services.c revision 972ccac2b237967ed7e56a50eb181b5a0a484b79
1/* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * Added support for the policy capability bitmap 20 * 21 * Updated: Chad Sellers <csellers@tresys.com> 22 * 23 * Added validation of kernel classes and permissions 24 * 25 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 26 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 29 * This program is free software; you can redistribute it and/or modify 30 * it under the terms of the GNU General Public License as published by 31 * the Free Software Foundation, version 2. 32 */ 33#include <linux/kernel.h> 34#include <linux/slab.h> 35#include <linux/string.h> 36#include <linux/spinlock.h> 37#include <linux/rcupdate.h> 38#include <linux/errno.h> 39#include <linux/in.h> 40#include <linux/sched.h> 41#include <linux/audit.h> 42#include <linux/mutex.h> 43#include <linux/selinux.h> 44#include <net/netlabel.h> 45 46#include "flask.h" 47#include "avc.h" 48#include "avc_ss.h" 49#include "security.h" 50#include "context.h" 51#include "policydb.h" 52#include "sidtab.h" 53#include "services.h" 54#include "conditional.h" 55#include "mls.h" 56#include "objsec.h" 57#include "netlabel.h" 58#include "xfrm.h" 59#include "ebitmap.h" 60#include "audit.h" 61 62extern void selnl_notify_policyload(u32 seqno); 63unsigned int policydb_loaded_version; 64 65int selinux_policycap_netpeer; 66int selinux_policycap_openperm; 67 68/* 69 * This is declared in avc.c 70 */ 71extern const struct selinux_class_perm selinux_class_perm; 72 73static DEFINE_RWLOCK(policy_rwlock); 74static DEFINE_MUTEX(load_mutex); 75 76static struct sidtab sidtab; 77struct policydb policydb; 78int ss_initialized; 79 80/* 81 * The largest sequence number that has been used when 82 * providing an access decision to the access vector cache. 83 * The sequence number only changes when a policy change 84 * occurs. 85 */ 86static u32 latest_granting; 87 88/* Forward declaration. */ 89static int context_struct_to_string(struct context *context, char **scontext, 90 u32 *scontext_len); 91 92/* 93 * Return the boolean value of a constraint expression 94 * when it is applied to the specified source and target 95 * security contexts. 96 * 97 * xcontext is a special beast... It is used by the validatetrans rules 98 * only. For these rules, scontext is the context before the transition, 99 * tcontext is the context after the transition, and xcontext is the context 100 * of the process performing the transition. All other callers of 101 * constraint_expr_eval should pass in NULL for xcontext. 102 */ 103static int constraint_expr_eval(struct context *scontext, 104 struct context *tcontext, 105 struct context *xcontext, 106 struct constraint_expr *cexpr) 107{ 108 u32 val1, val2; 109 struct context *c; 110 struct role_datum *r1, *r2; 111 struct mls_level *l1, *l2; 112 struct constraint_expr *e; 113 int s[CEXPR_MAXDEPTH]; 114 int sp = -1; 115 116 for (e = cexpr; e; e = e->next) { 117 switch (e->expr_type) { 118 case CEXPR_NOT: 119 BUG_ON(sp < 0); 120 s[sp] = !s[sp]; 121 break; 122 case CEXPR_AND: 123 BUG_ON(sp < 1); 124 sp--; 125 s[sp] &= s[sp+1]; 126 break; 127 case CEXPR_OR: 128 BUG_ON(sp < 1); 129 sp--; 130 s[sp] |= s[sp+1]; 131 break; 132 case CEXPR_ATTR: 133 if (sp == (CEXPR_MAXDEPTH-1)) 134 return 0; 135 switch (e->attr) { 136 case CEXPR_USER: 137 val1 = scontext->user; 138 val2 = tcontext->user; 139 break; 140 case CEXPR_TYPE: 141 val1 = scontext->type; 142 val2 = tcontext->type; 143 break; 144 case CEXPR_ROLE: 145 val1 = scontext->role; 146 val2 = tcontext->role; 147 r1 = policydb.role_val_to_struct[val1 - 1]; 148 r2 = policydb.role_val_to_struct[val2 - 1]; 149 switch (e->op) { 150 case CEXPR_DOM: 151 s[++sp] = ebitmap_get_bit(&r1->dominates, 152 val2 - 1); 153 continue; 154 case CEXPR_DOMBY: 155 s[++sp] = ebitmap_get_bit(&r2->dominates, 156 val1 - 1); 157 continue; 158 case CEXPR_INCOMP: 159 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 160 val2 - 1) && 161 !ebitmap_get_bit(&r2->dominates, 162 val1 - 1)); 163 continue; 164 default: 165 break; 166 } 167 break; 168 case CEXPR_L1L2: 169 l1 = &(scontext->range.level[0]); 170 l2 = &(tcontext->range.level[0]); 171 goto mls_ops; 172 case CEXPR_L1H2: 173 l1 = &(scontext->range.level[0]); 174 l2 = &(tcontext->range.level[1]); 175 goto mls_ops; 176 case CEXPR_H1L2: 177 l1 = &(scontext->range.level[1]); 178 l2 = &(tcontext->range.level[0]); 179 goto mls_ops; 180 case CEXPR_H1H2: 181 l1 = &(scontext->range.level[1]); 182 l2 = &(tcontext->range.level[1]); 183 goto mls_ops; 184 case CEXPR_L1H1: 185 l1 = &(scontext->range.level[0]); 186 l2 = &(scontext->range.level[1]); 187 goto mls_ops; 188 case CEXPR_L2H2: 189 l1 = &(tcontext->range.level[0]); 190 l2 = &(tcontext->range.level[1]); 191 goto mls_ops; 192mls_ops: 193 switch (e->op) { 194 case CEXPR_EQ: 195 s[++sp] = mls_level_eq(l1, l2); 196 continue; 197 case CEXPR_NEQ: 198 s[++sp] = !mls_level_eq(l1, l2); 199 continue; 200 case CEXPR_DOM: 201 s[++sp] = mls_level_dom(l1, l2); 202 continue; 203 case CEXPR_DOMBY: 204 s[++sp] = mls_level_dom(l2, l1); 205 continue; 206 case CEXPR_INCOMP: 207 s[++sp] = mls_level_incomp(l2, l1); 208 continue; 209 default: 210 BUG(); 211 return 0; 212 } 213 break; 214 default: 215 BUG(); 216 return 0; 217 } 218 219 switch (e->op) { 220 case CEXPR_EQ: 221 s[++sp] = (val1 == val2); 222 break; 223 case CEXPR_NEQ: 224 s[++sp] = (val1 != val2); 225 break; 226 default: 227 BUG(); 228 return 0; 229 } 230 break; 231 case CEXPR_NAMES: 232 if (sp == (CEXPR_MAXDEPTH-1)) 233 return 0; 234 c = scontext; 235 if (e->attr & CEXPR_TARGET) 236 c = tcontext; 237 else if (e->attr & CEXPR_XTARGET) { 238 c = xcontext; 239 if (!c) { 240 BUG(); 241 return 0; 242 } 243 } 244 if (e->attr & CEXPR_USER) 245 val1 = c->user; 246 else if (e->attr & CEXPR_ROLE) 247 val1 = c->role; 248 else if (e->attr & CEXPR_TYPE) 249 val1 = c->type; 250 else { 251 BUG(); 252 return 0; 253 } 254 255 switch (e->op) { 256 case CEXPR_EQ: 257 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 258 break; 259 case CEXPR_NEQ: 260 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 261 break; 262 default: 263 BUG(); 264 return 0; 265 } 266 break; 267 default: 268 BUG(); 269 return 0; 270 } 271 } 272 273 BUG_ON(sp != 0); 274 return s[0]; 275} 276 277/* 278 * Compute access vectors based on a context structure pair for 279 * the permissions in a particular class. 280 */ 281static int context_struct_compute_av(struct context *scontext, 282 struct context *tcontext, 283 u16 tclass, 284 u32 requested, 285 struct av_decision *avd) 286{ 287 struct constraint_node *constraint; 288 struct role_allow *ra; 289 struct avtab_key avkey; 290 struct avtab_node *node; 291 struct class_datum *tclass_datum; 292 struct ebitmap *sattr, *tattr; 293 struct ebitmap_node *snode, *tnode; 294 const struct selinux_class_perm *kdefs = &selinux_class_perm; 295 unsigned int i, j; 296 297 /* 298 * Remap extended Netlink classes for old policy versions. 299 * Do this here rather than socket_type_to_security_class() 300 * in case a newer policy version is loaded, allowing sockets 301 * to remain in the correct class. 302 */ 303 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 304 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 305 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 306 tclass = SECCLASS_NETLINK_SOCKET; 307 308 /* 309 * Initialize the access vectors to the default values. 310 */ 311 avd->allowed = 0; 312 avd->decided = 0xffffffff; 313 avd->auditallow = 0; 314 avd->auditdeny = 0xffffffff; 315 avd->seqno = latest_granting; 316 317 /* 318 * Check for all the invalid cases. 319 * - tclass 0 320 * - tclass > policy and > kernel 321 * - tclass > policy but is a userspace class 322 * - tclass > policy but we do not allow unknowns 323 */ 324 if (unlikely(!tclass)) 325 goto inval_class; 326 if (unlikely(tclass > policydb.p_classes.nprim)) 327 if (tclass > kdefs->cts_len || 328 !kdefs->class_to_string[tclass - 1] || 329 !policydb.allow_unknown) 330 goto inval_class; 331 332 /* 333 * Kernel class and we allow unknown so pad the allow decision 334 * the pad will be all 1 for unknown classes. 335 */ 336 if (tclass <= kdefs->cts_len && policydb.allow_unknown) 337 avd->allowed = policydb.undefined_perms[tclass - 1]; 338 339 /* 340 * Not in policy. Since decision is completed (all 1 or all 0) return. 341 */ 342 if (unlikely(tclass > policydb.p_classes.nprim)) 343 return 0; 344 345 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 346 347 /* 348 * If a specific type enforcement rule was defined for 349 * this permission check, then use it. 350 */ 351 avkey.target_class = tclass; 352 avkey.specified = AVTAB_AV; 353 sattr = &policydb.type_attr_map[scontext->type - 1]; 354 tattr = &policydb.type_attr_map[tcontext->type - 1]; 355 ebitmap_for_each_positive_bit(sattr, snode, i) { 356 ebitmap_for_each_positive_bit(tattr, tnode, j) { 357 avkey.source_type = i + 1; 358 avkey.target_type = j + 1; 359 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 360 node != NULL; 361 node = avtab_search_node_next(node, avkey.specified)) { 362 if (node->key.specified == AVTAB_ALLOWED) 363 avd->allowed |= node->datum.data; 364 else if (node->key.specified == AVTAB_AUDITALLOW) 365 avd->auditallow |= node->datum.data; 366 else if (node->key.specified == AVTAB_AUDITDENY) 367 avd->auditdeny &= node->datum.data; 368 } 369 370 /* Check conditional av table for additional permissions */ 371 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 372 373 } 374 } 375 376 /* 377 * Remove any permissions prohibited by a constraint (this includes 378 * the MLS policy). 379 */ 380 constraint = tclass_datum->constraints; 381 while (constraint) { 382 if ((constraint->permissions & (avd->allowed)) && 383 !constraint_expr_eval(scontext, tcontext, NULL, 384 constraint->expr)) { 385 avd->allowed = (avd->allowed) & ~(constraint->permissions); 386 } 387 constraint = constraint->next; 388 } 389 390 /* 391 * If checking process transition permission and the 392 * role is changing, then check the (current_role, new_role) 393 * pair. 394 */ 395 if (tclass == SECCLASS_PROCESS && 396 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 397 scontext->role != tcontext->role) { 398 for (ra = policydb.role_allow; ra; ra = ra->next) { 399 if (scontext->role == ra->role && 400 tcontext->role == ra->new_role) 401 break; 402 } 403 if (!ra) 404 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 405 PROCESS__DYNTRANSITION); 406 } 407 408 return 0; 409 410inval_class: 411 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__, 412 tclass); 413 return -EINVAL; 414} 415 416/* 417 * Given a sid find if the type has the permissive flag set 418 */ 419int security_permissive_sid(u32 sid) 420{ 421 struct context *context; 422 u32 type; 423 int rc; 424 425 read_lock(&policy_rwlock); 426 427 context = sidtab_search(&sidtab, sid); 428 BUG_ON(!context); 429 430 type = context->type; 431 /* 432 * we are intentionally using type here, not type-1, the 0th bit may 433 * someday indicate that we are globally setting permissive in policy. 434 */ 435 rc = ebitmap_get_bit(&policydb.permissive_map, type); 436 437 read_unlock(&policy_rwlock); 438 return rc; 439} 440 441static int security_validtrans_handle_fail(struct context *ocontext, 442 struct context *ncontext, 443 struct context *tcontext, 444 u16 tclass) 445{ 446 char *o = NULL, *n = NULL, *t = NULL; 447 u32 olen, nlen, tlen; 448 449 if (context_struct_to_string(ocontext, &o, &olen) < 0) 450 goto out; 451 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 452 goto out; 453 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 454 goto out; 455 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 456 "security_validate_transition: denied for" 457 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 458 o, n, t, policydb.p_class_val_to_name[tclass-1]); 459out: 460 kfree(o); 461 kfree(n); 462 kfree(t); 463 464 if (!selinux_enforcing) 465 return 0; 466 return -EPERM; 467} 468 469int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 470 u16 tclass) 471{ 472 struct context *ocontext; 473 struct context *ncontext; 474 struct context *tcontext; 475 struct class_datum *tclass_datum; 476 struct constraint_node *constraint; 477 int rc = 0; 478 479 if (!ss_initialized) 480 return 0; 481 482 read_lock(&policy_rwlock); 483 484 /* 485 * Remap extended Netlink classes for old policy versions. 486 * Do this here rather than socket_type_to_security_class() 487 * in case a newer policy version is loaded, allowing sockets 488 * to remain in the correct class. 489 */ 490 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 491 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 492 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 493 tclass = SECCLASS_NETLINK_SOCKET; 494 495 if (!tclass || tclass > policydb.p_classes.nprim) { 496 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 497 __func__, tclass); 498 rc = -EINVAL; 499 goto out; 500 } 501 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 502 503 ocontext = sidtab_search(&sidtab, oldsid); 504 if (!ocontext) { 505 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 506 __func__, oldsid); 507 rc = -EINVAL; 508 goto out; 509 } 510 511 ncontext = sidtab_search(&sidtab, newsid); 512 if (!ncontext) { 513 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 514 __func__, newsid); 515 rc = -EINVAL; 516 goto out; 517 } 518 519 tcontext = sidtab_search(&sidtab, tasksid); 520 if (!tcontext) { 521 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 522 __func__, tasksid); 523 rc = -EINVAL; 524 goto out; 525 } 526 527 constraint = tclass_datum->validatetrans; 528 while (constraint) { 529 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 530 constraint->expr)) { 531 rc = security_validtrans_handle_fail(ocontext, ncontext, 532 tcontext, tclass); 533 goto out; 534 } 535 constraint = constraint->next; 536 } 537 538out: 539 read_unlock(&policy_rwlock); 540 return rc; 541} 542 543/** 544 * security_compute_av - Compute access vector decisions. 545 * @ssid: source security identifier 546 * @tsid: target security identifier 547 * @tclass: target security class 548 * @requested: requested permissions 549 * @avd: access vector decisions 550 * 551 * Compute a set of access vector decisions based on the 552 * SID pair (@ssid, @tsid) for the permissions in @tclass. 553 * Return -%EINVAL if any of the parameters are invalid or %0 554 * if the access vector decisions were computed successfully. 555 */ 556int security_compute_av(u32 ssid, 557 u32 tsid, 558 u16 tclass, 559 u32 requested, 560 struct av_decision *avd) 561{ 562 struct context *scontext = NULL, *tcontext = NULL; 563 int rc = 0; 564 565 if (!ss_initialized) { 566 avd->allowed = 0xffffffff; 567 avd->decided = 0xffffffff; 568 avd->auditallow = 0; 569 avd->auditdeny = 0xffffffff; 570 avd->seqno = latest_granting; 571 return 0; 572 } 573 574 read_lock(&policy_rwlock); 575 576 scontext = sidtab_search(&sidtab, ssid); 577 if (!scontext) { 578 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 579 __func__, ssid); 580 rc = -EINVAL; 581 goto out; 582 } 583 tcontext = sidtab_search(&sidtab, tsid); 584 if (!tcontext) { 585 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 586 __func__, tsid); 587 rc = -EINVAL; 588 goto out; 589 } 590 591 rc = context_struct_compute_av(scontext, tcontext, tclass, 592 requested, avd); 593out: 594 read_unlock(&policy_rwlock); 595 return rc; 596} 597 598/* 599 * Write the security context string representation of 600 * the context structure `context' into a dynamically 601 * allocated string of the correct size. Set `*scontext' 602 * to point to this string and set `*scontext_len' to 603 * the length of the string. 604 */ 605static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 606{ 607 char *scontextp; 608 609 *scontext = NULL; 610 *scontext_len = 0; 611 612 if (context->len) { 613 *scontext_len = context->len; 614 *scontext = kstrdup(context->str, GFP_ATOMIC); 615 if (!(*scontext)) 616 return -ENOMEM; 617 return 0; 618 } 619 620 /* Compute the size of the context. */ 621 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 622 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 623 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 624 *scontext_len += mls_compute_context_len(context); 625 626 /* Allocate space for the context; caller must free this space. */ 627 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 628 if (!scontextp) 629 return -ENOMEM; 630 *scontext = scontextp; 631 632 /* 633 * Copy the user name, role name and type name into the context. 634 */ 635 sprintf(scontextp, "%s:%s:%s", 636 policydb.p_user_val_to_name[context->user - 1], 637 policydb.p_role_val_to_name[context->role - 1], 638 policydb.p_type_val_to_name[context->type - 1]); 639 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 640 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 641 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 642 643 mls_sid_to_context(context, &scontextp); 644 645 *scontextp = 0; 646 647 return 0; 648} 649 650#include "initial_sid_to_string.h" 651 652const char *security_get_initial_sid_context(u32 sid) 653{ 654 if (unlikely(sid > SECINITSID_NUM)) 655 return NULL; 656 return initial_sid_to_string[sid]; 657} 658 659static int security_sid_to_context_core(u32 sid, char **scontext, 660 u32 *scontext_len, int force) 661{ 662 struct context *context; 663 int rc = 0; 664 665 *scontext = NULL; 666 *scontext_len = 0; 667 668 if (!ss_initialized) { 669 if (sid <= SECINITSID_NUM) { 670 char *scontextp; 671 672 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 673 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 674 if (!scontextp) { 675 rc = -ENOMEM; 676 goto out; 677 } 678 strcpy(scontextp, initial_sid_to_string[sid]); 679 *scontext = scontextp; 680 goto out; 681 } 682 printk(KERN_ERR "SELinux: %s: called before initial " 683 "load_policy on unknown SID %d\n", __func__, sid); 684 rc = -EINVAL; 685 goto out; 686 } 687 read_lock(&policy_rwlock); 688 if (force) 689 context = sidtab_search_force(&sidtab, sid); 690 else 691 context = sidtab_search(&sidtab, sid); 692 if (!context) { 693 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 694 __func__, sid); 695 rc = -EINVAL; 696 goto out_unlock; 697 } 698 rc = context_struct_to_string(context, scontext, scontext_len); 699out_unlock: 700 read_unlock(&policy_rwlock); 701out: 702 return rc; 703 704} 705 706/** 707 * security_sid_to_context - Obtain a context for a given SID. 708 * @sid: security identifier, SID 709 * @scontext: security context 710 * @scontext_len: length in bytes 711 * 712 * Write the string representation of the context associated with @sid 713 * into a dynamically allocated string of the correct size. Set @scontext 714 * to point to this string and set @scontext_len to the length of the string. 715 */ 716int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 717{ 718 return security_sid_to_context_core(sid, scontext, scontext_len, 0); 719} 720 721int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) 722{ 723 return security_sid_to_context_core(sid, scontext, scontext_len, 1); 724} 725 726/* 727 * Caveat: Mutates scontext. 728 */ 729static int string_to_context_struct(struct policydb *pol, 730 struct sidtab *sidtabp, 731 char *scontext, 732 u32 scontext_len, 733 struct context *ctx, 734 u32 def_sid) 735{ 736 struct role_datum *role; 737 struct type_datum *typdatum; 738 struct user_datum *usrdatum; 739 char *scontextp, *p, oldc; 740 int rc = 0; 741 742 context_init(ctx); 743 744 /* Parse the security context. */ 745 746 rc = -EINVAL; 747 scontextp = (char *) scontext; 748 749 /* Extract the user. */ 750 p = scontextp; 751 while (*p && *p != ':') 752 p++; 753 754 if (*p == 0) 755 goto out; 756 757 *p++ = 0; 758 759 usrdatum = hashtab_search(pol->p_users.table, scontextp); 760 if (!usrdatum) 761 goto out; 762 763 ctx->user = usrdatum->value; 764 765 /* Extract role. */ 766 scontextp = p; 767 while (*p && *p != ':') 768 p++; 769 770 if (*p == 0) 771 goto out; 772 773 *p++ = 0; 774 775 role = hashtab_search(pol->p_roles.table, scontextp); 776 if (!role) 777 goto out; 778 ctx->role = role->value; 779 780 /* Extract type. */ 781 scontextp = p; 782 while (*p && *p != ':') 783 p++; 784 oldc = *p; 785 *p++ = 0; 786 787 typdatum = hashtab_search(pol->p_types.table, scontextp); 788 if (!typdatum) 789 goto out; 790 791 ctx->type = typdatum->value; 792 793 rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid); 794 if (rc) 795 goto out; 796 797 if ((p - scontext) < scontext_len) { 798 rc = -EINVAL; 799 goto out; 800 } 801 802 /* Check the validity of the new context. */ 803 if (!policydb_context_isvalid(pol, ctx)) { 804 rc = -EINVAL; 805 context_destroy(ctx); 806 goto out; 807 } 808 rc = 0; 809out: 810 return rc; 811} 812 813static int security_context_to_sid_core(const char *scontext, u32 scontext_len, 814 u32 *sid, u32 def_sid, gfp_t gfp_flags, 815 int force) 816{ 817 char *scontext2, *str = NULL; 818 struct context context; 819 int rc = 0; 820 821 if (!ss_initialized) { 822 int i; 823 824 for (i = 1; i < SECINITSID_NUM; i++) { 825 if (!strcmp(initial_sid_to_string[i], scontext)) { 826 *sid = i; 827 return 0; 828 } 829 } 830 *sid = SECINITSID_KERNEL; 831 return 0; 832 } 833 *sid = SECSID_NULL; 834 835 /* Copy the string so that we can modify the copy as we parse it. */ 836 scontext2 = kmalloc(scontext_len+1, gfp_flags); 837 if (!scontext2) 838 return -ENOMEM; 839 memcpy(scontext2, scontext, scontext_len); 840 scontext2[scontext_len] = 0; 841 842 if (force) { 843 /* Save another copy for storing in uninterpreted form */ 844 str = kstrdup(scontext2, gfp_flags); 845 if (!str) { 846 kfree(scontext2); 847 return -ENOMEM; 848 } 849 } 850 851 read_lock(&policy_rwlock); 852 rc = string_to_context_struct(&policydb, &sidtab, 853 scontext2, scontext_len, 854 &context, def_sid); 855 if (rc == -EINVAL && force) { 856 context.str = str; 857 context.len = scontext_len; 858 str = NULL; 859 } else if (rc) 860 goto out; 861 rc = sidtab_context_to_sid(&sidtab, &context, sid); 862 if (rc) 863 context_destroy(&context); 864out: 865 read_unlock(&policy_rwlock); 866 kfree(scontext2); 867 kfree(str); 868 return rc; 869} 870 871/** 872 * security_context_to_sid - Obtain a SID for a given security context. 873 * @scontext: security context 874 * @scontext_len: length in bytes 875 * @sid: security identifier, SID 876 * 877 * Obtains a SID associated with the security context that 878 * has the string representation specified by @scontext. 879 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 880 * memory is available, or 0 on success. 881 */ 882int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) 883{ 884 return security_context_to_sid_core(scontext, scontext_len, 885 sid, SECSID_NULL, GFP_KERNEL, 0); 886} 887 888/** 889 * security_context_to_sid_default - Obtain a SID for a given security context, 890 * falling back to specified default if needed. 891 * 892 * @scontext: security context 893 * @scontext_len: length in bytes 894 * @sid: security identifier, SID 895 * @def_sid: default SID to assign on error 896 * 897 * Obtains a SID associated with the security context that 898 * has the string representation specified by @scontext. 899 * The default SID is passed to the MLS layer to be used to allow 900 * kernel labeling of the MLS field if the MLS field is not present 901 * (for upgrading to MLS without full relabel). 902 * Implicitly forces adding of the context even if it cannot be mapped yet. 903 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 904 * memory is available, or 0 on success. 905 */ 906int security_context_to_sid_default(const char *scontext, u32 scontext_len, 907 u32 *sid, u32 def_sid, gfp_t gfp_flags) 908{ 909 return security_context_to_sid_core(scontext, scontext_len, 910 sid, def_sid, gfp_flags, 1); 911} 912 913int security_context_to_sid_force(const char *scontext, u32 scontext_len, 914 u32 *sid) 915{ 916 return security_context_to_sid_core(scontext, scontext_len, 917 sid, SECSID_NULL, GFP_KERNEL, 1); 918} 919 920static int compute_sid_handle_invalid_context( 921 struct context *scontext, 922 struct context *tcontext, 923 u16 tclass, 924 struct context *newcontext) 925{ 926 char *s = NULL, *t = NULL, *n = NULL; 927 u32 slen, tlen, nlen; 928 929 if (context_struct_to_string(scontext, &s, &slen) < 0) 930 goto out; 931 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 932 goto out; 933 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 934 goto out; 935 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 936 "security_compute_sid: invalid context %s" 937 " for scontext=%s" 938 " tcontext=%s" 939 " tclass=%s", 940 n, s, t, policydb.p_class_val_to_name[tclass-1]); 941out: 942 kfree(s); 943 kfree(t); 944 kfree(n); 945 if (!selinux_enforcing) 946 return 0; 947 return -EACCES; 948} 949 950static int security_compute_sid(u32 ssid, 951 u32 tsid, 952 u16 tclass, 953 u32 specified, 954 u32 *out_sid) 955{ 956 struct context *scontext = NULL, *tcontext = NULL, newcontext; 957 struct role_trans *roletr = NULL; 958 struct avtab_key avkey; 959 struct avtab_datum *avdatum; 960 struct avtab_node *node; 961 int rc = 0; 962 963 if (!ss_initialized) { 964 switch (tclass) { 965 case SECCLASS_PROCESS: 966 *out_sid = ssid; 967 break; 968 default: 969 *out_sid = tsid; 970 break; 971 } 972 goto out; 973 } 974 975 context_init(&newcontext); 976 977 read_lock(&policy_rwlock); 978 979 scontext = sidtab_search(&sidtab, ssid); 980 if (!scontext) { 981 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 982 __func__, ssid); 983 rc = -EINVAL; 984 goto out_unlock; 985 } 986 tcontext = sidtab_search(&sidtab, tsid); 987 if (!tcontext) { 988 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 989 __func__, tsid); 990 rc = -EINVAL; 991 goto out_unlock; 992 } 993 994 /* Set the user identity. */ 995 switch (specified) { 996 case AVTAB_TRANSITION: 997 case AVTAB_CHANGE: 998 /* Use the process user identity. */ 999 newcontext.user = scontext->user; 1000 break; 1001 case AVTAB_MEMBER: 1002 /* Use the related object owner. */ 1003 newcontext.user = tcontext->user; 1004 break; 1005 } 1006 1007 /* Set the role and type to default values. */ 1008 switch (tclass) { 1009 case SECCLASS_PROCESS: 1010 /* Use the current role and type of process. */ 1011 newcontext.role = scontext->role; 1012 newcontext.type = scontext->type; 1013 break; 1014 default: 1015 /* Use the well-defined object role. */ 1016 newcontext.role = OBJECT_R_VAL; 1017 /* Use the type of the related object. */ 1018 newcontext.type = tcontext->type; 1019 } 1020 1021 /* Look for a type transition/member/change rule. */ 1022 avkey.source_type = scontext->type; 1023 avkey.target_type = tcontext->type; 1024 avkey.target_class = tclass; 1025 avkey.specified = specified; 1026 avdatum = avtab_search(&policydb.te_avtab, &avkey); 1027 1028 /* If no permanent rule, also check for enabled conditional rules */ 1029 if (!avdatum) { 1030 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 1031 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 1032 if (node->key.specified & AVTAB_ENABLED) { 1033 avdatum = &node->datum; 1034 break; 1035 } 1036 } 1037 } 1038 1039 if (avdatum) { 1040 /* Use the type from the type transition/member/change rule. */ 1041 newcontext.type = avdatum->data; 1042 } 1043 1044 /* Check for class-specific changes. */ 1045 switch (tclass) { 1046 case SECCLASS_PROCESS: 1047 if (specified & AVTAB_TRANSITION) { 1048 /* Look for a role transition rule. */ 1049 for (roletr = policydb.role_tr; roletr; 1050 roletr = roletr->next) { 1051 if (roletr->role == scontext->role && 1052 roletr->type == tcontext->type) { 1053 /* Use the role transition rule. */ 1054 newcontext.role = roletr->new_role; 1055 break; 1056 } 1057 } 1058 } 1059 break; 1060 default: 1061 break; 1062 } 1063 1064 /* Set the MLS attributes. 1065 This is done last because it may allocate memory. */ 1066 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 1067 if (rc) 1068 goto out_unlock; 1069 1070 /* Check the validity of the context. */ 1071 if (!policydb_context_isvalid(&policydb, &newcontext)) { 1072 rc = compute_sid_handle_invalid_context(scontext, 1073 tcontext, 1074 tclass, 1075 &newcontext); 1076 if (rc) 1077 goto out_unlock; 1078 } 1079 /* Obtain the sid for the context. */ 1080 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 1081out_unlock: 1082 read_unlock(&policy_rwlock); 1083 context_destroy(&newcontext); 1084out: 1085 return rc; 1086} 1087 1088/** 1089 * security_transition_sid - Compute the SID for a new subject/object. 1090 * @ssid: source security identifier 1091 * @tsid: target security identifier 1092 * @tclass: target security class 1093 * @out_sid: security identifier for new subject/object 1094 * 1095 * Compute a SID to use for labeling a new subject or object in the 1096 * class @tclass based on a SID pair (@ssid, @tsid). 1097 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1098 * if insufficient memory is available, or %0 if the new SID was 1099 * computed successfully. 1100 */ 1101int security_transition_sid(u32 ssid, 1102 u32 tsid, 1103 u16 tclass, 1104 u32 *out_sid) 1105{ 1106 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1107} 1108 1109/** 1110 * security_member_sid - Compute the SID for member selection. 1111 * @ssid: source security identifier 1112 * @tsid: target security identifier 1113 * @tclass: target security class 1114 * @out_sid: security identifier for selected member 1115 * 1116 * Compute a SID to use when selecting a member of a polyinstantiated 1117 * object of class @tclass based on a SID pair (@ssid, @tsid). 1118 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1119 * if insufficient memory is available, or %0 if the SID was 1120 * computed successfully. 1121 */ 1122int security_member_sid(u32 ssid, 1123 u32 tsid, 1124 u16 tclass, 1125 u32 *out_sid) 1126{ 1127 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1128} 1129 1130/** 1131 * security_change_sid - Compute the SID for object relabeling. 1132 * @ssid: source security identifier 1133 * @tsid: target security identifier 1134 * @tclass: target security class 1135 * @out_sid: security identifier for selected member 1136 * 1137 * Compute a SID to use for relabeling an object of class @tclass 1138 * based on a SID pair (@ssid, @tsid). 1139 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1140 * if insufficient memory is available, or %0 if the SID was 1141 * computed successfully. 1142 */ 1143int security_change_sid(u32 ssid, 1144 u32 tsid, 1145 u16 tclass, 1146 u32 *out_sid) 1147{ 1148 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1149} 1150 1151/* 1152 * Verify that each kernel class that is defined in the 1153 * policy is correct 1154 */ 1155static int validate_classes(struct policydb *p) 1156{ 1157 int i, j; 1158 struct class_datum *cladatum; 1159 struct perm_datum *perdatum; 1160 u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1161 u16 class_val; 1162 const struct selinux_class_perm *kdefs = &selinux_class_perm; 1163 const char *def_class, *def_perm, *pol_class; 1164 struct symtab *perms; 1165 1166 if (p->allow_unknown) { 1167 u32 num_classes = kdefs->cts_len; 1168 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL); 1169 if (!p->undefined_perms) 1170 return -ENOMEM; 1171 } 1172 1173 for (i = 1; i < kdefs->cts_len; i++) { 1174 def_class = kdefs->class_to_string[i]; 1175 if (!def_class) 1176 continue; 1177 if (i > p->p_classes.nprim) { 1178 printk(KERN_INFO 1179 "SELinux: class %s not defined in policy\n", 1180 def_class); 1181 if (p->reject_unknown) 1182 return -EINVAL; 1183 if (p->allow_unknown) 1184 p->undefined_perms[i-1] = ~0U; 1185 continue; 1186 } 1187 pol_class = p->p_class_val_to_name[i-1]; 1188 if (strcmp(pol_class, def_class)) { 1189 printk(KERN_ERR 1190 "SELinux: class %d is incorrect, found %s but should be %s\n", 1191 i, pol_class, def_class); 1192 return -EINVAL; 1193 } 1194 } 1195 for (i = 0; i < kdefs->av_pts_len; i++) { 1196 class_val = kdefs->av_perm_to_string[i].tclass; 1197 perm_val = kdefs->av_perm_to_string[i].value; 1198 def_perm = kdefs->av_perm_to_string[i].name; 1199 if (class_val > p->p_classes.nprim) 1200 continue; 1201 pol_class = p->p_class_val_to_name[class_val-1]; 1202 cladatum = hashtab_search(p->p_classes.table, pol_class); 1203 BUG_ON(!cladatum); 1204 perms = &cladatum->permissions; 1205 nprim = 1 << (perms->nprim - 1); 1206 if (perm_val > nprim) { 1207 printk(KERN_INFO 1208 "SELinux: permission %s in class %s not defined in policy\n", 1209 def_perm, pol_class); 1210 if (p->reject_unknown) 1211 return -EINVAL; 1212 if (p->allow_unknown) 1213 p->undefined_perms[class_val-1] |= perm_val; 1214 continue; 1215 } 1216 perdatum = hashtab_search(perms->table, def_perm); 1217 if (perdatum == NULL) { 1218 printk(KERN_ERR 1219 "SELinux: permission %s in class %s not found in policy, bad policy\n", 1220 def_perm, pol_class); 1221 return -EINVAL; 1222 } 1223 pol_val = 1 << (perdatum->value - 1); 1224 if (pol_val != perm_val) { 1225 printk(KERN_ERR 1226 "SELinux: permission %s in class %s has incorrect value\n", 1227 def_perm, pol_class); 1228 return -EINVAL; 1229 } 1230 } 1231 for (i = 0; i < kdefs->av_inherit_len; i++) { 1232 class_val = kdefs->av_inherit[i].tclass; 1233 if (class_val > p->p_classes.nprim) 1234 continue; 1235 pol_class = p->p_class_val_to_name[class_val-1]; 1236 cladatum = hashtab_search(p->p_classes.table, pol_class); 1237 BUG_ON(!cladatum); 1238 if (!cladatum->comdatum) { 1239 printk(KERN_ERR 1240 "SELinux: class %s should have an inherits clause but does not\n", 1241 pol_class); 1242 return -EINVAL; 1243 } 1244 tmp = kdefs->av_inherit[i].common_base; 1245 common_pts_len = 0; 1246 while (!(tmp & 0x01)) { 1247 common_pts_len++; 1248 tmp >>= 1; 1249 } 1250 perms = &cladatum->comdatum->permissions; 1251 for (j = 0; j < common_pts_len; j++) { 1252 def_perm = kdefs->av_inherit[i].common_pts[j]; 1253 if (j >= perms->nprim) { 1254 printk(KERN_INFO 1255 "SELinux: permission %s in class %s not defined in policy\n", 1256 def_perm, pol_class); 1257 if (p->reject_unknown) 1258 return -EINVAL; 1259 if (p->allow_unknown) 1260 p->undefined_perms[class_val-1] |= (1 << j); 1261 continue; 1262 } 1263 perdatum = hashtab_search(perms->table, def_perm); 1264 if (perdatum == NULL) { 1265 printk(KERN_ERR 1266 "SELinux: permission %s in class %s not found in policy, bad policy\n", 1267 def_perm, pol_class); 1268 return -EINVAL; 1269 } 1270 if (perdatum->value != j + 1) { 1271 printk(KERN_ERR 1272 "SELinux: permission %s in class %s has incorrect value\n", 1273 def_perm, pol_class); 1274 return -EINVAL; 1275 } 1276 } 1277 } 1278 return 0; 1279} 1280 1281/* Clone the SID into the new SID table. */ 1282static int clone_sid(u32 sid, 1283 struct context *context, 1284 void *arg) 1285{ 1286 struct sidtab *s = arg; 1287 1288 return sidtab_insert(s, sid, context); 1289} 1290 1291static inline int convert_context_handle_invalid_context(struct context *context) 1292{ 1293 int rc = 0; 1294 1295 if (selinux_enforcing) { 1296 rc = -EINVAL; 1297 } else { 1298 char *s; 1299 u32 len; 1300 1301 if (!context_struct_to_string(context, &s, &len)) { 1302 printk(KERN_WARNING 1303 "SELinux: Context %s would be invalid if enforcing\n", 1304 s); 1305 kfree(s); 1306 } 1307 } 1308 return rc; 1309} 1310 1311struct convert_context_args { 1312 struct policydb *oldp; 1313 struct policydb *newp; 1314}; 1315 1316/* 1317 * Convert the values in the security context 1318 * structure `c' from the values specified 1319 * in the policy `p->oldp' to the values specified 1320 * in the policy `p->newp'. Verify that the 1321 * context is valid under the new policy. 1322 */ 1323static int convert_context(u32 key, 1324 struct context *c, 1325 void *p) 1326{ 1327 struct convert_context_args *args; 1328 struct context oldc; 1329 struct role_datum *role; 1330 struct type_datum *typdatum; 1331 struct user_datum *usrdatum; 1332 char *s; 1333 u32 len; 1334 int rc; 1335 1336 args = p; 1337 1338 if (c->str) { 1339 struct context ctx; 1340 s = kstrdup(c->str, GFP_KERNEL); 1341 if (!s) { 1342 rc = -ENOMEM; 1343 goto out; 1344 } 1345 rc = string_to_context_struct(args->newp, NULL, s, 1346 c->len, &ctx, SECSID_NULL); 1347 kfree(s); 1348 if (!rc) { 1349 printk(KERN_INFO 1350 "SELinux: Context %s became valid (mapped).\n", 1351 c->str); 1352 /* Replace string with mapped representation. */ 1353 kfree(c->str); 1354 memcpy(c, &ctx, sizeof(*c)); 1355 goto out; 1356 } else if (rc == -EINVAL) { 1357 /* Retain string representation for later mapping. */ 1358 rc = 0; 1359 goto out; 1360 } else { 1361 /* Other error condition, e.g. ENOMEM. */ 1362 printk(KERN_ERR 1363 "SELinux: Unable to map context %s, rc = %d.\n", 1364 c->str, -rc); 1365 goto out; 1366 } 1367 } 1368 1369 rc = context_cpy(&oldc, c); 1370 if (rc) 1371 goto out; 1372 1373 rc = -EINVAL; 1374 1375 /* Convert the user. */ 1376 usrdatum = hashtab_search(args->newp->p_users.table, 1377 args->oldp->p_user_val_to_name[c->user - 1]); 1378 if (!usrdatum) 1379 goto bad; 1380 c->user = usrdatum->value; 1381 1382 /* Convert the role. */ 1383 role = hashtab_search(args->newp->p_roles.table, 1384 args->oldp->p_role_val_to_name[c->role - 1]); 1385 if (!role) 1386 goto bad; 1387 c->role = role->value; 1388 1389 /* Convert the type. */ 1390 typdatum = hashtab_search(args->newp->p_types.table, 1391 args->oldp->p_type_val_to_name[c->type - 1]); 1392 if (!typdatum) 1393 goto bad; 1394 c->type = typdatum->value; 1395 1396 rc = mls_convert_context(args->oldp, args->newp, c); 1397 if (rc) 1398 goto bad; 1399 1400 /* Check the validity of the new context. */ 1401 if (!policydb_context_isvalid(args->newp, c)) { 1402 rc = convert_context_handle_invalid_context(&oldc); 1403 if (rc) 1404 goto bad; 1405 } 1406 1407 context_destroy(&oldc); 1408 rc = 0; 1409out: 1410 return rc; 1411bad: 1412 /* Map old representation to string and save it. */ 1413 if (context_struct_to_string(&oldc, &s, &len)) 1414 return -ENOMEM; 1415 context_destroy(&oldc); 1416 context_destroy(c); 1417 c->str = s; 1418 c->len = len; 1419 printk(KERN_INFO 1420 "SELinux: Context %s became invalid (unmapped).\n", 1421 c->str); 1422 rc = 0; 1423 goto out; 1424} 1425 1426static void security_load_policycaps(void) 1427{ 1428 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1429 POLICYDB_CAPABILITY_NETPEER); 1430 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1431 POLICYDB_CAPABILITY_OPENPERM); 1432} 1433 1434extern void selinux_complete_init(void); 1435static int security_preserve_bools(struct policydb *p); 1436 1437/** 1438 * security_load_policy - Load a security policy configuration. 1439 * @data: binary policy data 1440 * @len: length of data in bytes 1441 * 1442 * Load a new set of security policy configuration data, 1443 * validate it and convert the SID table as necessary. 1444 * This function will flush the access vector cache after 1445 * loading the new policy. 1446 */ 1447int security_load_policy(void *data, size_t len) 1448{ 1449 struct policydb oldpolicydb, newpolicydb; 1450 struct sidtab oldsidtab, newsidtab; 1451 struct convert_context_args args; 1452 u32 seqno; 1453 int rc = 0; 1454 struct policy_file file = { data, len }, *fp = &file; 1455 1456 mutex_lock(&load_mutex); 1457 1458 if (!ss_initialized) { 1459 avtab_cache_init(); 1460 if (policydb_read(&policydb, fp)) { 1461 mutex_unlock(&load_mutex); 1462 avtab_cache_destroy(); 1463 return -EINVAL; 1464 } 1465 if (policydb_load_isids(&policydb, &sidtab)) { 1466 mutex_unlock(&load_mutex); 1467 policydb_destroy(&policydb); 1468 avtab_cache_destroy(); 1469 return -EINVAL; 1470 } 1471 /* Verify that the kernel defined classes are correct. */ 1472 if (validate_classes(&policydb)) { 1473 printk(KERN_ERR 1474 "SELinux: the definition of a class is incorrect\n"); 1475 mutex_unlock(&load_mutex); 1476 sidtab_destroy(&sidtab); 1477 policydb_destroy(&policydb); 1478 avtab_cache_destroy(); 1479 return -EINVAL; 1480 } 1481 security_load_policycaps(); 1482 policydb_loaded_version = policydb.policyvers; 1483 ss_initialized = 1; 1484 seqno = ++latest_granting; 1485 mutex_unlock(&load_mutex); 1486 selinux_complete_init(); 1487 avc_ss_reset(seqno); 1488 selnl_notify_policyload(seqno); 1489 selinux_netlbl_cache_invalidate(); 1490 selinux_xfrm_notify_policyload(); 1491 return 0; 1492 } 1493 1494#if 0 1495 sidtab_hash_eval(&sidtab, "sids"); 1496#endif 1497 1498 if (policydb_read(&newpolicydb, fp)) { 1499 mutex_unlock(&load_mutex); 1500 return -EINVAL; 1501 } 1502 1503 if (sidtab_init(&newsidtab)) { 1504 mutex_unlock(&load_mutex); 1505 policydb_destroy(&newpolicydb); 1506 return -ENOMEM; 1507 } 1508 1509 /* Verify that the kernel defined classes are correct. */ 1510 if (validate_classes(&newpolicydb)) { 1511 printk(KERN_ERR 1512 "SELinux: the definition of a class is incorrect\n"); 1513 rc = -EINVAL; 1514 goto err; 1515 } 1516 1517 rc = security_preserve_bools(&newpolicydb); 1518 if (rc) { 1519 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 1520 goto err; 1521 } 1522 1523 /* Clone the SID table. */ 1524 sidtab_shutdown(&sidtab); 1525 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1526 rc = -ENOMEM; 1527 goto err; 1528 } 1529 1530 /* 1531 * Convert the internal representations of contexts 1532 * in the new SID table. 1533 */ 1534 args.oldp = &policydb; 1535 args.newp = &newpolicydb; 1536 rc = sidtab_map(&newsidtab, convert_context, &args); 1537 if (rc) 1538 goto err; 1539 1540 /* Save the old policydb and SID table to free later. */ 1541 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1542 sidtab_set(&oldsidtab, &sidtab); 1543 1544 /* Install the new policydb and SID table. */ 1545 write_lock_irq(&policy_rwlock); 1546 memcpy(&policydb, &newpolicydb, sizeof policydb); 1547 sidtab_set(&sidtab, &newsidtab); 1548 security_load_policycaps(); 1549 seqno = ++latest_granting; 1550 policydb_loaded_version = policydb.policyvers; 1551 write_unlock_irq(&policy_rwlock); 1552 mutex_unlock(&load_mutex); 1553 1554 /* Free the old policydb and SID table. */ 1555 policydb_destroy(&oldpolicydb); 1556 sidtab_destroy(&oldsidtab); 1557 1558 avc_ss_reset(seqno); 1559 selnl_notify_policyload(seqno); 1560 selinux_netlbl_cache_invalidate(); 1561 selinux_xfrm_notify_policyload(); 1562 1563 return 0; 1564 1565err: 1566 mutex_unlock(&load_mutex); 1567 sidtab_destroy(&newsidtab); 1568 policydb_destroy(&newpolicydb); 1569 return rc; 1570 1571} 1572 1573/** 1574 * security_port_sid - Obtain the SID for a port. 1575 * @protocol: protocol number 1576 * @port: port number 1577 * @out_sid: security identifier 1578 */ 1579int security_port_sid(u8 protocol, u16 port, u32 *out_sid) 1580{ 1581 struct ocontext *c; 1582 int rc = 0; 1583 1584 read_lock(&policy_rwlock); 1585 1586 c = policydb.ocontexts[OCON_PORT]; 1587 while (c) { 1588 if (c->u.port.protocol == protocol && 1589 c->u.port.low_port <= port && 1590 c->u.port.high_port >= port) 1591 break; 1592 c = c->next; 1593 } 1594 1595 if (c) { 1596 if (!c->sid[0]) { 1597 rc = sidtab_context_to_sid(&sidtab, 1598 &c->context[0], 1599 &c->sid[0]); 1600 if (rc) 1601 goto out; 1602 } 1603 *out_sid = c->sid[0]; 1604 } else { 1605 *out_sid = SECINITSID_PORT; 1606 } 1607 1608out: 1609 read_unlock(&policy_rwlock); 1610 return rc; 1611} 1612 1613/** 1614 * security_netif_sid - Obtain the SID for a network interface. 1615 * @name: interface name 1616 * @if_sid: interface SID 1617 */ 1618int security_netif_sid(char *name, u32 *if_sid) 1619{ 1620 int rc = 0; 1621 struct ocontext *c; 1622 1623 read_lock(&policy_rwlock); 1624 1625 c = policydb.ocontexts[OCON_NETIF]; 1626 while (c) { 1627 if (strcmp(name, c->u.name) == 0) 1628 break; 1629 c = c->next; 1630 } 1631 1632 if (c) { 1633 if (!c->sid[0] || !c->sid[1]) { 1634 rc = sidtab_context_to_sid(&sidtab, 1635 &c->context[0], 1636 &c->sid[0]); 1637 if (rc) 1638 goto out; 1639 rc = sidtab_context_to_sid(&sidtab, 1640 &c->context[1], 1641 &c->sid[1]); 1642 if (rc) 1643 goto out; 1644 } 1645 *if_sid = c->sid[0]; 1646 } else 1647 *if_sid = SECINITSID_NETIF; 1648 1649out: 1650 read_unlock(&policy_rwlock); 1651 return rc; 1652} 1653 1654static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1655{ 1656 int i, fail = 0; 1657 1658 for (i = 0; i < 4; i++) 1659 if (addr[i] != (input[i] & mask[i])) { 1660 fail = 1; 1661 break; 1662 } 1663 1664 return !fail; 1665} 1666 1667/** 1668 * security_node_sid - Obtain the SID for a node (host). 1669 * @domain: communication domain aka address family 1670 * @addrp: address 1671 * @addrlen: address length in bytes 1672 * @out_sid: security identifier 1673 */ 1674int security_node_sid(u16 domain, 1675 void *addrp, 1676 u32 addrlen, 1677 u32 *out_sid) 1678{ 1679 int rc = 0; 1680 struct ocontext *c; 1681 1682 read_lock(&policy_rwlock); 1683 1684 switch (domain) { 1685 case AF_INET: { 1686 u32 addr; 1687 1688 if (addrlen != sizeof(u32)) { 1689 rc = -EINVAL; 1690 goto out; 1691 } 1692 1693 addr = *((u32 *)addrp); 1694 1695 c = policydb.ocontexts[OCON_NODE]; 1696 while (c) { 1697 if (c->u.node.addr == (addr & c->u.node.mask)) 1698 break; 1699 c = c->next; 1700 } 1701 break; 1702 } 1703 1704 case AF_INET6: 1705 if (addrlen != sizeof(u64) * 2) { 1706 rc = -EINVAL; 1707 goto out; 1708 } 1709 c = policydb.ocontexts[OCON_NODE6]; 1710 while (c) { 1711 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1712 c->u.node6.mask)) 1713 break; 1714 c = c->next; 1715 } 1716 break; 1717 1718 default: 1719 *out_sid = SECINITSID_NODE; 1720 goto out; 1721 } 1722 1723 if (c) { 1724 if (!c->sid[0]) { 1725 rc = sidtab_context_to_sid(&sidtab, 1726 &c->context[0], 1727 &c->sid[0]); 1728 if (rc) 1729 goto out; 1730 } 1731 *out_sid = c->sid[0]; 1732 } else { 1733 *out_sid = SECINITSID_NODE; 1734 } 1735 1736out: 1737 read_unlock(&policy_rwlock); 1738 return rc; 1739} 1740 1741#define SIDS_NEL 25 1742 1743/** 1744 * security_get_user_sids - Obtain reachable SIDs for a user. 1745 * @fromsid: starting SID 1746 * @username: username 1747 * @sids: array of reachable SIDs for user 1748 * @nel: number of elements in @sids 1749 * 1750 * Generate the set of SIDs for legal security contexts 1751 * for a given user that can be reached by @fromsid. 1752 * Set *@sids to point to a dynamically allocated 1753 * array containing the set of SIDs. Set *@nel to the 1754 * number of elements in the array. 1755 */ 1756 1757int security_get_user_sids(u32 fromsid, 1758 char *username, 1759 u32 **sids, 1760 u32 *nel) 1761{ 1762 struct context *fromcon, usercon; 1763 u32 *mysids = NULL, *mysids2, sid; 1764 u32 mynel = 0, maxnel = SIDS_NEL; 1765 struct user_datum *user; 1766 struct role_datum *role; 1767 struct ebitmap_node *rnode, *tnode; 1768 int rc = 0, i, j; 1769 1770 *sids = NULL; 1771 *nel = 0; 1772 1773 if (!ss_initialized) 1774 goto out; 1775 1776 read_lock(&policy_rwlock); 1777 1778 context_init(&usercon); 1779 1780 fromcon = sidtab_search(&sidtab, fromsid); 1781 if (!fromcon) { 1782 rc = -EINVAL; 1783 goto out_unlock; 1784 } 1785 1786 user = hashtab_search(policydb.p_users.table, username); 1787 if (!user) { 1788 rc = -EINVAL; 1789 goto out_unlock; 1790 } 1791 usercon.user = user->value; 1792 1793 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 1794 if (!mysids) { 1795 rc = -ENOMEM; 1796 goto out_unlock; 1797 } 1798 1799 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 1800 role = policydb.role_val_to_struct[i]; 1801 usercon.role = i+1; 1802 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 1803 usercon.type = j+1; 1804 1805 if (mls_setup_user_range(fromcon, user, &usercon)) 1806 continue; 1807 1808 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1809 if (rc) 1810 goto out_unlock; 1811 if (mynel < maxnel) { 1812 mysids[mynel++] = sid; 1813 } else { 1814 maxnel += SIDS_NEL; 1815 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 1816 if (!mysids2) { 1817 rc = -ENOMEM; 1818 goto out_unlock; 1819 } 1820 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1821 kfree(mysids); 1822 mysids = mysids2; 1823 mysids[mynel++] = sid; 1824 } 1825 } 1826 } 1827 1828out_unlock: 1829 read_unlock(&policy_rwlock); 1830 if (rc || !mynel) { 1831 kfree(mysids); 1832 goto out; 1833 } 1834 1835 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 1836 if (!mysids2) { 1837 rc = -ENOMEM; 1838 kfree(mysids); 1839 goto out; 1840 } 1841 for (i = 0, j = 0; i < mynel; i++) { 1842 rc = avc_has_perm_noaudit(fromsid, mysids[i], 1843 SECCLASS_PROCESS, 1844 PROCESS__TRANSITION, AVC_STRICT, 1845 NULL); 1846 if (!rc) 1847 mysids2[j++] = mysids[i]; 1848 cond_resched(); 1849 } 1850 rc = 0; 1851 kfree(mysids); 1852 *sids = mysids2; 1853 *nel = j; 1854out: 1855 return rc; 1856} 1857 1858/** 1859 * security_genfs_sid - Obtain a SID for a file in a filesystem 1860 * @fstype: filesystem type 1861 * @path: path from root of mount 1862 * @sclass: file security class 1863 * @sid: SID for path 1864 * 1865 * Obtain a SID to use for a file in a filesystem that 1866 * cannot support xattr or use a fixed labeling behavior like 1867 * transition SIDs or task SIDs. 1868 */ 1869int security_genfs_sid(const char *fstype, 1870 char *path, 1871 u16 sclass, 1872 u32 *sid) 1873{ 1874 int len; 1875 struct genfs *genfs; 1876 struct ocontext *c; 1877 int rc = 0, cmp = 0; 1878 1879 while (path[0] == '/' && path[1] == '/') 1880 path++; 1881 1882 read_lock(&policy_rwlock); 1883 1884 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1885 cmp = strcmp(fstype, genfs->fstype); 1886 if (cmp <= 0) 1887 break; 1888 } 1889 1890 if (!genfs || cmp) { 1891 *sid = SECINITSID_UNLABELED; 1892 rc = -ENOENT; 1893 goto out; 1894 } 1895 1896 for (c = genfs->head; c; c = c->next) { 1897 len = strlen(c->u.name); 1898 if ((!c->v.sclass || sclass == c->v.sclass) && 1899 (strncmp(c->u.name, path, len) == 0)) 1900 break; 1901 } 1902 1903 if (!c) { 1904 *sid = SECINITSID_UNLABELED; 1905 rc = -ENOENT; 1906 goto out; 1907 } 1908 1909 if (!c->sid[0]) { 1910 rc = sidtab_context_to_sid(&sidtab, 1911 &c->context[0], 1912 &c->sid[0]); 1913 if (rc) 1914 goto out; 1915 } 1916 1917 *sid = c->sid[0]; 1918out: 1919 read_unlock(&policy_rwlock); 1920 return rc; 1921} 1922 1923/** 1924 * security_fs_use - Determine how to handle labeling for a filesystem. 1925 * @fstype: filesystem type 1926 * @behavior: labeling behavior 1927 * @sid: SID for filesystem (superblock) 1928 */ 1929int security_fs_use( 1930 const char *fstype, 1931 unsigned int *behavior, 1932 u32 *sid) 1933{ 1934 int rc = 0; 1935 struct ocontext *c; 1936 1937 read_lock(&policy_rwlock); 1938 1939 c = policydb.ocontexts[OCON_FSUSE]; 1940 while (c) { 1941 if (strcmp(fstype, c->u.name) == 0) 1942 break; 1943 c = c->next; 1944 } 1945 1946 if (c) { 1947 *behavior = c->v.behavior; 1948 if (!c->sid[0]) { 1949 rc = sidtab_context_to_sid(&sidtab, 1950 &c->context[0], 1951 &c->sid[0]); 1952 if (rc) 1953 goto out; 1954 } 1955 *sid = c->sid[0]; 1956 } else { 1957 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1958 if (rc) { 1959 *behavior = SECURITY_FS_USE_NONE; 1960 rc = 0; 1961 } else { 1962 *behavior = SECURITY_FS_USE_GENFS; 1963 } 1964 } 1965 1966out: 1967 read_unlock(&policy_rwlock); 1968 return rc; 1969} 1970 1971int security_get_bools(int *len, char ***names, int **values) 1972{ 1973 int i, rc = -ENOMEM; 1974 1975 read_lock(&policy_rwlock); 1976 *names = NULL; 1977 *values = NULL; 1978 1979 *len = policydb.p_bools.nprim; 1980 if (!*len) { 1981 rc = 0; 1982 goto out; 1983 } 1984 1985 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 1986 if (!*names) 1987 goto err; 1988 1989 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 1990 if (!*values) 1991 goto err; 1992 1993 for (i = 0; i < *len; i++) { 1994 size_t name_len; 1995 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1996 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1997 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1998 if (!(*names)[i]) 1999 goto err; 2000 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 2001 (*names)[i][name_len - 1] = 0; 2002 } 2003 rc = 0; 2004out: 2005 read_unlock(&policy_rwlock); 2006 return rc; 2007err: 2008 if (*names) { 2009 for (i = 0; i < *len; i++) 2010 kfree((*names)[i]); 2011 } 2012 kfree(*values); 2013 goto out; 2014} 2015 2016 2017int security_set_bools(int len, int *values) 2018{ 2019 int i, rc = 0; 2020 int lenp, seqno = 0; 2021 struct cond_node *cur; 2022 2023 write_lock_irq(&policy_rwlock); 2024 2025 lenp = policydb.p_bools.nprim; 2026 if (len != lenp) { 2027 rc = -EFAULT; 2028 goto out; 2029 } 2030 2031 for (i = 0; i < len; i++) { 2032 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 2033 audit_log(current->audit_context, GFP_ATOMIC, 2034 AUDIT_MAC_CONFIG_CHANGE, 2035 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2036 policydb.p_bool_val_to_name[i], 2037 !!values[i], 2038 policydb.bool_val_to_struct[i]->state, 2039 audit_get_loginuid(current), 2040 audit_get_sessionid(current)); 2041 } 2042 if (values[i]) 2043 policydb.bool_val_to_struct[i]->state = 1; 2044 else 2045 policydb.bool_val_to_struct[i]->state = 0; 2046 } 2047 2048 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 2049 rc = evaluate_cond_node(&policydb, cur); 2050 if (rc) 2051 goto out; 2052 } 2053 2054 seqno = ++latest_granting; 2055 2056out: 2057 write_unlock_irq(&policy_rwlock); 2058 if (!rc) { 2059 avc_ss_reset(seqno); 2060 selnl_notify_policyload(seqno); 2061 selinux_xfrm_notify_policyload(); 2062 } 2063 return rc; 2064} 2065 2066int security_get_bool_value(int bool) 2067{ 2068 int rc = 0; 2069 int len; 2070 2071 read_lock(&policy_rwlock); 2072 2073 len = policydb.p_bools.nprim; 2074 if (bool >= len) { 2075 rc = -EFAULT; 2076 goto out; 2077 } 2078 2079 rc = policydb.bool_val_to_struct[bool]->state; 2080out: 2081 read_unlock(&policy_rwlock); 2082 return rc; 2083} 2084 2085static int security_preserve_bools(struct policydb *p) 2086{ 2087 int rc, nbools = 0, *bvalues = NULL, i; 2088 char **bnames = NULL; 2089 struct cond_bool_datum *booldatum; 2090 struct cond_node *cur; 2091 2092 rc = security_get_bools(&nbools, &bnames, &bvalues); 2093 if (rc) 2094 goto out; 2095 for (i = 0; i < nbools; i++) { 2096 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 2097 if (booldatum) 2098 booldatum->state = bvalues[i]; 2099 } 2100 for (cur = p->cond_list; cur != NULL; cur = cur->next) { 2101 rc = evaluate_cond_node(p, cur); 2102 if (rc) 2103 goto out; 2104 } 2105 2106out: 2107 if (bnames) { 2108 for (i = 0; i < nbools; i++) 2109 kfree(bnames[i]); 2110 } 2111 kfree(bnames); 2112 kfree(bvalues); 2113 return rc; 2114} 2115 2116/* 2117 * security_sid_mls_copy() - computes a new sid based on the given 2118 * sid and the mls portion of mls_sid. 2119 */ 2120int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 2121{ 2122 struct context *context1; 2123 struct context *context2; 2124 struct context newcon; 2125 char *s; 2126 u32 len; 2127 int rc = 0; 2128 2129 if (!ss_initialized || !selinux_mls_enabled) { 2130 *new_sid = sid; 2131 goto out; 2132 } 2133 2134 context_init(&newcon); 2135 2136 read_lock(&policy_rwlock); 2137 context1 = sidtab_search(&sidtab, sid); 2138 if (!context1) { 2139 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2140 __func__, sid); 2141 rc = -EINVAL; 2142 goto out_unlock; 2143 } 2144 2145 context2 = sidtab_search(&sidtab, mls_sid); 2146 if (!context2) { 2147 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2148 __func__, mls_sid); 2149 rc = -EINVAL; 2150 goto out_unlock; 2151 } 2152 2153 newcon.user = context1->user; 2154 newcon.role = context1->role; 2155 newcon.type = context1->type; 2156 rc = mls_context_cpy(&newcon, context2); 2157 if (rc) 2158 goto out_unlock; 2159 2160 /* Check the validity of the new context. */ 2161 if (!policydb_context_isvalid(&policydb, &newcon)) { 2162 rc = convert_context_handle_invalid_context(&newcon); 2163 if (rc) 2164 goto bad; 2165 } 2166 2167 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 2168 goto out_unlock; 2169 2170bad: 2171 if (!context_struct_to_string(&newcon, &s, &len)) { 2172 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2173 "security_sid_mls_copy: invalid context %s", s); 2174 kfree(s); 2175 } 2176 2177out_unlock: 2178 read_unlock(&policy_rwlock); 2179 context_destroy(&newcon); 2180out: 2181 return rc; 2182} 2183 2184/** 2185 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 2186 * @nlbl_sid: NetLabel SID 2187 * @nlbl_type: NetLabel labeling protocol type 2188 * @xfrm_sid: XFRM SID 2189 * 2190 * Description: 2191 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 2192 * resolved into a single SID it is returned via @peer_sid and the function 2193 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 2194 * returns a negative value. A table summarizing the behavior is below: 2195 * 2196 * | function return | @sid 2197 * ------------------------------+-----------------+----------------- 2198 * no peer labels | 0 | SECSID_NULL 2199 * single peer label | 0 | <peer_label> 2200 * multiple, consistent labels | 0 | <peer_label> 2201 * multiple, inconsistent labels | -<errno> | SECSID_NULL 2202 * 2203 */ 2204int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, 2205 u32 xfrm_sid, 2206 u32 *peer_sid) 2207{ 2208 int rc; 2209 struct context *nlbl_ctx; 2210 struct context *xfrm_ctx; 2211 2212 /* handle the common (which also happens to be the set of easy) cases 2213 * right away, these two if statements catch everything involving a 2214 * single or absent peer SID/label */ 2215 if (xfrm_sid == SECSID_NULL) { 2216 *peer_sid = nlbl_sid; 2217 return 0; 2218 } 2219 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 2220 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 2221 * is present */ 2222 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 2223 *peer_sid = xfrm_sid; 2224 return 0; 2225 } 2226 2227 /* we don't need to check ss_initialized here since the only way both 2228 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2229 * security server was initialized and ss_initialized was true */ 2230 if (!selinux_mls_enabled) { 2231 *peer_sid = SECSID_NULL; 2232 return 0; 2233 } 2234 2235 read_lock(&policy_rwlock); 2236 2237 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2238 if (!nlbl_ctx) { 2239 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2240 __func__, nlbl_sid); 2241 rc = -EINVAL; 2242 goto out_slowpath; 2243 } 2244 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2245 if (!xfrm_ctx) { 2246 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2247 __func__, xfrm_sid); 2248 rc = -EINVAL; 2249 goto out_slowpath; 2250 } 2251 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 2252 2253out_slowpath: 2254 read_unlock(&policy_rwlock); 2255 if (rc == 0) 2256 /* at present NetLabel SIDs/labels really only carry MLS 2257 * information so if the MLS portion of the NetLabel SID 2258 * matches the MLS portion of the labeled XFRM SID/label 2259 * then pass along the XFRM SID as it is the most 2260 * expressive */ 2261 *peer_sid = xfrm_sid; 2262 else 2263 *peer_sid = SECSID_NULL; 2264 return rc; 2265} 2266 2267static int get_classes_callback(void *k, void *d, void *args) 2268{ 2269 struct class_datum *datum = d; 2270 char *name = k, **classes = args; 2271 int value = datum->value - 1; 2272 2273 classes[value] = kstrdup(name, GFP_ATOMIC); 2274 if (!classes[value]) 2275 return -ENOMEM; 2276 2277 return 0; 2278} 2279 2280int security_get_classes(char ***classes, int *nclasses) 2281{ 2282 int rc = -ENOMEM; 2283 2284 read_lock(&policy_rwlock); 2285 2286 *nclasses = policydb.p_classes.nprim; 2287 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2288 if (!*classes) 2289 goto out; 2290 2291 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2292 *classes); 2293 if (rc < 0) { 2294 int i; 2295 for (i = 0; i < *nclasses; i++) 2296 kfree((*classes)[i]); 2297 kfree(*classes); 2298 } 2299 2300out: 2301 read_unlock(&policy_rwlock); 2302 return rc; 2303} 2304 2305static int get_permissions_callback(void *k, void *d, void *args) 2306{ 2307 struct perm_datum *datum = d; 2308 char *name = k, **perms = args; 2309 int value = datum->value - 1; 2310 2311 perms[value] = kstrdup(name, GFP_ATOMIC); 2312 if (!perms[value]) 2313 return -ENOMEM; 2314 2315 return 0; 2316} 2317 2318int security_get_permissions(char *class, char ***perms, int *nperms) 2319{ 2320 int rc = -ENOMEM, i; 2321 struct class_datum *match; 2322 2323 read_lock(&policy_rwlock); 2324 2325 match = hashtab_search(policydb.p_classes.table, class); 2326 if (!match) { 2327 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", 2328 __func__, class); 2329 rc = -EINVAL; 2330 goto out; 2331 } 2332 2333 *nperms = match->permissions.nprim; 2334 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2335 if (!*perms) 2336 goto out; 2337 2338 if (match->comdatum) { 2339 rc = hashtab_map(match->comdatum->permissions.table, 2340 get_permissions_callback, *perms); 2341 if (rc < 0) 2342 goto err; 2343 } 2344 2345 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2346 *perms); 2347 if (rc < 0) 2348 goto err; 2349 2350out: 2351 read_unlock(&policy_rwlock); 2352 return rc; 2353 2354err: 2355 read_unlock(&policy_rwlock); 2356 for (i = 0; i < *nperms; i++) 2357 kfree((*perms)[i]); 2358 kfree(*perms); 2359 return rc; 2360} 2361 2362int security_get_reject_unknown(void) 2363{ 2364 return policydb.reject_unknown; 2365} 2366 2367int security_get_allow_unknown(void) 2368{ 2369 return policydb.allow_unknown; 2370} 2371 2372/** 2373 * security_policycap_supported - Check for a specific policy capability 2374 * @req_cap: capability 2375 * 2376 * Description: 2377 * This function queries the currently loaded policy to see if it supports the 2378 * capability specified by @req_cap. Returns true (1) if the capability is 2379 * supported, false (0) if it isn't supported. 2380 * 2381 */ 2382int security_policycap_supported(unsigned int req_cap) 2383{ 2384 int rc; 2385 2386 read_lock(&policy_rwlock); 2387 rc = ebitmap_get_bit(&policydb.policycaps, req_cap); 2388 read_unlock(&policy_rwlock); 2389 2390 return rc; 2391} 2392 2393struct selinux_audit_rule { 2394 u32 au_seqno; 2395 struct context au_ctxt; 2396}; 2397 2398void selinux_audit_rule_free(void *vrule) 2399{ 2400 struct selinux_audit_rule *rule = vrule; 2401 2402 if (rule) { 2403 context_destroy(&rule->au_ctxt); 2404 kfree(rule); 2405 } 2406} 2407 2408int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2409{ 2410 struct selinux_audit_rule *tmprule; 2411 struct role_datum *roledatum; 2412 struct type_datum *typedatum; 2413 struct user_datum *userdatum; 2414 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 2415 int rc = 0; 2416 2417 *rule = NULL; 2418 2419 if (!ss_initialized) 2420 return -EOPNOTSUPP; 2421 2422 switch (field) { 2423 case AUDIT_SUBJ_USER: 2424 case AUDIT_SUBJ_ROLE: 2425 case AUDIT_SUBJ_TYPE: 2426 case AUDIT_OBJ_USER: 2427 case AUDIT_OBJ_ROLE: 2428 case AUDIT_OBJ_TYPE: 2429 /* only 'equals' and 'not equals' fit user, role, and type */ 2430 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 2431 return -EINVAL; 2432 break; 2433 case AUDIT_SUBJ_SEN: 2434 case AUDIT_SUBJ_CLR: 2435 case AUDIT_OBJ_LEV_LOW: 2436 case AUDIT_OBJ_LEV_HIGH: 2437 /* we do not allow a range, indicated by the presense of '-' */ 2438 if (strchr(rulestr, '-')) 2439 return -EINVAL; 2440 break; 2441 default: 2442 /* only the above fields are valid */ 2443 return -EINVAL; 2444 } 2445 2446 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2447 if (!tmprule) 2448 return -ENOMEM; 2449 2450 context_init(&tmprule->au_ctxt); 2451 2452 read_lock(&policy_rwlock); 2453 2454 tmprule->au_seqno = latest_granting; 2455 2456 switch (field) { 2457 case AUDIT_SUBJ_USER: 2458 case AUDIT_OBJ_USER: 2459 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2460 if (!userdatum) 2461 rc = -EINVAL; 2462 else 2463 tmprule->au_ctxt.user = userdatum->value; 2464 break; 2465 case AUDIT_SUBJ_ROLE: 2466 case AUDIT_OBJ_ROLE: 2467 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2468 if (!roledatum) 2469 rc = -EINVAL; 2470 else 2471 tmprule->au_ctxt.role = roledatum->value; 2472 break; 2473 case AUDIT_SUBJ_TYPE: 2474 case AUDIT_OBJ_TYPE: 2475 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2476 if (!typedatum) 2477 rc = -EINVAL; 2478 else 2479 tmprule->au_ctxt.type = typedatum->value; 2480 break; 2481 case AUDIT_SUBJ_SEN: 2482 case AUDIT_SUBJ_CLR: 2483 case AUDIT_OBJ_LEV_LOW: 2484 case AUDIT_OBJ_LEV_HIGH: 2485 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2486 break; 2487 } 2488 2489 read_unlock(&policy_rwlock); 2490 2491 if (rc) { 2492 selinux_audit_rule_free(tmprule); 2493 tmprule = NULL; 2494 } 2495 2496 *rule = tmprule; 2497 2498 return rc; 2499} 2500 2501/* Check to see if the rule contains any selinux fields */ 2502int selinux_audit_rule_known(struct audit_krule *rule) 2503{ 2504 int i; 2505 2506 for (i = 0; i < rule->field_count; i++) { 2507 struct audit_field *f = &rule->fields[i]; 2508 switch (f->type) { 2509 case AUDIT_SUBJ_USER: 2510 case AUDIT_SUBJ_ROLE: 2511 case AUDIT_SUBJ_TYPE: 2512 case AUDIT_SUBJ_SEN: 2513 case AUDIT_SUBJ_CLR: 2514 case AUDIT_OBJ_USER: 2515 case AUDIT_OBJ_ROLE: 2516 case AUDIT_OBJ_TYPE: 2517 case AUDIT_OBJ_LEV_LOW: 2518 case AUDIT_OBJ_LEV_HIGH: 2519 return 1; 2520 } 2521 } 2522 2523 return 0; 2524} 2525 2526int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 2527 struct audit_context *actx) 2528{ 2529 struct context *ctxt; 2530 struct mls_level *level; 2531 struct selinux_audit_rule *rule = vrule; 2532 int match = 0; 2533 2534 if (!rule) { 2535 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2536 "selinux_audit_rule_match: missing rule\n"); 2537 return -ENOENT; 2538 } 2539 2540 read_lock(&policy_rwlock); 2541 2542 if (rule->au_seqno < latest_granting) { 2543 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2544 "selinux_audit_rule_match: stale rule\n"); 2545 match = -ESTALE; 2546 goto out; 2547 } 2548 2549 ctxt = sidtab_search(&sidtab, sid); 2550 if (!ctxt) { 2551 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2552 "selinux_audit_rule_match: unrecognized SID %d\n", 2553 sid); 2554 match = -ENOENT; 2555 goto out; 2556 } 2557 2558 /* a field/op pair that is not caught here will simply fall through 2559 without a match */ 2560 switch (field) { 2561 case AUDIT_SUBJ_USER: 2562 case AUDIT_OBJ_USER: 2563 switch (op) { 2564 case AUDIT_EQUAL: 2565 match = (ctxt->user == rule->au_ctxt.user); 2566 break; 2567 case AUDIT_NOT_EQUAL: 2568 match = (ctxt->user != rule->au_ctxt.user); 2569 break; 2570 } 2571 break; 2572 case AUDIT_SUBJ_ROLE: 2573 case AUDIT_OBJ_ROLE: 2574 switch (op) { 2575 case AUDIT_EQUAL: 2576 match = (ctxt->role == rule->au_ctxt.role); 2577 break; 2578 case AUDIT_NOT_EQUAL: 2579 match = (ctxt->role != rule->au_ctxt.role); 2580 break; 2581 } 2582 break; 2583 case AUDIT_SUBJ_TYPE: 2584 case AUDIT_OBJ_TYPE: 2585 switch (op) { 2586 case AUDIT_EQUAL: 2587 match = (ctxt->type == rule->au_ctxt.type); 2588 break; 2589 case AUDIT_NOT_EQUAL: 2590 match = (ctxt->type != rule->au_ctxt.type); 2591 break; 2592 } 2593 break; 2594 case AUDIT_SUBJ_SEN: 2595 case AUDIT_SUBJ_CLR: 2596 case AUDIT_OBJ_LEV_LOW: 2597 case AUDIT_OBJ_LEV_HIGH: 2598 level = ((field == AUDIT_SUBJ_SEN || 2599 field == AUDIT_OBJ_LEV_LOW) ? 2600 &ctxt->range.level[0] : &ctxt->range.level[1]); 2601 switch (op) { 2602 case AUDIT_EQUAL: 2603 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2604 level); 2605 break; 2606 case AUDIT_NOT_EQUAL: 2607 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2608 level); 2609 break; 2610 case AUDIT_LESS_THAN: 2611 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2612 level) && 2613 !mls_level_eq(&rule->au_ctxt.range.level[0], 2614 level)); 2615 break; 2616 case AUDIT_LESS_THAN_OR_EQUAL: 2617 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2618 level); 2619 break; 2620 case AUDIT_GREATER_THAN: 2621 match = (mls_level_dom(level, 2622 &rule->au_ctxt.range.level[0]) && 2623 !mls_level_eq(level, 2624 &rule->au_ctxt.range.level[0])); 2625 break; 2626 case AUDIT_GREATER_THAN_OR_EQUAL: 2627 match = mls_level_dom(level, 2628 &rule->au_ctxt.range.level[0]); 2629 break; 2630 } 2631 } 2632 2633out: 2634 read_unlock(&policy_rwlock); 2635 return match; 2636} 2637 2638static int (*aurule_callback)(void) = audit_update_lsm_rules; 2639 2640static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2641 u16 class, u32 perms, u32 *retained) 2642{ 2643 int err = 0; 2644 2645 if (event == AVC_CALLBACK_RESET && aurule_callback) 2646 err = aurule_callback(); 2647 return err; 2648} 2649 2650static int __init aurule_init(void) 2651{ 2652 int err; 2653 2654 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2655 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2656 if (err) 2657 panic("avc_add_callback() failed, error %d\n", err); 2658 2659 return err; 2660} 2661__initcall(aurule_init); 2662 2663#ifdef CONFIG_NETLABEL 2664/** 2665 * security_netlbl_cache_add - Add an entry to the NetLabel cache 2666 * @secattr: the NetLabel packet security attributes 2667 * @sid: the SELinux SID 2668 * 2669 * Description: 2670 * Attempt to cache the context in @ctx, which was derived from the packet in 2671 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2672 * already been initialized. 2673 * 2674 */ 2675static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2676 u32 sid) 2677{ 2678 u32 *sid_cache; 2679 2680 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 2681 if (sid_cache == NULL) 2682 return; 2683 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2684 if (secattr->cache == NULL) { 2685 kfree(sid_cache); 2686 return; 2687 } 2688 2689 *sid_cache = sid; 2690 secattr->cache->free = kfree; 2691 secattr->cache->data = sid_cache; 2692 secattr->flags |= NETLBL_SECATTR_CACHE; 2693} 2694 2695/** 2696 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2697 * @secattr: the NetLabel packet security attributes 2698 * @sid: the SELinux SID 2699 * 2700 * Description: 2701 * Convert the given NetLabel security attributes in @secattr into a 2702 * SELinux SID. If the @secattr field does not contain a full SELinux 2703 * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the 2704 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 2705 * allow the @secattr to be used by NetLabel to cache the secattr to SID 2706 * conversion for future lookups. Returns zero on success, negative values on 2707 * failure. 2708 * 2709 */ 2710int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2711 u32 *sid) 2712{ 2713 int rc = -EIDRM; 2714 struct context *ctx; 2715 struct context ctx_new; 2716 2717 if (!ss_initialized) { 2718 *sid = SECSID_NULL; 2719 return 0; 2720 } 2721 2722 read_lock(&policy_rwlock); 2723 2724 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2725 *sid = *(u32 *)secattr->cache->data; 2726 rc = 0; 2727 } else if (secattr->flags & NETLBL_SECATTR_SECID) { 2728 *sid = secattr->attr.secid; 2729 rc = 0; 2730 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 2731 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); 2732 if (ctx == NULL) 2733 goto netlbl_secattr_to_sid_return; 2734 2735 ctx_new.user = ctx->user; 2736 ctx_new.role = ctx->role; 2737 ctx_new.type = ctx->type; 2738 mls_import_netlbl_lvl(&ctx_new, secattr); 2739 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2740 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 2741 secattr->attr.mls.cat) != 0) 2742 goto netlbl_secattr_to_sid_return; 2743 ctx_new.range.level[1].cat.highbit = 2744 ctx_new.range.level[0].cat.highbit; 2745 ctx_new.range.level[1].cat.node = 2746 ctx_new.range.level[0].cat.node; 2747 } else { 2748 ebitmap_init(&ctx_new.range.level[0].cat); 2749 ebitmap_init(&ctx_new.range.level[1].cat); 2750 } 2751 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 2752 goto netlbl_secattr_to_sid_return_cleanup; 2753 2754 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2755 if (rc != 0) 2756 goto netlbl_secattr_to_sid_return_cleanup; 2757 2758 security_netlbl_cache_add(secattr, *sid); 2759 2760 ebitmap_destroy(&ctx_new.range.level[0].cat); 2761 } else { 2762 *sid = SECSID_NULL; 2763 rc = 0; 2764 } 2765 2766netlbl_secattr_to_sid_return: 2767 read_unlock(&policy_rwlock); 2768 return rc; 2769netlbl_secattr_to_sid_return_cleanup: 2770 ebitmap_destroy(&ctx_new.range.level[0].cat); 2771 goto netlbl_secattr_to_sid_return; 2772} 2773 2774/** 2775 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 2776 * @sid: the SELinux SID 2777 * @secattr: the NetLabel packet security attributes 2778 * 2779 * Description: 2780 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 2781 * Returns zero on success, negative values on failure. 2782 * 2783 */ 2784int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 2785{ 2786 int rc = -ENOENT; 2787 struct context *ctx; 2788 2789 if (!ss_initialized) 2790 return 0; 2791 2792 read_lock(&policy_rwlock); 2793 ctx = sidtab_search(&sidtab, sid); 2794 if (ctx == NULL) 2795 goto netlbl_sid_to_secattr_failure; 2796 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2797 GFP_ATOMIC); 2798 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY; 2799 mls_export_netlbl_lvl(ctx, secattr); 2800 rc = mls_export_netlbl_cat(ctx, secattr); 2801 if (rc != 0) 2802 goto netlbl_sid_to_secattr_failure; 2803 read_unlock(&policy_rwlock); 2804 2805 return 0; 2806 2807netlbl_sid_to_secattr_failure: 2808 read_unlock(&policy_rwlock); 2809 return rc; 2810} 2811#endif /* CONFIG_NETLABEL */ 2812