xref: /openbmc/linux/security/selinux/hooks.c (revision f97769fd)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *	      Chris Vance, <cvance@nai.com>
9  *	      Wayne Salamon, <wsalamon@nai.com>
10  *	      James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *					   Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *			    <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *	Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *		       Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23 
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>		/* for local_port_range[] */
55 #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>	/* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>		/* for Unix socket types */
73 #include <net/af_unix.h>	/* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>	/* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105 
106 struct selinux_state selinux_state;
107 
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110 
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot __initdata;
113 
114 static int __init enforcing_setup(char *str)
115 {
116 	unsigned long enforcing;
117 	if (!kstrtoul(str, 0, &enforcing))
118 		selinux_enforcing_boot = enforcing ? 1 : 0;
119 	return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125 
126 int selinux_enabled_boot __initdata = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 	unsigned long enabled;
131 	if (!kstrtoul(str, 0, &enabled))
132 		selinux_enabled_boot = enabled ? 1 : 0;
133 	return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137 
138 static unsigned int selinux_checkreqprot_boot =
139 	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140 
141 static int __init checkreqprot_setup(char *str)
142 {
143 	unsigned long checkreqprot;
144 
145 	if (!kstrtoul(str, 0, &checkreqprot)) {
146 		selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 		if (checkreqprot)
148 			pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
149 	}
150 	return 1;
151 }
152 __setup("checkreqprot=", checkreqprot_setup);
153 
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167 	return (selinux_policycap_alwaysnetwork() ||
168 		atomic_read(&selinux_secmark_refcount));
169 }
170 
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183 	return (selinux_policycap_alwaysnetwork() ||
184 		netlbl_enabled() || selinux_xfrm_enabled());
185 }
186 
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 	if (event == AVC_CALLBACK_RESET) {
190 		sel_netif_flush();
191 		sel_netnode_flush();
192 		sel_netport_flush();
193 		synchronize_net();
194 	}
195 	return 0;
196 }
197 
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 	if (event == AVC_CALLBACK_RESET) {
201 		sel_ib_pkey_flush();
202 		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 	}
204 
205 	return 0;
206 }
207 
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213 	struct cred *cred = (struct cred *) current->real_cred;
214 	struct task_security_struct *tsec;
215 
216 	tsec = selinux_cred(cred);
217 	tsec->osid = tsec->sid = SECINITSID_KERNEL;
218 }
219 
220 /*
221  * get the security ID of a set of credentials
222  */
223 static inline u32 cred_sid(const struct cred *cred)
224 {
225 	const struct task_security_struct *tsec;
226 
227 	tsec = selinux_cred(cred);
228 	return tsec->sid;
229 }
230 
231 /*
232  * get the objective security ID of a task
233  */
234 static inline u32 task_sid(const struct task_struct *task)
235 {
236 	u32 sid;
237 
238 	rcu_read_lock();
239 	sid = cred_sid(__task_cred(task));
240 	rcu_read_unlock();
241 	return sid;
242 }
243 
244 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
245 
246 /*
247  * Try reloading inode security labels that have been marked as invalid.  The
248  * @may_sleep parameter indicates when sleeping and thus reloading labels is
249  * allowed; when set to false, returns -ECHILD when the label is
250  * invalid.  The @dentry parameter should be set to a dentry of the inode.
251  */
252 static int __inode_security_revalidate(struct inode *inode,
253 				       struct dentry *dentry,
254 				       bool may_sleep)
255 {
256 	struct inode_security_struct *isec = selinux_inode(inode);
257 
258 	might_sleep_if(may_sleep);
259 
260 	if (selinux_initialized(&selinux_state) &&
261 	    isec->initialized != LABEL_INITIALIZED) {
262 		if (!may_sleep)
263 			return -ECHILD;
264 
265 		/*
266 		 * Try reloading the inode security label.  This will fail if
267 		 * @opt_dentry is NULL and no dentry for this inode can be
268 		 * found; in that case, continue using the old label.
269 		 */
270 		inode_doinit_with_dentry(inode, dentry);
271 	}
272 	return 0;
273 }
274 
275 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276 {
277 	return selinux_inode(inode);
278 }
279 
280 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
281 {
282 	int error;
283 
284 	error = __inode_security_revalidate(inode, NULL, !rcu);
285 	if (error)
286 		return ERR_PTR(error);
287 	return selinux_inode(inode);
288 }
289 
290 /*
291  * Get the security label of an inode.
292  */
293 static struct inode_security_struct *inode_security(struct inode *inode)
294 {
295 	__inode_security_revalidate(inode, NULL, true);
296 	return selinux_inode(inode);
297 }
298 
299 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300 {
301 	struct inode *inode = d_backing_inode(dentry);
302 
303 	return selinux_inode(inode);
304 }
305 
306 /*
307  * Get the security label of a dentry's backing inode.
308  */
309 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310 {
311 	struct inode *inode = d_backing_inode(dentry);
312 
313 	__inode_security_revalidate(inode, dentry, true);
314 	return selinux_inode(inode);
315 }
316 
317 static void inode_free_security(struct inode *inode)
318 {
319 	struct inode_security_struct *isec = selinux_inode(inode);
320 	struct superblock_security_struct *sbsec;
321 
322 	if (!isec)
323 		return;
324 	sbsec = inode->i_sb->s_security;
325 	/*
326 	 * As not all inode security structures are in a list, we check for
327 	 * empty list outside of the lock to make sure that we won't waste
328 	 * time taking a lock doing nothing.
329 	 *
330 	 * The list_del_init() function can be safely called more than once.
331 	 * It should not be possible for this function to be called with
332 	 * concurrent list_add(), but for better safety against future changes
333 	 * in the code, we use list_empty_careful() here.
334 	 */
335 	if (!list_empty_careful(&isec->list)) {
336 		spin_lock(&sbsec->isec_lock);
337 		list_del_init(&isec->list);
338 		spin_unlock(&sbsec->isec_lock);
339 	}
340 }
341 
342 static void superblock_free_security(struct super_block *sb)
343 {
344 	struct superblock_security_struct *sbsec = sb->s_security;
345 	sb->s_security = NULL;
346 	kfree(sbsec);
347 }
348 
349 struct selinux_mnt_opts {
350 	const char *fscontext, *context, *rootcontext, *defcontext;
351 };
352 
353 static void selinux_free_mnt_opts(void *mnt_opts)
354 {
355 	struct selinux_mnt_opts *opts = mnt_opts;
356 	kfree(opts->fscontext);
357 	kfree(opts->context);
358 	kfree(opts->rootcontext);
359 	kfree(opts->defcontext);
360 	kfree(opts);
361 }
362 
363 enum {
364 	Opt_error = -1,
365 	Opt_context = 0,
366 	Opt_defcontext = 1,
367 	Opt_fscontext = 2,
368 	Opt_rootcontext = 3,
369 	Opt_seclabel = 4,
370 };
371 
372 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
373 static struct {
374 	const char *name;
375 	int len;
376 	int opt;
377 	bool has_arg;
378 } tokens[] = {
379 	A(context, true),
380 	A(fscontext, true),
381 	A(defcontext, true),
382 	A(rootcontext, true),
383 	A(seclabel, false),
384 };
385 #undef A
386 
387 static int match_opt_prefix(char *s, int l, char **arg)
388 {
389 	int i;
390 
391 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
392 		size_t len = tokens[i].len;
393 		if (len > l || memcmp(s, tokens[i].name, len))
394 			continue;
395 		if (tokens[i].has_arg) {
396 			if (len == l || s[len] != '=')
397 				continue;
398 			*arg = s + len + 1;
399 		} else if (len != l)
400 			continue;
401 		return tokens[i].opt;
402 	}
403 	return Opt_error;
404 }
405 
406 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
407 
408 static int may_context_mount_sb_relabel(u32 sid,
409 			struct superblock_security_struct *sbsec,
410 			const struct cred *cred)
411 {
412 	const struct task_security_struct *tsec = selinux_cred(cred);
413 	int rc;
414 
415 	rc = avc_has_perm(&selinux_state,
416 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
417 			  FILESYSTEM__RELABELFROM, NULL);
418 	if (rc)
419 		return rc;
420 
421 	rc = avc_has_perm(&selinux_state,
422 			  tsec->sid, sid, SECCLASS_FILESYSTEM,
423 			  FILESYSTEM__RELABELTO, NULL);
424 	return rc;
425 }
426 
427 static int may_context_mount_inode_relabel(u32 sid,
428 			struct superblock_security_struct *sbsec,
429 			const struct cred *cred)
430 {
431 	const struct task_security_struct *tsec = selinux_cred(cred);
432 	int rc;
433 	rc = avc_has_perm(&selinux_state,
434 			  tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
435 			  FILESYSTEM__RELABELFROM, NULL);
436 	if (rc)
437 		return rc;
438 
439 	rc = avc_has_perm(&selinux_state,
440 			  sid, sbsec->sid, SECCLASS_FILESYSTEM,
441 			  FILESYSTEM__ASSOCIATE, NULL);
442 	return rc;
443 }
444 
445 static int selinux_is_genfs_special_handling(struct super_block *sb)
446 {
447 	/* Special handling. Genfs but also in-core setxattr handler */
448 	return	!strcmp(sb->s_type->name, "sysfs") ||
449 		!strcmp(sb->s_type->name, "pstore") ||
450 		!strcmp(sb->s_type->name, "debugfs") ||
451 		!strcmp(sb->s_type->name, "tracefs") ||
452 		!strcmp(sb->s_type->name, "rootfs") ||
453 		(selinux_policycap_cgroupseclabel() &&
454 		 (!strcmp(sb->s_type->name, "cgroup") ||
455 		  !strcmp(sb->s_type->name, "cgroup2")));
456 }
457 
458 static int selinux_is_sblabel_mnt(struct super_block *sb)
459 {
460 	struct superblock_security_struct *sbsec = sb->s_security;
461 
462 	/*
463 	 * IMPORTANT: Double-check logic in this function when adding a new
464 	 * SECURITY_FS_USE_* definition!
465 	 */
466 	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
467 
468 	switch (sbsec->behavior) {
469 	case SECURITY_FS_USE_XATTR:
470 	case SECURITY_FS_USE_TRANS:
471 	case SECURITY_FS_USE_TASK:
472 	case SECURITY_FS_USE_NATIVE:
473 		return 1;
474 
475 	case SECURITY_FS_USE_GENFS:
476 		return selinux_is_genfs_special_handling(sb);
477 
478 	/* Never allow relabeling on context mounts */
479 	case SECURITY_FS_USE_MNTPOINT:
480 	case SECURITY_FS_USE_NONE:
481 	default:
482 		return 0;
483 	}
484 }
485 
486 static int sb_finish_set_opts(struct super_block *sb)
487 {
488 	struct superblock_security_struct *sbsec = sb->s_security;
489 	struct dentry *root = sb->s_root;
490 	struct inode *root_inode = d_backing_inode(root);
491 	int rc = 0;
492 
493 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
494 		/* Make sure that the xattr handler exists and that no
495 		   error other than -ENODATA is returned by getxattr on
496 		   the root directory.  -ENODATA is ok, as this may be
497 		   the first boot of the SELinux kernel before we have
498 		   assigned xattr values to the filesystem. */
499 		if (!(root_inode->i_opflags & IOP_XATTR)) {
500 			pr_warn("SELinux: (dev %s, type %s) has no "
501 			       "xattr support\n", sb->s_id, sb->s_type->name);
502 			rc = -EOPNOTSUPP;
503 			goto out;
504 		}
505 
506 		rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
507 		if (rc < 0 && rc != -ENODATA) {
508 			if (rc == -EOPNOTSUPP)
509 				pr_warn("SELinux: (dev %s, type "
510 				       "%s) has no security xattr handler\n",
511 				       sb->s_id, sb->s_type->name);
512 			else
513 				pr_warn("SELinux: (dev %s, type "
514 				       "%s) getxattr errno %d\n", sb->s_id,
515 				       sb->s_type->name, -rc);
516 			goto out;
517 		}
518 	}
519 
520 	sbsec->flags |= SE_SBINITIALIZED;
521 
522 	/*
523 	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
524 	 * leave the flag untouched because sb_clone_mnt_opts might be handing
525 	 * us a superblock that needs the flag to be cleared.
526 	 */
527 	if (selinux_is_sblabel_mnt(sb))
528 		sbsec->flags |= SBLABEL_MNT;
529 	else
530 		sbsec->flags &= ~SBLABEL_MNT;
531 
532 	/* Initialize the root inode. */
533 	rc = inode_doinit_with_dentry(root_inode, root);
534 
535 	/* Initialize any other inodes associated with the superblock, e.g.
536 	   inodes created prior to initial policy load or inodes created
537 	   during get_sb by a pseudo filesystem that directly
538 	   populates itself. */
539 	spin_lock(&sbsec->isec_lock);
540 	while (!list_empty(&sbsec->isec_head)) {
541 		struct inode_security_struct *isec =
542 				list_first_entry(&sbsec->isec_head,
543 					   struct inode_security_struct, list);
544 		struct inode *inode = isec->inode;
545 		list_del_init(&isec->list);
546 		spin_unlock(&sbsec->isec_lock);
547 		inode = igrab(inode);
548 		if (inode) {
549 			if (!IS_PRIVATE(inode))
550 				inode_doinit_with_dentry(inode, NULL);
551 			iput(inode);
552 		}
553 		spin_lock(&sbsec->isec_lock);
554 	}
555 	spin_unlock(&sbsec->isec_lock);
556 out:
557 	return rc;
558 }
559 
560 static int bad_option(struct superblock_security_struct *sbsec, char flag,
561 		      u32 old_sid, u32 new_sid)
562 {
563 	char mnt_flags = sbsec->flags & SE_MNTMASK;
564 
565 	/* check if the old mount command had the same options */
566 	if (sbsec->flags & SE_SBINITIALIZED)
567 		if (!(sbsec->flags & flag) ||
568 		    (old_sid != new_sid))
569 			return 1;
570 
571 	/* check if we were passed the same options twice,
572 	 * aka someone passed context=a,context=b
573 	 */
574 	if (!(sbsec->flags & SE_SBINITIALIZED))
575 		if (mnt_flags & flag)
576 			return 1;
577 	return 0;
578 }
579 
580 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
581 {
582 	int rc = security_context_str_to_sid(&selinux_state, s,
583 					     sid, GFP_KERNEL);
584 	if (rc)
585 		pr_warn("SELinux: security_context_str_to_sid"
586 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
587 		       s, sb->s_id, sb->s_type->name, rc);
588 	return rc;
589 }
590 
591 /*
592  * Allow filesystems with binary mount data to explicitly set mount point
593  * labeling information.
594  */
595 static int selinux_set_mnt_opts(struct super_block *sb,
596 				void *mnt_opts,
597 				unsigned long kern_flags,
598 				unsigned long *set_kern_flags)
599 {
600 	const struct cred *cred = current_cred();
601 	struct superblock_security_struct *sbsec = sb->s_security;
602 	struct dentry *root = sbsec->sb->s_root;
603 	struct selinux_mnt_opts *opts = mnt_opts;
604 	struct inode_security_struct *root_isec;
605 	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
606 	u32 defcontext_sid = 0;
607 	int rc = 0;
608 
609 	mutex_lock(&sbsec->lock);
610 
611 	if (!selinux_initialized(&selinux_state)) {
612 		if (!opts) {
613 			/* Defer initialization until selinux_complete_init,
614 			   after the initial policy is loaded and the security
615 			   server is ready to handle calls. */
616 			goto out;
617 		}
618 		rc = -EINVAL;
619 		pr_warn("SELinux: Unable to set superblock options "
620 			"before the security server is initialized\n");
621 		goto out;
622 	}
623 	if (kern_flags && !set_kern_flags) {
624 		/* Specifying internal flags without providing a place to
625 		 * place the results is not allowed */
626 		rc = -EINVAL;
627 		goto out;
628 	}
629 
630 	/*
631 	 * Binary mount data FS will come through this function twice.  Once
632 	 * from an explicit call and once from the generic calls from the vfs.
633 	 * Since the generic VFS calls will not contain any security mount data
634 	 * we need to skip the double mount verification.
635 	 *
636 	 * This does open a hole in which we will not notice if the first
637 	 * mount using this sb set explict options and a second mount using
638 	 * this sb does not set any security options.  (The first options
639 	 * will be used for both mounts)
640 	 */
641 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
642 	    && !opts)
643 		goto out;
644 
645 	root_isec = backing_inode_security_novalidate(root);
646 
647 	/*
648 	 * parse the mount options, check if they are valid sids.
649 	 * also check if someone is trying to mount the same sb more
650 	 * than once with different security options.
651 	 */
652 	if (opts) {
653 		if (opts->fscontext) {
654 			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
655 			if (rc)
656 				goto out;
657 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
658 					fscontext_sid))
659 				goto out_double_mount;
660 			sbsec->flags |= FSCONTEXT_MNT;
661 		}
662 		if (opts->context) {
663 			rc = parse_sid(sb, opts->context, &context_sid);
664 			if (rc)
665 				goto out;
666 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
667 					context_sid))
668 				goto out_double_mount;
669 			sbsec->flags |= CONTEXT_MNT;
670 		}
671 		if (opts->rootcontext) {
672 			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
673 			if (rc)
674 				goto out;
675 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
676 					rootcontext_sid))
677 				goto out_double_mount;
678 			sbsec->flags |= ROOTCONTEXT_MNT;
679 		}
680 		if (opts->defcontext) {
681 			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
682 			if (rc)
683 				goto out;
684 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
685 					defcontext_sid))
686 				goto out_double_mount;
687 			sbsec->flags |= DEFCONTEXT_MNT;
688 		}
689 	}
690 
691 	if (sbsec->flags & SE_SBINITIALIZED) {
692 		/* previously mounted with options, but not on this attempt? */
693 		if ((sbsec->flags & SE_MNTMASK) && !opts)
694 			goto out_double_mount;
695 		rc = 0;
696 		goto out;
697 	}
698 
699 	if (strcmp(sb->s_type->name, "proc") == 0)
700 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
701 
702 	if (!strcmp(sb->s_type->name, "debugfs") ||
703 	    !strcmp(sb->s_type->name, "tracefs") ||
704 	    !strcmp(sb->s_type->name, "binder") ||
705 	    !strcmp(sb->s_type->name, "bpf") ||
706 	    !strcmp(sb->s_type->name, "pstore"))
707 		sbsec->flags |= SE_SBGENFS;
708 
709 	if (!strcmp(sb->s_type->name, "sysfs") ||
710 	    !strcmp(sb->s_type->name, "cgroup") ||
711 	    !strcmp(sb->s_type->name, "cgroup2"))
712 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
713 
714 	if (!sbsec->behavior) {
715 		/*
716 		 * Determine the labeling behavior to use for this
717 		 * filesystem type.
718 		 */
719 		rc = security_fs_use(&selinux_state, sb);
720 		if (rc) {
721 			pr_warn("%s: security_fs_use(%s) returned %d\n",
722 					__func__, sb->s_type->name, rc);
723 			goto out;
724 		}
725 	}
726 
727 	/*
728 	 * If this is a user namespace mount and the filesystem type is not
729 	 * explicitly whitelisted, then no contexts are allowed on the command
730 	 * line and security labels must be ignored.
731 	 */
732 	if (sb->s_user_ns != &init_user_ns &&
733 	    strcmp(sb->s_type->name, "tmpfs") &&
734 	    strcmp(sb->s_type->name, "ramfs") &&
735 	    strcmp(sb->s_type->name, "devpts")) {
736 		if (context_sid || fscontext_sid || rootcontext_sid ||
737 		    defcontext_sid) {
738 			rc = -EACCES;
739 			goto out;
740 		}
741 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
742 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
743 			rc = security_transition_sid(&selinux_state,
744 						     current_sid(),
745 						     current_sid(),
746 						     SECCLASS_FILE, NULL,
747 						     &sbsec->mntpoint_sid);
748 			if (rc)
749 				goto out;
750 		}
751 		goto out_set_opts;
752 	}
753 
754 	/* sets the context of the superblock for the fs being mounted. */
755 	if (fscontext_sid) {
756 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
757 		if (rc)
758 			goto out;
759 
760 		sbsec->sid = fscontext_sid;
761 	}
762 
763 	/*
764 	 * Switch to using mount point labeling behavior.
765 	 * sets the label used on all file below the mountpoint, and will set
766 	 * the superblock context if not already set.
767 	 */
768 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
769 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
770 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
771 	}
772 
773 	if (context_sid) {
774 		if (!fscontext_sid) {
775 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
776 							  cred);
777 			if (rc)
778 				goto out;
779 			sbsec->sid = context_sid;
780 		} else {
781 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
782 							     cred);
783 			if (rc)
784 				goto out;
785 		}
786 		if (!rootcontext_sid)
787 			rootcontext_sid = context_sid;
788 
789 		sbsec->mntpoint_sid = context_sid;
790 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
791 	}
792 
793 	if (rootcontext_sid) {
794 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
795 						     cred);
796 		if (rc)
797 			goto out;
798 
799 		root_isec->sid = rootcontext_sid;
800 		root_isec->initialized = LABEL_INITIALIZED;
801 	}
802 
803 	if (defcontext_sid) {
804 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
805 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
806 			rc = -EINVAL;
807 			pr_warn("SELinux: defcontext option is "
808 			       "invalid for this filesystem type\n");
809 			goto out;
810 		}
811 
812 		if (defcontext_sid != sbsec->def_sid) {
813 			rc = may_context_mount_inode_relabel(defcontext_sid,
814 							     sbsec, cred);
815 			if (rc)
816 				goto out;
817 		}
818 
819 		sbsec->def_sid = defcontext_sid;
820 	}
821 
822 out_set_opts:
823 	rc = sb_finish_set_opts(sb);
824 out:
825 	mutex_unlock(&sbsec->lock);
826 	return rc;
827 out_double_mount:
828 	rc = -EINVAL;
829 	pr_warn("SELinux: mount invalid.  Same superblock, different "
830 	       "security settings for (dev %s, type %s)\n", sb->s_id,
831 	       sb->s_type->name);
832 	goto out;
833 }
834 
835 static int selinux_cmp_sb_context(const struct super_block *oldsb,
836 				    const struct super_block *newsb)
837 {
838 	struct superblock_security_struct *old = oldsb->s_security;
839 	struct superblock_security_struct *new = newsb->s_security;
840 	char oldflags = old->flags & SE_MNTMASK;
841 	char newflags = new->flags & SE_MNTMASK;
842 
843 	if (oldflags != newflags)
844 		goto mismatch;
845 	if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
846 		goto mismatch;
847 	if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
848 		goto mismatch;
849 	if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
850 		goto mismatch;
851 	if (oldflags & ROOTCONTEXT_MNT) {
852 		struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
853 		struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
854 		if (oldroot->sid != newroot->sid)
855 			goto mismatch;
856 	}
857 	return 0;
858 mismatch:
859 	pr_warn("SELinux: mount invalid.  Same superblock, "
860 			    "different security settings for (dev %s, "
861 			    "type %s)\n", newsb->s_id, newsb->s_type->name);
862 	return -EBUSY;
863 }
864 
865 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
866 					struct super_block *newsb,
867 					unsigned long kern_flags,
868 					unsigned long *set_kern_flags)
869 {
870 	int rc = 0;
871 	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
872 	struct superblock_security_struct *newsbsec = newsb->s_security;
873 
874 	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
875 	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
876 	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);
877 
878 	/*
879 	 * if the parent was able to be mounted it clearly had no special lsm
880 	 * mount options.  thus we can safely deal with this superblock later
881 	 */
882 	if (!selinux_initialized(&selinux_state))
883 		return 0;
884 
885 	/*
886 	 * Specifying internal flags without providing a place to
887 	 * place the results is not allowed.
888 	 */
889 	if (kern_flags && !set_kern_flags)
890 		return -EINVAL;
891 
892 	/* how can we clone if the old one wasn't set up?? */
893 	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
894 
895 	/* if fs is reusing a sb, make sure that the contexts match */
896 	if (newsbsec->flags & SE_SBINITIALIZED) {
897 		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
898 			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
899 		return selinux_cmp_sb_context(oldsb, newsb);
900 	}
901 
902 	mutex_lock(&newsbsec->lock);
903 
904 	newsbsec->flags = oldsbsec->flags;
905 
906 	newsbsec->sid = oldsbsec->sid;
907 	newsbsec->def_sid = oldsbsec->def_sid;
908 	newsbsec->behavior = oldsbsec->behavior;
909 
910 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
911 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
912 		rc = security_fs_use(&selinux_state, newsb);
913 		if (rc)
914 			goto out;
915 	}
916 
917 	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
918 		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
919 		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
920 	}
921 
922 	if (set_context) {
923 		u32 sid = oldsbsec->mntpoint_sid;
924 
925 		if (!set_fscontext)
926 			newsbsec->sid = sid;
927 		if (!set_rootcontext) {
928 			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
929 			newisec->sid = sid;
930 		}
931 		newsbsec->mntpoint_sid = sid;
932 	}
933 	if (set_rootcontext) {
934 		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
935 		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
936 
937 		newisec->sid = oldisec->sid;
938 	}
939 
940 	sb_finish_set_opts(newsb);
941 out:
942 	mutex_unlock(&newsbsec->lock);
943 	return rc;
944 }
945 
946 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
947 {
948 	struct selinux_mnt_opts *opts = *mnt_opts;
949 
950 	if (token == Opt_seclabel)	/* eaten and completely ignored */
951 		return 0;
952 
953 	if (!opts) {
954 		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
955 		if (!opts)
956 			return -ENOMEM;
957 		*mnt_opts = opts;
958 	}
959 	if (!s)
960 		return -ENOMEM;
961 	switch (token) {
962 	case Opt_context:
963 		if (opts->context || opts->defcontext)
964 			goto Einval;
965 		opts->context = s;
966 		break;
967 	case Opt_fscontext:
968 		if (opts->fscontext)
969 			goto Einval;
970 		opts->fscontext = s;
971 		break;
972 	case Opt_rootcontext:
973 		if (opts->rootcontext)
974 			goto Einval;
975 		opts->rootcontext = s;
976 		break;
977 	case Opt_defcontext:
978 		if (opts->context || opts->defcontext)
979 			goto Einval;
980 		opts->defcontext = s;
981 		break;
982 	}
983 	return 0;
984 Einval:
985 	pr_warn(SEL_MOUNT_FAIL_MSG);
986 	return -EINVAL;
987 }
988 
989 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
990 			       void **mnt_opts)
991 {
992 	int token = Opt_error;
993 	int rc, i;
994 
995 	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
996 		if (strcmp(option, tokens[i].name) == 0) {
997 			token = tokens[i].opt;
998 			break;
999 		}
1000 	}
1001 
1002 	if (token == Opt_error)
1003 		return -EINVAL;
1004 
1005 	if (token != Opt_seclabel) {
1006 		val = kmemdup_nul(val, len, GFP_KERNEL);
1007 		if (!val) {
1008 			rc = -ENOMEM;
1009 			goto free_opt;
1010 		}
1011 	}
1012 	rc = selinux_add_opt(token, val, mnt_opts);
1013 	if (unlikely(rc)) {
1014 		kfree(val);
1015 		goto free_opt;
1016 	}
1017 	return rc;
1018 
1019 free_opt:
1020 	if (*mnt_opts) {
1021 		selinux_free_mnt_opts(*mnt_opts);
1022 		*mnt_opts = NULL;
1023 	}
1024 	return rc;
1025 }
1026 
1027 static int show_sid(struct seq_file *m, u32 sid)
1028 {
1029 	char *context = NULL;
1030 	u32 len;
1031 	int rc;
1032 
1033 	rc = security_sid_to_context(&selinux_state, sid,
1034 					     &context, &len);
1035 	if (!rc) {
1036 		bool has_comma = context && strchr(context, ',');
1037 
1038 		seq_putc(m, '=');
1039 		if (has_comma)
1040 			seq_putc(m, '\"');
1041 		seq_escape(m, context, "\"\n\\");
1042 		if (has_comma)
1043 			seq_putc(m, '\"');
1044 	}
1045 	kfree(context);
1046 	return rc;
1047 }
1048 
1049 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1050 {
1051 	struct superblock_security_struct *sbsec = sb->s_security;
1052 	int rc;
1053 
1054 	if (!(sbsec->flags & SE_SBINITIALIZED))
1055 		return 0;
1056 
1057 	if (!selinux_initialized(&selinux_state))
1058 		return 0;
1059 
1060 	if (sbsec->flags & FSCONTEXT_MNT) {
1061 		seq_putc(m, ',');
1062 		seq_puts(m, FSCONTEXT_STR);
1063 		rc = show_sid(m, sbsec->sid);
1064 		if (rc)
1065 			return rc;
1066 	}
1067 	if (sbsec->flags & CONTEXT_MNT) {
1068 		seq_putc(m, ',');
1069 		seq_puts(m, CONTEXT_STR);
1070 		rc = show_sid(m, sbsec->mntpoint_sid);
1071 		if (rc)
1072 			return rc;
1073 	}
1074 	if (sbsec->flags & DEFCONTEXT_MNT) {
1075 		seq_putc(m, ',');
1076 		seq_puts(m, DEFCONTEXT_STR);
1077 		rc = show_sid(m, sbsec->def_sid);
1078 		if (rc)
1079 			return rc;
1080 	}
1081 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1082 		struct dentry *root = sbsec->sb->s_root;
1083 		struct inode_security_struct *isec = backing_inode_security(root);
1084 		seq_putc(m, ',');
1085 		seq_puts(m, ROOTCONTEXT_STR);
1086 		rc = show_sid(m, isec->sid);
1087 		if (rc)
1088 			return rc;
1089 	}
1090 	if (sbsec->flags & SBLABEL_MNT) {
1091 		seq_putc(m, ',');
1092 		seq_puts(m, SECLABEL_STR);
1093 	}
1094 	return 0;
1095 }
1096 
1097 static inline u16 inode_mode_to_security_class(umode_t mode)
1098 {
1099 	switch (mode & S_IFMT) {
1100 	case S_IFSOCK:
1101 		return SECCLASS_SOCK_FILE;
1102 	case S_IFLNK:
1103 		return SECCLASS_LNK_FILE;
1104 	case S_IFREG:
1105 		return SECCLASS_FILE;
1106 	case S_IFBLK:
1107 		return SECCLASS_BLK_FILE;
1108 	case S_IFDIR:
1109 		return SECCLASS_DIR;
1110 	case S_IFCHR:
1111 		return SECCLASS_CHR_FILE;
1112 	case S_IFIFO:
1113 		return SECCLASS_FIFO_FILE;
1114 
1115 	}
1116 
1117 	return SECCLASS_FILE;
1118 }
1119 
1120 static inline int default_protocol_stream(int protocol)
1121 {
1122 	return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1123 }
1124 
1125 static inline int default_protocol_dgram(int protocol)
1126 {
1127 	return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1128 }
1129 
1130 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1131 {
1132 	int extsockclass = selinux_policycap_extsockclass();
1133 
1134 	switch (family) {
1135 	case PF_UNIX:
1136 		switch (type) {
1137 		case SOCK_STREAM:
1138 		case SOCK_SEQPACKET:
1139 			return SECCLASS_UNIX_STREAM_SOCKET;
1140 		case SOCK_DGRAM:
1141 		case SOCK_RAW:
1142 			return SECCLASS_UNIX_DGRAM_SOCKET;
1143 		}
1144 		break;
1145 	case PF_INET:
1146 	case PF_INET6:
1147 		switch (type) {
1148 		case SOCK_STREAM:
1149 		case SOCK_SEQPACKET:
1150 			if (default_protocol_stream(protocol))
1151 				return SECCLASS_TCP_SOCKET;
1152 			else if (extsockclass && protocol == IPPROTO_SCTP)
1153 				return SECCLASS_SCTP_SOCKET;
1154 			else
1155 				return SECCLASS_RAWIP_SOCKET;
1156 		case SOCK_DGRAM:
1157 			if (default_protocol_dgram(protocol))
1158 				return SECCLASS_UDP_SOCKET;
1159 			else if (extsockclass && (protocol == IPPROTO_ICMP ||
1160 						  protocol == IPPROTO_ICMPV6))
1161 				return SECCLASS_ICMP_SOCKET;
1162 			else
1163 				return SECCLASS_RAWIP_SOCKET;
1164 		case SOCK_DCCP:
1165 			return SECCLASS_DCCP_SOCKET;
1166 		default:
1167 			return SECCLASS_RAWIP_SOCKET;
1168 		}
1169 		break;
1170 	case PF_NETLINK:
1171 		switch (protocol) {
1172 		case NETLINK_ROUTE:
1173 			return SECCLASS_NETLINK_ROUTE_SOCKET;
1174 		case NETLINK_SOCK_DIAG:
1175 			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1176 		case NETLINK_NFLOG:
1177 			return SECCLASS_NETLINK_NFLOG_SOCKET;
1178 		case NETLINK_XFRM:
1179 			return SECCLASS_NETLINK_XFRM_SOCKET;
1180 		case NETLINK_SELINUX:
1181 			return SECCLASS_NETLINK_SELINUX_SOCKET;
1182 		case NETLINK_ISCSI:
1183 			return SECCLASS_NETLINK_ISCSI_SOCKET;
1184 		case NETLINK_AUDIT:
1185 			return SECCLASS_NETLINK_AUDIT_SOCKET;
1186 		case NETLINK_FIB_LOOKUP:
1187 			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1188 		case NETLINK_CONNECTOR:
1189 			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1190 		case NETLINK_NETFILTER:
1191 			return SECCLASS_NETLINK_NETFILTER_SOCKET;
1192 		case NETLINK_DNRTMSG:
1193 			return SECCLASS_NETLINK_DNRT_SOCKET;
1194 		case NETLINK_KOBJECT_UEVENT:
1195 			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1196 		case NETLINK_GENERIC:
1197 			return SECCLASS_NETLINK_GENERIC_SOCKET;
1198 		case NETLINK_SCSITRANSPORT:
1199 			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1200 		case NETLINK_RDMA:
1201 			return SECCLASS_NETLINK_RDMA_SOCKET;
1202 		case NETLINK_CRYPTO:
1203 			return SECCLASS_NETLINK_CRYPTO_SOCKET;
1204 		default:
1205 			return SECCLASS_NETLINK_SOCKET;
1206 		}
1207 	case PF_PACKET:
1208 		return SECCLASS_PACKET_SOCKET;
1209 	case PF_KEY:
1210 		return SECCLASS_KEY_SOCKET;
1211 	case PF_APPLETALK:
1212 		return SECCLASS_APPLETALK_SOCKET;
1213 	}
1214 
1215 	if (extsockclass) {
1216 		switch (family) {
1217 		case PF_AX25:
1218 			return SECCLASS_AX25_SOCKET;
1219 		case PF_IPX:
1220 			return SECCLASS_IPX_SOCKET;
1221 		case PF_NETROM:
1222 			return SECCLASS_NETROM_SOCKET;
1223 		case PF_ATMPVC:
1224 			return SECCLASS_ATMPVC_SOCKET;
1225 		case PF_X25:
1226 			return SECCLASS_X25_SOCKET;
1227 		case PF_ROSE:
1228 			return SECCLASS_ROSE_SOCKET;
1229 		case PF_DECnet:
1230 			return SECCLASS_DECNET_SOCKET;
1231 		case PF_ATMSVC:
1232 			return SECCLASS_ATMSVC_SOCKET;
1233 		case PF_RDS:
1234 			return SECCLASS_RDS_SOCKET;
1235 		case PF_IRDA:
1236 			return SECCLASS_IRDA_SOCKET;
1237 		case PF_PPPOX:
1238 			return SECCLASS_PPPOX_SOCKET;
1239 		case PF_LLC:
1240 			return SECCLASS_LLC_SOCKET;
1241 		case PF_CAN:
1242 			return SECCLASS_CAN_SOCKET;
1243 		case PF_TIPC:
1244 			return SECCLASS_TIPC_SOCKET;
1245 		case PF_BLUETOOTH:
1246 			return SECCLASS_BLUETOOTH_SOCKET;
1247 		case PF_IUCV:
1248 			return SECCLASS_IUCV_SOCKET;
1249 		case PF_RXRPC:
1250 			return SECCLASS_RXRPC_SOCKET;
1251 		case PF_ISDN:
1252 			return SECCLASS_ISDN_SOCKET;
1253 		case PF_PHONET:
1254 			return SECCLASS_PHONET_SOCKET;
1255 		case PF_IEEE802154:
1256 			return SECCLASS_IEEE802154_SOCKET;
1257 		case PF_CAIF:
1258 			return SECCLASS_CAIF_SOCKET;
1259 		case PF_ALG:
1260 			return SECCLASS_ALG_SOCKET;
1261 		case PF_NFC:
1262 			return SECCLASS_NFC_SOCKET;
1263 		case PF_VSOCK:
1264 			return SECCLASS_VSOCK_SOCKET;
1265 		case PF_KCM:
1266 			return SECCLASS_KCM_SOCKET;
1267 		case PF_QIPCRTR:
1268 			return SECCLASS_QIPCRTR_SOCKET;
1269 		case PF_SMC:
1270 			return SECCLASS_SMC_SOCKET;
1271 		case PF_XDP:
1272 			return SECCLASS_XDP_SOCKET;
1273 #if PF_MAX > 45
1274 #error New address family defined, please update this function.
1275 #endif
1276 		}
1277 	}
1278 
1279 	return SECCLASS_SOCKET;
1280 }
1281 
1282 static int selinux_genfs_get_sid(struct dentry *dentry,
1283 				 u16 tclass,
1284 				 u16 flags,
1285 				 u32 *sid)
1286 {
1287 	int rc;
1288 	struct super_block *sb = dentry->d_sb;
1289 	char *buffer, *path;
1290 
1291 	buffer = (char *)__get_free_page(GFP_KERNEL);
1292 	if (!buffer)
1293 		return -ENOMEM;
1294 
1295 	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1296 	if (IS_ERR(path))
1297 		rc = PTR_ERR(path);
1298 	else {
1299 		if (flags & SE_SBPROC) {
1300 			/* each process gets a /proc/PID/ entry. Strip off the
1301 			 * PID part to get a valid selinux labeling.
1302 			 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1303 			while (path[1] >= '0' && path[1] <= '9') {
1304 				path[1] = '/';
1305 				path++;
1306 			}
1307 		}
1308 		rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1309 					path, tclass, sid);
1310 		if (rc == -ENOENT) {
1311 			/* No match in policy, mark as unlabeled. */
1312 			*sid = SECINITSID_UNLABELED;
1313 			rc = 0;
1314 		}
1315 	}
1316 	free_page((unsigned long)buffer);
1317 	return rc;
1318 }
1319 
1320 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1321 				  u32 def_sid, u32 *sid)
1322 {
1323 #define INITCONTEXTLEN 255
1324 	char *context;
1325 	unsigned int len;
1326 	int rc;
1327 
1328 	len = INITCONTEXTLEN;
1329 	context = kmalloc(len + 1, GFP_NOFS);
1330 	if (!context)
1331 		return -ENOMEM;
1332 
1333 	context[len] = '\0';
1334 	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1335 	if (rc == -ERANGE) {
1336 		kfree(context);
1337 
1338 		/* Need a larger buffer.  Query for the right size. */
1339 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1340 		if (rc < 0)
1341 			return rc;
1342 
1343 		len = rc;
1344 		context = kmalloc(len + 1, GFP_NOFS);
1345 		if (!context)
1346 			return -ENOMEM;
1347 
1348 		context[len] = '\0';
1349 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1350 				    context, len);
1351 	}
1352 	if (rc < 0) {
1353 		kfree(context);
1354 		if (rc != -ENODATA) {
1355 			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1356 				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
1357 			return rc;
1358 		}
1359 		*sid = def_sid;
1360 		return 0;
1361 	}
1362 
1363 	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1364 					     def_sid, GFP_NOFS);
1365 	if (rc) {
1366 		char *dev = inode->i_sb->s_id;
1367 		unsigned long ino = inode->i_ino;
1368 
1369 		if (rc == -EINVAL) {
1370 			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1371 					      ino, dev, context);
1372 		} else {
1373 			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1374 				__func__, context, -rc, dev, ino);
1375 		}
1376 	}
1377 	kfree(context);
1378 	return 0;
1379 }
1380 
1381 /* The inode's security attributes must be initialized before first use. */
1382 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1383 {
1384 	struct superblock_security_struct *sbsec = NULL;
1385 	struct inode_security_struct *isec = selinux_inode(inode);
1386 	u32 task_sid, sid = 0;
1387 	u16 sclass;
1388 	struct dentry *dentry;
1389 	int rc = 0;
1390 
1391 	if (isec->initialized == LABEL_INITIALIZED)
1392 		return 0;
1393 
1394 	spin_lock(&isec->lock);
1395 	if (isec->initialized == LABEL_INITIALIZED)
1396 		goto out_unlock;
1397 
1398 	if (isec->sclass == SECCLASS_FILE)
1399 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
1400 
1401 	sbsec = inode->i_sb->s_security;
1402 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1403 		/* Defer initialization until selinux_complete_init,
1404 		   after the initial policy is loaded and the security
1405 		   server is ready to handle calls. */
1406 		spin_lock(&sbsec->isec_lock);
1407 		if (list_empty(&isec->list))
1408 			list_add(&isec->list, &sbsec->isec_head);
1409 		spin_unlock(&sbsec->isec_lock);
1410 		goto out_unlock;
1411 	}
1412 
1413 	sclass = isec->sclass;
1414 	task_sid = isec->task_sid;
1415 	sid = isec->sid;
1416 	isec->initialized = LABEL_PENDING;
1417 	spin_unlock(&isec->lock);
1418 
1419 	switch (sbsec->behavior) {
1420 	case SECURITY_FS_USE_NATIVE:
1421 		break;
1422 	case SECURITY_FS_USE_XATTR:
1423 		if (!(inode->i_opflags & IOP_XATTR)) {
1424 			sid = sbsec->def_sid;
1425 			break;
1426 		}
1427 		/* Need a dentry, since the xattr API requires one.
1428 		   Life would be simpler if we could just pass the inode. */
1429 		if (opt_dentry) {
1430 			/* Called from d_instantiate or d_splice_alias. */
1431 			dentry = dget(opt_dentry);
1432 		} else {
1433 			/*
1434 			 * Called from selinux_complete_init, try to find a dentry.
1435 			 * Some filesystems really want a connected one, so try
1436 			 * that first.  We could split SECURITY_FS_USE_XATTR in
1437 			 * two, depending upon that...
1438 			 */
1439 			dentry = d_find_alias(inode);
1440 			if (!dentry)
1441 				dentry = d_find_any_alias(inode);
1442 		}
1443 		if (!dentry) {
1444 			/*
1445 			 * this is can be hit on boot when a file is accessed
1446 			 * before the policy is loaded.  When we load policy we
1447 			 * may find inodes that have no dentry on the
1448 			 * sbsec->isec_head list.  No reason to complain as these
1449 			 * will get fixed up the next time we go through
1450 			 * inode_doinit with a dentry, before these inodes could
1451 			 * be used again by userspace.
1452 			 */
1453 			goto out;
1454 		}
1455 
1456 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1457 					    &sid);
1458 		dput(dentry);
1459 		if (rc)
1460 			goto out;
1461 		break;
1462 	case SECURITY_FS_USE_TASK:
1463 		sid = task_sid;
1464 		break;
1465 	case SECURITY_FS_USE_TRANS:
1466 		/* Default to the fs SID. */
1467 		sid = sbsec->sid;
1468 
1469 		/* Try to obtain a transition SID. */
1470 		rc = security_transition_sid(&selinux_state, task_sid, sid,
1471 					     sclass, NULL, &sid);
1472 		if (rc)
1473 			goto out;
1474 		break;
1475 	case SECURITY_FS_USE_MNTPOINT:
1476 		sid = sbsec->mntpoint_sid;
1477 		break;
1478 	default:
1479 		/* Default to the fs superblock SID. */
1480 		sid = sbsec->sid;
1481 
1482 		if ((sbsec->flags & SE_SBGENFS) &&
1483 		     (!S_ISLNK(inode->i_mode) ||
1484 		      selinux_policycap_genfs_seclabel_symlinks())) {
1485 			/* We must have a dentry to determine the label on
1486 			 * procfs inodes */
1487 			if (opt_dentry) {
1488 				/* Called from d_instantiate or
1489 				 * d_splice_alias. */
1490 				dentry = dget(opt_dentry);
1491 			} else {
1492 				/* Called from selinux_complete_init, try to
1493 				 * find a dentry.  Some filesystems really want
1494 				 * a connected one, so try that first.
1495 				 */
1496 				dentry = d_find_alias(inode);
1497 				if (!dentry)
1498 					dentry = d_find_any_alias(inode);
1499 			}
1500 			/*
1501 			 * This can be hit on boot when a file is accessed
1502 			 * before the policy is loaded.  When we load policy we
1503 			 * may find inodes that have no dentry on the
1504 			 * sbsec->isec_head list.  No reason to complain as
1505 			 * these will get fixed up the next time we go through
1506 			 * inode_doinit() with a dentry, before these inodes
1507 			 * could be used again by userspace.
1508 			 */
1509 			if (!dentry)
1510 				goto out;
1511 			rc = selinux_genfs_get_sid(dentry, sclass,
1512 						   sbsec->flags, &sid);
1513 			if (rc) {
1514 				dput(dentry);
1515 				goto out;
1516 			}
1517 
1518 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1519 			    (inode->i_opflags & IOP_XATTR)) {
1520 				rc = inode_doinit_use_xattr(inode, dentry,
1521 							    sid, &sid);
1522 				if (rc) {
1523 					dput(dentry);
1524 					goto out;
1525 				}
1526 			}
1527 			dput(dentry);
1528 		}
1529 		break;
1530 	}
1531 
1532 out:
1533 	spin_lock(&isec->lock);
1534 	if (isec->initialized == LABEL_PENDING) {
1535 		if (!sid || rc) {
1536 			isec->initialized = LABEL_INVALID;
1537 			goto out_unlock;
1538 		}
1539 
1540 		isec->initialized = LABEL_INITIALIZED;
1541 		isec->sid = sid;
1542 	}
1543 
1544 out_unlock:
1545 	spin_unlock(&isec->lock);
1546 	return rc;
1547 }
1548 
1549 /* Convert a Linux signal to an access vector. */
1550 static inline u32 signal_to_av(int sig)
1551 {
1552 	u32 perm = 0;
1553 
1554 	switch (sig) {
1555 	case SIGCHLD:
1556 		/* Commonly granted from child to parent. */
1557 		perm = PROCESS__SIGCHLD;
1558 		break;
1559 	case SIGKILL:
1560 		/* Cannot be caught or ignored */
1561 		perm = PROCESS__SIGKILL;
1562 		break;
1563 	case SIGSTOP:
1564 		/* Cannot be caught or ignored */
1565 		perm = PROCESS__SIGSTOP;
1566 		break;
1567 	default:
1568 		/* All other signals. */
1569 		perm = PROCESS__SIGNAL;
1570 		break;
1571 	}
1572 
1573 	return perm;
1574 }
1575 
1576 #if CAP_LAST_CAP > 63
1577 #error Fix SELinux to handle capabilities > 63.
1578 #endif
1579 
1580 /* Check whether a task is allowed to use a capability. */
1581 static int cred_has_capability(const struct cred *cred,
1582 			       int cap, unsigned int opts, bool initns)
1583 {
1584 	struct common_audit_data ad;
1585 	struct av_decision avd;
1586 	u16 sclass;
1587 	u32 sid = cred_sid(cred);
1588 	u32 av = CAP_TO_MASK(cap);
1589 	int rc;
1590 
1591 	ad.type = LSM_AUDIT_DATA_CAP;
1592 	ad.u.cap = cap;
1593 
1594 	switch (CAP_TO_INDEX(cap)) {
1595 	case 0:
1596 		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1597 		break;
1598 	case 1:
1599 		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1600 		break;
1601 	default:
1602 		pr_err("SELinux:  out of range capability %d\n", cap);
1603 		BUG();
1604 		return -EINVAL;
1605 	}
1606 
1607 	rc = avc_has_perm_noaudit(&selinux_state,
1608 				  sid, sid, sclass, av, 0, &avd);
1609 	if (!(opts & CAP_OPT_NOAUDIT)) {
1610 		int rc2 = avc_audit(&selinux_state,
1611 				    sid, sid, sclass, av, &avd, rc, &ad, 0);
1612 		if (rc2)
1613 			return rc2;
1614 	}
1615 	return rc;
1616 }
1617 
1618 /* Check whether a task has a particular permission to an inode.
1619    The 'adp' parameter is optional and allows other audit
1620    data to be passed (e.g. the dentry). */
1621 static int inode_has_perm(const struct cred *cred,
1622 			  struct inode *inode,
1623 			  u32 perms,
1624 			  struct common_audit_data *adp)
1625 {
1626 	struct inode_security_struct *isec;
1627 	u32 sid;
1628 
1629 	validate_creds(cred);
1630 
1631 	if (unlikely(IS_PRIVATE(inode)))
1632 		return 0;
1633 
1634 	sid = cred_sid(cred);
1635 	isec = selinux_inode(inode);
1636 
1637 	return avc_has_perm(&selinux_state,
1638 			    sid, isec->sid, isec->sclass, perms, adp);
1639 }
1640 
1641 /* Same as inode_has_perm, but pass explicit audit data containing
1642    the dentry to help the auditing code to more easily generate the
1643    pathname if needed. */
1644 static inline int dentry_has_perm(const struct cred *cred,
1645 				  struct dentry *dentry,
1646 				  u32 av)
1647 {
1648 	struct inode *inode = d_backing_inode(dentry);
1649 	struct common_audit_data ad;
1650 
1651 	ad.type = LSM_AUDIT_DATA_DENTRY;
1652 	ad.u.dentry = dentry;
1653 	__inode_security_revalidate(inode, dentry, true);
1654 	return inode_has_perm(cred, inode, av, &ad);
1655 }
1656 
1657 /* Same as inode_has_perm, but pass explicit audit data containing
1658    the path to help the auditing code to more easily generate the
1659    pathname if needed. */
1660 static inline int path_has_perm(const struct cred *cred,
1661 				const struct path *path,
1662 				u32 av)
1663 {
1664 	struct inode *inode = d_backing_inode(path->dentry);
1665 	struct common_audit_data ad;
1666 
1667 	ad.type = LSM_AUDIT_DATA_PATH;
1668 	ad.u.path = *path;
1669 	__inode_security_revalidate(inode, path->dentry, true);
1670 	return inode_has_perm(cred, inode, av, &ad);
1671 }
1672 
1673 /* Same as path_has_perm, but uses the inode from the file struct. */
1674 static inline int file_path_has_perm(const struct cred *cred,
1675 				     struct file *file,
1676 				     u32 av)
1677 {
1678 	struct common_audit_data ad;
1679 
1680 	ad.type = LSM_AUDIT_DATA_FILE;
1681 	ad.u.file = file;
1682 	return inode_has_perm(cred, file_inode(file), av, &ad);
1683 }
1684 
1685 #ifdef CONFIG_BPF_SYSCALL
1686 static int bpf_fd_pass(struct file *file, u32 sid);
1687 #endif
1688 
1689 /* Check whether a task can use an open file descriptor to
1690    access an inode in a given way.  Check access to the
1691    descriptor itself, and then use dentry_has_perm to
1692    check a particular permission to the file.
1693    Access to the descriptor is implicitly granted if it
1694    has the same SID as the process.  If av is zero, then
1695    access to the file is not checked, e.g. for cases
1696    where only the descriptor is affected like seek. */
1697 static int file_has_perm(const struct cred *cred,
1698 			 struct file *file,
1699 			 u32 av)
1700 {
1701 	struct file_security_struct *fsec = selinux_file(file);
1702 	struct inode *inode = file_inode(file);
1703 	struct common_audit_data ad;
1704 	u32 sid = cred_sid(cred);
1705 	int rc;
1706 
1707 	ad.type = LSM_AUDIT_DATA_FILE;
1708 	ad.u.file = file;
1709 
1710 	if (sid != fsec->sid) {
1711 		rc = avc_has_perm(&selinux_state,
1712 				  sid, fsec->sid,
1713 				  SECCLASS_FD,
1714 				  FD__USE,
1715 				  &ad);
1716 		if (rc)
1717 			goto out;
1718 	}
1719 
1720 #ifdef CONFIG_BPF_SYSCALL
1721 	rc = bpf_fd_pass(file, cred_sid(cred));
1722 	if (rc)
1723 		return rc;
1724 #endif
1725 
1726 	/* av is zero if only checking access to the descriptor. */
1727 	rc = 0;
1728 	if (av)
1729 		rc = inode_has_perm(cred, inode, av, &ad);
1730 
1731 out:
1732 	return rc;
1733 }
1734 
1735 /*
1736  * Determine the label for an inode that might be unioned.
1737  */
1738 static int
1739 selinux_determine_inode_label(const struct task_security_struct *tsec,
1740 				 struct inode *dir,
1741 				 const struct qstr *name, u16 tclass,
1742 				 u32 *_new_isid)
1743 {
1744 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1745 
1746 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1747 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1748 		*_new_isid = sbsec->mntpoint_sid;
1749 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1750 		   tsec->create_sid) {
1751 		*_new_isid = tsec->create_sid;
1752 	} else {
1753 		const struct inode_security_struct *dsec = inode_security(dir);
1754 		return security_transition_sid(&selinux_state, tsec->sid,
1755 					       dsec->sid, tclass,
1756 					       name, _new_isid);
1757 	}
1758 
1759 	return 0;
1760 }
1761 
1762 /* Check whether a task can create a file. */
1763 static int may_create(struct inode *dir,
1764 		      struct dentry *dentry,
1765 		      u16 tclass)
1766 {
1767 	const struct task_security_struct *tsec = selinux_cred(current_cred());
1768 	struct inode_security_struct *dsec;
1769 	struct superblock_security_struct *sbsec;
1770 	u32 sid, newsid;
1771 	struct common_audit_data ad;
1772 	int rc;
1773 
1774 	dsec = inode_security(dir);
1775 	sbsec = dir->i_sb->s_security;
1776 
1777 	sid = tsec->sid;
1778 
1779 	ad.type = LSM_AUDIT_DATA_DENTRY;
1780 	ad.u.dentry = dentry;
1781 
1782 	rc = avc_has_perm(&selinux_state,
1783 			  sid, dsec->sid, SECCLASS_DIR,
1784 			  DIR__ADD_NAME | DIR__SEARCH,
1785 			  &ad);
1786 	if (rc)
1787 		return rc;
1788 
1789 	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1790 					   &newsid);
1791 	if (rc)
1792 		return rc;
1793 
1794 	rc = avc_has_perm(&selinux_state,
1795 			  sid, newsid, tclass, FILE__CREATE, &ad);
1796 	if (rc)
1797 		return rc;
1798 
1799 	return avc_has_perm(&selinux_state,
1800 			    newsid, sbsec->sid,
1801 			    SECCLASS_FILESYSTEM,
1802 			    FILESYSTEM__ASSOCIATE, &ad);
1803 }
1804 
1805 #define MAY_LINK	0
1806 #define MAY_UNLINK	1
1807 #define MAY_RMDIR	2
1808 
1809 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1810 static int may_link(struct inode *dir,
1811 		    struct dentry *dentry,
1812 		    int kind)
1813 
1814 {
1815 	struct inode_security_struct *dsec, *isec;
1816 	struct common_audit_data ad;
1817 	u32 sid = current_sid();
1818 	u32 av;
1819 	int rc;
1820 
1821 	dsec = inode_security(dir);
1822 	isec = backing_inode_security(dentry);
1823 
1824 	ad.type = LSM_AUDIT_DATA_DENTRY;
1825 	ad.u.dentry = dentry;
1826 
1827 	av = DIR__SEARCH;
1828 	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1829 	rc = avc_has_perm(&selinux_state,
1830 			  sid, dsec->sid, SECCLASS_DIR, av, &ad);
1831 	if (rc)
1832 		return rc;
1833 
1834 	switch (kind) {
1835 	case MAY_LINK:
1836 		av = FILE__LINK;
1837 		break;
1838 	case MAY_UNLINK:
1839 		av = FILE__UNLINK;
1840 		break;
1841 	case MAY_RMDIR:
1842 		av = DIR__RMDIR;
1843 		break;
1844 	default:
1845 		pr_warn("SELinux: %s:  unrecognized kind %d\n",
1846 			__func__, kind);
1847 		return 0;
1848 	}
1849 
1850 	rc = avc_has_perm(&selinux_state,
1851 			  sid, isec->sid, isec->sclass, av, &ad);
1852 	return rc;
1853 }
1854 
1855 static inline int may_rename(struct inode *old_dir,
1856 			     struct dentry *old_dentry,
1857 			     struct inode *new_dir,
1858 			     struct dentry *new_dentry)
1859 {
1860 	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1861 	struct common_audit_data ad;
1862 	u32 sid = current_sid();
1863 	u32 av;
1864 	int old_is_dir, new_is_dir;
1865 	int rc;
1866 
1867 	old_dsec = inode_security(old_dir);
1868 	old_isec = backing_inode_security(old_dentry);
1869 	old_is_dir = d_is_dir(old_dentry);
1870 	new_dsec = inode_security(new_dir);
1871 
1872 	ad.type = LSM_AUDIT_DATA_DENTRY;
1873 
1874 	ad.u.dentry = old_dentry;
1875 	rc = avc_has_perm(&selinux_state,
1876 			  sid, old_dsec->sid, SECCLASS_DIR,
1877 			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1878 	if (rc)
1879 		return rc;
1880 	rc = avc_has_perm(&selinux_state,
1881 			  sid, old_isec->sid,
1882 			  old_isec->sclass, FILE__RENAME, &ad);
1883 	if (rc)
1884 		return rc;
1885 	if (old_is_dir && new_dir != old_dir) {
1886 		rc = avc_has_perm(&selinux_state,
1887 				  sid, old_isec->sid,
1888 				  old_isec->sclass, DIR__REPARENT, &ad);
1889 		if (rc)
1890 			return rc;
1891 	}
1892 
1893 	ad.u.dentry = new_dentry;
1894 	av = DIR__ADD_NAME | DIR__SEARCH;
1895 	if (d_is_positive(new_dentry))
1896 		av |= DIR__REMOVE_NAME;
1897 	rc = avc_has_perm(&selinux_state,
1898 			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1899 	if (rc)
1900 		return rc;
1901 	if (d_is_positive(new_dentry)) {
1902 		new_isec = backing_inode_security(new_dentry);
1903 		new_is_dir = d_is_dir(new_dentry);
1904 		rc = avc_has_perm(&selinux_state,
1905 				  sid, new_isec->sid,
1906 				  new_isec->sclass,
1907 				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1908 		if (rc)
1909 			return rc;
1910 	}
1911 
1912 	return 0;
1913 }
1914 
1915 /* Check whether a task can perform a filesystem operation. */
1916 static int superblock_has_perm(const struct cred *cred,
1917 			       struct super_block *sb,
1918 			       u32 perms,
1919 			       struct common_audit_data *ad)
1920 {
1921 	struct superblock_security_struct *sbsec;
1922 	u32 sid = cred_sid(cred);
1923 
1924 	sbsec = sb->s_security;
1925 	return avc_has_perm(&selinux_state,
1926 			    sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1927 }
1928 
1929 /* Convert a Linux mode and permission mask to an access vector. */
1930 static inline u32 file_mask_to_av(int mode, int mask)
1931 {
1932 	u32 av = 0;
1933 
1934 	if (!S_ISDIR(mode)) {
1935 		if (mask & MAY_EXEC)
1936 			av |= FILE__EXECUTE;
1937 		if (mask & MAY_READ)
1938 			av |= FILE__READ;
1939 
1940 		if (mask & MAY_APPEND)
1941 			av |= FILE__APPEND;
1942 		else if (mask & MAY_WRITE)
1943 			av |= FILE__WRITE;
1944 
1945 	} else {
1946 		if (mask & MAY_EXEC)
1947 			av |= DIR__SEARCH;
1948 		if (mask & MAY_WRITE)
1949 			av |= DIR__WRITE;
1950 		if (mask & MAY_READ)
1951 			av |= DIR__READ;
1952 	}
1953 
1954 	return av;
1955 }
1956 
1957 /* Convert a Linux file to an access vector. */
1958 static inline u32 file_to_av(struct file *file)
1959 {
1960 	u32 av = 0;
1961 
1962 	if (file->f_mode & FMODE_READ)
1963 		av |= FILE__READ;
1964 	if (file->f_mode & FMODE_WRITE) {
1965 		if (file->f_flags & O_APPEND)
1966 			av |= FILE__APPEND;
1967 		else
1968 			av |= FILE__WRITE;
1969 	}
1970 	if (!av) {
1971 		/*
1972 		 * Special file opened with flags 3 for ioctl-only use.
1973 		 */
1974 		av = FILE__IOCTL;
1975 	}
1976 
1977 	return av;
1978 }
1979 
1980 /*
1981  * Convert a file to an access vector and include the correct open
1982  * open permission.
1983  */
1984 static inline u32 open_file_to_av(struct file *file)
1985 {
1986 	u32 av = file_to_av(file);
1987 	struct inode *inode = file_inode(file);
1988 
1989 	if (selinux_policycap_openperm() &&
1990 	    inode->i_sb->s_magic != SOCKFS_MAGIC)
1991 		av |= FILE__OPEN;
1992 
1993 	return av;
1994 }
1995 
1996 /* Hook functions begin here. */
1997 
1998 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1999 {
2000 	u32 mysid = current_sid();
2001 	u32 mgrsid = task_sid(mgr);
2002 
2003 	return avc_has_perm(&selinux_state,
2004 			    mysid, mgrsid, SECCLASS_BINDER,
2005 			    BINDER__SET_CONTEXT_MGR, NULL);
2006 }
2007 
2008 static int selinux_binder_transaction(struct task_struct *from,
2009 				      struct task_struct *to)
2010 {
2011 	u32 mysid = current_sid();
2012 	u32 fromsid = task_sid(from);
2013 	u32 tosid = task_sid(to);
2014 	int rc;
2015 
2016 	if (mysid != fromsid) {
2017 		rc = avc_has_perm(&selinux_state,
2018 				  mysid, fromsid, SECCLASS_BINDER,
2019 				  BINDER__IMPERSONATE, NULL);
2020 		if (rc)
2021 			return rc;
2022 	}
2023 
2024 	return avc_has_perm(&selinux_state,
2025 			    fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2026 			    NULL);
2027 }
2028 
2029 static int selinux_binder_transfer_binder(struct task_struct *from,
2030 					  struct task_struct *to)
2031 {
2032 	u32 fromsid = task_sid(from);
2033 	u32 tosid = task_sid(to);
2034 
2035 	return avc_has_perm(&selinux_state,
2036 			    fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2037 			    NULL);
2038 }
2039 
2040 static int selinux_binder_transfer_file(struct task_struct *from,
2041 					struct task_struct *to,
2042 					struct file *file)
2043 {
2044 	u32 sid = task_sid(to);
2045 	struct file_security_struct *fsec = selinux_file(file);
2046 	struct dentry *dentry = file->f_path.dentry;
2047 	struct inode_security_struct *isec;
2048 	struct common_audit_data ad;
2049 	int rc;
2050 
2051 	ad.type = LSM_AUDIT_DATA_PATH;
2052 	ad.u.path = file->f_path;
2053 
2054 	if (sid != fsec->sid) {
2055 		rc = avc_has_perm(&selinux_state,
2056 				  sid, fsec->sid,
2057 				  SECCLASS_FD,
2058 				  FD__USE,
2059 				  &ad);
2060 		if (rc)
2061 			return rc;
2062 	}
2063 
2064 #ifdef CONFIG_BPF_SYSCALL
2065 	rc = bpf_fd_pass(file, sid);
2066 	if (rc)
2067 		return rc;
2068 #endif
2069 
2070 	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2071 		return 0;
2072 
2073 	isec = backing_inode_security(dentry);
2074 	return avc_has_perm(&selinux_state,
2075 			    sid, isec->sid, isec->sclass, file_to_av(file),
2076 			    &ad);
2077 }
2078 
2079 static int selinux_ptrace_access_check(struct task_struct *child,
2080 				     unsigned int mode)
2081 {
2082 	u32 sid = current_sid();
2083 	u32 csid = task_sid(child);
2084 
2085 	if (mode & PTRACE_MODE_READ)
2086 		return avc_has_perm(&selinux_state,
2087 				    sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2088 
2089 	return avc_has_perm(&selinux_state,
2090 			    sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2091 }
2092 
2093 static int selinux_ptrace_traceme(struct task_struct *parent)
2094 {
2095 	return avc_has_perm(&selinux_state,
2096 			    task_sid(parent), current_sid(), SECCLASS_PROCESS,
2097 			    PROCESS__PTRACE, NULL);
2098 }
2099 
2100 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2101 			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
2102 {
2103 	return avc_has_perm(&selinux_state,
2104 			    current_sid(), task_sid(target), SECCLASS_PROCESS,
2105 			    PROCESS__GETCAP, NULL);
2106 }
2107 
2108 static int selinux_capset(struct cred *new, const struct cred *old,
2109 			  const kernel_cap_t *effective,
2110 			  const kernel_cap_t *inheritable,
2111 			  const kernel_cap_t *permitted)
2112 {
2113 	return avc_has_perm(&selinux_state,
2114 			    cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2115 			    PROCESS__SETCAP, NULL);
2116 }
2117 
2118 /*
2119  * (This comment used to live with the selinux_task_setuid hook,
2120  * which was removed).
2121  *
2122  * Since setuid only affects the current process, and since the SELinux
2123  * controls are not based on the Linux identity attributes, SELinux does not
2124  * need to control this operation.  However, SELinux does control the use of
2125  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2126  */
2127 
2128 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2129 			   int cap, unsigned int opts)
2130 {
2131 	return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2132 }
2133 
2134 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2135 {
2136 	const struct cred *cred = current_cred();
2137 	int rc = 0;
2138 
2139 	if (!sb)
2140 		return 0;
2141 
2142 	switch (cmds) {
2143 	case Q_SYNC:
2144 	case Q_QUOTAON:
2145 	case Q_QUOTAOFF:
2146 	case Q_SETINFO:
2147 	case Q_SETQUOTA:
2148 	case Q_XQUOTAOFF:
2149 	case Q_XQUOTAON:
2150 	case Q_XSETQLIM:
2151 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2152 		break;
2153 	case Q_GETFMT:
2154 	case Q_GETINFO:
2155 	case Q_GETQUOTA:
2156 	case Q_XGETQUOTA:
2157 	case Q_XGETQSTAT:
2158 	case Q_XGETQSTATV:
2159 	case Q_XGETNEXTQUOTA:
2160 		rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2161 		break;
2162 	default:
2163 		rc = 0;  /* let the kernel handle invalid cmds */
2164 		break;
2165 	}
2166 	return rc;
2167 }
2168 
2169 static int selinux_quota_on(struct dentry *dentry)
2170 {
2171 	const struct cred *cred = current_cred();
2172 
2173 	return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2174 }
2175 
2176 static int selinux_syslog(int type)
2177 {
2178 	switch (type) {
2179 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
2180 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
2181 		return avc_has_perm(&selinux_state,
2182 				    current_sid(), SECINITSID_KERNEL,
2183 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2184 	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
2185 	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
2186 	/* Set level of messages printed to console */
2187 	case SYSLOG_ACTION_CONSOLE_LEVEL:
2188 		return avc_has_perm(&selinux_state,
2189 				    current_sid(), SECINITSID_KERNEL,
2190 				    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2191 				    NULL);
2192 	}
2193 	/* All other syslog types */
2194 	return avc_has_perm(&selinux_state,
2195 			    current_sid(), SECINITSID_KERNEL,
2196 			    SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2197 }
2198 
2199 /*
2200  * Check that a process has enough memory to allocate a new virtual
2201  * mapping. 0 means there is enough memory for the allocation to
2202  * succeed and -ENOMEM implies there is not.
2203  *
2204  * Do not audit the selinux permission check, as this is applied to all
2205  * processes that allocate mappings.
2206  */
2207 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2208 {
2209 	int rc, cap_sys_admin = 0;
2210 
2211 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2212 				 CAP_OPT_NOAUDIT, true);
2213 	if (rc == 0)
2214 		cap_sys_admin = 1;
2215 
2216 	return cap_sys_admin;
2217 }
2218 
2219 /* binprm security operations */
2220 
2221 static u32 ptrace_parent_sid(void)
2222 {
2223 	u32 sid = 0;
2224 	struct task_struct *tracer;
2225 
2226 	rcu_read_lock();
2227 	tracer = ptrace_parent(current);
2228 	if (tracer)
2229 		sid = task_sid(tracer);
2230 	rcu_read_unlock();
2231 
2232 	return sid;
2233 }
2234 
2235 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2236 			    const struct task_security_struct *old_tsec,
2237 			    const struct task_security_struct *new_tsec)
2238 {
2239 	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2240 	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2241 	int rc;
2242 	u32 av;
2243 
2244 	if (!nnp && !nosuid)
2245 		return 0; /* neither NNP nor nosuid */
2246 
2247 	if (new_tsec->sid == old_tsec->sid)
2248 		return 0; /* No change in credentials */
2249 
2250 	/*
2251 	 * If the policy enables the nnp_nosuid_transition policy capability,
2252 	 * then we permit transitions under NNP or nosuid if the
2253 	 * policy allows the corresponding permission between
2254 	 * the old and new contexts.
2255 	 */
2256 	if (selinux_policycap_nnp_nosuid_transition()) {
2257 		av = 0;
2258 		if (nnp)
2259 			av |= PROCESS2__NNP_TRANSITION;
2260 		if (nosuid)
2261 			av |= PROCESS2__NOSUID_TRANSITION;
2262 		rc = avc_has_perm(&selinux_state,
2263 				  old_tsec->sid, new_tsec->sid,
2264 				  SECCLASS_PROCESS2, av, NULL);
2265 		if (!rc)
2266 			return 0;
2267 	}
2268 
2269 	/*
2270 	 * We also permit NNP or nosuid transitions to bounded SIDs,
2271 	 * i.e. SIDs that are guaranteed to only be allowed a subset
2272 	 * of the permissions of the current SID.
2273 	 */
2274 	rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2275 					 new_tsec->sid);
2276 	if (!rc)
2277 		return 0;
2278 
2279 	/*
2280 	 * On failure, preserve the errno values for NNP vs nosuid.
2281 	 * NNP:  Operation not permitted for caller.
2282 	 * nosuid:  Permission denied to file.
2283 	 */
2284 	if (nnp)
2285 		return -EPERM;
2286 	return -EACCES;
2287 }
2288 
2289 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2290 {
2291 	const struct task_security_struct *old_tsec;
2292 	struct task_security_struct *new_tsec;
2293 	struct inode_security_struct *isec;
2294 	struct common_audit_data ad;
2295 	struct inode *inode = file_inode(bprm->file);
2296 	int rc;
2297 
2298 	/* SELinux context only depends on initial program or script and not
2299 	 * the script interpreter */
2300 
2301 	old_tsec = selinux_cred(current_cred());
2302 	new_tsec = selinux_cred(bprm->cred);
2303 	isec = inode_security(inode);
2304 
2305 	/* Default to the current task SID. */
2306 	new_tsec->sid = old_tsec->sid;
2307 	new_tsec->osid = old_tsec->sid;
2308 
2309 	/* Reset fs, key, and sock SIDs on execve. */
2310 	new_tsec->create_sid = 0;
2311 	new_tsec->keycreate_sid = 0;
2312 	new_tsec->sockcreate_sid = 0;
2313 
2314 	if (old_tsec->exec_sid) {
2315 		new_tsec->sid = old_tsec->exec_sid;
2316 		/* Reset exec SID on execve. */
2317 		new_tsec->exec_sid = 0;
2318 
2319 		/* Fail on NNP or nosuid if not an allowed transition. */
2320 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2321 		if (rc)
2322 			return rc;
2323 	} else {
2324 		/* Check for a default transition on this program. */
2325 		rc = security_transition_sid(&selinux_state, old_tsec->sid,
2326 					     isec->sid, SECCLASS_PROCESS, NULL,
2327 					     &new_tsec->sid);
2328 		if (rc)
2329 			return rc;
2330 
2331 		/*
2332 		 * Fallback to old SID on NNP or nosuid if not an allowed
2333 		 * transition.
2334 		 */
2335 		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2336 		if (rc)
2337 			new_tsec->sid = old_tsec->sid;
2338 	}
2339 
2340 	ad.type = LSM_AUDIT_DATA_FILE;
2341 	ad.u.file = bprm->file;
2342 
2343 	if (new_tsec->sid == old_tsec->sid) {
2344 		rc = avc_has_perm(&selinux_state,
2345 				  old_tsec->sid, isec->sid,
2346 				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2347 		if (rc)
2348 			return rc;
2349 	} else {
2350 		/* Check permissions for the transition. */
2351 		rc = avc_has_perm(&selinux_state,
2352 				  old_tsec->sid, new_tsec->sid,
2353 				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354 		if (rc)
2355 			return rc;
2356 
2357 		rc = avc_has_perm(&selinux_state,
2358 				  new_tsec->sid, isec->sid,
2359 				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2360 		if (rc)
2361 			return rc;
2362 
2363 		/* Check for shared state */
2364 		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2365 			rc = avc_has_perm(&selinux_state,
2366 					  old_tsec->sid, new_tsec->sid,
2367 					  SECCLASS_PROCESS, PROCESS__SHARE,
2368 					  NULL);
2369 			if (rc)
2370 				return -EPERM;
2371 		}
2372 
2373 		/* Make sure that anyone attempting to ptrace over a task that
2374 		 * changes its SID has the appropriate permit */
2375 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2376 			u32 ptsid = ptrace_parent_sid();
2377 			if (ptsid != 0) {
2378 				rc = avc_has_perm(&selinux_state,
2379 						  ptsid, new_tsec->sid,
2380 						  SECCLASS_PROCESS,
2381 						  PROCESS__PTRACE, NULL);
2382 				if (rc)
2383 					return -EPERM;
2384 			}
2385 		}
2386 
2387 		/* Clear any possibly unsafe personality bits on exec: */
2388 		bprm->per_clear |= PER_CLEAR_ON_SETID;
2389 
2390 		/* Enable secure mode for SIDs transitions unless
2391 		   the noatsecure permission is granted between
2392 		   the two SIDs, i.e. ahp returns 0. */
2393 		rc = avc_has_perm(&selinux_state,
2394 				  old_tsec->sid, new_tsec->sid,
2395 				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2396 				  NULL);
2397 		bprm->secureexec |= !!rc;
2398 	}
2399 
2400 	return 0;
2401 }
2402 
2403 static int match_file(const void *p, struct file *file, unsigned fd)
2404 {
2405 	return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2406 }
2407 
2408 /* Derived from fs/exec.c:flush_old_files. */
2409 static inline void flush_unauthorized_files(const struct cred *cred,
2410 					    struct files_struct *files)
2411 {
2412 	struct file *file, *devnull = NULL;
2413 	struct tty_struct *tty;
2414 	int drop_tty = 0;
2415 	unsigned n;
2416 
2417 	tty = get_current_tty();
2418 	if (tty) {
2419 		spin_lock(&tty->files_lock);
2420 		if (!list_empty(&tty->tty_files)) {
2421 			struct tty_file_private *file_priv;
2422 
2423 			/* Revalidate access to controlling tty.
2424 			   Use file_path_has_perm on the tty path directly
2425 			   rather than using file_has_perm, as this particular
2426 			   open file may belong to another process and we are
2427 			   only interested in the inode-based check here. */
2428 			file_priv = list_first_entry(&tty->tty_files,
2429 						struct tty_file_private, list);
2430 			file = file_priv->file;
2431 			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2432 				drop_tty = 1;
2433 		}
2434 		spin_unlock(&tty->files_lock);
2435 		tty_kref_put(tty);
2436 	}
2437 	/* Reset controlling tty. */
2438 	if (drop_tty)
2439 		no_tty();
2440 
2441 	/* Revalidate access to inherited open files. */
2442 	n = iterate_fd(files, 0, match_file, cred);
2443 	if (!n) /* none found? */
2444 		return;
2445 
2446 	devnull = dentry_open(&selinux_null, O_RDWR, cred);
2447 	if (IS_ERR(devnull))
2448 		devnull = NULL;
2449 	/* replace all the matching ones with this */
2450 	do {
2451 		replace_fd(n - 1, devnull, 0);
2452 	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2453 	if (devnull)
2454 		fput(devnull);
2455 }
2456 
2457 /*
2458  * Prepare a process for imminent new credential changes due to exec
2459  */
2460 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2461 {
2462 	struct task_security_struct *new_tsec;
2463 	struct rlimit *rlim, *initrlim;
2464 	int rc, i;
2465 
2466 	new_tsec = selinux_cred(bprm->cred);
2467 	if (new_tsec->sid == new_tsec->osid)
2468 		return;
2469 
2470 	/* Close files for which the new task SID is not authorized. */
2471 	flush_unauthorized_files(bprm->cred, current->files);
2472 
2473 	/* Always clear parent death signal on SID transitions. */
2474 	current->pdeath_signal = 0;
2475 
2476 	/* Check whether the new SID can inherit resource limits from the old
2477 	 * SID.  If not, reset all soft limits to the lower of the current
2478 	 * task's hard limit and the init task's soft limit.
2479 	 *
2480 	 * Note that the setting of hard limits (even to lower them) can be
2481 	 * controlled by the setrlimit check.  The inclusion of the init task's
2482 	 * soft limit into the computation is to avoid resetting soft limits
2483 	 * higher than the default soft limit for cases where the default is
2484 	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2485 	 */
2486 	rc = avc_has_perm(&selinux_state,
2487 			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2488 			  PROCESS__RLIMITINH, NULL);
2489 	if (rc) {
2490 		/* protect against do_prlimit() */
2491 		task_lock(current);
2492 		for (i = 0; i < RLIM_NLIMITS; i++) {
2493 			rlim = current->signal->rlim + i;
2494 			initrlim = init_task.signal->rlim + i;
2495 			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2496 		}
2497 		task_unlock(current);
2498 		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2499 			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2500 	}
2501 }
2502 
2503 /*
2504  * Clean up the process immediately after the installation of new credentials
2505  * due to exec
2506  */
2507 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2508 {
2509 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2510 	u32 osid, sid;
2511 	int rc;
2512 
2513 	osid = tsec->osid;
2514 	sid = tsec->sid;
2515 
2516 	if (sid == osid)
2517 		return;
2518 
2519 	/* Check whether the new SID can inherit signal state from the old SID.
2520 	 * If not, clear itimers to avoid subsequent signal generation and
2521 	 * flush and unblock signals.
2522 	 *
2523 	 * This must occur _after_ the task SID has been updated so that any
2524 	 * kill done after the flush will be checked against the new SID.
2525 	 */
2526 	rc = avc_has_perm(&selinux_state,
2527 			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2528 	if (rc) {
2529 		clear_itimer();
2530 
2531 		spin_lock_irq(&current->sighand->siglock);
2532 		if (!fatal_signal_pending(current)) {
2533 			flush_sigqueue(&current->pending);
2534 			flush_sigqueue(&current->signal->shared_pending);
2535 			flush_signal_handlers(current, 1);
2536 			sigemptyset(&current->blocked);
2537 			recalc_sigpending();
2538 		}
2539 		spin_unlock_irq(&current->sighand->siglock);
2540 	}
2541 
2542 	/* Wake up the parent if it is waiting so that it can recheck
2543 	 * wait permission to the new task SID. */
2544 	read_lock(&tasklist_lock);
2545 	__wake_up_parent(current, current->real_parent);
2546 	read_unlock(&tasklist_lock);
2547 }
2548 
2549 /* superblock security operations */
2550 
2551 static int selinux_sb_alloc_security(struct super_block *sb)
2552 {
2553 	struct superblock_security_struct *sbsec;
2554 
2555 	sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2556 	if (!sbsec)
2557 		return -ENOMEM;
2558 
2559 	mutex_init(&sbsec->lock);
2560 	INIT_LIST_HEAD(&sbsec->isec_head);
2561 	spin_lock_init(&sbsec->isec_lock);
2562 	sbsec->sb = sb;
2563 	sbsec->sid = SECINITSID_UNLABELED;
2564 	sbsec->def_sid = SECINITSID_FILE;
2565 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2566 	sb->s_security = sbsec;
2567 
2568 	return 0;
2569 }
2570 
2571 static void selinux_sb_free_security(struct super_block *sb)
2572 {
2573 	superblock_free_security(sb);
2574 }
2575 
2576 static inline int opt_len(const char *s)
2577 {
2578 	bool open_quote = false;
2579 	int len;
2580 	char c;
2581 
2582 	for (len = 0; (c = s[len]) != '\0'; len++) {
2583 		if (c == '"')
2584 			open_quote = !open_quote;
2585 		if (c == ',' && !open_quote)
2586 			break;
2587 	}
2588 	return len;
2589 }
2590 
2591 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2592 {
2593 	char *from = options;
2594 	char *to = options;
2595 	bool first = true;
2596 	int rc;
2597 
2598 	while (1) {
2599 		int len = opt_len(from);
2600 		int token;
2601 		char *arg = NULL;
2602 
2603 		token = match_opt_prefix(from, len, &arg);
2604 
2605 		if (token != Opt_error) {
2606 			char *p, *q;
2607 
2608 			/* strip quotes */
2609 			if (arg) {
2610 				for (p = q = arg; p < from + len; p++) {
2611 					char c = *p;
2612 					if (c != '"')
2613 						*q++ = c;
2614 				}
2615 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2616 				if (!arg) {
2617 					rc = -ENOMEM;
2618 					goto free_opt;
2619 				}
2620 			}
2621 			rc = selinux_add_opt(token, arg, mnt_opts);
2622 			if (unlikely(rc)) {
2623 				kfree(arg);
2624 				goto free_opt;
2625 			}
2626 		} else {
2627 			if (!first) {	// copy with preceding comma
2628 				from--;
2629 				len++;
2630 			}
2631 			if (to != from)
2632 				memmove(to, from, len);
2633 			to += len;
2634 			first = false;
2635 		}
2636 		if (!from[len])
2637 			break;
2638 		from += len + 1;
2639 	}
2640 	*to = '\0';
2641 	return 0;
2642 
2643 free_opt:
2644 	if (*mnt_opts) {
2645 		selinux_free_mnt_opts(*mnt_opts);
2646 		*mnt_opts = NULL;
2647 	}
2648 	return rc;
2649 }
2650 
2651 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2652 {
2653 	struct selinux_mnt_opts *opts = mnt_opts;
2654 	struct superblock_security_struct *sbsec = sb->s_security;
2655 	u32 sid;
2656 	int rc;
2657 
2658 	if (!(sbsec->flags & SE_SBINITIALIZED))
2659 		return 0;
2660 
2661 	if (!opts)
2662 		return 0;
2663 
2664 	if (opts->fscontext) {
2665 		rc = parse_sid(sb, opts->fscontext, &sid);
2666 		if (rc)
2667 			return rc;
2668 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2669 			goto out_bad_option;
2670 	}
2671 	if (opts->context) {
2672 		rc = parse_sid(sb, opts->context, &sid);
2673 		if (rc)
2674 			return rc;
2675 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2676 			goto out_bad_option;
2677 	}
2678 	if (opts->rootcontext) {
2679 		struct inode_security_struct *root_isec;
2680 		root_isec = backing_inode_security(sb->s_root);
2681 		rc = parse_sid(sb, opts->rootcontext, &sid);
2682 		if (rc)
2683 			return rc;
2684 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2685 			goto out_bad_option;
2686 	}
2687 	if (opts->defcontext) {
2688 		rc = parse_sid(sb, opts->defcontext, &sid);
2689 		if (rc)
2690 			return rc;
2691 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2692 			goto out_bad_option;
2693 	}
2694 	return 0;
2695 
2696 out_bad_option:
2697 	pr_warn("SELinux: unable to change security options "
2698 	       "during remount (dev %s, type=%s)\n", sb->s_id,
2699 	       sb->s_type->name);
2700 	return -EINVAL;
2701 }
2702 
2703 static int selinux_sb_kern_mount(struct super_block *sb)
2704 {
2705 	const struct cred *cred = current_cred();
2706 	struct common_audit_data ad;
2707 
2708 	ad.type = LSM_AUDIT_DATA_DENTRY;
2709 	ad.u.dentry = sb->s_root;
2710 	return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2711 }
2712 
2713 static int selinux_sb_statfs(struct dentry *dentry)
2714 {
2715 	const struct cred *cred = current_cred();
2716 	struct common_audit_data ad;
2717 
2718 	ad.type = LSM_AUDIT_DATA_DENTRY;
2719 	ad.u.dentry = dentry->d_sb->s_root;
2720 	return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2721 }
2722 
2723 static int selinux_mount(const char *dev_name,
2724 			 const struct path *path,
2725 			 const char *type,
2726 			 unsigned long flags,
2727 			 void *data)
2728 {
2729 	const struct cred *cred = current_cred();
2730 
2731 	if (flags & MS_REMOUNT)
2732 		return superblock_has_perm(cred, path->dentry->d_sb,
2733 					   FILESYSTEM__REMOUNT, NULL);
2734 	else
2735 		return path_has_perm(cred, path, FILE__MOUNTON);
2736 }
2737 
2738 static int selinux_move_mount(const struct path *from_path,
2739 			      const struct path *to_path)
2740 {
2741 	const struct cred *cred = current_cred();
2742 
2743 	return path_has_perm(cred, to_path, FILE__MOUNTON);
2744 }
2745 
2746 static int selinux_umount(struct vfsmount *mnt, int flags)
2747 {
2748 	const struct cred *cred = current_cred();
2749 
2750 	return superblock_has_perm(cred, mnt->mnt_sb,
2751 				   FILESYSTEM__UNMOUNT, NULL);
2752 }
2753 
2754 static int selinux_fs_context_dup(struct fs_context *fc,
2755 				  struct fs_context *src_fc)
2756 {
2757 	const struct selinux_mnt_opts *src = src_fc->security;
2758 	struct selinux_mnt_opts *opts;
2759 
2760 	if (!src)
2761 		return 0;
2762 
2763 	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2764 	if (!fc->security)
2765 		return -ENOMEM;
2766 
2767 	opts = fc->security;
2768 
2769 	if (src->fscontext) {
2770 		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2771 		if (!opts->fscontext)
2772 			return -ENOMEM;
2773 	}
2774 	if (src->context) {
2775 		opts->context = kstrdup(src->context, GFP_KERNEL);
2776 		if (!opts->context)
2777 			return -ENOMEM;
2778 	}
2779 	if (src->rootcontext) {
2780 		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2781 		if (!opts->rootcontext)
2782 			return -ENOMEM;
2783 	}
2784 	if (src->defcontext) {
2785 		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2786 		if (!opts->defcontext)
2787 			return -ENOMEM;
2788 	}
2789 	return 0;
2790 }
2791 
2792 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2793 	fsparam_string(CONTEXT_STR,	Opt_context),
2794 	fsparam_string(DEFCONTEXT_STR,	Opt_defcontext),
2795 	fsparam_string(FSCONTEXT_STR,	Opt_fscontext),
2796 	fsparam_string(ROOTCONTEXT_STR,	Opt_rootcontext),
2797 	fsparam_flag  (SECLABEL_STR,	Opt_seclabel),
2798 	{}
2799 };
2800 
2801 static int selinux_fs_context_parse_param(struct fs_context *fc,
2802 					  struct fs_parameter *param)
2803 {
2804 	struct fs_parse_result result;
2805 	int opt, rc;
2806 
2807 	opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2808 	if (opt < 0)
2809 		return opt;
2810 
2811 	rc = selinux_add_opt(opt, param->string, &fc->security);
2812 	if (!rc) {
2813 		param->string = NULL;
2814 		rc = 1;
2815 	}
2816 	return rc;
2817 }
2818 
2819 /* inode security operations */
2820 
2821 static int selinux_inode_alloc_security(struct inode *inode)
2822 {
2823 	struct inode_security_struct *isec = selinux_inode(inode);
2824 	u32 sid = current_sid();
2825 
2826 	spin_lock_init(&isec->lock);
2827 	INIT_LIST_HEAD(&isec->list);
2828 	isec->inode = inode;
2829 	isec->sid = SECINITSID_UNLABELED;
2830 	isec->sclass = SECCLASS_FILE;
2831 	isec->task_sid = sid;
2832 	isec->initialized = LABEL_INVALID;
2833 
2834 	return 0;
2835 }
2836 
2837 static void selinux_inode_free_security(struct inode *inode)
2838 {
2839 	inode_free_security(inode);
2840 }
2841 
2842 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2843 					const struct qstr *name, void **ctx,
2844 					u32 *ctxlen)
2845 {
2846 	u32 newsid;
2847 	int rc;
2848 
2849 	rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2850 					   d_inode(dentry->d_parent), name,
2851 					   inode_mode_to_security_class(mode),
2852 					   &newsid);
2853 	if (rc)
2854 		return rc;
2855 
2856 	return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2857 				       ctxlen);
2858 }
2859 
2860 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2861 					  struct qstr *name,
2862 					  const struct cred *old,
2863 					  struct cred *new)
2864 {
2865 	u32 newsid;
2866 	int rc;
2867 	struct task_security_struct *tsec;
2868 
2869 	rc = selinux_determine_inode_label(selinux_cred(old),
2870 					   d_inode(dentry->d_parent), name,
2871 					   inode_mode_to_security_class(mode),
2872 					   &newsid);
2873 	if (rc)
2874 		return rc;
2875 
2876 	tsec = selinux_cred(new);
2877 	tsec->create_sid = newsid;
2878 	return 0;
2879 }
2880 
2881 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2882 				       const struct qstr *qstr,
2883 				       const char **name,
2884 				       void **value, size_t *len)
2885 {
2886 	const struct task_security_struct *tsec = selinux_cred(current_cred());
2887 	struct superblock_security_struct *sbsec;
2888 	u32 newsid, clen;
2889 	int rc;
2890 	char *context;
2891 
2892 	sbsec = dir->i_sb->s_security;
2893 
2894 	newsid = tsec->create_sid;
2895 
2896 	rc = selinux_determine_inode_label(tsec, dir, qstr,
2897 		inode_mode_to_security_class(inode->i_mode),
2898 		&newsid);
2899 	if (rc)
2900 		return rc;
2901 
2902 	/* Possibly defer initialization to selinux_complete_init. */
2903 	if (sbsec->flags & SE_SBINITIALIZED) {
2904 		struct inode_security_struct *isec = selinux_inode(inode);
2905 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
2906 		isec->sid = newsid;
2907 		isec->initialized = LABEL_INITIALIZED;
2908 	}
2909 
2910 	if (!selinux_initialized(&selinux_state) ||
2911 	    !(sbsec->flags & SBLABEL_MNT))
2912 		return -EOPNOTSUPP;
2913 
2914 	if (name)
2915 		*name = XATTR_SELINUX_SUFFIX;
2916 
2917 	if (value && len) {
2918 		rc = security_sid_to_context_force(&selinux_state, newsid,
2919 						   &context, &clen);
2920 		if (rc)
2921 			return rc;
2922 		*value = context;
2923 		*len = clen;
2924 	}
2925 
2926 	return 0;
2927 }
2928 
2929 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2930 {
2931 	return may_create(dir, dentry, SECCLASS_FILE);
2932 }
2933 
2934 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2935 {
2936 	return may_link(dir, old_dentry, MAY_LINK);
2937 }
2938 
2939 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2940 {
2941 	return may_link(dir, dentry, MAY_UNLINK);
2942 }
2943 
2944 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2945 {
2946 	return may_create(dir, dentry, SECCLASS_LNK_FILE);
2947 }
2948 
2949 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2950 {
2951 	return may_create(dir, dentry, SECCLASS_DIR);
2952 }
2953 
2954 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2955 {
2956 	return may_link(dir, dentry, MAY_RMDIR);
2957 }
2958 
2959 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2960 {
2961 	return may_create(dir, dentry, inode_mode_to_security_class(mode));
2962 }
2963 
2964 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2965 				struct inode *new_inode, struct dentry *new_dentry)
2966 {
2967 	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2968 }
2969 
2970 static int selinux_inode_readlink(struct dentry *dentry)
2971 {
2972 	const struct cred *cred = current_cred();
2973 
2974 	return dentry_has_perm(cred, dentry, FILE__READ);
2975 }
2976 
2977 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2978 				     bool rcu)
2979 {
2980 	const struct cred *cred = current_cred();
2981 	struct common_audit_data ad;
2982 	struct inode_security_struct *isec;
2983 	u32 sid;
2984 
2985 	validate_creds(cred);
2986 
2987 	ad.type = LSM_AUDIT_DATA_DENTRY;
2988 	ad.u.dentry = dentry;
2989 	sid = cred_sid(cred);
2990 	isec = inode_security_rcu(inode, rcu);
2991 	if (IS_ERR(isec))
2992 		return PTR_ERR(isec);
2993 
2994 	return avc_has_perm_flags(&selinux_state,
2995 				  sid, isec->sid, isec->sclass, FILE__READ, &ad,
2996 				  rcu ? MAY_NOT_BLOCK : 0);
2997 }
2998 
2999 static noinline int audit_inode_permission(struct inode *inode,
3000 					   u32 perms, u32 audited, u32 denied,
3001 					   int result)
3002 {
3003 	struct common_audit_data ad;
3004 	struct inode_security_struct *isec = selinux_inode(inode);
3005 	int rc;
3006 
3007 	ad.type = LSM_AUDIT_DATA_INODE;
3008 	ad.u.inode = inode;
3009 
3010 	rc = slow_avc_audit(&selinux_state,
3011 			    current_sid(), isec->sid, isec->sclass, perms,
3012 			    audited, denied, result, &ad);
3013 	if (rc)
3014 		return rc;
3015 	return 0;
3016 }
3017 
3018 static int selinux_inode_permission(struct inode *inode, int mask)
3019 {
3020 	const struct cred *cred = current_cred();
3021 	u32 perms;
3022 	bool from_access;
3023 	bool no_block = mask & MAY_NOT_BLOCK;
3024 	struct inode_security_struct *isec;
3025 	u32 sid;
3026 	struct av_decision avd;
3027 	int rc, rc2;
3028 	u32 audited, denied;
3029 
3030 	from_access = mask & MAY_ACCESS;
3031 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3032 
3033 	/* No permission to check.  Existence test. */
3034 	if (!mask)
3035 		return 0;
3036 
3037 	validate_creds(cred);
3038 
3039 	if (unlikely(IS_PRIVATE(inode)))
3040 		return 0;
3041 
3042 	perms = file_mask_to_av(inode->i_mode, mask);
3043 
3044 	sid = cred_sid(cred);
3045 	isec = inode_security_rcu(inode, no_block);
3046 	if (IS_ERR(isec))
3047 		return PTR_ERR(isec);
3048 
3049 	rc = avc_has_perm_noaudit(&selinux_state,
3050 				  sid, isec->sid, isec->sclass, perms,
3051 				  no_block ? AVC_NONBLOCKING : 0,
3052 				  &avd);
3053 	audited = avc_audit_required(perms, &avd, rc,
3054 				     from_access ? FILE__AUDIT_ACCESS : 0,
3055 				     &denied);
3056 	if (likely(!audited))
3057 		return rc;
3058 
3059 	/* fall back to ref-walk if we have to generate audit */
3060 	if (no_block)
3061 		return -ECHILD;
3062 
3063 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3064 	if (rc2)
3065 		return rc2;
3066 	return rc;
3067 }
3068 
3069 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3070 {
3071 	const struct cred *cred = current_cred();
3072 	struct inode *inode = d_backing_inode(dentry);
3073 	unsigned int ia_valid = iattr->ia_valid;
3074 	__u32 av = FILE__WRITE;
3075 
3076 	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3077 	if (ia_valid & ATTR_FORCE) {
3078 		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3079 			      ATTR_FORCE);
3080 		if (!ia_valid)
3081 			return 0;
3082 	}
3083 
3084 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3085 			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3086 		return dentry_has_perm(cred, dentry, FILE__SETATTR);
3087 
3088 	if (selinux_policycap_openperm() &&
3089 	    inode->i_sb->s_magic != SOCKFS_MAGIC &&
3090 	    (ia_valid & ATTR_SIZE) &&
3091 	    !(ia_valid & ATTR_FILE))
3092 		av |= FILE__OPEN;
3093 
3094 	return dentry_has_perm(cred, dentry, av);
3095 }
3096 
3097 static int selinux_inode_getattr(const struct path *path)
3098 {
3099 	return path_has_perm(current_cred(), path, FILE__GETATTR);
3100 }
3101 
3102 static bool has_cap_mac_admin(bool audit)
3103 {
3104 	const struct cred *cred = current_cred();
3105 	unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3106 
3107 	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3108 		return false;
3109 	if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3110 		return false;
3111 	return true;
3112 }
3113 
3114 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3115 				  const void *value, size_t size, int flags)
3116 {
3117 	struct inode *inode = d_backing_inode(dentry);
3118 	struct inode_security_struct *isec;
3119 	struct superblock_security_struct *sbsec;
3120 	struct common_audit_data ad;
3121 	u32 newsid, sid = current_sid();
3122 	int rc = 0;
3123 
3124 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3125 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
3126 		if (rc)
3127 			return rc;
3128 
3129 		/* Not an attribute we recognize, so just check the
3130 		   ordinary setattr permission. */
3131 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3132 	}
3133 
3134 	if (!selinux_initialized(&selinux_state))
3135 		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3136 
3137 	sbsec = inode->i_sb->s_security;
3138 	if (!(sbsec->flags & SBLABEL_MNT))
3139 		return -EOPNOTSUPP;
3140 
3141 	if (!inode_owner_or_capable(inode))
3142 		return -EPERM;
3143 
3144 	ad.type = LSM_AUDIT_DATA_DENTRY;
3145 	ad.u.dentry = dentry;
3146 
3147 	isec = backing_inode_security(dentry);
3148 	rc = avc_has_perm(&selinux_state,
3149 			  sid, isec->sid, isec->sclass,
3150 			  FILE__RELABELFROM, &ad);
3151 	if (rc)
3152 		return rc;
3153 
3154 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3155 				     GFP_KERNEL);
3156 	if (rc == -EINVAL) {
3157 		if (!has_cap_mac_admin(true)) {
3158 			struct audit_buffer *ab;
3159 			size_t audit_size;
3160 
3161 			/* We strip a nul only if it is at the end, otherwise the
3162 			 * context contains a nul and we should audit that */
3163 			if (value) {
3164 				const char *str = value;
3165 
3166 				if (str[size - 1] == '\0')
3167 					audit_size = size - 1;
3168 				else
3169 					audit_size = size;
3170 			} else {
3171 				audit_size = 0;
3172 			}
3173 			ab = audit_log_start(audit_context(),
3174 					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
3175 			audit_log_format(ab, "op=setxattr invalid_context=");
3176 			audit_log_n_untrustedstring(ab, value, audit_size);
3177 			audit_log_end(ab);
3178 
3179 			return rc;
3180 		}
3181 		rc = security_context_to_sid_force(&selinux_state, value,
3182 						   size, &newsid);
3183 	}
3184 	if (rc)
3185 		return rc;
3186 
3187 	rc = avc_has_perm(&selinux_state,
3188 			  sid, newsid, isec->sclass,
3189 			  FILE__RELABELTO, &ad);
3190 	if (rc)
3191 		return rc;
3192 
3193 	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3194 					  sid, isec->sclass);
3195 	if (rc)
3196 		return rc;
3197 
3198 	return avc_has_perm(&selinux_state,
3199 			    newsid,
3200 			    sbsec->sid,
3201 			    SECCLASS_FILESYSTEM,
3202 			    FILESYSTEM__ASSOCIATE,
3203 			    &ad);
3204 }
3205 
3206 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3207 					const void *value, size_t size,
3208 					int flags)
3209 {
3210 	struct inode *inode = d_backing_inode(dentry);
3211 	struct inode_security_struct *isec;
3212 	u32 newsid;
3213 	int rc;
3214 
3215 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3216 		/* Not an attribute we recognize, so nothing to do. */
3217 		return;
3218 	}
3219 
3220 	if (!selinux_initialized(&selinux_state)) {
3221 		/* If we haven't even been initialized, then we can't validate
3222 		 * against a policy, so leave the label as invalid. It may
3223 		 * resolve to a valid label on the next revalidation try if
3224 		 * we've since initialized.
3225 		 */
3226 		return;
3227 	}
3228 
3229 	rc = security_context_to_sid_force(&selinux_state, value, size,
3230 					   &newsid);
3231 	if (rc) {
3232 		pr_err("SELinux:  unable to map context to SID"
3233 		       "for (%s, %lu), rc=%d\n",
3234 		       inode->i_sb->s_id, inode->i_ino, -rc);
3235 		return;
3236 	}
3237 
3238 	isec = backing_inode_security(dentry);
3239 	spin_lock(&isec->lock);
3240 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3241 	isec->sid = newsid;
3242 	isec->initialized = LABEL_INITIALIZED;
3243 	spin_unlock(&isec->lock);
3244 
3245 	return;
3246 }
3247 
3248 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3249 {
3250 	const struct cred *cred = current_cred();
3251 
3252 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3253 }
3254 
3255 static int selinux_inode_listxattr(struct dentry *dentry)
3256 {
3257 	const struct cred *cred = current_cred();
3258 
3259 	return dentry_has_perm(cred, dentry, FILE__GETATTR);
3260 }
3261 
3262 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3263 {
3264 	if (strcmp(name, XATTR_NAME_SELINUX)) {
3265 		int rc = cap_inode_removexattr(dentry, name);
3266 		if (rc)
3267 			return rc;
3268 
3269 		/* Not an attribute we recognize, so just check the
3270 		   ordinary setattr permission. */
3271 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3272 	}
3273 
3274 	/* No one is allowed to remove a SELinux security label.
3275 	   You can change the label, but all data must be labeled. */
3276 	return -EACCES;
3277 }
3278 
3279 static int selinux_path_notify(const struct path *path, u64 mask,
3280 						unsigned int obj_type)
3281 {
3282 	int ret;
3283 	u32 perm;
3284 
3285 	struct common_audit_data ad;
3286 
3287 	ad.type = LSM_AUDIT_DATA_PATH;
3288 	ad.u.path = *path;
3289 
3290 	/*
3291 	 * Set permission needed based on the type of mark being set.
3292 	 * Performs an additional check for sb watches.
3293 	 */
3294 	switch (obj_type) {
3295 	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3296 		perm = FILE__WATCH_MOUNT;
3297 		break;
3298 	case FSNOTIFY_OBJ_TYPE_SB:
3299 		perm = FILE__WATCH_SB;
3300 		ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3301 						FILESYSTEM__WATCH, &ad);
3302 		if (ret)
3303 			return ret;
3304 		break;
3305 	case FSNOTIFY_OBJ_TYPE_INODE:
3306 		perm = FILE__WATCH;
3307 		break;
3308 	default:
3309 		return -EINVAL;
3310 	}
3311 
3312 	/* blocking watches require the file:watch_with_perm permission */
3313 	if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3314 		perm |= FILE__WATCH_WITH_PERM;
3315 
3316 	/* watches on read-like events need the file:watch_reads permission */
3317 	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3318 		perm |= FILE__WATCH_READS;
3319 
3320 	return path_has_perm(current_cred(), path, perm);
3321 }
3322 
3323 /*
3324  * Copy the inode security context value to the user.
3325  *
3326  * Permission check is handled by selinux_inode_getxattr hook.
3327  */
3328 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3329 {
3330 	u32 size;
3331 	int error;
3332 	char *context = NULL;
3333 	struct inode_security_struct *isec;
3334 
3335 	/*
3336 	 * If we're not initialized yet, then we can't validate contexts, so
3337 	 * just let vfs_getxattr fall back to using the on-disk xattr.
3338 	 */
3339 	if (!selinux_initialized(&selinux_state) ||
3340 	    strcmp(name, XATTR_SELINUX_SUFFIX))
3341 		return -EOPNOTSUPP;
3342 
3343 	/*
3344 	 * If the caller has CAP_MAC_ADMIN, then get the raw context
3345 	 * value even if it is not defined by current policy; otherwise,
3346 	 * use the in-core value under current policy.
3347 	 * Use the non-auditing forms of the permission checks since
3348 	 * getxattr may be called by unprivileged processes commonly
3349 	 * and lack of permission just means that we fall back to the
3350 	 * in-core context value, not a denial.
3351 	 */
3352 	isec = inode_security(inode);
3353 	if (has_cap_mac_admin(false))
3354 		error = security_sid_to_context_force(&selinux_state,
3355 						      isec->sid, &context,
3356 						      &size);
3357 	else
3358 		error = security_sid_to_context(&selinux_state, isec->sid,
3359 						&context, &size);
3360 	if (error)
3361 		return error;
3362 	error = size;
3363 	if (alloc) {
3364 		*buffer = context;
3365 		goto out_nofree;
3366 	}
3367 	kfree(context);
3368 out_nofree:
3369 	return error;
3370 }
3371 
3372 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3373 				     const void *value, size_t size, int flags)
3374 {
3375 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3376 	struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3377 	u32 newsid;
3378 	int rc;
3379 
3380 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
3381 		return -EOPNOTSUPP;
3382 
3383 	if (!(sbsec->flags & SBLABEL_MNT))
3384 		return -EOPNOTSUPP;
3385 
3386 	if (!value || !size)
3387 		return -EACCES;
3388 
3389 	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3390 				     GFP_KERNEL);
3391 	if (rc)
3392 		return rc;
3393 
3394 	spin_lock(&isec->lock);
3395 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3396 	isec->sid = newsid;
3397 	isec->initialized = LABEL_INITIALIZED;
3398 	spin_unlock(&isec->lock);
3399 	return 0;
3400 }
3401 
3402 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3403 {
3404 	const int len = sizeof(XATTR_NAME_SELINUX);
3405 	if (buffer && len <= buffer_size)
3406 		memcpy(buffer, XATTR_NAME_SELINUX, len);
3407 	return len;
3408 }
3409 
3410 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3411 {
3412 	struct inode_security_struct *isec = inode_security_novalidate(inode);
3413 	*secid = isec->sid;
3414 }
3415 
3416 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3417 {
3418 	u32 sid;
3419 	struct task_security_struct *tsec;
3420 	struct cred *new_creds = *new;
3421 
3422 	if (new_creds == NULL) {
3423 		new_creds = prepare_creds();
3424 		if (!new_creds)
3425 			return -ENOMEM;
3426 	}
3427 
3428 	tsec = selinux_cred(new_creds);
3429 	/* Get label from overlay inode and set it in create_sid */
3430 	selinux_inode_getsecid(d_inode(src), &sid);
3431 	tsec->create_sid = sid;
3432 	*new = new_creds;
3433 	return 0;
3434 }
3435 
3436 static int selinux_inode_copy_up_xattr(const char *name)
3437 {
3438 	/* The copy_up hook above sets the initial context on an inode, but we
3439 	 * don't then want to overwrite it by blindly copying all the lower
3440 	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3441 	 */
3442 	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3443 		return 1; /* Discard */
3444 	/*
3445 	 * Any other attribute apart from SELINUX is not claimed, supported
3446 	 * by selinux.
3447 	 */
3448 	return -EOPNOTSUPP;
3449 }
3450 
3451 /* kernfs node operations */
3452 
3453 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3454 					struct kernfs_node *kn)
3455 {
3456 	const struct task_security_struct *tsec = selinux_cred(current_cred());
3457 	u32 parent_sid, newsid, clen;
3458 	int rc;
3459 	char *context;
3460 
3461 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3462 	if (rc == -ENODATA)
3463 		return 0;
3464 	else if (rc < 0)
3465 		return rc;
3466 
3467 	clen = (u32)rc;
3468 	context = kmalloc(clen, GFP_KERNEL);
3469 	if (!context)
3470 		return -ENOMEM;
3471 
3472 	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3473 	if (rc < 0) {
3474 		kfree(context);
3475 		return rc;
3476 	}
3477 
3478 	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3479 				     GFP_KERNEL);
3480 	kfree(context);
3481 	if (rc)
3482 		return rc;
3483 
3484 	if (tsec->create_sid) {
3485 		newsid = tsec->create_sid;
3486 	} else {
3487 		u16 secclass = inode_mode_to_security_class(kn->mode);
3488 		struct qstr q;
3489 
3490 		q.name = kn->name;
3491 		q.hash_len = hashlen_string(kn_dir, kn->name);
3492 
3493 		rc = security_transition_sid(&selinux_state, tsec->sid,
3494 					     parent_sid, secclass, &q,
3495 					     &newsid);
3496 		if (rc)
3497 			return rc;
3498 	}
3499 
3500 	rc = security_sid_to_context_force(&selinux_state, newsid,
3501 					   &context, &clen);
3502 	if (rc)
3503 		return rc;
3504 
3505 	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3506 			      XATTR_CREATE);
3507 	kfree(context);
3508 	return rc;
3509 }
3510 
3511 
3512 /* file security operations */
3513 
3514 static int selinux_revalidate_file_permission(struct file *file, int mask)
3515 {
3516 	const struct cred *cred = current_cred();
3517 	struct inode *inode = file_inode(file);
3518 
3519 	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3520 	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3521 		mask |= MAY_APPEND;
3522 
3523 	return file_has_perm(cred, file,
3524 			     file_mask_to_av(inode->i_mode, mask));
3525 }
3526 
3527 static int selinux_file_permission(struct file *file, int mask)
3528 {
3529 	struct inode *inode = file_inode(file);
3530 	struct file_security_struct *fsec = selinux_file(file);
3531 	struct inode_security_struct *isec;
3532 	u32 sid = current_sid();
3533 
3534 	if (!mask)
3535 		/* No permission to check.  Existence test. */
3536 		return 0;
3537 
3538 	isec = inode_security(inode);
3539 	if (sid == fsec->sid && fsec->isid == isec->sid &&
3540 	    fsec->pseqno == avc_policy_seqno(&selinux_state))
3541 		/* No change since file_open check. */
3542 		return 0;
3543 
3544 	return selinux_revalidate_file_permission(file, mask);
3545 }
3546 
3547 static int selinux_file_alloc_security(struct file *file)
3548 {
3549 	struct file_security_struct *fsec = selinux_file(file);
3550 	u32 sid = current_sid();
3551 
3552 	fsec->sid = sid;
3553 	fsec->fown_sid = sid;
3554 
3555 	return 0;
3556 }
3557 
3558 /*
3559  * Check whether a task has the ioctl permission and cmd
3560  * operation to an inode.
3561  */
3562 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3563 		u32 requested, u16 cmd)
3564 {
3565 	struct common_audit_data ad;
3566 	struct file_security_struct *fsec = selinux_file(file);
3567 	struct inode *inode = file_inode(file);
3568 	struct inode_security_struct *isec;
3569 	struct lsm_ioctlop_audit ioctl;
3570 	u32 ssid = cred_sid(cred);
3571 	int rc;
3572 	u8 driver = cmd >> 8;
3573 	u8 xperm = cmd & 0xff;
3574 
3575 	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3576 	ad.u.op = &ioctl;
3577 	ad.u.op->cmd = cmd;
3578 	ad.u.op->path = file->f_path;
3579 
3580 	if (ssid != fsec->sid) {
3581 		rc = avc_has_perm(&selinux_state,
3582 				  ssid, fsec->sid,
3583 				SECCLASS_FD,
3584 				FD__USE,
3585 				&ad);
3586 		if (rc)
3587 			goto out;
3588 	}
3589 
3590 	if (unlikely(IS_PRIVATE(inode)))
3591 		return 0;
3592 
3593 	isec = inode_security(inode);
3594 	rc = avc_has_extended_perms(&selinux_state,
3595 				    ssid, isec->sid, isec->sclass,
3596 				    requested, driver, xperm, &ad);
3597 out:
3598 	return rc;
3599 }
3600 
3601 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3602 			      unsigned long arg)
3603 {
3604 	const struct cred *cred = current_cred();
3605 	int error = 0;
3606 
3607 	switch (cmd) {
3608 	case FIONREAD:
3609 	case FIBMAP:
3610 	case FIGETBSZ:
3611 	case FS_IOC_GETFLAGS:
3612 	case FS_IOC_GETVERSION:
3613 		error = file_has_perm(cred, file, FILE__GETATTR);
3614 		break;
3615 
3616 	case FS_IOC_SETFLAGS:
3617 	case FS_IOC_SETVERSION:
3618 		error = file_has_perm(cred, file, FILE__SETATTR);
3619 		break;
3620 
3621 	/* sys_ioctl() checks */
3622 	case FIONBIO:
3623 	case FIOASYNC:
3624 		error = file_has_perm(cred, file, 0);
3625 		break;
3626 
3627 	case KDSKBENT:
3628 	case KDSKBSENT:
3629 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3630 					    CAP_OPT_NONE, true);
3631 		break;
3632 
3633 	/* default case assumes that the command will go
3634 	 * to the file's ioctl() function.
3635 	 */
3636 	default:
3637 		error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3638 	}
3639 	return error;
3640 }
3641 
3642 static int default_noexec __ro_after_init;
3643 
3644 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3645 {
3646 	const struct cred *cred = current_cred();
3647 	u32 sid = cred_sid(cred);
3648 	int rc = 0;
3649 
3650 	if (default_noexec &&
3651 	    (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3652 				   (!shared && (prot & PROT_WRITE)))) {
3653 		/*
3654 		 * We are making executable an anonymous mapping or a
3655 		 * private file mapping that will also be writable.
3656 		 * This has an additional check.
3657 		 */
3658 		rc = avc_has_perm(&selinux_state,
3659 				  sid, sid, SECCLASS_PROCESS,
3660 				  PROCESS__EXECMEM, NULL);
3661 		if (rc)
3662 			goto error;
3663 	}
3664 
3665 	if (file) {
3666 		/* read access is always possible with a mapping */
3667 		u32 av = FILE__READ;
3668 
3669 		/* write access only matters if the mapping is shared */
3670 		if (shared && (prot & PROT_WRITE))
3671 			av |= FILE__WRITE;
3672 
3673 		if (prot & PROT_EXEC)
3674 			av |= FILE__EXECUTE;
3675 
3676 		return file_has_perm(cred, file, av);
3677 	}
3678 
3679 error:
3680 	return rc;
3681 }
3682 
3683 static int selinux_mmap_addr(unsigned long addr)
3684 {
3685 	int rc = 0;
3686 
3687 	if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3688 		u32 sid = current_sid();
3689 		rc = avc_has_perm(&selinux_state,
3690 				  sid, sid, SECCLASS_MEMPROTECT,
3691 				  MEMPROTECT__MMAP_ZERO, NULL);
3692 	}
3693 
3694 	return rc;
3695 }
3696 
3697 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3698 			     unsigned long prot, unsigned long flags)
3699 {
3700 	struct common_audit_data ad;
3701 	int rc;
3702 
3703 	if (file) {
3704 		ad.type = LSM_AUDIT_DATA_FILE;
3705 		ad.u.file = file;
3706 		rc = inode_has_perm(current_cred(), file_inode(file),
3707 				    FILE__MAP, &ad);
3708 		if (rc)
3709 			return rc;
3710 	}
3711 
3712 	if (selinux_state.checkreqprot)
3713 		prot = reqprot;
3714 
3715 	return file_map_prot_check(file, prot,
3716 				   (flags & MAP_TYPE) == MAP_SHARED);
3717 }
3718 
3719 static int selinux_file_mprotect(struct vm_area_struct *vma,
3720 				 unsigned long reqprot,
3721 				 unsigned long prot)
3722 {
3723 	const struct cred *cred = current_cred();
3724 	u32 sid = cred_sid(cred);
3725 
3726 	if (selinux_state.checkreqprot)
3727 		prot = reqprot;
3728 
3729 	if (default_noexec &&
3730 	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3731 		int rc = 0;
3732 		if (vma->vm_start >= vma->vm_mm->start_brk &&
3733 		    vma->vm_end <= vma->vm_mm->brk) {
3734 			rc = avc_has_perm(&selinux_state,
3735 					  sid, sid, SECCLASS_PROCESS,
3736 					  PROCESS__EXECHEAP, NULL);
3737 		} else if (!vma->vm_file &&
3738 			   ((vma->vm_start <= vma->vm_mm->start_stack &&
3739 			     vma->vm_end >= vma->vm_mm->start_stack) ||
3740 			    vma_is_stack_for_current(vma))) {
3741 			rc = avc_has_perm(&selinux_state,
3742 					  sid, sid, SECCLASS_PROCESS,
3743 					  PROCESS__EXECSTACK, NULL);
3744 		} else if (vma->vm_file && vma->anon_vma) {
3745 			/*
3746 			 * We are making executable a file mapping that has
3747 			 * had some COW done. Since pages might have been
3748 			 * written, check ability to execute the possibly
3749 			 * modified content.  This typically should only
3750 			 * occur for text relocations.
3751 			 */
3752 			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3753 		}
3754 		if (rc)
3755 			return rc;
3756 	}
3757 
3758 	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3759 }
3760 
3761 static int selinux_file_lock(struct file *file, unsigned int cmd)
3762 {
3763 	const struct cred *cred = current_cred();
3764 
3765 	return file_has_perm(cred, file, FILE__LOCK);
3766 }
3767 
3768 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3769 			      unsigned long arg)
3770 {
3771 	const struct cred *cred = current_cred();
3772 	int err = 0;
3773 
3774 	switch (cmd) {
3775 	case F_SETFL:
3776 		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3777 			err = file_has_perm(cred, file, FILE__WRITE);
3778 			break;
3779 		}
3780 		fallthrough;
3781 	case F_SETOWN:
3782 	case F_SETSIG:
3783 	case F_GETFL:
3784 	case F_GETOWN:
3785 	case F_GETSIG:
3786 	case F_GETOWNER_UIDS:
3787 		/* Just check FD__USE permission */
3788 		err = file_has_perm(cred, file, 0);
3789 		break;
3790 	case F_GETLK:
3791 	case F_SETLK:
3792 	case F_SETLKW:
3793 	case F_OFD_GETLK:
3794 	case F_OFD_SETLK:
3795 	case F_OFD_SETLKW:
3796 #if BITS_PER_LONG == 32
3797 	case F_GETLK64:
3798 	case F_SETLK64:
3799 	case F_SETLKW64:
3800 #endif
3801 		err = file_has_perm(cred, file, FILE__LOCK);
3802 		break;
3803 	}
3804 
3805 	return err;
3806 }
3807 
3808 static void selinux_file_set_fowner(struct file *file)
3809 {
3810 	struct file_security_struct *fsec;
3811 
3812 	fsec = selinux_file(file);
3813 	fsec->fown_sid = current_sid();
3814 }
3815 
3816 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3817 				       struct fown_struct *fown, int signum)
3818 {
3819 	struct file *file;
3820 	u32 sid = task_sid(tsk);
3821 	u32 perm;
3822 	struct file_security_struct *fsec;
3823 
3824 	/* struct fown_struct is never outside the context of a struct file */
3825 	file = container_of(fown, struct file, f_owner);
3826 
3827 	fsec = selinux_file(file);
3828 
3829 	if (!signum)
3830 		perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3831 	else
3832 		perm = signal_to_av(signum);
3833 
3834 	return avc_has_perm(&selinux_state,
3835 			    fsec->fown_sid, sid,
3836 			    SECCLASS_PROCESS, perm, NULL);
3837 }
3838 
3839 static int selinux_file_receive(struct file *file)
3840 {
3841 	const struct cred *cred = current_cred();
3842 
3843 	return file_has_perm(cred, file, file_to_av(file));
3844 }
3845 
3846 static int selinux_file_open(struct file *file)
3847 {
3848 	struct file_security_struct *fsec;
3849 	struct inode_security_struct *isec;
3850 
3851 	fsec = selinux_file(file);
3852 	isec = inode_security(file_inode(file));
3853 	/*
3854 	 * Save inode label and policy sequence number
3855 	 * at open-time so that selinux_file_permission
3856 	 * can determine whether revalidation is necessary.
3857 	 * Task label is already saved in the file security
3858 	 * struct as its SID.
3859 	 */
3860 	fsec->isid = isec->sid;
3861 	fsec->pseqno = avc_policy_seqno(&selinux_state);
3862 	/*
3863 	 * Since the inode label or policy seqno may have changed
3864 	 * between the selinux_inode_permission check and the saving
3865 	 * of state above, recheck that access is still permitted.
3866 	 * Otherwise, access might never be revalidated against the
3867 	 * new inode label or new policy.
3868 	 * This check is not redundant - do not remove.
3869 	 */
3870 	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3871 }
3872 
3873 /* task security operations */
3874 
3875 static int selinux_task_alloc(struct task_struct *task,
3876 			      unsigned long clone_flags)
3877 {
3878 	u32 sid = current_sid();
3879 
3880 	return avc_has_perm(&selinux_state,
3881 			    sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3882 }
3883 
3884 /*
3885  * prepare a new set of credentials for modification
3886  */
3887 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3888 				gfp_t gfp)
3889 {
3890 	const struct task_security_struct *old_tsec = selinux_cred(old);
3891 	struct task_security_struct *tsec = selinux_cred(new);
3892 
3893 	*tsec = *old_tsec;
3894 	return 0;
3895 }
3896 
3897 /*
3898  * transfer the SELinux data to a blank set of creds
3899  */
3900 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3901 {
3902 	const struct task_security_struct *old_tsec = selinux_cred(old);
3903 	struct task_security_struct *tsec = selinux_cred(new);
3904 
3905 	*tsec = *old_tsec;
3906 }
3907 
3908 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3909 {
3910 	*secid = cred_sid(c);
3911 }
3912 
3913 /*
3914  * set the security data for a kernel service
3915  * - all the creation contexts are set to unlabelled
3916  */
3917 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3918 {
3919 	struct task_security_struct *tsec = selinux_cred(new);
3920 	u32 sid = current_sid();
3921 	int ret;
3922 
3923 	ret = avc_has_perm(&selinux_state,
3924 			   sid, secid,
3925 			   SECCLASS_KERNEL_SERVICE,
3926 			   KERNEL_SERVICE__USE_AS_OVERRIDE,
3927 			   NULL);
3928 	if (ret == 0) {
3929 		tsec->sid = secid;
3930 		tsec->create_sid = 0;
3931 		tsec->keycreate_sid = 0;
3932 		tsec->sockcreate_sid = 0;
3933 	}
3934 	return ret;
3935 }
3936 
3937 /*
3938  * set the file creation context in a security record to the same as the
3939  * objective context of the specified inode
3940  */
3941 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3942 {
3943 	struct inode_security_struct *isec = inode_security(inode);
3944 	struct task_security_struct *tsec = selinux_cred(new);
3945 	u32 sid = current_sid();
3946 	int ret;
3947 
3948 	ret = avc_has_perm(&selinux_state,
3949 			   sid, isec->sid,
3950 			   SECCLASS_KERNEL_SERVICE,
3951 			   KERNEL_SERVICE__CREATE_FILES_AS,
3952 			   NULL);
3953 
3954 	if (ret == 0)
3955 		tsec->create_sid = isec->sid;
3956 	return ret;
3957 }
3958 
3959 static int selinux_kernel_module_request(char *kmod_name)
3960 {
3961 	struct common_audit_data ad;
3962 
3963 	ad.type = LSM_AUDIT_DATA_KMOD;
3964 	ad.u.kmod_name = kmod_name;
3965 
3966 	return avc_has_perm(&selinux_state,
3967 			    current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3968 			    SYSTEM__MODULE_REQUEST, &ad);
3969 }
3970 
3971 static int selinux_kernel_module_from_file(struct file *file)
3972 {
3973 	struct common_audit_data ad;
3974 	struct inode_security_struct *isec;
3975 	struct file_security_struct *fsec;
3976 	u32 sid = current_sid();
3977 	int rc;
3978 
3979 	/* init_module */
3980 	if (file == NULL)
3981 		return avc_has_perm(&selinux_state,
3982 				    sid, sid, SECCLASS_SYSTEM,
3983 					SYSTEM__MODULE_LOAD, NULL);
3984 
3985 	/* finit_module */
3986 
3987 	ad.type = LSM_AUDIT_DATA_FILE;
3988 	ad.u.file = file;
3989 
3990 	fsec = selinux_file(file);
3991 	if (sid != fsec->sid) {
3992 		rc = avc_has_perm(&selinux_state,
3993 				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3994 		if (rc)
3995 			return rc;
3996 	}
3997 
3998 	isec = inode_security(file_inode(file));
3999 	return avc_has_perm(&selinux_state,
4000 			    sid, isec->sid, SECCLASS_SYSTEM,
4001 				SYSTEM__MODULE_LOAD, &ad);
4002 }
4003 
4004 static int selinux_kernel_read_file(struct file *file,
4005 				    enum kernel_read_file_id id)
4006 {
4007 	int rc = 0;
4008 
4009 	switch (id) {
4010 	case READING_MODULE:
4011 		rc = selinux_kernel_module_from_file(file);
4012 		break;
4013 	default:
4014 		break;
4015 	}
4016 
4017 	return rc;
4018 }
4019 
4020 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4021 {
4022 	int rc = 0;
4023 
4024 	switch (id) {
4025 	case LOADING_MODULE:
4026 		rc = selinux_kernel_module_from_file(NULL);
4027 	default:
4028 		break;
4029 	}
4030 
4031 	return rc;
4032 }
4033 
4034 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4035 {
4036 	return avc_has_perm(&selinux_state,
4037 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4038 			    PROCESS__SETPGID, NULL);
4039 }
4040 
4041 static int selinux_task_getpgid(struct task_struct *p)
4042 {
4043 	return avc_has_perm(&selinux_state,
4044 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4045 			    PROCESS__GETPGID, NULL);
4046 }
4047 
4048 static int selinux_task_getsid(struct task_struct *p)
4049 {
4050 	return avc_has_perm(&selinux_state,
4051 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4052 			    PROCESS__GETSESSION, NULL);
4053 }
4054 
4055 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4056 {
4057 	*secid = task_sid(p);
4058 }
4059 
4060 static int selinux_task_setnice(struct task_struct *p, int nice)
4061 {
4062 	return avc_has_perm(&selinux_state,
4063 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4064 			    PROCESS__SETSCHED, NULL);
4065 }
4066 
4067 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4068 {
4069 	return avc_has_perm(&selinux_state,
4070 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4071 			    PROCESS__SETSCHED, NULL);
4072 }
4073 
4074 static int selinux_task_getioprio(struct task_struct *p)
4075 {
4076 	return avc_has_perm(&selinux_state,
4077 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4078 			    PROCESS__GETSCHED, NULL);
4079 }
4080 
4081 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4082 				unsigned int flags)
4083 {
4084 	u32 av = 0;
4085 
4086 	if (!flags)
4087 		return 0;
4088 	if (flags & LSM_PRLIMIT_WRITE)
4089 		av |= PROCESS__SETRLIMIT;
4090 	if (flags & LSM_PRLIMIT_READ)
4091 		av |= PROCESS__GETRLIMIT;
4092 	return avc_has_perm(&selinux_state,
4093 			    cred_sid(cred), cred_sid(tcred),
4094 			    SECCLASS_PROCESS, av, NULL);
4095 }
4096 
4097 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4098 		struct rlimit *new_rlim)
4099 {
4100 	struct rlimit *old_rlim = p->signal->rlim + resource;
4101 
4102 	/* Control the ability to change the hard limit (whether
4103 	   lowering or raising it), so that the hard limit can
4104 	   later be used as a safe reset point for the soft limit
4105 	   upon context transitions.  See selinux_bprm_committing_creds. */
4106 	if (old_rlim->rlim_max != new_rlim->rlim_max)
4107 		return avc_has_perm(&selinux_state,
4108 				    current_sid(), task_sid(p),
4109 				    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4110 
4111 	return 0;
4112 }
4113 
4114 static int selinux_task_setscheduler(struct task_struct *p)
4115 {
4116 	return avc_has_perm(&selinux_state,
4117 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4118 			    PROCESS__SETSCHED, NULL);
4119 }
4120 
4121 static int selinux_task_getscheduler(struct task_struct *p)
4122 {
4123 	return avc_has_perm(&selinux_state,
4124 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4125 			    PROCESS__GETSCHED, NULL);
4126 }
4127 
4128 static int selinux_task_movememory(struct task_struct *p)
4129 {
4130 	return avc_has_perm(&selinux_state,
4131 			    current_sid(), task_sid(p), SECCLASS_PROCESS,
4132 			    PROCESS__SETSCHED, NULL);
4133 }
4134 
4135 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4136 				int sig, const struct cred *cred)
4137 {
4138 	u32 secid;
4139 	u32 perm;
4140 
4141 	if (!sig)
4142 		perm = PROCESS__SIGNULL; /* null signal; existence test */
4143 	else
4144 		perm = signal_to_av(sig);
4145 	if (!cred)
4146 		secid = current_sid();
4147 	else
4148 		secid = cred_sid(cred);
4149 	return avc_has_perm(&selinux_state,
4150 			    secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4151 }
4152 
4153 static void selinux_task_to_inode(struct task_struct *p,
4154 				  struct inode *inode)
4155 {
4156 	struct inode_security_struct *isec = selinux_inode(inode);
4157 	u32 sid = task_sid(p);
4158 
4159 	spin_lock(&isec->lock);
4160 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
4161 	isec->sid = sid;
4162 	isec->initialized = LABEL_INITIALIZED;
4163 	spin_unlock(&isec->lock);
4164 }
4165 
4166 /* Returns error only if unable to parse addresses */
4167 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4168 			struct common_audit_data *ad, u8 *proto)
4169 {
4170 	int offset, ihlen, ret = -EINVAL;
4171 	struct iphdr _iph, *ih;
4172 
4173 	offset = skb_network_offset(skb);
4174 	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4175 	if (ih == NULL)
4176 		goto out;
4177 
4178 	ihlen = ih->ihl * 4;
4179 	if (ihlen < sizeof(_iph))
4180 		goto out;
4181 
4182 	ad->u.net->v4info.saddr = ih->saddr;
4183 	ad->u.net->v4info.daddr = ih->daddr;
4184 	ret = 0;
4185 
4186 	if (proto)
4187 		*proto = ih->protocol;
4188 
4189 	switch (ih->protocol) {
4190 	case IPPROTO_TCP: {
4191 		struct tcphdr _tcph, *th;
4192 
4193 		if (ntohs(ih->frag_off) & IP_OFFSET)
4194 			break;
4195 
4196 		offset += ihlen;
4197 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4198 		if (th == NULL)
4199 			break;
4200 
4201 		ad->u.net->sport = th->source;
4202 		ad->u.net->dport = th->dest;
4203 		break;
4204 	}
4205 
4206 	case IPPROTO_UDP: {
4207 		struct udphdr _udph, *uh;
4208 
4209 		if (ntohs(ih->frag_off) & IP_OFFSET)
4210 			break;
4211 
4212 		offset += ihlen;
4213 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4214 		if (uh == NULL)
4215 			break;
4216 
4217 		ad->u.net->sport = uh->source;
4218 		ad->u.net->dport = uh->dest;
4219 		break;
4220 	}
4221 
4222 	case IPPROTO_DCCP: {
4223 		struct dccp_hdr _dccph, *dh;
4224 
4225 		if (ntohs(ih->frag_off) & IP_OFFSET)
4226 			break;
4227 
4228 		offset += ihlen;
4229 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4230 		if (dh == NULL)
4231 			break;
4232 
4233 		ad->u.net->sport = dh->dccph_sport;
4234 		ad->u.net->dport = dh->dccph_dport;
4235 		break;
4236 	}
4237 
4238 #if IS_ENABLED(CONFIG_IP_SCTP)
4239 	case IPPROTO_SCTP: {
4240 		struct sctphdr _sctph, *sh;
4241 
4242 		if (ntohs(ih->frag_off) & IP_OFFSET)
4243 			break;
4244 
4245 		offset += ihlen;
4246 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4247 		if (sh == NULL)
4248 			break;
4249 
4250 		ad->u.net->sport = sh->source;
4251 		ad->u.net->dport = sh->dest;
4252 		break;
4253 	}
4254 #endif
4255 	default:
4256 		break;
4257 	}
4258 out:
4259 	return ret;
4260 }
4261 
4262 #if IS_ENABLED(CONFIG_IPV6)
4263 
4264 /* Returns error only if unable to parse addresses */
4265 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4266 			struct common_audit_data *ad, u8 *proto)
4267 {
4268 	u8 nexthdr;
4269 	int ret = -EINVAL, offset;
4270 	struct ipv6hdr _ipv6h, *ip6;
4271 	__be16 frag_off;
4272 
4273 	offset = skb_network_offset(skb);
4274 	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4275 	if (ip6 == NULL)
4276 		goto out;
4277 
4278 	ad->u.net->v6info.saddr = ip6->saddr;
4279 	ad->u.net->v6info.daddr = ip6->daddr;
4280 	ret = 0;
4281 
4282 	nexthdr = ip6->nexthdr;
4283 	offset += sizeof(_ipv6h);
4284 	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4285 	if (offset < 0)
4286 		goto out;
4287 
4288 	if (proto)
4289 		*proto = nexthdr;
4290 
4291 	switch (nexthdr) {
4292 	case IPPROTO_TCP: {
4293 		struct tcphdr _tcph, *th;
4294 
4295 		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4296 		if (th == NULL)
4297 			break;
4298 
4299 		ad->u.net->sport = th->source;
4300 		ad->u.net->dport = th->dest;
4301 		break;
4302 	}
4303 
4304 	case IPPROTO_UDP: {
4305 		struct udphdr _udph, *uh;
4306 
4307 		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4308 		if (uh == NULL)
4309 			break;
4310 
4311 		ad->u.net->sport = uh->source;
4312 		ad->u.net->dport = uh->dest;
4313 		break;
4314 	}
4315 
4316 	case IPPROTO_DCCP: {
4317 		struct dccp_hdr _dccph, *dh;
4318 
4319 		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4320 		if (dh == NULL)
4321 			break;
4322 
4323 		ad->u.net->sport = dh->dccph_sport;
4324 		ad->u.net->dport = dh->dccph_dport;
4325 		break;
4326 	}
4327 
4328 #if IS_ENABLED(CONFIG_IP_SCTP)
4329 	case IPPROTO_SCTP: {
4330 		struct sctphdr _sctph, *sh;
4331 
4332 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4333 		if (sh == NULL)
4334 			break;
4335 
4336 		ad->u.net->sport = sh->source;
4337 		ad->u.net->dport = sh->dest;
4338 		break;
4339 	}
4340 #endif
4341 	/* includes fragments */
4342 	default:
4343 		break;
4344 	}
4345 out:
4346 	return ret;
4347 }
4348 
4349 #endif /* IPV6 */
4350 
4351 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4352 			     char **_addrp, int src, u8 *proto)
4353 {
4354 	char *addrp;
4355 	int ret;
4356 
4357 	switch (ad->u.net->family) {
4358 	case PF_INET:
4359 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
4360 		if (ret)
4361 			goto parse_error;
4362 		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4363 				       &ad->u.net->v4info.daddr);
4364 		goto okay;
4365 
4366 #if IS_ENABLED(CONFIG_IPV6)
4367 	case PF_INET6:
4368 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
4369 		if (ret)
4370 			goto parse_error;
4371 		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4372 				       &ad->u.net->v6info.daddr);
4373 		goto okay;
4374 #endif	/* IPV6 */
4375 	default:
4376 		addrp = NULL;
4377 		goto okay;
4378 	}
4379 
4380 parse_error:
4381 	pr_warn(
4382 	       "SELinux: failure in selinux_parse_skb(),"
4383 	       " unable to parse packet\n");
4384 	return ret;
4385 
4386 okay:
4387 	if (_addrp)
4388 		*_addrp = addrp;
4389 	return 0;
4390 }
4391 
4392 /**
4393  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4394  * @skb: the packet
4395  * @family: protocol family
4396  * @sid: the packet's peer label SID
4397  *
4398  * Description:
4399  * Check the various different forms of network peer labeling and determine
4400  * the peer label/SID for the packet; most of the magic actually occurs in
4401  * the security server function security_net_peersid_cmp().  The function
4402  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4403  * or -EACCES if @sid is invalid due to inconsistencies with the different
4404  * peer labels.
4405  *
4406  */
4407 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4408 {
4409 	int err;
4410 	u32 xfrm_sid;
4411 	u32 nlbl_sid;
4412 	u32 nlbl_type;
4413 
4414 	err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4415 	if (unlikely(err))
4416 		return -EACCES;
4417 	err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4418 	if (unlikely(err))
4419 		return -EACCES;
4420 
4421 	err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4422 					   nlbl_type, xfrm_sid, sid);
4423 	if (unlikely(err)) {
4424 		pr_warn(
4425 		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4426 		       " unable to determine packet's peer label\n");
4427 		return -EACCES;
4428 	}
4429 
4430 	return 0;
4431 }
4432 
4433 /**
4434  * selinux_conn_sid - Determine the child socket label for a connection
4435  * @sk_sid: the parent socket's SID
4436  * @skb_sid: the packet's SID
4437  * @conn_sid: the resulting connection SID
4438  *
4439  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4440  * combined with the MLS information from @skb_sid in order to create
4441  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4442  * of @sk_sid.  Returns zero on success, negative values on failure.
4443  *
4444  */
4445 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4446 {
4447 	int err = 0;
4448 
4449 	if (skb_sid != SECSID_NULL)
4450 		err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4451 					    conn_sid);
4452 	else
4453 		*conn_sid = sk_sid;
4454 
4455 	return err;
4456 }
4457 
4458 /* socket security operations */
4459 
4460 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4461 				 u16 secclass, u32 *socksid)
4462 {
4463 	if (tsec->sockcreate_sid > SECSID_NULL) {
4464 		*socksid = tsec->sockcreate_sid;
4465 		return 0;
4466 	}
4467 
4468 	return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4469 				       secclass, NULL, socksid);
4470 }
4471 
4472 static int sock_has_perm(struct sock *sk, u32 perms)
4473 {
4474 	struct sk_security_struct *sksec = sk->sk_security;
4475 	struct common_audit_data ad;
4476 	struct lsm_network_audit net = {0,};
4477 
4478 	if (sksec->sid == SECINITSID_KERNEL)
4479 		return 0;
4480 
4481 	ad.type = LSM_AUDIT_DATA_NET;
4482 	ad.u.net = &net;
4483 	ad.u.net->sk = sk;
4484 
4485 	return avc_has_perm(&selinux_state,
4486 			    current_sid(), sksec->sid, sksec->sclass, perms,
4487 			    &ad);
4488 }
4489 
4490 static int selinux_socket_create(int family, int type,
4491 				 int protocol, int kern)
4492 {
4493 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4494 	u32 newsid;
4495 	u16 secclass;
4496 	int rc;
4497 
4498 	if (kern)
4499 		return 0;
4500 
4501 	secclass = socket_type_to_security_class(family, type, protocol);
4502 	rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4503 	if (rc)
4504 		return rc;
4505 
4506 	return avc_has_perm(&selinux_state,
4507 			    tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4508 }
4509 
4510 static int selinux_socket_post_create(struct socket *sock, int family,
4511 				      int type, int protocol, int kern)
4512 {
4513 	const struct task_security_struct *tsec = selinux_cred(current_cred());
4514 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4515 	struct sk_security_struct *sksec;
4516 	u16 sclass = socket_type_to_security_class(family, type, protocol);
4517 	u32 sid = SECINITSID_KERNEL;
4518 	int err = 0;
4519 
4520 	if (!kern) {
4521 		err = socket_sockcreate_sid(tsec, sclass, &sid);
4522 		if (err)
4523 			return err;
4524 	}
4525 
4526 	isec->sclass = sclass;
4527 	isec->sid = sid;
4528 	isec->initialized = LABEL_INITIALIZED;
4529 
4530 	if (sock->sk) {
4531 		sksec = sock->sk->sk_security;
4532 		sksec->sclass = sclass;
4533 		sksec->sid = sid;
4534 		/* Allows detection of the first association on this socket */
4535 		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4536 			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4537 
4538 		err = selinux_netlbl_socket_post_create(sock->sk, family);
4539 	}
4540 
4541 	return err;
4542 }
4543 
4544 static int selinux_socket_socketpair(struct socket *socka,
4545 				     struct socket *sockb)
4546 {
4547 	struct sk_security_struct *sksec_a = socka->sk->sk_security;
4548 	struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4549 
4550 	sksec_a->peer_sid = sksec_b->sid;
4551 	sksec_b->peer_sid = sksec_a->sid;
4552 
4553 	return 0;
4554 }
4555 
4556 /* Range of port numbers used to automatically bind.
4557    Need to determine whether we should perform a name_bind
4558    permission check between the socket and the port number. */
4559 
4560 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4561 {
4562 	struct sock *sk = sock->sk;
4563 	struct sk_security_struct *sksec = sk->sk_security;
4564 	u16 family;
4565 	int err;
4566 
4567 	err = sock_has_perm(sk, SOCKET__BIND);
4568 	if (err)
4569 		goto out;
4570 
4571 	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
4572 	family = sk->sk_family;
4573 	if (family == PF_INET || family == PF_INET6) {
4574 		char *addrp;
4575 		struct common_audit_data ad;
4576 		struct lsm_network_audit net = {0,};
4577 		struct sockaddr_in *addr4 = NULL;
4578 		struct sockaddr_in6 *addr6 = NULL;
4579 		u16 family_sa;
4580 		unsigned short snum;
4581 		u32 sid, node_perm;
4582 
4583 		/*
4584 		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4585 		 * that validates multiple binding addresses. Because of this
4586 		 * need to check address->sa_family as it is possible to have
4587 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4588 		 */
4589 		if (addrlen < offsetofend(struct sockaddr, sa_family))
4590 			return -EINVAL;
4591 		family_sa = address->sa_family;
4592 		switch (family_sa) {
4593 		case AF_UNSPEC:
4594 		case AF_INET:
4595 			if (addrlen < sizeof(struct sockaddr_in))
4596 				return -EINVAL;
4597 			addr4 = (struct sockaddr_in *)address;
4598 			if (family_sa == AF_UNSPEC) {
4599 				/* see __inet_bind(), we only want to allow
4600 				 * AF_UNSPEC if the address is INADDR_ANY
4601 				 */
4602 				if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4603 					goto err_af;
4604 				family_sa = AF_INET;
4605 			}
4606 			snum = ntohs(addr4->sin_port);
4607 			addrp = (char *)&addr4->sin_addr.s_addr;
4608 			break;
4609 		case AF_INET6:
4610 			if (addrlen < SIN6_LEN_RFC2133)
4611 				return -EINVAL;
4612 			addr6 = (struct sockaddr_in6 *)address;
4613 			snum = ntohs(addr6->sin6_port);
4614 			addrp = (char *)&addr6->sin6_addr.s6_addr;
4615 			break;
4616 		default:
4617 			goto err_af;
4618 		}
4619 
4620 		ad.type = LSM_AUDIT_DATA_NET;
4621 		ad.u.net = &net;
4622 		ad.u.net->sport = htons(snum);
4623 		ad.u.net->family = family_sa;
4624 
4625 		if (snum) {
4626 			int low, high;
4627 
4628 			inet_get_local_port_range(sock_net(sk), &low, &high);
4629 
4630 			if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4631 			    snum < low || snum > high) {
4632 				err = sel_netport_sid(sk->sk_protocol,
4633 						      snum, &sid);
4634 				if (err)
4635 					goto out;
4636 				err = avc_has_perm(&selinux_state,
4637 						   sksec->sid, sid,
4638 						   sksec->sclass,
4639 						   SOCKET__NAME_BIND, &ad);
4640 				if (err)
4641 					goto out;
4642 			}
4643 		}
4644 
4645 		switch (sksec->sclass) {
4646 		case SECCLASS_TCP_SOCKET:
4647 			node_perm = TCP_SOCKET__NODE_BIND;
4648 			break;
4649 
4650 		case SECCLASS_UDP_SOCKET:
4651 			node_perm = UDP_SOCKET__NODE_BIND;
4652 			break;
4653 
4654 		case SECCLASS_DCCP_SOCKET:
4655 			node_perm = DCCP_SOCKET__NODE_BIND;
4656 			break;
4657 
4658 		case SECCLASS_SCTP_SOCKET:
4659 			node_perm = SCTP_SOCKET__NODE_BIND;
4660 			break;
4661 
4662 		default:
4663 			node_perm = RAWIP_SOCKET__NODE_BIND;
4664 			break;
4665 		}
4666 
4667 		err = sel_netnode_sid(addrp, family_sa, &sid);
4668 		if (err)
4669 			goto out;
4670 
4671 		if (family_sa == AF_INET)
4672 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4673 		else
4674 			ad.u.net->v6info.saddr = addr6->sin6_addr;
4675 
4676 		err = avc_has_perm(&selinux_state,
4677 				   sksec->sid, sid,
4678 				   sksec->sclass, node_perm, &ad);
4679 		if (err)
4680 			goto out;
4681 	}
4682 out:
4683 	return err;
4684 err_af:
4685 	/* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4686 	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4687 		return -EINVAL;
4688 	return -EAFNOSUPPORT;
4689 }
4690 
4691 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4692  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4693  */
4694 static int selinux_socket_connect_helper(struct socket *sock,
4695 					 struct sockaddr *address, int addrlen)
4696 {
4697 	struct sock *sk = sock->sk;
4698 	struct sk_security_struct *sksec = sk->sk_security;
4699 	int err;
4700 
4701 	err = sock_has_perm(sk, SOCKET__CONNECT);
4702 	if (err)
4703 		return err;
4704 	if (addrlen < offsetofend(struct sockaddr, sa_family))
4705 		return -EINVAL;
4706 
4707 	/* connect(AF_UNSPEC) has special handling, as it is a documented
4708 	 * way to disconnect the socket
4709 	 */
4710 	if (address->sa_family == AF_UNSPEC)
4711 		return 0;
4712 
4713 	/*
4714 	 * If a TCP, DCCP or SCTP socket, check name_connect permission
4715 	 * for the port.
4716 	 */
4717 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4718 	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
4719 	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
4720 		struct common_audit_data ad;
4721 		struct lsm_network_audit net = {0,};
4722 		struct sockaddr_in *addr4 = NULL;
4723 		struct sockaddr_in6 *addr6 = NULL;
4724 		unsigned short snum;
4725 		u32 sid, perm;
4726 
4727 		/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4728 		 * that validates multiple connect addresses. Because of this
4729 		 * need to check address->sa_family as it is possible to have
4730 		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4731 		 */
4732 		switch (address->sa_family) {
4733 		case AF_INET:
4734 			addr4 = (struct sockaddr_in *)address;
4735 			if (addrlen < sizeof(struct sockaddr_in))
4736 				return -EINVAL;
4737 			snum = ntohs(addr4->sin_port);
4738 			break;
4739 		case AF_INET6:
4740 			addr6 = (struct sockaddr_in6 *)address;
4741 			if (addrlen < SIN6_LEN_RFC2133)
4742 				return -EINVAL;
4743 			snum = ntohs(addr6->sin6_port);
4744 			break;
4745 		default:
4746 			/* Note that SCTP services expect -EINVAL, whereas
4747 			 * others expect -EAFNOSUPPORT.
4748 			 */
4749 			if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4750 				return -EINVAL;
4751 			else
4752 				return -EAFNOSUPPORT;
4753 		}
4754 
4755 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4756 		if (err)
4757 			return err;
4758 
4759 		switch (sksec->sclass) {
4760 		case SECCLASS_TCP_SOCKET:
4761 			perm = TCP_SOCKET__NAME_CONNECT;
4762 			break;
4763 		case SECCLASS_DCCP_SOCKET:
4764 			perm = DCCP_SOCKET__NAME_CONNECT;
4765 			break;
4766 		case SECCLASS_SCTP_SOCKET:
4767 			perm = SCTP_SOCKET__NAME_CONNECT;
4768 			break;
4769 		}
4770 
4771 		ad.type = LSM_AUDIT_DATA_NET;
4772 		ad.u.net = &net;
4773 		ad.u.net->dport = htons(snum);
4774 		ad.u.net->family = address->sa_family;
4775 		err = avc_has_perm(&selinux_state,
4776 				   sksec->sid, sid, sksec->sclass, perm, &ad);
4777 		if (err)
4778 			return err;
4779 	}
4780 
4781 	return 0;
4782 }
4783 
4784 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4785 static int selinux_socket_connect(struct socket *sock,
4786 				  struct sockaddr *address, int addrlen)
4787 {
4788 	int err;
4789 	struct sock *sk = sock->sk;
4790 
4791 	err = selinux_socket_connect_helper(sock, address, addrlen);
4792 	if (err)
4793 		return err;
4794 
4795 	return selinux_netlbl_socket_connect(sk, address);
4796 }
4797 
4798 static int selinux_socket_listen(struct socket *sock, int backlog)
4799 {
4800 	return sock_has_perm(sock->sk, SOCKET__LISTEN);
4801 }
4802 
4803 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4804 {
4805 	int err;
4806 	struct inode_security_struct *isec;
4807 	struct inode_security_struct *newisec;
4808 	u16 sclass;
4809 	u32 sid;
4810 
4811 	err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4812 	if (err)
4813 		return err;
4814 
4815 	isec = inode_security_novalidate(SOCK_INODE(sock));
4816 	spin_lock(&isec->lock);
4817 	sclass = isec->sclass;
4818 	sid = isec->sid;
4819 	spin_unlock(&isec->lock);
4820 
4821 	newisec = inode_security_novalidate(SOCK_INODE(newsock));
4822 	newisec->sclass = sclass;
4823 	newisec->sid = sid;
4824 	newisec->initialized = LABEL_INITIALIZED;
4825 
4826 	return 0;
4827 }
4828 
4829 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4830 				  int size)
4831 {
4832 	return sock_has_perm(sock->sk, SOCKET__WRITE);
4833 }
4834 
4835 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4836 				  int size, int flags)
4837 {
4838 	return sock_has_perm(sock->sk, SOCKET__READ);
4839 }
4840 
4841 static int selinux_socket_getsockname(struct socket *sock)
4842 {
4843 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4844 }
4845 
4846 static int selinux_socket_getpeername(struct socket *sock)
4847 {
4848 	return sock_has_perm(sock->sk, SOCKET__GETATTR);
4849 }
4850 
4851 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4852 {
4853 	int err;
4854 
4855 	err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4856 	if (err)
4857 		return err;
4858 
4859 	return selinux_netlbl_socket_setsockopt(sock, level, optname);
4860 }
4861 
4862 static int selinux_socket_getsockopt(struct socket *sock, int level,
4863 				     int optname)
4864 {
4865 	return sock_has_perm(sock->sk, SOCKET__GETOPT);
4866 }
4867 
4868 static int selinux_socket_shutdown(struct socket *sock, int how)
4869 {
4870 	return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4871 }
4872 
4873 static int selinux_socket_unix_stream_connect(struct sock *sock,
4874 					      struct sock *other,
4875 					      struct sock *newsk)
4876 {
4877 	struct sk_security_struct *sksec_sock = sock->sk_security;
4878 	struct sk_security_struct *sksec_other = other->sk_security;
4879 	struct sk_security_struct *sksec_new = newsk->sk_security;
4880 	struct common_audit_data ad;
4881 	struct lsm_network_audit net = {0,};
4882 	int err;
4883 
4884 	ad.type = LSM_AUDIT_DATA_NET;
4885 	ad.u.net = &net;
4886 	ad.u.net->sk = other;
4887 
4888 	err = avc_has_perm(&selinux_state,
4889 			   sksec_sock->sid, sksec_other->sid,
4890 			   sksec_other->sclass,
4891 			   UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4892 	if (err)
4893 		return err;
4894 
4895 	/* server child socket */
4896 	sksec_new->peer_sid = sksec_sock->sid;
4897 	err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4898 				    sksec_sock->sid, &sksec_new->sid);
4899 	if (err)
4900 		return err;
4901 
4902 	/* connecting socket */
4903 	sksec_sock->peer_sid = sksec_new->sid;
4904 
4905 	return 0;
4906 }
4907 
4908 static int selinux_socket_unix_may_send(struct socket *sock,
4909 					struct socket *other)
4910 {
4911 	struct sk_security_struct *ssec = sock->sk->sk_security;
4912 	struct sk_security_struct *osec = other->sk->sk_security;
4913 	struct common_audit_data ad;
4914 	struct lsm_network_audit net = {0,};
4915 
4916 	ad.type = LSM_AUDIT_DATA_NET;
4917 	ad.u.net = &net;
4918 	ad.u.net->sk = other->sk;
4919 
4920 	return avc_has_perm(&selinux_state,
4921 			    ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4922 			    &ad);
4923 }
4924 
4925 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4926 				    char *addrp, u16 family, u32 peer_sid,
4927 				    struct common_audit_data *ad)
4928 {
4929 	int err;
4930 	u32 if_sid;
4931 	u32 node_sid;
4932 
4933 	err = sel_netif_sid(ns, ifindex, &if_sid);
4934 	if (err)
4935 		return err;
4936 	err = avc_has_perm(&selinux_state,
4937 			   peer_sid, if_sid,
4938 			   SECCLASS_NETIF, NETIF__INGRESS, ad);
4939 	if (err)
4940 		return err;
4941 
4942 	err = sel_netnode_sid(addrp, family, &node_sid);
4943 	if (err)
4944 		return err;
4945 	return avc_has_perm(&selinux_state,
4946 			    peer_sid, node_sid,
4947 			    SECCLASS_NODE, NODE__RECVFROM, ad);
4948 }
4949 
4950 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4951 				       u16 family)
4952 {
4953 	int err = 0;
4954 	struct sk_security_struct *sksec = sk->sk_security;
4955 	u32 sk_sid = sksec->sid;
4956 	struct common_audit_data ad;
4957 	struct lsm_network_audit net = {0,};
4958 	char *addrp;
4959 
4960 	ad.type = LSM_AUDIT_DATA_NET;
4961 	ad.u.net = &net;
4962 	ad.u.net->netif = skb->skb_iif;
4963 	ad.u.net->family = family;
4964 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4965 	if (err)
4966 		return err;
4967 
4968 	if (selinux_secmark_enabled()) {
4969 		err = avc_has_perm(&selinux_state,
4970 				   sk_sid, skb->secmark, SECCLASS_PACKET,
4971 				   PACKET__RECV, &ad);
4972 		if (err)
4973 			return err;
4974 	}
4975 
4976 	err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4977 	if (err)
4978 		return err;
4979 	err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4980 
4981 	return err;
4982 }
4983 
4984 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4985 {
4986 	int err;
4987 	struct sk_security_struct *sksec = sk->sk_security;
4988 	u16 family = sk->sk_family;
4989 	u32 sk_sid = sksec->sid;
4990 	struct common_audit_data ad;
4991 	struct lsm_network_audit net = {0,};
4992 	char *addrp;
4993 	u8 secmark_active;
4994 	u8 peerlbl_active;
4995 
4996 	if (family != PF_INET && family != PF_INET6)
4997 		return 0;
4998 
4999 	/* Handle mapped IPv4 packets arriving via IPv6 sockets */
5000 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5001 		family = PF_INET;
5002 
5003 	/* If any sort of compatibility mode is enabled then handoff processing
5004 	 * to the selinux_sock_rcv_skb_compat() function to deal with the
5005 	 * special handling.  We do this in an attempt to keep this function
5006 	 * as fast and as clean as possible. */
5007 	if (!selinux_policycap_netpeer())
5008 		return selinux_sock_rcv_skb_compat(sk, skb, family);
5009 
5010 	secmark_active = selinux_secmark_enabled();
5011 	peerlbl_active = selinux_peerlbl_enabled();
5012 	if (!secmark_active && !peerlbl_active)
5013 		return 0;
5014 
5015 	ad.type = LSM_AUDIT_DATA_NET;
5016 	ad.u.net = &net;
5017 	ad.u.net->netif = skb->skb_iif;
5018 	ad.u.net->family = family;
5019 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5020 	if (err)
5021 		return err;
5022 
5023 	if (peerlbl_active) {
5024 		u32 peer_sid;
5025 
5026 		err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5027 		if (err)
5028 			return err;
5029 		err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5030 					       addrp, family, peer_sid, &ad);
5031 		if (err) {
5032 			selinux_netlbl_err(skb, family, err, 0);
5033 			return err;
5034 		}
5035 		err = avc_has_perm(&selinux_state,
5036 				   sk_sid, peer_sid, SECCLASS_PEER,
5037 				   PEER__RECV, &ad);
5038 		if (err) {
5039 			selinux_netlbl_err(skb, family, err, 0);
5040 			return err;
5041 		}
5042 	}
5043 
5044 	if (secmark_active) {
5045 		err = avc_has_perm(&selinux_state,
5046 				   sk_sid, skb->secmark, SECCLASS_PACKET,
5047 				   PACKET__RECV, &ad);
5048 		if (err)
5049 			return err;
5050 	}
5051 
5052 	return err;
5053 }
5054 
5055 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5056 					    int __user *optlen, unsigned len)
5057 {
5058 	int err = 0;
5059 	char *scontext;
5060 	u32 scontext_len;
5061 	struct sk_security_struct *sksec = sock->sk->sk_security;
5062 	u32 peer_sid = SECSID_NULL;
5063 
5064 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5065 	    sksec->sclass == SECCLASS_TCP_SOCKET ||
5066 	    sksec->sclass == SECCLASS_SCTP_SOCKET)
5067 		peer_sid = sksec->peer_sid;
5068 	if (peer_sid == SECSID_NULL)
5069 		return -ENOPROTOOPT;
5070 
5071 	err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5072 				      &scontext_len);
5073 	if (err)
5074 		return err;
5075 
5076 	if (scontext_len > len) {
5077 		err = -ERANGE;
5078 		goto out_len;
5079 	}
5080 
5081 	if (copy_to_user(optval, scontext, scontext_len))
5082 		err = -EFAULT;
5083 
5084 out_len:
5085 	if (put_user(scontext_len, optlen))
5086 		err = -EFAULT;
5087 	kfree(scontext);
5088 	return err;
5089 }
5090 
5091 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5092 {
5093 	u32 peer_secid = SECSID_NULL;
5094 	u16 family;
5095 	struct inode_security_struct *isec;
5096 
5097 	if (skb && skb->protocol == htons(ETH_P_IP))
5098 		family = PF_INET;
5099 	else if (skb && skb->protocol == htons(ETH_P_IPV6))
5100 		family = PF_INET6;
5101 	else if (sock)
5102 		family = sock->sk->sk_family;
5103 	else
5104 		goto out;
5105 
5106 	if (sock && family == PF_UNIX) {
5107 		isec = inode_security_novalidate(SOCK_INODE(sock));
5108 		peer_secid = isec->sid;
5109 	} else if (skb)
5110 		selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5111 
5112 out:
5113 	*secid = peer_secid;
5114 	if (peer_secid == SECSID_NULL)
5115 		return -EINVAL;
5116 	return 0;
5117 }
5118 
5119 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5120 {
5121 	struct sk_security_struct *sksec;
5122 
5123 	sksec = kzalloc(sizeof(*sksec), priority);
5124 	if (!sksec)
5125 		return -ENOMEM;
5126 
5127 	sksec->peer_sid = SECINITSID_UNLABELED;
5128 	sksec->sid = SECINITSID_UNLABELED;
5129 	sksec->sclass = SECCLASS_SOCKET;
5130 	selinux_netlbl_sk_security_reset(sksec);
5131 	sk->sk_security = sksec;
5132 
5133 	return 0;
5134 }
5135 
5136 static void selinux_sk_free_security(struct sock *sk)
5137 {
5138 	struct sk_security_struct *sksec = sk->sk_security;
5139 
5140 	sk->sk_security = NULL;
5141 	selinux_netlbl_sk_security_free(sksec);
5142 	kfree(sksec);
5143 }
5144 
5145 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5146 {
5147 	struct sk_security_struct *sksec = sk->sk_security;
5148 	struct sk_security_struct *newsksec = newsk->sk_security;
5149 
5150 	newsksec->sid = sksec->sid;
5151 	newsksec->peer_sid = sksec->peer_sid;
5152 	newsksec->sclass = sksec->sclass;
5153 
5154 	selinux_netlbl_sk_security_reset(newsksec);
5155 }
5156 
5157 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5158 {
5159 	if (!sk)
5160 		*secid = SECINITSID_ANY_SOCKET;
5161 	else {
5162 		struct sk_security_struct *sksec = sk->sk_security;
5163 
5164 		*secid = sksec->sid;
5165 	}
5166 }
5167 
5168 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5169 {
5170 	struct inode_security_struct *isec =
5171 		inode_security_novalidate(SOCK_INODE(parent));
5172 	struct sk_security_struct *sksec = sk->sk_security;
5173 
5174 	if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5175 	    sk->sk_family == PF_UNIX)
5176 		isec->sid = sksec->sid;
5177 	sksec->sclass = isec->sclass;
5178 }
5179 
5180 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5181  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5182  * already present).
5183  */
5184 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5185 				      struct sk_buff *skb)
5186 {
5187 	struct sk_security_struct *sksec = ep->base.sk->sk_security;
5188 	struct common_audit_data ad;
5189 	struct lsm_network_audit net = {0,};
5190 	u8 peerlbl_active;
5191 	u32 peer_sid = SECINITSID_UNLABELED;
5192 	u32 conn_sid;
5193 	int err = 0;
5194 
5195 	if (!selinux_policycap_extsockclass())
5196 		return 0;
5197 
5198 	peerlbl_active = selinux_peerlbl_enabled();
5199 
5200 	if (peerlbl_active) {
5201 		/* This will return peer_sid = SECSID_NULL if there are
5202 		 * no peer labels, see security_net_peersid_resolve().
5203 		 */
5204 		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5205 					      &peer_sid);
5206 		if (err)
5207 			return err;
5208 
5209 		if (peer_sid == SECSID_NULL)
5210 			peer_sid = SECINITSID_UNLABELED;
5211 	}
5212 
5213 	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5214 		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5215 
5216 		/* Here as first association on socket. As the peer SID
5217 		 * was allowed by peer recv (and the netif/node checks),
5218 		 * then it is approved by policy and used as the primary
5219 		 * peer SID for getpeercon(3).
5220 		 */
5221 		sksec->peer_sid = peer_sid;
5222 	} else if  (sksec->peer_sid != peer_sid) {
5223 		/* Other association peer SIDs are checked to enforce
5224 		 * consistency among the peer SIDs.
5225 		 */
5226 		ad.type = LSM_AUDIT_DATA_NET;
5227 		ad.u.net = &net;
5228 		ad.u.net->sk = ep->base.sk;
5229 		err = avc_has_perm(&selinux_state,
5230 				   sksec->peer_sid, peer_sid, sksec->sclass,
5231 				   SCTP_SOCKET__ASSOCIATION, &ad);
5232 		if (err)
5233 			return err;
5234 	}
5235 
5236 	/* Compute the MLS component for the connection and store
5237 	 * the information in ep. This will be used by SCTP TCP type
5238 	 * sockets and peeled off connections as they cause a new
5239 	 * socket to be generated. selinux_sctp_sk_clone() will then
5240 	 * plug this into the new socket.
5241 	 */
5242 	err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5243 	if (err)
5244 		return err;
5245 
5246 	ep->secid = conn_sid;
5247 	ep->peer_secid = peer_sid;
5248 
5249 	/* Set any NetLabel labels including CIPSO/CALIPSO options. */
5250 	return selinux_netlbl_sctp_assoc_request(ep, skb);
5251 }
5252 
5253 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5254  * based on their @optname.
5255  */
5256 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5257 				     struct sockaddr *address,
5258 				     int addrlen)
5259 {
5260 	int len, err = 0, walk_size = 0;
5261 	void *addr_buf;
5262 	struct sockaddr *addr;
5263 	struct socket *sock;
5264 
5265 	if (!selinux_policycap_extsockclass())
5266 		return 0;
5267 
5268 	/* Process one or more addresses that may be IPv4 or IPv6 */
5269 	sock = sk->sk_socket;
5270 	addr_buf = address;
5271 
5272 	while (walk_size < addrlen) {
5273 		if (walk_size + sizeof(sa_family_t) > addrlen)
5274 			return -EINVAL;
5275 
5276 		addr = addr_buf;
5277 		switch (addr->sa_family) {
5278 		case AF_UNSPEC:
5279 		case AF_INET:
5280 			len = sizeof(struct sockaddr_in);
5281 			break;
5282 		case AF_INET6:
5283 			len = sizeof(struct sockaddr_in6);
5284 			break;
5285 		default:
5286 			return -EINVAL;
5287 		}
5288 
5289 		if (walk_size + len > addrlen)
5290 			return -EINVAL;
5291 
5292 		err = -EINVAL;
5293 		switch (optname) {
5294 		/* Bind checks */
5295 		case SCTP_PRIMARY_ADDR:
5296 		case SCTP_SET_PEER_PRIMARY_ADDR:
5297 		case SCTP_SOCKOPT_BINDX_ADD:
5298 			err = selinux_socket_bind(sock, addr, len);
5299 			break;
5300 		/* Connect checks */
5301 		case SCTP_SOCKOPT_CONNECTX:
5302 		case SCTP_PARAM_SET_PRIMARY:
5303 		case SCTP_PARAM_ADD_IP:
5304 		case SCTP_SENDMSG_CONNECT:
5305 			err = selinux_socket_connect_helper(sock, addr, len);
5306 			if (err)
5307 				return err;
5308 
5309 			/* As selinux_sctp_bind_connect() is called by the
5310 			 * SCTP protocol layer, the socket is already locked,
5311 			 * therefore selinux_netlbl_socket_connect_locked() is
5312 			 * is called here. The situations handled are:
5313 			 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5314 			 * whenever a new IP address is added or when a new
5315 			 * primary address is selected.
5316 			 * Note that an SCTP connect(2) call happens before
5317 			 * the SCTP protocol layer and is handled via
5318 			 * selinux_socket_connect().
5319 			 */
5320 			err = selinux_netlbl_socket_connect_locked(sk, addr);
5321 			break;
5322 		}
5323 
5324 		if (err)
5325 			return err;
5326 
5327 		addr_buf += len;
5328 		walk_size += len;
5329 	}
5330 
5331 	return 0;
5332 }
5333 
5334 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5335 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5336 				  struct sock *newsk)
5337 {
5338 	struct sk_security_struct *sksec = sk->sk_security;
5339 	struct sk_security_struct *newsksec = newsk->sk_security;
5340 
5341 	/* If policy does not support SECCLASS_SCTP_SOCKET then call
5342 	 * the non-sctp clone version.
5343 	 */
5344 	if (!selinux_policycap_extsockclass())
5345 		return selinux_sk_clone_security(sk, newsk);
5346 
5347 	newsksec->sid = ep->secid;
5348 	newsksec->peer_sid = ep->peer_secid;
5349 	newsksec->sclass = sksec->sclass;
5350 	selinux_netlbl_sctp_sk_clone(sk, newsk);
5351 }
5352 
5353 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5354 				     struct request_sock *req)
5355 {
5356 	struct sk_security_struct *sksec = sk->sk_security;
5357 	int err;
5358 	u16 family = req->rsk_ops->family;
5359 	u32 connsid;
5360 	u32 peersid;
5361 
5362 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5363 	if (err)
5364 		return err;
5365 	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5366 	if (err)
5367 		return err;
5368 	req->secid = connsid;
5369 	req->peer_secid = peersid;
5370 
5371 	return selinux_netlbl_inet_conn_request(req, family);
5372 }
5373 
5374 static void selinux_inet_csk_clone(struct sock *newsk,
5375 				   const struct request_sock *req)
5376 {
5377 	struct sk_security_struct *newsksec = newsk->sk_security;
5378 
5379 	newsksec->sid = req->secid;
5380 	newsksec->peer_sid = req->peer_secid;
5381 	/* NOTE: Ideally, we should also get the isec->sid for the
5382 	   new socket in sync, but we don't have the isec available yet.
5383 	   So we will wait until sock_graft to do it, by which
5384 	   time it will have been created and available. */
5385 
5386 	/* We don't need to take any sort of lock here as we are the only
5387 	 * thread with access to newsksec */
5388 	selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5389 }
5390 
5391 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5392 {
5393 	u16 family = sk->sk_family;
5394 	struct sk_security_struct *sksec = sk->sk_security;
5395 
5396 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
5397 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5398 		family = PF_INET;
5399 
5400 	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5401 }
5402 
5403 static int selinux_secmark_relabel_packet(u32 sid)
5404 {
5405 	const struct task_security_struct *__tsec;
5406 	u32 tsid;
5407 
5408 	__tsec = selinux_cred(current_cred());
5409 	tsid = __tsec->sid;
5410 
5411 	return avc_has_perm(&selinux_state,
5412 			    tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5413 			    NULL);
5414 }
5415 
5416 static void selinux_secmark_refcount_inc(void)
5417 {
5418 	atomic_inc(&selinux_secmark_refcount);
5419 }
5420 
5421 static void selinux_secmark_refcount_dec(void)
5422 {
5423 	atomic_dec(&selinux_secmark_refcount);
5424 }
5425 
5426 static void selinux_req_classify_flow(const struct request_sock *req,
5427 				      struct flowi *fl)
5428 {
5429 	fl->flowi_secid = req->secid;
5430 }
5431 
5432 static int selinux_tun_dev_alloc_security(void **security)
5433 {
5434 	struct tun_security_struct *tunsec;
5435 
5436 	tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5437 	if (!tunsec)
5438 		return -ENOMEM;
5439 	tunsec->sid = current_sid();
5440 
5441 	*security = tunsec;
5442 	return 0;
5443 }
5444 
5445 static void selinux_tun_dev_free_security(void *security)
5446 {
5447 	kfree(security);
5448 }
5449 
5450 static int selinux_tun_dev_create(void)
5451 {
5452 	u32 sid = current_sid();
5453 
5454 	/* we aren't taking into account the "sockcreate" SID since the socket
5455 	 * that is being created here is not a socket in the traditional sense,
5456 	 * instead it is a private sock, accessible only to the kernel, and
5457 	 * representing a wide range of network traffic spanning multiple
5458 	 * connections unlike traditional sockets - check the TUN driver to
5459 	 * get a better understanding of why this socket is special */
5460 
5461 	return avc_has_perm(&selinux_state,
5462 			    sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5463 			    NULL);
5464 }
5465 
5466 static int selinux_tun_dev_attach_queue(void *security)
5467 {
5468 	struct tun_security_struct *tunsec = security;
5469 
5470 	return avc_has_perm(&selinux_state,
5471 			    current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5472 			    TUN_SOCKET__ATTACH_QUEUE, NULL);
5473 }
5474 
5475 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5476 {
5477 	struct tun_security_struct *tunsec = security;
5478 	struct sk_security_struct *sksec = sk->sk_security;
5479 
5480 	/* we don't currently perform any NetLabel based labeling here and it
5481 	 * isn't clear that we would want to do so anyway; while we could apply
5482 	 * labeling without the support of the TUN user the resulting labeled
5483 	 * traffic from the other end of the connection would almost certainly
5484 	 * cause confusion to the TUN user that had no idea network labeling
5485 	 * protocols were being used */
5486 
5487 	sksec->sid = tunsec->sid;
5488 	sksec->sclass = SECCLASS_TUN_SOCKET;
5489 
5490 	return 0;
5491 }
5492 
5493 static int selinux_tun_dev_open(void *security)
5494 {
5495 	struct tun_security_struct *tunsec = security;
5496 	u32 sid = current_sid();
5497 	int err;
5498 
5499 	err = avc_has_perm(&selinux_state,
5500 			   sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5501 			   TUN_SOCKET__RELABELFROM, NULL);
5502 	if (err)
5503 		return err;
5504 	err = avc_has_perm(&selinux_state,
5505 			   sid, sid, SECCLASS_TUN_SOCKET,
5506 			   TUN_SOCKET__RELABELTO, NULL);
5507 	if (err)
5508 		return err;
5509 	tunsec->sid = sid;
5510 
5511 	return 0;
5512 }
5513 
5514 #ifdef CONFIG_NETFILTER
5515 
5516 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5517 				       const struct net_device *indev,
5518 				       u16 family)
5519 {
5520 	int err;
5521 	char *addrp;
5522 	u32 peer_sid;
5523 	struct common_audit_data ad;
5524 	struct lsm_network_audit net = {0,};
5525 	u8 secmark_active;
5526 	u8 netlbl_active;
5527 	u8 peerlbl_active;
5528 
5529 	if (!selinux_policycap_netpeer())
5530 		return NF_ACCEPT;
5531 
5532 	secmark_active = selinux_secmark_enabled();
5533 	netlbl_active = netlbl_enabled();
5534 	peerlbl_active = selinux_peerlbl_enabled();
5535 	if (!secmark_active && !peerlbl_active)
5536 		return NF_ACCEPT;
5537 
5538 	if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5539 		return NF_DROP;
5540 
5541 	ad.type = LSM_AUDIT_DATA_NET;
5542 	ad.u.net = &net;
5543 	ad.u.net->netif = indev->ifindex;
5544 	ad.u.net->family = family;
5545 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5546 		return NF_DROP;
5547 
5548 	if (peerlbl_active) {
5549 		err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5550 					       addrp, family, peer_sid, &ad);
5551 		if (err) {
5552 			selinux_netlbl_err(skb, family, err, 1);
5553 			return NF_DROP;
5554 		}
5555 	}
5556 
5557 	if (secmark_active)
5558 		if (avc_has_perm(&selinux_state,
5559 				 peer_sid, skb->secmark,
5560 				 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5561 			return NF_DROP;
5562 
5563 	if (netlbl_active)
5564 		/* we do this in the FORWARD path and not the POST_ROUTING
5565 		 * path because we want to make sure we apply the necessary
5566 		 * labeling before IPsec is applied so we can leverage AH
5567 		 * protection */
5568 		if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5569 			return NF_DROP;
5570 
5571 	return NF_ACCEPT;
5572 }
5573 
5574 static unsigned int selinux_ipv4_forward(void *priv,
5575 					 struct sk_buff *skb,
5576 					 const struct nf_hook_state *state)
5577 {
5578 	return selinux_ip_forward(skb, state->in, PF_INET);
5579 }
5580 
5581 #if IS_ENABLED(CONFIG_IPV6)
5582 static unsigned int selinux_ipv6_forward(void *priv,
5583 					 struct sk_buff *skb,
5584 					 const struct nf_hook_state *state)
5585 {
5586 	return selinux_ip_forward(skb, state->in, PF_INET6);
5587 }
5588 #endif	/* IPV6 */
5589 
5590 static unsigned int selinux_ip_output(struct sk_buff *skb,
5591 				      u16 family)
5592 {
5593 	struct sock *sk;
5594 	u32 sid;
5595 
5596 	if (!netlbl_enabled())
5597 		return NF_ACCEPT;
5598 
5599 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5600 	 * because we want to make sure we apply the necessary labeling
5601 	 * before IPsec is applied so we can leverage AH protection */
5602 	sk = skb->sk;
5603 	if (sk) {
5604 		struct sk_security_struct *sksec;
5605 
5606 		if (sk_listener(sk))
5607 			/* if the socket is the listening state then this
5608 			 * packet is a SYN-ACK packet which means it needs to
5609 			 * be labeled based on the connection/request_sock and
5610 			 * not the parent socket.  unfortunately, we can't
5611 			 * lookup the request_sock yet as it isn't queued on
5612 			 * the parent socket until after the SYN-ACK is sent.
5613 			 * the "solution" is to simply pass the packet as-is
5614 			 * as any IP option based labeling should be copied
5615 			 * from the initial connection request (in the IP
5616 			 * layer).  it is far from ideal, but until we get a
5617 			 * security label in the packet itself this is the
5618 			 * best we can do. */
5619 			return NF_ACCEPT;
5620 
5621 		/* standard practice, label using the parent socket */
5622 		sksec = sk->sk_security;
5623 		sid = sksec->sid;
5624 	} else
5625 		sid = SECINITSID_KERNEL;
5626 	if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5627 		return NF_DROP;
5628 
5629 	return NF_ACCEPT;
5630 }
5631 
5632 static unsigned int selinux_ipv4_output(void *priv,
5633 					struct sk_buff *skb,
5634 					const struct nf_hook_state *state)
5635 {
5636 	return selinux_ip_output(skb, PF_INET);
5637 }
5638 
5639 #if IS_ENABLED(CONFIG_IPV6)
5640 static unsigned int selinux_ipv6_output(void *priv,
5641 					struct sk_buff *skb,
5642 					const struct nf_hook_state *state)
5643 {
5644 	return selinux_ip_output(skb, PF_INET6);
5645 }
5646 #endif	/* IPV6 */
5647 
5648 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5649 						int ifindex,
5650 						u16 family)
5651 {
5652 	struct sock *sk = skb_to_full_sk(skb);
5653 	struct sk_security_struct *sksec;
5654 	struct common_audit_data ad;
5655 	struct lsm_network_audit net = {0,};
5656 	char *addrp;
5657 	u8 proto;
5658 
5659 	if (sk == NULL)
5660 		return NF_ACCEPT;
5661 	sksec = sk->sk_security;
5662 
5663 	ad.type = LSM_AUDIT_DATA_NET;
5664 	ad.u.net = &net;
5665 	ad.u.net->netif = ifindex;
5666 	ad.u.net->family = family;
5667 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5668 		return NF_DROP;
5669 
5670 	if (selinux_secmark_enabled())
5671 		if (avc_has_perm(&selinux_state,
5672 				 sksec->sid, skb->secmark,
5673 				 SECCLASS_PACKET, PACKET__SEND, &ad))
5674 			return NF_DROP_ERR(-ECONNREFUSED);
5675 
5676 	if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5677 		return NF_DROP_ERR(-ECONNREFUSED);
5678 
5679 	return NF_ACCEPT;
5680 }
5681 
5682 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5683 					 const struct net_device *outdev,
5684 					 u16 family)
5685 {
5686 	u32 secmark_perm;
5687 	u32 peer_sid;
5688 	int ifindex = outdev->ifindex;
5689 	struct sock *sk;
5690 	struct common_audit_data ad;
5691 	struct lsm_network_audit net = {0,};
5692 	char *addrp;
5693 	u8 secmark_active;
5694 	u8 peerlbl_active;
5695 
5696 	/* If any sort of compatibility mode is enabled then handoff processing
5697 	 * to the selinux_ip_postroute_compat() function to deal with the
5698 	 * special handling.  We do this in an attempt to keep this function
5699 	 * as fast and as clean as possible. */
5700 	if (!selinux_policycap_netpeer())
5701 		return selinux_ip_postroute_compat(skb, ifindex, family);
5702 
5703 	secmark_active = selinux_secmark_enabled();
5704 	peerlbl_active = selinux_peerlbl_enabled();
5705 	if (!secmark_active && !peerlbl_active)
5706 		return NF_ACCEPT;
5707 
5708 	sk = skb_to_full_sk(skb);
5709 
5710 #ifdef CONFIG_XFRM
5711 	/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5712 	 * packet transformation so allow the packet to pass without any checks
5713 	 * since we'll have another chance to perform access control checks
5714 	 * when the packet is on it's final way out.
5715 	 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5716 	 *       is NULL, in this case go ahead and apply access control.
5717 	 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5718 	 *       TCP listening state we cannot wait until the XFRM processing
5719 	 *       is done as we will miss out on the SA label if we do;
5720 	 *       unfortunately, this means more work, but it is only once per
5721 	 *       connection. */
5722 	if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5723 	    !(sk && sk_listener(sk)))
5724 		return NF_ACCEPT;
5725 #endif
5726 
5727 	if (sk == NULL) {
5728 		/* Without an associated socket the packet is either coming
5729 		 * from the kernel or it is being forwarded; check the packet
5730 		 * to determine which and if the packet is being forwarded
5731 		 * query the packet directly to determine the security label. */
5732 		if (skb->skb_iif) {
5733 			secmark_perm = PACKET__FORWARD_OUT;
5734 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5735 				return NF_DROP;
5736 		} else {
5737 			secmark_perm = PACKET__SEND;
5738 			peer_sid = SECINITSID_KERNEL;
5739 		}
5740 	} else if (sk_listener(sk)) {
5741 		/* Locally generated packet but the associated socket is in the
5742 		 * listening state which means this is a SYN-ACK packet.  In
5743 		 * this particular case the correct security label is assigned
5744 		 * to the connection/request_sock but unfortunately we can't
5745 		 * query the request_sock as it isn't queued on the parent
5746 		 * socket until after the SYN-ACK packet is sent; the only
5747 		 * viable choice is to regenerate the label like we do in
5748 		 * selinux_inet_conn_request().  See also selinux_ip_output()
5749 		 * for similar problems. */
5750 		u32 skb_sid;
5751 		struct sk_security_struct *sksec;
5752 
5753 		sksec = sk->sk_security;
5754 		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5755 			return NF_DROP;
5756 		/* At this point, if the returned skb peerlbl is SECSID_NULL
5757 		 * and the packet has been through at least one XFRM
5758 		 * transformation then we must be dealing with the "final"
5759 		 * form of labeled IPsec packet; since we've already applied
5760 		 * all of our access controls on this packet we can safely
5761 		 * pass the packet. */
5762 		if (skb_sid == SECSID_NULL) {
5763 			switch (family) {
5764 			case PF_INET:
5765 				if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5766 					return NF_ACCEPT;
5767 				break;
5768 			case PF_INET6:
5769 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5770 					return NF_ACCEPT;
5771 				break;
5772 			default:
5773 				return NF_DROP_ERR(-ECONNREFUSED);
5774 			}
5775 		}
5776 		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5777 			return NF_DROP;
5778 		secmark_perm = PACKET__SEND;
5779 	} else {
5780 		/* Locally generated packet, fetch the security label from the
5781 		 * associated socket. */
5782 		struct sk_security_struct *sksec = sk->sk_security;
5783 		peer_sid = sksec->sid;
5784 		secmark_perm = PACKET__SEND;
5785 	}
5786 
5787 	ad.type = LSM_AUDIT_DATA_NET;
5788 	ad.u.net = &net;
5789 	ad.u.net->netif = ifindex;
5790 	ad.u.net->family = family;
5791 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5792 		return NF_DROP;
5793 
5794 	if (secmark_active)
5795 		if (avc_has_perm(&selinux_state,
5796 				 peer_sid, skb->secmark,
5797 				 SECCLASS_PACKET, secmark_perm, &ad))
5798 			return NF_DROP_ERR(-ECONNREFUSED);
5799 
5800 	if (peerlbl_active) {
5801 		u32 if_sid;
5802 		u32 node_sid;
5803 
5804 		if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5805 			return NF_DROP;
5806 		if (avc_has_perm(&selinux_state,
5807 				 peer_sid, if_sid,
5808 				 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5809 			return NF_DROP_ERR(-ECONNREFUSED);
5810 
5811 		if (sel_netnode_sid(addrp, family, &node_sid))
5812 			return NF_DROP;
5813 		if (avc_has_perm(&selinux_state,
5814 				 peer_sid, node_sid,
5815 				 SECCLASS_NODE, NODE__SENDTO, &ad))
5816 			return NF_DROP_ERR(-ECONNREFUSED);
5817 	}
5818 
5819 	return NF_ACCEPT;
5820 }
5821 
5822 static unsigned int selinux_ipv4_postroute(void *priv,
5823 					   struct sk_buff *skb,
5824 					   const struct nf_hook_state *state)
5825 {
5826 	return selinux_ip_postroute(skb, state->out, PF_INET);
5827 }
5828 
5829 #if IS_ENABLED(CONFIG_IPV6)
5830 static unsigned int selinux_ipv6_postroute(void *priv,
5831 					   struct sk_buff *skb,
5832 					   const struct nf_hook_state *state)
5833 {
5834 	return selinux_ip_postroute(skb, state->out, PF_INET6);
5835 }
5836 #endif	/* IPV6 */
5837 
5838 #endif	/* CONFIG_NETFILTER */
5839 
5840 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5841 {
5842 	int rc = 0;
5843 	unsigned int msg_len;
5844 	unsigned int data_len = skb->len;
5845 	unsigned char *data = skb->data;
5846 	struct nlmsghdr *nlh;
5847 	struct sk_security_struct *sksec = sk->sk_security;
5848 	u16 sclass = sksec->sclass;
5849 	u32 perm;
5850 
5851 	while (data_len >= nlmsg_total_size(0)) {
5852 		nlh = (struct nlmsghdr *)data;
5853 
5854 		/* NOTE: the nlmsg_len field isn't reliably set by some netlink
5855 		 *       users which means we can't reject skb's with bogus
5856 		 *       length fields; our solution is to follow what
5857 		 *       netlink_rcv_skb() does and simply skip processing at
5858 		 *       messages with length fields that are clearly junk
5859 		 */
5860 		if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5861 			return 0;
5862 
5863 		rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5864 		if (rc == 0) {
5865 			rc = sock_has_perm(sk, perm);
5866 			if (rc)
5867 				return rc;
5868 		} else if (rc == -EINVAL) {
5869 			/* -EINVAL is a missing msg/perm mapping */
5870 			pr_warn_ratelimited("SELinux: unrecognized netlink"
5871 				" message: protocol=%hu nlmsg_type=%hu sclass=%s"
5872 				" pid=%d comm=%s\n",
5873 				sk->sk_protocol, nlh->nlmsg_type,
5874 				secclass_map[sclass - 1].name,
5875 				task_pid_nr(current), current->comm);
5876 			if (enforcing_enabled(&selinux_state) &&
5877 			    !security_get_allow_unknown(&selinux_state))
5878 				return rc;
5879 			rc = 0;
5880 		} else if (rc == -ENOENT) {
5881 			/* -ENOENT is a missing socket/class mapping, ignore */
5882 			rc = 0;
5883 		} else {
5884 			return rc;
5885 		}
5886 
5887 		/* move to the next message after applying netlink padding */
5888 		msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5889 		if (msg_len >= data_len)
5890 			return 0;
5891 		data_len -= msg_len;
5892 		data += msg_len;
5893 	}
5894 
5895 	return rc;
5896 }
5897 
5898 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5899 {
5900 	isec->sclass = sclass;
5901 	isec->sid = current_sid();
5902 }
5903 
5904 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5905 			u32 perms)
5906 {
5907 	struct ipc_security_struct *isec;
5908 	struct common_audit_data ad;
5909 	u32 sid = current_sid();
5910 
5911 	isec = selinux_ipc(ipc_perms);
5912 
5913 	ad.type = LSM_AUDIT_DATA_IPC;
5914 	ad.u.ipc_id = ipc_perms->key;
5915 
5916 	return avc_has_perm(&selinux_state,
5917 			    sid, isec->sid, isec->sclass, perms, &ad);
5918 }
5919 
5920 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5921 {
5922 	struct msg_security_struct *msec;
5923 
5924 	msec = selinux_msg_msg(msg);
5925 	msec->sid = SECINITSID_UNLABELED;
5926 
5927 	return 0;
5928 }
5929 
5930 /* message queue security operations */
5931 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5932 {
5933 	struct ipc_security_struct *isec;
5934 	struct common_audit_data ad;
5935 	u32 sid = current_sid();
5936 	int rc;
5937 
5938 	isec = selinux_ipc(msq);
5939 	ipc_init_security(isec, SECCLASS_MSGQ);
5940 
5941 	ad.type = LSM_AUDIT_DATA_IPC;
5942 	ad.u.ipc_id = msq->key;
5943 
5944 	rc = avc_has_perm(&selinux_state,
5945 			  sid, isec->sid, SECCLASS_MSGQ,
5946 			  MSGQ__CREATE, &ad);
5947 	return rc;
5948 }
5949 
5950 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5951 {
5952 	struct ipc_security_struct *isec;
5953 	struct common_audit_data ad;
5954 	u32 sid = current_sid();
5955 
5956 	isec = selinux_ipc(msq);
5957 
5958 	ad.type = LSM_AUDIT_DATA_IPC;
5959 	ad.u.ipc_id = msq->key;
5960 
5961 	return avc_has_perm(&selinux_state,
5962 			    sid, isec->sid, SECCLASS_MSGQ,
5963 			    MSGQ__ASSOCIATE, &ad);
5964 }
5965 
5966 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5967 {
5968 	int err;
5969 	int perms;
5970 
5971 	switch (cmd) {
5972 	case IPC_INFO:
5973 	case MSG_INFO:
5974 		/* No specific object, just general system-wide information. */
5975 		return avc_has_perm(&selinux_state,
5976 				    current_sid(), SECINITSID_KERNEL,
5977 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5978 	case IPC_STAT:
5979 	case MSG_STAT:
5980 	case MSG_STAT_ANY:
5981 		perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5982 		break;
5983 	case IPC_SET:
5984 		perms = MSGQ__SETATTR;
5985 		break;
5986 	case IPC_RMID:
5987 		perms = MSGQ__DESTROY;
5988 		break;
5989 	default:
5990 		return 0;
5991 	}
5992 
5993 	err = ipc_has_perm(msq, perms);
5994 	return err;
5995 }
5996 
5997 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
5998 {
5999 	struct ipc_security_struct *isec;
6000 	struct msg_security_struct *msec;
6001 	struct common_audit_data ad;
6002 	u32 sid = current_sid();
6003 	int rc;
6004 
6005 	isec = selinux_ipc(msq);
6006 	msec = selinux_msg_msg(msg);
6007 
6008 	/*
6009 	 * First time through, need to assign label to the message
6010 	 */
6011 	if (msec->sid == SECINITSID_UNLABELED) {
6012 		/*
6013 		 * Compute new sid based on current process and
6014 		 * message queue this message will be stored in
6015 		 */
6016 		rc = security_transition_sid(&selinux_state, sid, isec->sid,
6017 					     SECCLASS_MSG, NULL, &msec->sid);
6018 		if (rc)
6019 			return rc;
6020 	}
6021 
6022 	ad.type = LSM_AUDIT_DATA_IPC;
6023 	ad.u.ipc_id = msq->key;
6024 
6025 	/* Can this process write to the queue? */
6026 	rc = avc_has_perm(&selinux_state,
6027 			  sid, isec->sid, SECCLASS_MSGQ,
6028 			  MSGQ__WRITE, &ad);
6029 	if (!rc)
6030 		/* Can this process send the message */
6031 		rc = avc_has_perm(&selinux_state,
6032 				  sid, msec->sid, SECCLASS_MSG,
6033 				  MSG__SEND, &ad);
6034 	if (!rc)
6035 		/* Can the message be put in the queue? */
6036 		rc = avc_has_perm(&selinux_state,
6037 				  msec->sid, isec->sid, SECCLASS_MSGQ,
6038 				  MSGQ__ENQUEUE, &ad);
6039 
6040 	return rc;
6041 }
6042 
6043 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6044 				    struct task_struct *target,
6045 				    long type, int mode)
6046 {
6047 	struct ipc_security_struct *isec;
6048 	struct msg_security_struct *msec;
6049 	struct common_audit_data ad;
6050 	u32 sid = task_sid(target);
6051 	int rc;
6052 
6053 	isec = selinux_ipc(msq);
6054 	msec = selinux_msg_msg(msg);
6055 
6056 	ad.type = LSM_AUDIT_DATA_IPC;
6057 	ad.u.ipc_id = msq->key;
6058 
6059 	rc = avc_has_perm(&selinux_state,
6060 			  sid, isec->sid,
6061 			  SECCLASS_MSGQ, MSGQ__READ, &ad);
6062 	if (!rc)
6063 		rc = avc_has_perm(&selinux_state,
6064 				  sid, msec->sid,
6065 				  SECCLASS_MSG, MSG__RECEIVE, &ad);
6066 	return rc;
6067 }
6068 
6069 /* Shared Memory security operations */
6070 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6071 {
6072 	struct ipc_security_struct *isec;
6073 	struct common_audit_data ad;
6074 	u32 sid = current_sid();
6075 	int rc;
6076 
6077 	isec = selinux_ipc(shp);
6078 	ipc_init_security(isec, SECCLASS_SHM);
6079 
6080 	ad.type = LSM_AUDIT_DATA_IPC;
6081 	ad.u.ipc_id = shp->key;
6082 
6083 	rc = avc_has_perm(&selinux_state,
6084 			  sid, isec->sid, SECCLASS_SHM,
6085 			  SHM__CREATE, &ad);
6086 	return rc;
6087 }
6088 
6089 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6090 {
6091 	struct ipc_security_struct *isec;
6092 	struct common_audit_data ad;
6093 	u32 sid = current_sid();
6094 
6095 	isec = selinux_ipc(shp);
6096 
6097 	ad.type = LSM_AUDIT_DATA_IPC;
6098 	ad.u.ipc_id = shp->key;
6099 
6100 	return avc_has_perm(&selinux_state,
6101 			    sid, isec->sid, SECCLASS_SHM,
6102 			    SHM__ASSOCIATE, &ad);
6103 }
6104 
6105 /* Note, at this point, shp is locked down */
6106 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6107 {
6108 	int perms;
6109 	int err;
6110 
6111 	switch (cmd) {
6112 	case IPC_INFO:
6113 	case SHM_INFO:
6114 		/* No specific object, just general system-wide information. */
6115 		return avc_has_perm(&selinux_state,
6116 				    current_sid(), SECINITSID_KERNEL,
6117 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6118 	case IPC_STAT:
6119 	case SHM_STAT:
6120 	case SHM_STAT_ANY:
6121 		perms = SHM__GETATTR | SHM__ASSOCIATE;
6122 		break;
6123 	case IPC_SET:
6124 		perms = SHM__SETATTR;
6125 		break;
6126 	case SHM_LOCK:
6127 	case SHM_UNLOCK:
6128 		perms = SHM__LOCK;
6129 		break;
6130 	case IPC_RMID:
6131 		perms = SHM__DESTROY;
6132 		break;
6133 	default:
6134 		return 0;
6135 	}
6136 
6137 	err = ipc_has_perm(shp, perms);
6138 	return err;
6139 }
6140 
6141 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6142 			     char __user *shmaddr, int shmflg)
6143 {
6144 	u32 perms;
6145 
6146 	if (shmflg & SHM_RDONLY)
6147 		perms = SHM__READ;
6148 	else
6149 		perms = SHM__READ | SHM__WRITE;
6150 
6151 	return ipc_has_perm(shp, perms);
6152 }
6153 
6154 /* Semaphore security operations */
6155 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6156 {
6157 	struct ipc_security_struct *isec;
6158 	struct common_audit_data ad;
6159 	u32 sid = current_sid();
6160 	int rc;
6161 
6162 	isec = selinux_ipc(sma);
6163 	ipc_init_security(isec, SECCLASS_SEM);
6164 
6165 	ad.type = LSM_AUDIT_DATA_IPC;
6166 	ad.u.ipc_id = sma->key;
6167 
6168 	rc = avc_has_perm(&selinux_state,
6169 			  sid, isec->sid, SECCLASS_SEM,
6170 			  SEM__CREATE, &ad);
6171 	return rc;
6172 }
6173 
6174 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6175 {
6176 	struct ipc_security_struct *isec;
6177 	struct common_audit_data ad;
6178 	u32 sid = current_sid();
6179 
6180 	isec = selinux_ipc(sma);
6181 
6182 	ad.type = LSM_AUDIT_DATA_IPC;
6183 	ad.u.ipc_id = sma->key;
6184 
6185 	return avc_has_perm(&selinux_state,
6186 			    sid, isec->sid, SECCLASS_SEM,
6187 			    SEM__ASSOCIATE, &ad);
6188 }
6189 
6190 /* Note, at this point, sma is locked down */
6191 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6192 {
6193 	int err;
6194 	u32 perms;
6195 
6196 	switch (cmd) {
6197 	case IPC_INFO:
6198 	case SEM_INFO:
6199 		/* No specific object, just general system-wide information. */
6200 		return avc_has_perm(&selinux_state,
6201 				    current_sid(), SECINITSID_KERNEL,
6202 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6203 	case GETPID:
6204 	case GETNCNT:
6205 	case GETZCNT:
6206 		perms = SEM__GETATTR;
6207 		break;
6208 	case GETVAL:
6209 	case GETALL:
6210 		perms = SEM__READ;
6211 		break;
6212 	case SETVAL:
6213 	case SETALL:
6214 		perms = SEM__WRITE;
6215 		break;
6216 	case IPC_RMID:
6217 		perms = SEM__DESTROY;
6218 		break;
6219 	case IPC_SET:
6220 		perms = SEM__SETATTR;
6221 		break;
6222 	case IPC_STAT:
6223 	case SEM_STAT:
6224 	case SEM_STAT_ANY:
6225 		perms = SEM__GETATTR | SEM__ASSOCIATE;
6226 		break;
6227 	default:
6228 		return 0;
6229 	}
6230 
6231 	err = ipc_has_perm(sma, perms);
6232 	return err;
6233 }
6234 
6235 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6236 			     struct sembuf *sops, unsigned nsops, int alter)
6237 {
6238 	u32 perms;
6239 
6240 	if (alter)
6241 		perms = SEM__READ | SEM__WRITE;
6242 	else
6243 		perms = SEM__READ;
6244 
6245 	return ipc_has_perm(sma, perms);
6246 }
6247 
6248 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6249 {
6250 	u32 av = 0;
6251 
6252 	av = 0;
6253 	if (flag & S_IRUGO)
6254 		av |= IPC__UNIX_READ;
6255 	if (flag & S_IWUGO)
6256 		av |= IPC__UNIX_WRITE;
6257 
6258 	if (av == 0)
6259 		return 0;
6260 
6261 	return ipc_has_perm(ipcp, av);
6262 }
6263 
6264 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6265 {
6266 	struct ipc_security_struct *isec = selinux_ipc(ipcp);
6267 	*secid = isec->sid;
6268 }
6269 
6270 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6271 {
6272 	if (inode)
6273 		inode_doinit_with_dentry(inode, dentry);
6274 }
6275 
6276 static int selinux_getprocattr(struct task_struct *p,
6277 			       char *name, char **value)
6278 {
6279 	const struct task_security_struct *__tsec;
6280 	u32 sid;
6281 	int error;
6282 	unsigned len;
6283 
6284 	rcu_read_lock();
6285 	__tsec = selinux_cred(__task_cred(p));
6286 
6287 	if (current != p) {
6288 		error = avc_has_perm(&selinux_state,
6289 				     current_sid(), __tsec->sid,
6290 				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6291 		if (error)
6292 			goto bad;
6293 	}
6294 
6295 	if (!strcmp(name, "current"))
6296 		sid = __tsec->sid;
6297 	else if (!strcmp(name, "prev"))
6298 		sid = __tsec->osid;
6299 	else if (!strcmp(name, "exec"))
6300 		sid = __tsec->exec_sid;
6301 	else if (!strcmp(name, "fscreate"))
6302 		sid = __tsec->create_sid;
6303 	else if (!strcmp(name, "keycreate"))
6304 		sid = __tsec->keycreate_sid;
6305 	else if (!strcmp(name, "sockcreate"))
6306 		sid = __tsec->sockcreate_sid;
6307 	else {
6308 		error = -EINVAL;
6309 		goto bad;
6310 	}
6311 	rcu_read_unlock();
6312 
6313 	if (!sid)
6314 		return 0;
6315 
6316 	error = security_sid_to_context(&selinux_state, sid, value, &len);
6317 	if (error)
6318 		return error;
6319 	return len;
6320 
6321 bad:
6322 	rcu_read_unlock();
6323 	return error;
6324 }
6325 
6326 static int selinux_setprocattr(const char *name, void *value, size_t size)
6327 {
6328 	struct task_security_struct *tsec;
6329 	struct cred *new;
6330 	u32 mysid = current_sid(), sid = 0, ptsid;
6331 	int error;
6332 	char *str = value;
6333 
6334 	/*
6335 	 * Basic control over ability to set these attributes at all.
6336 	 */
6337 	if (!strcmp(name, "exec"))
6338 		error = avc_has_perm(&selinux_state,
6339 				     mysid, mysid, SECCLASS_PROCESS,
6340 				     PROCESS__SETEXEC, NULL);
6341 	else if (!strcmp(name, "fscreate"))
6342 		error = avc_has_perm(&selinux_state,
6343 				     mysid, mysid, SECCLASS_PROCESS,
6344 				     PROCESS__SETFSCREATE, NULL);
6345 	else if (!strcmp(name, "keycreate"))
6346 		error = avc_has_perm(&selinux_state,
6347 				     mysid, mysid, SECCLASS_PROCESS,
6348 				     PROCESS__SETKEYCREATE, NULL);
6349 	else if (!strcmp(name, "sockcreate"))
6350 		error = avc_has_perm(&selinux_state,
6351 				     mysid, mysid, SECCLASS_PROCESS,
6352 				     PROCESS__SETSOCKCREATE, NULL);
6353 	else if (!strcmp(name, "current"))
6354 		error = avc_has_perm(&selinux_state,
6355 				     mysid, mysid, SECCLASS_PROCESS,
6356 				     PROCESS__SETCURRENT, NULL);
6357 	else
6358 		error = -EINVAL;
6359 	if (error)
6360 		return error;
6361 
6362 	/* Obtain a SID for the context, if one was specified. */
6363 	if (size && str[0] && str[0] != '\n') {
6364 		if (str[size-1] == '\n') {
6365 			str[size-1] = 0;
6366 			size--;
6367 		}
6368 		error = security_context_to_sid(&selinux_state, value, size,
6369 						&sid, GFP_KERNEL);
6370 		if (error == -EINVAL && !strcmp(name, "fscreate")) {
6371 			if (!has_cap_mac_admin(true)) {
6372 				struct audit_buffer *ab;
6373 				size_t audit_size;
6374 
6375 				/* We strip a nul only if it is at the end, otherwise the
6376 				 * context contains a nul and we should audit that */
6377 				if (str[size - 1] == '\0')
6378 					audit_size = size - 1;
6379 				else
6380 					audit_size = size;
6381 				ab = audit_log_start(audit_context(),
6382 						     GFP_ATOMIC,
6383 						     AUDIT_SELINUX_ERR);
6384 				audit_log_format(ab, "op=fscreate invalid_context=");
6385 				audit_log_n_untrustedstring(ab, value, audit_size);
6386 				audit_log_end(ab);
6387 
6388 				return error;
6389 			}
6390 			error = security_context_to_sid_force(
6391 						      &selinux_state,
6392 						      value, size, &sid);
6393 		}
6394 		if (error)
6395 			return error;
6396 	}
6397 
6398 	new = prepare_creds();
6399 	if (!new)
6400 		return -ENOMEM;
6401 
6402 	/* Permission checking based on the specified context is
6403 	   performed during the actual operation (execve,
6404 	   open/mkdir/...), when we know the full context of the
6405 	   operation.  See selinux_bprm_creds_for_exec for the execve
6406 	   checks and may_create for the file creation checks. The
6407 	   operation will then fail if the context is not permitted. */
6408 	tsec = selinux_cred(new);
6409 	if (!strcmp(name, "exec")) {
6410 		tsec->exec_sid = sid;
6411 	} else if (!strcmp(name, "fscreate")) {
6412 		tsec->create_sid = sid;
6413 	} else if (!strcmp(name, "keycreate")) {
6414 		if (sid) {
6415 			error = avc_has_perm(&selinux_state, mysid, sid,
6416 					     SECCLASS_KEY, KEY__CREATE, NULL);
6417 			if (error)
6418 				goto abort_change;
6419 		}
6420 		tsec->keycreate_sid = sid;
6421 	} else if (!strcmp(name, "sockcreate")) {
6422 		tsec->sockcreate_sid = sid;
6423 	} else if (!strcmp(name, "current")) {
6424 		error = -EINVAL;
6425 		if (sid == 0)
6426 			goto abort_change;
6427 
6428 		/* Only allow single threaded processes to change context */
6429 		error = -EPERM;
6430 		if (!current_is_single_threaded()) {
6431 			error = security_bounded_transition(&selinux_state,
6432 							    tsec->sid, sid);
6433 			if (error)
6434 				goto abort_change;
6435 		}
6436 
6437 		/* Check permissions for the transition. */
6438 		error = avc_has_perm(&selinux_state,
6439 				     tsec->sid, sid, SECCLASS_PROCESS,
6440 				     PROCESS__DYNTRANSITION, NULL);
6441 		if (error)
6442 			goto abort_change;
6443 
6444 		/* Check for ptracing, and update the task SID if ok.
6445 		   Otherwise, leave SID unchanged and fail. */
6446 		ptsid = ptrace_parent_sid();
6447 		if (ptsid != 0) {
6448 			error = avc_has_perm(&selinux_state,
6449 					     ptsid, sid, SECCLASS_PROCESS,
6450 					     PROCESS__PTRACE, NULL);
6451 			if (error)
6452 				goto abort_change;
6453 		}
6454 
6455 		tsec->sid = sid;
6456 	} else {
6457 		error = -EINVAL;
6458 		goto abort_change;
6459 	}
6460 
6461 	commit_creds(new);
6462 	return size;
6463 
6464 abort_change:
6465 	abort_creds(new);
6466 	return error;
6467 }
6468 
6469 static int selinux_ismaclabel(const char *name)
6470 {
6471 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6472 }
6473 
6474 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6475 {
6476 	return security_sid_to_context(&selinux_state, secid,
6477 				       secdata, seclen);
6478 }
6479 
6480 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6481 {
6482 	return security_context_to_sid(&selinux_state, secdata, seclen,
6483 				       secid, GFP_KERNEL);
6484 }
6485 
6486 static void selinux_release_secctx(char *secdata, u32 seclen)
6487 {
6488 	kfree(secdata);
6489 }
6490 
6491 static void selinux_inode_invalidate_secctx(struct inode *inode)
6492 {
6493 	struct inode_security_struct *isec = selinux_inode(inode);
6494 
6495 	spin_lock(&isec->lock);
6496 	isec->initialized = LABEL_INVALID;
6497 	spin_unlock(&isec->lock);
6498 }
6499 
6500 /*
6501  *	called with inode->i_mutex locked
6502  */
6503 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6504 {
6505 	int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6506 					   ctx, ctxlen, 0);
6507 	/* Do not return error when suppressing label (SBLABEL_MNT not set). */
6508 	return rc == -EOPNOTSUPP ? 0 : rc;
6509 }
6510 
6511 /*
6512  *	called with inode->i_mutex locked
6513  */
6514 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6515 {
6516 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6517 }
6518 
6519 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6520 {
6521 	int len = 0;
6522 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6523 						ctx, true);
6524 	if (len < 0)
6525 		return len;
6526 	*ctxlen = len;
6527 	return 0;
6528 }
6529 #ifdef CONFIG_KEYS
6530 
6531 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6532 			     unsigned long flags)
6533 {
6534 	const struct task_security_struct *tsec;
6535 	struct key_security_struct *ksec;
6536 
6537 	ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6538 	if (!ksec)
6539 		return -ENOMEM;
6540 
6541 	tsec = selinux_cred(cred);
6542 	if (tsec->keycreate_sid)
6543 		ksec->sid = tsec->keycreate_sid;
6544 	else
6545 		ksec->sid = tsec->sid;
6546 
6547 	k->security = ksec;
6548 	return 0;
6549 }
6550 
6551 static void selinux_key_free(struct key *k)
6552 {
6553 	struct key_security_struct *ksec = k->security;
6554 
6555 	k->security = NULL;
6556 	kfree(ksec);
6557 }
6558 
6559 static int selinux_key_permission(key_ref_t key_ref,
6560 				  const struct cred *cred,
6561 				  enum key_need_perm need_perm)
6562 {
6563 	struct key *key;
6564 	struct key_security_struct *ksec;
6565 	u32 perm, sid;
6566 
6567 	switch (need_perm) {
6568 	case KEY_NEED_VIEW:
6569 		perm = KEY__VIEW;
6570 		break;
6571 	case KEY_NEED_READ:
6572 		perm = KEY__READ;
6573 		break;
6574 	case KEY_NEED_WRITE:
6575 		perm = KEY__WRITE;
6576 		break;
6577 	case KEY_NEED_SEARCH:
6578 		perm = KEY__SEARCH;
6579 		break;
6580 	case KEY_NEED_LINK:
6581 		perm = KEY__LINK;
6582 		break;
6583 	case KEY_NEED_SETATTR:
6584 		perm = KEY__SETATTR;
6585 		break;
6586 	case KEY_NEED_UNLINK:
6587 	case KEY_SYSADMIN_OVERRIDE:
6588 	case KEY_AUTHTOKEN_OVERRIDE:
6589 	case KEY_DEFER_PERM_CHECK:
6590 		return 0;
6591 	default:
6592 		WARN_ON(1);
6593 		return -EPERM;
6594 
6595 	}
6596 
6597 	sid = cred_sid(cred);
6598 	key = key_ref_to_ptr(key_ref);
6599 	ksec = key->security;
6600 
6601 	return avc_has_perm(&selinux_state,
6602 			    sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6603 }
6604 
6605 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6606 {
6607 	struct key_security_struct *ksec = key->security;
6608 	char *context = NULL;
6609 	unsigned len;
6610 	int rc;
6611 
6612 	rc = security_sid_to_context(&selinux_state, ksec->sid,
6613 				     &context, &len);
6614 	if (!rc)
6615 		rc = len;
6616 	*_buffer = context;
6617 	return rc;
6618 }
6619 
6620 #ifdef CONFIG_KEY_NOTIFICATIONS
6621 static int selinux_watch_key(struct key *key)
6622 {
6623 	struct key_security_struct *ksec = key->security;
6624 	u32 sid = current_sid();
6625 
6626 	return avc_has_perm(&selinux_state,
6627 			    sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6628 }
6629 #endif
6630 #endif
6631 
6632 #ifdef CONFIG_SECURITY_INFINIBAND
6633 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6634 {
6635 	struct common_audit_data ad;
6636 	int err;
6637 	u32 sid = 0;
6638 	struct ib_security_struct *sec = ib_sec;
6639 	struct lsm_ibpkey_audit ibpkey;
6640 
6641 	err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6642 	if (err)
6643 		return err;
6644 
6645 	ad.type = LSM_AUDIT_DATA_IBPKEY;
6646 	ibpkey.subnet_prefix = subnet_prefix;
6647 	ibpkey.pkey = pkey_val;
6648 	ad.u.ibpkey = &ibpkey;
6649 	return avc_has_perm(&selinux_state,
6650 			    sec->sid, sid,
6651 			    SECCLASS_INFINIBAND_PKEY,
6652 			    INFINIBAND_PKEY__ACCESS, &ad);
6653 }
6654 
6655 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6656 					    u8 port_num)
6657 {
6658 	struct common_audit_data ad;
6659 	int err;
6660 	u32 sid = 0;
6661 	struct ib_security_struct *sec = ib_sec;
6662 	struct lsm_ibendport_audit ibendport;
6663 
6664 	err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6665 				      &sid);
6666 
6667 	if (err)
6668 		return err;
6669 
6670 	ad.type = LSM_AUDIT_DATA_IBENDPORT;
6671 	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6672 	ibendport.port = port_num;
6673 	ad.u.ibendport = &ibendport;
6674 	return avc_has_perm(&selinux_state,
6675 			    sec->sid, sid,
6676 			    SECCLASS_INFINIBAND_ENDPORT,
6677 			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6678 }
6679 
6680 static int selinux_ib_alloc_security(void **ib_sec)
6681 {
6682 	struct ib_security_struct *sec;
6683 
6684 	sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6685 	if (!sec)
6686 		return -ENOMEM;
6687 	sec->sid = current_sid();
6688 
6689 	*ib_sec = sec;
6690 	return 0;
6691 }
6692 
6693 static void selinux_ib_free_security(void *ib_sec)
6694 {
6695 	kfree(ib_sec);
6696 }
6697 #endif
6698 
6699 #ifdef CONFIG_BPF_SYSCALL
6700 static int selinux_bpf(int cmd, union bpf_attr *attr,
6701 				     unsigned int size)
6702 {
6703 	u32 sid = current_sid();
6704 	int ret;
6705 
6706 	switch (cmd) {
6707 	case BPF_MAP_CREATE:
6708 		ret = avc_has_perm(&selinux_state,
6709 				   sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6710 				   NULL);
6711 		break;
6712 	case BPF_PROG_LOAD:
6713 		ret = avc_has_perm(&selinux_state,
6714 				   sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6715 				   NULL);
6716 		break;
6717 	default:
6718 		ret = 0;
6719 		break;
6720 	}
6721 
6722 	return ret;
6723 }
6724 
6725 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6726 {
6727 	u32 av = 0;
6728 
6729 	if (fmode & FMODE_READ)
6730 		av |= BPF__MAP_READ;
6731 	if (fmode & FMODE_WRITE)
6732 		av |= BPF__MAP_WRITE;
6733 	return av;
6734 }
6735 
6736 /* This function will check the file pass through unix socket or binder to see
6737  * if it is a bpf related object. And apply correspinding checks on the bpf
6738  * object based on the type. The bpf maps and programs, not like other files and
6739  * socket, are using a shared anonymous inode inside the kernel as their inode.
6740  * So checking that inode cannot identify if the process have privilege to
6741  * access the bpf object and that's why we have to add this additional check in
6742  * selinux_file_receive and selinux_binder_transfer_files.
6743  */
6744 static int bpf_fd_pass(struct file *file, u32 sid)
6745 {
6746 	struct bpf_security_struct *bpfsec;
6747 	struct bpf_prog *prog;
6748 	struct bpf_map *map;
6749 	int ret;
6750 
6751 	if (file->f_op == &bpf_map_fops) {
6752 		map = file->private_data;
6753 		bpfsec = map->security;
6754 		ret = avc_has_perm(&selinux_state,
6755 				   sid, bpfsec->sid, SECCLASS_BPF,
6756 				   bpf_map_fmode_to_av(file->f_mode), NULL);
6757 		if (ret)
6758 			return ret;
6759 	} else if (file->f_op == &bpf_prog_fops) {
6760 		prog = file->private_data;
6761 		bpfsec = prog->aux->security;
6762 		ret = avc_has_perm(&selinux_state,
6763 				   sid, bpfsec->sid, SECCLASS_BPF,
6764 				   BPF__PROG_RUN, NULL);
6765 		if (ret)
6766 			return ret;
6767 	}
6768 	return 0;
6769 }
6770 
6771 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6772 {
6773 	u32 sid = current_sid();
6774 	struct bpf_security_struct *bpfsec;
6775 
6776 	bpfsec = map->security;
6777 	return avc_has_perm(&selinux_state,
6778 			    sid, bpfsec->sid, SECCLASS_BPF,
6779 			    bpf_map_fmode_to_av(fmode), NULL);
6780 }
6781 
6782 static int selinux_bpf_prog(struct bpf_prog *prog)
6783 {
6784 	u32 sid = current_sid();
6785 	struct bpf_security_struct *bpfsec;
6786 
6787 	bpfsec = prog->aux->security;
6788 	return avc_has_perm(&selinux_state,
6789 			    sid, bpfsec->sid, SECCLASS_BPF,
6790 			    BPF__PROG_RUN, NULL);
6791 }
6792 
6793 static int selinux_bpf_map_alloc(struct bpf_map *map)
6794 {
6795 	struct bpf_security_struct *bpfsec;
6796 
6797 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6798 	if (!bpfsec)
6799 		return -ENOMEM;
6800 
6801 	bpfsec->sid = current_sid();
6802 	map->security = bpfsec;
6803 
6804 	return 0;
6805 }
6806 
6807 static void selinux_bpf_map_free(struct bpf_map *map)
6808 {
6809 	struct bpf_security_struct *bpfsec = map->security;
6810 
6811 	map->security = NULL;
6812 	kfree(bpfsec);
6813 }
6814 
6815 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6816 {
6817 	struct bpf_security_struct *bpfsec;
6818 
6819 	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6820 	if (!bpfsec)
6821 		return -ENOMEM;
6822 
6823 	bpfsec->sid = current_sid();
6824 	aux->security = bpfsec;
6825 
6826 	return 0;
6827 }
6828 
6829 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6830 {
6831 	struct bpf_security_struct *bpfsec = aux->security;
6832 
6833 	aux->security = NULL;
6834 	kfree(bpfsec);
6835 }
6836 #endif
6837 
6838 static int selinux_lockdown(enum lockdown_reason what)
6839 {
6840 	struct common_audit_data ad;
6841 	u32 sid = current_sid();
6842 	int invalid_reason = (what <= LOCKDOWN_NONE) ||
6843 			     (what == LOCKDOWN_INTEGRITY_MAX) ||
6844 			     (what >= LOCKDOWN_CONFIDENTIALITY_MAX);
6845 
6846 	if (WARN(invalid_reason, "Invalid lockdown reason")) {
6847 		audit_log(audit_context(),
6848 			  GFP_ATOMIC, AUDIT_SELINUX_ERR,
6849 			  "lockdown_reason=invalid");
6850 		return -EINVAL;
6851 	}
6852 
6853 	ad.type = LSM_AUDIT_DATA_LOCKDOWN;
6854 	ad.u.reason = what;
6855 
6856 	if (what <= LOCKDOWN_INTEGRITY_MAX)
6857 		return avc_has_perm(&selinux_state,
6858 				    sid, sid, SECCLASS_LOCKDOWN,
6859 				    LOCKDOWN__INTEGRITY, &ad);
6860 	else
6861 		return avc_has_perm(&selinux_state,
6862 				    sid, sid, SECCLASS_LOCKDOWN,
6863 				    LOCKDOWN__CONFIDENTIALITY, &ad);
6864 }
6865 
6866 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6867 	.lbs_cred = sizeof(struct task_security_struct),
6868 	.lbs_file = sizeof(struct file_security_struct),
6869 	.lbs_inode = sizeof(struct inode_security_struct),
6870 	.lbs_ipc = sizeof(struct ipc_security_struct),
6871 	.lbs_msg_msg = sizeof(struct msg_security_struct),
6872 };
6873 
6874 #ifdef CONFIG_PERF_EVENTS
6875 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6876 {
6877 	u32 requested, sid = current_sid();
6878 
6879 	if (type == PERF_SECURITY_OPEN)
6880 		requested = PERF_EVENT__OPEN;
6881 	else if (type == PERF_SECURITY_CPU)
6882 		requested = PERF_EVENT__CPU;
6883 	else if (type == PERF_SECURITY_KERNEL)
6884 		requested = PERF_EVENT__KERNEL;
6885 	else if (type == PERF_SECURITY_TRACEPOINT)
6886 		requested = PERF_EVENT__TRACEPOINT;
6887 	else
6888 		return -EINVAL;
6889 
6890 	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6891 			    requested, NULL);
6892 }
6893 
6894 static int selinux_perf_event_alloc(struct perf_event *event)
6895 {
6896 	struct perf_event_security_struct *perfsec;
6897 
6898 	perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6899 	if (!perfsec)
6900 		return -ENOMEM;
6901 
6902 	perfsec->sid = current_sid();
6903 	event->security = perfsec;
6904 
6905 	return 0;
6906 }
6907 
6908 static void selinux_perf_event_free(struct perf_event *event)
6909 {
6910 	struct perf_event_security_struct *perfsec = event->security;
6911 
6912 	event->security = NULL;
6913 	kfree(perfsec);
6914 }
6915 
6916 static int selinux_perf_event_read(struct perf_event *event)
6917 {
6918 	struct perf_event_security_struct *perfsec = event->security;
6919 	u32 sid = current_sid();
6920 
6921 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6922 			    SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6923 }
6924 
6925 static int selinux_perf_event_write(struct perf_event *event)
6926 {
6927 	struct perf_event_security_struct *perfsec = event->security;
6928 	u32 sid = current_sid();
6929 
6930 	return avc_has_perm(&selinux_state, sid, perfsec->sid,
6931 			    SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6932 }
6933 #endif
6934 
6935 /*
6936  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6937  * 1. any hooks that don't belong to (2.) or (3.) below,
6938  * 2. hooks that both access structures allocated by other hooks, and allocate
6939  *    structures that can be later accessed by other hooks (mostly "cloning"
6940  *    hooks),
6941  * 3. hooks that only allocate structures that can be later accessed by other
6942  *    hooks ("allocating" hooks).
6943  *
6944  * Please follow block comment delimiters in the list to keep this order.
6945  *
6946  * This ordering is needed for SELinux runtime disable to work at least somewhat
6947  * safely. Breaking the ordering rules above might lead to NULL pointer derefs
6948  * when disabling SELinux at runtime.
6949  */
6950 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6951 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6952 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6953 	LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6954 	LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6955 
6956 	LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6957 	LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6958 	LSM_HOOK_INIT(capget, selinux_capget),
6959 	LSM_HOOK_INIT(capset, selinux_capset),
6960 	LSM_HOOK_INIT(capable, selinux_capable),
6961 	LSM_HOOK_INIT(quotactl, selinux_quotactl),
6962 	LSM_HOOK_INIT(quota_on, selinux_quota_on),
6963 	LSM_HOOK_INIT(syslog, selinux_syslog),
6964 	LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6965 
6966 	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6967 
6968 	LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
6969 	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6970 	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6971 
6972 	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6973 	LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6974 	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6975 	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6976 	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6977 	LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6978 	LSM_HOOK_INIT(sb_mount, selinux_mount),
6979 	LSM_HOOK_INIT(sb_umount, selinux_umount),
6980 	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6981 	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6982 
6983 	LSM_HOOK_INIT(move_mount, selinux_move_mount),
6984 
6985 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6986 	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6987 
6988 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6989 	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6990 	LSM_HOOK_INIT(inode_create, selinux_inode_create),
6991 	LSM_HOOK_INIT(inode_link, selinux_inode_link),
6992 	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6993 	LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6994 	LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6995 	LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6996 	LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6997 	LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6998 	LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6999 	LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7000 	LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7001 	LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7002 	LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7003 	LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7004 	LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7005 	LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7006 	LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7007 	LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7008 	LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7009 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7010 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7011 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7012 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7013 	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7014 	LSM_HOOK_INIT(path_notify, selinux_path_notify),
7015 
7016 	LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7017 
7018 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7019 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7020 	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7021 	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7022 	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7023 	LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7024 	LSM_HOOK_INIT(file_lock, selinux_file_lock),
7025 	LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7026 	LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7027 	LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7028 	LSM_HOOK_INIT(file_receive, selinux_file_receive),
7029 
7030 	LSM_HOOK_INIT(file_open, selinux_file_open),
7031 
7032 	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7033 	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7034 	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7035 	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7036 	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7037 	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7038 	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7039 	LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7040 	LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7041 	LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7042 	LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7043 	LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7044 	LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
7045 	LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7046 	LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7047 	LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7048 	LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7049 	LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7050 	LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7051 	LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7052 	LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7053 	LSM_HOOK_INIT(task_kill, selinux_task_kill),
7054 	LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7055 
7056 	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7057 	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7058 
7059 	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7060 	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7061 	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7062 	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7063 
7064 	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7065 	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7066 	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7067 
7068 	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7069 	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7070 	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7071 
7072 	LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7073 
7074 	LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7075 	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7076 
7077 	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7078 	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7079 	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7080 	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7081 	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7082 	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7083 
7084 	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7085 	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7086 
7087 	LSM_HOOK_INIT(socket_create, selinux_socket_create),
7088 	LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7089 	LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7090 	LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7091 	LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7092 	LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7093 	LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7094 	LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7095 	LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7096 	LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7097 	LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7098 	LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7099 	LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7100 	LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7101 	LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7102 	LSM_HOOK_INIT(socket_getpeersec_stream,
7103 			selinux_socket_getpeersec_stream),
7104 	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7105 	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7106 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7107 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7108 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7109 	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7110 	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7111 	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7112 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7113 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7114 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7115 	LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7116 	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7117 	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7118 	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7119 	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7120 	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7121 	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7122 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7123 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7124 #ifdef CONFIG_SECURITY_INFINIBAND
7125 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7126 	LSM_HOOK_INIT(ib_endport_manage_subnet,
7127 		      selinux_ib_endport_manage_subnet),
7128 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7129 #endif
7130 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7131 	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7132 	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7133 	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7134 	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7135 	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7136 	LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7137 			selinux_xfrm_state_pol_flow_match),
7138 	LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7139 #endif
7140 
7141 #ifdef CONFIG_KEYS
7142 	LSM_HOOK_INIT(key_free, selinux_key_free),
7143 	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7144 	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7145 #ifdef CONFIG_KEY_NOTIFICATIONS
7146 	LSM_HOOK_INIT(watch_key, selinux_watch_key),
7147 #endif
7148 #endif
7149 
7150 #ifdef CONFIG_AUDIT
7151 	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7152 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7153 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7154 #endif
7155 
7156 #ifdef CONFIG_BPF_SYSCALL
7157 	LSM_HOOK_INIT(bpf, selinux_bpf),
7158 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7159 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7160 	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7161 	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7162 #endif
7163 
7164 #ifdef CONFIG_PERF_EVENTS
7165 	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7166 	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7167 	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7168 	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7169 #endif
7170 
7171 	LSM_HOOK_INIT(locked_down, selinux_lockdown),
7172 
7173 	/*
7174 	 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7175 	 */
7176 	LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7177 	LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7178 	LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7179 	LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
7180 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7181 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7182 #endif
7183 
7184 	/*
7185 	 * PUT "ALLOCATING" HOOKS HERE
7186 	 */
7187 	LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7188 	LSM_HOOK_INIT(msg_queue_alloc_security,
7189 		      selinux_msg_queue_alloc_security),
7190 	LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7191 	LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7192 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7193 	LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7194 	LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7195 	LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7196 	LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7197 	LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7198 #ifdef CONFIG_SECURITY_INFINIBAND
7199 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7200 #endif
7201 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7202 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7203 	LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7204 	LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7205 		      selinux_xfrm_state_alloc_acquire),
7206 #endif
7207 #ifdef CONFIG_KEYS
7208 	LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7209 #endif
7210 #ifdef CONFIG_AUDIT
7211 	LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7212 #endif
7213 #ifdef CONFIG_BPF_SYSCALL
7214 	LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7215 	LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7216 #endif
7217 #ifdef CONFIG_PERF_EVENTS
7218 	LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7219 #endif
7220 };
7221 
7222 static __init int selinux_init(void)
7223 {
7224 	pr_info("SELinux:  Initializing.\n");
7225 
7226 	memset(&selinux_state, 0, sizeof(selinux_state));
7227 	enforcing_set(&selinux_state, selinux_enforcing_boot);
7228 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
7229 	selinux_ss_init(&selinux_state.ss);
7230 	selinux_avc_init(&selinux_state.avc);
7231 	mutex_init(&selinux_state.status_lock);
7232 
7233 	/* Set the security state for the initial task. */
7234 	cred_init_security();
7235 
7236 	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7237 
7238 	avc_init();
7239 
7240 	avtab_cache_init();
7241 
7242 	ebitmap_cache_init();
7243 
7244 	hashtab_cache_init();
7245 
7246 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7247 
7248 	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7249 		panic("SELinux: Unable to register AVC netcache callback\n");
7250 
7251 	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7252 		panic("SELinux: Unable to register AVC LSM notifier callback\n");
7253 
7254 	if (selinux_enforcing_boot)
7255 		pr_debug("SELinux:  Starting in enforcing mode\n");
7256 	else
7257 		pr_debug("SELinux:  Starting in permissive mode\n");
7258 
7259 	fs_validate_description("selinux", selinux_fs_parameters);
7260 
7261 	return 0;
7262 }
7263 
7264 static void delayed_superblock_init(struct super_block *sb, void *unused)
7265 {
7266 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
7267 }
7268 
7269 void selinux_complete_init(void)
7270 {
7271 	pr_debug("SELinux:  Completing initialization.\n");
7272 
7273 	/* Set up any superblocks initialized prior to the policy load. */
7274 	pr_debug("SELinux:  Setting up existing superblocks.\n");
7275 	iterate_supers(delayed_superblock_init, NULL);
7276 }
7277 
7278 /* SELinux requires early initialization in order to label
7279    all processes and objects when they are created. */
7280 DEFINE_LSM(selinux) = {
7281 	.name = "selinux",
7282 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7283 	.enabled = &selinux_enabled_boot,
7284 	.blobs = &selinux_blob_sizes,
7285 	.init = selinux_init,
7286 };
7287 
7288 #if defined(CONFIG_NETFILTER)
7289 
7290 static const struct nf_hook_ops selinux_nf_ops[] = {
7291 	{
7292 		.hook =		selinux_ipv4_postroute,
7293 		.pf =		NFPROTO_IPV4,
7294 		.hooknum =	NF_INET_POST_ROUTING,
7295 		.priority =	NF_IP_PRI_SELINUX_LAST,
7296 	},
7297 	{
7298 		.hook =		selinux_ipv4_forward,
7299 		.pf =		NFPROTO_IPV4,
7300 		.hooknum =	NF_INET_FORWARD,
7301 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7302 	},
7303 	{
7304 		.hook =		selinux_ipv4_output,
7305 		.pf =		NFPROTO_IPV4,
7306 		.hooknum =	NF_INET_LOCAL_OUT,
7307 		.priority =	NF_IP_PRI_SELINUX_FIRST,
7308 	},
7309 #if IS_ENABLED(CONFIG_IPV6)
7310 	{
7311 		.hook =		selinux_ipv6_postroute,
7312 		.pf =		NFPROTO_IPV6,
7313 		.hooknum =	NF_INET_POST_ROUTING,
7314 		.priority =	NF_IP6_PRI_SELINUX_LAST,
7315 	},
7316 	{
7317 		.hook =		selinux_ipv6_forward,
7318 		.pf =		NFPROTO_IPV6,
7319 		.hooknum =	NF_INET_FORWARD,
7320 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7321 	},
7322 	{
7323 		.hook =		selinux_ipv6_output,
7324 		.pf =		NFPROTO_IPV6,
7325 		.hooknum =	NF_INET_LOCAL_OUT,
7326 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
7327 	},
7328 #endif	/* IPV6 */
7329 };
7330 
7331 static int __net_init selinux_nf_register(struct net *net)
7332 {
7333 	return nf_register_net_hooks(net, selinux_nf_ops,
7334 				     ARRAY_SIZE(selinux_nf_ops));
7335 }
7336 
7337 static void __net_exit selinux_nf_unregister(struct net *net)
7338 {
7339 	nf_unregister_net_hooks(net, selinux_nf_ops,
7340 				ARRAY_SIZE(selinux_nf_ops));
7341 }
7342 
7343 static struct pernet_operations selinux_net_ops = {
7344 	.init = selinux_nf_register,
7345 	.exit = selinux_nf_unregister,
7346 };
7347 
7348 static int __init selinux_nf_ip_init(void)
7349 {
7350 	int err;
7351 
7352 	if (!selinux_enabled_boot)
7353 		return 0;
7354 
7355 	pr_debug("SELinux:  Registering netfilter hooks\n");
7356 
7357 	err = register_pernet_subsys(&selinux_net_ops);
7358 	if (err)
7359 		panic("SELinux: register_pernet_subsys: error %d\n", err);
7360 
7361 	return 0;
7362 }
7363 __initcall(selinux_nf_ip_init);
7364 
7365 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7366 static void selinux_nf_ip_exit(void)
7367 {
7368 	pr_debug("SELinux:  Unregistering netfilter hooks\n");
7369 
7370 	unregister_pernet_subsys(&selinux_net_ops);
7371 }
7372 #endif
7373 
7374 #else /* CONFIG_NETFILTER */
7375 
7376 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7377 #define selinux_nf_ip_exit()
7378 #endif
7379 
7380 #endif /* CONFIG_NETFILTER */
7381 
7382 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7383 int selinux_disable(struct selinux_state *state)
7384 {
7385 	if (selinux_initialized(state)) {
7386 		/* Not permitted after initial policy load. */
7387 		return -EINVAL;
7388 	}
7389 
7390 	if (selinux_disabled(state)) {
7391 		/* Only do this once. */
7392 		return -EINVAL;
7393 	}
7394 
7395 	selinux_mark_disabled(state);
7396 
7397 	pr_info("SELinux:  Disabled at runtime.\n");
7398 
7399 	/*
7400 	 * Unregister netfilter hooks.
7401 	 * Must be done before security_delete_hooks() to avoid breaking
7402 	 * runtime disable.
7403 	 */
7404 	selinux_nf_ip_exit();
7405 
7406 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7407 
7408 	/* Try to destroy the avc node cache */
7409 	avc_disable();
7410 
7411 	/* Unregister selinuxfs. */
7412 	exit_sel_fs();
7413 
7414 	return 0;
7415 }
7416 #endif
7417