1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * Support for context based audit filters. 12 * 13 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 14 * 15 * Added conditional policy language extensions 16 * 17 * Updated: Hewlett-Packard <paul@paul-moore.com> 18 * 19 * Added support for NetLabel 20 * Added support for the policy capability bitmap 21 * 22 * Updated: Chad Sellers <csellers@tresys.com> 23 * 24 * Added validation of kernel classes and permissions 25 * 26 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 27 * 28 * Added support for bounds domain and audit messaged on masked permissions 29 * 30 * Updated: Guido Trentalancia <guido@trentalancia.com> 31 * 32 * Added support for runtime switching of the policy type 33 * 34 * Copyright (C) 2008, 2009 NEC Corporation 35 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 36 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 37 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 38 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 39 */ 40 #include <linux/kernel.h> 41 #include <linux/slab.h> 42 #include <linux/string.h> 43 #include <linux/spinlock.h> 44 #include <linux/rcupdate.h> 45 #include <linux/errno.h> 46 #include <linux/in.h> 47 #include <linux/sched.h> 48 #include <linux/audit.h> 49 #include <linux/mutex.h> 50 #include <linux/vmalloc.h> 51 #include <net/netlabel.h> 52 53 #include "flask.h" 54 #include "avc.h" 55 #include "avc_ss.h" 56 #include "security.h" 57 #include "context.h" 58 #include "policydb.h" 59 #include "sidtab.h" 60 #include "services.h" 61 #include "conditional.h" 62 #include "mls.h" 63 #include "objsec.h" 64 #include "netlabel.h" 65 #include "xfrm.h" 66 #include "ebitmap.h" 67 #include "audit.h" 68 69 /* Policy capability names */ 70 const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { 71 "network_peer_controls", 72 "open_perms", 73 "extended_socket_class", 74 "always_check_network", 75 "cgroup_seclabel", 76 "nnp_nosuid_transition" 77 }; 78 79 static struct selinux_ss selinux_ss; 80 81 void selinux_ss_init(struct selinux_ss **ss) 82 { 83 rwlock_init(&selinux_ss.policy_rwlock); 84 mutex_init(&selinux_ss.status_lock); 85 *ss = &selinux_ss; 86 } 87 88 /* Forward declaration. */ 89 static int context_struct_to_string(struct policydb *policydb, 90 struct context *context, 91 char **scontext, 92 u32 *scontext_len); 93 94 static void context_struct_compute_av(struct policydb *policydb, 95 struct context *scontext, 96 struct context *tcontext, 97 u16 tclass, 98 struct av_decision *avd, 99 struct extended_perms *xperms); 100 101 static int selinux_set_mapping(struct policydb *pol, 102 struct security_class_mapping *map, 103 struct selinux_map *out_map) 104 { 105 u16 i, j; 106 unsigned k; 107 bool print_unknown_handle = false; 108 109 /* Find number of classes in the input mapping */ 110 if (!map) 111 return -EINVAL; 112 i = 0; 113 while (map[i].name) 114 i++; 115 116 /* Allocate space for the class records, plus one for class zero */ 117 out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC); 118 if (!out_map->mapping) 119 return -ENOMEM; 120 121 /* Store the raw class and permission values */ 122 j = 0; 123 while (map[j].name) { 124 struct security_class_mapping *p_in = map + (j++); 125 struct selinux_mapping *p_out = out_map->mapping + j; 126 127 /* An empty class string skips ahead */ 128 if (!strcmp(p_in->name, "")) { 129 p_out->num_perms = 0; 130 continue; 131 } 132 133 p_out->value = string_to_security_class(pol, p_in->name); 134 if (!p_out->value) { 135 pr_info("SELinux: Class %s not defined in policy.\n", 136 p_in->name); 137 if (pol->reject_unknown) 138 goto err; 139 p_out->num_perms = 0; 140 print_unknown_handle = true; 141 continue; 142 } 143 144 k = 0; 145 while (p_in->perms[k]) { 146 /* An empty permission string skips ahead */ 147 if (!*p_in->perms[k]) { 148 k++; 149 continue; 150 } 151 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 152 p_in->perms[k]); 153 if (!p_out->perms[k]) { 154 pr_info("SELinux: Permission %s in class %s not defined in policy.\n", 155 p_in->perms[k], p_in->name); 156 if (pol->reject_unknown) 157 goto err; 158 print_unknown_handle = true; 159 } 160 161 k++; 162 } 163 p_out->num_perms = k; 164 } 165 166 if (print_unknown_handle) 167 pr_info("SELinux: the above unknown classes and permissions will be %s\n", 168 pol->allow_unknown ? "allowed" : "denied"); 169 170 out_map->size = i; 171 return 0; 172 err: 173 kfree(out_map->mapping); 174 out_map->mapping = NULL; 175 return -EINVAL; 176 } 177 178 /* 179 * Get real, policy values from mapped values 180 */ 181 182 static u16 unmap_class(struct selinux_map *map, u16 tclass) 183 { 184 if (tclass < map->size) 185 return map->mapping[tclass].value; 186 187 return tclass; 188 } 189 190 /* 191 * Get kernel value for class from its policy value 192 */ 193 static u16 map_class(struct selinux_map *map, u16 pol_value) 194 { 195 u16 i; 196 197 for (i = 1; i < map->size; i++) { 198 if (map->mapping[i].value == pol_value) 199 return i; 200 } 201 202 return SECCLASS_NULL; 203 } 204 205 static void map_decision(struct selinux_map *map, 206 u16 tclass, struct av_decision *avd, 207 int allow_unknown) 208 { 209 if (tclass < map->size) { 210 struct selinux_mapping *mapping = &map->mapping[tclass]; 211 unsigned int i, n = mapping->num_perms; 212 u32 result; 213 214 for (i = 0, result = 0; i < n; i++) { 215 if (avd->allowed & mapping->perms[i]) 216 result |= 1<<i; 217 if (allow_unknown && !mapping->perms[i]) 218 result |= 1<<i; 219 } 220 avd->allowed = result; 221 222 for (i = 0, result = 0; i < n; i++) 223 if (avd->auditallow & mapping->perms[i]) 224 result |= 1<<i; 225 avd->auditallow = result; 226 227 for (i = 0, result = 0; i < n; i++) { 228 if (avd->auditdeny & mapping->perms[i]) 229 result |= 1<<i; 230 if (!allow_unknown && !mapping->perms[i]) 231 result |= 1<<i; 232 } 233 /* 234 * In case the kernel has a bug and requests a permission 235 * between num_perms and the maximum permission number, we 236 * should audit that denial 237 */ 238 for (; i < (sizeof(u32)*8); i++) 239 result |= 1<<i; 240 avd->auditdeny = result; 241 } 242 } 243 244 int security_mls_enabled(struct selinux_state *state) 245 { 246 struct policydb *p = &state->ss->policydb; 247 248 return p->mls_enabled; 249 } 250 251 /* 252 * Return the boolean value of a constraint expression 253 * when it is applied to the specified source and target 254 * security contexts. 255 * 256 * xcontext is a special beast... It is used by the validatetrans rules 257 * only. For these rules, scontext is the context before the transition, 258 * tcontext is the context after the transition, and xcontext is the context 259 * of the process performing the transition. All other callers of 260 * constraint_expr_eval should pass in NULL for xcontext. 261 */ 262 static int constraint_expr_eval(struct policydb *policydb, 263 struct context *scontext, 264 struct context *tcontext, 265 struct context *xcontext, 266 struct constraint_expr *cexpr) 267 { 268 u32 val1, val2; 269 struct context *c; 270 struct role_datum *r1, *r2; 271 struct mls_level *l1, *l2; 272 struct constraint_expr *e; 273 int s[CEXPR_MAXDEPTH]; 274 int sp = -1; 275 276 for (e = cexpr; e; e = e->next) { 277 switch (e->expr_type) { 278 case CEXPR_NOT: 279 BUG_ON(sp < 0); 280 s[sp] = !s[sp]; 281 break; 282 case CEXPR_AND: 283 BUG_ON(sp < 1); 284 sp--; 285 s[sp] &= s[sp + 1]; 286 break; 287 case CEXPR_OR: 288 BUG_ON(sp < 1); 289 sp--; 290 s[sp] |= s[sp + 1]; 291 break; 292 case CEXPR_ATTR: 293 if (sp == (CEXPR_MAXDEPTH - 1)) 294 return 0; 295 switch (e->attr) { 296 case CEXPR_USER: 297 val1 = scontext->user; 298 val2 = tcontext->user; 299 break; 300 case CEXPR_TYPE: 301 val1 = scontext->type; 302 val2 = tcontext->type; 303 break; 304 case CEXPR_ROLE: 305 val1 = scontext->role; 306 val2 = tcontext->role; 307 r1 = policydb->role_val_to_struct[val1 - 1]; 308 r2 = policydb->role_val_to_struct[val2 - 1]; 309 switch (e->op) { 310 case CEXPR_DOM: 311 s[++sp] = ebitmap_get_bit(&r1->dominates, 312 val2 - 1); 313 continue; 314 case CEXPR_DOMBY: 315 s[++sp] = ebitmap_get_bit(&r2->dominates, 316 val1 - 1); 317 continue; 318 case CEXPR_INCOMP: 319 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 320 val2 - 1) && 321 !ebitmap_get_bit(&r2->dominates, 322 val1 - 1)); 323 continue; 324 default: 325 break; 326 } 327 break; 328 case CEXPR_L1L2: 329 l1 = &(scontext->range.level[0]); 330 l2 = &(tcontext->range.level[0]); 331 goto mls_ops; 332 case CEXPR_L1H2: 333 l1 = &(scontext->range.level[0]); 334 l2 = &(tcontext->range.level[1]); 335 goto mls_ops; 336 case CEXPR_H1L2: 337 l1 = &(scontext->range.level[1]); 338 l2 = &(tcontext->range.level[0]); 339 goto mls_ops; 340 case CEXPR_H1H2: 341 l1 = &(scontext->range.level[1]); 342 l2 = &(tcontext->range.level[1]); 343 goto mls_ops; 344 case CEXPR_L1H1: 345 l1 = &(scontext->range.level[0]); 346 l2 = &(scontext->range.level[1]); 347 goto mls_ops; 348 case CEXPR_L2H2: 349 l1 = &(tcontext->range.level[0]); 350 l2 = &(tcontext->range.level[1]); 351 goto mls_ops; 352 mls_ops: 353 switch (e->op) { 354 case CEXPR_EQ: 355 s[++sp] = mls_level_eq(l1, l2); 356 continue; 357 case CEXPR_NEQ: 358 s[++sp] = !mls_level_eq(l1, l2); 359 continue; 360 case CEXPR_DOM: 361 s[++sp] = mls_level_dom(l1, l2); 362 continue; 363 case CEXPR_DOMBY: 364 s[++sp] = mls_level_dom(l2, l1); 365 continue; 366 case CEXPR_INCOMP: 367 s[++sp] = mls_level_incomp(l2, l1); 368 continue; 369 default: 370 BUG(); 371 return 0; 372 } 373 break; 374 default: 375 BUG(); 376 return 0; 377 } 378 379 switch (e->op) { 380 case CEXPR_EQ: 381 s[++sp] = (val1 == val2); 382 break; 383 case CEXPR_NEQ: 384 s[++sp] = (val1 != val2); 385 break; 386 default: 387 BUG(); 388 return 0; 389 } 390 break; 391 case CEXPR_NAMES: 392 if (sp == (CEXPR_MAXDEPTH-1)) 393 return 0; 394 c = scontext; 395 if (e->attr & CEXPR_TARGET) 396 c = tcontext; 397 else if (e->attr & CEXPR_XTARGET) { 398 c = xcontext; 399 if (!c) { 400 BUG(); 401 return 0; 402 } 403 } 404 if (e->attr & CEXPR_USER) 405 val1 = c->user; 406 else if (e->attr & CEXPR_ROLE) 407 val1 = c->role; 408 else if (e->attr & CEXPR_TYPE) 409 val1 = c->type; 410 else { 411 BUG(); 412 return 0; 413 } 414 415 switch (e->op) { 416 case CEXPR_EQ: 417 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 418 break; 419 case CEXPR_NEQ: 420 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 421 break; 422 default: 423 BUG(); 424 return 0; 425 } 426 break; 427 default: 428 BUG(); 429 return 0; 430 } 431 } 432 433 BUG_ON(sp != 0); 434 return s[0]; 435 } 436 437 /* 438 * security_dump_masked_av - dumps masked permissions during 439 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 440 */ 441 static int dump_masked_av_helper(void *k, void *d, void *args) 442 { 443 struct perm_datum *pdatum = d; 444 char **permission_names = args; 445 446 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 447 448 permission_names[pdatum->value - 1] = (char *)k; 449 450 return 0; 451 } 452 453 static void security_dump_masked_av(struct policydb *policydb, 454 struct context *scontext, 455 struct context *tcontext, 456 u16 tclass, 457 u32 permissions, 458 const char *reason) 459 { 460 struct common_datum *common_dat; 461 struct class_datum *tclass_dat; 462 struct audit_buffer *ab; 463 char *tclass_name; 464 char *scontext_name = NULL; 465 char *tcontext_name = NULL; 466 char *permission_names[32]; 467 int index; 468 u32 length; 469 bool need_comma = false; 470 471 if (!permissions) 472 return; 473 474 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); 475 tclass_dat = policydb->class_val_to_struct[tclass - 1]; 476 common_dat = tclass_dat->comdatum; 477 478 /* init permission_names */ 479 if (common_dat && 480 hashtab_map(common_dat->permissions.table, 481 dump_masked_av_helper, permission_names) < 0) 482 goto out; 483 484 if (hashtab_map(tclass_dat->permissions.table, 485 dump_masked_av_helper, permission_names) < 0) 486 goto out; 487 488 /* get scontext/tcontext in text form */ 489 if (context_struct_to_string(policydb, scontext, 490 &scontext_name, &length) < 0) 491 goto out; 492 493 if (context_struct_to_string(policydb, tcontext, 494 &tcontext_name, &length) < 0) 495 goto out; 496 497 /* audit a message */ 498 ab = audit_log_start(audit_context(), 499 GFP_ATOMIC, AUDIT_SELINUX_ERR); 500 if (!ab) 501 goto out; 502 503 audit_log_format(ab, "op=security_compute_av reason=%s " 504 "scontext=%s tcontext=%s tclass=%s perms=", 505 reason, scontext_name, tcontext_name, tclass_name); 506 507 for (index = 0; index < 32; index++) { 508 u32 mask = (1 << index); 509 510 if ((mask & permissions) == 0) 511 continue; 512 513 audit_log_format(ab, "%s%s", 514 need_comma ? "," : "", 515 permission_names[index] 516 ? permission_names[index] : "????"); 517 need_comma = true; 518 } 519 audit_log_end(ab); 520 out: 521 /* release scontext/tcontext */ 522 kfree(tcontext_name); 523 kfree(scontext_name); 524 525 return; 526 } 527 528 /* 529 * security_boundary_permission - drops violated permissions 530 * on boundary constraint. 531 */ 532 static void type_attribute_bounds_av(struct policydb *policydb, 533 struct context *scontext, 534 struct context *tcontext, 535 u16 tclass, 536 struct av_decision *avd) 537 { 538 struct context lo_scontext; 539 struct context lo_tcontext, *tcontextp = tcontext; 540 struct av_decision lo_avd; 541 struct type_datum *source; 542 struct type_datum *target; 543 u32 masked = 0; 544 545 source = policydb->type_val_to_struct[scontext->type - 1]; 546 BUG_ON(!source); 547 548 if (!source->bounds) 549 return; 550 551 target = policydb->type_val_to_struct[tcontext->type - 1]; 552 BUG_ON(!target); 553 554 memset(&lo_avd, 0, sizeof(lo_avd)); 555 556 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 557 lo_scontext.type = source->bounds; 558 559 if (target->bounds) { 560 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 561 lo_tcontext.type = target->bounds; 562 tcontextp = &lo_tcontext; 563 } 564 565 context_struct_compute_av(policydb, &lo_scontext, 566 tcontextp, 567 tclass, 568 &lo_avd, 569 NULL); 570 571 masked = ~lo_avd.allowed & avd->allowed; 572 573 if (likely(!masked)) 574 return; /* no masked permission */ 575 576 /* mask violated permissions */ 577 avd->allowed &= ~masked; 578 579 /* audit masked permissions */ 580 security_dump_masked_av(policydb, scontext, tcontext, 581 tclass, masked, "bounds"); 582 } 583 584 /* 585 * flag which drivers have permissions 586 * only looking for ioctl based extended permssions 587 */ 588 void services_compute_xperms_drivers( 589 struct extended_perms *xperms, 590 struct avtab_node *node) 591 { 592 unsigned int i; 593 594 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 595 /* if one or more driver has all permissions allowed */ 596 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++) 597 xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i]; 598 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 599 /* if allowing permissions within a driver */ 600 security_xperm_set(xperms->drivers.p, 601 node->datum.u.xperms->driver); 602 } 603 604 /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ 605 if (node->key.specified & AVTAB_XPERMS_ALLOWED) 606 xperms->len = 1; 607 } 608 609 /* 610 * Compute access vectors and extended permissions based on a context 611 * structure pair for the permissions in a particular class. 612 */ 613 static void context_struct_compute_av(struct policydb *policydb, 614 struct context *scontext, 615 struct context *tcontext, 616 u16 tclass, 617 struct av_decision *avd, 618 struct extended_perms *xperms) 619 { 620 struct constraint_node *constraint; 621 struct role_allow *ra; 622 struct avtab_key avkey; 623 struct avtab_node *node; 624 struct class_datum *tclass_datum; 625 struct ebitmap *sattr, *tattr; 626 struct ebitmap_node *snode, *tnode; 627 unsigned int i, j; 628 629 avd->allowed = 0; 630 avd->auditallow = 0; 631 avd->auditdeny = 0xffffffff; 632 if (xperms) { 633 memset(&xperms->drivers, 0, sizeof(xperms->drivers)); 634 xperms->len = 0; 635 } 636 637 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 638 if (printk_ratelimit()) 639 pr_warn("SELinux: Invalid class %hu\n", tclass); 640 return; 641 } 642 643 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 644 645 /* 646 * If a specific type enforcement rule was defined for 647 * this permission check, then use it. 648 */ 649 avkey.target_class = tclass; 650 avkey.specified = AVTAB_AV | AVTAB_XPERMS; 651 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 652 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 653 ebitmap_for_each_positive_bit(sattr, snode, i) { 654 ebitmap_for_each_positive_bit(tattr, tnode, j) { 655 avkey.source_type = i + 1; 656 avkey.target_type = j + 1; 657 for (node = avtab_search_node(&policydb->te_avtab, 658 &avkey); 659 node; 660 node = avtab_search_node_next(node, avkey.specified)) { 661 if (node->key.specified == AVTAB_ALLOWED) 662 avd->allowed |= node->datum.u.data; 663 else if (node->key.specified == AVTAB_AUDITALLOW) 664 avd->auditallow |= node->datum.u.data; 665 else if (node->key.specified == AVTAB_AUDITDENY) 666 avd->auditdeny &= node->datum.u.data; 667 else if (xperms && (node->key.specified & AVTAB_XPERMS)) 668 services_compute_xperms_drivers(xperms, node); 669 } 670 671 /* Check conditional av table for additional permissions */ 672 cond_compute_av(&policydb->te_cond_avtab, &avkey, 673 avd, xperms); 674 675 } 676 } 677 678 /* 679 * Remove any permissions prohibited by a constraint (this includes 680 * the MLS policy). 681 */ 682 constraint = tclass_datum->constraints; 683 while (constraint) { 684 if ((constraint->permissions & (avd->allowed)) && 685 !constraint_expr_eval(policydb, scontext, tcontext, NULL, 686 constraint->expr)) { 687 avd->allowed &= ~(constraint->permissions); 688 } 689 constraint = constraint->next; 690 } 691 692 /* 693 * If checking process transition permission and the 694 * role is changing, then check the (current_role, new_role) 695 * pair. 696 */ 697 if (tclass == policydb->process_class && 698 (avd->allowed & policydb->process_trans_perms) && 699 scontext->role != tcontext->role) { 700 for (ra = policydb->role_allow; ra; ra = ra->next) { 701 if (scontext->role == ra->role && 702 tcontext->role == ra->new_role) 703 break; 704 } 705 if (!ra) 706 avd->allowed &= ~policydb->process_trans_perms; 707 } 708 709 /* 710 * If the given source and target types have boundary 711 * constraint, lazy checks have to mask any violated 712 * permission and notice it to userspace via audit. 713 */ 714 type_attribute_bounds_av(policydb, scontext, tcontext, 715 tclass, avd); 716 } 717 718 static int security_validtrans_handle_fail(struct selinux_state *state, 719 struct context *ocontext, 720 struct context *ncontext, 721 struct context *tcontext, 722 u16 tclass) 723 { 724 struct policydb *p = &state->ss->policydb; 725 char *o = NULL, *n = NULL, *t = NULL; 726 u32 olen, nlen, tlen; 727 728 if (context_struct_to_string(p, ocontext, &o, &olen)) 729 goto out; 730 if (context_struct_to_string(p, ncontext, &n, &nlen)) 731 goto out; 732 if (context_struct_to_string(p, tcontext, &t, &tlen)) 733 goto out; 734 audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, 735 "op=security_validate_transition seresult=denied" 736 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 737 o, n, t, sym_name(p, SYM_CLASSES, tclass-1)); 738 out: 739 kfree(o); 740 kfree(n); 741 kfree(t); 742 743 if (!enforcing_enabled(state)) 744 return 0; 745 return -EPERM; 746 } 747 748 static int security_compute_validatetrans(struct selinux_state *state, 749 u32 oldsid, u32 newsid, u32 tasksid, 750 u16 orig_tclass, bool user) 751 { 752 struct policydb *policydb; 753 struct sidtab *sidtab; 754 struct context *ocontext; 755 struct context *ncontext; 756 struct context *tcontext; 757 struct class_datum *tclass_datum; 758 struct constraint_node *constraint; 759 u16 tclass; 760 int rc = 0; 761 762 763 if (!state->initialized) 764 return 0; 765 766 read_lock(&state->ss->policy_rwlock); 767 768 policydb = &state->ss->policydb; 769 sidtab = state->ss->sidtab; 770 771 if (!user) 772 tclass = unmap_class(&state->ss->map, orig_tclass); 773 else 774 tclass = orig_tclass; 775 776 if (!tclass || tclass > policydb->p_classes.nprim) { 777 rc = -EINVAL; 778 goto out; 779 } 780 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 781 782 ocontext = sidtab_search(sidtab, oldsid); 783 if (!ocontext) { 784 pr_err("SELinux: %s: unrecognized SID %d\n", 785 __func__, oldsid); 786 rc = -EINVAL; 787 goto out; 788 } 789 790 ncontext = sidtab_search(sidtab, newsid); 791 if (!ncontext) { 792 pr_err("SELinux: %s: unrecognized SID %d\n", 793 __func__, newsid); 794 rc = -EINVAL; 795 goto out; 796 } 797 798 tcontext = sidtab_search(sidtab, tasksid); 799 if (!tcontext) { 800 pr_err("SELinux: %s: unrecognized SID %d\n", 801 __func__, tasksid); 802 rc = -EINVAL; 803 goto out; 804 } 805 806 constraint = tclass_datum->validatetrans; 807 while (constraint) { 808 if (!constraint_expr_eval(policydb, ocontext, ncontext, 809 tcontext, constraint->expr)) { 810 if (user) 811 rc = -EPERM; 812 else 813 rc = security_validtrans_handle_fail(state, 814 ocontext, 815 ncontext, 816 tcontext, 817 tclass); 818 goto out; 819 } 820 constraint = constraint->next; 821 } 822 823 out: 824 read_unlock(&state->ss->policy_rwlock); 825 return rc; 826 } 827 828 int security_validate_transition_user(struct selinux_state *state, 829 u32 oldsid, u32 newsid, u32 tasksid, 830 u16 tclass) 831 { 832 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 833 tclass, true); 834 } 835 836 int security_validate_transition(struct selinux_state *state, 837 u32 oldsid, u32 newsid, u32 tasksid, 838 u16 orig_tclass) 839 { 840 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 841 orig_tclass, false); 842 } 843 844 /* 845 * security_bounded_transition - check whether the given 846 * transition is directed to bounded, or not. 847 * It returns 0, if @newsid is bounded by @oldsid. 848 * Otherwise, it returns error code. 849 * 850 * @oldsid : current security identifier 851 * @newsid : destinated security identifier 852 */ 853 int security_bounded_transition(struct selinux_state *state, 854 u32 old_sid, u32 new_sid) 855 { 856 struct policydb *policydb; 857 struct sidtab *sidtab; 858 struct context *old_context, *new_context; 859 struct type_datum *type; 860 int index; 861 int rc; 862 863 if (!state->initialized) 864 return 0; 865 866 read_lock(&state->ss->policy_rwlock); 867 868 policydb = &state->ss->policydb; 869 sidtab = state->ss->sidtab; 870 871 rc = -EINVAL; 872 old_context = sidtab_search(sidtab, old_sid); 873 if (!old_context) { 874 pr_err("SELinux: %s: unrecognized SID %u\n", 875 __func__, old_sid); 876 goto out; 877 } 878 879 rc = -EINVAL; 880 new_context = sidtab_search(sidtab, new_sid); 881 if (!new_context) { 882 pr_err("SELinux: %s: unrecognized SID %u\n", 883 __func__, new_sid); 884 goto out; 885 } 886 887 rc = 0; 888 /* type/domain unchanged */ 889 if (old_context->type == new_context->type) 890 goto out; 891 892 index = new_context->type; 893 while (true) { 894 type = policydb->type_val_to_struct[index - 1]; 895 BUG_ON(!type); 896 897 /* not bounded anymore */ 898 rc = -EPERM; 899 if (!type->bounds) 900 break; 901 902 /* @newsid is bounded by @oldsid */ 903 rc = 0; 904 if (type->bounds == old_context->type) 905 break; 906 907 index = type->bounds; 908 } 909 910 if (rc) { 911 char *old_name = NULL; 912 char *new_name = NULL; 913 u32 length; 914 915 if (!context_struct_to_string(policydb, old_context, 916 &old_name, &length) && 917 !context_struct_to_string(policydb, new_context, 918 &new_name, &length)) { 919 audit_log(audit_context(), 920 GFP_ATOMIC, AUDIT_SELINUX_ERR, 921 "op=security_bounded_transition " 922 "seresult=denied " 923 "oldcontext=%s newcontext=%s", 924 old_name, new_name); 925 } 926 kfree(new_name); 927 kfree(old_name); 928 } 929 out: 930 read_unlock(&state->ss->policy_rwlock); 931 932 return rc; 933 } 934 935 static void avd_init(struct selinux_state *state, struct av_decision *avd) 936 { 937 avd->allowed = 0; 938 avd->auditallow = 0; 939 avd->auditdeny = 0xffffffff; 940 avd->seqno = state->ss->latest_granting; 941 avd->flags = 0; 942 } 943 944 void services_compute_xperms_decision(struct extended_perms_decision *xpermd, 945 struct avtab_node *node) 946 { 947 unsigned int i; 948 949 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 950 if (xpermd->driver != node->datum.u.xperms->driver) 951 return; 952 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 953 if (!security_xperm_test(node->datum.u.xperms->perms.p, 954 xpermd->driver)) 955 return; 956 } else { 957 BUG(); 958 } 959 960 if (node->key.specified == AVTAB_XPERMS_ALLOWED) { 961 xpermd->used |= XPERMS_ALLOWED; 962 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 963 memset(xpermd->allowed->p, 0xff, 964 sizeof(xpermd->allowed->p)); 965 } 966 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 967 for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++) 968 xpermd->allowed->p[i] |= 969 node->datum.u.xperms->perms.p[i]; 970 } 971 } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) { 972 xpermd->used |= XPERMS_AUDITALLOW; 973 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 974 memset(xpermd->auditallow->p, 0xff, 975 sizeof(xpermd->auditallow->p)); 976 } 977 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 978 for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++) 979 xpermd->auditallow->p[i] |= 980 node->datum.u.xperms->perms.p[i]; 981 } 982 } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) { 983 xpermd->used |= XPERMS_DONTAUDIT; 984 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 985 memset(xpermd->dontaudit->p, 0xff, 986 sizeof(xpermd->dontaudit->p)); 987 } 988 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 989 for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++) 990 xpermd->dontaudit->p[i] |= 991 node->datum.u.xperms->perms.p[i]; 992 } 993 } else { 994 BUG(); 995 } 996 } 997 998 void security_compute_xperms_decision(struct selinux_state *state, 999 u32 ssid, 1000 u32 tsid, 1001 u16 orig_tclass, 1002 u8 driver, 1003 struct extended_perms_decision *xpermd) 1004 { 1005 struct policydb *policydb; 1006 struct sidtab *sidtab; 1007 u16 tclass; 1008 struct context *scontext, *tcontext; 1009 struct avtab_key avkey; 1010 struct avtab_node *node; 1011 struct ebitmap *sattr, *tattr; 1012 struct ebitmap_node *snode, *tnode; 1013 unsigned int i, j; 1014 1015 xpermd->driver = driver; 1016 xpermd->used = 0; 1017 memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p)); 1018 memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p)); 1019 memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p)); 1020 1021 read_lock(&state->ss->policy_rwlock); 1022 if (!state->initialized) 1023 goto allow; 1024 1025 policydb = &state->ss->policydb; 1026 sidtab = state->ss->sidtab; 1027 1028 scontext = sidtab_search(sidtab, ssid); 1029 if (!scontext) { 1030 pr_err("SELinux: %s: unrecognized SID %d\n", 1031 __func__, ssid); 1032 goto out; 1033 } 1034 1035 tcontext = sidtab_search(sidtab, tsid); 1036 if (!tcontext) { 1037 pr_err("SELinux: %s: unrecognized SID %d\n", 1038 __func__, tsid); 1039 goto out; 1040 } 1041 1042 tclass = unmap_class(&state->ss->map, orig_tclass); 1043 if (unlikely(orig_tclass && !tclass)) { 1044 if (policydb->allow_unknown) 1045 goto allow; 1046 goto out; 1047 } 1048 1049 1050 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 1051 pr_warn_ratelimited("SELinux: Invalid class %hu\n", tclass); 1052 goto out; 1053 } 1054 1055 avkey.target_class = tclass; 1056 avkey.specified = AVTAB_XPERMS; 1057 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 1058 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 1059 ebitmap_for_each_positive_bit(sattr, snode, i) { 1060 ebitmap_for_each_positive_bit(tattr, tnode, j) { 1061 avkey.source_type = i + 1; 1062 avkey.target_type = j + 1; 1063 for (node = avtab_search_node(&policydb->te_avtab, 1064 &avkey); 1065 node; 1066 node = avtab_search_node_next(node, avkey.specified)) 1067 services_compute_xperms_decision(xpermd, node); 1068 1069 cond_compute_xperms(&policydb->te_cond_avtab, 1070 &avkey, xpermd); 1071 } 1072 } 1073 out: 1074 read_unlock(&state->ss->policy_rwlock); 1075 return; 1076 allow: 1077 memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p)); 1078 goto out; 1079 } 1080 1081 /** 1082 * security_compute_av - Compute access vector decisions. 1083 * @ssid: source security identifier 1084 * @tsid: target security identifier 1085 * @tclass: target security class 1086 * @avd: access vector decisions 1087 * @xperms: extended permissions 1088 * 1089 * Compute a set of access vector decisions based on the 1090 * SID pair (@ssid, @tsid) for the permissions in @tclass. 1091 */ 1092 void security_compute_av(struct selinux_state *state, 1093 u32 ssid, 1094 u32 tsid, 1095 u16 orig_tclass, 1096 struct av_decision *avd, 1097 struct extended_perms *xperms) 1098 { 1099 struct policydb *policydb; 1100 struct sidtab *sidtab; 1101 u16 tclass; 1102 struct context *scontext = NULL, *tcontext = NULL; 1103 1104 read_lock(&state->ss->policy_rwlock); 1105 avd_init(state, avd); 1106 xperms->len = 0; 1107 if (!state->initialized) 1108 goto allow; 1109 1110 policydb = &state->ss->policydb; 1111 sidtab = state->ss->sidtab; 1112 1113 scontext = sidtab_search(sidtab, ssid); 1114 if (!scontext) { 1115 pr_err("SELinux: %s: unrecognized SID %d\n", 1116 __func__, ssid); 1117 goto out; 1118 } 1119 1120 /* permissive domain? */ 1121 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1122 avd->flags |= AVD_FLAGS_PERMISSIVE; 1123 1124 tcontext = sidtab_search(sidtab, tsid); 1125 if (!tcontext) { 1126 pr_err("SELinux: %s: unrecognized SID %d\n", 1127 __func__, tsid); 1128 goto out; 1129 } 1130 1131 tclass = unmap_class(&state->ss->map, orig_tclass); 1132 if (unlikely(orig_tclass && !tclass)) { 1133 if (policydb->allow_unknown) 1134 goto allow; 1135 goto out; 1136 } 1137 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1138 xperms); 1139 map_decision(&state->ss->map, orig_tclass, avd, 1140 policydb->allow_unknown); 1141 out: 1142 read_unlock(&state->ss->policy_rwlock); 1143 return; 1144 allow: 1145 avd->allowed = 0xffffffff; 1146 goto out; 1147 } 1148 1149 void security_compute_av_user(struct selinux_state *state, 1150 u32 ssid, 1151 u32 tsid, 1152 u16 tclass, 1153 struct av_decision *avd) 1154 { 1155 struct policydb *policydb; 1156 struct sidtab *sidtab; 1157 struct context *scontext = NULL, *tcontext = NULL; 1158 1159 read_lock(&state->ss->policy_rwlock); 1160 avd_init(state, avd); 1161 if (!state->initialized) 1162 goto allow; 1163 1164 policydb = &state->ss->policydb; 1165 sidtab = state->ss->sidtab; 1166 1167 scontext = sidtab_search(sidtab, ssid); 1168 if (!scontext) { 1169 pr_err("SELinux: %s: unrecognized SID %d\n", 1170 __func__, ssid); 1171 goto out; 1172 } 1173 1174 /* permissive domain? */ 1175 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1176 avd->flags |= AVD_FLAGS_PERMISSIVE; 1177 1178 tcontext = sidtab_search(sidtab, tsid); 1179 if (!tcontext) { 1180 pr_err("SELinux: %s: unrecognized SID %d\n", 1181 __func__, tsid); 1182 goto out; 1183 } 1184 1185 if (unlikely(!tclass)) { 1186 if (policydb->allow_unknown) 1187 goto allow; 1188 goto out; 1189 } 1190 1191 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1192 NULL); 1193 out: 1194 read_unlock(&state->ss->policy_rwlock); 1195 return; 1196 allow: 1197 avd->allowed = 0xffffffff; 1198 goto out; 1199 } 1200 1201 /* 1202 * Write the security context string representation of 1203 * the context structure `context' into a dynamically 1204 * allocated string of the correct size. Set `*scontext' 1205 * to point to this string and set `*scontext_len' to 1206 * the length of the string. 1207 */ 1208 static int context_struct_to_string(struct policydb *p, 1209 struct context *context, 1210 char **scontext, u32 *scontext_len) 1211 { 1212 char *scontextp; 1213 1214 if (scontext) 1215 *scontext = NULL; 1216 *scontext_len = 0; 1217 1218 if (context->len) { 1219 *scontext_len = context->len; 1220 if (scontext) { 1221 *scontext = kstrdup(context->str, GFP_ATOMIC); 1222 if (!(*scontext)) 1223 return -ENOMEM; 1224 } 1225 return 0; 1226 } 1227 1228 /* Compute the size of the context. */ 1229 *scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1; 1230 *scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1; 1231 *scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1; 1232 *scontext_len += mls_compute_context_len(p, context); 1233 1234 if (!scontext) 1235 return 0; 1236 1237 /* Allocate space for the context; caller must free this space. */ 1238 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1239 if (!scontextp) 1240 return -ENOMEM; 1241 *scontext = scontextp; 1242 1243 /* 1244 * Copy the user name, role name and type name into the context. 1245 */ 1246 scontextp += sprintf(scontextp, "%s:%s:%s", 1247 sym_name(p, SYM_USERS, context->user - 1), 1248 sym_name(p, SYM_ROLES, context->role - 1), 1249 sym_name(p, SYM_TYPES, context->type - 1)); 1250 1251 mls_sid_to_context(p, context, &scontextp); 1252 1253 *scontextp = 0; 1254 1255 return 0; 1256 } 1257 1258 #include "initial_sid_to_string.h" 1259 1260 const char *security_get_initial_sid_context(u32 sid) 1261 { 1262 if (unlikely(sid > SECINITSID_NUM)) 1263 return NULL; 1264 return initial_sid_to_string[sid]; 1265 } 1266 1267 static int security_sid_to_context_core(struct selinux_state *state, 1268 u32 sid, char **scontext, 1269 u32 *scontext_len, int force, 1270 int only_invalid) 1271 { 1272 struct policydb *policydb; 1273 struct sidtab *sidtab; 1274 struct context *context; 1275 int rc = 0; 1276 1277 if (scontext) 1278 *scontext = NULL; 1279 *scontext_len = 0; 1280 1281 if (!state->initialized) { 1282 if (sid <= SECINITSID_NUM) { 1283 char *scontextp; 1284 1285 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 1286 if (!scontext) 1287 goto out; 1288 scontextp = kmemdup(initial_sid_to_string[sid], 1289 *scontext_len, GFP_ATOMIC); 1290 if (!scontextp) { 1291 rc = -ENOMEM; 1292 goto out; 1293 } 1294 *scontext = scontextp; 1295 goto out; 1296 } 1297 pr_err("SELinux: %s: called before initial " 1298 "load_policy on unknown SID %d\n", __func__, sid); 1299 rc = -EINVAL; 1300 goto out; 1301 } 1302 read_lock(&state->ss->policy_rwlock); 1303 policydb = &state->ss->policydb; 1304 sidtab = state->ss->sidtab; 1305 if (force) 1306 context = sidtab_search_force(sidtab, sid); 1307 else 1308 context = sidtab_search(sidtab, sid); 1309 if (!context) { 1310 pr_err("SELinux: %s: unrecognized SID %d\n", 1311 __func__, sid); 1312 rc = -EINVAL; 1313 goto out_unlock; 1314 } 1315 if (only_invalid && !context->len) 1316 rc = 0; 1317 else 1318 rc = context_struct_to_string(policydb, context, scontext, 1319 scontext_len); 1320 out_unlock: 1321 read_unlock(&state->ss->policy_rwlock); 1322 out: 1323 return rc; 1324 1325 } 1326 1327 /** 1328 * security_sid_to_context - Obtain a context for a given SID. 1329 * @sid: security identifier, SID 1330 * @scontext: security context 1331 * @scontext_len: length in bytes 1332 * 1333 * Write the string representation of the context associated with @sid 1334 * into a dynamically allocated string of the correct size. Set @scontext 1335 * to point to this string and set @scontext_len to the length of the string. 1336 */ 1337 int security_sid_to_context(struct selinux_state *state, 1338 u32 sid, char **scontext, u32 *scontext_len) 1339 { 1340 return security_sid_to_context_core(state, sid, scontext, 1341 scontext_len, 0, 0); 1342 } 1343 1344 int security_sid_to_context_force(struct selinux_state *state, u32 sid, 1345 char **scontext, u32 *scontext_len) 1346 { 1347 return security_sid_to_context_core(state, sid, scontext, 1348 scontext_len, 1, 0); 1349 } 1350 1351 /** 1352 * security_sid_to_context_inval - Obtain a context for a given SID if it 1353 * is invalid. 1354 * @sid: security identifier, SID 1355 * @scontext: security context 1356 * @scontext_len: length in bytes 1357 * 1358 * Write the string representation of the context associated with @sid 1359 * into a dynamically allocated string of the correct size, but only if the 1360 * context is invalid in the current policy. Set @scontext to point to 1361 * this string (or NULL if the context is valid) and set @scontext_len to 1362 * the length of the string (or 0 if the context is valid). 1363 */ 1364 int security_sid_to_context_inval(struct selinux_state *state, u32 sid, 1365 char **scontext, u32 *scontext_len) 1366 { 1367 return security_sid_to_context_core(state, sid, scontext, 1368 scontext_len, 1, 1); 1369 } 1370 1371 /* 1372 * Caveat: Mutates scontext. 1373 */ 1374 static int string_to_context_struct(struct policydb *pol, 1375 struct sidtab *sidtabp, 1376 char *scontext, 1377 struct context *ctx, 1378 u32 def_sid) 1379 { 1380 struct role_datum *role; 1381 struct type_datum *typdatum; 1382 struct user_datum *usrdatum; 1383 char *scontextp, *p, oldc; 1384 int rc = 0; 1385 1386 context_init(ctx); 1387 1388 /* Parse the security context. */ 1389 1390 rc = -EINVAL; 1391 scontextp = (char *) scontext; 1392 1393 /* Extract the user. */ 1394 p = scontextp; 1395 while (*p && *p != ':') 1396 p++; 1397 1398 if (*p == 0) 1399 goto out; 1400 1401 *p++ = 0; 1402 1403 usrdatum = hashtab_search(pol->p_users.table, scontextp); 1404 if (!usrdatum) 1405 goto out; 1406 1407 ctx->user = usrdatum->value; 1408 1409 /* Extract role. */ 1410 scontextp = p; 1411 while (*p && *p != ':') 1412 p++; 1413 1414 if (*p == 0) 1415 goto out; 1416 1417 *p++ = 0; 1418 1419 role = hashtab_search(pol->p_roles.table, scontextp); 1420 if (!role) 1421 goto out; 1422 ctx->role = role->value; 1423 1424 /* Extract type. */ 1425 scontextp = p; 1426 while (*p && *p != ':') 1427 p++; 1428 oldc = *p; 1429 *p++ = 0; 1430 1431 typdatum = hashtab_search(pol->p_types.table, scontextp); 1432 if (!typdatum || typdatum->attribute) 1433 goto out; 1434 1435 ctx->type = typdatum->value; 1436 1437 rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); 1438 if (rc) 1439 goto out; 1440 1441 /* Check the validity of the new context. */ 1442 rc = -EINVAL; 1443 if (!policydb_context_isvalid(pol, ctx)) 1444 goto out; 1445 rc = 0; 1446 out: 1447 if (rc) 1448 context_destroy(ctx); 1449 return rc; 1450 } 1451 1452 static int security_context_to_sid_core(struct selinux_state *state, 1453 const char *scontext, u32 scontext_len, 1454 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1455 int force) 1456 { 1457 struct policydb *policydb; 1458 struct sidtab *sidtab; 1459 char *scontext2, *str = NULL; 1460 struct context context; 1461 int rc = 0; 1462 1463 /* An empty security context is never valid. */ 1464 if (!scontext_len) 1465 return -EINVAL; 1466 1467 /* Copy the string to allow changes and ensure a NUL terminator */ 1468 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); 1469 if (!scontext2) 1470 return -ENOMEM; 1471 1472 if (!state->initialized) { 1473 int i; 1474 1475 for (i = 1; i < SECINITSID_NUM; i++) { 1476 if (!strcmp(initial_sid_to_string[i], scontext2)) { 1477 *sid = i; 1478 goto out; 1479 } 1480 } 1481 *sid = SECINITSID_KERNEL; 1482 goto out; 1483 } 1484 *sid = SECSID_NULL; 1485 1486 if (force) { 1487 /* Save another copy for storing in uninterpreted form */ 1488 rc = -ENOMEM; 1489 str = kstrdup(scontext2, gfp_flags); 1490 if (!str) 1491 goto out; 1492 } 1493 read_lock(&state->ss->policy_rwlock); 1494 policydb = &state->ss->policydb; 1495 sidtab = state->ss->sidtab; 1496 rc = string_to_context_struct(policydb, sidtab, scontext2, 1497 &context, def_sid); 1498 if (rc == -EINVAL && force) { 1499 context.str = str; 1500 context.len = strlen(str) + 1; 1501 str = NULL; 1502 } else if (rc) 1503 goto out_unlock; 1504 rc = sidtab_context_to_sid(sidtab, &context, sid); 1505 context_destroy(&context); 1506 out_unlock: 1507 read_unlock(&state->ss->policy_rwlock); 1508 out: 1509 kfree(scontext2); 1510 kfree(str); 1511 return rc; 1512 } 1513 1514 /** 1515 * security_context_to_sid - Obtain a SID for a given security context. 1516 * @scontext: security context 1517 * @scontext_len: length in bytes 1518 * @sid: security identifier, SID 1519 * @gfp: context for the allocation 1520 * 1521 * Obtains a SID associated with the security context that 1522 * has the string representation specified by @scontext. 1523 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1524 * memory is available, or 0 on success. 1525 */ 1526 int security_context_to_sid(struct selinux_state *state, 1527 const char *scontext, u32 scontext_len, u32 *sid, 1528 gfp_t gfp) 1529 { 1530 return security_context_to_sid_core(state, scontext, scontext_len, 1531 sid, SECSID_NULL, gfp, 0); 1532 } 1533 1534 int security_context_str_to_sid(struct selinux_state *state, 1535 const char *scontext, u32 *sid, gfp_t gfp) 1536 { 1537 return security_context_to_sid(state, scontext, strlen(scontext), 1538 sid, gfp); 1539 } 1540 1541 /** 1542 * security_context_to_sid_default - Obtain a SID for a given security context, 1543 * falling back to specified default if needed. 1544 * 1545 * @scontext: security context 1546 * @scontext_len: length in bytes 1547 * @sid: security identifier, SID 1548 * @def_sid: default SID to assign on error 1549 * 1550 * Obtains a SID associated with the security context that 1551 * has the string representation specified by @scontext. 1552 * The default SID is passed to the MLS layer to be used to allow 1553 * kernel labeling of the MLS field if the MLS field is not present 1554 * (for upgrading to MLS without full relabel). 1555 * Implicitly forces adding of the context even if it cannot be mapped yet. 1556 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1557 * memory is available, or 0 on success. 1558 */ 1559 int security_context_to_sid_default(struct selinux_state *state, 1560 const char *scontext, u32 scontext_len, 1561 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1562 { 1563 return security_context_to_sid_core(state, scontext, scontext_len, 1564 sid, def_sid, gfp_flags, 1); 1565 } 1566 1567 int security_context_to_sid_force(struct selinux_state *state, 1568 const char *scontext, u32 scontext_len, 1569 u32 *sid) 1570 { 1571 return security_context_to_sid_core(state, scontext, scontext_len, 1572 sid, SECSID_NULL, GFP_KERNEL, 1); 1573 } 1574 1575 static int compute_sid_handle_invalid_context( 1576 struct selinux_state *state, 1577 struct context *scontext, 1578 struct context *tcontext, 1579 u16 tclass, 1580 struct context *newcontext) 1581 { 1582 struct policydb *policydb = &state->ss->policydb; 1583 char *s = NULL, *t = NULL, *n = NULL; 1584 u32 slen, tlen, nlen; 1585 struct audit_buffer *ab; 1586 1587 if (context_struct_to_string(policydb, scontext, &s, &slen)) 1588 goto out; 1589 if (context_struct_to_string(policydb, tcontext, &t, &tlen)) 1590 goto out; 1591 if (context_struct_to_string(policydb, newcontext, &n, &nlen)) 1592 goto out; 1593 ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR); 1594 audit_log_format(ab, 1595 "op=security_compute_sid invalid_context="); 1596 /* no need to record the NUL with untrusted strings */ 1597 audit_log_n_untrustedstring(ab, n, nlen - 1); 1598 audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s", 1599 s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); 1600 audit_log_end(ab); 1601 out: 1602 kfree(s); 1603 kfree(t); 1604 kfree(n); 1605 if (!enforcing_enabled(state)) 1606 return 0; 1607 return -EACCES; 1608 } 1609 1610 static void filename_compute_type(struct policydb *policydb, 1611 struct context *newcontext, 1612 u32 stype, u32 ttype, u16 tclass, 1613 const char *objname) 1614 { 1615 struct filename_trans ft; 1616 struct filename_trans_datum *otype; 1617 1618 /* 1619 * Most filename trans rules are going to live in specific directories 1620 * like /dev or /var/run. This bitmap will quickly skip rule searches 1621 * if the ttype does not contain any rules. 1622 */ 1623 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) 1624 return; 1625 1626 ft.stype = stype; 1627 ft.ttype = ttype; 1628 ft.tclass = tclass; 1629 ft.name = objname; 1630 1631 otype = hashtab_search(policydb->filename_trans, &ft); 1632 if (otype) 1633 newcontext->type = otype->otype; 1634 } 1635 1636 static int security_compute_sid(struct selinux_state *state, 1637 u32 ssid, 1638 u32 tsid, 1639 u16 orig_tclass, 1640 u32 specified, 1641 const char *objname, 1642 u32 *out_sid, 1643 bool kern) 1644 { 1645 struct policydb *policydb; 1646 struct sidtab *sidtab; 1647 struct class_datum *cladatum = NULL; 1648 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1649 struct role_trans *roletr = NULL; 1650 struct avtab_key avkey; 1651 struct avtab_datum *avdatum; 1652 struct avtab_node *node; 1653 u16 tclass; 1654 int rc = 0; 1655 bool sock; 1656 1657 if (!state->initialized) { 1658 switch (orig_tclass) { 1659 case SECCLASS_PROCESS: /* kernel value */ 1660 *out_sid = ssid; 1661 break; 1662 default: 1663 *out_sid = tsid; 1664 break; 1665 } 1666 goto out; 1667 } 1668 1669 context_init(&newcontext); 1670 1671 read_lock(&state->ss->policy_rwlock); 1672 1673 if (kern) { 1674 tclass = unmap_class(&state->ss->map, orig_tclass); 1675 sock = security_is_socket_class(orig_tclass); 1676 } else { 1677 tclass = orig_tclass; 1678 sock = security_is_socket_class(map_class(&state->ss->map, 1679 tclass)); 1680 } 1681 1682 policydb = &state->ss->policydb; 1683 sidtab = state->ss->sidtab; 1684 1685 scontext = sidtab_search(sidtab, ssid); 1686 if (!scontext) { 1687 pr_err("SELinux: %s: unrecognized SID %d\n", 1688 __func__, ssid); 1689 rc = -EINVAL; 1690 goto out_unlock; 1691 } 1692 tcontext = sidtab_search(sidtab, tsid); 1693 if (!tcontext) { 1694 pr_err("SELinux: %s: unrecognized SID %d\n", 1695 __func__, tsid); 1696 rc = -EINVAL; 1697 goto out_unlock; 1698 } 1699 1700 if (tclass && tclass <= policydb->p_classes.nprim) 1701 cladatum = policydb->class_val_to_struct[tclass - 1]; 1702 1703 /* Set the user identity. */ 1704 switch (specified) { 1705 case AVTAB_TRANSITION: 1706 case AVTAB_CHANGE: 1707 if (cladatum && cladatum->default_user == DEFAULT_TARGET) { 1708 newcontext.user = tcontext->user; 1709 } else { 1710 /* notice this gets both DEFAULT_SOURCE and unset */ 1711 /* Use the process user identity. */ 1712 newcontext.user = scontext->user; 1713 } 1714 break; 1715 case AVTAB_MEMBER: 1716 /* Use the related object owner. */ 1717 newcontext.user = tcontext->user; 1718 break; 1719 } 1720 1721 /* Set the role to default values. */ 1722 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { 1723 newcontext.role = scontext->role; 1724 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { 1725 newcontext.role = tcontext->role; 1726 } else { 1727 if ((tclass == policydb->process_class) || (sock == true)) 1728 newcontext.role = scontext->role; 1729 else 1730 newcontext.role = OBJECT_R_VAL; 1731 } 1732 1733 /* Set the type to default values. */ 1734 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { 1735 newcontext.type = scontext->type; 1736 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { 1737 newcontext.type = tcontext->type; 1738 } else { 1739 if ((tclass == policydb->process_class) || (sock == true)) { 1740 /* Use the type of process. */ 1741 newcontext.type = scontext->type; 1742 } else { 1743 /* Use the type of the related object. */ 1744 newcontext.type = tcontext->type; 1745 } 1746 } 1747 1748 /* Look for a type transition/member/change rule. */ 1749 avkey.source_type = scontext->type; 1750 avkey.target_type = tcontext->type; 1751 avkey.target_class = tclass; 1752 avkey.specified = specified; 1753 avdatum = avtab_search(&policydb->te_avtab, &avkey); 1754 1755 /* If no permanent rule, also check for enabled conditional rules */ 1756 if (!avdatum) { 1757 node = avtab_search_node(&policydb->te_cond_avtab, &avkey); 1758 for (; node; node = avtab_search_node_next(node, specified)) { 1759 if (node->key.specified & AVTAB_ENABLED) { 1760 avdatum = &node->datum; 1761 break; 1762 } 1763 } 1764 } 1765 1766 if (avdatum) { 1767 /* Use the type from the type transition/member/change rule. */ 1768 newcontext.type = avdatum->u.data; 1769 } 1770 1771 /* if we have a objname this is a file trans check so check those rules */ 1772 if (objname) 1773 filename_compute_type(policydb, &newcontext, scontext->type, 1774 tcontext->type, tclass, objname); 1775 1776 /* Check for class-specific changes. */ 1777 if (specified & AVTAB_TRANSITION) { 1778 /* Look for a role transition rule. */ 1779 for (roletr = policydb->role_tr; roletr; 1780 roletr = roletr->next) { 1781 if ((roletr->role == scontext->role) && 1782 (roletr->type == tcontext->type) && 1783 (roletr->tclass == tclass)) { 1784 /* Use the role transition rule. */ 1785 newcontext.role = roletr->new_role; 1786 break; 1787 } 1788 } 1789 } 1790 1791 /* Set the MLS attributes. 1792 This is done last because it may allocate memory. */ 1793 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, 1794 &newcontext, sock); 1795 if (rc) 1796 goto out_unlock; 1797 1798 /* Check the validity of the context. */ 1799 if (!policydb_context_isvalid(policydb, &newcontext)) { 1800 rc = compute_sid_handle_invalid_context(state, scontext, 1801 tcontext, 1802 tclass, 1803 &newcontext); 1804 if (rc) 1805 goto out_unlock; 1806 } 1807 /* Obtain the sid for the context. */ 1808 rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid); 1809 out_unlock: 1810 read_unlock(&state->ss->policy_rwlock); 1811 context_destroy(&newcontext); 1812 out: 1813 return rc; 1814 } 1815 1816 /** 1817 * security_transition_sid - Compute the SID for a new subject/object. 1818 * @ssid: source security identifier 1819 * @tsid: target security identifier 1820 * @tclass: target security class 1821 * @out_sid: security identifier for new subject/object 1822 * 1823 * Compute a SID to use for labeling a new subject or object in the 1824 * class @tclass based on a SID pair (@ssid, @tsid). 1825 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1826 * if insufficient memory is available, or %0 if the new SID was 1827 * computed successfully. 1828 */ 1829 int security_transition_sid(struct selinux_state *state, 1830 u32 ssid, u32 tsid, u16 tclass, 1831 const struct qstr *qstr, u32 *out_sid) 1832 { 1833 return security_compute_sid(state, ssid, tsid, tclass, 1834 AVTAB_TRANSITION, 1835 qstr ? qstr->name : NULL, out_sid, true); 1836 } 1837 1838 int security_transition_sid_user(struct selinux_state *state, 1839 u32 ssid, u32 tsid, u16 tclass, 1840 const char *objname, u32 *out_sid) 1841 { 1842 return security_compute_sid(state, ssid, tsid, tclass, 1843 AVTAB_TRANSITION, 1844 objname, out_sid, false); 1845 } 1846 1847 /** 1848 * security_member_sid - Compute the SID for member selection. 1849 * @ssid: source security identifier 1850 * @tsid: target security identifier 1851 * @tclass: target security class 1852 * @out_sid: security identifier for selected member 1853 * 1854 * Compute a SID to use when selecting a member of a polyinstantiated 1855 * object of class @tclass based on a SID pair (@ssid, @tsid). 1856 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1857 * if insufficient memory is available, or %0 if the SID was 1858 * computed successfully. 1859 */ 1860 int security_member_sid(struct selinux_state *state, 1861 u32 ssid, 1862 u32 tsid, 1863 u16 tclass, 1864 u32 *out_sid) 1865 { 1866 return security_compute_sid(state, ssid, tsid, tclass, 1867 AVTAB_MEMBER, NULL, 1868 out_sid, false); 1869 } 1870 1871 /** 1872 * security_change_sid - Compute the SID for object relabeling. 1873 * @ssid: source security identifier 1874 * @tsid: target security identifier 1875 * @tclass: target security class 1876 * @out_sid: security identifier for selected member 1877 * 1878 * Compute a SID to use for relabeling an object of class @tclass 1879 * based on a SID pair (@ssid, @tsid). 1880 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1881 * if insufficient memory is available, or %0 if the SID was 1882 * computed successfully. 1883 */ 1884 int security_change_sid(struct selinux_state *state, 1885 u32 ssid, 1886 u32 tsid, 1887 u16 tclass, 1888 u32 *out_sid) 1889 { 1890 return security_compute_sid(state, 1891 ssid, tsid, tclass, AVTAB_CHANGE, NULL, 1892 out_sid, false); 1893 } 1894 1895 static inline int convert_context_handle_invalid_context( 1896 struct selinux_state *state, 1897 struct context *context) 1898 { 1899 struct policydb *policydb = &state->ss->policydb; 1900 char *s; 1901 u32 len; 1902 1903 if (enforcing_enabled(state)) 1904 return -EINVAL; 1905 1906 if (!context_struct_to_string(policydb, context, &s, &len)) { 1907 pr_warn("SELinux: Context %s would be invalid if enforcing\n", 1908 s); 1909 kfree(s); 1910 } 1911 return 0; 1912 } 1913 1914 struct convert_context_args { 1915 struct selinux_state *state; 1916 struct policydb *oldp; 1917 struct policydb *newp; 1918 }; 1919 1920 /* 1921 * Convert the values in the security context 1922 * structure `oldc' from the values specified 1923 * in the policy `p->oldp' to the values specified 1924 * in the policy `p->newp', storing the new context 1925 * in `newc'. Verify that the context is valid 1926 * under the new policy. 1927 */ 1928 static int convert_context(struct context *oldc, struct context *newc, void *p) 1929 { 1930 struct convert_context_args *args; 1931 struct ocontext *oc; 1932 struct role_datum *role; 1933 struct type_datum *typdatum; 1934 struct user_datum *usrdatum; 1935 char *s; 1936 u32 len; 1937 int rc; 1938 1939 args = p; 1940 1941 if (oldc->str) { 1942 s = kstrdup(oldc->str, GFP_KERNEL); 1943 if (!s) 1944 return -ENOMEM; 1945 1946 rc = string_to_context_struct(args->newp, NULL, s, 1947 newc, SECSID_NULL); 1948 if (rc == -EINVAL) { 1949 /* 1950 * Retain string representation for later mapping. 1951 * 1952 * IMPORTANT: We need to copy the contents of oldc->str 1953 * back into s again because string_to_context_struct() 1954 * may have garbled it. 1955 */ 1956 memcpy(s, oldc->str, oldc->len); 1957 context_init(newc); 1958 newc->str = s; 1959 newc->len = oldc->len; 1960 return 0; 1961 } 1962 kfree(s); 1963 if (rc) { 1964 /* Other error condition, e.g. ENOMEM. */ 1965 pr_err("SELinux: Unable to map context %s, rc = %d.\n", 1966 oldc->str, -rc); 1967 return rc; 1968 } 1969 pr_info("SELinux: Context %s became valid (mapped).\n", 1970 oldc->str); 1971 return 0; 1972 } 1973 1974 context_init(newc); 1975 1976 /* Convert the user. */ 1977 rc = -EINVAL; 1978 usrdatum = hashtab_search(args->newp->p_users.table, 1979 sym_name(args->oldp, 1980 SYM_USERS, oldc->user - 1)); 1981 if (!usrdatum) 1982 goto bad; 1983 newc->user = usrdatum->value; 1984 1985 /* Convert the role. */ 1986 rc = -EINVAL; 1987 role = hashtab_search(args->newp->p_roles.table, 1988 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); 1989 if (!role) 1990 goto bad; 1991 newc->role = role->value; 1992 1993 /* Convert the type. */ 1994 rc = -EINVAL; 1995 typdatum = hashtab_search(args->newp->p_types.table, 1996 sym_name(args->oldp, 1997 SYM_TYPES, oldc->type - 1)); 1998 if (!typdatum) 1999 goto bad; 2000 newc->type = typdatum->value; 2001 2002 /* Convert the MLS fields if dealing with MLS policies */ 2003 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2004 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2005 if (rc) 2006 goto bad; 2007 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { 2008 /* 2009 * Switching between non-MLS and MLS policy: 2010 * ensure that the MLS fields of the context for all 2011 * existing entries in the sidtab are filled in with a 2012 * suitable default value, likely taken from one of the 2013 * initial SIDs. 2014 */ 2015 oc = args->newp->ocontexts[OCON_ISID]; 2016 while (oc && oc->sid[0] != SECINITSID_UNLABELED) 2017 oc = oc->next; 2018 rc = -EINVAL; 2019 if (!oc) { 2020 pr_err("SELinux: unable to look up" 2021 " the initial SIDs list\n"); 2022 goto bad; 2023 } 2024 rc = mls_range_set(newc, &oc->context[0].range); 2025 if (rc) 2026 goto bad; 2027 } 2028 2029 /* Check the validity of the new context. */ 2030 if (!policydb_context_isvalid(args->newp, newc)) { 2031 rc = convert_context_handle_invalid_context(args->state, oldc); 2032 if (rc) 2033 goto bad; 2034 } 2035 2036 return 0; 2037 bad: 2038 /* Map old representation to string and save it. */ 2039 rc = context_struct_to_string(args->oldp, oldc, &s, &len); 2040 if (rc) 2041 return rc; 2042 context_destroy(newc); 2043 newc->str = s; 2044 newc->len = len; 2045 pr_info("SELinux: Context %s became invalid (unmapped).\n", 2046 newc->str); 2047 return 0; 2048 } 2049 2050 static void security_load_policycaps(struct selinux_state *state) 2051 { 2052 struct policydb *p = &state->ss->policydb; 2053 unsigned int i; 2054 struct ebitmap_node *node; 2055 2056 for (i = 0; i < ARRAY_SIZE(state->policycap); i++) 2057 state->policycap[i] = ebitmap_get_bit(&p->policycaps, i); 2058 2059 for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) 2060 pr_info("SELinux: policy capability %s=%d\n", 2061 selinux_policycap_names[i], 2062 ebitmap_get_bit(&p->policycaps, i)); 2063 2064 ebitmap_for_each_positive_bit(&p->policycaps, node, i) { 2065 if (i >= ARRAY_SIZE(selinux_policycap_names)) 2066 pr_info("SELinux: unknown policy capability %u\n", 2067 i); 2068 } 2069 } 2070 2071 static int security_preserve_bools(struct selinux_state *state, 2072 struct policydb *newpolicydb); 2073 2074 /** 2075 * security_load_policy - Load a security policy configuration. 2076 * @data: binary policy data 2077 * @len: length of data in bytes 2078 * 2079 * Load a new set of security policy configuration data, 2080 * validate it and convert the SID table as necessary. 2081 * This function will flush the access vector cache after 2082 * loading the new policy. 2083 */ 2084 int security_load_policy(struct selinux_state *state, void *data, size_t len) 2085 { 2086 struct policydb *policydb; 2087 struct sidtab *oldsidtab, *newsidtab; 2088 struct policydb *oldpolicydb, *newpolicydb; 2089 struct selinux_mapping *oldmapping; 2090 struct selinux_map newmap; 2091 struct sidtab_convert_params convert_params; 2092 struct convert_context_args args; 2093 u32 seqno; 2094 int rc = 0; 2095 struct policy_file file = { data, len }, *fp = &file; 2096 2097 oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL); 2098 if (!oldpolicydb) { 2099 rc = -ENOMEM; 2100 goto out; 2101 } 2102 newpolicydb = oldpolicydb + 1; 2103 2104 policydb = &state->ss->policydb; 2105 2106 newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL); 2107 if (!newsidtab) { 2108 rc = -ENOMEM; 2109 goto out; 2110 } 2111 2112 if (!state->initialized) { 2113 rc = policydb_read(policydb, fp); 2114 if (rc) { 2115 kfree(newsidtab); 2116 goto out; 2117 } 2118 2119 policydb->len = len; 2120 rc = selinux_set_mapping(policydb, secclass_map, 2121 &state->ss->map); 2122 if (rc) { 2123 kfree(newsidtab); 2124 policydb_destroy(policydb); 2125 goto out; 2126 } 2127 2128 rc = policydb_load_isids(policydb, newsidtab); 2129 if (rc) { 2130 kfree(newsidtab); 2131 policydb_destroy(policydb); 2132 goto out; 2133 } 2134 2135 state->ss->sidtab = newsidtab; 2136 security_load_policycaps(state); 2137 state->initialized = 1; 2138 seqno = ++state->ss->latest_granting; 2139 selinux_complete_init(); 2140 avc_ss_reset(state->avc, seqno); 2141 selnl_notify_policyload(seqno); 2142 selinux_status_update_policyload(state, seqno); 2143 selinux_netlbl_cache_invalidate(); 2144 selinux_xfrm_notify_policyload(); 2145 goto out; 2146 } 2147 2148 rc = policydb_read(newpolicydb, fp); 2149 if (rc) { 2150 kfree(newsidtab); 2151 goto out; 2152 } 2153 2154 newpolicydb->len = len; 2155 /* If switching between different policy types, log MLS status */ 2156 if (policydb->mls_enabled && !newpolicydb->mls_enabled) 2157 pr_info("SELinux: Disabling MLS support...\n"); 2158 else if (!policydb->mls_enabled && newpolicydb->mls_enabled) 2159 pr_info("SELinux: Enabling MLS support...\n"); 2160 2161 rc = policydb_load_isids(newpolicydb, newsidtab); 2162 if (rc) { 2163 pr_err("SELinux: unable to load the initial SIDs\n"); 2164 policydb_destroy(newpolicydb); 2165 kfree(newsidtab); 2166 goto out; 2167 } 2168 2169 rc = selinux_set_mapping(newpolicydb, secclass_map, &newmap); 2170 if (rc) 2171 goto err; 2172 2173 rc = security_preserve_bools(state, newpolicydb); 2174 if (rc) { 2175 pr_err("SELinux: unable to preserve booleans\n"); 2176 goto err; 2177 } 2178 2179 oldsidtab = state->ss->sidtab; 2180 2181 /* 2182 * Convert the internal representations of contexts 2183 * in the new SID table. 2184 */ 2185 args.state = state; 2186 args.oldp = policydb; 2187 args.newp = newpolicydb; 2188 2189 convert_params.func = convert_context; 2190 convert_params.args = &args; 2191 convert_params.target = newsidtab; 2192 2193 rc = sidtab_convert(oldsidtab, &convert_params); 2194 if (rc) { 2195 pr_err("SELinux: unable to convert the internal" 2196 " representation of contexts in the new SID" 2197 " table\n"); 2198 goto err; 2199 } 2200 2201 /* Save the old policydb and SID table to free later. */ 2202 memcpy(oldpolicydb, policydb, sizeof(*policydb)); 2203 2204 /* Install the new policydb and SID table. */ 2205 write_lock_irq(&state->ss->policy_rwlock); 2206 memcpy(policydb, newpolicydb, sizeof(*policydb)); 2207 state->ss->sidtab = newsidtab; 2208 security_load_policycaps(state); 2209 oldmapping = state->ss->map.mapping; 2210 state->ss->map.mapping = newmap.mapping; 2211 state->ss->map.size = newmap.size; 2212 seqno = ++state->ss->latest_granting; 2213 write_unlock_irq(&state->ss->policy_rwlock); 2214 2215 /* Free the old policydb and SID table. */ 2216 policydb_destroy(oldpolicydb); 2217 sidtab_destroy(oldsidtab); 2218 kfree(oldsidtab); 2219 kfree(oldmapping); 2220 2221 avc_ss_reset(state->avc, seqno); 2222 selnl_notify_policyload(seqno); 2223 selinux_status_update_policyload(state, seqno); 2224 selinux_netlbl_cache_invalidate(); 2225 selinux_xfrm_notify_policyload(); 2226 2227 rc = 0; 2228 goto out; 2229 2230 err: 2231 kfree(newmap.mapping); 2232 sidtab_destroy(newsidtab); 2233 kfree(newsidtab); 2234 policydb_destroy(newpolicydb); 2235 2236 out: 2237 kfree(oldpolicydb); 2238 return rc; 2239 } 2240 2241 size_t security_policydb_len(struct selinux_state *state) 2242 { 2243 struct policydb *p = &state->ss->policydb; 2244 size_t len; 2245 2246 read_lock(&state->ss->policy_rwlock); 2247 len = p->len; 2248 read_unlock(&state->ss->policy_rwlock); 2249 2250 return len; 2251 } 2252 2253 /** 2254 * security_port_sid - Obtain the SID for a port. 2255 * @protocol: protocol number 2256 * @port: port number 2257 * @out_sid: security identifier 2258 */ 2259 int security_port_sid(struct selinux_state *state, 2260 u8 protocol, u16 port, u32 *out_sid) 2261 { 2262 struct policydb *policydb; 2263 struct sidtab *sidtab; 2264 struct ocontext *c; 2265 int rc = 0; 2266 2267 read_lock(&state->ss->policy_rwlock); 2268 2269 policydb = &state->ss->policydb; 2270 sidtab = state->ss->sidtab; 2271 2272 c = policydb->ocontexts[OCON_PORT]; 2273 while (c) { 2274 if (c->u.port.protocol == protocol && 2275 c->u.port.low_port <= port && 2276 c->u.port.high_port >= port) 2277 break; 2278 c = c->next; 2279 } 2280 2281 if (c) { 2282 if (!c->sid[0]) { 2283 rc = sidtab_context_to_sid(sidtab, 2284 &c->context[0], 2285 &c->sid[0]); 2286 if (rc) 2287 goto out; 2288 } 2289 *out_sid = c->sid[0]; 2290 } else { 2291 *out_sid = SECINITSID_PORT; 2292 } 2293 2294 out: 2295 read_unlock(&state->ss->policy_rwlock); 2296 return rc; 2297 } 2298 2299 /** 2300 * security_pkey_sid - Obtain the SID for a pkey. 2301 * @subnet_prefix: Subnet Prefix 2302 * @pkey_num: pkey number 2303 * @out_sid: security identifier 2304 */ 2305 int security_ib_pkey_sid(struct selinux_state *state, 2306 u64 subnet_prefix, u16 pkey_num, u32 *out_sid) 2307 { 2308 struct policydb *policydb; 2309 struct sidtab *sidtab; 2310 struct ocontext *c; 2311 int rc = 0; 2312 2313 read_lock(&state->ss->policy_rwlock); 2314 2315 policydb = &state->ss->policydb; 2316 sidtab = state->ss->sidtab; 2317 2318 c = policydb->ocontexts[OCON_IBPKEY]; 2319 while (c) { 2320 if (c->u.ibpkey.low_pkey <= pkey_num && 2321 c->u.ibpkey.high_pkey >= pkey_num && 2322 c->u.ibpkey.subnet_prefix == subnet_prefix) 2323 break; 2324 2325 c = c->next; 2326 } 2327 2328 if (c) { 2329 if (!c->sid[0]) { 2330 rc = sidtab_context_to_sid(sidtab, 2331 &c->context[0], 2332 &c->sid[0]); 2333 if (rc) 2334 goto out; 2335 } 2336 *out_sid = c->sid[0]; 2337 } else 2338 *out_sid = SECINITSID_UNLABELED; 2339 2340 out: 2341 read_unlock(&state->ss->policy_rwlock); 2342 return rc; 2343 } 2344 2345 /** 2346 * security_ib_endport_sid - Obtain the SID for a subnet management interface. 2347 * @dev_name: device name 2348 * @port: port number 2349 * @out_sid: security identifier 2350 */ 2351 int security_ib_endport_sid(struct selinux_state *state, 2352 const char *dev_name, u8 port_num, u32 *out_sid) 2353 { 2354 struct policydb *policydb; 2355 struct sidtab *sidtab; 2356 struct ocontext *c; 2357 int rc = 0; 2358 2359 read_lock(&state->ss->policy_rwlock); 2360 2361 policydb = &state->ss->policydb; 2362 sidtab = state->ss->sidtab; 2363 2364 c = policydb->ocontexts[OCON_IBENDPORT]; 2365 while (c) { 2366 if (c->u.ibendport.port == port_num && 2367 !strncmp(c->u.ibendport.dev_name, 2368 dev_name, 2369 IB_DEVICE_NAME_MAX)) 2370 break; 2371 2372 c = c->next; 2373 } 2374 2375 if (c) { 2376 if (!c->sid[0]) { 2377 rc = sidtab_context_to_sid(sidtab, 2378 &c->context[0], 2379 &c->sid[0]); 2380 if (rc) 2381 goto out; 2382 } 2383 *out_sid = c->sid[0]; 2384 } else 2385 *out_sid = SECINITSID_UNLABELED; 2386 2387 out: 2388 read_unlock(&state->ss->policy_rwlock); 2389 return rc; 2390 } 2391 2392 /** 2393 * security_netif_sid - Obtain the SID for a network interface. 2394 * @name: interface name 2395 * @if_sid: interface SID 2396 */ 2397 int security_netif_sid(struct selinux_state *state, 2398 char *name, u32 *if_sid) 2399 { 2400 struct policydb *policydb; 2401 struct sidtab *sidtab; 2402 int rc = 0; 2403 struct ocontext *c; 2404 2405 read_lock(&state->ss->policy_rwlock); 2406 2407 policydb = &state->ss->policydb; 2408 sidtab = state->ss->sidtab; 2409 2410 c = policydb->ocontexts[OCON_NETIF]; 2411 while (c) { 2412 if (strcmp(name, c->u.name) == 0) 2413 break; 2414 c = c->next; 2415 } 2416 2417 if (c) { 2418 if (!c->sid[0] || !c->sid[1]) { 2419 rc = sidtab_context_to_sid(sidtab, 2420 &c->context[0], 2421 &c->sid[0]); 2422 if (rc) 2423 goto out; 2424 rc = sidtab_context_to_sid(sidtab, 2425 &c->context[1], 2426 &c->sid[1]); 2427 if (rc) 2428 goto out; 2429 } 2430 *if_sid = c->sid[0]; 2431 } else 2432 *if_sid = SECINITSID_NETIF; 2433 2434 out: 2435 read_unlock(&state->ss->policy_rwlock); 2436 return rc; 2437 } 2438 2439 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 2440 { 2441 int i, fail = 0; 2442 2443 for (i = 0; i < 4; i++) 2444 if (addr[i] != (input[i] & mask[i])) { 2445 fail = 1; 2446 break; 2447 } 2448 2449 return !fail; 2450 } 2451 2452 /** 2453 * security_node_sid - Obtain the SID for a node (host). 2454 * @domain: communication domain aka address family 2455 * @addrp: address 2456 * @addrlen: address length in bytes 2457 * @out_sid: security identifier 2458 */ 2459 int security_node_sid(struct selinux_state *state, 2460 u16 domain, 2461 void *addrp, 2462 u32 addrlen, 2463 u32 *out_sid) 2464 { 2465 struct policydb *policydb; 2466 struct sidtab *sidtab; 2467 int rc; 2468 struct ocontext *c; 2469 2470 read_lock(&state->ss->policy_rwlock); 2471 2472 policydb = &state->ss->policydb; 2473 sidtab = state->ss->sidtab; 2474 2475 switch (domain) { 2476 case AF_INET: { 2477 u32 addr; 2478 2479 rc = -EINVAL; 2480 if (addrlen != sizeof(u32)) 2481 goto out; 2482 2483 addr = *((u32 *)addrp); 2484 2485 c = policydb->ocontexts[OCON_NODE]; 2486 while (c) { 2487 if (c->u.node.addr == (addr & c->u.node.mask)) 2488 break; 2489 c = c->next; 2490 } 2491 break; 2492 } 2493 2494 case AF_INET6: 2495 rc = -EINVAL; 2496 if (addrlen != sizeof(u64) * 2) 2497 goto out; 2498 c = policydb->ocontexts[OCON_NODE6]; 2499 while (c) { 2500 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 2501 c->u.node6.mask)) 2502 break; 2503 c = c->next; 2504 } 2505 break; 2506 2507 default: 2508 rc = 0; 2509 *out_sid = SECINITSID_NODE; 2510 goto out; 2511 } 2512 2513 if (c) { 2514 if (!c->sid[0]) { 2515 rc = sidtab_context_to_sid(sidtab, 2516 &c->context[0], 2517 &c->sid[0]); 2518 if (rc) 2519 goto out; 2520 } 2521 *out_sid = c->sid[0]; 2522 } else { 2523 *out_sid = SECINITSID_NODE; 2524 } 2525 2526 rc = 0; 2527 out: 2528 read_unlock(&state->ss->policy_rwlock); 2529 return rc; 2530 } 2531 2532 #define SIDS_NEL 25 2533 2534 /** 2535 * security_get_user_sids - Obtain reachable SIDs for a user. 2536 * @fromsid: starting SID 2537 * @username: username 2538 * @sids: array of reachable SIDs for user 2539 * @nel: number of elements in @sids 2540 * 2541 * Generate the set of SIDs for legal security contexts 2542 * for a given user that can be reached by @fromsid. 2543 * Set *@sids to point to a dynamically allocated 2544 * array containing the set of SIDs. Set *@nel to the 2545 * number of elements in the array. 2546 */ 2547 2548 int security_get_user_sids(struct selinux_state *state, 2549 u32 fromsid, 2550 char *username, 2551 u32 **sids, 2552 u32 *nel) 2553 { 2554 struct policydb *policydb; 2555 struct sidtab *sidtab; 2556 struct context *fromcon, usercon; 2557 u32 *mysids = NULL, *mysids2, sid; 2558 u32 mynel = 0, maxnel = SIDS_NEL; 2559 struct user_datum *user; 2560 struct role_datum *role; 2561 struct ebitmap_node *rnode, *tnode; 2562 int rc = 0, i, j; 2563 2564 *sids = NULL; 2565 *nel = 0; 2566 2567 if (!state->initialized) 2568 goto out; 2569 2570 read_lock(&state->ss->policy_rwlock); 2571 2572 policydb = &state->ss->policydb; 2573 sidtab = state->ss->sidtab; 2574 2575 context_init(&usercon); 2576 2577 rc = -EINVAL; 2578 fromcon = sidtab_search(sidtab, fromsid); 2579 if (!fromcon) 2580 goto out_unlock; 2581 2582 rc = -EINVAL; 2583 user = hashtab_search(policydb->p_users.table, username); 2584 if (!user) 2585 goto out_unlock; 2586 2587 usercon.user = user->value; 2588 2589 rc = -ENOMEM; 2590 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2591 if (!mysids) 2592 goto out_unlock; 2593 2594 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2595 role = policydb->role_val_to_struct[i]; 2596 usercon.role = i + 1; 2597 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2598 usercon.type = j + 1; 2599 2600 if (mls_setup_user_range(policydb, fromcon, user, 2601 &usercon)) 2602 continue; 2603 2604 rc = sidtab_context_to_sid(sidtab, &usercon, &sid); 2605 if (rc) 2606 goto out_unlock; 2607 if (mynel < maxnel) { 2608 mysids[mynel++] = sid; 2609 } else { 2610 rc = -ENOMEM; 2611 maxnel += SIDS_NEL; 2612 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2613 if (!mysids2) 2614 goto out_unlock; 2615 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2616 kfree(mysids); 2617 mysids = mysids2; 2618 mysids[mynel++] = sid; 2619 } 2620 } 2621 } 2622 rc = 0; 2623 out_unlock: 2624 read_unlock(&state->ss->policy_rwlock); 2625 if (rc || !mynel) { 2626 kfree(mysids); 2627 goto out; 2628 } 2629 2630 rc = -ENOMEM; 2631 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2632 if (!mysids2) { 2633 kfree(mysids); 2634 goto out; 2635 } 2636 for (i = 0, j = 0; i < mynel; i++) { 2637 struct av_decision dummy_avd; 2638 rc = avc_has_perm_noaudit(state, 2639 fromsid, mysids[i], 2640 SECCLASS_PROCESS, /* kernel value */ 2641 PROCESS__TRANSITION, AVC_STRICT, 2642 &dummy_avd); 2643 if (!rc) 2644 mysids2[j++] = mysids[i]; 2645 cond_resched(); 2646 } 2647 rc = 0; 2648 kfree(mysids); 2649 *sids = mysids2; 2650 *nel = j; 2651 out: 2652 return rc; 2653 } 2654 2655 /** 2656 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem 2657 * @fstype: filesystem type 2658 * @path: path from root of mount 2659 * @sclass: file security class 2660 * @sid: SID for path 2661 * 2662 * Obtain a SID to use for a file in a filesystem that 2663 * cannot support xattr or use a fixed labeling behavior like 2664 * transition SIDs or task SIDs. 2665 * 2666 * The caller must acquire the policy_rwlock before calling this function. 2667 */ 2668 static inline int __security_genfs_sid(struct selinux_state *state, 2669 const char *fstype, 2670 char *path, 2671 u16 orig_sclass, 2672 u32 *sid) 2673 { 2674 struct policydb *policydb = &state->ss->policydb; 2675 struct sidtab *sidtab = state->ss->sidtab; 2676 int len; 2677 u16 sclass; 2678 struct genfs *genfs; 2679 struct ocontext *c; 2680 int rc, cmp = 0; 2681 2682 while (path[0] == '/' && path[1] == '/') 2683 path++; 2684 2685 sclass = unmap_class(&state->ss->map, orig_sclass); 2686 *sid = SECINITSID_UNLABELED; 2687 2688 for (genfs = policydb->genfs; genfs; genfs = genfs->next) { 2689 cmp = strcmp(fstype, genfs->fstype); 2690 if (cmp <= 0) 2691 break; 2692 } 2693 2694 rc = -ENOENT; 2695 if (!genfs || cmp) 2696 goto out; 2697 2698 for (c = genfs->head; c; c = c->next) { 2699 len = strlen(c->u.name); 2700 if ((!c->v.sclass || sclass == c->v.sclass) && 2701 (strncmp(c->u.name, path, len) == 0)) 2702 break; 2703 } 2704 2705 rc = -ENOENT; 2706 if (!c) 2707 goto out; 2708 2709 if (!c->sid[0]) { 2710 rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); 2711 if (rc) 2712 goto out; 2713 } 2714 2715 *sid = c->sid[0]; 2716 rc = 0; 2717 out: 2718 return rc; 2719 } 2720 2721 /** 2722 * security_genfs_sid - Obtain a SID for a file in a filesystem 2723 * @fstype: filesystem type 2724 * @path: path from root of mount 2725 * @sclass: file security class 2726 * @sid: SID for path 2727 * 2728 * Acquire policy_rwlock before calling __security_genfs_sid() and release 2729 * it afterward. 2730 */ 2731 int security_genfs_sid(struct selinux_state *state, 2732 const char *fstype, 2733 char *path, 2734 u16 orig_sclass, 2735 u32 *sid) 2736 { 2737 int retval; 2738 2739 read_lock(&state->ss->policy_rwlock); 2740 retval = __security_genfs_sid(state, fstype, path, orig_sclass, sid); 2741 read_unlock(&state->ss->policy_rwlock); 2742 return retval; 2743 } 2744 2745 /** 2746 * security_fs_use - Determine how to handle labeling for a filesystem. 2747 * @sb: superblock in question 2748 */ 2749 int security_fs_use(struct selinux_state *state, struct super_block *sb) 2750 { 2751 struct policydb *policydb; 2752 struct sidtab *sidtab; 2753 int rc = 0; 2754 struct ocontext *c; 2755 struct superblock_security_struct *sbsec = sb->s_security; 2756 const char *fstype = sb->s_type->name; 2757 2758 read_lock(&state->ss->policy_rwlock); 2759 2760 policydb = &state->ss->policydb; 2761 sidtab = state->ss->sidtab; 2762 2763 c = policydb->ocontexts[OCON_FSUSE]; 2764 while (c) { 2765 if (strcmp(fstype, c->u.name) == 0) 2766 break; 2767 c = c->next; 2768 } 2769 2770 if (c) { 2771 sbsec->behavior = c->v.behavior; 2772 if (!c->sid[0]) { 2773 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2774 &c->sid[0]); 2775 if (rc) 2776 goto out; 2777 } 2778 sbsec->sid = c->sid[0]; 2779 } else { 2780 rc = __security_genfs_sid(state, fstype, "/", SECCLASS_DIR, 2781 &sbsec->sid); 2782 if (rc) { 2783 sbsec->behavior = SECURITY_FS_USE_NONE; 2784 rc = 0; 2785 } else { 2786 sbsec->behavior = SECURITY_FS_USE_GENFS; 2787 } 2788 } 2789 2790 out: 2791 read_unlock(&state->ss->policy_rwlock); 2792 return rc; 2793 } 2794 2795 int security_get_bools(struct selinux_state *state, 2796 int *len, char ***names, int **values) 2797 { 2798 struct policydb *policydb; 2799 int i, rc; 2800 2801 if (!state->initialized) { 2802 *len = 0; 2803 *names = NULL; 2804 *values = NULL; 2805 return 0; 2806 } 2807 2808 read_lock(&state->ss->policy_rwlock); 2809 2810 policydb = &state->ss->policydb; 2811 2812 *names = NULL; 2813 *values = NULL; 2814 2815 rc = 0; 2816 *len = policydb->p_bools.nprim; 2817 if (!*len) 2818 goto out; 2819 2820 rc = -ENOMEM; 2821 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2822 if (!*names) 2823 goto err; 2824 2825 rc = -ENOMEM; 2826 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2827 if (!*values) 2828 goto err; 2829 2830 for (i = 0; i < *len; i++) { 2831 (*values)[i] = policydb->bool_val_to_struct[i]->state; 2832 2833 rc = -ENOMEM; 2834 (*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i), 2835 GFP_ATOMIC); 2836 if (!(*names)[i]) 2837 goto err; 2838 } 2839 rc = 0; 2840 out: 2841 read_unlock(&state->ss->policy_rwlock); 2842 return rc; 2843 err: 2844 if (*names) { 2845 for (i = 0; i < *len; i++) 2846 kfree((*names)[i]); 2847 } 2848 kfree(*values); 2849 goto out; 2850 } 2851 2852 2853 int security_set_bools(struct selinux_state *state, int len, int *values) 2854 { 2855 struct policydb *policydb; 2856 int i, rc; 2857 int lenp, seqno = 0; 2858 struct cond_node *cur; 2859 2860 write_lock_irq(&state->ss->policy_rwlock); 2861 2862 policydb = &state->ss->policydb; 2863 2864 rc = -EFAULT; 2865 lenp = policydb->p_bools.nprim; 2866 if (len != lenp) 2867 goto out; 2868 2869 for (i = 0; i < len; i++) { 2870 if (!!values[i] != policydb->bool_val_to_struct[i]->state) { 2871 audit_log(audit_context(), GFP_ATOMIC, 2872 AUDIT_MAC_CONFIG_CHANGE, 2873 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2874 sym_name(policydb, SYM_BOOLS, i), 2875 !!values[i], 2876 policydb->bool_val_to_struct[i]->state, 2877 from_kuid(&init_user_ns, audit_get_loginuid(current)), 2878 audit_get_sessionid(current)); 2879 } 2880 if (values[i]) 2881 policydb->bool_val_to_struct[i]->state = 1; 2882 else 2883 policydb->bool_val_to_struct[i]->state = 0; 2884 } 2885 2886 for (cur = policydb->cond_list; cur; cur = cur->next) { 2887 rc = evaluate_cond_node(policydb, cur); 2888 if (rc) 2889 goto out; 2890 } 2891 2892 seqno = ++state->ss->latest_granting; 2893 rc = 0; 2894 out: 2895 write_unlock_irq(&state->ss->policy_rwlock); 2896 if (!rc) { 2897 avc_ss_reset(state->avc, seqno); 2898 selnl_notify_policyload(seqno); 2899 selinux_status_update_policyload(state, seqno); 2900 selinux_xfrm_notify_policyload(); 2901 } 2902 return rc; 2903 } 2904 2905 int security_get_bool_value(struct selinux_state *state, 2906 int index) 2907 { 2908 struct policydb *policydb; 2909 int rc; 2910 int len; 2911 2912 read_lock(&state->ss->policy_rwlock); 2913 2914 policydb = &state->ss->policydb; 2915 2916 rc = -EFAULT; 2917 len = policydb->p_bools.nprim; 2918 if (index >= len) 2919 goto out; 2920 2921 rc = policydb->bool_val_to_struct[index]->state; 2922 out: 2923 read_unlock(&state->ss->policy_rwlock); 2924 return rc; 2925 } 2926 2927 static int security_preserve_bools(struct selinux_state *state, 2928 struct policydb *policydb) 2929 { 2930 int rc, nbools = 0, *bvalues = NULL, i; 2931 char **bnames = NULL; 2932 struct cond_bool_datum *booldatum; 2933 struct cond_node *cur; 2934 2935 rc = security_get_bools(state, &nbools, &bnames, &bvalues); 2936 if (rc) 2937 goto out; 2938 for (i = 0; i < nbools; i++) { 2939 booldatum = hashtab_search(policydb->p_bools.table, bnames[i]); 2940 if (booldatum) 2941 booldatum->state = bvalues[i]; 2942 } 2943 for (cur = policydb->cond_list; cur; cur = cur->next) { 2944 rc = evaluate_cond_node(policydb, cur); 2945 if (rc) 2946 goto out; 2947 } 2948 2949 out: 2950 if (bnames) { 2951 for (i = 0; i < nbools; i++) 2952 kfree(bnames[i]); 2953 } 2954 kfree(bnames); 2955 kfree(bvalues); 2956 return rc; 2957 } 2958 2959 /* 2960 * security_sid_mls_copy() - computes a new sid based on the given 2961 * sid and the mls portion of mls_sid. 2962 */ 2963 int security_sid_mls_copy(struct selinux_state *state, 2964 u32 sid, u32 mls_sid, u32 *new_sid) 2965 { 2966 struct policydb *policydb = &state->ss->policydb; 2967 struct sidtab *sidtab = state->ss->sidtab; 2968 struct context *context1; 2969 struct context *context2; 2970 struct context newcon; 2971 char *s; 2972 u32 len; 2973 int rc; 2974 2975 rc = 0; 2976 if (!state->initialized || !policydb->mls_enabled) { 2977 *new_sid = sid; 2978 goto out; 2979 } 2980 2981 context_init(&newcon); 2982 2983 read_lock(&state->ss->policy_rwlock); 2984 2985 rc = -EINVAL; 2986 context1 = sidtab_search(sidtab, sid); 2987 if (!context1) { 2988 pr_err("SELinux: %s: unrecognized SID %d\n", 2989 __func__, sid); 2990 goto out_unlock; 2991 } 2992 2993 rc = -EINVAL; 2994 context2 = sidtab_search(sidtab, mls_sid); 2995 if (!context2) { 2996 pr_err("SELinux: %s: unrecognized SID %d\n", 2997 __func__, mls_sid); 2998 goto out_unlock; 2999 } 3000 3001 newcon.user = context1->user; 3002 newcon.role = context1->role; 3003 newcon.type = context1->type; 3004 rc = mls_context_cpy(&newcon, context2); 3005 if (rc) 3006 goto out_unlock; 3007 3008 /* Check the validity of the new context. */ 3009 if (!policydb_context_isvalid(policydb, &newcon)) { 3010 rc = convert_context_handle_invalid_context(state, &newcon); 3011 if (rc) { 3012 if (!context_struct_to_string(policydb, &newcon, &s, 3013 &len)) { 3014 struct audit_buffer *ab; 3015 3016 ab = audit_log_start(audit_context(), 3017 GFP_ATOMIC, 3018 AUDIT_SELINUX_ERR); 3019 audit_log_format(ab, 3020 "op=security_sid_mls_copy invalid_context="); 3021 /* don't record NUL with untrusted strings */ 3022 audit_log_n_untrustedstring(ab, s, len - 1); 3023 audit_log_end(ab); 3024 kfree(s); 3025 } 3026 goto out_unlock; 3027 } 3028 } 3029 3030 rc = sidtab_context_to_sid(sidtab, &newcon, new_sid); 3031 out_unlock: 3032 read_unlock(&state->ss->policy_rwlock); 3033 context_destroy(&newcon); 3034 out: 3035 return rc; 3036 } 3037 3038 /** 3039 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 3040 * @nlbl_sid: NetLabel SID 3041 * @nlbl_type: NetLabel labeling protocol type 3042 * @xfrm_sid: XFRM SID 3043 * 3044 * Description: 3045 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 3046 * resolved into a single SID it is returned via @peer_sid and the function 3047 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 3048 * returns a negative value. A table summarizing the behavior is below: 3049 * 3050 * | function return | @sid 3051 * ------------------------------+-----------------+----------------- 3052 * no peer labels | 0 | SECSID_NULL 3053 * single peer label | 0 | <peer_label> 3054 * multiple, consistent labels | 0 | <peer_label> 3055 * multiple, inconsistent labels | -<errno> | SECSID_NULL 3056 * 3057 */ 3058 int security_net_peersid_resolve(struct selinux_state *state, 3059 u32 nlbl_sid, u32 nlbl_type, 3060 u32 xfrm_sid, 3061 u32 *peer_sid) 3062 { 3063 struct policydb *policydb = &state->ss->policydb; 3064 struct sidtab *sidtab = state->ss->sidtab; 3065 int rc; 3066 struct context *nlbl_ctx; 3067 struct context *xfrm_ctx; 3068 3069 *peer_sid = SECSID_NULL; 3070 3071 /* handle the common (which also happens to be the set of easy) cases 3072 * right away, these two if statements catch everything involving a 3073 * single or absent peer SID/label */ 3074 if (xfrm_sid == SECSID_NULL) { 3075 *peer_sid = nlbl_sid; 3076 return 0; 3077 } 3078 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 3079 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 3080 * is present */ 3081 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 3082 *peer_sid = xfrm_sid; 3083 return 0; 3084 } 3085 3086 /* 3087 * We don't need to check initialized here since the only way both 3088 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 3089 * security server was initialized and state->initialized was true. 3090 */ 3091 if (!policydb->mls_enabled) 3092 return 0; 3093 3094 read_lock(&state->ss->policy_rwlock); 3095 3096 rc = -EINVAL; 3097 nlbl_ctx = sidtab_search(sidtab, nlbl_sid); 3098 if (!nlbl_ctx) { 3099 pr_err("SELinux: %s: unrecognized SID %d\n", 3100 __func__, nlbl_sid); 3101 goto out; 3102 } 3103 rc = -EINVAL; 3104 xfrm_ctx = sidtab_search(sidtab, xfrm_sid); 3105 if (!xfrm_ctx) { 3106 pr_err("SELinux: %s: unrecognized SID %d\n", 3107 __func__, xfrm_sid); 3108 goto out; 3109 } 3110 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 3111 if (rc) 3112 goto out; 3113 3114 /* at present NetLabel SIDs/labels really only carry MLS 3115 * information so if the MLS portion of the NetLabel SID 3116 * matches the MLS portion of the labeled XFRM SID/label 3117 * then pass along the XFRM SID as it is the most 3118 * expressive */ 3119 *peer_sid = xfrm_sid; 3120 out: 3121 read_unlock(&state->ss->policy_rwlock); 3122 return rc; 3123 } 3124 3125 static int get_classes_callback(void *k, void *d, void *args) 3126 { 3127 struct class_datum *datum = d; 3128 char *name = k, **classes = args; 3129 int value = datum->value - 1; 3130 3131 classes[value] = kstrdup(name, GFP_ATOMIC); 3132 if (!classes[value]) 3133 return -ENOMEM; 3134 3135 return 0; 3136 } 3137 3138 int security_get_classes(struct selinux_state *state, 3139 char ***classes, int *nclasses) 3140 { 3141 struct policydb *policydb = &state->ss->policydb; 3142 int rc; 3143 3144 if (!state->initialized) { 3145 *nclasses = 0; 3146 *classes = NULL; 3147 return 0; 3148 } 3149 3150 read_lock(&state->ss->policy_rwlock); 3151 3152 rc = -ENOMEM; 3153 *nclasses = policydb->p_classes.nprim; 3154 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 3155 if (!*classes) 3156 goto out; 3157 3158 rc = hashtab_map(policydb->p_classes.table, get_classes_callback, 3159 *classes); 3160 if (rc) { 3161 int i; 3162 for (i = 0; i < *nclasses; i++) 3163 kfree((*classes)[i]); 3164 kfree(*classes); 3165 } 3166 3167 out: 3168 read_unlock(&state->ss->policy_rwlock); 3169 return rc; 3170 } 3171 3172 static int get_permissions_callback(void *k, void *d, void *args) 3173 { 3174 struct perm_datum *datum = d; 3175 char *name = k, **perms = args; 3176 int value = datum->value - 1; 3177 3178 perms[value] = kstrdup(name, GFP_ATOMIC); 3179 if (!perms[value]) 3180 return -ENOMEM; 3181 3182 return 0; 3183 } 3184 3185 int security_get_permissions(struct selinux_state *state, 3186 char *class, char ***perms, int *nperms) 3187 { 3188 struct policydb *policydb = &state->ss->policydb; 3189 int rc, i; 3190 struct class_datum *match; 3191 3192 read_lock(&state->ss->policy_rwlock); 3193 3194 rc = -EINVAL; 3195 match = hashtab_search(policydb->p_classes.table, class); 3196 if (!match) { 3197 pr_err("SELinux: %s: unrecognized class %s\n", 3198 __func__, class); 3199 goto out; 3200 } 3201 3202 rc = -ENOMEM; 3203 *nperms = match->permissions.nprim; 3204 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 3205 if (!*perms) 3206 goto out; 3207 3208 if (match->comdatum) { 3209 rc = hashtab_map(match->comdatum->permissions.table, 3210 get_permissions_callback, *perms); 3211 if (rc) 3212 goto err; 3213 } 3214 3215 rc = hashtab_map(match->permissions.table, get_permissions_callback, 3216 *perms); 3217 if (rc) 3218 goto err; 3219 3220 out: 3221 read_unlock(&state->ss->policy_rwlock); 3222 return rc; 3223 3224 err: 3225 read_unlock(&state->ss->policy_rwlock); 3226 for (i = 0; i < *nperms; i++) 3227 kfree((*perms)[i]); 3228 kfree(*perms); 3229 return rc; 3230 } 3231 3232 int security_get_reject_unknown(struct selinux_state *state) 3233 { 3234 return state->ss->policydb.reject_unknown; 3235 } 3236 3237 int security_get_allow_unknown(struct selinux_state *state) 3238 { 3239 return state->ss->policydb.allow_unknown; 3240 } 3241 3242 /** 3243 * security_policycap_supported - Check for a specific policy capability 3244 * @req_cap: capability 3245 * 3246 * Description: 3247 * This function queries the currently loaded policy to see if it supports the 3248 * capability specified by @req_cap. Returns true (1) if the capability is 3249 * supported, false (0) if it isn't supported. 3250 * 3251 */ 3252 int security_policycap_supported(struct selinux_state *state, 3253 unsigned int req_cap) 3254 { 3255 struct policydb *policydb = &state->ss->policydb; 3256 int rc; 3257 3258 read_lock(&state->ss->policy_rwlock); 3259 rc = ebitmap_get_bit(&policydb->policycaps, req_cap); 3260 read_unlock(&state->ss->policy_rwlock); 3261 3262 return rc; 3263 } 3264 3265 struct selinux_audit_rule { 3266 u32 au_seqno; 3267 struct context au_ctxt; 3268 }; 3269 3270 void selinux_audit_rule_free(void *vrule) 3271 { 3272 struct selinux_audit_rule *rule = vrule; 3273 3274 if (rule) { 3275 context_destroy(&rule->au_ctxt); 3276 kfree(rule); 3277 } 3278 } 3279 3280 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3281 { 3282 struct selinux_state *state = &selinux_state; 3283 struct policydb *policydb = &state->ss->policydb; 3284 struct selinux_audit_rule *tmprule; 3285 struct role_datum *roledatum; 3286 struct type_datum *typedatum; 3287 struct user_datum *userdatum; 3288 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 3289 int rc = 0; 3290 3291 *rule = NULL; 3292 3293 if (!state->initialized) 3294 return -EOPNOTSUPP; 3295 3296 switch (field) { 3297 case AUDIT_SUBJ_USER: 3298 case AUDIT_SUBJ_ROLE: 3299 case AUDIT_SUBJ_TYPE: 3300 case AUDIT_OBJ_USER: 3301 case AUDIT_OBJ_ROLE: 3302 case AUDIT_OBJ_TYPE: 3303 /* only 'equals' and 'not equals' fit user, role, and type */ 3304 if (op != Audit_equal && op != Audit_not_equal) 3305 return -EINVAL; 3306 break; 3307 case AUDIT_SUBJ_SEN: 3308 case AUDIT_SUBJ_CLR: 3309 case AUDIT_OBJ_LEV_LOW: 3310 case AUDIT_OBJ_LEV_HIGH: 3311 /* we do not allow a range, indicated by the presence of '-' */ 3312 if (strchr(rulestr, '-')) 3313 return -EINVAL; 3314 break; 3315 default: 3316 /* only the above fields are valid */ 3317 return -EINVAL; 3318 } 3319 3320 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 3321 if (!tmprule) 3322 return -ENOMEM; 3323 3324 context_init(&tmprule->au_ctxt); 3325 3326 read_lock(&state->ss->policy_rwlock); 3327 3328 tmprule->au_seqno = state->ss->latest_granting; 3329 3330 switch (field) { 3331 case AUDIT_SUBJ_USER: 3332 case AUDIT_OBJ_USER: 3333 rc = -EINVAL; 3334 userdatum = hashtab_search(policydb->p_users.table, rulestr); 3335 if (!userdatum) 3336 goto out; 3337 tmprule->au_ctxt.user = userdatum->value; 3338 break; 3339 case AUDIT_SUBJ_ROLE: 3340 case AUDIT_OBJ_ROLE: 3341 rc = -EINVAL; 3342 roledatum = hashtab_search(policydb->p_roles.table, rulestr); 3343 if (!roledatum) 3344 goto out; 3345 tmprule->au_ctxt.role = roledatum->value; 3346 break; 3347 case AUDIT_SUBJ_TYPE: 3348 case AUDIT_OBJ_TYPE: 3349 rc = -EINVAL; 3350 typedatum = hashtab_search(policydb->p_types.table, rulestr); 3351 if (!typedatum) 3352 goto out; 3353 tmprule->au_ctxt.type = typedatum->value; 3354 break; 3355 case AUDIT_SUBJ_SEN: 3356 case AUDIT_SUBJ_CLR: 3357 case AUDIT_OBJ_LEV_LOW: 3358 case AUDIT_OBJ_LEV_HIGH: 3359 rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt, 3360 GFP_ATOMIC); 3361 if (rc) 3362 goto out; 3363 break; 3364 } 3365 rc = 0; 3366 out: 3367 read_unlock(&state->ss->policy_rwlock); 3368 3369 if (rc) { 3370 selinux_audit_rule_free(tmprule); 3371 tmprule = NULL; 3372 } 3373 3374 *rule = tmprule; 3375 3376 return rc; 3377 } 3378 3379 /* Check to see if the rule contains any selinux fields */ 3380 int selinux_audit_rule_known(struct audit_krule *rule) 3381 { 3382 int i; 3383 3384 for (i = 0; i < rule->field_count; i++) { 3385 struct audit_field *f = &rule->fields[i]; 3386 switch (f->type) { 3387 case AUDIT_SUBJ_USER: 3388 case AUDIT_SUBJ_ROLE: 3389 case AUDIT_SUBJ_TYPE: 3390 case AUDIT_SUBJ_SEN: 3391 case AUDIT_SUBJ_CLR: 3392 case AUDIT_OBJ_USER: 3393 case AUDIT_OBJ_ROLE: 3394 case AUDIT_OBJ_TYPE: 3395 case AUDIT_OBJ_LEV_LOW: 3396 case AUDIT_OBJ_LEV_HIGH: 3397 return 1; 3398 } 3399 } 3400 3401 return 0; 3402 } 3403 3404 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 3405 { 3406 struct selinux_state *state = &selinux_state; 3407 struct context *ctxt; 3408 struct mls_level *level; 3409 struct selinux_audit_rule *rule = vrule; 3410 int match = 0; 3411 3412 if (unlikely(!rule)) { 3413 WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); 3414 return -ENOENT; 3415 } 3416 3417 read_lock(&state->ss->policy_rwlock); 3418 3419 if (rule->au_seqno < state->ss->latest_granting) { 3420 match = -ESTALE; 3421 goto out; 3422 } 3423 3424 ctxt = sidtab_search(state->ss->sidtab, sid); 3425 if (unlikely(!ctxt)) { 3426 WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", 3427 sid); 3428 match = -ENOENT; 3429 goto out; 3430 } 3431 3432 /* a field/op pair that is not caught here will simply fall through 3433 without a match */ 3434 switch (field) { 3435 case AUDIT_SUBJ_USER: 3436 case AUDIT_OBJ_USER: 3437 switch (op) { 3438 case Audit_equal: 3439 match = (ctxt->user == rule->au_ctxt.user); 3440 break; 3441 case Audit_not_equal: 3442 match = (ctxt->user != rule->au_ctxt.user); 3443 break; 3444 } 3445 break; 3446 case AUDIT_SUBJ_ROLE: 3447 case AUDIT_OBJ_ROLE: 3448 switch (op) { 3449 case Audit_equal: 3450 match = (ctxt->role == rule->au_ctxt.role); 3451 break; 3452 case Audit_not_equal: 3453 match = (ctxt->role != rule->au_ctxt.role); 3454 break; 3455 } 3456 break; 3457 case AUDIT_SUBJ_TYPE: 3458 case AUDIT_OBJ_TYPE: 3459 switch (op) { 3460 case Audit_equal: 3461 match = (ctxt->type == rule->au_ctxt.type); 3462 break; 3463 case Audit_not_equal: 3464 match = (ctxt->type != rule->au_ctxt.type); 3465 break; 3466 } 3467 break; 3468 case AUDIT_SUBJ_SEN: 3469 case AUDIT_SUBJ_CLR: 3470 case AUDIT_OBJ_LEV_LOW: 3471 case AUDIT_OBJ_LEV_HIGH: 3472 level = ((field == AUDIT_SUBJ_SEN || 3473 field == AUDIT_OBJ_LEV_LOW) ? 3474 &ctxt->range.level[0] : &ctxt->range.level[1]); 3475 switch (op) { 3476 case Audit_equal: 3477 match = mls_level_eq(&rule->au_ctxt.range.level[0], 3478 level); 3479 break; 3480 case Audit_not_equal: 3481 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 3482 level); 3483 break; 3484 case Audit_lt: 3485 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 3486 level) && 3487 !mls_level_eq(&rule->au_ctxt.range.level[0], 3488 level)); 3489 break; 3490 case Audit_le: 3491 match = mls_level_dom(&rule->au_ctxt.range.level[0], 3492 level); 3493 break; 3494 case Audit_gt: 3495 match = (mls_level_dom(level, 3496 &rule->au_ctxt.range.level[0]) && 3497 !mls_level_eq(level, 3498 &rule->au_ctxt.range.level[0])); 3499 break; 3500 case Audit_ge: 3501 match = mls_level_dom(level, 3502 &rule->au_ctxt.range.level[0]); 3503 break; 3504 } 3505 } 3506 3507 out: 3508 read_unlock(&state->ss->policy_rwlock); 3509 return match; 3510 } 3511 3512 static int (*aurule_callback)(void) = audit_update_lsm_rules; 3513 3514 static int aurule_avc_callback(u32 event) 3515 { 3516 int err = 0; 3517 3518 if (event == AVC_CALLBACK_RESET && aurule_callback) 3519 err = aurule_callback(); 3520 return err; 3521 } 3522 3523 static int __init aurule_init(void) 3524 { 3525 int err; 3526 3527 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); 3528 if (err) 3529 panic("avc_add_callback() failed, error %d\n", err); 3530 3531 return err; 3532 } 3533 __initcall(aurule_init); 3534 3535 #ifdef CONFIG_NETLABEL 3536 /** 3537 * security_netlbl_cache_add - Add an entry to the NetLabel cache 3538 * @secattr: the NetLabel packet security attributes 3539 * @sid: the SELinux SID 3540 * 3541 * Description: 3542 * Attempt to cache the context in @ctx, which was derived from the packet in 3543 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 3544 * already been initialized. 3545 * 3546 */ 3547 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 3548 u32 sid) 3549 { 3550 u32 *sid_cache; 3551 3552 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 3553 if (sid_cache == NULL) 3554 return; 3555 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 3556 if (secattr->cache == NULL) { 3557 kfree(sid_cache); 3558 return; 3559 } 3560 3561 *sid_cache = sid; 3562 secattr->cache->free = kfree; 3563 secattr->cache->data = sid_cache; 3564 secattr->flags |= NETLBL_SECATTR_CACHE; 3565 } 3566 3567 /** 3568 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 3569 * @secattr: the NetLabel packet security attributes 3570 * @sid: the SELinux SID 3571 * 3572 * Description: 3573 * Convert the given NetLabel security attributes in @secattr into a 3574 * SELinux SID. If the @secattr field does not contain a full SELinux 3575 * SID/context then use SECINITSID_NETMSG as the foundation. If possible the 3576 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 3577 * allow the @secattr to be used by NetLabel to cache the secattr to SID 3578 * conversion for future lookups. Returns zero on success, negative values on 3579 * failure. 3580 * 3581 */ 3582 int security_netlbl_secattr_to_sid(struct selinux_state *state, 3583 struct netlbl_lsm_secattr *secattr, 3584 u32 *sid) 3585 { 3586 struct policydb *policydb = &state->ss->policydb; 3587 struct sidtab *sidtab = state->ss->sidtab; 3588 int rc; 3589 struct context *ctx; 3590 struct context ctx_new; 3591 3592 if (!state->initialized) { 3593 *sid = SECSID_NULL; 3594 return 0; 3595 } 3596 3597 read_lock(&state->ss->policy_rwlock); 3598 3599 if (secattr->flags & NETLBL_SECATTR_CACHE) 3600 *sid = *(u32 *)secattr->cache->data; 3601 else if (secattr->flags & NETLBL_SECATTR_SECID) 3602 *sid = secattr->attr.secid; 3603 else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3604 rc = -EIDRM; 3605 ctx = sidtab_search(sidtab, SECINITSID_NETMSG); 3606 if (ctx == NULL) 3607 goto out; 3608 3609 context_init(&ctx_new); 3610 ctx_new.user = ctx->user; 3611 ctx_new.role = ctx->role; 3612 ctx_new.type = ctx->type; 3613 mls_import_netlbl_lvl(policydb, &ctx_new, secattr); 3614 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3615 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); 3616 if (rc) 3617 goto out; 3618 } 3619 rc = -EIDRM; 3620 if (!mls_context_isvalid(policydb, &ctx_new)) 3621 goto out_free; 3622 3623 rc = sidtab_context_to_sid(sidtab, &ctx_new, sid); 3624 if (rc) 3625 goto out_free; 3626 3627 security_netlbl_cache_add(secattr, *sid); 3628 3629 ebitmap_destroy(&ctx_new.range.level[0].cat); 3630 } else 3631 *sid = SECSID_NULL; 3632 3633 read_unlock(&state->ss->policy_rwlock); 3634 return 0; 3635 out_free: 3636 ebitmap_destroy(&ctx_new.range.level[0].cat); 3637 out: 3638 read_unlock(&state->ss->policy_rwlock); 3639 return rc; 3640 } 3641 3642 /** 3643 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3644 * @sid: the SELinux SID 3645 * @secattr: the NetLabel packet security attributes 3646 * 3647 * Description: 3648 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3649 * Returns zero on success, negative values on failure. 3650 * 3651 */ 3652 int security_netlbl_sid_to_secattr(struct selinux_state *state, 3653 u32 sid, struct netlbl_lsm_secattr *secattr) 3654 { 3655 struct policydb *policydb = &state->ss->policydb; 3656 int rc; 3657 struct context *ctx; 3658 3659 if (!state->initialized) 3660 return 0; 3661 3662 read_lock(&state->ss->policy_rwlock); 3663 3664 rc = -ENOENT; 3665 ctx = sidtab_search(state->ss->sidtab, sid); 3666 if (ctx == NULL) 3667 goto out; 3668 3669 rc = -ENOMEM; 3670 secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1), 3671 GFP_ATOMIC); 3672 if (secattr->domain == NULL) 3673 goto out; 3674 3675 secattr->attr.secid = sid; 3676 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3677 mls_export_netlbl_lvl(policydb, ctx, secattr); 3678 rc = mls_export_netlbl_cat(policydb, ctx, secattr); 3679 out: 3680 read_unlock(&state->ss->policy_rwlock); 3681 return rc; 3682 } 3683 #endif /* CONFIG_NETLABEL */ 3684 3685 /** 3686 * security_read_policy - read the policy. 3687 * @data: binary policy data 3688 * @len: length of data in bytes 3689 * 3690 */ 3691 int security_read_policy(struct selinux_state *state, 3692 void **data, size_t *len) 3693 { 3694 struct policydb *policydb = &state->ss->policydb; 3695 int rc; 3696 struct policy_file fp; 3697 3698 if (!state->initialized) 3699 return -EINVAL; 3700 3701 *len = security_policydb_len(state); 3702 3703 *data = vmalloc_user(*len); 3704 if (!*data) 3705 return -ENOMEM; 3706 3707 fp.data = *data; 3708 fp.len = *len; 3709 3710 read_lock(&state->ss->policy_rwlock); 3711 rc = policydb_write(policydb, &fp); 3712 read_unlock(&state->ss->policy_rwlock); 3713 3714 if (rc) 3715 return rc; 3716 3717 *len = (unsigned long)fp.data - (unsigned long)*data; 3718 return 0; 3719 3720 } 3721