arch/arm64/configs/a53x-ksu_defconfig

@@ -6038,7 +6038,7 @@ CONFIG_CPIF_PAGE_RECYCLING=m
 
 CONFIG_EXYNOS_GNSS_IF=m
 CONFIG_CAL_IF=m
-# CONFIG_EXYNOS_DEBUG_INFO is not set
+CONFIG_EXYNOS_DEBUG_INFO=y
 CONFIG_CMUCAL=m
 CONFIG_CP_PMUCAL=m
 CONFIG_GNSS_PMUCAL=m
@@ -6072,7 +6072,7 @@ CONFIG_EXYNOS_CPUHP=m
 CONFIG_EXYNOS_UFCC=m
 CONFIG_EXYNOS_AFM=m
 CONFIG_EXYNOS_PM_QOS=m
-# CONFIG_EXYNOS_DEBUG_FREQ is not set
+CONFIG_EXYNOS_DEBUG_FREQ=m
 CONFIG_EXYNOS_MEMORY_LOGGER=m
 CONFIG_EXYNOS_SYSTEM_EVENT=m
 CONFIG_EXYNOS_IMGLOADER=m
@@ -6104,7 +6104,7 @@ CONFIG_EXYNOS_ACPM_MFD=y
 CONFIG_EXYNOS_MFD_I3C=y
 # CONFIG_EXYNOS_ACPM_S2D is not set
 CONFIG_EXYNOS_ACPM_PLGDBG=m
-# CONFIG_EXYNOS_DEBUG is not set
+CONFIG_EXYNOS_DEBUG=y
 CONFIG_DEBUG_SNAPSHOT=m
 CONFIG_DEBUG_SNAPSHOT_API=y
 CONFIG_DEBUG_SNAPSHOT_FREQ_DOMAIN_NUM=32

arch/arm64/configs/a53x_defconfig

@@ -6038,7 +6038,7 @@ CONFIG_CPIF_PAGE_RECYCLING=m
 
 CONFIG_EXYNOS_GNSS_IF=m
 CONFIG_CAL_IF=m
-# CONFIG_EXYNOS_DEBUG_INFO is not set
+CONFIG_EXYNOS_DEBUG_INFO=y
 CONFIG_CMUCAL=m
 CONFIG_CP_PMUCAL=m
 CONFIG_GNSS_PMUCAL=m
@@ -6072,7 +6072,7 @@ CONFIG_EXYNOS_CPUHP=m
 CONFIG_EXYNOS_UFCC=m
 CONFIG_EXYNOS_AFM=m
 CONFIG_EXYNOS_PM_QOS=m
-# CONFIG_EXYNOS_DEBUG_FREQ is not set
+CONFIG_EXYNOS_DEBUG_FREQ=m
 CONFIG_EXYNOS_MEMORY_LOGGER=m
 CONFIG_EXYNOS_SYSTEM_EVENT=m
 CONFIG_EXYNOS_IMGLOADER=m
@@ -6104,7 +6104,7 @@ CONFIG_EXYNOS_ACPM_MFD=y
 CONFIG_EXYNOS_MFD_I3C=y
 # CONFIG_EXYNOS_ACPM_S2D is not set
 CONFIG_EXYNOS_ACPM_PLGDBG=m
-# CONFIG_EXYNOS_DEBUG is not set
+CONFIG_EXYNOS_DEBUG=y
 CONFIG_DEBUG_SNAPSHOT=m
 CONFIG_DEBUG_SNAPSHOT_API=y
 CONFIG_DEBUG_SNAPSHOT_FREQ_DOMAIN_NUM=32

drivers/soc/samsung/exynos-bcm_dbg.c

@@ -84,7 +84,7 @@ static int __exynos_bcm_dbg_ipc_send_data(enum exynos_bcm_dbg_ipc_type ipc_type,
 	int i = 0;
 	struct cmd_data config;
 #endif
-	enum exynos_bcm_err_code ipc_err = -1;
+	enum exynos_bcm_err_code ipc_err;
 	unsigned int *bcm_cmd;
 
 	if ((ipc_type < IPC_BCM_DBG_EVENT) ||
@@ -128,7 +128,7 @@ static int __exynos_bcm_dbg_ipc_send_data(enum exynos_bcm_dbg_ipc_type ipc_type,
 
 	ipc_err = exynos_bcm_dbg_ipc_err_handle(config.raw_cmd);
 #endif
-	if (ipc_err != -1) {
+	if (ipc_err) {
 		ret = -EBADMSG;
 		return ret;
 	}

ipc/mq_sysctl.c

@@ -43,11 +43,11 @@ static int proc_mq_dointvec_minmax(struct ctl_table *table, int write,
 #define proc_mq_dointvec_minmax NULL
 #endif
 
-static int msg_max_limit_min = MIN_MSGMAX;
-static int msg_max_limit_max = HARD_MSGMAX;
+static int msg_max_limit_min __read_only = MIN_MSGMAX;
+static int msg_max_limit_max __read_only = HARD_MSGMAX;
 
-static int msg_maxsize_limit_min = MIN_MSGSIZEMAX;
-static int msg_maxsize_limit_max = HARD_MSGSIZEMAX;
+static int msg_maxsize_limit_min __read_only = MIN_MSGSIZEMAX;
+static int msg_maxsize_limit_max __read_only = HARD_MSGSIZEMAX;
 
 static struct ctl_table mq_sysctls[] = {
 	{

kernel/sysctl.c

@@ -119,27 +119,27 @@ EXPORT_SYMBOL(deny_new_usb);
 
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
-static int sixty = 60;
+static int sixty __read_only  = 60;
 #endif
 
-static unsigned long zero_ul;
-static unsigned long one_ul = 1;
-static unsigned long long_max = LONG_MAX;
+static unsigned long __read_only zero_ul;
+static unsigned long __read_only one_ul = 1;
+static unsigned long __read_only long_max = LONG_MAX;
 #ifdef CONFIG_PRINTK
-static int ten_thousand = 10000;
+static int ten_thousand __read_only = 10000;
 #endif
 #ifdef CONFIG_PERF_EVENTS
-static int six_hundred_forty_kb = 640 * 1024;
+static int six_hundred_forty_kb __read_only = 640 * 1024;
 #endif
 
 /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
+static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
 
 /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
-static int maxolduid = 65535;
-static int minolduid;
+static int maxolduid __read_only = 65535;
+static int minolduid __read_only;
 
-static int ngroups_max = NGROUPS_MAX;
+static int ngroups_max __read_only = NGROUPS_MAX;
 static const int cap_last_cap = CAP_LAST_CAP;
 
 /*
@@ -147,7 +147,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
  * and hung_task_check_interval_secs
  */
 #ifdef CONFIG_DETECT_HUNG_TASK
-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
+static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
 #endif
 
 #ifdef CONFIG_INOTIFY_USER
@@ -193,19 +193,19 @@ int sysctl_legacy_va_layout;
 #endif
 
 #ifdef CONFIG_SCHED_DEBUG
-static int min_sched_granularity_ns = 100000;		/* 100 usecs */
-static int max_sched_granularity_ns = NSEC_PER_SEC;	/* 1 second */
-static int min_wakeup_granularity_ns;			/* 0 usecs */
-static int max_wakeup_granularity_ns = NSEC_PER_SEC;	/* 1 second */
+static int min_sched_granularity_ns __read_only = 100000;		/* 100 usecs */
+static int max_sched_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
+static int min_wakeup_granularity_ns __read_only;			/* 0 usecs */
+static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
 #ifdef CONFIG_SMP
-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
+static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
+static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
 #endif /* CONFIG_SMP */
 #endif /* CONFIG_SCHED_DEBUG */
 
 #ifdef CONFIG_COMPACTION
-static int min_extfrag_threshold;
-static int max_extfrag_threshold = 1000;
+static int min_extfrag_threshold __read_only;
+static int max_extfrag_threshold __read_only = 1000;
 #endif
 
 #endif /* CONFIG_SYSCTL */

lib/test_sysctl.c

@@ -36,8 +36,8 @@
 #include <linux/delay.h>
 #include <linux/vmalloc.h>
 
-static int i_zero;
-static int i_one_hundred = 100;
+static int i_zero __read_only;
+static int i_one_hundred __read_only = 100;
 
 struct test_sysctl_data {
 	int int_0001;

mm/mmap.c

@@ -250,6 +250,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
 
 	newbrk = PAGE_ALIGN(brk);
 	oldbrk = PAGE_ALIGN(mm->brk);
+	/* properly handle unaligned min_brk as an empty heap */
+	if (min_brk & ~PAGE_MASK) {
+		if (brk == min_brk)
+			newbrk -= PAGE_SIZE;
+		if (mm->brk == min_brk)
+			oldbrk -= PAGE_SIZE;
+	}
 	if (oldbrk == newbrk) {
 		mm->brk = brk;
 		goto success;

mm/slab_common.c

@@ -33,10 +33,10 @@
 
 #include "slab.h"
 
-enum slab_state slab_state;
+enum slab_state slab_state __ro_after_init;
 LIST_HEAD(slab_caches);
 DEFINE_MUTEX(slab_mutex);
-struct kmem_cache *kmem_cache;
+struct kmem_cache *kmem_cache __ro_after_init;
 
 #ifdef CONFIG_HARDENED_USERCOPY
 bool usercopy_fallback __ro_after_init =
@@ -64,7 +64,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
 /*
  * Merge control. If this is set then no merging of slab caches will occur.
  */
-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
 
 static int __init setup_slab_nomerge(char *str)
 {

mm/util.c

@@ -372,9 +372,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
 {
 	/* Is the current task 32bit ? */
 	if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
-		return randomize_page(mm->brk, SZ_32M);
+		return mm->brk + get_random_long() % SZ_32M;
 
-	return randomize_page(mm->brk, SZ_1G);
+	return mm->brk + get_random_long() % SZ_1G;
 }
 
 unsigned long arch_mmap_rnd(void)

net/ax25/sysctl_net_ax25.c

@@ -9,21 +9,21 @@
 #include <linux/spinlock.h>
 #include <net/ax25.h>
 
-static int min_ipdefmode[1],    	max_ipdefmode[] = {1};
-static int min_axdefmode[1],            max_axdefmode[] = {1};
-static int min_backoff[1],		max_backoff[] = {2};
-static int min_conmode[1],		max_conmode[] = {2};
-static int min_window[] = {1},		max_window[] = {7};
-static int min_ewindow[] = {1},		max_ewindow[] = {63};
-static int min_t1[] = {1},		max_t1[] = {30000};
-static int min_t2[] = {1},		max_t2[] = {20000};
-static int min_t3[1],			max_t3[] = {3600000};
-static int min_idle[1],			max_idle[] = {65535000};
-static int min_n2[] = {1},		max_n2[] = {31};
-static int min_paclen[] = {1},		max_paclen[] = {512};
-static int min_proto[1],		max_proto[] = { AX25_PROTO_MAX };
+static int min_ipdefmode[1],    	max_ipdefmode[] __read_only = {1};
+static int min_axdefmode[1],            max_axdefmode[] __read_only = {1};
+static int min_backoff[1],		max_backoff[] __read_only = {2};
+static int min_conmode[1],		max_conmode[] __read_only = {2};
+static int min_window[] __read_only = {1},		max_window[] __read_only = {7};
+static int min_ewindow[] __read_only = {1},		max_ewindow[] __read_only = {63};
+static int min_t1[] __read_only = {1},		max_t1[] __read_only = {30000};
+static int min_t2[] __read_only = {1},		max_t2[] __read_only = {20000};
+static int min_t3[1],			max_t3[] __read_only = {3600000};
+static int min_idle[1],			max_idle[] __read_only = {65535000};
+static int min_n2[] __read_only = {1},		max_n2[] __read_only = {31};
+static int min_paclen[] __read_only = {1},		max_paclen[] __read_only = {512};
+static int min_proto[1],		max_proto[] __read_only = { AX25_PROTO_MAX };
 #ifdef CONFIG_AX25_DAMA_SLAVE
-static int min_ds_timeout[1],		max_ds_timeout[] = {65535000};
+static int min_ds_timeout[1],		max_ds_timeout[] __read_only = {65535000};
 #endif
 
 static const struct ctl_table ax25_param_table[] = {

net/core/sysctl_net_core.c

@@ -22,13 +22,13 @@
 #include <net/busy_poll.h>
 #include <net/pkt_sched.h>
 
-static int two = 2;
-static int three = 3;
-static int min_sndbuf = SOCK_MIN_SNDBUF;
-static int min_rcvbuf = SOCK_MIN_RCVBUF;
-static int max_skb_frags = MAX_SKB_FRAGS;
-static long long_one __maybe_unused = 1;
-static long long_max __maybe_unused = LONG_MAX;
+static int two __read_only = 2;
+static int three __read_only = 3;
+static int min_sndbuf __read_only = SOCK_MIN_SNDBUF;
+static int min_rcvbuf __read_only = SOCK_MIN_RCVBUF;
+static int max_skb_frags __read_only = MAX_SKB_FRAGS;
+static long long_one __maybe_unused __read_only = 1;
+static long long_max __maybe_unused __read_only = LONG_MAX;
 
 static int net_msg_warn;	/* Unused, but still a sysctl */
 

net/ipv4/sysctl_net_ipv4.c

@@ -28,27 +28,27 @@
 #include <net/protocol.h>
 #include <net/netevent.h>
 
-static int two = 2;
-static int four = 4;
-static int thousand = 1000;
-static int tcp_retr1_max = 255;
-static int ip_local_port_range_min[] = { 1, 1 };
-static int ip_local_port_range_max[] = { 65535, 65535 };
-static int tcp_adv_win_scale_min = -31;
-static int tcp_adv_win_scale_max = 31;
-static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
-static int tcp_min_snd_mss_max = 65535;
-static int ip_privileged_port_min;
-static int ip_privileged_port_max = 65535;
-static int ip_ttl_min = 1;
-static int ip_ttl_max = 255;
-static int tcp_syn_retries_min = 1;
-static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
-static int ip_ping_group_range_min[] = { 0, 0 };
-static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
-static int comp_sack_nr_max = 255;
-static u32 u32_max_div_HZ = UINT_MAX / HZ;
-static int one_day_secs = 24 * 3600;
+static int two __read_only = 2;
+static int four __read_only = 4;
+static int thousand __read_only = 1000;
+static int tcp_retr1_max __read_only = 255;
+static int ip_local_port_range_min[] __read_only = { 1, 1 };
+static int ip_local_port_range_max[] __read_only = { 65535, 65535 };
+static int tcp_adv_win_scale_min __read_only = -31;
+static int tcp_adv_win_scale_max __read_only = 31;
+static int tcp_min_snd_mss_min __read_only = TCP_MIN_SND_MSS;
+static int tcp_min_snd_mss_max __read_only = 65535;
+static int ip_privileged_port_min __read_only;
+static int ip_privileged_port_max __read_only = 65535;
+static int ip_ttl_min __read_only = 1;
+static int ip_ttl_max __read_only = 255;
+static int tcp_syn_retries_min __read_only = 1;
+static int tcp_syn_retries_max __read_only = MAX_TCP_SYNCNT;
+static int ip_ping_group_range_min[] __read_only = { 0, 0 };
+static int ip_ping_group_range_max[] __read_only = { GID_T_MAX, GID_T_MAX };
+static int comp_sack_nr_max __read_only = 255;
+static u32 u32_max_div_HZ __read_only = UINT_MAX / HZ;
+static int one_day_secs __read_only = 24 * 3600;
 
 /* obsolete */
 static int sysctl_tcp_low_latency __read_mostly;

net/ipv6/sysctl_net_ipv6.c

@@ -21,10 +21,10 @@
 #include <net/calipso.h>
 #endif
 
-static int two = 2;
-static int flowlabel_reflect_max = 0x7;
-static int auto_flowlabels_min;
-static int auto_flowlabels_max = IP6_AUTO_FLOW_LABEL_MAX;
+static int two __read_only = 2;
+static int flowlabel_reflect_max __read_only = 0x7;
+static int auto_flowlabels_min __read_only;
+static int auto_flowlabels_max __read_only = IP6_AUTO_FLOW_LABEL_MAX;
 
 static int proc_rt6_multipath_hash_policy(struct ctl_table *table, int write,
 					  void *buffer, size_t *lenp, loff_t *ppos)

net/netrom/sysctl_net_netrom.c

@@ -12,22 +12,22 @@
 /*
  *	Values taken from NET/ROM documentation.
  */
-static int min_quality[] = {0}, max_quality[] = {255};
-static int min_obs[]     = {0}, max_obs[]     = {255};
-static int min_ttl[]     = {0}, max_ttl[]     = {255};
-static int min_t1[]      = {5 * HZ};
-static int max_t1[]      = {600 * HZ};
-static int min_n2[]      = {2}, max_n2[]      = {127};
-static int min_t2[]      = {1 * HZ};
-static int max_t2[]      = {60 * HZ};
-static int min_t4[]      = {1 * HZ};
-static int max_t4[]      = {1000 * HZ};
-static int min_window[]  = {1}, max_window[]  = {127};
-static int min_idle[]    = {0 * HZ};
-static int max_idle[]    = {65535 * HZ};
-static int min_route[]   = {0}, max_route[]   = {1};
-static int min_fails[]   = {1}, max_fails[]   = {10};
-static int min_reset[]   = {0}, max_reset[]   = {1};
+static int min_quality[] __read_only = {0}, max_quality[] __read_only = {255};
+static int min_obs[] __read_only     = {0}, max_obs[] __read_only     = {255};
+static int min_ttl[] __read_only     = {0}, max_ttl[] __read_only     = {255};
+static int min_t1[] __read_only      = {5 * HZ};
+static int max_t1[] __read_only      = {600 * HZ};
+static int min_n2[] __read_only      = {2}, max_n2[] __read_only      = {127};
+static int min_t2[] __read_only      = {1 * HZ};
+static int max_t2[] __read_only      = {60 * HZ};
+static int min_t4[] __read_only      = {1 * HZ};
+static int max_t4[] __read_only      = {1000 * HZ};
+static int min_window[] __read_only  = {1}, max_window[] __read_only  = {127};
+static int min_idle[] __read_only    = {0 * HZ};
+static int max_idle[] __read_only    = {65535 * HZ};
+static int min_route[] __read_only   = {0}, max_route[] __read_only   = {1};
+static int min_fails[] __read_only   = {1}, max_fails[] __read_only   = {10};
+static int min_reset[] __read_only   = {0}, max_reset[] __read_only   = {1};
 
 static struct ctl_table_header *nr_table_header;
 

net/phonet/sysctl.c

@@ -22,8 +22,8 @@
 #define DYNAMIC_PORT_MAX	0x7f
 
 static DEFINE_SEQLOCK(local_port_range_lock);
-static int local_port_range_min[2] = {0, 0};
-static int local_port_range_max[2] = {1023, 1023};
+static int local_port_range_min[2] __read_only = {0, 0};
+static int local_port_range_max[2] __read_only = {1023, 1023};
 static int local_port_range[2] = {DYNAMIC_PORT_MIN, DYNAMIC_PORT_MAX};
 static struct ctl_table_header *phonet_table_hrd;
 

net/rose/sysctl_net_rose.c

@@ -9,15 +9,15 @@
 #include <net/ax25.h>
 #include <net/rose.h>
 
-static int min_timer[]  = {1 * HZ};
-static int max_timer[]  = {300 * HZ};
-static int min_idle[]   = {0 * HZ};
-static int max_idle[]   = {65535 * HZ};
-static int min_route[1],       max_route[] = {1};
-static int min_ftimer[] = {60 * HZ};
-static int max_ftimer[] = {600 * HZ};
-static int min_maxvcs[] = {1}, max_maxvcs[] = {254};
-static int min_window[] = {1}, max_window[] = {7};
+static int min_timer[] __read_only  = {1 * HZ};
+static int max_timer[] __read_only  = {300 * HZ};
+static int min_idle[] __read_only   = {0 * HZ};
+static int max_idle[] __read_only   = {65535 * HZ};
+static int min_route[1],       max_route[] __read_only = {1};
+static int min_ftimer[] __read_only = {60 * HZ};
+static int max_ftimer[] __read_only = {600 * HZ};
+static int min_maxvcs[] __read_only = {1}, max_maxvcs[] = {254};
+static int min_window[] __read_only = {1}, max_window[] = {7};
 
 static struct ctl_table_header *rose_table_header;
 

net/sctp/sysctl.c

@@ -25,20 +25,20 @@
 #include <net/sctp/sctp.h>
 #include <linux/sysctl.h>
 
-static int timer_max = 86400000; /* ms in one day */
-static int sack_timer_min = 1;
-static int sack_timer_max = 500;
-static int addr_scope_max = SCTP_SCOPE_POLICY_MAX;
-static int rwnd_scale_max = 16;
-static int rto_alpha_min = 0;
-static int rto_beta_min = 0;
-static int rto_alpha_max = 1000;
-static int rto_beta_max = 1000;
-static int pf_expose_max = SCTP_PF_EXPOSE_MAX;
-static int ps_retrans_max = SCTP_PS_RETRANS_MAX;
+static int timer_max __read_only = 86400000; /* ms in one day */
+static int sack_timer_min __read_only = 1;
+static int sack_timer_max __read_only = 500;
+static int addr_scope_max __read_only = SCTP_SCOPE_POLICY_MAX;
+static int rwnd_scale_max __read_only = 16;
+static int rto_alpha_min __read_only = 0;
+static int rto_beta_min __read_only = 0;
+static int rto_alpha_max __read_only = 1000;
+static int rto_beta_max __read_only = 1000;
+static int pf_expose_max __read_only = SCTP_PF_EXPOSE_MAX;
+static int ps_retrans_max __read_only = SCTP_PS_RETRANS_MAX;
 
-static unsigned long max_autoclose_min = 0;
-static unsigned long max_autoclose_max =
+static unsigned long max_autoclose_min __read_only = 0;
+static unsigned long max_autoclose_max __read_only =
 	(MAX_SCHEDULE_TIMEOUT / HZ > UINT_MAX)
 	? UINT_MAX : MAX_SCHEDULE_TIMEOUT / HZ;
 

net/x25/sysctl_net_x25.c

@@ -13,8 +13,8 @@
 #include <linux/init.h>
 #include <net/x25.h>
 
-static int min_timer[] = {   1 * HZ };
-static int max_timer[] = { 300 * HZ };
+static int min_timer[] __read_only = {   1 * HZ };
+static int max_timer[] __read_only = { 300 * HZ };
 
 static struct ctl_table_header *x25_table_header;
 

security/selinux/include/security.h

@@ -87,6 +87,11 @@ extern int selinux_enabled_boot;
 struct selinux_avc;
 struct selinux_policy;
 
+struct context_types {
+	u32 webview_zygote;
+	u32 zygote;
+};
+
 struct selinux_state {
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 	bool disabled;
@@ -100,6 +105,8 @@ struct selinux_state {
 	bool android_netlink_route;
 	bool android_netlink_getneigh;
 
+	struct context_types types;
+
 	struct page *status_page;
 	struct mutex status_lock;
 
@@ -329,6 +336,8 @@ int security_change_sid(struct selinux_state *state, u32 ssid, u32 tsid,
 int security_sid_to_context(struct selinux_state *state, u32 sid,
 			    char **scontext, u32 *scontext_len);
 
+int security_sid_to_context_type(struct selinux_state *state, u32 sid, u32 *out);
+
 int security_sid_to_context_force(struct selinux_state *state,
 				  u32 sid, char **scontext, u32 *scontext_len);
 

security/selinux/selinuxfs.c

@@ -41,6 +41,8 @@
 #include "security.h"
 #include "objsec.h"
 #include "conditional.h"
+#include "ss/services.h"
+#include "ss/symtab.h"
 
 enum sel_inos {
 	SEL_ROOT_INO = 2,
@@ -611,6 +613,30 @@ out:
 	return ret;
 }
 
+static int resolve_context_type(struct selinux_load_state *state, const char *name, u32 *out_type)
+{
+	struct type_datum *typdatum = symtab_search(&state->policy->policydb.p_types, name);
+	if (!typdatum || typdatum->attribute) {
+		pr_err("SELinux: missing type_datum for %s\n", name);
+		return -EINVAL;
+	}
+	*out_type = typdatum->value;
+	return 0;
+}
+
+static int resolve_context_types(struct selinux_load_state *lstate, struct context_types *types) {
+	int rc;
+
+#define RESOLVE_TYPE(t) rc = resolve_context_type(lstate, #t, &types->t); if (rc) return rc
+
+	RESOLVE_TYPE(webview_zygote);
+	RESOLVE_TYPE(zygote);
+
+#undef RESOLVE_TYPE
+
+	return 0;
+}
+
 static ssize_t sel_write_load(struct file *file, const char __user *buf,
 			      size_t count, loff_t *ppos)
 
@@ -656,6 +682,12 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
 		goto out;
 	}
 
+	length = resolve_context_types(&load_state, &fsi->state->types);
+	if (length) {
+		selinux_policy_cancel(fsi->state, &load_state);
+		goto out;
+	}
+
 	selinux_policy_commit(fsi->state, &load_state);
 	length = count;
 	audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,

security/selinux/ss/services.c

@@ -1386,6 +1386,35 @@ out_unlock:
 
 }
 
+// based on security_sid_to_context_core() above
+int security_sid_to_context_type(struct selinux_state *state, u32 sid, u32 *out)
+{
+	struct selinux_policy *policy;
+	struct policydb *policydb;
+	struct sidtab *sidtab;
+	struct sidtab_entry *entry;
+	int rc = 0;
+
+	rcu_read_lock();
+	policy = rcu_dereference(state->policy);
+	policydb = &policy->policydb;
+	sidtab = policy->sidtab;
+
+	entry = sidtab_search_entry(sidtab, sid);
+
+	if (!entry) {
+		pr_err("SELinux: %s:  unrecognized SID %d\n", __func__, sid);
+		rc = -EINVAL;
+		goto out_unlock;
+	}
+
+	*out = entry->context.type;
+
+out_unlock:
+	rcu_read_unlock();
+	return rc;
+}
+
 /**
  * security_sid_to_context - Obtain a context for a given SID.
  * @sid: security identifier, SID