14 files changed, 355 insertions, 451 deletions
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index d5495134a5b9..52aca71210b4 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -57,4 +57,3 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule);
 int selinux_audit_rule_known(struct audit_krule *rule);
 
 #endif /* _SELINUX_AUDIT_H */
-
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 8f0aa66ccb13..96a614d47df8 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -4,6 +4,7 @@
  *
  * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
  */
+
 #ifndef _SELINUX_AVC_H_
 #define _SELINUX_AVC_H_
 
@@ -60,11 +61,8 @@ struct selinux_audit_data {
 
 void __init avc_init(void);
 
-static inline u32 avc_audit_required(u32 requested,
-			      struct av_decision *avd,
-			      int result,
-			      u32 auditdeny,
-			      u32 *deniedp)
+static inline u32 avc_audit_required(u32 requested, struct av_decision *avd,
+				     int result, u32 auditdeny, u32 *deniedp)
 {
 	u32 denied, audited;
 	denied = requested & ~avd->allowed;
@@ -96,9 +94,8 @@ static inline u32 avc_audit_required(u32 requested,
 	return audited;
 }
 
-int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-		   u32 requested, u32 audited, u32 denied, int result,
-		   struct common_audit_data *a);
+int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, u32 audited,
+		   u32 denied, int result, struct common_audit_data *a);
 
 /**
  * avc_audit - Audit the granting or denial of permissions.
@@ -119,36 +116,29 @@ int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
  * be performed under a lock, to allow the lock to be released
  * before calling the auditing code.
  */
-static inline int avc_audit(u32 ssid, u32 tsid,
-			    u16 tclass, u32 requested,
-			    struct av_decision *avd,
-			    int result,
+static inline int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
+			    struct av_decision *avd, int result,
 			    struct common_audit_data *a)
 {
 	u32 audited, denied;
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
 	if (likely(!audited))
 		return 0;
-	return slow_avc_audit(ssid, tsid, tclass,
-			      requested, audited, denied, result,
-			      a);
+	return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied,
+			      result, a);
 }
 
-#define AVC_STRICT 1 /* Ignore permissive mode. */
-#define AVC_EXTENDED_PERMS 2	/* update extended permissions */
-int avc_has_perm_noaudit(u32 ssid, u32 tsid,
-			 u16 tclass, u32 requested,
-			 unsigned flags,
-			 struct av_decision *avd);
+#define AVC_STRICT	   1 /* Ignore permissive mode. */
+#define AVC_EXTENDED_PERMS 2 /* update extended permissions */
+int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
+			 unsigned int flags, struct av_decision *avd);
 
-int avc_has_perm(u32 ssid, u32 tsid,
-		 u16 tclass, u32 requested,
+int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested,
 		 struct common_audit_data *auditdata);
 
 int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
 			   u8 driver, u8 perm, struct common_audit_data *ad);
 
-
 u32 avc_policy_seqno(void);
 
 #define AVC_CALLBACK_GRANT		1
@@ -156,7 +146,7 @@ u32 avc_policy_seqno(void);
 #define AVC_CALLBACK_REVOKE		4
 #define AVC_CALLBACK_RESET		8
 #define AVC_CALLBACK_AUDITALLOW_ENABLE	16
-#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
+#define AVC_CALLBACK_AUDITALLOW_DISABLE 32
 #define AVC_CALLBACK_AUDITDENY_ENABLE	64
 #define AVC_CALLBACK_AUDITDENY_DISABLE	128
 #define AVC_CALLBACK_ADD_XPERMS		256
@@ -173,4 +163,3 @@ DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
 #endif
 
 #endif /* _SELINUX_AVC_H_ */
-
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index 88b139e086c4..48ad64d54032 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -4,6 +4,7 @@
  *
  * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
  */
+
 #ifndef _SELINUX_AVC_SS_H_
 #define _SELINUX_AVC_SS_H_
 
@@ -20,4 +21,3 @@ struct security_class_mapping {
 extern const struct security_class_mapping secclass_map[];
 
 #endif /* _SELINUX_AVC_SS_H_ */
-
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index a3c380775d41..7229c9bf6c27 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -1,34 +1,40 @@
 /* SPDX-License-Identifier: GPL-2.0 */
+
 #include <linux/capability.h>
 #include <linux/socket.h>
 
-#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
-    "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
+#define COMMON_FILE_SOCK_PERMS                                            \
+	"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
+		"relabelfrom", "relabelto", "append", "map"
 
-#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
-    "rename", "execute", "quotaon", "mounton", "audit_access", \
-	"open", "execmod", "watch", "watch_mount", "watch_sb", \
-	"watch_with_perm", "watch_reads"
+#define COMMON_FILE_PERMS                                                \
+	COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute",   \
+		"quotaon", "mounton", "audit_access", "open", "execmod", \
+		"watch", "watch_mount", "watch_sb", "watch_with_perm",   \
+		"watch_reads"
 
-#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
-    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
-    "sendto", "name_bind"
+#define COMMON_SOCK_PERMS                                              \
+	COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
+		"getopt", "setopt", "shutdown", "recvfrom", "sendto",  \
+		"name_bind"
 
-#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
-	    "write", "associate", "unix_read", "unix_write"
+#define COMMON_IPC_PERMS                                            \
+	"create", "destroy", "getattr", "setattr", "read", "write", \
+		"associate", "unix_read", "unix_write"
 
-#define COMMON_CAP_PERMS  "chown", "dac_override", "dac_read_search", \
-	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
-	    "linux_immutable", "net_bind_service", "net_broadcast", \
-	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
-	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
-	    "sys_boot", "sys_nice", "sys_resource", "sys_time", \
-	    "sys_tty_config", "mknod", "lease", "audit_write", \
-	    "audit_control", "setfcap"
+#define COMMON_CAP_PERMS                                                     \
+	"chown", "dac_override", "dac_read_search", "fowner", "fsetid",      \
+		"kill", "setgid", "setuid", "setpcap", "linux_immutable",    \
+		"net_bind_service", "net_broadcast", "net_admin", "net_raw", \
+		"ipc_lock", "ipc_owner", "sys_module", "sys_rawio",          \
+		"sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",        \
+		"sys_boot", "sys_nice", "sys_resource", "sys_time",          \
+		"sys_tty_config", "mknod", "lease", "audit_write",           \
+		"audit_control", "setfcap"
 
-#define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
-		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+#define COMMON_CAP2_PERMS                                                     \
+	"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
+		"audit_read", "perfmon", "bpf", "checkpoint_restore"
 
 #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
 #error New capability defined, please update COMMON_CAP2_PERMS.
@@ -40,224 +46,140 @@
  */
 const struct security_class_mapping secclass_map[] = {
 	{ "security",
-	  { "compute_av", "compute_create", "compute_member",
-	    "check_context", "load_policy", "compute_relabel",
-	    "compute_user", "setenforce", "setbool", "setsecparam",
-	    "setcheckreqprot", "read_policy", "validate_trans", NULL } },
+	  { "compute_av", "compute_create", "compute_member", "check_context",
+	    "load_policy", "compute_relabel", "compute_user", "setenforce",
+	    "setbool", "setsecparam", "setcheckreqprot", "read_policy",
+	    "validate_trans", NULL } },
 	{ "process",
-	  { "fork", "transition", "sigchld", "sigkill",
-	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
-	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
-	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
-	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
-	    "execmem", "execstack", "execheap", "setkeycreate",
-	    "setsockcreate", "getrlimit", NULL } },
-	{ "process2",
-	  { "nnp_transition", "nosuid_transition", NULL } },
+	  { "fork",	    "transition",    "sigchld",	    "sigkill",
+	    "sigstop",	    "signull",	     "signal",	    "ptrace",
+	    "getsched",	    "setsched",	     "getsession",  "getpgid",
+	    "setpgid",	    "getcap",	     "setcap",	    "share",
+	    "getattr",	    "setexec",	     "setfscreate", "noatsecure",
+	    "siginh",	    "setrlimit",     "rlimitinh",   "dyntransition",
+	    "setcurrent",   "execmem",	     "execstack",   "execheap",
+	    "setkeycreate", "setsockcreate", "getrlimit",   NULL } },
+	{ "process2", { "nnp_transition", "nosuid_transition", NULL } },
 	{ "system",
-	  { "ipc_info", "syslog_read", "syslog_mod",
-	    "syslog_console", "module_request", "module_load", NULL } },
-	{ "capability",
-	  { COMMON_CAP_PERMS, NULL } },
+	  { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
+	    "module_request", "module_load", NULL } },
+	{ "capability", { COMMON_CAP_PERMS, NULL } },
 	{ "filesystem",
-	  { "mount", "remount", "unmount", "getattr",
-	    "relabelfrom", "relabelto", "associate", "quotamod",
-	    "quotaget", "watch", NULL } },
+	  { "mount", "remount", "unmount", "getattr", "relabelfrom",
+	    "relabelto", "associate", "quotamod", "quotaget", "watch", NULL } },
 	{ "file",
-	  { COMMON_FILE_PERMS,
-	    "execute_no_trans", "entrypoint", NULL } },
+	  { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
 	{ "dir",
-	  { COMMON_FILE_PERMS, "add_name", "remove_name",
-	    "reparent", "search", "rmdir", NULL } },
+	  { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent", "search",
+	    "rmdir", NULL } },
 	{ "fd", { "use", NULL } },
-	{ "lnk_file",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "chr_file",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "blk_file",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "sock_file",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "fifo_file",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	{ "lnk_file", { COMMON_FILE_PERMS, NULL } },
+	{ "chr_file", { COMMON_FILE_PERMS, NULL } },
+	{ "blk_file", { COMMON_FILE_PERMS, NULL } },
+	{ "sock_file", { COMMON_FILE_PERMS, NULL } },
+	{ "fifo_file", { COMMON_FILE_PERMS, NULL } },
+	{ "socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "tcp_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", "name_connect",
-	    NULL } },
-	{ "udp_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", NULL } },
-	{ "rawip_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", NULL } },
-	{ "node",
-	  { "recvfrom", "sendto", NULL } },
-	{ "netif",
-	  { "ingress", "egress", NULL } },
-	{ "netlink_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "packet_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "key_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "unix_stream_socket",
-	  { COMMON_SOCK_PERMS, "connectto", NULL } },
-	{ "unix_dgram_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "sem",
-	  { COMMON_IPC_PERMS, NULL } },
+	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
+	{ "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
+	{ "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
+	{ "node", { "recvfrom", "sendto", NULL } },
+	{ "netif", { "ingress", "egress", NULL } },
+	{ "netlink_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "packet_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "key_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "unix_stream_socket", { COMMON_SOCK_PERMS, "connectto", NULL } },
+	{ "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "sem", { COMMON_IPC_PERMS, NULL } },
 	{ "msg", { "send", "receive", NULL } },
-	{ "msgq",
-	  { COMMON_IPC_PERMS, "enqueue", NULL } },
-	{ "shm",
-	  { COMMON_IPC_PERMS, "lock", NULL } },
-	{ "ipc",
-	  { COMMON_IPC_PERMS, NULL } },
+	{ "msgq", { COMMON_IPC_PERMS, "enqueue", NULL } },
+	{ "shm", { COMMON_IPC_PERMS, "lock", NULL } },
+	{ "ipc", { COMMON_IPC_PERMS, NULL } },
 	{ "netlink_route_socket",
-	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", NULL } },
+	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
 	{ "netlink_tcpdiag_socket",
-	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", NULL } },
-	{ "netlink_nflog_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "netlink_xfrm_socket",
-	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", NULL } },
-	{ "netlink_selinux_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_iscsi_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_iscsi_socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "netlink_audit_socket",
-	  { COMMON_SOCK_PERMS,
-	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
-	    "nlmsg_tty_audit", NULL } },
-	{ "netlink_fib_lookup_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_connector_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_netfilter_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_dnrt_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay",
+	    "nlmsg_readpriv", "nlmsg_tty_audit", NULL } },
+	{ "netlink_fib_lookup_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_connector_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_netfilter_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_dnrt_socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "association",
 	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
-	{ "netlink_kobject_uevent_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_generic_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_scsitransport_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_rdma_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netlink_crypto_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "appletalk_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_kobject_uevent_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_generic_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_scsitransport_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_rdma_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_crypto_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "appletalk_socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
 	  { "view", "read", "write", "search", "link", "setattr", "create",
 	    NULL } },
 	{ "dccp_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", "name_connect", NULL } },
+	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
 	{ "memprotect", { "mmap_zero", NULL } },
 	{ "peer", { "recv", NULL } },
-	{ "capability2",
-	  { COMMON_CAP2_PERMS, NULL } },
+	{ "capability2", { COMMON_CAP2_PERMS, NULL } },
 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
-	{ "tun_socket",
-	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
-	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
-		      NULL } },
-	{ "cap_userns",
-	  { COMMON_CAP_PERMS, NULL } },
-	{ "cap2_userns",
-	  { COMMON_CAP2_PERMS, NULL } },
+	{ "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } },
+	{ "binder",
+	  { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
+	{ "cap_userns", { COMMON_CAP_PERMS, NULL } },
+	{ "cap2_userns", { COMMON_CAP2_PERMS, NULL } },
 	{ "sctp_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", "name_connect", "association", NULL } },
-	{ "icmp_socket",
-	  { COMMON_SOCK_PERMS,
-	    "node_bind", NULL } },
-	{ "ax25_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "ipx_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "netrom_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "atmpvc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "x25_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "rose_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "decnet_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "atmsvc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "rds_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "irda_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "pppox_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "llc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "can_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "tipc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "bluetooth_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "iucv_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "rxrpc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "isdn_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "phonet_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "ieee802154_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "caif_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "alg_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "nfc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "vsock_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "kcm_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "qipcrtr_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "smc_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "infiniband_pkey",
-	  { "access", NULL } },
-	{ "infiniband_endport",
-	  { "manage_subnet", NULL } },
+	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", "association",
+	    NULL } },
+	{ "icmp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
+	{ "ax25_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "ipx_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "netrom_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "atmpvc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "x25_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "rose_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "decnet_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "atmsvc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "rds_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "irda_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "pppox_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "llc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "can_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "tipc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "bluetooth_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "iucv_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "rxrpc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "isdn_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "phonet_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "ieee802154_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "caif_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "nfc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "vsock_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "kcm_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "qipcrtr_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "smc_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "infiniband_pkey", { "access", NULL } },
+	{ "infiniband_endport", { "manage_subnet", NULL } },
 	{ "bpf",
 	  { "map_create", "map_read", "map_write", "prog_load", "prog_run",
 	    NULL } },
-	{ "xdp_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
-	{ "mctp_socket",
-	  { COMMON_SOCK_PERMS, NULL } },
+	{ "xdp_socket", { COMMON_SOCK_PERMS, NULL } },
+	{ "mctp_socket", { COMMON_SOCK_PERMS, NULL } },
 	{ "perf_event",
 	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
-	{ "anon_inode",
-	  { COMMON_FILE_PERMS, NULL } },
-	{ "io_uring",
-	  { "override_creds", "sqpoll", "cmd", NULL } },
-	{ "user_namespace",
-	  { "create", NULL } },
+	{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
+	{ "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+	{ "user_namespace", { "create", NULL } },
 	{ NULL }
-  };
+};
 
 #if PF_MAX > 46
 #error New address family defined, please update secclass_map.
diff --git a/security/selinux/include/conditional.h b/security/selinux/include/conditional.h
index 693a654714eb..5910bb7c2eca 100644
--- a/security/selinux/include/conditional.h
+++ b/security/selinux/include/conditional.h
@@ -13,8 +13,8 @@
 
 #include "security.h"
 
-int security_get_bools(struct selinux_policy *policy,
-		       u32 *len, char ***names, int **values);
+int security_get_bools(struct selinux_policy *policy, u32 *len, char ***names,
+		       int **values);
 
 int security_set_bools(u32 len, int *values);
 
diff --git a/security/selinux/include/ima.h b/security/selinux/include/ima.h
index 93c05e97eb7f..38ab302f5946 100644
--- a/security/selinux/include/ima.h
+++ b/security/selinux/include/ima.h
@@ -25,4 +25,4 @@ static inline void selinux_ima_measure_state_locked(void)
 }
 #endif
 
-#endif	/* _SELINUX_IMA_H_ */
+#endif /* _SELINUX_IMA_H_ */
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index ecc6e74fa09b..99b353b2abb4 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -3,33 +3,32 @@
 #include <linux/stddef.h>
 
 static const char *const initial_sid_to_string[] = {
-	NULL,
-	"kernel",
-	"security",
-	"unlabeled",
-	NULL,
-	"file",
-	NULL,
-	NULL,
-	"any_socket",
-	"port",
-	"netif",
-	"netmsg",
-	"node",
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	"devnull",
+	NULL, /* zero placeholder, not used */
+	"kernel", /* kernel / SECINITSID_KERNEL */
+	"security", /* security / SECINITSID_SECURITY */
+	"unlabeled", /* unlabeled / SECINITSID_UNLABELED */
+	NULL, /* fs */
+	"file", /* file / SECINITSID_FILE */
+	NULL, /* file_labels */
+	"init", /* init / SECINITSID_INIT */
+	"any_socket", /* any_socket / SECINITSID_ANY_SOCKET */
+	"port", /* port / SECINITSID_PORT */
+	"netif", /* netif / SECINITSID_NETIF */
+	"netmsg", /* netmsg / SECINITSID_NETMSG */
+	"node", /* node / SECINITSID_NODE */
+	NULL, /* igmp_packet */
+	NULL, /* icmp_socket */
+	NULL, /* tcp_socket */
+	NULL, /* sysctl_modprobe */
+	NULL, /* sysctl */
+	NULL, /* sysctl_fs */
+	NULL, /* sysctl_kernel */
+	NULL, /* sysctl_net */
+	NULL, /* sysctl_net_unix */
+	NULL, /* sysctl_vm */
+	NULL, /* sysctl_dev */
+	NULL, /* kmod */
+	NULL, /* policy */
+	NULL, /* scmp_packet */
+	"devnull", /* devnull / SECINITSID_DEVNULL */
 };
-
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 85ec30d11144..2838bdc170dd 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -11,6 +11,7 @@
  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  *                    Paul Moore <paul@paul-moore.com>
  */
+
 #ifndef _SELINUX_NETIF_H_
 #define _SELINUX_NETIF_H_
 
@@ -20,5 +21,4 @@ void sel_netif_flush(void);
 
 int sel_netif_sid(struct net *ns, int ifindex, u32 *sid);
 
-#endif	/* _SELINUX_NETIF_H_ */
-
+#endif /* _SELINUX_NETIF_H_ */
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 4d0456d3d459..5731c0dcd3e8 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -32,25 +32,19 @@ void selinux_netlbl_err(struct sk_buff *skb, u16 family, int error,
 void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec);
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec);
 
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-				 u16 family,
-				 u32 *type,
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family, u32 *type,
 				 u32 *sid);
-int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
-				 u16 family,
-				 u32 sid);
+int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, u16 family, u32 sid);
 int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
-				     struct sk_buff *skb);
+				      struct sk_buff *skb);
 int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family);
 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family);
 void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk);
 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-				struct sk_buff *skb,
-				u16 family,
+				struct sk_buff *skb, u16 family,
 				struct common_audit_data *ad);
-int selinux_netlbl_socket_setsockopt(struct socket *sock,
-				     int level,
+int selinux_netlbl_socket_setsockopt(struct socket *sock, int level,
 				     int optname);
 int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr);
 int selinux_netlbl_socket_connect_locked(struct sock *sk,
@@ -62,44 +56,40 @@ static inline void selinux_netlbl_cache_invalidate(void)
 	return;
 }
 
-static inline void selinux_netlbl_err(struct sk_buff *skb,
-				      u16 family,
-				      int error,
-				      int gateway)
+static inline void selinux_netlbl_err(struct sk_buff *skb, u16 family,
+				      int error, int gateway)
 {
 	return;
 }
 
-static inline void selinux_netlbl_sk_security_free(
-					       struct sk_security_struct *sksec)
+static inline void
+selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
 {
 	return;
 }
 
-static inline void selinux_netlbl_sk_security_reset(
-					       struct sk_security_struct *sksec)
+static inline void
+selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
 {
 	return;
 }
 
-static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-					       u16 family,
-					       u32 *type,
-					       u32 *sid)
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u16 family,
+					       u32 *type, u32 *sid)
 {
 	*type = NETLBL_NLTYPE_NONE;
 	*sid = SECSID_NULL;
 	return 0;
 }
-static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
-					       u16 family,
+static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, u16 family,
 					       u32 sid)
 {
 	return 0;
 }
 
-static inline int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
-						    struct sk_buff *skb)
+static inline int
+selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
+				  struct sk_buff *skb)
 {
 	return 0;
 }
@@ -117,21 +107,18 @@ static inline void selinux_netlbl_sctp_sk_clone(struct sock *sk,
 {
 	return;
 }
-static inline int selinux_netlbl_socket_post_create(struct sock *sk,
-						    u16 family)
+static inline int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
 {
 	return 0;
 }
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-					      struct sk_buff *skb,
-					      u16 family,
+					      struct sk_buff *skb, u16 family,
 					      struct common_audit_data *ad)
 {
 	return 0;
 }
 static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
-						   int level,
-						   int optname)
+						   int level, int optname)
 {
 	return 0;
 }
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 8159fd53c3de..dea1d6f3ed2d 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -13,6 +13,7 @@
  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  *  Copyright (C) 2016 Mellanox Technologies
  */
+
 #ifndef _SELINUX_OBJSEC_H_
 #define _SELINUX_OBJSEC_H_
 
@@ -29,122 +30,122 @@
 #include "avc.h"
 
 struct task_security_struct {
-	u32 osid;		/* SID prior to last execve */
-	u32 sid;		/* current SID */
-	u32 exec_sid;		/* exec SID */
-	u32 create_sid;		/* fscreate SID */
-	u32 keycreate_sid;	/* keycreate SID */
-	u32 sockcreate_sid;	/* fscreate SID */
+	u32 osid; /* SID prior to last execve */
+	u32 sid; /* current SID */
+	u32 exec_sid; /* exec SID */
+	u32 create_sid; /* fscreate SID */
+	u32 keycreate_sid; /* keycreate SID */
+	u32 sockcreate_sid; /* fscreate SID */
 } __randomize_layout;
 
 enum label_initialized {
-	LABEL_INVALID,		/* invalid or not initialized */
-	LABEL_INITIALIZED,	/* initialized */
+	LABEL_INVALID, /* invalid or not initialized */
+	LABEL_INITIALIZED, /* initialized */
 	LABEL_PENDING
 };
 
 struct inode_security_struct {
-	struct inode *inode;	/* back pointer to inode object */
-	struct list_head list;	/* list of inode_security_struct */
-	u32 task_sid;		/* SID of creating task */
-	u32 sid;		/* SID of this object */
-	u16 sclass;		/* security class of this object */
-	unsigned char initialized;	/* initialization flag */
+	struct inode *inode; /* back pointer to inode object */
+	struct list_head list; /* list of inode_security_struct */
+	u32 task_sid; /* SID of creating task */
+	u32 sid; /* SID of this object */
+	u16 sclass; /* security class of this object */
+	unsigned char initialized; /* initialization flag */
 	spinlock_t lock;
 };
 
 struct file_security_struct {
-	u32 sid;		/* SID of open file description */
-	u32 fown_sid;		/* SID of file owner (for SIGIO) */
-	u32 isid;		/* SID of inode at the time of file open */
-	u32 pseqno;		/* Policy seqno at the time of file open */
+	u32 sid; /* SID of open file description */
+	u32 fown_sid; /* SID of file owner (for SIGIO) */
+	u32 isid; /* SID of inode at the time of file open */
+	u32 pseqno; /* Policy seqno at the time of file open */
 };
 
 struct superblock_security_struct {
-	u32 sid;			/* SID of file system superblock */
-	u32 def_sid;			/* default SID for labeling */
-	u32 mntpoint_sid;		/* SECURITY_FS_USE_MNTPOINT context for files */
-	unsigned short behavior;	/* labeling behavior */
-	unsigned short flags;		/* which mount options were specified */
+	u32 sid; /* SID of file system superblock */
+	u32 def_sid; /* default SID for labeling */
+	u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */
+	unsigned short behavior; /* labeling behavior */
+	unsigned short flags; /* which mount options were specified */
 	struct mutex lock;
 	struct list_head isec_head;
 	spinlock_t isec_lock;
 };
 
 struct msg_security_struct {
-	u32 sid;	/* SID of message */
+	u32 sid; /* SID of message */
 };
 
 struct ipc_security_struct {
-	u16 sclass;	/* security class of this object */
-	u32 sid;	/* SID of IPC resource */
+	u16 sclass; /* security class of this object */
+	u32 sid; /* SID of IPC resource */
 };
 
 struct netif_security_struct {
-	struct net *ns;			/* network namespace */
-	int ifindex;			/* device index */
-	u32 sid;			/* SID for this interface */
+	struct net *ns; /* network namespace */
+	int ifindex; /* device index */
+	u32 sid; /* SID for this interface */
 };
 
 struct netnode_security_struct {
 	union {
-		__be32 ipv4;		/* IPv4 node address */
-		struct in6_addr ipv6;	/* IPv6 node address */
+		__be32 ipv4; /* IPv4 node address */
+		struct in6_addr ipv6; /* IPv6 node address */
 	} addr;
-	u32 sid;			/* SID for this node */
-	u16 family;			/* address family */
+	u32 sid; /* SID for this node */
+	u16 family; /* address family */
 };
 
 struct netport_security_struct {
-	u32 sid;			/* SID for this node */
-	u16 port;			/* port number */
-	u8 protocol;			/* transport protocol */
+	u32 sid; /* SID for this node */
+	u16 port; /* port number */
+	u8 protocol; /* transport protocol */
 };
 
 struct sk_security_struct {
 #ifdef CONFIG_NETLABEL
-	enum {				/* NetLabel state */
-		NLBL_UNSET = 0,
-		NLBL_REQUIRE,
-		NLBL_LABELED,
-		NLBL_REQSKB,
-		NLBL_CONNLABELED,
+	enum { /* NetLabel state */
+	       NLBL_UNSET = 0,
+	       NLBL_REQUIRE,
+	       NLBL_LABELED,
+	       NLBL_REQSKB,
+	       NLBL_CONNLABELED,
 	} nlbl_state;
 	struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
 #endif
-	u32 sid;			/* SID of this object */
-	u32 peer_sid;			/* SID of peer */
-	u16 sclass;			/* sock security class */
-	enum {				/* SCTP association state */
-		SCTP_ASSOC_UNSET = 0,
-		SCTP_ASSOC_SET,
+	u32 sid; /* SID of this object */
+	u32 peer_sid; /* SID of peer */
+	u16 sclass; /* sock security class */
+	enum { /* SCTP association state */
+	       SCTP_ASSOC_UNSET = 0,
+	       SCTP_ASSOC_SET,
 	} sctp_assoc_state;
 };
 
 struct tun_security_struct {
-	u32 sid;			/* SID for the tun device sockets */
+	u32 sid; /* SID for the tun device sockets */
 };
 
 struct key_security_struct {
-	u32 sid;	/* SID of key */
+	u32 sid; /* SID of key */
 };
 
 struct ib_security_struct {
-	u32 sid;        /* SID of the queue pair or MAD agent */
+	u32 sid; /* SID of the queue pair or MAD agent */
 };
 
 struct pkey_security_struct {
-	u64	subnet_prefix; /* Port subnet prefix */
-	u16	pkey;	/* PKey number */
-	u32	sid;	/* SID of pkey */
+	u64 subnet_prefix; /* Port subnet prefix */
+	u16 pkey; /* PKey number */
+	u32 sid; /* SID of pkey */
 };
 
 struct bpf_security_struct {
-	u32 sid;  /* SID of bpf obj creator */
+	u32 sid; /* SID of bpf obj creator */
 };
 
 struct perf_event_security_struct {
-	u32 sid;  /* SID of perf_event obj creator */
+	u32 sid; /* SID of perf_event obj creator */
 };
 
 extern struct lsm_blob_sizes selinux_blob_sizes;
@@ -158,22 +159,22 @@ static inline struct file_security_struct *selinux_file(const struct file *file)
 	return file->f_security + selinux_blob_sizes.lbs_file;
 }
 
-static inline struct inode_security_struct *selinux_inode(
-						const struct inode *inode)
+static inline struct inode_security_struct *
+selinux_inode(const struct inode *inode)
 {
 	if (unlikely(!inode->i_security))
 		return NULL;
 	return inode->i_security + selinux_blob_sizes.lbs_inode;
 }
 
-static inline struct msg_security_struct *selinux_msg_msg(
-						const struct msg_msg *msg_msg)
+static inline struct msg_security_struct *
+selinux_msg_msg(const struct msg_msg *msg_msg)
 {
 	return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
 }
 
-static inline struct ipc_security_struct *selinux_ipc(
-						const struct kern_ipc_perm *ipc)
+static inline struct ipc_security_struct *
+selinux_ipc(const struct kern_ipc_perm *ipc)
 {
 	return ipc->security + selinux_blob_sizes.lbs_ipc;
 }
@@ -188,8 +189,8 @@ static inline u32 current_sid(void)
 	return tsec->sid;
 }
 
-static inline struct superblock_security_struct *selinux_superblock(
-					const struct super_block *superblock)
+static inline struct superblock_security_struct *
+selinux_superblock(const struct super_block *superblock)
 {
 	return superblock->s_security + selinux_blob_sizes.lbs_superblock;
 }
diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h
index f35d3458e71d..dc3674eb29c1 100644
--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -1,4 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0 */
+
 #ifndef _SELINUX_POLICYCAP_H_
 #define _SELINUX_POLICYCAP_H_
 
@@ -12,6 +13,7 @@ enum {
 	POLICYDB_CAP_NNP_NOSUID_TRANSITION,
 	POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
 	POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
+	POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
 	__POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h
index 49bbe120d173..2cffcc1ce851 100644
--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -1,9 +1,11 @@
 /* SPDX-License-Identifier: GPL-2.0 */
+
 #ifndef _SELINUX_POLICYCAP_NAMES_H_
 #define _SELINUX_POLICYCAP_NAMES_H_
 
 #include "policycap.h"
 
+/* clang-format off */
 /* Policy capability names */
 const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
 	"network_peer_controls",
@@ -14,6 +16,8 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
 	"nnp_nosuid_transition",
 	"genfs_seclabel_symlinks",
 	"ioctl_skip_cloexec",
+	"userspace_initial_context",
 };
+/* clang-format on */
 
 #endif /* _SELINUX_POLICYCAP_NAMES_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index a9de89af8fdc..289bf9233f71 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -21,57 +21,57 @@
 #include "flask.h"
 #include "policycap.h"
 
-#define SECSID_NULL			0x00000000 /* unspecified SID */
-#define SECSID_WILD			0xffffffff /* wildcard SID */
-#define SECCLASS_NULL			0x0000 /* no class */
+#define SECSID_NULL   0x00000000 /* unspecified SID */
+#define SECSID_WILD   0xffffffff /* wildcard SID */
+#define SECCLASS_NULL 0x0000 /* no class */
 
 /* Identify specific policy version changes */
-#define POLICYDB_VERSION_BASE		15
-#define POLICYDB_VERSION_BOOL		16
-#define POLICYDB_VERSION_IPV6		17
-#define POLICYDB_VERSION_NLCLASS	18
-#define POLICYDB_VERSION_VALIDATETRANS	19
-#define POLICYDB_VERSION_MLS		19
-#define POLICYDB_VERSION_AVTAB		20
-#define POLICYDB_VERSION_RANGETRANS	21
-#define POLICYDB_VERSION_POLCAP		22
-#define POLICYDB_VERSION_PERMISSIVE	23
-#define POLICYDB_VERSION_BOUNDARY	24
-#define POLICYDB_VERSION_FILENAME_TRANS	25
-#define POLICYDB_VERSION_ROLETRANS	26
-#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
-#define POLICYDB_VERSION_DEFAULT_TYPE	28
-#define POLICYDB_VERSION_CONSTRAINT_NAMES	29
-#define POLICYDB_VERSION_XPERMS_IOCTL	30
-#define POLICYDB_VERSION_INFINIBAND		31
-#define POLICYDB_VERSION_GLBLUB		32
-#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */
+#define POLICYDB_VERSION_BASE		     15
+#define POLICYDB_VERSION_BOOL		     16
+#define POLICYDB_VERSION_IPV6		     17
+#define POLICYDB_VERSION_NLCLASS	     18
+#define POLICYDB_VERSION_VALIDATETRANS	     19
+#define POLICYDB_VERSION_MLS		     19
+#define POLICYDB_VERSION_AVTAB		     20
+#define POLICYDB_VERSION_RANGETRANS	     21
+#define POLICYDB_VERSION_POLCAP		     22
+#define POLICYDB_VERSION_PERMISSIVE	     23
+#define POLICYDB_VERSION_BOUNDARY	     24
+#define POLICYDB_VERSION_FILENAME_TRANS	     25
+#define POLICYDB_VERSION_ROLETRANS	     26
+#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
+#define POLICYDB_VERSION_DEFAULT_TYPE	     28
+#define POLICYDB_VERSION_CONSTRAINT_NAMES    29
+#define POLICYDB_VERSION_XPERMS_IOCTL	     30
+#define POLICYDB_VERSION_INFINIBAND	     31
+#define POLICYDB_VERSION_GLBLUB		     32
+#define POLICYDB_VERSION_COMP_FTRANS	     33 /* compressed filename transitions */
 
 /* Range of policy versions we understand*/
-#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_COMP_FTRANS
+#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS
 
 /* Mask for just the mount related flags */
-#define SE_MNTMASK	0x0f
+#define SE_MNTMASK 0x0f
 /* Super block security struct flags for mount options */
 /* BE CAREFUL, these need to be the low order bits for selinux_get_mnt_opts */
 #define CONTEXT_MNT	0x01
 #define FSCONTEXT_MNT	0x02
-#define ROOTCONTEXT_MNT	0x04
+#define ROOTCONTEXT_MNT 0x04
 #define DEFCONTEXT_MNT	0x08
 #define SBLABEL_MNT	0x10
 /* Non-mount related flags */
-#define SE_SBINITIALIZED	0x0100
-#define SE_SBPROC		0x0200
-#define SE_SBGENFS		0x0400
-#define SE_SBGENFS_XATTR	0x0800
-#define SE_SBNATIVE		0x1000
+#define SE_SBINITIALIZED 0x0100
+#define SE_SBPROC	 0x0200
+#define SE_SBGENFS	 0x0400
+#define SE_SBGENFS_XATTR 0x0800
+#define SE_SBNATIVE	 0x1000
 
 #define CONTEXT_STR	"context"
 #define FSCONTEXT_STR	"fscontext"
-#define ROOTCONTEXT_STR	"rootcontext"
+#define ROOTCONTEXT_STR "rootcontext"
 #define DEFCONTEXT_STR	"defcontext"
-#define SECLABEL_STR "seclabel"
+#define SECLABEL_STR	"seclabel"
 
 struct netlbl_lsm_secattr;
 
@@ -81,11 +81,11 @@ extern int selinux_enabled_boot;
  * type_datum properties
  * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
  */
-#define TYPEDATUM_PROPERTY_PRIMARY	0x0001
-#define TYPEDATUM_PROPERTY_ATTRIBUTE	0x0002
+#define TYPEDATUM_PROPERTY_PRIMARY   0x0001
+#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
 
 /* limitation of boundary depth  */
-#define POLICYDB_BOUNDS_MAXDEPTH	4
+#define POLICYDB_BOUNDS_MAXDEPTH 4
 
 struct selinux_policy;
 
@@ -189,6 +189,12 @@ static inline bool selinux_policycap_ioctl_skip_cloexec(void)
 		selinux_state.policycap[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]);
 }
 
+static inline bool selinux_policycap_userspace_initial_context(void)
+{
+	return READ_ONCE(
+		selinux_state.policycap[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]);
+}
+
 struct selinux_policy_convert_data;
 
 struct selinux_load_state {
@@ -214,12 +220,12 @@ struct av_decision {
 	u32 flags;
 };
 
-#define XPERMS_ALLOWED 1
+#define XPERMS_ALLOWED	  1
 #define XPERMS_AUDITALLOW 2
-#define XPERMS_DONTAUDIT 4
+#define XPERMS_DONTAUDIT  4
 
-#define security_xperm_set(perms, x) ((perms)[(x) >> 5] |= 1 << ((x) & 0x1f))
-#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x) & 0x1f)))
+#define security_xperm_set(perms, x)  ((perms)[(x) >> 5] |= 1 << ((x)&0x1f))
+#define security_xperm_test(perms, x) (1 & ((perms)[(x) >> 5] >> ((x)&0x1f)))
 struct extended_perms_data {
 	u32 p[8];
 };
@@ -233,23 +239,22 @@ struct extended_perms_decision {
 };
 
 struct extended_perms {
-	u16 len;	/* length associated decision chain */
+	u16 len; /* length associated decision chain */
 	struct extended_perms_data drivers; /* flag drivers that are used */
 };
 
 /* definitions of av_decision.flags */
-#define AVD_FLAGS_PERMISSIVE	0x0001
+#define AVD_FLAGS_PERMISSIVE 0x0001
 
-void security_compute_av(u32 ssid, u32 tsid,
-			 u16 tclass, struct av_decision *avd,
+void security_compute_av(u32 ssid, u32 tsid, u16 tclass,
+			 struct av_decision *avd,
 			 struct extended_perms *xperms);
 
-void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass,
-				      u8 driver,
+void security_compute_xperms_decision(u32 ssid, u32 tsid, u16 tclass, u8 driver,
 				      struct extended_perms_decision *xpermd);
 
-void security_compute_av_user(u32 ssid, u32 tsid,
-			      u16 tclass, struct av_decision *avd);
+void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass,
+			      struct av_decision *avd);
 
 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
 			    const struct qstr *qstr, u32 *out_sid);
@@ -288,8 +293,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 
 int security_netif_sid(char *name, u32 *if_sid);
 
-int security_node_sid(u16 domain, void *addr, u32 addrlen,
-		      u32 *out_sid);
+int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 				 u16 tclass);
@@ -301,50 +305,47 @@ int security_bounded_transition(u32 oldsid, u32 newsid);
 
 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
 
-int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
-				 u32 xfrm_sid,
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid,
 				 u32 *peer_sid);
 
-int security_get_classes(struct selinux_policy *policy,
-			 char ***classes, u32 *nclasses);
-int security_get_permissions(struct selinux_policy *policy,
-			     const char *class, char ***perms, u32 *nperms);
+int security_get_classes(struct selinux_policy *policy, char ***classes,
+			 u32 *nclasses);
+int security_get_permissions(struct selinux_policy *policy, const char *class,
+			     char ***perms, u32 *nperms);
 int security_get_reject_unknown(void);
 int security_get_allow_unknown(void);
 
-#define SECURITY_FS_USE_XATTR		1 /* use xattr */
-#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
-#define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */
-#define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
-#define SECURITY_FS_USE_NONE		5 /* no labeling support */
-#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
-#define SECURITY_FS_USE_NATIVE		7 /* use native label support */
-#define SECURITY_FS_USE_MAX		7 /* Highest SECURITY_FS_USE_XXX */
+#define SECURITY_FS_USE_XATTR	 1 /* use xattr */
+#define SECURITY_FS_USE_TRANS	 2 /* use transition SIDs, e.g. devpts/tmpfs */
+#define SECURITY_FS_USE_TASK	 3 /* use task SIDs, e.g. pipefs/sockfs */
+#define SECURITY_FS_USE_GENFS	 4 /* use the genfs support */
+#define SECURITY_FS_USE_NONE	 5 /* no labeling support */
+#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
+#define SECURITY_FS_USE_NATIVE	 7 /* use native label support */
+#define SECURITY_FS_USE_MAX	 7 /* Highest SECURITY_FS_USE_XXX */
 
 int security_fs_use(struct super_block *sb);
 
 int security_genfs_sid(const char *fstype, const char *path, u16 sclass,
 		       u32 *sid);
 
-int selinux_policy_genfs_sid(struct selinux_policy *policy,
-		       const char *fstype, const char *path, u16 sclass,
-		       u32 *sid);
+int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype,
+			     const char *path, u16 sclass, u32 *sid);
 
 #ifdef CONFIG_NETLABEL
 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
 				   u32 *sid);
 
-int security_netlbl_sid_to_secattr(u32 sid,
-				   struct netlbl_lsm_secattr *secattr);
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr);
 #else
-static inline int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
-					    u32 *sid)
+static inline int
+security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, u32 *sid)
 {
 	return -EIDRM;
 }
 
-static inline int security_netlbl_sid_to_secattr(u32 sid,
-					 struct netlbl_lsm_secattr *secattr)
+static inline int
+security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
 	return -ENOENT;
 }
@@ -357,13 +358,13 @@ const char *security_get_initial_sid_context(u32 sid);
  */
 extern struct page *selinux_kernel_status_page(void);
 
-#define SELINUX_KERNEL_STATUS_VERSION	1
+#define SELINUX_KERNEL_STATUS_VERSION 1
 struct selinux_kernel_status {
-	u32	version;	/* version number of the structure */
-	u32	sequence;	/* sequence number of seqlock logic */
-	u32	enforcing;	/* current setting of enforcing mode */
-	u32	policyload;	/* times of policy reloaded */
-	u32	deny_unknown;	/* current setting of deny_unknown */
+	u32 version; /* version number of the structure */
+	u32 sequence; /* sequence number of seqlock logic */
+	u32 enforcing; /* current setting of enforcing mode */
+	u32 policyload; /* times of policy reloaded */
+	u32 deny_unknown; /* current setting of deny_unknown */
 	/*
 	 * The version > 0 supports above members.
 	 */
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index c75839860200..de485556ae29 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -5,6 +5,7 @@
  * Author : Trent Jaeger, <jaegert@us.ibm.com>
  * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
  */
+
 #ifndef _SELINUX_XFRM_H_
 #define _SELINUX_XFRM_H_
 
@@ -13,8 +14,7 @@
 #include <net/xfrm.h>
 
 int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
-			      struct xfrm_user_sec_ctx *uctx,
-			      gfp_t gfp);
+			      struct xfrm_user_sec_ctx *uctx, gfp_t gfp);
 int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
 			      struct xfrm_sec_ctx **new_ctxp);
 void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);