CREATE);
3589 	kfree(context);
3590 	return rc;
3591 }
3592 
3593 
3594 /* file security operations */
3595 
3596 static int selinux_revalidate_file_permission(struct file *file, int mask)
3597 {
3598 	const struct cred *cred = current_cred();
3599 	struct inode *inode = file_inode(file);
3600 
3601 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603 		mask |= MAY_APPEND;
3604 
3605 	return file_has_perm(cred, file,
3606 			     file_mask_to_av(inode->i_mode, mask));
3607 }
3608 
3609 static int selinux_file_permission(struct file *file, int mask)
3610 {
3611 	struct inode *inode = file_inode(file);
3612 	struct file_security_struct *fsec = selinux_file(file);
3613 	struct inode_security_struct *isec;
3614 	u32 sid = current_sid();
3615 
3616 	if (!mask)
3617 		/* No permission to check.  Existence test. */
3618 		return 0;
3619 
3620 	isec = inode_security(inode);
3621 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3622 	    fsec->pseqno == avc_policy_seqno())
3623 		/* No change since file_open check. */
3624 		return 0;
3625 
3626 	return selinux_revalidate_file_permission(file, mask);
3627 }
3628 
3629 static int selinux_file_alloc_security(struct file *file)
3630 {
3631 	struct file_security_struct *fsec = selinux_file(file);
3632 	u32 sid = current_sid();
3633 
3634 	fsec->sid = sid;
3635 	fsec->fown_sid = sid;
3636 
3637 	return 0;
3638 }
3639 
3640 /*
3641  * Check whether a task has the ioctl permission and cmd
3642  * operation to an inode.
3643  */
3644 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3645 		u32 requested, u16 cmd)
3646 {
3647 	struct common_audit_data ad;
3648 	struct file_security_struct *fsec = selinux_file(file);
3649 	struct inode *inode = file_inode(file);
3650 	struct inode_security_struct *isec;
3651 	struct lsm_ioctlop_audit ioctl;
3652 	u32 ssid = cred_sid(cred);
3653 	int rc;
3654 	u8 driver = cmd >> 8;
3655 	u8 xperm = cmd & 0xff;
3656 
3657 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658 	ad.u.op = &ioctl;
3659 	ad.u.op->cmd = cmd;
3660 	ad.u.op->path = file->f_path;
3661 
3662 	if (ssid != fsec->sid) {
3663 		rc = avc_has_perm(ssid, fsec->sid,
3664 				SECCLASS_FD,
3665 				FD__USE,
3666 				&ad);
3667 		if (rc)
3668 			goto out;
3669 	}
3670 
3671 	if (unlikely(IS_PRIVATE(inode)))
3672 		return 0;
3673 
3674 	isec = inode_security(inode);
3675 	rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3676 				    requested, driver, xperm, &ad);
3677 out:
3678 	return rc;
3679 }
3680 
3681 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 			      unsigned long arg)
3683 {
3684 	const struct cred *cred = current_cred();
3685 	int error = 0;
3686 
3687 	switch (cmd) {
3688 	case FIONREAD:
3689 	case FIBMAP:
3690 	case FIGETBSZ:
3691 	case FS_IOC_GETFLAGS:
3692 	case FS_IOC_GETVERSION:
3693 		error = file_has_perm(cred, file, FILE__GETATTR);
3694 		break;
3695 
3696 	case FS_IOC_SETFLAGS:
3697 	case FS_IOC_SETVERSION:
3698 		error = file_has_perm(cred, file, FILE__SETATTR);
3699 		break;
3700 
3701 	/* sys_ioctl() checks */
3702 	case FIONBIO:
3703 	case FIOASYNC:
3704 		error = file_has_perm(cred, file, 0);
3705 		break;
3706 
3707 	case KDSKBENT:
3708 	case KDSKBSENT:
3709 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3710 					    CAP_OPT_NONE, true);
3711 		break;
3712 
3713 	case FIOCLEX:
3714 	case FIONCLEX:
3715 		if (!selinux_policycap_ioctl_skip_cloexec())
3716 			error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717 		break;
3718 
3719 	/* default case assumes that the command will go
3720 	 * to the file's ioctl() function.
3721 	 */
3722 	default:
3723 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724 	}
3725 	return error;
3726 }
3727 
3728 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3729 			      unsigned long arg)
3730 {
3731 	/*
3732 	 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3733 	 * make sure we don't compare 32-bit flags to 64-bit flags.
3734 	 */
3735 	switch (cmd) {
3736 	case FS_IOC32_GETFLAGS:
3737 		cmd = FS_IOC_GETFLAGS;
3738 		break;
3739 	case FS_IOC32_SETFLAGS:
3740 		cmd = FS_IOC_SETFLAGS;
3741 		break;
3742 	case FS_IOC32_GETVERSION:
3743 		cmd = FS_IOC_GETVERSION;
3744 		break;
3745 	case FS_IOC32_SETVERSION:
3746 		cmd = FS_IOC_SETVERSION;
3747 		break;
3748 	default:
3749 		break;
3750 	}
3751 
3752 	return selinux_file_ioctl(file, cmd, arg);
3753 }
3754 
3755 static int default_noexec __ro_after_init;
3756 
3757 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3758 {
3759 	const struct cred *cred = current_cred();
3760 	u32 sid = cred_sid(cred);
3761 	int rc = 0;
3762 
3763 	if (default_noexec &&
3764 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3765 				   (!shared && (prot & PROT_WRITE)))) {
3766 		/*
3767 		 * We are making executable an anonymous mapping or a
3768 		 * private file mapping that will also be writable.
3769 		 * This has an additional check.
3770 		 */
3771 		rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3772 				  PROCESS__EXECMEM, NULL);
3773 		if (rc)
3774 			goto error;
3775 	}
3776 
3777 	if (file) {
3778 		/* read access is always possible with a mapping */
3779 		u32 av = FILE__READ;
3780 
3781 		/* write access only matters if the mapping is shared */
3782 		if (shared && (prot & PROT_WRITE))
3783 			av |= FILE__WRITE;
3784 
3785 		if (prot & PROT_EXEC)
3786 			av |= FILE__EXECUTE;
3787 
3788 		return file_has_perm(cred, file, av);
3789 	}
3790 
3791 error:
3792 	return rc;
3793 }
3794 
3795 static int selinux_mmap_addr(unsigned long addr)
3796 {
3797 	int rc = 0;
3798 
3799 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3800 		u32 sid = current_sid();
3801 		rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3802 				  MEMPROTECT__MMAP_ZERO, NULL);
3803 	}
3804 
3805 	return rc;
3806 }
3807 
3808 static int selinux_mmap_file(struct file *file,
3809 			     unsigned long reqprot __always_unused,
3810 			     unsigned long prot, unsigned long flags)
3811 {
3812 	struct common_audit_data ad;
3813 	int rc;
3814 
3815 	if (file) {
3816 		ad.type = LSM_AUDIT_DATA_FILE;
3817 		ad.u.file = file;
3818 		rc = inode_has_perm(current_cred(), file_inode(file),
3819 				    FILE__MAP, &ad);
3820 		if (rc)
3821 			return rc;
3822 	}
3823 
3824 	return file_map_prot_check(file, prot,
3825 				   (flags & MAP_TYPE) == MAP_SHARED);
3826 }
3827 
3828 static int selinux_file_mprotect(struct vm_area_struct *vma,
3829 				 unsigned long reqprot __always_unused,
3830 				 unsigned long prot)
3831 {
3832 	const struct cred *cred = current_cred();
3833 	u32 sid = cred_sid(cred);
3834 
3835 	if (default_noexec &&
3836 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3837 		int rc = 0;
3838 		if (vma_is_initial_heap(vma)) {
3839 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3840 					  PROCESS__EXECHEAP, NULL);
3841 		} else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3842 			    vma_is_stack_for_current(vma))) {
3843 			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3844 					  PROCESS__EXECSTACK, NULL);
3845 		} else if (vma->vm_file && vma->anon_vma) {
3846 			/*
3847 			 * We are making executable a file mapping that has
3848 			 * had some COW done. Since pages might have been
3849 			 * written, check ability to execute the possibly
3850 			 * modified content.  This typically should only
3851 			 * occur for text relocations.
3852 			 */
3853 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3854 		}
3855 		if (rc)
3856 			return rc;
3857 	}
3858 
3859 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3860 }
3861 
3862 static int selinux_file_lock(struct file *file, unsigned int cmd)
3863 {
3864 	const struct cred *cred = current_cred();
3865 
3866 	return file_has_perm(cred, file, FILE__LOCK);
3867 }
3868 
3869 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3870 			      unsigned long arg)
3871 {
3872 	const struct cred *cred = current_cred();
3873 	int err = 0;
3874 
3875 	switch (cmd) {
3876 	case F_SETFL:
3877 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3878 			err = file_has_perm(cred, file, FILE__WRITE);
3879 			break;
3880 		}
3881 		fallthrough;
3882 	case F_SETOWN:
3883 	case F_SETSIG:
3884 	case F_GETFL:
3885 	case F_GETOWN:
3886 	case F_GETSIG:
3887 	case F_GETOWNER_UIDS:
3888 		/* Just check FD__USE permission */
3889 		err = file_has_perm(cred, file, 0);
3890 		break;
3891 	case F_GETLK:
3892 	case F_SETLK:
3893 	case F_SETLKW:
3894 	case F_OFD_GETLK:
3895 	case F_OFD_SETLK:
3896 	case F_OFD_SETLKW:
3897 #if BITS_PER_LONG == 32
3898 	case F_GETLK64:
3899 	case F_SETLK64:
3900 	case F_SETLKW64:
3901 #endif
3902 		err = file_has_perm(cred, file, FILE__LOCK);
3903 		break;
3904 	}
3905 
3906 	return err;
3907 }
3908 
3909 static void selinux_file_set_fowner(struct file *file)
3910 {
3911 	struct file_security_struct *fsec;
3912 
3913 	fsec = selinux_file(file);
3914 	fsec->fown_sid = current_sid();
3915 }
3916 
3917 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3918 				       struct fown_struct *fown, int signum)
3919 {
3920 	struct file *file;
3921 	u32 sid = task_sid_obj(tsk);
3922 	u32 perm;
3923 	struct file_security_struct *fsec;
3924 
3925 	/* struct fown_struct is never outside the context of a struct file */
3926 	file = container_of(fown, struct file, f_owner);
3927 
3928 	fsec = selinux_file(file);
3929 
3930 	if (!signum)
3931 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3932 	else
3933 		perm = signal_to_av(signum);
3934 
3935 	return avc_has_perm(fsec->fown_sid, sid,
3936 			    SECCLASS_PROCESS, perm, NULL);
3937 }
3938 
3939 static int selinux_file_receive(struct file *file)
3940 {
3941 	const struct cred *cred = current_cred();
3942 
3943 	return file_has_perm(cred, file, file_to_av(file));
3944 }
3945 
3946 static int selinux_file_open(struct file *file)
3947 {
3948 	struct file_security_struct *fsec;
3949 	struct inode_security_struct *isec;
3950 
3951 	fsec = selinux_file(file);
3952 	isec = inode_security(file_inode(file));
3953 	/*
3954 	 * Save inode label and policy sequence number
3955 	 * at open-time so that selinux_file_permission
3956 	 * can determine whether revalidation is necessary.
3957 	 * Task label is already saved in the file security
3958 	 * struct as its SID.
3959 	 */
3960 	fsec->isid = isec->sid;
3961 	fsec->pseqno = avc_policy_seqno();
3962 	/*
3963 	 * Since the inode label or policy seqno may have changed
3964 	 * between the selinux_inode_permission check and the saving
3965 	 * of state above, recheck that access is still permitted.
3966 	 * Otherwise, access might never be revalidated against the
3967 	 * new inode label or new policy.
3968 	 * This check is not redundant - do not remove.
3969 	 */
3970 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3971 }
3972 
3973 /* task security operations */
3974 
3975 static int selinux_task_alloc(struct task_struct *task,
3976 			      unsigned long clone_flags)
3977 {
3978 	u32 sid = current_sid();
3979 
3980 	return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3981 }
3982 
3983 /*
3984  * prepare a new set of credentials for modification
3985  */
3986 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3987 				gfp_t gfp)
3988 {
3989 	const struct task_security_struct *old_tsec = selinux_cred(old);
3990 	struct task_security_struct *tsec = selinux_cred(new);
3991 
3992 	*tsec = *old_tsec;
3993 	return 0;
3994 }
3995 
3996 /*
3997  * transfer the SELinux data to a blank set of creds
3998  */
3999 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4000 {
4001 	const struct task_security_struct *old_tsec = selinux_cred(old);
4002 	struct task_security_struct *tsec = selinux_cred(new);
4003 
4004 	*tsec = *old_tsec;
4005 }
4006 
4007 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4008 {
4009 	*secid = cred_sid(c);
4010 }
4011 
4012 /*
4013  * set the security data for a kernel service
4014  * - all the creation contexts are set to unlabelled
4015  */
4016 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4017 {
4018 	struct task_security_struct *tsec = selinux_cred(new);
4019 	u32 sid = current_sid();
4020 	int ret;
4021 
4022 	ret = avc_has_perm(sid, secid,
4023 			   SECCLASS_KERNEL_SERVICE,
4024 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
4025 			   NULL);
4026 	if (ret == 0) {
4027 		tsec->sid = secid;
4028 		tsec->create_sid = 0;
4029 		tsec->keycreate_sid = 0;
4030 		tsec->sockcreate_sid = 0;
4031 	}
4032 	return ret;
4033 }
4034 
4035 /*
4036  * set the file creation context in a security record to the same as the
4037  * objective context of the specified inode
4038  */
4039 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4040 {
4041 	struct inode_security_struct *isec = inode_security(inode);
4042 	struct task_security_struct *tsec = selinux_cred(new);
4043 	u32 sid = current_sid();
4044 	int ret;
4045 
4046 	ret = avc_has_perm(sid, isec->sid,
4047 			   SECCLASS_KERNEL_SERVICE,
4048 			   KERNEL_SERVICE__CREATE_FILES_AS,
4049 			   NULL);
4050 
4051 	if (ret == 0)
4052 		tsec->create_sid = isec->sid;
4053 	return ret;
4054 }
4055 
4056 static int selinux_kernel_module_request(char *kmod_name)
4057 {
4058 	struct common_audit_data ad;
4059 
4060 	ad.type = LSM_AUDIT_DATA_KMOD;
4061 	ad.u.kmod_name = kmod_name;
4062 
4063 	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4064 			    SYSTEM__MODULE_REQUEST, &ad);
4065 }
4066 
4067 static int selinux_kernel_module_from_file(struct file *file)
4068 {
4069 	struct common_audit_data ad;
4070 	struct inode_security_struct *isec;
4071 	struct file_security_struct *fsec;
4072 	u32 sid = current_sid();
4073 	int rc;
4074 
4075 	/* init_module */
4076 	if (file == NULL)
4077 		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4078 					SYSTEM__MODULE_LOAD, NULL);
4079 
4080 	/* finit_module */
4081 
4082 	ad.type = LSM_AUDIT_DATA_FILE;
4083 	ad.u.file = file;
4084 
4085 	fsec = selinux_file(file);
4086 	if (sid != fsec->sid) {
4087 		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4088 		if (rc)
4089 			return rc;
4090 	}
4091 
4092 	isec = inode_security(file_inode(file));
4093 	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4094 				SYSTEM__MODULE_LOAD, &ad);
4095 }
4096 
4097 static int selinux_kernel_read_file(struct file *file,
4098 				    enum kernel_read_file_id id,
4099 				    bool contents)
4100 {
4101 	int rc = 0;
4102 
4103 	switch (id) {
4104 	case READING_MODULE:
4105 		rc = selinux_kernel_module_from_file(contents ? file : NULL);
4106 		break;
4107 	default:
4108 		break;
4109 	}
4110 
4111 	return rc;
4112 }
4113 
4114 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4115 {
4116 	int rc = 0;
4117 
4118 	switch (id) {
4119 	case LOADING_MODULE:
4120 		rc = selinux_kernel_module_from_file(NULL);
4121 		break;
4122 	default:
4123 		break;
4124 	}
4125 
4126 	return rc;
4127 }
4128 
4129 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4130 {
4131 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4132 			    PROCESS__SETPGID, NULL);
4133 }
4134 
4135 static int selinux_task_getpgid(struct task_struct *p)
4136 {
4137 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4138 			    PROCESS__GETPGID, NULL);
4139 }
4140 
4141 static int selinux_task_getsid(struct task_struct *p)
4142 {
4143 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4144 			    PROCESS__GETSESSION, NULL);
4145 }
4146 
4147 static void selinux_current_getsecid_subj(u32 *secid)
4148 {
4149 	*secid = current_sid();
4150 }
4151 
4152 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4153 {
4154 	*secid = task_sid_obj(p);
4155 }
4156 
4157 static int selinux_task_setnice(struct task_struct *p, int nice)
4158 {
4159 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4160 			    PROCESS__SETSCHED, NULL);
4161 }
4162 
4163 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4164 {
4165 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4166 			    PROCESS__SETSCHED, NULL);
4167 }
4168 
4169 static int selinux_task_getioprio(struct task_struct *p)
4170 {
4171 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4172 			    PROCESS__GETSCHED, NULL);
4173 }
4174 
4175 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4176 				unsigned int flags)
4177 {
4178 	u32 av = 0;
4179 
4180 	if (!flags)
4181 		return 0;
4182 	if (flags & LSM_PRLIMIT_WRITE)
4183 		av |= PROCESS__SETRLIMIT;
4184 	if (flags & LSM_PRLIMIT_READ)
4185 		av |= PROCESS__GETRLIMIT;
4186 	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4187 			    SECCLASS_PROCESS, av, NULL);
4188 }
4189 
4190 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4191 		struct rlimit *new_rlim)
4192 {
4193 	struct rlimit *old_rlim = p->signal->rlim + resource;
4194 
4195 	/* Control the ability to change the hard limit (whether
4196 	   lowering or raising it), so that the hard limit can
4197 	   later be used as a safe reset point for the soft limit
4198 	   upon context transitions.  See selinux_bprm_committing_creds. */
4199 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4200 		return avc_has_perm(current_sid(), task_sid_obj(p),
4201 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4202 
4203 	return 0;
4204 }
4205 
4206 static int selinux_task_setscheduler(struct task_struct *p)
4207 {
4208 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4209 			    PROCESS__SETSCHED, NULL);
4210 }
4211 
4212 static int selinux_task_getscheduler(struct task_struct *p)
4213 {
4214 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4215 			    PROCESS__GETSCHED, NULL);
4216 }
4217 
4218 static int selinux_task_movememory(struct task_struct *p)
4219 {
4220 	return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4221 			    PROCESS__SETSCHED, NULL);
4222 }
4223 
4224 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4225 				int sig, const struct cred *cred)
4226 {
4227 	u32 secid;
4228 	u32 perm;
4229 
4230 	if (!sig)
4231 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4232 	else
4233 		perm = signal_to_av(sig);
4234 	if (!cred)
4235 		secid = current_sid();
4236 	else
4237 		secid = cred_sid(cred);
4238 	return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4239 }
4240 
4241 static void selinux_task_to_inode(struct task_struct *p,
4242 				  struct inode *inode)
4243 {
4244 	struct inode_security_struct *isec = selinux_inode(inode);
4245 	u32 sid = task_sid_obj(p);
4246 
4247 	spin_lock(&isec->lock);
4248 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4249 	isec->sid = sid;
4250 	isec->initialized = LABEL_INITIALIZED;
4251 	spin_unlock(&isec->lock);
4252 }
4253 
4254 static int selinux_userns_create(const struct cred *cred)
4255 {
4256 	u32 sid = current_sid();
4257 
4258 	return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4259 			USER_NAMESPACE__CREATE, NULL);
4260 }
4261 
4262 /* Returns error only if unable to parse addresses */
4263 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4264 			struct common_audit_data *ad, u8 *proto)
4265 {
4266 	int offset, ihlen, ret = -EINVAL;
4267 	struct iphdr _iph, *ih;
4268 
4269 	offset = skb_network_offset(skb);
4270 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4271 	if (ih == NULL)
4272 		goto out;
4273 
4274 	ihlen = ih->ihl * 4;
4275 	if (ihlen < sizeof(_iph))
4276 		goto out;
4277 
4278 	ad->u.net->v4info.saddr = ih->saddr;
4279 	ad->u.net->v4info.daddr = ih->daddr;
4280 	ret = 0;
4281 
4282 	if (proto)
4283 		*proto = ih->protocol;
4284 
4285 	switch (ih->protocol) {
4286 	case IPPROTO_TCP: {
4287 		struct tcphdr _tcph, *th;
4288 
4289 		if (ntohs(ih->frag_off) & IP_OFFSET)
4290 			break;
4291 
4292 		offset += ihlen;
4293 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4294 		if (th == NULL)
4295 			break;
4296 
4297 		ad->u.net->sport = th->source;
4298 		ad->u.net->dport = th->dest;
4299 		break;
4300 	}
4301 
4302 	case IPPROTO_UDP: {
4303 		struct udphdr _udph, *uh;
4304 
4305 		if (ntohs(ih->frag_off) & IP_OFFSET)
4306 			break;
4307 
4308 		offset += ihlen;
4309 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4310 		if (uh == NULL)
4311 			break;
4312 
4313 		ad->u.net->sport = uh->source;
4314 		ad->u.net->dport = uh->dest;
4315 		break;
4316 	}
4317 
4318 	case IPPROTO_DCCP: {
4319 		struct dccp_hdr _dccph, *dh;
4320 
4321 		if (ntohs(ih->frag_off) & IP_OFFSET)
4322 			break;
4323 
4324 		offset += ihlen;
4325 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4326 		if (dh == NULL)
4327 			break;
4328 
4329 		ad->u.net->sport = dh->dccph_sport;
4330 		ad->u.net->dport = dh->dccph_dport;
4331 		break;
4332 	}
4333 
4334 #if IS_ENABLED(CONFIG_IP_SCTP)
4335 	case IPPROTO_SCTP: {
4336 		struct sctphdr _sctph, *sh;
4337 
4338 		if (ntohs(ih->frag_off) & IP_OFFSET)
4339 			break;
4340 
4341 		offset += ihlen;
4342 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4343 		if (sh == NULL)
4344 			break;
4345 
4346 		ad->u.net->sport = sh->source;
4347 		ad->u.net->dport = sh->dest;
4348 		break;
4349 	}
4350 #endif
4351 	default:
4352 		break;
4353 	}
4354 out:
4355 	return ret;
4356 }
4357 
4358 #if IS_ENABLED(CONFIG_IPV6)
4359 
4360 /* Returns error only if unable to parse addresses */
4361 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4362 			struct common_audit_data *ad, u8 *proto)
4363 {
4364 	u8 nexthdr;
4365 	int ret = -EINVAL, offset;
4366 	struct ipv6hdr _ipv6h, *ip6;
4367 	__be16 frag_off;
4368 
4369 	offset = skb_network_offset(skb);
4370 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4371 	if (ip6 == NULL)
4372 		goto out;
4373 
4374 	ad->u.net->v6info.saddr = ip6->saddr;
4375 	ad->u.net->v6info.daddr = ip6->daddr;
4376 	ret = 0;
4377 
4378 	nexthdr = ip6->nexthdr;
4379 	offset += sizeof(_ipv6h);
4380 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4381 	if (offset < 0)
4382 		goto out;
4383 
4384 	if (proto)
4385 		*proto = nexthdr;
4386 
4387 	switch (nexthdr) {
4388 	case IPPROTO_TCP: {
4389 		struct tcphdr _tcph, *th;
4390 
4391 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4392 		if (th == NULL)
4393 			break;
4394 
4395 		ad->u.net->sport = th->source;
4396 		ad->u.net->dport = th->dest;
4397 		break;
4398 	}
4399 
4400 	case IPPROTO_UDP: {
4401 		struct udphdr _udph, *uh;
4402 
4403 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4404 		if (uh == NULL)
4405 			break;
4406 
4407 		ad->u.net->sport = uh->source;
4408 		ad->u.net->dport = uh->dest;
4409 		break;
4410 	}
4411 
4412 	case IPPROTO_DCCP: {
4413 		struct dccp_hdr _dccph, *dh;
4414 
4415 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4416 		if (dh == NULL)
4417 			break;
4418 
4419 		ad->u.net->sport = dh->dccph_sport;
4420 		ad->u.net->dport = dh->dccph_dport;
4421 		break;
4422 	}
4423 
4424 #if IS_ENABLED(CONFIG_IP_SCTP)
4425 	case IPPROTO_SCTP: {
4426 		struct sctphdr _sctph, *sh;
4427 
4428 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4429 		if (sh == NULL)
4430 			break;
4431 
4432 		ad->u.net->sport = sh->source;
4433 		ad->u.net->dport = sh->dest;
4434 		break;
4435 	}
4436 #endif
4437 	/* includes fragments */
4438 	default:
4439 		break;
4440 	}
4441 out:
4442 	return ret;
4443 }
4444 
4445 #endif /* IPV6 */
4446 
4447 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4448 			     char **_addrp, int src, u8 *proto)
4449 {
4450 	char *addrp;
4451 	int ret;
4452 
4453 	switch (ad->u.net->family) {
4454 	case PF_INET:
4455 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4456 		if (ret)
4457 			goto parse_error;
4458 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4459 				       &ad->u.net->v4info.daddr);
4460 		goto okay;
4461 
4462 #if IS_ENABLED(CONFIG_IPV6)
4463 	case PF_INET6:
4464 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4465 		if (ret)
4466 			goto parse_error;
4467 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4468 				       &ad->u.net->v6info.daddr);
4469 		goto okay;
4470 #endif	/* IPV6 */
4471 	default:
4472 		addrp = NULL;
4473 		goto okay;
4474 	}
4475 
4476 parse_error:
4477 	pr_warn(
4478 	       "SELinux: failure in selinux_parse_skb(),"
4479 	       " unable to parse packet\n");
4480 	return ret;
4481 
4482 okay:
4483 	if (_addrp)
4484 		*_addrp = addrp;
4485 	return 0;
4486 }
4487 
4488 /**
4489  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4490  * @skb: the packet
4491  * @family: protocol family
4492  * @sid: the packet's peer label SID
4493  *
4494  * Description:
4495  * Check the various different forms of network peer labeling and determine
4496  * the peer label/SID for the packet; most of the magic actually occurs in
4497  * the security server function security_net_peersid_cmp().  The function
4498  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4499  * or -EACCES if @sid is invalid due to inconsistencies with the different
4500  * peer labels.
4501  *
4502  */
4503 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4504 {
4505 	int err;
4506 	u32 xfrm_sid;
4507 	u32 nlbl_sid;
4508 	u32 nlbl_type;
4509 
4510 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4511 	if (unlikely(err))
4512 		return -EACCES;
4513 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4514 	if (unlikely(err))
4515 		return -EACCES;
4516 
4517 	err = security_net_peersid_resolve(nlbl_sid,
4518 					   nlbl_type, xfrm_sid, sid);
4519 	if (unlikely(err)) {
4520 		pr_warn(
4521 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4522 		       " unable to determine packet's peer label\n");
4523 		return -EACCES;
4524 	}
4525 
4526 	return 0;
4527 }
4528 
4529 /**
4530  * selinux_conn_sid - Determine the child socket label for a connection
4531  * @sk_sid: the parent socket's SID
4532  * @skb_sid: the packet's SID
4533  * @conn_sid: the resulting connection SID
4534  *
4535  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4536  * combined with the MLS information from @skb_sid in order to create
4537  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4538  * of @sk_sid.  Returns zero on success, negative values on failure.
4539  *
4540  */
4541 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4542 {
4543 	int err = 0;
4544 
4545 	if (skb_sid != SECSID_NULL)
4546 		err = security_sid_mls_copy(sk_sid, skb_sid,
4547 					    conn_sid);
4548 	else
4549 		*conn_sid = sk_sid;
4550 
4551 	return err;
4552 }
4553 
4554 /* socket security operations */
4555 
4556 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4557 				 u16 secclass, u32 *socksid)
4558 {
4559 	if (tsec->sockcreate_sid > SECSID_NULL) {
4560 		*socksid = tsec->sockcreate_sid;
4561 		return 0;
4562 	}
4563 
4564 	return security_transition_sid(tsec->sid, tsec->sid,
4565 				       secclass, NULL, socksid);
4566 }
4567 
4568 static int sock_has_perm(struct sock *sk, u32 perms)
4569 {
4570 	struct sk_security_struct *sksec = sk->sk_security;
4571 	struct common_audit_data ad;
4572 	struct lsm_network_audit net;
4573 
4574 	if (sksec->sid == SECINITSID_KERNEL)
4575 		return 0;
4576 
4577 	ad_net_init_from_sk(&ad, &net, sk);
4578 
4579 	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4580 			    &ad);
4581 }
4582 
4583 static int selinux_socket_create(int family, int type,
4584 				 int protocol, int kern)
4585 {
4586 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4587 	u32 newsid;
4588 	u16 secclass;
4589 	int rc;
4590 
4591 	if (kern)
4592 		return 0;
4593 
4594 	secclass = socket_type_to_security_class(family, type, protocol);
4595 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4596 	if (rc)
4597 		return rc;
4598 
4599 	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4600 }
4601 
4602 static int selinux_socket_post_create(struct socket *sock, int family,
4603 				      int type, int protocol, int kern)
4604 {
4605 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4606 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4607 	struct sk_security_struct *sksec;
4608 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4609 	u32 sid = SECINITSID_KERNEL;
4610 	int err = 0;
4611 
4612 	if (!kern) {
4613 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4614 		if (err)
4615 			return err;
4616 	}
4617 
4618 	isec->sclass = sclass;
4619 	isec->sid = sid;
4620 	isec->initialized = LABEL_INITIALIZED;
4621 
4622 	if (sock->sk) {
4623 		sksec = sock->sk->sk_security;
4624 		sksec->sclass = sclass;
4625 		sksec->sid = sid;
4626 		/* Allows detection of the first association on this socket */
4627 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4628 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4629 
4630 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4631 	}
4632 
4633 	return err;
4634 }
4635 
4636 static int selinux_socket_socketpair(struct socket *socka,
4637 				     struct socket *sockb)
4638 {
4639 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4640 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4641 
4642 	sksec_a->peer_sid = sksec_b->sid;
4643 	sksec_b->peer_sid = sksec_a->sid;
4644 
4645 	return 0;
4646 }
4647 
4648 /* Range of port numbers used to automatically bind.
4649    Need to determine whether we should perform a name_bind
4650    permission check between the socket and the port number. */
4651 
4652 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4653 {
4654 	struct sock *sk = sock->sk;
4655 	struct sk_security_struct *sksec = sk->sk_security;
4656 	u16 family;
4657 	int err;
4658 
4659 	err = sock_has_perm(sk, SOCKET__BIND);
4660 	if (err)
4661 		goto out;
4662 
4663 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4664 	family = sk->sk_family;
4665 	if (family == PF_INET || family == PF_INET6) {
4666 		char *addrp;
4667 		struct common_audit_data ad;
4668 		struct lsm_network_audit net = {0,};
4669 		struct sockaddr_in *addr4 = NULL;
4670 		struct sockaddr_in6 *addr6 = NULL;
4671 		u16 family_sa;
4672 		unsigned short snum;
4673 		u32 sid, node_perm;
4674 
4675 		/*
4676 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4677 		 * that validates multiple binding addresses. Because of this
4678 		 * need to check address->sa_family as it is possible to have
4679 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4680 		 */
4681 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4682 			return -EINVAL;
4683 		family_sa = address->sa_family;
4684 		switch (family_sa) {
4685 		case AF_UNSPEC:
4686 		case AF_INET:
4687 			if (addrlen < sizeof(struct sockaddr_in))
4688 				return -EINVAL;
4689 			addr4 = (struct sockaddr_in *)address;
4690 			if (family_sa == AF_UNSPEC) {
4691 				if (family == PF_INET6) {
4692 					/* Length check from inet6_bind_sk() */
4693 					if (addrlen < SIN6_LEN_RFC2133)
4694 						return -EINVAL;
4695 					/* Family check from __inet6_bind() */
4696 					goto err_af;
4697 				}
4698 				/* see __inet_bind(), we only want to allow
4699 				 * AF_UNSPEC if the address is INADDR_ANY
4700 				 */
4701 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4702 					goto err_af;
4703 				family_sa = AF_INET;
4704 			}
4705 			snum = ntohs(addr4->sin_port);
4706 			addrp = (char *)&addr4->sin_addr.s_addr;
4707 			break;
4708 		case AF_INET6:
4709 			if (addrlen < SIN6_LEN_RFC2133)
4710 				return -EINVAL;
4711 			addr6 = (struct sockaddr_in6 *)address;
4712 			snum = ntohs(addr6->sin6_port);
4713 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4714 			break;
4715 		default:
4716 			goto err_af;
4717 		}
4718 
4719 		ad.type = LSM_AUDIT_DATA_NET;
4720 		ad.u.net = &net;
4721 		ad.u.net->sport = htons(snum);
4722 		ad.u.net->family = family_sa;
4723 
4724 		if (snum) {
4725 			int low, high;
4726 
4727 			inet_get_local_port_range(sock_net(sk), &low, &high);
4728 
4729 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4730 			    snum < low || snum > high) {
4731 				err = sel_netport_sid(sk->sk_protocol,
4732 						      snum, &sid);
4733 				if (err)
4734 					goto out;
4735 				err = avc_has_perm(sksec->sid, sid,
4736 						   sksec->sclass,
4737 						   SOCKET__NAME_BIND, &ad);
4738 				if (err)
4739 					goto out;
4740 			}
4741 		}
4742 
4743 		switch (sksec->sclass) {
4744 		case SECCLASS_TCP_SOCKET:
4745 			node_perm = TCP_SOCKET__NODE_BIND;
4746 			break;
4747 
4748 		case SECCLASS_UDP_SOCKET:
4749 			node_perm = UDP_SOCKET__NODE_BIND;
4750 			break;
4751 
4752 		case SECCLASS_DCCP_SOCKET:
4753 			node_perm = DCCP_SOCKET__NODE_BIND;
4754 			break;
4755 
4756 		case SECCLASS_SCTP_SOCKET:
4757 			node_perm = SCTP_SOCKET__NODE_BIND;
4758 			break;
4759 
4760 		default:
4761 			node_perm = RAWIP_SOCKET__NODE_BIND;
4762 			break;
4763 		}
4764 
4765 		err = sel_netnode_sid(addrp, family_sa, &sid);
4766 		if (err)
4767 			goto out;
4768 
4769 		if (family_sa == AF_INET)
4770 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4771 		else
4772 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4773 
4774 		err = avc_has_perm(sksec->sid, sid,
4775 				   sksec->sclass, node_perm, &ad);
4776 		if (err)
4777 			goto out;
4778 	}
4779 out:
4780 	return err;
4781 err_af:
4782 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4783 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4784 		return -EINVAL;
4785 	return -EAFNOSUPPORT;
4786 }
4787 
4788 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4789  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4790  */
4791 static int selinux_socket_connect_helper(struct socket *sock,
4792 					 struct sockaddr *address, int addrlen)
4793 {
4794 	struct sock *sk = sock->sk;
4795 	struct sk_security_struct *sksec = sk->sk_security;
4796 	int err;
4797 
4798 	err = sock_has_perm(sk, SOCKET__CONNECT);
4799 	if (err)
4800 		return err;
4801 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4802 		return -EINVAL;
4803 
4804 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4805 	 * way to disconnect the socket
4806 	 */
4807 	if (address->sa_family == AF_UNSPEC)
4808 		return 0;
4809 
4810 	/*
4811 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4812 	 * for the port.
4813 	 */
4814 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4815 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4816 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4817 		struct common_audit_data ad;
4818 		struct lsm_network_audit net = {0,};
4819 		struct sockaddr_in *addr4 = NULL;
4820 		struct sockaddr_in6 *addr6 = NULL;
4821 		unsigned short snum;
4822 		u32 sid, perm;
4823 
4824 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4825 		 * that validates multiple connect addresses. Because of this
4826 		 * need to check address->sa_family as it is possible to have
4827 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4828 		 */
4829 		switch (address->sa_family) {
4830 		case AF_INET:
4831 			addr4 = (struct sockaddr_in *)address;
4832 			if (addrlen < sizeof(struct sockaddr_in))
4833 				return -EINVAL;
4834 			snum = ntohs(addr4->sin_port);
4835 			break;
4836 		case AF_INET6:
4837 			addr6 = (struct sockaddr_in6 *)address;
4838 			if (addrlen < SIN6_LEN_RFC2133)
4839 				return -EINVAL;
4840 			snum = ntohs(addr6->sin6_port);
4841 			break;
4842 		default:
4843 			/* Note that SCTP services expect -EINVAL, whereas
4844 			 * others expect -EAFNOSUPPORT.
4845 			 */
4846 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4847 				return -EINVAL;
4848 			else
4849 				return -EAFNOSUPPORT;
4850 		}
4851 
4852 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4853 		if (err)
4854 			return err;
4855 
4856 		switch (sksec->sclass) {
4857 		case SECCLASS_TCP_SOCKET:
4858 			perm = TCP_SOCKET__NAME_CONNECT;
4859 			break;
4860 		case SECCLASS_DCCP_SOCKET:
4861 			perm = DCCP_SOCKET__NAME_CONNECT;
4862 			break;
4863 		case SECCLASS_SCTP_SOCKET:
4864 			perm = SCTP_SOCKET__NAME_CONNECT;
4865 			break;
4866 		}
4867 
4868 		ad.type = LSM_AUDIT_DATA_NET;
4869 		ad.u.net = &net;
4870 		ad.u.net->dport = htons(snum);
4871 		ad.u.net->family = address->sa_family;
4872 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4873 		if (err)
4874 			return err;
4875 	}
4876 
4877 	return 0;
4878 }
4879 
4880 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4881 static int selinux_socket_connect(struct socket *sock,
4882 				  struct sockaddr *address, int addrlen)
4883 {
4884 	int err;
4885 	struct sock *sk = sock->sk;
4886 
4887 	err = selinux_socket_connect_helper(sock, address, addrlen);
4888 	if (err)
4889 		return err;
4890 
4891 	return selinux_netlbl_socket_connect(sk, address);
4892 }
4893 
4894 static int selinux_socket_listen(struct socket *sock, int backlog)
4895 {
4896 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4897 }
4898 
4899 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4900 {
4901 	int err;
4902 	struct inode_security_struct *isec;
4903 	struct inode_security_struct *newisec;
4904 	u16 sclass;
4905 	u32 sid;
4906 
4907 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4908 	if (err)
4909 		return err;
4910 
4911 	isec = inode_security_novalidate(SOCK_INODE(sock));
4912 	spin_lock(&isec->lock);
4913 	sclass = isec->sclass;
4914 	sid = isec->sid;
4915 	spin_unlock(&isec->lock);
4916 
4917 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4918 	newisec->sclass = sclass;
4919 	newisec->sid = sid;
4920 	newisec->initialized = LABEL_INITIALIZED;
4921 
4922 	return 0;
4923 }
4924 
4925 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4926 				  int size)
4927 {
4928 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4929 }
4930 
4931 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4932 				  int size, int flags)
4933 {
4934 	return sock_has_perm(sock->sk, SOCKET__READ);
4935 }
4936 
4937 static int selinux_socket_getsockname(struct socket *sock)
4938 {
4939 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4940 }
4941 
4942 static int selinux_socket_getpeername(struct socket *sock)
4943 {
4944 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4945 }
4946 
4947 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4948 {
4949 	int err;
4950 
4951 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4952 	if (err)
4953 		return err;
4954 
4955 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4956 }
4957 
4958 static int selinux_socket_getsockopt(struct socket *sock, int level,
4959 				     int optname)
4960 {
4961 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4962 }
4963 
4964 static int selinux_socket_shutdown(struct socket *sock, int how)
4965 {
4966 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4967 }
4968 
4969 static int selinux_socket_unix_stream_connect(struct sock *sock,
4970 					      struct sock *other,
4971 					      struct sock *newsk)
4972 {
4973 	struct sk_security_struct *sksec_sock = sock->sk_security;
4974 	struct sk_security_struct *sksec_other = other->sk_security;
4975 	struct sk_security_struct *sksec_new = newsk->sk_security;
4976 	struct common_audit_data ad;
4977 	struct lsm_network_audit net;
4978 	int err;
4979 
4980 	ad_net_init_from_sk(&ad, &net, other);
4981 
4982 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4983 			   sksec_other->sclass,
4984 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4985 	if (err)
4986 		return err;
4987 
4988 	/* server child socket */
4989 	sksec_new->peer_sid = sksec_sock->sid;
4990 	err = security_sid_mls_copy(sksec_other->sid,
4991 				    sksec_sock->sid, &sksec_new->sid);
4992 	if (err)
4993 		return err;
4994 
4995 	/* connecting socket */
4996 	sksec_sock->peer_sid = sksec_new->sid;
4997 
4998 	return 0;
4999 }
5000 
5001 static int selinux_socket_unix_may_send(struct socket *sock,
5002 					struct socket *other)
5003 {
5004 	struct sk_security_struct *ssec = sock->sk->sk_security;
5005 	struct sk_security_struct *osec = other->sk->sk_security;
5006 	struct common_audit_data ad;
5007 	struct lsm_network_audit net;
5008 
5009 	ad_net_init_from_sk(&ad, &net, other->sk);
5010 
5011 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5012 			    &ad);
5013 }
5014 
5015 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5016 				    char *addrp, u16 family, u32 peer_sid,
5017 				    struct common_audit_data *ad)
5018 {
5019 	int err;
5020 	u32 if_sid;
5021 	u32 node_sid;
5022 
5023 	err = sel_netif_sid(ns, ifindex, &if_sid);
5024 	if (err)
5025 		return err;
5026 	err = avc_has_perm(peer_sid, if_sid,
5027 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
5028 	if (err)
5029 		return err;
5030 
5031 	err = sel_netnode_sid(addrp, family, &node_sid);
5032 	if (err)
5033 		return err;
5034 	return avc_has_perm(peer_sid, node_sid,
5035 			    SECCLASS_NODE, NODE__RECVFROM, ad);
5036 }
5037 
5038 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5039 				       u16 family)
5040 {
5041 	int err = 0;
5042 	struct sk_security_struct *sksec = sk->sk_security;
5043 	u32 sk_sid = sksec->sid;
5044 	struct common_audit_data ad;
5045 	struct lsm_network_audit net;
5046 	char *addrp;
5047 
5048 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5049 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5050 	if (err)
5051 		return err;
5052 
5053 	if (selinux_secmark_enabled()) {
5054 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5055 				   PACKET__RECV, &ad);
5056 		if (err)
5057 			return err;
5058 	}
5059 
5060 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5061 	if (err)
5062 		return err;
5063 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5064 
5065 	return err;
5066 }
5067 
5068 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5069 {
5070 	int err, peerlbl_active, secmark_active;
5071 	struct sk_security_struct *sksec = sk->sk_security;
5072 	u16 family = sk->sk_family;
5073 	u32 sk_sid = sksec->sid;
5074 	struct common_audit_data ad;
5075 	struct lsm_network_audit net;
5076 	char *addrp;
5077 
5078 	if (family != PF_INET && family != PF_INET6)
5079 		return 0;
5080 
5081 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5082 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5083 		family = PF_INET;
5084 
5085 	/* If any sort of compatibility mode is enabled then handoff processing
5086 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5087 	 * special handling.  We do this in an attempt to keep this function
5088 	 * as fast and as clean as possible. */
5089 	if (!selinux_policycap_netpeer())
5090 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5091 
5092 	secmark_active = selinux_secmark_enabled();
5093 	peerlbl_active = selinux_peerlbl_enabled();
5094 	if (!secmark_active && !peerlbl_active)
5095 		return 0;
5096 
5097 	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5098 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5099 	if (err)
5100 		return err;
5101 
5102 	if (peerlbl_active) {
5103 		u32 peer_sid;
5104 
5105 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5106 		if (err)
5107 			return err;
5108 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5109 					       addrp, family, peer_sid, &ad);
5110 		if (err) {
5111 			selinux_netlbl_err(skb, family, err, 0);
5112 			return err;
5113 		}
5114 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5115 				   PEER__RECV, &ad);
5116 		if (err) {
5117 			selinux_netlbl_err(skb, family, err, 0);
5118 			return err;
5119 		}
5120 	}
5121 
5122 	if (secmark_active) {
5123 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5124 				   PACKET__RECV, &ad);
5125 		if (err)
5126 			return err;
5127 	}
5128 
5129 	return err;
5130 }
5131 
5132 static int selinux_socket_getpeersec_stream(struct socket *sock,
5133 					    sockptr_t optval, sockptr_t optlen,
5134 					    unsigned int len)
5135 {
5136 	int err = 0;
5137 	char *scontext = NULL;
5138 	u32 scontext_len;
5139 	struct sk_security_struct *sksec = sock->sk->sk_security;
5140 	u32 peer_sid = SECSID_NULL;
5141 
5142 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5143 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5144 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5145 		peer_sid = sksec->peer_sid;
5146 	if (peer_sid == SECSID_NULL)
5147 		return -ENOPROTOOPT;
5148 
5149 	err = security_sid_to_context(peer_sid, &scontext,
5150 				      &scontext_len);
5151 	if (err)
5152 		return err;
5153 	if (scontext_len > len) {
5154 		err = -ERANGE;
5155 		goto out_len;
5156 	}
5157 
5158 	if (copy_to_sockptr(optval, scontext, scontext_len))
5159 		err = -EFAULT;
5160 out_len:
5161 	if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5162 		err = -EFAULT;
5163 	kfree(scontext);
5164 	return err;
5165 }
5166 
5167 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5168 {
5169 	u32 peer_secid = SECSID_NULL;
5170 	u16 family;
5171 	struct inode_security_struct *isec;
5172 
5173 	if (skb && skb->protocol == htons(ETH_P_IP))
5174 		family = PF_INET;
5175 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5176 		family = PF_INET6;
5177 	else if (sock)
5178 		family = sock->sk->sk_family;
5179 	else
5180 		goto out;
5181 
5182 	if (sock && family == PF_UNIX) {
5183 		isec = inode_security_novalidate(SOCK_INODE(sock));
5184 		peer_secid = isec->sid;
5185 	} else if (skb)
5186 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5187 
5188 out:
5189 	*secid = peer_secid;
5190 	if (peer_secid == SECSID_NULL)
5191 		return -EINVAL;
5192 	return 0;
5193 }
5194 
5195 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5196 {
5197 	struct sk_security_struct *sksec;
5198 
5199 	sksec = kzalloc(sizeof(*sksec), priority);
5200 	if (!sksec)
5201 		return -ENOMEM;
5202 
5203 	sksec->peer_sid = SECINITSID_UNLABELED;
5204 	sksec->sid = SECINITSID_UNLABELED;
5205 	sksec->sclass = SECCLASS_SOCKET;
5206 	selinux_netlbl_sk_security_reset(sksec);
5207 	sk->sk_security = sksec;
5208 
5209 	return 0;
5210 }
5211 
5212 static void selinux_sk_free_security(struct sock *sk)
5213 {
5214 	struct sk_security_struct *sksec = sk->sk_security;
5215 
5216 	sk->sk_security = NULL;
5217 	selinux_netlbl_sk_security_free(sksec);
5218 	kfree(sksec);
5219 }
5220 
5221 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5222 {
5223 	struct sk_security_struct *sksec = sk->sk_security;
5224 	struct sk_security_struct *newsksec = newsk->sk_security;
5225 
5226 	newsksec->sid = sksec->sid;
5227 	newsksec->peer_sid = sksec->peer_sid;
5228 	newsksec->sclass = sksec->sclass;
5229 
5230 	selinux_netlbl_sk_security_reset(newsksec);
5231 }
5232 
5233 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5234 {
5235 	if (!sk)
5236 		*secid = SECINITSID_ANY_SOCKET;
5237 	else {
5238 		const struct sk_security_struct *sksec = sk->sk_security;
5239 
5240 		*secid = sksec->sid;
5241 	}
5242 }
5243 
5244 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5245 {
5246 	struct inode_security_struct *isec =
5247 		inode_security_novalidate(SOCK_INODE(parent));
5248 	struct sk_security_struct *sksec = sk->sk_security;
5249 
5250 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5251 	    sk->sk_family == PF_UNIX)
5252 		isec->sid = sksec->sid;
5253 	sksec->sclass = isec->sclass;
5254 }
5255 
5256 /*
5257  * Determines peer_secid for the asoc and updates socket's peer label
5258  * if it's the first association on the socket.
5259  */
5260 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5261 					  struct sk_buff *skb)
5262 {
5263 	struct sock *sk = asoc->base.sk;
5264 	u16 family = sk->sk_family;
5265 	struct sk_security_struct *sksec = sk->sk_security;
5266 	struct common_audit_data ad;
5267 	struct lsm_network_audit net;
5268 	int err;
5269 
5270 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5271 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5272 		family = PF_INET;
5273 
5274 	if (selinux_peerlbl_enabled()) {
5275 		asoc->peer_secid = SECSID_NULL;
5276 
5277 		/* This will return peer_sid = SECSID_NULL if there are
5278 		 * no peer labels, see security_net_peersid_resolve().
5279 		 */
5280 		err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5281 		if (err)
5282 			return err;
5283 
5284 		if (asoc->peer_secid == SECSID_NULL)
5285 			asoc->peer_secid = SECINITSID_UNLABELED;
5286 	} else {
5287 		asoc->peer_secid = SECINITSID_UNLABELED;
5288 	}
5289 
5290 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5291 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5292 
5293 		/* Here as first association on socket. As the peer SID
5294 		 * was allowed by peer recv (and the netif/node checks),
5295 		 * then it is approved by policy and used as the primary
5296 		 * peer SID for getpeercon(3).
5297 		 */
5298 		sksec->peer_sid = asoc->peer_secid;
5299 	} else if (sksec->peer_sid != asoc->peer_secid) {
5300 		/* Other association peer SIDs are checked to enforce
5301 		 * consistency among the peer SIDs.
5302 		 */
5303 		ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5304 		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5305 				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5306 				   &ad);
5307 		if (err)
5308 			return err;
5309 	}
5310 	return 0;
5311 }
5312 
5313 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5314  * happens on an incoming connect(2), sctp_connectx(3) or
5315  * sctp_sendmsg(3) (with no association already present).
5316  */
5317 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5318 				      struct sk_buff *skb)
5319 {
5320 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5321 	u32 conn_sid;
5322 	int err;
5323 
5324 	if (!selinux_policycap_extsockclass())
5325 		return 0;
5326 
5327 	err = selinux_sctp_process_new_assoc(asoc, skb);
5328 	if (err)
5329 		return err;
5330 
5331 	/* Compute the MLS component for the connection and store
5332 	 * the information in asoc. This will be used by SCTP TCP type
5333 	 * sockets and peeled off connections as they cause a new
5334 	 * socket to be generated. selinux_sctp_sk_clone() will then
5335 	 * plug this into the new socket.
5336 	 */
5337 	err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5338 	if (err)
5339 		return err;
5340 
5341 	asoc->secid = conn_sid;
5342 
5343 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5344 	return selinux_netlbl_sctp_assoc_request(asoc, skb);
5345 }
5346 
5347 /* Called when SCTP receives a COOKIE ACK chunk as the final
5348  * response to an association request (initited by us).
5349  */
5350 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5351 					  struct sk_buff *skb)
5352 {
5353 	struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5354 
5355 	if (!selinux_policycap_extsockclass())
5356 		return 0;
5357 
5358 	/* Inherit secid from the parent socket - this will be picked up
5359 	 * by selinux_sctp_sk_clone() if the association gets peeled off
5360 	 * into a new socket.
5361 	 */
5362 	asoc->secid = sksec->sid;
5363 
5364 	return selinux_sctp_process_new_assoc(asoc, skb);
5365 }
5366 
5367 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5368  * based on their @optname.
5369  */
5370 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5371 				     struct sockaddr *address,
5372 				     int addrlen)
5373 {
5374 	int len, err = 0, walk_size = 0;
5375 	void *addr_buf;
5376 	struct sockaddr *addr;
5377 	struct socket *sock;
5378 
5379 	if (!selinux_policycap_extsockclass())
5380 		return 0;
5381 
5382 	/* Process one or more addresses that may be IPv4 or IPv6 */
5383 	sock = sk->sk_socket;
5384 	addr_buf = address;
5385 
5386 	while (walk_size < addrlen) {
5387 		if (walk_size + sizeof(sa_family_t) > addrlen)
5388 			return -EINVAL;
5389 
5390 		addr = addr_buf;
5391 		switch (addr->sa_family) {
5392 		case AF_UNSPEC:
5393 		case AF_INET:
5394 			len = sizeof(struct sockaddr_in);
5395 			break;
5396 		case AF_INET6:
5397 			len = sizeof(struct sockaddr_in6);
5398 			break;
5399 		default:
5400 			return -EINVAL;
5401 		}
5402 
5403 		if (walk_size + len > addrlen)
5404 			return -EINVAL;
5405 
5406 		err = -EINVAL;
5407 		switch (optname) {
5408 		/* Bind checks */
5409 		case SCTP_PRIMARY_ADDR:
5410 		case SCTP_SET_PEER_PRIMARY_ADDR:
5411 		case SCTP_SOCKOPT_BINDX_ADD:
5412 			err = selinux_socket_bind(sock, addr, len);
5413 			break;
5414 		/* Connect checks */
5415 		case SCTP_SOCKOPT_CONNECTX:
5416 		case SCTP_PARAM_SET_PRIMARY:
5417 		case SCTP_PARAM_ADD_IP:
5418 		case SCTP_SENDMSG_CONNECT:
5419 			err = selinux_socket_connect_helper(sock, addr, len);
5420 			if (err)
5421 				return err;
5422 
5423 			/* As selinux_sctp_bind_connect() is called by the
5424 			 * SCTP protocol layer, the socket is already locked,
5425 			 * therefore selinux_netlbl_socket_connect_locked()
5426 			 * is called here. The situations handled are:
5427 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5428 			 * whenever a new IP address is added or when a new
5429 			 * primary address is selected.
5430 			 * Note that an SCTP connect(2) call happens before
5431 			 * the SCTP protocol layer and is handled via
5432 			 * selinux_socket_connect().
5433 			 */
5434 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5435 			break;
5436 		}
5437 
5438 		if (err)
5439 			return err;
5440 
5441 		addr_buf += len;
5442 		walk_size += len;
5443 	}
5444 
5445 	return 0;
5446 }
5447 
5448 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5449 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5450 				  struct sock *newsk)
5451 {
5452 	struct sk_security_struct *sksec = sk->sk_security;
5453 	struct sk_security_struct *newsksec = newsk->sk_security;
5454 
5455 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5456 	 * the non-sctp clone version.
5457 	 */
5458 	if (!selinux_policycap_extsockclass())
5459 		return selinux_sk_clone_security(sk, newsk);
5460 
5461 	newsksec->sid = asoc->secid;
5462 	newsksec->peer_sid = asoc->peer_secid;
5463 	newsksec->sclass = sksec->sclass;
5464 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5465 }
5466 
5467 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5468 {
5469 	struct sk_security_struct *ssksec = ssk->sk_security;
5470 	struct sk_security_struct *sksec = sk->sk_security;
5471 
5472 	ssksec->sclass = sksec->sclass;
5473 	ssksec->sid = sksec->sid;
5474 
5475 	/* replace the existing subflow label deleting the existing one
5476 	 * and re-recreating a new label using the updated context
5477 	 */
5478 	selinux_netlbl_sk_security_free(ssksec);
5479 	return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5480 }
5481 
5482 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5483 				     struct request_sock *req)
5484 {
5485 	struct sk_security_struct *sksec = sk->sk_security;
5486 	int err;
5487 	u16 family = req->rsk_ops->family;
5488 	u32 connsid;
5489 	u32 peersid;
5490 
5491 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5492 	if (err)
5493 		return err;
5494 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5495 	if (err)
5496 		return err;
5497 	req->secid = connsid;
5498 	req->peer_secid = peersid;
5499 
5500 	return selinux_netlbl_inet_conn_request(req, family);
5501 }
5502 
5503 static void selinux_inet_csk_clone(struct sock *newsk,
5504 				   const struct request_sock *req)
5505 {
5506 	struct sk_security_struct *newsksec = newsk->sk_security;
5507 
5508 	newsksec->sid = req->secid;
5509 	newsksec->peer_sid = req->peer_secid;
5510 	/* NOTE: Ideally, we should also get the isec->sid for the
5511 	   new socket in sync, but we don't have the isec available yet.
5512 	   So we will wait until sock_graft to do it, by which
5513 	   time it will have been created and available. */
5514 
5515 	/* We don't need to take any sort of lock here as we are the only
5516 	 * thread with access to newsksec */
5517 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5518 }
5519 
5520 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5521 {
5522 	u16 family = sk->sk_family;
5523 	struct sk_security_struct *sksec = sk->sk_security;
5524 
5525 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5526 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5527 		family = PF_INET;
5528 
5529 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5530 }
5531 
5532 static int selinux_secmark_relabel_packet(u32 sid)
5533 {
5534 	const struct task_security_struct *tsec;
5535 	u32 tsid;
5536 
5537 	tsec = selinux_cred(current_cred());
5538 	tsid = tsec->sid;
5539 
5540 	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5541 			    NULL);
5542 }
5543 
5544 static void selinux_secmark_refcount_inc(void)
5545 {
5546 	atomic_inc(&selinux_secmark_refcount);
5547 }
5548 
5549 static void selinux_secmark_refcount_dec(void)
5550 {
5551 	atomic_dec(&selinux_secmark_refcount);
5552 }
5553 
5554 static void selinux_req_classify_flow(const struct request_sock *req,
5555 				      struct flowi_common *flic)
5556 {
5557 	flic->flowic_secid = req->secid;
5558 }
5559 
5560 static int selinux_tun_dev_alloc_security(void **security)
5561 {
5562 	struct tun_security_struct *tunsec;
5563 
5564 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5565 	if (!tunsec)
5566 		return -ENOMEM;
5567 	tunsec->sid = current_sid();
5568 
5569 	*security = tunsec;
5570 	return 0;
5571 }
5572 
5573 static void selinux_tun_dev_free_security(void *security)
5574 {
5575 	kfree(security);
5576 }
5577 
5578 static int selinux_tun_dev_create(void)
5579 {
5580 	u32 sid = current_sid();
5581 
5582 	/* we aren't taking into account the "sockcreate" SID since the socket
5583 	 * that is being created here is not a socket in the traditional sense,
5584 	 * instead it is a private sock, accessible only to the kernel, and
5585 	 * representing a wide range of network traffic spanning multiple
5586 	 * connections unlike traditional sockets - check the TUN driver to
5587 	 * get a better understanding of why this socket is special */
5588 
5589 	return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5590 			    NULL);
5591 }
5592 
5593 static int selinux_tun_dev_attach_queue(void *security)
5594 {
5595 	struct tun_security_struct *tunsec = security;
5596 
5597 	return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5598 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5599 }
5600 
5601 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5602 {
5603 	struct tun_security_struct *tunsec = security;
5604 	struct sk_security_struct *sksec = sk->sk_security;
5605 
5606 	/* we don't currently perform any NetLabel based labeling here and it
5607 	 * isn't clear that we would want to do so anyway; while we could apply
5608 	 * labeling without the support of the TUN user the resulting labeled
5609 	 * traffic from the other end of the connection would almost certainly
5610 	 * cause confusion to the TUN user that had no idea network labeling
5611 	 * protocols were being used */
5612 
5613 	sksec->sid = tunsec->sid;
5614 	sksec->sclass = SECCLASS_TUN_SOCKET;
5615 
5616 	return 0;
5617 }
5618 
5619 static int selinux_tun_dev_open(void *security)
5620 {
5621 	struct tun_security_struct *tunsec = security;
5622 	u32 sid = current_sid();
5623 	int err;
5624 
5625 	err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5626 			   TUN_SOCKET__RELABELFROM, NULL);
5627 	if (err)
5628 		return err;
5629 	err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5630 			   TUN_SOCKET__RELABELTO, NULL);
5631 	if (err)
5632 		return err;
5633 	tunsec->sid = sid;
5634 
5635 	return 0;
5636 }
5637 
5638 #ifdef CONFIG_NETFILTER
5639 
5640 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5641 				       const struct nf_hook_state *state)
5642 {
5643 	int ifindex;
5644 	u16 family;
5645 	char *addrp;
5646 	u32 peer_sid;
5647 	struct common_audit_data ad;
5648 	struct lsm_network_audit net;
5649 	int secmark_active, peerlbl_active;
5650 
5651 	if (!selinux_policycap_netpeer())
5652 		return NF_ACCEPT;
5653 
5654 	secmark_active = selinux_secmark_enabled();
5655 	peerlbl_active = selinux_peerlbl_enabled();
5656 	if (!secmark_active && !peerlbl_active)
5657 		return NF_ACCEPT;
5658 
5659 	family = state->pf;
5660 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5661 		return NF_DROP;
5662 
5663 	ifindex = state->in->ifindex;
5664 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5665 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5666 		return NF_DROP;
5667 
5668 	if (peerlbl_active) {
5669 		int err;
5670 
5671 		err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5672 					       addrp, family, peer_sid, &ad);
5673 		if (err) {
5674 			selinux_netlbl_err(skb, family, err, 1);
5675 			return NF_DROP;
5676 		}
5677 	}
5678 
5679 	if (secmark_active)
5680 		if (avc_has_perm(peer_sid, skb->secmark,
5681 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5682 			return NF_DROP;
5683 
5684 	if (netlbl_enabled())
5685 		/* we do this in the FORWARD path and not the POST_ROUTING
5686 		 * path because we want to make sure we apply the necessary
5687 		 * labeling before IPsec is applied so we can leverage AH
5688 		 * protection */
5689 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5690 			return NF_DROP;
5691 
5692 	return NF_ACCEPT;
5693 }
5694 
5695 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5696 				      const struct nf_hook_state *state)
5697 {
5698 	struct sock *sk;
5699 	u32 sid;
5700 
5701 	if (!netlbl_enabled())
5702 		return NF_ACCEPT;
5703 
5704 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5705 	 * because we want to make sure we apply the necessary labeling
5706 	 * before IPsec is applied so we can leverage AH protection */
5707 	sk = skb->sk;
5708 	if (sk) {
5709 		struct sk_security_struct *sksec;
5710 
5711 		if (sk_listener(sk))
5712 			/* if the socket is the listening state then this
5713 			 * packet is a SYN-ACK packet which means it needs to
5714 			 * be labeled based on the connection/request_sock and
5715 			 * not the parent socket.  unfortunately, we can't
5716 			 * lookup the request_sock yet as it isn't queued on
5717 			 * the parent socket until after the SYN-ACK is sent.
5718 			 * the "solution" is to simply pass the packet as-is
5719 			 * as any IP option based labeling should be copied
5720 			 * from the initial connection request (in the IP
5721 			 * layer).  it is far from ideal, but until we get a
5722 			 * security label in the packet itself this is the
5723 			 * best we can do. */
5724 			return NF_ACCEPT;
5725 
5726 		/* standard practice, label using the parent socket */
5727 		sksec = sk->sk_security;
5728 		sid = sksec->sid;
5729 	} else
5730 		sid = SECINITSID_KERNEL;
5731 	if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5732 		return NF_DROP;
5733 
5734 	return NF_ACCEPT;
5735 }
5736 
5737 
5738 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5739 					const struct nf_hook_state *state)
5740 {
5741 	struct sock *sk;
5742 	struct sk_security_struct *sksec;
5743 	struct common_audit_data ad;
5744 	struct lsm_network_audit net;
5745 	u8 proto = 0;
5746 
5747 	sk = skb_to_full_sk(skb);
5748 	if (sk == NULL)
5749 		return NF_ACCEPT;
5750 	sksec = sk->sk_security;
5751 
5752 	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5753 	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5754 		return NF_DROP;
5755 
5756 	if (selinux_secmark_enabled())
5757 		if (avc_has_perm(sksec->sid, skb->secmark,
5758 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5759 			return NF_DROP_ERR(-ECONNREFUSED);
5760 
5761 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5762 		return NF_DROP_ERR(-ECONNREFUSED);
5763 
5764 	return NF_ACCEPT;
5765 }
5766 
5767 static unsigned int selinux_ip_postroute(void *priv,
5768 					 struct sk_buff *skb,
5769 					 const struct nf_hook_state *state)
5770 {
5771 	u16 family;
5772 	u32 secmark_perm;
5773 	u32 peer_sid;
5774 	int ifindex;
5775 	struct sock *sk;
5776 	struct common_audit_data ad;
5777 	struct lsm_network_audit net;
5778 	char *addrp;
5779 	int secmark_active, peerlbl_active;
5780 
5781 	/* If any sort of compatibility mode is enabled then handoff processing
5782 	 * to the selinux_ip_postroute_compat() function to deal with the
5783 	 * special handling.  We do this in an attempt to keep this function
5784 	 * as fast and as clean as possible. */
5785 	if (!selinux_policycap_netpeer())
5786 		return selinux_ip_postroute_compat(skb, state);
5787 
5788 	secmark_active = selinux_secmark_enabled();
5789 	peerlbl_active = selinux_peerlbl_enabled();
5790 	if (!secmark_active && !peerlbl_active)
5791 		return NF_ACCEPT;
5792 
5793 	sk = skb_to_full_sk(skb);
5794 
5795 #ifdef CONFIG_XFRM
5796 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5797 	 * packet transformation so allow the packet to pass without any checks
5798 	 * since we'll have another chance to perform access control checks
5799 	 * when the packet is on it's final way out.
5800 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5801 	 *       is NULL, in this case go ahead and apply access control.
5802 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5803 	 *       TCP listening state we cannot wait until the XFRM processing
5804 	 *       is done as we will miss out on the SA label if we do;
5805 	 *       unfortunately, this means more work, but it is only once per
5806 	 *       connection. */
5807 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5808 	    !(sk && sk_listener(sk)))
5809 		return NF_ACCEPT;
5810 #endif
5811 
5812 	family = state->pf;
5813 	if (sk == NULL) {
5814 		/* Without an associated socket the packet is either coming
5815 		 * from the kernel or it is being forwarded; check the packet
5816 		 * to determine which and if the packet is being forwarded
5817 		 * query the packet directly to determine the security label. */
5818 		if (skb->skb_iif) {
5819 			secmark_perm = PACKET__FORWARD_OUT;
5820 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5821 				return NF_DROP;
5822 		} else {
5823 			secmark_perm = PACKET__SEND;
5824 			peer_sid = SECINITSID_KERNEL;
5825 		}
5826 	} else if (sk_listener(sk)) {
5827 		/* Locally generated packet but the associated socket is in the
5828 		 * listening state which means this is a SYN-ACK packet.  In
5829 		 * this particular case the correct security label is assigned
5830 		 * to the connection/request_sock but unfortunately we can't
5831 		 * query the request_sock as it isn't queued on the parent
5832 		 * socket until after the SYN-ACK packet is sent; the only
5833 		 * viable choice is to regenerate the label like we do in
5834 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5835 		 * for similar problems. */
5836 		u32 skb_sid;
5837 		struct sk_security_struct *sksec;
5838 
5839 		sksec = sk->sk_security;
5840 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5841 			return NF_DROP;
5842 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5843 		 * and the packet has been through at least one XFRM
5844 		 * transformation then we must be dealing with the "final"
5845 		 * form of labeled IPsec packet; since we've already applied
5846 		 * all of our access controls on this packet we can safely
5847 		 * pass the packet. */
5848 		if (skb_sid == SECSID_NULL) {
5849 			switch (family) {
5850 			case PF_INET:
5851 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5852 					return NF_ACCEPT;
5853 				break;
5854 			case PF_INET6:
5855 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5856 					return NF_ACCEPT;
5857 				break;
5858 			default:
5859 				return NF_DROP_ERR(-ECONNREFUSED);
5860 			}
5861 		}
5862 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5863 			return NF_DROP;
5864 		secmark_perm = PACKET__SEND;
5865 	} else {
5866 		/* Locally generated packet, fetch the security label from the
5867 		 * associated socket. */
5868 		struct sk_security_struct *sksec = sk->sk_security;
5869 		peer_sid = sksec->sid;
5870 		secmark_perm = PACKET__SEND;
5871 	}
5872 
5873 	ifindex = state->out->ifindex;
5874 	ad_net_init_from_iif(&ad, &net, ifindex, family);
5875 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5876 		return NF_DROP;
5877 
5878 	if (secmark_active)
5879 		if (avc_has_perm(peer_sid, skb->secmark,
5880 				 SECCLASS_PACKET, secmark_perm, &ad))
5881 			return NF_DROP_ERR(-ECONNREFUSED);
5882 
5883 	if (peerlbl_active) {
5884 		u32 if_sid;
5885 		u32 node_sid;
5886 
5887 		if (sel_netif_sid(state->net, ifindex, &if_sid))
5888 			return NF_DROP;
5889 		if (avc_has_perm(peer_sid, if_sid,
5890 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5891 			return NF_DROP_ERR(-ECONNREFUSED);
5892 
5893 		if (sel_netnode_sid(addrp, family, &node_sid))
5894 			return NF_DROP;
5895 		if (avc_has_perm(peer_sid, node_sid,
5896 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5897 			return NF_DROP_ERR(-ECONNREFUSED);
5898 	}
5899 
5900 	return NF_ACCEPT;
5901 }
5902 #endif	/* CONFIG_NETFILTER */
5903 
5904 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5905 {
5906 	int rc = 0;
5907 	unsigned int msg_len;
5908 	unsigned int data_len = skb->len;
5909 	unsigned char *data = skb->data;
5910 	struct nlmsghdr *nlh;
5911 	struct sk_security_struct *sksec = sk->sk_security;
5912 	u16 sclass = sksec->sclass;
5913 	u32 perm;
5914 
5915 	while (data_len >= nlmsg_total_size(0)) {
5916 		nlh = (struct nlmsghdr *)data;
5917 
5918 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5919 		 *       users which means we can't reject skb's with bogus
5920 		 *       length fields; our solution is to follow what
5921 		 *       netlink_rcv_skb() does and simply skip processing at
5922 		 *       messages with length fields that are clearly junk
5923 		 */
5924 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5925 			return 0;
5926 
5927 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5928 		if (rc == 0) {
5929 			rc = sock_has_perm(sk, perm);
5930 			if (rc)
5931 				return rc;
5932 		} else if (rc == -EINVAL) {
5933 			/* -EINVAL is a missing msg/perm mapping */
5934 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5935 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5936 				" pid=%d comm=%s\n",
5937 				sk->sk_protocol, nlh->nlmsg_type,
5938 				secclass_map[sclass - 1].name,
5939 				task_pid_nr(current), current->comm);
5940 			if (enforcing_enabled() &&
5941 			    !security_get_allow_unknown())
5942 				return rc;
5943 			rc = 0;
5944 		} else if (rc == -ENOENT) {
5945 			/* -ENOENT is a missing socket/class mapping, ignore */
5946 			rc = 0;
5947 		} else {
5948 			return rc;
5949 		}
5950 
5951 		/* move to the next message after applying netlink padding */
5952 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5953 		if (msg_len >= data_len)
5954 			return 0;
5955 		data_len -= msg_len;
5956 		data += msg_len;
5957 	}
5958 
5959 	return rc;
5960 }
5961 
5962 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5963 {
5964 	isec->sclass = sclass;
5965 	isec->sid = current_sid();
5966 }
5967 
5968 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5969 			u32 perms)
5970 {
5971 	struct ipc_security_struct *isec;
5972 	struct common_audit_data ad;
5973 	u32 sid = current_sid();
5974 
5975 	isec = selinux_ipc(ipc_perms);
5976 
5977 	ad.type = LSM_AUDIT_DATA_IPC;
5978 	ad.u.ipc_id = ipc_perms->key;
5979 
5980 	return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5981 }
5982 
5983 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5984 {
5985 	struct msg_security_struct *msec;
5986 
5987 	msec = selinux_msg_msg(msg);
5988 	msec->sid = SECINITSID_UNLABELED;
5989 
5990 	return 0;
5991 }
5992 
5993 /* message queue security operations */
5994 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5995 {
5996 	struct ipc_security_struct *isec;
5997 	struct common_audit_data ad;
5998 	u32 sid = current_sid();
5999 
6000 	isec = selinux_ipc(msq);
6001 	ipc_init_security(isec, SECCLASS_MSGQ);
6002 
6003 	ad.type = LSM_AUDIT_DATA_IPC;
6004 	ad.u.ipc_id = msq->key;
6005 
6006 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6007 			    MSGQ__CREATE, &ad);
6008 }
6009 
6010 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6011 {
6012 	struct ipc_security_struct *isec;
6013 	struct common_audit_data ad;
6014 	u32 sid = current_sid();
6015 
6016 	isec = selinux_ipc(msq);
6017 
6018 	ad.type = LSM_AUDIT_DATA_IPC;
6019 	ad.u.ipc_id = msq->key;
6020 
6021 	return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6022 			    MSGQ__ASSOCIATE, &ad);
6023 }
6024 
6025 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6026 {
6027 	u32 perms;
6028 
6029 	switch (cmd) {
6030 	case IPC_INFO:
6031 	case MSG_INFO:
6032 		/* No specific object, just general system-wide information. */
6033 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6034 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6035 	case IPC_STAT:
6036 	case MSG_STAT:
6037 	case MSG_STAT_ANY:
6038 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6039 		break;
6040 	case IPC_SET:
6041 		perms = MSGQ__SETATTR;
6042 		break;
6043 	case IPC_RMID:
6044 		perms = MSGQ__DESTROY;
6045 		break;
6046 	default:
6047 		return 0;
6048 	}
6049 
6050 	return ipc_has_perm(msq, perms);
6051 }
6052 
6053 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6054 {
6055 	struct ipc_security_struct *isec;
6056 	struct msg_security_struct *msec;
6057 	struct common_audit_data ad;
6058 	u32 sid = current_sid();
6059 	int rc;
6060 
6061 	isec = selinux_ipc(msq);
6062 	msec = selinux_msg_msg(msg);
6063 
6064 	/*
6065 	 * First time through, need to assign label to the message
6066 	 */
6067 	if (msec->sid == SECINITSID_UNLABELED) {
6068 		/*
6069 		 * Compute new sid based on current process and
6070 		 * message queue this message will be stored in
6071 		 */
6072 		rc = security_transition_sid(sid, isec->sid,
6073 					     SECCLASS_MSG, NULL, &msec->sid);
6074 		if (rc)
6075 			return rc;
6076 	}
6077 
6078 	ad.type = LSM_AUDIT_DATA_IPC;
6079 	ad.u.ipc_id = msq->key;
6080 
6081 	/* Can this process write to the queue? */
6082 	rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6083 			  MSGQ__WRITE, &ad);
6084 	if (!rc)
6085 		/* Can this process send the message */
6086 		rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6087 				  MSG__SEND, &ad);
6088 	if (!rc)
6089 		/* Can the message be put in the queue? */
6090 		rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6091 				  MSGQ__ENQUEUE, &ad);
6092 
6093 	return rc;
6094 }
6095 
6096 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6097 				    struct task_struct *target,
6098 				    long type, int mode)
6099 {
6100 	struct ipc_security_struct *isec;
6101 	struct msg_security_struct *msec;
6102 	struct common_audit_data ad;
6103 	u32 sid = task_sid_obj(target);
6104 	int rc;
6105 
6106 	isec = selinux_ipc(msq);
6107 	msec = selinux_msg_msg(msg);
6108 
6109 	ad.type = LSM_AUDIT_DATA_IPC;
6110 	ad.u.ipc_id = msq->key;
6111 
6112 	rc = avc_has_perm(sid, isec->sid,
6113 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6114 	if (!rc)
6115 		rc = avc_has_perm(sid, msec->sid,
6116 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6117 	return rc;
6118 }
6119 
6120 /* Shared Memory security operations */
6121 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6122 {
6123 	struct ipc_security_struct *isec;
6124 	struct common_audit_data ad;
6125 	u32 sid = current_sid();
6126 
6127 	isec = selinux_ipc(shp);
6128 	ipc_init_security(isec, SECCLASS_SHM);
6129 
6130 	ad.type = LSM_AUDIT_DATA_IPC;
6131 	ad.u.ipc_id = shp->key;
6132 
6133 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6134 			    SHM__CREATE, &ad);
6135 }
6136 
6137 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6138 {
6139 	struct ipc_security_struct *isec;
6140 	struct common_audit_data ad;
6141 	u32 sid = current_sid();
6142 
6143 	isec = selinux_ipc(shp);
6144 
6145 	ad.type = LSM_AUDIT_DATA_IPC;
6146 	ad.u.ipc_id = shp->key;
6147 
6148 	return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6149 			    SHM__ASSOCIATE, &ad);
6150 }
6151 
6152 /* Note, at this point, shp is locked down */
6153 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6154 {
6155 	u32 perms;
6156 
6157 	switch (cmd) {
6158 	case IPC_INFO:
6159 	case SHM_INFO:
6160 		/* No specific object, just general system-wide information. */
6161 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6162 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6163 	case IPC_STAT:
6164 	case SHM_STAT:
6165 	case SHM_STAT_ANY:
6166 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6167 		break;
6168 	case IPC_SET:
6169 		perms = SHM__SETATTR;
6170 		break;
6171 	case SHM_LOCK:
6172 	case SHM_UNLOCK:
6173 		perms = SHM__LOCK;
6174 		break;
6175 	case IPC_RMID:
6176 		perms = SHM__DESTROY;
6177 		break;
6178 	default:
6179 		return 0;
6180 	}
6181 
6182 	return ipc_has_perm(shp, perms);
6183 }
6184 
6185 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6186 			     char __user *shmaddr, int shmflg)
6187 {
6188 	u32 perms;
6189 
6190 	if (shmflg & SHM_RDONLY)
6191 		perms = SHM__READ;
6192 	else
6193 		perms = SHM__READ | SHM__WRITE;
6194 
6195 	return ipc_has_perm(shp, perms);
6196 }
6197 
6198 /* Semaphore security operations */
6199 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6200 {
6201 	struct ipc_security_struct *isec;
6202 	struct common_audit_data ad;
6203 	u32 sid = current_sid();
6204 
6205 	isec = selinux_ipc(sma);
6206 	ipc_init_security(isec, SECCLASS_SEM);
6207 
6208 	ad.type = LSM_AUDIT_DATA_IPC;
6209 	ad.u.ipc_id = sma->key;
6210 
6211 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6212 			    SEM__CREATE, &ad);
6213 }
6214 
6215 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6216 {
6217 	struct ipc_security_struct *isec;
6218 	struct common_audit_data ad;
6219 	u32 sid = current_sid();
6220 
6221 	isec = selinux_ipc(sma);
6222 
6223 	ad.type = LSM_AUDIT_DATA_IPC;
6224 	ad.u.ipc_id = sma->key;
6225 
6226 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6227 			    SEM__ASSOCIATE, &ad);
6228 }
6229 
6230 /* Note, at this point, sma is locked down */
6231 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6232 {
6233 	int err;
6234 	u32 perms;
6235 
6236 	switch (cmd) {
6237 	case IPC_INFO:
6238 	case SEM_INFO:
6239 		/* No specific object, just general system-wide information. */
6240 		return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6241 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6242 	case GETPID:
6243 	case GETNCNT:
6244 	case GETZCNT:
6245 		perms = SEM__GETATTR;
6246 		break;
6247 	case GETVAL:
6248 	case GETALL:
6249 		perms = SEM__READ;
6250 		break;
6251 	case SETVAL:
6252 	case SETALL:
6253 		perms = SEM__WRITE;
6254 		break;
6255 	case IPC_RMID:
6256 		perms = SEM__DESTROY;
6257 		break;
6258 	case IPC_SET:
6259 		perms = SEM__SETATTR;
6260 		break;
6261 	case IPC_STAT:
6262 	case SEM_STAT:
6263 	case SEM_STAT_ANY:
6264 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6265 		break;
6266 	default:
6267 		return 0;
6268 	}
6269 
6270 	err = ipc_has_perm(sma, perms);
6271 	return err;
6272 }
6273 
6274 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6275 			     struct sembuf *sops, unsigned nsops, int alter)
6276 {
6277 	u32 perms;
6278 
6279 	if (alter)
6280 		perms = SEM__READ | SEM__WRITE;
6281 	else
6282 		perms = SEM__READ;
6283 
6284 	return ipc_has_perm(sma, perms);
6285 }
6286 
6287 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6288 {
6289 	u32 av = 0;
6290 
6291 	av = 0;
6292 	if (flag & S_IRUGO)
6293 		av |= IPC__UNIX_READ;
6294 	if (flag & S_IWUGO)
6295 		av |= IPC__UNIX_WRITE;
6296 
6297 	if (av == 0)
6298 		return 0;
6299 
6300 	return ipc_has_perm(ipcp, av);
6301 }
6302 
6303 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6304 {
6305 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6306 	*secid = isec->sid;
6307 }
6308 
6309 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6310 {
6311 	if (inode)
6312 		inode_doinit_with_dentry(inode, dentry);
6313 }
6314 
6315 static int selinux_getprocattr(struct task_struct *p,
6316 			       const char *name, char **value)
6317 {
6318 	const struct task_security_struct *__tsec;
6319 	u32 sid;
6320 	int error;
6321 	unsigned len;
6322 
6323 	rcu_read_lock();
6324 	__tsec = selinux_cred(__task_cred(p));
6325 
6326 	if (current != p) {
6327 		error = avc_has_perm(current_sid(), __tsec->sid,
6328 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6329 		if (error)
6330 			goto bad;
6331 	}
6332 
6333 	if (!strcmp(name, "current"))
6334 		sid = __tsec->sid;
6335 	else if (!strcmp(name, "prev"))
6336 		sid = __tsec->osid;
6337 	else if (!strcmp(name, "exec"))
6338 		sid = __tsec->exec_sid;
6339 	else if (!strcmp(name, "fscreate"))
6340 		sid = __tsec->create_sid;
6341 	else if (!strcmp(name, "keycreate"))
6342 		sid = __tsec->keycreate_sid;
6343 	else if (!strcmp(name, "sockcreate"))
6344 		sid = __tsec->sockcreate_sid;
6345 	else {
6346 		error = -EINVAL;
6347 		goto bad;
6348 	}
6349 	rcu_read_unlock();
6350 
6351 	if (!sid)
6352 		return 0;
6353 
6354 	error = security_sid_to_context(sid, value, &len);
6355 	if (error)
6356 		return error;
6357 	return len;
6358 
6359 bad:
6360 	rcu_read_unlock();
6361 	return error;
6362 }
6363 
6364 static int selinux_setprocattr(const char *name, void *value, size_t size)
6365 {
6366 	struct task_security_struct *tsec;
6367 	struct cred *new;
6368 	u32 mysid = current_sid(), sid = 0, ptsid;
6369 	int error;
6370 	char *str = value;
6371 
6372 	/*
6373 	 * Basic control over ability to set these attributes at all.
6374 	 */
6375 	if (!strcmp(name, "exec"))
6376 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6377 				     PROCESS__SETEXEC, NULL);
6378 	else if (!strcmp(name, "fscreate"))
6379 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6380 				     PROCESS__SETFSCREATE, NULL);
6381 	else if (!strcmp(name, "keycreate"))
6382 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6383 				     PROCESS__SETKEYCREATE, NULL);
6384 	else if (!strcmp(name, "sockcreate"))
6385 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6386 				     PROCESS__SETSOCKCREATE, NULL);
6387 	else if (!strcmp(name, "current"))
6388 		error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6389 				     PROCESS__SETCURRENT, NULL);
6390 	else
6391 		error = -EINVAL;
6392 	if (error)
6393 		return error;
6394 
6395 	/* Obtain a SID for the context, if one was specified. */
6396 	if (size && str[0] && str[0] != '\n') {
6397 		if (str[size-1] == '\n') {
6398 			str[size-1] = 0;
6399 			size--;
6400 		}
6401 		error = security_context_to_sid(value, size,
6402 						&sid, GFP_KERNEL);
6403 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6404 			if (!has_cap_mac_admin(true)) {
6405 				struct audit_buffer *ab;
6406 				size_t audit_size;
6407 
6408 				/* We strip a nul only if it is at the end, otherwise the
6409 				 * context contains a nul and we should audit that */
6410 				if (str[size - 1] == '\0')
6411 					audit_size = size - 1;
6412 				else
6413 					audit_size = size;
6414 				ab = audit_log_start(audit_context(),
6415 						     GFP_ATOMIC,
6416 						     AUDIT_SELINUX_ERR);
6417 				if (!ab)
6418 					return error;
6419 				audit_log_format(ab, "op=fscreate invalid_context=");
6420 				audit_log_n_untrustedstring(ab, value, audit_size);
6421 				audit_log_end(ab);
6422 
6423 				return error;
6424 			}
6425 			error = security_context_to_sid_force(value, size,
6426 							&sid);
6427 		}
6428 		if (error)
6429 			return error;
6430 	}
6431 
6432 	new = prepare_creds();
6433 	if (!new)
6434 		return -ENOMEM;
6435 
6436 	/* Permission checking based on the specified context is
6437 	   performed during the actual operation (execve,
6438 	   open/mkdir/...), when we know the full context of the
6439 	   operation.  See selinux_bprm_creds_for_exec for the execve
6440 	   checks and may_create for the file creation checks. The
6441 	   operation will then fail if the context is not permitted. */
6442 	tsec = selinux_cred(new);
6443 	if (!strcmp(name, "exec")) {
6444 		tsec->exec_sid = sid;
6445 	} else if (!strcmp(name, "fscreate")) {
6446 		tsec->create_sid = sid;
6447 	} else if (!strcmp(name, "keycreate")) {
6448 		if (sid) {
6449 			error = avc_has_perm(mysid, sid,
6450 					     SECCLASS_KEY, KEY__CREATE, NULL);
6451 			if (error)
6452 				goto abort_change;
6453 		}
6454 		tsec->keycreate_sid = sid;
6455 	} else if (!strcmp(name, "sockcreate")) {
6456 		tsec->sockcreate_sid = sid;
6457 	} else if (!strcmp(name, "current")) {
6458 		error = -EINVAL;
6459 		if (sid == 0)
6460 			goto abort_change;
6461 
6462 		/* Only allow single threaded processes to change context */
6463 		if (!current_is_single_threaded()) {
6464 			error = security_bounded_transition(tsec->sid, sid);
6465 			if (error)
6466 				goto abort_change;
6467 		}
6468 
6469 		/* Check permissions for the transition. */
6470 		error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6471 				     PROCESS__DYNTRANSITION, NULL);
6472 		if (error)
6473 			goto abort_change;
6474 
6475 		/* Check for ptracing, and update the task SID if ok.
6476 		   Otherwise, leave SID unchanged and fail. */
6477 		ptsid = ptrace_parent_sid();
6478 		if (ptsid != 0) {
6479 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6480 					     PROCESS__PTRACE, NULL);
6481 			if (error)
6482 				goto abort_change;
6483 		}
6484 
6485 		tsec->sid = sid;
6486 	} else {
6487 		error = -EINVAL;
6488 		goto abort_change;
6489 	}
6490 
6491 	commit_creds(new);
6492 	return size;
6493 
6494 abort_change:
6495 	abort_creds(new);
6496 	return error;
6497 }
6498 
6499 static int selinux_ismaclabel(const char *name)
6500 {
6501 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6502 }
6503 
6504 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6505 {
6506 	return security_sid_to_context(secid,
6507 				       secdata, seclen);
6508 }
6509 
6510 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6511 {
6512 	return security_context_to_sid(secdata, seclen,
6513 				       secid, GFP_KERNEL);
6514 }
6515 
6516 static void selinux_release_secctx(char *secdata, u32 seclen)
6517 {
6518 	kfree(secdata);
6519 }
6520 
6521 static void selinux_inode_invalidate_secctx(struct inode *inode)
6522 {
6523 	struct inode_security_struct *isec = selinux_inode(inode);
6524 
6525 	spin_lock(&isec->lock);
6526 	isec->initialized = LABEL_INVALID;
6527 	spin_unlock(&isec->lock);
6528 }
6529 
6530 /*
6531  *	called with inode->i_mutex locked
6532  */
6533 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6534 {
6535 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6536 					   ctx, ctxlen, 0);
6537 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6538 	return rc == -EOPNOTSUPP ? 0 : rc;
6539 }
6540 
6541 /*
6542  *	called with inode->i_mutex locked
6543  */
6544 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6545 {
6546 	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6547 				     ctx, ctxlen, 0);
6548 }
6549 
6550 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6551 {
6552 	int len = 0;
6553 	len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6554 					XATTR_SELINUX_SUFFIX, ctx, true);
6555 	if (len < 0)
6556 		return len;
6557 	*ctxlen = len;
6558 	return 0;
6559 }
6560 #ifdef CONFIG_KEYS
6561 
6562 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6563 			     unsigned long flags)
6564 {
6565 	const struct task_security_struct *tsec;
6566 	struct key_security_struct *ksec;
6567 
6568 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6569 	if (!ksec)
6570 		return -ENOMEM;
6571 
6572 	tsec = selinux_cred(cred);
6573 	if (tsec->keycreate_sid)
6574 		ksec->sid = tsec->keycreate_sid;
6575 	else
6576 		ksec->sid = tsec->sid;
6577 
6578 	k->security = ksec;
6579 	return 0;
6580 }
6581 
6582 static void selinux_key_free(struct key *k)
6583 {
6584 	struct key_security_struct *ksec = k->security;
6585 
6586 	k->security = NULL;
6587 	kfree(ksec);
6588 }
6589 
6590 static int selinux_key_permission(key_ref_t key_ref,
6591 				  const struct cred *cred,
6592 				  enum key_need_perm need_perm)
6593 {
6594 	struct key *key;
6595 	struct key_security_struct *ksec;
6596 	u32 perm, sid;
6597 
6598 	switch (need_perm) {
6599 	case KEY_NEED_VIEW:
6600 		perm = KEY__VIEW;
6601 		break;
6602 	case KEY_NEED_READ:
6603 		perm = KEY__READ;
6604 		break;
6605 	case KEY_NEED_WRITE:
6606 		perm = KEY__WRITE;
6607 		break;
6608 	case KEY_NEED_SEARCH:
6609 		perm = KEY__SEARCH;
6610 		break;
6611 	case KEY_NEED_LINK:
6612 		perm = KEY__LINK;
6613 		break;
6614 	case KEY_NEED_SETATTR:
6615 		perm = KEY__SETATTR;
6616 		break;
6617 	case KEY_NEED_UNLINK:
6618 	case KEY_SYSADMIN_OVERRIDE:
6619 	case KEY_AUTHTOKEN_OVERRIDE:
6620 	case KEY_DEFER_PERM_CHECK:
6621 		return 0;
6622 	default:
6623 		WARN_ON(1);
6624 		return -EPERM;
6625 
6626 	}
6627 
6628 	sid = cred_sid(cred);
6629 	key = key_ref_to_ptr(key_ref);
6630 	ksec = key->security;
6631 
6632 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6633 }
6634 
6635 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6636 {
6637 	struct key_security_struct *ksec = key->security;
6638 	char *context = NULL;
6639 	unsigned len;
6640 	int rc;
6641 
6642 	rc = security_sid_to_context(ksec->sid,
6643 				     &context, &len);
6644 	if (!rc)
6645 		rc = len;
6646 	*_buffer = context;
6647 	return rc;
6648 }
6649 
6650 #ifdef CONFIG_KEY_NOTIFICATIONS
6651 static int selinux_watch_key(struct key *key)
6652 {
6653 	struct key_security_struct *ksec = key->security;
6654 	u32 sid = current_sid();
6655 
6656 	return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6657 }
6658 #endif
6659 #endif
6660 
6661 #ifdef CONFIG_SECURITY_INFINIBAND
6662 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6663 {
6664 	struct common_audit_data ad;
6665 	int err;
6666 	u32 sid = 0;
6667 	struct ib_security_struct *sec = ib_sec;
6668 	struct lsm_ibpkey_audit ibpkey;
6669 
6670 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6671 	if (err)
6672 		return err;
6673 
6674 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6675 	ibpkey.subnet_prefix = subnet_prefix;
6676 	ibpkey.pkey = pkey_val;
6677 	ad.u.ibpkey = &ibpkey;
6678 	return avc_has_perm(sec->sid, sid,
6679 			    SECCLASS_INFINIBAND_PKEY,
6680 			    INFINIBAND_PKEY__ACCESS, &ad);
6681 }
6682 
6683 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6684 					    u8 port_num)
6685 {
6686 	struct common_audit_data ad;
6687 	int err;
6688 	u32 sid = 0;
6689 	struct ib_security_struct *sec = ib_sec;
6690 	struct lsm_ibendport_audit ibendport;
6691 
6692 	err = security_ib_endport_sid(dev_name, port_num,
6693 				      &sid);
6694 
6695 	if (err)
6696 		return err;
6697 
6698 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6699 	ibendport.dev_name = dev_name;
6700 	ibendport.port = port_num;
6701 	ad.u.ibendport = &ibendport;
6702 	return avc_has_perm(sec->sid, sid,
6703 			    SECCLASS_INFINIBAND_ENDPORT,
6704 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6705 }
6706 
6707 static int selinux_ib_alloc_security(void **ib_sec)
6708 {
6709 	struct ib_security_struct *sec;
6710 
6711 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6712 	if (!sec)
6713 		return -ENOMEM;
6714 	sec->sid = current_sid();
6715 
6716 	*ib_sec = sec;
6717 	return 0;
6718 }
6719 
6720 static void selinux_ib_free_security(void *ib_sec)
6721 {
6722 	kfree(ib_sec);
6723 }
6724 #endif
6725 
6726 #ifdef CONFIG_BPF_SYSCALL
6727 static int selinux_bpf(int cmd, union bpf_attr *attr,
6728 				     unsigned int size)
6729 {
6730 	u32 sid = current_sid();
6731 	int ret;
6732 
6733 	switch (cmd) {
6734 	case BPF_MAP_CREATE:
6735 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6736 				   NULL);
6737 		break;
6738 	case BPF_PROG_LOAD:
6739 		ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6740 				   NULL);
6741 		break;
6742 	default:
6743 		ret = 0;
6744 		break;
6745 	}
6746 
6747 	return ret;
6748 }
6749 
6750 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6751 {
6752 	u32 av = 0;
6753 
6754 	if (fmode & FMODE_READ)
6755 		av |= BPF__MAP_READ;
6756 	if (fmode & FMODE_WRITE)
6757 		av |= BPF__MAP_WRITE;
6758 	return av;
6759 }
6760 
6761 /* This function will check the file pass through unix socket or binder to see
6762  * if it is a bpf related object. And apply corresponding checks on the bpf
6763  * object based on the type. The bpf maps and programs, not like other files and
6764  * socket, are using a shared anonymous inode inside the kernel as their inode.
6765  * So checking that inode cannot identify if the process have privilege to
6766  * access the bpf object and that's why we have to add this additional check in
6767  * selinux_file_receive and selinux_binder_transfer_files.
6768  */
6769 static int bpf_fd_pass(const struct file *file, u32 sid)
6770 {
6771 	struct bpf_security_struct *bpfsec;
6772 	struct bpf_prog *prog;
6773 	struct bpf_map *map;
6774 	int ret;
6775 
6776 	if (file->f_op == &bpf_map_fops) {
6777 		map = file->private_data;
6778 		bpfsec = map->security;
6779 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6780 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6781 		if (ret)
6782 			return ret;
6783 	} else if (file->f_op == &bpf_prog_fops) {
6784 		prog = file->private_data;
6785 		bpfsec = prog->aux->security;
6786 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6787 				   BPF__PROG_RUN, NULL);
6788 		if (ret)
6789 			return ret;
6790 	}
6791 	return 0;
6792 }
6793 
6794 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6795 {
6796 	u32 sid = current_sid();
6797 	struct bpf_security_struct *bpfsec;
6798 
6799 	bpfsec = map->security;
6800 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6801 			    bpf_map_fmode_to_av(fmode), NULL);
6802 }
6803 
6804 static int selinux_bpf_prog(struct bpf_prog *prog)
6805 {
6806 	u32 sid = current_sid();
6807 	struct bpf_security_struct *bpfsec;
6808 
6809 	bpfsec = prog->aux->security;
6810 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6811 			    BPF__PROG_RUN, NULL);
6812 }
6813 
6814 static int selinux_bpf_map_alloc(struct bpf_map *map)
6815 {
6816 	struct bpf_security_struct *bpfsec;
6817 
6818 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6819 	if (!bpfsec)
6820 		return -ENOMEM;
6821 
6822 	bpfsec->sid = current_sid();
6823 	map->security = bpfsec;
6824 
6825 	return 0;
6826 }
6827 
6828 static void selinux_bpf_map_free(struct bpf_map *map)
6829 {
6830 	struct bpf_security_struct *bpfsec = map->security;
6831 
6832 	map->security = NULL;
6833 	kfree(bpfsec);
6834 }
6835 
6836 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6837 {
6838 	struct bpf_security_struct *bpfsec;
6839 
6840 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6841 	if (!bpfsec)
6842 		return -ENOMEM;
6843 
6844 	bpfsec->sid = current_sid();
6845 	aux->security = bpfsec;
6846 
6847 	return 0;
6848 }
6849 
6850 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6851 {
6852 	struct bpf_security_struct *bpfsec = aux->security;
6853 
6854 	aux->security = NULL;
6855 	kfree(bpfsec);
6856 }
6857 #endif
6858 
6859 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6860 	.lbs_cred = sizeof(struct task_security_struct),
6861 	.lbs_file = sizeof(struct file_security_struct),
6862 	.lbs_inode = sizeof(struct inode_security_struct),
6863 	.lbs_ipc = sizeof(struct ipc_security_struct),
6864 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6865 	.lbs_superblock = sizeof(struct superblock_security_struct),
6866 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6867 };
6868 
6869 #ifdef CONFIG_PERF_EVENTS
6870 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6871 {
6872 	u32 requested, sid = current_sid();
6873 
6874 	if (type == PERF_SECURITY_OPEN)
6875 		requested = PERF_EVENT__OPEN;
6876 	else if (type == PERF_SECURITY_CPU)
6877 		requested = PERF_EVENT__CPU;
6878 	else if (type == PERF_SECURITY_KERNEL)
6879 		requested = PERF_EVENT__KERNEL;
6880 	else if (type == PERF_SECURITY_TRACEPOINT)
6881 		requested = PERF_EVENT__TRACEPOINT;
6882 	else
6883 		return -EINVAL;
6884 
6885 	return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6886 			    requested, NULL);
6887 }
6888 
6889 static int selinux_perf_event_alloc(struct perf_event *event)
6890 {
6891 	struct perf_event_security_struct *perfsec;
6892 
6893 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6894 	if (!perfsec)
6895 		return -ENOMEM;
6896 
6897 	perfsec->sid = current_sid();
6898 	event->security = perfsec;
6899 
6900 	return 0;
6901 }
6902 
6903 static void selinux_perf_event_free(struct perf_event *event)
6904 {
6905 	struct perf_event_security_struct *perfsec = event->security;
6906 
6907 	event->security = NULL;
6908 	kfree(perfsec);
6909 }
6910 
6911 static int selinux_perf_event_read(struct perf_event *event)
6912 {
6913 	struct perf_event_security_struct *perfsec = event->security;
6914 	u32 sid = current_sid();
6915 
6916 	return avc_has_perm(sid, perfsec->sid,
6917 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6918 }
6919 
6920 static int selinux_perf_event_write(struct perf_event *event)
6921 {
6922 	struct perf_event_security_struct *perfsec = event->security;
6923 	u32 sid = current_sid();
6924 
6925 	return avc_has_perm(sid, perfsec->sid,
6926 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6927 }
6928 #endif
6929 
6930 #ifdef CONFIG_IO_URING
6931 /**
6932  * selinux_uring_override_creds - check the requested cred override
6933  * @new: the target creds
6934  *
6935  * Check to see if the current task is allowed to override it's credentials
6936  * to service an io_uring operation.
6937  */
6938 static int selinux_uring_override_creds(const struct cred *new)
6939 {
6940 	return avc_has_perm(current_sid(), cred_sid(new),
6941 			    SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6942 }
6943 
6944 /**
6945  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6946  *
6947  * Check to see if the current task is allowed to create a new io_uring
6948  * kernel polling thread.
6949  */
6950 static int selinux_uring_sqpoll(void)
6951 {
6952 	u32 sid = current_sid();
6953 
6954 	return avc_has_perm(sid, sid,
6955 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6956 }
6957 
6958 /**
6959  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6960  * @ioucmd: the io_uring command structure
6961  *
6962  * Check to see if the current domain is allowed to execute an
6963  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6964  *
6965  */
6966 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6967 {
6968 	struct file *file = ioucmd->file;
6969 	struct inode *inode = file_inode(file);
6970 	struct inode_security_struct *isec = selinux_inode(inode);
6971 	struct common_audit_data ad;
6972 
6973 	ad.type = LSM_AUDIT_DATA_FILE;
6974 	ad.u.file = file;
6975 
6976 	return avc_has_perm(current_sid(), isec->sid,
6977 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
6978 }
6979 #endif /* CONFIG_IO_URING */
6980 
6981 /*
6982  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6983  * 1. any hooks that don't belong to (2.) or (3.) below,
6984  * 2. hooks that both access structures allocated by other hooks, and allocate
6985  *    structures that can be later accessed by other hooks (mostly "cloning"
6986  *    hooks),
6987  * 3. hooks that only allocate structures that can be later accessed by other
6988  *    hooks ("allocating" hooks).
6989  *
6990  * Please follow block comment delimiters in the list to keep this order.
6991  */
6992 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6993 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6994 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6995 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6996 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6997 
6998 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6999 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7000 	LSM_HOOK_INIT(capget, selinux_capget),
7001 	LSM_HOOK_INIT(capset, selinux_capset),
7002 	LSM_HOOK_INIT(capable, selinux_capable),
7003 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
7004 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
7005 	LSM_HOOK_INIT(syslog, selinux_syslog),
7006 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7007 
7008 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7009 
7010 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7011 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7012 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7013 
7014 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7015 	LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7016 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7017 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7018 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7019 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7020 	LSM_HOOK_INIT(sb_mount, selinux_mount),
7021 	LSM_HOOK_INIT(sb_umount, selinux_umount),
7022 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7023 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7024 
7025 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
7026 
7027 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7028 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7029 
7030 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7031 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7032 	LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7033 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7034 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7035 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7036 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7037 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7038 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7039 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7040 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7041 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7042 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7043 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7044 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7045 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7046 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7047 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7048 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7049 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7050 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7051 	LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7052 	LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7053 	LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7054 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7055 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7056 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7057 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7058 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7059 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7060 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7061 
7062 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7063 
7064 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7065 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7066 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7067 	LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7068 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7069 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7070 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7071 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7072 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7073 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7074 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7075 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7076 
7077 	LSM_HOOK_INIT(file_open, selinux_file_open),
7078 
7079 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7080 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7081 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7082 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7083 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7084 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7085 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7086 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7087 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7088 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7089 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7090 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7091 	LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7092 	LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7093 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7094 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7095 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7096 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7097 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7098 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7099 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7100 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7101 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7102 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7103 	LSM_HOOK_INIT(userns_create, selinux_userns_create),
7104 
7105 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7106 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7107 
7108 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7109 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7110 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7111 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7112 
7113 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7114 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7115 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7116 
7117 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7118 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7119 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7120 
7121 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7122 
7123 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7124 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7125 
7126 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7127 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7128 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7129 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7130 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7131 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7132 
7133 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7134 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7135 
7136 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7137 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7138 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7139 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7140 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7141 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7142 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7143 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7144 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7145 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7146 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7147 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7148 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7149 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7150 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7151 	LSM_HOOK_INIT(socket_getpeersec_stream,
7152 			selinux_socket_getpeersec_stream),
7153 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7154 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7155 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7156 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7157 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7158 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7159 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7160 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7161 	LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7162 	LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7163 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7164 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7165 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7166 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7167 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7168 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7169 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7170 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7171 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7172 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7173 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7174 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7175 #ifdef CONFIG_SECURITY_INFINIBAND
7176 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7177 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7178 		      selinux_ib_endport_manage_subnet),
7179 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7180 #endif
7181 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7182 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7183 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7184 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7185 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7186 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7187 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7188 			selinux_xfrm_state_pol_flow_match),
7189 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7190 #endif
7191 
7192 #ifdef CONFIG_KEYS
7193 	LSM_HOOK_INIT(key_free, selinux_key_free),
7194 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7195 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7196 #ifdef CONFIG_KEY_NOTIFICATIONS
7197 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7198 #endif
7199 #endif
7200 
7201 #ifdef CONFIG_AUDIT
7202 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7203 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7204 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7205 #endif
7206 
7207 #ifdef CONFIG_BPF_SYSCALL
7208 	LSM_HOOK_INIT(bpf, selinux_bpf),
7209 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7210 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7211 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7212 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7213 #endif
7214 
7215 #ifdef CONFIG_PERF_EVENTS
7216 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7217 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7218 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7219 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7220 #endif
7221 
7222 #ifdef CONFIG_IO_URING
7223 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7224 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7225 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7226 #endif
7227 
7228 	/*
7229 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7230 	 */
7231 	LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7232 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7233 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7234 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7235 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7236 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7237 #endif
7238 
7239 	/*
7240 	 * PUT "ALLOCATING" HOOKS HERE
7241 	 */
7242 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7243 	LSM_HOOK_INIT(msg_queue_alloc_security,
7244 		      selinux_msg_queue_alloc_security),
7245 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7246 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7247 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7248 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7249 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7250 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7251 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7252 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7253 #ifdef CONFIG_SECURITY_INFINIBAND
7254 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7255 #endif
7256 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7257 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7258 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7259 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7260 		      selinux_xfrm_state_alloc_acquire),
7261 #endif
7262 #ifdef CONFIG_KEYS
7263 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7264 #endif
7265 #ifdef CONFIG_AUDIT
7266 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7267 #endif
7268 #ifdef CONFIG_BPF_SYSCALL
7269 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7270 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7271 #endif
7272 #ifdef CONFIG_PERF_EVENTS
7273 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7274 #endif
7275 };
7276 
7277 static __init int selinux_init(void)
7278 {
7279 	pr_info("SELinux:  Initializing.\n");
7280 
7281 	memset(&selinux_state, 0, sizeof(selinux_state));
7282 	enforcing_set(selinux_enforcing_boot);
7283 	selinux_avc_init();
7284 	mutex_init(&selinux_state.status_lock);
7285 	mutex_init(&selinux_state.policy_mutex);
7286 
7287 	/* Set the security state for the initial task. */
7288 	cred_init_security();
7289 
7290 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7291 	if (!default_noexec)
7292 		pr_notice("SELinux:  virtual memory is executable by default\n");
7293 
7294 	avc_init();
7295 
7296 	avtab_cache_init();
7297 
7298 	ebitmap_cache_init();
7299 
7300 	hashtab_cache_init();
7301 
7302 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7303 
7304 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7305 		panic("SELinux: Unable to register AVC netcache callback\n");
7306 
7307 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7308 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7309 
7310 	if (selinux_enforcing_boot)
7311 		pr_debug("SELinux:  Starting in enforcing mode\n");
7312 	else
7313 		pr_debug("SELinux:  Starting in permissive mode\n");
7314 
7315 	fs_validate_description("selinux", selinux_fs_parameters);
7316 
7317 	return 0;
7318 }
7319 
7320 static void delayed_superblock_init(struct super_block *sb, void *unused)
7321 {
7322 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7323 }
7324 
7325 void selinux_complete_init(void)
7326 {
7327 	pr_debug("SELinux:  Completing initialization.\n");
7328 
7329 	/* Set up any superblocks initialized prior to the policy load. */
7330 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7331 	iterate_supers(delayed_superblock_init, NULL);
7332 }
7333 
7334 /* SELinux requires early initialization in order to label
7335    all processes and objects when they are created. */
7336 DEFINE_LSM(selinux) = {
7337 	.name = "selinux",
7338 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7339 	.enabled = &selinux_enabled_boot,
7340 	.blobs = &selinux_blob_sizes,
7341 	.init = selinux_init,
7342 };
7343 
7344 #if defined(CONFIG_NETFILTER)
7345 static const struct nf_hook_ops selinux_nf_ops[] = {
7346 	{
7347 		.hook =		selinux_ip_postroute,
7348 		.pf =		NFPROTO_IPV4,
7349 		.hooknum =	NF_INET_POST_ROUTING,
7350 		.priority =	NF_IP_PRI_SELINUX_LAST,
7351 	},
7352 	{
7353 		.hook =		selinux_ip_forward,
7354 		.pf =		NFPROTO_IPV4,
7355 		.hooknum =	NF_INET_FORWARD,
7356 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7357 	},
7358 	{
7359 		.hook =		selinux_ip_output,
7360 		.pf =		NFPROTO_IPV4,
7361 		.hooknum =	NF_INET_LOCAL_OUT,
7362 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7363 	},
7364 #if IS_ENABLED(CONFIG_IPV6)
7365 	{
7366 		.hook =		selinux_ip_postroute,
7367 		.pf =		NFPROTO_IPV6,
7368 		.hooknum =	NF_INET_POST_ROUTING,
7369 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7370 	},
7371 	{
7372 		.hook =		selinux_ip_forward,
7373 		.pf =		NFPROTO_IPV6,
7374 		.hooknum =	NF_INET_FORWARD,
7375 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7376 	},
7377 	{
7378 		.hook =		selinux_ip_output,
7379 		.pf =		NFPROTO_IPV6,
7380 		.hooknum =	NF_INET_LOCAL_OUT,
7381 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7382 	},
7383 #endif	/* IPV6 */
7384 };
7385 
7386 static int __net_init selinux_nf_register(struct net *net)
7387 {
7388 	return nf_register_net_hooks(net, selinux_nf_ops,
7389 				     ARRAY_SIZE(selinux_nf_ops));
7390 }
7391 
7392 static void __net_exit selinux_nf_unregister(struct net *net)
7393 {
7394 	nf_unregister_net_hooks(net, selinux_nf_ops,
7395 				ARRAY_SIZE(selinux_nf_ops));
7396 }
7397 
7398 static struct pernet_operations selinux_net_ops = {
7399 	.init = selinux_nf_register,
7400 	.exit = selinux_nf_unregister,
7401 };
7402 
7403 static int __init selinux_nf_ip_init(void)
7404 {
7405 	int err;
7406 
7407 	if (!selinux_enabled_boot)
7408 		return 0;
7409 
7410 	pr_debug("SELinux:  Registering netfilter hooks\n");
7411 
7412 	err = register_pernet_subsys(&selinux_net_ops);
7413 	if (err)
7414 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7415 
7416 	return 0;
7417 }
7418 __initcall(selinux_nf_ip_init);
7419 #endif /* CONFIG_NETFILTER */
7420