Merge tag 'selinux-pr-20251201' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

#include <linux/file.h>

#define MEMFD_ANON_NAME "[memfd]"

#ifdef CONFIG_MEMFD_CREATE

extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);

struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);

{

	unsigned int *file_seals;

	struct file *file;

	struct inode *inode;

	int err = 0;

	if (flags & MFD_HUGETLB) {

		file = hugetlb_file_setup(name, 0, VM_NORESERVE,

	}

	if (IS_ERR(file))

		return file;

	inode = file_inode(file);

	err = security_inode_init_security_anon(inode,

			&QSTR(MEMFD_ANON_NAME), NULL);

	if (err) {

		fput(file);

		file = ERR_PTR(err);

		return file;

	}

	file->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE;

	file->f_flags |= O_LARGEFILE;

	if (flags & MFD_NOEXEC_SEAL) {

		struct inode *inode = file_inode(file);

		inode->i_mode &= ~0111;

		file_seals = memfd_file_seals_ptr(file);

		if (file_seals) {

	  If unsure, keep the default value.

config SECURITY_SELINUX_AVC_HASH_BITS

	int "SELinux avc hashtable size"

	depends on SECURITY_SELINUX

	range 9 14

	default 9

	help

	  This option sets the number of buckets used in the AVC hash table

	  to 2^SECURITY_SELINUX_AVC_HASH_BITS. A higher value helps maintain

	  shorter chain lengths especially when expanding AVC nodes via

	  /sys/fs/selinux/avc/cache_threshold.

config SECURITY_SELINUX_DEBUG

	bool "SELinux kernel debugging support"

	depends on SECURITY_SELINUX

#include "avc.h"

#include "avc_ss.h"

#include "classmap.h"

#include "hash.h"

#define CREATE_TRACE_POINTS

#include <trace/events/avc.h>

#define AVC_CACHE_SLOTS			512

#define AVC_DEF_CACHE_THRESHOLD		512

#define AVC_CACHE_SLOTS		(1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)

#define AVC_DEF_CACHE_THRESHOLD	AVC_CACHE_SLOTS

#define AVC_CACHE_RECLAIM	16

#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS

static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass)

{

	return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);

	return av_hash(ssid, tsid, (u32)tclass, (u32)(AVC_CACHE_SLOTS - 1));

}

/**

#include <linux/fanotify.h>

#include <linux/io_uring/cmd.h>

#include <uapi/linux/lsm.h>

#include <linux/memfd.h>

#include "initcalls.h"

#include "avc.h"

	new_crsec = selinux_cred(bprm->cred);

	isec = inode_security(inode);

	if (WARN_ON(isec->sclass != SECCLASS_FILE &&

		    isec->sclass != SECCLASS_MEMFD_FILE))

		return -EACCES;

	/* Default to the current task SID. */

	new_crsec->sid = old_crsec->sid;

	new_crsec->osid = old_crsec->sid;

	ad.u.file = bprm->file;

	if (new_crsec->sid == old_crsec->sid) {

		rc = avc_has_perm(old_crsec->sid, isec->sid,

				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);

		rc = avc_has_perm(old_crsec->sid, isec->sid, isec->sclass,

				  FILE__EXECUTE_NO_TRANS, &ad);

		if (rc)

			return rc;

	} else {

		if (rc)

			return rc;

		rc = avc_has_perm(new_crsec->sid, isec->sid,

				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);

		rc = avc_has_perm(new_crsec->sid, isec->sid, isec->sclass,

				  FILE__ENTRYPOINT, &ad);

		if (rc)

			return rc;

	struct common_audit_data ad;

	struct inode_security_struct *isec;

	int rc;

	bool is_memfd = false;

	if (unlikely(!selinux_initialized()))

		return 0;

	if (name != NULL && name->name != NULL &&

	    !strcmp(name->name, MEMFD_ANON_NAME)) {

		if (!selinux_policycap_memfd_class())

			return 0;

		is_memfd = true;

	}

	isec = selinux_inode(inode);

	/*

		isec->sclass = context_isec->sclass;

		isec->sid = context_isec->sid;

	} else {

		if (is_memfd)

			isec->sclass = SECCLASS_MEMFD_FILE;

		else

			isec->sclass = SECCLASS_ANON_INODE;

		rc = security_transition_sid(

			sid, sid,