1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * Added support for the policy capability bitmap 20 * 21 * Updated: Chad Sellers <csellers@tresys.com> 22 * 23 * Added validation of kernel classes and permissions 24 * 25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 26 * 27 * Added support for bounds domain and audit messaged on masked permissions 28 * 29 * Updated: Guido Trentalancia <guido@trentalancia.com> 30 * 31 * Added support for runtime switching of the policy type 32 * 33 * Copyright (C) 2008, 2009 NEC Corporation 34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 36 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 37 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 38 * This program is free software; you can redistribute it and/or modify 39 * it under the terms of the GNU General Public License as published by 40 * the Free Software Foundation, version 2. 41 */ 42 #include <linux/kernel.h> 43 #include <linux/slab.h> 44 #include <linux/string.h> 45 #include <linux/spinlock.h> 46 #include <linux/rcupdate.h> 47 #include <linux/errno.h> 48 #include <linux/in.h> 49 #include <linux/sched.h> 50 #include <linux/audit.h> 51 #include <linux/mutex.h> 52 #include <linux/selinux.h> 53 #include <linux/flex_array.h> 54 #include <linux/vmalloc.h> 55 #include <net/netlabel.h> 56 57 #include "flask.h" 58 #include "avc.h" 59 #include "avc_ss.h" 60 #include "security.h" 61 #include "context.h" 62 #include "policydb.h" 63 #include "sidtab.h" 64 #include "services.h" 65 #include "conditional.h" 66 #include "mls.h" 67 #include "objsec.h" 68 #include "netlabel.h" 69 #include "xfrm.h" 70 #include "ebitmap.h" 71 #include "audit.h" 72 73 extern void selnl_notify_policyload(u32 seqno); 74 75 int selinux_policycap_netpeer; 76 int selinux_policycap_openperm; 77 78 static DEFINE_RWLOCK(policy_rwlock); 79 80 static struct sidtab sidtab; 81 struct policydb policydb; 82 int ss_initialized; 83 84 /* 85 * The largest sequence number that has been used when 86 * providing an access decision to the access vector cache. 87 * The sequence number only changes when a policy change 88 * occurs. 89 */ 90 static u32 latest_granting; 91 92 /* Forward declaration. */ 93 static int context_struct_to_string(struct context *context, char **scontext, 94 u32 *scontext_len); 95 96 static void context_struct_compute_av(struct context *scontext, 97 struct context *tcontext, 98 u16 tclass, 99 struct av_decision *avd); 100 101 struct selinux_mapping { 102 u16 value; /* policy value */ 103 unsigned num_perms; 104 u32 perms[sizeof(u32) * 8]; 105 }; 106 107 static struct selinux_mapping *current_mapping; 108 static u16 current_mapping_size; 109 110 static int selinux_set_mapping(struct policydb *pol, 111 struct security_class_mapping *map, 112 struct selinux_mapping **out_map_p, 113 u16 *out_map_size) 114 { 115 struct selinux_mapping *out_map = NULL; 116 size_t size = sizeof(struct selinux_mapping); 117 u16 i, j; 118 unsigned k; 119 bool print_unknown_handle = false; 120 121 /* Find number of classes in the input mapping */ 122 if (!map) 123 return -EINVAL; 124 i = 0; 125 while (map[i].name) 126 i++; 127 128 /* Allocate space for the class records, plus one for class zero */ 129 out_map = kcalloc(++i, size, GFP_ATOMIC); 130 if (!out_map) 131 return -ENOMEM; 132 133 /* Store the raw class and permission values */ 134 j = 0; 135 while (map[j].name) { 136 struct security_class_mapping *p_in = map + (j++); 137 struct selinux_mapping *p_out = out_map + j; 138 139 /* An empty class string skips ahead */ 140 if (!strcmp(p_in->name, "")) { 141 p_out->num_perms = 0; 142 continue; 143 } 144 145 p_out->value = string_to_security_class(pol, p_in->name); 146 if (!p_out->value) { 147 printk(KERN_INFO 148 "SELinux: Class %s not defined in policy.\n", 149 p_in->name); 150 if (pol->reject_unknown) 151 goto err; 152 p_out->num_perms = 0; 153 print_unknown_handle = true; 154 continue; 155 } 156 157 k = 0; 158 while (p_in->perms && p_in->perms[k]) { 159 /* An empty permission string skips ahead */ 160 if (!*p_in->perms[k]) { 161 k++; 162 continue; 163 } 164 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 165 p_in->perms[k]); 166 if (!p_out->perms[k]) { 167 printk(KERN_INFO 168 "SELinux: Permission %s in class %s not defined in policy.\n", 169 p_in->perms[k], p_in->name); 170 if (pol->reject_unknown) 171 goto err; 172 print_unknown_handle = true; 173 } 174 175 k++; 176 } 177 p_out->num_perms = k; 178 } 179 180 if (print_unknown_handle) 181 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 182 pol->allow_unknown ? "allowed" : "denied"); 183 184 *out_map_p = out_map; 185 *out_map_size = i; 186 return 0; 187 err: 188 kfree(out_map); 189 return -EINVAL; 190 } 191 192 /* 193 * Get real, policy values from mapped values 194 */ 195 196 static u16 unmap_class(u16 tclass) 197 { 198 if (tclass < current_mapping_size) 199 return current_mapping[tclass].value; 200 201 return tclass; 202 } 203 204 /* 205 * Get kernel value for class from its policy value 206 */ 207 static u16 map_class(u16 pol_value) 208 { 209 u16 i; 210 211 for (i = 1; i < current_mapping_size; i++) { 212 if (current_mapping[i].value == pol_value) 213 return i; 214 } 215 216 return SECCLASS_NULL; 217 } 218 219 static void map_decision(u16 tclass, struct av_decision *avd, 220 int allow_unknown) 221 { 222 if (tclass < current_mapping_size) { 223 unsigned i, n = current_mapping[tclass].num_perms; 224 u32 result; 225 226 for (i = 0, result = 0; i < n; i++) { 227 if (avd->allowed & current_mapping[tclass].perms[i]) 228 result |= 1<<i; 229 if (allow_unknown && !current_mapping[tclass].perms[i]) 230 result |= 1<<i; 231 } 232 avd->allowed = result; 233 234 for (i = 0, result = 0; i < n; i++) 235 if (avd->auditallow & current_mapping[tclass].perms[i]) 236 result |= 1<<i; 237 avd->auditallow = result; 238 239 for (i = 0, result = 0; i < n; i++) { 240 if (avd->auditdeny & current_mapping[tclass].perms[i]) 241 result |= 1<<i; 242 if (!allow_unknown && !current_mapping[tclass].perms[i]) 243 result |= 1<<i; 244 } 245 /* 246 * In case the kernel has a bug and requests a permission 247 * between num_perms and the maximum permission number, we 248 * should audit that denial 249 */ 250 for (; i < (sizeof(u32)*8); i++) 251 result |= 1<<i; 252 avd->auditdeny = result; 253 } 254 } 255 256 int security_mls_enabled(void) 257 { 258 return policydb.mls_enabled; 259 } 260 261 /* 262 * Return the boolean value of a constraint expression 263 * when it is applied to the specified source and target 264 * security contexts. 265 * 266 * xcontext is a special beast... It is used by the validatetrans rules 267 * only. For these rules, scontext is the context before the transition, 268 * tcontext is the context after the transition, and xcontext is the context 269 * of the process performing the transition. All other callers of 270 * constraint_expr_eval should pass in NULL for xcontext. 271 */ 272 static int constraint_expr_eval(struct context *scontext, 273 struct context *tcontext, 274 struct context *xcontext, 275 struct constraint_expr *cexpr) 276 { 277 u32 val1, val2; 278 struct context *c; 279 struct role_datum *r1, *r2; 280 struct mls_level *l1, *l2; 281 struct constraint_expr *e; 282 int s[CEXPR_MAXDEPTH]; 283 int sp = -1; 284 285 for (e = cexpr; e; e = e->next) { 286 switch (e->expr_type) { 287 case CEXPR_NOT: 288 BUG_ON(sp < 0); 289 s[sp] = !s[sp]; 290 break; 291 case CEXPR_AND: 292 BUG_ON(sp < 1); 293 sp--; 294 s[sp] &= s[sp + 1]; 295 break; 296 case CEXPR_OR: 297 BUG_ON(sp < 1); 298 sp--; 299 s[sp] |= s[sp + 1]; 300 break; 301 case CEXPR_ATTR: 302 if (sp == (CEXPR_MAXDEPTH - 1)) 303 return 0; 304 switch (e->attr) { 305 case CEXPR_USER: 306 val1 = scontext->user; 307 val2 = tcontext->user; 308 break; 309 case CEXPR_TYPE: 310 val1 = scontext->type; 311 val2 = tcontext->type; 312 break; 313 case CEXPR_ROLE: 314 val1 = scontext->role; 315 val2 = tcontext->role; 316 r1 = policydb.role_val_to_struct[val1 - 1]; 317 r2 = policydb.role_val_to_struct[val2 - 1]; 318 switch (e->op) { 319 case CEXPR_DOM: 320 s[++sp] = ebitmap_get_bit(&r1->dominates, 321 val2 - 1); 322 continue; 323 case CEXPR_DOMBY: 324 s[++sp] = ebitmap_get_bit(&r2->dominates, 325 val1 - 1); 326 continue; 327 case CEXPR_INCOMP: 328 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 329 val2 - 1) && 330 !ebitmap_get_bit(&r2->dominates, 331 val1 - 1)); 332 continue; 333 default: 334 break; 335 } 336 break; 337 case CEXPR_L1L2: 338 l1 = &(scontext->range.level[0]); 339 l2 = &(tcontext->range.level[0]); 340 goto mls_ops; 341 case CEXPR_L1H2: 342 l1 = &(scontext->range.level[0]); 343 l2 = &(tcontext->range.level[1]); 344 goto mls_ops; 345 case CEXPR_H1L2: 346 l1 = &(scontext->range.level[1]); 347 l2 = &(tcontext->range.level[0]); 348 goto mls_ops; 349 case CEXPR_H1H2: 350 l1 = &(scontext->range.level[1]); 351 l2 = &(tcontext->range.level[1]); 352 goto mls_ops; 353 case CEXPR_L1H1: 354 l1 = &(scontext->range.level[0]); 355 l2 = &(scontext->range.level[1]); 356 goto mls_ops; 357 case CEXPR_L2H2: 358 l1 = &(tcontext->range.level[0]); 359 l2 = &(tcontext->range.level[1]); 360 goto mls_ops; 361 mls_ops: 362 switch (e->op) { 363 case CEXPR_EQ: 364 s[++sp] = mls_level_eq(l1, l2); 365 continue; 366 case CEXPR_NEQ: 367 s[++sp] = !mls_level_eq(l1, l2); 368 continue; 369 case CEXPR_DOM: 370 s[++sp] = mls_level_dom(l1, l2); 371 continue; 372 case CEXPR_DOMBY: 373 s[++sp] = mls_level_dom(l2, l1); 374 continue; 375 case CEXPR_INCOMP: 376 s[++sp] = mls_level_incomp(l2, l1); 377 continue; 378 default: 379 BUG(); 380 return 0; 381 } 382 break; 383 default: 384 BUG(); 385 return 0; 386 } 387 388 switch (e->op) { 389 case CEXPR_EQ: 390 s[++sp] = (val1 == val2); 391 break; 392 case CEXPR_NEQ: 393 s[++sp] = (val1 != val2); 394 break; 395 default: 396 BUG(); 397 return 0; 398 } 399 break; 400 case CEXPR_NAMES: 401 if (sp == (CEXPR_MAXDEPTH-1)) 402 return 0; 403 c = scontext; 404 if (e->attr & CEXPR_TARGET) 405 c = tcontext; 406 else if (e->attr & CEXPR_XTARGET) { 407 c = xcontext; 408 if (!c) { 409 BUG(); 410 return 0; 411 } 412 } 413 if (e->attr & CEXPR_USER) 414 val1 = c->user; 415 else if (e->attr & CEXPR_ROLE) 416 val1 = c->role; 417 else if (e->attr & CEXPR_TYPE) 418 val1 = c->type; 419 else { 420 BUG(); 421 return 0; 422 } 423 424 switch (e->op) { 425 case CEXPR_EQ: 426 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 427 break; 428 case CEXPR_NEQ: 429 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 430 break; 431 default: 432 BUG(); 433 return 0; 434 } 435 break; 436 default: 437 BUG(); 438 return 0; 439 } 440 } 441 442 BUG_ON(sp != 0); 443 return s[0]; 444 } 445 446 /* 447 * security_dump_masked_av - dumps masked permissions during 448 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 449 */ 450 static int dump_masked_av_helper(void *k, void *d, void *args) 451 { 452 struct perm_datum *pdatum = d; 453 char **permission_names = args; 454 455 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 456 457 permission_names[pdatum->value - 1] = (char *)k; 458 459 return 0; 460 } 461 462 static void security_dump_masked_av(struct context *scontext, 463 struct context *tcontext, 464 u16 tclass, 465 u32 permissions, 466 const char *reason) 467 { 468 struct common_datum *common_dat; 469 struct class_datum *tclass_dat; 470 struct audit_buffer *ab; 471 char *tclass_name; 472 char *scontext_name = NULL; 473 char *tcontext_name = NULL; 474 char *permission_names[32]; 475 int index; 476 u32 length; 477 bool need_comma = false; 478 479 if (!permissions) 480 return; 481 482 tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1); 483 tclass_dat = policydb.class_val_to_struct[tclass - 1]; 484 common_dat = tclass_dat->comdatum; 485 486 /* init permission_names */ 487 if (common_dat && 488 hashtab_map(common_dat->permissions.table, 489 dump_masked_av_helper, permission_names) < 0) 490 goto out; 491 492 if (hashtab_map(tclass_dat->permissions.table, 493 dump_masked_av_helper, permission_names) < 0) 494 goto out; 495 496 /* get scontext/tcontext in text form */ 497 if (context_struct_to_string(scontext, 498 &scontext_name, &length) < 0) 499 goto out; 500 501 if (context_struct_to_string(tcontext, 502 &tcontext_name, &length) < 0) 503 goto out; 504 505 /* audit a message */ 506 ab = audit_log_start(current->audit_context, 507 GFP_ATOMIC, AUDIT_SELINUX_ERR); 508 if (!ab) 509 goto out; 510 511 audit_log_format(ab, "op=security_compute_av reason=%s " 512 "scontext=%s tcontext=%s tclass=%s perms=", 513 reason, scontext_name, tcontext_name, tclass_name); 514 515 for (index = 0; index < 32; index++) { 516 u32 mask = (1 << index); 517 518 if ((mask & permissions) == 0) 519 continue; 520 521 audit_log_format(ab, "%s%s", 522 need_comma ? "," : "", 523 permission_names[index] 524 ? permission_names[index] : "????"); 525 need_comma = true; 526 } 527 audit_log_end(ab); 528 out: 529 /* release scontext/tcontext */ 530 kfree(tcontext_name); 531 kfree(scontext_name); 532 533 return; 534 } 535 536 /* 537 * security_boundary_permission - drops violated permissions 538 * on boundary constraint. 539 */ 540 static void type_attribute_bounds_av(struct context *scontext, 541 struct context *tcontext, 542 u16 tclass, 543 struct av_decision *avd) 544 { 545 struct context lo_scontext; 546 struct context lo_tcontext; 547 struct av_decision lo_avd; 548 struct type_datum *source; 549 struct type_datum *target; 550 u32 masked = 0; 551 552 source = flex_array_get_ptr(policydb.type_val_to_struct_array, 553 scontext->type - 1); 554 BUG_ON(!source); 555 556 target = flex_array_get_ptr(policydb.type_val_to_struct_array, 557 tcontext->type - 1); 558 BUG_ON(!target); 559 560 if (source->bounds) { 561 memset(&lo_avd, 0, sizeof(lo_avd)); 562 563 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 564 lo_scontext.type = source->bounds; 565 566 context_struct_compute_av(&lo_scontext, 567 tcontext, 568 tclass, 569 &lo_avd); 570 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 571 return; /* no masked permission */ 572 masked = ~lo_avd.allowed & avd->allowed; 573 } 574 575 if (target->bounds) { 576 memset(&lo_avd, 0, sizeof(lo_avd)); 577 578 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 579 lo_tcontext.type = target->bounds; 580 581 context_struct_compute_av(scontext, 582 &lo_tcontext, 583 tclass, 584 &lo_avd); 585 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 586 return; /* no masked permission */ 587 masked = ~lo_avd.allowed & avd->allowed; 588 } 589 590 if (source->bounds && target->bounds) { 591 memset(&lo_avd, 0, sizeof(lo_avd)); 592 /* 593 * lo_scontext and lo_tcontext are already 594 * set up. 595 */ 596 597 context_struct_compute_av(&lo_scontext, 598 &lo_tcontext, 599 tclass, 600 &lo_avd); 601 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 602 return; /* no masked permission */ 603 masked = ~lo_avd.allowed & avd->allowed; 604 } 605 606 if (masked) { 607 /* mask violated permissions */ 608 avd->allowed &= ~masked; 609 610 /* audit masked permissions */ 611 security_dump_masked_av(scontext, tcontext, 612 tclass, masked, "bounds"); 613 } 614 } 615 616 /* 617 * Compute access vectors based on a context structure pair for 618 * the permissions in a particular class. 619 */ 620 static void context_struct_compute_av(struct context *scontext, 621 struct context *tcontext, 622 u16 tclass, 623 struct av_decision *avd) 624 { 625 struct constraint_node *constraint; 626 struct role_allow *ra; 627 struct avtab_key avkey; 628 struct avtab_node *node; 629 struct class_datum *tclass_datum; 630 struct ebitmap *sattr, *tattr; 631 struct ebitmap_node *snode, *tnode; 632 unsigned int i, j; 633 634 avd->allowed = 0; 635 avd->auditallow = 0; 636 avd->auditdeny = 0xffffffff; 637 638 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { 639 if (printk_ratelimit()) 640 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); 641 return; 642 } 643 644 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 645 646 /* 647 * If a specific type enforcement rule was defined for 648 * this permission check, then use it. 649 */ 650 avkey.target_class = tclass; 651 avkey.specified = AVTAB_AV; 652 sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1); 653 BUG_ON(!sattr); 654 tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1); 655 BUG_ON(!tattr); 656 ebitmap_for_each_positive_bit(sattr, snode, i) { 657 ebitmap_for_each_positive_bit(tattr, tnode, j) { 658 avkey.source_type = i + 1; 659 avkey.target_type = j + 1; 660 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 661 node; 662 node = avtab_search_node_next(node, avkey.specified)) { 663 if (node->key.specified == AVTAB_ALLOWED) 664 avd->allowed |= node->datum.data; 665 else if (node->key.specified == AVTAB_AUDITALLOW) 666 avd->auditallow |= node->datum.data; 667 else if (node->key.specified == AVTAB_AUDITDENY) 668 avd->auditdeny &= node->datum.data; 669 } 670 671 /* Check conditional av table for additional permissions */ 672 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 673 674 } 675 } 676 677 /* 678 * Remove any permissions prohibited by a constraint (this includes 679 * the MLS policy). 680 */ 681 constraint = tclass_datum->constraints; 682 while (constraint) { 683 if ((constraint->permissions & (avd->allowed)) && 684 !constraint_expr_eval(scontext, tcontext, NULL, 685 constraint->expr)) { 686 avd->allowed &= ~(constraint->permissions); 687 } 688 constraint = constraint->next; 689 } 690 691 /* 692 * If checking process transition permission and the 693 * role is changing, then check the (current_role, new_role) 694 * pair. 695 */ 696 if (tclass == policydb.process_class && 697 (avd->allowed & policydb.process_trans_perms) && 698 scontext->role != tcontext->role) { 699 for (ra = policydb.role_allow; ra; ra = ra->next) { 700 if (scontext->role == ra->role && 701 tcontext->role == ra->new_role) 702 break; 703 } 704 if (!ra) 705 avd->allowed &= ~policydb.process_trans_perms; 706 } 707 708 /* 709 * If the given source and target types have boundary 710 * constraint, lazy checks have to mask any violated 711 * permission and notice it to userspace via audit. 712 */ 713 type_attribute_bounds_av(scontext, tcontext, 714 tclass, avd); 715 } 716 717 static int security_validtrans_handle_fail(struct context *ocontext, 718 struct context *ncontext, 719 struct context *tcontext, 720 u16 tclass) 721 { 722 char *o = NULL, *n = NULL, *t = NULL; 723 u32 olen, nlen, tlen; 724 725 if (context_struct_to_string(ocontext, &o, &olen)) 726 goto out; 727 if (context_struct_to_string(ncontext, &n, &nlen)) 728 goto out; 729 if (context_struct_to_string(tcontext, &t, &tlen)) 730 goto out; 731 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 732 "security_validate_transition: denied for" 733 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 734 o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 735 out: 736 kfree(o); 737 kfree(n); 738 kfree(t); 739 740 if (!selinux_enforcing) 741 return 0; 742 return -EPERM; 743 } 744 745 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 746 u16 orig_tclass) 747 { 748 struct context *ocontext; 749 struct context *ncontext; 750 struct context *tcontext; 751 struct class_datum *tclass_datum; 752 struct constraint_node *constraint; 753 u16 tclass; 754 int rc = 0; 755 756 if (!ss_initialized) 757 return 0; 758 759 read_lock(&policy_rwlock); 760 761 tclass = unmap_class(orig_tclass); 762 763 if (!tclass || tclass > policydb.p_classes.nprim) { 764 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 765 __func__, tclass); 766 rc = -EINVAL; 767 goto out; 768 } 769 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 770 771 ocontext = sidtab_search(&sidtab, oldsid); 772 if (!ocontext) { 773 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 774 __func__, oldsid); 775 rc = -EINVAL; 776 goto out; 777 } 778 779 ncontext = sidtab_search(&sidtab, newsid); 780 if (!ncontext) { 781 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 782 __func__, newsid); 783 rc = -EINVAL; 784 goto out; 785 } 786 787 tcontext = sidtab_search(&sidtab, tasksid); 788 if (!tcontext) { 789 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 790 __func__, tasksid); 791 rc = -EINVAL; 792 goto out; 793 } 794 795 constraint = tclass_datum->validatetrans; 796 while (constraint) { 797 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 798 constraint->expr)) { 799 rc = security_validtrans_handle_fail(ocontext, ncontext, 800 tcontext, tclass); 801 goto out; 802 } 803 constraint = constraint->next; 804 } 805 806 out: 807 read_unlock(&policy_rwlock); 808 return rc; 809 } 810 811 /* 812 * security_bounded_transition - check whether the given 813 * transition is directed to bounded, or not. 814 * It returns 0, if @newsid is bounded by @oldsid. 815 * Otherwise, it returns error code. 816 * 817 * @oldsid : current security identifier 818 * @newsid : destinated security identifier 819 */ 820 int security_bounded_transition(u32 old_sid, u32 new_sid) 821 { 822 struct context *old_context, *new_context; 823 struct type_datum *type; 824 int index; 825 int rc; 826 827 read_lock(&policy_rwlock); 828 829 rc = -EINVAL; 830 old_context = sidtab_search(&sidtab, old_sid); 831 if (!old_context) { 832 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 833 __func__, old_sid); 834 goto out; 835 } 836 837 rc = -EINVAL; 838 new_context = sidtab_search(&sidtab, new_sid); 839 if (!new_context) { 840 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 841 __func__, new_sid); 842 goto out; 843 } 844 845 rc = 0; 846 /* type/domain unchanged */ 847 if (old_context->type == new_context->type) 848 goto out; 849 850 index = new_context->type; 851 while (true) { 852 type = flex_array_get_ptr(policydb.type_val_to_struct_array, 853 index - 1); 854 BUG_ON(!type); 855 856 /* not bounded anymore */ 857 rc = -EPERM; 858 if (!type->bounds) 859 break; 860 861 /* @newsid is bounded by @oldsid */ 862 rc = 0; 863 if (type->bounds == old_context->type) 864 break; 865 866 index = type->bounds; 867 } 868 869 if (rc) { 870 char *old_name = NULL; 871 char *new_name = NULL; 872 u32 length; 873 874 if (!context_struct_to_string(old_context, 875 &old_name, &length) && 876 !context_struct_to_string(new_context, 877 &new_name, &length)) { 878 audit_log(current->audit_context, 879 GFP_ATOMIC, AUDIT_SELINUX_ERR, 880 "op=security_bounded_transition " 881 "result=denied " 882 "oldcontext=%s newcontext=%s", 883 old_name, new_name); 884 } 885 kfree(new_name); 886 kfree(old_name); 887 } 888 out: 889 read_unlock(&policy_rwlock); 890 891 return rc; 892 } 893 894 static void avd_init(struct av_decision *avd) 895 { 896 avd->allowed = 0; 897 avd->auditallow = 0; 898 avd->auditdeny = 0xffffffff; 899 avd->seqno = latest_granting; 900 avd->flags = 0; 901 } 902 903 904 /** 905 * security_compute_av - Compute access vector decisions. 906 * @ssid: source security identifier 907 * @tsid: target security identifier 908 * @tclass: target security class 909 * @avd: access vector decisions 910 * 911 * Compute a set of access vector decisions based on the 912 * SID pair (@ssid, @tsid) for the permissions in @tclass. 913 */ 914 void security_compute_av(u32 ssid, 915 u32 tsid, 916 u16 orig_tclass, 917 struct av_decision *avd) 918 { 919 u16 tclass; 920 struct context *scontext = NULL, *tcontext = NULL; 921 922 read_lock(&policy_rwlock); 923 avd_init(avd); 924 if (!ss_initialized) 925 goto allow; 926 927 scontext = sidtab_search(&sidtab, ssid); 928 if (!scontext) { 929 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 930 __func__, ssid); 931 goto out; 932 } 933 934 /* permissive domain? */ 935 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 936 avd->flags |= AVD_FLAGS_PERMISSIVE; 937 938 tcontext = sidtab_search(&sidtab, tsid); 939 if (!tcontext) { 940 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 941 __func__, tsid); 942 goto out; 943 } 944 945 tclass = unmap_class(orig_tclass); 946 if (unlikely(orig_tclass && !tclass)) { 947 if (policydb.allow_unknown) 948 goto allow; 949 goto out; 950 } 951 context_struct_compute_av(scontext, tcontext, tclass, avd); 952 map_decision(orig_tclass, avd, policydb.allow_unknown); 953 out: 954 read_unlock(&policy_rwlock); 955 return; 956 allow: 957 avd->allowed = 0xffffffff; 958 goto out; 959 } 960 961 void security_compute_av_user(u32 ssid, 962 u32 tsid, 963 u16 tclass, 964 struct av_decision *avd) 965 { 966 struct context *scontext = NULL, *tcontext = NULL; 967 968 read_lock(&policy_rwlock); 969 avd_init(avd); 970 if (!ss_initialized) 971 goto allow; 972 973 scontext = sidtab_search(&sidtab, ssid); 974 if (!scontext) { 975 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 976 __func__, ssid); 977 goto out; 978 } 979 980 /* permissive domain? */ 981 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 982 avd->flags |= AVD_FLAGS_PERMISSIVE; 983 984 tcontext = sidtab_search(&sidtab, tsid); 985 if (!tcontext) { 986 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 987 __func__, tsid); 988 goto out; 989 } 990 991 if (unlikely(!tclass)) { 992 if (policydb.allow_unknown) 993 goto allow; 994 goto out; 995 } 996 997 context_struct_compute_av(scontext, tcontext, tclass, avd); 998 out: 999 read_unlock(&policy_rwlock); 1000 return; 1001 allow: 1002 avd->allowed = 0xffffffff; 1003 goto out; 1004 } 1005 1006 /* 1007 * Write the security context string representation of 1008 * the context structure `context' into a dynamically 1009 * allocated string of the correct size. Set `*scontext' 1010 * to point to this string and set `*scontext_len' to 1011 * the length of the string. 1012 */ 1013 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 1014 { 1015 char *scontextp; 1016 1017 if (scontext) 1018 *scontext = NULL; 1019 *scontext_len = 0; 1020 1021 if (context->len) { 1022 *scontext_len = context->len; 1023 *scontext = kstrdup(context->str, GFP_ATOMIC); 1024 if (!(*scontext)) 1025 return -ENOMEM; 1026 return 0; 1027 } 1028 1029 /* Compute the size of the context. */ 1030 *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1; 1031 *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1; 1032 *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1; 1033 *scontext_len += mls_compute_context_len(context); 1034 1035 if (!scontext) 1036 return 0; 1037 1038 /* Allocate space for the context; caller must free this space. */ 1039 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1040 if (!scontextp) 1041 return -ENOMEM; 1042 *scontext = scontextp; 1043 1044 /* 1045 * Copy the user name, role name and type name into the context. 1046 */ 1047 sprintf(scontextp, "%s:%s:%s", 1048 sym_name(&policydb, SYM_USERS, context->user - 1), 1049 sym_name(&policydb, SYM_ROLES, context->role - 1), 1050 sym_name(&policydb, SYM_TYPES, context->type - 1)); 1051 scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1052 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1053 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); 1054 1055 mls_sid_to_context(context, &scontextp); 1056 1057 *scontextp = 0; 1058 1059 return 0; 1060 } 1061 1062 #include "initial_sid_to_string.h" 1063 1064 const char *security_get_initial_sid_context(u32 sid) 1065 { 1066 if (unlikely(sid > SECINITSID_NUM)) 1067 return NULL; 1068 return initial_sid_to_string[sid]; 1069 } 1070 1071 static int security_sid_to_context_core(u32 sid, char **scontext, 1072 u32 *scontext_len, int force) 1073 { 1074 struct context *context; 1075 int rc = 0; 1076 1077 if (scontext) 1078 *scontext = NULL; 1079 *scontext_len = 0; 1080 1081 if (!ss_initialized) { 1082 if (sid <= SECINITSID_NUM) { 1083 char *scontextp; 1084 1085 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 1086 if (!scontext) 1087 goto out; 1088 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1089 if (!scontextp) { 1090 rc = -ENOMEM; 1091 goto out; 1092 } 1093 strcpy(scontextp, initial_sid_to_string[sid]); 1094 *scontext = scontextp; 1095 goto out; 1096 } 1097 printk(KERN_ERR "SELinux: %s: called before initial " 1098 "load_policy on unknown SID %d\n", __func__, sid); 1099 rc = -EINVAL; 1100 goto out; 1101 } 1102 read_lock(&policy_rwlock); 1103 if (force) 1104 context = sidtab_search_force(&sidtab, sid); 1105 else 1106 context = sidtab_search(&sidtab, sid); 1107 if (!context) { 1108 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1109 __func__, sid); 1110 rc = -EINVAL; 1111 goto out_unlock; 1112 } 1113 rc = context_struct_to_string(context, scontext, scontext_len); 1114 out_unlock: 1115 read_unlock(&policy_rwlock); 1116 out: 1117 return rc; 1118 1119 } 1120 1121 /** 1122 * security_sid_to_context - Obtain a context for a given SID. 1123 * @sid: security identifier, SID 1124 * @scontext: security context 1125 * @scontext_len: length in bytes 1126 * 1127 * Write the string representation of the context associated with @sid 1128 * into a dynamically allocated string of the correct size. Set @scontext 1129 * to point to this string and set @scontext_len to the length of the string. 1130 */ 1131 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 1132 { 1133 return security_sid_to_context_core(sid, scontext, scontext_len, 0); 1134 } 1135 1136 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) 1137 { 1138 return security_sid_to_context_core(sid, scontext, scontext_len, 1); 1139 } 1140 1141 /* 1142 * Caveat: Mutates scontext. 1143 */ 1144 static int string_to_context_struct(struct policydb *pol, 1145 struct sidtab *sidtabp, 1146 char *scontext, 1147 u32 scontext_len, 1148 struct context *ctx, 1149 u32 def_sid) 1150 { 1151 struct role_datum *role; 1152 struct type_datum *typdatum; 1153 struct user_datum *usrdatum; 1154 char *scontextp, *p, oldc; 1155 int rc = 0; 1156 1157 context_init(ctx); 1158 1159 /* Parse the security context. */ 1160 1161 rc = -EINVAL; 1162 scontextp = (char *) scontext; 1163 1164 /* Extract the user. */ 1165 p = scontextp; 1166 while (*p && *p != ':') 1167 p++; 1168 1169 if (*p == 0) 1170 goto out; 1171 1172 *p++ = 0; 1173 1174 usrdatum = hashtab_search(pol->p_users.table, scontextp); 1175 if (!usrdatum) 1176 goto out; 1177 1178 ctx->user = usrdatum->value; 1179 1180 /* Extract role. */ 1181 scontextp = p; 1182 while (*p && *p != ':') 1183 p++; 1184 1185 if (*p == 0) 1186 goto out; 1187 1188 *p++ = 0; 1189 1190 role = hashtab_search(pol->p_roles.table, scontextp); 1191 if (!role) 1192 goto out; 1193 ctx->role = role->value; 1194 1195 /* Extract type. */ 1196 scontextp = p; 1197 while (*p && *p != ':') 1198 p++; 1199 oldc = *p; 1200 *p++ = 0; 1201 1202 typdatum = hashtab_search(pol->p_types.table, scontextp); 1203 if (!typdatum || typdatum->attribute) 1204 goto out; 1205 1206 ctx->type = typdatum->value; 1207 1208 rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid); 1209 if (rc) 1210 goto out; 1211 1212 rc = -EINVAL; 1213 if ((p - scontext) < scontext_len) 1214 goto out; 1215 1216 /* Check the validity of the new context. */ 1217 if (!policydb_context_isvalid(pol, ctx)) 1218 goto out; 1219 rc = 0; 1220 out: 1221 if (rc) 1222 context_destroy(ctx); 1223 return rc; 1224 } 1225 1226 static int security_context_to_sid_core(const char *scontext, u32 scontext_len, 1227 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1228 int force) 1229 { 1230 char *scontext2, *str = NULL; 1231 struct context context; 1232 int rc = 0; 1233 1234 if (!ss_initialized) { 1235 int i; 1236 1237 for (i = 1; i < SECINITSID_NUM; i++) { 1238 if (!strcmp(initial_sid_to_string[i], scontext)) { 1239 *sid = i; 1240 return 0; 1241 } 1242 } 1243 *sid = SECINITSID_KERNEL; 1244 return 0; 1245 } 1246 *sid = SECSID_NULL; 1247 1248 /* Copy the string so that we can modify the copy as we parse it. */ 1249 scontext2 = kmalloc(scontext_len + 1, gfp_flags); 1250 if (!scontext2) 1251 return -ENOMEM; 1252 memcpy(scontext2, scontext, scontext_len); 1253 scontext2[scontext_len] = 0; 1254 1255 if (force) { 1256 /* Save another copy for storing in uninterpreted form */ 1257 rc = -ENOMEM; 1258 str = kstrdup(scontext2, gfp_flags); 1259 if (!str) 1260 goto out; 1261 } 1262 1263 read_lock(&policy_rwlock); 1264 rc = string_to_context_struct(&policydb, &sidtab, scontext2, 1265 scontext_len, &context, def_sid); 1266 if (rc == -EINVAL && force) { 1267 context.str = str; 1268 context.len = scontext_len; 1269 str = NULL; 1270 } else if (rc) 1271 goto out_unlock; 1272 rc = sidtab_context_to_sid(&sidtab, &context, sid); 1273 context_destroy(&context); 1274 out_unlock: 1275 read_unlock(&policy_rwlock); 1276 out: 1277 kfree(scontext2); 1278 kfree(str); 1279 return rc; 1280 } 1281 1282 /** 1283 * security_context_to_sid - Obtain a SID for a given security context. 1284 * @scontext: security context 1285 * @scontext_len: length in bytes 1286 * @sid: security identifier, SID 1287 * 1288 * Obtains a SID associated with the security context that 1289 * has the string representation specified by @scontext. 1290 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1291 * memory is available, or 0 on success. 1292 */ 1293 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) 1294 { 1295 return security_context_to_sid_core(scontext, scontext_len, 1296 sid, SECSID_NULL, GFP_KERNEL, 0); 1297 } 1298 1299 /** 1300 * security_context_to_sid_default - Obtain a SID for a given security context, 1301 * falling back to specified default if needed. 1302 * 1303 * @scontext: security context 1304 * @scontext_len: length in bytes 1305 * @sid: security identifier, SID 1306 * @def_sid: default SID to assign on error 1307 * 1308 * Obtains a SID associated with the security context that 1309 * has the string representation specified by @scontext. 1310 * The default SID is passed to the MLS layer to be used to allow 1311 * kernel labeling of the MLS field if the MLS field is not present 1312 * (for upgrading to MLS without full relabel). 1313 * Implicitly forces adding of the context even if it cannot be mapped yet. 1314 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1315 * memory is available, or 0 on success. 1316 */ 1317 int security_context_to_sid_default(const char *scontext, u32 scontext_len, 1318 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1319 { 1320 return security_context_to_sid_core(scontext, scontext_len, 1321 sid, def_sid, gfp_flags, 1); 1322 } 1323 1324 int security_context_to_sid_force(const char *scontext, u32 scontext_len, 1325 u32 *sid) 1326 { 1327 return security_context_to_sid_core(scontext, scontext_len, 1328 sid, SECSID_NULL, GFP_KERNEL, 1); 1329 } 1330 1331 static int compute_sid_handle_invalid_context( 1332 struct context *scontext, 1333 struct context *tcontext, 1334 u16 tclass, 1335 struct context *newcontext) 1336 { 1337 char *s = NULL, *t = NULL, *n = NULL; 1338 u32 slen, tlen, nlen; 1339 1340 if (context_struct_to_string(scontext, &s, &slen)) 1341 goto out; 1342 if (context_struct_to_string(tcontext, &t, &tlen)) 1343 goto out; 1344 if (context_struct_to_string(newcontext, &n, &nlen)) 1345 goto out; 1346 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1347 "security_compute_sid: invalid context %s" 1348 " for scontext=%s" 1349 " tcontext=%s" 1350 " tclass=%s", 1351 n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); 1352 out: 1353 kfree(s); 1354 kfree(t); 1355 kfree(n); 1356 if (!selinux_enforcing) 1357 return 0; 1358 return -EACCES; 1359 } 1360 1361 static void filename_compute_type(struct policydb *p, struct context *newcontext, 1362 u32 stype, u32 ttype, u16 tclass, 1363 const char *objname) 1364 { 1365 struct filename_trans ft; 1366 struct filename_trans_datum *otype; 1367 1368 /* 1369 * Most filename trans rules are going to live in specific directories 1370 * like /dev or /var/run. This bitmap will quickly skip rule searches 1371 * if the ttype does not contain any rules. 1372 */ 1373 if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype)) 1374 return; 1375 1376 ft.stype = stype; 1377 ft.ttype = ttype; 1378 ft.tclass = tclass; 1379 ft.name = objname; 1380 1381 otype = hashtab_search(p->filename_trans, &ft); 1382 if (otype) 1383 newcontext->type = otype->otype; 1384 } 1385 1386 static int security_compute_sid(u32 ssid, 1387 u32 tsid, 1388 u16 orig_tclass, 1389 u32 specified, 1390 const char *objname, 1391 u32 *out_sid, 1392 bool kern) 1393 { 1394 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1395 struct role_trans *roletr = NULL; 1396 struct avtab_key avkey; 1397 struct avtab_datum *avdatum; 1398 struct avtab_node *node; 1399 u16 tclass; 1400 int rc = 0; 1401 bool sock; 1402 1403 if (!ss_initialized) { 1404 switch (orig_tclass) { 1405 case SECCLASS_PROCESS: /* kernel value */ 1406 *out_sid = ssid; 1407 break; 1408 default: 1409 *out_sid = tsid; 1410 break; 1411 } 1412 goto out; 1413 } 1414 1415 context_init(&newcontext); 1416 1417 read_lock(&policy_rwlock); 1418 1419 if (kern) { 1420 tclass = unmap_class(orig_tclass); 1421 sock = security_is_socket_class(orig_tclass); 1422 } else { 1423 tclass = orig_tclass; 1424 sock = security_is_socket_class(map_class(tclass)); 1425 } 1426 1427 scontext = sidtab_search(&sidtab, ssid); 1428 if (!scontext) { 1429 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1430 __func__, ssid); 1431 rc = -EINVAL; 1432 goto out_unlock; 1433 } 1434 tcontext = sidtab_search(&sidtab, tsid); 1435 if (!tcontext) { 1436 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1437 __func__, tsid); 1438 rc = -EINVAL; 1439 goto out_unlock; 1440 } 1441 1442 /* Set the user identity. */ 1443 switch (specified) { 1444 case AVTAB_TRANSITION: 1445 case AVTAB_CHANGE: 1446 /* Use the process user identity. */ 1447 newcontext.user = scontext->user; 1448 break; 1449 case AVTAB_MEMBER: 1450 /* Use the related object owner. */ 1451 newcontext.user = tcontext->user; 1452 break; 1453 } 1454 1455 /* Set the role and type to default values. */ 1456 if ((tclass == policydb.process_class) || (sock == true)) { 1457 /* Use the current role and type of process. */ 1458 newcontext.role = scontext->role; 1459 newcontext.type = scontext->type; 1460 } else { 1461 /* Use the well-defined object role. */ 1462 newcontext.role = OBJECT_R_VAL; 1463 /* Use the type of the related object. */ 1464 newcontext.type = tcontext->type; 1465 } 1466 1467 /* Look for a type transition/member/change rule. */ 1468 avkey.source_type = scontext->type; 1469 avkey.target_type = tcontext->type; 1470 avkey.target_class = tclass; 1471 avkey.specified = specified; 1472 avdatum = avtab_search(&policydb.te_avtab, &avkey); 1473 1474 /* If no permanent rule, also check for enabled conditional rules */ 1475 if (!avdatum) { 1476 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 1477 for (; node; node = avtab_search_node_next(node, specified)) { 1478 if (node->key.specified & AVTAB_ENABLED) { 1479 avdatum = &node->datum; 1480 break; 1481 } 1482 } 1483 } 1484 1485 if (avdatum) { 1486 /* Use the type from the type transition/member/change rule. */ 1487 newcontext.type = avdatum->data; 1488 } 1489 1490 /* if we have a objname this is a file trans check so check those rules */ 1491 if (objname) 1492 filename_compute_type(&policydb, &newcontext, scontext->type, 1493 tcontext->type, tclass, objname); 1494 1495 /* Check for class-specific changes. */ 1496 if (specified & AVTAB_TRANSITION) { 1497 /* Look for a role transition rule. */ 1498 for (roletr = policydb.role_tr; roletr; roletr = roletr->next) { 1499 if ((roletr->role == scontext->role) && 1500 (roletr->type == tcontext->type) && 1501 (roletr->tclass == tclass)) { 1502 /* Use the role transition rule. */ 1503 newcontext.role = roletr->new_role; 1504 break; 1505 } 1506 } 1507 } 1508 1509 /* Set the MLS attributes. 1510 This is done last because it may allocate memory. */ 1511 rc = mls_compute_sid(scontext, tcontext, tclass, specified, 1512 &newcontext, sock); 1513 if (rc) 1514 goto out_unlock; 1515 1516 /* Check the validity of the context. */ 1517 if (!policydb_context_isvalid(&policydb, &newcontext)) { 1518 rc = compute_sid_handle_invalid_context(scontext, 1519 tcontext, 1520 tclass, 1521 &newcontext); 1522 if (rc) 1523 goto out_unlock; 1524 } 1525 /* Obtain the sid for the context. */ 1526 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 1527 out_unlock: 1528 read_unlock(&policy_rwlock); 1529 context_destroy(&newcontext); 1530 out: 1531 return rc; 1532 } 1533 1534 /** 1535 * security_transition_sid - Compute the SID for a new subject/object. 1536 * @ssid: source security identifier 1537 * @tsid: target security identifier 1538 * @tclass: target security class 1539 * @out_sid: security identifier for new subject/object 1540 * 1541 * Compute a SID to use for labeling a new subject or object in the 1542 * class @tclass based on a SID pair (@ssid, @tsid). 1543 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1544 * if insufficient memory is available, or %0 if the new SID was 1545 * computed successfully. 1546 */ 1547 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, 1548 const struct qstr *qstr, u32 *out_sid) 1549 { 1550 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1551 qstr ? qstr->name : NULL, out_sid, true); 1552 } 1553 1554 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, 1555 const char *objname, u32 *out_sid) 1556 { 1557 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1558 objname, out_sid, false); 1559 } 1560 1561 /** 1562 * security_member_sid - Compute the SID for member selection. 1563 * @ssid: source security identifier 1564 * @tsid: target security identifier 1565 * @tclass: target security class 1566 * @out_sid: security identifier for selected member 1567 * 1568 * Compute a SID to use when selecting a member of a polyinstantiated 1569 * object of class @tclass based on a SID pair (@ssid, @tsid). 1570 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1571 * if insufficient memory is available, or %0 if the SID was 1572 * computed successfully. 1573 */ 1574 int security_member_sid(u32 ssid, 1575 u32 tsid, 1576 u16 tclass, 1577 u32 *out_sid) 1578 { 1579 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL, 1580 out_sid, false); 1581 } 1582 1583 /** 1584 * security_change_sid - Compute the SID for object relabeling. 1585 * @ssid: source security identifier 1586 * @tsid: target security identifier 1587 * @tclass: target security class 1588 * @out_sid: security identifier for selected member 1589 * 1590 * Compute a SID to use for relabeling an object of class @tclass 1591 * based on a SID pair (@ssid, @tsid). 1592 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1593 * if insufficient memory is available, or %0 if the SID was 1594 * computed successfully. 1595 */ 1596 int security_change_sid(u32 ssid, 1597 u32 tsid, 1598 u16 tclass, 1599 u32 *out_sid) 1600 { 1601 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL, 1602 out_sid, false); 1603 } 1604 1605 /* Clone the SID into the new SID table. */ 1606 static int clone_sid(u32 sid, 1607 struct context *context, 1608 void *arg) 1609 { 1610 struct sidtab *s = arg; 1611 1612 if (sid > SECINITSID_NUM) 1613 return sidtab_insert(s, sid, context); 1614 else 1615 return 0; 1616 } 1617 1618 static inline int convert_context_handle_invalid_context(struct context *context) 1619 { 1620 char *s; 1621 u32 len; 1622 1623 if (selinux_enforcing) 1624 return -EINVAL; 1625 1626 if (!context_struct_to_string(context, &s, &len)) { 1627 printk(KERN_WARNING "SELinux: Context %s would be invalid if enforcing\n", s); 1628 kfree(s); 1629 } 1630 return 0; 1631 } 1632 1633 struct convert_context_args { 1634 struct policydb *oldp; 1635 struct policydb *newp; 1636 }; 1637 1638 /* 1639 * Convert the values in the security context 1640 * structure `c' from the values specified 1641 * in the policy `p->oldp' to the values specified 1642 * in the policy `p->newp'. Verify that the 1643 * context is valid under the new policy. 1644 */ 1645 static int convert_context(u32 key, 1646 struct context *c, 1647 void *p) 1648 { 1649 struct convert_context_args *args; 1650 struct context oldc; 1651 struct ocontext *oc; 1652 struct mls_range *range; 1653 struct role_datum *role; 1654 struct type_datum *typdatum; 1655 struct user_datum *usrdatum; 1656 char *s; 1657 u32 len; 1658 int rc = 0; 1659 1660 if (key <= SECINITSID_NUM) 1661 goto out; 1662 1663 args = p; 1664 1665 if (c->str) { 1666 struct context ctx; 1667 1668 rc = -ENOMEM; 1669 s = kstrdup(c->str, GFP_KERNEL); 1670 if (!s) 1671 goto out; 1672 1673 rc = string_to_context_struct(args->newp, NULL, s, 1674 c->len, &ctx, SECSID_NULL); 1675 kfree(s); 1676 if (!rc) { 1677 printk(KERN_INFO "SELinux: Context %s became valid (mapped).\n", 1678 c->str); 1679 /* Replace string with mapped representation. */ 1680 kfree(c->str); 1681 memcpy(c, &ctx, sizeof(*c)); 1682 goto out; 1683 } else if (rc == -EINVAL) { 1684 /* Retain string representation for later mapping. */ 1685 rc = 0; 1686 goto out; 1687 } else { 1688 /* Other error condition, e.g. ENOMEM. */ 1689 printk(KERN_ERR "SELinux: Unable to map context %s, rc = %d.\n", 1690 c->str, -rc); 1691 goto out; 1692 } 1693 } 1694 1695 rc = context_cpy(&oldc, c); 1696 if (rc) 1697 goto out; 1698 1699 /* Convert the user. */ 1700 rc = -EINVAL; 1701 usrdatum = hashtab_search(args->newp->p_users.table, 1702 sym_name(args->oldp, SYM_USERS, c->user - 1)); 1703 if (!usrdatum) 1704 goto bad; 1705 c->user = usrdatum->value; 1706 1707 /* Convert the role. */ 1708 rc = -EINVAL; 1709 role = hashtab_search(args->newp->p_roles.table, 1710 sym_name(args->oldp, SYM_ROLES, c->role - 1)); 1711 if (!role) 1712 goto bad; 1713 c->role = role->value; 1714 1715 /* Convert the type. */ 1716 rc = -EINVAL; 1717 typdatum = hashtab_search(args->newp->p_types.table, 1718 sym_name(args->oldp, SYM_TYPES, c->type - 1)); 1719 if (!typdatum) 1720 goto bad; 1721 c->type = typdatum->value; 1722 1723 /* Convert the MLS fields if dealing with MLS policies */ 1724 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 1725 rc = mls_convert_context(args->oldp, args->newp, c); 1726 if (rc) 1727 goto bad; 1728 } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) { 1729 /* 1730 * Switching between MLS and non-MLS policy: 1731 * free any storage used by the MLS fields in the 1732 * context for all existing entries in the sidtab. 1733 */ 1734 mls_context_destroy(c); 1735 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { 1736 /* 1737 * Switching between non-MLS and MLS policy: 1738 * ensure that the MLS fields of the context for all 1739 * existing entries in the sidtab are filled in with a 1740 * suitable default value, likely taken from one of the 1741 * initial SIDs. 1742 */ 1743 oc = args->newp->ocontexts[OCON_ISID]; 1744 while (oc && oc->sid[0] != SECINITSID_UNLABELED) 1745 oc = oc->next; 1746 rc = -EINVAL; 1747 if (!oc) { 1748 printk(KERN_ERR "SELinux: unable to look up" 1749 " the initial SIDs list\n"); 1750 goto bad; 1751 } 1752 range = &oc->context[0].range; 1753 rc = mls_range_set(c, range); 1754 if (rc) 1755 goto bad; 1756 } 1757 1758 /* Check the validity of the new context. */ 1759 if (!policydb_context_isvalid(args->newp, c)) { 1760 rc = convert_context_handle_invalid_context(&oldc); 1761 if (rc) 1762 goto bad; 1763 } 1764 1765 context_destroy(&oldc); 1766 1767 rc = 0; 1768 out: 1769 return rc; 1770 bad: 1771 /* Map old representation to string and save it. */ 1772 rc = context_struct_to_string(&oldc, &s, &len); 1773 if (rc) 1774 return rc; 1775 context_destroy(&oldc); 1776 context_destroy(c); 1777 c->str = s; 1778 c->len = len; 1779 printk(KERN_INFO "SELinux: Context %s became invalid (unmapped).\n", 1780 c->str); 1781 rc = 0; 1782 goto out; 1783 } 1784 1785 static void security_load_policycaps(void) 1786 { 1787 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1788 POLICYDB_CAPABILITY_NETPEER); 1789 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1790 POLICYDB_CAPABILITY_OPENPERM); 1791 } 1792 1793 extern void selinux_complete_init(void); 1794 static int security_preserve_bools(struct policydb *p); 1795 1796 /** 1797 * security_load_policy - Load a security policy configuration. 1798 * @data: binary policy data 1799 * @len: length of data in bytes 1800 * 1801 * Load a new set of security policy configuration data, 1802 * validate it and convert the SID table as necessary. 1803 * This function will flush the access vector cache after 1804 * loading the new policy. 1805 */ 1806 int security_load_policy(void *data, size_t len) 1807 { 1808 struct policydb oldpolicydb, newpolicydb; 1809 struct sidtab oldsidtab, newsidtab; 1810 struct selinux_mapping *oldmap, *map = NULL; 1811 struct convert_context_args args; 1812 u32 seqno; 1813 u16 map_size; 1814 int rc = 0; 1815 struct policy_file file = { data, len }, *fp = &file; 1816 1817 if (!ss_initialized) { 1818 avtab_cache_init(); 1819 rc = policydb_read(&policydb, fp); 1820 if (rc) { 1821 avtab_cache_destroy(); 1822 return rc; 1823 } 1824 1825 policydb.len = len; 1826 rc = selinux_set_mapping(&policydb, secclass_map, 1827 ¤t_mapping, 1828 ¤t_mapping_size); 1829 if (rc) { 1830 policydb_destroy(&policydb); 1831 avtab_cache_destroy(); 1832 return rc; 1833 } 1834 1835 rc = policydb_load_isids(&policydb, &sidtab); 1836 if (rc) { 1837 policydb_destroy(&policydb); 1838 avtab_cache_destroy(); 1839 return rc; 1840 } 1841 1842 security_load_policycaps(); 1843 ss_initialized = 1; 1844 seqno = ++latest_granting; 1845 selinux_complete_init(); 1846 avc_ss_reset(seqno); 1847 selnl_notify_policyload(seqno); 1848 selinux_status_update_policyload(seqno); 1849 selinux_netlbl_cache_invalidate(); 1850 selinux_xfrm_notify_policyload(); 1851 return 0; 1852 } 1853 1854 #if 0 1855 sidtab_hash_eval(&sidtab, "sids"); 1856 #endif 1857 1858 rc = policydb_read(&newpolicydb, fp); 1859 if (rc) 1860 return rc; 1861 1862 newpolicydb.len = len; 1863 /* If switching between different policy types, log MLS status */ 1864 if (policydb.mls_enabled && !newpolicydb.mls_enabled) 1865 printk(KERN_INFO "SELinux: Disabling MLS support...\n"); 1866 else if (!policydb.mls_enabled && newpolicydb.mls_enabled) 1867 printk(KERN_INFO "SELinux: Enabling MLS support...\n"); 1868 1869 rc = policydb_load_isids(&newpolicydb, &newsidtab); 1870 if (rc) { 1871 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n"); 1872 policydb_destroy(&newpolicydb); 1873 return rc; 1874 } 1875 1876 rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size); 1877 if (rc) 1878 goto err; 1879 1880 rc = security_preserve_bools(&newpolicydb); 1881 if (rc) { 1882 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 1883 goto err; 1884 } 1885 1886 /* Clone the SID table. */ 1887 sidtab_shutdown(&sidtab); 1888 1889 rc = sidtab_map(&sidtab, clone_sid, &newsidtab); 1890 if (rc) 1891 goto err; 1892 1893 /* 1894 * Convert the internal representations of contexts 1895 * in the new SID table. 1896 */ 1897 args.oldp = &policydb; 1898 args.newp = &newpolicydb; 1899 rc = sidtab_map(&newsidtab, convert_context, &args); 1900 if (rc) { 1901 printk(KERN_ERR "SELinux: unable to convert the internal" 1902 " representation of contexts in the new SID" 1903 " table\n"); 1904 goto err; 1905 } 1906 1907 /* Save the old policydb and SID table to free later. */ 1908 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1909 sidtab_set(&oldsidtab, &sidtab); 1910 1911 /* Install the new policydb and SID table. */ 1912 write_lock_irq(&policy_rwlock); 1913 memcpy(&policydb, &newpolicydb, sizeof policydb); 1914 sidtab_set(&sidtab, &newsidtab); 1915 security_load_policycaps(); 1916 oldmap = current_mapping; 1917 current_mapping = map; 1918 current_mapping_size = map_size; 1919 seqno = ++latest_granting; 1920 write_unlock_irq(&policy_rwlock); 1921 1922 /* Free the old policydb and SID table. */ 1923 policydb_destroy(&oldpolicydb); 1924 sidtab_destroy(&oldsidtab); 1925 kfree(oldmap); 1926 1927 avc_ss_reset(seqno); 1928 selnl_notify_policyload(seqno); 1929 selinux_status_update_policyload(seqno); 1930 selinux_netlbl_cache_invalidate(); 1931 selinux_xfrm_notify_policyload(); 1932 1933 return 0; 1934 1935 err: 1936 kfree(map); 1937 sidtab_destroy(&newsidtab); 1938 policydb_destroy(&newpolicydb); 1939 return rc; 1940 1941 } 1942 1943 size_t security_policydb_len(void) 1944 { 1945 size_t len; 1946 1947 read_lock(&policy_rwlock); 1948 len = policydb.len; 1949 read_unlock(&policy_rwlock); 1950 1951 return len; 1952 } 1953 1954 /** 1955 * security_port_sid - Obtain the SID for a port. 1956 * @protocol: protocol number 1957 * @port: port number 1958 * @out_sid: security identifier 1959 */ 1960 int security_port_sid(u8 protocol, u16 port, u32 *out_sid) 1961 { 1962 struct ocontext *c; 1963 int rc = 0; 1964 1965 read_lock(&policy_rwlock); 1966 1967 c = policydb.ocontexts[OCON_PORT]; 1968 while (c) { 1969 if (c->u.port.protocol == protocol && 1970 c->u.port.low_port <= port && 1971 c->u.port.high_port >= port) 1972 break; 1973 c = c->next; 1974 } 1975 1976 if (c) { 1977 if (!c->sid[0]) { 1978 rc = sidtab_context_to_sid(&sidtab, 1979 &c->context[0], 1980 &c->sid[0]); 1981 if (rc) 1982 goto out; 1983 } 1984 *out_sid = c->sid[0]; 1985 } else { 1986 *out_sid = SECINITSID_PORT; 1987 } 1988 1989 out: 1990 read_unlock(&policy_rwlock); 1991 return rc; 1992 } 1993 1994 /** 1995 * security_netif_sid - Obtain the SID for a network interface. 1996 * @name: interface name 1997 * @if_sid: interface SID 1998 */ 1999 int security_netif_sid(char *name, u32 *if_sid) 2000 { 2001 int rc = 0; 2002 struct ocontext *c; 2003 2004 read_lock(&policy_rwlock); 2005 2006 c = policydb.ocontexts[OCON_NETIF]; 2007 while (c) { 2008 if (strcmp(name, c->u.name) == 0) 2009 break; 2010 c = c->next; 2011 } 2012 2013 if (c) { 2014 if (!c->sid[0] || !c->sid[1]) { 2015 rc = sidtab_context_to_sid(&sidtab, 2016 &c->context[0], 2017 &c->sid[0]); 2018 if (rc) 2019 goto out; 2020 rc = sidtab_context_to_sid(&sidtab, 2021 &c->context[1], 2022 &c->sid[1]); 2023 if (rc) 2024 goto out; 2025 } 2026 *if_sid = c->sid[0]; 2027 } else 2028 *if_sid = SECINITSID_NETIF; 2029 2030 out: 2031 read_unlock(&policy_rwlock); 2032 return rc; 2033 } 2034 2035 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 2036 { 2037 int i, fail = 0; 2038 2039 for (i = 0; i < 4; i++) 2040 if (addr[i] != (input[i] & mask[i])) { 2041 fail = 1; 2042 break; 2043 } 2044 2045 return !fail; 2046 } 2047 2048 /** 2049 * security_node_sid - Obtain the SID for a node (host). 2050 * @domain: communication domain aka address family 2051 * @addrp: address 2052 * @addrlen: address length in bytes 2053 * @out_sid: security identifier 2054 */ 2055 int security_node_sid(u16 domain, 2056 void *addrp, 2057 u32 addrlen, 2058 u32 *out_sid) 2059 { 2060 int rc; 2061 struct ocontext *c; 2062 2063 read_lock(&policy_rwlock); 2064 2065 switch (domain) { 2066 case AF_INET: { 2067 u32 addr; 2068 2069 rc = -EINVAL; 2070 if (addrlen != sizeof(u32)) 2071 goto out; 2072 2073 addr = *((u32 *)addrp); 2074 2075 c = policydb.ocontexts[OCON_NODE]; 2076 while (c) { 2077 if (c->u.node.addr == (addr & c->u.node.mask)) 2078 break; 2079 c = c->next; 2080 } 2081 break; 2082 } 2083 2084 case AF_INET6: 2085 rc = -EINVAL; 2086 if (addrlen != sizeof(u64) * 2) 2087 goto out; 2088 c = policydb.ocontexts[OCON_NODE6]; 2089 while (c) { 2090 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 2091 c->u.node6.mask)) 2092 break; 2093 c = c->next; 2094 } 2095 break; 2096 2097 default: 2098 rc = 0; 2099 *out_sid = SECINITSID_NODE; 2100 goto out; 2101 } 2102 2103 if (c) { 2104 if (!c->sid[0]) { 2105 rc = sidtab_context_to_sid(&sidtab, 2106 &c->context[0], 2107 &c->sid[0]); 2108 if (rc) 2109 goto out; 2110 } 2111 *out_sid = c->sid[0]; 2112 } else { 2113 *out_sid = SECINITSID_NODE; 2114 } 2115 2116 rc = 0; 2117 out: 2118 read_unlock(&policy_rwlock); 2119 return rc; 2120 } 2121 2122 #define SIDS_NEL 25 2123 2124 /** 2125 * security_get_user_sids - Obtain reachable SIDs for a user. 2126 * @fromsid: starting SID 2127 * @username: username 2128 * @sids: array of reachable SIDs for user 2129 * @nel: number of elements in @sids 2130 * 2131 * Generate the set of SIDs for legal security contexts 2132 * for a given user that can be reached by @fromsid. 2133 * Set *@sids to point to a dynamically allocated 2134 * array containing the set of SIDs. Set *@nel to the 2135 * number of elements in the array. 2136 */ 2137 2138 int security_get_user_sids(u32 fromsid, 2139 char *username, 2140 u32 **sids, 2141 u32 *nel) 2142 { 2143 struct context *fromcon, usercon; 2144 u32 *mysids = NULL, *mysids2, sid; 2145 u32 mynel = 0, maxnel = SIDS_NEL; 2146 struct user_datum *user; 2147 struct role_datum *role; 2148 struct ebitmap_node *rnode, *tnode; 2149 int rc = 0, i, j; 2150 2151 *sids = NULL; 2152 *nel = 0; 2153 2154 if (!ss_initialized) 2155 goto out; 2156 2157 read_lock(&policy_rwlock); 2158 2159 context_init(&usercon); 2160 2161 rc = -EINVAL; 2162 fromcon = sidtab_search(&sidtab, fromsid); 2163 if (!fromcon) 2164 goto out_unlock; 2165 2166 rc = -EINVAL; 2167 user = hashtab_search(policydb.p_users.table, username); 2168 if (!user) 2169 goto out_unlock; 2170 2171 usercon.user = user->value; 2172 2173 rc = -ENOMEM; 2174 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2175 if (!mysids) 2176 goto out_unlock; 2177 2178 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2179 role = policydb.role_val_to_struct[i]; 2180 usercon.role = i + 1; 2181 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2182 usercon.type = j + 1; 2183 2184 if (mls_setup_user_range(fromcon, user, &usercon)) 2185 continue; 2186 2187 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 2188 if (rc) 2189 goto out_unlock; 2190 if (mynel < maxnel) { 2191 mysids[mynel++] = sid; 2192 } else { 2193 rc = -ENOMEM; 2194 maxnel += SIDS_NEL; 2195 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2196 if (!mysids2) 2197 goto out_unlock; 2198 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2199 kfree(mysids); 2200 mysids = mysids2; 2201 mysids[mynel++] = sid; 2202 } 2203 } 2204 } 2205 rc = 0; 2206 out_unlock: 2207 read_unlock(&policy_rwlock); 2208 if (rc || !mynel) { 2209 kfree(mysids); 2210 goto out; 2211 } 2212 2213 rc = -ENOMEM; 2214 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2215 if (!mysids2) { 2216 kfree(mysids); 2217 goto out; 2218 } 2219 for (i = 0, j = 0; i < mynel; i++) { 2220 struct av_decision dummy_avd; 2221 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2222 SECCLASS_PROCESS, /* kernel value */ 2223 PROCESS__TRANSITION, AVC_STRICT, 2224 &dummy_avd); 2225 if (!rc) 2226 mysids2[j++] = mysids[i]; 2227 cond_resched(); 2228 } 2229 rc = 0; 2230 kfree(mysids); 2231 *sids = mysids2; 2232 *nel = j; 2233 out: 2234 return rc; 2235 } 2236 2237 /** 2238 * security_genfs_sid - Obtain a SID for a file in a filesystem 2239 * @fstype: filesystem type 2240 * @path: path from root of mount 2241 * @sclass: file security class 2242 * @sid: SID for path 2243 * 2244 * Obtain a SID to use for a file in a filesystem that 2245 * cannot support xattr or use a fixed labeling behavior like 2246 * transition SIDs or task SIDs. 2247 */ 2248 int security_genfs_sid(const char *fstype, 2249 char *path, 2250 u16 orig_sclass, 2251 u32 *sid) 2252 { 2253 int len; 2254 u16 sclass; 2255 struct genfs *genfs; 2256 struct ocontext *c; 2257 int rc, cmp = 0; 2258 2259 while (path[0] == '/' && path[1] == '/') 2260 path++; 2261 2262 read_lock(&policy_rwlock); 2263 2264 sclass = unmap_class(orig_sclass); 2265 *sid = SECINITSID_UNLABELED; 2266 2267 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2268 cmp = strcmp(fstype, genfs->fstype); 2269 if (cmp <= 0) 2270 break; 2271 } 2272 2273 rc = -ENOENT; 2274 if (!genfs || cmp) 2275 goto out; 2276 2277 for (c = genfs->head; c; c = c->next) { 2278 len = strlen(c->u.name); 2279 if ((!c->v.sclass || sclass == c->v.sclass) && 2280 (strncmp(c->u.name, path, len) == 0)) 2281 break; 2282 } 2283 2284 rc = -ENOENT; 2285 if (!c) 2286 goto out; 2287 2288 if (!c->sid[0]) { 2289 rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]); 2290 if (rc) 2291 goto out; 2292 } 2293 2294 *sid = c->sid[0]; 2295 rc = 0; 2296 out: 2297 read_unlock(&policy_rwlock); 2298 return rc; 2299 } 2300 2301 /** 2302 * security_fs_use - Determine how to handle labeling for a filesystem. 2303 * @fstype: filesystem type 2304 * @behavior: labeling behavior 2305 * @sid: SID for filesystem (superblock) 2306 */ 2307 int security_fs_use( 2308 const char *fstype, 2309 unsigned int *behavior, 2310 u32 *sid) 2311 { 2312 int rc = 0; 2313 struct ocontext *c; 2314 2315 read_lock(&policy_rwlock); 2316 2317 c = policydb.ocontexts[OCON_FSUSE]; 2318 while (c) { 2319 if (strcmp(fstype, c->u.name) == 0) 2320 break; 2321 c = c->next; 2322 } 2323 2324 if (c) { 2325 *behavior = c->v.behavior; 2326 if (!c->sid[0]) { 2327 rc = sidtab_context_to_sid(&sidtab, &c->context[0], 2328 &c->sid[0]); 2329 if (rc) 2330 goto out; 2331 } 2332 *sid = c->sid[0]; 2333 } else { 2334 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2335 if (rc) { 2336 *behavior = SECURITY_FS_USE_NONE; 2337 rc = 0; 2338 } else { 2339 *behavior = SECURITY_FS_USE_GENFS; 2340 } 2341 } 2342 2343 out: 2344 read_unlock(&policy_rwlock); 2345 return rc; 2346 } 2347 2348 int security_get_bools(int *len, char ***names, int **values) 2349 { 2350 int i, rc; 2351 2352 read_lock(&policy_rwlock); 2353 *names = NULL; 2354 *values = NULL; 2355 2356 rc = 0; 2357 *len = policydb.p_bools.nprim; 2358 if (!*len) 2359 goto out; 2360 2361 rc = -ENOMEM; 2362 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2363 if (!*names) 2364 goto err; 2365 2366 rc = -ENOMEM; 2367 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2368 if (!*values) 2369 goto err; 2370 2371 for (i = 0; i < *len; i++) { 2372 size_t name_len; 2373 2374 (*values)[i] = policydb.bool_val_to_struct[i]->state; 2375 name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; 2376 2377 rc = -ENOMEM; 2378 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 2379 if (!(*names)[i]) 2380 goto err; 2381 2382 strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); 2383 (*names)[i][name_len - 1] = 0; 2384 } 2385 rc = 0; 2386 out: 2387 read_unlock(&policy_rwlock); 2388 return rc; 2389 err: 2390 if (*names) { 2391 for (i = 0; i < *len; i++) 2392 kfree((*names)[i]); 2393 } 2394 kfree(*values); 2395 goto out; 2396 } 2397 2398 2399 int security_set_bools(int len, int *values) 2400 { 2401 int i, rc; 2402 int lenp, seqno = 0; 2403 struct cond_node *cur; 2404 2405 write_lock_irq(&policy_rwlock); 2406 2407 rc = -EFAULT; 2408 lenp = policydb.p_bools.nprim; 2409 if (len != lenp) 2410 goto out; 2411 2412 for (i = 0; i < len; i++) { 2413 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 2414 audit_log(current->audit_context, GFP_ATOMIC, 2415 AUDIT_MAC_CONFIG_CHANGE, 2416 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2417 sym_name(&policydb, SYM_BOOLS, i), 2418 !!values[i], 2419 policydb.bool_val_to_struct[i]->state, 2420 audit_get_loginuid(current), 2421 audit_get_sessionid(current)); 2422 } 2423 if (values[i]) 2424 policydb.bool_val_to_struct[i]->state = 1; 2425 else 2426 policydb.bool_val_to_struct[i]->state = 0; 2427 } 2428 2429 for (cur = policydb.cond_list; cur; cur = cur->next) { 2430 rc = evaluate_cond_node(&policydb, cur); 2431 if (rc) 2432 goto out; 2433 } 2434 2435 seqno = ++latest_granting; 2436 rc = 0; 2437 out: 2438 write_unlock_irq(&policy_rwlock); 2439 if (!rc) { 2440 avc_ss_reset(seqno); 2441 selnl_notify_policyload(seqno); 2442 selinux_status_update_policyload(seqno); 2443 selinux_xfrm_notify_policyload(); 2444 } 2445 return rc; 2446 } 2447 2448 int security_get_bool_value(int bool) 2449 { 2450 int rc; 2451 int len; 2452 2453 read_lock(&policy_rwlock); 2454 2455 rc = -EFAULT; 2456 len = policydb.p_bools.nprim; 2457 if (bool >= len) 2458 goto out; 2459 2460 rc = policydb.bool_val_to_struct[bool]->state; 2461 out: 2462 read_unlock(&policy_rwlock); 2463 return rc; 2464 } 2465 2466 static int security_preserve_bools(struct policydb *p) 2467 { 2468 int rc, nbools = 0, *bvalues = NULL, i; 2469 char **bnames = NULL; 2470 struct cond_bool_datum *booldatum; 2471 struct cond_node *cur; 2472 2473 rc = security_get_bools(&nbools, &bnames, &bvalues); 2474 if (rc) 2475 goto out; 2476 for (i = 0; i < nbools; i++) { 2477 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 2478 if (booldatum) 2479 booldatum->state = bvalues[i]; 2480 } 2481 for (cur = p->cond_list; cur; cur = cur->next) { 2482 rc = evaluate_cond_node(p, cur); 2483 if (rc) 2484 goto out; 2485 } 2486 2487 out: 2488 if (bnames) { 2489 for (i = 0; i < nbools; i++) 2490 kfree(bnames[i]); 2491 } 2492 kfree(bnames); 2493 kfree(bvalues); 2494 return rc; 2495 } 2496 2497 /* 2498 * security_sid_mls_copy() - computes a new sid based on the given 2499 * sid and the mls portion of mls_sid. 2500 */ 2501 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 2502 { 2503 struct context *context1; 2504 struct context *context2; 2505 struct context newcon; 2506 char *s; 2507 u32 len; 2508 int rc; 2509 2510 rc = 0; 2511 if (!ss_initialized || !policydb.mls_enabled) { 2512 *new_sid = sid; 2513 goto out; 2514 } 2515 2516 context_init(&newcon); 2517 2518 read_lock(&policy_rwlock); 2519 2520 rc = -EINVAL; 2521 context1 = sidtab_search(&sidtab, sid); 2522 if (!context1) { 2523 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2524 __func__, sid); 2525 goto out_unlock; 2526 } 2527 2528 rc = -EINVAL; 2529 context2 = sidtab_search(&sidtab, mls_sid); 2530 if (!context2) { 2531 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2532 __func__, mls_sid); 2533 goto out_unlock; 2534 } 2535 2536 newcon.user = context1->user; 2537 newcon.role = context1->role; 2538 newcon.type = context1->type; 2539 rc = mls_context_cpy(&newcon, context2); 2540 if (rc) 2541 goto out_unlock; 2542 2543 /* Check the validity of the new context. */ 2544 if (!policydb_context_isvalid(&policydb, &newcon)) { 2545 rc = convert_context_handle_invalid_context(&newcon); 2546 if (rc) { 2547 if (!context_struct_to_string(&newcon, &s, &len)) { 2548 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2549 "security_sid_mls_copy: invalid context %s", s); 2550 kfree(s); 2551 } 2552 goto out_unlock; 2553 } 2554 } 2555 2556 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 2557 out_unlock: 2558 read_unlock(&policy_rwlock); 2559 context_destroy(&newcon); 2560 out: 2561 return rc; 2562 } 2563 2564 /** 2565 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 2566 * @nlbl_sid: NetLabel SID 2567 * @nlbl_type: NetLabel labeling protocol type 2568 * @xfrm_sid: XFRM SID 2569 * 2570 * Description: 2571 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 2572 * resolved into a single SID it is returned via @peer_sid and the function 2573 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 2574 * returns a negative value. A table summarizing the behavior is below: 2575 * 2576 * | function return | @sid 2577 * ------------------------------+-----------------+----------------- 2578 * no peer labels | 0 | SECSID_NULL 2579 * single peer label | 0 | <peer_label> 2580 * multiple, consistent labels | 0 | <peer_label> 2581 * multiple, inconsistent labels | -<errno> | SECSID_NULL 2582 * 2583 */ 2584 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, 2585 u32 xfrm_sid, 2586 u32 *peer_sid) 2587 { 2588 int rc; 2589 struct context *nlbl_ctx; 2590 struct context *xfrm_ctx; 2591 2592 *peer_sid = SECSID_NULL; 2593 2594 /* handle the common (which also happens to be the set of easy) cases 2595 * right away, these two if statements catch everything involving a 2596 * single or absent peer SID/label */ 2597 if (xfrm_sid == SECSID_NULL) { 2598 *peer_sid = nlbl_sid; 2599 return 0; 2600 } 2601 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 2602 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 2603 * is present */ 2604 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 2605 *peer_sid = xfrm_sid; 2606 return 0; 2607 } 2608 2609 /* we don't need to check ss_initialized here since the only way both 2610 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2611 * security server was initialized and ss_initialized was true */ 2612 if (!policydb.mls_enabled) 2613 return 0; 2614 2615 read_lock(&policy_rwlock); 2616 2617 rc = -EINVAL; 2618 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2619 if (!nlbl_ctx) { 2620 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2621 __func__, nlbl_sid); 2622 goto out; 2623 } 2624 rc = -EINVAL; 2625 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2626 if (!xfrm_ctx) { 2627 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2628 __func__, xfrm_sid); 2629 goto out; 2630 } 2631 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 2632 if (rc) 2633 goto out; 2634 2635 /* at present NetLabel SIDs/labels really only carry MLS 2636 * information so if the MLS portion of the NetLabel SID 2637 * matches the MLS portion of the labeled XFRM SID/label 2638 * then pass along the XFRM SID as it is the most 2639 * expressive */ 2640 *peer_sid = xfrm_sid; 2641 out: 2642 read_unlock(&policy_rwlock); 2643 return rc; 2644 } 2645 2646 static int get_classes_callback(void *k, void *d, void *args) 2647 { 2648 struct class_datum *datum = d; 2649 char *name = k, **classes = args; 2650 int value = datum->value - 1; 2651 2652 classes[value] = kstrdup(name, GFP_ATOMIC); 2653 if (!classes[value]) 2654 return -ENOMEM; 2655 2656 return 0; 2657 } 2658 2659 int security_get_classes(char ***classes, int *nclasses) 2660 { 2661 int rc; 2662 2663 read_lock(&policy_rwlock); 2664 2665 rc = -ENOMEM; 2666 *nclasses = policydb.p_classes.nprim; 2667 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 2668 if (!*classes) 2669 goto out; 2670 2671 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2672 *classes); 2673 if (rc) { 2674 int i; 2675 for (i = 0; i < *nclasses; i++) 2676 kfree((*classes)[i]); 2677 kfree(*classes); 2678 } 2679 2680 out: 2681 read_unlock(&policy_rwlock); 2682 return rc; 2683 } 2684 2685 static int get_permissions_callback(void *k, void *d, void *args) 2686 { 2687 struct perm_datum *datum = d; 2688 char *name = k, **perms = args; 2689 int value = datum->value - 1; 2690 2691 perms[value] = kstrdup(name, GFP_ATOMIC); 2692 if (!perms[value]) 2693 return -ENOMEM; 2694 2695 return 0; 2696 } 2697 2698 int security_get_permissions(char *class, char ***perms, int *nperms) 2699 { 2700 int rc, i; 2701 struct class_datum *match; 2702 2703 read_lock(&policy_rwlock); 2704 2705 rc = -EINVAL; 2706 match = hashtab_search(policydb.p_classes.table, class); 2707 if (!match) { 2708 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", 2709 __func__, class); 2710 goto out; 2711 } 2712 2713 rc = -ENOMEM; 2714 *nperms = match->permissions.nprim; 2715 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 2716 if (!*perms) 2717 goto out; 2718 2719 if (match->comdatum) { 2720 rc = hashtab_map(match->comdatum->permissions.table, 2721 get_permissions_callback, *perms); 2722 if (rc) 2723 goto err; 2724 } 2725 2726 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2727 *perms); 2728 if (rc) 2729 goto err; 2730 2731 out: 2732 read_unlock(&policy_rwlock); 2733 return rc; 2734 2735 err: 2736 read_unlock(&policy_rwlock); 2737 for (i = 0; i < *nperms; i++) 2738 kfree((*perms)[i]); 2739 kfree(*perms); 2740 return rc; 2741 } 2742 2743 int security_get_reject_unknown(void) 2744 { 2745 return policydb.reject_unknown; 2746 } 2747 2748 int security_get_allow_unknown(void) 2749 { 2750 return policydb.allow_unknown; 2751 } 2752 2753 /** 2754 * security_policycap_supported - Check for a specific policy capability 2755 * @req_cap: capability 2756 * 2757 * Description: 2758 * This function queries the currently loaded policy to see if it supports the 2759 * capability specified by @req_cap. Returns true (1) if the capability is 2760 * supported, false (0) if it isn't supported. 2761 * 2762 */ 2763 int security_policycap_supported(unsigned int req_cap) 2764 { 2765 int rc; 2766 2767 read_lock(&policy_rwlock); 2768 rc = ebitmap_get_bit(&policydb.policycaps, req_cap); 2769 read_unlock(&policy_rwlock); 2770 2771 return rc; 2772 } 2773 2774 struct selinux_audit_rule { 2775 u32 au_seqno; 2776 struct context au_ctxt; 2777 }; 2778 2779 void selinux_audit_rule_free(void *vrule) 2780 { 2781 struct selinux_audit_rule *rule = vrule; 2782 2783 if (rule) { 2784 context_destroy(&rule->au_ctxt); 2785 kfree(rule); 2786 } 2787 } 2788 2789 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2790 { 2791 struct selinux_audit_rule *tmprule; 2792 struct role_datum *roledatum; 2793 struct type_datum *typedatum; 2794 struct user_datum *userdatum; 2795 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 2796 int rc = 0; 2797 2798 *rule = NULL; 2799 2800 if (!ss_initialized) 2801 return -EOPNOTSUPP; 2802 2803 switch (field) { 2804 case AUDIT_SUBJ_USER: 2805 case AUDIT_SUBJ_ROLE: 2806 case AUDIT_SUBJ_TYPE: 2807 case AUDIT_OBJ_USER: 2808 case AUDIT_OBJ_ROLE: 2809 case AUDIT_OBJ_TYPE: 2810 /* only 'equals' and 'not equals' fit user, role, and type */ 2811 if (op != Audit_equal && op != Audit_not_equal) 2812 return -EINVAL; 2813 break; 2814 case AUDIT_SUBJ_SEN: 2815 case AUDIT_SUBJ_CLR: 2816 case AUDIT_OBJ_LEV_LOW: 2817 case AUDIT_OBJ_LEV_HIGH: 2818 /* we do not allow a range, indicated by the presence of '-' */ 2819 if (strchr(rulestr, '-')) 2820 return -EINVAL; 2821 break; 2822 default: 2823 /* only the above fields are valid */ 2824 return -EINVAL; 2825 } 2826 2827 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2828 if (!tmprule) 2829 return -ENOMEM; 2830 2831 context_init(&tmprule->au_ctxt); 2832 2833 read_lock(&policy_rwlock); 2834 2835 tmprule->au_seqno = latest_granting; 2836 2837 switch (field) { 2838 case AUDIT_SUBJ_USER: 2839 case AUDIT_OBJ_USER: 2840 rc = -EINVAL; 2841 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2842 if (!userdatum) 2843 goto out; 2844 tmprule->au_ctxt.user = userdatum->value; 2845 break; 2846 case AUDIT_SUBJ_ROLE: 2847 case AUDIT_OBJ_ROLE: 2848 rc = -EINVAL; 2849 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2850 if (!roledatum) 2851 goto out; 2852 tmprule->au_ctxt.role = roledatum->value; 2853 break; 2854 case AUDIT_SUBJ_TYPE: 2855 case AUDIT_OBJ_TYPE: 2856 rc = -EINVAL; 2857 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2858 if (!typedatum) 2859 goto out; 2860 tmprule->au_ctxt.type = typedatum->value; 2861 break; 2862 case AUDIT_SUBJ_SEN: 2863 case AUDIT_SUBJ_CLR: 2864 case AUDIT_OBJ_LEV_LOW: 2865 case AUDIT_OBJ_LEV_HIGH: 2866 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2867 if (rc) 2868 goto out; 2869 break; 2870 } 2871 rc = 0; 2872 out: 2873 read_unlock(&policy_rwlock); 2874 2875 if (rc) { 2876 selinux_audit_rule_free(tmprule); 2877 tmprule = NULL; 2878 } 2879 2880 *rule = tmprule; 2881 2882 return rc; 2883 } 2884 2885 /* Check to see if the rule contains any selinux fields */ 2886 int selinux_audit_rule_known(struct audit_krule *rule) 2887 { 2888 int i; 2889 2890 for (i = 0; i < rule->field_count; i++) { 2891 struct audit_field *f = &rule->fields[i]; 2892 switch (f->type) { 2893 case AUDIT_SUBJ_USER: 2894 case AUDIT_SUBJ_ROLE: 2895 case AUDIT_SUBJ_TYPE: 2896 case AUDIT_SUBJ_SEN: 2897 case AUDIT_SUBJ_CLR: 2898 case AUDIT_OBJ_USER: 2899 case AUDIT_OBJ_ROLE: 2900 case AUDIT_OBJ_TYPE: 2901 case AUDIT_OBJ_LEV_LOW: 2902 case AUDIT_OBJ_LEV_HIGH: 2903 return 1; 2904 } 2905 } 2906 2907 return 0; 2908 } 2909 2910 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 2911 struct audit_context *actx) 2912 { 2913 struct context *ctxt; 2914 struct mls_level *level; 2915 struct selinux_audit_rule *rule = vrule; 2916 int match = 0; 2917 2918 if (!rule) { 2919 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2920 "selinux_audit_rule_match: missing rule\n"); 2921 return -ENOENT; 2922 } 2923 2924 read_lock(&policy_rwlock); 2925 2926 if (rule->au_seqno < latest_granting) { 2927 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2928 "selinux_audit_rule_match: stale rule\n"); 2929 match = -ESTALE; 2930 goto out; 2931 } 2932 2933 ctxt = sidtab_search(&sidtab, sid); 2934 if (!ctxt) { 2935 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2936 "selinux_audit_rule_match: unrecognized SID %d\n", 2937 sid); 2938 match = -ENOENT; 2939 goto out; 2940 } 2941 2942 /* a field/op pair that is not caught here will simply fall through 2943 without a match */ 2944 switch (field) { 2945 case AUDIT_SUBJ_USER: 2946 case AUDIT_OBJ_USER: 2947 switch (op) { 2948 case Audit_equal: 2949 match = (ctxt->user == rule->au_ctxt.user); 2950 break; 2951 case Audit_not_equal: 2952 match = (ctxt->user != rule->au_ctxt.user); 2953 break; 2954 } 2955 break; 2956 case AUDIT_SUBJ_ROLE: 2957 case AUDIT_OBJ_ROLE: 2958 switch (op) { 2959 case Audit_equal: 2960 match = (ctxt->role == rule->au_ctxt.role); 2961 break; 2962 case Audit_not_equal: 2963 match = (ctxt->role != rule->au_ctxt.role); 2964 break; 2965 } 2966 break; 2967 case AUDIT_SUBJ_TYPE: 2968 case AUDIT_OBJ_TYPE: 2969 switch (op) { 2970 case Audit_equal: 2971 match = (ctxt->type == rule->au_ctxt.type); 2972 break; 2973 case Audit_not_equal: 2974 match = (ctxt->type != rule->au_ctxt.type); 2975 break; 2976 } 2977 break; 2978 case AUDIT_SUBJ_SEN: 2979 case AUDIT_SUBJ_CLR: 2980 case AUDIT_OBJ_LEV_LOW: 2981 case AUDIT_OBJ_LEV_HIGH: 2982 level = ((field == AUDIT_SUBJ_SEN || 2983 field == AUDIT_OBJ_LEV_LOW) ? 2984 &ctxt->range.level[0] : &ctxt->range.level[1]); 2985 switch (op) { 2986 case Audit_equal: 2987 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2988 level); 2989 break; 2990 case Audit_not_equal: 2991 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2992 level); 2993 break; 2994 case Audit_lt: 2995 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2996 level) && 2997 !mls_level_eq(&rule->au_ctxt.range.level[0], 2998 level)); 2999 break; 3000 case Audit_le: 3001 match = mls_level_dom(&rule->au_ctxt.range.level[0], 3002 level); 3003 break; 3004 case Audit_gt: 3005 match = (mls_level_dom(level, 3006 &rule->au_ctxt.range.level[0]) && 3007 !mls_level_eq(level, 3008 &rule->au_ctxt.range.level[0])); 3009 break; 3010 case Audit_ge: 3011 match = mls_level_dom(level, 3012 &rule->au_ctxt.range.level[0]); 3013 break; 3014 } 3015 } 3016 3017 out: 3018 read_unlock(&policy_rwlock); 3019 return match; 3020 } 3021 3022 static int (*aurule_callback)(void) = audit_update_lsm_rules; 3023 3024 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 3025 u16 class, u32 perms, u32 *retained) 3026 { 3027 int err = 0; 3028 3029 if (event == AVC_CALLBACK_RESET && aurule_callback) 3030 err = aurule_callback(); 3031 return err; 3032 } 3033 3034 static int __init aurule_init(void) 3035 { 3036 int err; 3037 3038 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 3039 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 3040 if (err) 3041 panic("avc_add_callback() failed, error %d\n", err); 3042 3043 return err; 3044 } 3045 __initcall(aurule_init); 3046 3047 #ifdef CONFIG_NETLABEL 3048 /** 3049 * security_netlbl_cache_add - Add an entry to the NetLabel cache 3050 * @secattr: the NetLabel packet security attributes 3051 * @sid: the SELinux SID 3052 * 3053 * Description: 3054 * Attempt to cache the context in @ctx, which was derived from the packet in 3055 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 3056 * already been initialized. 3057 * 3058 */ 3059 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 3060 u32 sid) 3061 { 3062 u32 *sid_cache; 3063 3064 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 3065 if (sid_cache == NULL) 3066 return; 3067 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 3068 if (secattr->cache == NULL) { 3069 kfree(sid_cache); 3070 return; 3071 } 3072 3073 *sid_cache = sid; 3074 secattr->cache->free = kfree; 3075 secattr->cache->data = sid_cache; 3076 secattr->flags |= NETLBL_SECATTR_CACHE; 3077 } 3078 3079 /** 3080 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 3081 * @secattr: the NetLabel packet security attributes 3082 * @sid: the SELinux SID 3083 * 3084 * Description: 3085 * Convert the given NetLabel security attributes in @secattr into a 3086 * SELinux SID. If the @secattr field does not contain a full SELinux 3087 * SID/context then use SECINITSID_NETMSG as the foundation. If possible the 3088 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 3089 * allow the @secattr to be used by NetLabel to cache the secattr to SID 3090 * conversion for future lookups. Returns zero on success, negative values on 3091 * failure. 3092 * 3093 */ 3094 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 3095 u32 *sid) 3096 { 3097 int rc; 3098 struct context *ctx; 3099 struct context ctx_new; 3100 3101 if (!ss_initialized) { 3102 *sid = SECSID_NULL; 3103 return 0; 3104 } 3105 3106 read_lock(&policy_rwlock); 3107 3108 if (secattr->flags & NETLBL_SECATTR_CACHE) 3109 *sid = *(u32 *)secattr->cache->data; 3110 else if (secattr->flags & NETLBL_SECATTR_SECID) 3111 *sid = secattr->attr.secid; 3112 else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3113 rc = -EIDRM; 3114 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); 3115 if (ctx == NULL) 3116 goto out; 3117 3118 context_init(&ctx_new); 3119 ctx_new.user = ctx->user; 3120 ctx_new.role = ctx->role; 3121 ctx_new.type = ctx->type; 3122 mls_import_netlbl_lvl(&ctx_new, secattr); 3123 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3124 rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 3125 secattr->attr.mls.cat); 3126 if (rc) 3127 goto out; 3128 memcpy(&ctx_new.range.level[1].cat, 3129 &ctx_new.range.level[0].cat, 3130 sizeof(ctx_new.range.level[0].cat)); 3131 } 3132 rc = -EIDRM; 3133 if (!mls_context_isvalid(&policydb, &ctx_new)) 3134 goto out_free; 3135 3136 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 3137 if (rc) 3138 goto out_free; 3139 3140 security_netlbl_cache_add(secattr, *sid); 3141 3142 ebitmap_destroy(&ctx_new.range.level[0].cat); 3143 } else 3144 *sid = SECSID_NULL; 3145 3146 read_unlock(&policy_rwlock); 3147 return 0; 3148 out_free: 3149 ebitmap_destroy(&ctx_new.range.level[0].cat); 3150 out: 3151 read_unlock(&policy_rwlock); 3152 return rc; 3153 } 3154 3155 /** 3156 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3157 * @sid: the SELinux SID 3158 * @secattr: the NetLabel packet security attributes 3159 * 3160 * Description: 3161 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3162 * Returns zero on success, negative values on failure. 3163 * 3164 */ 3165 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 3166 { 3167 int rc; 3168 struct context *ctx; 3169 3170 if (!ss_initialized) 3171 return 0; 3172 3173 read_lock(&policy_rwlock); 3174 3175 rc = -ENOENT; 3176 ctx = sidtab_search(&sidtab, sid); 3177 if (ctx == NULL) 3178 goto out; 3179 3180 rc = -ENOMEM; 3181 secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1), 3182 GFP_ATOMIC); 3183 if (secattr->domain == NULL) 3184 goto out; 3185 3186 secattr->attr.secid = sid; 3187 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3188 mls_export_netlbl_lvl(ctx, secattr); 3189 rc = mls_export_netlbl_cat(ctx, secattr); 3190 out: 3191 read_unlock(&policy_rwlock); 3192 return rc; 3193 } 3194 #endif /* CONFIG_NETLABEL */ 3195 3196 /** 3197 * security_read_policy - read the policy. 3198 * @data: binary policy data 3199 * @len: length of data in bytes 3200 * 3201 */ 3202 int security_read_policy(void **data, size_t *len) 3203 { 3204 int rc; 3205 struct policy_file fp; 3206 3207 if (!ss_initialized) 3208 return -EINVAL; 3209 3210 *len = security_policydb_len(); 3211 3212 *data = vmalloc_user(*len); 3213 if (!*data) 3214 return -ENOMEM; 3215 3216 fp.data = *data; 3217 fp.len = *len; 3218 3219 read_lock(&policy_rwlock); 3220 rc = policydb_write(&policydb, &fp); 3221 read_unlock(&policy_rwlock); 3222 3223 if (rc) 3224 return rc; 3225 3226 *len = (unsigned long)fp.data - (unsigned long)*data; 3227 return 0; 3228 3229 } 3230