1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * Added support for the policy capability bitmap 20 * 21 * Updated: Chad Sellers <csellers@tresys.com> 22 * 23 * Added validation of kernel classes and permissions 24 * 25 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 26 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 28 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 29 * This program is free software; you can redistribute it and/or modify 30 * it under the terms of the GNU General Public License as published by 31 * the Free Software Foundation, version 2. 32 */ 33 #include <linux/kernel.h> 34 #include <linux/slab.h> 35 #include <linux/string.h> 36 #include <linux/spinlock.h> 37 #include <linux/rcupdate.h> 38 #include <linux/errno.h> 39 #include <linux/in.h> 40 #include <linux/sched.h> 41 #include <linux/audit.h> 42 #include <linux/mutex.h> 43 #include <net/netlabel.h> 44 45 #include "flask.h" 46 #include "avc.h" 47 #include "avc_ss.h" 48 #include "security.h" 49 #include "context.h" 50 #include "policydb.h" 51 #include "sidtab.h" 52 #include "services.h" 53 #include "conditional.h" 54 #include "mls.h" 55 #include "objsec.h" 56 #include "netlabel.h" 57 #include "xfrm.h" 58 #include "ebitmap.h" 59 60 extern void selnl_notify_policyload(u32 seqno); 61 unsigned int policydb_loaded_version; 62 63 int selinux_policycap_netpeer; 64 65 /* 66 * This is declared in avc.c 67 */ 68 extern const struct selinux_class_perm selinux_class_perm; 69 70 static DEFINE_RWLOCK(policy_rwlock); 71 #define POLICY_RDLOCK read_lock(&policy_rwlock) 72 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock) 73 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock) 74 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock) 75 76 static DEFINE_MUTEX(load_mutex); 77 #define LOAD_LOCK mutex_lock(&load_mutex) 78 #define LOAD_UNLOCK mutex_unlock(&load_mutex) 79 80 static struct sidtab sidtab; 81 struct policydb policydb; 82 int ss_initialized = 0; 83 84 /* 85 * The largest sequence number that has been used when 86 * providing an access decision to the access vector cache. 87 * The sequence number only changes when a policy change 88 * occurs. 89 */ 90 static u32 latest_granting = 0; 91 92 /* Forward declaration. */ 93 static int context_struct_to_string(struct context *context, char **scontext, 94 u32 *scontext_len); 95 96 /* 97 * Return the boolean value of a constraint expression 98 * when it is applied to the specified source and target 99 * security contexts. 100 * 101 * xcontext is a special beast... It is used by the validatetrans rules 102 * only. For these rules, scontext is the context before the transition, 103 * tcontext is the context after the transition, and xcontext is the context 104 * of the process performing the transition. All other callers of 105 * constraint_expr_eval should pass in NULL for xcontext. 106 */ 107 static int constraint_expr_eval(struct context *scontext, 108 struct context *tcontext, 109 struct context *xcontext, 110 struct constraint_expr *cexpr) 111 { 112 u32 val1, val2; 113 struct context *c; 114 struct role_datum *r1, *r2; 115 struct mls_level *l1, *l2; 116 struct constraint_expr *e; 117 int s[CEXPR_MAXDEPTH]; 118 int sp = -1; 119 120 for (e = cexpr; e; e = e->next) { 121 switch (e->expr_type) { 122 case CEXPR_NOT: 123 BUG_ON(sp < 0); 124 s[sp] = !s[sp]; 125 break; 126 case CEXPR_AND: 127 BUG_ON(sp < 1); 128 sp--; 129 s[sp] &= s[sp+1]; 130 break; 131 case CEXPR_OR: 132 BUG_ON(sp < 1); 133 sp--; 134 s[sp] |= s[sp+1]; 135 break; 136 case CEXPR_ATTR: 137 if (sp == (CEXPR_MAXDEPTH-1)) 138 return 0; 139 switch (e->attr) { 140 case CEXPR_USER: 141 val1 = scontext->user; 142 val2 = tcontext->user; 143 break; 144 case CEXPR_TYPE: 145 val1 = scontext->type; 146 val2 = tcontext->type; 147 break; 148 case CEXPR_ROLE: 149 val1 = scontext->role; 150 val2 = tcontext->role; 151 r1 = policydb.role_val_to_struct[val1 - 1]; 152 r2 = policydb.role_val_to_struct[val2 - 1]; 153 switch (e->op) { 154 case CEXPR_DOM: 155 s[++sp] = ebitmap_get_bit(&r1->dominates, 156 val2 - 1); 157 continue; 158 case CEXPR_DOMBY: 159 s[++sp] = ebitmap_get_bit(&r2->dominates, 160 val1 - 1); 161 continue; 162 case CEXPR_INCOMP: 163 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 164 val2 - 1) && 165 !ebitmap_get_bit(&r2->dominates, 166 val1 - 1) ); 167 continue; 168 default: 169 break; 170 } 171 break; 172 case CEXPR_L1L2: 173 l1 = &(scontext->range.level[0]); 174 l2 = &(tcontext->range.level[0]); 175 goto mls_ops; 176 case CEXPR_L1H2: 177 l1 = &(scontext->range.level[0]); 178 l2 = &(tcontext->range.level[1]); 179 goto mls_ops; 180 case CEXPR_H1L2: 181 l1 = &(scontext->range.level[1]); 182 l2 = &(tcontext->range.level[0]); 183 goto mls_ops; 184 case CEXPR_H1H2: 185 l1 = &(scontext->range.level[1]); 186 l2 = &(tcontext->range.level[1]); 187 goto mls_ops; 188 case CEXPR_L1H1: 189 l1 = &(scontext->range.level[0]); 190 l2 = &(scontext->range.level[1]); 191 goto mls_ops; 192 case CEXPR_L2H2: 193 l1 = &(tcontext->range.level[0]); 194 l2 = &(tcontext->range.level[1]); 195 goto mls_ops; 196 mls_ops: 197 switch (e->op) { 198 case CEXPR_EQ: 199 s[++sp] = mls_level_eq(l1, l2); 200 continue; 201 case CEXPR_NEQ: 202 s[++sp] = !mls_level_eq(l1, l2); 203 continue; 204 case CEXPR_DOM: 205 s[++sp] = mls_level_dom(l1, l2); 206 continue; 207 case CEXPR_DOMBY: 208 s[++sp] = mls_level_dom(l2, l1); 209 continue; 210 case CEXPR_INCOMP: 211 s[++sp] = mls_level_incomp(l2, l1); 212 continue; 213 default: 214 BUG(); 215 return 0; 216 } 217 break; 218 default: 219 BUG(); 220 return 0; 221 } 222 223 switch (e->op) { 224 case CEXPR_EQ: 225 s[++sp] = (val1 == val2); 226 break; 227 case CEXPR_NEQ: 228 s[++sp] = (val1 != val2); 229 break; 230 default: 231 BUG(); 232 return 0; 233 } 234 break; 235 case CEXPR_NAMES: 236 if (sp == (CEXPR_MAXDEPTH-1)) 237 return 0; 238 c = scontext; 239 if (e->attr & CEXPR_TARGET) 240 c = tcontext; 241 else if (e->attr & CEXPR_XTARGET) { 242 c = xcontext; 243 if (!c) { 244 BUG(); 245 return 0; 246 } 247 } 248 if (e->attr & CEXPR_USER) 249 val1 = c->user; 250 else if (e->attr & CEXPR_ROLE) 251 val1 = c->role; 252 else if (e->attr & CEXPR_TYPE) 253 val1 = c->type; 254 else { 255 BUG(); 256 return 0; 257 } 258 259 switch (e->op) { 260 case CEXPR_EQ: 261 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 262 break; 263 case CEXPR_NEQ: 264 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 265 break; 266 default: 267 BUG(); 268 return 0; 269 } 270 break; 271 default: 272 BUG(); 273 return 0; 274 } 275 } 276 277 BUG_ON(sp != 0); 278 return s[0]; 279 } 280 281 /* 282 * Compute access vectors based on a context structure pair for 283 * the permissions in a particular class. 284 */ 285 static int context_struct_compute_av(struct context *scontext, 286 struct context *tcontext, 287 u16 tclass, 288 u32 requested, 289 struct av_decision *avd) 290 { 291 struct constraint_node *constraint; 292 struct role_allow *ra; 293 struct avtab_key avkey; 294 struct avtab_node *node; 295 struct class_datum *tclass_datum; 296 struct ebitmap *sattr, *tattr; 297 struct ebitmap_node *snode, *tnode; 298 const struct selinux_class_perm *kdefs = &selinux_class_perm; 299 unsigned int i, j; 300 301 /* 302 * Remap extended Netlink classes for old policy versions. 303 * Do this here rather than socket_type_to_security_class() 304 * in case a newer policy version is loaded, allowing sockets 305 * to remain in the correct class. 306 */ 307 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 308 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 309 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 310 tclass = SECCLASS_NETLINK_SOCKET; 311 312 /* 313 * Initialize the access vectors to the default values. 314 */ 315 avd->allowed = 0; 316 avd->decided = 0xffffffff; 317 avd->auditallow = 0; 318 avd->auditdeny = 0xffffffff; 319 avd->seqno = latest_granting; 320 321 /* 322 * Check for all the invalid cases. 323 * - tclass 0 324 * - tclass > policy and > kernel 325 * - tclass > policy but is a userspace class 326 * - tclass > policy but we do not allow unknowns 327 */ 328 if (unlikely(!tclass)) 329 goto inval_class; 330 if (unlikely(tclass > policydb.p_classes.nprim)) 331 if (tclass > kdefs->cts_len || 332 !kdefs->class_to_string[tclass - 1] || 333 !policydb.allow_unknown) 334 goto inval_class; 335 336 /* 337 * Kernel class and we allow unknown so pad the allow decision 338 * the pad will be all 1 for unknown classes. 339 */ 340 if (tclass <= kdefs->cts_len && policydb.allow_unknown) 341 avd->allowed = policydb.undefined_perms[tclass - 1]; 342 343 /* 344 * Not in policy. Since decision is completed (all 1 or all 0) return. 345 */ 346 if (unlikely(tclass > policydb.p_classes.nprim)) 347 return 0; 348 349 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 350 351 /* 352 * If a specific type enforcement rule was defined for 353 * this permission check, then use it. 354 */ 355 avkey.target_class = tclass; 356 avkey.specified = AVTAB_AV; 357 sattr = &policydb.type_attr_map[scontext->type - 1]; 358 tattr = &policydb.type_attr_map[tcontext->type - 1]; 359 ebitmap_for_each_positive_bit(sattr, snode, i) { 360 ebitmap_for_each_positive_bit(tattr, tnode, j) { 361 avkey.source_type = i + 1; 362 avkey.target_type = j + 1; 363 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 364 node != NULL; 365 node = avtab_search_node_next(node, avkey.specified)) { 366 if (node->key.specified == AVTAB_ALLOWED) 367 avd->allowed |= node->datum.data; 368 else if (node->key.specified == AVTAB_AUDITALLOW) 369 avd->auditallow |= node->datum.data; 370 else if (node->key.specified == AVTAB_AUDITDENY) 371 avd->auditdeny &= node->datum.data; 372 } 373 374 /* Check conditional av table for additional permissions */ 375 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 376 377 } 378 } 379 380 /* 381 * Remove any permissions prohibited by a constraint (this includes 382 * the MLS policy). 383 */ 384 constraint = tclass_datum->constraints; 385 while (constraint) { 386 if ((constraint->permissions & (avd->allowed)) && 387 !constraint_expr_eval(scontext, tcontext, NULL, 388 constraint->expr)) { 389 avd->allowed = (avd->allowed) & ~(constraint->permissions); 390 } 391 constraint = constraint->next; 392 } 393 394 /* 395 * If checking process transition permission and the 396 * role is changing, then check the (current_role, new_role) 397 * pair. 398 */ 399 if (tclass == SECCLASS_PROCESS && 400 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 401 scontext->role != tcontext->role) { 402 for (ra = policydb.role_allow; ra; ra = ra->next) { 403 if (scontext->role == ra->role && 404 tcontext->role == ra->new_role) 405 break; 406 } 407 if (!ra) 408 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 409 PROCESS__DYNTRANSITION); 410 } 411 412 return 0; 413 414 inval_class: 415 printk(KERN_ERR "%s: unrecognized class %d\n", __FUNCTION__, tclass); 416 return -EINVAL; 417 } 418 419 static int security_validtrans_handle_fail(struct context *ocontext, 420 struct context *ncontext, 421 struct context *tcontext, 422 u16 tclass) 423 { 424 char *o = NULL, *n = NULL, *t = NULL; 425 u32 olen, nlen, tlen; 426 427 if (context_struct_to_string(ocontext, &o, &olen) < 0) 428 goto out; 429 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 430 goto out; 431 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 432 goto out; 433 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 434 "security_validate_transition: denied for" 435 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 436 o, n, t, policydb.p_class_val_to_name[tclass-1]); 437 out: 438 kfree(o); 439 kfree(n); 440 kfree(t); 441 442 if (!selinux_enforcing) 443 return 0; 444 return -EPERM; 445 } 446 447 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 448 u16 tclass) 449 { 450 struct context *ocontext; 451 struct context *ncontext; 452 struct context *tcontext; 453 struct class_datum *tclass_datum; 454 struct constraint_node *constraint; 455 int rc = 0; 456 457 if (!ss_initialized) 458 return 0; 459 460 POLICY_RDLOCK; 461 462 /* 463 * Remap extended Netlink classes for old policy versions. 464 * Do this here rather than socket_type_to_security_class() 465 * in case a newer policy version is loaded, allowing sockets 466 * to remain in the correct class. 467 */ 468 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 469 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 470 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 471 tclass = SECCLASS_NETLINK_SOCKET; 472 473 if (!tclass || tclass > policydb.p_classes.nprim) { 474 printk(KERN_ERR "security_validate_transition: " 475 "unrecognized class %d\n", tclass); 476 rc = -EINVAL; 477 goto out; 478 } 479 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 480 481 ocontext = sidtab_search(&sidtab, oldsid); 482 if (!ocontext) { 483 printk(KERN_ERR "security_validate_transition: " 484 " unrecognized SID %d\n", oldsid); 485 rc = -EINVAL; 486 goto out; 487 } 488 489 ncontext = sidtab_search(&sidtab, newsid); 490 if (!ncontext) { 491 printk(KERN_ERR "security_validate_transition: " 492 " unrecognized SID %d\n", newsid); 493 rc = -EINVAL; 494 goto out; 495 } 496 497 tcontext = sidtab_search(&sidtab, tasksid); 498 if (!tcontext) { 499 printk(KERN_ERR "security_validate_transition: " 500 " unrecognized SID %d\n", tasksid); 501 rc = -EINVAL; 502 goto out; 503 } 504 505 constraint = tclass_datum->validatetrans; 506 while (constraint) { 507 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 508 constraint->expr)) { 509 rc = security_validtrans_handle_fail(ocontext, ncontext, 510 tcontext, tclass); 511 goto out; 512 } 513 constraint = constraint->next; 514 } 515 516 out: 517 POLICY_RDUNLOCK; 518 return rc; 519 } 520 521 /** 522 * security_compute_av - Compute access vector decisions. 523 * @ssid: source security identifier 524 * @tsid: target security identifier 525 * @tclass: target security class 526 * @requested: requested permissions 527 * @avd: access vector decisions 528 * 529 * Compute a set of access vector decisions based on the 530 * SID pair (@ssid, @tsid) for the permissions in @tclass. 531 * Return -%EINVAL if any of the parameters are invalid or %0 532 * if the access vector decisions were computed successfully. 533 */ 534 int security_compute_av(u32 ssid, 535 u32 tsid, 536 u16 tclass, 537 u32 requested, 538 struct av_decision *avd) 539 { 540 struct context *scontext = NULL, *tcontext = NULL; 541 int rc = 0; 542 543 if (!ss_initialized) { 544 avd->allowed = 0xffffffff; 545 avd->decided = 0xffffffff; 546 avd->auditallow = 0; 547 avd->auditdeny = 0xffffffff; 548 avd->seqno = latest_granting; 549 return 0; 550 } 551 552 POLICY_RDLOCK; 553 554 scontext = sidtab_search(&sidtab, ssid); 555 if (!scontext) { 556 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 557 ssid); 558 rc = -EINVAL; 559 goto out; 560 } 561 tcontext = sidtab_search(&sidtab, tsid); 562 if (!tcontext) { 563 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 564 tsid); 565 rc = -EINVAL; 566 goto out; 567 } 568 569 rc = context_struct_compute_av(scontext, tcontext, tclass, 570 requested, avd); 571 out: 572 POLICY_RDUNLOCK; 573 return rc; 574 } 575 576 /* 577 * Write the security context string representation of 578 * the context structure `context' into a dynamically 579 * allocated string of the correct size. Set `*scontext' 580 * to point to this string and set `*scontext_len' to 581 * the length of the string. 582 */ 583 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 584 { 585 char *scontextp; 586 587 *scontext = NULL; 588 *scontext_len = 0; 589 590 /* Compute the size of the context. */ 591 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 592 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 593 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 594 *scontext_len += mls_compute_context_len(context); 595 596 /* Allocate space for the context; caller must free this space. */ 597 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 598 if (!scontextp) { 599 return -ENOMEM; 600 } 601 *scontext = scontextp; 602 603 /* 604 * Copy the user name, role name and type name into the context. 605 */ 606 sprintf(scontextp, "%s:%s:%s", 607 policydb.p_user_val_to_name[context->user - 1], 608 policydb.p_role_val_to_name[context->role - 1], 609 policydb.p_type_val_to_name[context->type - 1]); 610 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 611 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 612 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 613 614 mls_sid_to_context(context, &scontextp); 615 616 *scontextp = 0; 617 618 return 0; 619 } 620 621 #include "initial_sid_to_string.h" 622 623 const char *security_get_initial_sid_context(u32 sid) 624 { 625 if (unlikely(sid > SECINITSID_NUM)) 626 return NULL; 627 return initial_sid_to_string[sid]; 628 } 629 630 /** 631 * security_sid_to_context - Obtain a context for a given SID. 632 * @sid: security identifier, SID 633 * @scontext: security context 634 * @scontext_len: length in bytes 635 * 636 * Write the string representation of the context associated with @sid 637 * into a dynamically allocated string of the correct size. Set @scontext 638 * to point to this string and set @scontext_len to the length of the string. 639 */ 640 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 641 { 642 struct context *context; 643 int rc = 0; 644 645 *scontext = NULL; 646 *scontext_len = 0; 647 648 if (!ss_initialized) { 649 if (sid <= SECINITSID_NUM) { 650 char *scontextp; 651 652 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 653 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 654 if (!scontextp) { 655 rc = -ENOMEM; 656 goto out; 657 } 658 strcpy(scontextp, initial_sid_to_string[sid]); 659 *scontext = scontextp; 660 goto out; 661 } 662 printk(KERN_ERR "security_sid_to_context: called before initial " 663 "load_policy on unknown SID %d\n", sid); 664 rc = -EINVAL; 665 goto out; 666 } 667 POLICY_RDLOCK; 668 context = sidtab_search(&sidtab, sid); 669 if (!context) { 670 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 671 "%d\n", sid); 672 rc = -EINVAL; 673 goto out_unlock; 674 } 675 rc = context_struct_to_string(context, scontext, scontext_len); 676 out_unlock: 677 POLICY_RDUNLOCK; 678 out: 679 return rc; 680 681 } 682 683 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 684 { 685 char *scontext2; 686 struct context context; 687 struct role_datum *role; 688 struct type_datum *typdatum; 689 struct user_datum *usrdatum; 690 char *scontextp, *p, oldc; 691 int rc = 0; 692 693 if (!ss_initialized) { 694 int i; 695 696 for (i = 1; i < SECINITSID_NUM; i++) { 697 if (!strcmp(initial_sid_to_string[i], scontext)) { 698 *sid = i; 699 goto out; 700 } 701 } 702 *sid = SECINITSID_KERNEL; 703 goto out; 704 } 705 *sid = SECSID_NULL; 706 707 /* Copy the string so that we can modify the copy as we parse it. 708 The string should already by null terminated, but we append a 709 null suffix to the copy to avoid problems with the existing 710 attr package, which doesn't view the null terminator as part 711 of the attribute value. */ 712 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 713 if (!scontext2) { 714 rc = -ENOMEM; 715 goto out; 716 } 717 memcpy(scontext2, scontext, scontext_len); 718 scontext2[scontext_len] = 0; 719 720 context_init(&context); 721 *sid = SECSID_NULL; 722 723 POLICY_RDLOCK; 724 725 /* Parse the security context. */ 726 727 rc = -EINVAL; 728 scontextp = (char *) scontext2; 729 730 /* Extract the user. */ 731 p = scontextp; 732 while (*p && *p != ':') 733 p++; 734 735 if (*p == 0) 736 goto out_unlock; 737 738 *p++ = 0; 739 740 usrdatum = hashtab_search(policydb.p_users.table, scontextp); 741 if (!usrdatum) 742 goto out_unlock; 743 744 context.user = usrdatum->value; 745 746 /* Extract role. */ 747 scontextp = p; 748 while (*p && *p != ':') 749 p++; 750 751 if (*p == 0) 752 goto out_unlock; 753 754 *p++ = 0; 755 756 role = hashtab_search(policydb.p_roles.table, scontextp); 757 if (!role) 758 goto out_unlock; 759 context.role = role->value; 760 761 /* Extract type. */ 762 scontextp = p; 763 while (*p && *p != ':') 764 p++; 765 oldc = *p; 766 *p++ = 0; 767 768 typdatum = hashtab_search(policydb.p_types.table, scontextp); 769 if (!typdatum) 770 goto out_unlock; 771 772 context.type = typdatum->value; 773 774 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); 775 if (rc) 776 goto out_unlock; 777 778 if ((p - scontext2) < scontext_len) { 779 rc = -EINVAL; 780 goto out_unlock; 781 } 782 783 /* Check the validity of the new context. */ 784 if (!policydb_context_isvalid(&policydb, &context)) { 785 rc = -EINVAL; 786 goto out_unlock; 787 } 788 /* Obtain the new sid. */ 789 rc = sidtab_context_to_sid(&sidtab, &context, sid); 790 out_unlock: 791 POLICY_RDUNLOCK; 792 context_destroy(&context); 793 kfree(scontext2); 794 out: 795 return rc; 796 } 797 798 /** 799 * security_context_to_sid - Obtain a SID for a given security context. 800 * @scontext: security context 801 * @scontext_len: length in bytes 802 * @sid: security identifier, SID 803 * 804 * Obtains a SID associated with the security context that 805 * has the string representation specified by @scontext. 806 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 807 * memory is available, or 0 on success. 808 */ 809 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 810 { 811 return security_context_to_sid_core(scontext, scontext_len, 812 sid, SECSID_NULL); 813 } 814 815 /** 816 * security_context_to_sid_default - Obtain a SID for a given security context, 817 * falling back to specified default if needed. 818 * 819 * @scontext: security context 820 * @scontext_len: length in bytes 821 * @sid: security identifier, SID 822 * @def_sid: default SID to assign on error 823 * 824 * Obtains a SID associated with the security context that 825 * has the string representation specified by @scontext. 826 * The default SID is passed to the MLS layer to be used to allow 827 * kernel labeling of the MLS field if the MLS field is not present 828 * (for upgrading to MLS without full relabel). 829 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 830 * memory is available, or 0 on success. 831 */ 832 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 833 { 834 return security_context_to_sid_core(scontext, scontext_len, 835 sid, def_sid); 836 } 837 838 static int compute_sid_handle_invalid_context( 839 struct context *scontext, 840 struct context *tcontext, 841 u16 tclass, 842 struct context *newcontext) 843 { 844 char *s = NULL, *t = NULL, *n = NULL; 845 u32 slen, tlen, nlen; 846 847 if (context_struct_to_string(scontext, &s, &slen) < 0) 848 goto out; 849 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 850 goto out; 851 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 852 goto out; 853 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 854 "security_compute_sid: invalid context %s" 855 " for scontext=%s" 856 " tcontext=%s" 857 " tclass=%s", 858 n, s, t, policydb.p_class_val_to_name[tclass-1]); 859 out: 860 kfree(s); 861 kfree(t); 862 kfree(n); 863 if (!selinux_enforcing) 864 return 0; 865 return -EACCES; 866 } 867 868 static int security_compute_sid(u32 ssid, 869 u32 tsid, 870 u16 tclass, 871 u32 specified, 872 u32 *out_sid) 873 { 874 struct context *scontext = NULL, *tcontext = NULL, newcontext; 875 struct role_trans *roletr = NULL; 876 struct avtab_key avkey; 877 struct avtab_datum *avdatum; 878 struct avtab_node *node; 879 int rc = 0; 880 881 if (!ss_initialized) { 882 switch (tclass) { 883 case SECCLASS_PROCESS: 884 *out_sid = ssid; 885 break; 886 default: 887 *out_sid = tsid; 888 break; 889 } 890 goto out; 891 } 892 893 context_init(&newcontext); 894 895 POLICY_RDLOCK; 896 897 scontext = sidtab_search(&sidtab, ssid); 898 if (!scontext) { 899 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 900 ssid); 901 rc = -EINVAL; 902 goto out_unlock; 903 } 904 tcontext = sidtab_search(&sidtab, tsid); 905 if (!tcontext) { 906 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 907 tsid); 908 rc = -EINVAL; 909 goto out_unlock; 910 } 911 912 /* Set the user identity. */ 913 switch (specified) { 914 case AVTAB_TRANSITION: 915 case AVTAB_CHANGE: 916 /* Use the process user identity. */ 917 newcontext.user = scontext->user; 918 break; 919 case AVTAB_MEMBER: 920 /* Use the related object owner. */ 921 newcontext.user = tcontext->user; 922 break; 923 } 924 925 /* Set the role and type to default values. */ 926 switch (tclass) { 927 case SECCLASS_PROCESS: 928 /* Use the current role and type of process. */ 929 newcontext.role = scontext->role; 930 newcontext.type = scontext->type; 931 break; 932 default: 933 /* Use the well-defined object role. */ 934 newcontext.role = OBJECT_R_VAL; 935 /* Use the type of the related object. */ 936 newcontext.type = tcontext->type; 937 } 938 939 /* Look for a type transition/member/change rule. */ 940 avkey.source_type = scontext->type; 941 avkey.target_type = tcontext->type; 942 avkey.target_class = tclass; 943 avkey.specified = specified; 944 avdatum = avtab_search(&policydb.te_avtab, &avkey); 945 946 /* If no permanent rule, also check for enabled conditional rules */ 947 if(!avdatum) { 948 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 949 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 950 if (node->key.specified & AVTAB_ENABLED) { 951 avdatum = &node->datum; 952 break; 953 } 954 } 955 } 956 957 if (avdatum) { 958 /* Use the type from the type transition/member/change rule. */ 959 newcontext.type = avdatum->data; 960 } 961 962 /* Check for class-specific changes. */ 963 switch (tclass) { 964 case SECCLASS_PROCESS: 965 if (specified & AVTAB_TRANSITION) { 966 /* Look for a role transition rule. */ 967 for (roletr = policydb.role_tr; roletr; 968 roletr = roletr->next) { 969 if (roletr->role == scontext->role && 970 roletr->type == tcontext->type) { 971 /* Use the role transition rule. */ 972 newcontext.role = roletr->new_role; 973 break; 974 } 975 } 976 } 977 break; 978 default: 979 break; 980 } 981 982 /* Set the MLS attributes. 983 This is done last because it may allocate memory. */ 984 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 985 if (rc) 986 goto out_unlock; 987 988 /* Check the validity of the context. */ 989 if (!policydb_context_isvalid(&policydb, &newcontext)) { 990 rc = compute_sid_handle_invalid_context(scontext, 991 tcontext, 992 tclass, 993 &newcontext); 994 if (rc) 995 goto out_unlock; 996 } 997 /* Obtain the sid for the context. */ 998 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 999 out_unlock: 1000 POLICY_RDUNLOCK; 1001 context_destroy(&newcontext); 1002 out: 1003 return rc; 1004 } 1005 1006 /** 1007 * security_transition_sid - Compute the SID for a new subject/object. 1008 * @ssid: source security identifier 1009 * @tsid: target security identifier 1010 * @tclass: target security class 1011 * @out_sid: security identifier for new subject/object 1012 * 1013 * Compute a SID to use for labeling a new subject or object in the 1014 * class @tclass based on a SID pair (@ssid, @tsid). 1015 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1016 * if insufficient memory is available, or %0 if the new SID was 1017 * computed successfully. 1018 */ 1019 int security_transition_sid(u32 ssid, 1020 u32 tsid, 1021 u16 tclass, 1022 u32 *out_sid) 1023 { 1024 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1025 } 1026 1027 /** 1028 * security_member_sid - Compute the SID for member selection. 1029 * @ssid: source security identifier 1030 * @tsid: target security identifier 1031 * @tclass: target security class 1032 * @out_sid: security identifier for selected member 1033 * 1034 * Compute a SID to use when selecting a member of a polyinstantiated 1035 * object of class @tclass based on a SID pair (@ssid, @tsid). 1036 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1037 * if insufficient memory is available, or %0 if the SID was 1038 * computed successfully. 1039 */ 1040 int security_member_sid(u32 ssid, 1041 u32 tsid, 1042 u16 tclass, 1043 u32 *out_sid) 1044 { 1045 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1046 } 1047 1048 /** 1049 * security_change_sid - Compute the SID for object relabeling. 1050 * @ssid: source security identifier 1051 * @tsid: target security identifier 1052 * @tclass: target security class 1053 * @out_sid: security identifier for selected member 1054 * 1055 * Compute a SID to use for relabeling an object of class @tclass 1056 * based on a SID pair (@ssid, @tsid). 1057 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1058 * if insufficient memory is available, or %0 if the SID was 1059 * computed successfully. 1060 */ 1061 int security_change_sid(u32 ssid, 1062 u32 tsid, 1063 u16 tclass, 1064 u32 *out_sid) 1065 { 1066 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1067 } 1068 1069 /* 1070 * Verify that each kernel class that is defined in the 1071 * policy is correct 1072 */ 1073 static int validate_classes(struct policydb *p) 1074 { 1075 int i, j; 1076 struct class_datum *cladatum; 1077 struct perm_datum *perdatum; 1078 u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1079 u16 class_val; 1080 const struct selinux_class_perm *kdefs = &selinux_class_perm; 1081 const char *def_class, *def_perm, *pol_class; 1082 struct symtab *perms; 1083 1084 if (p->allow_unknown) { 1085 u32 num_classes = kdefs->cts_len; 1086 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL); 1087 if (!p->undefined_perms) 1088 return -ENOMEM; 1089 } 1090 1091 for (i = 1; i < kdefs->cts_len; i++) { 1092 def_class = kdefs->class_to_string[i]; 1093 if (!def_class) 1094 continue; 1095 if (i > p->p_classes.nprim) { 1096 printk(KERN_INFO 1097 "security: class %s not defined in policy\n", 1098 def_class); 1099 if (p->reject_unknown) 1100 return -EINVAL; 1101 if (p->allow_unknown) 1102 p->undefined_perms[i-1] = ~0U; 1103 continue; 1104 } 1105 pol_class = p->p_class_val_to_name[i-1]; 1106 if (strcmp(pol_class, def_class)) { 1107 printk(KERN_ERR 1108 "security: class %d is incorrect, found %s but should be %s\n", 1109 i, pol_class, def_class); 1110 return -EINVAL; 1111 } 1112 } 1113 for (i = 0; i < kdefs->av_pts_len; i++) { 1114 class_val = kdefs->av_perm_to_string[i].tclass; 1115 perm_val = kdefs->av_perm_to_string[i].value; 1116 def_perm = kdefs->av_perm_to_string[i].name; 1117 if (class_val > p->p_classes.nprim) 1118 continue; 1119 pol_class = p->p_class_val_to_name[class_val-1]; 1120 cladatum = hashtab_search(p->p_classes.table, pol_class); 1121 BUG_ON(!cladatum); 1122 perms = &cladatum->permissions; 1123 nprim = 1 << (perms->nprim - 1); 1124 if (perm_val > nprim) { 1125 printk(KERN_INFO 1126 "security: permission %s in class %s not defined in policy\n", 1127 def_perm, pol_class); 1128 if (p->reject_unknown) 1129 return -EINVAL; 1130 if (p->allow_unknown) 1131 p->undefined_perms[class_val-1] |= perm_val; 1132 continue; 1133 } 1134 perdatum = hashtab_search(perms->table, def_perm); 1135 if (perdatum == NULL) { 1136 printk(KERN_ERR 1137 "security: permission %s in class %s not found in policy, bad policy\n", 1138 def_perm, pol_class); 1139 return -EINVAL; 1140 } 1141 pol_val = 1 << (perdatum->value - 1); 1142 if (pol_val != perm_val) { 1143 printk(KERN_ERR 1144 "security: permission %s in class %s has incorrect value\n", 1145 def_perm, pol_class); 1146 return -EINVAL; 1147 } 1148 } 1149 for (i = 0; i < kdefs->av_inherit_len; i++) { 1150 class_val = kdefs->av_inherit[i].tclass; 1151 if (class_val > p->p_classes.nprim) 1152 continue; 1153 pol_class = p->p_class_val_to_name[class_val-1]; 1154 cladatum = hashtab_search(p->p_classes.table, pol_class); 1155 BUG_ON(!cladatum); 1156 if (!cladatum->comdatum) { 1157 printk(KERN_ERR 1158 "security: class %s should have an inherits clause but does not\n", 1159 pol_class); 1160 return -EINVAL; 1161 } 1162 tmp = kdefs->av_inherit[i].common_base; 1163 common_pts_len = 0; 1164 while (!(tmp & 0x01)) { 1165 common_pts_len++; 1166 tmp >>= 1; 1167 } 1168 perms = &cladatum->comdatum->permissions; 1169 for (j = 0; j < common_pts_len; j++) { 1170 def_perm = kdefs->av_inherit[i].common_pts[j]; 1171 if (j >= perms->nprim) { 1172 printk(KERN_INFO 1173 "security: permission %s in class %s not defined in policy\n", 1174 def_perm, pol_class); 1175 if (p->reject_unknown) 1176 return -EINVAL; 1177 if (p->allow_unknown) 1178 p->undefined_perms[class_val-1] |= (1 << j); 1179 continue; 1180 } 1181 perdatum = hashtab_search(perms->table, def_perm); 1182 if (perdatum == NULL) { 1183 printk(KERN_ERR 1184 "security: permission %s in class %s not found in policy, bad policy\n", 1185 def_perm, pol_class); 1186 return -EINVAL; 1187 } 1188 if (perdatum->value != j + 1) { 1189 printk(KERN_ERR 1190 "security: permission %s in class %s has incorrect value\n", 1191 def_perm, pol_class); 1192 return -EINVAL; 1193 } 1194 } 1195 } 1196 return 0; 1197 } 1198 1199 /* Clone the SID into the new SID table. */ 1200 static int clone_sid(u32 sid, 1201 struct context *context, 1202 void *arg) 1203 { 1204 struct sidtab *s = arg; 1205 1206 return sidtab_insert(s, sid, context); 1207 } 1208 1209 static inline int convert_context_handle_invalid_context(struct context *context) 1210 { 1211 int rc = 0; 1212 1213 if (selinux_enforcing) { 1214 rc = -EINVAL; 1215 } else { 1216 char *s; 1217 u32 len; 1218 1219 context_struct_to_string(context, &s, &len); 1220 printk(KERN_ERR "security: context %s is invalid\n", s); 1221 kfree(s); 1222 } 1223 return rc; 1224 } 1225 1226 struct convert_context_args { 1227 struct policydb *oldp; 1228 struct policydb *newp; 1229 }; 1230 1231 /* 1232 * Convert the values in the security context 1233 * structure `c' from the values specified 1234 * in the policy `p->oldp' to the values specified 1235 * in the policy `p->newp'. Verify that the 1236 * context is valid under the new policy. 1237 */ 1238 static int convert_context(u32 key, 1239 struct context *c, 1240 void *p) 1241 { 1242 struct convert_context_args *args; 1243 struct context oldc; 1244 struct role_datum *role; 1245 struct type_datum *typdatum; 1246 struct user_datum *usrdatum; 1247 char *s; 1248 u32 len; 1249 int rc; 1250 1251 args = p; 1252 1253 rc = context_cpy(&oldc, c); 1254 if (rc) 1255 goto out; 1256 1257 rc = -EINVAL; 1258 1259 /* Convert the user. */ 1260 usrdatum = hashtab_search(args->newp->p_users.table, 1261 args->oldp->p_user_val_to_name[c->user - 1]); 1262 if (!usrdatum) { 1263 goto bad; 1264 } 1265 c->user = usrdatum->value; 1266 1267 /* Convert the role. */ 1268 role = hashtab_search(args->newp->p_roles.table, 1269 args->oldp->p_role_val_to_name[c->role - 1]); 1270 if (!role) { 1271 goto bad; 1272 } 1273 c->role = role->value; 1274 1275 /* Convert the type. */ 1276 typdatum = hashtab_search(args->newp->p_types.table, 1277 args->oldp->p_type_val_to_name[c->type - 1]); 1278 if (!typdatum) { 1279 goto bad; 1280 } 1281 c->type = typdatum->value; 1282 1283 rc = mls_convert_context(args->oldp, args->newp, c); 1284 if (rc) 1285 goto bad; 1286 1287 /* Check the validity of the new context. */ 1288 if (!policydb_context_isvalid(args->newp, c)) { 1289 rc = convert_context_handle_invalid_context(&oldc); 1290 if (rc) 1291 goto bad; 1292 } 1293 1294 context_destroy(&oldc); 1295 out: 1296 return rc; 1297 bad: 1298 context_struct_to_string(&oldc, &s, &len); 1299 context_destroy(&oldc); 1300 printk(KERN_ERR "security: invalidating context %s\n", s); 1301 kfree(s); 1302 goto out; 1303 } 1304 1305 static void security_load_policycaps(void) 1306 { 1307 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1308 POLICYDB_CAPABILITY_NETPEER); 1309 } 1310 1311 extern void selinux_complete_init(void); 1312 static int security_preserve_bools(struct policydb *p); 1313 1314 /** 1315 * security_load_policy - Load a security policy configuration. 1316 * @data: binary policy data 1317 * @len: length of data in bytes 1318 * 1319 * Load a new set of security policy configuration data, 1320 * validate it and convert the SID table as necessary. 1321 * This function will flush the access vector cache after 1322 * loading the new policy. 1323 */ 1324 int security_load_policy(void *data, size_t len) 1325 { 1326 struct policydb oldpolicydb, newpolicydb; 1327 struct sidtab oldsidtab, newsidtab; 1328 struct convert_context_args args; 1329 u32 seqno; 1330 int rc = 0; 1331 struct policy_file file = { data, len }, *fp = &file; 1332 1333 LOAD_LOCK; 1334 1335 if (!ss_initialized) { 1336 avtab_cache_init(); 1337 if (policydb_read(&policydb, fp)) { 1338 LOAD_UNLOCK; 1339 avtab_cache_destroy(); 1340 return -EINVAL; 1341 } 1342 if (policydb_load_isids(&policydb, &sidtab)) { 1343 LOAD_UNLOCK; 1344 policydb_destroy(&policydb); 1345 avtab_cache_destroy(); 1346 return -EINVAL; 1347 } 1348 /* Verify that the kernel defined classes are correct. */ 1349 if (validate_classes(&policydb)) { 1350 printk(KERN_ERR 1351 "security: the definition of a class is incorrect\n"); 1352 LOAD_UNLOCK; 1353 sidtab_destroy(&sidtab); 1354 policydb_destroy(&policydb); 1355 avtab_cache_destroy(); 1356 return -EINVAL; 1357 } 1358 security_load_policycaps(); 1359 policydb_loaded_version = policydb.policyvers; 1360 ss_initialized = 1; 1361 seqno = ++latest_granting; 1362 LOAD_UNLOCK; 1363 selinux_complete_init(); 1364 avc_ss_reset(seqno); 1365 selnl_notify_policyload(seqno); 1366 selinux_netlbl_cache_invalidate(); 1367 selinux_xfrm_notify_policyload(); 1368 return 0; 1369 } 1370 1371 #if 0 1372 sidtab_hash_eval(&sidtab, "sids"); 1373 #endif 1374 1375 if (policydb_read(&newpolicydb, fp)) { 1376 LOAD_UNLOCK; 1377 return -EINVAL; 1378 } 1379 1380 sidtab_init(&newsidtab); 1381 1382 /* Verify that the kernel defined classes are correct. */ 1383 if (validate_classes(&newpolicydb)) { 1384 printk(KERN_ERR 1385 "security: the definition of a class is incorrect\n"); 1386 rc = -EINVAL; 1387 goto err; 1388 } 1389 1390 rc = security_preserve_bools(&newpolicydb); 1391 if (rc) { 1392 printk(KERN_ERR "security: unable to preserve booleans\n"); 1393 goto err; 1394 } 1395 1396 /* Clone the SID table. */ 1397 sidtab_shutdown(&sidtab); 1398 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1399 rc = -ENOMEM; 1400 goto err; 1401 } 1402 1403 /* Convert the internal representations of contexts 1404 in the new SID table and remove invalid SIDs. */ 1405 args.oldp = &policydb; 1406 args.newp = &newpolicydb; 1407 sidtab_map_remove_on_error(&newsidtab, convert_context, &args); 1408 1409 /* Save the old policydb and SID table to free later. */ 1410 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1411 sidtab_set(&oldsidtab, &sidtab); 1412 1413 /* Install the new policydb and SID table. */ 1414 POLICY_WRLOCK; 1415 memcpy(&policydb, &newpolicydb, sizeof policydb); 1416 sidtab_set(&sidtab, &newsidtab); 1417 security_load_policycaps(); 1418 seqno = ++latest_granting; 1419 policydb_loaded_version = policydb.policyvers; 1420 POLICY_WRUNLOCK; 1421 LOAD_UNLOCK; 1422 1423 /* Free the old policydb and SID table. */ 1424 policydb_destroy(&oldpolicydb); 1425 sidtab_destroy(&oldsidtab); 1426 1427 avc_ss_reset(seqno); 1428 selnl_notify_policyload(seqno); 1429 selinux_netlbl_cache_invalidate(); 1430 selinux_xfrm_notify_policyload(); 1431 1432 return 0; 1433 1434 err: 1435 LOAD_UNLOCK; 1436 sidtab_destroy(&newsidtab); 1437 policydb_destroy(&newpolicydb); 1438 return rc; 1439 1440 } 1441 1442 /** 1443 * security_port_sid - Obtain the SID for a port. 1444 * @domain: communication domain aka address family 1445 * @type: socket type 1446 * @protocol: protocol number 1447 * @port: port number 1448 * @out_sid: security identifier 1449 */ 1450 int security_port_sid(u16 domain, 1451 u16 type, 1452 u8 protocol, 1453 u16 port, 1454 u32 *out_sid) 1455 { 1456 struct ocontext *c; 1457 int rc = 0; 1458 1459 POLICY_RDLOCK; 1460 1461 c = policydb.ocontexts[OCON_PORT]; 1462 while (c) { 1463 if (c->u.port.protocol == protocol && 1464 c->u.port.low_port <= port && 1465 c->u.port.high_port >= port) 1466 break; 1467 c = c->next; 1468 } 1469 1470 if (c) { 1471 if (!c->sid[0]) { 1472 rc = sidtab_context_to_sid(&sidtab, 1473 &c->context[0], 1474 &c->sid[0]); 1475 if (rc) 1476 goto out; 1477 } 1478 *out_sid = c->sid[0]; 1479 } else { 1480 *out_sid = SECINITSID_PORT; 1481 } 1482 1483 out: 1484 POLICY_RDUNLOCK; 1485 return rc; 1486 } 1487 1488 /** 1489 * security_netif_sid - Obtain the SID for a network interface. 1490 * @name: interface name 1491 * @if_sid: interface SID 1492 */ 1493 int security_netif_sid(char *name, u32 *if_sid) 1494 { 1495 int rc = 0; 1496 struct ocontext *c; 1497 1498 POLICY_RDLOCK; 1499 1500 c = policydb.ocontexts[OCON_NETIF]; 1501 while (c) { 1502 if (strcmp(name, c->u.name) == 0) 1503 break; 1504 c = c->next; 1505 } 1506 1507 if (c) { 1508 if (!c->sid[0] || !c->sid[1]) { 1509 rc = sidtab_context_to_sid(&sidtab, 1510 &c->context[0], 1511 &c->sid[0]); 1512 if (rc) 1513 goto out; 1514 rc = sidtab_context_to_sid(&sidtab, 1515 &c->context[1], 1516 &c->sid[1]); 1517 if (rc) 1518 goto out; 1519 } 1520 *if_sid = c->sid[0]; 1521 } else 1522 *if_sid = SECINITSID_NETIF; 1523 1524 out: 1525 POLICY_RDUNLOCK; 1526 return rc; 1527 } 1528 1529 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1530 { 1531 int i, fail = 0; 1532 1533 for(i = 0; i < 4; i++) 1534 if(addr[i] != (input[i] & mask[i])) { 1535 fail = 1; 1536 break; 1537 } 1538 1539 return !fail; 1540 } 1541 1542 /** 1543 * security_node_sid - Obtain the SID for a node (host). 1544 * @domain: communication domain aka address family 1545 * @addrp: address 1546 * @addrlen: address length in bytes 1547 * @out_sid: security identifier 1548 */ 1549 int security_node_sid(u16 domain, 1550 void *addrp, 1551 u32 addrlen, 1552 u32 *out_sid) 1553 { 1554 int rc = 0; 1555 struct ocontext *c; 1556 1557 POLICY_RDLOCK; 1558 1559 switch (domain) { 1560 case AF_INET: { 1561 u32 addr; 1562 1563 if (addrlen != sizeof(u32)) { 1564 rc = -EINVAL; 1565 goto out; 1566 } 1567 1568 addr = *((u32 *)addrp); 1569 1570 c = policydb.ocontexts[OCON_NODE]; 1571 while (c) { 1572 if (c->u.node.addr == (addr & c->u.node.mask)) 1573 break; 1574 c = c->next; 1575 } 1576 break; 1577 } 1578 1579 case AF_INET6: 1580 if (addrlen != sizeof(u64) * 2) { 1581 rc = -EINVAL; 1582 goto out; 1583 } 1584 c = policydb.ocontexts[OCON_NODE6]; 1585 while (c) { 1586 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1587 c->u.node6.mask)) 1588 break; 1589 c = c->next; 1590 } 1591 break; 1592 1593 default: 1594 *out_sid = SECINITSID_NODE; 1595 goto out; 1596 } 1597 1598 if (c) { 1599 if (!c->sid[0]) { 1600 rc = sidtab_context_to_sid(&sidtab, 1601 &c->context[0], 1602 &c->sid[0]); 1603 if (rc) 1604 goto out; 1605 } 1606 *out_sid = c->sid[0]; 1607 } else { 1608 *out_sid = SECINITSID_NODE; 1609 } 1610 1611 out: 1612 POLICY_RDUNLOCK; 1613 return rc; 1614 } 1615 1616 #define SIDS_NEL 25 1617 1618 /** 1619 * security_get_user_sids - Obtain reachable SIDs for a user. 1620 * @fromsid: starting SID 1621 * @username: username 1622 * @sids: array of reachable SIDs for user 1623 * @nel: number of elements in @sids 1624 * 1625 * Generate the set of SIDs for legal security contexts 1626 * for a given user that can be reached by @fromsid. 1627 * Set *@sids to point to a dynamically allocated 1628 * array containing the set of SIDs. Set *@nel to the 1629 * number of elements in the array. 1630 */ 1631 1632 int security_get_user_sids(u32 fromsid, 1633 char *username, 1634 u32 **sids, 1635 u32 *nel) 1636 { 1637 struct context *fromcon, usercon; 1638 u32 *mysids = NULL, *mysids2, sid; 1639 u32 mynel = 0, maxnel = SIDS_NEL; 1640 struct user_datum *user; 1641 struct role_datum *role; 1642 struct ebitmap_node *rnode, *tnode; 1643 int rc = 0, i, j; 1644 1645 *sids = NULL; 1646 *nel = 0; 1647 1648 if (!ss_initialized) 1649 goto out; 1650 1651 POLICY_RDLOCK; 1652 1653 fromcon = sidtab_search(&sidtab, fromsid); 1654 if (!fromcon) { 1655 rc = -EINVAL; 1656 goto out_unlock; 1657 } 1658 1659 user = hashtab_search(policydb.p_users.table, username); 1660 if (!user) { 1661 rc = -EINVAL; 1662 goto out_unlock; 1663 } 1664 usercon.user = user->value; 1665 1666 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 1667 if (!mysids) { 1668 rc = -ENOMEM; 1669 goto out_unlock; 1670 } 1671 1672 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 1673 role = policydb.role_val_to_struct[i]; 1674 usercon.role = i+1; 1675 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 1676 usercon.type = j+1; 1677 1678 if (mls_setup_user_range(fromcon, user, &usercon)) 1679 continue; 1680 1681 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1682 if (rc) 1683 goto out_unlock; 1684 if (mynel < maxnel) { 1685 mysids[mynel++] = sid; 1686 } else { 1687 maxnel += SIDS_NEL; 1688 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 1689 if (!mysids2) { 1690 rc = -ENOMEM; 1691 goto out_unlock; 1692 } 1693 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1694 kfree(mysids); 1695 mysids = mysids2; 1696 mysids[mynel++] = sid; 1697 } 1698 } 1699 } 1700 1701 out_unlock: 1702 POLICY_RDUNLOCK; 1703 if (rc || !mynel) { 1704 kfree(mysids); 1705 goto out; 1706 } 1707 1708 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 1709 if (!mysids2) { 1710 rc = -ENOMEM; 1711 kfree(mysids); 1712 goto out; 1713 } 1714 for (i = 0, j = 0; i < mynel; i++) { 1715 rc = avc_has_perm_noaudit(fromsid, mysids[i], 1716 SECCLASS_PROCESS, 1717 PROCESS__TRANSITION, AVC_STRICT, 1718 NULL); 1719 if (!rc) 1720 mysids2[j++] = mysids[i]; 1721 cond_resched(); 1722 } 1723 rc = 0; 1724 kfree(mysids); 1725 *sids = mysids2; 1726 *nel = j; 1727 out: 1728 return rc; 1729 } 1730 1731 /** 1732 * security_genfs_sid - Obtain a SID for a file in a filesystem 1733 * @fstype: filesystem type 1734 * @path: path from root of mount 1735 * @sclass: file security class 1736 * @sid: SID for path 1737 * 1738 * Obtain a SID to use for a file in a filesystem that 1739 * cannot support xattr or use a fixed labeling behavior like 1740 * transition SIDs or task SIDs. 1741 */ 1742 int security_genfs_sid(const char *fstype, 1743 char *path, 1744 u16 sclass, 1745 u32 *sid) 1746 { 1747 int len; 1748 struct genfs *genfs; 1749 struct ocontext *c; 1750 int rc = 0, cmp = 0; 1751 1752 while (path[0] == '/' && path[1] == '/') 1753 path++; 1754 1755 POLICY_RDLOCK; 1756 1757 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1758 cmp = strcmp(fstype, genfs->fstype); 1759 if (cmp <= 0) 1760 break; 1761 } 1762 1763 if (!genfs || cmp) { 1764 *sid = SECINITSID_UNLABELED; 1765 rc = -ENOENT; 1766 goto out; 1767 } 1768 1769 for (c = genfs->head; c; c = c->next) { 1770 len = strlen(c->u.name); 1771 if ((!c->v.sclass || sclass == c->v.sclass) && 1772 (strncmp(c->u.name, path, len) == 0)) 1773 break; 1774 } 1775 1776 if (!c) { 1777 *sid = SECINITSID_UNLABELED; 1778 rc = -ENOENT; 1779 goto out; 1780 } 1781 1782 if (!c->sid[0]) { 1783 rc = sidtab_context_to_sid(&sidtab, 1784 &c->context[0], 1785 &c->sid[0]); 1786 if (rc) 1787 goto out; 1788 } 1789 1790 *sid = c->sid[0]; 1791 out: 1792 POLICY_RDUNLOCK; 1793 return rc; 1794 } 1795 1796 /** 1797 * security_fs_use - Determine how to handle labeling for a filesystem. 1798 * @fstype: filesystem type 1799 * @behavior: labeling behavior 1800 * @sid: SID for filesystem (superblock) 1801 */ 1802 int security_fs_use( 1803 const char *fstype, 1804 unsigned int *behavior, 1805 u32 *sid) 1806 { 1807 int rc = 0; 1808 struct ocontext *c; 1809 1810 POLICY_RDLOCK; 1811 1812 c = policydb.ocontexts[OCON_FSUSE]; 1813 while (c) { 1814 if (strcmp(fstype, c->u.name) == 0) 1815 break; 1816 c = c->next; 1817 } 1818 1819 if (c) { 1820 *behavior = c->v.behavior; 1821 if (!c->sid[0]) { 1822 rc = sidtab_context_to_sid(&sidtab, 1823 &c->context[0], 1824 &c->sid[0]); 1825 if (rc) 1826 goto out; 1827 } 1828 *sid = c->sid[0]; 1829 } else { 1830 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1831 if (rc) { 1832 *behavior = SECURITY_FS_USE_NONE; 1833 rc = 0; 1834 } else { 1835 *behavior = SECURITY_FS_USE_GENFS; 1836 } 1837 } 1838 1839 out: 1840 POLICY_RDUNLOCK; 1841 return rc; 1842 } 1843 1844 int security_get_bools(int *len, char ***names, int **values) 1845 { 1846 int i, rc = -ENOMEM; 1847 1848 POLICY_RDLOCK; 1849 *names = NULL; 1850 *values = NULL; 1851 1852 *len = policydb.p_bools.nprim; 1853 if (!*len) { 1854 rc = 0; 1855 goto out; 1856 } 1857 1858 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1859 if (!*names) 1860 goto err; 1861 1862 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 1863 if (!*values) 1864 goto err; 1865 1866 for (i = 0; i < *len; i++) { 1867 size_t name_len; 1868 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1869 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1870 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1871 if (!(*names)[i]) 1872 goto err; 1873 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1874 (*names)[i][name_len - 1] = 0; 1875 } 1876 rc = 0; 1877 out: 1878 POLICY_RDUNLOCK; 1879 return rc; 1880 err: 1881 if (*names) { 1882 for (i = 0; i < *len; i++) 1883 kfree((*names)[i]); 1884 } 1885 kfree(*values); 1886 goto out; 1887 } 1888 1889 1890 int security_set_bools(int len, int *values) 1891 { 1892 int i, rc = 0; 1893 int lenp, seqno = 0; 1894 struct cond_node *cur; 1895 1896 POLICY_WRLOCK; 1897 1898 lenp = policydb.p_bools.nprim; 1899 if (len != lenp) { 1900 rc = -EFAULT; 1901 goto out; 1902 } 1903 1904 for (i = 0; i < len; i++) { 1905 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 1906 audit_log(current->audit_context, GFP_ATOMIC, 1907 AUDIT_MAC_CONFIG_CHANGE, 1908 "bool=%s val=%d old_val=%d auid=%u ses=%u", 1909 policydb.p_bool_val_to_name[i], 1910 !!values[i], 1911 policydb.bool_val_to_struct[i]->state, 1912 audit_get_loginuid(current), 1913 audit_get_sessionid(current)); 1914 } 1915 if (values[i]) { 1916 policydb.bool_val_to_struct[i]->state = 1; 1917 } else { 1918 policydb.bool_val_to_struct[i]->state = 0; 1919 } 1920 } 1921 1922 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1923 rc = evaluate_cond_node(&policydb, cur); 1924 if (rc) 1925 goto out; 1926 } 1927 1928 seqno = ++latest_granting; 1929 1930 out: 1931 POLICY_WRUNLOCK; 1932 if (!rc) { 1933 avc_ss_reset(seqno); 1934 selnl_notify_policyload(seqno); 1935 selinux_xfrm_notify_policyload(); 1936 } 1937 return rc; 1938 } 1939 1940 int security_get_bool_value(int bool) 1941 { 1942 int rc = 0; 1943 int len; 1944 1945 POLICY_RDLOCK; 1946 1947 len = policydb.p_bools.nprim; 1948 if (bool >= len) { 1949 rc = -EFAULT; 1950 goto out; 1951 } 1952 1953 rc = policydb.bool_val_to_struct[bool]->state; 1954 out: 1955 POLICY_RDUNLOCK; 1956 return rc; 1957 } 1958 1959 static int security_preserve_bools(struct policydb *p) 1960 { 1961 int rc, nbools = 0, *bvalues = NULL, i; 1962 char **bnames = NULL; 1963 struct cond_bool_datum *booldatum; 1964 struct cond_node *cur; 1965 1966 rc = security_get_bools(&nbools, &bnames, &bvalues); 1967 if (rc) 1968 goto out; 1969 for (i = 0; i < nbools; i++) { 1970 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 1971 if (booldatum) 1972 booldatum->state = bvalues[i]; 1973 } 1974 for (cur = p->cond_list; cur != NULL; cur = cur->next) { 1975 rc = evaluate_cond_node(p, cur); 1976 if (rc) 1977 goto out; 1978 } 1979 1980 out: 1981 if (bnames) { 1982 for (i = 0; i < nbools; i++) 1983 kfree(bnames[i]); 1984 } 1985 kfree(bnames); 1986 kfree(bvalues); 1987 return rc; 1988 } 1989 1990 /* 1991 * security_sid_mls_copy() - computes a new sid based on the given 1992 * sid and the mls portion of mls_sid. 1993 */ 1994 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 1995 { 1996 struct context *context1; 1997 struct context *context2; 1998 struct context newcon; 1999 char *s; 2000 u32 len; 2001 int rc = 0; 2002 2003 if (!ss_initialized || !selinux_mls_enabled) { 2004 *new_sid = sid; 2005 goto out; 2006 } 2007 2008 context_init(&newcon); 2009 2010 POLICY_RDLOCK; 2011 context1 = sidtab_search(&sidtab, sid); 2012 if (!context1) { 2013 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2014 "%d\n", sid); 2015 rc = -EINVAL; 2016 goto out_unlock; 2017 } 2018 2019 context2 = sidtab_search(&sidtab, mls_sid); 2020 if (!context2) { 2021 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 2022 "%d\n", mls_sid); 2023 rc = -EINVAL; 2024 goto out_unlock; 2025 } 2026 2027 newcon.user = context1->user; 2028 newcon.role = context1->role; 2029 newcon.type = context1->type; 2030 rc = mls_context_cpy(&newcon, context2); 2031 if (rc) 2032 goto out_unlock; 2033 2034 /* Check the validity of the new context. */ 2035 if (!policydb_context_isvalid(&policydb, &newcon)) { 2036 rc = convert_context_handle_invalid_context(&newcon); 2037 if (rc) 2038 goto bad; 2039 } 2040 2041 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 2042 goto out_unlock; 2043 2044 bad: 2045 if (!context_struct_to_string(&newcon, &s, &len)) { 2046 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2047 "security_sid_mls_copy: invalid context %s", s); 2048 kfree(s); 2049 } 2050 2051 out_unlock: 2052 POLICY_RDUNLOCK; 2053 context_destroy(&newcon); 2054 out: 2055 return rc; 2056 } 2057 2058 /** 2059 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 2060 * @nlbl_sid: NetLabel SID 2061 * @nlbl_type: NetLabel labeling protocol type 2062 * @xfrm_sid: XFRM SID 2063 * 2064 * Description: 2065 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 2066 * resolved into a single SID it is returned via @peer_sid and the function 2067 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 2068 * returns a negative value. A table summarizing the behavior is below: 2069 * 2070 * | function return | @sid 2071 * ------------------------------+-----------------+----------------- 2072 * no peer labels | 0 | SECSID_NULL 2073 * single peer label | 0 | <peer_label> 2074 * multiple, consistent labels | 0 | <peer_label> 2075 * multiple, inconsistent labels | -<errno> | SECSID_NULL 2076 * 2077 */ 2078 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, 2079 u32 xfrm_sid, 2080 u32 *peer_sid) 2081 { 2082 int rc; 2083 struct context *nlbl_ctx; 2084 struct context *xfrm_ctx; 2085 2086 /* handle the common (which also happens to be the set of easy) cases 2087 * right away, these two if statements catch everything involving a 2088 * single or absent peer SID/label */ 2089 if (xfrm_sid == SECSID_NULL) { 2090 *peer_sid = nlbl_sid; 2091 return 0; 2092 } 2093 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 2094 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 2095 * is present */ 2096 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 2097 *peer_sid = xfrm_sid; 2098 return 0; 2099 } 2100 2101 /* we don't need to check ss_initialized here since the only way both 2102 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2103 * security server was initialized and ss_initialized was true */ 2104 if (!selinux_mls_enabled) { 2105 *peer_sid = SECSID_NULL; 2106 return 0; 2107 } 2108 2109 POLICY_RDLOCK; 2110 2111 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2112 if (!nlbl_ctx) { 2113 printk(KERN_ERR 2114 "security_sid_mls_cmp: unrecognized SID %d\n", 2115 nlbl_sid); 2116 rc = -EINVAL; 2117 goto out_slowpath; 2118 } 2119 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2120 if (!xfrm_ctx) { 2121 printk(KERN_ERR 2122 "security_sid_mls_cmp: unrecognized SID %d\n", 2123 xfrm_sid); 2124 rc = -EINVAL; 2125 goto out_slowpath; 2126 } 2127 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 2128 2129 out_slowpath: 2130 POLICY_RDUNLOCK; 2131 if (rc == 0) 2132 /* at present NetLabel SIDs/labels really only carry MLS 2133 * information so if the MLS portion of the NetLabel SID 2134 * matches the MLS portion of the labeled XFRM SID/label 2135 * then pass along the XFRM SID as it is the most 2136 * expressive */ 2137 *peer_sid = xfrm_sid; 2138 else 2139 *peer_sid = SECSID_NULL; 2140 return rc; 2141 } 2142 2143 static int get_classes_callback(void *k, void *d, void *args) 2144 { 2145 struct class_datum *datum = d; 2146 char *name = k, **classes = args; 2147 int value = datum->value - 1; 2148 2149 classes[value] = kstrdup(name, GFP_ATOMIC); 2150 if (!classes[value]) 2151 return -ENOMEM; 2152 2153 return 0; 2154 } 2155 2156 int security_get_classes(char ***classes, int *nclasses) 2157 { 2158 int rc = -ENOMEM; 2159 2160 POLICY_RDLOCK; 2161 2162 *nclasses = policydb.p_classes.nprim; 2163 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2164 if (!*classes) 2165 goto out; 2166 2167 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2168 *classes); 2169 if (rc < 0) { 2170 int i; 2171 for (i = 0; i < *nclasses; i++) 2172 kfree((*classes)[i]); 2173 kfree(*classes); 2174 } 2175 2176 out: 2177 POLICY_RDUNLOCK; 2178 return rc; 2179 } 2180 2181 static int get_permissions_callback(void *k, void *d, void *args) 2182 { 2183 struct perm_datum *datum = d; 2184 char *name = k, **perms = args; 2185 int value = datum->value - 1; 2186 2187 perms[value] = kstrdup(name, GFP_ATOMIC); 2188 if (!perms[value]) 2189 return -ENOMEM; 2190 2191 return 0; 2192 } 2193 2194 int security_get_permissions(char *class, char ***perms, int *nperms) 2195 { 2196 int rc = -ENOMEM, i; 2197 struct class_datum *match; 2198 2199 POLICY_RDLOCK; 2200 2201 match = hashtab_search(policydb.p_classes.table, class); 2202 if (!match) { 2203 printk(KERN_ERR "%s: unrecognized class %s\n", 2204 __FUNCTION__, class); 2205 rc = -EINVAL; 2206 goto out; 2207 } 2208 2209 *nperms = match->permissions.nprim; 2210 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2211 if (!*perms) 2212 goto out; 2213 2214 if (match->comdatum) { 2215 rc = hashtab_map(match->comdatum->permissions.table, 2216 get_permissions_callback, *perms); 2217 if (rc < 0) 2218 goto err; 2219 } 2220 2221 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2222 *perms); 2223 if (rc < 0) 2224 goto err; 2225 2226 out: 2227 POLICY_RDUNLOCK; 2228 return rc; 2229 2230 err: 2231 POLICY_RDUNLOCK; 2232 for (i = 0; i < *nperms; i++) 2233 kfree((*perms)[i]); 2234 kfree(*perms); 2235 return rc; 2236 } 2237 2238 int security_get_reject_unknown(void) 2239 { 2240 return policydb.reject_unknown; 2241 } 2242 2243 int security_get_allow_unknown(void) 2244 { 2245 return policydb.allow_unknown; 2246 } 2247 2248 /** 2249 * security_get_policycaps - Query the loaded policy for its capabilities 2250 * @len: the number of capability bits 2251 * @values: the capability bit array 2252 * 2253 * Description: 2254 * Get an array of the policy capabilities in @values where each entry in 2255 * @values is either true (1) or false (0) depending the policy's support of 2256 * that feature. The policy capabilities are defined by the 2257 * POLICYDB_CAPABILITY_* enums. The size of the array is stored in @len and it 2258 * is up to the caller to free the array in @values. Returns zero on success, 2259 * negative values on failure. 2260 * 2261 */ 2262 int security_get_policycaps(int *len, int **values) 2263 { 2264 int rc = -ENOMEM; 2265 unsigned int iter; 2266 2267 POLICY_RDLOCK; 2268 2269 *values = kcalloc(POLICYDB_CAPABILITY_MAX, sizeof(int), GFP_ATOMIC); 2270 if (*values == NULL) 2271 goto out; 2272 for (iter = 0; iter < POLICYDB_CAPABILITY_MAX; iter++) 2273 (*values)[iter] = ebitmap_get_bit(&policydb.policycaps, iter); 2274 *len = POLICYDB_CAPABILITY_MAX; 2275 2276 out: 2277 POLICY_RDUNLOCK; 2278 return rc; 2279 } 2280 2281 /** 2282 * security_policycap_supported - Check for a specific policy capability 2283 * @req_cap: capability 2284 * 2285 * Description: 2286 * This function queries the currently loaded policy to see if it supports the 2287 * capability specified by @req_cap. Returns true (1) if the capability is 2288 * supported, false (0) if it isn't supported. 2289 * 2290 */ 2291 int security_policycap_supported(unsigned int req_cap) 2292 { 2293 int rc; 2294 2295 POLICY_RDLOCK; 2296 rc = ebitmap_get_bit(&policydb.policycaps, req_cap); 2297 POLICY_RDUNLOCK; 2298 2299 return rc; 2300 } 2301 2302 struct selinux_audit_rule { 2303 u32 au_seqno; 2304 struct context au_ctxt; 2305 }; 2306 2307 void selinux_audit_rule_free(struct selinux_audit_rule *rule) 2308 { 2309 if (rule) { 2310 context_destroy(&rule->au_ctxt); 2311 kfree(rule); 2312 } 2313 } 2314 2315 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, 2316 struct selinux_audit_rule **rule) 2317 { 2318 struct selinux_audit_rule *tmprule; 2319 struct role_datum *roledatum; 2320 struct type_datum *typedatum; 2321 struct user_datum *userdatum; 2322 int rc = 0; 2323 2324 *rule = NULL; 2325 2326 if (!ss_initialized) 2327 return -EOPNOTSUPP; 2328 2329 switch (field) { 2330 case AUDIT_SUBJ_USER: 2331 case AUDIT_SUBJ_ROLE: 2332 case AUDIT_SUBJ_TYPE: 2333 case AUDIT_OBJ_USER: 2334 case AUDIT_OBJ_ROLE: 2335 case AUDIT_OBJ_TYPE: 2336 /* only 'equals' and 'not equals' fit user, role, and type */ 2337 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 2338 return -EINVAL; 2339 break; 2340 case AUDIT_SUBJ_SEN: 2341 case AUDIT_SUBJ_CLR: 2342 case AUDIT_OBJ_LEV_LOW: 2343 case AUDIT_OBJ_LEV_HIGH: 2344 /* we do not allow a range, indicated by the presense of '-' */ 2345 if (strchr(rulestr, '-')) 2346 return -EINVAL; 2347 break; 2348 default: 2349 /* only the above fields are valid */ 2350 return -EINVAL; 2351 } 2352 2353 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2354 if (!tmprule) 2355 return -ENOMEM; 2356 2357 context_init(&tmprule->au_ctxt); 2358 2359 POLICY_RDLOCK; 2360 2361 tmprule->au_seqno = latest_granting; 2362 2363 switch (field) { 2364 case AUDIT_SUBJ_USER: 2365 case AUDIT_OBJ_USER: 2366 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2367 if (!userdatum) 2368 rc = -EINVAL; 2369 else 2370 tmprule->au_ctxt.user = userdatum->value; 2371 break; 2372 case AUDIT_SUBJ_ROLE: 2373 case AUDIT_OBJ_ROLE: 2374 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2375 if (!roledatum) 2376 rc = -EINVAL; 2377 else 2378 tmprule->au_ctxt.role = roledatum->value; 2379 break; 2380 case AUDIT_SUBJ_TYPE: 2381 case AUDIT_OBJ_TYPE: 2382 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2383 if (!typedatum) 2384 rc = -EINVAL; 2385 else 2386 tmprule->au_ctxt.type = typedatum->value; 2387 break; 2388 case AUDIT_SUBJ_SEN: 2389 case AUDIT_SUBJ_CLR: 2390 case AUDIT_OBJ_LEV_LOW: 2391 case AUDIT_OBJ_LEV_HIGH: 2392 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2393 break; 2394 } 2395 2396 POLICY_RDUNLOCK; 2397 2398 if (rc) { 2399 selinux_audit_rule_free(tmprule); 2400 tmprule = NULL; 2401 } 2402 2403 *rule = tmprule; 2404 2405 return rc; 2406 } 2407 2408 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, 2409 struct selinux_audit_rule *rule, 2410 struct audit_context *actx) 2411 { 2412 struct context *ctxt; 2413 struct mls_level *level; 2414 int match = 0; 2415 2416 if (!rule) { 2417 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2418 "selinux_audit_rule_match: missing rule\n"); 2419 return -ENOENT; 2420 } 2421 2422 POLICY_RDLOCK; 2423 2424 if (rule->au_seqno < latest_granting) { 2425 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2426 "selinux_audit_rule_match: stale rule\n"); 2427 match = -ESTALE; 2428 goto out; 2429 } 2430 2431 ctxt = sidtab_search(&sidtab, sid); 2432 if (!ctxt) { 2433 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2434 "selinux_audit_rule_match: unrecognized SID %d\n", 2435 sid); 2436 match = -ENOENT; 2437 goto out; 2438 } 2439 2440 /* a field/op pair that is not caught here will simply fall through 2441 without a match */ 2442 switch (field) { 2443 case AUDIT_SUBJ_USER: 2444 case AUDIT_OBJ_USER: 2445 switch (op) { 2446 case AUDIT_EQUAL: 2447 match = (ctxt->user == rule->au_ctxt.user); 2448 break; 2449 case AUDIT_NOT_EQUAL: 2450 match = (ctxt->user != rule->au_ctxt.user); 2451 break; 2452 } 2453 break; 2454 case AUDIT_SUBJ_ROLE: 2455 case AUDIT_OBJ_ROLE: 2456 switch (op) { 2457 case AUDIT_EQUAL: 2458 match = (ctxt->role == rule->au_ctxt.role); 2459 break; 2460 case AUDIT_NOT_EQUAL: 2461 match = (ctxt->role != rule->au_ctxt.role); 2462 break; 2463 } 2464 break; 2465 case AUDIT_SUBJ_TYPE: 2466 case AUDIT_OBJ_TYPE: 2467 switch (op) { 2468 case AUDIT_EQUAL: 2469 match = (ctxt->type == rule->au_ctxt.type); 2470 break; 2471 case AUDIT_NOT_EQUAL: 2472 match = (ctxt->type != rule->au_ctxt.type); 2473 break; 2474 } 2475 break; 2476 case AUDIT_SUBJ_SEN: 2477 case AUDIT_SUBJ_CLR: 2478 case AUDIT_OBJ_LEV_LOW: 2479 case AUDIT_OBJ_LEV_HIGH: 2480 level = ((field == AUDIT_SUBJ_SEN || 2481 field == AUDIT_OBJ_LEV_LOW) ? 2482 &ctxt->range.level[0] : &ctxt->range.level[1]); 2483 switch (op) { 2484 case AUDIT_EQUAL: 2485 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2486 level); 2487 break; 2488 case AUDIT_NOT_EQUAL: 2489 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2490 level); 2491 break; 2492 case AUDIT_LESS_THAN: 2493 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2494 level) && 2495 !mls_level_eq(&rule->au_ctxt.range.level[0], 2496 level)); 2497 break; 2498 case AUDIT_LESS_THAN_OR_EQUAL: 2499 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2500 level); 2501 break; 2502 case AUDIT_GREATER_THAN: 2503 match = (mls_level_dom(level, 2504 &rule->au_ctxt.range.level[0]) && 2505 !mls_level_eq(level, 2506 &rule->au_ctxt.range.level[0])); 2507 break; 2508 case AUDIT_GREATER_THAN_OR_EQUAL: 2509 match = mls_level_dom(level, 2510 &rule->au_ctxt.range.level[0]); 2511 break; 2512 } 2513 } 2514 2515 out: 2516 POLICY_RDUNLOCK; 2517 return match; 2518 } 2519 2520 static int (*aurule_callback)(void) = NULL; 2521 2522 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2523 u16 class, u32 perms, u32 *retained) 2524 { 2525 int err = 0; 2526 2527 if (event == AVC_CALLBACK_RESET && aurule_callback) 2528 err = aurule_callback(); 2529 return err; 2530 } 2531 2532 static int __init aurule_init(void) 2533 { 2534 int err; 2535 2536 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2537 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2538 if (err) 2539 panic("avc_add_callback() failed, error %d\n", err); 2540 2541 return err; 2542 } 2543 __initcall(aurule_init); 2544 2545 void selinux_audit_set_callback(int (*callback)(void)) 2546 { 2547 aurule_callback = callback; 2548 } 2549 2550 #ifdef CONFIG_NETLABEL 2551 /** 2552 * security_netlbl_cache_add - Add an entry to the NetLabel cache 2553 * @secattr: the NetLabel packet security attributes 2554 * @sid: the SELinux SID 2555 * 2556 * Description: 2557 * Attempt to cache the context in @ctx, which was derived from the packet in 2558 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2559 * already been initialized. 2560 * 2561 */ 2562 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2563 u32 sid) 2564 { 2565 u32 *sid_cache; 2566 2567 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 2568 if (sid_cache == NULL) 2569 return; 2570 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2571 if (secattr->cache == NULL) { 2572 kfree(sid_cache); 2573 return; 2574 } 2575 2576 *sid_cache = sid; 2577 secattr->cache->free = kfree; 2578 secattr->cache->data = sid_cache; 2579 secattr->flags |= NETLBL_SECATTR_CACHE; 2580 } 2581 2582 /** 2583 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2584 * @secattr: the NetLabel packet security attributes 2585 * @sid: the SELinux SID 2586 * 2587 * Description: 2588 * Convert the given NetLabel security attributes in @secattr into a 2589 * SELinux SID. If the @secattr field does not contain a full SELinux 2590 * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the 2591 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 2592 * allow the @secattr to be used by NetLabel to cache the secattr to SID 2593 * conversion for future lookups. Returns zero on success, negative values on 2594 * failure. 2595 * 2596 */ 2597 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2598 u32 *sid) 2599 { 2600 int rc = -EIDRM; 2601 struct context *ctx; 2602 struct context ctx_new; 2603 2604 if (!ss_initialized) { 2605 *sid = SECSID_NULL; 2606 return 0; 2607 } 2608 2609 POLICY_RDLOCK; 2610 2611 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2612 *sid = *(u32 *)secattr->cache->data; 2613 rc = 0; 2614 } else if (secattr->flags & NETLBL_SECATTR_SECID) { 2615 *sid = secattr->attr.secid; 2616 rc = 0; 2617 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 2618 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); 2619 if (ctx == NULL) 2620 goto netlbl_secattr_to_sid_return; 2621 2622 ctx_new.user = ctx->user; 2623 ctx_new.role = ctx->role; 2624 ctx_new.type = ctx->type; 2625 mls_import_netlbl_lvl(&ctx_new, secattr); 2626 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2627 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 2628 secattr->attr.mls.cat) != 0) 2629 goto netlbl_secattr_to_sid_return; 2630 ctx_new.range.level[1].cat.highbit = 2631 ctx_new.range.level[0].cat.highbit; 2632 ctx_new.range.level[1].cat.node = 2633 ctx_new.range.level[0].cat.node; 2634 } else { 2635 ebitmap_init(&ctx_new.range.level[0].cat); 2636 ebitmap_init(&ctx_new.range.level[1].cat); 2637 } 2638 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 2639 goto netlbl_secattr_to_sid_return_cleanup; 2640 2641 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2642 if (rc != 0) 2643 goto netlbl_secattr_to_sid_return_cleanup; 2644 2645 security_netlbl_cache_add(secattr, *sid); 2646 2647 ebitmap_destroy(&ctx_new.range.level[0].cat); 2648 } else { 2649 *sid = SECSID_NULL; 2650 rc = 0; 2651 } 2652 2653 netlbl_secattr_to_sid_return: 2654 POLICY_RDUNLOCK; 2655 return rc; 2656 netlbl_secattr_to_sid_return_cleanup: 2657 ebitmap_destroy(&ctx_new.range.level[0].cat); 2658 goto netlbl_secattr_to_sid_return; 2659 } 2660 2661 /** 2662 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 2663 * @sid: the SELinux SID 2664 * @secattr: the NetLabel packet security attributes 2665 * 2666 * Description: 2667 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 2668 * Returns zero on success, negative values on failure. 2669 * 2670 */ 2671 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 2672 { 2673 int rc = -ENOENT; 2674 struct context *ctx; 2675 2676 if (!ss_initialized) 2677 return 0; 2678 2679 POLICY_RDLOCK; 2680 ctx = sidtab_search(&sidtab, sid); 2681 if (ctx == NULL) 2682 goto netlbl_sid_to_secattr_failure; 2683 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2684 GFP_ATOMIC); 2685 secattr->flags |= NETLBL_SECATTR_DOMAIN; 2686 mls_export_netlbl_lvl(ctx, secattr); 2687 rc = mls_export_netlbl_cat(ctx, secattr); 2688 if (rc != 0) 2689 goto netlbl_sid_to_secattr_failure; 2690 POLICY_RDUNLOCK; 2691 2692 return 0; 2693 2694 netlbl_sid_to_secattr_failure: 2695 POLICY_RDUNLOCK; 2696 return rc; 2697 } 2698 #endif /* CONFIG_NETLABEL */ 2699