1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * 20 * Updated: Chad Sellers <csellers@tresys.com> 21 * 22 * Added validation of kernel classes and permissions 23 * 24 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. 25 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 26 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * This program is free software; you can redistribute it and/or modify 29 * it under the terms of the GNU General Public License as published by 30 * the Free Software Foundation, version 2. 31 */ 32 #include <linux/kernel.h> 33 #include <linux/slab.h> 34 #include <linux/string.h> 35 #include <linux/spinlock.h> 36 #include <linux/rcupdate.h> 37 #include <linux/errno.h> 38 #include <linux/in.h> 39 #include <linux/sched.h> 40 #include <linux/audit.h> 41 #include <linux/mutex.h> 42 #include <net/netlabel.h> 43 44 #include "flask.h" 45 #include "avc.h" 46 #include "avc_ss.h" 47 #include "security.h" 48 #include "context.h" 49 #include "policydb.h" 50 #include "sidtab.h" 51 #include "services.h" 52 #include "conditional.h" 53 #include "mls.h" 54 #include "objsec.h" 55 #include "netlabel.h" 56 #include "xfrm.h" 57 #include "ebitmap.h" 58 59 extern void selnl_notify_policyload(u32 seqno); 60 unsigned int policydb_loaded_version; 61 62 /* 63 * This is declared in avc.c 64 */ 65 extern const struct selinux_class_perm selinux_class_perm; 66 67 static DEFINE_RWLOCK(policy_rwlock); 68 #define POLICY_RDLOCK read_lock(&policy_rwlock) 69 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock) 70 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock) 71 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock) 72 73 static DEFINE_MUTEX(load_mutex); 74 #define LOAD_LOCK mutex_lock(&load_mutex) 75 #define LOAD_UNLOCK mutex_unlock(&load_mutex) 76 77 static struct sidtab sidtab; 78 struct policydb policydb; 79 int ss_initialized = 0; 80 81 /* 82 * The largest sequence number that has been used when 83 * providing an access decision to the access vector cache. 84 * The sequence number only changes when a policy change 85 * occurs. 86 */ 87 static u32 latest_granting = 0; 88 89 /* Forward declaration. */ 90 static int context_struct_to_string(struct context *context, char **scontext, 91 u32 *scontext_len); 92 93 /* 94 * Return the boolean value of a constraint expression 95 * when it is applied to the specified source and target 96 * security contexts. 97 * 98 * xcontext is a special beast... It is used by the validatetrans rules 99 * only. For these rules, scontext is the context before the transition, 100 * tcontext is the context after the transition, and xcontext is the context 101 * of the process performing the transition. All other callers of 102 * constraint_expr_eval should pass in NULL for xcontext. 103 */ 104 static int constraint_expr_eval(struct context *scontext, 105 struct context *tcontext, 106 struct context *xcontext, 107 struct constraint_expr *cexpr) 108 { 109 u32 val1, val2; 110 struct context *c; 111 struct role_datum *r1, *r2; 112 struct mls_level *l1, *l2; 113 struct constraint_expr *e; 114 int s[CEXPR_MAXDEPTH]; 115 int sp = -1; 116 117 for (e = cexpr; e; e = e->next) { 118 switch (e->expr_type) { 119 case CEXPR_NOT: 120 BUG_ON(sp < 0); 121 s[sp] = !s[sp]; 122 break; 123 case CEXPR_AND: 124 BUG_ON(sp < 1); 125 sp--; 126 s[sp] &= s[sp+1]; 127 break; 128 case CEXPR_OR: 129 BUG_ON(sp < 1); 130 sp--; 131 s[sp] |= s[sp+1]; 132 break; 133 case CEXPR_ATTR: 134 if (sp == (CEXPR_MAXDEPTH-1)) 135 return 0; 136 switch (e->attr) { 137 case CEXPR_USER: 138 val1 = scontext->user; 139 val2 = tcontext->user; 140 break; 141 case CEXPR_TYPE: 142 val1 = scontext->type; 143 val2 = tcontext->type; 144 break; 145 case CEXPR_ROLE: 146 val1 = scontext->role; 147 val2 = tcontext->role; 148 r1 = policydb.role_val_to_struct[val1 - 1]; 149 r2 = policydb.role_val_to_struct[val2 - 1]; 150 switch (e->op) { 151 case CEXPR_DOM: 152 s[++sp] = ebitmap_get_bit(&r1->dominates, 153 val2 - 1); 154 continue; 155 case CEXPR_DOMBY: 156 s[++sp] = ebitmap_get_bit(&r2->dominates, 157 val1 - 1); 158 continue; 159 case CEXPR_INCOMP: 160 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 161 val2 - 1) && 162 !ebitmap_get_bit(&r2->dominates, 163 val1 - 1) ); 164 continue; 165 default: 166 break; 167 } 168 break; 169 case CEXPR_L1L2: 170 l1 = &(scontext->range.level[0]); 171 l2 = &(tcontext->range.level[0]); 172 goto mls_ops; 173 case CEXPR_L1H2: 174 l1 = &(scontext->range.level[0]); 175 l2 = &(tcontext->range.level[1]); 176 goto mls_ops; 177 case CEXPR_H1L2: 178 l1 = &(scontext->range.level[1]); 179 l2 = &(tcontext->range.level[0]); 180 goto mls_ops; 181 case CEXPR_H1H2: 182 l1 = &(scontext->range.level[1]); 183 l2 = &(tcontext->range.level[1]); 184 goto mls_ops; 185 case CEXPR_L1H1: 186 l1 = &(scontext->range.level[0]); 187 l2 = &(scontext->range.level[1]); 188 goto mls_ops; 189 case CEXPR_L2H2: 190 l1 = &(tcontext->range.level[0]); 191 l2 = &(tcontext->range.level[1]); 192 goto mls_ops; 193 mls_ops: 194 switch (e->op) { 195 case CEXPR_EQ: 196 s[++sp] = mls_level_eq(l1, l2); 197 continue; 198 case CEXPR_NEQ: 199 s[++sp] = !mls_level_eq(l1, l2); 200 continue; 201 case CEXPR_DOM: 202 s[++sp] = mls_level_dom(l1, l2); 203 continue; 204 case CEXPR_DOMBY: 205 s[++sp] = mls_level_dom(l2, l1); 206 continue; 207 case CEXPR_INCOMP: 208 s[++sp] = mls_level_incomp(l2, l1); 209 continue; 210 default: 211 BUG(); 212 return 0; 213 } 214 break; 215 default: 216 BUG(); 217 return 0; 218 } 219 220 switch (e->op) { 221 case CEXPR_EQ: 222 s[++sp] = (val1 == val2); 223 break; 224 case CEXPR_NEQ: 225 s[++sp] = (val1 != val2); 226 break; 227 default: 228 BUG(); 229 return 0; 230 } 231 break; 232 case CEXPR_NAMES: 233 if (sp == (CEXPR_MAXDEPTH-1)) 234 return 0; 235 c = scontext; 236 if (e->attr & CEXPR_TARGET) 237 c = tcontext; 238 else if (e->attr & CEXPR_XTARGET) { 239 c = xcontext; 240 if (!c) { 241 BUG(); 242 return 0; 243 } 244 } 245 if (e->attr & CEXPR_USER) 246 val1 = c->user; 247 else if (e->attr & CEXPR_ROLE) 248 val1 = c->role; 249 else if (e->attr & CEXPR_TYPE) 250 val1 = c->type; 251 else { 252 BUG(); 253 return 0; 254 } 255 256 switch (e->op) { 257 case CEXPR_EQ: 258 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 259 break; 260 case CEXPR_NEQ: 261 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 262 break; 263 default: 264 BUG(); 265 return 0; 266 } 267 break; 268 default: 269 BUG(); 270 return 0; 271 } 272 } 273 274 BUG_ON(sp != 0); 275 return s[0]; 276 } 277 278 /* 279 * Compute access vectors based on a context structure pair for 280 * the permissions in a particular class. 281 */ 282 static int context_struct_compute_av(struct context *scontext, 283 struct context *tcontext, 284 u16 tclass, 285 u32 requested, 286 struct av_decision *avd) 287 { 288 struct constraint_node *constraint; 289 struct role_allow *ra; 290 struct avtab_key avkey; 291 struct avtab_node *node; 292 struct class_datum *tclass_datum; 293 struct ebitmap *sattr, *tattr; 294 struct ebitmap_node *snode, *tnode; 295 unsigned int i, j; 296 297 /* 298 * Remap extended Netlink classes for old policy versions. 299 * Do this here rather than socket_type_to_security_class() 300 * in case a newer policy version is loaded, allowing sockets 301 * to remain in the correct class. 302 */ 303 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 304 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 305 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 306 tclass = SECCLASS_NETLINK_SOCKET; 307 308 if (!tclass || tclass > policydb.p_classes.nprim) { 309 printk(KERN_ERR "security_compute_av: unrecognized class %d\n", 310 tclass); 311 return -EINVAL; 312 } 313 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 314 315 /* 316 * Initialize the access vectors to the default values. 317 */ 318 avd->allowed = 0; 319 avd->decided = 0xffffffff; 320 avd->auditallow = 0; 321 avd->auditdeny = 0xffffffff; 322 avd->seqno = latest_granting; 323 324 /* 325 * If a specific type enforcement rule was defined for 326 * this permission check, then use it. 327 */ 328 avkey.target_class = tclass; 329 avkey.specified = AVTAB_AV; 330 sattr = &policydb.type_attr_map[scontext->type - 1]; 331 tattr = &policydb.type_attr_map[tcontext->type - 1]; 332 ebitmap_for_each_bit(sattr, snode, i) { 333 if (!ebitmap_node_get_bit(snode, i)) 334 continue; 335 ebitmap_for_each_bit(tattr, tnode, j) { 336 if (!ebitmap_node_get_bit(tnode, j)) 337 continue; 338 avkey.source_type = i + 1; 339 avkey.target_type = j + 1; 340 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 341 node != NULL; 342 node = avtab_search_node_next(node, avkey.specified)) { 343 if (node->key.specified == AVTAB_ALLOWED) 344 avd->allowed |= node->datum.data; 345 else if (node->key.specified == AVTAB_AUDITALLOW) 346 avd->auditallow |= node->datum.data; 347 else if (node->key.specified == AVTAB_AUDITDENY) 348 avd->auditdeny &= node->datum.data; 349 } 350 351 /* Check conditional av table for additional permissions */ 352 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 353 354 } 355 } 356 357 /* 358 * Remove any permissions prohibited by a constraint (this includes 359 * the MLS policy). 360 */ 361 constraint = tclass_datum->constraints; 362 while (constraint) { 363 if ((constraint->permissions & (avd->allowed)) && 364 !constraint_expr_eval(scontext, tcontext, NULL, 365 constraint->expr)) { 366 avd->allowed = (avd->allowed) & ~(constraint->permissions); 367 } 368 constraint = constraint->next; 369 } 370 371 /* 372 * If checking process transition permission and the 373 * role is changing, then check the (current_role, new_role) 374 * pair. 375 */ 376 if (tclass == SECCLASS_PROCESS && 377 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 378 scontext->role != tcontext->role) { 379 for (ra = policydb.role_allow; ra; ra = ra->next) { 380 if (scontext->role == ra->role && 381 tcontext->role == ra->new_role) 382 break; 383 } 384 if (!ra) 385 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 386 PROCESS__DYNTRANSITION); 387 } 388 389 return 0; 390 } 391 392 static int security_validtrans_handle_fail(struct context *ocontext, 393 struct context *ncontext, 394 struct context *tcontext, 395 u16 tclass) 396 { 397 char *o = NULL, *n = NULL, *t = NULL; 398 u32 olen, nlen, tlen; 399 400 if (context_struct_to_string(ocontext, &o, &olen) < 0) 401 goto out; 402 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 403 goto out; 404 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 405 goto out; 406 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 407 "security_validate_transition: denied for" 408 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 409 o, n, t, policydb.p_class_val_to_name[tclass-1]); 410 out: 411 kfree(o); 412 kfree(n); 413 kfree(t); 414 415 if (!selinux_enforcing) 416 return 0; 417 return -EPERM; 418 } 419 420 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 421 u16 tclass) 422 { 423 struct context *ocontext; 424 struct context *ncontext; 425 struct context *tcontext; 426 struct class_datum *tclass_datum; 427 struct constraint_node *constraint; 428 int rc = 0; 429 430 if (!ss_initialized) 431 return 0; 432 433 POLICY_RDLOCK; 434 435 /* 436 * Remap extended Netlink classes for old policy versions. 437 * Do this here rather than socket_type_to_security_class() 438 * in case a newer policy version is loaded, allowing sockets 439 * to remain in the correct class. 440 */ 441 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 442 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 443 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 444 tclass = SECCLASS_NETLINK_SOCKET; 445 446 if (!tclass || tclass > policydb.p_classes.nprim) { 447 printk(KERN_ERR "security_validate_transition: " 448 "unrecognized class %d\n", tclass); 449 rc = -EINVAL; 450 goto out; 451 } 452 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 453 454 ocontext = sidtab_search(&sidtab, oldsid); 455 if (!ocontext) { 456 printk(KERN_ERR "security_validate_transition: " 457 " unrecognized SID %d\n", oldsid); 458 rc = -EINVAL; 459 goto out; 460 } 461 462 ncontext = sidtab_search(&sidtab, newsid); 463 if (!ncontext) { 464 printk(KERN_ERR "security_validate_transition: " 465 " unrecognized SID %d\n", newsid); 466 rc = -EINVAL; 467 goto out; 468 } 469 470 tcontext = sidtab_search(&sidtab, tasksid); 471 if (!tcontext) { 472 printk(KERN_ERR "security_validate_transition: " 473 " unrecognized SID %d\n", tasksid); 474 rc = -EINVAL; 475 goto out; 476 } 477 478 constraint = tclass_datum->validatetrans; 479 while (constraint) { 480 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 481 constraint->expr)) { 482 rc = security_validtrans_handle_fail(ocontext, ncontext, 483 tcontext, tclass); 484 goto out; 485 } 486 constraint = constraint->next; 487 } 488 489 out: 490 POLICY_RDUNLOCK; 491 return rc; 492 } 493 494 /** 495 * security_compute_av - Compute access vector decisions. 496 * @ssid: source security identifier 497 * @tsid: target security identifier 498 * @tclass: target security class 499 * @requested: requested permissions 500 * @avd: access vector decisions 501 * 502 * Compute a set of access vector decisions based on the 503 * SID pair (@ssid, @tsid) for the permissions in @tclass. 504 * Return -%EINVAL if any of the parameters are invalid or %0 505 * if the access vector decisions were computed successfully. 506 */ 507 int security_compute_av(u32 ssid, 508 u32 tsid, 509 u16 tclass, 510 u32 requested, 511 struct av_decision *avd) 512 { 513 struct context *scontext = NULL, *tcontext = NULL; 514 int rc = 0; 515 516 if (!ss_initialized) { 517 avd->allowed = 0xffffffff; 518 avd->decided = 0xffffffff; 519 avd->auditallow = 0; 520 avd->auditdeny = 0xffffffff; 521 avd->seqno = latest_granting; 522 return 0; 523 } 524 525 POLICY_RDLOCK; 526 527 scontext = sidtab_search(&sidtab, ssid); 528 if (!scontext) { 529 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 530 ssid); 531 rc = -EINVAL; 532 goto out; 533 } 534 tcontext = sidtab_search(&sidtab, tsid); 535 if (!tcontext) { 536 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 537 tsid); 538 rc = -EINVAL; 539 goto out; 540 } 541 542 rc = context_struct_compute_av(scontext, tcontext, tclass, 543 requested, avd); 544 out: 545 POLICY_RDUNLOCK; 546 return rc; 547 } 548 549 /* 550 * Write the security context string representation of 551 * the context structure `context' into a dynamically 552 * allocated string of the correct size. Set `*scontext' 553 * to point to this string and set `*scontext_len' to 554 * the length of the string. 555 */ 556 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 557 { 558 char *scontextp; 559 560 *scontext = NULL; 561 *scontext_len = 0; 562 563 /* Compute the size of the context. */ 564 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 565 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 566 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 567 *scontext_len += mls_compute_context_len(context); 568 569 /* Allocate space for the context; caller must free this space. */ 570 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 571 if (!scontextp) { 572 return -ENOMEM; 573 } 574 *scontext = scontextp; 575 576 /* 577 * Copy the user name, role name and type name into the context. 578 */ 579 sprintf(scontextp, "%s:%s:%s", 580 policydb.p_user_val_to_name[context->user - 1], 581 policydb.p_role_val_to_name[context->role - 1], 582 policydb.p_type_val_to_name[context->type - 1]); 583 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 584 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 585 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 586 587 mls_sid_to_context(context, &scontextp); 588 589 *scontextp = 0; 590 591 return 0; 592 } 593 594 #include "initial_sid_to_string.h" 595 596 const char *security_get_initial_sid_context(u32 sid) 597 { 598 if (unlikely(sid > SECINITSID_NUM)) 599 return NULL; 600 return initial_sid_to_string[sid]; 601 } 602 603 /** 604 * security_sid_to_context - Obtain a context for a given SID. 605 * @sid: security identifier, SID 606 * @scontext: security context 607 * @scontext_len: length in bytes 608 * 609 * Write the string representation of the context associated with @sid 610 * into a dynamically allocated string of the correct size. Set @scontext 611 * to point to this string and set @scontext_len to the length of the string. 612 */ 613 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 614 { 615 struct context *context; 616 int rc = 0; 617 618 *scontext = NULL; 619 *scontext_len = 0; 620 621 if (!ss_initialized) { 622 if (sid <= SECINITSID_NUM) { 623 char *scontextp; 624 625 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 626 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 627 if (!scontextp) { 628 rc = -ENOMEM; 629 goto out; 630 } 631 strcpy(scontextp, initial_sid_to_string[sid]); 632 *scontext = scontextp; 633 goto out; 634 } 635 printk(KERN_ERR "security_sid_to_context: called before initial " 636 "load_policy on unknown SID %d\n", sid); 637 rc = -EINVAL; 638 goto out; 639 } 640 POLICY_RDLOCK; 641 context = sidtab_search(&sidtab, sid); 642 if (!context) { 643 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 644 "%d\n", sid); 645 rc = -EINVAL; 646 goto out_unlock; 647 } 648 rc = context_struct_to_string(context, scontext, scontext_len); 649 out_unlock: 650 POLICY_RDUNLOCK; 651 out: 652 return rc; 653 654 } 655 656 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 657 { 658 char *scontext2; 659 struct context context; 660 struct role_datum *role; 661 struct type_datum *typdatum; 662 struct user_datum *usrdatum; 663 char *scontextp, *p, oldc; 664 int rc = 0; 665 666 if (!ss_initialized) { 667 int i; 668 669 for (i = 1; i < SECINITSID_NUM; i++) { 670 if (!strcmp(initial_sid_to_string[i], scontext)) { 671 *sid = i; 672 goto out; 673 } 674 } 675 *sid = SECINITSID_KERNEL; 676 goto out; 677 } 678 *sid = SECSID_NULL; 679 680 /* Copy the string so that we can modify the copy as we parse it. 681 The string should already by null terminated, but we append a 682 null suffix to the copy to avoid problems with the existing 683 attr package, which doesn't view the null terminator as part 684 of the attribute value. */ 685 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 686 if (!scontext2) { 687 rc = -ENOMEM; 688 goto out; 689 } 690 memcpy(scontext2, scontext, scontext_len); 691 scontext2[scontext_len] = 0; 692 693 context_init(&context); 694 *sid = SECSID_NULL; 695 696 POLICY_RDLOCK; 697 698 /* Parse the security context. */ 699 700 rc = -EINVAL; 701 scontextp = (char *) scontext2; 702 703 /* Extract the user. */ 704 p = scontextp; 705 while (*p && *p != ':') 706 p++; 707 708 if (*p == 0) 709 goto out_unlock; 710 711 *p++ = 0; 712 713 usrdatum = hashtab_search(policydb.p_users.table, scontextp); 714 if (!usrdatum) 715 goto out_unlock; 716 717 context.user = usrdatum->value; 718 719 /* Extract role. */ 720 scontextp = p; 721 while (*p && *p != ':') 722 p++; 723 724 if (*p == 0) 725 goto out_unlock; 726 727 *p++ = 0; 728 729 role = hashtab_search(policydb.p_roles.table, scontextp); 730 if (!role) 731 goto out_unlock; 732 context.role = role->value; 733 734 /* Extract type. */ 735 scontextp = p; 736 while (*p && *p != ':') 737 p++; 738 oldc = *p; 739 *p++ = 0; 740 741 typdatum = hashtab_search(policydb.p_types.table, scontextp); 742 if (!typdatum) 743 goto out_unlock; 744 745 context.type = typdatum->value; 746 747 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); 748 if (rc) 749 goto out_unlock; 750 751 if ((p - scontext2) < scontext_len) { 752 rc = -EINVAL; 753 goto out_unlock; 754 } 755 756 /* Check the validity of the new context. */ 757 if (!policydb_context_isvalid(&policydb, &context)) { 758 rc = -EINVAL; 759 goto out_unlock; 760 } 761 /* Obtain the new sid. */ 762 rc = sidtab_context_to_sid(&sidtab, &context, sid); 763 out_unlock: 764 POLICY_RDUNLOCK; 765 context_destroy(&context); 766 kfree(scontext2); 767 out: 768 return rc; 769 } 770 771 /** 772 * security_context_to_sid - Obtain a SID for a given security context. 773 * @scontext: security context 774 * @scontext_len: length in bytes 775 * @sid: security identifier, SID 776 * 777 * Obtains a SID associated with the security context that 778 * has the string representation specified by @scontext. 779 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 780 * memory is available, or 0 on success. 781 */ 782 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 783 { 784 return security_context_to_sid_core(scontext, scontext_len, 785 sid, SECSID_NULL); 786 } 787 788 /** 789 * security_context_to_sid_default - Obtain a SID for a given security context, 790 * falling back to specified default if needed. 791 * 792 * @scontext: security context 793 * @scontext_len: length in bytes 794 * @sid: security identifier, SID 795 * @def_sid: default SID to assign on errror 796 * 797 * Obtains a SID associated with the security context that 798 * has the string representation specified by @scontext. 799 * The default SID is passed to the MLS layer to be used to allow 800 * kernel labeling of the MLS field if the MLS field is not present 801 * (for upgrading to MLS without full relabel). 802 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 803 * memory is available, or 0 on success. 804 */ 805 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 806 { 807 return security_context_to_sid_core(scontext, scontext_len, 808 sid, def_sid); 809 } 810 811 static int compute_sid_handle_invalid_context( 812 struct context *scontext, 813 struct context *tcontext, 814 u16 tclass, 815 struct context *newcontext) 816 { 817 char *s = NULL, *t = NULL, *n = NULL; 818 u32 slen, tlen, nlen; 819 820 if (context_struct_to_string(scontext, &s, &slen) < 0) 821 goto out; 822 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 823 goto out; 824 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 825 goto out; 826 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 827 "security_compute_sid: invalid context %s" 828 " for scontext=%s" 829 " tcontext=%s" 830 " tclass=%s", 831 n, s, t, policydb.p_class_val_to_name[tclass-1]); 832 out: 833 kfree(s); 834 kfree(t); 835 kfree(n); 836 if (!selinux_enforcing) 837 return 0; 838 return -EACCES; 839 } 840 841 static int security_compute_sid(u32 ssid, 842 u32 tsid, 843 u16 tclass, 844 u32 specified, 845 u32 *out_sid) 846 { 847 struct context *scontext = NULL, *tcontext = NULL, newcontext; 848 struct role_trans *roletr = NULL; 849 struct avtab_key avkey; 850 struct avtab_datum *avdatum; 851 struct avtab_node *node; 852 int rc = 0; 853 854 if (!ss_initialized) { 855 switch (tclass) { 856 case SECCLASS_PROCESS: 857 *out_sid = ssid; 858 break; 859 default: 860 *out_sid = tsid; 861 break; 862 } 863 goto out; 864 } 865 866 context_init(&newcontext); 867 868 POLICY_RDLOCK; 869 870 scontext = sidtab_search(&sidtab, ssid); 871 if (!scontext) { 872 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 873 ssid); 874 rc = -EINVAL; 875 goto out_unlock; 876 } 877 tcontext = sidtab_search(&sidtab, tsid); 878 if (!tcontext) { 879 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 880 tsid); 881 rc = -EINVAL; 882 goto out_unlock; 883 } 884 885 /* Set the user identity. */ 886 switch (specified) { 887 case AVTAB_TRANSITION: 888 case AVTAB_CHANGE: 889 /* Use the process user identity. */ 890 newcontext.user = scontext->user; 891 break; 892 case AVTAB_MEMBER: 893 /* Use the related object owner. */ 894 newcontext.user = tcontext->user; 895 break; 896 } 897 898 /* Set the role and type to default values. */ 899 switch (tclass) { 900 case SECCLASS_PROCESS: 901 /* Use the current role and type of process. */ 902 newcontext.role = scontext->role; 903 newcontext.type = scontext->type; 904 break; 905 default: 906 /* Use the well-defined object role. */ 907 newcontext.role = OBJECT_R_VAL; 908 /* Use the type of the related object. */ 909 newcontext.type = tcontext->type; 910 } 911 912 /* Look for a type transition/member/change rule. */ 913 avkey.source_type = scontext->type; 914 avkey.target_type = tcontext->type; 915 avkey.target_class = tclass; 916 avkey.specified = specified; 917 avdatum = avtab_search(&policydb.te_avtab, &avkey); 918 919 /* If no permanent rule, also check for enabled conditional rules */ 920 if(!avdatum) { 921 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 922 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 923 if (node->key.specified & AVTAB_ENABLED) { 924 avdatum = &node->datum; 925 break; 926 } 927 } 928 } 929 930 if (avdatum) { 931 /* Use the type from the type transition/member/change rule. */ 932 newcontext.type = avdatum->data; 933 } 934 935 /* Check for class-specific changes. */ 936 switch (tclass) { 937 case SECCLASS_PROCESS: 938 if (specified & AVTAB_TRANSITION) { 939 /* Look for a role transition rule. */ 940 for (roletr = policydb.role_tr; roletr; 941 roletr = roletr->next) { 942 if (roletr->role == scontext->role && 943 roletr->type == tcontext->type) { 944 /* Use the role transition rule. */ 945 newcontext.role = roletr->new_role; 946 break; 947 } 948 } 949 } 950 break; 951 default: 952 break; 953 } 954 955 /* Set the MLS attributes. 956 This is done last because it may allocate memory. */ 957 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 958 if (rc) 959 goto out_unlock; 960 961 /* Check the validity of the context. */ 962 if (!policydb_context_isvalid(&policydb, &newcontext)) { 963 rc = compute_sid_handle_invalid_context(scontext, 964 tcontext, 965 tclass, 966 &newcontext); 967 if (rc) 968 goto out_unlock; 969 } 970 /* Obtain the sid for the context. */ 971 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 972 out_unlock: 973 POLICY_RDUNLOCK; 974 context_destroy(&newcontext); 975 out: 976 return rc; 977 } 978 979 /** 980 * security_transition_sid - Compute the SID for a new subject/object. 981 * @ssid: source security identifier 982 * @tsid: target security identifier 983 * @tclass: target security class 984 * @out_sid: security identifier for new subject/object 985 * 986 * Compute a SID to use for labeling a new subject or object in the 987 * class @tclass based on a SID pair (@ssid, @tsid). 988 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 989 * if insufficient memory is available, or %0 if the new SID was 990 * computed successfully. 991 */ 992 int security_transition_sid(u32 ssid, 993 u32 tsid, 994 u16 tclass, 995 u32 *out_sid) 996 { 997 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 998 } 999 1000 /** 1001 * security_member_sid - Compute the SID for member selection. 1002 * @ssid: source security identifier 1003 * @tsid: target security identifier 1004 * @tclass: target security class 1005 * @out_sid: security identifier for selected member 1006 * 1007 * Compute a SID to use when selecting a member of a polyinstantiated 1008 * object of class @tclass based on a SID pair (@ssid, @tsid). 1009 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1010 * if insufficient memory is available, or %0 if the SID was 1011 * computed successfully. 1012 */ 1013 int security_member_sid(u32 ssid, 1014 u32 tsid, 1015 u16 tclass, 1016 u32 *out_sid) 1017 { 1018 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1019 } 1020 1021 /** 1022 * security_change_sid - Compute the SID for object relabeling. 1023 * @ssid: source security identifier 1024 * @tsid: target security identifier 1025 * @tclass: target security class 1026 * @out_sid: security identifier for selected member 1027 * 1028 * Compute a SID to use for relabeling an object of class @tclass 1029 * based on a SID pair (@ssid, @tsid). 1030 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1031 * if insufficient memory is available, or %0 if the SID was 1032 * computed successfully. 1033 */ 1034 int security_change_sid(u32 ssid, 1035 u32 tsid, 1036 u16 tclass, 1037 u32 *out_sid) 1038 { 1039 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1040 } 1041 1042 /* 1043 * Verify that each kernel class that is defined in the 1044 * policy is correct 1045 */ 1046 static int validate_classes(struct policydb *p) 1047 { 1048 int i, j; 1049 struct class_datum *cladatum; 1050 struct perm_datum *perdatum; 1051 u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1052 u16 class_val; 1053 const struct selinux_class_perm *kdefs = &selinux_class_perm; 1054 const char *def_class, *def_perm, *pol_class; 1055 struct symtab *perms; 1056 1057 for (i = 1; i < kdefs->cts_len; i++) { 1058 def_class = kdefs->class_to_string[i]; 1059 if (!def_class) 1060 continue; 1061 if (i > p->p_classes.nprim) { 1062 printk(KERN_INFO 1063 "security: class %s not defined in policy\n", 1064 def_class); 1065 continue; 1066 } 1067 pol_class = p->p_class_val_to_name[i-1]; 1068 if (strcmp(pol_class, def_class)) { 1069 printk(KERN_ERR 1070 "security: class %d is incorrect, found %s but should be %s\n", 1071 i, pol_class, def_class); 1072 return -EINVAL; 1073 } 1074 } 1075 for (i = 0; i < kdefs->av_pts_len; i++) { 1076 class_val = kdefs->av_perm_to_string[i].tclass; 1077 perm_val = kdefs->av_perm_to_string[i].value; 1078 def_perm = kdefs->av_perm_to_string[i].name; 1079 if (class_val > p->p_classes.nprim) 1080 continue; 1081 pol_class = p->p_class_val_to_name[class_val-1]; 1082 cladatum = hashtab_search(p->p_classes.table, pol_class); 1083 BUG_ON(!cladatum); 1084 perms = &cladatum->permissions; 1085 nprim = 1 << (perms->nprim - 1); 1086 if (perm_val > nprim) { 1087 printk(KERN_INFO 1088 "security: permission %s in class %s not defined in policy\n", 1089 def_perm, pol_class); 1090 continue; 1091 } 1092 perdatum = hashtab_search(perms->table, def_perm); 1093 if (perdatum == NULL) { 1094 printk(KERN_ERR 1095 "security: permission %s in class %s not found in policy\n", 1096 def_perm, pol_class); 1097 return -EINVAL; 1098 } 1099 pol_val = 1 << (perdatum->value - 1); 1100 if (pol_val != perm_val) { 1101 printk(KERN_ERR 1102 "security: permission %s in class %s has incorrect value\n", 1103 def_perm, pol_class); 1104 return -EINVAL; 1105 } 1106 } 1107 for (i = 0; i < kdefs->av_inherit_len; i++) { 1108 class_val = kdefs->av_inherit[i].tclass; 1109 if (class_val > p->p_classes.nprim) 1110 continue; 1111 pol_class = p->p_class_val_to_name[class_val-1]; 1112 cladatum = hashtab_search(p->p_classes.table, pol_class); 1113 BUG_ON(!cladatum); 1114 if (!cladatum->comdatum) { 1115 printk(KERN_ERR 1116 "security: class %s should have an inherits clause but does not\n", 1117 pol_class); 1118 return -EINVAL; 1119 } 1120 tmp = kdefs->av_inherit[i].common_base; 1121 common_pts_len = 0; 1122 while (!(tmp & 0x01)) { 1123 common_pts_len++; 1124 tmp >>= 1; 1125 } 1126 perms = &cladatum->comdatum->permissions; 1127 for (j = 0; j < common_pts_len; j++) { 1128 def_perm = kdefs->av_inherit[i].common_pts[j]; 1129 if (j >= perms->nprim) { 1130 printk(KERN_INFO 1131 "security: permission %s in class %s not defined in policy\n", 1132 def_perm, pol_class); 1133 continue; 1134 } 1135 perdatum = hashtab_search(perms->table, def_perm); 1136 if (perdatum == NULL) { 1137 printk(KERN_ERR 1138 "security: permission %s in class %s not found in policy\n", 1139 def_perm, pol_class); 1140 return -EINVAL; 1141 } 1142 if (perdatum->value != j + 1) { 1143 printk(KERN_ERR 1144 "security: permission %s in class %s has incorrect value\n", 1145 def_perm, pol_class); 1146 return -EINVAL; 1147 } 1148 } 1149 } 1150 return 0; 1151 } 1152 1153 /* Clone the SID into the new SID table. */ 1154 static int clone_sid(u32 sid, 1155 struct context *context, 1156 void *arg) 1157 { 1158 struct sidtab *s = arg; 1159 1160 return sidtab_insert(s, sid, context); 1161 } 1162 1163 static inline int convert_context_handle_invalid_context(struct context *context) 1164 { 1165 int rc = 0; 1166 1167 if (selinux_enforcing) { 1168 rc = -EINVAL; 1169 } else { 1170 char *s; 1171 u32 len; 1172 1173 context_struct_to_string(context, &s, &len); 1174 printk(KERN_ERR "security: context %s is invalid\n", s); 1175 kfree(s); 1176 } 1177 return rc; 1178 } 1179 1180 struct convert_context_args { 1181 struct policydb *oldp; 1182 struct policydb *newp; 1183 }; 1184 1185 /* 1186 * Convert the values in the security context 1187 * structure `c' from the values specified 1188 * in the policy `p->oldp' to the values specified 1189 * in the policy `p->newp'. Verify that the 1190 * context is valid under the new policy. 1191 */ 1192 static int convert_context(u32 key, 1193 struct context *c, 1194 void *p) 1195 { 1196 struct convert_context_args *args; 1197 struct context oldc; 1198 struct role_datum *role; 1199 struct type_datum *typdatum; 1200 struct user_datum *usrdatum; 1201 char *s; 1202 u32 len; 1203 int rc; 1204 1205 args = p; 1206 1207 rc = context_cpy(&oldc, c); 1208 if (rc) 1209 goto out; 1210 1211 rc = -EINVAL; 1212 1213 /* Convert the user. */ 1214 usrdatum = hashtab_search(args->newp->p_users.table, 1215 args->oldp->p_user_val_to_name[c->user - 1]); 1216 if (!usrdatum) { 1217 goto bad; 1218 } 1219 c->user = usrdatum->value; 1220 1221 /* Convert the role. */ 1222 role = hashtab_search(args->newp->p_roles.table, 1223 args->oldp->p_role_val_to_name[c->role - 1]); 1224 if (!role) { 1225 goto bad; 1226 } 1227 c->role = role->value; 1228 1229 /* Convert the type. */ 1230 typdatum = hashtab_search(args->newp->p_types.table, 1231 args->oldp->p_type_val_to_name[c->type - 1]); 1232 if (!typdatum) { 1233 goto bad; 1234 } 1235 c->type = typdatum->value; 1236 1237 rc = mls_convert_context(args->oldp, args->newp, c); 1238 if (rc) 1239 goto bad; 1240 1241 /* Check the validity of the new context. */ 1242 if (!policydb_context_isvalid(args->newp, c)) { 1243 rc = convert_context_handle_invalid_context(&oldc); 1244 if (rc) 1245 goto bad; 1246 } 1247 1248 context_destroy(&oldc); 1249 out: 1250 return rc; 1251 bad: 1252 context_struct_to_string(&oldc, &s, &len); 1253 context_destroy(&oldc); 1254 printk(KERN_ERR "security: invalidating context %s\n", s); 1255 kfree(s); 1256 goto out; 1257 } 1258 1259 extern void selinux_complete_init(void); 1260 static int security_preserve_bools(struct policydb *p); 1261 1262 /** 1263 * security_load_policy - Load a security policy configuration. 1264 * @data: binary policy data 1265 * @len: length of data in bytes 1266 * 1267 * Load a new set of security policy configuration data, 1268 * validate it and convert the SID table as necessary. 1269 * This function will flush the access vector cache after 1270 * loading the new policy. 1271 */ 1272 int security_load_policy(void *data, size_t len) 1273 { 1274 struct policydb oldpolicydb, newpolicydb; 1275 struct sidtab oldsidtab, newsidtab; 1276 struct convert_context_args args; 1277 u32 seqno; 1278 int rc = 0; 1279 struct policy_file file = { data, len }, *fp = &file; 1280 1281 LOAD_LOCK; 1282 1283 if (!ss_initialized) { 1284 avtab_cache_init(); 1285 if (policydb_read(&policydb, fp)) { 1286 LOAD_UNLOCK; 1287 avtab_cache_destroy(); 1288 return -EINVAL; 1289 } 1290 if (policydb_load_isids(&policydb, &sidtab)) { 1291 LOAD_UNLOCK; 1292 policydb_destroy(&policydb); 1293 avtab_cache_destroy(); 1294 return -EINVAL; 1295 } 1296 /* Verify that the kernel defined classes are correct. */ 1297 if (validate_classes(&policydb)) { 1298 printk(KERN_ERR 1299 "security: the definition of a class is incorrect\n"); 1300 LOAD_UNLOCK; 1301 sidtab_destroy(&sidtab); 1302 policydb_destroy(&policydb); 1303 avtab_cache_destroy(); 1304 return -EINVAL; 1305 } 1306 policydb_loaded_version = policydb.policyvers; 1307 ss_initialized = 1; 1308 seqno = ++latest_granting; 1309 LOAD_UNLOCK; 1310 selinux_complete_init(); 1311 avc_ss_reset(seqno); 1312 selnl_notify_policyload(seqno); 1313 selinux_netlbl_cache_invalidate(); 1314 selinux_xfrm_notify_policyload(); 1315 return 0; 1316 } 1317 1318 #if 0 1319 sidtab_hash_eval(&sidtab, "sids"); 1320 #endif 1321 1322 if (policydb_read(&newpolicydb, fp)) { 1323 LOAD_UNLOCK; 1324 return -EINVAL; 1325 } 1326 1327 sidtab_init(&newsidtab); 1328 1329 /* Verify that the kernel defined classes are correct. */ 1330 if (validate_classes(&newpolicydb)) { 1331 printk(KERN_ERR 1332 "security: the definition of a class is incorrect\n"); 1333 rc = -EINVAL; 1334 goto err; 1335 } 1336 1337 rc = security_preserve_bools(&newpolicydb); 1338 if (rc) { 1339 printk(KERN_ERR "security: unable to preserve booleans\n"); 1340 goto err; 1341 } 1342 1343 /* Clone the SID table. */ 1344 sidtab_shutdown(&sidtab); 1345 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1346 rc = -ENOMEM; 1347 goto err; 1348 } 1349 1350 /* Convert the internal representations of contexts 1351 in the new SID table and remove invalid SIDs. */ 1352 args.oldp = &policydb; 1353 args.newp = &newpolicydb; 1354 sidtab_map_remove_on_error(&newsidtab, convert_context, &args); 1355 1356 /* Save the old policydb and SID table to free later. */ 1357 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1358 sidtab_set(&oldsidtab, &sidtab); 1359 1360 /* Install the new policydb and SID table. */ 1361 POLICY_WRLOCK; 1362 memcpy(&policydb, &newpolicydb, sizeof policydb); 1363 sidtab_set(&sidtab, &newsidtab); 1364 seqno = ++latest_granting; 1365 policydb_loaded_version = policydb.policyvers; 1366 POLICY_WRUNLOCK; 1367 LOAD_UNLOCK; 1368 1369 /* Free the old policydb and SID table. */ 1370 policydb_destroy(&oldpolicydb); 1371 sidtab_destroy(&oldsidtab); 1372 1373 avc_ss_reset(seqno); 1374 selnl_notify_policyload(seqno); 1375 selinux_netlbl_cache_invalidate(); 1376 selinux_xfrm_notify_policyload(); 1377 1378 return 0; 1379 1380 err: 1381 LOAD_UNLOCK; 1382 sidtab_destroy(&newsidtab); 1383 policydb_destroy(&newpolicydb); 1384 return rc; 1385 1386 } 1387 1388 /** 1389 * security_port_sid - Obtain the SID for a port. 1390 * @domain: communication domain aka address family 1391 * @type: socket type 1392 * @protocol: protocol number 1393 * @port: port number 1394 * @out_sid: security identifier 1395 */ 1396 int security_port_sid(u16 domain, 1397 u16 type, 1398 u8 protocol, 1399 u16 port, 1400 u32 *out_sid) 1401 { 1402 struct ocontext *c; 1403 int rc = 0; 1404 1405 POLICY_RDLOCK; 1406 1407 c = policydb.ocontexts[OCON_PORT]; 1408 while (c) { 1409 if (c->u.port.protocol == protocol && 1410 c->u.port.low_port <= port && 1411 c->u.port.high_port >= port) 1412 break; 1413 c = c->next; 1414 } 1415 1416 if (c) { 1417 if (!c->sid[0]) { 1418 rc = sidtab_context_to_sid(&sidtab, 1419 &c->context[0], 1420 &c->sid[0]); 1421 if (rc) 1422 goto out; 1423 } 1424 *out_sid = c->sid[0]; 1425 } else { 1426 *out_sid = SECINITSID_PORT; 1427 } 1428 1429 out: 1430 POLICY_RDUNLOCK; 1431 return rc; 1432 } 1433 1434 /** 1435 * security_netif_sid - Obtain the SID for a network interface. 1436 * @name: interface name 1437 * @if_sid: interface SID 1438 * @msg_sid: default SID for received packets 1439 */ 1440 int security_netif_sid(char *name, 1441 u32 *if_sid, 1442 u32 *msg_sid) 1443 { 1444 int rc = 0; 1445 struct ocontext *c; 1446 1447 POLICY_RDLOCK; 1448 1449 c = policydb.ocontexts[OCON_NETIF]; 1450 while (c) { 1451 if (strcmp(name, c->u.name) == 0) 1452 break; 1453 c = c->next; 1454 } 1455 1456 if (c) { 1457 if (!c->sid[0] || !c->sid[1]) { 1458 rc = sidtab_context_to_sid(&sidtab, 1459 &c->context[0], 1460 &c->sid[0]); 1461 if (rc) 1462 goto out; 1463 rc = sidtab_context_to_sid(&sidtab, 1464 &c->context[1], 1465 &c->sid[1]); 1466 if (rc) 1467 goto out; 1468 } 1469 *if_sid = c->sid[0]; 1470 *msg_sid = c->sid[1]; 1471 } else { 1472 *if_sid = SECINITSID_NETIF; 1473 *msg_sid = SECINITSID_NETMSG; 1474 } 1475 1476 out: 1477 POLICY_RDUNLOCK; 1478 return rc; 1479 } 1480 1481 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1482 { 1483 int i, fail = 0; 1484 1485 for(i = 0; i < 4; i++) 1486 if(addr[i] != (input[i] & mask[i])) { 1487 fail = 1; 1488 break; 1489 } 1490 1491 return !fail; 1492 } 1493 1494 /** 1495 * security_node_sid - Obtain the SID for a node (host). 1496 * @domain: communication domain aka address family 1497 * @addrp: address 1498 * @addrlen: address length in bytes 1499 * @out_sid: security identifier 1500 */ 1501 int security_node_sid(u16 domain, 1502 void *addrp, 1503 u32 addrlen, 1504 u32 *out_sid) 1505 { 1506 int rc = 0; 1507 struct ocontext *c; 1508 1509 POLICY_RDLOCK; 1510 1511 switch (domain) { 1512 case AF_INET: { 1513 u32 addr; 1514 1515 if (addrlen != sizeof(u32)) { 1516 rc = -EINVAL; 1517 goto out; 1518 } 1519 1520 addr = *((u32 *)addrp); 1521 1522 c = policydb.ocontexts[OCON_NODE]; 1523 while (c) { 1524 if (c->u.node.addr == (addr & c->u.node.mask)) 1525 break; 1526 c = c->next; 1527 } 1528 break; 1529 } 1530 1531 case AF_INET6: 1532 if (addrlen != sizeof(u64) * 2) { 1533 rc = -EINVAL; 1534 goto out; 1535 } 1536 c = policydb.ocontexts[OCON_NODE6]; 1537 while (c) { 1538 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1539 c->u.node6.mask)) 1540 break; 1541 c = c->next; 1542 } 1543 break; 1544 1545 default: 1546 *out_sid = SECINITSID_NODE; 1547 goto out; 1548 } 1549 1550 if (c) { 1551 if (!c->sid[0]) { 1552 rc = sidtab_context_to_sid(&sidtab, 1553 &c->context[0], 1554 &c->sid[0]); 1555 if (rc) 1556 goto out; 1557 } 1558 *out_sid = c->sid[0]; 1559 } else { 1560 *out_sid = SECINITSID_NODE; 1561 } 1562 1563 out: 1564 POLICY_RDUNLOCK; 1565 return rc; 1566 } 1567 1568 #define SIDS_NEL 25 1569 1570 /** 1571 * security_get_user_sids - Obtain reachable SIDs for a user. 1572 * @fromsid: starting SID 1573 * @username: username 1574 * @sids: array of reachable SIDs for user 1575 * @nel: number of elements in @sids 1576 * 1577 * Generate the set of SIDs for legal security contexts 1578 * for a given user that can be reached by @fromsid. 1579 * Set *@sids to point to a dynamically allocated 1580 * array containing the set of SIDs. Set *@nel to the 1581 * number of elements in the array. 1582 */ 1583 1584 int security_get_user_sids(u32 fromsid, 1585 char *username, 1586 u32 **sids, 1587 u32 *nel) 1588 { 1589 struct context *fromcon, usercon; 1590 u32 *mysids, *mysids2, sid; 1591 u32 mynel = 0, maxnel = SIDS_NEL; 1592 struct user_datum *user; 1593 struct role_datum *role; 1594 struct av_decision avd; 1595 struct ebitmap_node *rnode, *tnode; 1596 int rc = 0, i, j; 1597 1598 if (!ss_initialized) { 1599 *sids = NULL; 1600 *nel = 0; 1601 goto out; 1602 } 1603 1604 POLICY_RDLOCK; 1605 1606 fromcon = sidtab_search(&sidtab, fromsid); 1607 if (!fromcon) { 1608 rc = -EINVAL; 1609 goto out_unlock; 1610 } 1611 1612 user = hashtab_search(policydb.p_users.table, username); 1613 if (!user) { 1614 rc = -EINVAL; 1615 goto out_unlock; 1616 } 1617 usercon.user = user->value; 1618 1619 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 1620 if (!mysids) { 1621 rc = -ENOMEM; 1622 goto out_unlock; 1623 } 1624 1625 ebitmap_for_each_bit(&user->roles, rnode, i) { 1626 if (!ebitmap_node_get_bit(rnode, i)) 1627 continue; 1628 role = policydb.role_val_to_struct[i]; 1629 usercon.role = i+1; 1630 ebitmap_for_each_bit(&role->types, tnode, j) { 1631 if (!ebitmap_node_get_bit(tnode, j)) 1632 continue; 1633 usercon.type = j+1; 1634 1635 if (mls_setup_user_range(fromcon, user, &usercon)) 1636 continue; 1637 1638 rc = context_struct_compute_av(fromcon, &usercon, 1639 SECCLASS_PROCESS, 1640 PROCESS__TRANSITION, 1641 &avd); 1642 if (rc || !(avd.allowed & PROCESS__TRANSITION)) 1643 continue; 1644 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1645 if (rc) { 1646 kfree(mysids); 1647 goto out_unlock; 1648 } 1649 if (mynel < maxnel) { 1650 mysids[mynel++] = sid; 1651 } else { 1652 maxnel += SIDS_NEL; 1653 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 1654 if (!mysids2) { 1655 rc = -ENOMEM; 1656 kfree(mysids); 1657 goto out_unlock; 1658 } 1659 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1660 kfree(mysids); 1661 mysids = mysids2; 1662 mysids[mynel++] = sid; 1663 } 1664 } 1665 } 1666 1667 *sids = mysids; 1668 *nel = mynel; 1669 1670 out_unlock: 1671 POLICY_RDUNLOCK; 1672 out: 1673 return rc; 1674 } 1675 1676 /** 1677 * security_genfs_sid - Obtain a SID for a file in a filesystem 1678 * @fstype: filesystem type 1679 * @path: path from root of mount 1680 * @sclass: file security class 1681 * @sid: SID for path 1682 * 1683 * Obtain a SID to use for a file in a filesystem that 1684 * cannot support xattr or use a fixed labeling behavior like 1685 * transition SIDs or task SIDs. 1686 */ 1687 int security_genfs_sid(const char *fstype, 1688 char *path, 1689 u16 sclass, 1690 u32 *sid) 1691 { 1692 int len; 1693 struct genfs *genfs; 1694 struct ocontext *c; 1695 int rc = 0, cmp = 0; 1696 1697 POLICY_RDLOCK; 1698 1699 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1700 cmp = strcmp(fstype, genfs->fstype); 1701 if (cmp <= 0) 1702 break; 1703 } 1704 1705 if (!genfs || cmp) { 1706 *sid = SECINITSID_UNLABELED; 1707 rc = -ENOENT; 1708 goto out; 1709 } 1710 1711 for (c = genfs->head; c; c = c->next) { 1712 len = strlen(c->u.name); 1713 if ((!c->v.sclass || sclass == c->v.sclass) && 1714 (strncmp(c->u.name, path, len) == 0)) 1715 break; 1716 } 1717 1718 if (!c) { 1719 *sid = SECINITSID_UNLABELED; 1720 rc = -ENOENT; 1721 goto out; 1722 } 1723 1724 if (!c->sid[0]) { 1725 rc = sidtab_context_to_sid(&sidtab, 1726 &c->context[0], 1727 &c->sid[0]); 1728 if (rc) 1729 goto out; 1730 } 1731 1732 *sid = c->sid[0]; 1733 out: 1734 POLICY_RDUNLOCK; 1735 return rc; 1736 } 1737 1738 /** 1739 * security_fs_use - Determine how to handle labeling for a filesystem. 1740 * @fstype: filesystem type 1741 * @behavior: labeling behavior 1742 * @sid: SID for filesystem (superblock) 1743 */ 1744 int security_fs_use( 1745 const char *fstype, 1746 unsigned int *behavior, 1747 u32 *sid) 1748 { 1749 int rc = 0; 1750 struct ocontext *c; 1751 1752 POLICY_RDLOCK; 1753 1754 c = policydb.ocontexts[OCON_FSUSE]; 1755 while (c) { 1756 if (strcmp(fstype, c->u.name) == 0) 1757 break; 1758 c = c->next; 1759 } 1760 1761 if (c) { 1762 *behavior = c->v.behavior; 1763 if (!c->sid[0]) { 1764 rc = sidtab_context_to_sid(&sidtab, 1765 &c->context[0], 1766 &c->sid[0]); 1767 if (rc) 1768 goto out; 1769 } 1770 *sid = c->sid[0]; 1771 } else { 1772 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1773 if (rc) { 1774 *behavior = SECURITY_FS_USE_NONE; 1775 rc = 0; 1776 } else { 1777 *behavior = SECURITY_FS_USE_GENFS; 1778 } 1779 } 1780 1781 out: 1782 POLICY_RDUNLOCK; 1783 return rc; 1784 } 1785 1786 int security_get_bools(int *len, char ***names, int **values) 1787 { 1788 int i, rc = -ENOMEM; 1789 1790 POLICY_RDLOCK; 1791 *names = NULL; 1792 *values = NULL; 1793 1794 *len = policydb.p_bools.nprim; 1795 if (!*len) { 1796 rc = 0; 1797 goto out; 1798 } 1799 1800 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1801 if (!*names) 1802 goto err; 1803 1804 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 1805 if (!*values) 1806 goto err; 1807 1808 for (i = 0; i < *len; i++) { 1809 size_t name_len; 1810 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1811 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1812 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1813 if (!(*names)[i]) 1814 goto err; 1815 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1816 (*names)[i][name_len - 1] = 0; 1817 } 1818 rc = 0; 1819 out: 1820 POLICY_RDUNLOCK; 1821 return rc; 1822 err: 1823 if (*names) { 1824 for (i = 0; i < *len; i++) 1825 kfree((*names)[i]); 1826 } 1827 kfree(*values); 1828 goto out; 1829 } 1830 1831 1832 int security_set_bools(int len, int *values) 1833 { 1834 int i, rc = 0; 1835 int lenp, seqno = 0; 1836 struct cond_node *cur; 1837 1838 POLICY_WRLOCK; 1839 1840 lenp = policydb.p_bools.nprim; 1841 if (len != lenp) { 1842 rc = -EFAULT; 1843 goto out; 1844 } 1845 1846 for (i = 0; i < len; i++) { 1847 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 1848 audit_log(current->audit_context, GFP_ATOMIC, 1849 AUDIT_MAC_CONFIG_CHANGE, 1850 "bool=%s val=%d old_val=%d auid=%u", 1851 policydb.p_bool_val_to_name[i], 1852 !!values[i], 1853 policydb.bool_val_to_struct[i]->state, 1854 audit_get_loginuid(current->audit_context)); 1855 } 1856 if (values[i]) { 1857 policydb.bool_val_to_struct[i]->state = 1; 1858 } else { 1859 policydb.bool_val_to_struct[i]->state = 0; 1860 } 1861 } 1862 1863 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1864 rc = evaluate_cond_node(&policydb, cur); 1865 if (rc) 1866 goto out; 1867 } 1868 1869 seqno = ++latest_granting; 1870 1871 out: 1872 POLICY_WRUNLOCK; 1873 if (!rc) { 1874 avc_ss_reset(seqno); 1875 selnl_notify_policyload(seqno); 1876 selinux_xfrm_notify_policyload(); 1877 } 1878 return rc; 1879 } 1880 1881 int security_get_bool_value(int bool) 1882 { 1883 int rc = 0; 1884 int len; 1885 1886 POLICY_RDLOCK; 1887 1888 len = policydb.p_bools.nprim; 1889 if (bool >= len) { 1890 rc = -EFAULT; 1891 goto out; 1892 } 1893 1894 rc = policydb.bool_val_to_struct[bool]->state; 1895 out: 1896 POLICY_RDUNLOCK; 1897 return rc; 1898 } 1899 1900 static int security_preserve_bools(struct policydb *p) 1901 { 1902 int rc, nbools = 0, *bvalues = NULL, i; 1903 char **bnames = NULL; 1904 struct cond_bool_datum *booldatum; 1905 struct cond_node *cur; 1906 1907 rc = security_get_bools(&nbools, &bnames, &bvalues); 1908 if (rc) 1909 goto out; 1910 for (i = 0; i < nbools; i++) { 1911 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 1912 if (booldatum) 1913 booldatum->state = bvalues[i]; 1914 } 1915 for (cur = p->cond_list; cur != NULL; cur = cur->next) { 1916 rc = evaluate_cond_node(p, cur); 1917 if (rc) 1918 goto out; 1919 } 1920 1921 out: 1922 if (bnames) { 1923 for (i = 0; i < nbools; i++) 1924 kfree(bnames[i]); 1925 } 1926 kfree(bnames); 1927 kfree(bvalues); 1928 return rc; 1929 } 1930 1931 /* 1932 * security_sid_mls_copy() - computes a new sid based on the given 1933 * sid and the mls portion of mls_sid. 1934 */ 1935 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 1936 { 1937 struct context *context1; 1938 struct context *context2; 1939 struct context newcon; 1940 char *s; 1941 u32 len; 1942 int rc = 0; 1943 1944 if (!ss_initialized || !selinux_mls_enabled) { 1945 *new_sid = sid; 1946 goto out; 1947 } 1948 1949 context_init(&newcon); 1950 1951 POLICY_RDLOCK; 1952 context1 = sidtab_search(&sidtab, sid); 1953 if (!context1) { 1954 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1955 "%d\n", sid); 1956 rc = -EINVAL; 1957 goto out_unlock; 1958 } 1959 1960 context2 = sidtab_search(&sidtab, mls_sid); 1961 if (!context2) { 1962 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1963 "%d\n", mls_sid); 1964 rc = -EINVAL; 1965 goto out_unlock; 1966 } 1967 1968 newcon.user = context1->user; 1969 newcon.role = context1->role; 1970 newcon.type = context1->type; 1971 rc = mls_context_cpy(&newcon, context2); 1972 if (rc) 1973 goto out_unlock; 1974 1975 /* Check the validity of the new context. */ 1976 if (!policydb_context_isvalid(&policydb, &newcon)) { 1977 rc = convert_context_handle_invalid_context(&newcon); 1978 if (rc) 1979 goto bad; 1980 } 1981 1982 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 1983 goto out_unlock; 1984 1985 bad: 1986 if (!context_struct_to_string(&newcon, &s, &len)) { 1987 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1988 "security_sid_mls_copy: invalid context %s", s); 1989 kfree(s); 1990 } 1991 1992 out_unlock: 1993 POLICY_RDUNLOCK; 1994 context_destroy(&newcon); 1995 out: 1996 return rc; 1997 } 1998 1999 struct selinux_audit_rule { 2000 u32 au_seqno; 2001 struct context au_ctxt; 2002 }; 2003 2004 void selinux_audit_rule_free(struct selinux_audit_rule *rule) 2005 { 2006 if (rule) { 2007 context_destroy(&rule->au_ctxt); 2008 kfree(rule); 2009 } 2010 } 2011 2012 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, 2013 struct selinux_audit_rule **rule) 2014 { 2015 struct selinux_audit_rule *tmprule; 2016 struct role_datum *roledatum; 2017 struct type_datum *typedatum; 2018 struct user_datum *userdatum; 2019 int rc = 0; 2020 2021 *rule = NULL; 2022 2023 if (!ss_initialized) 2024 return -ENOTSUPP; 2025 2026 switch (field) { 2027 case AUDIT_SUBJ_USER: 2028 case AUDIT_SUBJ_ROLE: 2029 case AUDIT_SUBJ_TYPE: 2030 case AUDIT_OBJ_USER: 2031 case AUDIT_OBJ_ROLE: 2032 case AUDIT_OBJ_TYPE: 2033 /* only 'equals' and 'not equals' fit user, role, and type */ 2034 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 2035 return -EINVAL; 2036 break; 2037 case AUDIT_SUBJ_SEN: 2038 case AUDIT_SUBJ_CLR: 2039 case AUDIT_OBJ_LEV_LOW: 2040 case AUDIT_OBJ_LEV_HIGH: 2041 /* we do not allow a range, indicated by the presense of '-' */ 2042 if (strchr(rulestr, '-')) 2043 return -EINVAL; 2044 break; 2045 default: 2046 /* only the above fields are valid */ 2047 return -EINVAL; 2048 } 2049 2050 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2051 if (!tmprule) 2052 return -ENOMEM; 2053 2054 context_init(&tmprule->au_ctxt); 2055 2056 POLICY_RDLOCK; 2057 2058 tmprule->au_seqno = latest_granting; 2059 2060 switch (field) { 2061 case AUDIT_SUBJ_USER: 2062 case AUDIT_OBJ_USER: 2063 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2064 if (!userdatum) 2065 rc = -EINVAL; 2066 else 2067 tmprule->au_ctxt.user = userdatum->value; 2068 break; 2069 case AUDIT_SUBJ_ROLE: 2070 case AUDIT_OBJ_ROLE: 2071 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2072 if (!roledatum) 2073 rc = -EINVAL; 2074 else 2075 tmprule->au_ctxt.role = roledatum->value; 2076 break; 2077 case AUDIT_SUBJ_TYPE: 2078 case AUDIT_OBJ_TYPE: 2079 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2080 if (!typedatum) 2081 rc = -EINVAL; 2082 else 2083 tmprule->au_ctxt.type = typedatum->value; 2084 break; 2085 case AUDIT_SUBJ_SEN: 2086 case AUDIT_SUBJ_CLR: 2087 case AUDIT_OBJ_LEV_LOW: 2088 case AUDIT_OBJ_LEV_HIGH: 2089 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2090 break; 2091 } 2092 2093 POLICY_RDUNLOCK; 2094 2095 if (rc) { 2096 selinux_audit_rule_free(tmprule); 2097 tmprule = NULL; 2098 } 2099 2100 *rule = tmprule; 2101 2102 return rc; 2103 } 2104 2105 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, 2106 struct selinux_audit_rule *rule, 2107 struct audit_context *actx) 2108 { 2109 struct context *ctxt; 2110 struct mls_level *level; 2111 int match = 0; 2112 2113 if (!rule) { 2114 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2115 "selinux_audit_rule_match: missing rule\n"); 2116 return -ENOENT; 2117 } 2118 2119 POLICY_RDLOCK; 2120 2121 if (rule->au_seqno < latest_granting) { 2122 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2123 "selinux_audit_rule_match: stale rule\n"); 2124 match = -ESTALE; 2125 goto out; 2126 } 2127 2128 ctxt = sidtab_search(&sidtab, sid); 2129 if (!ctxt) { 2130 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2131 "selinux_audit_rule_match: unrecognized SID %d\n", 2132 sid); 2133 match = -ENOENT; 2134 goto out; 2135 } 2136 2137 /* a field/op pair that is not caught here will simply fall through 2138 without a match */ 2139 switch (field) { 2140 case AUDIT_SUBJ_USER: 2141 case AUDIT_OBJ_USER: 2142 switch (op) { 2143 case AUDIT_EQUAL: 2144 match = (ctxt->user == rule->au_ctxt.user); 2145 break; 2146 case AUDIT_NOT_EQUAL: 2147 match = (ctxt->user != rule->au_ctxt.user); 2148 break; 2149 } 2150 break; 2151 case AUDIT_SUBJ_ROLE: 2152 case AUDIT_OBJ_ROLE: 2153 switch (op) { 2154 case AUDIT_EQUAL: 2155 match = (ctxt->role == rule->au_ctxt.role); 2156 break; 2157 case AUDIT_NOT_EQUAL: 2158 match = (ctxt->role != rule->au_ctxt.role); 2159 break; 2160 } 2161 break; 2162 case AUDIT_SUBJ_TYPE: 2163 case AUDIT_OBJ_TYPE: 2164 switch (op) { 2165 case AUDIT_EQUAL: 2166 match = (ctxt->type == rule->au_ctxt.type); 2167 break; 2168 case AUDIT_NOT_EQUAL: 2169 match = (ctxt->type != rule->au_ctxt.type); 2170 break; 2171 } 2172 break; 2173 case AUDIT_SUBJ_SEN: 2174 case AUDIT_SUBJ_CLR: 2175 case AUDIT_OBJ_LEV_LOW: 2176 case AUDIT_OBJ_LEV_HIGH: 2177 level = ((field == AUDIT_SUBJ_SEN || 2178 field == AUDIT_OBJ_LEV_LOW) ? 2179 &ctxt->range.level[0] : &ctxt->range.level[1]); 2180 switch (op) { 2181 case AUDIT_EQUAL: 2182 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2183 level); 2184 break; 2185 case AUDIT_NOT_EQUAL: 2186 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2187 level); 2188 break; 2189 case AUDIT_LESS_THAN: 2190 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2191 level) && 2192 !mls_level_eq(&rule->au_ctxt.range.level[0], 2193 level)); 2194 break; 2195 case AUDIT_LESS_THAN_OR_EQUAL: 2196 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2197 level); 2198 break; 2199 case AUDIT_GREATER_THAN: 2200 match = (mls_level_dom(level, 2201 &rule->au_ctxt.range.level[0]) && 2202 !mls_level_eq(level, 2203 &rule->au_ctxt.range.level[0])); 2204 break; 2205 case AUDIT_GREATER_THAN_OR_EQUAL: 2206 match = mls_level_dom(level, 2207 &rule->au_ctxt.range.level[0]); 2208 break; 2209 } 2210 } 2211 2212 out: 2213 POLICY_RDUNLOCK; 2214 return match; 2215 } 2216 2217 static int (*aurule_callback)(void) = NULL; 2218 2219 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2220 u16 class, u32 perms, u32 *retained) 2221 { 2222 int err = 0; 2223 2224 if (event == AVC_CALLBACK_RESET && aurule_callback) 2225 err = aurule_callback(); 2226 return err; 2227 } 2228 2229 static int __init aurule_init(void) 2230 { 2231 int err; 2232 2233 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2234 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2235 if (err) 2236 panic("avc_add_callback() failed, error %d\n", err); 2237 2238 return err; 2239 } 2240 __initcall(aurule_init); 2241 2242 void selinux_audit_set_callback(int (*callback)(void)) 2243 { 2244 aurule_callback = callback; 2245 } 2246 2247 #ifdef CONFIG_NETLABEL 2248 /* 2249 * NetLabel cache structure 2250 */ 2251 #define NETLBL_CACHE(x) ((struct selinux_netlbl_cache *)(x)) 2252 #define NETLBL_CACHE_T_NONE 0 2253 #define NETLBL_CACHE_T_SID 1 2254 #define NETLBL_CACHE_T_MLS 2 2255 struct selinux_netlbl_cache { 2256 u32 type; 2257 union { 2258 u32 sid; 2259 struct mls_range mls_label; 2260 } data; 2261 }; 2262 2263 /** 2264 * security_netlbl_cache_free - Free the NetLabel cached data 2265 * @data: the data to free 2266 * 2267 * Description: 2268 * This function is intended to be used as the free() callback inside the 2269 * netlbl_lsm_cache structure. 2270 * 2271 */ 2272 static void security_netlbl_cache_free(const void *data) 2273 { 2274 struct selinux_netlbl_cache *cache; 2275 2276 if (data == NULL) 2277 return; 2278 2279 cache = NETLBL_CACHE(data); 2280 switch (cache->type) { 2281 case NETLBL_CACHE_T_MLS: 2282 ebitmap_destroy(&cache->data.mls_label.level[0].cat); 2283 break; 2284 } 2285 kfree(data); 2286 } 2287 2288 /** 2289 * security_netlbl_cache_add - Add an entry to the NetLabel cache 2290 * @secattr: the NetLabel packet security attributes 2291 * @ctx: the SELinux context 2292 * 2293 * Description: 2294 * Attempt to cache the context in @ctx, which was derived from the packet in 2295 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2296 * already been initialized. 2297 * 2298 */ 2299 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2300 struct context *ctx) 2301 { 2302 struct selinux_netlbl_cache *cache = NULL; 2303 2304 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2305 if (secattr->cache == NULL) 2306 return; 2307 2308 cache = kzalloc(sizeof(*cache), GFP_ATOMIC); 2309 if (cache == NULL) 2310 return; 2311 2312 cache->type = NETLBL_CACHE_T_MLS; 2313 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, 2314 &ctx->range.level[0].cat) != 0) 2315 return; 2316 cache->data.mls_label.level[1].cat.highbit = 2317 cache->data.mls_label.level[0].cat.highbit; 2318 cache->data.mls_label.level[1].cat.node = 2319 cache->data.mls_label.level[0].cat.node; 2320 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; 2321 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; 2322 2323 secattr->cache->free = security_netlbl_cache_free; 2324 secattr->cache->data = (void *)cache; 2325 secattr->flags |= NETLBL_SECATTR_CACHE; 2326 } 2327 2328 /** 2329 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2330 * @secattr: the NetLabel packet security attributes 2331 * @base_sid: the SELinux SID to use as a context for MLS only attributes 2332 * @sid: the SELinux SID 2333 * 2334 * Description: 2335 * Convert the given NetLabel security attributes in @secattr into a 2336 * SELinux SID. If the @secattr field does not contain a full SELinux 2337 * SID/context then use the context in @base_sid as the foundation. If 2338 * possibile the 'cache' field of @secattr is set and the CACHE flag is set; 2339 * this is to allow the @secattr to be used by NetLabel to cache the secattr to 2340 * SID conversion for future lookups. Returns zero on success, negative 2341 * values on failure. 2342 * 2343 */ 2344 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2345 u32 base_sid, 2346 u32 *sid) 2347 { 2348 int rc = -EIDRM; 2349 struct context *ctx; 2350 struct context ctx_new; 2351 struct selinux_netlbl_cache *cache; 2352 2353 if (!ss_initialized) { 2354 *sid = SECSID_NULL; 2355 return 0; 2356 } 2357 2358 POLICY_RDLOCK; 2359 2360 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2361 cache = NETLBL_CACHE(secattr->cache->data); 2362 switch (cache->type) { 2363 case NETLBL_CACHE_T_SID: 2364 *sid = cache->data.sid; 2365 rc = 0; 2366 break; 2367 case NETLBL_CACHE_T_MLS: 2368 ctx = sidtab_search(&sidtab, base_sid); 2369 if (ctx == NULL) 2370 goto netlbl_secattr_to_sid_return; 2371 2372 ctx_new.user = ctx->user; 2373 ctx_new.role = ctx->role; 2374 ctx_new.type = ctx->type; 2375 ctx_new.range.level[0].sens = 2376 cache->data.mls_label.level[0].sens; 2377 ctx_new.range.level[0].cat.highbit = 2378 cache->data.mls_label.level[0].cat.highbit; 2379 ctx_new.range.level[0].cat.node = 2380 cache->data.mls_label.level[0].cat.node; 2381 ctx_new.range.level[1].sens = 2382 cache->data.mls_label.level[1].sens; 2383 ctx_new.range.level[1].cat.highbit = 2384 cache->data.mls_label.level[1].cat.highbit; 2385 ctx_new.range.level[1].cat.node = 2386 cache->data.mls_label.level[1].cat.node; 2387 2388 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2389 break; 2390 default: 2391 goto netlbl_secattr_to_sid_return; 2392 } 2393 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 2394 ctx = sidtab_search(&sidtab, base_sid); 2395 if (ctx == NULL) 2396 goto netlbl_secattr_to_sid_return; 2397 2398 ctx_new.user = ctx->user; 2399 ctx_new.role = ctx->role; 2400 ctx_new.type = ctx->type; 2401 mls_import_netlbl_lvl(&ctx_new, secattr); 2402 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2403 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 2404 secattr->mls_cat) != 0) 2405 goto netlbl_secattr_to_sid_return; 2406 ctx_new.range.level[1].cat.highbit = 2407 ctx_new.range.level[0].cat.highbit; 2408 ctx_new.range.level[1].cat.node = 2409 ctx_new.range.level[0].cat.node; 2410 } else { 2411 ebitmap_init(&ctx_new.range.level[0].cat); 2412 ebitmap_init(&ctx_new.range.level[1].cat); 2413 } 2414 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 2415 goto netlbl_secattr_to_sid_return_cleanup; 2416 2417 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2418 if (rc != 0) 2419 goto netlbl_secattr_to_sid_return_cleanup; 2420 2421 security_netlbl_cache_add(secattr, &ctx_new); 2422 2423 ebitmap_destroy(&ctx_new.range.level[0].cat); 2424 } else { 2425 *sid = SECSID_NULL; 2426 rc = 0; 2427 } 2428 2429 netlbl_secattr_to_sid_return: 2430 POLICY_RDUNLOCK; 2431 return rc; 2432 netlbl_secattr_to_sid_return_cleanup: 2433 ebitmap_destroy(&ctx_new.range.level[0].cat); 2434 goto netlbl_secattr_to_sid_return; 2435 } 2436 2437 /** 2438 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 2439 * @sid: the SELinux SID 2440 * @secattr: the NetLabel packet security attributes 2441 * 2442 * Description: 2443 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 2444 * Returns zero on success, negative values on failure. 2445 * 2446 */ 2447 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 2448 { 2449 int rc = -ENOENT; 2450 struct context *ctx; 2451 2452 netlbl_secattr_init(secattr); 2453 2454 if (!ss_initialized) 2455 return 0; 2456 2457 POLICY_RDLOCK; 2458 ctx = sidtab_search(&sidtab, sid); 2459 if (ctx == NULL) 2460 goto netlbl_sid_to_secattr_failure; 2461 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2462 GFP_ATOMIC); 2463 secattr->flags |= NETLBL_SECATTR_DOMAIN; 2464 mls_export_netlbl_lvl(ctx, secattr); 2465 rc = mls_export_netlbl_cat(ctx, secattr); 2466 if (rc != 0) 2467 goto netlbl_sid_to_secattr_failure; 2468 POLICY_RDUNLOCK; 2469 2470 return 0; 2471 2472 netlbl_sid_to_secattr_failure: 2473 POLICY_RDUNLOCK; 2474 netlbl_secattr_destroy(secattr); 2475 return rc; 2476 } 2477 #endif /* CONFIG_NETLABEL */ 2478