Merge tag 'selinux-pr-20240513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

					    const struct qstr *name,

					    const struct inode *context_inode)

{

	const struct task_security_struct *tsec = selinux_cred(current_cred());

	u32 sid = current_sid();

	struct common_audit_data ad;

	struct inode_security_struct *isec;

	int rc;

	} else {

		isec->sclass = SECCLASS_ANON_INODE;

		rc = security_transition_sid(

			tsec->sid, tsec->sid,

			sid, sid,

			isec->sclass, name, &isec->sid);

		if (rc)

			return rc;

	ad.type = LSM_AUDIT_DATA_ANONINODE;

	ad.u.anonclass = name ? (const char *)name->name : "?";

	return avc_has_perm(tsec->sid,

	return avc_has_perm(sid,

			    isec->sid,

			    isec->sclass,

			    FILE__CREATE,

static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,

				     bool rcu)

{

	const struct cred *cred = current_cred();

	struct common_audit_data ad;

	struct inode_security_struct *isec;

	u32 sid;

	u32 sid = current_sid();

	ad.type = LSM_AUDIT_DATA_DENTRY;

	ad.u.dentry = dentry;

	sid = cred_sid(cred);

	isec = inode_security_rcu(inode, rcu);

	if (IS_ERR(isec))

		return PTR_ERR(isec);

static int selinux_inode_permission(struct inode *inode, int mask)

{

	const struct cred *cred = current_cred();

	u32 perms;

	bool from_access;

	bool no_block = mask & MAY_NOT_BLOCK;

	struct inode_security_struct *isec;

	u32 sid;

	u32 sid = current_sid();

	struct av_decision avd;

	int rc, rc2;

	u32 audited, denied;

	perms = file_mask_to_av(inode->i_mode, mask);

	sid = cred_sid(cred);

	isec = inode_security_rcu(inode, no_block);

	if (IS_ERR(isec))

		return PTR_ERR(isec);

static int selinux_secmark_relabel_packet(u32 sid)

{

	const struct task_security_struct *tsec;

	u32 tsid;

	tsec = selinux_cred(current_cred());

	tsid = tsec->sid;

	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,

	return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,

			    NULL);

}

static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,

			       char **value)

{

	const struct task_security_struct *__tsec;

	u32 sid;

	const struct task_security_struct *tsec;

	int error;

	unsigned len;

	u32 sid;

	u32 len;

	rcu_read_lock();

	__tsec = selinux_cred(__task_cred(p));

	if (current != p) {

		error = avc_has_perm(current_sid(), __tsec->sid,

	tsec = selinux_cred(__task_cred(p));

	if (p != current) {

		error = avc_has_perm(current_sid(), tsec->sid,

				     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);

		if (error)

			goto bad;

			goto err_unlock;

	}

	switch (attr) {

	case LSM_ATTR_CURRENT:

		sid = __tsec->sid;

		sid = tsec->sid;

		break;

	case LSM_ATTR_PREV:

		sid = __tsec->osid;

		sid = tsec->osid;

		break;

	case LSM_ATTR_EXEC:

		sid = __tsec->exec_sid;

		sid = tsec->exec_sid;

		break;

	case LSM_ATTR_FSCREATE:

		sid = __tsec->create_sid;

		sid = tsec->create_sid;

		break;

	case LSM_ATTR_KEYCREATE:

		sid = __tsec->keycreate_sid;

		sid = tsec->keycreate_sid;

		break;

	case LSM_ATTR_SOCKCREATE:

		sid = __tsec->sockcreate_sid;

		sid = tsec->sockcreate_sid;

		break;

	default:

		error = -EOPNOTSUPP;

		goto bad;

		goto err_unlock;

	}

	rcu_read_unlock();

	if (!sid)

	if (sid == SECSID_NULL) {

		*value = NULL;

		return 0;

	}

	error = security_sid_to_context(sid, value, &len);

	if (error)

		return error;

	return len;

bad:

err_unlock:

	rcu_read_unlock();

	return error;

}

			      size_t count, loff_t *ppos)

{

	struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;

	struct selinux_fs_info *fsi;

	struct selinux_load_state load_state;

	ssize_t length;

	void *data = NULL;

	/* no partial writes */

	if (*ppos)

		return -EINVAL;

	/* no empty policies */

	if (!count)

		return -EINVAL;

	mutex_lock(&selinux_state.policy_mutex);

	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,

	if (length)

		goto out;

	/* No partial writes. */

	length = -EINVAL;

	if (*ppos != 0)

		goto out;

	length = -ENOMEM;

	data = vmalloc(count);

	if (!data)

	if (!data) {

		length = -ENOMEM;

		goto out;

	}

	if (copy_from_user(data, buf, count) != 0) {

		length = -EFAULT;

	if (copy_from_user(data, buf, count) != 0)

		goto out;

	}

	length = security_load_policy(data, count, &load_state);

	if (length) {

		pr_warn_ratelimited("SELinux: failed to load policy\n");

		goto out;

	}

	fsi = file_inode(file)->i_sb->s_fs_info;

	length = sel_make_policy_nodes(fsi, load_state.policy);

	if (length) {

		pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");

	}

	selinux_policy_commit(&load_state);

	length = count;

	audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,

		"auid=%u ses=%u lsm=selinux res=1",

		from_kuid(&init_user_ns, audit_get_loginuid(current)),

		audit_get_sessionid(current));

out:

	mutex_unlock(&selinux_state.policy_mutex);

	vfree(data);

		return err;

	}

	/*

	 * Try to pre-allocate the status page, so the sequence number of the

	 * initial policy load can be stored.

	 */

	(void) selinux_kernel_status_page();

	return err;

}

		p->p_bools.nprim, sizeof(*p->bool_val_to_struct), GFP_KERNEL);

	if (!p->bool_val_to_struct)

		return -ENOMEM;

	avtab_hash_eval(&p->te_cond_avtab, "conditional_rules");

	return 0;

}

	}

}

static int cond_dup_av_list(struct cond_av_list *new, struct cond_av_list *orig,

static int cond_dup_av_list(struct cond_av_list *new,

			    const struct cond_av_list *orig,

			    struct avtab *avtab)

{

	u32 i;

}

static int duplicate_policydb_cond_list(struct policydb *newp,

					struct policydb *origp)

					const struct policydb *origp)

{

	int rc;

	u32 i;

	for (i = 0; i < origp->cond_list_len; i++) {

		struct cond_node *newn = &newp->cond_list[i];

		struct cond_node *orign = &origp->cond_list[i];

		const struct cond_node *orign = &origp->cond_list[i];

		newp->cond_list_len++;

	return 0;

}

static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig,

			   void *args)

static int cond_bools_copy(struct hashtab_node *new,

			   const struct hashtab_node *orig, void *args)

{

	struct cond_bool_datum *datum;

}

static int duplicate_policydb_bools(struct policydb *newdb,

				    struct policydb *orig)

				    const struct policydb *orig)

{

	struct cond_bool_datum **cond_bool_array;

	int rc;

	cond_policydb_destroy(p);

}

int cond_policydb_dup(struct policydb *new, struct policydb *orig)

int cond_policydb_dup(struct policydb *new, const struct policydb *orig)

{

	cond_policydb_init(new);

			 struct extended_perms_decision *xpermd);

void evaluate_cond_nodes(struct policydb *p);

void cond_policydb_destroy_dup(struct policydb *p);

int cond_policydb_dup(struct policydb *new, struct policydb *orig);

int cond_policydb_dup(struct policydb *new, const struct policydb *orig);

#endif /* _CONDITIONAL_H_ */

#include "ebitmap.h"

#include "policydb.h"

#define BITS_PER_U64 (sizeof(u64) * 8)

#define BITS_PER_U64 ((u32)(sizeof(u64) * 8))

static struct kmem_cache *ebitmap_node_cachep __ro_after_init;

		const struct ebitmap *e2)

{

	struct ebitmap_node *n;

	int bit, rc;

	u32 bit;

	int rc;

	ebitmap_init(dst);

	return 1;

}

int ebitmap_get_bit(const struct ebitmap *e, unsigned long bit)

int ebitmap_get_bit(const struct ebitmap *e, u32 bit)

{

	const struct ebitmap_node *n;

	return 0;

}

int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value)

int ebitmap_set_bit(struct ebitmap *e, u32 bit, int value)

{

	struct ebitmap_node *n, *prev, *new;

			if (value) {

				ebitmap_node_set_bit(n, bit);

			} else {

				unsigned int s;

				u32 s;

				ebitmap_node_clr_bit(n, bit);

int ebitmap_read(struct ebitmap *e, void *fp)

{

	struct ebitmap_node *n = NULL;

	u32 mapunit, count, startbit, index;

	u32 mapunit, count, startbit, index, i;

	__le32 ebitmap_start;

	u64 map;

	__le64 mapbits;

	__le32 buf[3];

	int rc, i;

	int rc;

	ebitmap_init(e);

	if (mapunit != BITS_PER_U64) {

		pr_err("SELinux: ebitmap: map size %u does not "

		       "match my size %zd (high bit was %d)\n",

		       "match my size %u (high bit was %u)\n",

		       mapunit, BITS_PER_U64, e->highbit);

		goto bad;

	}

		startbit = le32_to_cpu(ebitmap_start);

		if (startbit & (mapunit - 1)) {

			pr_err("SELinux: ebitmap start bit (%d) is "

			pr_err("SELinux: ebitmap start bit (%u) is "

			       "not a multiple of the map unit size (%u)\n",

			       startbit, mapunit);

			goto bad;

		}

		if (startbit > e->highbit - mapunit) {

			pr_err("SELinux: ebitmap start bit (%d) is "

			pr_err("SELinux: ebitmap start bit (%u) is "

			       "beyond the end of the bitmap (%u)\n",

			       startbit, (e->highbit - mapunit));

			goto bad;

				e->node = tmp;

			n = tmp;

		} else if (startbit <= n->startbit) {

			pr_err("SELinux: ebitmap: start bit %d"

			       " comes after start bit %d\n",

			pr_err("SELinux: ebitmap: start bit %u"

			       " comes after start bit %u\n",

			       startbit, n->startbit);

			goto bad;

		}

			goto bad;

		}

		map = le64_to_cpu(mapbits);

		if (!map) {

			pr_err("SELinux: ebitmap: empty map\n");

			goto bad;

		}

		index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE;

		while (map) {

			map = EBITMAP_SHIFT_UNIT_SIZE(map);

		}

	}

	if (n && n->startbit + EBITMAP_SIZE != e->highbit) {

		pr_err("SELinux: ebitmap: high bit %u is not equal to the expected value %zu\n",

		       e->highbit, n->startbit + EBITMAP_SIZE);

		goto bad;

	}

ok:

	rc = 0;

out:

int ebitmap_write(const struct ebitmap *e, void *fp)

{

	struct ebitmap_node *n;

	u32 count;

	u32 bit, count, last_bit, last_startbit;

	__le32 buf[3];

	u64 map;

	int bit, last_bit, last_startbit, rc;

	int rc;

	buf[0] = cpu_to_le32(BITS_PER_U64);

	count = 0;

	last_bit = 0;

	last_startbit = -1;

	last_startbit = U32_MAX;

	ebitmap_for_each_positive_bit(e, n, bit)

	{

		if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) {

		if (last_startbit == U32_MAX ||

		    rounddown(bit, BITS_PER_U64) > last_startbit) {

			count++;

			last_startbit = rounddown(bit, BITS_PER_U64);

		}

		return rc;

	map = 0;

	last_startbit = INT_MIN;

	last_startbit = U32_MAX;

	ebitmap_for_each_positive_bit(e, n, bit)

	{

		if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) {

		if (last_startbit == U32_MAX ||

		    rounddown(bit, BITS_PER_U64) > last_startbit) {

			__le64 buf64[1];

			/* this is the very first bit */