selinux: rename the cred_security_struct variables to "crsec"

 */

static void cred_init_security(void)

{

	struct cred_security_struct *tsec;

	struct cred_security_struct *crsec;

	/* NOTE: the lsm framework zeros out the buffer on allocation */

	tsec = selinux_cred(unrcu_pointer(current->real_cred));

	tsec->osid = tsec->sid = SECINITSID_KERNEL;

	crsec = selinux_cred(unrcu_pointer(current->real_cred));

	crsec->osid = crsec->sid = SECINITSID_KERNEL;

}

/*

 */

static inline u32 cred_sid(const struct cred *cred)

{

	const struct cred_security_struct *tsec;

	const struct cred_security_struct *crsec;

	tsec = selinux_cred(cred);

	return tsec->sid;

	crsec = selinux_cred(cred);

	return crsec->sid;

}

static void __ad_net_init(struct common_audit_data *ad,

			struct superblock_security_struct *sbsec,

			const struct cred *cred)

{

	const struct cred_security_struct *tsec = selinux_cred(cred);

	const struct cred_security_struct *crsec = selinux_cred(cred);

	int rc;

	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,

	rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,

			  FILESYSTEM__RELABELFROM, NULL);

	if (rc)

		return rc;

	rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,

	rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM,

			  FILESYSTEM__RELABELTO, NULL);

	return rc;

}

			struct superblock_security_struct *sbsec,

			const struct cred *cred)

{

	const struct cred_security_struct *tsec = selinux_cred(cred);

	const struct cred_security_struct *crsec = selinux_cred(cred);

	int rc;

	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,

	rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,

			  FILESYSTEM__RELABELFROM, NULL);

	if (rc)

		return rc;

 * Determine the label for an inode that might be unioned.

 */

static int

selinux_determine_inode_label(const struct cred_security_struct *tsec,

selinux_determine_inode_label(const struct cred_security_struct *crsec,

				 struct inode *dir,

				 const struct qstr *name, u16 tclass,

				 u32 *_new_isid)

	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {

		*_new_isid = sbsec->mntpoint_sid;

	} else if ((sbsec->flags & SBLABEL_MNT) &&

		   tsec->create_sid) {

		*_new_isid = tsec->create_sid;

		   crsec->create_sid) {

		*_new_isid = crsec->create_sid;

	} else {

		const struct inode_security_struct *dsec = inode_security(dir);

		return security_transition_sid(tsec->sid,

		return security_transition_sid(crsec->sid,

					       dsec->sid, tclass,

					       name, _new_isid);

	}

		      struct dentry *dentry,

		      u16 tclass)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	struct inode_security_struct *dsec;

	struct superblock_security_struct *sbsec;

	u32 sid, newsid;

	dsec = inode_security(dir);

	sbsec = selinux_superblock(dir->i_sb);

	sid = tsec->sid;

	sid = crsec->sid;

	ad.type = LSM_AUDIT_DATA_DENTRY;

	ad.u.dentry = dentry;

	if (rc)

		return rc;

	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,

	rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass,

					   &newsid);

	if (rc)

		return rc;

}

static int check_nnp_nosuid(const struct linux_binprm *bprm,

			    const struct cred_security_struct *old_tsec,

			    const struct cred_security_struct *new_tsec)

			    const struct cred_security_struct *old_crsec,

			    const struct cred_security_struct *new_crsec)

{

	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);

	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);

	if (!nnp && !nosuid)

		return 0; /* neither NNP nor nosuid */

	if (new_tsec->sid == old_tsec->sid)

	if (new_crsec->sid == old_crsec->sid)

		return 0; /* No change in credentials */

	/*

			av |= PROCESS2__NNP_TRANSITION;

		if (nosuid)

			av |= PROCESS2__NOSUID_TRANSITION;

		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,

		rc = avc_has_perm(old_crsec->sid, new_crsec->sid,

				  SECCLASS_PROCESS2, av, NULL);

		if (!rc)

			return 0;

	 * i.e. SIDs that are guaranteed to only be allowed a subset

	 * of the permissions of the current SID.

	 */

	rc = security_bounded_transition(old_tsec->sid,

					 new_tsec->sid);

	rc = security_bounded_transition(old_crsec->sid,

					 new_crsec->sid);

	if (!rc)

		return 0;

static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)

{

	const struct cred_security_struct *old_tsec;

	struct cred_security_struct *new_tsec;

	const struct cred_security_struct *old_crsec;

	struct cred_security_struct *new_crsec;

	struct inode_security_struct *isec;

	struct common_audit_data ad;

	struct inode *inode = file_inode(bprm->file);

	/* SELinux context only depends on initial program or script and not

	 * the script interpreter */

	old_tsec = selinux_cred(current_cred());

	new_tsec = selinux_cred(bprm->cred);

	old_crsec = selinux_cred(current_cred());

	new_crsec = selinux_cred(bprm->cred);

	isec = inode_security(inode);

	/* Default to the current task SID. */

	new_tsec->sid = old_tsec->sid;

	new_tsec->osid = old_tsec->sid;

	new_crsec->sid = old_crsec->sid;

	new_crsec->osid = old_crsec->sid;

	/* Reset fs, key, and sock SIDs on execve. */

	new_tsec->create_sid = 0;

	new_tsec->keycreate_sid = 0;

	new_tsec->sockcreate_sid = 0;

	new_crsec->create_sid = 0;

	new_crsec->keycreate_sid = 0;

	new_crsec->sockcreate_sid = 0;

	/*

	 * Before policy is loaded, label any task outside kernel space

	 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).

	 */

	if (!selinux_initialized()) {

		new_tsec->sid = SECINITSID_INIT;

		new_crsec->sid = SECINITSID_INIT;

		/* also clear the exec_sid just in case */

		new_tsec->exec_sid = 0;

		new_crsec->exec_sid = 0;

		return 0;

	}

	if (old_tsec->exec_sid) {

		new_tsec->sid = old_tsec->exec_sid;

	if (old_crsec->exec_sid) {

		new_crsec->sid = old_crsec->exec_sid;

		/* Reset exec SID on execve. */

		new_tsec->exec_sid = 0;

		new_crsec->exec_sid = 0;

		/* Fail on NNP or nosuid if not an allowed transition. */

		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);

		rc = check_nnp_nosuid(bprm, old_crsec, new_crsec);

		if (rc)

			return rc;

	} else {

		/* Check for a default transition on this program. */

		rc = security_transition_sid(old_tsec->sid,

		rc = security_transition_sid(old_crsec->sid,

					     isec->sid, SECCLASS_PROCESS, NULL,

					     &new_tsec->sid);

					     &new_crsec->sid);

		if (rc)

			return rc;

		 * Fallback to old SID on NNP or nosuid if not an allowed

		 * transition.

		 */

		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);

		rc = check_nnp_nosuid(bprm, old_crsec, new_crsec);

		if (rc)

			new_tsec->sid = old_tsec->sid;

			new_crsec->sid = old_crsec->sid;

	}

	ad.type = LSM_AUDIT_DATA_FILE;

	ad.u.file = bprm->file;

	if (new_tsec->sid == old_tsec->sid) {

		rc = avc_has_perm(old_tsec->sid, isec->sid,

	if (new_crsec->sid == old_crsec->sid) {

		rc = avc_has_perm(old_crsec->sid, isec->sid,

				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);

		if (rc)

			return rc;

	} else {

		/* Check permissions for the transition. */

		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,

		rc = avc_has_perm(old_crsec->sid, new_crsec->sid,

				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);

		if (rc)

			return rc;

		rc = avc_has_perm(new_tsec->sid, isec->sid,

		rc = avc_has_perm(new_crsec->sid, isec->sid,

				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);

		if (rc)

			return rc;

		/* Check for shared state */

		if (bprm->unsafe & LSM_UNSAFE_SHARE) {

			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,

			rc = avc_has_perm(old_crsec->sid, new_crsec->sid,

					  SECCLASS_PROCESS, PROCESS__SHARE,

					  NULL);

			if (rc)

		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {

			u32 ptsid = ptrace_parent_sid();

			if (ptsid != 0) {

				rc = avc_has_perm(ptsid, new_tsec->sid,

				rc = avc_has_perm(ptsid, new_crsec->sid,

						  SECCLASS_PROCESS,

						  PROCESS__PTRACE, NULL);

				if (rc)

		/* Enable secure mode for SIDs transitions unless

		   the noatsecure permission is granted between

		   the two SIDs, i.e. ahp returns 0. */

		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,

		rc = avc_has_perm(old_crsec->sid, new_crsec->sid,

				  SECCLASS_PROCESS, PROCESS__NOATSECURE,

				  NULL);

		bprm->secureexec |= !!rc;

 */

static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)

{

	struct cred_security_struct *new_tsec;

	struct cred_security_struct *new_crsec;

	struct rlimit *rlim, *initrlim;

	int rc, i;

	new_tsec = selinux_cred(bprm->cred);

	if (new_tsec->sid == new_tsec->osid)

	new_crsec = selinux_cred(bprm->cred);

	if (new_crsec->sid == new_crsec->osid)

		return;

	/* Close files for which the new task SID is not authorized. */

	 * higher than the default soft limit for cases where the default is

	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.

	 */

	rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,

	rc = avc_has_perm(new_crsec->osid, new_crsec->sid, SECCLASS_PROCESS,

			  PROCESS__RLIMITINH, NULL);

	if (rc) {

		/* protect against do_prlimit() */

 */

static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	u32 osid, sid;

	int rc;

	osid = tsec->osid;

	sid = tsec->sid;

	osid = crsec->osid;

	sid = crsec->sid;

	if (sid == osid)

		return;

{

	u32 newsid;

	int rc;

	struct cred_security_struct *tsec;

	struct cred_security_struct *crsec;

	rc = selinux_determine_inode_label(selinux_cred(old),

					   d_inode(dentry->d_parent), name,

	if (rc)

		return rc;

	tsec = selinux_cred(new);

	tsec->create_sid = newsid;

	crsec = selinux_cred(new);

	crsec->create_sid = newsid;

	return 0;

}

				       const struct qstr *qstr,

				       struct xattr *xattrs, int *xattr_count)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	struct superblock_security_struct *sbsec;

	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);

	u32 newsid, clen;

	sbsec = selinux_superblock(dir->i_sb);

	newsid = tsec->create_sid;

	newsid = crsec->create_sid;

	newsclass = inode_mode_to_security_class(inode->i_mode);

	rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);

	rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid);

	if (rc)

		return rc;

static int selinux_inode_copy_up(struct dentry *src, struct cred **new)

{

	struct lsm_prop prop;

	struct cred_security_struct *tsec;

	struct cred_security_struct *crsec;

	struct cred *new_creds = *new;

	if (new_creds == NULL) {

			return -ENOMEM;

	}

	tsec = selinux_cred(new_creds);

	crsec = selinux_cred(new_creds);

	/* Get label from overlay inode and set it in create_sid */

	selinux_inode_getlsmprop(d_inode(src), &prop);

	tsec->create_sid = prop.selinux.secid;

	crsec->create_sid = prop.selinux.secid;

	*new = new_creds;

	return 0;

}

static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,

					struct kernfs_node *kn)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	u32 parent_sid, newsid, clen;

	int rc;

	char *context;

	if (rc)

		return rc;

	if (tsec->create_sid) {

		newsid = tsec->create_sid;

	if (crsec->create_sid) {

		newsid = crsec->create_sid;

	} else {

		u16 secclass = inode_mode_to_security_class(kn->mode);

		const char *kn_name;

		q.name = kn_name;

		q.hash_len = hashlen_string(kn_dir, kn_name);

		rc = security_transition_sid(tsec->sid,

		rc = security_transition_sid(crsec->sid,

					     parent_sid, secclass, &q,

					     &newsid);

		if (rc)

static int selinux_cred_prepare(struct cred *new, const struct cred *old,

				gfp_t gfp)

{

	const struct cred_security_struct *old_tsec = selinux_cred(old);

	struct cred_security_struct *tsec = selinux_cred(new);

	const struct cred_security_struct *old_crsec = selinux_cred(old);

	struct cred_security_struct *crsec = selinux_cred(new);

	*tsec = *old_tsec;

	*crsec = *old_crsec;

	return 0;

}

 */

static void selinux_cred_transfer(struct cred *new, const struct cred *old)

{

	const struct cred_security_struct *old_tsec = selinux_cred(old);

	struct cred_security_struct *tsec = selinux_cred(new);

	const struct cred_security_struct *old_crsec = selinux_cred(old);

	struct cred_security_struct *crsec = selinux_cred(new);

	*tsec = *old_tsec;

	*crsec = *old_crsec;

}

static void selinux_cred_getsecid(const struct cred *c, u32 *secid)

 */

static int selinux_kernel_act_as(struct cred *new, u32 secid)

{

	struct cred_security_struct *tsec = selinux_cred(new);

	struct cred_security_struct *crsec = selinux_cred(new);

	u32 sid = current_sid();

	int ret;

			   KERNEL_SERVICE__USE_AS_OVERRIDE,

			   NULL);

	if (ret == 0) {

		tsec->sid = secid;

		tsec->create_sid = 0;

		tsec->keycreate_sid = 0;

		tsec->sockcreate_sid = 0;

		crsec->sid = secid;

		crsec->create_sid = 0;

		crsec->keycreate_sid = 0;

		crsec->sockcreate_sid = 0;

	}

	return ret;

}

static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)

{

	struct inode_security_struct *isec = inode_security(inode);

	struct cred_security_struct *tsec = selinux_cred(new);

	struct cred_security_struct *crsec = selinux_cred(new);

	u32 sid = current_sid();

	int ret;

			   NULL);

	if (ret == 0)

		tsec->create_sid = isec->sid;

		crsec->create_sid = isec->sid;

	return ret;

}

/* socket security operations */

static int socket_sockcreate_sid(const struct cred_security_struct *tsec,

static int socket_sockcreate_sid(const struct cred_security_struct *crsec,

				 u16 secclass, u32 *socksid)

{

	if (tsec->sockcreate_sid > SECSID_NULL) {

		*socksid = tsec->sockcreate_sid;

	if (crsec->sockcreate_sid > SECSID_NULL) {

		*socksid = crsec->sockcreate_sid;

		return 0;

	}

	return security_transition_sid(tsec->sid, tsec->sid,

	return security_transition_sid(crsec->sid, crsec->sid,

				       secclass, NULL, socksid);

}

static int selinux_socket_create(int family, int type,

				 int protocol, int kern)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	u32 newsid;

	u16 secclass;

	int rc;

		return 0;

	secclass = socket_type_to_security_class(family, type, protocol);

	rc = socket_sockcreate_sid(tsec, secclass, &newsid);

	rc = socket_sockcreate_sid(crsec, secclass, &newsid);

	if (rc)

		return rc;

	return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);

	return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL);

}

static int selinux_socket_post_create(struct socket *sock, int family,

				      int type, int protocol, int kern)

{

	const struct cred_security_struct *tsec = selinux_cred(current_cred());

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));

	struct sk_security_struct *sksec;

	u16 sclass = socket_type_to_security_class(family, type, protocol);

	int err = 0;

	if (!kern) {

		err = socket_sockcreate_sid(tsec, sclass, &sid);

		err = socket_sockcreate_sid(crsec, sclass, &sid);

		if (err)

			return err;

	}

static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,

			       char **value)

{

	const struct cred_security_struct *tsec;

	const struct cred_security_struct *crsec;

	int error;

	u32 sid;

	u32 len;

	rcu_read_lock();

	tsec = selinux_cred(__task_cred(p));

	crsec = selinux_cred(__task_cred(p));

	if (p != current) {

		error = avc_has_perm(current_sid(), tsec->sid,

		error = avc_has_perm(current_sid(), crsec->sid,

				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);

		if (error)

			goto err_unlock;

	}

	switch (attr) {

	case LSM_ATTR_CURRENT:

		sid = tsec->sid;

		sid = crsec->sid;

		break;

	case LSM_ATTR_PREV:

		sid = tsec->osid;

		sid = crsec->osid;

		break;

	case LSM_ATTR_EXEC:

		sid = tsec->exec_sid;

		sid = crsec->exec_sid;

		break;

	case LSM_ATTR_FSCREATE:

		sid = tsec->create_sid;

		sid = crsec->create_sid;

		break;

	case LSM_ATTR_KEYCREATE:

		sid = tsec->keycreate_sid;

		sid = crsec->keycreate_sid;

		break;

	case LSM_ATTR_SOCKCREATE:

		sid = tsec->sockcreate_sid;

		sid = crsec->sockcreate_sid;

		break;

	default:

		error = -EOPNOTSUPP;