~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,3 +1,4 @@
	1	+// SPDX-License-Identifier: GPL-2.0-only
1	2	/*
2	3	* NSA Security-Enhanced Linux (SELinux) security module
3	4	*
..	..	@@ -18,15 +19,12 @@
18	19	* Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19	20	* Yuichi Nakamura <ynakam@hitachisoft.jp>
20	21	* Copyright (C) 2016 Mellanox Technologies
21		- *
22		- * This program is free software; you can redistribute it and/or modify
23		- * it under the terms of the GNU General Public License version 2,
24		- * as published by the Free Software Foundation.
25	22	*/
26	23
27	24	#include <linux/init.h>
28	25	#include <linux/kd.h>
29	26	#include <linux/kernel.h>
	27	+#include <linux/kernel_read_file.h>
30	28	#include <linux/tracehook.h>
31	29	#include <linux/errno.h>
32	30	#include <linux/sched/signal.h>
..	..	@@ -48,6 +46,8 @@
48	46	#include <linux/fdtable.h>
49	47	#include <linux/namei.h>
50	48	#include <linux/mount.h>
	49	+#include <linux/fs_context.h>
	50	+#include <linux/fs_parser.h>
51	51	#include <linux/netfilter_ipv4.h>
52	52	#include <linux/netfilter_ipv6.h>
53	53	#include <linux/tty.h>
..	..	@@ -79,7 +79,6 @@
79	79	#include <linux/personality.h>
80	80	#include <linux/audit.h>
81	81	#include <linux/string.h>
82		-#include <linux/selinux.h>
83	82	#include <linux/mutex.h>
84	83	#include <linux/posix-timers.h>
85	84	#include <linux/syslog.h>
..	..	@@ -88,6 +87,11 @@
88	87	#include <linux/msg.h>
89	88	#include <linux/shm.h>
90	89	#include <linux/bpf.h>
	90	+#include <linux/kernfs.h>
	91	+#include <linux/stringhash.h> /* for hashlen_string() */
	92	+#include <uapi/linux/mount.h>
	93	+#include <linux/fsnotify.h>
	94	+#include <linux/fanotify.h>
91	95
92	96	#include "avc.h"
93	97	#include "objsec.h"
..	..	@@ -106,7 +110,7 @@
106	110	static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107	111
108	112	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109		-static int selinux_enforcing_boot;
	113	+static int selinux_enforcing_boot __initdata;
110	114
111	115	static int __init enforcing_setup(char *str)
112	116	{
..	..	@@ -120,19 +124,16 @@
120	124	#define selinux_enforcing_boot 1
121	125	#endif
122	126
	127	+int selinux_enabled_boot __initdata = 1;
123	128	#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124		-int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125		-
126	129	static int __init selinux_enabled_setup(char *str)
127	130	{
128	131	unsigned long enabled;
129	132	if (!kstrtoul(str, 0, &enabled))
130		- selinux_enabled = enabled ? 1 : 0;
	133	+ selinux_enabled_boot = enabled ? 1 : 0;
131	134	return 1;
132	135	}
133	136	__setup("selinux=", selinux_enabled_setup);
134		-#else
135		-int selinux_enabled = 1;
136	137	#endif
137	138
138	139	static unsigned int selinux_checkreqprot_boot =
..	..	@@ -142,14 +143,14 @@
142	143	{
143	144	unsigned long checkreqprot;
144	145
145		- if (!kstrtoul(str, 0, &checkreqprot))
	146	+ if (!kstrtoul(str, 0, &checkreqprot)) {
146	147	selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
	148	+ if (checkreqprot)
	149	+ pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
	150	+ }
147	151	return 1;
148	152	}
149	153	__setup("checkreqprot=", checkreqprot_setup);
150		-
151		-static struct kmem_cache *sel_inode_cache;
152		-static struct kmem_cache *file_security_cache;
153	154
154	155	/**
155	156	* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
..	..	@@ -199,7 +200,7 @@
199	200	{
200	201	if (event == AVC_CALLBACK_RESET) {
201	202	sel_ib_pkey_flush();
202		- call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
	203	+ call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203	204	}
204	205
205	206	return 0;
..	..	@@ -213,12 +214,8 @@
213	214	struct cred cred = (struct cred ) current->real_cred;
214	215	struct task_security_struct *tsec;
215	216
216		- tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217		- if (!tsec)
218		- panic("SELinux: Failed to initialize initial task.\n");
219		-
	217	+ tsec = selinux_cred(cred);
220	218	tsec->osid = tsec->sid = SECINITSID_KERNEL;
221		- cred->security = tsec;
222	219	}
223	220
224	221	/*
..	..	@@ -228,7 +225,7 @@
228	225	{
229	226	const struct task_security_struct *tsec;
230	227
231		- tsec = cred->security;
	228	+ tsec = selinux_cred(cred);
232	229	return tsec->sid;
233	230	}
234	231
..	..	@@ -245,29 +242,6 @@
245	242	return sid;
246	243	}
247	244
248		-/* Allocate and free functions for each kind of security blob. */
249		-
250		-static int inode_alloc_security(struct inode *inode)
251		-{
252		- struct inode_security_struct *isec;
253		- u32 sid = current_sid();
254		-
255		- isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256		- if (!isec)
257		- return -ENOMEM;
258		-
259		- spin_lock_init(&isec->lock);
260		- INIT_LIST_HEAD(&isec->list);
261		- isec->inode = inode;
262		- isec->sid = SECINITSID_UNLABELED;
263		- isec->sclass = SECCLASS_FILE;
264		- isec->task_sid = sid;
265		- isec->initialized = LABEL_INVALID;
266		- inode->i_security = isec;
267		-
268		- return 0;
269		-}
270		-
271	245	static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dentry);
272	246
273	247	/*
..	..	@@ -280,11 +254,11 @@
280	254	struct dentry *dentry,
281	255	bool may_sleep)
282	256	{
283		- struct inode_security_struct *isec = inode->i_security;
	257	+ struct inode_security_struct *isec = selinux_inode(inode);
284	258
285	259	might_sleep_if(may_sleep);
286	260
287		- if (selinux_state.initialized &&
	261	+ if (selinux_initialized(&selinux_state) &&
288	262	isec->initialized != LABEL_INITIALIZED) {
289	263	if (!may_sleep)
290	264	return -ECHILD;
..	..	@@ -301,7 +275,7 @@
301	275
302	276	static struct inode_security_struct inode_security_novalidate(struct inode inode)
303	277	{
304		- return inode->i_security;
	278	+ return selinux_inode(inode);
305	279	}
306	280
307	281	static struct inode_security_struct inode_security_rcu(struct inode inode, bool rcu)
..	..	@@ -311,7 +285,7 @@
311	285	error = __inode_security_revalidate(inode, NULL, !rcu);
312	286	if (error)
313	287	return ERR_PTR(error);
314		- return inode->i_security;
	288	+ return selinux_inode(inode);
315	289	}
316	290
317	291	/*
..	..	@@ -320,14 +294,14 @@
320	294	static struct inode_security_struct inode_security(struct inode inode)
321	295	{
322	296	__inode_security_revalidate(inode, NULL, true);
323		- return inode->i_security;
	297	+ return selinux_inode(inode);
324	298	}
325	299
326	300	static struct inode_security_struct backing_inode_security_novalidate(struct dentry dentry)
327	301	{
328	302	struct inode *inode = d_backing_inode(dentry);
329	303
330		- return inode->i_security;
	304	+ return selinux_inode(inode);
331	305	}
332	306
333	307	/*
..	..	@@ -338,22 +312,17 @@
338	312	struct inode *inode = d_backing_inode(dentry);
339	313
340	314	__inode_security_revalidate(inode, dentry, true);
341		- return inode->i_security;
342		-}
343		-
344		-static void inode_free_rcu(struct rcu_head *head)
345		-{
346		- struct inode_security_struct *isec;
347		-
348		- isec = container_of(head, struct inode_security_struct, rcu);
349		- kmem_cache_free(sel_inode_cache, isec);
	315	+ return selinux_inode(inode);
350	316	}
351	317
352	318	static void inode_free_security(struct inode *inode)
353	319	{
354		- struct inode_security_struct *isec = inode->i_security;
355		- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
	320	+ struct inode_security_struct *isec = selinux_inode(inode);
	321	+ struct superblock_security_struct *sbsec;
356	322
	323	+ if (!isec)
	324	+ return;
	325	+ sbsec = inode->i_sb->s_security;
357	326	/*
358	327	* As not all inode security structures are in a list, we check for
359	328	* empty list outside of the lock to make sure that we won't waste
..	..	@@ -369,60 +338,6 @@
369	338	list_del_init(&isec->list);
370	339	spin_unlock(&sbsec->isec_lock);
371	340	}
372		-
373		- /*
374		- * The inode may still be referenced in a path walk and
375		- * a call to selinux_inode_permission() can be made
376		- * after inode_free_security() is called. Ideally, the VFS
377		- * wouldn't do this, but fixing that is a much harder
378		- * job. For now, simply free the i_security via RCU, and
379		- * leave the current inode->i_security pointer intact.
380		- * The inode will be freed after the RCU grace period too.
381		- */
382		- call_rcu(&isec->rcu, inode_free_rcu);
383		-}
384		-
385		-static int file_alloc_security(struct file *file)
386		-{
387		- struct file_security_struct *fsec;
388		- u32 sid = current_sid();
389		-
390		- fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391		- if (!fsec)
392		- return -ENOMEM;
393		-
394		- fsec->sid = sid;
395		- fsec->fown_sid = sid;
396		- file->f_security = fsec;
397		-
398		- return 0;
399		-}
400		-
401		-static void file_free_security(struct file *file)
402		-{
403		- struct file_security_struct *fsec = file->f_security;
404		- file->f_security = NULL;
405		- kmem_cache_free(file_security_cache, fsec);
406		-}
407		-
408		-static int superblock_alloc_security(struct super_block *sb)
409		-{
410		- struct superblock_security_struct *sbsec;
411		-
412		- sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413		- if (!sbsec)
414		- return -ENOMEM;
415		-
416		- mutex_init(&sbsec->lock);
417		- INIT_LIST_HEAD(&sbsec->isec_head);
418		- spin_lock_init(&sbsec->isec_lock);
419		- sbsec->sb = sb;
420		- sbsec->sid = SECINITSID_UNLABELED;
421		- sbsec->def_sid = SECINITSID_FILE;
422		- sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423		- sb->s_security = sbsec;
424		-
425		- return 0;
426	341	}
427	342
428	343	static void superblock_free_security(struct super_block *sb)
..	..	@@ -432,31 +347,62 @@
432	347	kfree(sbsec);
433	348	}
434	349
435		-static inline int inode_doinit(struct inode *inode)
	350	+struct selinux_mnt_opts {
	351	+ const char fscontext, context, rootcontext, defcontext;
	352	+};
	353	+
	354	+static void selinux_free_mnt_opts(void *mnt_opts)
436	355	{
437		- return inode_doinit_with_dentry(inode, NULL);
	356	+ struct selinux_mnt_opts *opts = mnt_opts;
	357	+ kfree(opts->fscontext);
	358	+ kfree(opts->context);
	359	+ kfree(opts->rootcontext);
	360	+ kfree(opts->defcontext);
	361	+ kfree(opts);
438	362	}
439	363
440	364	enum {
441	365	Opt_error = -1,
442		- Opt_context = 1,
	366	+ Opt_context = 0,
	367	+ Opt_defcontext = 1,
443	368	Opt_fscontext = 2,
444		- Opt_defcontext = 3,
445		- Opt_rootcontext = 4,
446		- Opt_labelsupport = 5,
447		- Opt_nextmntopt = 6,
	369	+ Opt_rootcontext = 3,
	370	+ Opt_seclabel = 4,
448	371	};
449	372
450		-#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451		-
452		-static const match_table_t tokens = {
453		- {Opt_context, CONTEXT_STR "%s"},
454		- {Opt_fscontext, FSCONTEXT_STR "%s"},
455		- {Opt_defcontext, DEFCONTEXT_STR "%s"},
456		- {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457		- {Opt_labelsupport, LABELSUPP_STR},
458		- {Opt_error, NULL},
	373	+#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
	374	+static struct {
	375	+ const char *name;
	376	+ int len;
	377	+ int opt;
	378	+ bool has_arg;
	379	+} tokens[] = {
	380	+ A(context, true),
	381	+ A(fscontext, true),
	382	+ A(defcontext, true),
	383	+ A(rootcontext, true),
	384	+ A(seclabel, false),
459	385	};
	386	+#undef A
	387	+
	388	+static int match_opt_prefix(char s, int l, char *arg)
	389	+{
	390	+ int i;
	391	+
	392	+ for (i = 0; i < ARRAY_SIZE(tokens); i++) {
	393	+ size_t len = tokens[i].len;
	394	+ if (len > l \|\| memcmp(s, tokens[i].name, len))
	395	+ continue;
	396	+ if (tokens[i].has_arg) {
	397	+ if (len == l \|\| s[len] != '=')
	398	+ continue;
	399	+ *arg = s + len + 1;
	400	+ } else if (len != l)
	401	+ continue;
	402	+ return tokens[i].opt;
	403	+ }
	404	+ return Opt_error;
	405	+}
460	406
461	407	#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462	408
..	..	@@ -464,7 +410,7 @@
464	410	struct superblock_security_struct *sbsec,
465	411	const struct cred *cred)
466	412	{
467		- const struct task_security_struct *tsec = cred->security;
	413	+ const struct task_security_struct *tsec = selinux_cred(cred);
468	414	int rc;
469	415
470	416	rc = avc_has_perm(&selinux_state,
..	..	@@ -483,7 +429,7 @@
483	429	struct superblock_security_struct *sbsec,
484	430	const struct cred *cred)
485	431	{
486		- const struct task_security_struct *tsec = cred->security;
	432	+ const struct task_security_struct *tsec = selinux_cred(cred);
487	433	int rc;
488	434	rc = avc_has_perm(&selinux_state,
489	435	tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
..	..	@@ -558,7 +504,8 @@
558	504	goto out;
559	505	}
560	506
561		- rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
	507	+ rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL,
	508	+ 0, XATTR_NOSECURITY);
562	509	if (rc < 0 && rc != -ENODATA) {
563	510	if (rc == -EOPNOTSUPP)
564	511	pr_warn("SELinux: (dev %s, type "
..	..	@@ -592,10 +539,9 @@
592	539	during get_sb by a pseudo filesystem that directly
593	540	populates itself. */
594	541	spin_lock(&sbsec->isec_lock);
595		-next_inode:
596		- if (!list_empty(&sbsec->isec_head)) {
	542	+ while (!list_empty(&sbsec->isec_head)) {
597	543	struct inode_security_struct *isec =
598		- list_entry(sbsec->isec_head.next,
	544	+ list_first_entry(&sbsec->isec_head,
599	545	struct inode_security_struct, list);
600	546	struct inode *inode = isec->inode;
601	547	list_del_init(&isec->list);
..	..	@@ -603,113 +549,13 @@
603	549	inode = igrab(inode);
604	550	if (inode) {
605	551	if (!IS_PRIVATE(inode))
606		- inode_doinit(inode);
	552	+ inode_doinit_with_dentry(inode, NULL);
607	553	iput(inode);
608	554	}
609	555	spin_lock(&sbsec->isec_lock);
610		- goto next_inode;
611	556	}
612	557	spin_unlock(&sbsec->isec_lock);
613	558	out:
614		- return rc;
615		-}
616		-
617		-/*
618		- * This function should allow an FS to ask what it's mount security
619		- * options were so it can use those later for submounts, displaying
620		- * mount options, or whatever.
621		- */
622		-static int selinux_get_mnt_opts(const struct super_block *sb,
623		- struct security_mnt_opts *opts)
624		-{
625		- int rc = 0, i;
626		- struct superblock_security_struct *sbsec = sb->s_security;
627		- char *context = NULL;
628		- u32 len;
629		- char tmp;
630		-
631		- security_init_mnt_opts(opts);
632		-
633		- if (!(sbsec->flags & SE_SBINITIALIZED))
634		- return -EINVAL;
635		-
636		- if (!selinux_state.initialized)
637		- return -EINVAL;
638		-
639		- /* make sure we always check enough bits to cover the mask */
640		- BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
641		-
642		- tmp = sbsec->flags & SE_MNTMASK;
643		- /* count the number of mount options for this sb */
644		- for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
645		- if (tmp & 0x01)
646		- opts->num_mnt_opts++;
647		- tmp >>= 1;
648		- }
649		- /* Check if the Label support flag is set */
650		- if (sbsec->flags & SBLABEL_MNT)
651		- opts->num_mnt_opts++;
652		-
653		- opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
654		- if (!opts->mnt_opts) {
655		- rc = -ENOMEM;
656		- goto out_free;
657		- }
658		-
659		- opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
660		- if (!opts->mnt_opts_flags) {
661		- rc = -ENOMEM;
662		- goto out_free;
663		- }
664		-
665		- i = 0;
666		- if (sbsec->flags & FSCONTEXT_MNT) {
667		- rc = security_sid_to_context(&selinux_state, sbsec->sid,
668		- &context, &len);
669		- if (rc)
670		- goto out_free;
671		- opts->mnt_opts[i] = context;
672		- opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
673		- }
674		- if (sbsec->flags & CONTEXT_MNT) {
675		- rc = security_sid_to_context(&selinux_state,
676		- sbsec->mntpoint_sid,
677		- &context, &len);
678		- if (rc)
679		- goto out_free;
680		- opts->mnt_opts[i] = context;
681		- opts->mnt_opts_flags[i++] = CONTEXT_MNT;
682		- }
683		- if (sbsec->flags & DEFCONTEXT_MNT) {
684		- rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
685		- &context, &len);
686		- if (rc)
687		- goto out_free;
688		- opts->mnt_opts[i] = context;
689		- opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
690		- }
691		- if (sbsec->flags & ROOTCONTEXT_MNT) {
692		- struct dentry *root = sbsec->sb->s_root;
693		- struct inode_security_struct *isec = backing_inode_security(root);
694		-
695		- rc = security_sid_to_context(&selinux_state, isec->sid,
696		- &context, &len);
697		- if (rc)
698		- goto out_free;
699		- opts->mnt_opts[i] = context;
700		- opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
701		- }
702		- if (sbsec->flags & SBLABEL_MNT) {
703		- opts->mnt_opts[i] = NULL;
704		- opts->mnt_opts_flags[i++] = SBLABEL_MNT;
705		- }
706		-
707		- BUG_ON(i != opts->num_mnt_opts);
708		-
709		- return 0;
710		-
711		-out_free:
712		- security_free_mnt_opts(opts);
713	559	return rc;
714	560	}
715	561
..	..	@@ -733,31 +579,39 @@
733	579	return 0;
734	580	}
735	581
	582	+static int parse_sid(struct super_block sb, const char s, u32 *sid)
	583	+{
	584	+ int rc = security_context_str_to_sid(&selinux_state, s,
	585	+ sid, GFP_KERNEL);
	586	+ if (rc)
	587	+ pr_warn("SELinux: security_context_str_to_sid"
	588	+ "(%s) failed for (dev %s, type %s) errno=%d\n",
	589	+ s, sb->s_id, sb->s_type->name, rc);
	590	+ return rc;
	591	+}
	592	+
736	593	/*
737	594	* Allow filesystems with binary mount data to explicitly set mount point
738	595	* labeling information.
739	596	*/
740	597	static int selinux_set_mnt_opts(struct super_block *sb,
741		- struct security_mnt_opts *opts,
	598	+ void *mnt_opts,
742	599	unsigned long kern_flags,
743	600	unsigned long *set_kern_flags)
744	601	{
745	602	const struct cred *cred = current_cred();
746		- int rc = 0, i;
747	603	struct superblock_security_struct *sbsec = sb->s_security;
748		- const char *name = sb->s_type->name;
749	604	struct dentry *root = sbsec->sb->s_root;
	605	+ struct selinux_mnt_opts *opts = mnt_opts;
750	606	struct inode_security_struct *root_isec;
751	607	u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
752	608	u32 defcontext_sid = 0;
753		- char **mount_options = opts->mnt_opts;
754		- int *flags = opts->mnt_opts_flags;
755		- int num_opts = opts->num_mnt_opts;
	609	+ int rc = 0;
756	610
757	611	mutex_lock(&sbsec->lock);
758	612
759		- if (!selinux_state.initialized) {
760		- if (!num_opts) {
	613	+ if (!selinux_initialized(&selinux_state)) {
	614	+ if (!opts) {
761	615	/* Defer initialization until selinux_complete_init,
762	616	after the initial policy is loaded and the security
763	617	server is ready to handle calls. */
..	..	@@ -787,7 +641,7 @@
787	641	* will be used for both mounts)
788	642	*/
789	643	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
790		- && (num_opts == 0))
	644	+ && !opts)
791	645	goto out;
792	646
793	647	root_isec = backing_inode_security_novalidate(root);
..	..	@@ -797,68 +651,48 @@
797	651	* also check if someone is trying to mount the same sb more
798	652	* than once with different security options.
799	653	*/
800		- for (i = 0; i < num_opts; i++) {
801		- u32 sid;
802		-
803		- if (flags[i] == SBLABEL_MNT)
804		- continue;
805		- rc = security_context_str_to_sid(&selinux_state,
806		- mount_options[i], &sid,
807		- GFP_KERNEL);
808		- if (rc) {
809		- pr_warn("SELinux: security_context_str_to_sid"
810		- "(%s) failed for (dev %s, type %s) errno=%d\n",
811		- mount_options[i], sb->s_id, name, rc);
812		- goto out;
813		- }
814		- switch (flags[i]) {
815		- case FSCONTEXT_MNT:
816		- fscontext_sid = sid;
817		-
	654	+ if (opts) {
	655	+ if (opts->fscontext) {
	656	+ rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
	657	+ if (rc)
	658	+ goto out;
818	659	if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
819	660	fscontext_sid))
820	661	goto out_double_mount;
821		-
822	662	sbsec->flags \|= FSCONTEXT_MNT;
823		- break;
824		- case CONTEXT_MNT:
825		- context_sid = sid;
826		-
	663	+ }
	664	+ if (opts->context) {
	665	+ rc = parse_sid(sb, opts->context, &context_sid);
	666	+ if (rc)
	667	+ goto out;
827	668	if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
828	669	context_sid))
829	670	goto out_double_mount;
830		-
831	671	sbsec->flags \|= CONTEXT_MNT;
832		- break;
833		- case ROOTCONTEXT_MNT:
834		- rootcontext_sid = sid;
835		-
	672	+ }
	673	+ if (opts->rootcontext) {
	674	+ rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
	675	+ if (rc)
	676	+ goto out;
836	677	if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
837	678	rootcontext_sid))
838	679	goto out_double_mount;
839		-
840	680	sbsec->flags \|= ROOTCONTEXT_MNT;
841		-
842		- break;
843		- case DEFCONTEXT_MNT:
844		- defcontext_sid = sid;
845		-
	681	+ }
	682	+ if (opts->defcontext) {
	683	+ rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
	684	+ if (rc)
	685	+ goto out;
846	686	if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
847	687	defcontext_sid))
848	688	goto out_double_mount;
849		-
850	689	sbsec->flags \|= DEFCONTEXT_MNT;
851		-
852		- break;
853		- default:
854		- rc = -EINVAL;
855		- goto out;
856	690	}
857	691	}
858	692
859	693	if (sbsec->flags & SE_SBINITIALIZED) {
860	694	/* previously mounted with options, but not on this attempt? */
861		- if ((sbsec->flags & SE_MNTMASK) && !num_opts)
	695	+ if ((sbsec->flags & SE_MNTMASK) && !opts)
862	696	goto out_double_mount;
863	697	rc = 0;
864	698	goto out;
..	..	@@ -869,13 +703,15 @@
869	703
870	704	if (!strcmp(sb->s_type->name, "debugfs") \|\|
871	705	!strcmp(sb->s_type->name, "tracefs") \|\|
872		- !strcmp(sb->s_type->name, "sysfs") \|\|
873		- !strcmp(sb->s_type->name, "pstore") \|\|
874	706	!strcmp(sb->s_type->name, "binder") \|\|
875	707	!strcmp(sb->s_type->name, "bpf") \|\|
	708	+ !strcmp(sb->s_type->name, "pstore"))
	709	+ sbsec->flags \|= SE_SBGENFS;
	710	+
	711	+ if (!strcmp(sb->s_type->name, "sysfs") \|\|
876	712	!strcmp(sb->s_type->name, "cgroup") \|\|
877	713	!strcmp(sb->s_type->name, "cgroup2"))
878		- sbsec->flags \|= SE_SBGENFS;
	714	+ sbsec->flags \|= SE_SBGENFS \| SE_SBGENFS_XATTR;
879	715
880	716	if (!sbsec->behavior) {
881	717	/*
..	..	@@ -993,7 +829,8 @@
993	829	out_double_mount:
994	830	rc = -EINVAL;
995	831	pr_warn("SELinux: mount invalid. Same superblock, different "
996		- "security settings for (dev %s, type %s)\n", sb->s_id, name);
	832	+ "security settings for (dev %s, type %s)\n", sb->s_id,
	833	+ sb->s_type->name);
997	834	goto out;
998	835	}
999	836
..	..	@@ -1044,7 +881,7 @@
1044	881	* if the parent was able to be mounted it clearly had no special lsm
1045	882	* mount options. thus we can safely deal with this superblock later
1046	883	*/
1047		- if (!selinux_state.initialized)
	884	+ if (!selinux_initialized(&selinux_state))
1048	885	return 0;
1049	886
1050	887	/*
..	..	@@ -1108,218 +945,163 @@
1108	945	return rc;
1109	946	}
1110	947
1111		-static int selinux_parse_opts_str(char *options,
1112		- struct security_mnt_opts *opts)
	948	+static int selinux_add_opt(int token, const char s, void *mnt_opts)
1113	949	{
1114		- char *p;
1115		- char context = NULL, defcontext = NULL;
1116		- char fscontext = NULL, rootcontext = NULL;
1117		- int rc, num_mnt_opts = 0;
	950	+ struct selinux_mnt_opts opts = mnt_opts;
	951	+ bool is_alloc_opts = false;
1118	952
1119		- opts->num_mnt_opts = 0;
	953	+ if (token == Opt_seclabel) /* eaten and completely ignored */
	954	+ return 0;
1120	955
1121		- /* Standard string-based options. */
1122		- while ((p = strsep(&options, "\|")) != NULL) {
1123		- int token;
1124		- substring_t args[MAX_OPT_ARGS];
	956	+ if (!s)
	957	+ return -ENOMEM;
1125	958
1126		- if (!*p)
1127		- continue;
	959	+ if (!opts) {
	960	+ opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
	961	+ if (!opts)
	962	+ return -ENOMEM;
	963	+ *mnt_opts = opts;
	964	+ is_alloc_opts = true;
	965	+ }
1128	966
1129		- token = match_token(p, tokens, args);
	967	+ switch (token) {
	968	+ case Opt_context:
	969	+ if (opts->context \|\| opts->defcontext)
	970	+ goto Einval;
	971	+ opts->context = s;
	972	+ break;
	973	+ case Opt_fscontext:
	974	+ if (opts->fscontext)
	975	+ goto Einval;
	976	+ opts->fscontext = s;
	977	+ break;
	978	+ case Opt_rootcontext:
	979	+ if (opts->rootcontext)
	980	+ goto Einval;
	981	+ opts->rootcontext = s;
	982	+ break;
	983	+ case Opt_defcontext:
	984	+ if (opts->context \|\| opts->defcontext)
	985	+ goto Einval;
	986	+ opts->defcontext = s;
	987	+ break;
	988	+ }
	989	+ return 0;
	990	+Einval:
	991	+ if (is_alloc_opts) {
	992	+ kfree(opts);
	993	+ *mnt_opts = NULL;
	994	+ }
	995	+ pr_warn(SEL_MOUNT_FAIL_MSG);
	996	+ return -EINVAL;
	997	+}
1130	998
1131		- switch (token) {
1132		- case Opt_context:
1133		- if (context \|\| defcontext) {
1134		- rc = -EINVAL;
1135		- pr_warn(SEL_MOUNT_FAIL_MSG);
1136		- goto out_err;
1137		- }
1138		- context = match_strdup(&args[0]);
1139		- if (!context) {
1140		- rc = -ENOMEM;
1141		- goto out_err;
1142		- }
	999	+static int selinux_add_mnt_opt(const char option, const char val, int len,
	1000	+ void **mnt_opts)
	1001	+{
	1002	+ int token = Opt_error;
	1003	+ int rc, i;
	1004	+
	1005	+ for (i = 0; i < ARRAY_SIZE(tokens); i++) {
	1006	+ if (strcmp(option, tokens[i].name) == 0) {
	1007	+ token = tokens[i].opt;
1143	1008	break;
1144		-
1145		- case Opt_fscontext:
1146		- if (fscontext) {
1147		- rc = -EINVAL;
1148		- pr_warn(SEL_MOUNT_FAIL_MSG);
1149		- goto out_err;
1150		- }
1151		- fscontext = match_strdup(&args[0]);
1152		- if (!fscontext) {
1153		- rc = -ENOMEM;
1154		- goto out_err;
1155		- }
1156		- break;
1157		-
1158		- case Opt_rootcontext:
1159		- if (rootcontext) {
1160		- rc = -EINVAL;
1161		- pr_warn(SEL_MOUNT_FAIL_MSG);
1162		- goto out_err;
1163		- }
1164		- rootcontext = match_strdup(&args[0]);
1165		- if (!rootcontext) {
1166		- rc = -ENOMEM;
1167		- goto out_err;
1168		- }
1169		- break;
1170		-
1171		- case Opt_defcontext:
1172		- if (context \|\| defcontext) {
1173		- rc = -EINVAL;
1174		- pr_warn(SEL_MOUNT_FAIL_MSG);
1175		- goto out_err;
1176		- }
1177		- defcontext = match_strdup(&args[0]);
1178		- if (!defcontext) {
1179		- rc = -ENOMEM;
1180		- goto out_err;
1181		- }
1182		- break;
1183		- case Opt_labelsupport:
1184		- break;
1185		- default:
1186		- rc = -EINVAL;
1187		- pr_warn("SELinux: unknown mount option\n");
1188		- goto out_err;
1189		-
1190	1009	}
1191	1010	}
1192	1011
1193		- rc = -ENOMEM;
1194		- opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1195		- if (!opts->mnt_opts)
1196		- goto out_err;
	1012	+ if (token == Opt_error)
	1013	+ return -EINVAL;
1197	1014
1198		- opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1199		- GFP_KERNEL);
1200		- if (!opts->mnt_opts_flags)
1201		- goto out_err;
	1015	+ if (token != Opt_seclabel) {
	1016	+ val = kmemdup_nul(val, len, GFP_KERNEL);
	1017	+ if (!val) {
	1018	+ rc = -ENOMEM;
	1019	+ goto free_opt;
	1020	+ }
	1021	+ }
	1022	+ rc = selinux_add_opt(token, val, mnt_opts);
	1023	+ if (unlikely(rc)) {
	1024	+ kfree(val);
	1025	+ goto free_opt;
	1026	+ }
	1027	+ return rc;
1202	1028
1203		- if (fscontext) {
1204		- opts->mnt_opts[num_mnt_opts] = fscontext;
1205		- opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
	1029	+free_opt:
	1030	+ if (*mnt_opts) {
	1031	+ selinux_free_mnt_opts(*mnt_opts);
	1032	+ *mnt_opts = NULL;
1206	1033	}
1207		- if (context) {
1208		- opts->mnt_opts[num_mnt_opts] = context;
1209		- opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1210		- }
1211		- if (rootcontext) {
1212		- opts->mnt_opts[num_mnt_opts] = rootcontext;
1213		- opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1214		- }
1215		- if (defcontext) {
1216		- opts->mnt_opts[num_mnt_opts] = defcontext;
1217		- opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1218		- }
	1034	+ return rc;
	1035	+}
1219	1036
1220		- opts->num_mnt_opts = num_mnt_opts;
1221		- return 0;
	1037	+static int show_sid(struct seq_file *m, u32 sid)
	1038	+{
	1039	+ char *context = NULL;
	1040	+ u32 len;
	1041	+ int rc;
1222	1042
1223		-out_err:
1224		- security_free_mnt_opts(opts);
	1043	+ rc = security_sid_to_context(&selinux_state, sid,
	1044	+ &context, &len);
	1045	+ if (!rc) {
	1046	+ bool has_comma = context && strchr(context, ',');
	1047	+
	1048	+ seq_putc(m, '=');
	1049	+ if (has_comma)
	1050	+ seq_putc(m, '\"');
	1051	+ seq_escape(m, context, "\"\n\\");
	1052	+ if (has_comma)
	1053	+ seq_putc(m, '\"');
	1054	+ }
1225	1055	kfree(context);
1226		- kfree(defcontext);
1227		- kfree(fscontext);
1228		- kfree(rootcontext);
1229	1056	return rc;
1230		-}
1231		-/*
1232		- * string mount options parsing and call set the sbsec
1233		- */
1234		-static int superblock_doinit(struct super_block sb, void data)
1235		-{
1236		- int rc = 0;
1237		- char *options = data;
1238		- struct security_mnt_opts opts;
1239		-
1240		- security_init_mnt_opts(&opts);
1241		-
1242		- if (!data)
1243		- goto out;
1244		-
1245		- BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1246		-
1247		- rc = selinux_parse_opts_str(options, &opts);
1248		- if (rc)
1249		- goto out_err;
1250		-
1251		-out:
1252		- rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1253		-
1254		-out_err:
1255		- security_free_mnt_opts(&opts);
1256		- return rc;
1257		-}
1258		-
1259		-static void selinux_write_opts(struct seq_file *m,
1260		- struct security_mnt_opts *opts)
1261		-{
1262		- int i;
1263		- char *prefix;
1264		-
1265		- for (i = 0; i < opts->num_mnt_opts; i++) {
1266		- char *has_comma;
1267		-
1268		- if (opts->mnt_opts[i])
1269		- has_comma = strchr(opts->mnt_opts[i], ',');
1270		- else
1271		- has_comma = NULL;
1272		-
1273		- switch (opts->mnt_opts_flags[i]) {
1274		- case CONTEXT_MNT:
1275		- prefix = CONTEXT_STR;
1276		- break;
1277		- case FSCONTEXT_MNT:
1278		- prefix = FSCONTEXT_STR;
1279		- break;
1280		- case ROOTCONTEXT_MNT:
1281		- prefix = ROOTCONTEXT_STR;
1282		- break;
1283		- case DEFCONTEXT_MNT:
1284		- prefix = DEFCONTEXT_STR;
1285		- break;
1286		- case SBLABEL_MNT:
1287		- seq_putc(m, ',');
1288		- seq_puts(m, LABELSUPP_STR);
1289		- continue;
1290		- default:
1291		- BUG();
1292		- return;
1293		- };
1294		- /* we need a comma before each option */
1295		- seq_putc(m, ',');
1296		- seq_puts(m, prefix);
1297		- if (has_comma)
1298		- seq_putc(m, '\"');
1299		- seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1300		- if (has_comma)
1301		- seq_putc(m, '\"');
1302		- }
1303	1057	}
1304	1058
1305	1059	static int selinux_sb_show_options(struct seq_file m, struct super_block sb)
1306	1060	{
1307		- struct security_mnt_opts opts;
	1061	+ struct superblock_security_struct *sbsec = sb->s_security;
1308	1062	int rc;
1309	1063
1310		- rc = selinux_get_mnt_opts(sb, &opts);
1311		- if (rc) {
1312		- /* before policy load we may get EINVAL, don't show anything */
1313		- if (rc == -EINVAL)
1314		- rc = 0;
1315		- return rc;
	1064	+ if (!(sbsec->flags & SE_SBINITIALIZED))
	1065	+ return 0;
	1066	+
	1067	+ if (!selinux_initialized(&selinux_state))
	1068	+ return 0;
	1069	+
	1070	+ if (sbsec->flags & FSCONTEXT_MNT) {
	1071	+ seq_putc(m, ',');
	1072	+ seq_puts(m, FSCONTEXT_STR);
	1073	+ rc = show_sid(m, sbsec->sid);
	1074	+ if (rc)
	1075	+ return rc;
1316	1076	}
1317		-
1318		- selinux_write_opts(m, &opts);
1319		-
1320		- security_free_mnt_opts(&opts);
1321		-
1322		- return rc;
	1077	+ if (sbsec->flags & CONTEXT_MNT) {
	1078	+ seq_putc(m, ',');
	1079	+ seq_puts(m, CONTEXT_STR);
	1080	+ rc = show_sid(m, sbsec->mntpoint_sid);
	1081	+ if (rc)
	1082	+ return rc;
	1083	+ }
	1084	+ if (sbsec->flags & DEFCONTEXT_MNT) {
	1085	+ seq_putc(m, ',');
	1086	+ seq_puts(m, DEFCONTEXT_STR);
	1087	+ rc = show_sid(m, sbsec->def_sid);
	1088	+ if (rc)
	1089	+ return rc;
	1090	+ }
	1091	+ if (sbsec->flags & ROOTCONTEXT_MNT) {
	1092	+ struct dentry *root = sbsec->sb->s_root;
	1093	+ struct inode_security_struct *isec = backing_inode_security(root);
	1094	+ seq_putc(m, ',');
	1095	+ seq_puts(m, ROOTCONTEXT_STR);
	1096	+ rc = show_sid(m, isec->sid);
	1097	+ if (rc)
	1098	+ return rc;
	1099	+ }
	1100	+ if (sbsec->flags & SBLABEL_MNT) {
	1101	+ seq_putc(m, ',');
	1102	+ seq_puts(m, SECLABEL_STR);
	1103	+ }
	1104	+ return 0;
1323	1105	}
1324	1106
1325	1107	static inline u16 inode_mode_to_security_class(umode_t mode)
..	..	@@ -1545,17 +1327,77 @@
1545	1327	return rc;
1546	1328	}
1547	1329
	1330	+static int inode_doinit_use_xattr(struct inode inode, struct dentry dentry,
	1331	+ u32 def_sid, u32 *sid)
	1332	+{
	1333	+#define INITCONTEXTLEN 255
	1334	+ char *context;
	1335	+ unsigned int len;
	1336	+ int rc;
	1337	+
	1338	+ len = INITCONTEXTLEN;
	1339	+ context = kmalloc(len + 1, GFP_NOFS);
	1340	+ if (!context)
	1341	+ return -ENOMEM;
	1342	+
	1343	+ context[len] = '\0';
	1344	+ rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len,
	1345	+ XATTR_NOSECURITY);
	1346	+ if (rc == -ERANGE) {
	1347	+ kfree(context);
	1348	+
	1349	+ /* Need a larger buffer. Query for the right size. */
	1350	+ rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0,
	1351	+ XATTR_NOSECURITY);
	1352	+ if (rc < 0)
	1353	+ return rc;
	1354	+
	1355	+ len = rc;
	1356	+ context = kmalloc(len + 1, GFP_NOFS);
	1357	+ if (!context)
	1358	+ return -ENOMEM;
	1359	+
	1360	+ context[len] = '\0';
	1361	+ rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
	1362	+ context, len, XATTR_NOSECURITY);
	1363	+ }
	1364	+ if (rc < 0) {
	1365	+ kfree(context);
	1366	+ if (rc != -ENODATA) {
	1367	+ pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
	1368	+ __func__, -rc, inode->i_sb->s_id, inode->i_ino);
	1369	+ return rc;
	1370	+ }
	1371	+ *sid = def_sid;
	1372	+ return 0;
	1373	+ }
	1374	+
	1375	+ rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
	1376	+ def_sid, GFP_NOFS);
	1377	+ if (rc) {
	1378	+ char *dev = inode->i_sb->s_id;
	1379	+ unsigned long ino = inode->i_ino;
	1380	+
	1381	+ if (rc == -EINVAL) {
	1382	+ pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
	1383	+ ino, dev, context);
	1384	+ } else {
	1385	+ pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
	1386	+ __func__, context, -rc, dev, ino);
	1387	+ }
	1388	+ }
	1389	+ kfree(context);
	1390	+ return 0;
	1391	+}
	1392	+
1548	1393	/* The inode's security attributes must be initialized before first use. */
1549	1394	static int inode_doinit_with_dentry(struct inode inode, struct dentry opt_dentry)
1550	1395	{
1551	1396	struct superblock_security_struct *sbsec = NULL;
1552		- struct inode_security_struct *isec = inode->i_security;
	1397	+ struct inode_security_struct *isec = selinux_inode(inode);
1553	1398	u32 task_sid, sid = 0;
1554	1399	u16 sclass;
1555	1400	struct dentry *dentry;
1556		-#define INITCONTEXTLEN 255
1557		- char *context = NULL;
1558		- unsigned len = 0;
1559	1401	int rc = 0;
1560	1402
1561	1403	if (isec->initialized == LABEL_INITIALIZED)
..	..	@@ -1623,72 +1465,11 @@
1623	1465	goto out_invalid;
1624	1466	}
1625	1467
1626		- len = INITCONTEXTLEN;
1627		- context = kmalloc(len+1, GFP_NOFS);
1628		- if (!context) {
1629		- rc = -ENOMEM;
1630		- dput(dentry);
1631		- goto out;
1632		- }
1633		- context[len] = '\0';
1634		- rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1635		- if (rc == -ERANGE) {
1636		- kfree(context);
1637		-
1638		- /* Need a larger buffer. Query for the right size. */
1639		- rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1640		- if (rc < 0) {
1641		- dput(dentry);
1642		- goto out;
1643		- }
1644		- len = rc;
1645		- context = kmalloc(len+1, GFP_NOFS);
1646		- if (!context) {
1647		- rc = -ENOMEM;
1648		- dput(dentry);
1649		- goto out;
1650		- }
1651		- context[len] = '\0';
1652		- rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1653		- }
	1468	+ rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
	1469	+ &sid);
1654	1470	dput(dentry);
1655		- if (rc < 0) {
1656		- if (rc != -ENODATA) {
1657		- pr_warn("SELinux: %s: getxattr returned "
1658		- "%d for dev=%s ino=%ld\n", __func__,
1659		- -rc, inode->i_sb->s_id, inode->i_ino);
1660		- kfree(context);
1661		- goto out;
1662		- }
1663		- /* Map ENODATA to the default file SID */
1664		- sid = sbsec->def_sid;
1665		- rc = 0;
1666		- } else {
1667		- rc = security_context_to_sid_default(&selinux_state,
1668		- context, rc, &sid,
1669		- sbsec->def_sid,
1670		- GFP_NOFS);
1671		- if (rc) {
1672		- char *dev = inode->i_sb->s_id;
1673		- unsigned long ino = inode->i_ino;
1674		-
1675		- if (rc == -EINVAL) {
1676		- if (printk_ratelimit())
1677		- pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1678		- "context=%s. This indicates you may need to relabel the inode or the "
1679		- "filesystem in question.\n", ino, dev, context);
1680		- } else {
1681		- pr_warn("SELinux: %s: context_to_sid(%s) "
1682		- "returned %d for dev=%s ino=%ld\n",
1683		- __func__, context, -rc, dev, ino);
1684		- }
1685		- kfree(context);
1686		- /* Leave with the unlabeled SID */
1687		- rc = 0;
1688		- break;
1689		- }
1690		- }
1691		- kfree(context);
	1471	+ if (rc)
	1472	+ goto out;
1692	1473	break;
1693	1474	case SECURITY_FS_USE_TASK:
1694	1475	sid = task_sid;
..	..	@@ -1710,7 +1491,9 @@
1710	1491	/* Default to the fs superblock SID. */
1711	1492	sid = sbsec->sid;
1712	1493
1713		- if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
	1494	+ if ((sbsec->flags & SE_SBGENFS) &&
	1495	+ (!S_ISLNK(inode->i_mode) \|\|
	1496	+ selinux_policycap_genfs_seclabel_symlinks())) {
1714	1497	/* We must have a dentry to determine the label on
1715	1498	* procfs inodes */
1716	1499	if (opt_dentry) {
..	..	@@ -1739,9 +1522,21 @@
1739	1522	goto out_invalid;
1740	1523	rc = selinux_genfs_get_sid(dentry, sclass,
1741	1524	sbsec->flags, &sid);
1742		- dput(dentry);
1743		- if (rc)
	1525	+ if (rc) {
	1526	+ dput(dentry);
1744	1527	goto out;
	1528	+ }
	1529	+
	1530	+ if ((sbsec->flags & SE_SBGENFS_XATTR) &&
	1531	+ (inode->i_opflags & IOP_XATTR)) {
	1532	+ rc = inode_doinit_use_xattr(inode, dentry,
	1533	+ sid, &sid);
	1534	+ if (rc) {
	1535	+ dput(dentry);
	1536	+ goto out;
	1537	+ }
	1538	+ }
	1539	+ dput(dentry);
1745	1540	}
1746	1541	break;
1747	1542	}
..	..	@@ -1857,7 +1652,7 @@
1857	1652	return 0;
1858	1653
1859	1654	sid = cred_sid(cred);
1860		- isec = inode->i_security;
	1655	+ isec = selinux_inode(inode);
1861	1656
1862	1657	return avc_has_perm(&selinux_state,
1863	1658	sid, isec->sid, isec->sclass, perms, adp);
..	..	@@ -1923,7 +1718,7 @@
1923	1718	struct file *file,
1924	1719	u32 av)
1925	1720	{
1926		- struct file_security_struct *fsec = file->f_security;
	1721	+ struct file_security_struct *fsec = selinux_file(file);
1927	1722	struct inode *inode = file_inode(file);
1928	1723	struct common_audit_data ad;
1929	1724	u32 sid = cred_sid(cred);
..	..	@@ -1989,7 +1784,7 @@
1989	1784	struct dentry *dentry,
1990	1785	u16 tclass)
1991	1786	{
1992		- const struct task_security_struct *tsec = current_security();
	1787	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
1993	1788	struct inode_security_struct *dsec;
1994	1789	struct superblock_security_struct *sbsec;
1995	1790	u32 sid, newsid;
..	..	@@ -2011,8 +1806,8 @@
2011	1806	if (rc)
2012	1807	return rc;
2013	1808
2014		- rc = selinux_determine_inode_label(current_security(), dir,
2015		- &dentry->d_name, tclass, &newsid);
	1809	+ rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
	1810	+ &newsid);
2016	1811	if (rc)
2017	1812	return rc;
2018	1813
..	..	@@ -2203,7 +1998,7 @@
2203	1998	}
2204	1999
2205	2000	/*
2206		- * Convert a file to an access vector and include the correct open
	2001	+ * Convert a file to an access vector and include the correct
2207	2002	* open permission.
2208	2003	*/
2209	2004	static inline u32 open_file_to_av(struct file *file)
..	..	@@ -2261,7 +2056,7 @@
2261	2056	struct file *file)
2262	2057	{
2263	2058	u32 sid = cred_sid(to);
2264		- struct file_security_struct *fsec = file->f_security;
	2059	+ struct file_security_struct *fsec = selinux_file(file);
2265	2060	struct dentry *dentry = file->f_path.dentry;
2266	2061	struct inode_security_struct *isec;
2267	2062	struct common_audit_data ad;
..	..	@@ -2364,11 +2159,18 @@
2364	2159	case Q_QUOTAOFF:
2365	2160	case Q_SETINFO:
2366	2161	case Q_SETQUOTA:
	2162	+ case Q_XQUOTAOFF:
	2163	+ case Q_XQUOTAON:
	2164	+ case Q_XSETQLIM:
2367	2165	rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2368	2166	break;
2369	2167	case Q_GETFMT:
2370	2168	case Q_GETINFO:
2371	2169	case Q_GETQUOTA:
	2170	+ case Q_XGETQUOTA:
	2171	+ case Q_XGETQSTAT:
	2172	+ case Q_XGETQSTATV:
	2173	+ case Q_XGETNEXTQUOTA:
2372	2174	rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2373	2175	break;
2374	2176	default:
..	..	@@ -2498,7 +2300,7 @@
2498	2300	return -EACCES;
2499	2301	}
2500	2302
2501		-static int selinux_bprm_set_creds(struct linux_binprm *bprm)
	2303	+static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2502	2304	{
2503	2305	const struct task_security_struct *old_tsec;
2504	2306	struct task_security_struct *new_tsec;
..	..	@@ -2509,11 +2311,9 @@
2509	2311
2510	2312	/* SELinux context only depends on initial program or script and not
2511	2313	* the script interpreter */
2512		- if (bprm->called_set_creds)
2513		- return 0;
2514	2314
2515		- old_tsec = current_security();
2516		- new_tsec = bprm->cred->security;
	2315	+ old_tsec = selinux_cred(current_cred());
	2316	+ new_tsec = selinux_cred(bprm->cred);
2517	2317	isec = inode_security(inode);
2518	2318
2519	2319	/* Default to the current task SID. */
..	..	@@ -2677,7 +2477,7 @@
2677	2477	struct rlimit rlim, initrlim;
2678	2478	int rc, i;
2679	2479
2680		- new_tsec = bprm->cred->security;
	2480	+ new_tsec = selinux_cred(bprm->cred);
2681	2481	if (new_tsec->sid == new_tsec->osid)
2682	2482	return;
2683	2483
..	..	@@ -2720,10 +2520,9 @@
2720	2520	*/
2721	2521	static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2722	2522	{
2723		- const struct task_security_struct *tsec = current_security();
2724		- struct itimerval itimer;
	2523	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
2725	2524	u32 osid, sid;
2726		- int rc, i;
	2525	+ int rc;
2727	2526
2728	2527	osid = tsec->osid;
2729	2528	sid = tsec->sid;
..	..	@@ -2741,11 +2540,8 @@
2741	2540	rc = avc_has_perm(&selinux_state,
2742	2541	osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2743	2542	if (rc) {
2744		- if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2745		- memset(&itimer, 0, sizeof itimer);
2746		- for (i = 0; i < 3; i++)
2747		- do_setitimer(i, &itimer, NULL);
2748		- }
	2543	+ clear_itimer();
	2544	+
2749	2545	spin_lock_irq(&current->sighand->siglock);
2750	2546	if (!fatal_signal_pending(current)) {
2751	2547	flush_sigqueue(&current->pending);
..	..	@@ -2768,7 +2564,22 @@
2768	2564
2769	2565	static int selinux_sb_alloc_security(struct super_block *sb)
2770	2566	{
2771		- return superblock_alloc_security(sb);
	2567	+ struct superblock_security_struct *sbsec;
	2568	+
	2569	+ sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
	2570	+ if (!sbsec)
	2571	+ return -ENOMEM;
	2572	+
	2573	+ mutex_init(&sbsec->lock);
	2574	+ INIT_LIST_HEAD(&sbsec->isec_head);
	2575	+ spin_lock_init(&sbsec->isec_lock);
	2576	+ sbsec->sb = sb;
	2577	+ sbsec->sid = SECINITSID_UNLABELED;
	2578	+ sbsec->def_sid = SECINITSID_FILE;
	2579	+ sbsec->mntpoint_sid = SECINITSID_UNLABELED;
	2580	+ sb->s_security = sbsec;
	2581	+
	2582	+ return 0;
2772	2583	}
2773	2584
2774	2585	static void selinux_sb_free_security(struct super_block *sb)
..	..	@@ -2776,195 +2587,137 @@
2776	2587	superblock_free_security(sb);
2777	2588	}
2778	2589
2779		-static inline int match_prefix(char prefix, int plen, char option, int olen)
	2590	+static inline int opt_len(const char *s)
2780	2591	{
2781		- if (plen > olen)
2782		- return 0;
	2592	+ bool open_quote = false;
	2593	+ int len;
	2594	+ char c;
2783	2595
2784		- return !memcmp(prefix, option, plen);
2785		-}
2786		-
2787		-static inline int selinux_option(char *option, int len)
2788		-{
2789		- return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) \|\|
2790		- match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) \|\|
2791		- match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) \|\|
2792		- match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) \|\|
2793		- match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2794		-}
2795		-
2796		-static inline void take_option(char *to, char from, int *first, int len)
2797		-{
2798		- if (!*first) {
2799		- **to = ',';
2800		- *to += 1;
2801		- } else
2802		- *first = 0;
2803		- memcpy(*to, from, len);
2804		- *to += len;
2805		-}
2806		-
2807		-static inline void take_selinux_option(char *to, char from, int *first,
2808		- int len)
2809		-{
2810		- int current_size = 0;
2811		-
2812		- if (!*first) {
2813		- **to = '\|';
2814		- *to += 1;
2815		- } else
2816		- *first = 0;
2817		-
2818		- while (current_size < len) {
2819		- if (*from != '"') {
2820		- *to = from;
2821		- *to += 1;
2822		- }
2823		- from += 1;
2824		- current_size += 1;
2825		- }
2826		-}
2827		-
2828		-static int selinux_sb_copy_data(char orig, char copy)
2829		-{
2830		- int fnosec, fsec, rc = 0;
2831		- char in_save, in_curr, *in_end;
2832		- char sec_curr, nosec_save, *nosec;
2833		- int open_quote = 0;
2834		-
2835		- in_curr = orig;
2836		- sec_curr = copy;
2837		-
2838		- nosec = (char *)get_zeroed_page(GFP_KERNEL);
2839		- if (!nosec) {
2840		- rc = -ENOMEM;
2841		- goto out;
2842		- }
2843		-
2844		- nosec_save = nosec;
2845		- fnosec = fsec = 1;
2846		- in_save = in_end = orig;
2847		-
2848		- do {
2849		- if (*in_end == '"')
	2596	+ for (len = 0; (c = s[len]) != '\0'; len++) {
	2597	+ if (c == '"')
2850	2598	open_quote = !open_quote;
2851		- if ((*in_end == ',' && open_quote == 0) \|\|
2852		- *in_end == '\0') {
2853		- int len = in_end - in_curr;
	2599	+ if (c == ',' && !open_quote)
	2600	+ break;
	2601	+ }
	2602	+ return len;
	2603	+}
2854	2604
2855		- if (selinux_option(in_curr, len))
2856		- take_selinux_option(&sec_curr, in_curr, &fsec, len);
2857		- else
2858		- take_option(&nosec, in_curr, &fnosec, len);
	2605	+static int selinux_sb_eat_lsm_opts(char options, void *mnt_opts)
	2606	+{
	2607	+ char *from = options;
	2608	+ char *to = options;
	2609	+ bool first = true;
	2610	+ int rc;
2859	2611
2860		- in_curr = in_end + 1;
	2612	+ while (1) {
	2613	+ int len = opt_len(from);
	2614	+ int token;
	2615	+ char *arg = NULL;
	2616	+
	2617	+ token = match_opt_prefix(from, len, &arg);
	2618	+
	2619	+ if (token != Opt_error) {
	2620	+ char p, q;
	2621	+
	2622	+ /* strip quotes */
	2623	+ if (arg) {
	2624	+ for (p = q = arg; p < from + len; p++) {
	2625	+ char c = *p;
	2626	+ if (c != '"')
	2627	+ *q++ = c;
	2628	+ }
	2629	+ arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
	2630	+ if (!arg) {
	2631	+ rc = -ENOMEM;
	2632	+ goto free_opt;
	2633	+ }
	2634	+ }
	2635	+ rc = selinux_add_opt(token, arg, mnt_opts);
	2636	+ if (unlikely(rc)) {
	2637	+ kfree(arg);
	2638	+ goto free_opt;
	2639	+ }
	2640	+ } else {
	2641	+ if (!first) { // copy with preceding comma
	2642	+ from--;
	2643	+ len++;
	2644	+ }
	2645	+ if (to != from)
	2646	+ memmove(to, from, len);
	2647	+ to += len;
	2648	+ first = false;
2861	2649	}
2862		- } while (*in_end++);
	2650	+ if (!from[len])
	2651	+ break;
	2652	+ from += len + 1;
	2653	+ }
	2654	+ *to = '\0';
	2655	+ return 0;
2863	2656
2864		- strcpy(in_save, nosec_save);
2865		- free_page((unsigned long)nosec_save);
2866		-out:
	2657	+free_opt:
	2658	+ if (*mnt_opts) {
	2659	+ selinux_free_mnt_opts(*mnt_opts);
	2660	+ *mnt_opts = NULL;
	2661	+ }
2867	2662	return rc;
2868	2663	}
2869	2664
2870		-static int selinux_sb_remount(struct super_block sb, void data)
	2665	+static int selinux_sb_remount(struct super_block sb, void mnt_opts)
2871	2666	{
2872		- int rc, i, *flags;
2873		- struct security_mnt_opts opts;
2874		- char secdata, *mount_options;
	2667	+ struct selinux_mnt_opts *opts = mnt_opts;
2875	2668	struct superblock_security_struct *sbsec = sb->s_security;
	2669	+ u32 sid;
	2670	+ int rc;
2876	2671
2877	2672	if (!(sbsec->flags & SE_SBINITIALIZED))
2878	2673	return 0;
2879	2674
2880		- if (!data)
	2675	+ if (!opts)
2881	2676	return 0;
2882	2677
2883		- if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2884		- return 0;
2885		-
2886		- security_init_mnt_opts(&opts);
2887		- secdata = alloc_secdata();
2888		- if (!secdata)
2889		- return -ENOMEM;
2890		- rc = selinux_sb_copy_data(data, secdata);
2891		- if (rc)
2892		- goto out_free_secdata;
2893		-
2894		- rc = selinux_parse_opts_str(secdata, &opts);
2895		- if (rc)
2896		- goto out_free_secdata;
2897		-
2898		- mount_options = opts.mnt_opts;
2899		- flags = opts.mnt_opts_flags;
2900		-
2901		- for (i = 0; i < opts.num_mnt_opts; i++) {
2902		- u32 sid;
2903		-
2904		- if (flags[i] == SBLABEL_MNT)
2905		- continue;
2906		- rc = security_context_str_to_sid(&selinux_state,
2907		- mount_options[i], &sid,
2908		- GFP_KERNEL);
2909		- if (rc) {
2910		- pr_warn("SELinux: security_context_str_to_sid"
2911		- "(%s) failed for (dev %s, type %s) errno=%d\n",
2912		- mount_options[i], sb->s_id, sb->s_type->name, rc);
2913		- goto out_free_opts;
2914		- }
2915		- rc = -EINVAL;
2916		- switch (flags[i]) {
2917		- case FSCONTEXT_MNT:
2918		- if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2919		- goto out_bad_option;
2920		- break;
2921		- case CONTEXT_MNT:
2922		- if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2923		- goto out_bad_option;
2924		- break;
2925		- case ROOTCONTEXT_MNT: {
2926		- struct inode_security_struct *root_isec;
2927		- root_isec = backing_inode_security(sb->s_root);
2928		-
2929		- if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2930		- goto out_bad_option;
2931		- break;
2932		- }
2933		- case DEFCONTEXT_MNT:
2934		- if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2935		- goto out_bad_option;
2936		- break;
2937		- default:
2938		- goto out_free_opts;
2939		- }
	2678	+ if (opts->fscontext) {
	2679	+ rc = parse_sid(sb, opts->fscontext, &sid);
	2680	+ if (rc)
	2681	+ return rc;
	2682	+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
	2683	+ goto out_bad_option;
2940	2684	}
	2685	+ if (opts->context) {
	2686	+ rc = parse_sid(sb, opts->context, &sid);
	2687	+ if (rc)
	2688	+ return rc;
	2689	+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
	2690	+ goto out_bad_option;
	2691	+ }
	2692	+ if (opts->rootcontext) {
	2693	+ struct inode_security_struct *root_isec;
	2694	+ root_isec = backing_inode_security(sb->s_root);
	2695	+ rc = parse_sid(sb, opts->rootcontext, &sid);
	2696	+ if (rc)
	2697	+ return rc;
	2698	+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
	2699	+ goto out_bad_option;
	2700	+ }
	2701	+ if (opts->defcontext) {
	2702	+ rc = parse_sid(sb, opts->defcontext, &sid);
	2703	+ if (rc)
	2704	+ return rc;
	2705	+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
	2706	+ goto out_bad_option;
	2707	+ }
	2708	+ return 0;
2941	2709
2942		- rc = 0;
2943		-out_free_opts:
2944		- security_free_mnt_opts(&opts);
2945		-out_free_secdata:
2946		- free_secdata(secdata);
2947		- return rc;
2948	2710	out_bad_option:
2949	2711	pr_warn("SELinux: unable to change security options "
2950	2712	"during remount (dev %s, type=%s)\n", sb->s_id,
2951	2713	sb->s_type->name);
2952		- goto out_free_opts;
	2714	+ return -EINVAL;
2953	2715	}
2954	2716
2955		-static int selinux_sb_kern_mount(struct super_block sb, int flags, void data)
	2717	+static int selinux_sb_kern_mount(struct super_block *sb)
2956	2718	{
2957	2719	const struct cred *cred = current_cred();
2958	2720	struct common_audit_data ad;
2959		- int rc;
2960		-
2961		- rc = superblock_doinit(sb, data);
2962		- if (rc)
2963		- return rc;
2964		-
2965		- /* Allow all mounts performed by the kernel */
2966		- if (flags & (MS_KERNMOUNT \| MS_SUBMOUNT))
2967		- return 0;
2968	2721
2969	2722	ad.type = LSM_AUDIT_DATA_DENTRY;
2970	2723	ad.u.dentry = sb->s_root;
..	..	@@ -2996,6 +2749,14 @@
2996	2749	return path_has_perm(cred, path, FILE__MOUNTON);
2997	2750	}
2998	2751
	2752	+static int selinux_move_mount(const struct path *from_path,
	2753	+ const struct path *to_path)
	2754	+{
	2755	+ const struct cred *cred = current_cred();
	2756	+
	2757	+ return path_has_perm(cred, to_path, FILE__MOUNTON);
	2758	+}
	2759	+
2999	2760	static int selinux_umount(struct vfsmount *mnt, int flags)
3000	2761	{
3001	2762	const struct cred *cred = current_cred();
..	..	@@ -3004,11 +2765,86 @@
3004	2765	FILESYSTEM__UNMOUNT, NULL);
3005	2766	}
3006	2767
	2768	+static int selinux_fs_context_dup(struct fs_context *fc,
	2769	+ struct fs_context *src_fc)
	2770	+{
	2771	+ const struct selinux_mnt_opts *src = src_fc->security;
	2772	+ struct selinux_mnt_opts *opts;
	2773	+
	2774	+ if (!src)
	2775	+ return 0;
	2776	+
	2777	+ fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
	2778	+ if (!fc->security)
	2779	+ return -ENOMEM;
	2780	+
	2781	+ opts = fc->security;
	2782	+
	2783	+ if (src->fscontext) {
	2784	+ opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
	2785	+ if (!opts->fscontext)
	2786	+ return -ENOMEM;
	2787	+ }
	2788	+ if (src->context) {
	2789	+ opts->context = kstrdup(src->context, GFP_KERNEL);
	2790	+ if (!opts->context)
	2791	+ return -ENOMEM;
	2792	+ }
	2793	+ if (src->rootcontext) {
	2794	+ opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
	2795	+ if (!opts->rootcontext)
	2796	+ return -ENOMEM;
	2797	+ }
	2798	+ if (src->defcontext) {
	2799	+ opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
	2800	+ if (!opts->defcontext)
	2801	+ return -ENOMEM;
	2802	+ }
	2803	+ return 0;
	2804	+}
	2805	+
	2806	+static const struct fs_parameter_spec selinux_fs_parameters[] = {
	2807	+ fsparam_string(CONTEXT_STR, Opt_context),
	2808	+ fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
	2809	+ fsparam_string(FSCONTEXT_STR, Opt_fscontext),
	2810	+ fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
	2811	+ fsparam_flag (SECLABEL_STR, Opt_seclabel),
	2812	+ {}
	2813	+};
	2814	+
	2815	+static int selinux_fs_context_parse_param(struct fs_context *fc,
	2816	+ struct fs_parameter *param)
	2817	+{
	2818	+ struct fs_parse_result result;
	2819	+ int opt, rc;
	2820	+
	2821	+ opt = fs_parse(fc, selinux_fs_parameters, param, &result);
	2822	+ if (opt < 0)
	2823	+ return opt;
	2824	+
	2825	+ rc = selinux_add_opt(opt, param->string, &fc->security);
	2826	+ if (!rc)
	2827	+ param->string = NULL;
	2828	+
	2829	+ return rc;
	2830	+}
	2831	+
3007	2832	/* inode security operations */
3008	2833
3009	2834	static int selinux_inode_alloc_security(struct inode *inode)
3010	2835	{
3011		- return inode_alloc_security(inode);
	2836	+ struct inode_security_struct *isec = selinux_inode(inode);
	2837	+ u32 sid = current_sid();
	2838	+
	2839	+ spin_lock_init(&isec->lock);
	2840	+ INIT_LIST_HEAD(&isec->list);
	2841	+ isec->inode = inode;
	2842	+ isec->sid = SECINITSID_UNLABELED;
	2843	+ isec->sclass = SECCLASS_FILE;
	2844	+ isec->task_sid = sid;
	2845	+ isec->initialized = LABEL_INVALID;
	2846	+
	2847	+ return 0;
3012	2848	}
3013	2849
3014	2850	static void selinux_inode_free_security(struct inode *inode)
..	..	@@ -3023,7 +2859,7 @@
3023	2859	u32 newsid;
3024	2860	int rc;
3025	2861
3026		- rc = selinux_determine_inode_label(current_security(),
	2862	+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
3027	2863	d_inode(dentry->d_parent), name,
3028	2864	inode_mode_to_security_class(mode),
3029	2865	&newsid);
..	..	@@ -3043,14 +2879,14 @@
3043	2879	int rc;
3044	2880	struct task_security_struct *tsec;
3045	2881
3046		- rc = selinux_determine_inode_label(old->security,
	2882	+ rc = selinux_determine_inode_label(selinux_cred(old),
3047	2883	d_inode(dentry->d_parent), name,
3048	2884	inode_mode_to_security_class(mode),
3049	2885	&newsid);
3050	2886	if (rc)
3051	2887	return rc;
3052	2888
3053		- tsec = new->security;
	2889	+ tsec = selinux_cred(new);
3054	2890	tsec->create_sid = newsid;
3055	2891	return 0;
3056	2892	}
..	..	@@ -3060,7 +2896,7 @@
3060	2896	const char **name,
3061	2897	void *value, size_t len)
3062	2898	{
3063		- const struct task_security_struct *tsec = current_security();
	2899	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
3064	2900	struct superblock_security_struct *sbsec;
3065	2901	u32 newsid, clen;
3066	2902	int rc;
..	..	@@ -3070,8 +2906,7 @@
3070	2906
3071	2907	newsid = tsec->create_sid;
3072	2908
3073		- rc = selinux_determine_inode_label(current_security(),
3074		- dir, qstr,
	2909	+ rc = selinux_determine_inode_label(tsec, dir, qstr,
3075	2910	inode_mode_to_security_class(inode->i_mode),
3076	2911	&newsid);
3077	2912	if (rc)
..	..	@@ -3079,13 +2914,14 @@
3079	2914
3080	2915	/* Possibly defer initialization to selinux_complete_init. */
3081	2916	if (sbsec->flags & SE_SBINITIALIZED) {
3082		- struct inode_security_struct *isec = inode->i_security;
	2917	+ struct inode_security_struct *isec = selinux_inode(inode);
3083	2918	isec->sclass = inode_mode_to_security_class(inode->i_mode);
3084	2919	isec->sid = newsid;
3085	2920	isec->initialized = LABEL_INITIALIZED;
3086	2921	}
3087	2922
3088		- if (!selinux_state.initialized \|\| !(sbsec->flags & SBLABEL_MNT))
	2923	+ if (!selinux_initialized(&selinux_state) \|\|
	2924	+ !(sbsec->flags & SBLABEL_MNT))
3089	2925	return -EOPNOTSUPP;
3090	2926
3091	2927	if (name)
..	..	@@ -3101,6 +2937,62 @@
3101	2937	}
3102	2938
3103	2939	return 0;
	2940	+}
	2941	+
	2942	+static int selinux_inode_init_security_anon(struct inode *inode,
	2943	+ const struct qstr *name,
	2944	+ const struct inode *context_inode)
	2945	+{
	2946	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
	2947	+ struct common_audit_data ad;
	2948	+ struct inode_security_struct *isec;
	2949	+ int rc;
	2950	+
	2951	+ if (unlikely(!selinux_initialized(&selinux_state)))
	2952	+ return 0;
	2953	+
	2954	+ isec = selinux_inode(inode);
	2955	+
	2956	+ /*
	2957	+ * We only get here once per ephemeral inode. The inode has
	2958	+ * been initialized via inode_alloc_security but is otherwise
	2959	+ * untouched.
	2960	+ */
	2961	+
	2962	+ if (context_inode) {
	2963	+ struct inode_security_struct *context_isec =
	2964	+ selinux_inode(context_inode);
	2965	+ if (context_isec->initialized != LABEL_INITIALIZED) {
	2966	+ pr_err("SELinux: context_inode is not initialized");
	2967	+ return -EACCES;
	2968	+ }
	2969	+
	2970	+ isec->sclass = context_isec->sclass;
	2971	+ isec->sid = context_isec->sid;
	2972	+ } else {
	2973	+ isec->sclass = SECCLASS_ANON_INODE;
	2974	+ rc = security_transition_sid(
	2975	+ &selinux_state, tsec->sid, tsec->sid,
	2976	+ isec->sclass, name, &isec->sid);
	2977	+ if (rc)
	2978	+ return rc;
	2979	+ }
	2980	+
	2981	+ isec->initialized = LABEL_INITIALIZED;
	2982	+ /*
	2983	+ * Now that we've initialized security, check whether we're
	2984	+ * allowed to actually create this type of anonymous inode.
	2985	+ */
	2986	+
	2987	+ ad.type = LSM_AUDIT_DATA_INODE;
	2988	+ ad.u.inode = inode;
	2989	+
	2990	+ return avc_has_perm(&selinux_state,
	2991	+ tsec->sid,
	2992	+ isec->sid,
	2993	+ isec->sclass,
	2994	+ FILE__CREATE,
	2995	+ &ad);
3104	2996	}
3105	2997
3106	2998	static int selinux_inode_create(struct inode dir, struct dentry dentry, umode_t mode)
..	..	@@ -3178,7 +3070,7 @@
3178	3070	int result)
3179	3071	{
3180	3072	struct common_audit_data ad;
3181		- struct inode_security_struct *isec = inode->i_security;
	3073	+ struct inode_security_struct *isec = selinux_inode(inode);
3182	3074	int rc;
3183	3075
3184	3076	ad.type = LSM_AUDIT_DATA_INODE;
..	..	@@ -3197,7 +3089,7 @@
3197	3089	const struct cred *cred = current_cred();
3198	3090	u32 perms;
3199	3091	bool from_access;
3200		- unsigned flags = mask & MAY_NOT_BLOCK;
	3092	+ bool no_block = mask & MAY_NOT_BLOCK;
3201	3093	struct inode_security_struct *isec;
3202	3094	u32 sid;
3203	3095	struct av_decision avd;
..	..	@@ -3219,13 +3111,13 @@
3219	3111	perms = file_mask_to_av(inode->i_mode, mask);
3220	3112
3221	3113	sid = cred_sid(cred);
3222		- isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
	3114	+ isec = inode_security_rcu(inode, no_block);
3223	3115	if (IS_ERR(isec))
3224	3116	return PTR_ERR(isec);
3225	3117
3226	3118	rc = avc_has_perm_noaudit(&selinux_state,
3227	3119	sid, isec->sid, isec->sclass, perms,
3228		- (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
	3120	+ no_block ? AVC_NONBLOCKING : 0,
3229	3121	&avd);
3230	3122	audited = avc_audit_required(perms, &avd, rc,
3231	3123	from_access ? FILE__AUDIT_ACCESS : 0,
..	..	@@ -3234,7 +3126,7 @@
3234	3126	return rc;
3235	3127
3236	3128	/* fall back to ref-walk if we have to generate audit */
3237		- if (flags & MAY_NOT_BLOCK)
	3129	+ if (no_block)
3238	3130	return -ECHILD;
3239	3131
3240	3132	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
..	..	@@ -3308,7 +3200,7 @@
3308	3200	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3309	3201	}
3310	3202
3311		- if (!selinux_state.initialized)
	3203	+ if (!selinux_initialized(&selinux_state))
3312	3204	return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3313	3205
3314	3206	sbsec = inode->i_sb->s_security;
..	..	@@ -3394,7 +3286,7 @@
3394	3286	return;
3395	3287	}
3396	3288
3397		- if (!selinux_state.initialized) {
	3289	+ if (!selinux_initialized(&selinux_state)) {
3398	3290	/* If we haven't even been initialized, then we can't validate
3399	3291	* against a policy, so leave the label as invalid. It may
3400	3292	* resolve to a valid label on the next revalidation try if
..	..	@@ -3448,9 +3340,56 @@
3448	3340	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3449	3341	}
3450	3342
	3343	+ if (!selinux_initialized(&selinux_state))
	3344	+ return 0;
	3345	+
3451	3346	/* No one is allowed to remove a SELinux security label.
3452	3347	You can change the label, but all data must be labeled. */
3453	3348	return -EACCES;
	3349	+}
	3350	+
	3351	+static int selinux_path_notify(const struct path *path, u64 mask,
	3352	+ unsigned int obj_type)
	3353	+{
	3354	+ int ret;
	3355	+ u32 perm;
	3356	+
	3357	+ struct common_audit_data ad;
	3358	+
	3359	+ ad.type = LSM_AUDIT_DATA_PATH;
	3360	+ ad.u.path = *path;
	3361	+
	3362	+ /*
	3363	+ * Set permission needed based on the type of mark being set.
	3364	+ * Performs an additional check for sb watches.
	3365	+ */
	3366	+ switch (obj_type) {
	3367	+ case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
	3368	+ perm = FILE__WATCH_MOUNT;
	3369	+ break;
	3370	+ case FSNOTIFY_OBJ_TYPE_SB:
	3371	+ perm = FILE__WATCH_SB;
	3372	+ ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
	3373	+ FILESYSTEM__WATCH, &ad);
	3374	+ if (ret)
	3375	+ return ret;
	3376	+ break;
	3377	+ case FSNOTIFY_OBJ_TYPE_INODE:
	3378	+ perm = FILE__WATCH;
	3379	+ break;
	3380	+ default:
	3381	+ return -EINVAL;
	3382	+ }
	3383	+
	3384	+ /* blocking watches require the file:watch_with_perm permission */
	3385	+ if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
	3386	+ perm \|= FILE__WATCH_WITH_PERM;
	3387	+
	3388	+ /* watches on read-like events need the file:watch_reads permission */
	3389	+ if (mask & (FS_ACCESS \| FS_ACCESS_PERM \| FS_CLOSE_NOWRITE))
	3390	+ perm \|= FILE__WATCH_READS;
	3391	+
	3392	+ return path_has_perm(current_cred(), path, perm);
3454	3393	}
3455	3394
3456	3395	/*
..	..	@@ -3465,7 +3404,12 @@
3465	3404	char *context = NULL;
3466	3405	struct inode_security_struct *isec;
3467	3406
3468		- if (strcmp(name, XATTR_SELINUX_SUFFIX))
	3407	+ /*
	3408	+ * If we're not initialized yet, then we can't validate contexts, so
	3409	+ * just let vfs_getxattr fall back to using the on-disk xattr.
	3410	+ */
	3411	+ if (!selinux_initialized(&selinux_state) \|\|
	3412	+ strcmp(name, XATTR_SELINUX_SUFFIX))
3469	3413	return -EOPNOTSUPP;
3470	3414
3471	3415	/*
..	..	@@ -3530,6 +3474,10 @@
3530	3474	static int selinux_inode_listsecurity(struct inode inode, char buffer, size_t buffer_size)
3531	3475	{
3532	3476	const int len = sizeof(XATTR_NAME_SELINUX);
	3477	+
	3478	+ if (!selinux_initialized(&selinux_state))
	3479	+ return 0;
	3480	+
3533	3481	if (buffer && len <= buffer_size)
3534	3482	memcpy(buffer, XATTR_NAME_SELINUX, len);
3535	3483	return len;
..	..	@@ -3553,7 +3501,7 @@
3553	3501	return -ENOMEM;
3554	3502	}
3555	3503
3556		- tsec = new_creds->security;
	3504	+ tsec = selinux_cred(new_creds);
3557	3505	/* Get label from overlay inode and set it in create_sid */
3558	3506	selinux_inode_getsecid(d_inode(src), &sid);
3559	3507	tsec->create_sid = sid;
..	..	@@ -3576,6 +3524,67 @@
3576	3524	return -EOPNOTSUPP;
3577	3525	}
3578	3526
	3527	+/* kernfs node operations */
	3528	+
	3529	+static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
	3530	+ struct kernfs_node *kn)
	3531	+{
	3532	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
	3533	+ u32 parent_sid, newsid, clen;
	3534	+ int rc;
	3535	+ char *context;
	3536	+
	3537	+ rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
	3538	+ if (rc == -ENODATA)
	3539	+ return 0;
	3540	+ else if (rc < 0)
	3541	+ return rc;
	3542	+
	3543	+ clen = (u32)rc;
	3544	+ context = kmalloc(clen, GFP_KERNEL);
	3545	+ if (!context)
	3546	+ return -ENOMEM;
	3547	+
	3548	+ rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
	3549	+ if (rc < 0) {
	3550	+ kfree(context);
	3551	+ return rc;
	3552	+ }
	3553	+
	3554	+ rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
	3555	+ GFP_KERNEL);
	3556	+ kfree(context);
	3557	+ if (rc)
	3558	+ return rc;
	3559	+
	3560	+ if (tsec->create_sid) {
	3561	+ newsid = tsec->create_sid;
	3562	+ } else {
	3563	+ u16 secclass = inode_mode_to_security_class(kn->mode);
	3564	+ struct qstr q;
	3565	+
	3566	+ q.name = kn->name;
	3567	+ q.hash_len = hashlen_string(kn_dir, kn->name);
	3568	+
	3569	+ rc = security_transition_sid(&selinux_state, tsec->sid,
	3570	+ parent_sid, secclass, &q,
	3571	+ &newsid);
	3572	+ if (rc)
	3573	+ return rc;
	3574	+ }
	3575	+
	3576	+ rc = security_sid_to_context_force(&selinux_state, newsid,
	3577	+ &context, &clen);
	3578	+ if (rc)
	3579	+ return rc;
	3580	+
	3581	+ rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
	3582	+ XATTR_CREATE);
	3583	+ kfree(context);
	3584	+ return rc;
	3585	+}
	3586	+
	3587	+
3579	3588	/* file security operations */
3580	3589
3581	3590	static int selinux_revalidate_file_permission(struct file *file, int mask)
..	..	@@ -3594,7 +3603,7 @@
3594	3603	static int selinux_file_permission(struct file *file, int mask)
3595	3604	{
3596	3605	struct inode *inode = file_inode(file);
3597		- struct file_security_struct *fsec = file->f_security;
	3606	+ struct file_security_struct *fsec = selinux_file(file);
3598	3607	struct inode_security_struct *isec;
3599	3608	u32 sid = current_sid();
3600	3609
..	..	@@ -3613,12 +3622,13 @@
3613	3622
3614	3623	static int selinux_file_alloc_security(struct file *file)
3615	3624	{
3616		- return file_alloc_security(file);
3617		-}
	3625	+ struct file_security_struct *fsec = selinux_file(file);
	3626	+ u32 sid = current_sid();
3618	3627
3619		-static void selinux_file_free_security(struct file *file)
3620		-{
3621		- file_free_security(file);
	3628	+ fsec->sid = sid;
	3629	+ fsec->fown_sid = sid;
	3630	+
	3631	+ return 0;
3622	3632	}
3623	3633
3624	3634	/*
..	..	@@ -3629,7 +3639,7 @@
3629	3639	u32 requested, u16 cmd)
3630	3640	{
3631	3641	struct common_audit_data ad;
3632		- struct file_security_struct *fsec = file->f_security;
	3642	+ struct file_security_struct *fsec = selinux_file(file);
3633	3643	struct inode *inode = file_inode(file);
3634	3644	struct inode_security_struct *isec;
3635	3645	struct lsm_ioctlop_audit ioctl;
..	..	@@ -3672,26 +3682,20 @@
3672	3682
3673	3683	switch (cmd) {
3674	3684	case FIONREAD:
3675		- /* fall through */
3676	3685	case FIBMAP:
3677		- /* fall through */
3678	3686	case FIGETBSZ:
3679		- /* fall through */
3680	3687	case FS_IOC_GETFLAGS:
3681		- /* fall through */
3682	3688	case FS_IOC_GETVERSION:
3683	3689	error = file_has_perm(cred, file, FILE__GETATTR);
3684	3690	break;
3685	3691
3686	3692	case FS_IOC_SETFLAGS:
3687		- /* fall through */
3688	3693	case FS_IOC_SETVERSION:
3689	3694	error = file_has_perm(cred, file, FILE__SETATTR);
3690	3695	break;
3691	3696
3692	3697	/* sys_ioctl() checks */
3693	3698	case FIONBIO:
3694		- /* fall through */
3695	3699	case FIOASYNC:
3696	3700	error = file_has_perm(cred, file, 0);
3697	3701	break;
..	..	@@ -3700,6 +3704,12 @@
3700	3704	case KDSKBSENT:
3701	3705	error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3702	3706	CAP_OPT_NONE, true);
	3707	+ break;
	3708	+
	3709	+ case FIOCLEX:
	3710	+ case FIONCLEX:
	3711	+ if (!selinux_policycap_ioctl_skip_cloexec())
	3712	+ error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3703	3713	break;
3704	3714
3705	3715	/* default case assumes that the command will go
..	..	@@ -3711,7 +3721,7 @@
3711	3721	return error;
3712	3722	}
3713	3723
3714		-static int default_noexec;
	3724	+static int default_noexec __ro_after_init;
3715	3725
3716	3726	static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3717	3727	{
..	..	@@ -3781,7 +3791,7 @@
3781	3791	return rc;
3782	3792	}
3783	3793
3784		- if (selinux_state.checkreqprot)
	3794	+ if (checkreqprot_get(&selinux_state))
3785	3795	prot = reqprot;
3786	3796
3787	3797	return file_map_prot_check(file, prot,
..	..	@@ -3795,7 +3805,7 @@
3795	3805	const struct cred *cred = current_cred();
3796	3806	u32 sid = cred_sid(cred);
3797	3807
3798		- if (selinux_state.checkreqprot)
	3808	+ if (checkreqprot_get(&selinux_state))
3799	3809	prot = reqprot;
3800	3810
3801	3811	if (default_noexec &&
..	..	@@ -3849,7 +3859,7 @@
3849	3859	err = file_has_perm(cred, file, FILE__WRITE);
3850	3860	break;
3851	3861	}
3852		- /* fall through */
	3862	+ fallthrough;
3853	3863	case F_SETOWN:
3854	3864	case F_SETSIG:
3855	3865	case F_GETFL:
..	..	@@ -3881,7 +3891,7 @@
3881	3891	{
3882	3892	struct file_security_struct *fsec;
3883	3893
3884		- fsec = file->f_security;
	3894	+ fsec = selinux_file(file);
3885	3895	fsec->fown_sid = current_sid();
3886	3896	}
3887	3897
..	..	@@ -3896,7 +3906,7 @@
3896	3906	/* struct fown_struct is never outside the context of a struct file */
3897	3907	file = container_of(fown, struct file, f_owner);
3898	3908
3899		- fsec = file->f_security;
	3909	+ fsec = selinux_file(file);
3900	3910
3901	3911	if (!signum)
3902	3912	perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
..	..	@@ -3920,7 +3930,7 @@
3920	3930	struct file_security_struct *fsec;
3921	3931	struct inode_security_struct *isec;
3922	3932
3923		- fsec = file->f_security;
	3933	+ fsec = selinux_file(file);
3924	3934	isec = inode_security(file_inode(file));
3925	3935	/*
3926	3936	* Save inode label and policy sequence number
..	..	@@ -3954,52 +3964,15 @@
3954	3964	}
3955	3965
3956	3966	/*
3957		- * allocate the SELinux part of blank credentials
3958		- */
3959		-static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3960		-{
3961		- struct task_security_struct *tsec;
3962		-
3963		- tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3964		- if (!tsec)
3965		- return -ENOMEM;
3966		-
3967		- cred->security = tsec;
3968		- return 0;
3969		-}
3970		-
3971		-/*
3972		- * detach and free the LSM part of a set of credentials
3973		- */
3974		-static void selinux_cred_free(struct cred *cred)
3975		-{
3976		- struct task_security_struct *tsec = cred->security;
3977		-
3978		- /*
3979		- * cred->security == NULL if security_cred_alloc_blank() or
3980		- * security_prepare_creds() returned an error.
3981		- */
3982		- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3983		- cred->security = (void *) 0x7UL;
3984		- kfree(tsec);
3985		-}
3986		-
3987		-/*
3988	3967	* prepare a new set of credentials for modification
3989	3968	*/
3990	3969	static int selinux_cred_prepare(struct cred new, const struct cred old,
3991	3970	gfp_t gfp)
3992	3971	{
3993		- const struct task_security_struct *old_tsec;
3994		- struct task_security_struct *tsec;
	3972	+ const struct task_security_struct *old_tsec = selinux_cred(old);
	3973	+ struct task_security_struct *tsec = selinux_cred(new);
3995	3974
3996		- old_tsec = old->security;
3997		-
3998		- tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3999		- if (!tsec)
4000		- return -ENOMEM;
4001		-
4002		- new->security = tsec;
	3975	+ tsec = old_tsec;
4003	3976	return 0;
4004	3977	}
4005	3978
..	..	@@ -4008,8 +3981,8 @@
4008	3981	*/
4009	3982	static void selinux_cred_transfer(struct cred new, const struct cred old)
4010	3983	{
4011		- const struct task_security_struct *old_tsec = old->security;
4012		- struct task_security_struct *tsec = new->security;
	3984	+ const struct task_security_struct *old_tsec = selinux_cred(old);
	3985	+ struct task_security_struct *tsec = selinux_cred(new);
4013	3986
4014	3987	tsec = old_tsec;
4015	3988	}
..	..	@@ -4025,7 +3998,7 @@
4025	3998	*/
4026	3999	static int selinux_kernel_act_as(struct cred *new, u32 secid)
4027	4000	{
4028		- struct task_security_struct *tsec = new->security;
	4001	+ struct task_security_struct *tsec = selinux_cred(new);
4029	4002	u32 sid = current_sid();
4030	4003	int ret;
4031	4004
..	..	@@ -4050,7 +4023,7 @@
4050	4023	static int selinux_kernel_create_files_as(struct cred new, struct inode inode)
4051	4024	{
4052	4025	struct inode_security_struct *isec = inode_security(inode);
4053		- struct task_security_struct *tsec = new->security;
	4026	+ struct task_security_struct *tsec = selinux_cred(new);
4054	4027	u32 sid = current_sid();
4055	4028	int ret;
4056	4029
..	..	@@ -4096,7 +4069,7 @@
4096	4069	ad.type = LSM_AUDIT_DATA_FILE;
4097	4070	ad.u.file = file;
4098	4071
4099		- fsec = file->f_security;
	4072	+ fsec = selinux_file(file);
4100	4073	if (sid != fsec->sid) {
4101	4074	rc = avc_has_perm(&selinux_state,
4102	4075	sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
..	..	@@ -4111,13 +4084,14 @@
4111	4084	}
4112	4085
4113	4086	static int selinux_kernel_read_file(struct file *file,
4114		- enum kernel_read_file_id id)
	4087	+ enum kernel_read_file_id id,
	4088	+ bool contents)
4115	4089	{
4116	4090	int rc = 0;
4117	4091
4118	4092	switch (id) {
4119	4093	case READING_MODULE:
4120		- rc = selinux_kernel_module_from_file(file);
	4094	+ rc = selinux_kernel_module_from_file(contents ? file : NULL);
4121	4095	break;
4122	4096	default:
4123	4097	break;
..	..	@@ -4126,7 +4100,7 @@
4126	4100	return rc;
4127	4101	}
4128	4102
4129		-static int selinux_kernel_load_data(enum kernel_load_data_id id)
	4103	+static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4130	4104	{
4131	4105	int rc = 0;
4132	4106
..	..	@@ -4241,7 +4215,7 @@
4241	4215	PROCESS__SETSCHED, NULL);
4242	4216	}
4243	4217
4244		-static int selinux_task_kill(struct task_struct p, struct siginfo info,
	4218	+static int selinux_task_kill(struct task_struct p, struct kernel_siginfo info,
4245	4219	int sig, const struct cred *cred)
4246	4220	{
4247	4221	u32 secid;
..	..	@@ -4262,7 +4236,7 @@
4262	4236	static void selinux_task_to_inode(struct task_struct *p,
4263	4237	struct inode *inode)
4264	4238	{
4265		- struct inode_security_struct *isec = inode->i_security;
	4239	+ struct inode_security_struct *isec = selinux_inode(inode);
4266	4240	u32 sid = task_sid(p);
4267	4241
4268	4242	spin_lock(&isec->lock);
..	..	@@ -4547,7 +4521,7 @@
4547	4521	*
4548	4522	* If @skb_sid is valid then the user:role:type information from @sk_sid is
4549	4523	* combined with the MLS information from @skb_sid in order to create
4550		- * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
	4524	+ * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4551	4525	* of @sk_sid. Returns zero on success, negative values on failure.
4552	4526	*
4553	4527	*/
..	..	@@ -4599,7 +4573,7 @@
4599	4573	static int selinux_socket_create(int family, int type,
4600	4574	int protocol, int kern)
4601	4575	{
4602		- const struct task_security_struct *tsec = current_security();
	4576	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
4603	4577	u32 newsid;
4604	4578	u16 secclass;
4605	4579	int rc;
..	..	@@ -4619,7 +4593,7 @@
4619	4593	static int selinux_socket_post_create(struct socket *sock, int family,
4620	4594	int type, int protocol, int kern)
4621	4595	{
4622		- const struct task_security_struct *tsec = current_security();
	4596	+ const struct task_security_struct *tsec = selinux_cred(current_cred());
4623	4597	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4624	4598	struct sk_security_struct *sksec;
4625	4599	u16 sclass = socket_type_to_security_class(family, type, protocol);
..	..	@@ -4685,7 +4659,7 @@
4685	4659	struct lsm_network_audit net = {0,};
4686	4660	struct sockaddr_in *addr4 = NULL;
4687	4661	struct sockaddr_in6 *addr6 = NULL;
4688		- u16 family_sa = address->sa_family;
	4662	+ u16 family_sa;
4689	4663	unsigned short snum;
4690	4664	u32 sid, node_perm;
4691	4665
..	..	@@ -4695,6 +4669,9 @@
4695	4669	* need to check address->sa_family as it is possible to have
4696	4670	* sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4697	4671	*/
	4672	+ if (addrlen < offsetofend(struct sockaddr, sa_family))
	4673	+ return -EINVAL;
	4674	+ family_sa = address->sa_family;
4698	4675	switch (family_sa) {
4699	4676	case AF_UNSPEC:
4700	4677	case AF_INET:
..	..	@@ -4733,8 +4710,8 @@
4733	4710
4734	4711	inet_get_local_port_range(sock_net(sk), &low, &high);
4735	4712
4736		- if (snum < max(inet_prot_sock(sock_net(sk)), low) \|\|
4737		- snum > high) {
	4713	+ if (inet_port_requires_bind_service(sock_net(sk), snum) \|\|
	4714	+ snum < low \|\| snum > high) {
4738	4715	err = sel_netport_sid(sk->sk_protocol,
4739	4716	snum, &sid);
4740	4717	if (err)
..	..	@@ -4795,7 +4772,7 @@
4795	4772	}
4796	4773
4797	4774	/* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4798		- * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
	4775	+ * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4799	4776	*/
4800	4777	static int selinux_socket_connect_helper(struct socket *sock,
4801	4778	struct sockaddr *address, int addrlen)
..	..	@@ -4807,6 +4784,14 @@
4807	4784	err = sock_has_perm(sk, SOCKET__CONNECT);
4808	4785	if (err)
4809	4786	return err;
	4787	+ if (addrlen < offsetofend(struct sockaddr, sa_family))
	4788	+ return -EINVAL;
	4789	+
	4790	+ /* connect(AF_UNSPEC) has special handling, as it is a documented
	4791	+ * way to disconnect the socket
	4792	+ */
	4793	+ if (address->sa_family == AF_UNSPEC)
	4794	+ return 0;
4810	4795
4811	4796	/*
4812	4797	* If a TCP, DCCP or SCTP socket, check name_connect permission
..	..	@@ -4819,7 +4804,7 @@
4819	4804	struct lsm_network_audit net = {0,};
4820	4805	struct sockaddr_in *addr4 = NULL;
4821	4806	struct sockaddr_in6 *addr6 = NULL;
4822		- unsigned short snum = 0;
	4807	+ unsigned short snum;
4823	4808	u32 sid, perm;
4824	4809
4825	4810	/* sctp_connectx(3) calls via selinux_sctp_bind_connect()
..	..	@@ -4842,12 +4827,12 @@
4842	4827	break;
4843	4828	default:
4844	4829	/* Note that SCTP services expect -EINVAL, whereas
4845		- * others must handle this at the protocol level:
4846		- * connect(AF_UNSPEC) on a connected socket is
4847		- * a documented way disconnect the socket.
	4830	+ * others expect -EAFNOSUPPORT.
4848	4831	*/
4849	4832	if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4850	4833	return -EINVAL;
	4834	+ else
	4835	+ return -EAFNOSUPPORT;
4851	4836	}
4852	4837
4853	4838	err = sel_netport_sid(sk->sk_protocol, snum, &sid);
..	..	@@ -5406,7 +5391,7 @@
5406	5391
5407	5392	/* As selinux_sctp_bind_connect() is called by the
5408	5393	* SCTP protocol layer, the socket is already locked,
5409		- * therefore selinux_netlbl_socket_connect_locked() is
	5394	+ * therefore selinux_netlbl_socket_connect_locked()
5410	5395	* is called here. The situations handled are:
5411	5396	* sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5412	5397	* whenever a new IP address is added or when a new
..	..	@@ -5503,7 +5488,7 @@
5503	5488	const struct task_security_struct *__tsec;
5504	5489	u32 tsid;
5505	5490
5506		- __tsec = current_security();
	5491	+ __tsec = selinux_cred(current_cred());
5507	5492	tsid = __tsec->sid;
5508	5493
5509	5494	return avc_has_perm(&selinux_state,
..	..	@@ -5522,9 +5507,9 @@
5522	5507	}
5523	5508
5524	5509	static void selinux_req_classify_flow(const struct request_sock *req,
5525		- struct flowi *fl)
	5510	+ struct flowi_common *flic)
5526	5511	{
5527		- fl->flowi_secid = req->secid;
	5512	+ flic->flowic_secid = req->secid;
5528	5513	}
5529	5514
5530	5515	static int selinux_tun_dev_alloc_security(void **security)
..	..	@@ -5607,64 +5592,6 @@
5607	5592	tunsec->sid = sid;
5608	5593
5609	5594	return 0;
5610		-}
5611		-
5612		-static int selinux_nlmsg_perm(struct sock sk, struct sk_buff skb)
5613		-{
5614		- int rc = 0;
5615		- unsigned int msg_len;
5616		- unsigned int data_len = skb->len;
5617		- unsigned char *data = skb->data;
5618		- struct nlmsghdr *nlh;
5619		- struct sk_security_struct *sksec = sk->sk_security;
5620		- u16 sclass = sksec->sclass;
5621		- u32 perm;
5622		-
5623		- while (data_len >= nlmsg_total_size(0)) {
5624		- nlh = (struct nlmsghdr *)data;
5625		-
5626		- /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5627		- * users which means we can't reject skb's with bogus
5628		- * length fields; our solution is to follow what
5629		- * netlink_rcv_skb() does and simply skip processing at
5630		- * messages with length fields that are clearly junk
5631		- */
5632		- if (nlh->nlmsg_len < NLMSG_HDRLEN \|\| nlh->nlmsg_len > data_len)
5633		- return 0;
5634		-
5635		- rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5636		- if (rc == 0) {
5637		- rc = sock_has_perm(sk, perm);
5638		- if (rc)
5639		- return rc;
5640		- } else if (rc == -EINVAL) {
5641		- /* -EINVAL is a missing msg/perm mapping */
5642		- pr_warn_ratelimited("SELinux: unrecognized netlink"
5643		- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5644		- " pid=%d comm=%s\n",
5645		- sk->sk_protocol, nlh->nlmsg_type,
5646		- secclass_map[sclass - 1].name,
5647		- task_pid_nr(current), current->comm);
5648		- if (enforcing_enabled(&selinux_state) &&
5649		- !security_get_allow_unknown(&selinux_state))
5650		- return rc;
5651		- rc = 0;
5652		- } else if (rc == -ENOENT) {
5653		- /* -ENOENT is a missing socket/class mapping, ignore */
5654		- rc = 0;
5655		- } else {
5656		- return rc;
5657		- }
5658		-
5659		- /* move to the next message after applying netlink padding */
5660		- msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5661		- if (msg_len >= data_len)
5662		- return 0;
5663		- data_len -= msg_len;
5664		- data += msg_len;
5665		- }
5666		-
5667		- return rc;
5668	5595	}
5669	5596
5670	5597	#ifdef CONFIG_NETFILTER
..	..	@@ -5995,52 +5922,66 @@
5995	5922
5996	5923	static int selinux_netlink_send(struct sock sk, struct sk_buff skb)
5997	5924	{
5998		- return selinux_nlmsg_perm(sk, skb);
	5925	+ int rc = 0;
	5926	+ unsigned int msg_len;
	5927	+ unsigned int data_len = skb->len;
	5928	+ unsigned char *data = skb->data;
	5929	+ struct nlmsghdr *nlh;
	5930	+ struct sk_security_struct *sksec = sk->sk_security;
	5931	+ u16 sclass = sksec->sclass;
	5932	+ u32 perm;
	5933	+
	5934	+ while (data_len >= nlmsg_total_size(0)) {
	5935	+ nlh = (struct nlmsghdr *)data;
	5936	+
	5937	+ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
	5938	+ * users which means we can't reject skb's with bogus
	5939	+ * length fields; our solution is to follow what
	5940	+ * netlink_rcv_skb() does and simply skip processing at
	5941	+ * messages with length fields that are clearly junk
	5942	+ */
	5943	+ if (nlh->nlmsg_len < NLMSG_HDRLEN \|\| nlh->nlmsg_len > data_len)
	5944	+ return 0;
	5945	+
	5946	+ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
	5947	+ if (rc == 0) {
	5948	+ rc = sock_has_perm(sk, perm);
	5949	+ if (rc)
	5950	+ return rc;
	5951	+ } else if (rc == -EINVAL) {
	5952	+ /* -EINVAL is a missing msg/perm mapping */
	5953	+ pr_warn_ratelimited("SELinux: unrecognized netlink"
	5954	+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
	5955	+ " pid=%d comm=%s\n",
	5956	+ sk->sk_protocol, nlh->nlmsg_type,
	5957	+ secclass_map[sclass - 1].name,
	5958	+ task_pid_nr(current), current->comm);
	5959	+ if (enforcing_enabled(&selinux_state) &&
	5960	+ !security_get_allow_unknown(&selinux_state))
	5961	+ return rc;
	5962	+ rc = 0;
	5963	+ } else if (rc == -ENOENT) {
	5964	+ /* -ENOENT is a missing socket/class mapping, ignore */
	5965	+ rc = 0;
	5966	+ } else {
	5967	+ return rc;
	5968	+ }
	5969	+
	5970	+ /* move to the next message after applying netlink padding */
	5971	+ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
	5972	+ if (msg_len >= data_len)
	5973	+ return 0;
	5974	+ data_len -= msg_len;
	5975	+ data += msg_len;
	5976	+ }
	5977	+
	5978	+ return rc;
5999	5979	}
6000	5980
6001		-static int ipc_alloc_security(struct kern_ipc_perm *perm,
6002		- u16 sclass)
	5981	+static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6003	5982	{
6004		- struct ipc_security_struct *isec;
6005		-
6006		- isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
6007		- if (!isec)
6008		- return -ENOMEM;
6009		-
6010	5983	isec->sclass = sclass;
6011	5984	isec->sid = current_sid();
6012		- perm->security = isec;
6013		-
6014		- return 0;
6015		-}
6016		-
6017		-static void ipc_free_security(struct kern_ipc_perm *perm)
6018		-{
6019		- struct ipc_security_struct *isec = perm->security;
6020		- perm->security = NULL;
6021		- kfree(isec);
6022		-}
6023		-
6024		-static int msg_msg_alloc_security(struct msg_msg *msg)
6025		-{
6026		- struct msg_security_struct *msec;
6027		-
6028		- msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
6029		- if (!msec)
6030		- return -ENOMEM;
6031		-
6032		- msec->sid = SECINITSID_UNLABELED;
6033		- msg->security = msec;
6034		-
6035		- return 0;
6036		-}
6037		-
6038		-static void msg_msg_free_security(struct msg_msg *msg)
6039		-{
6040		- struct msg_security_struct *msec = msg->security;
6041		-
6042		- msg->security = NULL;
6043		- kfree(msec);
6044	5985	}
6045	5986
6046	5987	static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
..	..	@@ -6050,7 +5991,7 @@
6050	5991	struct common_audit_data ad;
6051	5992	u32 sid = current_sid();
6052	5993
6053		- isec = ipc_perms->security;
	5994	+ isec = selinux_ipc(ipc_perms);
6054	5995
6055	5996	ad.type = LSM_AUDIT_DATA_IPC;
6056	5997	ad.u.ipc_id = ipc_perms->key;
..	..	@@ -6061,12 +6002,12 @@
6061	6002
6062	6003	static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6063	6004	{
6064		- return msg_msg_alloc_security(msg);
6065		-}
	6005	+ struct msg_security_struct *msec;
6066	6006
6067		-static void selinux_msg_msg_free_security(struct msg_msg *msg)
6068		-{
6069		- msg_msg_free_security(msg);
	6007	+ msec = selinux_msg_msg(msg);
	6008	+ msec->sid = SECINITSID_UNLABELED;
	6009	+
	6010	+ return 0;
6070	6011	}
6071	6012
6072	6013	/* message queue security operations */
..	..	@@ -6077,11 +6018,8 @@
6077	6018	u32 sid = current_sid();
6078	6019	int rc;
6079	6020
6080		- rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6081		- if (rc)
6082		- return rc;
6083		-
6084		- isec = msq->security;
	6021	+ isec = selinux_ipc(msq);
	6022	+ ipc_init_security(isec, SECCLASS_MSGQ);
6085	6023
6086	6024	ad.type = LSM_AUDIT_DATA_IPC;
6087	6025	ad.u.ipc_id = msq->key;
..	..	@@ -6089,16 +6027,7 @@
6089	6027	rc = avc_has_perm(&selinux_state,
6090	6028	sid, isec->sid, SECCLASS_MSGQ,
6091	6029	MSGQ__CREATE, &ad);
6092		- if (rc) {
6093		- ipc_free_security(msq);
6094		- return rc;
6095		- }
6096		- return 0;
6097		-}
6098		-
6099		-static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6100		-{
6101		- ipc_free_security(msq);
	6030	+ return rc;
6102	6031	}
6103	6032
6104	6033	static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
..	..	@@ -6107,7 +6036,7 @@
6107	6036	struct common_audit_data ad;
6108	6037	u32 sid = current_sid();
6109	6038
6110		- isec = msq->security;
	6039	+ isec = selinux_ipc(msq);
6111	6040
6112	6041	ad.type = LSM_AUDIT_DATA_IPC;
6113	6042	ad.u.ipc_id = msq->key;
..	..	@@ -6156,8 +6085,8 @@
6156	6085	u32 sid = current_sid();
6157	6086	int rc;
6158	6087
6159		- isec = msq->security;
6160		- msec = msg->security;
	6088	+ isec = selinux_ipc(msq);
	6089	+ msec = selinux_msg_msg(msg);
6161	6090
6162	6091	/*
6163	6092	* First time through, need to assign label to the message
..	..	@@ -6204,8 +6133,8 @@
6204	6133	u32 sid = task_sid(target);
6205	6134	int rc;
6206	6135
6207		- isec = msq->security;
6208		- msec = msg->security;
	6136	+ isec = selinux_ipc(msq);
	6137	+ msec = selinux_msg_msg(msg);
6209	6138
6210	6139	ad.type = LSM_AUDIT_DATA_IPC;
6211	6140	ad.u.ipc_id = msq->key;
..	..	@@ -6228,11 +6157,8 @@
6228	6157	u32 sid = current_sid();
6229	6158	int rc;
6230	6159
6231		- rc = ipc_alloc_security(shp, SECCLASS_SHM);
6232		- if (rc)
6233		- return rc;
6234		-
6235		- isec = shp->security;
	6160	+ isec = selinux_ipc(shp);
	6161	+ ipc_init_security(isec, SECCLASS_SHM);
6236	6162
6237	6163	ad.type = LSM_AUDIT_DATA_IPC;
6238	6164	ad.u.ipc_id = shp->key;
..	..	@@ -6240,16 +6166,7 @@
6240	6166	rc = avc_has_perm(&selinux_state,
6241	6167	sid, isec->sid, SECCLASS_SHM,
6242	6168	SHM__CREATE, &ad);
6243		- if (rc) {
6244		- ipc_free_security(shp);
6245		- return rc;
6246		- }
6247		- return 0;
6248		-}
6249		-
6250		-static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6251		-{
6252		- ipc_free_security(shp);
	6169	+ return rc;
6253	6170	}
6254	6171
6255	6172	static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
..	..	@@ -6258,7 +6175,7 @@
6258	6175	struct common_audit_data ad;
6259	6176	u32 sid = current_sid();
6260	6177
6261		- isec = shp->security;
	6178	+ isec = selinux_ipc(shp);
6262	6179
6263	6180	ad.type = LSM_AUDIT_DATA_IPC;
6264	6181	ad.u.ipc_id = shp->key;
..	..	@@ -6325,11 +6242,8 @@
6325	6242	u32 sid = current_sid();
6326	6243	int rc;
6327	6244
6328		- rc = ipc_alloc_security(sma, SECCLASS_SEM);
6329		- if (rc)
6330		- return rc;
6331		-
6332		- isec = sma->security;
	6245	+ isec = selinux_ipc(sma);
	6246	+ ipc_init_security(isec, SECCLASS_SEM);
6333	6247
6334	6248	ad.type = LSM_AUDIT_DATA_IPC;
6335	6249	ad.u.ipc_id = sma->key;
..	..	@@ -6337,16 +6251,7 @@
6337	6251	rc = avc_has_perm(&selinux_state,
6338	6252	sid, isec->sid, SECCLASS_SEM,
6339	6253	SEM__CREATE, &ad);
6340		- if (rc) {
6341		- ipc_free_security(sma);
6342		- return rc;
6343		- }
6344		- return 0;
6345		-}
6346		-
6347		-static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6348		-{
6349		- ipc_free_security(sma);
	6254	+ return rc;
6350	6255	}
6351	6256
6352	6257	static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
..	..	@@ -6355,7 +6260,7 @@
6355	6260	struct common_audit_data ad;
6356	6261	u32 sid = current_sid();
6357	6262
6358		- isec = sma->security;
	6263	+ isec = selinux_ipc(sma);
6359	6264
6360	6265	ad.type = LSM_AUDIT_DATA_IPC;
6361	6266	ad.u.ipc_id = sma->key;
..	..	@@ -6441,7 +6346,7 @@
6441	6346
6442	6347	static void selinux_ipc_getsecid(struct kern_ipc_perm ipcp, u32 secid)
6443	6348	{
6444		- struct ipc_security_struct *isec = ipcp->security;
	6349	+ struct ipc_security_struct *isec = selinux_ipc(ipcp);
6445	6350	*secid = isec->sid;
6446	6351	}
6447	6352
..	..	@@ -6460,7 +6365,7 @@
6460	6365	unsigned len;
6461	6366
6462	6367	rcu_read_lock();
6463		- __tsec = __task_cred(p)->security;
	6368	+ __tsec = selinux_cred(__task_cred(p));
6464	6369
6465	6370	if (current != p) {
6466	6371	error = avc_has_perm(&selinux_state,
..	..	@@ -6580,10 +6485,10 @@
6580	6485	/* Permission checking based on the specified context is
6581	6486	performed during the actual operation (execve,
6582	6487	open/mkdir/...), when we know the full context of the
6583		- operation. See selinux_bprm_set_creds for the execve
	6488	+ operation. See selinux_bprm_creds_for_exec for the execve
6584	6489	checks and may_create for the file creation checks. The
6585	6490	operation will then fail if the context is not permitted. */
6586		- tsec = new->security;
	6491	+ tsec = selinux_cred(new);
6587	6492	if (!strcmp(name, "exec")) {
6588	6493	tsec->exec_sid = sid;
6589	6494	} else if (!strcmp(name, "fscreate")) {
..	..	@@ -6668,7 +6573,7 @@
6668	6573
6669	6574	static void selinux_inode_invalidate_secctx(struct inode *inode)
6670	6575	{
6671		- struct inode_security_struct *isec = inode->i_security;
	6576	+ struct inode_security_struct *isec = selinux_inode(inode);
6672	6577
6673	6578	spin_lock(&isec->lock);
6674	6579	isec->initialized = LABEL_INVALID;
..	..	@@ -6716,7 +6621,7 @@
6716	6621	if (!ksec)
6717	6622	return -ENOMEM;
6718	6623
6719		- tsec = cred->security;
	6624	+ tsec = selinux_cred(cred);
6720	6625	if (tsec->keycreate_sid)
6721	6626	ksec->sid = tsec->keycreate_sid;
6722	6627	else
..	..	@@ -6736,20 +6641,43 @@
6736	6641
6737	6642	static int selinux_key_permission(key_ref_t key_ref,
6738	6643	const struct cred *cred,
6739		- unsigned perm)
	6644	+ enum key_need_perm need_perm)
6740	6645	{
6741	6646	struct key *key;
6742	6647	struct key_security_struct *ksec;
6743		- u32 sid;
	6648	+ u32 perm, sid;
6744	6649
6745		- /* if no specific permissions are requested, we skip the
6746		- permission check. No serious, additional covert channels
6747		- appear to be created. */
6748		- if (perm == 0)
	6650	+ switch (need_perm) {
	6651	+ case KEY_NEED_VIEW:
	6652	+ perm = KEY__VIEW;
	6653	+ break;
	6654	+ case KEY_NEED_READ:
	6655	+ perm = KEY__READ;
	6656	+ break;
	6657	+ case KEY_NEED_WRITE:
	6658	+ perm = KEY__WRITE;
	6659	+ break;
	6660	+ case KEY_NEED_SEARCH:
	6661	+ perm = KEY__SEARCH;
	6662	+ break;
	6663	+ case KEY_NEED_LINK:
	6664	+ perm = KEY__LINK;
	6665	+ break;
	6666	+ case KEY_NEED_SETATTR:
	6667	+ perm = KEY__SETATTR;
	6668	+ break;
	6669	+ case KEY_NEED_UNLINK:
	6670	+ case KEY_SYSADMIN_OVERRIDE:
	6671	+ case KEY_AUTHTOKEN_OVERRIDE:
	6672	+ case KEY_DEFER_PERM_CHECK:
6749	6673	return 0;
	6674	+ default:
	6675	+ WARN_ON(1);
	6676	+ return -EPERM;
	6677	+
	6678	+ }
6750	6679
6751	6680	sid = cred_sid(cred);
6752		-
6753	6681	key = key_ref_to_ptr(key_ref);
6754	6682	ksec = key->security;
6755	6683
..	..	@@ -6771,6 +6699,17 @@
6771	6699	*_buffer = context;
6772	6700	return rc;
6773	6701	}
	6702	+
	6703	+#ifdef CONFIG_KEY_NOTIFICATIONS
	6704	+static int selinux_watch_key(struct key *key)
	6705	+{
	6706	+ struct key_security_struct *ksec = key->security;
	6707	+ u32 sid = current_sid();
	6708	+
	6709	+ return avc_has_perm(&selinux_state,
	6710	+ sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
	6711	+}
	6712	+#endif
6774	6713	#endif
6775	6714
6776	6715	#ifdef CONFIG_SECURITY_INFINIBAND
..	..	@@ -6979,6 +6918,13 @@
6979	6918	}
6980	6919	#endif
6981	6920
	6921	+struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
	6922	+ .lbs_cred = sizeof(struct task_security_struct),
	6923	+ .lbs_file = sizeof(struct file_security_struct),
	6924	+ .lbs_inode = sizeof(struct inode_security_struct),
	6925	+ .lbs_ipc = sizeof(struct ipc_security_struct),
	6926	+ .lbs_msg_msg = sizeof(struct msg_security_struct),
	6927	+};
6982	6928
6983	6929	#ifdef CONFIG_PERF_EVENTS
6984	6930	static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
..	..	@@ -7041,6 +6987,21 @@
7041	6987	}
7042	6988	#endif
7043	6989
	6990	+/*
	6991	+ * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
	6992	+ * 1. any hooks that don't belong to (2.) or (3.) below,
	6993	+ * 2. hooks that both access structures allocated by other hooks, and allocate
	6994	+ * structures that can be later accessed by other hooks (mostly "cloning"
	6995	+ * hooks),
	6996	+ * 3. hooks that only allocate structures that can be later accessed by other
	6997	+ * hooks ("allocating" hooks).
	6998	+ *
	6999	+ * Please follow block comment delimiters in the list to keep this order.
	7000	+ *
	7001	+ * This ordering is needed for SELinux runtime disable to work at least somewhat
	7002	+ * safely. Breaking the ordering rules above might lead to NULL pointer derefs
	7003	+ * when disabling SELinux at runtime.
	7004	+ */
7044	7005	static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
7045	7006	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7046	7007	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
..	..	@@ -7059,13 +7020,12 @@
7059	7020
7060	7021	LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7061	7022
7062		- LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
	7023	+ LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7063	7024	LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7064	7025	LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7065	7026
7066		- LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7067	7027	LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
7068		- LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
	7028	+ LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7069	7029	LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7070	7030	LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7071	7031	LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
..	..	@@ -7074,14 +7034,15 @@
7074	7034	LSM_HOOK_INIT(sb_umount, selinux_umount),
7075	7035	LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7076	7036	LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7077		- LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
	7037	+
	7038	+ LSM_HOOK_INIT(move_mount, selinux_move_mount),
7078	7039
7079	7040	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7080	7041	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7081	7042
7082		- LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7083	7043	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7084	7044	LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
	7045	+ LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7085	7046	LSM_HOOK_INIT(inode_create, selinux_inode_create),
7086	7047	LSM_HOOK_INIT(inode_link, selinux_inode_link),
7087	7048	LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
..	..	@@ -7106,10 +7067,12 @@
7106	7067	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7107	7068	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7108	7069	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
	7070	+ LSM_HOOK_INIT(path_notify, selinux_path_notify),
	7071	+
	7072	+ LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7109	7073
7110	7074	LSM_HOOK_INIT(file_permission, selinux_file_permission),
7111	7075	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7112		- LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
7113	7076	LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7114	7077	LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7115	7078	LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
..	..	@@ -7123,8 +7086,6 @@
7123	7086	LSM_HOOK_INIT(file_open, selinux_file_open),
7124	7087
7125	7088	LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7126		- LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
7127		- LSM_HOOK_INIT(cred_free, selinux_cred_free),
7128	7089	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7129	7090	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7130	7091	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
..	..	@@ -7151,25 +7112,15 @@
7151	7112	LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7152	7113	LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7153	7114
7154		- LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7155		- LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7156		-
7157		- LSM_HOOK_INIT(msg_queue_alloc_security,
7158		- selinux_msg_queue_alloc_security),
7159		- LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7160	7115	LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7161	7116	LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7162	7117	LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7163	7118	LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7164	7119
7165		- LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7166		- LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7167	7120	LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7168	7121	LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7169	7122	LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7170	7123
7171		- LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7172		- LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7173	7124	LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7174	7125	LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7175	7126	LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
..	..	@@ -7180,13 +7131,11 @@
7180	7131	LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7181	7132
7182	7133	LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7183		- LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7184	7134	LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7185	7135	LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7186	7136	LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7187	7137	LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7188	7138	LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7189		- LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7190	7139
7191	7140	LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7192	7141	LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
..	..	@@ -7209,7 +7158,6 @@
7209	7158	LSM_HOOK_INIT(socket_getpeersec_stream,
7210	7159	selinux_socket_getpeersec_stream),
7211	7160	LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7212		- LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7213	7161	LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7214	7162	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7215	7163	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
..	..	@@ -7224,7 +7172,6 @@
7224	7172	LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7225	7173	LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7226	7174	LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7227		- LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7228	7175	LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7229	7176	LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7230	7177	LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
..	..	@@ -7234,17 +7181,11 @@
7234	7181	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7235	7182	LSM_HOOK_INIT(ib_endport_manage_subnet,
7236	7183	selinux_ib_endport_manage_subnet),
7237		- LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7238	7184	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7239	7185	#endif
7240	7186	#ifdef CONFIG_SECURITY_NETWORK_XFRM
7241		- LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7242		- LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7243	7187	LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7244	7188	LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7245		- LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7246		- LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7247		- selinux_xfrm_state_alloc_acquire),
7248	7189	LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7249	7190	LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7250	7191	LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
..	..	@@ -7254,14 +7195,15 @@
7254	7195	#endif
7255	7196
7256	7197	#ifdef CONFIG_KEYS
7257		- LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7258	7198	LSM_HOOK_INIT(key_free, selinux_key_free),
7259	7199	LSM_HOOK_INIT(key_permission, selinux_key_permission),
7260	7200	LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
	7201	+#ifdef CONFIG_KEY_NOTIFICATIONS
	7202	+ LSM_HOOK_INIT(watch_key, selinux_watch_key),
	7203	+#endif
7261	7204	#endif
7262	7205
7263	7206	#ifdef CONFIG_AUDIT
7264		- LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7265	7207	LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7266	7208	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7267	7209	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
..	..	@@ -7271,52 +7213,82 @@
7271	7213	LSM_HOOK_INIT(bpf, selinux_bpf),
7272	7214	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7273	7215	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7274		- LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7275		- LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7276	7216	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7277	7217	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7278	7218	#endif
7279	7219
7280	7220	#ifdef CONFIG_PERF_EVENTS
7281	7221	LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7282		- LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7283	7222	LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7284	7223	LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7285	7224	LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
	7225	+#endif
	7226	+
	7227	+ /*
	7228	+ * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
	7229	+ */
	7230	+ LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
	7231	+ LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
	7232	+ LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
	7233	+ LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
	7234	+#ifdef CONFIG_SECURITY_NETWORK_XFRM
	7235	+ LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
	7236	+#endif
	7237	+
	7238	+ /*
	7239	+ * PUT "ALLOCATING" HOOKS HERE
	7240	+ */
	7241	+ LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
	7242	+ LSM_HOOK_INIT(msg_queue_alloc_security,
	7243	+ selinux_msg_queue_alloc_security),
	7244	+ LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
	7245	+ LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
	7246	+ LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
	7247	+ LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
	7248	+ LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
	7249	+ LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
	7250	+ LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
	7251	+ LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
	7252	+#ifdef CONFIG_SECURITY_INFINIBAND
	7253	+ LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
	7254	+#endif
	7255	+#ifdef CONFIG_SECURITY_NETWORK_XFRM
	7256	+ LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
	7257	+ LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
	7258	+ LSM_HOOK_INIT(xfrm_state_alloc_acquire,
	7259	+ selinux_xfrm_state_alloc_acquire),
	7260	+#endif
	7261	+#ifdef CONFIG_KEYS
	7262	+ LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
	7263	+#endif
	7264	+#ifdef CONFIG_AUDIT
	7265	+ LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
	7266	+#endif
	7267	+#ifdef CONFIG_BPF_SYSCALL
	7268	+ LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
	7269	+ LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
	7270	+#endif
	7271	+#ifdef CONFIG_PERF_EVENTS
	7272	+ LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7286	7273	#endif
7287	7274	};
7288	7275
7289	7276	static __init int selinux_init(void)
7290	7277	{
7291		- if (!security_module_enable("selinux")) {
7292		- selinux_enabled = 0;
7293		- return 0;
7294		- }
7295		-
7296		- if (!selinux_enabled) {
7297		- pr_info("SELinux: Disabled at boot.\n");
7298		- return 0;
7299		- }
7300		-
7301	7278	pr_info("SELinux: Initializing.\n");
7302	7279
7303	7280	memset(&selinux_state, 0, sizeof(selinux_state));
7304	7281	enforcing_set(&selinux_state, selinux_enforcing_boot);
7305		- selinux_state.checkreqprot = selinux_checkreqprot_boot;
7306		- selinux_ss_init(&selinux_state.ss);
	7282	+ checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
7307	7283	selinux_avc_init(&selinux_state.avc);
	7284	+ mutex_init(&selinux_state.status_lock);
	7285	+ mutex_init(&selinux_state.policy_mutex);
7308	7286
7309	7287	/* Set the security state for the initial task. */
7310	7288	cred_init_security();
7311	7289
7312	7290	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7313	7291
7314		- sel_inode_cache = kmem_cache_create("selinux_inode_security",
7315		- sizeof(struct inode_security_struct),
7316		- 0, SLAB_PANIC, NULL);
7317		- file_security_cache = kmem_cache_create("selinux_file_security",
7318		- sizeof(struct file_security_struct),
7319		- 0, SLAB_PANIC, NULL);
7320	7292	avc_init();
7321	7293
7322	7294	avtab_cache_init();
..	..	@@ -7338,12 +7310,14 @@
7338	7310	else
7339	7311	pr_debug("SELinux: Starting in permissive mode\n");
7340	7312
	7313	+ fs_validate_description("selinux", selinux_fs_parameters);
	7314	+
7341	7315	return 0;
7342	7316	}
7343	7317
7344	7318	static void delayed_superblock_init(struct super_block sb, void unused)
7345	7319	{
7346		- superblock_doinit(sb, NULL);
	7320	+ selinux_set_mnt_opts(sb, NULL, 0, NULL);
7347	7321	}
7348	7322
7349	7323	void selinux_complete_init(void)
..	..	@@ -7357,7 +7331,13 @@
7357	7331
7358	7332	/* SELinux requires early initialization in order to label
7359	7333	all processes and objects when they are created. */
7360		-security_initcall(selinux_init);
	7334	+DEFINE_LSM(selinux) = {
	7335	+ .name = "selinux",
	7336	+ .flags = LSM_FLAG_LEGACY_MAJOR \| LSM_FLAG_EXCLUSIVE,
	7337	+ .enabled = &selinux_enabled_boot,
	7338	+ .blobs = &selinux_blob_sizes,
	7339	+ .init = selinux_init,
	7340	+};
7361	7341
7362	7342	#if defined(CONFIG_NETFILTER)
7363	7343
..	..	@@ -7423,7 +7403,7 @@
7423	7403	{
7424	7404	int err;
7425	7405
7426		- if (!selinux_enabled)
	7406	+ if (!selinux_enabled_boot)
7427	7407	return 0;
7428	7408
7429	7409	pr_debug("SELinux: Registering netfilter hooks\n");
..	..	@@ -7456,29 +7436,31 @@
7456	7436	#ifdef CONFIG_SECURITY_SELINUX_DISABLE
7457	7437	int selinux_disable(struct selinux_state *state)
7458	7438	{
7459		- if (state->initialized) {
	7439	+ if (selinux_initialized(state)) {
7460	7440	/* Not permitted after initial policy load. */
7461	7441	return -EINVAL;
7462	7442	}
7463	7443
7464		- if (state->disabled) {
	7444	+ if (selinux_disabled(state)) {
7465	7445	/* Only do this once. */
7466	7446	return -EINVAL;
7467	7447	}
7468	7448
7469		- state->disabled = 1;
	7449	+ selinux_mark_disabled(state);
7470	7450
7471	7451	pr_info("SELinux: Disabled at runtime.\n");
7472	7452
7473		- selinux_enabled = 0;
	7453	+ /*
	7454	+ * Unregister netfilter hooks.
	7455	+ * Must be done before security_delete_hooks() to avoid breaking
	7456	+ * runtime disable.
	7457	+ */
	7458	+ selinux_nf_ip_exit();
7474	7459
7475	7460	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7476	7461
7477	7462	/* Try to destroy the avc node cache */
7478	7463	avc_disable();
7479		-
7480		- /* Unregister netfilter hooks. */
7481		- selinux_nf_ip_exit();
7482	7464
7483	7465	/* Unregister selinuxfs. */
7484	7466	exit_sel_fs();