services.c revision 85cd6da53a8073d3f4503f56e4ea6cddccbb1c7f
1/* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * Added support for the policy capability bitmap 20 * 21 * Updated: Chad Sellers <csellers@tresys.com> 22 * 23 * Added validation of kernel classes and permissions 24 * 25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 26 * 27 * Added support for bounds domain and audit messaged on masked permissions 28 * 29 * Updated: Guido Trentalancia <guido@trentalancia.com> 30 * 31 * Added support for runtime switching of the policy type 32 * 33 * Copyright (C) 2008, 2009 NEC Corporation 34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 36 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 37 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 38 * This program is free software; you can redistribute it and/or modify 39 * it under the terms of the GNU General Public License as published by 40 * the Free Software Foundation, version 2. 41 */ 42#include <linux/kernel.h> 43#include <linux/slab.h> 44#include <linux/string.h> 45#include <linux/spinlock.h> 46#include <linux/rcupdate.h> 47#include <linux/errno.h> 48#include <linux/in.h> 49#include <linux/sched.h> 50#include <linux/audit.h> 51#include <linux/mutex.h> 52#include <linux/selinux.h> 53#include <linux/flex_array.h> 54#include <linux/vmalloc.h> 55#include <net/netlabel.h> 56 57#include "flask.h" 58#include "avc.h" 59#include "avc_ss.h" 60#include "security.h" 61#include "context.h" 62#include "policydb.h" 63#include "sidtab.h" 64#include "services.h" 65#include "conditional.h" 66#include "mls.h" 67#include "objsec.h" 68#include "netlabel.h" 69#include "xfrm.h" 70#include "ebitmap.h" 71#include "audit.h" 72 73extern void selnl_notify_policyload(u32 seqno); 74 75int selinux_policycap_netpeer; 76int selinux_policycap_openperm; 77 78static DEFINE_RWLOCK(policy_rwlock); 79 80static struct sidtab sidtab; 81struct policydb policydb; 82int ss_initialized; 83 84/* 85 * The largest sequence number that has been used when 86 * providing an access decision to the access vector cache. 87 * The sequence number only changes when a policy change 88 * occurs. 89 */ 90static u32 latest_granting; 91 92/* Forward declaration. */ 93static int context_struct_to_string(struct context *context, char **scontext, 94 u32 *scontext_len); 95 96static void context_struct_compute_av(struct context *scontext, 97 struct context *tcontext, 98 u16 tclass, 99 struct av_decision *avd); 100 101struct selinux_mapping { 102 u16 value; /* policy value */ 103 unsigned num_perms; 104 u32 perms[sizeof(u32) * 8]; 105}; 106 107static struct selinux_mapping *current_mapping; 108static u16 current_mapping_size; 109 110static int selinux_set_mapping(struct policydb *pol, 111 struct security_class_mapping *map, 112 struct selinux_mapping **out_map_p, 113 u16 *out_map_size) 114{ 115 struct selinux_mapping *out_map = NULL; 116 size_t size = sizeof(struct selinux_mapping); 117 u16 i, j; 118 unsigned k; 119 bool print_unknown_handle = false; 120 121 /* Find number of classes in the input mapping */ 122 if (!map) 123 return -EINVAL; 124 i = 0; 125 while (map[i].name) 126 i++; 127 128 /* Allocate space for the class records, plus one for class zero */ 129 out_map = kcalloc(++i, size, GFP_ATOMIC); 130 if (!out_map) 131 return -ENOMEM; 132 133 /* Store the raw class and permission values */ 134 j = 0; 135 while (map[j].name) { 136 struct security_class_mapping *p_in = map + (j++); 137 struct selinux_mapping *p_out = out_map + j; 138 139 /* An empty class string skips ahead */ 140 if (!strcmp(p_in->name, "")) { 141 p_out->num_perms = 0; 142 continue; 143 } 144 145 p_out->value = string_to_security_class(pol, p_in->name); 146 if (!p_out->value) { 147 printk(KERN_INFO 148 "SELinux: Class %s not defined in policy.\n", 149 p_in->name); 150 if (pol->reject_unknown) 151 goto err; 152 p_out->num_perms = 0; 153 print_unknown_handle = true; 154 continue; 155 } 156 157 k = 0; 158 while (p_in->perms && p_in->perms[k]) { 159 /* An empty permission string skips ahead */ 160 if (!*p_in->perms[k]) { 161 k++; 162 continue; 163 } 164 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 165 p_in->perms[k]); 166 if (!p_out->perms[k]) { 167 printk(KERN_INFO 168 "SELinux: Permission %s in class %s not defined in policy.\n", 169 p_in->perms[k], p_in->name); 170 if (pol->reject_unknown) 171 goto err; 172 print_unknown_handle = true; 173 } 174 175 k++; 176 } 177 p_out->num_perms = k; 178 } 179 180 if (print_unknown_handle) 181 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 182 pol->allow_unknown ? "allowed" : "denied"); 183 184 *out_map_p = out_map; 185 *out_map_size = i; 186 return 0; 187err: 188 kfree(out_map); 189 return -EINVAL; 190} 191 192/* 193 * Get real, policy values from mapped values 194 */ 195 196static u16 unmap_class(u16 tclass) 197{ 198 if (tclass < current_mapping_size) 199 return current_mapping[tclass].value; 200 201 return tclass; 202} 203 204/* 205 * Get kernel value for class from its policy value 206 */ 207static u16 map_class(u16 pol_value) 208{ 209 u16 i; 210 211 for (i = 1; i < current_mapping_size; i++) { 212 if (current_mapping[i].value == pol_value) 213 return i; 214 } 215 216 return SECCLASS_NULL; 217} 218 219static void map_decision(u16 tclass, struct av_decision *avd, 220 int allow_unknown) 221{ 222 if (tclass < current_mapping_size) { 223 unsigned i, n = current_mapping[tclass].num_perms; 224 u32 result; 225 226 for (i = 0, result = 0; i < n; i++) { 227 if (avd->allowed & current_mapping[tclass].perms[i]) 228 result |= 1<<i; 229 if (allow_unknown && !current_mapping[tclass].perms[i]) 230 result |= 1<<i; 231 } 232 avd->allowed = result; 233 234 for (i = 0, result = 0; i < n; i++) 235 if (avd->auditallow & current_mapping[tclass].perms[i]) 236 result |= 1<<i; 237 avd->auditallow = result; 238 239 for (i = 0, result = 0; i < n; i++) { 240 if (avd->auditdeny & current_mapping[tclass].perms[i]) 241 result |= 1<<i; 242 if (!allow_unknown && !current_mapping[tclass].perms[i]) 243 result |= 1<<i; 244 } 245 /* 246 * In case the kernel has a bug and requests a permission 247 * between num_perms and the maximum permission number, we 248 * should audit that denial 249 */ 250 for (; i < (sizeof(u32)*8); i++) 251 result |= 1<<i; 252 avd->auditdeny = result; 253 } 254} 255 256int security_mls_enabled(void) 257{ 258 return policydb.mls_enabled; 259} 260 261/* 262 * Return the boolean value of a constraint expression 263 * when it is applied to the specified source and target 264 * security contexts. 265 * 266 * xcontext is a special beast... It is used by the validatetrans rules 267 * only. For these rules, scontext is the context before the transition, 268 * tcontext is the context after the transition, and xcontext is the context 269 * of the process performing the transition. All other callers of 270 * constraint_expr_eval should pass in NULL for xcontext. 271 */ 272static int constraint_expr_eval(struct context *scontext, 273 struct context *tcontext, 274 struct context *xcontext, 275 struct constraint_expr *cexpr) 276{ 277 u32 val1, val2; 278 struct context *c; 279 struct role_datum *r1, *r2; 280 struct mls_level *l1, *l2; 281 struct constraint_expr *e; 282 int s[CEXPR_MAXDEPTH]; 283 int sp = -1; 284 285 for (e = cexpr; e; e = e->next) { 286 switch (e->expr_type) { 287 case CEXPR_NOT: 288 BUG_ON(sp < 0); 289 s[sp] = !s[sp]; 290 break; 291 case CEXPR_AND: 292 BUG_ON(sp < 1); 293 sp--; 294 s[sp] &= s[sp + 1]; 295 break; 296 case CEXPR_OR: 297 BUG_ON(sp < 1); 298 sp--; 299 s[sp] |= s[sp + 1]; 300 break; 301 case CEXPR_ATTR: 302 if (sp == (CEXPR_MAXDEPTH - 1)) 303 return 0; 304 switch (e->attr) { 305 case CEXPR_USER: 306 val1 = scontext->user; 307 val2 = tcontext->user; 308 break; 309 case CEXPR_TYPE: 310 val1 = scontext->type; 311 val2 = tcontext->type; 312 break; 313 case CEXPR_ROLE: 314 val1 = scontext->role; 315 val2 = tcontext->role; 316 r1 = policydb.role_val_to_struct[val1 - 1]; 317 r2 = policydb.role_val_to_struct[val2 - 1]; 318 switch (e->op) { 319 case CEXPR_DOM: 320 s[++sp] = ebitmap_get_bit(&r1->dominates, 321 val2 - 1); 322 continue; 323 case CEXPR_DOMBY: 324 s[++sp] = ebitmap_get_bit(&r2->dominates, 325 val1 - 1); 326 continue; 327 case CEXPR_INCOMP: 328 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 329 val2 - 1) && 330 !ebitmap_get_bit(&r2->dominates, 331 val1 - 1)); 332 continue; 333 default: 334 break; 335 } 336 break; 337 case CEXPR_L1L2: 338 l1 = &(scontext->range.level[0]); 339 l2 = &(tcontext->range.level[0]); 340 goto mls_ops; 341 case CEXPR_L1H2: 342 l1 = &(scontext->range.level[0]); 343 l2 = &(tcontext->range.level[1]); 344 goto mls_ops; 345 case CEXPR_H1L2: 346 l1 = &(scontext->range.level[1]); 347 l2 = &(tcontext->range.level[0]); 348 goto mls_ops; 349 case CEXPR_H1H2: 350 l1 = &(scontext->range.level[1]); 351 l2 = &(tcontext->range.level[1]); 352 goto mls_ops; 353 case CEXPR_L1H1: 354 l1 = &(scontext->range.level[0]); 355 l2 = &(scontext->range.level[1]); 356 goto mls_ops; 357 case CEXPR_L2H2: 358 l1 = &(tcontext->range.level[0]); 359 l2 = &(tcontext->range.level[1]); 360 goto mls_ops; 361mls_ops: 362 switch (e->op) { 363 case CEXPR_EQ: 364 s[++sp] = mls_level_eq(l1, l2); 365 continue; 366 case CEXPR_NEQ: 367 s[++sp] = !mls_level_eq(l1, l2); 368 continue; 369 case CEXPR_DOM: 370 s[++sp] = mls_level_dom(l1, l2); 371 continue; 372 case CEXPR_DOMBY: 373 s[++sp] = mls_level_dom(l2, l1); 374 continue; 375 case CEXPR_INCOMP: 376 s[++sp] = mls_level_incomp(l2, l1); 377 continue; 378 default: 379 BUG(); 380 return 0; 381 } 382 break; 383 default: 384 BUG(); 385 return 0; 386 } 387 388 switch (e->op) { 389 case CEXPR_EQ: 390 s[++sp] = (val1 == val2); 391 break; 392 case CEXPR_NEQ: 393 s[++sp] = (val1 != val2); 394 break; 395 default: 396 BUG(); 397 return 0; 398 } 399 break; 400 case CEXPR_NAMES: 401 if (sp == (CEXPR_MAXDEPTH-1)) 402 return 0; 403 c = scontext; 404 if (e->attr & CEXPR_TARGET) 405 c = tcontext; 406 else if (e->attr & CEXPR_XTARGET) { 407 c = xcontext; 408 if (!c) { 409 BUG(); 410 return 0; 411 } 412 } 413 if (e->attr & CEXPR_USER) 414 val1 = c->user; 415 else if (e->attr & CEXPR_ROLE) 416 val1 = c->role; 417 else if (e->attr & CEXPR_TYPE) 418 val1 = c->type; 419 else { 420 BUG(); 421 return 0; 422 } 423 424 switch (e->op) { 425 case CEXPR_EQ: 426 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 427 break; 428 case CEXPR_NEQ: 429 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 430 break; 431 default: 432 BUG(); 433 return 0; 434 } 435 break; 436 default: 437 BUG(); 438 return 0; 439 } 440 } 441 442 BUG_ON(sp != 0); 443 return s[0]; 444} 445 446/* 447 * security_dump_masked_av - dumps masked permissions during 448 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 449 */ 450static int dump_masked_av_helper(void *k, void *d, void *args) 451{ 452 struct perm_datum *pdatum = d; 453 char **permission_names = args; 454 455 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 456 457 permission_names[pdatum->value - 1] = (char *)k; 458 459 return 0; 460} 461 462static void security_dump_masked_av(struct context *scontext, 463 struct context *tcontext, 464 u16 tclass, 465 u32 permissions, 466 const char *reason) 467{ 468 struct common_datum *common_dat; 469 struct class_datum *tclass_dat; 470 struct audit_buffer *ab; 471 char *tclass_name; 472 char *scontext_name = NULL; 473 char *tcontext_name = NULL; 474 char *permission_names[32]; 475 int index; 476 u32 length; 477 bool need_comma = false; 478 479 if (!permissions) 480 return; 481 482 tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1); 483 tclass_dat = policydb.class_val_to_struct[tclass - 1]; 484 common_dat = tclass_dat->comdatum; 485 486 /* init permission_names */ 487 if (common_dat && 488 hashtab_map(common_dat->permissions.table, 489 dump_masked_av_helper, permission_names) < 0) 490 goto out; 491 492 if (hashtab_map(tclass_dat->permissions.table, 493 dump_masked_av_helper, permission_names) < 0) 494 goto out; 495 496 /* get scontext/tcontext in text form */ 497 if (context_struct_to_string(scontext, 498 &scontext_name, &length) < 0) 499 goto out; 500 501 if (context_struct_to_string(tcontext, 502 &tcontext_name, &length) < 0) 503 goto out; 504 505 /* audit a message */ 506 ab = audit_log_start(current->audit_context, 507 GFP_ATOMIC, AUDIT_SELINUX_ERR); 508 if (!ab) 509 goto out; 510 511 audit_log_format(ab, "op=security_compute_av reason=%s " 512 "scontext=%s tcontext=%s tclass=%s perms=", 513 reason, scontext_name, tcontext_name, tclass_name); 514 515 for (index = 0; index < 32; index++) { 516 u32 mask = (1 << index); 517 518 if ((mask & permissions) == 0) 519 continue; 520 521 audit_log_format(ab, "%s%s", 522 need_comma ? "," : "", 523 permission_names[index] 524 ? permission_names[index] : "????"); 525 need_comma = true; 526 } 527 audit_log_end(ab); 528out: 529 /* release scontext/tcontext */ 530 kfree(tcontext_name); 531 kfree(scontext_name); 532 533 return; 534} 535 536/* 537 * security_boundary_permission - drops violated permissions 538 * on boundary constraint. 539 */ 540static void type_attribute_bounds_av(struct context *scontext, 541 struct context *tcontext, 542 u16 tclass, 543 struct av_decision *avd) 544{ 545 struct context lo_scontext; 546 struct context lo_tcontext; 547 struct av_decision lo_avd; 548 struct type_datum *source; 549 struct type_datum *target; 550 u32 masked = 0; 551 552 source = flex_array_get_ptr(policydb.type_val_to_struct_array, 553 scontext->type - 1); 554 BUG_ON(!source); 555 556 target = flex_array_get_ptr(policydb.type_val_to_struct_array, 557 tcontext->type - 1); 558 BUG_ON(!target); 559 560 if (source->bounds) { 561 memset(&lo_avd, 0, sizeof(lo_avd)); 562 563 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 564 lo_scontext.type = source->bounds; 565 566 context_struct_compute_av(&lo_scontext, 567 tcontext, 568 tclass, 569 &lo_avd); 570 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 571 return; /* no masked permission */ 572 masked = ~lo_avd.allowed & avd->allowed; 573 } 574 575 if (target->bounds) { 576 memset(&lo_avd, 0, sizeof(lo_avd)); 577 578 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 579 lo_tcontext.type = target->bounds; 580 581 context_struct_compute_av(scontext, 582 &lo_tcontext, 583 tclass, 584 &lo_avd); 585 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 586 return; /* no masked permission */ 587 masked = ~lo_avd.allowed & avd->allowed; 588 } 589 590 if (source->bounds && target->bounds) { 591 memset(&lo_avd, 0, sizeof(lo_avd)); 592 /* 593 * lo_scontext and lo_tcontext are already 594 * set up. 595 */ 596 597 context_struct_compute_av(&lo_scontext, 598 &lo_tcontext, 599 tclass, 600 &lo_avd); 601 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 602 return; /* no masked permission */ 603 masked = ~lo_avd.allowed & avd->allowed; 604 } 605 606 if (masked) { 607 /* mask violated permissions */ 608 avd->allowed &= ~masked; 609 610 /* audit masked permissions */ 611 security_dump_masked_av(scontext, tcontext, 612 tclass, masked, "bounds"); 613 } 614} 615 616/* 617 * Compute access vectors based on a context structure pair for 618 * the permissions in a particular class. 619 */ 620static void context_struct_compute_av(struct context *scontext, 621 struct context *tcontext, 622 u16 tclass, 623 struct av_decision *avd) 624{ 625 struct constraint_node *constraint; 626 struct role_allow *ra; 627 struct avtab_key avkey; 628 struct avtab_node *node; 629 struct class_datum *tclass_datum; 630 struct ebitmap *sattr, *tattr; 631 struct ebitmap_node *snode, *tnode; 632 unsigned int i, j; 633 634 avd->allowed = 0; 635 avd->auditallow = 0; 636 avd->auditdeny = 0xffffffff; 637 638 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { 639 if (printk_ratelimit()) 640 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); 641 return; 642 } 643 644 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 645 646 /* 647 * If a specific type enforcement rule was defined for 648 * this permission check, then use it. 649 */ 650 avkey.target_class = tclass; 651 avkey.specified = AVTAB_AV; 652 sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1); 653 BUG_ON(!sattr); 654 tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1); 655 BUG_ON(!tattr); 656 ebitmap_for_each_positive_bit(sattr, snode, i) { 657 ebitmap_for_each_positive_bit(tattr, tnode, j) { 658 avkey.source_type = i + 1; 659 avkey.target_type = j + 1; 660 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 661 node; 662 node = avtab_search_node_next(node, avkey.specified)) { 663 if (node->key.specified == AVTAB_ALLOWED) 664 avd->allowed |= node->datum.data; 665 else if (node->key.specified == AVTAB_AUDITALLOW) 666 avd->auditallow |= node->datum.data; 667 else if (node->key.specified == AVTAB_AUDITDENY) 668 avd->auditdeny &= node->datum.data; 669 } 670 671 /* Check conditional av table for additional permissions */ 672 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 673 674 } 675 } 676 677 /* 678 * Remove any permissions prohibited by a constraint (this includes 679 * the MLS policy). 680 */ 681 constraint = tclass_datum->constraints; 682 while (constraint) { 683 if ((constraint->permissions & (avd->allowed)) && 684 !constraint_expr_eval(scontext, tcontext, NULL, 685 constraint->expr)) { 686 avd->allowed &= ~(constraint->permissions); 687 } 688 constraint = constraint->next; 689 } 690 691 /* 692 * If checking process transition permission and the 693 * role is changing, then check the (current_role, new_role) 694 * pair. 695 */ 696 if (tclass == policydb.process_class && 697 (avd->allowed & policydb.process_trans_perms) && 698 scontext->role != tcontext->role) { 699 for (ra = policydb.role_allow; ra; ra = ra->next) { 700 if (scontext->role == ra->role && 701 tcontext->role == ra->new_role) 702 break; 703 } 704 if (!ra) 705 avd->allowed &= ~policydb.process_trans_perms; 706 } 707 708 /* 709 * If the given source and target types have boundary 710 * constraint, lazy checks have to mask any violated 711 * permission and notice it to userspace via audit. 712 */ 713 type_attribute_bounds_av(scontext, tcontext, 714 tclass, avd); 715} 716 717static int security_validtrans_handle_fail(struct context *ocontext, 718 struct context *ncontext, 719 struct context *tcontext, 720 u16 tclass) 721{ 722 char *o = NULL, *n = NULL, *t = NULL; 723 u32 olen, nlen, tlen; 724 725 if (context_struct_to_string(ocontext, &o, &olen)) 726 goto out; 727 if (context_struct_to_string(ncontext, &n, &nlen)) 728 goto out; 729 if (context_struct_to_string(tcontext, &t, &tlen)) 730 goto out; 731 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 732 "security_validate_transition: denied for" 733 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 734 o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 735out: 736 kfree(o); 737 kfree(n); 738 kfree(t); 739 740 if (!selinux_enforcing) 741 return 0; 742 return -EPERM; 743} 744 745int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 746 u16 orig_tclass) 747{ 748 struct context *ocontext; 749 struct context *ncontext; 750 struct context *tcontext; 751 struct class_datum *tclass_datum; 752 struct constraint_node *constraint; 753 u16 tclass; 754 int rc = 0; 755 756 if (!ss_initialized) 757 return 0; 758 759 read_lock(&policy_rwlock); 760 761 tclass = unmap_class(orig_tclass); 762 763 if (!tclass || tclass > policydb.p_classes.nprim) { 764 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 765 __func__, tclass); 766 rc = -EINVAL; 767 goto out; 768 } 769 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 770 771 ocontext = sidtab_search(&sidtab, oldsid); 772 if (!ocontext) { 773 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 774 __func__, oldsid); 775 rc = -EINVAL; 776 goto out; 777 } 778 779 ncontext = sidtab_search(&sidtab, newsid); 780 if (!ncontext) { 781 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 782 __func__, newsid); 783 rc = -EINVAL; 784 goto out; 785 } 786 787 tcontext = sidtab_search(&sidtab, tasksid); 788 if (!tcontext) { 789 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 790 __func__, tasksid); 791 rc = -EINVAL; 792 goto out; 793 } 794 795 constraint = tclass_datum->validatetrans; 796 while (constraint) { 797 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 798 constraint->expr)) { 799 rc = security_validtrans_handle_fail(ocontext, ncontext, 800 tcontext, tclass); 801 goto out; 802 } 803 constraint = constraint->next; 804 } 805 806out: 807 read_unlock(&policy_rwlock); 808 return rc; 809} 810 811/* 812 * security_bounded_transition - check whether the given 813 * transition is directed to bounded, or not. 814 * It returns 0, if @newsid is bounded by @oldsid. 815 * Otherwise, it returns error code. 816 * 817 * @oldsid : current security identifier 818 * @newsid : destinated security identifier 819 */ 820int security_bounded_transition(u32 old_sid, u32 new_sid) 821{ 822 struct context *old_context, *new_context; 823 struct type_datum *type; 824 int index; 825 int rc; 826 827 read_lock(&policy_rwlock); 828 829 rc = -EINVAL; 830 old_context = sidtab_search(&sidtab, old_sid); 831 if (!old_context) { 832 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 833 __func__, old_sid); 834 goto out; 835 } 836 837 rc = -EINVAL; 838 new_context = sidtab_search(&sidtab, new_sid); 839 if (!new_context) { 840 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 841 __func__, new_sid); 842 goto out; 843 } 844 845 rc = 0; 846 /* type/domain unchanged */ 847 if (old_context->type == new_context->type) 848 goto out; 849 850 index = new_context->type; 851 while (true) { 852 type = flex_array_get_ptr(policydb.type_val_to_struct_array, 853 index - 1); 854 BUG_ON(!type); 855 856 /* not bounded anymore */ 857 rc = -EPERM; 858 if (!type->bounds) 859 break; 860 861 /* @newsid is bounded by @oldsid */ 862 rc = 0; 863 if (type->bounds == old_context->type) 864 break; 865 866 index = type->bounds; 867 } 868 869 if (rc) { 870 char *old_name = NULL; 871 char *new_name = NULL; 872 u32 length; 873 874 if (!context_struct_to_string(old_context, 875 &old_name, &length) && 876 !context_struct_to_string(new_context, 877 &new_name, &length)) { 878 audit_log(current->audit_context, 879 GFP_ATOMIC, AUDIT_SELINUX_ERR, 880 "op=security_bounded_transition " 881 "result=denied " 882 "oldcontext=%s newcontext=%s", 883 old_name, new_name); 884 } 885 kfree(new_name); 886 kfree(old_name); 887 } 888out: 889 read_unlock(&policy_rwlock); 890 891 return rc; 892} 893 894static void avd_init(struct av_decision *avd) 895{ 896 avd->allowed = 0; 897 avd->auditallow = 0; 898 avd->auditdeny = 0xffffffff; 899 avd->seqno = latest_granting; 900 avd->flags = 0; 901} 902 903 904/** 905 * security_compute_av - Compute access vector decisions. 906 * @ssid: source security identifier 907 * @tsid: target security identifier 908 * @tclass: target security class 909 * @avd: access vector decisions 910 * 911 * Compute a set of access vector decisions based on the 912 * SID pair (@ssid, @tsid) for the permissions in @tclass. 913 */ 914void security_compute_av(u32 ssid, 915 u32 tsid, 916 u16 orig_tclass, 917 struct av_decision *avd) 918{ 919 u16 tclass; 920 struct context *scontext = NULL, *tcontext = NULL; 921 922 read_lock(&policy_rwlock); 923 avd_init(avd); 924 if (!ss_initialized) 925 goto allow; 926 927 scontext = sidtab_search(&sidtab, ssid); 928 if (!scontext) { 929 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 930 __func__, ssid); 931 goto out; 932 } 933 934 /* permissive domain? */ 935 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 936 avd->flags |= AVD_FLAGS_PERMISSIVE; 937 938 tcontext = sidtab_search(&sidtab, tsid); 939 if (!tcontext) { 940 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 941 __func__, tsid); 942 goto out; 943 } 944 945 tclass = unmap_class(orig_tclass); 946 if (unlikely(orig_tclass && !tclass)) { 947 if (policydb.allow_unknown) 948 goto allow; 949 goto out; 950 } 951 context_struct_compute_av(scontext, tcontext, tclass, avd); 952 map_decision(orig_tclass, avd, policydb.allow_unknown); 953out: 954 read_unlock(&policy_rwlock); 955 return; 956allow: 957 avd->allowed = 0xffffffff; 958 goto out; 959} 960 961void security_compute_av_user(u32 ssid, 962 u32 tsid, 963 u16 tclass, 964 struct av_decision *avd) 965{ 966 struct context *scontext = NULL, *tcontext = NULL; 967 968 read_lock(&policy_rwlock); 969 avd_init(avd); 970 if (!ss_initialized) 971 goto allow; 972 973 scontext = sidtab_search(&sidtab, ssid); 974 if (!scontext) { 975 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 976 __func__, ssid); 977 goto out; 978 } 979 980 /* permissive domain? */ 981 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 982 avd->flags |= AVD_FLAGS_PERMISSIVE; 983 984 tcontext = sidtab_search(&sidtab, tsid); 985 if (!tcontext) { 986 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 987 __func__, tsid); 988 goto out; 989 } 990 991 if (unlikely(!tclass)) { 992 if (policydb.allow_unknown) 993 goto allow; 994 goto out; 995 } 996 997 context_struct_compute_av(scontext, tcontext, tclass, avd); 998 out: 999 read_unlock(&policy_rwlock); 1000 return; 1001allow: 1002 avd->allowed = 0xffffffff; 1003 goto out; 1004} 1005 1006/* 1007 * Write the security context string representation of 1008 * the context structure `context' into a dynamically 1009 * allocated string of the correct size. Set `*scontext' 1010 * to point to this string and set `*scontext_len' to 1011 * the length of the string. 1012 */ 1013static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 1014{ 1015 char *scontextp; 1016 1017 if (scontext) 1018 *scontext = NULL; 1019 *scontext_len = 0; 1020 1021 if (context->len) { 1022 *scontext_len = context->len; 1023 *scontext = kstrdup(context->str, GFP_ATOMIC); 1024 if (!(*scontext)) 1025 return -ENOMEM; 1026 return 0; 1027 } 1028 1029 /* Compute the size of the context. */ 1030 *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1; 1031 *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1; 1032 *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1; 1033 *scontext_len += mls_compute_context_len(context); 1034 1035 if (!scontext) 1036 return 0; 1037 1038 /* Allocate space for the context; caller must free this space. */ 1039 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1040 if (!scontextp) 1041 return -ENOMEM; 1042 *scontext = scontextp; 1043 1044 /* 1045 * Copy the user name, role name and type name into the context. 1046 */ 1047 sprintf(scontextp, "%s:%s:%s", 1048 sym_name(&policydb, SYM_USERS, context->user - 1), 1049 sym_name(&policydb, SYM_ROLES, context->role - 1), 1050 sym_name(&policydb, SYM_TYPES, context->type - 1)); 1051 scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1052 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1053 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); 1054 1055 mls_sid_to_context(context, &scontextp); 1056 1057 *scontextp = 0; 1058 1059 return 0; 1060} 1061 1062#include "initial_sid_to_string.h" 1063 1064const char *security_get_initial_sid_context(u32 sid) 1065{ 1066 if (unlikely(sid > SECINITSID_NUM)) 1067 return NULL; 1068 return initial_sid_to_string[sid]; 1069} 1070 1071static int security_sid_to_context_core(u32 sid, char **scontext, 1072 u32 *scontext_len, int force) 1073{ 1074 struct context *context; 1075 int rc = 0; 1076 1077 if (scontext) 1078 *scontext = NULL; 1079 *scontext_len = 0; 1080 1081 if (!ss_initialized) { 1082 if (sid <= SECINITSID_NUM) { 1083 char *scontextp; 1084 1085 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 1086 if (!scontext) 1087 goto out; 1088 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1089 if (!scontextp) { 1090 rc = -ENOMEM; 1091 goto out; 1092 } 1093 strcpy(scontextp, initial_sid_to_string[sid]); 1094 *scontext = scontextp; 1095 goto out; 1096 } 1097 printk(KERN_ERR "SELinux: %s: called before initial " 1098 "load_policy on unknown SID %d\n", __func__, sid); 1099 rc = -EINVAL; 1100 goto out; 1101 } 1102 read_lock(&policy_rwlock); 1103 if (force) 1104 context = sidtab_search_force(&sidtab, sid); 1105 else 1106 context = sidtab_search(&sidtab, sid); 1107 if (!context) { 1108 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1109 __func__, sid); 1110 rc = -EINVAL; 1111 goto out_unlock; 1112 } 1113 rc = context_struct_to_string(context, scontext, scontext_len); 1114out_unlock: 1115 read_unlock(&policy_rwlock); 1116out: 1117 return rc; 1118 1119} 1120 1121/** 1122 * security_sid_to_context - Obtain a context for a given SID. 1123 * @sid: security identifier, SID 1124 * @scontext: security context 1125 * @scontext_len: length in bytes 1126 * 1127 * Write the string representation of the context associated with @sid 1128 * into a dynamically allocated string of the correct size. Set @scontext 1129 * to point to this string and set @scontext_len to the length of the string. 1130 */ 1131int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 1132{ 1133 return security_sid_to_context_core(sid, scontext, scontext_len, 0); 1134} 1135 1136int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) 1137{ 1138 return security_sid_to_context_core(sid, scontext, scontext_len, 1); 1139} 1140 1141/* 1142 * Caveat: Mutates scontext. 1143 */ 1144static int string_to_context_struct(struct policydb *pol, 1145 struct sidtab *sidtabp, 1146 char *scontext, 1147 u32 scontext_len, 1148 struct context *ctx, 1149 u32 def_sid) 1150{ 1151 struct role_datum *role; 1152 struct type_datum *typdatum; 1153 struct user_datum *usrdatum; 1154 char *scontextp, *p, oldc; 1155 int rc = 0; 1156 1157 context_init(ctx); 1158 1159 /* Parse the security context. */ 1160 1161 rc = -EINVAL; 1162 scontextp = (char *) scontext; 1163 1164 /* Extract the user. */ 1165 p = scontextp; 1166 while (*p && *p != ':') 1167 p++; 1168 1169 if (*p == 0) 1170 goto out; 1171 1172 *p++ = 0; 1173 1174 usrdatum = hashtab_search(pol->p_users.table, scontextp); 1175 if (!usrdatum) 1176 goto out; 1177 1178 ctx->user = usrdatum->value; 1179 1180 /* Extract role. */ 1181 scontextp = p; 1182 while (*p && *p != ':') 1183 p++; 1184 1185 if (*p == 0) 1186 goto out; 1187 1188 *p++ = 0; 1189 1190 role = hashtab_search(pol->p_roles.table, scontextp); 1191 if (!role) 1192 goto out; 1193 ctx->role = role->value; 1194 1195 /* Extract type. */ 1196 scontextp = p; 1197 while (*p && *p != ':') 1198 p++; 1199 oldc = *p; 1200 *p++ = 0; 1201 1202 typdatum = hashtab_search(pol->p_types.table, scontextp); 1203 if (!typdatum || typdatum->attribute) 1204 goto out; 1205 1206 ctx->type = typdatum->value; 1207 1208 rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid); 1209 if (rc) 1210 goto out; 1211 1212 rc = -EINVAL; 1213 if ((p - scontext) < scontext_len) 1214 goto out; 1215 1216 /* Check the validity of the new context. */ 1217 if (!policydb_context_isvalid(pol, ctx)) 1218 goto out; 1219 rc = 0; 1220out: 1221 if (rc) 1222 context_destroy(ctx); 1223 return rc; 1224} 1225 1226static int security_context_to_sid_core(const char *scontext, u32 scontext_len, 1227 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1228 int force) 1229{ 1230 char *scontext2, *str = NULL; 1231 struct context context; 1232 int rc = 0; 1233 1234 if (!ss_initialized) { 1235 int i; 1236 1237 for (i = 1; i < SECINITSID_NUM; i++) { 1238 if (!strcmp(initial_sid_to_string[i], scontext)) { 1239 *sid = i; 1240 return 0; 1241 } 1242 } 1243 *sid = SECINITSID_KERNEL; 1244 return 0; 1245 } 1246 *sid = SECSID_NULL; 1247 1248 /* Copy the string so that we can modify the copy as we parse it. */ 1249 scontext2 = kmalloc(scontext_len + 1, gfp_flags); 1250 if (!scontext2) 1251 return -ENOMEM; 1252 memcpy(scontext2, scontext, scontext_len); 1253 scontext2[scontext_len] = 0; 1254 1255 if (force) { 1256 /* Save another copy for storing in uninterpreted form */ 1257 rc = -ENOMEM; 1258 str = kstrdup(scontext2, gfp_flags); 1259 if (!str) 1260 goto out; 1261 } 1262 1263 read_lock(&policy_rwlock); 1264 rc = string_to_context_struct(&policydb, &sidtab, scontext2, 1265 scontext_len, &context, def_sid); 1266 if (rc == -EINVAL && force) { 1267 context.str = str; 1268 context.len = scontext_len; 1269 str = NULL; 1270 } else if (rc) 1271 goto out_unlock; 1272 rc = sidtab_context_to_sid(&sidtab, &context, sid); 1273 context_destroy(&context); 1274out_unlock: 1275 read_unlock(&policy_rwlock); 1276out: 1277 kfree(scontext2); 1278 kfree(str); 1279 return rc; 1280} 1281 1282/** 1283 * security_context_to_sid - Obtain a SID for a given security context. 1284 * @scontext: security context 1285 * @scontext_len: length in bytes 1286 * @sid: security identifier, SID 1287 * 1288 * Obtains a SID associated with the security context that 1289 * has the string representation specified by @scontext. 1290 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1291 * memory is available, or 0 on success. 1292 */ 1293int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) 1294{ 1295 return security_context_to_sid_core(scontext, scontext_len, 1296 sid, SECSID_NULL, GFP_KERNEL, 0); 1297} 1298 1299/** 1300 * security_context_to_sid_default - Obtain a SID for a given security context, 1301 * falling back to specified default if needed. 1302 * 1303 * @scontext: security context 1304 * @scontext_len: length in bytes 1305 * @sid: security identifier, SID 1306 * @def_sid: default SID to assign on error 1307 * 1308 * Obtains a SID associated with the security context that 1309 * has the string representation specified by @scontext. 1310 * The default SID is passed to the MLS layer to be used to allow 1311 * kernel labeling of the MLS field if the MLS field is not present 1312 * (for upgrading to MLS without full relabel). 1313 * Implicitly forces adding of the context even if it cannot be mapped yet. 1314 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1315 * memory is available, or 0 on success. 1316 */ 1317int security_context_to_sid_default(const char *scontext, u32 scontext_len, 1318 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1319{ 1320 return security_context_to_sid_core(scontext, scontext_len, 1321 sid, def_sid, gfp_flags, 1); 1322} 1323 1324int security_context_to_sid_force(const char *scontext, u32 scontext_len, 1325 u32 *sid) 1326{ 1327 return security_context_to_sid_core(scontext, scontext_len, 1328 sid, SECSID_NULL, GFP_KERNEL, 1); 1329} 1330 1331static int compute_sid_handle_invalid_context( 1332 struct context *scontext, 1333 struct context *tcontext, 1334 u16 tclass, 1335 struct context *newcontext) 1336{ 1337 char *s = NULL, *t = NULL, *n = NULL; 1338 u32 slen, tlen, nlen; 1339 1340 if (context_struct_to_string(scontext, &s, &slen)) 1341 goto out; 1342 if (context_struct_to_string(tcontext, &t, &tlen)) 1343 goto out; 1344 if (context_struct_to_string(newcontext, &n, &nlen)) 1345 goto out; 1346 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1347 "security_compute_sid: invalid context %s" 1348 " for scontext=%s" 1349 " tcontext=%s" 1350 " tclass=%s", 1351 n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 1352out: 1353 kfree(s); 1354 kfree(t); 1355 kfree(n); 1356 if (!selinux_enforcing) 1357 return 0; 1358 return -EACCES; 1359} 1360 1361static void filename_compute_type(struct policydb *p, struct context *newcontext, 1362 u32 scon, u32 tcon, u16 tclass, 1363 const struct qstr *qstr) 1364{ 1365 struct filename_trans *ft; 1366 for (ft = p->filename_trans; ft; ft = ft->next) { 1367 if (ft->stype == scon && 1368 ft->ttype == tcon && 1369 ft->tclass == tclass && 1370 !strcmp(ft->name, qstr->name)) { 1371 newcontext->type = ft->otype; 1372 return; 1373 } 1374 } 1375} 1376 1377static int security_compute_sid(u32 ssid, 1378 u32 tsid, 1379 u16 orig_tclass, 1380 u32 specified, 1381 const struct qstr *qstr, 1382 u32 *out_sid, 1383 bool kern) 1384{ 1385 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1386 struct role_trans *roletr = NULL; 1387 struct avtab_key avkey; 1388 struct avtab_datum *avdatum; 1389 struct avtab_node *node; 1390 u16 tclass; 1391 int rc = 0; 1392 bool sock; 1393 1394 if (!ss_initialized) { 1395 switch (orig_tclass) { 1396 case SECCLASS_PROCESS: /* kernel value */ 1397 *out_sid = ssid; 1398 break; 1399 default: 1400 *out_sid = tsid; 1401 break; 1402 } 1403 goto out; 1404 } 1405 1406 context_init(&newcontext); 1407 1408 read_lock(&policy_rwlock); 1409 1410 if (kern) { 1411 tclass = unmap_class(orig_tclass); 1412 sock = security_is_socket_class(orig_tclass); 1413 } else { 1414 tclass = orig_tclass; 1415 sock = security_is_socket_class(map_class(tclass)); 1416 } 1417 1418 scontext = sidtab_search(&sidtab, ssid); 1419 if (!scontext) { 1420 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1421 __func__, ssid); 1422 rc = -EINVAL; 1423 goto out_unlock; 1424 } 1425 tcontext = sidtab_search(&sidtab, tsid); 1426 if (!tcontext) { 1427 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1428 __func__, tsid); 1429 rc = -EINVAL; 1430 goto out_unlock; 1431 } 1432 1433 /* Set the user identity. */ 1434 switch (specified) { 1435 case AVTAB_TRANSITION: 1436 case AVTAB_CHANGE: 1437 /* Use the process user identity. */ 1438 newcontext.user = scontext->user; 1439 break; 1440 case AVTAB_MEMBER: 1441 /* Use the related object owner. */ 1442 newcontext.user = tcontext->user; 1443 break; 1444 } 1445 1446 /* Set the role and type to default values. */ 1447 if ((tclass == policydb.process_class) || (sock == true)) { 1448 /* Use the current role and type of process. */ 1449 newcontext.role = scontext->role; 1450 newcontext.type = scontext->type; 1451 } else { 1452 /* Use the well-defined object role. */ 1453 newcontext.role = OBJECT_R_VAL; 1454 /* Use the type of the related object. */ 1455 newcontext.type = tcontext->type; 1456 } 1457 1458 /* Look for a type transition/member/change rule. */ 1459 avkey.source_type = scontext->type; 1460 avkey.target_type = tcontext->type; 1461 avkey.target_class = tclass; 1462 avkey.specified = specified; 1463 avdatum = avtab_search(&policydb.te_avtab, &avkey); 1464 1465 /* If no permanent rule, also check for enabled conditional rules */ 1466 if (!avdatum) { 1467 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 1468 for (; node; node = avtab_search_node_next(node, specified)) { 1469 if (node->key.specified & AVTAB_ENABLED) { 1470 avdatum = &node->datum; 1471 break; 1472 } 1473 } 1474 } 1475 1476 if (avdatum) { 1477 /* Use the type from the type transition/member/change rule. */ 1478 newcontext.type = avdatum->data; 1479 } 1480 1481 /* if we have a qstr this is a file trans check so check those rules */ 1482 if (qstr) 1483 filename_compute_type(&policydb, &newcontext, scontext->type, 1484 tcontext->type, tclass, qstr); 1485 1486 /* Check for class-specific changes. */ 1487 if (tclass == policydb.process_class) { 1488 if (specified & AVTAB_TRANSITION) { 1489 /* Look for a role transition rule. */ 1490 for (roletr = policydb.role_tr; roletr; 1491 roletr = roletr->next) { 1492 if (roletr->role == scontext->role && 1493 roletr->type == tcontext->type) { 1494 /* Use the role transition rule. */ 1495 newcontext.role = roletr->new_role; 1496 break; 1497 } 1498 } 1499 } 1500 } 1501 1502 /* Set the MLS attributes. 1503 This is done last because it may allocate memory. */ 1504 rc = mls_compute_sid(scontext, tcontext, tclass, specified, 1505 &newcontext, sock); 1506 if (rc) 1507 goto out_unlock; 1508 1509 /* Check the validity of the context. */ 1510 if (!policydb_context_isvalid(&policydb, &newcontext)) { 1511 rc = compute_sid_handle_invalid_context(scontext, 1512 tcontext, 1513 tclass, 1514 &newcontext); 1515 if (rc) 1516 goto out_unlock; 1517 } 1518 /* Obtain the sid for the context. */ 1519 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 1520out_unlock: 1521 read_unlock(&policy_rwlock); 1522 context_destroy(&newcontext); 1523out: 1524 return rc; 1525} 1526 1527/** 1528 * security_transition_sid - Compute the SID for a new subject/object. 1529 * @ssid: source security identifier 1530 * @tsid: target security identifier 1531 * @tclass: target security class 1532 * @out_sid: security identifier for new subject/object 1533 * 1534 * Compute a SID to use for labeling a new subject or object in the 1535 * class @tclass based on a SID pair (@ssid, @tsid). 1536 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1537 * if insufficient memory is available, or %0 if the new SID was 1538 * computed successfully. 1539 */ 1540int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, 1541 const struct qstr *qstr, u32 *out_sid) 1542{ 1543 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1544 qstr, out_sid, true); 1545} 1546 1547int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid) 1548{ 1549 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1550 NULL, out_sid, false); 1551} 1552 1553/** 1554 * security_member_sid - Compute the SID for member selection. 1555 * @ssid: source security identifier 1556 * @tsid: target security identifier 1557 * @tclass: target security class 1558 * @out_sid: security identifier for selected member 1559 * 1560 * Compute a SID to use when selecting a member of a polyinstantiated 1561 * object of class @tclass based on a SID pair (@ssid, @tsid). 1562 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1563 * if insufficient memory is available, or %0 if the SID was 1564 * computed successfully. 1565 */ 1566int security_member_sid(u32 ssid, 1567 u32 tsid, 1568 u16 tclass, 1569 u32 *out_sid) 1570{ 1571 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL, 1572 out_sid, false); 1573} 1574 1575/** 1576 * security_change_sid - Compute the SID for object relabeling. 1577 * @ssid: source security identifier 1578 * @tsid: target security identifier 1579 * @tclass: target security class 1580 * @out_sid: security identifier for selected member 1581 * 1582 * Compute a SID to use for relabeling an object of class @tclass 1583 * based on a SID pair (@ssid, @tsid). 1584 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1585 * if insufficient memory is available, or %0 if the SID was 1586 * computed successfully. 1587 */ 1588int security_change_sid(u32 ssid, 1589 u32 tsid, 1590 u16 tclass, 1591 u32 *out_sid) 1592{ 1593 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL, 1594 out_sid, false); 1595} 1596 1597/* Clone the SID into the new SID table. */ 1598static int clone_sid(u32 sid, 1599 struct context *context, 1600 void *arg) 1601{ 1602 struct sidtab *s = arg; 1603 1604 if (sid > SECINITSID_NUM) 1605 return sidtab_insert(s, sid, context); 1606 else 1607 return 0; 1608} 1609 1610static inline int convert_context_handle_invalid_context(struct context *context) 1611{ 1612 char *s; 1613 u32 len; 1614 1615 if (selinux_enforcing) 1616 return -EINVAL; 1617 1618 if (!context_struct_to_string(context, &s, &len)) { 1619 printk(KERN_WARNING "SELinux: Context %s would be invalid if enforcing\n", s); 1620 kfree(s); 1621 } 1622 return 0; 1623} 1624 1625struct convert_context_args { 1626 struct policydb *oldp; 1627 struct policydb *newp; 1628}; 1629 1630/* 1631 * Convert the values in the security context 1632 * structure `c' from the values specified 1633 * in the policy `p->oldp' to the values specified 1634 * in the policy `p->newp'. Verify that the 1635 * context is valid under the new policy. 1636 */ 1637static int convert_context(u32 key, 1638 struct context *c, 1639 void *p) 1640{ 1641 struct convert_context_args *args; 1642 struct context oldc; 1643 struct ocontext *oc; 1644 struct mls_range *range; 1645 struct role_datum *role; 1646 struct type_datum *typdatum; 1647 struct user_datum *usrdatum; 1648 char *s; 1649 u32 len; 1650 int rc = 0; 1651 1652 if (key <= SECINITSID_NUM) 1653 goto out; 1654 1655 args = p; 1656 1657 if (c->str) { 1658 struct context ctx; 1659 1660 rc = -ENOMEM; 1661 s = kstrdup(c->str, GFP_KERNEL); 1662 if (!s) 1663 goto out; 1664 1665 rc = string_to_context_struct(args->newp, NULL, s, 1666 c->len, &ctx, SECSID_NULL); 1667 kfree(s); 1668 if (!rc) { 1669 printk(KERN_INFO "SELinux: Context %s became valid (mapped).\n", 1670 c->str); 1671 /* Replace string with mapped representation. */ 1672 kfree(c->str); 1673 memcpy(c, &ctx, sizeof(*c)); 1674 goto out; 1675 } else if (rc == -EINVAL) { 1676 /* Retain string representation for later mapping. */ 1677 rc = 0; 1678 goto out; 1679 } else { 1680 /* Other error condition, e.g. ENOMEM. */ 1681 printk(KERN_ERR "SELinux: Unable to map context %s, rc = %d.\n", 1682 c->str, -rc); 1683 goto out; 1684 } 1685 } 1686 1687 rc = context_cpy(&oldc, c); 1688 if (rc) 1689 goto out; 1690 1691 /* Convert the user. */ 1692 rc = -EINVAL; 1693 usrdatum = hashtab_search(args->newp->p_users.table, 1694 sym_name(args->oldp, SYM_USERS, c->user - 1)); 1695 if (!usrdatum) 1696 goto bad; 1697 c->user = usrdatum->value; 1698 1699 /* Convert the role. */ 1700 rc = -EINVAL; 1701 role = hashtab_search(args->newp->p_roles.table, 1702 sym_name(args->oldp, SYM_ROLES, c->role - 1)); 1703 if (!role) 1704 goto bad; 1705 c->role = role->value; 1706 1707 /* Convert the type. */ 1708 rc = -EINVAL; 1709 typdatum = hashtab_search(args->newp->p_types.table, 1710 sym_name(args->oldp, SYM_TYPES, c->type - 1)); 1711 if (!typdatum) 1712 goto bad; 1713 c->type = typdatum->value; 1714 1715 /* Convert the MLS fields if dealing with MLS policies */ 1716 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 1717 rc = mls_convert_context(args->oldp, args->newp, c); 1718 if (rc) 1719 goto bad; 1720 } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) { 1721 /* 1722 * Switching between MLS and non-MLS policy: 1723 * free any storage used by the MLS fields in the 1724 * context for all existing entries in the sidtab. 1725 */ 1726 mls_context_destroy(c); 1727 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { 1728 /* 1729 * Switching between non-MLS and MLS policy: 1730 * ensure that the MLS fields of the context for all 1731 * existing entries in the sidtab are filled in with a 1732 * suitable default value, likely taken from one of the 1733 * initial SIDs. 1734 */ 1735 oc = args->newp->ocontexts[OCON_ISID]; 1736 while (oc && oc->sid[0] != SECINITSID_UNLABELED) 1737 oc = oc->next; 1738 rc = -EINVAL; 1739 if (!oc) { 1740 printk(KERN_ERR "SELinux: unable to look up" 1741 " the initial SIDs list\n"); 1742 goto bad; 1743 } 1744 range = &oc->context[0].range; 1745 rc = mls_range_set(c, range); 1746 if (rc) 1747 goto bad; 1748 } 1749 1750 /* Check the validity of the new context. */ 1751 if (!policydb_context_isvalid(args->newp, c)) { 1752 rc = convert_context_handle_invalid_context(&oldc); 1753 if (rc) 1754 goto bad; 1755 } 1756 1757 context_destroy(&oldc); 1758 1759 rc = 0; 1760out: 1761 return rc; 1762bad: 1763 /* Map old representation to string and save it. */ 1764 rc = context_struct_to_string(&oldc, &s, &len); 1765 if (rc) 1766 return rc; 1767 context_destroy(&oldc); 1768 context_destroy(c); 1769 c->str = s; 1770 c->len = len; 1771 printk(KERN_INFO "SELinux: Context %s became invalid (unmapped).\n", 1772 c->str); 1773 rc = 0; 1774 goto out; 1775} 1776 1777static void security_load_policycaps(void) 1778{ 1779 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1780 POLICYDB_CAPABILITY_NETPEER); 1781 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1782 POLICYDB_CAPABILITY_OPENPERM); 1783} 1784 1785extern void selinux_complete_init(void); 1786static int security_preserve_bools(struct policydb *p); 1787 1788/** 1789 * security_load_policy - Load a security policy configuration. 1790 * @data: binary policy data 1791 * @len: length of data in bytes 1792 * 1793 * Load a new set of security policy configuration data, 1794 * validate it and convert the SID table as necessary. 1795 * This function will flush the access vector cache after 1796 * loading the new policy. 1797 */ 1798int security_load_policy(void *data, size_t len) 1799{ 1800 struct policydb oldpolicydb, newpolicydb; 1801 struct sidtab oldsidtab, newsidtab; 1802 struct selinux_mapping *oldmap, *map = NULL; 1803 struct convert_context_args args; 1804 u32 seqno; 1805 u16 map_size; 1806 int rc = 0; 1807 struct policy_file file = { data, len }, *fp = &file; 1808 1809 if (!ss_initialized) { 1810 avtab_cache_init(); 1811 rc = policydb_read(&policydb, fp); 1812 if (rc) { 1813 avtab_cache_destroy(); 1814 return rc; 1815 } 1816 1817 policydb.len = len; 1818 rc = selinux_set_mapping(&policydb, secclass_map, 1819 ¤t_mapping, 1820 ¤t_mapping_size); 1821 if (rc) { 1822 policydb_destroy(&policydb); 1823 avtab_cache_destroy(); 1824 return rc; 1825 } 1826 1827 rc = policydb_load_isids(&policydb, &sidtab); 1828 if (rc) { 1829 policydb_destroy(&policydb); 1830 avtab_cache_destroy(); 1831 return rc; 1832 } 1833 1834 security_load_policycaps(); 1835 ss_initialized = 1; 1836 seqno = ++latest_granting; 1837 selinux_complete_init(); 1838 avc_ss_reset(seqno); 1839 selnl_notify_policyload(seqno); 1840 selinux_status_update_policyload(seqno); 1841 selinux_netlbl_cache_invalidate(); 1842 selinux_xfrm_notify_policyload(); 1843 return 0; 1844 } 1845 1846#if 0 1847 sidtab_hash_eval(&sidtab, "sids"); 1848#endif 1849 1850 rc = policydb_read(&newpolicydb, fp); 1851 if (rc) 1852 return rc; 1853 1854 newpolicydb.len = len; 1855 /* If switching between different policy types, log MLS status */ 1856 if (policydb.mls_enabled && !newpolicydb.mls_enabled) 1857 printk(KERN_INFO "SELinux: Disabling MLS support...\n"); 1858 else if (!policydb.mls_enabled && newpolicydb.mls_enabled) 1859 printk(KERN_INFO "SELinux: Enabling MLS support...\n"); 1860 1861 rc = policydb_load_isids(&newpolicydb, &newsidtab); 1862 if (rc) { 1863 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n"); 1864 policydb_destroy(&newpolicydb); 1865 return rc; 1866 } 1867 1868 rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size); 1869 if (rc) 1870 goto err; 1871 1872 rc = security_preserve_bools(&newpolicydb); 1873 if (rc) { 1874 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 1875 goto err; 1876 } 1877 1878 /* Clone the SID table. */ 1879 sidtab_shutdown(&sidtab); 1880 1881 rc = sidtab_map(&sidtab, clone_sid, &newsidtab); 1882 if (rc) 1883 goto err; 1884 1885 /* 1886 * Convert the internal representations of contexts 1887 * in the new SID table. 1888 */ 1889 args.oldp = &policydb; 1890 args.newp = &newpolicydb; 1891 rc = sidtab_map(&newsidtab, convert_context, &args); 1892 if (rc) { 1893 printk(KERN_ERR "SELinux: unable to convert the internal" 1894 " representation of contexts in the new SID" 1895 " table\n"); 1896 goto err; 1897 } 1898 1899 /* Save the old policydb and SID table to free later. */ 1900 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1901 sidtab_set(&oldsidtab, &sidtab); 1902 1903 /* Install the new policydb and SID table. */ 1904 write_lock_irq(&policy_rwlock); 1905 memcpy(&policydb, &newpolicydb, sizeof policydb); 1906 sidtab_set(&sidtab, &newsidtab); 1907 security_load_policycaps(); 1908 oldmap = current_mapping; 1909 current_mapping = map; 1910 current_mapping_size = map_size; 1911 seqno = ++latest_granting; 1912 write_unlock_irq(&policy_rwlock); 1913 1914 /* Free the old policydb and SID table. */ 1915 policydb_destroy(&oldpolicydb); 1916 sidtab_destroy(&oldsidtab); 1917 kfree(oldmap); 1918 1919 avc_ss_reset(seqno); 1920 selnl_notify_policyload(seqno); 1921 selinux_status_update_policyload(seqno); 1922 selinux_netlbl_cache_invalidate(); 1923 selinux_xfrm_notify_policyload(); 1924 1925 return 0; 1926 1927err: 1928 kfree(map); 1929 sidtab_destroy(&newsidtab); 1930 policydb_destroy(&newpolicydb); 1931 return rc; 1932 1933} 1934 1935size_t security_policydb_len(void) 1936{ 1937 size_t len; 1938 1939 read_lock(&policy_rwlock); 1940 len = policydb.len; 1941 read_unlock(&policy_rwlock); 1942 1943 return len; 1944} 1945 1946/** 1947 * security_port_sid - Obtain the SID for a port. 1948 * @protocol: protocol number 1949 * @port: port number 1950 * @out_sid: security identifier 1951 */ 1952int security_port_sid(u8 protocol, u16 port, u32 *out_sid) 1953{ 1954 struct ocontext *c; 1955 int rc = 0; 1956 1957 read_lock(&policy_rwlock); 1958 1959 c = policydb.ocontexts[OCON_PORT]; 1960 while (c) { 1961 if (c->u.port.protocol == protocol && 1962 c->u.port.low_port <= port && 1963 c->u.port.high_port >= port) 1964 break; 1965 c = c->next; 1966 } 1967 1968 if (c) { 1969 if (!c->sid[0]) { 1970 rc = sidtab_context_to_sid(&sidtab, 1971 &c->context[0], 1972 &c->sid[0]); 1973 if (rc) 1974 goto out; 1975 } 1976 *out_sid = c->sid[0]; 1977 } else { 1978 *out_sid = SECINITSID_PORT; 1979 } 1980 1981out: 1982 read_unlock(&policy_rwlock); 1983 return rc; 1984} 1985 1986/** 1987 * security_netif_sid - Obtain the SID for a network interface. 1988 * @name: interface name 1989 * @if_sid: interface SID 1990 */ 1991int security_netif_sid(char *name, u32 *if_sid) 1992{ 1993 int rc = 0; 1994 struct ocontext *c; 1995 1996 read_lock(&policy_rwlock); 1997 1998 c = policydb.ocontexts[OCON_NETIF]; 1999 while (c) { 2000 if (strcmp(name, c->u.name) == 0) 2001 break; 2002 c = c->next; 2003 } 2004 2005 if (c) { 2006 if (!c->sid[0] || !c->sid[1]) { 2007 rc = sidtab_context_to_sid(&sidtab, 2008 &c->context[0], 2009 &c->sid[0]); 2010 if (rc) 2011 goto out; 2012 rc = sidtab_context_to_sid(&sidtab, 2013 &c->context[1], 2014 &c->sid[1]); 2015 if (rc) 2016 goto out; 2017 } 2018 *if_sid = c->sid[0]; 2019 } else 2020 *if_sid = SECINITSID_NETIF; 2021 2022out: 2023 read_unlock(&policy_rwlock); 2024 return rc; 2025} 2026 2027static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 2028{ 2029 int i, fail = 0; 2030 2031 for (i = 0; i < 4; i++) 2032 if (addr[i] != (input[i] & mask[i])) { 2033 fail = 1; 2034 break; 2035 } 2036 2037 return !fail; 2038} 2039 2040/** 2041 * security_node_sid - Obtain the SID for a node (host). 2042 * @domain: communication domain aka address family 2043 * @addrp: address 2044 * @addrlen: address length in bytes 2045 * @out_sid: security identifier 2046 */ 2047int security_node_sid(u16 domain, 2048 void *addrp, 2049 u32 addrlen, 2050 u32 *out_sid) 2051{ 2052 int rc; 2053 struct ocontext *c; 2054 2055 read_lock(&policy_rwlock); 2056 2057 switch (domain) { 2058 case AF_INET: { 2059 u32 addr; 2060 2061 rc = -EINVAL; 2062 if (addrlen != sizeof(u32)) 2063 goto out; 2064 2065 addr = *((u32 *)addrp); 2066 2067 c = policydb.ocontexts[OCON_NODE]; 2068 while (c) { 2069 if (c->u.node.addr == (addr & c->u.node.mask)) 2070 break; 2071 c = c->next; 2072 } 2073 break; 2074 } 2075 2076 case AF_INET6: 2077 rc = -EINVAL; 2078 if (addrlen != sizeof(u64) * 2) 2079 goto out; 2080 c = policydb.ocontexts[OCON_NODE6]; 2081 while (c) { 2082 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 2083 c->u.node6.mask)) 2084 break; 2085 c = c->next; 2086 } 2087 break; 2088 2089 default: 2090 rc = 0; 2091 *out_sid = SECINITSID_NODE; 2092 goto out; 2093 } 2094 2095 if (c) { 2096 if (!c->sid[0]) { 2097 rc = sidtab_context_to_sid(&sidtab, 2098 &c->context[0], 2099 &c->sid[0]); 2100 if (rc) 2101 goto out; 2102 } 2103 *out_sid = c->sid[0]; 2104 } else { 2105 *out_sid = SECINITSID_NODE; 2106 } 2107 2108 rc = 0; 2109out: 2110 read_unlock(&policy_rwlock); 2111 return rc; 2112} 2113 2114#define SIDS_NEL 25 2115 2116/** 2117 * security_get_user_sids - Obtain reachable SIDs for a user. 2118 * @fromsid: starting SID 2119 * @username: username 2120 * @sids: array of reachable SIDs for user 2121 * @nel: number of elements in @sids 2122 * 2123 * Generate the set of SIDs for legal security contexts 2124 * for a given user that can be reached by @fromsid. 2125 * Set *@sids to point to a dynamically allocated 2126 * array containing the set of SIDs. Set *@nel to the 2127 * number of elements in the array. 2128 */ 2129 2130int security_get_user_sids(u32 fromsid, 2131 char *username, 2132 u32 **sids, 2133 u32 *nel) 2134{ 2135 struct context *fromcon, usercon; 2136 u32 *mysids = NULL, *mysids2, sid; 2137 u32 mynel = 0, maxnel = SIDS_NEL; 2138 struct user_datum *user; 2139 struct role_datum *role; 2140 struct ebitmap_node *rnode, *tnode; 2141 int rc = 0, i, j; 2142 2143 *sids = NULL; 2144 *nel = 0; 2145 2146 if (!ss_initialized) 2147 goto out; 2148 2149 read_lock(&policy_rwlock); 2150 2151 context_init(&usercon); 2152 2153 rc = -EINVAL; 2154 fromcon = sidtab_search(&sidtab, fromsid); 2155 if (!fromcon) 2156 goto out_unlock; 2157 2158 rc = -EINVAL; 2159 user = hashtab_search(policydb.p_users.table, username); 2160 if (!user) 2161 goto out_unlock; 2162 2163 usercon.user = user->value; 2164 2165 rc = -ENOMEM; 2166 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2167 if (!mysids) 2168 goto out_unlock; 2169 2170 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2171 role = policydb.role_val_to_struct[i]; 2172 usercon.role = i + 1; 2173 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2174 usercon.type = j + 1; 2175 2176 if (mls_setup_user_range(fromcon, user, &usercon)) 2177 continue; 2178 2179 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 2180 if (rc) 2181 goto out_unlock; 2182 if (mynel < maxnel) { 2183 mysids[mynel++] = sid; 2184 } else { 2185 rc = -ENOMEM; 2186 maxnel += SIDS_NEL; 2187 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2188 if (!mysids2) 2189 goto out_unlock; 2190 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2191 kfree(mysids); 2192 mysids = mysids2; 2193 mysids[mynel++] = sid; 2194 } 2195 } 2196 } 2197 rc = 0; 2198out_unlock: 2199 read_unlock(&policy_rwlock); 2200 if (rc || !mynel) { 2201 kfree(mysids); 2202 goto out; 2203 } 2204 2205 rc = -ENOMEM; 2206 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2207 if (!mysids2) { 2208 kfree(mysids); 2209 goto out; 2210 } 2211 for (i = 0, j = 0; i < mynel; i++) { 2212 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2213 SECCLASS_PROCESS, /* kernel value */ 2214 PROCESS__TRANSITION, AVC_STRICT, 2215 NULL); 2216 if (!rc) 2217 mysids2[j++] = mysids[i]; 2218 cond_resched(); 2219 } 2220 rc = 0; 2221 kfree(mysids); 2222 *sids = mysids2; 2223 *nel = j; 2224out: 2225 return rc; 2226} 2227 2228/** 2229 * security_genfs_sid - Obtain a SID for a file in a filesystem 2230 * @fstype: filesystem type 2231 * @path: path from root of mount 2232 * @sclass: file security class 2233 * @sid: SID for path 2234 * 2235 * Obtain a SID to use for a file in a filesystem that 2236 * cannot support xattr or use a fixed labeling behavior like 2237 * transition SIDs or task SIDs. 2238 */ 2239int security_genfs_sid(const char *fstype, 2240 char *path, 2241 u16 orig_sclass, 2242 u32 *sid) 2243{ 2244 int len; 2245 u16 sclass; 2246 struct genfs *genfs; 2247 struct ocontext *c; 2248 int rc, cmp = 0; 2249 2250 while (path[0] == '/' && path[1] == '/') 2251 path++; 2252 2253 read_lock(&policy_rwlock); 2254 2255 sclass = unmap_class(orig_sclass); 2256 *sid = SECINITSID_UNLABELED; 2257 2258 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2259 cmp = strcmp(fstype, genfs->fstype); 2260 if (cmp <= 0) 2261 break; 2262 } 2263 2264 rc = -ENOENT; 2265 if (!genfs || cmp) 2266 goto out; 2267 2268 for (c = genfs->head; c; c = c->next) { 2269 len = strlen(c->u.name); 2270 if ((!c->v.sclass || sclass == c->v.sclass) && 2271 (strncmp(c->u.name, path, len) == 0)) 2272 break; 2273 } 2274 2275 rc = -ENOENT; 2276 if (!c) 2277 goto out; 2278 2279 if (!c->sid[0]) { 2280 rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]); 2281 if (rc) 2282 goto out; 2283 } 2284 2285 *sid = c->sid[0]; 2286 rc = 0; 2287out: 2288 read_unlock(&policy_rwlock); 2289 return rc; 2290} 2291 2292/** 2293 * security_fs_use - Determine how to handle labeling for a filesystem. 2294 * @fstype: filesystem type 2295 * @behavior: labeling behavior 2296 * @sid: SID for filesystem (superblock) 2297 */ 2298int security_fs_use( 2299 const char *fstype, 2300 unsigned int *behavior, 2301 u32 *sid) 2302{ 2303 int rc = 0; 2304 struct ocontext *c; 2305 2306 read_lock(&policy_rwlock); 2307 2308 c = policydb.ocontexts[OCON_FSUSE]; 2309 while (c) { 2310 if (strcmp(fstype, c->u.name) == 0) 2311 break; 2312 c = c->next; 2313 } 2314 2315 if (c) { 2316 *behavior = c->v.behavior; 2317 if (!c->sid[0]) { 2318 rc = sidtab_context_to_sid(&sidtab, &c->context[0], 2319 &c->sid[0]); 2320 if (rc) 2321 goto out; 2322 } 2323 *sid = c->sid[0]; 2324 } else { 2325 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2326 if (rc) { 2327 *behavior = SECURITY_FS_USE_NONE; 2328 rc = 0; 2329 } else { 2330 *behavior = SECURITY_FS_USE_GENFS; 2331 } 2332 } 2333 2334out: 2335 read_unlock(&policy_rwlock); 2336 return rc; 2337} 2338 2339int security_get_bools(int *len, char ***names, int **values) 2340{ 2341 int i, rc; 2342 2343 read_lock(&policy_rwlock); 2344 *names = NULL; 2345 *values = NULL; 2346 2347 rc = 0; 2348 *len = policydb.p_bools.nprim; 2349 if (!*len) 2350 goto out; 2351 2352 rc = -ENOMEM; 2353 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2354 if (!*names) 2355 goto err; 2356 2357 rc = -ENOMEM; 2358 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2359 if (!*values) 2360 goto err; 2361 2362 for (i = 0; i < *len; i++) { 2363 size_t name_len; 2364 2365 (*values)[i] = policydb.bool_val_to_struct[i]->state; 2366 name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; 2367 2368 rc = -ENOMEM; 2369 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 2370 if (!(*names)[i]) 2371 goto err; 2372 2373 strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); 2374 (*names)[i][name_len - 1] = 0; 2375 } 2376 rc = 0; 2377out: 2378 read_unlock(&policy_rwlock); 2379 return rc; 2380err: 2381 if (*names) { 2382 for (i = 0; i < *len; i++) 2383 kfree((*names)[i]); 2384 } 2385 kfree(*values); 2386 goto out; 2387} 2388 2389 2390int security_set_bools(int len, int *values) 2391{ 2392 int i, rc; 2393 int lenp, seqno = 0; 2394 struct cond_node *cur; 2395 2396 write_lock_irq(&policy_rwlock); 2397 2398 rc = -EFAULT; 2399 lenp = policydb.p_bools.nprim; 2400 if (len != lenp) 2401 goto out; 2402 2403 for (i = 0; i < len; i++) { 2404 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 2405 audit_log(current->audit_context, GFP_ATOMIC, 2406 AUDIT_MAC_CONFIG_CHANGE, 2407 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2408 sym_name(&policydb, SYM_BOOLS, i), 2409 !!values[i], 2410 policydb.bool_val_to_struct[i]->state, 2411 audit_get_loginuid(current), 2412 audit_get_sessionid(current)); 2413 } 2414 if (values[i]) 2415 policydb.bool_val_to_struct[i]->state = 1; 2416 else 2417 policydb.bool_val_to_struct[i]->state = 0; 2418 } 2419 2420 for (cur = policydb.cond_list; cur; cur = cur->next) { 2421 rc = evaluate_cond_node(&policydb, cur); 2422 if (rc) 2423 goto out; 2424 } 2425 2426 seqno = ++latest_granting; 2427 rc = 0; 2428out: 2429 write_unlock_irq(&policy_rwlock); 2430 if (!rc) { 2431 avc_ss_reset(seqno); 2432 selnl_notify_policyload(seqno); 2433 selinux_status_update_policyload(seqno); 2434 selinux_xfrm_notify_policyload(); 2435 } 2436 return rc; 2437} 2438 2439int security_get_bool_value(int bool) 2440{ 2441 int rc; 2442 int len; 2443 2444 read_lock(&policy_rwlock); 2445 2446 rc = -EFAULT; 2447 len = policydb.p_bools.nprim; 2448 if (bool >= len) 2449 goto out; 2450 2451 rc = policydb.bool_val_to_struct[bool]->state; 2452out: 2453 read_unlock(&policy_rwlock); 2454 return rc; 2455} 2456 2457static int security_preserve_bools(struct policydb *p) 2458{ 2459 int rc, nbools = 0, *bvalues = NULL, i; 2460 char **bnames = NULL; 2461 struct cond_bool_datum *booldatum; 2462 struct cond_node *cur; 2463 2464 rc = security_get_bools(&nbools, &bnames, &bvalues); 2465 if (rc) 2466 goto out; 2467 for (i = 0; i < nbools; i++) { 2468 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 2469 if (booldatum) 2470 booldatum->state = bvalues[i]; 2471 } 2472 for (cur = p->cond_list; cur; cur = cur->next) { 2473 rc = evaluate_cond_node(p, cur); 2474 if (rc) 2475 goto out; 2476 } 2477 2478out: 2479 if (bnames) { 2480 for (i = 0; i < nbools; i++) 2481 kfree(bnames[i]); 2482 } 2483 kfree(bnames); 2484 kfree(bvalues); 2485 return rc; 2486} 2487 2488/* 2489 * security_sid_mls_copy() - computes a new sid based on the given 2490 * sid and the mls portion of mls_sid. 2491 */ 2492int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 2493{ 2494 struct context *context1; 2495 struct context *context2; 2496 struct context newcon; 2497 char *s; 2498 u32 len; 2499 int rc; 2500 2501 rc = 0; 2502 if (!ss_initialized || !policydb.mls_enabled) { 2503 *new_sid = sid; 2504 goto out; 2505 } 2506 2507 context_init(&newcon); 2508 2509 read_lock(&policy_rwlock); 2510 2511 rc = -EINVAL; 2512 context1 = sidtab_search(&sidtab, sid); 2513 if (!context1) { 2514 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2515 __func__, sid); 2516 goto out_unlock; 2517 } 2518 2519 rc = -EINVAL; 2520 context2 = sidtab_search(&sidtab, mls_sid); 2521 if (!context2) { 2522 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2523 __func__, mls_sid); 2524 goto out_unlock; 2525 } 2526 2527 newcon.user = context1->user; 2528 newcon.role = context1->role; 2529 newcon.type = context1->type; 2530 rc = mls_context_cpy(&newcon, context2); 2531 if (rc) 2532 goto out_unlock; 2533 2534 /* Check the validity of the new context. */ 2535 if (!policydb_context_isvalid(&policydb, &newcon)) { 2536 rc = convert_context_handle_invalid_context(&newcon); 2537 if (rc) { 2538 if (!context_struct_to_string(&newcon, &s, &len)) { 2539 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2540 "security_sid_mls_copy: invalid context %s", s); 2541 kfree(s); 2542 } 2543 goto out_unlock; 2544 } 2545 } 2546 2547 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 2548out_unlock: 2549 read_unlock(&policy_rwlock); 2550 context_destroy(&newcon); 2551out: 2552 return rc; 2553} 2554 2555/** 2556 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 2557 * @nlbl_sid: NetLabel SID 2558 * @nlbl_type: NetLabel labeling protocol type 2559 * @xfrm_sid: XFRM SID 2560 * 2561 * Description: 2562 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 2563 * resolved into a single SID it is returned via @peer_sid and the function 2564 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 2565 * returns a negative value. A table summarizing the behavior is below: 2566 * 2567 * | function return | @sid 2568 * ------------------------------+-----------------+----------------- 2569 * no peer labels | 0 | SECSID_NULL 2570 * single peer label | 0 | <peer_label> 2571 * multiple, consistent labels | 0 | <peer_label> 2572 * multiple, inconsistent labels | -<errno> | SECSID_NULL 2573 * 2574 */ 2575int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, 2576 u32 xfrm_sid, 2577 u32 *peer_sid) 2578{ 2579 int rc; 2580 struct context *nlbl_ctx; 2581 struct context *xfrm_ctx; 2582 2583 *peer_sid = SECSID_NULL; 2584 2585 /* handle the common (which also happens to be the set of easy) cases 2586 * right away, these two if statements catch everything involving a 2587 * single or absent peer SID/label */ 2588 if (xfrm_sid == SECSID_NULL) { 2589 *peer_sid = nlbl_sid; 2590 return 0; 2591 } 2592 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 2593 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 2594 * is present */ 2595 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 2596 *peer_sid = xfrm_sid; 2597 return 0; 2598 } 2599 2600 /* we don't need to check ss_initialized here since the only way both 2601 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2602 * security server was initialized and ss_initialized was true */ 2603 if (!policydb.mls_enabled) 2604 return 0; 2605 2606 read_lock(&policy_rwlock); 2607 2608 rc = -EINVAL; 2609 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2610 if (!nlbl_ctx) { 2611 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2612 __func__, nlbl_sid); 2613 goto out; 2614 } 2615 rc = -EINVAL; 2616 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2617 if (!xfrm_ctx) { 2618 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2619 __func__, xfrm_sid); 2620 goto out; 2621 } 2622 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 2623 if (rc) 2624 goto out; 2625 2626 /* at present NetLabel SIDs/labels really only carry MLS 2627 * information so if the MLS portion of the NetLabel SID 2628 * matches the MLS portion of the labeled XFRM SID/label 2629 * then pass along the XFRM SID as it is the most 2630 * expressive */ 2631 *peer_sid = xfrm_sid; 2632out: 2633 read_unlock(&policy_rwlock); 2634 return rc; 2635} 2636 2637static int get_classes_callback(void *k, void *d, void *args) 2638{ 2639 struct class_datum *datum = d; 2640 char *name = k, **classes = args; 2641 int value = datum->value - 1; 2642 2643 classes[value] = kstrdup(name, GFP_ATOMIC); 2644 if (!classes[value]) 2645 return -ENOMEM; 2646 2647 return 0; 2648} 2649 2650int security_get_classes(char ***classes, int *nclasses) 2651{ 2652 int rc; 2653 2654 read_lock(&policy_rwlock); 2655 2656 rc = -ENOMEM; 2657 *nclasses = policydb.p_classes.nprim; 2658 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 2659 if (!*classes) 2660 goto out; 2661 2662 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2663 *classes); 2664 if (rc) { 2665 int i; 2666 for (i = 0; i < *nclasses; i++) 2667 kfree((*classes)[i]); 2668 kfree(*classes); 2669 } 2670 2671out: 2672 read_unlock(&policy_rwlock); 2673 return rc; 2674} 2675 2676static int get_permissions_callback(void *k, void *d, void *args) 2677{ 2678 struct perm_datum *datum = d; 2679 char *name = k, **perms = args; 2680 int value = datum->value - 1; 2681 2682 perms[value] = kstrdup(name, GFP_ATOMIC); 2683 if (!perms[value]) 2684 return -ENOMEM; 2685 2686 return 0; 2687} 2688 2689int security_get_permissions(char *class, char ***perms, int *nperms) 2690{ 2691 int rc, i; 2692 struct class_datum *match; 2693 2694 read_lock(&policy_rwlock); 2695 2696 rc = -EINVAL; 2697 match = hashtab_search(policydb.p_classes.table, class); 2698 if (!match) { 2699 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", 2700 __func__, class); 2701 goto out; 2702 } 2703 2704 rc = -ENOMEM; 2705 *nperms = match->permissions.nprim; 2706 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 2707 if (!*perms) 2708 goto out; 2709 2710 if (match->comdatum) { 2711 rc = hashtab_map(match->comdatum->permissions.table, 2712 get_permissions_callback, *perms); 2713 if (rc) 2714 goto err; 2715 } 2716 2717 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2718 *perms); 2719 if (rc) 2720 goto err; 2721 2722out: 2723 read_unlock(&policy_rwlock); 2724 return rc; 2725 2726err: 2727 read_unlock(&policy_rwlock); 2728 for (i = 0; i < *nperms; i++) 2729 kfree((*perms)[i]); 2730 kfree(*perms); 2731 return rc; 2732} 2733 2734int security_get_reject_unknown(void) 2735{ 2736 return policydb.reject_unknown; 2737} 2738 2739int security_get_allow_unknown(void) 2740{ 2741 return policydb.allow_unknown; 2742} 2743 2744/** 2745 * security_policycap_supported - Check for a specific policy capability 2746 * @req_cap: capability 2747 * 2748 * Description: 2749 * This function queries the currently loaded policy to see if it supports the 2750 * capability specified by @req_cap. Returns true (1) if the capability is 2751 * supported, false (0) if it isn't supported. 2752 * 2753 */ 2754int security_policycap_supported(unsigned int req_cap) 2755{ 2756 int rc; 2757 2758 read_lock(&policy_rwlock); 2759 rc = ebitmap_get_bit(&policydb.policycaps, req_cap); 2760 read_unlock(&policy_rwlock); 2761 2762 return rc; 2763} 2764 2765struct selinux_audit_rule { 2766 u32 au_seqno; 2767 struct context au_ctxt; 2768}; 2769 2770void selinux_audit_rule_free(void *vrule) 2771{ 2772 struct selinux_audit_rule *rule = vrule; 2773 2774 if (rule) { 2775 context_destroy(&rule->au_ctxt); 2776 kfree(rule); 2777 } 2778} 2779 2780int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2781{ 2782 struct selinux_audit_rule *tmprule; 2783 struct role_datum *roledatum; 2784 struct type_datum *typedatum; 2785 struct user_datum *userdatum; 2786 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 2787 int rc = 0; 2788 2789 *rule = NULL; 2790 2791 if (!ss_initialized) 2792 return -EOPNOTSUPP; 2793 2794 switch (field) { 2795 case AUDIT_SUBJ_USER: 2796 case AUDIT_SUBJ_ROLE: 2797 case AUDIT_SUBJ_TYPE: 2798 case AUDIT_OBJ_USER: 2799 case AUDIT_OBJ_ROLE: 2800 case AUDIT_OBJ_TYPE: 2801 /* only 'equals' and 'not equals' fit user, role, and type */ 2802 if (op != Audit_equal && op != Audit_not_equal) 2803 return -EINVAL; 2804 break; 2805 case AUDIT_SUBJ_SEN: 2806 case AUDIT_SUBJ_CLR: 2807 case AUDIT_OBJ_LEV_LOW: 2808 case AUDIT_OBJ_LEV_HIGH: 2809 /* we do not allow a range, indicated by the presense of '-' */ 2810 if (strchr(rulestr, '-')) 2811 return -EINVAL; 2812 break; 2813 default: 2814 /* only the above fields are valid */ 2815 return -EINVAL; 2816 } 2817 2818 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2819 if (!tmprule) 2820 return -ENOMEM; 2821 2822 context_init(&tmprule->au_ctxt); 2823 2824 read_lock(&policy_rwlock); 2825 2826 tmprule->au_seqno = latest_granting; 2827 2828 switch (field) { 2829 case AUDIT_SUBJ_USER: 2830 case AUDIT_OBJ_USER: 2831 rc = -EINVAL; 2832 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2833 if (!userdatum) 2834 goto out; 2835 tmprule->au_ctxt.user = userdatum->value; 2836 break; 2837 case AUDIT_SUBJ_ROLE: 2838 case AUDIT_OBJ_ROLE: 2839 rc = -EINVAL; 2840 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2841 if (!roledatum) 2842 goto out; 2843 tmprule->au_ctxt.role = roledatum->value; 2844 break; 2845 case AUDIT_SUBJ_TYPE: 2846 case AUDIT_OBJ_TYPE: 2847 rc = -EINVAL; 2848 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2849 if (!typedatum) 2850 goto out; 2851 tmprule->au_ctxt.type = typedatum->value; 2852 break; 2853 case AUDIT_SUBJ_SEN: 2854 case AUDIT_SUBJ_CLR: 2855 case AUDIT_OBJ_LEV_LOW: 2856 case AUDIT_OBJ_LEV_HIGH: 2857 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2858 if (rc) 2859 goto out; 2860 break; 2861 } 2862 rc = 0; 2863out: 2864 read_unlock(&policy_rwlock); 2865 2866 if (rc) { 2867 selinux_audit_rule_free(tmprule); 2868 tmprule = NULL; 2869 } 2870 2871 *rule = tmprule; 2872 2873 return rc; 2874} 2875 2876/* Check to see if the rule contains any selinux fields */ 2877int selinux_audit_rule_known(struct audit_krule *rule) 2878{ 2879 int i; 2880 2881 for (i = 0; i < rule->field_count; i++) { 2882 struct audit_field *f = &rule->fields[i]; 2883 switch (f->type) { 2884 case AUDIT_SUBJ_USER: 2885 case AUDIT_SUBJ_ROLE: 2886 case AUDIT_SUBJ_TYPE: 2887 case AUDIT_SUBJ_SEN: 2888 case AUDIT_SUBJ_CLR: 2889 case AUDIT_OBJ_USER: 2890 case AUDIT_OBJ_ROLE: 2891 case AUDIT_OBJ_TYPE: 2892 case AUDIT_OBJ_LEV_LOW: 2893 case AUDIT_OBJ_LEV_HIGH: 2894 return 1; 2895 } 2896 } 2897 2898 return 0; 2899} 2900 2901int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 2902 struct audit_context *actx) 2903{ 2904 struct context *ctxt; 2905 struct mls_level *level; 2906 struct selinux_audit_rule *rule = vrule; 2907 int match = 0; 2908 2909 if (!rule) { 2910 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2911 "selinux_audit_rule_match: missing rule\n"); 2912 return -ENOENT; 2913 } 2914 2915 read_lock(&policy_rwlock); 2916 2917 if (rule->au_seqno < latest_granting) { 2918 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2919 "selinux_audit_rule_match: stale rule\n"); 2920 match = -ESTALE; 2921 goto out; 2922 } 2923 2924 ctxt = sidtab_search(&sidtab, sid); 2925 if (!ctxt) { 2926 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2927 "selinux_audit_rule_match: unrecognized SID %d\n", 2928 sid); 2929 match = -ENOENT; 2930 goto out; 2931 } 2932 2933 /* a field/op pair that is not caught here will simply fall through 2934 without a match */ 2935 switch (field) { 2936 case AUDIT_SUBJ_USER: 2937 case AUDIT_OBJ_USER: 2938 switch (op) { 2939 case Audit_equal: 2940 match = (ctxt->user == rule->au_ctxt.user); 2941 break; 2942 case Audit_not_equal: 2943 match = (ctxt->user != rule->au_ctxt.user); 2944 break; 2945 } 2946 break; 2947 case AUDIT_SUBJ_ROLE: 2948 case AUDIT_OBJ_ROLE: 2949 switch (op) { 2950 case Audit_equal: 2951 match = (ctxt->role == rule->au_ctxt.role); 2952 break; 2953 case Audit_not_equal: 2954 match = (ctxt->role != rule->au_ctxt.role); 2955 break; 2956 } 2957 break; 2958 case AUDIT_SUBJ_TYPE: 2959 case AUDIT_OBJ_TYPE: 2960 switch (op) { 2961 case Audit_equal: 2962 match = (ctxt->type == rule->au_ctxt.type); 2963 break; 2964 case Audit_not_equal: 2965 match = (ctxt->type != rule->au_ctxt.type); 2966 break; 2967 } 2968 break; 2969 case AUDIT_SUBJ_SEN: 2970 case AUDIT_SUBJ_CLR: 2971 case AUDIT_OBJ_LEV_LOW: 2972 case AUDIT_OBJ_LEV_HIGH: 2973 level = ((field == AUDIT_SUBJ_SEN || 2974 field == AUDIT_OBJ_LEV_LOW) ? 2975 &ctxt->range.level[0] : &ctxt->range.level[1]); 2976 switch (op) { 2977 case Audit_equal: 2978 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2979 level); 2980 break; 2981 case Audit_not_equal: 2982 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2983 level); 2984 break; 2985 case Audit_lt: 2986 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2987 level) && 2988 !mls_level_eq(&rule->au_ctxt.range.level[0], 2989 level)); 2990 break; 2991 case Audit_le: 2992 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2993 level); 2994 break; 2995 case Audit_gt: 2996 match = (mls_level_dom(level, 2997 &rule->au_ctxt.range.level[0]) && 2998 !mls_level_eq(level, 2999 &rule->au_ctxt.range.level[0])); 3000 break; 3001 case Audit_ge: 3002 match = mls_level_dom(level, 3003 &rule->au_ctxt.range.level[0]); 3004 break; 3005 } 3006 } 3007 3008out: 3009 read_unlock(&policy_rwlock); 3010 return match; 3011} 3012 3013static int (*aurule_callback)(void) = audit_update_lsm_rules; 3014 3015static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 3016 u16 class, u32 perms, u32 *retained) 3017{ 3018 int err = 0; 3019 3020 if (event == AVC_CALLBACK_RESET && aurule_callback) 3021 err = aurule_callback(); 3022 return err; 3023} 3024 3025static int __init aurule_init(void) 3026{ 3027 int err; 3028 3029 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 3030 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 3031 if (err) 3032 panic("avc_add_callback() failed, error %d\n", err); 3033 3034 return err; 3035} 3036__initcall(aurule_init); 3037 3038#ifdef CONFIG_NETLABEL 3039/** 3040 * security_netlbl_cache_add - Add an entry to the NetLabel cache 3041 * @secattr: the NetLabel packet security attributes 3042 * @sid: the SELinux SID 3043 * 3044 * Description: 3045 * Attempt to cache the context in @ctx, which was derived from the packet in 3046 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 3047 * already been initialized. 3048 * 3049 */ 3050static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 3051 u32 sid) 3052{ 3053 u32 *sid_cache; 3054 3055 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 3056 if (sid_cache == NULL) 3057 return; 3058 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 3059 if (secattr->cache == NULL) { 3060 kfree(sid_cache); 3061 return; 3062 } 3063 3064 *sid_cache = sid; 3065 secattr->cache->free = kfree; 3066 secattr->cache->data = sid_cache; 3067 secattr->flags |= NETLBL_SECATTR_CACHE; 3068} 3069 3070/** 3071 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 3072 * @secattr: the NetLabel packet security attributes 3073 * @sid: the SELinux SID 3074 * 3075 * Description: 3076 * Convert the given NetLabel security attributes in @secattr into a 3077 * SELinux SID. If the @secattr field does not contain a full SELinux 3078 * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the 3079 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 3080 * allow the @secattr to be used by NetLabel to cache the secattr to SID 3081 * conversion for future lookups. Returns zero on success, negative values on 3082 * failure. 3083 * 3084 */ 3085int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 3086 u32 *sid) 3087{ 3088 int rc; 3089 struct context *ctx; 3090 struct context ctx_new; 3091 3092 if (!ss_initialized) { 3093 *sid = SECSID_NULL; 3094 return 0; 3095 } 3096 3097 read_lock(&policy_rwlock); 3098 3099 if (secattr->flags & NETLBL_SECATTR_CACHE) 3100 *sid = *(u32 *)secattr->cache->data; 3101 else if (secattr->flags & NETLBL_SECATTR_SECID) 3102 *sid = secattr->attr.secid; 3103 else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3104 rc = -EIDRM; 3105 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); 3106 if (ctx == NULL) 3107 goto out; 3108 3109 context_init(&ctx_new); 3110 ctx_new.user = ctx->user; 3111 ctx_new.role = ctx->role; 3112 ctx_new.type = ctx->type; 3113 mls_import_netlbl_lvl(&ctx_new, secattr); 3114 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3115 rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 3116 secattr->attr.mls.cat); 3117 if (rc) 3118 goto out; 3119 memcpy(&ctx_new.range.level[1].cat, 3120 &ctx_new.range.level[0].cat, 3121 sizeof(ctx_new.range.level[0].cat)); 3122 } 3123 rc = -EIDRM; 3124 if (!mls_context_isvalid(&policydb, &ctx_new)) 3125 goto out_free; 3126 3127 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 3128 if (rc) 3129 goto out_free; 3130 3131 security_netlbl_cache_add(secattr, *sid); 3132 3133 ebitmap_destroy(&ctx_new.range.level[0].cat); 3134 } else 3135 *sid = SECSID_NULL; 3136 3137 read_unlock(&policy_rwlock); 3138 return 0; 3139out_free: 3140 ebitmap_destroy(&ctx_new.range.level[0].cat); 3141out: 3142 read_unlock(&policy_rwlock); 3143 return rc; 3144} 3145 3146/** 3147 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3148 * @sid: the SELinux SID 3149 * @secattr: the NetLabel packet security attributes 3150 * 3151 * Description: 3152 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3153 * Returns zero on success, negative values on failure. 3154 * 3155 */ 3156int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 3157{ 3158 int rc; 3159 struct context *ctx; 3160 3161 if (!ss_initialized) 3162 return 0; 3163 3164 read_lock(&policy_rwlock); 3165 3166 rc = -ENOENT; 3167 ctx = sidtab_search(&sidtab, sid); 3168 if (ctx == NULL) 3169 goto out; 3170 3171 rc = -ENOMEM; 3172 secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1), 3173 GFP_ATOMIC); 3174 if (secattr->domain == NULL) 3175 goto out; 3176 3177 secattr->attr.secid = sid; 3178 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3179 mls_export_netlbl_lvl(ctx, secattr); 3180 rc = mls_export_netlbl_cat(ctx, secattr); 3181out: 3182 read_unlock(&policy_rwlock); 3183 return rc; 3184} 3185#endif /* CONFIG_NETLABEL */ 3186 3187/** 3188 * security_read_policy - read the policy. 3189 * @data: binary policy data 3190 * @len: length of data in bytes 3191 * 3192 */ 3193int security_read_policy(void **data, ssize_t *len) 3194{ 3195 int rc; 3196 struct policy_file fp; 3197 3198 if (!ss_initialized) 3199 return -EINVAL; 3200 3201 *len = security_policydb_len(); 3202 3203 *data = vmalloc_user(*len); 3204 if (!*data) 3205 return -ENOMEM; 3206 3207 fp.data = *data; 3208 fp.len = *len; 3209 3210 read_lock(&policy_rwlock); 3211 rc = policydb_write(&policydb, &fp); 3212 read_unlock(&policy_rwlock); 3213 3214 if (rc) 3215 return rc; 3216 3217 *len = (unsigned long)fp.data - (unsigned long)*data; 3218 return 0; 3219 3220} 3221