~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/hooks.c

Version: ~ [ linux-5.10-rc1 ] ~ [ linux-5.9.1 ] ~ [ linux-5.8.16 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.72 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.152 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.202 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.240 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.240 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *  Copyright (C) 2016 Mellanox Technologies
 21  *
 22  *      This program is free software; you can redistribute it and/or modify
 23  *      it under the terms of the GNU General Public License version 2,
 24  *      as published by the Free Software Foundation.
 25  */
 26 
 27 #include <linux/init.h>
 28 #include <linux/kd.h>
 29 #include <linux/kernel.h>
 30 #include <linux/tracehook.h>
 31 #include <linux/errno.h>
 32 #include <linux/sched/signal.h>
 33 #include <linux/sched/task.h>
 34 #include <linux/lsm_hooks.h>
 35 #include <linux/xattr.h>
 36 #include <linux/capability.h>
 37 #include <linux/unistd.h>
 38 #include <linux/mm.h>
 39 #include <linux/mman.h>
 40 #include <linux/slab.h>
 41 #include <linux/pagemap.h>
 42 #include <linux/proc_fs.h>
 43 #include <linux/swap.h>
 44 #include <linux/spinlock.h>
 45 #include <linux/syscalls.h>
 46 #include <linux/dcache.h>
 47 #include <linux/file.h>
 48 #include <linux/fdtable.h>
 49 #include <linux/namei.h>
 50 #include <linux/mount.h>
 51 #include <linux/netfilter_ipv4.h>
 52 #include <linux/netfilter_ipv6.h>
 53 #include <linux/tty.h>
 54 #include <net/icmp.h>
 55 #include <net/ip.h>             /* for local_port_range[] */
 56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 57 #include <net/inet_connection_sock.h>
 58 #include <net/net_namespace.h>
 59 #include <net/netlabel.h>
 60 #include <linux/uaccess.h>
 61 #include <asm/ioctls.h>
 62 #include <linux/atomic.h>
 63 #include <linux/bitops.h>
 64 #include <linux/interrupt.h>
 65 #include <linux/netdevice.h>    /* for network interface checks */
 66 #include <net/netlink.h>
 67 #include <linux/tcp.h>
 68 #include <linux/udp.h>
 69 #include <linux/dccp.h>
 70 #include <linux/quota.h>
 71 #include <linux/un.h>           /* for Unix socket types */
 72 #include <net/af_unix.h>        /* for Unix socket types */
 73 #include <linux/parser.h>
 74 #include <linux/nfs_mount.h>
 75 #include <net/ipv6.h>
 76 #include <linux/hugetlb.h>
 77 #include <linux/personality.h>
 78 #include <linux/audit.h>
 79 #include <linux/string.h>
 80 #include <linux/selinux.h>
 81 #include <linux/mutex.h>
 82 #include <linux/posix-timers.h>
 83 #include <linux/syslog.h>
 84 #include <linux/user_namespace.h>
 85 #include <linux/export.h>
 86 #include <linux/msg.h>
 87 #include <linux/shm.h>
 88 #include <linux/bpf.h>
 89 
 90 #include "avc.h"
 91 #include "objsec.h"
 92 #include "netif.h"
 93 #include "netnode.h"
 94 #include "netport.h"
 95 #include "ibpkey.h"
 96 #include "xfrm.h"
 97 #include "netlabel.h"
 98 #include "audit.h"
 99 #include "avc_ss.h"
100 
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103 
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106 
107 static int __init enforcing_setup(char *str)
108 {
109         unsigned long enforcing;
110         if (!kstrtoul(str, 0, &enforcing))
111                 selinux_enforcing = enforcing ? 1 : 0;
112         return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116 
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119 
120 static int __init selinux_enabled_setup(char *str)
121 {
122         unsigned long enabled;
123         if (!kstrtoul(str, 0, &enabled))
124                 selinux_enabled = enabled ? 1 : 0;
125         return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131 
132 static struct kmem_cache *sel_inode_cache;
133 static struct kmem_cache *file_security_cache;
134 
135 /**
136  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137  *
138  * Description:
139  * This function checks the SECMARK reference counter to see if any SECMARK
140  * targets are currently configured, if the reference counter is greater than
141  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
142  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
143  * policy capability is enabled, SECMARK is always considered enabled.
144  *
145  */
146 static int selinux_secmark_enabled(void)
147 {
148         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149 }
150 
151 /**
152  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153  *
154  * Description:
155  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
156  * (1) if any are enabled or false (0) if neither are enabled.  If the
157  * always_check_network policy capability is enabled, peer labeling
158  * is always considered enabled.
159  *
160  */
161 static int selinux_peerlbl_enabled(void)
162 {
163         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
164 }
165 
166 static int selinux_netcache_avc_callback(u32 event)
167 {
168         if (event == AVC_CALLBACK_RESET) {
169                 sel_netif_flush();
170                 sel_netnode_flush();
171                 sel_netport_flush();
172                 synchronize_net();
173         }
174         return 0;
175 }
176 
177 static int selinux_lsm_notifier_avc_callback(u32 event)
178 {
179         if (event == AVC_CALLBACK_RESET) {
180                 sel_ib_pkey_flush();
181                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
182         }
183 
184         return 0;
185 }
186 
187 /*
188  * initialise the security for the init task
189  */
190 static void cred_init_security(void)
191 {
192         struct cred *cred = (struct cred *) current->real_cred;
193         struct task_security_struct *tsec;
194 
195         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196         if (!tsec)
197                 panic("SELinux:  Failed to initialize initial task.\n");
198 
199         tsec->osid = tsec->sid = SECINITSID_KERNEL;
200         cred->security = tsec;
201 }
202 
203 /*
204  * get the security ID of a set of credentials
205  */
206 static inline u32 cred_sid(const struct cred *cred)
207 {
208         const struct task_security_struct *tsec;
209 
210         tsec = cred->security;
211         return tsec->sid;
212 }
213 
214 /*
215  * get the objective security ID of a task
216  */
217 static inline u32 task_sid(const struct task_struct *task)
218 {
219         u32 sid;
220 
221         rcu_read_lock();
222         sid = cred_sid(__task_cred(task));
223         rcu_read_unlock();
224         return sid;
225 }
226 
227 /* Allocate and free functions for each kind of security blob. */
228 
229 static int inode_alloc_security(struct inode *inode)
230 {
231         struct inode_security_struct *isec;
232         u32 sid = current_sid();
233 
234         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
235         if (!isec)
236                 return -ENOMEM;
237 
238         spin_lock_init(&isec->lock);
239         INIT_LIST_HEAD(&isec->list);
240         isec->inode = inode;
241         isec->sid = SECINITSID_UNLABELED;
242         isec->sclass = SECCLASS_FILE;
243         isec->task_sid = sid;
244         isec->initialized = LABEL_INVALID;
245         inode->i_security = isec;
246 
247         return 0;
248 }
249 
250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
251 
252 /*
253  * Try reloading inode security labels that have been marked as invalid.  The
254  * @may_sleep parameter indicates when sleeping and thus reloading labels is
255  * allowed; when set to false, returns -ECHILD when the label is
256  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
257  * when no dentry is available, set it to NULL instead.
258  */
259 static int __inode_security_revalidate(struct inode *inode,
260                                        struct dentry *opt_dentry,
261                                        bool may_sleep)
262 {
263         struct inode_security_struct *isec = inode->i_security;
264 
265         might_sleep_if(may_sleep);
266 
267         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
268                 if (!may_sleep)
269                         return -ECHILD;
270 
271                 /*
272                  * Try reloading the inode security label.  This will fail if
273                  * @opt_dentry is NULL and no dentry for this inode can be
274                  * found; in that case, continue using the old label.
275                  */
276                 inode_doinit_with_dentry(inode, opt_dentry);
277         }
278         return 0;
279 }
280 
281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 {
283         return inode->i_security;
284 }
285 
286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
287 {
288         int error;
289 
290         error = __inode_security_revalidate(inode, NULL, !rcu);
291         if (error)
292                 return ERR_PTR(error);
293         return inode->i_security;
294 }
295 
296 /*
297  * Get the security label of an inode.
298  */
299 static struct inode_security_struct *inode_security(struct inode *inode)
300 {
301         __inode_security_revalidate(inode, NULL, true);
302         return inode->i_security;
303 }
304 
305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 {
307         struct inode *inode = d_backing_inode(dentry);
308 
309         return inode->i_security;
310 }
311 
312 /*
313  * Get the security label of a dentry's backing inode.
314  */
315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 {
317         struct inode *inode = d_backing_inode(dentry);
318 
319         __inode_security_revalidate(inode, dentry, true);
320         return inode->i_security;
321 }
322 
323 static void inode_free_rcu(struct rcu_head *head)
324 {
325         struct inode_security_struct *isec;
326 
327         isec = container_of(head, struct inode_security_struct, rcu);
328         kmem_cache_free(sel_inode_cache, isec);
329 }
330 
331 static void inode_free_security(struct inode *inode)
332 {
333         struct inode_security_struct *isec = inode->i_security;
334         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
335 
336         /*
337          * As not all inode security structures are in a list, we check for
338          * empty list outside of the lock to make sure that we won't waste
339          * time taking a lock doing nothing.
340          *
341          * The list_del_init() function can be safely called more than once.
342          * It should not be possible for this function to be called with
343          * concurrent list_add(), but for better safety against future changes
344          * in the code, we use list_empty_careful() here.
345          */
346         if (!list_empty_careful(&isec->list)) {
347                 spin_lock(&sbsec->isec_lock);
348                 list_del_init(&isec->list);
349                 spin_unlock(&sbsec->isec_lock);
350         }
351 
352         /*
353          * The inode may still be referenced in a path walk and
354          * a call to selinux_inode_permission() can be made
355          * after inode_free_security() is called. Ideally, the VFS
356          * wouldn't do this, but fixing that is a much harder
357          * job. For now, simply free the i_security via RCU, and
358          * leave the current inode->i_security pointer intact.
359          * The inode will be freed after the RCU grace period too.
360          */
361         call_rcu(&isec->rcu, inode_free_rcu);
362 }
363 
364 static int file_alloc_security(struct file *file)
365 {
366         struct file_security_struct *fsec;
367         u32 sid = current_sid();
368 
369         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
370         if (!fsec)
371                 return -ENOMEM;
372 
373         fsec->sid = sid;
374         fsec->fown_sid = sid;
375         file->f_security = fsec;
376 
377         return 0;
378 }
379 
380 static void file_free_security(struct file *file)
381 {
382         struct file_security_struct *fsec = file->f_security;
383         file->f_security = NULL;
384         kmem_cache_free(file_security_cache, fsec);
385 }
386 
387 static int superblock_alloc_security(struct super_block *sb)
388 {
389         struct superblock_security_struct *sbsec;
390 
391         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
392         if (!sbsec)
393                 return -ENOMEM;
394 
395         mutex_init(&sbsec->lock);
396         INIT_LIST_HEAD(&sbsec->isec_head);
397         spin_lock_init(&sbsec->isec_lock);
398         sbsec->sb = sb;
399         sbsec->sid = SECINITSID_UNLABELED;
400         sbsec->def_sid = SECINITSID_FILE;
401         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
402         sb->s_security = sbsec;
403 
404         return 0;
405 }
406 
407 static void superblock_free_security(struct super_block *sb)
408 {
409         struct superblock_security_struct *sbsec = sb->s_security;
410         sb->s_security = NULL;
411         kfree(sbsec);
412 }
413 
414 static inline int inode_doinit(struct inode *inode)
415 {
416         return inode_doinit_with_dentry(inode, NULL);
417 }
418 
419 enum {
420         Opt_error = -1,
421         Opt_context = 1,
422         Opt_fscontext = 2,
423         Opt_defcontext = 3,
424         Opt_rootcontext = 4,
425         Opt_labelsupport = 5,
426         Opt_nextmntopt = 6,
427 };
428 
429 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
430 
431 static const match_table_t tokens = {
432         {Opt_context, CONTEXT_STR "%s"},
433         {Opt_fscontext, FSCONTEXT_STR "%s"},
434         {Opt_defcontext, DEFCONTEXT_STR "%s"},
435         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436         {Opt_labelsupport, LABELSUPP_STR},
437         {Opt_error, NULL},
438 };
439 
440 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
441 
442 static int may_context_mount_sb_relabel(u32 sid,
443                         struct superblock_security_struct *sbsec,
444                         const struct cred *cred)
445 {
446         const struct task_security_struct *tsec = cred->security;
447         int rc;
448 
449         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                           FILESYSTEM__RELABELFROM, NULL);
451         if (rc)
452                 return rc;
453 
454         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                           FILESYSTEM__RELABELTO, NULL);
456         return rc;
457 }
458 
459 static int may_context_mount_inode_relabel(u32 sid,
460                         struct superblock_security_struct *sbsec,
461                         const struct cred *cred)
462 {
463         const struct task_security_struct *tsec = cred->security;
464         int rc;
465         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466                           FILESYSTEM__RELABELFROM, NULL);
467         if (rc)
468                 return rc;
469 
470         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471                           FILESYSTEM__ASSOCIATE, NULL);
472         return rc;
473 }
474 
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477         struct superblock_security_struct *sbsec = sb->s_security;
478 
479         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481                 sbsec->behavior == SECURITY_FS_USE_TASK ||
482                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483                 /* Special handling. Genfs but also in-core setxattr handler */
484                 !strcmp(sb->s_type->name, "sysfs") ||
485                 !strcmp(sb->s_type->name, "pstore") ||
486                 !strcmp(sb->s_type->name, "debugfs") ||
487                 !strcmp(sb->s_type->name, "tracefs") ||
488                 !strcmp(sb->s_type->name, "rootfs") ||
489                 (selinux_policycap_cgroupseclabel &&
490                  (!strcmp(sb->s_type->name, "cgroup") ||
491                   !strcmp(sb->s_type->name, "cgroup2")));
492 }
493 
494 static int sb_finish_set_opts(struct super_block *sb)
495 {
496         struct superblock_security_struct *sbsec = sb->s_security;
497         struct dentry *root = sb->s_root;
498         struct inode *root_inode = d_backing_inode(root);
499         int rc = 0;
500 
501         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
502                 /* Make sure that the xattr handler exists and that no
503                    error other than -ENODATA is returned by getxattr on
504                    the root directory.  -ENODATA is ok, as this may be
505                    the first boot of the SELinux kernel before we have
506                    assigned xattr values to the filesystem. */
507                 if (!(root_inode->i_opflags & IOP_XATTR)) {
508                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
509                                "xattr support\n", sb->s_id, sb->s_type->name);
510                         rc = -EOPNOTSUPP;
511                         goto out;
512                 }
513 
514                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
515                 if (rc < 0 && rc != -ENODATA) {
516                         if (rc == -EOPNOTSUPP)
517                                 printk(KERN_WARNING "SELinux: (dev %s, type "
518                                        "%s) has no security xattr handler\n",
519                                        sb->s_id, sb->s_type->name);
520                         else
521                                 printk(KERN_WARNING "SELinux: (dev %s, type "
522                                        "%s) getxattr errno %d\n", sb->s_id,
523                                        sb->s_type->name, -rc);
524                         goto out;
525                 }
526         }
527 
528         sbsec->flags |= SE_SBINITIALIZED;
529 
530         /*
531          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
532          * leave the flag untouched because sb_clone_mnt_opts might be handing
533          * us a superblock that needs the flag to be cleared.
534          */
535         if (selinux_is_sblabel_mnt(sb))
536                 sbsec->flags |= SBLABEL_MNT;
537         else
538                 sbsec->flags &= ~SBLABEL_MNT;
539 
540         /* Initialize the root inode. */
541         rc = inode_doinit_with_dentry(root_inode, root);
542 
543         /* Initialize any other inodes associated with the superblock, e.g.
544            inodes created prior to initial policy load or inodes created
545            during get_sb by a pseudo filesystem that directly
546            populates itself. */
547         spin_lock(&sbsec->isec_lock);
548 next_inode:
549         if (!list_empty(&sbsec->isec_head)) {
550                 struct inode_security_struct *isec =
551                                 list_entry(sbsec->isec_head.next,
552                                            struct inode_security_struct, list);
553                 struct inode *inode = isec->inode;
554                 list_del_init(&isec->list);
555                 spin_unlock(&sbsec->isec_lock);
556                 inode = igrab(inode);
557                 if (inode) {
558                         if (!IS_PRIVATE(inode))
559                                 inode_doinit(inode);
560                         iput(inode);
561                 }
562                 spin_lock(&sbsec->isec_lock);
563                 goto next_inode;
564         }
565         spin_unlock(&sbsec->isec_lock);
566 out:
567         return rc;
568 }
569 
570 /*
571  * This function should allow an FS to ask what it's mount security
572  * options were so it can use those later for submounts, displaying
573  * mount options, or whatever.
574  */
575 static int selinux_get_mnt_opts(const struct super_block *sb,
576                                 struct security_mnt_opts *opts)
577 {
578         int rc = 0, i;
579         struct superblock_security_struct *sbsec = sb->s_security;
580         char *context = NULL;
581         u32 len;
582         char tmp;
583 
584         security_init_mnt_opts(opts);
585 
586         if (!(sbsec->flags & SE_SBINITIALIZED))
587                 return -EINVAL;
588 
589         if (!ss_initialized)
590                 return -EINVAL;
591 
592         /* make sure we always check enough bits to cover the mask */
593         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594 
595         tmp = sbsec->flags & SE_MNTMASK;
596         /* count the number of mount options for this sb */
597         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598                 if (tmp & 0x01)
599                         opts->num_mnt_opts++;
600                 tmp >>= 1;
601         }
602         /* Check if the Label support flag is set */
603         if (sbsec->flags & SBLABEL_MNT)
604                 opts->num_mnt_opts++;
605 
606         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607         if (!opts->mnt_opts) {
608                 rc = -ENOMEM;
609                 goto out_free;
610         }
611 
612         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613         if (!opts->mnt_opts_flags) {
614                 rc = -ENOMEM;
615                 goto out_free;
616         }
617 
618         i = 0;
619         if (sbsec->flags & FSCONTEXT_MNT) {
620                 rc = security_sid_to_context(sbsec->sid, &context, &len);
621                 if (rc)
622                         goto out_free;
623                 opts->mnt_opts[i] = context;
624                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625         }
626         if (sbsec->flags & CONTEXT_MNT) {
627                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628                 if (rc)
629                         goto out_free;
630                 opts->mnt_opts[i] = context;
631                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632         }
633         if (sbsec->flags & DEFCONTEXT_MNT) {
634                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635                 if (rc)
636                         goto out_free;
637                 opts->mnt_opts[i] = context;
638                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639         }
640         if (sbsec->flags & ROOTCONTEXT_MNT) {
641                 struct dentry *root = sbsec->sb->s_root;
642                 struct inode_security_struct *isec = backing_inode_security(root);
643 
644                 rc = security_sid_to_context(isec->sid, &context, &len);
645                 if (rc)
646                         goto out_free;
647                 opts->mnt_opts[i] = context;
648                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649         }
650         if (sbsec->flags & SBLABEL_MNT) {
651                 opts->mnt_opts[i] = NULL;
652                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
653         }
654 
655         BUG_ON(i != opts->num_mnt_opts);
656 
657         return 0;
658 
659 out_free:
660         security_free_mnt_opts(opts);
661         return rc;
662 }
663 
664 static int bad_option(struct superblock_security_struct *sbsec, char flag,
665                       u32 old_sid, u32 new_sid)
666 {
667         char mnt_flags = sbsec->flags & SE_MNTMASK;
668 
669         /* check if the old mount command had the same options */
670         if (sbsec->flags & SE_SBINITIALIZED)
671                 if (!(sbsec->flags & flag) ||
672                     (old_sid != new_sid))
673                         return 1;
674 
675         /* check if we were passed the same options twice,
676          * aka someone passed context=a,context=b
677          */
678         if (!(sbsec->flags & SE_SBINITIALIZED))
679                 if (mnt_flags & flag)
680                         return 1;
681         return 0;
682 }
683 
684 /*
685  * Allow filesystems with binary mount data to explicitly set mount point
686  * labeling information.
687  */
688 static int selinux_set_mnt_opts(struct super_block *sb,
689                                 struct security_mnt_opts *opts,
690                                 unsigned long kern_flags,
691                                 unsigned long *set_kern_flags)
692 {
693         const struct cred *cred = current_cred();
694         int rc = 0, i;
695         struct superblock_security_struct *sbsec = sb->s_security;
696         const char *name = sb->s_type->name;
697         struct dentry *root = sbsec->sb->s_root;
698         struct inode_security_struct *root_isec;
699         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700         u32 defcontext_sid = 0;
701         char **mount_options = opts->mnt_opts;
702         int *flags = opts->mnt_opts_flags;
703         int num_opts = opts->num_mnt_opts;
704 
705         mutex_lock(&sbsec->lock);
706 
707         if (!ss_initialized) {
708                 if (!num_opts) {
709                         /* Defer initialization until selinux_complete_init,
710                            after the initial policy is loaded and the security
711                            server is ready to handle calls. */
712                         goto out;
713                 }
714                 rc = -EINVAL;
715                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
716                         "before the security server is initialized\n");
717                 goto out;
718         }
719         if (kern_flags && !set_kern_flags) {
720                 /* Specifying internal flags without providing a place to
721                  * place the results is not allowed */
722                 rc = -EINVAL;
723                 goto out;
724         }
725 
726         /*
727          * Binary mount data FS will come through this function twice.  Once
728          * from an explicit call and once from the generic calls from the vfs.
729          * Since the generic VFS calls will not contain any security mount data
730          * we need to skip the double mount verification.
731          *
732          * This does open a hole in which we will not notice if the first
733          * mount using this sb set explict options and a second mount using
734          * this sb does not set any security options.  (The first options
735          * will be used for both mounts)
736          */
737         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
738             && (num_opts == 0))
739                 goto out;
740 
741         root_isec = backing_inode_security_novalidate(root);
742 
743         /*
744          * parse the mount options, check if they are valid sids.
745          * also check if someone is trying to mount the same sb more
746          * than once with different security options.
747          */
748         for (i = 0; i < num_opts; i++) {
749                 u32 sid;
750 
751                 if (flags[i] == SBLABEL_MNT)
752                         continue;
753                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754                 if (rc) {
755                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756                                "(%s) failed for (dev %s, type %s) errno=%d\n",
757                                mount_options[i], sb->s_id, name, rc);
758                         goto out;
759                 }
760                 switch (flags[i]) {
761                 case FSCONTEXT_MNT:
762                         fscontext_sid = sid;
763 
764                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765                                         fscontext_sid))
766                                 goto out_double_mount;
767 
768                         sbsec->flags |= FSCONTEXT_MNT;
769                         break;
770                 case CONTEXT_MNT:
771                         context_sid = sid;
772 
773                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774                                         context_sid))
775                                 goto out_double_mount;
776 
777                         sbsec->flags |= CONTEXT_MNT;
778                         break;
779                 case ROOTCONTEXT_MNT:
780                         rootcontext_sid = sid;
781 
782                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783                                         rootcontext_sid))
784                                 goto out_double_mount;
785 
786                         sbsec->flags |= ROOTCONTEXT_MNT;
787 
788                         break;
789                 case DEFCONTEXT_MNT:
790                         defcontext_sid = sid;
791 
792                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793                                         defcontext_sid))
794                                 goto out_double_mount;
795 
796                         sbsec->flags |= DEFCONTEXT_MNT;
797 
798                         break;
799                 default:
800                         rc = -EINVAL;
801                         goto out;
802                 }
803         }
804 
805         if (sbsec->flags & SE_SBINITIALIZED) {
806                 /* previously mounted with options, but not on this attempt? */
807                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
808                         goto out_double_mount;
809                 rc = 0;
810                 goto out;
811         }
812 
813         if (strcmp(sb->s_type->name, "proc") == 0)
814                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815 
816         if (!strcmp(sb->s_type->name, "debugfs") ||
817             !strcmp(sb->s_type->name, "tracefs") ||
818             !strcmp(sb->s_type->name, "sysfs") ||
819             !strcmp(sb->s_type->name, "pstore") ||
820             !strcmp(sb->s_type->name, "cgroup") ||
821             !strcmp(sb->s_type->name, "cgroup2"))
822                 sbsec->flags |= SE_SBGENFS;
823 
824         if (!sbsec->behavior) {
825                 /*
826                  * Determine the labeling behavior to use for this
827                  * filesystem type.
828                  */
829                 rc = security_fs_use(sb);
830                 if (rc) {
831                         printk(KERN_WARNING
832                                 "%s: security_fs_use(%s) returned %d\n",
833                                         __func__, sb->s_type->name, rc);
834                         goto out;
835                 }
836         }
837 
838         /*
839          * If this is a user namespace mount and the filesystem type is not
840          * explicitly whitelisted, then no contexts are allowed on the command
841          * line and security labels must be ignored.
842          */
843         if (sb->s_user_ns != &init_user_ns &&
844             strcmp(sb->s_type->name, "tmpfs") &&
845             strcmp(sb->s_type->name, "ramfs") &&
846             strcmp(sb->s_type->name, "devpts")) {
847                 if (context_sid || fscontext_sid || rootcontext_sid ||
848                     defcontext_sid) {
849                         rc = -EACCES;
850                         goto out;
851                 }
852                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854                         rc = security_transition_sid(current_sid(), current_sid(),
855                                                      SECCLASS_FILE, NULL,
856                                                      &sbsec->mntpoint_sid);
857                         if (rc)
858                                 goto out;
859                 }
860                 goto out_set_opts;
861         }
862 
863         /* sets the context of the superblock for the fs being mounted. */
864         if (fscontext_sid) {
865                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866                 if (rc)
867                         goto out;
868 
869                 sbsec->sid = fscontext_sid;
870         }
871 
872         /*
873          * Switch to using mount point labeling behavior.
874          * sets the label used on all file below the mountpoint, and will set
875          * the superblock context if not already set.
876          */
877         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
878                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
879                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880         }
881 
882         if (context_sid) {
883                 if (!fscontext_sid) {
884                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
885                                                           cred);
886                         if (rc)
887                                 goto out;
888                         sbsec->sid = context_sid;
889                 } else {
890                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
891                                                              cred);
892                         if (rc)
893                                 goto out;
894                 }
895                 if (!rootcontext_sid)
896                         rootcontext_sid = context_sid;
897 
898                 sbsec->mntpoint_sid = context_sid;
899                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
900         }
901 
902         if (rootcontext_sid) {
903                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
904                                                      cred);
905                 if (rc)
906                         goto out;
907 
908                 root_isec->sid = rootcontext_sid;
909                 root_isec->initialized = LABEL_INITIALIZED;
910         }
911 
912         if (defcontext_sid) {
913                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
914                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915                         rc = -EINVAL;
916                         printk(KERN_WARNING "SELinux: defcontext option is "
917                                "invalid for this filesystem type\n");
918                         goto out;
919                 }
920 
921                 if (defcontext_sid != sbsec->def_sid) {
922                         rc = may_context_mount_inode_relabel(defcontext_sid,
923                                                              sbsec, cred);
924                         if (rc)
925                                 goto out;
926                 }
927 
928                 sbsec->def_sid = defcontext_sid;
929         }
930 
931 out_set_opts:
932         rc = sb_finish_set_opts(sb);
933 out:
934         mutex_unlock(&sbsec->lock);
935         return rc;
936 out_double_mount:
937         rc = -EINVAL;
938         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
939                "security settings for (dev %s, type %s)\n", sb->s_id, name);
940         goto out;
941 }
942 
943 static int selinux_cmp_sb_context(const struct super_block *oldsb,
944                                     const struct super_block *newsb)
945 {
946         struct superblock_security_struct *old = oldsb->s_security;
947         struct superblock_security_struct *new = newsb->s_security;
948         char oldflags = old->flags & SE_MNTMASK;
949         char newflags = new->flags & SE_MNTMASK;
950 
951         if (oldflags != newflags)
952                 goto mismatch;
953         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954                 goto mismatch;
955         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956                 goto mismatch;
957         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958                 goto mismatch;
959         if (oldflags & ROOTCONTEXT_MNT) {
960                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
961                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
962                 if (oldroot->sid != newroot->sid)
963                         goto mismatch;
964         }
965         return 0;
966 mismatch:
967         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
968                             "different security settings for (dev %s, "
969                             "type %s)\n", newsb->s_id, newsb->s_type->name);
970         return -EBUSY;
971 }
972 
973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
974                                         struct super_block *newsb,
975                                         unsigned long kern_flags,
976                                         unsigned long *set_kern_flags)
977 {
978         int rc = 0;
979         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
980         struct superblock_security_struct *newsbsec = newsb->s_security;
981 
982         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
983         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
984         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
985 
986         /*
987          * if the parent was able to be mounted it clearly had no special lsm
988          * mount options.  thus we can safely deal with this superblock later
989          */
990         if (!ss_initialized)
991                 return 0;
992 
993         /*
994          * Specifying internal flags without providing a place to
995          * place the results is not allowed.
996          */
997         if (kern_flags && !set_kern_flags)
998                 return -EINVAL;
999 
1000         /* how can we clone if the old one wasn't set up?? */
1001         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002 
1003         /* if fs is reusing a sb, make sure that the contexts match */
1004         if (newsbsec->flags & SE_SBINITIALIZED)
1005                 return selinux_cmp_sb_context(oldsb, newsb);
1006 
1007         mutex_lock(&newsbsec->lock);
1008 
1009         newsbsec->flags = oldsbsec->flags;
1010 
1011         newsbsec->sid = oldsbsec->sid;
1012         newsbsec->def_sid = oldsbsec->def_sid;
1013         newsbsec->behavior = oldsbsec->behavior;
1014 
1015         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017                 rc = security_fs_use(newsb);
1018                 if (rc)
1019                         goto out;
1020         }
1021 
1022         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025         }
1026 
1027         if (set_context) {
1028                 u32 sid = oldsbsec->mntpoint_sid;
1029 
1030                 if (!set_fscontext)
1031                         newsbsec->sid = sid;
1032                 if (!set_rootcontext) {
1033                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1034                         newisec->sid = sid;
1035                 }
1036                 newsbsec->mntpoint_sid = sid;
1037         }
1038         if (set_rootcontext) {
1039                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041 
1042                 newisec->sid = oldisec->sid;
1043         }
1044 
1045         sb_finish_set_opts(newsb);
1046 out:
1047         mutex_unlock(&newsbsec->lock);
1048         return rc;
1049 }
1050 
1051 static int selinux_parse_opts_str(char *options,
1052                                   struct security_mnt_opts *opts)
1053 {
1054         char *p;
1055         char *context = NULL, *defcontext = NULL;
1056         char *fscontext = NULL, *rootcontext = NULL;
1057         int rc, num_mnt_opts = 0;
1058 
1059         opts->num_mnt_opts = 0;
1060 
1061         /* Standard string-based options. */
1062         while ((p = strsep(&options, "|")) != NULL) {
1063                 int token;
1064                 substring_t args[MAX_OPT_ARGS];
1065 
1066                 if (!*p)
1067                         continue;
1068 
1069                 token = match_token(p, tokens, args);
1070 
1071                 switch (token) {
1072                 case Opt_context:
1073                         if (context || defcontext) {
1074                                 rc = -EINVAL;
1075                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076                                 goto out_err;
1077                         }
1078                         context = match_strdup(&args[0]);
1079                         if (!context) {
1080                                 rc = -ENOMEM;
1081                                 goto out_err;
1082                         }
1083                         break;
1084 
1085                 case Opt_fscontext:
1086                         if (fscontext) {
1087                                 rc = -EINVAL;
1088                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089                                 goto out_err;
1090                         }
1091                         fscontext = match_strdup(&args[0]);
1092                         if (!fscontext) {
1093                                 rc = -ENOMEM;
1094                                 goto out_err;
1095                         }
1096                         break;
1097 
1098                 case Opt_rootcontext:
1099                         if (rootcontext) {
1100                                 rc = -EINVAL;
1101                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102                                 goto out_err;
1103                         }
1104                         rootcontext = match_strdup(&args[0]);
1105                         if (!rootcontext) {
1106                                 rc = -ENOMEM;
1107                                 goto out_err;
1108                         }
1109                         break;
1110 
1111                 case Opt_defcontext:
1112                         if (context || defcontext) {
1113                                 rc = -EINVAL;
1114                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115                                 goto out_err;
1116                         }
1117                         defcontext = match_strdup(&args[0]);
1118                         if (!defcontext) {
1119                                 rc = -ENOMEM;
1120                                 goto out_err;
1121                         }
1122                         break;
1123                 case Opt_labelsupport:
1124                         break;
1125                 default:
1126                         rc = -EINVAL;
1127                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1128                         goto out_err;
1129 
1130                 }
1131         }
1132 
1133         rc = -ENOMEM;
1134         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1135         if (!opts->mnt_opts)
1136                 goto out_err;
1137 
1138         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139                                        GFP_KERNEL);
1140         if (!opts->mnt_opts_flags)
1141                 goto out_err;
1142 
1143         if (fscontext) {
1144                 opts->mnt_opts[num_mnt_opts] = fscontext;
1145                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1146         }
1147         if (context) {
1148                 opts->mnt_opts[num_mnt_opts] = context;
1149                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1150         }
1151         if (rootcontext) {
1152                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1153                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1154         }
1155         if (defcontext) {
1156                 opts->mnt_opts[num_mnt_opts] = defcontext;
1157                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1158         }
1159 
1160         opts->num_mnt_opts = num_mnt_opts;
1161         return 0;
1162 
1163 out_err:
1164         security_free_mnt_opts(opts);
1165         kfree(context);
1166         kfree(defcontext);
1167         kfree(fscontext);
1168         kfree(rootcontext);
1169         return rc;
1170 }
1171 /*
1172  * string mount options parsing and call set the sbsec
1173  */
1174 static int superblock_doinit(struct super_block *sb, void *data)
1175 {
1176         int rc = 0;
1177         char *options = data;
1178         struct security_mnt_opts opts;
1179 
1180         security_init_mnt_opts(&opts);
1181 
1182         if (!data)
1183                 goto out;
1184 
1185         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186 
1187         rc = selinux_parse_opts_str(options, &opts);
1188         if (rc)
1189                 goto out_err;
1190 
1191 out:
1192         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1193 
1194 out_err:
1195         security_free_mnt_opts(&opts);
1196         return rc;
1197 }
1198 
1199 static void selinux_write_opts(struct seq_file *m,
1200                                struct security_mnt_opts *opts)
1201 {
1202         int i;
1203         char *prefix;
1204 
1205         for (i = 0; i < opts->num_mnt_opts; i++) {
1206                 char *has_comma;
1207 
1208                 if (opts->mnt_opts[i])
1209                         has_comma = strchr(opts->mnt_opts[i], ',');
1210                 else
1211                         has_comma = NULL;
1212 
1213                 switch (opts->mnt_opts_flags[i]) {
1214                 case CONTEXT_MNT:
1215                         prefix = CONTEXT_STR;
1216                         break;
1217                 case FSCONTEXT_MNT:
1218                         prefix = FSCONTEXT_STR;
1219                         break;
1220                 case ROOTCONTEXT_MNT:
1221                         prefix = ROOTCONTEXT_STR;
1222                         break;
1223                 case DEFCONTEXT_MNT:
1224                         prefix = DEFCONTEXT_STR;
1225                         break;
1226                 case SBLABEL_MNT:
1227                         seq_putc(m, ',');
1228                         seq_puts(m, LABELSUPP_STR);
1229                         continue;
1230                 default:
1231                         BUG();
1232                         return;
1233                 };
1234                 /* we need a comma before each option */
1235                 seq_putc(m, ',');
1236                 seq_puts(m, prefix);
1237                 if (has_comma)
1238                         seq_putc(m, '\"');
1239                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1240                 if (has_comma)
1241                         seq_putc(m, '\"');
1242         }
1243 }
1244 
1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 {
1247         struct security_mnt_opts opts;
1248         int rc;
1249 
1250         rc = selinux_get_mnt_opts(sb, &opts);
1251         if (rc) {
1252                 /* before policy load we may get EINVAL, don't show anything */
1253                 if (rc == -EINVAL)
1254                         rc = 0;
1255                 return rc;
1256         }
1257 
1258         selinux_write_opts(m, &opts);
1259 
1260         security_free_mnt_opts(&opts);
1261 
1262         return rc;
1263 }
1264 
1265 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 {
1267         switch (mode & S_IFMT) {
1268         case S_IFSOCK:
1269                 return SECCLASS_SOCK_FILE;
1270         case S_IFLNK:
1271                 return SECCLASS_LNK_FILE;
1272         case S_IFREG:
1273                 return SECCLASS_FILE;
1274         case S_IFBLK:
1275                 return SECCLASS_BLK_FILE;
1276         case S_IFDIR:
1277                 return SECCLASS_DIR;
1278         case S_IFCHR:
1279                 return SECCLASS_CHR_FILE;
1280         case S_IFIFO:
1281                 return SECCLASS_FIFO_FILE;
1282 
1283         }
1284 
1285         return SECCLASS_FILE;
1286 }
1287 
1288 static inline int default_protocol_stream(int protocol)
1289 {
1290         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291 }
1292 
1293 static inline int default_protocol_dgram(int protocol)
1294 {
1295         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296 }
1297 
1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 {
1300         int extsockclass = selinux_policycap_extsockclass;
1301 
1302         switch (family) {
1303         case PF_UNIX:
1304                 switch (type) {
1305                 case SOCK_STREAM:
1306                 case SOCK_SEQPACKET:
1307                         return SECCLASS_UNIX_STREAM_SOCKET;
1308                 case SOCK_DGRAM:
1309                 case SOCK_RAW:
1310                         return SECCLASS_UNIX_DGRAM_SOCKET;
1311                 }
1312                 break;
1313         case PF_INET:
1314         case PF_INET6:
1315                 switch (type) {
1316                 case SOCK_STREAM:
1317                 case SOCK_SEQPACKET:
1318                         if (default_protocol_stream(protocol))
1319                                 return SECCLASS_TCP_SOCKET;
1320                         else if (extsockclass && protocol == IPPROTO_SCTP)
1321                                 return SECCLASS_SCTP_SOCKET;
1322                         else
1323                                 return SECCLASS_RAWIP_SOCKET;
1324                 case SOCK_DGRAM:
1325                         if (default_protocol_dgram(protocol))
1326                                 return SECCLASS_UDP_SOCKET;
1327                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328                                                   protocol == IPPROTO_ICMPV6))
1329                                 return SECCLASS_ICMP_SOCKET;
1330                         else
1331                                 return SECCLASS_RAWIP_SOCKET;
1332                 case SOCK_DCCP:
1333                         return SECCLASS_DCCP_SOCKET;
1334                 default:
1335                         return SECCLASS_RAWIP_SOCKET;
1336                 }
1337                 break;
1338         case PF_NETLINK:
1339                 switch (protocol) {
1340                 case NETLINK_ROUTE:
1341                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1342                 case NETLINK_SOCK_DIAG:
1343                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344                 case NETLINK_NFLOG:
1345                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1346                 case NETLINK_XFRM:
1347                         return SECCLASS_NETLINK_XFRM_SOCKET;
1348                 case NETLINK_SELINUX:
1349                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1350                 case NETLINK_ISCSI:
1351                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1352                 case NETLINK_AUDIT:
1353                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1354                 case NETLINK_FIB_LOOKUP:
1355                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356                 case NETLINK_CONNECTOR:
1357                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358                 case NETLINK_NETFILTER:
1359                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1360                 case NETLINK_DNRTMSG:
1361                         return SECCLASS_NETLINK_DNRT_SOCKET;
1362                 case NETLINK_KOBJECT_UEVENT:
1363                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1364                 case NETLINK_GENERIC:
1365                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1366                 case NETLINK_SCSITRANSPORT:
1367                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368                 case NETLINK_RDMA:
1369                         return SECCLASS_NETLINK_RDMA_SOCKET;
1370                 case NETLINK_CRYPTO:
1371                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372                 default:
1373                         return SECCLASS_NETLINK_SOCKET;
1374                 }
1375         case PF_PACKET:
1376                 return SECCLASS_PACKET_SOCKET;
1377         case PF_KEY:
1378                 return SECCLASS_KEY_SOCKET;
1379         case PF_APPLETALK:
1380                 return SECCLASS_APPLETALK_SOCKET;
1381         }
1382 
1383         if (extsockclass) {
1384                 switch (family) {
1385                 case PF_AX25:
1386                         return SECCLASS_AX25_SOCKET;
1387                 case PF_IPX:
1388                         return SECCLASS_IPX_SOCKET;
1389                 case PF_NETROM:
1390                         return SECCLASS_NETROM_SOCKET;
1391                 case PF_ATMPVC:
1392                         return SECCLASS_ATMPVC_SOCKET;
1393                 case PF_X25:
1394                         return SECCLASS_X25_SOCKET;
1395                 case PF_ROSE:
1396                         return SECCLASS_ROSE_SOCKET;
1397                 case PF_DECnet:
1398                         return SECCLASS_DECNET_SOCKET;
1399                 case PF_ATMSVC:
1400                         return SECCLASS_ATMSVC_SOCKET;
1401                 case PF_RDS:
1402                         return SECCLASS_RDS_SOCKET;
1403                 case PF_IRDA:
1404                         return SECCLASS_IRDA_SOCKET;
1405                 case PF_PPPOX:
1406                         return SECCLASS_PPPOX_SOCKET;
1407                 case PF_LLC:
1408                         return SECCLASS_LLC_SOCKET;
1409                 case PF_CAN:
1410                         return SECCLASS_CAN_SOCKET;
1411                 case PF_TIPC:
1412                         return SECCLASS_TIPC_SOCKET;
1413                 case PF_BLUETOOTH:
1414                         return SECCLASS_BLUETOOTH_SOCKET;
1415                 case PF_IUCV:
1416                         return SECCLASS_IUCV_SOCKET;
1417                 case PF_RXRPC:
1418                         return SECCLASS_RXRPC_SOCKET;
1419                 case PF_ISDN:
1420                         return SECCLASS_ISDN_SOCKET;
1421                 case PF_PHONET:
1422                         return SECCLASS_PHONET_SOCKET;
1423                 case PF_IEEE802154:
1424                         return SECCLASS_IEEE802154_SOCKET;
1425                 case PF_CAIF:
1426                         return SECCLASS_CAIF_SOCKET;
1427                 case PF_ALG:
1428                         return SECCLASS_ALG_SOCKET;
1429                 case PF_NFC:
1430                         return SECCLASS_NFC_SOCKET;
1431                 case PF_VSOCK:
1432                         return SECCLASS_VSOCK_SOCKET;
1433                 case PF_KCM:
1434                         return SECCLASS_KCM_SOCKET;
1435                 case PF_QIPCRTR:
1436                         return SECCLASS_QIPCRTR_SOCKET;
1437                 case PF_SMC:
1438                         return SECCLASS_SMC_SOCKET;
1439 #if PF_MAX > 44
1440 #error New address family defined, please update this function.
1441 #endif
1442                 }
1443         }
1444 
1445         return SECCLASS_SOCKET;
1446 }
1447 
1448 static int selinux_genfs_get_sid(struct dentry *dentry,
1449                                  u16 tclass,
1450                                  u16 flags,
1451                                  u32 *sid)
1452 {
1453         int rc;
1454         struct super_block *sb = dentry->d_sb;
1455         char *buffer, *path;
1456 
1457         buffer = (char *)__get_free_page(GFP_KERNEL);
1458         if (!buffer)
1459                 return -ENOMEM;
1460 
1461         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462         if (IS_ERR(path))
1463                 rc = PTR_ERR(path);
1464         else {
1465                 if (flags & SE_SBPROC) {
1466                         /* each process gets a /proc/PID/ entry. Strip off the
1467                          * PID part to get a valid selinux labeling.
1468                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469                         while (path[1] >= '' && path[1] <= '9') {
1470                                 path[1] = '/';
1471                                 path++;
1472                         }
1473                 }
1474                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475         }
1476         free_page((unsigned long)buffer);
1477         return rc;
1478 }
1479 
1480 /* The inode's security attributes must be initialized before first use. */
1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 {
1483         struct superblock_security_struct *sbsec = NULL;
1484         struct inode_security_struct *isec = inode->i_security;
1485         u32 task_sid, sid = 0;
1486         u16 sclass;
1487         struct dentry *dentry;
1488 #define INITCONTEXTLEN 255
1489         char *context = NULL;
1490         unsigned len = 0;
1491         int rc = 0;
1492 
1493         if (isec->initialized == LABEL_INITIALIZED)
1494                 return 0;
1495 
1496         spin_lock(&isec->lock);
1497         if (isec->initialized == LABEL_INITIALIZED)
1498                 goto out_unlock;
1499 
1500         if (isec->sclass == SECCLASS_FILE)
1501                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502 
1503         sbsec = inode->i_sb->s_security;
1504         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1505                 /* Defer initialization until selinux_complete_init,
1506                    after the initial policy is loaded and the security
1507                    server is ready to handle calls. */
1508                 spin_lock(&sbsec->isec_lock);
1509                 if (list_empty(&isec->list))
1510                         list_add(&isec->list, &sbsec->isec_head);
1511                 spin_unlock(&sbsec->isec_lock);
1512                 goto out_unlock;
1513         }
1514 
1515         sclass = isec->sclass;
1516         task_sid = isec->task_sid;
1517         sid = isec->sid;
1518         isec->initialized = LABEL_PENDING;
1519         spin_unlock(&isec->lock);
1520 
1521         switch (sbsec->behavior) {
1522         case SECURITY_FS_USE_NATIVE:
1523                 break;
1524         case SECURITY_FS_USE_XATTR:
1525                 if (!(inode->i_opflags & IOP_XATTR)) {
1526                         sid = sbsec->def_sid;
1527                         break;
1528                 }
1529                 /* Need a dentry, since the xattr API requires one.
1530                    Life would be simpler if we could just pass the inode. */
1531                 if (opt_dentry) {
1532                         /* Called from d_instantiate or d_splice_alias. */
1533                         dentry = dget(opt_dentry);
1534                 } else {
1535                         /* Called from selinux_complete_init, try to find a dentry. */
1536                         dentry = d_find_alias(inode);
1537                 }
1538                 if (!dentry) {
1539                         /*
1540                          * this is can be hit on boot when a file is accessed
1541                          * before the policy is loaded.  When we load policy we
1542                          * may find inodes that have no dentry on the
1543                          * sbsec->isec_head list.  No reason to complain as these
1544                          * will get fixed up the next time we go through
1545                          * inode_doinit with a dentry, before these inodes could
1546                          * be used again by userspace.
1547                          */
1548                         goto out;
1549                 }
1550 
1551                 len = INITCONTEXTLEN;
1552                 context = kmalloc(len+1, GFP_NOFS);
1553                 if (!context) {
1554                         rc = -ENOMEM;
1555                         dput(dentry);
1556                         goto out;
1557                 }
1558                 context[len] = '\0';
1559                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1560                 if (rc == -ERANGE) {
1561                         kfree(context);
1562 
1563                         /* Need a larger buffer.  Query for the right size. */
1564                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1565                         if (rc < 0) {
1566                                 dput(dentry);
1567                                 goto out;
1568                         }
1569                         len = rc;
1570                         context = kmalloc(len+1, GFP_NOFS);
1571                         if (!context) {
1572                                 rc = -ENOMEM;
1573                                 dput(dentry);
1574                                 goto out;
1575                         }
1576                         context[len] = '\0';
1577                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1578                 }
1579                 dput(dentry);
1580                 if (rc < 0) {
1581                         if (rc != -ENODATA) {
1582                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1583                                        "%d for dev=%s ino=%ld\n", __func__,
1584                                        -rc, inode->i_sb->s_id, inode->i_ino);
1585                                 kfree(context);
1586                                 goto out;
1587                         }
1588                         /* Map ENODATA to the default file SID */
1589                         sid = sbsec->def_sid;
1590                         rc = 0;
1591                 } else {
1592                         rc = security_context_to_sid_default(context, rc, &sid,
1593                                                              sbsec->def_sid,
1594                                                              GFP_NOFS);
1595                         if (rc) {
1596                                 char *dev = inode->i_sb->s_id;
1597                                 unsigned long ino = inode->i_ino;
1598 
1599                                 if (rc == -EINVAL) {
1600                                         if (printk_ratelimit())
1601                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1603                                                         "filesystem in question.\n", ino, dev, context);
1604                                 } else {
1605                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1606                                                "returned %d for dev=%s ino=%ld\n",
1607                                                __func__, context, -rc, dev, ino);
1608                                 }
1609                                 kfree(context);
1610                                 /* Leave with the unlabeled SID */
1611                                 rc = 0;
1612                                 break;
1613                         }
1614                 }
1615                 kfree(context);
1616                 break;
1617         case SECURITY_FS_USE_TASK:
1618                 sid = task_sid;
1619                 break;
1620         case SECURITY_FS_USE_TRANS:
1621                 /* Default to the fs SID. */
1622                 sid = sbsec->sid;
1623 
1624                 /* Try to obtain a transition SID. */
1625                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1626                 if (rc)
1627                         goto out;
1628                 break;
1629         case SECURITY_FS_USE_MNTPOINT:
1630                 sid = sbsec->mntpoint_sid;
1631                 break;
1632         default:
1633                 /* Default to the fs superblock SID. */
1634                 sid = sbsec->sid;
1635 
1636                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1637                         /* We must have a dentry to determine the label on
1638                          * procfs inodes */
1639                         if (opt_dentry)
1640                                 /* Called from d_instantiate or
1641                                  * d_splice_alias. */
1642                                 dentry = dget(opt_dentry);
1643                         else
1644                                 /* Called from selinux_complete_init, try to
1645                                  * find a dentry. */
1646                                 dentry = d_find_alias(inode);
1647                         /*
1648                          * This can be hit on boot when a file is accessed
1649                          * before the policy is loaded.  When we load policy we
1650                          * may find inodes that have no dentry on the
1651                          * sbsec->isec_head list.  No reason to complain as
1652                          * these will get fixed up the next time we go through
1653                          * inode_doinit() with a dentry, before these inodes
1654                          * could be used again by userspace.
1655                          */
1656                         if (!dentry)
1657                                 goto out;
1658                         rc = selinux_genfs_get_sid(dentry, sclass,
1659                                                    sbsec->flags, &sid);
1660                         dput(dentry);
1661                         if (rc)
1662                                 goto out;
1663                 }
1664                 break;
1665         }
1666 
1667 out:
1668         spin_lock(&isec->lock);
1669         if (isec->initialized == LABEL_PENDING) {
1670                 if (!sid || rc) {
1671                         isec->initialized = LABEL_INVALID;
1672                         goto out_unlock;
1673                 }
1674 
1675                 isec->initialized = LABEL_INITIALIZED;
1676                 isec->sid = sid;
1677         }
1678 
1679 out_unlock:
1680         spin_unlock(&isec->lock);
1681         return rc;
1682 }
1683 
1684 /* Convert a Linux signal to an access vector. */
1685 static inline u32 signal_to_av(int sig)
1686 {
1687         u32 perm = 0;
1688 
1689         switch (sig) {
1690         case SIGCHLD:
1691                 /* Commonly granted from child to parent. */
1692                 perm = PROCESS__SIGCHLD;
1693                 break;
1694         case SIGKILL:
1695                 /* Cannot be caught or ignored */
1696                 perm = PROCESS__SIGKILL;
1697                 break;
1698         case SIGSTOP:
1699                 /* Cannot be caught or ignored */
1700                 perm = PROCESS__SIGSTOP;
1701                 break;
1702         default:
1703                 /* All other signals. */
1704                 perm = PROCESS__SIGNAL;
1705                 break;
1706         }
1707 
1708         return perm;
1709 }
1710 
1711 #if CAP_LAST_CAP > 63
1712 #error Fix SELinux to handle capabilities > 63.
1713 #endif
1714 
1715 /* Check whether a task is allowed to use a capability. */
1716 static int cred_has_capability(const struct cred *cred,
1717                                int cap, int audit, bool initns)
1718 {
1719         struct common_audit_data ad;
1720         struct av_decision avd;
1721         u16 sclass;
1722         u32 sid = cred_sid(cred);
1723         u32 av = CAP_TO_MASK(cap);
1724         int rc;
1725 
1726         ad.type = LSM_AUDIT_DATA_CAP;
1727         ad.u.cap = cap;
1728 
1729         switch (CAP_TO_INDEX(cap)) {
1730         case 0:
1731                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1732                 break;
1733         case 1:
1734                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1735                 break;
1736         default:
1737                 printk(KERN_ERR
1738                        "SELinux:  out of range capability %d\n", cap);
1739                 BUG();
1740                 return -EINVAL;
1741         }
1742 
1743         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1744         if (audit == SECURITY_CAP_AUDIT) {
1745                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1746                 if (rc2)
1747                         return rc2;
1748         }
1749         return rc;
1750 }
1751 
1752 /* Check whether a task has a particular permission to an inode.
1753    The 'adp' parameter is optional and allows other audit
1754    data to be passed (e.g. the dentry). */
1755 static int inode_has_perm(const struct cred *cred,
1756                           struct inode *inode,
1757                           u32 perms,
1758                           struct common_audit_data *adp)
1759 {
1760         struct inode_security_struct *isec;
1761         u32 sid;
1762 
1763         validate_creds(cred);
1764 
1765         if (unlikely(IS_PRIVATE(inode)))
1766                 return 0;
1767 
1768         sid = cred_sid(cred);
1769         isec = inode->i_security;
1770 
1771         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1772 }
1773 
1774 /* Same as inode_has_perm, but pass explicit audit data containing
1775    the dentry to help the auditing code to more easily generate the
1776    pathname if needed. */
1777 static inline int dentry_has_perm(const struct cred *cred,
1778                                   struct dentry *dentry,
1779                                   u32 av)
1780 {
1781         struct inode *inode = d_backing_inode(dentry);
1782         struct common_audit_data ad;
1783 
1784         ad.type = LSM_AUDIT_DATA_DENTRY;
1785         ad.u.dentry = dentry;
1786         __inode_security_revalidate(inode, dentry, true);
1787         return inode_has_perm(cred, inode, av, &ad);
1788 }
1789 
1790 /* Same as inode_has_perm, but pass explicit audit data containing
1791    the path to help the auditing code to more easily generate the
1792    pathname if needed. */
1793 static inline int path_has_perm(const struct cred *cred,
1794                                 const struct path *path,
1795                                 u32 av)
1796 {
1797         struct inode *inode = d_backing_inode(path->dentry);
1798         struct common_audit_data ad;
1799 
1800         ad.type = LSM_AUDIT_DATA_PATH;
1801         ad.u.path = *path;
1802         __inode_security_revalidate(inode, path->dentry, true);
1803         return inode_has_perm(cred, inode, av, &ad);
1804 }
1805 
1806 /* Same as path_has_perm, but uses the inode from the file struct. */
1807 static inline int file_path_has_perm(const struct cred *cred,
1808                                      struct file *file,
1809                                      u32 av)
1810 {
1811         struct common_audit_data ad;
1812 
1813         ad.type = LSM_AUDIT_DATA_FILE;
1814         ad.u.file = file;
1815         return inode_has_perm(cred, file_inode(file), av, &ad);
1816 }
1817 
1818 #ifdef CONFIG_BPF_SYSCALL
1819 static int bpf_fd_pass(struct file *file, u32 sid);
1820 #endif
1821 
1822 /* Check whether a task can use an open file descriptor to
1823    access an inode in a given way.  Check access to the
1824    descriptor itself, and then use dentry_has_perm to
1825    check a particular permission to the file.
1826    Access to the descriptor is implicitly granted if it
1827    has the same SID as the process.  If av is zero, then
1828    access to the file is not checked, e.g. for cases
1829    where only the descriptor is affected like seek. */
1830 static int file_has_perm(const struct cred *cred,
1831                          struct file *file,
1832                          u32 av)
1833 {
1834         struct file_security_struct *fsec = file->f_security;
1835         struct inode *inode = file_inode(file);
1836         struct common_audit_data ad;
1837         u32 sid = cred_sid(cred);
1838         int rc;
1839 
1840         ad.type = LSM_AUDIT_DATA_FILE;
1841         ad.u.file = file;
1842 
1843         if (sid != fsec->sid) {
1844                 rc = avc_has_perm(sid, fsec->sid,
1845                                   SECCLASS_FD,
1846                                   FD__USE,
1847                                   &ad);
1848                 if (rc)
1849                         goto out;
1850         }
1851 
1852 #ifdef CONFIG_BPF_SYSCALL
1853         rc = bpf_fd_pass(file, cred_sid(cred));
1854         if (rc)
1855                 return rc;
1856 #endif
1857 
1858         /* av is zero if only checking access to the descriptor. */
1859         rc = 0;
1860         if (av)
1861                 rc = inode_has_perm(cred, inode, av, &ad);
1862 
1863 out:
1864         return rc;
1865 }
1866 
1867 /*
1868  * Determine the label for an inode that might be unioned.
1869  */
1870 static int
1871 selinux_determine_inode_label(const struct task_security_struct *tsec,
1872                                  struct inode *dir,
1873                                  const struct qstr *name, u16 tclass,
1874                                  u32 *_new_isid)
1875 {
1876         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1877 
1878         if ((sbsec->flags & SE_SBINITIALIZED) &&
1879             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880                 *_new_isid = sbsec->mntpoint_sid;
1881         } else if ((sbsec->flags & SBLABEL_MNT) &&
1882                    tsec->create_sid) {
1883                 *_new_isid = tsec->create_sid;
1884         } else {
1885                 const struct inode_security_struct *dsec = inode_security(dir);
1886                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887                                                name, _new_isid);
1888         }
1889 
1890         return 0;
1891 }
1892 
1893 /* Check whether a task can create a file. */
1894 static int may_create(struct inode *dir,
1895                       struct dentry *dentry,
1896                       u16 tclass)
1897 {
1898         const struct task_security_struct *tsec = current_security();
1899         struct inode_security_struct *dsec;
1900         struct superblock_security_struct *sbsec;
1901         u32 sid, newsid;
1902         struct common_audit_data ad;
1903         int rc;
1904 
1905         dsec = inode_security(dir);
1906         sbsec = dir->i_sb->s_security;
1907 
1908         sid = tsec->sid;
1909 
1910         ad.type = LSM_AUDIT_DATA_DENTRY;
1911         ad.u.dentry = dentry;
1912 
1913         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1914                           DIR__ADD_NAME | DIR__SEARCH,
1915                           &ad);
1916         if (rc)
1917                 return rc;
1918 
1919         rc = selinux_determine_inode_label(current_security(), dir,
1920                                            &dentry->d_name, tclass, &newsid);
1921         if (rc)
1922                 return rc;
1923 
1924         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1925         if (rc)
1926                 return rc;
1927 
1928         return avc_has_perm(newsid, sbsec->sid,
1929                             SECCLASS_FILESYSTEM,
1930                             FILESYSTEM__ASSOCIATE, &ad);
1931 }
1932 
1933 #define MAY_LINK        0
1934 #define MAY_UNLINK      1
1935 #define MAY_RMDIR       2
1936 
1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1938 static int may_link(struct inode *dir,
1939                     struct dentry *dentry,
1940                     int kind)
1941 
1942 {
1943         struct inode_security_struct *dsec, *isec;
1944         struct common_audit_data ad;
1945         u32 sid = current_sid();
1946         u32 av;
1947         int rc;
1948 
1949         dsec = inode_security(dir);
1950         isec = backing_inode_security(dentry);
1951 
1952         ad.type = LSM_AUDIT_DATA_DENTRY;
1953         ad.u.dentry = dentry;
1954 
1955         av = DIR__SEARCH;
1956         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958         if (rc)
1959                 return rc;
1960 
1961         switch (kind) {
1962         case MAY_LINK:
1963                 av = FILE__LINK;
1964                 break;
1965         case MAY_UNLINK:
1966                 av = FILE__UNLINK;
1967                 break;
1968         case MAY_RMDIR:
1969                 av = DIR__RMDIR;
1970                 break;
1971         default:
1972                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1973                         __func__, kind);
1974                 return 0;
1975         }
1976 
1977         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1978         return rc;
1979 }
1980 
1981 static inline int may_rename(struct inode *old_dir,
1982                              struct dentry *old_dentry,
1983                              struct inode *new_dir,
1984                              struct dentry *new_dentry)
1985 {
1986         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1987         struct common_audit_data ad;
1988         u32 sid = current_sid();
1989         u32 av;
1990         int old_is_dir, new_is_dir;
1991         int rc;
1992 
1993         old_dsec = inode_security(old_dir);
1994         old_isec = backing_inode_security(old_dentry);
1995         old_is_dir = d_is_dir(old_dentry);
1996         new_dsec = inode_security(new_dir);
1997 
1998         ad.type = LSM_AUDIT_DATA_DENTRY;
1999 
2000         ad.u.dentry = old_dentry;
2001         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2002                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003         if (rc)
2004                 return rc;
2005         rc = avc_has_perm(sid, old_isec->sid,
2006                           old_isec->sclass, FILE__RENAME, &ad);
2007         if (rc)
2008                 return rc;
2009         if (old_is_dir && new_dir != old_dir) {
2010                 rc = avc_has_perm(sid, old_isec->sid,
2011                                   old_isec->sclass, DIR__REPARENT, &ad);
2012                 if (rc)
2013                         return rc;
2014         }
2015 
2016         ad.u.dentry = new_dentry;
2017         av = DIR__ADD_NAME | DIR__SEARCH;
2018         if (d_is_positive(new_dentry))
2019                 av |= DIR__REMOVE_NAME;
2020         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021         if (rc)
2022                 return rc;
2023         if (d_is_positive(new_dentry)) {
2024                 new_isec = backing_inode_security(new_dentry);
2025                 new_is_dir = d_is_dir(new_dentry);
2026                 rc = avc_has_perm(sid, new_isec->sid,
2027                                   new_isec->sclass,
2028                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029                 if (rc)
2030                         return rc;
2031         }
2032 
2033         return 0;
2034 }
2035 
2036 /* Check whether a task can perform a filesystem operation. */
2037 static int superblock_has_perm(const struct cred *cred,
2038                                struct super_block *sb,
2039                                u32 perms,
2040                                struct common_audit_data *ad)
2041 {
2042         struct superblock_security_struct *sbsec;
2043         u32 sid = cred_sid(cred);
2044 
2045         sbsec = sb->s_security;
2046         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047 }
2048 
2049 /* Convert a Linux mode and permission mask to an access vector. */
2050 static inline u32 file_mask_to_av(int mode, int mask)
2051 {
2052         u32 av = 0;
2053 
2054         if (!S_ISDIR(mode)) {
2055                 if (mask & MAY_EXEC)
2056                         av |= FILE__EXECUTE;
2057                 if (mask & MAY_READ)
2058                         av |= FILE__READ;
2059 
2060                 if (mask & MAY_APPEND)
2061                         av |= FILE__APPEND;
2062                 else if (mask & MAY_WRITE)
2063                         av |= FILE__WRITE;
2064 
2065         } else {
2066                 if (mask & MAY_EXEC)
2067                         av |= DIR__SEARCH;
2068                 if (mask & MAY_WRITE)
2069                         av |= DIR__WRITE;
2070                 if (mask & MAY_READ)
2071                         av |= DIR__READ;
2072         }
2073 
2074         return av;
2075 }
2076 
2077 /* Convert a Linux file to an access vector. */
2078 static inline u32 file_to_av(struct file *file)
2079 {
2080         u32 av = 0;
2081 
2082         if (file->f_mode & FMODE_READ)
2083                 av |= FILE__READ;
2084         if (file->f_mode & FMODE_WRITE) {
2085                 if (file->f_flags & O_APPEND)
2086                         av |= FILE__APPEND;
2087                 else
2088                         av |= FILE__WRITE;
2089         }
2090         if (!av) {
2091                 /*
2092                  * Special file opened with flags 3 for ioctl-only use.
2093                  */
2094                 av = FILE__IOCTL;
2095         }
2096 
2097         return av;
2098 }
2099 
2100 /*
2101  * Convert a file to an access vector and include the correct open
2102  * open permission.
2103  */
2104 static inline u32 open_file_to_av(struct file *file)
2105 {
2106         u32 av = file_to_av(file);
2107         struct inode *inode = file_inode(file);
2108 
2109         if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2110                 av |= FILE__OPEN;
2111 
2112         return av;
2113 }
2114 
2115 /* Hook functions begin here. */
2116 
2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118 {
2119         u32 mysid = current_sid();
2120         u32 mgrsid = task_sid(mgr);
2121 
2122         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123                             BINDER__SET_CONTEXT_MGR, NULL);
2124 }
2125 
2126 static int selinux_binder_transaction(struct task_struct *from,
2127                                       struct task_struct *to)
2128 {
2129         u32 mysid = current_sid();
2130         u32 fromsid = task_sid(from);
2131         u32 tosid = task_sid(to);
2132         int rc;
2133 
2134         if (mysid != fromsid) {
2135                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136                                   BINDER__IMPERSONATE, NULL);
2137                 if (rc)
2138                         return rc;
2139         }
2140 
2141         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142                             NULL);
2143 }
2144 
2145 static int selinux_binder_transfer_binder(struct task_struct *from,
2146                                           struct task_struct *to)
2147 {
2148         u32 fromsid = task_sid(from);
2149         u32 tosid = task_sid(to);
2150 
2151         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152                             NULL);
2153 }
2154 
2155 static int selinux_binder_transfer_file(struct task_struct *from,
2156                                         struct task_struct *to,
2157                                         struct file *file)
2158 {
2159         u32 sid = task_sid(to);
2160         struct file_security_struct *fsec = file->f_security;
2161         struct dentry *dentry = file->f_path.dentry;
2162         struct inode_security_struct *isec;
2163         struct common_audit_data ad;
2164         int rc;
2165 
2166         ad.type = LSM_AUDIT_DATA_PATH;
2167         ad.u.path = file->f_path;
2168 
2169         if (sid != fsec->sid) {
2170                 rc = avc_has_perm(sid, fsec->sid,
2171                                   SECCLASS_FD,
2172                                   FD__USE,
2173                                   &ad);
2174                 if (rc)
2175                         return rc;
2176         }
2177 
2178 #ifdef CONFIG_BPF_SYSCALL
2179         rc = bpf_fd_pass(file, sid);
2180         if (rc)
2181                 return rc;
2182 #endif
2183 
2184         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2185                 return 0;
2186 
2187         isec = backing_inode_security(dentry);
2188         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189                             &ad);
2190 }
2191 
2192 static int selinux_ptrace_access_check(struct task_struct *child,
2193                                      unsigned int mode)
2194 {
2195         u32 sid = current_sid();
2196         u32 csid = task_sid(child);
2197 
2198         if (mode & PTRACE_MODE_READ)
2199                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200 
2201         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202 }
2203 
2204 static int selinux_ptrace_traceme(struct task_struct *parent)
2205 {
2206         return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207                             PROCESS__PTRACE, NULL);
2208 }
2209 
2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212 {
2213         return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214                             PROCESS__GETCAP, NULL);
2215 }
2216 
2217 static int selinux_capset(struct cred *new, const struct cred *old,
2218                           const kernel_cap_t *effective,
2219                           const kernel_cap_t *inheritable,
2220                           const kernel_cap_t *permitted)
2221 {
2222         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223                             PROCESS__SETCAP, NULL);
2224 }
2225 
2226 /*
2227  * (This comment used to live with the selinux_task_setuid hook,
2228  * which was removed).
2229  *
2230  * Since setuid only affects the current process, and since the SELinux
2231  * controls are not based on the Linux identity attributes, SELinux does not
2232  * need to control this operation.  However, SELinux does control the use of
2233  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234  */
2235 
2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237                            int cap, int audit)
2238 {
2239         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2240 }
2241 
2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243 {
2244         const struct cred *cred = current_cred();
2245         int rc = 0;
2246 
2247         if (!sb)
2248                 return 0;
2249 
2250         switch (cmds) {
2251         case Q_SYNC:
2252         case Q_QUOTAON:
2253         case Q_QUOTAOFF:
2254         case Q_SETINFO:
2255         case Q_SETQUOTA:
2256                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2257                 break;
2258         case Q_GETFMT:
2259         case Q_GETINFO:
2260         case Q_GETQUOTA:
2261                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2262                 break;
2263         default:
2264                 rc = 0;  /* let the kernel handle invalid cmds */
2265                 break;
2266         }
2267         return rc;
2268 }
2269 
2270 static int selinux_quota_on(struct dentry *dentry)
2271 {
2272         const struct cred *cred = current_cred();
2273 
2274         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2275 }
2276 
2277 static int selinux_syslog(int type)
2278 {
2279         switch (type) {
2280         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2281         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2286         /* Set level of messages printed to console */
2287         case SYSLOG_ACTION_CONSOLE_LEVEL:
2288                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290                                     NULL);
2291         }
2292         /* All other syslog types */
2293         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295 }
2296 
2297 /*
2298  * Check that a process has enough memory to allocate a new virtual
2299  * mapping. 0 means there is enough memory for the allocation to
2300  * succeed and -ENOMEM implies there is not.
2301  *
2302  * Do not audit the selinux permission check, as this is applied to all
2303  * processes that allocate mappings.
2304  */
2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2306 {
2307         int rc, cap_sys_admin = 0;
2308 
2309         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2310                                  SECURITY_CAP_NOAUDIT, true);
2311         if (rc == 0)
2312                 cap_sys_admin = 1;
2313 
2314         return cap_sys_admin;
2315 }
2316 
2317 /* binprm security operations */
2318 
2319 static u32 ptrace_parent_sid(void)
2320 {
2321         u32 sid = 0;
2322         struct task_struct *tracer;
2323 
2324         rcu_read_lock();
2325         tracer = ptrace_parent(current);
2326         if (tracer)
2327                 sid = task_sid(tracer);
2328         rcu_read_unlock();
2329 
2330         return sid;
2331 }
2332 
2333 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334                             const struct task_security_struct *old_tsec,
2335                             const struct task_security_struct *new_tsec)
2336 {
2337         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2338         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2339         int rc;
2340         u32 av;
2341 
2342         if (!nnp && !nosuid)
2343                 return 0; /* neither NNP nor nosuid */
2344 
2345         if (new_tsec->sid == old_tsec->sid)
2346                 return 0; /* No change in credentials */
2347 
2348         /*
2349          * If the policy enables the nnp_nosuid_transition policy capability,
2350          * then we permit transitions under NNP or nosuid if the
2351          * policy allows the corresponding permission between
2352          * the old and new contexts.
2353          */
2354         if (selinux_policycap_nnp_nosuid_transition) {
2355                 av = 0;
2356                 if (nnp)
2357                         av |= PROCESS2__NNP_TRANSITION;
2358                 if (nosuid)
2359                         av |= PROCESS2__NOSUID_TRANSITION;
2360                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361                                   SECCLASS_PROCESS2, av, NULL);
2362                 if (!rc)
2363                         return 0;
2364         }
2365 
2366         /*
2367          * We also permit NNP or nosuid transitions to bounded SIDs,
2368          * i.e. SIDs that are guaranteed to only be allowed a subset
2369          * of the permissions of the current SID.
2370          */
2371         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372         if (!rc)
2373                 return 0;
2374 
2375         /*
2376          * On failure, preserve the errno values for NNP vs nosuid.
2377          * NNP:  Operation not permitted for caller.
2378          * nosuid:  Permission denied to file.
2379          */
2380         if (nnp)
2381                 return -EPERM;
2382         return -EACCES;
2383 }
2384 
2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2386 {
2387         const struct task_security_struct *old_tsec;
2388         struct task_security_struct *new_tsec;
2389         struct inode_security_struct *isec;
2390         struct common_audit_data ad;
2391         struct inode *inode = file_inode(bprm->file);
2392         int rc;
2393 
2394         /* SELinux context only depends on initial program or script and not
2395          * the script interpreter */
2396         if (bprm->called_set_creds)
2397                 return 0;
2398 
2399         old_tsec = current_security();
2400         new_tsec = bprm->cred->security;
2401         isec = inode_security(inode);
2402 
2403         /* Default to the current task SID. */
2404         new_tsec->sid = old_tsec->sid;
2405         new_tsec->osid = old_tsec->sid;
2406 
2407         /* Reset fs, key, and sock SIDs on execve. */
2408         new_tsec->create_sid = 0;
2409         new_tsec->keycreate_sid = 0;
2410         new_tsec->sockcreate_sid = 0;
2411 
2412         if (old_tsec->exec_sid) {
2413                 new_tsec->sid = old_tsec->exec_sid;
2414                 /* Reset exec SID on execve. */
2415                 new_tsec->exec_sid = 0;
2416 
2417                 /* Fail on NNP or nosuid if not an allowed transition. */
2418                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419                 if (rc)
2420                         return rc;
2421         } else {
2422                 /* Check for a default transition on this program. */
2423                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2424                                              SECCLASS_PROCESS, NULL,
2425                                              &new_tsec->sid);
2426                 if (rc)
2427                         return rc;
2428 
2429                 /*
2430                  * Fallback to old SID on NNP or nosuid if not an allowed
2431                  * transition.
2432                  */
2433                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434                 if (rc)
2435                         new_tsec->sid = old_tsec->sid;
2436         }
2437 
2438         ad.type = LSM_AUDIT_DATA_FILE;
2439         ad.u.file = bprm->file;
2440 
2441         if (new_tsec->sid == old_tsec->sid) {
2442                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2443                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444                 if (rc)
2445                         return rc;
2446         } else {
2447                 /* Check permissions for the transition. */
2448                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2449                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450                 if (rc)
2451                         return rc;
2452 
2453                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2454                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455                 if (rc)
2456                         return rc;
2457 
2458                 /* Check for shared state */
2459                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461                                           SECCLASS_PROCESS, PROCESS__SHARE,
2462                                           NULL);
2463                         if (rc)
2464                                 return -EPERM;
2465                 }
2466 
2467                 /* Make sure that anyone attempting to ptrace over a task that
2468                  * changes its SID has the appropriate permit */
2469                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470                         u32 ptsid = ptrace_parent_sid();
2471                         if (ptsid != 0) {
2472                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2473                                                   SECCLASS_PROCESS,
2474                                                   PROCESS__PTRACE, NULL);
2475                                 if (rc)
2476                                         return -EPERM;
2477                         }
2478                 }
2479 
2480                 /* Clear any possibly unsafe personality bits on exec: */
2481                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2482 
2483                 /* Enable secure mode for SIDs transitions unless
2484                    the noatsecure permission is granted between
2485                    the two SIDs, i.e. ahp returns 0. */
2486                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488                                   NULL);
2489                 bprm->secureexec |= !!rc;
2490         }
2491 
2492         return 0;
2493 }
2494 
2495 static int match_file(const void *p, struct file *file, unsigned fd)
2496 {
2497         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498 }
2499 
2500 /* Derived from fs/exec.c:flush_old_files. */
2501 static inline void flush_unauthorized_files(const struct cred *cred,
2502                                             struct files_struct *files)
2503 {
2504         struct file *file, *devnull = NULL;
2505         struct tty_struct *tty;
2506         int drop_tty = 0;
2507         unsigned n;
2508 
2509         tty = get_current_tty();
2510         if (tty) {
2511                 spin_lock(&tty->files_lock);
2512                 if (!list_empty(&tty->tty_files)) {
2513                         struct tty_file_private *file_priv;
2514 
2515                         /* Revalidate access to controlling tty.
2516                            Use file_path_has_perm on the tty path directly
2517                            rather than using file_has_perm, as this particular
2518                            open file may belong to another process and we are
2519                            only interested in the inode-based check here. */
2520                         file_priv = list_first_entry(&tty->tty_files,
2521                                                 struct tty_file_private, list);
2522                         file = file_priv->file;
2523                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2524                                 drop_tty = 1;
2525                 }
2526                 spin_unlock(&tty->files_lock);
2527                 tty_kref_put(tty);
2528         }
2529         /* Reset controlling tty. */
2530         if (drop_tty)
2531                 no_tty();
2532 
2533         /* Revalidate access to inherited open files. */
2534         n = iterate_fd(files, 0, match_file, cred);
2535         if (!n) /* none found? */
2536                 return;
2537 
2538         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2539         if (IS_ERR(devnull))
2540                 devnull = NULL;
2541         /* replace all the matching ones with this */
2542         do {
2543                 replace_fd(n - 1, devnull, 0);
2544         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545         if (devnull)
2546                 fput(devnull);
2547 }
2548 
2549 /*
2550  * Prepare a process for imminent new credential changes due to exec
2551  */
2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2553 {
2554         struct task_security_struct *new_tsec;
2555         struct rlimit *rlim, *initrlim;
2556         int rc, i;
2557 
2558         new_tsec = bprm->cred->security;
2559         if (new_tsec->sid == new_tsec->osid)
2560                 return;
2561 
2562         /* Close files for which the new task SID is not authorized. */
2563         flush_unauthorized_files(bprm->cred, current->files);
2564 
2565         /* Always clear parent death signal on SID transitions. */
2566         current->pdeath_signal = 0;
2567 
2568         /* Check whether the new SID can inherit resource limits from the old
2569          * SID.  If not, reset all soft limits to the lower of the current
2570          * task's hard limit and the init task's soft limit.
2571          *
2572          * Note that the setting of hard limits (even to lower them) can be
2573          * controlled by the setrlimit check.  The inclusion of the init task's
2574          * soft limit into the computation is to avoid resetting soft limits
2575          * higher than the default soft limit for cases where the default is
2576          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577          */
2578         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579                           PROCESS__RLIMITINH, NULL);
2580         if (rc) {
2581                 /* protect against do_prlimit() */
2582                 task_lock(current);
2583                 for (i = 0; i < RLIM_NLIMITS; i++) {
2584                         rlim = current->signal->rlim + i;
2585                         initrlim = init_task.signal->rlim + i;
2586                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2587                 }
2588                 task_unlock(current);
2589                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591         }
2592 }
2593 
2594 /*
2595  * Clean up the process immediately after the installation of new credentials
2596  * due to exec
2597  */
2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2599 {
2600         const struct task_security_struct *tsec = current_security();
2601         struct itimerval itimer;
2602         u32 osid, sid;
2603         int rc, i;
2604 
2605         osid = tsec->osid;
2606         sid = tsec->sid;
2607 
2608         if (sid == osid)
2609                 return;
2610 
2611         /* Check whether the new SID can inherit signal state from the old SID.
2612          * If not, clear itimers to avoid subsequent signal generation and
2613          * flush and unblock signals.
2614          *
2615          * This must occur _after_ the task SID has been updated so that any
2616          * kill done after the flush will be checked against the new SID.
2617          */
2618         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619         if (rc) {
2620                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621                         memset(&itimer, 0, sizeof itimer);
2622                         for (i = 0; i < 3; i++)
2623                                 do_setitimer(i, &itimer, NULL);
2624                 }
2625                 spin_lock_irq(&current->sighand->siglock);
2626                 if (!fatal_signal_pending(current)) {
2627                         flush_sigqueue(&current->pending);
2628                         flush_sigqueue(&current->signal->shared_pending);
2629                         flush_signal_handlers(current, 1);
2630                         sigemptyset(&current->blocked);
2631                         recalc_sigpending();
2632                 }
2633                 spin_unlock_irq(&current->sighand->siglock);
2634         }
2635 
2636         /* Wake up the parent if it is waiting so that it can recheck
2637          * wait permission to the new task SID. */
2638         read_lock(&tasklist_lock);
2639         __wake_up_parent(current, current->real_parent);
2640         read_unlock(&tasklist_lock);
2641 }
2642 
2643 /* superblock security operations */
2644 
2645 static int selinux_sb_alloc_security(struct super_block *sb)
2646 {
2647         return superblock_alloc_security(sb);
2648 }
2649 
2650 static void selinux_sb_free_security(struct super_block *sb)
2651 {
2652         superblock_free_security(sb);
2653 }
2654 
2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656 {
2657         if (plen > olen)
2658                 return 0;
2659 
2660         return !memcmp(prefix, option, plen);
2661 }
2662 
2663 static inline int selinux_option(char *option, int len)
2664 {
2665         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2668                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2670 }
2671 
2672 static inline void take_option(char **to, char *from, int *first, int len)
2673 {
2674         if (!*first) {
2675                 **to = ',';
2676                 *to += 1;
2677         } else
2678                 *first = 0;
2679         memcpy(*to, from, len);
2680         *to += len;
2681 }
2682 
2683 static inline void take_selinux_option(char **to, char *from, int *first,
2684                                        int len)
2685 {
2686         int current_size = 0;
2687 
2688         if (!*first) {
2689                 **to = '|';
2690                 *to += 1;
2691         } else
2692                 *first = 0;
2693 
2694         while (current_size < len) {
2695                 if (*from != '"') {
2696                         **to = *from;
2697                         *to += 1;
2698                 }
2699                 from += 1;
2700                 current_size += 1;
2701         }
2702 }
2703 
2704 static int selinux_sb_copy_data(char *orig, char *copy)
2705 {
2706         int fnosec, fsec, rc = 0;
2707         char *in_save, *in_curr, *in_end;
2708         char *sec_curr, *nosec_save, *nosec;
2709         int open_quote = 0;
2710 
2711         in_curr = orig;
2712         sec_curr = copy;
2713 
2714         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715         if (!nosec) {
2716                 rc = -ENOMEM;
2717                 goto out;
2718         }
2719 
2720         nosec_save = nosec;
2721         fnosec = fsec = 1;
2722         in_save = in_end = orig;
2723 
2724         do {
2725                 if (*in_end == '"')
2726                         open_quote = !open_quote;
2727                 if ((*in_end == ',' && open_quote == 0) ||
2728                                 *in_end == '\0') {
2729                         int len = in_end - in_curr;
2730 
2731                         if (selinux_option(in_curr, len))
2732                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2733                         else
2734                                 take_option(&nosec, in_curr, &fnosec, len);
2735 
2736                         in_curr = in_end + 1;
2737                 }
2738         } while (*in_end++);
2739 
2740         strcpy(in_save, nosec_save);
2741         free_page((unsigned long)nosec_save);
2742 out:
2743         return rc;
2744 }
2745 
2746 static int selinux_sb_remount(struct super_block *sb, void *data)
2747 {
2748         int rc, i, *flags;
2749         struct security_mnt_opts opts;
2750         char *secdata, **mount_options;
2751         struct superblock_security_struct *sbsec = sb->s_security;
2752 
2753         if (!(sbsec->flags & SE_SBINITIALIZED))
2754                 return 0;
2755 
2756         if (!data)
2757                 return 0;
2758 
2759         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760                 return 0;
2761 
2762         security_init_mnt_opts(&opts);
2763         secdata = alloc_secdata();
2764         if (!secdata)
2765                 return -ENOMEM;
2766         rc = selinux_sb_copy_data(data, secdata);
2767         if (rc)
2768                 goto out_free_secdata;
2769 
2770         rc = selinux_parse_opts_str(secdata, &opts);
2771         if (rc)
2772                 goto out_free_secdata;
2773 
2774         mount_options = opts.mnt_opts;
2775         flags = opts.mnt_opts_flags;
2776 
2777         for (i = 0; i < opts.num_mnt_opts; i++) {
2778                 u32 sid;
2779 
2780                 if (flags[i] == SBLABEL_MNT)
2781                         continue;
2782                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2783                 if (rc) {
2784                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2786                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2787                         goto out_free_opts;
2788                 }
2789                 rc = -EINVAL;
2790                 switch (flags[i]) {
2791                 case FSCONTEXT_MNT:
2792                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793                                 goto out_bad_option;
2794                         break;
2795                 case CONTEXT_MNT:
2796                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797                                 goto out_bad_option;
2798                         break;
2799                 case ROOTCONTEXT_MNT: {
2800                         struct inode_security_struct *root_isec;
2801                         root_isec = backing_inode_security(sb->s_root);
2802 
2803                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804                                 goto out_bad_option;
2805                         break;
2806                 }
2807                 case DEFCONTEXT_MNT:
2808                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809                                 goto out_bad_option;
2810                         break;
2811                 default:
2812                         goto out_free_opts;
2813                 }
2814         }
2815 
2816         rc = 0;
2817 out_free_opts:
2818         security_free_mnt_opts(&opts);
2819 out_free_secdata:
2820         free_secdata(secdata);
2821         return rc;
2822 out_bad_option:
2823         printk(KERN_WARNING "SELinux: unable to change security options "
2824                "during remount (dev %s, type=%s)\n", sb->s_id,
2825                sb->s_type->name);
2826         goto out_free_opts;
2827 }
2828 
2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2830 {
2831         const struct cred *cred = current_cred();
2832         struct common_audit_data ad;
2833         int rc;
2834 
2835         rc = superblock_doinit(sb, data);
2836         if (rc)
2837                 return rc;
2838 
2839         /* Allow all mounts performed by the kernel */
2840         if (flags & MS_KERNMOUNT)
2841                 return 0;
2842 
2843         ad.type = LSM_AUDIT_DATA_DENTRY;
2844         ad.u.dentry = sb->s_root;
2845         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2846 }
2847 
2848 static int selinux_sb_statfs(struct dentry *dentry)
2849 {
2850         const struct cred *cred = current_cred();
2851         struct common_audit_data ad;
2852 
2853         ad.type = LSM_AUDIT_DATA_DENTRY;
2854         ad.u.dentry = dentry->d_sb->s_root;
2855         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2856 }
2857 
2858 static int selinux_mount(const char *dev_name,
2859                          const struct path *path,
2860                          const char *type,
2861                          unsigned long flags,
2862                          void *data)
2863 {
2864         const struct cred *cred = current_cred();
2865 
2866         if (flags & MS_REMOUNT)
2867                 return superblock_has_perm(cred, path->dentry->d_sb,
2868                                            FILESYSTEM__REMOUNT, NULL);
2869         else
2870                 return path_has_perm(cred, path, FILE__MOUNTON);
2871 }
2872 
2873 static int selinux_umount(struct vfsmount *mnt, int flags)
2874 {
2875         const struct cred *cred = current_cred();
2876 
2877         return superblock_has_perm(cred, mnt->mnt_sb,
2878                                    FILESYSTEM__UNMOUNT, NULL);
2879 }
2880 
2881 /* inode security operations */
2882 
2883 static int selinux_inode_alloc_security(struct inode *inode)
2884 {
2885         return inode_alloc_security(inode);
2886 }
2887 
2888 static void selinux_inode_free_security(struct inode *inode)
2889 {
2890         inode_free_security(inode);
2891 }
2892 
2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894                                         const struct qstr *name, void **ctx,
2895                                         u32 *ctxlen)
2896 {
2897         u32 newsid;
2898         int rc;
2899 
2900         rc = selinux_determine_inode_label(current_security(),
2901                                            d_inode(dentry->d_parent), name,
2902                                            inode_mode_to_security_class(mode),
2903                                            &newsid);
2904         if (rc)
2905                 return rc;
2906 
2907         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908 }
2909 
2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911                                           struct qstr *name,
2912                                           const struct cred *old,
2913                                           struct cred *new)
2914 {
2915         u32 newsid;
2916         int rc;
2917         struct task_security_struct *tsec;
2918 
2919         rc = selinux_determine_inode_label(old->security,
2920                                            d_inode(dentry->d_parent), name,
2921                                            inode_mode_to_security_class(mode),
2922                                            &newsid);
2923         if (rc)
2924                 return rc;
2925 
2926         tsec = new->security;
2927         tsec->create_sid = newsid;
2928         return 0;
2929 }
2930 
2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2932                                        const struct qstr *qstr,
2933                                        const char **name,
2934                                        void **value, size_t *len)
2935 {
2936         const struct task_security_struct *tsec = current_security();
2937         struct superblock_security_struct *sbsec;
2938         u32 newsid, clen;
2939         int rc;
2940         char *context;
2941 
2942         sbsec = dir->i_sb->s_security;
2943 
2944         newsid = tsec->create_sid;
2945 
2946         rc = selinux_determine_inode_label(current_security(),
2947                 dir, qstr,
2948                 inode_mode_to_security_class(inode->i_mode),
2949                 &newsid);
2950         if (rc)
2951                 return rc;
2952 
2953         /* Possibly defer initialization to selinux_complete_init. */
2954         if (sbsec->flags & SE_SBINITIALIZED) {
2955                 struct inode_security_struct *isec = inode->i_security;
2956                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957                 isec->sid = newsid;
2958                 isec->initialized = LABEL_INITIALIZED;
2959         }
2960 
2961         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962                 return -EOPNOTSUPP;
2963 
2964         if (name)
2965                 *name = XATTR_SELINUX_SUFFIX;
2966 
2967         if (value && len) {
2968                 rc = security_sid_to_context_force(newsid, &context, &clen);
2969                 if (rc)
2970                         return rc;
2971                 *value = context;
2972                 *len = clen;
2973         }
2974 
2975         return 0;
2976 }
2977 
2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979 {
2980         return may_create(dir, dentry, SECCLASS_FILE);
2981 }
2982 
2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984 {
2985         return may_link(dir, old_dentry, MAY_LINK);
2986 }
2987 
2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989 {
2990         return may_link(dir, dentry, MAY_UNLINK);
2991 }
2992 
2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994 {
2995         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996 }
2997 
2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999 {
3000         return may_create(dir, dentry, SECCLASS_DIR);
3001 }
3002 
3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004 {
3005         return may_link(dir, dentry, MAY_RMDIR);
3006 }
3007 
3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009 {
3010         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011 }
3012 
3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014                                 struct inode *new_inode, struct dentry *new_dentry)
3015 {
3016         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017 }
3018 
3019 static int selinux_inode_readlink(struct dentry *dentry)
3020 {
3021         const struct cred *cred = current_cred();
3022 
3023         return dentry_has_perm(cred, dentry, FILE__READ);
3024 }
3025 
3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027                                      bool rcu)
3028 {
3029         const struct cred *cred = current_cred();
3030         struct common_audit_data ad;
3031         struct inode_security_struct *isec;
3032         u32 sid;
3033 
3034         validate_creds(cred);
3035 
3036         ad.type = LSM_AUDIT_DATA_DENTRY;
3037         ad.u.dentry = dentry;
3038         sid = cred_sid(cred);
3039         isec = inode_security_rcu(inode, rcu);
3040         if (IS_ERR(isec))
3041                 return PTR_ERR(isec);
3042 
3043         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044                                   rcu ? MAY_NOT_BLOCK : 0);
3045 }
3046 
3047 static noinline int audit_inode_permission(struct inode *inode,
3048                                            u32 perms, u32 audited, u32 denied,
3049                                            int result,
3050                                            unsigned flags)
3051 {
3052         struct common_audit_data ad;
3053         struct inode_security_struct *isec = inode->i_security;
3054         int rc;
3055 
3056         ad.type = LSM_AUDIT_DATA_INODE;
3057         ad.u.inode = inode;
3058 
3059         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3060                             audited, denied, result, &ad, flags);
3061         if (rc)
3062                 return rc;
3063         return 0;
3064 }
3065 
3066 static int selinux_inode_permission(struct inode *inode, int mask)
3067 {
3068         const struct cred *cred = current_cred();
3069         u32 perms;
3070         bool from_access;
3071         unsigned flags = mask & MAY_NOT_BLOCK;
3072         struct inode_security_struct *isec;
3073         u32 sid;
3074         struct av_decision avd;
3075         int rc, rc2;
3076         u32 audited, denied;
3077 
3078         from_access = mask & MAY_ACCESS;
3079         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080 
3081         /* No permission to check.  Existence test. */
3082         if (!mask)
3083                 return 0;
3084 
3085         validate_creds(cred);
3086 
3087         if (unlikely(IS_PRIVATE(inode)))
3088                 return 0;
3089 
3090         perms = file_mask_to_av(inode->i_mode, mask);
3091 
3092         sid = cred_sid(cred);
3093         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094         if (IS_ERR(isec))
3095                 return PTR_ERR(isec);
3096 
3097         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098         audited = avc_audit_required(perms, &avd, rc,
3099                                      from_access ? FILE__AUDIT_ACCESS : 0,
3100                                      &denied);
3101         if (likely(!audited))
3102                 return rc;
3103 
3104         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3105         if (rc2)
3106                 return rc2;
3107         return rc;
3108 }
3109 
3110 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111 {
3112         const struct cred *cred = current_cred();
3113         struct inode *inode = d_backing_inode(dentry);
3114         unsigned int ia_valid = iattr->ia_valid;
3115         __u32 av = FILE__WRITE;
3116 
3117         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118         if (ia_valid & ATTR_FORCE) {
3119                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120                               ATTR_FORCE);
3121                 if (!ia_valid)
3122                         return 0;
3123         }
3124 
3125         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128 
3129         if (selinux_policycap_openperm &&
3130             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131             (ia_valid & ATTR_SIZE) &&
3132             !(ia_valid & ATTR_FILE))
3133                 av |= FILE__OPEN;
3134 
3135         return dentry_has_perm(cred, dentry, av);
3136 }
3137 
3138 static int selinux_inode_getattr(const struct path *path)
3139 {
3140         return path_has_perm(current_cred(), path, FILE__GETATTR);
3141 }
3142 
3143 static bool has_cap_mac_admin(bool audit)
3144 {
3145         const struct cred *cred = current_cred();
3146         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147 
3148         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149                 return false;
3150         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151                 return false;
3152         return true;
3153 }
3154 
3155 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156                                   const void *value, size_t size, int flags)
3157 {
3158         struct inode *inode = d_backing_inode(dentry);
3159         struct inode_security_struct *isec;
3160         struct superblock_security_struct *sbsec;
3161         struct common_audit_data ad;
3162         u32 newsid, sid = current_sid();
3163         int rc = 0;
3164 
3165         if (strcmp(name, XATTR_NAME_SELINUX)) {
3166                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167                 if (rc)
3168                         return rc;
3169 
3170                 /* Not an attribute we recognize, so just check the
3171                    ordinary setattr permission. */
3172                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173         }
3174 
3175         sbsec = inode->i_sb->s_security;
3176         if (!(sbsec->flags & SBLABEL_MNT))
3177                 return -EOPNOTSUPP;
3178 
3179         if (!inode_owner_or_capable(inode))
3180                 return -EPERM;
3181 
3182         ad.type = LSM_AUDIT_DATA_DENTRY;
3183         ad.u.dentry = dentry;
3184 
3185         isec = backing_inode_security(dentry);
3186         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3187                           FILE__RELABELFROM, &ad);
3188         if (rc)
3189                 return rc;
3190 
3191         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3192         if (rc == -EINVAL) {
3193                 if (!has_cap_mac_admin(true)) {
3194                         struct audit_buffer *ab;
3195                         size_t audit_size;
3196 
3197                         /* We strip a nul only if it is at the end, otherwise the
3198                          * context contains a nul and we should audit that */
3199                         if (value) {
3200                                 const char *str = value;
3201 
3202                                 if (str[size - 1] == '\0')
3203                                         audit_size = size - 1;
3204                                 else
3205                                         audit_size = size;
3206                         } else {
3207                                 audit_size = 0;
3208                         }
3209                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210                         audit_log_format(ab, "op=setxattr invalid_context=");
3211                         audit_log_n_untrustedstring(ab, value, audit_size);
3212                         audit_log_end(ab);
3213 
3214                         return rc;
3215                 }
3216                 rc = security_context_to_sid_force(value, size, &newsid);
3217         }
3218         if (rc)
3219                 return rc;
3220 
3221         rc = avc_has_perm(sid, newsid, isec->sclass,
3222                           FILE__RELABELTO, &ad);
3223         if (rc)
3224                 return rc;
3225 
3226         rc = security_validate_transition(isec->sid, newsid, sid,
3227                                           isec->sclass);
3228         if (rc)
3229                 return rc;
3230 
3231         return avc_has_perm(newsid,
3232                             sbsec->sid,
3233                             SECCLASS_FILESYSTEM,
3234                             FILESYSTEM__ASSOCIATE,
3235                             &ad);
3236 }
3237 
3238 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3239                                         const void *value, size_t size,
3240                                         int flags)
3241 {
3242         struct inode *inode = d_backing_inode(dentry);
3243         struct inode_security_struct *isec;
3244         u32 newsid;
3245         int rc;
3246 
3247         if (strcmp(name, XATTR_NAME_SELINUX)) {
3248                 /* Not an attribute we recognize, so nothing to do. */
3249                 return;
3250         }
3251 
3252         rc = security_context_to_sid_force(value, size, &newsid);
3253         if (rc) {
3254                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3255                        "for (%s, %lu), rc=%d\n",
3256                        inode->i_sb->s_id, inode->i_ino, -rc);
3257                 return;
3258         }
3259 
3260         isec = backing_inode_security(dentry);
3261         spin_lock(&isec->lock);
3262         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3263         isec->sid = newsid;
3264         isec->initialized = LABEL_INITIALIZED;
3265         spin_unlock(&isec->lock);
3266 
3267         return;
3268 }
3269 
3270 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3271 {
3272         const struct cred *cred = current_cred();
3273 
3274         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3275 }
3276 
3277 static int selinux_inode_listxattr(struct dentry *dentry)
3278 {
3279         const struct cred *cred = current_cred();
3280 
3281         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3282 }
3283 
3284 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3285 {
3286         if (strcmp(name, XATTR_NAME_SELINUX)) {
3287                 int rc = cap_inode_removexattr(dentry, name);
3288                 if (rc)
3289                         return rc;
3290 
3291                 /* Not an attribute we recognize, so just check the
3292                    ordinary setattr permission. */
3293                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294         }
3295 
3296         /* No one is allowed to remove a SELinux security label.
3297            You can change the label, but all data must be labeled. */
3298         return -EACCES;
3299 }
3300 
3301 /*
3302  * Copy the inode security context value to the user.
3303  *
3304  * Permission check is handled by selinux_inode_getxattr hook.
3305  */
3306 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3307 {
3308         u32 size;
3309         int error;
3310         char *context = NULL;
3311         struct inode_security_struct *isec;
3312 
3313         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314                 return -EOPNOTSUPP;
3315 
3316         /*
3317          * If the caller has CAP_MAC_ADMIN, then get the raw context
3318          * value even if it is not defined by current policy; otherwise,
3319          * use the in-core value under current policy.
3320          * Use the non-auditing forms of the permission checks since
3321          * getxattr may be called by unprivileged processes commonly
3322          * and lack of permission just means that we fall back to the
3323          * in-core context value, not a denial.
3324          */
3325         isec = inode_security(inode);
3326         if (has_cap_mac_admin(false))
3327                 error = security_sid_to_context_force(isec->sid, &context,
3328                                                       &size);
3329         else
3330                 error = security_sid_to_context(isec->sid, &context, &size);
3331         if (error)
3332                 return error;
3333         error = size;
3334         if (alloc) {
3335                 *buffer = context;
3336                 goto out_nofree;
3337         }
3338         kfree(context);
3339 out_nofree:
3340         return error;
3341 }
3342 
3343 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3344                                      const void *value, size_t size, int flags)
3345 {
3346         struct inode_security_struct *isec = inode_security_novalidate(inode);
3347         u32 newsid;
3348         int rc;
3349 
3350         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3351                 return -EOPNOTSUPP;
3352 
3353         if (!value || !size)
3354                 return -EACCES;
3355 
3356         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3357         if (rc)
3358                 return rc;
3359 
3360         spin_lock(&isec->lock);
3361         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3362         isec->sid = newsid;
3363         isec->initialized = LABEL_INITIALIZED;
3364         spin_unlock(&isec->lock);
3365         return 0;
3366 }
3367 
3368 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3369 {
3370         const int len = sizeof(XATTR_NAME_SELINUX);
3371         if (buffer && len <= buffer_size)
3372                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3373         return len;
3374 }
3375 
3376 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3377 {
3378         struct inode_security_struct *isec = inode_security_novalidate(inode);
3379         *secid = isec->sid;
3380 }
3381 
3382 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3383 {
3384         u32 sid;
3385         struct task_security_struct *tsec;
3386         struct cred *new_creds = *new;
3387 
3388         if (new_creds == NULL) {
3389                 new_creds = prepare_creds();
3390                 if (!new_creds)
3391                         return -ENOMEM;
3392         }
3393 
3394         tsec = new_creds->security;
3395         /* Get label from overlay inode and set it in create_sid */
3396         selinux_inode_getsecid(d_inode(src), &sid);
3397         tsec->create_sid = sid;
3398         *new = new_creds;
3399         return 0;
3400 }
3401 
3402 static int selinux_inode_copy_up_xattr(const char *name)
3403 {
3404         /* The copy_up hook above sets the initial context on an inode, but we
3405          * don't then want to overwrite it by blindly copying all the lower
3406          * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3407          */
3408         if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3409                 return 1; /* Discard */
3410         /*
3411          * Any other attribute apart from SELINUX is not claimed, supported
3412          * by selinux.
3413          */
3414         return -EOPNOTSUPP;
3415 }
3416 
3417 /* file security operations */
3418 
3419 static int selinux_revalidate_file_permission(struct file *file, int mask)
3420 {
3421         const struct cred *cred = current_cred();
3422         struct inode *inode = file_inode(file);
3423 
3424         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3426                 mask |= MAY_APPEND;
3427 
3428         return file_has_perm(cred, file,
3429                              file_mask_to_av(inode->i_mode, mask));
3430 }
3431 
3432 static int selinux_file_permission(struct file *file, int mask)
3433 {
3434         struct inode *inode = file_inode(file);
3435         struct file_security_struct *fsec = file->f_security;
3436         struct inode_security_struct *isec;
3437         u32 sid = current_sid();
3438 
3439         if (!mask)
3440                 /* No permission to check.  Existence test. */
3441                 return 0;
3442 
3443         isec = inode_security(inode);
3444         if (sid == fsec->sid && fsec->isid == isec->sid &&
3445             fsec->pseqno == avc_policy_seqno())
3446                 /* No change since file_open check. */
3447                 return 0;
3448 
3449         return selinux_revalidate_file_permission(file, mask);
3450 }
3451 
3452 static int selinux_file_alloc_security(struct file *file)
3453 {
3454         return file_alloc_security(file);
3455 }
3456 
3457 static void selinux_file_free_security(struct file *file)
3458 {
3459         file_free_security(file);
3460 }
3461 
3462 /*
3463  * Check whether a task has the ioctl permission and cmd
3464  * operation to an inode.
3465  */
3466 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3467                 u32 requested, u16 cmd)
3468 {
3469         struct common_audit_data ad;
3470         struct file_security_struct *fsec = file->f_security;
3471         struct inode *inode = file_inode(file);
3472         struct inode_security_struct *isec;
3473         struct lsm_ioctlop_audit ioctl;
3474         u32 ssid = cred_sid(cred);
3475         int rc;
3476         u8 driver = cmd >> 8;
3477         u8 xperm = cmd & 0xff;
3478 
3479         ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3480         ad.u.op = &ioctl;
3481         ad.u.op->cmd = cmd;
3482         ad.u.op->path = file->f_path;
3483 
3484         if (ssid != fsec->sid) {
3485                 rc = avc_has_perm(ssid, fsec->sid,
3486                                 SECCLASS_FD,
3487                                 FD__USE,
3488                                 &ad);
3489                 if (rc)
3490                         goto out;
3491         }
3492 
3493         if (unlikely(IS_PRIVATE(inode)))
3494                 return 0;
3495 
3496         isec = inode_security(inode);
3497         rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3498                         requested, driver, xperm, &ad);
3499 out:
3500         return rc;
3501 }
3502 
3503 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3504                               unsigned long arg)
3505 {
3506         const struct cred *cred = current_cred();
3507         int error = 0;
3508 
3509         switch (cmd) {
3510         case FIONREAD:
3511         /* fall through */
3512         case FIBMAP:
3513         /* fall through */
3514         case FIGETBSZ:
3515         /* fall through */
3516         case FS_IOC_GETFLAGS:
3517         /* fall through */
3518         case FS_IOC_GETVERSION:
3519                 error = file_has_perm(cred, file, FILE__GETATTR);
3520                 break;
3521 
3522         case FS_IOC_SETFLAGS:
3523         /* fall through */
3524         case FS_IOC_SETVERSION:
3525                 error = file_has_perm(cred, file, FILE__SETATTR);
3526                 break;
3527 
3528         /* sys_ioctl() checks */
3529         case FIONBIO:
3530         /* fall through */
3531         case FIOASYNC:
3532                 error = file_has_perm(cred, file, 0);
3533                 break;
3534 
3535         case KDSKBENT:
3536         case KDSKBSENT:
3537                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3538                                             SECURITY_CAP_AUDIT, true);
3539                 break;
3540 
3541         /* default case assumes that the command will go
3542          * to the file's ioctl() function.
3543          */
3544         default:
3545                 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3546         }
3547         return error;
3548 }
3549 
3550 static int default_noexec;
3551 
3552 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3553 {
3554         const struct cred *cred = current_cred();
3555         u32 sid = cred_sid(cred);
3556         int rc = 0;
3557 
3558         if (default_noexec &&
3559             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3560                                    (!shared && (prot & PROT_WRITE)))) {
3561                 /*
3562                  * We are making executable an anonymous mapping or a
3563                  * private file mapping that will also be writable.
3564                  * This has an additional check.
3565                  */
3566                 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3567                                   PROCESS__EXECMEM, NULL);
3568                 if (rc)
3569                         goto error;
3570         }
3571 
3572         if (file) {
3573                 /* read access is always possible with a mapping */
3574                 u32 av = FILE__READ;
3575 
3576                 /* write access only matters if the mapping is shared */
3577                 if (shared && (prot & PROT_WRITE))
3578                         av |= FILE__WRITE;
3579 
3580                 if (prot & PROT_EXEC)
3581                         av |= FILE__EXECUTE;
3582 
3583                 return file_has_perm(cred, file, av);
3584         }
3585 
3586 error:
3587         return rc;
3588 }
3589 
3590 static int selinux_mmap_addr(unsigned long addr)
3591 {
3592         int rc = 0;
3593 
3594         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595                 u32 sid = current_sid();
3596                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3597                                   MEMPROTECT__MMAP_ZERO, NULL);
3598         }
3599 
3600         return rc;
3601 }
3602 
3603 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3604                              unsigned long prot, unsigned long flags)
3605 {
3606         struct common_audit_data ad;
3607         int rc;
3608 
3609         if (file) {
3610                 ad.type = LSM_AUDIT_DATA_FILE;
3611                 ad.u.file = file;
3612                 rc = inode_has_perm(current_cred(), file_inode(file),
3613                                     FILE__MAP, &ad);
3614                 if (rc)
3615                         return rc;
3616         }
3617 
3618         if (selinux_checkreqprot)
3619                 prot = reqprot;
3620 
3621         return file_map_prot_check(file, prot,
3622                                    (flags & MAP_TYPE) == MAP_SHARED);
3623 }
3624 
3625 static int selinux_file_mprotect(struct vm_area_struct *vma,
3626                                  unsigned long reqprot,
3627                                  unsigned long prot)
3628 {
3629         const struct cred *cred = current_cred();
3630         u32 sid = cred_sid(cred);
3631 
3632         if (selinux_checkreqprot)
3633                 prot = reqprot;
3634 
3635         if (default_noexec &&
3636             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3637                 int rc = 0;
3638                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639                     vma->vm_end <= vma->vm_mm->brk) {
3640                         rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3641                                           PROCESS__EXECHEAP, NULL);
3642                 } else if (!vma->vm_file &&
3643                            ((vma->vm_start <= vma->vm_mm->start_stack &&
3644                              vma->vm_end >= vma->vm_mm->start_stack) ||
3645                             vma_is_stack_for_current(vma))) {
3646                         rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3647                                           PROCESS__EXECSTACK, NULL);
3648                 } else if (vma->vm_file && vma->anon_vma) {
3649                         /*
3650                          * We are making executable a file mapping that has
3651                          * had some COW done. Since pages might have been
3652                          * written, check ability to execute the possibly
3653                          * modified content.  This typically should only
3654                          * occur for text relocations.
3655                          */
3656                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3657                 }
3658                 if (rc)
3659                         return rc;
3660         }
3661 
3662         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3663 }
3664 
3665 static int selinux_file_lock(struct file *file, unsigned int cmd)
3666 {
3667         const struct cred *cred = current_cred();
3668 
3669         return file_has_perm(cred, file, FILE__LOCK);
3670 }
3671 
3672 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3673                               unsigned long arg)
3674 {
3675         const struct cred *cred = current_cred();
3676         int err = 0;
3677 
3678         switch (cmd) {
3679         case F_SETFL:
3680                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3681                         err = file_has_perm(cred, file, FILE__WRITE);
3682                         break;
3683                 }
3684                 /* fall through */
3685         case F_SETOWN:
3686         case F_SETSIG:
3687         case F_GETFL:
3688         case F_GETOWN:
3689         case F_GETSIG:
3690         case F_GETOWNER_UIDS:
3691                 /* Just check FD__USE permission */
3692                 err = file_has_perm(cred, file, 0);
3693                 break;
3694         case F_GETLK:
3695         case F_SETLK:
3696         case F_SETLKW:
3697         case F_OFD_GETLK:
3698         case F_OFD_SETLK:
3699         case F_OFD_SETLKW:
3700 #if BITS_PER_LONG == 32
3701         case F_GETLK64:
3702         case F_SETLK64:
3703         case F_SETLKW64:
3704 #endif
3705                 err = file_has_perm(cred, file, FILE__LOCK);
3706                 break;
3707         }
3708 
3709         return err;
3710 }
3711 
3712 static void selinux_file_set_fowner(struct file *file)
3713 {
3714         struct file_security_struct *fsec;
3715 
3716         fsec = file->f_security;
3717         fsec->fown_sid = current_sid();
3718 }
3719 
3720 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3721                                        struct fown_struct *fown, int signum)
3722 {
3723         struct file *file;
3724         u32 sid = task_sid(tsk);
3725         u32 perm;
3726         struct file_security_struct *fsec;
3727 
3728         /* struct fown_struct is never outside the context of a struct file */
3729         file = container_of(fown, struct file, f_owner);
3730 
3731         fsec = file->f_security;
3732 
3733         if (!signum)
3734                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3735         else
3736                 perm = signal_to_av(signum);
3737 
3738         return avc_has_perm(fsec->fown_sid, sid,
3739                             SECCLASS_PROCESS, perm, NULL);
3740 }
3741 
3742 static int selinux_file_receive(struct file *file)
3743 {
3744         const struct cred *cred = current_cred();
3745 
3746         return file_has_perm(cred, file, file_to_av(file));
3747 }
3748 
3749 static int selinux_file_open(struct file *file, const struct cred *cred)
3750 {
3751         struct file_security_struct *fsec;
3752         struct inode_security_struct *isec;
3753 
3754         fsec = file->f_security;
3755         isec = inode_security(file_inode(file));
3756         /*
3757          * Save inode label and policy sequence number
3758          * at open-time so that selinux_file_permission
3759          * can determine whether revalidation is necessary.
3760          * Task label is already saved in the file security
3761          * struct as its SID.
3762          */
3763         fsec->isid = isec->sid;
3764         fsec->pseqno = avc_policy_seqno();
3765         /*
3766          * Since the inode label or policy seqno may have changed
3767          * between the selinux_inode_permission check and the saving
3768          * of state above, recheck that access is still permitted.
3769          * Otherwise, access might never be revalidated against the
3770          * new inode label or new policy.
3771          * This check is not redundant - do not remove.
3772          */
3773         return file_path_has_perm(cred, file, open_file_to_av(file));
3774 }
3775 
3776 /* task security operations */
3777 
3778 static int selinux_task_alloc(struct task_struct *task,
3779                               unsigned long clone_flags)
3780 {
3781         u32 sid = current_sid();
3782 
3783         return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784 }
3785 
3786 /*
3787  * allocate the SELinux part of blank credentials
3788  */
3789 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3790 {
3791         struct task_security_struct *tsec;
3792 
3793         tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3794         if (!tsec)
3795                 return -ENOMEM;
3796 
3797         cred->security = tsec;
3798         return 0;
3799 }
3800 
3801 /*
3802  * detach and free the LSM part of a set of credentials
3803  */
3804 static void selinux_cred_free(struct cred *cred)
3805 {
3806         struct task_security_struct *tsec = cred->security;
3807 
3808         /*
3809          * cred->security == NULL if security_cred_alloc_blank() or
3810          * security_prepare_creds() returned an error.
3811          */
3812         BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3813         cred->security = (void *) 0x7UL;
3814         kfree(tsec);
3815 }
3816 
3817 /*
3818  * prepare a new set of credentials for modification
3819  */
3820 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3821                                 gfp_t gfp)
3822 {
3823         const struct task_security_struct *old_tsec;
3824         struct task_security_struct *tsec;
3825 
3826         old_tsec = old->security;
3827 
3828         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3829         if (!tsec)
3830                 return -ENOMEM;
3831 
3832         new->security = tsec;
3833         return 0;
3834 }
3835 
3836 /*
3837  * transfer the SELinux data to a blank set of creds
3838  */
3839 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3840 {
3841         const struct task_security_struct *old_tsec = old->security;
3842         struct task_security_struct *tsec = new->security;
3843 
3844         *tsec = *old_tsec;
3845 }
3846 
3847 /*
3848  * set the security data for a kernel service
3849  * - all the creation contexts are set to unlabelled
3850  */
3851 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3852 {
3853         struct task_security_struct *tsec = new->security;
3854         u32 sid = current_sid();
3855         int ret;
3856 
3857         ret = avc_has_perm(sid, secid,
3858                            SECCLASS_KERNEL_SERVICE,
3859                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3860                            NULL);
3861         if (ret == 0) {
3862                 tsec->sid = secid;
3863                 tsec->create_sid = 0;
3864                 tsec->keycreate_sid = 0;
3865                 tsec->sockcreate_sid = 0;
3866         }
3867         return ret;
3868 }
3869 
3870 /*
3871  * set the file creation context in a security record to the same as the
3872  * objective context of the specified inode
3873  */
3874 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3875 {
3876         struct inode_security_struct *isec = inode_security(inode);
3877         struct task_security_struct *tsec = new->security;
3878         u32 sid = current_sid();
3879         int ret;
3880 
3881         ret = avc_has_perm(sid, isec->sid,
3882                            SECCLASS_KERNEL_SERVICE,
3883                            KERNEL_SERVICE__CREATE_FILES_AS,
3884                            NULL);
3885 
3886         if (ret == 0)
3887                 tsec->create_sid = isec->sid;
3888         return ret;
3889 }
3890 
3891 static int selinux_kernel_module_request(char *kmod_name)
3892 {
3893         struct common_audit_data ad;
3894 
3895         ad.type = LSM_AUDIT_DATA_KMOD;
3896         ad.u.kmod_name = kmod_name;
3897 
3898         return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899                             SYSTEM__MODULE_REQUEST, &ad);
3900 }
3901 
3902 static int selinux_kernel_module_from_file(struct file *file)
3903 {
3904         struct common_audit_data ad;
3905         struct inode_security_struct *isec;
3906         struct file_security_struct *fsec;
3907         u32 sid = current_sid();
3908         int rc;
3909 
3910         /* init_module */
3911         if (file == NULL)
3912                 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3913                                         SYSTEM__MODULE_LOAD, NULL);
3914 
3915         /* finit_module */
3916 
3917         ad.type = LSM_AUDIT_DATA_FILE;
3918         ad.u.file = file;
3919 
3920         fsec = file->f_security;
3921         if (sid != fsec->sid) {
3922                 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923                 if (rc)
3924                         return rc;
3925         }
3926 
3927         isec = inode_security(file_inode(file));
3928         return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3929                                 SYSTEM__MODULE_LOAD, &ad);
3930 }
3931 
3932 static int selinux_kernel_read_file(struct file *file,
3933                                     enum kernel_read_file_id id)
3934 {
3935         int rc = 0;
3936 
3937         switch (id) {
3938         case READING_MODULE:
3939                 rc = selinux_kernel_module_from_file(file);
3940                 break;
3941         default:
3942                 break;
3943         }
3944 
3945         return rc;
3946 }
3947 
3948 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949 {
3950         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3951                             PROCESS__SETPGID, NULL);
3952 }
3953 
3954 static int selinux_task_getpgid(struct task_struct *p)
3955 {
3956         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3957                             PROCESS__GETPGID, NULL);
3958 }
3959 
3960 static int selinux_task_getsid(struct task_struct *p)
3961 {
3962         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3963                             PROCESS__GETSESSION, NULL);
3964 }
3965 
3966 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3967 {
3968         *secid = task_sid(p);
3969 }
3970 
3971 static int selinux_task_setnice(struct task_struct *p, int nice)
3972 {
3973         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3974                             PROCESS__SETSCHED, NULL);
3975 }
3976 
3977 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978 {
3979         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980                             PROCESS__SETSCHED, NULL);
3981 }
3982 
3983 static int selinux_task_getioprio(struct task_struct *p)
3984 {
3985         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986                             PROCESS__GETSCHED, NULL);
3987 }
3988 
3989 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3990                                 unsigned int flags)
3991 {
3992         u32 av = 0;
3993 
3994         if (!flags)
3995                 return 0;
3996         if (flags & LSM_PRLIMIT_WRITE)
3997                 av |= PROCESS__SETRLIMIT;
3998         if (flags & LSM_PRLIMIT_READ)
3999                 av |= PROCESS__GETRLIMIT;
4000         return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4001                             SECCLASS_PROCESS, av, NULL);
4002 }
4003 
4004 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4005                 struct rlimit *new_rlim)
4006 {
4007         struct rlimit *old_rlim = p->signal->rlim + resource;
4008 
4009         /* Control the ability to change the hard limit (whether
4010            lowering or raising it), so that the hard limit can
4011            later be used as a safe reset point for the soft limit
4012            upon context transitions.  See selinux_bprm_committing_creds. */
4013         if (old_rlim->rlim_max != new_rlim->rlim_max)
4014                 return avc_has_perm(current_sid(), task_sid(p),
4015                                     SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016 
4017         return 0;
4018 }
4019 
4020 static int selinux_task_setscheduler(struct task_struct *p)
4021 {
4022         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4023                             PROCESS__SETSCHED, NULL);
4024 }
4025 
4026 static int selinux_task_getscheduler(struct task_struct *p)
4027 {
4028         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4029                             PROCESS__GETSCHED, NULL);
4030 }
4031 
4032 static int selinux_task_movememory(struct task_struct *p)
4033 {
4034         return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4035                             PROCESS__SETSCHED, NULL);
4036 }
4037 
4038 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4039                                 int sig, u32 secid)
4040 {
4041         u32 perm;
4042 
4043         if (!sig)
4044                 perm = PROCESS__SIGNULL; /* null signal; existence test */
4045         else
4046                 perm = signal_to_av(sig);
4047         if (!secid)
4048                 secid = current_sid();
4049         return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050 }
4051 
4052 static void selinux_task_to_inode(struct task_struct *p,
4053                                   struct inode *inode)
4054 {
4055         struct inode_security_struct *isec = inode->i_security;
4056         u32 sid = task_sid(p);
4057 
4058         spin_lock(&isec->lock);
4059         isec->sclass = inode_mode_to_security_class(inode->i_mode);
4060         isec->sid = sid;
4061         isec->initialized = LABEL_INITIALIZED;
4062         spin_unlock(&isec->lock);
4063 }
4064 
4065 /* Returns error only if unable to parse addresses */
4066 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4067                         struct common_audit_data *ad, u8 *proto)
4068 {
4069         int offset, ihlen, ret = -EINVAL;
4070         struct iphdr _iph, *ih;
4071 
4072         offset = skb_network_offset(skb);
4073         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4074         if (ih == NULL)
4075                 goto out;
4076 
4077         ihlen = ih->ihl * 4;
4078         if (ihlen < sizeof(_iph))
4079                 goto out;
4080 
4081         ad->u.net->v4info.saddr = ih->saddr;
4082         ad->u.net->v4info.daddr = ih->daddr;
4083         ret = 0;
4084 
4085         if (proto)
4086                 *proto = ih->protocol;
4087 
4088         switch (ih->protocol) {
4089         case IPPROTO_TCP: {
4090                 struct tcphdr _tcph, *th;
4091 
4092                 if (ntohs(ih->frag_off) & IP_OFFSET)
4093                         break;
4094 
4095                 offset += ihlen;
4096                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097                 if (th == NULL)
4098                         break;
4099 
4100                 ad->u.net->sport = th->source;
4101                 ad->u.net->dport = th->dest;
4102                 break;
4103         }
4104 
4105         case IPPROTO_UDP: {
4106                 struct udphdr _udph, *uh;
4107 
4108                 if (ntohs(ih->frag_off) & IP_OFFSET)
4109                         break;
4110 
4111                 offset += ihlen;
4112                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4113                 if (uh == NULL)
4114                         break;
4115 
4116                 ad->u.net->sport = uh->source;
4117                 ad->u.net->dport = uh->dest;
4118                 break;
4119         }
4120 
4121         case IPPROTO_DCCP: {
4122                 struct dccp_hdr _dccph, *dh;
4123 
4124                 if (ntohs(ih->frag_off) & IP_OFFSET)
4125                         break;
4126 
4127                 offset += ihlen;
4128                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4129                 if (dh == NULL)
4130                         break;
4131 
4132                 ad->u.net->sport = dh->dccph_sport;
4133                 ad->u.net->dport = dh->dccph_dport;
4134                 break;
4135         }
4136 
4137         default:
4138                 break;
4139         }
4140 out:
4141         return ret;
4142 }
4143 
4144 #if IS_ENABLED(CONFIG_IPV6)
4145 
4146 /* Returns error only if unable to parse addresses */
4147 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4148                         struct common_audit_data *ad, u8 *proto)
4149 {
4150         u8 nexthdr;
4151         int ret = -EINVAL, offset;
4152         struct ipv6hdr _ipv6h, *ip6;
4153         __be16 frag_off;
4154 
4155         offset = skb_network_offset(skb);
4156         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4157         if (ip6 == NULL)
4158                 goto out;
4159 
4160         ad->u.net->v6info.saddr = ip6->saddr;
4161         ad->u.net->v6info.daddr = ip6->daddr;
4162         ret = 0;
4163 
4164         nexthdr = ip6->nexthdr;
4165         offset += sizeof(_ipv6h);
4166         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4167         if (offset < 0)
4168                 goto out;
4169 
4170         if (proto)
4171                 *proto = nexthdr;
4172 
4173         switch (nexthdr) {
4174         case IPPROTO_TCP: {
4175                 struct tcphdr _tcph, *th;
4176 
4177                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4178                 if (th == NULL)
4179                         break;
4180 
4181                 ad->u.net->sport = th->source;
4182                 ad->u.net->dport = th->dest;
4183                 break;
4184         }
4185 
4186         case IPPROTO_UDP: {
4187                 struct udphdr _udph, *uh;
4188 
4189                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4190                 if (uh == NULL)
4191                         break;
4192 
4193                 ad->u.net->sport = uh->source;
4194                 ad->u.net->dport = uh->dest;
4195                 break;
4196         }
4197 
4198         case IPPROTO_DCCP: {
4199                 struct dccp_hdr _dccph, *dh;
4200 
4201                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4202                 if (dh == NULL)
4203                         break;
4204 
4205                 ad->u.net->sport = dh->dccph_sport;
4206                 ad->u.net->dport = dh->dccph_dport;
4207                 break;
4208         }
4209 
4210         /* includes fragments */
4211         default:
4212                 break;
4213         }
4214 out:
4215         return ret;
4216 }
4217 
4218 #endif /* IPV6 */
4219 
4220 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4221                              char **_addrp, int src, u8 *proto)
4222 {
4223         char *addrp;
4224         int ret;
4225 
4226         switch (ad->u.net->family) {
4227         case PF_INET:
4228                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4229                 if (ret)
4230                         goto parse_error;
4231                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4232                                        &ad->u.net->v4info.daddr);
4233                 goto okay;
4234 
4235 #if IS_ENABLED(CONFIG_IPV6)
4236         case PF_INET6:
4237                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4238                 if (ret)
4239                         goto parse_error;
4240                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4241                                        &ad->u.net->v6info.daddr);
4242                 goto okay;
4243 #endif  /* IPV6 */
4244         default:
4245                 addrp = NULL;
4246                 goto okay;
4247         }
4248 
4249 parse_error:
4250         printk(KERN_WARNING
4251                "SELinux: failure in selinux_parse_skb(),"
4252                " unable to parse packet\n");
4253         return ret;
4254 
4255 okay:
4256         if (_addrp)
4257                 *_addrp = addrp;
4258         return 0;
4259 }
4260 
4261 /**
4262  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4263  * @skb: the packet
4264  * @family: protocol family
4265  * @sid: the packet's peer label SID
4266  *
4267  * Description:
4268  * Check the various different forms of network peer labeling and determine
4269  * the peer label/SID for the packet; most of the magic actually occurs in
4270  * the security server function security_net_peersid_cmp().  The function
4271  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4272  * or -EACCES if @sid is invalid due to inconsistencies with the different
4273  * peer labels.
4274  *
4275  */
4276 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4277 {
4278         int err;
4279         u32 xfrm_sid;
4280         u32 nlbl_sid;
4281         u32 nlbl_type;
4282 
4283         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4284         if (unlikely(err))
4285                 return -EACCES;
4286         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4287         if (unlikely(err))
4288                 return -EACCES;
4289 
4290         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4291         if (unlikely(err)) {
4292                 printk(KERN_WARNING
4293                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4294                        " unable to determine packet's peer label\n");
4295                 return -EACCES;
4296         }
4297 
4298         return 0;
4299 }
4300 
4301 /**
4302  * selinux_conn_sid - Determine the child socket label for a connection
4303  * @sk_sid: the parent socket's SID
4304  * @skb_sid: the packet's SID
4305  * @conn_sid: the resulting connection SID
4306  *
4307  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4308  * combined with the MLS information from @skb_sid in order to create
4309  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4310  * of @sk_sid.  Returns zero on success, negative values on failure.
4311  *
4312  */
4313 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4314 {
4315         int err = 0;
4316 
4317         if (skb_sid != SECSID_NULL)
4318                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4319         else
4320                 *conn_sid = sk_sid;
4321 
4322         return err;
4323 }
4324 
4325 /* socket security operations */
4326 
4327 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4328                                  u16 secclass, u32 *socksid)
4329 {
4330         if (tsec->sockcreate_sid > SECSID_NULL) {
4331                 *socksid = tsec->sockcreate_sid;
4332                 return 0;
4333         }
4334 
4335         return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4336                                        socksid);
4337 }
4338 
4339 static int sock_has_perm(struct sock *sk, u32 perms)
4340 {
4341         struct sk_security_struct *sksec = sk->sk_security;
4342         struct common_audit_data ad;
4343         struct lsm_network_audit net = {0,};
4344 
4345         if (sksec->sid == SECINITSID_KERNEL)
4346                 return 0;
4347 
4348         ad.type = LSM_AUDIT_DATA_NET;
4349         ad.u.net = &net;
4350         ad.u.net->sk = sk;
4351 
4352         return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4353                             &ad);
4354 }
4355 
4356 static int selinux_socket_create(int family, int type,
4357                                  int protocol, int kern)
4358 {
4359         const struct task_security_struct *tsec = current_security();
4360         u32 newsid;
4361         u16 secclass;
4362         int rc;
4363 
4364         if (kern)
4365                 return 0;
4366 
4367         secclass = socket_type_to_security_class(family, type, protocol);
4368         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4369         if (rc)
4370                 return rc;
4371 
4372         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373 }
4374 
4375 static int selinux_socket_post_create(struct socket *sock, int family,
4376                                       int type, int protocol, int kern)
4377 {
4378         const struct task_security_struct *tsec = current_security();
4379         struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4380         struct sk_security_struct *sksec;
4381         u16 sclass = socket_type_to_security_class(family, type, protocol);
4382         u32 sid = SECINITSID_KERNEL;
4383         int err = 0;
4384 
4385         if (!kern) {
4386                 err = socket_sockcreate_sid(tsec, sclass, &sid);
4387                 if (err)
4388                         return err;
4389         }
4390 
4391         isec->sclass = sclass;
4392         isec->sid = sid;
4393         isec->initialized = LABEL_INITIALIZED;
4394 
4395         if (sock->sk) {
4396                 sksec = sock->sk->sk_security;
4397                 sksec->sclass = sclass;
4398                 sksec->sid = sid;
4399                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4400         }
4401 
4402         return err;
4403 }
4404 
4405 /* Range of port numbers used to automatically bind.
4406    Need to determine whether we should perform a name_bind
4407    permission check between the socket and the port number. */
4408 
4409 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4410 {
4411         struct sock *sk = sock->sk;
4412         u16 family;
4413         int err;
4414 
4415         err = sock_has_perm(sk, SOCKET__BIND);
4416         if (err)
4417                 goto out;
4418 
4419         /*
4420          * If PF_INET or PF_INET6, check name_bind permission for the port.
4421          * Multiple address binding for SCTP is not supported yet: we just
4422          * check the first address now.
4423          */
4424         family = sk->sk_family;
4425         if (family == PF_INET || family == PF_INET6) {
4426                 char *addrp;
4427                 struct sk_security_struct *sksec = sk->sk_security;
4428                 struct common_audit_data ad;
4429                 struct lsm_network_audit net = {0,};
4430                 struct sockaddr_in *addr4 = NULL;
4431                 struct sockaddr_in6 *addr6 = NULL;
4432                 unsigned short snum;
4433                 u32 sid, node_perm;
4434 
4435                 if (family == PF_INET) {
4436                         if (addrlen < sizeof(struct sockaddr_in)) {
4437                                 err = -EINVAL;
4438                                 goto out;
4439                         }
4440                         addr4 = (struct sockaddr_in *)address;
4441                         snum = ntohs(addr4->sin_port);
4442                         addrp = (char *)&addr4->sin_addr.s_addr;
4443                 } else {
4444                         if (addrlen < SIN6_LEN_RFC2133) {
4445                                 err = -EINVAL;
4446                                 goto out;
4447                         }
4448                         addr6 = (struct sockaddr_in6 *)address;
4449                         snum = ntohs(addr6->sin6_port);
4450                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4451                 }
4452 
4453                 if (snum) {
4454                         int low, high;
4455 
4456                         inet_get_local_port_range(sock_net(sk), &low, &high);
4457 
4458                         if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4459                             snum > high) {
4460                                 err = sel_netport_sid(sk->sk_protocol,
4461                                                       snum, &sid);
4462                                 if (err)
4463                                         goto out;
4464                                 ad.type = LSM_AUDIT_DATA_NET;
4465                                 ad.u.net = &net;
4466                                 ad.u.net->sport = htons(snum);
4467                                 ad.u.net->family = family;
4468                                 err = avc_has_perm(sksec->sid, sid,
4469                                                    sksec->sclass,
4470                                                    SOCKET__NAME_BIND, &ad);
4471                                 if (err)
4472                                         goto out;
4473                         }
4474                 }
4475 
4476                 switch (sksec->sclass) {
4477                 case SECCLASS_TCP_SOCKET:
4478                         node_perm = TCP_SOCKET__NODE_BIND;
4479                         break;
4480 
4481                 case SECCLASS_UDP_SOCKET:
4482                         node_perm = UDP_SOCKET__NODE_BIND;
4483                         break;
4484 
4485                 case SECCLASS_DCCP_SOCKET:
4486                         node_perm = DCCP_SOCKET__NODE_BIND;
4487                         break;
4488 
4489                 default:
4490                         node_perm = RAWIP_SOCKET__NODE_BIND;
4491                         break;
4492                 }
4493 
4494                 err = sel_netnode_sid(addrp, family, &sid);
4495                 if (err)
4496                         goto out;
4497 
4498                 ad.type = LSM_AUDIT_DATA_NET;
4499                 ad.u.net = &net;
4500                 ad.u.net->sport = htons(snum);
4501                 ad.u.net->family = family;
4502 
4503                 if (family == PF_INET)
4504                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505                 else
4506                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4507 
4508                 err = avc_has_perm(sksec->sid, sid,
4509                                    sksec->sclass, node_perm, &ad);
4510                 if (err)
4511                         goto out;
4512         }
4513 out:
4514         return err;
4515 }
4516 
4517 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4518 {
4519         struct sock *sk = sock->sk;
4520         struct sk_security_struct *sksec = sk->sk_security;
4521         int err;
4522 
4523         err = sock_has_perm(sk, SOCKET__CONNECT);
4524         if (err)
4525                 return err;
4526 
4527         /*
4528          * If a TCP or DCCP socket, check name_connect permission for the port.
4529          */
4530         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531             sksec->sclass == SECCLASS_DCCP_SOCKET) {
4532                 struct common_audit_data ad;
4533                 struct lsm_network_audit net = {0,};
4534                 struct sockaddr_in *addr4 = NULL;
4535                 struct sockaddr_in6 *addr6 = NULL;
4536                 unsigned short snum;
4537                 u32 sid, perm;
4538 
4539                 if (sk->sk_family == PF_INET) {
4540                         addr4 = (struct sockaddr_in *)address;
4541                         if (addrlen < sizeof(struct sockaddr_in))
4542                                 return -EINVAL;
4543                         snum = ntohs(addr4->sin_port);
4544                 } else {
4545                         addr6 = (struct sockaddr_in6 *)address;
4546                         if (addrlen < SIN6_LEN_RFC2133)
4547                                 return -EINVAL;
4548                         snum = ntohs(addr6->sin6_port);
4549                 }
4550 
4551                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552                 if (err)
4553                         goto out;
4554 
4555                 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4556                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4557 
4558                 ad.type = LSM_AUDIT_DATA_NET;
4559                 ad.u.net = &net;
4560                 ad.u.net->dport = htons(snum);
4561                 ad.u.net->family = sk->sk_family;
4562                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4563                 if (err)
4564                         goto out;
4565         }
4566 
4567         err = selinux_netlbl_socket_connect(sk, address);
4568 
4569 out:
4570         return err;
4571 }
4572 
4573 static int selinux_socket_listen(struct socket *sock, int backlog)
4574 {
4575         return sock_has_perm(sock->sk, SOCKET__LISTEN);
4576 }
4577 
4578 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4579 {
4580         int err;
4581         struct inode_security_struct *isec;
4582         struct inode_security_struct *newisec;
4583         u16 sclass;
4584         u32 sid;
4585 
4586         err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4587         if (err)
4588                 return err;
4589 
4590         isec = inode_security_novalidate(SOCK_INODE(sock));
4591         spin_lock(&isec->lock);
4592         sclass = isec->sclass;
4593         sid = isec->sid;
4594         spin_unlock(&isec->lock);
4595 
4596         newisec = inode_security_novalidate(SOCK_INODE(newsock));
4597         newisec->sclass = sclass;
4598         newisec->sid = sid;
4599         newisec->initialized = LABEL_INITIALIZED;
4600 
4601         return 0;
4602 }
4603 
4604 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4605                                   int size)
4606 {
4607         return sock_has_perm(sock->sk, SOCKET__WRITE);
4608 }
4609 
4610 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4611                                   int size, int flags)
4612 {
4613         return sock_has_perm(sock->sk, SOCKET__READ);
4614 }
4615 
4616 static int selinux_socket_getsockname(struct socket *sock)
4617 {
4618         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4619 }
4620 
4621 static int selinux_socket_getpeername(struct socket *sock)
4622 {
4623         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4624 }
4625 
4626 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4627 {
4628         int err;
4629 
4630         err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4631         if (err)
4632                 return err;
4633 
4634         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4635 }
4636 
4637 static int selinux_socket_getsockopt(struct socket *sock, int level,
4638                                      int optname)
4639 {
4640         return sock_has_perm(sock->sk, SOCKET__GETOPT);
4641 }
4642 
4643 static int selinux_socket_shutdown(struct socket *sock, int how)
4644 {
4645         return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4646 }
4647 
4648 static int selinux_socket_unix_stream_connect(struct sock *sock,
4649                                               struct sock *other,
4650                                               struct sock *newsk)
4651 {
4652         struct sk_security_struct *sksec_sock = sock->sk_security;
4653         struct sk_security_struct *sksec_other = other->sk_security;
4654         struct sk_security_struct *sksec_new = newsk->sk_security;
4655         struct common_audit_data ad;
4656         struct lsm_network_audit net = {0,};
4657         int err;
4658 
4659         ad.type = LSM_AUDIT_DATA_NET;
4660         ad.u.net = &net;
4661         ad.u.net->sk = other;
4662 
4663         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4664                            sksec_other->sclass,
4665                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666         if (err)
4667                 return err;
4668 
4669         /* server child socket */
4670         sksec_new->peer_sid = sksec_sock->sid;
4671         err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4672                                     &sksec_new->sid);
4673         if (err)
4674                 return err;
4675 
4676         /* connecting socket */
4677         sksec_sock->peer_sid = sksec_new->sid;
4678 
4679         return 0;
4680 }
4681 
4682 static int selinux_socket_unix_may_send(struct socket *sock,
4683                                         struct socket *other)
4684 {
4685         struct sk_security_struct *ssec = sock->sk->sk_security;
4686         struct sk_security_struct *osec = other->sk->sk_security;
4687         struct common_audit_data ad;
4688         struct lsm_network_audit net = {0,};
4689 
4690         ad.type = LSM_AUDIT_DATA_NET;
4691         ad.u.net = &net;
4692         ad.u.net->sk = other->sk;
4693 
4694         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695                             &ad);
4696 }
4697 
4698 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4699                                     char *addrp, u16 family, u32 peer_sid,
4700                                     struct common_audit_data *ad)
4701 {
4702         int err;
4703         u32 if_sid;
4704         u32 node_sid;
4705 
4706         err = sel_netif_sid(ns, ifindex, &if_sid);
4707         if (err)
4708                 return err;
4709         err = avc_has_perm(peer_sid, if_sid,
4710                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4711         if (err)
4712                 return err;
4713 
4714         err = sel_netnode_sid(addrp, family, &node_sid);
4715         if (err)
4716                 return err;
4717         return avc_has_perm(peer_sid, node_sid,
4718                             SECCLASS_NODE, NODE__RECVFROM, ad);
4719 }
4720 
4721 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4722                                        u16 family)
4723 {
4724         int err = 0;
4725         struct sk_security_struct *sksec = sk->sk_security;
4726         u32 sk_sid = sksec->sid;
4727         struct common_audit_data ad;
4728         struct lsm_network_audit net = {0,};
4729         char *addrp;
4730 
4731         ad.type = LSM_AUDIT_DATA_NET;
4732         ad.u.net = &net;
4733         ad.u.net->netif = skb->skb_iif;
4734         ad.u.net->family = family;
4735         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4736         if (err)
4737                 return err;
4738 
4739         if (selinux_secmark_enabled()) {
4740                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4741                                    PACKET__RECV, &ad);
4742                 if (err)
4743                         return err;
4744         }
4745 
4746         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4747         if (err)
4748                 return err;
4749         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4750 
4751         return err;
4752 }
4753 
4754 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4755 {
4756         int err;
4757         struct sk_security_struct *sksec = sk->sk_security;
4758         u16 family = sk->sk_family;
4759         u32 sk_sid = sksec->sid;
4760         struct common_audit_data ad;
4761         struct lsm_network_audit net = {0,};
4762         char *addrp;
4763         u8 secmark_active;
4764         u8 peerlbl_active;
4765 
4766         if (family != PF_INET && family != PF_INET6)
4767                 return 0;
4768 
4769         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4770         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4771                 family = PF_INET;
4772 
4773         /* If any sort of compatibility mode is enabled then handoff processing
4774          * to the selinux_sock_rcv_skb_compat() function to deal with the
4775          * special handling.  We do this in an attempt to keep this function
4776          * as fast and as clean as possible. */
4777         if (!selinux_policycap_netpeer)
4778                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4779 
4780         secmark_active = selinux_secmark_enabled();
4781         peerlbl_active = selinux_peerlbl_enabled();
4782         if (!secmark_active && !peerlbl_active)
4783                 return 0;
4784 
4785         ad.type = LSM_AUDIT_DATA_NET;
4786         ad.u.net = &net;
4787         ad.u.net->netif = skb->skb_iif;
4788         ad.u.net->family = family;
4789         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4790         if (err)
4791                 return err;
4792 
4793         if (peerlbl_active) {
4794                 u32 peer_sid;
4795 
4796                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4797                 if (err)
4798                         return err;
4799                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4800                                                addrp, family, peer_sid, &ad);
4801                 if (err) {
4802                         selinux_netlbl_err(skb, family, err, 0);
4803                         return err;
4804                 }
4805                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4806                                    PEER__RECV, &ad);
4807                 if (err) {
4808                         selinux_netlbl_err(skb, family, err, 0);
4809                         return err;
4810                 }
4811         }
4812 
4813         if (secmark_active) {
4814                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4815                                    PACKET__RECV, &ad);
4816                 if (err)
4817                         return err;
4818         }
4819 
4820         return err;
4821 }
4822 
4823 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4824                                             int __user *optlen, unsigned len)
4825 {
4826         int err = 0;
4827         char *scontext;
4828         u32 scontext_len;
4829         struct sk_security_struct *sksec = sock->sk->sk_security;
4830         u32 peer_sid = SECSID_NULL;
4831 
4832         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833             sksec->sclass == SECCLASS_TCP_SOCKET)
4834                 peer_sid = sksec->peer_sid;
4835         if (peer_sid == SECSID_NULL)
4836                 return -ENOPROTOOPT;
4837 
4838         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4839         if (err)
4840                 return err;
4841 
4842         if (scontext_len > len) {
4843                 err = -ERANGE;
4844                 goto out_len;
4845         }
4846 
4847         if (copy_to_user(optval, scontext, scontext_len))
4848                 err = -EFAULT;
4849 
4850 out_len:
4851         if (put_user(scontext_len, optlen))
4852                 err = -EFAULT;
4853         kfree(scontext);
4854         return err;
4855 }
4856 
4857 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4858 {
4859         u32 peer_secid = SECSID_NULL;
4860         u16 family;
4861         struct inode_security_struct *isec;
4862 
4863         if (skb && skb->protocol == htons(ETH_P_IP))
4864                 family = PF_INET;
4865         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4866                 family = PF_INET6;
4867         else if (sock)
4868                 family = sock->sk->sk_family;
4869         else
4870                 goto out;
4871 
4872         if (sock && family == PF_UNIX) {
4873                 isec = inode_security_novalidate(SOCK_INODE(sock));
4874                 peer_secid = isec->sid;
4875         } else if (skb)
4876                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4877 
4878 out:
4879         *secid = peer_secid;
4880         if (peer_secid == SECSID_NULL)
4881                 return -EINVAL;
4882         return 0;
4883 }
4884 
4885 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4886 {
4887         struct sk_security_struct *sksec;
4888 
4889         sksec = kzalloc(sizeof(*sksec), priority);
4890         if (!sksec)
4891                 return -ENOMEM;
4892 
4893         sksec->peer_sid = SECINITSID_UNLABELED;
4894         sksec->sid = SECINITSID_UNLABELED;
4895         sksec->sclass = SECCLASS_SOCKET;
4896         selinux_netlbl_sk_security_reset(sksec);
4897         sk->sk_security = sksec;
4898 
4899         return 0;
4900 }
4901 
4902 static void selinux_sk_free_security(struct sock *sk)
4903 {
4904         struct sk_security_struct *sksec = sk->sk_security;
4905 
4906         sk->sk_security = NULL;
4907         selinux_netlbl_sk_security_free(sksec);
4908         kfree(sksec);
4909 }
4910 
4911 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4912 {
4913         struct sk_security_struct *sksec = sk->sk_security;
4914         struct sk_security_struct *newsksec = newsk->sk_security;
4915 
4916         newsksec->sid = sksec->sid;
4917         newsksec->peer_sid = sksec->peer_sid;
4918         newsksec->sclass = sksec->sclass;
4919 
4920         selinux_netlbl_sk_security_reset(newsksec);
4921 }
4922 
4923 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4924 {
4925         if (!sk)
4926                 *secid = SECINITSID_ANY_SOCKET;
4927         else {
4928                 struct sk_security_struct *sksec = sk->sk_security;
4929 
4930                 *secid = sksec->sid;
4931         }
4932 }
4933 
4934 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4935 {
4936         struct inode_security_struct *isec =
4937                 inode_security_novalidate(SOCK_INODE(parent));
4938         struct sk_security_struct *sksec = sk->sk_security;
4939 
4940         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4941             sk->sk_family == PF_UNIX)
4942                 isec->sid = sksec->sid;
4943         sksec->sclass = isec->sclass;
4944 }
4945 
4946 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947                                      struct request_sock *req)
4948 {
4949         struct sk_security_struct *sksec = sk->sk_security;
4950         int err;
4951         u16 family = req->rsk_ops->family;
4952         u32 connsid;
4953         u32 peersid;
4954 
4955         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4956         if (err)
4957                 return err;
4958         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4959         if (err)
4960                 return err;
4961         req->secid = connsid;
4962         req->peer_secid = peersid;
4963 
4964         return selinux_netlbl_inet_conn_request(req, family);
4965 }
4966 
4967 static void selinux_inet_csk_clone(struct sock *newsk,
4968                                    const struct request_sock *req)
4969 {
4970         struct sk_security_struct *newsksec = newsk->sk_security;
4971 
4972         newsksec->sid = req->secid;
4973         newsksec->peer_sid = req->peer_secid;
4974         /* NOTE: Ideally, we should also get the isec->sid for the
4975            new socket in sync, but we don't have the isec available yet.
4976            So we will wait until sock_graft to do it, by which
4977            time it will have been created and available. */
4978 
4979         /* We don't need to take any sort of lock here as we are the only
4980          * thread with access to newsksec */
4981         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4982 }
4983 
4984 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4985 {
4986         u16 family = sk->sk_family;
4987         struct sk_security_struct *sksec = sk->sk_security;
4988 
4989         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4990         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4991                 family = PF_INET;
4992 
4993         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4994 }
4995 
4996 static int selinux_secmark_relabel_packet(u32 sid)
4997 {
4998         const struct task_security_struct *__tsec;
4999         u32 tsid;
5000 
5001         __tsec = current_security();
5002         tsid = __tsec->sid;
5003 
5004         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5005 }
5006 
5007 static void selinux_secmark_refcount_inc(void)
5008 {
5009         atomic_inc(&selinux_secmark_refcount);
5010 }
5011 
5012 static void selinux_secmark_refcount_dec(void)
5013 {
5014         atomic_dec(&selinux_secmark_refcount);
5015 }
5016 
5017 static void selinux_req_classify_flow(const struct request_sock *req,
5018                                       struct flowi *fl)
5019 {
5020         fl->flowi_secid = req->secid;
5021 }
5022 
5023 static int selinux_tun_dev_alloc_security(void **security)
5024 {
5025         struct tun_security_struct *tunsec;
5026 
5027         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5028         if (!tunsec)
5029                 return -ENOMEM;
5030         tunsec->sid = current_sid();
5031 
5032         *security = tunsec;
5033         return 0;
5034 }
5035 
5036 static void selinux_tun_dev_free_security(void *security)
5037 {
5038         kfree(security);
5039 }
5040 
5041 static int selinux_tun_dev_create(void)
5042 {
5043         u32 sid = current_sid();
5044 
5045         /* we aren't taking into account the "sockcreate" SID since the socket
5046          * that is being created here is not a socket in the traditional sense,
5047          * instead it is a private sock, accessible only to the kernel, and
5048          * representing a wide range of network traffic spanning multiple
5049          * connections unlike traditional sockets - check the TUN driver to
5050          * get a better understanding of why this socket is special */
5051 
5052         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5053                             NULL);
5054 }
5055 
5056 static int selinux_tun_dev_attach_queue(void *security)
5057 {
5058         struct tun_security_struct *tunsec = security;
5059 
5060         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5061                             TUN_SOCKET__ATTACH_QUEUE, NULL);
5062 }
5063 
5064 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5065 {
5066         struct tun_security_struct *tunsec = security;
5067         struct sk_security_struct *sksec = sk->sk_security;
5068 
5069         /* we don't currently perform any NetLabel based labeling here and it
5070          * isn't clear that we would want to do so anyway; while we could apply
5071          * labeling without the support of the TUN user the resulting labeled
5072          * traffic from the other end of the connection would almost certainly
5073          * cause confusion to the TUN user that had no idea network labeling
5074          * protocols were being used */
5075 
5076         sksec->sid = tunsec->sid;
5077         sksec->sclass = SECCLASS_TUN_SOCKET;
5078 
5079         return 0;
5080 }
5081 
5082 static int selinux_tun_dev_open(void *security)
5083 {
5084         struct tun_security_struct *tunsec = security;
5085         u32 sid = current_sid();
5086         int err;
5087 
5088         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5089                            TUN_SOCKET__RELABELFROM, NULL);
5090         if (err)
5091                 return err;
5092         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5093                            TUN_SOCKET__RELABELTO, NULL);
5094         if (err)
5095                 return err;
5096         tunsec->sid = sid;
5097 
5098         return 0;
5099 }
5100 
5101 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5102 {
5103         int err = 0;
5104         u32 perm;
5105         struct nlmsghdr *nlh;
5106         struct sk_security_struct *sksec = sk->sk_security;
5107 
5108         if (skb->len < NLMSG_HDRLEN) {
5109                 err = -EINVAL;
5110                 goto out;
5111         }
5112         nlh = nlmsg_hdr(skb);
5113 
5114         err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5115         if (err) {
5116                 if (err == -EINVAL) {
5117                         pr_warn_ratelimited("SELinux: unrecognized netlink"
5118                                " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5119                                " pig=%d comm=%s\n",
5120                                sk->sk_protocol, nlh->nlmsg_type,
5121                                secclass_map[sksec->sclass - 1].name,
5122                                task_pid_nr(current), current->comm);
5123                         if (!selinux_enforcing || security_get_allow_unknown())
5124                                 err = 0;
5125                 }
5126 
5127                 /* Ignore */
5128                 if (err == -ENOENT)
5129                         err = 0;
5130                 goto out;
5131         }
5132 
5133         err = sock_has_perm(sk, perm);
5134 out:
5135         return err;
5136 }
5137 
5138 #ifdef CONFIG_NETFILTER
5139 
5140 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5141                                        const struct net_device *indev,
5142                                        u16 family)
5143 {
5144         int err;
5145         char *addrp;
5146         u32 peer_sid;
5147         struct common_audit_data ad;
5148         struct lsm_network_audit net = {0,};
5149         u8 secmark_active;
5150         u8 netlbl_active;
5151         u8 peerlbl_active;
5152 
5153         if (!selinux_policycap_netpeer)
5154                 return NF_ACCEPT;
5155 
5156         secmark_active = selinux_secmark_enabled();
5157         netlbl_active = netlbl_enabled();
5158         peerlbl_active = selinux_peerlbl_enabled();
5159         if (!secmark_active && !peerlbl_active)
5160                 return NF_ACCEPT;
5161 
5162         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5163                 return NF_DROP;
5164 
5165         ad.type = LSM_AUDIT_DATA_NET;
5166         ad.u.net = &net;
5167         ad.u.net->netif = indev->ifindex;
5168         ad.u.net->family = family;
5169         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5170                 return NF_DROP;
5171 
5172         if (peerlbl_active) {
5173                 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5174                                                addrp, family, peer_sid, &ad);
5175                 if (err) {
5176                         selinux_netlbl_err(skb, family, err, 1);
5177                         return NF_DROP;
5178                 }
5179         }
5180 
5181         if (secmark_active)
5182                 if (avc_has_perm(peer_sid, skb->secmark,
5183                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5184                         return NF_DROP;
5185 
5186         if (netlbl_active)
5187                 /* we do this in the FORWARD path and not the POST_ROUTING
5188                  * path because we want to make sure we apply the necessary
5189                  * labeling before IPsec is applied so we can leverage AH
5190                  * protection */
5191                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5192                         return NF_DROP;
5193 
5194         return NF_ACCEPT;
5195 }
5196 
5197 static unsigned int selinux_ipv4_forward(void *priv,
5198                                          struct sk_buff *skb,
5199                                          const struct nf_hook_state *state)
5200 {
5201         return selinux_ip_forward(skb, state->in, PF_INET);
5202 }
5203 
5204 #if IS_ENABLED(CONFIG_IPV6)
5205 static unsigned int selinux_ipv6_forward(void *priv,
5206                                          struct sk_buff *skb,
5207                                          const struct nf_hook_state *state)
5208 {
5209         return selinux_ip_forward(skb, state->in, PF_INET6);
5210 }
5211 #endif  /* IPV6 */
5212 
5213 static unsigned int selinux_ip_output(struct sk_buff *skb,
5214                                       u16 family)
5215 {
5216         struct sock *sk;
5217         u32 sid;
5218 
5219         if (!netlbl_enabled())
5220                 return NF_ACCEPT;
5221 
5222         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5223          * because we want to make sure we apply the necessary labeling
5224          * before IPsec is applied so we can leverage AH protection */
5225         sk = skb->sk;
5226         if (sk) {
5227                 struct sk_security_struct *sksec;
5228 
5229                 if (sk_listener(sk))
5230                         /* if the socket is the listening state then this
5231                          * packet is a SYN-ACK packet which means it needs to
5232                          * be labeled based on the connection/request_sock and
5233                          * not the parent socket.  unfortunately, we can't
5234                          * lookup the request_sock yet as it isn't queued on
5235                          * the parent socket until after the SYN-ACK is sent.
5236                          * the "solution" is to simply pass the packet as-is
5237                          * as any IP option based labeling should be copied
5238                          * from the initial connection request (in the IP
5239                          * layer).  it is far from ideal, but until we get a
5240                          * security label in the packet itself this is the
5241                          * best we can do. */
5242                         return NF_ACCEPT;
5243 
5244                 /* standard practice, label using the parent socket */
5245                 sksec = sk->sk_security;
5246                 sid = sksec->sid;
5247         } else
5248                 sid = SECINITSID_KERNEL;
5249         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5250                 return NF_DROP;
5251 
5252         return NF_ACCEPT;
5253 }
5254 
5255 static unsigned int selinux_ipv4_output(void *priv,
5256                                         struct sk_buff *skb,
5257                                         const struct nf_hook_state *state)
5258 {
5259         return selinux_ip_output(skb, PF_INET);
5260 }
5261 
5262 #if IS_ENABLED(CONFIG_IPV6)
5263 static unsigned int selinux_ipv6_output(void *priv,
5264                                         struct sk_buff *skb,
5265                                         const struct nf_hook_state *state)
5266 {
5267         return selinux_ip_output(skb, PF_INET6);
5268 }
5269 #endif  /* IPV6 */
5270 
5271 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5272                                                 int ifindex,
5273                                                 u16 family)
5274 {
5275         struct sock *sk = skb_to_full_sk(skb);
5276         struct sk_security_struct *sksec;
5277         struct common_audit_data ad;
5278         struct lsm_network_audit net = {0,};
5279         char *addrp;
5280         u8 proto;
5281 
5282         if (sk == NULL)
5283                 return NF_ACCEPT;
5284         sksec = sk->sk_security;
5285 
5286         ad.type = LSM_AUDIT_DATA_NET;
5287         ad.u.net = &net;
5288         ad.u.net->netif = ifindex;
5289         ad.u.net->family = family;
5290         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5291                 return NF_DROP;
5292 
5293         if (selinux_secmark_enabled())
5294                 if (avc_has_perm(sksec->sid, skb->secmark,
5295                                  SECCLASS_PACKET, PACKET__SEND, &ad))
5296                         return NF_DROP_ERR(-ECONNREFUSED);
5297 
5298         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5299                 return NF_DROP_ERR(-ECONNREFUSED);
5300 
5301         return NF_ACCEPT;
5302 }
5303 
5304 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5305                                          const struct net_device *outdev,
5306                                          u16 family)
5307 {
5308         u32 secmark_perm;
5309         u32 peer_sid;
5310         int ifindex = outdev->ifindex;
5311         struct sock *sk;
5312         struct common_audit_data ad;
5313         struct lsm_network_audit net = {0,};
5314         char *addrp;
5315         u8 secmark_active;
5316         u8 peerlbl_active;
5317 
5318         /* If any sort of compatibility mode is enabled then handoff processing
5319          * to the selinux_ip_postroute_compat() function to deal with the
5320          * special handling.  We do this in an attempt to keep this function
5321          * as fast and as clean as possible. */
5322         if (!selinux_policycap_netpeer)
5323                 return selinux_ip_postroute_compat(skb, ifindex, family);
5324 
5325         secmark_active = selinux_secmark_enabled();
5326         peerlbl_active = selinux_peerlbl_enabled();
5327         if (!secmark_active && !peerlbl_active)
5328                 return NF_ACCEPT;
5329 
5330         sk = skb_to_full_sk(skb);
5331 
5332 #ifdef CONFIG_XFRM
5333         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5334          * packet transformation so allow the packet to pass without any checks
5335          * since we'll have another chance to perform access control checks
5336          * when the packet is on it's final way out.
5337          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5338          *       is NULL, in this case go ahead and apply access control.
5339          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5340          *       TCP listening state we cannot wait until the XFRM processing
5341          *       is done as we will miss out on the SA label if we do;
5342          *       unfortunately, this means more work, but it is only once per
5343          *       connection. */
5344         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5345             !(sk && sk_listener(sk)))
5346                 return NF_ACCEPT;
5347 #endif
5348 
5349         if (sk == NULL) {
5350                 /* Without an associated socket the packet is either coming
5351                  * from the kernel or it is being forwarded; check the packet
5352                  * to determine which and if the packet is being forwarded
5353                  * query the packet directly to determine the security label. */
5354                 if (skb->skb_iif) {
5355                         secmark_perm = PACKET__FORWARD_OUT;
5356                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5357                                 return NF_DROP;
5358                 } else {
5359                         secmark_perm = PACKET__SEND;
5360                         peer_sid = SECINITSID_KERNEL;
5361                 }
5362         } else if (sk_listener(sk)) {
5363                 /* Locally generated packet but the associated socket is in the
5364                  * listening state which means this is a SYN-ACK packet.  In
5365                  * this particular case the correct security label is assigned
5366                  * to the connection/request_sock but unfortunately we can't
5367                  * query the request_sock as it isn't queued on the parent
5368                  * socket until after the SYN-ACK packet is sent; the only
5369                  * viable choice is to regenerate the label like we do in
5370                  * selinux_inet_conn_request().  See also selinux_ip_output()
5371                  * for similar problems. */
5372                 u32 skb_sid;
5373                 struct sk_security_struct *sksec;
5374 
5375                 sksec = sk->sk_security;
5376                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5377                         return NF_DROP;
5378                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5379                  * and the packet has been through at least one XFRM
5380                  * transformation then we must be dealing with the "final"
5381                  * form of labeled IPsec packet; since we've already applied
5382                  * all of our access controls on this packet we can safely
5383                  * pass the packet. */
5384                 if (skb_sid == SECSID_NULL) {
5385                         switch (family) {
5386                         case PF_INET:
5387                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5388                                         return NF_ACCEPT;
5389                                 break;
5390                         case PF_INET6:
5391                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5392                                         return NF_ACCEPT;
5393                                 break;
5394                         default:
5395                                 return NF_DROP_ERR(-ECONNREFUSED);
5396                         }
5397                 }
5398                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5399                         return NF_DROP;
5400                 secmark_perm = PACKET__SEND;
5401         } else {
5402                 /* Locally generated packet, fetch the security label from the
5403                  * associated socket. */
5404                 struct sk_security_struct *sksec = sk->sk_security;
5405                 peer_sid = sksec->sid;
5406                 secmark_perm = PACKET__SEND;
5407         }
5408 
5409         ad.type = LSM_AUDIT_DATA_NET;
5410         ad.u.net = &net;
5411         ad.u.net->netif = ifindex;
5412         ad.u.net->family = family;
5413         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5414                 return NF_DROP;
5415 
5416         if (secmark_active)
5417                 if (avc_has_perm(peer_sid, skb->secmark,
5418                                  SECCLASS_PACKET, secmark_perm, &ad))
5419                         return NF_DROP_ERR(-ECONNREFUSED);
5420 
5421         if (peerlbl_active) {
5422                 u32 if_sid;
5423                 u32 node_sid;
5424 
5425                 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5426                         return NF_DROP;
5427                 if (avc_has_perm(peer_sid, if_sid,
5428                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5429                         return NF_DROP_ERR(-ECONNREFUSED);
5430 
5431                 if (sel_netnode_sid(addrp, family, &node_sid))
5432                         return NF_DROP;
5433                 if (avc_has_perm(peer_sid, node_sid,
5434                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5435                         return NF_DROP_ERR(-ECONNREFUSED);
5436         }
5437 
5438         return NF_ACCEPT;
5439 }
5440 
5441 static unsigned int selinux_ipv4_postroute(void *priv,
5442                                            struct sk_buff *skb,
5443                                            const struct nf_hook_state *state)
5444 {
5445         return selinux_ip_postroute(skb, state->out, PF_INET);
5446 }
5447 
5448 #if IS_ENABLED(CONFIG_IPV6)
5449 static unsigned int selinux_ipv6_postroute(void *priv,
5450                                            struct sk_buff *skb,
5451                                            const struct nf_hook_state *state)
5452 {
5453         return selinux_ip_postroute(skb, state->out, PF_INET6);
5454 }
5455 #endif  /* IPV6 */
5456 
5457 #endif  /* CONFIG_NETFILTER */
5458 
5459 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5460 {
5461         return selinux_nlmsg_perm(sk, skb);
5462 }
5463 
5464 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5465                               u16 sclass)
5466 {
5467         struct ipc_security_struct *isec;
5468 
5469         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5470         if (!isec)
5471                 return -ENOMEM;
5472 
5473         isec->sclass = sclass;
5474         isec->sid = current_sid();
5475         perm->security = isec;
5476 
5477         return 0;
5478 }
5479 
5480 static void ipc_free_security(struct kern_ipc_perm *perm)
5481 {
5482         struct ipc_security_struct *isec = perm->security;
5483         perm->security = NULL;
5484         kfree(isec);
5485 }
5486 
5487 static int msg_msg_alloc_security(struct msg_msg *msg)
5488 {
5489         struct msg_security_struct *msec;
5490 
5491         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5492         if (!msec)
5493                 return -ENOMEM;
5494 
5495         msec->sid = SECINITSID_UNLABELED;
5496         msg->security = msec;
5497 
5498         return 0;
5499 }
5500 
5501 static void msg_msg_free_security(struct msg_msg *msg)
5502 {
5503         struct msg_security_struct *msec = msg->security;
5504 
5505         msg->security = NULL;
5506         kfree(msec);
5507 }
5508 
5509 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5510                         u32 perms)
5511 {
5512         struct ipc_security_struct *isec;
5513         struct common_audit_data ad;
5514         u32 sid = current_sid();
5515 
5516         isec = ipc_perms->security;
5517 
5518         ad.type = LSM_AUDIT_DATA_IPC;
5519         ad.u.ipc_id = ipc_perms->key;
5520 
5521         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5522 }
5523 
5524 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5525 {
5526         return msg_msg_alloc_security(msg);
5527 }
5528 
5529 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5530 {
5531         msg_msg_free_security(msg);
5532 }
5533 
5534 /* message queue security operations */
5535 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5536 {
5537         struct ipc_security_struct *isec;
5538         struct common_audit_data ad;
5539         u32 sid = current_sid();
5540         int rc;
5541 
5542         rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5543         if (rc)
5544                 return rc;
5545 
5546         isec = msq->q_perm.security;
5547 
5548         ad.type = LSM_AUDIT_DATA_IPC;
5549         ad.u.ipc_id = msq->q_perm.key;
5550 
5551         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5552                           MSGQ__CREATE, &ad);
5553         if (rc) {
5554                 ipc_free_security(&msq->q_perm);
5555                 return rc;
5556         }
5557         return 0;
5558 }
5559 
5560 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5561 {
5562         ipc_free_security(&msq->q_perm);
5563 }
5564 
5565 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5566 {
5567         struct ipc_security_struct *isec;
5568         struct common_audit_data ad;
5569         u32 sid = current_sid();
5570 
5571         isec = msq->q_perm.security;
5572 
5573         ad.type = LSM_AUDIT_DATA_IPC;
5574         ad.u.ipc_id = msq->q_perm.key;
5575 
5576         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5577                             MSGQ__ASSOCIATE, &ad);
5578 }
5579 
5580 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5581 {
5582         int err;
5583         int perms;
5584 
5585         switch (cmd) {
5586         case IPC_INFO:
5587         case MSG_INFO:
5588                 /* No specific object, just general system-wide information. */
5589                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5590                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5591         case IPC_STAT:
5592         case MSG_STAT:
5593                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5594                 break;
5595         case IPC_SET:
5596                 perms = MSGQ__SETATTR;
5597                 break;
5598         case IPC_RMID:
5599                 perms = MSGQ__DESTROY;
5600                 break;
5601         default:
5602                 return 0;
5603         }
5604 
5605         err = ipc_has_perm(&msq->q_perm, perms);
5606         return err;
5607 }
5608 
5609 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5610 {
5611         struct ipc_security_struct *isec;
5612         struct msg_security_struct *msec;
5613         struct common_audit_data ad;
5614         u32 sid = current_sid();
5615         int rc;
5616 
5617         isec = msq->q_perm.security;
5618         msec = msg->security;
5619 
5620         /*
5621          * First time through, need to assign label to the message
5622          */
5623         if (msec->sid == SECINITSID_UNLABELED) {
5624                 /*
5625                  * Compute new sid based on current process and
5626                  * message queue this message will be stored in
5627                  */
5628                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5629                                              NULL, &msec->sid);
5630                 if (rc)
5631                         return rc;
5632         }
5633 
5634         ad.type = LSM_AUDIT_DATA_IPC;
5635         ad.u.ipc_id = msq->q_perm.key;
5636 
5637         /* Can this process write to the queue? */
5638         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,