Merge tag 'selinux-pr-20230829' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

# SPDX-License-Identifier: GPL-2.0-only

config SECURITY_SELINUX

	bool "NSA SELinux Support"

	bool "SELinux Support"

	depends on SECURITY_NETWORK && AUDIT && NET && INET

	select NETWORK_SECMARK

	default n

	help

	  This selects NSA Security-Enhanced Linux (SELinux).

	  This selects Security-Enhanced Linux (SELinux).

	  You will also need a policy configuration and a labeled filesystem.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM

	bool "NSA SELinux boot parameter"

	bool "SELinux boot parameter"

	depends on SECURITY_SELINUX

	default n

	help

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP

	bool "NSA SELinux Development Support"

	bool "SELinux Development Support"

	depends on SECURITY_SELINUX

	default y

	help

	  This enables the development support option of NSA SELinux,

	  This enables the development support option of SELinux,

	  which is useful for experimenting with SELinux and developing

	  policies.  If unsure, say Y.  With this option enabled, the

	  kernel will start in permissive mode (log everything, deny nothing)

	  /sys/fs/selinux/enforce.

config SECURITY_SELINUX_AVC_STATS

	bool "NSA SELinux AVC Statistics"

	bool "SELinux AVC Statistics"

	depends on SECURITY_SELINUX

	default y

	help

	  tools such as avcstat.

config SECURITY_SELINUX_SIDTAB_HASH_BITS

	int "NSA SELinux sidtab hashtable size"

	int "SELinux sidtab hashtable size"

	depends on SECURITY_SELINUX

	range 8 13

	default 9

	  will ensure that lookups times are short and stable.

config SECURITY_SELINUX_SID2STR_CACHE_SIZE

	int "NSA SELinux SID to context string translation cache size"

	int "SELinux SID to context string translation cache size"

	depends on SECURITY_SELINUX

	default 256

	help

	  conversion.  Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.

config SECURITY_SELINUX_DEBUG

	bool "SELinux kernel debugging support"

	depends on SECURITY_SELINUX

	default n

	help

	  This enables debugging code designed to help SELinux kernel

	  developers, unless you know what this does in the kernel code you

	  should leave this disabled.

/*

 * Implementation of the kernel access vector cache (AVC).

 *

 * Authors:  Stephen Smalley, <sds@tycho.nsa.gov>

 * Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>

 *	     James Morris <jmorris@redhat.com>

 *

 * Update:   KaiGai, Kohei <kaigai@ak.jp.nec.com>

static struct kmem_cache *avc_xperms_decision_cachep __ro_after_init;

static struct kmem_cache *avc_xperms_cachep __ro_after_init;

static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)

static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass)

{

	return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);

}

static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)

{

	struct avc_node *node, *ret = NULL;

	int hvalue;

	u32 hvalue;

	struct hlist_head *head;

	hvalue = avc_hash(ssid, tsid, tclass);

	return NULL;

}

static int avc_latest_notif_update(int seqno, int is_insert)

static int avc_latest_notif_update(u32 seqno, int is_insert)

{

	int ret = 0;

	static DEFINE_SPINLOCK(notif_lock);

		       struct av_decision *avd, struct avc_xperms_node *xp_node)

{

	struct avc_node *pos, *node = NULL;

	int hvalue;

	u32 hvalue;

	unsigned long flag;

	spinlock_t *lock;

	struct hlist_head *head;

{

	struct common_audit_data *ad = a;

	struct selinux_audit_data *sad = ad->selinux_audit_data;

	u32 av = sad->audited;

	u32 av = sad->audited, perm;

	const char *const *perms;

	int i, perm;

	u32 i;

	audit_log_format(ab, "avc:  %s ", sad->denied ? "denied" : "granted");

			   struct extended_perms_decision *xpd,

			   u32 flags)

{

	int hvalue, rc = 0;

	u32 hvalue;

	int rc = 0;

	unsigned long flag;

	struct avc_node *pos, *node, *orig = NULL;

	struct hlist_head *head;

// SPDX-License-Identifier: GPL-2.0-only

/*

 *  NSA Security-Enhanced Linux (SELinux) security module

 *  Security-Enhanced Linux (SELinux) security module

 *

 *  This file contains the SELinux hook function implementations.

 *

 *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>

 *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>

 *	      Chris Vance, <cvance@nai.com>

 *	      Wayne Salamon, <wsalamon@nai.com>

 *	      James Morris <jmorris@redhat.com>

	return tsec->sid;

}

static void __ad_net_init(struct common_audit_data *ad,

			  struct lsm_network_audit *net,

			  int ifindex, struct sock *sk, u16 family)

{

	ad->type = LSM_AUDIT_DATA_NET;

	ad->u.net = net;

	net->netif = ifindex;

	net->sk = sk;

	net->family = family;

}

static void ad_net_init_from_sk(struct common_audit_data *ad,

				struct lsm_network_audit *net,

				struct sock *sk)

{

	__ad_net_init(ad, net, 0, sk, 0);

}

static void ad_net_init_from_iif(struct common_audit_data *ad,

				 struct lsm_network_audit *net,

				 int ifindex, u16 family)

{

	__ad_net_init(ad, net, ifindex, NULL, family);

}

/*

 * get the objective security ID of a task

 */

static inline u16 socket_type_to_security_class(int family, int type, int protocol)

{

	int extsockclass = selinux_policycap_extsockclass();

	bool extsockclass = selinux_policycap_extsockclass();

	switch (family) {

	case PF_UNIX:

		struct inode_security_struct *context_isec =

			selinux_inode(context_inode);

		if (context_isec->initialized != LABEL_INITIALIZED) {

			pr_err("SELinux:  context_inode is not initialized");

			pr_err("SELinux:  context_inode is not initialized\n");

			return -EACCES;

		}

{

	struct sk_security_struct *sksec = sk->sk_security;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	if (sksec->sid == SECINITSID_KERNEL)

		return 0;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->sk = sk;

	ad_net_init_from_sk(&ad, &net, sk);

	return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,

			    &ad);

	struct sk_security_struct *sksec_other = other->sk_security;

	struct sk_security_struct *sksec_new = newsk->sk_security;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	int err;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->sk = other;

	ad_net_init_from_sk(&ad, &net, other);

	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,

			   sksec_other->sclass,

	struct sk_security_struct *ssec = sock->sk->sk_security;

	struct sk_security_struct *osec = other->sk->sk_security;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->sk = other->sk;

	ad_net_init_from_sk(&ad, &net, other->sk);

	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,

			    &ad);

	struct sk_security_struct *sksec = sk->sk_security;

	u32 sk_sid = sksec->sid;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	char *addrp;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->netif = skb->skb_iif;

	ad.u.net->family = family;

	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);

	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);

	if (err)

		return err;

static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)

{

	int err;

	int err, peerlbl_active, secmark_active;

	struct sk_security_struct *sksec = sk->sk_security;

	u16 family = sk->sk_family;

	u32 sk_sid = sksec->sid;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	char *addrp;

	u8 secmark_active;

	u8 peerlbl_active;

	if (family != PF_INET && family != PF_INET6)

		return 0;

	if (!secmark_active && !peerlbl_active)

		return 0;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->netif = skb->skb_iif;

	ad.u.net->family = family;

	ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);

	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);

	if (err)

		return err;

	u16 family = sk->sk_family;

	struct sk_security_struct *sksec = sk->sk_security;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	int err;

	/* handle mapped IPv4 packets arriving via IPv6 sockets */

		/* Other association peer SIDs are checked to enforce

		 * consistency among the peer SIDs.

		 */

		ad.type = LSM_AUDIT_DATA_NET;

		ad.u.net = &net;

		ad.u.net->sk = asoc->base.sk;

		ad_net_init_from_sk(&ad, &net, asoc->base.sk);

		err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,

				   sksec->sclass, SCTP_SOCKET__ASSOCIATION,

				   &ad);

static int selinux_secmark_relabel_packet(u32 sid)

{

	const struct task_security_struct *__tsec;

	const struct task_security_struct *tsec;

	u32 tsid;

	__tsec = selinux_cred(current_cred());

	tsid = __tsec->sid;

	tsec = selinux_cred(current_cred());

	tsid = tsec->sid;

	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,

			    NULL);

	char *addrp;

	u32 peer_sid;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	int secmark_active, peerlbl_active;

	if (!selinux_policycap_netpeer())

		return NF_DROP;

	ifindex = state->in->ifindex;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->netif = ifindex;

	ad.u.net->family = family;

	ad_net_init_from_iif(&ad, &net, ifindex, family);

	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)

		return NF_DROP;

	struct sock *sk;

	struct sk_security_struct *sksec;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	u8 proto = 0;

	sk = skb_to_full_sk(skb);

		return NF_ACCEPT;

	sksec = sk->sk_security;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->netif = state->out->ifindex;

	ad.u.net->family = state->pf;

	ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);

	if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))

		return NF_DROP;

	int ifindex;

	struct sock *sk;

	struct common_audit_data ad;

	struct lsm_network_audit net = {0,};

	struct lsm_network_audit net;

	char *addrp;

	int secmark_active, peerlbl_active;

	}

	ifindex = state->out->ifindex;

	ad.type = LSM_AUDIT_DATA_NET;

	ad.u.net = &net;

	ad.u.net->netif = ifindex;

	ad.u.net->family = family;

	ad_net_init_from_iif(&ad, &net, ifindex, family);

	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))

		return NF_DROP;

static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)

{

	int err;

	int perms;

	u32 perms;

	switch (cmd) {

	case IPC_INFO:

		return 0;

	}

	err = ipc_has_perm(msq, perms);

	return err;

	return ipc_has_perm(msq, perms);

}

static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)

/* Note, at this point, shp is locked down */

static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)

{

	int perms;

	int err;

	u32 perms;

	switch (cmd) {

	case IPC_INFO:

		return 0;

	}

	err = ipc_has_perm(shp, perms);

	return err;

	return ipc_has_perm(shp, perms);

}

static int selinux_shm_shmat(struct kern_ipc_perm *shp,

 */

static int selinux_uring_sqpoll(void)

{

	int sid = current_sid();

	u32 sid = current_sid();

	return avc_has_perm(sid, sid,

			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);

 *    hooks ("allocating" hooks).

 *

 * Please follow block comment delimiters in the list to keep this order.

 *

 * This ordering is needed for SELinux runtime disable to work at least somewhat

 * safely. Breaking the ordering rules above might lead to NULL pointer derefs

 * when disabling SELinux at runtime.

 */

static struct security_hook_list selinux_hooks[] __ro_after_init = {

	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),

	cred_init_security();

	default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);

	if (!default_noexec)

		pr_notice("SELinux:  virtual memory is executable by default\n");

	avc_init();

/*

 * Access vector cache interface for object managers.

 *

 * Author : Stephen Smalley, <sds@tycho.nsa.gov>

 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>

 */

#ifndef _SELINUX_AVC_H_

#define _SELINUX_AVC_H_

/*

 * Access vector cache interface for the security server.

 *

 * Author : Stephen Smalley, <sds@tycho.nsa.gov>

 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>

 */

#ifndef _SELINUX_AVC_SS_H_

#define _SELINUX_AVC_SS_H_