services.c revision 0719aaf5ead7555b7b7a4a080ebf2826a871384e
1/*
2 * Implementation of the security services.
3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 *	     James Morris <jmorris@redhat.com>
6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 *
9 *	Support for enhanced MLS infrastructure.
10 *	Support for context based audit filters.
11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 *
14 *	Added conditional policy language extensions
15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 *
18 *      Added support for NetLabel
19 *      Added support for the policy capability bitmap
20 *
21 * Updated: Chad Sellers <csellers@tresys.com>
22 *
23 *  Added validation of kernel classes and permissions
24 *
25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26 *
27 *  Added support for bounds domain and audit messaged on masked permissions
28 *
29 * Updated: Guido Trentalancia <guido@trentalancia.com>
30 *
31 *  Added support for runtime switching of the policy type
32 *
33 * Copyright (C) 2008, 2009 NEC Corporation
34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
38 *	This program is free software; you can redistribute it and/or modify
39 *	it under the terms of the GNU General Public License as published by
40 *	the Free Software Foundation, version 2.
41 */
42#include <linux/kernel.h>
43#include <linux/slab.h>
44#include <linux/string.h>
45#include <linux/spinlock.h>
46#include <linux/rcupdate.h>
47#include <linux/errno.h>
48#include <linux/in.h>
49#include <linux/sched.h>
50#include <linux/audit.h>
51#include <linux/mutex.h>
52#include <linux/selinux.h>
53#include <net/netlabel.h>
54
55#include "flask.h"
56#include "avc.h"
57#include "avc_ss.h"
58#include "security.h"
59#include "context.h"
60#include "policydb.h"
61#include "sidtab.h"
62#include "services.h"
63#include "conditional.h"
64#include "mls.h"
65#include "objsec.h"
66#include "netlabel.h"
67#include "xfrm.h"
68#include "ebitmap.h"
69#include "audit.h"
70
71extern void selnl_notify_policyload(u32 seqno);
72
73int selinux_policycap_netpeer;
74int selinux_policycap_openperm;
75
76static DEFINE_RWLOCK(policy_rwlock);
77
78static struct sidtab sidtab;
79struct policydb policydb;
80int ss_initialized;
81
82/*
83 * The largest sequence number that has been used when
84 * providing an access decision to the access vector cache.
85 * The sequence number only changes when a policy change
86 * occurs.
87 */
88static u32 latest_granting;
89
90/* Forward declaration. */
91static int context_struct_to_string(struct context *context, char **scontext,
92				    u32 *scontext_len);
93
94static void context_struct_compute_av(struct context *scontext,
95				      struct context *tcontext,
96				      u16 tclass,
97				      struct av_decision *avd);
98
99struct selinux_mapping {
100	u16 value; /* policy value */
101	unsigned num_perms;
102	u32 perms[sizeof(u32) * 8];
103};
104
105static struct selinux_mapping *current_mapping;
106static u16 current_mapping_size;
107
108static int selinux_set_mapping(struct policydb *pol,
109			       struct security_class_mapping *map,
110			       struct selinux_mapping **out_map_p,
111			       u16 *out_map_size)
112{
113	struct selinux_mapping *out_map = NULL;
114	size_t size = sizeof(struct selinux_mapping);
115	u16 i, j;
116	unsigned k;
117	bool print_unknown_handle = false;
118
119	/* Find number of classes in the input mapping */
120	if (!map)
121		return -EINVAL;
122	i = 0;
123	while (map[i].name)
124		i++;
125
126	/* Allocate space for the class records, plus one for class zero */
127	out_map = kcalloc(++i, size, GFP_ATOMIC);
128	if (!out_map)
129		return -ENOMEM;
130
131	/* Store the raw class and permission values */
132	j = 0;
133	while (map[j].name) {
134		struct security_class_mapping *p_in = map + (j++);
135		struct selinux_mapping *p_out = out_map + j;
136
137		/* An empty class string skips ahead */
138		if (!strcmp(p_in->name, "")) {
139			p_out->num_perms = 0;
140			continue;
141		}
142
143		p_out->value = string_to_security_class(pol, p_in->name);
144		if (!p_out->value) {
145			printk(KERN_INFO
146			       "SELinux:  Class %s not defined in policy.\n",
147			       p_in->name);
148			if (pol->reject_unknown)
149				goto err;
150			p_out->num_perms = 0;
151			print_unknown_handle = true;
152			continue;
153		}
154
155		k = 0;
156		while (p_in->perms && p_in->perms[k]) {
157			/* An empty permission string skips ahead */
158			if (!*p_in->perms[k]) {
159				k++;
160				continue;
161			}
162			p_out->perms[k] = string_to_av_perm(pol, p_out->value,
163							    p_in->perms[k]);
164			if (!p_out->perms[k]) {
165				printk(KERN_INFO
166				       "SELinux:  Permission %s in class %s not defined in policy.\n",
167				       p_in->perms[k], p_in->name);
168				if (pol->reject_unknown)
169					goto err;
170				print_unknown_handle = true;
171			}
172
173			k++;
174		}
175		p_out->num_perms = k;
176	}
177
178	if (print_unknown_handle)
179		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
180		       pol->allow_unknown ? "allowed" : "denied");
181
182	*out_map_p = out_map;
183	*out_map_size = i;
184	return 0;
185err:
186	kfree(out_map);
187	return -EINVAL;
188}
189
190/*
191 * Get real, policy values from mapped values
192 */
193
194static u16 unmap_class(u16 tclass)
195{
196	if (tclass < current_mapping_size)
197		return current_mapping[tclass].value;
198
199	return tclass;
200}
201
202static void map_decision(u16 tclass, struct av_decision *avd,
203			 int allow_unknown)
204{
205	if (tclass < current_mapping_size) {
206		unsigned i, n = current_mapping[tclass].num_perms;
207		u32 result;
208
209		for (i = 0, result = 0; i < n; i++) {
210			if (avd->allowed & current_mapping[tclass].perms[i])
211				result |= 1<<i;
212			if (allow_unknown && !current_mapping[tclass].perms[i])
213				result |= 1<<i;
214		}
215		avd->allowed = result;
216
217		for (i = 0, result = 0; i < n; i++)
218			if (avd->auditallow & current_mapping[tclass].perms[i])
219				result |= 1<<i;
220		avd->auditallow = result;
221
222		for (i = 0, result = 0; i < n; i++) {
223			if (avd->auditdeny & current_mapping[tclass].perms[i])
224				result |= 1<<i;
225			if (!allow_unknown && !current_mapping[tclass].perms[i])
226				result |= 1<<i;
227		}
228		/*
229		 * In case the kernel has a bug and requests a permission
230		 * between num_perms and the maximum permission number, we
231		 * should audit that denial
232		 */
233		for (; i < (sizeof(u32)*8); i++)
234			result |= 1<<i;
235		avd->auditdeny = result;
236	}
237}
238
239int security_mls_enabled(void)
240{
241	return policydb.mls_enabled;
242}
243
244/*
245 * Return the boolean value of a constraint expression
246 * when it is applied to the specified source and target
247 * security contexts.
248 *
249 * xcontext is a special beast...  It is used by the validatetrans rules
250 * only.  For these rules, scontext is the context before the transition,
251 * tcontext is the context after the transition, and xcontext is the context
252 * of the process performing the transition.  All other callers of
253 * constraint_expr_eval should pass in NULL for xcontext.
254 */
255static int constraint_expr_eval(struct context *scontext,
256				struct context *tcontext,
257				struct context *xcontext,
258				struct constraint_expr *cexpr)
259{
260	u32 val1, val2;
261	struct context *c;
262	struct role_datum *r1, *r2;
263	struct mls_level *l1, *l2;
264	struct constraint_expr *e;
265	int s[CEXPR_MAXDEPTH];
266	int sp = -1;
267
268	for (e = cexpr; e; e = e->next) {
269		switch (e->expr_type) {
270		case CEXPR_NOT:
271			BUG_ON(sp < 0);
272			s[sp] = !s[sp];
273			break;
274		case CEXPR_AND:
275			BUG_ON(sp < 1);
276			sp--;
277			s[sp] &= s[sp+1];
278			break;
279		case CEXPR_OR:
280			BUG_ON(sp < 1);
281			sp--;
282			s[sp] |= s[sp+1];
283			break;
284		case CEXPR_ATTR:
285			if (sp == (CEXPR_MAXDEPTH-1))
286				return 0;
287			switch (e->attr) {
288			case CEXPR_USER:
289				val1 = scontext->user;
290				val2 = tcontext->user;
291				break;
292			case CEXPR_TYPE:
293				val1 = scontext->type;
294				val2 = tcontext->type;
295				break;
296			case CEXPR_ROLE:
297				val1 = scontext->role;
298				val2 = tcontext->role;
299				r1 = policydb.role_val_to_struct[val1 - 1];
300				r2 = policydb.role_val_to_struct[val2 - 1];
301				switch (e->op) {
302				case CEXPR_DOM:
303					s[++sp] = ebitmap_get_bit(&r1->dominates,
304								  val2 - 1);
305					continue;
306				case CEXPR_DOMBY:
307					s[++sp] = ebitmap_get_bit(&r2->dominates,
308								  val1 - 1);
309					continue;
310				case CEXPR_INCOMP:
311					s[++sp] = (!ebitmap_get_bit(&r1->dominates,
312								    val2 - 1) &&
313						   !ebitmap_get_bit(&r2->dominates,
314								    val1 - 1));
315					continue;
316				default:
317					break;
318				}
319				break;
320			case CEXPR_L1L2:
321				l1 = &(scontext->range.level[0]);
322				l2 = &(tcontext->range.level[0]);
323				goto mls_ops;
324			case CEXPR_L1H2:
325				l1 = &(scontext->range.level[0]);
326				l2 = &(tcontext->range.level[1]);
327				goto mls_ops;
328			case CEXPR_H1L2:
329				l1 = &(scontext->range.level[1]);
330				l2 = &(tcontext->range.level[0]);
331				goto mls_ops;
332			case CEXPR_H1H2:
333				l1 = &(scontext->range.level[1]);
334				l2 = &(tcontext->range.level[1]);
335				goto mls_ops;
336			case CEXPR_L1H1:
337				l1 = &(scontext->range.level[0]);
338				l2 = &(scontext->range.level[1]);
339				goto mls_ops;
340			case CEXPR_L2H2:
341				l1 = &(tcontext->range.level[0]);
342				l2 = &(tcontext->range.level[1]);
343				goto mls_ops;
344mls_ops:
345			switch (e->op) {
346			case CEXPR_EQ:
347				s[++sp] = mls_level_eq(l1, l2);
348				continue;
349			case CEXPR_NEQ:
350				s[++sp] = !mls_level_eq(l1, l2);
351				continue;
352			case CEXPR_DOM:
353				s[++sp] = mls_level_dom(l1, l2);
354				continue;
355			case CEXPR_DOMBY:
356				s[++sp] = mls_level_dom(l2, l1);
357				continue;
358			case CEXPR_INCOMP:
359				s[++sp] = mls_level_incomp(l2, l1);
360				continue;
361			default:
362				BUG();
363				return 0;
364			}
365			break;
366			default:
367				BUG();
368				return 0;
369			}
370
371			switch (e->op) {
372			case CEXPR_EQ:
373				s[++sp] = (val1 == val2);
374				break;
375			case CEXPR_NEQ:
376				s[++sp] = (val1 != val2);
377				break;
378			default:
379				BUG();
380				return 0;
381			}
382			break;
383		case CEXPR_NAMES:
384			if (sp == (CEXPR_MAXDEPTH-1))
385				return 0;
386			c = scontext;
387			if (e->attr & CEXPR_TARGET)
388				c = tcontext;
389			else if (e->attr & CEXPR_XTARGET) {
390				c = xcontext;
391				if (!c) {
392					BUG();
393					return 0;
394				}
395			}
396			if (e->attr & CEXPR_USER)
397				val1 = c->user;
398			else if (e->attr & CEXPR_ROLE)
399				val1 = c->role;
400			else if (e->attr & CEXPR_TYPE)
401				val1 = c->type;
402			else {
403				BUG();
404				return 0;
405			}
406
407			switch (e->op) {
408			case CEXPR_EQ:
409				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
410				break;
411			case CEXPR_NEQ:
412				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
413				break;
414			default:
415				BUG();
416				return 0;
417			}
418			break;
419		default:
420			BUG();
421			return 0;
422		}
423	}
424
425	BUG_ON(sp != 0);
426	return s[0];
427}
428
429/*
430 * security_dump_masked_av - dumps masked permissions during
431 * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
432 */
433static int dump_masked_av_helper(void *k, void *d, void *args)
434{
435	struct perm_datum *pdatum = d;
436	char **permission_names = args;
437
438	BUG_ON(pdatum->value < 1 || pdatum->value > 32);
439
440	permission_names[pdatum->value - 1] = (char *)k;
441
442	return 0;
443}
444
445static void security_dump_masked_av(struct context *scontext,
446				    struct context *tcontext,
447				    u16 tclass,
448				    u32 permissions,
449				    const char *reason)
450{
451	struct common_datum *common_dat;
452	struct class_datum *tclass_dat;
453	struct audit_buffer *ab;
454	char *tclass_name;
455	char *scontext_name = NULL;
456	char *tcontext_name = NULL;
457	char *permission_names[32];
458	int index, length;
459	bool need_comma = false;
460
461	if (!permissions)
462		return;
463
464	tclass_name = policydb.p_class_val_to_name[tclass - 1];
465	tclass_dat = policydb.class_val_to_struct[tclass - 1];
466	common_dat = tclass_dat->comdatum;
467
468	/* init permission_names */
469	if (common_dat &&
470	    hashtab_map(common_dat->permissions.table,
471			dump_masked_av_helper, permission_names) < 0)
472		goto out;
473
474	if (hashtab_map(tclass_dat->permissions.table,
475			dump_masked_av_helper, permission_names) < 0)
476		goto out;
477
478	/* get scontext/tcontext in text form */
479	if (context_struct_to_string(scontext,
480				     &scontext_name, &length) < 0)
481		goto out;
482
483	if (context_struct_to_string(tcontext,
484				     &tcontext_name, &length) < 0)
485		goto out;
486
487	/* audit a message */
488	ab = audit_log_start(current->audit_context,
489			     GFP_ATOMIC, AUDIT_SELINUX_ERR);
490	if (!ab)
491		goto out;
492
493	audit_log_format(ab, "op=security_compute_av reason=%s "
494			 "scontext=%s tcontext=%s tclass=%s perms=",
495			 reason, scontext_name, tcontext_name, tclass_name);
496
497	for (index = 0; index < 32; index++) {
498		u32 mask = (1 << index);
499
500		if ((mask & permissions) == 0)
501			continue;
502
503		audit_log_format(ab, "%s%s",
504				 need_comma ? "," : "",
505				 permission_names[index]
506				 ? permission_names[index] : "????");
507		need_comma = true;
508	}
509	audit_log_end(ab);
510out:
511	/* release scontext/tcontext */
512	kfree(tcontext_name);
513	kfree(scontext_name);
514
515	return;
516}
517
518/*
519 * security_boundary_permission - drops violated permissions
520 * on boundary constraint.
521 */
522static void type_attribute_bounds_av(struct context *scontext,
523				     struct context *tcontext,
524				     u16 tclass,
525				     struct av_decision *avd)
526{
527	struct type_datum *source
528		= policydb.type_val_to_struct[scontext->type - 1];
529
530	if (source->bounds) {
531		struct context lo_scontext;
532		struct av_decision lo_avd;
533		u32 masked;
534
535		memset(&lo_avd, 0, sizeof(lo_avd));
536
537		memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
538		lo_scontext.type = source->bounds;
539
540		context_struct_compute_av(&lo_scontext,
541					  tcontext,
542					  tclass,
543					  &lo_avd);
544		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
545			return;		/* no masked permission */
546		masked = ~lo_avd.allowed & avd->allowed;
547
548		/* mask violated permissions */
549		avd->allowed &= ~masked;
550
551		/* audit masked permissions */
552		security_dump_masked_av(scontext, tcontext,
553					tclass, masked, "bounds");
554	}
555}
556
557/*
558 * Compute access vectors based on a context structure pair for
559 * the permissions in a particular class.
560 */
561static void context_struct_compute_av(struct context *scontext,
562				      struct context *tcontext,
563				      u16 tclass,
564				      struct av_decision *avd)
565{
566	struct constraint_node *constraint;
567	struct role_allow *ra;
568	struct avtab_key avkey;
569	struct avtab_node *node;
570	struct class_datum *tclass_datum;
571	struct ebitmap *sattr, *tattr;
572	struct ebitmap_node *snode, *tnode;
573	unsigned int i, j;
574
575	avd->allowed = 0;
576	avd->auditallow = 0;
577	avd->auditdeny = 0xffffffff;
578
579	if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
580		if (printk_ratelimit())
581			printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
582		return;
583	}
584
585	tclass_datum = policydb.class_val_to_struct[tclass - 1];
586
587	/*
588	 * If a specific type enforcement rule was defined for
589	 * this permission check, then use it.
590	 */
591	avkey.target_class = tclass;
592	avkey.specified = AVTAB_AV;
593	sattr = &policydb.type_attr_map[scontext->type - 1];
594	tattr = &policydb.type_attr_map[tcontext->type - 1];
595	ebitmap_for_each_positive_bit(sattr, snode, i) {
596		ebitmap_for_each_positive_bit(tattr, tnode, j) {
597			avkey.source_type = i + 1;
598			avkey.target_type = j + 1;
599			for (node = avtab_search_node(&policydb.te_avtab, &avkey);
600			     node;
601			     node = avtab_search_node_next(node, avkey.specified)) {
602				if (node->key.specified == AVTAB_ALLOWED)
603					avd->allowed |= node->datum.data;
604				else if (node->key.specified == AVTAB_AUDITALLOW)
605					avd->auditallow |= node->datum.data;
606				else if (node->key.specified == AVTAB_AUDITDENY)
607					avd->auditdeny &= node->datum.data;
608			}
609
610			/* Check conditional av table for additional permissions */
611			cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
612
613		}
614	}
615
616	/*
617	 * Remove any permissions prohibited by a constraint (this includes
618	 * the MLS policy).
619	 */
620	constraint = tclass_datum->constraints;
621	while (constraint) {
622		if ((constraint->permissions & (avd->allowed)) &&
623		    !constraint_expr_eval(scontext, tcontext, NULL,
624					  constraint->expr)) {
625			avd->allowed &= ~(constraint->permissions);
626		}
627		constraint = constraint->next;
628	}
629
630	/*
631	 * If checking process transition permission and the
632	 * role is changing, then check the (current_role, new_role)
633	 * pair.
634	 */
635	if (tclass == policydb.process_class &&
636	    (avd->allowed & policydb.process_trans_perms) &&
637	    scontext->role != tcontext->role) {
638		for (ra = policydb.role_allow; ra; ra = ra->next) {
639			if (scontext->role == ra->role &&
640			    tcontext->role == ra->new_role)
641				break;
642		}
643		if (!ra)
644			avd->allowed &= ~policydb.process_trans_perms;
645	}
646
647	/*
648	 * If the given source and target types have boundary
649	 * constraint, lazy checks have to mask any violated
650	 * permission and notice it to userspace via audit.
651	 */
652	type_attribute_bounds_av(scontext, tcontext,
653				 tclass, avd);
654}
655
656static int security_validtrans_handle_fail(struct context *ocontext,
657					   struct context *ncontext,
658					   struct context *tcontext,
659					   u16 tclass)
660{
661	char *o = NULL, *n = NULL, *t = NULL;
662	u32 olen, nlen, tlen;
663
664	if (context_struct_to_string(ocontext, &o, &olen) < 0)
665		goto out;
666	if (context_struct_to_string(ncontext, &n, &nlen) < 0)
667		goto out;
668	if (context_struct_to_string(tcontext, &t, &tlen) < 0)
669		goto out;
670	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
671		  "security_validate_transition:  denied for"
672		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
673		  o, n, t, policydb.p_class_val_to_name[tclass-1]);
674out:
675	kfree(o);
676	kfree(n);
677	kfree(t);
678
679	if (!selinux_enforcing)
680		return 0;
681	return -EPERM;
682}
683
684int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
685				 u16 orig_tclass)
686{
687	struct context *ocontext;
688	struct context *ncontext;
689	struct context *tcontext;
690	struct class_datum *tclass_datum;
691	struct constraint_node *constraint;
692	u16 tclass;
693	int rc = 0;
694
695	if (!ss_initialized)
696		return 0;
697
698	read_lock(&policy_rwlock);
699
700	tclass = unmap_class(orig_tclass);
701
702	if (!tclass || tclass > policydb.p_classes.nprim) {
703		printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
704			__func__, tclass);
705		rc = -EINVAL;
706		goto out;
707	}
708	tclass_datum = policydb.class_val_to_struct[tclass - 1];
709
710	ocontext = sidtab_search(&sidtab, oldsid);
711	if (!ocontext) {
712		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
713			__func__, oldsid);
714		rc = -EINVAL;
715		goto out;
716	}
717
718	ncontext = sidtab_search(&sidtab, newsid);
719	if (!ncontext) {
720		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
721			__func__, newsid);
722		rc = -EINVAL;
723		goto out;
724	}
725
726	tcontext = sidtab_search(&sidtab, tasksid);
727	if (!tcontext) {
728		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
729			__func__, tasksid);
730		rc = -EINVAL;
731		goto out;
732	}
733
734	constraint = tclass_datum->validatetrans;
735	while (constraint) {
736		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
737					  constraint->expr)) {
738			rc = security_validtrans_handle_fail(ocontext, ncontext,
739							     tcontext, tclass);
740			goto out;
741		}
742		constraint = constraint->next;
743	}
744
745out:
746	read_unlock(&policy_rwlock);
747	return rc;
748}
749
750/*
751 * security_bounded_transition - check whether the given
752 * transition is directed to bounded, or not.
753 * It returns 0, if @newsid is bounded by @oldsid.
754 * Otherwise, it returns error code.
755 *
756 * @oldsid : current security identifier
757 * @newsid : destinated security identifier
758 */
759int security_bounded_transition(u32 old_sid, u32 new_sid)
760{
761	struct context *old_context, *new_context;
762	struct type_datum *type;
763	int index;
764	int rc = -EINVAL;
765
766	read_lock(&policy_rwlock);
767
768	old_context = sidtab_search(&sidtab, old_sid);
769	if (!old_context) {
770		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
771		       __func__, old_sid);
772		goto out;
773	}
774
775	new_context = sidtab_search(&sidtab, new_sid);
776	if (!new_context) {
777		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
778		       __func__, new_sid);
779		goto out;
780	}
781
782	/* type/domain unchanged */
783	if (old_context->type == new_context->type) {
784		rc = 0;
785		goto out;
786	}
787
788	index = new_context->type;
789	while (true) {
790		type = policydb.type_val_to_struct[index - 1];
791		BUG_ON(!type);
792
793		/* not bounded anymore */
794		if (!type->bounds) {
795			rc = -EPERM;
796			break;
797		}
798
799		/* @newsid is bounded by @oldsid */
800		if (type->bounds == old_context->type) {
801			rc = 0;
802			break;
803		}
804		index = type->bounds;
805	}
806
807	if (rc) {
808		char *old_name = NULL;
809		char *new_name = NULL;
810		int length;
811
812		if (!context_struct_to_string(old_context,
813					      &old_name, &length) &&
814		    !context_struct_to_string(new_context,
815					      &new_name, &length)) {
816			audit_log(current->audit_context,
817				  GFP_ATOMIC, AUDIT_SELINUX_ERR,
818				  "op=security_bounded_transition "
819				  "result=denied "
820				  "oldcontext=%s newcontext=%s",
821				  old_name, new_name);
822		}
823		kfree(new_name);
824		kfree(old_name);
825	}
826out:
827	read_unlock(&policy_rwlock);
828
829	return rc;
830}
831
832static void avd_init(struct av_decision *avd)
833{
834	avd->allowed = 0;
835	avd->auditallow = 0;
836	avd->auditdeny = 0xffffffff;
837	avd->seqno = latest_granting;
838	avd->flags = 0;
839}
840
841
842/**
843 * security_compute_av - Compute access vector decisions.
844 * @ssid: source security identifier
845 * @tsid: target security identifier
846 * @tclass: target security class
847 * @avd: access vector decisions
848 *
849 * Compute a set of access vector decisions based on the
850 * SID pair (@ssid, @tsid) for the permissions in @tclass.
851 */
852void security_compute_av(u32 ssid,
853			 u32 tsid,
854			 u16 orig_tclass,
855			 struct av_decision *avd)
856{
857	u16 tclass;
858	struct context *scontext = NULL, *tcontext = NULL;
859
860	read_lock(&policy_rwlock);
861	avd_init(avd);
862	if (!ss_initialized)
863		goto allow;
864
865	scontext = sidtab_search(&sidtab, ssid);
866	if (!scontext) {
867		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
868		       __func__, ssid);
869		goto out;
870	}
871
872	/* permissive domain? */
873	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
874		avd->flags |= AVD_FLAGS_PERMISSIVE;
875
876	tcontext = sidtab_search(&sidtab, tsid);
877	if (!tcontext) {
878		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
879		       __func__, tsid);
880		goto out;
881	}
882
883	tclass = unmap_class(orig_tclass);
884	if (unlikely(orig_tclass && !tclass)) {
885		if (policydb.allow_unknown)
886			goto allow;
887		goto out;
888	}
889	context_struct_compute_av(scontext, tcontext, tclass, avd);
890	map_decision(orig_tclass, avd, policydb.allow_unknown);
891out:
892	read_unlock(&policy_rwlock);
893	return;
894allow:
895	avd->allowed = 0xffffffff;
896	goto out;
897}
898
899void security_compute_av_user(u32 ssid,
900			      u32 tsid,
901			      u16 tclass,
902			      struct av_decision *avd)
903{
904	struct context *scontext = NULL, *tcontext = NULL;
905
906	read_lock(&policy_rwlock);
907	avd_init(avd);
908	if (!ss_initialized)
909		goto allow;
910
911	scontext = sidtab_search(&sidtab, ssid);
912	if (!scontext) {
913		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
914		       __func__, ssid);
915		goto out;
916	}
917
918	/* permissive domain? */
919	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
920		avd->flags |= AVD_FLAGS_PERMISSIVE;
921
922	tcontext = sidtab_search(&sidtab, tsid);
923	if (!tcontext) {
924		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
925		       __func__, tsid);
926		goto out;
927	}
928
929	if (unlikely(!tclass)) {
930		if (policydb.allow_unknown)
931			goto allow;
932		goto out;
933	}
934
935	context_struct_compute_av(scontext, tcontext, tclass, avd);
936 out:
937	read_unlock(&policy_rwlock);
938	return;
939allow:
940	avd->allowed = 0xffffffff;
941	goto out;
942}
943
944/*
945 * Write the security context string representation of
946 * the context structure `context' into a dynamically
947 * allocated string of the correct size.  Set `*scontext'
948 * to point to this string and set `*scontext_len' to
949 * the length of the string.
950 */
951static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
952{
953	char *scontextp;
954
955	*scontext = NULL;
956	*scontext_len = 0;
957
958	if (context->len) {
959		*scontext_len = context->len;
960		*scontext = kstrdup(context->str, GFP_ATOMIC);
961		if (!(*scontext))
962			return -ENOMEM;
963		return 0;
964	}
965
966	/* Compute the size of the context. */
967	*scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
968	*scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
969	*scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
970	*scontext_len += mls_compute_context_len(context);
971
972	/* Allocate space for the context; caller must free this space. */
973	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
974	if (!scontextp)
975		return -ENOMEM;
976	*scontext = scontextp;
977
978	/*
979	 * Copy the user name, role name and type name into the context.
980	 */
981	sprintf(scontextp, "%s:%s:%s",
982		policydb.p_user_val_to_name[context->user - 1],
983		policydb.p_role_val_to_name[context->role - 1],
984		policydb.p_type_val_to_name[context->type - 1]);
985	scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
986		     1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
987		     1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
988
989	mls_sid_to_context(context, &scontextp);
990
991	*scontextp = 0;
992
993	return 0;
994}
995
996#include "initial_sid_to_string.h"
997
998const char *security_get_initial_sid_context(u32 sid)
999{
1000	if (unlikely(sid > SECINITSID_NUM))
1001		return NULL;
1002	return initial_sid_to_string[sid];
1003}
1004
1005static int security_sid_to_context_core(u32 sid, char **scontext,
1006					u32 *scontext_len, int force)
1007{
1008	struct context *context;
1009	int rc = 0;
1010
1011	*scontext = NULL;
1012	*scontext_len  = 0;
1013
1014	if (!ss_initialized) {
1015		if (sid <= SECINITSID_NUM) {
1016			char *scontextp;
1017
1018			*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1019			scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1020			if (!scontextp) {
1021				rc = -ENOMEM;
1022				goto out;
1023			}
1024			strcpy(scontextp, initial_sid_to_string[sid]);
1025			*scontext = scontextp;
1026			goto out;
1027		}
1028		printk(KERN_ERR "SELinux: %s:  called before initial "
1029		       "load_policy on unknown SID %d\n", __func__, sid);
1030		rc = -EINVAL;
1031		goto out;
1032	}
1033	read_lock(&policy_rwlock);
1034	if (force)
1035		context = sidtab_search_force(&sidtab, sid);
1036	else
1037		context = sidtab_search(&sidtab, sid);
1038	if (!context) {
1039		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1040			__func__, sid);
1041		rc = -EINVAL;
1042		goto out_unlock;
1043	}
1044	rc = context_struct_to_string(context, scontext, scontext_len);
1045out_unlock:
1046	read_unlock(&policy_rwlock);
1047out:
1048	return rc;
1049
1050}
1051
1052/**
1053 * security_sid_to_context - Obtain a context for a given SID.
1054 * @sid: security identifier, SID
1055 * @scontext: security context
1056 * @scontext_len: length in bytes
1057 *
1058 * Write the string representation of the context associated with @sid
1059 * into a dynamically allocated string of the correct size.  Set @scontext
1060 * to point to this string and set @scontext_len to the length of the string.
1061 */
1062int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1063{
1064	return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1065}
1066
1067int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1068{
1069	return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1070}
1071
1072/*
1073 * Caveat:  Mutates scontext.
1074 */
1075static int string_to_context_struct(struct policydb *pol,
1076				    struct sidtab *sidtabp,
1077				    char *scontext,
1078				    u32 scontext_len,
1079				    struct context *ctx,
1080				    u32 def_sid)
1081{
1082	struct role_datum *role;
1083	struct type_datum *typdatum;
1084	struct user_datum *usrdatum;
1085	char *scontextp, *p, oldc;
1086	int rc = 0;
1087
1088	context_init(ctx);
1089
1090	/* Parse the security context. */
1091
1092	rc = -EINVAL;
1093	scontextp = (char *) scontext;
1094
1095	/* Extract the user. */
1096	p = scontextp;
1097	while (*p && *p != ':')
1098		p++;
1099
1100	if (*p == 0)
1101		goto out;
1102
1103	*p++ = 0;
1104
1105	usrdatum = hashtab_search(pol->p_users.table, scontextp);
1106	if (!usrdatum)
1107		goto out;
1108
1109	ctx->user = usrdatum->value;
1110
1111	/* Extract role. */
1112	scontextp = p;
1113	while (*p && *p != ':')
1114		p++;
1115
1116	if (*p == 0)
1117		goto out;
1118
1119	*p++ = 0;
1120
1121	role = hashtab_search(pol->p_roles.table, scontextp);
1122	if (!role)
1123		goto out;
1124	ctx->role = role->value;
1125
1126	/* Extract type. */
1127	scontextp = p;
1128	while (*p && *p != ':')
1129		p++;
1130	oldc = *p;
1131	*p++ = 0;
1132
1133	typdatum = hashtab_search(pol->p_types.table, scontextp);
1134	if (!typdatum || typdatum->attribute)
1135		goto out;
1136
1137	ctx->type = typdatum->value;
1138
1139	rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1140	if (rc)
1141		goto out;
1142
1143	if ((p - scontext) < scontext_len) {
1144		rc = -EINVAL;
1145		goto out;
1146	}
1147
1148	/* Check the validity of the new context. */
1149	if (!policydb_context_isvalid(pol, ctx)) {
1150		rc = -EINVAL;
1151		goto out;
1152	}
1153	rc = 0;
1154out:
1155	if (rc)
1156		context_destroy(ctx);
1157	return rc;
1158}
1159
1160static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1161					u32 *sid, u32 def_sid, gfp_t gfp_flags,
1162					int force)
1163{
1164	char *scontext2, *str = NULL;
1165	struct context context;
1166	int rc = 0;
1167
1168	if (!ss_initialized) {
1169		int i;
1170
1171		for (i = 1; i < SECINITSID_NUM; i++) {
1172			if (!strcmp(initial_sid_to_string[i], scontext)) {
1173				*sid = i;
1174				return 0;
1175			}
1176		}
1177		*sid = SECINITSID_KERNEL;
1178		return 0;
1179	}
1180	*sid = SECSID_NULL;
1181
1182	/* Copy the string so that we can modify the copy as we parse it. */
1183	scontext2 = kmalloc(scontext_len+1, gfp_flags);
1184	if (!scontext2)
1185		return -ENOMEM;
1186	memcpy(scontext2, scontext, scontext_len);
1187	scontext2[scontext_len] = 0;
1188
1189	if (force) {
1190		/* Save another copy for storing in uninterpreted form */
1191		str = kstrdup(scontext2, gfp_flags);
1192		if (!str) {
1193			kfree(scontext2);
1194			return -ENOMEM;
1195		}
1196	}
1197
1198	read_lock(&policy_rwlock);
1199	rc = string_to_context_struct(&policydb, &sidtab,
1200				      scontext2, scontext_len,
1201				      &context, def_sid);
1202	if (rc == -EINVAL && force) {
1203		context.str = str;
1204		context.len = scontext_len;
1205		str = NULL;
1206	} else if (rc)
1207		goto out;
1208	rc = sidtab_context_to_sid(&sidtab, &context, sid);
1209	context_destroy(&context);
1210out:
1211	read_unlock(&policy_rwlock);
1212	kfree(scontext2);
1213	kfree(str);
1214	return rc;
1215}
1216
1217/**
1218 * security_context_to_sid - Obtain a SID for a given security context.
1219 * @scontext: security context
1220 * @scontext_len: length in bytes
1221 * @sid: security identifier, SID
1222 *
1223 * Obtains a SID associated with the security context that
1224 * has the string representation specified by @scontext.
1225 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1226 * memory is available, or 0 on success.
1227 */
1228int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
1229{
1230	return security_context_to_sid_core(scontext, scontext_len,
1231					    sid, SECSID_NULL, GFP_KERNEL, 0);
1232}
1233
1234/**
1235 * security_context_to_sid_default - Obtain a SID for a given security context,
1236 * falling back to specified default if needed.
1237 *
1238 * @scontext: security context
1239 * @scontext_len: length in bytes
1240 * @sid: security identifier, SID
1241 * @def_sid: default SID to assign on error
1242 *
1243 * Obtains a SID associated with the security context that
1244 * has the string representation specified by @scontext.
1245 * The default SID is passed to the MLS layer to be used to allow
1246 * kernel labeling of the MLS field if the MLS field is not present
1247 * (for upgrading to MLS without full relabel).
1248 * Implicitly forces adding of the context even if it cannot be mapped yet.
1249 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1250 * memory is available, or 0 on success.
1251 */
1252int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1253				    u32 *sid, u32 def_sid, gfp_t gfp_flags)
1254{
1255	return security_context_to_sid_core(scontext, scontext_len,
1256					    sid, def_sid, gfp_flags, 1);
1257}
1258
1259int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1260				  u32 *sid)
1261{
1262	return security_context_to_sid_core(scontext, scontext_len,
1263					    sid, SECSID_NULL, GFP_KERNEL, 1);
1264}
1265
1266static int compute_sid_handle_invalid_context(
1267	struct context *scontext,
1268	struct context *tcontext,
1269	u16 tclass,
1270	struct context *newcontext)
1271{
1272	char *s = NULL, *t = NULL, *n = NULL;
1273	u32 slen, tlen, nlen;
1274
1275	if (context_struct_to_string(scontext, &s, &slen) < 0)
1276		goto out;
1277	if (context_struct_to_string(tcontext, &t, &tlen) < 0)
1278		goto out;
1279	if (context_struct_to_string(newcontext, &n, &nlen) < 0)
1280		goto out;
1281	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1282		  "security_compute_sid:  invalid context %s"
1283		  " for scontext=%s"
1284		  " tcontext=%s"
1285		  " tclass=%s",
1286		  n, s, t, policydb.p_class_val_to_name[tclass-1]);
1287out:
1288	kfree(s);
1289	kfree(t);
1290	kfree(n);
1291	if (!selinux_enforcing)
1292		return 0;
1293	return -EACCES;
1294}
1295
1296static int security_compute_sid(u32 ssid,
1297				u32 tsid,
1298				u16 orig_tclass,
1299				u32 specified,
1300				u32 *out_sid,
1301				bool kern)
1302{
1303	struct context *scontext = NULL, *tcontext = NULL, newcontext;
1304	struct role_trans *roletr = NULL;
1305	struct avtab_key avkey;
1306	struct avtab_datum *avdatum;
1307	struct avtab_node *node;
1308	u16 tclass;
1309	int rc = 0;
1310
1311	if (!ss_initialized) {
1312		switch (orig_tclass) {
1313		case SECCLASS_PROCESS: /* kernel value */
1314			*out_sid = ssid;
1315			break;
1316		default:
1317			*out_sid = tsid;
1318			break;
1319		}
1320		goto out;
1321	}
1322
1323	context_init(&newcontext);
1324
1325	read_lock(&policy_rwlock);
1326
1327	if (kern)
1328		tclass = unmap_class(orig_tclass);
1329	else
1330		tclass = orig_tclass;
1331
1332	scontext = sidtab_search(&sidtab, ssid);
1333	if (!scontext) {
1334		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1335		       __func__, ssid);
1336		rc = -EINVAL;
1337		goto out_unlock;
1338	}
1339	tcontext = sidtab_search(&sidtab, tsid);
1340	if (!tcontext) {
1341		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1342		       __func__, tsid);
1343		rc = -EINVAL;
1344		goto out_unlock;
1345	}
1346
1347	/* Set the user identity. */
1348	switch (specified) {
1349	case AVTAB_TRANSITION:
1350	case AVTAB_CHANGE:
1351		/* Use the process user identity. */
1352		newcontext.user = scontext->user;
1353		break;
1354	case AVTAB_MEMBER:
1355		/* Use the related object owner. */
1356		newcontext.user = tcontext->user;
1357		break;
1358	}
1359
1360	/* Set the role and type to default values. */
1361	if (tclass == policydb.process_class) {
1362		/* Use the current role and type of process. */
1363		newcontext.role = scontext->role;
1364		newcontext.type = scontext->type;
1365	} else {
1366		/* Use the well-defined object role. */
1367		newcontext.role = OBJECT_R_VAL;
1368		/* Use the type of the related object. */
1369		newcontext.type = tcontext->type;
1370	}
1371
1372	/* Look for a type transition/member/change rule. */
1373	avkey.source_type = scontext->type;
1374	avkey.target_type = tcontext->type;
1375	avkey.target_class = tclass;
1376	avkey.specified = specified;
1377	avdatum = avtab_search(&policydb.te_avtab, &avkey);
1378
1379	/* If no permanent rule, also check for enabled conditional rules */
1380	if (!avdatum) {
1381		node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1382		for (; node; node = avtab_search_node_next(node, specified)) {
1383			if (node->key.specified & AVTAB_ENABLED) {
1384				avdatum = &node->datum;
1385				break;
1386			}
1387		}
1388	}
1389
1390	if (avdatum) {
1391		/* Use the type from the type transition/member/change rule. */
1392		newcontext.type = avdatum->data;
1393	}
1394
1395	/* Check for class-specific changes. */
1396	if  (tclass == policydb.process_class) {
1397		if (specified & AVTAB_TRANSITION) {
1398			/* Look for a role transition rule. */
1399			for (roletr = policydb.role_tr; roletr;
1400			     roletr = roletr->next) {
1401				if (roletr->role == scontext->role &&
1402				    roletr->type == tcontext->type) {
1403					/* Use the role transition rule. */
1404					newcontext.role = roletr->new_role;
1405					break;
1406				}
1407			}
1408		}
1409	}
1410
1411	/* Set the MLS attributes.
1412	   This is done last because it may allocate memory. */
1413	rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
1414	if (rc)
1415		goto out_unlock;
1416
1417	/* Check the validity of the context. */
1418	if (!policydb_context_isvalid(&policydb, &newcontext)) {
1419		rc = compute_sid_handle_invalid_context(scontext,
1420							tcontext,
1421							tclass,
1422							&newcontext);
1423		if (rc)
1424			goto out_unlock;
1425	}
1426	/* Obtain the sid for the context. */
1427	rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1428out_unlock:
1429	read_unlock(&policy_rwlock);
1430	context_destroy(&newcontext);
1431out:
1432	return rc;
1433}
1434
1435/**
1436 * security_transition_sid - Compute the SID for a new subject/object.
1437 * @ssid: source security identifier
1438 * @tsid: target security identifier
1439 * @tclass: target security class
1440 * @out_sid: security identifier for new subject/object
1441 *
1442 * Compute a SID to use for labeling a new subject or object in the
1443 * class @tclass based on a SID pair (@ssid, @tsid).
1444 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1445 * if insufficient memory is available, or %0 if the new SID was
1446 * computed successfully.
1447 */
1448int security_transition_sid(u32 ssid,
1449			    u32 tsid,
1450			    u16 tclass,
1451			    u32 *out_sid)
1452{
1453	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1454				    out_sid, true);
1455}
1456
1457int security_transition_sid_user(u32 ssid,
1458				 u32 tsid,
1459				 u16 tclass,
1460				 u32 *out_sid)
1461{
1462	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1463				    out_sid, false);
1464}
1465
1466/**
1467 * security_member_sid - Compute the SID for member selection.
1468 * @ssid: source security identifier
1469 * @tsid: target security identifier
1470 * @tclass: target security class
1471 * @out_sid: security identifier for selected member
1472 *
1473 * Compute a SID to use when selecting a member of a polyinstantiated
1474 * object of class @tclass based on a SID pair (@ssid, @tsid).
1475 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1476 * if insufficient memory is available, or %0 if the SID was
1477 * computed successfully.
1478 */
1479int security_member_sid(u32 ssid,
1480			u32 tsid,
1481			u16 tclass,
1482			u32 *out_sid)
1483{
1484	return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1485				    false);
1486}
1487
1488/**
1489 * security_change_sid - Compute the SID for object relabeling.
1490 * @ssid: source security identifier
1491 * @tsid: target security identifier
1492 * @tclass: target security class
1493 * @out_sid: security identifier for selected member
1494 *
1495 * Compute a SID to use for relabeling an object of class @tclass
1496 * based on a SID pair (@ssid, @tsid).
1497 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1498 * if insufficient memory is available, or %0 if the SID was
1499 * computed successfully.
1500 */
1501int security_change_sid(u32 ssid,
1502			u32 tsid,
1503			u16 tclass,
1504			u32 *out_sid)
1505{
1506	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1507				    false);
1508}
1509
1510/* Clone the SID into the new SID table. */
1511static int clone_sid(u32 sid,
1512		     struct context *context,
1513		     void *arg)
1514{
1515	struct sidtab *s = arg;
1516
1517	if (sid > SECINITSID_NUM)
1518		return sidtab_insert(s, sid, context);
1519	else
1520		return 0;
1521}
1522
1523static inline int convert_context_handle_invalid_context(struct context *context)
1524{
1525	int rc = 0;
1526
1527	if (selinux_enforcing) {
1528		rc = -EINVAL;
1529	} else {
1530		char *s;
1531		u32 len;
1532
1533		if (!context_struct_to_string(context, &s, &len)) {
1534			printk(KERN_WARNING
1535		       "SELinux:  Context %s would be invalid if enforcing\n",
1536			       s);
1537			kfree(s);
1538		}
1539	}
1540	return rc;
1541}
1542
1543struct convert_context_args {
1544	struct policydb *oldp;
1545	struct policydb *newp;
1546};
1547
1548/*
1549 * Convert the values in the security context
1550 * structure `c' from the values specified
1551 * in the policy `p->oldp' to the values specified
1552 * in the policy `p->newp'.  Verify that the
1553 * context is valid under the new policy.
1554 */
1555static int convert_context(u32 key,
1556			   struct context *c,
1557			   void *p)
1558{
1559	struct convert_context_args *args;
1560	struct context oldc;
1561	struct ocontext *oc;
1562	struct mls_range *range;
1563	struct role_datum *role;
1564	struct type_datum *typdatum;
1565	struct user_datum *usrdatum;
1566	char *s;
1567	u32 len;
1568	int rc = 0;
1569
1570	if (key <= SECINITSID_NUM)
1571		goto out;
1572
1573	args = p;
1574
1575	if (c->str) {
1576		struct context ctx;
1577		s = kstrdup(c->str, GFP_KERNEL);
1578		if (!s) {
1579			rc = -ENOMEM;
1580			goto out;
1581		}
1582		rc = string_to_context_struct(args->newp, NULL, s,
1583					      c->len, &ctx, SECSID_NULL);
1584		kfree(s);
1585		if (!rc) {
1586			printk(KERN_INFO
1587		       "SELinux:  Context %s became valid (mapped).\n",
1588			       c->str);
1589			/* Replace string with mapped representation. */
1590			kfree(c->str);
1591			memcpy(c, &ctx, sizeof(*c));
1592			goto out;
1593		} else if (rc == -EINVAL) {
1594			/* Retain string representation for later mapping. */
1595			rc = 0;
1596			goto out;
1597		} else {
1598			/* Other error condition, e.g. ENOMEM. */
1599			printk(KERN_ERR
1600		       "SELinux:   Unable to map context %s, rc = %d.\n",
1601			       c->str, -rc);
1602			goto out;
1603		}
1604	}
1605
1606	rc = context_cpy(&oldc, c);
1607	if (rc)
1608		goto out;
1609
1610	rc = -EINVAL;
1611
1612	/* Convert the user. */
1613	usrdatum = hashtab_search(args->newp->p_users.table,
1614				  args->oldp->p_user_val_to_name[c->user - 1]);
1615	if (!usrdatum)
1616		goto bad;
1617	c->user = usrdatum->value;
1618
1619	/* Convert the role. */
1620	role = hashtab_search(args->newp->p_roles.table,
1621			      args->oldp->p_role_val_to_name[c->role - 1]);
1622	if (!role)
1623		goto bad;
1624	c->role = role->value;
1625
1626	/* Convert the type. */
1627	typdatum = hashtab_search(args->newp->p_types.table,
1628				  args->oldp->p_type_val_to_name[c->type - 1]);
1629	if (!typdatum)
1630		goto bad;
1631	c->type = typdatum->value;
1632
1633	/* Convert the MLS fields if dealing with MLS policies */
1634	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1635		rc = mls_convert_context(args->oldp, args->newp, c);
1636		if (rc)
1637			goto bad;
1638	} else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1639		/*
1640		 * Switching between MLS and non-MLS policy:
1641		 * free any storage used by the MLS fields in the
1642		 * context for all existing entries in the sidtab.
1643		 */
1644		mls_context_destroy(c);
1645	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1646		/*
1647		 * Switching between non-MLS and MLS policy:
1648		 * ensure that the MLS fields of the context for all
1649		 * existing entries in the sidtab are filled in with a
1650		 * suitable default value, likely taken from one of the
1651		 * initial SIDs.
1652		 */
1653		oc = args->newp->ocontexts[OCON_ISID];
1654		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1655			oc = oc->next;
1656		if (!oc) {
1657			printk(KERN_ERR "SELinux:  unable to look up"
1658				" the initial SIDs list\n");
1659			goto bad;
1660		}
1661		range = &oc->context[0].range;
1662		rc = mls_range_set(c, range);
1663		if (rc)
1664			goto bad;
1665	}
1666
1667	/* Check the validity of the new context. */
1668	if (!policydb_context_isvalid(args->newp, c)) {
1669		rc = convert_context_handle_invalid_context(&oldc);
1670		if (rc)
1671			goto bad;
1672	}
1673
1674	context_destroy(&oldc);
1675	rc = 0;
1676out:
1677	return rc;
1678bad:
1679	/* Map old representation to string and save it. */
1680	if (context_struct_to_string(&oldc, &s, &len))
1681		return -ENOMEM;
1682	context_destroy(&oldc);
1683	context_destroy(c);
1684	c->str = s;
1685	c->len = len;
1686	printk(KERN_INFO
1687	       "SELinux:  Context %s became invalid (unmapped).\n",
1688	       c->str);
1689	rc = 0;
1690	goto out;
1691}
1692
1693static void security_load_policycaps(void)
1694{
1695	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
1696						  POLICYDB_CAPABILITY_NETPEER);
1697	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1698						  POLICYDB_CAPABILITY_OPENPERM);
1699}
1700
1701extern void selinux_complete_init(void);
1702static int security_preserve_bools(struct policydb *p);
1703
1704/**
1705 * security_load_policy - Load a security policy configuration.
1706 * @data: binary policy data
1707 * @len: length of data in bytes
1708 *
1709 * Load a new set of security policy configuration data,
1710 * validate it and convert the SID table as necessary.
1711 * This function will flush the access vector cache after
1712 * loading the new policy.
1713 */
1714int security_load_policy(void *data, size_t len)
1715{
1716	struct policydb oldpolicydb, newpolicydb;
1717	struct sidtab oldsidtab, newsidtab;
1718	struct selinux_mapping *oldmap, *map = NULL;
1719	struct convert_context_args args;
1720	u32 seqno;
1721	u16 map_size;
1722	int rc = 0;
1723	struct policy_file file = { data, len }, *fp = &file;
1724
1725	if (!ss_initialized) {
1726		avtab_cache_init();
1727		if (policydb_read(&policydb, fp)) {
1728			avtab_cache_destroy();
1729			return -EINVAL;
1730		}
1731		if (selinux_set_mapping(&policydb, secclass_map,
1732					&current_mapping,
1733					&current_mapping_size)) {
1734			policydb_destroy(&policydb);
1735			avtab_cache_destroy();
1736			return -EINVAL;
1737		}
1738		if (policydb_load_isids(&policydb, &sidtab)) {
1739			policydb_destroy(&policydb);
1740			avtab_cache_destroy();
1741			return -EINVAL;
1742		}
1743		security_load_policycaps();
1744		ss_initialized = 1;
1745		seqno = ++latest_granting;
1746		selinux_complete_init();
1747		avc_ss_reset(seqno);
1748		selnl_notify_policyload(seqno);
1749		selinux_netlbl_cache_invalidate();
1750		selinux_xfrm_notify_policyload();
1751		return 0;
1752	}
1753
1754#if 0
1755	sidtab_hash_eval(&sidtab, "sids");
1756#endif
1757
1758	if (policydb_read(&newpolicydb, fp))
1759		return -EINVAL;
1760
1761	/* If switching between different policy types, log MLS status */
1762	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1763		printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1764	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
1765		printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1766
1767	rc = policydb_load_isids(&newpolicydb, &newsidtab);
1768	if (rc) {
1769		printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
1770		policydb_destroy(&newpolicydb);
1771		return rc;
1772	}
1773
1774	if (selinux_set_mapping(&newpolicydb, secclass_map,
1775				&map, &map_size))
1776		goto err;
1777
1778	rc = security_preserve_bools(&newpolicydb);
1779	if (rc) {
1780		printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
1781		goto err;
1782	}
1783
1784	/* Clone the SID table. */
1785	sidtab_shutdown(&sidtab);
1786	if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1787		rc = -ENOMEM;
1788		goto err;
1789	}
1790
1791	/*
1792	 * Convert the internal representations of contexts
1793	 * in the new SID table.
1794	 */
1795	args.oldp = &policydb;
1796	args.newp = &newpolicydb;
1797	rc = sidtab_map(&newsidtab, convert_context, &args);
1798	if (rc) {
1799		printk(KERN_ERR "SELinux:  unable to convert the internal"
1800			" representation of contexts in the new SID"
1801			" table\n");
1802		goto err;
1803	}
1804
1805	/* Save the old policydb and SID table to free later. */
1806	memcpy(&oldpolicydb, &policydb, sizeof policydb);
1807	sidtab_set(&oldsidtab, &sidtab);
1808
1809	/* Install the new policydb and SID table. */
1810	write_lock_irq(&policy_rwlock);
1811	memcpy(&policydb, &newpolicydb, sizeof policydb);
1812	sidtab_set(&sidtab, &newsidtab);
1813	security_load_policycaps();
1814	oldmap = current_mapping;
1815	current_mapping = map;
1816	current_mapping_size = map_size;
1817	seqno = ++latest_granting;
1818	write_unlock_irq(&policy_rwlock);
1819
1820	/* Free the old policydb and SID table. */
1821	policydb_destroy(&oldpolicydb);
1822	sidtab_destroy(&oldsidtab);
1823	kfree(oldmap);
1824
1825	avc_ss_reset(seqno);
1826	selnl_notify_policyload(seqno);
1827	selinux_netlbl_cache_invalidate();
1828	selinux_xfrm_notify_policyload();
1829
1830	return 0;
1831
1832err:
1833	kfree(map);
1834	sidtab_destroy(&newsidtab);
1835	policydb_destroy(&newpolicydb);
1836	return rc;
1837
1838}
1839
1840/**
1841 * security_port_sid - Obtain the SID for a port.
1842 * @protocol: protocol number
1843 * @port: port number
1844 * @out_sid: security identifier
1845 */
1846int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
1847{
1848	struct ocontext *c;
1849	int rc = 0;
1850
1851	read_lock(&policy_rwlock);
1852
1853	c = policydb.ocontexts[OCON_PORT];
1854	while (c) {
1855		if (c->u.port.protocol == protocol &&
1856		    c->u.port.low_port <= port &&
1857		    c->u.port.high_port >= port)
1858			break;
1859		c = c->next;
1860	}
1861
1862	if (c) {
1863		if (!c->sid[0]) {
1864			rc = sidtab_context_to_sid(&sidtab,
1865						   &c->context[0],
1866						   &c->sid[0]);
1867			if (rc)
1868				goto out;
1869		}
1870		*out_sid = c->sid[0];
1871	} else {
1872		*out_sid = SECINITSID_PORT;
1873	}
1874
1875out:
1876	read_unlock(&policy_rwlock);
1877	return rc;
1878}
1879
1880/**
1881 * security_netif_sid - Obtain the SID for a network interface.
1882 * @name: interface name
1883 * @if_sid: interface SID
1884 */
1885int security_netif_sid(char *name, u32 *if_sid)
1886{
1887	int rc = 0;
1888	struct ocontext *c;
1889
1890	read_lock(&policy_rwlock);
1891
1892	c = policydb.ocontexts[OCON_NETIF];
1893	while (c) {
1894		if (strcmp(name, c->u.name) == 0)
1895			break;
1896		c = c->next;
1897	}
1898
1899	if (c) {
1900		if (!c->sid[0] || !c->sid[1]) {
1901			rc = sidtab_context_to_sid(&sidtab,
1902						  &c->context[0],
1903						  &c->sid[0]);
1904			if (rc)
1905				goto out;
1906			rc = sidtab_context_to_sid(&sidtab,
1907						   &c->context[1],
1908						   &c->sid[1]);
1909			if (rc)
1910				goto out;
1911		}
1912		*if_sid = c->sid[0];
1913	} else
1914		*if_sid = SECINITSID_NETIF;
1915
1916out:
1917	read_unlock(&policy_rwlock);
1918	return rc;
1919}
1920
1921static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1922{
1923	int i, fail = 0;
1924
1925	for (i = 0; i < 4; i++)
1926		if (addr[i] != (input[i] & mask[i])) {
1927			fail = 1;
1928			break;
1929		}
1930
1931	return !fail;
1932}
1933
1934/**
1935 * security_node_sid - Obtain the SID for a node (host).
1936 * @domain: communication domain aka address family
1937 * @addrp: address
1938 * @addrlen: address length in bytes
1939 * @out_sid: security identifier
1940 */
1941int security_node_sid(u16 domain,
1942		      void *addrp,
1943		      u32 addrlen,
1944		      u32 *out_sid)
1945{
1946	int rc = 0;
1947	struct ocontext *c;
1948
1949	read_lock(&policy_rwlock);
1950
1951	switch (domain) {
1952	case AF_INET: {
1953		u32 addr;
1954
1955		if (addrlen != sizeof(u32)) {
1956			rc = -EINVAL;
1957			goto out;
1958		}
1959
1960		addr = *((u32 *)addrp);
1961
1962		c = policydb.ocontexts[OCON_NODE];
1963		while (c) {
1964			if (c->u.node.addr == (addr & c->u.node.mask))
1965				break;
1966			c = c->next;
1967		}
1968		break;
1969	}
1970
1971	case AF_INET6:
1972		if (addrlen != sizeof(u64) * 2) {
1973			rc = -EINVAL;
1974			goto out;
1975		}
1976		c = policydb.ocontexts[OCON_NODE6];
1977		while (c) {
1978			if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1979						c->u.node6.mask))
1980				break;
1981			c = c->next;
1982		}
1983		break;
1984
1985	default:
1986		*out_sid = SECINITSID_NODE;
1987		goto out;
1988	}
1989
1990	if (c) {
1991		if (!c->sid[0]) {
1992			rc = sidtab_context_to_sid(&sidtab,
1993						   &c->context[0],
1994						   &c->sid[0]);
1995			if (rc)
1996				goto out;
1997		}
1998		*out_sid = c->sid[0];
1999	} else {
2000		*out_sid = SECINITSID_NODE;
2001	}
2002
2003out:
2004	read_unlock(&policy_rwlock);
2005	return rc;
2006}
2007
2008#define SIDS_NEL 25
2009
2010/**
2011 * security_get_user_sids - Obtain reachable SIDs for a user.
2012 * @fromsid: starting SID
2013 * @username: username
2014 * @sids: array of reachable SIDs for user
2015 * @nel: number of elements in @sids
2016 *
2017 * Generate the set of SIDs for legal security contexts
2018 * for a given user that can be reached by @fromsid.
2019 * Set *@sids to point to a dynamically allocated
2020 * array containing the set of SIDs.  Set *@nel to the
2021 * number of elements in the array.
2022 */
2023
2024int security_get_user_sids(u32 fromsid,
2025			   char *username,
2026			   u32 **sids,
2027			   u32 *nel)
2028{
2029	struct context *fromcon, usercon;
2030	u32 *mysids = NULL, *mysids2, sid;
2031	u32 mynel = 0, maxnel = SIDS_NEL;
2032	struct user_datum *user;
2033	struct role_datum *role;
2034	struct ebitmap_node *rnode, *tnode;
2035	int rc = 0, i, j;
2036
2037	*sids = NULL;
2038	*nel = 0;
2039
2040	if (!ss_initialized)
2041		goto out;
2042
2043	read_lock(&policy_rwlock);
2044
2045	context_init(&usercon);
2046
2047	fromcon = sidtab_search(&sidtab, fromsid);
2048	if (!fromcon) {
2049		rc = -EINVAL;
2050		goto out_unlock;
2051	}
2052
2053	user = hashtab_search(policydb.p_users.table, username);
2054	if (!user) {
2055		rc = -EINVAL;
2056		goto out_unlock;
2057	}
2058	usercon.user = user->value;
2059
2060	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2061	if (!mysids) {
2062		rc = -ENOMEM;
2063		goto out_unlock;
2064	}
2065
2066	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2067		role = policydb.role_val_to_struct[i];
2068		usercon.role = i+1;
2069		ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2070			usercon.type = j+1;
2071
2072			if (mls_setup_user_range(fromcon, user, &usercon))
2073				continue;
2074
2075			rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2076			if (rc)
2077				goto out_unlock;
2078			if (mynel < maxnel) {
2079				mysids[mynel++] = sid;
2080			} else {
2081				maxnel += SIDS_NEL;
2082				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2083				if (!mysids2) {
2084					rc = -ENOMEM;
2085					goto out_unlock;
2086				}
2087				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2088				kfree(mysids);
2089				mysids = mysids2;
2090				mysids[mynel++] = sid;
2091			}
2092		}
2093	}
2094
2095out_unlock:
2096	read_unlock(&policy_rwlock);
2097	if (rc || !mynel) {
2098		kfree(mysids);
2099		goto out;
2100	}
2101
2102	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2103	if (!mysids2) {
2104		rc = -ENOMEM;
2105		kfree(mysids);
2106		goto out;
2107	}
2108	for (i = 0, j = 0; i < mynel; i++) {
2109		rc = avc_has_perm_noaudit(fromsid, mysids[i],
2110					  SECCLASS_PROCESS, /* kernel value */
2111					  PROCESS__TRANSITION, AVC_STRICT,
2112					  NULL);
2113		if (!rc)
2114			mysids2[j++] = mysids[i];
2115		cond_resched();
2116	}
2117	rc = 0;
2118	kfree(mysids);
2119	*sids = mysids2;
2120	*nel = j;
2121out:
2122	return rc;
2123}
2124
2125/**
2126 * security_genfs_sid - Obtain a SID for a file in a filesystem
2127 * @fstype: filesystem type
2128 * @path: path from root of mount
2129 * @sclass: file security class
2130 * @sid: SID for path
2131 *
2132 * Obtain a SID to use for a file in a filesystem that
2133 * cannot support xattr or use a fixed labeling behavior like
2134 * transition SIDs or task SIDs.
2135 */
2136int security_genfs_sid(const char *fstype,
2137		       char *path,
2138		       u16 orig_sclass,
2139		       u32 *sid)
2140{
2141	int len;
2142	u16 sclass;
2143	struct genfs *genfs;
2144	struct ocontext *c;
2145	int rc = 0, cmp = 0;
2146
2147	while (path[0] == '/' && path[1] == '/')
2148		path++;
2149
2150	read_lock(&policy_rwlock);
2151
2152	sclass = unmap_class(orig_sclass);
2153
2154	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2155		cmp = strcmp(fstype, genfs->fstype);
2156		if (cmp <= 0)
2157			break;
2158	}
2159
2160	if (!genfs || cmp) {
2161		*sid = SECINITSID_UNLABELED;
2162		rc = -ENOENT;
2163		goto out;
2164	}
2165
2166	for (c = genfs->head; c; c = c->next) {
2167		len = strlen(c->u.name);
2168		if ((!c->v.sclass || sclass == c->v.sclass) &&
2169		    (strncmp(c->u.name, path, len) == 0))
2170			break;
2171	}
2172
2173	if (!c) {
2174		*sid = SECINITSID_UNLABELED;
2175		rc = -ENOENT;
2176		goto out;
2177	}
2178
2179	if (!c->sid[0]) {
2180		rc = sidtab_context_to_sid(&sidtab,
2181					   &c->context[0],
2182					   &c->sid[0]);
2183		if (rc)
2184			goto out;
2185	}
2186
2187	*sid = c->sid[0];
2188out:
2189	read_unlock(&policy_rwlock);
2190	return rc;
2191}
2192
2193/**
2194 * security_fs_use - Determine how to handle labeling for a filesystem.
2195 * @fstype: filesystem type
2196 * @behavior: labeling behavior
2197 * @sid: SID for filesystem (superblock)
2198 */
2199int security_fs_use(
2200	const char *fstype,
2201	unsigned int *behavior,
2202	u32 *sid)
2203{
2204	int rc = 0;
2205	struct ocontext *c;
2206
2207	read_lock(&policy_rwlock);
2208
2209	c = policydb.ocontexts[OCON_FSUSE];
2210	while (c) {
2211		if (strcmp(fstype, c->u.name) == 0)
2212			break;
2213		c = c->next;
2214	}
2215
2216	if (c) {
2217		*behavior = c->v.behavior;
2218		if (!c->sid[0]) {
2219			rc = sidtab_context_to_sid(&sidtab,
2220						   &c->context[0],
2221						   &c->sid[0]);
2222			if (rc)
2223				goto out;
2224		}
2225		*sid = c->sid[0];
2226	} else {
2227		rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2228		if (rc) {
2229			*behavior = SECURITY_FS_USE_NONE;
2230			rc = 0;
2231		} else {
2232			*behavior = SECURITY_FS_USE_GENFS;
2233		}
2234	}
2235
2236out:
2237	read_unlock(&policy_rwlock);
2238	return rc;
2239}
2240
2241int security_get_bools(int *len, char ***names, int **values)
2242{
2243	int i, rc = -ENOMEM;
2244
2245	read_lock(&policy_rwlock);
2246	*names = NULL;
2247	*values = NULL;
2248
2249	*len = policydb.p_bools.nprim;
2250	if (!*len) {
2251		rc = 0;
2252		goto out;
2253	}
2254
2255       *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2256	if (!*names)
2257		goto err;
2258
2259       *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2260	if (!*values)
2261		goto err;
2262
2263	for (i = 0; i < *len; i++) {
2264		size_t name_len;
2265		(*values)[i] = policydb.bool_val_to_struct[i]->state;
2266		name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
2267	       (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2268		if (!(*names)[i])
2269			goto err;
2270		strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
2271		(*names)[i][name_len - 1] = 0;
2272	}
2273	rc = 0;
2274out:
2275	read_unlock(&policy_rwlock);
2276	return rc;
2277err:
2278	if (*names) {
2279		for (i = 0; i < *len; i++)
2280			kfree((*names)[i]);
2281	}
2282	kfree(*values);
2283	goto out;
2284}
2285
2286
2287int security_set_bools(int len, int *values)
2288{
2289	int i, rc = 0;
2290	int lenp, seqno = 0;
2291	struct cond_node *cur;
2292
2293	write_lock_irq(&policy_rwlock);
2294
2295	lenp = policydb.p_bools.nprim;
2296	if (len != lenp) {
2297		rc = -EFAULT;
2298		goto out;
2299	}
2300
2301	for (i = 0; i < len; i++) {
2302		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2303			audit_log(current->audit_context, GFP_ATOMIC,
2304				AUDIT_MAC_CONFIG_CHANGE,
2305				"bool=%s val=%d old_val=%d auid=%u ses=%u",
2306				policydb.p_bool_val_to_name[i],
2307				!!values[i],
2308				policydb.bool_val_to_struct[i]->state,
2309				audit_get_loginuid(current),
2310				audit_get_sessionid(current));
2311		}
2312		if (values[i])
2313			policydb.bool_val_to_struct[i]->state = 1;
2314		else
2315			policydb.bool_val_to_struct[i]->state = 0;
2316	}
2317
2318	for (cur = policydb.cond_list; cur; cur = cur->next) {
2319		rc = evaluate_cond_node(&policydb, cur);
2320		if (rc)
2321			goto out;
2322	}
2323
2324	seqno = ++latest_granting;
2325
2326out:
2327	write_unlock_irq(&policy_rwlock);
2328	if (!rc) {
2329		avc_ss_reset(seqno);
2330		selnl_notify_policyload(seqno);
2331		selinux_xfrm_notify_policyload();
2332	}
2333	return rc;
2334}
2335
2336int security_get_bool_value(int bool)
2337{
2338	int rc = 0;
2339	int len;
2340
2341	read_lock(&policy_rwlock);
2342
2343	len = policydb.p_bools.nprim;
2344	if (bool >= len) {
2345		rc = -EFAULT;
2346		goto out;
2347	}
2348
2349	rc = policydb.bool_val_to_struct[bool]->state;
2350out:
2351	read_unlock(&policy_rwlock);
2352	return rc;
2353}
2354
2355static int security_preserve_bools(struct policydb *p)
2356{
2357	int rc, nbools = 0, *bvalues = NULL, i;
2358	char **bnames = NULL;
2359	struct cond_bool_datum *booldatum;
2360	struct cond_node *cur;
2361
2362	rc = security_get_bools(&nbools, &bnames, &bvalues);
2363	if (rc)
2364		goto out;
2365	for (i = 0; i < nbools; i++) {
2366		booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2367		if (booldatum)
2368			booldatum->state = bvalues[i];
2369	}
2370	for (cur = p->cond_list; cur; cur = cur->next) {
2371		rc = evaluate_cond_node(p, cur);
2372		if (rc)
2373			goto out;
2374	}
2375
2376out:
2377	if (bnames) {
2378		for (i = 0; i < nbools; i++)
2379			kfree(bnames[i]);
2380	}
2381	kfree(bnames);
2382	kfree(bvalues);
2383	return rc;
2384}
2385
2386/*
2387 * security_sid_mls_copy() - computes a new sid based on the given
2388 * sid and the mls portion of mls_sid.
2389 */
2390int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2391{
2392	struct context *context1;
2393	struct context *context2;
2394	struct context newcon;
2395	char *s;
2396	u32 len;
2397	int rc = 0;
2398
2399	if (!ss_initialized || !policydb.mls_enabled) {
2400		*new_sid = sid;
2401		goto out;
2402	}
2403
2404	context_init(&newcon);
2405
2406	read_lock(&policy_rwlock);
2407	context1 = sidtab_search(&sidtab, sid);
2408	if (!context1) {
2409		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2410			__func__, sid);
2411		rc = -EINVAL;
2412		goto out_unlock;
2413	}
2414
2415	context2 = sidtab_search(&sidtab, mls_sid);
2416	if (!context2) {
2417		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2418			__func__, mls_sid);
2419		rc = -EINVAL;
2420		goto out_unlock;
2421	}
2422
2423	newcon.user = context1->user;
2424	newcon.role = context1->role;
2425	newcon.type = context1->type;
2426	rc = mls_context_cpy(&newcon, context2);
2427	if (rc)
2428		goto out_unlock;
2429
2430	/* Check the validity of the new context. */
2431	if (!policydb_context_isvalid(&policydb, &newcon)) {
2432		rc = convert_context_handle_invalid_context(&newcon);
2433		if (rc)
2434			goto bad;
2435	}
2436
2437	rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2438	goto out_unlock;
2439
2440bad:
2441	if (!context_struct_to_string(&newcon, &s, &len)) {
2442		audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2443			  "security_sid_mls_copy: invalid context %s", s);
2444		kfree(s);
2445	}
2446
2447out_unlock:
2448	read_unlock(&policy_rwlock);
2449	context_destroy(&newcon);
2450out:
2451	return rc;
2452}
2453
2454/**
2455 * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2456 * @nlbl_sid: NetLabel SID
2457 * @nlbl_type: NetLabel labeling protocol type
2458 * @xfrm_sid: XFRM SID
2459 *
2460 * Description:
2461 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2462 * resolved into a single SID it is returned via @peer_sid and the function
2463 * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2464 * returns a negative value.  A table summarizing the behavior is below:
2465 *
2466 *                                 | function return |      @sid
2467 *   ------------------------------+-----------------+-----------------
2468 *   no peer labels                |        0        |    SECSID_NULL
2469 *   single peer label             |        0        |    <peer_label>
2470 *   multiple, consistent labels   |        0        |    <peer_label>
2471 *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2472 *
2473 */
2474int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2475				 u32 xfrm_sid,
2476				 u32 *peer_sid)
2477{
2478	int rc;
2479	struct context *nlbl_ctx;
2480	struct context *xfrm_ctx;
2481
2482	/* handle the common (which also happens to be the set of easy) cases
2483	 * right away, these two if statements catch everything involving a
2484	 * single or absent peer SID/label */
2485	if (xfrm_sid == SECSID_NULL) {
2486		*peer_sid = nlbl_sid;
2487		return 0;
2488	}
2489	/* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2490	 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2491	 * is present */
2492	if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2493		*peer_sid = xfrm_sid;
2494		return 0;
2495	}
2496
2497	/* we don't need to check ss_initialized here since the only way both
2498	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2499	 * security server was initialized and ss_initialized was true */
2500	if (!policydb.mls_enabled) {
2501		*peer_sid = SECSID_NULL;
2502		return 0;
2503	}
2504
2505	read_lock(&policy_rwlock);
2506
2507	nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2508	if (!nlbl_ctx) {
2509		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2510		       __func__, nlbl_sid);
2511		rc = -EINVAL;
2512		goto out_slowpath;
2513	}
2514	xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2515	if (!xfrm_ctx) {
2516		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2517		       __func__, xfrm_sid);
2518		rc = -EINVAL;
2519		goto out_slowpath;
2520	}
2521	rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2522
2523out_slowpath:
2524	read_unlock(&policy_rwlock);
2525	if (rc == 0)
2526		/* at present NetLabel SIDs/labels really only carry MLS
2527		 * information so if the MLS portion of the NetLabel SID
2528		 * matches the MLS portion of the labeled XFRM SID/label
2529		 * then pass along the XFRM SID as it is the most
2530		 * expressive */
2531		*peer_sid = xfrm_sid;
2532	else
2533		*peer_sid = SECSID_NULL;
2534	return rc;
2535}
2536
2537static int get_classes_callback(void *k, void *d, void *args)
2538{
2539	struct class_datum *datum = d;
2540	char *name = k, **classes = args;
2541	int value = datum->value - 1;
2542
2543	classes[value] = kstrdup(name, GFP_ATOMIC);
2544	if (!classes[value])
2545		return -ENOMEM;
2546
2547	return 0;
2548}
2549
2550int security_get_classes(char ***classes, int *nclasses)
2551{
2552	int rc = -ENOMEM;
2553
2554	read_lock(&policy_rwlock);
2555
2556	*nclasses = policydb.p_classes.nprim;
2557	*classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2558	if (!*classes)
2559		goto out;
2560
2561	rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
2562			*classes);
2563	if (rc < 0) {
2564		int i;
2565		for (i = 0; i < *nclasses; i++)
2566			kfree((*classes)[i]);
2567		kfree(*classes);
2568	}
2569
2570out:
2571	read_unlock(&policy_rwlock);
2572	return rc;
2573}
2574
2575static int get_permissions_callback(void *k, void *d, void *args)
2576{
2577	struct perm_datum *datum = d;
2578	char *name = k, **perms = args;
2579	int value = datum->value - 1;
2580
2581	perms[value] = kstrdup(name, GFP_ATOMIC);
2582	if (!perms[value])
2583		return -ENOMEM;
2584
2585	return 0;
2586}
2587
2588int security_get_permissions(char *class, char ***perms, int *nperms)
2589{
2590	int rc = -ENOMEM, i;
2591	struct class_datum *match;
2592
2593	read_lock(&policy_rwlock);
2594
2595	match = hashtab_search(policydb.p_classes.table, class);
2596	if (!match) {
2597		printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
2598			__func__, class);
2599		rc = -EINVAL;
2600		goto out;
2601	}
2602
2603	*nperms = match->permissions.nprim;
2604	*perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2605	if (!*perms)
2606		goto out;
2607
2608	if (match->comdatum) {
2609		rc = hashtab_map(match->comdatum->permissions.table,
2610				get_permissions_callback, *perms);
2611		if (rc < 0)
2612			goto err;
2613	}
2614
2615	rc = hashtab_map(match->permissions.table, get_permissions_callback,
2616			*perms);
2617	if (rc < 0)
2618		goto err;
2619
2620out:
2621	read_unlock(&policy_rwlock);
2622	return rc;
2623
2624err:
2625	read_unlock(&policy_rwlock);
2626	for (i = 0; i < *nperms; i++)
2627		kfree((*perms)[i]);
2628	kfree(*perms);
2629	return rc;
2630}
2631
2632int security_get_reject_unknown(void)
2633{
2634	return policydb.reject_unknown;
2635}
2636
2637int security_get_allow_unknown(void)
2638{
2639	return policydb.allow_unknown;
2640}
2641
2642/**
2643 * security_policycap_supported - Check for a specific policy capability
2644 * @req_cap: capability
2645 *
2646 * Description:
2647 * This function queries the currently loaded policy to see if it supports the
2648 * capability specified by @req_cap.  Returns true (1) if the capability is
2649 * supported, false (0) if it isn't supported.
2650 *
2651 */
2652int security_policycap_supported(unsigned int req_cap)
2653{
2654	int rc;
2655
2656	read_lock(&policy_rwlock);
2657	rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
2658	read_unlock(&policy_rwlock);
2659
2660	return rc;
2661}
2662
2663struct selinux_audit_rule {
2664	u32 au_seqno;
2665	struct context au_ctxt;
2666};
2667
2668void selinux_audit_rule_free(void *vrule)
2669{
2670	struct selinux_audit_rule *rule = vrule;
2671
2672	if (rule) {
2673		context_destroy(&rule->au_ctxt);
2674		kfree(rule);
2675	}
2676}
2677
2678int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
2679{
2680	struct selinux_audit_rule *tmprule;
2681	struct role_datum *roledatum;
2682	struct type_datum *typedatum;
2683	struct user_datum *userdatum;
2684	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
2685	int rc = 0;
2686
2687	*rule = NULL;
2688
2689	if (!ss_initialized)
2690		return -EOPNOTSUPP;
2691
2692	switch (field) {
2693	case AUDIT_SUBJ_USER:
2694	case AUDIT_SUBJ_ROLE:
2695	case AUDIT_SUBJ_TYPE:
2696	case AUDIT_OBJ_USER:
2697	case AUDIT_OBJ_ROLE:
2698	case AUDIT_OBJ_TYPE:
2699		/* only 'equals' and 'not equals' fit user, role, and type */
2700		if (op != Audit_equal && op != Audit_not_equal)
2701			return -EINVAL;
2702		break;
2703	case AUDIT_SUBJ_SEN:
2704	case AUDIT_SUBJ_CLR:
2705	case AUDIT_OBJ_LEV_LOW:
2706	case AUDIT_OBJ_LEV_HIGH:
2707		/* we do not allow a range, indicated by the presense of '-' */
2708		if (strchr(rulestr, '-'))
2709			return -EINVAL;
2710		break;
2711	default:
2712		/* only the above fields are valid */
2713		return -EINVAL;
2714	}
2715
2716	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
2717	if (!tmprule)
2718		return -ENOMEM;
2719
2720	context_init(&tmprule->au_ctxt);
2721
2722	read_lock(&policy_rwlock);
2723
2724	tmprule->au_seqno = latest_granting;
2725
2726	switch (field) {
2727	case AUDIT_SUBJ_USER:
2728	case AUDIT_OBJ_USER:
2729		userdatum = hashtab_search(policydb.p_users.table, rulestr);
2730		if (!userdatum)
2731			rc = -EINVAL;
2732		else
2733			tmprule->au_ctxt.user = userdatum->value;
2734		break;
2735	case AUDIT_SUBJ_ROLE:
2736	case AUDIT_OBJ_ROLE:
2737		roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2738		if (!roledatum)
2739			rc = -EINVAL;
2740		else
2741			tmprule->au_ctxt.role = roledatum->value;
2742		break;
2743	case AUDIT_SUBJ_TYPE:
2744	case AUDIT_OBJ_TYPE:
2745		typedatum = hashtab_search(policydb.p_types.table, rulestr);
2746		if (!typedatum)
2747			rc = -EINVAL;
2748		else
2749			tmprule->au_ctxt.type = typedatum->value;
2750		break;
2751	case AUDIT_SUBJ_SEN:
2752	case AUDIT_SUBJ_CLR:
2753	case AUDIT_OBJ_LEV_LOW:
2754	case AUDIT_OBJ_LEV_HIGH:
2755		rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2756		break;
2757	}
2758
2759	read_unlock(&policy_rwlock);
2760
2761	if (rc) {
2762		selinux_audit_rule_free(tmprule);
2763		tmprule = NULL;
2764	}
2765
2766	*rule = tmprule;
2767
2768	return rc;
2769}
2770
2771/* Check to see if the rule contains any selinux fields */
2772int selinux_audit_rule_known(struct audit_krule *rule)
2773{
2774	int i;
2775
2776	for (i = 0; i < rule->field_count; i++) {
2777		struct audit_field *f = &rule->fields[i];
2778		switch (f->type) {
2779		case AUDIT_SUBJ_USER:
2780		case AUDIT_SUBJ_ROLE:
2781		case AUDIT_SUBJ_TYPE:
2782		case AUDIT_SUBJ_SEN:
2783		case AUDIT_SUBJ_CLR:
2784		case AUDIT_OBJ_USER:
2785		case AUDIT_OBJ_ROLE:
2786		case AUDIT_OBJ_TYPE:
2787		case AUDIT_OBJ_LEV_LOW:
2788		case AUDIT_OBJ_LEV_HIGH:
2789			return 1;
2790		}
2791	}
2792
2793	return 0;
2794}
2795
2796int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2797			     struct audit_context *actx)
2798{
2799	struct context *ctxt;
2800	struct mls_level *level;
2801	struct selinux_audit_rule *rule = vrule;
2802	int match = 0;
2803
2804	if (!rule) {
2805		audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2806			  "selinux_audit_rule_match: missing rule\n");
2807		return -ENOENT;
2808	}
2809
2810	read_lock(&policy_rwlock);
2811
2812	if (rule->au_seqno < latest_granting) {
2813		audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2814			  "selinux_audit_rule_match: stale rule\n");
2815		match = -ESTALE;
2816		goto out;
2817	}
2818
2819	ctxt = sidtab_search(&sidtab, sid);
2820	if (!ctxt) {
2821		audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2822			  "selinux_audit_rule_match: unrecognized SID %d\n",
2823			  sid);
2824		match = -ENOENT;
2825		goto out;
2826	}
2827
2828	/* a field/op pair that is not caught here will simply fall through
2829	   without a match */
2830	switch (field) {
2831	case AUDIT_SUBJ_USER:
2832	case AUDIT_OBJ_USER:
2833		switch (op) {
2834		case Audit_equal:
2835			match = (ctxt->user == rule->au_ctxt.user);
2836			break;
2837		case Audit_not_equal:
2838			match = (ctxt->user != rule->au_ctxt.user);
2839			break;
2840		}
2841		break;
2842	case AUDIT_SUBJ_ROLE:
2843	case AUDIT_OBJ_ROLE:
2844		switch (op) {
2845		case Audit_equal:
2846			match = (ctxt->role == rule->au_ctxt.role);
2847			break;
2848		case Audit_not_equal:
2849			match = (ctxt->role != rule->au_ctxt.role);
2850			break;
2851		}
2852		break;
2853	case AUDIT_SUBJ_TYPE:
2854	case AUDIT_OBJ_TYPE:
2855		switch (op) {
2856		case Audit_equal:
2857			match = (ctxt->type == rule->au_ctxt.type);
2858			break;
2859		case Audit_not_equal:
2860			match = (ctxt->type != rule->au_ctxt.type);
2861			break;
2862		}
2863		break;
2864	case AUDIT_SUBJ_SEN:
2865	case AUDIT_SUBJ_CLR:
2866	case AUDIT_OBJ_LEV_LOW:
2867	case AUDIT_OBJ_LEV_HIGH:
2868		level = ((field == AUDIT_SUBJ_SEN ||
2869			  field == AUDIT_OBJ_LEV_LOW) ?
2870			 &ctxt->range.level[0] : &ctxt->range.level[1]);
2871		switch (op) {
2872		case Audit_equal:
2873			match = mls_level_eq(&rule->au_ctxt.range.level[0],
2874					     level);
2875			break;
2876		case Audit_not_equal:
2877			match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2878					      level);
2879			break;
2880		case Audit_lt:
2881			match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2882					       level) &&
2883				 !mls_level_eq(&rule->au_ctxt.range.level[0],
2884					       level));
2885			break;
2886		case Audit_le:
2887			match = mls_level_dom(&rule->au_ctxt.range.level[0],
2888					      level);
2889			break;
2890		case Audit_gt:
2891			match = (mls_level_dom(level,
2892					      &rule->au_ctxt.range.level[0]) &&
2893				 !mls_level_eq(level,
2894					       &rule->au_ctxt.range.level[0]));
2895			break;
2896		case Audit_ge:
2897			match = mls_level_dom(level,
2898					      &rule->au_ctxt.range.level[0]);
2899			break;
2900		}
2901	}
2902
2903out:
2904	read_unlock(&policy_rwlock);
2905	return match;
2906}
2907
2908static int (*aurule_callback)(void) = audit_update_lsm_rules;
2909
2910static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2911			       u16 class, u32 perms, u32 *retained)
2912{
2913	int err = 0;
2914
2915	if (event == AVC_CALLBACK_RESET && aurule_callback)
2916		err = aurule_callback();
2917	return err;
2918}
2919
2920static int __init aurule_init(void)
2921{
2922	int err;
2923
2924	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2925			       SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2926	if (err)
2927		panic("avc_add_callback() failed, error %d\n", err);
2928
2929	return err;
2930}
2931__initcall(aurule_init);
2932
2933#ifdef CONFIG_NETLABEL
2934/**
2935 * security_netlbl_cache_add - Add an entry to the NetLabel cache
2936 * @secattr: the NetLabel packet security attributes
2937 * @sid: the SELinux SID
2938 *
2939 * Description:
2940 * Attempt to cache the context in @ctx, which was derived from the packet in
2941 * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
2942 * already been initialized.
2943 *
2944 */
2945static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
2946				      u32 sid)
2947{
2948	u32 *sid_cache;
2949
2950	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
2951	if (sid_cache == NULL)
2952		return;
2953	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
2954	if (secattr->cache == NULL) {
2955		kfree(sid_cache);
2956		return;
2957	}
2958
2959	*sid_cache = sid;
2960	secattr->cache->free = kfree;
2961	secattr->cache->data = sid_cache;
2962	secattr->flags |= NETLBL_SECATTR_CACHE;
2963}
2964
2965/**
2966 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
2967 * @secattr: the NetLabel packet security attributes
2968 * @sid: the SELinux SID
2969 *
2970 * Description:
2971 * Convert the given NetLabel security attributes in @secattr into a
2972 * SELinux SID.  If the @secattr field does not contain a full SELinux
2973 * SID/context then use SECINITSID_NETMSG as the foundation.  If possibile the
2974 * 'cache' field of @secattr is set and the CACHE flag is set; this is to
2975 * allow the @secattr to be used by NetLabel to cache the secattr to SID
2976 * conversion for future lookups.  Returns zero on success, negative values on
2977 * failure.
2978 *
2979 */
2980int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
2981				   u32 *sid)
2982{
2983	int rc = -EIDRM;
2984	struct context *ctx;
2985	struct context ctx_new;
2986
2987	if (!ss_initialized) {
2988		*sid = SECSID_NULL;
2989		return 0;
2990	}
2991
2992	read_lock(&policy_rwlock);
2993
2994	if (secattr->flags & NETLBL_SECATTR_CACHE) {
2995		*sid = *(u32 *)secattr->cache->data;
2996		rc = 0;
2997	} else if (secattr->flags & NETLBL_SECATTR_SECID) {
2998		*sid = secattr->attr.secid;
2999		rc = 0;
3000	} else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3001		ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
3002		if (ctx == NULL)
3003			goto netlbl_secattr_to_sid_return;
3004
3005		context_init(&ctx_new);
3006		ctx_new.user = ctx->user;
3007		ctx_new.role = ctx->role;
3008		ctx_new.type = ctx->type;
3009		mls_import_netlbl_lvl(&ctx_new, secattr);
3010		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3011			if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
3012						  secattr->attr.mls.cat) != 0)
3013				goto netlbl_secattr_to_sid_return;
3014			memcpy(&ctx_new.range.level[1].cat,
3015			       &ctx_new.range.level[0].cat,
3016			       sizeof(ctx_new.range.level[0].cat));
3017		}
3018		if (mls_context_isvalid(&policydb, &ctx_new) != 1)
3019			goto netlbl_secattr_to_sid_return_cleanup;
3020
3021		rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3022		if (rc != 0)
3023			goto netlbl_secattr_to_sid_return_cleanup;
3024
3025		security_netlbl_cache_add(secattr, *sid);
3026
3027		ebitmap_destroy(&ctx_new.range.level[0].cat);
3028	} else {
3029		*sid = SECSID_NULL;
3030		rc = 0;
3031	}
3032
3033netlbl_secattr_to_sid_return:
3034	read_unlock(&policy_rwlock);
3035	return rc;
3036netlbl_secattr_to_sid_return_cleanup:
3037	ebitmap_destroy(&ctx_new.range.level[0].cat);
3038	goto netlbl_secattr_to_sid_return;
3039}
3040
3041/**
3042 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3043 * @sid: the SELinux SID
3044 * @secattr: the NetLabel packet security attributes
3045 *
3046 * Description:
3047 * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3048 * Returns zero on success, negative values on failure.
3049 *
3050 */
3051int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3052{
3053	int rc;
3054	struct context *ctx;
3055
3056	if (!ss_initialized)
3057		return 0;
3058
3059	read_lock(&policy_rwlock);
3060	ctx = sidtab_search(&sidtab, sid);
3061	if (ctx == NULL) {
3062		rc = -ENOENT;
3063		goto netlbl_sid_to_secattr_failure;
3064	}
3065	secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
3066				  GFP_ATOMIC);
3067	if (secattr->domain == NULL) {
3068		rc = -ENOMEM;
3069		goto netlbl_sid_to_secattr_failure;
3070	}
3071	secattr->attr.secid = sid;
3072	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3073	mls_export_netlbl_lvl(ctx, secattr);
3074	rc = mls_export_netlbl_cat(ctx, secattr);
3075	if (rc != 0)
3076		goto netlbl_sid_to_secattr_failure;
3077	read_unlock(&policy_rwlock);
3078
3079	return 0;
3080
3081netlbl_sid_to_secattr_failure:
3082	read_unlock(&policy_rwlock);
3083	return rc;
3084}
3085#endif /* CONFIG_NETLABEL */
3086