1 /* 2 * Implementation of the policy database. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6 7 /* 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for the policy capability bitmap 19 * 20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 23 * This program is free software; you can redistribute it and/or modify 24 * it under the terms of the GNU General Public License as published by 25 * the Free Software Foundation, version 2. 26 */ 27 28 #include <linux/kernel.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/string.h> 32 #include <linux/errno.h> 33 #include <linux/audit.h> 34 #include "security.h" 35 36 #include "policydb.h" 37 #include "conditional.h" 38 #include "mls.h" 39 40 #define _DEBUG_HASHES 41 42 #ifdef DEBUG_HASHES 43 static char *symtab_name[SYM_NUM] = { 44 "common prefixes", 45 "classes", 46 "roles", 47 "types", 48 "users", 49 "bools", 50 "levels", 51 "categories", 52 }; 53 #endif 54 55 int selinux_mls_enabled; 56 57 static unsigned int symtab_sizes[SYM_NUM] = { 58 2, 59 32, 60 16, 61 512, 62 128, 63 16, 64 16, 65 16, 66 }; 67 68 struct policydb_compat_info { 69 int version; 70 int sym_num; 71 int ocon_num; 72 }; 73 74 /* These need to be updated if SYM_NUM or OCON_NUM changes */ 75 static struct policydb_compat_info policydb_compat[] = { 76 { 77 .version = POLICYDB_VERSION_BASE, 78 .sym_num = SYM_NUM - 3, 79 .ocon_num = OCON_NUM - 1, 80 }, 81 { 82 .version = POLICYDB_VERSION_BOOL, 83 .sym_num = SYM_NUM - 2, 84 .ocon_num = OCON_NUM - 1, 85 }, 86 { 87 .version = POLICYDB_VERSION_IPV6, 88 .sym_num = SYM_NUM - 2, 89 .ocon_num = OCON_NUM, 90 }, 91 { 92 .version = POLICYDB_VERSION_NLCLASS, 93 .sym_num = SYM_NUM - 2, 94 .ocon_num = OCON_NUM, 95 }, 96 { 97 .version = POLICYDB_VERSION_MLS, 98 .sym_num = SYM_NUM, 99 .ocon_num = OCON_NUM, 100 }, 101 { 102 .version = POLICYDB_VERSION_AVTAB, 103 .sym_num = SYM_NUM, 104 .ocon_num = OCON_NUM, 105 }, 106 { 107 .version = POLICYDB_VERSION_RANGETRANS, 108 .sym_num = SYM_NUM, 109 .ocon_num = OCON_NUM, 110 }, 111 { 112 .version = POLICYDB_VERSION_POLCAP, 113 .sym_num = SYM_NUM, 114 .ocon_num = OCON_NUM, 115 }, 116 { 117 .version = POLICYDB_VERSION_PERMISSIVE, 118 .sym_num = SYM_NUM, 119 .ocon_num = OCON_NUM, 120 }, 121 { 122 .version = POLICYDB_VERSION_BOUNDARY, 123 .sym_num = SYM_NUM, 124 .ocon_num = OCON_NUM, 125 }, 126 }; 127 128 static struct policydb_compat_info *policydb_lookup_compat(int version) 129 { 130 int i; 131 struct policydb_compat_info *info = NULL; 132 133 for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { 134 if (policydb_compat[i].version == version) { 135 info = &policydb_compat[i]; 136 break; 137 } 138 } 139 return info; 140 } 141 142 /* 143 * Initialize the role table. 144 */ 145 static int roles_init(struct policydb *p) 146 { 147 char *key = NULL; 148 int rc; 149 struct role_datum *role; 150 151 role = kzalloc(sizeof(*role), GFP_KERNEL); 152 if (!role) { 153 rc = -ENOMEM; 154 goto out; 155 } 156 role->value = ++p->p_roles.nprim; 157 if (role->value != OBJECT_R_VAL) { 158 rc = -EINVAL; 159 goto out_free_role; 160 } 161 key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL); 162 if (!key) { 163 rc = -ENOMEM; 164 goto out_free_role; 165 } 166 strcpy(key, OBJECT_R); 167 rc = hashtab_insert(p->p_roles.table, key, role); 168 if (rc) 169 goto out_free_key; 170 out: 171 return rc; 172 173 out_free_key: 174 kfree(key); 175 out_free_role: 176 kfree(role); 177 goto out; 178 } 179 180 /* 181 * Initialize a policy database structure. 182 */ 183 static int policydb_init(struct policydb *p) 184 { 185 int i, rc; 186 187 memset(p, 0, sizeof(*p)); 188 189 for (i = 0; i < SYM_NUM; i++) { 190 rc = symtab_init(&p->symtab[i], symtab_sizes[i]); 191 if (rc) 192 goto out_free_symtab; 193 } 194 195 rc = avtab_init(&p->te_avtab); 196 if (rc) 197 goto out_free_symtab; 198 199 rc = roles_init(p); 200 if (rc) 201 goto out_free_symtab; 202 203 rc = cond_policydb_init(p); 204 if (rc) 205 goto out_free_symtab; 206 207 ebitmap_init(&p->policycaps); 208 ebitmap_init(&p->permissive_map); 209 210 out: 211 return rc; 212 213 out_free_symtab: 214 for (i = 0; i < SYM_NUM; i++) 215 hashtab_destroy(p->symtab[i].table); 216 goto out; 217 } 218 219 /* 220 * The following *_index functions are used to 221 * define the val_to_name and val_to_struct arrays 222 * in a policy database structure. The val_to_name 223 * arrays are used when converting security context 224 * structures into string representations. The 225 * val_to_struct arrays are used when the attributes 226 * of a class, role, or user are needed. 227 */ 228 229 static int common_index(void *key, void *datum, void *datap) 230 { 231 struct policydb *p; 232 struct common_datum *comdatum; 233 234 comdatum = datum; 235 p = datap; 236 if (!comdatum->value || comdatum->value > p->p_commons.nprim) 237 return -EINVAL; 238 p->p_common_val_to_name[comdatum->value - 1] = key; 239 return 0; 240 } 241 242 static int class_index(void *key, void *datum, void *datap) 243 { 244 struct policydb *p; 245 struct class_datum *cladatum; 246 247 cladatum = datum; 248 p = datap; 249 if (!cladatum->value || cladatum->value > p->p_classes.nprim) 250 return -EINVAL; 251 p->p_class_val_to_name[cladatum->value - 1] = key; 252 p->class_val_to_struct[cladatum->value - 1] = cladatum; 253 return 0; 254 } 255 256 static int role_index(void *key, void *datum, void *datap) 257 { 258 struct policydb *p; 259 struct role_datum *role; 260 261 role = datum; 262 p = datap; 263 if (!role->value 264 || role->value > p->p_roles.nprim 265 || role->bounds > p->p_roles.nprim) 266 return -EINVAL; 267 p->p_role_val_to_name[role->value - 1] = key; 268 p->role_val_to_struct[role->value - 1] = role; 269 return 0; 270 } 271 272 static int type_index(void *key, void *datum, void *datap) 273 { 274 struct policydb *p; 275 struct type_datum *typdatum; 276 277 typdatum = datum; 278 p = datap; 279 280 if (typdatum->primary) { 281 if (!typdatum->value 282 || typdatum->value > p->p_types.nprim 283 || typdatum->bounds > p->p_types.nprim) 284 return -EINVAL; 285 p->p_type_val_to_name[typdatum->value - 1] = key; 286 p->type_val_to_struct[typdatum->value - 1] = typdatum; 287 } 288 289 return 0; 290 } 291 292 static int user_index(void *key, void *datum, void *datap) 293 { 294 struct policydb *p; 295 struct user_datum *usrdatum; 296 297 usrdatum = datum; 298 p = datap; 299 if (!usrdatum->value 300 || usrdatum->value > p->p_users.nprim 301 || usrdatum->bounds > p->p_users.nprim) 302 return -EINVAL; 303 p->p_user_val_to_name[usrdatum->value - 1] = key; 304 p->user_val_to_struct[usrdatum->value - 1] = usrdatum; 305 return 0; 306 } 307 308 static int sens_index(void *key, void *datum, void *datap) 309 { 310 struct policydb *p; 311 struct level_datum *levdatum; 312 313 levdatum = datum; 314 p = datap; 315 316 if (!levdatum->isalias) { 317 if (!levdatum->level->sens || 318 levdatum->level->sens > p->p_levels.nprim) 319 return -EINVAL; 320 p->p_sens_val_to_name[levdatum->level->sens - 1] = key; 321 } 322 323 return 0; 324 } 325 326 static int cat_index(void *key, void *datum, void *datap) 327 { 328 struct policydb *p; 329 struct cat_datum *catdatum; 330 331 catdatum = datum; 332 p = datap; 333 334 if (!catdatum->isalias) { 335 if (!catdatum->value || catdatum->value > p->p_cats.nprim) 336 return -EINVAL; 337 p->p_cat_val_to_name[catdatum->value - 1] = key; 338 } 339 340 return 0; 341 } 342 343 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) = 344 { 345 common_index, 346 class_index, 347 role_index, 348 type_index, 349 user_index, 350 cond_index_bool, 351 sens_index, 352 cat_index, 353 }; 354 355 /* 356 * Define the common val_to_name array and the class 357 * val_to_name and val_to_struct arrays in a policy 358 * database structure. 359 * 360 * Caller must clean up upon failure. 361 */ 362 static int policydb_index_classes(struct policydb *p) 363 { 364 int rc; 365 366 p->p_common_val_to_name = 367 kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL); 368 if (!p->p_common_val_to_name) { 369 rc = -ENOMEM; 370 goto out; 371 } 372 373 rc = hashtab_map(p->p_commons.table, common_index, p); 374 if (rc) 375 goto out; 376 377 p->class_val_to_struct = 378 kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL); 379 if (!p->class_val_to_struct) { 380 rc = -ENOMEM; 381 goto out; 382 } 383 384 p->p_class_val_to_name = 385 kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL); 386 if (!p->p_class_val_to_name) { 387 rc = -ENOMEM; 388 goto out; 389 } 390 391 rc = hashtab_map(p->p_classes.table, class_index, p); 392 out: 393 return rc; 394 } 395 396 #ifdef DEBUG_HASHES 397 static void symtab_hash_eval(struct symtab *s) 398 { 399 int i; 400 401 for (i = 0; i < SYM_NUM; i++) { 402 struct hashtab *h = s[i].table; 403 struct hashtab_info info; 404 405 hashtab_stat(h, &info); 406 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " 407 "longest chain length %d\n", symtab_name[i], h->nel, 408 info.slots_used, h->size, info.max_chain_len); 409 } 410 } 411 #endif 412 413 /* 414 * Define the other val_to_name and val_to_struct arrays 415 * in a policy database structure. 416 * 417 * Caller must clean up on failure. 418 */ 419 static int policydb_index_others(struct policydb *p) 420 { 421 int i, rc = 0; 422 423 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools", 424 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); 425 if (selinux_mls_enabled) 426 printk(", %d sens, %d cats", p->p_levels.nprim, 427 p->p_cats.nprim); 428 printk("\n"); 429 430 printk(KERN_DEBUG "SELinux: %d classes, %d rules\n", 431 p->p_classes.nprim, p->te_avtab.nel); 432 433 #ifdef DEBUG_HASHES 434 avtab_hash_eval(&p->te_avtab, "rules"); 435 symtab_hash_eval(p->symtab); 436 #endif 437 438 p->role_val_to_struct = 439 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 440 GFP_KERNEL); 441 if (!p->role_val_to_struct) { 442 rc = -ENOMEM; 443 goto out; 444 } 445 446 p->user_val_to_struct = 447 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 448 GFP_KERNEL); 449 if (!p->user_val_to_struct) { 450 rc = -ENOMEM; 451 goto out; 452 } 453 454 p->type_val_to_struct = 455 kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)), 456 GFP_KERNEL); 457 if (!p->type_val_to_struct) { 458 rc = -ENOMEM; 459 goto out; 460 } 461 462 if (cond_init_bool_indexes(p)) { 463 rc = -ENOMEM; 464 goto out; 465 } 466 467 for (i = SYM_ROLES; i < SYM_NUM; i++) { 468 p->sym_val_to_name[i] = 469 kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL); 470 if (!p->sym_val_to_name[i]) { 471 rc = -ENOMEM; 472 goto out; 473 } 474 rc = hashtab_map(p->symtab[i].table, index_f[i], p); 475 if (rc) 476 goto out; 477 } 478 479 out: 480 return rc; 481 } 482 483 /* 484 * The following *_destroy functions are used to 485 * free any memory allocated for each kind of 486 * symbol data in the policy database. 487 */ 488 489 static int perm_destroy(void *key, void *datum, void *p) 490 { 491 kfree(key); 492 kfree(datum); 493 return 0; 494 } 495 496 static int common_destroy(void *key, void *datum, void *p) 497 { 498 struct common_datum *comdatum; 499 500 kfree(key); 501 comdatum = datum; 502 hashtab_map(comdatum->permissions.table, perm_destroy, NULL); 503 hashtab_destroy(comdatum->permissions.table); 504 kfree(datum); 505 return 0; 506 } 507 508 static int cls_destroy(void *key, void *datum, void *p) 509 { 510 struct class_datum *cladatum; 511 struct constraint_node *constraint, *ctemp; 512 struct constraint_expr *e, *etmp; 513 514 kfree(key); 515 cladatum = datum; 516 hashtab_map(cladatum->permissions.table, perm_destroy, NULL); 517 hashtab_destroy(cladatum->permissions.table); 518 constraint = cladatum->constraints; 519 while (constraint) { 520 e = constraint->expr; 521 while (e) { 522 ebitmap_destroy(&e->names); 523 etmp = e; 524 e = e->next; 525 kfree(etmp); 526 } 527 ctemp = constraint; 528 constraint = constraint->next; 529 kfree(ctemp); 530 } 531 532 constraint = cladatum->validatetrans; 533 while (constraint) { 534 e = constraint->expr; 535 while (e) { 536 ebitmap_destroy(&e->names); 537 etmp = e; 538 e = e->next; 539 kfree(etmp); 540 } 541 ctemp = constraint; 542 constraint = constraint->next; 543 kfree(ctemp); 544 } 545 546 kfree(cladatum->comkey); 547 kfree(datum); 548 return 0; 549 } 550 551 static int role_destroy(void *key, void *datum, void *p) 552 { 553 struct role_datum *role; 554 555 kfree(key); 556 role = datum; 557 ebitmap_destroy(&role->dominates); 558 ebitmap_destroy(&role->types); 559 kfree(datum); 560 return 0; 561 } 562 563 static int type_destroy(void *key, void *datum, void *p) 564 { 565 kfree(key); 566 kfree(datum); 567 return 0; 568 } 569 570 static int user_destroy(void *key, void *datum, void *p) 571 { 572 struct user_datum *usrdatum; 573 574 kfree(key); 575 usrdatum = datum; 576 ebitmap_destroy(&usrdatum->roles); 577 ebitmap_destroy(&usrdatum->range.level[0].cat); 578 ebitmap_destroy(&usrdatum->range.level[1].cat); 579 ebitmap_destroy(&usrdatum->dfltlevel.cat); 580 kfree(datum); 581 return 0; 582 } 583 584 static int sens_destroy(void *key, void *datum, void *p) 585 { 586 struct level_datum *levdatum; 587 588 kfree(key); 589 levdatum = datum; 590 ebitmap_destroy(&levdatum->level->cat); 591 kfree(levdatum->level); 592 kfree(datum); 593 return 0; 594 } 595 596 static int cat_destroy(void *key, void *datum, void *p) 597 { 598 kfree(key); 599 kfree(datum); 600 return 0; 601 } 602 603 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = 604 { 605 common_destroy, 606 cls_destroy, 607 role_destroy, 608 type_destroy, 609 user_destroy, 610 cond_destroy_bool, 611 sens_destroy, 612 cat_destroy, 613 }; 614 615 static void ocontext_destroy(struct ocontext *c, int i) 616 { 617 context_destroy(&c->context[0]); 618 context_destroy(&c->context[1]); 619 if (i == OCON_ISID || i == OCON_FS || 620 i == OCON_NETIF || i == OCON_FSUSE) 621 kfree(c->u.name); 622 kfree(c); 623 } 624 625 /* 626 * Free any memory allocated by a policy database structure. 627 */ 628 void policydb_destroy(struct policydb *p) 629 { 630 struct ocontext *c, *ctmp; 631 struct genfs *g, *gtmp; 632 int i; 633 struct role_allow *ra, *lra = NULL; 634 struct role_trans *tr, *ltr = NULL; 635 struct range_trans *rt, *lrt = NULL; 636 637 for (i = 0; i < SYM_NUM; i++) { 638 cond_resched(); 639 hashtab_map(p->symtab[i].table, destroy_f[i], NULL); 640 hashtab_destroy(p->symtab[i].table); 641 } 642 643 for (i = 0; i < SYM_NUM; i++) 644 kfree(p->sym_val_to_name[i]); 645 646 kfree(p->class_val_to_struct); 647 kfree(p->role_val_to_struct); 648 kfree(p->user_val_to_struct); 649 kfree(p->type_val_to_struct); 650 651 avtab_destroy(&p->te_avtab); 652 653 for (i = 0; i < OCON_NUM; i++) { 654 cond_resched(); 655 c = p->ocontexts[i]; 656 while (c) { 657 ctmp = c; 658 c = c->next; 659 ocontext_destroy(ctmp, i); 660 } 661 p->ocontexts[i] = NULL; 662 } 663 664 g = p->genfs; 665 while (g) { 666 cond_resched(); 667 kfree(g->fstype); 668 c = g->head; 669 while (c) { 670 ctmp = c; 671 c = c->next; 672 ocontext_destroy(ctmp, OCON_FSUSE); 673 } 674 gtmp = g; 675 g = g->next; 676 kfree(gtmp); 677 } 678 p->genfs = NULL; 679 680 cond_policydb_destroy(p); 681 682 for (tr = p->role_tr; tr; tr = tr->next) { 683 cond_resched(); 684 kfree(ltr); 685 ltr = tr; 686 } 687 kfree(ltr); 688 689 for (ra = p->role_allow; ra; ra = ra->next) { 690 cond_resched(); 691 kfree(lra); 692 lra = ra; 693 } 694 kfree(lra); 695 696 for (rt = p->range_tr; rt; rt = rt->next) { 697 cond_resched(); 698 if (lrt) { 699 ebitmap_destroy(&lrt->target_range.level[0].cat); 700 ebitmap_destroy(&lrt->target_range.level[1].cat); 701 kfree(lrt); 702 } 703 lrt = rt; 704 } 705 if (lrt) { 706 ebitmap_destroy(&lrt->target_range.level[0].cat); 707 ebitmap_destroy(&lrt->target_range.level[1].cat); 708 kfree(lrt); 709 } 710 711 if (p->type_attr_map) { 712 for (i = 0; i < p->p_types.nprim; i++) 713 ebitmap_destroy(&p->type_attr_map[i]); 714 } 715 kfree(p->type_attr_map); 716 ebitmap_destroy(&p->policycaps); 717 ebitmap_destroy(&p->permissive_map); 718 719 return; 720 } 721 722 /* 723 * Load the initial SIDs specified in a policy database 724 * structure into a SID table. 725 */ 726 int policydb_load_isids(struct policydb *p, struct sidtab *s) 727 { 728 struct ocontext *head, *c; 729 int rc; 730 731 rc = sidtab_init(s); 732 if (rc) { 733 printk(KERN_ERR "SELinux: out of memory on SID table init\n"); 734 goto out; 735 } 736 737 head = p->ocontexts[OCON_ISID]; 738 for (c = head; c; c = c->next) { 739 if (!c->context[0].user) { 740 printk(KERN_ERR "SELinux: SID %s was never " 741 "defined.\n", c->u.name); 742 rc = -EINVAL; 743 goto out; 744 } 745 if (sidtab_insert(s, c->sid[0], &c->context[0])) { 746 printk(KERN_ERR "SELinux: unable to load initial " 747 "SID %s.\n", c->u.name); 748 rc = -EINVAL; 749 goto out; 750 } 751 } 752 out: 753 return rc; 754 } 755 756 int policydb_class_isvalid(struct policydb *p, unsigned int class) 757 { 758 if (!class || class > p->p_classes.nprim) 759 return 0; 760 return 1; 761 } 762 763 int policydb_role_isvalid(struct policydb *p, unsigned int role) 764 { 765 if (!role || role > p->p_roles.nprim) 766 return 0; 767 return 1; 768 } 769 770 int policydb_type_isvalid(struct policydb *p, unsigned int type) 771 { 772 if (!type || type > p->p_types.nprim) 773 return 0; 774 return 1; 775 } 776 777 /* 778 * Return 1 if the fields in the security context 779 * structure `c' are valid. Return 0 otherwise. 780 */ 781 int policydb_context_isvalid(struct policydb *p, struct context *c) 782 { 783 struct role_datum *role; 784 struct user_datum *usrdatum; 785 786 if (!c->role || c->role > p->p_roles.nprim) 787 return 0; 788 789 if (!c->user || c->user > p->p_users.nprim) 790 return 0; 791 792 if (!c->type || c->type > p->p_types.nprim) 793 return 0; 794 795 if (c->role != OBJECT_R_VAL) { 796 /* 797 * Role must be authorized for the type. 798 */ 799 role = p->role_val_to_struct[c->role - 1]; 800 if (!ebitmap_get_bit(&role->types, 801 c->type - 1)) 802 /* role may not be associated with type */ 803 return 0; 804 805 /* 806 * User must be authorized for the role. 807 */ 808 usrdatum = p->user_val_to_struct[c->user - 1]; 809 if (!usrdatum) 810 return 0; 811 812 if (!ebitmap_get_bit(&usrdatum->roles, 813 c->role - 1)) 814 /* user may not be associated with role */ 815 return 0; 816 } 817 818 if (!mls_context_isvalid(p, c)) 819 return 0; 820 821 return 1; 822 } 823 824 /* 825 * Read a MLS range structure from a policydb binary 826 * representation file. 827 */ 828 static int mls_read_range_helper(struct mls_range *r, void *fp) 829 { 830 __le32 buf[2]; 831 u32 items; 832 int rc; 833 834 rc = next_entry(buf, fp, sizeof(u32)); 835 if (rc < 0) 836 goto out; 837 838 items = le32_to_cpu(buf[0]); 839 if (items > ARRAY_SIZE(buf)) { 840 printk(KERN_ERR "SELinux: mls: range overflow\n"); 841 rc = -EINVAL; 842 goto out; 843 } 844 rc = next_entry(buf, fp, sizeof(u32) * items); 845 if (rc < 0) { 846 printk(KERN_ERR "SELinux: mls: truncated range\n"); 847 goto out; 848 } 849 r->level[0].sens = le32_to_cpu(buf[0]); 850 if (items > 1) 851 r->level[1].sens = le32_to_cpu(buf[1]); 852 else 853 r->level[1].sens = r->level[0].sens; 854 855 rc = ebitmap_read(&r->level[0].cat, fp); 856 if (rc) { 857 printk(KERN_ERR "SELinux: mls: error reading low " 858 "categories\n"); 859 goto out; 860 } 861 if (items > 1) { 862 rc = ebitmap_read(&r->level[1].cat, fp); 863 if (rc) { 864 printk(KERN_ERR "SELinux: mls: error reading high " 865 "categories\n"); 866 goto bad_high; 867 } 868 } else { 869 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat); 870 if (rc) { 871 printk(KERN_ERR "SELinux: mls: out of memory\n"); 872 goto bad_high; 873 } 874 } 875 876 rc = 0; 877 out: 878 return rc; 879 bad_high: 880 ebitmap_destroy(&r->level[0].cat); 881 goto out; 882 } 883 884 /* 885 * Read and validate a security context structure 886 * from a policydb binary representation file. 887 */ 888 static int context_read_and_validate(struct context *c, 889 struct policydb *p, 890 void *fp) 891 { 892 __le32 buf[3]; 893 int rc; 894 895 rc = next_entry(buf, fp, sizeof buf); 896 if (rc < 0) { 897 printk(KERN_ERR "SELinux: context truncated\n"); 898 goto out; 899 } 900 c->user = le32_to_cpu(buf[0]); 901 c->role = le32_to_cpu(buf[1]); 902 c->type = le32_to_cpu(buf[2]); 903 if (p->policyvers >= POLICYDB_VERSION_MLS) { 904 if (mls_read_range_helper(&c->range, fp)) { 905 printk(KERN_ERR "SELinux: error reading MLS range of " 906 "context\n"); 907 rc = -EINVAL; 908 goto out; 909 } 910 } 911 912 if (!policydb_context_isvalid(p, c)) { 913 printk(KERN_ERR "SELinux: invalid security context\n"); 914 context_destroy(c); 915 rc = -EINVAL; 916 } 917 out: 918 return rc; 919 } 920 921 /* 922 * The following *_read functions are used to 923 * read the symbol data from a policy database 924 * binary representation file. 925 */ 926 927 static int perm_read(struct policydb *p, struct hashtab *h, void *fp) 928 { 929 char *key = NULL; 930 struct perm_datum *perdatum; 931 int rc; 932 __le32 buf[2]; 933 u32 len; 934 935 perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); 936 if (!perdatum) { 937 rc = -ENOMEM; 938 goto out; 939 } 940 941 rc = next_entry(buf, fp, sizeof buf); 942 if (rc < 0) 943 goto bad; 944 945 len = le32_to_cpu(buf[0]); 946 perdatum->value = le32_to_cpu(buf[1]); 947 948 key = kmalloc(len + 1, GFP_KERNEL); 949 if (!key) { 950 rc = -ENOMEM; 951 goto bad; 952 } 953 rc = next_entry(key, fp, len); 954 if (rc < 0) 955 goto bad; 956 key[len] = '\0'; 957 958 rc = hashtab_insert(h, key, perdatum); 959 if (rc) 960 goto bad; 961 out: 962 return rc; 963 bad: 964 perm_destroy(key, perdatum, NULL); 965 goto out; 966 } 967 968 static int common_read(struct policydb *p, struct hashtab *h, void *fp) 969 { 970 char *key = NULL; 971 struct common_datum *comdatum; 972 __le32 buf[4]; 973 u32 len, nel; 974 int i, rc; 975 976 comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); 977 if (!comdatum) { 978 rc = -ENOMEM; 979 goto out; 980 } 981 982 rc = next_entry(buf, fp, sizeof buf); 983 if (rc < 0) 984 goto bad; 985 986 len = le32_to_cpu(buf[0]); 987 comdatum->value = le32_to_cpu(buf[1]); 988 989 rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); 990 if (rc) 991 goto bad; 992 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 993 nel = le32_to_cpu(buf[3]); 994 995 key = kmalloc(len + 1, GFP_KERNEL); 996 if (!key) { 997 rc = -ENOMEM; 998 goto bad; 999 } 1000 rc = next_entry(key, fp, len); 1001 if (rc < 0) 1002 goto bad; 1003 key[len] = '\0'; 1004 1005 for (i = 0; i < nel; i++) { 1006 rc = perm_read(p, comdatum->permissions.table, fp); 1007 if (rc) 1008 goto bad; 1009 } 1010 1011 rc = hashtab_insert(h, key, comdatum); 1012 if (rc) 1013 goto bad; 1014 out: 1015 return rc; 1016 bad: 1017 common_destroy(key, comdatum, NULL); 1018 goto out; 1019 } 1020 1021 static int read_cons_helper(struct constraint_node **nodep, int ncons, 1022 int allowxtarget, void *fp) 1023 { 1024 struct constraint_node *c, *lc; 1025 struct constraint_expr *e, *le; 1026 __le32 buf[3]; 1027 u32 nexpr; 1028 int rc, i, j, depth; 1029 1030 lc = NULL; 1031 for (i = 0; i < ncons; i++) { 1032 c = kzalloc(sizeof(*c), GFP_KERNEL); 1033 if (!c) 1034 return -ENOMEM; 1035 1036 if (lc) 1037 lc->next = c; 1038 else 1039 *nodep = c; 1040 1041 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1042 if (rc < 0) 1043 return rc; 1044 c->permissions = le32_to_cpu(buf[0]); 1045 nexpr = le32_to_cpu(buf[1]); 1046 le = NULL; 1047 depth = -1; 1048 for (j = 0; j < nexpr; j++) { 1049 e = kzalloc(sizeof(*e), GFP_KERNEL); 1050 if (!e) 1051 return -ENOMEM; 1052 1053 if (le) 1054 le->next = e; 1055 else 1056 c->expr = e; 1057 1058 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1059 if (rc < 0) 1060 return rc; 1061 e->expr_type = le32_to_cpu(buf[0]); 1062 e->attr = le32_to_cpu(buf[1]); 1063 e->op = le32_to_cpu(buf[2]); 1064 1065 switch (e->expr_type) { 1066 case CEXPR_NOT: 1067 if (depth < 0) 1068 return -EINVAL; 1069 break; 1070 case CEXPR_AND: 1071 case CEXPR_OR: 1072 if (depth < 1) 1073 return -EINVAL; 1074 depth--; 1075 break; 1076 case CEXPR_ATTR: 1077 if (depth == (CEXPR_MAXDEPTH - 1)) 1078 return -EINVAL; 1079 depth++; 1080 break; 1081 case CEXPR_NAMES: 1082 if (!allowxtarget && (e->attr & CEXPR_XTARGET)) 1083 return -EINVAL; 1084 if (depth == (CEXPR_MAXDEPTH - 1)) 1085 return -EINVAL; 1086 depth++; 1087 if (ebitmap_read(&e->names, fp)) 1088 return -EINVAL; 1089 break; 1090 default: 1091 return -EINVAL; 1092 } 1093 le = e; 1094 } 1095 if (depth != 0) 1096 return -EINVAL; 1097 lc = c; 1098 } 1099 1100 return 0; 1101 } 1102 1103 static int class_read(struct policydb *p, struct hashtab *h, void *fp) 1104 { 1105 char *key = NULL; 1106 struct class_datum *cladatum; 1107 __le32 buf[6]; 1108 u32 len, len2, ncons, nel; 1109 int i, rc; 1110 1111 cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); 1112 if (!cladatum) { 1113 rc = -ENOMEM; 1114 goto out; 1115 } 1116 1117 rc = next_entry(buf, fp, sizeof(u32)*6); 1118 if (rc < 0) 1119 goto bad; 1120 1121 len = le32_to_cpu(buf[0]); 1122 len2 = le32_to_cpu(buf[1]); 1123 cladatum->value = le32_to_cpu(buf[2]); 1124 1125 rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE); 1126 if (rc) 1127 goto bad; 1128 cladatum->permissions.nprim = le32_to_cpu(buf[3]); 1129 nel = le32_to_cpu(buf[4]); 1130 1131 ncons = le32_to_cpu(buf[5]); 1132 1133 key = kmalloc(len + 1, GFP_KERNEL); 1134 if (!key) { 1135 rc = -ENOMEM; 1136 goto bad; 1137 } 1138 rc = next_entry(key, fp, len); 1139 if (rc < 0) 1140 goto bad; 1141 key[len] = '\0'; 1142 1143 if (len2) { 1144 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); 1145 if (!cladatum->comkey) { 1146 rc = -ENOMEM; 1147 goto bad; 1148 } 1149 rc = next_entry(cladatum->comkey, fp, len2); 1150 if (rc < 0) 1151 goto bad; 1152 cladatum->comkey[len2] = '\0'; 1153 1154 cladatum->comdatum = hashtab_search(p->p_commons.table, 1155 cladatum->comkey); 1156 if (!cladatum->comdatum) { 1157 printk(KERN_ERR "SELinux: unknown common %s\n", 1158 cladatum->comkey); 1159 rc = -EINVAL; 1160 goto bad; 1161 } 1162 } 1163 for (i = 0; i < nel; i++) { 1164 rc = perm_read(p, cladatum->permissions.table, fp); 1165 if (rc) 1166 goto bad; 1167 } 1168 1169 rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp); 1170 if (rc) 1171 goto bad; 1172 1173 if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) { 1174 /* grab the validatetrans rules */ 1175 rc = next_entry(buf, fp, sizeof(u32)); 1176 if (rc < 0) 1177 goto bad; 1178 ncons = le32_to_cpu(buf[0]); 1179 rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp); 1180 if (rc) 1181 goto bad; 1182 } 1183 1184 rc = hashtab_insert(h, key, cladatum); 1185 if (rc) 1186 goto bad; 1187 1188 rc = 0; 1189 out: 1190 return rc; 1191 bad: 1192 cls_destroy(key, cladatum, NULL); 1193 goto out; 1194 } 1195 1196 static int role_read(struct policydb *p, struct hashtab *h, void *fp) 1197 { 1198 char *key = NULL; 1199 struct role_datum *role; 1200 int rc, to_read = 2; 1201 __le32 buf[3]; 1202 u32 len; 1203 1204 role = kzalloc(sizeof(*role), GFP_KERNEL); 1205 if (!role) { 1206 rc = -ENOMEM; 1207 goto out; 1208 } 1209 1210 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1211 to_read = 3; 1212 1213 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1214 if (rc < 0) 1215 goto bad; 1216 1217 len = le32_to_cpu(buf[0]); 1218 role->value = le32_to_cpu(buf[1]); 1219 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1220 role->bounds = le32_to_cpu(buf[2]); 1221 1222 key = kmalloc(len + 1, GFP_KERNEL); 1223 if (!key) { 1224 rc = -ENOMEM; 1225 goto bad; 1226 } 1227 rc = next_entry(key, fp, len); 1228 if (rc < 0) 1229 goto bad; 1230 key[len] = '\0'; 1231 1232 rc = ebitmap_read(&role->dominates, fp); 1233 if (rc) 1234 goto bad; 1235 1236 rc = ebitmap_read(&role->types, fp); 1237 if (rc) 1238 goto bad; 1239 1240 if (strcmp(key, OBJECT_R) == 0) { 1241 if (role->value != OBJECT_R_VAL) { 1242 printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", 1243 OBJECT_R, role->value); 1244 rc = -EINVAL; 1245 goto bad; 1246 } 1247 rc = 0; 1248 goto bad; 1249 } 1250 1251 rc = hashtab_insert(h, key, role); 1252 if (rc) 1253 goto bad; 1254 out: 1255 return rc; 1256 bad: 1257 role_destroy(key, role, NULL); 1258 goto out; 1259 } 1260 1261 static int type_read(struct policydb *p, struct hashtab *h, void *fp) 1262 { 1263 char *key = NULL; 1264 struct type_datum *typdatum; 1265 int rc, to_read = 3; 1266 __le32 buf[4]; 1267 u32 len; 1268 1269 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); 1270 if (!typdatum) { 1271 rc = -ENOMEM; 1272 return rc; 1273 } 1274 1275 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1276 to_read = 4; 1277 1278 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1279 if (rc < 0) 1280 goto bad; 1281 1282 len = le32_to_cpu(buf[0]); 1283 typdatum->value = le32_to_cpu(buf[1]); 1284 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) { 1285 u32 prop = le32_to_cpu(buf[2]); 1286 1287 if (prop & TYPEDATUM_PROPERTY_PRIMARY) 1288 typdatum->primary = 1; 1289 if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE) 1290 typdatum->attribute = 1; 1291 1292 typdatum->bounds = le32_to_cpu(buf[3]); 1293 } else { 1294 typdatum->primary = le32_to_cpu(buf[2]); 1295 } 1296 1297 key = kmalloc(len + 1, GFP_KERNEL); 1298 if (!key) { 1299 rc = -ENOMEM; 1300 goto bad; 1301 } 1302 rc = next_entry(key, fp, len); 1303 if (rc < 0) 1304 goto bad; 1305 key[len] = '\0'; 1306 1307 rc = hashtab_insert(h, key, typdatum); 1308 if (rc) 1309 goto bad; 1310 out: 1311 return rc; 1312 bad: 1313 type_destroy(key, typdatum, NULL); 1314 goto out; 1315 } 1316 1317 1318 /* 1319 * Read a MLS level structure from a policydb binary 1320 * representation file. 1321 */ 1322 static int mls_read_level(struct mls_level *lp, void *fp) 1323 { 1324 __le32 buf[1]; 1325 int rc; 1326 1327 memset(lp, 0, sizeof(*lp)); 1328 1329 rc = next_entry(buf, fp, sizeof buf); 1330 if (rc < 0) { 1331 printk(KERN_ERR "SELinux: mls: truncated level\n"); 1332 goto bad; 1333 } 1334 lp->sens = le32_to_cpu(buf[0]); 1335 1336 if (ebitmap_read(&lp->cat, fp)) { 1337 printk(KERN_ERR "SELinux: mls: error reading level " 1338 "categories\n"); 1339 goto bad; 1340 } 1341 1342 return 0; 1343 1344 bad: 1345 return -EINVAL; 1346 } 1347 1348 static int user_read(struct policydb *p, struct hashtab *h, void *fp) 1349 { 1350 char *key = NULL; 1351 struct user_datum *usrdatum; 1352 int rc, to_read = 2; 1353 __le32 buf[3]; 1354 u32 len; 1355 1356 usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); 1357 if (!usrdatum) { 1358 rc = -ENOMEM; 1359 goto out; 1360 } 1361 1362 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1363 to_read = 3; 1364 1365 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1366 if (rc < 0) 1367 goto bad; 1368 1369 len = le32_to_cpu(buf[0]); 1370 usrdatum->value = le32_to_cpu(buf[1]); 1371 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1372 usrdatum->bounds = le32_to_cpu(buf[2]); 1373 1374 key = kmalloc(len + 1, GFP_KERNEL); 1375 if (!key) { 1376 rc = -ENOMEM; 1377 goto bad; 1378 } 1379 rc = next_entry(key, fp, len); 1380 if (rc < 0) 1381 goto bad; 1382 key[len] = '\0'; 1383 1384 rc = ebitmap_read(&usrdatum->roles, fp); 1385 if (rc) 1386 goto bad; 1387 1388 if (p->policyvers >= POLICYDB_VERSION_MLS) { 1389 rc = mls_read_range_helper(&usrdatum->range, fp); 1390 if (rc) 1391 goto bad; 1392 rc = mls_read_level(&usrdatum->dfltlevel, fp); 1393 if (rc) 1394 goto bad; 1395 } 1396 1397 rc = hashtab_insert(h, key, usrdatum); 1398 if (rc) 1399 goto bad; 1400 out: 1401 return rc; 1402 bad: 1403 user_destroy(key, usrdatum, NULL); 1404 goto out; 1405 } 1406 1407 static int sens_read(struct policydb *p, struct hashtab *h, void *fp) 1408 { 1409 char *key = NULL; 1410 struct level_datum *levdatum; 1411 int rc; 1412 __le32 buf[2]; 1413 u32 len; 1414 1415 levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); 1416 if (!levdatum) { 1417 rc = -ENOMEM; 1418 goto out; 1419 } 1420 1421 rc = next_entry(buf, fp, sizeof buf); 1422 if (rc < 0) 1423 goto bad; 1424 1425 len = le32_to_cpu(buf[0]); 1426 levdatum->isalias = le32_to_cpu(buf[1]); 1427 1428 key = kmalloc(len + 1, GFP_ATOMIC); 1429 if (!key) { 1430 rc = -ENOMEM; 1431 goto bad; 1432 } 1433 rc = next_entry(key, fp, len); 1434 if (rc < 0) 1435 goto bad; 1436 key[len] = '\0'; 1437 1438 levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); 1439 if (!levdatum->level) { 1440 rc = -ENOMEM; 1441 goto bad; 1442 } 1443 if (mls_read_level(levdatum->level, fp)) { 1444 rc = -EINVAL; 1445 goto bad; 1446 } 1447 1448 rc = hashtab_insert(h, key, levdatum); 1449 if (rc) 1450 goto bad; 1451 out: 1452 return rc; 1453 bad: 1454 sens_destroy(key, levdatum, NULL); 1455 goto out; 1456 } 1457 1458 static int cat_read(struct policydb *p, struct hashtab *h, void *fp) 1459 { 1460 char *key = NULL; 1461 struct cat_datum *catdatum; 1462 int rc; 1463 __le32 buf[3]; 1464 u32 len; 1465 1466 catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); 1467 if (!catdatum) { 1468 rc = -ENOMEM; 1469 goto out; 1470 } 1471 1472 rc = next_entry(buf, fp, sizeof buf); 1473 if (rc < 0) 1474 goto bad; 1475 1476 len = le32_to_cpu(buf[0]); 1477 catdatum->value = le32_to_cpu(buf[1]); 1478 catdatum->isalias = le32_to_cpu(buf[2]); 1479 1480 key = kmalloc(len + 1, GFP_ATOMIC); 1481 if (!key) { 1482 rc = -ENOMEM; 1483 goto bad; 1484 } 1485 rc = next_entry(key, fp, len); 1486 if (rc < 0) 1487 goto bad; 1488 key[len] = '\0'; 1489 1490 rc = hashtab_insert(h, key, catdatum); 1491 if (rc) 1492 goto bad; 1493 out: 1494 return rc; 1495 1496 bad: 1497 cat_destroy(key, catdatum, NULL); 1498 goto out; 1499 } 1500 1501 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) = 1502 { 1503 common_read, 1504 class_read, 1505 role_read, 1506 type_read, 1507 user_read, 1508 cond_read_bool, 1509 sens_read, 1510 cat_read, 1511 }; 1512 1513 static int user_bounds_sanity_check(void *key, void *datum, void *datap) 1514 { 1515 struct user_datum *upper, *user; 1516 struct policydb *p = datap; 1517 int depth = 0; 1518 1519 upper = user = datum; 1520 while (upper->bounds) { 1521 struct ebitmap_node *node; 1522 unsigned long bit; 1523 1524 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1525 printk(KERN_ERR "SELinux: user %s: " 1526 "too deep or looped boundary", 1527 (char *) key); 1528 return -EINVAL; 1529 } 1530 1531 upper = p->user_val_to_struct[upper->bounds - 1]; 1532 ebitmap_for_each_positive_bit(&user->roles, node, bit) { 1533 if (ebitmap_get_bit(&upper->roles, bit)) 1534 continue; 1535 1536 printk(KERN_ERR 1537 "SELinux: boundary violated policy: " 1538 "user=%s role=%s bounds=%s\n", 1539 p->p_user_val_to_name[user->value - 1], 1540 p->p_role_val_to_name[bit], 1541 p->p_user_val_to_name[upper->value - 1]); 1542 1543 return -EINVAL; 1544 } 1545 } 1546 1547 return 0; 1548 } 1549 1550 static int role_bounds_sanity_check(void *key, void *datum, void *datap) 1551 { 1552 struct role_datum *upper, *role; 1553 struct policydb *p = datap; 1554 int depth = 0; 1555 1556 upper = role = datum; 1557 while (upper->bounds) { 1558 struct ebitmap_node *node; 1559 unsigned long bit; 1560 1561 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1562 printk(KERN_ERR "SELinux: role %s: " 1563 "too deep or looped bounds\n", 1564 (char *) key); 1565 return -EINVAL; 1566 } 1567 1568 upper = p->role_val_to_struct[upper->bounds - 1]; 1569 ebitmap_for_each_positive_bit(&role->types, node, bit) { 1570 if (ebitmap_get_bit(&upper->types, bit)) 1571 continue; 1572 1573 printk(KERN_ERR 1574 "SELinux: boundary violated policy: " 1575 "role=%s type=%s bounds=%s\n", 1576 p->p_role_val_to_name[role->value - 1], 1577 p->p_type_val_to_name[bit], 1578 p->p_role_val_to_name[upper->value - 1]); 1579 1580 return -EINVAL; 1581 } 1582 } 1583 1584 return 0; 1585 } 1586 1587 static int type_bounds_sanity_check(void *key, void *datum, void *datap) 1588 { 1589 struct type_datum *upper, *type; 1590 struct policydb *p = datap; 1591 int depth = 0; 1592 1593 upper = type = datum; 1594 while (upper->bounds) { 1595 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1596 printk(KERN_ERR "SELinux: type %s: " 1597 "too deep or looped boundary\n", 1598 (char *) key); 1599 return -EINVAL; 1600 } 1601 1602 upper = p->type_val_to_struct[upper->bounds - 1]; 1603 if (upper->attribute) { 1604 printk(KERN_ERR "SELinux: type %s: " 1605 "bounded by attribute %s", 1606 (char *) key, 1607 p->p_type_val_to_name[upper->value - 1]); 1608 return -EINVAL; 1609 } 1610 } 1611 1612 return 0; 1613 } 1614 1615 static int policydb_bounds_sanity_check(struct policydb *p) 1616 { 1617 int rc; 1618 1619 if (p->policyvers < POLICYDB_VERSION_BOUNDARY) 1620 return 0; 1621 1622 rc = hashtab_map(p->p_users.table, 1623 user_bounds_sanity_check, p); 1624 if (rc) 1625 return rc; 1626 1627 rc = hashtab_map(p->p_roles.table, 1628 role_bounds_sanity_check, p); 1629 if (rc) 1630 return rc; 1631 1632 rc = hashtab_map(p->p_types.table, 1633 type_bounds_sanity_check, p); 1634 if (rc) 1635 return rc; 1636 1637 return 0; 1638 } 1639 1640 extern int ss_initialized; 1641 1642 u16 string_to_security_class(struct policydb *p, const char *name) 1643 { 1644 struct class_datum *cladatum; 1645 1646 cladatum = hashtab_search(p->p_classes.table, name); 1647 if (!cladatum) 1648 return 0; 1649 1650 return cladatum->value; 1651 } 1652 1653 u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) 1654 { 1655 struct class_datum *cladatum; 1656 struct perm_datum *perdatum = NULL; 1657 struct common_datum *comdatum; 1658 1659 if (!tclass || tclass > p->p_classes.nprim) 1660 return 0; 1661 1662 cladatum = p->class_val_to_struct[tclass-1]; 1663 comdatum = cladatum->comdatum; 1664 if (comdatum) 1665 perdatum = hashtab_search(comdatum->permissions.table, 1666 name); 1667 if (!perdatum) 1668 perdatum = hashtab_search(cladatum->permissions.table, 1669 name); 1670 if (!perdatum) 1671 return 0; 1672 1673 return 1U << (perdatum->value-1); 1674 } 1675 1676 /* 1677 * Read the configuration data from a policy database binary 1678 * representation file into a policy database structure. 1679 */ 1680 int policydb_read(struct policydb *p, void *fp) 1681 { 1682 struct role_allow *ra, *lra; 1683 struct role_trans *tr, *ltr; 1684 struct ocontext *l, *c, *newc; 1685 struct genfs *genfs_p, *genfs, *newgenfs; 1686 int i, j, rc; 1687 __le32 buf[4]; 1688 u32 nodebuf[8]; 1689 u32 len, len2, config, nprim, nel, nel2; 1690 char *policydb_str; 1691 struct policydb_compat_info *info; 1692 struct range_trans *rt, *lrt; 1693 1694 config = 0; 1695 1696 rc = policydb_init(p); 1697 if (rc) 1698 goto out; 1699 1700 /* Read the magic number and string length. */ 1701 rc = next_entry(buf, fp, sizeof(u32) * 2); 1702 if (rc < 0) 1703 goto bad; 1704 1705 if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) { 1706 printk(KERN_ERR "SELinux: policydb magic number 0x%x does " 1707 "not match expected magic number 0x%x\n", 1708 le32_to_cpu(buf[0]), POLICYDB_MAGIC); 1709 goto bad; 1710 } 1711 1712 len = le32_to_cpu(buf[1]); 1713 if (len != strlen(POLICYDB_STRING)) { 1714 printk(KERN_ERR "SELinux: policydb string length %d does not " 1715 "match expected length %Zu\n", 1716 len, strlen(POLICYDB_STRING)); 1717 goto bad; 1718 } 1719 policydb_str = kmalloc(len + 1, GFP_KERNEL); 1720 if (!policydb_str) { 1721 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 1722 "string of length %d\n", len); 1723 rc = -ENOMEM; 1724 goto bad; 1725 } 1726 rc = next_entry(policydb_str, fp, len); 1727 if (rc < 0) { 1728 printk(KERN_ERR "SELinux: truncated policydb string identifier\n"); 1729 kfree(policydb_str); 1730 goto bad; 1731 } 1732 policydb_str[len] = '\0'; 1733 if (strcmp(policydb_str, POLICYDB_STRING)) { 1734 printk(KERN_ERR "SELinux: policydb string %s does not match " 1735 "my string %s\n", policydb_str, POLICYDB_STRING); 1736 kfree(policydb_str); 1737 goto bad; 1738 } 1739 /* Done with policydb_str. */ 1740 kfree(policydb_str); 1741 policydb_str = NULL; 1742 1743 /* Read the version, config, and table sizes. */ 1744 rc = next_entry(buf, fp, sizeof(u32)*4); 1745 if (rc < 0) 1746 goto bad; 1747 1748 p->policyvers = le32_to_cpu(buf[0]); 1749 if (p->policyvers < POLICYDB_VERSION_MIN || 1750 p->policyvers > POLICYDB_VERSION_MAX) { 1751 printk(KERN_ERR "SELinux: policydb version %d does not match " 1752 "my version range %d-%d\n", 1753 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1754 goto bad; 1755 } 1756 1757 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1758 if (ss_initialized && !selinux_mls_enabled) { 1759 printk(KERN_ERR "SELinux: Cannot switch between non-MLS" 1760 " and MLS policies\n"); 1761 goto bad; 1762 } 1763 selinux_mls_enabled = 1; 1764 config |= POLICYDB_CONFIG_MLS; 1765 1766 if (p->policyvers < POLICYDB_VERSION_MLS) { 1767 printk(KERN_ERR "SELinux: security policydb version %d " 1768 "(MLS) not backwards compatible\n", 1769 p->policyvers); 1770 goto bad; 1771 } 1772 } else { 1773 if (ss_initialized && selinux_mls_enabled) { 1774 printk(KERN_ERR "SELinux: Cannot switch between MLS and" 1775 " non-MLS policies\n"); 1776 goto bad; 1777 } 1778 } 1779 p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN); 1780 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN); 1781 1782 if (p->policyvers >= POLICYDB_VERSION_POLCAP && 1783 ebitmap_read(&p->policycaps, fp) != 0) 1784 goto bad; 1785 1786 if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && 1787 ebitmap_read(&p->permissive_map, fp) != 0) 1788 goto bad; 1789 1790 info = policydb_lookup_compat(p->policyvers); 1791 if (!info) { 1792 printk(KERN_ERR "SELinux: unable to find policy compat info " 1793 "for version %d\n", p->policyvers); 1794 goto bad; 1795 } 1796 1797 if (le32_to_cpu(buf[2]) != info->sym_num || 1798 le32_to_cpu(buf[3]) != info->ocon_num) { 1799 printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do " 1800 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]), 1801 le32_to_cpu(buf[3]), 1802 info->sym_num, info->ocon_num); 1803 goto bad; 1804 } 1805 1806 for (i = 0; i < info->sym_num; i++) { 1807 rc = next_entry(buf, fp, sizeof(u32)*2); 1808 if (rc < 0) 1809 goto bad; 1810 nprim = le32_to_cpu(buf[0]); 1811 nel = le32_to_cpu(buf[1]); 1812 for (j = 0; j < nel; j++) { 1813 rc = read_f[i](p, p->symtab[i].table, fp); 1814 if (rc) 1815 goto bad; 1816 } 1817 1818 p->symtab[i].nprim = nprim; 1819 } 1820 1821 rc = avtab_read(&p->te_avtab, fp, p); 1822 if (rc) 1823 goto bad; 1824 1825 if (p->policyvers >= POLICYDB_VERSION_BOOL) { 1826 rc = cond_read_list(p, fp); 1827 if (rc) 1828 goto bad; 1829 } 1830 1831 rc = next_entry(buf, fp, sizeof(u32)); 1832 if (rc < 0) 1833 goto bad; 1834 nel = le32_to_cpu(buf[0]); 1835 ltr = NULL; 1836 for (i = 0; i < nel; i++) { 1837 tr = kzalloc(sizeof(*tr), GFP_KERNEL); 1838 if (!tr) { 1839 rc = -ENOMEM; 1840 goto bad; 1841 } 1842 if (ltr) 1843 ltr->next = tr; 1844 else 1845 p->role_tr = tr; 1846 rc = next_entry(buf, fp, sizeof(u32)*3); 1847 if (rc < 0) 1848 goto bad; 1849 tr->role = le32_to_cpu(buf[0]); 1850 tr->type = le32_to_cpu(buf[1]); 1851 tr->new_role = le32_to_cpu(buf[2]); 1852 if (!policydb_role_isvalid(p, tr->role) || 1853 !policydb_type_isvalid(p, tr->type) || 1854 !policydb_role_isvalid(p, tr->new_role)) { 1855 rc = -EINVAL; 1856 goto bad; 1857 } 1858 ltr = tr; 1859 } 1860 1861 rc = next_entry(buf, fp, sizeof(u32)); 1862 if (rc < 0) 1863 goto bad; 1864 nel = le32_to_cpu(buf[0]); 1865 lra = NULL; 1866 for (i = 0; i < nel; i++) { 1867 ra = kzalloc(sizeof(*ra), GFP_KERNEL); 1868 if (!ra) { 1869 rc = -ENOMEM; 1870 goto bad; 1871 } 1872 if (lra) 1873 lra->next = ra; 1874 else 1875 p->role_allow = ra; 1876 rc = next_entry(buf, fp, sizeof(u32)*2); 1877 if (rc < 0) 1878 goto bad; 1879 ra->role = le32_to_cpu(buf[0]); 1880 ra->new_role = le32_to_cpu(buf[1]); 1881 if (!policydb_role_isvalid(p, ra->role) || 1882 !policydb_role_isvalid(p, ra->new_role)) { 1883 rc = -EINVAL; 1884 goto bad; 1885 } 1886 lra = ra; 1887 } 1888 1889 rc = policydb_index_classes(p); 1890 if (rc) 1891 goto bad; 1892 1893 rc = policydb_index_others(p); 1894 if (rc) 1895 goto bad; 1896 1897 p->process_class = string_to_security_class(p, "process"); 1898 if (!p->process_class) 1899 goto bad; 1900 p->process_trans_perms = string_to_av_perm(p, p->process_class, 1901 "transition"); 1902 p->process_trans_perms |= string_to_av_perm(p, p->process_class, 1903 "dyntransition"); 1904 if (!p->process_trans_perms) 1905 goto bad; 1906 1907 for (i = 0; i < info->ocon_num; i++) { 1908 rc = next_entry(buf, fp, sizeof(u32)); 1909 if (rc < 0) 1910 goto bad; 1911 nel = le32_to_cpu(buf[0]); 1912 l = NULL; 1913 for (j = 0; j < nel; j++) { 1914 c = kzalloc(sizeof(*c), GFP_KERNEL); 1915 if (!c) { 1916 rc = -ENOMEM; 1917 goto bad; 1918 } 1919 if (l) 1920 l->next = c; 1921 else 1922 p->ocontexts[i] = c; 1923 l = c; 1924 rc = -EINVAL; 1925 switch (i) { 1926 case OCON_ISID: 1927 rc = next_entry(buf, fp, sizeof(u32)); 1928 if (rc < 0) 1929 goto bad; 1930 c->sid[0] = le32_to_cpu(buf[0]); 1931 rc = context_read_and_validate(&c->context[0], p, fp); 1932 if (rc) 1933 goto bad; 1934 break; 1935 case OCON_FS: 1936 case OCON_NETIF: 1937 rc = next_entry(buf, fp, sizeof(u32)); 1938 if (rc < 0) 1939 goto bad; 1940 len = le32_to_cpu(buf[0]); 1941 c->u.name = kmalloc(len + 1, GFP_KERNEL); 1942 if (!c->u.name) { 1943 rc = -ENOMEM; 1944 goto bad; 1945 } 1946 rc = next_entry(c->u.name, fp, len); 1947 if (rc < 0) 1948 goto bad; 1949 c->u.name[len] = 0; 1950 rc = context_read_and_validate(&c->context[0], p, fp); 1951 if (rc) 1952 goto bad; 1953 rc = context_read_and_validate(&c->context[1], p, fp); 1954 if (rc) 1955 goto bad; 1956 break; 1957 case OCON_PORT: 1958 rc = next_entry(buf, fp, sizeof(u32)*3); 1959 if (rc < 0) 1960 goto bad; 1961 c->u.port.protocol = le32_to_cpu(buf[0]); 1962 c->u.port.low_port = le32_to_cpu(buf[1]); 1963 c->u.port.high_port = le32_to_cpu(buf[2]); 1964 rc = context_read_and_validate(&c->context[0], p, fp); 1965 if (rc) 1966 goto bad; 1967 break; 1968 case OCON_NODE: 1969 rc = next_entry(nodebuf, fp, sizeof(u32) * 2); 1970 if (rc < 0) 1971 goto bad; 1972 c->u.node.addr = nodebuf[0]; /* network order */ 1973 c->u.node.mask = nodebuf[1]; /* network order */ 1974 rc = context_read_and_validate(&c->context[0], p, fp); 1975 if (rc) 1976 goto bad; 1977 break; 1978 case OCON_FSUSE: 1979 rc = next_entry(buf, fp, sizeof(u32)*2); 1980 if (rc < 0) 1981 goto bad; 1982 c->v.behavior = le32_to_cpu(buf[0]); 1983 if (c->v.behavior > SECURITY_FS_USE_NONE) 1984 goto bad; 1985 len = le32_to_cpu(buf[1]); 1986 c->u.name = kmalloc(len + 1, GFP_KERNEL); 1987 if (!c->u.name) { 1988 rc = -ENOMEM; 1989 goto bad; 1990 } 1991 rc = next_entry(c->u.name, fp, len); 1992 if (rc < 0) 1993 goto bad; 1994 c->u.name[len] = 0; 1995 rc = context_read_and_validate(&c->context[0], p, fp); 1996 if (rc) 1997 goto bad; 1998 break; 1999 case OCON_NODE6: { 2000 int k; 2001 2002 rc = next_entry(nodebuf, fp, sizeof(u32) * 8); 2003 if (rc < 0) 2004 goto bad; 2005 for (k = 0; k < 4; k++) 2006 c->u.node6.addr[k] = nodebuf[k]; 2007 for (k = 0; k < 4; k++) 2008 c->u.node6.mask[k] = nodebuf[k+4]; 2009 if (context_read_and_validate(&c->context[0], p, fp)) 2010 goto bad; 2011 break; 2012 } 2013 } 2014 } 2015 } 2016 2017 rc = next_entry(buf, fp, sizeof(u32)); 2018 if (rc < 0) 2019 goto bad; 2020 nel = le32_to_cpu(buf[0]); 2021 genfs_p = NULL; 2022 rc = -EINVAL; 2023 for (i = 0; i < nel; i++) { 2024 rc = next_entry(buf, fp, sizeof(u32)); 2025 if (rc < 0) 2026 goto bad; 2027 len = le32_to_cpu(buf[0]); 2028 newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL); 2029 if (!newgenfs) { 2030 rc = -ENOMEM; 2031 goto bad; 2032 } 2033 2034 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); 2035 if (!newgenfs->fstype) { 2036 rc = -ENOMEM; 2037 kfree(newgenfs); 2038 goto bad; 2039 } 2040 rc = next_entry(newgenfs->fstype, fp, len); 2041 if (rc < 0) { 2042 kfree(newgenfs->fstype); 2043 kfree(newgenfs); 2044 goto bad; 2045 } 2046 newgenfs->fstype[len] = 0; 2047 for (genfs_p = NULL, genfs = p->genfs; genfs; 2048 genfs_p = genfs, genfs = genfs->next) { 2049 if (strcmp(newgenfs->fstype, genfs->fstype) == 0) { 2050 printk(KERN_ERR "SELinux: dup genfs " 2051 "fstype %s\n", newgenfs->fstype); 2052 kfree(newgenfs->fstype); 2053 kfree(newgenfs); 2054 goto bad; 2055 } 2056 if (strcmp(newgenfs->fstype, genfs->fstype) < 0) 2057 break; 2058 } 2059 newgenfs->next = genfs; 2060 if (genfs_p) 2061 genfs_p->next = newgenfs; 2062 else 2063 p->genfs = newgenfs; 2064 rc = next_entry(buf, fp, sizeof(u32)); 2065 if (rc < 0) 2066 goto bad; 2067 nel2 = le32_to_cpu(buf[0]); 2068 for (j = 0; j < nel2; j++) { 2069 rc = next_entry(buf, fp, sizeof(u32)); 2070 if (rc < 0) 2071 goto bad; 2072 len = le32_to_cpu(buf[0]); 2073 2074 newc = kzalloc(sizeof(*newc), GFP_KERNEL); 2075 if (!newc) { 2076 rc = -ENOMEM; 2077 goto bad; 2078 } 2079 2080 newc->u.name = kmalloc(len + 1, GFP_KERNEL); 2081 if (!newc->u.name) { 2082 rc = -ENOMEM; 2083 goto bad_newc; 2084 } 2085 rc = next_entry(newc->u.name, fp, len); 2086 if (rc < 0) 2087 goto bad_newc; 2088 newc->u.name[len] = 0; 2089 rc = next_entry(buf, fp, sizeof(u32)); 2090 if (rc < 0) 2091 goto bad_newc; 2092 newc->v.sclass = le32_to_cpu(buf[0]); 2093 if (context_read_and_validate(&newc->context[0], p, fp)) 2094 goto bad_newc; 2095 for (l = NULL, c = newgenfs->head; c; 2096 l = c, c = c->next) { 2097 if (!strcmp(newc->u.name, c->u.name) && 2098 (!c->v.sclass || !newc->v.sclass || 2099 newc->v.sclass == c->v.sclass)) { 2100 printk(KERN_ERR "SELinux: dup genfs " 2101 "entry (%s,%s)\n", 2102 newgenfs->fstype, c->u.name); 2103 goto bad_newc; 2104 } 2105 len = strlen(newc->u.name); 2106 len2 = strlen(c->u.name); 2107 if (len > len2) 2108 break; 2109 } 2110 2111 newc->next = c; 2112 if (l) 2113 l->next = newc; 2114 else 2115 newgenfs->head = newc; 2116 } 2117 } 2118 2119 if (p->policyvers >= POLICYDB_VERSION_MLS) { 2120 int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS; 2121 rc = next_entry(buf, fp, sizeof(u32)); 2122 if (rc < 0) 2123 goto bad; 2124 nel = le32_to_cpu(buf[0]); 2125 lrt = NULL; 2126 for (i = 0; i < nel; i++) { 2127 rt = kzalloc(sizeof(*rt), GFP_KERNEL); 2128 if (!rt) { 2129 rc = -ENOMEM; 2130 goto bad; 2131 } 2132 if (lrt) 2133 lrt->next = rt; 2134 else 2135 p->range_tr = rt; 2136 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 2137 if (rc < 0) 2138 goto bad; 2139 rt->source_type = le32_to_cpu(buf[0]); 2140 rt->target_type = le32_to_cpu(buf[1]); 2141 if (new_rangetr) { 2142 rc = next_entry(buf, fp, sizeof(u32)); 2143 if (rc < 0) 2144 goto bad; 2145 rt->target_class = le32_to_cpu(buf[0]); 2146 } else 2147 rt->target_class = p->process_class; 2148 if (!policydb_type_isvalid(p, rt->source_type) || 2149 !policydb_type_isvalid(p, rt->target_type) || 2150 !policydb_class_isvalid(p, rt->target_class)) { 2151 rc = -EINVAL; 2152 goto bad; 2153 } 2154 rc = mls_read_range_helper(&rt->target_range, fp); 2155 if (rc) 2156 goto bad; 2157 if (!mls_range_isvalid(p, &rt->target_range)) { 2158 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n"); 2159 goto bad; 2160 } 2161 lrt = rt; 2162 } 2163 } 2164 2165 p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL); 2166 if (!p->type_attr_map) 2167 goto bad; 2168 2169 for (i = 0; i < p->p_types.nprim; i++) { 2170 ebitmap_init(&p->type_attr_map[i]); 2171 if (p->policyvers >= POLICYDB_VERSION_AVTAB) { 2172 if (ebitmap_read(&p->type_attr_map[i], fp)) 2173 goto bad; 2174 } 2175 /* add the type itself as the degenerate case */ 2176 if (ebitmap_set_bit(&p->type_attr_map[i], i, 1)) 2177 goto bad; 2178 } 2179 2180 rc = policydb_bounds_sanity_check(p); 2181 if (rc) 2182 goto bad; 2183 2184 rc = 0; 2185 out: 2186 return rc; 2187 bad_newc: 2188 ocontext_destroy(newc, OCON_FSUSE); 2189 bad: 2190 if (!rc) 2191 rc = -EINVAL; 2192 policydb_destroy(p); 2193 goto out; 2194 } 2195