1 /* 2 * Implementation of the policy database. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6 7 /* 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for the policy capability bitmap 19 * 20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 23 * This program is free software; you can redistribute it and/or modify 24 * it under the terms of the GNU General Public License as published by 25 * the Free Software Foundation, version 2. 26 */ 27 28 #include <linux/kernel.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/string.h> 32 #include <linux/errno.h> 33 #include <linux/audit.h> 34 #include "security.h" 35 36 #include "policydb.h" 37 #include "conditional.h" 38 #include "mls.h" 39 40 #define _DEBUG_HASHES 41 42 #ifdef DEBUG_HASHES 43 static char *symtab_name[SYM_NUM] = { 44 "common prefixes", 45 "classes", 46 "roles", 47 "types", 48 "users", 49 "bools", 50 "levels", 51 "categories", 52 }; 53 #endif 54 55 int selinux_mls_enabled; 56 57 static unsigned int symtab_sizes[SYM_NUM] = { 58 2, 59 32, 60 16, 61 512, 62 128, 63 16, 64 16, 65 16, 66 }; 67 68 struct policydb_compat_info { 69 int version; 70 int sym_num; 71 int ocon_num; 72 }; 73 74 /* These need to be updated if SYM_NUM or OCON_NUM changes */ 75 static struct policydb_compat_info policydb_compat[] = { 76 { 77 .version = POLICYDB_VERSION_BASE, 78 .sym_num = SYM_NUM - 3, 79 .ocon_num = OCON_NUM - 1, 80 }, 81 { 82 .version = POLICYDB_VERSION_BOOL, 83 .sym_num = SYM_NUM - 2, 84 .ocon_num = OCON_NUM - 1, 85 }, 86 { 87 .version = POLICYDB_VERSION_IPV6, 88 .sym_num = SYM_NUM - 2, 89 .ocon_num = OCON_NUM, 90 }, 91 { 92 .version = POLICYDB_VERSION_NLCLASS, 93 .sym_num = SYM_NUM - 2, 94 .ocon_num = OCON_NUM, 95 }, 96 { 97 .version = POLICYDB_VERSION_MLS, 98 .sym_num = SYM_NUM, 99 .ocon_num = OCON_NUM, 100 }, 101 { 102 .version = POLICYDB_VERSION_AVTAB, 103 .sym_num = SYM_NUM, 104 .ocon_num = OCON_NUM, 105 }, 106 { 107 .version = POLICYDB_VERSION_RANGETRANS, 108 .sym_num = SYM_NUM, 109 .ocon_num = OCON_NUM, 110 }, 111 { 112 .version = POLICYDB_VERSION_POLCAP, 113 .sym_num = SYM_NUM, 114 .ocon_num = OCON_NUM, 115 }, 116 { 117 .version = POLICYDB_VERSION_PERMISSIVE, 118 .sym_num = SYM_NUM, 119 .ocon_num = OCON_NUM, 120 }, 121 { 122 .version = POLICYDB_VERSION_BOUNDARY, 123 .sym_num = SYM_NUM, 124 .ocon_num = OCON_NUM, 125 }, 126 }; 127 128 static struct policydb_compat_info *policydb_lookup_compat(int version) 129 { 130 int i; 131 struct policydb_compat_info *info = NULL; 132 133 for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { 134 if (policydb_compat[i].version == version) { 135 info = &policydb_compat[i]; 136 break; 137 } 138 } 139 return info; 140 } 141 142 /* 143 * Initialize the role table. 144 */ 145 static int roles_init(struct policydb *p) 146 { 147 char *key = NULL; 148 int rc; 149 struct role_datum *role; 150 151 role = kzalloc(sizeof(*role), GFP_KERNEL); 152 if (!role) { 153 rc = -ENOMEM; 154 goto out; 155 } 156 role->value = ++p->p_roles.nprim; 157 if (role->value != OBJECT_R_VAL) { 158 rc = -EINVAL; 159 goto out_free_role; 160 } 161 key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL); 162 if (!key) { 163 rc = -ENOMEM; 164 goto out_free_role; 165 } 166 strcpy(key, OBJECT_R); 167 rc = hashtab_insert(p->p_roles.table, key, role); 168 if (rc) 169 goto out_free_key; 170 out: 171 return rc; 172 173 out_free_key: 174 kfree(key); 175 out_free_role: 176 kfree(role); 177 goto out; 178 } 179 180 /* 181 * Initialize a policy database structure. 182 */ 183 static int policydb_init(struct policydb *p) 184 { 185 int i, rc; 186 187 memset(p, 0, sizeof(*p)); 188 189 for (i = 0; i < SYM_NUM; i++) { 190 rc = symtab_init(&p->symtab[i], symtab_sizes[i]); 191 if (rc) 192 goto out_free_symtab; 193 } 194 195 rc = avtab_init(&p->te_avtab); 196 if (rc) 197 goto out_free_symtab; 198 199 rc = roles_init(p); 200 if (rc) 201 goto out_free_symtab; 202 203 rc = cond_policydb_init(p); 204 if (rc) 205 goto out_free_symtab; 206 207 ebitmap_init(&p->policycaps); 208 ebitmap_init(&p->permissive_map); 209 210 out: 211 return rc; 212 213 out_free_symtab: 214 for (i = 0; i < SYM_NUM; i++) 215 hashtab_destroy(p->symtab[i].table); 216 goto out; 217 } 218 219 /* 220 * The following *_index functions are used to 221 * define the val_to_name and val_to_struct arrays 222 * in a policy database structure. The val_to_name 223 * arrays are used when converting security context 224 * structures into string representations. The 225 * val_to_struct arrays are used when the attributes 226 * of a class, role, or user are needed. 227 */ 228 229 static int common_index(void *key, void *datum, void *datap) 230 { 231 struct policydb *p; 232 struct common_datum *comdatum; 233 234 comdatum = datum; 235 p = datap; 236 if (!comdatum->value || comdatum->value > p->p_commons.nprim) 237 return -EINVAL; 238 p->p_common_val_to_name[comdatum->value - 1] = key; 239 return 0; 240 } 241 242 static int class_index(void *key, void *datum, void *datap) 243 { 244 struct policydb *p; 245 struct class_datum *cladatum; 246 247 cladatum = datum; 248 p = datap; 249 if (!cladatum->value || cladatum->value > p->p_classes.nprim) 250 return -EINVAL; 251 p->p_class_val_to_name[cladatum->value - 1] = key; 252 p->class_val_to_struct[cladatum->value - 1] = cladatum; 253 return 0; 254 } 255 256 static int role_index(void *key, void *datum, void *datap) 257 { 258 struct policydb *p; 259 struct role_datum *role; 260 261 role = datum; 262 p = datap; 263 if (!role->value 264 || role->value > p->p_roles.nprim 265 || role->bounds > p->p_roles.nprim) 266 return -EINVAL; 267 p->p_role_val_to_name[role->value - 1] = key; 268 p->role_val_to_struct[role->value - 1] = role; 269 return 0; 270 } 271 272 static int type_index(void *key, void *datum, void *datap) 273 { 274 struct policydb *p; 275 struct type_datum *typdatum; 276 277 typdatum = datum; 278 p = datap; 279 280 if (typdatum->primary) { 281 if (!typdatum->value 282 || typdatum->value > p->p_types.nprim 283 || typdatum->bounds > p->p_types.nprim) 284 return -EINVAL; 285 p->p_type_val_to_name[typdatum->value - 1] = key; 286 p->type_val_to_struct[typdatum->value - 1] = typdatum; 287 } 288 289 return 0; 290 } 291 292 static int user_index(void *key, void *datum, void *datap) 293 { 294 struct policydb *p; 295 struct user_datum *usrdatum; 296 297 usrdatum = datum; 298 p = datap; 299 if (!usrdatum->value 300 || usrdatum->value > p->p_users.nprim 301 || usrdatum->bounds > p->p_users.nprim) 302 return -EINVAL; 303 p->p_user_val_to_name[usrdatum->value - 1] = key; 304 p->user_val_to_struct[usrdatum->value - 1] = usrdatum; 305 return 0; 306 } 307 308 static int sens_index(void *key, void *datum, void *datap) 309 { 310 struct policydb *p; 311 struct level_datum *levdatum; 312 313 levdatum = datum; 314 p = datap; 315 316 if (!levdatum->isalias) { 317 if (!levdatum->level->sens || 318 levdatum->level->sens > p->p_levels.nprim) 319 return -EINVAL; 320 p->p_sens_val_to_name[levdatum->level->sens - 1] = key; 321 } 322 323 return 0; 324 } 325 326 static int cat_index(void *key, void *datum, void *datap) 327 { 328 struct policydb *p; 329 struct cat_datum *catdatum; 330 331 catdatum = datum; 332 p = datap; 333 334 if (!catdatum->isalias) { 335 if (!catdatum->value || catdatum->value > p->p_cats.nprim) 336 return -EINVAL; 337 p->p_cat_val_to_name[catdatum->value - 1] = key; 338 } 339 340 return 0; 341 } 342 343 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) = 344 { 345 common_index, 346 class_index, 347 role_index, 348 type_index, 349 user_index, 350 cond_index_bool, 351 sens_index, 352 cat_index, 353 }; 354 355 /* 356 * Define the common val_to_name array and the class 357 * val_to_name and val_to_struct arrays in a policy 358 * database structure. 359 * 360 * Caller must clean up upon failure. 361 */ 362 static int policydb_index_classes(struct policydb *p) 363 { 364 int rc; 365 366 p->p_common_val_to_name = 367 kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL); 368 if (!p->p_common_val_to_name) { 369 rc = -ENOMEM; 370 goto out; 371 } 372 373 rc = hashtab_map(p->p_commons.table, common_index, p); 374 if (rc) 375 goto out; 376 377 p->class_val_to_struct = 378 kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL); 379 if (!p->class_val_to_struct) { 380 rc = -ENOMEM; 381 goto out; 382 } 383 384 p->p_class_val_to_name = 385 kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL); 386 if (!p->p_class_val_to_name) { 387 rc = -ENOMEM; 388 goto out; 389 } 390 391 rc = hashtab_map(p->p_classes.table, class_index, p); 392 out: 393 return rc; 394 } 395 396 #ifdef DEBUG_HASHES 397 static void symtab_hash_eval(struct symtab *s) 398 { 399 int i; 400 401 for (i = 0; i < SYM_NUM; i++) { 402 struct hashtab *h = s[i].table; 403 struct hashtab_info info; 404 405 hashtab_stat(h, &info); 406 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " 407 "longest chain length %d\n", symtab_name[i], h->nel, 408 info.slots_used, h->size, info.max_chain_len); 409 } 410 } 411 #endif 412 413 /* 414 * Define the other val_to_name and val_to_struct arrays 415 * in a policy database structure. 416 * 417 * Caller must clean up on failure. 418 */ 419 static int policydb_index_others(struct policydb *p) 420 { 421 int i, rc = 0; 422 423 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools", 424 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); 425 if (selinux_mls_enabled) 426 printk(", %d sens, %d cats", p->p_levels.nprim, 427 p->p_cats.nprim); 428 printk("\n"); 429 430 printk(KERN_DEBUG "SELinux: %d classes, %d rules\n", 431 p->p_classes.nprim, p->te_avtab.nel); 432 433 #ifdef DEBUG_HASHES 434 avtab_hash_eval(&p->te_avtab, "rules"); 435 symtab_hash_eval(p->symtab); 436 #endif 437 438 p->role_val_to_struct = 439 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 440 GFP_KERNEL); 441 if (!p->role_val_to_struct) { 442 rc = -ENOMEM; 443 goto out; 444 } 445 446 p->user_val_to_struct = 447 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 448 GFP_KERNEL); 449 if (!p->user_val_to_struct) { 450 rc = -ENOMEM; 451 goto out; 452 } 453 454 p->type_val_to_struct = 455 kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)), 456 GFP_KERNEL); 457 if (!p->type_val_to_struct) { 458 rc = -ENOMEM; 459 goto out; 460 } 461 462 if (cond_init_bool_indexes(p)) { 463 rc = -ENOMEM; 464 goto out; 465 } 466 467 for (i = SYM_ROLES; i < SYM_NUM; i++) { 468 p->sym_val_to_name[i] = 469 kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL); 470 if (!p->sym_val_to_name[i]) { 471 rc = -ENOMEM; 472 goto out; 473 } 474 rc = hashtab_map(p->symtab[i].table, index_f[i], p); 475 if (rc) 476 goto out; 477 } 478 479 out: 480 return rc; 481 } 482 483 /* 484 * The following *_destroy functions are used to 485 * free any memory allocated for each kind of 486 * symbol data in the policy database. 487 */ 488 489 static int perm_destroy(void *key, void *datum, void *p) 490 { 491 kfree(key); 492 kfree(datum); 493 return 0; 494 } 495 496 static int common_destroy(void *key, void *datum, void *p) 497 { 498 struct common_datum *comdatum; 499 500 kfree(key); 501 comdatum = datum; 502 hashtab_map(comdatum->permissions.table, perm_destroy, NULL); 503 hashtab_destroy(comdatum->permissions.table); 504 kfree(datum); 505 return 0; 506 } 507 508 static int cls_destroy(void *key, void *datum, void *p) 509 { 510 struct class_datum *cladatum; 511 struct constraint_node *constraint, *ctemp; 512 struct constraint_expr *e, *etmp; 513 514 kfree(key); 515 cladatum = datum; 516 hashtab_map(cladatum->permissions.table, perm_destroy, NULL); 517 hashtab_destroy(cladatum->permissions.table); 518 constraint = cladatum->constraints; 519 while (constraint) { 520 e = constraint->expr; 521 while (e) { 522 ebitmap_destroy(&e->names); 523 etmp = e; 524 e = e->next; 525 kfree(etmp); 526 } 527 ctemp = constraint; 528 constraint = constraint->next; 529 kfree(ctemp); 530 } 531 532 constraint = cladatum->validatetrans; 533 while (constraint) { 534 e = constraint->expr; 535 while (e) { 536 ebitmap_destroy(&e->names); 537 etmp = e; 538 e = e->next; 539 kfree(etmp); 540 } 541 ctemp = constraint; 542 constraint = constraint->next; 543 kfree(ctemp); 544 } 545 546 kfree(cladatum->comkey); 547 kfree(datum); 548 return 0; 549 } 550 551 static int role_destroy(void *key, void *datum, void *p) 552 { 553 struct role_datum *role; 554 555 kfree(key); 556 role = datum; 557 ebitmap_destroy(&role->dominates); 558 ebitmap_destroy(&role->types); 559 kfree(datum); 560 return 0; 561 } 562 563 static int type_destroy(void *key, void *datum, void *p) 564 { 565 kfree(key); 566 kfree(datum); 567 return 0; 568 } 569 570 static int user_destroy(void *key, void *datum, void *p) 571 { 572 struct user_datum *usrdatum; 573 574 kfree(key); 575 usrdatum = datum; 576 ebitmap_destroy(&usrdatum->roles); 577 ebitmap_destroy(&usrdatum->range.level[0].cat); 578 ebitmap_destroy(&usrdatum->range.level[1].cat); 579 ebitmap_destroy(&usrdatum->dfltlevel.cat); 580 kfree(datum); 581 return 0; 582 } 583 584 static int sens_destroy(void *key, void *datum, void *p) 585 { 586 struct level_datum *levdatum; 587 588 kfree(key); 589 levdatum = datum; 590 ebitmap_destroy(&levdatum->level->cat); 591 kfree(levdatum->level); 592 kfree(datum); 593 return 0; 594 } 595 596 static int cat_destroy(void *key, void *datum, void *p) 597 { 598 kfree(key); 599 kfree(datum); 600 return 0; 601 } 602 603 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = 604 { 605 common_destroy, 606 cls_destroy, 607 role_destroy, 608 type_destroy, 609 user_destroy, 610 cond_destroy_bool, 611 sens_destroy, 612 cat_destroy, 613 }; 614 615 static void ocontext_destroy(struct ocontext *c, int i) 616 { 617 context_destroy(&c->context[0]); 618 context_destroy(&c->context[1]); 619 if (i == OCON_ISID || i == OCON_FS || 620 i == OCON_NETIF || i == OCON_FSUSE) 621 kfree(c->u.name); 622 kfree(c); 623 } 624 625 /* 626 * Free any memory allocated by a policy database structure. 627 */ 628 void policydb_destroy(struct policydb *p) 629 { 630 struct ocontext *c, *ctmp; 631 struct genfs *g, *gtmp; 632 int i; 633 struct role_allow *ra, *lra = NULL; 634 struct role_trans *tr, *ltr = NULL; 635 struct range_trans *rt, *lrt = NULL; 636 637 for (i = 0; i < SYM_NUM; i++) { 638 cond_resched(); 639 hashtab_map(p->symtab[i].table, destroy_f[i], NULL); 640 hashtab_destroy(p->symtab[i].table); 641 } 642 643 for (i = 0; i < SYM_NUM; i++) 644 kfree(p->sym_val_to_name[i]); 645 646 kfree(p->class_val_to_struct); 647 kfree(p->role_val_to_struct); 648 kfree(p->user_val_to_struct); 649 kfree(p->type_val_to_struct); 650 651 avtab_destroy(&p->te_avtab); 652 653 for (i = 0; i < OCON_NUM; i++) { 654 cond_resched(); 655 c = p->ocontexts[i]; 656 while (c) { 657 ctmp = c; 658 c = c->next; 659 ocontext_destroy(ctmp, i); 660 } 661 p->ocontexts[i] = NULL; 662 } 663 664 g = p->genfs; 665 while (g) { 666 cond_resched(); 667 kfree(g->fstype); 668 c = g->head; 669 while (c) { 670 ctmp = c; 671 c = c->next; 672 ocontext_destroy(ctmp, OCON_FSUSE); 673 } 674 gtmp = g; 675 g = g->next; 676 kfree(gtmp); 677 } 678 p->genfs = NULL; 679 680 cond_policydb_destroy(p); 681 682 for (tr = p->role_tr; tr; tr = tr->next) { 683 cond_resched(); 684 kfree(ltr); 685 ltr = tr; 686 } 687 kfree(ltr); 688 689 for (ra = p->role_allow; ra; ra = ra->next) { 690 cond_resched(); 691 kfree(lra); 692 lra = ra; 693 } 694 kfree(lra); 695 696 for (rt = p->range_tr; rt; rt = rt->next) { 697 cond_resched(); 698 if (lrt) { 699 ebitmap_destroy(&lrt->target_range.level[0].cat); 700 ebitmap_destroy(&lrt->target_range.level[1].cat); 701 kfree(lrt); 702 } 703 lrt = rt; 704 } 705 if (lrt) { 706 ebitmap_destroy(&lrt->target_range.level[0].cat); 707 ebitmap_destroy(&lrt->target_range.level[1].cat); 708 kfree(lrt); 709 } 710 711 if (p->type_attr_map) { 712 for (i = 0; i < p->p_types.nprim; i++) 713 ebitmap_destroy(&p->type_attr_map[i]); 714 } 715 kfree(p->type_attr_map); 716 kfree(p->undefined_perms); 717 ebitmap_destroy(&p->policycaps); 718 ebitmap_destroy(&p->permissive_map); 719 720 return; 721 } 722 723 /* 724 * Load the initial SIDs specified in a policy database 725 * structure into a SID table. 726 */ 727 int policydb_load_isids(struct policydb *p, struct sidtab *s) 728 { 729 struct ocontext *head, *c; 730 int rc; 731 732 rc = sidtab_init(s); 733 if (rc) { 734 printk(KERN_ERR "SELinux: out of memory on SID table init\n"); 735 goto out; 736 } 737 738 head = p->ocontexts[OCON_ISID]; 739 for (c = head; c; c = c->next) { 740 if (!c->context[0].user) { 741 printk(KERN_ERR "SELinux: SID %s was never " 742 "defined.\n", c->u.name); 743 rc = -EINVAL; 744 goto out; 745 } 746 if (sidtab_insert(s, c->sid[0], &c->context[0])) { 747 printk(KERN_ERR "SELinux: unable to load initial " 748 "SID %s.\n", c->u.name); 749 rc = -EINVAL; 750 goto out; 751 } 752 } 753 out: 754 return rc; 755 } 756 757 int policydb_class_isvalid(struct policydb *p, unsigned int class) 758 { 759 if (!class || class > p->p_classes.nprim) 760 return 0; 761 return 1; 762 } 763 764 int policydb_role_isvalid(struct policydb *p, unsigned int role) 765 { 766 if (!role || role > p->p_roles.nprim) 767 return 0; 768 return 1; 769 } 770 771 int policydb_type_isvalid(struct policydb *p, unsigned int type) 772 { 773 if (!type || type > p->p_types.nprim) 774 return 0; 775 return 1; 776 } 777 778 /* 779 * Return 1 if the fields in the security context 780 * structure `c' are valid. Return 0 otherwise. 781 */ 782 int policydb_context_isvalid(struct policydb *p, struct context *c) 783 { 784 struct role_datum *role; 785 struct user_datum *usrdatum; 786 787 if (!c->role || c->role > p->p_roles.nprim) 788 return 0; 789 790 if (!c->user || c->user > p->p_users.nprim) 791 return 0; 792 793 if (!c->type || c->type > p->p_types.nprim) 794 return 0; 795 796 if (c->role != OBJECT_R_VAL) { 797 /* 798 * Role must be authorized for the type. 799 */ 800 role = p->role_val_to_struct[c->role - 1]; 801 if (!ebitmap_get_bit(&role->types, 802 c->type - 1)) 803 /* role may not be associated with type */ 804 return 0; 805 806 /* 807 * User must be authorized for the role. 808 */ 809 usrdatum = p->user_val_to_struct[c->user - 1]; 810 if (!usrdatum) 811 return 0; 812 813 if (!ebitmap_get_bit(&usrdatum->roles, 814 c->role - 1)) 815 /* user may not be associated with role */ 816 return 0; 817 } 818 819 if (!mls_context_isvalid(p, c)) 820 return 0; 821 822 return 1; 823 } 824 825 /* 826 * Read a MLS range structure from a policydb binary 827 * representation file. 828 */ 829 static int mls_read_range_helper(struct mls_range *r, void *fp) 830 { 831 __le32 buf[2]; 832 u32 items; 833 int rc; 834 835 rc = next_entry(buf, fp, sizeof(u32)); 836 if (rc < 0) 837 goto out; 838 839 items = le32_to_cpu(buf[0]); 840 if (items > ARRAY_SIZE(buf)) { 841 printk(KERN_ERR "SELinux: mls: range overflow\n"); 842 rc = -EINVAL; 843 goto out; 844 } 845 rc = next_entry(buf, fp, sizeof(u32) * items); 846 if (rc < 0) { 847 printk(KERN_ERR "SELinux: mls: truncated range\n"); 848 goto out; 849 } 850 r->level[0].sens = le32_to_cpu(buf[0]); 851 if (items > 1) 852 r->level[1].sens = le32_to_cpu(buf[1]); 853 else 854 r->level[1].sens = r->level[0].sens; 855 856 rc = ebitmap_read(&r->level[0].cat, fp); 857 if (rc) { 858 printk(KERN_ERR "SELinux: mls: error reading low " 859 "categories\n"); 860 goto out; 861 } 862 if (items > 1) { 863 rc = ebitmap_read(&r->level[1].cat, fp); 864 if (rc) { 865 printk(KERN_ERR "SELinux: mls: error reading high " 866 "categories\n"); 867 goto bad_high; 868 } 869 } else { 870 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat); 871 if (rc) { 872 printk(KERN_ERR "SELinux: mls: out of memory\n"); 873 goto bad_high; 874 } 875 } 876 877 rc = 0; 878 out: 879 return rc; 880 bad_high: 881 ebitmap_destroy(&r->level[0].cat); 882 goto out; 883 } 884 885 /* 886 * Read and validate a security context structure 887 * from a policydb binary representation file. 888 */ 889 static int context_read_and_validate(struct context *c, 890 struct policydb *p, 891 void *fp) 892 { 893 __le32 buf[3]; 894 int rc; 895 896 rc = next_entry(buf, fp, sizeof buf); 897 if (rc < 0) { 898 printk(KERN_ERR "SELinux: context truncated\n"); 899 goto out; 900 } 901 c->user = le32_to_cpu(buf[0]); 902 c->role = le32_to_cpu(buf[1]); 903 c->type = le32_to_cpu(buf[2]); 904 if (p->policyvers >= POLICYDB_VERSION_MLS) { 905 if (mls_read_range_helper(&c->range, fp)) { 906 printk(KERN_ERR "SELinux: error reading MLS range of " 907 "context\n"); 908 rc = -EINVAL; 909 goto out; 910 } 911 } 912 913 if (!policydb_context_isvalid(p, c)) { 914 printk(KERN_ERR "SELinux: invalid security context\n"); 915 context_destroy(c); 916 rc = -EINVAL; 917 } 918 out: 919 return rc; 920 } 921 922 /* 923 * The following *_read functions are used to 924 * read the symbol data from a policy database 925 * binary representation file. 926 */ 927 928 static int perm_read(struct policydb *p, struct hashtab *h, void *fp) 929 { 930 char *key = NULL; 931 struct perm_datum *perdatum; 932 int rc; 933 __le32 buf[2]; 934 u32 len; 935 936 perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); 937 if (!perdatum) { 938 rc = -ENOMEM; 939 goto out; 940 } 941 942 rc = next_entry(buf, fp, sizeof buf); 943 if (rc < 0) 944 goto bad; 945 946 len = le32_to_cpu(buf[0]); 947 perdatum->value = le32_to_cpu(buf[1]); 948 949 key = kmalloc(len + 1, GFP_KERNEL); 950 if (!key) { 951 rc = -ENOMEM; 952 goto bad; 953 } 954 rc = next_entry(key, fp, len); 955 if (rc < 0) 956 goto bad; 957 key[len] = '\0'; 958 959 rc = hashtab_insert(h, key, perdatum); 960 if (rc) 961 goto bad; 962 out: 963 return rc; 964 bad: 965 perm_destroy(key, perdatum, NULL); 966 goto out; 967 } 968 969 static int common_read(struct policydb *p, struct hashtab *h, void *fp) 970 { 971 char *key = NULL; 972 struct common_datum *comdatum; 973 __le32 buf[4]; 974 u32 len, nel; 975 int i, rc; 976 977 comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); 978 if (!comdatum) { 979 rc = -ENOMEM; 980 goto out; 981 } 982 983 rc = next_entry(buf, fp, sizeof buf); 984 if (rc < 0) 985 goto bad; 986 987 len = le32_to_cpu(buf[0]); 988 comdatum->value = le32_to_cpu(buf[1]); 989 990 rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); 991 if (rc) 992 goto bad; 993 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 994 nel = le32_to_cpu(buf[3]); 995 996 key = kmalloc(len + 1, GFP_KERNEL); 997 if (!key) { 998 rc = -ENOMEM; 999 goto bad; 1000 } 1001 rc = next_entry(key, fp, len); 1002 if (rc < 0) 1003 goto bad; 1004 key[len] = '\0'; 1005 1006 for (i = 0; i < nel; i++) { 1007 rc = perm_read(p, comdatum->permissions.table, fp); 1008 if (rc) 1009 goto bad; 1010 } 1011 1012 rc = hashtab_insert(h, key, comdatum); 1013 if (rc) 1014 goto bad; 1015 out: 1016 return rc; 1017 bad: 1018 common_destroy(key, comdatum, NULL); 1019 goto out; 1020 } 1021 1022 static int read_cons_helper(struct constraint_node **nodep, int ncons, 1023 int allowxtarget, void *fp) 1024 { 1025 struct constraint_node *c, *lc; 1026 struct constraint_expr *e, *le; 1027 __le32 buf[3]; 1028 u32 nexpr; 1029 int rc, i, j, depth; 1030 1031 lc = NULL; 1032 for (i = 0; i < ncons; i++) { 1033 c = kzalloc(sizeof(*c), GFP_KERNEL); 1034 if (!c) 1035 return -ENOMEM; 1036 1037 if (lc) 1038 lc->next = c; 1039 else 1040 *nodep = c; 1041 1042 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1043 if (rc < 0) 1044 return rc; 1045 c->permissions = le32_to_cpu(buf[0]); 1046 nexpr = le32_to_cpu(buf[1]); 1047 le = NULL; 1048 depth = -1; 1049 for (j = 0; j < nexpr; j++) { 1050 e = kzalloc(sizeof(*e), GFP_KERNEL); 1051 if (!e) 1052 return -ENOMEM; 1053 1054 if (le) 1055 le->next = e; 1056 else 1057 c->expr = e; 1058 1059 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1060 if (rc < 0) 1061 return rc; 1062 e->expr_type = le32_to_cpu(buf[0]); 1063 e->attr = le32_to_cpu(buf[1]); 1064 e->op = le32_to_cpu(buf[2]); 1065 1066 switch (e->expr_type) { 1067 case CEXPR_NOT: 1068 if (depth < 0) 1069 return -EINVAL; 1070 break; 1071 case CEXPR_AND: 1072 case CEXPR_OR: 1073 if (depth < 1) 1074 return -EINVAL; 1075 depth--; 1076 break; 1077 case CEXPR_ATTR: 1078 if (depth == (CEXPR_MAXDEPTH - 1)) 1079 return -EINVAL; 1080 depth++; 1081 break; 1082 case CEXPR_NAMES: 1083 if (!allowxtarget && (e->attr & CEXPR_XTARGET)) 1084 return -EINVAL; 1085 if (depth == (CEXPR_MAXDEPTH - 1)) 1086 return -EINVAL; 1087 depth++; 1088 if (ebitmap_read(&e->names, fp)) 1089 return -EINVAL; 1090 break; 1091 default: 1092 return -EINVAL; 1093 } 1094 le = e; 1095 } 1096 if (depth != 0) 1097 return -EINVAL; 1098 lc = c; 1099 } 1100 1101 return 0; 1102 } 1103 1104 static int class_read(struct policydb *p, struct hashtab *h, void *fp) 1105 { 1106 char *key = NULL; 1107 struct class_datum *cladatum; 1108 __le32 buf[6]; 1109 u32 len, len2, ncons, nel; 1110 int i, rc; 1111 1112 cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); 1113 if (!cladatum) { 1114 rc = -ENOMEM; 1115 goto out; 1116 } 1117 1118 rc = next_entry(buf, fp, sizeof(u32)*6); 1119 if (rc < 0) 1120 goto bad; 1121 1122 len = le32_to_cpu(buf[0]); 1123 len2 = le32_to_cpu(buf[1]); 1124 cladatum->value = le32_to_cpu(buf[2]); 1125 1126 rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE); 1127 if (rc) 1128 goto bad; 1129 cladatum->permissions.nprim = le32_to_cpu(buf[3]); 1130 nel = le32_to_cpu(buf[4]); 1131 1132 ncons = le32_to_cpu(buf[5]); 1133 1134 key = kmalloc(len + 1, GFP_KERNEL); 1135 if (!key) { 1136 rc = -ENOMEM; 1137 goto bad; 1138 } 1139 rc = next_entry(key, fp, len); 1140 if (rc < 0) 1141 goto bad; 1142 key[len] = '\0'; 1143 1144 if (len2) { 1145 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); 1146 if (!cladatum->comkey) { 1147 rc = -ENOMEM; 1148 goto bad; 1149 } 1150 rc = next_entry(cladatum->comkey, fp, len2); 1151 if (rc < 0) 1152 goto bad; 1153 cladatum->comkey[len2] = '\0'; 1154 1155 cladatum->comdatum = hashtab_search(p->p_commons.table, 1156 cladatum->comkey); 1157 if (!cladatum->comdatum) { 1158 printk(KERN_ERR "SELinux: unknown common %s\n", 1159 cladatum->comkey); 1160 rc = -EINVAL; 1161 goto bad; 1162 } 1163 } 1164 for (i = 0; i < nel; i++) { 1165 rc = perm_read(p, cladatum->permissions.table, fp); 1166 if (rc) 1167 goto bad; 1168 } 1169 1170 rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp); 1171 if (rc) 1172 goto bad; 1173 1174 if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) { 1175 /* grab the validatetrans rules */ 1176 rc = next_entry(buf, fp, sizeof(u32)); 1177 if (rc < 0) 1178 goto bad; 1179 ncons = le32_to_cpu(buf[0]); 1180 rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp); 1181 if (rc) 1182 goto bad; 1183 } 1184 1185 rc = hashtab_insert(h, key, cladatum); 1186 if (rc) 1187 goto bad; 1188 1189 rc = 0; 1190 out: 1191 return rc; 1192 bad: 1193 cls_destroy(key, cladatum, NULL); 1194 goto out; 1195 } 1196 1197 static int role_read(struct policydb *p, struct hashtab *h, void *fp) 1198 { 1199 char *key = NULL; 1200 struct role_datum *role; 1201 int rc, to_read = 2; 1202 __le32 buf[3]; 1203 u32 len; 1204 1205 role = kzalloc(sizeof(*role), GFP_KERNEL); 1206 if (!role) { 1207 rc = -ENOMEM; 1208 goto out; 1209 } 1210 1211 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1212 to_read = 3; 1213 1214 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1215 if (rc < 0) 1216 goto bad; 1217 1218 len = le32_to_cpu(buf[0]); 1219 role->value = le32_to_cpu(buf[1]); 1220 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1221 role->bounds = le32_to_cpu(buf[2]); 1222 1223 key = kmalloc(len + 1, GFP_KERNEL); 1224 if (!key) { 1225 rc = -ENOMEM; 1226 goto bad; 1227 } 1228 rc = next_entry(key, fp, len); 1229 if (rc < 0) 1230 goto bad; 1231 key[len] = '\0'; 1232 1233 rc = ebitmap_read(&role->dominates, fp); 1234 if (rc) 1235 goto bad; 1236 1237 rc = ebitmap_read(&role->types, fp); 1238 if (rc) 1239 goto bad; 1240 1241 if (strcmp(key, OBJECT_R) == 0) { 1242 if (role->value != OBJECT_R_VAL) { 1243 printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", 1244 OBJECT_R, role->value); 1245 rc = -EINVAL; 1246 goto bad; 1247 } 1248 rc = 0; 1249 goto bad; 1250 } 1251 1252 rc = hashtab_insert(h, key, role); 1253 if (rc) 1254 goto bad; 1255 out: 1256 return rc; 1257 bad: 1258 role_destroy(key, role, NULL); 1259 goto out; 1260 } 1261 1262 static int type_read(struct policydb *p, struct hashtab *h, void *fp) 1263 { 1264 char *key = NULL; 1265 struct type_datum *typdatum; 1266 int rc, to_read = 3; 1267 __le32 buf[4]; 1268 u32 len; 1269 1270 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); 1271 if (!typdatum) { 1272 rc = -ENOMEM; 1273 return rc; 1274 } 1275 1276 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1277 to_read = 4; 1278 1279 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1280 if (rc < 0) 1281 goto bad; 1282 1283 len = le32_to_cpu(buf[0]); 1284 typdatum->value = le32_to_cpu(buf[1]); 1285 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) { 1286 u32 prop = le32_to_cpu(buf[2]); 1287 1288 if (prop & TYPEDATUM_PROPERTY_PRIMARY) 1289 typdatum->primary = 1; 1290 if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE) 1291 typdatum->attribute = 1; 1292 1293 typdatum->bounds = le32_to_cpu(buf[3]); 1294 } else { 1295 typdatum->primary = le32_to_cpu(buf[2]); 1296 } 1297 1298 key = kmalloc(len + 1, GFP_KERNEL); 1299 if (!key) { 1300 rc = -ENOMEM; 1301 goto bad; 1302 } 1303 rc = next_entry(key, fp, len); 1304 if (rc < 0) 1305 goto bad; 1306 key[len] = '\0'; 1307 1308 rc = hashtab_insert(h, key, typdatum); 1309 if (rc) 1310 goto bad; 1311 out: 1312 return rc; 1313 bad: 1314 type_destroy(key, typdatum, NULL); 1315 goto out; 1316 } 1317 1318 1319 /* 1320 * Read a MLS level structure from a policydb binary 1321 * representation file. 1322 */ 1323 static int mls_read_level(struct mls_level *lp, void *fp) 1324 { 1325 __le32 buf[1]; 1326 int rc; 1327 1328 memset(lp, 0, sizeof(*lp)); 1329 1330 rc = next_entry(buf, fp, sizeof buf); 1331 if (rc < 0) { 1332 printk(KERN_ERR "SELinux: mls: truncated level\n"); 1333 goto bad; 1334 } 1335 lp->sens = le32_to_cpu(buf[0]); 1336 1337 if (ebitmap_read(&lp->cat, fp)) { 1338 printk(KERN_ERR "SELinux: mls: error reading level " 1339 "categories\n"); 1340 goto bad; 1341 } 1342 1343 return 0; 1344 1345 bad: 1346 return -EINVAL; 1347 } 1348 1349 static int user_read(struct policydb *p, struct hashtab *h, void *fp) 1350 { 1351 char *key = NULL; 1352 struct user_datum *usrdatum; 1353 int rc, to_read = 2; 1354 __le32 buf[3]; 1355 u32 len; 1356 1357 usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); 1358 if (!usrdatum) { 1359 rc = -ENOMEM; 1360 goto out; 1361 } 1362 1363 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1364 to_read = 3; 1365 1366 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1367 if (rc < 0) 1368 goto bad; 1369 1370 len = le32_to_cpu(buf[0]); 1371 usrdatum->value = le32_to_cpu(buf[1]); 1372 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1373 usrdatum->bounds = le32_to_cpu(buf[2]); 1374 1375 key = kmalloc(len + 1, GFP_KERNEL); 1376 if (!key) { 1377 rc = -ENOMEM; 1378 goto bad; 1379 } 1380 rc = next_entry(key, fp, len); 1381 if (rc < 0) 1382 goto bad; 1383 key[len] = '\0'; 1384 1385 rc = ebitmap_read(&usrdatum->roles, fp); 1386 if (rc) 1387 goto bad; 1388 1389 if (p->policyvers >= POLICYDB_VERSION_MLS) { 1390 rc = mls_read_range_helper(&usrdatum->range, fp); 1391 if (rc) 1392 goto bad; 1393 rc = mls_read_level(&usrdatum->dfltlevel, fp); 1394 if (rc) 1395 goto bad; 1396 } 1397 1398 rc = hashtab_insert(h, key, usrdatum); 1399 if (rc) 1400 goto bad; 1401 out: 1402 return rc; 1403 bad: 1404 user_destroy(key, usrdatum, NULL); 1405 goto out; 1406 } 1407 1408 static int sens_read(struct policydb *p, struct hashtab *h, void *fp) 1409 { 1410 char *key = NULL; 1411 struct level_datum *levdatum; 1412 int rc; 1413 __le32 buf[2]; 1414 u32 len; 1415 1416 levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); 1417 if (!levdatum) { 1418 rc = -ENOMEM; 1419 goto out; 1420 } 1421 1422 rc = next_entry(buf, fp, sizeof buf); 1423 if (rc < 0) 1424 goto bad; 1425 1426 len = le32_to_cpu(buf[0]); 1427 levdatum->isalias = le32_to_cpu(buf[1]); 1428 1429 key = kmalloc(len + 1, GFP_ATOMIC); 1430 if (!key) { 1431 rc = -ENOMEM; 1432 goto bad; 1433 } 1434 rc = next_entry(key, fp, len); 1435 if (rc < 0) 1436 goto bad; 1437 key[len] = '\0'; 1438 1439 levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); 1440 if (!levdatum->level) { 1441 rc = -ENOMEM; 1442 goto bad; 1443 } 1444 if (mls_read_level(levdatum->level, fp)) { 1445 rc = -EINVAL; 1446 goto bad; 1447 } 1448 1449 rc = hashtab_insert(h, key, levdatum); 1450 if (rc) 1451 goto bad; 1452 out: 1453 return rc; 1454 bad: 1455 sens_destroy(key, levdatum, NULL); 1456 goto out; 1457 } 1458 1459 static int cat_read(struct policydb *p, struct hashtab *h, void *fp) 1460 { 1461 char *key = NULL; 1462 struct cat_datum *catdatum; 1463 int rc; 1464 __le32 buf[3]; 1465 u32 len; 1466 1467 catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); 1468 if (!catdatum) { 1469 rc = -ENOMEM; 1470 goto out; 1471 } 1472 1473 rc = next_entry(buf, fp, sizeof buf); 1474 if (rc < 0) 1475 goto bad; 1476 1477 len = le32_to_cpu(buf[0]); 1478 catdatum->value = le32_to_cpu(buf[1]); 1479 catdatum->isalias = le32_to_cpu(buf[2]); 1480 1481 key = kmalloc(len + 1, GFP_ATOMIC); 1482 if (!key) { 1483 rc = -ENOMEM; 1484 goto bad; 1485 } 1486 rc = next_entry(key, fp, len); 1487 if (rc < 0) 1488 goto bad; 1489 key[len] = '\0'; 1490 1491 rc = hashtab_insert(h, key, catdatum); 1492 if (rc) 1493 goto bad; 1494 out: 1495 return rc; 1496 1497 bad: 1498 cat_destroy(key, catdatum, NULL); 1499 goto out; 1500 } 1501 1502 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) = 1503 { 1504 common_read, 1505 class_read, 1506 role_read, 1507 type_read, 1508 user_read, 1509 cond_read_bool, 1510 sens_read, 1511 cat_read, 1512 }; 1513 1514 static int user_bounds_sanity_check(void *key, void *datum, void *datap) 1515 { 1516 struct user_datum *upper, *user; 1517 struct policydb *p = datap; 1518 int depth = 0; 1519 1520 upper = user = datum; 1521 while (upper->bounds) { 1522 struct ebitmap_node *node; 1523 unsigned long bit; 1524 1525 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1526 printk(KERN_ERR "SELinux: user %s: " 1527 "too deep or looped boundary", 1528 (char *) key); 1529 return -EINVAL; 1530 } 1531 1532 upper = p->user_val_to_struct[upper->bounds - 1]; 1533 ebitmap_for_each_positive_bit(&user->roles, node, bit) { 1534 if (ebitmap_get_bit(&upper->roles, bit)) 1535 continue; 1536 1537 printk(KERN_ERR 1538 "SELinux: boundary violated policy: " 1539 "user=%s role=%s bounds=%s\n", 1540 p->p_user_val_to_name[user->value - 1], 1541 p->p_role_val_to_name[bit], 1542 p->p_user_val_to_name[upper->value - 1]); 1543 1544 return -EINVAL; 1545 } 1546 } 1547 1548 return 0; 1549 } 1550 1551 static int role_bounds_sanity_check(void *key, void *datum, void *datap) 1552 { 1553 struct role_datum *upper, *role; 1554 struct policydb *p = datap; 1555 int depth = 0; 1556 1557 upper = role = datum; 1558 while (upper->bounds) { 1559 struct ebitmap_node *node; 1560 unsigned long bit; 1561 1562 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1563 printk(KERN_ERR "SELinux: role %s: " 1564 "too deep or looped bounds\n", 1565 (char *) key); 1566 return -EINVAL; 1567 } 1568 1569 upper = p->role_val_to_struct[upper->bounds - 1]; 1570 ebitmap_for_each_positive_bit(&role->types, node, bit) { 1571 if (ebitmap_get_bit(&upper->types, bit)) 1572 continue; 1573 1574 printk(KERN_ERR 1575 "SELinux: boundary violated policy: " 1576 "role=%s type=%s bounds=%s\n", 1577 p->p_role_val_to_name[role->value - 1], 1578 p->p_type_val_to_name[bit], 1579 p->p_role_val_to_name[upper->value - 1]); 1580 1581 return -EINVAL; 1582 } 1583 } 1584 1585 return 0; 1586 } 1587 1588 static int type_bounds_sanity_check(void *key, void *datum, void *datap) 1589 { 1590 struct type_datum *upper, *type; 1591 struct policydb *p = datap; 1592 int depth = 0; 1593 1594 upper = type = datum; 1595 while (upper->bounds) { 1596 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1597 printk(KERN_ERR "SELinux: type %s: " 1598 "too deep or looped boundary\n", 1599 (char *) key); 1600 return -EINVAL; 1601 } 1602 1603 upper = p->type_val_to_struct[upper->bounds - 1]; 1604 if (upper->attribute) { 1605 printk(KERN_ERR "SELinux: type %s: " 1606 "bounded by attribute %s", 1607 (char *) key, 1608 p->p_type_val_to_name[upper->value - 1]); 1609 return -EINVAL; 1610 } 1611 } 1612 1613 return 0; 1614 } 1615 1616 static int policydb_bounds_sanity_check(struct policydb *p) 1617 { 1618 int rc; 1619 1620 if (p->policyvers < POLICYDB_VERSION_BOUNDARY) 1621 return 0; 1622 1623 rc = hashtab_map(p->p_users.table, 1624 user_bounds_sanity_check, p); 1625 if (rc) 1626 return rc; 1627 1628 rc = hashtab_map(p->p_roles.table, 1629 role_bounds_sanity_check, p); 1630 if (rc) 1631 return rc; 1632 1633 rc = hashtab_map(p->p_types.table, 1634 type_bounds_sanity_check, p); 1635 if (rc) 1636 return rc; 1637 1638 return 0; 1639 } 1640 1641 extern int ss_initialized; 1642 1643 /* 1644 * Read the configuration data from a policy database binary 1645 * representation file into a policy database structure. 1646 */ 1647 int policydb_read(struct policydb *p, void *fp) 1648 { 1649 struct role_allow *ra, *lra; 1650 struct role_trans *tr, *ltr; 1651 struct ocontext *l, *c, *newc; 1652 struct genfs *genfs_p, *genfs, *newgenfs; 1653 int i, j, rc; 1654 __le32 buf[4]; 1655 u32 nodebuf[8]; 1656 u32 len, len2, config, nprim, nel, nel2; 1657 char *policydb_str; 1658 struct policydb_compat_info *info; 1659 struct range_trans *rt, *lrt; 1660 1661 config = 0; 1662 1663 rc = policydb_init(p); 1664 if (rc) 1665 goto out; 1666 1667 /* Read the magic number and string length. */ 1668 rc = next_entry(buf, fp, sizeof(u32) * 2); 1669 if (rc < 0) 1670 goto bad; 1671 1672 if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) { 1673 printk(KERN_ERR "SELinux: policydb magic number 0x%x does " 1674 "not match expected magic number 0x%x\n", 1675 le32_to_cpu(buf[0]), POLICYDB_MAGIC); 1676 goto bad; 1677 } 1678 1679 len = le32_to_cpu(buf[1]); 1680 if (len != strlen(POLICYDB_STRING)) { 1681 printk(KERN_ERR "SELinux: policydb string length %d does not " 1682 "match expected length %Zu\n", 1683 len, strlen(POLICYDB_STRING)); 1684 goto bad; 1685 } 1686 policydb_str = kmalloc(len + 1, GFP_KERNEL); 1687 if (!policydb_str) { 1688 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 1689 "string of length %d\n", len); 1690 rc = -ENOMEM; 1691 goto bad; 1692 } 1693 rc = next_entry(policydb_str, fp, len); 1694 if (rc < 0) { 1695 printk(KERN_ERR "SELinux: truncated policydb string identifier\n"); 1696 kfree(policydb_str); 1697 goto bad; 1698 } 1699 policydb_str[len] = '\0'; 1700 if (strcmp(policydb_str, POLICYDB_STRING)) { 1701 printk(KERN_ERR "SELinux: policydb string %s does not match " 1702 "my string %s\n", policydb_str, POLICYDB_STRING); 1703 kfree(policydb_str); 1704 goto bad; 1705 } 1706 /* Done with policydb_str. */ 1707 kfree(policydb_str); 1708 policydb_str = NULL; 1709 1710 /* Read the version, config, and table sizes. */ 1711 rc = next_entry(buf, fp, sizeof(u32)*4); 1712 if (rc < 0) 1713 goto bad; 1714 1715 p->policyvers = le32_to_cpu(buf[0]); 1716 if (p->policyvers < POLICYDB_VERSION_MIN || 1717 p->policyvers > POLICYDB_VERSION_MAX) { 1718 printk(KERN_ERR "SELinux: policydb version %d does not match " 1719 "my version range %d-%d\n", 1720 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1721 goto bad; 1722 } 1723 1724 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1725 if (ss_initialized && !selinux_mls_enabled) { 1726 printk(KERN_ERR "SELinux: Cannot switch between non-MLS" 1727 " and MLS policies\n"); 1728 goto bad; 1729 } 1730 selinux_mls_enabled = 1; 1731 config |= POLICYDB_CONFIG_MLS; 1732 1733 if (p->policyvers < POLICYDB_VERSION_MLS) { 1734 printk(KERN_ERR "SELinux: security policydb version %d " 1735 "(MLS) not backwards compatible\n", 1736 p->policyvers); 1737 goto bad; 1738 } 1739 } else { 1740 if (ss_initialized && selinux_mls_enabled) { 1741 printk(KERN_ERR "SELinux: Cannot switch between MLS and" 1742 " non-MLS policies\n"); 1743 goto bad; 1744 } 1745 } 1746 p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN); 1747 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN); 1748 1749 if (p->policyvers >= POLICYDB_VERSION_POLCAP && 1750 ebitmap_read(&p->policycaps, fp) != 0) 1751 goto bad; 1752 1753 if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && 1754 ebitmap_read(&p->permissive_map, fp) != 0) 1755 goto bad; 1756 1757 info = policydb_lookup_compat(p->policyvers); 1758 if (!info) { 1759 printk(KERN_ERR "SELinux: unable to find policy compat info " 1760 "for version %d\n", p->policyvers); 1761 goto bad; 1762 } 1763 1764 if (le32_to_cpu(buf[2]) != info->sym_num || 1765 le32_to_cpu(buf[3]) != info->ocon_num) { 1766 printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do " 1767 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]), 1768 le32_to_cpu(buf[3]), 1769 info->sym_num, info->ocon_num); 1770 goto bad; 1771 } 1772 1773 for (i = 0; i < info->sym_num; i++) { 1774 rc = next_entry(buf, fp, sizeof(u32)*2); 1775 if (rc < 0) 1776 goto bad; 1777 nprim = le32_to_cpu(buf[0]); 1778 nel = le32_to_cpu(buf[1]); 1779 for (j = 0; j < nel; j++) { 1780 rc = read_f[i](p, p->symtab[i].table, fp); 1781 if (rc) 1782 goto bad; 1783 } 1784 1785 p->symtab[i].nprim = nprim; 1786 } 1787 1788 rc = avtab_read(&p->te_avtab, fp, p); 1789 if (rc) 1790 goto bad; 1791 1792 if (p->policyvers >= POLICYDB_VERSION_BOOL) { 1793 rc = cond_read_list(p, fp); 1794 if (rc) 1795 goto bad; 1796 } 1797 1798 rc = next_entry(buf, fp, sizeof(u32)); 1799 if (rc < 0) 1800 goto bad; 1801 nel = le32_to_cpu(buf[0]); 1802 ltr = NULL; 1803 for (i = 0; i < nel; i++) { 1804 tr = kzalloc(sizeof(*tr), GFP_KERNEL); 1805 if (!tr) { 1806 rc = -ENOMEM; 1807 goto bad; 1808 } 1809 if (ltr) 1810 ltr->next = tr; 1811 else 1812 p->role_tr = tr; 1813 rc = next_entry(buf, fp, sizeof(u32)*3); 1814 if (rc < 0) 1815 goto bad; 1816 tr->role = le32_to_cpu(buf[0]); 1817 tr->type = le32_to_cpu(buf[1]); 1818 tr->new_role = le32_to_cpu(buf[2]); 1819 if (!policydb_role_isvalid(p, tr->role) || 1820 !policydb_type_isvalid(p, tr->type) || 1821 !policydb_role_isvalid(p, tr->new_role)) { 1822 rc = -EINVAL; 1823 goto bad; 1824 } 1825 ltr = tr; 1826 } 1827 1828 rc = next_entry(buf, fp, sizeof(u32)); 1829 if (rc < 0) 1830 goto bad; 1831 nel = le32_to_cpu(buf[0]); 1832 lra = NULL; 1833 for (i = 0; i < nel; i++) { 1834 ra = kzalloc(sizeof(*ra), GFP_KERNEL); 1835 if (!ra) { 1836 rc = -ENOMEM; 1837 goto bad; 1838 } 1839 if (lra) 1840 lra->next = ra; 1841 else 1842 p->role_allow = ra; 1843 rc = next_entry(buf, fp, sizeof(u32)*2); 1844 if (rc < 0) 1845 goto bad; 1846 ra->role = le32_to_cpu(buf[0]); 1847 ra->new_role = le32_to_cpu(buf[1]); 1848 if (!policydb_role_isvalid(p, ra->role) || 1849 !policydb_role_isvalid(p, ra->new_role)) { 1850 rc = -EINVAL; 1851 goto bad; 1852 } 1853 lra = ra; 1854 } 1855 1856 rc = policydb_index_classes(p); 1857 if (rc) 1858 goto bad; 1859 1860 rc = policydb_index_others(p); 1861 if (rc) 1862 goto bad; 1863 1864 for (i = 0; i < info->ocon_num; i++) { 1865 rc = next_entry(buf, fp, sizeof(u32)); 1866 if (rc < 0) 1867 goto bad; 1868 nel = le32_to_cpu(buf[0]); 1869 l = NULL; 1870 for (j = 0; j < nel; j++) { 1871 c = kzalloc(sizeof(*c), GFP_KERNEL); 1872 if (!c) { 1873 rc = -ENOMEM; 1874 goto bad; 1875 } 1876 if (l) 1877 l->next = c; 1878 else 1879 p->ocontexts[i] = c; 1880 l = c; 1881 rc = -EINVAL; 1882 switch (i) { 1883 case OCON_ISID: 1884 rc = next_entry(buf, fp, sizeof(u32)); 1885 if (rc < 0) 1886 goto bad; 1887 c->sid[0] = le32_to_cpu(buf[0]); 1888 rc = context_read_and_validate(&c->context[0], p, fp); 1889 if (rc) 1890 goto bad; 1891 break; 1892 case OCON_FS: 1893 case OCON_NETIF: 1894 rc = next_entry(buf, fp, sizeof(u32)); 1895 if (rc < 0) 1896 goto bad; 1897 len = le32_to_cpu(buf[0]); 1898 c->u.name = kmalloc(len + 1, GFP_KERNEL); 1899 if (!c->u.name) { 1900 rc = -ENOMEM; 1901 goto bad; 1902 } 1903 rc = next_entry(c->u.name, fp, len); 1904 if (rc < 0) 1905 goto bad; 1906 c->u.name[len] = 0; 1907 rc = context_read_and_validate(&c->context[0], p, fp); 1908 if (rc) 1909 goto bad; 1910 rc = context_read_and_validate(&c->context[1], p, fp); 1911 if (rc) 1912 goto bad; 1913 break; 1914 case OCON_PORT: 1915 rc = next_entry(buf, fp, sizeof(u32)*3); 1916 if (rc < 0) 1917 goto bad; 1918 c->u.port.protocol = le32_to_cpu(buf[0]); 1919 c->u.port.low_port = le32_to_cpu(buf[1]); 1920 c->u.port.high_port = le32_to_cpu(buf[2]); 1921 rc = context_read_and_validate(&c->context[0], p, fp); 1922 if (rc) 1923 goto bad; 1924 break; 1925 case OCON_NODE: 1926 rc = next_entry(nodebuf, fp, sizeof(u32) * 2); 1927 if (rc < 0) 1928 goto bad; 1929 c->u.node.addr = nodebuf[0]; /* network order */ 1930 c->u.node.mask = nodebuf[1]; /* network order */ 1931 rc = context_read_and_validate(&c->context[0], p, fp); 1932 if (rc) 1933 goto bad; 1934 break; 1935 case OCON_FSUSE: 1936 rc = next_entry(buf, fp, sizeof(u32)*2); 1937 if (rc < 0) 1938 goto bad; 1939 c->v.behavior = le32_to_cpu(buf[0]); 1940 if (c->v.behavior > SECURITY_FS_USE_NONE) 1941 goto bad; 1942 len = le32_to_cpu(buf[1]); 1943 c->u.name = kmalloc(len + 1, GFP_KERNEL); 1944 if (!c->u.name) { 1945 rc = -ENOMEM; 1946 goto bad; 1947 } 1948 rc = next_entry(c->u.name, fp, len); 1949 if (rc < 0) 1950 goto bad; 1951 c->u.name[len] = 0; 1952 rc = context_read_and_validate(&c->context[0], p, fp); 1953 if (rc) 1954 goto bad; 1955 break; 1956 case OCON_NODE6: { 1957 int k; 1958 1959 rc = next_entry(nodebuf, fp, sizeof(u32) * 8); 1960 if (rc < 0) 1961 goto bad; 1962 for (k = 0; k < 4; k++) 1963 c->u.node6.addr[k] = nodebuf[k]; 1964 for (k = 0; k < 4; k++) 1965 c->u.node6.mask[k] = nodebuf[k+4]; 1966 if (context_read_and_validate(&c->context[0], p, fp)) 1967 goto bad; 1968 break; 1969 } 1970 } 1971 } 1972 } 1973 1974 rc = next_entry(buf, fp, sizeof(u32)); 1975 if (rc < 0) 1976 goto bad; 1977 nel = le32_to_cpu(buf[0]); 1978 genfs_p = NULL; 1979 rc = -EINVAL; 1980 for (i = 0; i < nel; i++) { 1981 rc = next_entry(buf, fp, sizeof(u32)); 1982 if (rc < 0) 1983 goto bad; 1984 len = le32_to_cpu(buf[0]); 1985 newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL); 1986 if (!newgenfs) { 1987 rc = -ENOMEM; 1988 goto bad; 1989 } 1990 1991 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); 1992 if (!newgenfs->fstype) { 1993 rc = -ENOMEM; 1994 kfree(newgenfs); 1995 goto bad; 1996 } 1997 rc = next_entry(newgenfs->fstype, fp, len); 1998 if (rc < 0) { 1999 kfree(newgenfs->fstype); 2000 kfree(newgenfs); 2001 goto bad; 2002 } 2003 newgenfs->fstype[len] = 0; 2004 for (genfs_p = NULL, genfs = p->genfs; genfs; 2005 genfs_p = genfs, genfs = genfs->next) { 2006 if (strcmp(newgenfs->fstype, genfs->fstype) == 0) { 2007 printk(KERN_ERR "SELinux: dup genfs " 2008 "fstype %s\n", newgenfs->fstype); 2009 kfree(newgenfs->fstype); 2010 kfree(newgenfs); 2011 goto bad; 2012 } 2013 if (strcmp(newgenfs->fstype, genfs->fstype) < 0) 2014 break; 2015 } 2016 newgenfs->next = genfs; 2017 if (genfs_p) 2018 genfs_p->next = newgenfs; 2019 else 2020 p->genfs = newgenfs; 2021 rc = next_entry(buf, fp, sizeof(u32)); 2022 if (rc < 0) 2023 goto bad; 2024 nel2 = le32_to_cpu(buf[0]); 2025 for (j = 0; j < nel2; j++) { 2026 rc = next_entry(buf, fp, sizeof(u32)); 2027 if (rc < 0) 2028 goto bad; 2029 len = le32_to_cpu(buf[0]); 2030 2031 newc = kzalloc(sizeof(*newc), GFP_KERNEL); 2032 if (!newc) { 2033 rc = -ENOMEM; 2034 goto bad; 2035 } 2036 2037 newc->u.name = kmalloc(len + 1, GFP_KERNEL); 2038 if (!newc->u.name) { 2039 rc = -ENOMEM; 2040 goto bad_newc; 2041 } 2042 rc = next_entry(newc->u.name, fp, len); 2043 if (rc < 0) 2044 goto bad_newc; 2045 newc->u.name[len] = 0; 2046 rc = next_entry(buf, fp, sizeof(u32)); 2047 if (rc < 0) 2048 goto bad_newc; 2049 newc->v.sclass = le32_to_cpu(buf[0]); 2050 if (context_read_and_validate(&newc->context[0], p, fp)) 2051 goto bad_newc; 2052 for (l = NULL, c = newgenfs->head; c; 2053 l = c, c = c->next) { 2054 if (!strcmp(newc->u.name, c->u.name) && 2055 (!c->v.sclass || !newc->v.sclass || 2056 newc->v.sclass == c->v.sclass)) { 2057 printk(KERN_ERR "SELinux: dup genfs " 2058 "entry (%s,%s)\n", 2059 newgenfs->fstype, c->u.name); 2060 goto bad_newc; 2061 } 2062 len = strlen(newc->u.name); 2063 len2 = strlen(c->u.name); 2064 if (len > len2) 2065 break; 2066 } 2067 2068 newc->next = c; 2069 if (l) 2070 l->next = newc; 2071 else 2072 newgenfs->head = newc; 2073 } 2074 } 2075 2076 if (p->policyvers >= POLICYDB_VERSION_MLS) { 2077 int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS; 2078 rc = next_entry(buf, fp, sizeof(u32)); 2079 if (rc < 0) 2080 goto bad; 2081 nel = le32_to_cpu(buf[0]); 2082 lrt = NULL; 2083 for (i = 0; i < nel; i++) { 2084 rt = kzalloc(sizeof(*rt), GFP_KERNEL); 2085 if (!rt) { 2086 rc = -ENOMEM; 2087 goto bad; 2088 } 2089 if (lrt) 2090 lrt->next = rt; 2091 else 2092 p->range_tr = rt; 2093 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 2094 if (rc < 0) 2095 goto bad; 2096 rt->source_type = le32_to_cpu(buf[0]); 2097 rt->target_type = le32_to_cpu(buf[1]); 2098 if (new_rangetr) { 2099 rc = next_entry(buf, fp, sizeof(u32)); 2100 if (rc < 0) 2101 goto bad; 2102 rt->target_class = le32_to_cpu(buf[0]); 2103 } else 2104 rt->target_class = SECCLASS_PROCESS; 2105 if (!policydb_type_isvalid(p, rt->source_type) || 2106 !policydb_type_isvalid(p, rt->target_type) || 2107 !policydb_class_isvalid(p, rt->target_class)) { 2108 rc = -EINVAL; 2109 goto bad; 2110 } 2111 rc = mls_read_range_helper(&rt->target_range, fp); 2112 if (rc) 2113 goto bad; 2114 if (!mls_range_isvalid(p, &rt->target_range)) { 2115 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n"); 2116 goto bad; 2117 } 2118 lrt = rt; 2119 } 2120 } 2121 2122 p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL); 2123 if (!p->type_attr_map) 2124 goto bad; 2125 2126 for (i = 0; i < p->p_types.nprim; i++) { 2127 ebitmap_init(&p->type_attr_map[i]); 2128 if (p->policyvers >= POLICYDB_VERSION_AVTAB) { 2129 if (ebitmap_read(&p->type_attr_map[i], fp)) 2130 goto bad; 2131 } 2132 /* add the type itself as the degenerate case */ 2133 if (ebitmap_set_bit(&p->type_attr_map[i], i, 1)) 2134 goto bad; 2135 } 2136 2137 rc = policydb_bounds_sanity_check(p); 2138 if (rc) 2139 goto bad; 2140 2141 rc = 0; 2142 out: 2143 return rc; 2144 bad_newc: 2145 ocontext_destroy(newc, OCON_FSUSE); 2146 bad: 2147 if (!rc) 2148 rc = -EINVAL; 2149 policydb_destroy(p); 2150 goto out; 2151 } 2152