Merge tag 'selinux-pr-20260501' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

{

	const struct cred_security_struct *crsec = selinux_cred(current_cred());

	struct superblock_security_struct *sbsec;

	struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);

	struct xattr *xattr;

	u32 newsid, clen;

	u16 newsclass;

	int rc;

	    !(sbsec->flags & SBLABEL_MNT))

		return -EOPNOTSUPP;

	xattr = lsm_get_xattr_slot(xattrs, xattr_count);

	if (xattr) {

		rc = security_sid_to_context_force(newsid,

						   &context, &clen);

 * @tsec: the task's security state

 * @isec: the inode associated with the cache entry

 * @avd: the AVD to cache

 * @audited: the permission audit bitmask to cache

 *

 * Update the AVD cache in @tsec with the @avdc and @audited info associated

 * Update the AVD cache in @tsec with the @avd info associated

 * with @isec.

 */

static inline void task_avdcache_update(struct task_security_struct *tsec,

					struct inode_security_struct *isec,

					struct av_decision *avd,

					u32 audited)

					struct av_decision *avd)

{

	int spot;

	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);

	tsec->avdcache.dir_spot = spot;

	tsec->avdcache.dir[spot].isid = isec->sid;

	tsec->avdcache.dir[spot].audited = audited;

	tsec->avdcache.dir[spot].allowed = avd->allowed;

	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;

	tsec->avdcache.dir[spot].avd = *avd;

	tsec->avdcache.permissive_neveraudit =

		(avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT));

}

	struct task_security_struct *tsec;

	struct inode_security_struct *isec;

	struct avdc_entry *avdc;

	struct av_decision avd, *avdp = &avd;

	int rc, rc2;

	u32 audited, denied;

	rc = task_avdcache_search(tsec, isec, &avdc);

	if (likely(!rc)) {

		/* Cache hit. */

		audited = perms & avdc->audited;

		denied = perms & ~avdc->allowed;

		if (unlikely(denied && enforcing_enabled() &&

			     !avdc->permissive))

		avdp = &avdc->avd;

		denied = perms & ~avdp->allowed;

		if (unlikely(denied) && enforcing_enabled() &&

			!(avdp->flags & AVD_FLAGS_PERMISSIVE))

			rc = -EACCES;

	} else {

		struct av_decision avd;

		/* Cache miss. */

		rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,

					  perms, 0, &avd);

		audited = avc_audit_required(perms, &avd, rc,

			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,

			&denied);

		task_avdcache_update(tsec, isec, &avd, audited);

					  perms, 0, avdp);

		task_avdcache_update(tsec, isec, avdp);

	}

	audited = avc_audit_required(perms, avdp, rc,

				     (requested & MAY_ACCESS) ?

				     FILE__AUDIT_ACCESS : 0, &denied);

	if (likely(!audited))

		return rc;

static int sock_has_perm(struct sock *sk, u32 perms)

{

	struct sk_security_struct *sksec = sk->sk_security;

	struct sk_security_struct *sksec = selinux_sock(sk);

	struct common_audit_data ad;

	struct lsm_network_audit net;

static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)

{

	struct sk_security_struct *sksec = sk->sk_security;

	struct sk_security_struct *sksec = selinux_sock(sk);

	struct common_audit_data ad;

	u8 driver;

	u8 xperm;

struct avdc_entry {

	u32 isid; /* inode SID */

	u32 allowed; /* allowed permission bitmask */

	u32 audited; /* audited permission bitmask */

	bool permissive; /* AVC permissive flag */

	struct av_decision avd; /* av decision */

};

struct cred_security_struct {