/*
 * Copyright (C) 2005 International Business Machines Corporation
 * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "config.h" 330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/types.h> 350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdlib.h> 370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdio.h> 380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <string.h> 390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <selinux/selinux.h> 410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <selinux/flask.h> 420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <selinux/av_permissions.h> 430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <selinux/avc.h> 440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <selinux/context.h> 450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "var.h" 470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "vmbuf.h" 480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "misc.h" 490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "plog.h" 500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp_var.h" 520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp.h" 530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "ipsec_doi.h" 540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "policy.h" 550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "proposal.h" 
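#include "strnames.h"
#include "handler.h"

/*
 * Get the security context information from SA.
 *
 * Walks the first proposal and its first transform of the SA payload
 * received from the peer and looks for an IPSECDOI_ATTR_SECCTX attribute.
 * When one is found its value is copied into p->sec_ctx (ctx_doi, ctx_alg,
 * ctx_strlen in network byte order, then ctx_strlen bytes of ctx_str) and
 * ctx_strlen is converted to host order.
 *
 * The payload comes off the wire, so every length read from it is checked
 * against the enclosing structure before it is used: an attribute whose
 * TLV length runs past the transform, or a SECCTX value that does not fit
 * in p->sec_ctx, is rejected instead of being copied.
 *
 * sa: SA payload (generic header included), untrusted.
 * p:  policy index whose sec_ctx is filled in; left untouched when no
 *     SECCTX attribute is present or the payload is rejected.
 *
 * Returns 0 on success (including "no SECCTX attribute"), -1 on a
 * malformed payload.  Both parse buffers are released on every path.
 */
int
get_security_context(sa, p)
	vchar_t *sa;
	struct policyindex *p;
{
	int rc = -1;
	int len = 0;
	int flag, type = 0;
	u_int16_t lorv;
	caddr_t bp;
	vchar_t *pbuf = NULL;
	vchar_t *tbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp_parse_t *ta;
	struct isakmp_pl_p *prop;
	struct isakmp_pl_t *trns;
	struct isakmp_data *d;
	struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v;
	/* fixed part of sec_ctx that precedes the ctx_str bytes */
	const size_t ctx_hdrlen = sizeof(p->sec_ctx) - sizeof(p->sec_ctx.ctx_str);

	/* check SA payload size */
	if (sa->l < sizeof(*sab)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid SA length = %zu.\n", sa->l);
		return -1;
	}

	bp = (caddr_t)(sab + 1);	/* here bp points to first proposal payload */
	len = sa->l - sizeof(*sab);

	pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, len);
	if (pbuf == NULL)
		return -1;

	pa = (struct isakmp_parse_t *)pbuf->v;
	/* check the value of next payload */
	if (pa->type != ISAKMP_NPTYPE_P) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid payload type=%u\n", pa->type);
		goto end;
	}

	if (pa->len == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid proposal with length %d\n", pa->len);
		goto end;
	}

	/* our first proposal */
	prop = (struct isakmp_pl_p *)pa->ptr;

	/* the proposal must at least hold its own header and the SPI */
	if (ntohs(prop->h.len) < sizeof(struct isakmp_pl_p) + prop->spi_size) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid proposal length %u, spi_size %u\n",
			(unsigned)ntohs(prop->h.len), (unsigned)prop->spi_size);
		goto end;
	}

	/* now get transform */
	bp = (caddr_t)prop + sizeof(struct isakmp_pl_p) + prop->spi_size;
	len = ntohs(prop->h.len) -
		(sizeof(struct isakmp_pl_p) + prop->spi_size);
	tbuf = isakmp_parsewoh(ISAKMP_NPTYPE_T, (struct isakmp_gen *)bp, len);
	if (tbuf == NULL)
		goto end;

	ta = (struct isakmp_parse_t *)tbuf->v;
	if (ta->type != ISAKMP_NPTYPE_T) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid payload type=%u\n", ta->type);
		goto end;
	}

	trns = (struct isakmp_pl_t *)ta->ptr;

	/* the transform must at least hold its own header */
	if (ntohs(trns->h.len) < sizeof(struct isakmp_pl_t)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid transform length %u\n",
			(unsigned)ntohs(trns->h.len));
		goto end;
	}
	len = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
	d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));

	/* walk the transform attributes; len is the number of bytes left */
	while (len > 0) {
		/* every attribute starts with a fixed type/lorv header */
		if ((size_t)len < sizeof(*d)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"truncated attribute in transform (%d bytes left)\n",
				len);
			goto end;
		}
		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;
		lorv = ntohs(d->lorv);

		if (flag) {
			/* TV form: the value is lorv itself, nothing follows */
			if (type == IPSECDOI_ATTR_SECCTX) {
				plog(LLV_ERROR, LOCATION, NULL,
					"SECCTX must be in TLV.\n");
				goto end;
			}
			len -= sizeof(*d);
			d = (struct isakmp_data *)((caddr_t)d + sizeof(*d));
			continue;
		}

		/* TLV form: lorv value bytes follow; they must fit the transform */
		if ((size_t)len - sizeof(*d) < lorv) {
			plog(LLV_ERROR, LOCATION, NULL,
				"attribute type %d length %u exceeds transform\n",
				type, (unsigned)lorv);
			goto end;
		}

		if (type != IPSECDOI_ATTR_SECCTX) {
			len -= (sizeof(*d) + lorv);
			d = (struct isakmp_data *)((caddr_t)d
				+ sizeof(*d) + lorv);
			continue;
		}

		/*
		 * The value has the layout of p->sec_ctx.  It must carry at
		 * least the fixed header and must not be larger than the
		 * destination, otherwise memcpy would run past sec_ctx.
		 */
		if (lorv < ctx_hdrlen || lorv > sizeof(p->sec_ctx)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid SECCTX length %u\n", (unsigned)lorv);
			goto end;
		}
		memset(&p->sec_ctx, 0, sizeof(p->sec_ctx));
		memcpy(&p->sec_ctx, d + 1, lorv);
		p->sec_ctx.ctx_strlen = ntohs(p->sec_ctx.ctx_strlen);
		/* ctx_strlen must describe bytes that were actually received */
		if (p->sec_ctx.ctx_strlen > lorv - ctx_hdrlen) {
			plog(LLV_ERROR, LOCATION, NULL,
				"SECCTX string length %u exceeds attribute length %u\n",
				(unsigned)p->sec_ctx.ctx_strlen, (unsigned)lorv);
			memset(&p->sec_ctx, 0, sizeof(p->sec_ctx));
			goto end;
		}
		break;
	}
	rc = 0;

end:
	/* both parse buffers are owned here; ptr fields point into sa, not into them */
	if (tbuf != NULL)
		vfree(tbuf);
	vfree(pbuf);
	return rc;
}

/*
 * Copy the security context of the matched policy into the phase 2
 * proposal so it is offered to the peer.
 *
 * iph2:  phase 2 handler; iph2->proposal must already be allocated.
 * spidx: policy index whose sec_ctx is copied (passed by value).
 *
 * ctx_strlen is never allowed to drive memcpy past the destination
 * ctx_str array: an oversized length is logged and clamped, and the
 * clamped value is what ends up in the proposal.
 */
void
set_secctx_in_proposal(iph2, spidx)
	struct ph2handle *iph2;
	struct policyindex spidx;
{
	size_t slen = spidx.sec_ctx.ctx_strlen;

	/* NOTE(review): assumes source and destination ctx_str have the same size — confirm */
	if (slen > sizeof(iph2->proposal->sctx.ctx_str)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"security context string length %zu exceeds %zu, truncating.\n",
			slen, sizeof(iph2->proposal->sctx.ctx_str));
		slen = sizeof(iph2->proposal->sctx.ctx_str);
	}

	iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
	iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
	iph2->proposal->sctx.ctx_strlen = slen;
	memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str, slen);
}


/*
 * function: init_avc
 * description: function performs the steps necessary to initialize the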
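 *              userspace avc.
 * input: void
 * return: nothing.  On success the file-scope flag mls_ready is set to 1,
 *         which within_range() consults.  On failure an error is logged
 *         and mls_ready stays 0, so within_range() refuses every policy
 *         that carries a security context.
 */

/* Set once avc_init() succeeded in init_avc(); read by within_range(). */
static int mls_ready = 0;

void
init_avc(void)
{
	if (!is_selinux_mls_enabled()) {
		plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
		    " enabled.\n");
		return;
	}

	if (avc_init("racoon", NULL, NULL, NULL, NULL) == 0)
		mls_ready = 1;
	else
		plog(LLV_ERROR, LOCATION, NULL,
		    "racoon: could not initialize avc.\n");
}

/*
 * function: within_range
 * description: function determines if the specified sl is within the
 *              configured range for a policy rule, by asking the avc for
 *              association:polmatch between the sl and range sids.
 * input: security_context_t sl    SL
 *        security_context_t range Range (empty string: policy has no
 *                                 security context, always matches)
 * return: 1 if the sl is within the range
 *         0 if the sl is not within the range or an error
 *           occurred which prevented the determination
 *
 * Both sids are released with sidput() on every path after they were
 * obtained, including the successful one.
 */

int
within_range(security_context_t sl, security_context_t range)
{
	int rtn = 0;
	security_id_t slsid;
	security_id_t rangesid;
	struct av_decision avd;
	security_class_t tclass;
	access_vector_t av;

	/* NOTE(review): range is dereferenced without a NULL check — confirm callers never pass NULL */
	if (!*range)	/* This policy doesn't have security context */
		return 1;

	if (!mls_ready)	/* mls may not be enabled */
		return 0;

	/*
	 * Get the sids for the sl and range contexts
	 */
	if (avc_context_to_sid(sl, &slsid) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "within_range: Unable to retrieve "
		    "sid for sl context (%s).\n", sl);
		return 0;
	}
	if (avc_context_to_sid(range, &rangesid) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "within_range: Unable to retrieve "
		    "sid for range context (%s).\n", range);
		sidput(slsid);
		return 0;
	}

	/*
	 * Straight up test between sl and range
	 */
	tclass = SECCLASS_ASSOCIATION;
	av = ASSOCIATION__POLMATCH;
	if (avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd) != 0) {
		plog(LLV_INFO, LOCATION, NULL,
		    "within_range: The sl is not within range\n");
	} else {
		plog(LLV_DEBUG, LOCATION, NULL,
		    "within_range: The sl (%s) is within range (%s)\n", sl, range);
		rtn = 1;
	}

	/* release the sids on the success path too, not only on failure */
	sidput(slsid);
	sidput(rangesid);
	return rtn;
}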