root/security/selinux/hooks.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. enforcing_setup
  2. selinux_enabled_setup
  3. checkreqprot_setup
  4. selinux_secmark_enabled
  5. selinux_peerlbl_enabled
  6. selinux_netcache_avc_callback
  7. selinux_lsm_notifier_avc_callback
  8. cred_init_security
  9. cred_sid
  10. task_sid
  11. inode_alloc_security
  12. __inode_security_revalidate
  13. inode_security_novalidate
  14. inode_security_rcu
  15. backing_inode_security_novalidate
  16. backing_inode_security
  17. inode_free_security
  18. file_alloc_security
  19. superblock_alloc_security
  20. superblock_free_security
  21. selinux_free_mnt_opts
  22. inode_doinit
  23. match_opt_prefix
  24. may_context_mount_sb_relabel
  25. may_context_mount_inode_relabel
  26. selinux_is_genfs_special_handling
  27. selinux_is_sblabel_mnt
  28. sb_finish_set_opts
  29. bad_option
  30. parse_sid
  31. selinux_set_mnt_opts
  32. selinux_cmp_sb_context
  33. selinux_sb_clone_mnt_opts
  34. selinux_add_opt
  35. selinux_add_mnt_opt
  36. show_sid
  37. selinux_sb_show_options
  38. inode_mode_to_security_class
  39. default_protocol_stream
  40. default_protocol_dgram
  41. socket_type_to_security_class
  42. selinux_genfs_get_sid
  43. inode_doinit_use_xattr
  44. inode_doinit_with_dentry
  45. signal_to_av
  46. cred_has_capability
  47. inode_has_perm
  48. dentry_has_perm
  49. path_has_perm
  50. file_path_has_perm
  51. file_has_perm
  52. selinux_determine_inode_label
  53. may_create
  54. may_link
  55. may_rename
  56. superblock_has_perm
  57. file_mask_to_av
  58. file_to_av
  59. open_file_to_av
  60. selinux_binder_set_context_mgr
  61. selinux_binder_transaction
  62. selinux_binder_transfer_binder
  63. selinux_binder_transfer_file
  64. selinux_ptrace_access_check
  65. selinux_ptrace_traceme
  66. selinux_capget
  67. selinux_capset
  68. selinux_capable
  69. selinux_quotactl
  70. selinux_quota_on
  71. selinux_syslog
  72. selinux_vm_enough_memory
  73. ptrace_parent_sid
  74. check_nnp_nosuid
  75. selinux_bprm_set_creds
  76. match_file
  77. flush_unauthorized_files
  78. selinux_bprm_committing_creds
  79. selinux_bprm_committed_creds
  80. selinux_sb_alloc_security
  81. selinux_sb_free_security
  82. opt_len
  83. selinux_sb_eat_lsm_opts
  84. selinux_sb_remount
  85. selinux_sb_kern_mount
  86. selinux_sb_statfs
  87. selinux_mount
  88. selinux_move_mount
  89. selinux_umount
  90. selinux_fs_context_dup
  91. selinux_fs_context_parse_param
  92. selinux_inode_alloc_security
  93. selinux_inode_free_security
  94. selinux_dentry_init_security
  95. selinux_dentry_create_files_as
  96. selinux_inode_init_security
  97. selinux_inode_create
  98. selinux_inode_link
  99. selinux_inode_unlink
  100. selinux_inode_symlink
  101. selinux_inode_mkdir
  102. selinux_inode_rmdir
  103. selinux_inode_mknod
  104. selinux_inode_rename
  105. selinux_inode_readlink
  106. selinux_inode_follow_link
  107. audit_inode_permission
  108. selinux_inode_permission
  109. selinux_inode_setattr
  110. selinux_inode_getattr
  111. has_cap_mac_admin
  112. selinux_inode_setxattr
  113. selinux_inode_post_setxattr
  114. selinux_inode_getxattr
  115. selinux_inode_listxattr
  116. selinux_inode_removexattr
  117. selinux_path_notify
  118. selinux_inode_getsecurity
  119. selinux_inode_setsecurity
  120. selinux_inode_listsecurity
  121. selinux_inode_getsecid
  122. selinux_inode_copy_up
  123. selinux_inode_copy_up_xattr
  124. selinux_kernfs_init_security
  125. selinux_revalidate_file_permission
  126. selinux_file_permission
  127. selinux_file_alloc_security
  128. ioctl_has_perm
  129. selinux_file_ioctl
  130. file_map_prot_check
  131. selinux_mmap_addr
  132. selinux_mmap_file
  133. selinux_file_mprotect
  134. selinux_file_lock
  135. selinux_file_fcntl
  136. selinux_file_set_fowner
  137. selinux_file_send_sigiotask
  138. selinux_file_receive
  139. selinux_file_open
  140. selinux_task_alloc
  141. selinux_cred_prepare
  142. selinux_cred_transfer
  143. selinux_cred_getsecid
  144. selinux_kernel_act_as
  145. selinux_kernel_create_files_as
  146. selinux_kernel_module_request
  147. selinux_kernel_module_from_file
  148. selinux_kernel_read_file
  149. selinux_kernel_load_data
  150. selinux_task_setpgid
  151. selinux_task_getpgid
  152. selinux_task_getsid
  153. selinux_task_getsecid
  154. selinux_task_setnice
  155. selinux_task_setioprio
  156. selinux_task_getioprio
  157. selinux_task_prlimit
  158. selinux_task_setrlimit
  159. selinux_task_setscheduler
  160. selinux_task_getscheduler
  161. selinux_task_movememory
  162. selinux_task_kill
  163. selinux_task_to_inode
  164. selinux_parse_skb_ipv4
  165. selinux_parse_skb_ipv6
  166. selinux_parse_skb
  167. selinux_skb_peerlbl_sid
  168. selinux_conn_sid
  169. socket_sockcreate_sid
  170. sock_has_perm
  171. selinux_socket_create
  172. selinux_socket_post_create
  173. selinux_socket_socketpair
  174. selinux_socket_bind
  175. selinux_socket_connect_helper
  176. selinux_socket_connect
  177. selinux_socket_listen
  178. selinux_socket_accept
  179. selinux_socket_sendmsg
  180. selinux_socket_recvmsg
  181. selinux_socket_getsockname
  182. selinux_socket_getpeername
  183. selinux_socket_setsockopt
  184. selinux_socket_getsockopt
  185. selinux_socket_shutdown
  186. selinux_socket_unix_stream_connect
  187. selinux_socket_unix_may_send
  188. selinux_inet_sys_rcv_skb
  189. selinux_sock_rcv_skb_compat
  190. selinux_socket_sock_rcv_skb
  191. selinux_socket_getpeersec_stream
  192. selinux_socket_getpeersec_dgram
  193. selinux_sk_alloc_security
  194. selinux_sk_free_security
  195. selinux_sk_clone_security
  196. selinux_sk_getsecid
  197. selinux_sock_graft
  198. selinux_sctp_assoc_request
  199. selinux_sctp_bind_connect
  200. selinux_sctp_sk_clone
  201. selinux_inet_conn_request
  202. selinux_inet_csk_clone
  203. selinux_inet_conn_established
  204. selinux_secmark_relabel_packet
  205. selinux_secmark_refcount_inc
  206. selinux_secmark_refcount_dec
  207. selinux_req_classify_flow
  208. selinux_tun_dev_alloc_security
  209. selinux_tun_dev_free_security
  210. selinux_tun_dev_create
  211. selinux_tun_dev_attach_queue
  212. selinux_tun_dev_attach
  213. selinux_tun_dev_open
  214. selinux_nlmsg_perm
  215. selinux_ip_forward
  216. selinux_ipv4_forward
  217. selinux_ipv6_forward
  218. selinux_ip_output
  219. selinux_ipv4_output
  220. selinux_ipv6_output
  221. selinux_ip_postroute_compat
  222. selinux_ip_postroute
  223. selinux_ipv4_postroute
  224. selinux_ipv6_postroute
  225. selinux_netlink_send
  226. ipc_init_security
  227. msg_msg_alloc_security
  228. ipc_has_perm
  229. selinux_msg_msg_alloc_security
  230. selinux_msg_queue_alloc_security
  231. selinux_msg_queue_associate
  232. selinux_msg_queue_msgctl
  233. selinux_msg_queue_msgsnd
  234. selinux_msg_queue_msgrcv
  235. selinux_shm_alloc_security
  236. selinux_shm_associate
  237. selinux_shm_shmctl
  238. selinux_shm_shmat
  239. selinux_sem_alloc_security
  240. selinux_sem_associate
  241. selinux_sem_semctl
  242. selinux_sem_semop
  243. selinux_ipc_permission
  244. selinux_ipc_getsecid
  245. selinux_d_instantiate
  246. selinux_getprocattr
  247. selinux_setprocattr
  248. selinux_ismaclabel
  249. selinux_secid_to_secctx
  250. selinux_secctx_to_secid
  251. selinux_release_secctx
  252. selinux_inode_invalidate_secctx
  253. selinux_inode_notifysecctx
  254. selinux_inode_setsecctx
  255. selinux_inode_getsecctx
  256. selinux_key_alloc
  257. selinux_key_free
  258. selinux_key_permission
  259. selinux_key_getsecurity
  260. selinux_ib_pkey_access
  261. selinux_ib_endport_manage_subnet
  262. selinux_ib_alloc_security
  263. selinux_ib_free_security
  264. selinux_bpf
  265. bpf_map_fmode_to_av
  266. bpf_fd_pass
  267. selinux_bpf_map
  268. selinux_bpf_prog
  269. selinux_bpf_map_alloc
  270. selinux_bpf_map_free
  271. selinux_bpf_prog_alloc
  272. selinux_bpf_prog_free
  273. selinux_init
  274. delayed_superblock_init
  275. selinux_complete_init
  276. selinux_nf_register
  277. selinux_nf_unregister
  278. selinux_nf_ip_init
  279. selinux_nf_ip_exit
  280. selinux_disable

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  *  NSA Security-Enhanced Linux (SELinux) security module
   4  *
   5  *  This file contains the SELinux hook function implementations.
   6  *
   7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
   8  *            Chris Vance, <cvance@nai.com>
   9  *            Wayne Salamon, <wsalamon@nai.com>
  10  *            James Morris <jmorris@redhat.com>
  11  *
  12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  14  *                                         Eric Paris <eparis@redhat.com>
  15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  16  *                          <dgoeddel@trustedcs.com>
  17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  18  *      Paul Moore <paul@paul-moore.com>
  19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  20  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  21  *  Copyright (C) 2016 Mellanox Technologies
  22  */
  23 
  24 #include <linux/init.h>
  25 #include <linux/kd.h>
  26 #include <linux/kernel.h>
  27 #include <linux/tracehook.h>
  28 #include <linux/errno.h>
  29 #include <linux/sched/signal.h>
  30 #include <linux/sched/task.h>
  31 #include <linux/lsm_hooks.h>
  32 #include <linux/xattr.h>
  33 #include <linux/capability.h>
  34 #include <linux/unistd.h>
  35 #include <linux/mm.h>
  36 #include <linux/mman.h>
  37 #include <linux/slab.h>
  38 #include <linux/pagemap.h>
  39 #include <linux/proc_fs.h>
  40 #include <linux/swap.h>
  41 #include <linux/spinlock.h>
  42 #include <linux/syscalls.h>
  43 #include <linux/dcache.h>
  44 #include <linux/file.h>
  45 #include <linux/fdtable.h>
  46 #include <linux/namei.h>
  47 #include <linux/mount.h>
  48 #include <linux/fs_context.h>
  49 #include <linux/fs_parser.h>
  50 #include <linux/netfilter_ipv4.h>
  51 #include <linux/netfilter_ipv6.h>
  52 #include <linux/tty.h>
  53 #include <net/icmp.h>
  54 #include <net/ip.h>             /* for local_port_range[] */
  55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  56 #include <net/inet_connection_sock.h>
  57 #include <net/net_namespace.h>
  58 #include <net/netlabel.h>
  59 #include <linux/uaccess.h>
  60 #include <asm/ioctls.h>
  61 #include <linux/atomic.h>
  62 #include <linux/bitops.h>
  63 #include <linux/interrupt.h>
  64 #include <linux/netdevice.h>    /* for network interface checks */
  65 #include <net/netlink.h>
  66 #include <linux/tcp.h>
  67 #include <linux/udp.h>
  68 #include <linux/dccp.h>
  69 #include <linux/sctp.h>
  70 #include <net/sctp/structs.h>
  71 #include <linux/quota.h>
  72 #include <linux/un.h>           /* for Unix socket types */
  73 #include <net/af_unix.h>        /* for Unix socket types */
  74 #include <linux/parser.h>
  75 #include <linux/nfs_mount.h>
  76 #include <net/ipv6.h>
  77 #include <linux/hugetlb.h>
  78 #include <linux/personality.h>
  79 #include <linux/audit.h>
  80 #include <linux/string.h>
  81 #include <linux/mutex.h>
  82 #include <linux/posix-timers.h>
  83 #include <linux/syslog.h>
  84 #include <linux/user_namespace.h>
  85 #include <linux/export.h>
  86 #include <linux/msg.h>
  87 #include <linux/shm.h>
  88 #include <linux/bpf.h>
  89 #include <linux/kernfs.h>
  90 #include <linux/stringhash.h>   /* for hashlen_string() */
  91 #include <uapi/linux/mount.h>
  92 #include <linux/fsnotify.h>
  93 #include <linux/fanotify.h>
  94 
  95 #include "avc.h"
  96 #include "objsec.h"
  97 #include "netif.h"
  98 #include "netnode.h"
  99 #include "netport.h"
 100 #include "ibpkey.h"
 101 #include "xfrm.h"
 102 #include "netlabel.h"
 103 #include "audit.h"
 104 #include "avc_ss.h"
 105 
 106 struct selinux_state selinux_state;
 107 
 108 /* SECMARK reference count */
 109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 110 
 111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 112 static int selinux_enforcing_boot;
 113 
 114 static int __init enforcing_setup(char *str)
 115 {
 116         unsigned long enforcing;
 117         if (!kstrtoul(str, 0, &enforcing))
 118                 selinux_enforcing_boot = enforcing ? 1 : 0;
 119         return 1;
 120 }
 121 __setup("enforcing=", enforcing_setup);
 122 #else
 123 #define selinux_enforcing_boot 1
 124 #endif
 125 
 126 int selinux_enabled __lsm_ro_after_init = 1;
 127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 128 static int __init selinux_enabled_setup(char *str)
 129 {
 130         unsigned long enabled;
 131         if (!kstrtoul(str, 0, &enabled))
 132                 selinux_enabled = enabled ? 1 : 0;
 133         return 1;
 134 }
 135 __setup("selinux=", selinux_enabled_setup);
 136 #endif
 137 
 138 static unsigned int selinux_checkreqprot_boot =
 139         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 140 
 141 static int __init checkreqprot_setup(char *str)
 142 {
 143         unsigned long checkreqprot;
 144 
 145         if (!kstrtoul(str, 0, &checkreqprot))
 146                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
 147         return 1;
 148 }
 149 __setup("checkreqprot=", checkreqprot_setup);
 150 
 151 /**
 152  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 153  *
 154  * Description:
 155  * This function checks the SECMARK reference counter to see if any SECMARK
 156  * targets are currently configured, if the reference counter is greater than
 157  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 158  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
 159  * policy capability is enabled, SECMARK is always considered enabled.
 160  *
 161  */
 162 static int selinux_secmark_enabled(void)
 163 {
 164         return (selinux_policycap_alwaysnetwork() ||
 165                 atomic_read(&selinux_secmark_refcount));
 166 }
 167 
 168 /**
 169  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
 170  *
 171  * Description:
 172  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
 173  * (1) if any are enabled or false (0) if neither are enabled.  If the
 174  * always_check_network policy capability is enabled, peer labeling
 175  * is always considered enabled.
 176  *
 177  */
 178 static int selinux_peerlbl_enabled(void)
 179 {
 180         return (selinux_policycap_alwaysnetwork() ||
 181                 netlbl_enabled() || selinux_xfrm_enabled());
 182 }
 183 
 184 static int selinux_netcache_avc_callback(u32 event)
 185 {
 186         if (event == AVC_CALLBACK_RESET) {
 187                 sel_netif_flush();
 188                 sel_netnode_flush();
 189                 sel_netport_flush();
 190                 synchronize_net();
 191         }
 192         return 0;
 193 }
 194 
 195 static int selinux_lsm_notifier_avc_callback(u32 event)
 196 {
 197         if (event == AVC_CALLBACK_RESET) {
 198                 sel_ib_pkey_flush();
 199                 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 200         }
 201 
 202         return 0;
 203 }
 204 
 205 /*
 206  * initialise the security for the init task
 207  */
 208 static void cred_init_security(void)
 209 {
 210         struct cred *cred = (struct cred *) current->real_cred;
 211         struct task_security_struct *tsec;
 212 
 213         tsec = selinux_cred(cred);
 214         tsec->osid = tsec->sid = SECINITSID_KERNEL;
 215 }
 216 
 217 /*
 218  * get the security ID of a set of credentials
 219  */
 220 static inline u32 cred_sid(const struct cred *cred)
 221 {
 222         const struct task_security_struct *tsec;
 223 
 224         tsec = selinux_cred(cred);
 225         return tsec->sid;
 226 }
 227 
 228 /*
 229  * get the objective security ID of a task
 230  */
 231 static inline u32 task_sid(const struct task_struct *task)
 232 {
 233         u32 sid;
 234 
 235         rcu_read_lock();
 236         sid = cred_sid(__task_cred(task));
 237         rcu_read_unlock();
 238         return sid;
 239 }
 240 
 241 /* Allocate and free functions for each kind of security blob. */
 242 
 243 static int inode_alloc_security(struct inode *inode)
 244 {
 245         struct inode_security_struct *isec = selinux_inode(inode);
 246         u32 sid = current_sid();
 247 
 248         spin_lock_init(&isec->lock);
 249         INIT_LIST_HEAD(&isec->list);
 250         isec->inode = inode;
 251         isec->sid = SECINITSID_UNLABELED;
 252         isec->sclass = SECCLASS_FILE;
 253         isec->task_sid = sid;
 254         isec->initialized = LABEL_INVALID;
 255 
 256         return 0;
 257 }
 258 
 259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 260 
 261 /*
 262  * Try reloading inode security labels that have been marked as invalid.  The
 263  * @may_sleep parameter indicates when sleeping and thus reloading labels is
 264  * allowed; when set to false, returns -ECHILD when the label is
 265  * invalid.  The @dentry parameter should be set to a dentry of the inode.
 266  */
 267 static int __inode_security_revalidate(struct inode *inode,
 268                                        struct dentry *dentry,
 269                                        bool may_sleep)
 270 {
 271         struct inode_security_struct *isec = selinux_inode(inode);
 272 
 273         might_sleep_if(may_sleep);
 274 
 275         if (selinux_state.initialized &&
 276             isec->initialized != LABEL_INITIALIZED) {
 277                 if (!may_sleep)
 278                         return -ECHILD;
 279 
 280                 /*
 281                  * Try reloading the inode security label.  This will fail if
 282                  * @opt_dentry is NULL and no dentry for this inode can be
 283                  * found; in that case, continue using the old label.
 284                  */
 285                 inode_doinit_with_dentry(inode, dentry);
 286         }
 287         return 0;
 288 }
 289 
 290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
 291 {
 292         return selinux_inode(inode);
 293 }
 294 
 295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
 296 {
 297         int error;
 298 
 299         error = __inode_security_revalidate(inode, NULL, !rcu);
 300         if (error)
 301                 return ERR_PTR(error);
 302         return selinux_inode(inode);
 303 }
 304 
 305 /*
 306  * Get the security label of an inode.
 307  */
 308 static struct inode_security_struct *inode_security(struct inode *inode)
 309 {
 310         __inode_security_revalidate(inode, NULL, true);
 311         return selinux_inode(inode);
 312 }
 313 
 314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
 315 {
 316         struct inode *inode = d_backing_inode(dentry);
 317 
 318         return selinux_inode(inode);
 319 }
 320 
 321 /*
 322  * Get the security label of a dentry's backing inode.
 323  */
 324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
 325 {
 326         struct inode *inode = d_backing_inode(dentry);
 327 
 328         __inode_security_revalidate(inode, dentry, true);
 329         return selinux_inode(inode);
 330 }
 331 
 332 static void inode_free_security(struct inode *inode)
 333 {
 334         struct inode_security_struct *isec = selinux_inode(inode);
 335         struct superblock_security_struct *sbsec;
 336 
 337         if (!isec)
 338                 return;
 339         sbsec = inode->i_sb->s_security;
 340         /*
 341          * As not all inode security structures are in a list, we check for
 342          * empty list outside of the lock to make sure that we won't waste
 343          * time taking a lock doing nothing.
 344          *
 345          * The list_del_init() function can be safely called more than once.
 346          * It should not be possible for this function to be called with
 347          * concurrent list_add(), but for better safety against future changes
 348          * in the code, we use list_empty_careful() here.
 349          */
 350         if (!list_empty_careful(&isec->list)) {
 351                 spin_lock(&sbsec->isec_lock);
 352                 list_del_init(&isec->list);
 353                 spin_unlock(&sbsec->isec_lock);
 354         }
 355 }
 356 
 357 static int file_alloc_security(struct file *file)
 358 {
 359         struct file_security_struct *fsec = selinux_file(file);
 360         u32 sid = current_sid();
 361 
 362         fsec->sid = sid;
 363         fsec->fown_sid = sid;
 364 
 365         return 0;
 366 }
 367 
 368 static int superblock_alloc_security(struct super_block *sb)
 369 {
 370         struct superblock_security_struct *sbsec;
 371 
 372         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 373         if (!sbsec)
 374                 return -ENOMEM;
 375 
 376         mutex_init(&sbsec->lock);
 377         INIT_LIST_HEAD(&sbsec->isec_head);
 378         spin_lock_init(&sbsec->isec_lock);
 379         sbsec->sb = sb;
 380         sbsec->sid = SECINITSID_UNLABELED;
 381         sbsec->def_sid = SECINITSID_FILE;
 382         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 383         sb->s_security = sbsec;
 384 
 385         return 0;
 386 }
 387 
 388 static void superblock_free_security(struct super_block *sb)
 389 {
 390         struct superblock_security_struct *sbsec = sb->s_security;
 391         sb->s_security = NULL;
 392         kfree(sbsec);
 393 }
 394 
 395 struct selinux_mnt_opts {
 396         const char *fscontext, *context, *rootcontext, *defcontext;
 397 };
 398 
 399 static void selinux_free_mnt_opts(void *mnt_opts)
 400 {
 401         struct selinux_mnt_opts *opts = mnt_opts;
 402         kfree(opts->fscontext);
 403         kfree(opts->context);
 404         kfree(opts->rootcontext);
 405         kfree(opts->defcontext);
 406         kfree(opts);
 407 }
 408 
 409 static inline int inode_doinit(struct inode *inode)
 410 {
 411         return inode_doinit_with_dentry(inode, NULL);
 412 }
 413 
 414 enum {
 415         Opt_error = -1,
 416         Opt_context = 0,
 417         Opt_defcontext = 1,
 418         Opt_fscontext = 2,
 419         Opt_rootcontext = 3,
 420         Opt_seclabel = 4,
 421 };
 422 
 423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
 424 static struct {
 425         const char *name;
 426         int len;
 427         int opt;
 428         bool has_arg;
 429 } tokens[] = {
 430         A(context, true),
 431         A(fscontext, true),
 432         A(defcontext, true),
 433         A(rootcontext, true),
 434         A(seclabel, false),
 435 };
 436 #undef A
 437 
 438 static int match_opt_prefix(char *s, int l, char **arg)
 439 {
 440         int i;
 441 
 442         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
 443                 size_t len = tokens[i].len;
 444                 if (len > l || memcmp(s, tokens[i].name, len))
 445                         continue;
 446                 if (tokens[i].has_arg) {
 447                         if (len == l || s[len] != '=')
 448                                 continue;
 449                         *arg = s + len + 1;
 450                 } else if (len != l)
 451                         continue;
 452                 return tokens[i].opt;
 453         }
 454         return Opt_error;
 455 }
 456 
 457 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 458 
 459 static int may_context_mount_sb_relabel(u32 sid,
 460                         struct superblock_security_struct *sbsec,
 461                         const struct cred *cred)
 462 {
 463         const struct task_security_struct *tsec = selinux_cred(cred);
 464         int rc;
 465 
 466         rc = avc_has_perm(&selinux_state,
 467                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 468                           FILESYSTEM__RELABELFROM, NULL);
 469         if (rc)
 470                 return rc;
 471 
 472         rc = avc_has_perm(&selinux_state,
 473                           tsec->sid, sid, SECCLASS_FILESYSTEM,
 474                           FILESYSTEM__RELABELTO, NULL);
 475         return rc;
 476 }
 477 
 478 static int may_context_mount_inode_relabel(u32 sid,
 479                         struct superblock_security_struct *sbsec,
 480                         const struct cred *cred)
 481 {
 482         const struct task_security_struct *tsec = selinux_cred(cred);
 483         int rc;
 484         rc = avc_has_perm(&selinux_state,
 485                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 486                           FILESYSTEM__RELABELFROM, NULL);
 487         if (rc)
 488                 return rc;
 489 
 490         rc = avc_has_perm(&selinux_state,
 491                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
 492                           FILESYSTEM__ASSOCIATE, NULL);
 493         return rc;
 494 }
 495 
 496 static int selinux_is_genfs_special_handling(struct super_block *sb)
 497 {
 498         /* Special handling. Genfs but also in-core setxattr handler */
 499         return  !strcmp(sb->s_type->name, "sysfs") ||
 500                 !strcmp(sb->s_type->name, "pstore") ||
 501                 !strcmp(sb->s_type->name, "debugfs") ||
 502                 !strcmp(sb->s_type->name, "tracefs") ||
 503                 !strcmp(sb->s_type->name, "rootfs") ||
 504                 (selinux_policycap_cgroupseclabel() &&
 505                  (!strcmp(sb->s_type->name, "cgroup") ||
 506                   !strcmp(sb->s_type->name, "cgroup2")));
 507 }
 508 
 509 static int selinux_is_sblabel_mnt(struct super_block *sb)
 510 {
 511         struct superblock_security_struct *sbsec = sb->s_security;
 512 
 513         /*
 514          * IMPORTANT: Double-check logic in this function when adding a new
 515          * SECURITY_FS_USE_* definition!
 516          */
 517         BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
 518 
 519         switch (sbsec->behavior) {
 520         case SECURITY_FS_USE_XATTR:
 521         case SECURITY_FS_USE_TRANS:
 522         case SECURITY_FS_USE_TASK:
 523         case SECURITY_FS_USE_NATIVE:
 524                 return 1;
 525 
 526         case SECURITY_FS_USE_GENFS:
 527                 return selinux_is_genfs_special_handling(sb);
 528 
 529         /* Never allow relabeling on context mounts */
 530         case SECURITY_FS_USE_MNTPOINT:
 531         case SECURITY_FS_USE_NONE:
 532         default:
 533                 return 0;
 534         }
 535 }
 536 
 537 static int sb_finish_set_opts(struct super_block *sb)
 538 {
 539         struct superblock_security_struct *sbsec = sb->s_security;
 540         struct dentry *root = sb->s_root;
 541         struct inode *root_inode = d_backing_inode(root);
 542         int rc = 0;
 543 
 544         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 545                 /* Make sure that the xattr handler exists and that no
 546                    error other than -ENODATA is returned by getxattr on
 547                    the root directory.  -ENODATA is ok, as this may be
 548                    the first boot of the SELinux kernel before we have
 549                    assigned xattr values to the filesystem. */
 550                 if (!(root_inode->i_opflags & IOP_XATTR)) {
 551                         pr_warn("SELinux: (dev %s, type %s) has no "
 552                                "xattr support\n", sb->s_id, sb->s_type->name);
 553                         rc = -EOPNOTSUPP;
 554                         goto out;
 555                 }
 556 
 557                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
 558                 if (rc < 0 && rc != -ENODATA) {
 559                         if (rc == -EOPNOTSUPP)
 560                                 pr_warn("SELinux: (dev %s, type "
 561                                        "%s) has no security xattr handler\n",
 562                                        sb->s_id, sb->s_type->name);
 563                         else
 564                                 pr_warn("SELinux: (dev %s, type "
 565                                        "%s) getxattr errno %d\n", sb->s_id,
 566                                        sb->s_type->name, -rc);
 567                         goto out;
 568                 }
 569         }
 570 
 571         sbsec->flags |= SE_SBINITIALIZED;
 572 
 573         /*
 574          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
 575          * leave the flag untouched because sb_clone_mnt_opts might be handing
 576          * us a superblock that needs the flag to be cleared.
 577          */
 578         if (selinux_is_sblabel_mnt(sb))
 579                 sbsec->flags |= SBLABEL_MNT;
 580         else
 581                 sbsec->flags &= ~SBLABEL_MNT;
 582 
 583         /* Initialize the root inode. */
 584         rc = inode_doinit_with_dentry(root_inode, root);
 585 
 586         /* Initialize any other inodes associated with the superblock, e.g.
 587            inodes created prior to initial policy load or inodes created
 588            during get_sb by a pseudo filesystem that directly
 589            populates itself. */
 590         spin_lock(&sbsec->isec_lock);
 591         while (!list_empty(&sbsec->isec_head)) {
 592                 struct inode_security_struct *isec =
 593                                 list_first_entry(&sbsec->isec_head,
 594                                            struct inode_security_struct, list);
 595                 struct inode *inode = isec->inode;
 596                 list_del_init(&isec->list);
 597                 spin_unlock(&sbsec->isec_lock);
 598                 inode = igrab(inode);
 599                 if (inode) {
 600                         if (!IS_PRIVATE(inode))
 601                                 inode_doinit(inode);
 602                         iput(inode);
 603                 }
 604                 spin_lock(&sbsec->isec_lock);
 605         }
 606         spin_unlock(&sbsec->isec_lock);
 607 out:
 608         return rc;
 609 }
 610 
 611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
 612                       u32 old_sid, u32 new_sid)
 613 {
 614         char mnt_flags = sbsec->flags & SE_MNTMASK;
 615 
 616         /* check if the old mount command had the same options */
 617         if (sbsec->flags & SE_SBINITIALIZED)
 618                 if (!(sbsec->flags & flag) ||
 619                     (old_sid != new_sid))
 620                         return 1;
 621 
 622         /* check if we were passed the same options twice,
 623          * aka someone passed context=a,context=b
 624          */
 625         if (!(sbsec->flags & SE_SBINITIALIZED))
 626                 if (mnt_flags & flag)
 627                         return 1;
 628         return 0;
 629 }
 630 
 631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
 632 {
 633         int rc = security_context_str_to_sid(&selinux_state, s,
 634                                              sid, GFP_KERNEL);
 635         if (rc)
 636                 pr_warn("SELinux: security_context_str_to_sid"
 637                        "(%s) failed for (dev %s, type %s) errno=%d\n",
 638                        s, sb->s_id, sb->s_type->name, rc);
 639         return rc;
 640 }
 641 
 642 /*
 643  * Allow filesystems with binary mount data to explicitly set mount point
 644  * labeling information.
 645  */
 646 static int selinux_set_mnt_opts(struct super_block *sb,
 647                                 void *mnt_opts,
 648                                 unsigned long kern_flags,
 649                                 unsigned long *set_kern_flags)
 650 {
 651         const struct cred *cred = current_cred();
 652         struct superblock_security_struct *sbsec = sb->s_security;
 653         struct dentry *root = sbsec->sb->s_root;
 654         struct selinux_mnt_opts *opts = mnt_opts;
 655         struct inode_security_struct *root_isec;
 656         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 657         u32 defcontext_sid = 0;
 658         int rc = 0;
 659 
 660         mutex_lock(&sbsec->lock);
 661 
 662         if (!selinux_state.initialized) {
 663                 if (!opts) {
 664                         /* Defer initialization until selinux_complete_init,
 665                            after the initial policy is loaded and the security
 666                            server is ready to handle calls. */
 667                         goto out;
 668                 }
 669                 rc = -EINVAL;
 670                 pr_warn("SELinux: Unable to set superblock options "
 671                         "before the security server is initialized\n");
 672                 goto out;
 673         }
 674         if (kern_flags && !set_kern_flags) {
 675                 /* Specifying internal flags without providing a place to
 676                  * place the results is not allowed */
 677                 rc = -EINVAL;
 678                 goto out;
 679         }
 680 
 681         /*
 682          * Binary mount data FS will come through this function twice.  Once
 683          * from an explicit call and once from the generic calls from the vfs.
 684          * Since the generic VFS calls will not contain any security mount data
 685          * we need to skip the double mount verification.
 686          *
 687          * This does open a hole in which we will not notice if the first
 688          * mount using this sb set explict options and a second mount using
 689          * this sb does not set any security options.  (The first options
 690          * will be used for both mounts)
 691          */
 692         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 693             && !opts)
 694                 goto out;
 695 
 696         root_isec = backing_inode_security_novalidate(root);
 697 
 698         /*
 699          * parse the mount options, check if they are valid sids.
 700          * also check if someone is trying to mount the same sb more
 701          * than once with different security options.
 702          */
 703         if (opts) {
 704                 if (opts->fscontext) {
 705                         rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
 706                         if (rc)
 707                                 goto out;
 708                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 709                                         fscontext_sid))
 710                                 goto out_double_mount;
 711                         sbsec->flags |= FSCONTEXT_MNT;
 712                 }
 713                 if (opts->context) {
 714                         rc = parse_sid(sb, opts->context, &context_sid);
 715                         if (rc)
 716                                 goto out;
 717                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 718                                         context_sid))
 719                                 goto out_double_mount;
 720                         sbsec->flags |= CONTEXT_MNT;
 721                 }
 722                 if (opts->rootcontext) {
 723                         rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
 724                         if (rc)
 725                                 goto out;
 726                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 727                                         rootcontext_sid))
 728                                 goto out_double_mount;
 729                         sbsec->flags |= ROOTCONTEXT_MNT;
 730                 }
 731                 if (opts->defcontext) {
 732                         rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
 733                         if (rc)
 734                                 goto out;
 735                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 736                                         defcontext_sid))
 737                                 goto out_double_mount;
 738                         sbsec->flags |= DEFCONTEXT_MNT;
 739                 }
 740         }
 741 
 742         if (sbsec->flags & SE_SBINITIALIZED) {
 743                 /* previously mounted with options, but not on this attempt? */
 744                 if ((sbsec->flags & SE_MNTMASK) && !opts)
 745                         goto out_double_mount;
 746                 rc = 0;
 747                 goto out;
 748         }
 749 
 750         if (strcmp(sb->s_type->name, "proc") == 0)
 751                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
 752 
 753         if (!strcmp(sb->s_type->name, "debugfs") ||
 754             !strcmp(sb->s_type->name, "tracefs") ||
 755             !strcmp(sb->s_type->name, "pstore"))
 756                 sbsec->flags |= SE_SBGENFS;
 757 
 758         if (!strcmp(sb->s_type->name, "sysfs") ||
 759             !strcmp(sb->s_type->name, "cgroup") ||
 760             !strcmp(sb->s_type->name, "cgroup2"))
 761                 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
 762 
 763         if (!sbsec->behavior) {
 764                 /*
 765                  * Determine the labeling behavior to use for this
 766                  * filesystem type.
 767                  */
 768                 rc = security_fs_use(&selinux_state, sb);
 769                 if (rc) {
 770                         pr_warn("%s: security_fs_use(%s) returned %d\n",
 771                                         __func__, sb->s_type->name, rc);
 772                         goto out;
 773                 }
 774         }
 775 
 776         /*
 777          * If this is a user namespace mount and the filesystem type is not
 778          * explicitly whitelisted, then no contexts are allowed on the command
 779          * line and security labels must be ignored.
 780          */
 781         if (sb->s_user_ns != &init_user_ns &&
 782             strcmp(sb->s_type->name, "tmpfs") &&
 783             strcmp(sb->s_type->name, "ramfs") &&
 784             strcmp(sb->s_type->name, "devpts")) {
 785                 if (context_sid || fscontext_sid || rootcontext_sid ||
 786                     defcontext_sid) {
 787                         rc = -EACCES;
 788                         goto out;
 789                 }
 790                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 791                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 792                         rc = security_transition_sid(&selinux_state,
 793                                                      current_sid(),
 794                                                      current_sid(),
 795                                                      SECCLASS_FILE, NULL,
 796                                                      &sbsec->mntpoint_sid);
 797                         if (rc)
 798                                 goto out;
 799                 }
 800                 goto out_set_opts;
 801         }
 802 
 803         /* sets the context of the superblock for the fs being mounted. */
 804         if (fscontext_sid) {
 805                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 806                 if (rc)
 807                         goto out;
 808 
 809                 sbsec->sid = fscontext_sid;
 810         }
 811 
 812         /*
 813          * Switch to using mount point labeling behavior.
 814          * sets the label used on all file below the mountpoint, and will set
 815          * the superblock context if not already set.
 816          */
 817         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
 818                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
 819                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 820         }
 821 
 822         if (context_sid) {
 823                 if (!fscontext_sid) {
 824                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
 825                                                           cred);
 826                         if (rc)
 827                                 goto out;
 828                         sbsec->sid = context_sid;
 829                 } else {
 830                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
 831                                                              cred);
 832                         if (rc)
 833                                 goto out;
 834                 }
 835                 if (!rootcontext_sid)
 836                         rootcontext_sid = context_sid;
 837 
 838                 sbsec->mntpoint_sid = context_sid;
 839                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 840         }
 841 
 842         if (rootcontext_sid) {
 843                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 844                                                      cred);
 845                 if (rc)
 846                         goto out;
 847 
 848                 root_isec->sid = rootcontext_sid;
 849                 root_isec->initialized = LABEL_INITIALIZED;
 850         }
 851 
 852         if (defcontext_sid) {
 853                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
 854                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 855                         rc = -EINVAL;
 856                         pr_warn("SELinux: defcontext option is "
 857                                "invalid for this filesystem type\n");
 858                         goto out;
 859                 }
 860 
 861                 if (defcontext_sid != sbsec->def_sid) {
 862                         rc = may_context_mount_inode_relabel(defcontext_sid,
 863                                                              sbsec, cred);
 864                         if (rc)
 865                                 goto out;
 866                 }
 867 
 868                 sbsec->def_sid = defcontext_sid;
 869         }
 870 
 871 out_set_opts:
 872         rc = sb_finish_set_opts(sb);
 873 out:
 874         mutex_unlock(&sbsec->lock);
 875         return rc;
 876 out_double_mount:
 877         rc = -EINVAL;
 878         pr_warn("SELinux: mount invalid.  Same superblock, different "
 879                "security settings for (dev %s, type %s)\n", sb->s_id,
 880                sb->s_type->name);
 881         goto out;
 882 }
 883 
 884 static int selinux_cmp_sb_context(const struct super_block *oldsb,
 885                                     const struct super_block *newsb)
 886 {
 887         struct superblock_security_struct *old = oldsb->s_security;
 888         struct superblock_security_struct *new = newsb->s_security;
 889         char oldflags = old->flags & SE_MNTMASK;
 890         char newflags = new->flags & SE_MNTMASK;
 891 
 892         if (oldflags != newflags)
 893                 goto mismatch;
 894         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
 895                 goto mismatch;
 896         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
 897                 goto mismatch;
 898         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
 899                 goto mismatch;
 900         if (oldflags & ROOTCONTEXT_MNT) {
 901                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
 902                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
 903                 if (oldroot->sid != newroot->sid)
 904                         goto mismatch;
 905         }
 906         return 0;
 907 mismatch:
 908         pr_warn("SELinux: mount invalid.  Same superblock, "
 909                             "different security settings for (dev %s, "
 910                             "type %s)\n", newsb->s_id, newsb->s_type->name);
 911         return -EBUSY;
 912 }
 913 
 914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 915                                         struct super_block *newsb,
 916                                         unsigned long kern_flags,
 917                                         unsigned long *set_kern_flags)
 918 {
 919         int rc = 0;
 920         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 921         struct superblock_security_struct *newsbsec = newsb->s_security;
 922 
 923         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 924         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 925         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 926 
 927         /*
 928          * if the parent was able to be mounted it clearly had no special lsm
 929          * mount options.  thus we can safely deal with this superblock later
 930          */
 931         if (!selinux_state.initialized)
 932                 return 0;
 933 
 934         /*
 935          * Specifying internal flags without providing a place to
 936          * place the results is not allowed.
 937          */
 938         if (kern_flags && !set_kern_flags)
 939                 return -EINVAL;
 940 
 941         /* how can we clone if the old one wasn't set up?? */
 942         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
 943 
 944         /* if fs is reusing a sb, make sure that the contexts match */
 945         if (newsbsec->flags & SE_SBINITIALIZED) {
 946                 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
 947                         *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 948                 return selinux_cmp_sb_context(oldsb, newsb);
 949         }
 950 
 951         mutex_lock(&newsbsec->lock);
 952 
 953         newsbsec->flags = oldsbsec->flags;
 954 
 955         newsbsec->sid = oldsbsec->sid;
 956         newsbsec->def_sid = oldsbsec->def_sid;
 957         newsbsec->behavior = oldsbsec->behavior;
 958 
 959         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
 960                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
 961                 rc = security_fs_use(&selinux_state, newsb);
 962                 if (rc)
 963                         goto out;
 964         }
 965 
 966         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
 967                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
 968                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 969         }
 970 
 971         if (set_context) {
 972                 u32 sid = oldsbsec->mntpoint_sid;
 973 
 974                 if (!set_fscontext)
 975                         newsbsec->sid = sid;
 976                 if (!set_rootcontext) {
 977                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
 978                         newisec->sid = sid;
 979                 }
 980                 newsbsec->mntpoint_sid = sid;
 981         }
 982         if (set_rootcontext) {
 983                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
 984                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
 985 
 986                 newisec->sid = oldisec->sid;
 987         }
 988 
 989         sb_finish_set_opts(newsb);
 990 out:
 991         mutex_unlock(&newsbsec->lock);
 992         return rc;
 993 }
 994 
 995 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
 996 {
 997         struct selinux_mnt_opts *opts = *mnt_opts;
 998 
 999         if (token == Opt_seclabel)      /* eaten and completely ignored */
1000                 return 0;
1001 
1002         if (!opts) {
1003                 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004                 if (!opts)
1005                         return -ENOMEM;
1006                 *mnt_opts = opts;
1007         }
1008         if (!s)
1009                 return -ENOMEM;
1010         switch (token) {
1011         case Opt_context:
1012                 if (opts->context || opts->defcontext)
1013                         goto Einval;
1014                 opts->context = s;
1015                 break;
1016         case Opt_fscontext:
1017                 if (opts->fscontext)
1018                         goto Einval;
1019                 opts->fscontext = s;
1020                 break;
1021         case Opt_rootcontext:
1022                 if (opts->rootcontext)
1023                         goto Einval;
1024                 opts->rootcontext = s;
1025                 break;
1026         case Opt_defcontext:
1027                 if (opts->context || opts->defcontext)
1028                         goto Einval;
1029                 opts->defcontext = s;
1030                 break;
1031         }
1032         return 0;
1033 Einval:
1034         pr_warn(SEL_MOUNT_FAIL_MSG);
1035         return -EINVAL;
1036 }
1037 
1038 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039                                void **mnt_opts)
1040 {
1041         int token = Opt_error;
1042         int rc, i;
1043 
1044         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045                 if (strcmp(option, tokens[i].name) == 0) {
1046                         token = tokens[i].opt;
1047                         break;
1048                 }
1049         }
1050 
1051         if (token == Opt_error)
1052                 return -EINVAL;
1053 
1054         if (token != Opt_seclabel) {
1055                 val = kmemdup_nul(val, len, GFP_KERNEL);
1056                 if (!val) {
1057                         rc = -ENOMEM;
1058                         goto free_opt;
1059                 }
1060         }
1061         rc = selinux_add_opt(token, val, mnt_opts);
1062         if (unlikely(rc)) {
1063                 kfree(val);
1064                 goto free_opt;
1065         }
1066         return rc;
1067 
1068 free_opt:
1069         if (*mnt_opts) {
1070                 selinux_free_mnt_opts(*mnt_opts);
1071                 *mnt_opts = NULL;
1072         }
1073         return rc;
1074 }
1075 
1076 static int show_sid(struct seq_file *m, u32 sid)
1077 {
1078         char *context = NULL;
1079         u32 len;
1080         int rc;
1081 
1082         rc = security_sid_to_context(&selinux_state, sid,
1083                                              &context, &len);
1084         if (!rc) {
1085                 bool has_comma = context && strchr(context, ',');
1086 
1087                 seq_putc(m, '=');
1088                 if (has_comma)
1089                         seq_putc(m, '\"');
1090                 seq_escape(m, context, "\"\n\\");
1091                 if (has_comma)
1092                         seq_putc(m, '\"');
1093         }
1094         kfree(context);
1095         return rc;
1096 }
1097 
1098 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099 {
1100         struct superblock_security_struct *sbsec = sb->s_security;
1101         int rc;
1102 
1103         if (!(sbsec->flags & SE_SBINITIALIZED))
1104                 return 0;
1105 
1106         if (!selinux_state.initialized)
1107                 return 0;
1108 
1109         if (sbsec->flags & FSCONTEXT_MNT) {
1110                 seq_putc(m, ',');
1111                 seq_puts(m, FSCONTEXT_STR);
1112                 rc = show_sid(m, sbsec->sid);
1113                 if (rc)
1114                         return rc;
1115         }
1116         if (sbsec->flags & CONTEXT_MNT) {
1117                 seq_putc(m, ',');
1118                 seq_puts(m, CONTEXT_STR);
1119                 rc = show_sid(m, sbsec->mntpoint_sid);
1120                 if (rc)
1121                         return rc;
1122         }
1123         if (sbsec->flags & DEFCONTEXT_MNT) {
1124                 seq_putc(m, ',');
1125                 seq_puts(m, DEFCONTEXT_STR);
1126                 rc = show_sid(m, sbsec->def_sid);
1127                 if (rc)
1128                         return rc;
1129         }
1130         if (sbsec->flags & ROOTCONTEXT_MNT) {
1131                 struct dentry *root = sbsec->sb->s_root;
1132                 struct inode_security_struct *isec = backing_inode_security(root);
1133                 seq_putc(m, ',');
1134                 seq_puts(m, ROOTCONTEXT_STR);
1135                 rc = show_sid(m, isec->sid);
1136                 if (rc)
1137                         return rc;
1138         }
1139         if (sbsec->flags & SBLABEL_MNT) {
1140                 seq_putc(m, ',');
1141                 seq_puts(m, SECLABEL_STR);
1142         }
1143         return 0;
1144 }
1145 
1146 static inline u16 inode_mode_to_security_class(umode_t mode)
1147 {
1148         switch (mode & S_IFMT) {
1149         case S_IFSOCK:
1150                 return SECCLASS_SOCK_FILE;
1151         case S_IFLNK:
1152                 return SECCLASS_LNK_FILE;
1153         case S_IFREG:
1154                 return SECCLASS_FILE;
1155         case S_IFBLK:
1156                 return SECCLASS_BLK_FILE;
1157         case S_IFDIR:
1158                 return SECCLASS_DIR;
1159         case S_IFCHR:
1160                 return SECCLASS_CHR_FILE;
1161         case S_IFIFO:
1162                 return SECCLASS_FIFO_FILE;
1163 
1164         }
1165 
1166         return SECCLASS_FILE;
1167 }
1168 
1169 static inline int default_protocol_stream(int protocol)
1170 {
1171         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172 }
1173 
1174 static inline int default_protocol_dgram(int protocol)
1175 {
1176         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177 }
1178 
1179 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180 {
1181         int extsockclass = selinux_policycap_extsockclass();
1182 
1183         switch (family) {
1184         case PF_UNIX:
1185                 switch (type) {
1186                 case SOCK_STREAM:
1187                 case SOCK_SEQPACKET:
1188                         return SECCLASS_UNIX_STREAM_SOCKET;
1189                 case SOCK_DGRAM:
1190                 case SOCK_RAW:
1191                         return SECCLASS_UNIX_DGRAM_SOCKET;
1192                 }
1193                 break;
1194         case PF_INET:
1195         case PF_INET6:
1196                 switch (type) {
1197                 case SOCK_STREAM:
1198                 case SOCK_SEQPACKET:
1199                         if (default_protocol_stream(protocol))
1200                                 return SECCLASS_TCP_SOCKET;
1201                         else if (extsockclass && protocol == IPPROTO_SCTP)
1202                                 return SECCLASS_SCTP_SOCKET;
1203                         else
1204                                 return SECCLASS_RAWIP_SOCKET;
1205                 case SOCK_DGRAM:
1206                         if (default_protocol_dgram(protocol))
1207                                 return SECCLASS_UDP_SOCKET;
1208                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209                                                   protocol == IPPROTO_ICMPV6))
1210                                 return SECCLASS_ICMP_SOCKET;
1211                         else
1212                                 return SECCLASS_RAWIP_SOCKET;
1213                 case SOCK_DCCP:
1214                         return SECCLASS_DCCP_SOCKET;
1215                 default:
1216                         return SECCLASS_RAWIP_SOCKET;
1217                 }
1218                 break;
1219         case PF_NETLINK:
1220                 switch (protocol) {
1221                 case NETLINK_ROUTE:
1222                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1223                 case NETLINK_SOCK_DIAG:
1224                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225                 case NETLINK_NFLOG:
1226                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1227                 case NETLINK_XFRM:
1228                         return SECCLASS_NETLINK_XFRM_SOCKET;
1229                 case NETLINK_SELINUX:
1230                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1231                 case NETLINK_ISCSI:
1232                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1233                 case NETLINK_AUDIT:
1234                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1235                 case NETLINK_FIB_LOOKUP:
1236                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237                 case NETLINK_CONNECTOR:
1238                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239                 case NETLINK_NETFILTER:
1240                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1241                 case NETLINK_DNRTMSG:
1242                         return SECCLASS_NETLINK_DNRT_SOCKET;
1243                 case NETLINK_KOBJECT_UEVENT:
1244                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1245                 case NETLINK_GENERIC:
1246                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1247                 case NETLINK_SCSITRANSPORT:
1248                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249                 case NETLINK_RDMA:
1250                         return SECCLASS_NETLINK_RDMA_SOCKET;
1251                 case NETLINK_CRYPTO:
1252                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1253                 default:
1254                         return SECCLASS_NETLINK_SOCKET;
1255                 }
1256         case PF_PACKET:
1257                 return SECCLASS_PACKET_SOCKET;
1258         case PF_KEY:
1259                 return SECCLASS_KEY_SOCKET;
1260         case PF_APPLETALK:
1261                 return SECCLASS_APPLETALK_SOCKET;
1262         }
1263 
1264         if (extsockclass) {
1265                 switch (family) {
1266                 case PF_AX25:
1267                         return SECCLASS_AX25_SOCKET;
1268                 case PF_IPX:
1269                         return SECCLASS_IPX_SOCKET;
1270                 case PF_NETROM:
1271                         return SECCLASS_NETROM_SOCKET;
1272                 case PF_ATMPVC:
1273                         return SECCLASS_ATMPVC_SOCKET;
1274                 case PF_X25:
1275                         return SECCLASS_X25_SOCKET;
1276                 case PF_ROSE:
1277                         return SECCLASS_ROSE_SOCKET;
1278                 case PF_DECnet:
1279                         return SECCLASS_DECNET_SOCKET;
1280                 case PF_ATMSVC:
1281                         return SECCLASS_ATMSVC_SOCKET;
1282                 case PF_RDS:
1283                         return SECCLASS_RDS_SOCKET;
1284                 case PF_IRDA:
1285                         return SECCLASS_IRDA_SOCKET;
1286                 case PF_PPPOX:
1287                         return SECCLASS_PPPOX_SOCKET;
1288                 case PF_LLC:
1289                         return SECCLASS_LLC_SOCKET;
1290                 case PF_CAN:
1291                         return SECCLASS_CAN_SOCKET;
1292                 case PF_TIPC:
1293                         return SECCLASS_TIPC_SOCKET;
1294                 case PF_BLUETOOTH:
1295                         return SECCLASS_BLUETOOTH_SOCKET;
1296                 case PF_IUCV:
1297                         return SECCLASS_IUCV_SOCKET;
1298                 case PF_RXRPC:
1299                         return SECCLASS_RXRPC_SOCKET;
1300                 case PF_ISDN:
1301                         return SECCLASS_ISDN_SOCKET;
1302                 case PF_PHONET:
1303                         return SECCLASS_PHONET_SOCKET;
1304                 case PF_IEEE802154:
1305                         return SECCLASS_IEEE802154_SOCKET;
1306                 case PF_CAIF:
1307                         return SECCLASS_CAIF_SOCKET;
1308                 case PF_ALG:
1309                         return SECCLASS_ALG_SOCKET;
1310                 case PF_NFC:
1311                         return SECCLASS_NFC_SOCKET;
1312                 case PF_VSOCK:
1313                         return SECCLASS_VSOCK_SOCKET;
1314                 case PF_KCM:
1315                         return SECCLASS_KCM_SOCKET;
1316                 case PF_QIPCRTR:
1317                         return SECCLASS_QIPCRTR_SOCKET;
1318                 case PF_SMC:
1319                         return SECCLASS_SMC_SOCKET;
1320                 case PF_XDP:
1321                         return SECCLASS_XDP_SOCKET;
1322 #if PF_MAX > 45
1323 #error New address family defined, please update this function.
1324 #endif
1325                 }
1326         }
1327 
1328         return SECCLASS_SOCKET;
1329 }
1330 
1331 static int selinux_genfs_get_sid(struct dentry *dentry,
1332                                  u16 tclass,
1333                                  u16 flags,
1334                                  u32 *sid)
1335 {
1336         int rc;
1337         struct super_block *sb = dentry->d_sb;
1338         char *buffer, *path;
1339 
1340         buffer = (char *)__get_free_page(GFP_KERNEL);
1341         if (!buffer)
1342                 return -ENOMEM;
1343 
1344         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345         if (IS_ERR(path))
1346                 rc = PTR_ERR(path);
1347         else {
1348                 if (flags & SE_SBPROC) {
1349                         /* each process gets a /proc/PID/ entry. Strip off the
1350                          * PID part to get a valid selinux labeling.
1351                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352                         while (path[1] >= '0' && path[1] <= '9') {
1353                                 path[1] = '/';
1354                                 path++;
1355                         }
1356                 }
1357                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358                                         path, tclass, sid);
1359                 if (rc == -ENOENT) {
1360                         /* No match in policy, mark as unlabeled. */
1361                         *sid = SECINITSID_UNLABELED;
1362                         rc = 0;
1363                 }
1364         }
1365         free_page((unsigned long)buffer);
1366         return rc;
1367 }
1368 
1369 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370                                   u32 def_sid, u32 *sid)
1371 {
1372 #define INITCONTEXTLEN 255
1373         char *context;
1374         unsigned int len;
1375         int rc;
1376 
1377         len = INITCONTEXTLEN;
1378         context = kmalloc(len + 1, GFP_NOFS);
1379         if (!context)
1380                 return -ENOMEM;
1381 
1382         context[len] = '\0';
1383         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384         if (rc == -ERANGE) {
1385                 kfree(context);
1386 
1387                 /* Need a larger buffer.  Query for the right size. */
1388                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389                 if (rc < 0)
1390                         return rc;
1391 
1392                 len = rc;
1393                 context = kmalloc(len + 1, GFP_NOFS);
1394                 if (!context)
1395                         return -ENOMEM;
1396 
1397                 context[len] = '\0';
1398                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399                                     context, len);
1400         }
1401         if (rc < 0) {
1402                 kfree(context);
1403                 if (rc != -ENODATA) {
1404                         pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1405                                 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406                         return rc;
1407                 }
1408                 *sid = def_sid;
1409                 return 0;
1410         }
1411 
1412         rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413                                              def_sid, GFP_NOFS);
1414         if (rc) {
1415                 char *dev = inode->i_sb->s_id;
1416                 unsigned long ino = inode->i_ino;
1417 
1418                 if (rc == -EINVAL) {
1419                         pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1420                                               ino, dev, context);
1421                 } else {
1422                         pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423                                 __func__, context, -rc, dev, ino);
1424                 }
1425         }
1426         kfree(context);
1427         return 0;
1428 }
1429 
1430 /* The inode's security attributes must be initialized before first use. */
1431 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432 {
1433         struct superblock_security_struct *sbsec = NULL;
1434         struct inode_security_struct *isec = selinux_inode(inode);
1435         u32 task_sid, sid = 0;
1436         u16 sclass;
1437         struct dentry *dentry;
1438         int rc = 0;
1439 
1440         if (isec->initialized == LABEL_INITIALIZED)
1441                 return 0;
1442 
1443         spin_lock(&isec->lock);
1444         if (isec->initialized == LABEL_INITIALIZED)
1445                 goto out_unlock;
1446 
1447         if (isec->sclass == SECCLASS_FILE)
1448                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449 
1450         sbsec = inode->i_sb->s_security;
1451         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1452                 /* Defer initialization until selinux_complete_init,
1453                    after the initial policy is loaded and the security
1454                    server is ready to handle calls. */
1455                 spin_lock(&sbsec->isec_lock);
1456                 if (list_empty(&isec->list))
1457                         list_add(&isec->list, &sbsec->isec_head);
1458                 spin_unlock(&sbsec->isec_lock);
1459                 goto out_unlock;
1460         }
1461 
1462         sclass = isec->sclass;
1463         task_sid = isec->task_sid;
1464         sid = isec->sid;
1465         isec->initialized = LABEL_PENDING;
1466         spin_unlock(&isec->lock);
1467 
1468         switch (sbsec->behavior) {
1469         case SECURITY_FS_USE_NATIVE:
1470                 break;
1471         case SECURITY_FS_USE_XATTR:
1472                 if (!(inode->i_opflags & IOP_XATTR)) {
1473                         sid = sbsec->def_sid;
1474                         break;
1475                 }
1476                 /* Need a dentry, since the xattr API requires one.
1477                    Life would be simpler if we could just pass the inode. */
1478                 if (opt_dentry) {
1479                         /* Called from d_instantiate or d_splice_alias. */
1480                         dentry = dget(opt_dentry);
1481                 } else {
1482                         /*
1483                          * Called from selinux_complete_init, try to find a dentry.
1484                          * Some filesystems really want a connected one, so try
1485                          * that first.  We could split SECURITY_FS_USE_XATTR in
1486                          * two, depending upon that...
1487                          */
1488                         dentry = d_find_alias(inode);
1489                         if (!dentry)
1490                                 dentry = d_find_any_alias(inode);
1491                 }
1492                 if (!dentry) {
1493                         /*
1494                          * this is can be hit on boot when a file is accessed
1495                          * before the policy is loaded.  When we load policy we
1496                          * may find inodes that have no dentry on the
1497                          * sbsec->isec_head list.  No reason to complain as these
1498                          * will get fixed up the next time we go through
1499                          * inode_doinit with a dentry, before these inodes could
1500                          * be used again by userspace.
1501                          */
1502                         goto out;
1503                 }
1504 
1505                 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506                                             &sid);
1507                 dput(dentry);
1508                 if (rc)
1509                         goto out;
1510                 break;
1511         case SECURITY_FS_USE_TASK:
1512                 sid = task_sid;
1513                 break;
1514         case SECURITY_FS_USE_TRANS:
1515                 /* Default to the fs SID. */
1516                 sid = sbsec->sid;
1517 
1518                 /* Try to obtain a transition SID. */
1519                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520                                              sclass, NULL, &sid);
1521                 if (rc)
1522                         goto out;
1523                 break;
1524         case SECURITY_FS_USE_MNTPOINT:
1525                 sid = sbsec->mntpoint_sid;
1526                 break;
1527         default:
1528                 /* Default to the fs superblock SID. */
1529                 sid = sbsec->sid;
1530 
1531                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1532                         /* We must have a dentry to determine the label on
1533                          * procfs inodes */
1534                         if (opt_dentry) {
1535                                 /* Called from d_instantiate or
1536                                  * d_splice_alias. */
1537                                 dentry = dget(opt_dentry);
1538                         } else {
1539                                 /* Called from selinux_complete_init, try to
1540                                  * find a dentry.  Some filesystems really want
1541                                  * a connected one, so try that first.
1542                                  */
1543                                 dentry = d_find_alias(inode);
1544                                 if (!dentry)
1545                                         dentry = d_find_any_alias(inode);
1546                         }
1547                         /*
1548                          * This can be hit on boot when a file is accessed
1549                          * before the policy is loaded.  When we load policy we
1550                          * may find inodes that have no dentry on the
1551                          * sbsec->isec_head list.  No reason to complain as
1552                          * these will get fixed up the next time we go through
1553                          * inode_doinit() with a dentry, before these inodes
1554                          * could be used again by userspace.
1555                          */
1556                         if (!dentry)
1557                                 goto out;
1558                         rc = selinux_genfs_get_sid(dentry, sclass,
1559                                                    sbsec->flags, &sid);
1560                         if (rc) {
1561                                 dput(dentry);
1562                                 goto out;
1563                         }
1564 
1565                         if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566                             (inode->i_opflags & IOP_XATTR)) {
1567                                 rc = inode_doinit_use_xattr(inode, dentry,
1568                                                             sid, &sid);
1569                                 if (rc) {
1570                                         dput(dentry);
1571                                         goto out;
1572                                 }
1573                         }
1574                         dput(dentry);
1575                 }
1576                 break;
1577         }
1578 
1579 out:
1580         spin_lock(&isec->lock);
1581         if (isec->initialized == LABEL_PENDING) {
1582                 if (!sid || rc) {
1583                         isec->initialized = LABEL_INVALID;
1584                         goto out_unlock;
1585                 }
1586 
1587                 isec->initialized = LABEL_INITIALIZED;
1588                 isec->sid = sid;
1589         }
1590 
1591 out_unlock:
1592         spin_unlock(&isec->lock);
1593         return rc;
1594 }
1595 
1596 /* Convert a Linux signal to an access vector. */
1597 static inline u32 signal_to_av(int sig)
1598 {
1599         u32 perm = 0;
1600 
1601         switch (sig) {
1602         case SIGCHLD:
1603                 /* Commonly granted from child to parent. */
1604                 perm = PROCESS__SIGCHLD;
1605                 break;
1606         case SIGKILL:
1607                 /* Cannot be caught or ignored */
1608                 perm = PROCESS__SIGKILL;
1609                 break;
1610         case SIGSTOP:
1611                 /* Cannot be caught or ignored */
1612                 perm = PROCESS__SIGSTOP;
1613                 break;
1614         default:
1615                 /* All other signals. */
1616                 perm = PROCESS__SIGNAL;
1617                 break;
1618         }
1619 
1620         return perm;
1621 }
1622 
1623 #if CAP_LAST_CAP > 63
1624 #error Fix SELinux to handle capabilities > 63.
1625 #endif
1626 
1627 /* Check whether a task is allowed to use a capability. */
1628 static int cred_has_capability(const struct cred *cred,
1629                                int cap, unsigned int opts, bool initns)
1630 {
1631         struct common_audit_data ad;
1632         struct av_decision avd;
1633         u16 sclass;
1634         u32 sid = cred_sid(cred);
1635         u32 av = CAP_TO_MASK(cap);
1636         int rc;
1637 
1638         ad.type = LSM_AUDIT_DATA_CAP;
1639         ad.u.cap = cap;
1640 
1641         switch (CAP_TO_INDEX(cap)) {
1642         case 0:
1643                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1644                 break;
1645         case 1:
1646                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1647                 break;
1648         default:
1649                 pr_err("SELinux:  out of range capability %d\n", cap);
1650                 BUG();
1651                 return -EINVAL;
1652         }
1653 
1654         rc = avc_has_perm_noaudit(&selinux_state,
1655                                   sid, sid, sclass, av, 0, &avd);
1656         if (!(opts & CAP_OPT_NOAUDIT)) {
1657                 int rc2 = avc_audit(&selinux_state,
1658                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1659                 if (rc2)
1660                         return rc2;
1661         }
1662         return rc;
1663 }
1664 
1665 /* Check whether a task has a particular permission to an inode.
1666    The 'adp' parameter is optional and allows other audit
1667    data to be passed (e.g. the dentry). */
1668 static int inode_has_perm(const struct cred *cred,
1669                           struct inode *inode,
1670                           u32 perms,
1671                           struct common_audit_data *adp)
1672 {
1673         struct inode_security_struct *isec;
1674         u32 sid;
1675 
1676         validate_creds(cred);
1677 
1678         if (unlikely(IS_PRIVATE(inode)))
1679                 return 0;
1680 
1681         sid = cred_sid(cred);
1682         isec = selinux_inode(inode);
1683 
1684         return avc_has_perm(&selinux_state,
1685                             sid, isec->sid, isec->sclass, perms, adp);
1686 }
1687 
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the dentry to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int dentry_has_perm(const struct cred *cred,
1692                                   struct dentry *dentry,
1693                                   u32 av)
1694 {
1695         struct inode *inode = d_backing_inode(dentry);
1696         struct common_audit_data ad;
1697 
1698         ad.type = LSM_AUDIT_DATA_DENTRY;
1699         ad.u.dentry = dentry;
1700         __inode_security_revalidate(inode, dentry, true);
1701         return inode_has_perm(cred, inode, av, &ad);
1702 }
1703 
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705    the path to help the auditing code to more easily generate the
1706    pathname if needed. */
1707 static inline int path_has_perm(const struct cred *cred,
1708                                 const struct path *path,
1709                                 u32 av)
1710 {
1711         struct inode *inode = d_backing_inode(path->dentry);
1712         struct common_audit_data ad;
1713 
1714         ad.type = LSM_AUDIT_DATA_PATH;
1715         ad.u.path = *path;
1716         __inode_security_revalidate(inode, path->dentry, true);
1717         return inode_has_perm(cred, inode, av, &ad);
1718 }
1719 
1720 /* Same as path_has_perm, but uses the inode from the file struct. */
1721 static inline int file_path_has_perm(const struct cred *cred,
1722                                      struct file *file,
1723                                      u32 av)
1724 {
1725         struct common_audit_data ad;
1726 
1727         ad.type = LSM_AUDIT_DATA_FILE;
1728         ad.u.file = file;
1729         return inode_has_perm(cred, file_inode(file), av, &ad);
1730 }
1731 
1732 #ifdef CONFIG_BPF_SYSCALL
1733 static int bpf_fd_pass(struct file *file, u32 sid);
1734 #endif
1735 
1736 /* Check whether a task can use an open file descriptor to
1737    access an inode in a given way.  Check access to the
1738    descriptor itself, and then use dentry_has_perm to
1739    check a particular permission to the file.
1740    Access to the descriptor is implicitly granted if it
1741    has the same SID as the process.  If av is zero, then
1742    access to the file is not checked, e.g. for cases
1743    where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1745                          struct file *file,
1746                          u32 av)
1747 {
1748         struct file_security_struct *fsec = selinux_file(file);
1749         struct inode *inode = file_inode(file);
1750         struct common_audit_data ad;
1751         u32 sid = cred_sid(cred);
1752         int rc;
1753 
1754         ad.type = LSM_AUDIT_DATA_FILE;
1755         ad.u.file = file;
1756 
1757         if (sid != fsec->sid) {
1758                 rc = avc_has_perm(&selinux_state,
1759                                   sid, fsec->sid,
1760                                   SECCLASS_FD,
1761                                   FD__USE,
1762                                   &ad);
1763                 if (rc)
1764                         goto out;
1765         }
1766 
1767 #ifdef CONFIG_BPF_SYSCALL
1768         rc = bpf_fd_pass(file, cred_sid(cred));
1769         if (rc)
1770                 return rc;
1771 #endif
1772 
1773         /* av is zero if only checking access to the descriptor. */
1774         rc = 0;
1775         if (av)
1776                 rc = inode_has_perm(cred, inode, av, &ad);
1777 
1778 out:
1779         return rc;
1780 }
1781 
1782 /*
1783  * Determine the label for an inode that might be unioned.
1784  */
1785 static int
1786 selinux_determine_inode_label(const struct task_security_struct *tsec,
1787                                  struct inode *dir,
1788                                  const struct qstr *name, u16 tclass,
1789                                  u32 *_new_isid)
1790 {
1791         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1792 
1793         if ((sbsec->flags & SE_SBINITIALIZED) &&
1794             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795                 *_new_isid = sbsec->mntpoint_sid;
1796         } else if ((sbsec->flags & SBLABEL_MNT) &&
1797                    tsec->create_sid) {
1798                 *_new_isid = tsec->create_sid;
1799         } else {
1800                 const struct inode_security_struct *dsec = inode_security(dir);
1801                 return security_transition_sid(&selinux_state, tsec->sid,
1802                                                dsec->sid, tclass,
1803                                                name, _new_isid);
1804         }
1805 
1806         return 0;
1807 }
1808 
1809 /* Check whether a task can create a file. */
1810 static int may_create(struct inode *dir,
1811                       struct dentry *dentry,
1812                       u16 tclass)
1813 {
1814         const struct task_security_struct *tsec = selinux_cred(current_cred());
1815         struct inode_security_struct *dsec;
1816         struct superblock_security_struct *sbsec;
1817         u32 sid, newsid;
1818         struct common_audit_data ad;
1819         int rc;
1820 
1821         dsec = inode_security(dir);
1822         sbsec = dir->i_sb->s_security;
1823 
1824         sid = tsec->sid;
1825 
1826         ad.type = LSM_AUDIT_DATA_DENTRY;
1827         ad.u.dentry = dentry;
1828 
1829         rc = avc_has_perm(&selinux_state,
1830                           sid, dsec->sid, SECCLASS_DIR,
1831                           DIR__ADD_NAME | DIR__SEARCH,
1832                           &ad);
1833         if (rc)
1834                 return rc;
1835 
1836         rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1837                                            &dentry->d_name, tclass, &newsid);
1838         if (rc)
1839                 return rc;
1840 
1841         rc = avc_has_perm(&selinux_state,
1842                           sid, newsid, tclass, FILE__CREATE, &ad);
1843         if (rc)
1844                 return rc;
1845 
1846         return avc_has_perm(&selinux_state,
1847                             newsid, sbsec->sid,
1848                             SECCLASS_FILESYSTEM,
1849                             FILESYSTEM__ASSOCIATE, &ad);
1850 }
1851 
1852 #define MAY_LINK        0
1853 #define MAY_UNLINK      1
1854 #define MAY_RMDIR       2
1855 
1856 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1857 static int may_link(struct inode *dir,
1858                     struct dentry *dentry,
1859                     int kind)
1860 
1861 {
1862         struct inode_security_struct *dsec, *isec;
1863         struct common_audit_data ad;
1864         u32 sid = current_sid();
1865         u32 av;
1866         int rc;
1867 
1868         dsec = inode_security(dir);
1869         isec = backing_inode_security(dentry);
1870 
1871         ad.type = LSM_AUDIT_DATA_DENTRY;
1872         ad.u.dentry = dentry;
1873 
1874         av = DIR__SEARCH;
1875         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1876         rc = avc_has_perm(&selinux_state,
1877                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
1878         if (rc)
1879                 return rc;
1880 
1881         switch (kind) {
1882         case MAY_LINK:
1883                 av = FILE__LINK;
1884                 break;
1885         case MAY_UNLINK:
1886                 av = FILE__UNLINK;
1887                 break;
1888         case MAY_RMDIR:
1889                 av = DIR__RMDIR;
1890                 break;
1891         default:
1892                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1893                         __func__, kind);
1894                 return 0;
1895         }
1896 
1897         rc = avc_has_perm(&selinux_state,
1898                           sid, isec->sid, isec->sclass, av, &ad);
1899         return rc;
1900 }
1901 
1902 static inline int may_rename(struct inode *old_dir,
1903                              struct dentry *old_dentry,
1904                              struct inode *new_dir,
1905                              struct dentry *new_dentry)
1906 {
1907         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1908         struct common_audit_data ad;
1909         u32 sid = current_sid();
1910         u32 av;
1911         int old_is_dir, new_is_dir;
1912         int rc;
1913 
1914         old_dsec = inode_security(old_dir);
1915         old_isec = backing_inode_security(old_dentry);
1916         old_is_dir = d_is_dir(old_dentry);
1917         new_dsec = inode_security(new_dir);
1918 
1919         ad.type = LSM_AUDIT_DATA_DENTRY;
1920 
1921         ad.u.dentry = old_dentry;
1922         rc = avc_has_perm(&selinux_state,
1923                           sid, old_dsec->sid, SECCLASS_DIR,
1924                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925         if (rc)
1926                 return rc;
1927         rc = avc_has_perm(&selinux_state,
1928                           sid, old_isec->sid,
1929                           old_isec->sclass, FILE__RENAME, &ad);
1930         if (rc)
1931                 return rc;
1932         if (old_is_dir && new_dir != old_dir) {
1933                 rc = avc_has_perm(&selinux_state,
1934                                   sid, old_isec->sid,
1935                                   old_isec->sclass, DIR__REPARENT, &ad);
1936                 if (rc)
1937                         return rc;
1938         }
1939 
1940         ad.u.dentry = new_dentry;
1941         av = DIR__ADD_NAME | DIR__SEARCH;
1942         if (d_is_positive(new_dentry))
1943                 av |= DIR__REMOVE_NAME;
1944         rc = avc_has_perm(&selinux_state,
1945                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1946         if (rc)
1947                 return rc;
1948         if (d_is_positive(new_dentry)) {
1949                 new_isec = backing_inode_security(new_dentry);
1950                 new_is_dir = d_is_dir(new_dentry);
1951                 rc = avc_has_perm(&selinux_state,
1952                                   sid, new_isec->sid,
1953                                   new_isec->sclass,
1954                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955                 if (rc)
1956                         return rc;
1957         }
1958 
1959         return 0;
1960 }
1961 
1962 /* Check whether a task can perform a filesystem operation. */
1963 static int superblock_has_perm(const struct cred *cred,
1964                                struct super_block *sb,
1965                                u32 perms,
1966                                struct common_audit_data *ad)
1967 {
1968         struct superblock_security_struct *sbsec;
1969         u32 sid = cred_sid(cred);
1970 
1971         sbsec = sb->s_security;
1972         return avc_has_perm(&selinux_state,
1973                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975 
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979         u32 av = 0;
1980 
1981         if (!S_ISDIR(mode)) {
1982                 if (mask & MAY_EXEC)
1983                         av |= FILE__EXECUTE;
1984                 if (mask & MAY_READ)
1985                         av |= FILE__READ;
1986 
1987                 if (mask & MAY_APPEND)
1988                         av |= FILE__APPEND;
1989                 else if (mask & MAY_WRITE)
1990                         av |= FILE__WRITE;
1991 
1992         } else {
1993                 if (mask & MAY_EXEC)
1994                         av |= DIR__SEARCH;
1995                 if (mask & MAY_WRITE)
1996                         av |= DIR__WRITE;
1997                 if (mask & MAY_READ)
1998                         av |= DIR__READ;
1999         }
2000 
2001         return av;
2002 }
2003 
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007         u32 av = 0;
2008 
2009         if (file->f_mode & FMODE_READ)
2010                 av |= FILE__READ;
2011         if (file->f_mode & FMODE_WRITE) {
2012                 if (file->f_flags & O_APPEND)
2013                         av |= FILE__APPEND;
2014                 else
2015                         av |= FILE__WRITE;
2016         }
2017         if (!av) {
2018                 /*
2019                  * Special file opened with flags 3 for ioctl-only use.
2020                  */
2021                 av = FILE__IOCTL;
2022         }
2023 
2024         return av;
2025 }
2026 
2027 /*
2028  * Convert a file to an access vector and include the correct open
2029  * open permission.
2030  */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033         u32 av = file_to_av(file);
2034         struct inode *inode = file_inode(file);
2035 
2036         if (selinux_policycap_openperm() &&
2037             inode->i_sb->s_magic != SOCKFS_MAGIC)
2038                 av |= FILE__OPEN;
2039 
2040         return av;
2041 }
2042 
2043 /* Hook functions begin here. */
2044 
2045 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046 {
2047         u32 mysid = current_sid();
2048         u32 mgrsid = task_sid(mgr);
2049 
2050         return avc_has_perm(&selinux_state,
2051                             mysid, mgrsid, SECCLASS_BINDER,
2052                             BINDER__SET_CONTEXT_MGR, NULL);
2053 }
2054 
2055 static int selinux_binder_transaction(struct task_struct *from,
2056                                       struct task_struct *to)
2057 {
2058         u32 mysid = current_sid();
2059         u32 fromsid = task_sid(from);
2060         u32 tosid = task_sid(to);
2061         int rc;
2062 
2063         if (mysid != fromsid) {
2064                 rc = avc_has_perm(&selinux_state,
2065                                   mysid, fromsid, SECCLASS_BINDER,
2066                                   BINDER__IMPERSONATE, NULL);
2067                 if (rc)
2068                         return rc;
2069         }
2070 
2071         return avc_has_perm(&selinux_state,
2072                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2073                             NULL);
2074 }
2075 
2076 static int selinux_binder_transfer_binder(struct task_struct *from,
2077                                           struct task_struct *to)
2078 {
2079         u32 fromsid = task_sid(from);
2080         u32 tosid = task_sid(to);
2081 
2082         return avc_has_perm(&selinux_state,
2083                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2084                             NULL);
2085 }
2086 
2087 static int selinux_binder_transfer_file(struct task_struct *from,
2088                                         struct task_struct *to,
2089                                         struct file *file)
2090 {
2091         u32 sid = task_sid(to);
2092         struct file_security_struct *fsec = selinux_file(file);
2093         struct dentry *dentry = file->f_path.dentry;
2094         struct inode_security_struct *isec;
2095         struct common_audit_data ad;
2096         int rc;
2097 
2098         ad.type = LSM_AUDIT_DATA_PATH;
2099         ad.u.path = file->f_path;
2100 
2101         if (sid != fsec->sid) {
2102                 rc = avc_has_perm(&selinux_state,
2103                                   sid, fsec->sid,
2104                                   SECCLASS_FD,
2105                                   FD__USE,
2106                                   &ad);
2107                 if (rc)
2108                         return rc;
2109         }
2110 
2111 #ifdef CONFIG_BPF_SYSCALL
2112         rc = bpf_fd_pass(file, sid);
2113         if (rc)
2114                 return rc;
2115 #endif
2116 
2117         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2118                 return 0;
2119 
2120         isec = backing_inode_security(dentry);
2121         return avc_has_perm(&selinux_state,
2122                             sid, isec->sid, isec->sclass, file_to_av(file),
2123                             &ad);
2124 }
2125 
2126 static int selinux_ptrace_access_check(struct task_struct *child,
2127                                      unsigned int mode)
2128 {
2129         u32 sid = current_sid();
2130         u32 csid = task_sid(child);
2131 
2132         if (mode & PTRACE_MODE_READ)
2133                 return avc_has_perm(&selinux_state,
2134                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2135 
2136         return avc_has_perm(&selinux_state,
2137                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2138 }
2139 
2140 static int selinux_ptrace_traceme(struct task_struct *parent)
2141 {
2142         return avc_has_perm(&selinux_state,
2143                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2144                             PROCESS__PTRACE, NULL);
2145 }
2146 
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150         return avc_has_perm(&selinux_state,
2151                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2152                             PROCESS__GETCAP, NULL);
2153 }
2154 
2155 static int selinux_capset(struct cred *new, const struct cred *old,
2156                           const kernel_cap_t *effective,
2157                           const kernel_cap_t *inheritable,
2158                           const kernel_cap_t *permitted)
2159 {
2160         return avc_has_perm(&selinux_state,
2161                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2162                             PROCESS__SETCAP, NULL);
2163 }
2164 
2165 /*
2166  * (This comment used to live with the selinux_task_setuid hook,
2167  * which was removed).
2168  *
2169  * Since setuid only affects the current process, and since the SELinux
2170  * controls are not based on the Linux identity attributes, SELinux does not
2171  * need to control this operation.  However, SELinux does control the use of
2172  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173  */
2174 
2175 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2176                            int cap, unsigned int opts)
2177 {
2178         return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2179 }
2180 
2181 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182 {
2183         const struct cred *cred = current_cred();
2184         int rc = 0;
2185 
2186         if (!sb)
2187                 return 0;
2188 
2189         switch (cmds) {
2190         case Q_SYNC:
2191         case Q_QUOTAON:
2192         case Q_QUOTAOFF:
2193         case Q_SETINFO:
2194         case Q_SETQUOTA:
2195                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2196                 break;
2197         case Q_GETFMT:
2198         case Q_GETINFO:
2199         case Q_GETQUOTA:
2200                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2201                 break;
2202         default:
2203                 rc = 0;  /* let the kernel handle invalid cmds */
2204                 break;
2205         }
2206         return rc;
2207 }
2208 
2209 static int selinux_quota_on(struct dentry *dentry)
2210 {
2211         const struct cred *cred = current_cred();
2212 
2213         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2214 }
2215 
2216 static int selinux_syslog(int type)
2217 {
2218         switch (type) {
2219         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2220         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2221                 return avc_has_perm(&selinux_state,
2222                                     current_sid(), SECINITSID_KERNEL,
2223                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2224         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2225         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2226         /* Set level of messages printed to console */
2227         case SYSLOG_ACTION_CONSOLE_LEVEL:
2228                 return avc_has_perm(&selinux_state,
2229                                     current_sid(), SECINITSID_KERNEL,
2230                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231                                     NULL);
2232         }
2233         /* All other syslog types */
2234         return avc_has_perm(&selinux_state,
2235                             current_sid(), SECINITSID_KERNEL,
2236                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2237 }
2238 
2239 /*
2240  * Check that a process has enough memory to allocate a new virtual
2241  * mapping. 0 means there is enough memory for the allocation to
2242  * succeed and -ENOMEM implies there is not.
2243  *
2244  * Do not audit the selinux permission check, as this is applied to all
2245  * processes that allocate mappings.
2246  */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249         int rc, cap_sys_admin = 0;
2250 
2251         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252                                  CAP_OPT_NOAUDIT, true);
2253         if (rc == 0)
2254                 cap_sys_admin = 1;
2255 
2256         return cap_sys_admin;
2257 }
2258 
2259 /* binprm security operations */
2260 
2261 static u32 ptrace_parent_sid(void)
2262 {
2263         u32 sid = 0;
2264         struct task_struct *tracer;
2265 
2266         rcu_read_lock();
2267         tracer = ptrace_parent(current);
2268         if (tracer)
2269                 sid = task_sid(tracer);
2270         rcu_read_unlock();
2271 
2272         return sid;
2273 }
2274 
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276                             const struct task_security_struct *old_tsec,
2277                             const struct task_security_struct *new_tsec)
2278 {
2279         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281         int rc;
2282         u32 av;
2283 
2284         if (!nnp && !nosuid)
2285                 return 0; /* neither NNP nor nosuid */
2286 
2287         if (new_tsec->sid == old_tsec->sid)
2288                 return 0; /* No change in credentials */
2289 
2290         /*
2291          * If the policy enables the nnp_nosuid_transition policy capability,
2292          * then we permit transitions under NNP or nosuid if the
2293          * policy allows the corresponding permission between
2294          * the old and new contexts.
2295          */
2296         if (selinux_policycap_nnp_nosuid_transition()) {
2297                 av = 0;
2298                 if (nnp)
2299                         av |= PROCESS2__NNP_TRANSITION;
2300                 if (nosuid)
2301                         av |= PROCESS2__NOSUID_TRANSITION;
2302                 rc = avc_has_perm(&selinux_state,
2303                                   old_tsec->sid, new_tsec->sid,
2304                                   SECCLASS_PROCESS2, av, NULL);
2305                 if (!rc)
2306                         return 0;
2307         }
2308 
2309         /*
2310          * We also permit NNP or nosuid transitions to bounded SIDs,
2311          * i.e. SIDs that are guaranteed to only be allowed a subset
2312          * of the permissions of the current SID.
2313          */
2314         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315                                          new_tsec->sid);
2316         if (!rc)
2317                 return 0;
2318 
2319         /*
2320          * On failure, preserve the errno values for NNP vs nosuid.
2321          * NNP:  Operation not permitted for caller.
2322          * nosuid:  Permission denied to file.
2323          */
2324         if (nnp)
2325                 return -EPERM;
2326         return -EACCES;
2327 }
2328 
2329 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2330 {
2331         const struct task_security_struct *old_tsec;
2332         struct task_security_struct *new_tsec;
2333         struct inode_security_struct *isec;
2334         struct common_audit_data ad;
2335         struct inode *inode = file_inode(bprm->file);
2336         int rc;
2337 
2338         /* SELinux context only depends on initial program or script and not
2339          * the script interpreter */
2340         if (bprm->called_set_creds)
2341                 return 0;
2342 
2343         old_tsec = selinux_cred(current_cred());
2344         new_tsec = selinux_cred(bprm->cred);
2345         isec = inode_security(inode);
2346 
2347         /* Default to the current task SID. */
2348         new_tsec->sid = old_tsec->sid;
2349         new_tsec->osid = old_tsec->sid;
2350 
2351         /* Reset fs, key, and sock SIDs on execve. */
2352         new_tsec->create_sid = 0;
2353         new_tsec->keycreate_sid = 0;
2354         new_tsec->sockcreate_sid = 0;
2355 
2356         if (old_tsec->exec_sid) {
2357                 new_tsec->sid = old_tsec->exec_sid;
2358                 /* Reset exec SID on execve. */
2359                 new_tsec->exec_sid = 0;
2360 
2361                 /* Fail on NNP or nosuid if not an allowed transition. */
2362                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363                 if (rc)
2364                         return rc;
2365         } else {
2366                 /* Check for a default transition on this program. */
2367                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368                                              isec->sid, SECCLASS_PROCESS, NULL,
2369                                              &new_tsec->sid);
2370                 if (rc)
2371                         return rc;
2372 
2373                 /*
2374                  * Fallback to old SID on NNP or nosuid if not an allowed
2375                  * transition.
2376                  */
2377                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378                 if (rc)
2379                         new_tsec->sid = old_tsec->sid;
2380         }
2381 
2382         ad.type = LSM_AUDIT_DATA_FILE;
2383         ad.u.file = bprm->file;
2384 
2385         if (new_tsec->sid == old_tsec->sid) {
2386                 rc = avc_has_perm(&selinux_state,
2387                                   old_tsec->sid, isec->sid,
2388                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389                 if (rc)
2390                         return rc;
2391         } else {
2392                 /* Check permissions for the transition. */
2393                 rc = avc_has_perm(&selinux_state,
2394                                   old_tsec->sid, new_tsec->sid,
2395                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396                 if (rc)
2397                         return rc;
2398 
2399                 rc = avc_has_perm(&selinux_state,
2400                                   new_tsec->sid, isec->sid,
2401                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402                 if (rc)
2403                         return rc;
2404 
2405                 /* Check for shared state */
2406                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2407                         rc = avc_has_perm(&selinux_state,
2408                                           old_tsec->sid, new_tsec->sid,
2409                                           SECCLASS_PROCESS, PROCESS__SHARE,
2410                                           NULL);
2411                         if (rc)
2412                                 return -EPERM;
2413                 }
2414 
2415                 /* Make sure that anyone attempting to ptrace over a task that
2416                  * changes its SID has the appropriate permit */
2417                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2418                         u32 ptsid = ptrace_parent_sid();
2419                         if (ptsid != 0) {
2420                                 rc = avc_has_perm(&selinux_state,
2421                                                   ptsid, new_tsec->sid,
2422                                                   SECCLASS_PROCESS,
2423                                                   PROCESS__PTRACE, NULL);
2424                                 if (rc)
2425                                         return -EPERM;
2426                         }
2427                 }
2428 
2429                 /* Clear any possibly unsafe personality bits on exec: */
2430                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2431 
2432                 /* Enable secure mode for SIDs transitions unless
2433                    the noatsecure permission is granted between
2434                    the two SIDs, i.e. ahp returns 0. */
2435                 rc = avc_has_perm(&selinux_state,
2436                                   old_tsec->sid, new_tsec->sid,
2437                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438                                   NULL);
2439                 bprm->secureexec |= !!rc;
2440         }
2441 
2442         return 0;
2443 }
2444 
2445 static int match_file(const void *p, struct file *file, unsigned fd)
2446 {
2447         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448 }
2449 
2450 /* Derived from fs/exec.c:flush_old_files. */
2451 static inline void flush_unauthorized_files(const struct cred *cred,
2452                                             struct files_struct *files)
2453 {
2454         struct file *file, *devnull = NULL;
2455         struct tty_struct *tty;
2456         int drop_tty = 0;
2457         unsigned n;
2458 
2459         tty = get_current_tty();
2460         if (tty) {
2461                 spin_lock(&tty->files_lock);
2462                 if (!list_empty(&tty->tty_files)) {
2463                         struct tty_file_private *file_priv;
2464 
2465                         /* Revalidate access to controlling tty.
2466                            Use file_path_has_perm on the tty path directly
2467                            rather than using file_has_perm, as this particular
2468                            open file may belong to another process and we are
2469                            only interested in the inode-based check here. */
2470                         file_priv = list_first_entry(&tty->tty_files,
2471                                                 struct tty_file_private, list);
2472                         file = file_priv->file;
2473                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2474                                 drop_tty = 1;
2475                 }
2476                 spin_unlock(&tty->files_lock);
2477                 tty_kref_put(tty);
2478         }
2479         /* Reset controlling tty. */
2480         if (drop_tty)
2481                 no_tty();
2482 
2483         /* Revalidate access to inherited open files. */
2484         n = iterate_fd(files, 0, match_file, cred);
2485         if (!n) /* none found? */
2486                 return;
2487 
2488         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2489         if (IS_ERR(devnull))
2490                 devnull = NULL;
2491         /* replace all the matching ones with this */
2492         do {
2493                 replace_fd(n - 1, devnull, 0);
2494         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495         if (devnull)
2496                 fput(devnull);
2497 }
2498 
2499 /*
2500  * Prepare a process for imminent new credential changes due to exec
2501  */
2502 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2503 {
2504         struct task_security_struct *new_tsec;
2505         struct rlimit *rlim, *initrlim;
2506         int rc, i;
2507 
2508         new_tsec = selinux_cred(bprm->cred);
2509         if (new_tsec->sid == new_tsec->osid)
2510                 return;
2511 
2512         /* Close files for which the new task SID is not authorized. */
2513         flush_unauthorized_files(bprm->cred, current->files);
2514 
2515         /* Always clear parent death signal on SID transitions. */
2516         current->pdeath_signal = 0;
2517 
2518         /* Check whether the new SID can inherit resource limits from the old
2519          * SID.  If not, reset all soft limits to the lower of the current
2520          * task's hard limit and the init task's soft limit.
2521          *
2522          * Note that the setting of hard limits (even to lower them) can be
2523          * controlled by the setrlimit check.  The inclusion of the init task's
2524          * soft limit into the computation is to avoid resetting soft limits
2525          * higher than the default soft limit for cases where the default is
2526          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527          */
2528         rc = avc_has_perm(&selinux_state,
2529                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2530                           PROCESS__RLIMITINH, NULL);
2531         if (rc) {
2532                 /* protect against do_prlimit() */
2533                 task_lock(current);
2534                 for (i = 0; i < RLIM_NLIMITS; i++) {
2535                         rlim = current->signal->rlim + i;
2536                         initrlim = init_task.signal->rlim + i;
2537                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2538                 }
2539                 task_unlock(current);
2540                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2542         }
2543 }
2544 
2545 /*
2546  * Clean up the process immediately after the installation of new credentials
2547  * due to exec
2548  */
2549 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2550 {
2551         const struct task_security_struct *tsec = selinux_cred(current_cred());
2552         struct itimerval itimer;
2553         u32 osid, sid;
2554         int rc, i;
2555 
2556         osid = tsec->osid;
2557         sid = tsec->sid;
2558 
2559         if (sid == osid)
2560                 return;
2561 
2562         /* Check whether the new SID can inherit signal state from the old SID.
2563          * If not, clear itimers to avoid subsequent signal generation and
2564          * flush and unblock signals.
2565          *
2566          * This must occur _after_ the task SID has been updated so that any
2567          * kill done after the flush will be checked against the new SID.
2568          */
2569         rc = avc_has_perm(&selinux_state,
2570                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2571         if (rc) {
2572                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2573                         memset(&itimer, 0, sizeof itimer);
2574                         for (i = 0; i < 3; i++)
2575                                 do_setitimer(i, &itimer, NULL);
2576                 }
2577                 spin_lock_irq(&current->sighand->siglock);
2578                 if (!fatal_signal_pending(current)) {
2579                         flush_sigqueue(&current->pending);
2580                         flush_sigqueue(&current->signal->shared_pending);
2581                         flush_signal_handlers(current, 1);
2582                         sigemptyset(&current->blocked);
2583                         recalc_sigpending();
2584                 }
2585                 spin_unlock_irq(&current->sighand->siglock);
2586         }
2587 
2588         /* Wake up the parent if it is waiting so that it can recheck
2589          * wait permission to the new task SID. */
2590         read_lock(&tasklist_lock);
2591         __wake_up_parent(current, current->real_parent);
2592         read_unlock(&tasklist_lock);
2593 }
2594 
2595 /* superblock security operations */
2596 
2597 static int selinux_sb_alloc_security(struct super_block *sb)
2598 {
2599         return superblock_alloc_security(sb);
2600 }
2601 
2602 static void selinux_sb_free_security(struct super_block *sb)
2603 {
2604         superblock_free_security(sb);
2605 }
2606 
2607 static inline int opt_len(const char *s)
2608 {
2609         bool open_quote = false;
2610         int len;
2611         char c;
2612 
2613         for (len = 0; (c = s[len]) != '\0'; len++) {
2614                 if (c == '"')
2615                         open_quote = !open_quote;
2616                 if (c == ',' && !open_quote)
2617                         break;
2618         }
2619         return len;
2620 }
2621 
2622 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2623 {
2624         char *from = options;
2625         char *to = options;
2626         bool first = true;
2627         int rc;
2628 
2629         while (1) {
2630                 int len = opt_len(from);
2631                 int token;
2632                 char *arg = NULL;
2633 
2634                 token = match_opt_prefix(from, len, &arg);
2635 
2636                 if (token != Opt_error) {
2637                         char *p, *q;
2638 
2639                         /* strip quotes */
2640                         if (arg) {
2641                                 for (p = q = arg; p < from + len; p++) {
2642                                         char c = *p;
2643                                         if (c != '"')
2644                                                 *q++ = c;
2645                                 }
2646                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2647                                 if (!arg) {
2648                                         rc = -ENOMEM;
2649                                         goto free_opt;
2650                                 }
2651                         }
2652                         rc = selinux_add_opt(token, arg, mnt_opts);
2653                         if (unlikely(rc)) {
2654                                 kfree(arg);
2655                                 goto free_opt;
2656                         }
2657                 } else {
2658                         if (!first) {   // copy with preceding comma
2659                                 from--;
2660                                 len++;
2661                         }
2662                         if (to != from)
2663                                 memmove(to, from, len);
2664                         to += len;
2665                         first = false;
2666                 }
2667                 if (!from[len])
2668                         break;
2669                 from += len + 1;
2670         }
2671         *to = '\0';
2672         return 0;
2673 
2674 free_opt:
2675         if (*mnt_opts) {
2676                 selinux_free_mnt_opts(*mnt_opts);
2677                 *mnt_opts = NULL;
2678         }
2679         return rc;
2680 }
2681 
2682 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2683 {
2684         struct selinux_mnt_opts *opts = mnt_opts;
2685         struct superblock_security_struct *sbsec = sb->s_security;
2686         u32 sid;
2687         int rc;
2688 
2689         if (!(sbsec->flags & SE_SBINITIALIZED))
2690                 return 0;
2691 
2692         if (!opts)
2693                 return 0;
2694 
2695         if (opts->fscontext) {
2696                 rc = parse_sid(sb, opts->fscontext, &sid);
2697                 if (rc)
2698                         return rc;
2699                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2700                         goto out_bad_option;
2701         }
2702         if (opts->context) {
2703                 rc = parse_sid(sb, opts->context, &sid);
2704                 if (rc)
2705                         return rc;
2706                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2707                         goto out_bad_option;
2708         }
2709         if (opts->rootcontext) {
2710                 struct inode_security_struct *root_isec;
2711                 root_isec = backing_inode_security(sb->s_root);
2712                 rc = parse_sid(sb, opts->rootcontext, &sid);
2713                 if (rc)
2714                         return rc;
2715                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2716                         goto out_bad_option;
2717         }
2718         if (opts->defcontext) {
2719                 rc = parse_sid(sb, opts->defcontext, &sid);
2720                 if (rc)
2721                         return rc;
2722                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2723                         goto out_bad_option;
2724         }
2725         return 0;
2726 
2727 out_bad_option:
2728         pr_warn("SELinux: unable to change security options "
2729                "during remount (dev %s, type=%s)\n", sb->s_id,
2730                sb->s_type->name);
2731         return -EINVAL;
2732 }
2733 
2734 static int selinux_sb_kern_mount(struct super_block *sb)
2735 {
2736         const struct cred *cred = current_cred();
2737         struct common_audit_data ad;
2738 
2739         ad.type = LSM_AUDIT_DATA_DENTRY;
2740         ad.u.dentry = sb->s_root;
2741         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2742 }
2743 
2744 static int selinux_sb_statfs(struct dentry *dentry)
2745 {
2746         const struct cred *cred = current_cred();
2747         struct common_audit_data ad;
2748 
2749         ad.type = LSM_AUDIT_DATA_DENTRY;
2750         ad.u.dentry = dentry->d_sb->s_root;
2751         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2752 }
2753 
2754 static int selinux_mount(const char *dev_name,
2755                          const struct path *path,
2756                          const char *type,
2757                          unsigned long flags,
2758                          void *data)
2759 {
2760         const struct cred *cred = current_cred();
2761 
2762         if (flags & MS_REMOUNT)
2763                 return superblock_has_perm(cred, path->dentry->d_sb,
2764                                            FILESYSTEM__REMOUNT, NULL);
2765         else
2766                 return path_has_perm(cred, path, FILE__MOUNTON);
2767 }
2768 
2769 static int selinux_move_mount(const struct path *from_path,
2770                               const struct path *to_path)
2771 {
2772         const struct cred *cred = current_cred();
2773 
2774         return path_has_perm(cred, to_path, FILE__MOUNTON);
2775 }
2776 
2777 static int selinux_umount(struct vfsmount *mnt, int flags)
2778 {
2779         const struct cred *cred = current_cred();
2780 
2781         return superblock_has_perm(cred, mnt->mnt_sb,
2782                                    FILESYSTEM__UNMOUNT, NULL);
2783 }
2784 
2785 static int selinux_fs_context_dup(struct fs_context *fc,
2786                                   struct fs_context *src_fc)
2787 {
2788         const struct selinux_mnt_opts *src = src_fc->security;
2789         struct selinux_mnt_opts *opts;
2790 
2791         if (!src)
2792                 return 0;
2793 
2794         fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2795         if (!fc->security)
2796                 return -ENOMEM;
2797 
2798         opts = fc->security;
2799 
2800         if (src->fscontext) {
2801                 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2802                 if (!opts->fscontext)
2803                         return -ENOMEM;
2804         }
2805         if (src->context) {
2806                 opts->context = kstrdup(src->context, GFP_KERNEL);
2807                 if (!opts->context)
2808                         return -ENOMEM;
2809         }
2810         if (src->rootcontext) {
2811                 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2812                 if (!opts->rootcontext)
2813                         return -ENOMEM;
2814         }
2815         if (src->defcontext) {
2816                 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2817                 if (!opts->defcontext)
2818                         return -ENOMEM;
2819         }
2820         return 0;
2821 }
2822 
2823 static const struct fs_parameter_spec selinux_param_specs[] = {
2824         fsparam_string(CONTEXT_STR,     Opt_context),
2825         fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
2826         fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
2827         fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2828         fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
2829         {}
2830 };
2831 
2832 static const struct fs_parameter_description selinux_fs_parameters = {
2833         .name           = "SELinux",
2834         .specs          = selinux_param_specs,
2835 };
2836 
2837 static int selinux_fs_context_parse_param(struct fs_context *fc,
2838                                           struct fs_parameter *param)
2839 {
2840         struct fs_parse_result result;
2841         int opt, rc;
2842 
2843         opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2844         if (opt < 0)
2845                 return opt;
2846 
2847         rc = selinux_add_opt(opt, param->string, &fc->security);
2848         if (!rc) {
2849                 param->string = NULL;
2850                 rc = 1;
2851         }
2852         return rc;
2853 }
2854 
2855 /* inode security operations */
2856 
2857 static int selinux_inode_alloc_security(struct inode *inode)
2858 {
2859         return inode_alloc_security(inode);
2860 }
2861 
2862 static void selinux_inode_free_security(struct inode *inode)
2863 {
2864         inode_free_security(inode);
2865 }
2866 
2867 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2868                                         const struct qstr *name, void **ctx,
2869                                         u32 *ctxlen)
2870 {
2871         u32 newsid;
2872         int rc;
2873 
2874         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2875                                            d_inode(dentry->d_parent), name,
2876                                            inode_mode_to_security_class(mode),
2877                                            &newsid);
2878         if (rc)
2879                 return rc;
2880 
2881         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2882                                        ctxlen);
2883 }
2884 
2885 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2886                                           struct qstr *name,
2887                                           const struct cred *old,
2888                                           struct cred *new)
2889 {
2890         u32 newsid;
2891         int rc;
2892         struct task_security_struct *tsec;
2893 
2894         rc = selinux_determine_inode_label(selinux_cred(old),
2895                                            d_inode(dentry->d_parent), name,
2896                                            inode_mode_to_security_class(mode),
2897                                            &newsid);
2898         if (rc)
2899                 return rc;
2900 
2901         tsec = selinux_cred(new);
2902         tsec->create_sid = newsid;
2903         return 0;
2904 }
2905 
2906 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2907                                        const struct qstr *qstr,
2908                                        const char **name,
2909                                        void **value, size_t *len)
2910 {
2911         const struct task_security_struct *tsec = selinux_cred(current_cred());
2912         struct superblock_security_struct *sbsec;
2913         u32 newsid, clen;
2914         int rc;
2915         char *context;
2916 
2917         sbsec = dir->i_sb->s_security;
2918 
2919         newsid = tsec->create_sid;
2920 
2921         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2922                 dir, qstr,
2923                 inode_mode_to_security_class(inode->i_mode),
2924                 &newsid);
2925         if (rc)
2926                 return rc;
2927 
2928         /* Possibly defer initialization to selinux_complete_init. */
2929         if (sbsec->flags & SE_SBINITIALIZED) {
2930                 struct inode_security_struct *isec = selinux_inode(inode);
2931                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2932                 isec->sid = newsid;
2933                 isec->initialized = LABEL_INITIALIZED;
2934         }
2935 
2936         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2937                 return -EOPNOTSUPP;
2938 
2939         if (name)
2940                 *name = XATTR_SELINUX_SUFFIX;
2941 
2942         if (value && len) {
2943                 rc = security_sid_to_context_force(&selinux_state, newsid,
2944                                                    &context, &clen);
2945                 if (rc)
2946                         return rc;
2947                 *value = context;
2948                 *len = clen;
2949         }
2950 
2951         return 0;
2952 }
2953 
2954 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2955 {
2956         return may_create(dir, dentry, SECCLASS_FILE);
2957 }
2958 
2959 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2960 {
2961         return may_link(dir, old_dentry, MAY_LINK);
2962 }
2963 
2964 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2965 {
2966         return may_link(dir, dentry, MAY_UNLINK);
2967 }
2968 
2969 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2970 {
2971         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2972 }
2973 
2974 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2975 {
2976         return may_create(dir, dentry, SECCLASS_DIR);
2977 }
2978 
2979 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2980 {
2981         return may_link(dir, dentry, MAY_RMDIR);
2982 }
2983 
2984 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2985 {
2986         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2987 }
2988 
2989 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2990                                 struct inode *new_inode, struct dentry *new_dentry)
2991 {
2992         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2993 }
2994 
2995 static int selinux_inode_readlink(struct dentry *dentry)
2996 {
2997         const struct cred *cred = current_cred();
2998 
2999         return dentry_has_perm(cred, dentry, FILE__READ);
3000 }
3001 
3002 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3003                                      bool rcu)
3004 {
3005         const struct cred *cred = current_cred();
3006         struct common_audit_data ad;
3007         struct inode_security_struct *isec;
3008         u32 sid;
3009 
3010         validate_creds(cred);
3011 
3012         ad.type = LSM_AUDIT_DATA_DENTRY;
3013         ad.u.dentry = dentry;
3014         sid = cred_sid(cred);
3015         isec = inode_security_rcu(inode, rcu);
3016         if (IS_ERR(isec))
3017                 return PTR_ERR(isec);
3018 
3019         return avc_has_perm_flags(&selinux_state,
3020                                   sid, isec->sid, isec->sclass, FILE__READ, &ad,
3021                                   rcu ? MAY_NOT_BLOCK : 0);
3022 }
3023 
3024 static noinline int audit_inode_permission(struct inode *inode,
3025                                            u32 perms, u32 audited, u32 denied,
3026                                            int result)
3027 {
3028         struct common_audit_data ad;
3029         struct inode_security_struct *isec = selinux_inode(inode);
3030         int rc;
3031 
3032         ad.type = LSM_AUDIT_DATA_INODE;
3033         ad.u.inode = inode;
3034 
3035         rc = slow_avc_audit(&selinux_state,
3036                             current_sid(), isec->sid, isec->sclass, perms,
3037                             audited, denied, result, &ad);
3038         if (rc)
3039                 return rc;
3040         return 0;
3041 }
3042 
3043 static int selinux_inode_permission(struct inode *inode, int mask)
3044 {
3045         const struct cred *cred = current_cred();
3046         u32 perms;
3047         bool from_access;
3048         unsigned flags = mask & MAY_NOT_BLOCK;
3049         struct inode_security_struct *isec;
3050         u32 sid;
3051         struct av_decision avd;
3052         int rc, rc2;
3053         u32 audited, denied;
3054 
3055         from_access = mask & MAY_ACCESS;
3056         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3057 
3058         /* No permission to check.  Existence test. */
3059         if (!mask)
3060                 return 0;
3061 
3062         validate_creds(cred);
3063 
3064         if (unlikely(IS_PRIVATE(inode)))
3065                 return 0;
3066 
3067         perms = file_mask_to_av(inode->i_mode, mask);
3068 
3069         sid = cred_sid(cred);
3070         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3071         if (IS_ERR(isec))
3072                 return PTR_ERR(isec);
3073 
3074         rc = avc_has_perm_noaudit(&selinux_state,
3075                                   sid, isec->sid, isec->sclass, perms,
3076                                   (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3077                                   &avd);
3078         audited = avc_audit_required(perms, &avd, rc,
3079                                      from_access ? FILE__AUDIT_ACCESS : 0,
3080                                      &denied);
3081         if (likely(!audited))
3082                 return rc;
3083 
3084         /* fall back to ref-walk if we have to generate audit */
3085         if (flags & MAY_NOT_BLOCK)
3086                 return -ECHILD;
3087 
3088         rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3089         if (rc2)
3090                 return rc2;
3091         return rc;
3092 }
3093 
3094 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3095 {
3096         const struct cred *cred = current_cred();
3097         struct inode *inode = d_backing_inode(dentry);
3098         unsigned int ia_valid = iattr->ia_valid;
3099         __u32 av = FILE__WRITE;
3100 
3101         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3102         if (ia_valid & ATTR_FORCE) {
3103                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3104                               ATTR_FORCE);
3105                 if (!ia_valid)
3106                         return 0;
3107         }
3108 
3109         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3110                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3111                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3112 
3113         if (selinux_policycap_openperm() &&
3114             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3115             (ia_valid & ATTR_SIZE) &&
3116             !(ia_valid & ATTR_FILE))
3117                 av |= FILE__OPEN;
3118 
3119         return dentry_has_perm(cred, dentry, av);
3120 }
3121 
3122 static int selinux_inode_getattr(const struct path *path)
3123 {
3124         return path_has_perm(current_cred(), path, FILE__GETATTR);
3125 }
3126 
3127 static bool has_cap_mac_admin(bool audit)
3128 {
3129         const struct cred *cred = current_cred();
3130         unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3131 
3132         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3133                 return false;
3134         if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3135                 return false;
3136         return true;
3137 }
3138 
3139 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3140                                   const void *value, size_t size, int flags)
3141 {
3142         struct inode *inode = d_backing_inode(dentry);
3143         struct inode_security_struct *isec;
3144         struct superblock_security_struct *sbsec;
3145         struct common_audit_data ad;
3146         u32 newsid, sid = current_sid();
3147         int rc = 0;
3148 
3149         if (strcmp(name, XATTR_NAME_SELINUX)) {
3150                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3151                 if (rc)
3152                         return rc;
3153 
3154                 /* Not an attribute we recognize, so just check the
3155                    ordinary setattr permission. */
3156                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3157         }
3158 
3159         sbsec = inode->i_sb->s_security;
3160         if (!(sbsec->flags & SBLABEL_MNT))
3161                 return -EOPNOTSUPP;
3162 
3163         if (!inode_owner_or_capable(inode))
3164                 return -EPERM;
3165 
3166         ad.type = LSM_AUDIT_DATA_DENTRY;
3167         ad.u.dentry = dentry;
3168 
3169         isec = backing_inode_security(dentry);
3170         rc = avc_has_perm(&selinux_state,
3171                           sid, isec->sid, isec->sclass,
3172                           FILE__RELABELFROM, &ad);
3173         if (rc)
3174                 return rc;
3175 
3176         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3177                                      GFP_KERNEL);
3178         if (rc == -EINVAL) {
3179                 if (!has_cap_mac_admin(true)) {
3180                         struct audit_buffer *ab;
3181                         size_t audit_size;
3182 
3183                         /* We strip a nul only if it is at the end, otherwise the
3184                          * context contains a nul and we should audit that */
3185                         if (value) {
3186                                 const char *str = value;
3187 
3188                                 if (str[size - 1] == '\0')
3189                                         audit_size = size - 1;
3190                                 else
3191                                         audit_size = size;
3192                         } else {
3193                                 audit_size = 0;
3194                         }
3195                         ab = audit_log_start(audit_context(),
3196                                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
3197                         audit_log_format(ab, "op=setxattr invalid_context=");
3198                         audit_log_n_untrustedstring(ab, value, audit_size);
3199                         audit_log_end(ab);
3200 
3201                         return rc;
3202                 }
3203                 rc = security_context_to_sid_force(&selinux_state, value,
3204                                                    size, &newsid);
3205         }
3206         if (rc)
3207                 return rc;
3208 
3209         rc = avc_has_perm(&selinux_state,
3210                           sid, newsid, isec->sclass,
3211                           FILE__RELABELTO, &ad);
3212         if (rc)
3213                 return rc;
3214 
3215         rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3216                                           sid, isec->sclass);
3217         if (rc)
3218                 return rc;
3219 
3220         return avc_has_perm(&selinux_state,
3221                             newsid,
3222                             sbsec->sid,
3223                             SECCLASS_FILESYSTEM,
3224                             FILESYSTEM__ASSOCIATE,
3225                             &ad);
3226 }
3227 
3228 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3229                                         const void *value, size_t size,
3230                                         int flags)
3231 {
3232         struct inode *inode = d_backing_inode(dentry);
3233         struct inode_security_struct *isec;
3234         u32 newsid;
3235         int rc;
3236 
3237         if (strcmp(name, XATTR_NAME_SELINUX)) {
3238                 /* Not an attribute we recognize, so nothing to do. */
3239                 return;
3240         }
3241 
3242         rc = security_context_to_sid_force(&selinux_state, value, size,
3243                                            &newsid);
3244         if (rc) {
3245                 pr_err("SELinux:  unable to map context to SID"
3246                        "for (%s, %lu), rc=%d\n",
3247                        inode->i_sb->s_id, inode->i_ino, -rc);
3248                 return;
3249         }
3250 
3251         isec = backing_inode_security(dentry);
3252         spin_lock(&isec->lock);
3253         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3254         isec->sid = newsid;
3255         isec->initialized = LABEL_INITIALIZED;
3256         spin_unlock(&isec->lock);
3257 
3258         return;
3259 }
3260 
3261 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3262 {
3263         const struct cred *cred = current_cred();
3264 
3265         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3266 }
3267 
3268 static int selinux_inode_listxattr(struct dentry *dentry)
3269 {
3270         const struct cred *cred = current_cred();
3271 
3272         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3273 }
3274 
3275 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3276 {
3277         if (strcmp(name, XATTR_NAME_SELINUX)) {
3278                 int rc = cap_inode_removexattr(dentry, name);
3279                 if (rc)
3280                         return rc;
3281 
3282                 /* Not an attribute we recognize, so just check the
3283                    ordinary setattr permission. */
3284                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3285         }
3286 
3287         /* No one is allowed to remove a SELinux security label.
3288            You can change the label, but all data must be labeled. */
3289         return -EACCES;
3290 }
3291 
3292 static int selinux_path_notify(const struct path *path, u64 mask,
3293                                                 unsigned int obj_type)
3294 {
3295         int ret;
3296         u32 perm;
3297 
3298         struct common_audit_data ad;
3299 
3300         ad.type = LSM_AUDIT_DATA_PATH;
3301         ad.u.path = *path;
3302 
3303         /*
3304          * Set permission needed based on the type of mark being set.
3305          * Performs an additional check for sb watches.
3306          */
3307         switch (obj_type) {
3308         case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3309                 perm = FILE__WATCH_MOUNT;
3310                 break;
3311         case FSNOTIFY_OBJ_TYPE_SB:
3312                 perm = FILE__WATCH_SB;
3313                 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3314                                                 FILESYSTEM__WATCH, &ad);
3315                 if (ret)
3316                         return ret;
3317                 break;
3318         case FSNOTIFY_OBJ_TYPE_INODE:
3319                 perm = FILE__WATCH;
3320                 break;
3321         default:
3322                 return -EINVAL;
3323         }
3324 
3325         /* blocking watches require the file:watch_with_perm permission */
3326         if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3327                 perm |= FILE__WATCH_WITH_PERM;
3328 
3329         /* watches on read-like events need the file:watch_reads permission */
3330         if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3331                 perm |= FILE__WATCH_READS;
3332 
3333         return path_has_perm(current_cred(), path, perm);
3334 }
3335 
3336 /*
3337  * Copy the inode security context value to the user.
3338  *
3339  * Permission check is handled by selinux_inode_getxattr hook.
3340  */
3341 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3342 {
3343         u32 size;
3344         int error;
3345         char *context = NULL;
3346         struct inode_security_struct *isec;
3347 
3348         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3349                 return -EOPNOTSUPP;
3350 
3351         /*
3352          * If the caller has CAP_MAC_ADMIN, then get the raw context
3353          * value even if it is not defined by current policy; otherwise,
3354          * use the in-core value under current policy.
3355          * Use the non-auditing forms of the permission checks since
3356          * getxattr may be called by unprivileged processes commonly
3357          * and lack of permission just means that we fall back to the
3358          * in-core context value, not a denial.
3359          */
3360         isec = inode_security(inode);
3361         if (has_cap_mac_admin(false))
3362                 error = security_sid_to_context_force(&selinux_state,
3363                                                       isec->sid, &context,
3364                                                       &size);
3365         else
3366                 error = security_sid_to_context(&selinux_state, isec->sid,
3367                                                 &context, &size);
3368         if (error)
3369                 return error;
3370         error = size;
3371         if (alloc) {
3372                 *buffer = context;
3373                 goto out_nofree;
3374         }
3375         kfree(context);
3376 out_nofree:
3377         return error;
3378 }
3379 
3380 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3381                                      const void *value, size_t size, int flags)
3382 {
3383         struct inode_security_struct *isec = inode_security_novalidate(inode);
3384         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3385         u32 newsid;
3386         int rc;
3387 
3388         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3389                 return -EOPNOTSUPP;
3390 
3391         if (!(sbsec->flags & SBLABEL_MNT))
3392                 return -EOPNOTSUPP;
3393 
3394         if (!value || !size)
3395                 return -EACCES;
3396 
3397         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3398                                      GFP_KERNEL);
3399         if (rc)
3400                 return rc;
3401 
3402         spin_lock(&isec->lock);
3403         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3404         isec->sid = newsid;
3405         isec->initialized = LABEL_INITIALIZED;
3406         spin_unlock(&isec->lock);
3407         return 0;
3408 }
3409 
3410 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3411 {
3412         const int len = sizeof(XATTR_NAME_SELINUX);
3413         if (buffer && len <= buffer_size)
3414                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3415         return len;
3416 }
3417 
3418 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3419 {
3420         struct inode_security_struct *isec = inode_security_novalidate(inode);
3421         *secid = isec->sid;
3422 }
3423 
3424 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3425 {
3426         u32 sid;
3427         struct task_security_struct *tsec;
3428         struct cred *new_creds = *new;
3429 
3430         if (new_creds == NULL) {
3431                 new_creds = prepare_creds();
3432                 if (!new_creds)
3433                         return -ENOMEM;
3434         }
3435 
3436         tsec = selinux_cred(new_creds);
3437         /* Get label from overlay inode and set it in create_sid */
3438         selinux_inode_getsecid(d_inode(src), &sid);
3439         tsec->create_sid = sid;
3440         *new = new_creds;
3441         return 0;
3442 }
3443 
3444 static int selinux_inode_copy_up_xattr(const char *name)
3445 {
3446         /* The copy_up hook above sets the initial context on an inode, but we
3447          * don't then want to overwrite it by blindly copying all the lower
3448          * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3449          */
3450         if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3451                 return 1; /* Discard */
3452         /*
3453          * Any other attribute apart from SELINUX is not claimed, supported
3454          * by selinux.
3455          */
3456         return -EOPNOTSUPP;
3457 }
3458 
3459 /* kernfs node operations */
3460 
3461 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3462                                         struct kernfs_node *kn)
3463 {
3464         const struct task_security_struct *tsec = selinux_cred(current_cred());
3465         u32 parent_sid, newsid, clen;
3466         int rc;
3467         char *context;
3468 
3469         rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3470         if (rc == -ENODATA)
3471                 return 0;
3472         else if (rc < 0)
3473                 return rc;
3474 
3475         clen = (u32)rc;
3476         context = kmalloc(clen, GFP_KERNEL);
3477         if (!context)
3478                 return -ENOMEM;
3479 
3480         rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3481         if (rc < 0) {
3482                 kfree(context);
3483                 return rc;
3484         }
3485 
3486         rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3487                                      GFP_KERNEL);
3488         kfree(context);
3489         if (rc)
3490                 return rc;
3491 
3492         if (tsec->create_sid) {
3493                 newsid = tsec->create_sid;
3494         } else {
3495                 u16 secclass = inode_mode_to_security_class(kn->mode);
3496                 struct qstr q;
3497 
3498                 q.name = kn->name;
3499                 q.hash_len = hashlen_string(kn_dir, kn->name);
3500 
3501                 rc = security_transition_sid(&selinux_state, tsec->sid,
3502                                              parent_sid, secclass, &q,
3503                                              &newsid);
3504                 if (rc)
3505                         return rc;
3506         }
3507 
3508         rc = security_sid_to_context_force(&selinux_state, newsid,
3509                                            &context, &clen);
3510         if (rc)
3511                 return rc;
3512 
3513         rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3514                               XATTR_CREATE);
3515         kfree(context);
3516         return rc;
3517 }
3518 
3519 
3520 /* file security operations */
3521 
3522 static int selinux_revalidate_file_permission(struct file *file, int mask)
3523 {
3524         const struct cred *cred = current_cred();
3525         struct inode *inode = file_inode(file);
3526 
3527         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3528         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3529                 mask |= MAY_APPEND;
3530 
3531         return file_has_perm(cred, file,
3532                              file_mask_to_av(inode->i_mode, mask));
3533 }
3534 
3535 static int selinux_file_permission(struct file *file, int mask)
3536 {
3537         struct inode *inode = file_inode(file);
3538         struct file_security_struct *fsec = selinux_file(file);
3539         struct inode_security_struct *isec;
3540         u32 sid = current_sid();
3541 
3542         if (!mask)
3543                 /* No permission to check.  Existence test. */
3544                 return 0;
3545 
3546         isec = inode_security(inode);
3547         if (sid == fsec->sid && fsec->isid == isec->sid &&
3548             fsec->pseqno == avc_policy_seqno(&selinux_state))
3549                 /* No change since file_open check. */
3550                 return 0;
3551 
3552         return selinux_revalidate_file_permission(file, mask);
3553 }
3554 
3555 static int selinux_file_alloc_security(struct file *file)
3556 {
3557         return file_alloc_security(file);
3558 }
3559 
3560 /*
3561  * Check whether a task has the ioctl permission and cmd
3562  * operation to an inode.
3563  */
3564 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3565                 u32 requested, u16 cmd)
3566 {
3567         struct common_audit_data ad;
3568         struct file_security_struct *fsec = selinux_file(file);
3569         struct inode *inode = file_inode(file);
3570         struct inode_security_struct *isec;
3571         struct lsm_ioctlop_audit ioctl;
3572         u32 ssid = cred_sid(cred);
3573         int rc;
3574         u8 driver = cmd >> 8;
3575         u8 xperm = cmd & 0xff;
3576 
3577         ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3578         ad.u.op = &ioctl;
3579         ad.u.op->cmd = cmd;
3580         ad.u.op->path = file->f_path;
3581 
3582         if (ssid != fsec->sid) {
3583                 rc = avc_has_perm(&selinux_state,
3584                                   ssid, fsec->sid,
3585                                 SECCLASS_FD,
3586                                 FD__USE,
3587                                 &ad);
3588                 if (rc)
3589                         goto out;
3590         }
3591 
3592         if (unlikely(IS_PRIVATE(inode)))
3593                 return 0;
3594 
3595         isec = inode_security(inode);
3596         rc = avc_has_extended_perms(&selinux_state,
3597                                     ssid, isec->sid, isec->sclass,
3598                                     requested, driver, xperm, &ad);
3599 out:
3600         return rc;
3601 }
3602 
3603 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3604                               unsigned long arg)
3605 {
3606         const struct cred *cred = current_cred();
3607         int error = 0;
3608 
3609         switch (cmd) {
3610         case FIONREAD:
3611         /* fall through */
3612         case FIBMAP:
3613         /* fall through */
3614         case FIGETBSZ:
3615         /* fall through */
3616         case FS_IOC_GETFLAGS:
3617         /* fall through */
3618         case FS_IOC_GETVERSION:
3619                 error = file_has_perm(cred, file, FILE__GETATTR);
3620                 break;
3621 
3622         case FS_IOC_SETFLAGS:
3623         /* fall through */
3624         case FS_IOC_SETVERSION:
3625                 error = file_has_perm(cred, file, FILE__SETATTR);
3626                 break;
3627 
3628         /* sys_ioctl() checks */
3629         case FIONBIO:
3630         /* fall through */
3631         case FIOASYNC:
3632                 error = file_has_perm(cred, file, 0);
3633                 break;
3634 
3635         case KDSKBENT:
3636         case KDSKBSENT:
3637                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3638                                             CAP_OPT_NONE, true);
3639                 break;
3640 
3641         /* default case assumes that the command will go
3642          * to the file's ioctl() function.
3643          */
3644         default:
3645                 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3646         }
3647         return error;
3648 }
3649 
3650 static int default_noexec;
3651 
3652 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3653 {
3654         const struct cred *cred = current_cred();
3655         u32 sid = cred_sid(cred);
3656         int rc = 0;
3657 
3658         if (default_noexec &&
3659             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3660                                    (!shared && (prot & PROT_WRITE)))) {
3661                 /*
3662                  * We are making executable an anonymous mapping or a
3663                  * private file mapping that will also be writable.
3664                  * This has an additional check.
3665                  */
3666                 rc = avc_has_perm(&selinux_state,
3667                                   sid, sid, SECCLASS_PROCESS,
3668                                   PROCESS__EXECMEM, NULL);
3669                 if (rc)
3670                         goto error;
3671         }
3672 
3673         if (file) {
3674                 /* read access is always possible with a mapping */
3675                 u32 av = FILE__READ;
3676 
3677                 /* write access only matters if the mapping is shared */
3678                 if (shared && (prot & PROT_WRITE))
3679                         av |= FILE__WRITE;
3680 
3681                 if (prot & PROT_EXEC)
3682                         av |= FILE__EXECUTE;
3683 
3684                 return file_has_perm(cred, file, av);
3685         }
3686 
3687 error:
3688         return rc;
3689 }
3690 
3691 static int selinux_mmap_addr(unsigned long addr)
3692 {
3693         int rc = 0;
3694 
3695         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3696                 u32 sid = current_sid();
3697                 rc = avc_has_perm(&selinux_state,
3698                                   sid, sid, SECCLASS_MEMPROTECT,
3699                                   MEMPROTECT__MMAP_ZERO, NULL);
3700         }
3701 
3702         return rc;
3703 }
3704 
3705 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3706                              unsigned long prot, unsigned long flags)
3707 {
3708         struct common_audit_data ad;
3709         int rc;
3710 
3711         if (file) {
3712                 ad.type = LSM_AUDIT_DATA_FILE;
3713                 ad.u.file = file;
3714                 rc = inode_has_perm(current_cred(), file_inode(file),
3715                                     FILE__MAP, &ad);
3716                 if (rc)
3717                         return rc;
3718         }
3719 
3720         if (selinux_state.checkreqprot)
3721                 prot = reqprot;
3722 
3723         return file_map_prot_check(file, prot,
3724                                    (flags & MAP_TYPE) == MAP_SHARED);
3725 }
3726 
3727 static int selinux_file_mprotect(struct vm_area_struct *vma,
3728                                  unsigned long reqprot,
3729                                  unsigned long prot)
3730 {
3731         const struct cred *cred = current_cred();
3732         u32 sid = cred_sid(cred);
3733 
3734         if (selinux_state.checkreqprot)
3735                 prot = reqprot;
3736 
3737         if (default_noexec &&
3738             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3739                 int rc = 0;
3740                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3741                     vma->vm_end <= vma->vm_mm->brk) {
3742                         rc = avc_has_perm(&selinux_state,
3743                                           sid, sid, SECCLASS_PROCESS,
3744                                           PROCESS__EXECHEAP, NULL);
3745                 } else if (!vma->vm_file &&
3746                            ((vma->vm_start <= vma->vm_mm->start_stack &&
3747                              vma->vm_end >= vma->vm_mm->start_stack) ||
3748                             vma_is_stack_for_current(vma))) {
3749                         rc = avc_has_perm(&selinux_state,
3750                                           sid, sid, SECCLASS_PROCESS,
3751                                           PROCESS__EXECSTACK, NULL);
3752                 } else if (vma->vm_file && vma->anon_vma) {
3753                         /*
3754                          * We are making executable a file mapping that has
3755                          * had some COW done. Since pages might have been
3756                          * written, check ability to execute the possibly
3757                          * modified content.  This typically should only
3758                          * occur for text relocations.
3759                          */
3760                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3761                 }
3762                 if (rc)
3763                         return rc;
3764         }
3765 
3766         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3767 }
3768 
3769 static int selinux_file_lock(struct file *file, unsigned int cmd)
3770 {
3771         const struct cred *cred = current_cred();
3772 
3773         return file_has_perm(cred, file, FILE__LOCK);
3774 }
3775 
3776 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3777                               unsigned long arg)
3778 {
3779         const struct cred *cred = current_cred();
3780         int err = 0;
3781 
3782         switch (cmd) {
3783         case F_SETFL:
3784                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3785                         err = file_has_perm(cred, file, FILE__WRITE);
3786                         break;
3787                 }
3788                 /* fall through */
3789         case F_SETOWN:
3790         case F_SETSIG:
3791         case F_GETFL:
3792         case F_GETOWN:
3793         case F_GETSIG:
3794         case F_GETOWNER_UIDS:
3795                 /* Just check FD__USE permission */
3796                 err = file_has_perm(cred, file, 0);
3797                 break;
3798         case F_GETLK:
3799         case F_SETLK:
3800         case F_SETLKW:
3801         case F_OFD_GETLK:
3802         case F_OFD_SETLK:
3803         case F_OFD_SETLKW:
3804 #if BITS_PER_LONG == 32
3805         case F_GETLK64:
3806         case F_SETLK64:
3807         case F_SETLKW64:
3808 #endif
3809                 err = file_has_perm(cred, file, FILE__LOCK);
3810                 break;
3811         }
3812 
3813         return err;
3814 }
3815 
3816 static void selinux_file_set_fowner(struct file *file)
3817 {
3818         struct file_security_struct *fsec;
3819 
3820         fsec = selinux_file(file);
3821         fsec->fown_sid = current_sid();
3822 }
3823 
3824 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3825                                        struct fown_struct *fown, int signum)
3826 {
3827         struct file *file;
3828         u32 sid = task_sid(tsk);
3829         u32 perm;
3830         struct file_security_struct *fsec;
3831 
3832         /* struct fown_struct is never outside the context of a struct file */
3833         file = container_of(fown, struct file, f_owner);
3834 
3835         fsec = selinux_file(file);
3836 
3837         if (!signum)
3838                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3839         else
3840                 perm = signal_to_av(signum);
3841 
3842         return avc_has_perm(&selinux_state,
3843                             fsec->fown_sid, sid,
3844                             SECCLASS_PROCESS, perm, NULL);
3845 }
3846 
3847 static int selinux_file_receive(struct file *file)
3848 {
3849         const struct cred *cred = current_cred();
3850 
3851         return file_has_perm(cred, file, file_to_av(file));
3852 }
3853 
3854 static int selinux_file_open(struct file *file)
3855 {
3856         struct file_security_struct *fsec;
3857         struct inode_security_struct *isec;
3858 
3859         fsec = selinux_file(file);
3860         isec = inode_security(file_inode(file));
3861         /*
3862          * Save inode label and policy sequence number
3863          * at open-time so that selinux_file_permission
3864          * can determine whether revalidation is necessary.
3865          * Task label is already saved in the file security
3866          * struct as its SID.
3867          */
3868         fsec->isid = isec->sid;
3869         fsec->pseqno = avc_policy_seqno(&selinux_state);
3870         /*
3871          * Since the inode label or policy seqno may have changed
3872          * between the selinux_inode_permission check and the saving
3873          * of state above, recheck that access is still permitted.
3874          * Otherwise, access might never be revalidated against the
3875          * new inode label or new policy.
3876          * This check is not redundant - do not remove.
3877          */
3878         return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3879 }
3880 
3881 /* task security operations */
3882 
3883 static int selinux_task_alloc(struct task_struct *task,
3884                               unsigned long clone_flags)
3885 {
3886         u32 sid = current_sid();
3887 
3888         return avc_has_perm(&selinux_state,
3889                             sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3890 }
3891 
3892 /*
3893  * prepare a new set of credentials for modification
3894  */
3895 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3896                                 gfp_t gfp)
3897 {
3898         const struct task_security_struct *old_tsec = selinux_cred(old);
3899         struct task_security_struct *tsec = selinux_cred(new);
3900 
3901         *tsec = *old_tsec;
3902         return 0;
3903 }
3904 
3905 /*
3906  * transfer the SELinux data to a blank set of creds
3907  */
3908 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3909 {
3910         const struct task_security_struct *old_tsec = selinux_cred(old);
3911         struct task_security_struct *tsec = selinux_cred(new);
3912 
3913         *tsec = *old_tsec;
3914 }
3915 
3916 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3917 {
3918         *secid = cred_sid(c);
3919 }
3920 
3921 /*
3922  * set the security data for a kernel service
3923  * - all the creation contexts are set to unlabelled
3924  */
3925 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3926 {
3927         struct task_security_struct *tsec = selinux_cred(new);
3928         u32 sid = current_sid();
3929         int ret;
3930 
3931         ret = avc_has_perm(&selinux_state,
3932                            sid, secid,
3933                            SECCLASS_KERNEL_SERVICE,
3934                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3935                            NULL);
3936         if (ret == 0) {
3937                 tsec->sid = secid;
3938                 tsec->create_sid = 0;
3939                 tsec->keycreate_sid = 0;
3940                 tsec->sockcreate_sid = 0;
3941         }
3942         return ret;
3943 }
3944 
3945 /*
3946  * set the file creation context in a security record to the same as the
3947  * objective context of the specified inode
3948  */
3949 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3950 {
3951         struct inode_security_struct *isec = inode_security(inode);
3952         struct task_security_struct *tsec = selinux_cred(new);
3953         u32 sid = current_sid();
3954         int ret;
3955 
3956         ret = avc_has_perm(&selinux_state,
3957                            sid, isec->sid,
3958                            SECCLASS_KERNEL_SERVICE,
3959                            KERNEL_SERVICE__CREATE_FILES_AS,
3960                            NULL);
3961 
3962         if (ret == 0)
3963                 tsec->create_sid = isec->sid;
3964         return ret;
3965 }
3966 
3967 static int selinux_kernel_module_request(char *kmod_name)
3968 {
3969         struct common_audit_data ad;
3970 
3971         ad.type = LSM_AUDIT_DATA_KMOD;
3972         ad.u.kmod_name = kmod_name;
3973 
3974         return avc_has_perm(&selinux_state,
3975                             current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3976                             SYSTEM__MODULE_REQUEST, &ad);
3977 }
3978 
3979 static int selinux_kernel_module_from_file(struct file *file)
3980 {
3981         struct common_audit_data ad;
3982         struct inode_security_struct *isec;
3983         struct file_security_struct *fsec;
3984         u32 sid = current_sid();
3985         int rc;
3986 
3987         /* init_module */
3988         if (file == NULL)
3989                 return avc_has_perm(&selinux_state,
3990                                     sid, sid, SECCLASS_SYSTEM,
3991                                         SYSTEM__MODULE_LOAD, NULL);
3992 
3993         /* finit_module */
3994 
3995         ad.type = LSM_AUDIT_DATA_FILE;
3996         ad.u.file = file;
3997 
3998         fsec = selinux_file(file);
3999         if (sid != fsec->sid) {
4000                 rc = avc_has_perm(&selinux_state,
4001                                   sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4002                 if (rc)
4003                         return rc;
4004         }
4005 
4006         isec = inode_security(file_inode(file));
4007         return avc_has_perm(&selinux_state,
4008                             sid, isec->sid, SECCLASS_SYSTEM,
4009                                 SYSTEM__MODULE_LOAD, &ad);
4010 }
4011 
4012 static int selinux_kernel_read_file(struct file *file,
4013                                     enum kernel_read_file_id id)
4014 {
4015         int rc = 0;
4016 
4017         switch (id) {
4018         case READING_MODULE:
4019                 rc = selinux_kernel_module_from_file(file);
4020                 break;
4021         default:
4022                 break;
4023         }
4024 
4025         return rc;
4026 }
4027 
4028 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4029 {
4030         int rc = 0;
4031 
4032         switch (id) {
4033         case LOADING_MODULE:
4034                 rc = selinux_kernel_module_from_file(NULL);
4035         default:
4036                 break;
4037         }
4038 
4039         return rc;
4040 }
4041 
4042 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4043 {
4044         return avc_has_perm(&selinux_state,
4045                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4046                             PROCESS__SETPGID, NULL);
4047 }
4048 
4049 static int selinux_task_getpgid(struct task_struct *p)
4050 {
4051         return avc_has_perm(&selinux_state,
4052                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4053                             PROCESS__GETPGID, NULL);
4054 }
4055 
4056 static int selinux_task_getsid(struct task_struct *p)
4057 {
4058         return avc_has_perm(&selinux_state,
4059                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4060                             PROCESS__GETSESSION, NULL);
4061 }
4062 
4063 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4064 {
4065         *secid = task_sid(p);
4066 }
4067 
4068 static int selinux_task_setnice(struct task_struct *p, int nice)
4069 {
4070         return avc_has_perm(&selinux_state,
4071                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4072                             PROCESS__SETSCHED, NULL);
4073 }
4074 
4075 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4076 {
4077         return avc_has_perm(&selinux_state,
4078                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4079                             PROCESS__SETSCHED, NULL);
4080 }
4081 
4082 static int selinux_task_getioprio(struct task_struct *p)
4083 {
4084         return avc_has_perm(&selinux_state,
4085                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4086                             PROCESS__GETSCHED, NULL);
4087 }
4088 
4089 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4090                                 unsigned int flags)
4091 {
4092         u32 av = 0;
4093 
4094         if (!flags)
4095                 return 0;
4096         if (flags & LSM_PRLIMIT_WRITE)
4097                 av |= PROCESS__SETRLIMIT;
4098         if (flags & LSM_PRLIMIT_READ)
4099                 av |= PROCESS__GETRLIMIT;
4100         return avc_has_perm(&selinux_state,
4101                             cred_sid(cred), cred_sid(tcred),
4102                             SECCLASS_PROCESS, av, NULL);
4103 }
4104 
4105 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4106                 struct rlimit *new_rlim)
4107 {
4108         struct rlimit *old_rlim = p->signal->rlim + resource;
4109 
4110         /* Control the ability to change the hard limit (whether
4111            lowering or raising it), so that the hard limit can
4112            later be used as a safe reset point for the soft limit
4113            upon context transitions.  See selinux_bprm_committing_creds. */
4114         if (old_rlim->rlim_max != new_rlim->rlim_max)
4115                 return avc_has_perm(&selinux_state,
4116                                     current_sid(), task_sid(p),
4117                                     SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4118 
4119         return 0;
4120 }
4121 
4122 static int selinux_task_setscheduler(struct task_struct *p)
4123 {
4124         return avc_has_perm(&selinux_state,
4125                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4126                             PROCESS__SETSCHED, NULL);
4127 }
4128 
4129 static int selinux_task_getscheduler(struct task_struct *p)
4130 {
4131         return avc_has_perm(&selinux_state,
4132                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4133                             PROCESS__GETSCHED, NULL);
4134 }
4135 
4136 static int selinux_task_movememory(struct task_struct *p)
4137 {
4138         return avc_has_perm(&selinux_state,
4139                             current_sid(), task_sid(p), SECCLASS_PROCESS,
4140                             PROCESS__SETSCHED, NULL);
4141 }
4142 
4143 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4144                                 int sig, const struct cred *cred)
4145 {
4146         u32 secid;
4147         u32 perm;
4148 
4149         if (!sig)
4150                 perm = PROCESS__SIGNULL; /* null signal; existence test */
4151         else
4152                 perm = signal_to_av(sig);
4153         if (!cred)
4154                 secid = current_sid();
4155         else
4156                 secid = cred_sid(cred);
4157         return avc_has_perm(&selinux_state,
4158                             secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4159 }
4160 
4161 static void selinux_task_to_inode(struct task_struct *p,
4162                                   struct inode *inode)
4163 {
4164         struct inode_security_struct *isec = selinux_inode(inode);
4165         u32 sid = task_sid(p);
4166 
4167         spin_lock(&isec->lock);
4168         isec->sclass = inode_mode_to_security_class(inode->i_mode);
4169         isec->sid = sid;
4170         isec->initialized = LABEL_INITIALIZED;
4171         spin_unlock(&isec->lock);
4172 }
4173 
4174 /* Returns error only if unable to parse addresses */
4175 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4176                         struct common_audit_data *ad, u8 *proto)
4177 {
4178         int offset, ihlen, ret = -EINVAL;
4179         struct iphdr _iph, *ih;
4180 
4181         offset = skb_network_offset(skb);
4182         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4183         if (ih == NULL)
4184                 goto out;
4185 
4186         ihlen = ih->ihl * 4;
4187         if (ihlen < sizeof(_iph))
4188                 goto out;
4189 
4190         ad->u.net->v4info.saddr = ih->saddr;
4191         ad->u.net->v4info.daddr = ih->daddr;
4192         ret = 0;
4193 
4194         if (proto)
4195                 *proto = ih->protocol;
4196 
4197         switch (ih->protocol) {
4198         case IPPROTO_TCP: {
4199                 struct tcphdr _tcph, *th;
4200 
4201                 if (ntohs(ih->frag_off) & IP_OFFSET)
4202                         break;
4203 
4204                 offset += ihlen;
4205                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4206                 if (th == NULL)
4207                         break;
4208 
4209                 ad->u.net->sport = th->source;
4210                 ad->u.net->dport = th->dest;
4211                 break;
4212         }
4213 
4214         case IPPROTO_UDP: {
4215                 struct udphdr _udph, *uh;
4216 
4217                 if (ntohs(ih->frag_off) & IP_OFFSET)
4218                         break;
4219 
4220                 offset += ihlen;
4221                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4222                 if (uh == NULL)
4223                         break;
4224 
4225                 ad->u.net->sport = uh->source;
4226                 ad->u.net->dport = uh->dest;
4227                 break;
4228         }
4229 
4230         case IPPROTO_DCCP: {
4231                 struct dccp_hdr _dccph, *dh;
4232 
4233                 if (ntohs(ih->frag_off) & IP_OFFSET)
4234                         break;
4235 
4236                 offset += ihlen;
4237                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4238                 if (dh == NULL)
4239                         break;
4240 
4241                 ad->u.net->sport = dh->dccph_sport;
4242                 ad->u.net->dport = dh->dccph_dport;
4243                 break;
4244         }
4245 
4246 #if IS_ENABLED(CONFIG_IP_SCTP)
4247         case IPPROTO_SCTP: {
4248                 struct sctphdr _sctph, *sh;
4249 
4250                 if (ntohs(ih->frag_off) & IP_OFFSET)
4251                         break;
4252 
4253                 offset += ihlen;
4254                 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4255                 if (sh == NULL)
4256                         break;
4257 
4258                 ad->u.net->sport = sh->source;
4259                 ad->u.net->dport = sh->dest;
4260                 break;
4261         }
4262 #endif
4263         default:
4264                 break;
4265         }
4266 out:
4267         return ret;
4268 }
4269 
4270 #if IS_ENABLED(CONFIG_IPV6)
4271 
4272 /* Returns error only if unable to parse addresses */
4273 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4274                         struct common_audit_data *ad, u8 *proto)
4275 {
4276         u8 nexthdr;
4277         int ret = -EINVAL, offset;
4278         struct ipv6hdr _ipv6h, *ip6;
4279         __be16 frag_off;
4280 
4281         offset = skb_network_offset(skb);
4282         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4283         if (ip6 == NULL)
4284                 goto out;
4285 
4286         ad->u.net->v6info.saddr = ip6->saddr;
4287         ad->u.net->v6info.daddr = ip6->daddr;
4288         ret = 0;
4289 
4290         nexthdr = ip6->nexthdr;
4291         offset += sizeof(_ipv6h);
4292         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4293         if (offset < 0)
4294                 goto out;
4295 
4296         if (proto)
4297                 *proto = nexthdr;
4298 
4299         switch (nexthdr) {
4300         case IPPROTO_TCP: {
4301                 struct tcphdr _tcph, *th;
4302 
4303                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4304                 if (th == NULL)
4305                         break;
4306 
4307                 ad->u.net->sport = th->source;
4308                 ad->u.net->dport = th->dest;
4309                 break;
4310         }
4311 
4312         case IPPROTO_UDP: {
4313                 struct udphdr _udph, *uh;
4314 
4315                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4316                 if (uh == NULL)
4317                         break;
4318 
4319                 ad->u.net->sport = uh->source;
4320                 ad->u.net->dport = uh->dest;
4321                 break;
4322         }
4323 
4324         case IPPROTO_DCCP: {
4325                 struct dccp_hdr _dccph, *dh;
4326 
4327                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4328                 if (dh == NULL)
4329                         break;
4330 
4331                 ad->u.net->sport = dh->dccph_sport;
4332                 ad->u.net->dport = dh->dccph_dport;
4333                 break;
4334         }
4335 
4336 #if IS_ENABLED(CONFIG_IP_SCTP)
4337         case IPPROTO_SCTP: {
4338                 struct sctphdr _sctph, *sh;
4339 
4340                 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4341                 if (sh == NULL)
4342                         break;
4343 
4344                 ad->u.net->sport = sh->source;
4345                 ad->u.net->dport = sh->dest;
4346                 break;
4347         }
4348 #endif
4349         /* includes fragments */
4350         default:
4351                 break;
4352         }
4353 out:
4354         return ret;
4355 }
4356 
4357 #endif /* IPV6 */
4358 
4359 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4360                              char **_addrp, int src, u8 *proto)
4361 {
4362         char *addrp;
4363         int ret;
4364 
4365         switch (ad->u.net->family) {
4366         case PF_INET:
4367                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4368                 if (ret)
4369                         goto parse_error;
4370                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4371                                        &ad->u.net->v4info.daddr);
4372                 goto okay;
4373 
4374 #if IS_ENABLED(CONFIG_IPV6)
4375         case PF_INET6:
4376                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4377                 if (ret)
4378                         goto parse_error;
4379                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4380                                        &ad->u.net->v6info.daddr);
4381                 goto okay;
4382 #endif  /* IPV6 */
4383         default:
4384                 addrp = NULL;
4385                 goto okay;
4386         }
4387 
4388 parse_error:
4389         pr_warn(
4390                "SELinux: failure in selinux_parse_skb(),"
4391                " unable to parse packet\n");
4392         return ret;
4393 
4394 okay:
4395         if (_addrp)
4396                 *_addrp = addrp;
4397         return 0;
4398 }
4399 
4400 /**
4401  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4402  * @skb: the packet
4403  * @family: protocol family
4404  * @sid: the packet's peer label SID
4405  *
4406  * Description:
4407  * Check the various different forms of network peer labeling and determine
4408  * the peer label/SID for the packet; most of the magic actually occurs in
4409  * the security server function security_net_peersid_cmp().  The function
4410  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4411  * or -EACCES if @sid is invalid due to inconsistencies with the different
4412  * peer labels.
4413  *
4414  */
4415 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4416 {
4417         int err;
4418         u32 xfrm_sid;
4419         u32 nlbl_sid;
4420         u32 nlbl_type;
4421 
4422         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4423         if (unlikely(err))
4424                 return -EACCES;
4425         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4426         if (unlikely(err))
4427                 return -EACCES;
4428 
4429         err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4430                                            nlbl_type, xfrm_sid, sid);
4431         if (unlikely(err)) {
4432                 pr_warn(
4433                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4434                        " unable to determine packet's peer label\n");
4435                 return -EACCES;
4436         }
4437 
4438         return 0;
4439 }
4440 
4441 /**
4442  * selinux_conn_sid - Determine the child socket label for a connection
4443  * @sk_sid: the parent socket's SID
4444  * @skb_sid: the packet's SID
4445  * @conn_sid: the resulting connection SID
4446  *
4447  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4448  * combined with the MLS information from @skb_sid in order to create
4449  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4450  * of @sk_sid.  Returns zero on success, negative values on failure.
4451  *
4452  */
4453 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4454 {
4455         int err = 0;
4456 
4457         if (skb_sid != SECSID_NULL)
4458                 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4459                                             conn_sid);
4460         else
4461                 *conn_sid = sk_sid;
4462 
4463         return err;
4464 }
4465 
4466 /* socket security operations */
4467 
4468 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4469                                  u16 secclass, u32 *socksid)
4470 {
4471         if (tsec->sockcreate_sid > SECSID_NULL) {
4472                 *socksid = tsec->sockcreate_sid;
4473                 return 0;
4474         }
4475 
4476         return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4477                                        secclass, NULL, socksid);
4478 }
4479 
4480 static int sock_has_perm(struct sock *sk, u32 perms)
4481 {
4482         struct sk_security_struct *sksec = sk->sk_security;
4483         struct common_audit_data ad;
4484         struct lsm_network_audit net = {0,};
4485 
4486         if (sksec->sid == SECINITSID_KERNEL)
4487                 return 0;
4488 
4489         ad.type = LSM_AUDIT_DATA_NET;
4490         ad.u.net = &net;
4491         ad.u.net->sk = sk;
4492 
4493         return avc_has_perm(&selinux_state,
4494                             current_sid(), sksec->sid, sksec->sclass, perms,
4495                             &ad);
4496 }
4497 
4498 static int selinux_socket_create(int family, int type,
4499                                  int protocol, int kern)
4500 {
4501         const struct task_security_struct *tsec = selinux_cred(current_cred());
4502         u32 newsid;
4503         u16 secclass;
4504         int rc;
4505 
4506         if (kern)
4507                 return 0;
4508 
4509         secclass = socket_type_to_security_class(family, type, protocol);
4510         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4511         if (rc)
4512                 return rc;
4513 
4514         return avc_has_perm(&selinux_state,
4515                             tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4516 }
4517 
4518 static int selinux_socket_post_create(struct socket *sock, int family,
4519                                       int type, int protocol, int kern)
4520 {
4521         const struct task_security_struct *tsec = selinux_cred(current_cred());
4522         struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4523         struct sk_security_struct *sksec;
4524         u16 sclass = socket_type_to_security_class(family, type, protocol);
4525         u32 sid = SECINITSID_KERNEL;
4526         int err = 0;
4527 
4528         if (!kern) {
4529                 err = socket_sockcreate_sid(tsec, sclass, &sid);
4530                 if (err)
4531                         return err;
4532         }
4533 
4534         isec->sclass = sclass;
4535         isec->sid = sid;
4536         isec->initialized = LABEL_INITIALIZED;
4537 
4538         if (sock->sk) {
4539                 sksec = sock->sk->sk_security;
4540                 sksec->sclass = sclass;
4541                 sksec->sid = sid;
4542                 /* Allows detection of the first association on this socket */
4543                 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4544                         sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4545 
4546                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4547         }
4548 
4549         return err;
4550 }
4551 
4552 static int selinux_socket_socketpair(struct socket *socka,
4553                                      struct socket *sockb)
4554 {
4555         struct sk_security_struct *sksec_a = socka->sk->sk_security;
4556         struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4557 
4558         sksec_a->peer_sid = sksec_b->sid;
4559         sksec_b->peer_sid = sksec_a->sid;
4560 
4561         return 0;
4562 }
4563 
4564 /* Range of port numbers used to automatically bind.
4565    Need to determine whether we should perform a name_bind
4566    permission check between the socket and the port number. */
4567 
4568 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4569 {
4570         struct sock *sk = sock->sk;
4571         struct sk_security_struct *sksec = sk->sk_security;
4572         u16 family;
4573         int err;
4574 
4575         err = sock_has_perm(sk, SOCKET__BIND);
4576         if (err)
4577                 goto out;
4578 
4579         /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4580         family = sk->sk_family;
4581         if (family == PF_INET || family == PF_INET6) {
4582                 char *addrp;
4583                 struct common_audit_data ad;
4584                 struct lsm_network_audit net = {0,};
4585                 struct sockaddr_in *addr4 = NULL;
4586                 struct sockaddr_in6 *addr6 = NULL;
4587                 u16 family_sa;
4588                 unsigned short snum;
4589                 u32 sid, node_perm;
4590 
4591                 /*
4592                  * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4593                  * that validates multiple binding addresses. Because of this
4594                  * need to check address->sa_family as it is possible to have
4595                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4596                  */
4597                 if (addrlen < offsetofend(struct sockaddr, sa_family))
4598                         return -EINVAL;
4599                 family_sa = address->sa_family;
4600                 switch (family_sa) {
4601                 case AF_UNSPEC:
4602                 case AF_INET:
4603                         if (addrlen < sizeof(struct sockaddr_in))
4604                                 return -EINVAL;
4605                         addr4 = (struct sockaddr_in *)address;
4606                         if (family_sa == AF_UNSPEC) {
4607                                 /* see __inet_bind(), we only want to allow
4608                                  * AF_UNSPEC if the address is INADDR_ANY
4609                                  */
4610                                 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4611                                         goto err_af;
4612                                 family_sa = AF_INET;
4613                         }
4614                         snum = ntohs(addr4->sin_port);
4615                         addrp = (char *)&addr4->sin_addr.s_addr;
4616                         break;
4617                 case AF_INET6:
4618                         if (addrlen < SIN6_LEN_RFC2133)
4619                                 return -EINVAL;
4620                         addr6 = (struct sockaddr_in6 *)address;
4621                         snum = ntohs(addr6->sin6_port);
4622                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4623                         break;
4624                 default:
4625                         goto err_af;
4626                 }
4627 
4628                 ad.type = LSM_AUDIT_DATA_NET;
4629                 ad.u.net = &net;
4630                 ad.u.net->sport = htons(snum);
4631                 ad.u.net->family = family_sa;
4632 
4633                 if (snum) {
4634                         int low, high;
4635 
4636                         inet_get_local_port_range(sock_net(sk), &low, &high);
4637 
4638                         if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4639                             snum > high) {
4640                                 err = sel_netport_sid(sk->sk_protocol,
4641                                                       snum, &sid);
4642                                 if (err)
4643                                         goto out;
4644                                 err = avc_has_perm(&selinux_state,
4645                                                    sksec->sid, sid,
4646                                                    sksec->sclass,
4647                                                    SOCKET__NAME_BIND, &ad);
4648                                 if (err)
4649                                         goto out;
4650                         }
4651                 }
4652 
4653                 switch (sksec->sclass) {
4654                 case SECCLASS_TCP_SOCKET:
4655                         node_perm = TCP_SOCKET__NODE_BIND;
4656                         break;
4657 
4658                 case SECCLASS_UDP_SOCKET:
4659                         node_perm = UDP_SOCKET__NODE_BIND;
4660                         break;
4661 
4662                 case SECCLASS_DCCP_SOCKET:
4663                         node_perm = DCCP_SOCKET__NODE_BIND;
4664                         break;
4665 
4666                 case SECCLASS_SCTP_SOCKET:
4667                         node_perm = SCTP_SOCKET__NODE_BIND;
4668                         break;
4669 
4670                 default:
4671                         node_perm = RAWIP_SOCKET__NODE_BIND;
4672                         break;
4673                 }
4674 
4675                 err = sel_netnode_sid(addrp, family_sa, &sid);
4676                 if (err)
4677                         goto out;
4678 
4679                 if (family_sa == AF_INET)
4680                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4681                 else
4682                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4683 
4684                 err = avc_has_perm(&selinux_state,
4685                                    sksec->sid, sid,
4686                                    sksec->sclass, node_perm, &ad);
4687                 if (err)
4688                         goto out;
4689         }
4690 out:
4691         return err;
4692 err_af:
4693         /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4694         if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4695                 return -EINVAL;
4696         return -EAFNOSUPPORT;
4697 }
4698 
4699 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4700  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4701  */
4702 static int selinux_socket_connect_helper(struct socket *sock,
4703                                          struct sockaddr *address, int addrlen)
4704 {
4705         struct sock *sk = sock->sk;
4706         struct sk_security_struct *sksec = sk->sk_security;
4707         int err;
4708 
4709         err = sock_has_perm(sk, SOCKET__CONNECT);
4710         if (err)
4711                 return err;
4712         if (addrlen < offsetofend(struct sockaddr, sa_family))
4713                 return -EINVAL;
4714 
4715         /* connect(AF_UNSPEC) has special handling, as it is a documented
4716          * way to disconnect the socket
4717          */
4718         if (address->sa_family == AF_UNSPEC)
4719                 return 0;
4720 
4721         /*
4722          * If a TCP, DCCP or SCTP socket, check name_connect permission
4723          * for the port.
4724          */
4725         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4726             sksec->sclass == SECCLASS_DCCP_SOCKET ||
4727             sksec->sclass == SECCLASS_SCTP_SOCKET) {
4728                 struct common_audit_data ad;
4729                 struct lsm_network_audit net = {0,};
4730                 struct sockaddr_in *addr4 = NULL;
4731                 struct sockaddr_in6 *addr6 = NULL;
4732                 unsigned short snum;
4733                 u32 sid, perm;
4734 
4735                 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4736                  * that validates multiple connect addresses. Because of this
4737                  * need to check address->sa_family as it is possible to have
4738                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4739                  */
4740                 switch (address->sa_family) {
4741                 case AF_INET:
4742                         addr4 = (struct sockaddr_in *)address;
4743                         if (addrlen < sizeof(struct sockaddr_in))
4744                                 return -EINVAL;
4745                         snum = ntohs(addr4->sin_port);
4746                         break;
4747                 case AF_INET6:
4748                         addr6 = (struct sockaddr_in6 *)address;
4749                         if (addrlen < SIN6_LEN_RFC2133)
4750                                 return -EINVAL;
4751                         snum = ntohs(addr6->sin6_port);
4752                         break;
4753                 default:
4754                         /* Note that SCTP services expect -EINVAL, whereas
4755                          * others expect -EAFNOSUPPORT.
4756                          */
4757                         if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4758                                 return -EINVAL;
4759                         else
4760                                 return -EAFNOSUPPORT;
4761                 }
4762 
4763                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4764                 if (err)
4765                         return err;
4766 
4767                 switch (sksec->sclass) {
4768                 case SECCLASS_TCP_SOCKET:
4769                         perm = TCP_SOCKET__NAME_CONNECT;
4770                         break;
4771                 case SECCLASS_DCCP_SOCKET:
4772                         perm = DCCP_SOCKET__NAME_CONNECT;
4773                         break;
4774                 case SECCLASS_SCTP_SOCKET:
4775                         perm = SCTP_SOCKET__NAME_CONNECT;
4776                         break;
4777                 }
4778 
4779                 ad.type = LSM_AUDIT_DATA_NET;
4780                 ad.u.net = &net;
4781                 ad.u.net->dport = htons(snum);
4782                 ad.u.net->family = address->sa_family;
4783                 err = avc_has_perm(&selinux_state,
4784                                    sksec->sid, sid, sksec->sclass, perm, &ad);
4785                 if (err)
4786                         return err;
4787         }
4788 
4789         return 0;
4790 }
4791 
4792 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4793 static int selinux_socket_connect(struct socket *sock,
4794                                   struct sockaddr *address, int addrlen)
4795 {
4796         int err;
4797         struct sock *sk = sock->sk;
4798 
4799         err = selinux_socket_connect_helper(sock, address, addrlen);
4800         if (err)
4801                 return err;
4802 
4803         return selinux_netlbl_socket_connect(sk, address);
4804 }
4805 
4806 static int selinux_socket_listen(struct socket *sock, int backlog)
4807 {
4808         return sock_has_perm(sock->sk, SOCKET__LISTEN);
4809 }
4810 
4811 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4812 {
4813         int err;
4814         struct inode_security_struct *isec;
4815         struct inode_security_struct *newisec;
4816         u16 sclass;
4817         u32 sid;
4818 
4819         err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4820         if (err)
4821                 return err;
4822 
4823         isec = inode_security_novalidate(SOCK_INODE(sock));
4824         spin_lock(&isec->lock);
4825         sclass = isec->sclass;
4826         sid = isec->sid;
4827         spin_unlock(&isec->lock);
4828 
4829         newisec = inode_security_novalidate(SOCK_INODE(newsock));
4830         newisec->sclass = sclass;
4831         newisec->sid = sid;
4832         newisec->initialized = LABEL_INITIALIZED;
4833 
4834         return 0;
4835 }
4836 
4837 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4838                                   int size)
4839 {
4840         return sock_has_perm(sock->sk, SOCKET__WRITE);
4841 }
4842 
4843 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4844                                   int size, int flags)
4845 {
4846         return sock_has_perm(sock->sk, SOCKET__READ);
4847 }
4848 
4849 static int selinux_socket_getsockname(struct socket *sock)
4850 {
4851         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4852 }
4853 
4854 static int selinux_socket_getpeername(struct socket *sock)
4855 {
4856         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4857 }
4858 
4859 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4860 {
4861         int err;
4862 
4863         err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4864         if (err)
4865                 return err;
4866 
4867         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4868 }
4869 
4870 static int selinux_socket_getsockopt(struct socket *sock, int level,
4871                                      int optname)
4872 {
4873         return sock_has_perm(sock->sk, SOCKET__GETOPT);
4874 }
4875 
4876 static int selinux_socket_shutdown(struct socket *sock, int how)
4877 {
4878         return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4879 }
4880 
4881 static int selinux_socket_unix_stream_connect(struct sock *sock,
4882                                               struct sock *other,
4883                                               struct sock *newsk)
4884 {
4885         struct sk_security_struct *sksec_sock = sock->sk_security;
4886         struct sk_security_struct *sksec_other = other->sk_security;
4887         struct sk_security_struct *sksec_new = newsk->sk_security;
4888         struct common_audit_data ad;
4889         struct lsm_network_audit net = {0,};
4890         int err;
4891 
4892         ad.type = LSM_AUDIT_DATA_NET;
4893         ad.u.net = &net;
4894         ad.u.net->sk = other;
4895 
4896         err = avc_has_perm(&selinux_state,
4897                            sksec_sock->sid, sksec_other->sid,
4898                            sksec_other->sclass,
4899                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4900         if (err)
4901                 return err;
4902 
4903         /* server child socket */
4904         sksec_new->peer_sid = sksec_sock->sid;
4905         err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4906                                     sksec_sock->sid, &sksec_new->sid);
4907         if (err)
4908                 return err;
4909 
4910         /* connecting socket */
4911         sksec_sock->peer_sid = sksec_new->sid;
4912 
4913         return 0;
4914 }
4915 
4916 static int selinux_socket_unix_may_send(struct socket *sock,
4917                                         struct socket *other)
4918 {
4919         struct sk_security_struct *ssec = sock->sk->sk_security;
4920         struct sk_security_struct *osec = other->sk->sk_security;
4921         struct common_audit_data ad;
4922         struct lsm_network_audit net = {0,};
4923 
4924         ad.type = LSM_AUDIT_DATA_NET;
4925         ad.u.net = &net;
4926         ad.u.net->sk = other->sk;
4927 
4928         return avc_has_perm(&selinux_state,
4929                             ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4930                             &ad);
4931 }
4932 
4933 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4934                                     char *addrp, u16 family, u32 peer_sid,
4935                                     struct common_audit_data *ad)
4936 {
4937         int err;
4938         u32 if_sid;
4939         u32 node_sid;
4940 
4941         err = sel_netif_sid(ns, ifindex, &if_sid);
4942         if (err)
4943                 return err;
4944         err = avc_has_perm(&selinux_state,
4945                            peer_sid, if_sid,
4946                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4947         if (err)
4948                 return err;
4949 
4950         err = sel_netnode_sid(addrp, family, &node_sid);
4951         if (err)
4952                 return err;
4953         return avc_has_perm(&selinux_state,
4954                             peer_sid, node_sid,
4955                             SECCLASS_NODE, NODE__RECVFROM, ad);
4956 }
4957 
4958 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4959                                        u16 family)
4960 {
4961         int err = 0;
4962         struct sk_security_struct *sksec = sk->sk_security;
4963         u32 sk_sid = sksec->sid;
4964         struct common_audit_data ad;
4965         struct lsm_network_audit net = {0,};
4966         char *addrp;
4967 
4968         ad.type = LSM_AUDIT_DATA_NET;
4969         ad.u.net = &net;
4970         ad.u.net->netif = skb->skb_iif;
4971         ad.u.net->family = family;
4972         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4973         if (err)
4974                 return err;
4975 
4976         if (selinux_secmark_enabled()) {
4977                 err = avc_has_perm(&selinux_state,
4978                                    sk_sid, skb->secmark, SECCLASS_PACKET,
4979                                    PACKET__RECV, &ad);
4980                 if (err)
4981                         return err;
4982         }
4983 
4984         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4985         if (err)
4986                 return err;
4987         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4988 
4989         return err;
4990 }
4991 
4992 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4993 {
4994         int err;
4995         struct sk_security_struct *sksec = sk->sk_security;
4996         u16 family = sk->sk_family;
4997         u32 sk_sid = sksec->sid;
4998         struct common_audit_data ad;
4999         struct lsm_network_audit net = {0,};
5000         char *addrp;
5001         u8 secmark_active;
5002         u8 peerlbl_active;
5003 
5004         if (family != PF_INET && family != PF_INET6)
5005                 return 0;
5006 
5007         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5008         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5009                 family = PF_INET;
5010 
5011         /* If any sort of compatibility mode is enabled then handoff processing
5012          * to the selinux_sock_rcv_skb_compat() function to deal with the
5013          * special handling.  We do this in an attempt to keep this function
5014          * as fast and as clean as possible. */
5015         if (!selinux_policycap_netpeer())
5016                 return selinux_sock_rcv_skb_compat(sk, skb, family);
5017 
5018         secmark_active = selinux_secmark_enabled();
5019         peerlbl_active = selinux_peerlbl_enabled();
5020         if (!secmark_active && !peerlbl_active)
5021                 return 0;
5022 
5023         ad.type = LSM_AUDIT_DATA_NET;
5024         ad.u.net = &net;
5025         ad.u.net->netif = skb->skb_iif;
5026         ad.u.net->family = family;
5027         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5028         if (err)
5029                 return err;
5030 
5031         if (peerlbl_active) {
5032                 u32 peer_sid;
5033 
5034                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5035                 if (err)
5036                         return err;
5037                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5038                                                addrp, family, peer_sid, &ad);
5039                 if (err) {
5040                         selinux_netlbl_err(skb, family, err, 0);
5041                         return err;
5042                 }
5043                 err = avc_has_perm(&selinux_state,
5044                                    sk_sid, peer_sid, SECCLASS_PEER,
5045                                    PEER__RECV, &ad);
5046                 if (err) {
5047                         selinux_netlbl_err(skb, family, err, 0);
5048                         return err;
5049                 }
5050         }
5051 
5052         if (secmark_active) {
5053                 err = avc_has_perm(&selinux_state,
5054                                    sk_sid, skb->secmark, SECCLASS_PACKET,
5055                                    PACKET__RECV, &ad);
5056                 if (err)
5057                         return err;
5058         }
5059 
5060         return err;
5061 }
5062 
5063 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5064                                             int __user *optlen, unsigned len)
5065 {
5066         int err = 0;
5067         char *scontext;
5068         u32 scontext_len;
5069         struct sk_security_struct *sksec = sock->sk->sk_security;
5070         u32 peer_sid = SECSID_NULL;
5071 
5072         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5073             sksec->sclass == SECCLASS_TCP_SOCKET ||
5074             sksec->sclass == SECCLASS_SCTP_SOCKET)
5075                 peer_sid = sksec->peer_sid;
5076         if (peer_sid == SECSID_NULL)
5077                 return -ENOPROTOOPT;
5078 
5079         err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5080                                       &scontext_len);
5081         if (err)
5082                 return err;
5083 
5084         if (scontext_len > len) {
5085                 err = -ERANGE;
5086                 goto out_len;
5087         }
5088 
5089         if (copy_to_user(optval, scontext, scontext_len))
5090                 err = -EFAULT;
5091 
5092 out_len:
5093         if (put_user(scontext_len, optlen))
5094                 err = -EFAULT;
5095         kfree(scontext);
5096         return err;
5097 }
5098 
5099 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5100 {
5101         u32 peer_secid = SECSID_NULL;
5102         u16 family;
5103         struct inode_security_struct *isec;
5104 
5105         if (skb && skb->protocol == htons(ETH_P_IP))
5106                 family = PF_INET;
5107         else if (skb && skb->protocol == htons(ETH_P_IPV6))
5108                 family = PF_INET6;
5109         else if (sock)
5110                 family = sock->sk->sk_family;
5111         else
5112                 goto out;
5113 
5114         if (sock && family == PF_UNIX) {
5115                 isec = inode_security_novalidate(SOCK_INODE(sock));
5116                 peer_secid = isec->sid;
5117         } else if (skb)
5118                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5119 
5120 out:
5121         *secid = peer_secid;
5122         if (peer_secid == SECSID_NULL)
5123                 return -EINVAL;
5124         return 0;
5125 }
5126 
5127 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5128 {
5129         struct sk_security_struct *sksec;
5130 
5131         sksec = kzalloc(sizeof(*sksec), priority);
5132         if (!sksec)
5133                 return -ENOMEM;
5134 
5135         sksec->peer_sid = SECINITSID_UNLABELED;
5136         sksec->sid = SECINITSID_UNLABELED;
5137         sksec->sclass = SECCLASS_SOCKET;
5138         selinux_netlbl_sk_security_reset(sksec);
5139         sk->sk_security = sksec;
5140 
5141         return 0;
5142 }
5143 
5144 static void selinux_sk_free_security(struct sock *sk)
5145 {
5146         struct sk_security_struct *sksec = sk->sk_security;
5147 
5148         sk->sk_security = NULL;
5149         selinux_netlbl_sk_security_free(sksec);
5150         kfree(sksec);
5151 }
5152 
5153 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5154 {
5155         struct sk_security_struct *sksec = sk->sk_security;
5156         struct sk_security_struct *newsksec = newsk->sk_security;
5157 
5158         newsksec->sid = sksec->sid;
5159         newsksec->peer_sid = sksec->peer_sid;
5160         newsksec->sclass = sksec->sclass;
5161 
5162         selinux_netlbl_sk_security_reset(newsksec);
5163 }
5164 
5165 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5166 {
5167         if (!sk)
5168                 *secid = SECINITSID_ANY_SOCKET;
5169         else {
5170                 struct sk_security_struct *sksec = sk->sk_security;
5171 
5172                 *secid = sksec->sid;
5173         }
5174 }
5175 
5176 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5177 {
5178         struct inode_security_struct *isec =
5179                 inode_security_novalidate(SOCK_INODE(parent));
5180         struct sk_security_struct *sksec = sk->sk_security;
5181 
5182         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5183             sk->sk_family == PF_UNIX)
5184                 isec->sid = sksec->sid;
5185         sksec->sclass = isec->sclass;
5186 }
5187 
5188 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5189  * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5190  * already present).
5191  */
5192 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5193                                       struct sk_buff *skb)
5194 {
5195         struct sk_security_struct *sksec = ep->base.sk->sk_security;
5196         struct common_audit_data ad;
5197         struct lsm_network_audit net = {0,};
5198         u8 peerlbl_active;
5199         u32 peer_sid = SECINITSID_UNLABELED;
5200         u32 conn_sid;
5201         int err = 0;
5202 
5203         if (!selinux_policycap_extsockclass())
5204                 return 0;
5205 
5206         peerlbl_active = selinux_peerlbl_enabled();
5207 
5208         if (peerlbl_active) {
5209                 /* This will return peer_sid = SECSID_NULL if there are
5210                  * no peer labels, see security_net_peersid_resolve().
5211                  */
5212                 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5213                                               &peer_sid);
5214                 if (err)
5215                         return err;
5216 
5217                 if (peer_sid == SECSID_NULL)
5218                         peer_sid = SECINITSID_UNLABELED;
5219         }
5220 
5221         if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5222                 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5223 
5224                 /* Here as first association on socket. As the peer SID
5225                  * was allowed by peer recv (and the netif/node checks),
5226                  * then it is approved by policy and used as the primary
5227                  * peer SID for getpeercon(3).
5228                  */
5229                 sksec->peer_sid = peer_sid;
5230         } else if  (sksec->peer_sid != peer_sid) {
5231                 /* Other association peer SIDs are checked to enforce
5232                  * consistency among the peer SIDs.
5233                  */
5234                 ad.type = LSM_AUDIT_DATA_NET;
5235                 ad.u.net = &net;
5236                 ad.u.net->sk = ep->base.sk;
5237                 err = avc_has_perm(&selinux_state,
5238                                    sksec->peer_sid, peer_sid, sksec->sclass,
5239                                    SCTP_SOCKET__ASSOCIATION, &ad);
5240                 if (err)
5241                         return err;
5242         }
5243 
5244         /* Compute the MLS component for the connection and store
5245          * the information in ep. This will be used by SCTP TCP type
5246          * sockets and peeled off connections as they cause a new
5247          * socket to be generated. selinux_sctp_sk_clone() will then
5248          * plug this into the new socket.
5249          */
5250         err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5251         if (err)
5252                 return err;
5253 
5254         ep->secid = conn_sid;
5255         ep->peer_secid = peer_sid;
5256 
5257         /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5258         return selinux_netlbl_sctp_assoc_request(ep, skb);
5259 }
5260 
5261 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5262  * based on their @optname.
5263  */
5264 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5265                                      struct sockaddr *address,
5266                                      int addrlen)
5267 {
5268         int len, err = 0, walk_size = 0;
5269         void *addr_buf;
5270         struct sockaddr *addr;
5271         struct socket *sock;
5272 
5273         if (!selinux_policycap_extsockclass())
5274                 return 0;
5275 
5276         /* Process one or more addresses that may be IPv4 or IPv6 */
5277         sock = sk->sk_socket;
5278         addr_buf = address;
5279 
5280         while (walk_size < addrlen) {
5281                 if (walk_size + sizeof(sa_family_t) > addrlen)
5282                         return -EINVAL;
5283 
5284                 addr = addr_buf;
5285                 switch (addr->sa_family) {
5286                 case AF_UNSPEC:
5287                 case AF_INET:
5288                         len = sizeof(struct sockaddr_in);
5289                         break;
5290                 case AF_INET6:
5291                         len = sizeof(struct sockaddr_in6);
5292                         break;
5293                 default:
5294                         return -EINVAL;
5295                 }
5296 
5297                 if (walk_size + len > addrlen)
5298                         return -EINVAL;
5299 
5300                 err = -EINVAL;
5301                 switch (optname) {
5302                 /* Bind checks */
5303                 case SCTP_PRIMARY_ADDR:
5304                 case SCTP_SET_PEER_PRIMARY_ADDR:
5305                 case SCTP_SOCKOPT_BINDX_ADD:
5306                         err = selinux_socket_bind(sock, addr, len);
5307                         break;
5308                 /* Connect checks */
5309                 case SCTP_SOCKOPT_CONNECTX:
5310                 case SCTP_PARAM_SET_PRIMARY:
5311                 case SCTP_PARAM_ADD_IP:
5312                 case SCTP_SENDMSG_CONNECT:
5313                         err = selinux_socket_connect_helper(sock, addr, len);
5314                         if (err)
5315                                 return err;
5316 
5317                         /* As selinux_sctp_bind_connect() is called by the
5318                          * SCTP protocol layer, the socket is already locked,
5319                          * therefore selinux_netlbl_socket_connect_locked() is
5320                          * is called here. The situations handled are:
5321                          * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5322                          * whenever a new IP address is added or when a new
5323                          * primary address is selected.
5324                          * Note that an SCTP connect(2) call happens before
5325                          * the SCTP protocol layer and is handled via
5326                          * selinux_socket_connect().
5327                          */
5328                         err = selinux_netlbl_socket_connect_locked(sk, addr);
5329                         break;
5330                 }
5331 
5332                 if (err)
5333                         return err;
5334 
5335                 addr_buf += len;
5336                 walk_size += len;
5337         }
5338 
5339         return 0;
5340 }
5341 
5342 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5343 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5344                                   struct sock *newsk)
5345 {
5346         struct sk_security_struct *sksec = sk->sk_security;
5347         struct sk_security_struct *newsksec = newsk->sk_security;
5348 
5349         /* If policy does not support SECCLASS_SCTP_SOCKET then call
5350          * the non-sctp clone version.
5351          */
5352         if (!selinux_policycap_extsockclass())
5353                 return selinux_sk_clone_security(sk, newsk);
5354 
5355         newsksec->sid = ep->secid;
5356         newsksec->peer_sid = ep->peer_secid;
5357         newsksec->sclass = sksec->sclass;
5358         selinux_netlbl_sctp_sk_clone(sk, newsk);
5359 }
5360 
5361 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5362                                      struct request_sock *req)
5363 {
5364         struct sk_security_struct *sksec = sk->sk_security;
5365         int err;
5366         u16 family = req->rsk_ops->family;
5367         u32 connsid;
5368         u32 peersid;
5369 
5370         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5371         if (err)
5372                 return err;
5373         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5374         if (err)
5375                 return err;
5376         req->secid = connsid;
5377         req->peer_secid = peersid;
5378 
5379         return selinux_netlbl_inet_conn_request(req, family);
5380 }
5381 
5382 static void selinux_inet_csk_clone(struct sock *newsk,
5383                                    const struct request_sock *req)
5384 {
5385         struct sk_security_struct *newsksec = newsk->sk_security;
5386 
5387         newsksec->sid = req->secid;
5388         newsksec->peer_sid = req->peer_secid;
5389         /* NOTE: Ideally, we should also get the isec->sid for the
5390            new socket in sync, but we don't have the isec available yet.
5391            So we will wait until sock_graft to do it, by which
5392            time it will have been created and available. */
5393 
5394         /* We don't need to take any sort of lock here as we are the only
5395          * thread with access to newsksec */
5396         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5397 }
5398 
5399 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5400 {
5401         u16 family = sk->sk_family;
5402         struct sk_security_struct *sksec = sk->sk_security;
5403 
5404         /* handle mapped IPv4 packets arriving via IPv6 sockets */
5405         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5406                 family = PF_INET;
5407 
5408         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5409 }
5410 
5411 static int selinux_secmark_relabel_packet(u32 sid)
5412 {
5413         const struct task_security_struct *__tsec;
5414         u32 tsid;
5415 
5416         __tsec = selinux_cred(current_cred());
5417         tsid = __tsec->sid;
5418 
5419         return avc_has_perm(&selinux_state,
5420                             tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5421                             NULL);
5422 }
5423 
5424 static void selinux_secmark_refcount_inc(void)
5425 {
5426         atomic_inc(&selinux_secmark_refcount);
5427 }
5428 
5429 static void selinux_secmark_refcount_dec(void)
5430 {
5431         atomic_dec(&selinux_secmark_refcount);
5432 }
5433 
5434 static void selinux_req_classify_flow(const struct request_sock *req,
5435                                       struct flowi *fl)
5436 {
5437         fl->flowi_secid = req->secid;
5438 }
5439 
5440 static int selinux_tun_dev_alloc_security(void **security)
5441 {
5442         struct tun_security_struct *tunsec;
5443 
5444         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5445         if (!tunsec)
5446                 return -ENOMEM;
5447         tunsec->sid = current_sid();
5448 
5449         *security = tunsec;
5450         return 0;
5451 }
5452 
5453 static void selinux_tun_dev_free_security(void *security)
5454 {
5455         kfree(security);
5456 }
5457 
5458 static int selinux_tun_dev_create(void)
5459 {
5460         u32 sid = current_sid();
5461 
5462         /* we aren't taking into account the "sockcreate" SID since the socket
5463          * that is being created here is not a socket in the traditional sense,
5464          * instead it is a private sock, accessible only to the kernel, and
5465          * representing a wide range of network traffic spanning multiple
5466          * connections unlike traditional sockets - check the TUN driver to
5467          * get a better understanding of why this socket is special */
5468 
5469         return avc_has_perm(&selinux_state,
5470                             sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5471                             NULL);
5472 }
5473 
5474 static int selinux_tun_dev_attach_queue(void *security)
5475 {
5476         struct tun_security_struct *tunsec = security;
5477 
5478         return avc_has_perm(&selinux_state,
5479                             current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5480                             TUN_SOCKET__ATTACH_QUEUE, NULL);
5481 }
5482 
5483 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5484 {
5485         struct tun_security_struct *tunsec = security;
5486         struct sk_security_struct *sksec = sk->sk_security;
5487 
5488         /* we don't currently perform any NetLabel based labeling here and it
5489          * isn't clear that we would want to do so anyway; while we could apply
5490          * labeling without the support of the TUN user the resulting labeled
5491          * traffic from the other end of the connection would almost certainly
5492          * cause confusion to the TUN user that had no idea network labeling
5493          * protocols were being used */
5494 
5495         sksec->sid = tunsec->sid;
5496         sksec->sclass = SECCLASS_TUN_SOCKET;
5497 
5498         return 0;
5499 }
5500 
5501 static int selinux_tun_dev_open(void *security)
5502 {
5503         struct tun_security_struct *tunsec = security;
5504         u32 sid = current_sid();
5505         int err;
5506 
5507         err = avc_has_perm(&selinux_state,
5508                            sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5509                            TUN_SOCKET__RELABELFROM, NULL);
5510         if (err)
5511                 return err;
5512         err = avc_has_perm(&selinux_state,
5513                            sid, sid, SECCLASS_TUN_SOCKET,
5514                            TUN_SOCKET__RELABELTO, NULL);
5515         if (err)
5516                 return err;
5517         tunsec->sid = sid;
5518 
5519         return 0;
5520 }
5521 
5522 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5523 {
5524         int rc = 0;
5525         unsigned int msg_len;
5526         unsigned int data_len = skb->len;
5527         unsigned char *data = skb->data;
5528         struct nlmsghdr *nlh;
5529         struct sk_security_struct *sksec = sk->sk_security;
5530         u16 sclass = sksec->sclass;
5531         u32 perm;
5532 
5533         while (data_len >= nlmsg_total_size(0)) {
5534                 nlh = (struct nlmsghdr *)data;
5535 
5536                 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5537                  *       users which means we can't reject skb's with bogus
5538                  *       length fields; our solution is to follow what
5539                  *       netlink_rcv_skb() does and simply skip processing at
5540                  *       messages with length fields that are clearly junk
5541                  */
5542                 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5543                         return 0;
5544 
5545                 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5546                 if (rc == 0) {
5547                         rc = sock_has_perm(sk, perm);
5548                         if (rc)
5549                                 return rc;
5550                 } else if (rc == -EINVAL) {
5551                         /* -EINVAL is a missing msg/perm mapping */
5552                         pr_warn_ratelimited("SELinux: unrecognized netlink"
5553                                 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5554                                 " pid=%d comm=%s\n",
5555                                 sk->sk_protocol, nlh->nlmsg_type,
5556                                 secclass_map[sclass - 1].name,
5557                                 task_pid_nr(current), current->comm);
5558                         if (enforcing_enabled(&selinux_state) &&
5559                             !security_get_allow_unknown(&selinux_state))
5560                                 return rc;
5561                         rc = 0;
5562                 } else if (rc == -ENOENT) {
5563                         /* -ENOENT is a missing socket/class mapping, ignore */
5564                         rc = 0;
5565                 } else {
5566                         return rc;
5567                 }
5568 
5569                 /* move to the next message after applying netlink padding */
5570                 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5571                 if (msg_len >= data_len)
5572                         return 0;
5573                 data_len -= msg_len;
5574                 data += msg_len;
5575         }
5576 
5577         return rc;
5578 }
5579 
5580 #ifdef CONFIG_NETFILTER
5581 
5582 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5583                                        const struct net_device *indev,
5584                                        u16 family)
5585 {
5586         int err;
5587         char *addrp;
5588         u32 peer_sid;
5589         struct common_audit_data ad;
5590         struct lsm_network_audit net = {0,};
5591         u8 secmark_active;
5592         u8 netlbl_active;
5593         u8 peerlbl_active;
5594 
5595         if (!selinux_policycap_netpeer())
5596                 return NF_ACCEPT;
5597 
5598         secmark_active = selinux_secmark_enabled();
5599         netlbl_active = netlbl_enabled();
5600         peerlbl_active = selinux_peerlbl_enabled();
5601         if (!secmark_active && !peerlbl_active)
5602                 return NF_ACCEPT;
5603 
5604         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5605                 return NF_DROP;
5606 
5607         ad.type = LSM_AUDIT_DATA_NET;
5608         ad.u.net = &net;
5609         ad.u.net->netif = indev->ifindex;
5610         ad.u.net->family = family;
5611         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5612                 return NF_DROP;
5613 
5614         if (peerlbl_active) {
5615                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5616                                                addrp, family, peer_sid, &ad);
5617                 if (err) {
5618                         selinux_netlbl_err(skb, family, err, 1);
5619                         return NF_DROP;
5620                 }
5621         }
5622 
5623         if (secmark_active)
5624                 if (avc_has_perm(&selinux_state,
5625                                  peer_sid, skb->secmark,
5626                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5627                         return NF_DROP;
5628 
5629         if (netlbl_active)
5630                 /* we do this in the FORWARD path and not the POST_ROUTING
5631                  * path because we want to make sure we apply the necessary
5632                  * labeling before IPsec is applied so we can leverage AH
5633                  * protection */
5634                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5635                         return NF_DROP;
5636 
5637         return NF_ACCEPT;
5638 }
5639 
5640 static unsigned int selinux_ipv4_forward(void *priv,
5641                                          struct sk_buff *skb,
5642                                          const struct nf_hook_state *state)
5643 {
5644         return selinux_ip_forward(skb, state->in, PF_INET);
5645 }
5646 
5647 #if IS_ENABLED(CONFIG_IPV6)
5648 static unsigned int selinux_ipv6_forward(void *priv,
5649                                          struct sk_buff *skb,
5650                                          const struct nf_hook_state *state)
5651 {
5652         return selinux_ip_forward(skb, state->in, PF_INET6);
5653 }
5654 #endif  /* IPV6 */
5655 
5656 static unsigned int selinux_ip_output(struct sk_buff *skb,
5657                                       u16 family)
5658 {
5659         struct sock *sk;
5660         u32 sid;
5661 
5662         if (!netlbl_enabled())
5663                 return NF_ACCEPT;
5664 
5665         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5666          * because we want to make sure we apply the necessary labeling
5667          * before IPsec is applied so we can leverage AH protection */
5668         sk = skb->sk;
5669         if (sk) {
5670                 struct sk_security_struct *sksec;
5671 
5672                 if (sk_listener(sk))
5673                         /* if the socket is the listening state then this
5674                          * packet is a SYN-ACK packet which means it needs to
5675                          * be labeled based on the connection/request_sock and
5676                          * not the parent socket.  unfortunately, we can't
5677                          * lookup the request_sock yet as it isn't queued on
5678                          * the parent socket until after the SYN-ACK is sent.
5679                          * the "solution" is to simply pass the packet as-is
5680                          * as any IP option based labeling should be copied
5681                          * from the initial connection request (in the IP
5682                          * layer).  it is far from ideal, but until we get a
5683                          * security label in the packet itself this is the
5684                          * best we can do. */
5685                         return NF_ACCEPT;
5686 
5687                 /* standard practice, label using the parent socket */
5688                 sksec = sk->sk_security;
5689                 sid = sksec->sid;
5690         } else
5691                 sid = SECINITSID_KERNEL;
5692         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5693                 return NF_DROP;
5694 
5695         return NF_ACCEPT;
5696 }
5697 
5698 static unsigned int selinux_ipv4_output(void *priv,
5699                                         struct sk_buff *skb,
5700                                         const struct nf_hook_state *state)
5701 {
5702         return selinux_ip_output(skb, PF_INET);
5703 }
5704 
5705 #if IS_ENABLED(CONFIG_IPV6)
5706 static unsigned int selinux_ipv6_output(void *priv,
5707                                         struct sk_buff *skb,
5708                                         const struct nf_hook_state *state)
5709 {
5710         return selinux_ip_output(skb, PF_INET6);
5711 }
5712 #endif  /* IPV6 */
5713 
5714 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5715                                                 int ifindex,
5716                                                 u16 family)
5717 {
5718         struct sock *sk = skb_to_full_sk(skb);
5719         struct sk_security_struct *sksec;
5720         struct common_audit_data ad;
5721         struct lsm_network_audit net = {0,};
5722         char *addrp;
5723         u8 proto;
5724 
5725         if (sk == NULL)
5726                 return NF_ACCEPT;
5727         sksec = sk->sk_security;
5728 
5729         ad.type = LSM_AUDIT_DATA_NET;
5730         ad.u.net = &net;
5731         ad.u.net->netif = ifindex;
5732         ad.u.net->family = family;
5733         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5734                 return NF_DROP;
5735 
5736         if (selinux_secmark_enabled())
5737                 if (avc_has_perm(&selinux_state,
5738                                  sksec->sid, skb->secmark,
5739                                  SECCLASS_PACKET, PACKET__SEND, &ad))
5740                         return NF_DROP_ERR(-ECONNREFUSED);
5741 
5742         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5743                 return NF_DROP_ERR(-ECONNREFUSED);
5744 
5745         return NF_ACCEPT;
5746 }
5747 
5748 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5749                                          const struct net_device *outdev,
5750                                          u16 family)
5751 {
5752         u32 secmark_perm;
5753         u32 peer_sid;
5754         int ifindex = outdev->ifindex;
5755         struct sock *sk;
5756         struct common_audit_data ad;
5757         struct lsm_network_audit net = {0,};
5758         char *addrp;
5759         u8 secmark_active;
5760         u8 peerlbl_active;
5761 
5762         /* If any sort of compatibility mode is enabled then handoff processing
5763          * to the selinux_ip_postroute_compat() function to deal with the
5764          * special handling.  We do this in an attempt to keep this function
5765          * as fast and as clean as possible. */
5766         if (!selinux_policycap_netpeer())
5767                 return selinux_ip_postroute_compat(skb, ifindex, family);
5768 
5769         secmark_active = selinux_secmark_enabled();
5770         peerlbl_active = selinux_peerlbl_enabled();
5771         if (!secmark_active && !peerlbl_active)
5772                 return NF_ACCEPT;
5773 
5774         sk = skb_to_full_sk(skb);
5775 
5776 #ifdef CONFIG_XFRM
5777         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5778          * packet transformation so allow the packet to pass without any checks
5779          * since we'll have another chance to perform access control checks
5780          * when the packet is on it's final way out.
5781          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5782          *       is NULL, in this case go ahead and apply access control.
5783          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5784          *       TCP listening state we cannot wait until the XFRM processing
5785          *       is done as we will miss out on the SA label if we do;
5786          *       unfortunately, this means more work, but it is only once per
5787          *       connection. */
5788         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5789             !(sk && sk_listener(sk)))
5790                 return NF_ACCEPT;
5791 #endif
5792 
5793         if (sk == NULL) {
5794                 /* Without an associated socket the packet is either coming
5795                  * from the kernel or it is being forwarded; check the packet
5796                  * to determine which and if the packet is being forwarded
5797                  * query the packet directly to determine the security label. */
5798                 if (skb->skb_iif) {
5799                         secmark_perm = PACKET__FORWARD_OUT;
5800                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5801                                 return NF_DROP;
5802                 } else {
5803                         secmark_perm = PACKET__SEND;
5804                         peer_sid = SECINITSID_KERNEL;
5805                 }
5806         } else if (sk_listener(sk)) {
5807                 /* Locally generated packet but the associated socket is in the
5808                  * listening state which means this is a SYN-ACK packet.  In
5809                  * this particular case the correct security label is assigned
5810                  * to the connection/request_sock but unfortunately we can't
5811                  * query the request_sock as it isn't queued on the parent
5812                  * socket until after the SYN-ACK packet is sent; the only
5813                  * viable choice is to regenerate the label like we do in
5814                  * selinux_inet_conn_request().  See also selinux_ip_output()
5815                  * for similar problems. */
5816                 u32 skb_sid;
5817                 struct sk_security_struct *sksec;
5818 
5819                 sksec = sk->sk_security;
5820                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5821                         return NF_DROP;
5822                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5823                  * and the packet has been through at least one XFRM
5824                  * transformation then we must be dealing with the "final"
5825                  * form of labeled IPsec packet; since we've already applied
5826                  * all of our access controls on this packet we can safely
5827                  * pass the packet. */
5828                 if (skb_sid == SECSID_NULL) {
5829                         switch (family) {
5830                         case PF_INET:
5831                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5832                                         return NF_ACCEPT;
5833                                 break;
5834                         case PF_INET6:
5835                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5836                                         return NF_ACCEPT;
5837                                 break;
5838                         default:
5839                                 return NF_DROP_ERR(-ECONNREFUSED);
5840                         }
5841                 }
5842                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5843                         return NF_DROP;
5844                 secmark_perm = PACKET__SEND;
5845         } else {
5846                 /* Locally generated packet, fetch the security label from the
5847                  * associated socket. */
5848                 struct sk_security_struct *sksec = sk->sk_security;
5849                 peer_sid = sksec->sid;
5850                 secmark_perm = PACKET__SEND;
5851         }
5852 
5853         ad.type = LSM_AUDIT_DATA_NET;
5854         ad.u.net = &net;
5855         ad.u.net->netif = ifindex;
5856         ad.u.net->family = family;
5857         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5858                 return NF_DROP;
5859 
5860         if (secmark_active)
5861                 if (avc_has_perm(&selinux_state,
5862                                  peer_sid, skb->secmark,
5863                                  SECCLASS_PACKET, secmark_perm, &ad))
5864                         return NF_DROP_ERR(-ECONNREFUSED);
5865 
5866         if (peerlbl_active) {
5867                 u32 if_sid;
5868                 u32 node_sid;
5869 
5870                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5871                         return NF_DROP;
5872                 if (avc_has_perm(&selinux_state,
5873                                  peer_sid, if_sid,
5874                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5875                         return NF_DROP_ERR(-ECONNREFUSED);
5876 
5877                 if (sel_netnode_sid(addrp, family, &node_sid))
5878                         return NF_DROP;
5879                 if (avc_has_perm(&selinux_state,
5880                                  peer_sid, node_sid,
5881                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5882                         return NF_DROP_ERR(-ECONNREFUSED);
5883         }
5884 
5885         return NF_ACCEPT;
5886 }
5887 
5888 static unsigned int selinux_ipv4_postroute(void *priv,
5889                                            struct sk_buff *skb,
5890                                            const struct nf_hook_state *state)
5891 {
5892         return selinux_ip_postroute(skb, state->out, PF_INET);
5893 }
5894 
5895 #if IS_ENABLED(CONFIG_IPV6)
5896 static unsigned int selinux_ipv6_postroute(void *priv,
5897                                            struct sk_buff *skb,
5898                                            const struct nf_hook_state *state)
5899 {
5900         return selinux_ip_postroute(skb, state->out, PF_INET6);
5901 }
5902 #endif  /* IPV6 */
5903 
5904 #endif  /* CONFIG_NETFILTER */
5905 
5906 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5907 {
5908         return selinux_nlmsg_perm(sk, skb);
5909 }
5910 
5911 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5912 {
5913         isec->sclass = sclass;
5914         isec->sid = current_sid();
5915 }
5916 
5917 static int msg_msg_alloc_security(struct msg_msg *msg)
5918 {
5919         struct msg_security_struct *msec;
5920 
5921         msec = selinux_msg_msg(msg);
5922         msec->sid = SECINITSID_UNLABELED;
5923 
5924         return 0;
5925 }
5926 
5927 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5928                         u32 perms)
5929 {
5930         struct ipc_security_struct *isec;
5931         struct common_audit_data ad;
5932         u32 sid = current_sid();
5933 
5934         isec = selinux_ipc(ipc_perms);
5935 
5936         ad.type = LSM_AUDIT_DATA_IPC;
5937         ad.u.ipc_id = ipc_perms->key;
5938 
5939         return avc_has_perm(&selinux_state,
5940                             sid, isec->sid, isec->sclass, perms, &ad);
5941 }
5942 
5943 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5944 {
5945         return msg_msg_alloc_security(msg);
5946 }
5947 
5948 /* message queue security operations */
5949 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5950 {
5951         struct ipc_security_struct *isec;
5952         struct common_audit_data ad;
5953         u32 sid = current_sid();
5954         int rc;
5955 
5956         isec = selinux_ipc(msq);
5957         ipc_init_security(isec, SECCLASS_MSGQ);
5958 
5959         ad.type = LSM_AUDIT_DATA_IPC;
5960         ad.u.ipc_id = msq->key;
5961 
5962         rc = avc_has_perm(&selinux_state,
5963                           sid, isec->sid, SECCLASS_MSGQ,
5964                           MSGQ__CREATE, &ad);
5965         return rc;
5966 }
5967 
5968 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5969 {
5970         struct ipc_security_struct *isec;
5971         struct common_audit_data ad;
5972         u32 sid = current_sid();
5973 
5974         isec = selinux_ipc(msq);
5975 
5976         ad.type = LSM_AUDIT_DATA_IPC;
5977         ad.u.ipc_id = msq->key;
5978 
5979         return avc_has_perm(&selinux_state,
5980                             sid, isec->sid, SECCLASS_MSGQ,
5981                             MSGQ__ASSOCIATE, &ad);
5982 }
5983 
5984 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5985 {
5986         int err;
5987         int perms;
5988 
5989         switch (cmd) {
5990         case IPC_INFO:
5991         case MSG_INFO:
5992                 /* No specific object, just general system-wide information. */
5993                 return avc_has_perm(&selinux_state,
5994                                     current_sid(), SECINITSID_KERNEL,
5995                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5996         case IPC_STAT:
5997         case MSG_STAT:
5998         case MSG_STAT_ANY:
5999                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6000                 break;
6001         case IPC_SET:
6002                 perms = MSGQ__SETATTR;
6003                 break;
6004         case IPC_RMID:
6005                 perms = MSGQ__DESTROY;
6006                 break;
6007         default:
6008                 return 0;
6009         }
6010 
6011         err = ipc_has_perm(msq, perms);
6012         return err;
6013 }
6014 
6015 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6016 {
6017         struct ipc_security_struct *isec;
6018         struct msg_security_struct *msec;
6019         struct common_audit_data ad;
6020         u32 sid = current_sid();
6021         int rc;
6022 
6023         isec = selinux_ipc(msq);
6024         msec = selinux_msg_msg(msg);
6025 
6026         /*
6027          * First time through, need to assign label to the message
6028          */
6029         if (msec->sid == SECINITSID_UNLABELED) {
6030                 /*
6031                  * Compute new sid based on current process and
6032                  * message queue this message will be stored in
6033                  */
6034                 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6035                                              SECCLASS_MSG, NULL, &msec->sid);
6036                 if (rc)
6037                         return rc;
6038         }
6039 
6040         ad.type = LSM_AUDIT_DATA_IPC;
6041         ad.u.ipc_id = msq->key;
6042 
6043         /* Can this process write to the queue? */
6044         rc = avc_has_perm(&selinux_state,
6045                           sid, isec->sid, SECCLASS_MSGQ,
6046                           MSGQ__WRITE, &ad);
6047         if (!rc)
6048                 /* Can this process send the message */
6049                 rc = avc_has_perm(&selinux_state,
6050                                   sid, msec->sid, SECCLASS_MSG,
6051                                   MSG__SEND, &ad);
6052         if (!rc)
6053                 /* Can the message be put in the queue? */
6054                 rc = avc_has_perm(&selinux_state,
6055                                   msec->sid, isec->sid, SECCLASS_MSGQ,
6056                                   MSGQ__ENQUEUE, &ad);
6057 
6058         return rc;
6059 }
6060 
6061 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6062                                     struct task_struct *target,
6063                                     long type, int mode)
6064 {
6065         struct ipc_security_struct *isec;
6066         struct msg_security_struct *msec;
6067         struct common_audit_data ad;
6068         u32 sid = task_sid(target);
6069         int rc;
6070 
6071         isec = selinux_ipc(msq);
6072         msec = selinux_msg_msg(msg);
6073 
6074         ad.type = LSM_AUDIT_DATA_IPC;
6075         ad.u.ipc_id = msq->key;
6076 
6077         rc = avc_has_perm(&selinux_state,
6078                           sid, isec->sid,
6079                           SECCLASS_MSGQ, MSGQ__READ, &ad);
6080         if (!rc)
6081                 rc = avc_has_perm(&selinux_state,
6082                                   sid, msec->sid,
6083                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
6084         return rc;
6085 }
6086 
6087 /* Shared Memory security operations */
6088 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6089 {
6090         struct ipc_security_struct *isec;
6091         struct common_audit_data ad;
6092         u32 sid = current_sid();
6093         int rc;
6094 
6095         isec = selinux_ipc(shp);
6096         ipc_init_security(isec, SECCLASS_SHM);
6097 
6098         ad.type = LSM_AUDIT_DATA_IPC;
6099         ad.u.ipc_id = shp->key;
6100 
6101         rc = avc_has_perm(&selinux_state,
6102                           sid, isec->sid, SECCLASS_SHM,
6103                           SHM__CREATE, &ad);
6104         return rc;
6105 }
6106 
6107 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6108 {
6109         struct ipc_security_struct *isec;
6110         struct common_audit_data ad;
6111         u32 sid = current_sid();
6112 
6113         isec = selinux_ipc(shp);
6114 
6115         ad.type = LSM_AUDIT_DATA_IPC;
6116         ad.u.ipc_id = shp->key;
6117 
6118         return avc_has_perm(&selinux_state,
6119                             sid, isec->sid, SECCLASS_SHM,
6120                             SHM__ASSOCIATE, &ad);
6121 }
6122 
6123 /* Note, at this point, shp is locked down */
6124 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6125 {
6126         int perms;
6127         int err;
6128 
6129         switch (cmd) {
6130         case IPC_INFO:
6131         case SHM_INFO:
6132                 /* No specific object, just general system-wide information. */
6133                 return avc_has_perm(&selinux_state,
6134                                     current_sid(), SECINITSID_KERNEL,
6135                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6136         case IPC_STAT:
6137         case SHM_STAT:
6138         case SHM_STAT_ANY:
6139                 perms = SHM__GETATTR | SHM__ASSOCIATE;
6140                 break;
6141         case IPC_SET:
6142                 perms = SHM__SETATTR;
6143                 break;
6144         case SHM_LOCK:
6145         case SHM_UNLOCK:
6146                 perms = SHM__LOCK;
6147                 break;
6148         case IPC_RMID:
6149                 perms = SHM__DESTROY;
6150                 break;
6151         default:
6152                 return 0;
6153         }
6154 
6155         err = ipc_has_perm(shp, perms);
6156         return err;
6157 }
6158 
6159 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6160                              char __user *shmaddr, int shmflg)
6161 {
6162         u32 perms;
6163 
6164         if (shmflg & SHM_RDONLY)
6165                 perms = SHM__READ;
6166         else
6167                 perms = SHM__READ | SHM__WRITE;
6168 
6169         return ipc_has_perm(shp, perms);
6170 }
6171 
6172 /* Semaphore security operations */
6173 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6174 {
6175         struct ipc_security_struct *isec;
6176         struct common_audit_data ad;
6177         u32 sid = current_sid();
6178         int rc;
6179 
6180         isec = selinux_ipc(sma);
6181         ipc_init_security(isec, SECCLASS_SEM);
6182 
6183         ad.type = LSM_AUDIT_DATA_IPC;
6184         ad.u.ipc_id = sma->key;
6185 
6186         rc = avc_has_perm(&selinux_state,
6187                           sid, isec->sid, SECCLASS_SEM,
6188                           SEM__CREATE, &ad);
6189         return rc;
6190 }
6191 
6192 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6193 {
6194         struct ipc_security_struct *isec;
6195         struct common_audit_data ad;
6196         u32 sid = current_sid();
6197 
6198         isec = selinux_ipc(sma);
6199 
6200         ad.type = LSM_AUDIT_DATA_IPC;
6201         ad.u.ipc_id = sma->key;
6202 
6203         return avc_has_perm(&selinux_state,
6204                             sid, isec->sid, SECCLASS_SEM,
6205                             SEM__ASSOCIATE, &ad);
6206 }
6207 
6208 /* Note, at this point, sma is locked down */
6209 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6210 {
6211         int err;
6212         u32 perms;
6213 
6214         switch (cmd) {
6215         case IPC_INFO:
6216         case SEM_INFO:
6217                 /* No specific object, just general system-wide information. */
6218                 return avc_has_perm(&selinux_state,
6219                                     current_sid(), SECINITSID_KERNEL,
6220                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6221         case GETPID:
6222         case GETNCNT:
6223         case GETZCNT:
6224                 perms = SEM__GETATTR;
6225                 break;
6226         case GETVAL:
6227         case GETALL:
6228                 perms = SEM__READ;
6229                 break;
6230         case SETVAL:
6231         case SETALL:
6232                 perms = SEM__WRITE;
6233                 break;
6234         case IPC_RMID:
6235                 perms = SEM__DESTROY;
6236                 break;
6237         case IPC_SET:
6238                 perms = SEM__SETATTR;
6239                 break;
6240         case IPC_STAT:
6241         case SEM_STAT:
6242         case SEM_STAT_ANY:
6243                 perms = SEM__GETATTR | SEM__ASSOCIATE;
6244                 break;
6245         default:
6246                 return 0;
6247         }
6248 
6249         err = ipc_has_perm(sma, perms);
6250         return err;
6251 }
6252 
6253 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6254                              struct sembuf *sops, unsigned nsops, int alter)
6255 {
6256         u32 perms;
6257 
6258         if (alter)
6259                 perms = SEM__READ | SEM__WRITE;
6260         else
6261                 perms = SEM__READ;
6262 
6263         return ipc_has_perm(sma, perms);
6264 }
6265 
6266 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6267 {
6268         u32 av = 0;
6269 
6270         av = 0;
6271         if (flag & S_IRUGO)
6272                 av |= IPC__UNIX_READ;
6273         if (flag & S_IWUGO)
6274                 av |= IPC__UNIX_WRITE;
6275 
6276         if (av == 0)
6277                 return 0;
6278 
6279         return ipc_has_perm(ipcp, av);
6280 }
6281 
6282 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6283 {
6284         struct ipc_security_struct *isec = selinux_ipc(ipcp);
6285         *secid = isec->sid;
6286 }
6287 
6288 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6289 {
6290         if (inode)
6291                 inode_doinit_with_dentry(inode, dentry);
6292 }
6293 
6294 static int selinux_getprocattr(struct task_struct *p,
6295                                char *name, char **value)
6296 {
6297         const struct task_security_struct *__tsec;
6298         u32 sid;
6299         int error;
6300         unsigned len;
6301 
6302         rcu_read_lock();
6303         __tsec = selinux_cred(__task_cred(p));
6304 
6305         if (current != p) {
6306                 error = avc_has_perm(&selinux_state,
6307                                      current_sid(), __tsec->sid,
6308                                      SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6309                 if (error)
6310                         goto bad;
6311         }
6312 
6313         if (!strcmp(name, "current"))
6314                 sid = __tsec->sid;
6315         else if (!strcmp(name, "prev"))
6316                 sid = __tsec->osid;
6317         else if (!strcmp(name, "exec"))
6318                 sid = __tsec->exec_sid;
6319         else if (!strcmp(name, "fscreate"))
6320                 sid = __tsec->create_sid;
6321         else if (!strcmp(name, "keycreate"))
6322                 sid = __tsec->keycreate_sid;
6323         else if (!strcmp(name, "sockcreate"))
6324                 sid = __tsec->sockcreate_sid;
6325         else {
6326                 error = -EINVAL;
6327                 goto bad;
6328         }
6329         rcu_read_unlock();
6330 
6331         if (!sid)
6332                 return 0;
6333 
6334         error = security_sid_to_context(&selinux_state, sid, value, &len);
6335         if (error)
6336                 return error;
6337         return len;
6338 
6339 bad:
6340         rcu_read_unlock();
6341         return error;
6342 }
6343 
6344 static int selinux_setprocattr(const char *name, void *value, size_t size)
6345 {
6346         struct task_security_struct *tsec;
6347         struct cred *new;
6348         u32 mysid = current_sid(), sid = 0, ptsid;
6349         int error;
6350         char *str = value;
6351 
6352         /*
6353          * Basic control over ability to set these attributes at all.
6354          */
6355         if (!strcmp(name, "exec"))
6356                 error = avc_has_perm(&selinux_state,
6357                                      mysid, mysid, SECCLASS_PROCESS,
6358                                      PROCESS__SETEXEC, NULL);
6359         else if (!strcmp(name, "fscreate"))
6360                 error = avc_has_perm(&selinux_state,
6361                                      mysid, mysid, SECCLASS_PROCESS,
6362                                      PROCESS__SETFSCREATE, NULL);
6363         else if (!strcmp(name, "keycreate"))
6364                 error = avc_has_perm(&selinux_state,
6365                                      mysid, mysid, SECCLASS_PROCESS,
6366                                      PROCESS__SETKEYCREATE, NULL);
6367         else if (!strcmp(name, "sockcreate"))
6368                 error = avc_has_perm(&selinux_state,
6369                                      mysid, mysid, SECCLASS_PROCESS,
6370                                      PROCESS__SETSOCKCREATE, NULL);
6371         else if (!strcmp(name, "current"))
6372                 error = avc_has_perm(&selinux_state,
6373                                      mysid, mysid, SECCLASS_PROCESS,
6374                                      PROCESS__SETCURRENT, NULL);
6375         else
6376                 error = -EINVAL;
6377         if (error)
6378                 return error;
6379 
6380         /* Obtain a SID for the context, if one was specified. */
6381         if (size && str[0] && str[0] != '\n') {
6382                 if (str[size-1] == '\n') {
6383                         str[size-1] = 0;
6384                         size--;
6385                 }
6386                 error = security_context_to_sid(&selinux_state, value, size,
6387                                                 &sid, GFP_KERNEL);
6388                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6389                         if (!has_cap_mac_admin(true)) {
6390                                 struct audit_buffer *ab;
6391                                 size_t audit_size;
6392 
6393                                 /* We strip a nul only if it is at the end, otherwise the
6394                                  * context contains a nul and we should audit that */
6395                                 if (str[size - 1] == '\0')
6396                                         audit_size = size - 1;
6397                                 else
6398                                         audit_size = size;
6399                                 ab = audit_log_start(audit_context(),
6400                                                      GFP_ATOMIC,
6401                                                      AUDIT_SELINUX_ERR);
6402                                 audit_log_format(ab, "op=fscreate invalid_context=");
6403                                 audit_log_n_untrustedstring(ab, value, audit_size);
6404                                 audit_log_end(ab);
6405 
6406                                 return error;
6407                         }
6408                         error = security_context_to_sid_force(
6409                                                       &selinux_state,
6410                                                       value, size, &sid);
6411                 }
6412                 if (error)
6413                         return error;
6414         }
6415 
6416         new = prepare_creds();
6417         if (!new)
6418                 return -ENOMEM;
6419 
6420         /* Permission checking based on the specified context is
6421            performed during the actual operation (execve,
6422            open/mkdir/...), when we know the full context of the
6423            operation.  See selinux_bprm_set_creds for the execve
6424            checks and may_create for the file creation checks. The
6425            operation will then fail if the context is not permitted. */
6426         tsec = selinux_cred(new);
6427         if (!strcmp(name, "exec")) {
6428                 tsec->exec_sid = sid;
6429         } else if (!strcmp(name, "fscreate")) {
6430                 tsec->create_sid = sid;
6431         } else if (!strcmp(name, "keycreate")) {
6432                 if (sid) {
6433                         error = avc_has_perm(&selinux_state, mysid, sid,
6434                                              SECCLASS_KEY, KEY__CREATE, NULL);
6435                         if (error)
6436                                 goto abort_change;
6437                 }
6438                 tsec->keycreate_sid = sid;
6439         } else if (!strcmp(name, "sockcreate")) {
6440                 tsec->sockcreate_sid = sid;
6441         } else if (!strcmp(name, "current")) {
6442                 error = -EINVAL;
6443                 if (sid == 0)
6444                         goto abort_change;
6445 
6446                 /* Only allow single threaded processes to change context */
6447                 error = -EPERM;
6448                 if (!current_is_single_threaded()) {
6449                         error = security_bounded_transition(&selinux_state,
6450                                                             tsec->sid, sid);
6451                         if (error)
6452                                 goto abort_change;
6453                 }
6454 
6455                 /* Check permissions for the transition. */
6456                 error = avc_has_perm(&selinux_state,
6457                                      tsec->sid, sid, SECCLASS_PROCESS,
6458                                      PROCESS__DYNTRANSITION, NULL);
6459                 if (error)
6460                         goto abort_change;
6461 
6462                 /* Check for ptracing, and update the task SID if ok.
6463                    Otherwise, leave SID unchanged and fail. */
6464                 ptsid = ptrace_parent_sid();
6465                 if (ptsid != 0) {
6466                         error = avc_has_perm(&selinux_state,
6467                                              ptsid, sid, SECCLASS_PROCESS,
6468                                              PROCESS__PTRACE, NULL);
6469                         if (error)
6470                                 goto abort_change;
6471                 }
6472 
6473                 tsec->sid = sid;
6474         } else {
6475                 error = -EINVAL;
6476                 goto abort_change;
6477         }
6478 
6479         commit_creds(new);
6480         return size;
6481 
6482 abort_change:
6483         abort_creds(new);
6484         return error;
6485 }
6486 
6487 static int selinux_ismaclabel(const char *name)
6488 {
6489         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6490 }
6491 
6492 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6493 {
6494         return security_sid_to_context(&selinux_state, secid,
6495                                        secdata, seclen);
6496 }
6497 
6498 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6499 {
6500         return security_context_to_sid(&selinux_state, secdata, seclen,
6501                                        secid, GFP_KERNEL);
6502 }
6503 
6504 static void selinux_release_secctx(char *secdata, u32 seclen)
6505 {
6506         kfree(secdata);
6507 }
6508 
6509 static void selinux_inode_invalidate_secctx(struct inode *inode)
6510 {
6511         struct inode_security_struct *isec = selinux_inode(inode);
6512 
6513         spin_lock(&isec->lock);
6514         isec->initialized = LABEL_INVALID;
6515         spin_unlock(&isec->lock);
6516 }
6517 
6518 /*
6519  *      called with inode->i_mutex locked
6520  */
6521 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6522 {
6523         int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6524                                            ctx, ctxlen, 0);
6525         /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6526         return rc == -EOPNOTSUPP ? 0 : rc;
6527 }
6528 
6529 /*
6530  *      called with inode->i_mutex locked
6531  */
6532 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6533 {
6534         return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6535 }
6536 
6537 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6538 {
6539         int len = 0;
6540         len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6541                                                 ctx, true);
6542         if (len < 0)
6543                 return len;
6544         *ctxlen = len;
6545         return 0;
6546 }
6547 #ifdef CONFIG_KEYS
6548 
6549 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6550                              unsigned long flags)
6551 {
6552         const struct task_security_struct *tsec;
6553         struct key_security_struct *ksec;
6554 
6555         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6556         if (!ksec)
6557                 return -ENOMEM;
6558 
6559         tsec = selinux_cred(cred);
6560         if (tsec->keycreate_sid)
6561                 ksec->sid = tsec->keycreate_sid;
6562         else
6563                 ksec->sid = tsec->sid;
6564 
6565         k->security = ksec;
6566         return 0;
6567 }
6568 
6569 static void selinux_key_free(struct key *k)
6570 {
6571         struct key_security_struct *ksec = k->security;
6572 
6573         k->security = NULL;
6574         kfree(ksec);
6575 }
6576 
6577 static int selinux_key_permission(key_ref_t key_ref,
6578                                   const struct cred *cred,
6579                                   unsigned perm)
6580 {
6581         struct key *key;
6582         struct key_security_struct *ksec;
6583         u32 sid;
6584 
6585         /* if no specific permissions are requested, we skip the
6586            permission check. No serious, additional covert channels
6587            appear to be created. */
6588         if (perm == 0)
6589                 return 0;
6590 
6591         sid = cred_sid(cred);
6592 
6593         key = key_ref_to_ptr(key_ref);
6594         ksec = key->security;
6595 
6596         return avc_has_perm(&selinux_state,
6597                             sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6598 }
6599 
6600 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6601 {
6602         struct key_security_struct *ksec = key->security;
6603         char *context = NULL;
6604         unsigned len;
6605         int rc;
6606 
6607         rc = security_sid_to_context(&selinux_state, ksec->sid,
6608                                      &context, &len);
6609         if (!rc)
6610                 rc = len;
6611         *_buffer = context;
6612         return rc;
6613 }
6614 #endif
6615 
6616 #ifdef CONFIG_SECURITY_INFINIBAND
6617 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6618 {
6619         struct common_audit_data ad;
6620         int err;
6621         u32 sid = 0;
6622         struct ib_security_struct *sec = ib_sec;
6623         struct lsm_ibpkey_audit ibpkey;
6624 
6625         err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6626         if (err)
6627                 return err;
6628 
6629         ad.type = LSM_AUDIT_DATA_IBPKEY;
6630         ibpkey.subnet_prefix = subnet_prefix;
6631         ibpkey.pkey = pkey_val;
6632         ad.u.ibpkey = &ibpkey;
6633         return avc_has_perm(&selinux_state,
6634                             sec->sid, sid,
6635                             SECCLASS_INFINIBAND_PKEY,
6636                             INFINIBAND_PKEY__ACCESS, &ad);
6637 }
6638 
6639 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6640                                             u8 port_num)
6641 {
6642         struct common_audit_data ad;
6643         int err;
6644         u32 sid = 0;
6645         struct ib_security_struct *sec = ib_sec;
6646         struct lsm_ibendport_audit ibendport;
6647 
6648         err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6649                                       &sid);
6650 
6651         if (err)
6652                 return err;
6653 
6654         ad.type = LSM_AUDIT_DATA_IBENDPORT;
6655         strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6656         ibendport.port = port_num;
6657         ad.u.ibendport = &ibendport;
6658         return avc_has_perm(&selinux_state,
6659                             sec->sid, sid,
6660                             SECCLASS_INFINIBAND_ENDPORT,
6661                             INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6662 }
6663 
6664 static int selinux_ib_alloc_security(void **ib_sec)
6665 {
6666         struct ib_security_struct *sec;
6667 
6668         sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6669         if (!sec)
6670                 return -ENOMEM;
6671         sec->sid = current_sid();
6672 
6673         *ib_sec = sec;
6674         return 0;
6675 }
6676 
6677 static void selinux_ib_free_security(void *ib_sec)
6678 {
6679         kfree(ib_sec);
6680 }
6681 #endif
6682 
6683 #ifdef CONFIG_BPF_SYSCALL
6684 static int selinux_bpf(int cmd, union bpf_attr *attr,
6685                                      unsigned int size)
6686 {
6687         u32 sid = current_sid();
6688         int ret;
6689 
6690         switch (cmd) {
6691         case BPF_MAP_CREATE:
6692                 ret = avc_has_perm(&selinux_state,
6693                                    sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6694                                    NULL);
6695                 break;
6696         case BPF_PROG_LOAD:
6697                 ret = avc_has_perm(&selinux_state,
6698                                    sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6699                                    NULL);
6700                 break;
6701         default:
6702                 ret = 0;
6703                 break;
6704         }
6705 
6706         return ret;
6707 }
6708 
6709 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6710 {
6711         u32 av = 0;
6712 
6713         if (fmode & FMODE_READ)
6714                 av |= BPF__MAP_READ;
6715         if (fmode & FMODE_WRITE)
6716                 av |= BPF__MAP_WRITE;
6717         return av;
6718 }
6719 
6720 /* This function will check the file pass through unix socket or binder to see
6721  * if it is a bpf related object. And apply correspinding checks on the bpf
6722  * object based on the type. The bpf maps and programs, not like other files and
6723  * socket, are using a shared anonymous inode inside the kernel as their inode.
6724  * So checking that inode cannot identify if the process have privilege to
6725  * access the bpf object and that's why we have to add this additional check in
6726  * selinux_file_receive and selinux_binder_transfer_files.
6727  */
6728 static int bpf_fd_pass(struct file *file, u32 sid)
6729 {
6730         struct bpf_security_struct *bpfsec;
6731         struct bpf_prog *prog;
6732         struct bpf_map *map;
6733         int ret;
6734 
6735         if (file->f_op == &bpf_map_fops) {
6736                 map = file->private_data;
6737                 bpfsec = map->security;
6738                 ret = avc_has_perm(&selinux_state,
6739                                    sid, bpfsec->sid, SECCLASS_BPF,
6740                                    bpf_map_fmode_to_av(file->f_mode), NULL);
6741                 if (ret)
6742                         return ret;
6743         } else if (file->f_op == &bpf_prog_fops) {
6744                 prog = file->private_data;
6745                 bpfsec = prog->aux->security;
6746                 ret = avc_has_perm(&selinux_state,
6747                                    sid, bpfsec->sid, SECCLASS_BPF,
6748                                    BPF__PROG_RUN, NULL);
6749                 if (ret)
6750                         return ret;
6751         }
6752         return 0;
6753 }
6754 
6755 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6756 {
6757         u32 sid = current_sid();
6758         struct bpf_security_struct *bpfsec;
6759 
6760         bpfsec = map->security;
6761         return avc_has_perm(&selinux_state,
6762                             sid, bpfsec->sid, SECCLASS_BPF,
6763                             bpf_map_fmode_to_av(fmode), NULL);
6764 }
6765 
6766 static int selinux_bpf_prog(struct bpf_prog *prog)
6767 {
6768         u32 sid = current_sid();
6769         struct bpf_security_struct *bpfsec;
6770 
6771         bpfsec = prog->aux->security;
6772         return avc_has_perm(&selinux_state,
6773                             sid, bpfsec->sid, SECCLASS_BPF,
6774                             BPF__PROG_RUN, NULL);
6775 }
6776 
6777 static int selinux_bpf_map_alloc(struct bpf_map *map)
6778 {
6779         struct bpf_security_struct *bpfsec;
6780 
6781         bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6782         if (!bpfsec)
6783                 return -ENOMEM;
6784 
6785         bpfsec->sid = current_sid();
6786         map->security = bpfsec;
6787 
6788         return 0;
6789 }
6790 
6791 static void selinux_bpf_map_free(struct bpf_map *map)
6792 {
6793         struct bpf_security_struct *bpfsec = map->security;
6794 
6795         map->security = NULL;
6796         kfree(bpfsec);
6797 }
6798 
6799 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6800 {
6801         struct bpf_security_struct *bpfsec;
6802 
6803         bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6804         if (!bpfsec)
6805                 return -ENOMEM;
6806 
6807         bpfsec->sid = current_sid();
6808         aux->security = bpfsec;
6809 
6810         return 0;
6811 }
6812 
6813 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6814 {
6815         struct bpf_security_struct *bpfsec = aux->security;
6816 
6817         aux->security = NULL;
6818         kfree(bpfsec);
6819 }
6820 #endif
6821 
6822 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6823         .lbs_cred = sizeof(struct task_security_struct),
6824         .lbs_file = sizeof(struct file_security_struct),
6825         .lbs_inode = sizeof(struct inode_security_struct),
6826         .lbs_ipc = sizeof(struct ipc_security_struct),
6827         .lbs_msg_msg = sizeof(struct msg_security_struct),
6828 };
6829 
6830 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6831         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6832         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6833         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6834         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6835 
6836         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6837         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6838         LSM_HOOK_INIT(capget, selinux_capget),
6839         LSM_HOOK_INIT(capset, selinux_capset),
6840         LSM_HOOK_INIT(capable, selinux_capable),
6841         LSM_HOOK_INIT(quotactl, selinux_quotactl),
6842         LSM_HOOK_INIT(quota_on, selinux_quota_on),
6843         LSM_HOOK_INIT(syslog, selinux_syslog),
6844         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6845 
6846         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6847 
6848         LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6849         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6850         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6851 
6852         LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6853         LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6854 
6855         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6856         LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6857         LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6858         LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6859         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6860         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6861         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6862         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6863         LSM_HOOK_INIT(sb_mount, selinux_mount),
6864         LSM_HOOK_INIT(sb_umount, selinux_umount),
6865         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6866         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6867         LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6868 
6869         LSM_HOOK_INIT(move_mount, selinux_move_mount),
6870 
6871         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6872         LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6873 
6874         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6875         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6876         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6877         LSM_HOOK_INIT(inode_create, selinux_inode_create),
6878         LSM_HOOK_INIT(inode_link, selinux_inode_link),
6879         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6880         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6881         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6882         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6883         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6884         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6885         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6886         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6887         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6888         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6889         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6890         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6891         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6892         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6893         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6894         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6895         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6896         LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6897         LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6898         LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6899         LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6900         LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6901         LSM_HOOK_INIT(path_notify, selinux_path_notify),
6902 
6903         LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6904 
6905         LSM_HOOK_INIT(file_permission, selinux_file_permission),
6906         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6907         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6908         LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6909         LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6910         LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6911         LSM_HOOK_INIT(file_lock, selinux_file_lock),
6912         LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6913         LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6914         LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6915         LSM_HOOK_INIT(file_receive, selinux_file_receive),
6916 
6917         LSM_HOOK_INIT(file_open, selinux_file_open),
6918 
6919         LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6920         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6921         LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6922         LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6923         LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6924         LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6925         LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6926         LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6927         LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6928         LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6929         LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6930         LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6931         LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6932         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6933         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6934         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6935         LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6936         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6937         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6938         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6939         LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6940         LSM_HOOK_INIT(task_kill, selinux_task_kill),
6941         LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6942 
6943         LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6944         LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6945 
6946         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6947 
6948         LSM_HOOK_INIT(msg_queue_alloc_security,
6949                         selinux_msg_queue_alloc_security),
6950         LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6951         LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6952         LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6953         LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6954 
6955         LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6956         LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6957         LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6958         LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6959 
6960         LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6961         LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6962         LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6963         LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6964 
6965         LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6966 
6967         LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6968         LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6969 
6970         LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6971         LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6972         LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6973         LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6974         LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6975         LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6976         LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6977         LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6978 
6979         LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6980         LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6981 
6982         LSM_HOOK_INIT(socket_create, selinux_socket_create),
6983         LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6984         LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
6985         LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6986         LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6987         LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6988         LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6989         LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6990         LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6991         LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6992         LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6993         LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6994         LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6995         LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6996         LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6997         LSM_HOOK_INIT(socket_getpeersec_stream,
6998                         selinux_socket_getpeersec_stream),
6999         LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7000         LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7001         LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7002         LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7003         LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7004         LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7005         LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7006         LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7007         LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7008         LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7009         LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7010         LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7011         LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7012         LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7013         LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7014         LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7015         LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7016         LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7017         LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7018         LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7019         LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7020         LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7021 #ifdef CONFIG_SECURITY_INFINIBAND
7022         LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7023         LSM_HOOK_INIT(ib_endport_manage_subnet,
7024                       selinux_ib_endport_manage_subnet),
7025         LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7026         LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7027 #endif
7028 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7029         LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7030         LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7031         LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7032         LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7033         LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7034         LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7035                         selinux_xfrm_state_alloc_acquire),
7036         LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7037         LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7038         LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7039         LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7040                         selinux_xfrm_state_pol_flow_match),
7041         LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7042 #endif
7043 
7044 #ifdef CONFIG_KEYS
7045         LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7046         LSM_HOOK_INIT(key_free, selinux_key_free),
7047         LSM_HOOK_INIT(key_permission, selinux_key_permission),
7048         LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7049 #endif
7050 
7051 #ifdef CONFIG_AUDIT
7052         LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7053         LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7054         LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7055         LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7056 #endif
7057 
7058 #ifdef CONFIG_BPF_SYSCALL
7059         LSM_HOOK_INIT(bpf, selinux_bpf),
7060         LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7061         LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7062         LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7063         LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7064         LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7065         LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7066 #endif
7067 };
7068 
7069 static __init int selinux_init(void)
7070 {
7071         pr_info("SELinux:  Initializing.\n");
7072 
7073         memset(&selinux_state, 0, sizeof(selinux_state));
7074         enforcing_set(&selinux_state, selinux_enforcing_boot);
7075         selinux_state.checkreqprot = selinux_checkreqprot_boot;
7076         selinux_ss_init(&selinux_state.ss);
7077         selinux_avc_init(&selinux_state.avc);
7078 
7079         /* Set the security state for the initial task. */
7080         cred_init_security();
7081 
7082         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7083 
7084         avc_init();
7085 
7086         avtab_cache_init();
7087 
7088         ebitmap_cache_init();
7089 
7090         hashtab_cache_init();
7091 
7092         security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7093 
7094         if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7095                 panic("SELinux: Unable to register AVC netcache callback\n");
7096 
7097         if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7098                 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7099 
7100         if (selinux_enforcing_boot)
7101                 pr_debug("SELinux:  Starting in enforcing mode\n");
7102         else
7103                 pr_debug("SELinux:  Starting in permissive mode\n");
7104 
7105         fs_validate_description(&selinux_fs_parameters);
7106 
7107         return 0;
7108 }
7109 
7110 static void delayed_superblock_init(struct super_block *sb, void *unused)
7111 {
7112         selinux_set_mnt_opts(sb, NULL, 0, NULL);
7113 }
7114 
7115 void selinux_complete_init(void)
7116 {
7117         pr_debug("SELinux:  Completing initialization.\n");
7118 
7119         /* Set up any superblocks initialized prior to the policy load. */
7120         pr_debug("SELinux:  Setting up existing superblocks.\n");
7121         iterate_supers(delayed_superblock_init, NULL);
7122 }
7123 
7124 /* SELinux requires early initialization in order to label
7125    all processes and objects when they are created. */
7126 DEFINE_LSM(selinux) = {
7127         .name = "selinux",
7128         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7129         .enabled = &selinux_enabled,
7130         .blobs = &selinux_blob_sizes,
7131         .init = selinux_init,
7132 };
7133 
7134 #if defined(CONFIG_NETFILTER)
7135 
7136 static const struct nf_hook_ops selinux_nf_ops[] = {
7137         {
7138                 .hook =         selinux_ipv4_postroute,
7139                 .pf =           NFPROTO_IPV4,
7140                 .hooknum =      NF_INET_POST_ROUTING,
7141                 .priority =     NF_IP_PRI_SELINUX_LAST,
7142         },
7143         {
7144                 .hook =         selinux_ipv4_forward,
7145                 .pf =           NFPROTO_IPV4,
7146                 .hooknum =      NF_INET_FORWARD,
7147                 .priority =     NF_IP_PRI_SELINUX_FIRST,
7148         },
7149         {
7150                 .hook =         selinux_ipv4_output,
7151                 .pf =           NFPROTO_IPV4,
7152                 .hooknum =      NF_INET_LOCAL_OUT,
7153                 .priority =     NF_IP_PRI_SELINUX_FIRST,
7154         },
7155 #if IS_ENABLED(CONFIG_IPV6)
7156         {
7157                 .hook =         selinux_ipv6_postroute,
7158                 .pf =           NFPROTO_IPV6,
7159                 .hooknum =      NF_INET_POST_ROUTING,
7160                 .priority =     NF_IP6_PRI_SELINUX_LAST,
7161         },
7162         {
7163                 .hook =         selinux_ipv6_forward,
7164                 .pf =           NFPROTO_IPV6,
7165                 .hooknum =      NF_INET_FORWARD,
7166                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
7167         },
7168         {
7169                 .hook =         selinux_ipv6_output,
7170                 .pf =           NFPROTO_IPV6,
7171                 .hooknum =      NF_INET_LOCAL_OUT,
7172                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
7173         },
7174 #endif  /* IPV6 */
7175 };
7176 
7177 static int __net_init selinux_nf_register(struct net *net)
7178 {
7179         return nf_register_net_hooks(net, selinux_nf_ops,
7180                                      ARRAY_SIZE(selinux_nf_ops));
7181 }
7182 
7183 static void __net_exit selinux_nf_unregister(struct net *net)
7184 {
7185         nf_unregister_net_hooks(net, selinux_nf_ops,
7186                                 ARRAY_SIZE(selinux_nf_ops));
7187 }
7188 
7189 static struct pernet_operations selinux_net_ops = {
7190         .init = selinux_nf_register,
7191         .exit = selinux_nf_unregister,
7192 };
7193 
7194 static int __init selinux_nf_ip_init(void)
7195 {
7196         int err;
7197 
7198         if (!selinux_enabled)
7199                 return 0;
7200 
7201         pr_debug("SELinux:  Registering netfilter hooks\n");
7202 
7203         err = register_pernet_subsys(&selinux_net_ops);
7204         if (err)
7205                 panic("SELinux: register_pernet_subsys: error %d\n", err);
7206 
7207         return 0;
7208 }
7209 __initcall(selinux_nf_ip_init);
7210 
7211 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7212 static void selinux_nf_ip_exit(void)
7213 {
7214         pr_debug("SELinux:  Unregistering netfilter hooks\n");
7215 
7216         unregister_pernet_subsys(&selinux_net_ops);
7217 }
7218 #endif
7219 
7220 #else /* CONFIG_NETFILTER */
7221 
7222 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7223 #define selinux_nf_ip_exit()
7224 #endif
7225 
7226 #endif /* CONFIG_NETFILTER */
7227 
7228 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7229 int selinux_disable(struct selinux_state *state)
7230 {
7231         if (state->initialized) {
7232                 /* Not permitted after initial policy load. */
7233                 return -EINVAL;
7234         }
7235 
7236         if (state->disabled) {
7237                 /* Only do this once. */
7238                 return -EINVAL;
7239         }
7240 
7241         state->disabled = 1;
7242 
7243         pr_info("SELinux:  Disabled at runtime.\n");
7244 
7245         selinux_enabled = 0;
7246 
7247         security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7248 
7249         /* Try to destroy the avc node cache */
7250         avc_disable();
7251 
7252         /* Unregister netfilter hooks. */
7253         selinux_nf_ip_exit();
7254 
7255         /* Unregister selinuxfs. */
7256         exit_sel_fs();
7257 
7258         return 0;
7259 }
7260 #endif

/* [<][>][^][v][top][bottom][index][help] */