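--- a/services.c
+++ b/services.c
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Implementation of the security services.
  *
  * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
  * James Morris <jmorris@redhat.com>
  *
  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
@@ -762,17 +762,17 @@
  struct sidtab_entry *nentry;
  struct sidtab_entry *tentry;
  struct class_datum *tclass_datum;
  struct constraint_node *constraint;
  u16 tclass;
  int rc = 0;
 
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  return 0;
 
  read_lock(&state->ss->policy_rwlock);
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  if (!user)
@@ -863,17 +863,17 @@
 {
  struct policydb *policydb;
  struct sidtab *sidtab;
  struct sidtab_entry *old_entry, *new_entry;
  struct type_datum *type;
  int index;
  int rc;
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  return 0;
 
  read_lock(&state->ss->policy_rwlock);
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  rc = -EINVAL;
@@ -1022,17 +1022,17 @@
 
  xpermd->driver = driver;
  xpermd->used = 0;
  memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
  memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
  memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
 
  read_lock(&state->ss->policy_rwlock);
- if (!state->initialized)
+ if (!selinux_initialized(state))
  goto allow;
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  scontext = sidtab_search(sidtab, ssid);
  if (!scontext) {
  pr_err("SELinux: %s: unrecognized SID %d\n",
@@ -1107,17 +1107,17 @@
  struct policydb *policydb;
  struct sidtab *sidtab;
  u16 tclass;
  struct context *scontext = NULL, *tcontext = NULL;
 
  read_lock(&state->ss->policy_rwlock);
  avd_init(state, avd);
  xperms->len = 0;
- if (!state->initialized)
+ if (!selinux_initialized(state))
  goto allow;
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  scontext = sidtab_search(sidtab, ssid);
  if (!scontext) {
  pr_err("SELinux: %s: unrecognized SID %d\n",
@@ -1161,17 +1161,17 @@
  struct av_decision *avd)
 {
  struct policydb *policydb;
  struct sidtab *sidtab;
  struct context *scontext = NULL, *tcontext = NULL;
 
  read_lock(&state->ss->policy_rwlock);
  avd_init(state, avd);
- if (!state->initialized)
+ if (!selinux_initialized(state))
  goto allow;
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  scontext = sidtab_search(sidtab, ssid);
  if (!scontext) {
  pr_err("SELinux: %s: unrecognized SID %d\n",
@@ -1281,17 +1281,17 @@
 }
 
 #include "initial_sid_to_string.h"
 
 int security_sidtab_hash_stats(struct selinux_state *state, char *page)
 {
  int rc;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  pr_err("SELinux: %s: called before initial load_policy\n",
  __func__);
  return -EINVAL;
  }
 
  read_lock(&state->ss->policy_rwlock);
  rc = sidtab_hash_stats(state->ss->sidtab, page);
  read_unlock(&state->ss->policy_rwlock);
@@ -1315,17 +1315,17 @@
  struct sidtab *sidtab;
  struct sidtab_entry *entry;
  int rc = 0;
 
  if (scontext)
  *scontext = NULL;
  *scontext_len = 0;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  if (sid <= SECINITSID_NUM) {
  char *scontextp;
 
  *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
  if (!scontext)
  goto out;
  scontextp = kmemdup(initial_sid_to_string[sid],
  *scontext_len, GFP_ATOMIC);
@@ -1544,17 +1544,17 @@
  if (!scontext_len)
  return -EINVAL;
 
  /* Copy the string to allow changes and ensure a NUL terminator */
  scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
  if (!scontext2)
  return -ENOMEM;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  int i;
 
  for (i = 1; i < SECINITSID_NUM; i++) {
  if (!strcmp(initial_sid_to_string[i], scontext2)) {
  *sid = i;
  goto out;
  }
  }
@@ -1731,17 +1731,17 @@
  struct role_trans *roletr = NULL;
  struct avtab_key avkey;
  struct avtab_datum *avdatum;
  struct avtab_node *node;
  u16 tclass;
  int rc = 0;
  bool sock;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  switch (orig_tclass) {
  case SECCLASS_PROCESS: /* kernel value */
  *out_sid = ssid;
  break;
  default:
  *out_sid = tsid;
  break;
  }
@@ -2193,17 +2193,17 @@
  policydb = &state->ss->policydb;
 
  newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL);
  if (!newsidtab) {
  rc = -ENOMEM;
  goto out;
  }
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  rc = policydb_read(policydb, fp);
  if (rc) {
  kfree(newsidtab);
  goto out;
  }
 
  policydb->len = len;
  rc = selinux_set_mapping(policydb, secclass_map,
@@ -2218,17 +2218,17 @@
  if (rc) {
  kfree(newsidtab);
  policydb_destroy(policydb);
  goto out;
  }
 
  state->ss->sidtab = newsidtab;
  security_load_policycaps(state);
- state->initialized = 1;
+ selinux_mark_initialized(state);
  seqno = ++state->ss->latest_granting;
  selinux_complete_init();
  avc_ss_reset(state->avc, seqno);
  selnl_notify_policyload(seqno);
  selinux_status_update_policyload(state, seqno);
  selinux_netlbl_cache_invalidate();
  selinux_xfrm_notify_policyload();
  goto out;
@@ -2634,17 +2634,17 @@
  struct user_datum *user;
  struct role_datum *role;
  struct ebitmap_node *rnode, *tnode;
  int rc = 0, i, j;
 
  *sids = NULL;
  *nel = 0;
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  goto out;
 
  read_lock(&state->ss->policy_rwlock);
 
  policydb = &state->ss->policydb;
  sidtab = state->ss->sidtab;
 
  context_init(&usercon);
@@ -2870,17 +2870,17 @@
 }
 
 int security_get_bools(struct selinux_state *state,
  int *len, char ***names, int **values)
 {
  struct policydb *policydb;
  int i, rc;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  *len = 0;
  *names = NULL;
  *values = NULL;
  return 0;
  }
 
  read_lock(&state->ss->policy_rwlock);
 
@@ -3045,17 +3045,17 @@
  struct context *context1;
  struct context *context2;
  struct context newcon;
  char *s;
  u32 len;
  int rc;
 
  rc = 0;
- if (!state->initialized || !policydb->mls_enabled) {
+ if (!selinux_initialized(state) || !policydb->mls_enabled) {
  *new_sid = sid;
  goto out;
  }
 
  context_init(&newcon);
 
  read_lock(&state->ss->policy_rwlock);
 
@@ -3212,17 +3212,17 @@
 }
 
 int security_get_classes(struct selinux_state *state,
  char ***classes, int *nclasses)
 {
  struct policydb *policydb = &state->ss->policydb;
  int rc;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  *nclasses = 0;
  *classes = NULL;
  return 0;
  }
 
  read_lock(&state->ss->policy_rwlock);
 
  rc = -ENOMEM;
@@ -3361,17 +3361,17 @@
  struct role_datum *roledatum;
  struct type_datum *typedatum;
  struct user_datum *userdatum;
  struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
  int rc = 0;
 
  *rule = NULL;
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  return -EOPNOTSUPP;
 
  switch (field) {
  case AUDIT_SUBJ_USER:
  case AUDIT_SUBJ_ROLE:
  case AUDIT_SUBJ_TYPE:
  case AUDIT_OBJ_USER:
  case AUDIT_OBJ_ROLE:
@@ -3660,17 +3660,17 @@
  u32 *sid)
 {
  struct policydb *policydb = &state->ss->policydb;
  struct sidtab *sidtab = state->ss->sidtab;
  int rc;
  struct context *ctx;
  struct context ctx_new;
 
- if (!state->initialized) {
+ if (!selinux_initialized(state)) {
  *sid = SECSID_NULL;
  return 0;
  }
 
  read_lock(&state->ss->policy_rwlock);
 
  if (secattr->flags & NETLBL_SECATTR_CACHE)
  *sid = *(u32 *)secattr->cache->data;
@@ -3727,17 +3727,17 @@
  */
 int security_netlbl_sid_to_secattr(struct selinux_state *state,
  u32 sid, struct netlbl_lsm_secattr *secattr)
 {
  struct policydb *policydb = &state->ss->policydb;
  int rc;
  struct context *ctx;
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  return 0;
 
  read_lock(&state->ss->policy_rwlock);
 
  rc = -ENOENT;
  ctx = sidtab_search(state->ss->sidtab, sid);
  if (ctx == NULL)
  goto out;
@@ -3766,17 +3766,17 @@
  */
 int security_read_policy(struct selinux_state *state,
  void **data, size_t *len)
 {
  struct policydb *policydb = &state->ss->policydb;
  int rc;
  struct policy_file fp;
 
- if (!state->initialized)
+ if (!selinux_initialized(state))
  return -EINVAL;
 
  *len = security_policydb_len(state);
 
  *data = vmalloc_user(*len);
  if (!*data)
  return -ENOMEM;
 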
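Review bot: On line 3053 the condition still dereferences `policydb->mls_enabled` before the `read_lock(&state->ss->policy_rwlock)` taken on line 3060, so swapping in `selinux_initialized(state)` only changes how the flag is read while the policydb field in the same expression is still read without the policy lock. If the helper provides acquire ordering for the flag (its definition is not in this diff), that does not extend to `mls_enabled`; either split the test so the initialized check stays where it is, `if (!selinux_initialized(state)) { *new_sid = sid; goto out; }`, and the `mls_enabled` test moves below the `read_lock` with a `read_unlock` on that early-exit path, or add a comment stating why the unlocked read is acceptable here. The other converted sites that test before locking (lines 770, 871, 2642, 3369, 3735, 3774) read only the flag, so they are not affected by this point. The enclosing function starts and ends outside the shown lines.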