Sync to v4.15-rc3 for security subsystem developers to work against.

25 files changed, 234 insertions, 36 deletions

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index ff5895ede96f..c7161f8792b2 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0
 #
 # Makefile for building the SELinux module as part of the kernel tree.
 #
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5d304736852..8644d864e3c1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -85,6 +85,7 @@
 #include <linux/export.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
+#include <linux/bpf.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -1814,6 +1815,10 @@ static inline int file_path_has_perm(const struct cred *cred,
         return inode_has_perm(cred, file_inode(file), av, &ad);
 }
 
+#ifdef CONFIG_BPF_SYSCALL
+static int bpf_fd_pass(struct file *file, u32 sid);
+#endif
+
 /* Check whether a task can use an open file descriptor to
    access an inode in a given way.  Check access to the
    descriptor itself, and then use dentry_has_perm to
@@ -1844,6 +1849,12 @@ static int file_has_perm(const struct cred *cred,
                         goto out;
         }
 
+#ifdef CONFIG_BPF_SYSCALL
+        rc = bpf_fd_pass(file, cred_sid(cred));
+        if (rc)
+                return rc;
+#endif
+
         /* av is zero if only checking access to the descriptor. */
         rc = 0;
         if (av)
@@ -2164,6 +2175,12 @@ static int selinux_binder_transfer_file(struct task_struct *from,
                         return rc;
         }
 
+#ifdef CONFIG_BPF_SYSCALL
+        rc = bpf_fd_pass(file, sid);
+        if (rc)
+                return rc;
+#endif
+
         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
                 return 0;
 
@@ -2918,13 +2935,12 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 {
         const struct task_security_struct *tsec = current_security();
         struct superblock_security_struct *sbsec;
-        u32 sid, newsid, clen;
+        u32 newsid, clen;
         int rc;
         char *context;
 
         sbsec = dir->i_sb->s_security;
 
-        sid = tsec->sid;
         newsid = tsec->create_sid;
 
         rc = selinux_determine_inode_label(current_security(),
@@ -3124,27 +3140,6 @@ static int selinux_inode_getattr(const struct path *path)
         return path_has_perm(current_cred(), path, FILE__GETATTR);
 }
 
-static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
-{
-        const struct cred *cred = current_cred();
-
-        if (!strncmp(name, XATTR_SECURITY_PREFIX,
-                     sizeof XATTR_SECURITY_PREFIX - 1)) {
-                if (!strcmp(name, XATTR_NAME_CAPS)) {
-                        if (!capable(CAP_SETFCAP))
-                                return -EPERM;
-                } else if (!capable(CAP_SYS_ADMIN)) {
-                        /* A different attribute in the security namespace.
-                           Restrict to administrator. */
-                        return -EPERM;
-                }
-        }
-
-        /* Not an attribute we recognize, so just check the
-           ordinary setattr permission. */
-        return dentry_has_perm(cred, dentry, FILE__SETATTR);
-}
-
 static bool has_cap_mac_admin(bool audit)
 {
         const struct cred *cred = current_cred();
@@ -3167,8 +3162,15 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
         u32 newsid, sid = current_sid();
         int rc = 0;
 
-        if (strcmp(name, XATTR_NAME_SELINUX))
-                return selinux_inode_setotherxattr(dentry, name);
+        if (strcmp(name, XATTR_NAME_SELINUX)) {
+                rc = cap_inode_setxattr(dentry, name, value, size, flags);
+                if (rc)
+                        return rc;
+
+                /* Not an attribute we recognize, so just check the
+                   ordinary setattr permission. */
+                return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+        }
 
         sbsec = inode->i_sb->s_security;
         if (!(sbsec->flags & SBLABEL_MNT))
@@ -3191,18 +3193,17 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
                 if (!has_cap_mac_admin(true)) {
                         struct audit_buffer *ab;
                         size_t audit_size;
-                        const char *str;
 
                         /* We strip a nul only if it is at the end, otherwise the
                          * context contains a nul and we should audit that */
                         if (value) {
-                                str = value;
+                                const char *str = value;
+
                                 if (str[size - 1] == '\0')
                                         audit_size = size - 1;
                                 else
                                         audit_size = size;
                         } else {
-                                str = "";
                                 audit_size = 0;
                         }
                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
@@ -3282,8 +3283,15 @@ static int selinux_inode_listxattr(struct dentry *dentry)
 
 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
 {
-        if (strcmp(name, XATTR_NAME_SELINUX))
-                return selinux_inode_setotherxattr(dentry, name);
+        if (strcmp(name, XATTR_NAME_SELINUX)) {
+                int rc = cap_inode_removexattr(dentry, name);
+                if (rc)
+                        return rc;
+
+                /* Not an attribute we recognize, so just check the
+                   ordinary setattr permission. */
+                return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+        }
 
         /* No one is allowed to remove a SELinux security label.
            You can change the label, but all data must be labeled. */
@@ -3978,8 +3986,8 @@ static int selinux_task_getioprio(struct task_struct *p)
                             PROCESS__GETSCHED, NULL);
 }
 
-int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
-                         unsigned int flags)
+static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
+                                unsigned int flags)
 {
         u32 av = 0;
 
@@ -6252,6 +6260,139 @@ static void selinux_ib_free_security(void *ib_sec)
 }
 #endif
 
+#ifdef CONFIG_BPF_SYSCALL
+static int selinux_bpf(int cmd, union bpf_attr *attr,
+                                     unsigned int size)
+{
+        u32 sid = current_sid();
+        int ret;
+
+        switch (cmd) {
+        case BPF_MAP_CREATE:
+                ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
+                                   NULL);
+                break;
+        case BPF_PROG_LOAD:
+                ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
+                                   NULL);
+                break;
+        default:
+                ret = 0;
+                break;
+        }
+
+        return ret;
+}
+
+static u32 bpf_map_fmode_to_av(fmode_t fmode)
+{
+        u32 av = 0;
+
+        if (fmode & FMODE_READ)
+                av |= BPF__MAP_READ;
+        if (fmode & FMODE_WRITE)
+                av |= BPF__MAP_WRITE;
+        return av;
+}
+
+/* This function will check the file pass through unix socket or binder to see
+ * if it is a bpf related object. And apply correspinding checks on the bpf
+ * object based on the type. The bpf maps and programs, not like other files and
+ * socket, are using a shared anonymous inode inside the kernel as their inode.
+ * So checking that inode cannot identify if the process have privilege to
+ * access the bpf object and that's why we have to add this additional check in
+ * selinux_file_receive and selinux_binder_transfer_files.
+ */
+static int bpf_fd_pass(struct file *file, u32 sid)
+{
+        struct bpf_security_struct *bpfsec;
+        struct bpf_prog *prog;
+        struct bpf_map *map;
+        int ret;
+
+        if (file->f_op == &bpf_map_fops) {
+                map = file->private_data;
+                bpfsec = map->security;
+                ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
+                                   bpf_map_fmode_to_av(file->f_mode), NULL);
+                if (ret)
+                        return ret;
+        } else if (file->f_op == &bpf_prog_fops) {
+                prog = file->private_data;
+                bpfsec = prog->aux->security;
+                ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
+                                   BPF__PROG_RUN, NULL);
+                if (ret)
+                        return ret;
+        }
+        return 0;
+}
+
+static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
+{
+        u32 sid = current_sid();
+        struct bpf_security_struct *bpfsec;
+
+        bpfsec = map->security;
+        return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
+                            bpf_map_fmode_to_av(fmode), NULL);
+}
+
+static int selinux_bpf_prog(struct bpf_prog *prog)
+{
+        u32 sid = current_sid();
+        struct bpf_security_struct *bpfsec;
+
+        bpfsec = prog->aux->security;
+        return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
+                            BPF__PROG_RUN, NULL);
+}
+
+static int selinux_bpf_map_alloc(struct bpf_map *map)
+{
+        struct bpf_security_struct *bpfsec;
+
+        bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
+        if (!bpfsec)
+                return -ENOMEM;
+
+        bpfsec->sid = current_sid();
+        map->security = bpfsec;
+
+        return 0;
+}
+
+static void selinux_bpf_map_free(struct bpf_map *map)
+{
+        struct bpf_security_struct *bpfsec = map->security;
+
+        map->security = NULL;
+        kfree(bpfsec);
+}
+
+static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
+{
+        struct bpf_security_struct *bpfsec;
+
+        bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
+        if (!bpfsec)
+                return -ENOMEM;
+
+        bpfsec->sid = current_sid();
+        aux->security = bpfsec;
+
+        return 0;
+}
+
+static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
+{
+        struct bpf_security_struct *bpfsec = aux->security;
+
+        aux->security = NULL;
+        kfree(bpfsec);
+}
+#endif
+
 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
@@ -6471,6 +6612,16 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
         LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
         LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
 #endif
+
+#ifdef CONFIG_BPF_SYSCALL
+        LSM_HOOK_INIT(bpf, selinux_bpf),
+        LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
+        LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
+        LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
+        LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
+        LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
+        LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
+#endif
 };
 
 static __init int selinux_init(void)
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index a5004e9de11a..57d61cf36500 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Access vector cache interface for object managers.
  *
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index 37d57dadd476..3bcc72769b87 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Access vector cache interface for the security server.
  *
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 35ffb29a69cb..acdee7795297 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 #include <linux/capability.h>
 
 #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
@@ -237,6 +238,8 @@ struct security_class_mapping secclass_map[] = {
           { "access", NULL } },
         { "infiniband_endport",
           { "manage_subnet", NULL } },
+        { "bpf",
+          {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
         { NULL }
   };
 
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index a59b64e3fd02..4f93f697f71c 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /* This file is automatically generated.  Do not edit. */
 static const char *initial_sid_to_string[] =
 {
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 1649cd18eb0b..3d54468ce334 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -150,6 +150,10 @@ struct pkey_security_struct {
         u32     sid;    /* SID of pkey */
 };
 
+struct bpf_security_struct {
+        u32 sid;  /*SID of bpf obj creater*/
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 28dfb2f93e4d..02f0412d42f2 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Security server interface.
  *
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 36a7ce9e11ff..1f173a7a4daa 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * SELinux support for the XFRM LSM hooks
  *
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 771c96afe1d5..c91543a617ac 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -361,7 +361,6 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
 
         *ret_list = NULL;
 
-        len = 0;
         rc = next_entry(buf, fp, sizeof(u32));
         if (rc)
                 return rc;
diff --git a/security/selinux/ss/constraint.h b/security/selinux/ss/constraint.h
index 33ae2aec4f36..4e563be9ef5f 100644
--- a/security/selinux/ss/constraint.h
+++ b/security/selinux/ss/constraint.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * A constraint is a condition that must be satisfied in
  * order for one or more permissions to be granted.
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index a2c0f37c42ae..2260c44a568c 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * A security context is a set of security attributes
  * associated with each subject and object controlled
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index fc28149a4f2e..b6a78b09235c 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Implementation of the extensible bitmap type.
  *
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index da1325dda550..edf4fa39c60a 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * An extensible bitmap is a bitmap that supports an
  * arbitrary number of bits.  Extensible bitmaps are
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 686c3917064c..fe25b3fb2154 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Implementation of the hash table type.
  *
@@ -9,6 +10,8 @@
 #include <linux/sched.h>
 #include "hashtab.h"
 
+static struct kmem_cache *hashtab_node_cachep;
+
 struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
                                int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
                                u32 size)
@@ -57,7 +60,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
         if (cur && (h->keycmp(h, key, cur->key) == 0))
                 return -EEXIST;
 
-        newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
+        newnode = kmem_cache_zalloc(hashtab_node_cachep, GFP_KERNEL);
         if (!newnode)
                 return -ENOMEM;
         newnode->key = key;
@@ -106,7 +109,7 @@ void hashtab_destroy(struct hashtab *h)
                 while (cur) {
                         temp = cur;
                         cur = cur->next;
-                        kfree(temp);
+                        kmem_cache_free(hashtab_node_cachep, temp);
                 }
                 h->htable[i] = NULL;
         }
@@ -148,7 +151,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
 
         slots_used = 0;
         max_chain_len = 0;
-        for (slots_used = max_chain_len = i = 0; i < h->size; i++) {
+        for (i = 0; i < h->size; i++) {
                 cur = h->htable[i];
                 if (cur) {
                         slots_used++;
@@ -166,3 +169,14 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
         info->slots_used = slots_used;
         info->max_chain_len = max_chain_len;
 }
+void hashtab_cache_init(void)
+{
+                hashtab_node_cachep = kmem_cache_create("hashtab_node",
+                        sizeof(struct hashtab_node),
+                        0, SLAB_PANIC, NULL);
+}
+
+void hashtab_cache_destroy(void)
+{
+                kmem_cache_destroy(hashtab_node_cachep);
+}
diff --git a/security/selinux/ss/hashtab.h b/security/selinux/ss/hashtab.h
index 009fb5e06172..6183ee2a2e7a 100644
--- a/security/selinux/ss/hashtab.h
+++ b/security/selinux/ss/hashtab.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * A hash table (hashtab) maintains associations between
  * key values and datum values.  The type of the key values
@@ -84,4 +85,8 @@ int hashtab_map(struct hashtab *h,
 /* Fill info with some hash table statistics */
 void hashtab_stat(struct hashtab *h, struct hashtab_info *info);
 
+/* Use kmem_cache for hashtab_node */
+void hashtab_cache_init(void);
+void hashtab_cache_destroy(void);
+
 #endif  /* _SS_HASHTAB_H */
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index d9dc34f4fade..ad982ce8bfa4 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Implementation of the multi-level security (MLS) policy.
  *
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 0f0a1d65b2ce..131d76266ea5 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Multi-level security (MLS) policy operations.
  *
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index 47f3702cd596..068e0d7809db 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Type definitions for the multi-level security (MLS) policy.
  *
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e4a1c0dc561a..33cfe5d3d6cb 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2060,10 +2060,12 @@ int security_load_policy(void *data, size_t len)
         if (!ss_initialized) {
                 avtab_cache_init();
                 ebitmap_cache_init();
+                hashtab_cache_init();
                 rc = policydb_read(&policydb, fp);
                 if (rc) {
                         avtab_cache_destroy();
                         ebitmap_cache_destroy();
+                        hashtab_cache_destroy();
                         goto out;
                 }
 
@@ -2075,6 +2077,7 @@ int security_load_policy(void *data, size_t len)
                         policydb_destroy(&policydb);
                         avtab_cache_destroy();
                         ebitmap_cache_destroy();
+                        hashtab_cache_destroy();
                         goto out;
                 }
 
@@ -2083,6 +2086,7 @@ int security_load_policy(void *data, size_t len)
                         policydb_destroy(&policydb);
                         avtab_cache_destroy();
                         ebitmap_cache_destroy();
+                        hashtab_cache_destroy();
                         goto out;
                 }
 
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 3d9fa9556b4f..356bdd36cf6d 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Implementation of the security services.
  *
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 6ae08efc5ae7..5be31b7af225 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Implementation of the SID table type.
  *
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index de5d0ea583d2..a1a1d2617b6f 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * A security identifier table (sidtab) is a hash table
  * of security context structures indexed by SID value.
diff --git a/security/selinux/ss/symtab.c b/security/selinux/ss/symtab.c
index d1a6745849a7..dc2ce94165d3 100644
--- a/security/selinux/ss/symtab.c
+++ b/security/selinux/ss/symtab.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Implementation of the symbol table type.
  *
diff --git a/security/selinux/ss/symtab.h b/security/selinux/ss/symtab.h
index 0bc12d587d3a..d75fcafe7281 100644
--- a/security/selinux/ss/symtab.h
+++ b/security/selinux/ss/symtab.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * A symbol table (symtab) maintains associations between symbol
  * strings and datum values.  The type of the datum values