Merge tag 'selinux-pr-20210409' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

	struct avtab_node *prev, *cur, *newnode;

	u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);

	if (!h)

	if (!h || !h->nslot)

		return -EINVAL;

	hvalue = avtab_hash(key, h->mask);

	struct avtab_node *prev, *cur;

	u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);

	if (!h)

	if (!h || !h->nslot)

		return NULL;

	hvalue = avtab_hash(key, h->mask);

	for (prev = NULL, cur = h->htable[hvalue];

	struct avtab_node *cur;

	u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);

	if (!h)

	if (!h || !h->nslot)

		return NULL;

	hvalue = avtab_hash(key, h->mask);

	struct avtab_node *cur;

	u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);

	if (!h)

	if (!h || !h->nslot)

		return NULL;

	hvalue = avtab_hash(key, h->mask);

	}

	kvfree(h->htable);

	h->htable = NULL;

	h->nel = 0;

	h->nslot = 0;

	h->mask = 0;

}

{

	h->htable = NULL;

	h->nel = 0;

	h->nslot = 0;

	h->mask = 0;

}

int avtab_alloc(struct avtab *h, u32 nrules)

static int avtab_alloc_common(struct avtab *h, u32 nslot)

{

	u32 mask = 0;

	u32 shift = 0;

	u32 work = nrules;

	u32 nslot = 0;

	if (nrules == 0)

		goto avtab_alloc_out;

	while (work) {

		work  = work >> 1;

		shift++;

	}

	if (shift > 2)

		shift = shift - 2;

	nslot = 1 << shift;

	if (nslot > MAX_AVTAB_HASH_BUCKETS)

		nslot = MAX_AVTAB_HASH_BUCKETS;

	mask = nslot - 1;

	if (!nslot)

		return 0;

	h->htable = kvcalloc(nslot, sizeof(void *), GFP_KERNEL);

	if (!h->htable)

		return -ENOMEM;

 avtab_alloc_out:

	h->nel = 0;

	h->nslot = nslot;

	h->mask = mask;

	pr_debug("SELinux: %d avtab hash slots, %d rules.\n",

	       h->nslot, nrules);

	h->mask = nslot - 1;

	return 0;

}

int avtab_duplicate(struct avtab *new, struct avtab *orig)

int avtab_alloc(struct avtab *h, u32 nrules)

{

	int i;

	struct avtab_node *node, *tmp, *tail;

	memset(new, 0, sizeof(*new));

	int rc;

	u32 nslot = 0;

	new->htable = kvcalloc(orig->nslot, sizeof(void *), GFP_KERNEL);

	if (!new->htable)

		return -ENOMEM;

	new->nslot = orig->nslot;

	new->mask = orig->mask;

	for (i = 0; i < orig->nslot; i++) {

		tail = NULL;

		for (node = orig->htable[i]; node; node = node->next) {

			tmp = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);

			if (!tmp)

				goto error;

			tmp->key = node->key;

			if (tmp->key.specified & AVTAB_XPERMS) {

				tmp->datum.u.xperms =

					kmem_cache_zalloc(avtab_xperms_cachep,

							GFP_KERNEL);

				if (!tmp->datum.u.xperms) {

					kmem_cache_free(avtab_node_cachep, tmp);

					goto error;

				}

				tmp->datum.u.xperms = node->datum.u.xperms;

			} else

				tmp->datum.u.data = node->datum.u.data;

			if (tail)

				tail->next = tmp;

			else

				new->htable[i] = tmp;

			tail = tmp;

			new->nel++;

	if (nrules != 0) {

		u32 shift = 1;

		u32 work = nrules >> 3;

		while (work) {

			work >>= 1;

			shift++;

		}

		nslot = 1 << shift;

		if (nslot > MAX_AVTAB_HASH_BUCKETS)

			nslot = MAX_AVTAB_HASH_BUCKETS;

		rc = avtab_alloc_common(h, nslot);

		if (rc)

			return rc;

	}

	pr_debug("SELinux: %d avtab hash slots, %d rules.\n", nslot, nrules);

	return 0;

error:

	avtab_destroy(new);

	return -ENOMEM;

}

int avtab_alloc_dup(struct avtab *new, const struct avtab *orig)

{

	return avtab_alloc_common(new, orig->nslot);

}

void avtab_hash_eval(struct avtab *h, char *tag)

void avtab_init(struct avtab *h);

int avtab_alloc(struct avtab *, u32);

int avtab_duplicate(struct avtab *new, struct avtab *orig);

int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);

struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);

void avtab_destroy(struct avtab *h);

void avtab_hash_eval(struct avtab *h, char *tag);

			struct cond_av_list *orig,

			struct avtab *avtab)

{

	struct avtab_node *avnode;

	u32 i;

	memset(new, 0, sizeof(*new));

		return -ENOMEM;

	for (i = 0; i < orig->len; i++) {

		avnode = avtab_search_node(avtab, &orig->nodes[i]->key);

		if (WARN_ON(!avnode))

			return -EINVAL;

		new->nodes[i] = avnode;

		new->nodes[i] = avtab_insert_nonunique(avtab,

						       &orig->nodes[i]->key,

						       &orig->nodes[i]->datum);

		if (!new->nodes[i])

			return -ENOMEM;

		new->len++;

	}

{

	int rc, i, j;

	rc = avtab_duplicate(&newp->te_cond_avtab, &origp->te_cond_avtab);

	rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);

	if (rc)

		return rc;

		if (!str)

			goto out;

	}

retry:

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

	} else if (rc)

		goto out_unlock;

	rc = sidtab_context_to_sid(sidtab, &context, sid);

	if (rc == -ESTALE) {

		rcu_read_unlock();

		if (context.str) {

			str = context.str;

			context.str = NULL;

		}

		context_destroy(&context);

		goto retry;

	}

	context_destroy(&context);

out_unlock:

	rcu_read_unlock();

	struct selinux_policy *policy;

	struct policydb *policydb;

	struct sidtab *sidtab;

	struct class_datum *cladatum = NULL;

	struct class_datum *cladatum;

	struct context *scontext, *tcontext, newcontext;

	struct sidtab_entry *sentry, *tentry;

	struct avtab_key avkey;

		goto out;

	}

retry:

	cladatum = NULL;

	context_init(&newcontext);

	rcu_read_lock();

	}

	/* Obtain the sid for the context. */

	rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);

	if (rc == -ESTALE) {

		rcu_read_unlock();

		context_destroy(&newcontext);

		goto retry;

	}

out_unlock:

	rcu_read_unlock();

	context_destroy(&newcontext);

			   struct selinux_load_state *load_state)

{

	struct selinux_policy *oldpolicy, *newpolicy = load_state->policy;

	unsigned long flags;

	u32 seqno;

	oldpolicy = rcu_dereference_protected(state->policy,

	seqno = newpolicy->latest_granting;

	/* Install the new policy. */

	if (oldpolicy) {

		sidtab_freeze_begin(oldpolicy->sidtab, &flags);

		rcu_assign_pointer(state->policy, newpolicy);

		sidtab_freeze_end(oldpolicy->sidtab, &flags);

	} else {

		rcu_assign_pointer(state->policy, newpolicy);

	}

	/* Load the policycaps from the new policy */

	security_load_policycaps(state, newpolicy);

	struct policydb *policydb;

	struct sidtab *sidtab;

	struct ocontext *c;

	int rc = 0;

	int rc;

	if (!selinux_initialized(state)) {

		*out_sid = SECINITSID_PORT;

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

		if (!c->sid[0]) {

			rc = sidtab_context_to_sid(sidtab, &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

	struct policydb *policydb;

	struct sidtab *sidtab;

	struct ocontext *c;

	int rc = 0;

	int rc;

	if (!selinux_initialized(state)) {

		*out_sid = SECINITSID_UNLABELED;

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

			rc = sidtab_context_to_sid(sidtab,

						   &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

	struct policydb *policydb;

	struct sidtab *sidtab;

	struct ocontext *c;

	int rc = 0;

	int rc;

	if (!selinux_initialized(state)) {

		*out_sid = SECINITSID_UNLABELED;

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

		if (!c->sid[0]) {

			rc = sidtab_context_to_sid(sidtab, &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

	struct selinux_policy *policy;

	struct policydb *policydb;

	struct sidtab *sidtab;

	int rc = 0;

	int rc;

	struct ocontext *c;

	if (!selinux_initialized(state)) {

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

		if (!c->sid[0] || !c->sid[1]) {

			rc = sidtab_context_to_sid(sidtab, &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

			rc = sidtab_context_to_sid(sidtab, &c->context[1],

						   &c->sid[1]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

		return 0;

	}

retry:

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

			rc = sidtab_context_to_sid(sidtab,

						   &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

	struct sidtab *sidtab;

	struct context *fromcon, usercon;

	u32 *mysids = NULL, *mysids2, sid;

	u32 mynel = 0, maxnel = SIDS_NEL;

	u32 i, j, mynel, maxnel = SIDS_NEL;

	struct user_datum *user;

	struct role_datum *role;

	struct ebitmap_node *rnode, *tnode;

	int rc = 0, i, j;

	int rc;

	*sids = NULL;

	*nel = 0;

	if (!selinux_initialized(state))

		goto out;

		return 0;

	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);

	if (!mysids)

		return -ENOMEM;

retry:

	mynel = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

	usercon.user = user->value;

	rc = -ENOMEM;

	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);

	if (!mysids)

		goto out_unlock;

	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {

		role = policydb->role_val_to_struct[i];

		usercon.role = i + 1;

				continue;

			rc = sidtab_context_to_sid(sidtab, &usercon, &sid);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out_unlock;

			if (mynel < maxnel) {

	rcu_read_unlock();

	if (rc || !mynel) {

		kfree(mysids);

		goto out;

		return rc;

	}

	rc = -ENOMEM;

	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);

	if (!mysids2) {

		kfree(mysids);

		goto out;

		return rc;

	}

	for (i = 0, j = 0; i < mynel; i++) {

		struct av_decision dummy_avd;

			mysids2[j++] = mysids[i];

		cond_resched();

	}

	rc = 0;

	kfree(mysids);

	*sids = mysids2;

	*nel = j;

out:

	return rc;

	return 0;

}

/**

 * Obtain a SID to use for a file in a filesystem that

 * cannot support xattr or use a fixed labeling behavior like

 * transition SIDs or task SIDs.

 *

 * WARNING: This function may return -ESTALE, indicating that the caller

 * must retry the operation after re-acquiring the policy pointer!

 */

static inline int __security_genfs_sid(struct selinux_policy *policy,

				       const char *fstype,

		return 0;

	}

	do {

		rcu_read_lock();

		policy = rcu_dereference(state->policy);

	retval = __security_genfs_sid(policy,

				fstype, path, orig_sclass, sid);

		retval = __security_genfs_sid(policy, fstype, path,

					      orig_sclass, sid);

		rcu_read_unlock();

	} while (retval == -ESTALE);

	return retval;

}

	struct selinux_policy *policy;

	struct policydb *policydb;

	struct sidtab *sidtab;

	int rc = 0;

	int rc;

	struct ocontext *c;

	struct superblock_security_struct *sbsec = sb->s_security;

	const char *fstype = sb->s_type->name;

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

		if (!c->sid[0]) {

			rc = sidtab_context_to_sid(sidtab, &c->context[0],

						   &c->sid[0]);

			if (rc == -ESTALE) {

				rcu_read_unlock();

				goto retry;

			}

			if (rc)

				goto out;

		}

	} else {

		rc = __security_genfs_sid(policy, fstype, "/",

					SECCLASS_DIR, &sbsec->sid);

		if (rc == -ESTALE) {

			rcu_read_unlock();

			goto retry;

		}

		if (rc) {

			sbsec->behavior = SECURITY_FS_USE_NONE;

			rc = 0;

	u32 len;

	int rc;

	rc = 0;

	if (!selinux_initialized(state)) {

		*new_sid = sid;

		goto out;

		return 0;

	}

retry:

	rc = 0;

	context_init(&newcon);

	rcu_read_lock();

		}

	}

	rc = sidtab_context_to_sid(sidtab, &newcon, new_sid);

	if (rc == -ESTALE) {

		rcu_read_unlock();

		context_destroy(&newcon);

		goto retry;

	}

out_unlock:

	rcu_read_unlock();

	context_destroy(&newcon);

out:

	return rc;

}

		return 0;

	}

retry:

	rc = 0;

	rcu_read_lock();

	policy = rcu_dereference(state->policy);

	policydb = &policy->policydb;

				goto out;

		}

		rc = -EIDRM;