xref: /openbmc/linux/security/selinux/ss/services.c (revision 4da722ca)
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *	     James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *	Support for enhanced MLS infrastructure.
10  *	Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *	Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul@paul-moore.com>
17  *
18  *      Added support for NetLabel
19  *      Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <csellers@tresys.com>
22  *
23  *  Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26  *
27  *  Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Updated: Guido Trentalancia <guido@trentalancia.com>
30  *
31  *  Added support for runtime switching of the policy type
32  *
33  * Copyright (C) 2008, 2009 NEC Corporation
34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
38  *	This program is free software; you can redistribute it and/or modify
39  *	it under the terms of the GNU General Public License as published by
40  *	the Free Software Foundation, version 2.
41  */
42 #include <linux/kernel.h>
43 #include <linux/slab.h>
44 #include <linux/string.h>
45 #include <linux/spinlock.h>
46 #include <linux/rcupdate.h>
47 #include <linux/errno.h>
48 #include <linux/in.h>
49 #include <linux/sched.h>
50 #include <linux/audit.h>
51 #include <linux/mutex.h>
52 #include <linux/selinux.h>
53 #include <linux/flex_array.h>
54 #include <linux/vmalloc.h>
55 #include <net/netlabel.h>
56 
57 #include "flask.h"
58 #include "avc.h"
59 #include "avc_ss.h"
60 #include "security.h"
61 #include "context.h"
62 #include "policydb.h"
63 #include "sidtab.h"
64 #include "services.h"
65 #include "conditional.h"
66 #include "mls.h"
67 #include "objsec.h"
68 #include "netlabel.h"
69 #include "xfrm.h"
70 #include "ebitmap.h"
71 #include "audit.h"
72 
73 /* Policy capability names */
74 char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
75 	"network_peer_controls",
76 	"open_perms",
77 	"extended_socket_class",
78 	"always_check_network",
79 	"cgroup_seclabel"
80 };
81 
82 int selinux_policycap_netpeer;
83 int selinux_policycap_openperm;
84 int selinux_policycap_extsockclass;
85 int selinux_policycap_alwaysnetwork;
86 int selinux_policycap_cgroupseclabel;
87 
88 static DEFINE_RWLOCK(policy_rwlock);
89 
90 static struct sidtab sidtab;
91 struct policydb policydb;
92 int ss_initialized;
93 
94 /*
95  * The largest sequence number that has been used when
96  * providing an access decision to the access vector cache.
97  * The sequence number only changes when a policy change
98  * occurs.
99  */
100 static u32 latest_granting;
101 
102 /* Forward declaration. */
103 static int context_struct_to_string(struct context *context, char **scontext,
104 				    u32 *scontext_len);
105 
106 static void context_struct_compute_av(struct context *scontext,
107 					struct context *tcontext,
108 					u16 tclass,
109 					struct av_decision *avd,
110 					struct extended_perms *xperms);
111 
112 struct selinux_mapping {
113 	u16 value; /* policy value */
114 	unsigned num_perms;
115 	u32 perms[sizeof(u32) * 8];
116 };
117 
118 static struct selinux_mapping *current_mapping;
119 static u16 current_mapping_size;
120 
121 static int selinux_set_mapping(struct policydb *pol,
122 			       struct security_class_mapping *map,
123 			       struct selinux_mapping **out_map_p,
124 			       u16 *out_map_size)
125 {
126 	struct selinux_mapping *out_map = NULL;
127 	size_t size = sizeof(struct selinux_mapping);
128 	u16 i, j;
129 	unsigned k;
130 	bool print_unknown_handle = false;
131 
132 	/* Find number of classes in the input mapping */
133 	if (!map)
134 		return -EINVAL;
135 	i = 0;
136 	while (map[i].name)
137 		i++;
138 
139 	/* Allocate space for the class records, plus one for class zero */
140 	out_map = kcalloc(++i, size, GFP_ATOMIC);
141 	if (!out_map)
142 		return -ENOMEM;
143 
144 	/* Store the raw class and permission values */
145 	j = 0;
146 	while (map[j].name) {
147 		struct security_class_mapping *p_in = map + (j++);
148 		struct selinux_mapping *p_out = out_map + j;
149 
150 		/* An empty class string skips ahead */
151 		if (!strcmp(p_in->name, "")) {
152 			p_out->num_perms = 0;
153 			continue;
154 		}
155 
156 		p_out->value = string_to_security_class(pol, p_in->name);
157 		if (!p_out->value) {
158 			printk(KERN_INFO
159 			       "SELinux:  Class %s not defined in policy.\n",
160 			       p_in->name);
161 			if (pol->reject_unknown)
162 				goto err;
163 			p_out->num_perms = 0;
164 			print_unknown_handle = true;
165 			continue;
166 		}
167 
168 		k = 0;
169 		while (p_in->perms[k]) {
170 			/* An empty permission string skips ahead */
171 			if (!*p_in->perms[k]) {
172 				k++;
173 				continue;
174 			}
175 			p_out->perms[k] = string_to_av_perm(pol, p_out->value,
176 							    p_in->perms[k]);
177 			if (!p_out->perms[k]) {
178 				printk(KERN_INFO
179 				       "SELinux:  Permission %s in class %s not defined in policy.\n",
180 				       p_in->perms[k], p_in->name);
181 				if (pol->reject_unknown)
182 					goto err;
183 				print_unknown_handle = true;
184 			}
185 
186 			k++;
187 		}
188 		p_out->num_perms = k;
189 	}
190 
191 	if (print_unknown_handle)
192 		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
193 		       pol->allow_unknown ? "allowed" : "denied");
194 
195 	*out_map_p = out_map;
196 	*out_map_size = i;
197 	return 0;
198 err:
199 	kfree(out_map);
200 	return -EINVAL;
201 }
202 
203 /*
204  * Get real, policy values from mapped values
205  */
206 
207 static u16 unmap_class(u16 tclass)
208 {
209 	if (tclass < current_mapping_size)
210 		return current_mapping[tclass].value;
211 
212 	return tclass;
213 }
214 
215 /*
216  * Get kernel value for class from its policy value
217  */
218 static u16 map_class(u16 pol_value)
219 {
220 	u16 i;
221 
222 	for (i = 1; i < current_mapping_size; i++) {
223 		if (current_mapping[i].value == pol_value)
224 			return i;
225 	}
226 
227 	return SECCLASS_NULL;
228 }
229 
230 static void map_decision(u16 tclass, struct av_decision *avd,
231 			 int allow_unknown)
232 {
233 	if (tclass < current_mapping_size) {
234 		unsigned i, n = current_mapping[tclass].num_perms;
235 		u32 result;
236 
237 		for (i = 0, result = 0; i < n; i++) {
238 			if (avd->allowed & current_mapping[tclass].perms[i])
239 				result |= 1<<i;
240 			if (allow_unknown && !current_mapping[tclass].perms[i])
241 				result |= 1<<i;
242 		}
243 		avd->allowed = result;
244 
245 		for (i = 0, result = 0; i < n; i++)
246 			if (avd->auditallow & current_mapping[tclass].perms[i])
247 				result |= 1<<i;
248 		avd->auditallow = result;
249 
250 		for (i = 0, result = 0; i < n; i++) {
251 			if (avd->auditdeny & current_mapping[tclass].perms[i])
252 				result |= 1<<i;
253 			if (!allow_unknown && !current_mapping[tclass].perms[i])
254 				result |= 1<<i;
255 		}
256 		/*
257 		 * In case the kernel has a bug and requests a permission
258 		 * between num_perms and the maximum permission number, we
259 		 * should audit that denial
260 		 */
261 		for (; i < (sizeof(u32)*8); i++)
262 			result |= 1<<i;
263 		avd->auditdeny = result;
264 	}
265 }
266 
267 int security_mls_enabled(void)
268 {
269 	return policydb.mls_enabled;
270 }
271 
272 /*
273  * Return the boolean value of a constraint expression
274  * when it is applied to the specified source and target
275  * security contexts.
276  *
277  * xcontext is a special beast...  It is used by the validatetrans rules
278  * only.  For these rules, scontext is the context before the transition,
279  * tcontext is the context after the transition, and xcontext is the context
280  * of the process performing the transition.  All other callers of
281  * constraint_expr_eval should pass in NULL for xcontext.
282  */
283 static int constraint_expr_eval(struct context *scontext,
284 				struct context *tcontext,
285 				struct context *xcontext,
286 				struct constraint_expr *cexpr)
287 {
288 	u32 val1, val2;
289 	struct context *c;
290 	struct role_datum *r1, *r2;
291 	struct mls_level *l1, *l2;
292 	struct constraint_expr *e;
293 	int s[CEXPR_MAXDEPTH];
294 	int sp = -1;
295 
296 	for (e = cexpr; e; e = e->next) {
297 		switch (e->expr_type) {
298 		case CEXPR_NOT:
299 			BUG_ON(sp < 0);
300 			s[sp] = !s[sp];
301 			break;
302 		case CEXPR_AND:
303 			BUG_ON(sp < 1);
304 			sp--;
305 			s[sp] &= s[sp + 1];
306 			break;
307 		case CEXPR_OR:
308 			BUG_ON(sp < 1);
309 			sp--;
310 			s[sp] |= s[sp + 1];
311 			break;
312 		case CEXPR_ATTR:
313 			if (sp == (CEXPR_MAXDEPTH - 1))
314 				return 0;
315 			switch (e->attr) {
316 			case CEXPR_USER:
317 				val1 = scontext->user;
318 				val2 = tcontext->user;
319 				break;
320 			case CEXPR_TYPE:
321 				val1 = scontext->type;
322 				val2 = tcontext->type;
323 				break;
324 			case CEXPR_ROLE:
325 				val1 = scontext->role;
326 				val2 = tcontext->role;
327 				r1 = policydb.role_val_to_struct[val1 - 1];
328 				r2 = policydb.role_val_to_struct[val2 - 1];
329 				switch (e->op) {
330 				case CEXPR_DOM:
331 					s[++sp] = ebitmap_get_bit(&r1->dominates,
332 								  val2 - 1);
333 					continue;
334 				case CEXPR_DOMBY:
335 					s[++sp] = ebitmap_get_bit(&r2->dominates,
336 								  val1 - 1);
337 					continue;
338 				case CEXPR_INCOMP:
339 					s[++sp] = (!ebitmap_get_bit(&r1->dominates,
340 								    val2 - 1) &&
341 						   !ebitmap_get_bit(&r2->dominates,
342 								    val1 - 1));
343 					continue;
344 				default:
345 					break;
346 				}
347 				break;
348 			case CEXPR_L1L2:
349 				l1 = &(scontext->range.level[0]);
350 				l2 = &(tcontext->range.level[0]);
351 				goto mls_ops;
352 			case CEXPR_L1H2:
353 				l1 = &(scontext->range.level[0]);
354 				l2 = &(tcontext->range.level[1]);
355 				goto mls_ops;
356 			case CEXPR_H1L2:
357 				l1 = &(scontext->range.level[1]);
358 				l2 = &(tcontext->range.level[0]);
359 				goto mls_ops;
360 			case CEXPR_H1H2:
361 				l1 = &(scontext->range.level[1]);
362 				l2 = &(tcontext->range.level[1]);
363 				goto mls_ops;
364 			case CEXPR_L1H1:
365 				l1 = &(scontext->range.level[0]);
366 				l2 = &(scontext->range.level[1]);
367 				goto mls_ops;
368 			case CEXPR_L2H2:
369 				l1 = &(tcontext->range.level[0]);
370 				l2 = &(tcontext->range.level[1]);
371 				goto mls_ops;
372 mls_ops:
373 			switch (e->op) {
374 			case CEXPR_EQ:
375 				s[++sp] = mls_level_eq(l1, l2);
376 				continue;
377 			case CEXPR_NEQ:
378 				s[++sp] = !mls_level_eq(l1, l2);
379 				continue;
380 			case CEXPR_DOM:
381 				s[++sp] = mls_level_dom(l1, l2);
382 				continue;
383 			case CEXPR_DOMBY:
384 				s[++sp] = mls_level_dom(l2, l1);
385 				continue;
386 			case CEXPR_INCOMP:
387 				s[++sp] = mls_level_incomp(l2, l1);
388 				continue;
389 			default:
390 				BUG();
391 				return 0;
392 			}
393 			break;
394 			default:
395 				BUG();
396 				return 0;
397 			}
398 
399 			switch (e->op) {
400 			case CEXPR_EQ:
401 				s[++sp] = (val1 == val2);
402 				break;
403 			case CEXPR_NEQ:
404 				s[++sp] = (val1 != val2);
405 				break;
406 			default:
407 				BUG();
408 				return 0;
409 			}
410 			break;
411 		case CEXPR_NAMES:
412 			if (sp == (CEXPR_MAXDEPTH-1))
413 				return 0;
414 			c = scontext;
415 			if (e->attr & CEXPR_TARGET)
416 				c = tcontext;
417 			else if (e->attr & CEXPR_XTARGET) {
418 				c = xcontext;
419 				if (!c) {
420 					BUG();
421 					return 0;
422 				}
423 			}
424 			if (e->attr & CEXPR_USER)
425 				val1 = c->user;
426 			else if (e->attr & CEXPR_ROLE)
427 				val1 = c->role;
428 			else if (e->attr & CEXPR_TYPE)
429 				val1 = c->type;
430 			else {
431 				BUG();
432 				return 0;
433 			}
434 
435 			switch (e->op) {
436 			case CEXPR_EQ:
437 				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
438 				break;
439 			case CEXPR_NEQ:
440 				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
441 				break;
442 			default:
443 				BUG();
444 				return 0;
445 			}
446 			break;
447 		default:
448 			BUG();
449 			return 0;
450 		}
451 	}
452 
453 	BUG_ON(sp != 0);
454 	return s[0];
455 }
456 
457 /*
458  * security_dump_masked_av - dumps masked permissions during
459  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
460  */
461 static int dump_masked_av_helper(void *k, void *d, void *args)
462 {
463 	struct perm_datum *pdatum = d;
464 	char **permission_names = args;
465 
466 	BUG_ON(pdatum->value < 1 || pdatum->value > 32);
467 
468 	permission_names[pdatum->value - 1] = (char *)k;
469 
470 	return 0;
471 }
472 
473 static void security_dump_masked_av(struct context *scontext,
474 				    struct context *tcontext,
475 				    u16 tclass,
476 				    u32 permissions,
477 				    const char *reason)
478 {
479 	struct common_datum *common_dat;
480 	struct class_datum *tclass_dat;
481 	struct audit_buffer *ab;
482 	char *tclass_name;
483 	char *scontext_name = NULL;
484 	char *tcontext_name = NULL;
485 	char *permission_names[32];
486 	int index;
487 	u32 length;
488 	bool need_comma = false;
489 
490 	if (!permissions)
491 		return;
492 
493 	tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
494 	tclass_dat = policydb.class_val_to_struct[tclass - 1];
495 	common_dat = tclass_dat->comdatum;
496 
497 	/* init permission_names */
498 	if (common_dat &&
499 	    hashtab_map(common_dat->permissions.table,
500 			dump_masked_av_helper, permission_names) < 0)
501 		goto out;
502 
503 	if (hashtab_map(tclass_dat->permissions.table,
504 			dump_masked_av_helper, permission_names) < 0)
505 		goto out;
506 
507 	/* get scontext/tcontext in text form */
508 	if (context_struct_to_string(scontext,
509 				     &scontext_name, &length) < 0)
510 		goto out;
511 
512 	if (context_struct_to_string(tcontext,
513 				     &tcontext_name, &length) < 0)
514 		goto out;
515 
516 	/* audit a message */
517 	ab = audit_log_start(current->audit_context,
518 			     GFP_ATOMIC, AUDIT_SELINUX_ERR);
519 	if (!ab)
520 		goto out;
521 
522 	audit_log_format(ab, "op=security_compute_av reason=%s "
523 			 "scontext=%s tcontext=%s tclass=%s perms=",
524 			 reason, scontext_name, tcontext_name, tclass_name);
525 
526 	for (index = 0; index < 32; index++) {
527 		u32 mask = (1 << index);
528 
529 		if ((mask & permissions) == 0)
530 			continue;
531 
532 		audit_log_format(ab, "%s%s",
533 				 need_comma ? "," : "",
534 				 permission_names[index]
535 				 ? permission_names[index] : "????");
536 		need_comma = true;
537 	}
538 	audit_log_end(ab);
539 out:
540 	/* release scontext/tcontext */
541 	kfree(tcontext_name);
542 	kfree(scontext_name);
543 
544 	return;
545 }
546 
547 /*
548  * security_boundary_permission - drops violated permissions
549  * on boundary constraint.
550  */
551 static void type_attribute_bounds_av(struct context *scontext,
552 				     struct context *tcontext,
553 				     u16 tclass,
554 				     struct av_decision *avd)
555 {
556 	struct context lo_scontext;
557 	struct context lo_tcontext, *tcontextp = tcontext;
558 	struct av_decision lo_avd;
559 	struct type_datum *source;
560 	struct type_datum *target;
561 	u32 masked = 0;
562 
563 	source = flex_array_get_ptr(policydb.type_val_to_struct_array,
564 				    scontext->type - 1);
565 	BUG_ON(!source);
566 
567 	if (!source->bounds)
568 		return;
569 
570 	target = flex_array_get_ptr(policydb.type_val_to_struct_array,
571 				    tcontext->type - 1);
572 	BUG_ON(!target);
573 
574 	memset(&lo_avd, 0, sizeof(lo_avd));
575 
576 	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
577 	lo_scontext.type = source->bounds;
578 
579 	if (target->bounds) {
580 		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
581 		lo_tcontext.type = target->bounds;
582 		tcontextp = &lo_tcontext;
583 	}
584 
585 	context_struct_compute_av(&lo_scontext,
586 				  tcontextp,
587 				  tclass,
588 				  &lo_avd,
589 				  NULL);
590 
591 	masked = ~lo_avd.allowed & avd->allowed;
592 
593 	if (likely(!masked))
594 		return;		/* no masked permission */
595 
596 	/* mask violated permissions */
597 	avd->allowed &= ~masked;
598 
599 	/* audit masked permissions */
600 	security_dump_masked_av(scontext, tcontext,
601 				tclass, masked, "bounds");
602 }
603 
604 /*
605  * flag which drivers have permissions
606  * only looking for ioctl based extended permssions
607  */
608 void services_compute_xperms_drivers(
609 		struct extended_perms *xperms,
610 		struct avtab_node *node)
611 {
612 	unsigned int i;
613 
614 	if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
615 		/* if one or more driver has all permissions allowed */
616 		for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
617 			xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
618 	} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
619 		/* if allowing permissions within a driver */
620 		security_xperm_set(xperms->drivers.p,
621 					node->datum.u.xperms->driver);
622 	}
623 
624 	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
625 	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
626 		xperms->len = 1;
627 }
628 
629 /*
630  * Compute access vectors and extended permissions based on a context
631  * structure pair for the permissions in a particular class.
632  */
633 static void context_struct_compute_av(struct context *scontext,
634 					struct context *tcontext,
635 					u16 tclass,
636 					struct av_decision *avd,
637 					struct extended_perms *xperms)
638 {
639 	struct constraint_node *constraint;
640 	struct role_allow *ra;
641 	struct avtab_key avkey;
642 	struct avtab_node *node;
643 	struct class_datum *tclass_datum;
644 	struct ebitmap *sattr, *tattr;
645 	struct ebitmap_node *snode, *tnode;
646 	unsigned int i, j;
647 
648 	avd->allowed = 0;
649 	avd->auditallow = 0;
650 	avd->auditdeny = 0xffffffff;
651 	if (xperms) {
652 		memset(&xperms->drivers, 0, sizeof(xperms->drivers));
653 		xperms->len = 0;
654 	}
655 
656 	if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
657 		if (printk_ratelimit())
658 			printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
659 		return;
660 	}
661 
662 	tclass_datum = policydb.class_val_to_struct[tclass - 1];
663 
664 	/*
665 	 * If a specific type enforcement rule was defined for
666 	 * this permission check, then use it.
667 	 */
668 	avkey.target_class = tclass;
669 	avkey.specified = AVTAB_AV | AVTAB_XPERMS;
670 	sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
671 	BUG_ON(!sattr);
672 	tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
673 	BUG_ON(!tattr);
674 	ebitmap_for_each_positive_bit(sattr, snode, i) {
675 		ebitmap_for_each_positive_bit(tattr, tnode, j) {
676 			avkey.source_type = i + 1;
677 			avkey.target_type = j + 1;
678 			for (node = avtab_search_node(&policydb.te_avtab, &avkey);
679 			     node;
680 			     node = avtab_search_node_next(node, avkey.specified)) {
681 				if (node->key.specified == AVTAB_ALLOWED)
682 					avd->allowed |= node->datum.u.data;
683 				else if (node->key.specified == AVTAB_AUDITALLOW)
684 					avd->auditallow |= node->datum.u.data;
685 				else if (node->key.specified == AVTAB_AUDITDENY)
686 					avd->auditdeny &= node->datum.u.data;
687 				else if (xperms && (node->key.specified & AVTAB_XPERMS))
688 					services_compute_xperms_drivers(xperms, node);
689 			}
690 
691 			/* Check conditional av table for additional permissions */
692 			cond_compute_av(&policydb.te_cond_avtab, &avkey,
693 					avd, xperms);
694 
695 		}
696 	}
697 
698 	/*
699 	 * Remove any permissions prohibited by a constraint (this includes
700 	 * the MLS policy).
701 	 */
702 	constraint = tclass_datum->constraints;
703 	while (constraint) {
704 		if ((constraint->permissions & (avd->allowed)) &&
705 		    !constraint_expr_eval(scontext, tcontext, NULL,
706 					  constraint->expr)) {
707 			avd->allowed &= ~(constraint->permissions);
708 		}
709 		constraint = constraint->next;
710 	}
711 
712 	/*
713 	 * If checking process transition permission and the
714 	 * role is changing, then check the (current_role, new_role)
715 	 * pair.
716 	 */
717 	if (tclass == policydb.process_class &&
718 	    (avd->allowed & policydb.process_trans_perms) &&
719 	    scontext->role != tcontext->role) {
720 		for (ra = policydb.role_allow; ra; ra = ra->next) {
721 			if (scontext->role == ra->role &&
722 			    tcontext->role == ra->new_role)
723 				break;
724 		}
725 		if (!ra)
726 			avd->allowed &= ~policydb.process_trans_perms;
727 	}
728 
729 	/*
730 	 * If the given source and target types have boundary
731 	 * constraint, lazy checks have to mask any violated
732 	 * permission and notice it to userspace via audit.
733 	 */
734 	type_attribute_bounds_av(scontext, tcontext,
735 				 tclass, avd);
736 }
737 
738 static int security_validtrans_handle_fail(struct context *ocontext,
739 					   struct context *ncontext,
740 					   struct context *tcontext,
741 					   u16 tclass)
742 {
743 	char *o = NULL, *n = NULL, *t = NULL;
744 	u32 olen, nlen, tlen;
745 
746 	if (context_struct_to_string(ocontext, &o, &olen))
747 		goto out;
748 	if (context_struct_to_string(ncontext, &n, &nlen))
749 		goto out;
750 	if (context_struct_to_string(tcontext, &t, &tlen))
751 		goto out;
752 	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
753 		  "op=security_validate_transition seresult=denied"
754 		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
755 		  o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
756 out:
757 	kfree(o);
758 	kfree(n);
759 	kfree(t);
760 
761 	if (!selinux_enforcing)
762 		return 0;
763 	return -EPERM;
764 }
765 
766 static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
767 					  u16 orig_tclass, bool user)
768 {
769 	struct context *ocontext;
770 	struct context *ncontext;
771 	struct context *tcontext;
772 	struct class_datum *tclass_datum;
773 	struct constraint_node *constraint;
774 	u16 tclass;
775 	int rc = 0;
776 
777 	if (!ss_initialized)
778 		return 0;
779 
780 	read_lock(&policy_rwlock);
781 
782 	if (!user)
783 		tclass = unmap_class(orig_tclass);
784 	else
785 		tclass = orig_tclass;
786 
787 	if (!tclass || tclass > policydb.p_classes.nprim) {
788 		rc = -EINVAL;
789 		goto out;
790 	}
791 	tclass_datum = policydb.class_val_to_struct[tclass - 1];
792 
793 	ocontext = sidtab_search(&sidtab, oldsid);
794 	if (!ocontext) {
795 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
796 			__func__, oldsid);
797 		rc = -EINVAL;
798 		goto out;
799 	}
800 
801 	ncontext = sidtab_search(&sidtab, newsid);
802 	if (!ncontext) {
803 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
804 			__func__, newsid);
805 		rc = -EINVAL;
806 		goto out;
807 	}
808 
809 	tcontext = sidtab_search(&sidtab, tasksid);
810 	if (!tcontext) {
811 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
812 			__func__, tasksid);
813 		rc = -EINVAL;
814 		goto out;
815 	}
816 
817 	constraint = tclass_datum->validatetrans;
818 	while (constraint) {
819 		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
820 					  constraint->expr)) {
821 			if (user)
822 				rc = -EPERM;
823 			else
824 				rc = security_validtrans_handle_fail(ocontext,
825 								     ncontext,
826 								     tcontext,
827 								     tclass);
828 			goto out;
829 		}
830 		constraint = constraint->next;
831 	}
832 
833 out:
834 	read_unlock(&policy_rwlock);
835 	return rc;
836 }
837 
838 int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
839 					u16 tclass)
840 {
841 	return security_compute_validatetrans(oldsid, newsid, tasksid,
842 						tclass, true);
843 }
844 
845 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
846 				 u16 orig_tclass)
847 {
848 	return security_compute_validatetrans(oldsid, newsid, tasksid,
849 						orig_tclass, false);
850 }
851 
852 /*
853  * security_bounded_transition - check whether the given
854  * transition is directed to bounded, or not.
855  * It returns 0, if @newsid is bounded by @oldsid.
856  * Otherwise, it returns error code.
857  *
858  * @oldsid : current security identifier
859  * @newsid : destinated security identifier
860  */
861 int security_bounded_transition(u32 old_sid, u32 new_sid)
862 {
863 	struct context *old_context, *new_context;
864 	struct type_datum *type;
865 	int index;
866 	int rc;
867 
868 	read_lock(&policy_rwlock);
869 
870 	rc = -EINVAL;
871 	old_context = sidtab_search(&sidtab, old_sid);
872 	if (!old_context) {
873 		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
874 		       __func__, old_sid);
875 		goto out;
876 	}
877 
878 	rc = -EINVAL;
879 	new_context = sidtab_search(&sidtab, new_sid);
880 	if (!new_context) {
881 		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
882 		       __func__, new_sid);
883 		goto out;
884 	}
885 
886 	rc = 0;
887 	/* type/domain unchanged */
888 	if (old_context->type == new_context->type)
889 		goto out;
890 
891 	index = new_context->type;
892 	while (true) {
893 		type = flex_array_get_ptr(policydb.type_val_to_struct_array,
894 					  index - 1);
895 		BUG_ON(!type);
896 
897 		/* not bounded anymore */
898 		rc = -EPERM;
899 		if (!type->bounds)
900 			break;
901 
902 		/* @newsid is bounded by @oldsid */
903 		rc = 0;
904 		if (type->bounds == old_context->type)
905 			break;
906 
907 		index = type->bounds;
908 	}
909 
910 	if (rc) {
911 		char *old_name = NULL;
912 		char *new_name = NULL;
913 		u32 length;
914 
915 		if (!context_struct_to_string(old_context,
916 					      &old_name, &length) &&
917 		    !context_struct_to_string(new_context,
918 					      &new_name, &length)) {
919 			audit_log(current->audit_context,
920 				  GFP_ATOMIC, AUDIT_SELINUX_ERR,
921 				  "op=security_bounded_transition "
922 				  "seresult=denied "
923 				  "oldcontext=%s newcontext=%s",
924 				  old_name, new_name);
925 		}
926 		kfree(new_name);
927 		kfree(old_name);
928 	}
929 out:
930 	read_unlock(&policy_rwlock);
931 
932 	return rc;
933 }
934 
935 static void avd_init(struct av_decision *avd)
936 {
937 	avd->allowed = 0;
938 	avd->auditallow = 0;
939 	avd->auditdeny = 0xffffffff;
940 	avd->seqno = latest_granting;
941 	avd->flags = 0;
942 }
943 
944 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
945 					struct avtab_node *node)
946 {
947 	unsigned int i;
948 
949 	if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
950 		if (xpermd->driver != node->datum.u.xperms->driver)
951 			return;
952 	} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
953 		if (!security_xperm_test(node->datum.u.xperms->perms.p,
954 					xpermd->driver))
955 			return;
956 	} else {
957 		BUG();
958 	}
959 
960 	if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
961 		xpermd->used |= XPERMS_ALLOWED;
962 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
963 			memset(xpermd->allowed->p, 0xff,
964 					sizeof(xpermd->allowed->p));
965 		}
966 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
967 			for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
968 				xpermd->allowed->p[i] |=
969 					node->datum.u.xperms->perms.p[i];
970 		}
971 	} else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
972 		xpermd->used |= XPERMS_AUDITALLOW;
973 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
974 			memset(xpermd->auditallow->p, 0xff,
975 					sizeof(xpermd->auditallow->p));
976 		}
977 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
978 			for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
979 				xpermd->auditallow->p[i] |=
980 					node->datum.u.xperms->perms.p[i];
981 		}
982 	} else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
983 		xpermd->used |= XPERMS_DONTAUDIT;
984 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
985 			memset(xpermd->dontaudit->p, 0xff,
986 					sizeof(xpermd->dontaudit->p));
987 		}
988 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
989 			for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
990 				xpermd->dontaudit->p[i] |=
991 					node->datum.u.xperms->perms.p[i];
992 		}
993 	} else {
994 		BUG();
995 	}
996 }
997 
998 void security_compute_xperms_decision(u32 ssid,
999 				u32 tsid,
1000 				u16 orig_tclass,
1001 				u8 driver,
1002 				struct extended_perms_decision *xpermd)
1003 {
1004 	u16 tclass;
1005 	struct context *scontext, *tcontext;
1006 	struct avtab_key avkey;
1007 	struct avtab_node *node;
1008 	struct ebitmap *sattr, *tattr;
1009 	struct ebitmap_node *snode, *tnode;
1010 	unsigned int i, j;
1011 
1012 	xpermd->driver = driver;
1013 	xpermd->used = 0;
1014 	memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
1015 	memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
1016 	memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
1017 
1018 	read_lock(&policy_rwlock);
1019 	if (!ss_initialized)
1020 		goto allow;
1021 
1022 	scontext = sidtab_search(&sidtab, ssid);
1023 	if (!scontext) {
1024 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1025 		       __func__, ssid);
1026 		goto out;
1027 	}
1028 
1029 	tcontext = sidtab_search(&sidtab, tsid);
1030 	if (!tcontext) {
1031 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1032 		       __func__, tsid);
1033 		goto out;
1034 	}
1035 
1036 	tclass = unmap_class(orig_tclass);
1037 	if (unlikely(orig_tclass && !tclass)) {
1038 		if (policydb.allow_unknown)
1039 			goto allow;
1040 		goto out;
1041 	}
1042 
1043 
1044 	if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
1045 		pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);
1046 		goto out;
1047 	}
1048 
1049 	avkey.target_class = tclass;
1050 	avkey.specified = AVTAB_XPERMS;
1051 	sattr = flex_array_get(policydb.type_attr_map_array,
1052 				scontext->type - 1);
1053 	BUG_ON(!sattr);
1054 	tattr = flex_array_get(policydb.type_attr_map_array,
1055 				tcontext->type - 1);
1056 	BUG_ON(!tattr);
1057 	ebitmap_for_each_positive_bit(sattr, snode, i) {
1058 		ebitmap_for_each_positive_bit(tattr, tnode, j) {
1059 			avkey.source_type = i + 1;
1060 			avkey.target_type = j + 1;
1061 			for (node = avtab_search_node(&policydb.te_avtab, &avkey);
1062 			     node;
1063 			     node = avtab_search_node_next(node, avkey.specified))
1064 				services_compute_xperms_decision(xpermd, node);
1065 
1066 			cond_compute_xperms(&policydb.te_cond_avtab,
1067 						&avkey, xpermd);
1068 		}
1069 	}
1070 out:
1071 	read_unlock(&policy_rwlock);
1072 	return;
1073 allow:
1074 	memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
1075 	goto out;
1076 }
1077 
1078 /**
1079  * security_compute_av - Compute access vector decisions.
1080  * @ssid: source security identifier
1081  * @tsid: target security identifier
1082  * @tclass: target security class
1083  * @avd: access vector decisions
1084  * @xperms: extended permissions
1085  *
1086  * Compute a set of access vector decisions based on the
1087  * SID pair (@ssid, @tsid) for the permissions in @tclass.
1088  */
1089 void security_compute_av(u32 ssid,
1090 			 u32 tsid,
1091 			 u16 orig_tclass,
1092 			 struct av_decision *avd,
1093 			 struct extended_perms *xperms)
1094 {
1095 	u16 tclass;
1096 	struct context *scontext = NULL, *tcontext = NULL;
1097 
1098 	read_lock(&policy_rwlock);
1099 	avd_init(avd);
1100 	xperms->len = 0;
1101 	if (!ss_initialized)
1102 		goto allow;
1103 
1104 	scontext = sidtab_search(&sidtab, ssid);
1105 	if (!scontext) {
1106 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1107 		       __func__, ssid);
1108 		goto out;
1109 	}
1110 
1111 	/* permissive domain? */
1112 	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1113 		avd->flags |= AVD_FLAGS_PERMISSIVE;
1114 
1115 	tcontext = sidtab_search(&sidtab, tsid);
1116 	if (!tcontext) {
1117 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1118 		       __func__, tsid);
1119 		goto out;
1120 	}
1121 
1122 	tclass = unmap_class(orig_tclass);
1123 	if (unlikely(orig_tclass && !tclass)) {
1124 		if (policydb.allow_unknown)
1125 			goto allow;
1126 		goto out;
1127 	}
1128 	context_struct_compute_av(scontext, tcontext, tclass, avd, xperms);
1129 	map_decision(orig_tclass, avd, policydb.allow_unknown);
1130 out:
1131 	read_unlock(&policy_rwlock);
1132 	return;
1133 allow:
1134 	avd->allowed = 0xffffffff;
1135 	goto out;
1136 }
1137 
1138 void security_compute_av_user(u32 ssid,
1139 			      u32 tsid,
1140 			      u16 tclass,
1141 			      struct av_decision *avd)
1142 {
1143 	struct context *scontext = NULL, *tcontext = NULL;
1144 
1145 	read_lock(&policy_rwlock);
1146 	avd_init(avd);
1147 	if (!ss_initialized)
1148 		goto allow;
1149 
1150 	scontext = sidtab_search(&sidtab, ssid);
1151 	if (!scontext) {
1152 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1153 		       __func__, ssid);
1154 		goto out;
1155 	}
1156 
1157 	/* permissive domain? */
1158 	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1159 		avd->flags |= AVD_FLAGS_PERMISSIVE;
1160 
1161 	tcontext = sidtab_search(&sidtab, tsid);
1162 	if (!tcontext) {
1163 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1164 		       __func__, tsid);
1165 		goto out;
1166 	}
1167 
1168 	if (unlikely(!tclass)) {
1169 		if (policydb.allow_unknown)
1170 			goto allow;
1171 		goto out;
1172 	}
1173 
1174 	context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
1175  out:
1176 	read_unlock(&policy_rwlock);
1177 	return;
1178 allow:
1179 	avd->allowed = 0xffffffff;
1180 	goto out;
1181 }
1182 
1183 /*
1184  * Write the security context string representation of
1185  * the context structure `context' into a dynamically
1186  * allocated string of the correct size.  Set `*scontext'
1187  * to point to this string and set `*scontext_len' to
1188  * the length of the string.
1189  */
1190 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1191 {
1192 	char *scontextp;
1193 
1194 	if (scontext)
1195 		*scontext = NULL;
1196 	*scontext_len = 0;
1197 
1198 	if (context->len) {
1199 		*scontext_len = context->len;
1200 		if (scontext) {
1201 			*scontext = kstrdup(context->str, GFP_ATOMIC);
1202 			if (!(*scontext))
1203 				return -ENOMEM;
1204 		}
1205 		return 0;
1206 	}
1207 
1208 	/* Compute the size of the context. */
1209 	*scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1210 	*scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1211 	*scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1212 	*scontext_len += mls_compute_context_len(context);
1213 
1214 	if (!scontext)
1215 		return 0;
1216 
1217 	/* Allocate space for the context; caller must free this space. */
1218 	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1219 	if (!scontextp)
1220 		return -ENOMEM;
1221 	*scontext = scontextp;
1222 
1223 	/*
1224 	 * Copy the user name, role name and type name into the context.
1225 	 */
1226 	scontextp += sprintf(scontextp, "%s:%s:%s",
1227 		sym_name(&policydb, SYM_USERS, context->user - 1),
1228 		sym_name(&policydb, SYM_ROLES, context->role - 1),
1229 		sym_name(&policydb, SYM_TYPES, context->type - 1));
1230 
1231 	mls_sid_to_context(context, &scontextp);
1232 
1233 	*scontextp = 0;
1234 
1235 	return 0;
1236 }
1237 
1238 #include "initial_sid_to_string.h"
1239 
1240 const char *security_get_initial_sid_context(u32 sid)
1241 {
1242 	if (unlikely(sid > SECINITSID_NUM))
1243 		return NULL;
1244 	return initial_sid_to_string[sid];
1245 }
1246 
1247 static int security_sid_to_context_core(u32 sid, char **scontext,
1248 					u32 *scontext_len, int force)
1249 {
1250 	struct context *context;
1251 	int rc = 0;
1252 
1253 	if (scontext)
1254 		*scontext = NULL;
1255 	*scontext_len  = 0;
1256 
1257 	if (!ss_initialized) {
1258 		if (sid <= SECINITSID_NUM) {
1259 			char *scontextp;
1260 
1261 			*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1262 			if (!scontext)
1263 				goto out;
1264 			scontextp = kmemdup(initial_sid_to_string[sid],
1265 					    *scontext_len, GFP_ATOMIC);
1266 			if (!scontextp) {
1267 				rc = -ENOMEM;
1268 				goto out;
1269 			}
1270 			*scontext = scontextp;
1271 			goto out;
1272 		}
1273 		printk(KERN_ERR "SELinux: %s:  called before initial "
1274 		       "load_policy on unknown SID %d\n", __func__, sid);
1275 		rc = -EINVAL;
1276 		goto out;
1277 	}
1278 	read_lock(&policy_rwlock);
1279 	if (force)
1280 		context = sidtab_search_force(&sidtab, sid);
1281 	else
1282 		context = sidtab_search(&sidtab, sid);
1283 	if (!context) {
1284 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1285 			__func__, sid);
1286 		rc = -EINVAL;
1287 		goto out_unlock;
1288 	}
1289 	rc = context_struct_to_string(context, scontext, scontext_len);
1290 out_unlock:
1291 	read_unlock(&policy_rwlock);
1292 out:
1293 	return rc;
1294 
1295 }
1296 
1297 /**
1298  * security_sid_to_context - Obtain a context for a given SID.
1299  * @sid: security identifier, SID
1300  * @scontext: security context
1301  * @scontext_len: length in bytes
1302  *
1303  * Write the string representation of the context associated with @sid
1304  * into a dynamically allocated string of the correct size.  Set @scontext
1305  * to point to this string and set @scontext_len to the length of the string.
1306  */
1307 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1308 {
1309 	return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1310 }
1311 
1312 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1313 {
1314 	return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1315 }
1316 
1317 /*
1318  * Caveat:  Mutates scontext.
1319  */
1320 static int string_to_context_struct(struct policydb *pol,
1321 				    struct sidtab *sidtabp,
1322 				    char *scontext,
1323 				    u32 scontext_len,
1324 				    struct context *ctx,
1325 				    u32 def_sid)
1326 {
1327 	struct role_datum *role;
1328 	struct type_datum *typdatum;
1329 	struct user_datum *usrdatum;
1330 	char *scontextp, *p, oldc;
1331 	int rc = 0;
1332 
1333 	context_init(ctx);
1334 
1335 	/* Parse the security context. */
1336 
1337 	rc = -EINVAL;
1338 	scontextp = (char *) scontext;
1339 
1340 	/* Extract the user. */
1341 	p = scontextp;
1342 	while (*p && *p != ':')
1343 		p++;
1344 
1345 	if (*p == 0)
1346 		goto out;
1347 
1348 	*p++ = 0;
1349 
1350 	usrdatum = hashtab_search(pol->p_users.table, scontextp);
1351 	if (!usrdatum)
1352 		goto out;
1353 
1354 	ctx->user = usrdatum->value;
1355 
1356 	/* Extract role. */
1357 	scontextp = p;
1358 	while (*p && *p != ':')
1359 		p++;
1360 
1361 	if (*p == 0)
1362 		goto out;
1363 
1364 	*p++ = 0;
1365 
1366 	role = hashtab_search(pol->p_roles.table, scontextp);
1367 	if (!role)
1368 		goto out;
1369 	ctx->role = role->value;
1370 
1371 	/* Extract type. */
1372 	scontextp = p;
1373 	while (*p && *p != ':')
1374 		p++;
1375 	oldc = *p;
1376 	*p++ = 0;
1377 
1378 	typdatum = hashtab_search(pol->p_types.table, scontextp);
1379 	if (!typdatum || typdatum->attribute)
1380 		goto out;
1381 
1382 	ctx->type = typdatum->value;
1383 
1384 	rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1385 	if (rc)
1386 		goto out;
1387 
1388 	rc = -EINVAL;
1389 	if ((p - scontext) < scontext_len)
1390 		goto out;
1391 
1392 	/* Check the validity of the new context. */
1393 	if (!policydb_context_isvalid(pol, ctx))
1394 		goto out;
1395 	rc = 0;
1396 out:
1397 	if (rc)
1398 		context_destroy(ctx);
1399 	return rc;
1400 }
1401 
1402 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1403 					u32 *sid, u32 def_sid, gfp_t gfp_flags,
1404 					int force)
1405 {
1406 	char *scontext2, *str = NULL;
1407 	struct context context;
1408 	int rc = 0;
1409 
1410 	/* An empty security context is never valid. */
1411 	if (!scontext_len)
1412 		return -EINVAL;
1413 
1414 	if (!ss_initialized) {
1415 		int i;
1416 
1417 		for (i = 1; i < SECINITSID_NUM; i++) {
1418 			if (!strcmp(initial_sid_to_string[i], scontext)) {
1419 				*sid = i;
1420 				return 0;
1421 			}
1422 		}
1423 		*sid = SECINITSID_KERNEL;
1424 		return 0;
1425 	}
1426 	*sid = SECSID_NULL;
1427 
1428 	/* Copy the string so that we can modify the copy as we parse it. */
1429 	scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1430 	if (!scontext2)
1431 		return -ENOMEM;
1432 	memcpy(scontext2, scontext, scontext_len);
1433 	scontext2[scontext_len] = 0;
1434 
1435 	if (force) {
1436 		/* Save another copy for storing in uninterpreted form */
1437 		rc = -ENOMEM;
1438 		str = kstrdup(scontext2, gfp_flags);
1439 		if (!str)
1440 			goto out;
1441 	}
1442 
1443 	read_lock(&policy_rwlock);
1444 	rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1445 				      scontext_len, &context, def_sid);
1446 	if (rc == -EINVAL && force) {
1447 		context.str = str;
1448 		context.len = scontext_len;
1449 		str = NULL;
1450 	} else if (rc)
1451 		goto out_unlock;
1452 	rc = sidtab_context_to_sid(&sidtab, &context, sid);
1453 	context_destroy(&context);
1454 out_unlock:
1455 	read_unlock(&policy_rwlock);
1456 out:
1457 	kfree(scontext2);
1458 	kfree(str);
1459 	return rc;
1460 }
1461 
1462 /**
1463  * security_context_to_sid - Obtain a SID for a given security context.
1464  * @scontext: security context
1465  * @scontext_len: length in bytes
1466  * @sid: security identifier, SID
1467  * @gfp: context for the allocation
1468  *
1469  * Obtains a SID associated with the security context that
1470  * has the string representation specified by @scontext.
1471  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1472  * memory is available, or 0 on success.
1473  */
1474 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
1475 			    gfp_t gfp)
1476 {
1477 	return security_context_to_sid_core(scontext, scontext_len,
1478 					    sid, SECSID_NULL, gfp, 0);
1479 }
1480 
1481 int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)
1482 {
1483 	return security_context_to_sid(scontext, strlen(scontext), sid, gfp);
1484 }
1485 
1486 /**
1487  * security_context_to_sid_default - Obtain a SID for a given security context,
1488  * falling back to specified default if needed.
1489  *
1490  * @scontext: security context
1491  * @scontext_len: length in bytes
1492  * @sid: security identifier, SID
1493  * @def_sid: default SID to assign on error
1494  *
1495  * Obtains a SID associated with the security context that
1496  * has the string representation specified by @scontext.
1497  * The default SID is passed to the MLS layer to be used to allow
1498  * kernel labeling of the MLS field if the MLS field is not present
1499  * (for upgrading to MLS without full relabel).
1500  * Implicitly forces adding of the context even if it cannot be mapped yet.
1501  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1502  * memory is available, or 0 on success.
1503  */
1504 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1505 				    u32 *sid, u32 def_sid, gfp_t gfp_flags)
1506 {
1507 	return security_context_to_sid_core(scontext, scontext_len,
1508 					    sid, def_sid, gfp_flags, 1);
1509 }
1510 
1511 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1512 				  u32 *sid)
1513 {
1514 	return security_context_to_sid_core(scontext, scontext_len,
1515 					    sid, SECSID_NULL, GFP_KERNEL, 1);
1516 }
1517 
1518 static int compute_sid_handle_invalid_context(
1519 	struct context *scontext,
1520 	struct context *tcontext,
1521 	u16 tclass,
1522 	struct context *newcontext)
1523 {
1524 	char *s = NULL, *t = NULL, *n = NULL;
1525 	u32 slen, tlen, nlen;
1526 
1527 	if (context_struct_to_string(scontext, &s, &slen))
1528 		goto out;
1529 	if (context_struct_to_string(tcontext, &t, &tlen))
1530 		goto out;
1531 	if (context_struct_to_string(newcontext, &n, &nlen))
1532 		goto out;
1533 	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1534 		  "op=security_compute_sid invalid_context=%s"
1535 		  " scontext=%s"
1536 		  " tcontext=%s"
1537 		  " tclass=%s",
1538 		  n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1539 out:
1540 	kfree(s);
1541 	kfree(t);
1542 	kfree(n);
1543 	if (!selinux_enforcing)
1544 		return 0;
1545 	return -EACCES;
1546 }
1547 
1548 static void filename_compute_type(struct policydb *p, struct context *newcontext,
1549 				  u32 stype, u32 ttype, u16 tclass,
1550 				  const char *objname)
1551 {
1552 	struct filename_trans ft;
1553 	struct filename_trans_datum *otype;
1554 
1555 	/*
1556 	 * Most filename trans rules are going to live in specific directories
1557 	 * like /dev or /var/run.  This bitmap will quickly skip rule searches
1558 	 * if the ttype does not contain any rules.
1559 	 */
1560 	if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
1561 		return;
1562 
1563 	ft.stype = stype;
1564 	ft.ttype = ttype;
1565 	ft.tclass = tclass;
1566 	ft.name = objname;
1567 
1568 	otype = hashtab_search(p->filename_trans, &ft);
1569 	if (otype)
1570 		newcontext->type = otype->otype;
1571 }
1572 
1573 static int security_compute_sid(u32 ssid,
1574 				u32 tsid,
1575 				u16 orig_tclass,
1576 				u32 specified,
1577 				const char *objname,
1578 				u32 *out_sid,
1579 				bool kern)
1580 {
1581 	struct class_datum *cladatum = NULL;
1582 	struct context *scontext = NULL, *tcontext = NULL, newcontext;
1583 	struct role_trans *roletr = NULL;
1584 	struct avtab_key avkey;
1585 	struct avtab_datum *avdatum;
1586 	struct avtab_node *node;
1587 	u16 tclass;
1588 	int rc = 0;
1589 	bool sock;
1590 
1591 	if (!ss_initialized) {
1592 		switch (orig_tclass) {
1593 		case SECCLASS_PROCESS: /* kernel value */
1594 			*out_sid = ssid;
1595 			break;
1596 		default:
1597 			*out_sid = tsid;
1598 			break;
1599 		}
1600 		goto out;
1601 	}
1602 
1603 	context_init(&newcontext);
1604 
1605 	read_lock(&policy_rwlock);
1606 
1607 	if (kern) {
1608 		tclass = unmap_class(orig_tclass);
1609 		sock = security_is_socket_class(orig_tclass);
1610 	} else {
1611 		tclass = orig_tclass;
1612 		sock = security_is_socket_class(map_class(tclass));
1613 	}
1614 
1615 	scontext = sidtab_search(&sidtab, ssid);
1616 	if (!scontext) {
1617 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1618 		       __func__, ssid);
1619 		rc = -EINVAL;
1620 		goto out_unlock;
1621 	}
1622 	tcontext = sidtab_search(&sidtab, tsid);
1623 	if (!tcontext) {
1624 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1625 		       __func__, tsid);
1626 		rc = -EINVAL;
1627 		goto out_unlock;
1628 	}
1629 
1630 	if (tclass && tclass <= policydb.p_classes.nprim)
1631 		cladatum = policydb.class_val_to_struct[tclass - 1];
1632 
1633 	/* Set the user identity. */
1634 	switch (specified) {
1635 	case AVTAB_TRANSITION:
1636 	case AVTAB_CHANGE:
1637 		if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1638 			newcontext.user = tcontext->user;
1639 		} else {
1640 			/* notice this gets both DEFAULT_SOURCE and unset */
1641 			/* Use the process user identity. */
1642 			newcontext.user = scontext->user;
1643 		}
1644 		break;
1645 	case AVTAB_MEMBER:
1646 		/* Use the related object owner. */
1647 		newcontext.user = tcontext->user;
1648 		break;
1649 	}
1650 
1651 	/* Set the role to default values. */
1652 	if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1653 		newcontext.role = scontext->role;
1654 	} else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1655 		newcontext.role = tcontext->role;
1656 	} else {
1657 		if ((tclass == policydb.process_class) || (sock == true))
1658 			newcontext.role = scontext->role;
1659 		else
1660 			newcontext.role = OBJECT_R_VAL;
1661 	}
1662 
1663 	/* Set the type to default values. */
1664 	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1665 		newcontext.type = scontext->type;
1666 	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1667 		newcontext.type = tcontext->type;
1668 	} else {
1669 		if ((tclass == policydb.process_class) || (sock == true)) {
1670 			/* Use the type of process. */
1671 			newcontext.type = scontext->type;
1672 		} else {
1673 			/* Use the type of the related object. */
1674 			newcontext.type = tcontext->type;
1675 		}
1676 	}
1677 
1678 	/* Look for a type transition/member/change rule. */
1679 	avkey.source_type = scontext->type;
1680 	avkey.target_type = tcontext->type;
1681 	avkey.target_class = tclass;
1682 	avkey.specified = specified;
1683 	avdatum = avtab_search(&policydb.te_avtab, &avkey);
1684 
1685 	/* If no permanent rule, also check for enabled conditional rules */
1686 	if (!avdatum) {
1687 		node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1688 		for (; node; node = avtab_search_node_next(node, specified)) {
1689 			if (node->key.specified & AVTAB_ENABLED) {
1690 				avdatum = &node->datum;
1691 				break;
1692 			}
1693 		}
1694 	}
1695 
1696 	if (avdatum) {
1697 		/* Use the type from the type transition/member/change rule. */
1698 		newcontext.type = avdatum->u.data;
1699 	}
1700 
1701 	/* if we have a objname this is a file trans check so check those rules */
1702 	if (objname)
1703 		filename_compute_type(&policydb, &newcontext, scontext->type,
1704 				      tcontext->type, tclass, objname);
1705 
1706 	/* Check for class-specific changes. */
1707 	if (specified & AVTAB_TRANSITION) {
1708 		/* Look for a role transition rule. */
1709 		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
1710 			if ((roletr->role == scontext->role) &&
1711 			    (roletr->type == tcontext->type) &&
1712 			    (roletr->tclass == tclass)) {
1713 				/* Use the role transition rule. */
1714 				newcontext.role = roletr->new_role;
1715 				break;
1716 			}
1717 		}
1718 	}
1719 
1720 	/* Set the MLS attributes.
1721 	   This is done last because it may allocate memory. */
1722 	rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1723 			     &newcontext, sock);
1724 	if (rc)
1725 		goto out_unlock;
1726 
1727 	/* Check the validity of the context. */
1728 	if (!policydb_context_isvalid(&policydb, &newcontext)) {
1729 		rc = compute_sid_handle_invalid_context(scontext,
1730 							tcontext,
1731 							tclass,
1732 							&newcontext);
1733 		if (rc)
1734 			goto out_unlock;
1735 	}
1736 	/* Obtain the sid for the context. */
1737 	rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1738 out_unlock:
1739 	read_unlock(&policy_rwlock);
1740 	context_destroy(&newcontext);
1741 out:
1742 	return rc;
1743 }
1744 
1745 /**
1746  * security_transition_sid - Compute the SID for a new subject/object.
1747  * @ssid: source security identifier
1748  * @tsid: target security identifier
1749  * @tclass: target security class
1750  * @out_sid: security identifier for new subject/object
1751  *
1752  * Compute a SID to use for labeling a new subject or object in the
1753  * class @tclass based on a SID pair (@ssid, @tsid).
1754  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1755  * if insufficient memory is available, or %0 if the new SID was
1756  * computed successfully.
1757  */
1758 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1759 			    const struct qstr *qstr, u32 *out_sid)
1760 {
1761 	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1762 				    qstr ? qstr->name : NULL, out_sid, true);
1763 }
1764 
1765 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1766 				 const char *objname, u32 *out_sid)
1767 {
1768 	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1769 				    objname, out_sid, false);
1770 }
1771 
1772 /**
1773  * security_member_sid - Compute the SID for member selection.
1774  * @ssid: source security identifier
1775  * @tsid: target security identifier
1776  * @tclass: target security class
1777  * @out_sid: security identifier for selected member
1778  *
1779  * Compute a SID to use when selecting a member of a polyinstantiated
1780  * object of class @tclass based on a SID pair (@ssid, @tsid).
1781  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1782  * if insufficient memory is available, or %0 if the SID was
1783  * computed successfully.
1784  */
1785 int security_member_sid(u32 ssid,
1786 			u32 tsid,
1787 			u16 tclass,
1788 			u32 *out_sid)
1789 {
1790 	return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1791 				    out_sid, false);
1792 }
1793 
1794 /**
1795  * security_change_sid - Compute the SID for object relabeling.
1796  * @ssid: source security identifier
1797  * @tsid: target security identifier
1798  * @tclass: target security class
1799  * @out_sid: security identifier for selected member
1800  *
1801  * Compute a SID to use for relabeling an object of class @tclass
1802  * based on a SID pair (@ssid, @tsid).
1803  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1804  * if insufficient memory is available, or %0 if the SID was
1805  * computed successfully.
1806  */
1807 int security_change_sid(u32 ssid,
1808 			u32 tsid,
1809 			u16 tclass,
1810 			u32 *out_sid)
1811 {
1812 	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1813 				    out_sid, false);
1814 }
1815 
1816 /* Clone the SID into the new SID table. */
1817 static int clone_sid(u32 sid,
1818 		     struct context *context,
1819 		     void *arg)
1820 {
1821 	struct sidtab *s = arg;
1822 
1823 	if (sid > SECINITSID_NUM)
1824 		return sidtab_insert(s, sid, context);
1825 	else
1826 		return 0;
1827 }
1828 
1829 static inline int convert_context_handle_invalid_context(struct context *context)
1830 {
1831 	char *s;
1832 	u32 len;
1833 
1834 	if (selinux_enforcing)
1835 		return -EINVAL;
1836 
1837 	if (!context_struct_to_string(context, &s, &len)) {
1838 		printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1839 		kfree(s);
1840 	}
1841 	return 0;
1842 }
1843 
1844 struct convert_context_args {
1845 	struct policydb *oldp;
1846 	struct policydb *newp;
1847 };
1848 
1849 /*
1850  * Convert the values in the security context
1851  * structure `c' from the values specified
1852  * in the policy `p->oldp' to the values specified
1853  * in the policy `p->newp'.  Verify that the
1854  * context is valid under the new policy.
1855  */
1856 static int convert_context(u32 key,
1857 			   struct context *c,
1858 			   void *p)
1859 {
1860 	struct convert_context_args *args;
1861 	struct context oldc;
1862 	struct ocontext *oc;
1863 	struct mls_range *range;
1864 	struct role_datum *role;
1865 	struct type_datum *typdatum;
1866 	struct user_datum *usrdatum;
1867 	char *s;
1868 	u32 len;
1869 	int rc = 0;
1870 
1871 	if (key <= SECINITSID_NUM)
1872 		goto out;
1873 
1874 	args = p;
1875 
1876 	if (c->str) {
1877 		struct context ctx;
1878 
1879 		rc = -ENOMEM;
1880 		s = kstrdup(c->str, GFP_KERNEL);
1881 		if (!s)
1882 			goto out;
1883 
1884 		rc = string_to_context_struct(args->newp, NULL, s,
1885 					      c->len, &ctx, SECSID_NULL);
1886 		kfree(s);
1887 		if (!rc) {
1888 			printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1889 			       c->str);
1890 			/* Replace string with mapped representation. */
1891 			kfree(c->str);
1892 			memcpy(c, &ctx, sizeof(*c));
1893 			goto out;
1894 		} else if (rc == -EINVAL) {
1895 			/* Retain string representation for later mapping. */
1896 			rc = 0;
1897 			goto out;
1898 		} else {
1899 			/* Other error condition, e.g. ENOMEM. */
1900 			printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1901 			       c->str, -rc);
1902 			goto out;
1903 		}
1904 	}
1905 
1906 	rc = context_cpy(&oldc, c);
1907 	if (rc)
1908 		goto out;
1909 
1910 	/* Convert the user. */
1911 	rc = -EINVAL;
1912 	usrdatum = hashtab_search(args->newp->p_users.table,
1913 				  sym_name(args->oldp, SYM_USERS, c->user - 1));
1914 	if (!usrdatum)
1915 		goto bad;
1916 	c->user = usrdatum->value;
1917 
1918 	/* Convert the role. */
1919 	rc = -EINVAL;
1920 	role = hashtab_search(args->newp->p_roles.table,
1921 			      sym_name(args->oldp, SYM_ROLES, c->role - 1));
1922 	if (!role)
1923 		goto bad;
1924 	c->role = role->value;
1925 
1926 	/* Convert the type. */
1927 	rc = -EINVAL;
1928 	typdatum = hashtab_search(args->newp->p_types.table,
1929 				  sym_name(args->oldp, SYM_TYPES, c->type - 1));
1930 	if (!typdatum)
1931 		goto bad;
1932 	c->type = typdatum->value;
1933 
1934 	/* Convert the MLS fields if dealing with MLS policies */
1935 	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1936 		rc = mls_convert_context(args->oldp, args->newp, c);
1937 		if (rc)
1938 			goto bad;
1939 	} else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1940 		/*
1941 		 * Switching between MLS and non-MLS policy:
1942 		 * free any storage used by the MLS fields in the
1943 		 * context for all existing entries in the sidtab.
1944 		 */
1945 		mls_context_destroy(c);
1946 	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1947 		/*
1948 		 * Switching between non-MLS and MLS policy:
1949 		 * ensure that the MLS fields of the context for all
1950 		 * existing entries in the sidtab are filled in with a
1951 		 * suitable default value, likely taken from one of the
1952 		 * initial SIDs.
1953 		 */
1954 		oc = args->newp->ocontexts[OCON_ISID];
1955 		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1956 			oc = oc->next;
1957 		rc = -EINVAL;
1958 		if (!oc) {
1959 			printk(KERN_ERR "SELinux:  unable to look up"
1960 				" the initial SIDs list\n");
1961 			goto bad;
1962 		}
1963 		range = &oc->context[0].range;
1964 		rc = mls_range_set(c, range);
1965 		if (rc)
1966 			goto bad;
1967 	}
1968 
1969 	/* Check the validity of the new context. */
1970 	if (!policydb_context_isvalid(args->newp, c)) {
1971 		rc = convert_context_handle_invalid_context(&oldc);
1972 		if (rc)
1973 			goto bad;
1974 	}
1975 
1976 	context_destroy(&oldc);
1977 
1978 	rc = 0;
1979 out:
1980 	return rc;
1981 bad:
1982 	/* Map old representation to string and save it. */
1983 	rc = context_struct_to_string(&oldc, &s, &len);
1984 	if (rc)
1985 		return rc;
1986 	context_destroy(&oldc);
1987 	context_destroy(c);
1988 	c->str = s;
1989 	c->len = len;
1990 	printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
1991 	       c->str);
1992 	rc = 0;
1993 	goto out;
1994 }
1995 
1996 static void security_load_policycaps(void)
1997 {
1998 	unsigned int i;
1999 	struct ebitmap_node *node;
2000 
2001 	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
2002 						  POLICYDB_CAPABILITY_NETPEER);
2003 	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
2004 						  POLICYDB_CAPABILITY_OPENPERM);
2005 	selinux_policycap_extsockclass = ebitmap_get_bit(&policydb.policycaps,
2006 					  POLICYDB_CAPABILITY_EXTSOCKCLASS);
2007 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
2008 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
2009 	selinux_policycap_cgroupseclabel =
2010 		ebitmap_get_bit(&policydb.policycaps,
2011 				POLICYDB_CAPABILITY_CGROUPSECLABEL);
2012 
2013 	for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
2014 		pr_info("SELinux:  policy capability %s=%d\n",
2015 			selinux_policycap_names[i],
2016 			ebitmap_get_bit(&policydb.policycaps, i));
2017 
2018 	ebitmap_for_each_positive_bit(&policydb.policycaps, node, i) {
2019 		if (i >= ARRAY_SIZE(selinux_policycap_names))
2020 			pr_info("SELinux:  unknown policy capability %u\n",
2021 				i);
2022 	}
2023 }
2024 
2025 static int security_preserve_bools(struct policydb *p);
2026 
2027 /**
2028  * security_load_policy - Load a security policy configuration.
2029  * @data: binary policy data
2030  * @len: length of data in bytes
2031  *
2032  * Load a new set of security policy configuration data,
2033  * validate it and convert the SID table as necessary.
2034  * This function will flush the access vector cache after
2035  * loading the new policy.
2036  */
2037 int security_load_policy(void *data, size_t len)
2038 {
2039 	struct policydb *oldpolicydb, *newpolicydb;
2040 	struct sidtab oldsidtab, newsidtab;
2041 	struct selinux_mapping *oldmap, *map = NULL;
2042 	struct convert_context_args args;
2043 	u32 seqno;
2044 	u16 map_size;
2045 	int rc = 0;
2046 	struct policy_file file = { data, len }, *fp = &file;
2047 
2048 	oldpolicydb = kzalloc(2 * sizeof(*oldpolicydb), GFP_KERNEL);
2049 	if (!oldpolicydb) {
2050 		rc = -ENOMEM;
2051 		goto out;
2052 	}
2053 	newpolicydb = oldpolicydb + 1;
2054 
2055 	if (!ss_initialized) {
2056 		avtab_cache_init();
2057 		ebitmap_cache_init();
2058 		rc = policydb_read(&policydb, fp);
2059 		if (rc) {
2060 			avtab_cache_destroy();
2061 			ebitmap_cache_destroy();
2062 			goto out;
2063 		}
2064 
2065 		policydb.len = len;
2066 		rc = selinux_set_mapping(&policydb, secclass_map,
2067 					 &current_mapping,
2068 					 &current_mapping_size);
2069 		if (rc) {
2070 			policydb_destroy(&policydb);
2071 			avtab_cache_destroy();
2072 			ebitmap_cache_destroy();
2073 			goto out;
2074 		}
2075 
2076 		rc = policydb_load_isids(&policydb, &sidtab);
2077 		if (rc) {
2078 			policydb_destroy(&policydb);
2079 			avtab_cache_destroy();
2080 			ebitmap_cache_destroy();
2081 			goto out;
2082 		}
2083 
2084 		security_load_policycaps();
2085 		ss_initialized = 1;
2086 		seqno = ++latest_granting;
2087 		selinux_complete_init();
2088 		avc_ss_reset(seqno);
2089 		selnl_notify_policyload(seqno);
2090 		selinux_status_update_policyload(seqno);
2091 		selinux_netlbl_cache_invalidate();
2092 		selinux_xfrm_notify_policyload();
2093 		goto out;
2094 	}
2095 
2096 #if 0
2097 	sidtab_hash_eval(&sidtab, "sids");
2098 #endif
2099 
2100 	rc = policydb_read(newpolicydb, fp);
2101 	if (rc)
2102 		goto out;
2103 
2104 	newpolicydb->len = len;
2105 	/* If switching between different policy types, log MLS status */
2106 	if (policydb.mls_enabled && !newpolicydb->mls_enabled)
2107 		printk(KERN_INFO "SELinux: Disabling MLS support...\n");
2108 	else if (!policydb.mls_enabled && newpolicydb->mls_enabled)
2109 		printk(KERN_INFO "SELinux: Enabling MLS support...\n");
2110 
2111 	rc = policydb_load_isids(newpolicydb, &newsidtab);
2112 	if (rc) {
2113 		printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
2114 		policydb_destroy(newpolicydb);
2115 		goto out;
2116 	}
2117 
2118 	rc = selinux_set_mapping(newpolicydb, secclass_map, &map, &map_size);
2119 	if (rc)
2120 		goto err;
2121 
2122 	rc = security_preserve_bools(newpolicydb);
2123 	if (rc) {
2124 		printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
2125 		goto err;
2126 	}
2127 
2128 	/* Clone the SID table. */
2129 	sidtab_shutdown(&sidtab);
2130 
2131 	rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
2132 	if (rc)
2133 		goto err;
2134 
2135 	/*
2136 	 * Convert the internal representations of contexts
2137 	 * in the new SID table.
2138 	 */
2139 	args.oldp = &policydb;
2140 	args.newp = newpolicydb;
2141 	rc = sidtab_map(&newsidtab, convert_context, &args);
2142 	if (rc) {
2143 		printk(KERN_ERR "SELinux:  unable to convert the internal"
2144 			" representation of contexts in the new SID"
2145 			" table\n");
2146 		goto err;
2147 	}
2148 
2149 	/* Save the old policydb and SID table to free later. */
2150 	memcpy(oldpolicydb, &policydb, sizeof(policydb));
2151 	sidtab_set(&oldsidtab, &sidtab);
2152 
2153 	/* Install the new policydb and SID table. */
2154 	write_lock_irq(&policy_rwlock);
2155 	memcpy(&policydb, newpolicydb, sizeof(policydb));
2156 	sidtab_set(&sidtab, &newsidtab);
2157 	security_load_policycaps();
2158 	oldmap = current_mapping;
2159 	current_mapping = map;
2160 	current_mapping_size = map_size;
2161 	seqno = ++latest_granting;
2162 	write_unlock_irq(&policy_rwlock);
2163 
2164 	/* Free the old policydb and SID table. */
2165 	policydb_destroy(oldpolicydb);
2166 	sidtab_destroy(&oldsidtab);
2167 	kfree(oldmap);
2168 
2169 	avc_ss_reset(seqno);
2170 	selnl_notify_policyload(seqno);
2171 	selinux_status_update_policyload(seqno);
2172 	selinux_netlbl_cache_invalidate();
2173 	selinux_xfrm_notify_policyload();
2174 
2175 	rc = 0;
2176 	goto out;
2177 
2178 err:
2179 	kfree(map);
2180 	sidtab_destroy(&newsidtab);
2181 	policydb_destroy(newpolicydb);
2182 
2183 out:
2184 	kfree(oldpolicydb);
2185 	return rc;
2186 }
2187 
2188 size_t security_policydb_len(void)
2189 {
2190 	size_t len;
2191 
2192 	read_lock(&policy_rwlock);
2193 	len = policydb.len;
2194 	read_unlock(&policy_rwlock);
2195 
2196 	return len;
2197 }
2198 
2199 /**
2200  * security_port_sid - Obtain the SID for a port.
2201  * @protocol: protocol number
2202  * @port: port number
2203  * @out_sid: security identifier
2204  */
2205 int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
2206 {
2207 	struct ocontext *c;
2208 	int rc = 0;
2209 
2210 	read_lock(&policy_rwlock);
2211 
2212 	c = policydb.ocontexts[OCON_PORT];
2213 	while (c) {
2214 		if (c->u.port.protocol == protocol &&
2215 		    c->u.port.low_port <= port &&
2216 		    c->u.port.high_port >= port)
2217 			break;
2218 		c = c->next;
2219 	}
2220 
2221 	if (c) {
2222 		if (!c->sid[0]) {
2223 			rc = sidtab_context_to_sid(&sidtab,
2224 						   &c->context[0],
2225 						   &c->sid[0]);
2226 			if (rc)
2227 				goto out;
2228 		}
2229 		*out_sid = c->sid[0];
2230 	} else {
2231 		*out_sid = SECINITSID_PORT;
2232 	}
2233 
2234 out:
2235 	read_unlock(&policy_rwlock);
2236 	return rc;
2237 }
2238 
2239 /**
2240  * security_pkey_sid - Obtain the SID for a pkey.
2241  * @subnet_prefix: Subnet Prefix
2242  * @pkey_num: pkey number
2243  * @out_sid: security identifier
2244  */
2245 int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2246 {
2247 	struct ocontext *c;
2248 	int rc = 0;
2249 
2250 	read_lock(&policy_rwlock);
2251 
2252 	c = policydb.ocontexts[OCON_IBPKEY];
2253 	while (c) {
2254 		if (c->u.ibpkey.low_pkey <= pkey_num &&
2255 		    c->u.ibpkey.high_pkey >= pkey_num &&
2256 		    c->u.ibpkey.subnet_prefix == subnet_prefix)
2257 			break;
2258 
2259 		c = c->next;
2260 	}
2261 
2262 	if (c) {
2263 		if (!c->sid[0]) {
2264 			rc = sidtab_context_to_sid(&sidtab,
2265 						   &c->context[0],
2266 						   &c->sid[0]);
2267 			if (rc)
2268 				goto out;
2269 		}
2270 		*out_sid = c->sid[0];
2271 	} else
2272 		*out_sid = SECINITSID_UNLABELED;
2273 
2274 out:
2275 	read_unlock(&policy_rwlock);
2276 	return rc;
2277 }
2278 
2279 /**
2280  * security_ib_endport_sid - Obtain the SID for a subnet management interface.
2281  * @dev_name: device name
2282  * @port: port number
2283  * @out_sid: security identifier
2284  */
2285 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
2286 {
2287 	struct ocontext *c;
2288 	int rc = 0;
2289 
2290 	read_lock(&policy_rwlock);
2291 
2292 	c = policydb.ocontexts[OCON_IBENDPORT];
2293 	while (c) {
2294 		if (c->u.ibendport.port == port_num &&
2295 		    !strncmp(c->u.ibendport.dev_name,
2296 			     dev_name,
2297 			     IB_DEVICE_NAME_MAX))
2298 			break;
2299 
2300 		c = c->next;
2301 	}
2302 
2303 	if (c) {
2304 		if (!c->sid[0]) {
2305 			rc = sidtab_context_to_sid(&sidtab,
2306 						   &c->context[0],
2307 						   &c->sid[0]);
2308 			if (rc)
2309 				goto out;
2310 		}
2311 		*out_sid = c->sid[0];
2312 	} else
2313 		*out_sid = SECINITSID_UNLABELED;
2314 
2315 out:
2316 	read_unlock(&policy_rwlock);
2317 	return rc;
2318 }
2319 
2320 /**
2321  * security_netif_sid - Obtain the SID for a network interface.
2322  * @name: interface name
2323  * @if_sid: interface SID
2324  */
2325 int security_netif_sid(char *name, u32 *if_sid)
2326 {
2327 	int rc = 0;
2328 	struct ocontext *c;
2329 
2330 	read_lock(&policy_rwlock);
2331 
2332 	c = policydb.ocontexts[OCON_NETIF];
2333 	while (c) {
2334 		if (strcmp(name, c->u.name) == 0)
2335 			break;
2336 		c = c->next;
2337 	}
2338 
2339 	if (c) {
2340 		if (!c->sid[0] || !c->sid[1]) {
2341 			rc = sidtab_context_to_sid(&sidtab,
2342 						  &c->context[0],
2343 						  &c->sid[0]);
2344 			if (rc)
2345 				goto out;
2346 			rc = sidtab_context_to_sid(&sidtab,
2347 						   &c->context[1],
2348 						   &c->sid[1]);
2349 			if (rc)
2350 				goto out;
2351 		}
2352 		*if_sid = c->sid[0];
2353 	} else
2354 		*if_sid = SECINITSID_NETIF;
2355 
2356 out:
2357 	read_unlock(&policy_rwlock);
2358 	return rc;
2359 }
2360 
2361 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2362 {
2363 	int i, fail = 0;
2364 
2365 	for (i = 0; i < 4; i++)
2366 		if (addr[i] != (input[i] & mask[i])) {
2367 			fail = 1;
2368 			break;
2369 		}
2370 
2371 	return !fail;
2372 }
2373 
2374 /**
2375  * security_node_sid - Obtain the SID for a node (host).
2376  * @domain: communication domain aka address family
2377  * @addrp: address
2378  * @addrlen: address length in bytes
2379  * @out_sid: security identifier
2380  */
2381 int security_node_sid(u16 domain,
2382 		      void *addrp,
2383 		      u32 addrlen,
2384 		      u32 *out_sid)
2385 {
2386 	int rc;
2387 	struct ocontext *c;
2388 
2389 	read_lock(&policy_rwlock);
2390 
2391 	switch (domain) {
2392 	case AF_INET: {
2393 		u32 addr;
2394 
2395 		rc = -EINVAL;
2396 		if (addrlen != sizeof(u32))
2397 			goto out;
2398 
2399 		addr = *((u32 *)addrp);
2400 
2401 		c = policydb.ocontexts[OCON_NODE];
2402 		while (c) {
2403 			if (c->u.node.addr == (addr & c->u.node.mask))
2404 				break;
2405 			c = c->next;
2406 		}
2407 		break;
2408 	}
2409 
2410 	case AF_INET6:
2411 		rc = -EINVAL;
2412 		if (addrlen != sizeof(u64) * 2)
2413 			goto out;
2414 		c = policydb.ocontexts[OCON_NODE6];
2415 		while (c) {
2416 			if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2417 						c->u.node6.mask))
2418 				break;
2419 			c = c->next;
2420 		}
2421 		break;
2422 
2423 	default:
2424 		rc = 0;
2425 		*out_sid = SECINITSID_NODE;
2426 		goto out;
2427 	}
2428 
2429 	if (c) {
2430 		if (!c->sid[0]) {
2431 			rc = sidtab_context_to_sid(&sidtab,
2432 						   &c->context[0],
2433 						   &c->sid[0]);
2434 			if (rc)
2435 				goto out;
2436 		}
2437 		*out_sid = c->sid[0];
2438 	} else {
2439 		*out_sid = SECINITSID_NODE;
2440 	}
2441 
2442 	rc = 0;
2443 out:
2444 	read_unlock(&policy_rwlock);
2445 	return rc;
2446 }
2447 
2448 #define SIDS_NEL 25
2449 
2450 /**
2451  * security_get_user_sids - Obtain reachable SIDs for a user.
2452  * @fromsid: starting SID
2453  * @username: username
2454  * @sids: array of reachable SIDs for user
2455  * @nel: number of elements in @sids
2456  *
2457  * Generate the set of SIDs for legal security contexts
2458  * for a given user that can be reached by @fromsid.
2459  * Set *@sids to point to a dynamically allocated
2460  * array containing the set of SIDs.  Set *@nel to the
2461  * number of elements in the array.
2462  */
2463 
2464 int security_get_user_sids(u32 fromsid,
2465 			   char *username,
2466 			   u32 **sids,
2467 			   u32 *nel)
2468 {
2469 	struct context *fromcon, usercon;
2470 	u32 *mysids = NULL, *mysids2, sid;
2471 	u32 mynel = 0, maxnel = SIDS_NEL;
2472 	struct user_datum *user;
2473 	struct role_datum *role;
2474 	struct ebitmap_node *rnode, *tnode;
2475 	int rc = 0, i, j;
2476 
2477 	*sids = NULL;
2478 	*nel = 0;
2479 
2480 	if (!ss_initialized)
2481 		goto out;
2482 
2483 	read_lock(&policy_rwlock);
2484 
2485 	context_init(&usercon);
2486 
2487 	rc = -EINVAL;
2488 	fromcon = sidtab_search(&sidtab, fromsid);
2489 	if (!fromcon)
2490 		goto out_unlock;
2491 
2492 	rc = -EINVAL;
2493 	user = hashtab_search(policydb.p_users.table, username);
2494 	if (!user)
2495 		goto out_unlock;
2496 
2497 	usercon.user = user->value;
2498 
2499 	rc = -ENOMEM;
2500 	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2501 	if (!mysids)
2502 		goto out_unlock;
2503 
2504 	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2505 		role = policydb.role_val_to_struct[i];
2506 		usercon.role = i + 1;
2507 		ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2508 			usercon.type = j + 1;
2509 
2510 			if (mls_setup_user_range(fromcon, user, &usercon))
2511 				continue;
2512 
2513 			rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2514 			if (rc)
2515 				goto out_unlock;
2516 			if (mynel < maxnel) {
2517 				mysids[mynel++] = sid;
2518 			} else {
2519 				rc = -ENOMEM;
2520 				maxnel += SIDS_NEL;
2521 				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2522 				if (!mysids2)
2523 					goto out_unlock;
2524 				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2525 				kfree(mysids);
2526 				mysids = mysids2;
2527 				mysids[mynel++] = sid;
2528 			}
2529 		}
2530 	}
2531 	rc = 0;
2532 out_unlock:
2533 	read_unlock(&policy_rwlock);
2534 	if (rc || !mynel) {
2535 		kfree(mysids);
2536 		goto out;
2537 	}
2538 
2539 	rc = -ENOMEM;
2540 	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2541 	if (!mysids2) {
2542 		kfree(mysids);
2543 		goto out;
2544 	}
2545 	for (i = 0, j = 0; i < mynel; i++) {
2546 		struct av_decision dummy_avd;
2547 		rc = avc_has_perm_noaudit(fromsid, mysids[i],
2548 					  SECCLASS_PROCESS, /* kernel value */
2549 					  PROCESS__TRANSITION, AVC_STRICT,
2550 					  &dummy_avd);
2551 		if (!rc)
2552 			mysids2[j++] = mysids[i];
2553 		cond_resched();
2554 	}
2555 	rc = 0;
2556 	kfree(mysids);
2557 	*sids = mysids2;
2558 	*nel = j;
2559 out:
2560 	return rc;
2561 }
2562 
2563 /**
2564  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2565  * @fstype: filesystem type
2566  * @path: path from root of mount
2567  * @sclass: file security class
2568  * @sid: SID for path
2569  *
2570  * Obtain a SID to use for a file in a filesystem that
2571  * cannot support xattr or use a fixed labeling behavior like
2572  * transition SIDs or task SIDs.
2573  *
2574  * The caller must acquire the policy_rwlock before calling this function.
2575  */
2576 static inline int __security_genfs_sid(const char *fstype,
2577 				       char *path,
2578 				       u16 orig_sclass,
2579 				       u32 *sid)
2580 {
2581 	int len;
2582 	u16 sclass;
2583 	struct genfs *genfs;
2584 	struct ocontext *c;
2585 	int rc, cmp = 0;
2586 
2587 	while (path[0] == '/' && path[1] == '/')
2588 		path++;
2589 
2590 	sclass = unmap_class(orig_sclass);
2591 	*sid = SECINITSID_UNLABELED;
2592 
2593 	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2594 		cmp = strcmp(fstype, genfs->fstype);
2595 		if (cmp <= 0)
2596 			break;
2597 	}
2598 
2599 	rc = -ENOENT;
2600 	if (!genfs || cmp)
2601 		goto out;
2602 
2603 	for (c = genfs->head; c; c = c->next) {
2604 		len = strlen(c->u.name);
2605 		if ((!c->v.sclass || sclass == c->v.sclass) &&
2606 		    (strncmp(c->u.name, path, len) == 0))
2607 			break;
2608 	}
2609 
2610 	rc = -ENOENT;
2611 	if (!c)
2612 		goto out;
2613 
2614 	if (!c->sid[0]) {
2615 		rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2616 		if (rc)
2617 			goto out;
2618 	}
2619 
2620 	*sid = c->sid[0];
2621 	rc = 0;
2622 out:
2623 	return rc;
2624 }
2625 
2626 /**
2627  * security_genfs_sid - Obtain a SID for a file in a filesystem
2628  * @fstype: filesystem type
2629  * @path: path from root of mount
2630  * @sclass: file security class
2631  * @sid: SID for path
2632  *
2633  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2634  * it afterward.
2635  */
2636 int security_genfs_sid(const char *fstype,
2637 		       char *path,
2638 		       u16 orig_sclass,
2639 		       u32 *sid)
2640 {
2641 	int retval;
2642 
2643 	read_lock(&policy_rwlock);
2644 	retval = __security_genfs_sid(fstype, path, orig_sclass, sid);
2645 	read_unlock(&policy_rwlock);
2646 	return retval;
2647 }
2648 
2649 /**
2650  * security_fs_use - Determine how to handle labeling for a filesystem.
2651  * @sb: superblock in question
2652  */
2653 int security_fs_use(struct super_block *sb)
2654 {
2655 	int rc = 0;
2656 	struct ocontext *c;
2657 	struct superblock_security_struct *sbsec = sb->s_security;
2658 	const char *fstype = sb->s_type->name;
2659 
2660 	read_lock(&policy_rwlock);
2661 
2662 	c = policydb.ocontexts[OCON_FSUSE];
2663 	while (c) {
2664 		if (strcmp(fstype, c->u.name) == 0)
2665 			break;
2666 		c = c->next;
2667 	}
2668 
2669 	if (c) {
2670 		sbsec->behavior = c->v.behavior;
2671 		if (!c->sid[0]) {
2672 			rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2673 						   &c->sid[0]);
2674 			if (rc)
2675 				goto out;
2676 		}
2677 		sbsec->sid = c->sid[0];
2678 	} else {
2679 		rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
2680 					  &sbsec->sid);
2681 		if (rc) {
2682 			sbsec->behavior = SECURITY_FS_USE_NONE;
2683 			rc = 0;
2684 		} else {
2685 			sbsec->behavior = SECURITY_FS_USE_GENFS;
2686 		}
2687 	}
2688 
2689 out:
2690 	read_unlock(&policy_rwlock);
2691 	return rc;
2692 }
2693 
2694 int security_get_bools(int *len, char ***names, int **values)
2695 {
2696 	int i, rc;
2697 
2698 	read_lock(&policy_rwlock);
2699 	*names = NULL;
2700 	*values = NULL;
2701 
2702 	rc = 0;
2703 	*len = policydb.p_bools.nprim;
2704 	if (!*len)
2705 		goto out;
2706 
2707 	rc = -ENOMEM;
2708 	*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2709 	if (!*names)
2710 		goto err;
2711 
2712 	rc = -ENOMEM;
2713 	*values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2714 	if (!*values)
2715 		goto err;
2716 
2717 	for (i = 0; i < *len; i++) {
2718 		(*values)[i] = policydb.bool_val_to_struct[i]->state;
2719 
2720 		rc = -ENOMEM;
2721 		(*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), GFP_ATOMIC);
2722 		if (!(*names)[i])
2723 			goto err;
2724 	}
2725 	rc = 0;
2726 out:
2727 	read_unlock(&policy_rwlock);
2728 	return rc;
2729 err:
2730 	if (*names) {
2731 		for (i = 0; i < *len; i++)
2732 			kfree((*names)[i]);
2733 	}
2734 	kfree(*values);
2735 	goto out;
2736 }
2737 
2738 
2739 int security_set_bools(int len, int *values)
2740 {
2741 	int i, rc;
2742 	int lenp, seqno = 0;
2743 	struct cond_node *cur;
2744 
2745 	write_lock_irq(&policy_rwlock);
2746 
2747 	rc = -EFAULT;
2748 	lenp = policydb.p_bools.nprim;
2749 	if (len != lenp)
2750 		goto out;
2751 
2752 	for (i = 0; i < len; i++) {
2753 		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2754 			audit_log(current->audit_context, GFP_ATOMIC,
2755 				AUDIT_MAC_CONFIG_CHANGE,
2756 				"bool=%s val=%d old_val=%d auid=%u ses=%u",
2757 				sym_name(&policydb, SYM_BOOLS, i),
2758 				!!values[i],
2759 				policydb.bool_val_to_struct[i]->state,
2760 				from_kuid(&init_user_ns, audit_get_loginuid(current)),
2761 				audit_get_sessionid(current));
2762 		}
2763 		if (values[i])
2764 			policydb.bool_val_to_struct[i]->state = 1;
2765 		else
2766 			policydb.bool_val_to_struct[i]->state = 0;
2767 	}
2768 
2769 	for (cur = policydb.cond_list; cur; cur = cur->next) {
2770 		rc = evaluate_cond_node(&policydb, cur);
2771 		if (rc)
2772 			goto out;
2773 	}
2774 
2775 	seqno = ++latest_granting;
2776 	rc = 0;
2777 out:
2778 	write_unlock_irq(&policy_rwlock);
2779 	if (!rc) {
2780 		avc_ss_reset(seqno);
2781 		selnl_notify_policyload(seqno);
2782 		selinux_status_update_policyload(seqno);
2783 		selinux_xfrm_notify_policyload();
2784 	}
2785 	return rc;
2786 }
2787 
2788 int security_get_bool_value(int index)
2789 {
2790 	int rc;
2791 	int len;
2792 
2793 	read_lock(&policy_rwlock);
2794 
2795 	rc = -EFAULT;
2796 	len = policydb.p_bools.nprim;
2797 	if (index >= len)
2798 		goto out;
2799 
2800 	rc = policydb.bool_val_to_struct[index]->state;
2801 out:
2802 	read_unlock(&policy_rwlock);
2803 	return rc;
2804 }
2805 
2806 static int security_preserve_bools(struct policydb *p)
2807 {
2808 	int rc, nbools = 0, *bvalues = NULL, i;
2809 	char **bnames = NULL;
2810 	struct cond_bool_datum *booldatum;
2811 	struct cond_node *cur;
2812 
2813 	rc = security_get_bools(&nbools, &bnames, &bvalues);
2814 	if (rc)
2815 		goto out;
2816 	for (i = 0; i < nbools; i++) {
2817 		booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2818 		if (booldatum)
2819 			booldatum->state = bvalues[i];
2820 	}
2821 	for (cur = p->cond_list; cur; cur = cur->next) {
2822 		rc = evaluate_cond_node(p, cur);
2823 		if (rc)
2824 			goto out;
2825 	}
2826 
2827 out:
2828 	if (bnames) {
2829 		for (i = 0; i < nbools; i++)
2830 			kfree(bnames[i]);
2831 	}
2832 	kfree(bnames);
2833 	kfree(bvalues);
2834 	return rc;
2835 }
2836 
2837 /*
2838  * security_sid_mls_copy() - computes a new sid based on the given
2839  * sid and the mls portion of mls_sid.
2840  */
2841 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2842 {
2843 	struct context *context1;
2844 	struct context *context2;
2845 	struct context newcon;
2846 	char *s;
2847 	u32 len;
2848 	int rc;
2849 
2850 	rc = 0;
2851 	if (!ss_initialized || !policydb.mls_enabled) {
2852 		*new_sid = sid;
2853 		goto out;
2854 	}
2855 
2856 	context_init(&newcon);
2857 
2858 	read_lock(&policy_rwlock);
2859 
2860 	rc = -EINVAL;
2861 	context1 = sidtab_search(&sidtab, sid);
2862 	if (!context1) {
2863 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2864 			__func__, sid);
2865 		goto out_unlock;
2866 	}
2867 
2868 	rc = -EINVAL;
2869 	context2 = sidtab_search(&sidtab, mls_sid);
2870 	if (!context2) {
2871 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2872 			__func__, mls_sid);
2873 		goto out_unlock;
2874 	}
2875 
2876 	newcon.user = context1->user;
2877 	newcon.role = context1->role;
2878 	newcon.type = context1->type;
2879 	rc = mls_context_cpy(&newcon, context2);
2880 	if (rc)
2881 		goto out_unlock;
2882 
2883 	/* Check the validity of the new context. */
2884 	if (!policydb_context_isvalid(&policydb, &newcon)) {
2885 		rc = convert_context_handle_invalid_context(&newcon);
2886 		if (rc) {
2887 			if (!context_struct_to_string(&newcon, &s, &len)) {
2888 				audit_log(current->audit_context,
2889 					  GFP_ATOMIC, AUDIT_SELINUX_ERR,
2890 					  "op=security_sid_mls_copy "
2891 					  "invalid_context=%s", s);
2892 				kfree(s);
2893 			}
2894 			goto out_unlock;
2895 		}
2896 	}
2897 
2898 	rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2899 out_unlock:
2900 	read_unlock(&policy_rwlock);
2901 	context_destroy(&newcon);
2902 out:
2903 	return rc;
2904 }
2905 
2906 /**
2907  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2908  * @nlbl_sid: NetLabel SID
2909  * @nlbl_type: NetLabel labeling protocol type
2910  * @xfrm_sid: XFRM SID
2911  *
2912  * Description:
2913  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2914  * resolved into a single SID it is returned via @peer_sid and the function
2915  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2916  * returns a negative value.  A table summarizing the behavior is below:
2917  *
2918  *                                 | function return |      @sid
2919  *   ------------------------------+-----------------+-----------------
2920  *   no peer labels                |        0        |    SECSID_NULL
2921  *   single peer label             |        0        |    <peer_label>
2922  *   multiple, consistent labels   |        0        |    <peer_label>
2923  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2924  *
2925  */
2926 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2927 				 u32 xfrm_sid,
2928 				 u32 *peer_sid)
2929 {
2930 	int rc;
2931 	struct context *nlbl_ctx;
2932 	struct context *xfrm_ctx;
2933 
2934 	*peer_sid = SECSID_NULL;
2935 
2936 	/* handle the common (which also happens to be the set of easy) cases
2937 	 * right away, these two if statements catch everything involving a
2938 	 * single or absent peer SID/label */
2939 	if (xfrm_sid == SECSID_NULL) {
2940 		*peer_sid = nlbl_sid;
2941 		return 0;
2942 	}
2943 	/* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2944 	 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2945 	 * is present */
2946 	if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2947 		*peer_sid = xfrm_sid;
2948 		return 0;
2949 	}
2950 
2951 	/* we don't need to check ss_initialized here since the only way both
2952 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2953 	 * security server was initialized and ss_initialized was true */
2954 	if (!policydb.mls_enabled)
2955 		return 0;
2956 
2957 	read_lock(&policy_rwlock);
2958 
2959 	rc = -EINVAL;
2960 	nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2961 	if (!nlbl_ctx) {
2962 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2963 		       __func__, nlbl_sid);
2964 		goto out;
2965 	}
2966 	rc = -EINVAL;
2967 	xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2968 	if (!xfrm_ctx) {
2969 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2970 		       __func__, xfrm_sid);
2971 		goto out;
2972 	}
2973 	rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2974 	if (rc)
2975 		goto out;
2976 
2977 	/* at present NetLabel SIDs/labels really only carry MLS
2978 	 * information so if the MLS portion of the NetLabel SID
2979 	 * matches the MLS portion of the labeled XFRM SID/label
2980 	 * then pass along the XFRM SID as it is the most
2981 	 * expressive */
2982 	*peer_sid = xfrm_sid;
2983 out:
2984 	read_unlock(&policy_rwlock);
2985 	return rc;
2986 }
2987 
2988 static int get_classes_callback(void *k, void *d, void *args)
2989 {
2990 	struct class_datum *datum = d;
2991 	char *name = k, **classes = args;
2992 	int value = datum->value - 1;
2993 
2994 	classes[value] = kstrdup(name, GFP_ATOMIC);
2995 	if (!classes[value])
2996 		return -ENOMEM;
2997 
2998 	return 0;
2999 }
3000 
3001 int security_get_classes(char ***classes, int *nclasses)
3002 {
3003 	int rc;
3004 
3005 	read_lock(&policy_rwlock);
3006 
3007 	rc = -ENOMEM;
3008 	*nclasses = policydb.p_classes.nprim;
3009 	*classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
3010 	if (!*classes)
3011 		goto out;
3012 
3013 	rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
3014 			*classes);
3015 	if (rc) {
3016 		int i;
3017 		for (i = 0; i < *nclasses; i++)
3018 			kfree((*classes)[i]);
3019 		kfree(*classes);
3020 	}
3021 
3022 out:
3023 	read_unlock(&policy_rwlock);
3024 	return rc;
3025 }
3026 
3027 static int get_permissions_callback(void *k, void *d, void *args)
3028 {
3029 	struct perm_datum *datum = d;
3030 	char *name = k, **perms = args;
3031 	int value = datum->value - 1;
3032 
3033 	perms[value] = kstrdup(name, GFP_ATOMIC);
3034 	if (!perms[value])
3035 		return -ENOMEM;
3036 
3037 	return 0;
3038 }
3039 
3040 int security_get_permissions(char *class, char ***perms, int *nperms)
3041 {
3042 	int rc, i;
3043 	struct class_datum *match;
3044 
3045 	read_lock(&policy_rwlock);
3046 
3047 	rc = -EINVAL;
3048 	match = hashtab_search(policydb.p_classes.table, class);
3049 	if (!match) {
3050 		printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
3051 			__func__, class);
3052 		goto out;
3053 	}
3054 
3055 	rc = -ENOMEM;
3056 	*nperms = match->permissions.nprim;
3057 	*perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
3058 	if (!*perms)
3059 		goto out;
3060 
3061 	if (match->comdatum) {
3062 		rc = hashtab_map(match->comdatum->permissions.table,
3063 				get_permissions_callback, *perms);
3064 		if (rc)
3065 			goto err;
3066 	}
3067 
3068 	rc = hashtab_map(match->permissions.table, get_permissions_callback,
3069 			*perms);
3070 	if (rc)
3071 		goto err;
3072 
3073 out:
3074 	read_unlock(&policy_rwlock);
3075 	return rc;
3076 
3077 err:
3078 	read_unlock(&policy_rwlock);
3079 	for (i = 0; i < *nperms; i++)
3080 		kfree((*perms)[i]);
3081 	kfree(*perms);
3082 	return rc;
3083 }
3084 
3085 int security_get_reject_unknown(void)
3086 {
3087 	return policydb.reject_unknown;
3088 }
3089 
3090 int security_get_allow_unknown(void)
3091 {
3092 	return policydb.allow_unknown;
3093 }
3094 
3095 /**
3096  * security_policycap_supported - Check for a specific policy capability
3097  * @req_cap: capability
3098  *
3099  * Description:
3100  * This function queries the currently loaded policy to see if it supports the
3101  * capability specified by @req_cap.  Returns true (1) if the capability is
3102  * supported, false (0) if it isn't supported.
3103  *
3104  */
3105 int security_policycap_supported(unsigned int req_cap)
3106 {
3107 	int rc;
3108 
3109 	read_lock(&policy_rwlock);
3110 	rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
3111 	read_unlock(&policy_rwlock);
3112 
3113 	return rc;
3114 }
3115 
3116 struct selinux_audit_rule {
3117 	u32 au_seqno;
3118 	struct context au_ctxt;
3119 };
3120 
3121 void selinux_audit_rule_free(void *vrule)
3122 {
3123 	struct selinux_audit_rule *rule = vrule;
3124 
3125 	if (rule) {
3126 		context_destroy(&rule->au_ctxt);
3127 		kfree(rule);
3128 	}
3129 }
3130 
3131 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
3132 {
3133 	struct selinux_audit_rule *tmprule;
3134 	struct role_datum *roledatum;
3135 	struct type_datum *typedatum;
3136 	struct user_datum *userdatum;
3137 	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
3138 	int rc = 0;
3139 
3140 	*rule = NULL;
3141 
3142 	if (!ss_initialized)
3143 		return -EOPNOTSUPP;
3144 
3145 	switch (field) {
3146 	case AUDIT_SUBJ_USER:
3147 	case AUDIT_SUBJ_ROLE:
3148 	case AUDIT_SUBJ_TYPE:
3149 	case AUDIT_OBJ_USER:
3150 	case AUDIT_OBJ_ROLE:
3151 	case AUDIT_OBJ_TYPE:
3152 		/* only 'equals' and 'not equals' fit user, role, and type */
3153 		if (op != Audit_equal && op != Audit_not_equal)
3154 			return -EINVAL;
3155 		break;
3156 	case AUDIT_SUBJ_SEN:
3157 	case AUDIT_SUBJ_CLR:
3158 	case AUDIT_OBJ_LEV_LOW:
3159 	case AUDIT_OBJ_LEV_HIGH:
3160 		/* we do not allow a range, indicated by the presence of '-' */
3161 		if (strchr(rulestr, '-'))
3162 			return -EINVAL;
3163 		break;
3164 	default:
3165 		/* only the above fields are valid */
3166 		return -EINVAL;
3167 	}
3168 
3169 	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
3170 	if (!tmprule)
3171 		return -ENOMEM;
3172 
3173 	context_init(&tmprule->au_ctxt);
3174 
3175 	read_lock(&policy_rwlock);
3176 
3177 	tmprule->au_seqno = latest_granting;
3178 
3179 	switch (field) {
3180 	case AUDIT_SUBJ_USER:
3181 	case AUDIT_OBJ_USER:
3182 		rc = -EINVAL;
3183 		userdatum = hashtab_search(policydb.p_users.table, rulestr);
3184 		if (!userdatum)
3185 			goto out;
3186 		tmprule->au_ctxt.user = userdatum->value;
3187 		break;
3188 	case AUDIT_SUBJ_ROLE:
3189 	case AUDIT_OBJ_ROLE:
3190 		rc = -EINVAL;
3191 		roledatum = hashtab_search(policydb.p_roles.table, rulestr);
3192 		if (!roledatum)
3193 			goto out;
3194 		tmprule->au_ctxt.role = roledatum->value;
3195 		break;
3196 	case AUDIT_SUBJ_TYPE:
3197 	case AUDIT_OBJ_TYPE:
3198 		rc = -EINVAL;
3199 		typedatum = hashtab_search(policydb.p_types.table, rulestr);
3200 		if (!typedatum)
3201 			goto out;
3202 		tmprule->au_ctxt.type = typedatum->value;
3203 		break;
3204 	case AUDIT_SUBJ_SEN:
3205 	case AUDIT_SUBJ_CLR:
3206 	case AUDIT_OBJ_LEV_LOW:
3207 	case AUDIT_OBJ_LEV_HIGH:
3208 		rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
3209 		if (rc)
3210 			goto out;
3211 		break;
3212 	}
3213 	rc = 0;
3214 out:
3215 	read_unlock(&policy_rwlock);
3216 
3217 	if (rc) {
3218 		selinux_audit_rule_free(tmprule);
3219 		tmprule = NULL;
3220 	}
3221 
3222 	*rule = tmprule;
3223 
3224 	return rc;
3225 }
3226 
3227 /* Check to see if the rule contains any selinux fields */
3228 int selinux_audit_rule_known(struct audit_krule *rule)
3229 {
3230 	int i;
3231 
3232 	for (i = 0; i < rule->field_count; i++) {
3233 		struct audit_field *f = &rule->fields[i];
3234 		switch (f->type) {
3235 		case AUDIT_SUBJ_USER:
3236 		case AUDIT_SUBJ_ROLE:
3237 		case AUDIT_SUBJ_TYPE:
3238 		case AUDIT_SUBJ_SEN:
3239 		case AUDIT_SUBJ_CLR:
3240 		case AUDIT_OBJ_USER:
3241 		case AUDIT_OBJ_ROLE:
3242 		case AUDIT_OBJ_TYPE:
3243 		case AUDIT_OBJ_LEV_LOW:
3244 		case AUDIT_OBJ_LEV_HIGH:
3245 			return 1;
3246 		}
3247 	}
3248 
3249 	return 0;
3250 }
3251 
3252 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
3253 			     struct audit_context *actx)
3254 {
3255 	struct context *ctxt;
3256 	struct mls_level *level;
3257 	struct selinux_audit_rule *rule = vrule;
3258 	int match = 0;
3259 
3260 	if (unlikely(!rule)) {
3261 		WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");
3262 		return -ENOENT;
3263 	}
3264 
3265 	read_lock(&policy_rwlock);
3266 
3267 	if (rule->au_seqno < latest_granting) {
3268 		match = -ESTALE;
3269 		goto out;
3270 	}
3271 
3272 	ctxt = sidtab_search(&sidtab, sid);
3273 	if (unlikely(!ctxt)) {
3274 		WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
3275 			  sid);
3276 		match = -ENOENT;
3277 		goto out;
3278 	}
3279 
3280 	/* a field/op pair that is not caught here will simply fall through
3281 	   without a match */
3282 	switch (field) {
3283 	case AUDIT_SUBJ_USER:
3284 	case AUDIT_OBJ_USER:
3285 		switch (op) {
3286 		case Audit_equal:
3287 			match = (ctxt->user == rule->au_ctxt.user);
3288 			break;
3289 		case Audit_not_equal:
3290 			match = (ctxt->user != rule->au_ctxt.user);
3291 			break;
3292 		}
3293 		break;
3294 	case AUDIT_SUBJ_ROLE:
3295 	case AUDIT_OBJ_ROLE:
3296 		switch (op) {
3297 		case Audit_equal:
3298 			match = (ctxt->role == rule->au_ctxt.role);
3299 			break;
3300 		case Audit_not_equal:
3301 			match = (ctxt->role != rule->au_ctxt.role);
3302 			break;
3303 		}
3304 		break;
3305 	case AUDIT_SUBJ_TYPE:
3306 	case AUDIT_OBJ_TYPE:
3307 		switch (op) {
3308 		case Audit_equal:
3309 			match = (ctxt->type == rule->au_ctxt.type);
3310 			break;
3311 		case Audit_not_equal:
3312 			match = (ctxt->type != rule->au_ctxt.type);
3313 			break;
3314 		}
3315 		break;
3316 	case AUDIT_SUBJ_SEN:
3317 	case AUDIT_SUBJ_CLR:
3318 	case AUDIT_OBJ_LEV_LOW:
3319 	case AUDIT_OBJ_LEV_HIGH:
3320 		level = ((field == AUDIT_SUBJ_SEN ||
3321 			  field == AUDIT_OBJ_LEV_LOW) ?
3322 			 &ctxt->range.level[0] : &ctxt->range.level[1]);
3323 		switch (op) {
3324 		case Audit_equal:
3325 			match = mls_level_eq(&rule->au_ctxt.range.level[0],
3326 					     level);
3327 			break;
3328 		case Audit_not_equal:
3329 			match = !mls_level_eq(&rule->au_ctxt.range.level[0],
3330 					      level);
3331 			break;
3332 		case Audit_lt:
3333 			match = (mls_level_dom(&rule->au_ctxt.range.level[0],
3334 					       level) &&
3335 				 !mls_level_eq(&rule->au_ctxt.range.level[0],
3336 					       level));
3337 			break;
3338 		case Audit_le:
3339 			match = mls_level_dom(&rule->au_ctxt.range.level[0],
3340 					      level);
3341 			break;
3342 		case Audit_gt:
3343 			match = (mls_level_dom(level,
3344 					      &rule->au_ctxt.range.level[0]) &&
3345 				 !mls_level_eq(level,
3346 					       &rule->au_ctxt.range.level[0]));
3347 			break;
3348 		case Audit_ge:
3349 			match = mls_level_dom(level,
3350 					      &rule->au_ctxt.range.level[0]);
3351 			break;
3352 		}
3353 	}
3354 
3355 out:
3356 	read_unlock(&policy_rwlock);
3357 	return match;
3358 }
3359 
3360 static int (*aurule_callback)(void) = audit_update_lsm_rules;
3361 
3362 static int aurule_avc_callback(u32 event)
3363 {
3364 	int err = 0;
3365 
3366 	if (event == AVC_CALLBACK_RESET && aurule_callback)
3367 		err = aurule_callback();
3368 	return err;
3369 }
3370 
3371 static int __init aurule_init(void)
3372 {
3373 	int err;
3374 
3375 	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3376 	if (err)
3377 		panic("avc_add_callback() failed, error %d\n", err);
3378 
3379 	return err;
3380 }
3381 __initcall(aurule_init);
3382 
3383 #ifdef CONFIG_NETLABEL
3384 /**
3385  * security_netlbl_cache_add - Add an entry to the NetLabel cache
3386  * @secattr: the NetLabel packet security attributes
3387  * @sid: the SELinux SID
3388  *
3389  * Description:
3390  * Attempt to cache the context in @ctx, which was derived from the packet in
3391  * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
3392  * already been initialized.
3393  *
3394  */
3395 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3396 				      u32 sid)
3397 {
3398 	u32 *sid_cache;
3399 
3400 	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3401 	if (sid_cache == NULL)
3402 		return;
3403 	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3404 	if (secattr->cache == NULL) {
3405 		kfree(sid_cache);
3406 		return;
3407 	}
3408 
3409 	*sid_cache = sid;
3410 	secattr->cache->free = kfree;
3411 	secattr->cache->data = sid_cache;
3412 	secattr->flags |= NETLBL_SECATTR_CACHE;
3413 }
3414 
3415 /**
3416  * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3417  * @secattr: the NetLabel packet security attributes
3418  * @sid: the SELinux SID
3419  *
3420  * Description:
3421  * Convert the given NetLabel security attributes in @secattr into a
3422  * SELinux SID.  If the @secattr field does not contain a full SELinux
3423  * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
3424  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
3425  * allow the @secattr to be used by NetLabel to cache the secattr to SID
3426  * conversion for future lookups.  Returns zero on success, negative values on
3427  * failure.
3428  *
3429  */
3430 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
3431 				   u32 *sid)
3432 {
3433 	int rc;
3434 	struct context *ctx;
3435 	struct context ctx_new;
3436 
3437 	if (!ss_initialized) {
3438 		*sid = SECSID_NULL;
3439 		return 0;
3440 	}
3441 
3442 	read_lock(&policy_rwlock);
3443 
3444 	if (secattr->flags & NETLBL_SECATTR_CACHE)
3445 		*sid = *(u32 *)secattr->cache->data;
3446 	else if (secattr->flags & NETLBL_SECATTR_SECID)
3447 		*sid = secattr->attr.secid;
3448 	else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3449 		rc = -EIDRM;
3450 		ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
3451 		if (ctx == NULL)
3452 			goto out;
3453 
3454 		context_init(&ctx_new);
3455 		ctx_new.user = ctx->user;
3456 		ctx_new.role = ctx->role;
3457 		ctx_new.type = ctx->type;
3458 		mls_import_netlbl_lvl(&ctx_new, secattr);
3459 		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3460 			rc = mls_import_netlbl_cat(&ctx_new, secattr);
3461 			if (rc)
3462 				goto out;
3463 		}
3464 		rc = -EIDRM;
3465 		if (!mls_context_isvalid(&policydb, &ctx_new))
3466 			goto out_free;
3467 
3468 		rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3469 		if (rc)
3470 			goto out_free;
3471 
3472 		security_netlbl_cache_add(secattr, *sid);
3473 
3474 		ebitmap_destroy(&ctx_new.range.level[0].cat);
3475 	} else
3476 		*sid = SECSID_NULL;
3477 
3478 	read_unlock(&policy_rwlock);
3479 	return 0;
3480 out_free:
3481 	ebitmap_destroy(&ctx_new.range.level[0].cat);
3482 out:
3483 	read_unlock(&policy_rwlock);
3484 	return rc;
3485 }
3486 
3487 /**
3488  * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3489  * @sid: the SELinux SID
3490  * @secattr: the NetLabel packet security attributes
3491  *
3492  * Description:
3493  * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3494  * Returns zero on success, negative values on failure.
3495  *
3496  */
3497 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3498 {
3499 	int rc;
3500 	struct context *ctx;
3501 
3502 	if (!ss_initialized)
3503 		return 0;
3504 
3505 	read_lock(&policy_rwlock);
3506 
3507 	rc = -ENOENT;
3508 	ctx = sidtab_search(&sidtab, sid);
3509 	if (ctx == NULL)
3510 		goto out;
3511 
3512 	rc = -ENOMEM;
3513 	secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1),
3514 				  GFP_ATOMIC);
3515 	if (secattr->domain == NULL)
3516 		goto out;
3517 
3518 	secattr->attr.secid = sid;
3519 	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3520 	mls_export_netlbl_lvl(ctx, secattr);
3521 	rc = mls_export_netlbl_cat(ctx, secattr);
3522 out:
3523 	read_unlock(&policy_rwlock);
3524 	return rc;
3525 }
3526 #endif /* CONFIG_NETLABEL */
3527 
3528 /**
3529  * security_read_policy - read the policy.
3530  * @data: binary policy data
3531  * @len: length of data in bytes
3532  *
3533  */
3534 int security_read_policy(void **data, size_t *len)
3535 {
3536 	int rc;
3537 	struct policy_file fp;
3538 
3539 	if (!ss_initialized)
3540 		return -EINVAL;
3541 
3542 	*len = security_policydb_len();
3543 
3544 	*data = vmalloc_user(*len);
3545 	if (!*data)
3546 		return -ENOMEM;
3547 
3548 	fp.data = *data;
3549 	fp.len = *len;
3550 
3551 	read_lock(&policy_rwlock);
3552 	rc = policydb_write(&policydb, &fp);
3553 	read_unlock(&policy_rwlock);
3554 
3555 	if (rc)
3556 		return rc;
3557 
3558 	*len = (unsigned long)fp.data - (unsigned long)*data;
3559 	return 0;
3560 
3561 }
3562